From 971241444f1b174265d2ee5f479d15979f66f424 Mon Sep 17 00:00:00 2001
From: Alex VanTol
Date: Fri, 14 Jul 2023 10:38:18 -0500
Subject: [PATCH] feat(gen3-openai): rough initial testing, no automation for rolling
---
 files/squid_whitelist/web_whitelist | 1 +
 .../gen3-openai/gen3-openai-deploy.yaml | 46 +++++++++++++++++++
 .../gen3-openai/gen3-openai-service.yaml | 30 ++++++++++++
 .../gen3.nginx.conf/gen3-openai-service.conf | 17 +++++++
 4 files changed, 94 insertions(+)
 create mode 100644 kube/services/gen3-openai/gen3-openai-deploy.yaml
 create mode 100644 kube/services/gen3-openai/gen3-openai-service.yaml
 create mode 100644 kube/services/revproxy/gen3.nginx.conf/gen3-openai-service.conf
diff --git a/files/squid_whitelist/web_whitelist b/files/squid_whitelist/web_whitelist
index c36194765..a3d74e76c 100644
--- a/files/squid_whitelist/web_whitelist
+++ b/files/squid_whitelist/web_whitelist
@@ -14,6 +14,7 @@ ctds-planx.atlassian.net
 data.cityofchicago.org
 dataguids.org
 api.login.yahoo.com
+api.openai.com
 api.snapcraft.io
 apt.kubernetes.io
 argoproj.github.io
diff --git a/kube/services/gen3-openai/gen3-openai-deploy.yaml b/kube/services/gen3-openai/gen3-openai-deploy.yaml
new file mode 100644
index 000000000..fc19be45e
--- /dev/null
+++ b/kube/services/gen3-openai/gen3-openai-deploy.yaml
@@ -0,0 +1,46 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: gen3-openai-deployment
+spec:
+ selector:
+ # Only select pods based on the 'app' label
+ matchLabels:
+ app: gen3-openai
+ release: production
+ strategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxSurge: 1
+ maxUnavailable: 0
+ template:
+ metadata:
+ labels:
+ app: gen3-openai
+ release: production
+ spec:
+ containers:
+ - name: gen3-openai
+ image: "quay.io/cdis/gen3-openai:latest"
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 8080
+ env:
+ - name: OPENAI_API_KEY
+ valueFrom:
+ secretKeyRef:
+ name: gen3-openai-g3auto
+ key: "openai_key"
+ - name: TOPICS
+ value: default,custom
+ - name: CUSTOM_SYSTEM_PROMPT
+ value: You answer questions about datasets that are available in BioData Catalyst. You'll be given relevant dataset descriptions for every dataset that's been ingested into BioData Catalyst. You are acting as a search assistant for a biomedical researcher (who will be asking you questions). The researcher is likely trying to find datasets of interest for a particular research question. You should recommend datasets that may be of interest to that researcher.
+ - name: CUSTOM_EMBEDDINGS_PATH
+ value: embeddings/embeddings.csv
+ imagePullPolicy: Always
+ resources:
+ requests:
+ cpu: 1
+ limits:
+ cpu: 2
+ memory: 512Mi
diff --git a/kube/services/gen3-openai/gen3-openai-service.yaml b/kube/services/gen3-openai/gen3-openai-service.yaml
new file mode 100644
index 000000000..7d3588835
--- /dev/null
+++ b/kube/services/gen3-openai/gen3-openai-service.yaml
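Review bot: The container image is referenced by the mutable tag `quay.io/cdis/gen3-openai:latest` together with `imagePullPolicy: Always`, so any pod restart can pull different code into a pod that holds `OPENAI_API_KEY`; pin a version tag or digest instead, e.g. `image: "quay.io/cdis/gen3-openai:<version-tag>"` (placeholder). `imagePullPolicy: Always` also appears a second time after the `env` list, which looks like a duplicate key in the same container mapping and should be dropped. The container sets no `securityContext` and no memory request; both are worth adding before this leaves testing.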
@@ -0,0 +1,30 @@
+kind: Service
+apiVersion: v1
+metadata:
+ name: gen3-openai-service
+ annotations:
+ getambassador.io/config: |
+ ---
+ apiVersion: ambassador/v1
+ ambassador_id: "gen3"
+ kind: Mapping
+ name: gen3-openai_mapping
+ prefix: /index/
+ service: http://gen3-openai-service:80
+spec:
+ selector:
+ app: gen3-openai
+ release: production
+ ports:
+ - protocol: TCP
+ port: 80
+ targetPort: 80
+ name: http
+ nodePort: null
+ - protocol: TCP
+ port: 443
+ targetPort: 443
+ name: https
+ nodePort: null
+ type: ClusterIP
+
diff --git a/kube/services/revproxy/gen3.nginx.conf/gen3-openai-service.conf b/kube/services/revproxy/gen3.nginx.conf/gen3-openai-service.conf
new file mode 100644
index 000000000..1f3668ca4
--- /dev/null
+++ b/kube/services/revproxy/gen3.nginx.conf/gen3-openai-service.conf
@@ -0,0 +1,17 @@
+ location /openai/ {
+ if ($csrf_check !~ ^ok-\S.+$) {
+ return 403 "failed csrf check";
+ }
+ set $authz_resource "/mds_gateway";
+ set $authz_method "access";
+ set $authz_service "mds_gateway";
+ # be careful - sub-request runs in same context as this request
+ auth_request /gen3-authz;
+
+ set $proxy_service "gen3-openai-service";
+ set $upstream http://gen3-openai-service$des_domain;
+ rewrite ^/openai/(.*) /$1 break;
+ proxy_pass $upstream;
+ proxy_redirect http://$host/ https://$host/openai/;
+ client_max_body_size 0;
+ }
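Review bot: The Service forwards to `targetPort: 80` and `targetPort: 443`, but the Deployment in this patch declares `containerPort: 8080`, so unless the image also listens on 80 the revproxy route will not reach the container; `targetPort: 8080` would match the Deployment. The Ambassador Mapping uses `prefix: /index/`, which looks copied from another service; if an Ambassador with id `gen3` is deployed, it would route that prefix to this backend without the `auth_request` check that the nginx config adds for `/openai/`. Either drop the annotation or give it a prefix specific to this service. Nothing visible in the patch serves TLS on the 443 port, so that entry can probably go as well.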
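Review bot: Access to `/openai/` is authorized against the existing metadata-gateway resource (`set $authz_resource "/mds_gateway";` and `set $authz_service "mds_gateway";`), so any user granted that resource can also drive requests that spend the shared OpenAI key. A dedicated resource, `set $authz_resource "/<gen3-openai-resource>";` (placeholder name), would let this access be granted and revoked separately. `client_max_body_size 0;` removes the request-size limit on a path that is forwarded to a paid external API; an explicit bound such as `client_max_body_size 1m;` (illustrative value) is safer. A one-line comment above the location block stating who is expected to reach this endpoint would help later review.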