Feat/certificate (#2998)

* first pass

* simplify

* remove now unneeded COPY command

* minor clean up

* k

* nit
pablodanswer
2024-11-01 12:34:52 -07:00
committed by GitHub
parent 753293cefb
commit d66b81a902
5 changed files with 108 additions and 92 deletions


@@ -12,7 +12,6 @@ ARG DANSWER_VERSION=0.8-dev
ENV DANSWER_VERSION=${DANSWER_VERSION} \ ENV DANSWER_VERSION=${DANSWER_VERSION} \
DANSWER_RUNNING_IN_DOCKER="true" DANSWER_RUNNING_IN_DOCKER="true"
ARG CA_CERT_CONTENT=""
RUN echo "DANSWER_VERSION: ${DANSWER_VERSION}" RUN echo "DANSWER_VERSION: ${DANSWER_VERSION}"
# Install system dependencies # Install system dependencies
@@ -39,15 +38,6 @@ RUN apt-get update && \
apt-get clean apt-get clean
# Conditionally write the CA certificate and update certificates
RUN if [ -n "$CA_CERT_CONTENT" ]; then \
echo "Adding custom CA certificate"; \
echo "$CA_CERT_CONTENT" > /usr/local/share/ca-certificates/my-ca.crt && \
chmod 644 /usr/local/share/ca-certificates/my-ca.crt && \
update-ca-certificates; \
else \
echo "No custom CA certificate provided"; \
fi
# Install Python dependencies # Install Python dependencies
# Remove py which is pulled in by retry, py is not needed and is a CVE # Remove py which is pulled in by retry, py is not needed and is a CVE
@@ -87,7 +77,6 @@ RUN apt-get update && \
RUN python -c "from tokenizers import Tokenizer; \ RUN python -c "from tokenizers import Tokenizer; \
Tokenizer.from_pretrained('nomic-ai/nomic-embed-text-v1')" Tokenizer.from_pretrained('nomic-ai/nomic-embed-text-v1')"
# Pre-downloading NLTK for setups with limited egress # Pre-downloading NLTK for setups with limited egress
RUN python -c "import nltk; \ RUN python -c "import nltk; \
nltk.download('stopwords', quiet=True); \ nltk.download('stopwords', quiet=True); \


@@ -79,8 +79,8 @@ services:
# Leave this on pretty please? Nothing sensitive is collected! # Leave this on pretty please? Nothing sensitive is collected!
# https://docs.danswer.dev/more/telemetry # https://docs.danswer.dev/more/telemetry
- DISABLE_TELEMETRY=${DISABLE_TELEMETRY:-} - DISABLE_TELEMETRY=${DISABLE_TELEMETRY:-}
- LOG_LEVEL=${LOG_LEVEL:-info} # Set to debug to get more fine-grained logs - LOG_LEVEL=${LOG_LEVEL:-info} # Set to debug to get more fine-grained logs
- LOG_ALL_MODEL_INTERACTIONS=${LOG_ALL_MODEL_INTERACTIONS:-} # LiteLLM Verbose Logging - LOG_ALL_MODEL_INTERACTIONS=${LOG_ALL_MODEL_INTERACTIONS:-} # LiteLLM Verbose Logging
# Log all of Danswer prompts and interactions with the LLM # Log all of Danswer prompts and interactions with the LLM
- LOG_DANSWER_MODEL_INTERACTIONS=${LOG_DANSWER_MODEL_INTERACTIONS:-} - LOG_DANSWER_MODEL_INTERACTIONS=${LOG_DANSWER_MODEL_INTERACTIONS:-}
# If set to `true` will enable additional logs about Vespa query performance # If set to `true` will enable additional logs about Vespa query performance
@@ -96,7 +96,7 @@ services:
# Chat Configs # Chat Configs
- HARD_DELETE_CHATS=${HARD_DELETE_CHATS:-} - HARD_DELETE_CHATS=${HARD_DELETE_CHATS:-}
# Enterprise Edition only # Enterprise Edition only
- ENABLE_PAID_ENTERPRISE_EDITION_FEATURES=${ENABLE_PAID_ENTERPRISE_EDITION_FEATURES:-false} - ENABLE_PAID_ENTERPRISE_EDITION_FEATURES=${ENABLE_PAID_ENTERPRISE_EDITION_FEATURES:-false}
- API_KEY_HASH_ROUNDS=${API_KEY_HASH_ROUNDS:-} - API_KEY_HASH_ROUNDS=${API_KEY_HASH_ROUNDS:-}
@@ -114,7 +114,12 @@ services:
build: build:
context: ../../backend context: ../../backend
dockerfile: Dockerfile dockerfile: Dockerfile
command: /usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf command: >
/bin/sh -c "
if [ -f /etc/ssl/certs/custom-ca.crt ]; then
update-ca-certificates;
fi &&
/usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf"
depends_on: depends_on:
- relational_db - relational_db
- index - index
@@ -197,8 +202,8 @@ services:
# Leave this on pretty please? Nothing sensitive is collected! # Leave this on pretty please? Nothing sensitive is collected!
# https://docs.danswer.dev/more/telemetry # https://docs.danswer.dev/more/telemetry
- DISABLE_TELEMETRY=${DISABLE_TELEMETRY:-} - DISABLE_TELEMETRY=${DISABLE_TELEMETRY:-}
- LOG_LEVEL=${LOG_LEVEL:-info} # Set to debug to get more fine-grained logs - LOG_LEVEL=${LOG_LEVEL:-info} # Set to debug to get more fine-grained logs
- LOG_ALL_MODEL_INTERACTIONS=${LOG_ALL_MODEL_INTERACTIONS:-} # LiteLLM Verbose Logging - LOG_ALL_MODEL_INTERACTIONS=${LOG_ALL_MODEL_INTERACTIONS:-} # LiteLLM Verbose Logging
# Log all of Danswer prompts and interactions with the LLM # Log all of Danswer prompts and interactions with the LLM
- LOG_DANSWER_MODEL_INTERACTIONS=${LOG_DANSWER_MODEL_INTERACTIONS:-} - LOG_DANSWER_MODEL_INTERACTIONS=${LOG_DANSWER_MODEL_INTERACTIONS:-}
- LOG_VESPA_TIMING_INFORMATION=${LOG_VESPA_TIMING_INFORMATION:-} - LOG_VESPA_TIMING_INFORMATION=${LOG_VESPA_TIMING_INFORMATION:-}
@@ -215,6 +220,11 @@ services:
options: options:
max-size: "50m" max-size: "50m"
max-file: "6" max-file: "6"
# Uncomment the following lines if you need to include a custom CA certificate
# Optional volume mount for CA certificate
# volumes:
# # Maps to the CA_CERT_PATH environment variable in the Dockerfile
# - ${CA_CERT_PATH:-./custom-ca.crt}:/etc/ssl/certs/custom-ca.crt:ro
web_server: web_server:
image: danswer/danswer-web-server:${IMAGE_TAG:-latest} image: danswer/danswer-web-server:${IMAGE_TAG:-latest}
@@ -295,7 +305,7 @@ services:
# Set to debug to get more fine-grained logs # Set to debug to get more fine-grained logs
- LOG_LEVEL=${LOG_LEVEL:-info} - LOG_LEVEL=${LOG_LEVEL:-info}
- CLIENT_EMBEDDING_TIMEOUT=${CLIENT_EMBEDDING_TIMEOUT:-} - CLIENT_EMBEDDING_TIMEOUT=${CLIENT_EMBEDDING_TIMEOUT:-}
# Analytics Configs # Analytics Configs
- SENTRY_DSN=${SENTRY_DSN:-} - SENTRY_DSN=${SENTRY_DSN:-}
volumes: volumes:
@@ -338,7 +348,7 @@ services:
image: nginx:1.23.4-alpine image: nginx:1.23.4-alpine
restart: always restart: always
# nginx will immediately crash with `nginx: [emerg] host not found in upstream` # nginx will immediately crash with `nginx: [emerg] host not found in upstream`
# if api_server / web_server are not up # if api_server / web_server are not up
depends_on: depends_on:
- api_server - api_server
- web_server - web_server
@@ -354,20 +364,20 @@ services:
options: options:
max-size: "50m" max-size: "50m"
max-file: "6" max-file: "6"
# The specified script waits for the api_server to start up. # The specified script waits for the api_server to start up.
# Without this we've seen issues where nginx shows no error logs but # Without this we've seen issues where nginx shows no error logs but
# does not recieve any traffic # does not recieve any traffic
# NOTE: we have to use dos2unix to remove Carriage Return chars from the file # NOTE: we have to use dos2unix to remove Carriage Return chars from the file
# in order to make this work on both Unix-like systems and windows # in order to make this work on both Unix-like systems and windows
command: > command: >
/bin/sh -c "dos2unix /etc/nginx/conf.d/run-nginx.sh /bin/sh -c "dos2unix /etc/nginx/conf.d/run-nginx.sh
&& /etc/nginx/conf.d/run-nginx.sh app.conf.template.dev" && /etc/nginx/conf.d/run-nginx.sh app.conf.template.dev"
cache: cache:
image: redis:7.4-alpine image: redis:7.4-alpine
restart: always restart: always
ports: ports:
- '6379:6379' - "6379:6379"
# docker silently mounts /data even without an explicit volume mount, which enables # docker silently mounts /data even without an explicit volume mount, which enables
# persistence. explicitly setting save and appendonly forces ephemeral behavior. # persistence. explicitly setting save and appendonly forces ephemeral behavior.
command: redis-server --save "" --appendonly no command: redis-server --save "" --appendonly no
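Review bot: The runtime hook added to the background service's `command:` (the `if [ -f /etc/ssl/certs/custom-ca.crt ]` branch) mounts the custom CA where update-ca-certificates writes its output rather than where it reads input, so the certificate is unlikely to land in the generated bundle; on Debian-based images update-ca-certificates collects `/usr/local/share/ca-certificates/*.crt`, which is exactly the path the Dockerfile block removed by this commit used. Mounting at `/usr/local/share/ca-certificates/custom-ca.crt` and testing that path keeps the same one-line guard but actually installs the cert: `- ${CA_CERT_PATH:-./custom-ca.crt}:/usr/local/share/ca-certificates/custom-ca.crt:ro` and `if [ -f /usr/local/share/ca-certificates/custom-ca.crt ]; then`. The commented volume's note `# Maps to the CA_CERT_PATH environment variable in the Dockerfile` is stale, since this commit drops the Dockerfile's CA handling (which read CA_CERT_CONTENT, not CA_CERT_PATH); something like `# CA_CERT_PATH is a host path substituted by compose; the Dockerfile no longer reads it` is accurate. The same command and the same commented mount appear again in the second compose file's background service hunks. Whether the Python services consult the system bundle at all, rather than a bundled certifi store, is not visible here and is worth confirming before relying on this hook.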


@@ -5,7 +5,8 @@ services:
context: ../../backend context: ../../backend
dockerfile: Dockerfile dockerfile: Dockerfile
command: > command: >
/bin/sh -c "alembic upgrade head && /bin/sh -c "
alembic upgrade head &&
echo \"Starting Danswer Api Server\" && echo \"Starting Danswer Api Server\" &&
uvicorn danswer.main:app --host 0.0.0.0 --port 8080" uvicorn danswer.main:app --host 0.0.0.0 --port 8080"
depends_on: depends_on:
@@ -29,14 +30,17 @@ services:
options: options:
max-size: "50m" max-size: "50m"
max-file: "6" max-file: "6"
background: background:
image: danswer/danswer-backend:${IMAGE_TAG:-latest} image: danswer/danswer-backend:${IMAGE_TAG:-latest}
build: build:
context: ../../backend context: ../../backend
dockerfile: Dockerfile dockerfile: Dockerfile
command: /usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf command: >
/bin/sh -c "
if [ -f /etc/ssl/certs/custom-ca.crt ]; then
update-ca-certificates;
fi &&
/usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf"
depends_on: depends_on:
- relational_db - relational_db
- index - index
@@ -60,6 +64,10 @@ services:
options: options:
max-size: "50m" max-size: "50m"
max-file: "6" max-file: "6"
# Uncomment the following lines if you need to include a custom CA certificate
# volumes:
# # Maps to the CA_CERT_PATH environment variable in the Dockerfile
# - ${CA_CERT_PATH:-./custom-ca.crt}:/etc/ssl/certs/custom-ca.crt:ro
web_server: web_server:
image: danswer/danswer-web-server:${IMAGE_TAG:-latest} image: danswer/danswer-web-server:${IMAGE_TAG:-latest}
@@ -86,7 +94,6 @@ services:
max-size: "50m" max-size: "50m"
max-file: "6" max-file: "6"
relational_db: relational_db:
image: postgres:15.2-alpine image: postgres:15.2-alpine
command: -c 'max_connections=250' command: -c 'max_connections=250'
@@ -102,7 +109,6 @@ services:
max-size: "50m" max-size: "50m"
max-file: "6" max-file: "6"
inference_model_server: inference_model_server:
image: danswer/danswer-model-server:${IMAGE_TAG:-latest} image: danswer/danswer-model-server:${IMAGE_TAG:-latest}
build: build:
@@ -129,7 +135,6 @@ services:
max-size: "50m" max-size: "50m"
max-file: "6" max-file: "6"
indexing_model_server: indexing_model_server:
image: danswer/danswer-model-server:${IMAGE_TAG:-latest} image: danswer/danswer-model-server:${IMAGE_TAG:-latest}
build: build:
@@ -158,7 +163,6 @@ services:
max-size: "50m" max-size: "50m"
max-file: "6" max-file: "6"
# This container name cannot have an underscore in it due to Vespa expectations of the URL # This container name cannot have an underscore in it due to Vespa expectations of the URL
index: index:
image: vespaengine/vespa:8.277.17 image: vespaengine/vespa:8.277.17
@@ -174,12 +178,11 @@ services:
max-size: "50m" max-size: "50m"
max-file: "6" max-file: "6"
nginx: nginx:
image: nginx:1.23.4-alpine image: nginx:1.23.4-alpine
restart: always restart: always
# nginx will immediately crash with `nginx: [emerg] host not found in upstream` # nginx will immediately crash with `nginx: [emerg] host not found in upstream`
# if api_server / web_server are not up # if api_server / web_server are not up
depends_on: depends_on:
- api_server - api_server
- web_server - web_server
@@ -190,26 +193,25 @@ services:
- ../data/nginx:/etc/nginx/conf.d - ../data/nginx:/etc/nginx/conf.d
- ../data/certbot/conf:/etc/letsencrypt - ../data/certbot/conf:/etc/letsencrypt
- ../data/certbot/www:/var/www/certbot - ../data/certbot/www:/var/www/certbot
# sleep a little bit to allow the web_server / api_server to start up. # sleep a little bit to allow the web_server / api_server to start up.
# Without this we've seen issues where nginx shows no error logs but # Without this we've seen issues where nginx shows no error logs but
# does not recieve any traffic # does not recieve any traffic
logging: logging:
driver: json-file driver: json-file
options: options:
max-size: "50m" max-size: "50m"
max-file: "6" max-file: "6"
# The specified script waits for the api_server to start up. # The specified script waits for the api_server to start up.
# Without this we've seen issues where nginx shows no error logs but # Without this we've seen issues where nginx shows no error logs but
# does not recieve any traffic # does not recieve any traffic
# NOTE: we have to use dos2unix to remove Carriage Return chars from the file # NOTE: we have to use dos2unix to remove Carriage Return chars from the file
# in order to make this work on both Unix-like systems and windows # in order to make this work on both Unix-like systems and windows
command: > command: >
/bin/sh -c "dos2unix /etc/nginx/conf.d/run-nginx.sh /bin/sh -c "dos2unix /etc/nginx/conf.d/run-nginx.sh
&& /etc/nginx/conf.d/run-nginx.sh app.conf.template" && /etc/nginx/conf.d/run-nginx.sh app.conf.template"
env_file: env_file:
- .env.nginx - .env.nginx
# follows https://pentacent.medium.com/nginx-and-lets-encrypt-with-docker-in-less-than-5-minutes-b4b8a60d3a71 # follows https://pentacent.medium.com/nginx-and-lets-encrypt-with-docker-in-less-than-5-minutes-b4b8a60d3a71
certbot: certbot:
image: certbot/certbot image: certbot/certbot
@@ -224,17 +226,15 @@ services:
max-file: "6" max-file: "6"
entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'" entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
cache: cache:
image: redis:7.4-alpine image: redis:7.4-alpine
restart: always restart: always
ports: ports:
- '6379:6379' - "6379:6379"
# docker silently mounts /data even without an explicit volume mount, which enables # docker silently mounts /data even without an explicit volume mount, which enables
# persistence. explicitly setting save and appendonly forces ephemeral behavior. # persistence. explicitly setting save and appendonly forces ephemeral behavior.
command: redis-server --save "" --appendonly no command: redis-server --save "" --appendonly no
volumes: volumes:
db_volume: db_volume:
vespa_volume: vespa_volume:


@@ -27,36 +27,36 @@ spec:
app: api-server app: api-server
spec: spec:
containers: containers:
- name: api-server - name: api-server
image: danswer/danswer-backend:latest image: danswer/danswer-backend:latest
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
command: command:
- "/bin/sh" - "/bin/sh"
- "-c" - "-c"
- | - |
alembic upgrade head && alembic upgrade head &&
echo "Starting Danswer Api Server" && echo "Starting Danswer Api Server" &&
uvicorn danswer.main:app --host 0.0.0.0 --port 8080 uvicorn danswer.main:app --host 0.0.0.0 --port 8080
ports: ports:
- containerPort: 8080 - containerPort: 8080
# There are some extra values since this is shared between services # There are some extra values since this is shared between services
# There are no conflicts though, extra env variables are simply ignored # There are no conflicts though, extra env variables are simply ignored
env: env:
- name: OAUTH_CLIENT_ID - name: OAUTH_CLIENT_ID
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: danswer-secrets name: danswer-secrets
key: google_oauth_client_id key: google_oauth_client_id
- name: OAUTH_CLIENT_SECRET - name: OAUTH_CLIENT_SECRET
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: danswer-secrets name: danswer-secrets
key: google_oauth_client_secret key: google_oauth_client_secret
- name: REDIS_PASSWORD - name: REDIS_PASSWORD
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: danswer-secrets name: danswer-secrets
key: redis_password key: redis_password
envFrom: envFrom:
- configMapRef: - configMapRef:
name: env-configmap name: env-configmap


@@ -13,18 +13,35 @@ spec:
app: background app: background
spec: spec:
containers: containers:
- name: background - name: background
image: danswer/danswer-backend:latest image: danswer/danswer-backend:latest
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
command: ["/usr/bin/supervisord", "-c", "/etc/supervisor/conf.d/supervisord.conf"] command:
# There are some extra values since this is shared between services [
# There are no conflicts though, extra env variables are simply ignored "/usr/bin/supervisord",
env: "-c",
- name: REDIS_PASSWORD "/etc/supervisor/conf.d/supervisord.conf",
valueFrom: ]
secretKeyRef: env:
name: danswer-secrets - name: REDIS_PASSWORD
key: redis_password valueFrom:
envFrom: secretKeyRef:
- configMapRef: name: danswer-secrets
name: env-configmap key: redis_password
envFrom:
- configMapRef:
name: env-configmap
# Uncomment the following lines if you need to include a custom CA certificate
# Optional volume mount for CA certificate
# volumeMounts:
# - name: my-ca-cert-volume
# mountPath: /etc/ssl/certs/custom-ca.crt
# subPath: my-ca.crt
# Optional volume for CA certificate
# volumes:
# - name: my-cas-cert-volume
# secret:
# secretName: my-ca-cert
# items:
# - key: my-ca.crt
# path: my-ca.crt
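Review bot: The commented CA example is internally inconsistent: the volumeMount references `my-ca-cert-volume` while the volume is named `my-cas-cert-volume`, so uncommenting both as written yields a pod that fails validation on an unknown volume name; make them agree, e.g. `# - name: my-ca-cert-volume` under `volumes`. The `volumes:` list also belongs under the pod `spec` as a sibling of `containers`, not inside the container entry where the comment sits (indentation is not recoverable from this rendering, so the placement may be clearer in the source). Unlike the compose files in this commit, the `command` here still starts supervisord directly with no `update-ca-certificates` step, so mounting the cert at `/etc/ssl/certs/custom-ca.crt` would not by itself add it to the trust store; a short comment stating that the command must be extended or the image rebuilt would prevent a false sense of coverage. The two explanatory comments about shared env values were dropped from this file but kept in the api-server deployment; restoring them keeps the two manifests consistent.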