feat: add OpenShift / OKD support (Route template + deployment guide)#344
Open
lokeshrangineni wants to merge 3 commits into
Open
feat: add OpenShift / OKD support (Route template + deployment guide)#344lokeshrangineni wants to merge 3 commits into
lokeshrangineni wants to merge 3 commits into
Conversation
Adds first-class support for deploying Langfuse on OpenShift and OKD clusters.
Changes
-------
- charts/langfuse/templates/route.yaml
New template that renders an `route.openshift.io/v1` Route resource when
`langfuse.route.enabled: true`. Mirrors the existing ingress.yaml pattern
and supports edge, reencrypt, and passthrough TLS termination modes.
- charts/langfuse/values.yaml
New `langfuse.route` section with `enabled`, `host`, `annotations`,
`additionalLabels`, and full TLS options (termination, policy, certs).
Disabled by default; does not affect existing Kubernetes deployments.
- charts/langfuse/tests/route_test.yaml
8 helm-unittest test cases covering: disabled (default), auto-generated host,
explicit host, edge TLS (default), passthrough TLS, TLS disabled,
custom annotations/labels, and mutual exclusion with ingress.
- examples/openshift/
Step-by-step deployment guide (README.md), annotated values file
(values.yaml), and secret template (secret.yaml).
- TROUBLESHOOTING.md
New section documenting the Bitnami SCC conflict with OpenShift's
restricted-v2 policy, with two remediation paths (see below).
Known limitation — Bitnami sub-charts and OpenShift SCCs
---------------------------------------------------------
The bundled PostgreSQL and Valkey/Redis sub-charts use Bitnami images that
run as a fixed UID (1001). OpenShift's default restricted-v2 SCC enforces
a namespace-allocated UID range and rejects this fixed UID, causing pods to
fail at startup.
Two options are documented in examples/openshift/ and TROUBLESHOOTING.md:
Option A (dev/demo clusters only):
Grant anyuid SCC to the chart service account:
oc adm policy add-scc-to-user anyuid -z <release-name> -n <namespace>
This bypasses UID isolation and is NOT recommended for production.
Option B (recommended for production):
Disable the bundled PostgreSQL sub-chart (`postgresql.deploy: false`)
and provision an SCC-compliant PostgreSQL instance — e.g. via the
CrunchyData PGO operator (available in OperatorHub) or any managed
service. This removes the Bitnami dependency entirely.
A follow-up contribution to add a CrunchyData PGO example is planned.
Tested on OpenShift 4.20 (ai-dev02.kni.syseng.devcluster.openshift.com).
All 69 existing helm-unittest tests continue to pass; 8 new route tests added.
Made-with: Cursor
…P 4.20
Fixes discovered during actual deployment on OpenShift 4.20:
- secret.yaml: add missing clickhouse-password key (Langfuse v3 requires
ClickHouse; omitting this key causes helm install to fail with
"Configuring an existing secret or clickhouse.auth.password is required")
- values.yaml: remove podSecurityContext.runAsNonRoot: true from Langfuse
web/worker section — the image uses a non-numeric user ("nextjs") which
causes CreateContainerConfigError on OpenShift; leave podSecurityContext: {}
and rely on the anyuid SCC grant instead
- values.yaml: add missing clickhouse.auth.existingSecret wiring
- README.md: grant anyuid to both 'langfuse' and 'default' service accounts
(ClickHouse uses the default SA); add note about non-numeric user issue;
use alphanumeric-only DB passwords to avoid ClickHouse special-char bug
Made-with: Cursor
|
|
dosubot
Bot
added
the
size:L
Author
|
@deejay1 or @MrOrz or @Steffen911 - Could you help me to review the PR and provide any feedback. I am happy to make any changes if it is needed. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds support for deploying Langfuse on OpenShift / OKD clusters, which use
Routeresources instead ofIngressand enforce pod security via Security Context Constraints (SCCs).Changes
charts/langfuse/templates/route.yaml— newroute.openshift.io/v1Route template, disabled by default (langfuse.route.enabled: false), supportsedge,reencrypt, andpassthroughTLS terminationcharts/langfuse/values.yaml— newlangfuse.routesection (host, TLS options, annotations, labels)charts/langfuse/tests/route_test.yaml— 8 helm-unittest tests; all 69 existing tests still passexamples/openshift/— step-by-step README, annotated values.yaml, and secret template validated on OCP 4.20TROUBLESHOOTING.md— new section on Bitnami SCC conflict with two remediation pathsKnown Limitation — Bitnami sub-charts and OpenShift SCCs
Bitnami images (PostgreSQL, Redis, ClickHouse) run as fixed UID
1001, which conflicts with OpenShift'srestricted-v2SCC. Two options documented:anyuidSCC to thelangfuseanddefaultservice accountspostgresql.deploy: false) via CrunchyData PGO operator — eliminates the Bitnami dependency entirelyThis is a limitation of the upstream Bitnami images, not the Langfuse chart itself.
Test plan
Made with Cursor