@erangi-ar
Collaborator

No description provided.

Thirunayan22 and others added 23 commits December 16, 2025 12:33
Pulling changes from Burokratt WIP to rootcodelabs/RAG-Module wip
Get update from RAG-201-Fix into encrypt-llm-keys
update cron manager vault script
Sync rootcodelabs/RAG-Module wip with buerokratt/RAG-Module wip
@erangi-ar erangi-ar marked this pull request as draft January 19, 2026 05:41
@erangi-ar erangi-ar self-assigned this Jan 19, 2026
@erangi-ar erangi-ar marked this pull request as ready for review January 19, 2026 07:18

The Bitnami Postgres image cannot be used anymore, as starting from the end of August 2025 it was discontinued as free to use. The database helm should use a pure Postgres image.
Use this as a reference:
https://github.com/buerokratt/NoOps/tree/dev/Kubernetes/Components/Databases

Seems that the .md cuts off at 1.3 Authentication layer.
Also, I would recommend utilizing the GitHub Actions workflows for automated image building.
As a reference -
https://github.com/buerokratt/Buerokratt-Chatbot/blob/dev/.github/workflows/check-version.yml
If you need help with implementing this as is or want to modify it, then please let me know.

How do you plan to build the helm dependency?
Manual .lock creation is not something I would support.
I recommend utilizing GitHub Actions workflows.
As a reference -
https://github.com/buerokratt/NoOps/blob/dev/.github/workflows/helm-dependancy.yaml

If help is needed, please let me know

This comment should be applied everywhere where sensitive info is present. While giving, for example, a database password inside values.yaml is easier (I have made that mistake often myself), a good practice is to keep sensitive info away from values.yaml and use secret.yaml.
I will use the Langfuse-Web helm as an example:

Separate non-sensitive and sensitive info inside the deployment yaml

          # Non-sensitive env's from values.yaml
          env:
            {{- range $key, $value := .Values.env }}
            - name: {{ $key }}
              value: {{ $value | quote }}
            {{- end }}

          # Sensitive env's from Kubernetes Secret
          {{- if .Values.envFrom }}
          envFrom:
            {{- toYaml .Values.envFrom | nindent 12 }}
          {{- end }}

In values.yaml, remove all sensitive env's and keep the non-sensitive ones.
Add a reference to the secret.yaml

# Reference to Kubernetes Secret
envFrom:
  - secretRef:
      name: langfuse-secrets

secret-example yaml

apiVersion: v1
kind: Secret
metadata:
  name: langfuse-secrets
type: Opaque
stringData:
  DATABASE_URL: "<SET_ME>"
  NEXTAUTH_SECRET: "<SET_ME>"
  ENCRYPTION_KEY: "<SET_ME>"
  SALT: "<SET_ME>"
  CLICKHOUSE_MIGRATION_URL: "<SET_ME>"
  LANGFUSE_S3_EVENT_UPLOAD_ACCESS_KEY_ID: "<SET_ME>"
  LANGFUSE_S3_EVENT_UPLOAD_SECRET_ACCESS_KEY: "<SET_ME>"
  LANGFUSE_S3_MEDIA_UPLOAD_ACCESS_KEY_ID: "<SET_ME>"
  LANGFUSE_S3_MEDIA_UPLOAD_SECRET_ACCESS_KEY: "<SET_ME>"
  LANGFUSE_S3_BATCH_EXPORT_ACCESS_KEY_ID: "<SET_ME>"
  LANGFUSE_S3_BATCH_EXPORT_SECRET_ACCESS_KEY: "<SET_ME>"
  REDIS_AUTH: "<SET_ME>"

During deployment, the secret example can be seeded with correct info locally and then deployed:

helm install -n <namespace> <release_name> ./<helm folder>

or a manual secret generation can be used, e.g.

kubectl create secret generic langfuse-secrets \
  --from-literal=DATABASE_URL=postgresql://... \
  --from-literal=NEXTAUTH_SECRET=supersecret \
  --from-literal=ENCRYPTION_KEY=supersecretkey \
  --from-literal=SALT=supersalt \
  --from-literal=REDIS_AUTH=myredissecret
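
As an added example (not part of the review comment above and not code from the PR), this Python check enforces the rule the comment describes: it reads the flat top-level `env:` map that the deployment template iterates with `range $key, $value := .Values.env` and reports entries that belong in the Secret instead. The name-segment list, the credential-URL pattern and the sample values.yaml are assumptions constructed for illustration.

```python
import re

# Assumed name segments that mark a variable as sensitive, modelled on the
# keys of the secret example above (SECRET, KEY, SALT, AUTH ...).
SENSITIVE_PARTS = {"SECRET", "PASSWORD", "TOKEN", "SALT", "AUTH", "KEY"}
# A URL that embeds credentials, e.g. scheme://user:pass@host/db
CRED_URL = re.compile(r"^[a-z][a-z0-9+.-]*://[^/@\s:]+:[^/@\s]+@", re.I)

# Constructed sample values.yaml, not taken from the pull request.
SAMPLE_VALUES = """\
env:
  NEXTAUTH_URL: "http://localhost:3000"
  NEXTAUTH_SECRET: "changeme"
  DATABASE_URL: "postgresql://app:pw@db:5432/langfuse"
  LANGFUSE_LOG_LEVEL: info   # harmless
  REDIS_AUTH: ""
envFrom:
  - secretRef:
      name: langfuse-secrets
"""


def env_entries(values_text):
    """Yield (key, value) from the flat top-level `env:` map of a values.yaml."""
    in_env = False
    for raw in values_text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()   # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():               # a new top-level key starts here
            in_env = line == "env:"
            continue
        if in_env and ":" in line:
            key, value = line.strip().split(":", 1)
            yield key.strip(), value.strip().strip("\"'")


def sensitive_env(values_text):
    """Return (key, reason) for env entries that belong in a Secret instead."""
    findings = []
    for key, value in env_entries(values_text):
        if SENSITIVE_PARTS & set(key.upper().split("_")):
            findings.append((key, "sensitive name"))
        elif CRED_URL.match(value):
            findings.append((key, "credentials in URL"))
    return findings


if __name__ == "__main__":
    for key, reason in sensitive_env(SAMPLE_VALUES):
        print(f"values.yaml env.{key}: {reason}; move it to the Secret")
```

Matching on whole `_`-separated segments keeps `NEXTAUTH_URL` out of the findings while still catching `NEXTAUTH_SECRET` and `REDIS_AUTH`.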

4 participants