apiVersion: apps/v1
kind: Deployment
metadata:
  name: open-webui
spec:
  replicas: 1
  selector:
    matchLabels:
      component: web
  template:
    metadata:
      labels:
        component: web
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
        seccompProfile:
          type: RuntimeDefault
      containers:
      - name: open-webui
        image: {{ .apps.openWebui.image }}
        imagePullPolicy: IfNotPresent
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: false
        ports:
        - name: http
          containerPort: {{ .apps.openWebui.port }}
        env:
        - name: WEBUI_AUTH
          value: "{{ .apps.openWebui.enableAuth }}"
        - name: ENABLE_SIGNUP
          value: "{{ .apps.openWebui.enableSignup }}"
        - name: OPENAI_API_BASE_URL
          value: "{{ .apps.openWebui.vllmApiUrl }}"
        - name: OPENAI_API_KEY
          value: "sk-placeholder"  # Required but not used with vLLM
        - name: WEBUI_SECRET_KEY
          valueFrom:
            secretKeyRef:
              name: open-webui-secrets
              key: apps.openWebui.secretKey
        volumeMounts:
        - name: data
          mountPath: /app/backend/data
        resources:
          requests:
            cpu: 100m
            memory: 512Mi
          limits:
            cpu: 1
            memory: 2Gi
        readinessProbe:
          httpGet:
            path: /
            port: http
          initialDelaySeconds: 30
          periodSeconds: 10
          timeoutSeconds: 5
        livenessProbe:
          httpGet:
            path: /
            port: http
          initialDelaySeconds: 60
          periodSeconds: 30
          timeoutSeconds: 5
      volumes:
      - name: data
        persistentVolumeClaim:
          claimName: open-webui-data