feat: deploy openwebui

2025-09-26 21:45:46 +08:00
parent d1c3cdd693
commit bc22fa3a54
2 changed files with 87 additions and 0 deletions
--- a/apps/base/open-webui.yaml
+++ b/apps/base/open-webui.yaml
@@ -0,0 +1,86 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: open-webui
+---
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: open-webui-oidc-client-secret
+  namespace: open-webui
+spec:
+  itemPath: "vaults/cluster/items/open-webui-oidc-client-secret"
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: open-webui-repo
+  namespace: flux-system
+spec:
+  interval: 15m0s
+  url: https://helm.openwebui.com
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: open-webui
+  namespace: open-webui
+spec:
+  chart:
+    spec:
+      chart: open-webui
+      reconcileStrategy: ChartVersion
+      sourceRef:
+        kind: HelmRepository
+        name: open-webui-repo
+        namespace: flux-system
+      version: 8.6.x
+  interval: 1m0s
+  values:
+    ollama:
+      enabled: false
+      fullnameOverride: open-webui-ollama
+      ollama:
+        gpu:
+          enabled: true
+          type: nvidia
+          nvidiaResource: "nvidia.com/gpu-all"
+          number: 1
+      persistentVolume:
+        enabled: true
+        size: 100Gi
+      resources:
+        requests:
+          memory: 4Gi
+        limits:
+          memory: 55Gi
+    pipelines:
+      enabled: false
+
+    # Ingress via Traefik
+    ingress:
+      enabled: true
+      class: traefik
+      host: chat.yadunut.dev
+      tls: true
+      existingSecret: wildcard-cert-yadunut.dev-prod
+
+    # Use built-in sqlite persistence (PVC)
+    persistence:
+      enabled: true
+      accessModes: ["ReadWriteOnce"]
+
+    # OIDC via Authentik
+    sso:
+      enabled: true
+      enableSignup: false
+      mergeAccountsByEmail: false
+      oidc:
+        enabled: true
+        providerName: "SSO"
+        providerUrl: "https://authentik.yadunut.dev/application/o/open-webui"
+        clientId: "mBfdpk6ruYSEtYUxBjzqXoW6rpVRYfG3FFncOXXK"
+        clientExistingSecret: open-webui-oidc-client-secret
+        clientExistingSecretKey: password
+        scopes: "openid email profile"
--- a/apps/prod/kustomization.yaml
+++ b/apps/prod/kustomization.yaml
@@ -7,3 +7,4 @@ resources:
  - ../base/gitea.yaml
  - ../base/yadunut-dev.yaml
  - ../base/proxmox.yaml
+  - ../base/open-webui.yaml