diff --git a/Makefile b/Makefile index 6c8cbc2e..4c17a08f 100644 --- a/Makefile +++ b/Makefile @@ -233,6 +233,7 @@ ifeq ($(origin INSTALLER), undefined) else $(MAKE) datamate-$(INSTALLER)-install $(MAKE) milvus-$(INSTALLER)-install + @rm -f /tmp/datamate-helm-args.sh endif .PHONY: uninstall-% @@ -357,8 +358,8 @@ VALID_K8S_TARGETS := datamate deer-flow milvus label-studio data-juicer mineru m exit 1; \ fi @if [ "$*" = "label-studio" ]; then \ - kubectl apply -f deployment/kubernetes/sealed-secrets/label-studio.yaml; \ - helm upgrade label-studio deployment/helm/label-studio/ -n $(NAMESPACE) --install; \ + if [ -f /tmp/datamate-helm-args.sh ]; then source /tmp/datamate-helm-args.sh; fi; \ + helm upgrade label-studio deployment/helm/label-studio/ -n $(NAMESPACE) --install $${HELM_LABEL_STUDIO_TOLERATIONS:-}; \ elif [ "$*" = "mineru" ] || [ "$*" = "mineru-910B" ] || [ "$*" = "mineru-910C" ]; then \ kubectl apply -f deployment/kubernetes/mineru/deploy-910.yaml -n $(NAMESPACE); \ elif [ "$*" = "mineru-310P" ]; then \ 
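Review bot: The label-studio branch now runs `source /tmp/datamate-helm-args.sh`, which executes a file at a fixed, predictable path in a shared, world-writable directory inside the installer's shell; the milvus branch in the next hunk adds the same line. On a multi-user host the file's content is only as trustworthy as whoever created it first, and nothing here checks its owner or mode. I would keep the handoff file in a directory only the invoking user can write and name it through one variable, e.g. `HELM_ARGS_FILE ?= $(CURDIR)/.datamate-helm-args.sh`, used by both the recipes and the script that writes it. The recipe's `if` chain starts and ends outside this hunk.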
@@ -370,32 +371,41 @@ VALID_K8S_TARGETS := datamate deer-flow milvus label-studio data-juicer mineru m if [ -f /tmp/datamate-helm-args.sh ]; then \ source /tmp/datamate-helm-args.sh; \ fi; \ - kubectl apply -f deployment/kubernetes/sealed-secrets/datamate.yaml; \ - if [ -n "$$HELM_NODE_SELECTOR_ARGS" ] || [ -n "$$$HELM_TOLERATIONS_ARGS" ]; then \ - helm upgrade datamate deployment/helm/datamate/ -n $(NAMESPACE) --install --set global.image.repository=$(REGISTRY) --set public.secrets.create=false $$HELM_NODE_SELECTOR_ARGS $$HELM_TOLERATIONS_ARGS; \ + chmod +x scripts/k8s/collect-secrets.sh; \ + eval $$(NAMESPACE=$(NAMESPACE) bash scripts/k8s/collect-secrets.sh); \ + if [ "$$SECRETS_CREATE" = "SKIP" ]; then \ + echo "[SKIP] Secrets collection failed — skipping datamate Helm install"; \ + rm -f /tmp/datamate-helm-args.sh; \ + exit 0; \ + fi; \ + if [ -n "$$HELM_VALUES_FILE" ] && [ -f "$$HELM_VALUES_FILE" ]; then \ + HELM_EXTRA_ARGS="-f $$HELM_VALUES_FILE"; \ + else \ + HELM_EXTRA_ARGS=""; \ + fi; \ + if [ -n "$$HELM_NODE_SELECTOR_ARGS" ] || [ -n "$$HELM_TOLERATIONS_ARGS" ]; then \ + helm upgrade datamate deployment/helm/datamate/ -n $(NAMESPACE) --install --force --set global.image.repository=$(REGISTRY) --set public.secrets.create=$$SECRETS_CREATE --set public.persistentVolumeClaim.accessModes=ReadWriteOnce $$HELM_EXTRA_ARGS $$HELM_NODE_SELECTOR_ARGS $$HELM_TOLERATIONS_ARGS; \ else \ - helm upgrade datamate deployment/helm/datamate/ -n $(NAMESPACE) --install --set global.image.repository=$(REGISTRY) --set public.secrets.create=false; \ + helm upgrade datamate deployment/helm/datamate/ -n $(NAMESPACE) --install --force --set global.image.repository=$(REGISTRY) --set public.secrets.create=$$SECRETS_CREATE --set public.persistentVolumeClaim.accessModes=ReadWriteOnce $$HELM_EXTRA_ARGS; \ fi; \ - rm -f /tmp/datamate-helm-args.sh; \ + rm -f /tmp/datamate-secret-values-*.yaml; \ elif [ "$*" = "deer-flow" ]; then \ cp runtime/deer-flow/.env 
deployment/helm/deer-flow/charts/public/.env; \ cp runtime/deer-flow/conf.yaml deployment/helm/deer-flow/charts/public/conf.yaml; \ helm upgrade deer-flow deployment/helm/deer-flow -n $(NAMESPACE) --install --set global.image.repository=$(REGISTRY); \ elif [ "$*" = "milvus" ]; then \ - kubectl apply -f deployment/kubernetes/sealed-secrets/milvus.yaml 2>/dev/null || true; \ - ACCESSKEY=$$(kubectl get secret milvus-minio-secret -n $(NAMESPACE) -o jsonpath='{.data.accessKey}' 2>/dev/null | base64 -d 2>/dev/null || echo ""); \ - SECRETKEY=$$(kubectl get secret milvus-minio-secret -n $(NAMESPACE) -o jsonpath='{.data.secretKey}' 2>/dev/null | base64 -d 2>/dev/null || echo ""); \ - if [ -n "$$ACCESSKEY" ] && [ -n "$$SECRETKEY" ]; then \ - helm upgrade milvus deployment/helm/milvus -n $(NAMESPACE) --install \ - --set minio.accessKey=$$ACCESSKEY \ - --set minio.secretKey=$$SECRETKEY; \ - else \ - echo "[ERROR] milvus-minio-secret not found or empty in namespace $(NAMESPACE)"; \ - echo " Please ensure Sealed Secrets Controller is running and the secret was decrypted."; \ - echo " For local dev: kubectl create secret generic milvus-minio-secret \\"; \ - echo " --from-literal=accessKey= --from-literal=secretKey= -n $(NAMESPACE)"; \ - exit 1; \ + chmod +x scripts/k8s/collect-secrets.sh; \ + bash scripts/k8s/collect-secrets.sh --component milvus -n $(NAMESPACE); \ + MILVUS_MINIO_ACCESS_KEY=$$(kubectl get secret milvus-minio-secret -n $(NAMESPACE) -o jsonpath='{.data.accesskey}' | base64 -d); \ + MILVUS_MINIO_SECRET_KEY=$$(kubectl get secret milvus-minio-secret -n $(NAMESPACE) -o jsonpath='{.data.secretkey}' | base64 -d); \ + if [ -f /tmp/datamate-helm-args.sh ]; then \ + source /tmp/datamate-helm-args.sh; \ fi; \ + helm upgrade milvus deployment/helm/milvus -n $(NAMESPACE) --install \ + --set minio.accessKey="$$MILVUS_MINIO_ACCESS_KEY" \ + --set minio.secretKey="$$MILVUS_MINIO_SECRET_KEY" \ + --set log.persistence.persistentVolumeClaim.accessModes=ReadWriteOnce \ + 
$$HELM_MILVUS_TOLERATIONS; \ elif [ "$*" = "data-juicer" ] || [ "$*" = "dj" ]; then \ kubectl apply -f deployment/kubernetes/data-juicer/deploy.yaml -n $(NAMESPACE); \ fi @@ -416,13 +426,8 @@ VALID_K8S_TARGETS := datamate deer-flow milvus label-studio data-juicer mineru m elif [ "$*" = "mineru-310P" ]; then \ kubectl delete -f deployment/kubernetes/mineru/deploy-310.yaml -n $(NAMESPACE); \ elif [ "$*" = "datamate" ]; then \ - echo ""; \ - echo "Remove node configuration (labels/taints)? (y/n) [n]"; \ - read -p "> " CLEANUP_NODES; \ - if [ "$$CLEANUP_NODES" = "y" ] || [ "$$CLEANUP_NODES" = "Y" ]; then \ - $(MAKE) node-cleanup; \ - fi; \ helm uninstall datamate -n $(NAMESPACE) --ignore-not-found; \ + $(MAKE) node-cleanup; \ elif [ "$*" = "deer-flow" ]; then \ helm uninstall deer-flow -n $(NAMESPACE) --ignore-not-found; \ elif [ "$*" = "milvus" ]; then \ diff --git a/deployment/helm/datamate/values.yaml b/deployment/helm/datamate/values.yaml index 78fbc108..00f18f47 100644 --- a/deployment/helm/datamate/values.yaml +++ b/deployment/helm/datamate/values.yaml @@ -50,12 +50,16 @@ public: database: 1Gi operator: 1Gi secrets: - create: false # Managed by SealedSecret (deployment/kubernetes/sealed-secrets/) + # Set to false when using Sealed Secrets (managed by install script) + create: false data: - DB_PASSWORD: "" # Set via secrets.yaml or --set - CERT_PASS: "" # Set via secrets.yaml for encrypted SSL keys + DB_PASSWORD: "" # Set via install script or --set + CERT_PASS: "" # Set via install script for encrypted SSL keys DOMAIN: "" HOME_PAGE_URL: "" + JWT_SECRET: "" # Auto-generated by install script + LABEL_STUDIO_PASSWORD: "" # Set via install script + LABEL_STUDIO_USER_TOKEN: "" # Auto-generated by install script datasetVolume: &datasetVolume name: dataset-volume diff --git a/deployment/helm/label-studio/templates/deployment.yaml b/deployment/helm/label-studio/templates/deployment.yaml index f2a16f9c..c58a6009 100644 
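Review bot: In the milvus branch the two `kubectl get secret … | base64 -d` reads are no longer checked, so a missing or not-yet-decrypted `milvus-minio-secret` (or a failed `collect-secrets.sh`, whose exit status is ignored because the steps are joined with `;`) ends in `helm upgrade` running with empty MinIO credentials; the removed code stopped with an error in that case. I would restore the guard before the helm call: `[ -n "$$MILVUS_MINIO_ACCESS_KEY" ] && [ -n "$$MILVUS_MINIO_SECRET_KEY" ] || { echo "[ERROR] milvus-minio-secret missing or empty in $(NAMESPACE)"; exit 1; }; \`. Passing the keys with `--set` also puts them on the helm command line and into the stored release values; since this commit sets `minio.existingSecret: milvus-minio-secret`, the two `--set minio.*Key` flags can probably be dropped, provided the chart reads the lowercase `accesskey`/`secretkey` keys. In the datamate branch, `eval $$(… collect-secrets.sh)` executes the script's entire stdout, so any command in that script that ever prints to stdout would be run as shell code; reading only the two expected `KEY=value` lines would be safer.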
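Review bot: `$(MAKE) node-cleanup` now runs on every datamate uninstall with no confirmation and no opt-out, while this same commit makes the milvus and label-studio installs consume the node-derived tolerations and node selectors. If those releases are still installed, removing the node labels and taints underneath them could presumably leave their pods unschedulable after a restart; `node-cleanup` itself is not visible here, so this needs confirming. A non-interactive opt-out keeps automation working without the removed prompt, for example with a new variable such as `if [ "$(KEEP_NODE_CONFIG)" != "1" ]; then $(MAKE) node-cleanup; fi; \`.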
--- a/deployment/helm/label-studio/templates/deployment.yaml +++ b/deployment/helm/label-studio/templates/deployment.yaml @@ -91,6 +91,18 @@ spec: mountPath: /label-studio/local resources: {{- toYaml .Values.resources | nindent 12 }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} volumes: - name: data persistentVolumeClaim: diff --git a/deployment/helm/milvus/values.yaml b/deployment/helm/milvus/values.yaml index 7d4396c5..a8178e5f 100644 --- a/deployment/helm/milvus/values.yaml +++ b/deployment/helm/milvus/values.yaml @@ -6,11 +6,9 @@ fullnameOverride: "" ## Define toleration for node isolation ## This anchor can be referenced throughout the configuration -nodeIsolationTolerations: &nodeIsolationTolerations - - key: "node-role.kubernetes.io/datamate" - operator: "Equal" - value: "true" - effect: "NoSchedule" +## NOTE: Default is empty array - tolerations should be set via Helm --set +## during install if node isolation is configured +nodeIsolationTolerations: &nodeIsolationTolerations [] ## Enable or disable Milvus Cluster mode cluster: @@ -39,7 +37,9 @@ nodeSelector: {} # Global tolerations # If set, this will apply to all milvus components # Individual components can be set to a different tolerations -tolerations: *nodeIsolationTolerations +# Default: empty (no tolerations) - allows scheduling on any node +# Set via --set tolerations[0].key=... during install if node isolation is needed +tolerations: [] # Global affinity # If set, this will apply to all milvus components @@ -218,7 +218,7 @@ log: ## ReadWriteMany access mode required for milvus cluster. ## storageClass: - accessModes: ReadWriteMany + accessModes: ReadWriteOnce size: 10Gi subPath: "" storagePath: 
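Review bot: The comment directly above `accessModes` still reads "ReadWriteMany access mode required for milvus cluster", but the value is now `ReadWriteOnce`, and the Makefile forces the same value with `--set`. If cluster mode is enabled with log persistence, several pods would share this claim and an RWO volume will not attach across nodes. Update the comment so the constraint is stated next to the value, e.g. `## ReadWriteOnce suits standalone mode only; cluster mode needs ReadWriteMany.`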
@@ -616,7 +616,7 @@ attu: # - secretName: chart-attu-tls # hosts: # - milvus-attu.local - + route: enabled: false host: "" @@ -644,7 +644,7 @@ minio: pullPolicy: IfNotPresent accessKey: "" # Set via secrets.yaml or --set secretKey: "" # Set via secrets.yaml or --set - existingSecret: "" + existingSecret: milvus-minio-secret bucketName: "milvus-bucket" rootPath: file useIAM: false @@ -1296,7 +1296,7 @@ kafka: zookeeper: enabled: true replicaCount: 3 - image: + image: repository: bitnamilegacy/zookeeper tag: 3.7.0 diff --git a/deployment/kubernetes/sealed-secrets/datamate.yaml b/deployment/kubernetes/sealed-secrets/datamate.yaml deleted file mode 100644 index c8c57696..00000000 --- a/deployment/kubernetes/sealed-secrets/datamate.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ ---- -apiVersion: bitnami.com/v1alpha1 -kind: SealedSecret -metadata: - creationTimestamp: null - name: datamate-conf - namespace: datamate -spec: - encryptedData: - CERT_PASS: 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 - DB_PASSWORD: AgCYbAis3YHfbcoI/uazKsyc7Q25A77gLrJAfx6F0Y9LzDoIlE5xczNHV8AhUtmT5lCCnzMxBRd6bCpVQho5xvpv8pfn2vjlbd/JbI0Up3vj6Yg3iw4lOmqxLs7DVpnn/Lo/GeoBXWZOerCRMiY/geVoSaQfybgIsmqFahHYaBciRHGxpZ0rhWqnm6U+RT5Oun73U47Mb8HMkEBIeMZW6IXGYoj7VetbouGZrSsu/uDlvO0P1BLFNVDiMZWW9B9gRnIdINxJUUzmvzvzyYBjOrsQlNZu+LycE57PspUSW4/TTHlZyxwrsdXSkWH/J66m04vHEzAaxF7Yg3zYCdcNBpiI8FLLDS64mROgj/dv8PY4qAIrEvb7e3qt07t/ArXEa1R7kkoBBjp/VvIy2wF905oQ99AgPEasnHYNp8VB1lym3YWWeuifsi6aaWhKyqq/22EhMRXKiC3brfp7KVnlnwX+98AHLl8Q04C90LwuDyKW+OBt6ATQktJuHqh+5uB17rvSu2KtWp2ugh1oqH8VaGydcd7lhKlHmi9a3b18uS3n6o5O8bR3mgmOWjlck4lDQI6cmnRVfx9J92jpdmZW5MeEtnlldYaek8am+zZTAusaagTp5eE8+p7238dGwr95LdWkkJbiJGBBvxuNdI0zjAFtGirueNe0ZHLvAKDh/Pw/Db8gg8DkyIVgJNDx4Q1F6eG2TPhwRu6vq/4RMvYFH5f1K58dCzEtkoQJsgJyJ4Kd9DBJzblOQ7fFLSx7Ag== - DOMAIN: AgCjEuH37xiKRpOkIrnAnk4Ui5A7B0M0R5BOhpvrbbu+QU/dqW7ysZzyNppDpABMB9n3H8jDsPYoKgFUVkD6p8FF3IpHmLlaJvO6FeIC86rJPVZTpWjPTub8LOCP5sszr7t4F1zyIo8uckyvqW2LxlNbN6cOCNzVutdHEcsu4dxWI/MzZGocT2CrWh3PDORdN6xrJ8qfpZEyFHiVwyxcbh3XM5oHqqe2o2OIlejXtrB3fQo1oUOH99CZTsZ+JrhUF5KOb4jDgq6aFLrJzkSWF+d/MXgrzqLDsqUuWxOp4CkbsIJJfO+aF2ULH9JAS1ZD/mnYUr1Lmix1wJORx5VXfT5L+fx+y8VDP2H8BeoLNqmmCyyV41GcvAyG5fN641Ck63MMehZkAJo72Bu4eRk8Mkk9JvDejAUTR5a/J1qKOtNVeFmM4Fq9y3WvW5X9e/3mHs7tCWTxGzJ70bV7zTngnu+G5SUoOjtvuBMNOfes9MAKj+hQ5YBaKiqZ5cJANgXX1YnmY5fvPSi9tyAxFspJgGSzHwBXLsTbeDRtTW86qmvY8anF++iizeuZ4DEqCLl8D0G3lj51elTTw7/1dDa8s1Xvy8EY6SwZAiuHpHkYf5barbrZLKSUldzd2AOPfxDgnbmussTV7o+/bjbCFKhGnWW2EEvLx4yKHjAJa8A/9uDsX8Zv1O+idsV7VXuFrsV8UGc= - HOME_PAGE_URL: 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 - JWT_SECRET: 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 - LABEL_STUDIO_PASSWORD: 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 - LABEL_STUDIO_USER_TOKEN: 
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 - template: - metadata: - annotations: - meta.helm.sh/release-name: datamate - meta.helm.sh/release-namespace: datamate - creationTimestamp: null - labels: - app.kubernetes.io/managed-by: Helm - name: datamate-conf - namespace: datamate - type: Opaque diff --git a/deployment/kubernetes/sealed-secrets/label-studio.yaml b/deployment/kubernetes/sealed-secrets/label-studio.yaml deleted file mode 100644 index 9a2a1b10..00000000 --- a/deployment/kubernetes/sealed-secrets/label-studio.yaml +++ /dev/null @@ -1,23 +0,0 @@ ---- -apiVersion: bitnami.com/v1alpha1 -kind: SealedSecret -metadata: - creationTimestamp: null - name: label-studio-env - namespace: datamate -spec: - encryptedData: - LABEL_STUDIO_PASSWORD: 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 - LABEL_STUDIO_USER_TOKEN: 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 - POSTGRE_PASSWORD: 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 - template: - metadata: - annotations: - meta.helm.sh/release-name: label-studio - meta.helm.sh/release-namespace: datamate - creationTimestamp: null - labels: - app.kubernetes.io/managed-by: Helm - name: label-studio-env - namespace: datamate - type: Opaque diff --git a/deployment/kubernetes/sealed-secrets/milvus.yaml b/deployment/kubernetes/sealed-secrets/milvus.yaml deleted file mode 100644 index 37c47b1d..00000000 --- a/deployment/kubernetes/sealed-secrets/milvus.yaml +++ /dev/null 
@@ -1,22 +0,0 @@ ---- -apiVersion: bitnami.com/v1alpha1 -kind: SealedSecret -metadata: - creationTimestamp: null - name: milvus-minio-secret - namespace: datamate -spec: - encryptedData: - accessKey: 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 - secretKey: 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 - template: - metadata: - annotations: - meta.helm.sh/release-name: milvus - meta.helm.sh/release-namespace: datamate - creationTimestamp: null - labels: - app.kubernetes.io/managed-by: Helm - name: milvus-minio-secret - namespace: datamate - type: Opaque diff --git a/scripts/k8s/collect-secrets.sh b/scripts/k8s/collect-secrets.sh new file mode 100755 index 00000000..8138e118 --- /dev/null +++ b/scripts/k8s/collect-secrets.sh 
@@ -0,0 +1,248 @@ +#!/bin/bash +### Collect secrets for DataMate installation. +### +### Usage: +### scripts/k8s/collect-secrets.sh [--component datamate|milvus] [--namespace ] +### +### Modes (auto-detected): +### 1. Sealed-secrets mode: controller running + kubeseal available → encrypt → apply SealedSecret +### 2. Plain mode: no controller → Helm creates Secret with base64 (dev mode) +### +### Password priority: .env file values > interactive prompt > auto-generated +### +### Output: writes shell script variables to stdout (eval by caller) + +# NOTE: NOT using 'set -e' because interactive prompts (read) can fail +# when stdin is not a TTY. We validate critical values explicitly instead. + +COMPONENT="${1:-datamate}" +NAMESPACE="${NAMESPACE:-datamate}" +ENV_FILE="${ENV_FILE:-.env}" + +# Parse --component and --namespace from args if passed differently +while [[ "$#" -gt 0 ]]; do + case $1 in + --component) COMPONENT="$2"; shift 2 ;; + --namespace|-n) NAMESPACE="$2"; shift 2 ;; + *) shift ;; + esac +done + +TMP_DIR=$(mktemp -d) +trap "rm -rf $TMP_DIR" EXIT + +# ========== Detect Mode ========== +detect_sealed_secrets() { + kubectl get deployment -n "$NAMESPACE" sealed-secrets >/dev/null 2>&1 && return 0 + kubectl get deployment -n kube-system sealed-secrets >/dev/null 2>&1 && return 0 + kubectl get pod -n "$NAMESPACE" -l app.kubernetes.io/name=sealed-secrets --no-headers 2>/dev/null | grep -q Running && return 0 + return 1 +} + +KUBESEAL="$(command -v kubeseal 2>/dev/null || echo "")" +[ -z "$KUBESEAL" ] && KUBESEAL="$HOME/bin/kubeseal" +[ ! -x "$KUBESEAL" ] && [ -x "./tools/bin/kubeseal" ] && KUBESEAL="./tools/bin/kubeseal" +[ ! -x "$KUBESEAL" ] && [ -x "../tools/bin/kubeseal" ] && KUBESEAL="../tools/bin/kubeseal" + +# Auto-download kubeseal if controller exists but binary is missing +if detect_sealed_secrets && [ ! -x "$KUBESEAL" ]; then + echo "[INFO] Sealed Secrets controller detected, but kubeseal not found. Downloading..." 
>&2 + KUBESEAL_URL="https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.27.2/kubeseal-0.27.2-$(uname -s | tr '[:upper:]' '[:lower:]')-$(dpkg --print-architecture 2>/dev/null || uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')" + KUBESEAL_DIR="$HOME/bin" + mkdir -p "$KUBESEAL_DIR" + curl -sSL "$KUBESEAL_URL" -o "$KUBESEAL_DIR/kubeseal" && chmod +x "$KUBESEAL_DIR/kubeseal" + KUBESEAL="$KUBESEAL_DIR/kubeseal" + echo "[INFO] Installed kubeseal to $KUBESEAL" >&2 +fi + +if detect_sealed_secrets && [ -x "$KUBESEAL" ]; then + MODE="sealed" +else + MODE="plain" +fi + +echo "# DataMate secrets collection — component: $COMPONENT, mode: $MODE" >&2 + +# ========== Helper ========== +random_hex() { + openssl rand -hex 16 2>/dev/null || python3 -c "import secrets;print(secrets.token_hex(16))" +} + +seal_secret() { + local name="$1" output="$2" + shift 2 + local raw="${TMP_DIR}/${name}-raw.yaml" + { + echo "apiVersion: v1" + echo "kind: Secret" + echo "metadata:" + echo " name: ${name}" + echo " namespace: ${NAMESPACE}" + echo "type: Opaque" + echo "stringData:" + for pair in "$@"; do + key="${pair%%=*}" + value="${pair#*=}" + echo " ${key}: \"${value}\"" + done + } > "$raw" + "$KUBESEAL" --controller-name=sealed-secrets --namespace="${NAMESPACE}" -o yaml -f "$raw" > "$output" + echo "[INFO] Created SealedSecret: $output" >&2 +} + +# ========== Load .env (targeted: only reads known secret keys) ========== +if [ -f "$ENV_FILE" ]; then + echo "[INFO] Loading secrets from ${ENV_FILE}..." >&2 + + # Read .env line by line, only extract vars matching our known keys. + # Ignores comments, blank lines, and unrelated vars like pgsql_host/shell vars. 
+ while IFS='=' read -r key value; do + # Skip blank lines and comments + [ -z "$key" ] && continue + case "$key" in + \#*) continue ;; + esac + # Strip leading/trailing whitespace from key + key="$(echo "$key" | xargs)" + + case "$key" in + DB_PASSWORD|CERT_PASS|DOMAIN|HOME_PAGE_URL|JWT_SECRET|\ + LABEL_STUDIO_PASSWORD|LABEL_STUDIO_USER_TOKEN|POSTGRE_PASSWORD|\ + MINIO_ACCESS_KEY|MINIO_SECRET_KEY) + val="$value" + case "$val" in + \'*|\"*) val="${val:1}" ;; + esac + case "$val" in + *\'|*\") val="${val:0:-1}" ;; + esac + printf -v "$key" '%s' "$val" + ;; + esac + done < "$ENV_FILE" + + [ -n "$DB_PASSWORD" ] && echo "[INFO] Loaded DB_PASSWORD from $ENV_FILE" >&2 + [ -n "$CERT_PASS" ] && echo "[INFO] Loaded CERT_PASS from $ENV_FILE" >&2 + [ -n "$JWT_SECRET" ] && echo "[INFO] Loaded JWT_SECRET from $ENV_FILE" >&2 +else + echo "[WARN] No .env file found at $(pwd)/${ENV_FILE} — will prompt for secrets" >&2 +fi + +# ========== Datamate ========== +if [ "$COMPONENT" = "datamate" ]; then + # Collect + [ -z "$DB_PASSWORD" ] && read -rsp "Enter DB_PASSWORD: " DB_PASSWORD && echo "" >&2 + [ -z "$JWT_SECRET" ] && JWT_SECRET=$(openssl rand -hex 32 2>/dev/null || python3 -c "import secrets;print(secrets.token_hex(32))") && echo "[INFO] Auto-generated JWT_SECRET" >&2 + [ -z "$DOMAIN" ] && read -rp "Enter DOMAIN (enter to skip): " DOMAIN >&2 + [ -z "$CERT_PASS" ] && read -rsp "Enter CERT_PASS (enter to skip): " CERT_PASS && echo "" >&2 + HOME_PAGE_URL="${HOME_PAGE_URL:-/data/management}" + [ -z "$LABEL_STUDIO_PASSWORD" ] && read -rsp "Enter LABEL_STUDIO_PASSWORD (enter to skip): " LABEL_STUDIO_PASSWORD && echo "" >&2 + [ -z "$LABEL_STUDIO_USER_TOKEN" ] && LABEL_STUDIO_USER_TOKEN=$(random_hex)$(random_hex) && echo "[INFO] Auto-generated LABEL_STUDIO_USER_TOKEN" >&2 + + # ===== MANDATORY CHECK: DB_PASSWORD must not be empty ===== + if [ -z "$DB_PASSWORD" ]; then + echo "[FATAL] DB_PASSWORD is empty! Cannot install without a database password." 
>&2 + echo "[FATAL] Set DB_PASSWORD in .env or ensure interactive prompts work." >&2 + echo "SECRETS_CREATE=SKIP" + echo "HELM_VALUES_FILE=" + exit 0 + fi + + if [ "$MODE" = "sealed" ]; then + # Clean up any old stale Secret (prevents Helm conflict) + if kubectl get secret datamate-conf -n "$NAMESPACE" >/dev/null 2>&1; then + echo "[INFO] Removing old datamate-conf Secret..." >&2 + kubectl delete secret datamate-conf -n "$NAMESPACE" --ignore-not-found >/dev/null 2>&1 + fi + # Clean up old SealedSecret (apply is idempotent, but belt-and-suspenders) + kubectl delete sealedsecret datamate-conf -n "$NAMESPACE" --ignore-not-found >/dev/null 2>&1 || true + + # Datamate-conf + seal_secret "datamate-conf" "${TMP_DIR}/datamate-sealed.yaml" \ + "DB_PASSWORD=${DB_PASSWORD}" \ + "CERT_PASS=${CERT_PASS}" \ + "DOMAIN=${DOMAIN}" \ + "HOME_PAGE_URL=${HOME_PAGE_URL}" \ + "JWT_SECRET=${JWT_SECRET}" \ + "LABEL_STUDIO_PASSWORD=${LABEL_STUDIO_PASSWORD}" \ + "LABEL_STUDIO_USER_TOKEN=${LABEL_STUDIO_USER_TOKEN}" + kubectl apply -f "${TMP_DIR}/datamate-sealed.yaml" -n "$NAMESPACE" >/dev/null + # Add Helm ownership labels so 'helm install --force' accepts the Secret + kubectl wait --for=jsonpath='{.data.DB_PASSWORD}' --timeout=30s secret/datamate-conf -n "$NAMESPACE" >/dev/null 2>&1 || true + kubectl annotate secret datamate-conf -n "$NAMESPACE" \ + meta.helm.sh/release-name=datamate \ + meta.helm.sh/release-namespace="${NAMESPACE}" \ + --overwrite >/dev/null 2>&1 + kubectl label secret datamate-conf -n "$NAMESPACE" \ + app.kubernetes.io/managed-by=Helm \ + --overwrite >/dev/null 2>&1 + + # Label Studio + if [ -n "$LABEL_STUDIO_PASSWORD" ]; then + POSTGRE_PASSWORD="${POSTGRE_PASSWORD:-$DB_PASSWORD}" + seal_secret "label-studio-env" "${TMP_DIR}/label-studio-sealed.yaml" \ + "POSTGRE_PASSWORD=${POSTGRE_PASSWORD}" \ + "LABEL_STUDIO_PASSWORD=${LABEL_STUDIO_PASSWORD}" \ + "LABEL_STUDIO_USER_TOKEN=${LABEL_STUDIO_USER_TOKEN}" + kubectl apply -f "${TMP_DIR}/label-studio-sealed.yaml" -n "$NAMESPACE" 
>/dev/null + fi + + echo "SECRETS_CREATE=false" + echo "HELM_VALUES_FILE=" + else + # Plain — delete any old SealedSecret and stale Secret first + kubectl delete sealedsecret datamate-conf -n "$NAMESPACE" --ignore-not-found >/dev/null 2>&1 || true + if kubectl get secret datamate-conf -n "$NAMESPACE" >/dev/null 2>&1; then + echo "[INFO] Removing old datamate-conf Secret..." >&2 + kubectl delete secret datamate-conf -n "$NAMESPACE" --ignore-not-found >/dev/null 2>&1 + fi + + # Write extra values to /tmp (survives script exit for Helm to read) + values_file="/tmp/datamate-secret-values-$$.yaml" + cat > "$values_file" <&2 + echo "SECRETS_CREATE=true" + echo "HELM_VALUES_FILE=${values_file}" + fi + +# ========== Milvus ========== +elif [ "$COMPONENT" = "milvus" ]; then + # Only needed if secret doesn't already exist + if kubectl get secret milvus-minio-secret -n "$NAMESPACE" >/dev/null 2>&1; then + echo "# milvus-minio-secret already exists — skipping" >&2 + exit 0 + fi + + [ -z "$MINIO_ACCESS_KEY" ] && MINIO_ACCESS_KEY=$(random_hex) && echo "[INFO] Auto-generated MINIO_ACCESS_KEY" >&2 + [ -z "$MINIO_SECRET_KEY" ] && MINIO_SECRET_KEY=$(random_hex)$(random_hex) && echo "[INFO] Auto-generated MINIO_SECRET_KEY" >&2 + + if [ "$MODE" = "sealed" ]; then + seal_secret "milvus-minio-secret" "${TMP_DIR}/milvus-sealed.yaml" \ + "accesskey=${MINIO_ACCESS_KEY}" \ + "secretkey=${MINIO_SECRET_KEY}" + kubectl apply -f "${TMP_DIR}/milvus-sealed.yaml" -n "$NAMESPACE" >/dev/null + kubectl wait --for=jsonpath='{.data.accesskey}' --timeout=30s secret/milvus-minio-secret -n "$NAMESPACE" >/dev/null 2>&1 || true + kubectl annotate secret milvus-minio-secret -n "$NAMESPACE" \ + meta.helm.sh/release-name=milvus-minio \ + meta.helm.sh/release-namespace="${NAMESPACE}" \ + --overwrite >/dev/null 2>&1 + else + kubectl create secret generic milvus-minio-secret \ + --from-literal=accesskey="$MINIO_ACCESS_KEY" \ + --from-literal=secretkey="$MINIO_SECRET_KEY" \ + -n "$NAMESPACE" --dry-run=client -o 
yaml | kubectl apply -f - >/dev/null + echo "[INFO] Created milvus-minio-secret (plain)" >&2 + fi +fi diff --git a/scripts/k8s/node-setup.sh b/scripts/k8s/node-setup.sh index d2726af1..85ec5b05 100755 --- a/scripts/k8s/node-setup.sh +++ b/scripts/k8s/node-setup.sh 
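Review bot: In plain mode the Helm values are written to `/tmp/datamate-secret-values-$$.yaml`, a PID-derived name in a shared directory, created with the caller's umask and left in place until the Makefile's `rm -f /tmp/datamate-secret-values-*.yaml` runs. The file presumably holds the database password and tokens (the heredoc body is not visible here), so on a default umask other local users can read it, and `cat >` will follow a pre-existing symlink at that path. Creating it with `values_file=$(mktemp /tmp/datamate-secret-values-XXXXXX.yaml)` (GNU mktemp: exclusive create, mode 0600) keeps the Makefile's cleanup glob working. Separately, the kubeseal auto-download uses `curl -sSL` with no `-f` and no checksum, so an HTTP error page or a tampered binary would be marked executable and then handed the raw secrets; use `curl -fsSL` and verify a pinned SHA-256 before `chmod +x`.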
@@ -366,6 +366,35 @@ generate_helm_args() { HELM_TOLERATIONS_ARGS="$HELM_TOLERATIONS_ARGS --set-string global.tolerations[0].value=${LABEL_VALUE}" HELM_TOLERATIONS_ARGS="$HELM_TOLERATIONS_ARGS --set-string global.tolerations[0].effect=${TAINT_EFFECT}" + # Milvus-specific tolerations (Milvus chart uses direct tolerations, not global.tolerations) + HELM_MILVUS_TOLERATIONS="--set-string tolerations[0].key=${LABEL_KEY}" + HELM_MILVUS_TOLERATIONS="$HELM_MILVUS_TOLERATIONS --set-string tolerations[0].operator=Equal" + HELM_MILVUS_TOLERATIONS="$HELM_MILVUS_TOLERATIONS --set-string tolerations[0].value=${LABEL_VALUE}" + HELM_MILVUS_TOLERATIONS="$HELM_MILVUS_TOLERATIONS --set-string tolerations[0].effect=${TAINT_EFFECT}" + + # Milvus sub-chart tolerations (etcd, minio don't inherit parent chart tolerations) + HELM_MILVUS_TOLERATIONS="$HELM_MILVUS_TOLERATIONS --set-string etcd.tolerations[0].key=${LABEL_KEY}" + HELM_MILVUS_TOLERATIONS="$HELM_MILVUS_TOLERATIONS --set-string etcd.tolerations[0].operator=Equal" + HELM_MILVUS_TOLERATIONS="$HELM_MILVUS_TOLERATIONS --set-string etcd.tolerations[0].value=${LABEL_VALUE}" + HELM_MILVUS_TOLERATIONS="$HELM_MILVUS_TOLERATIONS --set-string etcd.tolerations[0].effect=${TAINT_EFFECT}" + + HELM_MILVUS_TOLERATIONS="$HELM_MILVUS_TOLERATIONS --set-string minio.tolerations[0].key=${LABEL_KEY}" + HELM_MILVUS_TOLERATIONS="$HELM_MILVUS_TOLERATIONS --set-string minio.tolerations[0].operator=Equal" + HELM_MILVUS_TOLERATIONS="$HELM_MILVUS_TOLERATIONS --set-string minio.tolerations[0].value=${LABEL_VALUE}" + HELM_MILVUS_TOLERATIONS="$HELM_MILVUS_TOLERATIONS --set-string minio.tolerations[0].effect=${TAINT_EFFECT}" + + # Label-studio tolerations (app + pgbouncer) + HELM_LABEL_STUDIO_TOLERATIONS="--set-string tolerations[0].key=${LABEL_KEY}" + HELM_LABEL_STUDIO_TOLERATIONS="$HELM_LABEL_STUDIO_TOLERATIONS --set-string tolerations[0].operator=Equal" + HELM_LABEL_STUDIO_TOLERATIONS="$HELM_LABEL_STUDIO_TOLERATIONS --set-string 
tolerations[0].value=${LABEL_VALUE}" + HELM_LABEL_STUDIO_TOLERATIONS="$HELM_LABEL_STUDIO_TOLERATIONS --set-string tolerations[0].effect=${TAINT_EFFECT}" + HELM_LABEL_STUDIO_TOLERATIONS="$HELM_LABEL_STUDIO_TOLERATIONS --set-string nodeSelector.${LABEL_KEY_ESCAPED}=${LABEL_VALUE}" + HELM_LABEL_STUDIO_TOLERATIONS="$HELM_LABEL_STUDIO_TOLERATIONS --set-string pgbouncer.tolerations[0].key=${LABEL_KEY}" + HELM_LABEL_STUDIO_TOLERATIONS="$HELM_LABEL_STUDIO_TOLERATIONS --set-string pgbouncer.tolerations[0].operator=Equal" + HELM_LABEL_STUDIO_TOLERATIONS="$HELM_LABEL_STUDIO_TOLERATIONS --set-string pgbouncer.tolerations[0].value=${LABEL_VALUE}" + HELM_LABEL_STUDIO_TOLERATIONS="$HELM_LABEL_STUDIO_TOLERATIONS --set-string pgbouncer.tolerations[0].effect=${TAINT_EFFECT}" + HELM_LABEL_STUDIO_TOLERATIONS="$HELM_LABEL_STUDIO_TOLERATIONS --set-string pgbouncer.nodeSelector.${LABEL_KEY_ESCAPED}=${LABEL_VALUE}" + for SERVICE in $SERVICES; do HELM_TOLERATIONS_ARGS="$HELM_TOLERATIONS_ARGS --set-string ${SERVICE}.tolerations[0].key=${LABEL_KEY}" HELM_TOLERATIONS_ARGS="$HELM_TOLERATIONS_ARGS --set-string ${SERVICE}.tolerations[0].operator=Equal" @@ -400,6 +429,8 @@ generate_helm_args() { HELM_TOLERATIONS_ARGS="$HELM_TOLERATIONS_ARGS --set-string kuberay-operator.tolerations[0].effect=${TAINT_EFFECT}" else HELM_TOLERATIONS_ARGS="" + HELM_MILVUS_TOLERATIONS="" + HELM_LABEL_STUDIO_TOLERATIONS="" fi # Write Helm args to temp file for Makefile to source @@ -407,6 +438,8 @@ generate_helm_args() { cat > "$HELM_ARGS_FILE" < "$HELM_ARGS_FILE" <
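Review bot: The toleration blocks added here (chart root, `etcd.`, `minio.`, `pgbouncer.`) repeat the same four `--set-string` lines with only the values prefix changing, which makes it easy for one copy to drift from the others. A small helper that takes the prefix would state the pattern once, as sketched below; the two label-studio `nodeSelector` lines stay as they are. `generate_helm_args` begins and ends outside this hunk. Because these strings end up in a file that the Makefile sources, `LABEL_KEY`, `LABEL_VALUE` and `TAINT_EFFECT` should be validated against the Kubernetes label character set before they are interpolated; whether that already happens is not visible here.

```shell
# Emit the --set-string flags for one toleration under a values prefix
# ("" for the chart root, "etcd." for a sub-chart).
toleration_args() {
    local prefix="$1"
    printf ' --set-string %stolerations[0].key=%s' "$prefix" "$LABEL_KEY"
    printf ' --set-string %stolerations[0].operator=Equal' "$prefix"
    printf ' --set-string %stolerations[0].value=%s' "$prefix" "$LABEL_VALUE"
    printf ' --set-string %stolerations[0].effect=%s' "$prefix" "$TAINT_EFFECT"
}

HELM_MILVUS_TOLERATIONS="$(toleration_args "")$(toleration_args "etcd.")$(toleration_args "minio.")"
HELM_LABEL_STUDIO_TOLERATIONS="$(toleration_args "")$(toleration_args "pgbouncer.")"
# … unchanged: the two label-studio nodeSelector --set-string lines, appended to HELM_LABEL_STUDIO_TOLERATIONS …
```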