W2.5.E batch — three Application-tier Blueprints completing the LLM serving / workflow stack:

- bp-temporal/1.0.0 — wraps temporal/temporal 1.2.0 (the new chart rewrite that removed cassandra:/mysql:/postgresql:/elasticsearch:/prometheus:/grafana: top-level keys in favour of server.config.persistence.datastores). Postgres-only via CNPG-backed visibility store (skip Cassandra). Web UI ON. Keycloak OIDC integration via --auth-claim-mapper renders auth.yaml ConfigMap (operator wires via additionalVolumes once bp-keycloak is reconciled, default OFF). dependsOn: bp-cnpg + bp-cert-manager. Closes #271. Kinds: Cluster (CNPG) + ConfigMap + Deployment + Job + Pod + Service.

- bp-llm-gateway/1.0.0 — wraps berriai/litellm-helm 0.1.572 from OCI. Subscription-aware proxy for Claude Code: routes to Anthropic (via operator OAuth/Max subscription — NEVER an ANTHROPIC_API_KEY, per memory/feedback_no_api_key.md), Bedrock, Vertex, OpenAI-compatible (via bp-anthropic-adapter), and self-hosted vLLM. CNPG-backed audit log (every prompt + response persisted for compliance). Bundled bitnami postgresql + redis subcharts DISABLED (db.useExisting=true points at the CNPG cluster). Keycloak SSO via auth.yaml ConfigMap (default OFF). ExternalSecret-backed environmentSecrets brings tokens / IAM creds in without inlining plaintext. dependsOn: bp-cnpg + bp-keycloak + bp-external-secrets. Closes #267. Kinds: Cluster (CNPG audit) + ConfigMap + Deployment + Job + Pod + Secret + Service + ServiceAccount.

- bp-anthropic-adapter/1.0.0 — Catalyst-authored scratch chart for the OpenAI ↔ Anthropic translation Go service. SHA-pinned image ghcr.io/openova-io/openova/anthropic-adapter:<sha> (Inviolable Principle #4a — GitHub Actions is the only build path; empty default tag fails the render with a clear error instead of silently shipping :latest). OAuth/Max subscription token mounted from K8s Secret materialized by ESO from bp-openbao — ANTHROPIC_OAUTH_TOKEN env var, NEVER an ANTHROPIC_API_KEY. Includes OpenAI → Anthropic model-mapping ConfigMap (gpt-4 → claude-3-5-sonnet, gpt-4o-mini → claude-3-5-haiku, etc.). sigstore/common library subchart included to satisfy the hollow-chart gate (matches bp-vllm pattern from #283). dependsOn: bp-external-secrets. Closes #268. Kinds: ConfigMap + Deployment + Service + ServiceAccount.

CRITICAL — bp-llm-gateway and bp-anthropic-adapter both consume the operator's Claude OAuth/Max subscription. Per memory/feedback_no_api_key.md and the user's standing instruction, neither chart accepts or generates an ANTHROPIC_API_KEY. Tokens flow exclusively through ExternalSecret-managed K8s Secrets that ESO materializes from bp-openbao at install time.

Per docs/BLUEPRINT-AUTHORING.md §11.2 (issue #182): every observability toggle defaults `false` (ServiceMonitor / metrics sidecar / PodMonitor) and is operator-tunable via per-cluster overlay once bp-kube-prometheus-stack reconciles. Each chart ships tests/observability-toggle.sh covering default-off, opt-in (with --api-versions monitoring.coreos.com/v1 to simulate the CRDs), and explicit-off cases. bp-anthropic-adapter additionally tests the never-:latest gate via Case 4 (empty image tag must fail render).

Per docs/INVIOLABLE-PRINCIPLES.md #4 (never hardcode): every upstream version, namespace, server URL, role, secret name, model default, and toggle is exposed under values.yaml. Cluster overlays in clusters/<sovereign>/ may override without rebuilding the Blueprint OCI artifact.

Per docs/BLUEPRINT-AUTHORING.md §11.1 (umbrella shape — hard contract): bp-temporal and bp-llm-gateway declare their upstream charts under Chart.yaml dependencies: so helm dependency build bundles the upstream payload into the OCI artifact. bp-anthropic-adapter is a scratch chart (no upstream Helm chart exists) and includes sigstore/common as the obligatory hollow-chart-gate dependency, matching the bp-vllm precedent from W2.5.D (#283).

Closes #267
Closes #268
Closes #271

helm lint: 1 chart(s) linted, 0 chart(s) failed (each, INFO icon-recommended only)

Co-authored-by: hatiyildiz <hatice.yildiz@openova.io>
90 lines
2.9 KiB
YAML
```yaml
apiVersion: catalyst.openova.io/v1alpha1
kind: Blueprint
metadata:
  name: bp-anthropic-adapter
  labels:
    catalyst.openova.io/category: ai-runtime
    catalyst.openova.io/section: pts-4-6-llm-serving
spec:
  version: 1.0.0
  card:
    title: Anthropic Adapter
    summary: |
      OpenAI ↔ Anthropic translation layer. Single Catalyst-authored Go
      service that translates `/v1/chat/completions` (OpenAI) ↔
      Anthropic `/v1/messages`, including streaming SSE. Pairs with
      bp-llm-gateway so OpenAI-SDK clients can target Claude transparently.
    icon: anthropic-adapter.svg
    category: ai-runtime
    tags: [llm, anthropic, claude, openai, adapter, proxy]
    documentation: https://docs.anthropic.com/en/api/messages
    license: Apache-2.0
  visibility: listed
  owner:
    team: ai-platform
    contact: ai-platform@openova.io
  configSchema:
    type: object
    properties:
      replicas:
        type: integer
        default: 1
        minimum: 1
        maximum: 16
      anthropic:
        type: object
        properties:
          baseUrl:
            type: string
            default: "https://api.anthropic.com"
            description: |
              Upstream Anthropic API base URL. Air-gapped Sovereigns
              override to a regional egress proxy; cluster-internal
              routing via bp-llm-gateway sets this to the in-cluster
              gateway endpoint.
          authMode:
            type: string
            enum: [oauth, subscription]
            default: oauth
            description: |
              `oauth` = use the operator's Claude OAuth/Max
              subscription token (NEVER an ANTHROPIC_API_KEY). The
              token is mounted from the K8s Secret declared under
              `auth.secretName`. `subscription` is reserved for future
              tier-based routing — same secret, different validation.
      auth:
        type: object
        properties:
          secretName:
            type: string
            default: bp-anthropic-adapter-oauth
            description: |
              K8s Secret materialized by ESO from bp-openbao that
              carries the operator's Claude OAuth/Max token under the
              key `oauth_token`. NEVER commit a plaintext API key.
      defaults:
        type: object
        properties:
          model:
            type: string
            default: "claude-3-5-sonnet-20241022"
            description: Default Anthropic model when the OpenAI request omits `model`.
          maxTokens:
            type: integer
            default: 4096
            description: Default Anthropic `max_tokens` when the OpenAI request omits it.
  placementSchema:
    modes: [single-region, active-active]
    default: single-region
  manifests:
    chart: ./chart
  depends:
    - blueprint: bp-external-secrets
      version: ^1.0
      alias: eso
  upgrades:
    from: ["0.x"]
  observability:
    metrics: prometheus
    logs: stdout
```
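An added example, not code from this repository: a CI-style audit of a rendered Deployment for the two invariants the commit message states for bp-anthropic-adapter (the image is never untagged or `:latest`; the token arrives only as `ANTHROPIC_OAUTH_TOKEN` from the Secret key `oauth_token`, never as `ANTHROPIC_API_KEY`). The manifest is constructed, and wiring the token through `env[].valueFrom.secretKeyRef` is an assumption about how the chart renders it.

```python
import json

# Constructed sample: a rendered Deployment as JSON. The image tag and the
# container layout are placeholders for illustration, not the chart's output.
SAMPLE = json.loads("""
{"kind": "Deployment", "metadata": {"name": "bp-anthropic-adapter"},
 "spec": {"template": {"spec": {"containers": [{
   "name": "adapter",
   "image": "ghcr.io/openova-io/openova/anthropic-adapter:0000000",
   "env": [{"name": "ANTHROPIC_OAUTH_TOKEN",
            "valueFrom": {"secretKeyRef": {"name": "bp-anthropic-adapter-oauth",
                                           "key": "oauth_token"}}}]}]}}}}
""")

FORBIDDEN_ENV = {"ANTHROPIC_API_KEY"}   # named as forbidden in the commit message
TOKEN_ENV = "ANTHROPIC_OAUTH_TOKEN"
MUTABLE_TAGS = {"", "latest"}           # a missing tag resolves to :latest


def image_tag(image):
    """Return the tag (or digest) of an image reference, '' if it has none."""
    if "@sha256:" in image:
        return image.split("@", 1)[1]
    last = image.rsplit("/", 1)[-1]      # ignore ':' in a registry host:port
    return last.split(":", 1)[1] if ":" in last else ""


def audit(manifest, secret_name="bp-anthropic-adapter-oauth", secret_key="oauth_token"):
    """Return findings for one rendered workload; an empty list means it passes."""
    findings = []
    pod = manifest.get("spec", {}).get("template", {}).get("spec", {})
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        if image_tag(c.get("image", "")) in MUTABLE_TAGS:
            findings.append(f"{c['name']}: image not pinned ({c.get('image')!r})")
        for env in c.get("env", []):
            name = env.get("name")
            if name in FORBIDDEN_ENV:
                findings.append(f"{c['name']}: forbidden env {name}")
            if name == TOKEN_ENV:
                ref = env.get("valueFrom", {}).get("secretKeyRef", {})
                wanted = (secret_name, secret_key)
                if "value" in env or (ref.get("name"), ref.get("key")) != wanted:
                    findings.append(f"{c['name']}: {TOKEN_ENV} is not a reference "
                                    f"to Secret {secret_name}/{secret_key}")
    return findings
```

The check does not look at `envFrom`, so a chart that injects the whole Secret that way needs an extra rule.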