diff --git a/kustomize/helmchart/helmchart.yaml b/kustomize/helmchart/helmchart.yaml
new file mode 100644
index 0000000..e78708a
--- /dev/null
+++ b/kustomize/helmchart/helmchart.yaml
@@ -0,0 +1,7 @@
+apiVersion: helm.cattle.io/v1
+kind: HelmChart
+metadata:
+ name: chart
+ namespace: charts
+spec:
+ targetNamespace: default
diff --git a/kustomize/helmchart/httproute-http.yaml b/kustomize/helmchart/httproute-http.yaml
new file mode 100644
index 0000000..9f70c85
--- /dev/null
+++ b/kustomize/helmchart/httproute-http.yaml
@@ -0,0 +1,26 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: http
+spec:
+ parentRefs:
+ - name: homelab-gateway
+ sectionName: web
+ kind: Gateway
+ namespace: homelab
+ hostnames:
+ - web.leechpepin.com
+ rules:
+ - filters:
+ - type: RequestHeaderModifier
+ requestHeaderModifier:
+ set:
+ - name: "X-Forwarded-Proto"
+ value: "https"
+ backendRefs:
+ - name: web
+ port: 80
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
diff --git a/kustomize/helmchart/httproute-https.yaml b/kustomize/helmchart/httproute-https.yaml
new file mode 100644
index 0000000..b38ea13
--- /dev/null
+++ b/kustomize/helmchart/httproute-https.yaml
@@ -0,0 +1,20 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: https
+spec:
+ parentRefs:
+ - name: homelab-gateway
+ sectionName: websecure
+ kind: Gateway
+ namespace: homelab
+ hostnames:
+ - web.leechpepin.com
+ rules:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /
+ backendRefs:
+ - name: web
+ port: 80
diff --git a/kustomize/helmchart/kustomization.yaml b/kustomize/helmchart/kustomization.yaml
new file mode 100644
index 0000000..d1d88a4
--- /dev/null
+++ b/kustomize/helmchart/kustomization.yaml
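Review bot: `spec.targetNamespace: default` in this base is a live value, not an inert placeholder: a consumer that includes the base without wiring the appNamespace replacement installs the chart into `default`, and nothing on the line says it is meant to be overwritten. A comment such as `# placeholder: overwritten by the consumer's appNamespace replacement` would make that contract visible. The same applies to `metadata.namespace: charts`, which a NamespaceTransformer with `unsetOnly: true` (as used by the consumer elsewhere in this commit) will never change.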
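Review bot: The route bound to the `web` listener forwards requests to the backend while the `RequestHeaderModifier` filter stamps `X-Forwarded-Proto: https` on them, so the application treats every request on that listener as if it arrived over TLS (secure-cookie and OIDC redirect decisions are made from that header). Unless the `web` listener is itself TLS-terminated in front of the gateway, the conventional shape for the plaintext listener is a redirect to the `websecure` listener rather than a header rewrite, which needs no `backendRefs` at all. If the header rewrite is deliberate, a comment on the filter saying where TLS actually terminates would stop the next reader from removing it.
```yaml
  rules:
    - filters:
        - type: RequestRedirect
          requestRedirect:
            scheme: https
            statusCode: 301
      matches:
        - path:
            type: PathPrefix
            value: /
```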
@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - helmchart.yaml
+ - httproute-http.yaml
+ - httproute-https.yaml
+ - secret.yaml
+
+labels:
+ - includeSelectors: true
+ pairs:
+ app.kubernetes.io/managed-by: kustomize
diff --git a/kustomize/helmchart/secret.yaml b/kustomize/helmchart/secret.yaml
new file mode 100644
index 0000000..e7ab759
--- /dev/null
+++ b/kustomize/helmchart/secret.yaml
@@ -0,0 +1,27 @@
+apiVersion: secrets.infisical.com/v1alpha1
+kind: InfisicalSecret
+metadata:
+ name: secrets
+ namespace: infisical
+ labels:
+ label-to-be-passed-to-managed-secret: homelab
+ annotations:
+ example.com/annotation-to-be-passed-to-managed-secret: "homelab"
+spec:
+ hostAPI: https://app.infisical.com/api
+ resyncInterval: 10
+ authentication:
+ # Universal Auth
+ universalAuth:
+ secretsScope:
+ projectSlug: homelab-n-f-yj
+ envSlug: prod
+ secretsPath: "/apps/appname" # Root is "/"
+ recursive: false # Whether or not to use recursive mode (Fetches all secrets in an environment from a given secret path, and all folders inside the path) / defaults to false
+ credentialsRef:
+ secretName: universal-auth-credentials
+ secretNamespace: infisical
+ managedSecretReference:
+ secretName: app-secrets
+ secretNamespace: ns
+ creationPolicy: "Orphan" ## Owner | Orphan
diff --git a/namespaces/ai/openwebui/kustomization.yaml b/namespaces/ai/openwebui/kustomization.yaml
new file mode 100644
index 0000000..25b5a94
--- /dev/null
+++ b/namespaces/ai/openwebui/kustomization.yaml
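Review bot: `creationPolicy: "Orphan"` means the managed `Secret` in the application namespace survives deletion of this `InfisicalSecret`, so removing an app overlay leaves its credentials behind in the cluster; unless a consumer needs the secret to outlive the CR, `Owner` is the tighter default and the choice deserves a one-line comment explaining why. The `label-to-be-passed-to-managed-secret` label and the `example.com/annotation-to-be-passed-to-managed-secret` annotation read as copied from an upstream example and are propagated onto every managed secret; give them a real purpose or drop them. `secretsPath: "/apps/appname"` and `secretNamespace: ns` are placeholders rewritten by the consumer's replacements but are not marked as such; `# placeholder: rewritten by the consumer's replacements` on each would make the base self-explanatory.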
@@ -0,0 +1,97 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+transformers:
+ - |-
+ apiVersion: builtin
+ kind: NamespaceTransformer
+ metadata:
+ name: notImportantHere
+ namespace: ai
+ unsetOnly: true
+
+namePrefix: open-webui-
+resources:
+ - ../../../kustomize/helmchart/
+
+patches:
+ - path: patches/chart.yaml
+ target:
+ kind: HelmChart
+ name: chart
+
+replacements:
+ - source:
+ kind: HTTPRoute
+ name: http
+ fieldPath: metadata.labels.[app.kubernetes.io/appName]
+ targets:
+ - select:
+ kind: HTTPRoute
+ options:
+ create: true
+ delimiter: "."
+ index: 0
+ fieldPaths:
+ - spec.hostnames.0
+ - select:
+ kind: InfisicalSecret
+ options:
+ delimiter: "-"
+ index: 0
+ fieldPaths:
+ - spec.managedSecretReference.secretName
+ - select:
+ kind: InfisicalSecret
+ options:
+ delimiter: "/"
+ index: 2
+ fieldPaths:
+ - spec.authentication.universalAuth.secretsScope.secretsPath
+ - select:
+ kind: HTTPRoute
+ fieldPaths:
+ - spec.rules.0.backendRefs.0.name
+ - source:
+ kind: HTTPRoute
+ name: http
+ fieldPath: metadata.labels.[app.kubernetes.io/routePrefix]
+ targets:
+ - select:
+ kind: HTTPRoute
+ options:
+ create: true
+ delimiter: "."
+ index: 0
+ fieldPaths:
+ - spec.hostnames.0
+ - source:
+ kind: HTTPRoute
+ name: http
+ fieldPath: metadata.labels.[app.kubernetes.io/appNamespace]
+ targets:
+ - select:
+ kind: HelmChart
+ name: chart
+ fieldPaths:
+ - spec.targetNamespace
+ - select:
+ kind: InfisicalSecret
+ options:
+ delimiter: "/"
+ index: 1
+ fieldPaths:
+ - spec.authentication.universalAuth.secretsScope.secretsPath
+ - select:
+ kind: InfisicalSecret
+ fieldPaths:
+ - spec.managedSecretReference.secretNamespace
+
+labels:
+ - includeSelectors: true
+ pairs:
+ app.kubernetes.io/appName: open-webui
+ - pairs:
+ app.kubernetes.io/appNamespace: ai
+ - pairs:
+ app.kubernetes.io/routePrefix: owui
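Review bot: In the first replacement (source label `appName`), the target writing `spec.hostnames.0` with `delimiter: "."` and `index: 0` is dead: the second replacement (source label `routePrefix`) writes the same field with the same delimiter and index and runs afterwards, so the hostname always ends as `owui.leechpepin.com` and the `open-webui.` value is overwritten on every build. Dropping that first target (with its `create: true` option) makes the intent of the two replacements clear. The hostname derived here also has to agree with the `owui.leechpepin.com` literals in `patches/chart.yaml` (`OPENID_REDIRECT_URI`, `WEBUI_URL`, `WEBHOOK_URL`), which this commit keeps in step by hand; a comment next to `app.kubernetes.io/routePrefix: owui` naming that dependency would make it less likely to drift.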
diff --git a/namespaces/ai/openwebui/patches/chart.yaml b/namespaces/ai/openwebui/patches/chart.yaml
new file mode 100644
index 0000000..8ef6587
--- /dev/null
+++ b/namespaces/ai/openwebui/patches/chart.yaml
@@ -0,0 +1,72 @@
+apiVersion: helm.cattle.io/v1
+kind: HelmChart
+metadata:
+ name: chart
+spec:
+ chart: open-webui
+ repo: https://open-webui.github.io/helm-charts
+ valuesContent: |-
+ ollama:
+ enabled: false
+ ollamaUrls:
+ - https://ollama.leechpepin.com:11434
+ websocket:
+ enabled: true
+ url: redis://redis.core.svc.cluster.local:6379/0
+ redis:
+ enabled: false
+ persistence:
+ size: 5Gi
+ subPath: "data"
+ storageClass: longhorn-private
+ image:
+ tag: 0.5.10
+ extraEnvVars:
+ - name: ENABLE_OAUTH_SIGNUP
+ value: "true"
+ - name: ENABLE_SIGNUP
+ value: "false"
+ - name: ENABLE_LOGIN_FORM
+ value: "false"
+ - name: OAUTH_MERGE_ACCOUNTS_BY_EMAIL
+ value: "true"
+ - name: OAUTH_PROVIDER_NAME
+ value: "Authentik"
+ - name: OPENID_PROVIDER_URL
+ value: "https://auth.leechpepin.com/application/o/owui/.well-known/openid-configuration"
+ - name: OAUTH_SCOPES
+ value: "openid email profile"
+ - name: OPENID_REDIRECT_URI
+ value: "https://owui.leechpepin.com/oauth/oidc/callback"
+ - name: OAUTH_CLIENT_ID
+ value: 83yKhCIsSPXSqN5pMaT8yUUMbWDHEQg9vpVOPFWP
+ - name: OAUTH_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: open-webui-secrets
+ key: AUTHENTIK_CLIENT_SECRET
+ - name: OPENAI_API_KEY
+ valueFrom:
+ secretKeyRef:
+ name: open-webui-secrets
+ key: PIPELINE_API_KEY
+ - name: RAG_EMBEDDING_ENGINE
+ value: "ollama"
+ - name: RAG_EMBEDDING_MODEL
+ value: "jina/jina-embeddings-v2-base-en:latest"
+ - name: CONTENT_EXTRACTION_ENGINE
+ value: "tika"
+ - name: RAG_OLLAMA_BASE_URL
+ value: "https://ollama.leechpepin.com:11434"
+ - name: TIKA_SERVER_URL
+ value: "http://tika.apps.svc.cluster.local:9998"
+ - name: WEBUI_URL
+ value: "https://owui.leechpepin.com"
+ - name: ENABLE_RAG_WEB_SEARCH
+ value: "true"
+ - name: RAG_WEB_SEARCH_ENGINE
+ value: "duckduckgo"
+ - name: TASK_MODEL
+ value: "llama3.2:latest"
+ - name: WEBHOOK_URL
+ value: "https://owui.leechpepin.com/webhook"
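Review bot: `tag: 0.5.10` and `value: 83yKhCIsSPXSqN5pMaT8yUUMbWDHEQg9vpVOPFWP` are the only scalars inside `valuesContent` left unquoted; `0.5.10` happens to parse as a string, but a future `0.6` would become a float when the chart renders the values, so quote the tag (`tag: "0.5.10"`) and, for consistency with the neighbouring env vars, the client id. `OAUTH_MERGE_ACCOUNTS_BY_EMAIL: "true"` combined with `ENABLE_OAUTH_SIGNUP: "true"` links any new OIDC identity to an existing local account on the email claim alone, which is only safe while Authentik is the sole provider and verifies email addresses; a comment stating that assumption next to it would document the trust boundary. The websocket `url: redis://redis.core.svc.cluster.local:6379/0` carries no credential, so it presumably relies on that Redis instance being unauthenticated and reachable only in-cluster — worth confirming and noting on the line.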
diff --git a/namespaces/monitoring/healthchecks/kustomization.yaml b/namespaces/monitoring/healthchecks/kustomization.yaml
index e9a830f..f04734a 100644
--- a/namespaces/monitoring/healthchecks/kustomization.yaml
+++ b/namespaces/monitoring/healthchecks/kustomization.yaml
@@ -12,7 +12,7 @@ transformers:
 namePrefix: healthchecks-
 resources:
- - ../../../kustomize/deployment/
+ - ../../../kustomize/public-oidc/
 replacements:
 - source:
@@ -110,4 +110,4 @@ configMapGenerator:
 - SITE_NAME=JLP Healthchecks
 - SITE_ROOT=https://healthchecks.leechpepin.com
 - DEBUG=False
- - REMOTE_USER_HEADER=HTTP_X_AUTHENTIK_EMAIL
+ - REGISTRATION_OPEN=False
diff --git a/namespaces/monitoring/ntfy/kustomization.yaml b/namespaces/monitoring/ntfy/kustomization.yaml
index f6a1e35..1157208 100644
--- a/namespaces/monitoring/ntfy/kustomization.yaml
+++ b/namespaces/monitoring/ntfy/kustomization.yaml
@@ -12,7 +12,7 @@ transformers:
 namePrefix: ntfy-
 resources:
- - ../../../kustomize/deployment/
+ - ../../../kustomize/public-oidc/
 replacements:
 - source:
diff --git a/namespaces/monitoring/uptime-kuma/kustomization.yaml b/namespaces/monitoring/uptime-kuma/kustomization.yaml
index 7ecceef..f5b1576 100644
--- a/namespaces/monitoring/uptime-kuma/kustomization.yaml
+++ b/namespaces/monitoring/uptime-kuma/kustomization.yaml
@@ -81,6 +81,10 @@ patches:
 - path: patches/httproute.yaml
 target:
 kind: HTTPRoute
+ - path: patches/pvc.yaml
+ target:
+ kind: PersistentVolumeClaim
+ name: pvc
 labels:
 - includeSelectors: true
diff --git a/namespaces/monitoring/uptime-kuma/patches/deployment.yaml b/namespaces/monitoring/uptime-kuma/patches/deployment.yaml
index 15dd903..092244d 100644
--- a/namespaces/monitoring/uptime-kuma/patches/deployment.yaml
+++ b/namespaces/monitoring/uptime-kuma/patches/deployment.yaml
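Review bot: Dropping `REMOTE_USER_HEADER=HTTP_X_AUTHENTIK_EMAIL` in the second healthchecks hunk removes the header-trust login path, which is the right move when the route becomes publicly reachable, but nothing in the hunk records why; a comment above `REGISTRATION_OPEN=False` such as `# header auth removed: the route is public, a client-supplied X-Authentik-Email must not be trusted` would keep it from being reinstated later. Whether the `public-oidc` base that this overlay (and the ntfy overlay, same change) now points at still supplies or strips identity headers cannot be checked from this diff, since the base is not part of it. The `configMapGenerator` literal list starts before the hunk.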
@@ -5,6 +5,21 @@ metadata:
 spec:
 template:
 spec:
+ tolerations:
+ - key: "public"
+ operator: "Equal"
+ value: "true"
+ effect: "NoSchedule"
+ affinity:
+ nodeAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 100
+ preference:
+ matchExpressions:
+ - key: public
+ operator: In
+ values:
+ - "true"
 containers:
 - name: uptime-kuma
 image: louislam/uptime-kuma:1
diff --git a/namespaces/monitoring/uptime-kuma/patches/pvc.yaml b/namespaces/monitoring/uptime-kuma/patches/pvc.yaml
new file mode 100644
index 0000000..8985946
--- /dev/null
+++ b/namespaces/monitoring/uptime-kuma/patches/pvc.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: pvc
+spec:
+ storageClassName: longhorn-public
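Review bot: The toleration lets the pod land on nodes tainted `public=true:NoSchedule`, but the node affinity is only `preferredDuringSchedulingIgnoredDuringExecution`, so when the public nodes are full or down the scheduler silently places this publicly exposed workload on an internal node. If the intent is that public-facing pods are confined to the public node pool, the preference has to become a requirement, as below; if the soft preference is deliberate (fail over to internal nodes rather than stay unscheduled), a comment on the `affinity:` line saying so would stop a later reviewer from tightening it. The enclosing Deployment spec starts before the hunk.
```yaml
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: public
                    operator: In
                    values:
                      - "true"
      # … unchanged: containers …
```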