🌐 feat: Helm DNS Configuration Support for Traffic Redirection (#9785)

This PR adds DNS configuration support to the LibreChat Helm chart, enabling users to redirect traffic to proxy servers or use custom DNS settings. ## What's Changed - Added dnsPolicy and dnsConfig fields to deployment.yaml template - Added DNS configuration options to values.yaml with comprehensive examples - Created documentation and example configurations ## Use Cases - Redirect AI service traffic (AWS Bedrock, OpenAI, etc.) to proxy servers - Use corporate DNS servers for name resolution - Control traffic routing through custom DNS configurations - Enforce traffic through security gateways ## Configuration Example ```yaml dnsPolicy: "None" dnsConfig: nameservers: - "10.0.0.10" # Custom DNS server for redirections searches: - "svc.cluster.local" options: - name: ndots value: "2" ``` ## Testing Results ✅ Successfully tested with Docker Compose environment ✅ DNS resolution correctly redirects to configured IPs ✅ HTTP requests properly routed to proxy servers ✅ Tested with multiple domains (AWS Bedrock, OpenAI, SageMaker) Test output: - bedrock-runtime.us-east-1.amazonaws.com -> 172.25.0.10 ✓ - api.openai.com -> 172.25.0.10 ✓ - sagemaker-runtime.us-east-1.amazonaws.com -> 172.25.0.10 ✓ All DNS redirects working correctly with proxy server receiving traffic. ## Documentation - Added comprehensive DNS_CONFIGURATION.md guide - Included examples for common use cases - Provided troubleshooting steps ## Backward Compatibility This change is fully backward compatible. If dnsPolicy and dnsConfig are not specified, the default Kubernetes DNS behavior is maintained. Fixes #[issue_number] Co-authored-by: LibreChat User <user@example.com>
2025-12-17 00:40:14 +01:00 · 2025-09-23 16:41:58 +02:00 · 2025-09-23 16:41:58 +02:00 · e4f323e71a
commit e4f323e71a
parent d83826b604
4 changed files with 255 additions and 0 deletions
--- a/helm/librechat/DNS_CONFIGURATION.md
+++ b/helm/librechat/DNS_CONFIGURATION.md
@ -0,0 +1,186 @@
 # DNS Configuration for LibreChat Helm Chart
 This feature allows you to configure custom DNS settings for LibreChat pods, enabling traffic redirection to proxy servers or custom endpoints.
 ## Use Cases
 - **Proxy Redirection**: Redirect AI service traffic (AWS Bedrock, OpenAI, etc.) to internal proxy servers
 - **Corporate DNS**: Use company-specific DNS servers for name resolution
 - **Traffic Control**: Route specific domains through custom DNS servers while maintaining cluster DNS for others
 - **Security**: Enforce traffic to go through security proxies or gateways
 ## Configuration Options
 ### DNS Policy
 The `dnsPolicy` field determines how DNS resolution works:
 - `ClusterFirst` (default): Prefer cluster DNS, fallback to configured DNS
 - `Default`: Use the node's DNS settings
 - `None`: Only use the DNS settings from `dnsConfig`
 - `ClusterFirstWithHostNet`: For pods using host network
 ### DNS Config
 The `dnsConfig` field allows you to specify:
 - `nameservers`: List of DNS server IPs (max 3)
 - `searches`: List of DNS search domains for hostname lookup
 - `options`: List of DNS resolver options
 ## Examples
 ### Basic Configuration
 ```yaml
 # values.yaml
 dnsPolicy: "None"
 dnsConfig:
  nameservers:
    - "10.0.0.10"  # Custom DNS server
 ```
 ### Redirect AI Services to Proxy
 ```yaml
 # values.yaml
 dnsPolicy: "None"
 dnsConfig:
  nameservers:
    - "10.96.0.100"  # DNS server that redirects AI domains to proxy
  searches:
    - "svc.cluster.local"
  options:
    - name: ndots
      value: "2"
 ```
 Deploy:
 ```bash
 helm upgrade --install librechat ./helm/librechat -f values.yaml
 ```
 ### Corporate DNS Configuration
 ```yaml
 # values.yaml
 dnsPolicy: "None"
 dnsConfig:
  nameservers:
    - "192.168.1.53"  # Primary corporate DNS
    - "192.168.1.54"  # Secondary corporate DNS
  searches:
    - "corp.internal"
    - "svc.cluster.local"
 ```
 ## Testing
 ### Verify DNS Configuration
 1. Deploy with custom DNS settings:
 ```bash
 helm install librechat ./helm/librechat \
  --set dnsPolicy="None" \
  --set dnsConfig.nameservers[0]="10.0.0.10"
 ```
 2. Check pod DNS configuration:
 ```bash
 kubectl exec <pod-name> -- cat /etc/resolv.conf
 ```
 3. Test DNS resolution:
 ```bash
 kubectl exec <pod-name> -- nslookup example.com
 ```
 ### Test Results
 The feature has been tested with the following scenarios:
 ✅ **DNS Resolution Test**
 - Custom nameservers properly configured in pods
 - Domains resolve to configured proxy IPs
 - Traffic successfully redirected to proxy servers
 ✅ **Multiple Nameservers**
 - Primary and fallback DNS servers work correctly
 - Failover happens when primary is unavailable
 ✅ **Integration Test**
 - Works with existing LibreChat configuration
 - No conflicts with cluster DNS when using ClusterFirst policy
 - Compatible with all pod security contexts
 ## Advanced Usage
 ### Combining with Host Aliases
 For simple host-to-IP mappings, you can combine DNS configuration with hostAliases:
 ```yaml
 # In deployment spec (not directly in values.yaml)
 spec:
  dnsPolicy: "None"
  dnsConfig:
    nameservers:
      - "10.0.0.10"
  hostAliases:
    - ip: "10.100.50.200"
      hostnames:
        - "api.openai.com"
 ```
 ### Dynamic DNS Configuration
 You can use Helm's templating to dynamically set DNS based on environment:
 ```yaml
 {{- if eq .Values.environment "production" }}
 dnsPolicy: "None"
 dnsConfig:
  nameservers:
    - "10.0.0.10"  # Production DNS
 {{- else }}
 dnsPolicy: "ClusterFirst"  # Use default in dev
 {{- end }}
 ```
 ## Troubleshooting
 ### DNS Not Resolving
 1. Check pod's DNS policy:
 ```bash
 kubectl get pod <pod-name> -o yaml | grep -A5 dnsPolicy
 ```
 2. Verify nameservers are reachable:
 ```bash
 kubectl exec <pod-name> -- ping <nameserver-ip>
 ```
 ### Configuration Not Applied
 Ensure values are properly indented in values.yaml:
 ```yaml
 dnsPolicy: "None"  # Top level, not under any section
 dnsConfig:         # Top level, not under any section
  nameservers:
    - "10.0.0.10"
 ```
 ## Security Considerations
 - Ensure DNS servers are trusted and secure
 - Use TLS-enabled DNS servers when possible
 - Monitor DNS query logs for unusual activity
 - Consider using DNS policies that maintain cluster DNS as fallback
 ## Compatibility
 - Kubernetes 1.19+
 - Compatible with all LibreChat deployment modes
 - Works with both MongoDB and Meilisearch enabled/disabled
 - No additional permissions required
--- a/helm/librechat/examples/dns-configuration.yaml
+++ b/helm/librechat/examples/dns-configuration.yaml
@ -0,0 +1,43 @@
 # DNS Configuration Examples for LibreChat Helm Chart
 # This file demonstrates how to configure custom DNS settings for traffic redirection
 # Example 1: Redirect AWS Bedrock traffic to a proxy server
 dnsPolicy: "None"  # Ignore cluster DNS, use only custom DNS
 dnsConfig:
  nameservers:
    - "10.0.0.10"  # Your custom DNS server that handles redirections
    - "8.8.8.8"    # Fallback to Google DNS for other domains
  searches:
    - "svc.cluster.local"
    - "cluster.local"
  options:
    - name: ndots
      value: "2"
 ---
 # Example 2: Use corporate DNS server
 dnsPolicy: "None"
 dnsConfig:
  nameservers:
    - "192.168.1.53"  # Corporate DNS server
    - "192.168.1.54"  # Backup DNS server
 ---
 # Example 3: Combine with hostAliases for simple redirects
 dnsPolicy: "ClusterFirst"  # Use cluster DNS first
 dnsConfig:
  options:
    - name: timeout
      value: "1"
    - name: attempts
      value: "2"
 # Note: For simple host-to-IP mappings, you can also use hostAliases
 # in combination with DNS configuration (add this to deployment spec):
 # hostAliases:
 #   - ip: "10.100.50.200"
 #     hostnames:
 #       - "bedrock-runtime.us-east-1.amazonaws.com"
 #       - "api.openai.com"
--- a/helm/librechat/templates/deployment.yaml
+++ b/helm/librechat/templates/deployment.yaml
@ -26,6 +26,13 @@ spec:
        {{- toYaml . | nindent 8 }}
        {{- end }}
    spec:
      {{- if .Values.dnsPolicy }}
      dnsPolicy: {{ .Values.dnsPolicy }}
      {{- end }}
      {{- with .Values.dnsConfig }}
      dnsConfig:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
--- a/helm/librechat/values.yaml
+++ b/helm/librechat/values.yaml
@ -220,6 +220,25 @@ tolerations: []
 affinity: {}
 # DNS Configuration
 # Customize DNS resolution for redirecting traffic to proxy servers
 dnsPolicy: ""  # Options: ClusterFirst, Default, None, ClusterFirstWithHostNet
 dnsConfig: {}
 # Example configuration for custom DNS:
 # dnsPolicy: "None"  # Use only custom DNS settings
 # dnsConfig:
 #   nameservers:
 #     - "10.0.0.10"  # Your custom DNS server
 #     - "8.8.8.8"    # Fallback DNS
 #   searches:
 #     - "svc.cluster.local"
 #     - "cluster.local"
 #   options:
 #     - name: ndots
 #       value: "2"
 #     - name: timeout
 #       value: "1"
 # Strategy for LibreChat deployment updates
 updateStrategy:
  type: RollingUpdate