diff --git a/charts/open-webui/README.md b/charts/open-webui/README.md
index 6429888..73a611f 100644
--- a/charts/open-webui/README.md
+++ b/charts/open-webui/README.md
@@ -1,6 +1,6 @@
 # open-webui
-![Version: 5.24.0](https://img.shields.io/badge/Version-5.24.0-informational?style=flat-square) ![AppVersion: 0.5.20](https://img.shields.io/badge/AppVersion-0.5.20-informational?style=flat-square)
+![Version: 5.25.0](https://img.shields.io/badge/Version-5.25.0-informational?style=flat-square) ![AppVersion: 0.5.20](https://img.shields.io/badge/AppVersion-0.5.20-informational?style=flat-square)
 Open WebUI: A User-Friendly Web Interface for Chat Interactions 👋 
@@ -40,6 +40,71 @@ helm upgrade --install open-webui open-webui/open-webui ## Values +### SSO Configuration + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| sso.enableGroupManagement | bool | `false` | Enable OAuth group management through access token groups claim | +| sso.enableRoleManagement | bool | `false` | Enable OAuth role management through access token roles claim | +| sso.enableSignup | bool | `false` | Enable account creation when logging in with OAuth (distinct from regular signup) | +| sso.enabled | bool | `false` | **Enable SSO authentication globally** must enable to use SSO authentication | +| sso.groupManagement.groupsClaim | string | `"groups"` | The claim that contains the groups (can be nested, e.g., user.memberOf) | +| sso.mergeAccountsByEmail | bool | `false` | Allow logging into accounts that match email from OAuth provider (considered insecure) | + +### GitHub OAuth configuration + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| sso.github.clientId | string | `""` | GitHub OAuth client ID | +| sso.github.clientSecret | string | `""` | GitHub OAuth client secret | +| sso.github.enabled | bool | `false` | Enable GitHub OAuth | + +### Google OAuth configuration + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| sso.google.clientId | string | `""` | Google OAuth client ID | +| sso.google.clientSecret | string | `""` | Google OAuth client secret | +| sso.google.enabled | bool | `false` | Enable Google OAuth | + +### Microsoft OAuth configuration + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| sso.microsoft.clientId | string | `""` | Microsoft OAuth client ID | +| sso.microsoft.clientSecret | string | `""` | Microsoft OAuth client secret | +| sso.microsoft.enabled | bool | `false` | Enable Microsoft OAuth | +| sso.microsoft.tenantId | string | `""` | Microsoft tenant ID - use 
9188040d-6c67-4c5b-b112-36a304b66dad for personal accounts | + +### OIDC configuration + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| sso.oidc.clientId | string | `""` | OIDC client ID | +| sso.oidc.clientSecret | string | `""` | OIDC client secret | +| sso.oidc.enabled | bool | `false` | Enable OIDC authentication | +| sso.oidc.providerName | string | `"SSO"` | Name of the provider to show on the UI | +| sso.oidc.providerUrl | string | `""` | OIDC provider well known URL | +| sso.oidc.scopes | string | `"openid email profile"` | Scopes to request (space-separated). | + +### Role management configuration + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| sso.roleManagement.adminRoles | string | `""` | Comma-separated list of roles allowed to log in as admin (receive open webui role admin) | +| sso.roleManagement.allowedRoles | string | `""` | Comma-separated list of roles allowed to log in (receive open webui role user) | +| sso.roleManagement.rolesClaim | string | `"roles"` | The claim that contains the roles (can be nested, e.g., user.roles) | + +### SSO trusted header authentication + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| sso.trustedHeader.emailHeader | string | `""` | Header containing the user's email address | +| sso.trustedHeader.enabled | bool | `false` | Enable trusted header authentication | +| sso.trustedHeader.nameHeader | string | `""` | Header containing the user's name (optional, used for new user creation) | + +### Other Values + | Key | Type | Default | Description | |-----|------|---------|-------------| | affinity | object | `{}` | Affinity for pod assignment | 
@@ -56,7 +121,7 @@ helm upgrade --install open-webui open-webui/open-webui | image | object | `{"pullPolicy":"IfNotPresent","repository":"ghcr.io/open-webui/open-webui","tag":""}` | Open WebUI image tags can be found here: https://github.com/open-webui/open-webui | | imagePullSecrets | list | `[]` | Configure imagePullSecrets to use private registry ref: | | ingress.additionalHosts | list | `[]` | | -| ingress.annotations | object | `{}` | Use appropriate annotations for your Ingress controller, e.g., for NGINX: | +| ingress.annotations | object | `{}` | Use appropriate annotations for your Ingress controller, e.g., for NGINX: | | ingress.class | string | `""` | | | ingress.enabled | bool | `false` | | | ingress.existingSecret | string | `""` | | 
@@ -112,7 +177,7 @@ helm upgrade --install open-webui open-webui/open-webui | volumes | list | `[]` | Configure pod volumes ref: | | websocket.enabled | bool | `false` | Enables websocket support in Open WebUI with env `ENABLE_WEBSOCKET_SUPPORT` | | websocket.manager | string | `"redis"` | Specifies the websocket manager to use with env `WEBSOCKET_MANAGER`: redis (default) | -| websocket.redis | object | `{"affinity":{},"annotations":{},"args":[],"command":[],"enabled":true,"image":{"pullPolicy":"IfNotPresent","repository":"redis","tag":"7.4.2-alpine3.21"},"labels":{},"name":"open-webui-redis","pods":{"annotations":{}},"resources":{},"service":{"annotations":{},"containerPort":6379,"labels":{},"nodePort":"","port":6379,"type":"ClusterIP"},"tolerations":[]}` | Deploys a redis | +| websocket.redis | object | `{"affinity":{},"annotations":{},"args":[],"command":[],"enabled":true,"image":{"pullPolicy":"IfNotPresent","repository":"redis","tag":"7.4.2-alpine3.21"},"labels":{},"name":"open-webui-redis","pods":{"annotations":{}},"resources":{},"securityContext":{},"service":{"annotations":{},"containerPort":6379,"labels":{},"nodePort":"","port":6379,"type":"ClusterIP"},"tolerations":[]}` | Deploys a redis | | websocket.redis.affinity | object | `{}` | Redis affinity for pod assignment | | websocket.redis.annotations | object | `{}` | Redis annotations | | websocket.redis.args | list | `[]` | Redis arguments (overrides default) | 
@@ -124,7 +189,7 @@ helm upgrade --install open-webui open-webui/open-webui | websocket.redis.pods | object | `{"annotations":{}}` | Redis pod | | websocket.redis.pods.annotations | object | `{}` | Redis pod annotations | | websocket.redis.resources | object | `{}` | Redis resources | -| websocket.redis.securityContext | object | `{}` | Redis security context ref: | +| websocket.redis.securityContext | object | `{}` | Redis security context | | websocket.redis.service | object | `{"annotations":{},"containerPort":6379,"labels":{},"nodePort":"","port":6379,"type":"ClusterIP"}` | Redis service | | websocket.redis.service.annotations | object | `{}` | Redis service annotations | | websocket.redis.service.containerPort | int | `6379` | Redis container/target port | diff --git a/charts/open-webui/templates/workload-manager.yaml b/charts/open-webui/templates/workload-manager.yaml index fe6290b..a950c74 100644 --- a/charts/open-webui/templates/workload-manager.yaml +++ b/charts/open-webui/templates/workload-manager.yaml 
@@ -161,6 +161,76 @@ spec:
 - name: "WEBSOCKET_REDIS_URL"
 value: {{ .Values.websocket.url | quote }}
 {{- end }}
+ {{- if .Values.sso.enabled }}
+ {{- if .Values.sso.enableSignup }}
+ - name: "ENABLE_OAUTH_SIGNUP"
+ value: "True"
+ {{- end }}
+ {{- if .Values.sso.mergeAccountsByEmail }}
+ - name: "OAUTH_MERGE_ACCOUNTS_BY_EMAIL"
+ value: "True"
+ {{- end }}
+ {{- if .Values.sso.google.enabled }}
+ - name: "GOOGLE_CLIENT_ID"
+ value: {{ .Values.sso.google.clientId | quote }}
+ - name: "GOOGLE_CLIENT_SECRET"
+ value: {{ .Values.sso.google.clientSecret | quote }}
+ {{- end }}
+ {{- if .Values.sso.microsoft.enabled }}
+ - name: "MICROSOFT_CLIENT_ID"
+ value: {{ .Values.sso.microsoft.clientId | quote }}
+ - name: "MICROSOFT_CLIENT_SECRET"
+ value: {{ .Values.sso.microsoft.clientSecret | quote }}
+ - name: "MICROSOFT_CLIENT_TENANT_ID"
+ value: {{ .Values.sso.microsoft.tenantId | quote }}
+ {{- end }}
+ {{- if .Values.sso.github.enabled }}
+ - name: "GITHUB_CLIENT_ID"
+ value: {{ .Values.sso.github.clientId | quote }}
+ - name: "GITHUB_CLIENT_SECRET"
+ value: {{ .Values.sso.github.clientSecret | quote }}
+ {{- end }}
+ {{- if .Values.sso.oidc.enabled }}
+ - name: "OAUTH_CLIENT_ID"
+ value: {{ .Values.sso.oidc.clientId | quote }}
+ - name: "OAUTH_CLIENT_SECRET"
+ value: {{ .Values.sso.oidc.clientSecret | quote }}
+ - name: "OPENID_PROVIDER_URL"
+ value: {{ .Values.sso.oidc.providerUrl | quote }}
+ - name: "OAUTH_PROVIDER_NAME"
+ value: {{ .Values.sso.oidc.providerName | quote }}
+ - name: "OAUTH_SCOPES"
+ value: {{ .Values.sso.oidc.scopes | quote }}
+ {{- end }}
+ {{- if .Values.sso.enableRoleManagement }}
+ - name: "ENABLE_OAUTH_ROLE_MANAGEMENT"
+ value: "True"
+ - name: "OAUTH_ROLES_CLAIM"
+ value: {{ .Values.sso.roleManagement.rolesClaim | quote }}
+ {{- if .Values.sso.roleManagement.allowedRoles }}
+ - name: "OAUTH_ALLOWED_ROLES"
+ value: {{ .Values.sso.roleManagement.allowedRoles | quote }}
+ {{- end }}
+ {{- if .Values.sso.roleManagement.adminRoles }}
+ - name: 
"OAUTH_ADMIN_ROLES" + value: {{ .Values.sso.roleManagement.adminRoles | quote }} + {{- end }} + {{- end }} + {{- if .Values.sso.enableGroupManagement }} + - name: "ENABLE_OAUTH_GROUP_MANAGEMENT" + value: "True" + - name: "OAUTH_GROUP_CLAIM" + value: {{ .Values.sso.groupManagement.groupsClaim | quote }} + {{- end }} + {{- if .Values.sso.trustedHeader.enabled }} + - name: "WEBUI_AUTH_TRUSTED_EMAIL_HEADER" + value: {{ .Values.sso.trustedHeader.emailHeader | quote }} + {{- if .Values.sso.trustedHeader.nameHeader }} + - name: "WEBUI_AUTH_TRUSTED_NAME_HEADER" + value: {{ .Values.sso.trustedHeader.nameHeader | quote }} + {{- end }} + {{- end }} + {{- end }} tty: true {{- with .Values.nodeSelector }} nodeSelector: diff --git a/charts/open-webui/values.yaml b/charts/open-webui/values.yaml index 02007df..fa3327f 100644 --- a/charts/open-webui/values.yaml +++ b/charts/open-webui/values.yaml @@ -1,6 +1,5 @@ nameOverride: "" namespaceOverride: "" - ollama: # -- Automatically install Ollama Helm chart from https://otwld.github.io/ollama-helm/. Use [Helm Values](https://github.com/otwld/ollama-helm/#helm-values) to configure enabled: true @@ -177,14 +176,14 @@ copyAppData: managedCertificate: enabled: false - name: "mydomain-chat-cert" # You can override this name if needed + name: "mydomain-chat-cert" # You can override this name if needed domains: - chat.example.com # update to your real domain ingress: enabled: false class: "" - # -- Use appropriate annotations for your Ingress controller, e.g., for NGINX: + # -- Use appropriate annotations for your Ingress controller, e.g., for NGINX: annotations: {} # # Example for GKE Ingress # kubernetes.io/ingress.class: "gce" 
@@ -194,8 +193,8 @@ ingress: # nginx.ingress.kubernetes.io/ssl-redirect: "true" # nginx.ingress.kubernetes.io/permanent-redirect: "https://chat.example.com" # networking.gke.io/managed-certificates: "mydomain-chat-cert" - # # nginx.ingress.kubernetes.io/rewrite-target: / - host: "chat.example.com" # update to your real domain + # # nginx.ingress.kubernetes.io/rewrite-target: / + host: "chat.example.com" # update to your real domain additionalHosts: [] tls: false existingSecret: "" @@ -245,7 +244,8 @@ enableOpenaiApi: true openaiBaseApiUrl: "https://api.openai.com/v1" # -- OpenAI base API URLs to use. Overwrites the value in openaiBaseApiUrl if set -openaiBaseApiUrls: [] +openaiBaseApiUrls: + [] # - "https://api.openai.com/v1" # - "https://api.company.openai.com/v1" @@ -304,7 +304,6 @@ podSecurityContext: # supplementalGroups: [] # fsGroup: 1001 - # -- Configure container security context # ref: containerSecurityContext: 
@@ -321,6 +320,106 @@ containerSecurityContext: # seccompProfile: # type: "RuntimeDefault" +sso: + # -- **Enable SSO authentication globally** must enable to use SSO authentication + # @section -- SSO Configuration + enabled: false + # -- Enable account creation when logging in with OAuth (distinct from regular signup) + # @section -- SSO Configuration + enableSignup: false + # -- Allow logging into accounts that match email from OAuth provider (considered insecure) + # @section -- SSO Configuration + mergeAccountsByEmail: false + # -- Enable OAuth role management through access token roles claim + # @section -- SSO Configuration + enableRoleManagement: false + # -- Enable OAuth group management through access token groups claim + # @section -- SSO Configuration + enableGroupManagement: false + + google: + # -- Enable Google OAuth + # @section -- Google OAuth configuration + enabled: false + # -- Google OAuth client ID + # @section -- Google OAuth configuration + clientId: "" + # -- Google OAuth client secret + # @section -- Google OAuth configuration + clientSecret: "" + + microsoft: + # -- Enable Microsoft OAuth + # @section -- Microsoft OAuth configuration + enabled: false + # -- Microsoft OAuth client ID + # @section -- Microsoft OAuth configuration + clientId: "" + # -- Microsoft OAuth client secret + # @section -- Microsoft OAuth configuration + clientSecret: "" + # -- Microsoft tenant ID - use 9188040d-6c67-4c5b-b112-36a304b66dad for personal accounts + # @section -- Microsoft OAuth configuration + tenantId: "" + + github: + # -- Enable GitHub OAuth + # @section -- GitHub OAuth configuration + enabled: false + # -- GitHub OAuth client ID + # @section -- GitHub OAuth configuration + clientId: "" + # -- GitHub OAuth client secret + # @section -- GitHub OAuth configuration + clientSecret: "" + + oidc: + # -- Enable OIDC authentication + # @section -- OIDC configuration + enabled: false + # -- OIDC client ID + # @section -- OIDC configuration + clientId: "" + # 
-- OIDC client secret + # @section -- OIDC configuration + clientSecret: "" + # -- OIDC provider well known URL + # @section -- OIDC configuration + providerUrl: "" + # -- Name of the provider to show on the UI + # @section -- OIDC configuration + providerName: "SSO" + # -- Scopes to request (space-separated). + # @section -- OIDC configuration + scopes: "openid email profile" + + roleManagement: + # -- The claim that contains the roles (can be nested, e.g., user.roles) + # @section -- Role management configuration + rolesClaim: "roles" + # -- Comma-separated list of roles allowed to log in (receive open webui role user) + # @section -- Role management configuration + allowedRoles: "" + # -- Comma-separated list of roles allowed to log in as admin (receive open webui role admin) + # @section -- Role management configuration + adminRoles: "" + + groupManagement: + # -- The claim that contains the groups (can be nested, e.g., user.memberOf) + # @section -- SSO Configuration + groupsClaim: "groups" + + trustedHeader: + # -- Enable trusted header authentication + # @section -- SSO trusted header authentication + enabled: false + # -- Header containing the user's email address + # @section -- SSO trusted header authentication + emailHeader: "" + # -- Header containing the user's name (optional, used for new user creation) + # @section -- SSO trusted header authentication + nameHeader: "" + # -- Extra resources to deploy with Open WebUI extraResources: []
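Review bot: The `trustedHeader` keys describe what the header contains but not where it must come from, and with `enabled: true` the application presumably accepts whatever arrives in that header as an authenticated email, so a pod reachable other than through the proxy that sets it has no authentication at all. The comment on `trustedHeader.enabled` should carry that condition, e.g. `# -- Enable trusted header authentication. Only safe behind an authenticating reverse proxy that strips the client-supplied header and sets its own; the pod must not be reachable except through that proxy`. The four `clientSecret` keys are likewise plain strings that get committed alongside the rest of values.yaml; a one-line note pointing operators at `--set-file` or an external secret source would help. Minor: `groupManagement.groupsClaim` is tagged `@section -- SSO Configuration` while the `roleManagement` keys get their own `Role management configuration` section, so helm-docs lists the groups claim in a different table from its role counterparts.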