Add Azimuth components to Helm chart

.github/workflows/helm-build-push.yml

@@ -2,27 +2,56 @@ name: Publish Danswer Helm Chart
 
 on:
   push:
-    branches:
-      - main
   workflow_dispatch:
 
 jobs:
+  helm_chart_version_check:
+    runs-on: ubuntu-latest
+    outputs:
+      version_changed: ${{ steps.version_check.outputs.chart_version_changed }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      # Check if current chart version exists in releases already
+      - name: Check for Helm chart version bump
+        id: version_check
+        run: |
+          set -xe
+          chart_version=$(yq .version deployment/helm/Chart.yaml)
+          if [[ $(curl https://api.github.com/repos/stackhpc/danswer/releases | jq '.[].tag_name' | grep danswer-helm-$chart_version) ]]; then
+            echo chart_version_changed=false >> $GITHUB_OUTPUT
+          else
+            echo chart_version_changed=true >> $GITHUB_OUTPUT
+          fi
+
   release:
     # depending on default permission settings for your org (contents being read-only or read-write for workloads), you will have to add permissions
     # see: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token
     permissions:
       contents: write
     runs-on: ubuntu-latest
+    needs: helm_chart_version_check
+    if: ${{ needs.helm_chart_version_check.outputs.version_changed == 'true' }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
+      # We mark any builds on main branch as latest GH release
+      # so make sure we don't accidentally use a pre-release tag.
       - name: Fail on semver pre-release chart version
         run: yq .version deployment/helm/Chart.yaml | grep -v '[a-zA-Z-]'
-        if: ${{ github.ref_name == 'main'}}
+        if: ${{ github.ref_name == 'main' }}
 
+      # To reduce resource usage images are built only on tag.
+      # To build a new set of images after committing and pushing
+      # new changes to GitHub, use:
+      # git tag <tag-name>
+      # git push --tags
       - name: Fail if image tags don't exist
         run: >-
          curl -H "Authorization: Bearer $(echo ${{ secrets.GITHUB_TOKEN }} | base64)"

deployment/helm/Chart.yaml

@@ -5,7 +5,7 @@ home: https://www.danswer.ai/
 sources:
   - "https://github.com/danswer-ai/danswer"
 type: application
-version: 0.1.0
+version: 0.1.0-azimuth.1
 appVersion: v0.5.10
 dependencies:
   - name: postgresql

deployment/helm/azimuth-ui.schema.yaml

@@ -0,0 +1,2 @@
+controls: {}
+

deployment/helm/templates/stackhpc/client.yaml

@@ -0,0 +1,9 @@
+apiVersion: zenith.stackhpc.com/v1alpha1
+kind: Client
+metadata:
+  name: {{ include "danswer-stack.fullname" . }}
+  labels: {{ include "danswer-stack.labels" . | nindent 4 }}
+spec:
+  reservationName: {{ include "danswer-stack.fullname" . }}
+  upstream:
+    serviceName: {{ .Release.Name }}-nginx

deployment/helm/templates/stackhpc/hooks.yml

@@ -0,0 +1,163 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-danswer-fixup
+  namespace: {{ .Release.Name }}
+  annotations:
+    # Need to keep around for post-delete hooks
+    helm.sh/resource-policy: keep
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - persistentvolumeclaims
+  verbs:
+  - get
+  - list
+  - delete
+- apiGroups:
+  - apps
+  resources:
+  - statefulsets
+  - deployments
+  verbs:
+  - get
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ .Release.Name }}-danswer-fixup
+  namespace: {{ .Release.Name }}
+  annotations:
+    # Need to keep around for post-delete hooks
+    helm.sh/resource-policy: keep
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ .Release.Name }}-danswer-fixup
+subjects:
+# Namespace is unique to Azimuth app so using default
+# service account is fine.
+- kind: ServiceAccount
+  name: default
+  namespace: {{ .Release.Name }}
+---
+# Delete stateful set PVCs since upstream Helm chart doesn't expose this config option
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: pvc-cleanup
+  namespace: {{ .Release.Name }}
+  annotations:
+    helm.sh/hook: post-delete
+    helm.sh/hook-weight: "0"
+    helm.sh/hook-delete-policy: hook-succeeded
+spec:
+  template:
+    spec:
+      containers:
+      - name: pvc-deleter
+        image: gcr.io/google_containers/hyperkube:v1.18.0
+        command:
+        - kubectl
+        - delete
+        - -n
+        - {{ .Release.Name }}
+        - pvc
+        - --all
+      restartPolicy: Never
+      serviceAccountName: default
+---
+# Until https://github.com/unoplat/vespa-helm-charts/pull/23
+# is merged, we need to patch vespa stateful set after deployment
+# so that service label selectors match correctly.
+# Since Danswer API pod gives up on Vespa application package
+# init request after just 5 retries we also need to restart the API
+# deployment to trigger a retry on the Vespa setup by the API pod
+# after labels are corrected.
+# Use three separate hooks with different hook-weights to control ordering.
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: vespa-label-updater
+  namespace: {{ .Release.Name }}
+  annotations:
+    helm.sh/hook: post-install,post-upgrade,post-rollback
+    helm.sh/hook-weight: "1"
+    helm.sh/hook-delete-policy: hook-succeeded
+spec:
+  template:
+    spec:
+      containers:
+      - name: label-updater
+        image: gcr.io/google_containers/hyperkube:v1.18.0
+        command:
+        - kubectl
+        - patch
+        - -n
+        - {{ .Release.Name }}
+        - statefulset/vespa
+        - -p
+        - {{ printf "{'spec':{'template':{'metadata':{'labels':{'app.kubernetes.io/instance':'%s'}}}}}" .Release.Name | replace "'" "\"" | squote }}
+      restartPolicy: Never
+      serviceAccountName: default
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: vespa-waiter
+  namespace: {{ .Release.Name }}
+  annotations:
+    helm.sh/hook: post-install,post-upgrade,post-rollback
+    helm.sh/hook-weight: "2"
+    helm.sh/hook-delete-policy: hook-succeeded
+spec:
+  template:
+    spec:
+      containers:
+      - name: waiter
+        image: gcr.io/google_containers/hyperkube:v1.18.0
+        command:
+        - kubectl
+        - wait
+        - -n
+        - {{ .Release.Name }}
+        - --for=condition=Ready
+        - pod/vespa-0
+      restartPolicy: Never
+      serviceAccountName: default
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: danswer-api-restarter
+  namespace: {{ .Release.Name }}
+  annotations:
+    helm.sh/hook: post-install,post-upgrade,post-rollback
+    helm.sh/hook-weight: "3"
+    helm.sh/hook-delete-policy: hook-succeeded
+spec:
+  template:
+    spec:
+      containers:
+      - name: restarter
+        image: gcr.io/google_containers/hyperkube:v1.18.0
+        command:
+        - kubectl
+        - rollout
+        - restart
+        - -n
+        - {{ .Release.Name }}
+        - {{ printf "deployment/%s-danswer-stack-api-deployment" .Release.Name }}
+      restartPolicy: Never
+      serviceAccountName: default

deployment/helm/templates/stackhpc/reservation.yaml

@@ -0,0 +1,13 @@
+apiVersion: zenith.stackhpc.com/v1alpha1
+kind: Reservation
+metadata:
+  name: {{ include "danswer-stack.fullname" . }}
+  labels: {{ include "danswer-stack.labels" . | nindent 4 }}
+  annotations:
+    azimuth.stackhpc.com/service-label: {{ quote .Values.zenithClient.label }}
+    azimuth.stackhpc.com/service-icon-url: {{ .Values.zenithClient.iconUrl }}
+    {{- with .Values.zenithClient.description }}
+    azimuth.stackhpc.com/service-description: {{ quote . }}
+    {{- end }}
+spec:
+  credentialSecretName: {{ include "danswer-stack.fullname" . }}-credential

deployment/helm/values.schema.json

@@ -0,0 +1,5 @@
+{
+    "$schema": "http://json-schema.org/schema#",
+    "type": "object",
+    "properties": {}
+}

deployment/helm/values.yaml

@@ -8,11 +8,16 @@ fullnameOverride: ""
 appVersionOverride: # e.g "v0.3.93"
 
 # The suffix to add to the backend and web-server image
-# tags to refer to downstream image modifications.
+# tags to refer to downstream StackHPC-modified images.
 # The full image ref will be:
 # {{ image-name }}:{{ image-tag or appVersion }}-{{ tagSuffix }}
 tagSuffix: stackhpc.1
 
+zenithClient:
+  iconUrl: https://raw.githubusercontent.com/danswer-ai/danswer/1fabd9372d66cd54238847197c33f091a724803b/Danswer.png
+  description:
+  label: "Danswer"
+
 inferenceCapability:
   service:
     name: inference-model-server-service
@@ -118,6 +123,9 @@ nginx:
     - name: DOMAIN
       value: localhost
   service:
+    # Don't need external service since service
+    # will be exposed via Zenith tunnel
+    type: ClusterIP
     ports:
       http: 80
       danswer: 3000
@@ -354,6 +362,18 @@ vespa:
   tolerations: []
   affinity: {}
 
+  service:
+    type: ClusterIP
+  volumeClaimTemplates:
+    - metadata:
+        name: vespa-storage
+      spec:
+        accessModes:
+          - ReadWriteOnce
+        resources:
+          requests:
+            storage: 10Gi
+
 
 #ingress:
 #  enabled: false
@@ -408,7 +428,7 @@ auth:
     danswer_bot_slack_bot_token: ""
 
 configMap:
-  AUTH_TYPE: "disabled"  # Change this for production uses unless Danswer is only accessible behind VPN
+  AUTH_TYPE: "basic"  # Basic auth required for x-remote-user header integration
   SESSION_EXPIRE_TIME_SECONDS: "86400"  # 1 Day Default
   VALID_EMAIL_DOMAINS: ""  # Can be something like danswer.ai, as an extra double-check
   SMTP_SERVER: "" # For sending verification emails, if unspecified then defaults to 'smtp.gmail.com'
@@ -428,7 +448,7 @@ configMap:
   QA_TIMEOUT: "60"
   MAX_CHUNKS_FED_TO_CHAT: ""
   DISABLE_LLM_DOC_RELEVANCE: ""
-  DISABLE_LLM_CHOOSE_SEARCH: ""
+  DISABLE_LLM_CHOOSE_SEARCH: true
   DISABLE_LLM_QUERY_REPHRASE: ""
   # Query Options
   DOC_TIME_DECAY: ""
@@ -469,7 +489,7 @@ configMap:
   # Logging
   # Optional Telemetry, please keep it on (nothing sensitive is collected)? <3
   # https://docs.danswer.dev/more/telemetry
-  DISABLE_TELEMETRY: ""
+  DISABLE_TELEMETRY: true
   LOG_LEVEL: ""
   LOG_ALL_MODEL_INTERACTIONS: ""
   LOG_DANSWER_MODEL_INTERACTIONS: ""