Missing helm charts for Vault (buerokratt#375)

* remove unwanted file

* updated changes

* fixed requested changes

* fixed issue

* service workflow implementation without calling service endpoints

* fixed requested changes

* fixed issues

* protocol related requested changes

* fixed requested changes

* update time tracking

* added time tracking and reloacate input guardrail before toolclassifiier

* fixed issue

* fixed issue

* added hybrid search for the service detection

* update tool classifier

* fixing merge conflicts

* fixed issue

* optimize first user query response generation time

* fixed pr reviewed issues

* service integration

* context based response generation flow

* fixed pr review suggested issues

* removed service project layer

* fixed issues

* delete unnessary files

* added requested changes

* added seperate db for langfuse

* fixed issue

* partially completed langfuse deployment issue

* Add Helm chart for RAG Module with database and service configurations

* fixed missinng helm charts issue

---------

Co-authored-by: Thiru Dinesh <56014038+Thirunayan22@users.noreply.github.com>

Author: nuwangeek

kubernetes/charts/CronManager/templates/deployment-byk-cronmanager.yaml

@@ -44,17 +44,41 @@ spec:
 
                 mkdir -p /app/src/vector_indexer &&
                 mkdir -p /app/scripts &&
-                mkdir -p /DSL
+                mkdir -p /DSL &&
+                mkdir -p /app/src/utils
                 
                 cp -r /tmp/rag/DSL/CronManager/DSL/* /DSL/ &&
                 cp -r /tmp/rag/DSL/CronManager/script/* /app/scripts/ &&
                 cp -r /tmp/rag/src/vector_indexer/* /app/src/vector_indexer/ &&
+                cp -r /tmp/rag/src/utils/decrypt_vault_secrets.py /app/src/utils/ &&
                 
                 # Set execute permissions on all shell scripts
                 chmod +x /app/scripts/*.sh &&
                 echo "Scripts copied and permissions set successfully"
        
       containers:
+        {{- if .Values.vaultAgent.enabled }}
+        # CronManager connects to localhost:8203, never directly to Vault
+        - name: vault-agent-cron
+          image: hashicorp/vault:1.20.3
+          command: ["vault", "agent", "-config=/agent/config/cron-agent.hcl", "-log-level=info"]
+          ports:
+          - name: agent-api
+            containerPort: 8203
+            protocol: TCP
+          volumeMounts:
+          - name: vault-agent-config
+            mountPath: /agent/config
+            readOnly: true
+          - name: vault-agent-creds
+            mountPath: /agent/credentials
+            readOnly: true
+          - name: vault-agent-cron-token
+            mountPath: /agent/cron-token
+          securityContext:
+            capabilities:
+              add: ["IPC_LOCK"]
+        {{- end }}
         - name: "{{ .Values.release_name }}"
           image: "{{ .Values.cronmanager.image.registry }}/{{ .Values.cronmanager.image.repository }}:{{ .Values.cronmanager.image.tag }}"
           imagePullPolicy: {{ .Values.cronmanager.image.pullPolicy }}
@@ -65,8 +89,11 @@ spec:
           env:
             - name: PYTHONPATH
               value: {{ .Values.cronmanager.environment.pythonPath | quote }}
-            - name: VAULT_ADDR
-              value: {{ .Values.cronmanager.environment.VAULT_ADDR | quote }}
+            {{- if .Values.vaultAgent.enabled }}
+            # Vault Agent proxy URL (localhost sidecar)
+            - name: VAULT_AGENT_URL
+              value: "http://localhost:8203"
+            {{- end }}
             - name: RAG_MODULE_RUUTER_PRIVATE
               value: {{ .Values.constants.RAG_MODULE_RUUTER_PRIVATE | quote }}
             - name: RAG_MODULE_RESQL
@@ -103,5 +130,19 @@ spec:
         - name: config-volume
           configMap:
             name: "{{ .Values.release_name }}-config"
+        {{- if .Values.vaultAgent.enabled }}
+        # Vault Agent configuration (from Vault-Agent-Cron chart configmap)
+        - name: vault-agent-config
+          configMap:
+            name: vault-agent-cron-config
+        # Shared AppRole credentials (created by vault-init Job)
+        - name: vault-agent-creds
+          persistentVolumeClaim:
+            claimName: vault-agent-creds
+        # CronManager-specific token storage (pod-scoped, short-lived)
+        # Tokens are generated by Vault Agent and destroyed when pod terminates
+        - name: vault-agent-cron-token
+          emptyDir: {}
+        {{- end }}
 
 {{- end }}

kubernetes/charts/CronManager/values.yaml

@@ -36,11 +36,15 @@ constants:
 
 resources:
   requests:
-    memory: "1Gi"
-    cpu: "500m"
+    memory: "512Mi"
+    cpu: "100m"
   limits:
-    memory: "4Gi"
-    cpu: "2000m"
+    memory: "2Gi"
+    cpu: "500m"
 
 podAnnotations: 
-  dsl-checksum: "initial"
+  dsl-checksum: "initial"
+
+# Vault Agent sidecar configuration
+vaultAgent:
+  enabled: true

kubernetes/charts/GUI/templates/configmap-vite-config.yaml

@@ -0,0 +1,56 @@
+{{- if .Values.gui.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Values.gui.release_name }}-vite-config
+  namespace: rag-module
+  labels:
+    app: {{ .Values.gui.release_name }}
+data:
+  vite.config.ts: |
+    import { defineConfig } from 'vite';
+    import react from '@vitejs/plugin-react';
+    import tsconfigPaths from 'vite-tsconfig-paths';
+    import svgr from 'vite-plugin-svgr';
+    import path from 'path';
+    import { removeHiddenMenuItems } from './vitePlugin';
+
+    // https://vitejs.dev/config/
+    export default defineConfig({
+      envPrefix: 'REACT_APP_',
+      plugins: [
+        react(),
+        tsconfigPaths(),
+        svgr(),
+        {
+          name: 'removeHiddenMenuItemsPlugin',
+          transform: (str, id) => {
+            if(!id.endsWith('/menu-structure.json'))
+              return str;
+            return removeHiddenMenuItems(str);
+          },
+        },
+      ],
+      base: '/rag-search',
+      build: {
+        outDir: './build',
+        target: 'es2015',
+        emptyOutDir: true,
+      },
+      server: {
+        host: '0.0.0.0',
+        allowedHosts: [{{- range $index, $host := splitList "," .Values.gui.vite.allowedHosts }}{{ if $index }}, {{ end }}'{{ $host | trim }}'{{- end }}],
+        headers: {
+          ...(process.env.REACT_APP_CSP && {
+            'Content-Security-Policy': process.env.REACT_APP_CSP,
+          }),
+        },
+      },
+      resolve: {
+        alias: {
+          '~@fontsource': path.resolve(__dirname, 'node_modules/@fontsource'),
+          '@': `${path.resolve(__dirname, './src')}`,
+        },
+      },
+    });
+{{- end }}

kubernetes/charts/GUI/templates/deployment-byk-gui.yaml

@@ -17,6 +17,48 @@ spec:
 
     spec:
       containers:
+      # sidecar: GUI connects to localhost:8202 (vault-agent)
+      {{- if .Values.vaultAgent.enabled }}
+      - name: vault-agent-gui
+        image: hashicorp/vault:1.20.3
+        command: ["vault", "agent", "-config=/agent/config/gui-agent.hcl", "-log-level=info"]
+        ports:
+        - name: agent-api
+          containerPort: 8202
+          protocol: TCP
+        volumeMounts:
+        - name: vault-agent-config
+          mountPath: /agent/config
+          readOnly: true
+        - name: vault-agent-creds
+          mountPath: /agent/credentials
+          readOnly: true
+        - name: vault-agent-gui-token
+          mountPath: /agent/gui-token
+        securityContext:
+          capabilities:
+            add: ["IPC_LOCK"]
+        # # Health check: Ensure token file exists and is not empty
+        # livenessProbe:
+        #   exec:
+        #     command:
+        #     - sh
+        #     - -c
+        #     - test -f /agent/gui-token/token && test -s /agent/gui-token/token
+        #   initialDelaySeconds: 10
+        #   periodSeconds: 10
+        #   timeoutSeconds: 3
+        #   failureThreshold: 3
+        # readinessProbe:
+        #   exec:
+        #     command:
+        #     - sh
+        #     - -c
+        #     - test -f /agent/gui-token/token && test -s /agent/gui-token/token
+        #   initialDelaySeconds: 5
+        #   periodSeconds: 5
+        #   timeoutSeconds: 3
+      {{- end }}
       - name: {{ .Values.gui.release_name }}
         image: "{{ .Values.gui.image.repository }}:{{ .Values.gui.image.tag }}"
         imagePullPolicy: {{ .Values.gui.image.pullPolicy }}
@@ -51,13 +93,24 @@ spec:
           value: {{ .Values.gui.serviceId | quote }}
         - name: REACT_APP_ENABLE_HIDDEN_FEATURES
           value: {{ .Values.gui.enableHiddenFeatures | quote | upper }}
+        
+        {{- if .Values.vaultAgent.enabled }}
+        # Vault Agent proxy URL (localhost sidecar)
+        - name: VAULT_AGENT_URL
+          value: "http://localhost:8202"
+        {{- end }}
 
         # Vite development server configuration
         - name: VITE_HOST
           value: {{ .Values.gui.vite.host | quote }}
         - name: VITE_ALLOWED_HOSTS
           value: {{ .Values.gui.vite.allowedHosts | quote }}
 
+        volumeMounts:
+        - name: vite-config
+          mountPath: /app/vite.config.ts
+          subPath: vite.config.ts
+        
         resources:
           limits:
             cpu: {{ .Values.gui.resources.limits.cpu }}
@@ -82,6 +135,25 @@ spec:
         #   periodSeconds: 5
         #   timeoutSeconds: 3
 
+      volumes:
+      - name: vite-config
+        configMap:
+          name: {{ .Values.gui.release_name }}-vite-config
+      {{- if .Values.vaultAgent.enabled }}
+      # Vault Agent configuration (from Vault-Agent-GUI chart)
+      - name: vault-agent-config
+        configMap:
+          name: vault-agent-gui-config
+      # Shared AppRole credentials (created by vault-init Job)
+      - name: vault-agent-creds
+        persistentVolumeClaim:
+          claimName: vault-agent-creds
+      # GUI-specific token storage (pod-scoped, short-lived)
+      # Tokens are generated by Vault Agent and destroyed when pod terminates
+      - name: vault-agent-gui-token
+        emptyDir: {}
+      {{- end }}
+      
       restartPolicy: Always
 
 {{- end }}

kubernetes/charts/GUI/templates/ingress-byk-gui.yaml

@@ -5,9 +5,10 @@ metadata:
   namespace: rag-module
   annotations:
     kubernetes.io/ingress.class: nginx
+    nginx.ingress.kubernetes.io/use-regex: "true"
 spec:
   rules:
-  - host: localhost
+  - host: {{ .Values.gui.ingress.host }}
     http:
       paths:
       - path: /rag-search
@@ -16,5 +17,4 @@ spec:
           service:
             name: gui
             port:
-              number: 3003
-  
+              number: 3001

kubernetes/charts/GUI/values.yaml

@@ -3,7 +3,7 @@ gui:
     release_name: gui
     image:
       repository: "ghcr.io/buerokratt/rag-gui" # Update with actual GUI image repository
-      tag: sha-84833e1
+      tag: sha-1331462
       pullPolicy: Always
 
     # React application configuration
@@ -14,37 +14,46 @@ gui:
 
     #service URLs 
     services:
-      ruuterPublic: "http://ruuter-public:8086"
-      ruuterPrivate: "http://localhost:8088"
-      authenticationLayer: "http://authentication-layer:3004"
+      ruuterPublic: "http://<your-domain>/ruuter-public"
+      ruuterPrivate: "http://<your-domain>/ruuter-private"
+      authenticationLayer: "http://<your-domain>"
       notificationNode: "http://notifications-node:4040"
       datasetGenerator: "http://dataset-gen-service:8000"
 
     # Content Security Policy - Updated for browser access
-    csp: "default-src 'self'; connect-src 'self' http://ruuter-public:8086 https://ruuter-public:8086 http://ruuter-private:8088 https://ruuter-private:8088 http://authentication-layer:3004 https://authentication-layer:3004 http://notifications-node:4040 https://notifications-node:4040 http://dataset-gen-service:8000 https://dataset-gen-service:8000 http://localhost:* https://localhost:* http://global-classifier.local https://global-classifier.local ws://global-classifier.local wss://global-classifier.local; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self' data:;"    
+    csp: "default-src 'self'; connect-src 'self' http://<your-domain>/ruuter-public http://<your-domain>/ruuter-private http://<your-domain> http://<your-domain> http://notifications-node:4040 http://notifications-node:4040 http://dataset-gen-service:8000 http://dataset-gen-service:8000 http://localhost:* http://localhost:* http://global-classifier.local http://global-classifier.local ws://global-classifier.local ws://global-classifier.local; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self' data:;"    
 
     # Service configuration
     serviceId: "conversations,settings,monitoring"
 
     # Vite development server (for development mode)
     vite:
       host: "0.0.0.0"
-      allowedHosts: "localhost,127.0.0.1"
+      allowedHosts: "localhost,127.0.0.1,<your-domain>"  # Update with actual domain for development access
+
+    # Ingress host
+    ingress:
+      host: "<your-domain>"  # Update with actual domain
 
     resources:
       limits:
-        cpu: 500m
-        memory: 1Gi
+        cpu: 200m
+        memory: 512Mi
       requests:
-        cpu: 100m
-        memory: 256Mi
+        cpu: 50m
+        memory: 128Mi
 
     replicas: 1
 
     service:
       type: ClusterIP
       port: 3001
       targetPort: 3001
+
+# Vault Agent sidecar configuration
+vaultAgent:
+  enabled: true
+  
 
     # ingress:
     #   enabled: true