From af84aca52eaecf4b8c5eb45b5426ab7f726af91f Mon Sep 17 00:00:00 2001 From: waleed Date: Tue, 16 Dec 2025 15:06:58 -0800 Subject: [PATCH 1/2] improvement(helm): added more to helm charts, remove instance selector for various cloud providers --- helm/sim/examples/values-aws.yaml | 58 ++++++++++++------------ helm/sim/examples/values-azure.yaml | 61 ++++++++++++++------------ helm/sim/examples/values-gcp.yaml | 52 +++++++++++----------- helm/sim/templates/_helpers.tpl | 6 +++ helm/sim/templates/deployment-app.yaml | 2 +- helm/sim/values.schema.json | 12 ++--- helm/sim/values.yaml | 16 +++---- 7 files changed, 107 insertions(+), 100 deletions(-) diff --git a/helm/sim/examples/values-aws.yaml b/helm/sim/examples/values-aws.yaml index 3588074e20..8fb7e167ab 100644 --- a/helm/sim/examples/values-aws.yaml +++ b/helm/sim/examples/values-aws.yaml @@ -4,17 +4,17 @@ # Global configuration global: imageRegistry: "ghcr.io" - storageClass: "gp3" + storageClass: "gp2" # Use gp2 (default on EKS) or create gp3 StorageClass for better performance # Main application app: enabled: true replicaCount: 2 - - # Node selector for application pods (customize based on your EKS node labels) - nodeSelector: - kubernetes.io/arch: amd64 - node.kubernetes.io/instance-type: "t3.large" + + # Node selector for application pods + # Uncomment and customize based on your EKS node labels: + # nodeSelector: + # node.kubernetes.io/instance-type: "t3.large" resources: limits: @@ -28,8 +28,8 @@ app: env: NEXT_PUBLIC_APP_URL: "https://simstudio.acme.com" BETTER_AUTH_URL: "https://simstudio.acme.com" - SOCKET_SERVER_URL: "https://simstudio-ws.acme.com" - NEXT_PUBLIC_SOCKET_URL: "https://simstudio-ws.acme.com" + # SOCKET_SERVER_URL is auto-detected (uses internal service http://sim-realtime:3002) + NEXT_PUBLIC_SOCKET_URL: "https://simstudio-ws.acme.com" # Public WebSocket URL for browsers # Security settings (REQUIRED - replace with your own secure secrets) # Generate using: openssl rand -hex 32 
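Review bot: Commenting out the whole `nodeSelector` in the app block also drops `kubernetes.io/arch: amd64`, so these pods may now be scheduled onto arm64 (Graviton) node groups; unless the `ghcr.io` images are published as multi-arch manifests — not visible here — the container fails at start with an exec-format error, a harder failure than the over-specific instance-type selector this hunk is removing. Suggest keeping the architecture constraint live and leaving only the instance type as the commented example: `nodeSelector:` / `  kubernetes.io/arch: amd64` followed by the existing commented `# node.kubernetes.io/instance-type: "t3.large"` line. The same consideration applies to the realtime block further down this file.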
@@ -52,11 +52,11 @@ app: realtime: enabled: true replicaCount: 2 - - # Node selector for realtime pods (customize based on your EKS node labels) - nodeSelector: - kubernetes.io/arch: amd64 - node.kubernetes.io/instance-type: "t3.medium" + + # Node selector for realtime pods + # Uncomment and customize based on your EKS node labels: + # nodeSelector: + # node.kubernetes.io/instance-type: "t3.medium" resources: limits: @@ -89,10 +89,11 @@ migrations: # PostgreSQL database postgresql: enabled: true - - # Node selector for database pods (recommended: memory-optimized EC2 instances) - nodeSelector: - node.kubernetes.io/instance-type: "r5.large" + + # Node selector for database pods + # Uncomment and customize (recommended: memory-optimized EC2 instances like r5.large): + # nodeSelector: + # node.kubernetes.io/instance-type: "r5.large" # Database authentication (REQUIRED - set secure credentials) auth: @@ -109,17 +110,17 @@ postgresql: memory: "2Gi" cpu: "1000m" - # Persistent storage using AWS EBS GP3 volumes + # Persistent storage using AWS EBS volumes persistence: enabled: true - storageClass: "gp3" + storageClass: "gp2" # Use gp2 (default) or create gp3 StorageClass size: 50Gi accessModes: - ReadWriteOnce - # SSL/TLS configuration + # SSL/TLS configuration (requires cert-manager to be installed) tls: - enabled: true + enabled: false # Set to true if cert-manager is installed certificatesSecret: postgres-tls-secret # PostgreSQL performance tuning for AWS infrastructure 
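Review bot: Flipping `postgresql.tls.enabled` to `false` in the AWS example downgrades the app-to-database connection to cleartext inside the cluster, and the only hint is a comment about cert-manager; an operator who copies this file as a production baseline gets an unencrypted database link with no warning at render time. Since `certificatesSecret: postgres-tls-secret` is still set, the chart can presumably consume a pre-created Secret as well (the template that mounts it is not in this diff), so the comment should say that and state the consequence, e.g. `enabled: false  # WARNING: false = cleartext app<->postgres traffic in-cluster; set true and provide postgres-tls-secret (cert-manager or kubectl create secret tls) for production`. If cert-manager really is a hard prerequisite, keeping `enabled: true` in a cloud production example and documenting the prerequisite is the safer default.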
@@ -130,14 +131,15 @@ postgresql: minWalSize: "160MB" # Ollama AI models with GPU acceleration (AWS EC2 GPU instances) +# Set ollama.enabled: false if you don't need local AI models ollama: - enabled: true + enabled: false replicaCount: 1 - - # GPU node targeting (recommended: g4dn.xlarge or p3.2xlarge instances) - nodeSelector: - node.kubernetes.io/instance-type: "g4dn.xlarge" - kubernetes.io/arch: amd64 + + # GPU node targeting - uncomment and customize for GPU instances + # Recommended: g4dn.xlarge or p3.2xlarge instances + # nodeSelector: + # node.kubernetes.io/instance-type: "g4dn.xlarge" tolerations: - key: "nvidia.com/gpu" @@ -162,7 +164,7 @@ ollama: # High-performance storage for AI models persistence: enabled: true - storageClass: "gp3" + storageClass: "gp2" # Use gp2 (default) or create gp3 StorageClass size: 100Gi accessModes: - ReadWriteOnce diff --git a/helm/sim/examples/values-azure.yaml b/helm/sim/examples/values-azure.yaml index a888531bf3..1ae5a468b1 100644 --- a/helm/sim/examples/values-azure.yaml +++ b/helm/sim/examples/values-azure.yaml @@ -4,16 +4,19 @@ # Global configuration global: imageRegistry: "ghcr.io" - storageClass: "managed-csi-premium" + # Use "managed-csi-premium" for Premium SSD (requires Premium storage-capable VMs like Standard_DS*) + # Use "managed-csi" for Standard SSD (works with all VM types) + storageClass: "managed-csi" # Main application app: enabled: true - replicaCount: 1 - - # Node selector for application pods (customize based on your AKS node labels) - nodeSelector: - node-role: application + replicaCount: 2 + + # Node selector for application pods + # Uncomment and customize based on your AKS node labels: + # nodeSelector: + # agentpool: "application" resources: limits: 
@@ -26,8 +29,8 @@ app: env: NEXT_PUBLIC_APP_URL: "https://simstudio.acme.com" BETTER_AUTH_URL: "https://simstudio.acme.com" - SOCKET_SERVER_URL: "https://simstudio-ws.acme.com" - NEXT_PUBLIC_SOCKET_URL: "https://simstudio-ws.acme.com" + # SOCKET_SERVER_URL is auto-detected (uses internal service http://sim-realtime:3002) + NEXT_PUBLIC_SOCKET_URL: "https://simstudio-ws.acme.com" # Public WebSocket URL for browsers # Security settings (REQUIRED - replace with your own secure secrets) # Generate using: openssl rand -hex 32 @@ -46,11 +49,12 @@ app: # Realtime service realtime: enabled: true - replicaCount: 1 - - # Node selector for application pods (customize based on your AKS node labels) - nodeSelector: - node-role: application + replicaCount: 2 + + # Node selector for realtime pods + # Uncomment and customize based on your AKS node labels: + # nodeSelector: + # agentpool: "application" resources: limits: @@ -74,10 +78,11 @@ migrations: # PostgreSQL database postgresql: enabled: true - - # Node selector for database pods (recommended: memory-optimized VM sizes) - nodeSelector: - node-role: datalake + + # Node selector for database pods + # Uncomment and customize (recommended: memory-optimized VM sizes): + # nodeSelector: + # agentpool: "database" # Database authentication (REQUIRED - set secure credentials) auth: @@ -93,15 +98,15 @@ postgresql: memory: "1Gi" cpu: "500m" - # Persistent storage using Azure Premium SSD + # Persistent storage using Azure Managed Disk persistence: enabled: true - storageClass: "managed-csi-premium" + storageClass: "managed-csi" size: 10Gi - # SSL/TLS configuration (recommended for production) + # SSL/TLS configuration (requires cert-manager to be installed) tls: - enabled: true + enabled: false # Set to true if cert-manager is installed certificatesSecret: postgres-tls-secret # PostgreSQL performance tuning for Azure infrastructure 
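Review bot: `tls.enabled: false` in the PostgreSQL block means the Azure example ships with cleartext traffic between the app pods and the database, while `certificatesSecret: postgres-tls-secret` is left in place so the file still reads as if TLS were configured. Either keep `enabled: true` and document cert-manager (or a manually created `postgres-tls-secret`, if the mounting template accepts one — it is outside this diff) as a prerequisite, or make the trade-off explicit inline: `enabled: false  # cleartext in-cluster DB traffic; set true for production`. The switch of the database volume to `managed-csi` (Standard SSD) in the same hunk is a cost/performance choice rather than a security one, and the comment could say so to avoid reading as a recommendation.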
@@ -112,13 +117,15 @@ postgresql: minWalSize: "80MB" # Ollama AI models with GPU acceleration (Azure NC-series VMs) +# Set ollama.enabled: false if you don't need local AI models ollama: - enabled: true + enabled: false replicaCount: 1 - - # GPU node targeting (recommended: NC6s_v3 or NC12s_v3 VMs) - nodeSelector: - accelerator: nvidia + + # GPU node targeting - uncomment and customize for GPU node pools + # Recommended: NC6s_v3 or NC12s_v3 VMs + # nodeSelector: + # agentpool: "gpu" tolerations: - key: "sku" @@ -139,7 +146,7 @@ ollama: memory: "4Gi" cpu: "1000m" - # High-performance storage for AI models + # High-performance storage for AI models (use managed-csi-premium for GPU workloads) persistence: enabled: true storageClass: "managed-csi-premium" diff --git a/helm/sim/examples/values-gcp.yaml b/helm/sim/examples/values-gcp.yaml index c8d5af9083..f0b5e66b58 100644 --- a/helm/sim/examples/values-gcp.yaml +++ b/helm/sim/examples/values-gcp.yaml @@ -10,11 +10,11 @@ global: app: enabled: true replicaCount: 2 - - # Node selector for application pods (customize based on your GKE node labels) - nodeSelector: - kubernetes.io/arch: amd64 - cloud.google.com/gke-nodepool: "default-pool" + + # Node selector for application pods + # Uncomment and customize based on your GKE node labels: + # nodeSelector: + # cloud.google.com/gke-nodepool: "default-pool" resources: limits: @@ -28,8 +28,8 @@ app: env: NEXT_PUBLIC_APP_URL: "https://simstudio.acme.com" BETTER_AUTH_URL: "https://simstudio.acme.com" - SOCKET_SERVER_URL: "https://simstudio-ws.acme.com" - NEXT_PUBLIC_SOCKET_URL: "https://simstudio-ws.acme.com" + # SOCKET_SERVER_URL is auto-detected (uses internal service http://sim-realtime:3002) + NEXT_PUBLIC_SOCKET_URL: "https://simstudio-ws.acme.com" # Public WebSocket URL for browsers # Security settings (REQUIRED - replace with your own secure secrets) # Generate using: openssl rand -hex 32 
@@ -53,11 +53,11 @@ app: realtime: enabled: true replicaCount: 2 - - # Node selector for realtime pods (customize based on your GKE node labels) - nodeSelector: - kubernetes.io/arch: amd64 - cloud.google.com/gke-nodepool: "default-pool" + + # Node selector for realtime pods + # Uncomment and customize based on your GKE node labels: + # nodeSelector: + # cloud.google.com/gke-nodepool: "default-pool" resources: limits: @@ -90,11 +90,11 @@ migrations: # PostgreSQL database postgresql: enabled: true - - # Node selector for database pods (recommended: memory-optimized machine types) - nodeSelector: - cloud.google.com/gke-nodepool: "database-pool" - cloud.google.com/machine-family: "n2" + + # Node selector for database pods + # Uncomment and customize (recommended: memory-optimized machine types): + # nodeSelector: + # cloud.google.com/gke-nodepool: "database-pool" # Database authentication (REQUIRED - set secure credentials) auth: @@ -119,9 +119,9 @@ postgresql: accessModes: - ReadWriteOnce - # SSL/TLS configuration + # SSL/TLS configuration (requires cert-manager to be installed) tls: - enabled: true + enabled: false # Set to true if cert-manager is installed certificatesSecret: postgres-tls-secret # PostgreSQL performance tuning for GCP infrastructure @@ -132,14 +132,16 @@ postgresql: minWalSize: "160MB" # Ollama AI models with GPU acceleration (GCP GPU instances) +# Set ollama.enabled: false if you don't need local AI models ollama: - enabled: true + enabled: false replicaCount: 1 - - # GPU node targeting (recommended: T4 or V100 GPU instances) - nodeSelector: - cloud.google.com/gke-nodepool: "gpu-pool" - cloud.google.com/gke-accelerator: "nvidia-tesla-t4" + + # GPU node targeting - uncomment and customize for GPU node pools + # Recommended: T4 or V100 GPU instances + # nodeSelector: + # cloud.google.com/gke-nodepool: "gpu-pool" + # cloud.google.com/gke-accelerator: "nvidia-tesla-t4" tolerations: - key: "nvidia.com/gpu" 
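Review bot: `tls.enabled: false` turns off TLS for the app-to-PostgreSQL connection in the GCP example with only a cert-manager comment to explain it; anyone using this file as a production baseline gets in-cluster database traffic in cleartext and no render-time warning. Suggest either restoring `enabled: true` and stating cert-manager (or a pre-created `postgres-tls-secret`, which the retained `certificatesSecret` key suggests is supported — the mounting template is outside this diff) as a prerequisite, or spelling out the consequence: `enabled: false  # cleartext DB traffic in-cluster; set true for production`. Disabling Ollama by default in the next hunk is fine, but the GPU `tolerations` stay active, which is harmless as long as `enabled` is false.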
diff --git a/helm/sim/templates/_helpers.tpl b/helm/sim/templates/_helpers.tpl
index 134fe2b443..dbac5fff1b 100644
--- a/helm/sim/templates/_helpers.tpl
+++ b/helm/sim/templates/_helpers.tpl
@@ -204,9 +204,15 @@ Validate required secrets and reject default placeholder values
 {{- if and .Values.postgresql.enabled (eq .Values.postgresql.auth.password "CHANGE-ME-SECURE-PASSWORD") }}
 {{- fail "postgresql.auth.password must not use the default placeholder value. Set a secure password for production" }}
 {{- end }}
+{{- if and .Values.postgresql.enabled (regexMatch "[/:@#?&=+]" .Values.postgresql.auth.password) }}
+{{- fail "postgresql.auth.password contains URL-special characters (/:@#?&=+) which will break the DATABASE_URL. Use a password with only alphanumeric characters. Generate with: openssl rand -hex 16" }}
+{{- end }}
 {{- if and .Values.externalDatabase.enabled (not .Values.externalDatabase.password) }}
 {{- fail "externalDatabase.password is required when using external database" }}
 {{- end }}
+{{- if and .Values.externalDatabase.enabled .Values.externalDatabase.password (regexMatch "[/:@#?&=+]" .Values.externalDatabase.password) }}
+{{- fail "externalDatabase.password contains URL-special characters (/:@#?&=+) which will break the DATABASE_URL. Use a password with only alphanumeric characters." }}
+{{- end }}
 {{- end }}
 {{/*
diff --git a/helm/sim/templates/deployment-app.yaml b/helm/sim/templates/deployment-app.yaml
index 564fa532d0..6433e82ea0 100644
--- a/helm/sim/templates/deployment-app.yaml
+++ b/helm/sim/templates/deployment-app.yaml
@@ -68,7 +68,7 @@ spec:
 - name: DATABASE_URL
 value: {{ include "sim.databaseUrl" . | quote }}
 - name: SOCKET_SERVER_URL
- value: {{ .Values.app.env.SOCKET_SERVER_URL | default "http://localhost:3002" | quote }}
+ value: {{ include "sim.socketServerUrl" . | quote }}
 - name: OLLAMA_URL
 value: {{ include "sim.ollamaUrl" . | quote }}
 {{- range $key, $value := omit .Values.app.env "DATABASE_URL" "SOCKET_SERVER_URL" "OLLAMA_URL" }}
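Review bot: An empty `postgresql.auth.password` passes the new guard: `""` contains none of the listed characters and differs from the placeholder, so `--set postgresql.auth.password=` renders a chart with an empty database password and no error. Mirror the `externalDatabase` branch with `{{- if and .Values.postgresql.enabled (not .Values.postgresql.auth.password) }}` / `{{- fail "postgresql.auth.password is required" }}` / `{{- end }}` ahead of the character check. More fundamentally, the restriction exists because `sim.databaseUrl` (defined outside this hunk) appears to splice the raw password into a URL; percent-encoding it there would let `externalDatabase.password` keep whatever a managed database generated, though Go's `urlquery` encodes a space as `+`, which is wrong in the userinfo part of a URL, so a whitespace check would still be needed. The `fail` messages rightly do not echo the password; keep it that way.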
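Review bot: `DATABASE_URL` is still rendered as a literal `value:` on the container, so the database password that the new helper validation is all about ends up in the Deployment manifest itself — readable by anyone with `get deployments`/`get pods` in the namespace, echoed by `kubectl describe`, and captured by any GitOps or backup tooling that stores rendered manifests. Unless the chart already keeps it in a Secret elsewhere (none is visible in this diff), render the URL into a Secret and reference it with `valueFrom.secretKeyRef`; the same applies to any `app.env` entries carrying API keys through the `range` loop below. The switch to `sim.socketServerUrl` is fine as far as this hunk shows, but that helper's definition is outside the diff.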
diff --git a/helm/sim/values.schema.json b/helm/sim/values.schema.json
index 37f4d4288b..6aa96f1c2b 100644
--- a/helm/sim/values.schema.json
+++ b/helm/sim/values.schema.json
@@ -185,8 +185,7 @@
 },
 "OLLAMA_URL": {
 "type": "string",
- "format": "uri",
- "description": "Ollama local LLM server URL"
+ "description": "Ollama local LLM server URL (leave empty if not using Ollama)"
 },
 "ELEVENLABS_API_KEY": {
 "type": "string",
@@ -238,18 +237,15 @@
 },
 "NEXT_PUBLIC_BRAND_LOGO_URL": {
 "type": "string",
- "format": "uri",
- "description": "Custom logo URL (must be a full URL, e.g., https://example.com/logo.png)"
+ "description": "Custom logo URL (leave empty for default)"
 },
 "NEXT_PUBLIC_BRAND_FAVICON_URL": {
 "type": "string",
- "format": "uri",
- "description": "Custom favicon URL (must be a full URL, e.g., https://example.com/favicon.ico)"
+ "description": "Custom favicon URL (leave empty for default)"
 },
 "NEXT_PUBLIC_CUSTOM_CSS_URL": {
 "type": "string",
- "format": "uri",
- "description": "Custom stylesheet URL (must be a full URL)"
+ "description": "Custom stylesheet URL (leave empty for none)"
 },
 "NEXT_PUBLIC_SUPPORT_EMAIL": {
 "type": "string",
diff --git a/helm/sim/values.yaml b/helm/sim/values.yaml
index d0d51252a2..d588d06b76 100644
--- a/helm/sim/values.yaml
+++ b/helm/sim/values.yaml
@@ -52,8 +52,9 @@ app:
 # Application URLs
 NEXT_PUBLIC_APP_URL: "http://localhost:3000"
 BETTER_AUTH_URL: "http://localhost:3000"
- SOCKET_SERVER_URL: "http://localhost:3002"
- NEXT_PUBLIC_SOCKET_URL: "http://localhost:3002"
+ # SOCKET_SERVER_URL: Auto-detected when realtime.enabled=true (uses internal service)
+ # Only set this if using an external WebSocket service with realtime.enabled=false
+ NEXT_PUBLIC_SOCKET_URL: "http://localhost:3002" # Public WebSocket URL for browsers
 # Node environment
 NODE_ENV: "production"
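Review bot: Dropping `"format": "uri"` from `NEXT_PUBLIC_BRAND_LOGO_URL`, `NEXT_PUBLIC_BRAND_FAVICON_URL` and `NEXT_PUBLIC_CUSTOM_CSS_URL` removes the only validation on values the frontend presumably injects into `<img>`/`<link>` tags, and the goal (allow an empty value) does not require accepting arbitrary strings. Replace the format with a pattern that admits the empty string or an absolute http(s) URL, e.g. `"pattern": "^(https?://[^\\s]+)?$"` on each of the three properties, and keep the old "must be a full URL" wording in the description so operators understand why a relative path is rejected. A stylesheet fetched from an operator-supplied URL is executed by every user's browser, so a note about CSP or `integrity` would also fit in the description; how the app consumes the value is outside this diff.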
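Review bot: The new comment promises that `SOCKET_SERVER_URL` can still be set manually for an external WebSocket service, but deployment-app.yaml omits that key from the generic env loop and takes the value from `sim.socketServerUrl`, whose definition is not in this diff; unless that helper prefers `.Values.app.env.SOCKET_SERVER_URL` when present, the override described here is silently ignored. Worth confirming, and then naming the precedence in the comment, e.g. `# SOCKET_SERVER_URL: defaults to the in-cluster realtime Service; an explicit value here takes precedence (use with realtime.enabled=false)`. The example values files describe the auto-detected default as `http://sim-realtime:3002`, so the app-to-realtime hop is plain HTTP unless a mesh or network policy covers it; a one-line remark to that effect would help operators with encryption-in-transit requirements.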
@@ -99,15 +100,8 @@ app:
 # Rate Limiting Configuration (per minute)
 RATE_LIMIT_WINDOW_MS: "60000" # Rate limit window duration (1 minute)
- RATE_LIMIT_FREE_SYNC: "10" # Free tier sync API executions
- RATE_LIMIT_PRO_SYNC: "25" # Pro tier sync API executions
- RATE_LIMIT_TEAM_SYNC: "75" # Team tier sync API executions
- RATE_LIMIT_ENTERPRISE_SYNC: "150" # Enterprise tier sync API executions
- RATE_LIMIT_FREE_ASYNC: "50" # Free tier async API executions
- RATE_LIMIT_PRO_ASYNC: "200" # Pro tier async API executions
- RATE_LIMIT_TEAM_ASYNC: "500" # Team tier async API executions
- RATE_LIMIT_ENTERPRISE_ASYNC: "1000" # Enterprise tier async API executions
- MANUAL_EXECUTION_LIMIT: "999999" # Manual execution bypass value
+ RATE_LIMIT_FREE_SYNC: "10" # Sync API executions per minute
+ RATE_LIMIT_FREE_ASYNC: "50" # Async API executions per minute
 # UI Branding & Whitelabeling Configuration
 NEXT_PUBLIC_BRAND_NAME: "Sim" # Custom brand name
From d182993d861d22f539ddb025aa40ca70b206e7dd Mon Sep 17 00:00:00 2001
From: waleed
Date: Tue, 16 Dec 2025 18:17:15 -0800
Subject: [PATCH 2/2] ack PR comment
---
 helm/sim/templates/_helpers.tpl | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/helm/sim/templates/_helpers.tpl b/helm/sim/templates/_helpers.tpl
index dbac5fff1b..9966b14937 100644
--- a/helm/sim/templates/_helpers.tpl
+++ b/helm/sim/templates/_helpers.tpl
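Review bot: The defaults for `RATE_LIMIT_PRO_*`, `RATE_LIMIT_TEAM_*`, `RATE_LIMIT_ENTERPRISE_*` and `MANUAL_EXECUTION_LIMIT` are removed from values.yaml, but nothing in the diff shows the application falling back to built-in limits when those variables are absent; if it does not, self-hosted installs silently lose the manual-execution ceiling and the per-tier caps, which is the wrong direction for a throttle. If the app does default them, say so in the retained comment, e.g. `# Other tiers and MANUAL_EXECUTION_LIMIT fall back to the application defaults when unset`, and check that values.schema.json no longer lists them as expected keys. The two remaining values are still quoted strings, which is correct for env vars.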
@@ -204,14 +204,14 @@ Validate required secrets and reject default placeholder values
 {{- if and .Values.postgresql.enabled (eq .Values.postgresql.auth.password "CHANGE-ME-SECURE-PASSWORD") }}
 {{- fail "postgresql.auth.password must not use the default placeholder value. Set a secure password for production" }}
 {{- end }}
-{{- if and .Values.postgresql.enabled (regexMatch "[/:@#?&=+]" .Values.postgresql.auth.password) }}
-{{- fail "postgresql.auth.password contains URL-special characters (/:@#?&=+) which will break the DATABASE_URL. Use a password with only alphanumeric characters. Generate with: openssl rand -hex 16" }}
+{{- if and .Values.postgresql.enabled (not (regexMatch "^[a-zA-Z0-9._-]+$" .Values.postgresql.auth.password)) }}
+{{- fail "postgresql.auth.password must only contain alphanumeric characters, hyphens, underscores, or periods to ensure DATABASE_URL compatibility. Generate with: openssl rand -base64 16 | tr -d '/+='" }}
 {{- end }}
 {{- if and .Values.externalDatabase.enabled (not .Values.externalDatabase.password) }}
 {{- fail "externalDatabase.password is required when using external database" }}
 {{- end }}
-{{- if and .Values.externalDatabase.enabled .Values.externalDatabase.password (regexMatch "[/:@#?&=+]" .Values.externalDatabase.password) }}
-{{- fail "externalDatabase.password contains URL-special characters (/:@#?&=+) which will break the DATABASE_URL. Use a password with only alphanumeric characters." }}
+{{- if and .Values.externalDatabase.enabled .Values.externalDatabase.password (not (regexMatch "^[a-zA-Z0-9._-]+$" .Values.externalDatabase.password)) }}
+{{- fail "externalDatabase.password must only contain alphanumeric characters, hyphens, underscores, or periods to ensure DATABASE_URL compatibility." }}
 {{- end }}
 {{- end }}
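Review bot: The whitelist `^[a-zA-Z0-9._-]+$` now rejects an empty `postgresql.auth.password`, but the operator then reads "must only contain alphanumeric characters…" for a password they never set, and a one-character password still passes; a length check in front of it gives a clear failure and actually enforces strength: `{{- if and .Values.postgresql.enabled (lt (len .Values.postgresql.auth.password) 16) }}` / `{{- fail "postgresql.auth.password must be at least 16 characters (openssl rand -hex 16)" }}` / `{{- end }}`. The suggested generator `openssl rand -base64 16 | tr -d '/+='` yields a variable-length string that shrinks with every stripped symbol, whereas `openssl rand -hex 16` (32 hex characters, 128 bits) is simpler and always satisfies the pattern. Applying the same charset to `externalDatabase.password` is a stronger ask, since managed databases commonly generate passwords with other symbols, and the check forces a rotation rather than escaping the value where `sim.databaseUrl` (outside this hunk) builds the URL.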