From bc22fa3a54d346c9dc4f9b4028a97cfea39cfeb1 Mon Sep 17 00:00:00 2001
From: Yadunand Prem <yadunand@yadunut.com>
Date: Fri, 26 Sep 2025 21:45:46 +0800
Subject: [PATCH] feat: deploy openwebui

---
 apps/base/open-webui.yaml    | 86 ++++++++++++++++++++++++++++++++++++
 apps/prod/kustomization.yaml |  1 +
 2 files changed, 87 insertions(+)
 create mode 100644 apps/base/open-webui.yaml

diff --git a/apps/base/open-webui.yaml b/apps/base/open-webui.yaml
new file mode 100644
index 0000000..16de67c
--- /dev/null
+++ b/apps/base/open-webui.yaml
@@ -0,0 +1,86 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: open-webui
+---
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: open-webui-oidc-client-secret
+  namespace: open-webui
+spec:
+  itemPath: "vaults/cluster/items/open-webui-oidc-client-secret"
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: open-webui-repo
+  namespace: flux-system
+spec:
+  interval: 15m0s
+  url: https://helm.openwebui.com
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: open-webui
+  namespace: open-webui
+spec:
+  chart:
+    spec:
+      chart: open-webui
+      reconcileStrategy: ChartVersion
+      sourceRef:
+        kind: HelmRepository
+        name: open-webui-repo
+        namespace: flux-system
+      version: 8.6.x
+  interval: 1m0s
+  values:
+    ollama:
+      enabled: false
+      fullnameOverride: open-webui-ollama
+      ollama:
+        gpu:
+          enabled: true
+          type: nvidia
+          nvidiaResource: "nvidia.com/gpu-all"
+          number: 1
+      persistentVolume:
+        enabled: true
+        size: 100Gi
+      resources:
+        requests:
+          memory: 4Gi
+        limits:
+          memory: 55Gi
+    pipelines:
+      enabled: false
+
+    # Ingress via Traefik
+    ingress:
+      enabled: true
+      class: traefik
+      host: chat.yadunut.dev
+      tls: true
+      existingSecret: wildcard-cert-yadunut.dev-prod
+
+    # Use built-in sqlite persistence (PVC)
+    persistence:
+      enabled: true
+      accessModes: ["ReadWriteOnce"]
+
+    # OIDC via Authentik
+    sso:
+      enabled: true
+      enableSignup: false
+      mergeAccountsByEmail: false
+      oidc:
+        enabled: true
+        providerName: "SSO"
+        providerUrl: "https://authentik.yadunut.dev/application/o/open-webui"
+        clientId: "mBfdpk6ruYSEtYUxBjzqXoW6rpVRYfG3FFncOXXK"
+        clientExistingSecret: open-webui-oidc-client-secret
+        clientExistingSecretKey: password
+        scopes: "openid email profile"
diff --git a/apps/prod/kustomization.yaml b/apps/prod/kustomization.yaml
index 84e23c7..3fa2d32 100644
--- a/apps/prod/kustomization.yaml
+++ b/apps/prod/kustomization.yaml
@@ -7,3 +7,4 @@ resources:
   - ../base/gitea.yaml
   - ../base/yadunut-dev.yaml
   - ../base/proxmox.yaml
+  - ../base/open-webui.yaml