feat: add helm charts for deployment (#145)

Co-authored-by: Julien Mancuso <jmancuso@nvidia.com>

deploy/dynamo/helm/platform/components/operator/templates/yatai-regcred-secret.yaml

+# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+apiVersion: v1
+kind: Secret
+metadata:
+  name: yatai-regcred
+  labels:
+    {{- include "dynamo-operator.labels" . | nindent 4 }}
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: {{ include "dynamo-operator.dockerconfig" . | b64enc }}

deploy/dynamo/helm/platform/components/operator/values.yaml

+# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# Default values for dynamo-operator.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+global:
+  # NGC API Key to use as default for docker registry password
+  NGC_API_KEY: ""
+
+# Namespace restriction configuration for the operator
+# If enabled: true and targetNamespace is empty, the operator will be restricted to the release namespace
+# If enabled: true and targetNamespace is set, the operator will be restricted to the specified namespace
+# If enabled: false, the operator will run with cluster-wide permissions
+namespaceRestriction:
+  # Whether to restrict the operator to a single namespace
+  enabled: false
+  # The target namespace to restrict to. If empty, defaults to the release namespace
+  targetNamespace: ""
+controllerManager:
+  kubeRbacProxy:
+    args:
+    - --secure-listen-address=0.0.0.0:8443
+    - --upstream=http://127.0.0.1:8080/
+    - --logtostderr=true
+    - --v=0
+    containerSecurityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+    image:
+      repository: gcr.io/kubebuilder/kube-rbac-proxy
+      tag: v0.15.0
+    resources:
+      limits:
+        cpu: 500m
+        memory: 128Mi
+      requests:
+        cpu: 5m
+        memory: 64Mi
+  manager:
+    args:
+    - --health-probe-bind-address=:8081
+    - --metrics-bind-address=127.0.0.1:8080
+    - --leader-elect
+    - --leader-election-id=dynamo.nko.nvidia.com
+    containerSecurityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+    image:
+      repository: controller
+      tag: latest
+    resources:
+      limits:
+        cpu: 1024m
+        memory: 2Gi
+      requests:
+        cpu: 512m
+        memory: 1Gi
+  replicas: 1
+  serviceAccount:
+    annotations: {}
+
+dynamo:
+  yatai:
+    endpoint: http://dynamo-server.dynamo-system.svc.cluster.local
+    clusterName: default
+
+  yataiSystem:
+    # If left blank, will default to the installation namespace
+    namespace: ""
+
+  internalImages:
+    bentoDownloader: quay.io/bentoml/bento-downloader:0.0.5
+    kaniko: quay.io/bentoml/kaniko:debug
+    buildkit: quay.io/bentoml/buildkit:master
+    buildkitRootless: quay.io/bentoml/buildkit:master-rootless
+    metricsTransformer: quay.io/bentoml/yatai-bento-metrics-transformer:0.0.4
+    debugger: quay.io/bentoml/bento-debugger:0.0.8
+    monitorExporter: quay.io/bentoml/bentoml-monitor-exporter:0.0.3
+    proxy: quay.io/bentoml/bentoml-proxy:0.0.1
+
+  disableAutomateBentoImageBuilder: false
+  enableRestrictedSecurityContext: false
+  disableYataiComponentRegistration: false
+
+  dockerRegistry:
+    server: 'nvcr.io/nvidian/nim-llm-dev'
+    inClusterServer: ''
+    username: '$oauthtoken'
+    # If not set, will use global.NGC_API_KEY
+    password: ""
+    passwordExistingSecretName: ''
+    passwordExistingSecretKey: ''
+    secure: true
+    bentoRepositoryName: yatai-bentos
+
+  bentoImageBuildEngine: kaniko # options: kaniko, buildkit, buildkit-rootless
+  addNamespacePrefixToImageName: false
+
+  estargz:
+    enabled: false
+
+  kaniko:
+    cacheRepo: ''
+    snapshotMode: '' # options: full, redo, time
+
+
+
+
+imagePullSecrets: []
+kubernetesClusterDomain: cluster.local
+metricsService:
+  ports:
+  - name: https
+    port: 8443
+    protocol: TCP
+    targetPort: https
+  type: ClusterIP
\ No newline at end of file

deploy/dynamo/helm/platform/values.yaml

+# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# Used to generate top-level secrets (overridden by custom-values.yaml)
+existingSecret: ""
+existingImagePullSecret: ""
+ngcAPIKey: YOUR-NGC-API-KEY
+imagePullSecrets:
+  - name: nvcrimagepullsecret
+    registry: nvcr.io
+    username: $oauthtoken
+    password: YOUR-NGC-API-KEY
+# Subcharts
+dynamo-operator:
+  enabled: false
+  imagePullSecrets:
+    - name: gitlab-imagepull
+    - name: nvcrimagepullsecret
+  controllerManager:
+    manager:
+      image:
+        repository: gitlab-master.nvidia.com:5005/aire/microservices/nmp/dynamo-operator
+        tag: "latest"
+dynamo-api-server:
+  enabled: false
+  imagePullSecrets:
+    - name: gitlab-imagepull
+    - name: nvcrimagepullsecret
+
+etcd:
+  enabled: false
+  replicaCount: 1
+  # Explicitly remove authentication
+  auth:
+    rbac:
+      create: false
+
+  readinessProbe:
+    enabled: false
+
+  livenessProbe:
+    enabled: false
+
+nats:
+  enabled: false
+  # reference a common CA Certificate or Bundle in all nats config `tls` blocks and nats-box contexts
+  # note: `tls.verify` still must be set in the appropriate nats config `tls` blocks to require mTLS
+  tlsCA:
+    enabled: false
+
+  config:
+    cluster:
+      enabled: false
+
+
+    jetstream:
+      enabled: true
+
+      fileStore:
+        enabled: true
+        dir: /data
+
+        ############################################################
+        # stateful set -> volume claim templates -> jetstream pvc
+        ############################################################
+        pvc:
+          enabled: true
+          size: 10Gi
+          storageClassName:
+
+          # merge or patch the jetstream pvc
+          # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#persistentvolumeclaim-v1-core
+          merge: {}
+          patch: []
+          # defaults to "{{ include "nats.fullname" $ }}-js"
+          name:
+
+        # defaults to the PVC size
+        maxSize:
+
+      memoryStore:
+        enabled: false
+
+      # merge or patch the jetstream config
+      # https://docs.nats.io/running-a-nats-service/configuration#jetstream
+      merge: {}
+      patch: []
+
+    nats:
+      port: 4222
+      tls:
+        enabled: false
+        # merge or patch the tls config
+        # https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls
+        merge: {}
+        patch: []
+
+    leafnodes:
+      enabled: false
+
+
+    websocket:
+      enabled: false
+
+
+    mqtt:
+      enabled: false
+
+
+    gateway:
+      enabled: false
+
+
+    monitor:
+      enabled: true
+      port: 8222
+      tls:
+        # config.nats.tls must be enabled also
+        # when enabled, monitoring port will use HTTPS with the options from config.nats.tls
+        enabled: false
+
+    profiling:
+      enabled: false
+      port: 65432
+
+    resolver:
+      enabled: false
+
+
+    # adds a prefix to the server name, which defaults to the pod name
+    # helpful for ensuring server name is unique in a super cluster
+    serverNamePrefix: ""
+
+    # merge or patch the nats config
+    # https://docs.nats.io/running-a-nats-service/configuration
+    # following special rules apply
+    #  1. strings that start with << and end with >> will be unquoted
+    #     use this for variables and numbers with units
+    #  2. keys ending in $include will be switched to include directives
+    #     keys are sorted alphabetically, use prefix before $includes to control includes ordering
+    #     paths should be relative to /etc/nats-config/nats.conf
+    # example:
+    #
+    #   merge:
+    #     $include: ./my-config.conf
+    #     zzz$include: ./my-config-last.conf
+    #     server_name: nats
+    #     authorization:
+    #       token: << $TOKEN >>
+    #     jetstream:
+    #       max_memory_store: << 1GB >>
+    #
+    # will yield the config:
+    # {
+    #   include ./my-config.conf;
+    #   "authorization": {
+    #     "token": $TOKEN
+    #   },
+    #   "jetstream": {
+    #     "max_memory_store": 1GB
+    #   },
+    #   "server_name": "nats",
+    #   include ./my-config-last.conf;
+    # }
+    merge: {}
+    patch: []
+
+  ############################################################
+  # stateful set -> pod template -> nats container
+  ############################################################
+  container:
+    image:
+      repository: nats
+      tag: 2.10.21-alpine
+      pullPolicy:
+      registry:
+
+    # container port options
+    # must be enabled in the config section also
+    # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#containerport-v1-core
+    ports:
+      nats: {}
+      leafnodes: {}
+      websocket: {}
+      mqtt: {}
+      cluster: {}
+      gateway: {}
+      monitor: {}
+      profiling: {}
+
+    # map with key as env var name, value can be string or map
+    # example:
+    #
+    #   env:
+    #     GOMEMLIMIT: 7GiB
+    #     TOKEN:
+    #       valueFrom:
+    #         secretKeyRef:
+    #           name: nats-auth
+    #           key: token
+    env: {}
+
+    # merge or patch the container
+    # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#container-v1-core
+    merge: {}
+    patch: []
+
+  ############################################################
+  # stateful set -> pod template -> reloader container
+  ############################################################
+  reloader:
+    enabled: true
+    image:
+      repository: natsio/nats-server-config-reloader
+      tag: 0.16.0
+      pullPolicy:
+      registry:
+
+    # env var map, see nats.env for an example
+    env: {}
+
+    # all nats container volume mounts with the following prefixes
+    # will be mounted into the reloader container
+    natsVolumeMountPrefixes:
+    - /etc/
+
+    # merge or patch the container
+    # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#container-v1-core
+    merge: {}
+    patch: []
+
+  ############################################################
+  # stateful set -> pod template -> prom-exporter container
+  ############################################################
+  # config.monitor must be enabled
+  promExporter:
+    enabled: false
+
+
+  ############################################################
+  # service
+  ############################################################
+  service:
+    enabled: true
+
+    # service port options
+    # additional boolean field enable to control whether port is exposed in the service
+    # must be enabled in the config section also
+    # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#serviceport-v1-core
+    ports:
+      nats:
+        enabled: true
+      leafnodes:
+        enabled: true
+      websocket:
+        enabled: true
+      mqtt:
+        enabled: true
+      cluster:
+        enabled: false
+      gateway:
+        enabled: false
+      monitor:
+        enabled: false
+      profiling:
+        enabled: false
+
+    # merge or patch the service
+    # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#service-v1-core
+    merge: {}
+    patch: []
+    # defaults to "{{ include "nats.fullname" $ }}"
+    name:
+
+  ############################################################
+  # other nats extension points
+  ############################################################
+
+  # stateful set
+  statefulSet:
+    # merge or patch the stateful set
+    # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#statefulset-v1-apps
+    merge: {}
+    patch: []
+    # defaults to "{{ include "nats.fullname" $ }}"
+    name:
+
+  # stateful set -> pod template
+  podTemplate:
+    # adds a hash of the ConfigMap as a pod annotation
+    # this will cause the StatefulSet to roll when the ConfigMap is updated
+    configChecksumAnnotation: true
+
+    # map of topologyKey: topologySpreadConstraint
+    # labelSelector will be added to match StatefulSet pods
+    #
+    # topologySpreadConstraints:
+    #   kubernetes.io/hostname:
+    #     maxSkew: 1
+    #
+    topologySpreadConstraints: {}
+
+    # merge or patch the pod template
+    # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#pod-v1-core
+    merge: {}
+    patch: []
+
+  # headless service
+  headlessService:
+    # merge or patch the headless service
+    # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#service-v1-core
+    merge: {}
+    patch: []
+    # defaults to "{{ include "nats.fullname" $ }}-headless"
+    name:
+
+  # config map
+  configMap:
+    # merge or patch the config map
+    # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#configmap-v1-core
+    merge: {}
+    patch: []
+    # defaults to "{{ include "nats.fullname" $ }}-config"
+    name:
+
+  # pod disruption budget
+  podDisruptionBudget:
+    enabled: true
+
+
+  # service account
+  serviceAccount:
+    enabled: false
+
+
+
+  ############################################################
+  # natsBox
+  #
+  # NATS Box Deployment and associated resources
+  ############################################################
+  natsBox:
+    enabled: true
+
+    ############################################################
+    # NATS contexts
+    ############################################################
+    contexts:
+      default:
+        creds:
+          # set contents in order to create a secret with the creds file contents
+          contents:
+          # set secretName in order to mount an existing secret to dir
+          secretName:
+          # defaults to /etc/nats-creds/<context-name>
+          dir:
+          key: nats.creds
+        nkey:
+          # set contents in order to create a secret with the nkey file contents
+          contents:
+          # set secretName in order to mount an existing secret to dir
+          secretName:
+          # defaults to /etc/nats-nkeys/<context-name>
+          dir:
+          key: nats.nk
+        # used to connect with client certificates
+        tls:
+          # set secretName in order to mount an existing secret to dir
+          secretName:
+          # defaults to /etc/nats-certs/<context-name>
+          dir:
+          cert: tls.crt
+          key: tls.key
+
+        # merge or patch the context
+        # https://docs.nats.io/using-nats/nats-tools/nats_cli#nats-contexts
+        merge: {}
+        patch: []
+
+    # name of context to select by default
+    defaultContextName: default
+
+    ############################################################
+    # deployment -> pod template -> nats-box container
+    ############################################################
+    container:
+      image:
+        repository: natsio/nats-box
+        tag: 0.14.5
+        pullPolicy:
+        registry:
+
+      # env var map, see nats.env for an example
+      env: {}
+
+      # merge or patch the container
+      # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#container-v1-core
+      merge: {}
+      patch: []
+    # service account
+    serviceAccount:
+      enabled: false

deploy/dynamo/helm/post-cluster.sh

+#!/bin/bash
+
+# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ACTION REQUIRED: Export your Kubernetes namespace as $KUBE_NS
+# and update the ns.yaml file with the same value
+export KUBE_NS=$KUBE_NS
+kubectl apply -f testing/ns.yaml
+
+# Export your ngc api key
+
+curl -X POST \
+     -H "Content-Type: application/json" \
+     https://${NAMESPACE}.dev.aire.nvidia.com/api/v1/clusters \
+     -d '{
+       "name": "default",
+       "description": "Default cluster",
+       "kube_config": ""
+     }' | jq '.'
+
+# check out ui at https://${NAMESPACE}.dev.aire.nvidia.com

deploy/dynamo/helm/testing/ns.yaml

+# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cai-hannahz
+ labels:
+   nscleanup/enabled: 'false' # this enables automated cleanup
+   nvcr-imagepull: enabled # adds nvcr imagepull secret
+   gitlab-imagepull: enabled # adds gitlab imagepull secret
+   istio-injection: 'false'
\ No newline at end of file