feat(librechat): install librechat

librechat/values.gomplate.yaml

@@ -0,0 +1,150 @@
+replicaCount: 1
+
+global:
+  librechat:
+    existingSecretName: "librechat-credentials-env"
+    existingSecretApiKey: OPENAI_API_KEY
+{{- if eq .Env.TAVILY_MCP_ENABLED "true" }}
+    env:
+      - name: TAVILY_API_KEY
+        valueFrom:
+          secretKeyRef:
+            name: tavily-api-key
+            key: TAVILY_API_KEY
+{{- end }}
+
+librechat:
+  configEnv:
+    # Domain configuration (required for OIDC redirects)
+    DOMAIN_CLIENT: "https://{{ .Env.LIBRECHAT_HOST }}"
+    DOMAIN_SERVER: "https://{{ .Env.LIBRECHAT_HOST }}"
+
+    # Ollama endpoint (internal k8s service)
+    OLLAMA_BASE_URL: "http://{{ .Env.OLLAMA_HOST }}:11434"
+
+    # OpenID Connect / Keycloak
+    ALLOW_SOCIAL_LOGIN: "true"
+    OPENID_BUTTON_LABEL: "Login with Keycloak"
+    OPENID_ISSUER: "https://{{ .Env.KEYCLOAK_HOST }}/realms/{{ .Env.KEYCLOAK_REALM }}"
+    OPENID_CALLBACK_URL: "/oauth/openid/callback"
+    OPENID_SCOPE: "openid profile email"
+
+    # Optional: Role-based access control
+    # OPENID_REQUIRED_ROLE_PARAMETER_PATH: "realm_access.roles"
+    # OPENID_REQUIRED_ROLE_TOKEN_KIND: "access"
+
+    # Optional: Group sync from Keycloak roles
+    # OPENID_SYNC_GROUPS_FROM_TOKEN: "true"
+    # OPENID_GROUPS_CLAIM_PATH: "realm_access.roles"
+    # OPENID_GROUPS_TOKEN_KIND: "access"
+
+    # Disable email registration (use Keycloak only)
+    ALLOW_EMAIL_LOGIN: "false"
+    ALLOW_REGISTRATION: "false"
+    ALLOW_SOCIAL_REGISTRATION: "true"
+
+    # Debug (set to true for troubleshooting)
+    DEBUG_OPENID_REQUESTS: "false"
+    DEBUG_PLUGINS: "false"
+
+  existingSecretName: "librechat-credentials-env"
+
+  # Use external configmap for librechat.yaml
+  existingConfigYaml: "librechat-config"
+
+  imageVolume:
+    enabled: true
+    size: 10Gi
+    accessModes: ReadWriteOnce
+
+image:
+  repository: danny-avila/librechat
+  registry: ghcr.io
+  pullPolicy: IfNotPresent
+
+podSecurityContext:
+  fsGroup: 2000
+
+securityContext:
+  capabilities:
+    drop:
+      - ALL
+  runAsNonRoot: true
+  runAsUser: 1000
+  allowPrivilegeEscalation: false
+  seccompProfile:
+    type: RuntimeDefault
+
+service:
+  type: ClusterIP
+  port: 3080
+
+ingress:
+  enabled: true
+  className: "traefik"
+  annotations:
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: "true"
+  hosts:
+    - host: {{ .Env.LIBRECHAT_HOST }}
+      paths:
+        - path: /
+          pathType: Prefix
+  tls: []
+
+resources:
+  requests:
+    cpu: 100m
+    memory: 512Mi
+  limits:
+    cpu: 1000m
+    memory: 1Gi
+
+mongodb:
+  enabled: true
+  auth:
+    enabled: false
+  databases:
+    - LibreChat
+  image:
+    tag: "latest"
+  persistence:
+    size: 8Gi
+  podSecurityContext:
+    fsGroup: 1001
+    seccompProfile:
+      type: RuntimeDefault
+  containerSecurityContext:
+    runAsUser: 1001
+    runAsNonRoot: true
+    allowPrivilegeEscalation: false
+    seccompProfile:
+      type: RuntimeDefault
+    capabilities:
+      drop:
+        - ALL
+
+meilisearch:
+  enabled: true
+  persistence:
+    enabled: true
+  image:
+    tag: "v1.7.3"
+  auth:
+    existingMasterKeySecret: "librechat-credentials-env"
+  podSecurityContext:
+    fsGroup: 1000
+    seccompProfile:
+      type: RuntimeDefault
+  containerSecurityContext:
+    runAsUser: 1000
+    runAsNonRoot: true
+    allowPrivilegeEscalation: false
+    seccompProfile:
+      type: RuntimeDefault
+    capabilities:
+      drop:
+        - ALL
+
+librechat-rag-api:
+  enabled: false