From e9e6110f8071642d70dabf84454c14fc93f54d28 Mon Sep 17 00:00:00 2001 From: davidmirror-ops Date: Tue, 13 Jan 2026 20:24:10 -0800 Subject: [PATCH 1/5] Fix typos --- charts/controlplane/SELFHOSTED_INTRA_CLUSTER_AWS.md | 2 +- charts/dataplane/values.aws.selfhosted-intracluster.yaml | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/charts/controlplane/SELFHOSTED_INTRA_CLUSTER_AWS.md b/charts/controlplane/SELFHOSTED_INTRA_CLUSTER_AWS.md index a1f261ad..5b068b77 100644 --- a/charts/controlplane/SELFHOSTED_INTRA_CLUSTER_AWS.md +++ b/charts/controlplane/SELFHOSTED_INTRA_CLUSTER_AWS.md @@ -6,7 +6,7 @@ This guide covers deploying Union control plane in the **same Kubernetes cluster In an intra-cluster deployment, the control plane and dataplane communicate using Kubernetes internal networking rather than external endpoints. This architecture simplifies networking, reduces costs, and provides complete data sovereignty. -**Important**: This guide assumes you will also deploy the dataplane in the same cluster. See the [Dataplane Intra-Cluster Guide](../dataplane/SELFHOST_INTRA_CLUSTER_AWS.md) for dataplane-specific configuration. +**Important**: This guide assumes you will also deploy the dataplane in the same cluster. See the [Dataplane Intra-Cluster Guide](../dataplane/SELFHOSTED_INTRA_CLUSTER_AWS.md) for dataplane-specific configuration. ## Benefits of Intra-Cluster Deployment diff --git a/charts/dataplane/values.aws.selfhosted-intracluster.yaml b/charts/dataplane/values.aws.selfhosted-intracluster.yaml index d6a9d9b6..482d94fa 100644 --- a/charts/dataplane/values.aws.selfhosted-intracluster.yaml +++ b/charts/dataplane/values.aws.selfhosted-intracluster.yaml @@ -346,7 +346,6 @@ fluentbit: name: fluentbit-system # Annotations may be required for IRSA annotations: {} -<<<<<<< Updated upstream # ---------------------------------------------------------------------------- # SECTION 7: Task Level Monitoring 
From 4651fe940896164f77d196b70c26c12210598a05 Mon Sep 17 00:00:00 2001 From: davidmirror-ops Date: Tue, 13 Jan 2026 20:48:30 -0800 Subject: [PATCH 2/5] Add note on RDS --- charts/controlplane/SELFHOSTED_INTRA_CLUSTER_AWS.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/charts/controlplane/SELFHOSTED_INTRA_CLUSTER_AWS.md b/charts/controlplane/SELFHOSTED_INTRA_CLUSTER_AWS.md index 5b068b77..9d6b406e 100644 --- a/charts/controlplane/SELFHOSTED_INTRA_CLUSTER_AWS.md +++ b/charts/controlplane/SELFHOSTED_INTRA_CLUSTER_AWS.md @@ -43,8 +43,9 @@ Choose standard hosted deployment when: 2. **PostgreSQL database**: - Version: PostgreSQL 12+ - - Can be AWS RDS or self-hosted in the cluster - - Required for all control plane services + - Can be AWS RDS or self-hosted in the cluster (it's not deployed by the Helm chart) + - Required for all control plane services. + - Memory-optimized instances are recommended. 3. **ScyllaDB** (for queue service): - Can be deployed via the Helm chart (embedded) or externally managed From 464e54b0994a2fc2737cc4d8d49e653d115fa434 Mon Sep 17 00:00:00 2001 From: davidmirror-ops Date: Fri, 16 Jan 2026 12:20:28 -0800 Subject: [PATCH 3/5] Minor updates to deployment process --- charts/controlplane/SELFHOSTED_INTRA_CLUSTER_AWS.md | 7 ++++--- charts/controlplane/scripts/install-scylla-crds.sh | 3 +-- .../controlplane/values.aws.selfhosted-intracluster.yaml | 1 + 3 files changed, 6 insertions(+), 5 deletions(-) diff --git a/charts/controlplane/SELFHOSTED_INTRA_CLUSTER_AWS.md b/charts/controlplane/SELFHOSTED_INTRA_CLUSTER_AWS.md index 9d6b406e..b39241e0 100644 --- a/charts/controlplane/SELFHOSTED_INTRA_CLUSTER_AWS.md +++ b/charts/controlplane/SELFHOSTED_INTRA_CLUSTER_AWS.md 
@@ -59,6 +59,8 @@ Choose standard hosted deployment when: - Control plane services (with S3 access) - Artifacts service (with S3 access) +Check out the [deployment page](https://www.union.ai/docs/v1/selfmanaged/deployment/cluster-recommendations/#iam) for an example IAM policy. + ### Required Tools - `kubectl` configured to access your cluster @@ -77,8 +79,7 @@ Choose standard hosted deployment when: #### Install ScyllaDB CRDs (if using embedded ScyllaDB) ```bash -cd helm-charts/charts/controlplane -./scripts/install-scylla-crds.sh +curl -O https://raw.githubusercontent.com/unionai/helm-charts/refs/heads/main/charts/controlplane/scripts/install-scylla-crds.sh && bash install-scylla-crds.sh ``` #### Add Helm Repositories @@ -112,7 +113,7 @@ kubectl create secret tls controlplane-tls-cert \ **Option B: Using cert-manager (recommended for production)** -See the example in `values.aws.selfhosted-intracluster.yaml` under the `extraObjects` section. +See the example #3 in `values.aws.selfhosted-intracluster.yaml` under the `extraObjects` section. ### Step 3: Configure Values File diff --git a/charts/controlplane/scripts/install-scylla-crds.sh b/charts/controlplane/scripts/install-scylla-crds.sh index e75a645c..f0e12a00 100755 --- a/charts/controlplane/scripts/install-scylla-crds.sh +++ b/charts/controlplane/scripts/install-scylla-crds.sh @@ -78,6 +78,5 @@ kubectl apply --server-side -f "${CRD_DIR}/" echo "" echo "==> ✓ ScyllaDB Operator CRDs installed successfully!" echo "" -echo "You can now install the control plane chart with scylla.enabled=true:" -echo " helm install my-controlplane ./controlplane -f values-scylla-example.yaml" +echo "You can now proceed with the rest of the controlplane installation." echo "" diff --git a/charts/controlplane/values.aws.selfhosted-intracluster.yaml b/charts/controlplane/values.aws.selfhosted-intracluster.yaml index 938477e9..e3e41533 100644 --- a/charts/controlplane/values.aws.selfhosted-intracluster.yaml 
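Review bot: The replacement command in the "Install ScyllaDB CRDs" step of SELFHOSTED_INTRA_CLUSTER_AWS.md (hunk @@ -77,8 +79,7) downloads `install-scylla-crds.sh` from the mutable `refs/heads/main` ref and runs it in the same command line, so whatever is on `main` at that moment executes with the operator's kubectl credentials and the reader gets no chance to inspect or verify it. Pin the URL to a release tag or commit and fail on HTTP errors, e.g. `curl -fsSLO https://raw.githubusercontent.com/unionai/helm-charts/<RELEASE_TAG_OR_COMMIT>/charts/controlplane/scripts/install-scylla-crds.sh`, and tell the reader to review the file before running `bash install-scylla-crds.sh`. The script's `kubectl apply --server-side -f "${CRD_DIR}/"` is visible later in this patch, but how `CRD_DIR` is set is not; if it resolves relative to a chart checkout, the standalone download will need that handled as well.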
+++ b/charts/controlplane/values.aws.selfhosted-intracluster.yaml @@ -56,6 +56,7 @@ global: # Name of Kubernetes secret containing the DB password and other service specific secrets. # The secret can be created and set through databaseSecret.secretManifest and dbPass below. + # Check out example https://github.com/unionai/helm-charts/blob/main/charts/controlplane/values.yaml#L927 # Example: "union-controlplane-secrets" # Note: Secret must contain "pass.txt" key KUBERNETES_SECRET_NAME: "" From 25bc7c2934ab02dbd9e0cc95b6103948385e9c86 Mon Sep 17 00:00:00 2001 From: davidmirror-ops Date: Fri, 16 Jan 2026 13:54:07 -0800 Subject: [PATCH 4/5] Update prereqs --- .../SELFHOSTED_INTRA_CLUSTER_AWS.md | 23 +++++++++++-------- charts/controlplane/values.yaml | 5 ++-- 2 files changed, 17 insertions(+), 11 deletions(-) diff --git a/charts/controlplane/SELFHOSTED_INTRA_CLUSTER_AWS.md b/charts/controlplane/SELFHOSTED_INTRA_CLUSTER_AWS.md index b39241e0..882e8049 100644 --- a/charts/controlplane/SELFHOSTED_INTRA_CLUSTER_AWS.md +++ b/charts/controlplane/SELFHOSTED_INTRA_CLUSTER_AWS.md @@ -59,6 +59,10 @@ Choose standard hosted deployment when: - Control plane services (with S3 access) - Artifacts service (with S3 access) +6. **cert-manager** + - Used by the database to generate TLS certificate + - It can be added as Add-on to your cluster or installed by different methos, as covered in [cert-manager docs](https://cert-manager.io/docs/installation/) + Check out the [deployment page](https://www.union.ai/docs/v1/selfmanaged/deployment/cluster-recommendations/#iam) for an example IAM policy. ### Required Tools 
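Review bot: The comment added above `KUBERNETES_SECRET_NAME` in charts/controlplane/values.aws.selfhosted-intracluster.yaml links to `values.yaml#L927` on `main`, and a line anchor on a moving branch goes stale as soon as that file changes. Patch 4/5 of this same series adds a line to values.yaml in its @@ -921 hunk, so the anchor may already be one line off by the time the series lands. Refer to the setting by name instead, e.g. `# Must match the secret "name:" set under flyte: in charts/controlplane/values.yaml` (presumably the setting the link is aimed at), or use a permalink to a fixed commit.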
@@ -115,7 +119,16 @@ kubectl create secret tls controlplane-tls-cert \ See the example #3 in `values.aws.selfhosted-intracluster.yaml` under the `extraObjects` section. -### Step 3: Configure Values File +### Step 3: Create Database Password Secret + +```bash +# Create secret with database password +kubectl create secret generic union-controlplane-secrets \ + --from-literal=pass.txt='YOUR_DB_PASSWORD' \ + -n union-cp +``` + +### Step 4: Configure Values File Download and configure the intra-cluster values file: @@ -126,14 +139,6 @@ curl -O https://raw.githubusercontent.com/unionai/helm-charts/main/charts/contro Edit `values.aws.selfhosted-intracluster.yaml` by setting all `global` values and replace all empty `""` values. This file is self-contained and includes all necessary AWS and intra-cluster configuration. -### Step 4: Create Database Password Secret - -```bash -# Create secret with database password -kubectl create secret generic union-controlplane-secrets \ - --from-literal=pass.txt='YOUR_DB_PASSWORD' \ - -n union-cp -``` ### Step 5: Install Control Plane diff --git a/charts/controlplane/values.yaml b/charts/controlplane/values.yaml index daab7be7..6e554527 100644 --- a/charts/controlplane/values.yaml +++ b/charts/controlplane/values.yaml @@ -921,8 +921,9 @@ flyte: # flyte-org/flyte flyte-core helm chart _helpers.tpl does not render templates. # Therefore we have to explicitly set the value here. # Ref: https://github.com/flyteorg/flyte/pull/6711 - # TODO (DIRECTLY CONFIGURE): Match value to global.KUBERNETES_SECRET_NAME - name: "" + # IMPORTANT: Override this value directly in your values file (e.g., values.aws.yaml) + # Set to your actual secret name, NOT a template variable + name: "" # -- Leave it empty if your secret already exists secretManifest: {} From 8695c1a39ea3ff1bac8759666abfd452e8493478 Mon Sep 17 00:00:00 2001 
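Review bot: The rewritten comment above `name: ""` in charts/controlplane/values.yaml no longer says which secret the value has to name. The removed TODO tied it to `global.KUBERNETES_SECRET_NAME`, while the new text only says to set "your actual secret name". Keep that link in the comment, e.g. `# Must be the same secret name as global.KUBERNETES_SECRET_NAME (the secret holding the "pass.txt" key)`. The example file name `values.aws.yaml` could also be the file this series documents, `values.aws.selfhosted-intracluster.yaml`. The default stays empty and nothing visible in the hunk rejects an empty value, so the comment should also state what the chart does when the value is left unset.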
From: davidmirror-ops Date: Fri, 16 Jan 2026 14:11:37 -0800 Subject: [PATCH 5/5] Add expected tests --- .../controlplane.aws.billing-enable.yaml | 23 ++++++------------- tests/generated/controlplane.aws.yaml | 23 ++++++------------- 2 files changed, 14 insertions(+), 32 deletions(-) diff --git a/tests/generated/controlplane.aws.billing-enable.yaml b/tests/generated/controlplane.aws.billing-enable.yaml index 2d572879..da06c194 100644 --- a/tests/generated/controlplane.aws.billing-enable.yaml +++ b/tests/generated/controlplane.aws.billing-enable.yaml @@ -2214,8 +2214,7 @@ spec: capabilities: drop: ["ALL"] volumeMounts: - - mountPath: /etc/db - name: + - mountPath: /etc/flyte/config name: base-config-volume - command: @@ -2234,8 +2233,7 @@ spec: capabilities: drop: ["ALL"] volumeMounts: - - mountPath: /etc/db - name: + - mountPath: /etc/flyte/config name: base-config-volume - name: generate-secrets @@ -2305,8 +2303,7 @@ spec: capabilities: drop: ["ALL"] volumeMounts: - - mountPath: /etc/db - name: + - mountPath: /srv/flyte name: shared-data - mountPath: /etc/flyte/config @@ -2315,9 +2312,7 @@ spec: name: admin-secrets serviceAccountName: flyteadmin volumes: - - name: - secret: - secretName: + - emptyDir: {} name: shared-data - emptyDir: {} @@ -2582,8 +2577,7 @@ spec: imagePullPolicy: "IfNotPresent" name: run-migrations volumeMounts: - - mountPath: /etc/db - name: + - mountPath: /etc/cacheservice/config name: config-volume securityContext: @@ -2616,15 +2610,12 @@ spec: ephemeral-storage: 200Mi memory: 200Mi volumeMounts: - - mountPath: /etc/db - name: + - mountPath: /etc/cacheservice/config name: config-volume serviceAccountName: cacheservice volumes: - - name: - secret: - secretName: + - emptyDir: {} name: shared-data - configMap: diff --git a/tests/generated/controlplane.aws.yaml b/tests/generated/controlplane.aws.yaml index d1289eaa..7cd21b5e 100644 --- a/tests/generated/controlplane.aws.yaml +++ b/tests/generated/controlplane.aws.yaml 
@@ -2214,8 +2214,7 @@ spec: capabilities: drop: ["ALL"] volumeMounts: - - mountPath: /etc/db - name: + - mountPath: /etc/flyte/config name: base-config-volume - command: @@ -2234,8 +2233,7 @@ spec: capabilities: drop: ["ALL"] volumeMounts: - - mountPath: /etc/db - name: + - mountPath: /etc/flyte/config name: base-config-volume - name: generate-secrets @@ -2305,8 +2303,7 @@ spec: capabilities: drop: ["ALL"] volumeMounts: - - mountPath: /etc/db - name: + - mountPath: /srv/flyte name: shared-data - mountPath: /etc/flyte/config @@ -2315,9 +2312,7 @@ spec: name: admin-secrets serviceAccountName: flyteadmin volumes: - - name: - secret: - secretName: + - emptyDir: {} name: shared-data - emptyDir: {} @@ -2582,8 +2577,7 @@ spec: imagePullPolicy: "IfNotPresent" name: run-migrations volumeMounts: - - mountPath: /etc/db - name: + - mountPath: /etc/cacheservice/config name: config-volume securityContext: @@ -2616,15 +2610,12 @@ spec: ephemeral-storage: 200Mi memory: 200Mi volumeMounts: - - mountPath: /etc/db - name: + - mountPath: /etc/cacheservice/config name: config-volume serviceAccountName: cacheservice volumes: - - name: - secret: - secretName: + - emptyDir: {} name: shared-data - configMap: