add ollama

clusters/cl01tl/platform/ollama/Chart.yaml

@@ -0,0 +1,29 @@
+apiVersion: v2
+name: ollama
+version: 1.0.0
+description: Ollama
+keywords:
+  - ollama
+  - ai
+home: https://wiki.alexlebens.dev/doc/ollama-
+sources:
+  - https://github.com/ollama/ollama
+  - https://github.com/open-webui/open-webui
+  - https://github.com/cloudnative-pg/cloudnative-pg
+  - https://hub.docker.com/r/ollama/ollama
+  - https://github.com/open-webui/open-webui/pkgs/container/open-webui
+  - https://github.com/bjw-s/helm-charts/tree/main/charts/other/app-template
+  - https://github.com/alexlebens/helm-charts/tree/main/charts/postgres-cluster
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: app-template
+    alias: ollama
+    repository: https://bjw-s.github.io/helm-charts/
+    version: 3.4.0
+  - name: postgres-cluster
+    alias: postgres-16-cluster
+    version: 3.12.0
+    repository: http://alexlebens.github.io/helm-charts
+icon: https://avatars.githubusercontent.com/u/151674099?s=48&v=4
+appVersion: 0.3.12

clusters/cl01tl/platform/ollama/templates/external-secret.yaml

@@ -0,0 +1,206 @@
+
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: ollama-key-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: ollama-key-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: key
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/ollama/key
+        metadataPolicy: None
+        property: key
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: ollama-oidc-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: ollama-oidc-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: auth
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: client
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /authentik/oidc/ollama
+        metadataPolicy: None
+        property: client
+    - secretKey: secret
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /authentik/oidc/ollama
+        metadataPolicy: None
+        property: secret
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: ollama-root-backup-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: ollama-root-backup-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: backup
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  target:
+    template:
+      mergePolicy: Merge
+      engineVersion: v2
+      data:
+        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/ollama/ollama-root"
+  data:
+    - secretKey: BUCKET_ENDPOINT
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/volsync/restic/config
+        metadataPolicy: None
+        property: S3_BUCKET_ENDPOINT
+    - secretKey: RESTIC_PASSWORD
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/volsync/restic/config
+        metadataPolicy: None
+        property: RESTIC_PASSWORD
+    - secretKey: AWS_DEFAULT_REGION
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/volsync/restic/config
+        metadataPolicy: None
+        property: AWS_DEFAULT_REGION
+    - secretKey: AWS_ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /aws/keys/cl01tl-volsync-backups
+        metadataPolicy: None
+        property: access_key
+    - secretKey: AWS_SECRET_ACCESS_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /aws/keys/cl01tl-volsync-backups
+        metadataPolicy: None
+        property: secret_key
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: ollama-web-backup-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: ollama-web-backup-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: backup
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  target:
+    template:
+      mergePolicy: Merge
+      engineVersion: v2
+      data:
+        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/ollama/ollama-web"
+  data:
+    - secretKey: BUCKET_ENDPOINT
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/volsync/restic/config
+        metadataPolicy: None
+        property: S3_BUCKET_ENDPOINT
+    - secretKey: RESTIC_PASSWORD
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/volsync/restic/config
+        metadataPolicy: None
+        property: RESTIC_PASSWORD
+    - secretKey: AWS_DEFAULT_REGION
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/volsync/restic/config
+        metadataPolicy: None
+        property: AWS_DEFAULT_REGION
+    - secretKey: AWS_ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /aws/keys/cl01tl-volsync-backups
+        metadataPolicy: None
+        property: access_key
+    - secretKey: AWS_SECRET_ACCESS_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /aws/keys/cl01tl-volsync-backups
+        metadataPolicy: None
+        property: secret_key
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: ollama-web-postgresql-16-cluster-backup-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: ollama-web-postgresql-16-cluster-backup-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: database
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /aws/keys/cl01tl-ollama-web-postgresql
+        metadataPolicy: None
+        property: access_key
+    - secretKey: ACCESS_SECRET_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /aws/keys/cl01tl-ollama-web-postgresql
+        metadataPolicy: None
+        property: secret_key

clusters/cl01tl/platform/ollama/templates/replication-source.yaml

@@ -0,0 +1,59 @@
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+  name: ollama-root-backup-source
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: ollama-root-backup-source
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: backup
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  sourcePVC: ollama-root
+  trigger:
+    schedule: 0 0 * * *
+  restic:
+    pruneIntervalDays: 7
+    repository: ollama-root-backup-secret
+    retain:
+      hourly: 1
+      daily: 1
+      weekly: 3
+      monthly: 2
+      yearly: 4
+    copyMethod: Snapshot
+    storageClassName: ceph-block-delete
+    volumeSnapshotClassName: ceph-blockpool-snapshot
+
+---
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+  name: ollama-web-data-backup-source
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: ollama-web-data-backup-source
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: backup
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  sourcePVC: ollama-web-data
+  trigger:
+    schedule: 0 0 * * *
+  restic:
+    pruneIntervalDays: 7
+    repository: ollama-web-data-backup-secret
+    retain:
+      hourly: 1
+      daily: 1
+      weekly: 3
+      monthly: 2
+      yearly: 4
+    moverSecurityContext:
+      runAsUser: 1337
+      runAsGroup: 1337
+    copyMethod: Snapshot
+    storageClassName: ceph-block-delete
+    volumeSnapshotClassName: ceph-blockpool-snapshot

clusters/cl01tl/platform/ollama/values.yaml

@@ -0,0 +1,162 @@
+ollama:
+  controllers:
+    main:
+      type: deployment
+      replicas: 1
+      strategy: Recreate
+      revisionHistoryLimit: 3
+      containers:
+        main:
+          image:
+            repository: ollama/ollama
+            tag: 0.3.12
+            pullPolicy: IfNotPresent
+          env:
+            - name: OLLAMA_KEEP_ALIVE
+              value: 24h
+            - name: OLLAMA_HOST
+              value: 0.0.0.0
+          resources:
+            limits:
+              cpu: 5000m
+              memory: 8Gi
+              gpu.intel.com/i915: 1
+            requests:
+              cpu: 100m
+              memory: 8Gi
+              gpu.intel.com/i915: 1
+    web:
+      type: deployment
+      replicas: 1
+      strategy: Recreate
+      revisionHistoryLimit: 3
+      containers:
+        main:
+          image:
+            repository: ghcr.io/open-webui/open-webui
+            tag: 0.3.12
+            pullPolicy: IfNotPresent
+          env:
+            - name: ENV
+              value: prod
+            - name: WEBUI_AUTH
+              value: true
+            - name: WEBUI_NAME
+              value: Ollama
+            - name: WEBUI_URL
+              value: http://ollama-cl01tl.boreal-beaufort.ts.net
+            - name: ENABLE_LOGIN_FORM
+              value: false
+            - name: DEFAULT_USER_ROLE
+              value: admin
+            - name: WEBUI_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: ollama-secret-key
+                  key: key
+            - name: DATABASE_URL
+              valueFrom:
+                secretKeyRef:
+                  name: ollama-web-postgresql-16-cluster-app
+                  key: uri
+            - name: OLLAMA_BASE_URL
+              value: http://ollama-main.ollama:11434
+            - name: ENABLE_OAUTH_SIGNUP
+              value: true
+            - name: OAUTH_USERNAME_CLAIM
+              value: preferred_username
+            - name: OAUTH_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: ollama-oidc-secret
+                  key: secret
+            - name: OAUTH_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: ollama-oidc-secret
+                  key: client
+            - name: OAUTH_PROVIDER_NAME
+              value: Authentik
+            - name: OPENID_PROVIDER_URL
+              value: https://auth-cl01tl.boreal-beaufort.ts.net/application/o/ollama-web/.well-known/openid-configuration
+          resources:
+            requests:
+              cpu: 100m
+              memory: 128Mi
+  serviceAccount:
+    create: true
+  service:
+    main:
+      controller: main
+      ports:
+        http:
+          port: 11434
+          targetPort: 11434
+          protocol: HTTP
+    web:
+      controller: web
+      ports:
+        http:
+          port: 80
+          targetPort: 8080
+          protocol: HTTP
+  ingress:
+    main:
+      className: tailscale
+      hosts:
+        - host: ollama-cl01tl
+          paths:
+            - path: /
+              pathType: Prefix
+              service:
+                name: ollama-web
+                port: 80
+      tls:
+        - secretName: ollama-cl01tl
+          hosts:
+            - ollama-cl01tl
+  persistence:
+    root:
+      storageClass: ceph-block
+      accessMode: ReadWriteOnce
+      size: 10Gi
+      retain: true
+      advancedMounts:
+        main:
+          main:
+            - path: /root/.ollama
+              readOnly: false
+    web-data:
+      storageClass: ceph-block
+      accessMode: ReadWriteOnce
+      size: 1Gi
+      retain: true
+      advancedMounts:
+        web:
+          main:
+            - path: /app/backend/data
+              readOnly: false
+postgres-16-cluster:
+  nameOverride: ollama-web-postgresql-16
+  mode: standalone
+  cluster:
+    walStorage:
+      storageClass: local-path
+    storage:
+      storageClass: local-path
+    monitoring:
+      enabled: true
+      prometheusRule:
+        enabled: false
+  backup:
+    enabled: true
+    endpointURL: https://s3.us-east-2.amazonaws.com
+    destinationPath: s3://cl01tl-postgresql-backups/ollama-web
+    endpointCredentials: ollama-postgresql-16-cluster-backup-secret
+    backupIndex: 1
+    tags:
+      backupRetentionPolicy: "expire"
+      user: "cl01tl-ollama-web-postgresql"
+    historyTags:
+      backupRetentionPolicy: "keep"
+      user: "cl01tl-ollama-web-postgresql"