Add Helm chart for Kubernetes deployment of CodeRAG #14
Merged
Self-host the CodeRAG HTTP/REST API (and optional Streamlit UI) on Kubernetes for teams who want a shared, always-on deployment.

The chart is built around CodeRAG's single-writer model (SQLite source of truth + non-atomic FAISS cache):
- 1 replica, Recreate strategy, ReadWriteOnce PVC — never two writers on one index.
- Indexing is driven over HTTP (initial Job + optional reindex CronJob), so no second pod ever mounts the index volume.
- The embedding model is cached on the data volume (CODERAG_CACHE_DIR) and a generous startup probe covers the first download before liveness kicks in.
- Codebase sourced via a git init container (with optional git-sync sidecar), an existing PVC, or an emptyDir; mounted read-only into the engine.
- Hardened defaults: non-root (uid 10001), read-only rootfs with writable /tmp, /data, /home, dropped capabilities, RuntimeDefault seccomp, no SA token.
- ConfigMap/Secret for CODERAG_* config and OpenAI/Anthropic keys; optional Ingress; Helm test; NOTES with next steps.

Also adds:
- deploy/README.md: full guide (private repos, keys, ingress, UI, reindex, plain-kubectl via `helm template`).
- .github/workflows/helm.yml: helm lint + template + kubeconform (k8s 1.27/1.29/1.31).
- README + .dockerignore updates.

Validated with helm lint, helm template, and kubeconform (strict) across the default and full value sets.

https://claude.ai/code/session_011ehFw23bFYqnEPe7HJCgpL

Make the chart easy to run inside any cluster:
- Standalone default: workspace.source now defaults to emptyDir, so
`helm install ./deploy/helm/coderag` runs with ZERO required config — a healthy
server on the cluster's default StorageClass with an empty index. Point it at code
later via workspace.source=git (repository) or existingClaim. `source=git` still
requires a repository (guarded with a clear error).
- Storage that fits common infrastructure:
  - storageClass "" uses the cluster default (EKS gp3, GKE standard-rwo, AKS managed-csi,
    k3s local-path, kind/minikube standard, …) — works out of the box.
  - storageClass "-" disables dynamic provisioning for static binding.
  - new persistence.volumeName / selector / annotations to bind a pre-provisioned PV
    (NFS, hostPath, local, Longhorn, …); mirrored under ui.persistence.
  - shared coderag.pvcSpec helper keeps server/ui PVCs consistent.
- Docs: deploy/README gains a Storage section (provider default classes, self-managed
provisioners, static PV binding, existingClaim) and a zero-config quick start;
NOTES.txt guides standalone users to attach their code.
- CI: also render the bare-defaults (standalone) path, and exercise the static-storage
fields via the default value set.
Validated with helm lint + kubeconform (strict) across standalone, static-storage, and
full value sets on k8s 1.27/1.29/1.31.
https://claude.ai/code/session_011ehFw23bFYqnEPe7HJCgpL
Summary

This PR adds a production-ready Helm chart for deploying CodeRAG on Kubernetes, enabling teams to self-host the HTTP API and optional Streamlit UI with persistent indexing, git-sourced workspaces, and hardened security defaults.

Key Changes

- Helm Chart (`deploy/helm/coderag/`): Complete chart with configurable deployments for the API server and optional UI
  - `Recreate` strategy to ensure safe SQLite/FAISS writes
  - `helm.sh/resource-policy: keep` to prevent accidental deletion
- Indexing Jobs: HTTP-driven indexing to maintain single-writer safety
- Workspace Management:
- Security Hardening:
  - `RuntimeDefault` seccomp
- Configuration & Values:
  - `values.yaml` with sensible defaults and detailed comments
- Documentation:
  - `deploy/README.md` with architecture overview, quick start, and common scenarios
- CI/CD:
  - `helm.yml`) for linting and schema validation across multiple Kubernetes versions (1.27, 1.29, 1.31)
- Root README Update: Added Kubernetes/Helm section with quick reference

Notable Implementation Details

- `replicas: 1` and `Recreate` strategy since FAISS index writes are non-atomic
- `POST /index` on the running server rather than mounting the volume directly, ensuring exactly one process touches index files

https://claude.ai/code/session_011ehFw23bFYqnEPe7HJCgpL
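
The single-writer and hardening defaults listed in this PR can be checked mechanically against a rendered manifest. The following is an added example, not code from the PR or the chart: it audits a Deployment given as a dict (for instance parsed from `helm template` output). The container name `coderag`, the sample manifest, and reading "dropped capabilities" as `drop: ["ALL"]` are assumptions.

```python
import copy

def audit(deploy):
    """Return findings for one Deployment dict; an empty list means all checks pass."""
    spec = deploy.get("spec", {})
    pod = spec.get("template", {}).get("spec", {})
    pod_sc = pod.get("securityContext", {})
    findings = []
    # Single-writer model: one replica, and Recreate so old and new pods never overlap.
    if spec.get("replicas", 1) != 1:
        findings.append("replicas != 1")
    if spec.get("strategy", {}).get("type", "RollingUpdate") != "Recreate":
        findings.append("strategy is not Recreate")
    # Kubernetes mounts a service-account token unless this is explicitly false.
    if pod.get("automountServiceAccountToken", True) is not False:
        findings.append("service account token mounted")
    for c in pod.get("initContainers", []) + pod.get("containers", []):
        sc = c.get("securityContext", {})
        eff = {**pod_sc, **sc}  # container-level fields override pod-level ones
        checks = {
            "non-root not enforced":
                eff.get("runAsNonRoot") is True and eff.get("runAsUser") != 0,
            "writable rootfs": sc.get("readOnlyRootFilesystem") is True,
            "capabilities not dropped": "ALL" in sc.get("capabilities", {}).get("drop", []),
            "seccomp not RuntimeDefault":
                eff.get("seccompProfile", {}).get("type") == "RuntimeDefault",
        }
        findings += [f"{c.get('name', '?')}: {msg}" for msg, ok in checks.items() if not ok]
    return findings

# Constructed sample mirroring the defaults listed in the PR (not rendered chart output).
HARDENED = {"spec": {"replicas": 1, "strategy": {"type": "Recreate"}, "template": {"spec": {
    "automountServiceAccountToken": False,
    "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "coderag", "securityContext": {
        "readOnlyRootFilesystem": True, "capabilities": {"drop": ["ALL"]}}}]}}}}

def weakened():
    """Constructed counter-example: two writers, rolling update, writable rootfs."""
    d = copy.deepcopy(HARDENED)
    d["spec"].update(replicas=2, strategy={"type": "RollingUpdate"})
    ctr = d["spec"]["template"]["spec"]["containers"][0]
    ctr["securityContext"]["readOnlyRootFilesystem"] = False
    return d

if __name__ == "__main__":
    for name, d in (("hardened", HARDENED), ("weakened", weakened())):
        print(name, audit(d) or "OK")
```
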