Skip to main content

Prepare Helm Chart Values

In this section, you will prepare the necessary Helm chart values for the PaletteAI cluster. The Helm chart is used to deploy PaletteAI on the cluster. Sections that are not covered in this guide can be left as is.

tip

To learn more about each section in the Helm chart values file, refer to our Helm Configuration Reference page.

Assumptions

The following assumptions are made in this section:

  • PaletteAI will use the Zot registry that comes with the appliance cluster to store your application configurations. You may use a different registry, but for this installation, the built-in registry will be used.

  • Hub-spoke mode will be used for the PaletteAI cluster. This is the default mode for the PaletteAI cluster.

  • The PaletteAI cluster trusts Dex as the OIDC provider. This prevents the need to configure user impersonation for PaletteAI.

  • A Prometheus server will be deployed to the hub cluster during the appliance install step for metrics collection. Alternatively, if you have configured an external Prometheus server, you may use that instead.

Prerequisites

  • Completed the Prepare Infrastructure section.

  • The ability to host a file server to store the Helm chart values. This can be a local, cloud, or shared file server.

  • The network domain that you will use for the PaletteAI cluster. You will need to create a DNS record for the domain that points to the leader node's IP address or a VIP address.

  • Information about your OpenID Connect provider OIDC. This is used to authenticate users to PaletteAI through Single Sign-On (SSO). You may skip this section if you do not want to use SSO, but be aware that this is not a recommended practice.

  • curl or wget to download the Helm chart values file.

  • In your OIDC provider, you must configure your application to allow the following callback URLs. Replace <domain-or-vip-address> with the domain or VIP address you configured for the cluster.

    • https://<domain-or-vip-address>/ai/callback
    • https://<domain-or-vip-address>/dex/callback
    • https://<domain-or-vip-address>

Prepare Helm Chart Values

  1. Download the latest Helm chart values file. This example uses curl.

    curl --output values.yaml --silent https://docs.palette-ai.com/resources/assets/hosted/helm/values.yaml

  2. Open the Helm chart values file in a text editor of your choice and complete the following sections. This example uses vi.

    vi values.yaml

Global

  1. The global configuration is used to configure overarching settings for the PaletteAI deployment. Review and modify the following values as necessary.

    warning

    Make sure the domain has a DNS record that points to the leader node's IP address or a VIP address.

    1. Set global.dns.domain to the primary domain for the deployment. Do not include a protocol. For example, use example.org, not https://example.org.

      global:
        dns:
          domain: 'example.acme.org'

    2. In global.auditLogging.basicAuth, change the default username and password for audit logging. The session secret is used for encoding and decoding the PaletteAI session cookie. Credentials are not stored in the browser. The cookie is used to map the session to the user so that the server can retrieve the user's credentials.

      global:
        auditLogging:
          basicAuth:
            username: REPLACE_WITH_YOUR_USERNAME
            password: REPLACE_WITH_YOUR_PASSWORD

    3. Configure the metrics collection settings. By default, the appliance deploys a Prometheus server on the hub cluster at port 30090. Spoke clusters use Prometheus agents to collect metrics and ship them to the Prometheus server via remote_write. Set global.metrics.prometheusBaseUrl to the domain or VIP address of your leader node with port 30090. Ensure you do not include any API paths, only the protocol, host, and port.

      global:
        metrics:
          prometheusBaseUrl: 'https://example.acme.org:30090'
          timeout: '5s'
          scrapeInterval: '15s'
          agentType: 'prometheus-agent-minimal'
          username: ''
          password: ''

      The agentType is set to prometheus-agent-minimal by default. This agent collects only spoke cluster CPU and GPU utilization metrics. If you are using an external Prometheus server instead of the hub-based deployment, configure global.metrics.prometheusBaseUrl to point to your external Prometheus server's URL (e.g., https://your-external-prometheus:9090). In this case, you may also change global.metrics.agentType to prometheus-agent to ship all node-exporter and dcgm-exporter metrics from spoke clusters for comprehensive observability.

      If your Prometheus server requires basic authentication, configure the username and password fields. Leave these empty if authentication is not required.

      tip

      If you prefer to use an external Prometheus server, you may find the Deploy Monitoring Stack guide helpful for setting up a comprehensive monitoring solution.

      Complete global configuration section

FleetConfig

  1. FleetConfig orchestrates multi-cluster management support through Open Cluster Management (OCM). Review and modify the following values as necessary.

    1. Set fleetConfig.hub.apiServer to the API server of the domain or VIP address for the leader node. Ensure that you include the Kubernetes API server port and the communication protocol.

      fleetConfig:
        hub:
          apiServer: 'https://acme.example.org:6443'

    2. Navigate to the fleetConfig.spokes section and locate the hub-as-spoke spoke. Set ociRegistry.endpoint to the endpoint of the Zot registry. Set your domain after the oci:// protocol and end with port 30003. Set the username for the Zot registry to admin and replace REPLACE_WITH_YOUR_PASSWORD with the password you want to use.

      fleetConfig:
        spokes:
          - name: hub-as-spoke
            # OCI registry configuration for the spoke cluster.
            ociRegistry:
              endpoint: 'oci://acme.example.org:30003'
              repository: 'mural-workloads'
              insecure: true
              timeout: 60s
              basicAuth:
                username: 'admin'
                password: 'REPLACE_WITH_YOUR_PASSWORD'
              basicAuthSecretName: ''
              certData: {}

    3. Use the fleetConfig.spokeValuesOverrides section to configure what PaletteAI components are installed on the spoke cluster and what OCI registry is used. Set enabled to true.

      fleetConfig:
        spokeValuesOverrides:
          enabled: true

    4. Copy and paste the following code block below the fleetConfig.spokeValuesOverrides.enabled section. Set the ociRegistry.endpoint to the domain or VIP address for the leader node. Use the same value as the ociRegistry.endpoint in the fleetConfig.spokes section. Replace REPLACE_WITH_YOUR_PASSWORD with the same value you set earlier.

      hue: |
        enabled: true
        clusterType: spoke
        defaultDefinitions:
          enabled: false
        ociRegistry:
          enabled: true
          endpoint: 'oci://acme.example.org:30003'
          repository: 'mural-workloads'
          insecure: true
          interval: 5m
          timeout: 60s
          # basicAuthSecretName: "oci-creds"
          basicAuth:
            username: 'admin'
            password: 'REPLACE_WITH_YOUR_PASSWORD'
      cert-manager: |
        enabled: false
      flux2: |
        enabled: true
        policies:
          create: false
      zot: |
        enabled: false
      Complete fleetConfig configuration section

Alertmanager

  1. Navigate to the alertmanager section. Update credentials for the alertmanager instance based on the credentials you configured in the global section.

    You must provide a Base64 encoded string for the Authorization header. Use the interactive encoder below to generate your Base64 encoded string and copy the value to the clipboard.

    Base64 Encoded String:

    Alternatively, generate the Base64 encoded string using the following command. Replace username and password with the username and password you configured in the global section.

    echo -n "username:password" | base64

    Following is the livenessProbe and readinessProbe sections with the Base64 encoded string. Replace REPLACE_WITH_YOUR_BASE64_ENCODED_STRING with the Base64 encoded string you generated.

    alertmanager:
      livenessProbe:
        httpGet:
          path: /-/healthy
          port: http
          scheme: HTTPS
          httpHeaders:
            - name: Authorization
              value: 'Basic REPLACE_WITH_YOUR_BASE64_ENCODED_STRING'
      readinessProbe:
        httpGet:
          path: /-/ready
          port: http
          scheme: HTTPS
          httpHeaders:
            - name: Authorization
              value: 'Basic REPLACE_WITH_YOUR_BASE64_ENCODED_STRING'
    Complete alertmanager configuration section

Canvas

  1. Canvas controls part of the user interface. Review and modify the following values as necessary.

    1. Set canvas.ingress.enabled to true. Set the canvas.ingress.matchAllHosts to true.

      canvas:
        ingress:
          enabled: true
          annotations: {}
          ingressClassName: nginx
          matchAllHosts: true
          tls: []
          paths:
            - path: /ai
              pathType: ImplementationSpecific
              backend:
                service:
                  name: canvas
                  port:
                    number: 2999

    2. Set canvas.enableHTTP to true. This supports TLS termination at the load balancer. canvas.ingress.tls remains empty as a result.

      canvas:
        enableHTTP: true

    3. In the canvas.oidc section, enter a unique string for the sessionSecret. For redirectURL, replace replace.with.your.domain with the domain or VIP address for the leader node. Do not remove the /ai/callback path.

      canvas:
        oidc:
          sessionSecret: 'REPLACE_WITH_A_UNIQUE_STRING'
          sessionDir: '/app/sessions'
          issuerK8sService: 'https://dex.mural-system.svc.cluster.local:5554/dex'
          skipSSLCertificateVerification: true
          redirectURL: 'https://replace.with.your.domain/ai/callback'
      Complete canvas configuration section

Dex

  1. Dex authenticates users to PaletteAI through SSO. You can configure Dex to connect to an upstream OIDC provider or to a local user database. For this installation, you will configure Dex to connect to an upstream OIDC provider. If you want to configure an OIDC provider later, you can do so; however, Dex still requires some basic configuration.

    1. Set dex.config.issuer to the domain or VIP address for the leader node. Do not remove the /dex path.

      dex:
        config:
          issuer: 'https://replace.with.your.domain/dex'

    2. This next part may be deferred for later, but we strongly recommend configuring at least one connector. Set the dex.config.connectors to the connectors you want to use. The Dex documentation has examples for each of the connectors.

      Below is an example of an OIDC connector that connects to AWS Cognito. The oidc type can be used for any OIDC provider that does not have a native Dex connector. Different OIDC providers may require different configurations.

      Example AWS Cognito configuration
      dex:
        config:
          connectors:
            - type: oidc
              id: aws
              name: AWS Cognito
              config:
                issuer: https://cognito-idp.us-east-1.amazonaws.com/us-east-1_xxxxxx
                clientID: xxxxxxxxxxxxxxx
                clientSecret: xxxxxxxxxxxxxxxxx
                redirectURI: https://replace.with.your.domain/dex/callback # Dex's callback url for authorized code flow that will redirect to our application's callback url
                getUserInfo: true
                userNameKey: email
                insecureSkipEmailVerified: true
                insecureEnableGroups: true
                scopes:
                  - openid
                  - email
                  - profile
                promptType: consent
                claimMapping:
                  groups: groups

    3. Once you have configured the connectors, proceed to the dex.config.staticClients section. Replace REPLACE_WITH_A_UNIQUE_STRING with a unique string and replace.with.your.domain with the domain or VIP address for the leader node. Do not remove the /ai/callback path.

      dex:
        config:
          staticClients:
            - id: mural
              redirectURIs:
                - 'https://replace.with.your.domain/ai/callback'
              name: 'mural'
              secret: 'REPLACE_WITH_A_UNIQUE_STRING'
              public: false
              trustedPeers:
                - kubernetes
            - id: kubernetes
              redirectURIs:
                - 'https://replace.with.your.domain'
              name: kubernetes
              secret: 'REPLACE_WITH_A_UNIQUE_STRING'
              public: false
              trustedPeers:
                - mural

    4. Next, configure the dex.config.staticPasswords section. We strongly recommend changing the default user and password to strong values. The following example is the default user and password in bcrypt format. Remember to use a bcrypt hash generator to generate the password hash. The userID can be any unique string.

      warning

      If you did not configure any OIDC connectors, you must configure at least one static user, which is used to access the PaletteAI UI. Static Dex users automatically inherit admin privileges through the service account. Dex does not support groups for local static users. To use groups for local static users, you must use the User Impersonation feature.

      dex:
        config:
          staticPasswords:
            - email: 'admin@example.com'
              hash: '$2a$12$Ot2dJ0pmdIC2oXUDW/Ez1OIfhkSzLZIbsumsxkByuU3CUr02DtiC.'
              username: 'admin'
              userID: '08a8684b-db88-4b73-90a9-3cd1661f5466'

    5. Lastly, configure the dex and dexIngress sections to expose Dex. PaletteAI replaces the default dex ingress configuration with its own custom configuration to circumvent a known issue. Set dex.ingress.enabled to false and dexIngress.enabled to true. Within dexIngress, set matchAllHosts to true. Do not remove the /dex path. Because TLS is terminated at the load balancer, the tls section is empty.

      dex:
        ingress:
          enabled: false
      dexIngress:
        enabled: true
        annotations: {}
        className: 'nginx'
        matchAllHosts: true
        hosts:
          - host: ''
            paths:
              - path: /dex
                pathType: ImplementationSpecific
        tls: []
      Complete dex configuration section

Flux2

  1. Disable Flux. The appliance will stand up its own Flux instance.

    flux2:
      enabled: false

Hue

  1. Hue requires OCI registry information to work correctly. Use the same values you provided in the fleetConfig section.

    hue:
      ociRegistry:
        enabled: true
        endpoint: 'oci://replace.with.your.domain:30003'
        repository: 'mural-workloads'
        insecure: true
        interval: 5m
        timeout: 60s
        basicAuth:
          username: 'admin'
          password: 'REPLACE_WITH_YOUR_PASSWORD'
    Complete hue configuration section

Ingress-Nginx

  1. Disable Ingress Nginx. The appliance will stand up its own Ingress Nginx instance.

    ingress-nginx:
      enabled: false

Zot

  1. Disable Zot. The appliance will stand up its own Zot instance. The enabled parameter is located at the beginning of the zot section.

    zot:
      enabled: false

This concludes the Helm chart configuration for the PaletteAI appliance. The next step is to ensure the YAML file is hosted on a file server and made available on the same network as the PaletteAI appliance. For guidance on how to do this, expand the following section.

warning

The file server must be accessible and accessible at all times, including post-installation, in order to support Day-2 Operations, such as upgrading PaletteAI.

Exposing and hosting a file server

There are many options for hosting a file server. Options range from using a Python module to using an Apache HTTP server. A lightweight option is to use Caddy to host the values.yaml file.

  1. Download and install Caddy. Refer to the Caddy installation guide for more information.

  2. Navigate to the directory where you want to host the values.yaml file. Ensure the values.yaml file is in the directory.

  3. Issue the following command to start the Caddy server and send it to the background. Replace 8080 with the port you want to use for the file server.

    nohup caddy file-server --listen 0.0.0.0:8080 --browse &

  4. Using the IP address of the machine where Caddy is running, you can now access the values.yaml file at http://<IP_ADDRESS>:8080/values.yaml.

Caddy offers additional capabilities, such as authentication and automatic HTTPS. However, these features require additional configuration and are beyond the scope of this guide.

Validation

  1. Verify you have properly configured the following sections:

  2. Ensure you have disabled the following components:

  3. Lastly, ensure you have a file server that is hosting the values.yaml file and that it is accessible at all times, including post-installation.

Next Steps

You are now ready to proceed to the Deploy PaletteAI guide and begin installing self-hosted Palette and PaletteAI.