veda/apps/litellm/README.md

1.9 KiB

LiteLLM

LiteLLM is the cluster-local LLM proxy for OpenWebUI. It routes requests to the external llama.cpp OpenAI-compatible endpoint at http://framework-llm.open-webui.svc.cluster.local:8080/v1.

The public dashboard is exposed at https://litellm.noxxos.nl through LiteLLM's native Authentik SSO. API clients should use LiteLLM bearer keys.

Secrets

Create the LiteLLM secrets before syncing. The Helm chart references these secrets directly, so the LiteLLM pod will fail with secret "litellm-sso" not found until the SSO secret exists in the litellm namespace.

Create the LiteLLM master key and salt:

kubectl create namespace litellm
kubectl -n litellm create secret generic litellm-secrets \
  --from-literal=master-key='sk-<litellm-master-key>' \
  --from-literal=salt-key='<random-high-entropy-salt>'

OpenWebUI needs a copy of the LiteLLM key in its own namespace:

kubectl -n open-webui create secret generic litellm-secrets \
  --from-literal=openwebui-api-keys='0p3n-w3bu!;sk-<litellm-master-key>'

openwebui-api-keys is semicolon-separated because OpenWebUI is configured with two OpenAI-compatible endpoints: its internal Pipelines service first, then LiteLLM.

Create an Authentik OAuth2/OIDC provider and application for LiteLLM.

External URL:

https://litellm.noxxos.nl

Allowed redirect URI:

https://litellm.noxxos.nl/sso/callback

Launch URL:

https://litellm.noxxos.nl/ui

Include the scopes openid profile email litellm_role.

Create an Authentik scope mapping named litellm_role:

if ak_is_group_member(request.user, name="admins"):
    return {"litellm_role": "proxy_admin"}
return {"litellm_role": "internal_user"}

Then create the LiteLLM SSO secret before syncing the app:

kubectl -n litellm create secret generic litellm-sso \
  --from-literal=GENERIC_CLIENT_SECRET='<authentik-client-secret>'