diff --git a/Dockerfile b/Dockerfile index 98438c4..d40ddd8 100644 --- a/Dockerfile +++ b/Dockerfile @@ -11,4 +11,4 @@ WORKDIR /app RUN uv sync --locked --no-cache # Run the application. -CMD ["/app/.venv/bin/fastapi", "run", "app/main.py", "--port", "80"] +CMD ["/app/.venv/bin/fastapi", "run", "app/main.py", "--port", "8080"] diff --git a/app/cli/main.py b/app/cli/main.py index 150ad7c..67f776f 100644 --- a/app/cli/main.py +++ b/app/cli/main.py @@ -72,7 +72,7 @@ def workers(): """Start the Temporal worker.""" typer.echo("Starting Temporal worker...") result = subprocess.run( - ["uv", "run", "python", "-m", "app.workers"], + [sys.executable, "-m", "app.workers"], cwd=PROJECT_ROOT, ) sys.exit(result.returncode) @@ -91,7 +91,7 @@ def run_all(ctx: typer.Context): cwd=PROJECT_ROOT, ), subprocess.Popen( - ["uv", "run", "python", "-m", "app.workers"], + [sys.executable, "-m", "app.workers"], cwd=PROJECT_ROOT, ), ] diff --git a/app/config.py b/app/config.py index 1884b04..c7e7468 100644 --- a/app/config.py +++ b/app/config.py @@ -23,8 +23,13 @@ class Settings(BaseSettings): auth_disabled: bool = False tenants_config_path: str = "tenants.json" - # Security - allowed_origins: list[str] = ["http://localhost:3000", "http://127.0.0.1:3000"] + allowed_origins: list[str] = [ + "http://localhost:3000", + "http://127.0.0.1:3000", + "https://localhost:5000", + "https://127.0.0.1:5000", + "https://orcha.app.cern.ch", + ] @property def database_url(self) -> str: diff --git a/app/main.py b/app/main.py index 84e9973..f60aa5f 100644 --- a/app/main.py +++ b/app/main.py @@ -35,6 +35,7 @@ async def lifespan(app: FastAPI): app = FastAPI(lifespan=lifespan) + # Apply CORS middleware using settings _settings = get_settings() if _settings.allowed_origins: 
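Review bot: The new default for `allowed_origins` in `Settings` puts the production origin `https://orcha.app.cern.ch` in the same list as four localhost development origins, so any deployment that does not override the setting also trusts whatever is served on those localhost ports on a user's machine. The ConfigMap added in this commit sets no origin variable, so the chart as written appears to run with this default. Consider a default of `allowed_origins: list[str] = []`, or development origins only, with the production origin supplied through the environment. The removed `# Security` comment was the only marker that this field is security-relevant; a comment such as `# CORS allow-list: browsers at these origins may call the API` would keep that visible. The `Settings` class continues outside the hunk.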
@@ -50,5 +51,11 @@ async def lifespan(app: FastAPI): @app.get("/") async def root(auth=Depends(get_current_user)): - """Health check endpoint.""" + """Root endpoint.""" return {"message": "This is the backend service for Orcha!"} + + +@app.get("/health", include_in_schema=False) +async def health(): + """Health check endpoint, non-authenticated.""" + return {"status": "ok"} diff --git a/helm/Chart.lock b/helm/Chart.lock new file mode 100644 index 0000000..5fad1f6 --- /dev/null +++ b/helm/Chart.lock @@ -0,0 +1,9 @@ +dependencies: +- name: postgresql + repository: https://charts.bitnami.com/bitnami + version: 18.5.7 +- name: temporal + repository: https://go.temporal.io/helm-charts + version: 0.73.1 +digest: sha256:e560849947eb28377fb837ff5e664918e610cb6b1c287109472e5d35019c9c5d +generated: "2026-03-18T18:44:55.62055+01:00" diff --git a/helm/Chart.yaml b/helm/Chart.yaml new file mode 100644 index 0000000..e707488 --- /dev/null +++ b/helm/Chart.yaml @@ -0,0 +1,16 @@ +apiVersion: v2 +name: orcha +description: Orcha AI workflow service +type: application +version: 0.1.0 +appVersion: "0.1.0" + +dependencies: + - name: postgresql + version: "18.5.7" + repository: https://charts.bitnami.com/bitnami + condition: postgresql.enabled + - name: temporal + version: "0.73.1" + repository: https://go.temporal.io/helm-charts + condition: temporal.enabled diff --git a/helm/README.md b/helm/README.md new file mode 100644 index 0000000..c54cca4 --- /dev/null +++ b/helm/README.md 
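Review bot: `health()` answers with a constant, yet DeploymentFastapi.yaml in this commit points the readiness probe as well as the liveness probe at `/health`, so a pod whose database or Temporal connection is down would still report ready. If that is intended, the docstring should say so, e.g. `"""Liveness-only check; unauthenticated, so it must never return configuration or dependency details."""`. Otherwise the usual split is a separate readiness route that checks the dependencies. The endpoint is also reachable from outside the cluster, since the Route and the Ingress in this commit forward every path to the API service.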
@@ -0,0 +1,240 @@ +# Orcha Helm Chart + +A V1 Helm chart for deploying Orcha to a Kubernetes cluster. + +The chart includes: +- Orcha API server +- [Temporal](https://temporal.io/) workflow engine as a subchart +- PostgreSQL for persistance + +## Prerequisites + +- [Helm 3](https://helm.sh) +- [kubectl](https://kubernetes.io/docs/tasks/tools/) or +[oc](https://docs.openshift.com/container-platform/latest/cli_reference/openshift_cli/getting-started-cli.html) +(for OpenShift) configured against the target cluster + +This repo only contains one chart currently, but is structured in the standard helm repo way. This means you will find +the chart in the `charts/orcha` directory. All example `helm` commands below should be run from that directory. + +--- + +## Deployment + +The sections that follow describe various deployment configurations. + +### Namespace/project + +Create the namespace / project ahead of the first-time deployment. + +**Plain Kubernetes:** +```bash +kubectl create namespace +``` + +**OpenShift:** +```bash +oc new-project +``` + +### Secrets (optional) +> See the secrets section in values.yaml for more information before creating the secrets + +Create a Kubernetes/OpenShift Secret holding the database password: + +**1. Create secrets** +```bash +kubectl create secret generic orcha-db-secret \ + --from-literal=password='' \ + -n +``` + +If an LLM API key is needed: + +```bash +oc create secret generic orcha-llm-secret \ + --from-literal=litellmApiKey='' \ + --from-literal=ollamaApiKey='' \ + -n +``` + +**2. Configure values** + +In your `values.yaml` override file: + +```yaml +secrets: + db: + existingSecret: "orcha-db-secret" + llm: + existingSecret: "orcha-llm-secret" # Omit if not using an LLM API key +``` + +### Persistence Configuration + +**Option A: Bundled PostgreSQL (default)** + +This is the default configuration in the existing `values.yaml`. 
Review the values in postgresql.auth and +temporal.server.config.persistance to ensure they match your needs. + +**Option B: External Database** + +**1. Prepare the external database** + +Your database instance must have **three databases** before deploying. If using PostgreSQL, connect to your +instance with an admin user and run: + +```sql +ALTER ROLE orcha CREATEDB; +``` + +> `` is the database user set in `values.yaml`. Change it if the database user in your values is different. + +Then, login to the database as the `orcha` user and run: +```sql +CREATE DATABASE orcha; +CREATE DATABASE temporal; +CREATE DATABASE temporal_visibility; +``` + +> The bundled PostgreSQL init script (`initdb`) that creates `temporal` and `temporal_visibility` only runs when the +> internal PostgreSQL subchart is enabled. With an external DB, you must create these manually. + + +**2. Configure values** + +Create a `values.yaml` override file where: +- postgresql.enabled is set to false +- externalDatabase fields are filled to point to your external instance +- Configure temporal.server.config.persistance values to point to your external instance. See values.yaml comments for +more information + +### Kubernetes + +If using Kubernetes, ensure ingress is enabled in your `values.yaml` override file: + +```yaml +ingress: + enabled: true + className: "" # Add your cluster's IngressClass, e.g. nginx +``` + +### OpenShift + +If using OpenShift, use route instead. In your `values.yaml` override file: + +```yaml +route: + app: + enabled: true + host: "orcha." # e.g. orcha.apps.paas.cern.ch + temporalWeb: + enabled: true # Optional: expose Temporal UI + host: "orcha-temporal." +``` + +--- + +## Multiple instances (e.g. sandbox + prod) + +We recommend deploying each instance into its own namespace. This avoids resource name collisions and keeps +configurations independent. + +Then, only the environment-specific value.yaml override file needs to be changed, e.g. 
`values-prod.yaml` and +`values-sandbox.yaml`. + +```bash +# Production +helm upgrade --install orcha ./charts/orcha \ + -f values-prod.yaml \ + -n orcha + +# Sandbox +helm upgrade --install orcha-sandbox ./charts/orcha \ + -f values-sandbox.yaml \ + -n orcha-sandbox +``` + +--- + +## Installing Chart + +```bash +helm repo add temporal https://go.temporal.io/helm-charts +helm repo add bitnami https://charts.bitnami.com/bitnami +helm dependency update ./charts/orcha + +helm upgrade --install orcha ./charts/orcha \ + -f values.yaml \ + -n \ + --create-namespace +``` + +### Verifying installation + +To check that your deployment works correctly, run: + +```bash +oc get pods -n +oc get routes -n +``` + +Check the app logs for DB connectivity and Temporal connection: + +```bash +oc logs deployment/orcha -n +``` + +--- + +## Upgrading + +```bash +helm upgrade orcha ./charts/orcha \ + -f values-.yaml \ + -n +``` + +--- + +## Uninstalling + +```bash +helm uninstall orcha -n +``` + +> PersistentVolumeClaims are **not** deleted automatically. To remove them: +> ```bash +> kubectl delete pvc -l app.kubernetes.io/instance=orcha -n +> ``` + +--- + +## Troubleshooting + +### SSE / streaming not working + +Verify the Route/Ingress has the correct timeout and buffering annotations: + +```yaml +# OpenShift Route +haproxy.router.openshift.io/timeout: 3600s + +# nginx Ingress +nginx.ingress.kubernetes.io/proxy-buffering: "off" +nginx.ingress.kubernetes.io/proxy-read-timeout: "3600" +``` + +### TLS + +It might be necessary to install cert-manager in your cluster and create a secret orcha-tls: + +```yaml +# values.yaml +ingress: + annotations: + cert-manager.io/cluster-issuer: "letsencrypt-prod" + tls: + enabled: true + secretName: orcha-tls +``` diff --git a/helm/charts/postgresql-18.5.7.tgz b/helm/charts/postgresql-18.5.7.tgz new file mode 100644 index 0000000..17bff7c Binary files /dev/null and b/helm/charts/postgresql-18.5.7.tgz differ 
diff --git a/helm/charts/temporal-0.73.1.tgz b/helm/charts/temporal-0.73.1.tgz
new file mode 100644
index 0000000..0bd3607
Binary files /dev/null and b/helm/charts/temporal-0.73.1.tgz differ
diff --git a/helm/output.yaml b/helm/output.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/helm/templates/Configmap.yaml b/helm/templates/Configmap.yaml
new file mode 100644
index 0000000..a705503
--- /dev/null
+++ b/helm/templates/Configmap.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "orcha.fullname" . }}
+ labels:
+ {{- include "orcha.labels" . | nindent 4 }}
+data:
+ AUTH_DISABLED: {{ .Values.config.authDisabled | quote }}
+ TEMPORAL_HOST: {{ tpl .Values.config.temporalHost . | quote }}
+ TEMPORAL_NAMESPACE: {{ .Values.config.temporalNamespace | quote }}
+ PGUSER: {{ .Values.postgresqlExternal.username | quote }}
+ PGHOST: {{ .Values.postgresqlExternal.hostname | quote }}
+ PGPORT: {{ .Values.postgresqlExternal.port | quote }}
+ PGDATABASE: {{ .Values.postgresqlExternal.database | quote }}
+
diff --git a/helm/templates/DeploymentFastapi.yaml b/helm/templates/DeploymentFastapi.yaml
new file mode 100644
index 0000000..7cb320b
--- /dev/null
+++ b/helm/templates/DeploymentFastapi.yaml
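Review bot: The four `PG*` entries in the ConfigMap read `.Values.postgresqlExternal.*` directly, but values.yaml ships `postgresqlExternal: {}` and documents those keys as used only when `postgresql.enabled` is false, so with the defaults, or with the bundled PostgreSQL enabled, they would presumably render empty. _helpers.tpl in this commit already has helpers that choose between the bundled and the external settings and fail on a missing value. Using them here, e.g. `PGUSER: {{ include "orcha.postgresql.username" . | quote }}` and likewise `orcha.postgresql.hostname`, `orcha.postgresql.portString` and `orcha.postgresql.database`, would keep the ConfigMap consistent with the `ORCHA_DB_*` variables set on the API container.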
@@ -0,0 +1,62 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "orcha.fullname" . }}-api
+ labels:
+ {{- include "orcha.labels" . | nindent 4 }}
+ app.kubernetes.io/component: api
+spec:
+ replicas: {{ .Values.api.replicaCount }}
+ selector:
+ matchLabels:
+ {{- include "orcha.selectorLabels" . | nindent 6 }}
+ app.kubernetes.io/component: api
+ template:
+ metadata:
+ labels:
+ {{- include "orcha.selectorLabels" . | nindent 8 }}
+ app.kubernetes.io/component: api
+ spec:
+ containers:
+ - name: api
+ image: {{ include "orcha.image" . }}
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ ports:
+ - name: http
+ containerPort: 8080
+ protocol: TCP
+ envFrom:
+ - configMapRef:
+ name: {{ include "orcha.fullname" . }}
+ - secretRef:
+ name: {{ .Values.externalSecret.name }}
+ env:
+ {{- include "orcha.config.database" . | nindent 10 }}
+ - name: TENANTS_FILE_PATH
+ value: /etc/orcha/tenants.json
+ volumeMounts:
+ - name: tenants
+ mountPath: /etc/orcha
+ readOnly: true
+ livenessProbe:
+ httpGet:
+ path: /health
+ port: http
+ initialDelaySeconds: 15
+ periodSeconds: 30
+ readinessProbe:
+ httpGet:
+ path: /health
+ port: http
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ resources:
+ {{- toYaml .Values.api.resources | nindent 12 }}
+ volumes:
+ - name: tenants
+ secret:
+ secretName: orcha-tenants
+ items:
+ - key: tenants.json
+ path: tenants.json
\ No newline at end of file
diff --git a/helm/templates/DeploymentWorker.yaml b/helm/templates/DeploymentWorker.yaml
new file mode 100644
index 0000000..ab7295f
--- /dev/null
+++ b/helm/templates/DeploymentWorker.yaml
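Review bot: The `api` container is declared without a `securityContext`, and the `worker` container in DeploymentWorker.yaml has the same gap, so on a cluster that does not enforce a restricted pod policy both run as whatever user the image defines and with the default capability set. Since the Dockerfile in this commit now listens on 8080 rather than 80, the process should not need root to bind its port, and a restrictive context under each container looks feasible. Whether the image tolerates a read-only root filesystem needs to be checked before enabling that field. Separately, `secretRef` reads `.Values.externalSecret.name`, which values.yaml in this commit does not define.

```yaml
      containers:
        - name: api
          # … unchanged: image, imagePullPolicy …
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
            seccompProfile:
              type: RuntimeDefault
          # … unchanged: ports, envFrom, env, volumeMounts, probes, resources …
```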
@@ -0,0 +1,32 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "orcha.fullname" . }}-worker
+ labels:
+ {{- include "orcha.labels" . | nindent 4 }}
+ app.kubernetes.io/component: worker
+spec:
+ replicas: {{ .Values.worker.replicaCount }}
+ selector:
+ matchLabels:
+ {{- include "orcha.selectorLabels" . | nindent 6 }}
+ app.kubernetes.io/component: worker
+ template:
+ metadata:
+ labels:
+ {{- include "orcha.selectorLabels" . | nindent 8 }}
+ app.kubernetes.io/component: worker
+ spec:
+ containers:
+ - name: worker
+ image: {{ include "orcha.image" . }}
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ command: ["/app/.venv/bin/orcha", "run", "workers"]
+ envFrom:
+ - configMapRef:
+ name: {{ include "orcha.fullname" . }}
+ - secretRef:
+ name: {{ include "orcha.fullname" . }}
+
+ resources:
+ {{- toYaml .Values.worker.resources | nindent 12 }}
diff --git a/helm/templates/Route.yaml b/helm/templates/Route.yaml
new file mode 100644
index 0000000..e3c2220
--- /dev/null
+++ b/helm/templates/Route.yaml
@@ -0,0 +1,21 @@
+{{- if .Capabilities.APIVersions.Has "route.openshift.io/v1/Route" }}
+---
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+ name: {{ include "orcha.fullname" . }}
+ {{- if and .Values.route .Values.route.annotations }}
+ annotations:
+ {{- .Values.route.annotations | toYaml | nindent 4 }}
+ {{- end }}
+spec:
+ host: {{ include "orcha.hostname" $ }}
+ to:
+ kind: Service
+ name: {{ include "orcha.fullname" . }}-api
+ port:
+ targetPort: http
+ tls:
+ termination: edge
+ insecureEdgeTerminationPolicy: Redirect
+ {{- end }}
\ No newline at end of file
diff --git a/helm/templates/Service.yaml b/helm/templates/Service.yaml
new file mode 100644
index 0000000..bf28497
--- /dev/null
+++ b/helm/templates/Service.yaml
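Review bot: The worker's `secretRef` points at a Secret named `{{ include "orcha.fullname" . }}`, but no template in this commit creates a Secret with that name, and the API Deployment reads a different, undefined value (`.Values.externalSecret.name`). _helpers.tpl already defines `orcha.secretName`, which resolves `.Values.orcha.existingSecret` and falls back to the full name. Using `name: {{ include "orcha.secretName" . }}` in both Deployments would give operators one documented place to supply the credentials. The worker also omits the `orcha.config.database` env block that the API container includes, which is fine only if workers never open a database connection.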
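Review bot: The Route is rendered whenever the cluster offers the `route.openshift.io/v1/Route` API, and the `route.enabled` flag from values.yaml is never consulted, so an operator on OpenShift has no way to keep the API cluster-internal. Gating on both would honour the documented switch: `{{- if and (.Capabilities.APIVersions.Has "route.openshift.io/v1/Route") .Values.route.enabled }}`. The edge termination with `insecureEdgeTerminationPolicy: Redirect` is a sound default and worth a short comment saying that plain HTTP is redirected rather than served.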
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "orcha.fullname" . }}-api
+ labels:
+ {{- include "orcha.labels" . | nindent 4 }}
+ app.kubernetes.io/component: api
+spec:
+ type: {{ .Values.api.service.type }}
+ ports:
+ - port: {{ .Values.api.service.port }}
+ targetPort: http
+ protocol: TCP
+ name: http
+ selector:
+ {{- include "orcha.selectorLabels" . | nindent 4 }}
+ app.kubernetes.io/component: api
\ No newline at end of file
diff --git a/helm/templates/_helpers.tpl b/helm/templates/_helpers.tpl
new file mode 100644
index 0000000..d537f65
--- /dev/null
+++ b/helm/templates/_helpers.tpl
@@ -0,0 +1,204 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "orcha.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name, the release name will be used as a full name. +*/}} +{{- define "orcha.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "orcha.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + + +{{/* +Common labels +*/}} +{{- define "orcha.labels" -}} +helm.sh/chart: {{ include "orcha.chart" . }} +{{ include "orcha.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "orcha.selectorLabels" -}} +app.kubernetes.io/name: {{ include "orcha.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Return the hostname for the Orcha service. 
+*/}} +{{- define "orcha.hostname" -}} +{{- .Values.host }} +{{- end }} + +{{/* +Return the proper Orcha image name +*/}} +{{- define "orcha.image" -}} +{{- $registryName := required "Missing .Values.image.registry" .Values.image.registry -}} +{{- $repositoryName := required "Missing .Values.image.repository" .Values.image.repository -}} +{{- $separator := ":" -}} +{{- $termination := .Values.image.tag | default .Chart.AppVersion | toString -}} + +{{- if .Values.image.digest }} + {{- $separator = "@" -}} + {{- $termination = .Values.image.digest | toString -}} +{{- end -}} + +{{- printf "%s/%s%s%s" $registryName $repositoryName $separator $termination -}} +{{- end -}} + +######################### PostgreSQL connection configuration ######################### + +{{/* + This template renders the username used for the PostgreSQL instance. +*/}} +{{- define "orcha.postgresql.username" -}} + {{- if .Values.postgresql.enabled -}} + {{- required "Missing .Values.postgresql.auth.username" (tpl .Values.postgresql.auth.username .) -}} + {{- else -}} + {{- required "Missing .Values.postgresqlExternal.username" (tpl .Values.postgresqlExternal.username .) -}} + {{- end -}} +{{- end -}} + +{{/* + This template renders the password used for the PostgreSQL instance. + In production environments we encourage you to use secrets instead. +*/}} +{{- define "orcha.postgresql.password" -}} + {{- if .Values.postgresql.enabled -}} + {{- required "Missing .Values.postgresql.auth.password" .Values.postgresql.auth.password -}} + {{- else -}} + {{- required "Missing .Values.postgresqlExternal.password" .Values.postgresqlExternal.password -}} + {{- end -}} +{{- end -}} + +{{/* + Get the database password secret name +*/}} +{{- define "orcha.postgresql.secretName" -}} + {{- if .Values.postgresql.enabled -}} + {{- required "Missing .Values.postgresql.auth.existingSecret" (tpl .Values.postgresql.auth.existingSecret .) 
-}} + {{- else -}} + {{- required "Missing .Values.postgresqlExternal.existingSecret" (tpl .Values.postgresqlExternal.existingSecret .) -}} + {{- end -}} +{{- end -}} + +{{/* + Get the database password secret key +*/}} +{{- define "orcha.postgresql.secretKey" -}} + {{- if .Values.postgresql.enabled -}} + {{- required "Missing .Values.postgresql.auth.secretKeys.userPasswordKey" .Values.postgresql.auth.secretKeys.userPasswordKey -}} + {{- else -}} + {{- required "Missing .Values.postgresqlExternal.existingSecretPasswordKey" .Values.postgresqlExternal.existingSecretPasswordKey -}} + {{- end -}} +{{- end -}} + +{{/* + This template renders the hostname used for the PostgreSQL instance. +*/}} +{{- define "orcha.postgresql.hostname" -}} + {{- if .Values.postgresql.enabled -}} + {{- include "postgresql.v1.primary.fullname" .Subcharts.postgresql -}} + {{- else -}} + {{- required "Missing .Values.postgresqlExternal.hostname" (tpl .Values.postgresqlExternal.hostname .) -}} + {{- end -}} +{{- end -}} + +{{/* + This template renders the port number used for the PostgreSQL instance (as a string). +*/}} +{{- define "orcha.postgresql.portString" -}} + {{- if .Values.postgresql.enabled -}} + {{- required "Missing .Values.postgresql.primary.service.ports.postgresql" (tpl (toString .Values.postgresql.primary.service.ports.postgresql) .) | quote -}} + {{- else -}} + {{- required "Missing .Values.postgresqlExternal.port" (tpl (toString .Values.postgresqlExternal.port) .) | quote -}} + {{- end -}} +{{- end -}} + +{{/* + This template renders the name of the database in PostgreSQL. +*/}} +{{- define "orcha.postgresql.database" -}} + {{- if .Values.postgresql.enabled -}} + {{- required "Missing .Values.postgresql.auth.database" (tpl .Values.postgresql.auth.database .) -}} + {{- else -}} + {{- required "Missing .Values.postgresqlExternal.database" (tpl .Values.postgresqlExternal.database .) -}} + {{- end -}} +{{- end -}} + +{{/* + Define database connection env section. 
+*/}} +{{- define "orcha.config.database" -}} +- name: ORCHA_DB_USER + value: {{ include "orcha.postgresql.username" . }} +- name: ORCHA_DB_HOST + value: {{ include "orcha.postgresql.hostname" . }} +- name: ORCHA_DB_PORT + value: {{ include "orcha.postgresql.portString" . }} +- name: ORCHA_DB_NAME + value: {{ include "orcha.postgresql.database" . }} +- name: ORCHA_DB_PROTOCOL + value: "postgresql+psycopg2" +- name: ORCHA_DB_PASSWORD +{{- if or (and .Values.postgresql.enabled .Values.postgresql.auth.password) .Values.postgresqlExternal.password }} + value: {{ include "orcha.postgresql.password" . | quote }} +{{- else }} + valueFrom: + secretKeyRef: + name: {{ include "orcha.postgresql.secretName" .}} + key: {{ include "orcha.postgresql.secretKey" .}} +{{- end }} +- name: ORCHA_EXTERNAL_DATABASE_URI + value: "$(ORCHA_DB_PROTOCOL)://$(ORCHA_DB_USER):$(ORCHA_DB_PASSWORD)@$(ORCHA_DB_HOST):$(ORCHA_DB_PORT)/$(ORCHA_DB_NAME)" +{{- end -}} + +{{/* +Orcha basic configuration variables +*/}} +{{- define "orcha.configBase" -}} +ORCHA_TRUSTED_HOSTS: '["{{ include "orcha.hostname" $ }}"]' +ORCHA_SITE_HOSTNAME: '{{ include "orcha.hostname" $ }}' +ORCHA_SITE_UI_URL: 'https://{{ include "orcha.hostname" $ }}' +ORCHA_SITE_API_URL: 'https://{{ include "orcha.hostname" $ }}/api' +{{- end -}} + +{{/* +Get the Orcha general secret name +*/}} +{{- define "orcha.secretName" -}} +{{- if .Values.orcha.existingSecret -}} + {{- tpl .Values.orcha.existingSecret . -}} +{{- else -}} + {{- include "orcha.fullname" . -}} +{{- end -}} +{{- end -}} \ No newline at end of file diff --git a/helm/templates/ingress.yaml b/helm/templates/ingress.yaml new file mode 100644 index 0000000..08cbdc4 --- /dev/null +++ b/helm/templates/ingress.yaml 
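Review bot: `orcha.config.database` writes the database password into the Deployment as a literal `value:` whenever the bundled `postgresql.auth.password` or `postgresqlExternal.password` is set, which leaves the credential readable by anyone who can view the Deployment or pod spec. Rendering the `valueFrom.secretKeyRef` branch unconditionally would keep it in a Secret. The `or` condition also tests `postgresqlExternal.password` even when the bundled PostgreSQL is enabled. The password is interpolated into `ORCHA_EXTERNAL_DATABASE_URI` without URL-encoding, so a value containing `@` or `/` would produce a malformed URI. Separately, `orcha.hostname` returns `.Values.host`, while values.yaml defines `route.host` and `orcha.hostname` instead, so the Route host and `ORCHA_TRUSTED_HOSTS` would presumably render empty.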
@@ -0,0 +1,33 @@
+{{- if not (.Capabilities.APIVersions.Has "route.openshift.io/v1/Route") }}
+{{- if .Values.ingress.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ include "orcha.fullname" . }}
+ {{- if .Values.ingress.annotations }}
+ annotations:
+ {{- .Values.ingress.annotations | toYaml | nindent 4}}
+ {{- end }}
+ labels:
+ {{- include "orcha.labels" . | nindent 4 }}
+spec:
+ {{- if .Values.ingress.class }}
+ ingressClassName: {{ .Values.ingress.class }}
+ {{- end }}
+ tls:
+ - hosts:
+ - {{ include "orcha.hostname" $ }}
+ secretName: {{ include "orcha.tlsSecretName" $ }}
+ rules:
+ - host: {{ include "orcha.hostname" $ }}
+ http:
+ paths:
+ - path: /
+ backend:
+ service:
+ name: {{ include "orcha.fullname" . }}-api
+ port:
+ name: http
+ pathType: Prefix
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/helm/values.yaml b/helm/values.yaml
new file mode 100644
index 0000000..cb880e0
--- /dev/null
+++ b/helm/values.yaml
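Review bot: The `tls` block includes `orcha.tlsSecretName`, but _helpers.tpl in this commit defines no template of that name, so rendering with `ingress.enabled: true` on a cluster without the Route API would fail. values.yaml provides `ingress.tlsSecretNameOverride`, which suggests a helper was intended. A minimal one would be `{{- define "orcha.tlsSecretName" -}}{{ .Values.ingress.tlsSecretNameOverride | default (printf "%s-tls" (include "orcha.fullname" .)) }}{{- end -}}`. The `tls` block is emitted unconditionally, which is a good default, but the host values should be quoted (`{{ include "orcha.hostname" $ | quote }}`) so that an empty or unusual hostname does not produce invalid YAML.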
@@ -0,0 +1,206 @@ +## Orcha image version +## ref: to be added +## @param image.registry Orcha image registry +## @param image.repository Orcha image repository +## @param image.tag Orcha image tag (immutable tags are recommended). Defaults to .Chart.appVersion +## @param image.digest Orcha image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag +## @param image.pullPolicy Orcha image pull policy +## @param image.pullSecrets Orcha image pull secrets +image: + registry: ghcr.io/inveniosoftware # to be created + repository: orcha/orcha + tag: "" + digest: "" + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - name: myRegistryKeySecretName + ## + pullSecrets: [] + +## Openshift Route object +## @param route.annotations Annotations to be added to the Route +route: + annotations: + enabled: true + host: "" + +## Orcha ingress parameters +## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/ +## +ingress: + ## @param ingress.enabled Enable ingress record generation for Orcha. + ## + enabled: false + ## @param ingress.class IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) + ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster . + ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/ + ## + class: "" + ## @param ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. 
+ ## Use this parameter to set the required annotations for cert-manager, see + ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations + ## e.g: + ## annotations: + ## kubernetes.io/ingress.class: nginx + ## cert-manager.io/cluster-issuer: cluster-issuer-name + ## + annotations: + ## @param ingress.tlsSecretNameOverride Custom TLS secret name. + ## + tlsSecretNameOverride: "" + +# Orcha application config — all sensitive values should be +# overridden via --set or a separate secrets.yaml at deploy time +config: + # Authentication + authDisabled: false + tenantsJson: | + { + "tenants": [] + } + + # OpenAI (or other LLM) + liteLlmApiKey: "" + liteLlmApiBase: "" + llm: "" + + # Temporal + temporalHost: "{{ .Release.Name }}-temporal-frontend:7233" + temporalNamespace: default + + # Database +# change with dbod values + databaseUrl: "" + +orcha: + ## @param orcha.hostname Orcha hostname (templated) used in configuration variables like TRUSTED_HOSTS, SITE_HOSTNAME or SITE_URL + ## + hostname: "" + ## @param orcha.existingSecret General existing secret name for, at least, PGPASSWORD and LLM values + ## + existingSecret: "" + +## @section PostgreSQL chart configuration +### ref: https://github.com/bitnami/charts/blob/main/bitnami/postgresql/values.yaml +### @param postgresql.enabled Switch to enable or disable the PostgreSQL helm chart +### @param postgresql.auth.username Name for a custom user to create +### @param postgresql.auth.password Password for the custom user to create +### @param postgresql.auth.database Name for a custom database to create +### @param postgresql.auth.existingSecret Name os the existing secret to get the password from. 
+### +postgresql: + enabled: false + auth: + username: orcha + password: orcha + database: orcha + primary: + persistence: + enabled: true + size: 8Gi + +## @param postgresqlExternal External PostgreSQL configuration +## All of these values are only used when postgresql.enabled is set to false +## @extra postgresqlExternal.host Database host +## @extra postgresqlExternal.port Database port number +## @extra postgresqlExternal.user Non-root username for Orcha +## @extra postgresqlExternal.password Password for the non-root username for Orcha +## @extra postgresqlExternal.database Orcha instance database name +## @extra postgresqlExternal.existingSecret Name of an existing secret resource containing the database credentials +## @extra postgresqlExternal.existingSecretPasswordKey Name of an existing secret key containing the database credentials +## +postgresqlExternal: {} + # hostname: "" + # port: 5432 + # username: orcha + # password: "" + # database: orcha + # existingSecret: "" + # existingSecretPasswordKey: "password" + +## @section FastAPI server +## +api: + replicaCount: 1 + ## @param api.resources `resources` for the api container + ## + resources: {} +# requests: +# cpu: 100m +# memory: 256Mi +# limits: +# cpu: 500m +# memory: 512Mi + ## Orcha api service parameters + ## + service: + ## @param api.service.annotations Add extra (templated) annotations to the api service + ## + annotations: { } + ## @param api.service.type Web service type + ## + type: ClusterIP + port: 8000 + +## @section Temporal worker +## +worker: + replicaCount: 1 + ## @param worker.resources `resources` for the worker container + ## + resources: + requests: + cpu: 100m + memory: 256Mi + limits: + cpu: 500m + memory: 512Mi + +## @section Temporal server +## +temporal: + enabled: true + server: + replicaCount: 1 + config: + persistence: + default: + driver: sql + sql: + driver: postgres12 + host: "" + port: "" + database: temporal + user: temporal_user + existingSecret: "" # OpenShift 
secret + existingSecretKey: "password" + visibility: + driver: sql + sql: + driver: postgres12 + host: "" + port: "" + database: temporal_visibility + user: temporal_user + existingSecret: "" # OpenShift secret + existingSecretKey: "password" + cassandra: + enabled: false + mysql: + enabled: false + postgresql: + enabled: false + elasticsearch: + enabled: false + prometheus: + enabled: false + grafana: + enabled: false \ No newline at end of file
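Review bot: `postgresql.auth.password` defaults to `orcha`, the same string as the username, so switching on the bundled PostgreSQL without an override deploys a database with a guessable credential that is also committed to the repository. Leaving it empty (`password: ""`) and documenting `postgresql.auth.existingSecret` should push operators onto the `secretKeyRef` path in _helpers.tpl. The `config` block also carries `liteLlmApiKey` and `databaseUrl` as plain values, and the comment above it recommends `--set`, which stores the secrets in the Helm release data. Pointing to `orcha.existingSecret` instead would match the rest of the chart. The README in this commit calls the bundled PostgreSQL the default, while `postgresql.enabled` is `false` here.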