Add OpenWebUI application

This commit is contained in:
Marco van Zijl 2026-05-16 19:59:34 +02:00
parent 9ccce95b25
commit 7bd7a61ff9
4 changed files with 170 additions and 0 deletions

View File

@ -0,0 +1,11 @@
apiVersion: v2
name: open-webui
description: Open WebUI wrapper chart
type: application
version: 1.0.0
appVersion: "0.9.5"
dependencies:
- name: open-webui
version: 14.5.0
repository: https://helm.openwebui.com/

24
apps/open-webui/README.md Normal file
View File

@ -0,0 +1,24 @@
# OpenWebUI
OpenWebUI is exposed at `https://openwebui.noxxos.nl` and connects to the
OpenAI-compatible llama.cpp endpoint at `http://framework-llm:8080/v1`.
## Authentik
Create an Authentik OAuth2/OIDC provider and application with slug
`open-webui`.
Allowed redirect URI:
```text
https://openwebui.noxxos.nl/oauth/oidc/callback
```
Create the OIDC client secret in Kubernetes before syncing the app:
```bash
kubectl create namespace open-webui
kubectl -n open-webui create secret generic open-webui-oidc \
--from-literal=client-id='<authentik-client-id>' \
--from-literal=client-secret='<authentik-client-secret>'
```

View File

@ -0,0 +1,40 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: open-webui
namespace: argocd
annotations:
argocd.argoproj.io/sync-wave: "2"
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
source:
repoURL: https://git.mvzijl.nl/marco/veda.git
targetRevision: applicationset-rewrite
path: apps/open-webui
helm:
releaseName: open-webui
valueFiles:
- values.yaml
destination:
server: https://kubernetes.default.svc
namespace: open-webui
ignoreDifferences:
- group: gateway.networking.k8s.io
kind: HTTPRoute
jqPathExpressions:
- .spec.parentRefs[] | .group, .kind
- .spec.rules[].backendRefs[] | .group, .kind, .weight
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
- ServerSideApply=true
managedNamespaceMetadata:
labels:
pod-security.kubernetes.io/enforce: baseline
pod-security.kubernetes.io/audit: baseline
pod-security.kubernetes.io/warn: baseline

View File

@ -0,0 +1,95 @@
open-webui:
ollama:
enabled: false
ollamaUrls: []
pipelines:
enabled: true
ingress:
enabled: false
persistence:
enabled: true
storageClass: ceph-block
size: 5Gi
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
memory: 1Gi
extraEnvVars:
- name: PIPELINES_API_KEY
value: 0p3n-w3bu!
- name: PIPELINES_URLS
value: ""
websocket:
enabled: true
manager: redis
redis:
enabled: true
resources:
requests:
cpu: 25m
memory: 64Mi
limits:
memory: 256Mi
replicaCount: 1
resources:
requests:
cpu: 100m
memory: 512Mi
limits:
memory: 2Gi
service:
type: ClusterIP
route:
enabled: true
hostnames:
- openwebui.noxxos.nl
parentRefs:
- name: traefik-gateway
namespace: traefik
sectionName: websecure
persistence:
enabled: true
storageClass: ceph-block
size: 20Gi
enableOpenaiApi: true
openaiBaseApiUrls:
- http://framework-llm:8080/v1
openaiApiKeys:
- 0p3n-w3bu!
- not-needed
extraEnvVars:
- name: WEBUI_URL
value: https://openwebui.noxxos.nl
- name: CORS_ALLOW_ORIGIN
value: https://openwebui.noxxos.nl
- name: WEBUI_SESSION_COOKIE_SECURE
value: "true"
- name: WEBUI_AUTH_COOKIE_SECURE
value: "true"
- name: WEBUI_SESSION_COOKIE_SAME_SITE
value: lax
- name: WEBUI_AUTH_COOKIE_SAME_SITE
value: lax
sso:
enabled: true
enableSignup: true
oidc:
enabled: true
providerName: Authentik
providerUrl: https://sso.noxxos.nl/application/o/open-webui/.well-known/openid-configuration
clientExistingSecret: open-webui-oidc
clientIdExistingSecretKey: client-id
clientExistingSecretKey: client-secret