feat(helm): add Neo 4.x Helm chart with microservice architecture #9
New chart at charts/netapp-neo/ for the v4.x multi-service deployment: 6 independently scalable services (api, worker, extractor, ner, ui, postgres) with shared secrets, per-service configmaps, health probes, init containers, GPU support for NER, and optional ingress.
@romdalf - could you review this PR for 4.x.x code line support? Thanks in advance.
Pull request overview
Adds a new Helm chart (charts/netapp-neo/) to deploy NetApp NEO v4.x as a multi-service (microservice-style) application with optional in-cluster PostgreSQL and shared configuration/secrets.
Changes:
- Introduces a new Helm chart definition and default values for API/worker/extractor/NER/UI/PostgreSQL.
- Adds Kubernetes manifests (Deployments/Services/Ingresses/ConfigMaps/Secrets) for each service plus optional PostgreSQL StatefulSet.
- Adds helper templates for inter-service URLs, DATABASE_URL construction, and a reusable wait-for-db initContainer.
Reviewed changes
Copilot reviewed 29 out of 29 changed files in this pull request and generated 9 comments.
| File | Description |
|---|---|
| charts/netapp-neo/Chart.yaml | New chart metadata for netapp-neo v4.x (appVersion/version). |
| charts/netapp-neo/values.yaml | Default configuration for all services, ingress, GPU toggles, and PostgreSQL settings. |
| charts/netapp-neo/templates/_helpers.tpl | Template helpers for naming/labels, inter-service URLs, DATABASE_URL, image tags, and DB wait initContainer. |
| charts/netapp-neo/templates/NOTES.txt | Post-install guidance and endpoint summary for deployed services/ingresses. |
| charts/netapp-neo/templates/api-deployment.yaml | API Deployment wiring env/config/secrets, probes, and optional DB init container. |
| charts/netapp-neo/templates/api-service.yaml | API Service definition (incl. sessionAffinity). |
| charts/netapp-neo/templates/api-ingress.yaml | Optional API Ingress template. |
| charts/netapp-neo/templates/configmap-api.yaml | API ConfigMap for non-secret runtime settings and internal URLs. |
| charts/netapp-neo/templates/worker-deployment.yaml | Worker Deployment wiring env/config/secrets, probes, and optional DB init container. |
| charts/netapp-neo/templates/worker-service.yaml | Worker Service definition for internal API→worker communication. |
| charts/netapp-neo/templates/configmap-worker.yaml | Worker ConfigMap for concurrency and internal service URLs. |
| charts/netapp-neo/templates/extractor-deployment.yaml | Extractor Deployment wiring env/config/secrets, probes, privileged securityContext, and optional DB init container. |
| charts/netapp-neo/templates/extractor-service.yaml | Extractor Service definition for internal worker→extractor communication. |
| charts/netapp-neo/templates/configmap-extractor.yaml | Extractor ConfigMap for extractor/VLM/OpenAI non-secret settings. |
| charts/netapp-neo/templates/ner-deployment.yaml | NER Deployment wiring env/config, probes, and optional GPU resource limits. |
| charts/netapp-neo/templates/ner-service.yaml | NER Service definition for internal calls. |
| charts/netapp-neo/templates/configmap-ner.yaml | NER ConfigMap for model/runtime settings. |
| charts/netapp-neo/templates/ui-deployment.yaml | UI Deployment wiring NEO_API env var and probes. |
| charts/netapp-neo/templates/ui-service.yaml | UI Service definition. |
| charts/netapp-neo/templates/ui-ingress.yaml | Optional UI Ingress template. |
| charts/netapp-neo/templates/postgres-statefulset.yaml | Optional PostgreSQL StatefulSet with probes and persistence configuration. |
| charts/netapp-neo/templates/postgres-service.yaml | Optional PostgreSQL Service for in-cluster DB access. |
| charts/netapp-neo/templates/secret-db.yaml | Secret for DATABASE_URL and PostgreSQL credentials. |
| charts/netapp-neo/templates/secret-encryption.yaml | Shared encryption key Secret. |
| charts/netapp-neo/templates/secret-jwt.yaml | API JWT Secret. |
| charts/netapp-neo/templates/secret-license.yaml | Shared license/connector id Secret. |
| charts/netapp-neo/templates/secret-graph.yaml | Microsoft Graph credential Secret. |
| charts/netapp-neo/templates/secret-mcp.yaml | MCP OAuth/API key Secret for API integration. |
| charts/netapp-neo/templates/secret-openai.yaml | OpenAI API key Secret for extractor. |
| {{- if .Values.ner.gpu.enabled }} | ||
| resources: | ||
| limits: | ||
| nvidia.com/gpu: {{ .Values.ner.gpu.count }} | ||
| {{- else if .Values.ner.resources }} | ||
| resources: | ||
| {{- toYaml .Values.ner.resources | nindent 12 }} | ||
| {{- end }} |
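Review bot: The `nvidia.com/gpu` limit in the `ner.gpu.enabled` branch is rendered straight from `.Values.ner.gpu.count` with no guard, so an override that leaves the value empty or sets a non-integer yields a null or invalid quantity that surfaces only when the manifest is applied. Consider failing at render time instead, for example `nvidia.com/gpu: {{ required "ner.gpu.count is required when ner.gpu.enabled=true" .Values.ner.gpu.count | int }}`.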
With ner.gpu.enabled=true, the template hard-codes resources.limits.nvidia.com/gpu and ignores any CPU/memory requests/limits users might set in ner.resources. This makes it hard to run reliably on GPU nodes (OOM/evictions). Consider merging GPU limits into ner.resources (or supporting separate ner.gpu.resources overrides) instead of replacing the entire resources block.
With a helm lint, was good... just the nit: While deploying, I got the following warning: The chart was deployed, and I got the extractor in a crash backoff loop, which I am 100% sure I am doing something wrong. I am guessing I might need to point to a directory to ingest/chunk documents: Other than that, just from a chart/yaml perspective... this looks good to me.
Summary
- charts/netapp-neo/ for the v4.x multi-service architecture

Design highlights
- postgresql.auth.* when built-in postgres enabled, or passthrough via postgresql.externalDatabaseUrl
- SYS_ADMIN + DAC_READ_SEARCH caps (not privileged), extractor gets privileged: true, api/worker run as UID 1000
- ner.gpu.enabled, adds nvidia.com/gpu resource limits + nodeSelector/tolerations
- wait-for-db) on api, worker, extractor — conditional on postgresql.enabled
- sessionAffinity: ClientIP

Test plan
- helm lint charts/netapp-neo — passed (0 failures)
- helm template test charts/netapp-neo — all 26 manifests render correctly
- privileged: true
- ner.gpu.enabled=true
- postgresql.enabled=false omits StatefulSet, Service, and init containers