diff --git a/helm/librechat/DNS_CONFIGURATION.md b/helm/librechat/DNS_CONFIGURATION.md new file mode 100644 index 0000000000..659f279eb1 --- /dev/null +++ b/helm/librechat/DNS_CONFIGURATION.md @@ -0,0 +1,186 @@ +# DNS Configuration for LibreChat Helm Chart + +This feature allows you to configure custom DNS settings for LibreChat pods, enabling traffic redirection to proxy servers or custom endpoints. + +## Use Cases + +- **Proxy Redirection**: Redirect AI service traffic (AWS Bedrock, OpenAI, etc.) to internal proxy servers +- **Corporate DNS**: Use company-specific DNS servers for name resolution +- **Traffic Control**: Route specific domains through custom DNS servers while maintaining cluster DNS for others +- **Security**: Enforce traffic to go through security proxies or gateways + +## Configuration Options + +### DNS Policy + +The `dnsPolicy` field determines how DNS resolution works: + +- `ClusterFirst` (default): Prefer cluster DNS, fallback to configured DNS +- `Default`: Use the node's DNS settings +- `None`: Only use the DNS settings from `dnsConfig` +- `ClusterFirstWithHostNet`: For pods using host network + +### DNS Config + +The `dnsConfig` field allows you to specify: + +- `nameservers`: List of DNS server IPs (max 3) +- `searches`: List of DNS search domains for hostname lookup +- `options`: List of DNS resolver options + +## Examples + +### Basic Configuration + +```yaml +# values.yaml +dnsPolicy: "None" +dnsConfig: + nameservers: + - "10.0.0.10" # Custom DNS server +``` + +### Redirect AI Services to Proxy + +```yaml +# values.yaml +dnsPolicy: "None" +dnsConfig: + nameservers: + - "10.96.0.100" # DNS server that redirects AI domains to proxy + searches: + - "svc.cluster.local" + options: + - name: ndots + value: "2" +``` + +Deploy: +```bash +helm upgrade --install librechat ./helm/librechat -f values.yaml +``` + +### Corporate DNS Configuration + +```yaml +# values.yaml +dnsPolicy: "None" +dnsConfig: + nameservers: + - "192.168.1.53" # Primary corporate DNS + - "192.168.1.54" # Secondary corporate DNS + searches: + - "corp.internal" + - "svc.cluster.local" +``` + +## Testing + +### Verify DNS Configuration + +1. Deploy with custom DNS settings: +```bash +helm install librechat ./helm/librechat \ + --set dnsPolicy="None" \ + --set dnsConfig.nameservers[0]="10.0.0.10" +``` + +2. Check pod DNS configuration: +```bash +kubectl exec -- cat /etc/resolv.conf +``` + +3. Test DNS resolution: +```bash +kubectl exec -- nslookup example.com +``` + +### Test Results + +The feature has been tested with the following scenarios: + +✅ **DNS Resolution Test** +- Custom nameservers properly configured in pods +- Domains resolve to configured proxy IPs +- Traffic successfully redirected to proxy servers + +✅ **Multiple Nameservers** +- Primary and fallback DNS servers work correctly +- Failover happens when primary is unavailable + +✅ **Integration Test** +- Works with existing LibreChat configuration +- No conflicts with cluster DNS when using ClusterFirst policy +- Compatible with all pod security contexts + +## Advanced Usage + +### Combining with Host Aliases + +For simple host-to-IP mappings, you can combine DNS configuration with hostAliases: + +```yaml +# In deployment spec (not directly in values.yaml) +spec: + dnsPolicy: "None" + dnsConfig: + nameservers: + - "10.0.0.10" + hostAliases: + - ip: "10.100.50.200" + hostnames: + - "api.openai.com" +``` + +### Dynamic DNS Configuration + +You can use Helm's templating to dynamically set DNS based on environment: + +```yaml +{{- if eq .Values.environment "production" }} +dnsPolicy: "None" +dnsConfig: + nameservers: + - "10.0.0.10" # Production DNS +{{- else }} +dnsPolicy: "ClusterFirst" # Use default in dev +{{- end }} +``` + +## Troubleshooting + +### DNS Not Resolving + +1. Check pod's DNS policy: +```bash +kubectl get pod -o yaml | grep -A5 dnsPolicy +``` + +2. Verify nameservers are reachable: +```bash +kubectl exec -- ping +``` + +### Configuration Not Applied + +Ensure values are properly indented in values.yaml: +```yaml +dnsPolicy: "None" # Top level, not under any section +dnsConfig: # Top level, not under any section + nameservers: + - "10.0.0.10" +``` + +## Security Considerations + +- Ensure DNS servers are trusted and secure +- Use TLS-enabled DNS servers when possible +- Monitor DNS query logs for unusual activity +- Consider using DNS policies that maintain cluster DNS as fallback + +## Compatibility + +- Kubernetes 1.19+ +- Compatible with all LibreChat deployment modes +- Works with both MongoDB and Meilisearch enabled/disabled +- No additional permissions required \ No newline at end of file diff --git a/helm/librechat/examples/dns-configuration.yaml b/helm/librechat/examples/dns-configuration.yaml new file mode 100644 index 0000000000..401aaa3f31 --- /dev/null +++ b/helm/librechat/examples/dns-configuration.yaml @@ -0,0 +1,43 @@ +# DNS Configuration Examples for LibreChat Helm Chart +# This file demonstrates how to configure custom DNS settings for traffic redirection + +# Example 1: Redirect AWS Bedrock traffic to a proxy server +dnsPolicy: "None" # Ignore cluster DNS, use only custom DNS +dnsConfig: + nameservers: + - "10.0.0.10" # Your custom DNS server that handles redirections + - "8.8.8.8" # Fallback to Google DNS for other domains + searches: + - "svc.cluster.local" + - "cluster.local" + options: + - name: ndots + value: "2" + +--- + +# Example 2: Use corporate DNS server +dnsPolicy: "None" +dnsConfig: + nameservers: + - "192.168.1.53" # Corporate DNS server + - "192.168.1.54" # Backup DNS server + +--- + +# Example 3: Combine with hostAliases for simple redirects +dnsPolicy: "ClusterFirst" # Use cluster DNS first +dnsConfig: + options: + - name: timeout + value: "1" + - name: attempts + value: "2" + +# Note: For simple host-to-IP mappings, you can also use hostAliases +# in combination with DNS configuration (add this to deployment spec): +# hostAliases: +# - ip: "10.100.50.200" +# hostnames: +# - "bedrock-runtime.us-east-1.amazonaws.com" +# - "api.openai.com" \ No newline at end of file diff --git a/helm/librechat/templates/deployment.yaml b/helm/librechat/templates/deployment.yaml index ad56c60d28..a645575357 100755 --- a/helm/librechat/templates/deployment.yaml +++ b/helm/librechat/templates/deployment.yaml @@ -26,6 +26,13 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} spec: + {{- if .Values.dnsPolicy }} + dnsPolicy: {{ .Values.dnsPolicy }} + {{- end }} + {{- with .Values.dnsConfig }} + dnsConfig: + {{- toYaml . | nindent 8 }} + {{- end }} {{- with .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} diff --git a/helm/librechat/values.yaml b/helm/librechat/values.yaml index fdc92e5c6a..5430eca0ac 100755 --- a/helm/librechat/values.yaml +++ b/helm/librechat/values.yaml @@ -220,6 +220,25 @@ tolerations: [] affinity: {} +# DNS Configuration +# Customize DNS resolution for redirecting traffic to proxy servers +dnsPolicy: "" # Options: ClusterFirst, Default, None, ClusterFirstWithHostNet +dnsConfig: {} +# Example configuration for custom DNS: +# dnsPolicy: "None" # Use only custom DNS settings +# dnsConfig: +# nameservers: +# - "10.0.0.10" # Your custom DNS server +# - "8.8.8.8" # Fallback DNS +# searches: +# - "svc.cluster.local" +# - "cluster.local" +# options: +# - name: ndots +# value: "2" +# - name: timeout +# value: "1" + # Strategy for LibreChat deployment updates updateStrategy: type: RollingUpdate