feat(open-webui): deploy Open WebUI with litellm backend
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/kubeconform Pipeline was successful

Deploys Open WebUI (chat.k8s.syd1.au.unkin.net) into the open-webui
namespace via the aitooling ArgoCD project. Uses SQLite with a 10Gi
cephrbd PVC for persistence, routes model requests to the existing
litellm deployment, and exposes the UI through the traefik-external
gateway. Credentials (OPENAI_API_KEY, WEBUI_SECRET_KEY) are injected
via VaultStaticSecret from kv/kubernetes/namespace/open-webui/default.

Closes #155
2026-05-26 00:11:25 +10:00
parent d358098fff
commit 1bcb88d3dd
12 changed files with 247 additions and 0 deletions
+69
@@ -0,0 +1,69 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: open-webui
namespace: open-webui
spec:
replicas: 1
selector:
matchLabels:
app: open-webui
strategy:
type: Recreate
template:
metadata:
annotations:
reloader.stakater.com/auto: "true"
labels:
app: open-webui
spec:
containers:
- name: open-webui
image: ghcr.io/open-webui/open-webui:main
imagePullPolicy: Always
ports:
- containerPort: 8080
name: http
protocol: TCP
env:
- name: OPENAI_API_BASE_URL
value: http://litellm-pooler.litellm.svc.cluster.local:4000
- name: WEBUI_URL
value: https://chat.k8s.syd1.au.unkin.net
envFrom:
- secretRef:
name: open-webui-credentials
livenessProbe:
httpGet:
path: /health
port: 8080
failureThreshold: 3
initialDelaySeconds: 30
periodSeconds: 30
successThreshold: 1
timeoutSeconds: 5
readinessProbe:
httpGet:
path: /health
port: 8080
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
resources:
limits:
cpu: "2"
memory: 4Gi
requests:
cpu: 250m
memory: 512Mi
volumeMounts:
- mountPath: /app/backend/data
name: data
restartPolicy: Always
volumes:
- name: data
persistentVolumeClaim:
claimName: open-webui-data
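Review bot: The image is referenced by the moving tag `ghcr.io/open-webui/open-webui:main` with `imagePullPolicy: Always`, so every restart, including the ones Reloader triggers when the secret changes, runs whatever upstream last pushed, with no review and no way to reproduce the running version. Pin to a release tag plus digest and let a dependency bot propose the bumps. The pod spec also has no `securityContext` and automounts the token of the `default` service account, the same account the VaultAuth in this commit names; the fence shows the hardening I would add. I left `runAsNonRoot` out because I have not verified which user the upstream image runs as, and dropping all capabilities should be tested against the image's start-up script before merging.

```yaml
    spec:
      automountServiceAccountToken: false
      containers:
        - name: open-webui
          # placeholder values: substitute the reviewed release tag and its digest
          image: ghcr.io/open-webui/open-webui:<release-tag>@sha256:<digest>
          imagePullPolicy: IfNotPresent
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
          # … unchanged: ports, env, envFrom, probes, resources, volumeMounts …
```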
+37
@@ -0,0 +1,37 @@
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
labels:
traefik.io/instance: external
annotations:
cert-manager.io/cluster-issuer: vault-issuer
cert-manager.io/common-name: chat.k8s.syd1.au.unkin.net
cert-manager.io/private-key-size: "4096"
external-dns.alpha.kubernetes.io/hostname: chat.k8s.syd1.au.unkin.net
external-dns.alpha.kubernetes.io/target: 198.18.200.0
name: open-webui
namespace: open-webui
spec:
gatewayClassName: traefik-external
listeners:
- allowedRoutes:
namespaces:
from: Same
hostname: chat.k8s.syd1.au.unkin.net
name: http
port: 80
protocol: HTTP
- allowedRoutes:
namespaces:
from: Same
hostname: chat.k8s.syd1.au.unkin.net
name: https
port: 443
protocol: HTTPS
tls:
certificateRefs:
- group: ""
kind: Secret
name: open-webui-tls
mode: Terminate
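Review bot: Nothing visible in this commit restricts account sign-up, yet this Gateway publishes chat.k8s.syd1.au.unkin.net on the `traefik-external` class with an external-dns record. Open WebUI gives administrator rights to the first account that registers, so if this listener is reachable from networks you do not fully trust, the admin account should be created before the route goes live, or the UI should sit behind SSO. Once the admin exists, set `ENABLE_SIGNUP` to `"false"` in the Deployment env, or confirm that it already arrives through `open-webui-credentials`, whose keys are not shown here.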
+49
@@ -0,0 +1,49 @@
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: open-webui-http-redirect
namespace: open-webui
spec:
hostnames:
- chat.k8s.syd1.au.unkin.net
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: open-webui
sectionName: http
rules:
- filters:
- type: RequestRedirect
requestRedirect:
scheme: https
statusCode: 301
matches:
- path:
type: PathPrefix
value: /
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: open-webui
namespace: open-webui
spec:
hostnames:
- chat.k8s.syd1.au.unkin.net
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: open-webui
sectionName: https
rules:
- backendRefs:
- group: ""
kind: Service
name: open-webui
port: 8080
weight: 1
matches:
- path:
type: PathPrefix
value: /
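Review bot: The HTTPS route sends no `Strict-Transport-Security` header, so a browser's first request on each visit can still go to the port 80 listener in clear text before the 301 takes effect. Adding a `ResponseHeaderModifier` filter to the `open-webui` route's rule closes that gap for returning clients, provided the Traefik release behind `traefik-external` implements that filter. Start with a short `max-age` while the Vault-issued certificate chain is being rolled out to clients, then raise it.

```yaml
  rules:
    - backendRefs:
        # … unchanged: Service open-webui on port 8080 …
      filters:
        - type: ResponseHeaderModifier
          responseHeaderModifier:
            set:
              - name: Strict-Transport-Security
                value: max-age=31536000
      matches:
        # … unchanged: PathPrefix / …
```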
+13
@@ -0,0 +1,13 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- pvc.yaml
- deployment.yaml
- service.yaml
- gateway.yaml
- httproute.yaml
- vaultauth.yaml
- vaultstaticsecret.yaml
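Review bot: The resource list contains no NetworkPolicy, so unless a cluster-wide default applies, the open-webui pod accepts connections on 8080 from any namespace and may open connections to any destination. I would add `- networkpolicy.yaml` to `resources`. The policy should allow ingress only from the Traefik gateway pods. Egress should be limited to DNS, `litellm-pooler.litellm.svc.cluster.local` on port 4000, and whatever outbound access the enabled Open WebUI features actually need. That keeps a compromised chat front end from reaching other in-cluster services directly.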
+5
@@ -0,0 +1,5 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: open-webui
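Review bot: The Namespace carries no Pod Security Admission labels, so no policy level is enforced for pods created here unless the cluster sets a default elsewhere. Adding `labels:` with `pod-security.kubernetes.io/enforce: baseline` under `metadata` would reject privileged or host-namespace pods at admission. Adding `pod-security.kubernetes.io/warn: restricted` alongside it shows what still blocks a move to the stricter level.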
+13
@@ -0,0 +1,13 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: open-webui-data
namespace: open-webui
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 10Gi
storageClassName: cephrbd-fast-delete
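Review bot: The SQLite database with all accounts and chat history lives on this one claim, and the class name `cephrbd-fast-delete` suggests a Delete reclaim policy, although the StorageClass itself is not part of this commit. If that reading is right, removing the claim, for example by an ArgoCD prune after a path rename, destroys the data with no recovery path. Consider annotating the PVC with `argocd.argoproj.io/sync-options: Delete=false` and scheduling a backup of `/app/backend/data`.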
+17
@@ -0,0 +1,17 @@
---
apiVersion: v1
kind: Service
metadata:
name: open-webui
namespace: open-webui
spec:
internalTrafficPolicy: Cluster
ports:
- name: http
port: 8080
protocol: TCP
targetPort: http
selector:
app: open-webui
sessionAffinity: None
type: ClusterIP
+18
@@ -0,0 +1,18 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: default
namespace: open-webui
spec:
allowedNamespaces:
- open-webui
kubernetes:
audiences:
- vault
role: default
serviceAccount: default
tokenExpirationSeconds: 600
method: kubernetes
mount: k8s/au/syd1
vaultConnectionRef: vso-system/default
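Review bot: `serviceAccount: default` ties the Vault role to the namespace's default service account, which is also the identity the open-webui pod runs under, because the Deployment sets no `serviceAccountName`. Any workload later added to this namespace without an explicit account would share the identity that can read `kv/kubernetes/namespace/open-webui/default`. I would create a dedicated account used only by this VaultAuth, for example `serviceAccount: open-webui-vso`, and bind the Vault role to that name. The `audiences: [vault]` setting limits reuse of an ordinary pod token only if the Vault role also enforces the audience, which cannot be seen from here.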
@@ -0,0 +1,17 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: open-webui-credentials
namespace: open-webui
spec:
destination:
create: true
name: open-webui-credentials
overwrite: true
hmacSecretData: true
mount: kv
path: kubernetes/namespace/open-webui/default/open-webui-credentials
refreshAfter: 5m
type: kv-v2
vaultAuthRef: default
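Review bot: By default the operator also writes a `_raw` key holding the whole Vault response into the destination Secret, and the Deployment loads this Secret with `envFrom`, so that blob would become an environment variable next to the two intended keys. Under `destination`, add `transformation:` with `excludeRaw: true`, if the deployed operator version supports transformations. Independently of that, replacing `envFrom` in the Deployment with explicit `secretKeyRef` entries for `OPENAI_API_KEY` and `WEBUI_SECRET_KEY` would stop any key later added at this Vault path from silently becoming container configuration.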
@@ -0,0 +1,6 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../../base/open-webui
+1
@@ -11,6 +11,7 @@ spec:
revision: HEAD
directories:
- path: apps/overlays/*/litellm
- path: apps/overlays/*/open-webui
- path: apps/overlays/*/paperclip
template:
metadata:
+2
@@ -11,6 +11,8 @@ spec:
destinations:
- namespace: 'litellm'
server: https://kubernetes.default.svc
- namespace: 'open-webui'
server: https://kubernetes.default.svc
- namespace: 'paperclip'
server: https://kubernetes.default.svc
clusterResourceWhitelist: