Enhance Authentik and Newt configurations to support Open WebUI integration. Add necessary environment variables and secrets management for Open WebUI in .env.sample and Ansible tasks. Update README to clarify setup steps for automating HTTP resources with Pangolin, ensuring consistency with new branding and deployment practices.

2026-05-15 00:04:34 -04:00
parent 97da42b15c
commit 2fb86f5930
18 changed files with 674 additions and 45 deletions
--- a/ansible/roles/noble_authentik/tasks/main.yml
+++ b/ansible/roles/noble_authentik/tasks/main.yml
@@ -22,9 +22,16 @@
          - noble_authentik_client_secret_grafana | default('') | length > 0
          - noble_authentik_client_secret_headlamp | default('') | length > 0
          - noble_authentik_client_secret_oauth2_proxy | default('') | length > 0
+          - noble_authentik_client_secret_open_webui | default('') | length > 0
          - noble_authentik_oauth2_proxy_cookie_secret | default('') | length > 0
+          - noble_open_webui_openai_api_key | default('') | length > 0
+          - noble_open_webui_webui_secret_key | default('') | length > 0
+          - noble_open_webui_public_host | default('') | trim | length > 0
        fail_msg: >-
          Authentik requires secrets in .env (see ansible/roles/noble_authentik/README.md) or matching -e extra-vars.
+          Includes Open WebUI: NOBLE_AUTHENTIK_CLIENT_SECRET_OPEN_WEBUI, NOBLE_OPEN_WEBUI_OPENAI_API_KEY,
+          NOBLE_OPEN_WEBUI_WEBUI_SECRET_KEY (see .env.sample). Set **noble_open_webui_public_host** (must match
+          **clusters/noble/apps/open-webui/values.yaml** ingress host; see README Pangolin section).

    - name: Require Authentik S3 media settings (same endpoint/keys as Velero; dedicated bucket)
      ansible.builtin.assert:
@@ -566,6 +573,32 @@
      no_log: true
      changed_when: true

+    - name: Ensure open-webui namespace exists (Secret before Argo first sync)
+      ansible.builtin.shell: |
+        set -euo pipefail
+        kubectl create namespace open-webui --dry-run=client -o yaml | kubectl apply -f -
+      environment:
+        KUBECONFIG: "{{ noble_kubeconfig }}"
+      when: noble_authentik_configure_idp | default(true) | bool
+      changed_when: true
+
+    - name: Create Open WebUI secrets (OpenAI + WEBUI + OIDC client secret)
+      ansible.builtin.shell: |
+        set -euo pipefail
+        kubectl -n open-webui create secret generic open-webui-secrets \
+          --from-literal=OPENAI_API_KEY="${OPENAI_API_KEY}" \
+          --from-literal=WEBUI_SECRET_KEY="${WEBUI_SECRET_KEY}" \
+          --from-literal=OAUTH_CLIENT_SECRET="${OAUTH_CLIENT_SECRET}" \
+          --dry-run=client -o yaml | kubectl apply -f -
+      environment:
+        KUBECONFIG: "{{ noble_kubeconfig }}"
+        OPENAI_API_KEY: "{{ noble_open_webui_openai_api_key }}"
+        WEBUI_SECRET_KEY: "{{ noble_open_webui_webui_secret_key }}"
+        OAUTH_CLIENT_SECRET: "{{ noble_authentik_client_secret_open_webui }}"
+      no_log: true
+      when: noble_authentik_configure_idp | default(true) | bool
+      changed_when: true
+
    - name: Create oauth2-proxy credentials Secret (OIDC to Authentik; not BasicAuth)
      ansible.builtin.shell: |
        set -euo pipefail