Merge pull request #226 from mjtrangoni/feature-secrets-oauth

feat(open-webui): Make it possible to define SSO OAuth secrets from Kubernetes Secrets

.github/workflows/helm-release.yml

@@ -65,6 +65,7 @@ jobs:
           helm repo add open-webui https://helm.openwebui.com/
           helm repo add tika https://apache.jfrog.io/artifactory/tika/
           helm repo add redis https://charts.bitnami.com/bitnami
+          helm repo add milvus https://zilliztech.github.io/milvus-helm
 
       - name: Run chart-releaser
         uses: helm/chart-releaser-action@v1.7.0

.github/workflows/helm-test-open-webui.yml

@@ -20,20 +20,22 @@ jobs:
       - name: Set up Helm
         uses: azure/setup-helm@v4
 
-      - name: Lint open-webui Helm Chart
-        run: |
-          helm lint ./charts/open-webui
-
       - name: Add Dependency Repos
         run: |
           helm repo add ollama https://otwld.github.io/ollama-helm/
           helm repo add open-webui https://helm.openwebui.com/
           helm repo add tika https://apache.jfrog.io/artifactory/tika/
-          helm repo add redis https://charts.bitnami.com/bitnami
+          helm repo add bitnami https://charts.bitnami.com/bitnami
+          helm repo add milvus https://zilliztech.github.io/milvus-helm
+
       - name: Build open-webui Helm dependencies
         run: |
           helm dependency build ./charts/open-webui
 
+      - name: Lint open-webui Helm Chart
+        run: |
+          helm lint ./charts/open-webui
+
   test-deploy:
     name: Test Chart Deployment
     runs-on: ubuntu-latest
@@ -52,6 +54,18 @@ jobs:
       - name: Set up KinD Cluster
         uses: helm/kind-action@v1
 
+      - name: Add Dependency Repos
+        run: |
+          helm repo add ollama https://otwld.github.io/ollama-helm/
+          helm repo add open-webui https://helm.openwebui.com/
+          helm repo add tika https://apache.jfrog.io/artifactory/tika/
+          helm repo add bitnami https://charts.bitnami.com/bitnami
+          helm repo add milvus https://zilliztech.github.io/milvus-helm
+
+      - name: Build open-webui Helm dependencies
+        run: |
+          helm dependency build ./charts/open-webui
+
       - name: Template open-webui Helm Chart
         run: |
           helm template open-webui ./charts/open-webui \

.gitignore

@@ -122,4 +122,8 @@ Temporary Items
 # iCloud generated files
 *.icloud
 
+### Helm ###
+# Chart dependencies
+**/charts/*.tgz
+
 # End of https://www.toptal.com/developers/gitignore/api/macos,intellij+all,helm

CONTRIBUTING.md

@@ -2,9 +2,6 @@
 
 ## How to Contribute
 
-> [!WARNING]
-> There is currently a bug in the Helm Chart Releaser Github Action that prevents you from deploying more than one chart on a single run. The best workaround for now is to ensure that pushes to `main` only include changes to a single chart. If you're contributing to more than one chart, please do it in separate PRs until the upstream issue is fixed, or until we can fork and fix the action ourselves. 
-
 1. **Fork the repository** and create your branch from `main`.
 2. **Make your changes** and ensure they follow the guidelines below.
 3. **Test your changes** locally to ensure everything works as expected. This should include deploying your updates to a live Kubernetes cluster (whether local or remote).

charts/open-webui/Chart.lock

@@ -1,7 +1,7 @@
 dependencies:
 - name: ollama
   repository: https://otwld.github.io/ollama-helm/
-  version: 1.9.0
+  version: 1.15.0
 - name: pipelines
   repository: https://helm.openwebui.com
   version: 0.5.0
@@ -10,6 +10,12 @@ dependencies:
   version: 2.9.0
 - name: redis
   repository: https://charts.bitnami.com/bitnami
-  version: 20.11.3
-digest: sha256:8883c56753b4403161c144cdc5cb1ef3871c75cc511120709c4a848929126200
-generated: "2025-03-13T21:36:36.180953+09:00"
+  version: 20.13.4
+- name: postgresql
+  repository: https://charts.bitnami.com/bitnami
+  version: 16.6.6
+- name: milvus
+  repository: https://zilliztech.github.io/milvus-helm
+  version: 4.2.48
+digest: sha256:2b9b6b33588c4c20ec06dc82186d9a3e78cf0f27c5ff0ef2120ecf8eacdd94d3
+generated: "2025-05-06T00:10:31.22+09:00"

charts/open-webui/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: open-webui
-version: 5.25.0
-appVersion: 0.5.20
+version: 6.7.0
+appVersion: 0.6.6
 home: https://www.openwebui.com/
 icon: >-
   https://raw.githubusercontent.com/open-webui/open-webui/main/static/favicon.png
@@ -43,3 +43,12 @@ dependencies:
     version: '>=20.6.2'
     alias: redis-cluster
     condition: redis-cluster.enabled
+  - name: postgresql
+    repository: https://charts.bitnami.com/bitnami
+    version: '>=15.5.38'
+    alias: postgresql
+    condition: postgresql.enabled
+  - name: milvus
+    repository: https://zilliztech.github.io/milvus-helm
+    version: '>=4.2.40'
+    condition: milvus.enabled

charts/open-webui/README.md

@@ -1,6 +1,6 @@
 # open-webui
 
-![Version: 5.24.0](https://img.shields.io/badge/Version-5.24.0-informational?style=flat-square) ![AppVersion: 0.5.20](https://img.shields.io/badge/AppVersion-0.5.20-informational?style=flat-square)
+![Version: 6.7.0](https://img.shields.io/badge/Version-6.7.0-informational?style=flat-square) ![AppVersion: 0.6.6](https://img.shields.io/badge/AppVersion-0.6.6-informational?style=flat-square)
 
 Open WebUI: A User-Friendly Web Interface for Chat Interactions 👋
 
@@ -34,12 +34,87 @@ helm upgrade --install open-webui open-webui/open-webui
 | Repository | Name | Version |
 |------------|------|---------|
 | https://apache.jfrog.io/artifactory/tika | tika | >=2.9.0 |
+| https://charts.bitnami.com/bitnami | postgresql(postgresql) | >=15.5.38 |
 | https://charts.bitnami.com/bitnami | redis-cluster(redis) | >=20.6.2 |
 | https://helm.openwebui.com | pipelines | >=0.0.1 |
 | https://otwld.github.io/ollama-helm/ | ollama | >=0.24.0 |
+| https://zilliztech.github.io/milvus-helm | milvus | >=4.2.40 |
 
 ## Values
 
+### SSO Configuration
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| sso.enableGroupManagement | bool | `false` | Enable OAuth group management through access token groups claim |
+| sso.enableRoleManagement | bool | `false` | Enable OAuth role management through access token roles claim |
+| sso.enableSignup | bool | `false` | Enable account creation when logging in with OAuth (distinct from regular signup) |
+| sso.enabled | bool | `false` | **Enable SSO authentication globally** must enable to use SSO authentication |
+| sso.groupManagement.groupsClaim | string | `"groups"` | The claim that contains the groups (can be nested, e.g., user.memberOf) |
+| sso.mergeAccountsByEmail | bool | `false` | Allow logging into accounts that match email from OAuth provider (considered insecure) |
+
+### GitHub OAuth configuration
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| sso.github.clientExistingSecret | string | `""` | GitHub OAuth client secret from existing secret |
+| sso.github.clientExistingSecretKey | string | `""` | GitHub OAuth client secret key from existing secret |
+| sso.github.clientId | string | `""` | GitHub OAuth client ID |
+| sso.github.clientSecret | string | `""` | GitHub OAuth client secret (ignored if clientExistingSecret is set) |
+| sso.github.enabled | bool | `false` | Enable GitHub OAuth |
+
+### Google OAuth configuration
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| sso.google.clientExistingSecret | string | `""` | Google OAuth client secret from existing secret |
+| sso.google.clientExistingSecretKey | string | `""` | Google OAuth client secret key from existing secret |
+| sso.google.clientId | string | `""` | Google OAuth client ID |
+| sso.google.clientSecret | string | `""` | Google OAuth client secret (ignored if clientExistingSecret is set) |
+| sso.google.enabled | bool | `false` | Enable Google OAuth |
+
+### Microsoft OAuth configuration
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| sso.microsoft.clientExistingSecret | string | `""` | Microsoft OAuth client secret from existing secret |
+| sso.microsoft.clientExistingSecretKey | string | `""` | Microsoft OAuth client secret key from existing secret |
+| sso.microsoft.clientId | string | `""` | Microsoft OAuth client ID |
+| sso.microsoft.clientSecret | string | `""` | Microsoft OAuth client secret (ignored if clientExistingSecret is set) |
+| sso.microsoft.enabled | bool | `false` | Enable Microsoft OAuth |
+| sso.microsoft.tenantId | string | `""` | Microsoft tenant ID - use 9188040d-6c67-4c5b-b112-36a304b66dad for personal accounts |
+
+### OIDC configuration
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| sso.oidc.clientExistingSecret | string | `""` | OICD client secret from existing secret |
+| sso.oidc.clientExistingSecretKey | string | `""` | OIDC client secret key from existing secret |
+| sso.oidc.clientId | string | `""` | OIDC client ID |
+| sso.oidc.clientSecret | string | `""` | OIDC client secret (ignored if clientExistingSecret is set) |
+| sso.oidc.enabled | bool | `false` | Enable OIDC authentication |
+| sso.oidc.providerName | string | `"SSO"` | Name of the provider to show on the UI |
+| sso.oidc.providerUrl | string | `""` | OIDC provider well known URL |
+| sso.oidc.scopes | string | `"openid email profile"` | Scopes to request (space-separated). |
+
+### Role management configuration
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| sso.roleManagement.adminRoles | string | `""` | Comma-separated list of roles allowed to log in as admin (receive open webui role admin) |
+| sso.roleManagement.allowedRoles | string | `""` | Comma-separated list of roles allowed to log in (receive open webui role user) |
+| sso.roleManagement.rolesClaim | string | `"roles"` | The claim that contains the roles (can be nested, e.g., user.roles) |
+
+### SSO trusted header authentication
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| sso.trustedHeader.emailHeader | string | `""` | Header containing the user's email address |
+| sso.trustedHeader.enabled | bool | `false` | Enable trusted header authentication |
+| sso.trustedHeader.nameHeader | string | `""` | Header containing the user's name (optional, used for new user creation) |
+
+### Other Values
+
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | affinity | object | `{}` | Affinity for pod assignment |
@@ -47,7 +122,9 @@ helm upgrade --install open-webui open-webui/open-webui
 | clusterDomain | string | `"cluster.local"` | Value of cluster domain |
 | containerSecurityContext | object | `{}` | Configure container security context ref: <https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-containe> |
 | copyAppData.resources | object | `{}` |  |
+| databaseUrl | string | `""` | Configure database URL, needed to work with Postgres (example: `postgresql://<user>:<password>@<service>:<port>/<database>`), leave empty to use the default sqlite database |
 | enableOpenaiApi | bool | `true` | Enables the use of OpenAI APIs |
+| extraEnvFrom | list | `[]` | Env vars added from configmap or secret to the Open WebUI deployment. Most up-to-date environment variables can be found here: https://docs.openwebui.com/getting-started/env-configuration/ (caution: `extraEnvVars` will take precedence over the value from `extraEnvFrom`) |
 | extraEnvVars | list | `[{"name":"OPENAI_API_KEY","value":"0p3n-w3bu!"}]` | Env vars added to the Open WebUI deployment. Most up-to-date environment variables can be found here: https://docs.openwebui.com/getting-started/env-configuration/ |
 | extraEnvVars[0] | object | `{"name":"OPENAI_API_KEY","value":"0p3n-w3bu!"}` | Default API key value for Pipelines. Should be updated in a production deployment, or be changed to the required API key if not using Pipelines |
 | extraInitContainers | list | `[]` | Additional init containers to add to the deployment/statefulset ref: <https://kubernetes.io/docs/concepts/workloads/pods/init-containers/> |
@@ -56,7 +133,7 @@ helm upgrade --install open-webui open-webui/open-webui
 | image | object | `{"pullPolicy":"IfNotPresent","repository":"ghcr.io/open-webui/open-webui","tag":""}` | Open WebUI image tags can be found here: https://github.com/open-webui/open-webui |
 | imagePullSecrets | list | `[]` | Configure imagePullSecrets to use private registry ref: <https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry> |
 | ingress.additionalHosts | list | `[]` |  |
-| ingress.annotations | object | `{}` | Use appropriate annotations for your Ingress controller, e.g., for NGINX:   |
+| ingress.annotations | object | `{}` | Use appropriate annotations for your Ingress controller, e.g., for NGINX: |
 | ingress.class | string | `""` |  |
 | ingress.enabled | bool | `false` |  |
 | ingress.existingSecret | string | `""` |  |
@@ -66,6 +143,11 @@ helm upgrade --install open-webui open-webui/open-webui
 | managedCertificate.domains[0] | string | `"chat.example.com"` |  |
 | managedCertificate.enabled | bool | `false` |  |
 | managedCertificate.name | string | `"mydomain-chat-cert"` |  |
+| milvus.db | string | `"default"` | Active Milvus database for RAG with env `MILVUS_DB` ref: https://docs.openwebui.com/getting-started/env-configuration#milvus_db |
+| milvus.enabled | bool | `false` | Enable Milvus installation. Deploys a Milvus cluster/standalone with subchart 'milvus' from zilliztech ref: https://github.com/zilliztech/milvus-helm/tree/master/charts/milvus |
+| milvus.fullnameOverride | string | `"open-webui-milvus"` | Milvus fullname override (recommended to be 'open-webui-milvus') - In this case, the Milvus uri will be 'http://[username:password@]open-webui-milvus:19530' |
+| milvus.token | object | `{}` | Active Milvus token for RAG with env `MILVUS_TOKEN` ref: https://docs.openwebui.com/getting-started/env-configuration#milvus_token |
+| milvus.uri | string | `"http://open-webui-milvus:19530"` | Active Milvus URI for RAG with env `MILVUS_URI`. If there is credentials in the uri, it will be used to connect to the Milvus server. ref: https://docs.openwebui.com/getting-started/env-configuration#milvus_uri |
 | nameOverride | string | `""` |  |
 | namespaceOverride | string | `""` |  |
 | nodeSelector | object | `{}` | Node labels for pod assignment. |
@@ -77,8 +159,20 @@ helm upgrade --install open-webui open-webui/open-webui
 | openaiBaseApiUrls | list | `[]` | OpenAI base API URLs to use. Overwrites the value in openaiBaseApiUrl if set |
 | persistence.accessModes | list | `["ReadWriteOnce"]` | If using multiple replicas, you must update accessModes to ReadWriteMany |
 | persistence.annotations | object | `{}` |  |
+| persistence.azure.container | string | `""` | Sets the container name for Azure Storage |
+| persistence.azure.endpointUrl | string | `""` | Sets the endpoint URL for Azure Storage |
+| persistence.azure.key | string | `""` | Set the access key for Azure Storage. Optional - if not provided, credentials will be taken from the environment. User credentials if run locally and Managed Identity if run in Azure services |
 | persistence.enabled | bool | `true` |  |
 | persistence.existingClaim | string | `""` | Use existingClaim if you want to re-use an existing Open WebUI PVC instead of creating a new one |
+| persistence.gcs.appCredentialsJson | string | `""` | Contents of Google Application Credentials JSON file. Optional - if not provided, credentials will be taken from the environment. User credentials if run locally and Google Metadata server if run on a Google Compute Engine. File can be generated for a service account following this guide: https://developers.google.com/workspace/guides/create-credentials#service-account |
+| persistence.gcs.bucket | string | `""` | Sets the bucket name for Google Cloud Storage. Bucket must already exist |
+| persistence.provider | string | `"local"` | Sets the storage provider, availables values are `local`, `s3`, `gcs` or `azure` |
+| persistence.s3.accessKey | string | `""` | Sets the access key ID for S3 storage |
+| persistence.s3.bucket | string | `""` | Sets the bucket name for S3 storage |
+| persistence.s3.endpointUrl | string | `""` | Sets the endpoint url for S3 storage |
+| persistence.s3.keyPrefix | string | `""` | Sets the key prefix for a S3 object |
+| persistence.s3.region | string | `""` | Sets the region name for S3 storage |
+| persistence.s3.secretKey | string | `""` | Sets the secret access key for S3 storage |
 | persistence.selector | object | `{}` |  |
 | persistence.size | string | `"2Gi"` |  |
 | persistence.storageClass | string | `""` |  |
@@ -88,6 +182,11 @@ helm upgrade --install open-webui open-webui/open-webui
 | podAnnotations | object | `{}` |  |
 | podLabels | object | `{}` |  |
 | podSecurityContext | object | `{}` | Configure pod security context ref: <https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container> |
+| postgresql | object | `{"architecture":"standalone","auth":{"database":"open-webui","password":"0p3n-w3bu!","postgresPassword":"0p3n-w3bu!","username":"open-webui"},"enabled":false,"fullnameOverride":"open-webui-postgres","primary":{"persistence":{"size":"1Gi"},"resources":{"limits":{"cpu":"500m","memory":"512Mi"},"requests":{"cpu":"250m","memory":"256Mi"}}}}` | Postgresql configuration (see. https://artifacthub.io/packages/helm/bitnami/postgresql) |
+| rag.embeddingEngine | string | `""` | Embedding engine to use for RAG with env `RAG_EMBEDDING_ENGINE`: ""(empty), "ollama", "openai" ref: https://docs.openwebui.com/getting-started/env-configuration#rag_embedding_engine |
+| rag.embeddingModel | string | `""` | Embedding model to use for RAG with env `RAG_EMBEDDING_MODEL` ref: https://docs.openwebui.com/getting-started/env-configuration#rag_embedding_model |
+| rag.enabled | bool | `false` | Enable RAG ref: https://docs.openwebui.com/getting-started/env-configuration#retrieval-augmented-generation-rag |
+| rag.vectorDB | string | `""` | Vector database configuration ref: https://docs.openwebui.com/getting-started/env-configuration#vector_db |
 | readinessProbe | object | `{}` | Probe for readiness of the Open WebUI container ref: <https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes> |
 | redis-cluster | object | `{"auth":{"enabled":false},"enabled":false,"fullnameOverride":"open-webui-redis","replica":{"replicaCount":3}}` | Deploys a Redis cluster with subchart 'redis' from bitnami |
 | redis-cluster.auth | object | `{"enabled":false}` | Redis Authentication |
@@ -98,6 +197,7 @@ helm upgrade --install open-webui open-webui/open-webui
 | redis-cluster.replica.replicaCount | int | `3` | Number of Redis replica instances |
 | replicaCount | int | `1` |  |
 | resources | object | `{}` |  |
+| runtimeClassName | string | `""` | Configure runtime class ref: <https://kubernetes.io/docs/concepts/containers/runtime-class/> |
 | service | object | `{"annotations":{},"containerPort":8080,"labels":{},"loadBalancerClass":"","nodePort":"","port":80,"type":"ClusterIP"}` | Service values to expose Open WebUI pods to cluster |
 | serviceAccount.annotations | object | `{}` |  |
 | serviceAccount.automountServiceAccountToken | bool | `false` |  |
@@ -112,7 +212,7 @@ helm upgrade --install open-webui open-webui/open-webui
 | volumes | list | `[]` | Configure pod volumes ref: <https://kubernetes.io/docs/tasks/configure-pod-container/configure-volume-storage/> |
 | websocket.enabled | bool | `false` | Enables websocket support in Open WebUI with env `ENABLE_WEBSOCKET_SUPPORT` |
 | websocket.manager | string | `"redis"` | Specifies the websocket manager to use with env `WEBSOCKET_MANAGER`: redis (default) |
-| websocket.redis | object | `{"affinity":{},"annotations":{},"args":[],"command":[],"enabled":true,"image":{"pullPolicy":"IfNotPresent","repository":"redis","tag":"7.4.2-alpine3.21"},"labels":{},"name":"open-webui-redis","pods":{"annotations":{}},"resources":{},"service":{"annotations":{},"containerPort":6379,"labels":{},"nodePort":"","port":6379,"type":"ClusterIP"},"tolerations":[]}` | Deploys a redis |
+| websocket.redis | object | `{"affinity":{},"annotations":{},"args":[],"command":[],"enabled":true,"image":{"pullPolicy":"IfNotPresent","repository":"redis","tag":"7.4.2-alpine3.21"},"labels":{},"name":"open-webui-redis","pods":{"annotations":{}},"resources":{},"securityContext":{},"service":{"annotations":{},"containerPort":6379,"labels":{},"nodePort":"","port":6379,"type":"ClusterIP"},"tolerations":[]}` | Deploys a redis |
 | websocket.redis.affinity | object | `{}` | Redis affinity for pod assignment |
 | websocket.redis.annotations | object | `{}` | Redis annotations |
 | websocket.redis.args | list | `[]` | Redis arguments (overrides default) |
@@ -124,7 +224,7 @@ helm upgrade --install open-webui open-webui/open-webui
 | websocket.redis.pods | object | `{"annotations":{}}` | Redis pod |
 | websocket.redis.pods.annotations | object | `{}` | Redis pod annotations |
 | websocket.redis.resources | object | `{}` | Redis resources |
-| websocket.redis.securityContext | object | `{}` | Redis security context ref: <https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-containe> |
+| websocket.redis.securityContext | object | `{}` | Redis security context |
 | websocket.redis.service | object | `{"annotations":{},"containerPort":6379,"labels":{},"nodePort":"","port":6379,"type":"ClusterIP"}` | Redis service |
 | websocket.redis.service.annotations | object | `{}` | Redis service annotations |
 | websocket.redis.service.containerPort | int | `6379` | Redis container/target port |

charts/open-webui/templates/_helpers.tpl

@@ -169,3 +169,14 @@ Create labels to include on chart all websocket resources
 {{ include "base.labels" . }}
 {{ include "websocket.redis.selectorLabels" . }}
 {{- end }}
+
+{{/*
+Validate SSO ClientSecret to be set literally or via Secret
+*/}}
+{{- define "sso.validateClientSecret" -}}
+{{- $provider := .provider }}
+{{- $values := .values }}
+{{- if and (empty (index $values $provider "clientSecret")) (empty (index $values $provider "clientExistingSecret")) }}
+  {{- fail (printf "You must provide either .Values.sso.%s.clientSecret or .Values.sso.%s.clientExistingSecret" $provider $provider) }}
+{{- end }}
+{{- end }}

charts/open-webui/templates/pvc.yaml

@@ -1,4 +1,4 @@
-{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }}
+{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) (eq .Values.persistence.provider "local") }}
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:

charts/open-webui/templates/websocket-redis.yaml

@@ -23,7 +23,7 @@ spec:
         {{- include "websocket.redis.labels" . | nindent 8 }}
       annotations:
         {{- with .Values.websocket.redis.pods.annotations }}
-        {{- toYaml . | nindent 4 }}
+        {{- toYaml . | nindent 8 }}
         {{- end }}
     spec:
       {{- if .Values.websocket.redis.image.pullSecretName }}

charts/open-webui/templates/workload-manager.yaml

@@ -1,5 +1,5 @@
 apiVersion: apps/v1
-{{- if .Values.persistence.enabled }}
+{{- if and .Values.persistence.enabled (eq .Values.persistence.provider "local") }}
 kind: StatefulSet
 {{- else }}
 kind: Deployment
@@ -15,14 +15,14 @@ metadata:
   {{- end }}
 spec:
   replicas: {{ .Values.replicaCount }}
-  {{- if .Values.persistence.enabled }}
+  {{- if and .Values.persistence.enabled (eq .Values.persistence.provider "local") }}
   serviceName: {{ include "open-webui.name" . }}
   {{- end }}
   selector:
     matchLabels:
       {{- include "open-webui.selectorLabels" . | nindent 6 }}
   {{- if .Values.strategy }}
-  {{- if .Values.persistence.enabled }}
+  {{- if and .Values.persistence.enabled (eq .Values.persistence.provider "local") }}
   updateStrategy:
     {{- toYaml .Values.strategy | nindent 4 }}
   {{- else }}
@@ -74,6 +74,9 @@ spec:
       {{- end }}
       enableServiceLinks: false
       automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
+      {{- if .Values.runtimeClassName }}
+      runtimeClassName: {{ .Values.runtimeClassName | quote }}
+      {{- end }}
       {{- if .Values.serviceAccount.enable }}
       serviceAccountName: {{ .Values.serviceAccount.name | default (include "open-webui.name" .) }}
       {{- end }}
@@ -144,15 +147,44 @@ spec:
         - name: "ENABLE_OPENAI_API"
           value: "False"
         {{- end }}
-        {{- if .Values.extraEnvVars }}
-          {{- toYaml .Values.extraEnvVars | nindent 8 }}
-        {{- end }}
         {{- if .Values.tika.enabled }}
         - name: "CONTENT_EXTRACTION_ENGINE"
           value: "Tika"
         - name: "TIKA_SERVER_URL"
           value: http://{{ .Chart.Name }}-tika:9998
         {{- end }}
+        {{- if eq .Values.persistence.provider "s3" }}
+        - name: "STORAGE_PROVIDER"
+          value: {{ .Values.persistence.provider }}
+        - name: "S3_ACCESS_KEY_ID"
+          value: {{ .Values.persistence.s3.accessKey }}
+        - name: "S3_SECRET_ACCESS_KEY"
+          value: {{ .Values.persistence.s3.secretKey }}
+        - name: "S3_ENDPOINT_URL"
+          value: {{ .Values.persistence.s3.endpointUrl }}
+        - name: "S3_BUCKET_NAME"
+          value: {{ .Values.persistence.s3.bucket }}
+        - name: "S3_REGION_NAME"
+          value: {{ .Values.persistence.s3.region }}
+        - name: "S3_KEY_PREFIX"
+          value: {{ .Values.persistence.s3.keyPrefix }}
+        {{- else if eq .Values.persistence.provider "gcs" }}
+        - name: "STORAGE_PROVIDER"
+          value: {{ .Values.persistence.provider }}
+        - name: "GOOGLE_APPLICATION_CREDENTIALS_JSON"
+          value: {{ .Values.persistence.gcs.appCredentialsJson }}
+        - name: "GCS_BUCKET_NAME"
+          value: {{ .Values.persistence.gcs.bucket }}
+        {{- else if eq .Values.persistence.provider "azure" }}
+        - name: "STORAGE_PROVIDER"
+          value: {{ .Values.persistence.provider }}
+        - name: "AZURE_STORAGE_ENDPOINT"
+          value: {{ .Values.persistence.azure.endpointUrl }}
+        - name: "AZURE_STORAGE_CONTAINER_NAME"
+          value: {{ .Values.persistence.azure.container }}
+        - name: "AZURE_STORAGE_KEY"
+          value: {{ .Values.persistence.azure.key }}
+        {{- end }}
         {{- if .Values.websocket.enabled }}
         - name: "ENABLE_WEBSOCKET_SUPPORT"
           value: "True"
@@ -161,6 +193,141 @@ spec:
         - name: "WEBSOCKET_REDIS_URL"
           value: {{ .Values.websocket.url | quote }}
         {{- end }}
+        {{- if or .Values.postgresql.enabled .Values.databaseUrl }}
+        - name: "DATABASE_URL"
+          value: {{ .Values.databaseUrl | default (printf "postgresql://%s:%s@%s:%s/%s" .Values.postgresql.auth.username .Values.postgresql.auth.password .Values.postgresql.fullnameOverride "5432" .Values.postgresql.auth.database) }}
+        {{- end }}
+        {{- if .Values.sso.enabled }}
+        {{- if .Values.sso.enableSignup }}
+        - name: "ENABLE_OAUTH_SIGNUP"
+          value: "True"
+        {{- end }}
+        {{- if .Values.sso.mergeAccountsByEmail }}
+        - name: "OAUTH_MERGE_ACCOUNTS_BY_EMAIL"
+          value: "True"
+        {{- end }}
+        {{- if .Values.sso.google.enabled }}
+        - name: "GOOGLE_CLIENT_ID"
+          value: {{ .Values.sso.google.clientId | quote }}
+        {{- include "sso.validateClientSecret" (dict "provider" "google" "values" .Values.sso) }}
+        - name: "GOOGLE_CLIENT_SECRET"
+        {{- if .Values.sso.google.clientExistingSecret }}
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.sso.google.clientExistingSecret | quote }}
+              key: {{ .Values.sso.google.clientExistingSecretKey | quote }}
+        {{- else }}
+          value: {{ .Values.sso.google.clientSecret | quote }}
+        {{- end }}
+        {{- end }}
+        {{- if .Values.sso.microsoft.enabled }}
+        - name: "MICROSOFT_CLIENT_ID"
+          value: {{ .Values.sso.microsoft.clientId | quote }}
+        {{- include "sso.validateClientSecret" (dict "provider" "microsoft" "values" .Values.sso) }}
+        - name: "MICROSOFT_CLIENT_SECRET"
+        {{- if .Values.sso.microsoft.clientExistingSecret }}
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.sso.microsoft.clientExistingSecret | quote }}
+              key: {{ .Values.sso.microsoft.clientExistingSecretKey | quote }}
+        {{- else }}
+          value: {{ .Values.sso.microsoft.clientSecret | quote }}
+        {{- end }}
+        - name: "MICROSOFT_CLIENT_TENANT_ID"
+          value: {{ .Values.sso.microsoft.tenantId | quote }}
+        {{- end }}
+        {{- if .Values.sso.github.enabled }}
+        - name: "GITHUB_CLIENT_ID"
+          value: {{ .Values.sso.github.clientId | quote }}
+        {{- include "sso.validateClientSecret" (dict "provider" "github" "values" .Values.sso) }}
+        - name: "GITHUB_CLIENT_SECRET"
+        {{- if .Values.sso.github.clientExistingSecret }}
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.sso.github.clientExistingSecret | quote }}
+              key: {{ .Values.sso.github.clientExistingSecretKey | quote }}
+        {{- else }}
+          value: {{ .Values.sso.github.clientSecret | quote }}
+        {{- end }}
+        {{- end }}
+        {{- if .Values.sso.oidc.enabled }}
+        - name: "OAUTH_CLIENT_ID"
+          value: {{ .Values.sso.oidc.clientId | quote }}
+        {{- include "sso.validateClientSecret" (dict "provider" "oidc" "values" .Values.sso) }}
+        - name: "OAUTH_CLIENT_SECRET"
+        {{- if .Values.sso.oidc.clientExistingSecret }}
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.sso.oidc.clientExistingSecret | quote }}
+              key: {{ .Values.sso.oidc.clientExistingSecretKey | quote }}
+        {{- else }}
+          value: {{ .Values.sso.oidc.clientSecret | quote }}
+        {{- end }}
+        - name: "OPENID_PROVIDER_URL"
+          value: {{ .Values.sso.oidc.providerUrl | quote }}
+        - name: "OAUTH_PROVIDER_NAME"
+          value: {{ .Values.sso.oidc.providerName | quote }}
+        - name: "OAUTH_SCOPES"
+          value: {{ .Values.sso.oidc.scopes | quote }}
+        {{- end }}
+        {{- if .Values.sso.enableRoleManagement }}
+        - name: "ENABLE_OAUTH_ROLE_MANAGEMENT"
+          value: "True"
+        - name: "OAUTH_ROLES_CLAIM"
+          value: {{ .Values.sso.roleManagement.rolesClaim | quote }}
+        {{- if .Values.sso.roleManagement.allowedRoles }}
+        - name: "OAUTH_ALLOWED_ROLES"
+          value: {{ .Values.sso.roleManagement.allowedRoles | quote }}
+        {{- end }}
+        {{- if .Values.sso.roleManagement.adminRoles }}
+        - name: "OAUTH_ADMIN_ROLES"
+          value: {{ .Values.sso.roleManagement.adminRoles | quote }}
+        {{- end }}
+        {{- end }}
+        {{- if .Values.sso.enableGroupManagement }}
+        - name: "ENABLE_OAUTH_GROUP_MANAGEMENT"
+          value: "True"
+        - name: "OAUTH_GROUP_CLAIM"
+          value: {{ .Values.sso.groupManagement.groupsClaim | quote }}
+        {{- end }}
+        {{- if .Values.sso.trustedHeader.enabled }}
+        - name: "WEBUI_AUTH_TRUSTED_EMAIL_HEADER"
+          value: {{ .Values.sso.trustedHeader.emailHeader | quote }}
+        {{- if .Values.sso.trustedHeader.nameHeader }}
+        - name: "WEBUI_AUTH_TRUSTED_NAME_HEADER"
+          value: {{ .Values.sso.trustedHeader.nameHeader | quote }}
+        {{- end }}
+        {{- end }}
+        {{- end }}
+        {{- if .Values.rag.enabled }}
+        - name: "VECTOR_DB"
+          value: {{ .Values.rag.vectorDB | default "croma" | quote }}
+        {{- if and .Values.rag.enabled .Values.rag.embeddingEngine }}
+        - name: "RAG_EMBEDDING_ENGINE"
+          value: {{ .Values.rag.embeddingEngine | quote }}
+        {{- end }}
+        {{- if and .Values.rag.enabled .Values.rag.embeddingModel }}
+        - name: "RAG_EMBEDDING_MODEL"
+          value: {{ .Values.rag.embeddingModel | quote }}
+        {{- end }}
+        {{- end }}
+        {{- if .Values.milvus.enabled }}
+        - name: "MILVUS_URI"
+          value: {{ .Values.milvus.uri | default "${DATA_DIR}/vector_db/milvus.db" | quote }}
+        - name: "MILVUS_DB"
+          value: {{ .Values.milvus.db | default "default" | quote }}
+        {{- if and .Values.milvus.enabled .Values.milvus.token }}
+        - name: "MILVUS_TOKEN"
+          value: {{ .Values.milvus.token | quote }}
+        {{- end }}
+        {{- end }}
+        {{- if .Values.extraEnvVars }}
+          {{- toYaml .Values.extraEnvVars | nindent 8 }}
+        {{- end }}
+        {{- if .Values.extraEnvFrom }}
+        envFrom:
+          {{- toYaml .Values.extraEnvFrom | nindent 8 }}
+        {{- end }}
         tty: true
       {{- with .Values.nodeSelector }}
       nodeSelector:
@@ -187,7 +354,7 @@ spec:
       - name: data
         persistentVolumeClaim:
           claimName: {{ .Values.persistence.existingClaim }}
-      {{- else if not .Values.persistence.enabled }}
+      {{- else if or (not .Values.persistence.enabled) (not (eq .Values.persistence.provider "local")) }}
       - name: data
         emptyDir: {}
       {{- else if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }}

charts/open-webui/values-rag-milvus.yaml

@@ -0,0 +1,53 @@
+rag:
+  # -- Enable RAG
+  # ref: https://docs.openwebui.com/getting-started/env-configuration#retrieval-augmented-generation-rag
+  enabled: true
+  vectorDB: milvus
+  embeddingEngine: ""
+  embeddingModel: ""
+
+milvus:
+  # -- Enable Milvus installation. Deploys a Milvus cluster/standalone with subchart 'milvus' from zilliztech
+  # ref: https://github.com/zilliztech/milvus-helm/tree/master/charts/milvus
+  enabled: true
+  uri: "http://open-webui-milvus:19530"
+  db: default
+  token: {}
+  cluster:
+    enabled: false # This means that the Milvus runs with standalone mode
+  minio:
+    enabled: true
+    resources:
+      requests:
+        memory: 50Mi
+    persistence:
+      enabled: true
+      size: 1Gi
+  etcd:
+    enabled: true
+  pulsar:
+    enabled: false
+  pulsarv3:
+    enabled: false
+  kafka:
+    enabled: false
+  externalS3:
+    enabled: false
+  externalEtcd:
+    enabled: false
+
+livenessProbe:
+  httpGet:
+    path: /health
+    port: http
+readinessProbe:
+  httpGet:
+    path: /health/db
+    port: http
+startupProbe:
+  httpGet:
+    path: /health
+    port: http
+  initialDelaySeconds: 30 # Adjust this value according to the startup time of the application
+  periodSeconds: 10 # Adjust this value according to the startup time of the application
+  failureThreshold: 20 # Adjust this value according to the startup time of the application

charts/open-webui/values.yaml

@@ -1,6 +1,5 @@
 nameOverride: ""
 namespaceOverride: ""
-
 ollama:
   # -- Automatically install Ollama Helm chart from https://otwld.github.io/ollama-helm/. Use [Helm Values](https://github.com/otwld/ollama-helm/#helm-values) to configure
   enabled: true
@@ -112,6 +111,39 @@ redis-cluster:
     # -- Number of Redis replica instances
     replicaCount: 3
 
+rag:
+  # -- Enable RAG
+  # ref: https://docs.openwebui.com/getting-started/env-configuration#retrieval-augmented-generation-rag
+  enabled: false
+  # -- Vector database configuration
+  # ref: https://docs.openwebui.com/getting-started/env-configuration#vector_db
+  vectorDB: ""
+  # -- Embedding engine to use for RAG with env `RAG_EMBEDDING_ENGINE`: ""(empty), "ollama", "openai"
+  # ref: https://docs.openwebui.com/getting-started/env-configuration#rag_embedding_engine
+  embeddingEngine: ""
+  # -- Embedding model to use for RAG with env `RAG_EMBEDDING_MODEL`
+  # ref: https://docs.openwebui.com/getting-started/env-configuration#rag_embedding_model
+  embeddingModel: ""
+
+milvus:
+  # -- Enable Milvus installation. Deploys a Milvus cluster/standalone with subchart 'milvus' from zilliztech
+  # ref: https://github.com/zilliztech/milvus-helm/tree/master/charts/milvus
+  enabled: false
+  # -- Milvus fullname override (recommended to be 'open-webui-milvus')
+  # - In this case, the Milvus uri will be 'http://[username:password@]open-webui-milvus:19530'
+  fullnameOverride: open-webui-milvus
+  # -- Active Milvus URI for RAG with env `MILVUS_URI`. If there is credentials in the uri, it will be used to connect to the Milvus server.
+  # ref: https://docs.openwebui.com/getting-started/env-configuration#milvus_uri
+  uri: "http://open-webui-milvus:19530"
+  # -- Example `milvus.uri` with credentials (Not recommended for production. Use `env` with `secretKeyRef` instead)
+  # uri: "http://username:password@open-webui-milvus:19530"
+  # -- Active Milvus database for RAG with env `MILVUS_DB`
+  # ref: https://docs.openwebui.com/getting-started/env-configuration#milvus_db
+  db: default
+  # -- Active Milvus token for RAG with env `MILVUS_TOKEN`
+  # ref: https://docs.openwebui.com/getting-started/env-configuration#milvus_token
+  token: {}
+
 # -- Value of cluster domain
 clusterDomain: cluster.local
 
@@ -177,14 +209,14 @@ copyAppData:
 
 managedCertificate:
   enabled: false
-  name: "mydomain-chat-cert"  # You can override this name if needed
+  name: "mydomain-chat-cert" # You can override this name if needed
   domains:
     - chat.example.com # update to your real domain
 
 ingress:
   enabled: false
   class: ""
-  # -- Use appropriate annotations for your Ingress controller, e.g., for NGINX:  
+  # -- Use appropriate annotations for your Ingress controller, e.g., for NGINX:
   annotations: {}
   #   # Example for GKE Ingress
   #   kubernetes.io/ingress.class: "gce"
@@ -194,8 +226,8 @@ ingress:
   #   nginx.ingress.kubernetes.io/ssl-redirect: "true"
   #   nginx.ingress.kubernetes.io/permanent-redirect: "https://chat.example.com"
   #   networking.gke.io/managed-certificates: "mydomain-chat-cert"
-  #   # nginx.ingress.kubernetes.io/rewrite-target: / 
-  host: "chat.example.com"  # update to your real domain 
+  #   # nginx.ingress.kubernetes.io/rewrite-target: /
+  host: "chat.example.com" # update to your real domain
   additionalHosts: []
   tls: false
   existingSecret: ""
@@ -212,6 +244,33 @@ persistence:
   storageClass: ""
   selector: {}
   annotations: {}
+  # -- Sets the storage provider, availables values are `local`, `s3`, `gcs` or `azure`
+  provider: local
+  s3:
+    # -- Sets the access key ID for S3 storage
+    accessKey: ""
+    # -- Sets the secret access key for S3 storage
+    secretKey: ""
+    # -- Sets the endpoint url for S3 storage
+    endpointUrl: ""
+    # -- Sets the region name for S3 storage
+    region:	""
+    # -- Sets the bucket name for S3 storage
+    bucket:	""
+    # -- Sets the key prefix for a S3 object
+    keyPrefix: ""
+  gcs:
+    # -- Contents of Google Application Credentials JSON file. Optional - if not provided, credentials will be taken from the environment. User credentials if run locally and Google Metadata server if run on a Google Compute Engine. File can be generated for a service account following this guide: https://developers.google.com/workspace/guides/create-credentials#service-account
+    appCredentialsJson: ""
+    # -- Sets the bucket name for Google Cloud Storage. Bucket must already exist
+    bucket: ""
+  azure:
+    # -- Sets the endpoint URL for Azure Storage
+    endpointUrl: ""
+    # -- Sets the container name for Azure Storage
+    container: ""
+    # -- Set the access key for Azure Storage. Optional - if not provided, credentials will be taken from the environment. User credentials if run locally and Managed Identity if run in Azure services
+    key: ""
 
 # -- Node labels for pod assignment.
 nodeSelector: {}
@@ -245,7 +304,8 @@ enableOpenaiApi: true
 openaiBaseApiUrl: "https://api.openai.com/v1"
 
 # -- OpenAI base API URLs to use. Overwrites the value in openaiBaseApiUrl if set
-openaiBaseApiUrls: []
+openaiBaseApiUrls:
+  []
   # - "https://api.openai.com/v1"
   # - "https://api.company.openai.com/v1"
 
@@ -266,6 +326,17 @@ extraEnvVars:
   # - name: OLLAMA_DEBUG
   #   value: "1"
 
+# -- Env vars added from configmap or secret to the Open WebUI deployment. Most up-to-date environment variables can be found here: https://docs.openwebui.com/getting-started/env-configuration/ (caution: `extraEnvVars` will take precedence over the value from `extraEnvFrom`)
+extraEnvFrom: []
+  # - configMapRef:
+  #     name: my-config
+  # - secretRef:
+  #     name: my-secret
+
+# -- Configure runtime class
+# ref: <https://kubernetes.io/docs/concepts/containers/runtime-class/>
+runtimeClassName: ""
+
 # -- Configure container volume mounts
 # ref: <https://kubernetes.io/docs/tasks/configure-pod-container/configure-volume-storage/>
 volumeMounts:
@@ -304,7 +375,6 @@ podSecurityContext:
   # supplementalGroups: []
   # fsGroup: 1001
 
-
 # -- Configure container security context
 # ref: <https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-containe>
 containerSecurityContext:
@@ -321,6 +391,130 @@ containerSecurityContext:
   # seccompProfile:
   #   type: "RuntimeDefault"
 
+sso:
+  # -- **Enable SSO authentication globally** must enable to use SSO authentication
+  # @section -- SSO Configuration
+  enabled: false
+  # -- Enable account creation when logging in with OAuth (distinct from regular signup)
+  # @section -- SSO Configuration
+  enableSignup: false
+  # -- Allow logging into accounts that match email from OAuth provider (considered insecure)
+  # @section -- SSO Configuration
+  mergeAccountsByEmail: false
+  # -- Enable OAuth role management through access token roles claim
+  # @section -- SSO Configuration
+  enableRoleManagement: false
+  # -- Enable OAuth group management through access token groups claim
+  # @section -- SSO Configuration
+  enableGroupManagement: false
+
+  google:
+    # -- Enable Google OAuth
+    # @section -- Google OAuth configuration
+    enabled: false
+    # -- Google OAuth client ID
+    # @section -- Google OAuth configuration
+    clientId: ""
+    # -- Google OAuth client secret (ignored if clientExistingSecret is set)
+    # @section -- Google OAuth configuration
+    clientSecret: ""
+    # -- Google OAuth client secret from existing secret
+    # @section -- Google OAuth configuration
+    clientExistingSecret: ""
+    # -- Google OAuth client secret key from existing secret
+    # @section -- Google OAuth configuration
+    clientExistingSecretKey: ""
+
+  microsoft:
+    # -- Enable Microsoft OAuth
+    # @section -- Microsoft OAuth configuration
+    enabled: false
+    # -- Microsoft OAuth client ID
+    # @section -- Microsoft OAuth configuration
+    clientId: ""
+    # -- Microsoft OAuth client secret (ignored if clientExistingSecret is set)
+    # @section -- Microsoft OAuth configuration
+    clientSecret: ""
+    # -- Microsoft OAuth client secret from existing secret
+    # @section -- Microsoft OAuth configuration
+    clientExistingSecret: ""
+    # -- Microsoft OAuth client secret key from existing secret
+    # @section -- Microsoft OAuth configuration
+    clientExistingSecretKey: ""
+    # -- Microsoft tenant ID - use 9188040d-6c67-4c5b-b112-36a304b66dad for personal accounts
+    # @section -- Microsoft OAuth configuration
+    tenantId: ""
+
+  github:
+    # -- Enable GitHub OAuth
+    # @section -- GitHub OAuth configuration
+    enabled: false
+    # -- GitHub OAuth client ID
+    # @section -- GitHub OAuth configuration
+    clientId: ""
+    # -- GitHub OAuth client secret (ignored if clientExistingSecret is set)
+    # @section -- GitHub OAuth configuration
+    clientSecret: ""
+    # -- GitHub OAuth client secret from existing secret
+    # @section -- GitHub OAuth configuration
+    clientExistingSecret: ""
+    # -- GitHub OAuth client secret key from existing secret
+    # @section -- GitHub OAuth configuration
+    clientExistingSecretKey: ""
+
+  oidc:
+    # -- Enable OIDC authentication
+    # @section -- OIDC configuration
+    enabled: false
+    # -- OIDC client ID
+    # @section -- OIDC configuration
+    clientId: ""
+    # -- OIDC client secret (ignored if clientExistingSecret is set)
+    # @section -- OIDC configuration
+    clientSecret: ""
+    # -- OICD client secret from existing secret
+    # @section -- OIDC configuration
+    clientExistingSecret: ""
+    # -- OIDC client secret key from existing secret
+    # @section -- OIDC configuration
+    clientExistingSecretKey: ""
+    # -- OIDC provider well known URL
+    # @section -- OIDC configuration
+    providerUrl: ""
+    # -- Name of the provider to show on the UI
+    # @section -- OIDC configuration
+    providerName: "SSO"
+    # -- Scopes to request (space-separated).
+    # @section -- OIDC configuration
+    scopes: "openid email profile"
+
+  roleManagement:
+    # -- The claim that contains the roles (can be nested, e.g., user.roles)
+    # @section -- Role management configuration
+    rolesClaim: "roles"
+    # -- Comma-separated list of roles allowed to log in (receive open webui role user)
+    # @section -- Role management configuration
+    allowedRoles: ""
+    # -- Comma-separated list of roles allowed to log in as admin (receive open webui role admin)
+    # @section -- Role management configuration
+    adminRoles: ""
+
+  groupManagement:
+    # -- The claim that contains the groups (can be nested, e.g., user.memberOf)
+    # @section -- SSO Configuration
+    groupsClaim: "groups"
+
+  trustedHeader:
+    # -- Enable trusted header authentication
+    # @section -- SSO trusted header authentication
+    enabled: false
+    # -- Header containing the user's email address
+    # @section -- SSO trusted header authentication
+    emailHeader: ""
+    # -- Header containing the user's name (optional, used for new user creation)
+    # @section -- SSO trusted header authentication
+    nameHeader: ""
+
 # -- Extra resources to deploy with Open WebUI
 extraResources:
   []
@@ -330,3 +524,27 @@ extraResources:
   #     name: example-configmap
   #   data:
   #     example-key: example-value
+
+# -- Configure database URL, needed to work with Postgres (example: `postgresql://<user>:<password>@<service>:<port>/<database>`), leave empty to use the default sqlite database
+databaseUrl: ""
+
+# -- Postgresql configuration (see. https://artifacthub.io/packages/helm/bitnami/postgresql)
+postgresql:
+  enabled: false
+  fullnameOverride: open-webui-postgres
+  architecture: standalone
+  auth:
+    database: open-webui
+    postgresPassword: 0p3n-w3bu!
+    username: open-webui
+    password: 0p3n-w3bu!
+  primary:
+    persistence:
+      size: 1Gi
+    resources:
+      requests:
+        memory: 256Mi
+        cpu: 250m
+      limits:
+        memory: 512Mi
+        cpu: 500m