diff --git a/charts/open-webui/Chart.yaml b/charts/open-webui/Chart.yaml index f01e06e..3fee9fe 100644 --- a/charts/open-webui/Chart.yaml +++ b/charts/open-webui/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: open-webui -version: 6.6.0 +version: 6.7.0 appVersion: 0.6.6 home: https://www.openwebui.com/ icon: >- diff --git a/charts/open-webui/README.md b/charts/open-webui/README.md index b89ac73..095df8a 100644 --- a/charts/open-webui/README.md +++ b/charts/open-webui/README.md @@ -1,6 +1,6 @@ # open-webui -![Version: 6.6.0](https://img.shields.io/badge/Version-6.6.0-informational?style=flat-square) ![AppVersion: 0.6.6](https://img.shields.io/badge/AppVersion-0.6.6-informational?style=flat-square) +![Version: 6.7.0](https://img.shields.io/badge/Version-6.7.0-informational?style=flat-square) ![AppVersion: 0.6.6](https://img.shields.io/badge/AppVersion-0.6.6-informational?style=flat-square) Open WebUI: A User-Friendly Web Interface for Chat Interactions 👋 
@@ -57,24 +57,30 @@ helm upgrade --install open-webui open-webui/open-webui | Key | Type | Default | Description | |-----|------|---------|-------------| +| sso.github.clientExistingSecret | string | `""` | GitHub OAuth client secret from existing secret | +| sso.github.clientExistingSecretKey | string | `""` | GitHub OAuth client secret key from existing secret | | sso.github.clientId | string | `""` | GitHub OAuth client ID | -| sso.github.clientSecret | string | `""` | GitHub OAuth client secret | +| sso.github.clientSecret | string | `""` | GitHub OAuth client secret (ignored if clientExistingSecret is set) | | sso.github.enabled | bool | `false` | Enable GitHub OAuth | ### Google OAuth configuration | Key | Type | Default | Description | |-----|------|---------|-------------| +| sso.google.clientExistingSecret | string | `""` | Google OAuth client secret from existing secret | +| sso.google.clientExistingSecretKey | string | `""` | Google OAuth client secret key from existing secret | | sso.google.clientId | string | `""` | Google OAuth client ID | -| sso.google.clientSecret | string | `""` | Google OAuth client secret | +| sso.google.clientSecret | string | `""` | Google OAuth client secret (ignored if clientExistingSecret is set) | | sso.google.enabled | bool | `false` | Enable Google OAuth | ### Microsoft OAuth configuration | Key | Type | Default | Description | |-----|------|---------|-------------| +| sso.microsoft.clientExistingSecret | string | `""` | Microsoft OAuth client secret from existing secret | +| sso.microsoft.clientExistingSecretKey | string | `""` | Microsoft OAuth client secret key from existing secret | | sso.microsoft.clientId | string | `""` | Microsoft OAuth client ID | -| sso.microsoft.clientSecret | string | `""` | Microsoft OAuth client secret | +| sso.microsoft.clientSecret | string | `""` | Microsoft OAuth client secret (ignored if clientExistingSecret is set) | | sso.microsoft.enabled | bool | `false` | Enable Microsoft OAuth | | 
sso.microsoft.tenantId | string | `""` | Microsoft tenant ID - use 9188040d-6c67-4c5b-b112-36a304b66dad for personal accounts | @@ -82,8 +88,10 @@ helm upgrade --install open-webui open-webui/open-webui | Key | Type | Default | Description | |-----|------|---------|-------------| +| sso.oidc.clientExistingSecret | string | `""` | OICD client secret from existing secret | +| sso.oidc.clientExistingSecretKey | string | `""` | OIDC client secret key from existing secret | | sso.oidc.clientId | string | `""` | OIDC client ID | -| sso.oidc.clientSecret | string | `""` | OIDC client secret | +| sso.oidc.clientSecret | string | `""` | OIDC client secret (ignored if clientExistingSecret is set) | | sso.oidc.enabled | bool | `false` | Enable OIDC authentication | | sso.oidc.providerName | string | `"SSO"` | Name of the provider to show on the UI | | sso.oidc.providerUrl | string | `""` | OIDC provider well known URL | diff --git a/charts/open-webui/templates/_helpers.tpl b/charts/open-webui/templates/_helpers.tpl index 953244b..8787210 100644 --- a/charts/open-webui/templates/_helpers.tpl +++ b/charts/open-webui/templates/_helpers.tpl @@ -169,3 +169,14 @@ Create labels to include on chart all websocket resources {{ include "base.labels" . }} {{ include "websocket.redis.selectorLabels" . }} {{- end }} + +{{/* +Validate SSO ClientSecret to be set literally or via Secret +*/}} +{{- define "sso.validateClientSecret" -}} +{{- $provider := .provider }} +{{- $values := .values }} +{{- if and (empty (index $values $provider "clientSecret")) (empty (index $values $provider "clientExistingSecret")) }} + {{- fail (printf "You must provide either .Values.sso.%s.clientSecret or .Values.sso.%s.clientExistingSecret" $provider $provider) }} +{{- end }} +{{- end }} diff --git a/charts/open-webui/templates/workload-manager.yaml b/charts/open-webui/templates/workload-manager.yaml index 082c8c8..0bce866 100644 --- a/charts/open-webui/templates/workload-manager.yaml 
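Review bot: `sso.validateClientSecret` accepts a provider whose `clientExistingSecret` is set while `clientExistingSecretKey` is left at its default `""`. The chart then renders a `secretKeyRef` with an empty `key`, and the mistake only surfaces once the manifest reaches the cluster rather than at template time. The helper could reject this the same way it rejects the missing-secret case, with `{{- if and (index $values $provider "clientExistingSecret") (empty (index $values $provider "clientExistingSecretKey")) }}`, then `{{- fail (printf "You must set .Values.sso.%s.clientExistingSecretKey when clientExistingSecret is used" $provider) }}` and `{{- end }}`. The doc comment could also say that the helper takes a dict with `provider` and `values` (the `.Values.sso` map) and renders nothing on success.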
+++ b/charts/open-webui/templates/workload-manager.yaml 
@@ -209,28 +209,60 @@ spec: {{- if .Values.sso.google.enabled }} - name: "GOOGLE_CLIENT_ID" value: {{ .Values.sso.google.clientId | quote }} + {{- include "sso.validateClientSecret" (dict "provider" "google" "values" .Values.sso) }} - name: "GOOGLE_CLIENT_SECRET" + {{- if .Values.sso.google.clientExistingSecret }} + valueFrom: + secretKeyRef: + name: {{ .Values.sso.google.clientExistingSecret | quote }} + key: {{ .Values.sso.google.clientExistingSecretKey | quote }} + {{- else }} value: {{ .Values.sso.google.clientSecret | quote }} {{- end }} + {{- end }} {{- if .Values.sso.microsoft.enabled }} - name: "MICROSOFT_CLIENT_ID" value: {{ .Values.sso.microsoft.clientId | quote }} + {{- include "sso.validateClientSecret" (dict "provider" "microsoft" "values" .Values.sso) }} - name: "MICROSOFT_CLIENT_SECRET" + {{- if .Values.sso.microsoft.clientExistingSecret }} + valueFrom: + secretKeyRef: + name: {{ .Values.sso.microsoft.clientExistingSecret | quote }} + key: {{ .Values.sso.microsoft.clientExistingSecretKey | quote }} + {{- else }} value: {{ .Values.sso.microsoft.clientSecret | quote }} + {{- end }} - name: "MICROSOFT_CLIENT_TENANT_ID" value: {{ .Values.sso.microsoft.tenantId | quote }} {{- end }} {{- if .Values.sso.github.enabled }} - name: "GITHUB_CLIENT_ID" value: {{ .Values.sso.github.clientId | quote }} + {{- include "sso.validateClientSecret" (dict "provider" "github" "values" .Values.sso) }} - name: "GITHUB_CLIENT_SECRET" + {{- if .Values.sso.github.clientExistingSecret }} + valueFrom: + secretKeyRef: + name: {{ .Values.sso.github.clientExistingSecret | quote }} + key: {{ .Values.sso.github.clientExistingSecretKey | quote }} + {{- else }} value: {{ .Values.sso.github.clientSecret | quote }} {{- end }} + {{- end }} {{- if .Values.sso.oidc.enabled }} - name: "OAUTH_CLIENT_ID" value: {{ .Values.sso.oidc.clientId | quote }} + {{- include "sso.validateClientSecret" (dict "provider" "oidc" "values" .Values.sso) }} - name: "OAUTH_CLIENT_SECRET" + {{- if 
.Values.sso.oidc.clientExistingSecret }} + valueFrom: + secretKeyRef: + name: {{ .Values.sso.oidc.clientExistingSecret | quote }} + key: {{ .Values.sso.oidc.clientExistingSecretKey | quote }} + {{- else }} value: {{ .Values.sso.oidc.clientSecret | quote }} + {{- end }} - name: "OPENID_PROVIDER_URL" value: {{ .Values.sso.oidc.providerUrl | quote }} - name: "OAUTH_PROVIDER_NAME" diff --git a/charts/open-webui/values.yaml b/charts/open-webui/values.yaml index e101f18..0218bfb 100644 --- a/charts/open-webui/values.yaml +++ b/charts/open-webui/values.yaml @@ -415,9 +415,15 @@ sso: # -- Google OAuth client ID # @section -- Google OAuth configuration clientId: "" - # -- Google OAuth client secret + # -- Google OAuth client secret (ignored if clientExistingSecret is set) # @section -- Google OAuth configuration clientSecret: "" + # -- Google OAuth client secret from existing secret + # @section -- Google OAuth configuration + clientExistingSecret: "" + # -- Google OAuth client secret key from existing secret + # @section -- Google OAuth configuration + clientExistingSecretKey: "" microsoft: # -- Enable Microsoft OAuth @@ -426,9 +432,15 @@ sso: # -- Microsoft OAuth client ID # @section -- Microsoft OAuth configuration clientId: "" - # -- Microsoft OAuth client secret + # -- Microsoft OAuth client secret (ignored if clientExistingSecret is set) # @section -- Microsoft OAuth configuration clientSecret: "" + # -- Microsoft OAuth client secret from existing secret + # @section -- Microsoft OAuth configuration + clientExistingSecret: "" + # -- Microsoft OAuth client secret key from existing secret + # @section -- Microsoft OAuth configuration + clientExistingSecretKey: "" # -- Microsoft tenant ID - use 9188040d-6c67-4c5b-b112-36a304b66dad for personal accounts # @section -- Microsoft OAuth configuration tenantId: "" 
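Review bot: The `{{- else }}` branch kept in each of the four provider blocks (google, microsoft, github, oidc) still renders the client secret as a literal `value:` on the container env. With `clientSecret` set, it stays readable to anyone who can read the workload manifest and, presumably, the stored Helm release data. A template comment above the first block would make that trade-off visible to maintainers, e.g. `{{- /* clientSecret is rendered in plain text into the pod spec; prefer clientExistingSecret */}}`. The four blocks differ only in provider and env-var name, so a shared named template taking both would keep them from drifting apart. The env list and the rest of the container spec start and end outside this hunk.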
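Review bot: The comment on `clientExistingSecret` ("Google OAuth client secret from existing secret") does not say that the value is the name of a Kubernetes Secret, and the comment on `clientExistingSecretKey` does not say that it is the data key inside that Secret. Since the template feeds them into `secretKeyRef.name` and `secretKeyRef.key`, the Secret must already exist in the release namespace, which is also worth stating. Suggested wording: `# -- Name of an existing Secret in the release namespace that holds the Google OAuth client secret` and `# -- Key in that Secret whose value is the client secret (required when clientExistingSecret is set)`. The same applies to the microsoft, github and oidc hunks of this file. The oidc hunk also spells the provider `OICD`, which appears to be carried into the generated README table.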
@@ -440,9 +452,15 @@ sso: # -- GitHub OAuth client ID # @section -- GitHub OAuth configuration clientId: "" - # -- GitHub OAuth client secret + # -- GitHub OAuth client secret (ignored if clientExistingSecret is set) # @section -- GitHub OAuth configuration clientSecret: "" + # -- GitHub OAuth client secret from existing secret + # @section -- GitHub OAuth configuration + clientExistingSecret: "" + # -- GitHub OAuth client secret key from existing secret + # @section -- GitHub OAuth configuration + clientExistingSecretKey: "" oidc: # -- Enable OIDC authentication @@ -451,9 +469,15 @@ sso: # -- OIDC client ID # @section -- OIDC configuration clientId: "" - # -- OIDC client secret + # -- OIDC client secret (ignored if clientExistingSecret is set) # @section -- OIDC configuration clientSecret: "" + # -- OICD client secret from existing secret + # @section -- OIDC configuration + clientExistingSecret: "" + # -- OIDC client secret key from existing secret + # @section -- OIDC configuration + clientExistingSecretKey: "" # -- OIDC provider well known URL # @section -- OIDC configuration providerUrl: ""