openova/platform/librechat/blueprint.yaml
e3mrah a6bf07b0ce
feat(charts): bp-librechat wrapper chart (closes #275) (#287)
W2.5.G — Catalyst-authored scratch chart for LibreChat (slot 48 of the
omantel-1 bootstrap-kit). LibreChat upstream does not publish a Helm
chart, so this chart hand-wires the official ghcr.io/danny-avila/librechat
container as Deployment + Service + Ingress + ConfigMap + ServiceAccount
+ NetworkPolicy + ServiceMonitor + HPA, with the sigstore/common
library subchart declared to satisfy the hollow-chart gate (issue #181).

Per docs/BLUEPRINT-AUTHORING.md §11.2: every observability toggle
(serviceMonitor, hpa) defaults false; opt-in via per-cluster overlay
once kube-prometheus-stack reconciles. The ServiceMonitor template is
double-gated by .Values.serviceMonitor.enabled AND
Capabilities.APIVersions.Has "monitoring.coreos.com/v1" so flipping the
toggle on a too-early Sovereign cannot break the bp-librechat reconcile.

Per docs/INVIOLABLE-PRINCIPLES.md #4 (never hardcode): every endpoint
URL, model name, secret reference, namespace selector, and image tag is
operator-tunable via values.yaml. The Sovereign FQDN, Keycloak issuer,
llm-gateway URL, embeddings URL, and TLS ClusterIssuer are all
operator-supplied at install time. The image tag is pinned to v0.7.5
(no :latest).

Connectors:
- Chat completions: bp-llm-gateway (OpenAI-compatible /v1/chat/completions)
  exposed as a "custom" endpoint named "Catalyst LLM"
- Embeddings (RAG): bp-bge — provider=bge maps to EMBEDDINGS_PROVIDER=openai
  + RAG_OPENAI_BASEURL=<bge.svc> at template-render time
- SSO: bp-keycloak (OpenID Connect) — issuer/clientId from values,
  client secret + session secret from ExternalSecret
- Conversation store: FerretDB on bp-cnpg (MongoDB wire protocol over
  Postgres) — operator-supplied connection URI

Hosted at chat-app.<sovereign-fqdn>; the chart `fail`s render if
ingress.host is empty (no platform-wide default).

helm template (default values, --set ingress.host=...):
  ConfigMap, Deployment, Ingress, NetworkPolicy, Service, ServiceAccount

helm template (--set hpa.enabled=true serviceMonitor.enabled=true
              --api-versions monitoring.coreos.com/v1):
  ConfigMap, Deployment, HorizontalPodAutoscaler, Ingress, NetworkPolicy,
  Service, ServiceAccount, ServiceMonitor

helm lint: 1 chart(s) linted, 0 chart(s) failed (single INFO on
missing icon — icons land with the marketplace card work).

tests/observability-toggle.sh: PASS on default-off, opt-in
(--api-versions monitoring.coreos.com/v1 to simulate the CRDs), and
explicit-off cases.

Path isolation: only platform/librechat/ — no HR slot files,
blueprint-release.yaml, or other charts touched. The HR slot files
(clusters/.../48-librechat.yaml) and blueprint-release.yaml will land
in a separate slot-wiring PR per the W2.K4 expansion plan.

Closes #275

Co-authored-by: hatiyildiz <hatice.yildiz@openova.io>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 18:56:59 +04:00
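
The double gate on the ServiceMonitor and the render-time `fail` on an empty `ingress.host`, as described in the commit message above, sketched as Helm templates. This is an added example, not the chart's own code: the file names, resource names, labels and the `http` port name are assumptions; only `.Values.serviceMonitor.enabled`, `.Values.ingress.host` and the `monitoring.coreos.com/v1` capability check come from the page.

```yaml
{{- /* templates/servicemonitor.yaml (hypothetical file name).
       Rendered only when the operator opted in AND the cluster already
       serves the Prometheus Operator API, so enabling the toggle before
       the CRDs exist yields no object instead of a failed reconcile. */}}
{{- if and .Values.serviceMonitor.enabled (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: {{ .Release.Name }}-librechat        # assumed naming scheme
  namespace: {{ .Release.Namespace }}
spec:
  selector:
    matchLabels:
      app.kubernetes.io/instance: {{ .Release.Name }}   # assumed label
  endpoints:
    - port: http                              # assumed Service port name
{{- end }}
---
{{- /* templates/ingress.yaml (hypothetical file name).
       No platform-wide default host exists, so an empty value aborts
       the render rather than publishing the UI on an unintended name. */}}
{{- if not .Values.ingress.host }}
{{- fail "ingress.host is required (for example chat-app.<sovereign-fqdn>)" }}
{{- end }}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: {{ .Release.Name }}-librechat        # assumed naming scheme
spec:
  rules:
    - host: {{ .Values.ingress.host | quote }}
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: {{ .Release.Name }}-librechat   # assumed Service name
                port:
                  name: http                          # assumed port name
```

Rendering with `helm template` and without `--api-versions monitoring.coreos.com/v1` exercises the second half of the gate, which is how the commit message says the toggle test simulates the CRDs.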

95 lines
2.6 KiB
YAML

apiVersion: catalyst.openova.io/v1alpha1
kind: Blueprint
metadata:
  name: bp-librechat
  labels:
    catalyst.openova.io/category: application
    catalyst.openova.io/section: pts-4-7-application-tier-chat-ui
spec:
  version: 1.0.0
  card:
    title: LibreChat
    summary: |
      Multi-LLM chat UI front-end. Joins bp-llm-gateway + bp-vllm + bp-bge,
      with Keycloak SSO via OIDC. Backed by FerretDB (MongoDB wire compat
      over CNPG Postgres) for conversation history.
    icon: librechat.svg
    category: application
    tags: [chat, llm, ui, openid, rag, application]
    documentation: https://www.librechat.ai/docs
    license: MIT
  visibility: listed
  owner:
    team: ai-platform
    contact: ai-platform@openova.io
  configSchema:
    type: object
    properties:
      host:
        type: string
        format: hostname
        description: |
          Public hostname for the LibreChat UI. Defaults to
          chat-app.<sovereign-fqdn> per the Sovereign overlay.
      replicas:
        type: integer
        default: 1
        minimum: 1
        maximum: 10
      llmGateway:
        type: object
        properties:
          baseURL:
            type: string
            description: Base URL of the OpenAI-compatible LLM gateway (bp-llm-gateway).
            default: http://llm-gateway.llm-gateway.svc.cluster.local:8080/v1
      embeddings:
        type: object
        properties:
          provider:
            type: string
            enum: [bge, openai, huggingface, ollama]
            default: bge
          baseURL:
            type: string
            description: Base URL of the embeddings service (bp-bge).
            default: http://bge.bge.svc.cluster.local:8080/v1
          model:
            type: string
            default: BAAI/bge-large-en-v1.5
      keycloak:
        type: object
        properties:
          enabled:
            type: boolean
            default: true
          issuer:
            type: string
            description: |
              Keycloak realm issuer URL (e.g. https://keycloak.<location-code>
              .<sovereign-domain>/realms/<org>). Operator-supplied; never
              hardcoded.
  placementSchema:
    modes: [single-region, active-active]
    default: single-region
  manifests:
    chart: ./chart
  depends:
    - blueprint: bp-llm-gateway
      version: ^1.0
      alias: gateway
    - blueprint: bp-vllm
      version: ^1.0
      alias: vllm
    - blueprint: bp-bge
      version: ^1.0
      alias: bge
    - blueprint: bp-keycloak
      version: ^1.1
      alias: idp
  upgrades:
    from: ["0.x"]
  observability:
    metrics: prometheus
    logs: stdout