Ollama service used in the classroom backend

.github/workflows/test-private.yaml

@@ -24,6 +24,9 @@ jobs:
           python-version: 3.9
       - name: Set up chart-testing
         uses: helm/chart-testing-action@v2.8.0
+      - name: Helm login
+        run: |
+          echo -n '${{ secrets.OSC_REGISTRY_ROBOT_OSC_READ_TOKEN }}' | helm registry login docker-registry.osc.edu -u '${{ secrets.OSC_REGISTRY_ROBOT_OSC_READ_USERNAME }}' --password-stdin
       - name: Run chart-testing (lint)
         run: ct lint --config .github/config/cf.yaml --chart-dirs charts-private
 
@@ -71,6 +74,9 @@ jobs:
         run: |
           kubectl label node kind-control-plane node-role.kubernetes.io/test=''
           kubectl label node kind-control-plane node-role.kubernetes.io/webservices=''
+      - name: Helm login
+        run: |
+          echo -n '${{ secrets.OSC_REGISTRY_ROBOT_OSC_READ_TOKEN }}' | helm registry login docker-registry.osc.edu -u '${{ secrets.OSC_REGISTRY_ROBOT_OSC_READ_USERNAME }}' --password-stdin
       - name: Build and Load nominatim images
         if: matrix.chart == 'nominatim'
         run: |

charts-private/ollama/Chart.yaml

@@ -0,0 +1,18 @@
+apiVersion: v2
+name: ollama
+description: OSC Ollama service for classroom
+type: application
+version: 0.2.0
+appVersion: '0.18.3'
+maintainers:
+  - name: zyou
+dependencies:
+  - name: osc-common
+    version: 0.14.0
+    repository: https://osc.github.io/osc-helm-charts/
+    # repository: file://../../charts/osc-common
+  - name: ollama
+    version: 1.54.0-osc-r2
+    repository: oci://docker-registry.osc.edu/kubernetes/charts
+    # version: 1.54.0
+    # repository: file://./ollama-helm

charts-private/ollama/ci/test-values.yaml

@@ -0,0 +1,22 @@
+global:
+  environment: dev
+  imagePullSecret:
+    password: IMAGE-PULL-PASSWORD
+  nodeSelectorRole: test
+  debugGroups:
+    - foobar
+  maintenanceGroups:
+    - foo
+    - bar
+  project: PAS0710
+
+ollama:
+  persistentVolume:
+    accessModes:
+    - ReadWriteOnce
+    storageClass: standard
+
+  podSecurityContext:
+    runAsUser: 65534
+    runAsGroup: 65534
+    fsGroup: 65534

charts-private/ollama/values.yaml

@@ -0,0 +1,165 @@
+global:
+  # -- The service account used by OSC deployments.
+  # Also pulled from global.env.<env>.serviceAccount
+  oscServiceAccount: '{{ include "ollama.fullname" . }}'
+  # -- The deployment's OSC environment
+  environment: production
+  # -- The nodeSelector role
+  nodeSelectorRole: webservices
+  imagePullSecret:
+    # -- Create the image pull secret
+    create: true
+    # -- imagePullSecret name
+    name: osc-registry
+    # -- imagePullSecret registry
+    registry: docker-registry.osc.edu
+    # -- imagePullSecret username
+    username: robot$webservices-read
+    # -- imagePullSecret password.
+    # This value will be set by OSC's Puppet.
+    # This value must be set to IMAGE-PULL-PASSWORD for CI tests.
+    password:
+  # @ignored
+  networkPolicy:
+    # -- Create the network policy
+    create: false
+    # -- Labels for NetworkPolicy podSelector. Defaults to `"osc.common.selectorLabels"`
+    podSelector: ~
+    # Example define podSelector labels
+    #  podSelector:
+    #    app.kubernetes.io/name: test
+    #
+    # -- Labels of pods allowed to Ingress from the same namespace
+    ingressAllowedPods: []
+    # Example additional ingress labels
+    #  ingressAllowedPods:
+    #    - require: test
+    #    - client: test
+    #
+    # @ignored
+    ingressNamespace: ingress-nginx
+    # @ignored
+    prometheusNamespace: prometheus
+  # @ignored
+  webservicesDeploy:
+    # -- Create webservices deployment rolebinding
+    create: false
+  # -- Groups that debug pods
+  debugGroups:
+    - sappstf
+  # -- Groups that can perform maintenance operations
+  maintenanceGroups:
+    - sappstf
+  # -- Groups that are allowed to perform port forwarding
+  portforwardGroups: []
+  auth:
+    # @ignored
+    enable: false
+    # @ignored
+    allowGroups: []
+  ingress:
+    # -- Ingress host
+    # @default -- **required**
+    host: ""
+    # -- Ingress host alias
+    # @default -- **required**
+    hostAlias: ""
+  alert:
+    # -- The alert receiver
+    receiver: sciapps
+  # -- The service project
+  # @default -- **required**
+  project: ''
+
+ollama:
+  # -- Map of labels to add to the pods
+  podLabels:
+    '{{ include "osc.common.serviceAccountKey" . }}': '{{ tpl (include "osc.common.serviceAccountValue" .) . }}'
+    receiver: '{{ .Values.global.alert.receiver }}'
+
+  deployment:
+    # -- Labels to add to the deployment
+    labels:
+      '{{ include "osc.common.serviceAccountKey" . }}': '{{ include "osc.common.serviceAccountValue" . }}'
+      receiver: '{{ .Values.global.alert.receiver }}'
+
+  # -- Docker registry secret names as an array
+  imagePullSecrets:
+  - name: '{{ .Values.global.imagePullSecret.name }}'
+
+  image:
+    # -- Docker image registry
+    repository: docker-registry.osc.edu/kubernetes/ollama/ollama
+    # -- Docker image tag, overrides the image tag whose default is the chart appVersion.
+    tag: '0.18.3'
+
+  ollama:
+    mountPath: /ollama
+    gpu:
+      # -- Enable GPU integration
+      enabled: true
+      type: nvidia
+      # -- Specify the number of GPU
+      number: 1
+    models:
+      # -- List of models to pull at container startup
+      # The more you add, the longer the container will take to start if models are not present
+      pull: []
+
+  # -- Node labels for pod assignment.
+  nodeSelector:
+    nvidia.com/gpu.product: NVIDIA-A100-PCIE-40GB-MIG-1g.5gb
+    '{{ include "osc.common.nodeSelectorRoleKey" . }}': ''
+
+  service:
+    # -- Labels to add to the service
+    labels:
+      receiver: '{{ .Values.global.alert.receiver }}'
+    # -- Annotations to add to the service
+    annotations:
+      prometheus.io/probe_module: http
+      prometheus.io/probe_scheme: http
+
+  # -- Pod Security Context
+  podSecurityContext:
+    runAsNonRoot: true
+
+  # -- Container Security Context
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+      - ALL
+    seccompProfile:
+      type: RuntimeDefault
+    privileged: false
+
+  resources:
+    limits:
+      memory: 8Gi
+      cpu: 4
+    requests:
+      memory: 4Gi
+      cpu: 2
+
+  extraEnv:
+  - name: OLLAMA_MODELS
+    value: /ollama
+  - name: HOME
+    value: /ollama
+  - name: OLLAMA_FLASH_ATTENTION
+    value: '1'
+
+  persistentVolume:
+    # -- Enable persistence using PVC
+    enabled: true
+    accessModes:
+    - ReadWriteMany
+    annotations:
+      osc.edu/fileset: '{{ .Values.global.project }}'
+    size: 500Gi
+    storageClass: local-ess
+
+  serviceAccount:
+    # -- Specifies whether a service account should be created
+    create: true