feat: update charts to support openshift requirements (#19)

---------

Co-authored-by: Alexander Dejanovski <[email protected]>

Author: jordanrfrazier

charts/langflow-ide/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: langflow-ide
 description: Helm chart for Langflow IDE
 type: application
-version: 0.1.0
+version: 0.1.1
 appVersion: latest
 maintainers:
   - name: Langflow

charts/langflow-ide/templates/backend-statefulset.yaml

@@ -34,22 +34,25 @@ spec:
       {{- end }}
       serviceAccountName: {{ include "langflow.serviceAccountName" . }}
       securityContext:
-        {{- toYaml .Values.langflow.backend.podSecurityContext | nindent 8 }}
-      {{- if .Values.secretProvider.enabled }}
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
       volumes:
+        {{- if .Values.secretProvider.enabled }}
         - name: secrets-store-inline
           csi:
             driver: secrets-store.csi.k8s.io
             readOnly: true
             volumeAttributes:
               secretProviderClass: "{{- .Values.secretProvider.name }}"
-      {{- end }}
+        {{- end }}
+        {{- with .Values.langflow.backend.volumes }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
       containers:
         - name: {{ .Chart.Name }}
           securityContext:
-            {{- toYaml .Values.langflow.backend.securityContext | nindent 12 }}
+            {{- toYaml .Values.securityContext | nindent 12 }}
           image: "{{ .Values.langflow.backend.image.repository }}:{{ .Values.langflow.backend.image.tag  | default .Values.langflow.global.image.tag | default .Chart.AppVersion }}"
-          imagePullPolicy: {{ .Values.langflow.backend.image.pullPolicy | default .Values.langflow.global.image.pullPolicy }}
+          imagePullPolicy: {{ .Values.langflow.backend.image.imagePullPolicy | default .Values.langflow.global.image.imagePullPolicy }}
           command: ["/bin/bash", "-c"]
           args:
             - >
@@ -65,9 +68,8 @@ spec:
             - name: http
               containerPort: {{ .Values.langflow.backend.service.port }}
               protocol: TCP
-          {{- if or .Values.secretProvider.enabled .Values.langflow.backend.sqlite.enabled }}
+          {{- if or .Values.secretProvider.enabled .Values.langflow.backend.sqlite.enabled .Values.langflow.backend.volumeMounts }}
           volumeMounts:
-          {{- end }}
             {{- if .Values.secretProvider.enabled }}
             - name: secrets-store-inline
               mountPath: "/mnt/secrets"
@@ -77,6 +79,10 @@ spec:
             - name: data
               mountPath: /data
             {{- end }}
+            {{- with .Values.langflow.backend.volumeMounts }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
+          {{- end }}
           livenessProbe:
             httpGet:
               path: /health

charts/langflow-ide/templates/clusterrole-openshift.yaml

@@ -0,0 +1,21 @@
+{{- $openshift := .Capabilities.APIVersions.Has "security.openshift.io/v1" -}}
+{{- if .Values.serviceAccount.create -}}
+{{- if $openshift -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "langflow.fullname" . }}-openshift-scc
+  labels:
+    {{- include "langflow.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+    - security.openshift.io
+  resourceNames:
+    - anyuid
+    - nonroot-v2
+  resources:
+    - securitycontextconstraints
+  verbs:
+    - use
+{{- end }}
+{{- end -}}

charts/langflow-ide/templates/clusterrolebinding-openshift.yaml

@@ -0,0 +1,19 @@
+{{- $openshift := .Capabilities.APIVersions.Has "security.openshift.io/v1" -}}
+{{- if .Values.serviceAccount.create -}}
+{{- if $openshift -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "langflow.fullname" . }}-openshift-scc
+  labels:
+    {{- include "langflow.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "langflow.fullname" . }}-openshift-scc
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "langflow.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+{{- end -}}
+{{- end -}}

charts/langflow-ide/templates/frontend-deployment.yaml

@@ -34,7 +34,7 @@ spec:
       {{- end }}
       serviceAccountName: {{ include "langflow.serviceAccountName" . }}
       securityContext:
-        {{- toYaml .Values.langflow.frontend.podSecurityContext | nindent 8 }}
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
       volumes:
         {{- if .Values.secretProvider.enabled }}
         - name: secrets-store-inline
@@ -44,12 +44,19 @@ spec:
             volumeAttributes:
               secretProviderClass: "{{- .Values.secretProvider.name }}"
         {{- end }}
+        {{- with .Values.langflow.frontend.volumes }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+        - name: nginx
+          emptyDir: {}
+        - name: nginx-cache
+          emptyDir: {}
       containers:
         - name: {{ .Chart.Name }}
-          securityContext:
-            {{- toYaml .Values.langflow.securityContext | nindent 12 }}
           image: "{{ .Values.langflow.frontend.image.repository }}:{{ .Values.langflow.frontend.image.tag | default .Values.langflow.global.image.tag | default .Chart.AppVersion }}"
-          imagePullPolicy: {{ .Values.langflow.frontend.image.pullPolicy | default .Values.langflow.global.image.pullPolicy }}
+          imagePullPolicy: {{ .Values.langflow.frontend.image.imagePullPolicy | default .Values.langflow.global.image.imagePullPolicy }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
           ports:
             - name: http
               containerPort: {{ .Values.langflow.frontend.service.port }}
@@ -60,6 +67,16 @@ spec:
               mountPath: "/mnt/secrets"
               readOnly: true
             {{- end }}
+            {{- with .Values.langflow.frontend.volumeMounts }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
+
+            - name: nginx
+              mountPath: "/tmp/nginx"
+              readOnly: false
+            - name: nginx-cache
+              mountPath: "/var/cache/nginx"
+              readOnly: false
           livenessProbe:
             httpGet:
               path: /index.html

charts/langflow-ide/values.yaml

@@ -1,16 +1,20 @@
 imagePullSecrets: []
 
-nameOverride: "langflow"
+nameOverride: "langflow-service"
 # Override for the name of the helm deployment
-fullnameOverride: "langflow"
+# Note: using `langflow` as service name causes
+# env var collision when deploying on openshift
+# https://github.com/langflow-ai/langflow/issues/4330#issuecomment-2459097917
+fullnameOverride: "langflow-service"
 
 serviceAccount:
   # Specifies whether a service account should be created
   create: true
   # Annotations to add to the service account
   annotations: {}
   # The name of the service account to use.
-  # If not set and create is true, a name is generated using the fullname template
+  # If not set and create is true, a name is generated using the
+  # fullname template
   name: ""
 
 ingress:
@@ -26,11 +30,27 @@ ingress:
   #    hosts:
   #      - chart-example.local
 
+securityContext:
+  capabilities:
+    drop:
+      - ALL
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  runAsUser: 1000
+  allowPrivilegeEscalation: false
+  runAsGroup: 1000
+
+podSecurityContext:
+  fsGroup: 1000
+  runAsUser: 1000
+  runAsNonRoot: true
+  runAsGroup: 1000
+
+
 langflow:
   global:
     image:
-      pullPolicy: IfNotPresent
-      tag: ""
+      tag: "latest"
   backend:
     replicaCount: 1
     service:
@@ -39,9 +59,17 @@ langflow:
     backendOnly: true
     numWorkers: 1
     image:
-      repository: langflowai/langflow-backend
-      pullPolicy: IfNotPresent
-      tag: ""
+      repository: langflowai/langflow
+      imagePullPolicy: IfNotPresent
+      tag: latest
+    command:
+      - python
+      - -m
+      - langflow
+      - run
+      - --host
+      - 0.0.0.0
+      - --backend-only
     resources:
       requests:
         cpu: 0.5
@@ -54,42 +82,75 @@ langflow:
       periodSeconds: 10
       timeoutSeconds: 5
       initialDelaySeconds: 5
-    env: []
+    env:
+      - name: LANGFLOW_PORT
+        value: "7860"
+      - name: LANGFLOW_ALEMBIC_LOG_FILE
+        value: "/app/db/alembic.log"
+      - name: LANGFLOW_UPDATE_STARTER_PROJECTS
+        value: "false"
     nodeSelector: {}
-
-
     tolerations: []
-
     affinity: {}
     podAnnotations:
       prometheus.io/scrape: "true"
-      prometheus.io/port: "9090"
+      prometheus.io/port: 9090
       prometheus.io/path: "/metrics"
 
-    securityContext: {}
-    # capabilities:
-    #   drop:
-    #   - ALL
-    # readOnlyRootFilesystem: true
-    # runAsNonRoot: true
-    # runAsUser: 1000
-
-    podSecurityContext: {}
+    securityContext:
+      capabilities:
+        drop:
+          - ALL
+      readOnlyRootFilesystem: true
+      runAsNonRoot: true
+      runAsUser: 1000
+      allowPrivilegeEscalation: false
+      runAsGroup: 1000
+
+    podSecurityContext:
+      fsGroup: 1000
+      runAsUser: 1000
+      runAsNonRoot: true
+      runAsGroup: 1000
 
     externalDatabase:
-      # Compose in the SQLAlchemy format: https://docs.sqlalchemy.org/en/20/core/engines.html#database-urls
+      # Compose in the SQLAlchemy format:
+      # https://docs.sqlalchemy.org/en/20/core/engines.html#database-urls
       enabled: false
       driver: {}
         # value: "postgresql"
       port: {}
       user: {}
       password: {}
-        # valueFrom:                                                                                                                                                                                                                   │
-        #   secretKeyRef:                                                                                                                                                                                                              │
-        #    key: password                                                                                                                                                                                                            │
+        # valueFrom:
+        #   secretKeyRef:
+        #    key: password
         #    name: <secret-name>
       database: {}
 
+    volumes:
+      - name: flows
+        emptyDir: {}
+      - name: tmp
+        emptyDir: {}
+      - name: data
+        emptyDir: {}
+      - name: db
+        emptyDir: {}
+
+    volumeMounts:
+      - name: flows
+        mountPath: /app/flows
+        readOnly: false
+      - name: tmp
+        mountPath: /tmp
+        readOnly: false
+      - name: data
+        mountPath: /app/data
+        readOnly: false
+      - name: db
+        mountPath: /app/db
+        readOnly: false
 
     sqlite:
       enabled: true
@@ -133,7 +194,7 @@ langflow:
     # superuserPassword: <superuser password>
     # secretKey: <encryption key, optional>
     # newUserIsActive: true|false
-    
+
   frontend:
     enabled: true
     replicaCount: 1
@@ -142,8 +203,8 @@ langflow:
       port: 8080
     image:
       repository: langflowai/langflow-frontend
-      pullPolicy: IfNotPresent
-      tag: ""
+      imagePullPolicy: IfNotPresent
+      tag: latest
     resources:
       requests:
         cpu: 0.3
@@ -162,14 +223,15 @@ langflow:
 
     affinity: {}
     podAnnotations: {}
-    podSecurityContext: {}
-    securityContext: {}
-    # capabilities:
-    #   drop:
-    #   - ALL
-    # readOnlyRootFilesystem: true
-    # runAsNonRoot: true
-    # runAsUser: 1000
+
+    volumes:
+      - name: tmp
+        emptyDir: {}
+
+    volumeMounts:
+      - name: tmp
+        mountPath: /tmp
+        readOnly: false
 
 secretProvider:
   enabled: false

charts/langflow-runtime/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: langflow-runtime
 description: A helm chart for running LangFlow flows as a service
 type: application
-version: 0.1.0
+version: 0.1.1
 appVersion: latest
 maintainers:
   - name: Langflow

charts/langflow-runtime/templates/clusterrole-openshift.yaml

@@ -0,0 +1,21 @@
+{{- $openshift := .Capabilities.APIVersions.Has "security.openshift.io/v1" -}}
+{{- if .Values.serviceAccount.create -}}
+{{- if $openshift -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "langflow-runtime.fullname" . }}-openshift-scc
+  labels:
+    {{- include "langflow-runtime.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+    - security.openshift.io
+  resourceNames:
+    - anyuid
+    - nonroot-v2
+  resources:
+    - securitycontextconstraints
+  verbs:
+    - use
+{{- end }}
+{{- end -}}