OpenWebUI/helm-charts
1
0
Fork 0
mirror of https://github.com/open-webui/helm-charts synced 2025-06-26 18:16:14 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

feat: add SSO and OAuth configuration options to README and values.yaml

Browse Source 
Signed-off-by: Boris Bliznioukov <blib@mail.com>
This commit is contained in:
Boris Bliznioukov 2025-03-20 14:41:36 +01:00
parent 8916b426ec
commit 57fd1bd513
No known key found for this signature in database
2 changed files with 94 additions and 39 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

93
charts/open-webui/README.md
View File

@ -40,6 +40,71 @@ helm upgrade --install open-webui open-webui/open-webui
## Values ## Values
### SSO Configuration
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| sso.enableGroupManagement | bool | `false` | Enable OAuth group management through access token groups claim |
| sso.enableRoleManagement | bool | `false` | Enable OAuth role management through access token roles claim |
| sso.enableSignup | bool | `false` | Enable account creation when logging in with OAuth (distinct from regular signup) |
| sso.enabled | bool | `false` | **Enable SSO authentication globally** must enable to use SSO authentication |
| sso.groupManagement.groupsClaim | string | `"groups"` | The claim that contains the groups (can be nested, e.g., user.memberOf) |
| sso.mergeAccountsByEmail | bool | `false` | Allow logging into accounts that match email from OAuth provider (considered insecure) |
### GitHub OAuth configuration
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| sso.github.clientId | string | `""` | GitHub OAuth client ID |
| sso.github.clientSecret | string | `""` | GitHub OAuth client secret |
| sso.github.enabled | bool | `false` | Enable GitHub OAuth |
### Google OAuth configuration
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| sso.google.clientId | string | `""` | Google OAuth client ID |
| sso.google.clientSecret | string | `""` | Google OAuth client secret |
| sso.google.enabled | bool | `false` | Enable Google OAuth |
### Microsoft OAuth configuration
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| sso.microsoft.clientId | string | `""` | Microsoft OAuth client ID |
| sso.microsoft.clientSecret | string | `""` | Microsoft OAuth client secret |
| sso.microsoft.enabled | bool | `false` | Enable Microsoft OAuth |
| sso.microsoft.tenantId | string | `""` | Microsoft tenant ID - use 9188040d-6c67-4c5b-b112-36a304b66dad for personal accounts |
### OIDC configuration
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| sso.oidc.clientId | string | `""` | OIDC client ID |
| sso.oidc.clientSecret | string | `""` | OIDC client secret |
| sso.oidc.enabled | bool | `false` | Enable OIDC authentication |
| sso.oidc.providerName | string | `"SSO"` | Name of the provider to show on the UI |
| sso.oidc.providerUrl | string | `""` | OIDC provider well known URL |
| sso.oidc.scopes | string | `"openid email profile"` | Scopes to request (space-separated). |
### Role management configuration
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| sso.roleManagement.adminRoles | string | `""` | Comma-separated list of roles allowed to log in as admin (receive open webui role admin) |
| sso.roleManagement.allowedRoles | string | `""` | Comma-separated list of roles allowed to log in (receive open webui role user) |
| sso.roleManagement.rolesClaim | string | `"roles"` | The claim that contains the roles (can be nested, e.g., user.roles) |
### SSO trusted header authentication
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| sso.trustedHeader.emailHeader | string | `""` | Header containing the user's email address |
| sso.trustedHeader.enabled | bool | `false` | Enable trusted header authentication |
| sso.trustedHeader.nameHeader | string | `""` | Header containing the user's name (optional, used for new user creation) |
### Other Values
| Key | Type | Default | Description | | Key | Type | Default | Description |
|-----|------|---------|-------------| |-----|------|---------|-------------|
| affinity | object | `{}` | Affinity for pod assignment | | affinity | object | `{}` | Affinity for pod assignment |
@ -103,34 +168,6 @@ helm upgrade --install open-webui open-webui/open-webui
| serviceAccount.automountServiceAccountToken | bool | `false` | | | serviceAccount.automountServiceAccountToken | bool | `false` | |
| serviceAccount.enable | bool | `true` | | | serviceAccount.enable | bool | `true` | |
| serviceAccount.name | string | `""` | | | serviceAccount.name | string | `""` | |
| sso.enableGroupManagement | bool | `false` | Enable OAuth group management through access token groups claim |
| sso.enableRoleManagement | bool | `false` | Enable OAuth role management through access token roles claim |
| sso.enableSignup | bool | `false` | Enable account creation when logging in with OAuth (distinct from regular signup) |
| sso.enabled | bool | `false` | Enable SSO authentication globally |
| sso.github.clientId | string | `""` | GitHub OAuth client ID |
| sso.github.clientSecret | string | `""` | GitHub OAuth client secret |
| sso.github.enabled | bool | `false` | Enable GitHub OAuth |
| sso.google.clientId | string | `""` | Google OAuth client ID |
| sso.google.clientSecret | string | `""` | Google OAuth client secret |
| sso.google.enabled | bool | `false` | Enable Google OAuth |
| sso.groupManagement.groupsClaim | string | `"groups"` | The claim that contains the groups (can be nested, e.g., user.memberOf) |
| sso.mergeAccountsByEmail | bool | `false` | Allow logging into accounts that match email from OAuth provider (considered insecure) |
| sso.microsoft.clientId | string | `""` | Microsoft OAuth client ID |
| sso.microsoft.clientSecret | string | `""` | Microsoft OAuth client secret |
| sso.microsoft.enabled | bool | `false` | Enable Microsoft OAuth |
| sso.microsoft.tenantId | string | `""` | Microsoft tenant ID - use 9188040d-6c67-4c5b-b112-36a304b66dad for personal accounts |
| sso.oidc.clientId | string | `""` | OIDC client ID |
| sso.oidc.clientSecret | string | `""` | OIDC client secret |
| sso.oidc.enabled | bool | `false` | Enable OIDC authentication |
| sso.oidc.providerName | string | `"SSO"` | Name of the provider to show on the UI |
| sso.oidc.providerUrl | string | `""` | OIDC provider well known URL |
| sso.oidc.scopes | string | `"openid email profile"` | Scopes to request (space-separated). |
| sso.roleManagement.adminRoles | string | `""` | Comma-separated list of roles allowed to log in as admin (receive open webui role admin) |
| sso.roleManagement.allowedRoles | string | `""` | Comma-separated list of roles allowed to log in (receive open webui role user) |
| sso.roleManagement.rolesClaim | string | `"roles"` | The claim that contains the roles (can be nested, e.g., user.roles) |
| sso.trustedHeader.emailHeader | string | `""` | Header containing the user's email address |
| sso.trustedHeader.enabled | bool | `false` | Enable trusted header authentication |
| sso.trustedHeader.nameHeader | string | `""` | Header containing the user's name (optional, used for new user creation) |
| startupProbe | object | `{}` | Probe for startup of the Open WebUI container ref: <https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes> | | startupProbe | object | `{}` | Probe for startup of the Open WebUI container ref: <https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes> |
| strategy | object | `{}` | Strategy for updating the workload manager: deployment or statefulset | | strategy | object | `{}` | Strategy for updating the workload manager: deployment or statefulset |
| tika.enabled | bool | `false` | Automatically install Apache Tika to extend Open WebUI | | tika.enabled | bool | `false` | Automatically install Apache Tika to extend Open WebUI |

40
charts/open-webui/values.yaml
View File

@ -1,6 +1,5 @@
nameOverride: "" nameOverride: ""
namespaceOverride: "" namespaceOverride: ""
# @section -- OLLAMA
ollama: ollama:
# -- Automatically install Ollama Helm chart from https://otwld.github.io/ollama-helm/. Use [Helm Values](https://github.com/otwld/ollama-helm/#helm-values) to configure # -- Automatically install Ollama Helm chart from https://otwld.github.io/ollama-helm/. Use [Helm Values](https://github.com/otwld/ollama-helm/#helm-values) to configure
enabled: true enabled: true
@ -321,85 +320,104 @@ containerSecurityContext:
# seccompProfile: # seccompProfile:
# type: "RuntimeDefault" # type: "RuntimeDefault"
# @section -- SSO Configuration
sso: sso:
# -- Enable SSO authentication globally # -- **Enable SSO authentication globally** must enable to use SSO authentication
# @section -- SSO Configuration
enabled: false enabled: false
# -- Enable account creation when logging in with OAuth (distinct from regular signup) # -- Enable account creation when logging in with OAuth (distinct from regular signup)
# @section -- SSO Configuration
enableSignup: false enableSignup: false
# -- Allow logging into accounts that match email from OAuth provider (considered insecure) # -- Allow logging into accounts that match email from OAuth provider (considered insecure)
# @section -- SSO Configuration
mergeAccountsByEmail: false mergeAccountsByEmail: false
# -- Enable OAuth role management through access token roles claim # -- Enable OAuth role management through access token roles claim
# @section -- SSO Configuration
enableRoleManagement: false enableRoleManagement: false
# -- Enable OAuth group management through access token groups claim # -- Enable OAuth group management through access token groups claim
# @section -- SSO Configuration
enableGroupManagement: false enableGroupManagement: false
# @section -- Google OAuth configuration
google: google:
# -- Enable Google OAuth # -- Enable Google OAuth
# @section -- Google OAuth configuration
enabled: false enabled: false
# -- Google OAuth client ID # -- Google OAuth client ID
# @section -- Google OAuth configuration
clientId: "" clientId: ""
# -- Google OAuth client secret # -- Google OAuth client secret
# @section -- Google OAuth configuration
clientSecret: "" clientSecret: ""
# @section -- Microsoft OAuth configuration
microsoft: microsoft:
# -- Enable Microsoft OAuth # -- Enable Microsoft OAuth
# @section -- Microsoft OAuth configuration
enabled: false enabled: false
# -- Microsoft OAuth client ID # -- Microsoft OAuth client ID
# @section -- Microsoft OAuth configuration
clientId: "" clientId: ""
# -- Microsoft OAuth client secret # -- Microsoft OAuth client secret
# @section -- Microsoft OAuth configuration
clientSecret: "" clientSecret: ""
# -- Microsoft tenant ID - use 9188040d-6c67-4c5b-b112-36a304b66dad for personal accounts # -- Microsoft tenant ID - use 9188040d-6c67-4c5b-b112-36a304b66dad for personal accounts
# @section -- Microsoft OAuth configuration
tenantId: "" tenantId: ""
# @section -- GitHub OAuth configuration
github: github:
# -- Enable GitHub OAuth # -- Enable GitHub OAuth
# @section -- GitHub OAuth configuration
enabled: false enabled: false
# -- GitHub OAuth client ID # -- GitHub OAuth client ID
# @section -- GitHub OAuth configuration
clientId: "" clientId: ""
# -- GitHub OAuth client secret # -- GitHub OAuth client secret
# @section -- GitHub OAuth configuration
clientSecret: "" clientSecret: ""
# @section -- OIDC configuration
oidc: oidc:
# -- Enable OIDC authentication # -- Enable OIDC authentication
# @section -- OIDC configuration
enabled: false enabled: false
# -- OIDC client ID # -- OIDC client ID
# @section -- OIDC configuration
clientId: "" clientId: ""
# -- OIDC client secret # -- OIDC client secret
# @section -- OIDC configuration
clientSecret: "" clientSecret: ""
# -- OIDC provider well known URL # -- OIDC provider well known URL
# @section -- OIDC configuration
providerUrl: "" providerUrl: ""
# -- Name of the provider to show on the UI # -- Name of the provider to show on the UI
# @section -- OIDC configuration
providerName: "SSO" providerName: "SSO"
# -- Scopes to request (space-separated). # -- Scopes to request (space-separated).
# @section -- OIDC configuration
scopes: "openid email profile" scopes: "openid email profile"
# @section -- Role management configuration
roleManagement: roleManagement:
# -- The claim that contains the roles (can be nested, e.g., user.roles) # -- The claim that contains the roles (can be nested, e.g., user.roles)
# @section -- Role management configuration
rolesClaim: "roles" rolesClaim: "roles"
# -- Comma-separated list of roles allowed to log in (receive open webui role user) # -- Comma-separated list of roles allowed to log in (receive open webui role user)
# @section -- Role management configuration
allowedRoles: "" allowedRoles: ""
# -- Comma-separated list of roles allowed to log in as admin (receive open webui role admin) # -- Comma-separated list of roles allowed to log in as admin (receive open webui role admin)
# @section -- Role management configuration
adminRoles: "" adminRoles: ""
# @section -- Group management configuration
# @default -- "groups"
groupManagement: groupManagement:
# -- The claim that contains the groups (can be nested, e.g., user.memberOf) # -- The claim that contains the groups (can be nested, e.g., user.memberOf)
# @section -- SSO Configuration
groupsClaim: "groups" groupsClaim: "groups"
# @section -- Trusted header authentication
trustedHeader: trustedHeader:
# -- Enable trusted header authentication # -- Enable trusted header authentication
# @section -- SSO trusted header authentication
enabled: false enabled: false
# -- Header containing the user's email address # -- Header containing the user's email address
# @section -- SSO trusted header authentication
emailHeader: "" emailHeader: ""
# -- Header containing the user's name (optional, used for new user creation) # -- Header containing the user's name (optional, used for new user creation)
# @section -- SSO trusted header authentication
nameHeader: "" nameHeader: ""
# -- Extra resources to deploy with Open WebUI # -- Extra resources to deploy with Open WebUI