Merged
Changes from 1 commit
1 change: 0 additions & 1 deletion .github/services-to-build.txt
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,6 @@

# Core Application Services
frontend
chat_service
embedder_service
pdf_processor_service
pdf_extraction_service
Expand Down
12 changes: 6 additions & 6 deletions Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,7 @@ help:
@echo ""
@echo "Single-service commands:"
@echo " make install Install chart (CHART_NAME, ENV)"
@echo " e.g. make install CHART_NAME=chat-service ENV=staging"
@echo " e.g. make install CHART_NAME=pdf-extraction-service ENV=staging"
@echo " make upgrade Upgrade chart (CHART_NAME, ENV)"
@echo " e.g. make upgrade CHART_NAME=embedder-service ENV=prod"
@echo " make uninstall Uninstall chart (CHART_NAME)"
Expand All @@ -39,9 +39,9 @@ help:
@echo " e.g. make lint CHART_NAME=embedder-service"
@echo " make lint-all Lint all charts under ./helm/"
@echo " make status Show status of Helm release (CHART_NAME)"
@echo " e.g. make status CHART_NAME=chat-service"
@echo " e.g. make status CHART_NAME=pdf-extraction-service"
@echo " make port-forward Port-forward a pod to local machine"
@echo " e.g. make port-forward CHART_NAME=chat-service LOCAL_PORT=8000 REMOTE_PORT=8000"
@echo " e.g. make port-forward CHART_NAME=pdf-extraction-service LOCAL_PORT=8000 REMOTE_PORT=8000"
@echo ""
@echo "Multi-service commands:"
@echo " make install-all Install all charts (ENV)"
Expand All @@ -61,12 +61,12 @@ help:
@echo "Development Environment:"
@echo " Use docker-compose for local development:"
@echo " docker-compose up -d # Start all services locally"
@echo " docker-compose logs -f chat_service # View service logs"
@echo " docker-compose logs -f pdf_processor_service # View service logs"
@echo ""
@echo "⚠️ IMPORTANT:"
@echo " Avoid underscores (_) in CHART_NAME or release names."
@echo " Use hyphens (-) instead to follow Kubernetes naming conventions (RFC 1123)."
@echo " Example: use chat-service ✅, not chat_service ❌"
@echo " Example: use pdf-extraction-service ✅, not pdf_extraction_service ❌"

## Install a single Helm chart
install:
Expand Down Expand Up @@ -162,7 +162,7 @@ uninstall-all:
port-forward:
ifeq ($(CHART_NAME),example-service)
@echo "ERROR: CHART_NAME must be specified. Example usage:"
@echo " make port-forward CHART_NAME=chat-service LOCAL_PORT=3000 REMOTE_PORT=8000"
@echo " make port-forward CHART_NAME=pdf-extraction-service LOCAL_PORT=3000 REMOTE_PORT=8000"
@exit 1
else
kubectl --namespace $(NAMESPACE) port-forward \
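Review bot: The port-forward error message uses `LOCAL_PORT=3000` while the help text for the same target uses `LOCAL_PORT=8000`. Both example lines are edited in this change, so align them on one value and keep the two usages identical.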
Expand Down
41 changes: 20 additions & 21 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
> [!NOTE]
> Thank you for visiting! This project is currently a work in progress. Features, documentation, and deployment configurations are actively being developed and may change frequently.

OmniPDF is a PDF analyzer capable of translation, summarization, captioning and conversational capabilities through Retrieval-Augmented-Generation (RAG).
OmniPDF is a PDF analyzer capable of translation, summarization, and captioning.

## Architecture

Expand All @@ -12,7 +12,7 @@ OmniPDF is a PDF analyzer capable of translation, summarization, captioning and
OmniPDF follows a **microservices architecture** with **centralized orchestration**:

- **pdf-processor-service**: Main hub that coordinates all processing workflows
- **Processing services**: Specialized services for extraction, translation, rendering, embedding, and chat
- **Processing services**: Specialized services for extraction, translation, rendering, and embedding
- **Data layer**: Redis (sessions), ChromaDB (vectors), MinIO (files)
- **AI/ML layer**: vLLM text and vision-language models
- **Service mesh layer**: Istio for mTLS, traffic management, and observability (prestaging/staging/production)
Expand Down Expand Up @@ -45,14 +45,14 @@ docker compose -f docker-compose.gpu.yml up --build
### Kubernetes/OpenShift (Helm)
```bash
# Deploy individual service with explicit environment
helm install chat-service ./helm/chat-service \
--values ./helm/chat-service/values-prestaging.yaml \
helm install pdf-extraction-service ./helm/pdf-extraction-service \
--values ./helm/pdf-extraction-service/values-prestaging.yaml \
--namespace omnipdf

# Deploy all services using deployment script
./scripts/deploy-helm-charts.sh --all --env prestaging

# Deploy RBAC only (14 individual service roles - should be deployed first)
# Deploy RBAC only (13 individual service roles - should be deployed first)
./scripts/deploy-helm-charts.sh --service rbac --env prestaging
```

Expand All @@ -77,8 +77,8 @@ helm install istio-gateway ./helm/istio-gateway \
helm install rbac ./helm/rbac \
--namespace omnipdf-prestaging

# 5. Deploy services with Istio sidecars
for service in frontend pdf-processor-service chat-service embedder-service chromadb redis minio cleaner pdf-extraction-service docling-translation-service pdf-renderer-service image-captioner-service metadata-service; do
# 5. Deploy services with Istio sidecars
for service in frontend pdf-processor-service embedder-service chromadb redis minio cleaner pdf-extraction-service docling-translation-service pdf-renderer-service image-captioner-service metadata-service; do
helm install $service ./helm/$service \
--namespace omnipdf-prestaging \
--values ./helm/$service/values-prestaging.yaml
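Review bot: Dropping `chat-service` from the `for service in ...` list only affects fresh installs; a prestaging namespace deployed from the earlier list keeps that release, its pods and its sidecar running. Add a `helm uninstall chat-service --namespace omnipdf-prestaging` step to the upgrade notes or the PR description so existing environments end up matching the documented service set.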
Expand All @@ -99,9 +99,9 @@ OmniPDF implements **defense-in-depth security** with multiple layers:

### Service Account & RBAC
- **Individual service accounts** for each service with per-service secret isolation
- **14 individual RBAC roles** - one role per service aligned with C4 architecture:
- **13 individual RBAC roles** - one role per service aligned with C4 architecture:
- `pdf-processor-service-role`, `pdf-extraction-service-role`, `docling-translation-service-role`
- `embedder-service-role`, `chat-service-role`, `pdf-renderer-service-role`
- `embedder-service-role`, `pdf-renderer-service-role`
- `image-captioner-service-role`, `metadata-service-role`
- `minio-role`, `chromadb-role`, `redis-role`
- `frontend-role`, `nginx-gateway-role`, `cleaner-role`
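Review bot: The role count and the list drop `chat-service-role`, but these lines only document the change and do not touch `./helm/rbac`. Confirm that the role, its binding and the `chat-service` service account are removed from that chart in the same PR; otherwise an unused identity and its permissions outlive the service, and the "13 individual RBAC roles" figure is wrong for deployed clusters.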
Expand All @@ -119,18 +119,17 @@ OmniPDF implements comprehensive zero-trust network policies with explicit servi
| **nginx** | • External traffic (users) | • istio-gateway:80/443<br>• DNS resolution |
| **istio-gateway** | • nginx | • frontend:8501<br>• pdf-processor-service:8000<br>• DNS resolution |
| **frontend** | • istio-gateway | • pdf-processor-service:8000<br>• DNS resolution |
| **pdf-processor-service** | • istio-gateway<br>• frontend | • pdf-extraction-service:8000<br>• docling-translation-service:8000<br>• pdf-renderer-service:8000<br>• embedder-service:8000<br>• chat-service:8000<br>• metadata-service:8000<br>• minio:9000<br>• redis:6379<br>• DNS resolution |
| **pdf-processor-service** | • istio-gateway<br>• frontend | • pdf-extraction-service:8000<br>• docling-translation-service:8000<br>• pdf-renderer-service:8000<br>• embedder-service:8000<br>• metadata-service:8000<br>• minio:9000<br>• redis:6379<br>• DNS resolution |
| **pdf-extraction-service** | • pdf-processor-service | • image-captioner-service:8000<br>• minio:9000<br>• redis:6379<br>• DNS resolution |
| **docling-translation-service** | • pdf-processor-service | • minio:9000<br>• redis:6379<br>• DNS resolution<br>• HTTP/HTTPS (external vLLM text model) |
| **pdf-renderer-service** | • pdf-processor-service | • minio:9000<br>• redis:6379<br>• DNS resolution |
| **embedder-service** | • pdf-processor-service | • chromadb:8000<br>• minio:9000<br>• redis:6379<br>• DNS resolution |
| **chat-service** | • pdf-processor-service | • chromadb:8000<br>• minio:9000<br>• redis:6379<br>• DNS resolution<br>• HTTP/HTTPS (external vLLM text model) |
| **image-captioner-service** | • pdf-extraction-service | • DNS resolution<br>• HTTP/HTTPS (external vLLM vision model) |
| **metadata-service** | • pdf-processor-service | • chromadb:8000<br>• minio:9000<br>• redis:6379<br>• DNS resolution<br>• HTTP/HTTPS (external vLLM text model) |
| **cleaner** | *No ingress (background service)* | • minio:9000<br>• chromadb:8000<br>• redis:6379<br>• DNS resolution |
| **chromadb** | • embedder-service<br>• chat-service<br>• metadata-service<br>• cleaner | • DNS resolution<br>*No outbound calls* |
| **redis** | • pdf-processor-service<br>• pdf-extraction-service<br>• docling-translation-service<br>• embedder-service<br>• chat-service<br>• pdf-renderer-service<br>• metadata-service<br>• cleaner | • DNS resolution<br>*No outbound calls* |
| **minio** | • pdf-processor-service<br>• pdf-extraction-service<br>• docling-translation-service<br>• pdf-renderer-service<br>• embedder-service<br>• chat-service<br>• metadata-service<br>• cleaner | • DNS resolution<br>*No outbound calls* |
| **chromadb** | • embedder-service<br>• metadata-service<br>• cleaner | • DNS resolution<br>*No outbound calls* |
| **redis** | • pdf-processor-service<br>• pdf-extraction-service<br>• docling-translation-service<br>• embedder-service<br>• pdf-renderer-service<br>• metadata-service<br>• cleaner | • DNS resolution<br>*No outbound calls* |
| **minio** | • pdf-processor-service<br>• pdf-extraction-service<br>• docling-translation-service<br>• pdf-renderer-service<br>• embedder-service<br>• metadata-service<br>• cleaner | • DNS resolution<br>*No outbound calls* |

#### Network Policy Configuration

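Review bot: `chat-service` is removed from the allowed-ingress column for chromadb, redis and minio and from the pdf-processor-service egress column, and the NetworkPolicy templates of those four charts need the same removal. If the old selectors stay in the templates, any pod matching the former chat-service selector is still admitted to the data layer even though the table says otherwise. Please link or include the template changes so the table and the enforced policy stay in step.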
Expand All @@ -152,9 +151,9 @@ OmniPDF implements comprehensive zero-trust network policies with explicit servi
- **External Connectivity**: Managed external vLLM/AI API access through ServiceEntry (Istio) or HTTPS egress

### HPA (Horizontal Pod Autoscaler)
- **9 services** with auto-scaling enabled across 3 tiers:
- **Tier 1 (Critical)**: nginx, pdf-processor-service, chat-service - aggressive scaling (60-70% thresholds)
- **Tier 2 (Processing)**: pdf-extraction, docling-translation, pdf-renderer - standard scaling (70% thresholds)
- **8 services** with auto-scaling enabled across 3 tiers:
- **Tier 1 (Critical)**: nginx, pdf-processor-service - aggressive scaling (60-70% thresholds)
- **Tier 2 (Processing)**: pdf-extraction, docling-translation, pdf-renderer - standard scaling (70% thresholds)
- **Tier 3 (Burst)**: embedder-service, image-captioner-service, metadata-service - conservative scaling (70% thresholds)
- **High availability**: Minimum 1-2 replicas with scaling up to 5-15 replicas based on service tier
- **Resource optimization**: Proactive scaling for user-facing services, workload-responsive for processing services
Expand All @@ -163,13 +162,13 @@ OmniPDF implements comprehensive zero-trust network policies with explicit servi

```bash
# Enable NetworkPolicy for production
helm upgrade chat-service ./helm/chat-service \
helm upgrade pdf-extraction-service ./helm/pdf-extraction-service \
--set networkPolicy.enabled=true \
--namespace omnipdf

# Check service account permissions
kubectl auth can-i get secrets \
--as=system:serviceaccount:omnipdf:chat-service \
--as=system:serviceaccount:omnipdf:pdf-extraction-service \
-n omnipdf

# Monitor HPA status
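Review bot: In the `kubectl auth can-i get secrets` example, the check asks about every secret in the namespace and the README does not say which answer is expected. Given the per-service secret isolation described earlier in this file, state the expected result (presumably `no`) and add a second check against the service's own secret by name, in the `secrets/<secret-name>` form, so a reader can tell a correct setup from a misconfigured one.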
Expand Down Expand Up @@ -239,11 +238,11 @@ crc config view
## Testing

```bash
# Run all service unit tests (206+ tests across 7 services)
# Run all service unit tests (180+ tests across 6 services)
./scripts/test-all-services.sh

# Run tests for individual service
./scripts/test-single-service.sh chat-service
./scripts/test-single-service.sh pdf-extraction-service

# Security scanning with Trivy
./scripts/scan_with_trivy.sh
Expand Down
10 changes: 2 additions & 8 deletions c4-diagram.puml
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ System_Boundary(omnipdf, "OmniPDF System - Prestaging (CRC)") {
System_Boundary(istio_mesh, "Istio Service Mesh") {
Container(istio_gateway, "Istio Ingress Gateway", "Istio Gateway + Envoy", "Handles ingress traffic into the mesh with advanced routing policies")

Container(frontend, "Streamlit Frontend", "Python/Streamlit + Envoy Sidecar", "Web UI for document processing and chat interface")
Container(frontend, "Streamlit Frontend", "Python/Streamlit + Envoy Sidecar", "Web UI for document processing")

Container(pdf_service, "PDF Processor Service", "FastAPI + Envoy Sidecar", "Main orchestrator - manages sessions, coordinates processing workflows")

Expand All @@ -21,7 +21,6 @@ System_Boundary(omnipdf, "OmniPDF System - Prestaging (CRC)") {
Container(pdf_renderer, "PDF Renderer Service", "FastAPI + Envoy Sidecar", "Renders translated content onto PDFs")

Container(embedder, "Embedder Service", "FastAPI + Envoy Sidecar", "Document chunking and embedding generation")
Container(chat_service, "Chat Service", "FastAPI + Envoy Sidecar", "RAG chat interface using retrieved context")
Container(image_captioner, "Image Captioning Service", "FastAPI + Envoy Sidecar", "AI image captioning for extracted images")

Container(metadata_service, "Metadata Service", "FastAPI + Envoy Sidecar", "Document metadata and wordcloud generation")
Expand All @@ -34,7 +33,7 @@ System_Boundary(omnipdf, "OmniPDF System - Prestaging (CRC)") {
}

System_Boundary(external_ai, "External AI Infrastructure") {
Container(vllm_text, "vLLM Text Model", "vLLM Server", "External text-only LLM for chat and translation")
Container(vllm_text, "vLLM Text Model", "vLLM Server", "External text-only LLM for translation and metadata")
Container(vllm_vlm, "vLLM Vision-Language Model", "vLLM Server", "External multimodal VLM for image understanding")
}

Expand All @@ -56,7 +55,6 @@ Rel(pdf_service, pdf_extraction, "Delegates table and image extraction")
Rel(pdf_service, docling_translate, "Requests docling translation")
Rel(pdf_service, pdf_renderer, "Renders previews of extracted content")
Rel(pdf_service, embedder, "Sends chunking + embedding task")
Rel(pdf_service, chat_service, "RAG conversations")
Rel(pdf_service, metadata_service, "Requests metadata generation")

' File storage operations (mTLS within mesh)
Expand All @@ -66,20 +64,17 @@ Rel(pdf_renderer, minio, "Stores rendered PDFs (mTLS)")
Rel(metadata_service, minio, "Stores metadata job status (mTLS)")
Rel(docling_translate, minio, "Stores translated JSON + job status (mTLS)")
Rel(embedder, minio, "Job status storage (mTLS)")
Rel(chat_service, minio, "Future file operations (mTLS)")
Rel(pdf_extraction, image_captioner, "Requests image captioning")

' External AI/ML service communication (HTTP over VPN)
Rel(docling_translate, vllm_text, "Translation requests (HTTP)")
Rel(chat_service, vllm_text, "RAG chat requests (HTTP)")
Rel(metadata_service, vllm_text, "Metadata generation (HTTP)")

' External VLM communication (HTTP over VPN)
Rel(image_captioner, vllm_vlm, "Image captioning requests (HTTP)")

' Vector database operations (mTLS within mesh)
Rel(embedder, chroma, "Store embeddings (mTLS)")
Rel(chat_service, chroma, "Query vectors (mTLS)")
Rel(metadata_service, chroma, "Query vectors for metadata generation (mTLS)")

' Job status and session management (mTLS within mesh)
Expand All @@ -89,7 +84,6 @@ Rel(pdf_renderer, redis, "Document file list management (mTLS)")
Rel(embedder, redis, "Job status polling (mTLS)")
Rel(docling_translate, redis, "Document file list management (mTLS)")
Rel(metadata_service, redis, "Document file list management (mTLS)")
Rel(chat_service, redis, "Future session management (mTLS)")

' Cleanup operations (mTLS within mesh)
Rel(cleaner, minio, "Delete expired files (mTLS)")
Expand Down
36 changes: 0 additions & 36 deletions chat_service/Dockerfile

This file was deleted.

23 changes: 0 additions & 23 deletions chat_service/example.env

This file was deleted.

19 changes: 0 additions & 19 deletions chat_service/main.py

This file was deleted.

Empty file removed chat_service/models/__init__.py
Empty file.
25 changes: 0 additions & 25 deletions chat_service/models/chat.py

This file was deleted.
