feat(open-webui): Make it possible to configure Amazon S3 Storage secret key via k8s secrets

Signed-off-by: Mario Trangoni <mjtrangoni@gmail.com>
2025-06-26 18:16:14 +00:00 · 2025-05-06 16:20:20 +02:00 · 2025-05-06 16:20:20 +02:00 · a5073d40f2
commit a5073d40f2
parent 86e42681ca
4 changed files with 37 additions and 11 deletions
--- a/charts/open-webui/Chart.yaml
+++ b/charts/open-webui/Chart.yaml
@ -1,6 +1,6 @@
 apiVersion: v2
 name: open-webui
-version: 6.8.0
+version: 6.9.0
 appVersion: 0.6.6
 home: https://www.openwebui.com/
 icon: >-
--- a/charts/open-webui/README.md
+++ b/charts/open-webui/README.md
@ -1,6 +1,6 @@
 # open-webui

-![Version: 6.8.0](https://img.shields.io/badge/Version-6.8.0-informational?style=flat-square) ![AppVersion: 0.6.6](https://img.shields.io/badge/AppVersion-0.6.6-informational?style=flat-square)
+![Version: 6.9.0](https://img.shields.io/badge/Version-6.9.0-informational?style=flat-square) ![AppVersion: 0.6.6](https://img.shields.io/badge/AppVersion-0.6.6-informational?style=flat-square)

 Open WebUI: A User-Friendly Web Interface for Chat Interactions 👋

@ -60,6 +60,19 @@ helm upgrade --install open-webui open-webui/open-webui
 | persistence.gcs.appCredentialsJsonExistingSecretKey | string | `""` | Set the Google Application Credentials JSON file for Google Cloud Storage from existing secret key |
 | persistence.gcs.bucket | string | `""` | Sets the bucket name for Google Cloud Storage. Bucket must already exist |

+### Amazon S3 Storage configuration
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| persistence.s3.accessKey | string | `""` | Sets the access key ID for S3 storage |
+| persistence.s3.bucket | string | `""` | Sets the bucket name for S3 storage |
+| persistence.s3.endpointUrl | string | `""` | Sets the endpoint url for S3 storage |
+| persistence.s3.keyPrefix | string | `""` | Sets the key prefix for a S3 object |
+| persistence.s3.region | string | `""` | Sets the region name for S3 storage |
+| persistence.s3.secretKey | string | `""` | Sets the secret access key for S3 storage (ignored if secretKeyExistingSecret is set) |
+| persistence.s3.secretKeyExistingSecret | string | `""` | Set the secret access key for S3 storage from existing k8s secret |
+| persistence.s3.secretKeyExistingSecretKey | string | `""` | Set the secret access key for S3 storage from existing k8s secret key |
+
 ### SSO Configuration

 | Key | Type | Default | Description |
@ -175,12 +188,6 @@ helm upgrade --install open-webui open-webui/open-webui
 | persistence.enabled | bool | `true` |  |
 | persistence.existingClaim | string | `""` | Use existingClaim if you want to re-use an existing Open WebUI PVC instead of creating a new one |
 | persistence.provider | string | `"local"` | Sets the storage provider, availables values are `local`, `s3`, `gcs` or `azure` |
-| persistence.s3.accessKey | string | `""` | Sets the access key ID for S3 storage |
-| persistence.s3.bucket | string | `""` | Sets the bucket name for S3 storage |
-| persistence.s3.endpointUrl | string | `""` | Sets the endpoint url for S3 storage |
-| persistence.s3.keyPrefix | string | `""` | Sets the key prefix for a S3 object |
-| persistence.s3.region | string | `""` | Sets the region name for S3 storage |
-| persistence.s3.secretKey | string | `""` | Sets the secret access key for S3 storage |
 | persistence.selector | object | `{}` |  |
 | persistence.size | string | `"2Gi"` |  |
 | persistence.storageClass | string | `""` |  |
--- a/charts/open-webui/templates/workload-manager.yaml
+++ b/charts/open-webui/templates/workload-manager.yaml
@ -159,7 +159,14 @@ spec:
        - name: "S3_ACCESS_KEY_ID"
          value: {{ .Values.persistence.s3.accessKey }}
        - name: "S3_SECRET_ACCESS_KEY"
+        {{- if .Values.persistence.s3.secretKeyExistingSecret }}
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.persistence.s3.secretKeyExistingSecret }}
+              key: {{ .Values.persistence.s3.secretKeyExistingSecretKey }}
+        {{- else }}
          value: {{ .Values.persistence.s3.secretKey }}
+        {{- end }}
        - name: "S3_ENDPOINT_URL"
          value: {{ .Values.persistence.s3.endpointUrl }}
        - name: "S3_BUCKET_NAME"
--- a/charts/open-webui/values.yaml
+++ b/charts/open-webui/values.yaml
@ -215,16 +215,28 @@ persistence:
  provider: local
  s3:
    # -- Sets the access key ID for S3 storage
+    # @section -- Amazon S3 Storage configuration
    accessKey: ""
-    # -- Sets the secret access key for S3 storage
+    # -- Sets the secret access key for S3 storage (ignored if secretKeyExistingSecret is set)
+    # @section -- Amazon S3 Storage configuration
    secretKey: ""
+    # -- Set the secret access key for S3 storage from existing k8s secret
+    # @section -- Amazon S3 Storage configuration
+    secretKeyExistingSecret: ""
+    # -- Set the secret access key for S3 storage from existing k8s secret key
+    # @section -- Amazon S3 Storage configuration
+    secretKeyExistingSecretKey: ""
    # -- Sets the endpoint url for S3 storage
+    # @section -- Amazon S3 Storage configuration
    endpointUrl: ""
    # -- Sets the region name for S3 storage
-    region:	""
+    # @section -- Amazon S3 Storage configuration
+    region: ""
    # -- Sets the bucket name for S3 storage
-    bucket:	""
+    # @section -- Amazon S3 Storage configuration
+    bucket: ""
    # -- Sets the key prefix for a S3 object
+    # @section -- Amazon S3 Storage configuration
    keyPrefix: ""
  gcs:
    # -- Contents of Google Application Credentials JSON file (ignored if appCredentialsJsonExistingSecret is set). Optional - if not provided, credentials will be taken from the environment. User credentials if run locally and Google Metadata server if run on a Google Compute Engine. File can be generated for a service account following this guide: https://developers.google.com/workspace/guides/create-credentials#service-account