OpenShift and Kubernetes

This page contains detailed instructions for deploying Rasa X using OpenShift or Kubernetes (K8S).

Rasa X is available as a Helm Chart for a quick and easy cluster setup. If you are not using Helm in your cluster, you can still use the Helm command-line interface to generate the Kubernetes / OpenShift object configurations.

Requirements

  1. Check that Helm is installed on your machine. If this is not the case, see this guide for instructions on how to install Helm.

  2. Get the Rasa X Helm chart

    export RASA_X_VERSION="Rasa X version you want to use"
    wget -qO rasa-x-helm.tgz https://storage.googleapis.com/rasa-x-releases/${RASA_X_VERSION}/rasa-x-${RASA_X_VERSION}.tgz
    
  3. Make sure kubectl or oc are connected with your cluster and are using the right namespace.

Configuring the Helm Chart

The Rasa X Helm Chart comes with a default configuration. However, especially in a cluster environment, you might want to adapt some of these default settings to your infrastructure. You can see which values are configurable in the Rasa X chart by running this on your command line:

$ helm inspect values <chart file>

There are different ways to change the default parameters:

  • --values (or -f): Specify a YAML file with overrides for the values.
  • --set (and its variants --set-string and --set-file): Specify overrides in the command line.

Our recommended option is to specify your configurations in a separate YAML file. Please see the following sections for examples.

OpenShift / Kubernetes Specific Configuration

The Helm chart is compatible with both Kubernetes and OpenShift. However, depending on your cluster configuration, it might be necessary to to adjust the security permissions for the deployments:

securityContext: ""
  # fsGroup to use (e.g. when deploying on Kubernetes)
  fsGroup: 0

Using Rasa X EE

By default, the Helm chart is configured to use the Rasa X CE image. To use the Rasa X EE image add this to your override file:

rasax:
  name: "gcr.io/rasa-platform/rasa-x-ee"

The next step is to configure the pull secret, which Kubernetes / OpenShift will use to pull the image from the private registry:

  1. Copy everything between the outer " of the docker_registry_license key in your Rasa X EE license to a file gcr-auth.json. The contents of gcr-auth.json should look like this:

    {
      "type": "service_account",
      "project_id": "rasa-platform",
      "private_key_id": "sdferw234qadst423qafdgxhw",
      "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvfwrt423qwadsfghtzw0BAQEFAASCBKgwggSkAgEAAoIBAQCgt338FkWbW13dghtzew4easdf5wAi15jrA9t4uOk8dghrtze4weasfgdhtAFZNfrLgvr2\nPBTu1lAJDLo136ZGTdMKi+/TuRqrIMg/sr8q0Ungish8v6t5Jb4gsjBi9StytCT4\nhWXDL3qeadfsgeDOudl6c3iMzylBws+VffrFfaZWjDpGtxmlYwIUa2e\noNSe7BYLnY9tDrX3zrP/wu/6FPbbGkBjguDG1l3Kx7l1wmiPtK5lIhjt+k7Oyx/u\nd6+gvfs+7RX9wUxnZT/tLggybYdsr8BA1Pqr0hDmhdDl7tjXVTmGLG+1/+lXVGFc\nqKEg+uLXAgMBAAECggEAESzwRK0Cp62LgBjInk+jvTmMI4lYP/XTnfk0TNwyiLxd\nT7mkw/TzkSVRifZ37lBQ6BS6BiqBJherh1N4xI+DF9HUN/wHR93QTyu7p8umlcxC\nlPV0KE4b5ZMfWvRG4y236cRGly9urcBNGoFzFHl8pd2iS5DMqZOYpSXY+qvkXTKE\nUOm5mVSs4S4Qa9cHL+jWXCvY0789fG1GrT+L3Fn+StKacgQuBnN1krYFYBSjCAh8\nsnSdjkvGguw/6OApPHd8HqkHtjU0PD67uU5QIm5N1bmz9KT4s9Pm+WbCinEstIiN\nIfln5ikmHcMAiIS0gzSnZavsY21PsDHBkD8SUO7CTQKBgQDgMPhx0TsB/oVH/SnU\nt3oTME+tfAKI69tozX02jHj6DY/vDpI1hXNmb4oMOos5+3ulborHqnso9za1RgV7\nm2N04QQVfzYEuZzJzXL11SHvBYVjHkXYy6HR5GhnPmwA+CzrDNy2/oYxlaqH7TBA\nR+f7IHToIPKGCVrhCJztlAgzIwKBgQC3hQNclIQ5Iw0gm9Rr8zAP/YoRJdiUSYtv\nNBmav+dTTSkPh51Bomj/J4Rrg8OLvHG5U79pmzbQdIFGYGKlR0l4/QepKpbaGm7x\nM/gRp/GXu9sN8LgI+h+FskCYi4cuqDjQ9L2S0gwMre4witmeVSIiBxLWxS7mvkZX\nWRW58ml2vQKBgBozPuW2SQobn6HhIUFdy+NwMu+YXYd44ORnl2mHkx/N8/NBJa8h\nkHH5OQ3izaCSFkooGAnrj4cjFP6sVzmx2DaxkVOd0UdOFdezreqy5MtVPthtkkYa\nzieEZPsj3WVjm4RAtY6hQjeLQSmve4MXpDHCAkeaih1F/Jvt8MEHGso3AoGBAJez\nTioTYpFQliNkbN2nMw2kyaKPJE6/1JDiAmBXTcMgP1blBWsh86UnZ2DwlI5IAcHu\npoWHlnIOPGaOejyhhuyKTPDbkcNMonSkPuVpbF2/Hb6SQ664A6KizJ7Mh7xbtkuU\nY7igBPHePMzHmkg1m3eBXWNHsBNxKfg+XaVN6zwJAoGBAN6VhGMmyDcn0GqkkP6d\nrSsQ0Ig7L4PnU633oYWoGWa8q/XYiFbcACMFynMbrmHG+/0c3Iwt32bi3th60Cwb\nT66yqmv4MaT72+EfQHxiLxnUxhqSpBXM0eoXbyvDg97Zp/slsYvGGLjONmmretlE\nsjAsuAH4Iz1XdfdenzGnyBZH\n-----END PRIVATE KEY-----\n",
      "client_email": "company@rasa-platform.iam.gserviceaccount.com",
      "client_id": "114123456713428149",
      "auth_uri": "https://accounts.google.com/o/oauth2/auth",
      "token_uri": "https://accounts.google.com/o/oauth2/token",
      "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
      "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/company%40rasa-platform.iam.gserviceaccount.com"
    }
    
  2. Log in to the docker registry:

    $ sudo docker login  -u _json_key -p "$(cat gcr-auth.json)" https://gcr.io
    
  3. Create an image pull secret from the docker config.json following the Kubernetes guide or the OpenShift guide.

  4. Add the secret name in your override file:

    images:
      imagePullSecrets:
      - <name of the created secret>
    

Using Your Own Custom Action Server Image

To use your own custom action server image, put the following in the override file:

app:
  name: "name of your image"
  tag: "tag you want to use"

Specifying Volume Sizes

Rasa X requires two volume claims: one for Rasa X, and one for the database. You can define the claim sizes by setting the storage of these services in your override file:

rasax:
  storage: "10Gi"
database:
  storage: "100Gi"

Using HTTPS

We recommend that you enable HTTPS on your server by adding SSL certificates (for example using Let’s encrypt).

To do so, you need a PEM-encoded private key file (privkey.pem) and a PEM-encoded certificate chain file (fullchain.pem). Add them to your override file:

nginx:
  certificates: []
  - fileName: "privkey.pem"
    data: "content of privkey.pem"
  - fileName: "fullchain.pem"
    data: "content of fullchain.pem"

This will automatically be mounted in the correct place within the Nginx pod. If you have your own secret in place, you can also use that one instead of the preconfigured one. Make sure that the secret specifies contents for privkey.pem and fullchain.pem and instruct Nginx to use it by adding this to your override file:

nginx:
  certificateSecret: "name of your secret to use"

Debug Mode

Sometimes it’s helpful to have more log messages in the Rasa pods. To activate the debug mode for all Rasa and Rasa X pods, use the following configuration:

debugMode: "true"

Deploying With Helm

If your cluster has Helm configured, you can install the Rasa X chart with the command:

$ helm install --values <path to your override file> <name of downloaded Rasa X chart>

Using Helm to Generate Object Configurations

Even if Helm is not configured in your cluster, you can still use Helm to generate the OpenShift / Kubernetes object configurations for Rasa X with your custom overrides:

$ helm template --values <path to your override file> <chart name> > generated.yml

Then create the object configurations based on this file:

$ kubectl create -f generated.yml  # Kubernetes
$ oc create -f generated.yml       # OpenShift

Logging in for the First Time

Rasa X CE

If you are using Rasa X CE, please set your admin password by executing this within the Rasa X pod:

$ cd scripts
$ python manage_users.py create --update me <your password> admin

Rasa X EE

You can create a new user by using the terminal of the Rasa X pod:

$ kubectl exec -it <Rasa X pod name> bash  # Kubernetes
$ oc exec -it <Rasa X pod name> bash       # OpenShift


$ cd scripts
$ python manage_users.py create [username] [password] [role]

Possible values for role are admin, annotator, and tester.