From 2316a0cac9f83e0c14ea71cae450818b3d10cc92 Mon Sep 17 00:00:00 2001 From: Thorsten Klein Date: Fri, 7 Mar 2025 09:38:21 +0100 Subject: [PATCH 1/2] chore: change the config setup via environment variables in the helm chart --- chart/Chart.yaml | 2 +- chart/templates/deployment.yaml | 132 ++------------------------------ chart/templates/secret.yaml | 64 +++------------- chart/values.yaml | 92 +++++++++++----------- 4 files changed, 62 insertions(+), 228 deletions(-) diff --git a/chart/Chart.yaml b/chart/Chart.yaml index c15852020..795db18f3 100644 --- a/chart/Chart.yaml +++ b/chart/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 name: obot description: A Helm chart for Obot -version: 0.1.0 +version: 0.1.1 appVersion: 1.0.0 diff --git a/chart/templates/deployment.yaml b/chart/templates/deployment.yaml index 04217f985..b81fe1ee8 100644 --- a/chart/templates/deployment.yaml +++ b/chart/templates/deployment.yaml 
@@ -46,136 +46,16 @@ spec: - mountPath: {{ .Values.persistence.path }} name: data {{- end }} + {{- if .Values.extraEnv }} env: - - name: "OBOT_SERVER_ENABLE_AUTHENTICATION" - value: {{ .Values.config.obotServerEnableAuthentication | quote }} - - name: "OBOT_SERVER_ENCRYPTION_PROVIDER" - value: {{ .Values.config.obotServerEncryptionProvider | quote }} - {{- if .Values.config.awsAccessKeyID }} - - name: "AWS_ACCESS_KEY_ID" - valueFrom: - secretKeyRef: - name: {{ include "obot.config.secretName" . }} - key: awsAccessKeyID - {{- end }} - {{- if .Values.config.awsRegion }} - - name: "AWS_REGION" - valueFrom: - secretKeyRef: - name: {{ include "obot.config.secretName" . }} - key: awsRegion - {{- end }} - {{- if .Values.config.awsSecretAccessKey }} - - name: "AWS_SECRET_ACCESS_KEY" - valueFrom: - secretKeyRef: - name: {{ include "obot.config.secretName" . }} - key: awsSecretAccessKey - {{- end }} - {{- if .Values.config.nahThreadiness }} - - name: "NAH_THREADINESS" - valueFrom: - secretKeyRef: - name: {{ include "obot.config.secretName" . }} - key: nahThreadiness - {{- end }} - {{- if .Values.config.knowledgeFileWorkers }} - - name: "OBOT_SERVER_KNOWLEDGE_FILE_WORKERS" - valueFrom: - secretKeyRef: - name: {{ include "obot.config.secretName" . }} - key: knowledgeFileWorkers - {{- end }} - {{- if .Values.config.kinmDBConnections }} - - name: "KINM_DB_CONNECTIONS" - valueFrom: - secretKeyRef: - name: {{ include "obot.config.secretName" . }} - key: kinmDBConnections - {{- end }} - {{- if .Values.config.ignoreInactiveObjects }} - - name: "OBOT_SERVER_IGNORE_INACTIVE" - valueFrom: - secretKeyRef: - name: {{ include "obot.config.secretName" . }} - key: ignoreInactiveObjects - {{- end }} - {{- if .Values.config.githubAuthToken }} - - name: "GITHUB_AUTH_TOKEN" - valueFrom: - secretKeyRef: - name: {{ include "obot.config.secretName" . 
}} - key: githubAuthToken - {{- end }} - {{- if .Values.config.gcpKMSKeyURI }} - - name: "OBOT_GCP_KMS_KEY_URI" - valueFrom: - secretKeyRef: - name: {{ include "obot.config.secretName" . }} - key: gcpKMSKeyURI - {{- end }} - {{- if .Values.config.obotServerAuthAdminEmails }} - - name: "OBOT_SERVER_AUTH_ADMIN_EMAILS" - valueFrom: - secretKeyRef: - name: {{ include "obot.config.secretName" . }} - key: obotServerAuthAdminEmails - {{- end }} - {{- if .Values.config.obotBootstrapToken }} - - name: "OBOT_BOOTSTRAP_TOKEN" - valueFrom: - secretKeyRef: - name: {{ include "obot.config.secretName" . }} - key: obotBootstrapToken - {{- end }} - {{- if .Values.config.obotServerDSN }} - - name: "OBOT_SERVER_DSN" - valueFrom: - secretKeyRef: - name: {{ include "obot.config.secretName" . }} - key: obotServerDSN - {{- end }} - {{- if .Values.config.obotServerHostname }} - - name: "OBOT_SERVER_HOSTNAME" - valueFrom: - secretKeyRef: - name: {{ include "obot.config.secretName" . }} - key: obotServerHostname - {{- end }} - {{- if .Values.config.obotWorkspaceProviderType }} - - name: "OBOT_WORKSPACE_PROVIDER_TYPE" - valueFrom: - secretKeyRef: - name: {{ include "obot.config.secretName" . }} - key: obotWorkspaceProviderType - {{- end }} - {{- if .Values.config.openaiApiKey }} - - name: "OPENAI_API_KEY" - valueFrom: - secretKeyRef: - name: {{ include "obot.config.secretName" . }} - key: openaiApiKey - {{- end }} - {{- if .Values.config.workspaceProviderS3BaseEndpoint }} - - name: "WORKSPACE_PROVIDER_S3_BASE_ENDPOINT" - valueFrom: - secretKeyRef: - name: {{ include "obot.config.secretName" . }} - key: workspaceProviderS3BaseEndpoint - {{- end }} - {{- if .Values.config.workspaceProviderS3Bucket }} - - name: "WORKSPACE_PROVIDER_S3_BUCKET" - valueFrom: - secretKeyRef: - name: {{ include "obot.config.secretName" . 
}} - key: workspaceProviderS3Bucket - {{- end }} - {{- if .Values.extraEnv }} {{- range $key, $value := .Values.extraEnv }} - name: {{ $key }} value: {{ $value | quote }} {{- end }} - {{- end }} + {{- end }} + envFrom: + - secretRef: + name: {{ if .Values.config.existingSecret }}{{ .Values.config.existingSecret }}{{ else }}{{ include "obot.config.secretName" . }}{{- end }} resources: {{- toYaml .Values.resources | nindent 12 }} {{- if and (eq .Values.config.obotWorkspaceProviderType "directory") .Values.persistence.enabled }} @@ -183,4 +63,4 @@ spec: - name: data persistentVolumeClaim: claimName: {{ ternary .Values.persistence.existingClaim (print .Release.Name "-pvc") (ne .Values.persistence.existingClaim "") }} - {{- end }} \ No newline at end of file + {{- end }} diff --git a/chart/templates/secret.yaml b/chart/templates/secret.yaml index 72d07acb5..8f6de0780 100644 --- a/chart/templates/secret.yaml +++ b/chart/templates/secret.yaml 
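Review bot: The volume guard kept as context at the end of this hunk, `eq .Values.config.obotWorkspaceProviderType "directory"`, still reads the camelCase key that this commit renames to `OBOT_WORKSPACE_PROVIDER_TYPE` in values.yaml. With the new default values the key is absent, so the comparison no longer matches (or fails to render, depending on the template engine version) and the `data` persistentVolumeClaim volume is not added to the pod. Change the condition to `{{- if and (eq .Values.config.OBOT_WORKSPACE_PROVIDER_TYPE "directory") .Values.persistence.enabled }}`. The matching `volumeMounts` guard opens above this hunk and probably needs the same rename; it is not visible here.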
@@ -1,61 +1,15 @@ -{{- if eq .Values.config.existingSecret "" -}} +{{- if not .Values.config.existingSecret -}} apiVersion: v1 -data: - {{- if .Values.config.awsAccessKeyID }} - awsAccessKeyID: {{ .Values.config.awsAccessKeyID | b64enc }} - {{- end }} - {{- if .Values.config.awsRegion }} - awsRegion: {{ .Values.config.awsRegion | b64enc }} - {{- end }} - {{- if .Values.config.awsSecretAccessKey }} - awsSecretAccessKey: {{ .Values.config.awsSecretAccessKey | b64enc }} - {{- end }} - {{- if .Values.config.nahThreadiness }} - nahThreadiness: {{ .Values.config.nahThreadiness | b64enc }} - {{- end }} - {{- if .Values.config.knowledgeFileWorkers }} - knowledgeFileWorkers: {{ .Values.config.knowledgeFileWorkers | b64enc }} - {{- end }} - {{- if .Values.config.kinmDBConnections }} - kinmDBConnections: {{ .Values.config.kinmDBConnections | b64enc }} - {{- end }} - {{- if .Values.config.ignoreInactiveObjects }} - ignoreInactiveObjects: {{ .Values.config.ignoreInactiveObjects | b64enc }} - {{- end }} - {{- if .Values.config.gcpKMSKeyURI }} - gcpKMSKeyURI: {{ .Values.config.gcpKMSKeyURI | b64enc }} - {{- end }} - {{- if .Values.config.githubAuthToken }} - githubAuthToken: {{ .Values.config.githubAuthToken | b64enc }} - {{- end }} - {{- if .Values.config.obotServerAuthAdminEmails }} - obotServerAuthAdminEmails: {{ .Values.config.obotServerAuthAdminEmails | b64enc }} - {{- end }} - {{- if .Values.config.obotServerDSN }} - obotServerDSN: {{ .Values.config.obotServerDSN | b64enc }} - {{- end }} - {{- if .Values.config.obotBootstrapToken }} - obotBootstrapToken: {{ .Values.config.obotBootstrapToken | b64enc }} - {{- end }} - {{- if .Values.config.obotServerHostname }} - obotServerHostname: {{ .Values.config.obotServerHostname | b64enc }} - {{- end }} - {{- if .Values.config.obotWorkspaceProviderType }} - obotWorkspaceProviderType: {{ .Values.config.obotWorkspaceProviderType | b64enc }} - {{- end }} - {{- if .Values.config.openaiApiKey }} - openaiApiKey: {{ 
.Values.config.openaiApiKey | b64enc }} - {{- end }} - {{- if .Values.config.workspaceProviderS3BaseEndpoint }} - workspaceProviderS3BaseEndpoint: {{ .Values.config.workspaceProviderS3BaseEndpoint | b64enc }} - {{- end }} - {{- if .Values.config.workspaceProviderS3Bucket }} - workspaceProviderS3Bucket: {{ .Values.config.workspaceProviderS3Bucket | b64enc }} - {{- end }} kind: Secret +type: Opaque metadata: labels: {{- include "obot.labels" . | nindent 4 }} name: {{ include "obot.config.secretName" . }} -type: Opaque -{{- end -}} \ No newline at end of file +data: + {{- range $key, $value := .Values.config }} + {{- if $value }} + {{ $key }}: {{ $value | quote | b64enc }} + {{- end }} + {{- end }} +{{- end -}} diff --git a/chart/values.yaml b/chart/values.yaml index 096f49721..4004522e3 100644 --- a/chart/values.yaml +++ b/chart/values.yaml 
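Review bot: `{{ $value | quote | b64enc }}` in the new `range` over `.Values.config` wraps each value in double quotes before encoding, so the Secret stores `"directory"` rather than `directory`, and `envFrom` passes those quotes to the container as part of the value. That affects every credential (`OPENAI_API_KEY`, `AWS_SECRET_ACCESS_KEY`, `OBOT_SERVER_DSN`) and the boolean `OBOT_SERVER_ENABLE_AUTHENTICATION`; whether the server tolerates a quoted value is not visible here. Use `{{ $key }}: {{ $value | toString | b64enc }}` instead. The `{{- if $value }}` guard also drops an explicit boolean `false`, so an operator's setting never reaches the pod and the application default applies silently; `{{- if or $value (kindIs "bool" $value) }}` keeps it.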
@@ -50,54 +50,54 @@ ingress: # hosts: # - chart-example.local -# config - A key/value object containing configuration variables to configure on the obot deployment +# config - A key/value object containing configuration variables to configure on the obot deployment. Will be converted to a secret and used via envFrom. config: - # config.existingSecret -- The name of an existing secret to use for config instead of creating a new one + # config.existingSecret -- The name of an existing secret to use for config instead of creating a new one. Must contain keys in env format, just like below. existingSecret: "" - # config.awsAccessKeyID -- An AWS access key with permissions for AWS KMS, used for encryption - awsAccessKeyID: "" - # config.awsRegion -- An AWS region, used to access AWS KMS - awsRegion: "" - # config.awsAccessKeyID -- An AWS secret access key with permissions for AWS KMS, used for encryption - awsSecretAccessKey: "" - - # config.gcpKMSKeyURI -- The URI of a Google Cloud KMS key, used for encryption - gcpKMSKeyURI: "" - - # config.nahThreadiness -- Advanced - sets the number of concurrent threads that can run in the Obot controller - nahThreadiness: "10000" - # config.knowledgeFileWorkers -- Advanced - sets the number of workers for knowledge - knowledgeFileWorkers: "5" - - # config.kinmDBConnections -- Advanced - the number of connections in the database pool for kinm - kinmDBConnections: "5" - - # config.ignoreInactiveObjects -- whether the controller objects that have been marked as inactive - ignoreInactiveObjects: false - - # config.githubAuthToken -- A github PAT, used to authenticate tool pulls to avoid github ratelimiting - githubAuthToken: "" - # config.obotServerEnableAuthentication -- Enables authentication for Obot - obotServerEnableAuthentication: true - # config.obotServerEncryptionProvider -- Configures an encryption provider for credentials in Obot - obotServerEncryptionProvider: "None" # "None", "AWS", "GCP" - # config.obotBootstrapToken -- 
Sets a bootstrap token. If authentication is enabled, one will be autogenerated for you if this is not set. - obotBootstrapToken: "" - # config.obotServerAuthAdminEmails -- A comma separated list of email addresses that will have the Admin role in Obot. - obotServerAuthAdminEmails: "" - # config.obotServerDSN -- The DSN for your database. For example: postgres://:@/ - obotServerDSN: "" - # config.obotServerHostname -- The hostname of your Obot instance, including protocol - obotServerHostname: "" - # config.obotWorkspaceProviderType -- Configures the storage backend for workspaces in Obot. Can be 's3' or 'directory' - obotWorkspaceProviderType: "directory" - # config.openaiApiKey -- An OpenAI API Key used to configure access to OpenAI models, which are the default in Obot. - openaiApiKey: "" - # config.workspaceProviderS3BaseEndpoint -- If config.obotWorkspaceProviderType is 's3' and you are not using AWS S3, this needs to be set to the S3 api endpoint of your provider. - workspaceProviderS3BaseEndpoint: "" - # config.workspaceProviderS3Bucket -- The name of the S3 bucket to store workspaces in. 
Only used if config.obotWorkspaceProviderType is 's3' - workspaceProviderS3Bucket: "" + # config.AWS_ACCESS_KEY_ID -- An AWS access key with permissions for AWS KMS, used for encryption + AWS_ACCESS_KEY_ID: "" + # config.AWS_REGION -- An AWS region, used to access AWS KMS + AWS_REGION: "" + # config.AWS_SECRET_ACCESS_KEY -- An AWS secret access key with permissions for AWS KMS, used for encryption + AWS_SECRET_ACCESS_KEY: "" + + # config.OBOT_GCP_KMS_KEY_URI -- The URI of a Google Cloud KMS key, used for encryption + OBOT_GCP_KMS_KEY_URI: "" + + # config.NAH_THREADINESS -- Advanced - sets the number of concurrent threads that can run in the Obot controller + NAH_THREADINESS: "10000" + # config.OBOT_SERVER_KNOWLEDGE_FILE_WORKERS -- Advanced - sets the number of workers for knowledge + OBOT_SERVER_KNOWLEDGE_FILE_WORKERS: "5" + + # config.KINM_DB_CONNECTIONS -- Advanced - the number of connections in the database pool for kinm + KINM_DB_CONNECTIONS: "5" + + # config.OBOT_SERVER_IGNORE_INACTIVE -- whether the controller processes objects that have been marked as inactive + OBOT_SERVER_IGNORE_INACTIVE: false + + # config.GITHUB_AUTH_TOKEN -- A github PAT, used to authenticate tool pulls to avoid github ratelimiting + GITHUB_AUTH_TOKEN: "" + # config.OBOT_SERVER_ENABLE_AUTHENTICATION -- Enables authentication for Obot + OBOT_SERVER_ENABLE_AUTHENTICATION: true + # config.OBOT_SERVER_ENCRYPTION_PROVIDER -- Configures an encryption provider for credentials in Obot + OBOT_SERVER_ENCRYPTION_PROVIDER: "None" # "None", "AWS", "GCP" + # config.OBOT_BOOTSTRAP_TOKEN -- Sets a bootstrap token. If authentication is enabled, one will be autogenerated for you if this is not set. + OBOT_BOOTSTRAP_TOKEN: "" + # config.OBOT_SERVER_AUTH_ADMIN_EMAILS -- A comma separated list of email addresses that will have the Admin role in Obot. + OBOT_SERVER_AUTH_ADMIN_EMAILS: "" + # config.OBOT_SERVER_DSN -- The DSN for your database. 
For example: postgres://:@/ + OBOT_SERVER_DSN: "" + # config.OBOT_SERVER_HOSTNAME -- The hostname of your Obot instance, including protocol + OBOT_SERVER_HOSTNAME: "" + # config.OBOT_WORKSPACE_PROVIDER_TYPE -- Configures the storage backend for workspaces in Obot. Can be 's3' or 'directory' + OBOT_WORKSPACE_PROVIDER_TYPE: "directory" + # config.OPENAI_API_KEY -- An OpenAI API Key used to configure access to OpenAI models, which are the default in Obot. + OPENAI_API_KEY: "" + # config.WORKSPACE_PROVIDER_S3_BASE_ENDPOINT -- If config.obotWorkspaceProviderType is 's3' and you are not using AWS S3, this needs to be set to the S3 api endpoint of your provider. + WORKSPACE_PROVIDER_S3_BASE_ENDPOINT: "" + # config.WORKSPACE_PROVIDER_S3_BUCKET -- The name of the S3 bucket to store workspaces in. Only used if config.obotWorkspaceProviderType is 's3' + WORKSPACE_PROVIDER_S3_BUCKET: "" # extraEnv -- A map of additional environment variables to set extraEnv: { } @@ -129,4 +129,4 @@ serviceAccount: annotations: { } # serviceAccount.name - The name of the service account to use. # If not set and create is true, a name is generated using the fullname template - name: "" \ No newline at end of file + name: "" From 2a0c5d527ead71098a4e962d8f762e0c2ebf79ff Mon Sep 17 00:00:00 2001 From: Thorsten Klein Date: Fri, 7 Mar 2025 21:02:51 +0100 Subject: [PATCH 2/2] Update Chart.yaml --- chart/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/chart/Chart.yaml b/chart/Chart.yaml index 795db18f3..c15852020 100644 --- a/chart/Chart.yaml +++ b/chart/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 name: obot description: A Helm chart for Obot -version: 0.1.1 +version: 0.1.0 appVersion: 1.0.0
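Review bot: The `config.existingSecret` description should say that the key format change breaks secrets created for earlier chart versions. The removed `secretKeyRef` entries read camelCase keys such as `obotServerDSN`; a secret that still uses them is now imported by `envFrom` under names the server presumably does not read, so the pod starts without its DSN, encryption or authentication settings and nothing fails at deploy time. Suggested wording: `# config.existingSecret -- Name of an existing secret loaded via envFrom; its keys must be the environment variable names listed below (e.g. OBOT_SERVER_DSN). Secrets with the camelCase keys used by earlier chart versions must be recreated.` The two S3 descriptions in this hunk also still refer to `config.obotWorkspaceProviderType` and should name `config.OBOT_WORKSPACE_PROVIDER_TYPE`.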