From 6053a3be40380c3b65bfc6ee808877a4a1541fbc Mon Sep 17 00:00:00 2001 
From: shashi ranjan Date: Fri, 12 Apr 2024 15:36:53 -0500 Subject: [PATCH] Sombra and dependent chart 1st release. --- .cr-release-packages/sombra-0.1.0.tgz | Bin 0 -> 7956 bytes .../sombra-chart/.helmignore => .helmignore | 0 CHANGELOG.md | 5 + Chart.lock | 9 + Chart.yaml | 15 + README.md | 541 +++++++++++++++++- .../llm-classifier/.helmignore | 0 charts/llm-classifier/Chart.yaml | 6 + charts/llm-classifier/templates/NOTES.txt | 8 + .../llm-classifier/templates/_helpers.tpl | 0 .../llm-classifier/templates/deployment.yaml | 27 +- .../llm-classifier/templates/hpa.yaml | 3 +- .../llm-classifier/templates/service.yaml | 3 + charts/llm-classifier/values.yaml | 83 +++ charts/pathfinder/.helmignore | 23 + charts/pathfinder/Chart.yaml | 5 + charts/pathfinder/templates/NOTES.txt | 8 + charts/pathfinder/templates/_helpers.tpl | 62 ++ charts/pathfinder/templates/configmap.yaml | 9 + charts/pathfinder/templates/deployment.yaml | 92 +++ charts/pathfinder/templates/hpa.yaml | 33 ++ charts/pathfinder/templates/ingress.yaml | 28 + charts/pathfinder/templates/secrets.yaml | 13 + charts/pathfinder/templates/service.yaml | 18 + charts/pathfinder/values.yaml | 95 +++ deployments/sombra-chart/Chart.yaml | 24 - .../charts/llm-classifier/Chart.yaml | 24 - .../charts/llm-classifier/templates/NOTES.txt | 22 - .../llm-classifier/templates/ingress.yaml | 61 -- .../templates/serviceaccount.yaml | 13 - .../templates/tests/test-connection.yaml | 15 - .../charts/llm-classifier/values.yaml | 84 --- deployments/sombra-chart/templates/NOTES.txt | 22 - .../sombra-chart/templates/ingress.yaml | 61 -- .../sombra-chart/templates/service.yaml | 15 - .../templates/serviceaccount.yaml | 13 - .../templates/tests/test-connection.yaml | 15 - deployments/sombra-chart/values.yaml | 107 ---- robots.txt | 2 + templates/NOTES.txt | 35 ++ .../templates => templates}/_helpers.tpl | 0 .../templates => templates}/deployment.yaml | 40 +- .../templates => templates}/hpa.yaml | 1 + templates/ingress.yaml | 57 ++ 
templates/namespaces.yaml | 8 + templates/secrets.yaml | 28 + templates/service.yaml | 41 ++ values.yaml | 168 ++++++ 48 files changed, 1431 insertions(+), 511 deletions(-) create mode 100644 .cr-release-packages/sombra-0.1.0.tgz rename deployments/sombra-chart/.helmignore => .helmignore (100%) create mode 100644 CHANGELOG.md create mode 100644 Chart.lock create mode 100644 Chart.yaml rename {deployments/sombra-chart/charts => charts}/llm-classifier/.helmignore (100%) create mode 100644 charts/llm-classifier/Chart.yaml create mode 100644 charts/llm-classifier/templates/NOTES.txt rename {deployments/sombra-chart/charts => charts}/llm-classifier/templates/_helpers.tpl (100%) rename {deployments/sombra-chart/charts => charts}/llm-classifier/templates/deployment.yaml (72%) rename {deployments/sombra-chart/charts => charts}/llm-classifier/templates/hpa.yaml (91%) rename {deployments/sombra-chart/charts => charts}/llm-classifier/templates/service.yaml (83%) create mode 100644 charts/llm-classifier/values.yaml create mode 100644 charts/pathfinder/.helmignore create mode 100644 charts/pathfinder/Chart.yaml create mode 100644 charts/pathfinder/templates/NOTES.txt create mode 100644 charts/pathfinder/templates/_helpers.tpl create mode 100644 charts/pathfinder/templates/configmap.yaml create mode 100644 charts/pathfinder/templates/deployment.yaml create mode 100644 charts/pathfinder/templates/hpa.yaml create mode 100644 charts/pathfinder/templates/ingress.yaml create mode 100644 charts/pathfinder/templates/secrets.yaml create mode 100644 charts/pathfinder/templates/service.yaml create mode 100644 charts/pathfinder/values.yaml delete mode 100644 deployments/sombra-chart/Chart.yaml delete mode 100644 deployments/sombra-chart/charts/llm-classifier/Chart.yaml delete mode 100644 deployments/sombra-chart/charts/llm-classifier/templates/NOTES.txt delete mode 100644 deployments/sombra-chart/charts/llm-classifier/templates/ingress.yaml delete mode 100644 
deployments/sombra-chart/charts/llm-classifier/templates/serviceaccount.yaml delete mode 100644 deployments/sombra-chart/charts/llm-classifier/templates/tests/test-connection.yaml delete mode 100644 deployments/sombra-chart/charts/llm-classifier/values.yaml delete mode 100644 deployments/sombra-chart/templates/NOTES.txt delete mode 100644 deployments/sombra-chart/templates/ingress.yaml delete mode 100644 deployments/sombra-chart/templates/service.yaml delete mode 100644 deployments/sombra-chart/templates/serviceaccount.yaml delete mode 100644 deployments/sombra-chart/templates/tests/test-connection.yaml delete mode 100644 deployments/sombra-chart/values.yaml create mode 100644 robots.txt create mode 100644 templates/NOTES.txt rename {deployments/sombra-chart/templates => templates}/_helpers.tpl (100%) rename {deployments/sombra-chart/templates => templates}/deployment.yaml (62%) rename {deployments/sombra-chart/templates => templates}/hpa.yaml (96%) create mode 100644 templates/ingress.yaml create mode 100644 templates/namespaces.yaml create mode 100644 templates/secrets.yaml create mode 100644 templates/service.yaml create mode 100644 values.yaml 
diff --git a/.cr-release-packages/sombra-0.1.0.tgz b/.cr-release-packages/sombra-0.1.0.tgz new file mode 100644 index 0000000000000000000000000000000000000000..c2504cb5808a18ae08a887019f231a8cb73d771f GIT binary patch literal 7956 zcmV+vAM4;BiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PKBfciT9!XudXo1)iKaSzbg_tJ6B&bFRkLbadN`o~>j~-t9RK zL_!kVB*7*?IU2|Bx4(mhB)CYTZCTDjd`K)3C={_&6$-Tw>`nr>e>jH$)tAt9o^8Jv zhGBHuZT`Pu7}@`gZoBoY(e5^y&4W&-+kR#=n(c$uGhjRdF1ZpC3WI0HgZs*U+&5C7 zZ+}1mv9Z?!i>3yBKlyo}HxAzFhGrojc^2|a8Nn4Z|FuExDV-kYI{}z;N(>apcW!#VEY1S zAG|}33rx1)!4wC;LcW8Swl@P}F97ISz@`L5pG^Tl!NN8X0k#Kz4<{(_5Jg0Dq3uy< zdnn+;f?Q}jJz$~5f6)MX#6+H@+c?H~96i*;Z_%Abmp!6w2|6QZn|GOyJy?yU}d!K!2&k&(KK<2R7>Gqo4snz<~G*GA8nOL1p zciL^fZ5^}@4m!=2@wU}zn7Hs+AX7DHGkG-$U_07$m)Sw z(`dHqM!Vi@j~m@ytJ~`|^n-4*+c>Bjot|OT9(P-PGez$I1$0709!UULzyBMJPOF>U z{|Bvhwf}cf_P`OE!qA~WECJ3E#iFQl9;s`4U_7@8unBpcx$!qsO%wRc`(4C+F;3=>@LZQbR<0&|T6k2!&&U{7{aG(W< z^VmZidb9@`41;qtvk48BoW-Mn^L{fxjO*Lb0T!arb_gE=1VVxWhJ(NiI@fSX7=pE! zv)8~&D#yx%1l0-hh)wMUdi6%zvs5d4moeEj)P;a~k{PP!QM_;w+9WEa>}uEk-XmcT?&y?53gPfWJcMFb-<5CcL@E zp6A+X@rOar!<0|Cx)XtqEzQSPKY7~&H@8VMM{K%$i(@!Jj;O5dB_$exeqhdRicA^? 
z2<)Ycwg>);AOz-=`lPqNZ()<9=Y>7lC&&x~n=bc}XVodLv;UB121_n)@5j=0UC!d3 z+)NS!6H5`AE!!aUJSK?KYb-Y;iD^+tD0Wd$x4l`wR+-pN@@}cs_P`u2#DZmwLr)$-zy#52guHw^ zK1y=#qK}xf0cFGqvk`tb9*^|6O6W5zIT|MRJY<#tFW|lbb9{~XA4?qa@o*gAAu)A+ zfEUqTGf_b8DMOw84sbY|1LQ620DCSQrxE22oSV@ivz?K;RJ`2L7CdKFknr@rabTb02MwF>OZiod`i4yh8zc zBbZavFR&nmZ0*S{k1Q}jQyd^*Q-Bx*BAHgqHGt{h&=Oy981H_zYQTssm6y@tjRq6a z^r*e+fsWDoIoJF`wwH{LWQUQrYa8nD<>*H5KEp@S<5&E(a`ciHd^x-D3UN-22<6m( zk8U#bOG1%L-f);RNYOQ1O6en{bH=^pqQ`_S#t6_G5a5uCwIrWKl*YtCfJ`bOzlmfL zFPcCui^O6Jzya`4K(GfLZBI-#|7=FA5e);6P54qg6CfWtvF+wPC$^!mQK_&IsvI%1 zs$iR&b~)Kv{NhqVU{Z`w&>T7;p(q%Rm~epuDsg4vgu<5DFhk3V>3W2RX)>Wx11f_T zTsi47UV;Efbr+L!Lnh7ev-l~OzG~jg_CD7NKmjnv{5YNYNZno5E$l+u(@pG_AEhj9 zi3TZpUT%z9KR0EokD54<4QMRgp^UMLMN&QAVu-oG3k zkKYYW$HPO>$;n{+?(FCy)jXcQHv|!OickR^^~e3oi}(Nd@4?~t!N87>Pc9FS`xh6( ze+~!dm+#My)wXO+_4fBOdiZ20OKVt{G2@K@Z)GOL-cU; z{ynuFsSFsQz(gKpXKe7+h%24&5nf$S^RR_3kb_K$15OPoc2E#e$N%}a2B%Zov*}V0 z-I;?Y(BZq7ovBBm<6Q8Ko!X5FD~%KgoWU?bAzF`8T#86%$PP4YRRb4W$kF1Z%T{i| zFll>W6l;~4;L#s~89QlsOlSZOT=Jz0DVW&{BoAEJqXBj}m4cyVQ#i35n=S$Ngb*{s z3<=xgHJAjCrwk>cm!#E-o;&$7kNi_>_cj-)|Bdx>`=@8)!G%sg)9v-K;r^%F?Q}Bw z-*(gJR{Gyvl!gv|Lqb0wkL>Yck7dI5=f_OQkF_&gMqpJV^yOKxre!{he0x4(aLv!(|o)iLl4732`az)NX}fZ8dx z5IaHC3Lr?Tq%#3lAc#J5jm7EN(cp4)c0T^~`OB+tf=udw8KR(GkJZqC;dG811PRg; zRrc*IsAKRa!5$+Gzt(Pa;v-Y%+M53{{;hiwo!eS+vCKxqGo8>vpqA3UNBY7V(82BP zs|LDm-*^RXZ*OjN_K)0*wcCPqkbF(AaHmES%|CtRPK^(c zciO6>v!lz?{>dOSjy|@^ZUqO_pzrHfv26!q^sM2pE5|q)-#7WD(LL0!*)G}et=xGo zqL4`^9JU-|@r8$Hr{n(cbZ}lok(d}->NB55164?$;?pC?C8k#KV?nawiLZUIiA|&V zZ!`~dLpStB@2&CHh-781%u*~{*pWQKycEU^i~1A?*D$aY^jROh=jlNaD~c~rO>5@3 zTCA|VA5+U}AU5)}T!Zy2Em!@n9L>ZY2^FPG#n7IHp{<#RinD!3oGmxccV=vxcWlMi zD!!KDYmadL%bou(=g9FPF%M@(G`M=ff7@6~b$LMyd^Zzc&&CUL6ZSdKTY?C4z z7k=#_?7v>`OR{E(Yoj81QBSIHV=`SB6m!xL5j@rG1$+TC2t5;YTl`Pky$GjM`!lH3 zYcUm-!W>8OFhGpT!?*{=36=#GHoEpNBw+LUl=Z+cC18R~$aXKmE>g_6#V1c~8`jO++AJJU?_C ziS7E)P550j!irFuwIzxMZsq$jgU(o&{QEiofZng=XEnhw9tr^@%Pa(*sfTw&&JS#l zPC@N&r2aQj%fJ$ymS1DVf2LNRGNo*~o 
z9Lo-LW%bA}?#JFJ>|I_QiS5Z5qs=w>0{#jyMVS%ELvf)8XUM8gmc10mzK|CdMI#v9 zqm&!N?5EZX@emg(B?PmAwvk}g%gG$;)^wKOXRhLF9D60P-^nJ3wXlPfqXZ65Qyb!eL0N0Cs*-9SJWqoP1uNRxzb)o?<-_YfbS-=sKyM-zLpcAIgf8 z`m(#uivqbAcQFvzTI+GlVHr()VJE_XLC;z*B;bnd8ty$@iJBn+Q%`n_D$gn3Ba!HV znz9P{BR%no0Jpcj+-nMF;7e9APYF!5Y%e3lCn5(=ai>V(hrC5kRX4^TH9Q>;&QJTt zm%k4_rYcC=q<;q3?PXp7X)5+RTArh6{%u5FAp6f{#_J3FwMApG79M5rH(|BE`#gPN|>R#%8)sDFsuTWc5vE8iF5SicReF!1!>q z8iDA(r*!{WquV=npR=t?4`4*=WM`?`3jJ#|(>>TPwLDx8GV&HIhL&Rr zsu5gLEoB<_5H67GFS4mq_;X}sx7B_WTfU^0YT$Rj-kw@Kt;!>p-1%?r!)?2PZ#e%o zjb=9fOS^GUo&R=HGFqAy$EDOMF{!e@Xv)LlyVxpvgsr};fr8x0apOtwuE)zQog6v3 zV{S(s%TYx~WA;3EJO<$Ic&ALimElk)K&c}espjFU8YOjPBVmlL3{mlPuQxT1xIP5gn*3U4T;hQ{KS^3g8SWFIRqYIm|OWbmK^@v8TW1UHoF?WB}8-jA+yo- zc~4whhq!i5X&nhT67*r>CA-$4BKD@0%JR^O4&!y{Lc7@?Bd4(8HdQf8 z^C6w54*2!RF)wxKXV1o*FOC8(JS(gBQXG@hrQ||L7w!#Mq^jg$hXlBS zRh_>|EMrfc+GdBc){1SGb$R%1xXe*Dfd;NXKwq2V)4v} ze}zbkz!e1NVKP?H1W&qc=BP zr#sha+1cJ;w)fPN9n*h(jvUvXc{q54m}Q&vKb=-K{#Wy$qW`-oJh&bc+j&@4u>!#L z9C=_8+Ky#=GvGt>3eFITGeO9p-UN_2avU&o@I*L6*xu|72#^DL>|h_#x$<1Z8~4ym zgadr(b3HS%#P&-jbojgHk%ShjdLpy12ZcBILI8Ui@%)0W3Qpnm)7X zKL1ysuj!Nj1pEBo=)rup&;E&il7+XQ0GdGaD)f0S3!=T&$+fS&)+g{vd#zKK{fz^A zroH}u+8+1-0~?0~437px)BOPdiA<{LwuRuns2<=yHGM%$Y@z*c!IC1%|MaeZ`rF|6 z>^I%Dw%*64{cq&_|C_CLrT^JU*#n1j=*^IWXPUORCo?l?uffo>c?uNiWBb&2R^@Su z-2dl;{?Ww_(;Q$lYHce~jKlLq3Mx^$!#wFTMpFT|>5wV%)Q41b4 zUKMYN^h^5m>66yfe;Q*M<<0&NQi3t?$R9G$~FmZF8$G=#{hoppB#fvN=~#- zTsq*AiXLOgUhuz*(kTJ3Ii(US#c7qqjeL|^>6h_&|McQ;aC&sv9}O?ZXTJ|l|E|eu zQFwF!HiSqQB?>wIOSaD6Uu1x!!=`6i$1iiu$^=nQ11pSvu7WHZPW_HxR|Hm1L6Kpg zehH9+2s(u>`g^@Zto3MOlxX;o3tfTM{lzai|G#)x(^~d)&A3uVtN!Abl;h*yUkHTK zfvN?H=^P3LXvaf>edIy=68d)3$=PUddf6ZHHK}3))Z`>K_EKM(nZDfjfaS!3qow~e^ay3-fQP=2X|u#xM~|z;6v&p933kzC6!j-f zjp|dN(2NMgPgxAr2H4)38rMbVc+Aj@%-1y$$wp=I{)pYyeBBA_h-nXJ@8sP zvI%q?eBA@zgz};)4=!^53(B5JBO|kdKlmna)BbO^+nN2}?RG2w&z+Pt`TrZbafjsj z$Hyn&FkU+8O!>eR;cvCV?BY+G0RIOsYxn<_vVw2Y|Fn$k{r^FuS?&Lwly52jcP25^ zw$p*{feS=|&BGpkVrRuqipnd!GZHLykVR{A`s)m=vT3k0WOIEw>=k{iO^dCxLBYE0 
z*qk$bU%9d4+Uapi+@G`(*)E0hM@Gz2)l3(I^AAxxZ&gRd8f0_*$-0MUr-$#)&j+W6 zA5%@5E9#GjCxf&1Y4DAv@k05wWNXQUf3Y4^W=-}(s_lUjc!dB70~E3CIE(WqZ(&S`gb`cKg z1v0T`ksfFnY<5s!V=I2vV9!Wsnuw6`JV0cQ9g9%_0H)A(!T_mH4NYS#f`iUFhL0_q4Q8d#`sDdw zav%5@8DUmZ#VRMv14>Ex??G8%Hpze8ZpQwj*)*#B|GOz`&i`9T4YPXBZX*uZ3J&#+ zq=(ta0>9}5F(u}vN)hwDridw*AS4?E?(4}9lId`DR*tVJ8AtY#YAsN;a+Qcp=yY=TKL?FU{@X>7G7Ay{|_2Q?*6Y+-T&>Rl+^!}2mGVxqEr@KaR+F9_XJLrVk z+c_1i-TzyP3bkqf=i@&e7*+na-IOZ+Qx*Ry+5bt1fNlByJuBn?*UIL9>>3Bv{m)Ly z8vnnAp*Na(r@O`lF!7HW#Vcp6>tC|KD!0F{qO9EiTk`#TR_6ZqAh-Xk_-{KZh5moZ zG5}wj58zIn{uH8?;BAkBiH-*W#F#$?UQxaIQ2o&9#%ADyJ?avG#oJ{pXU&puubPCuyi`~X`jmi_U&e-2NN z2It%fBLy*8qfs317eBIVp+Z9#ZM7xMVFWLZ*r$@0{t(RY0tFu9L2TSVFE#$JB+W%5 z;71l0VlPXxO3o~O%&7ew1)M#G&~<=dz1nu<|JTg(vxDFyBN=T3M=eog(z9{iOLoA z=av5%;!3NIPKaI-^r<+C33vQwY+ylu!@u<7bM@mmM?Si}qLgf2Q^ z(!z=fOC5XaqJCx~T-JOfjAPcU?kLe%Qb;%v%~n?{^kOgjg#z0GmbT%e%;;#C9+L8B z!I#V)wnp+5yZX0=K znwP9}w`34jPhb(K0?$kaq-ebJ&3}0HXDRysfY@)(O4$E(bNQc)j#1hF?4&$S{I{<| ziTCZqeJg1bw56DDYFWAew-o#B*}dYwbz6' + +transcend_service: + type: NodePort + port: 5042 + # Annotations to add to the service account + annotations: {} + +transcend_ingress: + enabled: true + className: alb + annotations: + alb.ingress.kubernetes.io/certificate-arn: + alb.ingress.kubernetes.io/healthcheck-path: /health + alb.ingress.kubernetes.io/healthcheck-port: "5042" + alb.ingress.kubernetes.io/healthcheck-protocol: HTTP + alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS": 5042}]' + alb.ingress.kubernetes.io/scheme: internet-facing + alb.ingress.kubernetes.io/subnets: + alb.ingress.kubernetes.io/tags: env=dev + alb.ingress.kubernetes.io/target-type: ip + host: sombra-transcend.my-domain.com + +customer_service: + type: NodePort + port: 5039 + # Annotations to add to the service account + annotations: {} + +customer_ingress: + enabled: true + className: alb + annotations: + alb.ingress.kubernetes.io/certificate-arn: + alb.ingress.kubernetes.io/healthcheck-path: /health + alb.ingress.kubernetes.io/healthcheck-port: 
"5039" + alb.ingress.kubernetes.io/healthcheck-protocol: HTTP + alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS": 5039}]' + alb.ingress.kubernetes.io/scheme: internal + alb.ingress.kubernetes.io/subnets: + alb.ingress.kubernetes.io/tags: env=dev + alb.ingress.kubernetes.io/target-type: ip + host: sombra-customer.my-domain.com + +envs: + - name: ORGANIZATION_URI + value: '' + - name: EMPLOYEE_AUTHENTICATION_METHODS + value: 'transcend,session' + - name: DATA_SUBJECT_AUTHENTICATION_METHODS + value: 'transcend,session' + +envs_as_secret: + - name: INTERNAL_KEY_HASH + value: '' + - name: JWT_ECDSA_KEY + value: '' + - name: INTERNAL_KEY + value: '' + +``` +4. Install the sombra package. + ``` + helm install some_release . -f values.yaml + ``` +5. To upgrade the sombra package after customization. + ```bash + helm upgrade some_release . -f values.yaml + ``` +5. To uninstalling a Release + ```bash + helm upgrade some_release . + ``` + +## Configuring Sombra + +Following is the list of enviroment variables supported by Sombra for its configuration. Please check out our detailed [guide](https://docs.transcend.io/docs/security/end-to-end-encryption/deploying-sombra) on self-hosting sombra configuration. 
+ +| Variables | Required | default | secret | Description +| -------------------------------------- | ------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------- | ------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| ORGANIZATION_URI | yes | N/A | no | This value can be found under "Sombra Audience" here: https://app.transcend.io/infrastructure/sombra/sombras | +| SOMBRA_ID | no | N/A | no | The SOMBRA_ID parameter is only required when deploying multiple Sombra gateways. This value can be found under "ID" here: https://app.transcend.io/infrastructure/sombra/sombras. | +| EMPLOYEE_AUTHENTICATION_METHODS | yes | N/A | no | We recommend starting with the 'transcend' authentication method. After Single Sign On is setup, 'transcend' can be switched to 'saml'. | +| DATA_SUBJECT_AUTHENTICATION_METHODS | yes | N/A | no | We recommend starting with the 'transcend' authentication method. After Account Login is setup, 'transcend' can be switched to 'oauth' or 'jwt'. | +| JWT_ECDSA_KEY | yes | N/A | yes | The root secrets that you should generate yourself and keep secret. 
If you are migrating from a Transcend-hosted multi-tenant Sombra to an on-premise and are mid-implementation, it is critical that you re-use the same JWT_ECDSA_KEY from the existing instance. If you already have connected integrations and DSRs, you should deploy the on premise Sombra gateway with the same JWT_ECDSA_KEY and then run a key rotation after the gateway is deployed. To obtain the JWT_ECDSA_KEY reach out to your account manager over Slack or email support@transcend.io to grant access for you to download the key. You will only be able to reveal the key once for security reasons. The key can be obtained by clicking the Reveal Multi Tenant Root Secret button on the Sombra Gateways panel in the Admin UI. |
+| JWT_AUTHENTICATION_PUBLIC_KEY | no | N/A | no | Company's data subject authentication via JWT public key(s). First entry is latest. |
+| ALLOW_EMPLOYEE_CEK_ACCESS | no | true | no | Allow employees to submit and download DSRs on behalf of the data subjects. |
+| CONSENT_IDENTIFIER_ENCRYPTION_KEY | no | N/A | yes | The Elliptic Curve Diffie Hellman private key(s), for securely communicating with the data subject. Derived from JWT_ECDSA_KEY by default. First entry is latest. |
+| INTERNAL_KEY_HASH | yes | N/A | yes | The hash of a randomly-generated API key that will be used to verify incoming requests from your internal systems. You can use [this](https://docs.transcend.io/docs/security/end-to-end-encryption/deploying-sombra#6.-cycle-your-keys) guide for the generation of key. |
+| SAML_ENTRYPOINT | no | N/A | no | Identity provider entrypoint (is required to be spec-compliant when the request is signed). |
+| SAML_ISSUER | no | `transcend` | no | Issuer string to supply to identity provider. |
+| SAML_CERT | no | N/A | no | The public key to validate the SAML assertion against. The "BEGIN CERTIFICATE" and "END CERTIFICATE" lines should be stripped out and the certificate should be provided on a single line.
|
+| SAML_AUDIENCE | no | `transcend` | no | Expected saml response Audience (if not provided, Audience won't be verified) |
+| OAUTH_CLIENT_ID | yes if you configured oauth as one of the DATA_SUBJECT_AUTHENTICATION_METHODS. | no | no | The Client ID of your privacy center's OAuth 2 application. |
+| OAUTH_CLIENT_SECRET | yes if you configured oauth as one of the DATA_SUBJECT_AUTHENTICATION_METHODS. | N/A | yes | The Client Secret of your privacy center's OAuth 2 application. |
+| OAUTH_GET_TOKEN_URL | yes if you configured oauth as one of the DATA_SUBJECT_AUTHENTICATION_METHODS. | N/A | no | The token URL for your OAuth API (authorization_code => access_token) e.g. https://api.acme.com/oauth/token. |
+| OAUTH_GET_TOKEN_HEADERS | yes if you configured oauth as one of the DATA_SUBJECT_AUTHENTICATION_METHODS. | N/A | no | The headers to include when fetching the OAuth token. Expected format is a stringified JSON object, e.g. '{"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8"}'. |
+| OAUTH_GET_TOKEN_METHOD | no | `POST` | no | The HTTP method to use when retrieving the OAuth token |
+| OAUTH_GET_TOKEN_BODY_GRANT_TYPE | no | N/A | no | The grant type for this OAuth token |
+| OAUTH_GET_TOKEN_BODY_REDIRECT_URI | yes if you configured oauth as one of the DATA_SUBJECT_AUTHENTICATION_METHODS | N/A | no | The redirect URI for the Oauth token body. |
+| OAUTH_GET_CORE_ID_URL | yes if you configured oauth as one of the DATA_SUBJECT_AUTHENTICATION_METHODS | N/A | no | The API endpoint where we can find a user ID or similar core identifier (e.g. https://api.acme.com/user-profile). |
+| OAUTH_GET_CORE_ID_PATH | yes if you configured oauth as one of the DATA_SUBJECT_AUTHENTICATION_METHODS | N/A | no | A path to the coreIdentifier (User ID) to traverse a JSON body (path.to.user.id).
|
+| OAUTH_GET_CORE_ID_DATA_SUBJECT_TYPE | yes if you configured oauth as one of the DATA_SUBJECT_AUTHENTICATION_METHODS | N/A | no | The type of Data Subject that the OAuth configuration refers to. This should use the Data Subject slug, which is the value found in parentheses under DSR Automation -> Request Settings -> Data Subjects. |
+| OAUTH_GET_PROFILE_PICTURE_URL | no | N/A | no | Configuration to retrieve additional profile data for the data subject (e.g. nickname, picture). |
+| OAUTH_GET_PROFILE_PICTURE_PATH | no | N/A | no | A path to the profile picture URL image, from the OAuth response body. |
+| OAUTH_GET_EMAIL_URL | no | N/A | no | The URL that should be hit to fetch the user email address. |
+| OAUTH_GET_EMAIL_PATH | no | N/A | no | In the JSON response body for the data subject oauth authentication, what is the path to the email? e.g. profile.email. |
+| OAUTH_EMAIL_IS_VERIFIED_PATH | no | no | no | JSON path to the is_verified field on the Oauth profile. |
+| OAUTH_EMAIL_IS_VERIFIED | no | N/A | no | Whether all OAuth emails are already verified by default, attested by the organization. |
+| DATA_SUBJECT_SESSION_EXPIRY_TIME | no | '5 days' | no | The length in time that the session JWT will last |
+| EMPLOYEE_SESSION_EXPIRY_TIME | no | '3 hour' | no | The length in time that the session JWT will last |
+| SOMBRA_TLS_KEY | yes, if you want encrypted traffic b/w sombra and the load balancer. | N/A | no | The TLS private key for this server, base64-encoded in PEM format. |
+| SOMBRA_TLS_KEY_PASSPHRASE | yes, if you want encrypted traffic b/w sombra and the load balancer. | N/A | yes | when generating your TLS cert, you may have been prompted to add a passphrase to your private key. If you did, you can add the passphrase here to let Sombra access it. |
+| SOMBRA_TLS_CERT | yes, if you want encrypted traffic b/w sombra and the load balancer. | N/A | yes | The TLS certificate for this server, base64-encoded in PEM format.
|
+| TRUSTED_CLIENT_CA_CERT_ENCODED | no | N/A | yes | The public CA cert from a client who is connecting to the internal sombra over mutual TLS. If set, sombra will enforce that all incoming requests to non-health routes have a client cert. |
+| EXTERNAL_PORT_HTTPS | no | 5041 | no | Port for the external HTTPS server (faces inside firewall). |
+| EXTERNAL_PORT_HTTP | no | 5042 | no | Port for the external HTTP server (faces inside firewall) |
+| INTERNAL_PORT_HTTPS | no | 5040 | no | Port for the internal HTTPS server (faces inside firewall) |
+| INTERNAL_PORT_HTTP | no | 5039 | no | Port for the internal HTTP server (faces inside firewall) |
+| LLM_CLASSIFIER_URL | no | N/A | no | The LLM classifier service endpoint. |
+| SOMBRA_IS_BEHIND_PROXY | no | false | no | Whether Sombra is behind a proxy. |
+| ODBC_POOL_CACHE_SIZE | no | | no | Max size of LRU cache to store the connection pool per database. |
+| ODBC_CONNECTION_MAX_POOL_SIZE | no | 100 | no | The maximum number of open Connections the Pool will create |
+| ODBC_CONNECTION_INITIAL_POOL_SIZE | no | Set a relevant value, to enable connection pooling, based on the number of odbc based Integrations you planning to connect | 10 | The initial number of Connections created in the Pool |
+| ODBC_CONNECTION_POOL_SIZE_INCREMENT | no | 10 | no | How many additional Connections to create when all of the Pool's connections are taken |
+| ODBC_CONNECTION_POOL_SIZE_SHRINK | no | true | no | Whether or not the number of Connections should shrink to initialSize as they free up |
+| REUSE_ODBC_CONNECTIONS | no | false | no | Whether or not to reuse an existing Connection instead of creating a new one |
+| ODBC_LOGIN_TIMEOUT_IN_SECONDS | no | 10 | no | The number of seconds to wait for a login request to complete before returning to the application |
+| ODBC_CONNECTION_TIMEOUT_IN_SECONDS | no | 0 | no | The number of seconds to wait for a request on the connection to complete before returning to the application |
+|
ODBC_QUERY_TIMEOUT_IN_SECONDS | no | 60 | no | How long to wait for each ODBC query to execute before returning to the application |
+| ODBC_POOL_CACHE_TTL_MS | no | 3600000 | no | How long the connection pool per database should be cached in milliseconds |
+| MONGODB_SERVER_SELECTION_TIMEOUT_IN_MS | no | 30000 | no | How long to wait to connect to MongoDB |
+| MONGODB_CONNECT_TIMEOUT_IN_MS | no | 30000 | no | How long to wait for each ongoing connection |
+| KMS_PROVIDER | no | `local` | no | The key management provider. Follow this [guide](https://docs.transcend.io/docs/security/end-to-end-encryption/deploying-sombra#kms) for setup. |
+| AWS_REGION | yes, when you are using `AWS` as `KMS_PROVIDER`. | N/A | no | The AWS Region where the KMS is hosted |
+| AWS_KMS_KEY_ARN | yes, when you are using `AWS` as `KMS_PROVIDER`. | N/A | yes | The Amazon Resource Name for the Amazon KMS. |
+| AWS_ACCESS_KEY_ID | yes, when you are using `AWS` as `KMS_PROVIDER`. | N/A | yes | The AWS access key ID, used to access the Amazon KMS. |
+| AWS_SECRET_ACCESS_KEY | yes, when you are using `AWS` as `KMS_PROVIDER`. | N/A | yes | The AWS secret access key, used to access the Amazon KMS. |
+| RUN_DATADOG_APM | no | false | no | Initialize Datadog tracing. Only applicable when you are using Datadog agent for log and metrics collection. |
+| DD_APM_PORT | no | 8126 | no | Datadog Agent APM port, used for sending trace data. Only applicable when you are using Datadog agent for log and metrics collection. |
+| DD_HOST | no | 'localhost' | no | Datadog Agent stat, string prefix name for the stat. Only applicable when you are using Datadog agent for log and metrics collection. |
+| DD_STATSD_PORT | no | 8125 | no | Datadog Agent metric port, used for sending metrics data. |
+| DD_APM_BLOCKLIST | no | [] | no | A blocklist of routes to pass to the trace. Only applicable when you are using Datadog agent for log and metrics collection.
|
+| DD_APM_ANALYTICS | no | true | no | Filter Analyzed Spans by user-defined tags. Only applicable when you are using Datadog agent for log and metrics collection. |
+| DD_APM_LOG_INJECTION | no | true | no | Enable automatic injection of trace IDs in logs for supported logging libraries. Only applicable when you are using Datadog agent for log and metrics collection. |
+| DD_APM_RUNTIME_METRICS | no | true | no | Whether to enable capturing runtime metrics. Only applicable when you are using Datadog agent for log and metrics collection. |
+| DD_TRACE_DEBUG | no | false | no | Enable debug logging in the tracer. Only applicable when you are using Datadog agent for log and metrics collection. |
+| DD_SERVICE_NAME | no | `transcend-hosted-sombra` | no | The name for your Sombra. Only applicable when you are using Datadog agent for log and metrics collection. |
+| LOG_HTTP_TRANSPORT_URL | yes if your want to forward sombra logs to transcend | N/A | no | The Transcend Collector's HTTPS ingress endpoint. |
+| LOG_HTTP_TRANSPORT_BATCH_INTERVAL_MS | no | 5000 | no | The maximum time to wait between batches of logs sent to the Collector. |
+| LOG_HTTP_TRANSPORT_BATCH_COUNT | no | 10 | no | The maximum number of log lines to send in a single batched request. |
+
+## Configuring LLM Classifier
+| Variables | Required | default | secret | Description
+| ---------- | ---------- | ---------- | ---------- | ---------- |
+| LLM_SERVER_PORT | no | 6081| no | Port on which server listen to.|
+| LLM_SERVER_CONCURRENCY | no | (cpu count) * 2 | no | The number of worker processes for handling requests.|
+| LLM_SERVER_TIMEOUT | no | 120 | no | Workers silent for more than this many seconds are killed and restarted.|
+| DD_SERVICE | no | N/A | no | Service name. Only relevant for log and metrics collection through Datadog agent.|
+| DD_ENV | no | N/A | no | Deployment environment.
Only relevant for log and metrics collection through Datadog agent.|
+| DD_AGENT_HOST | no | N/A | no | Host ip to which logs and metrics are forwarded. Only relevant for log and metrics collection through Datadog agent.|
+
+
+## Configuring Pathfinder
+| Variables | Required | default | secret | Description
+| ---------- | ---------- | ---------- | ---------- | ---------- |
+| AUTHENTICATION_KEY_HASH| Required if REQUIRE_AUTHENTICATION is true| N/A | yes | Hash to check Bearer tokens against when services are authenticating to the server. See section on Generating Keys below.|
+| REQUIRE_AUTHENTICATION| no| N/A | yes | Whether to require services to authenticate to Pathfinder. May not be necessary if all services using Pathfinder are on the same network.|
+| OPEN_AI_API_KEY| yes | N/A | yes | API key for OpenAI, obtained from https://platform.openai.com/account/api-keys.|
+| PORT| no | 3030 | no | The internal port to run Pathfinder on. |
+
+### Generating AUTHENTICATION_KEY_HASH & AUTHENTICATION_KEY for Pathfinder
+
+Run the following to generate keys for Pathfinder
+
+```bash
+INTERNAL_KEY_BIN=$(openssl rand 32)
+AUTHENTICATION_KEY=$(echo -n "$INTERNAL_KEY_BIN" | base64)
+AUTHENTICATION_KEY_HASH=$(echo -n "$INTERNAL_KEY_BIN" | openssl dgst -binary -sha256 | openssl base64)
+Cyan='\033[0;36m' # Cyan color
+NC='\033[0m' # No Color
+echo "\n- Set in Pathfinder environment:\n AUTHENTICATION_KEY_HASH: $Cyan$AUTHENTICATION_KEY_HASH$NC"
+echo "\n- Clients should pass this Bearer token in the HTTP authorization headers:\n PATHFINDER_BEARER_TOKEN: $Cyan$AUTHENTICATION_KEY$NC\n\n - For example:\n { authorization: Bearer $AUTHENTICATION_KEY }"
+```
+
+### Configure a service to use Pathfinder
+For any call to OpenAI, configure your service to use Pathfinder instead by using `/api/open-ai` instead of the OpenAI base host. Individual endpoints can be appended to this base. For example, `https://api.openai.com/v1/chat/completions` becomes `/api/open-ai/v1/chat/completions`.
+
+If you set `REQUIRE_AUTHENTICATION` to `true` in your env file, you will also need to add an Authentication header to any API calls to Pathfinder. For example,
+
+```javascript
+{
+ headers: {
+ // AUTHENTICATION_KEY is the key output in the Generating Keys section above
+ Authentication: 'Bearer '
+ }
+}
+```
+
+## Deployment examples
+
+**Prerequisite:** A working kubernetes cluster with `alb` ingress controller deployed. LLM Classifer application requires
+Nvidia GPU to run, so please make sure cluster support `nvidia.com/gpu` resource if you planning to deploy LLM Classifier service along with sombra.
+
+### Deploying Sombra with dropping tls at loadbalancer
+
+Follwoing is an example `values.yaml` file for deploying sombra in a EKS cluster.
+Here we exposing sombra `sombra-transcend-ingress` server, for communication with Trancend, with internet facing load balancer
+and sombra internal `sombra-customer-ingress` server, for communication with internal services, with internal load balancer.
+
+```yaml
+imageCredentials:
+ registry: docker.transcend.io
+ username: Transcend
+ password: ''
+
+transcend_service:
+ type: NodePort
+ port: 5042
+ # Annotations to add to the service account
+ annotations: {}
+
+transcend_ingress:
+ enabled: true
+ className: alb
+ annotations:
+ alb.ingress.kubernetes.io/certificate-arn:
+ alb.ingress.kubernetes.io/healthcheck-path: /health
+ alb.ingress.kubernetes.io/healthcheck-port: "5042"
+ alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
+ alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS": 5042}]'
+ alb.ingress.kubernetes.io/scheme: internet-facing
+ alb.ingress.kubernetes.io/subnets:
+ alb.ingress.kubernetes.io/tags: env=dev
+ alb.ingress.kubernetes.io/target-type: ip
+ host: sombra-transcend.my-domain.com
+
+customer_service:
+ type: NodePort
+ port: 5039
+ # Annotations to add to the service account
+ annotations: {}
+
+customer_ingress:
+ enabled: true
+ className: alb
+ annotations:
+ alb.ingress.kubernetes.io/certificate-arn:
+ alb.ingress.kubernetes.io/healthcheck-path: /health
+ alb.ingress.kubernetes.io/healthcheck-port: "5039"
+ alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
+ alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS": 5039}]'
+ alb.ingress.kubernetes.io/scheme: internal
+ alb.ingress.kubernetes.io/subnets:
+ alb.ingress.kubernetes.io/tags: env=dev
+ alb.ingress.kubernetes.io/target-type: ip
+ host: sombra-customer.my-domain.com
+
+envs:
+ - name: ORGANIZATION_URI
+ value: ''
+ - name: EMPLOYEE_AUTHENTICATION_METHODS
+ value: 'transcend,session'
+ - name: DATA_SUBJECT_AUTHENTICATION_METHODS
+ value: 'transcend,session'
+
+envs_as_secret:
+ - name: INTERNAL_KEY_HASH
+ value: ''
+ - name: JWT_ECDSA_KEY
+ value: ''
+ - name: INTERNAL_KEY
+ value: ''
+
+```
+
+### Deploying Sombra with encrypted communication with loadbalancer
+
+Its common to drop tls at load balancer but if you want tls termination at sombra server please follow this example.
+
+```yaml
+imageCredentials:
+ registry: docker.transcend.io
+ username: Transcend
+ password: ''
+
+transcend_service:
+ type: NodePort
+ port: 5043
+ # Annotations to add to the service account
+ annotations: {}
+
+transcend_ingress:
+ enabled: true
+ className: alb
+ annotations:
+ alb.ingress.kubernetes.io/certificate-arn:
+ alb.ingress.kubernetes.io/healthcheck-path: /health
+ alb.ingress.kubernetes.io/healthcheck-port: "5042"
+ alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
+ alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS": 5041}]'
+ alb.ingress.kubernetes.io/scheme: internet-facing
+ alb.ingress.kubernetes.io/subnets:
+ alb.ingress.kubernetes.io/tags: env=dev
+ alb.ingress.kubernetes.io/target-type: ip
+ host: sombra-transcend.my-domain.com
+
+customer_service:
+ type: NodePort
+ port: 5040
+ # Annotations to add to the service account
+ annotations: {}
+
+customer_ingress:
+ enabled: true
+ className: alb
+ annotations:
+ alb.ingress.kubernetes.io/certificate-arn:
+ alb.ingress.kubernetes.io/healthcheck-path: /health
+ alb.ingress.kubernetes.io/healthcheck-port: "5039"
+ alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
+ alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS": 5040}]'
+ alb.ingress.kubernetes.io/scheme: internal
+ alb.ingress.kubernetes.io/subnets:
+ alb.ingress.kubernetes.io/tags: env=dev
+ alb.ingress.kubernetes.io/target-type: ip
+ host: sombra-customer.my-domain.com
+
+envs:
+ - name: ORGANIZATION_URI
+ value: ''
+ - name: EMPLOYEE_AUTHENTICATION_METHODS
+ value: 'transcend,session'
+ - name: DATA_SUBJECT_AUTHENTICATION_METHODS
+ value: 'transcend,session'
+
+envs_as_secret:
+ - name: INTERNAL_KEY_HASH
+ value: ''
+ - name: JWT_ECDSA_KEY
+ value: ''
+ - name: INTERNAL_KEY
+ value: ''
+ - name: SOMBRA_TLS_KEY
+ value:
+ - name: SOMBRA_TLS_KEY_PASSPHRASE
+ value:
+ - name: SOMBRA_TLS_CERT
+ value:
+
+```
+
+### Deploying Sombra with Pathfinder
+
+Follwoing is an example `values.yaml` file for deploying sombra in a EKS cluster.
+Here we exposing sombra `sombra-transcend-ingress` server, for communication with Trancend, with internet facing load balancer
+and sombra internal `sombra-customer-ingress` server and pathfinder, for communication with internal services, with internal load balancers for each.
+
+```yaml
+imageCredentials:
+ registry: docker.transcend.io
+ username: Transcend
+ password: ''
+
+transcend_service:
+ type: NodePort
+ port: 5042
+ # Annotations to add to the service account
+ annotations: {}
+
+transcend_ingress:
+ enabled: true
+ className: alb
+ annotations:
+ alb.ingress.kubernetes.io/certificate-arn:
+ alb.ingress.kubernetes.io/healthcheck-path: /health
+ alb.ingress.kubernetes.io/healthcheck-port: "5042"
+ alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
+ alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS": 5042}]'
+ alb.ingress.kubernetes.io/scheme: internet-facing
+ alb.ingress.kubernetes.io/subnets:
+ alb.ingress.kubernetes.io/tags: env=prod
+ alb.ingress.kubernetes.io/target-type: ip
+ host: sombra-transcend.my-domain.com
+
+customer_service:
+ type: NodePort
+ port: 5039
+ # Annotations to add to the service account
+ annotations: {}
+
+customer_ingress:
+ enabled: true
+ className: alb
+ annotations:
+ alb.ingress.kubernetes.io/certificate-arn:
+ alb.ingress.kubernetes.io/healthcheck-path: /health
+ alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
+ alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS": 5039}, {"HTTPS": 3030}]'
+ alb.ingress.kubernetes.io/scheme: internal
+ alb.ingress.kubernetes.io/subnets:
+ alb.ingress.kubernetes.io/tags: env=prod
+ alb.ingress.kubernetes.io/target-type: ip
+ host: sombra-customer.my-domain.com
+
+envs:
+ - name: ORGANIZATION_URI
+ value: ''
+ - name: EMPLOYEE_AUTHENTICATION_METHODS
+ value: 'transcend,session'
+ - name: DATA_SUBJECT_AUTHENTICATION_METHODS
+ value: 'transcend,session'
+
+envs_as_secret:
+ - name: INTERNAL_KEY_HASH
+ value: ''
+ - name: JWT_ECDSA_KEY
+ value: ''
+ - name: INTERNAL_KEY
+ value: ''
+
+pathfinder:
+ enabled: true
+ envs_as_secret:
+ - name: OPEN_AI_API_KEY
+ value: ''
+ - name: AUTHENTICATION_KEY_HASH
+ value: ''
+ - name: TRANSCEND_API_KEY
+ value: ''
+
+ ingress:
+ enabled: true
+ annotations:
+ alb.ingress.kubernetes.io/certificate-arn:
+ alb.ingress.kubernetes.io/healthcheck-path: /health
+ alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
+ alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS": 3030}]'
+ alb.ingress.kubernetes.io/scheme: internal
+ alb.ingress.kubernetes.io/subnets:
+ alb.ingress.kubernetes.io/tags: env=prod
+ alb.ingress.kubernetes.io/target-type: ip
+ host: pathfinder.my-domain.com
+```
+
+### Deploying Sombra with llm-classifier
+
+Follwoing is an example `values.yaml` file for deploying sombra in a EKS cluster.
+Here we exposing sombra `sombra-transcend-ingress` server, for communication with Trancend, with internet facing load balancer
+and sombra internal `sombra-customer-ingress` server, for communication with internal services, with internal load balancer.
+
+```yaml
+imageCredentials:
+ registry: docker.transcend.io
+ username: Transcend
+ password: ''
+
+transcend_service:
+ type: NodePort
+ port: 5042
+ # Annotations to add to the service account
+ annotations: {}
+
+transcend_ingress:
+ enabled: true
+ className: alb
+ annotations:
+ alb.ingress.kubernetes.io/certificate-arn:
+ alb.ingress.kubernetes.io/healthcheck-path: /health
+ alb.ingress.kubernetes.io/healthcheck-port: "5042"
+ alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
+ alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS": 5042}]'
+ alb.ingress.kubernetes.io/scheme: internet-facing
+ alb.ingress.kubernetes.io/subnets:
+ alb.ingress.kubernetes.io/tags: env=prod
+ alb.ingress.kubernetes.io/target-type: ip
+ host: sombra-transcend.my-domain.com
+
+customer_service:
+ type: NodePort
+ port: 5039
+ # Annotations to add to the service account
+ annotations: {}
+
+customer_ingress:
+ enabled: true
+ className: alb
+ annotations:
+ alb.ingress.kubernetes.io/certificate-arn:
+ alb.ingress.kubernetes.io/healthcheck-path: /health
+ alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
+ alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS": 5039}]'
+ alb.ingress.kubernetes.io/scheme: internal
+ alb.ingress.kubernetes.io/subnets:
+ alb.ingress.kubernetes.io/tags: env=prod
+ alb.ingress.kubernetes.io/target-type: ip
+ host: sombra-customer.my-domain.com
+
+envs:
+ - name: ORGANIZATION_URI
+ value: ''
+ - name: EMPLOYEE_AUTHENTICATION_METHODS
+ value: 'transcend,session'
+ - name: DATA_SUBJECT_AUTHENTICATION_METHODS
+ value: 'transcend,session'
+ - name: LLM_CLASSIFIER_URL
+ value: http://llm-classifier.transcend.svc:6081
+
+envs_as_secret:
+ - name: INTERNAL_KEY_HASH
+ value: ''
+ - name: JWT_ECDSA_KEY
+ value: ''
+ - name: INTERNAL_KEY
+ value: ''
+
+llm-classifier:
+ enabled: true
+```
\ No newline at end of file
diff --git a/deployments/sombra-chart/charts/llm-classifier/.helmignore b/charts/llm-classifier/.helmignore
similarity index 100%
rename from deployments/sombra-chart/charts/llm-classifier/.helmignore
rename to charts/llm-classifier/.helmignore
diff --git a/charts/llm-classifier/Chart.yaml b/charts/llm-classifier/Chart.yaml
new file mode 100644
index 0000000..b3ac3e3
--- /dev/null
+++ b/charts/llm-classifier/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+name: llm-classifier
+description: A Helm chart for deploying LLM Classifier in Kubernetes cluster
+type: application
+version: 0.1.0
+
diff --git a/charts/llm-classifier/templates/NOTES.txt b/charts/llm-classifier/templates/NOTES.txt
new file mode 100644
index 0000000..610d312
--- /dev/null
+++ b/charts/llm-classifier/templates/NOTES.txt
@@ -0,0 +1,8 @@
+{{- if .Values.enabled -}}
+1. Get the application URL by running these commands:
+{{- if contains "ClusterIP" .Values.service.type }}
+ export POD_NAME=$(kubectl get pods --namespace {{ .Values.namespace }} -l "app.kubernetes.io/name={{ include "llm-classifier.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+ export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Values.namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
+ kubectl --namespace {{ .Values.namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
+{{- end }}
+{{- end }}
diff --git a/deployments/sombra-chart/charts/llm-classifier/templates/_helpers.tpl b/charts/llm-classifier/templates/_helpers.tpl
similarity index 100%
rename from deployments/sombra-chart/charts/llm-classifier/templates/_helpers.tpl
rename to charts/llm-classifier/templates/_helpers.tpl
diff --git a/deployments/sombra-chart/charts/llm-classifier/templates/deployment.yaml b/charts/llm-classifier/templates/deployment.yaml similarity index 72% rename from deployments/sombra-chart/charts/llm-classifier/templates/deployment.yaml rename to charts/llm-classifier/templates/deployment.yaml index bf77c12..3a7d4b1 100644 --- a/deployments/sombra-chart/charts/llm-classifier/templates/deployment.yaml +++ b/charts/llm-classifier/templates/deployment.yaml @@ -1,7 +1,9 @@ +{{- if .Values.enabled -}} apiVersion: apps/v1 kind: Deployment metadata: name: {{ include "llm-classifier.fullname" . }} + namespace: {{ .Values.namespace }} labels: {{- include "llm-classifier.labels" . | nindent 4 }} spec: 
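Review bot: The added `namespace: {{ .Values.namespace }}` pins the Deployment to a values-supplied namespace instead of the release namespace, so `helm install -n <ns>` records the release in one namespace while the workload lands in `transcend`, and the install fails outright if that namespace does not exist. `namespace: {{ .Release.Namespace }}` (or `{{ .Values.namespace | default .Release.Namespace }}`) keeps the object where Helm tracks it. The same line is added in this chart's hpa.yaml and service.yaml and in every pathfinder template, so whichever form is chosen should be applied to all of them. Only the metadata block is in this hunk; the pod spec continues in the next one.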
@@ -23,37 +25,29 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} spec: - {{- with .Values.imagePullSecrets }} + {{- with .Values.global.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} - serviceAccountName: {{ include "llm-classifier.serviceAccountName" . }} - securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} containers: - name: {{ .Chart.Name }} - securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} + env: + {{- range $name, $value := .Values.envs }} + - name: {{ $value.name }} + value: {{ $value.value | quote }} + {{- end }} ports: - name: http containerPort: {{ .Values.service.port }} protocol: TCP livenessProbe: {{- toYaml .Values.livenessProbe | nindent 12 }} - readinessProbe: - {{- toYaml .Values.readinessProbe | nindent 12 }} + startupProbe: + {{- toYaml .Values.startupProbe | nindent 12 }} resources: {{- toYaml .Values.resources | nindent 12 }} - {{- with .Values.volumeMounts }} - volumeMounts: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.volumes }} - volumes: - {{- toYaml . | nindent 8 }} - {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} @@ -66,3 +60,4 @@ spec: tolerations: {{- toYaml . | nindent 8 }} {{- end }} +{{- end }} \ No newline at end of file diff --git a/deployments/sombra-chart/charts/llm-classifier/templates/hpa.yaml b/charts/llm-classifier/templates/hpa.yaml similarity index 91% rename from deployments/sombra-chart/charts/llm-classifier/templates/hpa.yaml rename to charts/llm-classifier/templates/hpa.yaml index 305d6e6..75f9b5e 100644 --- a/deployments/sombra-chart/charts/llm-classifier/templates/hpa.yaml +++ b/charts/llm-classifier/templates/hpa.yaml 
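Review bot: The rewritten pod spec removes both `securityContext` blocks and `serviceAccountName` without a replacement, so the llm-classifier container now runs as whatever user the image defaults to, with privilege escalation permitted, and with the namespace's `default` service-account token automounted (the Kubernetes default when `automountServiceAccountToken` is unset). The new values.yaml defines neither `securityContext`, `podSecurityContext` nor `serviceAccount`, so I assume this was simplification rather than an oversight, but a network-reachable inference service should at least carry `automountServiceAccountToken: false` at pod level and a container `securityContext` with `allowPrivilegeEscalation: false`, or keep the `toYaml .Values.securityContext` lines with hardened defaults in values.yaml. Swapping `readinessProbe` for `startupProbe` also leaves the pod with no readiness gating after startup; a comment stating that is intentional would help. The enclosing Deployment starts in the previous hunk.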
@@ -1,8 +1,9 @@ -{{- if .Values.autoscaling.enabled }} +{{- if and .Values.enabled .Values.autoscaling.enabled }} apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: name: {{ include "llm-classifier.fullname" . }} + namespace: {{ .Values.namespace }} labels: {{- include "llm-classifier.labels" . | nindent 4 }} spec: diff --git a/deployments/sombra-chart/charts/llm-classifier/templates/service.yaml b/charts/llm-classifier/templates/service.yaml similarity index 83% rename from deployments/sombra-chart/charts/llm-classifier/templates/service.yaml rename to charts/llm-classifier/templates/service.yaml index f7d784f..3d5a4f9 100644 --- a/deployments/sombra-chart/charts/llm-classifier/templates/service.yaml +++ b/charts/llm-classifier/templates/service.yaml @@ -1,7 +1,9 @@ +{{- if .Values.enabled -}} apiVersion: v1 kind: Service metadata: name: {{ include "llm-classifier.fullname" . }} + namespace: {{ .Values.namespace }} labels: {{- include "llm-classifier.labels" . | nindent 4 }} spec: @@ -13,3 +15,4 @@ spec: name: http selector: {{- include "llm-classifier.selectorLabels" . | nindent 4 }} +{{- end }} \ No newline at end of file diff --git a/charts/llm-classifier/values.yaml b/charts/llm-classifier/values.yaml new file mode 100644 index 0000000..50b2bfc --- /dev/null +++ b/charts/llm-classifier/values.yaml 
@@ -0,0 +1,83 @@
+# Default values for sombra-chart.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+# Namespace in which resources will be deployed
+enabled: false
+namespace: transcend
+# Number of instances of Datadog Operator
+replicaCount: 1
+# Set it to `true` to deploy llm-classifier resources.
+enabled: false
+
+image:
+ # Repository to use for llm-classifier image
+ repository: docker.transcend.io/llm-classifier
+ # Define the pullPolicy for llm-classifier image
+ pullPolicy: IfNotPresent
+ # llm-classifer version to deploy
+ tag: "v1.0.0"
+
+# Override name of app
+nameOverride: ""
+# Override the full qualified app name
+fullnameOverride: ""
+
+# Define annotations for sombra pod
+podAnnotations: {}
+# Define lables for sombra pod
+podLabels: {}
+
+# Define llm-classifier networking
+service:
+ type: ClusterIP
+ port: 6081
+
+envs:
+ - name: LLM_SERVER_PORT
+ value: '6081'
+ - name: LLM_SERVER_CONCURRENCY
+ value: '2'
+ - name: LLM_SERVER_TIMEOUT
+ value: '120'
+
+# Define resources as per required throughput
+# Make sure cluster support `nvidia.com/gpu`
+resources:
+ limits:
+ memory: 8Gi
+ nvidia.com/gpu: '1'
+
+livenessProbe:
+ httpGet:
+ path: /health/ping
+ port: 6081
+ scheme: HTTP
+ timeoutSeconds: 30
+ periodSeconds: 10
+ successThreshold: 1
+ failureThreshold: 10
+
+startupProbe:
+ httpGet:
+ path: /health/ping
+ port: 6081
+ scheme: HTTP
+ timeoutSeconds: 30
+ periodSeconds: 20
+ successThreshold: 1
+ failureThreshold: 10
+
+# Enable to use horizontal pod autoscaling based of metrics
+autoscaling:
+ enabled: false
+ minReplicas: 1
+ maxReplicas: 5
+ targetCPUUtilizationPercentage: 80
+ targetMemoryUtilizationPercentage: 80
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
diff --git a/charts/pathfinder/.helmignore b/charts/pathfinder/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/charts/pathfinder/.helmignore
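Review bot: `enabled: false` is declared twice in the new values.yaml (line 6 and again at line 11); yamllint reports this as `key-duplicates` and most parsers silently keep the last one, so the first occurrence should be deleted. The comment `# Namespace in which resources will be deployed` then sits above that stray key rather than above `namespace: transcend`, and `# Number of instances of Datadog Operator` is a copy-paste leftover that should read `# Number of llm-classifier replicas`. `resources` sets only `limits`, which Kubernetes also uses as `requests` when none are given, so every replica reserves 8Gi and one GPU at scheduling time; a one-line comment saying so would save the next operator a surprise.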
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/pathfinder/Chart.yaml b/charts/pathfinder/Chart.yaml
new file mode 100644
index 0000000..de38c5f
--- /dev/null
+++ b/charts/pathfinder/Chart.yaml
@@ -0,0 +1,5 @@
+apiVersion: v2
+name: pathfinder
+description: A Helm chart to deploy Pathfinder in Kubernetes cluster
+type: application
+version: 0.1.0
diff --git a/charts/pathfinder/templates/NOTES.txt b/charts/pathfinder/templates/NOTES.txt
new file mode 100644
index 0000000..da48945
--- /dev/null
+++ b/charts/pathfinder/templates/NOTES.txt
@@ -0,0 +1,8 @@
+{{- if .Values.enabled -}}
+1. Get the application URL by running these commands:
+{{- if contains "ClusterIP" .Values.service.type }}
+ export POD_NAME=$(kubectl get pods --namespace {{ .Values.namespace }} -l "app.kubernetes.io/name={{ include "pathfinder.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+ export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Values.namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
+ kubectl --namespace {{ .Values.namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
+{{- end }}
+{{- end }}
diff --git a/charts/pathfinder/templates/_helpers.tpl b/charts/pathfinder/templates/_helpers.tpl
new file mode 100644
index 0000000..96ebbe2
--- /dev/null
+++ b/charts/pathfinder/templates/_helpers.tpl
@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "pathfinder.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "pathfinder.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "pathfinder.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "pathfinder.labels" -}}
+helm.sh/chart: {{ include "pathfinder.chart" . }}
+{{ include "pathfinder.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "pathfinder.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "pathfinder.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "pathfinder.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "pathfinder.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
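Review bot: `pathfinder.serviceAccountName` dereferences `.Values.serviceAccount.create` and `.Values.serviceAccount.name`, but the pathfinder values.yaml in this commit defines no `serviceAccount` map and none of the new templates include the helper, so it is dead code that would fail with a nil-pointer error the first time someone calls it. Either drop the definition or add `serviceAccount: {create: false, name: ""}` to values.yaml so the helper is safe to use. A short header comment on each helper saying which templates use it would make such gaps visible.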
diff --git a/charts/pathfinder/templates/configmap.yaml b/charts/pathfinder/templates/configmap.yaml
new file mode 100644
index 0000000..a6771b7
--- /dev/null
+++ b/charts/pathfinder/templates/configmap.yaml
@@ -0,0 +1,9 @@
+{{- if and .Values.enabled .Values.proxyPolicy.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .Release.Name }}-policy-config
+ namespace: {{ .Values.namespace }}
+data: |
+ 'pathfinder.yml': {{ .Values.proxyPolicy.policy }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/pathfinder/templates/deployment.yaml b/charts/pathfinder/templates/deployment.yaml
new file mode 100644
index 0000000..68a294c
--- /dev/null
+++ b/charts/pathfinder/templates/deployment.yaml
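Review bot: `data: |` turns the entire `data` field into one block-scalar string, so the rendered ConfigMap is rejected by the API server (`data` must be a map of strings), and `{{ .Values.proxyPolicy.policy }}` prints a Go map (`map[...]`) rather than YAML. The three lines should be `data:` / `  pathfinder.yml: |` / `    {{- toYaml .Values.proxyPolicy.policy | nindent 4 }}`. Whatever key name is chosen has to match the `subPath` the deployment mounts; deployment.yaml currently uses `pathfinder.yaml` while the env var it sets points at `pathfinder.yml`.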
@@ -0,0 +1,92 @@
+{{- if .Values.enabled -}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "pathfinder.fullname" . }}
+ namespace: {{ .Values.namespace }}
+ labels:
+ {{- include "pathfinder.labels" . | nindent 4 }}
+spec:
+ {{- if not .Values.autoscaling.enabled }}
+ replicas: {{ .Values.replicaCount }}
+ {{- end }}
+ selector:
+ matchLabels:
+ {{- include "pathfinder.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "pathfinder.labels" . | nindent 8 }}
+ {{- with .Values.podLabels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- with .Values.global.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ containers:
+ - name: {{ .Chart.Name }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ env:
+ - name: RUN_DATADOG_APM
+ value: 'false'
+ - name: DEPLOY_ENV
+ value: prod
+ - name: PATHFINDER_NAME
+ value: 'pathfinder-service'
+ {{- range $name, $value := .Values.envs_as_secret }}
+ - name: {{ $value.name }}
+ valueFrom:
+ secretKeyRef:
+ name: pathfinder-secrets
+ key: {{ $value.name }}
+ {{- end }}
+ {{- if .Values.proxyPolicy.enabled }}
+ - name: PATHFINDER_POLICY_PATH
+ value: '/etc/pathfinder/pathfinder.yml'
+ {{- end }}
+ {{- range $name, $value := .Values.envs }}
+ - name: {{ $value.name }}
+ value: {{ $value.value | quote }}
+ {{- end }}
+ ports:
+ - name: http
+ containerPort: {{ .Values.service.port }}
+ protocol: TCP
+ livenessProbe:
+ {{- toYaml .Values.livenessProbe | nindent 12 }}
+ readinessProbe:
+ {{- toYaml .Values.readinessProbe | nindent 12 }}
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ {{- if .Values.proxyPolicy.enabled }}
+ volumeMounts:
+ - name: policy-config-volume
+ mountPath: /etc/pathfinder/pathfinder.yaml
+ subPath: pathfinder.yaml
+ {{- end }}
+ {{- if .Values.proxyPolicy.enabled }}
+ volumes:
+ - name: policy-config-volume
+ configMap:
+ name: {{ .Release.Name }}-policy-config
+ {{- end }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/pathfinder/templates/hpa.yaml b/charts/pathfinder/templates/hpa.yaml
new file mode 100644
index 0000000..0be0ba0
--- /dev/null
+++ b/charts/pathfinder/templates/hpa.yaml
@@ -0,0 +1,33 @@
+{{- if and .Values.enabled .Values.autoscaling.enabled }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ include "pathfinder.fullname" . }}
+ namespace: {{ .Values.namespace }}
+ labels:
+ {{- include "pathfinder.labels" . | nindent 4 }}
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ include "pathfinder.fullname" . }}
+ minReplicas: {{ .Values.autoscaling.minReplicas }}
+ maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+ metrics:
+ {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: cpu
+ target:
+ type: Utilization
+ averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+ {{- end }}
+ {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: memory
+ target:
+ type: Utilization
+ averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+ {{- end }}
+{{- end }}
diff --git a/charts/pathfinder/templates/ingress.yaml b/charts/pathfinder/templates/ingress.yaml
new file mode 100644
index 0000000..a8e7493
--- /dev/null
+++ b/charts/pathfinder/templates/ingress.yaml
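Review bot: The policy file can never reach the process: the volume mount uses `subPath: pathfinder.yaml` at `/etc/pathfinder/pathfinder.yaml`, but the ConfigMap key is `pathfinder.yml` and `PATHFINDER_POLICY_PATH` is set to `/etc/pathfinder/pathfinder.yml`, so the subPath does not exist in the ConfigMap and the env path points at nothing. Make all three agree, e.g. `mountPath: /etc/pathfinder/pathfinder.yml` and `subPath: pathfinder.yml`. This pod is also handed `OPEN_AI_API_KEY` and `TRANSCEND_API_KEY` yet sets no `securityContext` and leaves the default service-account token automounted; `automountServiceAccountToken: false` at pod level plus a container `securityContext` with `allowPrivilegeEscalation: false` would limit what a compromised proxy can reach. `DEPLOY_ENV: prod` and `RUN_DATADOG_APM` are hardcoded in the template while everything else comes from the `envs` loop below them; moving them into values.yaml keeps one source of truth.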
@@ -0,0 +1,28 @@
+{{- if and .Values.enabled .Values.ingress.enabled -}}
+{{- $fullIngressName := "pathfinder-ingress" -}}
+{{- $ingressPort := .Values.service.port -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ $fullIngressName }}
+ namespace: {{ .Values.namespace }}
+ labels:
+ {{- include "pathfinder.labels" . | nindent 4 }}
+ {{- with .Values.ingress.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ ingressClassName: {{ .Values.ingress.className }}
+ rules:
+ - host: {{ .Values.ingress.host | quote }}
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: {{ $fullIngressName }}
+ port:
+ number: {{ $ingressPort }}
+{{- end }}
diff --git a/charts/pathfinder/templates/secrets.yaml b/charts/pathfinder/templates/secrets.yaml
new file mode 100644
index 0000000..24ff27a
--- /dev/null
+++ b/charts/pathfinder/templates/secrets.yaml
@@ -0,0 +1,13 @@
+{{- $envs_as_secret_len := len .Values.envs_as_secret }}
+{{- if and .Values.enabled . (gt $envs_as_secret_len 0) -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: {{ .Values.namespace }}
+ name: pathfinder-secrets
+type: Opaque
+data:
+ {{- range $name, $value := .Values.envs_as_secret }}
+ {{ $value.name }}: {{ $value.value | b64enc | quote }}
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/pathfinder/templates/service.yaml b/charts/pathfinder/templates/service.yaml
new file mode 100644
index 0000000..c68c888
--- /dev/null
+++ b/charts/pathfinder/templates/service.yaml
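Review bot: The Ingress backend points at a Service that is never created: `$fullIngressName` is the literal `"pathfinder-ingress"` and is reused as `backend.service.name`, but service.yaml names the Service `{{ include "pathfinder.fullname" . }}`, so the ALB target group resolves no endpoints and every request to the host fails. The backend should be `name: {{ include "pathfinder.fullname" . }}`; the literal is fine for the Ingress object's own `metadata.name`. A comment above the `$fullIngressName` assignment stating that it names the Ingress only, not the Service, would stop the two from being conflated again.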
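Review bot: `{{ $value.value | b64enc | quote }}` aborts rendering when a value is left at the values.yaml default of `null`, because `b64enc` expects a string and, as far as I can tell, a nil input raises a template error rather than producing an empty entry; enabling pathfinder without overriding all three keys therefore fails with an opaque message. `{{ required (printf "envs_as_secret value for %s must be set" $value.name) $value.value | b64enc | quote }}` names the missing key instead. The bare `.` in `and .Values.enabled . (gt $envs_as_secret_len 0)` is the root context and is always truthy, so it can be dropped. Values supplied this way are also stored in plaintext in the Helm release record and shown by `helm get values`; an `existingSecret` option that lets operators reference a Secret created out of band would keep key material out of values files.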
@@ -0,0 +1,18 @@
+{{- if .Values.enabled -}}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "pathfinder.fullname" . }}
+ namespace: {{ .Values.namespace }}
+ labels:
+ {{- include "pathfinder.labels" . | nindent 4 }}
+spec:
+ type: {{ .Values.service.type }}
+ ports:
+ - port: {{ .Values.service.port }}
+ targetPort: http
+ protocol: TCP
+ name: http
+ selector:
+ {{- include "pathfinder.selectorLabels" . | nindent 4 }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/pathfinder/values.yaml b/charts/pathfinder/values.yaml
new file mode 100644
index 0000000..e5d5a08
--- /dev/null
+++ b/charts/pathfinder/values.yaml
@@ -0,0 +1,95 @@
+# Default values for pathfinder chart.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+# Namespace in which resources will be deployed
+namespace: transcend
+# Number of instances of Datadog Operator
+replicaCount: 1
+# Set it to `true` to deploy Pathfinder resources
+enabled: false
+
+image:
+ # Repository to use for Sombra image
+ repository: docker.transcend.io/pathfinder
+ # Define the pullPolicy for Sombra image
+ pullPolicy: IfNotPresent
+ # Sombra version to deploy
+ tag: "v0.12.56"
+
+# Override name of app
+nameOverride: ""
+# Override the full qualified app name
+fullnameOverride: ""
+
+# Define annotations for sombra pod
+podAnnotations: {}
+# Define lables for sombra pod
+podLabels: {}
+
+# Define Pathfinder networking
+service:
+ type: ClusterIP
+ port: 3030
+
+ingress:
+ enabled: false
+ className: "nginx"
+ annotations: {}
+ host: pathfinder.my-domain.com
+
+# Define resources as per required throughput
+resources: {}
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+livenessProbe:
+ httpGet:
+ path: /health
+ port: 3030
+ scheme: HTTP
+readinessProbe:
+ httpGet:
+ path: /health
+ port: 3030
+ scheme: HTTP
+
+# These environment variables are required and saved as secrets
+envs_as_secret:
+ - name: AUTHENTICATION_KEY_HASH
+ value: null
+ - name: OPEN_AI_API_KEY
+ value: null
+ - name: TRANSCEND_API_KEY
+ value: null
+
+envs:
+ - name: PORT
+ value: '3030'
+ - name: REQUIRE_AUTHENTICATION
+ value: 'true'
+
+# Enable to use horizontal pod autoscaling based of metrics
+autoscaling:
+ enabled: false
+ minReplicas: 1
+ maxReplicas: 5
+ targetCPUUtilizationPercentage: 80
+ targetMemoryUtilizationPercentage: 80
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
+# Define Policies for the Transcend Pathfinder AI governance proxy
+proxyPolicy:
+ enabled: false
+ policy: {}
+ # define your poicy here in uaml format
+
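Review bot: Several comments in this values.yaml are copied from the Sombra chart and describe the wrong component — `# Repository to use for Sombra image`, `# Define the pullPolicy for Sombra image`, `# Sombra version to deploy`, `# Number of instances of Datadog Operator`, `# Define annotations for sombra pod`, `# Define lables for sombra pod` — and should name pathfinder. `ingress.className` defaults to `"nginx"` while the README example for pathfinder sets only `alb.ingress.kubernetes.io/*` annotations and no `className`, so that example renders `ingressClassName: nginx` alongside ALB annotations; defaulting to `alb` or leaving the value empty and documenting it would match the examples. The closing comment should read `# define your policy here in YAML format`, and `REQUIRE_AUTHENTICATION: 'true'` deserves a note that callers must then send the `Authentication` header the README describes.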
diff --git a/deployments/sombra-chart/Chart.yaml b/deployments/sombra-chart/Chart.yaml
deleted file mode 100644
index b6575ed..0000000
--- a/deployments/sombra-chart/Chart.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: v2
-name: sombra-chart
-description: A Helm chart for Kubernetes
-
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
-type: application
-
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
-
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application. Versions are not expected to
-# follow Semantic Versioning. They should reflect the version the application is using.
-# It is recommended to use it with quotes.
-appVersion: "1.16.0"
diff --git a/deployments/sombra-chart/charts/llm-classifier/Chart.yaml b/deployments/sombra-chart/charts/llm-classifier/Chart.yaml
deleted file mode 100644
index 548ca3a..0000000
--- a/deployments/sombra-chart/charts/llm-classifier/Chart.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: v2
-name: llm-classifier
-description: A Helm chart for Kubernetes
-
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
-type: application
-
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
-
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application. Versions are not expected to
-# follow Semantic Versioning. They should reflect the version the application is using.
-# It is recommended to use it with quotes.
-appVersion: "1.16.0"
diff --git a/deployments/sombra-chart/charts/llm-classifier/templates/NOTES.txt b/deployments/sombra-chart/charts/llm-classifier/templates/NOTES.txt
deleted file mode 100644
index d09d808..0000000
--- a/deployments/sombra-chart/charts/llm-classifier/templates/NOTES.txt
+++ /dev/null
@@ -1,22 +0,0 @@
-1. Get the application URL by running these commands:
-{{- if .Values.ingress.enabled }}
-{{- range $host := .Values.ingress.hosts }}
- {{- range .paths }}
- http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
- {{- end }}
-{{- end }}
-{{- else if contains "NodePort" .Values.service.type }}
- export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "llm-classifier.fullname" . }})
- export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
- echo http://$NODE_IP:$NODE_PORT
-{{- else if contains "LoadBalancer" .Values.service.type }}
- NOTE: It may take a few minutes for the LoadBalancer IP to be available.
- You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "llm-classifier.fullname" . }}'
- export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "llm-classifier.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
- echo http://$SERVICE_IP:{{ .Values.service.port }}
-{{- else if contains "ClusterIP" .Values.service.type }}
- export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "llm-classifier.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
- export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
- echo "Visit http://127.0.0.1:8080 to use your application"
- kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
-{{- end }}
diff --git a/deployments/sombra-chart/charts/llm-classifier/templates/ingress.yaml b/deployments/sombra-chart/charts/llm-classifier/templates/ingress.yaml
deleted file mode 100644
index 89fc7d3..0000000
--- a/deployments/sombra-chart/charts/llm-classifier/templates/ingress.yaml +++ /dev/null @@ -1,61 +0,0 @@ -{{- if .Values.ingress.enabled -}} -{{- $fullName := include "llm-classifier.fullname" . -}} -{{- $svcPort := .Values.service.port -}} -{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }} - {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }} - {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}} - {{- end }} -{{- end }} -{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}} -apiVersion: networking.k8s.io/v1 -{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} -apiVersion: networking.k8s.io/v1beta1 -{{- else -}} -apiVersion: extensions/v1beta1 -{{- end }} -kind: Ingress -metadata: - name: {{ $fullName }} - labels: - {{- include "llm-classifier.labels" . | nindent 4 }} - {{- with .Values.ingress.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} - ingressClassName: {{ .Values.ingress.className }} - {{- end }} - {{- if .Values.ingress.tls }} - tls: - {{- range .Values.ingress.tls }} - - hosts: - {{- range .hosts }} - - {{ . | quote }} - {{- end }} - secretName: {{ .secretName }} - {{- end }} - {{- end }} - rules: - {{- range .Values.ingress.hosts }} - - host: {{ .host | quote }} - http: - paths: - {{- range .paths }} - - path: {{ .path }} - {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }} - pathType: {{ .pathType }} - {{- end }} - backend: - {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} - service: - name: {{ $fullName }} - port: - number: {{ $svcPort }} - {{- else }} - serviceName: {{ $fullName }} - servicePort: {{ $svcPort }} - {{- end }} - {{- end }} - {{- end }} -{{- end }} 
diff --git a/deployments/sombra-chart/charts/llm-classifier/templates/serviceaccount.yaml b/deployments/sombra-chart/charts/llm-classifier/templates/serviceaccount.yaml deleted file mode 100644 index db7a4ae..0000000 --- a/deployments/sombra-chart/charts/llm-classifier/templates/serviceaccount.yaml +++ /dev/null @@ -1,13 +0,0 @@ -{{- if .Values.serviceAccount.create -}} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "llm-classifier.serviceAccountName" . }} - labels: - {{- include "llm-classifier.labels" . | nindent 4 }} - {{- with .Values.serviceAccount.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -automountServiceAccountToken: {{ .Values.serviceAccount.automount }} -{{- end }} diff --git a/deployments/sombra-chart/charts/llm-classifier/templates/tests/test-connection.yaml b/deployments/sombra-chart/charts/llm-classifier/templates/tests/test-connection.yaml deleted file mode 100644 index b3dfffa..0000000 --- a/deployments/sombra-chart/charts/llm-classifier/templates/tests/test-connection.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: "{{ include "llm-classifier.fullname" . }}-test-connection" - labels: - {{- include "llm-classifier.labels" . | nindent 4 }} - annotations: - "helm.sh/hook": test -spec: - containers: - - name: wget - image: busybox - command: ['wget'] - args: ['{{ include "llm-classifier.fullname" . }}:{{ .Values.service.port }}'] - restartPolicy: Never diff --git a/deployments/sombra-chart/charts/llm-classifier/values.yaml b/deployments/sombra-chart/charts/llm-classifier/values.yaml deleted file mode 100644 index 683e5db..0000000 --- a/deployments/sombra-chart/charts/llm-classifier/values.yaml +++ /dev/null 
@@ -1,84 +0,0 @@
-# Default values for llm-classifier.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
-
-replicaCount: 1
-
-image:
- repository: docker.trancend.io/llm-classifier
- pullPolicy: IfNotPresent
- tag: "v.1.0.0"
-
-imagePullSecrets: []
-nameOverride: ""
-fullnameOverride: ""
-
-podAnnotations: {}
-podLabels: {}
-
-service:
- type: ClusterIP
- port: 6081
-
-ingress:
- enabled: false
- className: ""
- annotations: {}
- # kubernetes.io/ingress.class: nginx
- # kubernetes.io/tls-acme: "true"
- hosts:
- - host: chart-example.local
- paths:
- - path: /
- pathType: ImplementationSpecific
- tls: []
- # - secretName: chart-example-tls
- # hosts:
- # - chart-example.local
-
-resources: {}
- # We usually recommend not to specify default resources and to leave this as a conscious
- # choice for the user. This also increases chances charts run on environments with little
- # resources, such as Minikube. If you do want to specify resources, uncomment the following
- # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
- # limits:
- # cpu: 100m
- # memory: 128Mi
- # requests:
- # cpu: 100m
- # memory: 128Mi
-
-livenessProbe:
- httpGet:
- path: /
- port: http
-readinessProbe:
- httpGet:
- path: /
- port: http
-
-autoscaling:
- enabled: false
- minReplicas: 1
- maxReplicas: 100
- targetCPUUtilizationPercentage: 80
- # targetMemoryUtilizationPercentage: 80
-
-# Additional volumes on the output Deployment definition.
-volumes: []
-# - name: foo
-# secret:
-# secretName: mysecret
-# optional: false
-
-# Additional volumeMounts on the output Deployment definition.
-volumeMounts: []
-# - name: foo
-# mountPath: "/etc/foo"
-# readOnly: true
-
-nodeSelector: {}
-
-tolerations: []
-
-affinity: {}
diff --git a/deployments/sombra-chart/templates/NOTES.txt b/deployments/sombra-chart/templates/NOTES.txt
deleted file mode 100644
index 1d7bde6..0000000
--- a/deployments/sombra-chart/templates/NOTES.txt
+++ /dev/null
@@ -1,22 +0,0 @@
-1. Get the application URL by running these commands:
-{{- if .Values.ingress.enabled }}
-{{- range $host := .Values.ingress.hosts }}
- {{- range .paths }}
- http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
- {{- end }}
-{{- end }}
-{{- else if contains "NodePort" .Values.service.type }}
- export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "sombra-chart.fullname" . }})
- export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
- echo http://$NODE_IP:$NODE_PORT
-{{- else if contains "LoadBalancer" .Values.service.type }}
- NOTE: It may take a few minutes for the LoadBalancer IP to be available.
- You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "sombra-chart.fullname" . }}'
- export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "sombra-chart.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
- echo http://$SERVICE_IP:{{ .Values.service.port }}
-{{- else if contains "ClusterIP" .Values.service.type }}
- export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "sombra-chart.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
- export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
- echo "Visit http://127.0.0.1:8080 to use your application"
- kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
-{{- end }}
diff --git a/deployments/sombra-chart/templates/ingress.yaml b/deployments/sombra-chart/templates/ingress.yaml
deleted file mode 100644
index b3d2fae..0000000
--- a/deployments/sombra-chart/templates/ingress.yaml
+++ /dev/null
@@ -1,61 +0,0 @@
-{{- if .Values.ingress.enabled -}}
-{{- $fullName := include "sombra-chart.fullname" . -}}
-{{- $svcPort := .Values.service.port -}}
-{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
- {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
- {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
- {{- end }}
-{{- end }}
-{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
-apiVersion: networking.k8s.io/v1
-{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
-apiVersion: networking.k8s.io/v1beta1
-{{- else -}}
-apiVersion: extensions/v1beta1
-{{- end }}
-kind: Ingress
-metadata:
- name: {{ $fullName }}
- labels:
- {{- include "sombra-chart.labels" . | nindent 4 }}
- {{- with .Values.ingress.annotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
-spec:
- {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
- ingressClassName: {{ .Values.ingress.className }}
- {{- end }}
- {{- if .Values.ingress.tls }}
- tls:
- {{- range .Values.ingress.tls }}
- - hosts:
- {{- range .hosts }}
- - {{ . | quote }}
- {{- end }}
- secretName: {{ .secretName }}
- {{- end }}
- {{- end }}
- rules:
- {{- range .Values.ingress.hosts }}
- - host: {{ .host | quote }}
- http:
- paths:
- {{- range .paths }}
- - path: {{ .path }}
- {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
- pathType: {{ .pathType }}
- {{- end }}
- backend:
- {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
- service:
- name: {{ $fullName }}
- port:
- number: {{ $svcPort }}
- {{- else }}
- serviceName: {{ $fullName }}
- servicePort: {{ $svcPort }}
- {{- end }}
- {{- end }}
- {{- end }}
-{{- end }}
diff --git a/deployments/sombra-chart/templates/service.yaml b/deployments/sombra-chart/templates/service.yaml
deleted file mode 100644
index 1da058a..0000000
--- a/deployments/sombra-chart/templates/service.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ include "sombra-chart.fullname" . }}
- labels:
- {{- include "sombra-chart.labels" . | nindent 4 }}
-spec:
- type: {{ .Values.service.type }}
- ports:
- - port: {{ .Values.service.port }}
- targetPort: http
- protocol: TCP
- name: http
- selector:
- {{- include "sombra-chart.selectorLabels" . | nindent 4 }}
diff --git a/deployments/sombra-chart/templates/serviceaccount.yaml b/deployments/sombra-chart/templates/serviceaccount.yaml
deleted file mode 100644
index 04189e7..0000000
--- a/deployments/sombra-chart/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-{{- if .Values.serviceAccount.create -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ include "sombra-chart.serviceAccountName" . }}
- labels:
- {{- include "sombra-chart.labels" . | nindent 4 }}
- {{- with .Values.serviceAccount.annotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
-automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
-{{- end }}
diff --git a/deployments/sombra-chart/templates/tests/test-connection.yaml b/deployments/sombra-chart/templates/tests/test-connection.yaml
deleted file mode 100644
index e33c1e0..0000000
--- a/deployments/sombra-chart/templates/tests/test-connection.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: "{{ include "sombra-chart.fullname" . }}-test-connection"
- labels:
- {{- include "sombra-chart.labels" . | nindent 4 }}
- annotations:
- "helm.sh/hook": test
-spec:
- containers:
- - name: wget
- image: busybox
- command: ['wget']
- args: ['{{ include "sombra-chart.fullname" . }}:{{ .Values.service.port }}']
- restartPolicy: Never
diff --git a/deployments/sombra-chart/values.yaml b/deployments/sombra-chart/values.yaml
deleted file mode 100644
index cc7c71e..0000000
--- a/deployments/sombra-chart/values.yaml
+++ /dev/null
@@ -1,107 +0,0 @@
-# Default values for sombra-chart.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
-
-replicaCount: 1
-
-image:
- repository: nginx
- pullPolicy: IfNotPresent
- # Overrides the image tag whose default is the chart appVersion.
- tag: ""
-
-imagePullSecrets: []
-nameOverride: ""
-fullnameOverride: ""
-
-serviceAccount:
- # Specifies whether a service account should be created
- create: true
- # Automatically mount a ServiceAccount's API credentials?
- automount: true
- # Annotations to add to the service account
- annotations: {}
- # The name of the service account to use.
- # If not set and create is true, a name is generated using the fullname template
- name: ""
-
-podAnnotations: {}
-podLabels: {}
-
-podSecurityContext: {}
- # fsGroup: 2000
-
-securityContext: {}
- # capabilities:
- # drop:
- # - ALL
- # readOnlyRootFilesystem: true
- # runAsNonRoot: true
- # runAsUser: 1000
-
-service:
- type: ClusterIP
- port: 80
-
-ingress:
- enabled: false
- className: ""
- annotations: {}
- # kubernetes.io/ingress.class: nginx
- # kubernetes.io/tls-acme: "true"
- hosts:
- - host: chart-example.local
- paths:
- - path: /
- pathType: ImplementationSpecific
- tls: []
- # - secretName: chart-example-tls
- # hosts:
- # - chart-example.local
-
-resources: {}
- # We usually recommend not to specify default resources and to leave this as a conscious
- # choice for the user. This also increases chances charts run on environments with little
- # resources, such as Minikube. If you do want to specify resources, uncomment the following
- # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
- # limits:
- # cpu: 100m
- # memory: 128Mi
- # requests:
- # cpu: 100m
- # memory: 128Mi
-
-livenessProbe:
- httpGet:
- path: /
- port: http
-readinessProbe:
- httpGet:
- path: /
- port: http
-
-autoscaling:
- enabled: false
- minReplicas: 1
- maxReplicas: 100
- targetCPUUtilizationPercentage: 80
- # targetMemoryUtilizationPercentage: 80
-
-# Additional volumes on the output Deployment definition.
-volumes: []
-# - name: foo
-# secret:
-# secretName: mysecret
-# optional: false
-
-# Additional volumeMounts on the output Deployment definition.
-volumeMounts: []
-# - name: foo
-# mountPath: "/etc/foo"
-# readOnly: true
-
-nodeSelector: {}
-
-tolerations: []
-
-affinity: {}
diff --git a/robots.txt b/robots.txt
new file mode 100644
index 0000000..c6742d8
--- /dev/null
+++ b/robots.txt
@@ -0,0 +1,2 @@
+User-Agent: *
+Disallow: /
diff --git a/templates/NOTES.txt b/templates/NOTES.txt
new file mode 100644
index 0000000..d9e0e20
--- /dev/null
+++ b/templates/NOTES.txt
@@ -0,0 +1,35 @@
+1. Get the Sombra transcend ingress URL by running these commands:
+{{- if .Values.transcend_ingress.enabled }}
+ http{{ if $.Values.transcend_ingress.tls }}s{{ end }}://{{ .Values.transcend_ingress.host }}
+{{- else if contains "NodePort" .Values.transcend_service.type }}
+ export NODE_PORT=$(kubectl get --namespace {{ .Values.namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "sombra-chart.fullname" . }})
+ export NODE_IP=$(kubectl get nodes --namespace {{ .Values.namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+ echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.transcend_service.type }}
+ NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+ You can watch the status of by running 'kubectl get --namespace {{ .Values.namespace }} svc -w {{ include "sombra-chart.fullname" . }}'
+ export SERVICE_IP=$(kubectl get svc --namespace {{ .Values.namespace }} {{ include "sombra-chart.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+ echo http://$SERVICE_IP:{{ .Values.transcend_service.port }}
+{{- else if contains "ClusterIP" .Values.transcend_service.type }}
+ export POD_NAME=$(kubectl get pods --namespace {{ .Values.namespace }} -l "app.kubernetes.io/name={{ include "sombra-chart.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+ export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Values.namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
+ kubectl --namespace {{ .Values.namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
+{{- end }}
+
+2.
Get the Sombra customer ingress URL by running these commands:
+{{- if .Values.customer_ingress.enabled }}
+ http{{ if $.Values.customer_ingress.tls }}s{{ end }}://{{ .Values.customer_ingress.host }}
+{{- else if contains "NodePort" .Values.customer_service.type }}
+ export NODE_PORT=$(kubectl get --namespace {{ .Values.namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "sombra-chart.fullname" . }})
+ export NODE_IP=$(kubectl get nodes --namespace {{ .Values.namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+ echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.customer_service.type }}
+ NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+ You can watch the status of by running 'kubectl get --namespace {{ .Values.namespace }} svc -w {{ include "sombra-chart.fullname" . }}'
+ export SERVICE_IP=$(kubectl get svc --namespace {{ .Values.namespace }} {{ include "sombra-chart.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+ echo http://$SERVICE_IP:{{ .Values.customer_service.port }}
+{{- else if contains "ClusterIP" .Values.customer_service.type }}
+ export POD_NAME=$(kubectl get pods --namespace {{ .Values.namespace }} -l "app.kubernetes.io/name={{ include "sombra-chart.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+ export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Values.namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
+ kubectl --namespace {{ .Values.namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
+{{- end }}
diff --git a/deployments/sombra-chart/templates/_helpers.tpl b/templates/_helpers.tpl
similarity index 100%
rename from deployments/sombra-chart/templates/_helpers.tpl
rename to templates/_helpers.tpl
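Review bot: The NodePort, LoadBalancer and ClusterIP branches query a Service named `{{ include "sombra-chart.fullname" . }}`, but service.yaml in this commit creates `<fullname>-transcend-service` and `<fullname>-customer-service`, so the printed `kubectl get svc` commands refer to an object that does not exist; the customer half of the notes repeats the same name. The `https` prefix is driven by `$.Values.transcend_ingress.tls` / `$.Values.customer_ingress.tls`, which values.yaml does not define and ingress.yaml never renders, so the notes always print `http://` even where the operator has attached a certificate to the ingress. Either add a `tls` value that ingress.yaml consumes, or print the scheme from the same source the ingress uses.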
diff --git a/deployments/sombra-chart/templates/deployment.yaml b/templates/deployment.yaml
similarity index 62%
rename from deployments/sombra-chart/templates/deployment.yaml
rename to templates/deployment.yaml
index 5174780..8849c54 100644
--- a/deployments/sombra-chart/templates/deployment.yaml
+++ b/templates/deployment.yaml
@@ -1,7 +1,9 @@
+{{- $envs_as_secret_len := len .Values.envs_as_secret }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
 name: {{ include "sombra-chart.fullname" . }}
+ namespace: {{ .Values.namespace }}
 labels:
 {{- include "sombra-chart.labels" . | nindent 4 }}
 spec:
@@ -23,22 +25,36 @@ spec:
 {{- toYaml . | nindent 8 }}
 {{- end }}
 spec:
- {{- with .Values.imagePullSecrets }}
+ {{- with .Values.global.imagePullSecrets }}
 imagePullSecrets:
 {{- toYaml . | nindent 8 }}
 {{- end }}
- serviceAccountName: {{ include "sombra-chart.serviceAccountName" . }}
- securityContext:
- {{- toYaml .Values.podSecurityContext | nindent 8 }}
 containers:
 - name: {{ .Chart.Name }}
- securityContext:
- {{- toYaml .Values.securityContext | nindent 12 }}
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
 imagePullPolicy: {{ .Values.image.pullPolicy }}
+ env:
+ {{- if gt $envs_as_secret_len 0 -}}
+ {{- range $name, $value := .Values.envs_as_secret }}
+ - name: {{ $value.name }}
+ valueFrom:
+ secretKeyRef:
+ name: sombra-secrets
+ key: {{ $value.name }}
+ {{- end }}
+ {{- end }}
+ {{- range $name, $value := .Values.envs }}
+ - name: {{ $value.name }}
+ value: {{ $value.value | quote }}
+ {{- end }}
+ - name: IS_MULTI
+ value: 'false'
 ports:
- - name: http
- containerPort: {{ .Values.service.port }}
+ - name: external
+ containerPort: {{ .Values.transcend_service.port }}
+ protocol: TCP
+ - name: internal
+ containerPort: {{ .Values.customer_service.port }}
 protocol: TCP
 livenessProbe:
 {{- toYaml .Values.livenessProbe | nindent 12 }}
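Review bot: `namespace: {{ .Values.namespace }}` pins the Deployment to a value-supplied namespace instead of `.Release.Namespace`, so `helm install -n other` records the release in one namespace while the object lands in `transcend`, and `helm uninstall` bookkeeping no longer matches what is in the cluster; the hpa.yaml hunk below and the new ingress, namespaces, secrets and service templates repeat the same pattern. `{{ .Values.namespace | default .Release.Namespace }}`, or simply `{{ .Release.Namespace }}`, keeps release and objects together. The new first line `{{- $envs_as_secret_len := len .Values.envs_as_secret }}` errors at render time if an operator overrides `envs_as_secret` with `null`; `len (.Values.envs_as_secret | default list)` tolerates that.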
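Review bot: The pod-level and container-level `securityContext` blocks and the `serviceAccountName` line are removed from the second hunk together with their values keys, and nothing replaces them, so the pod now runs with whatever user and capability set the image defaults to and has the namespace's default service-account token automounted, although no template in this commit needs API access. Keep both `securityContext:` / `{{- toYaml … | nindent … }}` pairs (restoring `podSecurityContext` and `securityContext` in values.yaml with `runAsNonRoot: true`, `readOnlyRootFilesystem: true` and `capabilities: {drop: [ALL]}` as defaults) and add `automountServiceAccountToken: false` to the pod spec. As a point of style, `range $name, $value := .Values.envs_as_secret` iterates a list, so `$name` is an unused index; `{{- range .Values.envs_as_secret }}` with `.name` and `.value` reads more honestly in both loops.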
@@ -46,14 +62,6 @@ spec:
 {{- toYaml .Values.readinessProbe | nindent 12 }}
 resources:
 {{- toYaml .Values.resources | nindent 12 }}
- {{- with .Values.volumeMounts }}
- volumeMounts:
- {{- toYaml . | nindent 12 }}
- {{- end }}
- {{- with .Values.volumes }}
- volumes:
- {{- toYaml . | nindent 8 }}
- {{- end }}
 {{- with .Values.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
diff --git a/deployments/sombra-chart/templates/hpa.yaml b/templates/hpa.yaml
similarity index 96%
rename from deployments/sombra-chart/templates/hpa.yaml
rename to templates/hpa.yaml
index 9681cb8..03e3dfe 100644
--- a/deployments/sombra-chart/templates/hpa.yaml
+++ b/templates/hpa.yaml
@@ -2,6 +2,7 @@
 apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
+ namespace: {{ .Values.namespace }}
 name: {{ include "sombra-chart.fullname" . }}
 labels:
 {{- include "sombra-chart.labels" . | nindent 4 }}
diff --git a/templates/ingress.yaml b/templates/ingress.yaml
new file mode 100644
index 0000000..aba7b48
--- /dev/null
+++ b/templates/ingress.yaml
@@ -0,0 +1,57 @@
+{{- if .Values.transcend_ingress.enabled -}}
+{{- $fullTrancendIngressName := "sombra-transcend-ingress" -}}
+{{- $trancenIngressPort := .Values.transcend_service.port -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: "{{ include "sombra-chart.fullname" . }}-transcend-ingress"
+ namespace: {{ .Values.namespace }}
+ labels:
+ {{- include "sombra-chart.labels" . | nindent 4 }}
+ {{- with .Values.transcend_ingress.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ ingressClassName: {{ .Values.transcend_ingress.className }}
+ rules:
+ - host: {{ .Values.transcend_ingress.host | quote }}
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: "{{ include "sombra-chart.fullname" . }}-transcend-service"
+ port:
+ number: {{ $trancenIngressPort }}
+{{- end }}
+---
+{{- if .Values.customer_ingress.enabled -}}
+{{- $fullCustomerServiceName := "sombra-customer-service" -}}
+{{- $customerIngressPort := .Values.customer_service.port -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: "{{ include "sombra-chart.fullname" . }}-customer-ingress"
+ namespace: {{ .Values.namespace }}
+ labels:
+ {{- include "sombra-chart.labels" . | nindent 4 }}
+ {{- with .Values.customer_ingress.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ ingressClassName: {{ .Values.customer_ingress.className }}
+ rules:
+ - host: {{ .Values.customer_ingress.host | quote }}
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: "{{ include "sombra-chart.fullname" . }}-customer-service"
+ port:
+ number: {{ $customerIngressPort }}
+{{- end }}
\ No newline at end of file
diff --git a/templates/namespaces.yaml b/templates/namespaces.yaml
new file mode 100644
index 0000000..5bd24fe
--- /dev/null
+++ b/templates/namespaces.yaml
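Review bot: Neither Ingress renders a `spec.tls` section and neither `transcend_ingress` nor `customer_ingress` carries a `tls` value, so both the Transcend-facing and the customer-facing endpoints are published as plain HTTP by the ingress controller unless it redirects on its own; NOTES.txt already consults `.tls` for the URL scheme, so the field is clearly expected. A `with`-guarded block under `spec:` closes the gap (shown for the transcend object below; mirror it for the customer one) and lets operators pass the usual `- hosts: [...]` / `secretName:` list. `$fullTrancendIngressName` and `$fullCustomerServiceName` are assigned but never read and carry a typo; the literal `"<fullname>-transcend-service"` strings are what the backends actually use, so either drop the variables or route the names through them. The `---` between the objects sits outside both `if` blocks, which is harmless but emits a separator even when neither ingress is enabled.
```yaml
spec:
  ingressClassName: {{ .Values.transcend_ingress.className }}
  {{- with .Values.transcend_ingress.tls }}
  tls:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  rules:
  # … unchanged: host / path / backend …
```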
@@ -0,0 +1,8 @@
+{{- if .Values.createNewNameSpace -}}
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: {{ .Values.namespace }}
+ labels:
+ {{- include "sombra-chart.labels" . | nindent 4 }}
+{{- end }}
\ No newline at end of file
diff --git a/templates/secrets.yaml b/templates/secrets.yaml
new file mode 100644
index 0000000..fcfa8ea
--- /dev/null
+++ b/templates/secrets.yaml
@@ -0,0 +1,28 @@
+{{- $envs_as_secret_len := len .Values.envs_as_secret }}
+{{- if gt $envs_as_secret_len 0 -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: {{ .Values.namespace }}
+ name: sombra-secrets
+type: Opaque
+data:
+ {{- range $name, $value := .Values.envs_as_secret }}
+ {{ $value.name }}: {{ $value.value | b64enc | quote }}
+ {{- end }}
+---
+{{- end }}
+{{- define "imagePullSecret" }}
+{{- with .Values.imageCredentials }}
+{{- printf "{\"auths\":{\"%s\":{\"username\":\"%s\",\"password\":\"%s\",\"auth\":\"%s\"}}}" .registry .username .password (printf "%s:%s" .username .password | b64enc) | b64enc }}
+{{- end }}
+{{- end }}
+
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: {{ .Values.namespace }}
+ name: transcend-registry
+type: kubernetes.io/dockerconfigjson
+data:
+ .dockerconfigjson: {{ template "imagePullSecret" . }}
\ No newline at end of file
diff --git a/templates/service.yaml b/templates/service.yaml
new file mode 100644
index 0000000..11de54e
--- /dev/null
+++ b/templates/service.yaml
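Review bot: The `transcend-registry` Secret at the end of the secrets.yaml hunk is rendered unconditionally, and `imagePullSecret` assembles the dockerconfigjson with `printf "%s"` on the raw `.username`/`.password`, so with the shipped default `password: null` the chart still creates a pull secret whose JSON embeds a nil placeholder, and a password containing `"` or `\` yields malformed JSON that will most likely fail at image pull time. Guard the object with `{{- if .Values.imageCredentials.password }}` so an operator who points `global.imagePullSecrets` at a pre-created secret is not handed a broken one, and let the engine escape for you, e.g. `{{- dict "auths" (dict .registry (dict "username" .username "password" .password "auth" (printf "%s:%s" .username .password | b64enc))) | toJson | b64enc }}`. `name: sombra-secrets` is a fixed name rather than `{{ include "sombra-chart.fullname" . }}-secrets`, so two releases in one namespace overwrite each other's Secret; deployment.yaml reads the same literal and would need the same change. The `define "imagePullSecret"` block conventionally belongs in _helpers.tpl and should be prefixed (`sombra-chart.imagePullSecret`) so a subchart defining the same name cannot shadow it.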
@@ -0,0 +1,41 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: "{{ include "sombra-chart.fullname" . }}-transcend-service"
+ namespace: {{ .Values.namespace }}
+ labels:
+ {{- include "sombra-chart.labels" . | nindent 4 }}
+ {{- with .Values.transcend_service.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ type: {{ .Values.transcend_service.type }}
+ ports:
+ - port: {{ .Values.transcend_service.port }}
+ targetPort: external
+ protocol: TCP
+ name: external
+ selector:
+ {{- include "sombra-chart.selectorLabels" . | nindent 4 }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: "{{ include "sombra-chart.fullname" . }}-customer-service"
+ namespace: {{ .Values.namespace }}
+ labels:
+ {{- include "sombra-chart.labels" . | nindent 4 }}
+ {{- with .Values.customer_service.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ type: {{ .Values.customer_service.type }}
+ ports:
+ - port: {{ .Values.customer_service.port }}
+ targetPort: internal
+ protocol: TCP
+ name: internal
+ selector:
+ {{- include "sombra-chart.selectorLabels" . | nindent 4 }}
\ No newline at end of file
diff --git a/values.yaml b/values.yaml
new file mode 100644
index 0000000..c252051
--- /dev/null
+++ b/values.yaml
@@ -0,0 +1,168 @@
+# Default values for sombra-chart.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+# Namespace in which resources will be deployed
+# Create new namespace
+createNewNameSpace: true
+# Name of new namespace, to use existing one set `createNewNameSpace` to `false`.
+namespace: transcend
+
+
+# Number of instances of Datadog Operator
+replicaCount: 1
+
+# Registry server and credential details
+# The username will always be "Transcend" (this is case-sensitive),
+# and the password will be any API Key for your organization within
+# the Admin Dashboard (note: a scope is not required for the API key).
+# This will be stored as a docker config secret, named `transcend-registry`
+imageCredentials:
+ registry: docker.transcend.io
+ username: Transcend
+ password: null
+
+image:
+ # Repository to use for Sombra image
+ repository: docker.transcend.io/sombra
+ # Define the pullPolicy for Sombra image
+ pullPolicy: IfNotPresent
+ # Sombra version to deploy
+ tag: "v7.178.0"
+
+# Override name of app
+nameOverride: ""
+# Override the full qualified app name
+fullnameOverride: ""
+
+# Define annotations for sombra pod
+podAnnotations: {}
+# Define lables for sombra pod
+podLabels: {}
+
+########### Sombra Architecture ###############
+# @see https://docs.transcend.io/docs/security/end-to-end-encryption/deploying-sombra
+#
+# The Sombra container is running two servers sombra-customer-ingress
+# and sombra-transcend-ingress. Typically, each server is mapped to its
+# own URL and load balancer. It is also possible to deploy a single URL used for
+# both servers you can also map both servers to the same load balancer
+# with a single URL, but different ports.
+
+# It is common to terminate TLS at the load balancer, and
+# have the communication between the load balancer and Sombra servers happen
+# over HTTP.
Sombra support TLS connection between the load balancer and server, however, you
+# will need to provide the certificate through environment variables, and you
+# should consider a process for cycling this certificate. To read more
+# about configuring TLS communication between the load balancer and servers,
+# see the TLS Certificate section below.
+#
+# sombra-customer-ingress:
+#
+# This server handles all communication that come inbound from your
+# internal servers. Here, your customer data is encrypted before it enters
+# the Transcend cloud.
+#
+# Container HTTP Port (terminating TLS at load balancer): 5039
+# Container HTTPS Port (requires TLS Certificate): 5040
+#
+# sombra-transcend-ingress:
+#
+# This server handles all communication that comes inbound from the Transcend cloud.
+# Here, Transcend will make requests to your internal systems, the gateway will authenticate those
+# requests, route the request to the correct system, and then encrypt any sensitive or personal
+# data that is returned by that system.
+#
+# Container HTTP Port (terminating TLS at load balancer): 5042
+# Container HTTPS Port (requires TLS Certificate): 5041
+
+# Define service and ingress for sombra-transcend-ingress server
+transcend_service:
+ type: ClusterIP
+ port: 5042
+ # Annotations to add to the service account
+ annotations: {}
+
+transcend_ingress:
+ enabled: false
+ className: nginx
+ annotations: {}
+ host: sombra-transcend.my-domain.com
+
+# Define service and ingress for sombra-customer-ingress server
+customer_service:
+ type: ClusterIP
+ port: 5039
+ # Annotations to add to the service account
+ annotations: {}
+
+customer_ingress:
+ enabled: false
+ className: nginx
+ annotations: {}
+ host: sombra-customer.my-domain.com
+
+# Configure the container service with the minimum set of environment variables
+# @see https://docs.transcend.io/docs/security/end-to-end-encryption/deploying-sombra#3.-configure-the-container-service-with-the-minimum-set-of-environment-variables
+
+# These environment variables are saved as secret
+envs_as_secret:
+ - name: JWT_ECDSA_KEY
+ value: ''
+
+envs:
+ - name: ORGANIZATION_URI
+ value: 'some-org'
+ - name: SOMBRA_ID
+ value: 'some-id'
+ - name: EMPLOYEE_AUTHENTICATION_METHODS
+ value: 'transcend,session'
+ - name: DATA_SUBJECT_AUTHENTICATION_METHODS
+ value: 'transcend,session'
+ - name: LLM_CLASSIFIER_URL
+ value: http://llm-classifier.transcend.svc:6081
+
+# Customise the resousrces as per througput need
+resources:
+ requests:
+ memory: '1000Mi'
+ cpu: '2000m'
+ limits:
+ memory: '2000Mi'
+ cpu: '3000m'
+
+livenessProbe:
+ httpGet:
+ path: /health
+ port: 5042
+ scheme: HTTP
+readinessProbe:
+ httpGet:
+ path: /health
+ port: 5042
+ scheme: HTTP
+
+# Enable to use horizontal pod autoscaling based of metrics
+autoscaling:
+ enabled: false
+ minReplicas: 2
+ maxReplicas: 5
+ targetCPUUtilizationPercentage: 80
+ targetMemoryUtilizationPercentage: 80
+
+nodeSelector: {}
+tolerations: []
+affinity: {}
+
+global:
+ imagePullSecrets:
+ - name:
transcend-registry
+
+# Data classification service using LLM model
+llm-classfier:
+ enabled: false
+
+# Pathfinder is AI governance layer that gives you control and auditability on data going in and out of LLMs.
+# @see https://docs.transcend.io/docs/pathfinder
+pathfinder:
+ enabled: false
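Review bot: `llm-classfier:` near the end of the file is misspelled relative to the dependency, which this commit ships under `charts/llm-classifier`, so a `condition: llm-classifier.enabled` in Chart.yaml (not visible here) would never see this key and any values placed under it would not reach the subchart; rename it to `llm-classifier:`. `imageCredentials.password` and `envs_as_secret[].value` invite operators to put the organisation API key and `JWT_ECDSA_KEY` into a values file that is typically committed and is also retained in the release record; the comment block should steer towards a separate, uncommitted values file and the chart would benefit from an `existingSecret`-style option that references a pre-created Secret instead of rendering one. `LLM_CLASSIFIER_URL: http://llm-classifier.transcend.svc:6081` hardcodes the `transcend` namespace rather than following `namespace:` above, so changing `namespace` silently breaks classification unless this value is changed too. The two `# Annotations to add to the service account` comments sit under Service definitions, `# Number of instances of Datadog Operator` describes a different product, and `lables`, `resousrces` and `througput` are typos.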