* action * action * action * build: integrate OpenSandbox as Agent Execution Sandbox (#6490) * Update action (#6571) * action * action * action * action * action * build: integrate OpenSandbox as Agent Execution Sandbox # Conflicts: # deploy/args.json # deploy/dev/docker-compose.cn.yml # deploy/dev/docker-compose.yml # deploy/docker/cn/docker-compose.milvus.yml # deploy/docker/cn/docker-compose.oceanbase.yml # deploy/docker/cn/docker-compose.pg.yml # deploy/docker/cn/docker-compose.seekdb.yml # deploy/docker/cn/docker-compose.zilliz.yml # deploy/docker/global/docker-compose.milvus.yml # deploy/docker/global/docker-compose.oceanbase.yml # deploy/docker/global/docker-compose.pg.yml # deploy/docker/global/docker-compose.seekdb.yml # deploy/docker/global/docker-compose.ziliiz.yml # deploy/templates/docker-compose.prod.yml # document/public/deploy/docker/cn/docker-compose.milvus.yml # document/public/deploy/docker/cn/docker-compose.oceanbase.yml # document/public/deploy/docker/cn/docker-compose.pg.yml # document/public/deploy/docker/cn/docker-compose.seekdb.yml # document/public/deploy/docker/cn/docker-compose.zilliz.yml # document/public/deploy/docker/global/docker-compose.milvus.yml # document/public/deploy/docker/global/docker-compose.oceanbase.yml # document/public/deploy/docker/global/docker-compose.pg.yml # document/public/deploy/docker/global/docker-compose.seekdb.yml # document/public/deploy/docker/global/docker-compose.ziliiz.yml * remove invalid action --------- Co-authored-by: Archer <545436317@qq.com> Co-authored-by: xqvvu <whoeverimf5@gmail.com> * action --------- Co-authored-by: chanzany <chenzhi@sangfor.com.cn> Co-authored-by: xqvvu <whoeverimf5@gmail.com>
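# Default values for opensandbox-controller.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
#
# NOTE(review): the nesting below was restored from a listing whose indentation
# had been lost — confirm key placement against the chart templates.

# Namespace configuration
# Controller and user resources use this namespace uniformly
namespaceOverride: "opensandbox"

# Name override configuration (optional)
# Used to customize the resource names generated by the Chart
nameOverride: ""
fullnameOverride: ""

# Controller image configuration
controllerManager:
  image:
    repository: opensandbox/controller
    # "dev" together with pullPolicy Never is a local-development default: the
    # node must already hold the image. Pin a released tag (or digest) and use
    # IfNotPresent for clusters that pull from a registry.
    tag: "dev"
    pullPolicy: Never

  # Number of replicas
  replicas: 1

  # Resource limits
  resources:
    limits:
      cpu: 500m
      memory: 128Mi
    requests:
      cpu: 10m
      memory: 64Mi

  # Enable leader election (high availability)
  leaderElect: true

  # Health check address
  healthProbeBindAddress: ":8081"

  # Health check port (extracted from healthProbeBindAddress, or configured separately)
  # Keep this in sync with the port part of healthProbeBindAddress.
  healthProbePort: 8081

  # Log level
  logLevel: 3

  # Security context (Pod level)
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault

  # Security context (container level): no privilege escalation, all capabilities dropped
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"

  # Node selector
  nodeSelector: {}

  # Tolerations
  tolerations: []

  # Affinity
  affinity: {}

  # Environment variables
  env: []
  # - name: EXAMPLE_ENV
  #   value: "example-value"

  # Additional container arguments
  extraArgs: []
  # - --some-arg=value

# Task Executor image configuration
# Note: task-executor is not an independently deployed service, but a sidecar container
# injected into Pods created by Pool for executing tasks.
# Only image information is configured here for users to use when creating Pool resources.
taskExecutor:
  image:
    repository: opensandbox/task-executor
    # Local-development default (see controllerManager.image); pin for production.
    tag: "dev"
    pullPolicy: Never

  # Task Executor default resource configuration (for Pool template reference)
  resources:
    limits:
      cpu: 500m
      memory: 256Mi
    requests:
      cpu: 100m
      memory: 128Mi

  # Task Executor required security context
  # SYS_PTRACE lets the sidecar attach to processes in the shared Pod process
  # namespace; grant it only to this container, never to the workload container.
  securityContext:
    capabilities:
      add: ["SYS_PTRACE"]  # Requires ptrace permission to inject processes

# OpenSandbox Server configuration
# Server is the FastAPI control plane that exposes REST API for SDK usage
# SDK creates and manages Sandbox through Server
server:
  # Enable Server (required for SDK scenarios)
  enabled: true

  # Server image configuration
  image:
    repository: opensandbox/server
    tag: "v0.1.0"
    # Never: the node must already hold the image; use IfNotPresent when pulling
    # from a registry.
    pullPolicy: Never

  # Number of replicas
  replicas: 1

  # Resource limits
  resources:
    limits:
      cpu: 1
      memory: 512Mi
    requests:
      cpu: 100m
      memory: 256Mi

  # Security context
  # ⚠️ Security Warning: Server image currently runs as root user (uid=0)
  # This is a known security concern and does not comply with Kubernetes best practices
  # Production recommendations:
  # 1. Use NetworkPolicy to restrict Server's network access
  # 2. Use PodSecurityPolicy/PodSecurityStandard to restrict Pod permissions
  # 3. Regularly audit Server logs and behavior
  #
  # TODO: Update Server Dockerfile to support non-root user (Issue: #xxx)
  # Planned to be fixed in next version
  securityContext: {}  # Must be empty to allow root user execution

  # Container level: no privilege escalation, all capabilities dropped
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"

  # Node selector
  nodeSelector: {}

  # Tolerations
  tolerations: []

  # Affinity
  affinity: {}

  # Environment variables
  env: []

  # Additional container arguments
  extraArgs: []

  # Development mode (enable hot reload)
  reload: false

  # Pod annotations
  podAnnotations: {}

  # Pod labels
  podLabels: {}

  # Termination grace period (seconds)
  terminationGracePeriodSeconds: 10

  # Server configuration (written to ConfigMap)
  config:
    server:
      host: "0.0.0.0"
      port: 8080
      logLevel: "INFO"
      # API Key authentication (optional)
      # NOTE(review): an empty value appears to leave the REST API without
      # API-key authentication — confirm in the Server. Set a key for any
      # deployment reachable beyond the cluster, and supply it at install time
      # (e.g. --set) rather than committing it to values.
      apiKey: ""

    runtime:
      type: "kubernetes"
      # Keep in sync with the execd-installer initContainer image under pools.
      execdImage: "opensandbox/execd:v1.0.5"

    kubernetes:
      # workloadProvider: batchsandbox (use Pool) or agent-sandbox
      workloadProvider: "batchsandbox"
      # BatchSandbox template configuration (for non-Pool mode)
      batchsandboxTemplate:
        # BatchSandbox labels (optional)
        labels: {}
        # Pod labels (optional)
        podLabels: {}
        # Node tolerations
        # A key-less toleration with operator Exists matches every taint, so
        # sandbox Pods may be scheduled onto control-plane or otherwise dedicated
        # nodes. Narrow this to specific keys on shared clusters.
        tolerations:
          - operator: "Exists"
        # Node selector (optional)
        nodeSelector: {}

  # Service configuration
  service:
    # Service type: ClusterIP, NodePort, LoadBalancer
    # ClusterIP keeps the API cluster-internal; NodePort/LoadBalancer expose it
    # outside the cluster, where an apiKey should be set.
    type: ClusterIP
    port: 8080
    # NodePort (effective when type=NodePort)
    # Set to specific port number (30000-32767) or leave empty for automatic allocation
    # Example: 30080
    nodePort: null
    annotations: {}

  # Ingress configuration (optional)
  ingress:
    enabled: false
    className: ""
    annotations: {}
    # kubernetes.io/ingress.class: nginx
    # cert-manager.io/cluster-issuer: letsencrypt-prod
    hosts:
      - host: opensandbox.example.com
        paths:
          - path: /
            pathType: Prefix
    tls: []
    # - secretName: opensandbox-tls
    #   hosts:
    #     - opensandbox.example.com

  # Health probe configuration
  healthProbes:
    liveness:
      path: /health
      initialDelaySeconds: 15
      periodSeconds: 20
      timeoutSeconds: 5
      failureThreshold: 3
    readiness:
      path: /health
      initialDelaySeconds: 5
      periodSeconds: 10
      timeoutSeconds: 5
      failureThreshold: 3

# Metrics configuration
metrics:
  enabled: true
  service:
    type: ClusterIP
    port: 8443

  # Enable ServiceMonitor (requires Prometheus Operator)
  serviceMonitor:
    enabled: false
    interval: 30s
    scrapeTimeout: 10s

# RBAC configuration
rbac:
  # Create RBAC resources
  create: true

# ServiceAccount configuration
serviceAccount:
  # Create ServiceAccount
  create: true
  # Use existing ServiceAccount
  name: ""
  # ServiceAccount annotations
  annotations: {}

# CRD configuration
crds:
  # Whether to install CRD (set to true for first installation, can be set to false for upgrades)
  install: true
  # CRD annotations
  annotations: {}

# Image pull secrets
imagePullSecrets: []
# - name: regcred

# Global labels
labels: {}

# Global annotations
annotations: {}

# Name prefix, used to generate resource names and namespace (namePrefix + "system")
namePrefix: "opensandbox-"

# Pod annotations
podAnnotations:
  kubectl.kubernetes.io/default-container: manager

# Pod labels
podLabels: {}

# Termination grace period (seconds)
terminationGracePeriodSeconds: 10

# Pod Disruption Budget (optional)
# Used for high availability deployment to prevent too many Pods from being unavailable simultaneously
podDisruptionBudget:
  enabled: false
  # With a single replica, minAvailable: 1 blocks voluntary evictions (e.g. node
  # drains); raise controllerManager.replicas before enabling.
  minAvailable: 1
  # maxUnavailable: 1  # Mutually exclusive with minAvailable, choose one

# Health probe configuration
healthProbes:
  liveness:
    initialDelaySeconds: 15
    periodSeconds: 20
    timeoutSeconds: 1
    failureThreshold: 3
  readiness:
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 1
    failureThreshold: 3

# Extra user roles (optional)
extraRoles:
  # Create BatchSandbox admin role
  batchsandboxAdmin:
    enabled: true
  # Create BatchSandbox editor role
  batchsandboxEditor:
    enabled: true
  # Create BatchSandbox viewer role
  batchsandboxViewer:
    enabled: true
  # Create Pool admin role
  poolAdmin:
    enabled: true
  # Create Pool editor role
  poolEditor:
    enabled: true
  # Create Pool viewer role
  poolViewer:
    enabled: true

# Pool resource configuration
# Automatically create Pool resources during Helm deployment
# Default: Enable a general Agent Pool suitable for most SDK scenarios
pools:
  # Default Agent Pool - SDK scenario (with execd + task-executor)
  - name: agent-pool
    enabled: true
    labels:
      app: opensandbox
      component: agent-pool
    annotations:
      description: "Default Agent Pool with execd and task-executor for SDK usage"

    template:
      metadata:
        labels:
          pool: agent-pool
          sdk-compatible: "true"
      spec:
        # Required: Share process namespace (required by task-executor)
        # Every container in the Pod can see (and, with SYS_PTRACE, attach to)
        # the others' processes.
        shareProcessNamespace: true

        # Init Container: Install execd (required for SDK scenario)
        initContainers:
          - name: execd-installer
            # Keep in sync with server.config.runtime.execdImage
            image: opensandbox/execd:v1.0.5
            imagePullPolicy: Never
            command: ["/bin/sh", "-c"]
            args:
              - |
                cp ./execd /opt/opensandbox/bin/execd && \
                cp ./bootstrap.sh /opt/opensandbox/bin/bootstrap.sh && \
                chmod +x /opt/opensandbox/bin/execd && \
                chmod +x /opt/opensandbox/bin/bootstrap.sh
            volumeMounts:
              - name: opensandbox-bin
                mountPath: /opt/opensandbox/bin

        containers:
          # Main container: Sandbox environment
          # No securityContext is set on this container; since the Pod shares its
          # process namespace and the sidecar holds SYS_PTRACE, consider
          # allowPrivilegeEscalation: false and dropping unneeded capabilities
          # for the workload image.
          - name: sandbox-container
            # "latest" is a mutable tag; pin a version or digest for reproducible
            # sandboxes.
            image: nginx:latest
            imagePullPolicy: Never
            command: ["/opt/opensandbox/bin/bootstrap.sh", "sleep", "infinity"]
            env:
              - name: EXECD
                value: /opt/opensandbox/bin/execd
            ports:
              - containerPort: 44772
                name: execd
                protocol: TCP
            resources:
              requests:
                cpu: "100m"
                memory: "128Mi"
              limits:
                cpu: "500m"
                memory: "256Mi"
            volumeMounts:
              - name: opensandbox-bin
                mountPath: /opt/opensandbox/bin

          # Sidecar: Task Executor
          - name: task-executor
            image: opensandbox/task-executor:dev
            imagePullPolicy: Never
            ports:
              - containerPort: 5758
                name: task-executor
                protocol: TCP
            resources:
              requests:
                cpu: "100m"
                memory: "128Mi"
              limits:
                cpu: "500m"
                memory: "256Mi"
            # Same capability as taskExecutor.securityContext; scoped to the sidecar only
            securityContext:
              capabilities:
                add: ["SYS_PTRACE"]

        volumes:
          - name: opensandbox-bin
            emptyDir: {}

    # Capacity configuration: Suitable for small to medium scale deployments (10-50 concurrent Agents)
    capacitySpec:
      bufferMin: 10  # Minimum available Pods
      bufferMax: 20  # Maximum pre-warmed Pods
      poolMin: 10  # Minimum total Pods
      poolMax: 100  # Maximum total Pods

# Notes:
# - If Pool is not needed, set pools[0].enabled=false
# - If custom configuration is needed, override or add more Pools in values
# - Capacity configuration can be adjusted according to actual concurrency requirements:
#   | Concurrent Agents | bufferMin | bufferMax | poolMin | poolMax |
#   |-------------------|-----------|-----------|---------|---------|
#   | 1-10              | 2         | 5         | 2       | 20      |
#   | 10-50             | 10        | 20        | 10      | 100     |
#   | 50-200            | 50        | 100       | 50      | 300     |
#   | 200+              | 100       | 200       | 100     | 500     |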