diff --git a/apps/litellm/Chart.yaml b/apps/litellm/Chart.yaml index aadef7f..bfce121 100644 --- a/apps/litellm/Chart.yaml +++ b/apps/litellm/Chart.yaml @@ -10,6 +10,3 @@ dependencies: alias: litellm version: 1.84.0 repository: oci://ghcr.io/berriai - - name: oauth2-proxy - version: 10.4.3 - repository: https://oauth2-proxy.github.io/manifests diff --git a/apps/litellm/README.md b/apps/litellm/README.md index 1c8ea61..ba36fd3 100644 --- a/apps/litellm/README.md +++ b/apps/litellm/README.md @@ -4,7 +4,7 @@ LiteLLM is the cluster-local LLM proxy for OpenWebUI. It routes requests to the external llama.cpp OpenAI-compatible endpoint at `http://framework-llm:8080/v1`. The public dashboard is exposed at `https://litellm.noxxos.nl` through -OAuth2 Proxy and Authentik. API clients should use LiteLLM bearer keys. +LiteLLM's native Authentik SSO. API clients should use LiteLLM bearer keys. ## Secrets @@ -28,7 +28,7 @@ kubectl -n open-webui create secret generic litellm-secrets \ two OpenAI-compatible endpoints: its internal Pipelines service first, then LiteLLM. -Create an Authentik OAuth2/OIDC provider and application for OAuth2 Proxy. +Create an Authentik OAuth2/OIDC provider and application for LiteLLM. External URL: @@ -39,20 +39,28 @@ https://litellm.noxxos.nl Allowed redirect URI: ```text -https://litellm.noxxos.nl/oauth2/callback +https://litellm.noxxos.nl/sso/callback ``` -Create the OAuth2 Proxy secret: +Launch URL: + +```text +https://litellm.noxxos.nl/ui +``` + +Include the scopes `openid profile email litellm_role`. + +Create an Authentik scope mapping named `litellm_role`: + +```python +if ak_is_group_member(request.user, name="admins"): + return {"litellm_role": "proxy_admin"} +return {"litellm_role": "internal_user"} +``` + +Create the LiteLLM SSO secret: ```bash -kubectl -n litellm create secret generic litellm-oauth2-proxy \ - --from-literal=client-id='' \ - --from-literal=client-secret='' \ - --from-literal=cookie-secret='<32-byte-base64-cookie-secret>' -``` - -Generate a cookie secret with: - -```bash -openssl rand -base64 32 | head -c 32 | base64 +kubectl -n litellm create secret generic litellm-sso \ + --from-literal=GENERIC_CLIENT_SECRET='' ``` diff --git a/apps/litellm/values.yaml b/apps/litellm/values.yaml index fdb1b34..c18bb9e 100644 --- a/apps/litellm/values.yaml +++ b/apps/litellm/values.yaml @@ -19,6 +19,8 @@ litellm: masterkeySecretName: litellm-secrets masterkeySecretKey: master-key + environmentSecrets: + - litellm-sso environmentConfigMaps: - litellm-env @@ -54,22 +56,37 @@ litellm: model: openai/qwen3.6-27B api_base: http://framework-llm:8080/v1 api_key: not-needed + model_info: + mode: chat - model_name: qwen3-122b-a10b litellm_params: model: openai/qwen3.5-122B-A10B api_base: http://framework-llm:8080/v1 api_key: not-needed + model_info: + mode: chat - model_name: qwen35-4b litellm_params: model: openai/qwen35-4b api_base: http://framework-llm:8080/v1 api_key: not-needed + model_info: + mode: chat general_settings: master_key: os.environ/PROXY_MASTER_KEY litellm_settings: drop_params: true envVars: + GENERIC_CLIENT_ID: litellm + GENERIC_AUTHORIZATION_ENDPOINT: https://sso.noxxos.nl/application/o/authorize/ + GENERIC_TOKEN_ENDPOINT: https://sso.noxxos.nl/application/o/token/ + GENERIC_USERINFO_ENDPOINT: https://sso.noxxos.nl/application/o/userinfo/ + GENERIC_SCOPE: openid profile email litellm_role + GENERIC_USER_ROLE_ATTRIBUTE: litellm_role + PROXY_BASE_URL: https://litellm.noxxos.nl + PROXY_LOGOUT_URL: https://sso.noxxos.nl/application/o/litellm/end-session/ + AUTO_REDIRECT_UI_LOGIN_TO_SSO: "true" DD_ENV: production DD_SERVICE: litellm USE_DDTRACE: "false" @@ -161,49 +178,23 @@ litellm: storageClassName: ceph-bucket additionalConfig: maxSize: "50Gi" - -oauth2-proxy: - config: - existingSecret: litellm-oauth2-proxy - emailDomains: - - "*" - configFile: |- - provider = "oidc" - oidc_issuer_url = "https://sso.noxxos.nl/application/o/litellm/" - insecure_oidc_allow_unverified_email = true - redirect_url = "https://litellm.noxxos.nl/oauth2/callback" - upstreams = [ "http://litellm:4000" ] - email_domains = [ "*" ] - reverse_proxy = true - trusted_proxy_ips = [ "10.244.0.0/16" ] - set_xauthrequest = true - skip_provider_button = true - cookie_secure = true - cookie_samesite = "lax" - cookie_domains = [ ".noxxos.nl" ] - whitelist_domains = [ ".noxxos.nl" ] - - service: - type: ClusterIP - portNumber: 80 - - gatewayApi: - enabled: true - gatewayRef: - name: traefik-gateway - namespace: traefik - sectionName: websecure - hostnames: - - litellm.noxxos.nl - rules: - - matches: - - path: - type: PathPrefix - value: / - - resources: - requests: - cpu: 50m - memory: 128Mi - limits: - memory: 256Mi + - apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + name: litellm + namespace: litellm + spec: + parentRefs: + - name: traefik-gateway + namespace: traefik + sectionName: websecure + hostnames: + - litellm.noxxos.nl + rules: + - matches: + - path: + type: PathPrefix + value: / + backendRefs: + - name: litellm + port: 4000