openova/platform/llm-gateway/blueprint.yaml
e3mrah 87d9a4afa7
feat(charts): bp-temporal + bp-llm-gateway + bp-anthropic-adapter wrapper charts (closes #267 #268 #271) (#288)
W2.5.E batch — three Application-tier Blueprints completing the LLM
serving / workflow stack:

- bp-temporal/1.0.0 — wraps temporal/temporal 1.2.0 (the new chart
  rewrite that removed cassandra:/mysql:/postgresql:/elasticsearch:/
  prometheus:/grafana: top-level keys in favour of
  server.config.persistence.datastores). Postgres-only via CNPG-backed
  visibility store (skip Cassandra). Web UI ON. Keycloak OIDC
  integration via --auth-claim-mapper renders auth.yaml ConfigMap
  (operator wires via additionalVolumes once bp-keycloak is
  reconciled, default OFF). dependsOn: bp-cnpg + bp-cert-manager.
  Closes #271.
  Kinds: Cluster (CNPG) + ConfigMap + Deployment + Job + Pod +
  Service.

- bp-llm-gateway/1.0.0 — wraps berriai/litellm-helm 0.1.572 from OCI.
  Subscription-aware proxy for Claude Code: routes to Anthropic (via
  operator OAuth/Max subscription — NEVER an ANTHROPIC_API_KEY,
  per memory/feedback_no_api_key.md), Bedrock, Vertex,
  OpenAI-compatible (via bp-anthropic-adapter), and self-hosted
  vLLM. CNPG-backed audit log (every prompt + response persisted
  for compliance). Bundled bitnami postgresql + redis subcharts
  DISABLED (db.useExisting=true points at the CNPG cluster).
  Keycloak SSO via auth.yaml ConfigMap (default OFF).
  ExternalSecret-backed environmentSecrets brings tokens / IAM
  creds in without inlining plaintext. dependsOn: bp-cnpg +
  bp-keycloak + bp-external-secrets. Closes #267.
  Kinds: Cluster (CNPG audit) + ConfigMap + Deployment + Job +
  Pod + Secret + Service + ServiceAccount.

- bp-anthropic-adapter/1.0.0 — Catalyst-authored scratch chart for
  the OpenAI ↔ Anthropic translation Go service. SHA-pinned image
  ghcr.io/openova-io/openova/anthropic-adapter:<sha> (Inviolable
  Principle #4a — GitHub Actions is the only build path; empty
  default tag fails the render with a clear error instead of
  silently shipping :latest). OAuth/Max subscription token mounted
  from K8s Secret materialized by ESO from bp-openbao —
  ANTHROPIC_OAUTH_TOKEN env var, NEVER an ANTHROPIC_API_KEY.
  Includes OpenAI → Anthropic model-mapping ConfigMap (gpt-4 →
  claude-3-5-sonnet, gpt-4o-mini → claude-3-5-haiku, etc.).
  sigstore/common library subchart included to satisfy the
  hollow-chart gate (matches bp-vllm pattern from #283).
  dependsOn: bp-external-secrets. Closes #268.
  Kinds: ConfigMap + Deployment + Service + ServiceAccount.

CRITICAL — bp-llm-gateway and bp-anthropic-adapter both consume the
operator's Claude OAuth/Max subscription. Per memory/
feedback_no_api_key.md and the user's standing instruction, neither
chart accepts or generates an ANTHROPIC_API_KEY. Tokens flow
exclusively through ExternalSecret-managed K8s Secrets that ESO
materializes from bp-openbao at install time.

Per docs/BLUEPRINT-AUTHORING.md §11.2 (issue #182): every
observability toggle defaults `false` (ServiceMonitor / metrics
sidecar / PodMonitor) and is operator-tunable via per-cluster
overlay once bp-kube-prometheus-stack reconciles. Each chart ships
tests/observability-toggle.sh covering default-off, opt-in (with
--api-versions monitoring.coreos.com/v1 to simulate the CRDs), and
explicit-off cases. bp-anthropic-adapter additionally tests the
never-:latest gate via Case 4 (empty image tag must fail render).

Per docs/INVIOLABLE-PRINCIPLES.md #4 (never hardcode): every
upstream version, namespace, server URL, role, secret name, model
default, and toggle is exposed under values.yaml. Cluster overlays
in clusters/<sovereign>/ may override without rebuilding the
Blueprint OCI artifact.

Per docs/BLUEPRINT-AUTHORING.md §11.1 (umbrella shape — hard
contract): bp-temporal and bp-llm-gateway declare their upstream
charts under Chart.yaml dependencies: so helm dependency build
bundles the upstream payload into the OCI artifact.
bp-anthropic-adapter is a scratch chart (no upstream Helm chart exists) and
includes sigstore/common as the obligatory hollow-chart-gate
dependency, matching the bp-vllm precedent from W2.5.D (#283).

Closes #267
Closes #268
Closes #271

helm lint: 1 chart(s) linted, 0 chart(s) failed (each, INFO icon-recommended only)

Co-authored-by: hatiyildiz <hatice.yildiz@openova.io>
2026-04-30 19:37:19 +04:00


apiVersion: catalyst.openova.io/v1alpha1
kind: Blueprint
metadata:
  name: bp-llm-gateway
  labels:
    catalyst.openova.io/category: ai-runtime
    catalyst.openova.io/section: pts-4-6-llm-serving
spec:
  version: 1.0.0
  card:
    title: LLM Gateway
    summary: |
      Subscription-aware LLM proxy. Wraps the upstream LiteLLM proxy
      (`ghcr.io/berriai/litellm:main-stable`) and routes requests to
      Anthropic (via the operator's Claude OAuth/Max subscription —
      NEVER an ANTHROPIC_API_KEY), Bedrock, Vertex, OpenAI-compatible
      backends (via bp-anthropic-adapter), and self-hosted vLLM.
      CNPG-backed audit log; Keycloak SSO for human callers.
    icon: llm-gateway.svg
    category: ai-runtime
    tags: [llm, gateway, litellm, proxy, claude, openai, bedrock, vertex]
    documentation: https://docs.litellm.ai/
    license: MIT
    visibility: listed
    owner:
      team: ai-platform
      contact: ai-platform@openova.io
  configSchema:
    type: object
    properties:
      replicas:
        type: integer
        default: 1
        minimum: 1
        maximum: 16
      auth:
        type: object
        properties:
          mode:
            type: string
            enum: [keycloak, masterKey, hybrid]
            default: keycloak
            description: |
              `keycloak` = OIDC-only (every caller authenticates via
              bp-keycloak realm). `masterKey` = static per-tenant master
              keys (dev only — operators MUST NOT enable in production).
              `hybrid` = Keycloak for human callers, master keys for
              CI/automation accounts.
          keycloak:
            type: object
            properties:
              issuer:
                type: string
                description: Keycloak realm issuer URL (https://keycloak.<env>.<sovereign-domain>/realms/<realm>).
              audience:
                type: string
                default: llm-gateway
      audit:
        type: object
        properties:
          enabled:
            type: boolean
            default: true
            description: Enable CNPG-backed audit log (every prompt + response stored for compliance).
      backends:
        type: object
        properties:
          anthropic:
            type: object
            properties:
              enabled:
                type: boolean
                default: false
                description: |
                  Forward Claude requests via the operator's
                  OAuth/Max subscription. NEVER set an ANTHROPIC_API_KEY
                  — the gateway uses subscription tokens issued by the
                  operator's Claude account.
          bedrock:
            type: object
            properties:
              enabled:
                type: boolean
                default: false
          vertex:
            type: object
            properties:
              enabled:
                type: boolean
                default: false
          vllm:
            type: object
            properties:
              enabled:
                type: boolean
                default: false
          anthropicAdapter:
            type: object
            properties:
              enabled:
                type: boolean
                default: false
                description: Route OpenAI-compatible callers to Claude via bp-anthropic-adapter.
  placementSchema:
    modes: [single-region, active-active]
    default: single-region
  manifests:
    chart: ./chart
  depends:
    - blueprint: bp-cnpg
      version: ^1.0
      alias: db
    - blueprint: bp-keycloak
      version: ^1.0
      alias: idp
    - blueprint: bp-external-secrets
      version: ^1.0
      alias: eso
  upgrades:
    from: ["0.x"]
  observability:
    metrics: prometheus
    logs: stdout
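The commit message and the Blueprint above state two invariants for this stack: no chart may accept or generate an ANTHROPIC_API_KEY (tokens arrive only as ESO-materialised Secrets), and bp-anthropic-adapter's render gate must reject an empty image tag rather than ship `:latest`. The following is an added example, not code from the openova repository or its charts: a stdlib-only Python policy check that enforces both gates over rendered workload manifests. The manifests are constructed samples in already-parsed form (image tags, Secret names and the key-like value are placeholders); in a real pipeline they would be the parsed output of `helm template`.

```python
# Added example (not from the openova repo): static policy check over rendered
# Kubernetes manifests for the two gates described in the commit message --
# no ANTHROPIC_API_KEY env var, and no unpinned image (empty tag or ':latest').

FORBIDDEN_ENV = {"ANTHROPIC_API_KEY"}


def pod_spec(manifest):
    """Return the pod spec embedded in a workload manifest, or None for other kinds."""
    kind = manifest.get("kind")
    spec = manifest.get("spec", {})
    if kind == "Pod":
        return spec
    if kind in ("Deployment", "Job", "StatefulSet", "DaemonSet"):
        return spec.get("template", {}).get("spec", {})
    return None


def image_problem(image):
    """Describe why an image reference is not pinned, or return None if it is."""
    if "@sha256:" in image:
        return None  # digest-pinned: the strongest form of pinning
    _, sep, tag = image.rpartition(":")
    if not sep or "/" in tag:
        return "image has no tag"  # bare name, or the colon was a registry port
    if tag == "":
        return "image tag is empty"
    if tag == "latest":
        return "image uses ':latest'"
    return None


def check_manifests(manifests):
    """Return a list of human-readable violations across all workload manifests."""
    violations = []
    for m in manifests:
        spec = pod_spec(m)
        if spec is None:
            continue
        ident = f"{m.get('kind')}/{m.get('metadata', {}).get('name', '?')}"
        containers = spec.get("initContainers", []) + spec.get("containers", [])
        for c in containers:
            cname = c.get("name", "?")
            for env in c.get("env", []):
                if env.get("name") in FORBIDDEN_ENV:
                    violations.append(f"{ident} container {cname}: forbidden env {env['name']}")
            problem = image_problem(c.get("image", ""))
            if problem:
                violations.append(f"{ident} container {cname}: {problem} ({c.get('image', '')!r})")
    return violations


# Constructed sample manifests (placeholder names, tags and values).
SAMPLE_MANIFESTS = [
    {   # compliant: OAuth token from a Secret reference, pinned image tag
        "kind": "Deployment",
        "metadata": {"name": "anthropic-adapter"},
        "spec": {"template": {"spec": {"containers": [{
            "name": "adapter",
            "image": "ghcr.io/openova-io/openova/anthropic-adapter:0123abcd",  # placeholder sha
            "env": [{"name": "ANTHROPIC_OAUTH_TOKEN",
                     "valueFrom": {"secretKeyRef": {"name": "anthropic-oauth", "key": "token"}}}],
        }]}}},
    },
    {   # non-compliant: inline API key env var and a ':latest' image
        "kind": "Deployment",
        "metadata": {"name": "llm-gateway"},
        "spec": {"template": {"spec": {"containers": [{
            "name": "litellm",
            "image": "ghcr.io/berriai/litellm:latest",
            "env": [{"name": "ANTHROPIC_API_KEY", "value": "placeholder-not-a-real-key"}],
        }]}}},
    },
    {   # non-compliant: empty tag, the case the adapter's render gate must reject
        "kind": "Job",
        "metadata": {"name": "audit-migrate"},
        "spec": {"template": {"spec": {"containers": [{
            "name": "migrate",
            "image": "ghcr.io/openova-io/openova/anthropic-adapter:",
        }]}}},
    },
]


if __name__ == "__main__":
    for line in check_manifests(SAMPLE_MANIFESTS):
        print("VIOLATION:", line)
```

The check inspects only `env[].name` and container images; a Secret pulled in through `envFrom` cannot be inspected statically, so the ExternalSecret that materialises it is where the key name must be reviewed.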