Funk-lab/k8s/apps/open-webui/deployment.yaml
alkatrazz 0230200863 feat(apps): Open WebUI (OIDC) + n8n sur le domaine public HTTPS
- open-webui : SSO OIDC Authentik (app openwebui) + route
  openwebui.funklab.online. Secret vault_openwebui_oauth_client_secret
  (= secret k8s ai/open-webui-oauth). Nouveaux comptes en rôle 'user'.
- n8n : route n8n.funklab.online (garde son propre login ; route interne
  n8n.lab.local conservée pour le webhook AlertManager)

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-07 17:10:02 +02:00

94 lines
3 KiB
YAML

apiVersion: apps/v1
kind: Deployment
metadata:
name: open-webui
namespace: ai
spec:
replicas: 1
selector:
matchLabels:
app: open-webui
template:
metadata:
labels:
app: open-webui
spec:
containers:
- name: open-webui
image: ghcr.io/open-webui/open-webui:latest
ports:
- containerPort: 8080
env:
# LiteLLM comme backend OpenAI-compatible
- name: OPENAI_API_BASE_URL
value: "http://192.168.10.1:4000/v1"
- name: OPENAI_API_KEY
valueFrom:
secretKeyRef:
name: open-webui-secret
key: litellm-api-key
# PostgreSQL — migrations automatiques au démarrage
- name: DATABASE_URL
valueFrom:
secretKeyRef:
name: open-webui-secret
key: database-url
# Clé de session
- name: WEBUI_SECRET_KEY
valueFrom:
secretKeyRef:
name: open-webui-secret
key: webui-secret-key
# Désactiver Ollama (on passe par LiteLLM)
- name: ENABLE_OLLAMA_API
value: "false"
- name: OLLAMA_BASE_URL
value: ""
# Nom affiché dans l'interface
- name: WEBUI_NAME
value: "Funk AI"
- name: DEFAULT_LOCALE
value: "fr-FR"
# --- SSO OIDC → Authentik (app « openwebui ») ---
# Découverte server-side + navigateur sur l'URL publique (le pod la joint
# via hairpin). Redirect URI Authentik : .../oauth/oidc/callback
- name: WEBUI_URL
value: "https://openwebui.funklab.online"
- name: ENABLE_OAUTH_SIGNUP
value: "true"
- name: OAUTH_PROVIDER_NAME
value: "Authentik"
- name: OPENID_PROVIDER_URL
value: "https://auth.funklab.online/application/o/openwebui/.well-known/openid-configuration"
- name: OAUTH_CLIENT_ID
value: "openwebui"
- name: OAUTH_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: open-webui-oauth
key: client-secret
- name: OAUTH_SCOPES
value: "openid email profile"
# Nouveaux comptes OIDC directement utilisables (sinon 'pending' = à valider)
- name: DEFAULT_USER_ROLE
value: "user"
volumeMounts:
- name: data
mountPath: /app/backend/data
resources:
requests:
cpu: 200m
memory: 512Mi
limits:
cpu: 1000m
memory: 2Gi
readinessProbe:
httpGet:
path: /health
port: 8080
initialDelaySeconds: 30
periodSeconds: 10
volumes:
- name: data
persistentVolumeClaim:
claimName: open-webui-data