apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: open-webui
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  project: default
  source:
    repoURL: 'https://helm.openwebui.com/'
    targetRevision: 9.*.*
    chart: open-webui
    helm:
      values: |
        serviceAccount:
          enable: false

        persistence:
          size: 200Gi
          storageClass: longhorn

        ollama:
          enabled: false
        
        extraEnvVars:
          - name: OAUTH_LOGOUT_REDIRECT_URL
            value: "https://innollm.innovation-hub-niedersachsen.de/"
          - name: ENABLE_OAUTH_LOGOUT
            value: "true"
          - name: WEBUI_SECRET_KEY
            value: "17e027e793724fcbf0400c91374d6960f1beec64b52939c4ee20c1b6faf859ad"

        ingress:
          enabled: true
          class: traefik
          host: "innollm.innovation-hub-niedersachsen.de"
          tls: true
          existingSecret: "innollm-tls"
          annotations:
            kubernetes.io/ingress.class: traefik
            traefik.ingress.kubernetes.io/router.tls: "true"
            cert-manager.io/cluster-issuer: lets-encrypt
        
        sso:
          enabled: true
          enableSignup: true
          mergeAccountsByEmail: false
          enableRoleManagement: false
          enableGroupManagement: false
          oidc:
            enabled: true
            clientId: "open-webui"
            clientSecret: "RFkQ5RDXv6KE4DiQsOq3BJejWFElu90G"
            providerUrl: "https://keycloak.innovation-hub-niedersachsen.de/realms/innohub/.well-known/openid-configuration"
            providerName: "Keycloak"

  destination:
    server: 'https://kubernetes.default.svc'
    namespace: open-webui
  syncPolicy:
    managedNamespaceMetadata:
      labels:
        pod-security.kubernetes.io/enforce: 'privileged'
    automated:
      selfHeal: true
      prune: true
    syncOptions:
      - CreateNamespace=true