LiteLLM: SSO and fixed LLM config

This commit is contained in:
Marco van Zijl 2026-06-02 20:02:12 +02:00
parent beec5bbb57
commit cdf575a286
3 changed files with 59 additions and 63 deletions

View File

@ -10,6 +10,3 @@ dependencies:
alias: litellm
version: 1.84.0
repository: oci://ghcr.io/berriai
- name: oauth2-proxy
version: 10.4.3
repository: https://oauth2-proxy.github.io/manifests

View File

@ -4,7 +4,7 @@ LiteLLM is the cluster-local LLM proxy for OpenWebUI. It routes requests to the
external llama.cpp OpenAI-compatible endpoint at `http://framework-llm:8080/v1`.
The public dashboard is exposed at `https://litellm.noxxos.nl` through
OAuth2 Proxy and Authentik. API clients should use LiteLLM bearer keys.
LiteLLM's native Authentik SSO. API clients should use LiteLLM bearer keys.
## Secrets
@ -28,7 +28,7 @@ kubectl -n open-webui create secret generic litellm-secrets \
two OpenAI-compatible endpoints: its internal Pipelines service first, then
LiteLLM.
Create an Authentik OAuth2/OIDC provider and application for OAuth2 Proxy.
Create an Authentik OAuth2/OIDC provider and application for LiteLLM.
External URL:
@ -39,20 +39,28 @@ https://litellm.noxxos.nl
Allowed redirect URI:
```text
https://litellm.noxxos.nl/oauth2/callback
https://litellm.noxxos.nl/sso/callback
```
Create the OAuth2 Proxy secret:
Launch URL:
```text
https://litellm.noxxos.nl/ui
```
Include the scopes `openid profile email litellm_role`.
Create an Authentik scope mapping named `litellm_role`:
```python
if ak_is_group_member(request.user, name="admins"):
return {"litellm_role": "proxy_admin"}
return {"litellm_role": "internal_user"}
```
Create the LiteLLM SSO secret:
```bash
kubectl -n litellm create secret generic litellm-oauth2-proxy \
--from-literal=client-id='<authentik-client-id>' \
--from-literal=client-secret='<authentik-client-secret>' \
--from-literal=cookie-secret='<32-byte-base64-cookie-secret>'
```
Generate a cookie secret with:
```bash
openssl rand -base64 32 | head -c 32 | base64
kubectl -n litellm create secret generic litellm-sso \
--from-literal=GENERIC_CLIENT_SECRET='<authentik-client-secret>'
```

View File

@ -19,6 +19,8 @@ litellm:
masterkeySecretName: litellm-secrets
masterkeySecretKey: master-key
environmentSecrets:
- litellm-sso
environmentConfigMaps:
- litellm-env
@ -54,22 +56,37 @@ litellm:
model: openai/qwen3.6-27B
api_base: http://framework-llm:8080/v1
api_key: not-needed
model_info:
mode: chat
- model_name: qwen3-122b-a10b
litellm_params:
model: openai/qwen3.5-122B-A10B
api_base: http://framework-llm:8080/v1
api_key: not-needed
model_info:
mode: chat
- model_name: qwen35-4b
litellm_params:
model: openai/qwen35-4b
api_base: http://framework-llm:8080/v1
api_key: not-needed
model_info:
mode: chat
general_settings:
master_key: os.environ/PROXY_MASTER_KEY
litellm_settings:
drop_params: true
envVars:
GENERIC_CLIENT_ID: litellm
GENERIC_AUTHORIZATION_ENDPOINT: https://sso.noxxos.nl/application/o/authorize/
GENERIC_TOKEN_ENDPOINT: https://sso.noxxos.nl/application/o/token/
GENERIC_USERINFO_ENDPOINT: https://sso.noxxos.nl/application/o/userinfo/
GENERIC_SCOPE: openid profile email litellm_role
GENERIC_USER_ROLE_ATTRIBUTE: litellm_role
PROXY_BASE_URL: https://litellm.noxxos.nl
PROXY_LOGOUT_URL: https://sso.noxxos.nl/application/o/litellm/end-session/
AUTO_REDIRECT_UI_LOGIN_TO_SSO: "true"
DD_ENV: production
DD_SERVICE: litellm
USE_DDTRACE: "false"
@ -161,49 +178,23 @@ litellm:
storageClassName: ceph-bucket
additionalConfig:
maxSize: "50Gi"
oauth2-proxy:
config:
existingSecret: litellm-oauth2-proxy
emailDomains:
- "*"
configFile: |-
provider = "oidc"
oidc_issuer_url = "https://sso.noxxos.nl/application/o/litellm/"
insecure_oidc_allow_unverified_email = true
redirect_url = "https://litellm.noxxos.nl/oauth2/callback"
upstreams = [ "http://litellm:4000" ]
email_domains = [ "*" ]
reverse_proxy = true
trusted_proxy_ips = [ "10.244.0.0/16" ]
set_xauthrequest = true
skip_provider_button = true
cookie_secure = true
cookie_samesite = "lax"
cookie_domains = [ ".noxxos.nl" ]
whitelist_domains = [ ".noxxos.nl" ]
service:
type: ClusterIP
portNumber: 80
gatewayApi:
enabled: true
gatewayRef:
name: traefik-gateway
namespace: traefik
sectionName: websecure
hostnames:
- litellm.noxxos.nl
rules:
- matches:
- path:
type: PathPrefix
value: /
resources:
requests:
cpu: 50m
memory: 128Mi
limits:
memory: 256Mi
- apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: litellm
namespace: litellm
spec:
parentRefs:
- name: traefik-gateway
namespace: traefik
sectionName: websecure
hostnames:
- litellm.noxxos.nl
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- name: litellm
port: 4000