github-starred/open-webui
2
0
Fork 0
mirror of https://github.com/open-webui/open-webui.git synced 2026-05-06 02:48:13 -05:00
Code Issues 1.1k Packages Projects Releases 126 Wiki Activity

[PR #23010] [CLOSED] feat: enable Terminals K8s Orchestrator policy management in Open WebUI #26972

New Issue
Closed
opened 2026-04-20 06:47:47 -05:00 by GiteaMirror · 0 comments
GiteaMirror commented 2026-04-20 06:47:47 -05:00
Owner
Copy Link

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/23010
Author: @westbrook-ai
Created: 3/25/2026
Status: Closed

Base: mainHead: feat-terminals-operator-ui-integration

📝 Commits (10+)

📊 Changes

362 files changed (+33568 additions, -31649 deletions)

View changed files

.github/workflows/ruff.yml (+49 -0)
.pre-commit-config.yaml (+8 -0)
📝 Dockerfile (+11 -10)
📝 backend/open_webui/__init__.py (+29 -35)
📝 backend/open_webui/config.py (+1483 -1793)
📝 backend/open_webui/constants.py (+60 -78)
📝 backend/open_webui/env.py (+292 -424)
📝 backend/open_webui/functions.py (+85 -95)
📝 backend/open_webui/internal/db.py (+20 -30)
📝 backend/open_webui/internal/migrations/001_initial_schema.py (+24 -24)
📝 backend/open_webui/internal/migrations/002_add_local_sharing.py (+2 -4)
📝 backend/open_webui/internal/migrations/003_add_auth_api_key.py (+2 -4)
📝 backend/open_webui/internal/migrations/004_add_archived.py (+2 -2)
📝 backend/open_webui/internal/migrations/005_add_updated_at.py (+16 -20)
📝 backend/open_webui/internal/migrations/006_migrate_timestamps_and_charfields.py (+20 -20)
📝 backend/open_webui/internal/migrations/007_add_user_last_active_at.py (+6 -6)
📝 backend/open_webui/internal/migrations/008_add_memory.py (+2 -2)
📝 backend/open_webui/internal/migrations/009_add_models.py (+2 -2)
📝 backend/open_webui/internal/migrations/010_migrate_modelfiles_to_models.py (+24 -24)
📝 backend/open_webui/internal/migrations/011_add_user_settings.py (+2 -2)

...and 80 more files

📄 Description

Pull Request Checklist

Before submitting, make sure you've checked the following:

  • Target branch: Verify that the pull request targets the dev branch. PRs targeting main will be immediately closed.
  • Description: Provide a concise description of the changes made in this pull request down below.
  • Changelog: Ensure a changelog entry following the format of Keep a Changelog is added at the bottom of the PR description.
  • Documentation: Add docs in Open WebUI Docs Repository. Document user-facing behavior, environment variables, public APIs/interfaces, or deployment steps.
  • Dependencies: Are there any new or upgraded dependencies? If so, explain why, update the changelog/docs, and include any compatibility notes. Actually run the code/function that uses updated library to ensure it doesn't crash.
  • Testing: Perform manual tests to verify the implemented fix/feature works as intended AND does not break any other functionality. Include reproducible steps to demonstrate the issue before the fix. Test edge cases (URL encoding, HTML entities, types). Take this as an opportunity to make screenshots of the feature/fix and include them in the PR description.
  • Agentic AI Code: Confirm this Pull Request is not written by any AI Agent or has at least gone through additional human review AND manual testing. If any AI Agent is the co-author of this PR, it may lead to immediate closure of the PR.
  • Code review: Have you performed a self-review of your code, addressing any coding standard issues and ensuring adherence to the project's coding standards?
  • Design & Architecture: Prefer smart defaults over adding new settings; use local state for ephemeral UI logic. Open a Discussion for major architectural or UX changes.
  • Git Hygiene: Keep PRs atomic (one logical change). Clean up commits and rebase on dev to ensure no unrelated commits (e.g. from main) are included. Push updates to the existing PR branch instead of closing and reopening.
  • Title Prefix: To clearly categorize this pull request, prefix the pull request title using one of the following:
    • feat: Introduces a new feature or enhancement to the codebase

Changelog Entry

Description

Adds admin-facing UI and backend proxy routes for managing Terminals Kubernetes Operator policies, monitoring active terminal instances, and inspecting server configuration, all from within Admin Settings → Integrations → Open Terminal.

When a terminal server connection is detected as an orchestrator type, the Open Terminal section gains three tabs: Connections (existing), Policies (new), and Active Terminals (new). Plain terminal server setups are unaffected — the tabs only appear when an orchestrator connection is present.

This is the Open WebUI-side companion to a Terminals repo PR that adds the instance listing and server info API endpoints consumed here. That PR is found here: https://github.com/open-webui/terminals/pull/6

Why this matters: The Terminals orchestrator provisions isolated terminal instances per user based on policies (named resource templates). Until now, policies could only be managed via direct API calls, admins had no visibility into running instances, and the connection modal had no way to select from existing policies. This PR solves all three.

Added

  • Admin-only proxy routes in terminals.py for policy CRUD, instance listing/teardown, and server info, forwarding requests to the in-cluster orchestrator so its API key never reaches the browser
  • Server type detection endpoint (POST /terminal_servers/verify) that probes a terminal server and identifies it as orchestrator or terminal
  • Direct policy creation endpoint (POST /terminal_servers/policy) for use during initial connection setup before a server ID exists
  • User name enrichment on the instance list — resolves user IDs to display names from the Open WebUI users table
  • TypeScript API client types and functions (PolicyData, PolicyResponse, TerminalInstance, TerminalServerInfo) with corresponding fetch helpers
  • PolicyEditor.svelte — modal for creating/editing policies (image, CPU, memory, storage, storage mode, idle timeout, environment variables)
  • Policies.svelte — policy list with server selector, search, create/edit/clone/delete actions
  • Instances.svelte — active terminal instance table with status badges, auto-refresh, relative timestamps, and delete action with confirmation
  • Tabbed interface in Terminals.svelte (Connections / Policies / Active Terminals) that appears when an orchestrator connection is detected
  • Automatic server_type detection on mount — connections without a stored type are probed and the result is persisted

Changed

  • AddTerminalServerModal.svelte — replaced inline policy fields with a policy selector dropdown; adds New/Edit buttons to manage policies in-place; stores policy_id on the connection instead of policy_data
  • Terminals.svelte — accepts an admin prop so it can be embedded in both admin and user settings pages
  • Connection.svelte — passes admin prop through to AddTerminalServerModal
  • Admin Integrations.svelte — replaced inline terminal HTML with the shared <Terminals admin> component so admin and user settings use the same tabbed UI

Deprecated

  • N/A

Removed

  • Inline policy editing fields from AddTerminalServerModal (replaced by policy selector + PolicyEditor)

Fixed

  • N/A

Security

  • All admin proxy routes require get_admin_user — regular users cannot access policy or instance management
  • Orchestrator API keys remain server-side; proxied through Open WebUI backend, never sent to the browser

Breaking Changes

  • N/A — existing plain terminal server connections continue to work unchanged. The new tabs only appear when an orchestrator-type connection is detected.

Additional Information

  • Companion PR (Terminals repo): Adds /api/v1/instances, /api/v1/instances/{id}, and /api/v1/info endpoints that this PR's proxy routes and frontend consume. The policy CRUD endpoints (/api/v1/policies/*) already exist in the Terminals main branch.
  • Multi-tenant pattern: Multiple connections can point at the same orchestrator URL with different policy_id values, each granted to a different user group via Open WebUI's existing group-based access control. This enables per-group terminal configurations (e.g., Developers → lightweight Python image, Data Scientists → GPU-capable image with 16 GB RAM).
  • No new dependencies.

Testing

Tested end-to-end on a local kind cluster with the Terminals orchestrator, Kopf operator, and Open WebUI.

Automated E2E tests:

  • Policy CRUD — create, read, update, list, delete via proxy routes
  • Instance listing — instances appear with correct user/policy/status
  • Instance teardown — DELETE removes the Terminal CR
  • Server info — backend type, resource caps, version
  • Auth — 401 for unauthenticated, 403 for non-admin

Manual multi-user testing:

User Group Connection Policy
Alice Developers Dev Terminal test-python
Bob Data Scientists Data Terminal data-science-v2
  • Alice sees only Dev Terminal, provisions with test-python policy
  • Bob sees only Data Terminal, provisions with data-science-v2 policy
  • Cross-access denied (Alice→Data Terminal returns 403)
  • Admin sees all connections, policies, and instances across tabs

Screenshots or Videos

New tabs for Open Terminal when Orchestrator is detected:
image

Policies tab with hover actions shown on top policy:
image

Active Terminals tab:
image

Delete Terminal confirmation window:
image

Contributor License Agreement

Note

Deleting the CLA section will lead to immediate closure of your PR and it will not be merged in.

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/open-webui/open-webui/pull/23010 **Author:** [@westbrook-ai](https://github.com/westbrook-ai) **Created:** 3/25/2026 **Status:** ❌ Closed **Base:** `main` ← **Head:** `feat-terminals-operator-ui-integration` --- ### 📝 Commits (10+) - [`83fad5e`](https://github.com/open-webui/open-webui/commit/83fad5e9f7e83aab396193e48ccb202b01f062bc) refac - [`8970923`](https://github.com/open-webui/open-webui/commit/8970923940745a5912967ac490db7ef3242ba3ad) refac - [`86cce2c`](https://github.com/open-webui/open-webui/commit/86cce2cd88cb5dae27b8d5f6237a0831ba1d7cca) Update fi-FI translation.json (#22542) - [`418bd05`](https://github.com/open-webui/open-webui/commit/418bd05ae0db2470b67e3823540767fe844d5a68) refac: refined shimmer effect (#22516) - [`a407a7f`](https://github.com/open-webui/open-webui/commit/a407a7f1c0730f99a756dc2207f9e3c7592ad0ce) Updated pt-PT Translation (#22587) - [`06657b8`](https://github.com/open-webui/open-webui/commit/06657b81097b17d101699c75089ec2fde004ae87) fix: handle non-dict history/messages in chat_message migration (#22588) - [`f1c1004`](https://github.com/open-webui/open-webui/commit/f1c100422566c96397d073bd9e63e38b3aec69b9) fix: ddgs - [`a87f015`](https://github.com/open-webui/open-webui/commit/a87f0152464df8c6cf0f4d2b76cd26b1897a03f9) i18n: Update Catalan translation.json (#22570) - [`0a87c1e`](https://github.com/open-webui/open-webui/commit/0a87c1ecd078320a08c4cc62d41fe8727fb3b5f7) refac - [`b312318`](https://github.com/open-webui/open-webui/commit/b312318a99064b12be7de6ed5c1a081b9f62a999) refac: rm mariadb dep ### 📊 Changes **362 files changed** (+33568 additions, -31649 deletions) <details> <summary>View changed files</summary> ➕ `.github/workflows/ruff.yml` (+49 -0) ➕ `.pre-commit-config.yaml` (+8 -0) 📝 `Dockerfile` (+11 -10) 📝 `backend/open_webui/__init__.py` (+29 -35) 📝 `backend/open_webui/config.py` (+1483 -1793) 📝 `backend/open_webui/constants.py` (+60 -78) 📝 `backend/open_webui/env.py` (+292 -424) 📝 `backend/open_webui/functions.py` (+85 -95) 📝 `backend/open_webui/internal/db.py` (+20 -30) 📝 `backend/open_webui/internal/migrations/001_initial_schema.py` (+24 -24) 📝 `backend/open_webui/internal/migrations/002_add_local_sharing.py` (+2 -4) 📝 `backend/open_webui/internal/migrations/003_add_auth_api_key.py` (+2 -4) 📝 `backend/open_webui/internal/migrations/004_add_archived.py` (+2 -2) 📝 `backend/open_webui/internal/migrations/005_add_updated_at.py` (+16 -20) 📝 `backend/open_webui/internal/migrations/006_migrate_timestamps_and_charfields.py` (+20 -20) 📝 `backend/open_webui/internal/migrations/007_add_user_last_active_at.py` (+6 -6) 📝 `backend/open_webui/internal/migrations/008_add_memory.py` (+2 -2) 📝 `backend/open_webui/internal/migrations/009_add_models.py` (+2 -2) 📝 `backend/open_webui/internal/migrations/010_migrate_modelfiles_to_models.py` (+24 -24) 📝 `backend/open_webui/internal/migrations/011_add_user_settings.py` (+2 -2) _...and 80 more files_ </details> ### 📄 Description # Pull Request Checklist **Before submitting, make sure you've checked the following:** - [x] **Target branch:** Verify that the pull request targets the `dev` branch. **PRs targeting `main` will be immediately closed.** - [x] **Description:** Provide a concise description of the changes made in this pull request down below. - [x] **Changelog:** Ensure a changelog entry following the format of [Keep a Changelog](https://keepachangelog.com/) is added at the bottom of the PR description. - [ ] **Documentation:** Add docs in [Open WebUI Docs Repository](https://github.com/open-webui/docs). Document user-facing behavior, environment variables, public APIs/interfaces, or deployment steps. - [ ] **Dependencies:** Are there any new or upgraded dependencies? If so, explain why, update the changelog/docs, and include any compatibility notes. Actually run the code/function that uses updated library to ensure it doesn't crash. - [x] **Testing:** Perform manual tests to **verify the implemented fix/feature works as intended AND does not break any other functionality**. Include reproducible steps to demonstrate the issue before the fix. Test edge cases (URL encoding, HTML entities, types). Take this as an opportunity to **make screenshots of the feature/fix and include them in the PR description**. - [x] **Agentic AI Code:** Confirm this Pull Request is **not written by any AI Agent** or has at least **gone through additional human review AND manual testing**. If any AI Agent is the co-author of this PR, it may lead to immediate closure of the PR. - [x] **Code review:** Have you performed a self-review of your code, addressing any coding standard issues and ensuring adherence to the project's coding standards? - [x] **Design & Architecture:** Prefer smart defaults over adding new settings; use local state for ephemeral UI logic. Open a Discussion for major architectural or UX changes. - [x] **Git Hygiene:** Keep PRs atomic (one logical change). Clean up commits and rebase on `dev` to ensure no unrelated commits (e.g. from `main`) are included. Push updates to the existing PR branch instead of closing and reopening. - [x] **Title Prefix:** To clearly categorize this pull request, prefix the pull request title using one of the following: - **feat**: Introduces a new feature or enhancement to the codebase # Changelog Entry ### Description Adds admin-facing UI and backend proxy routes for managing Terminals Kubernetes Operator policies, monitoring active terminal instances, and inspecting server configuration, all from within Admin Settings → Integrations → Open Terminal. When a terminal server connection is detected as an orchestrator type, the Open Terminal section gains three tabs: **Connections** (existing), **Policies** (new), and **Active Terminals** (new). Plain terminal server setups are unaffected — the tabs only appear when an orchestrator connection is present. This is the Open WebUI-side companion to a Terminals repo PR that adds the instance listing and server info API endpoints consumed here. That PR is found here: https://github.com/open-webui/terminals/pull/6 **Why this matters:** The Terminals orchestrator provisions isolated terminal instances per user based on policies (named resource templates). Until now, policies could only be managed via direct API calls, admins had no visibility into running instances, and the connection modal had no way to select from existing policies. This PR solves all three. ### Added - Admin-only proxy routes in `terminals.py` for policy CRUD, instance listing/teardown, and server info, forwarding requests to the in-cluster orchestrator so its API key never reaches the browser - Server type detection endpoint (`POST /terminal_servers/verify`) that probes a terminal server and identifies it as `orchestrator` or `terminal` - Direct policy creation endpoint (`POST /terminal_servers/policy`) for use during initial connection setup before a server ID exists - User name enrichment on the instance list — resolves user IDs to display names from the Open WebUI users table - TypeScript API client types and functions (`PolicyData`, `PolicyResponse`, `TerminalInstance`, `TerminalServerInfo`) with corresponding fetch helpers - `PolicyEditor.svelte` — modal for creating/editing policies (image, CPU, memory, storage, storage mode, idle timeout, environment variables) - `Policies.svelte` — policy list with server selector, search, create/edit/clone/delete actions - `Instances.svelte` — active terminal instance table with status badges, auto-refresh, relative timestamps, and delete action with confirmation - Tabbed interface in `Terminals.svelte` (Connections / Policies / Active Terminals) that appears when an orchestrator connection is detected - Automatic `server_type` detection on mount — connections without a stored type are probed and the result is persisted ### Changed - `AddTerminalServerModal.svelte` — replaced inline policy fields with a policy selector dropdown; adds New/Edit buttons to manage policies in-place; stores `policy_id` on the connection instead of `policy_data` - `Terminals.svelte` — accepts an `admin` prop so it can be embedded in both admin and user settings pages - `Connection.svelte` — passes `admin` prop through to `AddTerminalServerModal` - Admin `Integrations.svelte` — replaced inline terminal HTML with the shared `<Terminals admin>` component so admin and user settings use the same tabbed UI ### Deprecated - N/A ### Removed - Inline policy editing fields from `AddTerminalServerModal` (replaced by policy selector + PolicyEditor) ### Fixed - N/A ### Security - All admin proxy routes require `get_admin_user` — regular users cannot access policy or instance management - Orchestrator API keys remain server-side; proxied through Open WebUI backend, never sent to the browser ### Breaking Changes - N/A — existing plain terminal server connections continue to work unchanged. The new tabs only appear when an orchestrator-type connection is detected. --- ### Additional Information - **Companion PR (Terminals repo):** Adds `/api/v1/instances`, `/api/v1/instances/{id}`, and `/api/v1/info` endpoints that this PR's proxy routes and frontend consume. The policy CRUD endpoints (`/api/v1/policies/*`) already exist in the Terminals main branch. - **Multi-tenant pattern:** Multiple connections can point at the same orchestrator URL with different `policy_id` values, each granted to a different user group via Open WebUI's existing group-based access control. This enables per-group terminal configurations (e.g., Developers → lightweight Python image, Data Scientists → GPU-capable image with 16 GB RAM). - **No new dependencies.** ### Testing Tested end-to-end on a local `kind` cluster with the Terminals orchestrator, Kopf operator, and Open WebUI. **Automated E2E tests:** - Policy CRUD — create, read, update, list, delete via proxy routes - Instance listing — instances appear with correct user/policy/status - Instance teardown — DELETE removes the Terminal CR - Server info — backend type, resource caps, version - Auth — 401 for unauthenticated, 403 for non-admin **Manual multi-user testing:** | User | Group | Connection | Policy | |---|---|---|---| | Alice | Developers | Dev Terminal | test-python | | Bob | Data Scientists | Data Terminal | data-science-v2 | - Alice sees only Dev Terminal, provisions with `test-python` policy - Bob sees only Data Terminal, provisions with `data-science-v2` policy - Cross-access denied (Alice→Data Terminal returns 403) - Admin sees all connections, policies, and instances across tabs ### Screenshots or Videos New tabs for Open Terminal when Orchestrator is detected: <img width="1273" height="224" alt="image" src="https://github.com/user-attachments/assets/ee9cd2f3-992e-4dc6-a3ca-71131215a3c8" /> Policies tab with hover actions shown on top policy: <img width="1270" height="467" alt="image" src="https://github.com/user-attachments/assets/e8d59b57-efc1-477f-b148-541a4aca1261" /> Active Terminals tab: <img width="1272" height="340" alt="image" src="https://github.com/user-attachments/assets/f8a9546f-d0c6-42da-a4db-8efd3e5830a1" /> Delete Terminal confirmation window: <img width="1264" height="338" alt="image" src="https://github.com/user-attachments/assets/3e395d1a-b197-4f6c-a3e9-b716c22ee74a" /> ### Contributor License Agreement <!-- 🚨 DO NOT DELETE THE TEXT BELOW 🚨 Keep the "Contributor License Agreement" confirmation text intact. Deleting it will trigger the CLA-Bot to INVALIDATE your PR. Your PR will NOT be reviewed or merged until you check the box below confirming that you have read and agree to the terms of the CLA. --> - [x] By submitting this pull request, I confirm that I have read and fully agree to the [Contributor License Agreement (CLA)](https://github.com/open-webui/open-webui/blob/main/CONTRIBUTOR_LICENSE_AGREEMENT), and I am providing my contributions under its terms. > [!NOTE] > Deleting the CLA section will lead to immediate closure of your PR and it will not be merged in. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-04-20 06:47:47 -05:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
confirmed
confirmed issue
core
documentation
enhancement
good first issue
help wanted
non-core
pull-request
Mirrored from GitHub Pull Request
 python
question
testing wanted
No Label pull-request
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#26972
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?