OpenWebUI/helm-charts
1
0
Fork 0
mirror of https://github.com/open-webui/helm-charts synced 2025-06-16 11:31:30 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #208 from blib/main

Browse Source 
Add support for SSO/OIDC
This commit is contained in:
James W. 2025-03-31 21:09:20 -06:00 committed by GitHub
commit 1647c29b02
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 245 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

71
charts/open-webui/README.md
View File

@ -1,6 +1,6 @@
# open-webui # open-webui
![Version: 5.24.0](https://img.shields.io/badge/Version-5.24.0-informational?style=flat-square) ![AppVersion: 0.5.20](https://img.shields.io/badge/AppVersion-0.5.20-informational?style=flat-square) ![Version: 5.25.0](https://img.shields.io/badge/Version-5.25.0-informational?style=flat-square) ![AppVersion: 0.5.20](https://img.shields.io/badge/AppVersion-0.5.20-informational?style=flat-square)
Open WebUI: A User-Friendly Web Interface for Chat Interactions 👋 Open WebUI: A User-Friendly Web Interface for Chat Interactions 👋
@ -40,6 +40,71 @@ helm upgrade --install open-webui open-webui/open-webui
## Values ## Values
### SSO Configuration
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| sso.enableGroupManagement | bool | `false` | Enable OAuth group management through access token groups claim |
| sso.enableRoleManagement | bool | `false` | Enable OAuth role management through access token roles claim |
| sso.enableSignup | bool | `false` | Enable account creation when logging in with OAuth (distinct from regular signup) |
| sso.enabled | bool | `false` | **Enable SSO authentication globally** must enable to use SSO authentication |
| sso.groupManagement.groupsClaim | string | `"groups"` | The claim that contains the groups (can be nested, e.g., user.memberOf) |
| sso.mergeAccountsByEmail | bool | `false` | Allow logging into accounts that match email from OAuth provider (considered insecure) |
### GitHub OAuth configuration
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| sso.github.clientId | string | `""` | GitHub OAuth client ID |
| sso.github.clientSecret | string | `""` | GitHub OAuth client secret |
| sso.github.enabled | bool | `false` | Enable GitHub OAuth |
### Google OAuth configuration
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| sso.google.clientId | string | `""` | Google OAuth client ID |
| sso.google.clientSecret | string | `""` | Google OAuth client secret |
| sso.google.enabled | bool | `false` | Enable Google OAuth |
### Microsoft OAuth configuration
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| sso.microsoft.clientId | string | `""` | Microsoft OAuth client ID |
| sso.microsoft.clientSecret | string | `""` | Microsoft OAuth client secret |
| sso.microsoft.enabled | bool | `false` | Enable Microsoft OAuth |
| sso.microsoft.tenantId | string | `""` | Microsoft tenant ID - use 9188040d-6c67-4c5b-b112-36a304b66dad for personal accounts |
### OIDC configuration
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| sso.oidc.clientId | string | `""` | OIDC client ID |
| sso.oidc.clientSecret | string | `""` | OIDC client secret |
| sso.oidc.enabled | bool | `false` | Enable OIDC authentication |
| sso.oidc.providerName | string | `"SSO"` | Name of the provider to show on the UI |
| sso.oidc.providerUrl | string | `""` | OIDC provider well known URL |
| sso.oidc.scopes | string | `"openid email profile"` | Scopes to request (space-separated). |
### Role management configuration
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| sso.roleManagement.adminRoles | string | `""` | Comma-separated list of roles allowed to log in as admin (receive open webui role admin) |
| sso.roleManagement.allowedRoles | string | `""` | Comma-separated list of roles allowed to log in (receive open webui role user) |
| sso.roleManagement.rolesClaim | string | `"roles"` | The claim that contains the roles (can be nested, e.g., user.roles) |
### SSO trusted header authentication
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| sso.trustedHeader.emailHeader | string | `""` | Header containing the user's email address |
| sso.trustedHeader.enabled | bool | `false` | Enable trusted header authentication |
| sso.trustedHeader.nameHeader | string | `""` | Header containing the user's name (optional, used for new user creation) |
### Other Values
| Key | Type | Default | Description | | Key | Type | Default | Description |
|-----|------|---------|-------------| |-----|------|---------|-------------|
| affinity | object | `{}` | Affinity for pod assignment | | affinity | object | `{}` | Affinity for pod assignment |
@ -112,7 +177,7 @@ helm upgrade --install open-webui open-webui/open-webui
| volumes | list | `[]` | Configure pod volumes ref: <https://kubernetes.io/docs/tasks/configure-pod-container/configure-volume-storage/> | | volumes | list | `[]` | Configure pod volumes ref: <https://kubernetes.io/docs/tasks/configure-pod-container/configure-volume-storage/> |
| websocket.enabled | bool | `false` | Enables websocket support in Open WebUI with env `ENABLE_WEBSOCKET_SUPPORT` | | websocket.enabled | bool | `false` | Enables websocket support in Open WebUI with env `ENABLE_WEBSOCKET_SUPPORT` |
| websocket.manager | string | `"redis"` | Specifies the websocket manager to use with env `WEBSOCKET_MANAGER`: redis (default) | | websocket.manager | string | `"redis"` | Specifies the websocket manager to use with env `WEBSOCKET_MANAGER`: redis (default) |
| websocket.redis | object | `{"affinity":{},"annotations":{},"args":[],"command":[],"enabled":true,"image":{"pullPolicy":"IfNotPresent","repository":"redis","tag":"7.4.2-alpine3.21"},"labels":{},"name":"open-webui-redis","pods":{"annotations":{}},"resources":{},"service":{"annotations":{},"containerPort":6379,"labels":{},"nodePort":"","port":6379,"type":"ClusterIP"},"tolerations":[]}` | Deploys a redis | | websocket.redis | object | `{"affinity":{},"annotations":{},"args":[],"command":[],"enabled":true,"image":{"pullPolicy":"IfNotPresent","repository":"redis","tag":"7.4.2-alpine3.21"},"labels":{},"name":"open-webui-redis","pods":{"annotations":{}},"resources":{},"securityContext":{},"service":{"annotations":{},"containerPort":6379,"labels":{},"nodePort":"","port":6379,"type":"ClusterIP"},"tolerations":[]}` | Deploys a redis |
| websocket.redis.affinity | object | `{}` | Redis affinity for pod assignment | | websocket.redis.affinity | object | `{}` | Redis affinity for pod assignment |
| websocket.redis.annotations | object | `{}` | Redis annotations | | websocket.redis.annotations | object | `{}` | Redis annotations |
| websocket.redis.args | list | `[]` | Redis arguments (overrides default) | | websocket.redis.args | list | `[]` | Redis arguments (overrides default) |
@ -124,7 +189,7 @@ helm upgrade --install open-webui open-webui/open-webui
| websocket.redis.pods | object | `{"annotations":{}}` | Redis pod | | websocket.redis.pods | object | `{"annotations":{}}` | Redis pod |
| websocket.redis.pods.annotations | object | `{}` | Redis pod annotations | | websocket.redis.pods.annotations | object | `{}` | Redis pod annotations |
| websocket.redis.resources | object | `{}` | Redis resources | | websocket.redis.resources | object | `{}` | Redis resources |
| websocket.redis.securityContext | object | `{}` | Redis security context ref: <https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-containe> | | websocket.redis.securityContext | object | `{}` | Redis security context |
| websocket.redis.service | object | `{"annotations":{},"containerPort":6379,"labels":{},"nodePort":"","port":6379,"type":"ClusterIP"}` | Redis service | | websocket.redis.service | object | `{"annotations":{},"containerPort":6379,"labels":{},"nodePort":"","port":6379,"type":"ClusterIP"}` | Redis service |
| websocket.redis.service.annotations | object | `{}` | Redis service annotations | | websocket.redis.service.annotations | object | `{}` | Redis service annotations |
| websocket.redis.service.containerPort | int | `6379` | Redis container/target port | | websocket.redis.service.containerPort | int | `6379` | Redis container/target port |

70
charts/open-webui/templates/workload-manager.yaml
View File

@ -161,6 +161,76 @@ spec:
- name: "WEBSOCKET_REDIS_URL" - name: "WEBSOCKET_REDIS_URL"
value: {{ .Values.websocket.url | quote }} value: {{ .Values.websocket.url | quote }}
{{- end }} {{- end }}
{{- if .Values.sso.enabled }}
{{- if .Values.sso.enableSignup }}
- name: "ENABLE_OAUTH_SIGNUP"
value: "True"
{{- end }}
{{- if .Values.sso.mergeAccountsByEmail }}
- name: "OAUTH_MERGE_ACCOUNTS_BY_EMAIL"
value: "True"
{{- end }}
{{- if .Values.sso.google.enabled }}
- name: "GOOGLE_CLIENT_ID"
value: {{ .Values.sso.google.clientId | quote }}
- name: "GOOGLE_CLIENT_SECRET"
value: {{ .Values.sso.google.clientSecret | quote }}
{{- end }}
{{- if .Values.sso.microsoft.enabled }}
- name: "MICROSOFT_CLIENT_ID"
value: {{ .Values.sso.microsoft.clientId | quote }}
- name: "MICROSOFT_CLIENT_SECRET"
value: {{ .Values.sso.microsoft.clientSecret | quote }}
- name: "MICROSOFT_CLIENT_TENANT_ID"
value: {{ .Values.sso.microsoft.tenantId | quote }}
{{- end }}
{{- if .Values.sso.github.enabled }}
- name: "GITHUB_CLIENT_ID"
value: {{ .Values.sso.github.clientId | quote }}
- name: "GITHUB_CLIENT_SECRET"
value: {{ .Values.sso.github.clientSecret | quote }}
{{- end }}
{{- if .Values.sso.oidc.enabled }}
- name: "OAUTH_CLIENT_ID"
value: {{ .Values.sso.oidc.clientId | quote }}
- name: "OAUTH_CLIENT_SECRET"
value: {{ .Values.sso.oidc.clientSecret | quote }}
- name: "OPENID_PROVIDER_URL"
value: {{ .Values.sso.oidc.providerUrl | quote }}
- name: "OAUTH_PROVIDER_NAME"
value: {{ .Values.sso.oidc.providerName | quote }}
- name: "OAUTH_SCOPES"
value: {{ .Values.sso.oidc.scopes | quote }}
{{- end }}
{{- if .Values.sso.enableRoleManagement }}
- name: "ENABLE_OAUTH_ROLE_MANAGEMENT"
value: "True"
- name: "OAUTH_ROLES_CLAIM"
value: {{ .Values.sso.roleManagement.rolesClaim | quote }}
{{- if .Values.sso.roleManagement.allowedRoles }}
- name: "OAUTH_ALLOWED_ROLES"
value: {{ .Values.sso.roleManagement.allowedRoles | quote }}
{{- end }}
{{- if .Values.sso.roleManagement.adminRoles }}
- name: "OAUTH_ADMIN_ROLES"
value: {{ .Values.sso.roleManagement.adminRoles | quote }}
{{- end }}
{{- end }}
{{- if .Values.sso.enableGroupManagement }}
- name: "ENABLE_OAUTH_GROUP_MANAGEMENT"
value: "True"
- name: "OAUTH_GROUP_CLAIM"
value: {{ .Values.sso.groupManagement.groupsClaim | quote }}
{{- end }}
{{- if .Values.sso.trustedHeader.enabled }}
- name: "WEBUI_AUTH_TRUSTED_EMAIL_HEADER"
value: {{ .Values.sso.trustedHeader.emailHeader | quote }}
{{- if .Values.sso.trustedHeader.nameHeader }}
- name: "WEBUI_AUTH_TRUSTED_NAME_HEADER"
value: {{ .Values.sso.trustedHeader.nameHeader | quote }}
{{- end }}
{{- end }}
{{- end }}
tty: true tty: true
{{- with .Values.nodeSelector }} {{- with .Values.nodeSelector }}
nodeSelector: nodeSelector:

105
charts/open-webui/values.yaml
View File

@ -1,6 +1,5 @@
nameOverride: "" nameOverride: ""
namespaceOverride: "" namespaceOverride: ""
ollama: ollama:
# -- Automatically install Ollama Helm chart from https://otwld.github.io/ollama-helm/. Use [Helm Values](https://github.com/otwld/ollama-helm/#helm-values) to configure # -- Automatically install Ollama Helm chart from https://otwld.github.io/ollama-helm/. Use [Helm Values](https://github.com/otwld/ollama-helm/#helm-values) to configure
enabled: true enabled: true
@ -245,7 +244,8 @@ enableOpenaiApi: true
openaiBaseApiUrl: "https://api.openai.com/v1" openaiBaseApiUrl: "https://api.openai.com/v1"
# -- OpenAI base API URLs to use. Overwrites the value in openaiBaseApiUrl if set # -- OpenAI base API URLs to use. Overwrites the value in openaiBaseApiUrl if set
openaiBaseApiUrls: [] openaiBaseApiUrls:
[]
# - "https://api.openai.com/v1" # - "https://api.openai.com/v1"
# - "https://api.company.openai.com/v1" # - "https://api.company.openai.com/v1"
@ -304,7 +304,6 @@ podSecurityContext:
# supplementalGroups: [] # supplementalGroups: []
# fsGroup: 1001 # fsGroup: 1001
# -- Configure container security context # -- Configure container security context
# ref: <https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-containe> # ref: <https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-containe>
containerSecurityContext: containerSecurityContext:
@ -321,6 +320,106 @@ containerSecurityContext:
# seccompProfile: # seccompProfile:
# type: "RuntimeDefault" # type: "RuntimeDefault"
sso:
# -- **Enable SSO authentication globally** must enable to use SSO authentication
# @section -- SSO Configuration
enabled: false
# -- Enable account creation when logging in with OAuth (distinct from regular signup)
# @section -- SSO Configuration
enableSignup: false
# -- Allow logging into accounts that match email from OAuth provider (considered insecure)
# @section -- SSO Configuration
mergeAccountsByEmail: false
# -- Enable OAuth role management through access token roles claim
# @section -- SSO Configuration
enableRoleManagement: false
# -- Enable OAuth group management through access token groups claim
# @section -- SSO Configuration
enableGroupManagement: false
google:
# -- Enable Google OAuth
# @section -- Google OAuth configuration
enabled: false
# -- Google OAuth client ID
# @section -- Google OAuth configuration
clientId: ""
# -- Google OAuth client secret
# @section -- Google OAuth configuration
clientSecret: ""
microsoft:
# -- Enable Microsoft OAuth
# @section -- Microsoft OAuth configuration
enabled: false
# -- Microsoft OAuth client ID
# @section -- Microsoft OAuth configuration
clientId: ""
# -- Microsoft OAuth client secret
# @section -- Microsoft OAuth configuration
clientSecret: ""
# -- Microsoft tenant ID - use 9188040d-6c67-4c5b-b112-36a304b66dad for personal accounts
# @section -- Microsoft OAuth configuration
tenantId: ""
github:
# -- Enable GitHub OAuth
# @section -- GitHub OAuth configuration
enabled: false
# -- GitHub OAuth client ID
# @section -- GitHub OAuth configuration
clientId: ""
# -- GitHub OAuth client secret
# @section -- GitHub OAuth configuration
clientSecret: ""
oidc:
# -- Enable OIDC authentication
# @section -- OIDC configuration
enabled: false
# -- OIDC client ID
# @section -- OIDC configuration
clientId: ""
# -- OIDC client secret
# @section -- OIDC configuration
clientSecret: ""
# -- OIDC provider well known URL
# @section -- OIDC configuration
providerUrl: ""
# -- Name of the provider to show on the UI
# @section -- OIDC configuration
providerName: "SSO"
# -- Scopes to request (space-separated).
# @section -- OIDC configuration
scopes: "openid email profile"
roleManagement:
# -- The claim that contains the roles (can be nested, e.g., user.roles)
# @section -- Role management configuration
rolesClaim: "roles"
# -- Comma-separated list of roles allowed to log in (receive open webui role user)
# @section -- Role management configuration
allowedRoles: ""
# -- Comma-separated list of roles allowed to log in as admin (receive open webui role admin)
# @section -- Role management configuration
adminRoles: ""
groupManagement:
# -- The claim that contains the groups (can be nested, e.g., user.memberOf)
# @section -- SSO Configuration
groupsClaim: "groups"
trustedHeader:
# -- Enable trusted header authentication
# @section -- SSO trusted header authentication
enabled: false
# -- Header containing the user's email address
# @section -- SSO trusted header authentication
emailHeader: ""
# -- Header containing the user's name (optional, used for new user creation)
# @section -- SSO trusted header authentication
nameHeader: ""
# -- Extra resources to deploy with Open WebUI # -- Extra resources to deploy with Open WebUI
extraResources: extraResources:
[] []