Enhance Authentik and Newt configurations to support Open WebUI integration. Add necessary environment variables and secrets management for Open WebUI in .env.sample and Ansible tasks. Update README to clarify setup steps for automating HTTP resources with Pangolin, ensuring consistency with new branding and deployment practices.
@@ -195,6 +195,69 @@
|
||||
- (noble_authentik_cs_o2_from_env.stdout | default('') | trim | length) > 0
|
||||
no_log: true
|
||||
|
||||
- name: Load NOBLE_AUTHENTIK_CLIENT_SECRET_OPEN_WEBUI from .env when unset
|
||||
ansible.builtin.shell: |
|
||||
set -a
|
||||
. "{{ noble_repo_root }}/.env"
|
||||
set +a
|
||||
printf '%s' "${NOBLE_AUTHENTIK_CLIENT_SECRET_OPEN_WEBUI:-}"
|
||||
register: noble_authentik_cs_ow_from_env
|
||||
when:
|
||||
- noble_authentik_dotenv_stat.stat.exists | default(false)
|
||||
- noble_authentik_client_secret_open_webui | default('') | length == 0
|
||||
changed_when: false
|
||||
no_log: true
|
||||
|
||||
- name: Apply NOBLE_AUTHENTIK_CLIENT_SECRET_OPEN_WEBUI from .env
|
||||
ansible.builtin.set_fact:
|
||||
noble_authentik_client_secret_open_webui: "{{ noble_authentik_cs_ow_from_env.stdout | trim }}"
|
||||
when:
|
||||
- noble_authentik_cs_ow_from_env is defined
|
||||
- (noble_authentik_cs_ow_from_env.stdout | default('') | trim | length) > 0
|
||||
no_log: true
|
||||
|
||||
- name: Load NOBLE_OPEN_WEBUI_OPENAI_API_KEY from .env when unset
|
||||
ansible.builtin.shell: |
|
||||
set -a
|
||||
. "{{ noble_repo_root }}/.env"
|
||||
set +a
|
||||
printf '%s' "${NOBLE_OPEN_WEBUI_OPENAI_API_KEY:-}"
|
||||
register: noble_open_webui_openai_from_env
|
||||
when:
|
||||
- noble_authentik_dotenv_stat.stat.exists | default(false)
|
||||
- noble_open_webui_openai_api_key | default('') | length == 0
|
||||
changed_when: false
|
||||
no_log: true
|
||||
|
||||
- name: Apply NOBLE_OPEN_WEBUI_OPENAI_API_KEY from .env
|
||||
ansible.builtin.set_fact:
|
||||
noble_open_webui_openai_api_key: "{{ noble_open_webui_openai_from_env.stdout | trim }}"
|
||||
when:
|
||||
- noble_open_webui_openai_from_env is defined
|
||||
- (noble_open_webui_openai_from_env.stdout | default('') | trim | length) > 0
|
||||
no_log: true
|
||||
|
||||
- name: Load NOBLE_OPEN_WEBUI_WEBUI_SECRET_KEY from .env when unset
|
||||
ansible.builtin.shell: |
|
||||
set -a
|
||||
. "{{ noble_repo_root }}/.env"
|
||||
set +a
|
||||
printf '%s' "${NOBLE_OPEN_WEBUI_WEBUI_SECRET_KEY:-}"
|
||||
register: noble_open_webui_webui_secret_from_env
|
||||
when:
|
||||
- noble_authentik_dotenv_stat.stat.exists | default(false)
|
||||
- noble_open_webui_webui_secret_key | default('') | length == 0
|
||||
changed_when: false
|
||||
no_log: true
|
||||
|
||||
- name: Apply NOBLE_OPEN_WEBUI_WEBUI_SECRET_KEY from .env
|
||||
ansible.builtin.set_fact:
|
||||
noble_open_webui_webui_secret_key: "{{ noble_open_webui_webui_secret_from_env.stdout | trim }}"
|
||||
when:
|
||||
- noble_open_webui_webui_secret_from_env is defined
|
||||
- (noble_open_webui_webui_secret_from_env.stdout | default('') | trim | length) > 0
|
||||
no_log: true
|
||||
|
||||
- name: Load NOBLE_AUTHENTIK_OAUTH2_PROXY_COOKIE_SECRET from .env when unset
|
||||
ansible.builtin.shell: |
|
||||
set -a
|
||||
|
||||
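Review bot: The new `Load NOBLE_AUTHENTIK_CLIENT_SECRET_OPEN_WEBUI from .env when unset` task and the two Load tasks after it execute the dotenv file as shell via `. "{{ noble_repo_root }}/.env"`, so any command placed in that file runs with the playbook's privileges, while the `when` guard only checks that the file exists. The same register is presumably an `ansible.builtin.stat` result (the stat task is outside this hunk), so its mode can be checked before sourcing with one extra condition in each of the three `when` lists, e.g. `- noble_authentik_dotenv_stat.stat.mode | default('') in ['0600', '0400']`, which makes the "only a locked-down .env is trusted" assumption explicit rather than implicit. The pattern is copied from the existing Load/Apply pairs above the hunk, so the same guard would belong there too if it is adopted.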
@@ -22,9 +22,16 @@
|
||||
- noble_authentik_client_secret_grafana | default('') | length > 0
|
||||
- noble_authentik_client_secret_headlamp | default('') | length > 0
|
||||
- noble_authentik_client_secret_oauth2_proxy | default('') | length > 0
|
||||
- noble_authentik_client_secret_open_webui | default('') | length > 0
|
||||
- noble_authentik_oauth2_proxy_cookie_secret | default('') | length > 0
|
||||
- noble_open_webui_openai_api_key | default('') | length > 0
|
||||
- noble_open_webui_webui_secret_key | default('') | length > 0
|
||||
- noble_open_webui_public_host | default('') | trim | length > 0
|
||||
fail_msg: >-
|
||||
Authentik requires secrets in .env (see ansible/roles/noble_authentik/README.md) or matching -e extra-vars.
|
||||
Includes Open WebUI: NOBLE_AUTHENTIK_CLIENT_SECRET_OPEN_WEBUI, NOBLE_OPEN_WEBUI_OPENAI_API_KEY,
|
||||
NOBLE_OPEN_WEBUI_WEBUI_SECRET_KEY (see .env.sample). Set **noble_open_webui_public_host** (must match
|
||||
**clusters/noble/apps/open-webui/values.yaml** ingress host; see README Pangolin section).
|
||||
|
||||
- name: Require Authentik S3 media settings (same endpoint/keys as Velero; dedicated bucket)
|
||||
ansible.builtin.assert:
|
||||
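Review bot: The three new secret checks (`noble_authentik_client_secret_open_webui`, `noble_open_webui_openai_api_key`, `noble_open_webui_webui_secret_key`) test `length > 0` without `trim`, unlike the `noble_open_webui_public_host` line directly below them, so a whitespace-only value supplied via `-e` passes the assert and is later written into the Kubernetes Secret unchanged. Making the new lines consistent, e.g. `- noble_open_webui_openai_api_key | default('') | trim | length > 0`, closes that gap. The `**…**` markers in `fail_msg` are emitted literally by Ansible's console output, so plain quoting of `noble_open_webui_public_host` and the values.yaml path would read cleaner. The `ansible.builtin.assert` task these conditions belong to starts outside the hunk.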
@@ -566,6 +573,32 @@
|
||||
no_log: true
|
||||
changed_when: true
|
||||
|
||||
- name: Ensure open-webui namespace exists (Secret before Argo first sync)
|
||||
ansible.builtin.shell: |
|
||||
set -euo pipefail
|
||||
kubectl create namespace open-webui --dry-run=client -o yaml | kubectl apply -f -
|
||||
environment:
|
||||
KUBECONFIG: "{{ noble_kubeconfig }}"
|
||||
when: noble_authentik_configure_idp | default(true) | bool
|
||||
changed_when: true
|
||||
|
||||
- name: Create Open WebUI secrets (OpenAI + WEBUI + OIDC client secret)
|
||||
ansible.builtin.shell: |
|
||||
set -euo pipefail
|
||||
kubectl -n open-webui create secret generic open-webui-secrets \
|
||||
--from-literal=OPENAI_API_KEY="${OPENAI_API_KEY}" \
|
||||
--from-literal=WEBUI_SECRET_KEY="${WEBUI_SECRET_KEY}" \
|
||||
--from-literal=OAUTH_CLIENT_SECRET="${OAUTH_CLIENT_SECRET}" \
|
||||
--dry-run=client -o yaml | kubectl apply -f -
|
||||
environment:
|
||||
KUBECONFIG: "{{ noble_kubeconfig }}"
|
||||
OPENAI_API_KEY: "{{ noble_open_webui_openai_api_key }}"
|
||||
WEBUI_SECRET_KEY: "{{ noble_open_webui_webui_secret_key }}"
|
||||
OAUTH_CLIENT_SECRET: "{{ noble_authentik_client_secret_open_webui }}"
|
||||
no_log: true
|
||||
when: noble_authentik_configure_idp | default(true) | bool
|
||||
changed_when: true
|
||||
|
||||
- name: Create oauth2-proxy credentials Secret (OIDC to Authentik; not BasicAuth)
|
||||
ansible.builtin.shell: |
|
||||
set -euo pipefail
|
||||
|
||||
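Review bot: In `Create Open WebUI secrets`, the three `--from-literal=…="${…}"` arguments are expanded by the shell before `kubectl create` starts, so the secret values appear in that process's argv on the controller for as long as it runs; passing them through `environment:` with `no_log: true` keeps them out of Ansible's logs but not out of process listings. Writing the values to a `umask 077` temporary file and using `--from-env-file` keeps them off the command line, as sketched below (values must not contain newlines for the env-file format). The following `Create oauth2-proxy credentials Secret` task is cut off at the end of the hunk but appears to begin the same way, so the same treatment likely applies there.
```yaml
  ansible.builtin.shell: |
    set -euo pipefail
    umask 077
    tmp="$(mktemp)"
    trap 'rm -f "$tmp"' EXIT
    printf 'OPENAI_API_KEY=%s\nWEBUI_SECRET_KEY=%s\nOAUTH_CLIENT_SECRET=%s\n' \
      "$OPENAI_API_KEY" "$WEBUI_SECRET_KEY" "$OAUTH_CLIENT_SECRET" > "$tmp"
    kubectl -n open-webui create secret generic open-webui-secrets \
      --from-env-file="$tmp" \
      --dry-run=client -o yaml | kubectl apply -f -
  # … unchanged: environment, no_log, when, changed_when …
```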