From e30d8c457b517d9282c07b961ab99dcb3d39cded Mon Sep 17 00:00:00 2001 From: James Purcell Date: Wed, 6 May 2026 16:54:26 +0100 Subject: [PATCH 1/4] Add helm examples for EKS with and without Quarantine VPC enabled --- README.md | 2 +- braintrust/README.md | 6 + .../examples/aws-eks-quarantine/values.yaml | 109 ++++++++++++++++++ braintrust/examples/aws-eks/values.yaml | 90 +++++++++++++++ 4 files changed, 206 insertions(+), 1 deletion(-) create mode 100644 braintrust/examples/aws-eks-quarantine/values.yaml create mode 100644 braintrust/examples/aws-eks/values.yaml diff --git a/README.md b/README.md index 5ec78fd..348ec1b 100644 --- a/README.md +++ b/README.md @@ -21,6 +21,6 @@ helm upgrade --install \ ## Prerequisites -Before installing the Braintrust Helm chart, ensure you have run the appropriate braintrust terraform module [Google](https://github.com/braintrustdata/terraform-google-braintrust-data-plane) or [Azure](https://github.com/braintrustdata/terraform-azure-braintrust-data-plane) to deploy the base infrastructure. +Before installing the Braintrust Helm chart, ensure you have run the appropriate Braintrust Terraform module for [AWS](https://github.com/braintrustdata/terraform-aws-braintrust-data-plane), [Google](https://github.com/braintrustdata/terraform-google-braintrust-data-plane), or [Azure](https://github.com/braintrustdata/terraform-azure-braintrust-data-plane) to deploy the base infrastructure. See the [Braintrust Helm Chart](./braintrust/README.md) for more details. diff --git a/braintrust/README.md b/braintrust/README.md index a912b70..d413adf 100644 --- a/braintrust/README.md +++ b/braintrust/README.md 
@@ -192,3 +192,9 @@ This version also adds first-class `brainstoreWalFooterVersion` support and auto ## Example Values Files Example values files for different cloud providers and configurations are located in the `examples/` folder. + +- `examples/aws-eks/values.yaml`: AWS EKS deployment without a quarantine VPC. User-defined functions execute in the API pod. Includes the API service annotations needed for the Terraform-managed CloudFront plus adopted internal NLB path. +- `examples/aws-eks-quarantine/values.yaml`: AWS EKS deployment with user-defined functions routed into the quarantine VPC. Includes the API service annotations needed for the Terraform-managed CloudFront plus adopted internal NLB path. +- `examples/google-autopilot/values.yaml`: GKE Autopilot deployment. +- `examples/google-autopilot-cel/values.yaml`: GKE Autopilot deployment with CEL-friendly security settings. +- `examples/google-standard/values.yaml`: GKE Standard deployment. diff --git a/braintrust/examples/aws-eks-quarantine/values.yaml b/braintrust/examples/aws-eks-quarantine/values.yaml new file mode 100644 index 0000000..1fef7f7 --- /dev/null +++ b/braintrust/examples/aws-eks-quarantine/values.yaml 
@@ -0,0 +1,109 @@
+# Sample values for AWS EKS deployment with a quarantine VPC
+
+global:
+ orgName: ""
+ namespace: "braintrust"
+
+cloud: "aws"
+
+objectStorage:
+ aws:
+ brainstoreBucket: ""
+ responseBucket: ""
+ codeBundleBucket: ""
+
+api:
+ name: "braintrust-api"
+ replicas: 1
+ # Disable in-pod code execution so user-defined functions run in the quarantine VPC.
+ allowCodeFunctionExecution: false
+ annotations:
+ service:
+ # Internal NLB via the AWS Load Balancer Controller.
+ # If you are using the terraform-aws-braintrust-data-plane EKS CloudFront path,
+ # set these so the controller adopts the pre-created internal NLB.
+ service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"
+ service.beta.kubernetes.io/aws-load-balancer-type: "external"
+ service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "instance"
+ service.beta.kubernetes.io/aws-load-balancer-security-groups: ""
+ service.beta.kubernetes.io/aws-load-balancer-name: ""
+ service:
+ type: LoadBalancer
+ port: 8000
+ portName: http
+ serviceAccount:
+ name: "braintrust-api"
+ awsRoleArn: ""
+ resources:
+ requests:
+ cpu: "4"
+ memory: "16Gi"
+ limits:
+ cpu: "8"
+ memory: "16Gi"
+ extraEnvVars:
+ - name: QUARANTINE_INVOKE_ROLE
+ value: ""
+ - name: QUARANTINE_FUNCTION_ROLE
+ value: ""
+ - name: QUARANTINE_REGION
+ value: ""
+ - name: QUARANTINE_PRIVATE_SUBNET_1_ID
+ value: ""
+ - name: QUARANTINE_PRIVATE_SUBNET_2_ID
+ value: ""
+ - name: QUARANTINE_PRIVATE_SUBNET_3_ID
+ value: ""
+ - name: QUARANTINE_PUB_PRIVATE_VPC_DEFAULT_SECURITY_GROUP
+ value: ""
+ - name: QUARANTINE_PUB_PRIVATE_VPC_ID
+ value: ""
+ # nodeSelector:
+ # topology.kubernetes.io/zone: us-east-1a
+
+brainstore:
+ serviceAccount:
+ name: "brainstore"
+ awsRoleArn: ""
+ reader:
+ name: "brainstore-reader"
+ replicas: 2
+ service:
+ type: ClusterIP
+ port: 4000
+ portName: http
+ resources:
+ requests:
+ cpu: "16"
+ memory: "32Gi"
+ limits:
+ cpu: "16"
+ memory: "32Gi"
+ fastreader:
+ name: "brainstore-fastreader"
+ replicas: 2
+ service:
+ type: ClusterIP
+ port: 4000
+ portName: http
+ resources:
+ requests:
+ cpu: "16"
+ memory: "32Gi"
+ limits:
+ cpu: "16"
+ memory: "32Gi"
+ writer:
+ name: "brainstore-writer"
+ replicas: 1
+ service:
+ type: ClusterIP
+ port: 4000
+ portName: http
+ resources:
+ requests:
+ cpu: "32"
+ memory: "64Gi"
+ limits:
+ cpu: "32"
+ memory: "64Gi"
diff --git a/braintrust/examples/aws-eks/values.yaml b/braintrust/examples/aws-eks/values.yaml
new file mode 100644
index 0000000..b676ea3
--- /dev/null
+++ b/braintrust/examples/aws-eks/values.yaml
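Review bot: The eight `QUARANTINE_*` entries under `api.extraEnvVars` and the annotations `aws-load-balancer-security-groups` and `aws-load-balancer-name` are all committed as `""`, with nothing saying which are required or where the values come from. Because `allowCodeFunctionExecution: false` sits in the same `api:` block, a deployment that leaves the quarantine variables blank presumably has nowhere to run user-defined functions, and how the chart or the controller treats an empty annotation value is not visible in this hunk. I would add a comment above `extraEnvVars`, e.g. `# Required when allowCodeFunctionExecution is false: set every QUARANTINE_* value (presumably from the terraform-aws-braintrust-data-plane outputs).`, and one above the two empty annotations, `# Required: security group ID(s) and name of the pre-created internal NLB; do not deploy with these empty.` The same `extraEnvVars` block is added again to `examples/aws-eks/values.yaml` in patch 4/4.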
@@ -0,0 +1,90 @@
+# Sample values for AWS EKS deployment without a quarantine VPC
+
+global:
+ orgName: ""
+ namespace: "braintrust"
+
+cloud: "aws"
+
+objectStorage:
+ aws:
+ brainstoreBucket: ""
+ responseBucket: ""
+ codeBundleBucket: ""
+
+api:
+ name: "braintrust-api"
+ annotations:
+ service:
+ # Internal NLB via the AWS Load Balancer Controller.
+ # If you are using the terraform-aws-braintrust-data-plane EKS CloudFront path,
+ # set these so the controller adopts the pre-created internal NLB.
+ service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"
+ service.beta.kubernetes.io/aws-load-balancer-type: "external"
+ service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "instance"
+ service.beta.kubernetes.io/aws-load-balancer-security-groups: ""
+ service.beta.kubernetes.io/aws-load-balancer-name: ""
+ replicas: 1
+ service:
+ type: LoadBalancer
+ port: 8000
+ portName: http
+ serviceAccount:
+ name: "braintrust-api"
+ awsRoleArn: ""
+ # Keep code execution enabled when not using a quarantine VPC.
+ allowCodeFunctionExecution: true
+ resources:
+ requests:
+ cpu: "4"
+ memory: "16Gi"
+ limits:
+ cpu: "8"
+ memory: "16Gi"
+
+brainstore:
+ serviceAccount:
+ name: "brainstore"
+ awsRoleArn: ""
+ reader:
+ name: "brainstore-reader"
+ replicas: 2
+ service:
+ type: ClusterIP
+ port: 4000
+ portName: http
+ resources:
+ requests:
+ cpu: "16"
+ memory: "32Gi"
+ limits:
+ cpu: "16"
+ memory: "32Gi"
+ fastreader:
+ name: "brainstore-fastreader"
+ replicas: 2
+ service:
+ type: ClusterIP
+ port: 4000
+ portName: http
+ resources:
+ requests:
+ cpu: "16"
+ memory: "32Gi"
+ limits:
+ cpu: "16"
+ memory: "32Gi"
+ writer:
+ name: "brainstore-writer"
+ replicas: 1
+ service:
+ type: ClusterIP
+ port: 4000
+ portName: http
+ resources:
+ requests:
+ cpu: "32"
+ memory: "64Gi"
+ limits:
+ cpu: "32"
+ memory: "64Gi"
From dfd1689f3d1437bbed4a9e89badd2bdc60da6236 Mon Sep 17 00:00:00 2001
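Review bot: `allowCodeFunctionExecution: true` is documented only as "Keep code execution enabled when not using a quarantine VPC", which does not tell the operator what the setting costs in isolation. Per the README text added in this same patch, user-defined functions then execute in the API pod, so they run next to the `braintrust-api` service account and whatever `awsRoleArn` grants it. How far the chart sandboxes that code is not visible in this hunk. I would expand the comment to something like `# User-defined functions run inside the API pod and share its service account / IAM role; use the quarantine example when function code is not fully trusted.`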
From: James Purcell Date: Wed, 6 May 2026 17:01:26 +0100 Subject: [PATCH 2/4] Remove CEL example from README --- braintrust/README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/braintrust/README.md b/braintrust/README.md index d413adf..7194ef0 100644 --- a/braintrust/README.md +++ b/braintrust/README.md @@ -196,5 +196,4 @@ Example values files for different cloud providers and configurations are locate - `examples/aws-eks/values.yaml`: AWS EKS deployment without a quarantine VPC. User-defined functions execute in the API pod. Includes the API service annotations needed for the Terraform-managed CloudFront plus adopted internal NLB path. - `examples/aws-eks-quarantine/values.yaml`: AWS EKS deployment with user-defined functions routed into the quarantine VPC. Includes the API service annotations needed for the Terraform-managed CloudFront plus adopted internal NLB path. - `examples/google-autopilot/values.yaml`: GKE Autopilot deployment. -- `examples/google-autopilot-cel/values.yaml`: GKE Autopilot deployment with CEL-friendly security settings. - `examples/google-standard/values.yaml`: GKE Standard deployment. From 40ae3bc50814a0c50a48bd53a0058d0eba766305 Mon Sep 17 00:00:00 2001 From: James Purcell Date: Wed, 6 May 2026 17:27:51 +0100 Subject: [PATCH 3/4] Bump API replicas to 4 to match general guidance --- braintrust/examples/aws-eks-quarantine/values.yaml | 2 +- braintrust/examples/aws-eks/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/braintrust/examples/aws-eks-quarantine/values.yaml b/braintrust/examples/aws-eks-quarantine/values.yaml index 1fef7f7..7dafae1 100644 --- a/braintrust/examples/aws-eks-quarantine/values.yaml +++ b/braintrust/examples/aws-eks-quarantine/values.yaml @@ -14,7 +14,7 @@ objectStorage: api: name: "braintrust-api" - replicas: 1 + replicas: 4 # Disable in-pod code execution so user-defined functions run in the quarantine VPC. allowCodeFunctionExecution: false annotations: 
diff --git a/braintrust/examples/aws-eks/values.yaml b/braintrust/examples/aws-eks/values.yaml index b676ea3..9dc7141 100644 --- a/braintrust/examples/aws-eks/values.yaml +++ b/braintrust/examples/aws-eks/values.yaml @@ -24,7 +24,7 @@ api: service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "instance" service.beta.kubernetes.io/aws-load-balancer-security-groups: "" service.beta.kubernetes.io/aws-load-balancer-name: "" - replicas: 1 + replicas: 4 service: type: LoadBalancer port: 8000 From a26d8c5472c405bd0183cf2a60a1004890799ed1 Mon Sep 17 00:00:00 2001 From: James Purcell Date: Fri, 15 May 2026 15:32:11 +0100 Subject: [PATCH 4/4] Remove non quarantine option from EKS examples --- braintrust/README.md | 3 +- .../examples/aws-eks-quarantine/values.yaml | 109 ------------------ braintrust/examples/aws-eks/values.yaml | 37 +++--- 3 files changed, 24 insertions(+), 125 deletions(-) delete mode 100644 braintrust/examples/aws-eks-quarantine/values.yaml diff --git a/braintrust/README.md b/braintrust/README.md index 7194ef0..f32705f 100644 --- a/braintrust/README.md +++ b/braintrust/README.md 
@@ -193,7 +193,6 @@ This version also adds first-class `brainstoreWalFooterVersion` support and auto Example values files for different cloud providers and configurations are located in the `examples/` folder. -- `examples/aws-eks/values.yaml`: AWS EKS deployment without a quarantine VPC. User-defined functions execute in the API pod. Includes the API service annotations needed for the Terraform-managed CloudFront plus adopted internal NLB path. -- `examples/aws-eks-quarantine/values.yaml`: AWS EKS deployment with user-defined functions routed into the quarantine VPC. Includes the API service annotations needed for the Terraform-managed CloudFront plus adopted internal NLB path. +- `examples/aws-eks/values.yaml`: AWS EKS deployment with user-defined functions routed into the quarantine VPC. Uses an internal API `ClusterIP` service so you can pair it with the ingress or service exposure model used by your cluster. - `examples/google-autopilot/values.yaml`: GKE Autopilot deployment. - `examples/google-standard/values.yaml`: GKE Standard deployment. diff --git a/braintrust/examples/aws-eks-quarantine/values.yaml b/braintrust/examples/aws-eks-quarantine/values.yaml deleted file mode 100644 index 7dafae1..0000000 --- a/braintrust/examples/aws-eks-quarantine/values.yaml +++ /dev/null 
@@ -1,109 +0,0 @@ -# Sample values for AWS EKS deployment with a quarantine VPC - -global: - orgName: "" - namespace: "braintrust" - -cloud: "aws" - -objectStorage: - aws: - brainstoreBucket: "" - responseBucket: "" - codeBundleBucket: "" - -api: - name: "braintrust-api" - replicas: 4 - # Disable in-pod code execution so user-defined functions run in the quarantine VPC. - allowCodeFunctionExecution: false - annotations: - service: - # Internal NLB via the AWS Load Balancer Controller. - # If you are using the terraform-aws-braintrust-data-plane EKS CloudFront path, - # set these so the controller adopts the pre-created internal NLB. - service.beta.kubernetes.io/aws-load-balancer-scheme: "internal" - service.beta.kubernetes.io/aws-load-balancer-type: "external" - service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "instance" - service.beta.kubernetes.io/aws-load-balancer-security-groups: "" - service.beta.kubernetes.io/aws-load-balancer-name: "" - service: - type: LoadBalancer - port: 8000 - portName: http - serviceAccount: - name: "braintrust-api" - awsRoleArn: "" - resources: - requests: - cpu: "4" - memory: "16Gi" - limits: - cpu: "8" - memory: "16Gi" - extraEnvVars: - - name: QUARANTINE_INVOKE_ROLE - value: "" - - name: QUARANTINE_FUNCTION_ROLE - value: "" - - name: QUARANTINE_REGION - value: "" - - name: QUARANTINE_PRIVATE_SUBNET_1_ID - value: "" - - name: QUARANTINE_PRIVATE_SUBNET_2_ID - value: "" - - name: QUARANTINE_PRIVATE_SUBNET_3_ID - value: "" - - name: QUARANTINE_PUB_PRIVATE_VPC_DEFAULT_SECURITY_GROUP - value: "" - - name: QUARANTINE_PUB_PRIVATE_VPC_ID - value: "" - # nodeSelector: - # topology.kubernetes.io/zone: us-east-1a - -brainstore: - serviceAccount: - name: "brainstore" - awsRoleArn: "" - reader: - name: "brainstore-reader" - replicas: 2 - service: - type: ClusterIP - port: 4000 - portName: http - resources: - requests: - cpu: "16" - memory: "32Gi" - limits: - cpu: "16" - memory: "32Gi" - fastreader: - name: "brainstore-fastreader" - 
replicas: 2 - service: - type: ClusterIP - port: 4000 - portName: http - resources: - requests: - cpu: "16" - memory: "32Gi" - limits: - cpu: "16" - memory: "32Gi" - writer: - name: "brainstore-writer" - replicas: 1 - service: - type: ClusterIP - port: 4000 - portName: http - resources: - requests: - cpu: "32" - memory: "64Gi" - limits: - cpu: "32" - memory: "64Gi" diff --git a/braintrust/examples/aws-eks/values.yaml b/braintrust/examples/aws-eks/values.yaml index 9dc7141..57c14a0 100644 --- a/braintrust/examples/aws-eks/values.yaml +++ b/braintrust/examples/aws-eks/values.yaml @@ -1,4 +1,4 @@ -# Sample values for AWS EKS deployment without a quarantine VPC +# Sample values for AWS EKS deployment with a quarantine VPC global: orgName: "" @@ -14,26 +14,16 @@ objectStorage: api: name: "braintrust-api" - annotations: - service: - # Internal NLB via the AWS Load Balancer Controller. - # If you are using the terraform-aws-braintrust-data-plane EKS CloudFront path, - # set these so the controller adopts the pre-created internal NLB. - service.beta.kubernetes.io/aws-load-balancer-scheme: "internal" - service.beta.kubernetes.io/aws-load-balancer-type: "external" - service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "instance" - service.beta.kubernetes.io/aws-load-balancer-security-groups: "" - service.beta.kubernetes.io/aws-load-balancer-name: "" replicas: 4 + # Disable in-pod code execution so user-defined functions run in the quarantine VPC. + allowCodeFunctionExecution: false service: - type: LoadBalancer + type: ClusterIP port: 8000 portName: http serviceAccount: name: "braintrust-api" awsRoleArn: "" - # Keep code execution enabled when not using a quarantine VPC. - allowCodeFunctionExecution: true resources: requests: cpu: "4" 
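Review bot: With `service.type` switched to `ClusterIP` and the `aws-load-balancer-scheme: "internal"` annotations removed in the `@@ -14,26 +14,16 @@` hunk, the values file no longer says how the API on port 8000 (`portName: http`) is meant to be reached or whether it should stay off the public internet. The README line in this patch leaves exposure to "the ingress or service exposure model used by your cluster", but someone copying only this file gets no hint of that. A short comment above `service:` would cover it, e.g. `# ClusterIP only: expose through your own ingress or load balancer; keep it internal and terminate TLS there if the earlier internal-NLB posture is still intended.` The enclosing `api:` block continues past this hunk.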
@@ -41,6 +31,25 @@ api: limits: cpu: "8" memory: "16Gi" + extraEnvVars: + - name: QUARANTINE_INVOKE_ROLE + value: "" + - name: QUARANTINE_FUNCTION_ROLE + value: "" + - name: QUARANTINE_REGION + value: "" + - name: QUARANTINE_PRIVATE_SUBNET_1_ID + value: "" + - name: QUARANTINE_PRIVATE_SUBNET_2_ID + value: "" + - name: QUARANTINE_PRIVATE_SUBNET_3_ID + value: "" + - name: QUARANTINE_PUB_PRIVATE_VPC_DEFAULT_SECURITY_GROUP + value: "" + - name: QUARANTINE_PUB_PRIVATE_VPC_ID + value: "" + # nodeSelector: + # topology.kubernetes.io/zone: us-east-1a brainstore: serviceAccount: