Merge pull request #7 from whylabs/dev/aberg/langkit-permission-fixes

Update Langkit Helm chart for fixes related to file permissions and non-root user
whylabs · Feb 2, 2024 · e2d0473 · e2d0473
2 parents 8df9f86 + b0bddd6
commit e2d0473
Show file tree

Hide file tree

Showing 5 changed files with 115 additions and 52 deletions.
diff --git a/charts/langkit/CHANGELOG.md b/charts/langkit/CHANGELOG.md
@@ -6,6 +6,27 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning]
 (https://semver.org/spec/v2.0.0.html).
 
+## [0.6.0] - **Breaking Changes** - 2023-02-01
+
+### Breaking
+
+- :warning: changed the structure of the `values.yaml` file for better
+  organization with the introduction of an init container and running as a
+  non-root user by default
+
+### Changed
+
+- Updated the `securityContext` to run the container as a non-root user
+
+### Added
+
+- Added an `initContainer`
+- Added support for configuring container environment variables
+
+### Removed
+
+- Removed default `root-config` volume and volume mount
+
 ## [0.5.0] - 2023-01-30
 
 ### Changed

diff --git a/charts/langkit/Chart.yaml b/charts/langkit/Chart.yaml
@@ -2,5 +2,5 @@ apiVersion: v2
 name: langkit
 description: A Helm chart for LangKit container deployment
 type: application
-version: 0.5.0
-appVersion: "1.0.2.dev1"
+version: 0.6.0
+appVersion: "1.0.2.dev2"
diff --git a/charts/langkit/README.md b/charts/langkit/README.md
@@ -88,11 +88,23 @@ helm-docs --dry-run
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
+| containers.env[0].name | string | `"HOME"` |  |
+| containers.env[0].value | string | `"/home"` |  |
+| containers.env[1].name | string | `"HF_HOME"` |  |
+| containers.env[1].value | string | `"/home/.cache/hf_home"` |  |
+| containers.securityContext.readOnlyRootFilesystem | bool | `true` |  |
+| containers.securityContext.runAsUser | int | `1000` |  |
+| containers.volumeMounts[0].mountPath | string | `"/tmp"` |  |
+| containers.volumeMounts[0].name | string | `"temp-dir"` |  |
+| containers.volumeMounts[1].mountPath | string | `"/root/.config"` |  |
+| containers.volumeMounts[1].name | string | `"root-config"` |  |
+| containers.volumeMounts[2].mountPath | string | `"/home"` |  |
+| containers.volumeMounts[2].name | string | `"home"` |  |
 | fullnameOverride | string | `""` |  |
 | image.containerPort | int | `8000` |  |
 | image.pullPolicy | string | `"IfNotPresent"` |  |
 | image.repository | string | `"whylabs/whylogs"` |  |
-| image.tag | string | `"py-llm-1.0.2.dev0"` |  |
+| image.tag | string | `"py-llm-1.0.2.dev1"` |  |
 | imagePullSecrets | list | `[]` |  |
 | ingress.annotations | object | `{}` |  |
 | ingress.className | string | `""` |  |
@@ -101,14 +113,18 @@ helm-docs --dry-run
 | ingress.hosts[0].paths[0].path | string | `"/"` |  |
 | ingress.hosts[0].paths[0].pathType | string | `"ImplementationSpecific"` |  |
 | ingress.tls | list | `[]` |  |
+| initContainers.volumeMounts[0].mountPath | string | `"/root/.config"` |  |
+| initContainers.volumeMounts[0].name | string | `"root-config"` |  |
+| initContainers.volumeMounts[1].mountPath | string | `"/home"` |  |
+| initContainers.volumeMounts[1].name | string | `"home"` |  |
 | livenessProbe.initialDelaySeconds | int | `15` |  |
 | livenessProbe.periodSeconds | int | `10` |  |
 | livenessProbe.tcpSocket.port | int | `8000` |  |
 | nameOverride | string | `""` |  |
 | nodeSelector | object | `{}` |  |
-| podAnnotations | object | `{}` |  |
-| podLabels | object | `{}` |  |
-| podSecurityContext | object | `{}` |  |
+| pod.annotations | object | `{}` |  |
+| pod.labels | object | `{}` |  |
+| pod.securityContext | object | `{}` |  |
 | readinessProbe.initialDelaySeconds | int | `15` |  |
 | readinessProbe.periodSeconds | int | `10` |  |
 | readinessProbe.tcpSocket.port | int | `8000` |  |
@@ -119,18 +135,15 @@ helm-docs --dry-run
 | resources.requests.memory | string | `"8Gi"` |  |
 | secrets.langkitApiSecret.name | string | `"langkit-api-secret"` |  |
 | secrets.whylabsApiKey.name | string | `"whylabs-api-key"` |  |
-| securityContext.readOnlyRootFilesystem | bool | `true` |  |
 | service.port | int | `80` |  |
 | service.type | string | `"ClusterIP"` |  |
 | tolerations | list | `[]` |  |
-| volumeMounts[0].mountPath | string | `"/tmp"` |  |
-| volumeMounts[0].name | string | `"temp-dir"` |  |
-| volumeMounts[1].mountPath | string | `"/root/.config"` |  |
-| volumeMounts[1].name | string | `"root-config"` |  |
 | volumes[0].emptyDir | object | `{}` |  |
 | volumes[0].name | string | `"temp-dir"` |  |
 | volumes[1].emptyDir | object | `{}` |  |
 | volumes[1].name | string | `"root-config"` |  |
+| volumes[2].emptyDir | object | `{}` |  |
+| volumes[2].name | string | `"home"` |  |
 
 ----------------------------------------------
 Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0)
diff --git a/charts/langkit/templates/deployment.yaml b/charts/langkit/templates/deployment.yaml
@@ -11,13 +11,13 @@ spec:
       {{- include "langkit.selectorLabels" . | nindent 6 }}
   template:
     metadata:
-      {{- with .Values.podAnnotations }}
+      {{- with .Values.pod.annotations }}
       annotations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       labels:
         {{- include "langkit.labels" . | nindent 8 }}
-        {{- with .Values.podLabels }}
+        {{- with .Values.pod.labels }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
     spec:
@@ -26,11 +26,23 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       securityContext:
-        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+        {{- toYaml .Values.pod.securityContext | nindent 8 }}
+      initContainers:
+        - name: init
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          securityContext:
+            {{- toYaml .Values.containers.securityContext | nindent 12 }}
+          command:
+            {{- toYaml .Values.initContainers.command | nindent 12 }}
+          {{- with .Values.initContainers.volumeMounts }}
+          volumeMounts:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
       containers:
         - name: {{ .Chart.Name }}
           securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
+            {{- toYaml .Values.containers.securityContext | nindent 12 }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           ports:
@@ -41,12 +53,14 @@ spec:
             {{- toYaml .Values.readinessProbe | nindent 12 }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
+          env:
+            {{- toYaml .Values.containers.env | nindent 12 }}
           envFrom:
             - secretRef:
                 name: {{ .Values.secrets.whylabsApiKey.name }}
             - secretRef:
                 name: {{ .Values.secrets.langkitApiSecret.name }}
-          {{- with .Values.volumeMounts }}
+          {{- with .Values.containers.volumeMounts }}
           volumeMounts:
             {{- toYaml . | nindent 12 }}
           {{- end }}

diff --git a/charts/langkit/values.yaml b/charts/langkit/values.yaml
@@ -1,12 +1,5 @@
 replicaCount: 3
 
-image:
-  repository: whylabs/whylogs
-  pullPolicy: IfNotPresent
-  tag: py-llm-1.0.2.dev1
-  containerPort: 8000
-
-imagePullSecrets: []
 nameOverride: ""
 fullnameOverride: ""
 
@@ -26,31 +19,47 @@ ingress:
   #    hosts:
   #      - chart-example.local
 
-podAnnotations: {}
-podLabels: {}
+image:
+  repository: whylabs/whylogs
+  pullPolicy: Always
+  tag: py-llm-1.0.2.dev2
+  containerPort: 8000
 
-podSecurityContext: {}
-  # fsGroup: 2000
+imagePullSecrets: []
 
-securityContext:
-  readOnlyRootFilesystem: true
-  # capabilities:
-  #   drop:
-  #   - ALL
-  # runAsNonRoot: true
-  # runAsUser: 1000
+pod:
+  annotations: {}
+  labels: {}
+  securityContext: {}
+    # fsGroup: 2000
+    # runAsNonRoot: true
+    # runAsUser: 1000
 
-secrets:
-  # kubectl create secret generic whylabs-api-key \
-  # --namespace=langkit \
-  # --from-literal=WHYLABS_API_KEY=<whylabs-api-key>
-  whylabsApiKey: 
-    name: whylabs-api-key
-  # kubectl create secret generic langkit-api-secret \
-  # --namespace=langkit \
-  # --from-literal=CONTAINER_PASSWORD=<llangkit-api-secret>
-  langkitApiSecret:
-    name: langkit-api-secret
+containers:
+  securityContext:
+    readOnlyRootFilesystem: true
+    runAsUser: 1000
+    # capabilities:
+    #   drop:
+    #   - ALL
+    # runAsNonRoot: true
+    # runAsUser: 1000
+  env:
+    - name: HOME
+      value: "/home"
+    - name: HF_HOME
+      value: "/home/.cache/hf_home"
+  volumeMounts:
+    - name: temp-dir
+      mountPath: /tmp
+    - name: home
+      mountPath: /home
+
+initContainers:
+  command: ["sh", "-c", "cp -R /opt/whylogs-container/.cache /home/"]
+  volumeMounts:
+    - name: home
+      mountPath: /home
 
 service:
   type: ClusterIP
@@ -63,6 +72,18 @@ resources:
   limits:
     cpu: "8"
     memory: 16Gi
+
+secrets:
+  # kubectl create secret generic whylabs-api-key \
+  # --namespace=langkit \
+  # --from-literal=WHYLABS_API_KEY=<whylabs-api-key>
+  whylabsApiKey: 
+    name: whylabs-api-key
+  # kubectl create secret generic langkit-api-secret \
+  # --namespace=langkit \
+  # --from-literal=CONTAINER_PASSWORD=<llangkit-api-secret>
+  langkitApiSecret:
+    name: langkit-api-secret
 
 livenessProbe:
   tcpSocket:
@@ -99,11 +120,5 @@ affinity:
 volumes:
   - name: temp-dir
     emptyDir: {}
-  - name: root-config
+  - name: home
     emptyDir: {}
-
-volumeMounts:
-  - name: temp-dir
-    mountPath: /tmp
-  - name: root-config
-    mountPath: /root/.config