Merge pull request #226 from mjtrangoni/feature-secrets-oauth

feat(open-webui): Make it possible to define SSO OAuth secrets from Kubernetes Secrets

.github/workflows/helm-release.yml

@@ -50,7 +50,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
@@ -64,9 +64,11 @@ jobs:
           helm repo add ollama https://otwld.github.io/ollama-helm/
           helm repo add open-webui https://helm.openwebui.com/
           helm repo add tika https://apache.jfrog.io/artifactory/tika/
+          helm repo add redis https://charts.bitnami.com/bitnami
+          helm repo add milvus https://zilliztech.github.io/milvus-helm
 
       - name: Run chart-releaser
-        uses: helm/chart-releaser-action@v1.6.0
+        uses: helm/chart-releaser-action@v1.7.0
         with:
           skip_existing: false
           packages_with_index: true

.github/workflows/helm-test-open-webui.yml

@@ -0,0 +1,78 @@
+name: Check Open WebUI Helm Charts (open-webui)
+
+on:
+  pull_request:
+    paths:
+      - "charts/open-webui/**"
+  push:
+    paths:
+      - "charts/open-webui/**"
+
+jobs:
+  lint-chart:
+    name: Lint Helm Chart
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+
+      - name: Add Dependency Repos
+        run: |
+          helm repo add ollama https://otwld.github.io/ollama-helm/
+          helm repo add open-webui https://helm.openwebui.com/
+          helm repo add tika https://apache.jfrog.io/artifactory/tika/
+          helm repo add bitnami https://charts.bitnami.com/bitnami
+          helm repo add milvus https://zilliztech.github.io/milvus-helm
+
+      - name: Build open-webui Helm dependencies
+        run: |
+          helm dependency build ./charts/open-webui
+
+      - name: Lint open-webui Helm Chart
+        run: |
+          helm lint ./charts/open-webui
+
+  test-deploy:
+    name: Test Chart Deployment
+    runs-on: ubuntu-latest
+    needs: lint-chart
+
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+
+      - name: Set up kubectl
+        uses: azure/setup-kubectl@v4
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+
+      - name: Set up KinD Cluster
+        uses: helm/kind-action@v1
+
+      - name: Add Dependency Repos
+        run: |
+          helm repo add ollama https://otwld.github.io/ollama-helm/
+          helm repo add open-webui https://helm.openwebui.com/
+          helm repo add tika https://apache.jfrog.io/artifactory/tika/
+          helm repo add bitnami https://charts.bitnami.com/bitnami
+          helm repo add milvus https://zilliztech.github.io/milvus-helm
+
+      - name: Build open-webui Helm dependencies
+        run: |
+          helm dependency build ./charts/open-webui
+
+      - name: Template open-webui Helm Chart
+        run: |
+          helm template open-webui ./charts/open-webui \
+            --namespace test-namespace --create-namespace > open-webui.yaml
+
+      - name: Verify open-webui
+        run: |
+          kubectl create namespace test-namespace
+          kubectl apply --namespace test-namespace -f open-webui.yaml
+          kubectl wait --namespace test-namespace pod/open-webui-0 --for=condition=Ready --timeout=600s

.github/workflows/helm-test-pipelines.yml

@@ -0,0 +1,55 @@
+name: Check Open WebUI Helm Charts (pipelines)
+
+on:
+  pull_request:
+    paths:
+      - "charts/pipelines/**"
+  push:
+    paths:
+      - "charts/pipelines/**"
+
+jobs:
+  lint-chart:
+    name: Lint Helm Chart
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+      
+      - name: Lint pipelines Helm Chart
+        run: |
+          helm lint ./charts/pipelines
+
+  test-deploy:
+    name: Test Chart Deployment
+    runs-on: ubuntu-latest
+    needs: lint-chart
+
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+
+      - name: Set up kubectl
+        uses: azure/setup-kubectl@v4
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+
+      - name: Set up KinD Cluster
+        uses: helm/kind-action@v1
+
+      - name: Template open-webui Helm Chart
+        run: |
+          helm template pipelines ./charts/pipelines \
+            --namespace test-namespace --create-namespace > pipelines.yaml
+
+      - name: Verify pipelines
+        run: |
+          kubectl create namespace test-namespace
+          kubectl apply --namespace test-namespace -f pipelines.yaml
+          PIPELINE_POD=$(kubectl get --namespace test-namespace pod -L app.kubernetes.io/component=pipelines -o jsonpath='{.items[*].metadata.name}')
+          kubectl wait --namespace test-namespace pod/${PIPELINE_POD} --for=condition=Ready --timeout=600s

.gitignore

@@ -0,0 +1,129 @@
+# Created by https://www.toptal.com/developers/gitignore/api/macos,intellij+all,helm
+# Edit at https://www.toptal.com/developers/gitignore?templates=macos,intellij+all,helm
+
+### Intellij+all ###
+# Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio, WebStorm and Rider
+# Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839
+
+# User-specific stuff
+.idea/**/workspace.xml
+.idea/**/tasks.xml
+.idea/**/usage.statistics.xml
+.idea/**/dictionaries
+.idea/**/shelf
+
+# AWS User-specific
+.idea/**/aws.xml
+
+# Generated files
+.idea/**/contentModel.xml
+
+# Sensitive or high-churn files
+.idea/**/dataSources/
+.idea/**/dataSources.ids
+.idea/**/dataSources.local.xml
+.idea/**/sqlDataSources.xml
+.idea/**/dynamic.xml
+.idea/**/uiDesigner.xml
+.idea/**/dbnavigator.xml
+
+# Gradle
+.idea/**/gradle.xml
+.idea/**/libraries
+
+# Gradle and Maven with auto-import
+# When using Gradle or Maven with auto-import, you should exclude module files,
+# since they will be recreated, and may cause churn.  Uncomment if using
+# auto-import.
+# .idea/artifacts
+# .idea/compiler.xml
+# .idea/jarRepositories.xml
+# .idea/modules.xml
+# .idea/*.iml
+# .idea/modules
+# *.iml
+# *.ipr
+
+# CMake
+cmake-build-*/
+
+# Mongo Explorer plugin
+.idea/**/mongoSettings.xml
+
+# File-based project format
+*.iws
+
+# IntelliJ
+out/
+
+# mpeltonen/sbt-idea plugin
+.idea_modules/
+
+# JIRA plugin
+atlassian-ide-plugin.xml
+
+# Cursive Clojure plugin
+.idea/replstate.xml
+
+# SonarLint plugin
+.idea/sonarlint/
+
+# Crashlytics plugin (for Android Studio and IntelliJ)
+com_crashlytics_export_strings.xml
+crashlytics.properties
+crashlytics-build.properties
+fabric.properties
+
+# Editor-based Rest Client
+.idea/httpRequests
+
+# Android studio 3.1+ serialized cache file
+.idea/caches/build_file_checksums.ser
+
+### Intellij+all Patch ###
+# Ignore everything but code style settings and run configurations
+# that are supposed to be shared within teams.
+
+.idea/*
+
+!.idea/codeStyles
+!.idea/runConfigurations
+
+### macOS ###
+# General
+.DS_Store
+.AppleDouble
+.LSOverride
+
+# Icon must end with two \r
+Icon
+
+
+# Thumbnails
+._*
+
+# Files that might appear in the root of a volume
+.DocumentRevisions-V100
+.fseventsd
+.Spotlight-V100
+.TemporaryItems
+.Trashes
+.VolumeIcon.icns
+.com.apple.timemachine.donotpresent
+
+# Directories potentially created on remote AFP share
+.AppleDB
+.AppleDesktop
+Network Trash Folder
+Temporary Items
+.apdisk
+
+### macOS Patch ###
+# iCloud generated files
+*.icloud
+
+### Helm ###
+# Chart dependencies
+**/charts/*.tgz
+
+# End of https://www.toptal.com/developers/gitignore/api/macos,intellij+all,helm

CONTRIBUTING.md

@@ -2,13 +2,10 @@
 
 ## How to Contribute
 
-> [!WARNING]
-> There is currently a bug in the Helm Chart Releaser Github Action that prevents you from deploying more than one chart on a single run. The best workaround for now is to ensure that pushes to `main` only include changes to a single chart. If you're contributing to more than one chart, please do it in separate PRs until the upstream issue is fixed, or until we can fork and fix the action ourselves. 
-
 1. **Fork the repository** and create your branch from `main`.
 2. **Make your changes** and ensure they follow the guidelines below.
 3. **Test your changes** locally to ensure everything works as expected. This should include deploying your updates to a live Kubernetes cluster (whether local or remote).
-4. **Run helm-docs** to ensure that the README is updated with the latest changes. 
+4. **Run [helm-docs]** to ensure that the README is updated with the latest changes. 
 5. **Commit your changes** using a descriptive commit message that follows the [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/) specification.
 6. **Push your changes** to your forked repository.
 7. **Create a Pull Request** and provide a detailed description of your changes. Please consider dropping us your redacted `values.yaml` file used during your testing in the PR so we can make sure we see consistent results. 
@@ -30,8 +27,12 @@
 
 - **Issues**: If you find any issues or have suggestions for improvements, please create a new issue in the repository before working on a Pull Request.
 
+- **Actions Updates**: If your Pull Request includes adding a new chart dependency, ensure to make the necessary updates to Github Actions to add the chart repo dependency, or else the release run will fail.
+
 ## Getting Help
 
 If you need any help or have questions about contributing, feel free to reach out to the maintainers of the repository.
 
 Thank you for your contributions!
+
+[helm-docs]: https://github.com/norwoodj/helm-docs

charts/open-webui/Chart.lock

@@ -1,12 +1,21 @@
 dependencies:
 - name: ollama
   repository: https://otwld.github.io/ollama-helm/
-  version: 0.67.0
+  version: 1.15.0
 - name: pipelines
   repository: https://helm.openwebui.com
-  version: 0.0.4
+  version: 0.5.0
 - name: tika
   repository: https://apache.jfrog.io/artifactory/tika
   version: 2.9.0
-digest: sha256:fac9d8b93937791cd066e983ae12f7d5d57adc9b3e8c8e4854fd68ebdef54237
-generated: "2024-11-24T12:42:43.794305-07:00"
+- name: redis
+  repository: https://charts.bitnami.com/bitnami
+  version: 20.13.4
+- name: postgresql
+  repository: https://charts.bitnami.com/bitnami
+  version: 16.6.6
+- name: milvus
+  repository: https://zilliztech.github.io/milvus-helm
+  version: 4.2.48
+digest: sha256:2b9b6b33588c4c20ec06dc82186d9a3e78cf0f27c5ff0ef2120ecf8eacdd94d3
+generated: "2025-05-06T00:10:31.22+09:00"

charts/open-webui/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: open-webui
-version: 4.0.2
-appVersion: 0.4.2
+version: 6.7.0
+appVersion: 0.6.6
 home: https://www.openwebui.com/
 icon: >-
   https://raw.githubusercontent.com/open-webui/open-webui/main/static/favicon.png
@@ -10,11 +10,13 @@ keywords:
   - llm
   - chat
   - web-ui
+  - open-webui
 sources:
   - https://github.com/open-webui/helm-charts
   - https://github.com/open-webui/open-webui/pkgs/container/open-webui
   - https://github.com/otwld/ollama-helm/
   - https://hub.docker.com/r/ollama/ollama
+  - https://charts.bitnami.com/bitnami
 annotations:
   licenses: MIT
 dependencies:
@@ -36,3 +38,17 @@ dependencies:
     repository: https://apache.jfrog.io/artifactory/tika
     version: '>=2.9.0'
     condition: tika.enabled
+  - name: redis
+    repository: https://charts.bitnami.com/bitnami
+    version: '>=20.6.2'
+    alias: redis-cluster
+    condition: redis-cluster.enabled
+  - name: postgresql
+    repository: https://charts.bitnami.com/bitnami
+    version: '>=15.5.38'
+    alias: postgresql
+    condition: postgresql.enabled
+  - name: milvus
+    repository: https://zilliztech.github.io/milvus-helm
+    version: '>=4.2.40'
+    condition: milvus.enabled

charts/open-webui/README.md

@@ -1,6 +1,6 @@
 # open-webui
 
-![Version: 3.6.0](https://img.shields.io/badge/Version-3.6.0-informational?style=flat-square) ![AppVersion: 0.3.35](https://img.shields.io/badge/AppVersion-0.3.35-informational?style=flat-square)
+![Version: 6.7.0](https://img.shields.io/badge/Version-6.7.0-informational?style=flat-square) ![AppVersion: 0.6.6](https://img.shields.io/badge/AppVersion-0.6.6-informational?style=flat-square)
 
 Open WebUI: A User-Friendly Web Interface for Chat Interactions 👋
 
@@ -12,6 +12,7 @@ Open WebUI: A User-Friendly Web Interface for Chat Interactions 👋
 * <https://github.com/open-webui/open-webui/pkgs/container/open-webui>
 * <https://github.com/otwld/ollama-helm/>
 * <https://hub.docker.com/r/ollama/ollama>
+* <https://charts.bitnami.com/bitnami>
 
 ## Installing
 
@@ -33,37 +34,145 @@ helm upgrade --install open-webui open-webui/open-webui
 | Repository | Name | Version |
 |------------|------|---------|
 | https://apache.jfrog.io/artifactory/tika | tika | >=2.9.0 |
+| https://charts.bitnami.com/bitnami | postgresql(postgresql) | >=15.5.38 |
+| https://charts.bitnami.com/bitnami | redis-cluster(redis) | >=20.6.2 |
 | https://helm.openwebui.com | pipelines | >=0.0.1 |
 | https://otwld.github.io/ollama-helm/ | ollama | >=0.24.0 |
+| https://zilliztech.github.io/milvus-helm | milvus | >=4.2.40 |
 
 ## Values
 
+### SSO Configuration
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| sso.enableGroupManagement | bool | `false` | Enable OAuth group management through access token groups claim |
+| sso.enableRoleManagement | bool | `false` | Enable OAuth role management through access token roles claim |
+| sso.enableSignup | bool | `false` | Enable account creation when logging in with OAuth (distinct from regular signup) |
+| sso.enabled | bool | `false` | **Enable SSO authentication globally** must enable to use SSO authentication |
+| sso.groupManagement.groupsClaim | string | `"groups"` | The claim that contains the groups (can be nested, e.g., user.memberOf) |
+| sso.mergeAccountsByEmail | bool | `false` | Allow logging into accounts that match email from OAuth provider (considered insecure) |
+
+### GitHub OAuth configuration
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| sso.github.clientExistingSecret | string | `""` | GitHub OAuth client secret from existing secret |
+| sso.github.clientExistingSecretKey | string | `""` | GitHub OAuth client secret key from existing secret |
+| sso.github.clientId | string | `""` | GitHub OAuth client ID |
+| sso.github.clientSecret | string | `""` | GitHub OAuth client secret (ignored if clientExistingSecret is set) |
+| sso.github.enabled | bool | `false` | Enable GitHub OAuth |
+
+### Google OAuth configuration
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| sso.google.clientExistingSecret | string | `""` | Google OAuth client secret from existing secret |
+| sso.google.clientExistingSecretKey | string | `""` | Google OAuth client secret key from existing secret |
+| sso.google.clientId | string | `""` | Google OAuth client ID |
+| sso.google.clientSecret | string | `""` | Google OAuth client secret (ignored if clientExistingSecret is set) |
+| sso.google.enabled | bool | `false` | Enable Google OAuth |
+
+### Microsoft OAuth configuration
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| sso.microsoft.clientExistingSecret | string | `""` | Microsoft OAuth client secret from existing secret |
+| sso.microsoft.clientExistingSecretKey | string | `""` | Microsoft OAuth client secret key from existing secret |
+| sso.microsoft.clientId | string | `""` | Microsoft OAuth client ID |
+| sso.microsoft.clientSecret | string | `""` | Microsoft OAuth client secret (ignored if clientExistingSecret is set) |
+| sso.microsoft.enabled | bool | `false` | Enable Microsoft OAuth |
+| sso.microsoft.tenantId | string | `""` | Microsoft tenant ID - use 9188040d-6c67-4c5b-b112-36a304b66dad for personal accounts |
+
+### OIDC configuration
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| sso.oidc.clientExistingSecret | string | `""` | OICD client secret from existing secret |
+| sso.oidc.clientExistingSecretKey | string | `""` | OIDC client secret key from existing secret |
+| sso.oidc.clientId | string | `""` | OIDC client ID |
+| sso.oidc.clientSecret | string | `""` | OIDC client secret (ignored if clientExistingSecret is set) |
+| sso.oidc.enabled | bool | `false` | Enable OIDC authentication |
+| sso.oidc.providerName | string | `"SSO"` | Name of the provider to show on the UI |
+| sso.oidc.providerUrl | string | `""` | OIDC provider well known URL |
+| sso.oidc.scopes | string | `"openid email profile"` | Scopes to request (space-separated). |
+
+### Role management configuration
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| sso.roleManagement.adminRoles | string | `""` | Comma-separated list of roles allowed to log in as admin (receive open webui role admin) |
+| sso.roleManagement.allowedRoles | string | `""` | Comma-separated list of roles allowed to log in (receive open webui role user) |
+| sso.roleManagement.rolesClaim | string | `"roles"` | The claim that contains the roles (can be nested, e.g., user.roles) |
+
+### SSO trusted header authentication
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| sso.trustedHeader.emailHeader | string | `""` | Header containing the user's email address |
+| sso.trustedHeader.enabled | bool | `false` | Enable trusted header authentication |
+| sso.trustedHeader.nameHeader | string | `""` | Header containing the user's name (optional, used for new user creation) |
+
+### Other Values
+
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | affinity | object | `{}` | Affinity for pod assignment |
 | annotations | object | `{}` |  |
 | clusterDomain | string | `"cluster.local"` | Value of cluster domain |
 | containerSecurityContext | object | `{}` | Configure container security context ref: <https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-containe> |
+| copyAppData.resources | object | `{}` |  |
+| databaseUrl | string | `""` | Configure database URL, needed to work with Postgres (example: `postgresql://<user>:<password>@<service>:<port>/<database>`), leave empty to use the default sqlite database |
+| enableOpenaiApi | bool | `true` | Enables the use of OpenAI APIs |
+| extraEnvFrom | list | `[]` | Env vars added from configmap or secret to the Open WebUI deployment. Most up-to-date environment variables can be found here: https://docs.openwebui.com/getting-started/env-configuration/ (caution: `extraEnvVars` will take precedence over the value from `extraEnvFrom`) |
 | extraEnvVars | list | `[{"name":"OPENAI_API_KEY","value":"0p3n-w3bu!"}]` | Env vars added to the Open WebUI deployment. Most up-to-date environment variables can be found here: https://docs.openwebui.com/getting-started/env-configuration/ |
 | extraEnvVars[0] | object | `{"name":"OPENAI_API_KEY","value":"0p3n-w3bu!"}` | Default API key value for Pipelines. Should be updated in a production deployment, or be changed to the required API key if not using Pipelines |
-| image | object | `{"pullPolicy":"IfNotPresent","repository":"ghcr.io/open-webui/open-webui","tag":""}` | Open WebUI image tags can be found here: https://github.com/open-webui/open-webui/pkgs/container/open-webui |
+| extraInitContainers | list | `[]` | Additional init containers to add to the deployment/statefulset ref: <https://kubernetes.io/docs/concepts/workloads/pods/init-containers/> |
+| extraResources | list | `[]` | Extra resources to deploy with Open WebUI |
+| hostAliases | list | `[]` | HostAliases to be added to hosts-file of each container |
+| image | object | `{"pullPolicy":"IfNotPresent","repository":"ghcr.io/open-webui/open-webui","tag":""}` | Open WebUI image tags can be found here: https://github.com/open-webui/open-webui |
 | imagePullSecrets | list | `[]` | Configure imagePullSecrets to use private registry ref: <https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry> |
-| ingress.annotations | object | `{}` | Use appropriate annotations for your Ingress controller, e.g., for NGINX: nginx.ingress.kubernetes.io/rewrite-target: / |
+| ingress.additionalHosts | list | `[]` |  |
+| ingress.annotations | object | `{}` | Use appropriate annotations for your Ingress controller, e.g., for NGINX: |
 | ingress.class | string | `""` |  |
 | ingress.enabled | bool | `false` |  |
 | ingress.existingSecret | string | `""` |  |
-| ingress.host | string | `""` |  |
+| ingress.host | string | `"chat.example.com"` |  |
 | ingress.tls | bool | `false` |  |
+| livenessProbe | object | `{}` | Probe for liveness of the Open WebUI container ref: <https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes> |
+| managedCertificate.domains[0] | string | `"chat.example.com"` |  |
+| managedCertificate.enabled | bool | `false` |  |
+| managedCertificate.name | string | `"mydomain-chat-cert"` |  |
+| milvus.db | string | `"default"` | Active Milvus database for RAG with env `MILVUS_DB` ref: https://docs.openwebui.com/getting-started/env-configuration#milvus_db |
+| milvus.enabled | bool | `false` | Enable Milvus installation. Deploys a Milvus cluster/standalone with subchart 'milvus' from zilliztech ref: https://github.com/zilliztech/milvus-helm/tree/master/charts/milvus |
+| milvus.fullnameOverride | string | `"open-webui-milvus"` | Milvus fullname override (recommended to be 'open-webui-milvus') - In this case, the Milvus uri will be 'http://[username:password@]open-webui-milvus:19530' |
+| milvus.token | object | `{}` | Active Milvus token for RAG with env `MILVUS_TOKEN` ref: https://docs.openwebui.com/getting-started/env-configuration#milvus_token |
+| milvus.uri | string | `"http://open-webui-milvus:19530"` | Active Milvus URI for RAG with env `MILVUS_URI`. If there is credentials in the uri, it will be used to connect to the Milvus server. ref: https://docs.openwebui.com/getting-started/env-configuration#milvus_uri |
 | nameOverride | string | `""` |  |
+| namespaceOverride | string | `""` |  |
 | nodeSelector | object | `{}` | Node labels for pod assignment. |
 | ollama.enabled | bool | `true` | Automatically install Ollama Helm chart from https://otwld.github.io/ollama-helm/. Use [Helm Values](https://github.com/otwld/ollama-helm/#helm-values) to configure |
 | ollama.fullnameOverride | string | `"open-webui-ollama"` | If enabling embedded Ollama, update fullnameOverride to your desired Ollama name value, or else it will use the default ollama.name value from the Ollama chart |
 | ollamaUrls | list | `[]` | A list of Ollama API endpoints. These can be added in lieu of automatically installing the Ollama Helm chart, or in addition to it. |
-| openaiBaseApiUrl | string | `""` | OpenAI base API URL to use. Defaults to the Pipelines service endpoint when Pipelines are enabled, and "https://api.openai.com/v1" if Pipelines are not enabled and this value is blank |
+| ollamaUrlsFromExtraEnv | bool | `false` | Disables taking Ollama Urls from `ollamaUrls`  list |
+| openaiBaseApiUrl | string | `"https://api.openai.com/v1"` | OpenAI base API URL to use. Defaults to the Pipelines service endpoint when Pipelines are enabled, and "https://api.openai.com/v1" if Pipelines are not enabled and this value is blank |
+| openaiBaseApiUrls | list | `[]` | OpenAI base API URLs to use. Overwrites the value in openaiBaseApiUrl if set |
 | persistence.accessModes | list | `["ReadWriteOnce"]` | If using multiple replicas, you must update accessModes to ReadWriteMany |
 | persistence.annotations | object | `{}` |  |
+| persistence.azure.container | string | `""` | Sets the container name for Azure Storage |
+| persistence.azure.endpointUrl | string | `""` | Sets the endpoint URL for Azure Storage |
+| persistence.azure.key | string | `""` | Set the access key for Azure Storage. Optional - if not provided, credentials will be taken from the environment. User credentials if run locally and Managed Identity if run in Azure services |
 | persistence.enabled | bool | `true` |  |
 | persistence.existingClaim | string | `""` | Use existingClaim if you want to re-use an existing Open WebUI PVC instead of creating a new one |
+| persistence.gcs.appCredentialsJson | string | `""` | Contents of Google Application Credentials JSON file. Optional - if not provided, credentials will be taken from the environment. User credentials if run locally and Google Metadata server if run on a Google Compute Engine. File can be generated for a service account following this guide: https://developers.google.com/workspace/guides/create-credentials#service-account |
+| persistence.gcs.bucket | string | `""` | Sets the bucket name for Google Cloud Storage. Bucket must already exist |
+| persistence.provider | string | `"local"` | Sets the storage provider, availables values are `local`, `s3`, `gcs` or `azure` |
+| persistence.s3.accessKey | string | `""` | Sets the access key ID for S3 storage |
+| persistence.s3.bucket | string | `""` | Sets the bucket name for S3 storage |
+| persistence.s3.endpointUrl | string | `""` | Sets the endpoint url for S3 storage |
+| persistence.s3.keyPrefix | string | `""` | Sets the key prefix for a S3 object |
+| persistence.s3.region | string | `""` | Sets the region name for S3 storage |
+| persistence.s3.secretKey | string | `""` | Sets the secret access key for S3 storage |
 | persistence.selector | object | `{}` |  |
 | persistence.size | string | `"2Gi"` |  |
 | persistence.storageClass | string | `""` |  |
@@ -71,15 +180,60 @@ helm upgrade --install open-webui open-webui/open-webui
 | pipelines.enabled | bool | `true` | Automatically install Pipelines chart to extend Open WebUI functionality using Pipelines: https://github.com/open-webui/pipelines |
 | pipelines.extraEnvVars | list | `[]` | This section can be used to pass required environment variables to your pipelines (e.g. Langfuse hostname) |
 | podAnnotations | object | `{}` |  |
-| podSecurityContext | object | `{}` | Configure pod security context ref: <https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-containe> |
+| podLabels | object | `{}` |  |
+| podSecurityContext | object | `{}` | Configure pod security context ref: <https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container> |
+| postgresql | object | `{"architecture":"standalone","auth":{"database":"open-webui","password":"0p3n-w3bu!","postgresPassword":"0p3n-w3bu!","username":"open-webui"},"enabled":false,"fullnameOverride":"open-webui-postgres","primary":{"persistence":{"size":"1Gi"},"resources":{"limits":{"cpu":"500m","memory":"512Mi"},"requests":{"cpu":"250m","memory":"256Mi"}}}}` | Postgresql configuration (see. https://artifacthub.io/packages/helm/bitnami/postgresql) |
+| rag.embeddingEngine | string | `""` | Embedding engine to use for RAG with env `RAG_EMBEDDING_ENGINE`: ""(empty), "ollama", "openai" ref: https://docs.openwebui.com/getting-started/env-configuration#rag_embedding_engine |
+| rag.embeddingModel | string | `""` | Embedding model to use for RAG with env `RAG_EMBEDDING_MODEL` ref: https://docs.openwebui.com/getting-started/env-configuration#rag_embedding_model |
+| rag.enabled | bool | `false` | Enable RAG ref: https://docs.openwebui.com/getting-started/env-configuration#retrieval-augmented-generation-rag |
+| rag.vectorDB | string | `""` | Vector database configuration ref: https://docs.openwebui.com/getting-started/env-configuration#vector_db |
+| readinessProbe | object | `{}` | Probe for readiness of the Open WebUI container ref: <https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes> |
+| redis-cluster | object | `{"auth":{"enabled":false},"enabled":false,"fullnameOverride":"open-webui-redis","replica":{"replicaCount":3}}` | Deploys a Redis cluster with subchart 'redis' from bitnami |
+| redis-cluster.auth | object | `{"enabled":false}` | Redis Authentication |
+| redis-cluster.auth.enabled | bool | `false` | Enable Redis authentication (disabled by default). For your security, we strongly suggest that you switch to 'auth.enabled=true' |
+| redis-cluster.enabled | bool | `false` | Enable Redis installation |
+| redis-cluster.fullnameOverride | string | `"open-webui-redis"` | Redis cluster name (recommended to be 'open-webui-redis') - In this case, redis url will be 'redis://open-webui-redis-master:6379/0' or 'redis://[:<password>@]open-webui-redis-master:6379/0' |
+| redis-cluster.replica | object | `{"replicaCount":3}` | Replica configuration for the Redis cluster |
+| redis-cluster.replica.replicaCount | int | `3` | Number of Redis replica instances |
 | replicaCount | int | `1` |  |
 | resources | object | `{}` |  |
+| runtimeClassName | string | `""` | Configure runtime class ref: <https://kubernetes.io/docs/concepts/containers/runtime-class/> |
 | service | object | `{"annotations":{},"containerPort":8080,"labels":{},"loadBalancerClass":"","nodePort":"","port":80,"type":"ClusterIP"}` | Service values to expose Open WebUI pods to cluster |
+| serviceAccount.annotations | object | `{}` |  |
+| serviceAccount.automountServiceAccountToken | bool | `false` |  |
+| serviceAccount.enable | bool | `true` |  |
+| serviceAccount.name | string | `""` |  |
+| startupProbe | object | `{}` | Probe for startup of the Open WebUI container ref: <https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes> |
+| strategy | object | `{}` | Strategy for updating the workload manager: deployment or statefulset |
 | tika.enabled | bool | `false` | Automatically install Apache Tika to extend Open WebUI |
 | tolerations | list | `[]` | Tolerations for pod assignment |
 | topologySpreadConstraints | list | `[]` | Topology Spread Constraints for pod assignment |
 | volumeMounts | object | `{"container":[],"initContainer":[]}` | Configure container volume mounts ref: <https://kubernetes.io/docs/tasks/configure-pod-container/configure-volume-storage/> |
 | volumes | list | `[]` | Configure pod volumes ref: <https://kubernetes.io/docs/tasks/configure-pod-container/configure-volume-storage/> |
+| websocket.enabled | bool | `false` | Enables websocket support in Open WebUI with env `ENABLE_WEBSOCKET_SUPPORT` |
+| websocket.manager | string | `"redis"` | Specifies the websocket manager to use with env `WEBSOCKET_MANAGER`: redis (default) |
+| websocket.redis | object | `{"affinity":{},"annotations":{},"args":[],"command":[],"enabled":true,"image":{"pullPolicy":"IfNotPresent","repository":"redis","tag":"7.4.2-alpine3.21"},"labels":{},"name":"open-webui-redis","pods":{"annotations":{}},"resources":{},"securityContext":{},"service":{"annotations":{},"containerPort":6379,"labels":{},"nodePort":"","port":6379,"type":"ClusterIP"},"tolerations":[]}` | Deploys a redis |
+| websocket.redis.affinity | object | `{}` | Redis affinity for pod assignment |
+| websocket.redis.annotations | object | `{}` | Redis annotations |
+| websocket.redis.args | list | `[]` | Redis arguments (overrides default) |
+| websocket.redis.command | list | `[]` | Redis command (overrides default) |
+| websocket.redis.enabled | bool | `true` | Enable redis installation |
+| websocket.redis.image | object | `{"pullPolicy":"IfNotPresent","repository":"redis","tag":"7.4.2-alpine3.21"}` | Redis image |
+| websocket.redis.labels | object | `{}` | Redis labels |
+| websocket.redis.name | string | `"open-webui-redis"` | Redis name |
+| websocket.redis.pods | object | `{"annotations":{}}` | Redis pod |
+| websocket.redis.pods.annotations | object | `{}` | Redis pod annotations |
+| websocket.redis.resources | object | `{}` | Redis resources |
+| websocket.redis.securityContext | object | `{}` | Redis security context |
+| websocket.redis.service | object | `{"annotations":{},"containerPort":6379,"labels":{},"nodePort":"","port":6379,"type":"ClusterIP"}` | Redis service |
+| websocket.redis.service.annotations | object | `{}` | Redis service annotations |
+| websocket.redis.service.containerPort | int | `6379` | Redis container/target port |
+| websocket.redis.service.labels | object | `{}` | Redis service labels |
+| websocket.redis.service.nodePort | string | `""` | Redis service node port. Valid only when type is `NodePort` |
+| websocket.redis.service.port | int | `6379` | Redis service port |
+| websocket.redis.service.type | string | `"ClusterIP"` | Redis service type |
+| websocket.redis.tolerations | list | `[]` | Redis tolerations for pod assignment |
+| websocket.url | string | `"redis://open-webui-redis:6379/0"` | Specifies the URL of the Redis instance for websocket communication. Template with `redis://[:<password>@]<hostname>:<port>/<db>` |
 
 ----------------------------------------------
 

charts/open-webui/templates/NOTES.txt

@@ -0,0 +1,77 @@
+{{- `
+🎉 Welcome to Open WebUI!!
+ ██████╗ ██████╗ ███████╗███╗   ██╗    ██╗    ██╗███████╗██████╗ ██╗   ██╗██╗
+██╔═══██╗██╔══██╗██╔════╝████╗  ██║    ██║    ██║██╔════╝██╔══██╗██║   ██║██║
+██║   ██║██████╔╝█████╗  ██╔██╗ ██║    ██║ █╗ ██║█████╗  ██████╔╝██║   ██║██║
+██║   ██║██╔═══╝ ██╔══╝  ██║╚██╗██║    ██║███╗██║██╔══╝  ██╔══██╗██║   ██║██║
+╚██████╔╝██║     ███████╗██║ ╚████║    ╚███╔███╔╝███████╗██████╔╝╚██████╔╝██║
+ ╚═════╝ ╚═╝     ╚══════╝╚═╝  ╚═══╝     ╚══╝╚══╝ ╚══════╝╚═════╝  ╚═════╝ ╚═╝
+` }}
+v{{ .Chart.AppVersion }} - building the best open-source AI user interface.
+ - Chart Version: v{{ .Chart.Version }}
+ - Project URL 1: {{ .Chart.Home }}
+ - Project URL 2: https://github.com/open-webui/open-webui
+ - Documentation: https://docs.openwebui.com/
+ - Chart URL: https://github.com/open-webui/helm-charts
+
+Open WebUI is a web-based user interface that works with Ollama, OpenAI, Claude 3, Gemini and more.
+This interface allows you to easily interact with local AI models.
+
+1. Deployment Information:
+  - Chart Name: {{ .Chart.Name }}
+  - Release Name: {{ .Release.Name }}
+  - Namespace: {{ .Release.Namespace }}
+
+2. Access the Application:
+{{- if contains "ClusterIP" .Values.service.type }}
+  Access via ClusterIP service:
+
+    export LOCAL_PORT=8080
+    export POD_NAME=$(kubectl get pods -n {{ .Release.Namespace }} -l "app.kubernetes.io/component={{ include "open-webui.name" . }}" -o jsonpath="{.items[0].metadata.name}")
+    export CONTAINER_PORT=$(kubectl get pod -n {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
+    kubectl -n {{ .Release.Namespace }} port-forward $POD_NAME $LOCAL_PORT:$CONTAINER_PORT
+    echo "Visit http://127.0.0.1:$LOCAL_PORT to use your application"
+
+  Then, access the application at: http://127.0.0.1:$LOCAL_PORT or http://localhost:8080
+
+{{- else if contains "NodePort" .Values.service.type }}
+  Access via NodePort service:
+    export NODE_PORT=$(kubectl get -n {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "open-webui.name" . }})
+    export NODE_IP=$(kubectl get nodes -o jsonpath="{.items[0].status.addresses[0].address}")
+    echo http://$NODE_IP:$NODE_PORT
+
+{{- else if contains "LoadBalancer" .Values.service.type }}
+  Access via LoadBalancer service:
+  NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+  NOTE: The external address format depends on your cloud provider:
+    - AWS: Will return a hostname (e.g., xxx.elb.amazonaws.com)
+    - GCP/Azure: Will return an IP address
+  You can watch the status by running:
+
+    kubectl get -n {{ .Release.Namespace }} svc {{ include "open-webui.name" . }} --watch
+    export EXTERNAL_IP=$(kubectl get -n {{ .Release.Namespace }} svc {{ include "open-webui.name" . }} -o jsonpath="{.status.loadBalancer.ingress[0].hostname:-.status.loadBalancer.ingress[0].ip}")
+    echo http://$EXTERNAL_IP:{{ .Values.service.port }}
+{{- end }}
+
+{{- if .Values.ingress.enabled }}
+
+  Ingress is enabled. Access the application at: http{{ if .Values.ingress.tls }}s{{ end }}://{{ .Values.ingress.host }}
+{{- end }}
+
+3. Useful Commands:
+  - Check deployment status:
+      helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+
+  - Get detailed information:
+      helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
+
+  - View logs:
+    {{- if .Values.persistence.enabled }}
+      kubectl logs -f statefulset/{{ include "open-webui.name" . }} -n {{ .Release.Namespace }}
+    {{- else }}
+      kubectl logs -f deployment/{{ include "open-webui.name" . }} -n {{ .Release.Namespace }}
+    {{- end }}
+
+4. Cleanup:
+  - Uninstall the deployment:
+      helm uninstall {{ .Release.Name }} -n {{ .Release.Namespace }}

charts/open-webui/templates/_helpers.tpl

@@ -1,3 +1,14 @@
+{{/*
+Allow the release namespace to be overridden for multi-namespace deployments in combined charts
+*/}}
+{{- define "open-webui.namespace" -}}
+  {{- if .Values.namespaceOverride -}}
+    {{- .Values.namespaceOverride -}}
+  {{- else -}}
+    {{- .Release.Namespace -}}
+  {{- end -}}
+{{- end -}}
+
 {{/*
 Set the name of the Open WebUI resources
 */}}
@@ -141,4 +152,31 @@ Create the service endpoint to use for Pipelines if the subchart is used
 {{- $pipelinesServicePort := .Values.pipelines.service.port | toString }}
 {{- printf "http://%s.%s.svc.%s:%s" (include "pipelines.name" .) (.Release.Namespace) $clusterDomain $pipelinesServicePort }}
 {{- end }}
-{{- end }}
+{{- end }}
+
+{{/*
+Create selector labels to include on chart all websocket resources
+*/}}
+{{- define "websocket.redis.selectorLabels" -}}
+{{ include "base.selectorLabels" . }}
+app.kubernetes.io/component: {{ .Values.websocket.redis.name }}
+{{- end }}
+
+{{/*
+Create labels to include on chart all websocket resources
+*/}}
+{{- define "websocket.redis.labels" -}}
+{{ include "base.labels" . }}
+{{ include "websocket.redis.selectorLabels" . }}
+{{- end }}
+
+{{/*
+Validate SSO ClientSecret to be set literally or via Secret
+*/}}
+{{- define "sso.validateClientSecret" -}}
+{{- $provider := .provider }}
+{{- $values := .values }}
+{{- if and (empty (index $values $provider "clientSecret")) (empty (index $values $provider "clientExistingSecret")) }}
+  {{- fail (printf "You must provide either .Values.sso.%s.clientSecret or .Values.sso.%s.clientExistingSecret" $provider $provider) }}
+{{- end }}
+{{- end }}

charts/open-webui/templates/extra-resources.yaml

@@ -0,0 +1,6 @@
+{{- if .Values.extraResources }}
+{{- range .Values.extraResources }}
+---
+{{ toYaml . | nindent 0 }}
+{{- end }}
+{{- end }}

charts/open-webui/templates/ingress.yaml

@@ -3,6 +3,7 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: {{ include "open-webui.name" . }}
+  namespace: {{ include "open-webui.namespace" . }}
   labels:
     {{- include "open-webui.labels" . | nindent 4 }}
   {{- with .Values.ingress.annotations }}

charts/open-webui/templates/managed-cert.yaml

@@ -0,0 +1,11 @@
+{{- if .Values.managedCertificate.enabled }}
+apiVersion: networking.gke.io/v1
+kind: ManagedCertificate
+metadata:
+  name: {{ .Values.managedCertificate.name | default "mydomain-cert" }}
+spec:
+  domains:
+    {{- range .Values.managedCertificate.domains }}
+    - {{ . | quote }}
+    {{- end }}
+{{- end }}

charts/open-webui/templates/pvc.yaml

@@ -1,8 +1,9 @@
-{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }}
+{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) (eq .Values.persistence.provider "local") }}
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
   name: {{ include "open-webui.name" . }}
+  namespace: {{ include "open-webui.namespace" . }}
   labels:
     {{- include "open-webui.selectorLabels" . | nindent 4 }}
   {{- with .Values.persistence.annotations }}

charts/open-webui/templates/service-account.yaml

@@ -3,12 +3,12 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ .Values.serviceAccount.name | default (include "open-webui.name" .) }}
-  automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
+  namespace: {{ include "open-webui.namespace" . }}
   labels:
     {{- include "open-webui.labels" . | nindent 4 }}
   {{- with .Values.serviceAccount.annotations }}
   annotations:
     {{- toYaml . | nindent 4 }}
   {{- end }}
-  
+automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
 {{- end }}

charts/open-webui/templates/service.yaml

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ include "open-webui.name" . }}
+  namespace: {{ include "open-webui.namespace" . }}
   labels:
     {{- include "open-webui.labels" . | nindent 4 }}
     {{- with .Values.service.labels }}

charts/open-webui/templates/websocket-redis.yaml

@@ -0,0 +1,91 @@
+{{- if and .Values.websocket.enabled .Values.websocket.redis.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .Values.websocket.redis.name }}
+  namespace: {{ include "open-webui.namespace" . }}
+  labels:
+    {{- include "websocket.redis.labels" . | nindent 4 }}
+    {{- with .Values.websocket.redis.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  annotations:
+    {{- with .Values.websocket.redis.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  selector:
+    matchLabels:
+      {{- include "websocket.redis.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "websocket.redis.labels" . | nindent 8 }}
+      annotations:
+        {{- with .Values.websocket.redis.pods.annotations }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      {{- if .Values.websocket.redis.image.pullSecretName }}
+      imagePullSecrets:
+        - name: {{ .Values.websocket.redis.image.pullSecretName }}
+      {{- end }}
+      containers:
+      - name: {{ .Values.websocket.redis.name }}
+        image: "{{ .Values.websocket.redis.image.repository }}:{{ .Values.websocket.redis.image.tag }}"
+        imagePullPolicy: {{ .Values.websocket.redis.image.pullPolicy }}
+        {{- with .Values.websocket.redis.command }}
+        command:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
+        {{- with .Values.websocket.redis.args }}
+        args:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
+        ports:
+        - name: http
+          containerPort: {{ .Values.websocket.redis.service.containerPort }}
+        {{- with .Values.websocket.redis.resources }}
+        resources:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
+      {{- with .Values.websocket.redis.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.websocket.redis.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.websocket.redis.securityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Values.websocket.redis.name }}
+  namespace: {{ include "open-webui.namespace" . }}
+  labels:
+    {{- include "websocket.redis.labels" . | nindent 4 }}
+    {{- with .Values.websocket.redis.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  annotations:
+    {{- with .Values.websocket.redis.service.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  selector:
+    {{- include "websocket.redis.selectorLabels" . | nindent 4 }}
+  type: {{ .Values.websocket.redis.service.type | default "ClusterIP" }}
+  ports:
+  - protocol: TCP
+    name: http
+    port: {{ .Values.websocket.redis.service.port }}
+    targetPort: http
+    {{- if .Values.websocket.redis.service.nodePort }}
+    nodePort: {{ .Values.websocket.redis.service.nodePort | int }}
+    {{- end }}
+{{- end }}

charts/open-webui/templates/workload-manager.yaml

@@ -1,11 +1,12 @@
 apiVersion: apps/v1
-{{- if .Values.persistence.enabled }}
+{{- if and .Values.persistence.enabled (eq .Values.persistence.provider "local") }}
 kind: StatefulSet
 {{- else }}
 kind: Deployment
 {{- end }}
 metadata:
   name: {{ include "open-webui.name" . }}
+  namespace: {{ include "open-webui.namespace" . }}
   labels:
     {{- include "open-webui.labels" . | nindent 4 }}
   {{- with .Values.annotations }}
@@ -14,16 +15,28 @@ metadata:
   {{- end }}
 spec:
   replicas: {{ .Values.replicaCount }}
-  {{- if .Values.persistence.enabled }}
+  {{- if and .Values.persistence.enabled (eq .Values.persistence.provider "local") }}
   serviceName: {{ include "open-webui.name" . }}
   {{- end }}
   selector:
     matchLabels:
       {{- include "open-webui.selectorLabels" . | nindent 6 }}
+  {{- if .Values.strategy }}
+  {{- if and .Values.persistence.enabled (eq .Values.persistence.provider "local") }}
+  updateStrategy:
+    {{- toYaml .Values.strategy | nindent 4 }}
+  {{- else }}
+  strategy:
+    {{- toYaml .Values.strategy | nindent 4 }}
+  {{- end }}
+  {{- end }}
   template:
     metadata:
       labels:
         {{- include "open-webui.labels" . | nindent 8 }}
+        {{- with .Values.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
       {{- with .Values.podAnnotations }}
       annotations:
         {{- toYaml . | nindent 8 }}
@@ -41,12 +54,12 @@ spec:
         {{- end }}
         command: ['sh', '-c', 'cp -R -n /app/backend/data/* /tmp/app-data/']
         {{- with .Values.containerSecurityContext }}
-        {{- with .Values.copyAppData.resources }}
-        resources: {{- toYaml . | nindent 10 }}
-        {{- end }}
         securityContext:
           {{- toYaml . | nindent 10 }}
         {{- end }}
+        {{- with .Values.copyAppData.resources }}
+        resources: {{- toYaml . | nindent 10 }}
+        {{- end }}
         volumeMounts:
         - name: data
           mountPath: /tmp/app-data
@@ -56,8 +69,14 @@ spec:
         {{- with .Values.volumeMounts.initContainer }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
+      {{- with .Values.extraInitContainers }}
+      {{- toYaml . | nindent 6 }}
+      {{- end }}
       enableServiceLinks: false
       automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
+      {{- if .Values.runtimeClassName }}
+      runtimeClassName: {{ .Values.runtimeClassName | quote }}
+      {{- end }}
       {{- if .Values.serviceAccount.enable }}
       serviceAccountName: {{ .Values.serviceAccount.name | default (include "open-webui.name" .) }}
       {{- end }}
@@ -74,6 +93,15 @@ spec:
         ports:
         - name: http
           containerPort: {{ .Values.service.containerPort }}
+        {{- with .Values.livenessProbe }}
+        livenessProbe: {{- toYaml . | nindent 10 }}
+        {{- end }}
+        {{- with .Values.readinessProbe }}
+        readinessProbe: {{- toYaml . | nindent 10 }}
+        {{- end }}
+        {{- with .Values.startupProbe }}
+        startupProbe: {{- toYaml . | nindent 10 }}
+        {{- end }}
         {{- with .Values.resources }}
         resources: {{- toYaml . | nindent 10 }}
         {{- end }}
@@ -91,21 +119,33 @@ spec:
         {{- toYaml . | nindent 8 }}
         {{- end }}
         env:
-        {{- if or .Values.ollamaUrls .Values.ollama.enabled }}
+        {{- if .Values.ollamaUrlsFromExtraEnv}}
+        {{- else if or .Values.ollamaUrls .Values.ollama.enabled }}
         - name: "OLLAMA_BASE_URLS"
           value: {{ include "ollamaBaseUrls" . | quote }}
         {{- else }}
         - name: "ENABLE_OLLAMA_API"
           value: "False"
         {{- end }}
+        {{- if and .Values.enableOpenaiApi .Values.openaiBaseApiUrl (not .Values.openaiBaseApiUrls) (not .Values.pipelines.enabled) }}
+        # If only an OpenAI API value is set, set it to OPENAI_API_BASE_URL
         - name: "OPENAI_API_BASE_URL"
-        {{- if .Values.pipelines.enabled }}
-          value: {{ include "pipelines.serviceEndpoint" . }}
-        {{- else if .Values.openaiBaseApiUrl }}
           value: {{ .Values.openaiBaseApiUrl | quote }}
-        {{- end }}
-        {{- if .Values.extraEnvVars }}
-          {{- toYaml .Values.extraEnvVars | nindent 8 }}
+        {{- else if and .Values.enableOpenaiApi .Values.openaiBaseApiUrl .Values.pipelines.enabled (not .Values.openaiBaseApiUrls) }}
+        # If Pipelines is enabled and OpenAI API value is set, use OPENAI_API_BASE_URLS with combined values
+        - name: "OPENAI_API_BASE_URLS"
+          value: "{{ include "pipelines.serviceEndpoint" . }};{{ .Values.openaiBaseApiUrl }}"
+        {{- else if and .Values.enableOpenaiApi .Values.pipelines.enabled (not .Values.openaiBaseApiUrl) (not .Values.openaiBaseApiUrls) }}
+        # If Pipelines is enabled and no OpenAI API values are set, set OPENAI_API_BASE_URL to the Pipelines server endpoint 
+        - name: "OPENAI_API_BASE_URL"
+          value: {{ include "pipelines.serviceEndpoint" . | quote }}
+        {{- else if and .Values.enableOpenaiApi .Values.openaiBaseApiUrls .Values.pipelines.enabled }}
+        # If OpenAI API value(s) set and Pipelines is enabled, use OPENAI_API_BASE_URLS to support all the endpoints in the chart
+        - name: "OPENAI_API_BASE_URLS"
+          value: "{{ include "pipelines.serviceEndpoint" . }};{{ join ";" .Values.openaiBaseApiUrls }}"
+        {{- else if not .Values.enableOpenaiApi }}
+        - name: "ENABLE_OPENAI_API"
+          value: "False"
         {{- end }}
         {{- if .Values.tika.enabled }}
         - name: "CONTENT_EXTRACTION_ENGINE"
@@ -113,6 +153,181 @@ spec:
         - name: "TIKA_SERVER_URL"
           value: http://{{ .Chart.Name }}-tika:9998
         {{- end }}
+        {{- if eq .Values.persistence.provider "s3" }}
+        - name: "STORAGE_PROVIDER"
+          value: {{ .Values.persistence.provider }}
+        - name: "S3_ACCESS_KEY_ID"
+          value: {{ .Values.persistence.s3.accessKey }}
+        - name: "S3_SECRET_ACCESS_KEY"
+          value: {{ .Values.persistence.s3.secretKey }}
+        - name: "S3_ENDPOINT_URL"
+          value: {{ .Values.persistence.s3.endpointUrl }}
+        - name: "S3_BUCKET_NAME"
+          value: {{ .Values.persistence.s3.bucket }}
+        - name: "S3_REGION_NAME"
+          value: {{ .Values.persistence.s3.region }}
+        - name: "S3_KEY_PREFIX"
+          value: {{ .Values.persistence.s3.keyPrefix }}
+        {{- else if eq .Values.persistence.provider "gcs" }}
+        - name: "STORAGE_PROVIDER"
+          value: {{ .Values.persistence.provider }}
+        - name: "GOOGLE_APPLICATION_CREDENTIALS_JSON"
+          value: {{ .Values.persistence.gcs.appCredentialsJson }}
+        - name: "GCS_BUCKET_NAME"
+          value: {{ .Values.persistence.gcs.bucket }}
+        {{- else if eq .Values.persistence.provider "azure" }}
+        - name: "STORAGE_PROVIDER"
+          value: {{ .Values.persistence.provider }}
+        - name: "AZURE_STORAGE_ENDPOINT"
+          value: {{ .Values.persistence.azure.endpointUrl }}
+        - name: "AZURE_STORAGE_CONTAINER_NAME"
+          value: {{ .Values.persistence.azure.container }}
+        - name: "AZURE_STORAGE_KEY"
+          value: {{ .Values.persistence.azure.key }}
+        {{- end }}
+        {{- if .Values.websocket.enabled }}
+        - name: "ENABLE_WEBSOCKET_SUPPORT"
+          value: "True"
+        - name: "WEBSOCKET_MANAGER"
+          value: {{ .Values.websocket.manager | default "redis" | quote }}
+        - name: "WEBSOCKET_REDIS_URL"
+          value: {{ .Values.websocket.url | quote }}
+        {{- end }}
+        {{- if or .Values.postgresql.enabled .Values.databaseUrl }}
+        - name: "DATABASE_URL"
+          value: {{ .Values.databaseUrl | default (printf "postgresql://%s:%s@%s:%s/%s" .Values.postgresql.auth.username .Values.postgresql.auth.password .Values.postgresql.fullnameOverride "5432" .Values.postgresql.auth.database) }}
+        {{- end }}
+        {{- if .Values.sso.enabled }}
+        {{- if .Values.sso.enableSignup }}
+        - name: "ENABLE_OAUTH_SIGNUP"
+          value: "True"
+        {{- end }}
+        {{- if .Values.sso.mergeAccountsByEmail }}
+        - name: "OAUTH_MERGE_ACCOUNTS_BY_EMAIL"
+          value: "True"
+        {{- end }}
+        {{- if .Values.sso.google.enabled }}
+        - name: "GOOGLE_CLIENT_ID"
+          value: {{ .Values.sso.google.clientId | quote }}
+        {{- include "sso.validateClientSecret" (dict "provider" "google" "values" .Values.sso) }}
+        - name: "GOOGLE_CLIENT_SECRET"
+        {{- if .Values.sso.google.clientExistingSecret }}
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.sso.google.clientExistingSecret | quote }}
+              key: {{ .Values.sso.google.clientExistingSecretKey | quote }}
+        {{- else }}
+          value: {{ .Values.sso.google.clientSecret | quote }}
+        {{- end }}
+        {{- end }}
+        {{- if .Values.sso.microsoft.enabled }}
+        - name: "MICROSOFT_CLIENT_ID"
+          value: {{ .Values.sso.microsoft.clientId | quote }}
+        {{- include "sso.validateClientSecret" (dict "provider" "microsoft" "values" .Values.sso) }}
+        - name: "MICROSOFT_CLIENT_SECRET"
+        {{- if .Values.sso.microsoft.clientExistingSecret }}
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.sso.microsoft.clientExistingSecret | quote }}
+              key: {{ .Values.sso.microsoft.clientExistingSecretKey | quote }}
+        {{- else }}
+          value: {{ .Values.sso.microsoft.clientSecret | quote }}
+        {{- end }}
+        - name: "MICROSOFT_CLIENT_TENANT_ID"
+          value: {{ .Values.sso.microsoft.tenantId | quote }}
+        {{- end }}
+        {{- if .Values.sso.github.enabled }}
+        - name: "GITHUB_CLIENT_ID"
+          value: {{ .Values.sso.github.clientId | quote }}
+        {{- include "sso.validateClientSecret" (dict "provider" "github" "values" .Values.sso) }}
+        - name: "GITHUB_CLIENT_SECRET"
+        {{- if .Values.sso.github.clientExistingSecret }}
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.sso.github.clientExistingSecret | quote }}
+              key: {{ .Values.sso.github.clientExistingSecretKey | quote }}
+        {{- else }}
+          value: {{ .Values.sso.github.clientSecret | quote }}
+        {{- end }}
+        {{- end }}
+        {{- if .Values.sso.oidc.enabled }}
+        - name: "OAUTH_CLIENT_ID"
+          value: {{ .Values.sso.oidc.clientId | quote }}
+        {{- include "sso.validateClientSecret" (dict "provider" "oidc" "values" .Values.sso) }}
+        - name: "OAUTH_CLIENT_SECRET"
+        {{- if .Values.sso.oidc.clientExistingSecret }}
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.sso.oidc.clientExistingSecret | quote }}
+              key: {{ .Values.sso.oidc.clientExistingSecretKey | quote }}
+        {{- else }}
+          value: {{ .Values.sso.oidc.clientSecret | quote }}
+        {{- end }}
+        - name: "OPENID_PROVIDER_URL"
+          value: {{ .Values.sso.oidc.providerUrl | quote }}
+        - name: "OAUTH_PROVIDER_NAME"
+          value: {{ .Values.sso.oidc.providerName | quote }}
+        - name: "OAUTH_SCOPES"
+          value: {{ .Values.sso.oidc.scopes | quote }}
+        {{- end }}
+        {{- if .Values.sso.enableRoleManagement }}
+        - name: "ENABLE_OAUTH_ROLE_MANAGEMENT"
+          value: "True"
+        - name: "OAUTH_ROLES_CLAIM"
+          value: {{ .Values.sso.roleManagement.rolesClaim | quote }}
+        {{- if .Values.sso.roleManagement.allowedRoles }}
+        - name: "OAUTH_ALLOWED_ROLES"
+          value: {{ .Values.sso.roleManagement.allowedRoles | quote }}
+        {{- end }}
+        {{- if .Values.sso.roleManagement.adminRoles }}
+        - name: "OAUTH_ADMIN_ROLES"
+          value: {{ .Values.sso.roleManagement.adminRoles | quote }}
+        {{- end }}
+        {{- end }}
+        {{- if .Values.sso.enableGroupManagement }}
+        - name: "ENABLE_OAUTH_GROUP_MANAGEMENT"
+          value: "True"
+        - name: "OAUTH_GROUP_CLAIM"
+          value: {{ .Values.sso.groupManagement.groupsClaim | quote }}
+        {{- end }}
+        {{- if .Values.sso.trustedHeader.enabled }}
+        - name: "WEBUI_AUTH_TRUSTED_EMAIL_HEADER"
+          value: {{ .Values.sso.trustedHeader.emailHeader | quote }}
+        {{- if .Values.sso.trustedHeader.nameHeader }}
+        - name: "WEBUI_AUTH_TRUSTED_NAME_HEADER"
+          value: {{ .Values.sso.trustedHeader.nameHeader | quote }}
+        {{- end }}
+        {{- end }}
+        {{- end }}
+        {{- if .Values.rag.enabled }}
+        - name: "VECTOR_DB"
+          value: {{ .Values.rag.vectorDB | default "croma" | quote }}
+        {{- if and .Values.rag.enabled .Values.rag.embeddingEngine }}
+        - name: "RAG_EMBEDDING_ENGINE"
+          value: {{ .Values.rag.embeddingEngine | quote }}
+        {{- end }}
+        {{- if and .Values.rag.enabled .Values.rag.embeddingModel }}
+        - name: "RAG_EMBEDDING_MODEL"
+          value: {{ .Values.rag.embeddingModel | quote }}
+        {{- end }}
+        {{- end }}
+        {{- if .Values.milvus.enabled }}
+        - name: "MILVUS_URI"
+          value: {{ .Values.milvus.uri | default "${DATA_DIR}/vector_db/milvus.db" | quote }}
+        - name: "MILVUS_DB"
+          value: {{ .Values.milvus.db | default "default" | quote }}
+        {{- if and .Values.milvus.enabled .Values.milvus.token }}
+        - name: "MILVUS_TOKEN"
+          value: {{ .Values.milvus.token | quote }}
+        {{- end }}
+        {{- end }}
+        {{- if .Values.extraEnvVars }}
+          {{- toYaml .Values.extraEnvVars | nindent 8 }}
+        {{- end }}
+        {{- if .Values.extraEnvFrom }}
+        envFrom:
+          {{- toYaml .Values.extraEnvFrom | nindent 8 }}
+        {{- end }}
         tty: true
       {{- with .Values.nodeSelector }}
       nodeSelector:
@@ -130,12 +345,16 @@ spec:
       topologySpreadConstraints:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with .Values.hostAliases }}
+      hostAliases:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       volumes:
       {{- if and .Values.persistence.enabled .Values.persistence.existingClaim }}
       - name: data
         persistentVolumeClaim:
           claimName: {{ .Values.persistence.existingClaim }}
-      {{- else if not .Values.persistence.enabled }}
+      {{- else if or (not .Values.persistence.enabled) (not (eq .Values.persistence.provider "local")) }}
       - name: data
         emptyDir: {}
       {{- else if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }}

charts/open-webui/values-gke-min.yaml

@@ -0,0 +1,290 @@
+nameOverride: ""
+namespaceOverride: ""
+
+ollama:
+  # -- Automatically install Ollama Helm chart from https://otwld.github.io/ollama-helm/. Use [Helm Values](https://github.com/otwld/ollama-helm/#helm-values) to configure
+  enabled: false
+  # -- If enabling embedded Ollama, update fullnameOverride to your desired Ollama name value, or else it will use the default ollama.name value from the Ollama chart
+  fullnameOverride: "open-webui-ollama"
+  # -- Example Ollama configuration with nvidia GPU enabled, automatically downloading a model, and deploying a PVC for model persistence
+  # ollama:
+  #   gpu:
+  #     enabled: true
+  #     type: 'nvidia'
+  #     number: 1
+  #   models:
+  #     - llama3
+  # runtimeClassName: nvidia
+  # persistentVolume:
+  #   enabled: true
+  #   volumeName: "example-pre-existing-pv-created-by-smb-csi"
+
+pipelines:
+  # -- Automatically install Pipelines chart to extend Open WebUI functionality using Pipelines: https://github.com/open-webui/pipelines
+  enabled: false
+  # -- This section can be used to pass required environment variables to your pipelines (e.g. Langfuse hostname)
+  extraEnvVars: []
+
+tika:
+  # -- Automatically install Apache Tika to extend Open WebUI
+  enabled: false
+
+# -- A list of Ollama API endpoints. These can be added in lieu of automatically installing the Ollama Helm chart, or in addition to it.
+ollamaUrls: []
+
+websocket:
+  # -- Enables websocket support in Open WebUI with env `ENABLE_WEBSOCKET_SUPPORT`
+  enabled: false
+  # -- Specifies the websocket manager to use with env `WEBSOCKET_MANAGER`: redis (default)
+  manager: redis
+  # -- Specifies the URL of the Redis instance for websocket communication. Template with `redis://[:<password>@]<hostname>:<port>/<db>`
+  url: redis://open-webui-redis:6379/0
+  # -- Deploys a redis
+  redis:
+    # -- Enable redis installation
+    enabled: true
+    # -- Redis name
+    name: open-webui-redis
+    # -- Redis labels
+    labels: {}
+    # -- Redis annotations
+    annotations: {}
+    # -- Redis image
+    image:
+      repository: redis
+      tag: 7.4.2-alpine3.21
+      pullPolicy: IfNotPresent
+    # -- Redis command (overrides default)
+    command: []
+    # -- Redis arguments (overrides default)
+    args: []
+    # -- Redis resources
+    resources: {}
+    # -- Redis service
+    service:
+      # -- Redis container/target port
+      containerPort: 6379
+      # -- Redis service type
+      type: ClusterIP
+      # -- Redis service labels
+      labels: {}
+      # -- Redis service annotations
+      annotations: {}
+      # -- Redis service port
+      port: 6379
+      # -- Redis service node port. Valid only when type is `NodePort`
+      nodePort: ""
+
+# -- Deploys a Redis cluster with subchart 'redis' from bitnami
+redis-cluster:
+  # -- Enable Redis installation
+  enabled: false
+  # -- Redis cluster name (recommended to be 'open-webui-redis')
+  # - In this case, redis url will be 'redis://open-webui-redis-master:6379/0' or 'redis://[:<password>@]open-webui-redis-master:6379/0'
+  fullnameOverride: open-webui-redis
+  # -- Redis Authentication
+  auth:
+    # -- Enable Redis authentication (disabled by default). For your security, we strongly suggest that you switch to 'auth.enabled=true'
+    enabled: false
+  # -- Replica configuration for the Redis cluster
+  replica:
+    # -- Number of Redis replica instances
+    replicaCount: 3
+
+# -- Value of cluster domain
+clusterDomain: cluster.local
+
+annotations: {}
+podAnnotations: {}
+podLabels: {}
+replicaCount: 1
+# -- Strategy for updating the workload manager: deployment or statefulset
+strategy: {}
+# -- Open WebUI image tags can be found here: https://github.com/open-webui/open-webui
+image:
+  repository: ghcr.io/open-webui/open-webui
+  tag: ""
+  pullPolicy: "IfNotPresent"
+
+serviceAccount:
+  enable: true
+  name: ""
+  annotations: {}
+  automountServiceAccountToken: false
+
+# -- Configure imagePullSecrets to use private registry
+# ref: <https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry>
+imagePullSecrets: []
+# imagePullSecrets:
+# - name: myRegistryKeySecretName
+
+# -- Probe for liveness of the Open WebUI container
+# ref: <https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes>
+livenessProbe: {}
+# livenessProbe:
+#   httpGet:
+#     path: /health
+#     port: http
+#   failureThreshold: 1
+#   periodSeconds: 10
+
+# -- Probe for readiness of the Open WebUI container
+# ref: <https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes>
+readinessProbe: {}
+# readinessProbe:
+#   httpGet:
+#     path: /health/db
+#     port: http
+#   failureThreshold: 1
+#   periodSeconds: 10
+
+# -- Probe for startup of the Open WebUI container
+# ref: <https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes>
+startupProbe: {}
+# startupProbe:
+#   httpGet:
+#     path: /health
+#     port: http
+#   initialDelaySeconds: 30
+#   periodSeconds: 5
+#   failureThreshold: 20
+
+resources: {}
+
+copyAppData:
+  resources: {}
+
+managedCertificate:
+  enabled: true
+  name: "mydomain-chat-cert"  # You can override this name if needed
+  domains:
+    - chat.example.com # update to your real domain
+
+ingress:
+  enabled: true
+  class: ""
+  # -- Use appropriate annotations for your Ingress controller, e.g., for NGINX:  
+  annotations: 
+    # Example for GKE Ingress
+    kubernetes.io/ingress.class: "gce"
+    kubernetes.io/ingress.global-static-ip-name: "open-webui-external-ip"   #  you need to create this address in GCP console
+    # Force HTTP to redirect to HTTPS
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/permanent-redirect: "https://chat.example.com"
+    networking.gke.io/managed-certificates: "mydomain-chat-cert"
+    # nginx.ingress.kubernetes.io/rewrite-target: / 
+  host: "chat.example.com"  # update to your real domain 
+  additionalHosts: []
+  tls: false
+  existingSecret: ""
+persistence:
+  enabled: true
+  size: 2Gi
+  # -- Use existingClaim if you want to re-use an existing Open WebUI PVC instead of creating a new one
+  existingClaim: ""
+  # -- Subdirectory of Open WebUI PVC to mount. Useful if root directory is not empty.
+  subPath: ""
+  # -- If using multiple replicas, you must update accessModes to ReadWriteMany
+  accessModes:
+    - ReadWriteOnce
+  storageClass: ""
+  selector: {}
+  annotations: {}
+
+# -- Node labels for pod assignment.
+nodeSelector: {}
+
+# -- Tolerations for pod assignment
+tolerations: []
+
+# -- Affinity for pod assignment
+affinity: {}
+
+# -- Topology Spread Constraints for pod assignment
+topologySpreadConstraints: []
+
+# -- Service values to expose Open WebUI pods to cluster
+service:
+  type: LoadBalancer   # changed from ClusterIP to LoadBalancer for external access on GKE
+  annotations: {}
+  port: 80
+  containerPort: 8080
+  nodePort: ""
+  labels: {}
+  loadBalancerClass: ""
+
+# -- OpenAI base API URL to use. Defaults to the Pipelines service endpoint when Pipelines are enabled, and "https://api.openai.com/v1" if Pipelines are not enabled and this value is blank
+openaiBaseApiUrl: ""
+
+# -- Env vars added to the Open WebUI deployment. Most up-to-date environment variables can be found here: https://docs.openwebui.com/getting-started/env-configuration/
+extraEnvVars:
+  # -- Default API key value for Pipelines. Should be updated in a production deployment, or be changed to the required API key if not using Pipelines
+  - name: OPENAI_API_KEY
+    value: "0p3n-w3bu!"
+  # valueFrom:
+  #   secretKeyRef:
+  #     name: pipelines-api-key
+  #     key: api-key
+  # - name: OPENAI_API_KEY
+  #   valueFrom:
+  #     secretKeyRef:
+  #       name: openai-api-key
+  #       key: api-key
+  # - name: OLLAMA_DEBUG
+  #   value: "1"
+
+# -- Configure container volume mounts
+# ref: <https://kubernetes.io/docs/tasks/configure-pod-container/configure-volume-storage/>
+volumeMounts:
+  initContainer: []
+  # - name: ""
+  #   mountPath: ""
+  container: []
+  # - name: ""
+  #   mountPath: ""
+
+# -- Configure pod volumes
+# ref: <https://kubernetes.io/docs/tasks/configure-pod-container/configure-volume-storage/>
+volumes: []
+# - name: ""
+#   configMap:
+#     name: ""
+# - name: ""
+#   emptyDir: {}
+
+# -- Configure pod security context
+# ref: <https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-containe>
+podSecurityContext:
+  {}
+  # fsGroupChangePolicy: Always
+  # sysctls: []
+  # supplementalGroups: []
+  # fsGroup: 1001
+
+
+# -- Configure container security context
+# ref: <https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-containe>
+containerSecurityContext:
+  {}
+  # runAsUser: 1001
+  # runAsGroup: 1001
+  # runAsNonRoot: true
+  # privileged: false
+  # allowPrivilegeEscalation: false
+  # readOnlyRootFilesystem: false
+  # capabilities:
+  #   drop:
+  #     - ALL
+  # seccompProfile:
+  #   type: "RuntimeDefault"
+
+# -- Extra resources to deploy with Open WebUI
+extraResources:
+  []
+  # - apiVersion: v1
+  #   kind: ConfigMap
+  #   metadata:
+  #     name: example-configmap
+  #   data:
+  #     example-key: example-value

charts/open-webui/values-rag-milvus.yaml

@@ -0,0 +1,53 @@
+rag:
+  # -- Enable RAG
+  # ref: https://docs.openwebui.com/getting-started/env-configuration#retrieval-augmented-generation-rag
+  enabled: true
+  vectorDB: milvus
+  embeddingEngine: ""
+  embeddingModel: ""
+
+milvus:
+  # -- Enable Milvus installation. Deploys a Milvus cluster/standalone with subchart 'milvus' from zilliztech
+  # ref: https://github.com/zilliztech/milvus-helm/tree/master/charts/milvus
+  enabled: true
+  uri: "http://open-webui-milvus:19530"
+  db: default
+  token: {}
+  cluster:
+    enabled: false # This means that the Milvus runs with standalone mode
+  minio:
+    enabled: true
+    resources:
+      requests:
+        memory: 50Mi
+    persistence:
+      enabled: true
+      size: 1Gi
+  etcd:
+    enabled: true
+  pulsar:
+    enabled: false
+  pulsarv3:
+    enabled: false
+  kafka:
+    enabled: false
+  externalS3:
+    enabled: false
+  externalEtcd:
+    enabled: false
+
+livenessProbe:
+  httpGet:
+    path: /health
+    port: http
+readinessProbe:
+  httpGet:
+    path: /health/db
+    port: http
+startupProbe:
+  httpGet:
+    path: /health
+    port: http
+  initialDelaySeconds: 30 # Adjust this value according to the startup time of the application
+  periodSeconds: 10 # Adjust this value according to the startup time of the application
+  failureThreshold: 20 # Adjust this value according to the startup time of the application

charts/open-webui/values.yaml

@@ -1,5 +1,5 @@
 nameOverride: ""
-
+namespaceOverride: ""
 ollama:
   # -- Automatically install Ollama Helm chart from https://otwld.github.io/ollama-helm/. Use [Helm Values](https://github.com/otwld/ollama-helm/#helm-values) to configure
   enabled: true
@@ -12,7 +12,10 @@ ollama:
   #     type: 'nvidia'
   #     number: 1
   #   models:
-  #     - llama3
+  #     pull:
+  #       - llama3
+  #     run:
+  #       - llama3
   # runtimeClassName: nvidia
   # persistentVolume:
   #   enabled: true
@@ -31,13 +34,126 @@ tika:
 # -- A list of Ollama API endpoints. These can be added in lieu of automatically installing the Ollama Helm chart, or in addition to it.
 ollamaUrls: []
 
+# -- Disables taking Ollama Urls from `ollamaUrls`  list
+ollamaUrlsFromExtraEnv: false
+
+websocket:
+  # -- Enables websocket support in Open WebUI with env `ENABLE_WEBSOCKET_SUPPORT`
+  enabled: false
+  # -- Specifies the websocket manager to use with env `WEBSOCKET_MANAGER`: redis (default)
+  manager: redis
+  # -- Specifies the URL of the Redis instance for websocket communication. Template with `redis://[:<password>@]<hostname>:<port>/<db>`
+  url: redis://open-webui-redis:6379/0
+  # -- Deploys a redis
+  redis:
+    # -- Enable redis installation
+    enabled: true
+    # -- Redis name
+    name: open-webui-redis
+    # -- Redis labels
+    labels: {}
+    # -- Redis annotations
+    annotations: {}
+    # -- Redis pod
+    pods:
+      # -- Redis pod annotations
+      annotations: {}
+    # -- Redis image
+    image:
+      repository: redis
+      tag: 7.4.2-alpine3.21
+      pullPolicy: IfNotPresent
+    # -- Redis command (overrides default)
+    command: []
+    # -- Redis arguments (overrides default)
+    args: []
+    # -- Redis resources
+    resources: {}
+    # -- Redis service
+    service:
+      # -- Redis container/target port
+      containerPort: 6379
+      # -- Redis service type
+      type: ClusterIP
+      # -- Redis service labels
+      labels: {}
+      # -- Redis service annotations
+      annotations: {}
+      # -- Redis service port
+      port: 6379
+      # -- Redis service node port. Valid only when type is `NodePort`
+      nodePort: ""
+    # -- Redis tolerations for pod assignment
+    tolerations: []
+
+    # -- Redis affinity for pod assignment
+    affinity: {}
+
+    # -- Redis security context
+    securityContext:
+      {}
+      # runAsUser: 999
+      # runAsGroup: 1000
+
+# -- Deploys a Redis cluster with subchart 'redis' from bitnami
+redis-cluster:
+  # -- Enable Redis installation
+  enabled: false
+  # -- Redis cluster name (recommended to be 'open-webui-redis')
+  # - In this case, redis url will be 'redis://open-webui-redis-master:6379/0' or 'redis://[:<password>@]open-webui-redis-master:6379/0'
+  fullnameOverride: open-webui-redis
+  # -- Redis Authentication
+  auth:
+    # -- Enable Redis authentication (disabled by default). For your security, we strongly suggest that you switch to 'auth.enabled=true'
+    enabled: false
+  # -- Replica configuration for the Redis cluster
+  replica:
+    # -- Number of Redis replica instances
+    replicaCount: 3
+
+rag:
+  # -- Enable RAG
+  # ref: https://docs.openwebui.com/getting-started/env-configuration#retrieval-augmented-generation-rag
+  enabled: false
+  # -- Vector database configuration
+  # ref: https://docs.openwebui.com/getting-started/env-configuration#vector_db
+  vectorDB: ""
+  # -- Embedding engine to use for RAG with env `RAG_EMBEDDING_ENGINE`: ""(empty), "ollama", "openai"
+  # ref: https://docs.openwebui.com/getting-started/env-configuration#rag_embedding_engine
+  embeddingEngine: ""
+  # -- Embedding model to use for RAG with env `RAG_EMBEDDING_MODEL`
+  # ref: https://docs.openwebui.com/getting-started/env-configuration#rag_embedding_model
+  embeddingModel: ""
+
+milvus:
+  # -- Enable Milvus installation. Deploys a Milvus cluster/standalone with subchart 'milvus' from zilliztech
+  # ref: https://github.com/zilliztech/milvus-helm/tree/master/charts/milvus
+  enabled: false
+  # -- Milvus fullname override (recommended to be 'open-webui-milvus')
+  # - In this case, the Milvus uri will be 'http://[username:password@]open-webui-milvus:19530'
+  fullnameOverride: open-webui-milvus
+  # -- Active Milvus URI for RAG with env `MILVUS_URI`. If there is credentials in the uri, it will be used to connect to the Milvus server.
+  # ref: https://docs.openwebui.com/getting-started/env-configuration#milvus_uri
+  uri: "http://open-webui-milvus:19530"
+  # -- Example `milvus.uri` with credentials (Not recommended for production. Use `env` with `secretKeyRef` instead)
+  # uri: "http://username:password@open-webui-milvus:19530"
+  # -- Active Milvus database for RAG with env `MILVUS_DB`
+  # ref: https://docs.openwebui.com/getting-started/env-configuration#milvus_db
+  db: default
+  # -- Active Milvus token for RAG with env `MILVUS_TOKEN`
+  # ref: https://docs.openwebui.com/getting-started/env-configuration#milvus_token
+  token: {}
+
 # -- Value of cluster domain
 clusterDomain: cluster.local
 
 annotations: {}
 podAnnotations: {}
+podLabels: {}
 replicaCount: 1
-# -- Open WebUI image tags can be found here: https://github.com/open-webui/open-webui/pkgs/container/open-webui
+# -- Strategy for updating the workload manager: deployment or statefulset
+strategy: {}
+# -- Open WebUI image tags can be found here: https://github.com/open-webui/open-webui
 image:
   repository: ghcr.io/open-webui/open-webui
   tag: ""
@@ -55,14 +171,63 @@ imagePullSecrets: []
 # imagePullSecrets:
 # - name: myRegistryKeySecretName
 
+# -- Probe for liveness of the Open WebUI container
+# ref: <https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes>
+livenessProbe: {}
+# livenessProbe:
+#   httpGet:
+#     path: /health
+#     port: http
+#   failureThreshold: 1
+#   periodSeconds: 10
+
+# -- Probe for readiness of the Open WebUI container
+# ref: <https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes>
+readinessProbe: {}
+# readinessProbe:
+#   httpGet:
+#     path: /health/db
+#     port: http
+#   failureThreshold: 1
+#   periodSeconds: 10
+
+# -- Probe for startup of the Open WebUI container
+# ref: <https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes>
+startupProbe: {}
+# startupProbe:
+#   httpGet:
+#     path: /health
+#     port: http
+#   initialDelaySeconds: 30
+#   periodSeconds: 5
+#   failureThreshold: 20
+
 resources: {}
+
+copyAppData:
+  resources: {}
+
+managedCertificate:
+  enabled: false
+  name: "mydomain-chat-cert" # You can override this name if needed
+  domains:
+    - chat.example.com # update to your real domain
+
 ingress:
   enabled: false
   class: ""
   # -- Use appropriate annotations for your Ingress controller, e.g., for NGINX:
-  # nginx.ingress.kubernetes.io/rewrite-target: /
   annotations: {}
-  host: ""
+  #   # Example for GKE Ingress
+  #   kubernetes.io/ingress.class: "gce"
+  #   kubernetes.io/ingress.global-static-ip-name: "open-webui-external-ip"   #  you need to create this address in GCP console
+  #   # Force HTTP to redirect to HTTPS
+  #   nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+  #   nginx.ingress.kubernetes.io/ssl-redirect: "true"
+  #   nginx.ingress.kubernetes.io/permanent-redirect: "https://chat.example.com"
+  #   networking.gke.io/managed-certificates: "mydomain-chat-cert"
+  #   # nginx.ingress.kubernetes.io/rewrite-target: /
+  host: "chat.example.com" # update to your real domain
   additionalHosts: []
   tls: false
   existingSecret: ""
@@ -79,6 +244,33 @@ persistence:
   storageClass: ""
   selector: {}
   annotations: {}
+  # -- Sets the storage provider, availables values are `local`, `s3`, `gcs` or `azure`
+  provider: local
+  s3:
+    # -- Sets the access key ID for S3 storage
+    accessKey: ""
+    # -- Sets the secret access key for S3 storage
+    secretKey: ""
+    # -- Sets the endpoint url for S3 storage
+    endpointUrl: ""
+    # -- Sets the region name for S3 storage
+    region:	""
+    # -- Sets the bucket name for S3 storage
+    bucket:	""
+    # -- Sets the key prefix for a S3 object
+    keyPrefix: ""
+  gcs:
+    # -- Contents of Google Application Credentials JSON file. Optional - if not provided, credentials will be taken from the environment. User credentials if run locally and Google Metadata server if run on a Google Compute Engine. File can be generated for a service account following this guide: https://developers.google.com/workspace/guides/create-credentials#service-account
+    appCredentialsJson: ""
+    # -- Sets the bucket name for Google Cloud Storage. Bucket must already exist
+    bucket: ""
+  azure:
+    # -- Sets the endpoint URL for Azure Storage
+    endpointUrl: ""
+    # -- Sets the container name for Azure Storage
+    container: ""
+    # -- Set the access key for Azure Storage. Optional - if not provided, credentials will be taken from the environment. User credentials if run locally and Managed Identity if run in Azure services
+    key: ""
 
 # -- Node labels for pod assignment.
 nodeSelector: {}
@@ -92,6 +284,9 @@ affinity: {}
 # -- Topology Spread Constraints for pod assignment
 topologySpreadConstraints: []
 
+# -- HostAliases to be added to hosts-file of each container
+hostAliases: []
+
 # -- Service values to expose Open WebUI pods to cluster
 service:
   type: ClusterIP
@@ -102,8 +297,17 @@ service:
   labels: {}
   loadBalancerClass: ""
 
+# -- Enables the use of OpenAI APIs
+enableOpenaiApi: true
+
 # -- OpenAI base API URL to use. Defaults to the Pipelines service endpoint when Pipelines are enabled, and "https://api.openai.com/v1" if Pipelines are not enabled and this value is blank
-openaiBaseApiUrl: ""
+openaiBaseApiUrl: "https://api.openai.com/v1"
+
+# -- OpenAI base API URLs to use. Overwrites the value in openaiBaseApiUrl if set
+openaiBaseApiUrls:
+  []
+  # - "https://api.openai.com/v1"
+  # - "https://api.company.openai.com/v1"
 
 # -- Env vars added to the Open WebUI deployment. Most up-to-date environment variables can be found here: https://docs.openwebui.com/getting-started/env-configuration/
 extraEnvVars:
@@ -122,6 +326,17 @@ extraEnvVars:
   # - name: OLLAMA_DEBUG
   #   value: "1"
 
+# -- Env vars added from configmap or secret to the Open WebUI deployment. Most up-to-date environment variables can be found here: https://docs.openwebui.com/getting-started/env-configuration/ (caution: `extraEnvVars` will take precedence over the value from `extraEnvFrom`)
+extraEnvFrom: []
+  # - configMapRef:
+  #     name: my-config
+  # - secretRef:
+  #     name: my-secret
+
+# -- Configure runtime class
+# ref: <https://kubernetes.io/docs/concepts/containers/runtime-class/>
+runtimeClassName: ""
+
 # -- Configure container volume mounts
 # ref: <https://kubernetes.io/docs/tasks/configure-pod-container/configure-volume-storage/>
 volumeMounts:
@@ -132,6 +347,16 @@ volumeMounts:
   # - name: ""
   #   mountPath: ""
 
+# -- Additional init containers to add to the deployment/statefulset
+# ref: <https://kubernetes.io/docs/concepts/workloads/pods/init-containers/>
+extraInitContainers: []
+# - name: custom-init
+#   image: busybox:latest
+#   command: ['sh', '-c', 'echo "Custom init container running"']
+#   volumeMounts:
+#   - name: data
+#     mountPath: /data
+
 # -- Configure pod volumes
 # ref: <https://kubernetes.io/docs/tasks/configure-pod-container/configure-volume-storage/>
 volumes: []
@@ -142,7 +367,7 @@ volumes: []
 #   emptyDir: {}
 
 # -- Configure pod security context
-# ref: <https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-containe>
+# ref: <https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container>
 podSecurityContext:
   {}
   # fsGroupChangePolicy: Always
@@ -150,7 +375,6 @@ podSecurityContext:
   # supplementalGroups: []
   # fsGroup: 1001
 
-
 # -- Configure container security context
 # ref: <https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-containe>
 containerSecurityContext:
@@ -166,3 +390,161 @@ containerSecurityContext:
   #     - ALL
   # seccompProfile:
   #   type: "RuntimeDefault"
+
+sso:
+  # -- **Enable SSO authentication globally** must enable to use SSO authentication
+  # @section -- SSO Configuration
+  enabled: false
+  # -- Enable account creation when logging in with OAuth (distinct from regular signup)
+  # @section -- SSO Configuration
+  enableSignup: false
+  # -- Allow logging into accounts that match email from OAuth provider (considered insecure)
+  # @section -- SSO Configuration
+  mergeAccountsByEmail: false
+  # -- Enable OAuth role management through access token roles claim
+  # @section -- SSO Configuration
+  enableRoleManagement: false
+  # -- Enable OAuth group management through access token groups claim
+  # @section -- SSO Configuration
+  enableGroupManagement: false
+
+  google:
+    # -- Enable Google OAuth
+    # @section -- Google OAuth configuration
+    enabled: false
+    # -- Google OAuth client ID
+    # @section -- Google OAuth configuration
+    clientId: ""
+    # -- Google OAuth client secret (ignored if clientExistingSecret is set)
+    # @section -- Google OAuth configuration
+    clientSecret: ""
+    # -- Google OAuth client secret from existing secret
+    # @section -- Google OAuth configuration
+    clientExistingSecret: ""
+    # -- Google OAuth client secret key from existing secret
+    # @section -- Google OAuth configuration
+    clientExistingSecretKey: ""
+
+  microsoft:
+    # -- Enable Microsoft OAuth
+    # @section -- Microsoft OAuth configuration
+    enabled: false
+    # -- Microsoft OAuth client ID
+    # @section -- Microsoft OAuth configuration
+    clientId: ""
+    # -- Microsoft OAuth client secret (ignored if clientExistingSecret is set)
+    # @section -- Microsoft OAuth configuration
+    clientSecret: ""
+    # -- Microsoft OAuth client secret from existing secret
+    # @section -- Microsoft OAuth configuration
+    clientExistingSecret: ""
+    # -- Microsoft OAuth client secret key from existing secret
+    # @section -- Microsoft OAuth configuration
+    clientExistingSecretKey: ""
+    # -- Microsoft tenant ID - use 9188040d-6c67-4c5b-b112-36a304b66dad for personal accounts
+    # @section -- Microsoft OAuth configuration
+    tenantId: ""
+
+  github:
+    # -- Enable GitHub OAuth
+    # @section -- GitHub OAuth configuration
+    enabled: false
+    # -- GitHub OAuth client ID
+    # @section -- GitHub OAuth configuration
+    clientId: ""
+    # -- GitHub OAuth client secret (ignored if clientExistingSecret is set)
+    # @section -- GitHub OAuth configuration
+    clientSecret: ""
+    # -- GitHub OAuth client secret from existing secret
+    # @section -- GitHub OAuth configuration
+    clientExistingSecret: ""
+    # -- GitHub OAuth client secret key from existing secret
+    # @section -- GitHub OAuth configuration
+    clientExistingSecretKey: ""
+
+  oidc:
+    # -- Enable OIDC authentication
+    # @section -- OIDC configuration
+    enabled: false
+    # -- OIDC client ID
+    # @section -- OIDC configuration
+    clientId: ""
+    # -- OIDC client secret (ignored if clientExistingSecret is set)
+    # @section -- OIDC configuration
+    clientSecret: ""
+    # -- OICD client secret from existing secret
+    # @section -- OIDC configuration
+    clientExistingSecret: ""
+    # -- OIDC client secret key from existing secret
+    # @section -- OIDC configuration
+    clientExistingSecretKey: ""
+    # -- OIDC provider well known URL
+    # @section -- OIDC configuration
+    providerUrl: ""
+    # -- Name of the provider to show on the UI
+    # @section -- OIDC configuration
+    providerName: "SSO"
+    # -- Scopes to request (space-separated).
+    # @section -- OIDC configuration
+    scopes: "openid email profile"
+
+  roleManagement:
+    # -- The claim that contains the roles (can be nested, e.g., user.roles)
+    # @section -- Role management configuration
+    rolesClaim: "roles"
+    # -- Comma-separated list of roles allowed to log in (receive open webui role user)
+    # @section -- Role management configuration
+    allowedRoles: ""
+    # -- Comma-separated list of roles allowed to log in as admin (receive open webui role admin)
+    # @section -- Role management configuration
+    adminRoles: ""
+
+  groupManagement:
+    # -- The claim that contains the groups (can be nested, e.g., user.memberOf)
+    # @section -- SSO Configuration
+    groupsClaim: "groups"
+
+  trustedHeader:
+    # -- Enable trusted header authentication
+    # @section -- SSO trusted header authentication
+    enabled: false
+    # -- Header containing the user's email address
+    # @section -- SSO trusted header authentication
+    emailHeader: ""
+    # -- Header containing the user's name (optional, used for new user creation)
+    # @section -- SSO trusted header authentication
+    nameHeader: ""
+
+# -- Extra resources to deploy with Open WebUI
+extraResources:
+  []
+  # - apiVersion: v1
+  #   kind: ConfigMap
+  #   metadata:
+  #     name: example-configmap
+  #   data:
+  #     example-key: example-value
+
+# -- Configure database URL, needed to work with Postgres (example: `postgresql://<user>:<password>@<service>:<port>/<database>`), leave empty to use the default sqlite database
+databaseUrl: ""
+
+# -- Postgresql configuration (see. https://artifacthub.io/packages/helm/bitnami/postgresql)
+postgresql:
+  enabled: false
+  fullnameOverride: open-webui-postgres
+  architecture: standalone
+  auth:
+    database: open-webui
+    postgresPassword: 0p3n-w3bu!
+    username: open-webui
+    password: 0p3n-w3bu!
+  primary:
+    persistence:
+      size: 1Gi
+    resources:
+      requests:
+        memory: 256Mi
+        cpu: 250m
+      limits:
+        memory: 512Mi
+        cpu: 500m

charts/pipelines/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: pipelines
-version: 0.0.4
+version: 0.5.0
 appVersion: "alpha"
 
 home: https://github.com/open-webui/pipelines

charts/pipelines/README.md

@@ -1,6 +1,6 @@
 # pipelines
 
-![Version: 0.0.4](https://img.shields.io/badge/Version-0.0.4-informational?style=flat-square) ![AppVersion: alpha](https://img.shields.io/badge/AppVersion-alpha-informational?style=flat-square)
+![Version: 0.5.0](https://img.shields.io/badge/Version-0.5.0-informational?style=flat-square) ![AppVersion: alpha](https://img.shields.io/badge/AppVersion-alpha-informational?style=flat-square)
 
 Pipelines: UI-Agnostic OpenAI API Plugin Framework
 
@@ -35,6 +35,9 @@ helm upgrade --install open-webui open-webui/pipelines
 | clusterDomain | string | `"cluster.local"` | Value of cluster domain |
 | extraEnvVars | list | `[{"name":"PIPELINES_URLS","value":"https://github.com/open-webui/pipelines/blob/main/examples/filters/detoxify_filter_pipeline.py"}]` | Additional environments variables on the output Deployment definition. These are used to pull initial Pipeline files, and help configure Pipelines with required values (e.g. Langfuse API keys) |
 | extraEnvVars[0] | object | `{"name":"PIPELINES_URLS","value":"https://github.com/open-webui/pipelines/blob/main/examples/filters/detoxify_filter_pipeline.py"}` | Example pipeline to pull and load on deployment startup, see current pipelines here: https://github.com/open-webui/pipelines/blob/main/examples |
+| extraInitContainers | list | `[]` | Additional init containers to add to the deployment ref: <https://kubernetes.io/docs/concepts/workloads/pods/init-containers/> |
+| extraResources | list | `[]` | Extra resources to deploy with Open WebUI Pipelines |
+| hostAliases | list | `[]` | HostAliases to be added to hosts-file of each container |
 | image.pullPolicy | string | `"Always"` |  |
 | image.repository | string | `"ghcr.io/open-webui/pipelines"` |  |
 | image.tag | string | `"main"` |  |
@@ -46,6 +49,7 @@ helm upgrade --install open-webui open-webui/pipelines
 | ingress.host | string | `""` |  |
 | ingress.tls | bool | `false` |  |
 | nameOverride | string | `""` |  |
+| namespaceOverride | string | `""` |  |
 | nodeSelector | object | `{}` | Node labels for pod assignment. |
 | persistence.accessModes | list | `["ReadWriteOnce"]` | If using multiple replicas, you must update accessModes to ReadWriteMany |
 | persistence.annotations | object | `{}` |  |
@@ -55,6 +59,7 @@ helm upgrade --install open-webui open-webui/pipelines
 | persistence.size | string | `"2Gi"` |  |
 | persistence.storageClass | string | `""` |  |
 | podAnnotations | object | `{}` |  |
+| podLabels | object | `{}` |  |
 | replicaCount | int | `1` |  |
 | resources | object | `{}` |  |
 | service.annotations | object | `{}` |  |
@@ -64,7 +69,12 @@ helm upgrade --install open-webui open-webui/pipelines
 | service.nodePort | string | `""` |  |
 | service.port | int | `9099` |  |
 | service.type | string | `"ClusterIP"` |  |
+| serviceAccount.automountServiceAccountToken | bool | `false` |  |
+| serviceAccount.enable | bool | `true` |  |
+| strategy | object | `{}` | Strategy for updating the deployment |
 | tolerations | list | `[]` | Tolerations for pod assignment |
+| volumeMounts | list | `[]` | Configure container volume mounts ref: <https://kubernetes.io/docs/tasks/configure-pod-container/configure-volume-storage/> |
+| volumes | list | `[]` | Configure pod volumes ref: <https://kubernetes.io/docs/tasks/configure-pod-container/configure-volume-storage/> |
 
 ----------------------------------------------
 

charts/pipelines/templates/_helpers.tpl

@@ -1,3 +1,14 @@
+{{/*
+Allow the release namespace to be overridden for multi-namespace deployments in combined charts
+*/}}
+{{- define "pipelines.namespace" -}}
+  {{- if .Values.namespaceOverride -}}
+    {{- .Values.namespaceOverride -}}
+  {{- else -}}
+    {{- .Release.Namespace -}}
+  {{- end -}}
+{{- end -}}
+
 {{/*
 Set the name of the Pipelines resources
 */}}

charts/pipelines/templates/deployment.yaml

@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ include "pipelines.name" . }}
+  namespace: {{ include "pipelines.namespace" . }}
   labels:
     {{- include "pipelines.labels" . | nindent 4 }}
   {{- with .Values.annotations }}
@@ -13,10 +14,17 @@ spec:
   selector:
     matchLabels:
       {{- include "pipelines.selectorLabels" . | nindent 6 }}
+  {{- with .Values.strategy }}
+  strategy:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
   template:
     metadata:
       labels:
         {{- include "pipelines.labels" . | nindent 8 }}
+        {{- with .Values.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
       {{- with .Values.podAnnotations }}
       annotations:
         {{- toYaml . | nindent 8 }}
@@ -26,8 +34,15 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with .Values.extraInitContainers }}
+      initContainers:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       enableServiceLinks: false
-      automountServiceAccountToken: false
+      automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken | default false }}
+      {{- if .Values.serviceAccount.enable }}
+      serviceAccountName: {{ .Values.serviceAccount.name | default (include "pipelines.name" .) }}
+      {{- end }}
       containers:
       - name: {{ .Chart.Name }}
         {{- with .Values.image }}
@@ -42,7 +57,10 @@ spec:
         {{- end }}
         volumeMounts:
         - name: data
-          mountPath: /app/backend/data
+          mountPath: /app/pipelines
+        {{- with .Values.volumeMounts }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
         env:
         {{- if .Values.extraEnvVars }}
           {{- toYaml .Values.extraEnvVars | nindent 8 }}
@@ -60,6 +78,10 @@ spec:
       affinity:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with .Values.hostAliases }}
+      hostAliases:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       volumes:
       {{- if and .Values.persistence.enabled .Values.persistence.existingClaim }}
       - name: data
@@ -73,3 +95,6 @@ spec:
         persistentVolumeClaim:
           claimName: {{ include "pipelines.name" . }}
       {{- end }}
+      {{- with .Values.volumes }}
+      {{- toYaml . | nindent 6 }}
+      {{- end }}

charts/pipelines/templates/extra-resources.yaml

@@ -0,0 +1,6 @@
+{{- if .Values.extraResources }}
+{{- range .Values.extraResources }}
+---
+{{ toYaml . | nindent 0 }}
+{{- end }}
+{{- end }}

charts/pipelines/templates/pvc.yaml

@@ -3,6 +3,7 @@ apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
   name: {{ include "pipelines.name" . }}
+  namespace: {{ include "pipelines.namespace" . }}
   labels:
     {{- include "pipelines.selectorLabels" . | nindent 4 }}
   {{- with .Values.persistence.annotations }}

charts/pipelines/templates/service-account.yaml

@@ -0,0 +1,13 @@
+{{- if .Values.serviceAccount.enable }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.serviceAccount.name | default (include "pipelines.name" .) }}
+  namespace: {{ include "pipelines.namespace" . }}
+  labels:
+    {{- include "pipelines.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}

charts/pipelines/templates/service.yaml

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ include "pipelines.name" . }}
+  namespace: {{ include "pipelines.namespace" . }}
   labels:
     {{- include "pipelines.labels" . | nindent 4 }}
     {{- with .Values.service.labels }}

charts/pipelines/values.yaml

@@ -1,11 +1,15 @@
 nameOverride: ""
+namespaceOverride: ""
 
 # -- Value of cluster domain
 clusterDomain: cluster.local
 
 annotations: {}
 podAnnotations: {}
+podLabels: {}
 replicaCount: 1
+# -- Strategy for updating the deployment
+strategy: {}
 image:
   repository: ghcr.io/open-webui/pipelines
   tag: main
@@ -38,6 +42,10 @@ persistence:
   selector: {}
   annotations: {}
 
+serviceAccount:
+  enable: true
+  automountServiceAccountToken: false
+
 # -- Node labels for pod assignment.
 nodeSelector: {}
 
@@ -47,6 +55,9 @@ tolerations: []
 # -- Affinity for pod assignment
 affinity: {}
 
+# -- HostAliases to be added to hosts-file of each container
+hostAliases: []
+
 service:
   type: ClusterIP
   annotations: {}
@@ -81,3 +92,41 @@ extraEnvVars:
   #       key: secret-key
   # - name: LANGFUSE_HOST
   #   value: https://us.cloud.langfuse.com
+
+# -- Configure container volume mounts
+# ref: <https://kubernetes.io/docs/tasks/configure-pod-container/configure-volume-storage/>
+volumeMounts: []
+  # - name: ""
+  #   mountPath: ""
+
+# -- Additional init containers to add to the deployment
+# ref: <https://kubernetes.io/docs/concepts/workloads/pods/init-containers/>
+extraInitContainers: []
+# - name: custom-init
+#   image: busybox:latest
+#   command: ['sh', '-c', 'echo "Custom init container running"']
+#   volumeMounts:
+#   - name: data
+#     mountPath: /data
+
+# -- Configure pod volumes
+# ref: <https://kubernetes.io/docs/tasks/configure-pod-container/configure-volume-storage/>
+volumes: []
+# - name: ""
+#   configMap:
+#     name: ""
+# - name: ""
+#   secret:
+#     name: ""
+# - name: ""
+#   emptyDir: {}
+
+# -- Extra resources to deploy with Open WebUI Pipelines
+extraResources:
+  []
+  # - apiVersion: v1
+  #   kind: ConfigMap
+  #   metadata:
+  #     name: example-configmap
+  #   data:
+  #     example-key: example-value