feat: add SSO and OAuth configuration options to README and values.yaml

Signed-off-by: Boris Bliznioukov <blib@mail.com>
2025-06-26 18:16:14 +00:00 · 2025-03-20 14:41:36 +01:00 · 2025-03-20 14:41:36 +01:00 · 57fd1bd513
commit 57fd1bd513
parent 8916b426ec
2 changed files with 94 additions and 39 deletions
--- a/charts/open-webui/README.md
+++ b/charts/open-webui/README.md
@ -40,6 +40,71 @@ helm upgrade --install open-webui open-webui/open-webui

 ## Values

+### SSO Configuration
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| sso.enableGroupManagement | bool | `false` | Enable OAuth group management through access token groups claim |
+| sso.enableRoleManagement | bool | `false` | Enable OAuth role management through access token roles claim |
+| sso.enableSignup | bool | `false` | Enable account creation when logging in with OAuth (distinct from regular signup) |
+| sso.enabled | bool | `false` | **Enable SSO authentication globally** must enable to use SSO authentication |
+| sso.groupManagement.groupsClaim | string | `"groups"` | The claim that contains the groups (can be nested, e.g., user.memberOf) |
+| sso.mergeAccountsByEmail | bool | `false` | Allow logging into accounts that match email from OAuth provider (considered insecure) |
+
+### GitHub OAuth configuration
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| sso.github.clientId | string | `""` | GitHub OAuth client ID |
+| sso.github.clientSecret | string | `""` | GitHub OAuth client secret |
+| sso.github.enabled | bool | `false` | Enable GitHub OAuth |
+
+### Google OAuth configuration
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| sso.google.clientId | string | `""` | Google OAuth client ID |
+| sso.google.clientSecret | string | `""` | Google OAuth client secret |
+| sso.google.enabled | bool | `false` | Enable Google OAuth |
+
+### Microsoft OAuth configuration
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| sso.microsoft.clientId | string | `""` | Microsoft OAuth client ID |
+| sso.microsoft.clientSecret | string | `""` | Microsoft OAuth client secret |
+| sso.microsoft.enabled | bool | `false` | Enable Microsoft OAuth |
+| sso.microsoft.tenantId | string | `""` | Microsoft tenant ID - use 9188040d-6c67-4c5b-b112-36a304b66dad for personal accounts |
+
+### OIDC configuration
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| sso.oidc.clientId | string | `""` | OIDC client ID |
+| sso.oidc.clientSecret | string | `""` | OIDC client secret |
+| sso.oidc.enabled | bool | `false` | Enable OIDC authentication |
+| sso.oidc.providerName | string | `"SSO"` | Name of the provider to show on the UI |
+| sso.oidc.providerUrl | string | `""` | OIDC provider well known URL |
+| sso.oidc.scopes | string | `"openid email profile"` | Scopes to request (space-separated). |
+
+### Role management configuration
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| sso.roleManagement.adminRoles | string | `""` | Comma-separated list of roles allowed to log in as admin (receive open webui role admin) |
+| sso.roleManagement.allowedRoles | string | `""` | Comma-separated list of roles allowed to log in (receive open webui role user) |
+| sso.roleManagement.rolesClaim | string | `"roles"` | The claim that contains the roles (can be nested, e.g., user.roles) |
+
+### SSO trusted header authentication
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| sso.trustedHeader.emailHeader | string | `""` | Header containing the user's email address |
+| sso.trustedHeader.enabled | bool | `false` | Enable trusted header authentication |
+| sso.trustedHeader.nameHeader | string | `""` | Header containing the user's name (optional, used for new user creation) |
+
+### Other Values
+
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | affinity | object | `{}` | Affinity for pod assignment |
@ -103,34 +168,6 @@ helm upgrade --install open-webui open-webui/open-webui
 | serviceAccount.automountServiceAccountToken | bool | `false` |  |
 | serviceAccount.enable | bool | `true` |  |
 | serviceAccount.name | string | `""` |  |
-| sso.enableGroupManagement | bool | `false` | Enable OAuth group management through access token groups claim |
-| sso.enableRoleManagement | bool | `false` | Enable OAuth role management through access token roles claim |
-| sso.enableSignup | bool | `false` | Enable account creation when logging in with OAuth (distinct from regular signup) |
-| sso.enabled | bool | `false` | Enable SSO authentication globally |
-| sso.github.clientId | string | `""` | GitHub OAuth client ID |
-| sso.github.clientSecret | string | `""` | GitHub OAuth client secret |
-| sso.github.enabled | bool | `false` | Enable GitHub OAuth |
-| sso.google.clientId | string | `""` | Google OAuth client ID |
-| sso.google.clientSecret | string | `""` | Google OAuth client secret |
-| sso.google.enabled | bool | `false` | Enable Google OAuth |
-| sso.groupManagement.groupsClaim | string | `"groups"` | The claim that contains the groups (can be nested, e.g., user.memberOf) |
-| sso.mergeAccountsByEmail | bool | `false` | Allow logging into accounts that match email from OAuth provider (considered insecure) |
-| sso.microsoft.clientId | string | `""` | Microsoft OAuth client ID |
-| sso.microsoft.clientSecret | string | `""` | Microsoft OAuth client secret |
-| sso.microsoft.enabled | bool | `false` | Enable Microsoft OAuth |
-| sso.microsoft.tenantId | string | `""` | Microsoft tenant ID - use 9188040d-6c67-4c5b-b112-36a304b66dad for personal accounts |
-| sso.oidc.clientId | string | `""` | OIDC client ID |
-| sso.oidc.clientSecret | string | `""` | OIDC client secret |
-| sso.oidc.enabled | bool | `false` | Enable OIDC authentication |
-| sso.oidc.providerName | string | `"SSO"` | Name of the provider to show on the UI |
-| sso.oidc.providerUrl | string | `""` | OIDC provider well known URL |
-| sso.oidc.scopes | string | `"openid email profile"` | Scopes to request (space-separated). |
-| sso.roleManagement.adminRoles | string | `""` | Comma-separated list of roles allowed to log in as admin (receive open webui role admin) |
-| sso.roleManagement.allowedRoles | string | `""` | Comma-separated list of roles allowed to log in (receive open webui role user) |
-| sso.roleManagement.rolesClaim | string | `"roles"` | The claim that contains the roles (can be nested, e.g., user.roles) |
-| sso.trustedHeader.emailHeader | string | `""` | Header containing the user's email address |
-| sso.trustedHeader.enabled | bool | `false` | Enable trusted header authentication |
-| sso.trustedHeader.nameHeader | string | `""` | Header containing the user's name (optional, used for new user creation) |
 | startupProbe | object | `{}` | Probe for startup of the Open WebUI container ref: <https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes> |
 | strategy | object | `{}` | Strategy for updating the workload manager: deployment or statefulset |
 | tika.enabled | bool | `false` | Automatically install Apache Tika to extend Open WebUI |
--- a/charts/open-webui/values.yaml
+++ b/charts/open-webui/values.yaml
@ -1,6 +1,5 @@
 nameOverride: ""
 namespaceOverride: ""
-# @section -- OLLAMA
 ollama:
  # -- Automatically install Ollama Helm chart from https://otwld.github.io/ollama-helm/. Use [Helm Values](https://github.com/otwld/ollama-helm/#helm-values) to configure
  enabled: true
@ -321,85 +320,104 @@ containerSecurityContext:
  # seccompProfile:
  #   type: "RuntimeDefault"

-# @section -- SSO Configuration
 sso:
-  # -- Enable SSO authentication globally
+  # -- **Enable SSO authentication globally** must enable to use SSO authentication
+  # @section -- SSO Configuration
  enabled: false
  # -- Enable account creation when logging in with OAuth (distinct from regular signup)
+  # @section -- SSO Configuration
  enableSignup: false
  # -- Allow logging into accounts that match email from OAuth provider (considered insecure)
+  # @section -- SSO Configuration
  mergeAccountsByEmail: false
  # -- Enable OAuth role management through access token roles claim
+  # @section -- SSO Configuration
  enableRoleManagement: false
  # -- Enable OAuth group management through access token groups claim
+  # @section -- SSO Configuration
  enableGroupManagement: false

-  # @section -- Google OAuth configuration
  google:
    # -- Enable Google OAuth
+    # @section -- Google OAuth configuration
    enabled: false
    # -- Google OAuth client ID
+    # @section -- Google OAuth configuration
    clientId: ""
    # -- Google OAuth client secret
+    # @section -- Google OAuth configuration
    clientSecret: ""

-  # @section -- Microsoft OAuth configuration
  microsoft:
    # -- Enable Microsoft OAuth
+    # @section -- Microsoft OAuth configuration
    enabled: false
    # -- Microsoft OAuth client ID
+    # @section -- Microsoft OAuth configuration
    clientId: ""
    # -- Microsoft OAuth client secret
+    # @section -- Microsoft OAuth configuration
    clientSecret: ""
    # -- Microsoft tenant ID - use 9188040d-6c67-4c5b-b112-36a304b66dad for personal accounts
+    # @section -- Microsoft OAuth configuration
    tenantId: ""

-  # @section -- GitHub OAuth configuration
  github:
    # -- Enable GitHub OAuth
+    # @section -- GitHub OAuth configuration
    enabled: false
    # -- GitHub OAuth client ID
+    # @section -- GitHub OAuth configuration
    clientId: ""
    # -- GitHub OAuth client secret
+    # @section -- GitHub OAuth configuration
    clientSecret: ""

-  # @section -- OIDC configuration
  oidc:
    # -- Enable OIDC authentication
+    # @section -- OIDC configuration
    enabled: false
    # -- OIDC client ID
+    # @section -- OIDC configuration
    clientId: ""
    # -- OIDC client secret
+    # @section -- OIDC configuration
    clientSecret: ""
    # -- OIDC provider well known URL
+    # @section -- OIDC configuration
    providerUrl: ""
    # -- Name of the provider to show on the UI
+    # @section -- OIDC configuration
    providerName: "SSO"
    # -- Scopes to request (space-separated).
+    # @section -- OIDC configuration
    scopes: "openid email profile"

-  # @section -- Role management configuration
  roleManagement:
    # -- The claim that contains the roles (can be nested, e.g., user.roles)
+    # @section -- Role management configuration
    rolesClaim: "roles"
    # -- Comma-separated list of roles allowed to log in (receive open webui role user)
+    # @section -- Role management configuration
    allowedRoles: ""
    # -- Comma-separated list of roles allowed to log in as admin (receive open webui role admin)
+    # @section -- Role management configuration
    adminRoles: ""

-  # @section -- Group management configuration
-  # @default -- "groups"
  groupManagement:
    # -- The claim that contains the groups (can be nested, e.g., user.memberOf)
+    # @section -- SSO Configuration
    groupsClaim: "groups"

-  # @section -- Trusted header authentication
  trustedHeader:
    # -- Enable trusted header authentication
+    # @section -- SSO trusted header authentication
    enabled: false
    # -- Header containing the user's email address
+    # @section -- SSO trusted header authentication
    emailHeader: ""
    # -- Header containing the user's name (optional, used for new user creation)
+    # @section -- SSO trusted header authentication
    nameHeader: ""

 # -- Extra resources to deploy with Open WebUI