Add readOnlyRootFileSystem for the common services: (#867)

- data-prep
- retriever-usvc

Signed-off-by: Lianhao Lu <[email protected]>

Author: lianhao

helm-charts/common/data-prep/templates/configmap.yaml

@@ -64,3 +64,6 @@ data:
   no_proxy: {{ .Values.global.no_proxy | quote }}
   {{- end }}
   LOGFLAG: {{ .Values.LOGFLAG | quote }}
+  NUMBA_CACHE_DIR: "/tmp/numba/cache"
+  XDG_CACHE_HOME: "/tmp/fontconfig/cache"
+  MPLCONFIGDIR: "/tmp/matplotlib"

helm-charts/common/data-prep/templates/deployment.yaml

@@ -82,6 +82,12 @@ spec:
           volumeMounts:
             - mountPath: /tmp
               name: tmp
+            - mountPath: /home/user/comps/dataprep/src/uploaded_files
+              name: uploaded-files
+            - mountPath: /home/user/nltk_data
+              name: nltk-data
+            - mountPath: /home/user/.config
+              name: user-config-data
           {{- if .Values.livenessProbe }}
           livenessProbe:
             {{- toYaml .Values.livenessProbe | nindent 12 }}
@@ -99,6 +105,12 @@ spec:
       volumes:
         - name: tmp
           emptyDir: {}
+        - name: uploaded-files
+          emptyDir: {}
+        - name: nltk-data
+          emptyDir: {}
+        - name: user-config-data
+          emptyDir: {}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

helm-charts/common/data-prep/templates/tests/test-pod.yaml

@@ -17,18 +17,22 @@ spec:
       command: ['bash', '-c']
       args:
         - |
-          echo "test file" > /tmp/file1.txt;
-          max_retry=20;
-          echo "test upload...";
-          for ((i=1; i<=max_retry; i++)); do
-            curl http://{{ include "data-prep.fullname" . }}:{{ .Values.service.port }}/v1/dataprep/ingest -sS --fail-with-body \
-            -X POST \
-            -H "Content-Type: multipart/form-data" \
-            -F "files=@/tmp/file1.txt" && break;
-            curlcode=$?
-            if [[ $curlcode -eq 7 ]]; then sleep 10; else echo "curl failed with code $curlcode"; exit 1; fi;
+          filetypes=(docx pdf txt xlsx pptx doc);
+          for type in ${filetypes[@]}; do
+            echo "Get ingest file of type $type ...";
+            curl -sLJO "https://github.com/opea-project/GenAIComps/raw/refs/heads/main/tests/dataprep/ingest_dataprep.${type}";
+            max_retry=20;
+            echo "Test ingest file of type $type ...";
+            for ((i=1; i<=max_retry; i++)); do
+              curl http://{{ include "data-prep.fullname" . }}:{{ .Values.service.port }}/v1/dataprep/ingest -sS --fail-with-body \
+                -X POST -H "Content-Type: multipart/form-data" \
+                -F "files=@./ingest_dataprep.${type}" && break;
+              curlcode=$?;
+              if [[ $curlcode -eq 7 ]]; then sleep 10; else echo "curl failed with code $curlcode"; exit 1; fi;
+            done;
+            if [ $i -gt $max_retry ]; then echo "test failed with maximum retry"; exit 1; fi
+            echo "";
           done;
-          if [ $i -gt $max_retry ]; then echo "test failed with maximum retry"; exit 1; fi
           echo "test delete...";
           for ((i=1; i<=max_retry; i++)); do
               curl http://{{ include "data-prep.fullname" . }}:{{ .Values.service.port }}/v1/dataprep/delete -sS --fail-with-body \

helm-charts/common/data-prep/values.yaml

@@ -77,7 +77,7 @@ podSecurityContext: {}
   # fsGroup: 2000
 
 securityContext:
-  readOnlyRootFilesystem: false
+  readOnlyRootFilesystem: true
   allowPrivilegeEscalation: false
   runAsNonRoot: true
   runAsUser: 1000

helm-charts/common/retriever-usvc/templates/configmap.yaml

@@ -63,3 +63,6 @@ data:
   HF_HOME: "/tmp/.cache/huggingface"
   HUGGINGFACEHUB_API_TOKEN: {{ .Values.global.HUGGINGFACEHUB_API_TOKEN | quote}}
   LOGFLAG: {{ .Values.LOGFLAG | quote }}
+  NUMBA_CACHE_DIR: "/tmp/numba/cache"
+  MPLCONFIGDIR: "/tmp/matplotlib"
+  HAYSTACK_TELEMETRY_ENABLED: "False"

helm-charts/common/retriever-usvc/templates/deployment.yaml

@@ -82,6 +82,8 @@ spec:
           volumeMounts:
             - mountPath: /tmp
               name: tmp
+            - mountPath: /home/user/nltk_data
+              name: nltk-data
           {{- if .Values.livenessProbe }}
           livenessProbe:
             {{- toYaml .Values.livenessProbe | nindent 12 }}
@@ -99,6 +101,8 @@ spec:
       volumes:
         - name: tmp
           emptyDir: {}
+        - name: nltk-data
+          emptyDir: {}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

helm-charts/common/retriever-usvc/values.yaml

@@ -68,8 +68,7 @@ podSecurityContext: {}
   # fsGroup: 2000
 
 securityContext:
-  # NOTE: many dependent python modules(e.g. numpy, mpl, haystack, etc.) need to write to local disk
-  readOnlyRootFilesystem: false
+  readOnlyRootFilesystem: true
   allowPrivilegeEscalation: false
   runAsNonRoot: true
   runAsUser: 1000