Merge branch 'main' into bump-k8s-deps

Author: anik120

.github/workflows/generate-release.yml

@@ -101,7 +101,7 @@ jobs:
           make release VERSION=${{ steps.validate.outputs.operator_version }} LLAMASTACK_VERSION=${{ steps.validate.outputs.llamastack_version }}
 
       - name: Set up Python
-        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c
         with:
           python-version: '3.12'
 

README.md

@@ -15,6 +15,7 @@ This repo hosts a kubernetes operator that is responsible for creating and manag
 - [Quick Start](#quick-start)
     - [Installation](#installation)
     - [Deploying Llama Stack Server](#deploying-the-llama-stack-server)
+- [Enabling Network Policies](#enabling-network-policies)
 - [Developer Guide](#developer-guide)
     - [Prerequisites](#prerequisites)
     - [Building the Operator](#building-the-operator)
@@ -80,11 +81,10 @@ spec:
   replicas: 1
   server:
     distribution:
-      name: ollama
+      name: starter
     containerSpec:
-      port: 8321
       env:
-      - name: INFERENCE_MODEL
+      - name: OLLAMA_INFERENCE_MODEL
         value: "llama3.2:1b"
       - name: OLLAMA_URL
         value: "http://ollama-server-service.ollama-dist.svc.cluster.local:11434"
@@ -104,6 +104,36 @@ Example to create a run.yaml ConfigMap, and a LlamaStackDistribution that refere
 kubectl apply -f config/samples/example-with-configmap.yaml
 ```
 
+## Enabling Network Policies
+
+The operator can create an ingress-only `NetworkPolicy` for every `LlamaStackDistribution` to ensure traffic is limited to:
+- Other pods in the same namespace that are part of the Llama Stack deployment (`app.kubernetes.io/part-of: llama-stack`)
+- Components that run inside the operator namespace (default: `llama-stack-k8s-operator-system`)
+
+This behavior is guarded by a feature flag and is disabled by default to avoid interfering with existing cluster-level policies. To enable it:
+
+1. Identify the namespace where the operator is running. If you used the provided manifests, it is `llama-stack-k8s-operator-system`.
+2. Create or update the `llama-stack-operator-config` ConfigMap in that namespace so the `featureFlags` entry enables the network policy flag.
+
+```bash
+cat <<'EOF' > feature-flags.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: llama-stack-operator-config
+  namespace: llama-stack-k8s-operator-system
+data:
+  featureFlags: |
+    enableNetworkPolicy:
+      enabled: true
+EOF
+
+kubectl apply -f feature-flags.yaml
+```
+
+Within the next reconciliation loop the operator will begin creating a `<name>-network-policy` resource for each distribution.
+Set `enabled: false` (or remove the block) to turn the feature back off; the operator will delete the previously managed policies.
+
 ## Developer Guide
 
 ### Prerequisites

config/samples/_v1alpha1_llamastackdistribution.yaml

@@ -7,7 +7,7 @@ spec:
   server:
     containerSpec:
       env:
-        - name: INFERENCE_MODEL
+        - name: OLLAMA_INFERENCE_MODEL
           value: 'llama3.2:1b'
         - name: OLLAMA_URL
           value: 'http://ollama-server-service.ollama-dist.svc.cluster.local:11434'

config/samples/example-with-configmap.yaml

@@ -48,7 +48,7 @@ data:
 apiVersion: llamastack.io/v1alpha1
 kind: LlamaStackDistribution
 metadata:
-  name: llamastack-with-config
+  name: llamastack-with-userconfig
 spec:
   replicas: 1
   server:
@@ -57,10 +57,8 @@ spec:
     containerSpec:
       port: 8321
       env:
-      - name: INFERENCE_MODEL
-        value: "llama3.2:1b"
-      - name: OLLAMA_URL
-        value: "http://ollama-server-service.ollama-dist.svc.cluster.local:11434"
+      - name: OLLAMA_EMBEDDING_MODEL
+        value: all-minilm:l6-v2
     userConfig:
       configMapName: llama-stack-config
       # configMapNamespace: ""  # Optional - defaults to the same namespace as the CR

config/samples/example-withoutconfigmap.yaml

@@ -0,0 +1,19 @@
+---
+apiVersion: llamastack.io/v1alpha1
+kind: LlamaStackDistribution
+metadata:
+  name: llamastack-without-userconfig
+spec:
+  replicas: 1
+  server:
+    distribution:
+      name: starter
+    containerSpec:
+      env:
+      - name: OLLAMA_INFERENCE_MODEL
+        value: "llama3.2:1b"
+      - name: OLLAMA_URL
+        value: "http://ollama-server-service.ollama-dist.svc.cluster.local:11434"
+    storage:
+      size: "10Gi"  # Optional - defaults to 10Gi
+      mountPath: "/home/lls/.lls"  # Optional - defaults to /.llama

distributions.json

@@ -1,9 +1,6 @@
 {
-"starter": "docker.io/llamastack/distribution-starter:latest",
-"ollama": "docker.io/llamastack/distribution-ollama:latest",
-"bedrock": "docker.io/llamastack/distribution-bedrock:latest",
-"remote-vllm": "docker.io/llamastack/distribution-remote-vllm:latest",
-"tgi": "docker.io/llamastack/distribution-tgi:latest",
-"together": "docker.io/llamastack/distribution-together:latest",
-"vllm-gpu": "docker.io/llamastack/distribution-vllm-gpu:latest"
+  "starter": "docker.io/llamastack/distribution-starter:latest",
+  "remote-vllm": "docker.io/llamastack/distribution-remote-vllm:latest",
+  "meta-reference-gpu": "docker.io/llamastack/distribution-meta-reference-gpu:latest",
+  "postgres-demo": "docker.io/llamastack/distribution-postgres-demo:latest"
 }