helm-charts/charts/open-webui/templates/workload-manager.yaml

apiVersion: apps/v1
{{- if and .Values.persistence.enabled (eq .Values.persistence.provider "local") }}
kind: StatefulSet
{{- else }}
kind: Deployment
{{- end }}
metadata:
  name: {{ include "open-webui.name" . }}
  namespace: {{ include "open-webui.namespace" . }}
  labels:
    {{- include "open-webui.labels" . | nindent 4 }}
  {{- with .Values.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
spec:
  replicas: {{ .Values.replicaCount }}
  {{- if and .Values.persistence.enabled (eq .Values.persistence.provider "local") }}
  serviceName: {{ include "open-webui.name" . }}
  {{- end }}
  selector:
    matchLabels:
      {{- include "open-webui.selectorLabels" . | nindent 6 }}
  {{- if .Values.strategy }}
  {{- if and .Values.persistence.enabled (eq .Values.persistence.provider "local") }}
  updateStrategy:
    {{- toYaml .Values.strategy | nindent 4 }}
  {{- else }}
  strategy:
    {{- toYaml .Values.strategy | nindent 4 }}
  {{- end }}
  {{- end }}
  template:
    metadata:
      labels:
        {{- include "open-webui.labels" . | nindent 8 }}
        {{- with .Values.podLabels }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
      {{- with .Values.podAnnotations }}
      annotations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
    spec:
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      initContainers:
      - name: copy-app-data
        {{- with .Values.image }}
        image: {{ .repository }}:{{ .tag | default $.Chart.AppVersion }}
        imagePullPolicy: {{ .pullPolicy }}
        {{- end }}
        command: ['sh', '-c', 'cp -R -n /app/backend/data/* /tmp/app-data/']
        {{- with .Values.containerSecurityContext }}
        securityContext:
          {{- toYaml . | nindent 10 }}
        {{- end }}
        {{- with .Values.copyAppData.resources }}
        resources: {{- toYaml . | nindent 10 }}
        {{- end }}
        volumeMounts:
        - name: data
          mountPath: /tmp/app-data
          {{- if .Values.persistence.subPath }}
          subPath: {{ .Values.persistence.subPath }}
          {{- end }}
        {{- with .Values.volumeMounts.initContainer }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
      {{- with .Values.extraInitContainers }}
      {{- toYaml . | nindent 6 }}
      {{- end }}
      enableServiceLinks: false
      automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
      {{- if .Values.runtimeClassName }}
      runtimeClassName: {{ .Values.runtimeClassName | quote }}
      {{- end }}
      {{- if .Values.serviceAccount.enable }}
      serviceAccountName: {{ .Values.serviceAccount.name | default (include "open-webui.name" .) }}
      {{- end }}
      {{- with .Values.podSecurityContext }}
      securityContext:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      containers:
      - name: {{ .Chart.Name }}
        {{- with .Values.image }}
        image: {{ .repository }}:{{ .tag | default $.Chart.AppVersion }}
        imagePullPolicy: {{ .pullPolicy }}
        {{- end }}
        ports:
        - name: http
          containerPort: {{ .Values.service.containerPort }}
        {{- with .Values.livenessProbe }}
        livenessProbe: {{- toYaml . | nindent 10 }}
        {{- end }}
        {{- with .Values.readinessProbe }}
        readinessProbe: {{- toYaml . | nindent 10 }}
        {{- end }}
        {{- with .Values.startupProbe }}
        startupProbe: {{- toYaml . | nindent 10 }}
        {{- end }}
        {{- with .Values.resources }}
        resources: {{- toYaml . | nindent 10 }}
        {{- end }}
        {{- with .Values.containerSecurityContext }}
        securityContext:
          {{- toYaml . | nindent 10 }}
        {{- end }}
        volumeMounts:
        - name: data
          mountPath: /app/backend/data
          {{- if .Values.persistence.subPath }}
          subPath: {{ .Values.persistence.subPath }}
          {{- end }}
        {{- with .Values.volumeMounts.container }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
        env:
        {{- if .Values.ollamaUrlsFromExtraEnv}}
        {{- else if or .Values.ollamaUrls .Values.ollama.enabled }}
        - name: "OLLAMA_BASE_URLS"
          value: {{ include "ollamaBaseUrls" . | quote }}
        {{- else }}
        - name: "ENABLE_OLLAMA_API"
          value: "False"
        {{- end }}
        {{- if and .Values.enableOpenaiApi .Values.openaiBaseApiUrl (not .Values.openaiBaseApiUrls) (not .Values.pipelines.enabled) }}
        # If only an OpenAI API value is set, set it to OPENAI_API_BASE_URL
        - name: "OPENAI_API_BASE_URL"
          value: {{ .Values.openaiBaseApiUrl | quote }}
        {{- else if and .Values.enableOpenaiApi .Values.openaiBaseApiUrl .Values.pipelines.enabled (not .Values.openaiBaseApiUrls) }}
        # If Pipelines is enabled and OpenAI API value is set, use OPENAI_API_BASE_URLS with combined values
        - name: "OPENAI_API_BASE_URLS"
          value: "{{ include "pipelines.serviceEndpoint" . }};{{ .Values.openaiBaseApiUrl }}"
        {{- else if and .Values.enableOpenaiApi .Values.pipelines.enabled (not .Values.openaiBaseApiUrl) (not .Values.openaiBaseApiUrls) }}
        # If Pipelines is enabled and no OpenAI API values are set, set OPENAI_API_BASE_URL to the Pipelines server endpoint 
        - name: "OPENAI_API_BASE_URL"
          value: {{ include "pipelines.serviceEndpoint" . | quote }}
        {{- else if and .Values.enableOpenaiApi .Values.openaiBaseApiUrls .Values.pipelines.enabled }}
        # If OpenAI API value(s) set and Pipelines is enabled, use OPENAI_API_BASE_URLS to support all the endpoints in the chart
        - name: "OPENAI_API_BASE_URLS"
          value: "{{ include "pipelines.serviceEndpoint" . }};{{ join ";" .Values.openaiBaseApiUrls }}"
        {{- else if not .Values.enableOpenaiApi }}
        - name: "ENABLE_OPENAI_API"
          value: "False"
        {{- end }}
        {{- if .Values.tika.enabled }}
        - name: "CONTENT_EXTRACTION_ENGINE"
          value: "Tika"
        - name: "TIKA_SERVER_URL"
          value: http://{{ .Chart.Name }}-tika:9998
        {{- end }}
        {{- if eq .Values.persistence.provider "s3" }}
        - name: "STORAGE_PROVIDER"
          value: {{ .Values.persistence.provider }}
        - name: "S3_ACCESS_KEY_ID"
          value: {{ .Values.persistence.s3.accessKey }}
        - name: "S3_SECRET_ACCESS_KEY"
          value: {{ .Values.persistence.s3.secretKey }}
        - name: "S3_ENDPOINT_URL"
          value: {{ .Values.persistence.s3.endpointUrl }}
        - name: "S3_BUCKET_NAME"
          value: {{ .Values.persistence.s3.bucket }}
        - name: "S3_REGION_NAME"
          value: {{ .Values.persistence.s3.region }}
        - name: "S3_KEY_PREFIX"
          value: {{ .Values.persistence.s3.keyPrefix }}
        {{- else if eq .Values.persistence.provider "gcs" }}
        - name: "STORAGE_PROVIDER"
          value: {{ .Values.persistence.provider }}
        - name: "GOOGLE_APPLICATION_CREDENTIALS_JSON"
          value: {{ .Values.persistence.gcs.appCredentialsJson }}
        - name: "GCS_BUCKET_NAME"
          value: {{ .Values.persistence.gcs.bucket }}
        {{- else if eq .Values.persistence.provider "azure" }}
        - name: "STORAGE_PROVIDER"
          value: {{ .Values.persistence.provider }}
        - name: "AZURE_STORAGE_ENDPOINT"
          value: {{ .Values.persistence.azure.endpointUrl }}
        - name: "AZURE_STORAGE_CONTAINER_NAME"
          value: {{ .Values.persistence.azure.container }}
        - name: "AZURE_STORAGE_KEY"
          value: {{ .Values.persistence.azure.key }}
        {{- end }}
        {{- if .Values.websocket.enabled }}
        - name: "ENABLE_WEBSOCKET_SUPPORT"
          value: "True"
        - name: "WEBSOCKET_MANAGER"
          value: {{ .Values.websocket.manager | default "redis" | quote }}
        - name: "WEBSOCKET_REDIS_URL"
          value: {{ .Values.websocket.url | quote }}
        {{- end }}
        {{- if or .Values.postgresql.enabled .Values.databaseUrl }}
        - name: "DATABASE_URL"
          value: {{ .Values.databaseUrl | default (printf "postgresql://%s:%s@%s:%s/%s" .Values.postgresql.auth.username .Values.postgresql.auth.password .Values.postgresql.fullnameOverride "5432" .Values.postgresql.auth.database) }}
        {{- end }}
        {{- if .Values.sso.enabled }}
        {{- if .Values.sso.enableSignup }}
        - name: "ENABLE_OAUTH_SIGNUP"
          value: "True"
        {{- end }}
        {{- if .Values.sso.mergeAccountsByEmail }}
        - name: "OAUTH_MERGE_ACCOUNTS_BY_EMAIL"
          value: "True"
        {{- end }}
        {{- if .Values.sso.google.enabled }}
        - name: "GOOGLE_CLIENT_ID"
          value: {{ .Values.sso.google.clientId | quote }}
        - name: "GOOGLE_CLIENT_SECRET"
          value: {{ .Values.sso.google.clientSecret | quote }}
        {{- end }}
        {{- if .Values.sso.microsoft.enabled }}
        - name: "MICROSOFT_CLIENT_ID"
          value: {{ .Values.sso.microsoft.clientId | quote }}
        - name: "MICROSOFT_CLIENT_SECRET"
          value: {{ .Values.sso.microsoft.clientSecret | quote }}
        - name: "MICROSOFT_CLIENT_TENANT_ID"
          value: {{ .Values.sso.microsoft.tenantId | quote }}
        {{- end }}
        {{- if .Values.sso.github.enabled }}
        - name: "GITHUB_CLIENT_ID"
          value: {{ .Values.sso.github.clientId | quote }}
        - name: "GITHUB_CLIENT_SECRET"
          value: {{ .Values.sso.github.clientSecret | quote }}
        {{- end }}
        {{- if .Values.sso.oidc.enabled }}
        - name: "OAUTH_CLIENT_ID"
          value: {{ .Values.sso.oidc.clientId | quote }}
        - name: "OAUTH_CLIENT_SECRET"
          value: {{ .Values.sso.oidc.clientSecret | quote }}
        - name: "OPENID_PROVIDER_URL"
          value: {{ .Values.sso.oidc.providerUrl | quote }}
        - name: "OAUTH_PROVIDER_NAME"
          value: {{ .Values.sso.oidc.providerName | quote }}
        - name: "OAUTH_SCOPES"
          value: {{ .Values.sso.oidc.scopes | quote }}
        {{- end }}
        {{- if .Values.sso.enableRoleManagement }}
        - name: "ENABLE_OAUTH_ROLE_MANAGEMENT"
          value: "True"
        - name: "OAUTH_ROLES_CLAIM"
          value: {{ .Values.sso.roleManagement.rolesClaim | quote }}
        {{- if .Values.sso.roleManagement.allowedRoles }}
        - name: "OAUTH_ALLOWED_ROLES"
          value: {{ .Values.sso.roleManagement.allowedRoles | quote }}
        {{- end }}
        {{- if .Values.sso.roleManagement.adminRoles }}
        - name: "OAUTH_ADMIN_ROLES"
          value: {{ .Values.sso.roleManagement.adminRoles | quote }}
        {{- end }}
        {{- end }}
        {{- if .Values.sso.enableGroupManagement }}
        - name: "ENABLE_OAUTH_GROUP_MANAGEMENT"
          value: "True"
        - name: "OAUTH_GROUP_CLAIM"
          value: {{ .Values.sso.groupManagement.groupsClaim | quote }}
        {{- end }}
        {{- if .Values.sso.trustedHeader.enabled }}
        - name: "WEBUI_AUTH_TRUSTED_EMAIL_HEADER"
          value: {{ .Values.sso.trustedHeader.emailHeader | quote }}
        {{- if .Values.sso.trustedHeader.nameHeader }}
        - name: "WEBUI_AUTH_TRUSTED_NAME_HEADER"
          value: {{ .Values.sso.trustedHeader.nameHeader | quote }}
        {{- end }}
        {{- end }}
        {{- end }}
        {{- if .Values.extraEnvVars }}
          {{- toYaml .Values.extraEnvVars | nindent 8 }}
        {{- end }}
        tty: true
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.topologySpreadConstraints }}
      topologySpreadConstraints:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.hostAliases }}
      hostAliases:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      volumes:
      {{- if and .Values.persistence.enabled .Values.persistence.existingClaim }}
      - name: data
        persistentVolumeClaim:
          claimName: {{ .Values.persistence.existingClaim }}
      {{- else if or (not .Values.persistence.enabled) (not (eq .Values.persistence.provider "local")) }}
      - name: data
        emptyDir: {}
      {{- else if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }}
      - name: data
        persistentVolumeClaim:
          claimName: {{ include "open-webui.name" . }}
      {{- end }}
      {{- with .Values.volumes }}
      {{- toYaml . | nindent 6 }}
      {{- end }}