diff --git a/.gitignore b/.gitignore
index 6a1df10..de895c4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -136,3 +136,4 @@ __pycache__/
 *.xml
 temp.*
 bun.lock
+tmp/
diff --git a/apps/children/browser.yaml b/apps/children/browser.yaml
index 435be84..0f655a9 100644
--- a/apps/children/browser.yaml
+++ b/apps/children/browser.yaml
@@ -9,7 +9,7 @@ spec:
 server: https://kubernetes.default.svc
 namespace: ai
 source:
- repoURL: https://your.git/repo.git
+ repoURL: https://git.ion606.com/ion606/ollama-plus.git
 targetRevision: main
 path: manifests/browser
 syncPolicy:
diff --git a/manifests/policy/allow-browser-ingress.yaml b/manifests/policy/allow-browser-ingress.yaml
new file mode 100644
index 0000000..9c06596
--- /dev/null
+++ b/manifests/policy/allow-browser-ingress.yaml
@@ -0,0 +1,17 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-browser-ingress
+ namespace: ai
+spec:
+ podSelector:
+ matchLabels:
+ app: browser
+ policyTypes: ["Ingress"]
+ ingress:
+ - from:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+ ports:
+ - { protocol: TCP, port: 7788 }
+
diff --git a/manifests/policy/allow-ollama-scheduler-ingress.yaml b/manifests/policy/allow-ollama-scheduler-ingress.yaml
new file mode 100644
index 0000000..0e7dd6e
--- /dev/null
+++ b/manifests/policy/allow-ollama-scheduler-ingress.yaml
@@ -0,0 +1,17 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-ollama-scheduler-ingress
+ namespace: argo
+spec:
+ podSelector:
+ matchLabels:
+ app: ollama-scheduler
+ policyTypes: ["Ingress"]
+ ingress:
+ - from:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+ ports:
+ - { protocol: TCP, port: 12253 }
+
diff --git a/manifests/policy/allow-openwebui-ingress.yaml b/manifests/policy/allow-openwebui-ingress.yaml
new file mode 100644
index 0000000..980e16f
--- /dev/null
+++ b/manifests/policy/allow-openwebui-ingress.yaml
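Review bot: The `ipBlock` with `cidr: 0.0.0.0/0` in allow-browser-ingress admits every IPv4 source on TCP 7788, so for `app: browser` pods the namespace's default-deny-all policy no longer restricts ingress on that port. The same rule appears in allow-ollama-scheduler-ingress (port 12253) and allow-openwebui-ingress (ports 8080 and 80). If the intended clients are an ingress controller or specific in-cluster workloads, select them by namespace and pod label rather than by address; how `ipBlock` treats pod-to-pod traffic also depends on the CNI, so the current rule may not behave the same on every cluster. The namespace and label values in the sketch below are placeholders, because the page does not show which workloads call these services.

```yaml
  ingress:
    - from:
        # placeholder values: replace with the namespace and labels of the real client
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: <client-namespace>
          podSelector:
            matchLabels:
              <client-label-key>: <client-label-value>
      # … unchanged: ports list (TCP 7788) …
```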
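Review bot: `namespace: argo` in allow-ollama-scheduler-ingress does not match any namespace visible elsewhere in this commit: setup.sh port-forwards `svc/scheduler-ui` from `ai` (the removed line) or `argocd` (the commented-out replacement). A NetworkPolicy only selects pods in its own namespace, so if the `app: ollama-scheduler` pods do not run in `argo` this policy selects nothing. Confirm the namespace, and add a one-line comment above `podSelector` naming the workload it targets, as the Open WebUI policy does.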
@@ -0,0 +1,20 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-openwebui-ingress
+ namespace: ai
+spec:
+ # Select the Open WebUI pods deployed by the Helm release "openwebui"
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/instance: openwebui
+ policyTypes: ["Ingress"]
+ ingress:
+ - from:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+ ports:
+ # Open WebUI typically listens on 8080 (chart default), sometimes 80
+ - { protocol: TCP, port: 8080 }
+ - { protocol: TCP, port: 80 }
+
diff --git a/manifests/policy/default-deny.yaml b/manifests/policy/default-deny.yaml
index 04f19a9..292b504 100644
--- a/manifests/policy/default-deny.yaml
+++ b/manifests/policy/default-deny.yaml
@@ -1,6 +1,8 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
-metadata: { name: default-deny-all, namespace: ai }
+metadata:
+ name: default-deny-all
+ namespace: ai
 spec:
- podSelector: {}
+ podSelector: {} # die
 policyTypes: ["Ingress", "Egress"]
diff --git a/scripts/setup.sh b/scripts/setup.sh
index 0433936..f422696 100644
--- a/scripts/setup.sh
+++ b/scripts/setup.sh
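Review bot: The trailing comment `# die` on `podSelector: {}` in default-deny.yaml does not tell a reader what the empty selector does. Suggest `podSelector: {}  # empty selector: applies to every pod in the namespace`. Because `policyTypes` includes `Egress` and this commit adds only ingress allowances, a second comment saying where the egress exceptions (DNS, for example) are defined would help, if they exist elsewhere in the repository.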
@@ -28,13 +28,16 @@ kubectl rollout status deploy/argocd-application-controller -n argocd --timeout= # NOTE: creates the child Applications in apps/children/* kubectl apply -n argocd -f apps/0-project-and-root.yaml; +echo "DEBUG: writing pods to 'tmp/pods.txt'" +mkdir -p tmp || "" +kubectl get pod -o wide --all-namespaces > tmp/pods.txt + # port-forward argocd ui echo ""; echo "argocd initial admin password (username 'admin'):"; -kubectl -n argocd get secret argocd-initial-admin-secret \ --o jsonpath='{.data.password}' | base64 -d; echo ""; +kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath='{.data.password}' | base64 -d; echo ""; echo ""; echo "port-forwarding argocd ui to https://localhost:8443 (ctrl+c to stop) ..."; -kubectl -n ai port-forward svc/scheduler-ui 12253:12253 +# kubectl -n argocd port-forward svc/scheduler-ui 12253:12253 kubectl -n argocd port-forward svc/argocd-server 8443:443
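Review bot: `mkdir -p tmp || ""` does not ignore a failure: when mkdir fails, the shell tries to run an empty command name, which itself errors, and the redirect to `tmp/pods.txt` on the next line then fails as well. Use `mkdir -p tmp || exit 1`, or drop the `||` branch if the script already runs under `set -e` (not visible in this hunk). The output of `kubectl get pod -o wide --all-namespaces` records pod IPs and node names for the whole cluster, so a comment such as `# debug only: tmp/ is gitignored; do not attach pods.txt to public issues` above the block would make the handling explicit. The script continues outside the hunk on both sides.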