feat(open-webui): deploy Open WebUI with litellm backend #172

Open
unkinben wants to merge 4 commits from issue-155-open-webui-litellm into main
Owner

Closes #155

Summary

  • Adds apps/base/open-webui/ kustomize base with Namespace, Deployment, Service, PVC, Gateway, HTTPRoute, VaultAuth, and VaultStaticSecret manifests
  • Uses SQLite with a 10Gi cephrbd-fast-delete PVC for persistent chat history — avoids the CNPG overhead since Open WebUI requires sticky sessions and single-replica is appropriate
  • Routes model requests to the existing litellm deployment via http://litellm-pooler.litellm.svc.cluster.local:4000 using OPENAI_API_BASE_URL
  • Exposes the UI at chat.k8s.syd1.au.unkin.net through the traefik-external gateway with TLS terminated by cert-manager (vault-issuer)
  • Credentials (OPENAI_API_KEY, WEBUI_SECRET_KEY, and any OAuth keys) injected via VaultStaticSecret from kv/kubernetes/namespace/open-webui/default/open-webui-credentials
  • Adds apps/overlays/au-syd1/open-webui/kustomization.yaml pointing at the base
  • Adds apps/overlays/*/open-webui path to the aitooling-apps ApplicationSet generator
  • Adds open-webui namespace to the aitooling AppProject destinations

Pre-deploy checklist

  • Create Vault secret at kv/kubernetes/namespace/open-webui/default/open-webui-credentials with keys: OPENAI_API_KEY (litellm master key), WEBUI_SECRET_KEY (random 32-char string)
  • Optionally add OAUTH_CLIENT_ID, OAUTH_CLIENT_SECRET, OPENID_PROVIDER_URL to the same secret for Kanidm SSO
  • Add ghcr.io/open-webui/open-webui to apps/base/artifactapi/resources/conf.d/remote-docker.yaml in a separate PR (as noted in the issue)

Test plan

  • ArgoCD syncs aitooling-open-webui application successfully
  • Pod reaches Running state and passes health checks at /health
  • https://chat.k8s.syd1.au.unkin.net loads the Open WebUI interface
  • HTTP → HTTPS redirect works
  • Models listed in the UI come from litellm
  • Data persists across pod restarts (SQLite on PVC)
unkinben added 1 commit 2026-05-26 00:11:55 +10:00
feat(open-webui): deploy Open WebUI with litellm backend
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/kubeconform Pipeline was successful
1bcb88d3dd
Deploys Open WebUI (chat.k8s.syd1.au.unkin.net) into the open-webui
namespace via the aitooling ArgoCD project. Uses SQLite with a 10Gi
cephrbd PVC for persistence, routes model requests to the existing
litellm deployment, and exposes the UI through the traefik-external
gateway. Credentials (OPENAI_API_KEY, WEBUI_SECRET_KEY) are injected
via VaultStaticSecret from kv/kubernetes/namespace/open-webui/default.

Closes #155
unkinben added 1 commit 2026-05-26 23:25:39 +10:00
fix(open-webui): use litellm external hostname as OPENAI_API_BASE_URL
ci/woodpecker/pr/pre-commit Pipeline was canceled
ci/woodpecker/pr/kubeconform Pipeline was canceled
16dabbbf8d
unkinben added 1 commit 2026-05-26 23:26:03 +10:00
fix(open-webui): use traefik-internal gateway for chat hostname
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/kubeconform Pipeline was successful
85a8cfe47d
unkinben added 1 commit 2026-05-26 23:37:16 +10:00
feat(open-webui): HA deployment with CNPG, PDB, and session persistence
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/kubeconform Pipeline failed
3d85105afd
- Switch from SQLite/PVC to CNPG PostgreSQL (3 instances, low-resource)
  with a transaction-mode PgBouncer pooler (2 instances)
- Raise open-webui replicas to 3 with priorityClassName: power
- Add PodDisruptionBudget (minAvailable: 1)
- Add Gateway API sessionPersistence (cookie) on the HTTPS HTTPRoute
  so WebSocket connections stick to the same backend pod
- Add postgres-credentials VaultStaticSecret; DATABASE_URL must be
  added to kv/kubernetes/namespace/open-webui/default/open-webui-credentials
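
An added example, not part of this PR or the repository: a pre-sync check of the key/value pairs stored at the `open-webui-credentials` path, using the key names from the pre-deploy checklist and the `DATABASE_URL` requirement in the commit above. The function names are hypothetical, and two rules are assumptions of this example: the optional OAuth keys are treated as an all-or-none set, and `DATABASE_URL` is expected to use a PostgreSQL scheme.

```python
import secrets
import string
from urllib.parse import urlsplit

# Key names come from the PR checklist and the last commit message.
REQUIRED = ("OPENAI_API_KEY", "WEBUI_SECRET_KEY", "DATABASE_URL")
# Assumption: the optional Kanidm SSO keys only make sense as a complete set.
OAUTH_GROUP = ("OAUTH_CLIENT_ID", "OAUTH_CLIENT_SECRET", "OPENID_PROVIDER_URL")
SECRET_KEY_LEN = 32  # "random 32-char string" in the checklist


def new_webui_secret_key(length=SECRET_KEY_LEN):
    """Draw an alphanumeric key from the OS CSPRNG (not random.choice)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def check_credentials(data):
    """Return problems by key name only; secret values are never echoed."""
    problems = []
    for key in REQUIRED:
        if not str(data.get(key) or "").strip():
            problems.append(f"{key}: missing or empty")
    for key, value in data.items():
        # Pasted values often carry a trailing newline that breaks auth.
        if isinstance(value, str) and value != value.strip():
            problems.append(f"{key}: leading or trailing whitespace")
    secret = str(data.get("WEBUI_SECRET_KEY") or "").strip()
    if secret and len(secret) != SECRET_KEY_LEN:
        problems.append(f"WEBUI_SECRET_KEY: expected {SECRET_KEY_LEN} characters")
    db_url = str(data.get("DATABASE_URL") or "").strip()
    # Assumption: the CNPG pooler is reached with a PostgreSQL URL scheme.
    if db_url and urlsplit(db_url).scheme not in ("postgresql", "postgres"):
        problems.append("DATABASE_URL: not a PostgreSQL URL")
    present = [k for k in OAUTH_GROUP if str(data.get(k) or "").strip()]
    if present and len(present) != len(OAUTH_GROUP):
        missing = sorted(set(OAUTH_GROUP) - set(present))
        problems.append("OAuth keys incomplete, missing: " + ", ".join(missing))
    return problems


# Constructed sample: placeholder values, not real credentials.
SAMPLE = {
    "OPENAI_API_KEY": "sk-constructed-placeholder\n",
    "WEBUI_SECRET_KEY": "changeme",
    "DATABASE_URL": "sqlite:///data/webui.db",
    "OAUTH_CLIENT_ID": "open-webui",
}

if __name__ == "__main__":
    for problem in check_credentials(SAMPLE):
        print(problem)
```
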
Some required checks failed
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/kubeconform Pipeline failed
Reference: unkin/argocd-apps#172