LiteLLM: SSO and fixed LLM config

This commit is contained in:
Marco van Zijl 2026-06-02 20:02:12 +02:00
parent beec5bbb57
commit cdf575a286
3 changed files with 59 additions and 63 deletions

View File

@ -10,6 +10,3 @@ dependencies:
alias: litellm alias: litellm
version: 1.84.0 version: 1.84.0
repository: oci://ghcr.io/berriai repository: oci://ghcr.io/berriai
- name: oauth2-proxy
version: 10.4.3
repository: https://oauth2-proxy.github.io/manifests

View File

@ -4,7 +4,7 @@ LiteLLM is the cluster-local LLM proxy for OpenWebUI. It routes requests to the
external llama.cpp OpenAI-compatible endpoint at `http://framework-llm:8080/v1`. external llama.cpp OpenAI-compatible endpoint at `http://framework-llm:8080/v1`.
The public dashboard is exposed at `https://litellm.noxxos.nl` through The public dashboard is exposed at `https://litellm.noxxos.nl` through
OAuth2 Proxy and Authentik. API clients should use LiteLLM bearer keys. LiteLLM's native Authentik SSO. API clients should use LiteLLM bearer keys.
## Secrets ## Secrets
@ -28,7 +28,7 @@ kubectl -n open-webui create secret generic litellm-secrets \
two OpenAI-compatible endpoints: its internal Pipelines service first, then two OpenAI-compatible endpoints: its internal Pipelines service first, then
LiteLLM. LiteLLM.
Create an Authentik OAuth2/OIDC provider and application for OAuth2 Proxy. Create an Authentik OAuth2/OIDC provider and application for LiteLLM.
External URL: External URL:
@ -39,20 +39,28 @@ https://litellm.noxxos.nl
Allowed redirect URI: Allowed redirect URI:
```text ```text
https://litellm.noxxos.nl/oauth2/callback https://litellm.noxxos.nl/sso/callback
``` ```
Create the OAuth2 Proxy secret: Launch URL:
```text
https://litellm.noxxos.nl/ui
```
Include the scopes `openid profile email litellm_role`.
Create an Authentik scope mapping named `litellm_role`:
```python
if ak_is_group_member(request.user, name="admins"):
return {"litellm_role": "proxy_admin"}
return {"litellm_role": "internal_user"}
```
Create the LiteLLM SSO secret:
```bash ```bash
kubectl -n litellm create secret generic litellm-oauth2-proxy \ kubectl -n litellm create secret generic litellm-sso \
--from-literal=client-id='<authentik-client-id>' \ --from-literal=GENERIC_CLIENT_SECRET='<authentik-client-secret>'
--from-literal=client-secret='<authentik-client-secret>' \
--from-literal=cookie-secret='<32-byte-base64-cookie-secret>'
```
Generate a cookie secret with:
```bash
openssl rand -base64 32 | head -c 32 | base64
``` ```

View File

@ -19,6 +19,8 @@ litellm:
masterkeySecretName: litellm-secrets masterkeySecretName: litellm-secrets
masterkeySecretKey: master-key masterkeySecretKey: master-key
environmentSecrets:
- litellm-sso
environmentConfigMaps: environmentConfigMaps:
- litellm-env - litellm-env
@ -54,22 +56,37 @@ litellm:
model: openai/qwen3.6-27B model: openai/qwen3.6-27B
api_base: http://framework-llm:8080/v1 api_base: http://framework-llm:8080/v1
api_key: not-needed api_key: not-needed
model_info:
mode: chat
- model_name: qwen3-122b-a10b - model_name: qwen3-122b-a10b
litellm_params: litellm_params:
model: openai/qwen3.5-122B-A10B model: openai/qwen3.5-122B-A10B
api_base: http://framework-llm:8080/v1 api_base: http://framework-llm:8080/v1
api_key: not-needed api_key: not-needed
model_info:
mode: chat
- model_name: qwen35-4b - model_name: qwen35-4b
litellm_params: litellm_params:
model: openai/qwen35-4b model: openai/qwen35-4b
api_base: http://framework-llm:8080/v1 api_base: http://framework-llm:8080/v1
api_key: not-needed api_key: not-needed
model_info:
mode: chat
general_settings: general_settings:
master_key: os.environ/PROXY_MASTER_KEY master_key: os.environ/PROXY_MASTER_KEY
litellm_settings: litellm_settings:
drop_params: true drop_params: true
envVars: envVars:
GENERIC_CLIENT_ID: litellm
GENERIC_AUTHORIZATION_ENDPOINT: https://sso.noxxos.nl/application/o/authorize/
GENERIC_TOKEN_ENDPOINT: https://sso.noxxos.nl/application/o/token/
GENERIC_USERINFO_ENDPOINT: https://sso.noxxos.nl/application/o/userinfo/
GENERIC_SCOPE: openid profile email litellm_role
GENERIC_USER_ROLE_ATTRIBUTE: litellm_role
PROXY_BASE_URL: https://litellm.noxxos.nl
PROXY_LOGOUT_URL: https://sso.noxxos.nl/application/o/litellm/end-session/
AUTO_REDIRECT_UI_LOGIN_TO_SSO: "true"
DD_ENV: production DD_ENV: production
DD_SERVICE: litellm DD_SERVICE: litellm
USE_DDTRACE: "false" USE_DDTRACE: "false"
@ -161,49 +178,23 @@ litellm:
storageClassName: ceph-bucket storageClassName: ceph-bucket
additionalConfig: additionalConfig:
maxSize: "50Gi" maxSize: "50Gi"
- apiVersion: gateway.networking.k8s.io/v1
oauth2-proxy: kind: HTTPRoute
config: metadata:
existingSecret: litellm-oauth2-proxy name: litellm
emailDomains: namespace: litellm
- "*" spec:
configFile: |- parentRefs:
provider = "oidc" - name: traefik-gateway
oidc_issuer_url = "https://sso.noxxos.nl/application/o/litellm/" namespace: traefik
insecure_oidc_allow_unverified_email = true sectionName: websecure
redirect_url = "https://litellm.noxxos.nl/oauth2/callback" hostnames:
upstreams = [ "http://litellm:4000" ] - litellm.noxxos.nl
email_domains = [ "*" ] rules:
reverse_proxy = true - matches:
trusted_proxy_ips = [ "10.244.0.0/16" ] - path:
set_xauthrequest = true type: PathPrefix
skip_provider_button = true value: /
cookie_secure = true backendRefs:
cookie_samesite = "lax" - name: litellm
cookie_domains = [ ".noxxos.nl" ] port: 4000
whitelist_domains = [ ".noxxos.nl" ]
service:
type: ClusterIP
portNumber: 80
gatewayApi:
enabled: true
gatewayRef:
name: traefik-gateway
namespace: traefik
sectionName: websecure
hostnames:
- litellm.noxxos.nl
rules:
- matches:
- path:
type: PathPrefix
value: /
resources:
requests:
cpu: 50m
memory: 128Mi
limits:
memory: 256Mi