chore: update Open WebUI to latest app version

feat(open-webui): Add application logging configuration

charts/open-webui/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: open-webui
-version: 6.8.0
-appVersion: 0.6.6
+version: 6.11.0
+appVersion: 0.6.7
 home: https://www.openwebui.com/
 icon: >-
   https://raw.githubusercontent.com/open-webui/open-webui/main/static/favicon.png

charts/open-webui/README.md

@@ -1,6 +1,6 @@
 # open-webui
 
-![Version: 6.8.0](https://img.shields.io/badge/Version-6.8.0-informational?style=flat-square) ![AppVersion: 0.6.6](https://img.shields.io/badge/AppVersion-0.6.6-informational?style=flat-square)
+![Version: 6.11.0](https://img.shields.io/badge/Version-6.11.0-informational?style=flat-square) ![AppVersion: 0.6.7](https://img.shields.io/badge/AppVersion-0.6.7-informational?style=flat-square)
 
 Open WebUI: A User-Friendly Web Interface for Chat Interactions 👋
 
@@ -41,6 +41,55 @@ helm upgrade --install open-webui open-webui/open-webui
 
 ## Values
 
+### Logging configuration
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| logging.components.audio | string | `""` | Set the log level for the Audio processing component |
+| logging.components.comfyui | string | `""` | Set the log level for the ComfyUI Integration component |
+| logging.components.config | string | `""` | Set the log level for the Configuration Management component |
+| logging.components.db | string | `""` | Set the log level for the Database Operations (Peewee) component |
+| logging.components.images | string | `""` | Set the log level for the Image Generation component |
+| logging.components.main | string | `""` | Set the log level for the Main Application Execution component |
+| logging.components.models | string | `""` | Set the log level for the Model Management component |
+| logging.components.ollama | string | `""` | Set the log level for the Ollama Backend Integration component |
+| logging.components.openai | string | `""` | Set the log level for the OpenAI API Integration component |
+| logging.components.rag | string | `""` | Set the log level for the Retrieval-Augmented Generation (RAG) component |
+| logging.components.webhook | string | `""` | Set the log level for the Authentication Webhook component |
+| logging.level | string | `""` | Set the global log level ["notset", "debug", "info" (default), "warning", "error", "critical"] |
+
+### Azure Storage configuration
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| persistence.azure.container | string | `""` | Sets the container name for Azure Storage |
+| persistence.azure.endpointUrl | string | `""` | Sets the endpoint URL for Azure Storage |
+| persistence.azure.key | string | `""` | Set the access key for Azure Storage (ignored if keyExistingSecret is set). Optional - if not provided, credentials will be taken from the environment. User credentials if run locally and Managed Identity if run in Azure services |
+| persistence.azure.keyExistingSecret | string | `""` | Set the access key for Azure Storage from existing secret |
+| persistence.azure.keyExistingSecretKey | string | `""` | Set the access key for Azure Storage from existing secret key |
+
+### Google Cloud Storage configuration
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| persistence.gcs.appCredentialsJson | string | `""` | Contents of Google Application Credentials JSON file (ignored if appCredentialsJsonExistingSecret is set). Optional - if not provided, credentials will be taken from the environment. User credentials if run locally and Google Metadata server if run on a Google Compute Engine. File can be generated for a service account following this guide: https://developers.google.com/workspace/guides/create-credentials#service-account |
+| persistence.gcs.appCredentialsJsonExistingSecret | string | `""` | Set the Google Application Credentials JSON file for Google Cloud Storage from existing secret |
+| persistence.gcs.appCredentialsJsonExistingSecretKey | string | `""` | Set the Google Application Credentials JSON file for Google Cloud Storage from existing secret key |
+| persistence.gcs.bucket | string | `""` | Sets the bucket name for Google Cloud Storage. Bucket must already exist |
+
+### Amazon S3 Storage configuration
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| persistence.s3.accessKey | string | `""` | Sets the access key ID for S3 storage |
+| persistence.s3.bucket | string | `""` | Sets the bucket name for S3 storage |
+| persistence.s3.endpointUrl | string | `""` | Sets the endpoint url for S3 storage |
+| persistence.s3.keyPrefix | string | `""` | Sets the key prefix for a S3 object |
+| persistence.s3.region | string | `""` | Sets the region name for S3 storage |
+| persistence.s3.secretKey | string | `""` | Sets the secret access key for S3 storage (ignored if secretKeyExistingSecret is set) |
+| persistence.s3.secretKeyExistingSecret | string | `""` | Set the secret access key for S3 storage from existing k8s secret |
+| persistence.s3.secretKeyExistingSecretKey | string | `""` | Set the secret access key for S3 storage from existing k8s secret key |
+
 ### SSO Configuration
 
 | Key | Type | Default | Description |
@@ -153,20 +202,9 @@ helm upgrade --install open-webui open-webui/open-webui
 | openaiBaseApiUrls | list | `[]` | OpenAI base API URLs to use. Overwrites the value in openaiBaseApiUrl if set |
 | persistence.accessModes | list | `["ReadWriteOnce"]` | If using multiple replicas, you must update accessModes to ReadWriteMany |
 | persistence.annotations | object | `{}` |  |
-| persistence.azure.container | string | `""` | Sets the container name for Azure Storage |
-| persistence.azure.endpointUrl | string | `""` | Sets the endpoint URL for Azure Storage |
-| persistence.azure.key | string | `""` | Set the access key for Azure Storage. Optional - if not provided, credentials will be taken from the environment. User credentials if run locally and Managed Identity if run in Azure services |
 | persistence.enabled | bool | `true` |  |
 | persistence.existingClaim | string | `""` | Use existingClaim if you want to re-use an existing Open WebUI PVC instead of creating a new one |
-| persistence.gcs.appCredentialsJson | string | `""` | Contents of Google Application Credentials JSON file. Optional - if not provided, credentials will be taken from the environment. User credentials if run locally and Google Metadata server if run on a Google Compute Engine. File can be generated for a service account following this guide: https://developers.google.com/workspace/guides/create-credentials#service-account |
-| persistence.gcs.bucket | string | `""` | Sets the bucket name for Google Cloud Storage. Bucket must already exist |
 | persistence.provider | string | `"local"` | Sets the storage provider, availables values are `local`, `s3`, `gcs` or `azure` |
-| persistence.s3.accessKey | string | `""` | Sets the access key ID for S3 storage |
-| persistence.s3.bucket | string | `""` | Sets the bucket name for S3 storage |
-| persistence.s3.endpointUrl | string | `""` | Sets the endpoint url for S3 storage |
-| persistence.s3.keyPrefix | string | `""` | Sets the key prefix for a S3 object |
-| persistence.s3.region | string | `""` | Sets the region name for S3 storage |
-| persistence.s3.secretKey | string | `""` | Sets the secret access key for S3 storage |
 | persistence.selector | object | `{}` |  |
 | persistence.size | string | `"2Gi"` |  |
 | persistence.storageClass | string | `""` |  |

charts/open-webui/templates/_helpers.tpl

@@ -180,3 +180,56 @@ Validate SSO ClientSecret to be set literally or via Secret
   {{- fail (printf "You must provide either .Values.sso.%s.clientSecret or .Values.sso.%s.clientExistingSecret" $provider $provider) }}
 {{- end }}
 {{- end }}
+
+{{- /*
+Fail template rendering if invalid log component
+*/ -}}
+{{- define "logging.isValidComponent" -}}
+  {{- $component := . | lower -}}
+  {{- $validComponents := dict
+      "audio" true
+      "comfyui" true
+      "config" true
+      "db" true
+      "images" true
+      "main" true
+      "models" true
+      "ollama" true
+      "openai" true
+      "rag" true
+      "webhook" true
+  -}}
+  {{- hasKey $validComponents $component -}}
+{{- end }}
+
+
+{{- define "logging.assertValidComponent" -}}
+  {{- $component := lower . -}}
+  {{- $res := include "logging.isValidComponent" $component }}
+  {{- if ne $res "true" }}
+    {{- fail (printf "Invalid logging component name: '%s'. Valid names: audio, comfyui, config, db, images, main, models, ollama, openai, rag, webhook" $component) }}
+  {{- end }}
+{{- end }}
+
+{{- /*
+Fail template rendering if invalid log level
+*/ -}}
+{{- define "logging.assertValidLevel" -}}
+  {{- $level := lower . }}
+  {{- $validLevels := dict "notset" true "debug" true "info" true "warning" true "error" true "critical" true }}
+  {{- if not (hasKey $validLevels $level) }}
+    {{- fail (printf "Invalid log level: '%s'. Valid values are: notset, debug, info, warning, error, critical" $level) }}
+  {{- end }}
+{{- end }}
+
+{{- /*
+Render a logging env var for a component, validating value
+*/ -}}
+{{- define "logging.componentEnvVar" -}}
+  {{- $name := .componentName }}
+  {{- $level := .logLevel }}
+{{- include "logging.assertValidComponent" $name -}}
+{{- include "logging.assertValidLevel" $level }}
+- name: {{ printf "%s_LOG_LEVEL" (upper $name) | quote }}
+  value: {{ $level | quote | trim }}
+{{- end }}

charts/open-webui/templates/workload-manager.yaml

@@ -159,7 +159,14 @@ spec:
         - name: "S3_ACCESS_KEY_ID"
           value: {{ .Values.persistence.s3.accessKey }}
         - name: "S3_SECRET_ACCESS_KEY"
+        {{- if .Values.persistence.s3.secretKeyExistingSecret }}
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.persistence.s3.secretKeyExistingSecret }}
+              key: {{ .Values.persistence.s3.secretKeyExistingSecretKey }}
+        {{- else }}
           value: {{ .Values.persistence.s3.secretKey }}
+        {{- end }}
         - name: "S3_ENDPOINT_URL"
           value: {{ .Values.persistence.s3.endpointUrl }}
         - name: "S3_BUCKET_NAME"
@@ -172,7 +179,14 @@ spec:
         - name: "STORAGE_PROVIDER"
           value: {{ .Values.persistence.provider }}
         - name: "GOOGLE_APPLICATION_CREDENTIALS_JSON"
+        {{- if .Values.persistence.gcs.appCredentialsJsonExistingSecret }}
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.persistence.gcs.appCredentialsJsonExistingSecret }}
+              key: {{ .Values.persistence.gcs.appCredentialsJsonExistingSecretKey }}
+        {{- else }}
           value: {{ .Values.persistence.gcs.appCredentialsJson }}
+        {{- end }}
         - name: "GCS_BUCKET_NAME"
           value: {{ .Values.persistence.gcs.bucket }}
         {{- else if eq .Values.persistence.provider "azure" }}
@@ -183,8 +197,15 @@ spec:
         - name: "AZURE_STORAGE_CONTAINER_NAME"
           value: {{ .Values.persistence.azure.container }}
         - name: "AZURE_STORAGE_KEY"
+        {{- if .Values.persistence.azure.keyExistingSecret }}
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.persistence.azure.keyExistingSecret }}
+              key: {{ .Values.persistence.azure.keyExistingSecretKey }}
+        {{- else }}
           value: {{ .Values.persistence.azure.key }}
         {{- end }}
+        {{- end }}
         {{- if .Values.websocket.enabled }}
         - name: "ENABLE_WEBSOCKET_SUPPORT"
           value: "True"
@@ -299,6 +320,19 @@ spec:
         {{- end }}
         {{- end }}
         {{- end }}
+        {{- if .Values.logging.level }}
+        {{- include "logging.assertValidLevel" .Values.logging.level }}
+        - name: "GLOBAL_LOG_LEVEL"
+          value: {{ .Values.logging.level | quote }}
+        {{- end }}
+
+        {{- if .Values.logging.components }}
+        {{- range $name, $level := .Values.logging.components }}
+        {{- if $level }}
+        {{- include "logging.componentEnvVar" (dict "componentName" $name "logLevel" $level) | indent 8 }}
+        {{- end }}
+        {{- end }}
+        {{- end }}
         {{- if .Values.extraEnvVars }}
           {{- toYaml .Values.extraEnvVars | nindent 8 }}
         {{- end }}

charts/open-webui/values.yaml

@@ -198,6 +198,7 @@ ingress:
   additionalHosts: []
   tls: false
   existingSecret: ""
+
 persistence:
   enabled: true
   size: 2Gi
@@ -215,29 +216,58 @@ persistence:
   provider: local
   s3:
     # -- Sets the access key ID for S3 storage
+    # @section -- Amazon S3 Storage configuration
     accessKey: ""
-    # -- Sets the secret access key for S3 storage
+    # -- Sets the secret access key for S3 storage (ignored if secretKeyExistingSecret is set)
+    # @section -- Amazon S3 Storage configuration
     secretKey: ""
+    # -- Set the secret access key for S3 storage from existing k8s secret
+    # @section -- Amazon S3 Storage configuration
+    secretKeyExistingSecret: ""
+    # -- Set the secret access key for S3 storage from existing k8s secret key
+    # @section -- Amazon S3 Storage configuration
+    secretKeyExistingSecretKey: ""
     # -- Sets the endpoint url for S3 storage
+    # @section -- Amazon S3 Storage configuration
     endpointUrl: ""
     # -- Sets the region name for S3 storage
-    region:	""
+    # @section -- Amazon S3 Storage configuration
+    region: ""
     # -- Sets the bucket name for S3 storage
-    bucket:	""
+    # @section -- Amazon S3 Storage configuration
+    bucket: ""
     # -- Sets the key prefix for a S3 object
+    # @section -- Amazon S3 Storage configuration
     keyPrefix: ""
   gcs:
-    # -- Contents of Google Application Credentials JSON file. Optional - if not provided, credentials will be taken from the environment. User credentials if run locally and Google Metadata server if run on a Google Compute Engine. File can be generated for a service account following this guide: https://developers.google.com/workspace/guides/create-credentials#service-account
+    # -- Contents of Google Application Credentials JSON file (ignored if appCredentialsJsonExistingSecret is set). Optional - if not provided, credentials will be taken from the environment. User credentials if run locally and Google Metadata server if run on a Google Compute Engine. File can be generated for a service account following this guide: https://developers.google.com/workspace/guides/create-credentials#service-account
+    # @section -- Google Cloud Storage configuration
     appCredentialsJson: ""
+    # -- Set the Google Application Credentials JSON file for Google Cloud Storage from existing secret
+    # @section -- Google Cloud Storage configuration
+    appCredentialsJsonExistingSecret: ""
+    # -- Set the Google Application Credentials JSON file for Google Cloud Storage from existing secret key
+    # @section -- Google Cloud Storage configuration
+    appCredentialsJsonExistingSecretKey: ""
     # -- Sets the bucket name for Google Cloud Storage. Bucket must already exist
+    # @section -- Google Cloud Storage configuration
     bucket: ""
   azure:
     # -- Sets the endpoint URL for Azure Storage
+    # @section -- Azure Storage configuration
     endpointUrl: ""
     # -- Sets the container name for Azure Storage
+    # @section -- Azure Storage configuration
     container: ""
-    # -- Set the access key for Azure Storage. Optional - if not provided, credentials will be taken from the environment. User credentials if run locally and Managed Identity if run in Azure services
+    # -- Set the access key for Azure Storage (ignored if keyExistingSecret is set). Optional - if not provided, credentials will be taken from the environment. User credentials if run locally and Managed Identity if run in Azure services
+    # @section -- Azure Storage configuration
     key: ""
+    # -- Set the access key for Azure Storage from existing secret
+    # @section -- Azure Storage configuration
+    keyExistingSecret: ""
+    # -- Set the access key for Azure Storage from existing secret key
+    # @section -- Azure Storage configuration
+    keyExistingSecretKey: ""
 
 # -- Node labels for pod assignment.
 nodeSelector: {}
@@ -515,3 +545,46 @@ postgresql:
       limits:
         memory: 512Mi
         cpu: 500m
+
+# Configure Application logging levels (see. https://docs.openwebui.com/getting-started/advanced-topics/logging#-logging-levels-explained)
+logging:
+  # -- Set the global log level ["notset", "debug", "info" (default), "warning", "error", "critical"]
+  # @section -- Logging configuration
+  level: ""
+
+  # Optional granularity: override log levels per subsystem/component
+  # if not set, it will use the global level (see. https://docs.openwebui.com/getting-started/advanced-topics/logging#%EF%B8%8F-appbackend-specific-logging-levels)
+  components:
+    # -- Set the log level for the Audio processing component
+    # @section -- Logging configuration
+    audio: ""
+    # -- Set the log level for the ComfyUI Integration component
+    # @section -- Logging configuration
+    comfyui: ""
+    # -- Set the log level for the Configuration Management component
+    # @section -- Logging configuration
+    config: ""
+    # -- Set the log level for the Database Operations (Peewee) component
+    # @section -- Logging configuration
+    db: ""
+    # -- Set the log level for the Image Generation component
+    # @section -- Logging configuration
+    images: ""
+    # -- Set the log level for the Main Application Execution component
+    # @section -- Logging configuration
+    main: ""
+    # -- Set the log level for the Model Management component
+    # @section -- Logging configuration
+    models: ""
+    # -- Set the log level for the Ollama Backend Integration component
+    # @section -- Logging configuration
+    ollama: ""
+    # -- Set the log level for the OpenAI API Integration component
+    # @section -- Logging configuration
+    openai: ""
+    # -- Set the log level for the Retrieval-Augmented Generation (RAG) component
+    # @section -- Logging configuration
+    rag: ""
+    # -- Set the log level for the Authentication Webhook component
+    # @section -- Logging configuration
+    webhook: ""

charts/pipelines/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: pipelines
-version: 0.5.0
+version: 0.6.0
 appVersion: "alpha"
 
 home: https://github.com/open-webui/pipelines

charts/pipelines/README.md

@@ -1,6 +1,6 @@
 # pipelines
 
-![Version: 0.5.0](https://img.shields.io/badge/Version-0.5.0-informational?style=flat-square) ![AppVersion: alpha](https://img.shields.io/badge/AppVersion-alpha-informational?style=flat-square)
+![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![AppVersion: alpha](https://img.shields.io/badge/AppVersion-alpha-informational?style=flat-square)
 
 Pipelines: UI-Agnostic OpenAI API Plugin Framework
 
@@ -33,6 +33,7 @@ helm upgrade --install open-webui open-webui/pipelines
 | affinity | object | `{}` | Affinity for pod assignment |
 | annotations | object | `{}` |  |
 | clusterDomain | string | `"cluster.local"` | Value of cluster domain |
+| containerSecurityContext | object | `{}` | Configure container security context ref: <https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-containe> |
 | extraEnvVars | list | `[{"name":"PIPELINES_URLS","value":"https://github.com/open-webui/pipelines/blob/main/examples/filters/detoxify_filter_pipeline.py"}]` | Additional environments variables on the output Deployment definition. These are used to pull initial Pipeline files, and help configure Pipelines with required values (e.g. Langfuse API keys) |
 | extraEnvVars[0] | object | `{"name":"PIPELINES_URLS","value":"https://github.com/open-webui/pipelines/blob/main/examples/filters/detoxify_filter_pipeline.py"}` | Example pipeline to pull and load on deployment startup, see current pipelines here: https://github.com/open-webui/pipelines/blob/main/examples |
 | extraInitContainers | list | `[]` | Additional init containers to add to the deployment ref: <https://kubernetes.io/docs/concepts/workloads/pods/init-containers/> |
@@ -60,6 +61,7 @@ helm upgrade --install open-webui open-webui/pipelines
 | persistence.storageClass | string | `""` |  |
 | podAnnotations | object | `{}` |  |
 | podLabels | object | `{}` |  |
+| podSecurityContext | object | `{}` | Configure pod security context ref: <https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container> |
 | replicaCount | int | `1` |  |
 | resources | object | `{}` |  |
 | service.annotations | object | `{}` |  |

charts/pipelines/templates/deployment.yaml

@@ -43,6 +43,10 @@ spec:
       {{- if .Values.serviceAccount.enable }}
       serviceAccountName: {{ .Values.serviceAccount.name | default (include "pipelines.name" .) }}
       {{- end }}
+      {{- with .Values.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       containers:
       - name: {{ .Chart.Name }}
         {{- with .Values.image }}
@@ -55,6 +59,10 @@ spec:
         {{- with .Values.resources }}
         resources: {{- toYaml . | nindent 10 }}
         {{- end }}
+        {{- with .Values.containerSecurityContext }}
+        securityContext:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
         volumeMounts:
         - name: data
           mountPath: /app/pipelines
@@ -97,4 +105,4 @@ spec:
       {{- end }}
       {{- with .Values.volumes }}
       {{- toYaml . | nindent 6 }}
-      {{- end }}
+      {{- end }}

charts/pipelines/values.yaml

@@ -46,6 +46,31 @@ serviceAccount:
   enable: true
   automountServiceAccountToken: false
 
+# -- Configure pod security context
+# ref: <https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container>
+podSecurityContext:
+  {}
+  # fsGroupChangePolicy: Always
+  # sysctls: []
+  # supplementalGroups: []
+  # fsGroup: 1001
+
+# -- Configure container security context
+# ref: <https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-containe>
+containerSecurityContext:
+  {}
+  # runAsUser: 1001
+  # runAsGroup: 1001
+  # runAsNonRoot: true
+  # privileged: false
+  # allowPrivilegeEscalation: false
+  # readOnlyRootFilesystem: false
+  # capabilities:
+  #   drop:
+  #     - ALL
+  # seccompProfile:
+  #   type: "RuntimeDefault"
+
 # -- Node labels for pod assignment.
 nodeSelector: {}