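# Default values for the CodeRAG Helm chart.
# This is a YAML-formatted file. Override any of these with `--set` or `-f my-values.yaml`.
#
# Quick start (server-only, indexing a public git repo):
#
#   helm install coderag ./deploy/helm/coderag \
#     --set workspace.git.repository=https://github.com/Neverdecel/CodeRAG.git
#
# See deploy/README.md for the full guide (UI, ingress, private repos, OpenAI/Anthropic).
#
# NOTE(review): the nesting below was reconstructed from an indentation-stripped copy of
# this file; verify key placement against the chart templates before relying on it.

# -- Override the chart name used in resource names (rarely needed).
nameOverride: ""
# -- Fully override the generated resource name prefix.
fullnameOverride: ""

image:
  # -- Container image repository. The UI reuses this repo with the `uiSuffix` appended.
  repository: ghcr.io/neverdecel/coderag
  # -- Image tag. Empty defaults to the rolling `beta` channel. Pin to an immutable
  # `sha-<commit>` tag for reproducible deploys.
  tag: ""
  # -- Suffix appended to `tag` for the web UI image (published as `:beta-ui`).
  uiSuffix: "-ui"
  # -- With the default (mutable) `beta` tag, IfNotPresent means a node that already
  # cached that tag keeps running the old image; pinning `tag` to `sha-<commit>` (or a
  # digest) is what makes rollouts and provenance deterministic, not the pull policy.
  pullPolicy: IfNotPresent
  # -- Names of pre-created docker-registry Secrets for pulling private images.
  pullSecrets: []

# --- The codebase CodeRAG indexes (mounted at workspace.mountPath in every pod) ---
workspace:
  # -- How the codebase gets into the pod:
  #   emptyDir      — empty volume (default): the chart installs and runs standalone with
  #                   no required config; point it at your code by switching to one of the
  #                   sources below, or populate it via extraInitContainers / `kubectl cp`.
  #   git           — an init container clones workspace.git.repository into an emptyDir.
  #   existingClaim — mount a PVC you have already populated with your code.
  source: emptyDir
  # -- Where the codebase is mounted (maps to CODERAG_WATCHED_DIR).
  mountPath: /workspace
  # -- Mount the workspace read-only in the app container (writes happen via the
  # git init/sync containers, never the app).
  readOnly: true
  git:
    # -- Repository to clone. REQUIRED when source=git. Do not embed credentials in the
    # URL: values are stored in the release and surface via `helm get values`; private
    # repos are covered in deploy/README.md (extraVolumes / extraInitContainers).
    repository: ""
    # -- Branch or tag to check out. Empty clones the default branch.
    ref: ""
    # -- Shallow-clone depth (1 = latest commit only). Set 0 for a full clone.
    depth: 1
    # -- Image providing the `git` binary for the clone/sync containers.
    # Digest-pinned for supply-chain integrity (re-resolve with
    # `docker buildx imagetools inspect alpine/git:2.45.2`).
    image: alpine/git:2.45.2@sha256:16ad8e788e1d3b0c30f18da8dde5c0ace3b187445a62d8af893b003ca1e70592
    # -- Resource requests/limits for the git clone init container and the sync
    # sidecar. Set by default so the sidecar satisfies clusters that mandate
    # resources on every container (e.g. Kyverno require-resources / LimitRange).
    resources:
      requests:
        cpu: 10m
        memory: 32Mi
      limits:
        cpu: 100m
        memory: 64Mi
    # -- Optional: keep the workspace fresh with a sidecar that `git pull`s on an interval.
    sync:
      enabled: false
      # -- Seconds between pulls.
      periodSeconds: 300
  # -- PVC name to mount when source=existingClaim.
  existingClaim: ""

# --- Persistent index (LanceDB store + downloaded model) ---
# CodeRAG is a single-writer engine, so each writer (the server, or the UI when
# enabled) gets its own ReadWriteOnce volume. Do not point two writers at one claim.
persistence:
  # -- Persist the index to a PVC. When false, an ephemeral emptyDir is used and the
  # index is rebuilt on every restart (fine for demos, not for real use).
  enabled: true
  # -- Where the index lives (maps to CODERAG_STORE_DIR).
  mountPath: /data
  size: 10Gi
  # -- StorageClass for dynamic provisioning. Works out of the box on most clusters:
  #   ""        use the cluster's DEFAULT StorageClass (EKS gp3/gp2, GKE standard-rwo,
  #             AKS managed-csi, k3s local-path, Minikube/kind standard, …).
  #   "<name>"  a specific class, e.g. "longhorn", "nfs-client", "openebs-hostpath", "gp3".
  #   "-"       disable dynamic provisioning and bind statically (see volumeName/selector).
  storageClass: ""
  # ReadWriteOnce suits the single-writer index. ReadWriteMany also works if your storage
  # (NFS, CephFS, …) provides it, but is not required.
  accessModes:
    - ReadWriteOnce
  # -- Bind a specific pre-provisioned PersistentVolume (static provisioning — common for
  # NFS / hostPath / local PVs in self-managed clusters). Usually paired with storageClass: "-".
  volumeName: ""
  # -- Match a pre-provisioned PV by labels instead of by name.
  selector: {}
  # -- Extra annotations on the PVC (storage-driver hints, backup policies, …).
  annotations: {}
  # -- Mount an existing PVC for the SERVER index instead of creating one.
  existingClaim: ""
  # NOTE(review): placed under `persistence` because the section header covers the
  # downloaded model; confirm whether the templates read `persistence.modelCache.dir`
  # or a top-level `modelCache.dir`.
  modelCache:
    # -- Where the local embedding model is cached (maps to CODERAG_CACHE_DIR). Defaults
    # to a subdirectory of the data volume so the ~130 MB model is downloaded once and
    # survives restarts. Set to a path on a separate volume if you prefer.
    dir: /data/.model-cache

# --- Engine configuration (rendered into a ConfigMap; CODERAG_* env) ---
config:
  # fastembed (local, no key) | openai | fake
  provider: fastembed
  model: BAAI/bge-small-en-v1.5
  topK: 8
  # LLM answer backend (only used by the optional `--answer` / UI answer feature).
  llmProvider: openai
  chatModel: gpt-4o-mini
  anthropicModel: claude-opus-4-8
  # -- Point at a self-hosted OpenAI-compatible server (Ollama, vLLM, …). Optional.
  openaiBaseUrl: ""
  # -- Arbitrary extra CODERAG_* (or other) env vars added to the ConfigMap.
  # A ConfigMap is not a Secret: keep API keys and tokens in `secrets` below.
  extraEnv: {}

# --- Secrets: API keys for providers + the optional CodeRAG API key ---
#
# PREFERRED: hand the chart a pre-created Secret via `existingSecret` so no
# credential is ever written into your values/CI. The inline *ApiKey fields below
# are for quick demos ONLY — they land in the release's stored values in plaintext.
#
# Expected keys in the Secret (all optional; supply only what you use):
#   OPENAI_API_KEY      OpenAI embeddings / LLM answers
#   ANTHROPIC_API_KEY   Anthropic LLM answers
#   CODERAG_API_KEY     turns ON API authentication (see below)
secrets:
  # -- Use a pre-existing Secret (RECOMMENDED). Takes precedence over the inline
  # keys below and over `create`. Keys: OPENAI_API_KEY / ANTHROPIC_API_KEY / CODERAG_API_KEY.
  existingSecret: ""
  # -- Create a chart-managed Secret from the inline keys below. Ignored when
  # `existingSecret` is set.
  create: true
  # !! DEMO ONLY — prefer existingSecret. Inline values are stored in the Helm
  # !! release (plaintext) and may leak via `helm get values` / CI logs.
  openaiApiKey: ""
  anthropicApiKey: ""
  # -- API authentication key for CodeRAG's HTTP API. The server is UNAUTHENTICATED
  # unless CODERAG_API_KEY is set; when set, every request must present it. Setting
  # this (or providing CODERAG_API_KEY via existingSecret) turns auth ON for the
  # server, the UI, and the in-cluster index/reindex jobs. DEMO ONLY — prefer
  # supplying CODERAG_API_KEY through existingSecret.
  # The key is sent on every request, so expose the API only over TLS (see ingress.tls).
  apiKey: ""

# --- HTTP/REST API (the primary, recommended surface) ---
server:
  enabled: true
  containerPort: 8000
  service:
    type: ClusterIP
    port: 8000
    annotations: {}
  resources:
    requests:
      cpu: 250m
      memory: 512Mi
    limits:
      cpu: "2"
      memory: 2Gi
  # -- First boot downloads the embedding model before the API binds, so give the
  # startup probe generous headroom (periodSeconds * failureThreshold = max boot time).
  startupProbe:
    periodSeconds: 10
    failureThreshold: 30
  podAnnotations: {}
  # -- Extra env vars (list of {name,value|valueFrom}) for the server container.
  extraEnv: []

# --- Web UI (optional) ---
# The UI image bundles the engine and reads a LanceDB store at CODERAG_STORE_DIR.
# Two topologies:
#
# useServerIndex: false (default) — INDEPENDENT instance with its OWN data volume
#   (…-ui-data). Nothing populates it automatically: the index/reindex Jobs drive the
#   SERVER's volume, not this one. Build it with the in-app "Reindex" button — which is
#   DISABLED in demo mode, so a demo UI left on the default will show 0 files/0 chunks.
#
# useServerIndex: true (RECOMMENDED for a read-only / demo UI) — the UI mounts the
#   SERVER's index volume READ-ONLY and serves whatever the index Job built. No second
#   writer, no separate PVC, always in sync with the server. See `useServerIndex` below.
ui:
  enabled: false
  containerPort: 8501
  # -- Share the SERVER's index instead of keeping a separate (empty) UI volume. When
  # true the UI mounts the server's data PVC READ-ONLY at persistence.mountPath, so it
  # shows the index built by the init/reindex Jobs and can never corrupt the writer's
  # store. No …-ui-data PVC is created. Requirements & caveats:
  #   * The server (persistence) must be enabled — that's the volume being shared.
  #   * Access mode: the server PVC is ReadWriteOnce by default, so the UI and server
  #     pods must land on the SAME node. Either set `coLocateWithServer: true` below, or
  #     give persistence a ReadWriteMany storageClass (NFS/CephFS/EFS/Longhorn-RWX/…).
  #   * The UI's model cache is redirected to a writable in-pod volume automatically
  #     (the shared index mount is read-only), so query embedding still works.
  #   * Reindex stays a SERVER action (Job/CronJob); the in-app button is irrelevant here.
  useServerIndex: false
  # -- Pin the UI pod onto the same node as the server pod via podAffinity. REQUIRED with
  # useServerIndex on ReadWriteOnce storage (a single RWO volume attaches to one node).
  # Harmless (but unnecessary) on ReadWriteMany. Ignored when useServerIndex is false.
  coLocateWithServer: false
  # -- Deployment update strategy. Defaults to Recreate: the UI is a single writer on
  # a ReadWriteOnce volume, so the old pod must release the claim before the new one
  # binds it. The cost is a brief gap with no Ready pod on every image change — visible
  # behind an ingress as a 502 / "no available server".
  #
  # Switch to a zero-surge RollingUpdate to make image rollouts seamless (new pod goes
  # Ready before the old one is removed) ONLY when BOTH hold:
  #   1. the volume tolerates two pods mounting it at once — same-node RWO (e.g. k3s
  #      local-path, where the surge pod lands on the same node) or a ReadWriteMany
  #      class — otherwise the surge pod is stuck Pending and the rollout stalls; and
  #   2. there are no concurrent index writes during the overlap (the UI only writes on
  #      Reindex, so a read-only / demo-mode UI is safe; a UI actively reindexing is not).
  # Worst case if (1) is misjudged is a stalled-but-still-up rollout, never an outage.
  # strategy:
  #   type: RollingUpdate
  #   rollingUpdate:
  #     maxUnavailable: 0
  #     maxSurge: 1
  strategy:
    type: Recreate
  service:
    type: ClusterIP
    port: 8501
    annotations: {}
  persistence:
    size: 10Gi
    # Same semantics as persistence.storageClass above ("" = default, "-" = static).
    storageClass: ""
    accessModes:
      - ReadWriteOnce
    volumeName: ""
    selector: {}
    annotations: {}
    existingClaim: ""
  resources:
    requests:
      cpu: 100m
      memory: 256Mi
    limits:
      cpu: "1"
      memory: 1Gi
  startupProbe:
    periodSeconds: 10
    failureThreshold: 30
  podAnnotations: {}
  extraEnv: []

# --- Indexing (drives the SERVER over HTTP — no second writer on the volume) ---
index:
  # -- One-shot Job, re-created each `helm upgrade`, that waits for the server and then
  # triggers a build via POST /index. Keeps the index populated without manual steps.
  initJob:
    enabled: true
    # Force a clean rebuild (full=true) instead of an incremental update.
    full: true
    backoffLimit: 3
    # Auto-clean finished Jobs after this many seconds.
    ttlSecondsAfterFinished: 600
  # -- Recurring reindex to pick up workspace changes (pairs well with git.sync).
  cronjob:
    enabled: false
    schedule: "*/30 * * * *"
    full: false
    backoffLimit: 2
    concurrencyPolicy: Forbid
  # -- Image used by the index/reindex jobs (needs curl + sh).
  # Digest-pinned for supply-chain integrity (re-resolve with
  # `docker buildx imagetools inspect curlimages/curl:8.11.1`).
  image: curlimages/curl:8.11.1@sha256:c1fe1679c34d9784c1b0d1e5f62ac0a79fca01fb6377cdd33e90473c6f9f9a69
  resources:
    requests:
      cpu: 50m
      memory: 64Mi
    limits:
      cpu: 200m
      memory: 128Mi

ingress:
  enabled: false
  className: ""
  annotations: {}
  hosts:
    - host: coderag.local
      paths:
        - path: /
          pathType: Prefix
          # Which service to route to: server | ui
          service: server
  # -- Empty means the ingress serves plain HTTP. Configure TLS here whenever
  # `secrets.apiKey` / CODERAG_API_KEY is in use, so the key is not sent in the clear.
  tls: []

serviceAccount:
  create: true
  name: ""
  annotations: {}
  # -- CodeRAG never talks to the Kubernetes API, so the token is not mounted.
  automountServiceAccountToken: false

# --- Pod- and container-level hardening (applied to every workload) ---
podSecurityContext:
  runAsNonRoot: true
  runAsUser: 10001
  runAsGroup: 10001
  # Make mounted volumes group-writable by the non-root coderag user (uid/gid 10001).
  fsGroup: 10001
  seccompProfile:
    type: RuntimeDefault
securityContext:
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  capabilities:
    drop:
      - ALL

# --- NetworkPolicy: default-deny ingress to the server, allow only known clients ---
# Off by default to preserve zero-config installs, but RECOMMENDED in any shared
# cluster (see deploy/README.md). When enabled, the server pod accepts traffic on
# the API port (server.containerPort) only from the UI pods, the index/reindex jobs,
# and — if you set ingressController labels — the ingress controller. Egress is
# restricted to DNS (53) and HTTPS (443) for git/model/provider access.
networkPolicy:
  enabled: false
  # -- Also restrict EGRESS (DNS + HTTPS only). Disable if your egress needs other
  # ports (e.g. a self-hosted model server on a custom port — add it via extraEgress).
  egress:
    enabled: true
  # -- Select your ingress-controller pods so they may reach the API. Empty = the
  # ingress controller is NOT granted access by the policy (use only in-cluster
  # clients). Example for ingress-nginx:
  # ingressController:
  #   namespaceSelector:
  #     matchLabels: { kubernetes.io/metadata.name: ingress-nginx }
  #   podSelector:
  #     matchLabels: { app.kubernetes.io/name: ingress-nginx }
  ingressController:
    namespaceSelector: {}
    podSelector: {}
  # -- Extra ingress rules appended verbatim (list of NetworkPolicyIngressRule).
  extraIngress: []
  # -- Extra egress rules appended verbatim (list of NetworkPolicyEgressRule).
  extraEgress: []

# --- Pod-level escape hatches (private-repo git auth, custom CA, …) ---
extraVolumes: []
extraVolumeMounts: []
extraInitContainers: []
nodeSelector: {}
tolerations: []
affinity: {}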