Skip to content

Remove keycloak from llm-proxy and put it behind the auth-proxy #561

Open
Open
Remove keycloak from llm-proxy and put it behind the auth-proxy#561
Assignees
fabianvf
Labels
needs-kindIndicates an issue or PR lacks a `kind/foo` label and requires one.needs-priorityIndicates an issue or PR lacks a `priority/foo` label and requires one.needs-triageIndicates an issue or PR lacks a `triage/foo` label and requires one.
Milestone
v0.10.0
@fabianvf

Description

@fabianvf
fabianvf
opened on May 18, 2026

llm-proxy currently embeds its own keycloak-based authentication. With the
new auth model, all auth is handled by the auth-proxy that already fronts
the rest of the stack. llm-proxy should sit fully behind the auth-proxy
and stop doing its own auth.

What needs to happen

  • Strip the keycloak integration out of the operator-managed llm-proxy
    deployment (env vars, mounts, sidecars, anything related).
  • Reconfigure llm-proxy to be reached only through the auth-proxy so that
    requests arrive already-authenticated.
  • Clean up any operator-side configuration knobs that only existed to
    feed keycloak credentials.
  • Update generated manifests / CR docs to reflect the new topology.

Relies on #560

Metadata

Metadata

Assignees

Labels

needs-kindIndicates an issue or PR lacks a `kind/foo` label and requires one.needs-priorityIndicates an issue or PR lacks a `priority/foo` label and requires one.needs-triageIndicates an issue or PR lacks a `triage/foo` label and requires one.

Type

No type

Fields

No fields configured for issues without a type.

Projects

Planning
Status
🏗 In progress

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions