732 lines
28 KiB
YAML
732 lines
28 KiB
YAML
# -- Provide a name in place of the default application name
|
|
nameOverride: ""
|
|
|
|
# -- Provide a namespace in place of the default release namespace
|
|
namespaceOverride: ""
|
|
|
|
ollama:
|
|
# -- Automatically install Ollama Helm chart from https://otwld.github.io/ollama-helm/. Use [Helm Values](https://github.com/otwld/ollama-helm/#helm-values) to configure
|
|
# @section -- External Tools configuration
|
|
enabled: false
|
|
# -- If enabling embedded Ollama, update fullnameOverride to your desired Ollama name value, or else it will use the default ollama.name value from the Ollama chart
|
|
# @section -- External Tools configuration
|
|
fullnameOverride: "open-webui-ollama"
|
|
# -- Example Ollama configuration with nvidia GPU enabled, automatically downloading a model, and deploying a PVC for model persistence
|
|
# ollama:
|
|
# gpu:
|
|
# enabled: true
|
|
# type: 'nvidia'
|
|
# number: 1
|
|
# models:
|
|
# pull:
|
|
# - llama3
|
|
# run:
|
|
# - llama3
|
|
# runtimeClassName: nvidia
|
|
# persistentVolume:
|
|
# enabled: true
|
|
# volumeName: "example-pre-existing-pv-created-by-smb-csi"
|
|
|
|
# -- A list of Ollama API endpoints. These can be added in lieu of automatically installing the Ollama Helm chart, or in addition to it.
|
|
# @section -- External Tools configuration
|
|
ollamaUrls: []
|
|
|
|
# -- Disables taking Ollama Urls from `ollamaUrls` list
|
|
# @section -- External Tools configuration
|
|
ollamaUrlsFromExtraEnv: false
|
|
|
|
pipelines:
|
|
# -- Automatically install Pipelines chart to extend Open WebUI functionality using Pipelines: https://github.com/open-webui/pipelines
|
|
# @section -- External Tools configuration
|
|
enabled: true
|
|
# -- This section can be used to pass required environment variables to your pipelines (e.g. Langfuse hostname)
|
|
# @section -- External Tools configuration
|
|
extraEnvVars: []
|
|
|
|
tika:
|
|
# -- Automatically install Apache Tika to extend Open WebUI
|
|
# @section -- External Tools configuration
|
|
enabled: false
|
|
|
|
websocket:
|
|
# -- Enables websocket support in Open WebUI with env `ENABLE_WEBSOCKET_SUPPORT`
|
|
# @section -- Websocket configuration
|
|
enabled: true
|
|
# -- Specifies the websocket manager to use with env `WEBSOCKET_MANAGER`: redis (default)
|
|
# @section -- Websocket configuration
|
|
manager: redis
|
|
# -- Specifies the URL of the Redis instance for websocket communication. Template with `redis://[:<password>@]<hostname>:<port>/<db>`
|
|
# @section -- Websocket configuration
|
|
url: redis://:${VALKEY_PASSWORD}@valkey.valkey.svc.cluster.local:6379/5
|
|
# -- Node selector for websocket pods
|
|
# @section -- Websocket configuration
|
|
nodeSelector: {}
|
|
redis:
|
|
# -- Enable redis installation
|
|
# @section -- Websocket configuration
|
|
enabled: false
|
|
# -- Redis name
|
|
# @section -- Websocket configuration
|
|
name: open-webui-redis
|
|
# -- Redis labels
|
|
# @section -- Websocket configuration
|
|
labels: {}
|
|
# -- Redis annotations
|
|
# @section -- Websocket configuration
|
|
annotations: {}
|
|
pods:
|
|
# -- Redis pod labels
|
|
# @section -- Websocket configuration
|
|
labels: {}
|
|
# -- Redis pod annotations
|
|
# @section -- Websocket configuration
|
|
annotations: {}
|
|
image:
|
|
# -- Redis image repository
|
|
# @section -- Websocket configuration
|
|
repository: redis
|
|
# -- Redis image tag
|
|
# @section -- Websocket configuration
|
|
tag: 7.4.2-alpine3.21
|
|
# -- Redis image pull policy
|
|
# @section -- Websocket configuration
|
|
pullPolicy: IfNotPresent
|
|
# -- Redis command (overrides default)
|
|
# @section -- Websocket configuration
|
|
command: []
|
|
# -- Redis arguments (overrides default)
|
|
# @section -- Websocket configuration
|
|
args: []
|
|
# -- Redis resources
|
|
# @section -- Websocket configuration
|
|
resources: {}
|
|
service:
|
|
# -- Redis container/target port
|
|
# @section -- Websocket configuration
|
|
containerPort: 6379
|
|
# -- Redis service type
|
|
# @section -- Websocket configuration
|
|
type: ClusterIP
|
|
# -- Redis service labels
|
|
# @section -- Websocket configuration
|
|
labels: {}
|
|
# -- Redis service annotations
|
|
# @section -- Websocket configuration
|
|
annotations: {}
|
|
# -- Redis service port name. Istio needs this to be something like `tcp-redis`
|
|
# @section -- Websocket configuration
|
|
portName: http
|
|
# -- Redis service port
|
|
# @section -- Websocket configuration
|
|
port: 6379
|
|
# -- Redis service node port. Valid only when type is `NodePort`
|
|
# @section -- Websocket configuration
|
|
nodePort: ""
|
|
# -- Redis tolerations for pod assignment
|
|
# @section -- Websocket configuration
|
|
tolerations: []
|
|
# -- Redis affinity for pod assignment
|
|
# @section -- Websocket configuration
|
|
affinity: {}
|
|
# -- Redis container security context (certain specs are not allowed on a pod level), if readOnlyRootFilesystem is true, an emtpyDir will be mounted on the redis container
|
|
# @section -- Websocket configuration
|
|
containerSecurityContext: {}
|
|
# readOnlyRootFilesystem: true
|
|
# runAsNonRoot: true
|
|
# -- Redis pod security context
|
|
# @section -- Websocket configuration
|
|
podSecurityContext: {}
|
|
# runAsUser: 999
|
|
# runAsGroup: 1000
|
|
|
|
# -- Value of cluster domain
|
|
clusterDomain: cluster.local
|
|
|
|
# -- Additional custom labels to add to the Open WebUI deployment/statefulset metadata
|
|
extraLabels: {}
|
|
|
|
# -- Additional annotations to add to the Open WebUI deployment/statefulset metadata
|
|
annotations: {}
|
|
|
|
# -- Additional annotations to add to the Open WebUI pods
|
|
podAnnotations: {}
|
|
|
|
# -- Additional custom labels to add to the Open WebUI pods
|
|
podLabels: {}
|
|
|
|
# -- Number of Open WebUI replicas
|
|
replicaCount: 1
|
|
|
|
# -- Revision history limit for the workload manager (deployment).
|
|
revisionHistoryLimit: 10
|
|
|
|
# -- Priority class name for the Open WebUI pods
|
|
priorityClassName: ""
|
|
|
|
# -- Strategy for updating the workload manager: deployment or statefulset
|
|
strategy: {}
|
|
|
|
image:
|
|
# -- Open WebUI image repository
|
|
# @section -- Image configuration
|
|
repository: ghcr.io/open-webui/open-webui
|
|
# -- Open WebUI image tag (Open WebUI image tags can be found here: https://github.com/open-webui/open-webui)
|
|
# @section -- Image configuration
|
|
tag: ""
|
|
# -- Open WebUI image pull policy
|
|
# @section -- Image configuration
|
|
pullPolicy: "IfNotPresent"
|
|
# -- Use a slim version of the Open WebUI image
|
|
# @section -- Image configuration
|
|
useSlim: false
|
|
|
|
# -- Configure imagePullSecrets to use private registry
|
|
# ref: <https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry>
|
|
# @section -- Image configuration
|
|
imagePullSecrets: []
|
|
# imagePullSecrets:
|
|
# - name: myRegistryKeySecretName
|
|
|
|
# -- Open WebUI container command (overrides default entrypoint)
|
|
command: []
|
|
|
|
# -- Open WebUI container arguments (overrides default)
|
|
args: []
|
|
|
|
serviceAccount:
|
|
# -- Enable service account creation
|
|
# @section -- Service Account configuration
|
|
enable: true
|
|
# -- If create is set to false, set `name` to existing service account name
|
|
# @section -- Service Account configuration
|
|
create: true
|
|
# -- Service account name to use. If `ServiceAccount.create` is false, this assumes an existing service account exists with the set name. If not set and `serviceAccount.create` is true, a name is generated using the fullname template.
|
|
# @section -- Service Account configuration
|
|
name: "existing-sa"
|
|
# -- Additional annotations to add to the ServiceAccount
|
|
# @section -- Service Account configuration
|
|
annotations: {}
|
|
# -- Automount service account token for the Open WebUI pods
|
|
# @section -- Service Account configuration
|
|
automountServiceAccountToken: false
|
|
|
|
# -- Probe for liveness of the Open WebUI container
|
|
# ref: <https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes>
|
|
# @section -- Probes configuration
|
|
livenessProbe: {}
|
|
# livenessProbe:
|
|
# httpGet:
|
|
# path: /health
|
|
# port: http
|
|
# failureThreshold: 1
|
|
# periodSeconds: 10
|
|
|
|
# -- Probe for readiness of the Open WebUI container
|
|
# ref: <https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes>
|
|
# @section -- Probes configuration
|
|
readinessProbe: {}
|
|
# readinessProbe:
|
|
# httpGet:
|
|
# path: /health/db
|
|
# port: http
|
|
# failureThreshold: 1
|
|
# periodSeconds: 10
|
|
|
|
# -- Probe for startup of the Open WebUI container
|
|
# ref: <https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes>
|
|
# @section -- Probes configuration
|
|
startupProbe: {}
|
|
# startupProbe:
|
|
# httpGet:
|
|
# path: /health
|
|
# port: http
|
|
# initialDelaySeconds: 30
|
|
# periodSeconds: 5
|
|
# failureThreshold: 20
|
|
|
|
# -- Resource requests and limits for the Open WebUI container
|
|
resources: {}
|
|
|
|
copyAppData:
|
|
# -- Open WebUI copy-app-data init container command (overrides default)
|
|
command: []
|
|
# -- Open WebUI copy-app-data init container arguments (overrides default)
|
|
args: []
|
|
# -- Resource requests and limits for the Open WebUI copy-app-data init container
|
|
resources: {}
|
|
|
|
managedCertificate:
|
|
# -- Enable GKE Managed Certificate for Ingress TLS
|
|
# @section -- Ingress configuration
|
|
enabled: false
|
|
# -- Name of the Managed Certificate resource to create
|
|
# @section -- Ingress configuration
|
|
name: "mydomain-chat-cert" # You can override this name if needed
|
|
# -- Domains to include in the Managed Certificate
|
|
# @section -- Ingress configuration
|
|
domains:
|
|
- chat.example.com # update to your real domain
|
|
|
|
ingress:
|
|
# -- Enable Ingress controller for Open WebUI
|
|
# @section -- Ingress configuration
|
|
enabled: false
|
|
# -- Ingress class to use, e.g., for GKE Ingress use "gce", for NGINX Ingress use "nginx". If using an Ingress class other than the default, ensure your cluster has the corresponding Ingress controller installed and configured.
|
|
# @section -- Ingress configuration
|
|
class: ""
|
|
# -- Use appropriate annotations for your Ingress controller, e.g., for NGINX:
|
|
# @section -- Ingress configuration
|
|
annotations: {}
|
|
# # Example for GKE Ingress
|
|
# kubernetes.io/ingress.class: "gce"
|
|
# kubernetes.io/ingress.global-static-ip-name: "open-webui-external-ip" # you need to create this address in GCP console
|
|
# # Force HTTP to redirect to HTTPS
|
|
# nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
|
|
# nginx.ingress.kubernetes.io/ssl-redirect: "true"
|
|
# nginx.ingress.kubernetes.io/permanent-redirect: "https://chat.example.com"
|
|
# networking.gke.io/managed-certificates: "mydomain-chat-cert"
|
|
# # nginx.ingress.kubernetes.io/rewrite-target: /
|
|
# -- Host for the Ingress record
|
|
# @section -- Ingress configuration
|
|
host: "chat.example.com" # update to your real domain
|
|
# -- Additional hosts for the Ingress record
|
|
# @section -- Ingress configuration
|
|
additionalHosts: []
|
|
# -- TLS configuration for the Ingress resource
|
|
# @section -- Ingress configuration
|
|
tls: false
|
|
# -- TLS secret name for the Ingress record
|
|
# @section -- Ingress configuration
|
|
existingSecret: ""
|
|
# -- Additional custom labels to add to the Ingress metadata
|
|
# @section -- Ingress configuration
|
|
extraLabels: {}
|
|
# extraLabels:
|
|
# app.kubernetes.io/environment: "staging"
|
|
|
|
persistence:
|
|
# -- Enable persistence using PVC for Open WebUI data
|
|
# @section -- Persistence configuration
|
|
enabled: true
|
|
# -- Size of the Open WebUI PVC
|
|
# @section -- Persistence configuration
|
|
size: 2Gi
|
|
# -- Use existingClaim if you want to re-use an existing Open WebUI PVC instead of creating a new one
|
|
# @section -- Persistence configuration
|
|
existingClaim: ""
|
|
# -- Subdirectory of Open WebUI PVC to mount. Useful if root directory is not empty.
|
|
# @section -- Persistence configuration
|
|
subPath: ""
|
|
# -- If using multiple replicas, you must update accessModes to ReadWriteMany
|
|
# @section -- Persistence configuration
|
|
accessModes:
|
|
- ReadWriteOnce
|
|
# -- Storage class of the Open WebUI PVC
|
|
# @section -- Persistence configuration
|
|
storageClass: openebs-3-replicas
|
|
# -- Selector to match to get the volume bound to the claim
|
|
# @section -- Persistence configuration
|
|
selector: {}
|
|
# -- Additional annotations to add to the PVC
|
|
# @section -- Persistence configuration
|
|
annotations: {}
|
|
# -- Sets the storage provider, availables values are `local`, `s3`, `gcs` or `azure`
|
|
# @section -- Persistence configuration
|
|
provider: local
|
|
s3:
|
|
# -- Sets the access key ID for S3 storage
|
|
# @section -- Amazon S3 Storage configuration
|
|
accessKey: ""
|
|
# -- Sets the secret access key for S3 storage (ignored if secretKeyExistingSecret is set)
|
|
# @section -- Amazon S3 Storage configuration
|
|
secretKey: ""
|
|
# -- Set the secret access key for S3 storage from existing k8s secret
|
|
# @section -- Amazon S3 Storage configuration
|
|
accessKeyExistingSecret: open-webui
|
|
# -- Set the secret access key for S3 storage from existing k8s secret key
|
|
# @section -- Amazon S3 Storage configuration
|
|
accessKeyExistingAccessKey: aws_access_key_id
|
|
# -- Set the secret key for S3 storage from existing k8s secret
|
|
# @section -- Amazon S3 Storage configuration
|
|
secretKeyExistingSecret: open-webui
|
|
# -- Set the secret key for S3 storage from existing k8s secret key
|
|
# @section -- Amazon S3 Storage configuration
|
|
secretKeyExistingSecretKey: aws_secret_access_key
|
|
# -- Sets the endpoint url for S3 storage
|
|
# @section -- Amazon S3 Storage configuration
|
|
endpointUrl: s3.home:9000
|
|
# -- Sets the region name for S3 storage
|
|
# @section -- Amazon S3 Storage configuration
|
|
region: home-nas
|
|
# -- Sets the bucket name for S3 storage
|
|
# @section -- Amazon S3 Storage configuration
|
|
bucket: open-webui
|
|
# -- Sets the key prefix for a S3 object
|
|
# @section -- Amazon S3 Storage configuration
|
|
keyPrefix: ""
|
|
gcs:
|
|
# -- Contents of Google Application Credentials JSON file (ignored if appCredentialsJsonExistingSecret is set). Optional - if not provided, credentials will be taken from the environment. User credentials if run locally and Google Metadata server if run on a Google Compute Engine. File can be generated for a service account following this guide: https://developers.google.com/workspace/guides/create-credentials#service-account
|
|
# @section -- Google Cloud Storage configuration
|
|
appCredentialsJson: ""
|
|
# -- Set the Google Application Credentials JSON file for Google Cloud Storage from existing secret
|
|
# @section -- Google Cloud Storage configuration
|
|
appCredentialsJsonExistingSecret: ""
|
|
# -- Set the Google Application Credentials JSON file for Google Cloud Storage from existing secret key
|
|
# @section -- Google Cloud Storage configuration
|
|
appCredentialsJsonExistingSecretKey: ""
|
|
# -- Sets the bucket name for Google Cloud Storage. Bucket must already exist
|
|
# @section -- Google Cloud Storage configuration
|
|
bucket: ""
|
|
azure:
|
|
# -- Sets the endpoint URL for Azure Storage
|
|
# @section -- Azure Storage configuration
|
|
endpointUrl: ""
|
|
# -- Sets the container name for Azure Storage
|
|
# @section -- Azure Storage configuration
|
|
container: ""
|
|
# -- Set the access key for Azure Storage (ignored if keyExistingSecret is set). Optional - if not provided, credentials will be taken from the environment. User credentials if run locally and Managed Identity if run in Azure services
|
|
# @section -- Azure Storage configuration
|
|
key: ""
|
|
# -- Set the access key for Azure Storage from existing secret
|
|
# @section -- Azure Storage configuration
|
|
keyExistingSecret: ""
|
|
# -- Set the access key for Azure Storage from existing secret key
|
|
# @section -- Azure Storage configuration
|
|
keyExistingSecretKey: ""
|
|
|
|
# -- Node labels for pod assignment.
|
|
nodeSelector: {}
|
|
|
|
# -- Tolerations for pod assignment
|
|
tolerations: []
|
|
|
|
# -- Affinity for pod assignment
|
|
affinity: {}
|
|
|
|
# -- Topology Spread Constraints for pod assignment
|
|
topologySpreadConstraints: []
|
|
|
|
# -- HostAliases to be added to hosts-file of each container
|
|
hostAliases: []
|
|
|
|
service:
|
|
# -- Service type to expose Open WebUI pods to cluster. Options are ClusterIP, NodePort, LoadBalancer, or ExternalName
|
|
# @section -- Service configuration
|
|
type: ClusterIP
|
|
# -- Additional annotations to add to the Service
|
|
# @section -- Service configuration
|
|
annotations: {}
|
|
# -- Port to expose Open WebUI service on
|
|
# @section -- Service configuration
|
|
port: 80
|
|
# -- Target port for the Open WebUI container
|
|
# @section -- Service configuration
|
|
containerPort: 8080
|
|
# -- Node port to use if service type is NodePort
|
|
# @section -- Service configuration
|
|
nodePort: ""
|
|
# -- Additional custom labels to add to the Service metadata
|
|
# @section -- Service configuration
|
|
labels: {}
|
|
# -- Load balancer class to use if service type is LoadBalancer (e.g., for GKE use "gce")
|
|
# @section -- Service configuration
|
|
loadBalancerClass: ""
|
|
|
|
# -- Enables the use of OpenAI APIs
|
|
# @section -- OpenAI API configuration
|
|
enableOpenaiApi: true
|
|
|
|
# -- OpenAI base API URL to use. Defaults to the Pipelines service endpoint when Pipelines are enabled, and "https://api.openai.com/v1" if Pipelines are not enabled and this value is blank
|
|
# @section -- OpenAI API configuration
|
|
openaiBaseApiUrl: "https://api.openai.com/v1"
|
|
|
|
# -- OpenAI base API URLs to use. Overwrites the value in openaiBaseApiUrl if set
|
|
# @section -- OpenAI API configuration
|
|
openaiBaseApiUrls: []
|
|
# - "https://api.openai.com/v1"
|
|
# - "https://api.company.openai.com/v1"
|
|
|
|
# -- OpenAI API key to use. Default API key value for Pipelines if `openaiBaseApiUrl` is blank. Should be updated in a production deployment, or be changed to the required API key if not using Pipelines
|
|
# @section -- OpenAI API configuration
|
|
openaiApiKey: "0p3n-w3bu!"
|
|
|
|
# -- List of OpenAI API keys for each OpenAI base API URLs to use. The number of keys must match the number of URLs in `openaiBaseApiUrls` and respect the same order. If `pipelines.enabled` is true, it needs one more key (so the list length should be openaiBaseApiUrls length + 1) and the first key will be used for Pipelines.
|
|
# @section -- OpenAI API configuration
|
|
openaiApiKeys: []
|
|
# - "0p3n-w3bu!"
|
|
# - "sk-4389759834759834"
|
|
|
|
# -- Configure database URL, needed to work with Postgres (example: `postgresql://<user>:<password>@<service>:<port>/<database>`),
|
|
# leave empty to use the default sqlite database. Alternatively, use extraEnvVars to construct the database URL by setting the `DATABASE_TYPE`, `DATABASE_USER`, `DATABASE_PASSWORD`, `DATABASE_HOST`, and `DATABASE_NAME` environment variables.
|
|
|
|
databaseUrl: ""
|
|
|
|
# -- Env vars added to the Open WebUI deployment. Most up-to-date environment variables can be found here: https://docs.openwebui.com/getting-started/env-configuration. Variables can be defined as list or map style.
|
|
extraEnvVars:
|
|
- name: VALKEY_PASSWORD
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: open-webui
|
|
key: valkey_password
|
|
# - name: OPENAI_API_KEY
|
|
# valueFrom:
|
|
# secretKeyRef:
|
|
# name: pipelines-api-key
|
|
# key: api-key
|
|
# - name: OPENAI_API_KEY
|
|
# valueFrom:
|
|
# secretKeyRef:
|
|
# name: openai-api-key
|
|
# key: api-key
|
|
# - name: OLLAMA_DEBUG
|
|
# value: "1"
|
|
#
|
|
# OPENAI_API_KEY:
|
|
# valueFrom:
|
|
# secretKeyRef:
|
|
# name: pipelines-api-key
|
|
# key: api-key
|
|
# OPENAI_API_KEY:
|
|
# valueFrom:
|
|
# secretKeyRef:
|
|
# name: openai-api-key
|
|
# key: api-key
|
|
# OLLAMA_DEBUG: "1"
|
|
|
|
# -- Env vars added to the Open WebUI deployment, common across environments. Most up-to-date environment variables can be found here: https://docs.openwebui.com/getting-started/env-configuration/ (caution: environment variables defined in both `extraEnvVars` and `commonEnvVars` will result in a conflict. Avoid duplicates)
|
|
commonEnvVars: []
|
|
# - name: RAG_EMBEDDING_ENGINE
|
|
# value: "openai"
|
|
|
|
# -- Env vars added from configmap or secret to the Open WebUI deployment. Most up-to-date environment variables can be found here: https://docs.openwebui.com/getting-started/env-configuration/ (caution: `extraEnvVars` will take precedence over the value from `extraEnvFrom`)
|
|
extraEnvFrom: []
|
|
# - configMapRef:
|
|
# name: my-config
|
|
# - secretRef:
|
|
# name: my-secret
|
|
|
|
# -- Configure runtime class
|
|
# ref: <https://kubernetes.io/docs/concepts/containers/runtime-class/>
|
|
runtimeClassName: ""
|
|
|
|
# -- Configure container volume mounts
|
|
# ref: <https://kubernetes.io/docs/tasks/configure-pod-container/configure-volume-storage/>
|
|
volumeMounts:
|
|
initContainer: []
|
|
# - name: ""
|
|
# mountPath: ""
|
|
container: []
|
|
# - name: ""
|
|
# mountPath: ""
|
|
|
|
# -- Additional init containers to add to the deployment/statefulset
|
|
# ref: <https://kubernetes.io/docs/concepts/workloads/pods/init-containers/>
|
|
extraInitContainers: []
|
|
# - name: custom-init
|
|
# image: busybox:latest
|
|
# command: ['sh', '-c', 'echo "Custom init container running"']
|
|
# volumeMounts:
|
|
# - name: data
|
|
# mountPath: /data
|
|
|
|
# -- Configure pod volumes
|
|
# ref: <https://kubernetes.io/docs/tasks/configure-pod-container/configure-volume-storage/>
|
|
volumes: []
|
|
# - name: ""
|
|
# configMap:
|
|
# name: ""
|
|
# - name: ""
|
|
# emptyDir: {}
|
|
|
|
# -- Configure pod security context
|
|
# ref: <https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container>
|
|
podSecurityContext: {}
|
|
# fsGroupChangePolicy: Always
|
|
# sysctls: []
|
|
# supplementalGroups: []
|
|
# fsGroup: 1001
|
|
|
|
# -- Configure container security context
|
|
# ref: <https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-containe>
|
|
containerSecurityContext: {}
|
|
# runAsUser: 1001
|
|
# runAsGroup: 1001
|
|
# runAsNonRoot: true
|
|
# privileged: false
|
|
# allowPrivilegeEscalation: false
|
|
# readOnlyRootFilesystem: false
|
|
# capabilities:
|
|
# drop:
|
|
# - ALL
|
|
# seccompProfile:
|
|
# type: "RuntimeDefault"
|
|
|
|
sso:
|
|
# -- **Enable SSO authentication globally** must enable to use SSO authentication
|
|
# @section -- SSO Configuration
|
|
enabled: true
|
|
# -- Enable account creation when logging in with OAuth (distinct from regular signup)
|
|
# @section -- SSO Configuration
|
|
enableSignup: true
|
|
# -- Allow logging into accounts that match email from OAuth provider (considered insecure)
|
|
# @section -- SSO Configuration
|
|
mergeAccountsByEmail: true
|
|
# -- Enable OAuth role management through access token roles claim
|
|
# @section -- SSO Configuration
|
|
enableRoleManagement: true
|
|
# -- Enable OAuth group management through access token groups claim
|
|
# @section -- SSO Configuration
|
|
enableGroupManagement: false
|
|
google:
|
|
# -- Enable Google OAuth
|
|
# @section -- Google OAuth configuration
|
|
enabled: false
|
|
# -- Google OAuth client ID
|
|
# @section -- Google OAuth configuration
|
|
clientId: ""
|
|
# -- Google OAuth client secret (ignored if clientExistingSecret is set)
|
|
# @section -- Google OAuth configuration
|
|
clientSecret: ""
|
|
# -- Google OAuth client secret from existing secret
|
|
# @section -- Google OAuth configuration
|
|
clientExistingSecret: ""
|
|
# -- Google OAuth client secret key from existing secret
|
|
# @section -- Google OAuth configuration
|
|
clientExistingSecretKey: ""
|
|
microsoft:
|
|
# -- Enable Microsoft OAuth
|
|
# @section -- Microsoft OAuth configuration
|
|
enabled: false
|
|
# -- Microsoft OAuth client ID
|
|
# @section -- Microsoft OAuth configuration
|
|
clientId: ""
|
|
# -- Microsoft OAuth client secret (ignored if clientExistingSecret is set)
|
|
# @section -- Microsoft OAuth configuration
|
|
clientSecret: ""
|
|
# -- Microsoft OAuth client secret from existing secret
|
|
# @section -- Microsoft OAuth configuration
|
|
clientExistingSecret: ""
|
|
# -- Microsoft OAuth client secret key from existing secret
|
|
# @section -- Microsoft OAuth configuration
|
|
clientExistingSecretKey: ""
|
|
# -- Microsoft tenant ID - use 9188040d-6c67-4c5b-b112-36a304b66dad for personal accounts
|
|
# @section -- Microsoft OAuth configuration
|
|
tenantId: ""
|
|
github:
|
|
# -- Enable GitHub OAuth
|
|
# @section -- GitHub OAuth configuration
|
|
enabled: false
|
|
# -- GitHub OAuth client ID
|
|
# @section -- GitHub OAuth configuration
|
|
clientId: ""
|
|
# -- GitHub OAuth client secret (ignored if clientExistingSecret is set)
|
|
# @section -- GitHub OAuth configuration
|
|
clientSecret: ""
|
|
# -- GitHub OAuth client secret from existing secret
|
|
# @section -- GitHub OAuth configuration
|
|
clientExistingSecret: ""
|
|
# -- GitHub OAuth client secret key from existing secret
|
|
# @section -- GitHub OAuth configuration
|
|
clientExistingSecretKey: ""
|
|
oidc:
|
|
# -- Enable OIDC authentication
|
|
# @section -- OIDC configuration
|
|
enabled: true
|
|
# -- OIDC client ID
|
|
# @section -- OIDC configuration
|
|
clientId: open-webui
|
|
# -- OIDC client secret (ignored if clientExistingSecret is set)
|
|
# @section -- OIDC configuration
|
|
clientSecret: ""
|
|
# -- OICD client secret from existing secret
|
|
# @section -- OIDC configuration
|
|
clientExistingSecret: open-webui
|
|
# -- OIDC client secret key from existing secret
|
|
# @section -- OIDC configuration
|
|
clientExistingSecretKey: iam_client_secret
|
|
# -- OIDC provider well known URL
|
|
# @section -- OIDC configuration
|
|
providerUrl: https://iam.borninpain.de/realms/home/.well-known/openid-configuration
|
|
# -- Name of the provider to show on the UI
|
|
# @section -- OIDC configuration
|
|
providerName: Keycloak
|
|
# -- Scopes to request (space-separated).
|
|
# @section -- OIDC configuration
|
|
scopes: "openid email profile"
|
|
roleManagement:
|
|
# -- The claim that contains the roles (can be nested, e.g., user.roles)
|
|
# @section -- Role management configuration
|
|
rolesClaim: realm_access.roles
|
|
# -- Comma-separated list of roles allowed to log in (receive open webui role user)
|
|
# @section -- Role management configuration
|
|
allowedRoles: "default-roles-home"
|
|
# -- Comma-separated list of roles allowed to log in as admin (receive open webui role admin)
|
|
# @section -- Role management configuration
|
|
adminRoles: "ADMIN"
|
|
groupManagement:
|
|
# -- The claim that contains the groups (can be nested, e.g., user.memberOf)
|
|
# @section -- SSO Configuration
|
|
groupsClaim: "groups"
|
|
trustedHeader:
|
|
# -- Enable trusted header authentication
|
|
# @section -- SSO trusted header authentication
|
|
enabled: false
|
|
# -- Header containing the user's email address
|
|
# @section -- SSO trusted header authentication
|
|
emailHeader: ""
|
|
# -- Header containing the user's name (optional, used for new user creation)
|
|
# @section -- SSO trusted header authentication
|
|
nameHeader: ""
|
|
|
|
# -- Extra resources to deploy with Open WebUI
|
|
extraResources: []
|
|
# - apiVersion: v1
|
|
# kind: ConfigMap
|
|
# metadata:
|
|
# name: example-configmap
|
|
# data:
|
|
# example-key: example-value
|
|
|
|
# Configure Application logging levels (see. https://docs.openwebui.com/getting-started/advanced-topics/logging#-logging-levels-explained)
|
|
logging:
|
|
# -- Set the global log level ["notset", "debug", "info" (default), "warning", "error", "critical"]
|
|
# @section -- Logging configuration
|
|
level: ""
|
|
# Optional granularity: override log levels per subsystem/component
|
|
# if not set, it will use the global level (see. https://docs.openwebui.com/getting-started/advanced-topics/logging#%EF%B8%8F-appbackend-specific-logging-levels)
|
|
components:
|
|
# -- Set the log level for the Audio processing component
|
|
# @section -- Logging configuration
|
|
audio: ""
|
|
# -- Set the log level for the ComfyUI Integration component
|
|
# @section -- Logging configuration
|
|
comfyui: ""
|
|
# -- Set the log level for the Configuration Management component
|
|
# @section -- Logging configuration
|
|
config: ""
|
|
# -- Set the log level for the Database Operations (Peewee) component
|
|
# @section -- Logging configuration
|
|
db: ""
|
|
# -- Set the log level for the Image Generation component
|
|
# @section -- Logging configuration
|
|
images: ""
|
|
# -- Set the log level for the Main Application Execution component
|
|
# @section -- Logging configuration
|
|
main: ""
|
|
# -- Set the log level for the Model Management component
|
|
# @section -- Logging configuration
|
|
models: ""
|
|
# -- Set the log level for the Ollama Backend Integration component
|
|
# @section -- Logging configuration
|
|
ollama: ""
|
|
# -- Set the log level for the OpenAI API Integration component
|
|
# @section -- Logging configuration
|
|
openai: ""
|
|
# -- Set the log level for the Retrieval-Augmented Generation (RAG) component
|
|
# @section -- Logging configuration
|
|
rag: ""
|
|
# -- Set the log level for the Authentication Webhook component
|
|
# @section -- Logging configuration
|
|
webhook: ""
|
|
|