---
# -- Overrides the default application name
nameOverride: ""

# -- Overrides the default release namespace
namespaceOverride: ""

ollama:
  # -- Install the Ollama Helm chart from https://otwld.github.io/ollama-helm/ as a dependency.
  # Configure it through its [Helm Values](https://github.com/otwld/ollama-helm/#helm-values)
  # @section -- External Tools configuration
  enabled: false
  # -- When the embedded Ollama is enabled, set this to the Ollama name you want; otherwise the
  # default ollama.name value from the Ollama chart is used
  # @section -- External Tools configuration
  fullnameOverride: "open-webui-ollama"
  # -- Example Ollama configuration with an nvidia GPU, automatic model download and a PVC for
  # model persistence
  # ollama:
  #   gpu:
  #     enabled: true
  #     type: 'nvidia'
  #     number: 1
  #   models:
  #     pull:
  #       - llama3
  #     run:
  #       - llama3
  # runtimeClassName: nvidia
  # persistentVolume:
  #   enabled: true
  #   volumeName: "example-pre-existing-pv-created-by-smb-csi"

# -- Ollama API endpoints. Usable instead of, or in addition to, the embedded Ollama chart.
# @section -- External Tools configuration
ollamaUrls: []

# -- Disables taking Ollama URLs from the `ollamaUrls` list
# @section -- External Tools configuration
ollamaUrlsFromExtraEnv: false

pipelines:
  # -- Install the Pipelines chart to extend Open WebUI: https://github.com/open-webui/pipelines
  # @section -- External Tools configuration
  enabled: true
  # -- Environment variables passed to the pipelines (e.g. Langfuse hostname)
  # @section -- External Tools configuration
  extraEnvVars: []

tika:
  # -- Install Apache Tika to extend Open WebUI
  # @section -- External Tools configuration
  enabled: false

websocket:
  # -- Enables websocket support in Open WebUI with env `ENABLE_WEBSOCKET_SUPPORT`
  # @section -- Websocket configuration
  enabled: true
  # -- Websocket manager to use with env `WEBSOCKET_MANAGER`: redis (default)
  # @section -- Websocket configuration
  manager: redis
  # -- URL of the Redis instance used for websocket communication.
  # Template: `redis://[:<password>@]<host>:<port>/<db>`
  # NOTE(review): Kubernetes itself only expands `$(VAR)` references inside env values, and only
  # for variables defined earlier in the env list. `${VALKEY_PASSWORD}` reaches the container
  # unchanged unless a GitOps substitution step or the application expands it - confirm which
  # one applies here. The `redis://` scheme is unencrypted; the password crosses the cluster
  # network in clear text unless the mesh/CNI encrypts it.
  # @section -- Websocket configuration
  url: "redis://:${VALKEY_PASSWORD}@valkey.valkey.svc.cluster.local:6379/5"
  # -- Node selector for websocket pods
  # @section -- Websocket configuration
  nodeSelector: {}
  redis:
    # -- Enable redis installation
    # @section -- Websocket configuration
    enabled: false
    # -- Redis name
    # @section -- Websocket configuration
    name: open-webui-redis
    # -- Redis labels
    # @section -- Websocket configuration
    labels: {}
    # -- Redis annotations
    # @section -- Websocket configuration
    annotations: {}
    pods:
      # -- Redis pod labels
      # @section -- Websocket configuration
      labels: {}
      # -- Redis pod annotations
      # @section -- Websocket configuration
      annotations: {}
    image:
      # -- Redis image repository
      # @section -- Websocket configuration
      repository: redis
      # -- Redis image tag
      # @section -- Websocket configuration
      tag: "7.4.2-alpine3.21"
      # -- Redis image pull policy
      # @section -- Websocket configuration
      pullPolicy: IfNotPresent
    # -- Redis command (overrides default)
    # @section -- Websocket configuration
    command: []
    # -- Redis arguments (overrides default)
    # @section -- Websocket configuration
    args: []
    # -- Redis resources
    # @section -- Websocket configuration
    resources: {}
    service:
      # -- Redis container/target port
      # @section -- Websocket configuration
      containerPort: 6379
      # -- Redis service type
      # @section -- Websocket configuration
      type: ClusterIP
      # -- Redis service labels
      # @section -- Websocket configuration
      labels: {}
      # -- Redis service annotations
      # @section -- Websocket configuration
      annotations: {}
      # -- Redis service port name. Istio needs this to be something like `tcp-redis`
      # @section -- Websocket configuration
      portName: http
      # -- Redis service port
      # @section -- Websocket configuration
      port: 6379
      # -- Redis service node port. Valid only when type is `NodePort`
      # @section -- Websocket configuration
      nodePort: ""
    # -- Redis tolerations for pod assignment
    # @section -- Websocket configuration
    tolerations: []
    # -- Redis affinity for pod assignment
    # @section -- Websocket configuration
    affinity: {}
    # -- Redis container security context (certain specs are not allowed on a pod level).
    # If readOnlyRootFilesystem is true, an emptyDir is mounted on the redis container
    # @section -- Websocket configuration
    containerSecurityContext: {}
    #   readOnlyRootFilesystem: true
    #   runAsNonRoot: true
    # -- Redis pod security context
    # @section -- Websocket configuration
    podSecurityContext: {}
    #   runAsUser: 999
    #   runAsGroup: 1000

# -- Value of cluster domain
clusterDomain: cluster.local

# -- Extra labels for the Open WebUI deployment/statefulset metadata
extraLabels: {}

# -- Extra annotations for the Open WebUI deployment/statefulset metadata
annotations: {}

# -- Extra annotations for the Open WebUI pods
podAnnotations: {}

# -- Extra labels for the Open WebUI pods
podLabels: {}

# -- Number of Open WebUI replicas
replicaCount: 1

# -- Revision history limit for the workload manager (deployment).
revisionHistoryLimit: 10

# -- Priority class name for the Open WebUI pods
priorityClassName: ""

# -- Strategy for updating the workload manager: deployment or statefulset
strategy: {}

image:
  # -- Open WebUI image repository
  # @section -- Image configuration
  repository: ghcr.io/open-webui/open-webui
  # -- Open WebUI image tag (tags are listed at https://github.com/open-webui/open-webui)
  # @section -- Image configuration
  tag: ""
  # -- Open WebUI image pull policy
  # @section -- Image configuration
  pullPolicy: "IfNotPresent"
  # -- Use a slim version of the Open WebUI image
  # @section -- Image configuration
  useSlim: false

# -- imagePullSecrets for pulling from a private registry
# @section -- Image configuration
imagePullSecrets: []
# imagePullSecrets:
# - name: myRegistryKeySecretName

# -- Open WebUI container command (overrides default entrypoint)
command: []

# -- Open WebUI container arguments (overrides default)
args: []

serviceAccount:
  # -- Enable service account creation
  # @section -- Service Account configuration
  enable: true
  # -- If create is set to false, set `name` to existing service account name
  # @section -- Service Account configuration
  create: true
  # -- Service account name to use. If `ServiceAccount.create` is false, this assumes an existing
  # service account exists with the set name. If not set and `serviceAccount.create` is true, a
  # name is generated using the fullname template.
  # @section -- Service Account configuration
  name: "existing-sa"
  # -- Extra annotations for the ServiceAccount
  # @section -- Service Account configuration
  annotations: {}
  # -- Automount service account token for the Open WebUI pods.
  # Kept off: the pods then carry no Kubernetes API credential.
  # @section -- Service Account configuration
  automountServiceAccountToken: false

# -- Liveness probe of the Open WebUI container
# @section -- Probes configuration
livenessProbe: {}
# livenessProbe:
#   httpGet:
#     path: /health
#     port: http
#   failureThreshold: 1
#   periodSeconds: 10

# -- Readiness probe of the Open WebUI container
# @section -- Probes configuration
readinessProbe: {}
# readinessProbe:
#   httpGet:
#     path: /health/db
#     port: http
#   failureThreshold: 1
#   periodSeconds: 10

# -- Startup probe of the Open WebUI container
# @section -- Probes configuration
startupProbe: {}
# startupProbe:
#   httpGet:
#     path: /health
#     port: http
#   initialDelaySeconds: 30
#   periodSeconds: 5
#   failureThreshold: 20

# -- Resource requests and limits for the Open WebUI container
resources: {}

copyAppData:
  # -- Open WebUI copy-app-data init container command (overrides default)
  command: []
  # -- Open WebUI copy-app-data init container arguments (overrides default)
  args: []
  # -- Resource requests and limits for the Open WebUI copy-app-data init container
  resources: {}

managedCertificate:
  # -- Enable GKE Managed Certificate for Ingress TLS
  # @section -- Ingress configuration
  enabled: false
  # -- Name of the Managed Certificate resource to create
  # @section -- Ingress configuration
  name: "mydomain-chat-cert"  # You can override this name if needed
  # -- Domains to include in the Managed Certificate
  # @section -- Ingress configuration
  domains:
    - chat.example.com  # update to your real domain

ingress:
  # -- Enable Ingress controller for Open WebUI
  # @section -- Ingress configuration
  enabled: false
  # -- Ingress class to use, e.g., for GKE Ingress use "gce", for NGINX Ingress use "nginx".
  # If using an Ingress class other than the default, ensure your cluster has the corresponding
  # Ingress controller installed and configured.
  # @section -- Ingress configuration
  class: ""
  # -- Use appropriate annotations for your Ingress controller, e.g., for NGINX:
  # @section -- Ingress configuration
  annotations: {}
  #   # Example for GKE Ingress
  #   kubernetes.io/ingress.class: "gce"
  #   kubernetes.io/ingress.global-static-ip-name: "open-webui-external-ip"  # you need to create this address in GCP console
  #   # Force HTTP to redirect to HTTPS
  #   nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
  #   nginx.ingress.kubernetes.io/ssl-redirect: "true"
  #   nginx.ingress.kubernetes.io/permanent-redirect: "https://chat.example.com"
  #   networking.gke.io/managed-certificates: "mydomain-chat-cert"
  #   # nginx.ingress.kubernetes.io/rewrite-target: /
  # -- Host for the Ingress record
  # @section -- Ingress configuration
  host: "chat.example.com"  # update to your real domain
  # -- Additional hosts for the Ingress record
  # @section -- Ingress configuration
  additionalHosts: []
  # -- TLS configuration for the Ingress resource.
  # NOTE(review): has no effect while `ingress.enabled` is false; if this Ingress is ever switched
  # on, enable TLS with it, since OIDC logins and session cookies pass through this route.
  # @section -- Ingress configuration
  tls: false
  # -- TLS secret name for the Ingress record
  # @section -- Ingress configuration
  existingSecret: ""
  # -- Extra labels for the Ingress metadata
  # @section -- Ingress configuration
  extraLabels: {}
  # extraLabels:
  #   app.kubernetes.io/environment: "staging"

persistence:
  # -- Enable persistence using PVC for Open WebUI data
  # @section -- Persistence configuration
  enabled: true
  # -- Size of the Open WebUI PVC
  # @section -- Persistence configuration
  size: 2Gi
  # -- Set existingClaim to re-use an existing Open WebUI PVC instead of creating a new one
  # @section -- Persistence configuration
  existingClaim: ""
  # -- Subdirectory of Open WebUI PVC to mount. Useful if root directory is not empty.
  # @section -- Persistence configuration
  subPath: ""
  # -- If using multiple replicas, you must update accessModes to ReadWriteMany
  # @section -- Persistence configuration
  accessModes:
    - ReadWriteOnce
  # -- Storage class of the Open WebUI PVC
  # @section -- Persistence configuration
  storageClass: openebs-3-replicas
  # -- Selector to match to get the volume bound to the claim
  # @section -- Persistence configuration
  selector: {}
  # -- Extra annotations for the PVC
  # @section -- Persistence configuration
  annotations: {}
  # -- Storage provider; available values are `local`, `s3`, `gcs` or `azure`
  # @section -- Persistence configuration
  provider: local
  s3:
    # -- Access key ID for S3 storage
    # @section -- Amazon S3 Storage configuration
    accessKey: ""
    # -- Secret access key for S3 storage (ignored if secretKeyExistingSecret is set)
    # @section -- Amazon S3 Storage configuration
    secretKey: ""
    # -- Existing k8s secret that holds the S3 access key ID
    # @section -- Amazon S3 Storage configuration
    accessKeyExistingSecret: open-webui
    # -- Key inside that secret that holds the S3 access key ID
    # @section -- Amazon S3 Storage configuration
    accessKeyExistingAccessKey: aws_access_key_id
    # -- Existing k8s secret that holds the S3 secret access key
    # @section -- Amazon S3 Storage configuration
    secretKeyExistingSecret: open-webui
    # -- Key inside that secret that holds the S3 secret access key
    # @section -- Amazon S3 Storage configuration
    secretKeyExistingSecretKey: aws_secret_access_key
    # -- Endpoint URL for S3 storage
    # NOTE(review): the value carries no scheme. It is unused while `provider` is `local`; before
    # switching to `s3`, confirm whether the client needs an explicit `https://` (or `http://`).
    # @section -- Amazon S3 Storage configuration
    endpointUrl: "s3.home:9000"
    # -- Region name for S3 storage
    # @section -- Amazon S3 Storage configuration
    region: home-nas
    # -- Bucket name for S3 storage
    # @section -- Amazon S3 Storage configuration
    bucket: open-webui
    # -- Key prefix for a S3 object
    # @section -- Amazon S3 Storage configuration
    keyPrefix: ""
  gcs:
    # -- Contents of Google Application Credentials JSON file (ignored if
    # appCredentialsJsonExistingSecret is set). Optional - if not provided, credentials will be
    # taken from the environment. User credentials if run locally and Google Metadata server if
    # run on a Google Compute Engine. File can be generated for a service account following this
    # guide: https://developers.google.com/workspace/guides/create-credentials#service-account
    # @section -- Google Cloud Storage configuration
    appCredentialsJson: ""
    # -- Existing secret that holds the Google Application Credentials JSON file
    # @section -- Google Cloud Storage configuration
    appCredentialsJsonExistingSecret: ""
    # -- Key inside that secret that holds the Google Application Credentials JSON file
    # @section -- Google Cloud Storage configuration
    appCredentialsJsonExistingSecretKey: ""
    # -- Bucket name for Google Cloud Storage. Bucket must already exist
    # @section -- Google Cloud Storage configuration
    bucket: ""
  azure:
    # -- Endpoint URL for Azure Storage
    # @section -- Azure Storage configuration
    endpointUrl: ""
    # -- Container name for Azure Storage
    # @section -- Azure Storage configuration
    container: ""
    # -- Access key for Azure Storage (ignored if keyExistingSecret is set). Optional - if not
    # provided, credentials will be taken from the environment. User credentials if run locally
    # and Managed Identity if run in Azure services
    # @section -- Azure Storage configuration
    key: ""
    # -- Existing secret that holds the Azure Storage access key
    # @section -- Azure Storage configuration
    keyExistingSecret: ""
    # -- Key inside that secret that holds the Azure Storage access key
    # @section -- Azure Storage configuration
    keyExistingSecretKey: ""

# -- Node labels for pod assignment.
nodeSelector: {}

# -- Tolerations for pod assignment
tolerations: []

# -- Affinity for pod assignment
affinity: {}

# -- Topology Spread Constraints for pod assignment
topologySpreadConstraints: []

# -- HostAliases to be added to hosts-file of each container
hostAliases: []

service:
  # -- Service type to expose Open WebUI pods to cluster. Options are ClusterIP, NodePort,
  # LoadBalancer, or ExternalName
  # @section -- Service configuration
  type: ClusterIP
  # -- Extra annotations for the Service
  # @section -- Service configuration
  annotations: {}
  # -- Port to expose Open WebUI service on
  # @section -- Service configuration
  port: 80
  # -- Target port for the Open WebUI container
  # @section -- Service configuration
  containerPort: 8080
  # -- Node port to use if service type is NodePort
  # @section -- Service configuration
  nodePort: ""
  # -- Extra labels for the Service metadata
  # @section -- Service configuration
  labels: {}
  # -- Load balancer class to use if service type is LoadBalancer (e.g., for GKE use "gce")
  # @section -- Service configuration
  loadBalancerClass: ""

# -- Enables the use of OpenAI APIs
# @section -- OpenAI API configuration
enableOpenaiApi: true

# -- OpenAI base API URL to use. Defaults to the Pipelines service endpoint when Pipelines are
# enabled, and "https://api.openai.com/v1" if Pipelines are not enabled and this value is blank
# @section -- OpenAI API configuration
openaiBaseApiUrl: "https://api.openai.com/v1"

# -- OpenAI base API URLs to use. Overwrites the value in openaiBaseApiUrl if set
# @section -- OpenAI API configuration
openaiBaseApiUrls: []
  # - "https://api.openai.com/v1"
  # - "https://api.company.openai.com/v1"

# -- OpenAI API key to use. Default API key value for Pipelines if `openaiBaseApiUrl` is blank.
# Should be updated in a production deployment, or be changed to the required API key if not
# using Pipelines
# NOTE(review): this value is the chart's published placeholder, not a secret. With
# `pipelines.enabled: true` it is presumably what protects the Pipelines endpoint - confirm, and
# supply a unique key from a Kubernetes Secret (see the secretKeyRef examples under
# `extraEnvVars`) rather than keeping a key in this file.
# @section -- OpenAI API configuration
openaiApiKey: "0p3n-w3bu!"

# -- List of OpenAI API keys for each OpenAI base API URLs to use. The number of keys must match
# the number of URLs in `openaiBaseApiUrls` and respect the same order. If `pipelines.enabled` is
# true, it needs one more key (so the list length should be openaiBaseApiUrls length + 1) and the
# first key will be used for Pipelines.
# @section -- OpenAI API configuration
openaiApiKeys: []
  # - "0p3n-w3bu!"
  # - "sk-4389759834759834"

# -- Configure database URL, needed to work with Postgres
# (example: `postgresql://<user>:<password>@<host>:<port>/<db>`),
# leave empty to use the default sqlite database. Alternatively, use extraEnvVars to construct the
# database URL by setting the `DATABASE_TYPE`, `DATABASE_USER`, `DATABASE_PASSWORD`,
# `DATABASE_HOST`, and `DATABASE_NAME` environment variables.
databaseUrl: ""

# -- Env vars added to the Open WebUI deployment. Most up-to-date environment variables can be
# found here: https://docs.openwebui.com/getting-started/env-configuration. Variables can be
# defined as list or map style.
extraEnvVars:
  # Valkey password read from the `open-webui` Secret, so it never appears in this file
  - name: VALKEY_PASSWORD
    valueFrom:
      secretKeyRef:
        name: open-webui
        key: valkey_password
  # - name: OPENAI_API_KEY
  #   valueFrom:
  #     secretKeyRef:
  #       name: pipelines-api-key
  #       key: api-key
  # - name: OPENAI_API_KEY
  #   valueFrom:
  #     secretKeyRef:
  #       name: openai-api-key
  #       key: api-key
  # - name: OLLAMA_DEBUG
  #   value: "1"
  #
  # OPENAI_API_KEY:
  #   valueFrom:
  #     secretKeyRef:
  #       name: pipelines-api-key
  #       key: api-key
  # OPENAI_API_KEY:
  #   valueFrom:
  #     secretKeyRef:
  #       name: openai-api-key
  #       key: api-key
  # OLLAMA_DEBUG: "1"

# -- Env vars added to the Open WebUI deployment, common across environments. Most up-to-date
# environment variables can be found here:
# https://docs.openwebui.com/getting-started/env-configuration/ (caution: environment variables
# defined in both `extraEnvVars` and `commonEnvVars` will result in a conflict. Avoid duplicates)
commonEnvVars: []
# - name: RAG_EMBEDDING_ENGINE
#   value: "openai"

# -- Env vars added from configmap or secret to the Open WebUI deployment. Most up-to-date
# environment variables can be found here:
# https://docs.openwebui.com/getting-started/env-configuration/ (caution: `extraEnvVars` will
# take precedence over the value from `extraEnvFrom`)
extraEnvFrom: []
# - configMapRef:
#     name: my-config
# - secretRef:
#     name: my-secret

# -- Configure runtime class
runtimeClassName: ""

# -- Configure container volume mounts
volumeMounts:
  initContainer: []
  # - name: ""
  #   mountPath: ""
  container: []
  # - name: ""
  #   mountPath: ""

# -- Additional init containers to add to the deployment/statefulset
extraInitContainers: []
# - name: custom-init
#   image: busybox:latest
#   command: ['sh', '-c', 'echo "Custom init container running"']
#   volumeMounts:
#   - name: data
#     mountPath: /data

# -- Configure pod volumes
volumes: []
# - name: ""
#   configMap:
#     name: ""
# - name: ""
#   emptyDir: {}

# -- Configure pod security context
# NOTE(review): left empty, so no pod-level security settings are set from this file.
podSecurityContext: {}
#   fsGroupChangePolicy: Always
#   sysctls: []
#   supplementalGroups: []
#   fsGroup: 1001

# -- Configure container security context
# NOTE(review): left empty, so the container runs with whatever the image and the cluster
# defaults give it. The commented block below is a hardening baseline (non-root user, no
# privilege escalation, all capabilities dropped, RuntimeDefault seccomp); check that the image
# starts under it before enabling.
containerSecurityContext: {}
#   runAsUser: 1001
#   runAsGroup: 1001
#   runAsNonRoot: true
#   privileged: false
#   allowPrivilegeEscalation: false
#   readOnlyRootFilesystem: false
#   capabilities:
#     drop:
#       - ALL
#   seccompProfile:
#     type: "RuntimeDefault"

sso:
  # -- **Enable SSO authentication globally** must enable to use SSO authentication
  # @section -- SSO Configuration
  enabled: true
  # -- Enable account creation when logging in with OAuth (distinct from regular signup)
  # NOTE(review): with this on, every identity the provider authenticates (and that passes
  # `roleManagement.allowedRoles`) gets a local account on first login.
  # @section -- SSO Configuration
  enableSignup: true
  # -- Allow logging into accounts that match email from OAuth provider (considered insecure)
  # NOTE(review): enabled here. The link is made on the email claim alone, so it is only as
  # trustworthy as the provider's email verification; confirm the Keycloak realm enforces
  # verified, non-editable emails, or turn this off once existing accounts are linked.
  # @section -- SSO Configuration
  mergeAccountsByEmail: true
  # -- Enable OAuth role management through access token roles claim
  # @section -- SSO Configuration
  enableRoleManagement: true
  # -- Enable OAuth group management through access token groups claim
  # @section -- SSO Configuration
  enableGroupManagement: false
  google:
    # -- Enable Google OAuth
    # @section -- Google OAuth configuration
    enabled: false
    # -- Google OAuth client ID
    # @section -- Google OAuth configuration
    clientId: ""
    # -- Google OAuth client secret (ignored if clientExistingSecret is set)
    # @section -- Google OAuth configuration
    clientSecret: ""
    # -- Google OAuth client secret from existing secret
    # @section -- Google OAuth configuration
    clientExistingSecret: ""
    # -- Google OAuth client secret key from existing secret
    # @section -- Google OAuth configuration
    clientExistingSecretKey: ""
  microsoft:
    # -- Enable Microsoft OAuth
    # @section -- Microsoft OAuth configuration
    enabled: false
    # -- Microsoft OAuth client ID
    # @section -- Microsoft OAuth configuration
    clientId: ""
    # -- Microsoft OAuth client secret (ignored if clientExistingSecret is set)
    # @section -- Microsoft OAuth configuration
    clientSecret: ""
    # -- Microsoft OAuth client secret from existing secret
    # @section -- Microsoft OAuth configuration
    clientExistingSecret: ""
    # -- Microsoft OAuth client secret key from existing secret
    # @section -- Microsoft OAuth configuration
    clientExistingSecretKey: ""
    # -- Microsoft tenant ID - use 9188040d-6c67-4c5b-b112-36a304b66dad for personal accounts
    # @section -- Microsoft OAuth configuration
    tenantId: ""
  github:
    # -- Enable GitHub OAuth
    # @section -- GitHub OAuth configuration
    enabled: false
    # -- GitHub OAuth client ID
    # @section -- GitHub OAuth configuration
    clientId: ""
    # -- GitHub OAuth client secret (ignored if clientExistingSecret is set)
    # @section -- GitHub OAuth configuration
    clientSecret: ""
    # -- GitHub OAuth client secret from existing secret
    # @section -- GitHub OAuth configuration
    clientExistingSecret: ""
    # -- GitHub OAuth client secret key from existing secret
    # @section -- GitHub OAuth configuration
    clientExistingSecretKey: ""
  oidc:
    # -- Enable OIDC authentication
    # @section -- OIDC configuration
    enabled: true
    # -- OIDC client ID
    # @section -- OIDC configuration
    clientId: open-webui
    # -- OIDC client secret (ignored if clientExistingSecret is set)
    # @section -- OIDC configuration
    clientSecret: ""
    # -- OIDC client secret from existing secret
    # @section -- OIDC configuration
    clientExistingSecret: open-webui
    # -- OIDC client secret key from existing secret
    # @section -- OIDC configuration
    clientExistingSecretKey: iam_client_secret
    # -- OIDC provider well known URL
    # @section -- OIDC configuration
    providerUrl: "https://iam.borninpain.de/realms/home/.well-known/openid-configuration"
    # -- Name of the provider to show on the UI
    # @section -- OIDC configuration
    providerName: Keycloak
    # -- Scopes to request (space-separated).
    # @section -- OIDC configuration
    scopes: "openid email profile"
  roleManagement:
    # -- The claim that contains the roles (can be nested, e.g., user.roles)
    # @section -- Role management configuration
    rolesClaim: realm_access.roles
    # -- Comma-separated list of roles allowed to log in (receive open webui role user)
    # NOTE(review): `default-roles-<realm>` is the role Keycloak grants to every user of a realm
    # by default, so this presumably admits the whole `home` realm - confirm that is intended.
    # @section -- Role management configuration
    allowedRoles: "default-roles-home"
    # -- Comma-separated list of roles allowed to log in as admin (receive open webui role admin)
    # NOTE(review): admin rights follow this token claim; keep assignment of the `ADMIN` realm
    # role restricted and audited on the identity-provider side.
    # @section -- Role management configuration
    adminRoles: "ADMIN"
  groupManagement:
    # -- The claim that contains the groups (can be nested, e.g., user.memberOf)
    # @section -- SSO Configuration
    groupsClaim: "groups"
  trustedHeader:
    # -- Enable trusted header authentication
    # @section -- SSO trusted header authentication
    enabled: false
    # -- Header containing the user's email address
    # @section -- SSO trusted header authentication
    emailHeader: ""
    # -- Header containing the user's name (optional, used for new user creation)
    # @section -- SSO trusted header authentication
    nameHeader: ""

# -- Extra resources to deploy with Open WebUI
extraResources: []
#   - apiVersion: v1
#     kind: ConfigMap
#     metadata:
#       name: example-configmap
#     data:
#       example-key: example-value

# Configure Application logging levels
# (see. https://docs.openwebui.com/getting-started/advanced-topics/logging#-logging-levels-explained)
logging:
  # -- Set the global log level ["notset", "debug", "info" (default), "warning", "error", "critical"]
  # @section -- Logging configuration
  level: ""

  # Optional granularity: override log levels per subsystem/component
  # if not set, it will use the global level
  # (see. https://docs.openwebui.com/getting-started/advanced-topics/logging#%EF%B8%8F-appbackend-specific-logging-levels)
  components:
    # -- Set the log level for the Audio processing component
    # @section -- Logging configuration
    audio: ""
    # -- Set the log level for the ComfyUI Integration component
    # @section -- Logging configuration
    comfyui: ""
    # -- Set the log level for the Configuration Management component
    # @section -- Logging configuration
    config: ""
    # -- Set the log level for the Database Operations (Peewee) component
    # @section -- Logging configuration
    db: ""
    # -- Set the log level for the Image Generation component
    # @section -- Logging configuration
    images: ""
    # -- Set the log level for the Main Application Execution component
    # @section -- Logging configuration
    main: ""
    # -- Set the log level for the Model Management component
    # @section -- Logging configuration
    models: ""
    # -- Set the log level for the Ollama Backend Integration component
    # @section -- Logging configuration
    ollama: ""
    # -- Set the log level for the OpenAI API Integration component
    # @section -- Logging configuration
    openai: ""
    # -- Set the log level for the Retrieval-Augmented Generation (RAG) component
    # @section -- Logging configuration
    rag: ""
    # -- Set the log level for the Authentication Webhook component
    # @section -- Logging configuration
    webhook: ""