Add openwebui via helm chart and fix monitoring deployments

kustomize/helmchart/helmchart.yaml

@@ -0,0 +1,7 @@
+apiVersion: helm.cattle.io/v1
+kind: HelmChart
+metadata:
+  name: chart
+  namespace: charts
+spec:
+  targetNamespace: default

kustomize/helmchart/httproute-http.yaml

@@ -0,0 +1,26 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: http
+spec:
+  parentRefs:
+    - name: homelab-gateway
+      sectionName: web
+      kind: Gateway
+      namespace: homelab
+  hostnames:
+    - web.leechpepin.com
+  rules:
+    - filters:
+        - type: RequestHeaderModifier
+          requestHeaderModifier:
+            set:
+              - name: "X-Forwarded-Proto"
+                value: "https"
+      backendRefs:
+        - name: web
+          port: 80
+      matches:
+        - path:
+            type: PathPrefix
+            value: /

kustomize/helmchart/httproute-https.yaml

@@ -0,0 +1,20 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: https
+spec:
+  parentRefs:
+    - name: homelab-gateway
+      sectionName: websecure
+      kind: Gateway
+      namespace: homelab
+  hostnames:
+    - web.leechpepin.com
+  rules:
+    - matches:
+        - path:
+            type: PathPrefix
+            value: /
+      backendRefs:
+        - name: web
+          port: 80

kustomize/helmchart/kustomization.yaml

@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - helmchart.yaml
+  - httproute-http.yaml
+  - httproute-https.yaml
+  - secret.yaml
+
+labels:
+  - includeSelectors: true
+    pairs:
+      app.kubernetes.io/managed-by: kustomize

kustomize/helmchart/secret.yaml

@@ -0,0 +1,27 @@
+apiVersion: secrets.infisical.com/v1alpha1
+kind: InfisicalSecret
+metadata:
+  name: secrets
+  namespace: infisical
+  labels:
+    label-to-be-passed-to-managed-secret: homelab
+  annotations:
+    example.com/annotation-to-be-passed-to-managed-secret: "homelab"
+spec:
+  hostAPI: https://app.infisical.com/api
+  resyncInterval: 10
+  authentication:
+    # Universal Auth
+    universalAuth:
+      secretsScope:
+        projectSlug: homelab-n-f-yj
+        envSlug: prod
+        secretsPath: "/apps/appname" # Root is "/"
+        recursive: false # Whether or not to use recursive mode (Fetches all secrets in an environment from a given secret path, and all folders inside the path) / defaults to false
+      credentialsRef:
+        secretName: universal-auth-credentials
+        secretNamespace: infisical
+  managedSecretReference:
+    secretName: app-secrets
+    secretNamespace: ns
+    creationPolicy: "Orphan" ## Owner | Orphan

namespaces/ai/openwebui/kustomization.yaml

@@ -0,0 +1,97 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+transformers:
+  - |-
+    apiVersion: builtin
+    kind: NamespaceTransformer
+    metadata:
+      name: notImportantHere
+      namespace: ai
+    unsetOnly: true
+
+namePrefix: open-webui-
+resources:
+  - ../../../kustomize/helmchart/
+
+patches:
+  - path: patches/chart.yaml
+    target:
+      kind: HelmChart
+      name: chart
+
+replacements:
+  - source:
+      kind: HTTPRoute
+      name: http
+      fieldPath: metadata.labels.[app.kubernetes.io/appName]
+    targets:
+      - select:
+          kind: HTTPRoute
+        options:
+          create: true
+          delimiter: "."
+          index: 0
+        fieldPaths:
+          - spec.hostnames.0
+      - select:
+          kind: InfisicalSecret
+        options:
+          delimiter: "-"
+          index: 0
+        fieldPaths:
+          - spec.managedSecretReference.secretName
+      - select:
+          kind: InfisicalSecret
+        options:
+          delimiter: "/"
+          index: 2
+        fieldPaths:
+          - spec.authentication.universalAuth.secretsScope.secretsPath
+      - select:
+          kind: HTTPRoute
+        fieldPaths:
+          - spec.rules.0.backendRefs.0.name
+  - source:
+      kind: HTTPRoute
+      name: http
+      fieldPath: metadata.labels.[app.kubernetes.io/routePrefix]
+    targets:
+      - select:
+          kind: HTTPRoute
+        options:
+          create: true
+          delimiter: "."
+          index: 0
+        fieldPaths:
+          - spec.hostnames.0
+  - source:
+      kind: HTTPRoute
+      name: http
+      fieldPath: metadata.labels.[app.kubernetes.io/appNamespace]
+    targets:
+      - select:
+          kind: HelmChart
+          name: chart
+        fieldPaths:
+          - spec.targetNamespace
+      - select:
+          kind: InfisicalSecret
+        options:
+          delimiter: "/"
+          index: 1
+        fieldPaths:
+          - spec.authentication.universalAuth.secretsScope.secretsPath
+      - select:
+          kind: InfisicalSecret
+        fieldPaths:
+          - spec.managedSecretReference.secretNamespace
+
+labels:
+  - includeSelectors: true
+    pairs:
+      app.kubernetes.io/appName: open-webui
+  - pairs:
+      app.kubernetes.io/appNamespace: ai
+  - pairs:
+      app.kubernetes.io/routePrefix: owui

namespaces/ai/openwebui/patches/chart.yaml

@@ -0,0 +1,72 @@
+apiVersion: helm.cattle.io/v1
+kind: HelmChart
+metadata:
+  name: chart
+spec:
+  chart: open-webui
+  repo: https://open-webui.github.io/helm-charts
+  valuesContent: |-
+    ollama:
+      enabled: false
+    ollamaUrls:
+      - https://ollama.leechpepin.com:11434
+    websocket:
+      enabled: true
+      url: redis://redis.core.svc.cluster.local:6379/0
+      redis:
+        enabled: false
+    persistence:
+      size: 5Gi
+      subPath: "data"
+      storageClass: longhorn-private
+    image:
+      tag: 0.5.10
+    extraEnvVars:
+      - name: ENABLE_OAUTH_SIGNUP
+        value: "true"
+      - name: ENABLE_SIGNUP
+        value: "false"
+      - name: ENABLE_LOGIN_FORM
+        value: "false"
+      - name: OAUTH_MERGE_ACCOUNTS_BY_EMAIL
+        value: "true"
+      - name: OAUTH_PROVIDER_NAME
+        value: "Authentik"
+      - name: OPENID_PROVIDER_URL
+        value: "https://auth.leechpepin.com/application/o/owui/.well-known/openid-configuration"
+      - name: OAUTH_SCOPES
+        value: "openid email profile"
+      - name: OPENID_REDIRECT_URI
+        value: "https://owui.leechpepin.com/oauth/oidc/callback"
+      - name: OAUTH_CLIENT_ID
+        value: 83yKhCIsSPXSqN5pMaT8yUUMbWDHEQg9vpVOPFWP
+      - name: OAUTH_CLIENT_SECRET
+        valueFrom:
+          secretKeyRef:
+            name: open-webui-secrets
+            key: AUTHENTIK_CLIENT_SECRET
+      - name: OPENAI_API_KEY
+        valueFrom:
+          secretKeyRef:
+            name: open-webui-secrets
+            key: PIPELINE_API_KEY
+      - name: RAG_EMBEDDING_ENGINE
+        value: "ollama"
+      - name: RAG_EMBEDDING_MODEL
+        value: "jina/jina-embeddings-v2-base-en:latest"
+      - name: CONTENT_EXTRACTION_ENGINE
+        value: "tika"
+      - name: RAG_OLLAMA_BASE_URL
+        value: "https://ollama.leechpepin.com:11434"
+      - name: TIKA_SERVER_URL
+        value: "http://tika.apps.svc.cluster.local:9998"
+      - name: WEBUI_URL
+        value: "https://owui.leechpepin.com"
+      - name: ENABLE_RAG_WEB_SEARCH
+        value: "true"
+      - name: RAG_WEB_SEARCH_ENGINE
+        value: "duckduckgo"
+      - name: TASK_MODEL
+        value: "llama3.2:latest"
+      - name: WEBHOOK_URL
+        value: "https://owui.leechpepin.com/webhook"

namespaces/monitoring/healthchecks/kustomization.yaml

@@ -12,7 +12,7 @@ transformers:
 
 namePrefix: healthchecks-
 resources:
-  - ../../../kustomize/deployment/
+  - ../../../kustomize/public-oidc/
 
 replacements:
   - source:
@@ -110,4 +110,4 @@ configMapGenerator:
       - SITE_NAME=JLP Healthchecks
       - SITE_ROOT=https://healthchecks.leechpepin.com
       - DEBUG=False
-      - REMOTE_USER_HEADER=HTTP_X_AUTHENTIK_EMAIL
+      - REGISTRATION_OPEN=False

namespaces/monitoring/ntfy/kustomization.yaml

@@ -12,7 +12,7 @@ transformers:
 
 namePrefix: ntfy-
 resources:
-  - ../../../kustomize/deployment/
+  - ../../../kustomize/public-oidc/
 
 replacements:
   - source:

namespaces/monitoring/uptime-kuma/kustomization.yaml

@@ -81,6 +81,10 @@ patches:
   - path: patches/httproute.yaml
     target:
       kind: HTTPRoute
+  - path: patches/pvc.yaml
+    target:
+      kind: PersistentVolumeClaim
+      name: pvc
 
 labels:
   - includeSelectors: true

namespaces/monitoring/uptime-kuma/patches/deployment.yaml

@@ -5,6 +5,21 @@ metadata:
 spec:
   template:
     spec:
+      tolerations:
+        - key: "public"
+          operator: "Equal"
+          value: "true"
+          effect: "NoSchedule"
+      affinity:
+        nodeAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+            - weight: 100
+              preference:
+                matchExpressions:
+                  - key: public
+                    operator: In
+                    values:
+                      - "true"
       containers:
         - name: uptime-kuma
           image: louislam/uptime-kuma:1

namespaces/monitoring/uptime-kuma/patches/pvc.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: pvc
+spec:
+  storageClassName: longhorn-public