
Conversation

@maorfr
Collaborator

@maorfr maorfr commented Jul 28, 2025

part of https://issues.redhat.com/browse/MGMT-21299

depends on https://gitlab.cee.redhat.com/service/app-interface/-/merge_requests/151196

this PR updates the llama-stack client config to use a postgres database for persistence.

according to https://github.com/meta-llama/llama-stack/tree/main/llama_stack/templates/postgres-demo

Summary by CodeRabbit

  • New Features

    • Added support for PostgreSQL as the backend for all llama-stack persistence stores, replacing previous SQLite-based configurations.
    • Introduced a new parameter to specify the Kubernetes secret containing PostgreSQL credentials.
    • Updated deployment to include a PostgreSQL container for local database support.
  • Chores

    • Updated container images to include necessary PostgreSQL drivers.

@openshift-ci openshift-ci bot requested review from carbonin and jhernand July 28, 2025 07:24
@coderabbitai

coderabbitai bot commented Jul 28, 2025

Walkthrough

The changes transition llama-stack persistence from SQLite to PostgreSQL, updating all relevant configuration files, deployment templates, and container specifications. This includes adding a PostgreSQL container to the pod spec, updating environment variables, and ensuring the necessary Python PostgreSQL driver is installed in all relevant containers.

Changes

Cohort / File(s) Change Summary
OpenShift Template & Parameters
template.yaml
Added LLAMA_STACK_DB_SECRET_NAME parameter for specifying the Kubernetes secret holding PostgreSQL credentials. Updated all llama-stack persistence configurations from SQLite to PostgreSQL, referencing environment variables for connection details. Injected these variables into the deployment container from the specified secret.
Llama Stack Client Configuration
config/llama_stack_client_config.yaml
Changed all agents, response, metadata, and inference store configurations from SQLite to PostgreSQL, sourcing connection parameters from environment variables. Added table_name for metadata_store. Telemetry trace storage remains on SQLite.
Pod Specification
assisted-chat-pod.yaml
Added a postgres container running PostgreSQL 16, configured with environment variables and a persistent volume. Updated lightspeed-stack container with PostgreSQL connection environment variables. Added a new pgdata emptyDir volume.
Container Python Dependencies
Containerfile.add_llama_to_lightspeed, Containerfile.assisted-chat
Added installation of the psycopg2-binary Python package to enable PostgreSQL support in both containers.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant AssistedChatPod
    participant PostgresContainer
    participant LightspeedStackContainer

    User->>AssistedChatPod: Deploy pod
    AssistedChatPod->>PostgresContainer: Start PostgreSQL with env vars
    AssistedChatPod->>LightspeedStackContainer: Start with PostgreSQL env vars
    LightspeedStackContainer->>PostgresContainer: Connect to PostgreSQL using env vars
    LightspeedStackContainer->>PostgresContainer: Store/retrieve agent, response, metadata, inference data

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~15 minutes

Possibly related PRs

  • adding openshift template #12: Introduced the initial OpenShift template for assisted-chat deployment with SQLite persistence, which this PR extends by migrating to PostgreSQL.

Suggested labels

approved, lgtm



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (2)
template.yaml (2)

373-378: CA certificate env var is injected but never consumed

LLAMA_STACK_POSTGRES_CA_CERT is optional, yet the Llama-stack config never references it (sslmode, rootcert, etc.).
Either wire it into the client config (sslmode: verify-full, sslrootcert: …) or drop the variable to prevent confusion.


235-249: PostgreSQL store definition duplicated – consider YAML anchors to DRY

persistence_store and responses_store share six identical lines. Repeating blocks makes future edits error-prone.

# 👇 one anchor
common_pg: &common_pg
  type: postgres
  host: ${env.LLAMA_STACK_POSTGRES_HOST}
  port: ${env.LLAMA_STACK_POSTGRES_PORT}
  db:   ${env.LLAMA_STACK_POSTGRES_NAME}
  user: ${env.LLAMA_STACK_POSTGRES_USER}
  password: ${env.LLAMA_STACK_POSTGRES_PASSWORD}

persistence_store: *common_pg
responses_store:   *common_pg
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 580bd72 and 4b92c3f.

📒 Files selected for processing (1)
  • template.yaml (4 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Red Hat Konflux / assisted-chat-saas-main-on-pull-request
🔇 Additional comments (2)
template.yaml (2)

255-256: Telemetry still hard-codes an SQLite path

The telemetry sink keeps writing to ${STORAGE_MOUNT_PATH}/sqlite/trace_store.db.
If the goal is full Postgres persistence, consider migrating this sink as well or mounting a persistent volume; otherwise traces are lost on pod eviction.


348-378: Secret keys with dots are valid – no changes needed

Kubernetes has always allowed . in Secret data keys (the spec permits alphanumeric, -, _, and .). The pod’s environment-variable name is taken from the name: field (e.g. LLAMA_STACK_POSTGRES_HOST), not the secret key itself, so there’s no risk of invalid env var names. Bracket-notation is only needed when querying via JSONPath, not for loading into pods.

No fixes required.

Likely an incorrect or invalid review comment.

@eranco74
Collaborator

/hold
pending https://gitlab.cee.redhat.com/service/app-interface/-/merge_requests/151196
And changes to local dev env:

  1. Add PostgreSQL container to assisted-chat-pod.yaml
  2. Update config/llama_stack_client_config.yaml


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

♻️ Duplicate comments (1)
config/llama_stack_client_config.yaml (1)

73-78: Same connection block duplicated again

The inference_store repeats the connection stanza verbatim; see earlier recommendation about YAML anchors to keep this DRY.

🧹 Nitpick comments (1)
config/llama_stack_client_config.yaml (1)

35-40: Avoid copy-pasted connection blocks – introduce a YAML anchor

The exact same five key/values are repeated for every Postgres store. Repetition invites drift and makes future rotations (e.g., changing db name) error-prone.

postgres_conn: &postgres_conn
  type: postgres
  host: ${env.POSTGRES_HOST:?missing}
  port: ${env.POSTGRES_PORT:?missing}
  db: ${env.POSTGRES_DB:?missing}
  user: ${env.POSTGRES_USER:?missing}
  password: ${env.POSTGRES_PASSWORD:?missing}

#
persistence_store:
  <<: *postgres_conn
responses_store:
  <<: *postgres_conn

One change, everywhere.
Minor now, lifesaver later.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b06b3b7 and af087fd.

📒 Files selected for processing (2)
  • config/llama_stack_client_config.yaml (2 hunks)
  • template.yaml (4 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • template.yaml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Red Hat Konflux / assisted-chat-saas-main-on-pull-request
🔇 Additional comments (1)
config/llama_stack_client_config.yaml (1)

65-71: Confirm table initialisation & permissions for llamastack_kvstore

A dedicated table_name is great. Ensure:

  1. Migration/DDL for creating the table (CI/CD or app-side auto-create).
  2. POSTGRES_USER has CREATE / ALTER rights if auto-creation is expected.
  3. Proper indexing (primary key) is defined, otherwise metadata look-ups will degrade quickly.

Please verify these DB-level prerequisites are covered before merge.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🔭 Outside diff range comments (1)
assisted-chat-pod.yaml (1)

86-94: pgdata volume is referenced but never defined – Pod will fail to schedule

The postgres container mounts a volume named pgdata, yet spec.volumes only defines config. Add an emptyDir (or hostPath for dev) volume declaration:

   volumeMounts:
     - name: pgdata
       mountPath: /var/lib/pgsql/data
@@
   volumes:
     - name: config
       hostPath:
         path: ./config
         type: Directory
+    - name: pgdata
+      emptyDir: {}
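Review bot: emptyDir: {} is the right minimal fix for the missing pgdata volume (the make run output further down this thread, "volume mount pgdata specified for container but not configured in volumes", is exactly this failure), but an emptyDir is discarded whenever the pod is removed, so the agent, response and metadata state that the client config now persists to Postgres will not survive a restart of the local pod; if that is intended for local dev, say so in a comment next to the volume so nobody mistakes it for durable storage.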
🧹 Nitpick comments (1)
assisted-chat-pod.yaml (1)

75-88: Add liveness / readiness probes for the PostgreSQL side-car

Without probes, the main container may attempt to connect before Postgres finishes initialisation, leading to spurious failures. Consider:

      readinessProbe:
        exec:
          command: ["psql", "-U", "llamastack", "-d", "llamastack", "-c", "SELECT 1"]
        initialDelaySeconds: 10
        periodSeconds: 5
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between af087fd and 956ed3b.

📒 Files selected for processing (1)
  • assisted-chat-pod.yaml (2 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Red Hat Konflux / assisted-chat-saas-main-on-pull-request

@eranco74
Collaborator

make run
Starting assisted-chat services...
./scripts/run.sh
assisted-chat-pod not found. Skipping kill/remove.
OCM token successfully validated and exported.
Trying to pull registry.redhat.io/rhel9/postgresql-16:latest...
Getting image source signatures
Checking if image destination supports signatures
Copying blob 59b747fedbf2 done   | 
Copying blob a363593193cb skipped: already exists  
Copying blob b09d8b9895fb skipped: already exists  
Copying config 97b4db509f done   | 
Writing manifest to image destination
Storing signatures
Error: volume mount pgdata specified for container but not configured in volumes


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 956ed3b and 0b067e9.

📒 Files selected for processing (1)
  • assisted-chat-pod.yaml (2 hunks)
🧰 Additional context used
🪛 Checkov (3.2.334)
assisted-chat-pod.yaml

[MEDIUM] 1-97: Containers should not run with allowPrivilegeEscalation

(CKV_K8S_20)


[MEDIUM] 1-97: Minimize the admission of root containers

(CKV_K8S_23)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Red Hat Konflux / assisted-chat-saas-main-on-pull-request
🔇 Additional comments (2)
assisted-chat-pod.yaml (2)

12-21: Verify env-var names match llama-stack client expectations

LLAMA_STACK_POSTGRES_HOST|PORT|USER|PASSWORD|NAME look reasonable, but the client library recently standardised on LLAMA_STACK_DB_* in the template (LLAMA_STACK_DB_SECRET_NAME was added too).
A mismatch will surface only at runtime with a “could not parse DSN” error.

Please cross-check the code path that builds the SQLAlchemy URL and align the keys (or export both sets for safety).


75-88: Reuse of ./config hostPath for database data risks corruption

The Postgres container writes its WAL and relation files to /var/lib/pgsql/data.
Mapping that to the same host directory that already stores YAML configs (./config) mixes mutable database files with source-controlled config and can cause:

  • accidental deletion/overwrite when configs are cleaned
  • permission clashes between the two containers
  • noisy pg_wal growth inside your git working tree

Allocate a dedicated path (or simply an emptyDir) for PGDATA.

@@
-        - name: pgdata
-          mountPath: /var/lib/pgsql/data
+        - name: pgdata
+          mountPath: /var/lib/pgsql/data
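Review bot: this hunk removes and re-adds identical lines, so applying it changes nothing; the fix described in the comment (a dedicated path or an emptyDir for PGDATA) belongs in the spec.volumes entry that backs the pgdata mount, not in the container's volumeMounts, which are already correct as shown. Suggest replacing the hunk with a change to the pgdata volume definition, e.g. `- name: pgdata` / `emptyDir: {}`.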



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

♻️ Duplicate comments (1)
assisted-chat-pod.yaml (1)

12-21: Plain-text DB creds were already flagged – no further action unless policy changed
Previous review (see history) covered the risk of embedding credentials directly in the manifest and suggested valueFrom.secretKeyRef. Your reply indicated this file is “local-dev only”. No new concern beyond the earlier comment.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0b067e9 and 19a057f.

📒 Files selected for processing (1)
  • assisted-chat-pod.yaml (2 hunks)
🧰 Additional context used
🪛 Checkov (3.2.334)
assisted-chat-pod.yaml

[MEDIUM] 1-97: Containers should not run with allowPrivilegeEscalation

(CKV_K8S_20)


[MEDIUM] 1-97: Minimize the admission of root containers

(CKV_K8S_23)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Red Hat Konflux / assisted-chat-saas-main-on-pull-request
🔇 Additional comments (1)
assisted-chat-pod.yaml (1)

75-88: PostgreSQL container looks correct for the RHEL-9 image
The move to POSTGRESQL_* variables and a dedicated pgdata mount aligns with the image contract. Nice catch on the variable prefix.

@maorfr
Collaborator Author

maorfr commented Jul 28, 2025

/test images

@maorfr maorfr force-pushed the llama-stack-persistence branch from 70e5607 to bf1bb70 Compare July 28, 2025 13:30

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

♻️ Duplicate comments (1)
assisted-chat-pod.yaml (1)

94-97: Relative hostPath blocks scheduling – use an absolute path & DirectoryOrCreate

Kubernetes rejects hostPath entries that are not absolute.
Persisting the database on the node also benefits from creating the directory automatically.

-    - name: pgdata
-      hostPath:
-        path: ./pgdata
-        type: Directory
+    - name: pgdata
+      hostPath:
+        path: /var/lib/assisted-chat/pgdata   # any suitable absolute path
+        type: DirectoryOrCreate
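Review bot: DirectoryOrCreate makes the kubelet create /var/lib/assisted-chat/pgdata as a root-owned directory on the node, so a PostgreSQL image that runs as a non-root user will fail to initialise its data directory there unless ownership is fixed (fsGroup or an init step); the emptyDir that the walkthrough at the top of this thread lists for the merged pod spec avoids that ownership problem, at the cost of the data not outliving the pod. Whichever is chosen, keep the database out of the ./config hostPath, as the earlier corruption comment on this file asks.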
🧹 Nitpick comments (1)
assisted-chat-pod.yaml (1)

12-21: Plain-text DB credentials are fine for local dev – add a warning comment

Given this file is strictly for local development, embedding the credentials is acceptable, but consider adding an explicit comment so future contributors don’t accidentally promote the manifest to a shared cluster.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 70e5607 and bf1bb70.

📒 Files selected for processing (6)
  • Containerfile.add_llama_to_lightspeed (1 hunks)
  • Containerfile.assisted-chat (1 hunks)
  • assisted-chat-pod.yaml (2 hunks)
  • config/llama_stack_client_config.yaml (2 hunks)
  • scripts/generate.sh (1 hunks)
  • template.yaml (4 hunks)
✅ Files skipped from review due to trivial changes (2)
  • Containerfile.add_llama_to_lightspeed
  • scripts/generate.sh
🚧 Files skipped from review as they are similar to previous changes (2)
  • config/llama_stack_client_config.yaml
  • Containerfile.assisted-chat
🧰 Additional context used
🪛 Checkov (3.2.334)
assisted-chat-pod.yaml

[MEDIUM] 1-97: Containers should not run with allowPrivilegeEscalation

(CKV_K8S_20)


[MEDIUM] 1-97: Minimize the admission of root containers

(CKV_K8S_23)

🔇 Additional comments (1)
template.yaml (1)

245-258: Verify that ${env.*} interpolation actually happens inside the ConfigMap

The YAML embeds placeholders like ${env.LLAMA_STACK_POSTGRES_HOST} which will be written verbatim into the mounted file.
Interpolation only happens at runtime if llama-stack’s config loader expands ${env.*} patterns – if that mechanism is absent the application will try to connect to literally "${env.LLAMA_STACK_POSTGRES_HOST}" and fail.

Please confirm the library performs this substitution, or pre-render the values before writing the ConfigMap.

Also applies to: 282-296
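An added pre-deploy check for the interpolation concern above and for the env-var name mismatch raised earlier in the thread; this is not code from this PR or from llama-stack. It expands `${env.NAME}` placeholders the way the thread shows them, and the `:=default` and `:?message` forms are assumptions modelled on shell syntax that must be checked against the loader's real syntax before relying on them.

```python
import os
import re

# Placeholder forms handled (assumption: only ${env.NAME} is confirmed by the
# thread; ':=' and ':?' are modelled on shell syntax and must be verified
# against llama-stack's config loader before you depend on them):
#   ${env.NAME}            -> value of NAME, reported if unset/empty
#   ${env.NAME:=default}   -> value of NAME, or "default" if unset/empty
#   ${env.NAME:?message}   -> value of NAME, reported with "message" if unset
_PLACEHOLDER = re.compile(
    r"\$\{env\.([A-Za-z_][A-Za-z0-9_]*)(?::([=?])([^}]*))?\}"
)

# Constructed excerpt in the shape of config/llama_stack_client_config.yaml.
SAMPLE_CONFIG = """\
persistence_store:
  type: postgres
  host: ${env.LLAMA_STACK_POSTGRES_HOST}
  port: ${env.LLAMA_STACK_POSTGRES_PORT:=5432}
  db: ${env.LLAMA_STACK_POSTGRES_NAME}
  user: ${env.LLAMA_STACK_POSTGRES_USER}
  password: ${env.LLAMA_STACK_POSTGRES_PASSWORD:?db password secret not mounted}
metadata_store:
  type: postgres
  table_name: llamastack_kvstore
"""


def render_config(text, env):
    """Expand ${env.*} placeholders from `env` (a dict, e.g. os.environ).

    Returns (rendered_text, problems). `problems` lists every placeholder that
    could not be resolved; those are exactly the literal "${env.X}" strings the
    application would otherwise hand to the database driver at runtime.
    """
    problems = []

    def substitute(match):
        name, op, arg = match.group(1), match.group(2), match.group(3)
        value = env.get(name)
        if value:
            return value
        if op == "=":
            return arg  # default applies when the variable is unset or empty
        problems.append(name if op != "?" else f"{name}: {arg}")
        return match.group(0)  # leave the placeholder so it is visible

    return _PLACEHOLDER.sub(substitute, text), problems


def unresolved_placeholders(text):
    """Names still wrapped in ${env.*} in an already-rendered file."""
    return [m.group(1) for m in _PLACEHOLDER.finditer(text)]


if __name__ == "__main__":
    # Run against the real environment, e.g. inside the deployment container,
    # to catch secret keys that were mounted under the wrong variable name.
    _, missing = render_config(SAMPLE_CONFIG, os.environ)
    for item in missing:
        print(f"unresolved: {item}")
```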

@maorfr maorfr force-pushed the llama-stack-persistence branch from c16a57b to 631c357 Compare July 29, 2025 09:19

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🔭 Outside diff range comments (1)
assisted-chat-pod.yaml (1)

25-31: mountPath contains unsupported :Z suffix – pod will be rejected

/app-root/lightspeed-stack.yaml:Z is invalid in a Kubernetes manifest; the colon+flag syntax only applies to docker run/podman run.
Kubernetes expects an absolute path without extra modifiers.

-        - mountPath: /app-root/lightspeed-stack.yaml:Z
+        - mountPath: /app-root/lightspeed-stack.yaml
♻️ Duplicate comments (1)
assisted-chat-pod.yaml (1)

12-21: Credentials still in plain text (acknowledged as intentional)

Hard-coding DB user/password exposes them in the spec. Previous discussion concluded this is acceptable for local-dev only, so no further action taken here.

Also applies to: 78-83

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c16a57b and 631c357.

📒 Files selected for processing (5)
  • Containerfile.add_llama_to_lightspeed (1 hunks)
  • Containerfile.assisted-chat (1 hunks)
  • assisted-chat-pod.yaml (2 hunks)
  • config/llama_stack_client_config.yaml (2 hunks)
  • template.yaml (4 hunks)
✅ Files skipped from review due to trivial changes (1)
  • Containerfile.add_llama_to_lightspeed
🚧 Files skipped from review as they are similar to previous changes (3)
  • config/llama_stack_client_config.yaml
  • Containerfile.assisted-chat
  • template.yaml
🧰 Additional context used
🪛 Checkov (3.2.334)
assisted-chat-pod.yaml

[MEDIUM] 1-95: Containers should not run with allowPrivilegeEscalation

(CKV_K8S_20)


[MEDIUM] 1-95: Minimize the admission of root containers

(CKV_K8S_23)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Red Hat Konflux / assisted-chat-saas-main-on-pull-request
🔇 Additional comments (1)
assisted-chat-pod.yaml (1)

75-88: PostgreSQL container block looks correct

Renaming to POSTGRESQL_* matches the RHEL-9 image requirements, and the emptyDir volume mount is wired properly. LGTM.

@eranco74
Collaborator

/lgtm
/approve

@openshift-ci

openshift-ci bot commented Jul 29, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: eranco74, maorfr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@eranco74
Collaborator

/unhold

@maorfr maorfr merged commit c748115 into rh-ecosystem-edge:main Jul 29, 2025
5 checks passed