feat(k8s): add open webui and open webui pipelines

cloud-infrastructure/terraform/environments/production/aws/kubernetes/main.tf

@@ -715,3 +715,27 @@ module "hm_kubernetes_namespace_hm_litellm" {
     module.amazon_eks_cluster
   ]
 }
+
+# Open WebUI
+# Open WebUI - Kubernetes namespace
+module "hm_kubernetes_namespace_hm_open_webui" {
+  source               = "../../../../modules/kubernetes/hm_kubernetes_namespace"
+  kubernetes_namespace = "${var.environment}-hm-open-webui"
+  labels = {
+    "goldilocks.fairwinds.com/enabled" = "true"
+  }
+  depends_on = [
+    module.amazon_eks_cluster
+  ]
+}
+# Open WebUI Pipelines - Kubernetes namespace
+module "hm_kubernetes_namespace_hm_open_webui_pipelines" {
+  source               = "../../../../modules/kubernetes/hm_kubernetes_namespace"
+  kubernetes_namespace = "${var.environment}-hm-open-webui-pipelines"
+  labels = {
+    "goldilocks.fairwinds.com/enabled" = "true"
+  }
+  depends_on = [
+    module.amazon_eks_cluster
+  ]
+}

kubernetes/argo-cd/applications/production-hm/open-webui-pipelines/Makefile

@@ -0,0 +1,14 @@
+sealed-secrets-seal:
+	cat secrets/hm-open-webui-pipelines-secret.unsealed.yaml | \
+	kubeseal \
+		--controller-namespace=production-hm-sealed-secrets \
+		--controller-name=hm-sealed-secrets \
+		--format=yaml \
+		> kubernetes-manifests/hm-open-webui-pipelines-secret.yaml
+
+argo-cd-app-create:
+	argocd app create production-hm-open-webui-pipelines --file=argo-cd-manifests/hm-open-webui-pipelines-application.yaml
+argo-cd-app-update:
+	argocd app create production-hm-open-webui-pipelines --file=argo-cd-manifests/hm-open-webui-pipelines-application.yaml --upsert
+argo-cd-app-delete:
+	argocd app delete production-hm-open-webui-pipelines --yes

kubernetes/argo-cd/applications/production-hm/open-webui-pipelines/argo-cd-manifests/hm-open-webui-pipelines-application.yaml

@@ -0,0 +1,49 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: production-hm-open-webui-pipelines
+  namespace: production-hm-argo-cd
+  labels:
+    app.kubernetes.io/name: hm-open-webui-pipelines
+spec:
+  project: production-hm
+  sources:
+    - repoURL: https://helm.openwebui.com
+      # https://artifacthub.io/packages/helm/open-webui/pipelines
+      targetRevision: 0.0.4
+      chart: pipelines
+      helm:
+        releaseName: hm-open-webui-pipelines
+        values: |
+          # https://github.com/open-webui/helm-charts/blob/main/charts/pipelines/values.yaml
+          ---
+          ingress:
+            enabled: false
+          persistence:
+            enabled: true
+            existingClaim: hm-open-webui-pipelines-persistent-volume-claim
+          extraEnvVars:
+            - name: PIPELINES_API_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: hm-open-webui-pipelines-secret
+                  key: pipelines_api_key
+          resources:
+            requests:
+              cpu: 1000m
+              memory: 1Gi
+            limits:
+              cpu: 2000m
+              memory: 2Gi
+    - repoURL: git@github.com:hongbo-miao/hongbomiao.com.git
+      targetRevision: main
+      path: kubernetes/argo-cd/applications/production-hm/open-webui-pipelines/kubernetes-manifests
+  destination:
+    namespace: production-hm-open-webui-pipelines
+    server: https://kubernetes.default.svc
+  syncPolicy:
+    syncOptions:
+      - ServerSideApply=true
+    automated:
+      prune: true

kubernetes/argo-cd/applications/production-hm/open-webui-pipelines/kubernetes-manifests/hm-open-webui-pipelines-persistent-volume-claim.yaml

@@ -0,0 +1,18 @@
+# https://github.com/open-webui/helm-charts/blob/main/charts/open-webui/values.yaml
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: hm-open-webui-pipelines-persistent-volume-claim
+  namespace: production-hm-open-webui-pipelines
+  annotations:
+    # https://argo-cd.readthedocs.io/en/stable/user-guide/resource_hooks
+    argocd.argoproj.io/hook: PreSync
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 5Gi
+  storageClassName: production-hm-open-webui-pipelines-storage-class
+  volumeName: pvc-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

kubernetes/argo-cd/applications/production-hm/open-webui-pipelines/kubernetes-manifests/hm-open-webui-pipelines-secret.yaml

@@ -0,0 +1,23 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  annotations:
+    # https://argo-cd.readthedocs.io/en/stable/user-guide/resource_hooks
+    argocd.argoproj.io/hook: PreSync
+  creationTimestamp: null
+  name: hm-open-webui-pipelines-secret
+  namespace: production-hm-open-webui-pipelines
+spec:
+  encryptedData:
+    pipelines_api_key: AgB/oVDISrSy6256R8v/7WMdHqg7O00QcRldVhTsdJ1UrEJxP4z8cOc7IAiioZoRfErRn3jccBTQetkX4zLAsqXaf4kuShC0cJiEZkNqnakshRwDfYHesJqtHK39AHH4SBYAsLE+ondOiiZf/3exg7VaGViUHDh1XC92vL+aLJCQJ1kY9sh1SmJinbgoq8umhbeqcI/ug89ws0vU9AhbR0WQD0XQbqYzi7PDKsHRfFWVbghsL+++seVqkGXjbbiPwVTlZxzgr9MgnCanA6y6eyXfU7ZIE/JKPHVBz7zmrRAOnjGCF/8AFGoCunH5hCTLcoAQYSEWrFOiBQQZIh3tIM3LiJ/odBVuNIEkbRIMB5PfCwbMNuGGtLYyn2wEQP8BF85vLeWW8yZdWLlwSr5DX47k8TQN3L5f5naqX2NWGgoyO8iLU8gDbu8iitN1tbQeWSRzOddA1qyV/mujLjp8GEdn7GyMvuz4+qF1rj32okyeRq7aUOQ9Xwe2OEybEF11w7rIPdcw6TSpESihCiSC5kbOoRQ4XEEIK9p0xC8WftfAs+dwUArk6lAmFszVmn3wRv6j2nwQ2N+y94S6fIjEY1SfC6z/FT7OJEf3b1pPu8hVYkSk1ZrycYvlP5HYJTaHb4cC/cmdWYYQgK9dledzB4h8dCxo2+NoYdSQKs9uv9xJt2KS0uvW73O8EFGBFhZijVT7BnE=
+  template:
+    metadata:
+      annotations:
+        argocd.argoproj.io/hook: PreSync
+      creationTimestamp: null
+      labels:
+        app.kubernetes.io/name: hm-open-webui-pipelines-secret
+        app.kubernetes.io/part-of: production-hm-open-webui-pipelines
+      name: hm-open-webui-pipelines-secret
+      namespace: production-hm-open-webui-pipelines

kubernetes/argo-cd/applications/production-hm/open-webui-pipelines/kubernetes-manifests/production-hm-open-webui-pipelines-storage-class.yaml

@@ -0,0 +1,22 @@
+---
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: production-hm-open-webui-pipelines-storage-class
+  annotations:
+    # https://argo-cd.readthedocs.io/en/stable/user-guide/resource_hooks
+    argocd.argoproj.io/hook: PreSync
+provisioner: kubernetes.io/aws-ebs
+volumeBindingMode: Immediate
+reclaimPolicy: Retain
+allowVolumeExpansion: true
+# https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/docs/parameters.md
+parameters:
+  csi.storage.k8s.io/fstype: ext4
+  type: gp3
+  encrypted: "true"
+allowedTopologies:
+  - matchLabelExpressions:
+      - key: topology.kubernetes.io/zone
+        values:
+          - us-west-2a

kubernetes/argo-cd/applications/production-hm/open-webui-pipelines/secrets/hm-open-webui-pipelines-secret.unsealed.yaml.template

@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: hm-open-webui-pipelines-secret
+  namespace: production-hm-open-webui-pipelines
+  annotations:
+    # https://argo-cd.readthedocs.io/en/stable/user-guide/resource_hooks
+    argocd.argoproj.io/hook: PreSync
+  labels:
+    app.kubernetes.io/name: hm-open-webui-pipelines-secret
+    app.kubernetes.io/part-of: production-hm-open-webui-pipelines
+stringData:
+  pipelines_api_key: xxx

kubernetes/argo-cd/applications/production-hm/open-webui/Makefile

@@ -0,0 +1,14 @@
+sealed-secrets-seal:
+	cat secrets/hm-open-webui-secret.unsealed.yaml | \
+	kubeseal \
+		--controller-namespace=production-hm-sealed-secrets \
+		--controller-name=hm-sealed-secrets \
+		--format=yaml \
+		> kubernetes-manifests/hm-open-webui-secret.yaml
+
+argo-cd-app-create:
+	argocd app create production-hm-open-webui --file=argo-cd-manifests/hm-open-webui-application.yaml
+argo-cd-app-update:
+	argocd app create production-hm-open-webui --file=argo-cd-manifests/hm-open-webui-application.yaml --upsert
+argo-cd-app-delete:
+	argocd app delete production-hm-open-webui --yes

kubernetes/argo-cd/applications/production-hm/open-webui/argo-cd-manifests/hm-open-webui-application.yaml

@@ -0,0 +1,109 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: production-hm-open-webui
+  namespace: production-hm-argo-cd
+  labels:
+    app.kubernetes.io/name: hm-open-webui
+spec:
+  project: production-hm
+  sources:
+    - repoURL: https://helm.openwebui.com
+      # https://artifacthub.io/packages/helm/open-webui/open-webui
+      targetRevision: 3.4.3
+      chart: open-webui
+      helm:
+        releaseName: hm-open-webui
+        values: |
+          # https://github.com/open-webui/helm-charts/blob/main/charts/open-webui/values.yaml
+          ---
+          image:
+            repository: ghcr.io/open-webui/open-webui
+            # https://github.com/open-webui/open-webui/releases
+            tag: v0.3.35
+          ollama:
+            enabled: false
+          pipelines:
+            enabled: false
+          persistence:
+            enabled: true
+            existingClaim: hm-open-webui-persistent-volume-claim
+          # https://docs.openwebui.com/getting-started/env-configuration/
+          extraEnvVars:
+            - name: ENV
+              value: prod
+            - name: WEBUI_NAME
+              value: AI Chat
+            - name: WEBUI_URL
+              value: https://hm-open-webui.internal.hongbomiao.com
+            - name: OPENAI_API_BASE_URLS
+              value: http://hm-litellm-service.production-hm-litellm.svc:80;http://hm-open-webui-pipelines.production-hm-open-webui-pipelines.svc:9099
+            - name: OPENAI_API_KEYS
+              valueFrom:
+                secretKeyRef:
+                  name: hm-open-webui-secret
+                  key: openai_api_keys
+            - name: DEFAULT_MODELS
+              value: claude-3-5-sonnet
+            - name: SCARF_NO_ANALYTICS
+              value: "true"
+            - name: DO_NOT_TRACK
+              value: "true"
+            - name: CORS_ALLOW_ORIGIN
+              value: https://hm-open-webui.internal.hongbomiao.com
+            - name: WEBUI_SESSION_COOKIE_SAME_SITE
+              value: lax
+            - name: JWT_EXPIRES_IN
+              value: 7d
+            - name: ANONYMIZED_TELEMETRY
+              value: "false"
+            - name: ENABLE_COMMUNITY_SHARING
+              value: "false"
+            - name: ENABLE_MESSAGE_RATING
+              value: "false"
+            - name: ENABLE_EVALUATION_ARENA_MODELS
+              value: "false"
+            - name: ENABLE_ADMIN_CHAT_ACCESS
+              value: "false"
+            - name: ENABLE_ADMIN_EXPORT
+              value: "false"
+            - name: PDF_EXTRACT_IMAGES
+              value: "true"
+            - name: DEFAULT_USER_ROLE
+              value: user
+            - name: ENABLE_LOGIN_FORM
+              value: "false"
+            - name: ENABLE_OAUTH_SIGNUP
+              value: "true"
+            - name: OAUTH_MERGE_ACCOUNTS_BY_EMAIL
+              value: "true"
+            - name: GOOGLE_OAUTH_SCOPE
+              value: openid email profile
+            - name: GOOGLE_REDIRECT_URI
+              value: https://hm-open-webui.internal.hongbomiao.com/oauth/google/callback
+            - name: GOOGLE_CLIENT_ID
+              value: xxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com
+            - name: GOOGLE_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: hm-open-webui-secret
+                  key: google_client_secret
+          resources:
+            requests:
+              cpu: 2000m
+              memory: 4Gi
+            limits:
+              cpu: 4000m
+              memory: 8Gi
+    - repoURL: git@github.com:hongbo-miao/hongbomiao.com.git
+      targetRevision: main
+      path: kubernetes/argo-cd/applications/production-hm/open-webui/kubernetes-manifests
+  destination:
+    namespace: production-hm-open-webui
+    server: https://kubernetes.default.svc
+  syncPolicy:
+    syncOptions:
+      - ServerSideApply=true
+    automated:
+      prune: true

kubernetes/argo-cd/applications/production-hm/open-webui/kubernetes-manifests/hm-open-webui-ingress.yaml

@@ -0,0 +1,34 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: hm-open-webui-ingress
+  namespace: production-hm-open-webui
+  annotations:
+    kubernetes.io/ingress.class: traefik
+    # https://doc.traefik.io/traefik/routing/providers/kubernetes-ingress/#on-ingress
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: "true"
+    # https://kubernetes-sigs.github.io/external-dns/latest/annotations/annotations
+    external-dns.alpha.kubernetes.io/hostname: hm-open-webui.internal.hongbomiao.com
+    # https://argo-cd.readthedocs.io/en/stable/user-guide/resource_hooks
+    argocd.argoproj.io/hook: PostSync
+  labels:
+    app.kubernetes.io/name: hm-open-webui-ingress
+    app.kubernetes.io/part-of: production-hm-open-webui
+spec:
+  rules:
+    - host: hm-open-webui.internal.hongbomiao.com
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: open-webui
+                port:
+                  number: 80
+  tls:
+    - hosts:
+        - hm-open-webui.internal.hongbomiao.com
+      secretName: production-hm-open-webui-certificate

kubernetes/argo-cd/applications/production-hm/open-webui/kubernetes-manifests/hm-open-webui-persistent-volume-claim.yaml

@@ -0,0 +1,18 @@
+# https://github.com/open-webui/helm-charts/blob/main/charts/open-webui/values.yaml
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: hm-open-webui-persistent-volume-claim
+  namespace: production-hm-open-webui
+  annotations:
+    # https://argo-cd.readthedocs.io/en/stable/user-guide/resource_hooks
+    argocd.argoproj.io/hook: PreSync
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 100Gi
+  storageClassName: production-hm-open-webui-storage-class
+  volumeName: pvc-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

kubernetes/argo-cd/applications/production-hm/open-webui/kubernetes-manifests/hm-open-webui-secret.yaml

@@ -0,0 +1,24 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  annotations:
+    # https://argo-cd.readthedocs.io/en/stable/user-guide/resource_hooks
+    argocd.argoproj.io/hook: PreSync
+  creationTimestamp: null
+  name: hm-open-webui-secret
+  namespace: production-hm-open-webui
+spec:
+  encryptedData:
+    google_client_secret: AgA+jqD//fz/HeC4ovVKQQv/ThAO/pX9WX7PJBIcud30X/6rKtRAAQGMZ0MSzRuxWH7CeFwLLr9JvYWOqh9SSTQjUd6iXdhTUIZPB1mx+byOSjqg2SOjfuCG4RqzKHo8cWO8XLhBRkgrWip3nIeOWLGVp7DLSPcm4cbt24CuKfF09/0RDpOEaDIAwWyainGLzwufmPOdBye/GxEt8mb/92i/nNHn9cyVQ8FBmhdNXqii0Xu5QpeqnE5h/8uZQQfZ46h9ILu+svdFlRwM/heNFFQ8WzG7MWY/+36QlfkoTtvoWMfIo9tBNDt2OZloIojEa84NPltvnDD+kfduWqPRquD2jorNVk7MhiMnpfMVd8yFXwPYYx5+eT/MdeNPJdUdaU0YILOfE/j8LhP2X38wks64QXeubTBXCuDkKC/4r7cfYdUxBTASXtN5yDti7emwKId93vSDMeCCHFS8LSVu+52qfP5y2v+L30PLrz9SjZatsnHdPwM6cwLXTDUEbtsmpHE0fGBFxq1JqLkrf0x6/eu610FT7fx9yordwZOrerO0n7dRBo7cM0PptFLAdhIa8XTEWifbGoA6As6aa2YCmptuDggb1sBLsZUeijw/RDVHjcdgsMwVHuO3Bm6VNH2K/GzfMkUd3Vr94NCmAgxxuO1BZksHpuE3uHClf8zZW4UoDetaAQGxEDTDaBUUJUgQNFq8rWs=
+    openai_api_keys: AgDXJmy4ev4oUkYbqfTpaF/2jI8p0KGdCUeVpn+OkmO/rKJFr5xWkIHz/3ZIM7AB9UfQR+kBlf2aTctrvvYBTJHI6wJzQpWx4nvdTi4/hGqnI+kUUSkfDJHHa+rX7lT1sFrrl0CjRjBdkmVprLIBNFySYK91cEb3zKkuDsMQyDHxl+MJye02eCjU1OBAHTKes8fdqWd0M9cgScNtX2JNGw+hRgiPIAWhdPgx508+EqLzp1EvMp4oV2nKOX0ZeRTM0vDsfZ0TSydTt1n3eFpCG2wwYEZLr9lwXjoxTww6EmQ/sow2ErMnz8yZIHR/1/9ksLc6gBgRW7sC7tXLDtG0tCz5BZ1+XSHtxLjEsUIHekfY+gwkuSupT12u0ry0z/njYCAlpUB/375Onq9T/HX0SXFRKCV8qwwlWc6b5Nz7lX6CbpUOQvYDqYQcoyMnciJvaow0TDZzLa1Duh9YOQS3wyX5hYp5qt+SnDrAvPJ63FNm0UJd//NvctWFubPaznG514nl2EElOJeVNbBjmwNrAonNEoX0CG3InyP+mWrPaRRvSlB8yNo+cuIXEMRNgAq01Im6u5je0SGw9PrQsPCSq4yIRKxZm9wx7aJ4D7y+O6QHP5cri8qUZe7mZ9hYuc3SrlaZ/UZ+iINCDFraWlUA/vXN8ksexDmM/VikXI3oO686YMdyk2KVyfq0SaTteCsBRh6UJ4eZYHiP
+  template:
+    metadata:
+      annotations:
+        argocd.argoproj.io/hook: PreSync
+      creationTimestamp: null
+      labels:
+        app.kubernetes.io/name: hm-open-webui-secret
+        app.kubernetes.io/part-of: production-hm-open-webui
+      name: hm-open-webui-secret
+      namespace: production-hm-open-webui