From 3b2738e7d8ee58d03ea3b12c65e0945490beda59 Mon Sep 17 00:00:00 2001
From: Leo Q
Date: Tue, 9 Apr 2024 21:48:54 +0800
Subject: [PATCH] add sandbox for dify (#68)
---
 charts/dify/Chart.yaml | 2 +-
 charts/dify/templates/deployment.yaml | 99 +++++++++++++++++++++++++++
 charts/dify/templates/hpa.yaml | 29 ++++++++
 charts/dify/templates/service.yaml | 18 +++++
 charts/dify/values.yaml | 81 +++++++++++++++++++++-
 5 files changed, 227 insertions(+), 2 deletions(-)
diff --git a/charts/dify/Chart.yaml b/charts/dify/Chart.yaml
index 22010fe..60a0693 100644
--- a/charts/dify/Chart.yaml
+++ b/charts/dify/Chart.yaml
@@ -20,7 +20,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
+version: 0.2.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/charts/dify/templates/deployment.yaml b/charts/dify/templates/deployment.yaml
index 33fee24..2cb45e1 100644
--- a/charts/dify/templates/deployment.yaml
+++ b/charts/dify/templates/deployment.yaml
@@ -49,6 +49,21 @@ spec:
 {{- with .Values.global.extraBackendEnvs }}
 {{- toYaml . | nindent 12 }}
 {{- end }}
+ {{- with .Values.api.envs }}
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ - name: CODE_EXECUTION_ENDPOINT
+ value: "http://{{ include "dify.fullname" . }}-sandbox"
+ - name: CODE_EXECUTION_API_KEY
+ {{- if .Values.sandbox.apiKeySecret }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.sandbox.apiKeySecret }}
+ key: sandbox-api-key
+ {{- else if .Values.sandbox.apiKey }}
+ value: {{ .Values.sandbox.apiKey | quote }}
+ {{- else }}
+ {{- end }}
 {{- with .Values.volumeMounts }}
 volumeMounts:
 {{- toYaml . | nindent 12 }}
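Review bot: In charts/dify/templates/deployment.yaml the `CODE_EXECUTION_API_KEY` entry has an empty `{{- else }}` branch, so when both `sandbox.apiKeySecret` and `sandbox.apiKey` are empty the chart renders the variable with no value and the API would presumably call the sandbox with an empty key. Failing the render is safer: `{{- else }}{{ fail "set sandbox.apiKeySecret or sandbox.apiKey" }}`. The same empty branch is repeated for `API_KEY` in the sandbox Deployment added at the end of this file. The secret name is also rendered unquoted; `name: {{ .Values.sandbox.apiKeySecret | quote }}` would match how the plain value is handled. The container spec this env list belongs to starts and ends outside the hunk.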
@@ -234,3 +249,87 @@ spec:
 tolerations:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+
+
+# sandbox
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "dify.fullname" . }}-sandbox
+ labels:
+ {{- include "dify.labels" . | nindent 4 }}
+ app.kubernetes.io/component: sandbox
+spec:
+ {{- if not .Values.sandbox.autoscaling.enabled }}
+ replicas: {{ .Values.sandbox.replicaCount }}
+ {{- end }}
+ selector:
+ matchLabels:
+ {{- include "dify.selectorLabels" . | nindent 6 }}
+ app.kubernetes.io/component: sandbox
+ template:
+ metadata:
+ {{- with .Values.sandbox.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "dify.selectorLabels" . | nindent 8 }}
+ app.kubernetes.io/component: sandbox
+ spec:
+ {{- with .Values.sandbox.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "dify.serviceAccountName" . }}
+ securityContext:
+ {{- toYaml .Values.sandbox.podSecurityContext | nindent 8 }}
+ containers:
+ - name: {{ .Chart.Name }}
+ securityContext:
+ {{- toYaml .Values.sandbox.securityContext | nindent 12 }}
+ image: "{{ .Values.sandbox.image.repository }}:{{ .Values.sandbox.image.tag | default "latest" }}"
+ imagePullPolicy: {{ .Values.sandbox.image.pullPolicy }}
+ env:
+ - name: PLACEHOLDER
+ value: "PLACEHOLDER"
+ {{- with .Values.sandbox.envs }}
+ {{- toYaml . | nindent 10 }}
+ {{- end }}
+ - name: API_KEY
+ {{- if .Values.sandbox.apiKeySecret }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.sandbox.apiKeySecret }}
+ key: sandbox-api-key
+ {{- else if .Values.sandbox.apiKey }}
+ value: {{ .Values.sandbox.apiKey | quote }}
+ {{- else }}
+ {{- end }}
+ ports:
+ - name: http
+ containerPort: {{ .Values.sandbox.containerPort }}
+ protocol: TCP
+ # livenessProbe:
+ # httpGet:
+ # path: /
+ # port: http
+ # readinessProbe:
+ # httpGet:
+ # path: /
+ # port: http
+ resources:
+ {{- toYaml .Values.sandbox.resources | nindent 12 }}
+ {{- with .Values.sandbox.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.sandbox.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.sandbox.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
diff --git a/charts/dify/templates/hpa.yaml b/charts/dify/templates/hpa.yaml
index 6a48fd5..f4aa886 100644
--- a/charts/dify/templates/hpa.yaml
+++ b/charts/dify/templates/hpa.yaml
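Review bot: The sandbox pod added to charts/dify/templates/deployment.yaml runs under the chart's shared `serviceAccountName: {{ include "dify.serviceAccountName" . }}` and nothing in the pod spec disables the token mount, so code executed in the sandbox can read a Kubernetes API credential unless the service account itself opts out. Because this workload exists to run submitted code, I would add `automountServiceAccountToken: false` to the pod spec, or give it a dedicated service account with no role bindings. The image falls back to a floating tag, `.Values.sandbox.image.tag | default "latest"`, so two installs of the same chart version can run different sandbox builds; a pinned default would be reproducible. The env list is rendered with `nindent 10` where the api container uses `nindent 12`; indentation is not recoverable from this page, so that is worth confirming with `helm template`.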
@@ -88,3 +88,32 @@ spec:
 targetAverageUtilization: {{ .Values.worker.autoscaling.targetMemoryUtilizationPercentage }}
 {{- end }}
 {{- end }}
+{{- if .Values.sandbox.autoscaling.enabled }}
+---
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ include "dify.fullname" . }}-sandbox
+ labels:
+ {{- include "dify.labels" . | nindent 4 }}
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ include "dify.fullname" . }}-sandbox
+ minReplicas: {{ .Values.sandbox.autoscaling.minReplicas }}
+ maxReplicas: {{ .Values.sandbox.autoscaling.maxReplicas }}
+ metrics:
+ {{- if .Values.sandbox.autoscaling.targetCPUUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: cpu
+ targetAverageUtilization: {{ .Values.sandbox.autoscaling.targetCPUUtilizationPercentage }}
+ {{- end }}
+ {{- if .Values.sandbox.autoscaling.targetMemoryUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: memory
+ targetAverageUtilization: {{ .Values.sandbox.autoscaling.targetMemoryUtilizationPercentage }}
+ {{- end }}
+{{- end }}
diff --git a/charts/dify/templates/service.yaml b/charts/dify/templates/service.yaml
index 105613b..e5eaaea 100644
--- a/charts/dify/templates/service.yaml
+++ b/charts/dify/templates/service.yaml
@@ -37,3 +37,21 @@ spec:
 selector:
 {{- include "dify.selectorLabels" . | nindent 4 }}
 app.kubernetes.io/component: frontend
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "dify.fullname" . }}-sandbox
+ labels:
+ {{- include "dify.labels" . | nindent 4 }}
+ app.kubernetes.io/component: sandbox
+spec:
+ type: {{ .Values.sandbox.service.type }}
+ ports:
+ - port: {{ .Values.sandbox.service.port }}
+ targetPort: http
+ protocol: TCP
+ name: http
+ selector:
+ {{- include "dify.selectorLabels" . | nindent 4 }}
+ app.kubernetes.io/component: sandbox
diff --git a/charts/dify/values.yaml b/charts/dify/values.yaml
index 638c564..7b2916b 100644
--- a/charts/dify/values.yaml
+++ b/charts/dify/values.yaml
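Review bot: The sandbox HorizontalPodAutoscaler added to charts/dify/templates/hpa.yaml is declared as `apiVersion: autoscaling/v2beta1`, an API that Kubernetes stopped serving in 1.25, so turning on `sandbox.autoscaling.enabled` on a current cluster fails at install time. The stable form is `apiVersion: autoscaling/v2`, with each metric written as `target: {type: Utilization, averageUtilization: …}` in place of `targetAverageUtilization`. The context line at the top of the hunk shows the worker block using the same old field, so the file probably needs the change throughout. The `labels:` block here also omits `app.kubernetes.io/component: sandbox`, which the Deployment and Service added in this patch both set.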
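Review bot: `port: {{ .Values.sandbox.service.port }}` in charts/dify/templates/service.yaml is configurable, but the API container's `CODE_EXECUTION_ENDPOINT` in deployment.yaml is rendered as `http://<fullname>-sandbox` with no port, so any value other than 80 leaves the API pointing at a port the Service does not expose. Rendering the port into the endpoint keeps the two in step: `value: "http://{{ include "dify.fullname" . }}-sandbox:{{ .Values.sandbox.service.port }}"`. `type` is also taken straight from values, so a `LoadBalancer` or `NodePort` override would publish the code-execution endpoint outside the cluster; a comment next to `sandbox.service.type` saying it is meant to stay `ClusterIP` would help.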
@@ -110,7 +110,22 @@ api:
 pullPolicy: IfNotPresent
 # Overrides the image tag whose default is the chart appVersion.
 tag: ""
-
+ envs:
+ # sandbox
+ - name: CODE_MAX_NUMBER
+ value: "9223372036854775807"
+ - name: CODE_MIN_NUMBER
+ value: "-9223372036854775808"
+ - name: CODE_MAX_STRING_LENGTH
+ value: "80000"
+ - name: TEMPLATE_TRANSFORM_MAX_LENGTH
+ value: "80000"
+ - name: CODE_MAX_STRING_ARRAY_LENGTH
+ value: "30"
+ - name: CODE_MAX_OBJECT_ARRAY_LENGTH
+ value: "30"
+ - name: CODE_MAX_NUMBER_ARRAY_LENGTH
+ value: "1000"
 imagePullSecrets: []
 podAnnotations: {}
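Review bot: `api.envs` in charts/dify/values.yaml is a list, and Helm replaces list values wholesale rather than merging them, so a user who sets `api.envs` to add one variable silently drops all seven `CODE_*` / `TEMPLATE_TRANSFORM_MAX_LENGTH` defaults. The `# sandbox` comment does not warn about that; I would expand it to something like `# Code-execution limits passed to the API; Helm replaces lists wholesale, so copy every entry when overriding`. The `api:` block starts above the hunk and continues past it.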
@@ -182,6 +197,70 @@ worker: # runAsUser: 1000 + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + + nodeSelector: {} + + tolerations: [] + + affinity: {} + +sandbox: + replicaCount: 1 + # please change to avoid abuse + apiKey: "dify-sandbox" + # prefer to use secret + apiKeySecret: "" + image: + repository: langgenius/dify-sandbox + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. + tag: "" + + envs: + - name: GIN_MODE + value: "release" + - name: WORKER_TIMEOUT + value: "15" + imagePullSecrets: [] + + podAnnotations: {} + + podSecurityContext: {} + # fsGroup: 2000 + + securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + + service: + type: ClusterIP + port: 80 + + containerPort: 8194 + + resources: {} # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little
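Review bot: `apiKey: "dify-sandbox"` in the new `sandbox:` block of charts/dify/values.yaml ships a fixed, publicly readable key as the working default, and the templates fall back to it whenever `apiKeySecret` is empty, which is also the default, so an install with untouched values protects the code-execution service with a key anyone can read from the chart. I would default it to `apiKey: ""` and document that one of `apiKey` or `apiKeySecret` (a Secret holding the key `sandbox-api-key`) must be set. `securityContext: {}` leaves every hardening line commented out for a container whose job is running submitted code; enabling `runAsNonRoot: true` and dropping capabilities by default is worth testing against the image. The comment on `tag: ""` says the default is the chart appVersion, but the sandbox template falls back to `latest`.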