diff --git a/argocd/apps/keycloak/values-keycloak.yaml b/argocd/apps/keycloak/values-keycloak.yaml
index ababc30..73d7706 100644
--- a/argocd/apps/keycloak/values-keycloak.yaml
+++ b/argocd/apps/keycloak/values-keycloak.yaml
@@ -1,17 +1,15 @@
-#apiVersion: cert-manager.io/v1
-#kind: Certificate
-#metadata:
-# name: keycloak-tls
-# namespace: kube-system
-#spec:
-# secretName: keycloak-tls
-# issuerRef:
-# name: lets-encrypt
-# kind: ClusterIssuer
-# dnsNames:
-# - keycloak.innovation-hub-niedersachsen.de
-#
-#---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: keycloak-headers
+ namespace: kube-system
+spec:
+ headers:
+ customRequestHeaders:
+ X-Forwarded-Proto: "https"
+ X-Forwarded-Port: "443"
+
+---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
@@ -23,6 +21,8 @@ spec:
 routes:
 - match: Host(`keycloak.innovation-hub-niedersachsen.de`)
 kind: Rule
+ middlewares:
+ - name: keycloak-headers
 services:
 - name: keycloak-external
 port: 8080
@@ -40,3 +40,19 @@ spec:
 externalName: keycloak.innohub.local
 ports:
 - port: 8080
+
+
+#---
+#apiVersion: cert-manager.io/v1
+#kind: Certificate
+#metadata:
+# name: keycloak-tls
+# namespace: kube-system
+#spec:
+# secretName: keycloak-tls
+# issuerRef:
+# name: lets-encrypt
+# kind: ClusterIssuer
+# dnsNames:
+# - keycloak.innovation-hub-niedersachsen.de
+#
diff --git a/argocd/apps/open-webui/openwebui.yaml b/argocd/apps/open-webui/openwebui.bak
similarity index 100%
rename from argocd/apps/open-webui/openwebui.yaml
rename to argocd/apps/open-webui/openwebui.bak
diff --git a/argocd/apps/open-webui/values-openwebui.yaml b/argocd/apps/open-webui/values-openwebui.yaml
new file mode 100644
index 0000000..11c3fd3
--- /dev/null
+++ b/argocd/apps/open-webui/values-openwebui.yaml
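Review bot: The `keycloak-headers` Middleware added in the first hunk of values-keycloak.yaml asserts `X-Forwarded-Proto: "https"` and `X-Forwarded-Port: "443"` unconditionally, whatever scheme the client actually used. That is only truthful while the IngressRoute that references it in the second hunk (`middlewares: - name: keycloak-headers`) is served on a TLS entry point alone; the route's `entryPoints` and `tls` settings lie outside the visible hunks, so this should be confirmed, because otherwise Keycloak would treat plaintext requests as secure. The backend hop to `keycloak.innohub.local` on port 8080 appears to be plain HTTP, so Keycloak should also accept forwarded headers only from Traefik and not from other clients that can reach that port. I would add a comment above the Middleware such as `# Forced because TLS terminates at Traefik; valid only while this route is bound to the TLS entry point` to record the assumption.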
@@ -0,0 +1,48 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: open-webui
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+ source:
+ repoURL: 'https://helm.openwebui.com/'
+ targetRevision: 8.*.*
+ chart: open-webui
+ helm:
+ values: |
+ serviceAccount:
+ enable: false
+
+ persistence:
+ size: 200Gi
+ existingClaim: "open-webui"
+ storageClass: longhorn
+
+ ollama:
+ enabled: false
+
+ ingress:
+ enabled: true
+ class: traefik
+ host: "innollm.innovation-hub-niedersachsen.de"
+ tls: true
+ existingSecret: "innollm-tls"
+ annotations:
+ kubernetes.io/ingress.class: traefik
+ traefik.ingress.kubernetes.io/router.tls: "true"
+ cert-manager.io/cluster-issuer: lets-encrypt
+
+ destination:
+ server: 'https://kubernetes.default.svc'
+ namespace: open-webui
+ syncPolicy:
+ managedNamespaceMetadata:
+ labels:
+ pod-security.kubernetes.io/enforce: 'privileged'
+ automated:
+ selfHeal: true
+ prune: true
+ syncOptions:
+ - CreateNamespace=true
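Review bot: The namespace label `pod-security.kubernetes.io/enforce: 'privileged'` under `managedNamespaceMetadata` applies the unrestricted Pod Security level to the whole open-webui namespace, so any pod created there may run privileged or mount host paths. Nothing in the Helm values shown asks for host access, so `pod-security.kubernetes.io/enforce: 'baseline'` (or `restricted`) looks like the safer starting point, relaxed only if a workload is shown to need it. Separately, `targetRevision: 8.*.*` combined with `automated` sync, `selfHeal` and `prune` means any new 8.x chart published on the Helm repository is rolled out without review; pinning an exact chart version and bumping it through commits keeps that change visible.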