diff --git a/CHANGELOG.md b/CHANGELOG.md index f5efd6a..05572fd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,6 +9,7 @@ See [keep a changelog] for information about writing changes to this log. ## [Unreleased] * Changed nodeSelectorTerm on vllm deployments, for better upgradeability +* Added internal backups for PostgreSQL databases below LiteLLM and OpenWeb UI ## [0.1.1] - 2026-01-14 diff --git a/applications/argo-cd-resources/templates/projects/template-controller.yaml b/applications/argo-cd-resources/templates/projects/template-controller.yaml new file mode 100644 index 0000000..f43f247 --- /dev/null +++ b/applications/argo-cd-resources/templates/projects/template-controller.yaml @@ -0,0 +1,25 @@ +apiVersion: argoproj.io/v1alpha1 +kind: AppProject +metadata: + name: template-controller +spec: + destinations: + - name: in-cluster + namespace: template-controller + server: https://kubernetes.default.svc + clusterResourceWhitelist: + - group: '' + kind: Namespace + - group: apiextensions.k8s.io + kind: CustomResourceDefinition + - group: rbac.authorization.k8s.io + kind: ClusterRole + - group: rbac.authorization.k8s.io + kind: ClusterRoleBinding + namespaceResourceWhitelist: + - group: '*' + kind: '*' + orphanedResources: + warn: false + sourceRepos: + - {{ .Values.repoUrl }} # git repository diff --git a/applications/argo-cd-resources/values.yaml b/applications/argo-cd-resources/values.yaml index aa5a8ad..b72bb1d 100644 --- a/applications/argo-cd-resources/values.yaml +++ b/applications/argo-cd-resources/values.yaml @@ -33,6 +33,11 @@ apps: namespace: kube-system automated: true + - name: template-controller + project: template-controller + namespace: template-controller + automated: true + ## Storage - name: cloudnative-pg-operator project: cloudnative-pg-operator diff --git a/applications/litellm/cloudnative-pg-values.yaml b/applications/litellm/cloudnative-pg-values.yaml index 2ece933..31d5759 100644 --- a/applications/litellm/cloudnative-pg-values.yaml 
+++ b/applications/litellm/cloudnative-pg-values.yaml @@ -4,7 +4,7 @@ cloudnative-pg: # -- Override the full name of the chart fullnameOverride: cloudnative-pg-cluster # -- Override the namespace of the chart - namespaceOverride: "litellm" + namespaceOverride: "" ### # -- Type of the CNPG database. Available types: @@ -372,11 +372,11 @@ cloudnative-pg: backups: # -- You need to configure backups manually, so backups are disabled by default. - enabled: false + enabled: true # -- Overrides the provider specific default endpoint. Defaults to: # S3: https://s3..amazonaws.com" - endpointURL: https://hel1.your-objectstorage.com # Leave empty if using the default S3 endpoint + endpointURL: http://rook-ceph-rgw-ceph-objectstore.rook-ceph.svc # Leave empty if using the default S3 endpoint # -- Specifies a CA bundle to validate a privately signed certificate. endpointCA: # -- Creates a secret with the given value if true, otherwise uses an existing secret. @@ -393,9 +393,9 @@ cloudnative-pg: # -- One of `s3`, `azure` or `google` provider: s3 s3: - region: hel1 - bucket: kom1-cluster-backups - path: /litellm/ + region: + bucket: litellm-backup-bucket + path: / accessKey: "" secretKey: "" # -- Use the role based authentication without providing explicitly the keys @@ -418,7 +418,7 @@ cloudnative-pg: # -- Whether to create a secret for the backup credentials create: false # -- Name of the backup credentials secret - name: hetzner-s3-backup-credentials + name: litellm-backup-bucket-transformed wal: # -- WAL compression method. One of `` (for no compression), `gzip`, `bzip2` or `snappy`. diff --git a/applications/litellm/templates/backup-bucket-transformer.yaml b/applications/litellm/templates/backup-bucket-transformer.yaml new file mode 100644 index 0000000..3f244f4 --- /dev/null +++ b/applications/litellm/templates/backup-bucket-transformer.yaml 
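Review bot: The new `endpointURL` is plain `http://`, so base backups and the WAL archive of the LiteLLM database travel to the RGW unencrypted, and the `endpointCA` field directly below it stays unused. If the rook-ceph RGW service exposes TLS, prefer `endpointURL: https://rook-ceph-rgw-ceph-objectstore.rook-ceph.svc` with `endpointCA` pointing at the cluster CA; otherwise record in a comment why cleartext in-cluster traffic is acceptable here. The same line is changed in applications/openwebui/cloudnative-pg-values.yaml.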
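Review bot: `region:` is now a bare empty value, which YAML parses as null rather than an empty string, unlike the neighbouring `accessKey: ""`; write `region: ""` so the chart template sees the same type as the other fields (likely equivalent after rendering, but consistent). The bucket `litellm-backup-bucket` and, in the last hunk of this file, the secret `litellm-backup-bucket-transformed` are hard-coded, while the ObjectBucketClaim and ObjectTemplate added in this commit derive both names from `{{ .Release.Name }}`, so a different release name breaks backups; a comment such as `# must equal <release name>-backup-bucket, see templates/backup-bucket.yaml` would make that coupling visible. The openwebui values file in this commit has the same two issues.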
@@ -0,0 +1,51 @@
+apiVersion: templates.kluctl.io/v1alpha1
+kind: ObjectTemplate
+metadata:
+ name: {{ .Release.Name }}-backup-bucket-transformer
+spec:
+ serviceAccountName: {{ .Release.Name }}-backup-bucket-transformer
+ prune: true
+ matrix:
+ - name: secret
+ object:
+ ref:
+ apiVersion: v1
+ kind: Secret
+ name: {{ .Release.Name }}-backup-bucket
+ templates:
+ - object:
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: {{ .Release.Name }}-backup-bucket-transformed
+ data:
+ ACCESS_KEY_ID: {{ "'{{ matrix.secret.data.AWS_ACCESS_KEY_ID }}'" }}
+ ACCESS_SECRET_KEY: {{ "'{{ matrix.secret.data.AWS_SECRET_ACCESS_KEY }}'" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ .Release.Name }}-backup-bucket-transformer
+rules:
+ - apiGroups: [""]
+ resources: ["secrets"]
+ resourceNames: ["{{ .Release.Name }}-backup-bucket", "{{ .Release.Name }}-backup-bucket-transformed"]
+ verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ .Release.Name }}-backup-bucket-transformer
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ .Release.Name }}-backup-bucket-transformer
+subjects:
+ - kind: ServiceAccount
+ name: {{ .Release.Name }}-backup-bucket-transformer
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Release.Name }}-backup-bucket-transformer
diff --git a/applications/litellm/templates/backup-bucket.yaml b/applications/litellm/templates/backup-bucket.yaml
new file mode 100644
index 0000000..0e599f2
--- /dev/null
+++ b/applications/litellm/templates/backup-bucket.yaml
@@ -0,0 +1,7 @@
+apiVersion: objectbucket.io/v1alpha1
+kind: ObjectBucketClaim
+metadata:
+ name: {{ .Release.Name }}-backup-bucket
+spec:
+ bucketName: {{ .Release.Name }}-backup-bucket
+ storageClassName: s3-bucket-retain
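Review bot: The Role grants `verbs: ["*"]` on both secrets, although the ObjectTemplate only reads `{{ .Release.Name }}-backup-bucket` (the `matrix` ref) and only writes `{{ .Release.Name }}-backup-bucket-transformed`, so a compromise of the transformer's service account could also delete or rewrite the bucket-credential secret that the ObjectBucketClaim owns. Splitting the rule by secret keeps the controller to what it needs; the exact verbs the template-controller requires with `prune: true` should be confirmed against its documentation, and `resourceNames` do not constrain `list`/`watch` unless the request carries a name field selector. This file is byte-identical to applications/openwebui/templates/backup-bucket-transformer.yaml, so the same applies there; a shared library chart would keep the two copies from drifting.
```yaml
# … unchanged: ObjectTemplate document and Role header …
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["{{ .Release.Name }}-backup-bucket"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["{{ .Release.Name }}-backup-bucket-transformed"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
# … unchanged: RoleBinding and ServiceAccount documents …
```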
diff --git a/applications/openwebui/cloudnative-pg-values.yaml b/applications/openwebui/cloudnative-pg-values.yaml index e3de3d9..668a4c2 100644 --- a/applications/openwebui/cloudnative-pg-values.yaml +++ b/applications/openwebui/cloudnative-pg-values.yaml @@ -375,7 +375,7 @@ cloudnative-pg: # -- Overrides the provider specific default endpoint. Defaults to: # S3: https://s3..amazonaws.com" - endpointURL: https://hel1.your-objectstorage.com # Leave empty if using the default S3 endpoint + endpointURL: http://rook-ceph-rgw-ceph-objectstore.rook-ceph.svc # Leave empty if using the default S3 endpoint # -- Specifies a CA bundle to validate a privately signed certificate. endpointCA: # -- Creates a secret with the given value if true, otherwise uses an existing secret. @@ -392,9 +392,9 @@ cloudnative-pg: # -- One of `s3`, `azure` or `google` provider: s3 s3: - region: hel1 - bucket: kom1-cluster-backups - path: /openwebui/ + region: + bucket: openwebui-backup-bucket + path: / accessKey: "" secretKey: "" # -- Use the role based authentication without providing explicitly the keys @@ -417,7 +417,7 @@ cloudnative-pg: # -- Whether to create a secret for the backup credentials create: false # -- Name of the backup credentials secret - name: hetzner-s3-backup-credentials + name: openwebui-backup-bucket-transformed wal: # -- WAL compression method. One of `` (for no compression), `gzip`, `bzip2` or `snappy`. diff --git a/applications/openwebui/templates/backup-bucket-transformer.yaml b/applications/openwebui/templates/backup-bucket-transformer.yaml new file mode 100644 index 0000000..3f244f4 --- /dev/null +++ b/applications/openwebui/templates/backup-bucket-transformer.yaml 
@@ -0,0 +1,51 @@
+apiVersion: templates.kluctl.io/v1alpha1
+kind: ObjectTemplate
+metadata:
+ name: {{ .Release.Name }}-backup-bucket-transformer
+spec:
+ serviceAccountName: {{ .Release.Name }}-backup-bucket-transformer
+ prune: true
+ matrix:
+ - name: secret
+ object:
+ ref:
+ apiVersion: v1
+ kind: Secret
+ name: {{ .Release.Name }}-backup-bucket
+ templates:
+ - object:
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: {{ .Release.Name }}-backup-bucket-transformed
+ data:
+ ACCESS_KEY_ID: {{ "'{{ matrix.secret.data.AWS_ACCESS_KEY_ID }}'" }}
+ ACCESS_SECRET_KEY: {{ "'{{ matrix.secret.data.AWS_SECRET_ACCESS_KEY }}'" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ .Release.Name }}-backup-bucket-transformer
+rules:
+ - apiGroups: [""]
+ resources: ["secrets"]
+ resourceNames: ["{{ .Release.Name }}-backup-bucket", "{{ .Release.Name }}-backup-bucket-transformed"]
+ verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ .Release.Name }}-backup-bucket-transformer
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ .Release.Name }}-backup-bucket-transformer
+subjects:
+ - kind: ServiceAccount
+ name: {{ .Release.Name }}-backup-bucket-transformer
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Release.Name }}-backup-bucket-transformer
diff --git a/applications/openwebui/templates/backup-bucket.yaml b/applications/openwebui/templates/backup-bucket.yaml
new file mode 100644
index 0000000..0e599f2
--- /dev/null
+++ b/applications/openwebui/templates/backup-bucket.yaml
@@ -0,0 +1,7 @@
+apiVersion: objectbucket.io/v1alpha1
+kind: ObjectBucketClaim
+metadata:
+ name: {{ .Release.Name }}-backup-bucket
+spec:
+ bucketName: {{ .Release.Name }}-backup-bucket
+ storageClassName: s3-bucket-retain
diff --git a/applications/template-controller/Chart.yaml b/applications/template-controller/Chart.yaml
new file mode 100644
index 0000000..ec7f8b4
--- /dev/null
+++ b/applications/template-controller/Chart.yaml
@@ -0,0 +1,7 @@
+apiVersion: v2
+name: template-controller
+version: 0.0.0
+dependencies:
+ - name: template-controller
+ version: 0.9.4
+ repository: oci://ghcr.io/kluctl/charts
diff --git a/applications/template-controller/values.yaml b/applications/template-controller/values.yaml
new file mode 100644
index 0000000..86cde55
--- /dev/null
+++ b/applications/template-controller/values.yaml
@@ -0,0 +1,78 @@
+# Default values for flux-kluctl-controller.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+image:
+ repository: ghcr.io/kluctl/template-controller
+ pullPolicy: IfNotPresent
+ # Overrides the image tag whose default is the chart appVersion.
+ tag: ""
+
+# -- If set, install and upgrade CRDs through helm chart.
+installCRDs: true
+
+crds:
+ annotations: {}
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+serviceAccount:
+ # Specifies whether a service account should be created
+ create: true
+ # Annotations to add to the service account
+ annotations: {}
+ # The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template
+ name: ""
+
+podAnnotations:
+ prometheus.io/scrape: "true"
+ prometheus.io/port: "8080"
+
+podSecurityContext:
+ fsGroup: 1337
+
+securityContext:
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 1337
+ seccompProfile:
+ type: RuntimeDefault
+
+# Additional environment variables
+env: []
+ # - name: HTTPS_PROXY
+ # value: https://proxy.example.org
+ # - name: NO_PROXY
+ # value: 10.96.0.1
+
+service:
+ type: ClusterIP
+ prometheus:
+ port: 8080
+ health:
+ port: 8081
+
+resources: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 1000m
+ # memory: 1Gi
+ # requests:
+ # cpu: 100m
+# memory: 64Mi
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
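Review bot: These values sit at the top level of the wrapper chart's values.yaml, but Helm only hands values to the `template-controller` dependency declared in Chart.yaml when they are nested under a `template-controller:` key (or `global:`), so unless the wrapper ships templates of its own that read them (none appear in this commit) the file does not reach the subchart and the hardening shown here (`readOnlyRootFilesystem`, `runAsNonRoot`, `seccompProfile`) is whatever upstream defaults to, not what a reader of this file will assume. The litellm and openwebui charts in this commit nest their values under `cloudnative-pg:` for exactly this reason; nest this whole file one level under `template-controller:`, or drop it if the upstream defaults are intended. The header comment `# Default values for flux-kluctl-controller.` also names the wrong chart; `# Values passed to the kluctl template-controller subchart.` would be accurate.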