Update Langkit Helm chart for fixes related to file permissions and non-root user #7

Merged: 5 commits, Feb 2, 2024
21 changes: 21 additions & 0 deletions charts/langkit/CHANGELOG.md
Expand Up @@ -6,6 +6,27 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning]
(https://semver.org/spec/v2.0.0.html).

## [0.6.0] - **Breaking Changes** - 2023-02-01

### Breaking

- :warning: changed the structure of the `values.yaml` file for better
organization with the introduction of an init container and running as a
non-root user by default

### Changed

- Updated the `securityContext` to run the container as a non-root user

### Added

- Added an `initContainer`
- Added support for configuring container environment variables

### Removed

- Removed default `root-config` volume and volume mount

## [0.5.0] - 2023-01-30

### Changed
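Review bot: The new `## [0.6.0]` heading is dated 2023-02-01, but this PR merged on Feb 2, 2024, so the year looks wrong (the `[0.5.0]` entry below also carries a 2023 date and is worth checking in the same pass). Since the release is flagged as breaking, the entry should also spell out the key moves visible in this PR (`podAnnotations` to `pod.annotations`, `podLabels` to `pod.labels`, `podSecurityContext` to `pod.securityContext`, and `securityContext` and `volumeMounts` now under `containers`) so upgraders know exactly what to change in their overrides.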
4 changes: 2 additions & 2 deletions charts/langkit/Chart.yaml
Expand Up @@ -2,5 +2,5 @@ apiVersion: v2
name: langkit
description: A Helm chart for LangKit container deployment
type: application
version: 0.5.0
appVersion: "1.0.2.dev1"
version: 0.6.0
appVersion: "1.0.2.dev2"
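Review bot: `appVersion: "1.0.2.dev2"` does not match the tag format used in `values.yaml` (`py-llm-1.0.2.dev2`). The deployment template falls back to `.Chart.AppVersion` when `image.tag` is unset, which would render `whylabs/whylogs:1.0.2.dev2`; either align the two strings or confirm that the unprefixed tag is actually published.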
31 changes: 22 additions & 9 deletions charts/langkit/README.md
Expand Up @@ -88,11 +88,23 @@ helm-docs --dry-run

| Key | Type | Default | Description |
|-----|------|---------|-------------|
| containers.env[0].name | string | `"HOME"` | |
| containers.env[0].value | string | `"/home"` | |
| containers.env[1].name | string | `"HF_HOME"` | |
| containers.env[1].value | string | `"/home/.cache/hf_home"` | |
| containers.securityContext.readOnlyRootFilesystem | bool | `true` | |
| containers.securityContext.runAsUser | int | `1000` | |
| containers.volumeMounts[0].mountPath | string | `"/tmp"` | |
| containers.volumeMounts[0].name | string | `"temp-dir"` | |
| containers.volumeMounts[1].mountPath | string | `"/root/.config"` | |
| containers.volumeMounts[1].name | string | `"root-config"` | |
| containers.volumeMounts[2].mountPath | string | `"/home"` | |
| containers.volumeMounts[2].name | string | `"home"` | |
| fullnameOverride | string | `""` | |
| image.containerPort | int | `8000` | |
| image.pullPolicy | string | `"IfNotPresent"` | |
| image.repository | string | `"whylabs/whylogs"` | |
| image.tag | string | `"py-llm-1.0.2.dev0"` | |
| image.tag | string | `"py-llm-1.0.2.dev1"` | |
| imagePullSecrets | list | `[]` | |
| ingress.annotations | object | `{}` | |
| ingress.className | string | `""` | |
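Review bot: The `image.tag` rows show `py-llm-1.0.2.dev0` and `py-llm-1.0.2.dev1`, while `values.yaml` in this PR sets `py-llm-1.0.2.dev2`, and `image.pullPolicy` is documented as `IfNotPresent` although `values.yaml` sets `Always`. The table also lists `containers.volumeMounts[1]` as `root-config` at `/root/.config`, which the CHANGELOG says was removed. Re-running `helm-docs` against the final `values.yaml` should bring these rows back in sync.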
Expand All @@ -101,14 +113,18 @@ helm-docs --dry-run
| ingress.hosts[0].paths[0].path | string | `"/"` | |
| ingress.hosts[0].paths[0].pathType | string | `"ImplementationSpecific"` | |
| ingress.tls | list | `[]` | |
| initContainers.volumeMounts[0].mountPath | string | `"/root/.config"` | |
| initContainers.volumeMounts[0].name | string | `"root-config"` | |
| initContainers.volumeMounts[1].mountPath | string | `"/home"` | |
| initContainers.volumeMounts[1].name | string | `"home"` | |
| livenessProbe.initialDelaySeconds | int | `15` | |
| livenessProbe.periodSeconds | int | `10` | |
| livenessProbe.tcpSocket.port | int | `8000` | |
| nameOverride | string | `""` | |
| nodeSelector | object | `{}` | |
| podAnnotations | object | `{}` | |
| podLabels | object | `{}` | |
| podSecurityContext | object | `{}` | |
| pod.annotations | object | `{}` | |
| pod.labels | object | `{}` | |
| pod.securityContext | object | `{}` | |
| readinessProbe.initialDelaySeconds | int | `15` | |
| readinessProbe.periodSeconds | int | `10` | |
| readinessProbe.tcpSocket.port | int | `8000` | |
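Review bot: The `initContainers.volumeMounts` rows document a `root-config` mount at index 0 and `home` at index 1, but `values.yaml` defines only the `home` mount for the init container, and there is no row for `initContainers.command` even though the template renders it. The Description column is also empty for every key; a `# --` comment on `containers.securityContext.runAsUser` and `initContainers.command` in `values.yaml` would let helm-docs explain why they exist.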
Expand All @@ -119,18 +135,15 @@ helm-docs --dry-run
| resources.requests.memory | string | `"8Gi"` | |
| secrets.langkitApiSecret.name | string | `"langkit-api-secret"` | |
| secrets.whylabsApiKey.name | string | `"whylabs-api-key"` | |
| securityContext.readOnlyRootFilesystem | bool | `true` | |
| service.port | int | `80` | |
| service.type | string | `"ClusterIP"` | |
| tolerations | list | `[]` | |
| volumeMounts[0].mountPath | string | `"/tmp"` | |
| volumeMounts[0].name | string | `"temp-dir"` | |
| volumeMounts[1].mountPath | string | `"/root/.config"` | |
| volumeMounts[1].name | string | `"root-config"` | |
| volumes[0].emptyDir | object | `{}` | |
| volumes[0].name | string | `"temp-dir"` | |
| volumes[1].emptyDir | object | `{}` | |
| volumes[1].name | string | `"root-config"` | |
| volumes[2].emptyDir | object | `{}` | |
| volumes[2].name | string | `"home"` | |

----------------------------------------------
Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0)
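Review bot: `volumes[1].name` is still `root-config` with `home` at `volumes[2]`, whereas the `volumes` list in `values.yaml` ends up with just `temp-dir` and `home`. Regenerate the README from the final values so the documented defaults match what the chart ships.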
24 changes: 19 additions & 5 deletions charts/langkit/templates/deployment.yaml
Expand Up @@ -11,13 +11,13 @@ spec:
{{- include "langkit.selectorLabels" . | nindent 6 }}
template:
metadata:
{{- with .Values.podAnnotations }}
{{- with .Values.pod.annotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "langkit.labels" . | nindent 8 }}
{{- with .Values.podLabels }}
{{- with .Values.pod.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
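Review bot: Switching the lookups to `.Values.pod.annotations` and `.Values.pod.labels` means an existing override that still sets `podAnnotations` or `podLabels` is silently ignored, because Helm does not reject unknown values keys on its own. Consider a guard for the old keys such as `{{- if .Values.podAnnotations }}{{ fail "podAnnotations moved to pod.annotations" }}{{- end }}`, or a `values.schema.json` with `additionalProperties: false`, so the breaking change fails loudly at install time.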
Expand All @@ -26,11 +26,23 @@ spec:
{{- toYaml . | nindent 8 }}
{{- end }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
{{- toYaml .Values.pod.securityContext | nindent 8 }}
initContainers:
- name: init
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
securityContext:
{{- toYaml .Values.containers.securityContext | nindent 12 }}
command:
{{- toYaml .Values.initContainers.command | nindent 12 }}
{{- with .Values.initContainers.volumeMounts }}
volumeMounts:
{{- toYaml . | nindent 12 }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
{{- toYaml .Values.containers.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
ports:
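Review bot: The `initContainers:` block is rendered unconditionally and `command:` is emitted with a bare `toYaml .Values.initContainers.command`, unlike `volumeMounts`, which is wrapped in `with`. If a user nulls or drops `initContainers.command`, the manifest renders `command: null` and the copy step no longer runs; wrap the whole init container in `{{- with .Values.initContainers }}` or use `required` on the command. The init container also gets no `resources`, which matters in namespaces that enforce a ResourceQuota.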
Expand All @@ -41,12 +53,14 @@ spec:
{{- toYaml .Values.readinessProbe | nindent 12 }}
resources:
{{- toYaml .Values.resources | nindent 12 }}
env:
{{- toYaml .Values.containers.env | nindent 12 }}
envFrom:
- secretRef:
name: {{ .Values.secrets.whylabsApiKey.name }}
- secretRef:
name: {{ .Values.secrets.langkitApiSecret.name }}
{{- with .Values.volumeMounts }}
{{- with .Values.containers.volumeMounts }}
volumeMounts:
{{- toYaml . | nindent 12 }}
{{- end }}
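Review bot: `env:` is rendered without a `with` guard, so an empty `containers.env` produces `env: null` or `env: []` in the manifest, while the `volumeMounts` block right below it is guarded. Wrapping it as `{{- with .Values.containers.env }}` keeps the two consistent. Also worth documenting: a user who overrides `containers.env` replaces the whole list, since Helm does not merge lists, and drops the `HOME` and `HF_HOME` defaults unless they restate them.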
87 changes: 51 additions & 36 deletions charts/langkit/values.yaml
@@ -1,12 +1,5 @@
replicaCount: 3

image:
repository: whylabs/whylogs
pullPolicy: IfNotPresent
tag: py-llm-1.0.2.dev1
containerPort: 8000

imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""

Expand All @@ -26,31 +19,47 @@ ingress:
# hosts:
# - chart-example.local

podAnnotations: {}
podLabels: {}
image:
repository: whylabs/whylogs
pullPolicy: Always
tag: py-llm-1.0.2.dev2
containerPort: 8000

podSecurityContext: {}
# fsGroup: 2000
imagePullSecrets: []

securityContext:
readOnlyRootFilesystem: true
# capabilities:
# drop:
# - ALL
# runAsNonRoot: true
# runAsUser: 1000
pod:
annotations: {}
labels: {}
securityContext: {}
# fsGroup: 2000
# runAsNonRoot: true
# runAsUser: 1000

secrets:
# kubectl create secret generic whylabs-api-key \
# --namespace=langkit \
# --from-literal=WHYLABS_API_KEY=<whylabs-api-key>
whylabsApiKey:
name: whylabs-api-key
# kubectl create secret generic langkit-api-secret \
# --namespace=langkit \
# --from-literal=CONTAINER_PASSWORD=<llangkit-api-secret>
langkitApiSecret:
name: langkit-api-secret
containers:
securityContext:
readOnlyRootFilesystem: true
runAsUser: 1000
# capabilities:
# drop:
# - ALL
# runAsNonRoot: true
# runAsUser: 1000
env:
- name: HOME
value: "/home"
- name: HF_HOME
value: "/home/.cache/hf_home"
volumeMounts:
- name: temp-dir
mountPath: /tmp
- name: home
mountPath: /home

initContainers:
command: ["sh", "-c", "cp -R /opt/whylogs-container/.cache /home/"]
volumeMounts:
- name: home
mountPath: /home

service:
type: ClusterIP
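Review bot: In `containers.securityContext` only `runAsUser: 1000` is enabled; `runAsNonRoot: true` and the `capabilities.drop: ALL` block stay commented out, and the commented `# runAsUser: 1000` now duplicates the active key. Since the point of this release is running as non-root by default, enable `runAsNonRoot: true` (and consider `allowPrivilegeEscalation: false` plus dropping all capabilities) so the kubelet refuses to start the container if the UID is ever overridden to 0, and delete the leftover comment. Separately, `pullPolicy` goes from `IfNotPresent` to `Always` with no CHANGELOG line; with a pinned tag this adds a registry round trip to every pod start, so it should be either reverted or called out.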
Expand All @@ -63,6 +72,18 @@ resources:
limits:
cpu: "8"
memory: 16Gi

secrets:
# kubectl create secret generic whylabs-api-key \
# --namespace=langkit \
# --from-literal=WHYLABS_API_KEY=<whylabs-api-key>
whylabsApiKey:
name: whylabs-api-key
# kubectl create secret generic langkit-api-secret \
# --namespace=langkit \
# --from-literal=CONTAINER_PASSWORD=<llangkit-api-secret>
langkitApiSecret:
name: langkit-api-secret

livenessProbe:
tcpSocket:
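Review bot: The relocated comment for `langkitApiSecret` still reads `--from-literal=CONTAINER_PASSWORD=<llangkit-api-secret>`; the placeholder has a doubled `l` and should be `<langkit-api-secret>`. Since the block is being moved anyway, this is a good moment to fix it.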
Expand Down Expand Up @@ -99,11 +120,5 @@ affinity:
volumes:
- name: temp-dir
emptyDir: {}
- name: root-config
- name: home
emptyDir: {}

volumeMounts:
- name: temp-dir
mountPath: /tmp
- name: root-config
mountPath: /root/.config
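Review bot: The new `home` volume is a plain `emptyDir: {}` with no `sizeLimit`, and the init container copies `/opt/whylogs-container/.cache` into it on every pod start. That copy counts against node ephemeral storage for each of the 3 replicas; set a `sizeLimit` on the volume (or an `ephemeral-storage` request under `resources`) sized to the cache so an oversized copy is caught per pod instead of filling the node.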