helm chart: Add service account support (#624)

* helm: Add service account support in common services 1. Add service account creation support, disabled by default. 2. Add support of sharing the same service account by setting global.sharedSAName, disabled by default. Signed-off-by: Lianhao Lu <[email protected]> * helm: Add service account support in e2e charts 1. Add service account creation support, enabled by default. 2. Add support of sharing the same service account by setting global.sharedSAName, enabled by default. Signed-off-by: Lianhao Lu <[email protected]> --------- Signed-off-by: Lianhao Lu <[email protected]>
opea-project · Dec 10, 2024 · 9bb7c3a · 9bb7c3a
1 parent 7219249
commit 9bb7c3a
Show file tree

Hide file tree

Showing 127 changed files with 1,219 additions and 86 deletions.
diff --git a/helm-charts/agentqna/templates/_helpers.tpl b/helm-charts/agentqna/templates/_helpers.tpl
@@ -54,7 +54,9 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 Create the name of the service account to use
 */}}
 {{- define "agentqna.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
+{{- if .Values.global.sharedSAName }}
+{{- .Values.global.sharedSAName }}
+{{- else if .Values.serviceAccount.create }}
 {{- default (include "agentqna.fullname" .) .Values.serviceAccount.name }}
 {{- else }}
 {{- default "default" .Values.serviceAccount.name }}

diff --git a/helm-charts/agentqna/templates/crag.yaml b/helm-charts/agentqna/templates/crag.yaml
@@ -28,6 +28,7 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      serviceAccountName: {{ include "agentqna.serviceAccountName" . }}
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       containers:

diff --git a/helm-charts/agentqna/templates/docretriever.yaml b/helm-charts/agentqna/templates/docretriever.yaml
@@ -28,6 +28,7 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      serviceAccountName: {{ include "agentqna.serviceAccountName" . }}
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       containers:

diff --git a/helm-charts/agentqna/templates/serviceaccount.yaml b/helm-charts/agentqna/templates/serviceaccount.yaml
@@ -0,0 +1,16 @@
+# Copyright (C) 2024 Intel Corporation
+# SPDX-License-Identifier: Apache-2.0
+
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "agentqna.serviceAccountName" . }}
+  labels:
+    {{- include "agentqna.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
+{{- end }}
diff --git a/helm-charts/agentqna/values.yaml b/helm-charts/agentqna/values.yaml
@@ -7,6 +7,26 @@
 
 replicaCount: 1
 
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: true
+  # Automatically mount a ServiceAccount's API credentials?
+  automount: true
+  # Annotations to add to the service account
+  annotations: {}
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+
+podAnnotations: {}
+
+podSecurityContext: {}
+  # fsGroup: 2000
+
 securityContext:
   readOnlyRootFilesystem: true
   allowPrivilegeEscalation: false
@@ -102,6 +122,10 @@ global:
   https_proxy: ""
   no_proxy: ""
   HUGGINGFACEHUB_API_TOKEN: "insert-your-huggingface-token-here"
+  # service account name to be shared with all parent/child charts.
+  # If set, it will overwrite serviceAccount.name.
+  # If set, and serviceAccount.create is false, it will assume this service account is already created by others.
+  sharedSAName: "agentqna"
   # set modelUseHostPath or modelUsePVC to use model cache.
   modelUseHostPath: ""
   # modelUseHostPath: /mnt/opea-models

diff --git a/helm-charts/audioqna/templates/_helpers.tpl b/helm-charts/audioqna/templates/_helpers.tpl
@@ -54,7 +54,9 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 Create the name of the service account to use
 */}}
 {{- define "audioqna.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
+{{- if .Values.global.sharedSAName }}
+{{- .Values.global.sharedSAName }}
+{{- else if .Values.serviceAccount.create }}
 {{- default (include "audioqna.fullname" .) .Values.serviceAccount.name }}
 {{- else }}
 {{- default "default" .Values.serviceAccount.name }}

diff --git a/helm-charts/audioqna/templates/deployment.yaml b/helm-charts/audioqna/templates/deployment.yaml
@@ -28,6 +28,7 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      serviceAccountName: {{ include "audioqna.serviceAccountName" . }}
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       containers:

diff --git a/helm-charts/audioqna/templates/serviceaccount.yaml b/helm-charts/audioqna/templates/serviceaccount.yaml
@@ -0,0 +1,16 @@
+# Copyright (C) 2024 Intel Corporation
+# SPDX-License-Identifier: Apache-2.0
+
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "audioqna.serviceAccountName" . }}
+  labels:
+    {{- include "audioqna.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
+{{- end }}
diff --git a/helm-charts/audioqna/values.yaml b/helm-charts/audioqna/values.yaml
@@ -14,14 +14,25 @@ image:
   # Overrides the image tag whose default is the chart appVersion.
   tag: "latest"
 
-port: 8888
-service:
-  type: ClusterIP
-  port: 3008
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
 
-nginx:
-  service:
-    type: NodePort
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: true
+  # Automatically mount a ServiceAccount's API credentials?
+  automount: true
+  # Annotations to add to the service account
+  annotations: {}
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+
+podAnnotations: {}
+
+podSecurityContext: {}
+  # fsGroup: 2000
 
 securityContext:
   readOnlyRootFilesystem: true
@@ -34,6 +45,15 @@ securityContext:
   seccompProfile:
     type: RuntimeDefault
 
+port: 8888
+service:
+  type: ClusterIP
+  port: 3008
+
+nginx:
+  service:
+    type: NodePort
+
 nodeSelector: {}
 
 tolerations: []
@@ -57,6 +77,10 @@ global:
   https_proxy: ""
   no_proxy: ""
   HUGGINGFACEHUB_API_TOKEN: "insert-your-huggingface-token-here"
+  # service account name to be shared with all parent/child charts.
+  # If set, it will overwrite serviceAccount.name.
+  # If set, and serviceAccount.create is false, it will assume this service account is already created by others.
+  sharedSAName: "audioqna"
   # set modelUseHostPath or modelUsePVC to use model cache.
   modelUseHostPath: ""
   # modelUseHostPath: /mnt/opea-models

diff --git a/helm-charts/chatqna/templates/_helpers.tpl b/helm-charts/chatqna/templates/_helpers.tpl
@@ -54,7 +54,9 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 Create the name of the service account to use
 */}}
 {{- define "chatqna.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
+{{- if .Values.global.sharedSAName }}
+{{- .Values.global.sharedSAName }}
+{{- else if .Values.serviceAccount.create }}
 {{- default (include "chatqna.fullname" .) .Values.serviceAccount.name }}
 {{- else }}
 {{- default "default" .Values.serviceAccount.name }}

diff --git a/helm-charts/chatqna/templates/deployment.yaml b/helm-charts/chatqna/templates/deployment.yaml
@@ -28,6 +28,7 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      serviceAccountName: {{ include "chatqna.serviceAccountName" . }}
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       containers:

diff --git a/helm-charts/chatqna/templates/serviceaccount.yaml b/helm-charts/chatqna/templates/serviceaccount.yaml
@@ -0,0 +1,16 @@
+# Copyright (C) 2024 Intel Corporation
+# SPDX-License-Identifier: Apache-2.0
+
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "chatqna.serviceAccountName" . }}
+  labels:
+    {{- include "chatqna.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
+{{- end }}
diff --git a/helm-charts/chatqna/values.yaml b/helm-charts/chatqna/values.yaml
@@ -14,14 +14,25 @@ image:
   # Overrides the image tag whose default is the chart appVersion.
   tag: "latest"
 
-port: 8888
-service:
-  type: ClusterIP
-  port: 8888
-
-nginx:
-  service:
-    type: NodePort
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: true
+  # Automatically mount a ServiceAccount's API credentials?
+  automount: true
+  # Annotations to add to the service account
+  annotations: {}
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+
+podAnnotations: {}
+
+podSecurityContext: {}
+  # fsGroup: 2000
 
 securityContext:
   readOnlyRootFilesystem: true
@@ -34,6 +45,15 @@ securityContext:
   seccompProfile:
     type: RuntimeDefault
 
+port: 8888
+service:
+  type: ClusterIP
+  port: 8888
+
+nginx:
+  service:
+    type: NodePort
+
 nodeSelector: {}
 
 tolerations: []
@@ -67,6 +87,10 @@ global:
   https_proxy: ""
   no_proxy: ""
   HUGGINGFACEHUB_API_TOKEN: "insert-your-huggingface-token-here"
+  # service account name to be shared with all parent/child charts.
+  # If set, it will overwrite serviceAccount.name.
+  # If set, and serviceAccount.create is false, it will assume this service account is already created by others.
+  sharedSAName: "chatqna"
   # set modelUseHostPath or modelUsePVC to use model cache.
   modelUseHostPath: ""
   # modelUseHostPath: /mnt/opea-models

diff --git a/helm-charts/codegen/templates/_helpers.tpl b/helm-charts/codegen/templates/_helpers.tpl
@@ -54,7 +54,9 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 Create the name of the service account to use
 */}}
 {{- define "codegen.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
+{{- if .Values.global.sharedSAName }}
+{{- .Values.global.sharedSAName }}
+{{- else if .Values.serviceAccount.create }}
 {{- default (include "codegen.fullname" .) .Values.serviceAccount.name }}
 {{- else }}
 {{- default "default" .Values.serviceAccount.name }}

diff --git a/helm-charts/codegen/templates/deployment.yaml b/helm-charts/codegen/templates/deployment.yaml
@@ -28,6 +28,7 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      serviceAccountName: {{ include "codegen.serviceAccountName" . }}
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       containers:

diff --git a/helm-charts/codegen/templates/serviceaccount.yaml b/helm-charts/codegen/templates/serviceaccount.yaml
@@ -0,0 +1,16 @@
+# Copyright (C) 2024 Intel Corporation
+# SPDX-License-Identifier: Apache-2.0
+
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "codegen.serviceAccountName" . }}
+  labels:
+    {{- include "codegen.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
+{{- end }}
diff --git a/helm-charts/codegen/values.yaml b/helm-charts/codegen/values.yaml
@@ -14,14 +14,25 @@ image:
   # Overrides the image tag whose default is the chart appVersion.
   tag: "latest"
 
-port: 7778
-service:
-  type: ClusterIP
-  port: 7778
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
 
-nginx:
-  service:
-    type: NodePort
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: true
+  # Automatically mount a ServiceAccount's API credentials?
+  automount: true
+  # Annotations to add to the service account
+  annotations: {}
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+
+podAnnotations: {}
+
+podSecurityContext: {}
+  # fsGroup: 2000
 
 securityContext:
   readOnlyRootFilesystem: true
@@ -34,6 +45,15 @@ securityContext:
   seccompProfile:
     type: RuntimeDefault
 
+port: 7778
+service:
+  type: ClusterIP
+  port: 7778
+
+nginx:
+  service:
+    type: NodePort
+
 nodeSelector: {}
 
 tolerations: []
@@ -56,6 +76,10 @@ global:
   https_proxy: ""
   no_proxy: ""
   HUGGINGFACEHUB_API_TOKEN: "insert-your-huggingface-token-here"
+  # service account name to be shared with all parent/child charts.
+  # If set, it will overwrite serviceAccount.name.
+  # If set, and serviceAccount.create is false, it will assume this service account is already created by others.
+  sharedSAName: "codegen"
   # set modelUseHostPath or modelUsePVC to use model cache.
   modelUseHostPath: ""
   # modelUseHostPath: /mnt/opea-models

diff --git a/helm-charts/codetrans/templates/_helpers.tpl b/helm-charts/codetrans/templates/_helpers.tpl
@@ -54,7 +54,9 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 Create the name of the service account to use
 */}}
 {{- define "codetrans.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
+{{- if .Values.global.sharedSAName }}
+{{- .Values.global.sharedSAName }}
+{{- else if .Values.serviceAccount.create }}
 {{- default (include "codetrans.fullname" .) .Values.serviceAccount.name }}
 {{- else }}
 {{- default "default" .Values.serviceAccount.name }}

diff --git a/helm-charts/codetrans/templates/deployment.yaml b/helm-charts/codetrans/templates/deployment.yaml
@@ -28,6 +28,7 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      serviceAccountName: {{ include "codetrans.serviceAccountName" . }}
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       containers: