WeKnora Helm Chart


Helm chart for deploying WeKnora - an AI-powered Knowledge RAG Platform.

Overview

WeKnora is an intelligent knowledge base platform that combines:

  • Document parsing and understanding
  • Vector search with BM25 hybrid retrieval
  • LLM integration for conversational AI
  • Multi-tenant support with encryption

Prerequisites

  • Kubernetes 1.25+
  • Helm 3.10+
  • PV provisioner support in the underlying infrastructure
  • Ingress controller (nginx-ingress recommended) for external access

Quick Start

bash
# Install the chart, supplying the required secrets
helm install weknora ./helm \
  --namespace weknora \
  --create-namespace \
  --set secrets.dbPassword='<your-db-password>' \
  --set secrets.redisPassword='<your-redis-password>' \
  --set secrets.jwtSecret='<your-jwt-secret>'

Architecture

                    ┌─────────────┐
                    │   Ingress   │
                    └──────┬──────┘
                           │
           ┌───────────────┴───────────────┐
           │                               │
           ▼                               ▼
    ┌─────────────┐                 ┌─────────────┐
    │  Frontend   │                 │   Backend   │
    │  (Vue.js)   │                 │   (Go/Gin)  │
    └─────────────┘                 └──────┬──────┘
                                           │
                    ┌──────────────────────┼──────────────────────┐
                    │                      │                      │
                    ▼                      ▼                      ▼
             ┌─────────────┐        ┌─────────────┐        ┌─────────────┐
             │  Docreader  │        │  PostgreSQL │        │    Redis    │
             │   (gRPC)    │        │  (ParadeDB) │        │   (Queue)   │
             └─────────────┘        └─────────────┘        └─────────────┘

Installation

Basic Installation

bash
helm install weknora ./helm \
  --namespace weknora \
  --create-namespace \
  --set secrets.dbPassword=secure-password \
  --set secrets.redisPassword=secure-password \
  --set secrets.jwtSecret="$(openssl rand -base64 32)"

With Ingress

bash
helm install weknora ./helm \
  --namespace weknora \
  --create-namespace \
  --set ingress.enabled=true \
  --set ingress.host=weknora.example.com \
  --set ingress.tls.enabled=true \
  --set ingress.tls.secretName=weknora-tls \
  --set secrets.dbPassword=secure-password \
  --set secrets.redisPassword=secure-password \
  --set secrets.jwtSecret="$(openssl rand -base64 32)"

With External LLM (Ollama)

bash
helm install weknora ./helm \
  --namespace weknora \
  --create-namespace \
  --set 'app.extraEnv[0].name=OLLAMA_BASE_URL' \
  --set 'app.extraEnv[0].value=http://ollama.ollama:11434' \
  --set 'app.extraEnv[1].name=INIT_LLM_MODEL_NAME' \
  --set 'app.extraEnv[1].value=qwen2.5:7b' \
  --set secrets.dbPassword=secure-password \
  --set secrets.redisPassword=secure-password \
  --set secrets.jwtSecret="$(openssl rand -base64 32)"

Production Installation

For production, use a values file:

yaml
# values-production.yaml
global:
  storageClass: "fast-ssd"

app:
  replicaCount: 3
  resources:
    requests:
      cpu: 500m
      memory: 1Gi
    limits:
      cpu: 2
      memory: 4Gi

postgresql:
  persistence:
    size: 100Gi

ingress:
  enabled: true
  host: weknora.company.com
  tls:
    enabled: true
    secretName: weknora-tls

secrets:
  existingSecret: weknora-secrets  # Use pre-created secret

bash
helm install weknora ./helm \
  --namespace weknora \
  --create-namespace \
  -f values-production.yaml

Configuration

Global Parameters

| Parameter | Description | Default |
|---|---|---|
| global.storageClass | Storage class for PVCs | "" |
| global.imagePullSecrets | Image pull secrets | [] |
| global.podSecurityContext | Pod security context | See values.yaml |
| global.containerSecurityContext | Container security context | See values.yaml |

ServiceAccount

| Parameter | Description | Default |
|---|---|---|
| serviceAccount.create | Create ServiceAccount | true |
| serviceAccount.name | ServiceAccount name | "" |
| serviceAccount.annotations | ServiceAccount annotations | {} |

App (Backend)

| Parameter | Description | Default |
|---|---|---|
| app.enabled | Enable backend | true |
| app.replicaCount | Number of replicas | 1 |
| app.image.repository | Image repository | wechatopenai/weknora-app |
| app.image.tag | Image tag | "" (uses appVersion) |
| app.resources | Resource limits | See values.yaml |
| app.env | Environment variables | See values.yaml |
| app.extraEnv | Additional env vars | [] |

Frontend

| Parameter | Description | Default |
|---|---|---|
| frontend.enabled | Enable frontend | true |
| frontend.replicaCount | Number of replicas | 1 |
| frontend.image.repository | Image repository | wechatopenai/weknora-ui |
| frontend.image.tag | Image tag | latest |

PostgreSQL (ParadeDB)

| Parameter | Description | Default |
|---|---|---|
| postgresql.enabled | Enable PostgreSQL | true |
| postgresql.image.repository | Image repository | paradedb/paradedb |
| postgresql.image.tag | Image tag | v0.18.9-pg17 |
| postgresql.persistence.enabled | Enable persistence | true |
| postgresql.persistence.size | PVC size | 10Gi |

Redis

| Parameter | Description | Default |
|---|---|---|
| redis.enabled | Enable Redis | true |
| redis.image.repository | Image repository | redis |
| redis.image.tag | Image tag | 7-alpine |
| redis.persistence.enabled | Enable persistence | true |
| redis.persistence.size | PVC size | 1Gi |

Ingress

| Parameter | Description | Default |
|---|---|---|
| ingress.enabled | Enable ingress | false |
| ingress.className | Ingress class | nginx |
| ingress.host | Hostname | weknora.example.com |
| ingress.tls.enabled | Enable TLS | false |
| ingress.tls.secretName | TLS secret name | "" |

Secrets

| Parameter | Description | Default |
|---|---|---|
| secrets.dbUser | Database username | postgres |
| secrets.dbPassword | Database password | "" (required) |
| secrets.dbName | Database name | weknora |
| secrets.redisPassword | Redis password | "" (required) |
| secrets.jwtSecret | JWT signing secret | "" (required) |
| secrets.existingSecret | Use existing secret | "" |

Optional Components

These map to docker-compose profiles:

| Parameter | Description | Default |
|---|---|---|
| minio.enabled | Enable MinIO storage | false |
| neo4j.enabled | Enable Neo4j (GraphRAG) | false |
| qdrant.enabled | Enable Qdrant vector DB | false |
| jaeger.enabled | Enable Jaeger tracing | false |

Security Best Practices

Secret Management

Never commit secrets to Git! Use one of these approaches:

  1. Helm --set flags (for testing only; values passed this way are recorded in shell history and stored with the Helm release)

    bash
    helm install weknora ./helm --set secrets.dbPassword=xxx
    
  2. External Secrets Operator (recommended for production)

    yaml
    secrets:
      existingSecret: weknora-external-secret
    
  3. Sealed Secrets (for GitOps)

    bash
    kubeseal < secret.yaml > sealed-secret.yaml
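
A pre-commit style check for the "never commit secrets" rule above, as an added example that is not part of the chart: it flags values files that set `secrets.dbPassword`, `secrets.redisPassword` or `secrets.jwtSecret` to a literal. The function name, the sample files and the line-based parsing (block-style YAML only) are assumptions of this example.

```python
import re

# Keys from this chart's Secrets table that must never hold a literal value
# in a file tracked by Git.
SENSITIVE = ("dbPassword", "redisPassword", "jwtSecret")

def inline_secrets(values_text):
    """Return (line_number, key) for each sensitive key set to a non-empty
    literal under the top-level `secrets:` mapping (block-style YAML only)."""
    hits, in_secrets = [], False
    for lineno, raw in enumerate(values_text.splitlines(), 1):
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()   # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                        # top-level key
            in_secrets = line.split(":")[0] == "secrets"
            continue
        m = re.match(r"\s+(\w+):\s*(.*)$", line)
        if in_secrets and m and m.group(1) in SENSITIVE:
            if m.group(2).strip("\"'") != "":            # "" and '' are empty
                hits.append((lineno, m.group(1)))
    return hits

# Constructed samples: GOOD mirrors the production values file on this page,
# BAD is the mistake the check exists to catch (the password is made up).
GOOD = """\
ingress:
  enabled: true
secrets:
  existingSecret: weknora-secrets  # Use pre-created secret
  dbPassword: ""
"""
BAD = """\
secrets:
  dbUser: postgres
  dbPassword: hunter2-example   # literal credential
  jwtSecret: ''
app:
  extraEnv:
    - name: jwtSecret
"""

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, inline_secrets(text))
```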
    

Pod Security

The chart follows CNCF security best practices:

  • Runs as non-root user
  • Read-only root filesystem where possible
  • Drops all capabilities
  • Uses seccomp profiles
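
To confirm these four settings on what is actually deployed, the added example below (not part of the chart) audits output shaped like `kubectl get pods -n weknora -o json`. The sample pod list and its names are constructed; container-level `runAsNonRoot` and `seccompProfile` are treated as overriding the pod-level values, as Kubernetes does.

```python
import json
import sys
# Constructed sample shaped like `kubectl get pods -n weknora -o json`;
# pod and container names are made up, not taken from the chart.
SAMPLE = {"items": [
    {"metadata": {"name": "weknora-app-0"}, "spec": {
        "securityContext": {"runAsNonRoot": True,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{"name": "app", "securityContext": {
            "readOnlyRootFilesystem": True,
            "capabilities": {"drop": ["ALL"]}}}]}},
    {"metadata": {"name": "weknora-redis-0"}, "spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [{"name": "redis", "securityContext": {
            "runAsNonRoot": False,
            "capabilities": {"drop": ["NET_RAW"]}}}]}},
]}

def inherited(pod_sc, ctr_sc, key):
    """Container-level value wins; otherwise fall back to the pod level."""
    return ctr_sc[key] if key in ctr_sc else pod_sc.get(key)

def audit(pod_list):
    """Return (pod/container, problem) pairs for the four settings listed."""
    findings = []
    for pod in pod_list["items"]:
        spec = pod["spec"]
        pod_sc = spec.get("securityContext") or {}
        for ctr in spec.get("initContainers", []) + spec["containers"]:
            sc = ctr.get("securityContext") or {}
            where = f"{pod['metadata']['name']}/{ctr['name']}"
            if inherited(pod_sc, sc, "runAsNonRoot") is not True:
                findings.append((where, "may run as root"))
            # The next two fields exist only at container level.
            if sc.get("readOnlyRootFilesystem") is not True:
                findings.append((where, "writable root filesystem"))
            drops = (sc.get("capabilities") or {}).get("drop") or []
            if "ALL" not in [d.upper() for d in drops]:
                findings.append((where, "capabilities not fully dropped"))
            profile = inherited(pod_sc, sc, "seccompProfile") or {}
            if profile.get("type") not in ("RuntimeDefault", "Localhost"):
                findings.append((where, "seccomp not enforced"))
    return findings

if __name__ == "__main__":
    # Optional argument: a file saved from the kubectl command above.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for where, problem in audit(data):
        print(f"{where}: {problem}")
```

Components that legitimately need a writable root filesystem (the list above says "where possible") will show up as findings and can be reviewed individually.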

Upgrading

bash
helm upgrade weknora ./helm \
  --namespace weknora \
  --reuse-values

Uninstalling

bash
helm uninstall weknora --namespace weknora

# Optional: Remove PVCs
kubectl delete pvc -n weknora -l app.kubernetes.io/instance=weknora

Troubleshooting

Check Pod Status

bash
kubectl get pods -n weknora

View Logs

bash
# Backend logs
kubectl logs -n weknora -l app.kubernetes.io/component=app -f

# Frontend logs
kubectl logs -n weknora -l app.kubernetes.io/component=frontend -f

Common Issues

Pod stuck in Pending

  • Check if PVCs are bound: kubectl get pvc -n weknora
  • Verify storage class exists: kubectl get sc

Connection refused errors

  • Wait for all pods to be Ready
  • Check service endpoints: kubectl get endpoints -n weknora

Database connection errors

  • Verify secrets are correct
  • Check PostgreSQL logs: kubectl logs -n weknora -l app.kubernetes.io/component=database

Contributing

See CONTRIBUTING.md in the main repository.

License

This chart is licensed under the MIT License - see the LICENSE file for details.