# Open WebUI — https://github.com/open-webui/helm-charts (chart **open-webui**).
# Ingress: Traefik + cert-manager (same pattern as **`clusters/noble/apps/homepage/values.yaml`**).
#
# **Secrets** (**`OPENAI_API_KEY`**, **`WEBUI_SECRET_KEY`**, **`OAUTH_CLIENT_SECRET`**) are created in-cluster by
# **`ansible-playbook … --tags authentik`** as **`open-webui/open-webui-secrets`** (see **noble_authentik** role and **`.env.sample`**).
# **OIDC** uses Authentik provider slug **`open-webui`** (issuer **`…/application/o/open-webui/`**). Do **not** put ForwardAuth on this Ingress while using native OIDC (same pattern as Headlamp).
# **Public host only** (Pangolin → Newt → Traefik): keep **ingress.host**, **OPENID_PROVIDER_URL**, **OPENID_REDIRECT_URI**, and **WEBUI_URL** in sync with **`noble_open_webui_public_host`** in Ansible **group_vars** (see **noble_authentik** README).
#
ollama:
  enabled: false

pipelines:
  enabled: false

ollamaUrls: []

ingress:
  enabled: true
  class: traefik
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
  host: webui.nikflix.ca
  additionalHosts: []
  tls: true
  existingSecret: ""

enableOpenaiApi: true
openaiBaseApiUrl: "https://api.openai.com/v1"
openaiApiKey: ""
openaiApiKeyExistingSecret: open-webui-secrets
openaiApiKeyExistingSecretKey: OPENAI_API_KEY

extraEnvVars:
  - name: ENABLE_OAUTH_SIGNUP
    value: "true"
  - name: OAUTH_MERGE_ACCOUNTS_BY_EMAIL
    value: "true"
  - name: OAUTH_PROVIDER_NAME
    value: "Authentik"
  - name: OAUTH_CLIENT_ID
    value: "open-webui"
  - name: OPENID_PROVIDER_URL
    value: "https://auth.nikflix.ca/application/o/open-webui/.well-known/openid-configuration"
  - name: OAUTH_SCOPES
    value: "openid email profile offline_access"
  - name: OPENID_REDIRECT_URI
    value: "https://webui.nikflix.ca/oauth/oidc/callback"
  - name: WEBUI_URL
    value: "https://webui.nikflix.ca"
  - name: ENABLE_OAUTH_PERSISTENT_CONFIG
    value: "false"
  - name: WEBUI_SECRET_KEY
    valueFrom:
      secretKeyRef:
        name: open-webui-secrets
        key: WEBUI_SECRET_KEY
  - name: OAUTH_CLIENT_SECRET
    valueFrom:
      secretKeyRef:
        name: open-webui-secrets
        key: OAUTH_CLIENT_SECRET

persistence:
  enabled: true
  size: 5Gi