veda/apps/litellm/README.md

1.6 KiB

LiteLLM

LiteLLM is the cluster-local LLM proxy for OpenWebUI. It routes requests to the external llama.cpp OpenAI-compatible endpoint at http://framework-llm:8080/v1.

The public dashboard is exposed at https://litellm.noxxos.nl through LiteLLM's native Authentik SSO. API clients should use LiteLLM bearer keys.

Secrets

Create the LiteLLM secret before syncing:

kubectl create namespace litellm
kubectl -n litellm create secret generic litellm-secrets \
  --from-literal=master-key='sk-<litellm-master-key>' \
  --from-literal=salt-key='<random-high-entropy-salt>'

OpenWebUI needs a copy of the LiteLLM key in its own namespace:

kubectl -n open-webui create secret generic litellm-secrets \
  --from-literal=openwebui-api-keys='0p3n-w3bu!;sk-<litellm-master-key>'

openwebui-api-keys is semicolon-separated because OpenWebUI is configured with two OpenAI-compatible endpoints: its internal Pipelines service first, then LiteLLM.

Create an Authentik OAuth2/OIDC provider and application for LiteLLM.

External URL:

https://litellm.noxxos.nl

Allowed redirect URI:

https://litellm.noxxos.nl/sso/callback

Launch URL:

https://litellm.noxxos.nl/ui

Include the scopes openid profile email litellm_role.

Create an Authentik scope mapping named litellm_role:

if ak_is_group_member(request.user, name="admins"):
    return {"litellm_role": "proxy_admin"}
return {"litellm_role": "internal_user"}

Create the LiteLLM SSO secret:

kubectl -n litellm create secret generic litellm-sso \
  --from-literal=GENERIC_CLIENT_SECRET='<authentik-client-secret>'