feat(helm): add Helm chart for Presidio text services#2067

Open
binhnguyenduc wants to merge 2 commits into
data-privacy-stack:mainfrom
binhnguyenduc:feat/helm-chart-text

Conversation

@binhnguyenduc


Change Description

Replaces the outdated Helm chart under docs/samples/deployments/k8s/charts/presidio
with a new chart that deploys the Presidio text stack — presidio-analyzer and
presidio-anonymizer — to Kubernetes. It mirrors the topology of docker-compose-text.yml
and is scaffolded from helm create, following Helm community best practices.

Highlights:

  • Single chart, both services, DRY — analyzer and anonymizer Deployments/Services/HPAs are
    rendered from shared named templates in _helpers.tpl (a (dict "root" $ "name" ... "component" ...)
    context), so the two near-identical services share one source of truth.
  • Security hardening — pods run as the non-root UID 1001 baked into the images, with all
    capabilities dropped, allowPrivilegeEscalation: false, and the RuntimeDefault seccomp profile.
  • Standard conventions: app.kubernetes.io/* labels (with a component label distinguishing
    the workloads), per-component resources, replicaCount, image overrides, PORT/WORKERS env,
    and an enabled toggle per service.
  • Probes tuned for Presidio: /health liveness/readiness plus a generous startupProbe on the
    analyzer, which loads spaCy NLP models on first boot and can take minutes to become Ready.
  • Optional networking/scaling — a single Ingress fronting both services and per-component HPAs,
    both disabled by default.
  • Best-practice extras: values.schema.json input validation, NOTES.txt, a helm test hook
    that curls both /health endpoints, and a chart README.md.

The surrounding sample is updated to stay consistent with the new chart values:

  • deployment/deploy-presidio.sh — uses image.registry / image.tag (was registry / tag) and
    adds --create-namespace.
  • k8s/index.md — corrected helm install examples, fixed the Ingress note (the chart no longer
    enables Ingress by default), and port-forwards the analyzer Service instead of a pod by name.

Scope: text services only. Image redaction, the transformers NLP engine, and Ollama are
intentionally out of scope for this chart.

Validation performed locally:

  • helm lint --strict passes.
  • helm template renders cleanly for defaults, ingress+HPA enabled, a disabled component, and a
    bare-registry image reference; the schema rejects invalid input (e.g. an unknown ingress
    service key or a bad service.type).

Issue reference

Relates to #1971

Checklist

  • I have reviewed the contribution guidelines
  • I have signed the CLA (if required)
  • My code includes unit tests
  • All unit tests and lint checks pass locally
  • My PR contains documentation updates / additions if required

Replace the outdated chart under docs/samples/deployments/k8s/charts with a
new chart that deploys the Presidio text stack (presidio-analyzer and
presidio-anonymizer) to Kubernetes, modeled on docker-compose-text.yml and
scaffolded from `helm create`.

- Single chart templating both services via shared helpers (DRY)
- Hardened pod/container security context (non-root UID 1001, drop all
  capabilities, no privilege escalation, RuntimeDefault seccomp)
- Standard app.kubernetes.io labels; per-component resources, replicas,
  image, env (PORT/WORKERS), and enable toggles
- /health liveness/readiness probes plus a generous startup probe for the
  analyzer's slow NLP model load
- Optional Ingress (routes both services) and HPA, disabled by default
- values.schema.json validation, NOTES.txt, helm test hook, and README

Update the surrounding sample to match the new chart values:
- deploy-presidio.sh: use image.registry / image.tag; add --create-namespace
- k8s/index.md: fix install examples, correct the ingress note (Ingress is
  no longer enabled by default), and port-forward the analyzer Service
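
The hardening the description claims (non-root UID 1001, all capabilities dropped, allowPrivilegeEscalation: false, RuntimeDefault seccomp) is the kind of property worth checking on the rendered output rather than trusting the template. The checker below is an added example and is not code from this chart or from Presidio; it encodes those claims as assertions over a rendered pod spec, merging container-level settings over pod-level ones the way the kubelet does. EXPECTED_UID = 1001 is taken from the PR text, the automountServiceAccountToken check assumes the two services never call the Kubernetes API, and HARDENED_ANALYZER is a constructed stand-in for what the analyzer Deployment should render to.

```python
"""Admission-style check of the pod hardening the Presidio chart claims.

Added example, not code from the chart or from Presidio.  Feed it the
documents of `helm template` output (converted to JSON and loaded as
dicts); here a constructed Deployment is used so it runs offline.
"""
import copy

EXPECTED_UID = 1001  # UID baked into the presidio images, per the PR description (assumption)
SECCOMP_OK = ("RuntimeDefault", "Localhost")


def _effective(field, container_sc, pod_sc):
    """runAsNonRoot, runAsUser and seccompProfile may be set at pod level;
    a container-level value overrides the pod-level one."""
    return container_sc[field] if field in container_sc else pod_sc.get(field)


def check_pod_spec(pod_spec):
    """Return [(container_name, finding), ...]; an empty list means compliant."""
    findings = []
    pod_sc = pod_spec.get("securityContext") or {}
    # Assumption: the Presidio services never talk to the API server, so a
    # projected SA token in the pod is attack surface with no purpose.
    if pod_spec.get("automountServiceAccountToken") is not False:
        findings.append(("<pod>", "automountServiceAccountToken is not false"))
    for c in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        if _effective("runAsNonRoot", sc, pod_sc) is not True:
            findings.append((name, "runAsNonRoot is not true"))
        uid = _effective("runAsUser", sc, pod_sc)
        if uid != EXPECTED_UID:
            findings.append((name, f"runAsUser is {uid!r}, expected {EXPECTED_UID}"))
        # allowPrivilegeEscalation defaults to true, so it must be set explicitly.
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append((name, "allowPrivilegeEscalation is not false"))
        caps = sc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            findings.append((name, "capabilities.drop does not include ALL"))
        if caps.get("add"):
            findings.append((name, f"capabilities.add is non-empty: {caps['add']}"))
        seccomp = _effective("seccompProfile", sc, pod_sc) or {}
        if seccomp.get("type") not in SECCOMP_OK:
            findings.append((name, "seccompProfile.type is not RuntimeDefault or Localhost"))
    return findings


def check_rendered(docs):
    """Apply check_pod_spec to every workload in a list of rendered manifests."""
    out = []
    for d in docs:
        if not d or d.get("kind") not in ("Deployment", "StatefulSet", "DaemonSet", "Job"):
            continue
        pod_spec = d.get("spec", {}).get("template", {}).get("spec", {})
        for name, msg in check_pod_spec(pod_spec):
            out.append((f"{d['kind']}/{d['metadata']['name']}", name, msg))
    return out


# Constructed sample of what the chart's analyzer Deployment should render to.
HARDENED_ANALYZER = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "presidio-analyzer"},
    "spec": {"template": {"spec": {
        "automountServiceAccountToken": False,
        "securityContext": {"runAsNonRoot": True, "runAsUser": 1001, "runAsGroup": 1001,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{"name": "analyzer", "image": "presidio-analyzer:latest",
                        "securityContext": {"allowPrivilegeEscalation": False,
                                            "capabilities": {"drop": ["ALL"]}}}],
    }}},
}


def weakened_copy():
    """The same Deployment with the container context replaced by a root UID
    and no capability drop: the kind of drift a values override can introduce."""
    d = copy.deepcopy(HARDENED_ANALYZER)
    d["spec"]["template"]["spec"]["containers"][0]["securityContext"] = {"runAsUser": 0}
    return d


if __name__ == "__main__":
    for workload, container, msg in check_rendered([HARDENED_ANALYZER, weakened_copy()]):
        print(f"{workload} {container}: {msg}")
```

The weakened copy still inherits runAsNonRoot: true from the pod, so the only thing that catches its runAsUser: 0 before the kubelet refuses to start it is the explicit UID comparison; that is why the check compares against the image's known UID rather than merely testing for non-zero.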

Copilot AI review requested due to automatic review settings June 17, 2026 07:52
@binhnguyenduc


@microsoft-github-policy-service agree

Copilot AI left a comment



Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Updates the Kubernetes Helm chart sample for Presidio’s text services (analyzer + anonymizer), modernizing chart structure, values, and docs/scripts for installation and exposure (Ingress / port-forward).

Changes:

  • Refactors the Helm chart to use shared helper templates (deployment/service/HPA), adds a values JSON schema, and introduces a Helm test pod.
  • Modernizes Ingress to networking.k8s.io/v1, makes Ingress disabled by default, and updates docs to match.
  • Updates install scripts/docs to use new image.registry / image.tag values and --create-namespace.

Reviewed changes

Copilot reviewed 20 out of 20 changed files in this pull request and generated 4 comments.

  • docs/samples/deployments/k8s/index.md: Updates port-forward and Helm install instructions to match new values keys and Ingress defaults.
  • docs/samples/deployments/k8s/deployment/deploy-presidio.sh: Updates Helm install flags for the new image.* values and creates the namespace.
  • docs/samples/deployments/k8s/charts/presidio/values.yaml: Replaces legacy flat values with structured chart values (image, security, ingress, per-component blocks).
  • docs/samples/deployments/k8s/charts/presidio/values.schema.json: Adds JSON schema for chart values validation.
  • docs/samples/deployments/k8s/charts/presidio/templates/tests/test-connection.yaml: Adds helm test hook to validate /health endpoints.
  • docs/samples/deployments/k8s/charts/presidio/templates/serviceaccount.yaml: Adds shared ServiceAccount support with optional token automount.
  • docs/samples/deployments/k8s/charts/presidio/templates/ingress.yaml: Replaces legacy ingress template with v1 Ingress supporting hosts/paths, TLS, and validations.
  • docs/samples/deployments/k8s/charts/presidio/templates/analyzer-*.yaml: Switches analyzer manifests to shared helper templates and conditional rendering (enabled).
  • docs/samples/deployments/k8s/charts/presidio/templates/anonymizer-*.yaml: Switches anonymizer manifests to shared helper templates and conditional rendering (enabled).
  • docs/samples/deployments/k8s/charts/presidio/templates/anonymizer-image-*.yaml: Removes image-redactor deployment/service from this chart’s scope.
  • docs/samples/deployments/k8s/charts/presidio/templates/_helpers.tpl: Adds common naming/labels and shared deployment/service/HPA templates.
  • docs/samples/deployments/k8s/charts/presidio/templates/NOTES.txt: Updates post-install notes with rollout guidance, ingress URLs, and port-forward examples.
  • docs/samples/deployments/k8s/charts/presidio/README.md: Adds chart README detailing scope, install, configuration, and ingress example.
  • docs/samples/deployments/k8s/charts/presidio/Chart.yaml: Updates chart metadata to Helm v3 best practices (type, home, keywords, versioning).
  • docs/samples/deployments/k8s/charts/presidio/.helmignore: Expands ignores for editor/CI artifacts.

Comment on lines +113 to +120
metadata:
annotations:
{{- with $root.Values.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with $c.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
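
Review bot: rendering `$root.Values.podAnnotations` and `$c.podAnnotations` as two back-to-back `toYaml` blocks under the same `annotations:` key emits a duplicate map key whenever an annotation is set at both levels, and duplicate keys are at best silently collapsed and at worst rejected by the strict YAML decoder that kubectl and Helm use, so a global annotation a component is meant to override can break the install instead. Merge the two maps before rendering, with the component winning, e.g. `{{- with merge (dict) ($c.podAnnotations | default dict) ($root.Values.podAnnotations | default dict) }}` / `{{- toYaml . | nindent 8 }}` / `{{- end }}`; Sprig's `merge` does not overwrite keys already in the destination, so listing the component map first gives it precedence, and the `default dict` guards keep the call safe when one side is unset.
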
Comment on lines +245 to +261
metrics:
{{- if $c.autoscaling.targetCPUUtilizationPercentage }}
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: {{ $c.autoscaling.targetCPUUtilizationPercentage }}
{{- end }}
{{- if $c.autoscaling.targetMemoryUtilizationPercentage }}
- type: Resource
resource:
name: memory
target:
type: Utilization
averageUtilization: {{ $c.autoscaling.targetMemoryUtilizationPercentage }}
{{- end }}
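
Review bot: the `{{- if $c.autoscaling.targetCPUUtilizationPercentage }}` and `{{- if $c.autoscaling.targetMemoryUtilizationPercentage }}` guards mean a component with both targets unset (or set to 0, which is falsy in Go templates) renders an HPA whose `metrics:` key has no value, and an HPA with no metrics falls back to the controller default of 80% average CPU, which silently differs from what the values file appears to say. Either fail the render when autoscaling is on with no target, e.g. `{{- if not (or $c.autoscaling.targetCPUUtilizationPercentage $c.autoscaling.targetMemoryUtilizationPercentage) }}` / `{{ fail (printf "%s: autoscaling enabled without a target metric" $name) }}` / `{{- end }}`, or require one of the two keys in values.schema.json. A CPU or memory target is also inert unless the container declares the matching `resources.requests`, so the same guard (or the schema) should check that the request is set for that component.
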
Comment on lines +63 to +79
# Single Ingress fronting both services. Disabled by default.
# NOTE: the path rewrites below assume the ingress-nginx controller.
ingress:
enabled: false
className: nginx
annotations: {}
# nginx.ingress.kubernetes.io/rewrite-target: /$2
hosts:
- host: presidio.local
paths:
- path: /analyzer(/|$)(.*)
pathType: ImplementationSpecific
# service references a component key below (analyzer | anonymizer).
service: analyzer
- path: /anonymizer(/|$)(.*)
pathType: ImplementationSpecific
service: anonymizer
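
Review bot: the default `paths` entries use regex paths (`/analyzer(/|$)(.*)`, `/anonymizer(/|$)(.*)`) but the rewrite annotation they depend on is left commented out under `annotations: {}`, so a user who flips `enabled: true` and nothing else gets an Ingress that does not work: without `rewrite-target` (which is also what switches ingress-nginx into regex mode for the paths) or `use-regex: "true"`, the controller treats the path as a literal prefix and `/analyzer/analyze` never reaches the analyzer's `/analyze`. Either ship `nginx.ingress.kubernetes.io/rewrite-target: /$2` uncommented next to the regex paths, or make the default paths plain `Prefix` entries and keep the regex form for the README. It is also worth a sentence next to `enabled: false` that nothing in this block adds authentication or a `tls` entry for `presidio.local`, so turning it on publishes the unauthenticated Presidio API over plain HTTP, and the request bodies are the PII being analyzed.
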
Comment on lines +101 to +114
ingress:
enabled: true
className: nginx
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /$2
hosts:
- host: presidio.example.com
paths:
- path: /analyzer(/|$)(.*)
pathType: ImplementationSpecific
service: analyzer
- path: /anonymizer(/|$)(.*)
pathType: ImplementationSpecific
service: anonymizer
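
Review bot: the README example fixes the path mapping by setting `nginx.ingress.kubernetes.io/rewrite-target: /$2`, but in the lines shown `presidio.example.com` is still served over plain HTTP: there is no `tls:` list under `ingress` and no redirect, and every body posted to `/analyzer/analyze` or `/anonymizer/anonymize` is raw PII. Since this is the block users will paste, add a `tls:` entry with `secretName` and `hosts`, and note that the ingress-nginx `force-ssl-redirect` annotation and an `auth-type`/`auth-url` annotation are the place to put transport and access control for endpoints that have none of their own.
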

Adds presidio-image-redactor as optional Helm service (disabled by default).
Includes deployment, service, and HPA templates; updates schema and values.
@SharonHart SharonHart self-requested a review June 17, 2026 10:48
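
The two ingress snippets quoted in the review (the values.yaml default with the rewrite annotation commented out, and the README example with `rewrite-target: /$2` set) behave very differently for the same request, and that is easy to get wrong without a cluster to try it on. The simulation below is an added example, not code from the chart or from ingress-nginx; it reproduces how ingress-nginx handles the chart's two paths (regex mode is enabled by `use-regex` or by a `rewrite-target` containing capture references, otherwise the path text is a literal prefix), applies the nginx `$N` substitution, and checks whether the rewritten path is one the backend actually serves. `/health` appears on this page; `/analyze` and `/anonymize` are Presidio's documented API endpoints and the PRESIDIO_ROUTES table is an assumption built from them.

```python
"""Simulation of the ingress-nginx path handling the Presidio chart's Ingress relies on.

Added example, not part of the chart or of ingress-nginx.
"""
import re

# (path regex, backend service), taken from the chart's values.yaml.
INGRESS_PATHS = [
    (r"/analyzer(/|$)(.*)", "analyzer"),
    (r"/anonymizer(/|$)(.*)", "anonymizer"),
]
REWRITE_TARGET = "/$2"  # README value of nginx.ingress.kubernetes.io/rewrite-target

# Upstream paths served by each component (assumed from Presidio's API).
PRESIDIO_ROUTES = {
    "analyzer": {"/health", "/analyze"},
    "anonymizer": {"/health", "/anonymize"},
}


def route(request_path, rewrite_target=REWRITE_TARGET, use_regex=False):
    """Return (service, upstream_path) for a request, or None when nothing matches.

    rewrite_target=None models the chart default, where the annotation is
    commented out; use_regex models nginx.ingress.kubernetes.io/use-regex.
    """
    # ingress-nginx enables regex paths when use-regex is set or when the
    # rewrite target references capture groups; otherwise the path is literal.
    regex_on = use_regex or (rewrite_target is not None and "$" in rewrite_target)
    for pattern, service in INGRESS_PATHS:
        if regex_on:
            m = re.match(pattern, request_path, re.IGNORECASE)  # `location ~* "^..."`
            if not m:
                continue
            if rewrite_target is None:
                return service, request_path
            # nginx `rewrite`: replace $N with the N-th capture group (empty if unset).
            upstream = re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))) or "", rewrite_target)
            return service, upstream
        # Regex off: a plain prefix location, so the regex text must appear literally.
        if request_path.startswith(pattern):
            return service, request_path
    return None


def upstream_serves(service, upstream_path):
    """True when the backend has a handler for the path it receives."""
    return upstream_path in PRESIDIO_ROUTES.get(service, set())


def explain(request_path, rewrite_target=REWRITE_TARGET, use_regex=False):
    """One-line verdict for a request under a given Ingress configuration."""
    hit = route(request_path, rewrite_target, use_regex)
    if hit is None:
        return f"{request_path}: no Ingress path matches (404 from the controller)"
    service, upstream = hit
    status = "served" if upstream_serves(service, upstream) else "404 from the backend"
    return f"{request_path}: -> {service} {upstream} ({status})"


if __name__ == "__main__":
    for path in ("/analyzer/analyze", "/analyzer", "/anonymizer/health", "/analyzerx/analyze"):
        print("README (rewrite on):   ", explain(path))
        print("values.yaml (default): ", explain(path, rewrite_target=None))
        print("use-regex, no rewrite: ", explain(path, rewrite_target=None, use_regex=True))
```

The third configuration in the usage loop (regex on, no rewrite) is the intermediate state a user reaches by adding only `use-regex: "true"`: the Ingress matches, but the analyzer receives `/analyzer/analyze` and answers 404, which is a harder failure to diagnose than the controller-side 404 of the default.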