diff --git a/charts/hypha/Chart.lock b/charts/hypha/Chart.lock index 8e76ac2..a7fbf53 100644 --- a/charts/hypha/Chart.lock +++ b/charts/hypha/Chart.lock @@ -1,12 +1,12 @@ dependencies: - name: minio - repository: https://charts.min.io/ - version: 3.3.0 + repository: https://charts.bitnami.com/bitnami + version: 13.4.3 - name: tritoninferenceserver-hypha repository: file://../tritoninferenceserver-hypha - version: 1.0.12 + version: 1.0.13 - name: redis repository: https://charts.bitnami.com/bitnami version: 17.11.6 -digest: sha256:b88fc0133e5328a56c6aef65d3867f212f95094704530dcc88cb0f03f10dbd55 -generated: "2024-02-07T15:41:56.884037515Z" +digest: sha256:6db886f63b952120e9c3f63d986c30bda2c39b008562bae5d7b16743ce2b75b3 +generated: "2024-02-08T08:55:56.380060859Z" diff --git a/charts/hypha/Chart.yaml b/charts/hypha/Chart.yaml index c792399..1308905 100644 --- a/charts/hypha/Chart.yaml +++ b/charts/hypha/Chart.yaml @@ -13,7 +13,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.16.14 +version: 0.16.15 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. @@ -21,8 +21,8 @@ version: 0.16.14 appVersion: 0.15.35 dependencies: - name: minio - version: 3.3.0 - repository: https://charts.min.io/ + version: 13.4.3 + repository: https://charts.bitnami.com/bitnami condition: minio.enabled # - name: tritoninferenceserver # repository: https://helm.ngc.nvidia.com/nvidia 
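Review bot: The `minio` dependency in the @@ -21,8 hunk changes publisher and chart line at once (`https://charts.min.io/` 3.3.0 to `https://charts.bitnami.com/bitnami` 13.4.3), and the packaged `minio-13.4.3.tgz` arrives as a committed binary that cannot be read in review. As far as I know, the `digest` in Chart.lock is computed over the dependency list rather than the archive bytes, so nothing in this commit ties the vendored archive to what the repository serves. I would either keep `charts/*.tgz` out of version control and fetch it with `helm dependency build` in CI, or record the archive's SHA-256 in the PR so it can be compared with a fresh pull. A comment above the entry such as `# Bitnami chart: values live under minio.auth.* and minio.service.ports.*` would also help anyone still overriding the old keys.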
@@ -30,7 +30,7 @@ dependencies: # condition: tritoninferenceserver.enabled - name: tritoninferenceserver-hypha repository: "file://../tritoninferenceserver-hypha" - version: 1.0.12 + version: 1.0.13 condition: tritoninferenceserver-hypha.enabled - name: redis repository: "https://charts.bitnami.com/bitnami" diff --git a/charts/hypha/charts/minio-13.4.3.tgz b/charts/hypha/charts/minio-13.4.3.tgz new file mode 100644 index 0000000..7ba5ca7 Binary files /dev/null and b/charts/hypha/charts/minio-13.4.3.tgz differ diff --git a/charts/hypha/charts/minio-3.3.0.tgz b/charts/hypha/charts/minio-3.3.0.tgz deleted file mode 100644 index 34db95c..0000000 Binary files a/charts/hypha/charts/minio-3.3.0.tgz and /dev/null differ diff --git a/charts/hypha/charts/tritoninferenceserver-hypha-1.0.12.tgz b/charts/hypha/charts/tritoninferenceserver-hypha-1.0.12.tgz deleted file mode 100644 index 9b7849e..0000000 Binary files a/charts/hypha/charts/tritoninferenceserver-hypha-1.0.12.tgz and /dev/null differ diff --git a/charts/hypha/charts/tritoninferenceserver-hypha-1.0.13.tgz b/charts/hypha/charts/tritoninferenceserver-hypha-1.0.13.tgz new file mode 100644 index 0000000..92c8870 Binary files /dev/null and b/charts/hypha/charts/tritoninferenceserver-hypha-1.0.13.tgz differ diff --git a/charts/hypha/templates/deployment.yaml b/charts/hypha/templates/deployment.yaml index df5af9a..4072277 100644 --- a/charts/hypha/templates/deployment.yaml +++ b/charts/hypha/templates/deployment.yaml @@ -55,9 +55,9 @@ spec: {{- include "hypha.selectorLabels" . | nindent 8 }} spec: nodeSelector: -{{ toYaml .Values.nodeSelector | indent 8 }} +{{ toYaml .Values.nodeSelector | nindent 8 }} securityContext: -{{ toYaml .Values.securityContext | indent 8 }} +{{ toYaml .Values.securityContext | nindent 8 }} containers: - name: {{ .Chart.Name }} command: ["/bin/sh", "-c"] 
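Review bot: The pod-level `securityContext:` in the @@ -55,9 hunk and the container-level one added in the @@ -91,6 hunk render the same `.Values.securityContext` map, and the tritoninferenceserver-hypha template does the same in its @@ -20,16 and @@ -40,8 hunks. The two levels accept different fields in Kubernetes: `privileged`, `readOnlyRootFilesystem`, `allowPrivilegeEscalation` and `capabilities` belong to the container and `fsGroup` to the pod, so one shared map is likely to be rejected by schema validation or to have part of its hardening dropped at one level. I would split the values into two keys and render each where it applies, e.g. `{{- toYaml .Values.podSecurityContext | nindent 8 }}` here and `{{- toYaml .Values.containerSecurityContext | nindent 10 }}` on the container. The pod spec continues outside this hunk.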
@@ -71,10 +71,10 @@ spec: --triton-servers=http://{{(index .Values "tritoninferenceserver-hypha" "fullnameOverride")}}:{{(index .Values "tritoninferenceserver-hypha" "service" "port")}} \ {{- end }} --enable-s3 \ - --endpoint-url=http://{{ .Values.minio.fullnameOverride }}:{{.Values.minio.service.port}} \ + --endpoint-url=http://{{ .Values.minio.fullnameOverride }}:{{.Values.minio.service.ports.api}} \ --endpoint-url-public={{ $S3_ENDPOINT_URL_PUBLIC }} \ - --access-key-id="{{ .Values.minio.rootUser }}" \ - --secret-access="{{ .Values.minio.rootPassword }}" \ + --access-key-id="{{ .Values.minio.auth.rootUser }}" \ + --secret-access="{{ .Values.minio.auth.rootPassword }}" \ --executable-path={{ .Values.executablePath }} \ --enable-server-apps \ --apps-dir={{ .Values.appsDir }} \ @@ -91,6 +91,8 @@ spec: # --in-docker \ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} + securityContext: +{{ toYaml .Values.securityContext | nindent 10 }} env: - name: AUTH0_AUDIENCE value: "{{ $AUTH0_AUDIENCE }}" @@ -126,8 +128,7 @@ spec: protocol: TCP securityContext: - # fsGroup: 1000 - runAsUser: 0 +{{ toYaml .Values.securityContext | nindent 8 }} diff --git a/charts/hypha/values.yaml b/charts/hypha/values.yaml index 8e5e946..4b8131f 100644 --- a/charts/hypha/values.yaml +++ b/charts/hypha/values.yaml @@ -13,7 +13,19 @@ auth0_domain: "" jwt_secret: "xZ/aDcP+PfoTWgwA9ZADTtU/+djwMeMKz4QlSKRcgEs=" nodeSelector: {} podLabels: {} -securityContext: {} +# TODO add when https://github.com/amun-ai/hypha/pull/588 +# securityContext: +# enabled: true +# seLinuxOptions: null +# runAsUser: 1001 +# runAsNonRoot: true +# privileged: false +# readOnlyRootFilesystem: false +# allowPrivilegeEscalation: false +# capabilities: +# drop: ["ALL"] +# seccompProfile: +# type: "RuntimeDefault" # TODO # Currently disabled in template because no obvious # way to pass in the scripts to deployment 
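Review bot: The MinIO root user and password are still interpolated into the container's shell command (`--access-key-id=` and `--secret-access=` in the @@ -71,10 hunk), so they are stored in plaintext in the Deployment object and shown to anyone who can read it or run `kubectl describe`. Since these lines are being rewritten for the new chart's `auth.*` keys anyway, I would inject them from a Secret as environment variables and let the shell expand them. The Secret name and keys depend on the MinIO subchart and appear as placeholders below. The values would still be visible in the process arguments inside the pod unless the application can read them from the environment directly. The command block starts before this hunk.

```yaml
# … unchanged: earlier arguments up to --endpoint-url-public …
            --access-key-id="${MINIO_ROOT_USER}" \
            --secret-access="${MINIO_ROOT_PASSWORD}" \
# … unchanged: remaining arguments, image, imagePullPolicy …
          env:
            - name: MINIO_ROOT_USER
              valueFrom:
                secretKeyRef:
                  name: MINIO_SECRET_NAME_PLACEHOLDER
                  key: ROOT_USER_KEY_PLACEHOLDER
            - name: MINIO_ROOT_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: MINIO_SECRET_NAME_PLACEHOLDER
                  key: ROOT_PASSWORD_KEY_PLACEHOLDER
# … unchanged: AUTH0_AUDIENCE and the other env entries …
```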
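Review bot: The `securityContext:` block rewritten in the @@ -126,8 hunk uses `nindent 8`, the same as the pod-level one in the @@ -55,9 hunk, which suggests both keys sit at pod-spec level and the mapping carries `securityContext` twice. Indentation is not recoverable in this view, so this needs checking against `helm template` output. Duplicate keys are invalid YAML, and parsers that tolerate them keep only the last one, which hides which block actually applies. If it is a duplicate, drop this second block and keep the one at the top of the pod spec. Removing `runAsUser: 0` while values.yaml no longer defines `securityContext` also means the container user now falls back to whatever the image sets, which is worth stating in a comment next to the TODO.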
@@ -69,16 +81,6 @@ docker-registry: minio: fullnameOverride: "minio" enabled: true - rootUser: "minio" - rootPassword: "minio123" - publicEndpointUrl: "" - browserRedirectUrl: "" - - replicas: 4 - ingress: - enabled: true - resources: - requests: - memory: 2Gi - persistence: - size: 1Gi + auth: + rootUser: "minio" + rootPassword: "minio123" diff --git a/charts/tritoninferenceserver-hypha/Chart.yaml b/charts/tritoninferenceserver-hypha/Chart.yaml index ace5606..66aa049 100644 --- a/charts/tritoninferenceserver-hypha/Chart.yaml +++ b/charts/tritoninferenceserver-hypha/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 1.0.12 +version: 1.0.13 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/charts/tritoninferenceserver-hypha/templates/deployment.yaml b/charts/tritoninferenceserver-hypha/templates/deployment.yaml index bead64d..6d7678e 100644 --- a/charts/tritoninferenceserver-hypha/templates/deployment.yaml +++ b/charts/tritoninferenceserver-hypha/templates/deployment.yaml 
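Review bot: The chart still ships a working root credential pair for the object store, now as `auth.rootUser: "minio"` and `auth.rootPassword: "minio123"`, so any install that does not override values runs with publicly known credentials. The `jwt_secret` default visible as context in the @@ -13,7 hunk of this file has the same problem. I would default the password to an empty string and fail rendering when it is unset, e.g. `{{ required "minio.auth.rootPassword must be set" .Values.minio.auth.rootPassword }}` in the deployment template. This hunk also drops `replicas`, `resources` and `persistence.size`, so the deployment takes the new subchart's defaults for those; a comment saying that is intended would help.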
@@ -20,16 +20,15 @@ spec: app: {{ template "tritoninferenceserver.name" . }} release: {{ .Release.Name }} {{- if .Values.podLabels }} -{{ toYaml .Values.podLabels | indent 8 }} +{{ toYaml .Values.podLabels | nindent 8 }} {{- end }} spec: nodeSelector: -{{ toYaml .Values.nodeSelector | indent 8 }} +{{ toYaml .Values.nodeSelector | nindent 8 }} securityContext: -{{ toYaml .Values.securityContext | indent 8 }} - # fsGroup: 1000 +{{ toYaml .Values.securityContext | nindent 8 }} initContainers: -{{ toYaml .Values.initContainers | indent 8 }} +{{ toYaml .Values.initContainers | nindent 8 }} containers: - name: tritoninferenceserver image: {{ .Values.image.imageName }} @@ -40,8 +39,10 @@ spec: value: "{{ .Values.image.modelSnapshots }}" - name: TF_FORCE_GPU_ALLOW_GROWTH value: "true" -{{ toYaml .Values.image.env | indent 12 }} +{{ toYaml .Values.image.env | nindent 12 }} imagePullPolicy: IfNotPresent + securityContext: +{{ toYaml .Values.securityContext | nindent 12 }} readinessProbe: {{- toYaml .Values.readinessProbe | nindent 12 }} httpGet: @@ -53,12 +54,12 @@ spec: path: /v2/health/live port: 8000 resources: -{{ toYaml .Values.resources | indent 12 }} +{{ toYaml .Values.resources | nindent 12 }} command: ["/bin/sh"] args: - -c - >- - chmod 1777 /tmp && apt-get update && apt-get install -y libstdc++6 libgl1-mesa-glx && tritonserver --model-store={{ .Values.image.modelStore }} --log-verbose=1 --model-control-mode=poll --strict-readiness=false --repository-poll-secs=60 --exit-on-error=false --strict-model-config=false --model-repository={{ .Values.image.modelRepository}} + tritonserver --model-store={{ .Values.image.modelStore }} --log-verbose=1 --model-control-mode=poll --strict-readiness=false --repository-poll-secs=60 --exit-on-error=false --strict-model-config=false --model-repository={{ .Values.image.modelRepository}} ports: - containerPort: 8000 name: http 
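Review bot: The start-up command in the @@ -53,12 hunk no longer runs `chmod 1777 /tmp` or installs `libstdc++6` and `libgl1-mesa-glx`, and nothing in the chart records that the image named by `.Values.image.imageName` must now provide them. Removing the runtime `apt-get` is consistent with the non-root `securityContext` added in values.yaml, but an image without those libraries would presumably fail only when a model that needs them is loaded. I would add a comment next to the image setting, e.g. `# image must already contain libstdc++6 and libgl1-mesa-glx and a writable /tmp; nothing is installed at start-up`. The container definition continues outside this hunk.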
diff --git a/charts/tritoninferenceserver-hypha/values.yaml b/charts/tritoninferenceserver-hypha/values.yaml index 90eb867..491481c 100644 --- a/charts/tritoninferenceserver-hypha/values.yaml +++ b/charts/tritoninferenceserver-hypha/values.yaml @@ -26,11 +26,9 @@ ingress: resources: requests: - nvidia.com/gpu: 0 memory: "2Gi" cpu: "1" limits: - nvidia.com/gpu: 0 memory: "3Gi" cpu: "1" @@ -54,7 +52,19 @@ autoscaling: nodeSelector: {} podLabels: {} -securityContext: {} +securityContext: + enabled: true + seLinuxOptions: null + runAsUser: 1001 + runAsNonRoot: true + privileged: false + readOnlyRootFilesystem: false + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" + readinessProbe: httpGet:
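Review bot: `enabled: true` in the new `securityContext` block (@@ -54,7 hunk) is not a field of either Kubernetes security context, and the templates pass the whole map through `toYaml`, so it lands in the rendered manifest and the flag never switches anything off. Either drop the key, or honour and strip it in the template, e.g. `{{- omit .Values.securityContext "enabled" | toYaml | nindent 12 }}` inside an `if .Values.securityContext.enabled` guard. `readOnlyRootFilesystem: false` is the one hardening field left open. If the server only needs to write to `/tmp` and the model store, mounting those as volumes would allow `true`, but that depends on the image and is not something this diff shows.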