Merge pull request #255 from bdriggersTorch/openwebui-command-override

upgrade subcharts (redis v21.2.4 - postgresql v16.7.12)

.github/workflows/helm-release.yml

@@ -8,49 +8,49 @@ on:
       - "charts/**"
 
 jobs:
-  semantic-release:
-    runs-on: ubuntu-latest
-    steps:
-      # Checkout repo
-      - name: Checkout
-        uses: actions/checkout@v4
+  # semantic-release:
+  #   runs-on: ubuntu-latest
+  #   steps:
+  #     # Checkout repo
+  #     - name: Checkout
+  #       uses: actions/checkout@v4
 
-      - name: Setup Node.js
-        uses: actions/setup-node@v3
-        with:
-          node-version: 'lts/*'
-      - name: Install dependencies
-        run: npm install
-      - name: Release
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: npx semantic-release
+  #     - name: Setup Node.js
+  #       uses: actions/setup-node@v3
+  #       with:
+  #         node-version: 'lts/*'
+  #     - name: Install dependencies
+  #       run: npm install
+  #     - name: Release
+  #       env:
+  #         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  #       run: npx semantic-release
 
-      - name: Install yq
-        run: |
-          wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O yq &&\
-          chmod +x yq
+  #     - name: Install yq
+  #       run: |
+  #         wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O yq &&\
+  #         chmod +x yq
 
-      - name: Get version
-        id: get_version
-        run: |
-          echo "VERSION=$(cat charts/open-webui/Chart.yaml | ./yq -r  '.version')" >> $GITHUB_OUTPUT
+  #     - name: Get version
+  #       id: get_version
+  #       run: |
+  #         echo "VERSION=$(cat charts/open-webui/Chart.yaml | ./yq -r  '.version')" >> $GITHUB_OUTPUT
 
-      - name: Commit Chart.yaml
-        uses: stefanzweifel/git-auto-commit-action@v4
-        with:
-          commit_message: 'chore(release) bump version to ${{ steps.get_version.outputs.VERSION }}'
-          file_pattern: 'charts/open-webui/Chart.yaml'
+  #     - name: Commit Chart.yaml
+  #       uses: stefanzweifel/git-auto-commit-action@v4
+  #       with:
+  #         commit_message: 'chore(release) bump version to ${{ steps.get_version.outputs.VERSION }}'
+  #         file_pattern: 'charts/open-webui/Chart.yaml'
 
   release:
-    needs: semantic-release
+    #needs: semantic-release
     permissions:
       contents: write
       packages: write
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
@@ -64,9 +64,10 @@ jobs:
           helm repo add ollama https://otwld.github.io/ollama-helm/
           helm repo add open-webui https://helm.openwebui.com/
           helm repo add tika https://apache.jfrog.io/artifactory/tika/
+          helm repo add redis https://charts.bitnami.com/bitnami
 
       - name: Run chart-releaser
-        uses: helm/chart-releaser-action@v1.6.0
+        uses: helm/chart-releaser-action@v1.7.0
         with:
           skip_existing: false
           packages_with_index: true

.github/workflows/helm-test-open-webui.yml

@@ -0,0 +1,76 @@
+name: Check Open WebUI Helm Charts (open-webui)
+
+on:
+  pull_request:
+    paths:
+      - "charts/open-webui/**"
+  push:
+    paths:
+      - "charts/open-webui/**"
+
+jobs:
+  lint-chart:
+    name: Lint Helm Chart
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+
+      - name: Add Dependency Repos
+        run: |
+          helm repo add ollama https://otwld.github.io/ollama-helm/
+          helm repo add open-webui https://helm.openwebui.com/
+          helm repo add tika https://apache.jfrog.io/artifactory/tika/
+          helm repo add bitnami https://charts.bitnami.com/bitnami
+
+      - name: Build open-webui Helm dependencies
+        run: |
+          helm dependency build ./charts/open-webui
+
+      - name: Lint open-webui Helm Chart
+        run: |
+          helm lint ./charts/open-webui
+
+  test-deploy:
+    name: Test Chart Deployment
+    runs-on: ubuntu-latest
+    needs: lint-chart
+
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+
+      - name: Set up kubectl
+        uses: azure/setup-kubectl@v4
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+
+      - name: Set up KinD Cluster
+        uses: helm/kind-action@v1
+
+      - name: Add Dependency Repos
+        run: |
+          helm repo add ollama https://otwld.github.io/ollama-helm/
+          helm repo add open-webui https://helm.openwebui.com/
+          helm repo add tika https://apache.jfrog.io/artifactory/tika/
+          helm repo add bitnami https://charts.bitnami.com/bitnami
+
+      - name: Build open-webui Helm dependencies
+        run: |
+          helm dependency build ./charts/open-webui
+
+      - name: Template open-webui Helm Chart
+        run: |
+          helm template open-webui ./charts/open-webui \
+            --namespace test-namespace --create-namespace > open-webui.yaml
+
+      - name: Verify open-webui
+        run: |
+          kubectl create namespace test-namespace
+          kubectl apply --namespace test-namespace -f open-webui.yaml
+          kubectl wait --namespace test-namespace pod/open-webui-0 --for=condition=Ready --timeout=600s

.github/workflows/helm-test-pipelines.yml

@@ -0,0 +1,55 @@
+name: Check Open WebUI Helm Charts (pipelines)
+
+on:
+  pull_request:
+    paths:
+      - "charts/pipelines/**"
+  push:
+    paths:
+      - "charts/pipelines/**"
+
+jobs:
+  lint-chart:
+    name: Lint Helm Chart
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+      
+      - name: Lint pipelines Helm Chart
+        run: |
+          helm lint ./charts/pipelines
+
+  test-deploy:
+    name: Test Chart Deployment
+    runs-on: ubuntu-latest
+    needs: lint-chart
+
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+
+      - name: Set up kubectl
+        uses: azure/setup-kubectl@v4
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+
+      - name: Set up KinD Cluster
+        uses: helm/kind-action@v1
+
+      - name: Template open-webui Helm Chart
+        run: |
+          helm template pipelines ./charts/pipelines \
+            --namespace test-namespace --create-namespace > pipelines.yaml
+
+      - name: Verify pipelines
+        run: |
+          kubectl create namespace test-namespace
+          kubectl apply --namespace test-namespace -f pipelines.yaml
+          PIPELINE_POD=$(kubectl get --namespace test-namespace pod -L app.kubernetes.io/component=pipelines -o jsonpath='{.items[*].metadata.name}')
+          kubectl wait --namespace test-namespace pod/${PIPELINE_POD} --for=condition=Ready --timeout=600s

.gitignore

@@ -0,0 +1,129 @@
+# Created by https://www.toptal.com/developers/gitignore/api/macos,intellij+all,helm
+# Edit at https://www.toptal.com/developers/gitignore?templates=macos,intellij+all,helm
+
+### Intellij+all ###
+# Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio, WebStorm and Rider
+# Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839
+
+# User-specific stuff
+.idea/**/workspace.xml
+.idea/**/tasks.xml
+.idea/**/usage.statistics.xml
+.idea/**/dictionaries
+.idea/**/shelf
+
+# AWS User-specific
+.idea/**/aws.xml
+
+# Generated files
+.idea/**/contentModel.xml
+
+# Sensitive or high-churn files
+.idea/**/dataSources/
+.idea/**/dataSources.ids
+.idea/**/dataSources.local.xml
+.idea/**/sqlDataSources.xml
+.idea/**/dynamic.xml
+.idea/**/uiDesigner.xml
+.idea/**/dbnavigator.xml
+
+# Gradle
+.idea/**/gradle.xml
+.idea/**/libraries
+
+# Gradle and Maven with auto-import
+# When using Gradle or Maven with auto-import, you should exclude module files,
+# since they will be recreated, and may cause churn.  Uncomment if using
+# auto-import.
+# .idea/artifacts
+# .idea/compiler.xml
+# .idea/jarRepositories.xml
+# .idea/modules.xml
+# .idea/*.iml
+# .idea/modules
+# *.iml
+# *.ipr
+
+# CMake
+cmake-build-*/
+
+# Mongo Explorer plugin
+.idea/**/mongoSettings.xml
+
+# File-based project format
+*.iws
+
+# IntelliJ
+out/
+
+# mpeltonen/sbt-idea plugin
+.idea_modules/
+
+# JIRA plugin
+atlassian-ide-plugin.xml
+
+# Cursive Clojure plugin
+.idea/replstate.xml
+
+# SonarLint plugin
+.idea/sonarlint/
+
+# Crashlytics plugin (for Android Studio and IntelliJ)
+com_crashlytics_export_strings.xml
+crashlytics.properties
+crashlytics-build.properties
+fabric.properties
+
+# Editor-based Rest Client
+.idea/httpRequests
+
+# Android studio 3.1+ serialized cache file
+.idea/caches/build_file_checksums.ser
+
+### Intellij+all Patch ###
+# Ignore everything but code style settings and run configurations
+# that are supposed to be shared within teams.
+
+.idea/*
+
+!.idea/codeStyles
+!.idea/runConfigurations
+
+### macOS ###
+# General
+.DS_Store
+.AppleDouble
+.LSOverride
+
+# Icon must end with two \r
+Icon
+
+
+# Thumbnails
+._*
+
+# Files that might appear in the root of a volume
+.DocumentRevisions-V100
+.fseventsd
+.Spotlight-V100
+.TemporaryItems
+.Trashes
+.VolumeIcon.icns
+.com.apple.timemachine.donotpresent
+
+# Directories potentially created on remote AFP share
+.AppleDB
+.AppleDesktop
+Network Trash Folder
+Temporary Items
+.apdisk
+
+### macOS Patch ###
+# iCloud generated files
+*.icloud
+
+### Helm ###
+# Chart dependencies
+**/charts/*.tgz
+
+# End of https://www.toptal.com/developers/gitignore/api/macos,intellij+all,helm

CONTRIBUTING.md

@@ -2,13 +2,10 @@
 
 ## How to Contribute
 
-> [!WARNING]
-> There is currently a bug in the Helm Chart Releaser Github Action that prevents you from deploying more than one chart on a single run. The best workaround for now is to ensure that pushes to `main` only include changes to a single chart. If you're contributing to more than one chart, please do it in separate PRs until the upstream issue is fixed, or until we can fork and fix the action ourselves. 
-
 1. **Fork the repository** and create your branch from `main`.
 2. **Make your changes** and ensure they follow the guidelines below.
 3. **Test your changes** locally to ensure everything works as expected. This should include deploying your updates to a live Kubernetes cluster (whether local or remote).
-4. **Run helm-docs** to ensure that the README is updated with the latest changes. 
+4. **Run [helm-docs]** to ensure that the README is updated with the latest changes. 
 5. **Commit your changes** using a descriptive commit message that follows the [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/) specification.
 6. **Push your changes** to your forked repository.
 7. **Create a Pull Request** and provide a detailed description of your changes. Please consider dropping us your redacted `values.yaml` file used during your testing in the PR so we can make sure we see consistent results. 
@@ -30,8 +27,12 @@
 
 - **Issues**: If you find any issues or have suggestions for improvements, please create a new issue in the repository before working on a Pull Request.
 
+- **Actions Updates**: If your Pull Request includes adding a new chart dependency, ensure to make the necessary updates to Github Actions to add the chart repo dependency, or else the release run will fail.
+
 ## Getting Help
 
 If you need any help or have questions about contributing, feel free to reach out to the maintainers of the repository.
 
 Thank you for your contributions!
+
+[helm-docs]: https://github.com/norwoodj/helm-docs

charts/open-webui/Chart.lock

@@ -1,12 +1,18 @@
 dependencies:
 - name: ollama
   repository: https://otwld.github.io/ollama-helm/
-  version: 0.64.0
+  version: 1.19.0
 - name: pipelines
   repository: https://helm.openwebui.com
-  version: 0.0.4
+  version: 0.7.0
 - name: tika
   repository: https://apache.jfrog.io/artifactory/tika
   version: 2.9.0
-digest: sha256:91c12b702598527a8b602af6f229f975abc8bd7cf95c31324bc013bb919ff14e
-generated: "2024-11-07T14:14:55.798831-07:10"
+- name: redis
+  repository: https://charts.bitnami.com/bitnami
+  version: 21.2.4
+- name: postgresql
+  repository: https://charts.bitnami.com/bitnami
+  version: 16.7.12
+digest: sha256:c321c315a3d0be92cb0de7e676564b3f1f550a0ab58436149dfb02e6afb6d2f1
+generated: "2025-06-17T10:58:01.903769+02:00"

charts/open-webui/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: open-webui
-version: 3.6.0
-appVersion: 0.3.36
+version: 6.22.0
+appVersion: 0.6.15
 home: https://www.openwebui.com/
 icon: >-
   https://raw.githubusercontent.com/open-webui/open-webui/main/static/favicon.png
@@ -10,11 +10,13 @@ keywords:
   - llm
   - chat
   - web-ui
+  - open-webui
 sources:
   - https://github.com/open-webui/helm-charts
   - https://github.com/open-webui/open-webui/pkgs/container/open-webui
   - https://github.com/otwld/ollama-helm/
   - https://hub.docker.com/r/ollama/ollama
+  - https://charts.bitnami.com/bitnami
 annotations:
   licenses: MIT
 dependencies:
@@ -36,3 +38,13 @@ dependencies:
     repository: https://apache.jfrog.io/artifactory/tika
     version: '>=2.9.0'
     condition: tika.enabled
+  - name: redis
+    repository: https://charts.bitnami.com/bitnami
+    version: '>=20.6.2'
+    alias: redis-cluster
+    condition: redis-cluster.enabled
+  - name: postgresql
+    repository: https://charts.bitnami.com/bitnami
+    version: '>=15.5.38'
+    alias: postgresql
+    condition: postgresql.enabled

charts/open-webui/README.md

@@ -1,6 +1,6 @@
 # open-webui
 
-![Version: 3.6.0](https://img.shields.io/badge/Version-3.6.0-informational?style=flat-square) ![AppVersion: 0.3.35](https://img.shields.io/badge/AppVersion-0.3.35-informational?style=flat-square)
+![Version: 6.22.0](https://img.shields.io/badge/Version-6.22.0-informational?style=flat-square) ![AppVersion: 0.6.15](https://img.shields.io/badge/AppVersion-0.6.15-informational?style=flat-square)
 
 Open WebUI: A User-Friendly Web Interface for Chat Interactions 👋
 
@@ -12,6 +12,7 @@ Open WebUI: A User-Friendly Web Interface for Chat Interactions 👋
 * <https://github.com/open-webui/open-webui/pkgs/container/open-webui>
 * <https://github.com/otwld/ollama-helm/>
 * <https://hub.docker.com/r/ollama/ollama>
+* <https://charts.bitnami.com/bitnami>
 
 ## Installing
 
@@ -33,37 +34,183 @@ helm upgrade --install open-webui open-webui/open-webui
 | Repository | Name | Version |
 |------------|------|---------|
 | https://apache.jfrog.io/artifactory/tika | tika | >=2.9.0 |
+| https://charts.bitnami.com/bitnami | postgresql(postgresql) | >=15.5.38 |
+| https://charts.bitnami.com/bitnami | redis-cluster(redis) | >=20.6.2 |
 | https://helm.openwebui.com | pipelines | >=0.0.1 |
 | https://otwld.github.io/ollama-helm/ | ollama | >=0.24.0 |
 
 ## Values
 
+### Logging configuration
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| logging.components.audio | string | `""` | Set the log level for the Audio processing component |
+| logging.components.comfyui | string | `""` | Set the log level for the ComfyUI Integration component |
+| logging.components.config | string | `""` | Set the log level for the Configuration Management component |
+| logging.components.db | string | `""` | Set the log level for the Database Operations (Peewee) component |
+| logging.components.images | string | `""` | Set the log level for the Image Generation component |
+| logging.components.main | string | `""` | Set the log level for the Main Application Execution component |
+| logging.components.models | string | `""` | Set the log level for the Model Management component |
+| logging.components.ollama | string | `""` | Set the log level for the Ollama Backend Integration component |
+| logging.components.openai | string | `""` | Set the log level for the OpenAI API Integration component |
+| logging.components.rag | string | `""` | Set the log level for the Retrieval-Augmented Generation (RAG) component |
+| logging.components.webhook | string | `""` | Set the log level for the Authentication Webhook component |
+| logging.level | string | `""` | Set the global log level ["notset", "debug", "info" (default), "warning", "error", "critical"] |
+
+### Azure Storage configuration
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| persistence.azure.container | string | `""` | Sets the container name for Azure Storage |
+| persistence.azure.endpointUrl | string | `""` | Sets the endpoint URL for Azure Storage |
+| persistence.azure.key | string | `""` | Set the access key for Azure Storage (ignored if keyExistingSecret is set). Optional - if not provided, credentials will be taken from the environment. User credentials if run locally and Managed Identity if run in Azure services |
+| persistence.azure.keyExistingSecret | string | `""` | Set the access key for Azure Storage from existing secret |
+| persistence.azure.keyExistingSecretKey | string | `""` | Set the access key for Azure Storage from existing secret key |
+
+### Google Cloud Storage configuration
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| persistence.gcs.appCredentialsJson | string | `""` | Contents of Google Application Credentials JSON file (ignored if appCredentialsJsonExistingSecret is set). Optional - if not provided, credentials will be taken from the environment. User credentials if run locally and Google Metadata server if run on a Google Compute Engine. File can be generated for a service account following this guide: https://developers.google.com/workspace/guides/create-credentials#service-account |
+| persistence.gcs.appCredentialsJsonExistingSecret | string | `""` | Set the Google Application Credentials JSON file for Google Cloud Storage from existing secret |
+| persistence.gcs.appCredentialsJsonExistingSecretKey | string | `""` | Set the Google Application Credentials JSON file for Google Cloud Storage from existing secret key |
+| persistence.gcs.bucket | string | `""` | Sets the bucket name for Google Cloud Storage. Bucket must already exist |
+
+### Amazon S3 Storage configuration
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| persistence.s3.accessKey | string | `""` | Sets the access key ID for S3 storage |
+| persistence.s3.bucket | string | `""` | Sets the bucket name for S3 storage |
+| persistence.s3.endpointUrl | string | `""` | Sets the endpoint url for S3 storage |
+| persistence.s3.keyPrefix | string | `""` | Sets the key prefix for a S3 object |
+| persistence.s3.region | string | `""` | Sets the region name for S3 storage |
+| persistence.s3.secretKey | string | `""` | Sets the secret access key for S3 storage (ignored if secretKeyExistingSecret is set) |
+| persistence.s3.secretKeyExistingSecret | string | `""` | Set the secret access key for S3 storage from existing k8s secret |
+| persistence.s3.secretKeyExistingSecretKey | string | `""` | Set the secret access key for S3 storage from existing k8s secret key |
+
+### SSO Configuration
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| sso.enableGroupManagement | bool | `false` | Enable OAuth group management through access token groups claim |
+| sso.enableRoleManagement | bool | `false` | Enable OAuth role management through access token roles claim |
+| sso.enableSignup | bool | `false` | Enable account creation when logging in with OAuth (distinct from regular signup) |
+| sso.enabled | bool | `false` | **Enable SSO authentication globally** must enable to use SSO authentication |
+| sso.groupManagement.groupsClaim | string | `"groups"` | The claim that contains the groups (can be nested, e.g., user.memberOf) |
+| sso.mergeAccountsByEmail | bool | `false` | Allow logging into accounts that match email from OAuth provider (considered insecure) |
+
+### GitHub OAuth configuration
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| sso.github.clientExistingSecret | string | `""` | GitHub OAuth client secret from existing secret |
+| sso.github.clientExistingSecretKey | string | `""` | GitHub OAuth client secret key from existing secret |
+| sso.github.clientId | string | `""` | GitHub OAuth client ID |
+| sso.github.clientSecret | string | `""` | GitHub OAuth client secret (ignored if clientExistingSecret is set) |
+| sso.github.enabled | bool | `false` | Enable GitHub OAuth |
+
+### Google OAuth configuration
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| sso.google.clientExistingSecret | string | `""` | Google OAuth client secret from existing secret |
+| sso.google.clientExistingSecretKey | string | `""` | Google OAuth client secret key from existing secret |
+| sso.google.clientId | string | `""` | Google OAuth client ID |
+| sso.google.clientSecret | string | `""` | Google OAuth client secret (ignored if clientExistingSecret is set) |
+| sso.google.enabled | bool | `false` | Enable Google OAuth |
+
+### Microsoft OAuth configuration
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| sso.microsoft.clientExistingSecret | string | `""` | Microsoft OAuth client secret from existing secret |
+| sso.microsoft.clientExistingSecretKey | string | `""` | Microsoft OAuth client secret key from existing secret |
+| sso.microsoft.clientId | string | `""` | Microsoft OAuth client ID |
+| sso.microsoft.clientSecret | string | `""` | Microsoft OAuth client secret (ignored if clientExistingSecret is set) |
+| sso.microsoft.enabled | bool | `false` | Enable Microsoft OAuth |
+| sso.microsoft.tenantId | string | `""` | Microsoft tenant ID - use 9188040d-6c67-4c5b-b112-36a304b66dad for personal accounts |
+
+### OIDC configuration
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| sso.oidc.clientExistingSecret | string | `""` | OICD client secret from existing secret |
+| sso.oidc.clientExistingSecretKey | string | `""` | OIDC client secret key from existing secret |
+| sso.oidc.clientId | string | `""` | OIDC client ID |
+| sso.oidc.clientSecret | string | `""` | OIDC client secret (ignored if clientExistingSecret is set) |
+| sso.oidc.enabled | bool | `false` | Enable OIDC authentication |
+| sso.oidc.providerName | string | `"SSO"` | Name of the provider to show on the UI |
+| sso.oidc.providerUrl | string | `""` | OIDC provider well known URL |
+| sso.oidc.scopes | string | `"openid email profile"` | Scopes to request (space-separated). |
+
+### Role management configuration
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| sso.roleManagement.adminRoles | string | `""` | Comma-separated list of roles allowed to log in as admin (receive open webui role admin) |
+| sso.roleManagement.allowedRoles | string | `""` | Comma-separated list of roles allowed to log in (receive open webui role user) |
+| sso.roleManagement.rolesClaim | string | `"roles"` | The claim that contains the roles (can be nested, e.g., user.roles) |
+
+### SSO trusted header authentication
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| sso.trustedHeader.emailHeader | string | `""` | Header containing the user's email address |
+| sso.trustedHeader.enabled | bool | `false` | Enable trusted header authentication |
+| sso.trustedHeader.nameHeader | string | `""` | Header containing the user's name (optional, used for new user creation) |
+
+### Other Values
+
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | affinity | object | `{}` | Affinity for pod assignment |
 | annotations | object | `{}` |  |
+| args | list | `[]` | Open WebUI container arguments (overrides default) |
 | clusterDomain | string | `"cluster.local"` | Value of cluster domain |
+| command | list | `[]` | Open WebUI container command (overrides default entrypoint) |
+| commonEnvVars | list | `[]` | Env vars added to the Open WebUI deployment, common across environments. Most up-to-date environment variables can be found here: https://docs.openwebui.com/getting-started/env-configuration/ (caution: environment variables defined in both `extraEnvVars` and `commonEnvVars` will result in a conflict. Avoid duplicates) |
 | containerSecurityContext | object | `{}` | Configure container security context ref: <https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-containe> |
+| copyAppData.args | list | `[]` | Open WebUI copy-app-data init container arguments (overrides default) |
+| copyAppData.command | list | `[]` | Open WebUI copy-app-data init container command (overrides default) |
+| copyAppData.resources | object | `{}` |  |
+| databaseUrl | string | `""` | Configure database URL, needed to work with Postgres (example: `postgresql://<user>:<password>@<service>:<port>/<database>`), leave empty to use the default sqlite database |
+| enableOpenaiApi | bool | `true` | Enables the use of OpenAI APIs |
+| extraEnvFrom | list | `[]` | Env vars added from configmap or secret to the Open WebUI deployment. Most up-to-date environment variables can be found here: https://docs.openwebui.com/getting-started/env-configuration/ (caution: `extraEnvVars` will take precedence over the value from `extraEnvFrom`) |
 | extraEnvVars | list | `[{"name":"OPENAI_API_KEY","value":"0p3n-w3bu!"}]` | Env vars added to the Open WebUI deployment. Most up-to-date environment variables can be found here: https://docs.openwebui.com/getting-started/env-configuration/ |
 | extraEnvVars[0] | object | `{"name":"OPENAI_API_KEY","value":"0p3n-w3bu!"}` | Default API key value for Pipelines. Should be updated in a production deployment, or be changed to the required API key if not using Pipelines |
-| image | object | `{"pullPolicy":"IfNotPresent","repository":"ghcr.io/open-webui/open-webui","tag":""}` | Open WebUI image tags can be found here: https://github.com/open-webui/open-webui/pkgs/container/open-webui |
+| extraInitContainers | list | `[]` | Additional init containers to add to the deployment/statefulset ref: <https://kubernetes.io/docs/concepts/workloads/pods/init-containers/> |
+| extraResources | list | `[]` | Extra resources to deploy with Open WebUI |
+| hostAliases | list | `[]` | HostAliases to be added to hosts-file of each container |
+| image | object | `{"pullPolicy":"IfNotPresent","repository":"ghcr.io/open-webui/open-webui","tag":""}` | Open WebUI image tags can be found here: https://github.com/open-webui/open-webui |
 | imagePullSecrets | list | `[]` | Configure imagePullSecrets to use private registry ref: <https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry> |
-| ingress.annotations | object | `{}` | Use appropriate annotations for your Ingress controller, e.g., for NGINX: nginx.ingress.kubernetes.io/rewrite-target: / |
+| ingress.additionalHosts | list | `[]` |  |
+| ingress.annotations | object | `{}` | Use appropriate annotations for your Ingress controller, e.g., for NGINX: |
 | ingress.class | string | `""` |  |
 | ingress.enabled | bool | `false` |  |
 | ingress.existingSecret | string | `""` |  |
-| ingress.host | string | `""` |  |
+| ingress.extraLabels | object | `{}` | Additional custom labels to add to the Ingress metadata Useful for tagging, selecting, or applying policies to the Ingress via labels. |
+| ingress.host | string | `"chat.example.com"` |  |
 | ingress.tls | bool | `false` |  |
+| livenessProbe | object | `{}` | Probe for liveness of the Open WebUI container ref: <https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes> |
+| managedCertificate.domains[0] | string | `"chat.example.com"` |  |
+| managedCertificate.enabled | bool | `false` |  |
+| managedCertificate.name | string | `"mydomain-chat-cert"` |  |
 | nameOverride | string | `""` |  |
+| namespaceOverride | string | `""` |  |
 | nodeSelector | object | `{}` | Node labels for pod assignment. |
 | ollama.enabled | bool | `true` | Automatically install Ollama Helm chart from https://otwld.github.io/ollama-helm/. Use [Helm Values](https://github.com/otwld/ollama-helm/#helm-values) to configure |
 | ollama.fullnameOverride | string | `"open-webui-ollama"` | If enabling embedded Ollama, update fullnameOverride to your desired Ollama name value, or else it will use the default ollama.name value from the Ollama chart |
 | ollamaUrls | list | `[]` | A list of Ollama API endpoints. These can be added in lieu of automatically installing the Ollama Helm chart, or in addition to it. |
-| openaiBaseApiUrl | string | `""` | OpenAI base API URL to use. Defaults to the Pipelines service endpoint when Pipelines are enabled, and "https://api.openai.com/v1" if Pipelines are not enabled and this value is blank |
+| ollamaUrlsFromExtraEnv | bool | `false` | Disables taking Ollama Urls from `ollamaUrls`  list |
+| openaiBaseApiUrl | string | `"https://api.openai.com/v1"` | OpenAI base API URL to use. Defaults to the Pipelines service endpoint when Pipelines are enabled, and "https://api.openai.com/v1" if Pipelines are not enabled and this value is blank |
+| openaiBaseApiUrls | list | `[]` | OpenAI base API URLs to use. Overwrites the value in openaiBaseApiUrl if set |
 | persistence.accessModes | list | `["ReadWriteOnce"]` | If using multiple replicas, you must update accessModes to ReadWriteMany |
 | persistence.annotations | object | `{}` |  |
 | persistence.enabled | bool | `true` |  |
 | persistence.existingClaim | string | `""` | Use existingClaim if you want to re-use an existing Open WebUI PVC instead of creating a new one |
+| persistence.provider | string | `"local"` | Sets the storage provider, availables values are `local`, `s3`, `gcs` or `azure` |
 | persistence.selector | object | `{}` |  |
 | persistence.size | string | `"2Gi"` |  |
 | persistence.storageClass | string | `""` |  |
@@ -71,15 +218,58 @@ helm upgrade --install open-webui open-webui/open-webui
 | pipelines.enabled | bool | `true` | Automatically install Pipelines chart to extend Open WebUI functionality using Pipelines: https://github.com/open-webui/pipelines |
 | pipelines.extraEnvVars | list | `[]` | This section can be used to pass required environment variables to your pipelines (e.g. Langfuse hostname) |
 | podAnnotations | object | `{}` |  |
-| podSecurityContext | object | `{}` | Configure pod security context ref: <https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-containe> |
+| podLabels | object | `{}` |  |
+| podSecurityContext | object | `{}` | Configure pod security context ref: <https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container> |
+| postgresql | object | `{"architecture":"standalone","auth":{"database":"open-webui","password":"0p3n-w3bu!","postgresPassword":"0p3n-w3bu!","username":"open-webui"},"enabled":false,"fullnameOverride":"open-webui-postgres","primary":{"persistence":{"size":"1Gi"},"resources":{"limits":{"cpu":"500m","memory":"512Mi"},"requests":{"cpu":"250m","memory":"256Mi"}}}}` | Postgresql configuration (see. https://artifacthub.io/packages/helm/bitnami/postgresql) |
+| readinessProbe | object | `{}` | Probe for readiness of the Open WebUI container ref: <https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes> |
+| redis-cluster | object | `{"auth":{"enabled":false},"enabled":false,"fullnameOverride":"open-webui-redis","replica":{"replicaCount":3}}` | Deploys a Redis cluster with subchart 'redis' from bitnami |
+| redis-cluster.auth | object | `{"enabled":false}` | Redis Authentication |
+| redis-cluster.auth.enabled | bool | `false` | Enable Redis authentication (disabled by default). For your security, we strongly suggest that you switch to 'auth.enabled=true' |
+| redis-cluster.enabled | bool | `false` | Enable Redis installation |
+| redis-cluster.fullnameOverride | string | `"open-webui-redis"` | Redis cluster name (recommended to be 'open-webui-redis') - In this case, redis url will be 'redis://open-webui-redis-master:6379/0' or 'redis://[:<password>@]open-webui-redis-master:6379/0' |
+| redis-cluster.replica | object | `{"replicaCount":3}` | Replica configuration for the Redis cluster |
+| redis-cluster.replica.replicaCount | int | `3` | Number of Redis replica instances |
 | replicaCount | int | `1` |  |
 | resources | object | `{}` |  |
+| runtimeClassName | string | `""` | Configure runtime class ref: <https://kubernetes.io/docs/concepts/containers/runtime-class/> |
 | service | object | `{"annotations":{},"containerPort":8080,"labels":{},"loadBalancerClass":"","nodePort":"","port":80,"type":"ClusterIP"}` | Service values to expose Open WebUI pods to cluster |
+| serviceAccount.annotations | object | `{}` |  |
+| serviceAccount.automountServiceAccountToken | bool | `false` |  |
+| serviceAccount.enable | bool | `true` |  |
+| serviceAccount.name | string | `""` |  |
+| startupProbe | object | `{}` | Probe for startup of the Open WebUI container ref: <https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes> |
+| strategy | object | `{}` | Strategy for updating the workload manager: deployment or statefulset |
 | tika.enabled | bool | `false` | Automatically install Apache Tika to extend Open WebUI |
 | tolerations | list | `[]` | Tolerations for pod assignment |
 | topologySpreadConstraints | list | `[]` | Topology Spread Constraints for pod assignment |
 | volumeMounts | object | `{"container":[],"initContainer":[]}` | Configure container volume mounts ref: <https://kubernetes.io/docs/tasks/configure-pod-container/configure-volume-storage/> |
 | volumes | list | `[]` | Configure pod volumes ref: <https://kubernetes.io/docs/tasks/configure-pod-container/configure-volume-storage/> |
+| websocket.enabled | bool | `false` | Enables websocket support in Open WebUI with env `ENABLE_WEBSOCKET_SUPPORT` |
+| websocket.manager | string | `"redis"` | Specifies the websocket manager to use with env `WEBSOCKET_MANAGER`: redis (default) |
+| websocket.nodeSelector | object | `{}` | Node selector for websocket pods |
+| websocket.redis | object | `{"affinity":{},"annotations":{},"args":[],"command":[],"enabled":true,"image":{"pullPolicy":"IfNotPresent","repository":"redis","tag":"7.4.2-alpine3.21"},"labels":{},"name":"open-webui-redis","pods":{"annotations":{},"labels":{}},"resources":{},"securityContext":{},"service":{"annotations":{},"containerPort":6379,"labels":{},"nodePort":"","port":6379,"type":"ClusterIP"},"tolerations":[]}` | Deploys a redis |
+| websocket.redis.affinity | object | `{}` | Redis affinity for pod assignment |
+| websocket.redis.annotations | object | `{}` | Redis annotations |
+| websocket.redis.args | list | `[]` | Redis arguments (overrides default) |
+| websocket.redis.command | list | `[]` | Redis command (overrides default) |
+| websocket.redis.enabled | bool | `true` | Enable redis installation |
+| websocket.redis.image | object | `{"pullPolicy":"IfNotPresent","repository":"redis","tag":"7.4.2-alpine3.21"}` | Redis image |
+| websocket.redis.labels | object | `{}` | Redis labels |
+| websocket.redis.name | string | `"open-webui-redis"` | Redis name |
+| websocket.redis.pods | object | `{"annotations":{},"labels":{}}` | Redis pod |
+| websocket.redis.pods.annotations | object | `{}` | Redis pod annotations |
+| websocket.redis.pods.labels | object | `{}` | Redis pod labels |
+| websocket.redis.resources | object | `{}` | Redis resources |
+| websocket.redis.securityContext | object | `{}` | Redis security context |
+| websocket.redis.service | object | `{"annotations":{},"containerPort":6379,"labels":{},"nodePort":"","port":6379,"type":"ClusterIP"}` | Redis service |
+| websocket.redis.service.annotations | object | `{}` | Redis service annotations |
+| websocket.redis.service.containerPort | int | `6379` | Redis container/target port |
+| websocket.redis.service.labels | object | `{}` | Redis service labels |
+| websocket.redis.service.nodePort | string | `""` | Redis service node port. Valid only when type is `NodePort` |
+| websocket.redis.service.port | int | `6379` | Redis service port |
+| websocket.redis.service.type | string | `"ClusterIP"` | Redis service type |
+| websocket.redis.tolerations | list | `[]` | Redis tolerations for pod assignment |
+| websocket.url | string | `"redis://open-webui-redis:6379/0"` | Specifies the URL of the Redis instance for websocket communication. Template with `redis://[:<password>@]<hostname>:<port>/<db>` |
 
 ----------------------------------------------
 

charts/open-webui/templates/NOTES.txt

@@ -0,0 +1,77 @@
+{{- `
+🎉 Welcome to Open WebUI!!
+ ██████╗ ██████╗ ███████╗███╗   ██╗    ██╗    ██╗███████╗██████╗ ██╗   ██╗██╗
+██╔═══██╗██╔══██╗██╔════╝████╗  ██║    ██║    ██║██╔════╝██╔══██╗██║   ██║██║
+██║   ██║██████╔╝█████╗  ██╔██╗ ██║    ██║ █╗ ██║█████╗  ██████╔╝██║   ██║██║
+██║   ██║██╔═══╝ ██╔══╝  ██║╚██╗██║    ██║███╗██║██╔══╝  ██╔══██╗██║   ██║██║
+╚██████╔╝██║     ███████╗██║ ╚████║    ╚███╔███╔╝███████╗██████╔╝╚██████╔╝██║
+ ╚═════╝ ╚═╝     ╚══════╝╚═╝  ╚═══╝     ╚══╝╚══╝ ╚══════╝╚═════╝  ╚═════╝ ╚═╝
+` }}
+v{{ .Chart.AppVersion }} - building the best open-source AI user interface.
+ - Chart Version: v{{ .Chart.Version }}
+ - Project URL 1: {{ .Chart.Home }}
+ - Project URL 2: https://github.com/open-webui/open-webui
+ - Documentation: https://docs.openwebui.com/
+ - Chart URL: https://github.com/open-webui/helm-charts
+
+Open WebUI is a web-based user interface that works with Ollama, OpenAI, Claude 3, Gemini and more.
+This interface allows you to easily interact with local AI models.
+
+1. Deployment Information:
+  - Chart Name: {{ .Chart.Name }}
+  - Release Name: {{ .Release.Name }}
+  - Namespace: {{ .Release.Namespace }}
+
+2. Access the Application:
+{{- if contains "ClusterIP" .Values.service.type }}
+  Access via ClusterIP service:
+
+    export LOCAL_PORT=8080
+    export POD_NAME=$(kubectl get pods -n {{ .Release.Namespace }} -l "app.kubernetes.io/component={{ include "open-webui.name" . }}" -o jsonpath="{.items[0].metadata.name}")
+    export CONTAINER_PORT=$(kubectl get pod -n {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
+    kubectl -n {{ .Release.Namespace }} port-forward $POD_NAME $LOCAL_PORT:$CONTAINER_PORT
+    echo "Visit http://127.0.0.1:$LOCAL_PORT to use your application"
+
+  Then, access the application at: http://127.0.0.1:$LOCAL_PORT or http://localhost:8080
+
+{{- else if contains "NodePort" .Values.service.type }}
+  Access via NodePort service:
+    export NODE_PORT=$(kubectl get -n {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "open-webui.name" . }})
+    export NODE_IP=$(kubectl get nodes -o jsonpath="{.items[0].status.addresses[0].address}")
+    echo http://$NODE_IP:$NODE_PORT
+
+{{- else if contains "LoadBalancer" .Values.service.type }}
+  Access via LoadBalancer service:
+  NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+  NOTE: The external address format depends on your cloud provider:
+    - AWS: Will return a hostname (e.g., xxx.elb.amazonaws.com)
+    - GCP/Azure: Will return an IP address
+  You can watch the status by running:
+
+    kubectl get -n {{ .Release.Namespace }} svc {{ include "open-webui.name" . }} --watch
+    export EXTERNAL_IP=$(kubectl get -n {{ .Release.Namespace }} svc {{ include "open-webui.name" . }} -o jsonpath="{.status.loadBalancer.ingress[0].hostname:-.status.loadBalancer.ingress[0].ip}")
+    echo http://$EXTERNAL_IP:{{ .Values.service.port }}
+{{- end }}
+
+{{- if .Values.ingress.enabled }}
+
+  Ingress is enabled. Access the application at: http{{ if .Values.ingress.tls }}s{{ end }}://{{ .Values.ingress.host }}
+{{- end }}
+
+3. Useful Commands:
+  - Check deployment status:
+      helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+
+  - Get detailed information:
+      helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
+
+  - View logs:
+    {{- if .Values.persistence.enabled }}
+      kubectl logs -f statefulset/{{ include "open-webui.name" . }} -n {{ .Release.Namespace }}
+    {{- else }}
+      kubectl logs -f deployment/{{ include "open-webui.name" . }} -n {{ .Release.Namespace }}
+    {{- end }}
+
+4. Cleanup:
+  - Uninstall the deployment:
+      helm uninstall {{ .Release.Name }} -n {{ .Release.Namespace }}

charts/open-webui/templates/_helpers.tpl

@@ -1,3 +1,14 @@
+{{/*
+Allow the release namespace to be overridden for multi-namespace deployments in combined charts
+*/}}
+{{- define "open-webui.namespace" -}}
+  {{- if .Values.namespaceOverride -}}
+    {{- .Values.namespaceOverride -}}
+  {{- else -}}
+    {{- .Release.Namespace -}}
+  {{- end -}}
+{{- end -}}
+
 {{/*
 Set the name of the Open WebUI resources
 */}}
@@ -141,4 +152,105 @@ Create the service endpoint to use for Pipelines if the subchart is used
 {{- $pipelinesServicePort := .Values.pipelines.service.port | toString }}
 {{- printf "http://%s.%s.svc.%s:%s" (include "pipelines.name" .) (.Release.Namespace) $clusterDomain $pipelinesServicePort }}
 {{- end }}
-{{- end }}
+{{- end }}
+
+{{/*
+Create selector labels to include on chart all websocket resources
+*/}}
+{{- define "websocket.redis.selectorLabels" -}}
+{{ include "base.selectorLabels" . }}
+app.kubernetes.io/component: {{ .Values.websocket.redis.name }}
+{{- end }}
+
+{{/*
+Create labels to include on chart all websocket resources
+*/}}
+{{- define "websocket.redis.labels" -}}
+{{ include "base.labels" . }}
+{{ include "websocket.redis.selectorLabels" . }}
+{{- end }}
+
+{{/*
+Validate SSO ClientSecret to be set literally or via Secret
+*/}}
+{{- define "sso.validateClientSecret" -}}
+{{- $provider := .provider }}
+{{- $values := .values }}
+{{- if and (empty (index $values $provider "clientSecret")) (empty (index $values $provider "clientExistingSecret")) }}
+  {{- fail (printf "You must provide either .Values.sso.%s.clientSecret or .Values.sso.%s.clientExistingSecret" $provider $provider) }}
+{{- end }}
+{{- end }}
+
+{{- /*
+Fail template rendering if invalid log component
+*/ -}}
+{{- define "logging.isValidComponent" -}}
+  {{- $component := . | lower -}}
+  {{- $validComponents := dict
+      "audio" true
+      "comfyui" true
+      "config" true
+      "db" true
+      "images" true
+      "main" true
+      "models" true
+      "ollama" true
+      "openai" true
+      "rag" true
+      "webhook" true
+  -}}
+  {{- hasKey $validComponents $component -}}
+{{- end }}
+
+
+{{- define "logging.assertValidComponent" -}}
+  {{- $component := lower . -}}
+  {{- $res := include "logging.isValidComponent" $component }}
+  {{- if ne $res "true" }}
+    {{- fail (printf "Invalid logging component name: '%s'. Valid names: audio, comfyui, config, db, images, main, models, ollama, openai, rag, webhook" $component) }}
+  {{- end }}
+{{- end }}
+
+{{- /*
+Fail template rendering if invalid log level
+*/ -}}
+{{- define "logging.assertValidLevel" -}}
+  {{- $level := lower . }}
+  {{- $validLevels := dict "notset" true "debug" true "info" true "warning" true "error" true "critical" true }}
+  {{- if not (hasKey $validLevels $level) }}
+    {{- fail (printf "Invalid log level: '%s'. Valid values are: notset, debug, info, warning, error, critical" $level) }}
+  {{- end }}
+{{- end }}
+
+{{- /*
+Render a logging env var for a component, validating value
+*/ -}}
+{{- define "logging.componentEnvVar" -}}
+  {{- $name := .componentName }}
+  {{- $level := .logLevel }}
+{{- include "logging.assertValidComponent" $name -}}
+{{- include "logging.assertValidLevel" $level }}
+- name: {{ printf "%s_LOG_LEVEL" (upper $name) | quote }}
+  value: {{ $level | quote | trim }}
+{{- end }}
+
+{{- /*
+Constructs a string containing the URLs of the Open WebUI based on the ingress configuration
+used to populate the variable WEBUI_URL  
+*/ -}}
+{{- define "openweb-ui.url" -}}
+  {{- $url := "" -}}
+  {{- range .Values.extraEnvVars }}
+    {{- if and (eq .name "WEBUI_URL") .value }}
+      {{- $url = .value }}
+    {{- end }}
+  {{- end }}
+  {{- if not $url }}
+    {{- $proto := "http" -}}
+    {{- if .Values.ingress.tls }}
+      {{- $proto = "https" -}}
+    {{- end }}
+    {{- $url = printf "%s://%s" $proto .Values.ingress.host }}
+  {{- end }}
+  {{- $url }}
+{{- end }}

charts/open-webui/templates/extra-resources.yaml

@@ -0,0 +1,6 @@
+{{- if .Values.extraResources }}
+{{- range .Values.extraResources }}
+---
+{{ toYaml . | nindent 0 }}
+{{- end }}
+{{- end }}

charts/open-webui/templates/ingress.yaml

@@ -3,8 +3,12 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: {{ include "open-webui.name" . }}
+  namespace: {{ include "open-webui.namespace" . }}
   labels:
     {{- include "open-webui.labels" . | nindent 4 }}
+    {{- with .Values.ingress.extraLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
   {{- with .Values.ingress.annotations }}
   annotations:
     {{- toYaml . | nindent 4 }}
@@ -17,6 +21,9 @@ spec:
   tls:
     - hosts:
       - {{ .Values.ingress.host | quote }}
+      {{- range .Values.ingress.additionalHosts }}
+      - {{ . | quote }}
+      {{- end }}
       secretName: {{ default (printf "%s-tls" .Release.Name) .Values.ingress.existingSecret }}
   {{- end }}
   rules:
@@ -30,4 +37,16 @@ spec:
             name: {{ include "open-webui.name" . }}
             port:
               name: http
+  {{- range .Values.ingress.additionalHosts }}
+  - host: {{ . | quote }}
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: {{ include "open-webui.name" $ }}
+            port:
+              name: http
+  {{- end }}
 {{- end }}

charts/open-webui/templates/managed-cert.yaml

@@ -0,0 +1,11 @@
+{{- if .Values.managedCertificate.enabled }}
+apiVersion: networking.gke.io/v1
+kind: ManagedCertificate
+metadata:
+  name: {{ .Values.managedCertificate.name | default "mydomain-cert" }}
+spec:
+  domains:
+    {{- range .Values.managedCertificate.domains }}
+    - {{ . | quote }}
+    {{- end }}
+{{- end }}

charts/open-webui/templates/pvc.yaml

@@ -1,8 +1,9 @@
-{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }}
+{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) (eq .Values.persistence.provider "local") }}
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
   name: {{ include "open-webui.name" . }}
+  namespace: {{ include "open-webui.namespace" . }}
   labels:
     {{- include "open-webui.selectorLabels" . | nindent 4 }}
   {{- with .Values.persistence.annotations }}

charts/open-webui/templates/service-account.yaml

@@ -0,0 +1,14 @@
+{{- if .Values.serviceAccount.enable }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.serviceAccount.name | default (include "open-webui.name" .) }}
+  namespace: {{ include "open-webui.namespace" . }}
+  labels:
+    {{- include "open-webui.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
+{{- end }}

charts/open-webui/templates/service.yaml

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ include "open-webui.name" . }}
+  namespace: {{ include "open-webui.namespace" . }}
   labels:
     {{- include "open-webui.labels" . | nindent 4 }}
     {{- with .Values.service.labels }}

charts/open-webui/templates/websocket-redis.yaml

@@ -0,0 +1,98 @@
+{{- if and .Values.websocket.enabled .Values.websocket.redis.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .Values.websocket.redis.name }}
+  namespace: {{ include "open-webui.namespace" . }}
+  labels:
+    {{- include "websocket.redis.labels" . | nindent 4 }}
+    {{- with .Values.websocket.redis.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  annotations:
+    {{- with .Values.websocket.redis.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  selector:
+    matchLabels:
+      {{- include "websocket.redis.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "websocket.redis.labels" . | nindent 8 }}
+        {{- with .Values.websocket.redis.pods.labels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+      annotations:
+        {{- with .Values.websocket.redis.pods.annotations }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      {{- if .Values.websocket.redis.image.pullSecretName }}
+      imagePullSecrets:
+        - name: {{ .Values.websocket.redis.image.pullSecretName }}
+      {{- end }}
+      containers:
+      - name: {{ .Values.websocket.redis.name }}
+        image: "{{ .Values.websocket.redis.image.repository }}:{{ .Values.websocket.redis.image.tag }}"
+        imagePullPolicy: {{ .Values.websocket.redis.image.pullPolicy }}
+        {{- with .Values.websocket.redis.command }}
+        command:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
+        {{- with .Values.websocket.redis.args }}
+        args:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
+        ports:
+        - name: http
+          containerPort: {{ .Values.websocket.redis.service.containerPort }}
+        {{- with .Values.websocket.redis.resources }}
+        resources:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
+      {{- with .Values.websocket.redis.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.websocket.redis.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.websocket.redis.securityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.websocket.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Values.websocket.redis.name }}
+  namespace: {{ include "open-webui.namespace" . }}
+  labels:
+    {{- include "websocket.redis.labels" . | nindent 4 }}
+    {{- with .Values.websocket.redis.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  annotations:
+    {{- with .Values.websocket.redis.service.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  selector:
+    {{- include "websocket.redis.selectorLabels" . | nindent 4 }}
+  type: {{ .Values.websocket.redis.service.type | default "ClusterIP" }}
+  ports:
+  - protocol: TCP
+    name: http
+    port: {{ .Values.websocket.redis.service.port }}
+    targetPort: http
+    {{- if .Values.websocket.redis.service.nodePort }}
+    nodePort: {{ .Values.websocket.redis.service.nodePort | int }}
+    {{- end }}
+{{- end }}

charts/open-webui/templates/workload-manager.yaml

@@ -1,11 +1,12 @@
 apiVersion: apps/v1
-{{- if .Values.persistence.enabled }}
+{{- if and .Values.persistence.enabled (eq .Values.persistence.provider "local") }}
 kind: StatefulSet
 {{- else }}
 kind: Deployment
 {{- end }}
 metadata:
   name: {{ include "open-webui.name" . }}
+  namespace: {{ include "open-webui.namespace" . }}
   labels:
     {{- include "open-webui.labels" . | nindent 4 }}
   {{- with .Values.annotations }}
@@ -14,16 +15,28 @@ metadata:
   {{- end }}
 spec:
   replicas: {{ .Values.replicaCount }}
-  {{- if .Values.persistence.enabled }}
+  {{- if and .Values.persistence.enabled (eq .Values.persistence.provider "local") }}
   serviceName: {{ include "open-webui.name" . }}
   {{- end }}
   selector:
     matchLabels:
       {{- include "open-webui.selectorLabels" . | nindent 6 }}
+  {{- if .Values.strategy }}
+  {{- if and .Values.persistence.enabled (eq .Values.persistence.provider "local") }}
+  updateStrategy:
+    {{- toYaml .Values.strategy | nindent 4 }}
+  {{- else }}
+  strategy:
+    {{- toYaml .Values.strategy | nindent 4 }}
+  {{- end }}
+  {{- end }}
   template:
     metadata:
       labels:
         {{- include "open-webui.labels" . | nindent 8 }}
+        {{- with .Values.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
       {{- with .Values.podAnnotations }}
       annotations:
         {{- toYaml . | nindent 8 }}
@@ -39,11 +52,19 @@ spec:
         image: {{ .repository }}:{{ .tag | default $.Chart.AppVersion }}
         imagePullPolicy: {{ .pullPolicy }}
         {{- end }}
-        command: ['sh', '-c', 'cp -R -n /app/backend/data/* /tmp/app-data/']
+        command:
+          {{- toYaml (.Values.copyAppData.command | default (list "sh" "-c" "cp -R -n /app/backend/data/* /tmp/app-data/")) | nindent 10 }}
+        {{- with .Values.copyAppData.args }}
+        args:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
         {{- with .Values.containerSecurityContext }}
         securityContext:
           {{- toYaml . | nindent 10 }}
         {{- end }}
+        {{- with .Values.copyAppData.resources }}
+        resources: {{- toYaml . | nindent 10 }}
+        {{- end }}
         volumeMounts:
         - name: data
           mountPath: /tmp/app-data
@@ -53,8 +74,17 @@ spec:
         {{- with .Values.volumeMounts.initContainer }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
+      {{- with .Values.extraInitContainers }}
+      {{- toYaml . | nindent 6 }}
+      {{- end }}
       enableServiceLinks: false
-      automountServiceAccountToken: false
+      automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
+      {{- if .Values.runtimeClassName }}
+      runtimeClassName: {{ .Values.runtimeClassName | quote }}
+      {{- end }}
+      {{- if .Values.serviceAccount.enable }}
+      serviceAccountName: {{ .Values.serviceAccount.name | default (include "open-webui.name" .) }}
+      {{- end }}
       {{- with .Values.podSecurityContext }}
       securityContext:
         {{- toYaml . | nindent 8 }}
@@ -65,9 +95,26 @@ spec:
         image: {{ .repository }}:{{ .tag | default $.Chart.AppVersion }}
         imagePullPolicy: {{ .pullPolicy }}
         {{- end }}
+        {{- with .Values.command }}
+        command:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
+        {{- with .Values.args }}
+        args:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
         ports:
         - name: http
           containerPort: {{ .Values.service.containerPort }}
+        {{- with .Values.livenessProbe }}
+        livenessProbe: {{- toYaml . | nindent 10 }}
+        {{- end }}
+        {{- with .Values.readinessProbe }}
+        readinessProbe: {{- toYaml . | nindent 10 }}
+        {{- end }}
+        {{- with .Values.startupProbe }}
+        startupProbe: {{- toYaml . | nindent 10 }}
+        {{- end }}
         {{- with .Values.resources }}
         resources: {{- toYaml . | nindent 10 }}
         {{- end }}
@@ -85,21 +132,43 @@ spec:
         {{- toYaml . | nindent 8 }}
         {{- end }}
         env:
-        {{- if or .Values.ollamaUrls .Values.ollama.enabled }}
+        {{- $hasCustomWebUIUrl := false }}
+        {{- range .Values.extraEnvVars }}
+          {{- if eq .name "WEBUI_URL" }}
+            {{- $hasCustomWebUIUrl = true }}
+          {{- end }}
+        {{- end }}
+        {{- if and .Values.ingress.enabled (not $hasCustomWebUIUrl) }}
+        - name: WEBUI_URL
+          value: {{ include "openweb-ui.url" . | quote }}
+        {{- end }}
+        {{- if .Values.ollamaUrlsFromExtraEnv}}
+        {{- else if or .Values.ollamaUrls .Values.ollama.enabled }}
         - name: "OLLAMA_BASE_URLS"
           value: {{ include "ollamaBaseUrls" . | quote }}
         {{- else }}
         - name: "ENABLE_OLLAMA_API"
           value: "False"
         {{- end }}
+        {{- if and .Values.enableOpenaiApi .Values.openaiBaseApiUrl (not .Values.openaiBaseApiUrls) (not .Values.pipelines.enabled) }}
+        # If only an OpenAI API value is set, set it to OPENAI_API_BASE_URL
         - name: "OPENAI_API_BASE_URL"
-        {{- if .Values.pipelines.enabled }}
-          value: {{ include "pipelines.serviceEndpoint" . }}
-        {{- else if .Values.openaiBaseApiUrl }}
           value: {{ .Values.openaiBaseApiUrl | quote }}
-        {{- end }}
-        {{- if .Values.extraEnvVars }}
-          {{- toYaml .Values.extraEnvVars | nindent 8 }}
+        {{- else if and .Values.enableOpenaiApi .Values.openaiBaseApiUrl .Values.pipelines.enabled (not .Values.openaiBaseApiUrls) }}
+        # If Pipelines is enabled and OpenAI API value is set, use OPENAI_API_BASE_URLS with combined values
+        - name: "OPENAI_API_BASE_URLS"
+          value: "{{ include "pipelines.serviceEndpoint" . }};{{ .Values.openaiBaseApiUrl }}"
+        {{- else if and .Values.enableOpenaiApi .Values.pipelines.enabled (not .Values.openaiBaseApiUrl) (not .Values.openaiBaseApiUrls) }}
+        # If Pipelines is enabled and no OpenAI API values are set, set OPENAI_API_BASE_URL to the Pipelines server endpoint 
+        - name: "OPENAI_API_BASE_URL"
+          value: {{ include "pipelines.serviceEndpoint" . | quote }}
+        {{- else if and .Values.enableOpenaiApi .Values.openaiBaseApiUrls .Values.pipelines.enabled }}
+        # If OpenAI API value(s) set and Pipelines is enabled, use OPENAI_API_BASE_URLS to support all the endpoints in the chart
+        - name: "OPENAI_API_BASE_URLS"
+          value: "{{ include "pipelines.serviceEndpoint" . }};{{ join ";" .Values.openaiBaseApiUrls }}"
+        {{- else if not .Values.enableOpenaiApi }}
+        - name: "ENABLE_OPENAI_API"
+          value: "False"
         {{- end }}
         {{- if .Values.tika.enabled }}
         - name: "CONTENT_EXTRACTION_ENGINE"
@@ -107,6 +176,196 @@ spec:
         - name: "TIKA_SERVER_URL"
           value: http://{{ .Chart.Name }}-tika:9998
         {{- end }}
+        {{- if eq .Values.persistence.provider "s3" }}
+        - name: "STORAGE_PROVIDER"
+          value: {{ .Values.persistence.provider }}
+        - name: "S3_ACCESS_KEY_ID"
+          value: {{ .Values.persistence.s3.accessKey }}
+        - name: "S3_SECRET_ACCESS_KEY"
+        {{- if .Values.persistence.s3.secretKeyExistingSecret }}
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.persistence.s3.secretKeyExistingSecret }}
+              key: {{ .Values.persistence.s3.secretKeyExistingSecretKey }}
+        {{- else }}
+          value: {{ .Values.persistence.s3.secretKey }}
+        {{- end }}
+        - name: "S3_ENDPOINT_URL"
+          value: {{ .Values.persistence.s3.endpointUrl }}
+        - name: "S3_BUCKET_NAME"
+          value: {{ .Values.persistence.s3.bucket }}
+        - name: "S3_REGION_NAME"
+          value: {{ .Values.persistence.s3.region }}
+        - name: "S3_KEY_PREFIX"
+          value: {{ .Values.persistence.s3.keyPrefix }}
+        {{- else if eq .Values.persistence.provider "gcs" }}
+        - name: "STORAGE_PROVIDER"
+          value: {{ .Values.persistence.provider }}
+        - name: "GOOGLE_APPLICATION_CREDENTIALS_JSON"
+        {{- if .Values.persistence.gcs.appCredentialsJsonExistingSecret }}
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.persistence.gcs.appCredentialsJsonExistingSecret }}
+              key: {{ .Values.persistence.gcs.appCredentialsJsonExistingSecretKey }}
+        {{- else }}
+          value: {{ .Values.persistence.gcs.appCredentialsJson }}
+        {{- end }}
+        - name: "GCS_BUCKET_NAME"
+          value: {{ .Values.persistence.gcs.bucket }}
+        {{- else if eq .Values.persistence.provider "azure" }}
+        - name: "STORAGE_PROVIDER"
+          value: {{ .Values.persistence.provider }}
+        - name: "AZURE_STORAGE_ENDPOINT"
+          value: {{ .Values.persistence.azure.endpointUrl }}
+        - name: "AZURE_STORAGE_CONTAINER_NAME"
+          value: {{ .Values.persistence.azure.container }}
+        - name: "AZURE_STORAGE_KEY"
+        {{- if .Values.persistence.azure.keyExistingSecret }}
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.persistence.azure.keyExistingSecret }}
+              key: {{ .Values.persistence.azure.keyExistingSecretKey }}
+        {{- else }}
+          value: {{ .Values.persistence.azure.key }}
+        {{- end }}
+        {{- end }}
+        {{- if .Values.websocket.enabled }}
+        - name: "ENABLE_WEBSOCKET_SUPPORT"
+          value: "True"
+        - name: "WEBSOCKET_MANAGER"
+          value: {{ .Values.websocket.manager | default "redis" | quote }}
+        - name: "WEBSOCKET_REDIS_URL"
+          value: {{ .Values.websocket.url | quote }}
+        {{- end }}
+        {{- if or .Values.postgresql.enabled .Values.databaseUrl }}
+        - name: "DATABASE_URL"
+          value: {{ .Values.databaseUrl | default (printf "postgresql://%s:%s@%s:%s/%s" .Values.postgresql.auth.username .Values.postgresql.auth.password .Values.postgresql.fullnameOverride "5432" .Values.postgresql.auth.database) }}
+        {{- end }}
+        {{- if .Values.sso.enabled }}
+        {{- if .Values.sso.enableSignup }}
+        - name: "ENABLE_OAUTH_SIGNUP"
+          value: "True"
+        {{- end }}
+        {{- if .Values.sso.mergeAccountsByEmail }}
+        - name: "OAUTH_MERGE_ACCOUNTS_BY_EMAIL"
+          value: "True"
+        {{- end }}
+        {{- if .Values.sso.google.enabled }}
+        - name: "GOOGLE_CLIENT_ID"
+          value: {{ .Values.sso.google.clientId | quote }}
+        {{- include "sso.validateClientSecret" (dict "provider" "google" "values" .Values.sso) }}
+        - name: "GOOGLE_CLIENT_SECRET"
+        {{- if .Values.sso.google.clientExistingSecret }}
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.sso.google.clientExistingSecret | quote }}
+              key: {{ .Values.sso.google.clientExistingSecretKey | quote }}
+        {{- else }}
+          value: {{ .Values.sso.google.clientSecret | quote }}
+        {{- end }}
+        {{- end }}
+        {{- if .Values.sso.microsoft.enabled }}
+        - name: "MICROSOFT_CLIENT_ID"
+          value: {{ .Values.sso.microsoft.clientId | quote }}
+        {{- include "sso.validateClientSecret" (dict "provider" "microsoft" "values" .Values.sso) }}
+        - name: "MICROSOFT_CLIENT_SECRET"
+        {{- if .Values.sso.microsoft.clientExistingSecret }}
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.sso.microsoft.clientExistingSecret | quote }}
+              key: {{ .Values.sso.microsoft.clientExistingSecretKey | quote }}
+        {{- else }}
+          value: {{ .Values.sso.microsoft.clientSecret | quote }}
+        {{- end }}
+        - name: "MICROSOFT_CLIENT_TENANT_ID"
+          value: {{ .Values.sso.microsoft.tenantId | quote }}
+        {{- end }}
+        {{- if .Values.sso.github.enabled }}
+        - name: "GITHUB_CLIENT_ID"
+          value: {{ .Values.sso.github.clientId | quote }}
+        {{- include "sso.validateClientSecret" (dict "provider" "github" "values" .Values.sso) }}
+        - name: "GITHUB_CLIENT_SECRET"
+        {{- if .Values.sso.github.clientExistingSecret }}
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.sso.github.clientExistingSecret | quote }}
+              key: {{ .Values.sso.github.clientExistingSecretKey | quote }}
+        {{- else }}
+          value: {{ .Values.sso.github.clientSecret | quote }}
+        {{- end }}
+        {{- end }}
+        {{- if .Values.sso.oidc.enabled }}
+        - name: "OAUTH_CLIENT_ID"
+          value: {{ .Values.sso.oidc.clientId | quote }}
+        {{- include "sso.validateClientSecret" (dict "provider" "oidc" "values" .Values.sso) }}
+        - name: "OAUTH_CLIENT_SECRET"
+        {{- if .Values.sso.oidc.clientExistingSecret }}
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.sso.oidc.clientExistingSecret | quote }}
+              key: {{ .Values.sso.oidc.clientExistingSecretKey | quote }}
+        {{- else }}
+          value: {{ .Values.sso.oidc.clientSecret | quote }}
+        {{- end }}
+        - name: "OPENID_PROVIDER_URL"
+          value: {{ .Values.sso.oidc.providerUrl | quote }}
+        - name: "OAUTH_PROVIDER_NAME"
+          value: {{ .Values.sso.oidc.providerName | quote }}
+        - name: "OAUTH_SCOPES"
+          value: {{ .Values.sso.oidc.scopes | quote }}
+        {{- end }}
+        {{- if .Values.sso.enableRoleManagement }}
+        - name: "ENABLE_OAUTH_ROLE_MANAGEMENT"
+          value: "True"
+        - name: "OAUTH_ROLES_CLAIM"
+          value: {{ .Values.sso.roleManagement.rolesClaim | quote }}
+        {{- if .Values.sso.roleManagement.allowedRoles }}
+        - name: "OAUTH_ALLOWED_ROLES"
+          value: {{ .Values.sso.roleManagement.allowedRoles | quote }}
+        {{- end }}
+        {{- if .Values.sso.roleManagement.adminRoles }}
+        - name: "OAUTH_ADMIN_ROLES"
+          value: {{ .Values.sso.roleManagement.adminRoles | quote }}
+        {{- end }}
+        {{- end }}
+        {{- if .Values.sso.enableGroupManagement }}
+        - name: "ENABLE_OAUTH_GROUP_MANAGEMENT"
+          value: "True"
+        - name: "OAUTH_GROUP_CLAIM"
+          value: {{ .Values.sso.groupManagement.groupsClaim | quote }}
+        {{- end }}
+        {{- if .Values.sso.trustedHeader.enabled }}
+        - name: "WEBUI_AUTH_TRUSTED_EMAIL_HEADER"
+          value: {{ .Values.sso.trustedHeader.emailHeader | quote }}
+        {{- if .Values.sso.trustedHeader.nameHeader }}
+        - name: "WEBUI_AUTH_TRUSTED_NAME_HEADER"
+          value: {{ .Values.sso.trustedHeader.nameHeader | quote }}
+        {{- end }}
+        {{- end }}
+        {{- end }}
+        {{- if .Values.logging.level }}
+        {{- include "logging.assertValidLevel" .Values.logging.level }}
+        - name: "GLOBAL_LOG_LEVEL"
+          value: {{ .Values.logging.level | quote }}
+        {{- end }}
+
+        {{- if .Values.logging.components }}
+        {{- range $name, $level := .Values.logging.components }}
+        {{- if $level }}
+        {{- include "logging.componentEnvVar" (dict "componentName" $name "logLevel" $level) | indent 8 }}
+        {{- end }}
+        {{- end }}
+        {{- end }}
+        {{- if .Values.extraEnvVars }}
+          {{- toYaml .Values.extraEnvVars | nindent 8 }}
+        {{- end }}
+        {{- if .Values.commonEnvVars }}
+          {{- toYaml .Values.commonEnvVars | nindent 8 }}
+        {{- end }}
+        {{- if .Values.extraEnvFrom }}
+        envFrom:
+          {{- toYaml .Values.extraEnvFrom | nindent 8 }}
+        {{- end }}
         tty: true
       {{- with .Values.nodeSelector }}
       nodeSelector:
@@ -124,12 +383,16 @@ spec:
       topologySpreadConstraints:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with .Values.hostAliases }}
+      hostAliases:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       volumes:
       {{- if and .Values.persistence.enabled .Values.persistence.existingClaim }}
       - name: data
         persistentVolumeClaim:
           claimName: {{ .Values.persistence.existingClaim }}
-      {{- else if not .Values.persistence.enabled }}
+      {{- else if or (not .Values.persistence.enabled) (not (eq .Values.persistence.provider "local")) }}
       - name: data
         emptyDir: {}
       {{- else if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }}

charts/open-webui/values-gke-min.yaml

@@ -0,0 +1,290 @@
+nameOverride: ""
+namespaceOverride: ""
+
+ollama:
+  # -- Automatically install Ollama Helm chart from https://otwld.github.io/ollama-helm/. Use [Helm Values](https://github.com/otwld/ollama-helm/#helm-values) to configure
+  enabled: false
+  # -- If enabling embedded Ollama, update fullnameOverride to your desired Ollama name value, or else it will use the default ollama.name value from the Ollama chart
+  fullnameOverride: "open-webui-ollama"
+  # -- Example Ollama configuration with nvidia GPU enabled, automatically downloading a model, and deploying a PVC for model persistence
+  # ollama:
+  #   gpu:
+  #     enabled: true
+  #     type: 'nvidia'
+  #     number: 1
+  #   models:
+  #     - llama3
+  # runtimeClassName: nvidia
+  # persistentVolume:
+  #   enabled: true
+  #   volumeName: "example-pre-existing-pv-created-by-smb-csi"
+
+pipelines:
+  # -- Automatically install Pipelines chart to extend Open WebUI functionality using Pipelines: https://github.com/open-webui/pipelines
+  enabled: false
+  # -- This section can be used to pass required environment variables to your pipelines (e.g. Langfuse hostname)
+  extraEnvVars: []
+
+tika:
+  # -- Automatically install Apache Tika to extend Open WebUI
+  enabled: false
+
+# -- A list of Ollama API endpoints. These can be added in lieu of automatically installing the Ollama Helm chart, or in addition to it.
+ollamaUrls: []
+
+websocket:
+  # -- Enables websocket support in Open WebUI with env `ENABLE_WEBSOCKET_SUPPORT`
+  enabled: false
+  # -- Specifies the websocket manager to use with env `WEBSOCKET_MANAGER`: redis (default)
+  manager: redis
+  # -- Specifies the URL of the Redis instance for websocket communication. Template with `redis://[:<password>@]<hostname>:<port>/<db>`
+  url: redis://open-webui-redis:6379/0
+  # -- Deploys a redis
+  redis:
+    # -- Enable redis installation
+    enabled: true
+    # -- Redis name
+    name: open-webui-redis
+    # -- Redis labels
+    labels: {}
+    # -- Redis annotations
+    annotations: {}
+    # -- Redis image
+    image:
+      repository: redis
+      tag: 7.4.2-alpine3.21
+      pullPolicy: IfNotPresent
+    # -- Redis command (overrides default)
+    command: []
+    # -- Redis arguments (overrides default)
+    args: []
+    # -- Redis resources
+    resources: {}
+    # -- Redis service
+    service:
+      # -- Redis container/target port
+      containerPort: 6379
+      # -- Redis service type
+      type: ClusterIP
+      # -- Redis service labels
+      labels: {}
+      # -- Redis service annotations
+      annotations: {}
+      # -- Redis service port
+      port: 6379
+      # -- Redis service node port. Valid only when type is `NodePort`
+      nodePort: ""
+
+# -- Deploys a Redis cluster with subchart 'redis' from bitnami
+redis-cluster:
+  # -- Enable Redis installation
+  enabled: false
+  # -- Redis cluster name (recommended to be 'open-webui-redis')
+  # - In this case, redis url will be 'redis://open-webui-redis-master:6379/0' or 'redis://[:<password>@]open-webui-redis-master:6379/0'
+  fullnameOverride: open-webui-redis
+  # -- Redis Authentication
+  auth:
+    # -- Enable Redis authentication (disabled by default). For your security, we strongly suggest that you switch to 'auth.enabled=true'
+    enabled: false
+  # -- Replica configuration for the Redis cluster
+  replica:
+    # -- Number of Redis replica instances
+    replicaCount: 3
+
+# -- Value of cluster domain
+clusterDomain: cluster.local
+
+annotations: {}
+podAnnotations: {}
+podLabels: {}
+replicaCount: 1
+# -- Strategy for updating the workload manager: deployment or statefulset
+strategy: {}
+# -- Open WebUI image tags can be found here: https://github.com/open-webui/open-webui
+image:
+  repository: ghcr.io/open-webui/open-webui
+  tag: ""
+  pullPolicy: "IfNotPresent"
+
+serviceAccount:
+  enable: true
+  name: ""
+  annotations: {}
+  automountServiceAccountToken: false
+
+# -- Configure imagePullSecrets to use private registry
+# ref: <https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry>
+imagePullSecrets: []
+# imagePullSecrets:
+# - name: myRegistryKeySecretName
+
+# -- Probe for liveness of the Open WebUI container
+# ref: <https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes>
+livenessProbe: {}
+# livenessProbe:
+#   httpGet:
+#     path: /health
+#     port: http
+#   failureThreshold: 1
+#   periodSeconds: 10
+
+# -- Probe for readiness of the Open WebUI container
+# ref: <https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes>
+readinessProbe: {}
+# readinessProbe:
+#   httpGet:
+#     path: /health/db
+#     port: http
+#   failureThreshold: 1
+#   periodSeconds: 10
+
+# -- Probe for startup of the Open WebUI container
+# ref: <https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes>
+startupProbe: {}
+# startupProbe:
+#   httpGet:
+#     path: /health
+#     port: http
+#   initialDelaySeconds: 30
+#   periodSeconds: 5
+#   failureThreshold: 20
+
+resources: {}
+
+copyAppData:
+  resources: {}
+
+managedCertificate:
+  enabled: true
+  name: "mydomain-chat-cert"  # You can override this name if needed
+  domains:
+    - chat.example.com # update to your real domain
+
+ingress:
+  enabled: true
+  class: ""
+  # -- Use appropriate annotations for your Ingress controller, e.g., for NGINX:  
+  annotations: 
+    # Example for GKE Ingress
+    kubernetes.io/ingress.class: "gce"
+    kubernetes.io/ingress.global-static-ip-name: "open-webui-external-ip"   #  you need to create this address in GCP console
+    # Force HTTP to redirect to HTTPS
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/permanent-redirect: "https://chat.example.com"
+    networking.gke.io/managed-certificates: "mydomain-chat-cert"
+    # nginx.ingress.kubernetes.io/rewrite-target: / 
+  host: "chat.example.com"  # update to your real domain 
+  additionalHosts: []
+  tls: false
+  existingSecret: ""
+persistence:
+  enabled: true
+  size: 2Gi
+  # -- Use existingClaim if you want to re-use an existing Open WebUI PVC instead of creating a new one
+  existingClaim: ""
+  # -- Subdirectory of Open WebUI PVC to mount. Useful if root directory is not empty.
+  subPath: ""
+  # -- If using multiple replicas, you must update accessModes to ReadWriteMany
+  accessModes:
+    - ReadWriteOnce
+  storageClass: ""
+  selector: {}
+  annotations: {}
+
+# -- Node labels for pod assignment.
+nodeSelector: {}
+
+# -- Tolerations for pod assignment
+tolerations: []
+
+# -- Affinity for pod assignment
+affinity: {}
+
+# -- Topology Spread Constraints for pod assignment
+topologySpreadConstraints: []
+
+# -- Service values to expose Open WebUI pods to cluster
+service:
+  type: LoadBalancer   # changed from ClusterIP to LoadBalancer for external access on GKE
+  annotations: {}
+  port: 80
+  containerPort: 8080
+  nodePort: ""
+  labels: {}
+  loadBalancerClass: ""
+
+# -- OpenAI base API URL to use. Defaults to the Pipelines service endpoint when Pipelines are enabled, and "https://api.openai.com/v1" if Pipelines are not enabled and this value is blank
+openaiBaseApiUrl: ""
+
+# -- Env vars added to the Open WebUI deployment. Most up-to-date environment variables can be found here: https://docs.openwebui.com/getting-started/env-configuration/
+extraEnvVars:
+  # -- Default API key value for Pipelines. Should be updated in a production deployment, or be changed to the required API key if not using Pipelines
+  - name: OPENAI_API_KEY
+    value: "0p3n-w3bu!"
+  # valueFrom:
+  #   secretKeyRef:
+  #     name: pipelines-api-key
+  #     key: api-key
+  # - name: OPENAI_API_KEY
+  #   valueFrom:
+  #     secretKeyRef:
+  #       name: openai-api-key
+  #       key: api-key
+  # - name: OLLAMA_DEBUG
+  #   value: "1"
+
+# -- Configure container volume mounts
+# ref: <https://kubernetes.io/docs/tasks/configure-pod-container/configure-volume-storage/>
+volumeMounts:
+  initContainer: []
+  # - name: ""
+  #   mountPath: ""
+  container: []
+  # - name: ""
+  #   mountPath: ""
+
+# -- Configure pod volumes
+# ref: <https://kubernetes.io/docs/tasks/configure-pod-container/configure-volume-storage/>
+volumes: []
+# - name: ""
+#   configMap:
+#     name: ""
+# - name: ""
+#   emptyDir: {}
+
+# -- Configure pod security context
+# ref: <https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-containe>
+podSecurityContext:
+  {}
+  # fsGroupChangePolicy: Always
+  # sysctls: []
+  # supplementalGroups: []
+  # fsGroup: 1001
+
+
+# -- Configure container security context
+# ref: <https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-containe>
+containerSecurityContext:
+  {}
+  # runAsUser: 1001
+  # runAsGroup: 1001
+  # runAsNonRoot: true
+  # privileged: false
+  # allowPrivilegeEscalation: false
+  # readOnlyRootFilesystem: false
+  # capabilities:
+  #   drop:
+  #     - ALL
+  # seccompProfile:
+  #   type: "RuntimeDefault"
+
+# -- Extra resources to deploy with Open WebUI
+extraResources:
+  []
+  # - apiVersion: v1
+  #   kind: ConfigMap
+  #   metadata:
+  #     name: example-configmap
+  #   data:
+  #     example-key: example-value

charts/open-webui/values.yaml

@@ -1,5 +1,5 @@
 nameOverride: ""
-
+namespaceOverride: ""
 ollama:
   # -- Automatically install Ollama Helm chart from https://otwld.github.io/ollama-helm/. Use [Helm Values](https://github.com/otwld/ollama-helm/#helm-values) to configure
   enabled: true
@@ -12,7 +12,10 @@ ollama:
   #     type: 'nvidia'
   #     number: 1
   #   models:
-  #     - llama3
+  #     pull:
+  #       - llama3
+  #     run:
+  #       - llama3
   # runtimeClassName: nvidia
   # persistentVolume:
   #   enabled: true
@@ -31,34 +34,191 @@ tika:
 # -- A list of Ollama API endpoints. These can be added in lieu of automatically installing the Ollama Helm chart, or in addition to it.
 ollamaUrls: []
 
+# -- Disables taking Ollama Urls from `ollamaUrls`  list
+ollamaUrlsFromExtraEnv: false
+
+websocket:
+  # -- Enables websocket support in Open WebUI with env `ENABLE_WEBSOCKET_SUPPORT`
+  enabled: false
+  # -- Specifies the websocket manager to use with env `WEBSOCKET_MANAGER`: redis (default)
+  manager: redis
+  # -- Specifies the URL of the Redis instance for websocket communication. Template with `redis://[:<password>@]<hostname>:<port>/<db>`
+  url: redis://open-webui-redis:6379/0
+  # -- Node selector for websocket pods
+  nodeSelector: {}
+  # -- Deploys a redis
+  redis:
+    # -- Enable redis installation
+    enabled: true
+    # -- Redis name
+    name: open-webui-redis
+    # -- Redis labels
+    labels: {}
+    # -- Redis annotations
+    annotations: {}
+    # -- Redis pod
+    pods:
+      # -- Redis pod labels
+      labels: {}
+      # -- Redis pod annotations
+      annotations: {}
+    # -- Redis image
+    image:
+      repository: redis
+      tag: 7.4.2-alpine3.21
+      pullPolicy: IfNotPresent
+    # -- Redis command (overrides default)
+    command: []
+    # -- Redis arguments (overrides default)
+    args: []
+    # -- Redis resources
+    resources: {}
+    # -- Redis service
+    service:
+      # -- Redis container/target port
+      containerPort: 6379
+      # -- Redis service type
+      type: ClusterIP
+      # -- Redis service labels
+      labels: {}
+      # -- Redis service annotations
+      annotations: {}
+      # -- Redis service port
+      port: 6379
+      # -- Redis service node port. Valid only when type is `NodePort`
+      nodePort: ""
+    # -- Redis tolerations for pod assignment
+    tolerations: []
+
+    # -- Redis affinity for pod assignment
+    affinity: {}
+
+    # -- Redis security context
+    securityContext:
+      {}
+      # runAsUser: 999
+      # runAsGroup: 1000
+
+# -- Deploys a Redis cluster with subchart 'redis' from bitnami
+redis-cluster:
+  # -- Enable Redis installation
+  enabled: false
+  # -- Redis cluster name (recommended to be 'open-webui-redis')
+  # - In this case, redis url will be 'redis://open-webui-redis-master:6379/0' or 'redis://[:<password>@]open-webui-redis-master:6379/0'
+  fullnameOverride: open-webui-redis
+  # -- Redis Authentication
+  auth:
+    # -- Enable Redis authentication (disabled by default). For your security, we strongly suggest that you switch to 'auth.enabled=true'
+    enabled: false
+  # -- Replica configuration for the Redis cluster
+  replica:
+    # -- Number of Redis replica instances
+    replicaCount: 3
+
 # -- Value of cluster domain
 clusterDomain: cluster.local
 
 annotations: {}
 podAnnotations: {}
+podLabels: {}
 replicaCount: 1
-# -- Open WebUI image tags can be found here: https://github.com/open-webui/open-webui/pkgs/container/open-webui
+# -- Strategy for updating the workload manager: deployment or statefulset
+strategy: {}
+# -- Open WebUI image tags can be found here: https://github.com/open-webui/open-webui
 image:
   repository: ghcr.io/open-webui/open-webui
   tag: ""
   pullPolicy: "IfNotPresent"
 
+# -- Open WebUI container command (overrides default entrypoint)
+command: []
+# -- Open WebUI container arguments (overrides default)
+args: []
+
+serviceAccount:
+  enable: true
+  name: ""
+  annotations: {}
+  automountServiceAccountToken: false
+
 # -- Configure imagePullSecrets to use private registry
 # ref: <https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry>
 imagePullSecrets: []
 # imagePullSecrets:
 # - name: myRegistryKeySecretName
 
+# -- Probe for liveness of the Open WebUI container
+# ref: <https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes>
+livenessProbe: {}
+# livenessProbe:
+#   httpGet:
+#     path: /health
+#     port: http
+#   failureThreshold: 1
+#   periodSeconds: 10
+
+# -- Probe for readiness of the Open WebUI container
+# ref: <https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes>
+readinessProbe: {}
+# readinessProbe:
+#   httpGet:
+#     path: /health/db
+#     port: http
+#   failureThreshold: 1
+#   periodSeconds: 10
+
+# -- Probe for startup of the Open WebUI container
+# ref: <https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes>
+startupProbe: {}
+# startupProbe:
+#   httpGet:
+#     path: /health
+#     port: http
+#   initialDelaySeconds: 30
+#   periodSeconds: 5
+#   failureThreshold: 20
+
 resources: {}
+
+copyAppData:
+  # -- Open WebUI copy-app-data init container command (overrides default)
+  command: []
+  # -- Open WebUI copy-app-data init container arguments (overrides default)
+  args: []
+
+  resources: {}
+
+managedCertificate:
+  enabled: false
+  name: "mydomain-chat-cert" # You can override this name if needed
+  domains:
+    - chat.example.com # update to your real domain
+
 ingress:
   enabled: false
   class: ""
   # -- Use appropriate annotations for your Ingress controller, e.g., for NGINX:
-  # nginx.ingress.kubernetes.io/rewrite-target: /
   annotations: {}
-  host: ""
+  #   # Example for GKE Ingress
+  #   kubernetes.io/ingress.class: "gce"
+  #   kubernetes.io/ingress.global-static-ip-name: "open-webui-external-ip"   #  you need to create this address in GCP console
+  #   # Force HTTP to redirect to HTTPS
+  #   nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+  #   nginx.ingress.kubernetes.io/ssl-redirect: "true"
+  #   nginx.ingress.kubernetes.io/permanent-redirect: "https://chat.example.com"
+  #   networking.gke.io/managed-certificates: "mydomain-chat-cert"
+  #   # nginx.ingress.kubernetes.io/rewrite-target: /
+  host: "chat.example.com" # update to your real domain
+  additionalHosts: []
   tls: false
   existingSecret: ""
+
+  # -- Additional custom labels to add to the Ingress metadata
+  # Useful for tagging, selecting, or applying policies to the Ingress via labels.
+  extraLabels: {}
+  # extraLabels:
+  #   app.kubernetes.io/environment: "staging"
+
 persistence:
   enabled: true
   size: 2Gi
@@ -72,6 +232,62 @@ persistence:
   storageClass: ""
   selector: {}
   annotations: {}
+  # -- Sets the storage provider, availables values are `local`, `s3`, `gcs` or `azure`
+  provider: local
+  s3:
+    # -- Sets the access key ID for S3 storage
+    # @section -- Amazon S3 Storage configuration
+    accessKey: ""
+    # -- Sets the secret access key for S3 storage (ignored if secretKeyExistingSecret is set)
+    # @section -- Amazon S3 Storage configuration
+    secretKey: ""
+    # -- Set the secret access key for S3 storage from existing k8s secret
+    # @section -- Amazon S3 Storage configuration
+    secretKeyExistingSecret: ""
+    # -- Set the secret access key for S3 storage from existing k8s secret key
+    # @section -- Amazon S3 Storage configuration
+    secretKeyExistingSecretKey: ""
+    # -- Sets the endpoint url for S3 storage
+    # @section -- Amazon S3 Storage configuration
+    endpointUrl: ""
+    # -- Sets the region name for S3 storage
+    # @section -- Amazon S3 Storage configuration
+    region: ""
+    # -- Sets the bucket name for S3 storage
+    # @section -- Amazon S3 Storage configuration
+    bucket: ""
+    # -- Sets the key prefix for a S3 object
+    # @section -- Amazon S3 Storage configuration
+    keyPrefix: ""
+  gcs:
+    # -- Contents of Google Application Credentials JSON file (ignored if appCredentialsJsonExistingSecret is set). Optional - if not provided, credentials will be taken from the environment. User credentials if run locally and Google Metadata server if run on a Google Compute Engine. File can be generated for a service account following this guide: https://developers.google.com/workspace/guides/create-credentials#service-account
+    # @section -- Google Cloud Storage configuration
+    appCredentialsJson: ""
+    # -- Set the Google Application Credentials JSON file for Google Cloud Storage from existing secret
+    # @section -- Google Cloud Storage configuration
+    appCredentialsJsonExistingSecret: ""
+    # -- Set the Google Application Credentials JSON file for Google Cloud Storage from existing secret key
+    # @section -- Google Cloud Storage configuration
+    appCredentialsJsonExistingSecretKey: ""
+    # -- Sets the bucket name for Google Cloud Storage. Bucket must already exist
+    # @section -- Google Cloud Storage configuration
+    bucket: ""
+  azure:
+    # -- Sets the endpoint URL for Azure Storage
+    # @section -- Azure Storage configuration
+    endpointUrl: ""
+    # -- Sets the container name for Azure Storage
+    # @section -- Azure Storage configuration
+    container: ""
+    # -- Set the access key for Azure Storage (ignored if keyExistingSecret is set). Optional - if not provided, credentials will be taken from the environment. User credentials if run locally and Managed Identity if run in Azure services
+    # @section -- Azure Storage configuration
+    key: ""
+    # -- Set the access key for Azure Storage from existing secret
+    # @section -- Azure Storage configuration
+    keyExistingSecret: ""
+    # -- Set the access key for Azure Storage from existing secret key
+    # @section -- Azure Storage configuration
+    keyExistingSecretKey: ""
 
 # -- Node labels for pod assignment.
 nodeSelector: {}
@@ -85,6 +301,9 @@ affinity: {}
 # -- Topology Spread Constraints for pod assignment
 topologySpreadConstraints: []
 
+# -- HostAliases to be added to hosts-file of each container
+hostAliases: []
+
 # -- Service values to expose Open WebUI pods to cluster
 service:
   type: ClusterIP
@@ -95,8 +314,17 @@ service:
   labels: {}
   loadBalancerClass: ""
 
+# -- Enables the use of OpenAI APIs
+enableOpenaiApi: true
+
 # -- OpenAI base API URL to use. Defaults to the Pipelines service endpoint when Pipelines are enabled, and "https://api.openai.com/v1" if Pipelines are not enabled and this value is blank
-openaiBaseApiUrl: ""
+openaiBaseApiUrl: "https://api.openai.com/v1"
+
+# -- OpenAI base API URLs to use. Overwrites the value in openaiBaseApiUrl if set
+openaiBaseApiUrls:
+  []
+  # - "https://api.openai.com/v1"
+  # - "https://api.company.openai.com/v1"
 
 # -- Env vars added to the Open WebUI deployment. Most up-to-date environment variables can be found here: https://docs.openwebui.com/getting-started/env-configuration/
 extraEnvVars:
@@ -115,6 +343,22 @@ extraEnvVars:
   # - name: OLLAMA_DEBUG
   #   value: "1"
 
+# -- Env vars added to the Open WebUI deployment, common across environments. Most up-to-date environment variables can be found here: https://docs.openwebui.com/getting-started/env-configuration/ (caution: environment variables defined in both `extraEnvVars` and `commonEnvVars` will result in a conflict. Avoid duplicates)
+commonEnvVars: []
+  # - name: RAG_EMBEDDING_ENGINE
+  #   value: "openai"
+
+# -- Env vars added from configmap or secret to the Open WebUI deployment. Most up-to-date environment variables can be found here: https://docs.openwebui.com/getting-started/env-configuration/ (caution: `extraEnvVars` will take precedence over the value from `extraEnvFrom`)
+extraEnvFrom: []
+  # - configMapRef:
+  #     name: my-config
+  # - secretRef:
+  #     name: my-secret
+
+# -- Configure runtime class
+# ref: <https://kubernetes.io/docs/concepts/containers/runtime-class/>
+runtimeClassName: ""
+
 # -- Configure container volume mounts
 # ref: <https://kubernetes.io/docs/tasks/configure-pod-container/configure-volume-storage/>
 volumeMounts:
@@ -125,6 +369,16 @@ volumeMounts:
   # - name: ""
   #   mountPath: ""
 
+# -- Additional init containers to add to the deployment/statefulset
+# ref: <https://kubernetes.io/docs/concepts/workloads/pods/init-containers/>
+extraInitContainers: []
+# - name: custom-init
+#   image: busybox:latest
+#   command: ['sh', '-c', 'echo "Custom init container running"']
+#   volumeMounts:
+#   - name: data
+#     mountPath: /data
+
 # -- Configure pod volumes
 # ref: <https://kubernetes.io/docs/tasks/configure-pod-container/configure-volume-storage/>
 volumes: []
@@ -135,7 +389,7 @@ volumes: []
 #   emptyDir: {}
 
 # -- Configure pod security context
-# ref: <https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-containe>
+# ref: <https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container>
 podSecurityContext:
   {}
   # fsGroupChangePolicy: Always
@@ -158,3 +412,204 @@ containerSecurityContext:
   #     - ALL
   # seccompProfile:
   #   type: "RuntimeDefault"
+
+sso:
+  # -- **Enable SSO authentication globally** must enable to use SSO authentication
+  # @section -- SSO Configuration
+  enabled: false
+  # -- Enable account creation when logging in with OAuth (distinct from regular signup)
+  # @section -- SSO Configuration
+  enableSignup: false
+  # -- Allow logging into accounts that match email from OAuth provider (considered insecure)
+  # @section -- SSO Configuration
+  mergeAccountsByEmail: false
+  # -- Enable OAuth role management through access token roles claim
+  # @section -- SSO Configuration
+  enableRoleManagement: false
+  # -- Enable OAuth group management through access token groups claim
+  # @section -- SSO Configuration
+  enableGroupManagement: false
+
+  google:
+    # -- Enable Google OAuth
+    # @section -- Google OAuth configuration
+    enabled: false
+    # -- Google OAuth client ID
+    # @section -- Google OAuth configuration
+    clientId: ""
+    # -- Google OAuth client secret (ignored if clientExistingSecret is set)
+    # @section -- Google OAuth configuration
+    clientSecret: ""
+    # -- Google OAuth client secret from existing secret
+    # @section -- Google OAuth configuration
+    clientExistingSecret: ""
+    # -- Google OAuth client secret key from existing secret
+    # @section -- Google OAuth configuration
+    clientExistingSecretKey: ""
+
+  microsoft:
+    # -- Enable Microsoft OAuth
+    # @section -- Microsoft OAuth configuration
+    enabled: false
+    # -- Microsoft OAuth client ID
+    # @section -- Microsoft OAuth configuration
+    clientId: ""
+    # -- Microsoft OAuth client secret (ignored if clientExistingSecret is set)
+    # @section -- Microsoft OAuth configuration
+    clientSecret: ""
+    # -- Microsoft OAuth client secret from existing secret
+    # @section -- Microsoft OAuth configuration
+    clientExistingSecret: ""
+    # -- Microsoft OAuth client secret key from existing secret
+    # @section -- Microsoft OAuth configuration
+    clientExistingSecretKey: ""
+    # -- Microsoft tenant ID - use 9188040d-6c67-4c5b-b112-36a304b66dad for personal accounts
+    # @section -- Microsoft OAuth configuration
+    tenantId: ""
+
+  github:
+    # -- Enable GitHub OAuth
+    # @section -- GitHub OAuth configuration
+    enabled: false
+    # -- GitHub OAuth client ID
+    # @section -- GitHub OAuth configuration
+    clientId: ""
+    # -- GitHub OAuth client secret (ignored if clientExistingSecret is set)
+    # @section -- GitHub OAuth configuration
+    clientSecret: ""
+    # -- GitHub OAuth client secret from existing secret
+    # @section -- GitHub OAuth configuration
+    clientExistingSecret: ""
+    # -- GitHub OAuth client secret key from existing secret
+    # @section -- GitHub OAuth configuration
+    clientExistingSecretKey: ""
+
+  oidc:
+    # -- Enable OIDC authentication
+    # @section -- OIDC configuration
+    enabled: false
+    # -- OIDC client ID
+    # @section -- OIDC configuration
+    clientId: ""
+    # -- OIDC client secret (ignored if clientExistingSecret is set)
+    # @section -- OIDC configuration
+    clientSecret: ""
+    # -- OICD client secret from existing secret
+    # @section -- OIDC configuration
+    clientExistingSecret: ""
+    # -- OIDC client secret key from existing secret
+    # @section -- OIDC configuration
+    clientExistingSecretKey: ""
+    # -- OIDC provider well known URL
+    # @section -- OIDC configuration
+    providerUrl: ""
+    # -- Name of the provider to show on the UI
+    # @section -- OIDC configuration
+    providerName: "SSO"
+    # -- Scopes to request (space-separated).
+    # @section -- OIDC configuration
+    scopes: "openid email profile"
+
+  roleManagement:
+    # -- The claim that contains the roles (can be nested, e.g., user.roles)
+    # @section -- Role management configuration
+    rolesClaim: "roles"
+    # -- Comma-separated list of roles allowed to log in (receive open webui role user)
+    # @section -- Role management configuration
+    allowedRoles: ""
+    # -- Comma-separated list of roles allowed to log in as admin (receive open webui role admin)
+    # @section -- Role management configuration
+    adminRoles: ""
+
+  groupManagement:
+    # -- The claim that contains the groups (can be nested, e.g., user.memberOf)
+    # @section -- SSO Configuration
+    groupsClaim: "groups"
+
+  trustedHeader:
+    # -- Enable trusted header authentication
+    # @section -- SSO trusted header authentication
+    enabled: false
+    # -- Header containing the user's email address
+    # @section -- SSO trusted header authentication
+    emailHeader: ""
+    # -- Header containing the user's name (optional, used for new user creation)
+    # @section -- SSO trusted header authentication
+    nameHeader: ""
+
+# -- Extra resources to deploy with Open WebUI
+extraResources:
+  []
+  # - apiVersion: v1
+  #   kind: ConfigMap
+  #   metadata:
+  #     name: example-configmap
+  #   data:
+  #     example-key: example-value
+
+# -- Configure database URL, needed to work with Postgres (example: `postgresql://<user>:<password>@<service>:<port>/<database>`), leave empty to use the default sqlite database
+databaseUrl: ""
+
+# -- Postgresql configuration (see. https://artifacthub.io/packages/helm/bitnami/postgresql)
+postgresql:
+  enabled: false
+  fullnameOverride: open-webui-postgres
+  architecture: standalone
+  auth:
+    database: open-webui
+    postgresPassword: 0p3n-w3bu!
+    username: open-webui
+    password: 0p3n-w3bu!
+  primary:
+    persistence:
+      size: 1Gi
+    resources:
+      requests:
+        memory: 256Mi
+        cpu: 250m
+      limits:
+        memory: 512Mi
+        cpu: 500m
+
+# Configure Application logging levels (see. https://docs.openwebui.com/getting-started/advanced-topics/logging#-logging-levels-explained)
+logging:
+  # -- Set the global log level ["notset", "debug", "info" (default), "warning", "error", "critical"]
+  # @section -- Logging configuration
+  level: ""
+
+  # Optional granularity: override log levels per subsystem/component
+  # if not set, it will use the global level (see. https://docs.openwebui.com/getting-started/advanced-topics/logging#%EF%B8%8F-appbackend-specific-logging-levels)
+  components:
+    # -- Set the log level for the Audio processing component
+    # @section -- Logging configuration
+    audio: ""
+    # -- Set the log level for the ComfyUI Integration component
+    # @section -- Logging configuration
+    comfyui: ""
+    # -- Set the log level for the Configuration Management component
+    # @section -- Logging configuration
+    config: ""
+    # -- Set the log level for the Database Operations (Peewee) component
+    # @section -- Logging configuration
+    db: ""
+    # -- Set the log level for the Image Generation component
+    # @section -- Logging configuration
+    images: ""
+    # -- Set the log level for the Main Application Execution component
+    # @section -- Logging configuration
+    main: ""
+    # -- Set the log level for the Model Management component
+    # @section -- Logging configuration
+    models: ""
+    # -- Set the log level for the Ollama Backend Integration component
+    # @section -- Logging configuration
+    ollama: ""
+    # -- Set the log level for the OpenAI API Integration component
+    # @section -- Logging configuration
+    openai: ""
+    # -- Set the log level for the Retrieval-Augmented Generation (RAG) component
+    # @section -- Logging configuration
+    rag: ""
+    # -- Set the log level for the Authentication Webhook component
+    # @section -- Logging configuration
+    webhook: ""

charts/pipelines/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: pipelines
-version: 0.0.4
+version: 0.7.0
 appVersion: "alpha"
 
 home: https://github.com/open-webui/pipelines

charts/pipelines/README.md

@@ -1,6 +1,6 @@
 # pipelines
 
-![Version: 0.0.4](https://img.shields.io/badge/Version-0.0.4-informational?style=flat-square) ![AppVersion: alpha](https://img.shields.io/badge/AppVersion-alpha-informational?style=flat-square)
+![Version: 0.7.0](https://img.shields.io/badge/Version-0.7.0-informational?style=flat-square) ![AppVersion: alpha](https://img.shields.io/badge/AppVersion-alpha-informational?style=flat-square)
 
 Pipelines: UI-Agnostic OpenAI API Plugin Framework
 
@@ -33,8 +33,13 @@ helm upgrade --install open-webui open-webui/pipelines
 | affinity | object | `{}` | Affinity for pod assignment |
 | annotations | object | `{}` |  |
 | clusterDomain | string | `"cluster.local"` | Value of cluster domain |
+| commonEnvVars | list | `[]` | Additional environments variables on the output Deployment definition, common across environments |
+| containerSecurityContext | object | `{}` | Configure container security context ref: <https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-containe> |
 | extraEnvVars | list | `[{"name":"PIPELINES_URLS","value":"https://github.com/open-webui/pipelines/blob/main/examples/filters/detoxify_filter_pipeline.py"}]` | Additional environments variables on the output Deployment definition. These are used to pull initial Pipeline files, and help configure Pipelines with required values (e.g. Langfuse API keys) |
 | extraEnvVars[0] | object | `{"name":"PIPELINES_URLS","value":"https://github.com/open-webui/pipelines/blob/main/examples/filters/detoxify_filter_pipeline.py"}` | Example pipeline to pull and load on deployment startup, see current pipelines here: https://github.com/open-webui/pipelines/blob/main/examples |
+| extraInitContainers | list | `[]` | Additional init containers to add to the deployment ref: <https://kubernetes.io/docs/concepts/workloads/pods/init-containers/> |
+| extraResources | list | `[]` | Extra resources to deploy with Open WebUI Pipelines |
+| hostAliases | list | `[]` | HostAliases to be added to hosts-file of each container |
 | image.pullPolicy | string | `"Always"` |  |
 | image.repository | string | `"ghcr.io/open-webui/pipelines"` |  |
 | image.tag | string | `"main"` |  |
@@ -46,6 +51,7 @@ helm upgrade --install open-webui open-webui/pipelines
 | ingress.host | string | `""` |  |
 | ingress.tls | bool | `false` |  |
 | nameOverride | string | `""` |  |
+| namespaceOverride | string | `""` |  |
 | nodeSelector | object | `{}` | Node labels for pod assignment. |
 | persistence.accessModes | list | `["ReadWriteOnce"]` | If using multiple replicas, you must update accessModes to ReadWriteMany |
 | persistence.annotations | object | `{}` |  |
@@ -55,6 +61,8 @@ helm upgrade --install open-webui open-webui/pipelines
 | persistence.size | string | `"2Gi"` |  |
 | persistence.storageClass | string | `""` |  |
 | podAnnotations | object | `{}` |  |
+| podLabels | object | `{}` |  |
+| podSecurityContext | object | `{}` | Configure pod security context ref: <https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container> |
 | replicaCount | int | `1` |  |
 | resources | object | `{}` |  |
 | service.annotations | object | `{}` |  |
@@ -64,7 +72,12 @@ helm upgrade --install open-webui open-webui/pipelines
 | service.nodePort | string | `""` |  |
 | service.port | int | `9099` |  |
 | service.type | string | `"ClusterIP"` |  |
+| serviceAccount.automountServiceAccountToken | bool | `false` |  |
+| serviceAccount.enable | bool | `true` |  |
+| strategy | object | `{}` | Strategy for updating the deployment |
 | tolerations | list | `[]` | Tolerations for pod assignment |
+| volumeMounts | list | `[]` | Configure container volume mounts ref: <https://kubernetes.io/docs/tasks/configure-pod-container/configure-volume-storage/> |
+| volumes | list | `[]` | Configure pod volumes ref: <https://kubernetes.io/docs/tasks/configure-pod-container/configure-volume-storage/> |
 
 ----------------------------------------------
 

charts/pipelines/templates/_helpers.tpl

@@ -1,3 +1,14 @@
+{{/*
+Allow the release namespace to be overridden for multi-namespace deployments in combined charts
+*/}}
+{{- define "pipelines.namespace" -}}
+  {{- if .Values.namespaceOverride -}}
+    {{- .Values.namespaceOverride -}}
+  {{- else -}}
+    {{- .Release.Namespace -}}
+  {{- end -}}
+{{- end -}}
+
 {{/*
 Set the name of the Pipelines resources
 */}}

charts/pipelines/templates/deployment.yaml

@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ include "pipelines.name" . }}
+  namespace: {{ include "pipelines.namespace" . }}
   labels:
     {{- include "pipelines.labels" . | nindent 4 }}
   {{- with .Values.annotations }}
@@ -13,10 +14,17 @@ spec:
   selector:
     matchLabels:
       {{- include "pipelines.selectorLabels" . | nindent 6 }}
+  {{- with .Values.strategy }}
+  strategy:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
   template:
     metadata:
       labels:
         {{- include "pipelines.labels" . | nindent 8 }}
+        {{- with .Values.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
       {{- with .Values.podAnnotations }}
       annotations:
         {{- toYaml . | nindent 8 }}
@@ -26,8 +34,19 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with .Values.extraInitContainers }}
+      initContainers:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       enableServiceLinks: false
-      automountServiceAccountToken: false
+      automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken | default false }}
+      {{- if .Values.serviceAccount.enable }}
+      serviceAccountName: {{ .Values.serviceAccount.name | default (include "pipelines.name" .) }}
+      {{- end }}
+      {{- with .Values.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       containers:
       - name: {{ .Chart.Name }}
         {{- with .Values.image }}
@@ -40,13 +59,23 @@ spec:
         {{- with .Values.resources }}
         resources: {{- toYaml . | nindent 10 }}
         {{- end }}
+        {{- with .Values.containerSecurityContext }}
+        securityContext:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
         volumeMounts:
         - name: data
-          mountPath: /app/backend/data
+          mountPath: /app/pipelines
+        {{- with .Values.volumeMounts }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
         env:
         {{- if .Values.extraEnvVars }}
           {{- toYaml .Values.extraEnvVars | nindent 8 }}
         {{- end }}
+        {{- if .Values.commonEnvVars }}
+          {{- toYaml .Values.commonEnvVars | nindent 8 }}
+        {{- end }}
         tty: true
       {{- with .Values.nodeSelector }}
       nodeSelector:
@@ -60,6 +89,10 @@ spec:
       affinity:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with .Values.hostAliases }}
+      hostAliases:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       volumes:
       {{- if and .Values.persistence.enabled .Values.persistence.existingClaim }}
       - name: data
@@ -73,3 +106,6 @@ spec:
         persistentVolumeClaim:
           claimName: {{ include "pipelines.name" . }}
       {{- end }}
+      {{- with .Values.volumes }}
+      {{- toYaml . | nindent 6 }}
+      {{- end }}

charts/pipelines/templates/extra-resources.yaml

@@ -0,0 +1,6 @@
+{{- if .Values.extraResources }}
+{{- range .Values.extraResources }}
+---
+{{ toYaml . | nindent 0 }}
+{{- end }}
+{{- end }}

charts/pipelines/templates/pvc.yaml

@@ -3,6 +3,7 @@ apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
   name: {{ include "pipelines.name" . }}
+  namespace: {{ include "pipelines.namespace" . }}
   labels:
     {{- include "pipelines.selectorLabels" . | nindent 4 }}
   {{- with .Values.persistence.annotations }}

charts/pipelines/templates/service-account.yaml

@@ -0,0 +1,13 @@
+{{- if .Values.serviceAccount.enable }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.serviceAccount.name | default (include "pipelines.name" .) }}
+  namespace: {{ include "pipelines.namespace" . }}
+  labels:
+    {{- include "pipelines.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}

charts/pipelines/templates/service.yaml

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ include "pipelines.name" . }}
+  namespace: {{ include "pipelines.namespace" . }}
   labels:
     {{- include "pipelines.labels" . | nindent 4 }}
     {{- with .Values.service.labels }}

charts/pipelines/values.yaml

@@ -1,11 +1,15 @@
 nameOverride: ""
+namespaceOverride: ""
 
 # -- Value of cluster domain
 clusterDomain: cluster.local
 
 annotations: {}
 podAnnotations: {}
+podLabels: {}
 replicaCount: 1
+# -- Strategy for updating the deployment
+strategy: {}
 image:
   repository: ghcr.io/open-webui/pipelines
   tag: main
@@ -38,6 +42,35 @@ persistence:
   selector: {}
   annotations: {}
 
+serviceAccount:
+  enable: true
+  automountServiceAccountToken: false
+
+# -- Configure pod security context
+# ref: <https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container>
+podSecurityContext:
+  {}
+  # fsGroupChangePolicy: Always
+  # sysctls: []
+  # supplementalGroups: []
+  # fsGroup: 1001
+
+# -- Configure container security context
+# ref: <https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-containe>
+containerSecurityContext:
+  {}
+  # runAsUser: 1001
+  # runAsGroup: 1001
+  # runAsNonRoot: true
+  # privileged: false
+  # allowPrivilegeEscalation: false
+  # readOnlyRootFilesystem: false
+  # capabilities:
+  #   drop:
+  #     - ALL
+  # seccompProfile:
+  #   type: "RuntimeDefault"
+
 # -- Node labels for pod assignment.
 nodeSelector: {}
 
@@ -47,6 +80,9 @@ tolerations: []
 # -- Affinity for pod assignment
 affinity: {}
 
+# -- HostAliases to be added to hosts-file of each container
+hostAliases: []
+
 service:
   type: ClusterIP
   annotations: {}
@@ -81,3 +117,44 @@ extraEnvVars:
   #       key: secret-key
   # - name: LANGFUSE_HOST
   #   value: https://us.cloud.langfuse.com
+
+# -- Additional environments variables on the output Deployment definition, common across environments.
+commonEnvVars: []
+
+# -- Configure container volume mounts
+# ref: <https://kubernetes.io/docs/tasks/configure-pod-container/configure-volume-storage/>
+volumeMounts: []
+  # - name: ""
+  #   mountPath: ""
+
+# -- Additional init containers to add to the deployment
+# ref: <https://kubernetes.io/docs/concepts/workloads/pods/init-containers/>
+extraInitContainers: []
+# - name: custom-init
+#   image: busybox:latest
+#   command: ['sh', '-c', 'echo "Custom init container running"']
+#   volumeMounts:
+#   - name: data
+#     mountPath: /data
+
+# -- Configure pod volumes
+# ref: <https://kubernetes.io/docs/tasks/configure-pod-container/configure-volume-storage/>
+volumes: []
+# - name: ""
+#   configMap:
+#     name: ""
+# - name: ""
+#   secret:
+#     name: ""
+# - name: ""
+#   emptyDir: {}
+
+# -- Extra resources to deploy with Open WebUI Pipelines
+extraResources:
+  []
+  # - apiVersion: v1
+  #   kind: ConfigMap
+  #   metadata:
+  #     name: example-configmap
+  #   data:
+  #     example-key: example-value