From 57fd1bd51353f2a3cb6f7f4cb4ea0c3db96f7761 Mon Sep 17 00:00:00 2001
From: Boris Bliznioukov
Date: Thu, 20 Mar 2025 14:41:36 +0100
Subject: [PATCH] feat: add SSO and OAuth configuration options to README and values.yaml

Signed-off-by: Boris Bliznioukov
---
 charts/open-webui/README.md   | 93 ++++++++++++++++++++++++-----------
 charts/open-webui/values.yaml | 40 ++++++++++-----
 2 files changed, 94 insertions(+), 39 deletions(-)

diff --git a/charts/open-webui/README.md b/charts/open-webui/README.md
index aa1d20d..73a611f 100644
--- a/charts/open-webui/README.md
+++ b/charts/open-webui/README.md
@@ -40,6 +40,71 @@ helm upgrade --install open-webui open-webui/open-webui
 
 ## Values
 
+### SSO Configuration
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| sso.enableGroupManagement | bool | `false` | Enable OAuth group management through access token groups claim |
+| sso.enableRoleManagement | bool | `false` | Enable OAuth role management through access token roles claim |
+| sso.enableSignup | bool | `false` | Enable account creation when logging in with OAuth (distinct from regular signup) |
+| sso.enabled | bool | `false` | **Enable SSO authentication globally** must enable to use SSO authentication |
+| sso.groupManagement.groupsClaim | string | `"groups"` | The claim that contains the groups (can be nested, e.g., user.memberOf) |
+| sso.mergeAccountsByEmail | bool | `false` | Allow logging into accounts that match email from OAuth provider (considered insecure) |
+
+### GitHub OAuth configuration
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| sso.github.clientId | string | `""` | GitHub OAuth client ID |
+| sso.github.clientSecret | string | `""` | GitHub OAuth client secret |
+| sso.github.enabled | bool | `false` | Enable GitHub OAuth |
+
+### Google OAuth configuration
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| sso.google.clientId | string | `""` | Google OAuth client ID |
+| sso.google.clientSecret | string | `""` | Google OAuth client secret |
+| sso.google.enabled | bool | `false` | Enable Google OAuth |
+
+### Microsoft OAuth configuration
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| sso.microsoft.clientId | string | `""` | Microsoft OAuth client ID |
+| sso.microsoft.clientSecret | string | `""` | Microsoft OAuth client secret |
+| sso.microsoft.enabled | bool | `false` | Enable Microsoft OAuth |
+| sso.microsoft.tenantId | string | `""` | Microsoft tenant ID - use 9188040d-6c67-4c5b-b112-36a304b66dad for personal accounts |
+
+### OIDC configuration
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| sso.oidc.clientId | string | `""` | OIDC client ID |
+| sso.oidc.clientSecret | string | `""` | OIDC client secret |
+| sso.oidc.enabled | bool | `false` | Enable OIDC authentication |
+| sso.oidc.providerName | string | `"SSO"` | Name of the provider to show on the UI |
+| sso.oidc.providerUrl | string | `""` | OIDC provider well known URL |
+| sso.oidc.scopes | string | `"openid email profile"` | Scopes to request (space-separated). |
+
+### Role management configuration
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| sso.roleManagement.adminRoles | string | `""` | Comma-separated list of roles allowed to log in as admin (receive open webui role admin) |
+| sso.roleManagement.allowedRoles | string | `""` | Comma-separated list of roles allowed to log in (receive open webui role user) |
+| sso.roleManagement.rolesClaim | string | `"roles"` | The claim that contains the roles (can be nested, e.g., user.roles) |
+
+### SSO trusted header authentication
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| sso.trustedHeader.emailHeader | string | `""` | Header containing the user's email address |
+| sso.trustedHeader.enabled | bool | `false` | Enable trusted header authentication |
+| sso.trustedHeader.nameHeader | string | `""` | Header containing the user's name (optional, used for new user creation) |
+
+### Other Values
+
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | affinity | object | `{}` | Affinity for pod assignment |
@@ -103,34 +168,6 @@ helm upgrade --install open-webui open-webui/open-webui
 | serviceAccount.automountServiceAccountToken | bool | `false` | |
 | serviceAccount.enable | bool | `true` | |
 | serviceAccount.name | string | `""` | |
-| sso.enableGroupManagement | bool | `false` | Enable OAuth group management through access token groups claim |
-| sso.enableRoleManagement | bool | `false` | Enable OAuth role management through access token roles claim |
-| sso.enableSignup | bool | `false` | Enable account creation when logging in with OAuth (distinct from regular signup) |
-| sso.enabled | bool | `false` | Enable SSO authentication globally |
-| sso.github.clientId | string | `""` | GitHub OAuth client ID |
-| sso.github.clientSecret | string | `""` | GitHub OAuth client secret |
-| sso.github.enabled | bool | `false` | Enable GitHub OAuth |
-| sso.google.clientId | string | `""` | Google OAuth client ID |
-| sso.google.clientSecret | string | `""` | Google OAuth client secret |
-| sso.google.enabled | bool | `false` | Enable Google OAuth |
-| sso.groupManagement.groupsClaim | string | `"groups"` | The claim that contains the groups (can be nested, e.g., user.memberOf) |
-| sso.mergeAccountsByEmail | bool | `false` | Allow logging into accounts that match email from OAuth provider (considered insecure) |
-| sso.microsoft.clientId | string | `""` | Microsoft OAuth client ID |
-| sso.microsoft.clientSecret | string | `""` | Microsoft OAuth client secret |
-| sso.microsoft.enabled | bool | `false` | Enable Microsoft OAuth |
-| sso.microsoft.tenantId | string | `""` | Microsoft tenant ID - use 9188040d-6c67-4c5b-b112-36a304b66dad for personal accounts |
-| sso.oidc.clientId | string | `""` | OIDC client ID |
-| sso.oidc.clientSecret | string | `""` | OIDC client secret |
-| sso.oidc.enabled | bool | `false` | Enable OIDC authentication |
-| sso.oidc.providerName | string | `"SSO"` | Name of the provider to show on the UI |
-| sso.oidc.providerUrl | string | `""` | OIDC provider well known URL |
-| sso.oidc.scopes | string | `"openid email profile"` | Scopes to request (space-separated). |
-| sso.roleManagement.adminRoles | string | `""` | Comma-separated list of roles allowed to log in as admin (receive open webui role admin) |
-| sso.roleManagement.allowedRoles | string | `""` | Comma-separated list of roles allowed to log in (receive open webui role user) |
-| sso.roleManagement.rolesClaim | string | `"roles"` | The claim that contains the roles (can be nested, e.g., user.roles) |
-| sso.trustedHeader.emailHeader | string | `""` | Header containing the user's email address |
-| sso.trustedHeader.enabled | bool | `false` | Enable trusted header authentication |
-| sso.trustedHeader.nameHeader | string | `""` | Header containing the user's name (optional, used for new user creation) |
 | startupProbe | object | `{}` | Probe for startup of the Open WebUI container ref: |
 | strategy | object | `{}` | Strategy for updating the workload manager: deployment or statefulset |
 | tika.enabled | bool | `false` | Automatically install Apache Tika to extend Open WebUI |
diff --git a/charts/open-webui/values.yaml b/charts/open-webui/values.yaml
index 30a5ba2..fa3327f 100644
--- a/charts/open-webui/values.yaml
+++ b/charts/open-webui/values.yaml
@@ -1,6 +1,5 @@
 nameOverride: ""
 namespaceOverride: ""
-# @section -- OLLAMA
 ollama:
   # -- Automatically install Ollama Helm chart from https://otwld.github.io/ollama-helm/. Use [Helm Values](https://github.com/otwld/ollama-helm/#helm-values) to configure
   enabled: true
@@ -321,85 +320,104 @@ containerSecurityContext:
 # seccompProfile:
 # type: "RuntimeDefault"
 
-# @section -- SSO Configuration
 sso:
-  # -- Enable SSO authentication globally
+  # -- **Enable SSO authentication globally** must enable to use SSO authentication
+  # @section -- SSO Configuration
   enabled: false
   # -- Enable account creation when logging in with OAuth (distinct from regular signup)
+  # @section -- SSO Configuration
   enableSignup: false
   # -- Allow logging into accounts that match email from OAuth provider (considered insecure)
+  # @section -- SSO Configuration
   mergeAccountsByEmail: false
   # -- Enable OAuth role management through access token roles claim
+  # @section -- SSO Configuration
   enableRoleManagement: false
   # -- Enable OAuth group management through access token groups claim
+  # @section -- SSO Configuration
   enableGroupManagement: false
 
-  # @section -- Google OAuth configuration
   google:
     # -- Enable Google OAuth
+    # @section -- Google OAuth configuration
     enabled: false
     # -- Google OAuth client ID
+    # @section -- Google OAuth configuration
     clientId: ""
     # -- Google OAuth client secret
+    # @section -- Google OAuth configuration
     clientSecret: ""
 
-  # @section -- Microsoft OAuth configuration
   microsoft:
     # -- Enable Microsoft OAuth
+    # @section -- Microsoft OAuth configuration
     enabled: false
     # -- Microsoft OAuth client ID
+    # @section -- Microsoft OAuth configuration
     clientId: ""
     # -- Microsoft OAuth client secret
+    # @section -- Microsoft OAuth configuration
     clientSecret: ""
     # -- Microsoft tenant ID - use 9188040d-6c67-4c5b-b112-36a304b66dad for personal accounts
+    # @section -- Microsoft OAuth configuration
     tenantId: ""
 
-  # @section -- GitHub OAuth configuration
   github:
     # -- Enable GitHub OAuth
+    # @section -- GitHub OAuth configuration
     enabled: false
     # -- GitHub OAuth client ID
+    # @section -- GitHub OAuth configuration
     clientId: ""
     # -- GitHub OAuth client secret
+    # @section -- GitHub OAuth configuration
     clientSecret: ""
 
-  # @section -- OIDC configuration
   oidc:
     # -- Enable OIDC authentication
+    # @section -- OIDC configuration
     enabled: false
     # -- OIDC client ID
+    # @section -- OIDC configuration
     clientId: ""
     # -- OIDC client secret
+    # @section -- OIDC configuration
     clientSecret: ""
     # -- OIDC provider well known URL
+    # @section -- OIDC configuration
     providerUrl: ""
     # -- Name of the provider to show on the UI
+    # @section -- OIDC configuration
     providerName: "SSO"
     # -- Scopes to request (space-separated).
+    # @section -- OIDC configuration
     scopes: "openid email profile"
 
-  # @section -- Role management configuration
   roleManagement:
     # -- The claim that contains the roles (can be nested, e.g., user.roles)
+    # @section -- Role management configuration
     rolesClaim: "roles"
     # -- Comma-separated list of roles allowed to log in (receive open webui role user)
+    # @section -- Role management configuration
     allowedRoles: ""
     # -- Comma-separated list of roles allowed to log in as admin (receive open webui role admin)
+    # @section -- Role management configuration
     adminRoles: ""
 
-  # @section -- Group management configuration
-  # @default -- "groups"
   groupManagement:
     # -- The claim that contains the groups (can be nested, e.g., user.memberOf)
+    # @section -- SSO Configuration
     groupsClaim: "groups"
 
-  # @section -- Trusted header authentication
   trustedHeader:
     # -- Enable trusted header authentication
+    # @section -- SSO trusted header authentication
     enabled: false
     # -- Header containing the user's email address
+    # @section -- SSO trusted header authentication
     emailHeader: ""
     # -- Header containing the user's name (optional, used for new user creation)
+    # @section -- SSO trusted header authentication
     nameHeader: ""
 
 # -- Extra resources to deploy with Open WebUI
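Review bot: The `trustedHeader` descriptions this hunk re-tags (the three `# @section -- SSO trusted header authentication` lines near the end) still do not state the deployment precondition that the email and name headers are, as far as these descriptions show, trusted as received, so an operator who enables it behind a proxy that forwards client-supplied headers would let any caller sign in as any email. Suggest extending the `enabled` description to `# -- Enable trusted header authentication (only behind a reverse proxy that sets these headers itself and strips them from incoming client requests)`. The `mergeAccountsByEmail` line keeps the bare "(considered insecure)"; a clause naming the risk, e.g. that an existing account is matched on the email asserted by the provider, would let operators weigh it (the mechanism is inferred from the description, so confirm against the application docs before wording it). The `groupManagement` block loses its own `@section` and `@default` annotations and is tagged `SSO Configuration` instead, which matches the README table in this patch, so no change is needed there.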