07070100000000000081a400000000000000000000000168f6b9ad000001c4000000000000000000000000000000000000002e00000000patches/0001-Standardized-global-values.patchdiff --git a/packages/open-webui/0.6/values.yaml b/packages/open-webui/0.6/values.yaml index dcaaf72..314a9d3 100644 --- a/packages/open-webui/0.6/values.yaml +++ b/packages/open-webui/0.6/values.yaml @@ -1,3 +1,8 @@ +global: + # -- Global override for container image registry + imageRegistry: "" + # -- Global override for container image registry pull secrets + imagePullSecrets: [] nameOverride: "" namespaceOverride: "" ollama: -- 2.43.0 07070100000001000081a400000000000000000000000168f6b9ad00001199000000000000000000000000000000000000001f00000000patches/0002-TLS-support.patchdiff --git a/packages/open-webui/0.6/templates/ingress.yaml b/packages/open-webui/0.6/templates/ingress.yaml index a94f17c..f547608 100644 --- a/packages/open-webui/0.6/templates/ingress.yaml +++ b/packages/open-webui/0.6/templates/ingress.yaml @@ -9,10 +9,14 @@ metadata: {{- with .Values.ingress.extraLabels }} {{- toYaml . | nindent 4 }} {{- end }} - {{- if .Values.ingress.annotations }} annotations: - {{- tpl (toYaml .Values.ingress.annotations | nindent 4) . }} - {{- end }} + {{- if .Values.ingress.annotations }} + {{- tpl (toYaml .Values.ingress.annotations | nindent 4) . }} + {{- end }} + {{- if and (.Values.ingress.tls) (ne .Values.global.tls.source "secret") }} + cert-manager.io/issuer: {{ .Values.global.tls.issuerName }} + cert-manager.io/issuer-kind: Issuer + {{- end }} spec: {{- with .Values.ingress.class }} ingressClassName: {{ . }} diff --git a/packages/open-webui/0.6/templates/tls-letsencrypt.yaml b/packages/open-webui/0.6/templates/tls-letsencrypt.yaml new file mode 100644 index 0000000..e8e888f --- /dev/null +++ b/packages/open-webui/0.6/templates/tls-letsencrypt.yaml 
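Review bot: In templates/ingress.yaml the new condition dereferences `.Values.global.tls.source` and `.Values.global.tls.issuerName`, but the values.yaml hunk in patch 0001 only defaults `global.imageRegistry` and `global.imagePullSecrets`. If `global.tls` is not supplied by another values file, rendering fails on a nil map instead of skipping the annotations. The test `ne .Values.global.tls.source "secret"` also treats any misspelled or unknown source as a cert-manager source, so the Ingress would name an Issuer that neither TLS template creates. I would default the map and match the supported sources explicitly, `{{- $tls := .Values.global.tls | default dict }}` with `{{- if and .Values.ingress.tls (has $tls.source (list "suse-private-ai" "letsEncrypt")) }}`, and quote the value as `cert-manager.io/issuer: {{ $tls.issuerName | quote }}`. The metadata block starts outside the hunk.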
@@ -0,0 +1,20 @@ +{{- if and (.Values.ingress.enabled) (.Values.ingress.tls) (eq .Values.global.tls.source "letsEncrypt") -}} +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: "{{ .Values.global.tls.issuerName }}" +spec: + acme: + {{- if eq .Values.global.tls.letsEncrypt.environment "production" }} + server: https://acme-v02.api.letsencrypt.org/directory + {{- else }} + server: https://acme-staging-v02.api.letsencrypt.org/directory + {{- end }} + email: {{ .Values.global.tls.letsEncrypt.email }} + privateKeySecretRef: + name: "{{ .Values.global.tls.issuerName }}-ca-issuer" + solvers: + - http01: + ingress: + class: {{ .Values.global.tls.letsEncrypt.ingress.class }} +{{- end }} diff --git a/packages/open-webui/0.6/templates/tls-selfsigned.yaml b/packages/open-webui/0.6/templates/tls-selfsigned.yaml new file mode 100644 index 0000000..c671fbd --- /dev/null +++ b/packages/open-webui/0.6/templates/tls-selfsigned.yaml 
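Review bot: In templates/tls-letsencrypt.yaml the solver line `class: {{ .Values.global.tls.letsEncrypt.ingress.class }}` renders as a bare `class:` (null) when the value is empty, which is the default shown in values-suse.yaml.tpl. Wrapping it as `{{- with .Values.global.tls.letsEncrypt.ingress.class }}` / `class: {{ . | quote }}` / `{{- end }}` emits the key only when a class is set. `email:` is also unquoted and should be `email: {{ .Values.global.tls.letsEncrypt.email | quote }}`. Any `environment` value other than the exact string `production` silently selects the staging ACME endpoint, whose certificates browsers do not trust. A template comment saying so would save operators from debugging an untrusted certificate after a typo.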
@@ -0,0 +1,45 @@ +{{- if and (.Values.ingress.enabled) (.Values.ingress.tls) (eq .Values.global.tls.source "suse-private-ai") -}} +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: {{ .Values.global.tls.issuerName }}-selfsigned +spec: + selfSigned: {} + +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ .Values.global.tls.issuerName }}-selfsigned-ca +spec: + isCA: true + commonName: {{ .Values.global.tls.issuerName }}-selfsigned-ca + secretName: {{ .Values.global.tls.issuerName }}-root-secret + duration: 2160h # 90d + renewBefore: 360h + subject: + organizations: + - Suse + countries: + - US + organizationalUnits: + - DEV + privateKey: + algorithm: ECDSA + size: 256 + issuerRef: + name: {{ .Values.global.tls.issuerName }}-selfsigned + kind: Issuer + group: cert-manager.io + dnsNames: + - "{{ index .Values "open-webui.ingress.host" }}" + +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: {{ .Values.global.tls.issuerName }} +spec: + ca: + secretName: {{ .Values.global.tls.issuerName }}-root-secret +{{- end -}} diff --git a/packages/open-webui/0.6/templates/workload-manager.yaml b/packages/open-webui/0.6/templates/workload-manager.yaml index f296222..1485d10 100644 --- a/packages/open-webui/0.6/templates/workload-manager.yaml +++ b/packages/open-webui/0.6/templates/workload-manager.yaml @@ -109,6 +109,12 @@ spec: {{- if .Values.persistence.subPath }} subPath: {{ .Values.persistence.subPath }} {{- end }} + {{- if .Values.global.tls.additionalTrustedCAs }} + - mountPath: /etc/pki/trust/anchors/ca-additional.pem + name: tls-ca-additional-volume + subPath: ca-additional.pem + readOnly: true + {{- end }} {{- with .Values.volumeMounts.container }} {{- toYaml . | nindent 8 }} {{- end }} 
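Review bot: In templates/tls-selfsigned.yaml the `dnsNames` entry uses `index .Values "open-webui.ingress.host"`, which looks up one top-level key literally named `open-webui.ingress.host` rather than walking a path. Unless such a key is defined somewhere not shown here, it evaluates to nil and the CA certificate is requested with an empty DNS name. values-suse.yaml.tpl and the README both use `ingress.host`, so `- {{ .Values.ingress.host | quote }}` looks like the intended value; alternatively drop `dnsNames` from the CA, since `commonName` is already set. Separately, `duration: 2160h` makes the root CA itself renew every 90 days, so any client that imported it as a trust anchor must re-import it after each renewal. A comment confirming this is intended, or a longer CA lifetime, would help.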
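Review bot: In templates/workload-manager.yaml the additional CA file is mounted with `subPath: ca-additional.pem`, and Kubernetes does not propagate Secret updates into subPath mounts, so rotating `tls-ca-additional` has no effect until the pod is restarted. Nothing in the visible hunks refreshes the container's trust store after the file appears under `/etc/pki/trust/anchors/`. Whether the application trusts these CAs therefore depends on the image entrypoint and on its HTTP libraries reading the system bundle, which is worth confirming. I would add a template comment above the mount, for example `{{- /* subPath mount: restart the pod after changing tls-ca-additional; the image must rebuild its CA bundle at start */}}`. The volumeMounts list begins before this hunk.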
@@ -185,6 +191,12 @@ spec: persistentVolumeClaim: claimName: {{ include "open-webui.name" . }} {{- end }} + {{- if .Values.global.tls.additionalTrustedCAs }} + - name: tls-ca-additional-volume + secret: + defaultMode: 0400 + secretName: tls-ca-additional + {{- end }} {{- with .Values.volumes }} {{- toYaml . | nindent 6 }} {{- end }} -- 2.43.0 07070100000002000081a400000000000000000000000168f6b9ad000005c4000000000000000000000000000000000000003000000000patches/0003-Standardize-imagePullSecrets.patchdiff --git a/packages/open-webui/0.6/templates/_helpers.tpl b/packages/open-webui/0.6/templates/_helpers.tpl index 953244b..82baab2 100644 --- a/packages/open-webui/0.6/templates/_helpers.tpl +++ b/packages/open-webui/0.6/templates/_helpers.tpl 
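Review bot: The `tls-ca-additional-volume` secret volume sets `defaultMode: 0400`, which makes the projected file readable by its owner only. If the container runs as a non-root user without a matching `fsGroup` (the pod securityContext is outside this hunk), the process cannot read `ca-additional.pem`. CA certificates are public material, so `defaultMode: 0444` is sufficient and avoids that failure. The secret name is hard-coded and the volume is not marked `optional`, so enabling `global.tls.additionalTrustedCAs` without first creating the secret in the release namespace leaves the pod unable to start. That prerequisite belongs in the values comment.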
@@ -169,3 +169,35 @@ Create labels to include on chart all websocket resources {{ include "base.labels" . }} {{ include "websocket.redis.selectorLabels" . }} {{- end }} + +{{/* +Return the proper Docker Image Registry Secret Names +*/}} +{{- define "open-webui.imagePullSecrets" -}} +{{/* +Helm 2.11 supports the assignment of a value to a variable defined in a different scope, +but Helm 2.9 and 2.10 does not support it, so we need to implement this if-else logic. +Also, we can not use a single if because lazy evaluation is not an option +*/}} +{{- if .Values.global }} +{{- if .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + {{- $imagePullSecrets := list }} + {{- if kindIs "string" . }} + {{- $imagePullSecrets = append $imagePullSecrets (dict "name" .) }} + {{- else }} + {{- $imagePullSecrets = append $imagePullSecrets . }} + {{- end }} + {{- toYaml $imagePullSecrets | nindent 2 }} +{{- end }} +{{- else if .Values.imagePullSecrets }} +imagePullSecrets: + {{ toYaml .Values.imagePullSecrets }} +{{- end -}} +{{- else if .Values.imagePullSecrets }} +imagePullSecrets: + {{ toYaml .Values.imagePullSecrets }} +{{- end -}} +{{- end -}} + -- 2.43.0 07070100000003000081a400000000000000000000000168f6b9ad00000b7a000000000000000000000000000000000000002d00000000patches/0004-Standardize-imageRegistry.patchdiff --git a/packages/open-webui/0.6/templates/workload-manager.yaml b/packages/open-webui/0.6/templates/workload-manager.yaml index c28ebdd..8bfb4e3 100644 --- a/packages/open-webui/0.6/templates/workload-manager.yaml +++ b/packages/open-webui/0.6/templates/workload-manager.yaml 
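Review bot: Both fallback branches of `open-webui.imagePullSecrets` emit `{{ toYaml .Values.imagePullSecrets }}` without `nindent`, so only the first rendered line gets the literal indent. With two or more pull secrets the later items land at a different column and the pod spec would not parse; leading whitespace is collapsed in this view, so confirm against the file. `{{- toYaml .Values.imagePullSecrets | nindent 2 }}` keeps every item aligned, and the duplicated `else if` branch disappears if the outer test becomes `{{- if and .Values.global .Values.global.imagePullSecrets }}`. The helper comment should also say that the global list replaces the chart-level list rather than merging with it, and the Helm 2.9/2.10 remark can be dropped. The `open-webui-redis.imagePullSecrets` helper added in patch 0005 has the same shape and the same issue.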
@@ -45,19 +45,14 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} + {{- include "open-webui.imagePullSecrets" . | nindent 6 }} {{- with .Values.priorityClassName }} priorityClassName: {{ . }} {{- end }} initContainers: - name: copy-app-data - {{- with .Values.image }} - image: {{ .repository }}:{{ .tag | default $.Chart.AppVersion }} - imagePullPolicy: {{ .pullPolicy }} - {{- end }} + image: "{{ with (coalesce .Values.global.imageRegistry .Values.image.registry) }}{{ . }}/{{ end }}{{ .Values.image.repository }}:{{ .Values.image.tag | default $.Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} command: {{- toYaml (.Values.copyAppData.command | default (list "sh" "-c" "cp -R -n /app/backend/data/* /tmp/app-data/")) | nindent 10 }} {{- with .Values.copyAppData.args }} @@ -97,10 +92,8 @@ spec: {{- end }} containers: - name: {{ .Chart.Name }} - {{- with .Values.image }} - image: {{ .repository }}:{{ .tag | default $.Chart.AppVersion }} - imagePullPolicy: {{ .pullPolicy }} - {{- end }} + image: "{{ with (coalesce .Values.global.imageRegistry .Values.image.registry) }}{{ . }}/{{ end }}{{ .Values.image.repository }}:{{ .Values.image.tag | default $.Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} {{- with .Values.command }} command: {{- toYaml . | nindent 10 }} diff --git a/packages/open-webui/0.6/values.yaml b/packages/open-webui/0.6/values.yaml index 54bdd02..deca648 100644 --- a/packages/open-webui/0.6/values.yaml +++ b/packages/open-webui/0.6/values.yaml 
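Review bot: The new `image:` line, used in both hunks of templates/workload-manager.yaml, always prepends a registry, and values.yaml now defaults `image.registry` to `dp.apps.rancher.io`. An existing override such as `image.repository: ghcr.io/open-webui/open-webui` would therefore render as `dp.apps.rancher.io/ghcr.io/open-webui/open-webui:<tag>` after upgrade. The values comment should state the new contract, e.g. `# -- Image repository path only; the registry comes from global.imageRegistry, else image.registry`. Because `coalesce` lets `global.imageRegistry` win over the per-image setting, one global value redirects every image pull in the release, including the `copy-app-data` init container. The reference is tag-only; an optional digest value rendered as `@sha256:…` would let operators pin the exact image they verified.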
@@ -114,11 +119,15 @@ revisionHistoryLimit: 10 priorityClassName: "" # -- Strategy for updating the workload manager: deployment or statefulset strategy: {} -# -- Open WebUI image tags can be found here: https://github.com/open-webui/open-webui image: - repository: ghcr.io/open-webui/open-webui - tag: "" - pullPolicy: "IfNotPresent" + # -- Image registry to use for the open-webui container + registry: dp.apps.rancher.io + # -- Image repository to use for the open-webui container + repository: containers/open-webui + # -- Image tag to use for the open-webui container + tag: "0.6.9" + # -- Image pull policy to use for the open-webui container + pullPolicy: IfNotPresent # -- Open WebUI container command (overrides default entrypoint) command: [] -- 2.43.0 07070100000004000081a400000000000000000000000168f6b9ad00000d05000000000000000000000000000000000000004800000000patches/0005-Standardization-of-redis-imageRegistry-and-imagePull.patchdiff --git a/packages/open-webui/0.6/templates/_helpers.tpl b/packages/open-webui/0.6/templates/_helpers.tpl index 674ebf2..82b3ac4 100644 --- a/packages/open-webui/0.6/templates/_helpers.tpl +++ b/packages/open-webui/0.6/templates/_helpers.tpl 
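Review bot: `tag: "0.6.9"` replaces the previous empty default, so the `| default $.Chart.AppVersion` fallback in workload-manager.yaml is no longer reached. The deployed image can then drift from the chart's `appVersion` unless values-suse.yaml.tpl, which sets `${APP_VERSION}`, is always applied on top. Keeping `tag: ""` here would leave `appVersion` as the single source of truth. The removed comment was the only pointer to where valid tags are listed, so I would add an equivalent line naming the registry the tags now come from.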
@@ -265,3 +265,34 @@ imagePullSecrets: {{- end -}} {{- end -}} +{{/* +Return the proper Docker Image Registry Secret Names +*/}} +{{- define "open-webui-redis.imagePullSecrets" -}} +{{/* +Helm 2.11 supports the assignment of a value to a variable defined in a different scope, +but Helm 2.9 and 2.10 does not support it, so we need to implement this if-else logic. +Also, we can not use a single if because lazy evaluation is not an option +*/}} +{{- if .Values.global }} +{{- if .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + {{- $imagePullSecrets := list }} + {{- if kindIs "string" . }} + {{- $imagePullSecrets = append $imagePullSecrets (dict "name" .) }} + {{- else }} + {{- $imagePullSecrets = append $imagePullSecrets . }} + {{- end }} + {{- toYaml $imagePullSecrets | nindent 2 }} +{{- end }} +{{- else if .Values.websocket.redis.imagePullSecrets }} +imagePullSecrets: + {{ toYaml .Values.websocket.redis.imagePullSecrets }} +{{- end -}} +{{- else if .Values.websocket.redis.imagePullSecrets }} +imagePullSecrets: + {{ toYaml .Values.websocket.redis.imagePullSecrets }} +{{- end -}} +{{- end -}} + diff --git a/packages/open-webui/0.6/templates/websocket-redis.yaml b/packages/open-webui/0.6/templates/websocket-redis.yaml index 8b652f5..697f938 100644 --- a/packages/open-webui/0.6/templates/websocket-redis.yaml +++ b/packages/open-webui/0.6/templates/websocket-redis.yaml 
@@ -26,13 +26,10 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} spec: - {{- if .Values.websocket.redis.image.pullSecretName }} - imagePullSecrets: - - name: {{ .Values.websocket.redis.image.pullSecretName }} - {{- end }} + {{- include "open-webui-redis.imagePullSecrets" . | nindent 6 }} containers: - name: {{ .Values.websocket.redis.name }} - image: "{{ .Values.websocket.redis.image.repository }}:{{ .Values.websocket.redis.image.tag }}" + image: "{{ with (coalesce .Values.global.imageRegistry .Values.websocket.redis.image.registry) }}{{ . }}/{{ end }}{{ .Values.websocket.redis.image.repository }}:{{ .Values.websocket.redis.image.tag }}" imagePullPolicy: {{ .Values.websocket.redis.image.pullPolicy }} {{- with .Values.websocket.redis.command }} command: diff --git a/packages/open-webui/0.6/values.yaml b/packages/open-webui/0.6/values.yaml index 82b3e6e..9b8d4e8 100644 --- a/packages/open-webui/0.6/values.yaml +++ b/packages/open-webui/0.6/values.yaml @@ -67,8 +67,13 @@ websocket: annotations: {} # -- Redis image image: - repository: redis - tag: 7.4.2-alpine3.21 + # -- Image registry to use for the redis container + registry: dp.apps.rancher.io + # -- Image repository to use for the redis container + repository: containers/redis + # -- Image tag to use for the redis container + tag: "7.4.2" + # -- Image pull policy to use for the redis container pullPolicy: IfNotPresent # -- Redis command (overrides default) command: [] 07070100000005000081a400000000000000000000000168f6b9ad00000e07000000000000000000000000000000000000004000000000patches/0006-Doc-Changes-and-Additional-EnvVar-WEBUI_NAME.patchdiff --git a/packages/open-webui/0.6/README.md b/packages/open-webui/0.6/README.md index cc60ec4..70.6ac9 100644 --- a/packages/open-webui/0.6/README.md +++ b/packages/open-webui/0.6/README.md 
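Review bot: In templates/websocket-redis.yaml the redis pod no longer reads `websocket.redis.image.pullSecretName`; the new helper only consults `global.imagePullSecrets` and `websocket.redis.imagePullSecrets`. A release that set the old key would upgrade to a pod with no pull secret and fail to pull from a private registry. Either keep honouring the old key inside `open-webui-redis.imagePullSecrets` or fail loudly during rendering, e.g. `{{- if .Values.websocket.redis.image.pullSecretName }}{{ fail "websocket.redis.image.pullSecretName was replaced by websocket.redis.imagePullSecrets" }}{{- end }}`. The visible values.yaml hunk in the same patch adds no default or doc comment for `websocket.redis.imagePullSecrets`, so the replacement key is undocumented.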
@@ -73,7 +73,7 @@ oci://dp.apps.rancher.io/charts/open-webui | nameOverride | string | `""` | | | namespaceOverride | string | `""` | | | nodeSelector | object | `{}` | Node labels for pod assignment. | -| ollama.enabled | bool | `true` | Automatically install Ollama Helm chart from https://otwld.github.io/ollama-helm/. Use [Helm Values](https://github.com/otwld/ollama-helm/#helm-values) to configure | +| ollama.enabled | bool | `true` | Automatically install Ollama Helm chart from dp.apps.rancher.io/charts/ollama | | ollama.fullnameOverride | string | `"open-webui-ollama"` | If enabling embedded Ollama, update fullnameOverride to your desired Ollama name value, or else it will use the default ollama.name value from the Ollama chart | | ollamaUrls | list | `[]` | A list of Ollama API endpoints. These can be added in lieu of automatically installing the Ollama Helm chart, or in addition to it. | | ollamaUrlsFromExtraEnv | bool | `false` | Disables taking Ollama Urls from `ollamaUrls` list | 
@@ -138,4 +138,33 @@ oci://dp.apps.rancher.io/charts/open-webui ---------------------------------------------- +TLS sources: +- +-There are three recommended options for the source of the certificate: +- +-- **Self-Signed (suse-private-ai) TLS certificate:** This is the default option. In this case, you will need to install cert-manager into the cluster. suse-private-ai utilizes cert-manager to issue and maintain its certificates. suse-private-ai will generate a CA certificate of its own, and sign a cert using that CA. cert-manager is then responsible for managing that certificate. +- +-- **Let's Encrypt (letsEncrypt):** The Let's Encrypt option also uses cert-manager. However, in this case, cert-manager is combined with a special Issuer for Let's Encrypt that performs all actions (including request and validation) necessary for getting a Let's Encrypt issued cert. This configuration uses HTTP validation (HTTP-01), so the load balancer must have a public DNS record and be accessible from the internet. +- +-- **Bring your own certificate:** This option allows you to bring your own signed certificate. suse-private-ai will use that certificate to secure HTTPS traffic. In this case, you must upload this certificate (and associated key) as PEM-encoded files with the name tls.crt and tls.key. 
+- +-| Configuration | Helm Chart Option | Requires cert-manager | +-| ------------------------------ | ----------------------- | ------------------------------------- | +-| Self-Signed (suse-private-ai) Generated Certificates (Default) | `global.tls.source=suse-private-ai` | yes | +-| Let’s Encrypt | `global.tls.source=letsEncrypt` | yes | +-| Certificates from Files | `global.tls.source=secret` | no | +- +- +-Integration with Milvus DB: +- +-```console +-helm install my-release \ +---set 'global.imagePullSecrets[0].name'=my-pull-secrets \ +---set 'persistence.storageClass'=my-storage-class \ +---set 'ingress.host'=my-host \ +---set 'extraEnvVars[0].name=VECTOR_DB' --set 'extraEnvVars[0].value=milvus' \ +---set 'extraEnvVars[1].name=MILVUS_URI' --set-string 'extraEnvVars[1].value=http://' \ +-oci://dp.apps.rancher.io/charts/open-webui +-``` + Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/helm-docs/). -- 2.39.5 (Apple Git-154) 07070100000006000081a400000000000000000000000168f6b9ad00000530000000000000000000000000000000000000001700000000patches/Chart.yaml.tpl# SPDX-License-Identifier: MIT #!BuildTag: charts/open-webui:${VERSION}-%RELEASE% #!BuildTag: charts/open-webui:${VERSION} annotations: licenses: MIT helm.sh/images: | - image: ${CONTAINER_REGISTRY}/containers/open-webui:${APP_VERSION} name: open-webui apiVersion: v2 name: open-webui version: ${VERSION} appVersion: ${APP_VERSION} home: https://apps.rancher.io/applications/open-webui icon: https://apps.rancher.io/logos/open-webui.png description: "Open WebUI is an extensible, feature-rich, and user-friendly self-hosted WebUI designed to operate entirely offline. It supports various LLM runners, including Ollama and OpenAI-compatible APIs." 
keywords: - llm - chat - web-ui maintainers: - url: https://www.suse.com name: SUSE LLC dependencies: - name: ollama version: 1.26.0 repository: oci://dp.apps.rancher.io/charts import-values: - child: service parent: ollama.service condition: ollama.enabled - name: open-webui-pipelines alias: pipelines version: 0.5.0 repository: oci://dp.apps.rancher.io/charts import-values: - child: service parent: pipelines.service condition: pipelines.enabled - name: apache-tika alias: tika repository: oci://dp.apps.rancher.io/charts version: 3.2.2 condition: tika.enabled 07070100000007000081a400000000000000000000000168f6b9ad0000039d000000000000000000000000000000000000001d00000000patches/values-suse.yaml.tplglobal: tls: # options: suse-private-ai, letsEncrypt, secret source: suse-private-ai issuerName: suse-private-ai # This section to be filled out when using letsEncrypt as the tls source letsEncrypt: environment: staging email: none@example.com ingress: class: "" # Additional Trusted CAs. # Enable this flag and add your CA certs as a secret named tls-ca-additional in the suse-private-ai namespace. additionalTrustedCAs: false image: registry: ${CONTAINER_REGISTRY} repository: containers/open-webui tag: ${APP_VERSION} pipelines: enabled: false ingress: enabled: true class: "" annotations: nginx.ingress.kubernetes.io/ssl-redirect: "true" host: "" tls: true existingSecret: "" websocket: enabled: true redis: enabled: true image: registry: ${CONTAINER_REGISTRY} repository: containers/redis tag: "8.0.2" 07070100000008000041ed00000000000000000000000168f6b9ad00000000000000000000000000000000000000000000000800000000patches07070100000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000b00000000TRAILER!!!