From 830d124e4d3adeb25bfd96fda2ce3d58faa8708c Mon Sep 17 00:00:00 2001
From: Danny Avila
Date: Thu, 21 May 2026 00:54:57 -0400
Subject: [PATCH] =?UTF-8?q?=F0=9F=AA=AA=20fix:=20Add=20Admin=20Panel=20SSO?=
 =?UTF-8?q?=20URL=20Config=20(#13220)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* fix: Add admin panel URL Helm configuration
* fix: Clarify admin panel URL configuration
* fix: Avoid duplicate admin panel URL env
---
 .env.example | 8 ++++++++
 helm/librechat/Chart.yaml | 2 +-
 helm/librechat/readme.md | 20 +++++++++++++++++++-
 helm/librechat/templates/configmap-env.yaml | 18 +++++++++++++++---
 helm/librechat/values.yaml | 6 ++++++
 5 files changed, 49 insertions(+), 5 deletions(-)
diff --git a/.env.example b/.env.example
index 6d5195f016..a2e3de8bf1 100644
--- a/.env.example
+++ b/.env.example
@@ -33,6 +33,12 @@ MONGO_AUTO_CREATE=
 DOMAIN_CLIENT=http://localhost:3080
 DOMAIN_SERVER=http://localhost:3080
+# External admin panel base URL used for admin OAuth/SSO redirects.
+# Required when the admin panel is hosted separately from LibreChat.
+# May include a path. Do not include a trailing slash.
+# Example: https://admin.example.com/admin
+ADMIN_PANEL_URL=
+
 NO_INDEX=true
 # Use the address that is at most n number of hops away from the Express application.
 # req.socket.remoteAddress is the first hop, and the rest are looked for in the X-Forwarded-For header from right to left.
@@ -535,6 +541,8 @@ OPENID_ISSUER=
 OPENID_SESSION_SECRET=
 OPENID_SCOPE="openid profile email"
 OPENID_CALLBACK_URL=/oauth/openid/callback
+# Admin panel SSO uses ${DOMAIN_SERVER}/api/admin/oauth/openid/callback as the
+# OpenID provider redirect URI.
 OPENID_REQUIRED_ROLE=
 OPENID_REQUIRED_ROLE_TOKEN_KIND=
 OPENID_REQUIRED_ROLE_PARAMETER_PATH=
diff --git a/helm/librechat/Chart.yaml b/helm/librechat/Chart.yaml
index 92bee49252..3f5a156db7 100755
--- a/helm/librechat/Chart.yaml
+++ b/helm/librechat/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 2.0.3
+version: 2.0.4
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/helm/librechat/readme.md b/helm/librechat/readme.md
index b557825c3c..685c41e1e7 100755
--- a/helm/librechat/readme.md
+++ b/helm/librechat/readme.md
@@ -34,4 +34,22 @@ kind: Secret
 3. Apply the Secret to the Cluster
-4. Fill out values.yaml and apply the Chart to the Cluster
\ No newline at end of file
+4. Fill out values.yaml and apply the Chart to the Cluster
+
+## Admin Panel SSO
+
+When deploying the admin panel at a separate URL, set `librechat.adminPanelUrl`
+to the external admin panel base URL. It may include a path, but it should not
+end with a trailing `/` because LibreChat appends `/auth/...` callback paths.
+
+```yaml
+librechat:
+ adminPanelUrl: https://admin.example.com/admin
+```
+
+This renders `ADMIN_PANEL_URL` for LibreChat's admin OAuth flow. For OpenID SSO,
+also register this LibreChat callback URL with your identity provider:
+
+```text
+https:///api/admin/oauth/openid/callback
+```
diff --git a/helm/librechat/templates/configmap-env.yaml b/helm/librechat/templates/configmap-env.yaml
index ed5ac822da..5fd43940d2 100755
--- a/helm/librechat/templates/configmap-env.yaml
+++ b/helm/librechat/templates/configmap-env.yaml
@@ -3,6 +3,9 @@ apiVersion: v1
 metadata:
 name: {{ include "librechat.fullname" $ }}-configenv
 data:
+ {{- $configEnv := default dict .Values.librechat.configEnv }}
+ {{- $adminPanelUrl := .Values.librechat.adminPanelUrl }}
+ {{- $configAdminPanelUrl := dig "configEnv" "ADMIN_PANEL_URL" "" .Values.librechat }}
 {{- if (index .Values "librechat-rag-api" "enabled") }}
 RAG_API_URL: http://{{ include "rag.fullname" (index .Subcharts "librechat-rag-api") | lower }}.{{ .Release.Namespace | lower }}.svc.cluster.local:8000
 {{- end }}
@@ -18,6 +21,15 @@ data:
 {{- if and (not (dig "configEnv" "REDIS_URI" "" .Values.librechat)) .Values.redis.enabled }}
 REDIS_URI: redis://{{ include "common.names.fullname" .Subcharts.redis }}-master.{{ .Release.Namespace | lower }}.svc.cluster.local:6379
 {{- end }}
- {{- if .Values.librechat.configEnv }}
- {{- toYaml .Values.librechat.configEnv | nindent 2 }}
- {{- end }}
\ No newline at end of file
+ {{- if and $adminPanelUrl (not $configAdminPanelUrl) }}
+ ADMIN_PANEL_URL: {{ $adminPanelUrl | quote }}
+ {{- end }}
+ {{- if $configEnv }}
+ {{- $renderedConfigEnv := $configEnv }}
+ {{- if and $adminPanelUrl (hasKey $configEnv "ADMIN_PANEL_URL") (not $configAdminPanelUrl) }}
+ {{- $renderedConfigEnv = omit $configEnv "ADMIN_PANEL_URL" }}
+ {{- end }}
+ {{- if $renderedConfigEnv }}
+ {{- toYaml $renderedConfigEnv | nindent 2 }}
+ {{- end }}
+ {{- end }}
diff --git a/helm/librechat/values.yaml b/helm/librechat/values.yaml
index 25b61e82d7..e5321c2a93 100755
--- a/helm/librechat/values.yaml
+++ b/helm/librechat/values.yaml
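Review bot: The added `$configAdminPanelUrl` line reads the key through `dig "configEnv" "ADMIN_PANEL_URL" "" .Values.librechat`, although the line above it has already normalised the same map into `$configEnv` with `default dict`. The two reads can disagree when an override sets `librechat.configEnv` to null: the `default dict` line tolerates that, while `dig` expects a map at each step and will probably fail the render (worth confirming with `helm template`). Reading from the normalised map keeps them consistent: `{{- $configAdminPanelUrl := get $configEnv "ADMIN_PANEL_URL" }}`. The existing `REDIS_URI` check in the second hunk uses the same `dig` pattern and is not changed by this commit.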
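Review bot: The line `ADMIN_PANEL_URL: {{ $adminPanelUrl | quote }}` emits the value verbatim, so the "no trailing slash" rule stated in the readme and values comments is left entirely to the operator. Because this value is the base for admin OAuth/SSO redirects, a stray `/` or a typo only surfaces at runtime as a broken or misdirected login redirect; normalising at render time is cheap: `ADMIN_PANEL_URL: {{ $adminPanelUrl | trimSuffix "/" | quote }}`. A value supplied through `configEnv.ADMIN_PANEL_URL` bypasses this line and goes out through `toYaml` unchanged, so it needs the same care. If the application does not validate the URL itself (not visible in this patch), a `fail` for values that do not start with `http://` or `https://` would catch mistakes before deployment.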
@@ -33,6 +33,12 @@ global:
 # key: client_id
 librechat:
+ # External admin panel base URL used for admin OAuth/SSO redirects.
+ # Required when deploying the admin panel on a separate URL.
+ # May include a path. Do not include a trailing slash.
+ # Example: https://admin.example.com/admin
+ adminPanelUrl: ""
+
 configEnv:
 # IMPORTANT -- GENERATE your own: openssl rand -hex 32 and openssl rand -hex 16 for CREDS_IV. Best Practise: Put into Secret. See global.librechat.existingSecretName
 CREDS_KEY: 9e95d9894da7e68dd69c0046caf5343c8b1e80c89609b5a1e40e6568b5b23ce6
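Review bot: The comment block on `adminPanelUrl` does not say how the key interacts with `librechat.configEnv.ADMIN_PANEL_URL`. Per the configmap template in this same commit, a non-empty `configEnv.ADMIN_PANEL_URL` wins and `adminPanelUrl` is then ignored without any warning, which is easy to miss when two overrides are layered. I would add `# Ignored when configEnv.ADMIN_PANEL_URL is set to a non-empty value.` and, since this URL is where admin SSO redirects land, `# Use an https:// URL outside local development.` The `librechat:` mapping continues past the end of this hunk.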