PufferAI
diff --git a/‎devops/charts/README.md‎
Lines changed: 18 additions & 2 deletions b/‎devops/charts/README.md‎
Lines changed: 18 additions & 2 deletions
diff --git a/‎devops/charts/helmfile.yaml‎
Lines changed: 45 additions & 4 deletions b/‎devops/charts/helmfile.yaml‎
Lines changed: 45 additions & 4 deletions
diff --git a/‎devops/charts/observatory-backend/Chart.yaml‎
Lines changed: 3 additions & 0 deletions b/‎devops/charts/observatory-backend/Chart.yaml‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎devops/charts/observatory-backend/templates/deployment.yaml‎
Lines changed: 41 additions & 0 deletions b/‎devops/charts/observatory-backend/templates/deployment.yaml‎
Lines changed: 41 additions & 0 deletions
diff --git a/‎devops/charts/observatory-backend/templates/ingress.yaml‎
Lines changed: 27 additions & 0 deletions b/‎devops/charts/observatory-backend/templates/ingress.yaml‎
Lines changed: 27 additions & 0 deletions
diff --git a/‎devops/charts/observatory-backend/templates/service.yaml‎
Lines changed: 10 additions & 0 deletions b/‎devops/charts/observatory-backend/templates/service.yaml‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎devops/charts/observatory-backend/values.yaml‎
Lines changed: 16 additions & 0 deletions b/‎devops/charts/observatory-backend/values.yaml‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎devops/charts/observatory/Chart.yaml‎
Lines changed: 3 additions & 0 deletions b/‎devops/charts/observatory/Chart.yaml‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎devops/charts/observatory/templates/deployment.yaml‎
Lines changed: 34 additions & 0 deletions b/‎devops/charts/observatory/templates/deployment.yaml‎
Lines changed: 34 additions & 0 deletions
diff --git a/‎devops/charts/observatory/templates/ingress.yaml‎
Lines changed: 65 additions & 0 deletions b/‎devops/charts/observatory/templates/ingress.yaml‎
Lines changed: 65 additions & 0 deletions
@@ -8,8 +8,24 @@ Install necessary tools with `./devops/macos/setup_machine.py --devops`.
 
 ## Updating charts
 
-Edit some charts and/or `helmfile.yaml`.
+### Helmfile-powered charts
 
-Then run `helmfile apply`.
+Most of the infrastructure is described by `helmfile.yaml`.
+
+This file describes several Helm charts:
+
+- core services such as `ingress-nginx` and `cert-manager`
+- `skypilot` chart (which is our fork of the upstream SkyPilot helm chart)
+
+How to update infra charts:
+
+1. Edit some charts and/or `helmfile.yaml`.
+2. Then run `helmfile apply`.
 
 Refer to [helmfile documentation](https://helmfile.readthedocs.io/en/latest/) for more details.
+
+### Observatory
+
+Observatory charts (`./observatory` and `./observatory-backend`) are deployed by CI/CD pipelines powered by GitHub Actions.
+
+Image tag values are updated on each build, so we can't describe these charts with all up-to-date values statically in `helmfile.yaml`.
@@ -3,6 +3,10 @@ repositories:
   url: https://kubernetes-sigs.github.io/external-dns/
 - name: cert-manager
   url: https://charts.jetstack.io
+- name: ingress-nginx
+  url: https://kubernetes.github.io/ingress-nginx
+- name: metrics-server
+  url: https://kubernetes-sigs.github.io/metrics-server/
 
 releases:
 ########## Core infrastructure ##########
@@ -26,6 +30,46 @@ releases:
   values:
   - installCRDs: true
 
+- name: ingress-nginx
+  chart: ingress-nginx/ingress-nginx
+  version: 4.11.3
+  namespace: ingress-nginx
+  values:
+  # The initial version of these values is borrowed from skypilot chart.
+  # Comments below come from skypilot chart too. (Probably could be simplified since we're committed to AWS.)
+  # Since we use ingress-nginx for more than just skypilot, we install it separately.
+  - controller:
+      service:
+        type: LoadBalancer
+        # Default annotations for the ingress controller service. We want an L4 loadbalancer by default for maximum compatibility,
+        # especially for websocket SSH tunneling. Different cloud providers may require different annotations.
+        # Annotations with no side effects are aggregated below to simplify the usage.
+        annotations:
+          # For AWS service reconciled by cloud-controller-manager, use NLB by default.
+          # If you are using AWS Load Balancer Controller, refer to the following doc to configure annotations:
+          # https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/guide/service/annotations/
+          service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
+          # For GKE, use backend service-based external passthrough Network Load Balancer as per best practices.
+          # Ref: https://cloud.google.com/kubernetes-engine/docs/concepts/service-load-balancer#load_balancer_types
+          cloud.google.com/l4-rbs: "enabled"
+          # For Azure, override the healthz check protocol to TCP probe to avoid HTTP auth issues.
+          service.beta.kubernetes.io/port_443_health-probe_protocol: "TCP"
+          service.beta.kubernetes.io/port_80_health-probe_protocol: "TCP"
+          service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
+      config:
+        # necessary for observatory, we strip headers in observatory-api ingress
+        allow-snippet-annotations: true
+        http-snippet: |
+          map $http_upgrade $connection_upgrade {
+              default upgrade;
+              ''      close;
+          }
+
+- name: metrics-server
+  chart: metrics-server/metrics-server
+  version: 3.12.2
+  namespace: metrics-server
+
 ########## Skypilot ##########
 - name: skypilot
   chart: ./skypilot
@@ -46,10 +90,7 @@ releases:
         enabled: true
       host: skypilot-api.softmax-research.net
     ingress-nginx:
-      controller:
-        service:
-          annotations:
-            service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
+      enabled: false
     lambdaAiCredentials:
       enabled: true
       # created by terraform
 
@@ -0,0 +1,3 @@
+apiVersion: v2
+name: metta-observatory-backend
+version: "0.1.0"
@@ -0,0 +1,41 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .Release.Name }}
+spec:
+  selector:
+    matchLabels:
+      app: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        app: {{ .Release.Name }}
+    spec:
+      imagePullSecrets:
+      - name: dockerconfig
+      containers:
+        - name: server
+          image: "{{ .Values.image.registry }}/{{ .Values.image.name }}:{{ required "tag is required" .Values.image.tag }}"
+          imagePullPolicy: Always
+          envFrom:
+          - secretRef:
+              name: {{ .Values.secret_name }}
+          resources:
+            requests:
+              memory: "1Gi"
+            limits:
+              memory: "4Gi"
+          ports:
+            - containerPort: 8000
+          livenessProbe:
+            httpGet:
+              path: /whoami
+              port: 8000
+            timeoutSeconds: 30
+            failureThreshold: 3
+          readinessProbe:
+            httpGet:
+              path: /whoami
+              port: 8000
+            timeoutSeconds: 3
+            periodSeconds: 1
@@ -0,0 +1,27 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ .Release.Name }}
+  annotations:
+    cert-manager.io/cluster-issuer: {{ .Values.cert_manager_issuer | required "cert_manager_issuer is required" }}
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      proxy_set_header X-Auth-Request-Email   "";
+      proxy_set_header X-Auth-Request-User    "";
+
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: "{{ .Values.host | required "host is required" }}"
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: {{ .Release.Name }}
+            port:
+              number: 8000
+  tls:
+  - hosts:
+    - {{ .Values.host | required "host is required" }}
+    secretName: {{ .Release.Name }}-tls
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Release.Name }}
+spec:
+  selector:
+    app: {{ .Release.Name }}
+  ports:
+    - port: 8000
+      targetPort: 8000
@@ -0,0 +1,16 @@
+# This host is used by scripts that authenticate with API tokens.
+# Backend server will be mounted under /
+#
+# Note that another chart, `observatory`, creates another endpoint for browser access, `https://observatory.softmax-research.net/api`.
+# That endpoint is protected by oauth2-proxy.
+host: api.observatory.softmax-research.net
+
+image:
+  registry: 751442549699.dkr.ecr.us-east-1.amazonaws.com
+  name: metta-app-backend
+  tag: "" # will be set by CI/CD pipeline
+
+# created by terraform
+secret_name: observatory-backend-env
+
+cert_manager_issuer: letsencrypt
@@ -0,0 +1,3 @@
+apiVersion: v2
+name: metta-observatory
+version: "0.1.0"
@@ -0,0 +1,34 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .Release.Name }}
+spec:
+  selector:
+    matchLabels:
+      app: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        app: {{ .Release.Name }}
+    spec:
+      imagePullSecrets:
+      - name: dockerconfig
+      containers:
+        - name: server
+          image: "{{ .Values.image.registry }}/{{ .Values.image.name }}:{{ required "tag is required" .Values.image.tag }}"
+          imagePullPolicy: Always
+          resources:
+            requests:
+              memory: "128Mi"
+            limits:
+              memory: "1Gi"
+          ports:
+            - containerPort: 80
+          livenessProbe:
+            httpGet:
+              path: /
+              port: 80
+          readinessProbe:
+            httpGet:
+              path: /
+              port: 80
@@ -0,0 +1,65 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ .Release.Name }}-oauth2-proxy
+  annotations:
+    cert-manager.io/cluster-issuer: {{ .Values.cert_manager_issuer | required "cert_manager_issuer is required" }}
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: "{{ .Values.host | required "host is required" }}"
+    http:
+      paths:
+      - path: /oauth2
+        pathType: Prefix
+        backend:
+          service:
+            name: "{{ .Release.Name }}-oauth2-proxy"
+            port:
+              number: 4180
+  tls:
+  - hosts:
+    - {{ .Values.host | required "host is required" }}
+    secretName: {{ .Release.Name }}-tls
+---
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ .Release.Name }}
+  annotations:
+    nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
+    nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
+    nginx.ingress.kubernetes.io/auth-response-headers: |
+      X-Auth-Request-User, X-Auth-Request-Email
+    cert-manager.io/cluster-issuer: {{ .Values.cert_manager_issuer | required "cert_manager_issuer is required" }}
+    # needed for /api rewrites
+    nginx.ingress.kubernetes.io/use-regex: "true"
+    nginx.ingress.kubernetes.io/rewrite-target: "/$2"
+
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: "{{ .Values.host | required "host is required" }}"
+    http:
+      paths:
+      # /api –> backend, drop the prefix
+      - path: /api(/|$)(.*)
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: "{{ .Release.Name }}-backend"
+            port:
+              number: 8000
+      # / –> frontend
+      - path: /()(.*)
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: {{ .Release.Name }}
+            port:
+              number: 80
+  tls:
+  - hosts:
+    - {{ .Values.host | required "host is required" }}
+    secretName: {{ .Release.Name }}-tls
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+apiVersion: v2`
	`2`	`+name: metta-observatory-backend`
	`3`	`+version: "0.1.0"`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+apiVersion: v2`
	`2`	`+name: metta-observatory`
	`3`	`+version: "0.1.0"`