opened ports

.gitignore

@@ -136,3 +136,4 @@ __pycache__/
 *.xml
 temp.*
 bun.lock
+tmp/

apps/children/browser.yaml

@@ -9,7 +9,7 @@ spec:
         server: https://kubernetes.default.svc
         namespace: ai
     source:
-        repoURL: https://your.git/repo.git
+        repoURL: https://git.ion606.com/ion606/ollama-plus.git
         targetRevision: main
         path: manifests/browser
     syncPolicy:

manifests/policy/allow-browser-ingress.yaml

@@ -0,0 +1,17 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+    name: allow-browser-ingress
+    namespace: ai
+spec:
+    podSelector:
+        matchLabels:
+            app: browser
+    policyTypes: ["Ingress"]
+    ingress:
+        - from:
+              - ipBlock:
+                    cidr: 0.0.0.0/0
+          ports:
+              - { protocol: TCP, port: 7788 }
+

manifests/policy/allow-ollama-scheduler-ingress.yaml

@@ -0,0 +1,17 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+    name: allow-ollama-scheduler-ingress
+    namespace: argo
+spec:
+    podSelector:
+        matchLabels:
+            app: ollama-scheduler
+    policyTypes: ["Ingress"]
+    ingress:
+        - from:
+              - ipBlock:
+                    cidr: 0.0.0.0/0
+          ports:
+              - { protocol: TCP, port: 12253 }
+

manifests/policy/allow-openwebui-ingress.yaml

@@ -0,0 +1,20 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+    name: allow-openwebui-ingress
+    namespace: ai
+spec:
+    # Select the Open WebUI pods deployed by the Helm release "openwebui"
+    podSelector:
+        matchLabels:
+            app.kubernetes.io/instance: openwebui
+    policyTypes: ["Ingress"]
+    ingress:
+        - from:
+              - ipBlock:
+                    cidr: 0.0.0.0/0
+          ports:
+              # Open WebUI typically listens on 8080 (chart default), sometimes 80
+              - { protocol: TCP, port: 8080 }
+              - { protocol: TCP, port: 80 }
+

manifests/policy/default-deny.yaml

@@ -1,6 +1,8 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
-metadata: { name: default-deny-all, namespace: ai }
+metadata:
+    name: default-deny-all
+    namespace: ai
 spec:
-    podSelector: {}
+    podSelector: {} # die
     policyTypes: ["Ingress", "Egress"]

scripts/setup.sh

@@ -28,13 +28,16 @@ kubectl rollout status deploy/argocd-application-controller -n argocd --timeout=
 # NOTE: creates the child Applications in apps/children/*
 kubectl apply -n argocd -f apps/0-project-and-root.yaml;
 
+echo "DEBUG: writing pods to 'tmp/pods.txt'"
+mkdir -p tmp || ""
+kubectl get pod -o wide --all-namespaces > tmp/pods.txt
+
 # port-forward argocd ui
 echo "";
 echo "argocd initial admin password (username 'admin'):";
-kubectl -n argocd get secret argocd-initial-admin-secret \
--o jsonpath='{.data.password}' | base64 -d; echo "";
+kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath='{.data.password}' | base64 -d; echo "";
 echo "";
 echo "port-forwarding argocd ui to https://localhost:8443 (ctrl+c to stop) ...";
 
-kubectl -n ai port-forward svc/scheduler-ui 12253:12253
+# kubectl -n argocd port-forward svc/scheduler-ui 12253:12253
 kubectl -n argocd port-forward svc/argocd-server 8443:443