apiVersion: apps/v1 kind: Deployment metadata: name: open-webui namespace: ai spec: replicas: 1 selector: matchLabels: app: open-webui template: metadata: labels: app: open-webui spec: containers: - name: open-webui image: ghcr.io/open-webui/open-webui:latest ports: - containerPort: 8080 env: # LiteLLM comme backend OpenAI-compatible - name: OPENAI_API_BASE_URL value: "http://192.168.10.1:4000/v1" - name: OPENAI_API_KEY valueFrom: secretKeyRef: name: open-webui-secret key: litellm-api-key # PostgreSQL — migrations automatiques au démarrage - name: DATABASE_URL valueFrom: secretKeyRef: name: open-webui-secret key: database-url # Clé de session - name: WEBUI_SECRET_KEY valueFrom: secretKeyRef: name: open-webui-secret key: webui-secret-key # Désactiver Ollama (on passe par LiteLLM) - name: ENABLE_OLLAMA_API value: "false" - name: OLLAMA_BASE_URL value: "" # Nom affiché dans l'interface - name: WEBUI_NAME value: "Funk AI" - name: DEFAULT_LOCALE value: "fr-FR" # --- SSO OIDC → Authentik (app « openwebui ») --- # Découverte server-side + navigateur sur l'URL publique (le pod la joint # via hairpin). Redirect URI Authentik : .../oauth/oidc/callback - name: WEBUI_URL value: "https://openwebui.funklab.online" - name: ENABLE_OAUTH_SIGNUP value: "true" - name: OAUTH_PROVIDER_NAME value: "Authentik" - name: OPENID_PROVIDER_URL value: "https://auth.funklab.online/application/o/openwebui/.well-known/openid-configuration" - name: OAUTH_CLIENT_ID value: "openwebui" - name: OAUTH_CLIENT_SECRET valueFrom: secretKeyRef: name: open-webui-oauth key: client-secret - name: OAUTH_SCOPES value: "openid email profile" # Nouveaux comptes OIDC directement utilisables (sinon 'pending' = à valider) - name: DEFAULT_USER_ROLE value: "user" volumeMounts: - name: data mountPath: /app/backend/data resources: requests: cpu: 200m memory: 512Mi limits: cpu: 1000m memory: 2Gi readinessProbe: httpGet: path: /health port: 8080 initialDelaySeconds: 30 periodSeconds: 10 volumes: - name: data persistentVolumeClaim: claimName: open-webui-data