LiteLLM: SSO and fixed LLM config
This commit is contained in:
parent
beec5bbb57
commit
cdf575a286
@ -10,6 +10,3 @@ dependencies:
|
||||
alias: litellm
|
||||
version: 1.84.0
|
||||
repository: oci://ghcr.io/berriai
|
||||
- name: oauth2-proxy
|
||||
version: 10.4.3
|
||||
repository: https://oauth2-proxy.github.io/manifests
|
||||
|
||||
@ -4,7 +4,7 @@ LiteLLM is the cluster-local LLM proxy for OpenWebUI. It routes requests to the
|
||||
external llama.cpp OpenAI-compatible endpoint at `http://framework-llm:8080/v1`.
|
||||
|
||||
The public dashboard is exposed at `https://litellm.noxxos.nl` through
|
||||
OAuth2 Proxy and Authentik. API clients should use LiteLLM bearer keys.
|
||||
LiteLLM's native Authentik SSO. API clients should use LiteLLM bearer keys.
|
||||
|
||||
## Secrets
|
||||
|
||||
@ -28,7 +28,7 @@ kubectl -n open-webui create secret generic litellm-secrets \
|
||||
two OpenAI-compatible endpoints: its internal Pipelines service first, then
|
||||
LiteLLM.
|
||||
|
||||
Create an Authentik OAuth2/OIDC provider and application for OAuth2 Proxy.
|
||||
Create an Authentik OAuth2/OIDC provider and application for LiteLLM.
|
||||
|
||||
External URL:
|
||||
|
||||
@ -39,20 +39,28 @@ https://litellm.noxxos.nl
|
||||
Allowed redirect URI:
|
||||
|
||||
```text
|
||||
https://litellm.noxxos.nl/oauth2/callback
|
||||
https://litellm.noxxos.nl/sso/callback
|
||||
```
|
||||
|
||||
Create the OAuth2 Proxy secret:
|
||||
Launch URL:
|
||||
|
||||
```text
|
||||
https://litellm.noxxos.nl/ui
|
||||
```
|
||||
|
||||
Include the scopes `openid profile email litellm_role`.
|
||||
|
||||
Create an Authentik scope mapping named `litellm_role`:
|
||||
|
||||
```python
|
||||
if ak_is_group_member(request.user, name="admins"):
|
||||
return {"litellm_role": "proxy_admin"}
|
||||
return {"litellm_role": "internal_user"}
|
||||
```
|
||||
|
||||
Create the LiteLLM SSO secret:
|
||||
|
||||
```bash
|
||||
kubectl -n litellm create secret generic litellm-oauth2-proxy \
|
||||
--from-literal=client-id='<authentik-client-id>' \
|
||||
--from-literal=client-secret='<authentik-client-secret>' \
|
||||
--from-literal=cookie-secret='<32-byte-base64-cookie-secret>'
|
||||
```
|
||||
|
||||
Generate a cookie secret with:
|
||||
|
||||
```bash
|
||||
openssl rand -base64 32 | head -c 32 | base64
|
||||
kubectl -n litellm create secret generic litellm-sso \
|
||||
--from-literal=GENERIC_CLIENT_SECRET='<authentik-client-secret>'
|
||||
```
|
||||
|
||||
@ -19,6 +19,8 @@ litellm:
|
||||
|
||||
masterkeySecretName: litellm-secrets
|
||||
masterkeySecretKey: master-key
|
||||
environmentSecrets:
|
||||
- litellm-sso
|
||||
environmentConfigMaps:
|
||||
- litellm-env
|
||||
|
||||
@ -54,22 +56,37 @@ litellm:
|
||||
model: openai/qwen3.6-27B
|
||||
api_base: http://framework-llm:8080/v1
|
||||
api_key: not-needed
|
||||
model_info:
|
||||
mode: chat
|
||||
- model_name: qwen3-122b-a10b
|
||||
litellm_params:
|
||||
model: openai/qwen3.5-122B-A10B
|
||||
api_base: http://framework-llm:8080/v1
|
||||
api_key: not-needed
|
||||
model_info:
|
||||
mode: chat
|
||||
- model_name: qwen35-4b
|
||||
litellm_params:
|
||||
model: openai/qwen35-4b
|
||||
api_base: http://framework-llm:8080/v1
|
||||
api_key: not-needed
|
||||
model_info:
|
||||
mode: chat
|
||||
general_settings:
|
||||
master_key: os.environ/PROXY_MASTER_KEY
|
||||
litellm_settings:
|
||||
drop_params: true
|
||||
|
||||
envVars:
|
||||
GENERIC_CLIENT_ID: litellm
|
||||
GENERIC_AUTHORIZATION_ENDPOINT: https://sso.noxxos.nl/application/o/authorize/
|
||||
GENERIC_TOKEN_ENDPOINT: https://sso.noxxos.nl/application/o/token/
|
||||
GENERIC_USERINFO_ENDPOINT: https://sso.noxxos.nl/application/o/userinfo/
|
||||
GENERIC_SCOPE: openid profile email litellm_role
|
||||
GENERIC_USER_ROLE_ATTRIBUTE: litellm_role
|
||||
PROXY_BASE_URL: https://litellm.noxxos.nl
|
||||
PROXY_LOGOUT_URL: https://sso.noxxos.nl/application/o/litellm/end-session/
|
||||
AUTO_REDIRECT_UI_LOGIN_TO_SSO: "true"
|
||||
DD_ENV: production
|
||||
DD_SERVICE: litellm
|
||||
USE_DDTRACE: "false"
|
||||
@ -161,36 +178,14 @@ litellm:
|
||||
storageClassName: ceph-bucket
|
||||
additionalConfig:
|
||||
maxSize: "50Gi"
|
||||
|
||||
oauth2-proxy:
|
||||
config:
|
||||
existingSecret: litellm-oauth2-proxy
|
||||
emailDomains:
|
||||
- "*"
|
||||
configFile: |-
|
||||
provider = "oidc"
|
||||
oidc_issuer_url = "https://sso.noxxos.nl/application/o/litellm/"
|
||||
insecure_oidc_allow_unverified_email = true
|
||||
redirect_url = "https://litellm.noxxos.nl/oauth2/callback"
|
||||
upstreams = [ "http://litellm:4000" ]
|
||||
email_domains = [ "*" ]
|
||||
reverse_proxy = true
|
||||
trusted_proxy_ips = [ "10.244.0.0/16" ]
|
||||
set_xauthrequest = true
|
||||
skip_provider_button = true
|
||||
cookie_secure = true
|
||||
cookie_samesite = "lax"
|
||||
cookie_domains = [ ".noxxos.nl" ]
|
||||
whitelist_domains = [ ".noxxos.nl" ]
|
||||
|
||||
service:
|
||||
type: ClusterIP
|
||||
portNumber: 80
|
||||
|
||||
gatewayApi:
|
||||
enabled: true
|
||||
gatewayRef:
|
||||
name: traefik-gateway
|
||||
- apiVersion: gateway.networking.k8s.io/v1
|
||||
kind: HTTPRoute
|
||||
metadata:
|
||||
name: litellm
|
||||
namespace: litellm
|
||||
spec:
|
||||
parentRefs:
|
||||
- name: traefik-gateway
|
||||
namespace: traefik
|
||||
sectionName: websecure
|
||||
hostnames:
|
||||
@ -200,10 +195,6 @@ oauth2-proxy:
|
||||
- path:
|
||||
type: PathPrefix
|
||||
value: /
|
||||
|
||||
resources:
|
||||
requests:
|
||||
cpu: 50m
|
||||
memory: 128Mi
|
||||
limits:
|
||||
memory: 256Mi
|
||||
backendRefs:
|
||||
- name: litellm
|
||||
port: 4000
|
||||
|
||||
Loading…
Reference in New Issue
Block a user