Helm Chart for k8s deployment

charts/openzosma/.helmignore

@@ -0,0 +1,9 @@
+.DS_Store
+.git
+.gitignore
+.vscode
+*.swp
+*.bak
+*.tmp
+*.md
+CLAUDE.md

charts/openzosma/Chart.yaml

@@ -0,0 +1,18 @@
+apiVersion: v2
+name: openzosma
+description: Self-hosted AI agent platform with sandboxed execution
+type: application
+version: 0.1.0
+appVersion: "0.0.4"
+home: https://github.com/zosmaai/openzosma
+sources:
+  - https://github.com/zosmaai/openzosma
+keywords:
+  - ai
+  - agents
+  - sandbox
+  - llm
+  - self-hosted
+maintainers:
+  - name: zosmaai
+    url: https://zosma.ai

charts/openzosma/templates/NOTES.txt

@@ -0,0 +1,48 @@
+
+OpenZosma has been deployed!
+
+{{- if .Values.ingress.enabled }}
+
+Access the application at:
+{{- if .Values.ingress.tls.enabled }}
+  https://{{ .Values.ingress.host }}
+{{- else }}
+  http://{{ .Values.ingress.host }}
+{{- end }}
+
+Ingress type: {{ .Values.ingress.type }}
+{{- end }}
+
+Components:
+  - Gateway:  {{ include "openzosma.fullname" . }}-gateway (port {{ .Values.gateway.port }})
+{{- if .Values.web.enabled }}
+  - Web:      {{ include "openzosma.fullname" . }}-web (port {{ .Values.web.port }})
+{{- end }}
+
+Sandbox mode: {{ .Values.sandbox.mode }}
+
+{{- if not .Values.postgresql.host }}
+
+WARNING: postgresql.host is not set. The gateway will fail to start without a database connection.
+Set it with: --set postgresql.host=your-db-host
+{{- end }}
+
+{{- if not .Values.auth.secret }}
+
+WARNING: auth.secret is not set. Set a secure random string for session signing:
+  --set auth.secret=$(openssl rand -hex 32)
+{{- end }}
+
+{{- if and (not .Values.llm.anthropicApiKey) (not .Values.llm.openaiApiKey) (not .Values.llm.localModelUrl) }}
+
+WARNING: No LLM API key configured. Set at least one:
+  --set llm.anthropicApiKey=sk-ant-...
+  --set llm.openaiApiKey=sk-...
+  --set llm.localModelUrl=http://your-model:8080/v1
+{{- end }}
+
+Run database migrations:
+  kubectl exec -it deploy/{{ include "openzosma.fullname" . }}-gateway -- npx db-migrate up
+  kubectl exec -it deploy/{{ include "openzosma.fullname" . }}-gateway -- npx db-migrate up --config config/auth-database.json
+
+Documentation: https://github.com/zosmaai/openzosma

charts/openzosma/templates/_helpers.tpl

@@ -0,0 +1,97 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "openzosma.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+*/}}
+{{- define "openzosma.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "openzosma.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels.
+*/}}
+{{- define "openzosma.labels" -}}
+helm.sh/chart: {{ include "openzosma.chart" . }}
+{{ include "openzosma.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels.
+*/}}
+{{- define "openzosma.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "openzosma.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Gateway selector labels.
+*/}}
+{{- define "openzosma.gateway.selectorLabels" -}}
+{{ include "openzosma.selectorLabels" . }}
+app.kubernetes.io/component: gateway
+{{- end }}
+
+{{/*
+Web selector labels.
+*/}}
+{{- define "openzosma.web.selectorLabels" -}}
+{{ include "openzosma.selectorLabels" . }}
+app.kubernetes.io/component: web
+{{- end }}
+
+{{/*
+Service account name.
+*/}}
+{{- define "openzosma.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "openzosma.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Construct the DATABASE_URL from postgresql values.
+*/}}
+{{- define "openzosma.databaseUrl" -}}
+postgresql://{{ .Values.postgresql.username }}:$(DB_PASS)@{{ .Values.postgresql.host }}:{{ .Values.postgresql.port }}/{{ .Values.postgresql.database }}
+{{- end }}
+
+{{/*
+Name of the secret containing sensitive values.
+*/}}
+{{- define "openzosma.secretName" -}}
+{{ include "openzosma.fullname" . }}
+{{- end }}
+
+{{/*
+Name of the configmap.
+*/}}
+{{- define "openzosma.configmapName" -}}
+{{ include "openzosma.fullname" . }}
+{{- end }}

charts/openzosma/templates/configmap.yaml

@@ -0,0 +1,57 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "openzosma.configmapName" . }}
+  labels:
+    {{- include "openzosma.labels" . | nindent 4 }}
+data:
+  # Database
+  DB_HOST: {{ .Values.postgresql.host | quote }}
+  DB_PORT: {{ .Values.postgresql.port | quote }}
+  DB_NAME: {{ .Values.postgresql.database | quote }}
+  DB_USER: {{ .Values.postgresql.username | quote }}
+  DB_POOL_SIZE: {{ .Values.postgresql.poolSize | quote }}
+
+  # Valkey
+  {{- if .Values.valkey.url }}
+  VALKEY_URL: {{ .Values.valkey.url | quote }}
+  {{- end }}
+
+  # RabbitMQ
+  {{- if .Values.rabbitmq.url }}
+  RABBITMQ_URL: {{ .Values.rabbitmq.url | quote }}
+  {{- end }}
+
+  # Gateway
+  GATEWAY_PORT: {{ .Values.gateway.port | quote }}
+  GATEWAY_HOST: "0.0.0.0"
+  {{- if .Values.auth.url }}
+  PUBLIC_URL: {{ .Values.auth.url | quote }}
+  {{- else }}
+  PUBLIC_URL: {{ printf "http://%s" .Values.ingress.host | quote }}
+  {{- end }}
+
+  # Agent
+  OPENZOSMA_MODEL_PROVIDER: {{ .Values.agent.provider | quote }}
+  OPENZOSMA_MODEL_ID: {{ .Values.agent.modelId | quote }}
+  OPENZOSMA_WORKSPACE: {{ .Values.agent.workspace | quote }}
+
+  # Sandbox / Orchestrator
+  OPENZOSMA_SANDBOX_MODE: {{ .Values.sandbox.mode | quote }}
+  SANDBOX_IMAGE: {{ .Values.sandbox.image | quote }}
+  SANDBOX_AGENT_PORT: {{ .Values.sandbox.agentPort | quote }}
+  MAX_SANDBOXES: {{ .Values.sandbox.maxSandboxes | quote }}
+  SANDBOX_IDLE_SUSPEND_MS: {{ .Values.sandbox.idleSuspendMs | int | quote }}
+  SANDBOX_HEALTH_CHECK_INTERVAL_MS: {{ .Values.sandbox.healthCheckIntervalMs | quote }}
+  SANDBOX_READY_TIMEOUT_MS: {{ .Values.sandbox.readyTimeoutMs | quote }}
+  SANDBOX_POLICY_PATH: {{ .Values.sandbox.policyPath | quote }}
+
+  # Auth
+  {{- if .Values.auth.url }}
+  AUTH_URL: {{ .Values.auth.url | quote }}
+  {{- end }}
+
+  # Web
+  {{- if .Values.web.enabled }}
+  NEXT_PUBLIC_GATEWAY_URL: {{ printf "http://%s-gateway:%d" (include "openzosma.fullname" .) (.Values.gateway.port | int) | quote }}
+  {{- end }}

charts/openzosma/templates/gateway-deployment.yaml

@@ -0,0 +1,77 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "openzosma.fullname" . }}-gateway
+  labels:
+    {{- include "openzosma.labels" . | nindent 4 }}
+    app.kubernetes.io/component: gateway
+spec:
+  {{- if not .Values.gateway.autoscaling.enabled }}
+  replicas: {{ .Values.gateway.replicas }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "openzosma.gateway.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+        checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
+      labels:
+        {{- include "openzosma.gateway.selectorLabels" . | nindent 8 }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "openzosma.serviceAccountName" . }}
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1001
+        runAsGroup: 1001
+        fsGroup: 1001
+      containers:
+        - name: gateway
+          image: "{{ .Values.gateway.image.repository }}:{{ .Values.gateway.image.tag }}"
+          imagePullPolicy: {{ .Values.gateway.image.pullPolicy }}
+          ports:
+            - name: http
+              containerPort: {{ .Values.gateway.port }}
+              protocol: TCP
+          envFrom:
+            - configMapRef:
+                name: {{ include "openzosma.configmapName" . }}
+            - secretRef:
+                name: {{ include "openzosma.secretName" . }}
+          {{- if .Values.postgresql.existingSecret }}
+          env:
+            - name: DB_PASS
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.postgresql.existingSecret }}
+                  key: password
+          {{- end }}
+          readinessProbe:
+            tcpSocket:
+              port: http
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          livenessProbe:
+            tcpSocket:
+              port: http
+            initialDelaySeconds: 15
+            periodSeconds: 20
+          resources:
+            {{- toYaml .Values.gateway.resources | nindent 12 }}
+      {{- with .Values.gateway.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.gateway.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.gateway.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}

charts/openzosma/templates/gateway-hpa.yaml

@@ -0,0 +1,23 @@
+{{- if .Values.gateway.autoscaling.enabled }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ include "openzosma.fullname" . }}-gateway
+  labels:
+    {{- include "openzosma.labels" . | nindent 4 }}
+    app.kubernetes.io/component: gateway
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{ include "openzosma.fullname" . }}-gateway
+  minReplicas: {{ .Values.gateway.autoscaling.minReplicas }}
+  maxReplicas: {{ .Values.gateway.autoscaling.maxReplicas }}
+  metrics:
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.gateway.autoscaling.targetCPU }}
+{{- end }}

charts/openzosma/templates/gateway-service.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "openzosma.fullname" . }}-gateway
+  labels:
+    {{- include "openzosma.labels" . | nindent 4 }}
+    app.kubernetes.io/component: gateway
+spec:
+  type: ClusterIP
+  ports:
+    - port: {{ .Values.gateway.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    {{- include "openzosma.gateway.selectorLabels" . | nindent 4 }}