BorisPolonsky · BorisPolonsky · Apr 19, 2024 · Jun 17, 2023 · Jun 17, 2023 · Jul 11, 2023
diff --git a/charts/dify/templates/_helpers.tpl b/charts/dify/templates/_helpers.tpl
@@ -47,6 +47,14 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{ template "dify.fullname" . }}-web
 {{- end -}}
 
+{{/*
+Create a default fully qualified web name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "dify.sandbox.fullname" -}}
+{{ template "dify.fullname" . }}-sandbox
+{{- end -}}
+
 {{/*
 Create a default fully qualified nginx name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).

diff --git a/charts/dify/templates/api-deployment.yaml b/charts/dify/templates/api-deployment.yaml
@@ -58,8 +58,10 @@ spec:
           {{- toYaml .Values.api.extraEnv | nindent 8 }}
         {{- end }}
         envFrom:
-          - configMapRef:
-              name: {{ template "dify.api.fullname" . }}
+        - configMapRef:
+            name: {{ template "dify.api.fullname" . }}
+        - secretRef:
+            name: {{ template "dify.api.fullname" . }}
         ports:
           - name: api
             containerPort: 5001

diff --git a/charts/dify/templates/api-secret.yaml b/charts/dify/templates/api-secret.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "dify.api.fullname" . }}
+type: Opaque
+data:
+  {{- include "dify.api.credentials" . | nindent 2 }}
diff --git a/charts/dify/templates/config.tpl b/charts/dify/templates/config.tpl
@@ -4,7 +4,7 @@ MODE: api
 # The log level for the application. Supported values are `DEBUG`, `INFO`, `WARNING`, `ERROR`, `CRITICAL`
 LOG_LEVEL: {{ .Values.api.logLevel }}
 # A secret key that is used for securely signing the session cookie and encrypting sensitive information on the database. You can generate a strong key using `openssl rand -base64 42`.
-SECRET_KEY: {{ .Values.api.secretKey }}
+# SECRET_KEY: {{ .Values.api.secretKey }}
 # The base URL of console application web frontend, refers to the Console base URL of WEB service if console domain is
 # different from api or web app domain.
 # example: http://cloud.dify.ai
@@ -63,6 +63,7 @@ SENTRY_DSN: ''
 SENTRY_TRACES_SAMPLE_RATE: "1.0"
 # The sample rate for Sentry profiles. Default: `1.0`
 SENTRY_PROFILES_SAMPLE_RATE: "1.0"
+{{ include "dify.sandbox.config" . }}
 {{- end }}
 
 {{- define "dify.worker.config" -}}
@@ -81,7 +82,7 @@ CONSOLE_WEB_URL: {{ .Values.api.url.consoleWeb | quote }}
 LOG_LEVEL: {{ .Values.worker.logLevel | quote }}
 # A secret key that is used for securely signing the session cookie and encrypting sensitive information on the database. You can generate a strong key using `openssl rand -base64 42`.
 # same as the API service
-SECRET_KEY: {{ .Values.api.secretKey }}
+# SECRET_KEY: {{ .Values.api.secretKey }}
 # The configurations of postgres database connection.
 # It is consistent with the configuration in the 'db' service below.
 {{ include "dify.db.config" . }}
@@ -111,19 +112,19 @@ APP_API_URL: {{ .Values.api.url.appApi | quote }}
 
 {{- define "dify.db.config" -}}
 {{- if .Values.externalPostgres.enabled }}
-DB_USERNAME: {{ .Values.externalPostgres.username }}
-DB_PASSWORD: {{ .Values.externalPostgres.password }}
+# DB_USERNAME: {{ .Values.externalPostgres.username }}
+# DB_PASSWORD: {{ .Values.externalPostgres.password }}
 DB_HOST: {{ .Values.externalPostgres.address }}
 DB_PORT: {{ .Values.externalPostgres.port | toString | quote }}
 DB_DATABASE: {{ .Values.externalPostgres.dbName }}
 {{- else if .Values.postgresql.enabled }}
   {{ with .Values.postgresql.global.postgresql.auth }}
   {{- if empty .username }}
-DB_USERNAME: postgres
-DB_PASSWORD: {{ .postgresPassword }}
+# DB_USERNAME: postgres
+# DB_PASSWORD: {{ .postgresPassword }}
   {{- else }}
-DB_USERNAME: {{ .username }}
-DB_PASSWORD: {{ .password }}
+# DB_USERNAME: {{ .username }}
+# DB_PASSWORD: {{ .password }}
   {{- end }}
   {{- end }}
   {{- if eq .Values.postgresql.architecture "replication" }}
@@ -143,15 +144,15 @@ STORAGE_TYPE: s3
 # The S3 storage configurations, only available when STORAGE_TYPE is `s3`.
 S3_ENDPOINT: {{ .Values.externalS3.endpoint }}
 S3_BUCKET_NAME: {{ .Values.externalS3.bucketName }}
-S3_ACCESS_KEY: {{ .Values.externalS3.accessKey }}
-S3_SECRET_KEY: {{ .Values.externalS3.secretKey }}
+# S3_ACCESS_KEY: {{ .Values.externalS3.accessKey }}
+# S3_SECRET_KEY: {{ .Values.externalS3.secretKey }}
 S3_REGION: 'us-east-1'
 {{- else if .Values.externalAzureBlobStorage.enabled }}
 STORAGE_TYPE: azure-blob
 # The type of storage to use for storing user files. Supported values are `local` and `s3` and `azure-blob`, Default: `local`
 # The Azure Blob storage configurations, only available when STORAGE_TYPE is `azure-blob`.
 AZURE_BLOB_ACCOUNT_NAME: {{ .Values.externalAzureBlobStorage.account | quote }}
-AZURE_BLOB_ACCOUNT_KEY: {{ .Values.externalAzureBlobStorage.key | quote }}
+# AZURE_BLOB_ACCOUNT_KEY: {{ .Values.externalAzureBlobStorage.key | quote }}
 AZURE_BLOB_CONTAINER_NAME: {{ .Values.externalAzureBlobStorage.container | quote }}
 AZURE_BLOB_ACCOUNT_URL: {{ .Values.externalAzureBlobStorage.url | quote }}
 {{- else }}
@@ -168,8 +169,8 @@ STORAGE_LOCAL_PATH: {{ .Values.api.persistence.mountPath }}
   {{- with .Values.externalRedis }}
 REDIS_HOST: {{ .host | quote }}
 REDIS_PORT: {{ .port | toString | quote }}
-REDIS_USERNAME: {{ .username | quote }}
-REDIS_PASSWORD: {{ .password | quote }}
+# REDIS_USERNAME: {{ .username | quote }}
+# REDIS_PASSWORD: {{ .password | quote }}
 REDIS_USE_SSL: {{ .useSSL | toString | quote }}
 # use redis db 0 for redis cache
 REDIS_DB: "0"
@@ -179,8 +180,8 @@ REDIS_DB: "0"
   {{- with .Values.redis }}
 REDIS_HOST: {{ $redisHost }}
 REDIS_PORT: {{ .master.service.ports.redis | toString | quote }}
-REDIS_USERNAME: ""
-REDIS_PASSWORD: {{ .auth.password | quote }}
+# REDIS_USERNAME: ""
+# REDIS_PASSWORD: {{ .auth.password | quote }}
 REDIS_USE_SSL: {{ .tls.enabled | toString | quote }}
 # use redis db 0 for redis cache
 REDIS_DB: "0"
@@ -192,12 +193,12 @@ REDIS_DB: "0"
 # Use redis as the broker, and redis db 1 for celery broker.
 {{- if .Values.externalRedis.enabled }}
   {{- with .Values.externalRedis }}
-CELERY_BROKER_URL: {{ printf "redis://%s:%s@%s:%v/1" .username .password .host .port }}
+# CELERY_BROKER_URL: {{ printf "redis://%s:%s@%s:%v/1" .username .password .host .port }}
   {{- end }}
 {{- else if .Values.redis.enabled }}
 {{- $redisHost := printf "%s-redis-master" .Release.Name -}}
   {{- with .Values.redis }}
-CELERY_BROKER_URL: {{ printf "redis://:%s@%s:%v/1" .auth.password $redisHost .master.service.ports.redis }}
+# CELERY_BROKER_URL: {{ printf "redis://:%s@%s:%v/1" .auth.password $redisHost .master.service.ports.redis }}
   {{- end }}
 {{- end }}
 {{- end }}
@@ -209,13 +210,13 @@ VECTOR_STORE: weaviate
 # The Weaviate endpoint URL. Only available when VECTOR_STORE is `weaviate`.
 WEAVIATE_ENDPOINT: {{ .Values.externalWeaviate.endpoint | quote }}
 # The Weaviate API key.
-WEAVIATE_API_KEY: {{ .Values.externalWeaviate.apiKey }}
+# WEAVIATE_API_KEY: {{ .Values.externalWeaviate.apiKey }}
 {{- else if .Values.externalQdrant.enabled }}
 VECTOR_STORE: qdrant
 # The Qdrant endpoint URL. Only available when VECTOR_STORE is `qdrant`.
 QDRANT_URL: {{ .Values.externalQdrant.endpoint }}
 # The Qdrant API key.
-QDRANT_API_KEY: {{ .Values.externalQdrant.apiKey }}
+# QDRANT_API_KEY: {{ .Values.externalQdrant.apiKey }}
 # The Qdrant clinet timeout setting.
 QDRANT_CLIENT_TIMEOUT: "20"
 # The DSN for Sentry error reporting. If not set, Sentry error reporting will be disabled.
@@ -227,9 +228,9 @@ MILVUS_HOST: {{ .Values.externalMilvus.host | quote }}
 # The milvus host.
 MILVUS_PORT: {{ .Values.externalMilvus.port | toString | quote }}
 # The milvus username.
-MILVUS_USER: {{ .Values.externalMilvus.user | quote }}
+# MILVUS_USER: {{ .Values.externalMilvus.user | quote }}
 # The milvus password.
-MILVUS_PASSWORD: {{ .Values.externalMilvus.password | quote }}
+# MILVUS_PASSWORD: {{ .Values.externalMilvus.password | quote }}
 # The milvus tls switch.
 MILVUS_SECURE: {{ .Values.externalMilvus.useTLS | toString | quote }}
 {{- else if .Values.weaviate.enabled }}
@@ -247,7 +248,7 @@ WEAVIATE_ENDPOINT: {{ printf "http://%s" .name | quote }}
   {{- end }}
 # The Weaviate API key.
   {{- if .Values.weaviate.authentication.apikey }}
-WEAVIATE_API_KEY: {{ first .Values.weaviate.authentication.apikey.allowed_keys }}
+# WEAVIATE_API_KEY: {{ first .Values.weaviate.authentication.apikey.allowed_keys }}
   {{- end }}
 {{- end }}
 {{- end }}
@@ -257,20 +258,24 @@ WEAVIATE_API_KEY: {{ first .Values.weaviate.authentication.apikey.allowed_keys }
 # Mail configuration for resend
 MAIL_TYPE: {{ .Values.api.mail.type | quote }}
 MAIL_DEFAULT_SEND_FROM: {{ .Values.api.mail.defaultSender | quote }}
-RESEND_API_KEY: {{ .Values.api.mail.resend.apiKey | quote }}
+# RESEND_API_KEY: {{ .Values.api.mail.resend.apiKey | quote }}
 RESEND_API_URL: {{ .Values.api.mail.resend.apiUrl | quote }}
 {{- else if eq .Values.api.mail.type "smtp" }}
 # Mail configuration for SMTP
 MAIL_TYPE: {{ .Values.api.mail.type | quote }}
 MAIL_DEFAULT_SEND_FROM: {{ .Values.api.mail.defaultSender | quote }}
 SMTP_SERVER: {{ .Values.api.mail.smtp.server | quote }}
 SMTP_PORT: {{ .Values.api.mail.smtp.port | quote }}
-SMTP_USERNAME: {{ .Values.api.mail.smtp.username | quote }}
-SMTP_PASSWORD: {{ .Values.api.mail.smtp.password | quote }}
+# SMTP_USERNAME: {{ .Values.api.mail.smtp.username | quote }}
+# SMTP_PASSWORD: {{ .Values.api.mail.smtp.password | quote }}
 SMTP_USE_TLS: {{ .Values.api.mail.smtp.useTLS | toString | quote }}
 {{- end }}
 {{- end }}
 
+{{- define "dify.sandbox.config" -}}
+CODE_EXECUTION_ENDPOINT: http://{{ template "dify.sandbox.fullname" .}}:{{ .Values.sandbox.service.port }}
+{{- end }}
+
 {{- define "dify.nginx.config.proxy" }}
 proxy_set_header Host $host;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

diff --git a/charts/dify/templates/credentials.tpl b/charts/dify/templates/credentials.tpl
@@ -0,0 +1,131 @@
+{{- define "dify.api.credentials" -}}
+# A secret key that is used for securely signing the session cookie and encrypting sensitive information on the database. You can generate a strong key using `openssl rand -base64 42`.
+SECRET_KEY: {{ .Values.api.secretKey | b64enc | quote }}
+{{- include "dify.db.credentials" . }}
+# The configurations of redis connection.
+# It is consistent with the configuration in the 'redis' service below.
+{{- include "dify.redis.credentials" . }}
+# The configurations of celery broker.
+{{- include "dify.celery.credentials" . }}
+{{ include "dify.storage.credentials" . }}
+{{ include "dify.vectordb.credentials" . }}
+{{ include "dify.mail.credentials" . }}
+{{- end }}
+
+{{- define "dify.worker.credentials" -}}
+SECRET_KEY: {{ .Values.api.secretKey | b64enc | quote }}
+# The configurations of postgres database connection.
+# It is consistent with the configuration in the 'db' service below.
+{{ include "dify.db.credentials" . }}
+
+# The configurations of redis cache connection.
+{{ include "dify.redis.credentials" . }}
+# The configurations of celery broker.
+{{ include "dify.celery.credentials" . }}
+
+{{ include "dify.storage.credentials" . }}
+# The Vector store configurations.
+{{ include "dify.vectordb.credentials" . }}
+{{ include "dify.mail.credentials" . }}
+{{- end }}
+
+{{- define "dify.web.credentials" -}}
+{{- end }}
+
+{{- define "dify.db.credentials" -}}
+{{- if .Values.externalPostgres.enabled }}
+DB_USERNAME: {{ .Values.externalPostgres.username | b64enc | quote }}
+DB_PASSWORD: {{ .Values.externalPostgres.password | b64enc | quote }}
+{{- else if .Values.postgresql.enabled }}
+  {{ with .Values.postgresql.global.postgresql.auth}}
+  {{- if empty .username }}
+DB_USERNAME: {{ print "postgres" | b64enc | quote }}
+DB_PASSWORD: {{ .postgresPassword | b64enc | quote }}
+  {{- else }}
+DB_USERNAME: {{ .username | b64enc | quote }}
+DB_PASSWORD: {{ .password | b64enc | quote }}
+  {{- end }}
+  {{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "dify.storage.credentials" -}}
+{{- if .Values.externalS3.enabled}}
+S3_ACCESS_KEY: {{ .Values.externalS3.accessKey | b64enc | quote }}
+S3_SECRET_KEY: {{ .Values.externalS3.secretKey | b64enc | quote }}
+{{- else if .Values.externalAzureBlobStorage.enabled }}
+# The Azure Blob storage configurations, only available when STORAGE_TYPE is `azure-blob`.
+AZURE_BLOB_ACCOUNT_KEY: {{ .Values.externalAzureBlobStorage.key | b64enc | quote }}
+{{- else }}
+{{- end }}
+{{- end }}
+
+{{- define "dify.redis.credentials" -}}
+{{- if .Values.externalRedis.enabled }}
+  {{- with .Values.externalRedis }}
+REDIS_USERNAME: {{ .username | b64enc | quote }}
+REDIS_PASSWORD: {{ .password | b64enc | quote }}
+  {{- end }}
+{{- else if .Values.redis.enabled }}
+{{- $redisHost := printf "%s-redis-master" .Release.Name -}}
+  {{- with .Values.redis }}
+REDIS_USERNAME: {{ print "" | b64enc | quote }}
+REDIS_PASSWORD: {{ .auth.password | b64enc | quote }}
+  {{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "dify.celery.credentials" -}}
+# Use redis as the broker, and redis db 1 for celery broker.
+{{- if .Values.externalRedis.enabled }}
+  {{- with .Values.externalRedis }}
+CELERY_BROKER_URL: {{ printf "redis://%s:%s@%s:%v/1" .username .password .host .port | b64enc | quote }}
+  {{- end }}
+{{- else if .Values.redis.enabled }}
+{{- $redisHost := printf "%s-redis-master" .Release.Name -}}
+  {{- with .Values.redis }}
+CELERY_BROKER_URL: {{ printf "redis://:%s@%s:%v/1" .auth.password $redisHost .master.service.ports.redis | b64enc | quote }}
+  {{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "dify.vectordb.credentials" -}}
+{{- if .Values.externalWeaviate.enabled }}
+WEAVIATE_API_KEY: {{ .Values.externalWeaviate.apiKey | b64enc | quote }}
+{{- else if .Values.externalQdrant.enabled }}
+QDRANT_API_KEY: {{ .Values.externalQdrant.apiKey | b64enc | quote }}
+{{- else if .Values.externalMilvus.enabled}}
+MILVUS_USER: {{ .Values.externalMilvus.user | b64enc | quote }}
+# The milvus password.
+MILVUS_PASSWORD: {{ .Values.externalMilvus.password | b64enc | quote }}
+{{- else if .Values.weaviate.enabled }}
+# The Weaviate API key.
+  {{- if .Values.weaviate.authentication.apikey }}
+WEAVIATE_API_KEY: {{ first .Values.weaviate.authentication.apikey.allowed_keys | b64enc | quote }}
+  {{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "dify.mail.credentials" -}}
+{{- if eq .Values.api.mail.type "resend" }}
+RESEND_API_KEY: {{ .Values.api.mail.resend.apiKey | b64enc | quote }}
+{{- else if eq .Values.api.mail.type "smtp" }}
+# Mail configuration for SMTP
+SMTP_USERNAME: {{ .Values.api.mail.smtp.username | b64enc | quote }}
+SMTP_PASSWORD: {{ .Values.api.mail.smtp.password | b64enc | quote }}
+{{- end }}
+{{- end }}
+
+{{- define "dify.sandbox.credentials" -}}
+CODE_EXECUTION_API_KEY: {{ .Values.sandbox.auth.apiKey | b64enc | quote }}
+{{- end }}
+
+{{- define "dify.sandbox.secretPasswordKey" -}}
+{{- if and .Values.sandbox.enabled .Values.sandbox.auth.existingSecret }}
+    {{- .Values.sandbox.auth.existingSecretAuthKey | printf "%s" }}
+{{- else if and (not .Values.sandbox.enabled) .Values.externalSandbox.existingSecret }}
+    {{- .Values.externalSandbox.existingSecretAuthKey | printf "%s" }}
+{{- else -}}
+    {{- printf "CODE_EXECUTION_API_KEY" }}
+{{- end -}}
+{{- end -}}