veda/apps/litellm
2026-06-02 20:45:57 +02:00
..
application.yaml Add LiteLLM proxy 2026-05-17 10:51:30 +02:00
Chart.yaml LiteLLM: SSO and fixed LLM config 2026-06-02 20:02:12 +02:00
README.md LiteLLM: fix model routing config 2026-06-02 20:24:53 +02:00
values.yaml LiteLLM: set Authentik client ID 2026-06-02 20:45:57 +02:00

LiteLLM

LiteLLM is the cluster-local LLM proxy for OpenWebUI. It routes requests to the external llama.cpp OpenAI-compatible endpoint at http://framework-llm.open-webui.svc.cluster.local:8080/v1.

The public dashboard is exposed at https://litellm.noxxos.nl through LiteLLM's native Authentik SSO. API clients should use LiteLLM bearer keys.

Secrets

Create the LiteLLM secrets before syncing. The Helm chart references these secrets directly, so the LiteLLM pod will fail with secret "litellm-sso" not found until the SSO secret exists in the litellm namespace.

Create the LiteLLM master key and salt:

kubectl create namespace litellm
kubectl -n litellm create secret generic litellm-secrets \
  --from-literal=master-key='sk-<litellm-master-key>' \
  --from-literal=salt-key='<random-high-entropy-salt>'

OpenWebUI needs a copy of the LiteLLM key in its own namespace:

kubectl -n open-webui create secret generic litellm-secrets \
  --from-literal=openwebui-api-keys='0p3n-w3bu!;sk-<litellm-master-key>'

openwebui-api-keys is semicolon-separated because OpenWebUI is configured with two OpenAI-compatible endpoints: its internal Pipelines service first, then LiteLLM.

Create an Authentik OAuth2/OIDC provider and application for LiteLLM.

External URL:

https://litellm.noxxos.nl

Allowed redirect URI:

https://litellm.noxxos.nl/sso/callback

Launch URL:

https://litellm.noxxos.nl/ui

Include the scopes openid profile email litellm_role.

Create an Authentik scope mapping named litellm_role:

if ak_is_group_member(request.user, name="admins"):
    return {"litellm_role": "proxy_admin"}
return {"litellm_role": "internal_user"}

Then create the LiteLLM SSO secret before syncing the app:

kubectl -n litellm create secret generic litellm-sso \
  --from-literal=GENERIC_CLIENT_SECRET='<authentik-client-secret>'