Add openwebui via helm chart and fix monitoring deployments

JLP 2025-02-06 17:42:37 -05:00
parent 71b2d94392
commit 3d42a11c90
No known key found for this signature in database
GPG key ID: 414E00D1FF7519DC
12 changed files with 290 additions and 3 deletions


@ -0,0 +1,7 @@
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: chart
namespace: charts
spec:
targetNamespace: default


@ -0,0 +1,26 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: http
spec:
parentRefs:
- name: homelab-gateway
sectionName: web
kind: Gateway
namespace: homelab
hostnames:
- web.leechpepin.com
rules:
- filters:
- type: RequestHeaderModifier
requestHeaderModifier:
set:
- name: "X-Forwarded-Proto"
value: "https"
backendRefs:
- name: web
port: 80
matches:
- path:
type: PathPrefix
value: /
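Review bot: The `RequestHeaderModifier` sets `X-Forwarded-Proto: https` on the route bound to `sectionName: web`, which looks like the plain-HTTP listener since the sibling route uses `websecure`. Unless TLS is already terminated upstream of the gateway, the backend will treat cleartext requests as TLS-protected. Applications commonly use that header to decide on Secure cookies and HTTPS redirects, so the connection would stay unencrypted while the app believes otherwise. If the goal is only to keep HTTP clients working, a redirect is the safer shape: replace the filter with `- type: RequestRedirect` and `requestRedirect: {scheme: https, statusCode: 301}`, and drop `backendRefs` from this rule.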


@ -0,0 +1,20 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: https
spec:
parentRefs:
- name: homelab-gateway
sectionName: websecure
kind: Gateway
namespace: homelab
hostnames:
- web.leechpepin.com
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- name: web
port: 80


@ -0,0 +1,13 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- helmchart.yaml
- httproute-http.yaml
- httproute-https.yaml
- secret.yaml
labels:
- includeSelectors: true
pairs:
app.kubernetes.io/managed-by: kustomize


@ -0,0 +1,27 @@
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
name: secrets
namespace: infisical
labels:
label-to-be-passed-to-managed-secret: homelab
annotations:
example.com/annotation-to-be-passed-to-managed-secret: "homelab"
spec:
hostAPI: https://app.infisical.com/api
resyncInterval: 10
authentication:
# Universal Auth
universalAuth:
secretsScope:
projectSlug: homelab-n-f-yj
envSlug: prod
secretsPath: "/apps/appname" # Root is "/"
recursive: false # Whether or not to use recursive mode (Fetches all secrets in an environment from a given secret path, and all folders inside the path) / defaults to false
credentialsRef:
secretName: universal-auth-credentials
secretNamespace: infisical
managedSecretReference:
secretName: app-secrets
secretNamespace: ns
creationPolicy: "Orphan" ## Owner | Orphan
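Review bot: `creationPolicy: "Orphan"` leaves the managed Secret in the target namespace after this InfisicalSecret is deleted, so a removed app's credentials stay readable in the cluster until someone deletes them by hand. `"Owner"` would tie the Secret's lifetime to the resource, but owner references do not cross namespaces and this resource lives in `infisical` while `secretNamespace` points elsewhere, so either the placement or a documented cleanup step needs deciding. The values `secretsPath: "/apps/appname"`, `secretName: app-secrets` and `secretNamespace: ns` are placeholders that are only correct after an overlay rewrites them; a comment such as `# placeholder, rewritten by the overlay's replacements` above each would make a missed replacement easier to catch. Every app built from this base also authenticates with the same `universal-auth-credentials`, so the path in this file is presumably the only thing separating one app's secrets from another's; confirm the identity's scope on the Infisical side.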


@ -0,0 +1,97 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
transformers:
- |-
apiVersion: builtin
kind: NamespaceTransformer
metadata:
name: notImportantHere
namespace: ai
unsetOnly: true
namePrefix: open-webui-
resources:
- ../../../kustomize/helmchart/
patches:
- path: patches/chart.yaml
target:
kind: HelmChart
name: chart
replacements:
- source:
kind: HTTPRoute
name: http
fieldPath: metadata.labels.[app.kubernetes.io/appName]
targets:
- select:
kind: HTTPRoute
options:
create: true
delimiter: "."
index: 0
fieldPaths:
- spec.hostnames.0
- select:
kind: InfisicalSecret
options:
delimiter: "-"
index: 0
fieldPaths:
- spec.managedSecretReference.secretName
- select:
kind: InfisicalSecret
options:
delimiter: "/"
index: 2
fieldPaths:
- spec.authentication.universalAuth.secretsScope.secretsPath
- select:
kind: HTTPRoute
fieldPaths:
- spec.rules.0.backendRefs.0.name
- source:
kind: HTTPRoute
name: http
fieldPath: metadata.labels.[app.kubernetes.io/routePrefix]
targets:
- select:
kind: HTTPRoute
options:
create: true
delimiter: "."
index: 0
fieldPaths:
- spec.hostnames.0
- source:
kind: HTTPRoute
name: http
fieldPath: metadata.labels.[app.kubernetes.io/appNamespace]
targets:
- select:
kind: HelmChart
name: chart
fieldPaths:
- spec.targetNamespace
- select:
kind: InfisicalSecret
options:
delimiter: "/"
index: 1
fieldPaths:
- spec.authentication.universalAuth.secretsScope.secretsPath
- select:
kind: InfisicalSecret
fieldPaths:
- spec.managedSecretReference.secretNamespace
labels:
- includeSelectors: true
pairs:
app.kubernetes.io/appName: open-webui
- pairs:
app.kubernetes.io/appNamespace: ai
- pairs:
app.kubernetes.io/routePrefix: owui
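Review bot: The `replacements:` chain rewrites fields by delimiter and index, and nothing in the file states the intended result. That matters most for `secretsScope.secretsPath`, which decides which Infisical folder this app can read. As read from the options, index 1 and 2 of the `/`-split path become the `appNamespace` and `appName` labels, and index 0 of the `-`-split `secretName` becomes `appName`. A comment above `replacements:` would record that, for example `# secretsPath "/apps/appname" -> "/<appNamespace>/<appName>"; secretName "app-secrets" -> "<appName>-secrets"`. The `select:` entries for `InfisicalSecret` and `HTTPRoute` carry no `name`, so they apply to every resource of that kind in the build; that is fine with the single base used here but would silently rewrite any InfisicalSecret added later.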


@ -0,0 +1,72 @@
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: chart
spec:
chart: open-webui
repo: https://open-webui.github.io/helm-charts
valuesContent: |-
ollama:
enabled: false
ollamaUrls:
- https://ollama.leechpepin.com:11434
websocket:
enabled: true
url: redis://redis.core.svc.cluster.local:6379/0
redis:
enabled: false
persistence:
size: 5Gi
subPath: "data"
storageClass: longhorn-private
image:
tag: 0.5.10
extraEnvVars:
- name: ENABLE_OAUTH_SIGNUP
value: "true"
- name: ENABLE_SIGNUP
value: "false"
- name: ENABLE_LOGIN_FORM
value: "false"
- name: OAUTH_MERGE_ACCOUNTS_BY_EMAIL
value: "true"
- name: OAUTH_PROVIDER_NAME
value: "Authentik"
- name: OPENID_PROVIDER_URL
value: "https://auth.leechpepin.com/application/o/owui/.well-known/openid-configuration"
- name: OAUTH_SCOPES
value: "openid email profile"
- name: OPENID_REDIRECT_URI
value: "https://owui.leechpepin.com/oauth/oidc/callback"
- name: OAUTH_CLIENT_ID
value: 83yKhCIsSPXSqN5pMaT8yUUMbWDHEQg9vpVOPFWP
- name: OAUTH_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: open-webui-secrets
key: AUTHENTIK_CLIENT_SECRET
- name: OPENAI_API_KEY
valueFrom:
secretKeyRef:
name: open-webui-secrets
key: PIPELINE_API_KEY
- name: RAG_EMBEDDING_ENGINE
value: "ollama"
- name: RAG_EMBEDDING_MODEL
value: "jina/jina-embeddings-v2-base-en:latest"
- name: CONTENT_EXTRACTION_ENGINE
value: "tika"
- name: RAG_OLLAMA_BASE_URL
value: "https://ollama.leechpepin.com:11434"
- name: TIKA_SERVER_URL
value: "http://tika.apps.svc.cluster.local:9998"
- name: WEBUI_URL
value: "https://owui.leechpepin.com"
- name: ENABLE_RAG_WEB_SEARCH
value: "true"
- name: RAG_WEB_SEARCH_ENGINE
value: "duckduckgo"
- name: TASK_MODEL
value: "llama3.2:latest"
- name: WEBHOOK_URL
value: "https://owui.leechpepin.com/webhook"
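Review bot: `OAUTH_MERGE_ACCOUNTS_BY_EMAIL: "true"` combined with `ENABLE_OAUTH_SIGNUP: "true"` makes the email claim from the identity provider the only key for attaching an OIDC login to an existing account. A login carrying an unverified or user-editable email could therefore be linked to someone else's account, including an administrator's. This is safe only if Authentik guarantees verified, non-editable emails for every user allowed into the `owui` application; state that assumption in a comment next to the variable or set the value to `"false"`. Separately, the HelmChart sets `chart:` and `repo:` but no `version:`, so the chart release is unpinned even though `image.tag` is pinned; adding `version: "<chart-version>"` under `spec:` makes chart upgrades a reviewed change.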


@ -12,7 +12,7 @@ transformers:
namePrefix: healthchecks- namePrefix: healthchecks-
resources: resources:
- ../../../kustomize/deployment/ - ../../../kustomize/public-oidc/
replacements: replacements:
- source: - source:
@ -110,4 +110,4 @@ configMapGenerator:
- SITE_NAME=JLP Healthchecks - SITE_NAME=JLP Healthchecks
- SITE_ROOT=https://healthchecks.leechpepin.com - SITE_ROOT=https://healthchecks.leechpepin.com
- DEBUG=False - DEBUG=False
- REMOTE_USER_HEADER=HTTP_X_AUTHENTIK_EMAIL - REGISTRATION_OPEN=False


@ -12,7 +12,7 @@ transformers:
namePrefix: ntfy- namePrefix: ntfy-
resources: resources:
- ../../../kustomize/deployment/ - ../../../kustomize/public-oidc/
replacements: replacements:
- source: - source:


@ -81,6 +81,10 @@ patches:
- path: patches/httproute.yaml - path: patches/httproute.yaml
target: target:
kind: HTTPRoute kind: HTTPRoute
- path: patches/pvc.yaml
target:
kind: PersistentVolumeClaim
name: pvc
labels: labels:
- includeSelectors: true - includeSelectors: true


@ -5,6 +5,21 @@ metadata:
spec: spec:
template: template:
spec: spec:
tolerations:
- key: "public"
operator: "Equal"
value: "true"
effect: "NoSchedule"
affinity:
nodeAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
preference:
matchExpressions:
- key: public
operator: In
values:
- "true"
containers: containers:
- name: uptime-kuma - name: uptime-kuma
image: louislam/uptime-kuma:1 image: louislam/uptime-kuma:1
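Review bot: The added `nodeAffinity` uses `preferredDuringSchedulingIgnoredDuringExecution`, which is only a scoring hint. The toleration allows the pod onto nodes tainted `public=true`, but the scheduler may still place it on any untainted node. If the intent is to confine this internet-facing workload to the public nodes, which the `longhorn-public` PVC patch elsewhere in this commit suggests, a hard constraint is needed. Add `nodeSelector:` with `public: "true"` at the same level as `tolerations:`, or use the `requiredDuringSchedulingIgnoredDuringExecution` form. The pod spec continues outside the hunk, so an existing selector there would change this assessment.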


@ -0,0 +1,6 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: pvc
spec:
storageClassName: longhorn-public