baschno/buun-stack
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
98b03704d7445aba632c1729113f64717e85a41f
buun-stack/librechat/values.gomplate.yaml
Masaki Yatsu 46fdff720f chore(librechat): adjust kubernetes resouces
2025-12-03 21:01:28 +09:00

165 lines
3.5 KiB
YAML
Raw Blame History

replicaCount: 1
global:
librechat:
existingSecretName: "librechat-credentials-env"
existingSecretApiKey: OPENAI_API_KEY
{{- if eq .Env.TAVILY_MCP_ENABLED "true" }}
env:
- name: TAVILY_API_KEY
valueFrom:
secretKeyRef:
name: tavily-api-key
key: TAVILY_API_KEY
{{- end }}
librechat:
configEnv:
# Domain configuration (required for OIDC redirects)
DOMAIN_CLIENT: "https://{{ .Env.LIBRECHAT_HOST }}"
DOMAIN_SERVER: "https://{{ .Env.LIBRECHAT_HOST }}"
# Ollama endpoint (internal k8s service)
OLLAMA_BASE_URL: "http://{{ .Env.OLLAMA_HOST }}:11434"
# OpenID Connect / Keycloak
ALLOW_SOCIAL_LOGIN: "true"
OPENID_BUTTON_LABEL: "Login with Keycloak"
OPENID_ISSUER: "https://{{ .Env.KEYCLOAK_HOST }}/realms/{{ .Env.KEYCLOAK_REALM }}"
OPENID_CALLBACK_URL: "/oauth/openid/callback"
OPENID_SCOPE: "openid profile email"
# Optional: Role-based access control
# OPENID_REQUIRED_ROLE_PARAMETER_PATH: "realm_access.roles"
# OPENID_REQUIRED_ROLE_TOKEN_KIND: "access"
# Optional: Group sync from Keycloak roles
# OPENID_SYNC_GROUPS_FROM_TOKEN: "true"
# OPENID_GROUPS_CLAIM_PATH: "realm_access.roles"
# OPENID_GROUPS_TOKEN_KIND: "access"
# Disable email registration (use Keycloak only)
ALLOW_EMAIL_LOGIN: "false"
ALLOW_REGISTRATION: "false"
ALLOW_SOCIAL_REGISTRATION: "true"
# Debug (set to true for troubleshooting)
DEBUG_OPENID_REQUESTS: "false"
DEBUG_PLUGINS: "false"
existingSecretName: "librechat-credentials-env"
# Use external configmap for librechat.yaml
existingConfigYaml: "librechat-config"
imageVolume:
enabled: true
size: 10Gi
accessModes: ReadWriteOnce
image:
repository: danny-avila/librechat
registry: ghcr.io
pullPolicy: IfNotPresent
podSecurityContext:
fsGroup: 2000
securityContext:
capabilities:
drop:
- ALL
runAsNonRoot: true
runAsUser: 1000
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
service:
type: ClusterIP
port: 3080
ingress:
enabled: true
className: "traefik"
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
hosts:
- host: {{ .Env.LIBRECHAT_HOST }}
paths:
- path: /
pathType: Prefix
tls: []
resources:
requests:
cpu: 25m
memory: 512Mi
limits:
cpu: 100m
memory: 1Gi
mongodb:
enabled: true
auth:
enabled: false
databases:
- LibreChat
image:
tag: "latest"
persistence:
size: 8Gi
resources:
requests:
cpu: 75m
memory: 512Mi
limits:
cpu: 500m
memory: 2Gi
podSecurityContext:
fsGroup: 1001
seccompProfile:
type: RuntimeDefault
containerSecurityContext:
runAsUser: 1001
runAsNonRoot: true
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- ALL
meilisearch:
enabled: true
persistence:
enabled: true
image:
tag: "v1.7.3"
auth:
existingMasterKeySecret: "librechat-credentials-env"
resources:
requests:
cpu: 25m
memory: 256Mi
limits:
cpu: 100m
memory: 1Gi
podSecurityContext:
fsGroup: 1000
seccompProfile:
type: RuntimeDefault
containerSecurityContext:
runAsUser: 1000
runAsNonRoot: true
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- ALL
librechat-rag-api:
enabled: false
Reference in New Issue View Git Blame Copy Permalink