LiteLLM: SSO and fixed LLM config
This commit is contained in:
parent
beec5bbb57
commit
cdf575a286
@ -10,6 +10,3 @@ dependencies:
|
|||||||
alias: litellm
|
alias: litellm
|
||||||
version: 1.84.0
|
version: 1.84.0
|
||||||
repository: oci://ghcr.io/berriai
|
repository: oci://ghcr.io/berriai
|
||||||
- name: oauth2-proxy
|
|
||||||
version: 10.4.3
|
|
||||||
repository: https://oauth2-proxy.github.io/manifests
|
|
||||||
|
|||||||
@ -4,7 +4,7 @@ LiteLLM is the cluster-local LLM proxy for OpenWebUI. It routes requests to the
|
|||||||
external llama.cpp OpenAI-compatible endpoint at `http://framework-llm:8080/v1`.
|
external llama.cpp OpenAI-compatible endpoint at `http://framework-llm:8080/v1`.
|
||||||
|
|
||||||
The public dashboard is exposed at `https://litellm.noxxos.nl` through
|
The public dashboard is exposed at `https://litellm.noxxos.nl` through
|
||||||
OAuth2 Proxy and Authentik. API clients should use LiteLLM bearer keys.
|
LiteLLM's native Authentik SSO. API clients should use LiteLLM bearer keys.
|
||||||
|
|
||||||
## Secrets
|
## Secrets
|
||||||
|
|
||||||
@ -28,7 +28,7 @@ kubectl -n open-webui create secret generic litellm-secrets \
|
|||||||
two OpenAI-compatible endpoints: its internal Pipelines service first, then
|
two OpenAI-compatible endpoints: its internal Pipelines service first, then
|
||||||
LiteLLM.
|
LiteLLM.
|
||||||
|
|
||||||
Create an Authentik OAuth2/OIDC provider and application for OAuth2 Proxy.
|
Create an Authentik OAuth2/OIDC provider and application for LiteLLM.
|
||||||
|
|
||||||
External URL:
|
External URL:
|
||||||
|
|
||||||
@ -39,20 +39,28 @@ https://litellm.noxxos.nl
|
|||||||
Allowed redirect URI:
|
Allowed redirect URI:
|
||||||
|
|
||||||
```text
|
```text
|
||||||
https://litellm.noxxos.nl/oauth2/callback
|
https://litellm.noxxos.nl/sso/callback
|
||||||
```
|
```
|
||||||
|
|
||||||
Create the OAuth2 Proxy secret:
|
Launch URL:
|
||||||
|
|
||||||
|
```text
|
||||||
|
https://litellm.noxxos.nl/ui
|
||||||
|
```
|
||||||
|
|
||||||
|
Include the scopes `openid profile email litellm_role`.
|
||||||
|
|
||||||
|
Create an Authentik scope mapping named `litellm_role`:
|
||||||
|
|
||||||
|
```python
|
||||||
|
if ak_is_group_member(request.user, name="admins"):
|
||||||
|
return {"litellm_role": "proxy_admin"}
|
||||||
|
return {"litellm_role": "internal_user"}
|
||||||
|
```
|
||||||
|
|
||||||
|
Create the LiteLLM SSO secret:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
kubectl -n litellm create secret generic litellm-oauth2-proxy \
|
kubectl -n litellm create secret generic litellm-sso \
|
||||||
--from-literal=client-id='<authentik-client-id>' \
|
--from-literal=GENERIC_CLIENT_SECRET='<authentik-client-secret>'
|
||||||
--from-literal=client-secret='<authentik-client-secret>' \
|
|
||||||
--from-literal=cookie-secret='<32-byte-base64-cookie-secret>'
|
|
||||||
```
|
|
||||||
|
|
||||||
Generate a cookie secret with:
|
|
||||||
|
|
||||||
```bash
|
|
||||||
openssl rand -base64 32 | head -c 32 | base64
|
|
||||||
```
|
```
|
||||||
|
|||||||
@ -19,6 +19,8 @@ litellm:
|
|||||||
|
|
||||||
masterkeySecretName: litellm-secrets
|
masterkeySecretName: litellm-secrets
|
||||||
masterkeySecretKey: master-key
|
masterkeySecretKey: master-key
|
||||||
|
environmentSecrets:
|
||||||
|
- litellm-sso
|
||||||
environmentConfigMaps:
|
environmentConfigMaps:
|
||||||
- litellm-env
|
- litellm-env
|
||||||
|
|
||||||
@ -54,22 +56,37 @@ litellm:
|
|||||||
model: openai/qwen3.6-27B
|
model: openai/qwen3.6-27B
|
||||||
api_base: http://framework-llm:8080/v1
|
api_base: http://framework-llm:8080/v1
|
||||||
api_key: not-needed
|
api_key: not-needed
|
||||||
|
model_info:
|
||||||
|
mode: chat
|
||||||
- model_name: qwen3-122b-a10b
|
- model_name: qwen3-122b-a10b
|
||||||
litellm_params:
|
litellm_params:
|
||||||
model: openai/qwen3.5-122B-A10B
|
model: openai/qwen3.5-122B-A10B
|
||||||
api_base: http://framework-llm:8080/v1
|
api_base: http://framework-llm:8080/v1
|
||||||
api_key: not-needed
|
api_key: not-needed
|
||||||
|
model_info:
|
||||||
|
mode: chat
|
||||||
- model_name: qwen35-4b
|
- model_name: qwen35-4b
|
||||||
litellm_params:
|
litellm_params:
|
||||||
model: openai/qwen35-4b
|
model: openai/qwen35-4b
|
||||||
api_base: http://framework-llm:8080/v1
|
api_base: http://framework-llm:8080/v1
|
||||||
api_key: not-needed
|
api_key: not-needed
|
||||||
|
model_info:
|
||||||
|
mode: chat
|
||||||
general_settings:
|
general_settings:
|
||||||
master_key: os.environ/PROXY_MASTER_KEY
|
master_key: os.environ/PROXY_MASTER_KEY
|
||||||
litellm_settings:
|
litellm_settings:
|
||||||
drop_params: true
|
drop_params: true
|
||||||
|
|
||||||
envVars:
|
envVars:
|
||||||
|
GENERIC_CLIENT_ID: litellm
|
||||||
|
GENERIC_AUTHORIZATION_ENDPOINT: https://sso.noxxos.nl/application/o/authorize/
|
||||||
|
GENERIC_TOKEN_ENDPOINT: https://sso.noxxos.nl/application/o/token/
|
||||||
|
GENERIC_USERINFO_ENDPOINT: https://sso.noxxos.nl/application/o/userinfo/
|
||||||
|
GENERIC_SCOPE: openid profile email litellm_role
|
||||||
|
GENERIC_USER_ROLE_ATTRIBUTE: litellm_role
|
||||||
|
PROXY_BASE_URL: https://litellm.noxxos.nl
|
||||||
|
PROXY_LOGOUT_URL: https://sso.noxxos.nl/application/o/litellm/end-session/
|
||||||
|
AUTO_REDIRECT_UI_LOGIN_TO_SSO: "true"
|
||||||
DD_ENV: production
|
DD_ENV: production
|
||||||
DD_SERVICE: litellm
|
DD_SERVICE: litellm
|
||||||
USE_DDTRACE: "false"
|
USE_DDTRACE: "false"
|
||||||
@ -161,49 +178,23 @@ litellm:
|
|||||||
storageClassName: ceph-bucket
|
storageClassName: ceph-bucket
|
||||||
additionalConfig:
|
additionalConfig:
|
||||||
maxSize: "50Gi"
|
maxSize: "50Gi"
|
||||||
|
- apiVersion: gateway.networking.k8s.io/v1
|
||||||
oauth2-proxy:
|
kind: HTTPRoute
|
||||||
config:
|
metadata:
|
||||||
existingSecret: litellm-oauth2-proxy
|
name: litellm
|
||||||
emailDomains:
|
namespace: litellm
|
||||||
- "*"
|
spec:
|
||||||
configFile: |-
|
parentRefs:
|
||||||
provider = "oidc"
|
- name: traefik-gateway
|
||||||
oidc_issuer_url = "https://sso.noxxos.nl/application/o/litellm/"
|
namespace: traefik
|
||||||
insecure_oidc_allow_unverified_email = true
|
sectionName: websecure
|
||||||
redirect_url = "https://litellm.noxxos.nl/oauth2/callback"
|
hostnames:
|
||||||
upstreams = [ "http://litellm:4000" ]
|
- litellm.noxxos.nl
|
||||||
email_domains = [ "*" ]
|
rules:
|
||||||
reverse_proxy = true
|
- matches:
|
||||||
trusted_proxy_ips = [ "10.244.0.0/16" ]
|
- path:
|
||||||
set_xauthrequest = true
|
type: PathPrefix
|
||||||
skip_provider_button = true
|
value: /
|
||||||
cookie_secure = true
|
backendRefs:
|
||||||
cookie_samesite = "lax"
|
- name: litellm
|
||||||
cookie_domains = [ ".noxxos.nl" ]
|
port: 4000
|
||||||
whitelist_domains = [ ".noxxos.nl" ]
|
|
||||||
|
|
||||||
service:
|
|
||||||
type: ClusterIP
|
|
||||||
portNumber: 80
|
|
||||||
|
|
||||||
gatewayApi:
|
|
||||||
enabled: true
|
|
||||||
gatewayRef:
|
|
||||||
name: traefik-gateway
|
|
||||||
namespace: traefik
|
|
||||||
sectionName: websecure
|
|
||||||
hostnames:
|
|
||||||
- litellm.noxxos.nl
|
|
||||||
rules:
|
|
||||||
- matches:
|
|
||||||
- path:
|
|
||||||
type: PathPrefix
|
|
||||||
value: /
|
|
||||||
|
|
||||||
resources:
|
|
||||||
requests:
|
|
||||||
cpu: 50m
|
|
||||||
memory: 128Mi
|
|
||||||
limits:
|
|
||||||
memory: 256Mi
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user