From 88db603193f873143b25d9a0b7ab4a986291f672 Mon Sep 17 00:00:00 2001 From: Sara Qasmi Date: Fri, 8 Aug 2025 15:54:01 +0200 Subject: [PATCH 1/8] feat: Add support for initContainer in UI deployment Signed-off-by: Sara Qasmi --- helm/kagent/templates/ui-deployment.yaml | 3 +++ helm/kagent/tests/ui-deployment_test.yaml | 26 ++++++++++++++++++++++- helm/kagent/values.yaml | 13 ++++++++++++ 3 files changed, 41 insertions(+), 1 deletion(-) diff --git a/helm/kagent/templates/ui-deployment.yaml b/helm/kagent/templates/ui-deployment.yaml index 784569f17..caf24c236 100644 --- a/helm/kagent/templates/ui-deployment.yaml +++ b/helm/kagent/templates/ui-deployment.yaml @@ -33,6 +33,9 @@ spec: {{- with .Values.ui.tolerations }} tolerations: {{- toYaml . | nindent 8 }} + {{- with .Values.ui.initContainers }} + initContainers: + {{- tpl (toYaml .) $ | nindent 8 }} {{- end }} containers: - name: ui diff --git a/helm/kagent/tests/ui-deployment_test.yaml b/helm/kagent/tests/ui-deployment_test.yaml index be2481955..ac1e21e03 100644 --- a/helm/kagent/tests/ui-deployment_test.yaml +++ b/helm/kagent/tests/ui-deployment_test.yaml @@ -102,4 +102,28 @@ tests: key: role value: AI effect: NoSchedule - operator: Equal \ No newline at end of file + operator: Equal + - it: should include init-nginx container + set: + ui: + initContainers: + - name: init-nginx + image: busybox + command: + - sh + - -c + - | + mkdir -p /var/lib/nginx/tmp/client_body + volumeMounts: + - name: nginx-writable + mountPath: /var/lib/nginx + asserts: + - equal: + path: spec.template.spec.initContainers[0].name + value: init-nginx + - equal: + path: spec.template.spec.initContainers[0].image + value: busybox + - equal: + path: spec.template.spec.initContainers[0].volumeMounts[0].mountPath + value: /var/lib/nginx diff --git a/helm/kagent/values.yaml b/helm/kagent/values.yaml index cdda26338..e4923bfe6 100644 --- a/helm/kagent/values.yaml +++ b/helm/kagent/values.yaml 
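Review bot: The `{{- with .Values.ui.tolerations }}` block in `ui-deployment.yaml` loses its closing action here: the new `{{- with .Values.ui.initContainers }}` opens before the single `{{- end }}` that follows, so the new side has two `with` actions and one `end`. Patch 5/8 later inserts the missing `{{- end }}` after the tolerations `toYaml` line, which suggests patches 1–4 do not parse on their own and the test added in this patch cannot pass when bisecting. Adding `{{- end }}` directly before `{{- with .Values.ui.initContainers }}` in this commit keeps every step of the series renderable.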
@@ -125,6 +125,19 @@ ui: # -- Node labels to match for `Pod` [scheduling](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/). nodeSelector: {} + # Init containers to add to the UI pod if your require a custom configuration + initContainers: [] + # - name: init-nginx + # image: busybox + # command: + # - sh + # - -c + # - | + # mkdir -p /var/lib/nginx/tmp/client_body + # volumeMounts: + # - name: nginx-writable + # mountPath: /var/lib/nginx + # ============================================================================== # LLM PROVIDERS CONFIGURATION # ============================================================================== From fffa4597b608101e9f0ce79f6902b894cd705bfb Mon Sep 17 00:00:00 2001 From: Sara Qasmi Date: Fri, 8 Aug 2025 19:41:27 +0200 Subject: [PATCH 2/8] feat: Add support for running UI deployment in restrictive environments Signed-off-by: Sara Qasmi --- helm/kagent/templates/ui-deployment.yaml | 22 +++++++++++++- helm/kagent/tests/ui-deployment_test.yaml | 35 ++++++++++++++++------- helm/kagent/values.yaml | 35 +++++++++++++++++------ ui/Dockerfile | 7 +++-- 4 files changed, 76 insertions(+), 23 deletions(-) diff --git a/helm/kagent/templates/ui-deployment.yaml b/helm/kagent/templates/ui-deployment.yaml index caf24c236..f8a724d92 100644 --- a/helm/kagent/templates/ui-deployment.yaml +++ b/helm/kagent/templates/ui-deployment.yaml @@ -37,6 +37,16 @@ spec: initContainers: {{- tpl (toYaml .) $ | nindent 8 }} {{- end }} + volumes: + - emptyDir: {} + name: tmp + - emptyDir: {} + name: lib-nginx + - emptyDir: {} + name: run-nginx + {{- with .Values.ui.volumes }} + {{- toYaml . | nindent 8 }} + {{- end }} containers: - name: ui securityContext: 
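Review bot: The commented `initContainers` example in `values.yaml` uses an untagged `image: busybox` and carries no `securityContext`. Entries of this list are rendered as given, so the container-level `securityContext` the template sets on the `ui` container does not apply to them. On a cluster that enforces a restricted pod security policy, an init container without `allowPrivilegeEscalation: false` and dropped capabilities is likely to be refused at admission. I would pin the example image (`image: busybox:<pinned-tag>`), add a `securityContext` block that mirrors the UI container's, and state in the comment above the key that every init container must bring its own security context.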
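Review bot: Entries from `.Values.ui.volumes` are appended after the built-in volumes `tmp`, `lib-nginx` and `run-nginx`, and nothing stops a user entry from reusing one of those names; Kubernetes rejects a pod spec with duplicate volume names. The test added in this same patch sets a volume named `tmp` and passes only because `contains` does not check uniqueness. The values comment should name the reserved names, for example `# -- Additional volumes to the UI pod (tmp, lib-nginx and run-nginx are reserved by the chart)`. The pod spec that holds this `volumes:` list continues outside the hunk.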
@@ -65,4 +75,14 @@ spec: httpGet: path: /health port: http - periodSeconds: 30 \ No newline at end of file + periodSeconds: 30 + volumeMounts: + - mountPath: /tmp + name: tmp + - mountPath: /var/lib/nginx + name: lib-nginx + - mountPath: /run/nginx + name: run-nginx + {{- with .Values.ui.volumeMounts }} + {{- toYaml . | nindent 12 }} + {{- end }} \ No newline at end of file diff --git a/helm/kagent/tests/ui-deployment_test.yaml b/helm/kagent/tests/ui-deployment_test.yaml index ac1e21e03..de468406e 100644 --- a/helm/kagent/tests/ui-deployment_test.yaml +++ b/helm/kagent/tests/ui-deployment_test.yaml @@ -103,20 +103,14 @@ tests: value: AI effect: NoSchedule operator: Equal + - it: should include init-nginx container set: ui: initContainers: - name: init-nginx image: busybox - command: - - sh - - -c - - | - mkdir -p /var/lib/nginx/tmp/client_body - volumeMounts: - - name: nginx-writable - mountPath: /var/lib/nginx + command: [] asserts: - equal: path: spec.template.spec.initContainers[0].name @@ -125,5 +119,26 @@ tests: path: spec.template.spec.initContainers[0].image value: busybox - equal: - path: spec.template.spec.initContainers[0].volumeMounts[0].mountPath - value: /var/lib/nginx + path: spec.template.spec.initContainers[0].command + value: [] + + - it: should include extra volumes and volumeMounts + set: + ui: + volumeMounts: + - mountPath: /tmp + name: tmp + volumes: + - name: tmp + emptyDir: {} + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + mountPath: /tmp + name: tmp + - contains: + path: spec.template.spec.volumes + content: + name: tmp + emptyDir: {} diff --git a/helm/kagent/values.yaml b/helm/kagent/values.yaml index e4923bfe6..157a11917 100644 --- a/helm/kagent/values.yaml +++ b/helm/kagent/values.yaml 
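Review bot: Mounting an `emptyDir` at `/var/lib/nginx` hides whatever the image ships under that path, including the `/var/lib/nginx/tmp/client_body` directory and the `/var/lib/nginx/logs/error.log` file that the `ui/Dockerfile` hunk of this patch creates. If nginx expects those paths to exist at start-up (its configuration is not visible here, so this is an assumption), the container starts with an empty directory and the Dockerfile change has no effect under the chart. Either mount narrower writable sub-paths or keep a documented init container that recreates the directories, and record the behaviour next to the mount, e.g. `# emptyDir replaces the image's /var/lib/nginx content`.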
@@ -129,15 +129,32 @@ ui: initContainers: [] # - name: init-nginx # image: busybox - # command: - # - sh - # - -c - # - | - # mkdir -p /var/lib/nginx/tmp/client_body - # volumeMounts: - # - name: nginx-writable - # mountPath: /var/lib/nginx - + # command: [] + + # -- Additional volumeMounts to the UI container + volumeMounts: [] + # - mountPath: /tmp + # name: tmp + + # -- Additional volumes to the UI pod + volumes: [] + # - name: tmp + # emptyDir: {} + + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + readOnlyRootFilesystem: false + seccompProfile: + type: RuntimeDefault + + podSecurityContext: + runAsUser: 1001 + runAsGroup: 1001 + runAsNonRoot: true + fsGroup: 1001 + # ============================================================================== # LLM PROVIDERS CONFIGURATION # ============================================================================== diff --git a/ui/Dockerfile b/ui/Dockerfile index 7375cb9bb..5d0d6fd5c 100644 --- a/ui/Dockerfile +++ b/ui/Dockerfile @@ -76,15 +76,16 @@ RUN mkdir -p $BUN_INSTALL \ && curl -fsSL https://bun.sh/install | bash -s "bun-v$TOOLS_BUN_VERSION" \ && bun --version -RUN mkdir -p /app/ui/public /run/nginx/ /var/run/nginx/ /var/lib/nginx/tmp/ /var/lib/nginx/logs/ \ +RUN mkdir -p /app/ui/public /run/nginx/ /var/run/nginx/ /var/lib/nginx/tmp/ /var/lib/nginx/tmp/client_body /var/lib/nginx/logs/ \ && addgroup -g 1001 nginx \ && adduser -u 1001 -G nginx -s /bin/bash -D nextjs \ && adduser -u 1002 -G nginx -s /bin/bash -D nginx \ && chown -vR nextjs:nginx /app/ui \ && chown -vR nextjs:nginx /run/nginx \ && chown -vR nextjs:nginx /var/run/nginx \ - && chown -vR nextjs:nginx /var/lib/nginx/ - + && chown -vR nextjs:nginx /var/lib/nginx/ \ + && touch /var/lib/nginx/logs/error.log + WORKDIR /app COPY conf/nginx.conf /etc/nginx/nginx.conf COPY conf/supervisord.conf /etc/supervisor/conf.d/supervisord.conf From 1b058f7b64d8115b6c4ddeaffc3511d23fdfb948 Mon Sep 17 00:00:00 2001 
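Review bot: `readOnlyRootFilesystem: false` remains the default in the new `securityContext` block, although this patch adds writable `emptyDir` mounts for `/tmp`, `/var/lib/nginx` and `/run/nginx`, which is the usual preparation for a read-only root filesystem. Whether the UI still writes elsewhere cannot be told from the hunk, so the key at least deserves a comment such as `# -- Set to true once no path outside the chart's emptyDir mounts is written at runtime`. The new `securityContext` and `podSecurityContext` keys also lack the `# --` description lines that the neighbouring keys carry.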
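Review bot: The new `touch /var/lib/nginx/logs/error.log` runs after `chown -vR nextjs:nginx /var/lib/nginx/`, so the file is created by the build user (presumably root, since `addgroup` and `adduser` run in the same `RUN`) and is not covered by the recursive chown. A process running as `nextjs` would then be unable to append to it. Moving the command ahead of the chown lines fixes the ownership: `&& touch /var/lib/nginx/logs/error.log \` placed before `&& chown -vR nextjs:nginx /var/lib/nginx/`. Patch 8/8 rewrites this line but keeps the same order.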
From: sara Date: Fri, 8 Aug 2025 17:22:06 +0200 Subject: [PATCH 3/8] feat: Add support for nodeSelector and tolerations (#719) * feat: Add support for nodeSelector and tolerations Signed-off-by: Sara Qasmi * feat: Add support for nodeSelector and tolerations in tools Signed-off-by: Sara Qasmi --------- Signed-off-by: Sara Qasmi Co-authored-by: Sara Qasmi Signed-off-by: Sara Qasmi --- helm/kagent/templates/ui-deployment.yaml | 6 +++++ helm/kagent/tests/ui-deployment_test.yaml | 31 ++++++++++++++++++++++- 2 files changed, 36 insertions(+), 1 deletion(-) diff --git a/helm/kagent/templates/ui-deployment.yaml b/helm/kagent/templates/ui-deployment.yaml index f8a724d92..64f8b4639 100644 --- a/helm/kagent/templates/ui-deployment.yaml +++ b/helm/kagent/templates/ui-deployment.yaml @@ -45,6 +45,12 @@ spec: - emptyDir: {} name: run-nginx {{- with .Values.ui.volumes }} + {{- with .Values.ui.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.ui.tolerations }} + tolerations: {{- toYaml . | nindent 8 }} {{- end }} containers: diff --git a/helm/kagent/tests/ui-deployment_test.yaml b/helm/kagent/tests/ui-deployment_test.yaml index de468406e..4e285b138 100644 --- a/helm/kagent/tests/ui-deployment_test.yaml +++ b/helm/kagent/tests/ui-deployment_test.yaml @@ -103,7 +103,7 @@ tests: value: AI effect: NoSchedule operator: Equal - + - it: should include init-nginx container set: ui: @@ -142,3 +142,32 @@ tests: content: name: tmp emptyDir: {} + + - it: should set nodeSelector + set: + ui: + nodeSelector: + role: AI + asserts: + - equal: + path: spec.template.spec.nodeSelector + value: + role: AI + + - it: should set tolerations + set: + ui: + tolerations: + - key: role + operator: Equal + value: AI + effect: NoSchedule + asserts: + - contains: + any: true + path: spec.template.spec.tolerations + content: + key: role + value: AI + effect: NoSchedule + operator: Equal From 80d15c330b14e9610375741e142c6f0ce878305e Mon Sep 17 00:00:00 2001 
From: Sara Qasmi Date: Fri, 8 Aug 2025 20:18:03 +0200 Subject: [PATCH 4/8] doc: fix values comments Signed-off-by: Sara Qasmi --- helm/kagent/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helm/kagent/values.yaml b/helm/kagent/values.yaml index 157a11917..019299639 100644 --- a/helm/kagent/values.yaml +++ b/helm/kagent/values.yaml @@ -125,7 +125,7 @@ ui: # -- Node labels to match for `Pod` [scheduling](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/). nodeSelector: {} - # Init containers to add to the UI pod if your require a custom configuration + # -- Init containers to add to the UI pod if you require a custom configuration initContainers: [] # - name: init-nginx # image: busybox From 14ab851cf8f7abed63f569f23a6fc3b78e9511e1 Mon Sep 17 00:00:00 2001 From: Sara Qasmi Date: Fri, 8 Aug 2025 20:44:23 +0200 Subject: [PATCH 5/8] feat: extend securitycontext Signed-off-by: Sara Qasmi --- helm/kagent/templates/ui-deployment.yaml | 11 +++------ helm/kagent/tests/ui-deployment_test.yaml | 30 +---------------------- 2 files changed, 4 insertions(+), 37 deletions(-) diff --git a/helm/kagent/templates/ui-deployment.yaml b/helm/kagent/templates/ui-deployment.yaml index 64f8b4639..216c372fb 100644 --- a/helm/kagent/templates/ui-deployment.yaml +++ b/helm/kagent/templates/ui-deployment.yaml @@ -24,7 +24,7 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- toYaml (.Values.ui.podSecurityContext | default .Values.podSecurityContext ) | nindent 8 }} serviceAccountName: {{ include "kagent.fullname" . }}-ui {{- with .Values.ui.nodeSelector }} nodeSelector: @@ -33,6 +33,7 @@ spec: {{- with .Values.ui.tolerations }} tolerations: {{- toYaml . | nindent 8 }} + {{- end }} {{- with .Values.ui.initContainers }} initContainers: {{- tpl (toYaml .) $ | nindent 8 }} 
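Review bot: The fallback in `(.Values.ui.podSecurityContext | default .Values.podSecurityContext)` will rarely fire, because patch 2/8 appears to give `ui.podSecurityContext` and `ui.securityContext` non-empty defaults in `values.yaml`. An installation that hardened the chart-wide `podSecurityContext` or `securityContext` would find the UI pod silently ignoring those overrides after this change; the second hunk of this patch has the same pattern for the container `securityContext`. Either leave the `ui.*` defaults empty (`podSecurityContext: {}`, `securityContext: {}`) so the global values still apply, or document the precedence in the `# --` comments. The series also has no test that pins which of the two values wins.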
@@ -45,18 +46,12 @@ spec: - emptyDir: {} name: run-nginx {{- with .Values.ui.volumes }} - {{- with .Values.ui.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.ui.tolerations }} - tolerations: {{- toYaml . | nindent 8 }} {{- end }} containers: - name: ui securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} + {{- toYaml (.Values.ui.securityContext | default .Values.securityContext ) | nindent 12 }} image: "{{ .Values.ui.image.registry }}/{{ .Values.ui.image.repository }}:{{ coalesce .Values.tag .Values.ui.image.tag .Chart.Version }}" imagePullPolicy: {{ .Values.ui.image.pullPolicy | default .Values.imagePullPolicy }} env: diff --git a/helm/kagent/tests/ui-deployment_test.yaml b/helm/kagent/tests/ui-deployment_test.yaml index 4e285b138..bed57552d 100644 --- a/helm/kagent/tests/ui-deployment_test.yaml +++ b/helm/kagent/tests/ui-deployment_test.yaml @@ -142,32 +142,4 @@ tests: content: name: tmp emptyDir: {} - - - it: should set nodeSelector - set: - ui: - nodeSelector: - role: AI - asserts: - - equal: - path: spec.template.spec.nodeSelector - value: - role: AI - - - it: should set tolerations - set: - ui: - tolerations: - - key: role - operator: Equal - value: AI - effect: NoSchedule - asserts: - - contains: - any: true - path: spec.template.spec.tolerations - content: - key: role - value: AI - effect: NoSchedule - operator: Equal + \ No newline at end of file From 95d27ea41cde51860bc3ab76e6702156221aad98 Mon Sep 17 00:00:00 2001 From: Paul Yu Date: Wed, 13 Aug 2025 06:10:10 -0700 Subject: [PATCH 6/8] fix(kagent-ui): write PID to /var/run/nginx and chown to non-root user to avoid permission error (#743) Signed-off-by: Paul Yu Signed-off-by: Sara Qasmi --- ui/Dockerfile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ui/Dockerfile b/ui/Dockerfile index 5d0d6fd5c..4ce78ffda 100644 --- a/ui/Dockerfile +++ b/ui/Dockerfile 
@@ -84,8 +84,9 @@ RUN mkdir -p /app/ui/public /run/nginx/ /var/run/nginx/ /var/lib/nginx/tmp/ /var && chown -vR nextjs:nginx /run/nginx \ && chown -vR nextjs:nginx /var/run/nginx \ && chown -vR nextjs:nginx /var/lib/nginx/ \ + && chown -vR nextjs:nginx /var/run/nginx \ && touch /var/lib/nginx/logs/error.log - + WORKDIR /app COPY conf/nginx.conf /etc/nginx/nginx.conf COPY conf/supervisord.conf /etc/supervisor/conf.d/supervisord.conf From 2bafdbd6b8ba5d5aebfd0d2bf230bee4fd11092b Mon Sep 17 00:00:00 2001 From: sara Date: Wed, 13 Aug 2025 15:15:59 +0200 Subject: [PATCH 7/8] Update Dockerfile Signed-off-by: Sara Qasmi --- ui/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ui/Dockerfile b/ui/Dockerfile index 4ce78ffda..4f17be3d6 100644 --- a/ui/Dockerfile +++ b/ui/Dockerfile @@ -112,4 +112,4 @@ LABEL org.opencontainers.image.version="$VERSION" USER nextjs -CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/conf.d/supervisord.conf"] \ No newline at end of file +CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/conf.d/supervisord.conf"] From 0a39cf735bda90e1eae40ceea9c0d8746451b693 Mon Sep 17 00:00:00 2001 From: Eitan Yarmush Date: Fri, 27 Feb 2026 08:29:38 -0500 Subject: [PATCH 8/8] Apply suggestions from code review Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: Eitan Yarmush --- helm/kagent/tests/ui-deployment_test.yaml | 11 +++++------ helm/kagent/values.yaml | 3 +-- ui/Dockerfile | 4 ++-- 3 files changed, 8 insertions(+), 10 deletions(-) diff --git a/helm/kagent/tests/ui-deployment_test.yaml b/helm/kagent/tests/ui-deployment_test.yaml index bed57552d..9098d3a7e 100644 --- a/helm/kagent/tests/ui-deployment_test.yaml +++ b/helm/kagent/tests/ui-deployment_test.yaml 
@@ -127,19 +127,18 @@ tests: ui: volumeMounts: - mountPath: /tmp - name: tmp + name: custom-volume volumes: - - name: tmp + - name: custom-volume emptyDir: {} asserts: - contains: path: spec.template.spec.containers[0].volumeMounts content: mountPath: /tmp - name: tmp + name: custom-volume - contains: path: spec.template.spec.volumes content: - name: tmp - emptyDir: {} - \ No newline at end of file + name: custom-volume + emptyDir: {} \ No newline at end of file diff --git a/helm/kagent/values.yaml b/helm/kagent/values.yaml index ef839afb2..609e379ff 100644 --- a/helm/kagent/values.yaml +++ b/helm/kagent/values.yaml @@ -191,8 +191,7 @@ ui: runAsUser: 1001 runAsGroup: 1001 runAsNonRoot: true - fsGroup: 1001 - + fsGroup: 1001 # ============================================================================== # LLM PROVIDERS CONFIGURATION # ============================================================================== diff --git a/ui/Dockerfile b/ui/Dockerfile index e4d46ff06..c89e08bbb 100644 --- a/ui/Dockerfile +++ b/ui/Dockerfile @@ -84,8 +84,8 @@ RUN mkdir -p /app/ui/public /run/nginx/ /var/run/nginx/ /var/lib/nginx/tmp/ /var && chown -vR nextjs:nginx /run/nginx \ && chown -vR nextjs:nginx /var/run/nginx \ && chown -vR nextjs:nginx /var/lib/nginx/ \ - && chown -vR nextjs:nginx /var/run/nginx \ - && touch /var/lib/nginx/logs/error.log + + && touch /var/lib/nginx/logs/error.log && printf '\n' >> /var/lib/nginx/logs/error.log WORKDIR /app COPY conf/nginx.conf /etc/nginx/nginx.conf
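Review bot: The fixture still mounts `custom-volume` at `/tmp`, a path the template already mounts from its built-in `tmp` volume, so the rendered container has two `volumeMounts` with the same `mountPath`, which Kubernetes validation rejects. Renaming the volume removed the duplicate name but not the duplicate path, and `contains` does not notice it. Using a distinct path in both the `set` block and the assertion, e.g. `mountPath: /custom`, makes the test render a manifest the API server would accept.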
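Review bot: The added empty line sits directly after the `\` continuation of `&& chown -vR nextjs:nginx /var/lib/nginx/ \`, inside the `RUN` instruction; Docker treats empty continuation lines as deprecated and emits a build warning for them. Dropping the blank line keeps the chain contiguous. The appended `printf '\n' >> /var/lib/nginx/logs/error.log` has no stated purpose; if the file only needs to exist, `touch` alone is enough, otherwise it deserves a comment such as `# nginx opens this log before reading its configuration` (to be confirmed against the nginx setup, which is not visible here).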