Support templated values for numerous values

charts/open-webui/CHANGELOG.md

@@ -6,6 +6,12 @@ All notable changes to the Open WebUI Helm chart will be documented in this file
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [v12.12.0]
+
+### Changed
+Update many values to support templated values.
+Allow using existing secret for OAuth ClientID and existing configmap for OAuth Provider URL
+
 ## [v12.11.0]
 
 ### Changed

charts/open-webui/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: open-webui
-version: 12.11.0
+version: 12.12.0
 appVersion: 0.8.11
 home: https://www.openwebui.com/
 icon: >-

charts/open-webui/README.md

@@ -1,6 +1,6 @@
 # open-webui
 
-![Version: 12.11.0](https://img.shields.io/badge/Version-12.11.0-informational?style=flat-square) ![AppVersion: 0.8.11](https://img.shields.io/badge/AppVersion-0.8.11-informational?style=flat-square)
+![Version: 12.12.0](https://img.shields.io/badge/Version-12.12.0-informational?style=flat-square) ![AppVersion: 0.8.11](https://img.shields.io/badge/AppVersion-0.8.11-informational?style=flat-square)
 
 Open WebUI: A User-Friendly Web Interface for Chat Interactions 👋
 
@@ -293,8 +293,11 @@ Please consult the [CHANGELOG](CHANGELOG.md) for important upgrade notes and bre
 | sso.oidc.clientExistingSecret | string | `""` | OICD client secret from existing secret |
 | sso.oidc.clientExistingSecretKey | string | `""` | OIDC client secret key from existing secret |
 | sso.oidc.clientId | string | `""` | OIDC client ID |
+| sso.oidc.clientIdExistingSecretKey | string | `""` | OIDC client ID key from existing secret |
 | sso.oidc.clientSecret | string | `""` | OIDC client secret (ignored if clientExistingSecret is set) |
 | sso.oidc.enabled | bool | `false` | Enable OIDC authentication |
+| sso.oidc.existingConfig | string | `""` | OIDC configuration existing configmap |
+| sso.oidc.existingConfigProviderUrlKey | string | `""` | OIDC provider URL key in the existing configmap |
 | sso.oidc.providerName | string | `"SSO"` | Name of the provider to show on the UI |
 | sso.oidc.providerUrl | string | `""` | OIDC provider well known URL |
 | sso.oidc.scopes | string | `"openid email profile"` | Scopes to request (space-separated). |

charts/open-webui/templates/_helpers.tpl

@@ -121,7 +121,7 @@ app.kubernetes.io/component: {{ .Chart.Name }}
 
 {{- define "open-webui.extraLabels" -}}
 {{- with .Values.extraLabels }}
-{{- toYaml . }}
+{{- tpl (toYaml .) $ }}
 {{- end }}
 {{- end }}
 
@@ -298,20 +298,25 @@ used to populate the variable WEBUI_URL
 {{- end }}
 
 {{/*
-Convert a map of environment variables to Kubernetes env var format
+Convert a map of environment variables to Kubernetes env var format.
+Accepts a dict with keys "envVars" (the env var data) and "root" (the root Helm context).
 */}}
 {{- define "open-webui.env" -}}
-{{- if kindIs "map" . }}
-  {{- range $key, $val := . }}
+{{- $root := .root -}}
+{{- $envVars := .envVars -}}
+{{- if kindIs "map" $envVars }}
+  {{- range $key, $val := $envVars }}
 - name: {{ $key }}
     {{- if kindIs "map" $val }}
-      {{- toYaml $val | nindent 2 }}
+      {{- tpl (toYaml $val) $root | nindent 2 }}
+    {{- else if kindIs "string" $val }}
+  value: {{ tpl $val $root | quote }}
     {{- else }}
   value: {{ $val | quote }}
     {{- end }}
   {{- end }}
 {{- else }}
-  {{- toYaml . }}
+  {{- tpl (toYaml $envVars) $root }}
 {{- end }}
 {{- end }}
 

charts/open-webui/templates/service.yaml

@@ -6,7 +6,7 @@ metadata:
   labels:
     {{- include "open-webui.labels" . | nindent 4 }}
     {{- with .Values.service.labels }}
-    {{- toYaml . | nindent 4 }}
+    {{- tpl (toYaml .) $ | nindent 4 }}
     {{- end }}
   {{- with .Values.service.annotations }}
   annotations:

charts/open-webui/templates/workload-manager.yaml

@@ -41,7 +41,7 @@ spec:
       labels:
         {{- include "open-webui.labels" . | nindent 8 }}
         {{- with .Values.podLabels }}
-        {{- toYaml . | nindent 8 }}
+        {{- tpl (toYaml .) $ | nindent 8 }}
         {{- end }}
       {{- with .Values.podAnnotations }}
       annotations:
@@ -50,7 +50,7 @@ spec:
     spec:
       {{- with .Values.imagePullSecrets }}
       imagePullSecrets:
-        {{- toYaml . | nindent 8 }}
+        {{- tpl (toYaml .) $ | nindent 8 }}
       {{- end }}
       {{- with .Values.priorityClassName }}
       priorityClassName: {{ . }}
@@ -156,15 +156,15 @@ spec:
         {{- if and .Values.enableOpenaiApi .Values.openaiBaseApiUrl (not .Values.openaiBaseApiUrls) (not .Values.pipelines.enabled) }}
         # If only an OpenAI API value is set, set it to OPENAI_API_BASE_URL
         - name: "OPENAI_API_BASE_URL"
-          value: {{ .Values.openaiBaseApiUrl | quote }}
+          value: {{ tpl .Values.openaiBaseApiUrl . | quote }}
         {{- if .Values.openaiApiKey }}
         - name: "OPENAI_API_KEY"
           value: {{ .Values.openaiApiKey | quote }}
         {{- end }}
         {{- else if and .Values.enableOpenaiApi .Values.openaiBaseApiUrl .Values.pipelines.enabled (not .Values.openaiBaseApiUrls) }}
         # If Pipelines is enabled and OpenAI API value is set, use OPENAI_API_BASE_URLS with combined values
         - name: "OPENAI_API_BASE_URLS"
-          value: "{{ include "pipelines.serviceEndpoint" . }};{{ .Values.openaiBaseApiUrl }}"
+          value: "{{ include "pipelines.serviceEndpoint" . }};{{ tpl .Values.openaiBaseApiUrl . }}"
         {{- if .Values.openaiApiKeys }}
         - name: "OPENAI_API_KEYS"
           value: {{ .Values.openaiApiKeys | join ";" | quote }}
@@ -324,19 +324,33 @@ spec:
         {{- end }}
         {{- if .Values.sso.oidc.enabled }}
         - name: "OAUTH_CLIENT_ID"
+        {{- if and .Values.sso.oidc.clientExistingSecret .Values.sso.oidc.clientIdExistingSecretKey }}
+          valueFrom:
+            secretKeyRef:
+              name: {{ tpl .Values.sso.oidc.clientExistingSecret . | quote }}
+              key: {{ tpl .Values.sso.oidc.clientIdExistingSecretKey . | quote }}
+        {{- else }}
           value: {{ .Values.sso.oidc.clientId | quote }}
+        {{- end }}
         {{- include "sso.validateClientSecret" (dict "provider" "oidc" "values" .Values.sso) }}
         - name: "OAUTH_CLIENT_SECRET"
         {{- if .Values.sso.oidc.clientExistingSecret }}
           valueFrom:
             secretKeyRef:
-              name: {{ .Values.sso.oidc.clientExistingSecret | quote }}
-              key: {{ .Values.sso.oidc.clientExistingSecretKey | quote }}
+              name: {{ tpl .Values.sso.oidc.clientExistingSecret . | quote }}
+              key: {{ tpl .Values.sso.oidc.clientExistingSecretKey . | quote }}
         {{- else }}
           value: {{ .Values.sso.oidc.clientSecret | quote }}
         {{- end }}
         - name: "OPENID_PROVIDER_URL"
+        {{- if .Values.sso.oidc.existingConfig }}
+          valueFrom:
+            configMapKeyRef:
+              name: {{ tpl .Values.sso.oidc.existingConfig . | quote }}
+              key: {{ tpl .Values.sso.oidc.existingConfigProviderUrlKey . | quote }}
+        {{- else }}
           value: {{ .Values.sso.oidc.providerUrl | quote }}
+        {{- end }}
         - name: "OAUTH_PROVIDER_NAME"
           value: {{ .Values.sso.oidc.providerName | quote }}
         - name: "OAUTH_SCOPES"
@@ -349,11 +363,11 @@ spec:
           value: {{ .Values.sso.roleManagement.rolesClaim | quote }}
         {{- if .Values.sso.roleManagement.allowedRoles }}
         - name: "OAUTH_ALLOWED_ROLES"
-          value: {{ .Values.sso.roleManagement.allowedRoles | quote }}
+          value: {{ tpl .Values.sso.roleManagement.allowedRoles . | quote }}
         {{- end }}
         {{- if .Values.sso.roleManagement.adminRoles }}
         - name: "OAUTH_ADMIN_ROLES"
-          value: {{ .Values.sso.roleManagement.adminRoles | quote }}
+          value: {{ tpl .Values.sso.roleManagement.adminRoles . | quote }}
         {{- end }}
         {{- end }}
         {{- if .Values.sso.enableGroupManagement }}
@@ -384,19 +398,19 @@ spec:
         {{- end }}
         {{- end }}
         {{- if .Values.extraEnvVars }}
-          {{- include "open-webui.env" .Values.extraEnvVars | nindent 8 }}
+          {{- include "open-webui.env" (dict "envVars" .Values.extraEnvVars "root" .) | nindent 8 }}
         {{- end }}
         {{- if .Values.commonEnvVars }}
-          {{- toYaml .Values.commonEnvVars | nindent 8 }}
+          {{- tpl (toYaml .Values.commonEnvVars) . | nindent 8 }}
         {{- end }}
         {{- if .Values.extraEnvFrom }}
         envFrom:
-          {{- toYaml .Values.extraEnvFrom | nindent 8 }}
+          {{- tpl (toYaml .Values.extraEnvFrom) . | nindent 8 }}
         {{- end }}
         tty: true
       {{- with .Values.nodeSelector }}
       nodeSelector:
-        {{- toYaml . | nindent 8 }}
+        {{- tpl (toYaml .) $ | nindent 8 }}
       {{- end }}
       {{- with .Values.tolerations }}
       tolerations:

charts/open-webui/values.yaml

@@ -691,12 +691,21 @@ sso:
     # -- OICD client secret from existing secret
     # @section -- OIDC configuration
     clientExistingSecret: ""
+    # -- OIDC client ID key from existing secret
+    # @section -- OIDC configuration
+    clientIdExistingSecretKey: ""
     # -- OIDC client secret key from existing secret
     # @section -- OIDC configuration
     clientExistingSecretKey: ""
     # -- OIDC provider well known URL
     # @section -- OIDC configuration
     providerUrl: ""
+    # -- OIDC configuration existing configmap
+    # @section -- OIDC configuration
+    existingConfig: ""
+    # -- OIDC provider URL key in the existing configmap
+    # @section -- OIDC configuration
+    existingConfigProviderUrlKey: ""
     # -- Name of the provider to show on the UI
     # @section -- OIDC configuration
     providerName: "SSO"