configure open webui to use sso from authentik
@@ -4,5 +4,6 @@ resources:
|
|||||||
- namespace.yaml
|
- namespace.yaml
|
||||||
- pvc.yaml
|
- pvc.yaml
|
||||||
- pvc-pipelines.yaml
|
- pvc-pipelines.yaml
|
||||||
|
- secret.yaml
|
||||||
- release.yaml
|
- release.yaml
|
||||||
- ingress.yaml
|
- ingress.yaml
|
||||||
|
|||||||
@@ -44,3 +44,30 @@ spec:
|
|||||||
persistence:
|
persistence:
|
||||||
enabled: true
|
enabled: true
|
||||||
existingClaim: openwebui-pipelines-lvmhdd
|
existingClaim: openwebui-pipelines-lvmhdd
|
||||||
|
|
||||||
|
# SSO with Authentik
|
||||||
|
extraEnvVars:
|
||||||
|
- name: WEBUI_URL
|
||||||
|
value: "https://openwebui.lumpiasty.xyz"
|
||||||
|
- name: OAUTH_CLIENT_ID
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: openwebui-authentik
|
||||||
|
key: client_id
|
||||||
|
- name: OAUTH_CLIENT_SECRET
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: openwebui-authentik
|
||||||
|
key: client_secret
|
||||||
|
- name: OAUTH_PROVIDER_NAME
|
||||||
|
value: "authentik"
|
||||||
|
- name: OPENID_PROVIDER_URL
|
||||||
|
value: "https://authentik.lumpiasty.xyz/application/o/open-web-ui/.well-known/openid-configuration"
|
||||||
|
- name: OPENID_REDIRECT_URI
|
||||||
|
value: "https://openwebui.lumpiasty.xyz/oauth/oidc/callback"
|
||||||
|
- name: ENABLE_OAUTH_SIGNUP
|
||||||
|
value: "true"
|
||||||
|
- name: ENABLE_LOGIN_FORM
|
||||||
|
value: "false"
|
||||||
|
- name: OAUTH_MERGE_ACCOUNTS_BY_EMAIL
|
||||||
|
value: "true"
|
||||||
|
|||||||
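Review bot: `OAUTH_MERGE_ACCOUNTS_BY_EMAIL: "true"` combined with `ENABLE_OAUTH_SIGNUP: "true"` lets any identity Authentik asserts with a matching `email` claim bind to an existing Open WebUI account, which is an account-takeover path if the email attribute for this application is ever unverified or user-editable on the Authentik side; Open WebUI's own configuration reference calls this setting unsafe for that reason. With the login form disabled and Authentik as the sole provider the exposure is narrower, but nothing in the hunk shows enrolment being gated, so every user allowed to reach the `open-web-ui` Authentik application gets an Open WebUI account. I would keep merge-by-email on only while the pre-SSO local accounts are being linked and then set `value: "false"`, and restrict access with an Authentik policy binding on the application (or `OAUTH_ALLOWED_DOMAINS`, if your Open WebUI version has it). A comment above the block is also warranted: `# ENABLE_LOGIN_FORM=false removes the local fallback; if OIDC breaks, admins are locked out until this is flipped back`. The enclosing `values:` block starts outside the hunk.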
43
apps/openwebui/secret.yaml
Normal file
43
apps/openwebui/secret.yaml
Normal file
@@ -0,0 +1,43 @@
|
|||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
name: openwebui-secret
|
||||||
|
namespace: openwebui
|
||||||
|
---
|
||||||
|
apiVersion: secrets.hashicorp.com/v1beta1
|
||||||
|
kind: VaultAuth
|
||||||
|
metadata:
|
||||||
|
name: openwebui
|
||||||
|
namespace: openwebui
|
||||||
|
spec:
|
||||||
|
method: kubernetes
|
||||||
|
mount: kubernetes
|
||||||
|
kubernetes:
|
||||||
|
role: openwebui
|
||||||
|
serviceAccount: openwebui-secret
|
||||||
|
---
|
||||||
|
apiVersion: secrets.hashicorp.com/v1beta1
|
||||||
|
kind: VaultStaticSecret
|
||||||
|
metadata:
|
||||||
|
name: openwebui-authentik
|
||||||
|
namespace: openwebui
|
||||||
|
spec:
|
||||||
|
type: kv-v2
|
||||||
|
|
||||||
|
mount: secret
|
||||||
|
path: authentik/openwebui
|
||||||
|
|
||||||
|
destination:
|
||||||
|
create: true
|
||||||
|
name: openwebui-authentik
|
||||||
|
type: Opaque
|
||||||
|
transformation:
|
||||||
|
excludeRaw: true
|
||||||
|
templates:
|
||||||
|
client_id:
|
||||||
|
text: '{{ get .Secrets "client_id" }}'
|
||||||
|
client_secret:
|
||||||
|
text: '{{ get .Secrets "client_secret" }}'
|
||||||
|
|
||||||
|
vaultAuthRef: openwebui
|
||||||
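Review bot: The Secret this `VaultStaticSecret` produces is consumed through `secretKeyRef` into environment variables, which Kubernetes only reads at container start, so rotating `client_secret` under `secret/authentik/openwebui` will update the Kubernetes Secret but the running Open WebUI pod keeps using the old value until it is restarted. VSO covers this with `rolloutRestartTargets`; under `spec` add `rolloutRestartTargets:` / `- kind: Deployment` / `name: <open-webui deployment>` — the chart's Deployment name is not visible here, so confirm it. No `refreshAfter` is set either, so re-sync cadence falls back to the operator default; an explicit `refreshAfter: 1h` (or whatever matches your rotation schedule) makes the behaviour visible in the manifest. `excludeRaw: true` is the right call — it keeps the full KV payload (`_raw`) out of the destination Secret.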
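--- /dev/null
+++ b/vault/kubernetes-roles/openwebui.yaml
@@ -0,0 +1,6 @@
+bound_service_account_names:
+- openwebui-secret
+bound_service_account_namespaces:
+- openwebui
+token_policies:
+- openwebui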
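--- /dev/null
+++ b/vault/policy/openwebui.hcl
@@ -0,0 +1,3 @@
+path "secret/data/authentik/openwebui" {
+capabilities = ["read"]
+}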