From e6c33ca07c60b60fc74ae7c92626a3ed61e42b5c Mon Sep 17 00:00:00 2001 From: Mario Trangoni Date: Sat, 26 Apr 2025 16:16:44 +0200 Subject: [PATCH] feat(open-webui): Make it possible to configure Azure Storage credentials via k8s secrets Signed-off-by: Mario Trangoni --- charts/open-webui/README.md | 13 ++++++++++--- charts/open-webui/templates/workload-manager.yaml | 7 +++++++ charts/open-webui/values.yaml | 11 ++++++++++- 3 files changed, 27 insertions(+), 4 deletions(-) diff --git a/charts/open-webui/README.md b/charts/open-webui/README.md index abfd697..fd1a002 100644 --- a/charts/open-webui/README.md +++ b/charts/open-webui/README.md @@ -41,6 +41,16 @@ helm upgrade --install open-webui open-webui/open-webui ## Values +### Azure Storage configuration + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| persistence.azure.container | string | `""` | Sets the container name for Azure Storage | +| persistence.azure.endpointUrl | string | `""` | Sets the endpoint URL for Azure Storage | +| persistence.azure.key | string | `""` | Set the access key for Azure Storage (ignored if keyExistingSecret is set). Optional - if not provided, credentials will be taken from the environment. User credentials if run locally and Managed Identity if run in Azure services | +| persistence.azure.keyExistingSecret | string | `""` | Set the access key for Azure Storage from existing secret | +| persistence.azure.keyExistingSecretKey | string | `""` | Set the access key for Azure Storage from existing secret key | + ### SSO Configuration | Key | Type | Default | Description | 
@@ -153,9 +163,6 @@ helm upgrade --install open-webui open-webui/open-webui | openaiBaseApiUrls | list | `[]` | OpenAI base API URLs to use. Overwrites the value in openaiBaseApiUrl if set | | persistence.accessModes | list | `["ReadWriteOnce"]` | If using multiple replicas, you must update accessModes to ReadWriteMany | | persistence.annotations | object | `{}` | | -| persistence.azure.container | string | `""` | Sets the container name for Azure Storage | -| persistence.azure.endpointUrl | string | `""` | Sets the endpoint URL for Azure Storage | -| persistence.azure.key | string | `""` | Set the access key for Azure Storage. Optional - if not provided, credentials will be taken from the environment. User credentials if run locally and Managed Identity if run in Azure services | | persistence.enabled | bool | `true` | | | persistence.existingClaim | string | `""` | Use existingClaim if you want to re-use an existing Open WebUI PVC instead of creating a new one | | persistence.gcs.appCredentialsJson | string | `""` | Contents of Google Application Credentials JSON file. Optional - if not provided, credentials will be taken from the environment. User credentials if run locally and Google Metadata server if run on a Google Compute Engine. File can be generated for a service account following this guide: https://developers.google.com/workspace/guides/create-credentials#service-account | diff --git a/charts/open-webui/templates/workload-manager.yaml b/charts/open-webui/templates/workload-manager.yaml index 26f0b93..44a3f7a 100644 --- a/charts/open-webui/templates/workload-manager.yaml +++ b/charts/open-webui/templates/workload-manager.yaml 
@@ -183,8 +183,15 @@ spec: - name: "AZURE_STORAGE_CONTAINER_NAME" value: {{ .Values.persistence.azure.container }} - name: "AZURE_STORAGE_KEY" + {{- if .Values.persistence.azure.keyExistingSecret }} + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.azure.keyExistingSecret }} + key: {{ .Values.persistence.azure.keyExistingSecretKey }} + {{- else }} value: {{ .Values.persistence.azure.key }} {{- end }} + {{- end }} {{- if .Values.websocket.enabled }} - name: "ENABLE_WEBSOCKET_SUPPORT" value: "True" diff --git a/charts/open-webui/values.yaml b/charts/open-webui/values.yaml index 35c70d0..349456c 100644 --- a/charts/open-webui/values.yaml +++ b/charts/open-webui/values.yaml @@ -233,11 +233,20 @@ persistence: bucket: "" azure: # -- Sets the endpoint URL for Azure Storage + # @section -- Azure Storage configuration endpointUrl: "" # -- Sets the container name for Azure Storage + # @section -- Azure Storage configuration container: "" - # -- Set the access key for Azure Storage. Optional - if not provided, credentials will be taken from the environment. User credentials if run locally and Managed Identity if run in Azure services + # -- Set the access key for Azure Storage (ignored if keyExistingSecret is set). Optional - if not provided, credentials will be taken from the environment. User credentials if run locally and Managed Identity if run in Azure services + # @section -- Azure Storage configuration key: "" + # -- Set the access key for Azure Storage from existing secret + # @section -- Azure Storage configuration + keyExistingSecret: "" + # -- Set the access key for Azure Storage from existing secret key + # @section -- Azure Storage configuration + keyExistingSecretKey: "" # -- Node labels for pod assignment. nodeSelector: {}
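Review bot: In the new `secretKeyRef` branch of the workload-manager.yaml hunk, `keyExistingSecretKey` is rendered unquoted and unchecked, and its default in values.yaml is `""`. Setting only `keyExistingSecret` therefore renders `key:` with no value, which is likely to surface as a rejected manifest or a pod that cannot start, not as a clear chart error. I would fail at template time and quote both fields: `name: {{ .Values.persistence.azure.keyExistingSecret | quote }}` and `key: {{ required "persistence.azure.keyExistingSecretKey is required when keyExistingSecret is set" .Values.persistence.azure.keyExistingSecretKey | quote }}`. The enclosing `if` that the added `{{- end }}` closes starts outside this hunk, so I could not check how the conditionals pair up.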
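Review bot: The comments on the two new values in the values.yaml hunk do not say that the keys must be set together, and the comment on `key` does not steer readers away from the inline form. The template's `else` branch writes `key` as a literal `value:` in the pod spec, so anyone who can read the workload object can read the access key. I would reword the `key` comment to end with `Prefer keyExistingSecret; a key set here is rendered in plain text in the pod spec.` For the last value I would use `# -- Name of the key inside keyExistingSecret that holds the Azure Storage access key (required when keyExistingSecret is set)`. The README table is generated from these comments and would need regenerating.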