Add Rasa & Studio installation steps

Author: Element9

.gitignore

@@ -56,6 +56,14 @@ azure/configure/test-ingress-certificate.yaml
 azure/configure/test-ingress-httpbin-values.yaml
 azure/configure/db-init.yaml
 azure/rasa/kafka/kafka.yaml
+azure/rasa/assistant/repos/*
+azure/rasa/assistant/values.yaml
+azure/rasa/ingress/ingress.yaml
+azure/rasa/ingress/certificate.yaml
+azure/studio/repos/*
+azure/studio/values.yaml
+azure/studio/certificate.yaml
+
 
 
 # Dev

aws/setup/environment-variables.sh

@@ -39,8 +39,6 @@ export BUCKET_NAME_ENTROPY="xbuc"
 export MODEL_BUCKET="${MY_COMPANY_NAME}-${BUCKET_NAME_ENTROPY}-${NAME}-model"
 # The name of the bucket used to store models for Rasa Studio.
 export STUDIO_BUCKET="${MY_COMPANY_NAME}-${BUCKET_NAME_ENTROPY}-${NAME}-studio"
-# Process your domain name to create a DNS zone name for Amazon Route 53.
-export DNS_ZONE=$(echo "$DOMAIN" | sed -e 's/\./-/g')
 # The Kubernetes namespace that will be used for the deployment.
 export NAMESPACE=rasa
 # The database name for Rasa Pro.

azure/configure/configure-cluster.sh

@@ -5,19 +5,9 @@ SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 
 # Source common utilities
 source "$SCRIPT_DIR/../../utils/common.sh"
+source "$SCRIPT_DIR/../utils/common.sh"
 
-print_info "Generating kubeconfig to authenticate with EKS cluster..."
-# To be able to interact with the EKS cluster we deployed earlier, we need to obtain the credentials for it. These credentials are saved in a file called kubeconfig which the Azure CLI can generate for us and kubectl can use.
-# Ensure we've got a path setup for the kubeconfig file:
-export KUBECONFIG=$(pwd)/kubeconfig
-print_info "Kubeconfig path:  $KUBECONFIG"
-rm -f $KUBECONFIG
-# Retrieve the credentials for the cluster using the Azure CLI:
-az aks get-credentials --resource-group "$NAME" --name "$NAME"
-# Next, validate that the credentials work - we should see information about our cluster output here if everything has worked.
-print_info "Kubeconfig generated successfully! Printing cluster info below, if you see output here, authentication was successful."
-kubectl cluster-info
-kubectl get ns
+auth_to_k8s
 
 # Get the directory where this script is located
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"

azure/configure/get-infra-values.sh

@@ -33,7 +33,6 @@ export REDIS_HOST=$($TF_CMD -chdir=$TARGET_DIR_ABSOLUTE output -raw redis_host)
 export REDIS_AUTH=$($TF_CMD -chdir=$TARGET_DIR_ABSOLUTE output -raw redis_pw)
 
 export SERVICE_ACCOUNT_DNS=$($TF_CMD -chdir=$TARGET_DIR_ABSOLUTE output -raw client_id_dns)
-export SERVICE_ACCOUNT_ASSISTANT=$($TF_CMD -chdir=$TARGET_DIR_ABSOLUTE output -raw client_id_assistant)
 export SERVICE_ACCOUNT_STUDIO=$($TF_CMD -chdir=$TARGET_DIR_ABSOLUTE output -raw client_id_studio)
 
 echo "Infrastructure values fetched successfully:"
@@ -44,5 +43,4 @@ echo "DB_HOST=$DB_HOST"
 echo "REDIS_HOST=$REDIS_HOST"
 echo "REDIS_AUTH=$REDIS_AUTH"
 echo "SERVICE_ACCOUNT_DNS=$SERVICE_ACCOUNT_DNS"
-echo "SERVICE_ACCOUNT_ASSISTANT=$SERVICE_ACCOUNT_ASSISTANT"
 echo "SERVICE_ACCOUNT_STUDIO=$SERVICE_ACCOUNT_STUDIO"

azure/deploy/main.tf.template

@@ -185,13 +185,6 @@ resource "azuread_application" "assistant" {
   owners       = [data.azuread_client_config.current.object_id]
 }
 
-resource "azuread_service_principal" "assistant" {
-  client_id                    = azuread_application.assistant.client_id
-  app_role_assignment_required = false
-  owners                       = [data.azuread_client_config.current.object_id]
-  use_existing = true
-}
-
 output "client_id_assistant" {
   value = azuread_application.assistant.client_id
 }
@@ -203,13 +196,6 @@ resource "azuread_application" "studio" {
   owners       = [data.azuread_client_config.current.object_id]
 }
 
-resource "azuread_service_principal" "studio" {
-  client_id                    = azuread_application.studio.client_id
-  app_role_assignment_required = false
-  owners                       = [data.azuread_client_config.current.object_id]
-  use_existing = true
-}
-
 output "client_id_studio" {
   value = azuread_application.studio.client_id
 }
@@ -228,33 +214,20 @@ resource "azurerm_storage_account" "main" {
 
 # Model storage container
 
-resource "azurerm_storage_container" "model" {
-  name                  = "${NAME}-model"
+resource "azurerm_storage_container" "assistant" {
+  name                  = "${ASSISTANT_STORAGE_CONTAINER}"
   storage_account_id    = azurerm_storage_account.main.id
   container_access_type = "private"
 }
 
-resource "azurerm_role_assignment" "assistant_storage_blob_data_reader" {
-  scope                = azurerm_storage_container.model.id
-  role_definition_name = "Storage Blob Data Reader"
-  principal_id         = resource.azuread_service_principal.assistant.object_id
-}
-
 # Studio storage container
 
 resource "azurerm_storage_container" "studio" {
-  name                  = "${NAME}-studio"
+  name                  = "${STUDIO_STORAGE_CONTAINER}"
   storage_account_id    = azurerm_storage_account.main.id
   container_access_type = "private"
 }
 
-resource "azurerm_role_assignment" "studio_storage_blob_data_contributor" {
-  scope                = azurerm_storage_container.model.id
-  role_definition_name = "Storage Blob Data Contributor"
-  principal_id         = resource.azuread_service_principal.assistant.object_id
-}
-
-
 # Key Vault ==============================================
 
 resource "azurerm_key_vault" "main" {

azure/rasa/assistant/setup-assistant.sh

@@ -0,0 +1,59 @@
+set -e
+
+# Get the directory where this script is located
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+# Source common utilities
+source "$SCRIPT_DIR/../../../utils/common.sh"
+source "$SCRIPT_DIR/../../utils/common.sh"
+
+auth_to_k8s
+
+print_info "Deleting Rasa Helm chart if it already exists..."
+rm -rf $SCRIPT_DIR/repos
+
+# This Helm chart contains instructions for setting up theRasa bot and Analytics components.
+print_info "Pulling Rasa Helm chart..."
+mkdir $SCRIPT_DIR/repos
+helm pull oci://europe-west3-docker.pkg.dev/rasa-releases/helm-charts/rasa --version 1.2.5 --untar --destination $SCRIPT_DIR/repos/rasa-helm
+
+print_info "Getting storage account key..."
+SAKEYS_OUTPUT_OUTPUT=$(az storage account keys list \
+  --resource-group $NAME \
+  --account-name $NAME)
+
+# Next, we'll ensure that other passwords and secret values that Rasa requires are set, before creating a Kubernetes Secret to securely store them in a way that we can reference later on:
+print_info "Creating secrets for the Rasa assistant to use..."
+export AUTH_TOKEN=$(openssl rand -hex 8 | base64)
+export JWT_SECRET=$(openssl rand -hex 8 | base64)
+export KAFKA_CLIENT_PASSWORD=$(kubectl get secret kafka -n $NAMESPACE -o jsonpath='{.data.password}' | base64 -d | cut -d ',' -f 1)
+export STORAGE_ACCOUNT_KEY=$(echo $SAKEYS_OUTPUT_OUTPUT | jq -r '.[0].value')
+
+print_info "Secret values retrieved. Validating that all required values are set..."
+
+# Validate all required secret variables
+validate_variables \
+    "AUTH_TOKEN" \
+    "JWT_SECRET" \
+    "REDIS_AUTH" \
+    "KAFKA_CLIENT_PASSWORD" \
+    "DB_ASSISTANT_PASSWORD" \
+    "STORAGE_ACCOUNT_KEY" \
+    "RASA_PRO_LICENSE" \
+    "OPENAI_API_KEY"
+
+print_info "Deleting a secret if it already exists..."
+kubectl delete secret rasa-secrets -n $NAMESPACE || true
+
+print_info "Creating a Kubernetes secret for these values..."
+kubectl --namespace $NAMESPACE \
+create secret generic rasa-secrets \
+--from-literal=authToken="$(echo $AUTH_TOKEN )" \
+--from-literal=jwtSecret="$(echo $JWT_SECRET)" \
+--from-literal=redisPassword="$(echo REDIS_AUTH)" \
+--from-literal=kafkaSslPassword="$(echo $KAFKA_CLIENT_PASSWORD)" \
+--from-literal=dbPassword="$(echo DB_ASSISTANT_PASSWORD)" \
+--from-literal=storageAccountKey="$(echo $STORAGE_ACCOUNT_KEY)" \
+--from-literal=rasaProLicense="$(echo $RASA_PRO_LICENSE )" \
+--from-literal=openaiApiKey="$(echo $OPENAI_API_KEY)"
+

azure/rasa/assistant/values.template.yaml

@@ -0,0 +1,107 @@
+rasa:
+  enabled: true
+  settings:
+    environment: production
+    enableApi: true
+    credentials:
+      enabled: true
+      additionalChannelCredentials:
+        socketio:
+          bot_message_evt: bot_uttered
+          metadata_key: customData
+          session_persistence: false
+          user_message_evt: user_uttered
+        rest: { }
+    endpoints:
+      modelGroups:
+      - id: openai-gpt-4o
+        models:
+        - max_tokens: 256
+          model: gpt-4o-2024-11-20
+          provider: openai
+          request_timeout: 7
+      - id: openai-embeddings
+        models:
+        - model: text-embedding-3-small
+          provider: openai
+      models:
+        enabled: false
+      # Configure the assistant to use our PostgreSQL instance as the Tracker Store, which records the assistant's conversations.
+      trackerStore:
+        enabled: true
+        type: sql
+        dialect: postgresql
+        url: ${DB_HOST}
+        db: ${DB_ASSISTANT_DATABASE}
+        username: ${DB_ASSISTANT_USERNAME}
+        password: ${DB_PASSWORD}
+        port: 5432
+      # Configure the assistant to use Redis as the Rasa Lock Store.
+      # This is needed when you have a high-load scenario that requires the Rasa server to be replicated across multiple instances. It ensures that even with multiple servers, the messages for each conversation are handled in the correct sequence without any loss or overlap.
+      lockStore:
+        enabled: true
+        type: concurrent_redis
+        password: ${REDIS_PASSWORD}
+        port: 6380
+        url: ${REDIS_HOST}
+        use_ssl: true
+        key_prefix: ${NAME}
+      # Configure the assistant to use the Kafka broker. This allows us to perform further processing on the messages, like using the Rasa Studio Conversation View or Rasa Pro Analytics.
+      eventBroker:
+        enabled: true
+        type: kafka
+        security_protocol: SASL_PLAINTEXT
+        sasl_mechanism: SCRAM-SHA-512
+        topic: rasa
+        url: kafka-kafka-bootstrap.${NAMESPACE}.svc.cluster.local:9092
+        sasl_username: kafka
+        sasl_password: ${KAFKA_PASSWORD}
+        ssl_check_hostname: false
+  # We'll configure Rasa to use Azure for remote storage, so we can load models from the buckets we created earlier.
+  additionalArgs:
+    - --remote-storage
+    - azure
+  # Define the environment variables that Rasa needs to function and interact with the above services.
+  # Note here that some of the values are plaintext environment variables and some are configured to be pulled from the Kubernetes Secret we created earlier.
+  additionalEnv:
+    - name: AZURE_CONTAINER
+      value: ${ASSISTANT_STORAGE_CONTAINER}
+    - name: AZURE_ACCOUNT_NAME
+      value: ${NAME}
+    - name: AZURE_ACCOUNT_KEY
+      valueFrom:
+        secretKeyRef:
+          name: rasa-secrets
+          key: storageAccountKey
+    - name: BUCKET_NAME
+      value: ${MODEL_BUCKET}
+    - name: DB_PASSWORD
+      valueFrom:
+        secretKeyRef:
+          name: rasa-secrets
+          key: dbPassword
+    - name: KAFKA_PASSWORD
+      valueFrom:
+        secretKeyRef:
+          name: rasa-secrets
+          key: kafkaSslPassword
+    - name: REDIS_PASSWORD
+      valueFrom:
+        secretKeyRef:
+          name: rasa-secrets
+          key: redisPassword
+    - name: OPENAI_API_KEY
+      valueFrom:
+        secretKeyRef:
+          key: openaiApiKey
+          name: rasa-secrets
+# Disable other Rasa components for now.
+# https://rasa.com/docs/reference/integrations/analytics/
+rasaProServices:
+  enabled: false
+# https://rasa.com/docs/action-server
+actionServer:
+  enabled: false
+# https://rasa.com/docs/reference/integrations/tracing
+tracing:
+    enabled: false

azure/rasa/ingress/certificate.template.yaml

@@ -0,0 +1,18 @@
+kind: Certificate
+apiVersion: cert-manager.io/v1
+metadata:
+  name: $NAME-assistant
+  namespace: istio-system
+spec:
+  commonName: assistant.$DOMAIN
+  dnsNames:
+    - assistant.$DOMAIN
+  duration: 2160h0m0s
+  issuerRef:
+    kind: ClusterIssuer
+    name: letsencrypt
+  renewBefore: 360h0m0s
+  secretName: $NAME-assistant-tls
+  usages:
+    - server auth
+    - client auth

azure/rasa/ingress/ingress.template.yaml

@@ -0,0 +1,22 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: $NAME-assistant
+  namespace: $NAMESPACE
+spec:
+  ingressClassName: istio
+  tls:
+    - hosts:
+        - assistant.$DOMAIN
+      secretName: $NAME-assistant-tls
+  rules:
+    - host: assistant.$DOMAIN
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: rasa
+                port:
+                  number: 5005

azure/rasa/ingress/setup-ingress.sh

@@ -0,0 +1,26 @@
+set -e
+
+# Get the directory where this script is located
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+# Source common utilities
+source "$SCRIPT_DIR/../../../utils/common.sh"
+source "$SCRIPT_DIR/../../utils/common.sh"
+
+auth_to_k8s
+
+# Configure certificate 
+print_info "Configuring certificate..."
+envsubst < $SCRIPT_DIR/certificate.template.yaml > $SCRIPT_DIR/certificate.yaml
+
+print_info "Deploying certificate..."
+kubectl apply -f $SCRIPT_DIR/certificate.yaml
+
+# Configure ingress
+print_info "Configuring ingress..."
+envsubst < $SCRIPT_DIR/ingress.template.yaml > $SCRIPT_DIR/ingress.yaml
+
+print_info "Deploying ingress..."
+kubectl apply -f $SCRIPT_DIR/ingress.yaml
+
+print_info "You should now be able to access the Rasa assistant at https://assistant.$DOMAIN. It may take a few minutes for the certificate to issue and be fully available."