configure open webui to use sso from authentik
This commit is contained in:
@@ -4,5 +4,6 @@ resources:
|
||||
- namespace.yaml
|
||||
- pvc.yaml
|
||||
- pvc-pipelines.yaml
|
||||
- secret.yaml
|
||||
- release.yaml
|
||||
- ingress.yaml
|
||||
|
||||
@@ -44,3 +44,30 @@ spec:
|
||||
persistence:
|
||||
enabled: true
|
||||
existingClaim: openwebui-pipelines-lvmhdd
|
||||
|
||||
# SSO with Authentik
|
||||
extraEnvVars:
|
||||
- name: WEBUI_URL
|
||||
value: "https://openwebui.lumpiasty.xyz"
|
||||
- name: OAUTH_CLIENT_ID
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: openwebui-authentik
|
||||
key: client_id
|
||||
- name: OAUTH_CLIENT_SECRET
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: openwebui-authentik
|
||||
key: client_secret
|
||||
- name: OAUTH_PROVIDER_NAME
|
||||
value: "authentik"
|
||||
- name: OPENID_PROVIDER_URL
|
||||
value: "https://authentik.lumpiasty.xyz/application/o/open-web-ui/.well-known/openid-configuration"
|
||||
- name: OPENID_REDIRECT_URI
|
||||
value: "https://openwebui.lumpiasty.xyz/oauth/oidc/callback"
|
||||
- name: ENABLE_OAUTH_SIGNUP
|
||||
value: "true"
|
||||
- name: ENABLE_LOGIN_FORM
|
||||
value: "false"
|
||||
- name: OAUTH_MERGE_ACCOUNTS_BY_EMAIL
|
||||
value: "true"
|
||||
|
||||
43
apps/openwebui/secret.yaml
Normal file
43
apps/openwebui/secret.yaml
Normal file
@@ -0,0 +1,43 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: openwebui-secret
|
||||
namespace: openwebui
|
||||
---
|
||||
apiVersion: secrets.hashicorp.com/v1beta1
|
||||
kind: VaultAuth
|
||||
metadata:
|
||||
name: openwebui
|
||||
namespace: openwebui
|
||||
spec:
|
||||
method: kubernetes
|
||||
mount: kubernetes
|
||||
kubernetes:
|
||||
role: openwebui
|
||||
serviceAccount: openwebui-secret
|
||||
---
|
||||
apiVersion: secrets.hashicorp.com/v1beta1
|
||||
kind: VaultStaticSecret
|
||||
metadata:
|
||||
name: openwebui-authentik
|
||||
namespace: openwebui
|
||||
spec:
|
||||
type: kv-v2
|
||||
|
||||
mount: secret
|
||||
path: authentik/openwebui
|
||||
|
||||
destination:
|
||||
create: true
|
||||
name: openwebui-authentik
|
||||
type: Opaque
|
||||
transformation:
|
||||
excludeRaw: true
|
||||
templates:
|
||||
client_id:
|
||||
text: '{{ get .Secrets "client_id" }}'
|
||||
client_secret:
|
||||
text: '{{ get .Secrets "client_secret" }}'
|
||||
|
||||
vaultAuthRef: openwebui
|
||||
6
vault/kubernetes-roles/openwebui.yaml
Normal file
6
vault/kubernetes-roles/openwebui.yaml
Normal file
@@ -0,0 +1,6 @@
|
||||
bound_service_account_names:
|
||||
- openwebui-secret
|
||||
bound_service_account_namespaces:
|
||||
- openwebui
|
||||
token_policies:
|
||||
- openwebui
|
||||
3
vault/policy/openwebui.hcl
Normal file
3
vault/policy/openwebui.hcl
Normal file
@@ -0,0 +1,3 @@
|
||||
path "secret/data/authentik/openwebui" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
Reference in New Issue
Block a user