---
apiVersion: v1
kind: Namespace
metadata:
  name: open-webui
---
apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
  name: open-webui-oidc-client-secret
  namespace: open-webui
spec:
  itemPath: "vaults/cluster/items/open-webui-oidc-client-secret"
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: open-webui-repo
  namespace: flux-system
spec:
  interval: 15m0s
  url: https://helm.openwebui.com
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: open-webui
  namespace: open-webui
spec:
  chart:
    spec:
      chart: open-webui
      reconcileStrategy: ChartVersion
      sourceRef:
        kind: HelmRepository
        name: open-webui-repo
        namespace: flux-system
      version: 8.6.x
  interval: 1m0s
  values:
    ollama:
      enabled: false
      fullnameOverride: open-webui-ollama
      ollama:
        gpu:
          enabled: true
          type: nvidia
          nvidiaResource: "nvidia.com/gpu-all"
          number: 1
      persistentVolume:
        enabled: true
        size: 100Gi
      resources:
        requests:
          memory: 4Gi
        limits:
          memory: 55Gi
    pipelines:
      enabled: false

    # Ingress via Traefik
    ingress:
      enabled: true
      class: traefik
      host: chat.yadunut.dev
      tls: true
      existingSecret: wildcard-cert-yadunut.dev-prod

    # Use built-in sqlite persistence (PVC)
    persistence:
      enabled: true
      accessModes: ["ReadWriteOnce"]

    # OIDC via Authentik
    sso:
      enabled: true
      enableSignup: false
      mergeAccountsByEmail: false
      oidc:
        enabled: true
        providerName: "SSO"
        providerUrl: "https://authentik.yadunut.dev/application/o/open-webui"
        clientId: "Z37HQwWBYxax4vwN047B8PWr3JxT6qMAOtCAyJ4Z"
        clientExistingSecret: open-webui-oidc-client-secret
        clientExistingSecretKey: password
        scopes: "openid email profile"