Merge pull request #255 from bdriggersTorch/openwebui-command-override

upgrade subcharts (redis v21.2.4 - postgresql v16.7.12)

charts/open-webui/Chart.lock

@@ -1,18 +1,18 @@
 dependencies:
 - name: ollama
   repository: https://otwld.github.io/ollama-helm/
-  version: 1.14.0
+  version: 1.19.0
 - name: pipelines
   repository: https://helm.openwebui.com
-  version: 0.5.0
+  version: 0.7.0
 - name: tika
   repository: https://apache.jfrog.io/artifactory/tika
   version: 2.9.0
 - name: redis
   repository: https://charts.bitnami.com/bitnami
-  version: 20.11.5
+  version: 21.2.4
 - name: postgresql
   repository: https://charts.bitnami.com/bitnami
-  version: 16.6.3
-digest: sha256:6da6a7bae03aba138c247775a786c0f459bdd9360db8980b0a5ffdea0fb88a5d
-generated: "2025-04-13T03:03:27.462575+02:00"
+  version: 16.7.12
+digest: sha256:c321c315a3d0be92cb0de7e676564b3f1f550a0ab58436149dfb02e6afb6d2f1
+generated: "2025-06-17T10:58:01.903769+02:00"

charts/open-webui/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: open-webui
-version: 6.4.0
-appVersion: 0.6.5
+version: 6.22.0
+appVersion: 0.6.15
 home: https://www.openwebui.com/
 icon: >-
   https://raw.githubusercontent.com/open-webui/open-webui/main/static/favicon.png

charts/open-webui/README.md

@@ -1,6 +1,6 @@
 # open-webui
 
-![Version: 6.4.0](https://img.shields.io/badge/Version-6.4.0-informational?style=flat-square) ![AppVersion: 0.6.5](https://img.shields.io/badge/AppVersion-0.6.5-informational?style=flat-square)
+![Version: 6.22.0](https://img.shields.io/badge/Version-6.22.0-informational?style=flat-square) ![AppVersion: 0.6.15](https://img.shields.io/badge/AppVersion-0.6.15-informational?style=flat-square)
 
 Open WebUI: A User-Friendly Web Interface for Chat Interactions 👋
 
@@ -41,6 +41,55 @@ helm upgrade --install open-webui open-webui/open-webui
 
 ## Values
 
+### Logging configuration
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| logging.components.audio | string | `""` | Set the log level for the Audio processing component |
+| logging.components.comfyui | string | `""` | Set the log level for the ComfyUI Integration component |
+| logging.components.config | string | `""` | Set the log level for the Configuration Management component |
+| logging.components.db | string | `""` | Set the log level for the Database Operations (Peewee) component |
+| logging.components.images | string | `""` | Set the log level for the Image Generation component |
+| logging.components.main | string | `""` | Set the log level for the Main Application Execution component |
+| logging.components.models | string | `""` | Set the log level for the Model Management component |
+| logging.components.ollama | string | `""` | Set the log level for the Ollama Backend Integration component |
+| logging.components.openai | string | `""` | Set the log level for the OpenAI API Integration component |
+| logging.components.rag | string | `""` | Set the log level for the Retrieval-Augmented Generation (RAG) component |
+| logging.components.webhook | string | `""` | Set the log level for the Authentication Webhook component |
+| logging.level | string | `""` | Set the global log level ["notset", "debug", "info" (default), "warning", "error", "critical"] |
+
+### Azure Storage configuration
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| persistence.azure.container | string | `""` | Sets the container name for Azure Storage |
+| persistence.azure.endpointUrl | string | `""` | Sets the endpoint URL for Azure Storage |
+| persistence.azure.key | string | `""` | Set the access key for Azure Storage (ignored if keyExistingSecret is set). Optional - if not provided, credentials will be taken from the environment. User credentials if run locally and Managed Identity if run in Azure services |
+| persistence.azure.keyExistingSecret | string | `""` | Set the access key for Azure Storage from existing secret |
+| persistence.azure.keyExistingSecretKey | string | `""` | Set the access key for Azure Storage from existing secret key |
+
+### Google Cloud Storage configuration
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| persistence.gcs.appCredentialsJson | string | `""` | Contents of Google Application Credentials JSON file (ignored if appCredentialsJsonExistingSecret is set). Optional - if not provided, credentials will be taken from the environment. User credentials if run locally and Google Metadata server if run on a Google Compute Engine. File can be generated for a service account following this guide: https://developers.google.com/workspace/guides/create-credentials#service-account |
+| persistence.gcs.appCredentialsJsonExistingSecret | string | `""` | Set the Google Application Credentials JSON file for Google Cloud Storage from existing secret |
+| persistence.gcs.appCredentialsJsonExistingSecretKey | string | `""` | Set the Google Application Credentials JSON file for Google Cloud Storage from existing secret key |
+| persistence.gcs.bucket | string | `""` | Sets the bucket name for Google Cloud Storage. Bucket must already exist |
+
+### Amazon S3 Storage configuration
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| persistence.s3.accessKey | string | `""` | Sets the access key ID for S3 storage |
+| persistence.s3.bucket | string | `""` | Sets the bucket name for S3 storage |
+| persistence.s3.endpointUrl | string | `""` | Sets the endpoint url for S3 storage |
+| persistence.s3.keyPrefix | string | `""` | Sets the key prefix for a S3 object |
+| persistence.s3.region | string | `""` | Sets the region name for S3 storage |
+| persistence.s3.secretKey | string | `""` | Sets the secret access key for S3 storage (ignored if secretKeyExistingSecret is set) |
+| persistence.s3.secretKeyExistingSecret | string | `""` | Set the secret access key for S3 storage from existing k8s secret |
+| persistence.s3.secretKeyExistingSecretKey | string | `""` | Set the secret access key for S3 storage from existing k8s secret key |
+
 ### SSO Configuration
 
 | Key | Type | Default | Description |
@@ -56,24 +105,30 @@ helm upgrade --install open-webui open-webui/open-webui
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
+| sso.github.clientExistingSecret | string | `""` | GitHub OAuth client secret from existing secret |
+| sso.github.clientExistingSecretKey | string | `""` | GitHub OAuth client secret key from existing secret |
 | sso.github.clientId | string | `""` | GitHub OAuth client ID |
-| sso.github.clientSecret | string | `""` | GitHub OAuth client secret |
+| sso.github.clientSecret | string | `""` | GitHub OAuth client secret (ignored if clientExistingSecret is set) |
 | sso.github.enabled | bool | `false` | Enable GitHub OAuth |
 
 ### Google OAuth configuration
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
+| sso.google.clientExistingSecret | string | `""` | Google OAuth client secret from existing secret |
+| sso.google.clientExistingSecretKey | string | `""` | Google OAuth client secret key from existing secret |
 | sso.google.clientId | string | `""` | Google OAuth client ID |
-| sso.google.clientSecret | string | `""` | Google OAuth client secret |
+| sso.google.clientSecret | string | `""` | Google OAuth client secret (ignored if clientExistingSecret is set) |
 | sso.google.enabled | bool | `false` | Enable Google OAuth |
 
 ### Microsoft OAuth configuration
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
+| sso.microsoft.clientExistingSecret | string | `""` | Microsoft OAuth client secret from existing secret |
+| sso.microsoft.clientExistingSecretKey | string | `""` | Microsoft OAuth client secret key from existing secret |
 | sso.microsoft.clientId | string | `""` | Microsoft OAuth client ID |
-| sso.microsoft.clientSecret | string | `""` | Microsoft OAuth client secret |
+| sso.microsoft.clientSecret | string | `""` | Microsoft OAuth client secret (ignored if clientExistingSecret is set) |
 | sso.microsoft.enabled | bool | `false` | Enable Microsoft OAuth |
 | sso.microsoft.tenantId | string | `""` | Microsoft tenant ID - use 9188040d-6c67-4c5b-b112-36a304b66dad for personal accounts |
 
@@ -81,8 +136,10 @@ helm upgrade --install open-webui open-webui/open-webui
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
+| sso.oidc.clientExistingSecret | string | `""` | OICD client secret from existing secret |
+| sso.oidc.clientExistingSecretKey | string | `""` | OIDC client secret key from existing secret |
 | sso.oidc.clientId | string | `""` | OIDC client ID |
-| sso.oidc.clientSecret | string | `""` | OIDC client secret |
+| sso.oidc.clientSecret | string | `""` | OIDC client secret (ignored if clientExistingSecret is set) |
 | sso.oidc.enabled | bool | `false` | Enable OIDC authentication |
 | sso.oidc.providerName | string | `"SSO"` | Name of the provider to show on the UI |
 | sso.oidc.providerUrl | string | `""` | OIDC provider well known URL |
@@ -110,8 +167,13 @@ helm upgrade --install open-webui open-webui/open-webui
 |-----|------|---------|-------------|
 | affinity | object | `{}` | Affinity for pod assignment |
 | annotations | object | `{}` |  |
+| args | list | `[]` | Open WebUI container arguments (overrides default) |
 | clusterDomain | string | `"cluster.local"` | Value of cluster domain |
+| command | list | `[]` | Open WebUI container command (overrides default entrypoint) |
+| commonEnvVars | list | `[]` | Env vars added to the Open WebUI deployment, common across environments. Most up-to-date environment variables can be found here: https://docs.openwebui.com/getting-started/env-configuration/ (caution: environment variables defined in both `extraEnvVars` and `commonEnvVars` will result in a conflict. Avoid duplicates) |
 | containerSecurityContext | object | `{}` | Configure container security context ref: <https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-containe> |
+| copyAppData.args | list | `[]` | Open WebUI copy-app-data init container arguments (overrides default) |
+| copyAppData.command | list | `[]` | Open WebUI copy-app-data init container command (overrides default) |
 | copyAppData.resources | object | `{}` |  |
 | databaseUrl | string | `""` | Configure database URL, needed to work with Postgres (example: `postgresql://<user>:<password>@<service>:<port>/<database>`), leave empty to use the default sqlite database |
 | enableOpenaiApi | bool | `true` | Enables the use of OpenAI APIs |
@@ -128,6 +190,7 @@ helm upgrade --install open-webui open-webui/open-webui
 | ingress.class | string | `""` |  |
 | ingress.enabled | bool | `false` |  |
 | ingress.existingSecret | string | `""` |  |
+| ingress.extraLabels | object | `{}` | Additional custom labels to add to the Ingress metadata Useful for tagging, selecting, or applying policies to the Ingress via labels. |
 | ingress.host | string | `"chat.example.com"` |  |
 | ingress.tls | bool | `false` |  |
 | livenessProbe | object | `{}` | Probe for liveness of the Open WebUI container ref: <https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes> |
@@ -145,20 +208,9 @@ helm upgrade --install open-webui open-webui/open-webui
 | openaiBaseApiUrls | list | `[]` | OpenAI base API URLs to use. Overwrites the value in openaiBaseApiUrl if set |
 | persistence.accessModes | list | `["ReadWriteOnce"]` | If using multiple replicas, you must update accessModes to ReadWriteMany |
 | persistence.annotations | object | `{}` |  |
-| persistence.azure.container | string | `""` | Sets the container name for Azure Storage |
-| persistence.azure.endpointUrl | string | `""` | Sets the endpoint URL for Azure Storage |
-| persistence.azure.key | string | `""` | Set the access key for Azure Storage. Optional - if not provided, credentials will be taken from the environment. User credentials if run locally and Managed Identity if run in Azure services |
 | persistence.enabled | bool | `true` |  |
 | persistence.existingClaim | string | `""` | Use existingClaim if you want to re-use an existing Open WebUI PVC instead of creating a new one |
-| persistence.gcs.appCredentialsJson | string | `""` | Contents of Google Application Credentials JSON file. Optional - if not provided, credentials will be taken from the environment. User credentials if run locally and Google Metadata server if run on a Google Compute Engine. File can be generated for a service account following this guide: https://developers.google.com/workspace/guides/create-credentials#service-account |
-| persistence.gcs.bucket | string | `""` | Sets the bucket name for Google Cloud Storage. Bucket must already exist |
 | persistence.provider | string | `"local"` | Sets the storage provider, availables values are `local`, `s3`, `gcs` or `azure` |
-| persistence.s3.accessKey | string | `""` | Sets the access key ID for S3 storage |
-| persistence.s3.bucket | string | `""` | Sets the bucket name for S3 storage |
-| persistence.s3.endpointUrl | string | `""` | Sets the endpoint url for S3 storage |
-| persistence.s3.keyPrefix | string | `""` | Sets the key prefix for a S3 object |
-| persistence.s3.region | string | `""` | Sets the region name for S3 storage |
-| persistence.s3.secretKey | string | `""` | Sets the secret access key for S3 storage |
 | persistence.selector | object | `{}` |  |
 | persistence.size | string | `"2Gi"` |  |
 | persistence.storageClass | string | `""` |  |
@@ -194,7 +246,8 @@ helm upgrade --install open-webui open-webui/open-webui
 | volumes | list | `[]` | Configure pod volumes ref: <https://kubernetes.io/docs/tasks/configure-pod-container/configure-volume-storage/> |
 | websocket.enabled | bool | `false` | Enables websocket support in Open WebUI with env `ENABLE_WEBSOCKET_SUPPORT` |
 | websocket.manager | string | `"redis"` | Specifies the websocket manager to use with env `WEBSOCKET_MANAGER`: redis (default) |
-| websocket.redis | object | `{"affinity":{},"annotations":{},"args":[],"command":[],"enabled":true,"image":{"pullPolicy":"IfNotPresent","repository":"redis","tag":"7.4.2-alpine3.21"},"labels":{},"name":"open-webui-redis","pods":{"annotations":{}},"resources":{},"securityContext":{},"service":{"annotations":{},"containerPort":6379,"labels":{},"nodePort":"","port":6379,"type":"ClusterIP"},"tolerations":[]}` | Deploys a redis |
+| websocket.nodeSelector | object | `{}` | Node selector for websocket pods |
+| websocket.redis | object | `{"affinity":{},"annotations":{},"args":[],"command":[],"enabled":true,"image":{"pullPolicy":"IfNotPresent","repository":"redis","tag":"7.4.2-alpine3.21"},"labels":{},"name":"open-webui-redis","pods":{"annotations":{},"labels":{}},"resources":{},"securityContext":{},"service":{"annotations":{},"containerPort":6379,"labels":{},"nodePort":"","port":6379,"type":"ClusterIP"},"tolerations":[]}` | Deploys a redis |
 | websocket.redis.affinity | object | `{}` | Redis affinity for pod assignment |
 | websocket.redis.annotations | object | `{}` | Redis annotations |
 | websocket.redis.args | list | `[]` | Redis arguments (overrides default) |
@@ -203,8 +256,9 @@ helm upgrade --install open-webui open-webui/open-webui
 | websocket.redis.image | object | `{"pullPolicy":"IfNotPresent","repository":"redis","tag":"7.4.2-alpine3.21"}` | Redis image |
 | websocket.redis.labels | object | `{}` | Redis labels |
 | websocket.redis.name | string | `"open-webui-redis"` | Redis name |
-| websocket.redis.pods | object | `{"annotations":{}}` | Redis pod |
+| websocket.redis.pods | object | `{"annotations":{},"labels":{}}` | Redis pod |
 | websocket.redis.pods.annotations | object | `{}` | Redis pod annotations |
+| websocket.redis.pods.labels | object | `{}` | Redis pod labels |
 | websocket.redis.resources | object | `{}` | Redis resources |
 | websocket.redis.securityContext | object | `{}` | Redis security context |
 | websocket.redis.service | object | `{"annotations":{},"containerPort":6379,"labels":{},"nodePort":"","port":6379,"type":"ClusterIP"}` | Redis service |

charts/open-webui/templates/_helpers.tpl

@@ -169,3 +169,88 @@ Create labels to include on chart all websocket resources
 {{ include "base.labels" . }}
 {{ include "websocket.redis.selectorLabels" . }}
 {{- end }}
+
+{{/*
+Validate SSO ClientSecret to be set literally or via Secret
+*/}}
+{{- define "sso.validateClientSecret" -}}
+{{- $provider := .provider }}
+{{- $values := .values }}
+{{- if and (empty (index $values $provider "clientSecret")) (empty (index $values $provider "clientExistingSecret")) }}
+  {{- fail (printf "You must provide either .Values.sso.%s.clientSecret or .Values.sso.%s.clientExistingSecret" $provider $provider) }}
+{{- end }}
+{{- end }}
+
+{{- /*
+Fail template rendering if invalid log component
+*/ -}}
+{{- define "logging.isValidComponent" -}}
+  {{- $component := . | lower -}}
+  {{- $validComponents := dict
+      "audio" true
+      "comfyui" true
+      "config" true
+      "db" true
+      "images" true
+      "main" true
+      "models" true
+      "ollama" true
+      "openai" true
+      "rag" true
+      "webhook" true
+  -}}
+  {{- hasKey $validComponents $component -}}
+{{- end }}
+
+
+{{- define "logging.assertValidComponent" -}}
+  {{- $component := lower . -}}
+  {{- $res := include "logging.isValidComponent" $component }}
+  {{- if ne $res "true" }}
+    {{- fail (printf "Invalid logging component name: '%s'. Valid names: audio, comfyui, config, db, images, main, models, ollama, openai, rag, webhook" $component) }}
+  {{- end }}
+{{- end }}
+
+{{- /*
+Fail template rendering if invalid log level
+*/ -}}
+{{- define "logging.assertValidLevel" -}}
+  {{- $level := lower . }}
+  {{- $validLevels := dict "notset" true "debug" true "info" true "warning" true "error" true "critical" true }}
+  {{- if not (hasKey $validLevels $level) }}
+    {{- fail (printf "Invalid log level: '%s'. Valid values are: notset, debug, info, warning, error, critical" $level) }}
+  {{- end }}
+{{- end }}
+
+{{- /*
+Render a logging env var for a component, validating value
+*/ -}}
+{{- define "logging.componentEnvVar" -}}
+  {{- $name := .componentName }}
+  {{- $level := .logLevel }}
+{{- include "logging.assertValidComponent" $name -}}
+{{- include "logging.assertValidLevel" $level }}
+- name: {{ printf "%s_LOG_LEVEL" (upper $name) | quote }}
+  value: {{ $level | quote | trim }}
+{{- end }}
+
+{{- /*
+Constructs a string containing the URLs of the Open WebUI based on the ingress configuration
+used to populate the variable WEBUI_URL  
+*/ -}}
+{{- define "openweb-ui.url" -}}
+  {{- $url := "" -}}
+  {{- range .Values.extraEnvVars }}
+    {{- if and (eq .name "WEBUI_URL") .value }}
+      {{- $url = .value }}
+    {{- end }}
+  {{- end }}
+  {{- if not $url }}
+    {{- $proto := "http" -}}
+    {{- if .Values.ingress.tls }}
+      {{- $proto = "https" -}}
+    {{- end }}
+    {{- $url = printf "%s://%s" $proto .Values.ingress.host }}
+  {{- end }}
+  {{- $url }}
+{{- end }}

charts/open-webui/templates/ingress.yaml

@@ -6,6 +6,9 @@ metadata:
   namespace: {{ include "open-webui.namespace" . }}
   labels:
     {{- include "open-webui.labels" . | nindent 4 }}
+    {{- with .Values.ingress.extraLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
   {{- with .Values.ingress.annotations }}
   annotations:
     {{- toYaml . | nindent 4 }}

charts/open-webui/templates/websocket-redis.yaml

@@ -21,6 +21,9 @@ spec:
     metadata:
       labels:
         {{- include "websocket.redis.labels" . | nindent 8 }}
+        {{- with .Values.websocket.redis.pods.labels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
       annotations:
         {{- with .Values.websocket.redis.pods.annotations }}
         {{- toYaml . | nindent 8 }}
@@ -61,6 +64,10 @@ spec:
       securityContext:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with .Values.websocket.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
 ---
 apiVersion: v1
 kind: Service

charts/open-webui/templates/workload-manager.yaml

@@ -52,7 +52,12 @@ spec:
         image: {{ .repository }}:{{ .tag | default $.Chart.AppVersion }}
         imagePullPolicy: {{ .pullPolicy }}
         {{- end }}
-        command: ['sh', '-c', 'cp -R -n /app/backend/data/* /tmp/app-data/']
+        command:
+          {{- toYaml (.Values.copyAppData.command | default (list "sh" "-c" "cp -R -n /app/backend/data/* /tmp/app-data/")) | nindent 10 }}
+        {{- with .Values.copyAppData.args }}
+        args:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
         {{- with .Values.containerSecurityContext }}
         securityContext:
           {{- toYaml . | nindent 10 }}
@@ -90,6 +95,14 @@ spec:
         image: {{ .repository }}:{{ .tag | default $.Chart.AppVersion }}
         imagePullPolicy: {{ .pullPolicy }}
         {{- end }}
+        {{- with .Values.command }}
+        command:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
+        {{- with .Values.args }}
+        args:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
         ports:
         - name: http
           containerPort: {{ .Values.service.containerPort }}
@@ -119,6 +132,16 @@ spec:
         {{- toYaml . | nindent 8 }}
         {{- end }}
         env:
+        {{- $hasCustomWebUIUrl := false }}
+        {{- range .Values.extraEnvVars }}
+          {{- if eq .name "WEBUI_URL" }}
+            {{- $hasCustomWebUIUrl = true }}
+          {{- end }}
+        {{- end }}
+        {{- if and .Values.ingress.enabled (not $hasCustomWebUIUrl) }}
+        - name: WEBUI_URL
+          value: {{ include "openweb-ui.url" . | quote }}
+        {{- end }}
         {{- if .Values.ollamaUrlsFromExtraEnv}}
         {{- else if or .Values.ollamaUrls .Values.ollama.enabled }}
         - name: "OLLAMA_BASE_URLS"
@@ -159,7 +182,14 @@ spec:
         - name: "S3_ACCESS_KEY_ID"
           value: {{ .Values.persistence.s3.accessKey }}
         - name: "S3_SECRET_ACCESS_KEY"
+        {{- if .Values.persistence.s3.secretKeyExistingSecret }}
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.persistence.s3.secretKeyExistingSecret }}
+              key: {{ .Values.persistence.s3.secretKeyExistingSecretKey }}
+        {{- else }}
           value: {{ .Values.persistence.s3.secretKey }}
+        {{- end }}
         - name: "S3_ENDPOINT_URL"
           value: {{ .Values.persistence.s3.endpointUrl }}
         - name: "S3_BUCKET_NAME"
@@ -172,7 +202,14 @@ spec:
         - name: "STORAGE_PROVIDER"
           value: {{ .Values.persistence.provider }}
         - name: "GOOGLE_APPLICATION_CREDENTIALS_JSON"
+        {{- if .Values.persistence.gcs.appCredentialsJsonExistingSecret }}
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.persistence.gcs.appCredentialsJsonExistingSecret }}
+              key: {{ .Values.persistence.gcs.appCredentialsJsonExistingSecretKey }}
+        {{- else }}
           value: {{ .Values.persistence.gcs.appCredentialsJson }}
+        {{- end }}
         - name: "GCS_BUCKET_NAME"
           value: {{ .Values.persistence.gcs.bucket }}
         {{- else if eq .Values.persistence.provider "azure" }}
@@ -183,8 +220,15 @@ spec:
         - name: "AZURE_STORAGE_CONTAINER_NAME"
           value: {{ .Values.persistence.azure.container }}
         - name: "AZURE_STORAGE_KEY"
+        {{- if .Values.persistence.azure.keyExistingSecret }}
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.persistence.azure.keyExistingSecret }}
+              key: {{ .Values.persistence.azure.keyExistingSecretKey }}
+        {{- else }}
           value: {{ .Values.persistence.azure.key }}
         {{- end }}
+        {{- end }}
         {{- if .Values.websocket.enabled }}
         - name: "ENABLE_WEBSOCKET_SUPPORT"
           value: "True"
@@ -209,28 +253,60 @@ spec:
         {{- if .Values.sso.google.enabled }}
         - name: "GOOGLE_CLIENT_ID"
           value: {{ .Values.sso.google.clientId | quote }}
+        {{- include "sso.validateClientSecret" (dict "provider" "google" "values" .Values.sso) }}
         - name: "GOOGLE_CLIENT_SECRET"
+        {{- if .Values.sso.google.clientExistingSecret }}
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.sso.google.clientExistingSecret | quote }}
+              key: {{ .Values.sso.google.clientExistingSecretKey | quote }}
+        {{- else }}
           value: {{ .Values.sso.google.clientSecret | quote }}
         {{- end }}
+        {{- end }}
         {{- if .Values.sso.microsoft.enabled }}
         - name: "MICROSOFT_CLIENT_ID"
           value: {{ .Values.sso.microsoft.clientId | quote }}
+        {{- include "sso.validateClientSecret" (dict "provider" "microsoft" "values" .Values.sso) }}
         - name: "MICROSOFT_CLIENT_SECRET"
+        {{- if .Values.sso.microsoft.clientExistingSecret }}
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.sso.microsoft.clientExistingSecret | quote }}
+              key: {{ .Values.sso.microsoft.clientExistingSecretKey | quote }}
+        {{- else }}
           value: {{ .Values.sso.microsoft.clientSecret | quote }}
+        {{- end }}
         - name: "MICROSOFT_CLIENT_TENANT_ID"
           value: {{ .Values.sso.microsoft.tenantId | quote }}
         {{- end }}
         {{- if .Values.sso.github.enabled }}
         - name: "GITHUB_CLIENT_ID"
           value: {{ .Values.sso.github.clientId | quote }}
+        {{- include "sso.validateClientSecret" (dict "provider" "github" "values" .Values.sso) }}
         - name: "GITHUB_CLIENT_SECRET"
+        {{- if .Values.sso.github.clientExistingSecret }}
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.sso.github.clientExistingSecret | quote }}
+              key: {{ .Values.sso.github.clientExistingSecretKey | quote }}
+        {{- else }}
           value: {{ .Values.sso.github.clientSecret | quote }}
         {{- end }}
+        {{- end }}
         {{- if .Values.sso.oidc.enabled }}
         - name: "OAUTH_CLIENT_ID"
           value: {{ .Values.sso.oidc.clientId | quote }}
+        {{- include "sso.validateClientSecret" (dict "provider" "oidc" "values" .Values.sso) }}
         - name: "OAUTH_CLIENT_SECRET"
+        {{- if .Values.sso.oidc.clientExistingSecret }}
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.sso.oidc.clientExistingSecret | quote }}
+              key: {{ .Values.sso.oidc.clientExistingSecretKey | quote }}
+        {{- else }}
           value: {{ .Values.sso.oidc.clientSecret | quote }}
+        {{- end }}
         - name: "OPENID_PROVIDER_URL"
           value: {{ .Values.sso.oidc.providerUrl | quote }}
         - name: "OAUTH_PROVIDER_NAME"
@@ -267,9 +343,25 @@ spec:
         {{- end }}
         {{- end }}
         {{- end }}
+        {{- if .Values.logging.level }}
+        {{- include "logging.assertValidLevel" .Values.logging.level }}
+        - name: "GLOBAL_LOG_LEVEL"
+          value: {{ .Values.logging.level | quote }}
+        {{- end }}
+
+        {{- if .Values.logging.components }}
+        {{- range $name, $level := .Values.logging.components }}
+        {{- if $level }}
+        {{- include "logging.componentEnvVar" (dict "componentName" $name "logLevel" $level) | indent 8 }}
+        {{- end }}
+        {{- end }}
+        {{- end }}
         {{- if .Values.extraEnvVars }}
           {{- toYaml .Values.extraEnvVars | nindent 8 }}
         {{- end }}
+        {{- if .Values.commonEnvVars }}
+          {{- toYaml .Values.commonEnvVars | nindent 8 }}
+        {{- end }}
         {{- if .Values.extraEnvFrom }}
         envFrom:
           {{- toYaml .Values.extraEnvFrom | nindent 8 }}

charts/open-webui/values.yaml

@@ -44,6 +44,8 @@ websocket:
   manager: redis
   # -- Specifies the URL of the Redis instance for websocket communication. Template with `redis://[:<password>@]<hostname>:<port>/<db>`
   url: redis://open-webui-redis:6379/0
+  # -- Node selector for websocket pods
+  nodeSelector: {}
   # -- Deploys a redis
   redis:
     # -- Enable redis installation
@@ -56,6 +58,8 @@ websocket:
     annotations: {}
     # -- Redis pod
     pods:
+      # -- Redis pod labels
+      labels: {}
       # -- Redis pod annotations
       annotations: {}
     # -- Redis image
@@ -126,6 +130,11 @@ image:
   tag: ""
   pullPolicy: "IfNotPresent"
 
+# -- Open WebUI container command (overrides default entrypoint)
+command: []
+# -- Open WebUI container arguments (overrides default)
+args: []
+
 serviceAccount:
   enable: true
   name: ""
@@ -172,6 +181,11 @@ startupProbe: {}
 resources: {}
 
 copyAppData:
+  # -- Open WebUI copy-app-data init container command (overrides default)
+  command: []
+  # -- Open WebUI copy-app-data init container arguments (overrides default)
+  args: []
+
   resources: {}
 
 managedCertificate:
@@ -198,6 +212,13 @@ ingress:
   additionalHosts: []
   tls: false
   existingSecret: ""
+
+  # -- Additional custom labels to add to the Ingress metadata
+  # Useful for tagging, selecting, or applying policies to the Ingress via labels.
+  extraLabels: {}
+  # extraLabels:
+  #   app.kubernetes.io/environment: "staging"
+
 persistence:
   enabled: true
   size: 2Gi
@@ -215,29 +236,58 @@ persistence:
   provider: local
   s3:
     # -- Sets the access key ID for S3 storage
+    # @section -- Amazon S3 Storage configuration
     accessKey: ""
-    # -- Sets the secret access key for S3 storage
+    # -- Sets the secret access key for S3 storage (ignored if secretKeyExistingSecret is set)
+    # @section -- Amazon S3 Storage configuration
     secretKey: ""
+    # -- Set the secret access key for S3 storage from existing k8s secret
+    # @section -- Amazon S3 Storage configuration
+    secretKeyExistingSecret: ""
+    # -- Set the secret access key for S3 storage from existing k8s secret key
+    # @section -- Amazon S3 Storage configuration
+    secretKeyExistingSecretKey: ""
     # -- Sets the endpoint url for S3 storage
+    # @section -- Amazon S3 Storage configuration
     endpointUrl: ""
     # -- Sets the region name for S3 storage
-    region:	""
+    # @section -- Amazon S3 Storage configuration
+    region: ""
     # -- Sets the bucket name for S3 storage
-    bucket:	""
+    # @section -- Amazon S3 Storage configuration
+    bucket: ""
     # -- Sets the key prefix for a S3 object
+    # @section -- Amazon S3 Storage configuration
     keyPrefix: ""
   gcs:
-    # -- Contents of Google Application Credentials JSON file. Optional - if not provided, credentials will be taken from the environment. User credentials if run locally and Google Metadata server if run on a Google Compute Engine. File can be generated for a service account following this guide: https://developers.google.com/workspace/guides/create-credentials#service-account
+    # -- Contents of Google Application Credentials JSON file (ignored if appCredentialsJsonExistingSecret is set). Optional - if not provided, credentials will be taken from the environment. User credentials if run locally and Google Metadata server if run on a Google Compute Engine. File can be generated for a service account following this guide: https://developers.google.com/workspace/guides/create-credentials#service-account
+    # @section -- Google Cloud Storage configuration
     appCredentialsJson: ""
+    # -- Set the Google Application Credentials JSON file for Google Cloud Storage from existing secret
+    # @section -- Google Cloud Storage configuration
+    appCredentialsJsonExistingSecret: ""
+    # -- Set the Google Application Credentials JSON file for Google Cloud Storage from existing secret key
+    # @section -- Google Cloud Storage configuration
+    appCredentialsJsonExistingSecretKey: ""
     # -- Sets the bucket name for Google Cloud Storage. Bucket must already exist
+    # @section -- Google Cloud Storage configuration
     bucket: ""
   azure:
     # -- Sets the endpoint URL for Azure Storage
+    # @section -- Azure Storage configuration
     endpointUrl: ""
     # -- Sets the container name for Azure Storage
+    # @section -- Azure Storage configuration
     container: ""
-    # -- Set the access key for Azure Storage. Optional - if not provided, credentials will be taken from the environment. User credentials if run locally and Managed Identity if run in Azure services
+    # -- Set the access key for Azure Storage (ignored if keyExistingSecret is set). Optional - if not provided, credentials will be taken from the environment. User credentials if run locally and Managed Identity if run in Azure services
+    # @section -- Azure Storage configuration
     key: ""
+    # -- Set the access key for Azure Storage from existing secret
+    # @section -- Azure Storage configuration
+    keyExistingSecret: ""
+    # -- Set the access key for Azure Storage from existing secret key
+    # @section -- Azure Storage configuration
+    keyExistingSecretKey: ""
 
 # -- Node labels for pod assignment.
 nodeSelector: {}
@@ -293,6 +343,11 @@ extraEnvVars:
   # - name: OLLAMA_DEBUG
   #   value: "1"
 
+# -- Env vars added to the Open WebUI deployment, common across environments. Most up-to-date environment variables can be found here: https://docs.openwebui.com/getting-started/env-configuration/ (caution: environment variables defined in both `extraEnvVars` and `commonEnvVars` will result in a conflict. Avoid duplicates)
+commonEnvVars: []
+  # - name: RAG_EMBEDDING_ENGINE
+  #   value: "openai"
+
 # -- Env vars added from configmap or secret to the Open WebUI deployment. Most up-to-date environment variables can be found here: https://docs.openwebui.com/getting-started/env-configuration/ (caution: `extraEnvVars` will take precedence over the value from `extraEnvFrom`)
 extraEnvFrom: []
   # - configMapRef:
@@ -382,9 +437,15 @@ sso:
     # -- Google OAuth client ID
     # @section -- Google OAuth configuration
     clientId: ""
-    # -- Google OAuth client secret
+    # -- Google OAuth client secret (ignored if clientExistingSecret is set)
     # @section -- Google OAuth configuration
     clientSecret: ""
+    # -- Google OAuth client secret from existing secret
+    # @section -- Google OAuth configuration
+    clientExistingSecret: ""
+    # -- Google OAuth client secret key from existing secret
+    # @section -- Google OAuth configuration
+    clientExistingSecretKey: ""
 
   microsoft:
     # -- Enable Microsoft OAuth
@@ -393,9 +454,15 @@ sso:
     # -- Microsoft OAuth client ID
     # @section -- Microsoft OAuth configuration
     clientId: ""
-    # -- Microsoft OAuth client secret
+    # -- Microsoft OAuth client secret (ignored if clientExistingSecret is set)
     # @section -- Microsoft OAuth configuration
     clientSecret: ""
+    # -- Microsoft OAuth client secret from existing secret
+    # @section -- Microsoft OAuth configuration
+    clientExistingSecret: ""
+    # -- Microsoft OAuth client secret key from existing secret
+    # @section -- Microsoft OAuth configuration
+    clientExistingSecretKey: ""
     # -- Microsoft tenant ID - use 9188040d-6c67-4c5b-b112-36a304b66dad for personal accounts
     # @section -- Microsoft OAuth configuration
     tenantId: ""
@@ -407,9 +474,15 @@ sso:
     # -- GitHub OAuth client ID
     # @section -- GitHub OAuth configuration
     clientId: ""
-    # -- GitHub OAuth client secret
+    # -- GitHub OAuth client secret (ignored if clientExistingSecret is set)
     # @section -- GitHub OAuth configuration
     clientSecret: ""
+    # -- GitHub OAuth client secret from existing secret
+    # @section -- GitHub OAuth configuration
+    clientExistingSecret: ""
+    # -- GitHub OAuth client secret key from existing secret
+    # @section -- GitHub OAuth configuration
+    clientExistingSecretKey: ""
 
   oidc:
     # -- Enable OIDC authentication
@@ -418,9 +491,15 @@ sso:
     # -- OIDC client ID
     # @section -- OIDC configuration
     clientId: ""
-    # -- OIDC client secret
+    # -- OIDC client secret (ignored if clientExistingSecret is set)
     # @section -- OIDC configuration
     clientSecret: ""
+    # -- OICD client secret from existing secret
+    # @section -- OIDC configuration
+    clientExistingSecret: ""
+    # -- OIDC client secret key from existing secret
+    # @section -- OIDC configuration
+    clientExistingSecretKey: ""
     # -- OIDC provider well known URL
     # @section -- OIDC configuration
     providerUrl: ""
@@ -491,3 +570,46 @@ postgresql:
       limits:
         memory: 512Mi
         cpu: 500m
+
+# Configure Application logging levels (see. https://docs.openwebui.com/getting-started/advanced-topics/logging#-logging-levels-explained)
+logging:
+  # -- Set the global log level ["notset", "debug", "info" (default), "warning", "error", "critical"]
+  # @section -- Logging configuration
+  level: ""
+
+  # Optional granularity: override log levels per subsystem/component
+  # if not set, it will use the global level (see. https://docs.openwebui.com/getting-started/advanced-topics/logging#%EF%B8%8F-appbackend-specific-logging-levels)
+  components:
+    # -- Set the log level for the Audio processing component
+    # @section -- Logging configuration
+    audio: ""
+    # -- Set the log level for the ComfyUI Integration component
+    # @section -- Logging configuration
+    comfyui: ""
+    # -- Set the log level for the Configuration Management component
+    # @section -- Logging configuration
+    config: ""
+    # -- Set the log level for the Database Operations (Peewee) component
+    # @section -- Logging configuration
+    db: ""
+    # -- Set the log level for the Image Generation component
+    # @section -- Logging configuration
+    images: ""
+    # -- Set the log level for the Main Application Execution component
+    # @section -- Logging configuration
+    main: ""
+    # -- Set the log level for the Model Management component
+    # @section -- Logging configuration
+    models: ""
+    # -- Set the log level for the Ollama Backend Integration component
+    # @section -- Logging configuration
+    ollama: ""
+    # -- Set the log level for the OpenAI API Integration component
+    # @section -- Logging configuration
+    openai: ""
+    # -- Set the log level for the Retrieval-Augmented Generation (RAG) component
+    # @section -- Logging configuration
+    rag: ""
+    # -- Set the log level for the Authentication Webhook component
+    # @section -- Logging configuration
+    webhook: ""

charts/pipelines/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: pipelines
-version: 0.5.0
+version: 0.7.0
 appVersion: "alpha"
 
 home: https://github.com/open-webui/pipelines

charts/pipelines/README.md

@@ -1,6 +1,6 @@
 # pipelines
 
-![Version: 0.5.0](https://img.shields.io/badge/Version-0.5.0-informational?style=flat-square) ![AppVersion: alpha](https://img.shields.io/badge/AppVersion-alpha-informational?style=flat-square)
+![Version: 0.7.0](https://img.shields.io/badge/Version-0.7.0-informational?style=flat-square) ![AppVersion: alpha](https://img.shields.io/badge/AppVersion-alpha-informational?style=flat-square)
 
 Pipelines: UI-Agnostic OpenAI API Plugin Framework
 
@@ -33,6 +33,8 @@ helm upgrade --install open-webui open-webui/pipelines
 | affinity | object | `{}` | Affinity for pod assignment |
 | annotations | object | `{}` |  |
 | clusterDomain | string | `"cluster.local"` | Value of cluster domain |
+| commonEnvVars | list | `[]` | Additional environments variables on the output Deployment definition, common across environments |
+| containerSecurityContext | object | `{}` | Configure container security context ref: <https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-containe> |
 | extraEnvVars | list | `[{"name":"PIPELINES_URLS","value":"https://github.com/open-webui/pipelines/blob/main/examples/filters/detoxify_filter_pipeline.py"}]` | Additional environments variables on the output Deployment definition. These are used to pull initial Pipeline files, and help configure Pipelines with required values (e.g. Langfuse API keys) |
 | extraEnvVars[0] | object | `{"name":"PIPELINES_URLS","value":"https://github.com/open-webui/pipelines/blob/main/examples/filters/detoxify_filter_pipeline.py"}` | Example pipeline to pull and load on deployment startup, see current pipelines here: https://github.com/open-webui/pipelines/blob/main/examples |
 | extraInitContainers | list | `[]` | Additional init containers to add to the deployment ref: <https://kubernetes.io/docs/concepts/workloads/pods/init-containers/> |
@@ -60,6 +62,7 @@ helm upgrade --install open-webui open-webui/pipelines
 | persistence.storageClass | string | `""` |  |
 | podAnnotations | object | `{}` |  |
 | podLabels | object | `{}` |  |
+| podSecurityContext | object | `{}` | Configure pod security context ref: <https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container> |
 | replicaCount | int | `1` |  |
 | resources | object | `{}` |  |
 | service.annotations | object | `{}` |  |

charts/pipelines/templates/deployment.yaml

@@ -43,6 +43,10 @@ spec:
       {{- if .Values.serviceAccount.enable }}
       serviceAccountName: {{ .Values.serviceAccount.name | default (include "pipelines.name" .) }}
       {{- end }}
+      {{- with .Values.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       containers:
       - name: {{ .Chart.Name }}
         {{- with .Values.image }}
@@ -55,6 +59,10 @@ spec:
         {{- with .Values.resources }}
         resources: {{- toYaml . | nindent 10 }}
         {{- end }}
+        {{- with .Values.containerSecurityContext }}
+        securityContext:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
         volumeMounts:
         - name: data
           mountPath: /app/pipelines
@@ -65,6 +73,9 @@ spec:
         {{- if .Values.extraEnvVars }}
           {{- toYaml .Values.extraEnvVars | nindent 8 }}
         {{- end }}
+        {{- if .Values.commonEnvVars }}
+          {{- toYaml .Values.commonEnvVars | nindent 8 }}
+        {{- end }}
         tty: true
       {{- with .Values.nodeSelector }}
       nodeSelector:
@@ -97,4 +108,4 @@ spec:
       {{- end }}
       {{- with .Values.volumes }}
       {{- toYaml . | nindent 6 }}
-      {{- end }}
+      {{- end }}

charts/pipelines/values.yaml

@@ -46,6 +46,31 @@ serviceAccount:
   enable: true
   automountServiceAccountToken: false
 
+# -- Configure pod security context
+# ref: <https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container>
+podSecurityContext:
+  {}
+  # fsGroupChangePolicy: Always
+  # sysctls: []
+  # supplementalGroups: []
+  # fsGroup: 1001
+
+# -- Configure container security context
+# ref: <https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-containe>
+containerSecurityContext:
+  {}
+  # runAsUser: 1001
+  # runAsGroup: 1001
+  # runAsNonRoot: true
+  # privileged: false
+  # allowPrivilegeEscalation: false
+  # readOnlyRootFilesystem: false
+  # capabilities:
+  #   drop:
+  #     - ALL
+  # seccompProfile:
+  #   type: "RuntimeDefault"
+
 # -- Node labels for pod assignment.
 nodeSelector: {}
 
@@ -93,6 +118,9 @@ extraEnvVars:
   # - name: LANGFUSE_HOST
   #   value: https://us.cloud.langfuse.com
 
+# -- Additional environments variables on the output Deployment definition, common across environments.
+commonEnvVars: []
+
 # -- Configure container volume mounts
 # ref: <https://kubernetes.io/docs/tasks/configure-pod-container/configure-volume-storage/>
 volumeMounts: []