Update renovate/renovate Docker tag to v39.245.1

Reviewed-on: #18

apps/gitea/backups.yaml

@@ -0,0 +1,33 @@
+apiVersion: k8up.io/v1
+kind: Schedule
+metadata:
+  name: gitea-backup
+  namespace: gitea
+spec:
+  backend:
+    # Manually adding secrets for now
+    repoPasswordSecretRef:
+      name: restic-repo
+      key: password
+    s3:
+      endpoint: https://s3.eu-central-003.backblazeb2.com
+      bucket: lumpiasty-backups
+      accessKeyIDSecretRef:
+        name: backblaze
+        key: keyid
+      secretAccessKeySecretRef:
+        name: backblaze
+        key: secret
+  backup:
+    schedule: "@daily-random"
+    failedJobsHistoryLimit: 2
+    successfulJobsHistoryLimit: 2
+  check:
+    schedule: "@daily-random"
+  prune:
+    schedule: "@daily-random"
+    retention:
+      keepLast: 14
+      keepDaily: 14
+      keepWeekly: 50
+      keepYearly: 10

apps/gitea/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yaml
+  - release.yaml
+  - backups.yaml
+  - postgres-cluster.yaml

apps/gitea/namespace.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: gitea

apps/gitea/postgres-cluster.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: gitea-postgresql-cluster
+  namespace: gitea
+spec:
+  instances: 1
+
+  storage:
+    size: 10Gi
+    storageClass: mayastor-single-hdd

apps/gitea/release.yaml

@@ -1,9 +1,3 @@
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: gitea
----
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
@@ -23,7 +17,7 @@ spec:
   chart:
     spec:
       chart: gitea
-      version: 10.6.0
+      version: 11.0.1
       sourceRef:
         kind: HelmRepository
         name: gitea-charts
@@ -60,9 +54,6 @@ spec:
       enabled: true
       storageClass: mayastor-single-hdd
 
-    image:
-      tag: 1.23.3
-
     gitea:
       config:
         database:
@@ -111,37 +102,3 @@ spec:
       resources:
         requests:
           cpu: 0
----
-apiVersion: k8up.io/v1
-kind: Schedule
-metadata:
-  name: gitea-backup
-  namespace: gitea
-spec:
-  backend:
-    # Manually adding secrets for now
-    repoPasswordSecretRef:
-      name: restic-repo
-      key: password
-    s3:
-      endpoint: https://s3.eu-central-003.backblazeb2.com
-      bucket: lumpiasty-backups
-      accessKeyIDSecretRef:
-        name: backblaze
-        key: keyid
-      secretAccessKeySecretRef:
-        name: backblaze
-        key: secret
-  backup:
-    schedule: "@daily-random"
-    failedJobsHistoryLimit: 2
-    successfulJobsHistoryLimit: 2
-  check:
-    schedule: "@daily-random"
-  prune:
-    schedule: "@daily-random"
-    retention:
-      keepLast: 14
-      keepDaily: 14
-      keepWeekly: 50
-      keepYearly: 10

apps/kustomization.yaml

@@ -1,5 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - gitea.yaml
+  - gitea
-  - renovate.yaml
+  - renovate
+  - ollama
+  - librechat

apps/librechat/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yaml
+  - release.yaml

apps/librechat/namespace.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: librechat

apps/librechat/release.yaml

@@ -0,0 +1,90 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: bat-librechat
+  namespace: librechat
+spec:
+  interval: 24h
+  url: https://charts.blue-atlas.de
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: librechat
+  namespace: librechat
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: librechat
+      version: 1.8.9
+      sourceRef:
+        kind: HelmRepository
+        name: bat-librechat
+  values:
+    global:
+      librechat:
+        existingSecretName: librechat
+    librechat:
+      configEnv:
+        PLUGIN_MODELS: null
+        ALLOW_REGISTRATION: "false"
+        TRUST_PROXY: "1"
+        DOMAIN_CLIENT: https://librechat.lumpiasty.xyz
+        SEARCH: "true"
+      existingSecretName: librechat
+      configYamlContent: |
+        version: 1.0.3
+
+        endpoints:
+          custom:
+            - name: "Ollama"
+              apiKey: "ollama"
+              baseURL: "http://ollama.ollama.svc.cluster.local:11434/v1/chat/completions" 
+              models:
+                default: [
+                  "llama2",
+                  "mistral",
+                  "codellama",
+                  "dolphin-mixtral",
+                  "mistral-openorca"
+                  ]
+                # fetching list of models is supported but the `name` field must start
+                # with `ollama` (case-insensitive), as it does in this example.
+                fetch: true
+              titleConvo: true
+              titleModel: "current_model"
+              summarize: false
+              summaryModel: "current_model"
+              forcePrompt: false
+              modelDisplayLabel: "Ollama"
+      imageVolume:
+        enabled: true
+        size: 10G
+        accessModes: ReadWriteOnce
+        storageClassName: mayastor-single-hdd
+    ingress:
+      enabled: true
+      className: nginx
+      annotations:
+        cert-manager.io/cluster-issuer: letsencrypt
+      hosts:
+        - host: librechat.lumpiasty.xyz
+          paths:
+            - path: /
+              pathType: ImplementationSpecific
+      tls:
+        - hosts:
+            - librechat.lumpiasty.xyz
+          secretName: librechat-ingress
+
+    mongodb:
+      persistence:
+        storageClass: mayastor-single-hdd
+
+    meilisearch:
+      persistence:
+        storageClass: mayastor-single-hdd
+      auth:
+        existingMasterKeySecret: librechat

apps/ollama/auth-proxy.yaml

@@ -0,0 +1,68 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ollama-proxy
+  namespace: ollama
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: ollama-proxy
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: ollama-proxy
+    spec:
+      containers:
+        - name: caddy
+          image: caddy:2.9.1-alpine
+          imagePullPolicy: IfNotPresent
+          volumeMounts:
+            - mountPath: /etc/caddy
+              name: proxy-config
+          env:
+            - name: API_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: ollama-api-key
+                  key: API_KEY
+      volumes:
+        - name: proxy-config
+          configMap:
+            name: ollama-proxy-config
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  namespace: ollama
+  name: ollama-proxy-config
+data:
+  Caddyfile: |
+    http://ollama.lumpiasty.xyz {
+
+      @requireAuth {
+        not header Authorization "Bearer {env.API_KEY}"
+      }
+
+      respond @requireAuth "Unauthorized" 401
+
+      reverse_proxy ollama:11434 {
+        flush_interval -1
+      }
+    }
+---
+apiVersion: v1
+kind: Service
+metadata:
+  namespace: ollama
+  name: ollama-proxy
+spec:
+  type: ClusterIP
+  selector:
+    app.kubernetes.io/name: ollama-proxy
+  ports:
+    - name: http
+      port: 80
+      targetPort: 80
+      protocol: TCP

apps/ollama/ingress.yaml

@@ -0,0 +1,28 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  namespace: ollama
+  name: ollama
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    acme.cert-manager.io/http01-edit-in-place: "true"
+    nginx.ingress.kubernetes.io/proxy-buffering: "false"
+    nginx.ingress.kubernetes.io/proxy-read-timeout: 30m
+spec:
+  ingressClassName: nginx
+  rules:
+    - host: ollama.lumpiasty.xyz
+      http:
+        paths:
+          - backend:
+              service:
+                name: ollama-proxy
+                port:
+                  number: 80
+            path: /
+            pathType: Prefix
+  tls:
+    - hosts:
+        - ollama.lumpiasty.xyz
+      secretName: ollama-ingress

apps/ollama/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yaml
+  - release.yaml
+  - auth-proxy.yaml
+  - ingress.yaml

apps/ollama/namespace.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ollama

apps/ollama/release.yaml

@@ -0,0 +1,60 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: ollama-helm
+  namespace: ollama
+spec:
+  interval: 24h
+  url: https://otwld.github.io/ollama-helm/
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: ollama
+  namespace: ollama
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: ollama
+      version: 1.14.0
+      sourceRef:
+        kind: HelmRepository
+        name: ollama-helm
+        namespace: ollama
+      interval: 12h
+  values:
+    ollama:
+      gpu:
+        enabled: false
+    persistentVolume:
+      enabled: true
+      storageClass: mayastor-single-hdd
+      size: 200Gi
+    # GPU support
+    # Rewrite of options in
+    # https://hub.docker.com/r/grinco/ollama-amd-apu
+    image:
+      repository: grinco/ollama-amd-apu
+      tag: vulkan
+    securityContext:
+      # Not ideal
+      privileged: true
+      capabilities:
+        add:
+          - PERFMON
+    volumeMounts:
+      - name: kfd
+        mountPath: /dev/kfd
+      - name: dri
+        mountPath: /dev/dri
+    volumes:
+      - name: kfd
+        hostPath:
+          path: /dev/kfd
+          type: CharDevice
+      - name: dri
+        hostPath:
+          path: /dev/dri
+          type: Directory

apps/renovate/cronjob.yaml

@@ -1,9 +1,4 @@
 ---
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: renovate
----
 apiVersion: batch/v1
 kind: CronJob
 metadata:
@@ -20,7 +15,7 @@ spec:
             - name: renovate
               # Update this to the latest available and then enable Renovate on
               # the manifest
-              image: renovate/renovate:39.215.2-full
+              image: renovate/renovate:39.245.1-full
               envFrom:
                 - secretRef:
                     name: renovate-env

apps/renovate/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yaml
+  - cronjob.yaml

apps/renovate/namespace.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: renovate

infra/controllers/cert-manager.yaml

@@ -23,7 +23,7 @@ spec:
   chart:
     spec:
       chart: cert-manager
-      version: 1.17.0
+      version: v1.17.1
       sourceRef:
         kind: HelmRepository
         name: cert-manager

infra/controllers/cloudnative-pg.yaml

@@ -0,0 +1,31 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cnpg-system
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: cnpg
+  namespace: cnpg-system
+spec:
+  interval: 24h
+  url: https://cloudnative-pg.github.io/charts
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: cnpg
+  namespace: cnpg-system
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: cloudnative-pg
+      version: 0.23.2
+      sourceRef:
+        kind: HelmRepository
+        name: cnpg
+        namespace: cnpg-system
+      interval: 12h

infra/controllers/dns-public.yaml

@@ -97,7 +97,7 @@ spec:
           env:
             - name: GOMEMLIMIT
               value: 161MiB
-          image: registry.k8s.io/coredns/coredns:v1.12.0
+          image: registry.k8s.io/coredns/coredns:v1.12.1
           imagePullPolicy: IfNotPresent
           livenessProbe:
             failureThreshold: 5

infra/controllers/k8up.yaml

@@ -23,7 +23,7 @@ spec:
   chart:
     spec:
       chart: k8up
-      version: 4.8.3
+      version: 4.8.4
       sourceRef:
         kind: HelmRepository
         name: k8up-io

infra/controllers/mongodb-operator.yaml

@@ -0,0 +1,33 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: mongodb
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: mongodb
+  namespace: mongodb
+spec:
+  interval: 24h
+  url: https://mongodb.github.io/helm-charts
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: mongodb-operator
+  namespace: mongodb
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: community-operator
+      version: 0.13.0
+      sourceRef:
+        kind: HelmRepository
+        name: mongodb
+        namespace: mongodb
+  values:
+    operator:
+      watchNamespace: "*"

infra/controllers/nginx.yaml

@@ -54,3 +54,6 @@ spec:
           lbipam.cilium.io/sharing-key: gitea
           lbipam.cilium.io/sharing-cross-namespace: gitea
           lbipam.cilium.io/ips: 10.44.0.0,2001:470:61a3:400::1
+      config:
+        entries:
+          proxy-buffering: "false"

infra/controllers/openbao.yaml

@@ -23,7 +23,7 @@ spec:
   chart:
     spec:
       chart: openbao
-      version: 0.8.1
+      version: 0.10.1
       sourceRef:
         kind: HelmRepository
         name: openbao

infra/controllers/openebs.yaml

@@ -23,7 +23,7 @@ spec:
   chart:
     spec:
       chart: openebs
-      version: 4.1.3
+      version: 4.2.0
       sourceRef:
         kind: HelmRepository
         name: openebs

infra/kustomization.yaml

@@ -10,6 +10,8 @@ resources:
   - controllers/openebs.yaml
   - controllers/k8up.yaml
   - controllers/openbao.yaml
+  - controllers/mongodb-operator.yaml
+  - controllers/cloudnative-pg.yaml
   - diskpools/anapistula-delrosalae-hdd.yaml
   - configs/bgp-cluster-config.yaml
   - configs/loadbalancer-ippool.yaml

renovate.json

@@ -1,10 +1,14 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "kubernetes": {
-    "fileMatch": ["\\.yaml$"]
+    "fileMatch": ["infra/.+\\.yaml$", "apps/.+\\.yaml$"]
   },
   "flux": {
-    "fileMatch": ["infra/.+\\.yaml$", "apps/.+\\.yaml$"]
+    "fileMatch": [
+      "infra/.+\\.yaml$",
+      "apps/.+\\.yaml$",
+      "gotk-components\\.ya?ml$"
+    ]
   },
   "prHourlyLimit": 9
 }

talos/patches/ollama.patch

@@ -0,0 +1,11 @@
+# CSI driver requirement
+cluster:
+  apiServer:
+    admissionControl:
+      - name: PodSecurity
+        configuration:
+          apiVersion: pod-security.admission.config.k8s.io/v1beta1
+          kind: PodSecurityConfiguration
+          exemptions:
+            namespaces:
+              - ollama