Merge branch 'main' into jeff/security-enhancements

jeffmccollum · jeffmccollum · commit 0d993b51422c · 2025-12-15T09:42:06.000-06:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -180,7 +180,7 @@ jobs:
           ### Installation
           \`\`\`bash
 
-          helm install braintrust oci://${{ steps.push-chart.outputs.chart_url }}/${{ env.CHART_NAME }} --version $CHART_VERSION
+          helm install braintrust ${{ steps.push-chart.outputs.chart_url }}/${{ env.CHART_NAME }} --version $CHART_VERSION
           \`\`\`
           EOF
 
diff --git a/README.md b/README.md
@@ -7,13 +7,12 @@ This repository contains the official Helm chart for deploying Braintrust's self
 ### Install from OCI Registry
 
 ```bash
-helm install braintrust oci://public.ecr.aws/braintrust/helm/braintrust
-```
-
-To install a specific version:
-
-```bash
-helm install braintrust oci://public.ecr.aws/braintrust/helm/braintrust --version 1.2.3
+helm upgrade --install \
+  --namespace braintrust --create-namespace \
+  braintrust \
+  oci://public.ecr.aws/braintrust/helm/braintrust \
+  --version 1.2.3 \
+  --values helm-values.yaml
 ```
 
 ## Prerequisites
diff --git a/braintrust/Chart.yaml b/braintrust/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: braintrust
-version: 2.1.0
+version: 3.0.3
 description: A Helm chart to run the Braintrust services for the self-hosted data plane
 type: application
 home: https://github.com/braintrustdata/helm
diff --git a/braintrust/README.md b/braintrust/README.md
@@ -2,7 +2,7 @@
 
 ## Prerequisites
 
-This helm chart requires a Kubernetes secret named `braintrust-secrets` to exist in the namespace where the chart is installed. Azure users can optionally use the Azure Key Vault CSI driver to automatically sync secrets from Azure Key Vault into Kubernetes (see below for details).
+This helm chart requires a Kubernetes secret named `braintrust-secrets` to exist in the namespace where the chart is installed. Azure users will automatically sync secrets from Azure Key Vault into Kubernetes (see below for details). AWS and Google users will need to manually create and manage the `braintrust-secrets` Kubernetes secret.
 
 ## Required Secrets
 
@@ -19,32 +19,30 @@ The `braintrust-secrets` secret must contain the following keys:
 | `GCS_ACCESS_KEY_ID` | Google HMAC Access ID string | Valid S3 API Key Id (only required if `cloud` is `google`) |
 | `GCS_SECRET_ACCESS_KEY` | Google HMAC Secret string | Valid S3 Secret string (only required if `cloud` is `google`) |
 
-## Azure Key Vault CSI Integration (Optional)
+## Azure Key Vault Driver Integration
 
-If you're using Azure, you can optionally use the Azure Key Vault CSI driver to automatically sync secrets from Azure Key Vault into Kubernetes. This eliminates the need to manually create and manage the `braintrust-secrets` Kubernetes secret.
+If you're using Azure, the Azure Key Vault CSI driver is default enabled and will automatically sync secrets from Azure Key Vault into Kubernetes. This eliminates the need to manually create and manage the `braintrust-secrets` Kubernetes secret.
 
 To enable this feature:
 
-1. Set `azureKeyVaultCSI.enabled: true` in your values.yaml
-2. Configure your Key Vault details:
+1. Configure your Key Vault details:
 
    ```yaml
-   azureKeyVaultCSI:
-     enabled: true
-     name: "your-keyvault-name"
-     userAssignedIdentityID: "your-identity-id"
-     clientID: "your-client-id"
+   azure:
+     keyVaultName: "your-keyvault-name"
+     keyVaultCSIclientID: "your-client-id" # This should come from the terraform module
      tenantId: "your-tenant-id"
    ```
 
-3. Optionally map your Key Vault secret names to the required Kubernetes secret keys. This is only required if you aren't using our terraform module. The defaults assume you are using the Braintrust terraform module to deploy the base infrastructure.
+2. Optionally map your Key Vault secret names to the required Kubernetes secret keys. This is only required if you aren't using our terraform module. The defaults assume you are using the Braintrust terraform module to deploy the base infrastructure.
 
    ```yaml
-   secrets:
-     - keyVaultSecretName: "your-redis-secret-name"
-       kubernetesSecretKey: "REDIS_URL"
-       keyVaultSecretType: "secret"
-     # ... other secret mappings
+   azureKeyVaultDriver:
+     secrets:
+       - keyVaultSecretName: "your-redis-secret-name"
+         kubernetesSecretKey: "REDIS_URL"
+         keyVaultSecretType: "secret"
+       # ... other secret mappings
    ```
 
 The CSI driver will:
@@ -91,7 +89,7 @@ brainstore:
 - Ephemeral-storage requests ensure proper SSD allocation
 - Each brainstore pod gets its own dedicated node with full access to local SSDs
 
-**Supported machine families:** c4, c4d,
+**Supported machine families:** c4, c4d
 
 ### GKE Standard Mode
 
@@ -102,7 +100,7 @@ For Standard mode clusters, create node pools with local SSDs, then deploy:
    cloud: "google"
 
    google:
-     mode: "standard" 
+     mode: "standard"
 
    brainstore:
      reader:
@@ -150,10 +148,6 @@ For Standard mode clusters, create node pools with local SSDs, then deploy:
 - Local SSDs are automatically available via emptyDir volumes
 - Pod anti-affinity ensures readers and writers don't share nodes (each pod gets dedicated node access)
 
-## Notes
-
-- The `AZURE_STORAGE_CONNECTION_STRING` may or may not contain an AccountKey or SAS token depending on the storage account configuration. If a key or token is not provided, workload identity will be used.
-- When using Azure Key Vault CSI, ensure your AKS cluster has the CSI driver installed and the managed identity has the correct permissions in Key Vault.
 
 ## Breaking Changes
 
diff --git a/braintrust/templates/api-deployment.yaml b/braintrust/templates/api-deployment.yaml
@@ -60,6 +60,14 @@ spec:
             - containerPort: {{ .Values.api.service.port }}
           resources:
             {{- toYaml .Values.api.resources | nindent 12 }}
+          {{- with .Values.api.livenessProbe }}
+          livenessProbe:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.api.readinessProbe }}
+          readinessProbe:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
           envFrom:
             - configMapRef:
                 name: {{ .Values.api.name }}
@@ -103,6 +111,10 @@ spec:
                   name: braintrust-secrets
                   key: GCS_SECRET_ACCESS_KEY
             {{- end }}
+            - name: TS_API_HEALTHSERVER_HOST
+              value: "0.0.0.0"
+            - name: TS_API_HEALTHSERVER_PORT
+              value: "8001"
             {{- if .Values.api.extraEnvVars }}
             {{- toYaml .Values.api.extraEnvVars | nindent 12 }}
             {{- end }}
@@ -114,9 +126,9 @@ spec:
             - name: NODE_EXTRA_CA_CERTS
               value: "/etc/braintrust/tls/ca-bundle.pem"
             {{- end }}
-          {{- if or .Values.azureKeyVaultCSI.enabled .Values.customTLSCABundle }}
+          {{- if or (and (eq .Values.cloud "azure") .Values.azure.enableAzureKeyVaultDriver) .Values.customTLSCABundle }}
           volumeMounts:
-            {{- if .Values.azureKeyVaultCSI.enabled }}
+            {{- if and (eq .Values.cloud "azure") .Values.azure.enableAzureKeyVaultDriver }}
             - name: secrets-store-inline
               mountPath: "/mnt/secrets-store"
               readOnly: true
@@ -127,7 +139,7 @@ spec:
               readOnly: true
             {{- end }}
           {{- end }}
-      {{- if or .Values.azureKeyVaultCSI.enabled .Values.customTLSCABundle }}
+      {{- if or (and (eq .Values.cloud "azure") .Values.azure.enableAzureKeyVaultDriver) .Values.customTLSCABundle }}
       volumes:
         {{- if .Values.customTLSCABundle }}
         - name: tls-ca
@@ -139,13 +151,13 @@ spec:
                     - key: "CA_PEM"
                       path: "ca-bundle.pem"
         {{- end }}
-        {{- if .Values.azureKeyVaultCSI.enabled }}
+        {{- if and (eq .Values.cloud "azure") .Values.azure.enableAzureKeyVaultDriver }}
         - name: secrets-store-inline
           csi:
             driver: secrets-store.csi.k8s.io
             readOnly: true
             volumeAttributes:
-              secretProviderClass: {{ .Values.azureKeyVaultCSI.name }}
+              secretProviderClass: {{ .Values.azure.keyVaultName }}
         {{- end }}
       {{- end }}
 
diff --git a/braintrust/templates/brainstore-reader-deployment.yaml b/braintrust/templates/brainstore-reader-deployment.yaml
@@ -83,6 +83,14 @@ spec:
             limits:
               cpu: {{ .Values.brainstore.reader.resources.limits.cpu | quote }}
               memory: {{ .Values.brainstore.reader.resources.limits.memory | quote }}
+          {{- with .Values.brainstore.livenessProbe }}
+          livenessProbe:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.brainstore.readinessProbe }}
+          readinessProbe:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
           envFrom:
             - configMapRef:
                 name: {{ .Values.brainstore.reader.name }}
@@ -114,6 +122,11 @@ spec:
                 secretKeyRef:
                   name: braintrust-secrets
                   key: BRAINSTORE_LICENSE_KEY
+            - name: FUNCTION_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: braintrust-secrets
+                  key: FUNCTION_SECRET_KEY
             {{- if .Values.brainstore.reader.extraEnvVars }}
             {{- toYaml .Values.brainstore.reader.extraEnvVars | nindent 12 }}
             {{- end }}
@@ -124,7 +137,7 @@ spec:
           volumeMounts:
             - name: cache-volume
               mountPath: {{ .Values.brainstore.reader.cacheDir }}
-            {{- if .Values.azureKeyVaultCSI.enabled }}
+            {{- if and (eq .Values.cloud "azure") .Values.azure.enableAzureKeyVaultDriver }}
             - name: secrets-store-inline
               mountPath: "/mnt/secrets-store"
               readOnly: true
@@ -136,14 +149,26 @@ spec:
             {{- end }}
       volumes:
         - name: cache-volume
+          {{- if and (eq .Values.cloud "azure") .Values.azure.enableAzureContainerStorageDriver }}
+          ephemeral:
+            volumeClaimTemplate:
+              spec:
+                volumeMode: Filesystem
+                accessModes: ["ReadWriteOnce"]
+                storageClassName: local
+                resources:
+                  requests:
+                    storage: {{ required "brainstore.reader.volume.size must be set" .Values.brainstore.reader.volume.size | quote }}
+          {{- else }}
           emptyDir: {}
-        {{- if .Values.azureKeyVaultCSI.enabled }}
+          {{- end }}
+        {{- if and (eq .Values.cloud "azure") .Values.azure.enableAzureKeyVaultDriver }}
         - name: secrets-store-inline
           csi:
             driver: secrets-store.csi.k8s.io
             readOnly: true
             volumeAttributes:
-              secretProviderClass: {{ .Values.azureKeyVaultCSI.name }}
+              secretProviderClass: {{ .Values.azure.keyVaultName }}
         {{- end }}
         {{- if .Values.customTLSCABundle }}
         - name: tls-ca
diff --git a/braintrust/templates/brainstore-writer-deployment.yaml b/braintrust/templates/brainstore-writer-deployment.yaml
@@ -83,6 +83,14 @@ spec:
             limits:
               cpu: {{ .Values.brainstore.writer.resources.limits.cpu | quote }}
               memory: {{ .Values.brainstore.writer.resources.limits.memory | quote }}
+          {{- with .Values.brainstore.livenessProbe }}
+          livenessProbe:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.brainstore.readinessProbe }}
+          readinessProbe:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
           envFrom:
             - configMapRef:
                 name: {{ .Values.brainstore.writer.name }}
@@ -114,6 +122,11 @@ spec:
                 secretKeyRef:
                   name: braintrust-secrets
                   key: BRAINSTORE_LICENSE_KEY
+            - name: FUNCTION_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: braintrust-secrets
+                  key: FUNCTION_SECRET_KEY
             {{- if .Values.brainstore.writer.extraEnvVars }}
             {{- toYaml .Values.brainstore.writer.extraEnvVars | nindent 12 }}
             {{- end }}
@@ -124,7 +137,7 @@ spec:
           volumeMounts:
             - name: cache-volume
               mountPath: {{ .Values.brainstore.writer.cacheDir }}
-            {{- if .Values.azureKeyVaultCSI.enabled }}
+            {{- if and (eq .Values.cloud "azure") .Values.azure.enableAzureKeyVaultDriver }}
             - name: secrets-store-inline
               mountPath: "/mnt/secrets-store"
               readOnly: true
@@ -136,14 +149,26 @@ spec:
             {{- end }}
       volumes:
         - name: cache-volume
+          {{- if and (eq .Values.cloud "azure") .Values.azure.enableAzureContainerStorageDriver }}
+          ephemeral:
+            volumeClaimTemplate:
+              spec:
+                volumeMode: Filesystem
+                accessModes: ["ReadWriteOnce"]
+                storageClassName: local
+                resources:
+                  requests:
+                    storage: {{ required "brainstore.writer.volume.size must be set" .Values.brainstore.writer.volume.size | quote }}
+          {{- else }}
           emptyDir: {}
-        {{- if .Values.azureKeyVaultCSI.enabled }}
+          {{- end }}
+        {{- if and (eq .Values.cloud "azure") .Values.azure.enableAzureKeyVaultDriver }}
         - name: secrets-store-inline
           csi:
             driver: secrets-store.csi.k8s.io
             readOnly: true
             volumeAttributes:
-              secretProviderClass: {{ .Values.azureKeyVaultCSI.name }}
+              secretProviderClass: {{ .Values.azure.keyVaultName }}
         {{- end }}
         {{- if .Values.customTLSCABundle }}
         - name: tls-ca
diff --git a/braintrust/templates/secretproviderclass.yaml b/braintrust/templates/secretproviderclass.yaml
@@ -1,8 +1,8 @@
-{{- if .Values.azureKeyVaultCSI.enabled }}
+{{- if and (eq .Values.cloud "azure") .Values.azure.enableAzureKeyVaultDriver }}
 apiVersion: secrets-store.csi.x-k8s.io/v1
 kind: SecretProviderClass
 metadata:
-  name: {{ .Values.azureKeyVaultCSI.name }}
+  name: {{ .Values.azure.keyVaultName }}
   namespace: {{ include "braintrust.namespace" . }}
   {{- with .Values.global.labels }}
   labels:
@@ -14,19 +14,19 @@ spec:
   - secretName: braintrust-secrets
     type: Opaque
     data:
-      {{- range .Values.azureKeyVaultCSI.secrets }}
+      {{- range .Values.azureKeyVaultDriver.secrets }}
       - key: {{ .kubernetesSecretKey }}
         objectName: {{ .keyVaultSecretName }}
       {{- end }}
   parameters:
     usePodIdentity: "false"
     useVMManagedIdentity: "false"
-    keyvaultName: "{{ .Values.azureKeyVaultCSI.name }}"
-    clientID: "{{ .Values.azureKeyVaultCSI.clientID }}"
-    tenantId: "{{ .Values.azureKeyVaultCSI.tenantId }}"
+    keyvaultName: "{{ .Values.azure.keyVaultName }}"
+    clientID: "{{ .Values.azure.keyVaultCSIclientID }}"
+    tenantId: "{{ .Values.azure.tenantId }}"
     objects: |
       array:
-        {{- range .Values.azureKeyVaultCSI.secrets }}
+        {{- range .Values.azureKeyVaultDriver.secrets }}
         - |
           objectName: {{ .keyVaultSecretName }}
           objectType: {{ .keyVaultSecretType }}
diff --git a/braintrust/templates/storageclass.yaml b/braintrust/templates/storageclass.yaml
@@ -0,0 +1,10 @@
+{{- if and (eq .Values.cloud "azure") .Values.azure.enableAzureContainerStorageDriver }}
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: local
+provisioner: localdisk.csi.acstor.io
+reclaimPolicy: Delete
+volumeBindingMode: WaitForFirstConsumer
+allowVolumeExpansion: true
+{{- end }}
diff --git a/braintrust/values.yaml b/braintrust/values.yaml
