07070100000000000081a400000000000000000000000167350461000001b1000000000000000000000000000000000000002e00000000patches/0001-Standardized-global-values.patchdiff --git a/packages/open-webui/0.3/values.yaml b/packages/open-webui/0.3/values.yaml index dcaaf72..314a9d3 100644 --- a/packages/open-webui/0.3/values.yaml +++ b/packages/open-webui/0.3/values.yaml @@ -1,3 +1,9 @@ +global: + # -- Global override for container image registry + imageRegistry: "" + # -- Global override for container image registry pull secrets + imagePullSecrets: [] + nameOverride: "" ollama: -- 2.43.0 07070100000001000081a40000000000000000000000016735046100001078000000000000000000000000000000000000001f00000000patches/0001-TLS-support.patchdiff --git a/packages/open-webui/0.3/templates/ingress.yaml b/packages/open-webui/0.3/templates/ingress.yaml index 12e3a28..6c4c46a 100644 --- a/packages/open-webui/0.3/templates/ingress.yaml +++ b/packages/open-webui/0.3/templates/ingress.yaml @@ -5,10 +5,14 @@ metadata: name: {{ include "open-webui.name" . }} labels: {{- include "open-webui.labels" . | nindent 4 }} - {{- with .Values.ingress.annotations }} annotations: + {{- if ne .Values.global.tls.source "secret" }} + cert-manager.io/issuer: {{ .Values.global.tls.issuerName }} + cert-manager.io/issuer-kind: Issuer + {{- end }} + {{- with .Values.ingress.annotations }} {{- toYaml . | nindent 4 }} - {{- end }} + {{- end }} spec: {{- with .Values.ingress.class }} ingressClassName: {{ . }} diff --git a/packages/open-webui/0.3/templates/tls-letsencrypt.yaml b/packages/open-webui/0.3/templates/tls-letsencrypt.yaml new file mode 100644 index 0000000..e8e888f --- /dev/null +++ b/packages/open-webui/0.3/templates/tls-letsencrypt.yaml 
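Review bot: The new `cert-manager.io/issuer` annotation in `templates/ingress.yaml` is emitted whenever `global.tls.source` is not `secret`, even when `ingress.tls` is false, while the Issuer templates added by this patch render only when `ingress.tls` is set, so the annotation can name an Issuer that does not exist. The condition also dereferences `.Values.global.tls`, which the `global:` block added to the chart's own `values.yaml` does not define (only `imageRegistry` and `imagePullSecrets` are visible), so rendering without the SUSE values overlay would presumably fail on a nil map. I would gate it as `{{- if and .Values.ingress.tls (ne .Values.global.tls.source "secret") }}`, render the value with `{{ .Values.global.tls.issuerName | quote }}`, and add a `tls:` default block under `global:` in `values.yaml`. The ingress `metadata` and `spec` continue outside the hunk.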
@@ -0,0 +1,20 @@ +{{- if and (.Values.ingress.tls) (eq .Values.global.tls.source "letsEncrypt") -}} +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: "{{ .Values.global.tls.issuerName }}" +spec: + acme: + {{- if eq .Values.global.tls.letsEncrypt.environment "production" }} + server: https://acme-v02.api.letsencrypt.org/directory + {{- else }} + server: https://acme-staging-v02.api.letsencrypt.org/directory + {{- end }} + email: {{ .Values.global.tls.letsEncrypt.email }} + privateKeySecretRef: + name: "{{ .Values.global.tls.issuerName }}-ca-issuer" + solvers: + - http01: + ingress: + class: {{ .Values.global.tls.letsEncrypt.ingress.class }} +{{- end }} diff --git a/packages/open-webui/0.3/templates/tls-selfsigned.yaml b/packages/open-webui/0.3/templates/tls-selfsigned.yaml new file mode 100644 index 0000000..c671fbd --- /dev/null +++ b/packages/open-webui/0.3/templates/tls-selfsigned.yaml @@ -0,0 +1,45 @@ +{{- if and (.Values.ingress.tls) (eq .Values.global.tls.source "suse-private-ai") -}} +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: {{ .Values.global.tls.issuerName }}-selfsigned +spec: + selfSigned: {} + +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ .Values.global.tls.issuerName }}-selfsigned-ca +spec: + isCA: true + commonName: {{ .Values.global.tls.issuerName }}-selfsigned-ca + secretName: {{ .Values.global.tls.issuerName }}-root-secret + duration: 2160h # 90d + renewBefore: 360h + subject: + organizations: + - Suse + countries: + - US + organizationalUnits: + - DEV + privateKey: + algorithm: ECDSA + size: 256 + issuerRef: + name: {{ .Values.global.tls.issuerName }}-selfsigned + kind: Issuer + group: cert-manager.io + dnsNames: + - "{{ index .Values "open-webui.ingress.host" }}" + +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: {{ .Values.global.tls.issuerName }} +spec: + ca: + secretName: {{ .Values.global.tls.issuerName }}-root-secret +{{- end -}} 
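Review bot: `email` and the solver `class` in `tls-letsencrypt.yaml` are rendered unquoted and unvalidated. With the defaults shipped in `values-suse.yaml.tpl` (`class: ""`, `email: none@example.com`) the solver gets a null `class`, and the placeholder contact address is likely to be refused at ACME registration, so a misconfiguration only shows up later as a failed certificate order. Failing at render time is clearer: `email: {{ required "global.tls.letsEncrypt.email must be set" .Values.global.tls.letsEncrypt.email | quote }}`, and wrap the `class:` line in `{{- with .Values.global.tls.letsEncrypt.ingress.class }}` so that it is omitted when empty.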
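Review bot: The `dnsNames` entry in `tls-selfsigned.yaml` uses `index .Values "open-webui.ingress.host"`, which looks up one top-level key literally named `open-webui.ingress.host`. Inside this chart the host is at `.Values.ingress.host`, so the lookup presumably yields nothing and the template renders `- ""`. If a SAN is wanted here, `- {{ .Values.ingress.host | quote }}` reads the same value the ingress uses. Separately, this certificate is the root CA (`isCA: true`) with `duration: 2160h`, so any client that imports the root into its trust store has to refresh it on every renewal cycle; please confirm that is intended, or give the CA a longer lifetime than the leaf certificates and say so in a comment.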
diff --git a/packages/open-webui/0.3/templates/workload-manager.yaml b/packages/open-webui/0.3/templates/workload-manager.yaml index c28ebdd..2741e68 100644 --- a/packages/open-webui/0.3/templates/workload-manager.yaml +++ b/packages/open-webui/0.3/templates/workload-manager.yaml @@ -72,6 +72,12 @@ spec: volumeMounts: - name: data mountPath: /app/backend/data + {{- if .Values.global.tls.additionalTrustedCAs }} + - mountPath: /etc/pki/trust/anchors/ca-additional.pem + name: tls-ca-additional-volume + subPath: ca-additional.pem + readOnly: true + {{- end }} env: {{- if or .Values.ollamaUrls .Values.ollama.enabled }} - name: "OLLAMA_BASE_URLS" @@ -119,3 +125,9 @@ spec: persistentVolumeClaim: claimName: {{ include "open-webui.name" . }} {{- end }} + {{- if .Values.global.tls.additionalTrustedCAs }} + - name: tls-ca-additional-volume + secret: + defaultMode: 0400 + secretName: tls-ca-additional + {{- end }} -- 2.43.0 07070100000002000081a4000000000000000000000001673504610000067e000000000000000000000000000000000000003000000000patches/0002-Standardize-imagePullSecrets.patchdiff --git a/packages/open-webui/0.3/templates/_helpers.tpl b/packages/open-webui/0.3/templates/_helpers.tpl index 90381f5..f83e505 100644 --- a/packages/open-webui/0.3/templates/_helpers.tpl +++ b/packages/open-webui/0.3/templates/_helpers.tpl 
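Review bot: The CA bundle in the first hunk (`@@ -72,6 +72,12 @@`) is mounted with `subPath`, and files mounted that way are not refreshed when the Secret changes, so a rotated `tls-ca-additional` secret only takes effect after a pod restart; a comment beside the `volumeMounts` entry should say so. Nothing visible in these hunks rebuilds the trust store or points the application at the file, so please confirm the image actually consumes `/etc/pki/trust/anchors/` at start-up. In the second hunk (`@@ -119,3 +125,9 @@`), `defaultMode: 0400` makes the file owner-readable only, which may leave it unreadable when `containerSecurityContext` runs the container as a non-root user. A CA certificate is public data, so `defaultMode: 0444` is sufficient. Both hunks sit inside a pod spec that starts and ends outside them.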
@@ -141,4 +141,35 @@ Create the service endpoint to use for Pipelines if the subchart is used {{- $pipelinesServicePort := .Values.pipelines.service.port | toString }} {{- printf "http://%s.%s.svc.%s:%s" (include "pipelines.name" .) (.Release.Namespace) $clusterDomain $pipelinesServicePort }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} + +{{/* +Return the proper Docker Image Registry Secret Names +*/}} +{{- define "open-webui.imagePullSecrets" -}} +{{/* +Helm 2.11 supports the assignment of a value to a variable defined in a different scope, +but Helm 2.9 and 2.10 does not support it, so we need to implement this if-else logic. +Also, we can not use a single if because lazy evaluation is not an option +*/}} +{{- if .Values.global }} +{{- if .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + {{- $imagePullSecrets := list }} + {{- if kindIs "string" . }} + {{- $imagePullSecrets = append $imagePullSecrets (dict "name" .) }} + {{- else }} + {{- $imagePullSecrets = append $imagePullSecrets . }} + {{- end }} + {{- toYaml $imagePullSecrets | nindent 2 }} +{{- end }} +{{- else if .Values.imagePullSecrets }} +imagePullSecrets: + {{ toYaml .Values.imagePullSecrets }} +{{- end -}} +{{- else if .Values.imagePullSecrets }} +imagePullSecrets: + {{ toYaml .Values.imagePullSecrets }} +{{- end -}} +{{- end -}} -- 2.43.0 07070100000003000081a40000000000000000000000016735046100000ab2000000000000000000000000000000000000002d00000000patches/0003-Standardize-imageRegistry.patchdiff --git a/packages/open-webui/0.3/templates/workload-manager.yaml b/packages/open-webui/0.3/templates/workload-manager.yaml index c28ebdd..8bfb4e3 100644 --- a/packages/open-webui/0.3/templates/workload-manager.yaml +++ b/packages/open-webui/0.3/templates/workload-manager.yaml 
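Review bot: In the two fallback branches of `open-webui.imagePullSecrets`, `{{ toYaml .Values.imagePullSecrets }}` is indented only by the two literal spaces in front of it, so with more than one chart-level secret the second and later list items land at the same column as the `imagePullSecrets:` key while the first sits two columns deeper, and the rendered block is mis-indented. Using `{{- toYaml .Values.imagePullSecrets | nindent 2 }}` in both places matches what the `global` branch does. The header comment about Helm 2.9/2.10 variable scoping does not describe this template, since `$imagePullSecrets` is declared and used inside the `range`. I would replace it with one line stating the precedence: `global.imagePullSecrets` wins over `imagePullSecrets`, and plain string entries are wrapped as `name:` maps.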
@@ -29,16 +29,11 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} + {{- include "open-webui.imagePullSecrets" . | nindent 6 }} initContainers: - name: copy-app-data - {{- with .Values.image }} - image: {{ .repository }}:{{ .tag | default $.Chart.AppVersion }} + image: "{{ with (coalesce .Values.global.imageRegistry .Values.image.registry) }}{{ . }}/{{ end }}{{ .Values.image.repository }}:{{ .Values.image.tag | default $.Chart.AppVersion }}" imagePullPolicy: {{ .pullPolicy }} - {{- end }} command: ['sh', '-c', 'cp -R -n /app/backend/data/* /tmp/app-data/'] {{- with .Values.containerSecurityContext }} securityContext: @@ -55,10 +50,8 @@ spec: {{- end }} containers: - name: {{ .Chart.Name }} - {{- with .Values.image }} - image: {{ .repository }}:{{ .tag | default $.Chart.AppVersion }} + image: "{{ with (coalesce .Values.global.imageRegistry .Values.image.registry) }}{{ . }}/{{ end }}{{ .Values.image.repository }}:{{ .Values.image.tag | default $.Chart.AppVersion }}" imagePullPolicy: {{ .pullPolicy }} - {{- end }} ports: - name: http containerPort: {{ .Values.service.containerPort }} diff --git a/packages/open-webui/0.3/values.yaml b/packages/open-webui/0.3/values.yaml index 314a9d3..ae35c65 100644 --- a/packages/open-webui/0.3/values.yaml +++ b/packages/open-webui/0.3/values.yaml 
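Review bot: `imagePullPolicy: {{ .pullPolicy }}` is kept as context in both hunks (`@@ -29,16 +29,11 @@` and `@@ -55,10 +50,8 @@`) while the enclosing `{{- with .Values.image }}` is removed, so `.` is now the root context and `.pullPolicy` no longer resolves to `image.pullPolicy`. The field would render empty and the cluster default would apply, silently ignoring the policy set in `values.yaml`. It should become `imagePullPolicy: {{ .Values.image.pullPolicy }}` for both the `copy-app-data` init container and the main container. Both container definitions continue outside the hunks.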
@@ -39,11 +39,15 @@ clusterDomain: cluster.local annotations: {} podAnnotations: {} replicaCount: 1 -# -- Open WebUI image tags can be found here: https://github.com/open-webui/open-webui/pkgs/container/open-webui image: - repository: ghcr.io/open-webui/open-webui - tag: "" - pullPolicy: "IfNotPresent" + # -- Image registry to use for the open-webui container + registry: dp.apps.rancher.io + # -- Image repository to use for the open-webui container + repository: containers/open-webui + # -- Image tag to use for the open-webui container + tag: "" + # -- Image pull policy to use for the open-webui container + pullPolicy: IfNotPresent # -- Configure imagePullSecrets to use private registry # ref: -- 2.43.0 07070100000004000081a4000000000000000000000001673504610000041b000000000000000000000000000000000000001700000000patches/Chart.yaml.tpl# SPDX-License-Identifier: MIT #!BuildTag: charts/open-webui:${VERSION}-%RELEASE% #!BuildTag: charts/open-webui:${VERSION} annotations: licenses: MIT helm.sh/images: | - image: ${CONTAINER_REGISTRY}/containers/open-webui:${APP_VERSION} name: open-webui apiVersion: v2 name: open-webui version: ${VERSION} appVersion: ${APP_VERSION} home: https://apps.rancher.io/applications/open-webui icon: https://raw.githubusercontent.com/open-webui/open-webui/main/static/favicon.png description: "Open WebUI: A User-Friendly Web Interface for Chat Interactions 👋" keywords: - llm - chat - web-ui maintainers: - url: https://www.suse.com name: SUSE LLC dependencies: - name: cert-manager condition: cert-manager.enabled version: 1.16.x - name: ollama version: 0.54.0 import-values: - child: service parent: ollama.service condition: ollama.enabled - name: pipelines version: 0.0.4 import-values: - child: service parent: pipelines.service condition: pipelines.enabled 07070100000005000081a4000000000000000000000001673504610000031e000000000000000000000000000000000000001d00000000patches/values-suse.yaml.tplglobal: tls: # options: suse-private-ai, letsEncrypt, secret 
source: suse-private-ai issuerName: suse-private-ai # This section to be filled out when using letsEncrypt as the tls source letsEncrypt: environment: staging email: none@example.com ingress: class: "" # Additional Trusted CAs. # Enable this flag and add your CA certs as a secret named tls-ca-additional in the suse-private-ai namespace. additionalTrustedCAs: false image: registry: ${CONTAINER_REGISTRY} repository: containers/open-webui tag: ${APP_VERSION} pipelines: enabled: false cert-manager: enabled: true ingress: enabled: true class: "" annotations: nginx.ingress.kubernetes.io/ssl-redirect: "true" host: "" tls: true existingSecret: "" 07070100000006000041ed0000000000000000000000016735046100000000000000000000000000000000000000000000000800000000patches07070100000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000b00000000TRAILER!!!