feat: add helm charts for deployment (#145)

Co-authored-by: Julien Mancuso <jmancuso@nvidia.com>

.gitignore

@@ -78,3 +78,8 @@ __pycache__/
 *.so
 
 **/.devcontainer
+
+### Helm ###
+*.tgz
+Chart.lock
+generated-values.yaml
\ No newline at end of file

.pre-commit-config.yaml

@@ -56,7 +56,7 @@ repos:
     exclude: .devcontainer
   - id: check-toml
   - id: check-yaml
-    exclude: ^deploy/Kubernetes/.+/templates/.+\.yaml
+    exclude: ^.*/templates/.*\.yaml$ #ignore all yaml files in helm chart templates
   - id: check-shebang-scripts-are-executable
   - id: end-of-file-fixer
     types_or: [c, c++, cuda, proto, textproto, java, python]

deploy/dynamo/helm/README.md

+# Deploy CompoundAI API server and Operator
+
+### Manually install etcd and nats
+
+Pre-requisite: make sure your terminal is set in the `deploy/dynamo/helm/` directory.
+
+1. [Optional] Create a new kubernetes namespace and set it as your default
+
+```bash
+export KUBE_NS=cai    # change this to whatever you want!
+kubectl create namespace $KUBE_NS
+kubectl config set-context --current --namespace=$KUBE_NS
+```
+
+2. Install bitnami/etcd:
+
+```bash
+helm repo add bitnami https://charts.bitnami.com/bitnami
+helm repo update
+```
+
+3. Install nats:
+
+```bash
+helm repo add nats https://nats-io.github.io/k8s/helm/charts/
+helm repo update
+```
+
+4. Install etcd and nats to your kubernetes namespace:
+
+```bash
+helm install etcd bitnami/etcd -n $KUBE_NS -f etcd.yaml
+helm install my-nats nats/nats --version 1.2.9 -f nats.yaml -n $KUBE_NS
+```
+
+5. Deploy the helm charts:
+
+```bash
+export NGC_TOKEN=$NGC_API_TOKEN
+export NAMESPACE=$KUBE_NS
+export CI_COMMIT_SHA=6083324a0a5f310dcec38c6863f043cd9070ffcc
+export RELEASE_NAME=$KUBE_NS
+
+./deploy.sh
+```
+
+6. Make an example cluster POST:
+
+```bash
+./post-cluster.sh
+```
+
+As a bonus, the CompoundAI Deployments UI is also deployed alongside, so you can access it at https://${NAMESPACE}.dev.aire.nvidia.com/
\ No newline at end of file

deploy/dynamo/helm/deploy.sh

+#!/bin/bash
+
+# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -euo pipefail
+
+# Set default values only if not already set
+export NAMESPACE="${NAMESPACE:=cai-system}"  # Default namespace
+export NGC_TOKEN="${NGC_TOKEN:=<your-ngc-token>}"  # Default NGC token
+export CI_COMMIT_SHA="${CI_COMMIT_SHA:=6083324a0a5f310dcec38c6863f043cd9070ffcc}"  # Default commit SHA
+export RELEASE_NAME="${RELEASE_NAME:=dynamo-platform}"  # Default commit SHA
+
+
+# Check if required variables are set
+if [ "$NGC_TOKEN" = "<your-ngc-token>" ]; then
+    echo "Error: Please set your NGC_TOKEN in the script or via environment variable"
+    exit 1
+fi
+
+# Update the helm repo and build the dependencies
+cd platform
+cd components/operator
+helm dependency update
+cd ../..
+cd components/api-server
+helm dependency update
+cd ../..
+helm dep build
+helm repo update
+cd ..
+
+# Generate the values file
+echo "Generating values file with:"
+echo "NAMESPACE: $NAMESPACE"
+echo "CI_COMMIT_SHA: $CI_COMMIT_SHA"
+echo "NGC_TOKEN: [HIDDEN]"
+echo "RELEASE_NAME: $RELEASE_NAME"
+
+echo "generated file contents:"
+envsubst '${NAMESPACE} ${NGC_TOKEN} ${CI_COMMIT_SHA} ${RELEASE_NAME}' < dynamo-platform-values.yaml
+
+envsubst '${NAMESPACE} ${NGC_TOKEN} ${CI_COMMIT_SHA} ${RELEASE_NAME}' < dynamo-platform-values.yaml > generated-values.yaml
+
+echo "Generated values file saved as generated-values.yaml"
+
+# Install/upgrade the helm chart
+echo "Installing/upgrading helm chart..."
+helm upgrade --install $RELEASE_NAME platform/ \
+  -f generated-values.yaml \
+  --create-namespace \
+  --namespace ${NAMESPACE}
+
+echo "Helm chart deployment complete"

deploy/dynamo/helm/dynamo-platform-values.yaml

+# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+existingImagePullSecret: nvcrimagepullsecret
+
+# Global values used across charts
+global:
+  NGC_API_KEY: ${NGC_TOKEN}
+
+dynamo-operator:
+  enabled: true
+  natsAddr: "nats://${RELEASE_NAME}-nats:4222"
+  etcdAddr: "${RELEASE_NAME}-etcd:2379"
+  namespaceRestriction:
+    enabled: true
+    targetNamespace: ${NAMESPACE}
+  controllerManager:
+    manager:
+      image:
+        repository: gitlab-master.nvidia.com:5005/aire/microservices/compoundai/dynamo-operator
+        tag: ${CI_COMMIT_SHA}
+      args:
+        - --health-probe-bind-address=:8081
+        - --metrics-bind-address=127.0.0.1:8080
+        - --leader-elect=false
+        - --natsAddr=nats://my-nats:4222
+        - --etcdAddr=etcd:2379
+
+  dynamo:
+    yatai:
+    # todo: only use dns name
+      endpoint: http://dynamo-server
+      clusterName: default
+
+    yataiSystem:
+    # can we just infer this, or change scheme to use default until overridden
+      namespace: ""
+
+    internalImages:
+      bentoDownloader: quay.io/bentoml/bento-downloader:0.0.5
+      kaniko: quay.io/bentoml/kaniko:debug
+      buildkit: quay.io/bentoml/buildkit:master
+      buildkitRootless: quay.io/bentoml/buildkit:master-rootless
+      metricsTransformer: quay.io/bentoml/yatai-bento-metrics-transformer:0.0.4
+      debugger: quay.io/bentoml/bento-debugger:0.0.8
+      monitorExporter: quay.io/bentoml/bentoml-monitor-exporter:0.0.3
+      proxy: quay.io/bentoml/bentoml-proxy:0.0.1
+
+    disableAutomateBentoImageBuilder: false
+    enableRestrictedSecurityContext: false
+    disableYataiComponentRegistration: false
+
+    dockerRegistry:
+      server: 'nvcr.io/nvidian/nim-llm-dev'
+      inClusterServer: ''
+      username: '$oauthtoken'
+      # Password will use global.NGC_API_KEY by default
+      password: ""
+      passwordExistingSecretName: ''
+      passwordExistingSecretKey: ''
+      secure: true
+      bentoRepositoryName: yatai-bentos
+
+    bentoImageBuildEngine: kaniko
+    addNamespacePrefixToImageName: false
+
+    estargz:
+      enabled: false
+
+    kaniko:
+      cacheRepo: ''
+      snapshotMode: ''
+
+dynamo-api-server:
+  enabled: true
+  namespaceRestriction:
+    enabled: true
+    targetNamespace: ${NAMESPACE}
+  istio:
+    host:
+      ${NAMESPACE}.dev.aire.nvidia.com
+  dynamo:
+    # need to be set to deployment-management
+    env:
+      resource_scope: "user"
+  image:
+    repository: gitlab-master.nvidia.com:5005/aire/microservices/compoundai/dynamo-api-server
+    tag: ${CI_COMMIT_SHA}
+    pullPolicy: Always
+  imagePullSecrets:
+    - name: nvcrimagepullsecret
+    - name: gitlab-imagepull
+  postgresql:
+    primary:
+      persistence:
+        enabled: false
+  minio:
+    persistence:
+      enabled: true
+      size: 10Gi
+      storageClass: ""
+    apiIngress:
+      enabled: false
+      ingressClassName: nginx
+      hostname: minio.example.com
+      pathType: Prefix
+
+etcd:
+  enabled: true
+
+nats:
+  enabled: true
\ No newline at end of file

deploy/dynamo/helm/platform/.helmignore

+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+# test files
+test-values.yaml
+minikube-demo-values.yaml
+# subchart sources
+components/

deploy/dynamo/helm/platform/Chart.yaml

+# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+apiVersion: v2
+name: dynamo-helm-chart
+maintainers:
+  - name: NVIDIA, Inc.
+    url: https://www.nvidia.com
+description: A Helm chart for NVIDIA CompoundAI Platform.
+type: application
+version: 25.2.0-rc3
+home: https://nvidia.com
+dependencies:
+  - name: dynamo-operator
+    version: 0.1.0
+    repository: file://components/operator
+    condition: dynamo-operator.enabled
+  - name: dynamo-api-server
+    version: 0.1.1
+    repository: "file://components/api-server"
+    condition: dynamo-api-server.enabled
+  - name: nats
+    version: 1.2.9
+    repository: https://nats-io.github.io/k8s/helm/charts/
+    condition: nats.enabled
+  - name: etcd
+    version: 11.1.0
+    repository: "https://charts.bitnami.com/bitnami"
+    condition: etcd.enabled

deploy/dynamo/helm/platform/components/api-server/.helmignore

+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

deploy/dynamo/helm/platform/components/api-server/Chart.yaml

+# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+apiVersion: v2
+name: dynamo-api-server
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.1
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "0.1.0"
+
+# These are the dependencies needed by the API server to run
+dependencies:
+  - name: postgresql
+    version: "16.0.4"  # This is an example; update with the latest version if needed
+    repository: "https://charts.bitnami.com/bitnami"
+
+  # https://github.com/bitnami/charts/tree/main/bitnami/minio
+  - name: minio
+    version: 13.3.1
+    repository: oci://registry-1.docker.io/bitnamicharts
\ No newline at end of file

deploy/dynamo/helm/platform/components/api-server/templates/NOTES.txt

+# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+1. Get the application URL by running these commands:
+{{- if .Values.ingress.enabled }}
+{{- range $host := .Values.ingress.hosts }}
+  {{- range .paths }}
+  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
+  {{- end }}
+{{- end }}
+{{- else if contains "NodePort" .Values.service.type }}
+  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "helm.fullname" . }})
+  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+  echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.type }}
+     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+           You can watch its status by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "helm.fullname" . }}'
+  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "helm.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+  echo http://$SERVICE_IP:{{ .Values.service.port }}
+{{- else if contains "ClusterIP" .Values.service.type }}
+  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "helm.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+  export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
+  echo "Visit http://127.0.0.1:8080 to use your application"
+  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
+{{- end }}

deploy/dynamo/helm/platform/components/api-server/templates/_helpers.tpl

+# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "helm.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "helm.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "helm.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "helm.labels" -}}
+helm.sh/chart: {{ include "helm.chart" . }}
+{{ include "helm.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "helm.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "helm.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "helm.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "helm.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+ObjectStore Secret Name
+*/}}
+{{- define "api-server.objectStore.secretName" -}}
+{{- if .Values.objectStore.existingSecret -}}
+    {{- print .Values.objectStore.existingSecret -}}
+{{- else -}}
+    {{- printf "%s-%s" (include "common.names.fullname" .) "external-objstore" -}}
+{{- end -}}
+{{- end -}}
+
+
+{{/*
+ObjectStore Access Key
+*/}}
+{{- define "api-server.objectStore.accessKey" -}}
+{{- if  .Values.objectStore.existingSecret -}}
+    {{- print .Values.objectStore.existingSecretAccessKey -}}
+{{- else -}}
+    {{- print "accessKey" -}}
+{{- end -}}
+{{- end -}}
+
+
+{{/*
+ObjectStore Access Secret
+*/}}
+{{- define "api-server.objectStore.accessSecret" -}}
+{{- if .Values.objectStore.existingSecret -}}
+    {{- print .Values.objectStore.existingSecretAccessSecret -}}
+{{- else -}}
+    {{- print "accessSecret" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Object Store Endpoint
+*/}}
+{{- define "api-server.objectStore.endpoint" -}}
+{{- if .Values.objectStore.existingSecret -}}
+    {{- print .Values.objectStore.existingSecretEndpoint -}}
+{{- else -}}
+    {{- print "endpoint" -}}
+{{- end -}}
+{{- end -}}

deploy/dynamo/helm/platform/components/api-server/templates/deployment-ui.yaml

+# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: dynamo-ui
+spec:
+  progressDeadlineSeconds: 600
+  replicas: 2
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app: dynamo-ui
+  strategy:
+    rollingUpdate:
+      maxSurge: 25%
+      maxUnavailable: 25%
+    type: RollingUpdate
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        app: dynamo-ui
+    spec:
+      containers:
+      - image: nvcr.io/nvidian/nim-llm-dev/compoundai-ui:0.0.11
+        imagePullPolicy: Always
+        livenessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /health
+            port: 80
+            scheme: HTTP
+          initialDelaySeconds: 30
+          periodSeconds: 30
+          successThreshold: 1
+          timeoutSeconds: 10
+        name: dynamo-ui
+        ports:
+        - containerPort: 80
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /health
+            port: 80
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 5
+        resources:
+          limits:
+            memory: 2Gi
+          requests:
+            memory: 1Gi
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+      dnsPolicy: ClusterFirst
+      imagePullSecrets:
+      - name: nvcrimagepullsecret
+      restartPolicy: Always
+      schedulerName: default-scheduler
+      securityContext: {}
+      terminationGracePeriodSeconds: 30

deploy/dynamo/helm/platform/components/api-server/templates/deployment.yaml

+# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "helm.fullname" . }}
+  labels:
+    {{- include "helm.labels" . | nindent 4 }}
+spec:
+  {{- if not .Values.autoscaling.enabled }}
+  replicas: {{ .Values.replicaCount }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "helm.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "helm.labels" . | nindent 8 }}
+        {{- with .Values.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "helm.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      initContainers:
+        - name: wait-for-postgres
+          image: busybox
+          command: [ 'sh', '-c', 'until nc -z {{ .Release.Name }}-postgresql 5432; do echo "PostgreSQL is unavailable. Sleeping for 5 seconds"; sleep 5; done;' ]
+      containers:
+        - name: "api-server"
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          ports:
+            - name: http
+              containerPort: {{ .Values.dynamo.port }}
+              protocol: TCP
+          livenessProbe:
+            {{- toYaml .Values.livenessProbe | nindent 12 }}
+          readinessProbe:
+            {{- toYaml .Values.readinessProbe | nindent 12 }}
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          {{- with .Values.volumeMounts }}
+          volumeMounts:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          env:
+            - name: DB_HOST
+              value:  "{{ .Release.Name }}-postgresql"
+            - name: DB_USER
+              value: {{ .Values.postgresql.auth.username | quote }}
+            - name: DB_NAME
+              value: {{ .Values.postgresql.auth.database | quote }}
+            - name: DB_PORT
+              value: "5432"
+            - name: DB_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Release.Name }}-postgresql"
+                  key: password
+            - name: API_DATABASE_PORT
+              value: "8001"
+            - name: API_BACKEND_URL
+              value: "http://127.0.0.1:8001"
+            - name: RESOURCE_SCOPE
+              value: {{ .Values.dynamo.env.resource_scope | quote }}
+            - name: DEFAULT_KUBE_NAMESPACE
+              value: {{ .Release.Namespace }}
+            - name: DYNAMO_CONTAINER_NAME
+              value: "dynamo-storage"
+            - name: S3_ACCESS_KEY_ID
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Release.Name }}-minio"
+                  key: root-user
+            - name: S3_SECRET_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Release.Name }}-minio"
+                  key: root-password
+            - name: S3_ENDPOINT_URL
+              value: "http://{{ .Release.Name }}-minio:9000"
+          envFrom:
+          - secretRef:
+              name: dynamo-deployment-env
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+      {{- with .Values.volumes }}
+      volumes:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}

deploy/dynamo/helm/platform/components/api-server/templates/external-object-store-secret.yaml

+# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- if (not .Values.objectStore.existingSecret) }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "api-server.objectStore.secretName" . }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+type: Opaque
+data:
+  accessKey: {{ .Values.objectStore.accessKey | b64enc | quote }}
+  accessSecret: {{ .Values.objectStore.accessSecret | b64enc | quote }}
+  endpoint: {{ .Values.objectStore.endpoint | b64enc | quote }}
+{{- end }}

deploy/dynamo/helm/platform/components/api-server/templates/hpa.yaml

+# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- if .Values.autoscaling.enabled }}
+---
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ include "helm.fullname" . }}
+  labels:
+    {{- include "helm.labels" . | nindent 4 }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{ include "helm.fullname" . }}
+  minReplicas: {{ .Values.autoscaling.minReplicas }}
+  maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+  metrics:
+    {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+    {{- end }}
+    {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: memory
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+    {{- end }}
+{{- end }}

deploy/dynamo/helm/platform/components/api-server/templates/ingress.yaml

+# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- if .Values.ingress.enabled -}}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ include "helm.fullname" . }}
+  labels:
+    {{- include "helm.labels" . | nindent 4 }}
+  {{- with .Values.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- with .Values.ingress.className }}
+  ingressClassName: {{ . }}
+  {{- end }}
+  {{- if .Values.ingress.tls }}
+  tls:
+    {{- range .Values.ingress.tls }}
+    - hosts:
+        {{- range .hosts }}
+        - {{ . | quote }}
+        {{- end }}
+      secretName: {{ .secretName }}
+    {{- end }}
+  {{- end }}
+  rules:
+    {{- range .Values.ingress.hosts }}
+    - host: {{ .host | quote }}
+      http:
+        paths:
+          {{- range .paths }}
+          - path: {{ .path }}
+            {{- with .pathType }}
+            pathType: {{ . }}
+            {{- end }}
+            backend:
+              service:
+                name: {{ include "helm.fullname" $ }}
+                port:
+                  number: {{ $.Values.service.port }}
+          {{- end }}
+    {{- end }}
+{{- end }}

deploy/dynamo/helm/platform/components/api-server/templates/server-rbac.yaml

+# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.namespaceRestriction.enabled }}
+kind: Role
+{{- else }}
+kind: ClusterRole
+{{- end }}
+metadata:
+  name: {{ include "helm.fullname" . }}-role
+  {{- if .Values.namespaceRestriction.enabled }}
+  namespace: {{ .Values.namespaceRestriction.targetNamespace }}
+  {{- end }}
+rules:
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.namespaceRestriction.enabled }}
+kind: RoleBinding
+{{- else }}
+kind: ClusterRoleBinding
+{{- end }}
+metadata:
+  name: {{ include "helm.fullname" . }}-role-binding
+  {{- if .Values.namespaceRestriction.enabled }}
+  namespace: {{ .Values.namespaceRestriction.targetNamespace }}
+  {{- end }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "helm.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ include "helm.fullname" . }}-role
+  apiGroup: rbac.authorization.k8s.io
\ No newline at end of file

deploy/dynamo/helm/platform/components/api-server/templates/service-ui.yaml

+# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+apiVersion: v1
+kind: Service
+metadata:
+  name: dynamo-ui
+spec:
+  ports:
+  - port: 80
+    protocol: TCP
+    targetPort: 80
+  selector:
+    app: dynamo-ui
+  sessionAffinity: None
+  type: ClusterIP

deploy/dynamo/helm/platform/components/api-server/templates/service.yaml

+# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+apiVersion: v1
+kind: Service
+metadata:
+  name: "dynamo-server"
+  labels:
+    {{- include "helm.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ .Values.service.port }}
+      targetPort: {{ .Values.dynamo.port }}
+      protocol: TCP
+      name: http
+  selector:
+    {{- include "helm.selectorLabels" . | nindent 4 }}

deploy/dynamo/helm/platform/components/api-server/templates/serviceaccount.yaml

+# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- if .Values.serviceAccount.create -}}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "helm.serviceAccountName" . }}
+  labels:
+    {{- include "helm.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
+{{- end }}