DEV Community: George Lukas The latest articles on DEV Community by George Lukas (@glukas). https://dev.to/glukas https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3757332%2Fea86413e-e0f5-4bc5-acb4-1243a93f6fa8.png DEV Community: George Lukas https://dev.to/glukas en Chapter 4: GitOps with Terraform + ArgoCD — Self-Hosting LLMs as a Platform Product George Lukas Fri, 06 Mar 2026 19:25:15 +0000 https://dev.to/glukas/chapter-4-gitops-with-terraform-argocd-a-llm-self-hosting-product-infrastructure-5a3o https://dev.to/glukas/chapter-4-gitops-with-terraform-argocd-a-llm-self-hosting-product-infrastructure-5a3o <p>Each chapter in this series has been a deliberate step toward removing friction from LLM infrastructure management. Chapter 2 introduced Infrastructure as Code by mapping Kubernetes resources directly to Terraform — functional, but painfully verbose. Chapter 3 resolved the abstraction problem by bringing in the Helm provider, collapsing 500 lines of HCL into 50 and allowing Terraform to reason about applications rather than individual resources. Both approaches, however, shared the same fundamental constraint: every change still required a human to run <code>terraform apply</code>. The cluster had no awareness of Git, drift went undetected until someone noticed, and scaling that model to larger teams or more frequent deploys would inevitably make manual execution a bottleneck. Chapter 4 closes that loop by introducing GitOps with ArgoCD — making the cluster itself responsible for continuously reconciling its state against Git, without anyone needing to trigger a command.</p> <h3> The Four Principles of GitOps </h3> <p>GitOps is an operational paradigm built on four interconnected principles:</p> <p><strong>1. Declarative</strong><br> Everything the cluster needs to run is expressed as YAML files. There is no procedural "run this command" — only a description of the desired end state.</p> <p><strong>2. Versioned</strong><br> All state lives in Git. Every change has an author, a timestamp, and a diff. Rollback becomes as simple as reverting a commit.</p> <p><strong>3. Pull-based</strong> (key differentiator)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Cap 3: Developer → terraform apply → push → Cluster Cap 4: Developer → git push → Git ← poll ← ArgoCD (no cluster) </code></pre> </div> <p><strong>4. Continuous reconciliation</strong><br> ArgoCD runs an infinite loop:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>while true: git_state = fetch_from_git() cluster_state = fetch_from_kubernetes() if git_state != cluster_state: apply_changes() sleep(180) # 3 minutes </code></pre> </div> <h2> Context and Rationale </h2> <p>With the mechanics of GitOps established, it is worth stepping back to understand why this shift matters beyond a single team running <code>git push</code>. Removing <code>terraform apply</code> from the workflow is only the surface benefit — the deeper payoff is that GitOps creates the operational foundation for treating infrastructure as a product, with real ownership, roadmaps, and SLAs.</p> <h3> Growing Cloud Complexity </h3> <p>Cloud infrastructure promised simplicity. In 2010, AWS offered ~20 intuitive services, provisioned with clicks in the UI. The value proposition was clear: simplify infrastructure.</p> <p>Today, reality is different:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>AWS (2010): ├── ~20 services ├── Provisioning via UI └── Simplicity as core value AWS (2025): ├── 175+ services ├── Provisioning via IaC └── Complexity as new reality </code></pre> </div> <p><strong>Organizational impact:</strong></p> <p>According to Max Griffiths (Thoughtworks):</p> <blockquote> <p>"Rising cloud complexity is putting many organizations and their infrastructure teams right back to where they were 15 years ago — struggling to keep up with demand for new services and instances, and stay on top of an increasingly unmanageable infrastructure footprint."</p> </blockquote> <p><strong>Consequences:</strong></p> <ul> <li>Time to market increased (instead of decreasing)</li> <li>Required skills grew exponentially</li> <li>Self-service became impractical</li> <li>Full-stack developer scope expanded to the point of becoming a disadvantage</li> </ul> <h3> Infrastructure as Product </h3> <p>Infrastructure as Product treats infrastructure not as a <strong>centralized service provider</strong>, but as a <strong>portfolio of internal products</strong> that enable product teams to deliver value quickly.</p> <p><strong>Paradigm shift:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Traditional (project-based): Developer → Ticket → Ops Team → Wait → Provision → Deploy Timeline: Days/weeks Bottleneck: Ops team on critical path Infrastructure as Product: Developer → Self-service Platform → Provision → Deploy Timeline: Minutes/hours Enabler: Platform removes friction </code></pre> </div> <h3> Three Core Principles </h3> <h4> 1. Developer as Customer </h4> <p>Infrastructure should be designed around developer experience first. If the platform is hard to use, it won't be adopted — regardless of how technically sound it is.</p> <p><strong>Success metrics:</strong></p> <ul> <li>Developer satisfaction score</li> <li>Time to provision (target: &lt;30 min)</li> <li>Platform adoption rate</li> <li>Support tickets reduction</li> </ul> <p><strong>Anti-pattern:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Requires learning a new language just to provision</span> <span class="na">developer</span><span class="pi">:</span> <span class="na">must_learn</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">HCL</span><span class="pi">,</span> <span class="nv">Pulumi</span><span class="pi">,</span> <span class="nv">CloudFormation</span><span class="pi">]</span> <span class="na">to_do</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Same</span><span class="nv"> </span><span class="s">work</span><span class="nv"> </span><span class="s">as</span><span class="nv"> </span><span class="s">before"</span> <span class="na">result</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Poor</span><span class="nv"> </span><span class="s">developer</span><span class="nv"> </span><span class="s">experience"</span> </code></pre> </div> <p><strong>Correct pattern:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Familiar interface, correct abstraction</span> <span class="na">developer</span><span class="pi">:</span> <span class="na">uses</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">YAML</span><span class="pi">,</span> <span class="nv">familiar APIs</span><span class="pi">]</span> <span class="na">self_service</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">result</span><span class="pi">:</span> <span class="s2">"</span><span class="s">High</span><span class="nv"> </span><span class="s">adoption,</span><span class="nv"> </span><span class="s">low</span><span class="nv"> </span><span class="s">friction"</span> </code></pre> </div> <h4> 2. Platform Teams With a Product Mindset </h4> <p>According to Sebastian Straube (Accenture), infrastructure teams shouldn't operate as a shared service that reacts to tickets — they should be restructured into dedicated platform product teams, each owning a slice of the internal platform with a roadmap, SLAs, and real accountability to their users.</p> <p><strong>Organization example:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Platform Team: Compute &amp; Container ├── Product: Kubernetes-as-a-Service ├── Customers: All development teams ├── Roadmap: │ ├── Q1: Auto-scaling GPU nodes │ ├── Q2: Service mesh integration │ └── Q3: Cost optimization ├── SLA: 99.9% uptime, &lt;5min provision └── Metrics: Adoption rate, developer satisfaction Platform Team: Observability ├── Product: Unified logs/metrics/traces ├── Customers: All teams (dev + ops) ├── Roadmap: │ ├── Q1: 30-day retention │ ├── Q2: AIOps integration │ └── Q3: Cost attribution ├── SLA: &lt;5s query response └── Metrics: Query volume, alert accuracy </code></pre> </div> <p><strong>Characteristics:</strong></p> <ul> <li>Long-lived teams (not project-based)</li> <li>Own product roadmap and backlog</li> <li>Accountable for adoption and satisfaction</li> <li>Measure success by customer outcomes</li> </ul> <h4> 3. Self-Service as a Core Value </h4> <p>The platform must enable true self-service — meaning the platform team is never on the critical path of a deployment.</p> <p><strong>Anti-pattern:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Developer → Submit PR → Platform review → Approve → Deploy Problem: Platform team on critical path (bottleneck) </code></pre> </div> <p><strong>Correct pattern:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Developer → Use platform API → Automated validation → Deploy Platform: Monitor outcomes </code></pre> </div> <p><strong>Real-world example:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Developer workflow</span> kubectl apply <span class="nt">-f</span> app.yaml <span class="c"># Platform validates automatically:</span> <span class="c"># ✓ Security policies (OPA)</span> <span class="c"># ✓ Resource quotas</span> <span class="c"># ✓ Network policies</span> <span class="c"># ✓ Deploy without manual approval</span> </code></pre> </div> <h3> GitOps as the Technical Foundation </h3> <p>GitOps is not just "automation" — it is the enabling layer that makes Infrastructure as Product operationally viable. Each of its four properties maps directly to a platform capability:</p> <h4> 1. Declarative = Product Catalog </h4> <p>The Git repository becomes a catalog of available products that any team can consume, customize, and deploy independently.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>k8s-apps/ ├── apps/ollama/ # Product: LLM Inference ├── apps/librechat/ # Product: Chat Interface └── apps/postgres/ # Product: Database </code></pre> </div> <p>Developer "consumes" a product via:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone k8s-apps <span class="nb">cp</span> <span class="nt">-r</span> apps/ollama apps/my-llm vim apps/my-llm/values.yaml <span class="c"># Customize</span> git commit <span class="o">&amp;&amp;</span> git push <span class="c"># ArgoCD auto-deploy</span> </code></pre> </div> <h4> 2. Self-Service = Developer Autonomy </h4> <p>ArgoCD removes the platform team from the critical path:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Without ArgoCD: Developer → Code → Request deploy → Platform team → Manual deploy With ArgoCD: Developer → Code → Git push → ArgoCD auto-sync → Deployed </code></pre> </div> <h4> 3. API-Driven = Programmatic Access </h4> <p>ArgoCD Application CRDs are the deployment API:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Developer creates workload via Kubernetes API</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Application</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-service</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">source</span><span class="pi">:</span> <span class="na">repoURL</span><span class="pi">:</span> <span class="s">https://github.com/company/k8s-apps</span> <span class="na">path</span><span class="pi">:</span> <span class="s">apps/my-service</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">server</span><span class="pi">:</span> <span class="s">https://kubernetes.default.svc</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">my-namespace</span> <span class="na">syncPolicy</span><span class="pi">:</span> <span class="na">automated</span><span class="pi">:</span> <span class="na">prune</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">selfHeal</span><span class="pi">:</span> <span class="kc">true</span> </code></pre> </div> <h4> 4. Standardization With Flexibility </h4> <p>Helm charts serve as reusable product templates — the platform defines the structure, teams supply the configuration.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Platform provide templates: ├── web-app/ # Template for web apps ├── ml-service/ # Template for ML workloads └── data-pipeline/ # Template for ETL Developer customize: cp -r templates/web-app apps/my-app vim apps/my-app/values.yaml # Configuration only git push # Automatic deployment </code></pre> </div> <h2> Architectural Decision </h2> <h3> App of Apps with Independent Wrappers </h3> <p>Rather than managing all services as a single unit, this architecture treats each service as an independent package within the App of Apps pattern. GitOps manages deployments, versions, and updates at the individual service level — not the stack level.</p> <p>Each service (Ollama, LibreChat) has its own <strong>Helm chart wrapper</strong> that:</p> <ul> <li>References the upstream chart via <code>dependencies</code> in <code>Chart.yaml</code> </li> <li>Customizes configuration via a local <code>values.yaml</code> </li> <li>Maintains independent versioning</li> <li>Allows isolated evolution</li> </ul> <h3> Wrapper Structure </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>apps/ ├── librechat/ │ ├── Chart.yaml # Wrapper chart with dependency │ └── values.yaml # Specific configuration └── ollama/ ├── Chart.yaml # Wrapper chart with dependency └── values.yaml # Specific configuration </code></pre> </div> <p><strong>Chart.yaml defines the dependency:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">dependencies</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">ollama</span> <span class="na">version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1.42.0"</span> <span class="c1"># Fixed version</span> <span class="na">repository</span><span class="pi">:</span> <span class="s2">"</span><span class="s">https://otwld.github.io/ollama-helm/"</span> </code></pre> </div> <p><strong>values.yaml customizes the upstream chart:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">ollama</span><span class="pi">:</span> <span class="c1"># Wrapper namespace</span> <span class="na">ollama</span><span class="pi">:</span> <span class="c1"># Chart namespace (double hierarchy)</span> <span class="na">gpu</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">models</span><span class="pi">:</span> <span class="na">pull</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">llama3.2:3b</span> </code></pre> </div> <h3> Benefits of This Approach </h3> <p><strong>1. Service Independence</strong></p> <ul> <li>Each app evolves at its own pace</li> <li>Deploying Ollama does not affect LibreChat</li> <li>Reduces the risk of cross-service regressions</li> </ul> <p><strong>2. Granular Versioning</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>apps/ollama/Chart.yaml: version: "1.42.0" apps/librechat/Chart.yaml: version: "1.9.7" </code></pre> </div> <ul> <li>Upstream chart versions pinned individually</li> <li>Upgrades tested and applied per service</li> <li>Independent rollback per application</li> </ul> <p><strong>3. Isolated Customization</strong></p> <ul> <li>Values specific per service</li> <li>No configuration conflicts</li> <li>Individual testability</li> </ul> <p><strong>4. Per-Service Observability</strong></p> <ul> <li>ArgoCD Application per service</li> <li>Isolated logs and events</li> <li>Specific health checking</li> </ul> <p><strong>5. Automated Deployment</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Git commit → ArgoCD detects → Helm processes wrapper → Deploy to cluster </code></pre> </div> <ul> <li>ArgoCD manages each wrapper as an Application</li> <li>Automatic sync per service</li> <li>Independent self-healing</li> </ul> <p><strong>6. Complete Tracking</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git log apps/ollama/values.yaml <span class="c"># Complete change history for Ollama</span> git log apps/librechat/values.yaml <span class="c"># Complete change history for LibreChat</span> </code></pre> </div> <ul> <li>Audit trail per service</li> <li>Specific PRs per change</li> <li>Granular rollback via Git</li> </ul> <h3> Types of Wrappers </h3> <p><strong>Wrapper with Public Chart (HTTP):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># apps/ollama/Chart.yaml</span> <span class="na">dependencies</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">ollama</span> <span class="na">version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1.42.0"</span> <span class="na">repository</span><span class="pi">:</span> <span class="s2">"</span><span class="s">https://otwld.github.io/ollama-helm/"</span> </code></pre> </div> <p><strong>Wrapper with OCI Chart:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># apps/librechat/Chart.yaml</span> <span class="na">dependencies</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">librechat</span> <span class="na">version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1.9.7"</span> <span class="na">repository</span><span class="pi">:</span> <span class="s2">"</span><span class="s">oci://ghcr.io/danny-avila/librechat-chart"</span> </code></pre> </div> <p><strong>Wrapper with Sub-charts:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># apps/custom-app/Chart.yaml</span> <span class="na">dependencies</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">app</span> <span class="na">version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1.0.0"</span> <span class="na">repository</span><span class="pi">:</span> <span class="s2">"</span><span class="s">https://..."</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">postgres</span> <span class="na">version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">12.0.0"</span> <span class="na">repository</span><span class="pi">:</span> <span class="s2">"</span><span class="s">https://charts.bitnami.com/bitnami"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">redis</span> <span class="na">version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">17.0.0"</span> <span class="na">repository</span><span class="pi">:</span> <span class="s2">"</span><span class="s">https://charts.bitnami.com/bitnami"</span> </code></pre> </div> <h3> Governance and Standardization </h3> <p><strong>No tight coupling:</strong></p> <ul> <li>Each service maintains flexibility</li> <li>Standards enforced via linting (CI/CD)</li> <li>Common templates available, not mandatory</li> </ul> <p><strong>Example of suggested standard:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># All services follow label convention</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Chart.Name</span> <span class="pi">}}</span> <span class="na">app.kubernetes.io/instance</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Release.Name</span> <span class="pi">}}</span> <span class="na">app.kubernetes.io/version</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">.Chart.AppVersion</span> <span class="pi">}}</span> <span class="na">app.kubernetes.io/managed-by</span><span class="pi">:</span> <span class="s">argocd</span> </code></pre> </div> <p>But each service can add specific labels without breaking others.</p> <h3> Alternatives Considered and Rejected </h3> <p><strong>❌ Single monorepo without wrappers:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># values.yaml (monolítico)</span> <span class="na">ollama</span><span class="pi">:</span> <span class="na">gpu</span><span class="pi">:</span> <span class="s">...</span> <span class="na">librechat</span><span class="pi">:</span> <span class="na">config</span><span class="pi">:</span> <span class="s">...</span> <span class="na">postgres</span><span class="pi">:</span> <span class="s">...</span> </code></pre> </div> <p><strong>Problems:</strong></p> <ul> <li>A change in Ollama affects LibreChat's versioning</li> <li>Atomic all-or-nothing deployment</li> <li>Rollback impacts all services</li> </ul> <p><strong>❌ Single custom chart:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># custom-chart/</span> <span class="s">templates/</span> <span class="s">ollama.yaml</span> <span class="s">librechat.yaml</span> <span class="s">postgres.yaml</span> </code></pre> </div> <p><strong>Problems:</strong></p> <ul> <li>Reinventing the wheel (official charts already exist)</li> <li>Heavy maintenance burden</li> <li>Complicates upstream upgrades</li> </ul> <p><strong>✅ Independent wrappers (chosen):</strong></p> <ul> <li>Reuses upstream charts</li> <li>Independence between services</li> <li>Easy maintenance</li> <li>Flexible governance</li> </ul> <h3> Trade-offs </h3> <p><strong>Advantages:</strong></p> <ul> <li>Full independence between services</li> <li>Granular versioning</li> <li>Individual rollback</li> <li>Isolated observability</li> <li>Scalability (adding an app = new directory)</li> </ul> <p><strong>Disadvantages:</strong></p> <ul> <li>Duplication of common configurations (e.g., ingress annotations)</li> <li>Requires linting to enforce standards</li> <li>More files to manage</li> </ul> <h3> Considerations </h3> <p><strong>Use when:</strong></p> <ul> <li>Medium/large team (5+ people)</li> <li>Multiple independent services</li> <li>Frequent deploys per service</li> <li>Need for granular rollback</li> <li>Distributed governance (teams own services)</li> </ul> <p><strong>Do not use when:</strong></p> <ul> <li>Monolithic application (single service)</li> <li>Very small team (1–2 people)</li> <li>All services always deployed together</li> <li>Preference for extreme simplicity</li> </ul> <h2> Implementing Terraform </h2> <p>This section implements <code>main.tf</code>. It does everything Terraform is responsible for in this architecture — which is intentionally narrow. Rather than managing applications directly, <code>main.tf</code> bootstraps the platform once and then hands control to ArgoCD. Concretely, it does four things in sequence: creates the three namespaces, provisions the credentials secret that LibreChat needs at runtime, installs ArgoCD via Helm, and registers the two ArgoCD <code>Application</code> CRDs that point at the Git repository. After that first <code>terraform apply</code>, Terraform is largely out of the picture — all subsequent application changes flow through Git.</p> <p>The file is organised into four logical blocks, each separated by a comment header:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>main.tf ├── Providers — Kubernetes + Helm provider config ├── Infrastructure — Namespaces + credentials secret ├── ArgoCD — Helm installation + values reference └── ArgoCD Applications — CRDs that register Ollama and LibreChat </code></pre> </div> <p>The subsections below walk through each block in order.</p> <h3> Providers </h3> <p><em>(<code>main.tf</code> lines 1–27 — <code>terraform {}</code> block + provider declarations)</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">required_version</span> <span class="p">=</span> <span class="s2">"&gt;= 1.0"</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">kubernetes</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/kubernetes"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 2.23"</span> <span class="p">}</span> <span class="nx">helm</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/helm"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 2.11"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">provider</span> <span class="s2">"kubernetes"</span> <span class="p">{</span> <span class="nx">config_path</span> <span class="p">=</span> <span class="s2">"~/.kube/config"</span> <span class="nx">config_context</span> <span class="p">=</span> <span class="s2">"minikube"</span> <span class="p">}</span> <span class="nx">provider</span> <span class="s2">"helm"</span> <span class="p">{</span> <span class="nx">kubernetes</span> <span class="p">{</span> <span class="nx">config_path</span> <span class="p">=</span> <span class="s2">"~/.kube/config"</span> <span class="nx">config_context</span> <span class="p">=</span> <span class="s2">"minikube"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The provider configuration is identical to Chapter 3: both the <code>kubernetes</code> and <code>helm</code> providers read from <code>~/.kube/config</code> and target the <code>minikube</code> context. No changes needed here.</p> <h3> Namespaces </h3> <p><em>(<code>main.tf</code> — <code>INFRASTRUCTURE</code> block)</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"kubernetes_namespace"</span> <span class="s2">"argocd"</span> <span class="p">{</span> <span class="nx">metadata</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"argocd"</span> <span class="nx">labels</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">managed-by</span> <span class="p">=</span> <span class="s2">"terraform"</span> <span class="nx">purpose</span> <span class="p">=</span> <span class="s2">"gitops"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"kubernetes_namespace"</span> <span class="s2">"ollama"</span> <span class="p">{</span> <span class="nx">metadata</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ollama"</span> <span class="nx">labels</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">managed-by</span> <span class="p">=</span> <span class="s2">"terraform"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"kubernetes_namespace"</span> <span class="s2">"librechat"</span> <span class="p">{</span> <span class="nx">metadata</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"librechat"</span> <span class="nx">labels</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">managed-by</span> <span class="p">=</span> <span class="s2">"terraform"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Design decision:</strong> Namespaces are managed by Terraform rather than ArgoCD because they are prerequisites for everything else — ArgoCD itself cannot deploy into a namespace that does not yet exist. They also change rarely enough that the overhead of GitOps reconciliation is not justified. The <code>purpose = "gitops"</code> label distinguishes tooling namespaces from application namespaces at a glance.</p> <h3> Infrastructure Secrets </h3> <p><em>(<code>main.tf</code> — still inside the <code>INFRASTRUCTURE</code> block, immediately after the namespaces)</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"kubernetes_secret"</span> <span class="s2">"librechat_credentials"</span> <span class="p">{</span> <span class="nx">metadata</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"librechat-credentials-env"</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="nx">kubernetes_namespace</span><span class="p">.</span><span class="nx">librechat</span><span class="p">.</span><span class="nx">metadata</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">name</span> <span class="p">}</span> <span class="nx">data</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">JWT_SECRET</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">jwt_secret</span> <span class="nx">JWT_REFRESH_SECRET</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">jwt_refresh_secret</span> <span class="nx">CREDS_KEY</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">creds_key</span> <span class="nx">CREDS_IV</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">creds_iv</span> <span class="nx">MONGO_URI</span> <span class="p">=</span> <span class="s2">"mongodb://librechat-mongodb:27017/LibreChat"</span> <span class="nx">MEILI_HOST</span> <span class="p">=</span> <span class="s2">"http://librechat-meilisearch:7700"</span> <span class="nx">OLLAMA_BASE_URL</span> <span class="p">=</span> <span class="s2">"http://ollama.ollama.svc.cluster.local:11434"</span> <span class="p">}</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"Opaque"</span> <span class="p">}</span> </code></pre> </div> <p><strong>Design decision:</strong> Credentials are managed by Terraform precisely because they must <em>not</em> appear in Git. Committing plaintext secrets to a repository — even a private one — violates the principle of least exposure. For production environments, the right path is to replace this with Sealed Secrets, External Secrets Operator, or HashiCorp Vault, all of which allow secrets to live in Git in an encrypted or referenced form. Chapter 5 covers this.</p> <h3> ArgoCD Installation </h3> <p><em>(<code>main.tf</code> — <code>ARGOCD</code> block)</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"helm_release"</span> <span class="s2">"argocd"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"argocd"</span> <span class="nx">repository</span> <span class="p">=</span> <span class="s2">"https://argoproj.github.io/argo-helm"</span> <span class="nx">chart</span> <span class="p">=</span> <span class="s2">"argo-cd"</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="nx">kubernetes_namespace</span><span class="p">.</span><span class="nx">argocd</span><span class="p">.</span><span class="nx">metadata</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">name</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"5.51.6"</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">file</span><span class="p">(</span><span class="s2">"${path.module}/values/argocd-values.yaml"</span><span class="p">)</span> <span class="p">]</span> <span class="nx">timeout</span> <span class="p">=</span> <span class="mi">600</span> <span class="nx">wait</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">wait_for_jobs</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">kubernetes_namespace</span><span class="p">.</span><span class="nx">argocd</span> <span class="p">]</span> <span class="p">}</span> </code></pre> </div> <h3> ArgoCD Applications (CRDs) </h3> <p><em>(<code>main.tf</code> — <code>ARGOCD APPLICATIONS</code> block — the last block in the file)</em></p> <p>With ArgoCD installed, the final step is registering the applications it should manage. Each <code>kubernetes_manifest</code> block below creates an ArgoCD <code>Application</code> CRD — a declarative instruction telling ArgoCD which Git path to watch, which cluster namespace to deploy into, and how to handle sync and drift.</p> <h4> Ollama: </h4> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"kubernetes_manifest"</span> <span class="s2">"argocd_app_ollama"</span> <span class="p">{</span> <span class="nx">manifest</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">apiVersion</span> <span class="p">=</span> <span class="s2">"argoproj.io/v1alpha1"</span> <span class="nx">kind</span> <span class="p">=</span> <span class="s2">"Application"</span> <span class="nx">metadata</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ollama"</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="nx">kubernetes_namespace</span><span class="p">.</span><span class="nx">argocd</span><span class="p">.</span><span class="nx">metadata</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">name</span> <span class="nx">labels</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">managed-by</span> <span class="p">=</span> <span class="s2">"terraform"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">spec</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">project</span> <span class="p">=</span> <span class="s2">"default"</span> <span class="nx">source</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">repoURL</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">git_repo_url</span> <span class="nx">targetRevision</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">git_branch</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"apps/ollama"</span> <span class="nx">helm</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">valueFiles</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"values.yaml"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">destination</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">server</span> <span class="p">=</span> <span class="s2">"https://kubernetes.default.svc"</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="nx">kubernetes_namespace</span><span class="p">.</span><span class="nx">ollama</span><span class="p">.</span><span class="nx">metadata</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">name</span> <span class="p">}</span> <span class="nx">syncPolicy</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">automated</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">prune</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">selfHeal</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">syncOptions</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"CreateNamespace=false"</span> <span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">helm_release</span><span class="p">.</span><span class="nx">argocd</span><span class="p">,</span> <span class="nx">kubernetes_namespace</span><span class="p">.</span><span class="nx">ollama</span> <span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p><strong>Breaking Down:</strong></p> <p><strong><code>spec.source</code>:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">source</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">repoURL</span> <span class="p">=</span> <span class="s2">"https://github.com/&lt;user&gt;/k8s-apps.git"</span> <span class="nx">targetRevision</span> <span class="p">=</span> <span class="s2">"main"</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"apps/ollama"</span> <span class="nx">helm</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">valueFiles</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"values.yaml"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><code>repoURL</code>: Git repository to watch<br><br> <code>targetRevision</code>: Branch, tag, or specific SHA<br><br> <code>path</code>: Directory within the repo<br><br> <code>helm.valueFiles</code>: Array of values files (merged in order)</p> <p><strong><code>spec.destination</code>:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">destination</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">server</span> <span class="p">=</span> <span class="s2">"https://kubernetes.default.svc"</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="s2">"ollama"</span> <span class="p">}</span> </code></pre> </div> <p><code>server</code>: API server of the target cluster </p> <ul> <li> <code>kubernetes.default.svc</code>: Local cluster (where ArgoCD is) </li> <li>External URL: Deploy to a remote cluster</li> </ul> <p><code>namespace</code>: Destination namespace in the cluster</p> <p><strong><code>spec.syncPolicy</code>:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">syncPolicy</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">automated</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">prune</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">selfHeal</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">syncOptions</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"CreateNamespace=false"</span> <span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p><strong><code>automated</code>:</strong></p> <ul> <li>Present: ArgoCD syncs automatically upon detecting changes</li> <li>Absent: Manual sync only</li> </ul> <p><strong><code>prune: true</code>:</strong></p> <ul> <li>Resources deleted from Git are deleted from the cluster</li> <li> <code>false</code>: Orphaned resources remain in the cluster</li> </ul> <p><strong><code>selfHeal: true</code>:</strong></p> <ul> <li>Manual changes in the cluster are reverted</li> <li>ArgoCD forces state = Git</li> <li> <code>false</code>: Manual changes persist (drift)</li> </ul> <p><strong><code>syncOptions</code>:</strong></p> <ul> <li> <code>CreateNamespace=false</code>: Do not create namespace (already exists via Terraform)</li> <li> <code>CreateNamespace=true</code>: Create if it doesn't exist</li> <li> <code>Validate=false</code>: Skip resource validation</li> <li> <code>PruneLast=true</code>: Delete orphaned resources last</li> </ul> <h4> LibreChat: </h4> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"kubernetes_manifest"</span> <span class="s2">"argocd_app_librechat"</span> <span class="p">{</span> <span class="nx">manifest</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">apiVersion</span> <span class="p">=</span> <span class="s2">"argoproj.io/v1alpha1"</span> <span class="nx">kind</span> <span class="p">=</span> <span class="s2">"Application"</span> <span class="nx">metadata</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"librechat"</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="nx">kubernetes_namespace</span><span class="p">.</span><span class="nx">argocd</span><span class="p">.</span><span class="nx">metadata</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">name</span> <span class="nx">labels</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">managed-by</span> <span class="p">=</span> <span class="s2">"terraform"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">spec</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">project</span> <span class="p">=</span> <span class="s2">"default"</span> <span class="nx">source</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">repoURL</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">git_repo_url</span> <span class="nx">targetRevision</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">git_branch</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"apps/librechat"</span> <span class="nx">helm</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">valueFiles</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"values.yaml"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">destination</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">server</span> <span class="p">=</span> <span class="s2">"https://kubernetes.default.svc"</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="nx">kubernetes_namespace</span><span class="p">.</span><span class="nx">librechat</span><span class="p">.</span><span class="nx">metadata</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">name</span> <span class="p">}</span> <span class="nx">syncPolicy</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">automated</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">prune</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">selfHeal</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">syncOptions</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"CreateNamespace=false"</span> <span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">helm_release</span><span class="p">.</span><span class="nx">argocd</span><span class="p">,</span> <span class="nx">kubernetes_namespace</span><span class="p">.</span><span class="nx">librechat</span><span class="p">,</span> <span class="nx">kubernetes_secret</span><span class="p">.</span><span class="nx">librechat_credentials</span> <span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>The LibreChat Application CRD follows the same structure as Ollama. The only meaningful difference is that it carries an additional <code>depends_on</code> reference to <code>kubernetes_secret.librechat_credentials</code>, ensuring the credentials exist in the cluster before ArgoCD attempts its first sync.</p> <h3> Outputs </h3> <p><em>(<code>main.tf</code> — <code>OUTPUTS</code> block)</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">output</span> <span class="s2">"argocd_url"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="s2">"http://argocd.glukas.space"</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"argocd_admin_password"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">try</span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">kubernetes_secret</span><span class="p">.</span><span class="nx">argocd_initial_admin</span><span class="p">.</span><span class="nx">data</span><span class="p">[</span><span class="s2">"password"</span><span class="p">],</span> <span class="s2">""</span><span class="p">)</span> <span class="nx">sensitive</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"argocd_password_command"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="s2">"minikube kubectl -- -n argocd get secret argocd-initial-admin-secret -o jsonpath='{.data.password}' | base64 -d"</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"applications_managed"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">ollama</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="nx">kubernetes_namespace</span><span class="p">.</span><span class="nx">ollama</span><span class="p">.</span><span class="nx">metadata</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">name</span> <span class="nx">status</span> <span class="p">=</span> <span class="s2">"Managed by ArgoCD"</span> <span class="p">}</span> <span class="nx">librechat</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="nx">kubernetes_namespace</span><span class="p">.</span><span class="nx">librechat</span><span class="p">.</span><span class="nx">metadata</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">name</span> <span class="nx">status</span> <span class="p">=</span> <span class="s2">"Managed by ArgoCD"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong><code>try()</code> function:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">try</span><span class="err">(</span><span class="nx">expression</span><span class="err">,</span> <span class="nx">fallback</span><span class="err">)</span> </code></pre> </div> <p>Attempts to execute expression, returns fallback if it fails. Avoids errors when the secret does not yet exist.</p> <p>With the outputs block in place, <code>main.tf</code> is complete. The full file now captures the entire platform bootstrap in roughly 200 lines: provider config, namespaces, one credentials secret, one Helm release, two ArgoCD Application CRDs, and four outputs. Running <code>terraform apply</code> once produces a live ArgoCD instance watching your Git repository — everything after that point is GitOps.</p> <h2> Implementing Application Charts </h2> <p>The Git repository that ArgoCD watches is separate from the Terraform code. It contains only the Helm wrapper charts — one directory per application — and nothing else. This clean separation means developers working on application configuration never need to touch Terraform, and the platform team can evolve the infrastructure layer independently.</p> <h3> Structure </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>├── apps │ ├── librechat │ │ ├── Chart.yaml │ │ └── values.yaml │ └── ollama │ ├── Chart.yaml │ └── values.yaml ├── main.tf ├── values │ └── argocd-values.yaml └── variables.tf </code></pre> </div> <h3> ArgoCD Configuration (values/argocd-values.yaml) </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">global</span><span class="pi">:</span> <span class="na">domain</span><span class="pi">:</span> <span class="s">argocd.glukas.space</span> <span class="na">server</span><span class="pi">:</span> <span class="na">service</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">ClusterIP</span> <span class="na">extraArgs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">--insecure</span> <span class="c1"># HTTP only — no TLS (development only)</span> <span class="na">ingress</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">ingressClassName</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">hosts</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">argocd.glukas.space</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">/</span> <span class="na">pathType</span><span class="pi">:</span> <span class="s">Prefix</span> <span class="na">tls</span><span class="pi">:</span> <span class="pi">[]</span> <span class="na">config</span><span class="pi">:</span> <span class="na">timeout.reconciliation</span><span class="pi">:</span> <span class="s">180s</span> <span class="c1"># Polling interval</span> <span class="na">controller</span><span class="pi">:</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s">100m</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">256Mi</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s">500m</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">512Mi</span> <span class="na">repoServer</span><span class="pi">:</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s">50m</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">128Mi</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s">200m</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">256Mi</span> <span class="na">applicationSet</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">notifications</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">dex</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">false</span> </code></pre> </div> <p><strong>Critical parameters:</strong></p> <p><code>timeout.reconciliation: 180s</code></p> <ul> <li>Git polling frequency</li> <li>Trade-off: Lower value = faster detection, higher load</li> <li>Recommendation: 180s (3 min) for most cases</li> </ul> <p><code>extraArgs: [--insecure]</code></p> <ul> <li><strong>DEVELOPMENT ONLY</strong></li> <li>Production must use TLS with valid certificates</li> </ul> <p><code>resources.limits</code></p> <ul> <li>Controller: Component responsible for reconciliation</li> <li>RepoServer: Component that reads Git</li> <li>Values for ~10 applications; scale as needed</li> </ul> <h3> Ollama Configuration </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Chart.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v2</span> <span class="na">name</span><span class="pi">:</span> <span class="s">ollama</span> <span class="na">description</span><span class="pi">:</span> <span class="s">Ollama deployment managed by ArgoCD</span> <span class="na">type</span><span class="pi">:</span> <span class="s">application</span> <span class="na">version</span><span class="pi">:</span> <span class="s">1.0.0</span> <span class="na">dependencies</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">ollama</span> <span class="na">version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1.42.0"</span> <span class="na">repository</span><span class="pi">:</span> <span class="s2">"</span><span class="s">https://otwld.github.io/ollama-helm/"</span> </code></pre> </div> <p><strong>Fields:</strong></p> <p><code>apiVersion: v2</code>: Helm 3 API version<br><br> <code>name</code>: Wrapper chart name<br><br> <code>type: application</code>: Deployable chart (vs <code>library</code>)<br><br> <code>version</code>: Wrapper version (local control) </p> <p><strong><code>dependencies</code>:</strong></p> <p><code>name: ollama</code>: Dependency name </p> <ul> <li>Automatically creates namespace <code>.Values.ollama</code> </li> </ul> <p><code>version: "1.42.0"</code>: Fixed version of the upstream chart </p> <ul> <li> <strong>CRITICAL:</strong> Always pin the version</li> <li>Avoid: <code>version: "*"</code> or no version</li> </ul> <p><code>repository</code>: Chart source</p> <h3> Ollama: values.yaml — Analysing its Double Hierarchy </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">ollama</span><span class="pi">:</span> <span class="c1"># Layer 1: dependency namespace (created automatically by Helm)</span> <span class="na">ollama</span><span class="pi">:</span> <span class="c1"># Layer 2: chart's internal namespace</span> <span class="na">gpu</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">type</span><span class="pi">:</span> <span class="s">nvidia</span> <span class="na">number</span><span class="pi">:</span> <span class="m">1</span> <span class="na">models</span><span class="pi">:</span> <span class="na">pull</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">llama3.2:3b</span> <span class="pi">-</span> <span class="s">deepseek-r1:14b</span> <span class="na">ingress</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">className</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">nginx.ingress.kubernetes.io/proxy-body-size</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0"</span> <span class="na">nginx.ingress.kubernetes.io/proxy-read-timeout</span><span class="pi">:</span> <span class="s2">"</span><span class="s">600"</span> <span class="na">nginx.ingress.kubernetes.io/proxy-send-timeout</span><span class="pi">:</span> <span class="s2">"</span><span class="s">600"</span> <span class="na">nginx.ingress.kubernetes.io/proxy-connect-timeout</span><span class="pi">:</span> <span class="s2">"</span><span class="s">600"</span> <span class="na">hosts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">host</span><span class="pi">:</span> <span class="s">ollama.glukas.space</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/</span> <span class="na">pathType</span><span class="pi">:</span> <span class="s">Prefix</span> <span class="na">tls</span><span class="pi">:</span> <span class="pi">[]</span> <span class="na">service</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">ClusterIP</span> <span class="na">port</span><span class="pi">:</span> <span class="m">11434</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2Gi"</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">500m"</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">4Gi"</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2000m"</span> </code></pre> </div> <h4> Why Double Hierarchy? </h4> <p>This is one of the most common silent failures when working with Helm wrapper charts. The configuration appears to apply correctly — ArgoCD reports Synced, no errors surface — but the behaviour you expected (GPU enabled, specific models pulled) simply does not materialise. Understanding the mechanism once prevents hours of debugging later.</p> <p>Helm automatically creates a value namespace when processing a dependency:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">dependencies</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">ollama</span> </code></pre> </div> <p>As a result, <code>.Values.ollama</code> is automatically created.</p> <p>Upstream chart has an internal namespace:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm show values https://otwld.github.io/ollama-helm/ollama </code></pre> </div> <p>Output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">ollama</span><span class="pi">:</span> <span class="c1"># Chart internal namespace</span> <span class="na">gpu</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">false</span> </code></pre> </div> <p><strong>Consequence:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Wrapper creates: .Values.ollama Chart expects: .Values.ollama.xxx Result: .Values.ollama.ollama.xxx </code></pre> </div> <p><strong>Technical rules:</strong></p> <ol> <li> <strong>Every dependency creates a namespace</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">dependencies</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">X</span> </code></pre> </div> <p>Helm always creates <code>.Values.X</code></p> <ol> <li><strong>Some charts have an internal namespace</strong></li> </ol> <p>If the first line is the chart name, there is an internal namespace.</p> <ol> <li><strong>Combination = Duplication</strong></li> </ol> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Layer</th> <th>Origin</th> <th>Path</th> </tr> </thead> <tbody> <tr> <td>1</td> <td>Wrapper</td> <td><code>.Values.ollama</code></td> </tr> <tr> <td>2</td> <td>Chart</td> <td><code>.Values.ollama</code></td> </tr> <tr> <td><strong>Final</strong></td> <td>-</td> <td><code>.Values.ollama.ollama</code></td> </tr> </tbody> </table></div> <p><strong>Validation:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Verify internal namespace</span> helm show values &lt;repo&gt;/&lt;chart&gt; <span class="c"># Render locally</span> helm template <span class="nb">test </span>apps/ollama/ <span class="c"># Search for specific configuration</span> helm template <span class="nb">test </span>apps/ollama/ | <span class="nb">grep</span> <span class="nt">-A5</span> <span class="s2">"nvidia.com/gpu"</span> </code></pre> </div> <p><strong>Common mistake:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># ❌ INCORRECT (only one layer)</span> <span class="na">ollama</span><span class="pi">:</span> <span class="na">gpu</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> </code></pre> </div> <p>Result:</p> <ul> <li>Helm looks for: <code>.Values.ollama.ollama.gpu.enabled</code> </li> <li>Finds: <code>.Values.ollama.gpu.enabled</code> </li> <li>Uses default: <code>gpu.enabled: false</code> </li> <li> <strong>Symptom:</strong> No error, but GPU not enabled</li> </ul> <p><strong>Solution:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># ✅ CORRECT (double layer)</span> <span class="na">ollama</span><span class="pi">:</span> <span class="na">ollama</span><span class="pi">:</span> <span class="na">gpu</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> </code></pre> </div> <h4> Specific Configurations </h4> <p><strong>GPU:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">ollama</span><span class="pi">:</span> <span class="na">ollama</span><span class="pi">:</span> <span class="na">gpu</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">type</span><span class="pi">:</span> <span class="s">nvidia</span> <span class="c1"># Alternativa: amd (ROCm)</span> <span class="na">number</span><span class="pi">:</span> <span class="m">1</span> </code></pre> </div> <p>Generates:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">resources</span><span class="pi">:</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">nvidia.com/gpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1"</span> <span class="na">nodeSelector</span><span class="pi">:</span> <span class="na">nvidia.com/gpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="na">tolerations</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">key</span><span class="pi">:</span> <span class="s">nvidia.com/gpu</span> <span class="na">operator</span><span class="pi">:</span> <span class="s">Exists</span> </code></pre> </div> <p><strong>Models:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">models</span><span class="pi">:</span> <span class="na">pull</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">llama3.2:3b</span> <span class="pi">-</span> <span class="s">deepseek-r1:14b</span> </code></pre> </div> <p>Chart creates an init container:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">initContainers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">pull-models</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">/bin/sh</span> <span class="pi">-</span> <span class="s">-c</span> <span class="pi">-</span> <span class="pi">|</span> <span class="s">ollama pull llama3.2:3b</span> <span class="s">ollama pull deepseek-r1:14b</span> </code></pre> </div> <p><strong>Ingress annotations:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">annotations</span><span class="pi">:</span> <span class="na">nginx.ingress.kubernetes.io/proxy-body-size</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0"</span> <span class="na">nginx.ingress.kubernetes.io/proxy-read-timeout</span><span class="pi">:</span> <span class="s2">"</span><span class="s">600"</span> <span class="na">nginx.ingress.kubernetes.io/proxy-send-timeout</span><span class="pi">:</span> <span class="s2">"</span><span class="s">600"</span> </code></pre> </div> <p><code>proxy-body-size: "0"</code>: No upload limit (models are large)<br><br> <code>proxy-read-timeout: "600"</code>: 10min timeout (long inference)<br><br> <code>proxy-send-timeout: "600"</code>: 10min timeout </p> <p><strong>Service and Resources (root layer):</strong></p> <p>Note: <code>service</code> and <code>resources</code> sit in the <strong>first</strong> <code>ollama</code> layer, not the second. The upstream chart does not expose these fields within its internal namespace, so they must be set at the dependency root level — not nested inside the chart's own namespace.</p> <p>Full structure:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">ollama</span><span class="pi">:</span> <span class="c1"># dependency namespace</span> <span class="na">ollama</span><span class="pi">:</span> <span class="c1"># chart's internal namespace</span> <span class="na">gpu</span><span class="pi">:</span> <span class="s">...</span> <span class="na">models</span><span class="pi">:</span> <span class="s">...</span> <span class="na">ingress</span><span class="pi">:</span> <span class="s">...</span> <span class="na">service</span><span class="pi">:</span> <span class="s">...</span> <span class="c1"># root level</span> <span class="na">resources</span><span class="pi">:</span> <span class="s">...</span> <span class="c1"># root level</span> </code></pre> </div> <h3> LibreChat Configuration </h3> <h4> Chart.yaml </h4> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v2</span> <span class="na">name</span><span class="pi">:</span> <span class="s">librechat</span> <span class="na">description</span><span class="pi">:</span> <span class="s">LibreChat deployment managed by ArgoCD</span> <span class="na">type</span><span class="pi">:</span> <span class="s">application</span> <span class="na">version</span><span class="pi">:</span> <span class="s">1.0.0</span> <span class="na">dependencies</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">librechat</span> <span class="na">version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1.9.7"</span> <span class="na">repository</span><span class="pi">:</span> <span class="s2">"</span><span class="s">oci://ghcr.io/danny-avila/librechat-chart"</span> </code></pre> </div> <p><strong>OCI Repository:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">repository</span><span class="pi">:</span> <span class="s2">"</span><span class="s">oci://ghcr.io/danny-avila/librechat-chart"</span> </code></pre> </div> <p>Syntax: <code>oci://&lt;registry&gt;/&lt;owner&gt;/&lt;chart&gt;</code></p> <p>Differences vs. HTTP repository:</p> <ul> <li>Uses the same container registry infrastructure</li> <li>Faster pull</li> <li>Better integrated versioning</li> </ul> <h4> values.yaml </h4> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">librechat</span><span class="pi">:</span> <span class="c1"># Layer 1: dependency namespace</span> <span class="na">librechat</span><span class="pi">:</span> <span class="c1"># Layer 2: chart's internal namespace (double hierarchy)</span> <span class="na">configEnv</span><span class="pi">:</span> <span class="na">APP_TITLE</span><span class="pi">:</span> <span class="s2">"</span><span class="s">LibreChat</span><span class="nv"> </span><span class="s">+</span><span class="nv"> </span><span class="s">Ollama</span><span class="nv"> </span><span class="s">(via</span><span class="nv"> </span><span class="s">Terraform)"</span> <span class="na">HOST</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0.0.0.0"</span> <span class="na">PORT</span><span class="pi">:</span> <span class="s2">"</span><span class="s">3080"</span> <span class="na">SEARCH</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="na">MONGO_URI</span><span class="pi">:</span> <span class="s2">"</span><span class="s">mongodb://librechat-mongodb:27017/LibreChat"</span> <span class="na">MEILI_HOST</span><span class="pi">:</span> <span class="s2">"</span><span class="s">http://librechat-meilisearch:7700"</span> <span class="na">ALLOW_EMAIL_LOGIN</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="na">ALLOW_REGISTRATION</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="na">ALLOW_SOCIAL_LOGIN</span><span class="pi">:</span> <span class="s2">"</span><span class="s">false"</span> <span class="na">ALLOW_SOCIAL_REGISTRATION</span><span class="pi">:</span> <span class="s2">"</span><span class="s">false"</span> <span class="na">configYamlContent</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">version: 1.1.5</span> <span class="s">cache: true</span> <span class="s">endpoints:</span> <span class="s">custom:</span> <span class="s">- name: "Ollama"</span> <span class="s">apiKey: "ollama"</span> <span class="s">baseURL: "http://ollama.ollama.svc.cluster.local:11434/v1"</span> <span class="s">models:</span> <span class="s">default:</span> <span class="s">- "llama2:latest"</span> <span class="s">fetch: true</span> <span class="s">titleConvo: true</span> <span class="s">titleModel: "current_model"</span> <span class="s">modelDisplayLabel: "Ollama"</span> <span class="na">ingress</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">className</span><span class="pi">:</span> <span class="s2">"</span><span class="s">nginx"</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">nginx.ingress.kubernetes.io/proxy-body-size</span><span class="pi">:</span> <span class="s2">"</span><span class="s">25m"</span> <span class="na">nginx.ingress.kubernetes.io/proxy-read-timeout</span><span class="pi">:</span> <span class="s2">"</span><span class="s">600"</span> <span class="na">nginx.ingress.kubernetes.io/proxy-send-timeout</span><span class="pi">:</span> <span class="s2">"</span><span class="s">600"</span> <span class="na">nginx.ingress.kubernetes.io/proxy-connect-timeout</span><span class="pi">:</span> <span class="s2">"</span><span class="s">600"</span> <span class="na">hosts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">host</span><span class="pi">:</span> <span class="s">librechat.glukas.space</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/</span> <span class="na">pathType</span><span class="pi">:</span> <span class="s">Prefix</span> <span class="na">tls</span><span class="pi">:</span> <span class="pi">[]</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">256Mi"</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">100m"</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1Gi"</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">500m"</span> <span class="na">persistence</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">size</span><span class="pi">:</span> <span class="s">5Gi</span> <span class="na">storageClass</span><span class="pi">:</span> <span class="s2">"</span><span class="s">standard"</span> <span class="na">replicaCount</span><span class="pi">:</span> <span class="m">1</span> <span class="na">mongodb</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">image</span><span class="pi">:</span> <span class="na">registry</span><span class="pi">:</span> <span class="s">docker.io</span> <span class="na">repository</span><span class="pi">:</span> <span class="s">bitnami/mongodb</span> <span class="na">tag</span><span class="pi">:</span> <span class="s2">"</span><span class="s">latest"</span> <span class="na">pullPolicy</span><span class="pi">:</span> <span class="s">IfNotPresent</span> <span class="na">auth</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">persistence</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">size</span><span class="pi">:</span> <span class="s">8Gi</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">256Mi"</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">100m"</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1Gi"</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">500m"</span> <span class="na">meilisearch</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">auth</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">MEILI_NO_ANALYTICS</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="na">MEILI_ENV</span><span class="pi">:</span> <span class="s2">"</span><span class="s">development"</span> <span class="na">persistence</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">size</span><span class="pi">:</span> <span class="s">1Gi</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">128Mi"</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">50m"</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">512Mi"</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">250m"</span> </code></pre> </div> <p><strong>Breaking down:</strong></p> <p><strong><code>configEnv</code>:</strong><br> Environment variables converted to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">APP_TITLE</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">LibreChat</span><span class="nv"> </span><span class="s">+</span><span class="nv"> </span><span class="s">Ollama</span><span class="nv"> </span><span class="s">(via</span><span class="nv"> </span><span class="s">Terraform)"</span> </code></pre> </div> <p><strong><code>configYamlContent</code>:</strong><br> Multi-line YAML (pipe <code>|</code>) written into a ConfigMap and mounted as a file.</p> <p>Helm processes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">configYamlContent</span><span class="pi">:</span> <span class="pi">|</span> <span class="err">...</span> </code></pre> </div> <p>Creates:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">librechat-config</span> <span class="na">data</span><span class="pi">:</span> <span class="na">librechat.yaml</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">version: 1.1.5</span> <span class="s">cache: true</span> <span class="s">...</span> </code></pre> </div> <p>Mounts in:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">config</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/app/librechat.yaml</span> <span class="na">subPath</span><span class="pi">:</span> <span class="s">librechat.yaml</span> </code></pre> </div> <p><strong>Sub-charts (mongodb, meilisearch):</strong></p> <p>Located in the <strong>first</strong> <code>librechat</code> layer, not the second.</p> <p>Structure:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">librechat</span><span class="pi">:</span> <span class="c1"># dependency namespace</span> <span class="na">librechat</span><span class="pi">:</span> <span class="c1"># chart's internal namespace</span> <span class="na">configEnv</span><span class="pi">:</span> <span class="s">...</span> <span class="na">configYamlContent</span><span class="pi">:</span> <span class="s">...</span> <span class="na">mongodb</span><span class="pi">:</span> <span class="s">...</span> <span class="c1"># sub-chart (root level)</span> <span class="na">meilisearch</span><span class="pi">:</span> <span class="s">...</span> <span class="c1"># sub-chart (root level)</span> <span class="na">ingress</span><span class="pi">:</span> <span class="s">...</span> <span class="c1"># root level</span> <span class="na">resources</span><span class="pi">:</span> <span class="s">...</span> <span class="c1"># root level</span> </code></pre> </div> <h3> .gitignore </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Helm charts/ Chart.lock # Secrets *-secrets.yaml *.secret.yaml # Backups *.bak *.tmp # IDE .vscode/ .idea/ *.swp </code></pre> </div> <p>Prevents accidental commits of:</p> <ul> <li>Downloaded charts (regeneratable)</li> <li>Plaintext secrets</li> <li>Temporary files</li> </ul> <h2> Deployment </h2> <h3> Prerequisites </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Cluster Minikube</span> minikube start <span class="se">\</span> <span class="nt">--driver</span> docker <span class="se">\</span> <span class="nt">--container-runtime</span> docker <span class="se">\</span> <span class="nt">--gpus</span> all <span class="se">\</span> <span class="nt">--memory</span> 8192 <span class="se">\</span> <span class="nt">--cpus</span> 4 minikube addons <span class="nb">enable </span>ingress <span class="c"># Local DNS</span> <span class="nb">echo</span> <span class="s2">"</span><span class="si">$(</span>minikube ip<span class="si">)</span><span class="s2"> ollama.glukas.space"</span> | <span class="nb">sudo tee</span> <span class="nt">-a</span> /etc/hosts <span class="nb">echo</span> <span class="s2">"</span><span class="si">$(</span>minikube ip<span class="si">)</span><span class="s2"> librechat.glukas.space"</span> | <span class="nb">sudo tee</span> <span class="nt">-a</span> /etc/hosts <span class="nb">echo</span> <span class="s2">"</span><span class="si">$(</span>minikube ip<span class="si">)</span><span class="s2"> argocd.glukas.space"</span> | <span class="nb">sudo tee</span> <span class="nt">-a</span> /etc/hosts <span class="c"># Git repository created and populated</span> git clone https://github.com/usuario/k8s-apps.git <span class="nb">cd </span>k8s-apps <span class="c"># Copy Chart.yaml and values.yaml to apps/ollama/ and apps/librechat/</span> git add <span class="nb">.</span> git commit <span class="nt">-m</span> <span class="s2">"Initial commit"</span> git push origin main </code></pre> </div> <h3> Terraform: Configuration </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># terraform.tfvars</span> <span class="nb">cat</span> <span class="o">&gt;</span> terraform.tfvars <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> git_repo_url = "https://github.com/usuario/k8s-apps.git" git_branch = "main" jwt_secret = "</span><span class="si">$(</span>openssl rand <span class="nt">-hex</span> 32<span class="si">)</span><span class="sh">" jwt_refresh_secret = "</span><span class="si">$(</span>openssl rand <span class="nt">-hex</span> 32<span class="si">)</span><span class="sh">" creds_key = "</span><span class="si">$(</span>openssl rand <span class="nt">-hex</span> 32<span class="si">)</span><span class="sh">" creds_iv = "</span><span class="si">$(</span>openssl rand <span class="nt">-hex</span> 16<span class="si">)</span><span class="sh">" </span><span class="no">EOF </span><span class="c"># .gitignore</span> <span class="nb">echo</span> <span class="s2">"terraform.tfvars"</span> <span class="o">&gt;&gt;</span> .gitignore </code></pre> </div> <h3> Terraform: Init </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>terraform/ terraform init </code></pre> </div> <p>Output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Initializing provider plugins... - Installing hashicorp/kubernetes v2.23.0... - Installing hashicorp/helm v2.11.0... Terraform has been successfully initialized! </code></pre> </div> <h3> Terraform: Plan </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform plan <span class="nt">-out</span><span class="o">=</span>tfplan </code></pre> </div> <p>Planned resources:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Plan: 7 to add, 0 to change, 0 to destroy. Resources: + kubernetes_namespace.argocd + kubernetes_namespace.ollama + kubernetes_namespace.librechat + kubernetes_secret.librechat_credentials + helm_release.argocd + kubernetes_manifest.argocd_app_ollama + kubernetes_manifest.argocd_app_librechat </code></pre> </div> <h3> Terraform: Apply </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform apply tfplan </code></pre> </div> <p>Timeline:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[00:00-00:02] Namespaces created [00:02-00:03] Secret created [00:03-01:06] ArgoCD installed (Helm chart deployment) [01:06-01:07] ArgoCD Applications registered (CRDs) Apply complete! Resources: 7 added, 0 changed, 0 destroyed. </code></pre> </div> <p>Note: Terraform only creates the platform. Apps will be deployed by ArgoCD.</p> <h3> ArgoCD: Initial Access </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Get password</span> <span class="nv">ARGOCD_PASSWORD</span><span class="o">=</span><span class="si">$(</span>minikube kubectl <span class="nt">--</span> <span class="nt">-n</span> argocd get secret argocd-initial-admin-secret <span class="nt">-o</span> <span class="nv">jsonpath</span><span class="o">=</span><span class="s1">'{.data.password}'</span> | <span class="nb">base64</span> <span class="nt">-d</span><span class="si">)</span> <span class="nb">echo</span> <span class="s2">"URL: http://argocd.glukas.space"</span> <span class="nb">echo</span> <span class="s2">"User: admin"</span> <span class="nb">echo</span> <span class="s2">"Pass: </span><span class="nv">$ARGOCD_PASSWORD</span><span class="s2">"</span> </code></pre> </div> <p>Access the UI:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd4305vhwbtdyhoegorup.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd4305vhwbtdyhoegorup.png" alt="argo_ui" width="800" height="304"></a></p> <p>Initial state:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Applications: ollama Status: Syncing... librechat Status: OutOfSync </code></pre> </div> <h3> ArgoCD: Sync Process </h3> <p>ArgoCD runs automatically:</p> <p><strong>1. Clone the repository:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/usuario/k8s-apps.git git checkout main </code></pre> </div> <p><strong>2. Change detection:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Current SHA: abc123def456... Last synced: (none - first sync) Action: Sync required </code></pre> </div> <p><strong>3. Helm processing:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># For apps/ollama/</span> helm dependency build apps/ollama/ helm template ollama apps/ollama/ <span class="nt">--values</span> apps/ollama/values.yaml <span class="c"># Generates YAML manifests</span> </code></pre> </div> <p><strong>4. Application to the cluster:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> &lt;manifestos gerados&gt; </code></pre> </div> <p><strong>5. Health checking:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Waiting: - Pods: Ready - Deployments: Available - StatefulSets: Ready </code></pre> </div> <p>Observable timeline:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Terminal 2: Monitor Ollama</span> watch kubectl get pods <span class="nt">-n</span> ollama <span class="c"># Output evolves as ArgoCD syncs:</span> NAME READY STATUS ollama-xxx-yyy 0/1 Pending ollama-xxx-yyy 0/1 ContainerCreating ollama-xxx-yyy 0/1 Running <span class="c"># Init container: pulling models</span> ollama-xxx-yyy 1/1 Running <span class="c"># Ready (~2-3 min)</span> <span class="c"># Terminal 3: Monitor LibreChat</span> watch kubectl get pods <span class="nt">-n</span> librechat <span class="c"># Output evolves:</span> NAME READY STATUS librechat-mongodb-0 0/1 Pending librechat-meilisearch-xxx 0/1 ContainerCreating librechat-xxx-yyy 0/1 Pending librechat-mongodb-0 1/1 Running <span class="c"># ~30s</span> librechat-meilisearch-xxx 1/1 Running <span class="c"># ~25s</span> librechat-xxx-yyy 1/1 Running <span class="c"># ~1 min</span> </code></pre> </div> <p>After 3–5 minutes, ArgoCD UI shows:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi6e45rimhffy617ivb3s.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi6e45rimhffy617ivb3s.png" alt="argo_ui" width="800" height="244"></a></p> <h3> Verification </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Ollama</span> curl http://ollama.glukas.space/api/tags <span class="o">{</span> <span class="s2">"models"</span>: <span class="o">[</span> <span class="o">{</span><span class="s2">"name"</span>: <span class="s2">"llama3.2:3b"</span>, ...<span class="o">}</span>, <span class="o">{</span><span class="s2">"name"</span>: <span class="s2">"deepseek-r1:14b"</span>, ...<span class="o">}</span> <span class="o">]</span> <span class="o">}</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr41p3btk33u3z3xk99jw.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr41p3btk33u3z3xk99jw.png" alt="librechat" width="800" height="431"></a></p> <h2> Operations </h2> <p>These five workflows cover the full operational lifecycle under GitOps: making a configuration change, upgrading a chart version, rolling back a broken deploy, understanding self-healing behaviour, and managing multiple environments. In every case the pattern is the same — edit files, push to Git, let ArgoCD do the rest. No <code>kubectl apply</code>, no <code>terraform apply</code>, no manual intervention required.</p> <h3> Workflow 1: Modify Configuration (Add a Model) </h3> <p><strong>Objective:</strong> Add the <code>mistral:latest</code> model to Ollama.</p> <p><strong>Process:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 1. Clone and branch</span> git clone https://github.com/usuario/k8s-apps.git <span class="nb">cd </span>k8s-apps git checkout <span class="nt">-b</span> add-mistral <span class="c"># 2. Edit</span> vim apps/ollama/values.yaml <span class="c"># Modify:</span> models: pull: - llama3.2:3b - deepseek-r1:14b - mistral:latest <span class="c"># Added</span> <span class="c"># 3. Commit</span> git add apps/ollama/values.yaml git commit <span class="nt">-m</span> <span class="s2">"feat(ollama): Add mistral model"</span> <span class="c"># 4. Push</span> git push origin add-mistral </code></pre> </div> <p><strong>Pull Request:</strong></p> <ul> <li>Create PR on GitHub/GitLab</li> <li>Visible diff: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight diff"><code> models: pull: - llama3.2:3b - deepseek-r1:14b <span class="gi">+ - mistral:latest </span></code></pre> </div> <ul> <li>Review and approval</li> <li>Merge to main</li> </ul> <p><strong>Automatic ArgoCD:</strong></p> <p>Timeline after merge:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[T+0 min] Merge to main [T+0-3 min] ArgoCD polling (waiting for next cycle) [T+3 min] ArgoCD detects new SHA [T+3 min] Calculates diff: + models.pull: mistral:latest [T+3 min] Helm upgrade ollama... [T+4 min] Rolling update initiated [T+4-7 min] Init container: ollama pull mistral:latest [T+7 min] New pod Ready [T+7 min] Old pod Terminated [T+7 min] ArgoCD status: Synced ✓ </code></pre> </div> <p><strong>Total time:</strong> ~7 minutes from merge to deploy.</p> <p><strong>Note:</strong> At no point did the developer execute any command against the cluster directly — the entire deployment was driven by a Git push.</p> <h3> Workflow 2: Chart Version Upgrade </h3> <p><strong>Objective:</strong> Upgrade LibreChat from 1.9.7 to 1.10.0.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git checkout <span class="nt">-b</span> upgrade-librechat vim apps/librechat/Chart.yaml <span class="c"># Modify:</span> dependencies: - name: librechat version: <span class="s2">"1.10.0"</span> <span class="c"># Era 1.9.7</span> git commit <span class="nt">-am</span> <span class="s2">"chore(librechat): Upgrade to v1.10.0"</span> git push origin upgrade-librechat </code></pre> </div> <p><strong>CI/CD (optional):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .github/workflows/helm-lint.yml</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Helm Lint</span> <span class="na">on</span><span class="pi">:</span> <span class="s">pull_request</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">lint</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v3</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">azure/setup-helm@v3</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Lint</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">helm lint apps/*/</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Template Test</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">helm template test apps/*/ &gt; /dev/null</span> </code></pre> </div> <p>Pipeline runs:</p> <ul> <li>Helm lint (syntax validation)</li> <li>Template rendering (detects errors)</li> </ul> <p>After approval and merge, ArgoCD deploys automatically.</p> <h3> Workflow 3: Rollback </h3> <p><strong>Scenario:</strong> New deploy caused a problem in production.</p> <p><strong>Option 1: Git Revert</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># View commits</span> git log <span class="nt">--oneline</span> apps/librechat/ <span class="c"># def456 chore(librechat): Upgrade to v1.10.0</span> <span class="c"># abc123 feat(ollama): Add mistral</span> <span class="c"># Revert</span> git revert def456 git push origin main </code></pre> </div> <p>ArgoCD detects and applies the revert automatically.</p> <p>Timeline: ~3–5 minutes.</p> <p><strong>Option 2: ArgoCD UI</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. Open http://argocd.glukas.space 2. Select the "librechat" application 3. Open the "History" tab 4. Sync list: Sync 5: def456 (current) ❌ Sync 4: abc123 ✅ 5. Click on Sync 4 6. Click "Rollback" 7. Confirm </code></pre> </div> <p>Timeline: ~30 segundos.</p> <p><strong>Important:</strong> Rollback via UI is temporary. The next poll will re-sync with Git. For permanence, perform a git revert.</p> <p><strong>Option 3: ArgoCD CLI</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Install CLI</span> brew <span class="nb">install </span>argocd <span class="c"># ou método apropriado</span> <span class="c"># Login</span> argocd login argocd.glukas.space <span class="nt">--username</span> admin <span class="c"># View history</span> argocd app <span class="nb">history </span>librechat <span class="c"># Rollback</span> argocd app rollback librechat &lt;REVISION&gt; </code></pre> </div> <h3> Workflow 4: Self-Healing </h3> <p><strong>Scenario:</strong> Manual change in the cluster.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Someone runs:</span> kubectl scale deployment ollama <span class="nt">--replicas</span><span class="o">=</span>3 <span class="nt">-n</span> ollama </code></pre> </div> <p><strong>ArgoCD response:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[T+0s] kubectl scale executed [T+0s] Deployment: replicas=3 [T+0-180s] ArgoCD polling interval [T+180s] ArgoCD detects drift: Git: replicas=1 Cluster: replicas=3 [T+181s] Self-heal triggered kubectl apply -f deployment.yaml (from Git) [T+182s] Kubernetes: replicas=1 3 extra pods terminated [T+183s] ArgoCD status: Synced ✓ Event: "Self-healed: ollama deployment" </code></pre> </div> <p>Manual change was automatically reverted.</p> <p>Responsible configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">syncPolicy</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">automated</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">selfHeal</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1"># This parameter enables automatic revert</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Disable self-heal:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">syncPolicy</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">automated</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">prune</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">selfHeal</span> <span class="p">=</span> <span class="kc">false</span> <span class="c1"># Allows manual changes to persist</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Workflow 5: Multi-Environment </h3> <p><strong>Structure:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>k8s-apps/ ├── apps/ │ └── ollama/ │ ├── Chart.yaml │ ├── values-dev.yaml │ ├── values-staging.yaml │ └── values-prod.yaml </code></pre> </div> <p><strong>Differentiated values:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># values-dev.yaml</span> <span class="na">ollama</span><span class="pi">:</span> <span class="na">ollama</span><span class="pi">:</span> <span class="na">models</span><span class="pi">:</span> <span class="na">pull</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">llama3.2:3b</span> <span class="c1"># Lightweight model only</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2Gi"</span> <span class="c1"># values-prod.yaml</span> <span class="na">ollama</span><span class="pi">:</span> <span class="na">ollama</span><span class="pi">:</span> <span class="na">models</span><span class="pi">:</span> <span class="na">pull</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">llama3.2:3b</span> <span class="pi">-</span> <span class="s">deepseek-r1:14b</span> <span class="pi">-</span> <span class="s">mistral:latest</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">8Gi"</span> </code></pre> </div> <p><strong>ArgoCD Applications (Terraform):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Dev</span> <span class="nx">resource</span> <span class="s2">"kubernetes_manifest"</span> <span class="s2">"argocd_app_ollama_dev"</span> <span class="p">{</span> <span class="nx">manifest</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">spec</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">repoURL</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">git_repo_url</span> <span class="nx">targetRevision</span> <span class="p">=</span> <span class="s2">"develop"</span> <span class="c1"># develop branch</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"apps/ollama"</span> <span class="nx">helm</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">valueFiles</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"values-dev.yaml"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">destination</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="s2">"ollama-dev"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Prod</span> <span class="nx">resource</span> <span class="s2">"kubernetes_manifest"</span> <span class="s2">"argocd_app_ollama_prod"</span> <span class="p">{</span> <span class="nx">manifest</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">spec</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">repoURL</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">git_repo_url</span> <span class="nx">targetRevision</span> <span class="p">=</span> <span class="s2">"main"</span> <span class="c1"># main branch</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"apps/ollama"</span> <span class="nx">helm</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">valueFiles</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"values-prod.yaml"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">destination</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="s2">"ollama-prod"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Promotion flow:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Feature branch → develop (PR) → auto-deploy to Dev → staging (PR) → auto-deploy to Staging → main (PR + approvals) → auto-deploy to Prod </code></pre> </div> <p>Git branches map to environments.</p> <h2> Troubleshooting </h2> <p>This section covers the most common failure modes when running ArgoCD in practice — what they look like, why they happen, and how to fix them.</p> <h3> Problem 1: Application OutOfSync </h3> <p>An <code>OutOfSync</code> status means ArgoCD has detected a difference between what's in Git and what's running in the cluster, but hasn't been able to resolve it. This is usually the first sign that something went wrong during a sync — not necessarily a cluster problem, but worth investigating immediately.</p> <p><strong>Symptom:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get application <span class="nt">-n</span> argocd NAME SYNC STATUS HEALTH STATUS ollama OutOfSync Unknown </code></pre> </div> <p><strong>Diagnosis:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Describe Application</span> kubectl describe application ollama <span class="nt">-n</span> argocd <span class="c"># View events</span> kubectl get events <span class="nt">-n</span> argocd <span class="nt">--sort-by</span><span class="o">=</span><span class="s1">'.lastTimestamp'</span> <span class="c"># repo-server logs</span> kubectl logs <span class="nt">-n</span> argocd deployment/argocd-repo-server <span class="c"># application-controller logs</span> kubectl logs <span class="nt">-n</span> argocd statefulset/argocd-application-controller </code></pre> </div> <p><strong>Common causes:</strong></p> <ol> <li> <strong>YAML syntax error</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Error: YAML parse error line 15: mapping values are not allowed here </code></pre> </div> <p>Solution: Fix syntax in values.yaml</p> <ol> <li> <strong>Chart version not found</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Error: chart "ollama" version "1.42.0" not found </code></pre> </div> <p>Solution: Check available versions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm search repo ollama <span class="nt">--versions</span> </code></pre> </div> <ol> <li> <strong>Repository unreachable</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Error: failed to fetch https://github.com/usuario/k8s-apps.git: authentication required </code></pre> </div> <p>Solution: Configure credentials in ArgoCD</p> <p><strong>Local validation:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Test template rendering</span> <span class="nb">cd </span>k8s-apps/ helm dependency build apps/ollama/ helm template <span class="nb">test </span>apps/ollama/ <span class="c"># If there's an error, it will appear here</span> </code></pre> </div> <h3> Problem 2: Pods CrashLoopBackOff </h3> <p>A <code>CrashLoopBackOff</code> means the pod is starting, failing, and being restarted repeatedly. ArgoCD may show the application as Synced — meaning the deployment was applied correctly — but Degraded on health, because the pod never reaches a running state. The problem is almost always in the container itself, not in ArgoCD.</p> <p><strong>Symptom:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get pods <span class="nt">-n</span> ollama NAME READY STATUS RESTARTS ollama-xxx 0/1 CrashLoopBackOff 5 </code></pre> </div> <p><strong>Diagnosis:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Current pod logs</span> kubectl logs <span class="nt">-n</span> ollama ollama-xxx <span class="c"># Previous container logs (if it has restarted)</span> kubectl logs <span class="nt">-n</span> ollama ollama-xxx <span class="nt">--previous</span> <span class="c"># Pod events and conditions</span> kubectl describe pod <span class="nt">-n</span> ollama ollama-xxx </code></pre> </div> <p><strong>Common causes:</strong></p> <ol> <li> <strong>GPU not available</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Error: failed to initialize NVML: could not load NVML library </code></pre> </div> <p>Solution:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Temporarily disable GPU</span> <span class="na">ollama</span><span class="pi">:</span> <span class="na">ollama</span><span class="pi">:</span> <span class="na">gpu</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">false</span> </code></pre> </div> <ol> <li> <strong>Insufficient memory</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Error: OOMKilled </code></pre> </div> <p>Solution:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">resources</span><span class="pi">:</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">8Gi"</span> <span class="c1"># Increase</span> </code></pre> </div> <ol> <li> <strong>Model does not exist</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Error: pulling model: model 'llama4' not found </code></pre> </div> <p>Solution: Check model name on values.yaml</p> <h3> Problem 3: Double Hierarchy Not Applied </h3> <p>This is one of the trickier failure modes because ArgoCD reports everything as healthy — the sync succeeded, no errors are visible, but the configuration simply isn't taking effect. It typically happens when the Helm values file is missing one level of nesting, causing the GPU settings to silently fall back to defaults.</p> <p><strong>Symptom:</strong></p> <ul> <li>ArgoCD shows Synced</li> <li>GPU not enabled</li> <li>No visible errors</li> </ul> <p><strong>Diagnosis:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Render full template</span> helm template <span class="nb">test </span>apps/ollama/ <span class="c"># Search for GPU configuration</span> helm template <span class="nb">test </span>apps/ollama/ | <span class="nb">grep</span> <span class="nt">-A10</span> <span class="s2">"nvidia.com/gpu"</span> <span class="c"># If not found, structure is wrong</span> </code></pre> </div> <p><strong>Cause:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># ❌ Incorrect structure (one layer)</span> <span class="na">ollama</span><span class="pi">:</span> <span class="na">gpu</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> </code></pre> </div> <p><strong>Solution:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># ✅ Correct structure (double layer)</span> <span class="na">ollama</span><span class="pi">:</span> <span class="na">ollama</span><span class="pi">:</span> <span class="na">gpu</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> </code></pre> </div> <p><strong>Validation:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># After correction, check diff in ArgoCD UI</span> <span class="c"># Should show change in spec.template.spec.containers[].resources</span> </code></pre> </div> <h3> Problem 4: Slow Sync </h3> <p>Unlike the previous problems, slow sync isn't a failure — it's expected behavior that becomes surprising when you first encounter it. ArgoCD doesn't watch Git in real time; it polls on a fixed interval, so there will always be a delay between a git push and a deployment.</p> <p><strong>Symptom:</strong><br> ArgoCD takes &gt;5 minutes to detect changes.</p> <p><strong>Cause:</strong><br> Default polling interval is 3 minutes.</p> <p><strong>Solution 1: Adjust polling</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># values/argocd-values.yaml</span> <span class="na">server</span><span class="pi">:</span> <span class="na">config</span><span class="pi">:</span> <span class="na">timeout.reconciliation</span><span class="pi">:</span> <span class="s">60s</span> <span class="c1"># 1 minute</span> </code></pre> </div> <p>Trade-off: More load on the cluster and Git repo.</p> <p><strong>Solution 2: Webhook</strong></p> <p>Configure a webhook in Git to notify ArgoCD:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># GitHub webhook URL</span> POST https://argocd.glukas.space/api/webhook </code></pre> </div> <p>ArgoCD syncs immediately upon receiving a push.</p> <p><strong>Solution 3: Manual sync</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Via CLI</span> argocd app <span class="nb">sync </span>ollama <span class="c"># Via UI</span> Click <span class="s2">"Sync"</span> on the application </code></pre> </div> <h2> Ch. 3 vs Ch. 4: When to Use Each </h2> <p>Both approaches are valid, and the right choice depends on team size, deploy frequency, and how much operational overhead you want to absorb upfront. The table below maps the key trade-offs to help you decide:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th></th> <th>Cap 3 (Terraform + Helm)</th> <th>Cap 4 (Terraform + ArgoCD)</th> </tr> </thead> <tbody> <tr> <td><strong>Deploy trigger</strong></td> <td>Manual: <code>terraform apply</code> </td> <td>Automatic: Git push</td> </tr> <tr> <td><strong>Latency</strong></td> <td>Immediate</td> <td>3 min (polling)</td> </tr> <tr> <td><strong>Reconciliation</strong></td> <td>Manual: <code>terraform plan</code> </td> <td>Continuous: 3-min loop</td> </tr> <tr> <td><strong>Drift detection</strong></td> <td>Manual</td> <td>Automatic</td> </tr> <tr> <td><strong>Self-healing</strong></td> <td>Does not exist</td> <td>Configurable (selfHeal)</td> </tr> <tr> <td><strong>Rollback</strong></td> <td> <code>git revert</code> + <code>terraform apply</code> </td> <td>ArgoCD UI (1 click) or <code>git revert</code> </td> </tr> <tr> <td><strong>Audit trail</strong></td> <td>Git + Terraform logs</td> <td>Git + ArgoCD events</td> </tr> <tr> <td><strong>Multi-env</strong></td> <td>Duplicate code or workspaces</td> <td>Branches + valueFiles</td> </tr> <tr> <td><strong>Permissions required</strong></td> <td>kubectl + Terraform</td> <td>Git only</td> </tr> <tr> <td><strong>Disaster recovery</strong></td> <td>Re-run Terraform</td> <td>Automatic ArgoCD re-sync</td> </tr> <tr> <td><strong>State management</strong></td> <td>Terraform state (central)</td> <td>Git (distributed)</td> </tr> <tr> <td><strong>Initial complexity</strong></td> <td>Medium</td> <td>High</td> </tr> <tr> <td><strong>Scalability (apps)</strong></td> <td>~20 apps</td> <td>Unlimited</td> </tr> <tr> <td><strong>Ideal team size</strong></td> <td>1–10</td> <td>10+</td> </tr> </tbody> </table></div> <p>Chapter 3's approach is simpler to set up and sufficient for small teams with controlled deploy cadences — if a weekly <code>terraform apply</code> is acceptable, the added complexity of ArgoCD is not justified. Chapter 4 becomes the right choice once teams grow, deploy frequency increases, or compliance requirements demand an immutable audit trail and automated drift correction. The two are not mutually exclusive: many organisations start with Chapter 3 and migrate to Chapter 4 as their operational maturity grows.</p> <h2> Conclusion </h2> <p>Chapters 1 through 4 trace a deliberate progression — from manual <code>kubectl</code> commands to a fully automated, self-healing platform. Each chapter addressed a specific limitation of the one before it: verbosity, the need for manual execution, the absence of continuous reconciliation. The cumulative result is an architecture where Git is the single source of truth, and the cluster enforces that truth on its own.</p> <p>The four GitOps principles are not just theoretical framing — each one translates directly into an operational guarantee. Declarative configuration means the desired state is always readable and auditable without touching the cluster. Version control means every change has an author, a rationale, and a rollback path. Pull-based deployment means no external system ever needs credentials to reach the cluster — the cluster reaches out to Git. Continuous reconciliation means drift is detected and corrected automatically, without anyone noticing or reacting.</p> <p>The architecture also enforces a clean separation of concerns that makes each layer independently replaceable:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Terraform → Platform bootstrap (namespaces, secrets, ArgoCD) Git → Application desired state ArgoCD → Reconciliation engine Helm → Packaging and templating </code></pre> </div> <p>Changes to one layer do not cascade into the others. You could swap Helm for raw manifests, or replace Terraform with a different provisioner, without touching ArgoCD or the Git repository structure.</p> <p>This foundation is deliberately extensible. The next steps — security, observability, multi-tenancy — build on top of it without requiring the core architecture to change.</p> <h3> Maturity Journey </h3> <p>Each chapter in this series represents a deliberate step up the maturity ladder — not just in tooling, but in ownership model, speed, and scale:</p> <p><strong>Stage 1: Manual Deployment (Ch. 1)</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Maturity: Ad-hoc Ownership: Individuals Speed: Slow (days/weeks) Scale: Doesn't scale </code></pre> </div> <p><strong>Stage 2: Infrastructure as Code (Ch. 2–3)</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Maturity: Repeatable Ownership: Ops team Speed: Medium (hours/days) Scale: Limited (manual execution) </code></pre> </div> <p><strong>Stage 3: GitOps Foundation (Ch. 4)</strong> ← We are here<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Maturity: Automated Ownership: Shared (platform + dev) Speed: Fast (minutes/hours) Scale: Good (self-service enabled) </code></pre> </div> <p><strong>Stage 4: Infrastructure as Product (Next Steps)</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Maturity: Product-driven Ownership: Platform teams (product owners) Speed: Very fast (minutes) Scale: Excellent (true self-service) Metrics: DORA, satisfaction, adoption </code></pre> </div> <h3> What Comes Next </h3> <p>Stage 3 is a foundation, not a destination. The architecture built in this chapter is intentionally minimal — one team, two applications, one cluster — and that is the right place to start. But the same GitOps primitives that make this setup work at small scale are exactly what allow it to grow.</p> <p>The diagram below shows the current state: a single developer workflow, a flat namespace structure, and ArgoCD managing two specific workloads with no shared services, no multi-tenancy, and no separation between platform concerns and application concerns.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzj3x7fzuuay5zl0ho9g6.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzj3x7fzuuay5zl0ho9g6.png" alt="as_is" width="800" height="426"></a></p> <p>The target looks substantially different. The cluster is split into two distinct layers: a <strong>Platform Layer</strong> of shared services — security, observability, secrets management — owned by a dedicated platform team with SLAs and roadmaps; and a <strong>Workload Layer</strong> where individual product teams deploy independently via <code>git push</code>, without ever touching the platform layer beneath them.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fliarq9hwn7hgqo5x79gz.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fliarq9hwn7hgqo5x79gz.png" alt="to_be" width="800" height="417"></a></p> <p>The gap between the two diagrams is not a rewrite — it is an incremental build. Every component in the Platform Layer gets added as an ArgoCD-managed application in its own namespace, following the exact same wrapper-chart pattern introduced in this chapter. The core architecture does not change; it simply gains more managed services over time.</p> <p>The next chapters will build out this platform layer starting with the highest-impact additions: security, observability, and secrets management.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Initiative</th> <th>Domain</th> <th>Phase</th> <th>Complexity</th> <th>Impact</th> <th>Dependencies</th> <th>Time</th> <th>Priority</th> </tr> </thead> <tbody> <tr> <td><strong>Pomerium</strong></td> <td>SECURITY</td> <td>Foundation</td> <td>Intermediate</td> <td>High</td> <td>ArgoCD</td> <td>3-5d</td> <td>P0</td> </tr> <tr> <td><strong>Sealed Secrets</strong></td> <td>SECURITY</td> <td>Foundation</td> <td>Basic</td> <td>High</td> <td>None</td> <td>1d</td> <td>P0</td> </tr> <tr> <td><strong>Authentik</strong></td> <td>SECURITY</td> <td>Foundation</td> <td>Intermediate</td> <td>High</td> <td>PostgreSQL</td> <td>3-5d</td> <td>P0</td> </tr> <tr> <td><strong>Prometheus + Grafana</strong></td> <td>OBSERVABILITY</td> <td>Foundation</td> <td>Intermediate</td> <td>High</td> <td>None</td> <td>3-5d</td> <td>P0</td> </tr> <tr> <td><strong>MCP Servers</strong></td> <td>INTEGRATION</td> <td>Foundation</td> <td>Intermediate</td> <td>High</td> <td>None</td> <td>2-3d</td> <td>P0</td> </tr> <tr> <td><strong>RAG (Qdrant)</strong></td> <td>AI/LLM</td> <td>Foundation</td> <td>Advanced</td> <td>High</td> <td>None</td> <td>1w</td> <td>P1</td> </tr> <tr> <td><strong>LangSmith/Langfuse</strong></td> <td>AI/LLM</td> <td>Scale</td> <td>Advanced</td> <td>High</td> <td>Prometheus</td> <td>5-7d</td> <td>P1</td> </tr> <tr> <td><strong>Autoscaling</strong></td> <td>INFRA</td> <td>Scale</td> <td>Intermediate</td> <td>High</td> <td>Prometheus</td> <td>2-3d</td> <td>P1</td> </tr> <tr> <td><strong>Loki</strong></td> <td>OBSERVABILITY</td> <td>Scale</td> <td>Basic</td> <td>Medium</td> <td>Grafana</td> <td>1-2d</td> <td>P1</td> </tr> <tr> <td><strong>SearXNG</strong></td> <td>INTEGRATION</td> <td>Scale</td> <td>Basic</td> <td>Medium</td> <td>None</td> <td>1d</td> <td>P1</td> </tr> <tr> <td><strong>Web Scraper</strong></td> <td>INTEGRATION</td> <td>Scale</td> <td>Intermediate</td> <td>Medium</td> <td>None</td> <td>2d</td> <td>P1</td> </tr> <tr> <td><strong>Tilt</strong></td> <td>DEVEX</td> <td>Scale</td> <td>Basic</td> <td>Medium</td> <td>None</td> <td>1d</td> <td>P1</td> </tr> <tr> <td><strong>Jaeger</strong></td> <td>OBSERVABILITY</td> <td>Production Excellence</td> <td>Advanced</td> <td>Medium</td> <td>Prometheus</td> <td>3-5d</td> <td>P2</td> </tr> <tr> <td><strong>Model Registry</strong></td> <td>AI/LLM</td> <td>Production Excellence</td> <td>Intermediate</td> <td>Medium</td> <td>None</td> <td>3-5d</td> <td>P2</td> </tr> <tr> <td><strong>Multi-region</strong></td> <td>NETWORK</td> <td>Production Excellence</td> <td>Expert</td> <td>Medium</td> <td>ArgoCD</td> <td>2w+</td> <td>P3</td> </tr> <tr> <td><strong>Fine-tuning</strong></td> <td>AI/LLM</td> <td>Production Excellence</td> <td>Expert</td> <td>Low</td> <td>Registry</td> <td>2w</td> <td>P3</td> </tr> </tbody> </table></div> <p><strong>Platform Products (Shared Services):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">Pomerium + Authentik</span><span class="pi">:</span> <span class="na">product</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Authentication</span><span class="nv"> </span><span class="s">&amp;</span><span class="nv"> </span><span class="s">Authorization</span><span class="nv"> </span><span class="s">Platform"</span> <span class="na">customers</span><span class="pi">:</span> <span class="s2">"</span><span class="s">All</span><span class="nv"> </span><span class="s">applications"</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">SSO,</span><span class="nv"> </span><span class="s">MFA,</span><span class="nv"> </span><span class="s">zero-trust"</span> <span class="na">sla</span><span class="pi">:</span> <span class="s2">"</span><span class="s">99.9%</span><span class="nv"> </span><span class="s">uptime,</span><span class="nv"> </span><span class="s">&lt;200ms</span><span class="nv"> </span><span class="s">auth</span><span class="nv"> </span><span class="s">latency"</span> <span class="na">roadmap</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">RBAC</span><span class="nv"> </span><span class="s">granular"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">SAML</span><span class="nv"> </span><span class="s">support"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">API</span><span class="nv"> </span><span class="s">keys"</span><span class="pi">]</span> <span class="na">Prometheus + Grafana + Loki</span><span class="pi">:</span> <span class="na">product</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Observability</span><span class="nv"> </span><span class="s">Platform"</span> <span class="na">customers</span><span class="pi">:</span> <span class="s2">"</span><span class="s">All</span><span class="nv"> </span><span class="s">teams</span><span class="nv"> </span><span class="s">(dev</span><span class="nv"> </span><span class="s">+</span><span class="nv"> </span><span class="s">ops)"</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Unified</span><span class="nv"> </span><span class="s">metrics/logs/traces"</span> <span class="na">sla</span><span class="pi">:</span> <span class="s2">"</span><span class="s">30d</span><span class="nv"> </span><span class="s">retention,</span><span class="nv"> </span><span class="s">&lt;5s</span><span class="nv"> </span><span class="s">query</span><span class="nv"> </span><span class="s">time"</span> <span class="na">roadmap</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">AIOps"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">Cost</span><span class="nv"> </span><span class="s">attribution"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">SLO</span><span class="nv"> </span><span class="s">management"</span><span class="pi">]</span> <span class="na">Sealed Secrets</span><span class="pi">:</span> <span class="na">product</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Secrets</span><span class="nv"> </span><span class="s">Management</span><span class="nv"> </span><span class="s">Platform"</span> <span class="na">customers</span><span class="pi">:</span> <span class="s2">"</span><span class="s">All</span><span class="nv"> </span><span class="s">teams"</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Git-native</span><span class="nv"> </span><span class="s">secrets,</span><span class="nv"> </span><span class="s">rotation,</span><span class="nv"> </span><span class="s">audit"</span> <span class="na">sla</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Zero</span><span class="nv"> </span><span class="s">exposure,</span><span class="nv"> </span><span class="s">&lt;1min</span><span class="nv"> </span><span class="s">sync"</span> <span class="na">roadmap</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">Vault</span><span class="nv"> </span><span class="s">integration"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">RBAC"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">Expiration"</span><span class="pi">]</span> </code></pre> </div> <p><strong>Workload-Specific Products:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">RAG (Qdrant)</span><span class="pi">:</span> <span class="na">product</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Vector</span><span class="nv"> </span><span class="s">Search</span><span class="nv"> </span><span class="s">Service"</span> <span class="na">customers</span><span class="pi">:</span> <span class="s2">"</span><span class="s">AI/ML</span><span class="nv"> </span><span class="s">teams"</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Semantic</span><span class="nv"> </span><span class="s">search,</span><span class="nv"> </span><span class="s">embeddings"</span> <span class="na">sla</span><span class="pi">:</span> <span class="s2">"</span><span class="s">&lt;100ms</span><span class="nv"> </span><span class="s">p95</span><span class="nv"> </span><span class="s">search</span><span class="nv"> </span><span class="s">latency"</span> <span class="na">roadmap</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">Multi-model"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">Hybrid</span><span class="nv"> </span><span class="s">search"</span><span class="pi">]</span> <span class="na">MCP Servers</span><span class="pi">:</span> <span class="na">product</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Tool</span><span class="nv"> </span><span class="s">Integration</span><span class="nv"> </span><span class="s">Platform"</span> <span class="na">customers</span><span class="pi">:</span> <span class="s2">"</span><span class="s">LLM</span><span class="nv"> </span><span class="s">applications"</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Connect</span><span class="nv"> </span><span class="s">LLMs</span><span class="nv"> </span><span class="s">to</span><span class="nv"> </span><span class="s">tools"</span> <span class="na">sla</span><span class="pi">:</span> <span class="s2">"</span><span class="s">&lt;50ms</span><span class="nv"> </span><span class="s">tool</span><span class="nv"> </span><span class="s">invocation"</span> <span class="na">roadmap</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">Custom</span><span class="nv"> </span><span class="s">tools"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">Async</span><span class="nv"> </span><span class="s">execution"</span><span class="pi">]</span> </code></pre> </div> <p><strong>Developer Experience Products:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">Tilt</span><span class="pi">:</span> <span class="na">domain</span><span class="pi">:</span> <span class="s2">"</span><span class="s">[DEVEX]"</span> <span class="na">phase</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Scale"</span> <span class="na">complexity</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Basic"</span> <span class="na">impact</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Medium"</span> <span class="na">dependencies</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">None"</span><span class="pi">]</span> <span class="na">time</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1</span><span class="nv"> </span><span class="s">day"</span> <span class="na">priority</span><span class="pi">:</span> <span class="s2">"</span><span class="s">P1"</span> <span class="na">product</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Local</span><span class="nv"> </span><span class="s">Development</span><span class="nv"> </span><span class="s">Platform"</span> <span class="na">customers</span><span class="pi">:</span> <span class="s2">"</span><span class="s">All</span><span class="nv"> </span><span class="s">developers"</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Hot-reload,</span><span class="nv"> </span><span class="s">real</span><span class="nv"> </span><span class="s">K8s</span><span class="nv"> </span><span class="s">environment,</span><span class="nv"> </span><span class="s">fast</span><span class="nv"> </span><span class="s">iteration"</span> <span class="na">sla</span><span class="pi">:</span> <span class="s2">"</span><span class="s">&lt;5s</span><span class="nv"> </span><span class="s">code</span><span class="nv"> </span><span class="s">sync,</span><span class="nv"> </span><span class="s">&lt;10s</span><span class="nv"> </span><span class="s">service</span><span class="nv"> </span><span class="s">restart"</span> <span class="na">roadmap</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">Remote</span><span class="nv"> </span><span class="s">development"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">Debugging</span><span class="nv"> </span><span class="s">tools"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">Resource</span><span class="nv"> </span><span class="s">snapshots"</span><span class="pi">]</span> </code></pre> </div> <p><strong>Infrastructure Products:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">Multi-region</span><span class="pi">:</span> <span class="na">domain</span><span class="pi">:</span> <span class="s2">"</span><span class="s">[NETWORK]"</span> <span class="na">phase</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Production</span><span class="nv"> </span><span class="s">Excellence"</span> <span class="na">complexity</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Expert"</span> <span class="na">impact</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Medium"</span> <span class="na">dependencies</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">ArgoCD"</span><span class="pi">]</span> <span class="na">time</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2+</span><span class="nv"> </span><span class="s">weeks"</span> <span class="na">priority</span><span class="pi">:</span> <span class="s2">"</span><span class="s">P3"</span> <span class="na">product</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Global</span><span class="nv"> </span><span class="s">Load</span><span class="nv"> </span><span class="s">Balancing</span><span class="nv"> </span><span class="s">&amp;</span><span class="nv"> </span><span class="s">Geo-distribution"</span> <span class="na">customers</span><span class="pi">:</span> <span class="s2">"</span><span class="s">All</span><span class="nv"> </span><span class="s">production</span><span class="nv"> </span><span class="s">workloads"</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Low</span><span class="nv"> </span><span class="s">latency</span><span class="nv"> </span><span class="s">worldwide,</span><span class="nv"> </span><span class="s">compliance</span><span class="nv"> </span><span class="s">(data</span><span class="nv"> </span><span class="s">residency)"</span> <span class="na">sla</span><span class="pi">:</span> <span class="s2">"</span><span class="s">99.99%</span><span class="nv"> </span><span class="s">global</span><span class="nv"> </span><span class="s">availability,</span><span class="nv"> </span><span class="s">&lt;100ms</span><span class="nv"> </span><span class="s">cross-region</span><span class="nv"> </span><span class="s">failover"</span> <span class="na">roadmap</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">Active-active"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">Traffic</span><span class="nv"> </span><span class="s">shaping"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">Cost</span><span class="nv"> </span><span class="s">optimization"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">DR</span><span class="nv"> </span><span class="s">automation"</span><span class="pi">]</span> </code></pre> </div> <h3> Production Recommended Extensions </h3> <ol> <li> <strong>TLS/HTTPS:</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># argocd-values.yaml</span> <span class="na">server</span><span class="pi">:</span> <span class="na">ingress</span><span class="pi">:</span> <span class="na">tls</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">secretName</span><span class="pi">:</span> <span class="s">argocd-tls</span> <span class="na">hosts</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">argocd.empresa.com</span> </code></pre> </div> <ol> <li> <strong>SSO/OIDC:</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">server</span><span class="pi">:</span> <span class="na">config</span><span class="pi">:</span> <span class="na">url</span><span class="pi">:</span> <span class="s">https://argocd.empresa.com</span> <span class="na">oidc.config</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">name: Okta</span> <span class="s">issuer: https://empresa.okta.com</span> <span class="s">clientID: $oidc.okta.clientId</span> <span class="s">clientSecret: $oidc.okta.clientSecret</span> </code></pre> </div> <ol> <li> <strong>RBAC:</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">server</span><span class="pi">:</span> <span class="na">rbacConfig</span><span class="pi">:</span> <span class="na">policy.csv</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">p, role:developers, applications, get, */*, allow</span> <span class="s">p, role:developers, applications, sync, */*, allow</span> <span class="s">g, developers-group, role:developers</span> </code></pre> </div> <ol> <li> <strong>Notifications:</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">notifications</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">notifiers</span><span class="pi">:</span> <span class="na">service.slack</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">token: $slack-token</span> <span class="na">templates</span><span class="pi">:</span> <span class="na">template.app-deployed</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">message: Application {{.app.metadata.name}} deployed</span> <span class="na">triggers</span><span class="pi">:</span> <span class="na">trigger.on-deployed</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">- when: app.status.operationState.phase in ['Succeeded']</span> <span class="s">send: [app-deployed]</span> </code></pre> </div> <ol> <li> <strong>Application Sets:</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ApplicationSet</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cluster-apps</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">generators</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">git</span><span class="pi">:</span> <span class="na">repoURL</span><span class="pi">:</span> <span class="s">https://github.com/empresa/k8s-apps.git</span> <span class="na">revision</span><span class="pi">:</span> <span class="s">HEAD</span> <span class="na">directories</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s">apps/*</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s1">'</span><span class="s">{{path.basename}}'</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">source</span><span class="pi">:</span> <span class="na">repoURL</span><span class="pi">:</span> <span class="s">https://github.com/empresa/k8s-apps.git</span> <span class="na">path</span><span class="pi">:</span> <span class="s1">'</span><span class="s">{{path}}'</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">server</span><span class="pi">:</span> <span class="s">https://kubernetes.default.svc</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s1">'</span><span class="s">{{path.basename}}'</span> </code></pre> </div> <p><strong>Monitoring:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># ServiceMonitor para Prometheus</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">monitoring.coreos.com/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceMonitor</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">argocd-metrics</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">argocd-metrics</span> <span class="na">endpoints</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="s">metrics</span> </code></pre> </div> <h2> Technical Resources </h2> <p><strong>References:</strong> </p> <ol> <li>Straube, S. (2025). <a href="https://medium.com/elevate-tech/infrastructure-as-a-product-the-key-to-agile-and-scalable-it-87501b4be7e3" rel="noopener noreferrer">"Infrastructure as a Product: The Key to Agile and Scalable IT".</a> Medium/Elevate Tech.</li> <li>Griffiths, M. (2021). <a href="https://www.thoughtworks.com/insights/articles/infrastructure-as-product" rel="noopener noreferrer">"Infrastructure as Product: Accelerating time to market through platform engineering".</a> Thoughtworks Insights.</li> <li>Strope, L. (2026). <a href="https://akava.io/blog/why-infrastructure-is-becoming-product-and-how-to-capitalize" rel="noopener noreferrer">"Why Infrastructure Is Becoming Product And How to Capitalize".</a> Akava.</li> </ol> <p><strong>Documentation:</strong></p> <ul> <li><a href="https://argo-cd.readthedocs.io/" rel="noopener noreferrer">ArgoCD Official Docs</a></li> <li><a href="https://opengitops.dev/" rel="noopener noreferrer">GitOps Principles</a></li> <li><a href="https://helm.sh/docs/chart_template_guide/" rel="noopener noreferrer">Helm Chart Development</a></li> <li><a href="https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs" rel="noopener noreferrer">Terraform Kubernetes Provider</a></li> </ul> <p><strong>Reference Repositories:</strong></p> <ul> <li><a href="https://github.com/argoproj/argocd-example-apps" rel="noopener noreferrer">ArgoCD Examples</a></li> <li><a href="https://github.com/argoproj/gitops-engine" rel="noopener noreferrer">GitOps Engine</a></li> <li><a href="https://github.com/argoproj-labs/argocd-autopilot" rel="noopener noreferrer">Argo CD Autopilot</a></li> </ul> <p><strong>Auxiliary Tools:</strong></p> <ul> <li> <code>argocd</code> CLI</li> <li> <code>kubectl-argo-rollouts</code> (progressive delivery)</li> <li> <code>argocd-notifications</code> (alerts)</li> <li> <code>argocd-image-updater</code> (auto-update images)</li> </ul> <p><em>End of Chapter 4</em></p> devops ai sre tutorial Chapter 3: A Better Abstraction — Managing LLM Apps with Terraform + Helm George Lukas Fri, 20 Feb 2026 19:09:36 +0000 https://dev.to/glukas/chapter-3-terraform-helm-a-better-abstraction-5dka https://dev.to/glukas/chapter-3-terraform-helm-a-better-abstraction-5dka <p>In Chapter 2, we reached an uncomfortable conclusion: Terraform <strong>can</strong> manage Kubernetes, but that doesn't mean it <strong>should</strong> manage everything in Kubernetes.</p> <p>We observed that:</p> <ul> <li> <strong>Terraform</strong> → Versioning, auditing, reproducibility</li> <li> <strong>Helm</strong> → Simplicity, lifecycle management</li> <li> <strong>Terraform + K8s Provider directly</strong> → Verbose, giant state, no rollbacks</li> </ul> <p>The question that lingers: <strong>"Is there a way to have the best of both?"</strong></p> <h3> Changing Abstraction Level </h3> <p>The problem in Chapter 2 wasn't Terraform itself, it was the <strong>level of abstraction</strong> we chose.</p> <p><strong>Wrong thinking:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Terraform → Manage Deployments, Services, Ingress, etc (individual Kubernetes resources) </code></pre> </div> <p><strong>Right thinking:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Terraform → Manage Helm Releases (complete applications as units) </code></pre> </div> <p>It's a subtle but profound change. Instead of Terraform <strong>replacing</strong> Helm, Terraform <strong>orchestrates</strong> Helm.</p> <h3> Layered Architecture of Responsibilities </h3> <p>Let's visualize how responsibilities are divided:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌──────────────────────────────────────────┐ │ You (Developer) │ │ Define desired state in code │ └────────────────┬─────────────────────────┘ │ ↓ ┌──────────────────────────────────────────┐ │ Terraform (Orchestrator) │ │ • Manages namespaces │ │ • Manages infrastructure secrets │ │ • Manages RBAC │ │ • Manages Helm Releases (pointers) │ └────────────────┬─────────────────────────┘ │ ↓ ┌──────────────────────────────────────────┐ │ Helm (Package Manager) │ │ • Renders templates │ │ • Applies resources to cluster │ │ • Maintains release history │ │ • Manages rollbacks │ └────────────────┬─────────────────────────┘ │ ↓ ┌──────────────────────────────────────────┐ │ Kubernetes (Runtime) │ │ • Runs containers │ │ • Manages storage │ │ • Routes traffic │ │ • Self-healing │ └──────────────────────────────────────────┘ </code></pre> </div> <p>Each layer does what it does best. No unnecessary overlap.</p> <h3> Project Structure: </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>cap3-helm-provider/ ├── main.tf # Main configuration ├── variables.tf # Input variables ├── terraform.tfvars # Values (don't commit!) ├── outputs.tf # Useful outputs ├── .gitignore # Secret protection │ ├── values/ # Helm chart values │ ├── ollama-values.yaml │ └── librechat-values.yaml │ └── README.md # Documentation </code></pre> </div> <ol> <li> <p><strong>Separation of code and configuration</strong></p> <ul> <li>Logic (<code>main.tf</code>) separated from values (<code>values/</code>)</li> <li>Easy to version and review changes</li> </ul> </li> <li> <p><strong>Reusable</strong></p> <ul> <li>Same structure for dev, staging, prod</li> <li>Only change <code>terraform.tfvars</code> </li> </ul> </li> <li> <p><strong>Secure</strong></p> <ul> <li> <code>.gitignore</code> protects secrets</li> <li>Values can have public and private versions</li> </ul> </li> </ol> <h4> Part 1: Provider Declaration </h4> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># main.tf</span> <span class="nx">terraform</span> <span class="p">{</span> <span class="nx">required_version</span> <span class="p">=</span> <span class="s2">"&gt;= 1.0"</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">kubernetes</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/kubernetes"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 2.23"</span> <span class="p">}</span> <span class="nx">helm</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/helm"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 2.11"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">provider</span> <span class="s2">"kubernetes"</span> <span class="p">{</span> <span class="nx">config_path</span> <span class="p">=</span> <span class="s2">"~/.kube/config"</span> <span class="nx">config_context</span> <span class="p">=</span> <span class="s2">"minikube"</span> <span class="p">}</span> <span class="nx">provider</span> <span class="s2">"helm"</span> <span class="p">{</span> <span class="nx">kubernetes</span> <span class="p">{</span> <span class="nx">config_path</span> <span class="p">=</span> <span class="s2">"~/.kube/config"</span> <span class="nx">config_context</span> <span class="p">=</span> <span class="s2">"minikube"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Helm Provider</strong></p> <p>Now we have <strong>two</strong> providers:</p> <ul> <li> <code>kubernetes</code>: For base infrastructure resources</li> <li> <code>helm</code>: For managing application releases</li> </ul> <p><strong>Important:</strong> The Helm provider <strong>doesn't replace</strong> the Kubernetes provider. They work together:</p> <ul> <li> <strong>Kubernetes provider</strong> → Creates namespaces, secrets, RBAC</li> <li> <strong>Helm provider</strong> → Deploys applications in those namespaces</li> </ul> <p><strong>Semantic versioning (<code>~&gt; 2.23</code>):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>~&gt; 2.23 means: - 2.23.0, 2.23.1, 2.24.0 (accepts) - 3.0.0 (rejects - breaking change) </code></pre> </div> <p>Ensures security updates without breaking compatibility.</p> <h4> Part 2: Base Infrastructure (Terraform Territory) </h4> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Namespaces managed by Terraform</span> <span class="nx">resource</span> <span class="s2">"kubernetes_namespace"</span> <span class="s2">"ollama"</span> <span class="p">{</span> <span class="nx">metadata</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ollama"</span> <span class="nx">labels</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">managed-by</span> <span class="p">=</span> <span class="s2">"terraform"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"kubernetes_namespace"</span> <span class="s2">"librechat"</span> <span class="p">{</span> <span class="nx">metadata</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"librechat"</span> <span class="nx">labels</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">managed-by</span> <span class="p">=</span> <span class="s2">"terraform"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Why does Terraform manage namespaces?</strong></p> <p>Namespaces are <strong>infrastructure</strong>, not applications. They:</p> <ul> <li>Rarely change</li> <li>Are prerequisites for everything</li> <li>Define security boundaries</li> <li>Need to exist before applications</li> </ul> <p><strong>Label <code>managed-by = "terraform"</code>:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Useful for filtering</span> kubectl get ns <span class="nt">-l</span> managed-by<span class="o">=</span>terraform <span class="c"># Output:</span> NAME STATUS AGE ollama Active 10m librechat Active 10m </code></pre> </div> <p>Makes it clear these resources shouldn't be edited manually.</p> <h4> Part 3: Infrastructure Secrets </h4> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Secret managed by Terraform (infra-level)</span> <span class="nx">resource</span> <span class="s2">"kubernetes_secret"</span> <span class="s2">"librechat_credentials"</span> <span class="p">{</span> <span class="nx">metadata</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"librechat-credentials-env"</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="nx">kubernetes_namespace</span><span class="p">.</span><span class="nx">librechat</span><span class="p">.</span><span class="nx">metadata</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">name</span> <span class="p">}</span> <span class="nx">data</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">JWT_SECRET</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">jwt_secret</span> <span class="nx">JWT_REFRESH_SECRET</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">jwt_refresh_secret</span> <span class="nx">CREDS_KEY</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">creds_key</span> <span class="nx">CREDS_IV</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">creds_iv</span> <span class="nx">MONGO_URI</span> <span class="p">=</span> <span class="s2">"mongodb://librechat-mongodb:27017/LibreChat"</span> <span class="nx">MEILI_HOST</span> <span class="p">=</span> <span class="s2">"http://librechat-meilisearch:7700"</span> <span class="nx">OLLAMA_BASE_URL</span> <span class="p">=</span> <span class="s2">"http://ollama.ollama.svc.cluster.local:11434"</span> <span class="p">}</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"Opaque"</span> <span class="p">}</span> </code></pre> </div> <p><strong>Design decision: Why does Terraform manage this secret?</strong></p> <p>This secret contains <strong>infrastructure credentials</strong> that:</p> <ol> <li>Need to exist <strong>before</strong> application deployment</li> <li>Don't change frequently</li> <li>Are shared between environments (same structure, different values)</li> <li>Should be versioned (structure) but not values (<code>.tfvars</code>)</li> </ol> <p><strong>Important dynamic reference:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">namespace</span> <span class="err">=</span> <span class="nx">kubernetes_namespace</span><span class="err">.</span><span class="nx">librechat</span><span class="err">.</span><span class="nx">metadata</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span><span class="err">.</span><span class="nx">name</span> </code></pre> </div> <p>Terraform ensures the namespace is created <strong>first</strong>, then the secret. Automatic dependency management!</p> <p><strong>Variables file (<code>variables.tf</code>):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"jwt_secret"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"JWT secret for LibreChat"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">sensitive</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"jwt_refresh_secret"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"JWT refresh secret"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">sensitive</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"creds_key"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Credentials encryption key"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">sensitive</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"creds_iv"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Credentials initialization vector"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">sensitive</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> </code></pre> </div> <p><strong>Values file (<code>terraform.tfvars</code> - DON'T COMMIT!):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">jwt_secret</span> <span class="err">=</span> <span class="s2">"abc123def456..."</span> <span class="c1"># generated with openssl rand -hex 32</span> <span class="nx">jwt_refresh_secret</span> <span class="err">=</span> <span class="s2">"ghi789jkl012..."</span> <span class="nx">creds_key</span> <span class="err">=</span> <span class="s2">"mno345pqr678..."</span> <span class="nx">creds_iv</span> <span class="err">=</span> <span class="s2">"stu901vwx234..."</span> </code></pre> </div> <p><strong><code>.gitignore</code>:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Terraform *.tfstate *.tfstate.* .terraform/ terraform.tfvars # ← CRITICAL! # Sensitive files values/*-secrets.yaml </code></pre> </div> <h4> Part 4: Helm Releases </h4> <p>This is where the Chapter 3 approach shines.</p> <p><strong>Ollama deployment:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Helm Release - Ollama</span> <span class="nx">resource</span> <span class="s2">"helm_release"</span> <span class="s2">"ollama"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ollama"</span> <span class="nx">repository</span> <span class="p">=</span> <span class="s2">"https://otwld.github.io/ollama-helm/"</span> <span class="nx">chart</span> <span class="p">=</span> <span class="s2">"ollama"</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="nx">kubernetes_namespace</span><span class="p">.</span><span class="nx">ollama</span><span class="p">.</span><span class="nx">metadata</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">name</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">file</span><span class="p">(</span><span class="s2">"${path.module}/values/ollama-values.yaml"</span><span class="p">)</span> <span class="p">]</span> <span class="c1"># Version control</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"1.41.0"</span> <span class="c1"># Pin version for reproducibility</span> <span class="c1"># Deployment settings</span> <span class="nx">create_namespace</span> <span class="p">=</span> <span class="kc">false</span> <span class="c1"># Already created by Terraform</span> <span class="nx">wait</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1"># Wait for ready</span> <span class="nx">timeout</span> <span class="p">=</span> <span class="mi">600</span> <span class="c1"># 10 minutes max</span> <span class="c1"># Dependency tracking</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">kubernetes_namespace</span><span class="p">.</span><span class="nx">ollama</span> <span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p><strong>Breaking it down:</strong></p> <p><strong>1. Chart source:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">repository</span> <span class="err">=</span> <span class="s2">"https://otwld.github.io/ollama-helm/"</span> <span class="nx">chart</span> <span class="err">=</span> <span class="s2">"ollama"</span> </code></pre> </div> <p><strong>2. Values file:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">values</span> <span class="err">=</span> <span class="p">[</span> <span class="nx">file</span><span class="p">(</span><span class="s2">"${path.module}/values/ollama-values.yaml"</span><span class="p">)</span> <span class="p">]</span> </code></pre> </div> <p>The <code>file()</code> function reads YAML from Terraform module Path.</p> <p><strong>3. Version pinning:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">version</span> <span class="err">=</span> <span class="s2">"1.41.0"</span> </code></pre> </div> <p>Critical for reproducibility! Without this, <code>helm_release</code> would use "latest", which changes over time.</p> <p><strong>4. Deployment controls:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">wait</span> <span class="err">=</span> <span class="kc">true</span> <span class="c1"># Don't return until ready</span> <span class="nx">timeout</span> <span class="err">=</span> <span class="mi">600</span> <span class="c1"># 10 min max</span> </code></pre> </div> <p>Terraform waits for Pods to be healthy before considering deployment successful.</p> <p><strong>5. Dependencies:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">depends_on</span> <span class="err">=</span> <span class="p">[</span><span class="nx">kubernetes_namespace</span><span class="p">.</span><span class="nx">ollama</span><span class="p">]</span> </code></pre> </div> <p>Terraform creates namespace → then creates release</p> <p><strong>The values file (<code>values/ollama-values.yaml</code>):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">ollama</span><span class="pi">:</span> <span class="na">gpu</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">type</span><span class="pi">:</span> <span class="s">nvidia</span> <span class="na">number</span><span class="pi">:</span> <span class="m">1</span> <span class="na">models</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">llama2</span> <span class="pi">-</span> <span class="s">codellama</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="m">2</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">8Gi</span> <span class="na">service</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">ClusterIP</span> <span class="na">port</span><span class="pi">:</span> <span class="m">11434</span> <span class="na">ingress</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">className</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">hosts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">host</span><span class="pi">:</span> <span class="s">ollama.glukas.space</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/</span> <span class="na">pathType</span><span class="pi">:</span> <span class="s">Prefix</span> </code></pre> </div> <p><strong>LibreChat deployment:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Helm Release - LibreChat</span> <span class="nx">resource</span> <span class="s2">"helm_release"</span> <span class="s2">"librechat"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"librechat"</span> <span class="nx">repository</span> <span class="p">=</span> <span class="s2">"oci://ghcr.io/danny-avila/librechat-chart"</span> <span class="nx">chart</span> <span class="p">=</span> <span class="s2">"librechat"</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="nx">kubernetes_namespace</span><span class="p">.</span><span class="nx">librechat</span><span class="p">.</span><span class="nx">metadata</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">name</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">file</span><span class="p">(</span><span class="s2">"${path.module}/values/librechat-values.yaml"</span><span class="p">)</span> <span class="p">]</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"1.5.0"</span> <span class="nx">create_namespace</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">wait</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">timeout</span> <span class="p">=</span> <span class="mi">900</span> <span class="c1"># 15 min (MongoDB initialization)</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">kubernetes_namespace</span><span class="p">.</span><span class="nx">librechat</span><span class="p">,</span> <span class="nx">kubernetes_secret</span><span class="p">.</span><span class="nx">librechat_credentials</span> <span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p><strong>Notice:</strong></p> <ul> <li>Different repository (OCI registry)</li> <li>Longer timeout (MongoDB takes time)</li> <li>Depends on secret (must exist first)</li> </ul> <p>LibreChat <strong>depends</strong> on Ollama. Terraform ensures order:</p> <ol> <li>Namespace</li> <li>Secret</li> <li>Ollama</li> <li>LibreChat</li> </ol> <p><strong>The values file (<code>values/librechat-values.yaml</code>):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">config</span><span class="pi">:</span> <span class="na">APP_TITLE</span><span class="pi">:</span> <span class="s2">"</span><span class="s">LibreChat</span><span class="nv"> </span><span class="s">+</span><span class="nv"> </span><span class="s">Ollama</span><span class="nv"> </span><span class="s">(via</span><span class="nv"> </span><span class="s">Terraform)"</span> <span class="na">HOST</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0.0.0.0"</span> <span class="na">PORT</span><span class="pi">:</span> <span class="s2">"</span><span class="s">3080"</span> <span class="na">SEARCH</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="na">MONGO_URI</span><span class="pi">:</span> <span class="s2">"</span><span class="s">mongodb://librechat-mongodb:27017/LibreChat"</span> <span class="na">MEILI_HOST</span><span class="pi">:</span> <span class="s2">"</span><span class="s">http://librechat-meilisearch:7700"</span> <span class="na">librechat</span><span class="pi">:</span> <span class="na">configEnv</span><span class="pi">:</span> <span class="na">ALLOW_REGISTRATION</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="na">configYamlContent</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">version: 1.1.5</span> <span class="s">cache: true</span> <span class="s">endpoints:</span> <span class="s">custom:</span> <span class="s">- name: "Ollama"</span> <span class="s">apiKey: "ollama"</span> <span class="s">baseURL: "http://ollama.ollama.svc.cluster.local:11434/v1"</span> <span class="s">models:</span> <span class="s">default:</span> <span class="s">- "llama2:latest"</span> <span class="s">fetch: true</span> <span class="s">titleConvo: true</span> <span class="s">titleModel: "llama2:latest"</span> <span class="s">summarize: false</span> <span class="s">summaryModel: "llama2:latest"</span> <span class="s">forcePrompt: false</span> <span class="s">modelDisplayLabel: "Ollama"</span> <span class="s">addParams:</span> <span class="s">temperature: 0.7</span> <span class="s">max_tokens: 2000</span> <span class="na">extraEnvVarsSecret</span><span class="pi">:</span> <span class="s2">"</span><span class="s">librechat-credentials-env"</span> <span class="na">ingress</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">className</span><span class="pi">:</span> <span class="s2">"</span><span class="s">nginx"</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">nginx.ingress.kubernetes.io/proxy-body-size</span><span class="pi">:</span> <span class="s2">"</span><span class="s">25m"</span> <span class="na">nginx.ingress.kubernetes.io/proxy-read-timeout</span><span class="pi">:</span> <span class="s2">"</span><span class="s">600"</span> <span class="na">nginx.ingress.kubernetes.io/proxy-send-timeout</span><span class="pi">:</span> <span class="s2">"</span><span class="s">600"</span> <span class="na">hosts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">host</span><span class="pi">:</span> <span class="s">librechat.glukas.space</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/</span> <span class="na">pathType</span><span class="pi">:</span> <span class="s">Prefix</span> <span class="na">mongodb</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">auth</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">image</span><span class="pi">:</span> <span class="na">repository</span><span class="pi">:</span> <span class="s">bitnami/mongodb</span> <span class="na">tag</span><span class="pi">:</span> <span class="s">latest</span> <span class="na">persistence</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">size</span><span class="pi">:</span> <span class="s">8Gi</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">256Mi"</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">100m"</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1Gi"</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">500m"</span> <span class="na">meilisearch</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">auth</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">MEILI_NO_ANALYTICS</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="na">MEILI_ENV</span><span class="pi">:</span> <span class="s2">"</span><span class="s">development"</span> <span class="na">persistence</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">size</span><span class="pi">:</span> <span class="s">1Gi</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">128Mi"</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">50m"</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">512Mi"</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">250m"</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">256Mi"</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">100m"</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1Gi"</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">500m"</span> <span class="na">persistence</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">size</span><span class="pi">:</span> <span class="s">5Gi</span> <span class="na">storageClass</span><span class="pi">:</span> <span class="s2">"</span><span class="s">standard"</span> <span class="na">replicaCount</span><span class="pi">:</span> <span class="m">1</span> </code></pre> </div> <h3> Deployment Workflow </h3> <p>Now let's see this in action.</p> <h4> Initial Deployment </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Generate secrets</span> <span class="nb">export </span><span class="nv">TF_VAR_jwt_secret</span><span class="o">=</span><span class="si">$(</span>openssl rand <span class="nt">-hex</span> 32<span class="si">)</span> <span class="nb">export </span><span class="nv">TF_VAR_jwt_refresh_secret</span><span class="o">=</span><span class="si">$(</span>openssl rand <span class="nt">-hex</span> 32<span class="si">)</span> <span class="nb">export </span><span class="nv">TF_VAR_creds_key</span><span class="o">=</span><span class="si">$(</span>openssl rand <span class="nt">-hex</span> 32<span class="si">)</span> <span class="nb">export </span><span class="nv">TF_VAR_creds_iv</span><span class="o">=</span><span class="si">$(</span>openssl rand <span class="nt">-hex</span> 16<span class="si">)</span> <span class="c"># Or create terraform.tfvars</span> <span class="nb">cat</span> <span class="o">&gt;</span> terraform.tfvars <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> jwt_secret = "</span><span class="si">$(</span>openssl rand <span class="nt">-hex</span> 32<span class="si">)</span><span class="sh">" jwt_refresh_secret = "</span><span class="si">$(</span>openssl rand <span class="nt">-hex</span> 32<span class="si">)</span><span class="sh">" creds_key = "</span><span class="si">$(</span>openssl rand <span class="nt">-hex</span> 32<span class="si">)</span><span class="sh">" creds_iv = "</span><span class="si">$(</span>openssl rand <span class="nt">-hex</span> 16<span class="si">)</span><span class="sh">" </span><span class="no">EOF </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 1. Initialize</span> terraform init <span class="c"># Downloads both kubernetes and helm providers</span> <span class="c"># 2. Validate</span> terraform validate <span class="c"># Checks HCL syntax</span> <span class="c"># 3. Plan</span> terraform plan </code></pre> </div> <p><strong>Plan output:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">Terraform</span> <span class="nx">will</span> <span class="nx">perform</span> <span class="nx">the</span> <span class="nx">following</span> <span class="nx">actions</span><span class="err">:</span> <span class="c1"># kubernetes_namespace.ollama will be created</span> <span class="err">+</span> <span class="nx">resource</span> <span class="s2">"kubernetes_namespace"</span> <span class="s2">"ollama"</span> <span class="p">{</span> <span class="err">+</span> <span class="nx">id</span> <span class="p">=</span> <span class="p">(</span><span class="nx">known</span> <span class="nx">after</span> <span class="nx">apply</span><span class="p">)</span> <span class="err">+</span> <span class="nx">metadata</span> <span class="p">{</span> <span class="err">+</span> <span class="nx">generation</span> <span class="p">=</span> <span class="p">(</span><span class="nx">known</span> <span class="nx">after</span> <span class="nx">apply</span><span class="p">)</span> <span class="err">+</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ollama"</span> <span class="err">+</span> <span class="nx">labels</span> <span class="p">=</span> <span class="p">{</span> <span class="err">+</span> <span class="s2">"managed-by"</span> <span class="p">=</span> <span class="s2">"terraform"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># kubernetes_secret.librechat_credentials will be created</span> <span class="err">+</span> <span class="nx">resource</span> <span class="s2">"kubernetes_secret"</span> <span class="s2">"librechat_credentials"</span> <span class="p">{</span> <span class="err">+</span> <span class="nx">data</span> <span class="p">=</span> <span class="p">(</span><span class="nx">sensitive</span> <span class="nx">value</span><span class="p">)</span> <span class="err">+</span> <span class="nx">id</span> <span class="p">=</span> <span class="p">(</span><span class="nx">known</span> <span class="nx">after</span> <span class="nx">apply</span><span class="p">)</span> <span class="err">+</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"Opaque"</span> <span class="err">+</span> <span class="nx">metadata</span> <span class="p">{</span> <span class="err">+</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"librechat-credentials-env"</span> <span class="err">+</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="p">(</span><span class="nx">known</span> <span class="nx">after</span> <span class="nx">apply</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># helm_release.ollama will be created</span> <span class="err">+</span> <span class="nx">resource</span> <span class="s2">"helm_release"</span> <span class="s2">"ollama"</span> <span class="p">{</span> <span class="err">+</span> <span class="nx">id</span> <span class="p">=</span> <span class="p">(</span><span class="nx">known</span> <span class="nx">after</span> <span class="nx">apply</span><span class="p">)</span> <span class="err">+</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ollama"</span> <span class="err">+</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="p">(</span><span class="nx">known</span> <span class="nx">after</span> <span class="nx">apply</span><span class="p">)</span> <span class="err">+</span> <span class="nx">repository</span> <span class="p">=</span> <span class="s2">"https://otwld.github.io/ollama-helm/"</span> <span class="err">+</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"1.41.0"</span> <span class="err">+</span> <span class="nx">status</span> <span class="p">=</span> <span class="p">(</span><span class="nx">known</span> <span class="nx">after</span> <span class="nx">apply</span><span class="p">)</span> <span class="err">+</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span> <span class="err">+</span> <span class="o">&lt;&lt;-</span><span class="no">EOT</span><span class="sh"> ollama: gpu: enabled: true ... EOT, ] } Plan: 5 to add, 0 to change, 0 to destroy. </span></code></pre> </div> <p>Notice: Only <strong>5 resources</strong> in the plan!</p> <ul> <li>2 namespaces</li> <li>1 secret</li> <li>2 helm_releases</li> </ul> <p>Compare to Chapter 2: would be 50+ individual K8s resources.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 4. Apply</span> terraform apply <span class="c"># Output:</span> kubernetes_namespace.ollama: Creating... kubernetes_namespace.librechat: Creating... kubernetes_namespace.ollama: Creation <span class="nb">complete </span>after 1s kubernetes_namespace.librechat: Creation <span class="nb">complete </span>after 1s kubernetes_secret.librechat_credentials: Creating... kubernetes_secret.librechat_credentials: Creation <span class="nb">complete </span>after 1s helm_release.ollama: Creating... helm_release.ollama: Still creating... <span class="o">[</span>10s elapsed] helm_release.ollama: Still creating... <span class="o">[</span>20s elapsed] helm_release.ollama: Creation <span class="nb">complete </span>after 45s <span class="o">[</span><span class="nb">id</span><span class="o">=</span>ollama] helm_release.librechat: Creating... helm_release.librechat: Still creating... <span class="o">[</span>10s elapsed] helm_release.librechat: Still creating... <span class="o">[</span>20s elapsed] ... helm_release.librechat: Creation <span class="nb">complete </span>after 2m15s <span class="o">[</span><span class="nb">id</span><span class="o">=</span>librechat] Apply <span class="nb">complete</span><span class="o">!</span> Resources: 5 added, 0 changed, 0 destroyed. </code></pre> </div> <p><strong>What happened behind the scenes:</strong></p> <ol> <li>Terraform created namespaces</li> <li>Terraform created secret</li> <li>Terraform told Helm: "Install ollama chart with these values"</li> <li> <strong>Helm</strong> rendered templates and created: Deployment, Service, PVC, Ingress, etc</li> <li>Terraform told Helm: "Install librechat chart with these values"</li> <li> <strong>Helm</strong> rendered templates and created: Deployment, Service, MongoDB StatefulSet, MeiliSearch Deployment, Ingress, etc</li> </ol> <p><strong>Terraform state only tracks the 5 high-level resources.</strong><br> <strong>Helm manages all the detailed Kubernetes resources.</strong></p> <h4> Verifying Deployment </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check Terraform state</span> terraform state list <span class="c"># kubernetes_namespace.librechat</span> <span class="c"># kubernetes_namespace.ollama</span> <span class="c"># kubernetes_secret.librechat_credentials</span> <span class="c"># helm_release.librechat</span> <span class="c"># helm_release.ollama</span> <span class="c"># Check Helm releases</span> helm list <span class="nt">-A</span> <span class="c"># NAME NAMESPACE REVISION STATUS CHART APP VERSION</span> <span class="c"># ollama ollama 1 deployed ollama-1.41.0 0.1.20</span> <span class="c"># librechat librechat 1 deployed librechat-1.5.0 0.7.0</span> <span class="c"># Check actual Kubernetes resources</span> kubectl get all <span class="nt">-n</span> ollama <span class="c"># NAME READY STATUS RESTARTS AGE</span> <span class="c"># pod/ollama-7d8f9c5b6d-xk2p4 1/1 Running 0 2m</span> <span class="c">#</span> <span class="c"># NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE</span> <span class="c"># service/ollama ClusterIP 10.96.245.12 &lt;none&gt; 11434/TCP 2m</span> <span class="c">#</span> <span class="c"># NAME READY UP-TO-DATE AVAILABLE AGE</span> <span class="c"># deployment.apps/ollama 1/1 1 1 2m</span> kubectl get all <span class="nt">-n</span> librechat <span class="c"># (Shows MongoDB, MeiliSearch, LibreChat deployments/services)</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Testing Ollama</span> curl http://ollama.glukas.space/api/tags </code></pre> </div> <p><strong>Output:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"models"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"llama2:latest"</span><span class="p">,</span><span class="w"> </span><span class="nl">"modified_at"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2025-02-07T13:30:00.000Z"</span><span class="p">,</span><span class="w"> </span><span class="nl">"size"</span><span class="p">:</span><span class="w"> </span><span class="mi">3826793677</span><span class="p">,</span><span class="w"> </span><span class="nl">"digest"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sha256:abc123..."</span><span class="p">,</span><span class="w"> </span><span class="nl">"details"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"format"</span><span class="p">:</span><span class="w"> </span><span class="s2">"gguf"</span><span class="p">,</span><span class="w"> </span><span class="nl">"family"</span><span class="p">:</span><span class="w"> </span><span class="s2">"llama"</span><span class="p">,</span><span class="w"> </span><span class="nl">"families"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"llama"</span><span class="p">],</span><span class="w"> </span><span class="nl">"parameter_size"</span><span class="p">:</span><span class="w"> </span><span class="s2">"7B"</span><span class="p">,</span><span class="w"> </span><span class="nl">"quantization_level"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Q4_0"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>Ollama Working!</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Testing LibreChat</span> curl <span class="nt">-I</span> http://librechat.glukas.space </code></pre> </div> <p><strong>Output:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=utf-8 ... </code></pre> </div> <p><strong>LibreChat Working!</strong></p> <p><strong>Open in browser:</strong></p> <ul> <li><code>http://librechat.glukas.space</code></li> <li>Sign in</li> <li>Select model Ollama</li> <li>Start chatting!</li> </ul> <p><strong>All Good!</strong></p> <h3> Operations </h3> <p>Now let's see how daily operations are different.</p> <h4> Upgrading Chart Version </h4> <p><strong>Scenario:</strong> New Ollama chart version available.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 1. Update version</span> vim main.tf </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"helm_release"</span> <span class="s2">"ollama"</span> <span class="p">{</span> <span class="c1"># ...</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"1.42.0"</span> <span class="c1"># was 1.41.0</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 2. Plan</span> terraform plan </code></pre> </div> <p><strong>Output:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code> <span class="err">~</span> <span class="nx">resource</span> <span class="s2">"helm_release"</span> <span class="s2">"ollama"</span> <span class="p">{</span> <span class="nx">id</span> <span class="p">=</span> <span class="s2">"ollama"</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ollama"</span> <span class="err">~</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"1.41.0"</span> <span class="nx">-</span><span class="err">&gt;</span> <span class="s2">"1.42.0"</span> <span class="c1"># (15 unchanged attributes hidden)</span> <span class="p">}</span> <span class="nx">Plan</span><span class="err">:</span> <span class="mi">0</span> <span class="nx">to</span> <span class="nx">add</span><span class="err">,</span> <span class="mi">1</span> <span class="nx">to</span> <span class="nx">change</span><span class="err">,</span> <span class="mi">0</span> <span class="nx">to</span> <span class="nx">destroy</span><span class="err">.</span> </code></pre> </div> <p>Only 1 change: chart version!<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 3. Apply</span> terraform apply </code></pre> </div> <p>Helm does rolling update, zero downtime!</p> <h4> Changing Configuration </h4> <p><strong>Scenario:</strong> Add CodeLlama model.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 1. Edit values</span> vim values/ollama-values.yaml </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">ollama</span><span class="pi">:</span> <span class="na">models</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">llama2</span> <span class="pi">-</span> <span class="s">codellama</span> <span class="c1"># ← NEW</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 2. Plan</span> terraform plan </code></pre> </div> <p><strong>Output:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code> <span class="err">~</span> <span class="nx">resource</span> <span class="s2">"helm_release"</span> <span class="s2">"ollama"</span> <span class="p">{</span> <span class="err">~</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span> <span class="err">~</span> <span class="o">&lt;&lt;-</span><span class="no">EOT</span><span class="sh"> ollama: models: - llama2 + - codellama EOT, ] } </span></code></pre> </div> <p>Terraform detects diff in YAML!<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 3. Apply</span> terraform apply </code></pre> </div> <p>Helm updates Deployment → Pod restarts → Downloads CodeLlama → Ready!</p> <h4> Rollback </h4> <p><strong>Scenario:</strong> New version broke.</p> <p><strong>Option 1: Via Terraform</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Revert commit in Git</span> git revert HEAD <span class="c"># Apply previous version</span> terraform apply </code></pre> </div> <p><strong>Option 2: Via Helm (faster)</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># View history</span> helm <span class="nb">history </span>ollama <span class="nt">-n</span> ollama <span class="c"># REVISION UPDATED STATUS CHART DESCRIPTION</span> <span class="c"># 1 Thu Feb 07 10:29:30 2025 superseded ollama-1.41.0 Install complete</span> <span class="c"># 2 Thu Feb 07 11:15:20 2025 deployed ollama-1.42.0 Upgrade complete</span> <span class="c"># Rollback</span> helm rollback ollama <span class="nt">-n</span> ollama <span class="c"># Rollback was a success! Happy Helming!</span> <span class="c"># Terraform detects on next plan</span> terraform plan <span class="c"># (will show drift, but it's not a problem)</span> </code></pre> </div> <p><strong>Best practice:</strong> Always use Terraform, but Helm is available for emergencies.</p> <h3> Comparison: Chapter 2 vs Chapter 3 </h3> <p>Let's put side by side to visualize the gain.</p> <h4> Code Required </h4> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Metric</th> <th>Ch 2 (TF + K8s)</th> <th>Ch 3 (TF + Helm)</th> <th>Reduction</th> </tr> </thead> <tbody> <tr> <td><strong>Lines of HCL</strong></td> <td>~500</td> <td>~100</td> <td>80% ↓</td> </tr> <tr> <td><strong>Lines of YAML</strong></td> <td>0</td> <td>~100</td> <td>-</td> </tr> <tr> <td><strong>Total code</strong></td> <td>500</td> <td>200</td> <td>60% ↓</td> </tr> <tr> <td><strong>Files</strong></td> <td>1 monolith</td> <td>5 organized</td> <td>-</td> </tr> </tbody> </table></div> <h4> State Management </h4> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Aspect</th> <th>Ch 2</th> <th>Ch 3</th> </tr> </thead> <tbody> <tr> <td><strong>Resources in state</strong></td> <td>50+</td> <td>5</td> </tr> <tr> <td><strong>State size</strong></td> <td>2.3 MB</td> <td>15 KB</td> </tr> <tr> <td><strong>Plan time</strong></td> <td>2 minutes</td> <td>10 seconds</td> </tr> <tr> <td><strong>Detectable drift</strong></td> <td>Partially</td> <td>Yes (via Helm)</td> </tr> </tbody> </table></div> <h4> Operations </h4> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Operation</th> <th>Ch 2</th> <th>Ch 3</th> </tr> </thead> <tbody> <tr> <td><strong>Initial deploy</strong></td> <td> <code>terraform apply</code> (5 min)</td> <td> <code>terraform apply</code> (2 min)</td> </tr> <tr> <td><strong>Version upgrade</strong></td> <td>Edit multiple blocks</td> <td>Change 1 line</td> </tr> <tr> <td><strong>Rollback</strong></td> <td> <code>git revert</code> + apply</td> <td> <code>helm rollback</code> (instant)</td> </tr> <tr> <td><strong>View status</strong></td> <td><code>terraform state list</code></td> <td><code>helm list</code></td> </tr> <tr> <td><strong>Debug</strong></td> <td> <code>kubectl</code> + state inspection</td> <td><code>helm status</code></td> </tr> </tbody> </table></div> <h4> Maintainability </h4> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Factor</th> <th>Ch 2</th> <th>Ch 3</th> </tr> </thead> <tbody> <tr> <td><strong>Learning curve</strong></td> <td>High (HCL + K8s)</td> <td>Medium (HCL + familiar YAML)</td> </tr> <tr> <td><strong>New dev onboarding</strong></td> <td>Difficult</td> <td>Reasonable</td> </tr> <tr> <td><strong>Code review</strong></td> <td>Complex (many changes)</td> <td>Simple (clear diff)</td> </tr> <tr> <td><strong>Reusability</strong></td> <td>Low</td> <td>High (public charts)</td> </tr> </tbody> </table></div> <h3> The Advantages Scale </h3> <p>Now imagine you don't have 2 applications, but 20:</p> <p><strong>Chapter 2:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>20 applications × 250 lines = 5,000 lines of HCL 20 applications × 50 resources = 1,000 resources in state terraform plan = 10+ minutes State file = 50+ MB </code></pre> </div> <p><strong>Chapter 3:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>20 applications × 15 lines = 300 lines of HCL 20 applications × 100 lines YAML = 2,000 lines (familiar) 20 releases in state terraform plan = 30 seconds State file = 300 KB </code></pre> </div> <p>The difference becomes even more dramatic at scale.</p> <h3> Chapter 3 solves 90% of Chapter 2's problems, and in many scenarios that's sufficient. </h3> <p>Terraform + Helm is the sweet spot for managing Kubernetes applications in a reproducible and versioned way.</p> <p>Recapping what we achieved:</p> <ul> <li>Total versioning — Everything in Git</li> <li>Reproducibility — terraform apply = identical environment</li> <li>Separation of responsibilities — Terraform (infra) + Helm (apps)</li> <li>Manageable state — Few tracked resources</li> <li>Possible rollbacks — Via Helm or Git</li> <li>Less code — 94% reduction vs Ch 2</li> <li>Ecosystem — Thousands of public charts</li> <li>Maintainable — Familiar YAML, minimal HCL</li> </ul> <h3> But there are still limitations: </h3> <h4> 1. Deployment is Manual </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Always needs someone executing</span> terraform apply </code></pre> </div> <p>There's no real <strong>continuous deployment</strong>. Git isn't the single source of truth, it's an input that requires manual action.</p> <h4> 2. No Continuous Reconciliation </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># If someone does this:</span> kubectl edit deployment ollama <span class="nt">-n</span> ollama <span class="c"># Terraform only detects on next plan</span> <span class="c"># Until then, there's divergence</span> </code></pre> </div> <p>There's no automatic process ensuring cluster = code.</p> <h4> 3. Limited Auditing </h4> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Who deployed version 1.42.0? git log # Shows commit # But who executed terraform apply? # There's no central record </code></pre> </div> <p>Terraform state has some information, but it's not a complete audit log.</p> <h4> 4. Approvals and Gates </h4> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>How to ensure production deployment: - Passed automated tests? - Was approved by PO/PM? - Has automatic rollback if it fails? </code></pre> </div> <p>Terraform doesn't have this built-in. You need to build custom pipelines.</p> <h4> 5. Complex Multi-Tenancy </h4> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>How to allow: - Team A to manage their apps in namespace team-a - Team B to manage their apps in namespace team-b - But both use the same cluster? - Without giving access to the entire Terraform state? </code></pre> </div> <p>Possible, but requires complex architecture.</p> <h3> What's Missing: GitOps </h3> <p><strong>GitOps principles:</strong></p> <ol> <li> <strong>Declarative</strong>: Desired state described declaratively (we have this!)</li> <li> <strong>Versioned</strong>: Everything in Git (we have this!)</li> <li> <strong>Pull-based</strong>: Cluster <strong>pulls</strong> changes from Git automatically (we don't have this)</li> <li> <strong>Continuous reconciliation</strong>: Agent ensures cluster = Git always (we don't have this)</li> </ol> <p><strong>What would change with GitOps:</strong></p> <p><strong>Without GitOps (Ch 3):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Developer → commits → Git Developer → terraform apply → Cluster (Push-based, manual) </code></pre> </div> <p><strong>With GitOps (Ch 4):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Developer → commits → Git ArgoCD (agent in cluster) → polls Git → applies changes (Pull-based, automatic) </code></pre> </div> <p><strong>Additional benefits:</strong></p> <ul> <li> <strong>Zero-touch deployment</strong>: Commit = automatic deploy</li> <li> <strong>Auto-healing</strong>: Cluster self-corrects if it diverges</li> <li> <strong>Complete audit</strong>: Each deploy is a commit</li> <li> <strong>Approvals</strong>: PR process = deployment approval</li> <li> <strong>Multi-tenancy</strong>: Each team has their repo/branch</li> </ul> <h3> Next Chapter: </h3> <p>In Chapter 4, we'll discover how Kubernetes infrastructure is managed at scale:</p> <ul> <li> <strong>ArgoCD</strong>: Real continuous deployment</li> <li> <strong>Application Sets</strong>: Deploy to multiple clusters</li> <li> <strong>Granular RBAC</strong>: Secure multi-tenancy</li> <li> <strong>Sync waves</strong>: Dependency orchestration</li> <li> <strong>Auto-sync</strong>: Git → Cluster automatic</li> <li> <strong>Automatic rollbacks</strong>: Integrated health checks</li> </ul> devops sre ai tutorial Chapter 2: Infrastructure as Code Introduction — Terraform + Kubernetes Provider George Lukas Thu, 12 Feb 2026 23:44:16 +0000 https://dev.to/glukas/chapter-2-infrastructure-as-code-5h52 https://dev.to/glukas/chapter-2-infrastructure-as-code-5h52 <p>Before diving into Terraform, we need to understand the mental shift that Infrastructure as Code (IaC) represents.</p> <h4> From Imperative to Declarative </h4> <p><strong>Imperative Approach (what we did in Chapter 1):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Step 1: Do this</span> kubectl create namespace ollama <span class="c"># Step 2: Now do that </span> kubectl create secret generic credentials... <span class="c"># Step 3: Then do this other thing</span> helm <span class="nb">install </span>ollama... <span class="c"># Like a chef giving instructions: "First heat the oven,</span> <span class="c"># then mix the ingredients, then bake for 30 minutes"</span> </code></pre> </div> <p><strong>Declarative Approach (Infrastructure as Code):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Describe the desired end state</span> <span class="nx">resource</span> <span class="s2">"kubernetes_namespace"</span> <span class="s2">"ollama"</span> <span class="p">{</span> <span class="nx">metadata</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ollama"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"helm_release"</span> <span class="s2">"ollama"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ollama"</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="nx">kubernetes_namespace</span><span class="p">.</span><span class="nx">ollama</span><span class="p">.</span><span class="nx">metadata</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">name</span> <span class="c1"># ...</span> <span class="p">}</span> <span class="c1"># Like a shopping list: "I need flour, eggs, sugar"</span> <span class="c1"># The system figures out HOW to get it</span> </code></pre> </div> <p>The difference is subtle but profound:</p> <ul> <li> <strong>Imperative</strong>: You say <strong>how</strong> to do it</li> <li> <strong>Declarative</strong>: You say <strong>what</strong> you want</li> </ul> <h4> The Three Pillars of IaC </h4> <p><strong>1. Versioning</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git log infrastructure/ <span class="c"># Complete change history</span> <span class="c"># Who changed what, when, and why</span> </code></pre> </div> <p><strong>2. Reproducibility</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone repo terraform apply <span class="c"># Identical infrastructure anywhere</span> </code></pre> </div> <p><strong>3. Auditing</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git blame main.tf <span class="c"># Each line traced to its author</span> <span class="c"># Pull requests = infrastructure review</span> </code></pre> </div> <h3> Our First Step: Terraform + Kubernetes Provider </h3> <p>Let's start with the most direct approach, using Terraform to manage Kubernetes resources directly.</p> <h4> Project Structure </h4> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>kubernetes-terraform/ ├── main.tf # Main configuration ├── variables.tf # Input variables ├── outputs.tf # Output values ├── terraform.tfvars # Variable values (don't commit!) └── .gitignore # Ignore secrets and state </code></pre> </div> <h4> Initial Configuration: Provider </h4> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># main.tf</span> <span class="nx">terraform</span> <span class="p">{</span> <span class="nx">required_version</span> <span class="p">=</span> <span class="s2">"&gt;= 1.0"</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">kubernetes</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/kubernetes"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 2.23"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">provider</span> <span class="s2">"kubernetes"</span> <span class="p">{</span> <span class="nx">config_path</span> <span class="p">=</span> <span class="s2">"~/.kube/config"</span> <span class="nx">config_context</span> <span class="p">=</span> <span class="s2">"minikube"</span> <span class="p">}</span> </code></pre> </div> <p><strong>What's happening here?</strong></p> <ol> <li> <p><strong><code>terraform</code></strong>: We declare requirements</p> <ul> <li>Minimum Terraform version</li> <li>Providers we'll use and their versions</li> </ul> </li> <li> <p><strong><code>provider "kubernetes"</code></strong>: We configure connection</p> <ul> <li> <code>config_path</code>: Where the kubeconfig is (credentials)</li> <li> <code>config_context</code>: Which cluster to use (can have multiple)</li> </ul> </li> </ol> <p>Terraform will read your <code>~/.kube/config</code> (same file that <code>kubectl</code> uses) and authenticate to the cluster.</p> <h4> Creating Namespaces: The Simplest </h4> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"kubernetes_namespace"</span> <span class="s2">"ollama"</span> <span class="p">{</span> <span class="nx">metadata</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ollama"</span> <span class="nx">labels</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">managed-by</span> <span class="p">=</span> <span class="s2">"terraform"</span> <span class="nx">app</span> <span class="p">=</span> <span class="s2">"ollama"</span> <span class="nx">env</span> <span class="p">=</span> <span class="s2">"development"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"kubernetes_namespace"</span> <span class="s2">"librechat"</span> <span class="p">{</span> <span class="nx">metadata</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"librechat"</span> <span class="nx">labels</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">managed-by</span> <span class="p">=</span> <span class="s2">"terraform"</span> <span class="nx">app</span> <span class="p">=</span> <span class="s2">"librechat"</span> <span class="nx">env</span> <span class="p">=</span> <span class="s2">"development"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Important concepts:</strong></p> <p><strong>Resource:</strong> Terraform's basic unit<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"TYPE"</span> <span class="s2">"LOCAL_NAME"</span> <span class="p">{</span> <span class="c1"># configuration</span> <span class="p">}</span> </code></pre> </div> <ul> <li> <code>TYPE</code>: Which resource to create (<code>kubernetes_namespace</code>)</li> <li> <code>LOCAL_NAME</code>: How to reference it in Terraform code</li> <li>The real resource will have <code>metadata.name</code> (in K8s)</li> </ul> <p><strong>Labels:</strong> Organizational metadata</p> <ul> <li> <code>managed-by = "terraform"</code>: Indicates who manages this resource</li> <li>Useful for filtering: <code>kubectl get ns -l managed-by=terraform</code> </li> </ul> <h4> Managing Secrets: Sensitive Variables </h4> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># variables.tf</span> <span class="nx">variable</span> <span class="s2">"jwt_secret"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"JWT secret for LibreChat"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">sensitive</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"jwt_refresh_secret"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"JWT refresh secret for LibreChat"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">sensitive</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"creds_key"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Credentials encryption key"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">sensitive</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"creds_iv"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Credentials initialization vector"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">sensitive</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># main.tf</span> <span class="nx">resource</span> <span class="s2">"kubernetes_secret"</span> <span class="s2">"librechat_credentials"</span> <span class="p">{</span> <span class="nx">metadata</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"librechat-credentials-env"</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="nx">kubernetes_namespace</span><span class="p">.</span><span class="nx">librechat</span><span class="p">.</span><span class="nx">metadata</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">name</span> <span class="p">}</span> <span class="nx">data</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">JWT_SECRET</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">jwt_secret</span> <span class="nx">JWT_REFRESH_SECRET</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">jwt_refresh_secret</span> <span class="nx">CREDS_KEY</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">creds_key</span> <span class="nx">CREDS_IV</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">creds_iv</span> <span class="nx">MONGO_URI</span> <span class="p">=</span> <span class="s2">"mongodb://librechat-mongodb:27017/LibreChat"</span> <span class="nx">MEILI_HOST</span> <span class="p">=</span> <span class="s2">"http://librechat-meilisearch:7700"</span> <span class="nx">OLLAMA_BASE_URL</span> <span class="p">=</span> <span class="s2">"http://ollama.ollama.svc.cluster.local:11434"</span> <span class="p">}</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"Opaque"</span> <span class="p">}</span> </code></pre> </div> <p><strong>Security patterns:</strong></p> <ol> <li> <strong>Sensitive variables</strong>: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code> <span class="nx">sensitive</span> <span class="err">=</span> <span class="kc">true</span> <span class="c1"># Terraform won't show values in logs</span> </code></pre> </div> <ol> <li> <strong>Separate file</strong> (<code>terraform.tfvars</code>): </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code> <span class="nx">jwt_secret</span> <span class="err">=</span> <span class="s2">"abc123..."</span> <span class="nx">jwt_refresh_secret</span> <span class="err">=</span> <span class="s2">"def456..."</span> <span class="nx">creds_key</span> <span class="err">=</span> <span class="s2">"ghi789..."</span> <span class="nx">creds_iv</span> <span class="err">=</span> <span class="s2">"jkl012..."</span> </code></pre> </div> <p><strong>CRITICAL:</strong> Add to <code>.gitignore</code>!</p> <ol> <li> <strong>Dynamic references</strong>: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code> <span class="nx">namespace</span> <span class="err">=</span> <span class="nx">kubernetes_namespace</span><span class="err">.</span><span class="nx">librechat</span><span class="err">.</span><span class="nx">metadata</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span><span class="err">.</span><span class="nx">name</span> <span class="c1"># Terraform creates the namespace FIRST, then uses the name</span> <span class="c1"># Automatic dependency tracking!</span> </code></pre> </div> <h4> ConfigMaps: Versioned Configuration </h4> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"kubernetes_config_map"</span> <span class="s2">"librechat_config"</span> <span class="p">{</span> <span class="nx">metadata</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"librechat-config"</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="nx">kubernetes_namespace</span><span class="p">.</span><span class="nx">librechat</span><span class="p">.</span><span class="nx">metadata</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">name</span> <span class="p">}</span> <span class="nx">data</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"librechat.yaml"</span> <span class="p">=</span> <span class="o">&lt;&lt;-</span><span class="no">EOT</span><span class="sh"> version: 1.1.5 cache: true endpoints: custom: - name: "Ollama" apiKey: "ollama" baseURL: "http://ollama.ollama.svc.cluster.local:11434/v1" models: default: - "llama2:latest" fetch: true titleConvo: true titleModel: "llama2:latest" summarize: false forcePrompt: false modelDisplayLabel: "Ollama" addParams: temperature: 0.7 max_tokens: 2000 </span><span class="no"> EOT </span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Heredoc syntax</strong> (<code>&lt;&lt;-EOT ... EOT</code>):</p> <ul> <li>Allows multi-line strings</li> <li>Automatic indentation</li> <li>Perfect for YAML inside HCL</li> </ul> <p><strong>Advantage over manual:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Before:</span> kubectl create configmap librechat-config <span class="nt">--from-file</span><span class="o">=</span>config.yaml <span class="c"># Now:</span> git diff librechat_config.tf <span class="c"># See exactly what changed in the configuration</span> </code></pre> </div> <h4> The Terraform Workflow </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 1. Initialize (first time)</span> terraform init <span class="c"># Downloads providers, prepares backend</span> <span class="c"># 2. Validate syntax</span> terraform validate <span class="c"># Checks if HCL is correct</span> <span class="c"># 3. Format code</span> terraform <span class="nb">fmt</span> <span class="c"># Standardizes formatting</span> <span class="c"># 4. Plan changes</span> terraform plan <span class="c"># Preview what will happen</span> <span class="c"># 5. Apply changes</span> terraform apply <span class="c"># Creates/updates resources</span> <span class="c"># 6. View current state</span> terraform state list <span class="c"># Lists all managed resources</span> </code></pre> </div> <p><strong>What <code>terraform plan</code> shows:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">Terraform</span> <span class="nx">will</span> <span class="nx">perform</span> <span class="nx">the</span> <span class="nx">following</span> <span class="nx">actions</span><span class="err">:</span> <span class="c1"># kubernetes_namespace.ollama will be created</span> <span class="err">+</span> <span class="nx">resource</span> <span class="s2">"kubernetes_namespace"</span> <span class="s2">"ollama"</span> <span class="p">{</span> <span class="err">+</span> <span class="nx">id</span> <span class="p">=</span> <span class="p">(</span><span class="nx">known</span> <span class="nx">after</span> <span class="nx">apply</span><span class="p">)</span> <span class="err">+</span> <span class="nx">metadata</span> <span class="p">{</span> <span class="err">+</span> <span class="nx">generation</span> <span class="p">=</span> <span class="p">(</span><span class="nx">known</span> <span class="nx">after</span> <span class="nx">apply</span><span class="p">)</span> <span class="err">+</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ollama"</span> <span class="err">+</span> <span class="nx">labels</span> <span class="p">=</span> <span class="p">{</span> <span class="err">+</span> <span class="s2">"app"</span> <span class="p">=</span> <span class="s2">"ollama"</span> <span class="err">+</span> <span class="s2">"env"</span> <span class="p">=</span> <span class="s2">"development"</span> <span class="err">+</span> <span class="s2">"managed-by"</span> <span class="p">=</span> <span class="s2">"terraform"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># kubernetes_secret.librechat_credentials will be created</span> <span class="err">+</span> <span class="nx">resource</span> <span class="s2">"kubernetes_secret"</span> <span class="s2">"librechat_credentials"</span> <span class="p">{</span> <span class="err">+</span> <span class="nx">data</span> <span class="p">=</span> <span class="p">(</span><span class="nx">sensitive</span> <span class="nx">value</span><span class="p">)</span> <span class="err">+</span> <span class="nx">id</span> <span class="p">=</span> <span class="p">(</span><span class="nx">known</span> <span class="nx">after</span> <span class="nx">apply</span><span class="p">)</span> <span class="err">+</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"Opaque"</span> <span class="p">}</span> <span class="nx">Plan</span><span class="err">:</span> <span class="mi">2</span> <span class="nx">to</span> <span class="nx">add</span><span class="err">,</span> <span class="mi">0</span> <span class="nx">to</span> <span class="nx">change</span><span class="err">,</span> <span class="mi">0</span> <span class="nx">to</span> <span class="nx">destroy</span><span class="err">.</span> </code></pre> </div> <p><strong>Key points:</strong></p> <ul> <li> <code>+</code> = Will be created</li> <li> <code>~</code> = Will be updated</li> <li> <code>-</code> = Will be destroyed</li> <li> <code>(sensitive value)</code> = Hidden for security</li> <li> <code>(known after apply)</code> = Terraform doesn't know yet (will be generated)</li> </ul> <h4> Deploying a Complete Application </h4> <p>Here's where things get... verbose.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"kubernetes_deployment"</span> <span class="s2">"ollama"</span> <span class="p">{</span> <span class="nx">metadata</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ollama"</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="nx">kubernetes_namespace</span><span class="p">.</span><span class="nx">ollama</span><span class="p">.</span><span class="nx">metadata</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">name</span> <span class="nx">labels</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">app</span> <span class="p">=</span> <span class="s2">"ollama"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">spec</span> <span class="p">{</span> <span class="nx">replicas</span> <span class="p">=</span> <span class="mi">1</span> <span class="nx">selector</span> <span class="p">{</span> <span class="nx">match_labels</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">app</span> <span class="p">=</span> <span class="s2">"ollama"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">template</span> <span class="p">{</span> <span class="nx">metadata</span> <span class="p">{</span> <span class="nx">labels</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">app</span> <span class="p">=</span> <span class="s2">"ollama"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">spec</span> <span class="p">{</span> <span class="nx">container</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ollama"</span> <span class="nx">image</span> <span class="p">=</span> <span class="s2">"ollama/ollama:latest"</span> <span class="nx">port</span> <span class="p">{</span> <span class="nx">container_port</span> <span class="p">=</span> <span class="mi">11434</span> <span class="p">}</span> <span class="nx">volume_mount</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ollama-data"</span> <span class="nx">mount_path</span> <span class="p">=</span> <span class="s2">"/root/.ollama"</span> <span class="p">}</span> <span class="nx">resources</span> <span class="p">{</span> <span class="nx">limits</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"nvidia.com/gpu"</span> <span class="p">=</span> <span class="s2">"1"</span> <span class="p">}</span> <span class="nx">requests</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cpu</span> <span class="p">=</span> <span class="s2">"1"</span> <span class="nx">memory</span> <span class="p">=</span> <span class="s2">"4Gi"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">env</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"OLLAMA_HOST"</span> <span class="nx">value</span> <span class="p">=</span> <span class="s2">"0.0.0.0"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">volume</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ollama-data"</span> <span class="nx">persistent_volume_claim</span> <span class="p">{</span> <span class="nx">claim_name</span> <span class="p">=</span> <span class="nx">kubernetes_persistent_volume_claim</span><span class="p">.</span><span class="nx">ollama_data</span><span class="p">.</span><span class="nx">metadata</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">name</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"kubernetes_persistent_volume_claim"</span> <span class="s2">"ollama_data"</span> <span class="p">{</span> <span class="nx">metadata</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ollama-data"</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="nx">kubernetes_namespace</span><span class="p">.</span><span class="nx">ollama</span><span class="p">.</span><span class="nx">metadata</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">name</span> <span class="p">}</span> <span class="nx">spec</span> <span class="p">{</span> <span class="nx">access_modes</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"ReadWriteOnce"</span><span class="p">]</span> <span class="nx">resources</span> <span class="p">{</span> <span class="nx">requests</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">storage</span> <span class="p">=</span> <span class="s2">"10Gi"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"kubernetes_service"</span> <span class="s2">"ollama"</span> <span class="p">{</span> <span class="nx">metadata</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ollama"</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="nx">kubernetes_namespace</span><span class="p">.</span><span class="nx">ollama</span><span class="p">.</span><span class="nx">metadata</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">name</span> <span class="p">}</span> <span class="nx">spec</span> <span class="p">{</span> <span class="nx">selector</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">app</span> <span class="p">=</span> <span class="s2">"ollama"</span> <span class="p">}</span> <span class="nx">port</span> <span class="p">{</span> <span class="nx">port</span> <span class="p">=</span> <span class="mi">11434</span> <span class="nx">target_port</span> <span class="p">=</span> <span class="mi">11434</span> <span class="p">}</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"ClusterIP"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"kubernetes_ingress_v1"</span> <span class="s2">"ollama"</span> <span class="p">{</span> <span class="nx">metadata</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ollama-ingress"</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="nx">kubernetes_namespace</span><span class="p">.</span><span class="nx">ollama</span><span class="p">.</span><span class="nx">metadata</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">name</span> <span class="nx">annotations</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"nginx.ingress.kubernetes.io/rewrite-target"</span> <span class="p">=</span> <span class="s2">"/"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">spec</span> <span class="p">{</span> <span class="nx">ingress_class_name</span> <span class="p">=</span> <span class="s2">"nginx"</span> <span class="nx">rule</span> <span class="p">{</span> <span class="nx">host</span> <span class="p">=</span> <span class="s2">"ollama.glukas.space"</span> <span class="nx">http</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"/"</span> <span class="nx">path_type</span> <span class="p">=</span> <span class="s2">"Prefix"</span> <span class="nx">backend</span> <span class="p">{</span> <span class="nx">service</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">kubernetes_service</span><span class="p">.</span><span class="nx">ollama</span><span class="p">.</span><span class="nx">metadata</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">name</span> <span class="nx">port</span> <span class="p">{</span> <span class="nx">number</span> <span class="p">=</span> <span class="mi">11434</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>That's 160+ lines for ONE application!</strong></p> <p><strong>Compare:</strong></p> <ul> <li>Helm (Chapter 1): <strong>1 command</strong> + ~10 lines of values.yaml</li> <li>kubectl manual: ~200 lines of YAML</li> <li>Terraform + K8s Provider: ~160 lines of HCL</li> </ul> <p>Terraform <strong>didn't</strong> win much in simplicity here.</p> <h3> The Problems Emerge: </h3> <p>Now comes the crucial part—the problems that only appear when you try to use this for real.</p> <h4> Problem 1: State Explosion </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform apply <span class="c"># Creates resources...</span> terraform state list </code></pre> </div> <p><strong>Output:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>kubernetes_namespace.ollama kubernetes_persistent_volume_claim.ollama_data kubernetes_deployment.ollama kubernetes_replica_set.ollama-5d9c8f7b6d # Created automatically kubernetes_pod.ollama-5d9c8f7b6d-xk2j9 # Created by ReplicaSet kubernetes_service.ollama kubernetes_endpoints.ollama # Created by Service kubernetes_endpoint_slice.ollama-xxxxx # Created by Service kubernetes_ingress_v1.ollama </code></pre> </div> <p><strong>The problem:</strong></p> <p>Kubernetes creates resources automatically:</p> <ul> <li> <strong>Deployment</strong> → creates <strong>ReplicaSet</strong> </li> <li> <strong>ReplicaSet</strong> → creates <strong>Pods</strong> </li> <li> <strong>Service</strong> → creates <strong>Endpoints</strong> and <strong>EndpointSlices</strong> </li> </ul> <p>Terraform <strong>tracks all of them</strong> in state, even though you didn't declare them explicitly.</p> <p><strong>Consequences:</strong></p> <ol> <li> <strong>Giant state file</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nb">ls</span> <span class="nt">-lh</span> terraform.tfstate <span class="c"># 2.3MB for just 2 applications</span> </code></pre> </div> <ol> <li> <strong>Slow plans</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> terraform plan <span class="c"># Needs to query state of hundreds of resources</span> <span class="c"># Takes 30+ seconds</span> </code></pre> </div> <ol> <li> <strong>Fragility</strong> <ul> <li>If a Pod dies and gets recreated, state becomes inconsistent</li> <li> <code>terraform refresh</code> tries to sync, but it's expensive</li> </ul> </li> </ol> <h4> Problem 2: Inevitable Drift </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Deployed with 1 replica</span> terraform apply <span class="c"># User scales manually (common in production)</span> kubectl scale deployment ollama <span class="nt">--replicas</span><span class="o">=</span>3 <span class="c"># Terraform doesn't detect it!</span> terraform plan <span class="c"># Output: No changes. Infrastructure is up-to-date.</span> <span class="c"># But kubectl shows 3 Pods running</span> kubectl get pods <span class="nt">-n</span> ollama <span class="c"># ollama-xxx-aaa</span> <span class="c"># ollama-xxx-bbb</span> <span class="c"># ollama-xxx-ccc</span> </code></pre> </div> <p><strong>Why does this happen?</strong></p> <p>Terraform compares:</p> <ul> <li> <strong>State file</strong> (snapshot of what was created)</li> <li> <strong>Code</strong> (desired state)</li> </ul> <p>Changes made directly with <code>kubectl</code> aren't reflected in the state file immediately. Only when you run <code>terraform refresh</code> or <code>terraform apply</code>.</p> <p><strong>In dynamic environments:</strong></p> <ul> <li>HPAs (Horizontal Pod Autoscalers) change replicas</li> <li>Teams do hotfixes via kubectl</li> <li>CI/CD pipelines update deployments</li> </ul> <p>Terraform is constantly outdated.</p> <h4> Problem 3: No Natural Rollback </h4> <p><strong>With Helm:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Current version works</span> helm list <span class="c"># ollama 1 deployed</span> <span class="c"># Deploy new version</span> helm upgrade ollama ollama-helm/ollama <span class="nt">-f</span> new-values.yaml <span class="c"># ollama 2 deployed</span> <span class="c"># New version broke!</span> helm rollback ollama <span class="c"># ollama 3 deployed (back to rev 1 state)</span> </code></pre> </div> <p>Helm maintains release history. Rollback is instantaneous.</p> <p><strong>With Terraform:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Initial deploy</span> terraform apply <span class="c"># Change in code</span> vim main.tf terraform apply <span class="c"># It broke! How to go back?</span> <span class="c"># Option 1: Git revert</span> git revert HEAD terraform apply <span class="c"># Can take minutes to recreate resources</span> <span class="c"># Option 2: State manipulation (dangerous)</span> terraform state <span class="nb">rm</span> ... terraform import ... <span class="c"># Risky and manual</span> </code></pre> </div> <p>There's no native concept of "release" or "revision".</p> <h4> Problem 4: Complex Lifecycle </h4> <p>Kubernetes has resources that <strong>manage</strong> other resources:</p> <ul> <li> <strong>Deployment</strong> manages <strong>ReplicaSets</strong> </li> <li> <strong>ReplicaSet</strong> manages <strong>Pods</strong> </li> <li> <strong>Service</strong> manages <strong>Endpoints</strong> </li> </ul> <p>Terraform wasn't designed for this. It expects to manage resources <strong>directly</strong>, not via controllers.</p> <p><strong>Practical example:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"kubernetes_deployment"</span> <span class="s2">"ollama"</span> <span class="p">{</span> <span class="nx">spec</span> <span class="p">{</span> <span class="nx">replicas</span> <span class="p">=</span> <span class="mi">2</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Terraform creates:</span> <span class="c1"># 1. Deployment</span> <span class="c1"># 2. ReplicaSet (created by Deployment controller)</span> <span class="c1"># 3. Pods (created by ReplicaSet controller)</span> <span class="c1"># If you delete the Deployment:</span> <span class="nx">terraform</span> <span class="nx">destroy</span> <span class="nx">-target</span> <span class="nx">kubernetes_deployment</span><span class="err">.</span><span class="nx">ollama</span> <span class="c1"># Pods die BEFORE the Deployment is deleted</span> <span class="c1"># Destruction order is hard to control</span> </code></pre> </div> <h4> Problem 5: In-Place Updates vs Replacements </h4> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Simple change: update image</span> <span class="nx">resource</span> <span class="s2">"kubernetes_deployment"</span> <span class="s2">"ollama"</span> <span class="p">{</span> <span class="nx">spec</span> <span class="p">{</span> <span class="nx">template</span> <span class="p">{</span> <span class="nx">spec</span> <span class="p">{</span> <span class="nx">container</span> <span class="p">{</span> <span class="nx">image</span> <span class="p">=</span> <span class="s2">"ollama/ollama:v0.1.21"</span> <span class="c1"># was v0.1.20</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform plan </code></pre> </div> <p><strong>Expected output:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>~ kubernetes_deployment.ollama will be updated in-place </code></pre> </div> <p><strong>Actual output:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>-/+ kubernetes_deployment.ollama must be replaced </code></pre> </div> <p>Terraform sometimes decides resources need to be <strong>recreated</strong> instead of <strong>updated</strong>, causing unnecessary downtime.</p> <h3> When to Use Each Approach </h3> <h4> Comparison Table </h4> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Aspect</th> <th>kubectl Manual</th> <th>Terraform + K8s</th> <th>Helm</th> <th>Verdict</th> </tr> </thead> <tbody> <tr> <td><strong>Initial setup</strong></td> <td>Instant</td> <td>Configuration</td> <td>1 command</td> <td>Helm wins</td> </tr> <tr> <td><strong>Versioning</strong></td> <td>None</td> <td>Git</td> <td>Via Git</td> <td>Terraform/Helm</td> </tr> <tr> <td><strong>Reproducibility</strong></td> <td>Low</td> <td>High</td> <td>High</td> <td>Terraform/Helm</td> </tr> <tr> <td><strong>Rollback</strong></td> <td>Manual</td> <td>Via Git</td> <td>Native</td> <td>Helm wins</td> </tr> <tr> <td><strong>State management</strong></td> <td>N/A</td> <td>Complex</td> <td>Simple</td> <td>Helm wins</td> </tr> <tr> <td><strong>Drift detection</strong></td> <td>None</td> <td>Limited</td> <td>Good</td> <td>Helm wins</td> </tr> <tr> <td><strong>Apply time</strong></td> <td>Fast</td> <td>Slow</td> <td>Fast</td> <td>kubectl/Helm</td> </tr> <tr> <td><strong>Learning curve</strong></td> <td>Medium</td> <td>High</td> <td>Medium</td> <td>kubectl/Helm</td> </tr> </tbody> </table></div> <h4> When Terraform + K8s Provider Makes Sense </h4> <p><strong>Use for:</strong></p> <ol> <li> <strong>Base infrastructure resources:</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code> <span class="c1"># Namespaces</span> <span class="nx">resource</span> <span class="s2">"kubernetes_namespace"</span> <span class="s2">"team_apps"</span> <span class="p">{</span> <span class="p">}</span> <span class="c1"># RBAC</span> <span class="nx">resource</span> <span class="s2">"kubernetes_role"</span> <span class="s2">"developer"</span> <span class="p">{</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"kubernetes_role_binding"</span> <span class="s2">"dev_binding"</span> <span class="p">{</span> <span class="p">}</span> <span class="c1"># Storage Classes</span> <span class="nx">resource</span> <span class="s2">"kubernetes_storage_class"</span> <span class="s2">"fast_ssd"</span> <span class="p">{</span> <span class="p">}</span> </code></pre> </div> <ol> <li> <p><strong>Resources that rarely change:</strong></p> <ul> <li>Network Policies</li> <li>Resource Quotas</li> <li>Limit Ranges</li> <li>Priority Classes</li> </ul> </li> <li><p><strong>Integration with other providers:</strong><br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code> <span class="c1"># Create AWS infra and configure K8s in one go</span> <span class="nx">resource</span> <span class="s2">"aws_eks_cluster"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"kubernetes_namespace"</span> <span class="s2">"app"</span> <span class="p">{</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_eks_cluster</span><span class="p">.</span><span class="nx">main</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p><strong>Avoid for:</strong></p> <ol> <li> <strong>Complete applications</strong> (use Helm)</li> <li> <strong>Frequently changing resources</strong> (use GitOps)</li> <li> <strong>Multiple interdependent components</strong> (use Helm charts)</li> <li> <strong>When an official chart already exists</strong> (don't reinvent)</li> </ol> <h3> Conclusion of Chapter 2: The Middle Ground Exists </h3> <p>Terraform + Kubernetes Provider isn't a bad approach—it's an <strong>incomplete</strong> approach.</p> <p><strong>What we learned:</strong></p> <p><strong>Terraform is excellent for:</strong></p> <ul> <li>Versioning and auditing</li> <li>Guaranteed reproducibility</li> <li>Multi-cloud integration</li> <li>Base resource management</li> </ul> <p><strong>Terraform is problematic for:</strong></p> <ul> <li>Complex deployments (too verbose)</li> <li>Resources managed by controllers (state explosion)</li> <li>Frequently changing applications (drift)</li> <li>Rollbacks and lifecycle management</li> </ul> <p><strong>The natural question emerges:</strong></p> <blockquote> <p>"Is there a way to combine the best of both worlds?<br><br> Terraform's versioning + Helm's simplicity?"</p> </blockquote> <p><strong>Answer:</strong> YES!</p> <p>And that's exactly what we'll explore in Chapter 3.</p> <h3> Next Chapter: A Better Abstraction </h3> <p>In Chapter 3, we'll discover that Terraform <strong>can</strong> manage Helm releases. Instead of describing each Kubernetes resource manually, we'll treat Helm charts as "deployable units" and use Terraform only to orchestrate.</p> <p><strong>Continue to:</strong><br><br> <a href="https://dev.to/glukas/chapter-3-terraform-helm-a-better-abstraction-5dka">Chapter 3: A Better Abstraction — Managing LLM Apps with Terraform + Helm →</a></p> <h3> Additional Resources </h3> <p><strong>To dive deeper into Terraform:</strong></p> <ul> <li> <a href="https://www.terraformupandrunning.com/" rel="noopener noreferrer">Terraform: Up &amp; Running</a> — The definitive book</li> <li> <a href="https://www.terraform-best-practices.com/" rel="noopener noreferrer">Terraform Best Practices</a> — Community patterns</li> <li> <a href="https://learn.hashicorp.com/terraform" rel="noopener noreferrer">HashiCorp Learn</a> — Official tutorials</li> </ul> <p><strong>To better understand Kubernetes:</strong></p> <ul> <li> <a href="https://k8spatterns.io/" rel="noopener noreferrer">Kubernetes Patterns</a> — Design patterns</li> <li> <a href="https://kubernetes.io/docs/concepts/architecture/controller/" rel="noopener noreferrer">Controllers and Operators</a> — How K8s works internally</li> </ul> devops sre ai tutorial Chapter 1: Kubernetes — Operational Fundamentals George Lukas Fri, 06 Feb 2026 22:51:25 +0000 https://dev.to/glukas/self-hosting-de-llms-controle-sobre-dados-e-infraestrutura-4cdo https://dev.to/glukas/self-hosting-de-llms-controle-sobre-dados-e-infraestrutura-4cdo <p>You've probably had this thought: <em>"What if I could run my own AI, without depending on external APIs, without token limits, without privacy concerns?"</em></p> <p>You're not alone. We're living in a historic moment where running cutting-edge language models is no longer the exclusive privilege of tech giants. With a reasonable NVIDIA GPU and the right tools, you can have your own AI infrastructure, complete, private, under your total control.</p> <h3> Why Self-Hosting LLMs Matters </h3> <p><strong>Real Privacy, Not Just Expectations</strong><br><br> Your confidential data, strategic conversations, proprietary code—everything stays on your infrastructure. No logs on third-party servers, no training models with your information, no terms of service that change overnight.</p> <p><strong>Predictable Cost vs. API Uncertainty</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Public API: $20/month base + $0.002/1k tokens = ??? (how much did that project that exploded cost again?) Self-hosted: GPU cloud: $0.50/hour = $360/month fixed (or own hardware: one-time cost) </code></pre> </div> <p><strong>Unlimited Experimentation</strong><br><br> Want to test 47 prompt variations? Do fine-tuning with proprietary datasets? Run exhaustive benchmarks? With your infrastructure, you're not burning credits or hitting rate limits—you're using resources that are already yours.</p> <p><strong>Customized and Specialized Models</strong><br><br> The real magic happens when you go beyond generic models. Fine-tuning for your specific domain, custom embeddings, specialized agents—all of this requires total control over the stack.</p> <h3> Your journey begins... </h3> <p>You download Ollama, run <code>docker run</code>, pull the <code>llama3:latest</code> model, and boom—you're chatting with an AI running on your hardware. Magical.</p> <p>Then the questions start:</p> <ul> <li><em>"How do I put a nice web interface on this?"</em></li> <li><em>"What if I want multiple models with different contexts?"</em></li> <li><em>"How do I backup conversations?"</em></li> <li><em>"What if I want to add semantic search?"</em></li> <li><em>"How do I make this accessible to my team without exposing it to the world?"</em></li> <li><em>"What happens if my machine reboots?"</em></li> </ul> <p>Suddenly, you're no longer playing with Docker—you're building <strong>distributed infrastructure</strong>.</p> <h3> The Gap Between "Works on My Machine" and "Production System" </h3> <p>This is the moment where many get stuck with fragile solutions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># The solution that works... until it doesn't:</span> <span class="nv">$ </span>docker run <span class="nt">-d</span> ollama <span class="nv">$ </span>docker run <span class="nt">-d</span> mongodb <span class="nv">$ </span>docker run <span class="nt">-d</span> librechat <span class="c"># (Ctrl+C to exit)</span> <span class="c"># (Machine reboots)</span> <span class="c"># (Everything dies)</span> <span class="c"># (You don't remember the exact commands)</span> <span class="c"># (Configurations are lost)</span> </code></pre> </div> <p><strong>You need:</strong></p> <ul> <li>Orchestration of multiple interdependent services</li> <li>Guaranteed data persistence</li> <li>Automatic service discovery</li> <li>Intelligent traffic routing</li> <li>Secrets and configuration management</li> <li>High availability and self-recovery</li> <li>Scalability when growing</li> </ul> <p>In other words: <strong>you need Kubernetes</strong>.</p> <h3> From Self-Hosting to Enterprise Infrastructure </h3> <p>This guide was born exactly from this need. It started with the simple desire to run Ollama + LibreChat locally, and evolved into a complete exploration of how to build modern infrastructure that:</p> <ul> <li>Survives reboots</li> <li>Can be recreated from scratch in minutes</li> <li>Has versioning and change auditing</li> <li>Scales from a laptop to dozens of servers</li> <li>Follows the same standards that large companies use</li> </ul> <p><strong>What you'll build:</strong></p> <p>A complete self-hosted AI stack with:</p> <ul> <li> <strong>Ollama</strong> — Your AI models running with GPU acceleration</li> <li> <strong>LibreChat</strong> — Elegant ChatGPT-style interface</li> <li> <strong>MongoDB</strong> — Persistence of conversations and contexts</li> <li> <strong>MeiliSearch</strong> — Semantic search</li> <li> <strong>NGINX Ingress</strong> — Secure and professional access</li> </ul> <p><strong>What you'll learn:</strong></p> <p>Much more than just "making it work". You'll understand the complete evolution of modern infrastructure:</p> <ol> <li> <strong>Chapter 1: Kubernetes — Operational Fundamentals</strong>: Configure everything by hand to understand concepts</li> <li> <strong>Chapter 2: Terraform + Kubernetes Provider — Infrastructure as Code</strong>: Automate with Infrastructure as Code</li> <li> <strong>Chapter 3: Terraform + Helm — A Better Abstraction</strong>: Correct abstractions emerge</li> <li> <strong>Chapter 4: GitOps with Terraform + ArgoCD — A LLM Self-Hosting Product Infrastructure</strong>: Enterprise patterns that scale</li> </ol> <h3> Motivation </h3> <p>Self-hosting isn't just about saving money or having privacy. It's about <strong>technological autonomy</strong>.</p> <p>When you master the complete stack—from the AI model to the infrastructure that supports it—you're no longer dependent on:</p> <ul> <li>Companies that can suddenly shut down APIs</li> <li>Unilateral price changes</li> <li>Arbitrary usage restrictions</li> <li>Latencies from distant datacenters</li> </ul> <p>You have <strong>real control</strong> over one of the most transformative technologies of our era.</p> <p>And the best part? The skills you'll develop managing infrastructure for LLMs are exactly the same ones needed to manage any modern distributed system. You're learning Kubernetes through a real use case.</p> <h2> Part I: Fundamentals — Understanding the Ecosystem </h2> <h3> What Are We Building? </h3> <p>Throughout this journey, we'll deploy a complete and real stack:</p> <p><strong>Ollama</strong> — AI model backend with NVIDIA GPU acceleration<br><br> A stateful application that needs specialized resources (GPU) and careful configuration.</p> <p><strong>LibreChat</strong> — Modern web interface for interacting with LLMs<br><br> Frontend application that communicates with multiple backends.</p> <p><strong>MongoDB</strong> — NoSQL database<br><br> Persistent storage with backup and recovery requirements.</p> <p><strong>MeiliSearch</strong> — Search engine<br><br> Indexes that need to be maintained and synchronized.</p> <p><strong>NGINX Ingress</strong> — Intelligent traffic routing<br><br> Gateway for all HTTP/HTTPS traffic.</p> <h3> Technology Stack: </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Foundation</span> <span class="na">Kubernetes</span><span class="pi">:</span> <span class="s">1.28+</span> <span class="s">└─ Minikube</span><span class="err">:</span> <span class="s">Local cluster for development</span> <span class="s">└─ Docker</span><span class="err">:</span> <span class="s">Container runtime</span> <span class="s">└─ NVIDIA Container Toolkit</span><span class="err">:</span> <span class="s">Bridge to GPUs</span> <span class="c1"># Management</span> <span class="na">kubectl</span><span class="pi">:</span> <span class="s">Official Kubernetes CLI</span> <span class="na">Helm</span><span class="pi">:</span> <span class="s">Package manager (think npm/apt for K8s)</span> <span class="na">Terraform</span><span class="pi">:</span> <span class="s">Infrastructure as Code (comes in chapters 2-4)</span> <span class="na">ArgoCD</span><span class="pi">:</span> <span class="s">GitOps operator (chapter 4)</span> <span class="c1"># Applications</span> <span class="na">Ollama</span><span class="pi">:</span> <span class="s">ollama/ollama (with GPU)</span> <span class="na">LibreChat</span><span class="pi">:</span> <span class="s">ghcr.io/danny-avila/librechat</span> <span class="na">MongoDB</span><span class="pi">:</span> <span class="s">bitnami/mongodb</span> <span class="na">MeiliSearch</span><span class="pi">:</span> <span class="s">getmeili/meilisearch</span> </code></pre> </div> <p>Each tool here has a specific purpose, and throughout the journey you'll understand exactly when and why to use each one.</p> <h2> Chapter 1: Kubernetes "By Hand" — Learning Through Direct Experience </h2> <p>It may seem counterproductive to start doing everything manually when the final goal is total automation. But there's method to this apparent madness:</p> <ol> <li> <strong>Solid conceptual foundation</strong> — You need to understand Pods, Services, Ingress, internal DNS</li> <li> <strong>Effective debugging</strong> — When something breaks in production (and it will), you need to know what to look for</li> <li> <strong>Appreciation of abstractions</strong> — You only value Helm/Terraform after writing YAML manually</li> <li> <strong>Knowledge of conventions</strong> — Each tool has its idiosyncrasies</li> </ol> <h3> Preparing the Environment: Your Local Cluster </h3> <p>First, let's create a safe playground—a Kubernetes cluster running locally on your machine.</p> <h4> Minikube Installation </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Arch Linux (adjust for your distro)</span> pacman <span class="nt">-S</span> minikube nvidia-container-toolkit libnvidia-container helm ollama terraform <span class="c"># Start cluster with GPU Support</span> minikube start <span class="se">\</span> <span class="nt">--driver</span> docker <span class="se">\</span> <span class="nt">--container-runtime</span> docker <span class="se">\</span> <span class="nt">--gpus</span> all <span class="se">\</span> <span class="nt">--memory</span> 8192 <span class="se">\</span> <span class="nt">--cpus</span> 4 </code></pre> </div> <p><strong>What's happening here?</strong></p> <p>When you execute <code>minikube start</code>, a sequence of events is triggered:</p> <ol> <li> <strong>Node creation</strong>: Minikube creates a Docker container that acts as your cluster's "server"</li> <li> <strong>Kubernetes installation</strong>: Inside this container, K8s core components are installed: <ul> <li> <code>kube-apiserver</code> — The brain, receives all requests</li> <li> <code>etcd</code> — Distributed database that stores state</li> <li> <code>kube-scheduler</code> — Decides which node each Pod will run on</li> <li> <code>kube-controller-manager</code> — Ensures current state = desired state</li> <li> <code>kubelet</code> — Agent running on each node, manages containers</li> </ul> </li> <li> <strong>Container runtime</strong>: Docker is configured as the runtime (who actually runs the containers)</li> <li> <strong>GPU exposure</strong>: <code>--gpus all</code> maps the host's GPUs into the cluster</li> </ol> <p>The result? A real Kubernetes cluster, running completely on your machine, isolated and safe for experimentation.</p> <h4> Enabling the Ingress Controller </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Activate NGINX Ingress addon</span> minikube addons <span class="nb">enable </span>ingress <span class="c"># Verify</span> minikube kubectl <span class="nt">--</span> get pods <span class="nt">-n</span> ingress-nginx </code></pre> </div> <p><strong>What is Ingress?</strong></p> <p>Think of Ingress as the "smart front door" of your cluster. Instead of each service having its own external IP, Ingress acts as a reverse proxy that:</p> <ul> <li>Routes traffic based on hostnames and paths</li> <li>Handles SSL/TLS termination</li> <li>Provides load balancing</li> <li>Implements rate limiting and authentication</li> </ul> <p>Without Ingress:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>User → NodePort :30080 → Pod1 User → NodePort :30081 → Pod2 User → NodePort :30082 → Pod3 </code></pre> </div> <p>You would need to remember each port for application.</p> <p>With Ingress:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>User → http://app1.company.com → Ingress → Pod1 User → http://app2.company.com → Ingress → Pod2 User → http://app3.company.com → Ingress → Pod3 </code></pre> </div> <p>You have intuitive hostnames.</p> <h3> Part II: Deploying the Stack </h3> <p>Now we'll deploy our applications. We'll start with Ollama (the AI backend) and then add LibreChat (the interface).</p> <h4> 1. Installing Ollama with GPU Support </h4> <p><strong>Creating the namespace:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>minikube kubectl <span class="nt">--</span> create ns ollama </code></pre> </div> <p>Namespaces are logical separations within the cluster. Think of them as "folders" for organizing resources.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>cluster/ ├── default/ # Defalt Namespace, avoid using ├── kube-system/ # K8s core components ├── kube-public/ # Public resources ├── ollama/ # Ollama └── librechat/ # Librechat </code></pre> </div> <p>This keeps Ollama isolated from other applications.</p> <p><strong>Namespace also provides:</strong></p> <ul> <li> <strong>Organization</strong>: Logically separates applications</li> <li> <strong>Permissions</strong>: RBAC can be applied by namespace</li> <li> <strong>Quotas</strong>: Limit resources by application</li> <li> <strong>Network isolation</strong>: Policies can restric communication</li> </ul> <p><strong>Installing via Helm:</strong></p> <p>Helm is often called "Kubernetes package manager", more than that, it's also a template engine with lifecycle management.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Add repo</span> helm repo add ollama-helm https://otwld.github.io/ollama-helm/ helm repo update <span class="c"># Create configuration file</span> <span class="nb">cat</span> <span class="o">&gt;</span> ollama-values.yaml <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> ollama: gpu: enabled: true type: nvidia number: 1 models: - llama2 ingress: enabled: true hosts: - host: ollama.glukas.space paths: - path: / pathType: Prefix </span><span class="no">EOF </span><span class="c"># Install</span> helm <span class="nb">install </span>ollama ollama-helm/ollama <span class="se">\</span> <span class="nt">-f</span> ollama-values.yaml <span class="se">\</span> <span class="nt">--namespace</span> ollama </code></pre> </div> <p><strong>What's Helm doing?</strong></p> <p>When you run <code>helm install</code>, Helm:</p> <ol> <li> <strong>Template rendering</strong>: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> values.yaml + chart templates → YAMLs do Kubernetes </code></pre> </div> <p>Helm take values and inject them on chart templates, generating Deployments, Services, ConfigMaps, etc.</p> <ol> <li><p><strong>Dependency resolution</strong>:<br> If chart have dependencies(sub-charts), Helm resolve it, then installs.</p></li> <li><p><strong>Pre-install hooks</strong>:<br> Some charts execute jobs before installation (such migrations, etc)</p></li> <li><p><strong>Resource creation</strong>:<br> Rendered YAMLs are then applied on cluster via <code>kubectl apply</code></p></li> <li><p><strong>Release tracking</strong>:<br> Helm then save the metadata on cluster, allowing upgrades and rollbacks</p></li> </ol> <p><strong>Verifying the installation:</strong></p> <p>By running <code>minikube kubectl get all -n ollama</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>NAME READY STATUS RESTARTS AGE pod/ollama-5d9c8f7b6-xk2j9 1/1 Running 0 2m NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) service/ollama ClusterIP 10.96.234.123 &lt;none&gt; 11434/TCP NAME READY UP-TO-DATE AVAILABLE AGE deployment.apps/ollama 1/1 1 1 2m NAME DESIRED CURRENT READY AGE replicaset.apps/ollama-5d9c8f7b6 1 1 1 2m </code></pre> </div> <p>Each line represents a Kubernetes resource created by Helm.</p> <h4> Local DNS Configuration </h4> <p>This is the IP you'll use to access services exposed through Ingress.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Cluster IP</span> minikube ip <span class="c"># Output example: 192.168.49.2</span> <span class="c"># Add to /etc/hosts</span> <span class="nb">echo</span> <span class="s2">"192.168.49.2 ollama.glukas.space"</span> | <span class="nb">sudo tee</span> <span class="nt">-a</span> /etc/hosts </code></pre> </div> <p><strong>How it works?</strong></p> <ol> <li>Your browser tries resolves <code>ollama.glukas.space</code> </li> <li>OS first query <code>/etc/hosts</code> </li> <li>Finds <code>192.168.49.2</code> (Minikube IP)</li> <li>Request goes to k8s cluster</li> <li>Ingress Controller see the header <code>Host: ollama.glukas.space</code> </li> <li>Routes to Ollama service</li> <li>Service distributes to Pods</li> </ol> <p><strong>Pulling an AI model:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Execute a command inside the Ollama pod</span> minikube kubectl <span class="nb">exec</span> <span class="nt">-n</span> ollama deploy/ollama <span class="nt">--</span> <span class="se">\</span> ollama pull llama3 <span class="c"># This downloads the Llama 3 model</span> <span class="c"># The first time takes a few minutes (several GB)</span> </code></pre> </div> <p><strong>Testing the model:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>minikube kubectl <span class="nb">exec</span> <span class="nt">-n</span> ollama deploy/ollama <span class="nt">--</span> <span class="se">\</span> ollama run llama3 <span class="s2">"Explain Kubernetes in one sentence"</span> <span class="c"># Response:</span> <span class="c"># Kubernetes is a container orchestration platform that automates</span> <span class="c"># deployment, scaling, and management of containerized applications</span> <span class="c"># across a cluster of machines.</span> </code></pre> </div> <p>If you got a response, congratulations! You have a local LLM running with GPU acceleration.</p> <p><strong>Testing access:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl http://ollama.glukas.space/api/tags <span class="c"># Expected response: JSON with available models</span> <span class="o">{</span> <span class="s2">"models"</span>: <span class="o">[</span> <span class="o">{</span> <span class="s2">"name"</span>: <span class="s2">"llama3:latest"</span>, <span class="s2">"modified_at"</span>: <span class="s2">"2024-01-15T10:30:00Z"</span>, ... <span class="o">}</span> <span class="o">]</span> <span class="o">}</span> </code></pre> </div> <p>If the JSON appeared, Ollama is successfully accessible via Ingress!</p> <h3> LibreChat Deploy: </h3> <p>Now comes the fun part: a proper web interface to interact with your AI.</p> <h4> Understanding LibreChat's Architecture </h4> <p>LibreChat is more than just a frontend. It's a complete application that needs:</p> <ul> <li> <strong>Database</strong> (MongoDB) — To store conversations, users, settings</li> <li> <strong>Search</strong> (MeiliSearch) — For semantic search in conversations</li> <li> <strong>Backend</strong> — Node.js API that orchestrates everything</li> <li> <strong>Frontend</strong> — React interface</li> </ul> <p>The official Helm chart manages all of this.</p> <h4> Creating the namespace: </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>minikube kubectl <span class="nt">--</span> create bs librechat </code></pre> </div> <h4> Creating Secrets: </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Generate secrets</span> <span class="nv">JWT_SECRET</span><span class="o">=</span><span class="si">$(</span>openssl rand <span class="nt">-hex</span> 32<span class="si">)</span> <span class="nv">JWT_REFRESH_SECRET</span><span class="o">=</span><span class="si">$(</span>openssl rand <span class="nt">-hex</span> 32<span class="si">)</span> <span class="nv">CREDS_KEY</span><span class="o">=</span><span class="si">$(</span>openssl rand <span class="nt">-hex</span> 32<span class="si">)</span> <span class="nv">CREDS_IV</span><span class="o">=</span><span class="si">$(</span>openssl rand <span class="nt">-hex</span> 16<span class="si">)</span> <span class="c"># Kubernetes secret creation</span> kubectl create secret generic librechat-credentials-env <span class="se">\</span> <span class="nt">--from-literal</span><span class="o">=</span><span class="nv">JWT_SECRET</span><span class="o">=</span><span class="s2">"</span><span class="k">${</span><span class="nv">JWT_SECRET</span><span class="k">}</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--from-literal</span><span class="o">=</span><span class="nv">JWT_REFRESH_SECRET</span><span class="o">=</span><span class="s2">"</span><span class="k">${</span><span class="nv">JWT_REFRESH_SECRET</span><span class="k">}</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--from-literal</span><span class="o">=</span><span class="nv">CREDS_KEY</span><span class="o">=</span><span class="s2">"</span><span class="k">${</span><span class="nv">CREDS_KEY</span><span class="k">}</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--from-literal</span><span class="o">=</span><span class="nv">CREDS_IV</span><span class="o">=</span><span class="s2">"</span><span class="k">${</span><span class="nv">CREDS_IV</span><span class="k">}</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--from-literal</span><span class="o">=</span><span class="nv">MONGO_URI</span><span class="o">=</span><span class="s2">"mongodb://librechat-mongodb:27017/LibreChat"</span> <span class="se">\</span> <span class="nt">--from-literal</span><span class="o">=</span><span class="nv">MEILI_HOST</span><span class="o">=</span><span class="s2">"http://librechat-meilisearch:7700"</span> <span class="se">\</span> <span class="nt">--from-literal</span><span class="o">=</span><span class="nv">OLLAMA_BASE_URL</span><span class="o">=</span><span class="s2">"http://ollama.ollama.svc.cluster.local:11434"</span> <span class="se">\</span> <span class="nt">--namespace</span> librechat </code></pre> </div> <p><strong>Secrets vs ConfigMaps: When to Use Each?</strong></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th></th> <th>ConfigMap</th> <th>Secret</th> </tr> </thead> <tbody> <tr> <td><strong>Purpose</strong></td> <td>Public configuration</td> <td>Sensitive data</td> </tr> <tr> <td><strong>Encoding</strong></td> <td>Plain text</td> <td>Base64 (not encryption!)</td> </tr> <tr> <td><strong>Typical Use</strong></td> <td>Feature flags, public URLs</td> <td>Passwords, tokens, keys</td> </tr> <tr> <td><strong>Auditing</strong></td> <td>Can be committed to Git</td> <td>NEVER commit</td> </tr> <tr> <td><strong>Example</strong></td> <td><code>API_ENDPOINT=https://api.com</code></td> <td><code>API_KEY=sk_live_xxxxx</code></td> </tr> </tbody> </table></div> <p><strong>Important</strong>: Base64 is not encryption! It's just encoding. In production, use solutions such as:</p> <ul> <li> <strong>Sealed Secrets</strong> (Bitnami)</li> <li> <strong>External Secrets Operator</strong> + HashiCorp Vault</li> <li> <strong>SOPS</strong> (Mozilla)</li> <li> <strong>Cloud provider KMS</strong> (AWS Secrets Manager, GCP Secret Manager)</li> </ul> <h4> Configuration file: librechat-values.yaml </h4> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="s">cat &gt; librechat-values.yaml &lt;&lt;'EOF'</span> <span class="c1"># Env Config (Level 1)</span> <span class="na">config</span><span class="pi">:</span> <span class="na">APP_TITLE</span><span class="pi">:</span> <span class="s2">"</span><span class="s">LibreChat</span><span class="nv"> </span><span class="s">+</span><span class="nv"> </span><span class="s">Ollama"</span> <span class="na">HOST</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0.0.0.0"</span> <span class="na">PORT</span><span class="pi">:</span> <span class="s2">"</span><span class="s">3080"</span> <span class="na">SEARCH</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="na">MONGO_URI</span><span class="pi">:</span> <span class="s2">"</span><span class="s">mongodb://librechat-mongodb:27017/LibreChat"</span> <span class="na">MEILI_HOST</span><span class="pi">:</span> <span class="s2">"</span><span class="s">http://librechat-meilisearch:7700"</span> <span class="c1"># Application Conig (Level 2)</span> <span class="na">librechat</span><span class="pi">:</span> <span class="na">configEnv</span><span class="pi">:</span> <span class="na">ALLOW_REGISTRATION</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="c1"># YAML Injection (Level 3)</span> <span class="na">configYamlContent</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">version: 1.1.5</span> <span class="s">cache: true</span> <span class="s">endpoints:</span> <span class="s">custom:</span> <span class="s">- name: "Ollama"</span> <span class="s">apiKey: "ollama"</span> <span class="s"># Kubernetes internal DNS: &lt;service&gt;.&lt;namespace&gt;.svc.cluster.local</span> <span class="s">baseURL: "http://ollama.ollama.svc.cluster.local:11434/v1"</span> <span class="s">models:</span> <span class="s">default:</span> <span class="s">- "llama2:latest"</span> <span class="s">fetch: true</span> <span class="s">titleConvo: true</span> <span class="s">titleModel: "llama2:latest"</span> <span class="s">summarize: false</span> <span class="s">summaryModel: "llama2:latest"</span> <span class="s">forcePrompt: false</span> <span class="s">modelDisplayLabel: "Ollama"</span> <span class="s">addParams:</span> <span class="s">temperature: 0.7</span> <span class="s">max_tokens: 2000</span> <span class="c1"># Reference to Secret previously created</span> <span class="na">extraEnvVarsSecret</span><span class="pi">:</span> <span class="s2">"</span><span class="s">librechat-credentials-env"</span> <span class="c1"># External access configuration</span> <span class="na">ingress</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">className</span><span class="pi">:</span> <span class="s2">"</span><span class="s">nginx"</span> <span class="na">hosts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">host</span><span class="pi">:</span> <span class="s">librechat.glukas.space</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/</span> <span class="na">pathType</span><span class="pi">:</span> <span class="s">Prefix</span> <span class="c1"># Sub-charts (dependencies)</span> <span class="na">mongodb</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">auth</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">false</span> <span class="c1"># NEVER in production</span> <span class="na">image</span><span class="pi">:</span> <span class="na">repository</span><span class="pi">:</span> <span class="s">bitnami/mongodb</span> <span class="na">tag</span><span class="pi">:</span> <span class="s">latest</span> <span class="na">persistence</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">size</span><span class="pi">:</span> <span class="s">8Gi</span> <span class="na">meilisearch</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">auth</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">false</span> <span class="c1"># NEVER in production</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">MEILI_NO_ANALYTICS</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="na">MEILI_ENV</span><span class="pi">:</span> <span class="s2">"</span><span class="s">development"</span> <span class="na">persistence</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">size</span><span class="pi">:</span> <span class="s">1Gi</span> <span class="c1"># Main application storage</span> <span class="na">persistence</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">size</span><span class="pi">:</span> <span class="s">5Gi</span> <span class="na">storageClass</span><span class="pi">:</span> <span class="s2">"</span><span class="s">standard"</span> <span class="s">EOF</span> </code></pre> </div> <p><strong>Configuration breaking down:</strong></p> <p><strong>Level 1 — Environment Variables Simples</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">config</span><span class="pi">:</span> <span class="na">APP_TITLE</span><span class="pi">:</span> <span class="s2">"</span><span class="s">LibreChat</span><span class="nv"> </span><span class="s">+</span><span class="nv"> </span><span class="s">Ollama"</span> </code></pre> </div> <p>Environment variables injected on container.</p> <p><strong>Level 2 — Application Configuration</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">librechat</span><span class="pi">:</span> <span class="na">configEnv</span><span class="pi">:</span> <span class="na">ALLOW_REGISTRATION</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> </code></pre> </div> <p>LibreChat specific configuration(it will also be env vars).</p> <p><strong>Level 3 — Nested YAML</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">configYamlContent</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">version: 1.1.5</span> <span class="s">endpoints:</span> <span class="s">custom: ...</span> </code></pre> </div> <p>A YAML file that will be created inside thecontainer. O pipe <code>|</code> preserves line breaks.</p> <h4> Internal Kubernetes DNS: </h4> <ul> <li>LibreChat inside the cluster talks to Ollama via internal DNS</li> <li>No need to go through external Ingress</li> </ul> <p><strong>Kubernetes FQDN (Fully Qualified Domain Name) Anatomy:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">baseURL</span><span class="pi">:</span> <span class="s2">"</span><span class="s">http://ollama.ollama.svc.cluster.local:11434/v1"</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>http://ollama.ollama.svc.cluster.local:11434/v1 └─┬─┘ └─┬─┘ └┬┘ └────┬─────┘ └─┬─┘└┬┘ Service NS Type Domain Port Path </code></pre> </div> <ul> <li> <code>ollama</code> — Service Name </li> <li> <code>ollama</code> — Namespace where the Service is</li> <li> <code>svc</code> — Resource Type (service)</li> <li> <code>cluster.local</code> — cluster Domain</li> <li> <code>11434</code> — Port</li> <li> <code>/v1</code> — API Path</li> </ul> <p><strong>Shorthand that also works (inside the same namespace):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>http://ollama:11434 # Same namespace http://ollama.ollama:11434 # Explicit Namespace http://ollama.ollama.svc:11434 # With Type </code></pre> </div> <p><strong>Why using full FQDN?</strong></p> <p>LibreChat is inside <code>librechat</code> namespace and needs to access Ollama on <code>ollama</code> namespace. Cross-namespace communication requires <code>&lt;service&gt;.&lt;namespace&gt;</code>.</p> <h4> Deploying </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Install LibreChat and its dependencies</span> helm <span class="nb">install </span>librechat oci://ghcr.io/danny-avila/librechat-chart/librechat <span class="se">\</span> <span class="nt">-f</span> librechat-values.yaml <span class="se">\</span> <span class="nt">--namespace</span> librechat <span class="c"># Watch the deploy</span> watch minikube kubectl <span class="nt">--</span> get pods <span class="nt">-n</span> librechat <span class="nt">-w</span> </code></pre> </div> <p><strong>Watch to Expect:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>NAME READY STATUS RESTARTS AGE librechat-5d8f4b6c9d-xk7p2 0/1 ContainerCreating 0 10s librechat-mongodb-0 0/1 Pending 0 10s librechat-meilisearch-7f9d8c5b6-j4k8m 0/1 ContainerCreating 0 10s </code></pre> </div> <p>Wait Status to be <code>Running</code> and <code>READY</code> to be <code>1/1</code>.</p> <h4> Testing the System </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Adding to /etc/hosts</span> <span class="nb">echo</span> <span class="s2">"192.168.49.2 librechat.glukas.space"</span> | <span class="nb">sudo tee</span> <span class="nt">-a</span> /etc/hosts <span class="c"># Access in browser</span> <span class="c"># http://librechat.glukas.space</span> </code></pre> </div> <p>If everything worked, you'll see the LibreChat interface. Create an account, configure the Ollama model, and chat with the AI running completely locally.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffvojqcn9s7xur5n9lt1w.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffvojqcn9s7xur5n9lt1w.png" alt="Image1" width="800" height="433"></a></p> <h3> Let's ask some difficult questions: </h3> <p><strong>1. Reproducibility: If I delete the cluster now, can you recreate everything exactly the same?</strong></p> <p>Technically yes, but you'll need to:</p> <ul> <li>Remember all the commands in the right order</li> <li>Recreate all secrets with the same values</li> <li>Hope the charts haven't changed</li> <li>Hope you didn't forget to document some configuration</li> </ul> <p><strong>2. Versioning: How do you rollback if something breaks?</strong></p> <p>You don't. Helm has releases, but the configurations are on your machine. If you changed a value three weeks ago, good luck remembering what it was before.</p> <p><strong>3. Auditing: Who changed what and when?</strong></p> <p>Nobody knows. There's no record.</p> <p><strong>4. Consistency: How do you ensure dev, staging, and production are the same?</strong></p> <p>Copy and paste values between environments. And pray.</p> <p><strong>5. Drift Detection: Is the cluster as you think it is?</strong></p> <p>Maybe. Someone might have run <code>kubectl edit</code> directly. You'll never know.</p> <h3> Fundamental Problems of the Manual Approach </h3> <h4> 1. <strong>The Reproducibility Problem</strong> </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># What you DID:</span> <span class="nv">$ </span>kubectl create namespace ollama <span class="nv">$ </span>helm <span class="nb">install </span>ollama ... <span class="nv">$ </span>kubectl create secret ... <span class="nv">$ </span>helm <span class="nb">install </span>librechat ... <span class="c"># What you HAVE documented:</span> <span class="nv">$ </span><span class="c"># (cricket sounds)</span> </code></pre> </div> <p>You made it work, but this knowledge is in your head and bash history. If the cluster dies tomorrow, you'll need to rebuild everything from memory or by mining logs.</p> <h4> 2. <strong>The Distributed State Problem</strong> </h4> <p>Your system now has state in several places:</p> <ul> <li> <strong>Helm releases</strong> — Metadata in the cluster</li> <li> <strong>Secrets</strong> — Created via <code>kubectl</code> </li> <li> <strong>Configurations</strong> — YAML files on your machine</li> <li> <strong>DNS</strong> — Entries in <code>/etc/hosts</code> </li> <li> <strong>Commands</strong> — Bash history</li> </ul> <p>There's no single source of truth.</p> <h4> 3. <strong>The Scale Problem</strong> </h4> <p>This worked for 2 applications. Now imagine:</p> <ul> <li>10 applications</li> <li>3 environments (dev, staging, prod)</li> <li>5 people on the team</li> </ul> <p>Will you create 30 manual configurations? And when someone on the team updates one, how do the others know?</p> <h4> 4. <strong>The Drift Problem</strong> </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># On day 1:</span> <span class="nv">$ </span>helm <span class="nb">install </span>app v1.0 <span class="c"># On day 30, someone does:</span> <span class="nv">$ </span>kubectl edit deployment app <span class="c"># Now there's divergence between:</span> <span class="c"># - What Helm thinks it deployed</span> <span class="c"># - What's actually running</span> <span class="c"># - What you think is running</span> </code></pre> </div> <p>Drift is when the current state diverges from the desired state. In manual infrastructure, drift is invisible until it breaks.</p> <h4> 5. <strong>The Collaboration Problem</strong> </h4> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Developer A: "I changed the Ollama configuration" Developer B: "Which one? Where?" Developer A: "In my values.yaml" Developer B: "Did you commit it?" Developer A: "Was I supposed to commit it?" </code></pre> </div> <p>Without centralized versioning, collaboration is chaotic.</p> <h3> Lessons from Chapter 1: </h3> <p>Despite the problems mentioned, this manual implementation was essential:</p> <p><strong>You now understand Kubernetes from the inside</strong></p> <ul> <li>Pods aren't abstractions, they're running processes</li> <li>Services aren't magic, they're iptables rules</li> <li>Ingress isn't complex, it's HTTP proxy with rules</li> </ul> <p><strong>You gained technical vocabulary</strong></p> <ul> <li>Can talk about namespaces, secrets, internal DNS</li> <li>Understand what Helm does vs what Kubernetes does</li> <li>Know the difference between StatefulSet and Deployment</li> </ul> <p><strong>You felt the pain that motivates automation</strong></p> <ul> <li>Each manual command is an opportunity for error</li> <li>Each unversioned configuration is technical debt</li> <li>Each manual change is impossible to audit</li> </ul> <p><strong>You built intuition about the ecosystem</strong></p> <ul> <li>Know when to use Helm chart vs pure YAML</li> <li>Understand design trade-offs (simplicity vs flexibility)</li> <li>Can debug networking and DNS problems</li> </ul> <h3> The Next Step: Infrastructure as Code </h3> <p>Now that you deeply understand <strong>what</strong> is running and <strong>why</strong>, you're ready to learn <strong>how</strong> to automate.</p> <p>In Chapter 2, we'll take everything we did here and transform it into versioned, reproducible, and auditable code. We'll introduce Terraform and explore the first approach to managing Kubernetes with Infrastructure as Code.</p> <h2> Next Chapters </h2> <p><strong>Chapter 2: Terraform + Kubernetes Provider — Infrastructure as Code</strong><br><br> How to use Terraform to manage Kubernetes resources directly. We'll explore why this seems like a good idea, where it works well, and where it starts to break. We'll learn about state management, change planning, and the limits of the approach.</p> <p><strong>Chapter 3: Terraform + Helm — A Better Abstraction</strong><br><br> The correct abstraction emerges. We'll use Terraform to manage Helm releases, combining the best of both worlds: Terraform's versioning and auditing with Helm's packaging expertise.</p> <p><strong>Chapter 4: GitOps with Terraform + ArgoCD — A LLM Self-Hosting Product Infrastructure</strong><br><br> Robust architecture that completely separates infrastructure management (Terraform) from application management (ArgoCD), implementing real continuous delivery with GitOps, pull-based reconciliation, and multi-tenancy.</p> <p><strong>Continue to:</strong><br><br> <a href="https://dev.to/glukas/chapter-2-infrastructure-as-code-5h52">Chapter 2: Terraform + Kubernetes Provider — Infrastructure as Code →</a> </p> <h2> Additional Resources </h2> <p><strong>Official Documentation:</strong></p> <ul> <li><a href="https://kubernetes.io/docs/" rel="noopener noreferrer">Kubernetes Documentation</a></li> <li><a href="https://helm.sh/docs/" rel="noopener noreferrer">Helm Documentation</a></li> <li><a href="https://minikube.sigs.k8s.io/docs/" rel="noopener noreferrer">Minikube Guide</a></li> </ul> <p><strong>Important Concepts:</strong></p> <ul> <li> <a href="https://12factor.net/" rel="noopener noreferrer">The Twelve-Factor App</a> — Methodology for cloud-native apps</li> <li> <a href="https://www.redhat.com/en/resources/oreilly-kubernetes-patterns-cloud-native-apps" rel="noopener noreferrer">Kubernetes Patterns</a> — Design patterns for K8s</li> <li> <a href="https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/" rel="noopener noreferrer">DNS for Services and Pods</a> — Understanding internal DNS</li> </ul> <p><strong>Community:</strong></p> <ul> <li><a href="https://kubernetes.slack.com/" rel="noopener noreferrer">Kubernetes Slack</a></li> <li><a href="https://reddit.com/r/kubernetes" rel="noopener noreferrer">r/kubernetes</a></li> <li> <a href="https://landscape.cncf.io/" rel="noopener noreferrer">CNCF Landscape</a> — Complete map of the cloud-native ecosystem</li> </ul> devops ai sre tutorial