Merge pull request #214 from rootcodelabs/kubernetes

Kubernetes helm charts

Author: varmoh

.github/workflows/helm-dependency.yaml

@@ -0,0 +1,42 @@
+name: Helm Dependency Build
+
+on:
+  push:
+    branches:
+      - dev
+      - main
+    paths: 
+      - 'kubernetes/**'
+
+jobs:
+  build-dependencies:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+      with:
+        persist-credentials: true 
+
+    - name: Set up Helm
+      uses: azure/setup-helm@v3
+      with:
+        version: v3.12.0  
+
+    - name: Build Helm dependencies
+      working-directory: ./kubernetes
+      run: |
+        rm -f Chart.lock
+        helm dependency build
+
+    - name: Commit and push if dependencies updated
+      run: |
+        git config user.name "github-actions[bot]"
+        git config user.email "github-actions[bot]@users.noreply.github.com"
+        git add kubernetes/Chart.lock kubernetes/charts/
+        if ! git diff --cached --quiet; then
+          git commit -m "chore: update Helm dependencies (charts/ and Chart.lock)"
+          git push
+        else
+          echo "No changes to Helm dependencies."
+        fi

kubernetes/charts/Authentication-Layer/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: Authentication-Layer
+description: Authentication Layer Service for RAG
+type: application
+version: 0.1.0
+appVersion: "1.0"

kubernetes/charts/Authentication-Layer/templates/deployment-byk-authentication-layer.yaml

@@ -0,0 +1,34 @@
+{{- if .Values.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: "{{ .Values.release_name }}"
+  labels:
+    app: "{{ .Values.release_name }}"
+spec:
+  replicas: {{ .Values.replicas }}
+  selector:
+    matchLabels:
+      app: "{{ .Values.release_name }}"
+  template:
+    metadata:
+      labels:
+        app: "{{ .Values.release_name }}"
+    spec:
+      containers:
+        - name: "{{ .Values.release_name }}"
+          image: "{{ .Values.authentication.image.repository }}:{{ .Values.authentication.image.tag }}"
+          imagePullPolicy: {{ .Values.authentication.image.pullPolicy }}
+          ports:
+            - name: http
+              containerPort: {{ .Values.service.port }}
+              protocol: TCP
+          env:
+            - name: PORT
+              value: {{ .Values.authentication.environment.serverPort | quote }}
+            - name: TIM_SERVICE_URL
+              value: {{ .Values.authentication.environment.timServiceUrl | quote }}
+            - name: CORS_ORIGINS
+              value: {{ .Values.authentication.environment.corsOrigins | quote }}
+        
+{{- end }}

kubernetes/charts/Authentication-Layer/templates/ingress-byk-authentication-layer.yaml

@@ -0,0 +1,29 @@
+{{- if .Values.ingress.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: "{{ .Values.release_name }}-ingress"
+  annotations:
+    kubernetes.io/ingress.class: "nginx"
+    nginx.ingress.kubernetes.io/enable-cors: "true"
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    cert-manager.io/cluster-issuer: {{ .Values.ingress.certIssuerName | quote }}
+  labels:
+    name: "{{ .Values.release_name }}-ingress"
+spec:
+  rules:
+    - host: auth.{{ .Values.domain }}
+      http:
+        paths:
+          - pathType: Prefix
+            path: "/"
+            backend:
+              service:
+                name: "{{ .Values.release_name }}"
+                port:
+                  number: 3004
+  tls:
+    - hosts:
+        - auth.{{ .Values.domain }}
+      secretName: {{ .Values.secretname }}
+{{- end }}

kubernetes/charts/Authentication-Layer/templates/service-byk-authentication-layer.yaml

@@ -0,0 +1,17 @@
+{{- if .Values.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: "{{ .Values.release_name }}"
+  labels:
+    app: "{{ .Values.release_name }}"
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ .Values.service.port }}
+      targetPort: {{ .Values.service.port }}
+      protocol: TCP
+      name: http
+  selector:
+    app: "{{ .Values.release_name }}"
+{{- end }}

kubernetes/charts/Authentication-Layer/values.yaml

@@ -0,0 +1,35 @@
+replicas: 1
+enabled: true
+
+
+release_name: "authentication-layer"
+domain: "rag.local"    # need to set this 
+secretname: "authentication-layer-tls"
+
+ingress:
+  enabled: true
+  certIssuerName: "letsencrypt-prod"
+
+# Authentication Layer Configuration
+authentication:
+  image:
+    repository: "ghcr.io/buerokratt/authentication-layer"    # Update with actual auth-layer image repository
+    tag: "latest"
+    pullPolicy: Always
+  
+  environment:
+    serverPort: "3004"
+    timServiceUrl: "http://tim:8085"
+    corsOrigins: "http://localhost:3001,http://localhost:3003,http://localhost:8086"
+    
+service:
+  type: ClusterIP
+  port: 3004
+
+resources:
+  requests:
+    memory: "10Mi"
+    cpu: "1m"
+  limits:
+    memory: "50Mi"
+    cpu: "5m"

kubernetes/charts/ClickHouse/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: ClickHouse
+description: ClickHouse analytics database for Langfuse
+type: application
+version: 0.1.0
+appVersion: "latest"

kubernetes/charts/ClickHouse/templates/deployment-byk-clickhouse.yaml

@@ -0,0 +1,88 @@
+{{- if .Values.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: "{{ .Values.release_name }}"
+  labels:
+    app: "{{ .Values.release_name }}"
+    component: clickhouse
+spec:
+  replicas: {{ .Values.replicas }}
+  selector:
+    matchLabels:
+      app: "{{ .Values.release_name }}"
+  template:
+    metadata:
+      labels:
+        app: "{{ .Values.release_name }}"
+        component: clickhouse
+    spec:
+      {{- if .Values.securityContext }}
+      securityContext:
+        runAsUser: {{ .Values.securityContext.runAsUser }}
+        runAsGroup: {{ .Values.securityContext.runAsGroup }}
+        fsGroup: {{ .Values.securityContext.fsGroup }}
+      {{- end }}
+      containers:
+        - name: "{{ .Values.release_name }}"
+          image: "{{ .Values.images.clickhouse.registry }}/{{ .Values.images.clickhouse.repository }}:{{ .Values.images.clickhouse.tag }}"
+          imagePullPolicy: {{ .Values.pullPolicy }}
+          ports:
+            - name: http
+              containerPort: {{ .Values.service.httpPort }}
+              protocol: TCP
+            - name: native
+              containerPort: {{ .Values.service.nativePort }}
+              protocol: TCP
+          # Non-sensitive env's from values.yaml
+          env:
+            - name: CLICKHOUSE_DB
+              value: "{{ .Values.env.CLICKHOUSE_DB }}"
+          # Sensitive env's from Kubernetes Secret
+          {{- if .Values.envFrom }}
+          envFrom:
+            {{- toYaml .Values.envFrom | nindent 12 }}
+          {{- end }}
+          {{- if .Values.healthcheck.enabled }}
+          livenessProbe:
+            httpGet:
+              path: "{{ .Values.healthcheck.httpPath }}"
+              port: {{ .Values.service.httpPort }}
+            initialDelaySeconds: {{ .Values.healthcheck.initialDelaySeconds }}
+            periodSeconds: {{ .Values.healthcheck.periodSeconds }}
+            timeoutSeconds: {{ .Values.healthcheck.timeoutSeconds }}
+            failureThreshold: {{ .Values.healthcheck.failureThreshold }}
+          readinessProbe:
+            httpGet:
+              path: "{{ .Values.healthcheck.httpPath }}"
+              port: {{ .Values.service.httpPort }}
+            initialDelaySeconds: {{ .Values.healthcheck.initialDelaySeconds }}
+            periodSeconds: {{ .Values.healthcheck.periodSeconds }}
+            timeoutSeconds: {{ .Values.healthcheck.timeoutSeconds }}
+            failureThreshold: {{ .Values.healthcheck.failureThreshold }}
+          {{- end }}
+          {{- if .Values.persistence.enabled }}
+          volumeMounts:
+            - name: langfuse-clickhouse-data
+              mountPath: /var/lib/clickhouse
+            - name: langfuse-clickhouse-logs
+              mountPath: /var/log/clickhouse-server
+          {{- end }}
+          resources:
+            requests:
+              memory: "{{ .Values.resources.requests.memory }}"
+              cpu: "{{ .Values.resources.requests.cpu }}"
+            limits:
+              memory: "{{ .Values.resources.limits.memory }}"
+              cpu: "{{ .Values.resources.limits.cpu }}"
+      {{- if .Values.persistence.enabled }}
+      volumes:
+        - name: langfuse-clickhouse-data
+          persistentVolumeClaim:
+            claimName: "{{ .Values.release_name }}-data"
+        - name: langfuse-clickhouse-logs
+          persistentVolumeClaim:
+            claimName: "{{ .Values.release_name }}-logs"
+      {{- end }}
+      restartPolicy: Always
+{{- end }}

kubernetes/charts/ClickHouse/templates/pvc-clickhouse.yaml

@@ -0,0 +1,37 @@
+{{- if and .Values.enabled .Values.persistence.enabled }}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: "{{ .Values.release_name }}-data"
+  labels:
+    app: "{{ .Values.release_name }}"
+    component: clickhouse
+    type: data
+spec:
+  accessModes:
+    - {{ .Values.persistence.data.accessMode }}
+  resources:
+    requests:
+      storage: {{ .Values.persistence.data.size }}
+  {{- if .Values.persistence.data.storageClass }}
+  storageClassName: {{ .Values.persistence.data.storageClass }}
+  {{- end }}
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: "{{ .Values.release_name }}-logs"
+  labels:
+    app: "{{ .Values.release_name }}"
+    component: clickhouse
+    type: logs
+spec:
+  accessModes:
+    - {{ .Values.persistence.logs.accessMode }}
+  resources:
+    requests:
+      storage: {{ .Values.persistence.logs.size }}
+  {{- if .Values.persistence.logs.storageClass }}
+  storageClassName: {{ .Values.persistence.logs.storageClass }}
+  {{- end }}
+{{- end }}

kubernetes/charts/ClickHouse/templates/secret.yaml

@@ -0,0 +1,13 @@
+{{- if .Values.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: clickhouse-secrets
+  labels:
+    app: "{{ .Values.release_name }}"
+    component: clickhouse
+type: Opaque
+stringData:
+  CLICKHOUSE_USER: "<SET_ME>"
+  CLICKHOUSE_PASSWORD: "<SET_ME>"
+{{- end }}