feat: add SSO configuration options in values.yaml and workload-manager.yaml

Signed-off-by: Boris Bliznioukov <blib@mail.com>
2025-06-26 18:16:14 +00:00 · 2025-03-20 14:14:53 +01:00 · 2025-03-20 14:14:53 +01:00 · 8916b426ec
commit 8916b426ec
parent da259c7471
3 changed files with 190 additions and 11 deletions
--- a/charts/open-webui/README.md
+++ b/charts/open-webui/README.md
@ -1,6 +1,6 @@
 # open-webui

-![Version: 5.24.0](https://img.shields.io/badge/Version-5.24.0-informational?style=flat-square) ![AppVersion: 0.5.20](https://img.shields.io/badge/AppVersion-0.5.20-informational?style=flat-square)
+![Version: 5.25.0](https://img.shields.io/badge/Version-5.25.0-informational?style=flat-square) ![AppVersion: 0.5.20](https://img.shields.io/badge/AppVersion-0.5.20-informational?style=flat-square)

 Open WebUI: A User-Friendly Web Interface for Chat Interactions 👋

@ -56,7 +56,7 @@ helm upgrade --install open-webui open-webui/open-webui
 | image | object | `{"pullPolicy":"IfNotPresent","repository":"ghcr.io/open-webui/open-webui","tag":""}` | Open WebUI image tags can be found here: https://github.com/open-webui/open-webui |
 | imagePullSecrets | list | `[]` | Configure imagePullSecrets to use private registry ref: <https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry> |
 | ingress.additionalHosts | list | `[]` |  |
-| ingress.annotations | object | `{}` | Use appropriate annotations for your Ingress controller, e.g., for NGINX:   |
+| ingress.annotations | object | `{}` | Use appropriate annotations for your Ingress controller, e.g., for NGINX: |
 | ingress.class | string | `""` |  |
 | ingress.enabled | bool | `false` |  |
 | ingress.existingSecret | string | `""` |  |
@ -103,6 +103,34 @@ helm upgrade --install open-webui open-webui/open-webui
 | serviceAccount.automountServiceAccountToken | bool | `false` |  |
 | serviceAccount.enable | bool | `true` |  |
 | serviceAccount.name | string | `""` |  |
+| sso.enableGroupManagement | bool | `false` | Enable OAuth group management through access token groups claim |
+| sso.enableRoleManagement | bool | `false` | Enable OAuth role management through access token roles claim |
+| sso.enableSignup | bool | `false` | Enable account creation when logging in with OAuth (distinct from regular signup) |
+| sso.enabled | bool | `false` | Enable SSO authentication globally |
+| sso.github.clientId | string | `""` | GitHub OAuth client ID |
+| sso.github.clientSecret | string | `""` | GitHub OAuth client secret |
+| sso.github.enabled | bool | `false` | Enable GitHub OAuth |
+| sso.google.clientId | string | `""` | Google OAuth client ID |
+| sso.google.clientSecret | string | `""` | Google OAuth client secret |
+| sso.google.enabled | bool | `false` | Enable Google OAuth |
+| sso.groupManagement.groupsClaim | string | `"groups"` | The claim that contains the groups (can be nested, e.g., user.memberOf) |
+| sso.mergeAccountsByEmail | bool | `false` | Allow logging into accounts that match email from OAuth provider (considered insecure) |
+| sso.microsoft.clientId | string | `""` | Microsoft OAuth client ID |
+| sso.microsoft.clientSecret | string | `""` | Microsoft OAuth client secret |
+| sso.microsoft.enabled | bool | `false` | Enable Microsoft OAuth |
+| sso.microsoft.tenantId | string | `""` | Microsoft tenant ID - use 9188040d-6c67-4c5b-b112-36a304b66dad for personal accounts |
+| sso.oidc.clientId | string | `""` | OIDC client ID |
+| sso.oidc.clientSecret | string | `""` | OIDC client secret |
+| sso.oidc.enabled | bool | `false` | Enable OIDC authentication |
+| sso.oidc.providerName | string | `"SSO"` | Name of the provider to show on the UI |
+| sso.oidc.providerUrl | string | `""` | OIDC provider well known URL |
+| sso.oidc.scopes | string | `"openid email profile"` | Scopes to request (space-separated). |
+| sso.roleManagement.adminRoles | string | `""` | Comma-separated list of roles allowed to log in as admin (receive open webui role admin) |
+| sso.roleManagement.allowedRoles | string | `""` | Comma-separated list of roles allowed to log in (receive open webui role user) |
+| sso.roleManagement.rolesClaim | string | `"roles"` | The claim that contains the roles (can be nested, e.g., user.roles) |
+| sso.trustedHeader.emailHeader | string | `""` | Header containing the user's email address |
+| sso.trustedHeader.enabled | bool | `false` | Enable trusted header authentication |
+| sso.trustedHeader.nameHeader | string | `""` | Header containing the user's name (optional, used for new user creation) |
 | startupProbe | object | `{}` | Probe for startup of the Open WebUI container ref: <https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes> |
 | strategy | object | `{}` | Strategy for updating the workload manager: deployment or statefulset |
 | tika.enabled | bool | `false` | Automatically install Apache Tika to extend Open WebUI |
@ -112,7 +140,7 @@ helm upgrade --install open-webui open-webui/open-webui
 | volumes | list | `[]` | Configure pod volumes ref: <https://kubernetes.io/docs/tasks/configure-pod-container/configure-volume-storage/> |
 | websocket.enabled | bool | `false` | Enables websocket support in Open WebUI with env `ENABLE_WEBSOCKET_SUPPORT` |
 | websocket.manager | string | `"redis"` | Specifies the websocket manager to use with env `WEBSOCKET_MANAGER`: redis (default) |
-| websocket.redis | object | `{"affinity":{},"annotations":{},"args":[],"command":[],"enabled":true,"image":{"pullPolicy":"IfNotPresent","repository":"redis","tag":"7.4.2-alpine3.21"},"labels":{},"name":"open-webui-redis","pods":{"annotations":{}},"resources":{},"service":{"annotations":{},"containerPort":6379,"labels":{},"nodePort":"","port":6379,"type":"ClusterIP"},"tolerations":[]}` | Deploys a redis |
+| websocket.redis | object | `{"affinity":{},"annotations":{},"args":[],"command":[],"enabled":true,"image":{"pullPolicy":"IfNotPresent","repository":"redis","tag":"7.4.2-alpine3.21"},"labels":{},"name":"open-webui-redis","pods":{"annotations":{}},"resources":{},"securityContext":{},"service":{"annotations":{},"containerPort":6379,"labels":{},"nodePort":"","port":6379,"type":"ClusterIP"},"tolerations":[]}` | Deploys a redis |
 | websocket.redis.affinity | object | `{}` | Redis affinity for pod assignment |
 | websocket.redis.annotations | object | `{}` | Redis annotations |
 | websocket.redis.args | list | `[]` | Redis arguments (overrides default) |
@ -124,7 +152,7 @@ helm upgrade --install open-webui open-webui/open-webui
 | websocket.redis.pods | object | `{"annotations":{}}` | Redis pod |
 | websocket.redis.pods.annotations | object | `{}` | Redis pod annotations |
 | websocket.redis.resources | object | `{}` | Redis resources |
-| websocket.redis.securityContext | object | `{}` | Redis security context ref: <https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-containe> |
+| websocket.redis.securityContext | object | `{}` | Redis security context |
 | websocket.redis.service | object | `{"annotations":{},"containerPort":6379,"labels":{},"nodePort":"","port":6379,"type":"ClusterIP"}` | Redis service |
 | websocket.redis.service.annotations | object | `{}` | Redis service annotations |
 | websocket.redis.service.containerPort | int | `6379` | Redis container/target port |
--- a/charts/open-webui/templates/workload-manager.yaml
+++ b/charts/open-webui/templates/workload-manager.yaml
@ -161,6 +161,76 @@ spec:
        - name: "WEBSOCKET_REDIS_URL"
          value: {{ .Values.websocket.url | quote }}
        {{- end }}
+        {{- if .Values.sso.enabled }}
+        {{- if .Values.sso.enableSignup }}
+        - name: "ENABLE_OAUTH_SIGNUP"
+          value: "True"
+        {{- end }}
+        {{- if .Values.sso.mergeAccountsByEmail }}
+        - name: "OAUTH_MERGE_ACCOUNTS_BY_EMAIL"
+          value: "True"
+        {{- end }}
+        {{- if .Values.sso.google.enabled }}
+        - name: "GOOGLE_CLIENT_ID"
+          value: {{ .Values.sso.google.clientId | quote }}
+        - name: "GOOGLE_CLIENT_SECRET"
+          value: {{ .Values.sso.google.clientSecret | quote }}
+        {{- end }}
+        {{- if .Values.sso.microsoft.enabled }}
+        - name: "MICROSOFT_CLIENT_ID"
+          value: {{ .Values.sso.microsoft.clientId | quote }}
+        - name: "MICROSOFT_CLIENT_SECRET"
+          value: {{ .Values.sso.microsoft.clientSecret | quote }}
+        - name: "MICROSOFT_CLIENT_TENANT_ID"
+          value: {{ .Values.sso.microsoft.tenantId | quote }}
+        {{- end }}
+        {{- if .Values.sso.github.enabled }}
+        - name: "GITHUB_CLIENT_ID"
+          value: {{ .Values.sso.github.clientId | quote }}
+        - name: "GITHUB_CLIENT_SECRET"
+          value: {{ .Values.sso.github.clientSecret | quote }}
+        {{- end }}
+        {{- if .Values.sso.oidc.enabled }}
+        - name: "OAUTH_CLIENT_ID"
+          value: {{ .Values.sso.oidc.clientId | quote }}
+        - name: "OAUTH_CLIENT_SECRET"
+          value: {{ .Values.sso.oidc.clientSecret | quote }}
+        - name: "OPENID_PROVIDER_URL"
+          value: {{ .Values.sso.oidc.providerUrl | quote }}
+        - name: "OAUTH_PROVIDER_NAME"
+          value: {{ .Values.sso.oidc.providerName | quote }}
+        - name: "OAUTH_SCOPES"
+          value: {{ .Values.sso.oidc.scopes | quote }}
+        {{- end }}
+        {{- if .Values.sso.enableRoleManagement }}
+        - name: "ENABLE_OAUTH_ROLE_MANAGEMENT"
+          value: "True"
+        - name: "OAUTH_ROLES_CLAIM"
+          value: {{ .Values.sso.roleManagement.rolesClaim | quote }}
+        {{- if .Values.sso.roleManagement.allowedRoles }}
+        - name: "OAUTH_ALLOWED_ROLES"
+          value: {{ .Values.sso.roleManagement.allowedRoles | quote }}
+        {{- end }}
+        {{- if .Values.sso.roleManagement.adminRoles }}
+        - name: "OAUTH_ADMIN_ROLES"
+          value: {{ .Values.sso.roleManagement.adminRoles | quote }}
+        {{- end }}
+        {{- end }}
+        {{- if .Values.sso.enableGroupManagement }}
+        - name: "ENABLE_OAUTH_GROUP_MANAGEMENT"
+          value: "True"
+        - name: "OAUTH_GROUP_CLAIM"
+          value: {{ .Values.sso.groupManagement.groupsClaim | quote }}
+        {{- end }}
+        {{- if .Values.sso.trustedHeader.enabled }}
+        - name: "WEBUI_AUTH_TRUSTED_EMAIL_HEADER"
+          value: {{ .Values.sso.trustedHeader.emailHeader | quote }}
+        {{- if .Values.sso.trustedHeader.nameHeader }}
+        - name: "WEBUI_AUTH_TRUSTED_NAME_HEADER"
+          value: {{ .Values.sso.trustedHeader.nameHeader | quote }}
+        {{- end }}
+        {{- end }}
+        {{- end }}
        tty: true
      {{- with .Values.nodeSelector }}
      nodeSelector:
--- a/charts/open-webui/values.yaml
+++ b/charts/open-webui/values.yaml
@ -1,6 +1,6 @@
 nameOverride: ""
 namespaceOverride: ""
-
+# @section -- OLLAMA
 ollama:
  # -- Automatically install Ollama Helm chart from https://otwld.github.io/ollama-helm/. Use [Helm Values](https://github.com/otwld/ollama-helm/#helm-values) to configure
  enabled: true
@ -177,14 +177,14 @@ copyAppData:

 managedCertificate:
  enabled: false
-  name: "mydomain-chat-cert"  # You can override this name if needed
+  name: "mydomain-chat-cert" # You can override this name if needed
  domains:
    - chat.example.com # update to your real domain

 ingress:
  enabled: false
  class: ""
-  # -- Use appropriate annotations for your Ingress controller, e.g., for NGINX:  
+  # -- Use appropriate annotations for your Ingress controller, e.g., for NGINX:
  annotations: {}
  #   # Example for GKE Ingress
  #   kubernetes.io/ingress.class: "gce"
@ -194,8 +194,8 @@ ingress:
  #   nginx.ingress.kubernetes.io/ssl-redirect: "true"
  #   nginx.ingress.kubernetes.io/permanent-redirect: "https://chat.example.com"
  #   networking.gke.io/managed-certificates: "mydomain-chat-cert"
-  #   # nginx.ingress.kubernetes.io/rewrite-target: / 
-  host: "chat.example.com"  # update to your real domain 
+  #   # nginx.ingress.kubernetes.io/rewrite-target: /
+  host: "chat.example.com" # update to your real domain
  additionalHosts: []
  tls: false
  existingSecret: ""
@ -245,7 +245,8 @@ enableOpenaiApi: true
 openaiBaseApiUrl: "https://api.openai.com/v1"

 # -- OpenAI base API URLs to use. Overwrites the value in openaiBaseApiUrl if set
-openaiBaseApiUrls: []
+openaiBaseApiUrls:
+  []
  # - "https://api.openai.com/v1"
  # - "https://api.company.openai.com/v1"

@ -304,7 +305,6 @@ podSecurityContext:
  # supplementalGroups: []
  # fsGroup: 1001

-
 # -- Configure container security context
 # ref: <https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-containe>
 containerSecurityContext:
@ -321,6 +321,87 @@ containerSecurityContext:
  # seccompProfile:
  #   type: "RuntimeDefault"

+# @section -- SSO Configuration
+sso:
+  # -- Enable SSO authentication globally
+  enabled: false
+  # -- Enable account creation when logging in with OAuth (distinct from regular signup)
+  enableSignup: false
+  # -- Allow logging into accounts that match email from OAuth provider (considered insecure)
+  mergeAccountsByEmail: false
+  # -- Enable OAuth role management through access token roles claim
+  enableRoleManagement: false
+  # -- Enable OAuth group management through access token groups claim
+  enableGroupManagement: false
+
+  # @section -- Google OAuth configuration
+  google:
+    # -- Enable Google OAuth
+    enabled: false
+    # -- Google OAuth client ID
+    clientId: ""
+    # -- Google OAuth client secret
+    clientSecret: ""
+
+  # @section -- Microsoft OAuth configuration
+  microsoft:
+    # -- Enable Microsoft OAuth
+    enabled: false
+    # -- Microsoft OAuth client ID
+    clientId: ""
+    # -- Microsoft OAuth client secret
+    clientSecret: ""
+    # -- Microsoft tenant ID - use 9188040d-6c67-4c5b-b112-36a304b66dad for personal accounts
+    tenantId: ""
+
+  # @section -- GitHub OAuth configuration
+  github:
+    # -- Enable GitHub OAuth
+    enabled: false
+    # -- GitHub OAuth client ID
+    clientId: ""
+    # -- GitHub OAuth client secret
+    clientSecret: ""
+
+  # @section -- OIDC configuration
+  oidc:
+    # -- Enable OIDC authentication
+    enabled: false
+    # -- OIDC client ID
+    clientId: ""
+    # -- OIDC client secret
+    clientSecret: ""
+    # -- OIDC provider well known URL
+    providerUrl: ""
+    # -- Name of the provider to show on the UI
+    providerName: "SSO"
+    # -- Scopes to request (space-separated).
+    scopes: "openid email profile"
+
+  # @section -- Role management configuration
+  roleManagement:
+    # -- The claim that contains the roles (can be nested, e.g., user.roles)
+    rolesClaim: "roles"
+    # -- Comma-separated list of roles allowed to log in (receive open webui role user)
+    allowedRoles: ""
+    # -- Comma-separated list of roles allowed to log in as admin (receive open webui role admin)
+    adminRoles: ""
+
+  # @section -- Group management configuration
+  # @default -- "groups"
+  groupManagement:
+    # -- The claim that contains the groups (can be nested, e.g., user.memberOf)
+    groupsClaim: "groups"
+
+  # @section -- Trusted header authentication
+  trustedHeader:
+    # -- Enable trusted header authentication
+    enabled: false
+    # -- Header containing the user's email address
+    emailHeader: ""
+    # -- Header containing the user's name (optional, used for new user creation)
+    nameHeader: ""
+
 # -- Extra resources to deploy with Open WebUI
 extraResources:
  []