feat(prod): SealedSecret + Authentik SSO + pinned image digest

Bring prod (litellm namespace) in line with staging:

- Migrate litellm-secret to a Bitnami SealedSecret. Adds 3 new
  Authentik OIDC keys (issuer, client id, secret) on top of the
  existing 6 keys. Encrypted with the in-cluster controller's pubkey,
  strict-scoped to litellm/litellm-secret.
- Add a litellm-prod-authentik-sso patch mirroring staging, with
  PROXY_BASE_URL=https://api.aisc.hpi.de.
- Repair the dead images: override (was ghcr.io/aihpi/litellm, base
  is ghcr.io/aihpi/tool-litellm) and pin to the staging-validated
  digest sha256:594851...3615 so prod runs the same build staging
  just validated. Digest change forces a re-pull regardless of
  imagePullPolicy: IfNotPresent.

Apply note: existing in-cluster litellm-secret in litellm namespace
must be annotated sealedsecrets.bitnami.com/managed=true once so the
controller can adopt it on first reconcile.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: felixboelter

overlays/prod/kustomization.yaml

@@ -7,15 +7,17 @@ resources:
   - ../../base
   - ../../models
   - ingress.yaml
+  - sealed-secrets/litellm-secret.yaml
 
 patches:
   - path: patches/litellm-prod.yaml
   - path: patches/nginx-prod-service.yaml
+  - path: patches/litellm-prod-authentik-sso.yaml
 
 replicas:
   - name: litellm-proxy
     count: 1
 
 images:
-  - name: ghcr.io/aihpi/litellm
-    newTag: aihpi-provider
+  - name: ghcr.io/aihpi/tool-litellm
+    digest: sha256:594851f36bd27511f8d2607d56bf93e86072b77d8e97f713c44c179932dd3615

overlays/prod/patches/litellm-prod-authentik-sso.yaml

@@ -0,0 +1,31 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: litellm-proxy
+spec:
+  template:
+    spec:
+      containers:
+        - name: litellm
+          env:
+            - name: AUTHENTIK_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: litellm-secret
+                  key: AUTHENTIK_CLIENT_ID
+            - name: AUTHENTIK_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: litellm-secret
+                  key: AUTHENTIK_CLIENT_SECRET
+            - name: AUTHENTIK_ISSUER
+              valueFrom:
+                secretKeyRef:
+                  name: litellm-secret
+                  key: AUTHENTIK_ISSUER
+            - name: AUTHENTIK_ADMIN_GROUP
+              value: SCI-ADMINS
+            - name: AUTHENTIK_GROUPS_ATTRIBUTE
+              value: groups
+            - name: PROXY_BASE_URL
+              value: https://api.aisc.hpi.de

overlays/prod/sealed-secrets/litellm-secret.yaml

@@ -0,0 +1,22 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: litellm-secret
+  namespace: litellm
+spec:
+  encryptedData:
+    AUTHENTIK_CLIENT_ID: AgAd0J5fV0dCat/J8kY+pOaT1zF0xpVjalZQIieGT7GihkAle7hPchzTUhYQeVjz6TSe4DobsLMiXwEXdgfwTNPa4NprWBg4DYwKJT+D4LgK28cXUeNsDwTLKidl9G1OCGSSAc+fFxmwYIjtXded2UCw0+kpyaRxubf6he2D+4uBK8vNVWzvpSzyKdvbNQHSD4KAv5TBsldbIMB4AiZfjFyFQo+hUdAI2PHywJmgczNa5CRMQwV/V4YnaS7jyjTV3yS82gvcKnfCDdYSb/swjMep3T0sqoIlrxSCR3M4FgCdc+Ld+q3kUUzW6HC5mp3q8umeoPHx/0QojhUIC3JgK6vlxz+GhrPFWc3Nj3QX8gwE4sKoeX++6vXzlD2UND1lyw17mvmXFVqWZI0Lnna7UCYUCjFbbQx1mPp1nIM8AOhSXNqIPxh5IGULPqTxNd3F64pijBzJ6tv+4mNwfVqW0lWfN7OXiPQEJmPbuFEhxZrx3dBh90881r1EE34xtLQHJFdx/Njt0tnwf4AcEv9DzRQhJftP3x+TiU6bbYGuvjnAVBVx/OZyNq1GfQgNz1TzkEnchYLUF0kp0C7epIw4PK6+8wAAnv4p8Uk7TExr01BCYMNml2qFNjgHeZEfCs5S+5PUkCEgvOyyvayc/gMZQD4g6tZQjZU5i1moBLOgp75iLbwT0WetXHt52Nl1zU4g9zepJZ8D8K3Y0K9IU+gxK7ckE2dfXPxA/kX1jiXxGyh1vPMekkBIuKa2
+    AUTHENTIK_CLIENT_SECRET: AgCuwMY1Q6p1JUIFG/mZfEJQAC70lDs3UZb0vW+rNZPuVzdUJuVnem6/4t/amFJzHFJ+TQynsjID87BwyIV+GAhVLxgH5D/kLz0gb57h5Zh/HCEeOzfZmd70DOjqFf8VAHXPGpkHPyICrPOUYCVoE20Fi26OX4mdlpB+kRKKrL8inIQYCRNLFz6Xej+ciPzcR3NqICTr72mDrjJgzYCUlLdO1WahUFFgJuyIivH4+zdP8jn5InbZnA3vV1Y+H6my0oF2FWueU7AMm8EcGv8c9OpwJ6uiPdRq9bibFZlkBUcewL57IZaJoVU8qG2lJZh1SLhYI6E3JJO+ZKgpdN32Mf5O3DfBDnKVTkOGgeToFCHkirLoYnVsPqMBoOIHIkveuwseQBYIypVHg3Bfvkx1JdcN5m6nErqpahwVWq0UfEMV70/awZx94vzw3t4RB8lBmc17A4OtE74O4g+R4+sIMhtqxxbrxJjyN0JrCbxI6MnRAVnwIT11lSe7H1AYMbK24AWoBUmO62M1HrDFCuW8BdHSsRhWwnkU3z/sonFyUjt9jhI6fd2f2kYKzX+g1cMb31QRZB7KJ/r+Aj74e9qL+6mt36VwccAA+rtTDNdnRwxb8BayhtAWtwS5q4WGkMx71S5YG6CdsSY06QlwxENxYfew20/ez9n3AadAomJ5/vEfTJunsQbXncpngdQOozK0M1xZsfYBoxDlmdCk+djrVl2TkT/jwqunAPsjNSfecNj0ZWn5CssQFfb7VVH1eZUbNZ9XeqD8R2FhrtggCy0XI2lvi9VLdVq2Una2h3LjuFHjbw23PcipTcXzXLXGLRLKi3ePrpBFY0ruwAIr2mwy8Hb0NSFOp5qZEjDMRlE+E72TLA==
+    AUTHENTIK_ISSUER: AgBhJJm15DIrtshb0+3g/SdidfTIXUjnswIMJqF5WS2OXAth3Y3Apdw+7EFfKXFAj66wRrmzLAHSvQB30cP+Noc3XRvzNNooCNK4mxgaTYwN8KpS0QN0OH3wrhuP2Ji8dahSj9FAHSYEcWZnzKxzE74CukWxJiu3tg+BeoALiNKSJP0CtJHQFGT9yuUZrEc/a+s6ANjPPLBvda3OJcVbqF/ny24+4uB2Oa+Zo1QCOXPqpCn0bRqHEBkvh+SiEZkD6aEmWVT5aAfCF5KzmVlh9Y0eY9gdWOywKleULTmZ9vyW2b0V4r0vZwuc66M4SEzAtJ7f/jMZ7/JQaJWi7m/XCgG/fTw5iT29Joph8GRjpAvdYKFica9YB44pbqURyIlxms3+kUZr3u9G9udpuDTR4QWeSBHwXC/d5WfK97UbfnY+kCS+Q5RrQCLctZ+vxLjSAqcR1iHRWmDRftnit0wLC5inC+taTjXOO9lkbhurH3F62LlD7qnEhct2ewOpeSktjGuwf1jhqz5sIktoMG9EVK0A06L9qlGacWYIRQJgGZgwDibNP5l0UVp7Brzpi0+w+n/CQrFT02faW6Y4ZF98AZS4O4XGO1rATlIxZsB7YHio+F8c7c8nMOOXQrMfSDH6odQmWxrm12oWGERH9yBREjew9Qqr0Ken8W6xQ7fHQN2rRS71l3G567/vQ7ez1hgyXdkimi8GMYD/aABiIzBSIdAkzdrdloJAy+akcK2AezIvQI+RjWau6/tKcKTmOKVp6/CJ/kU=
+    DATABASE_URL: AgA79I23r2ZAXbjSBaES5edyHKN79t3FIOa60R+sGDhPIBKfTrfEq1yV4CUjrAeZ8BrdR1yRDAsdV+u7kjx7BMsgJerXNhl+32CiN6DXIkcZBnLcdIrXJ2lMIa5hI+v5iv/PRqPv4B5IxtDTKQCys9D1OyxCuwSCo5gPfGUYEKRfq9vIxAQi9mMH4+fdvynQ95LUOP0bZ1ECZLUvwK5Sr0r5Bzsg42NslRuEvyrhnF+fzFpibGqbDc4zVzMmXWA5BuTC9LaIkgYwaSYYbBY5Z4MzvWoyVKqgM/UV+DzRHmwiu3EpskG4Z3aj9KuUKtUbrTpQ9xp/FziXGgnJ0ZdONVA3p2V1xJk3RdS1GWitB5ecm0785vPlQCJq4D7YJzEhkH7YpRb4tTWeXsuUZAXIjdYNFWQRWMP4/H7pQRq6s9GgLAnKTpiPFGwteIaepAASTRvIGRnI2S2LwIPh8CixOc1jZXXAEGbCkiICEwPtI7HqmugdNB9xkd0F349s426I2afnLuOYQH8QBaoZbATi1UUMGeEsTWERGA8ABoHYXynqxPw74bawZFwN4oonyoSJJJxz/G0kGZj0YmnqUej7pw5shoIu0b0ez3FKG08wGWpXMiKS4WP1ei7wcHJeKMndb/TcWBq2qmH/iojSkxK7HOH+KCeI8IQFHvuoLF6SP4XnPxRmSTsywwJSd9ukcJE4/uESvPJwALcK6B2NW1zfvpc/wbB4/rZUhCRkvAeoWymuh6VhjlGtVA/OsOrtRgS03Ai2sL0gvOtZaU03k4zwD2ONTDE6yDz+BWE3MCn9u2848001mZQH1Qh/ipan176nYCSz0cM=
+    HF_TOKEN: AgCqcMHlVwWB3RNJU9tkY+6hPwRsojrIuj6AA/b9cpPnD4fJW8A+ZntepvNUbIm/vppbzZHdTjHSfCQaEJ5sYlyzH82las1yCx5jOSe+/l703Yl/XxraeGStabY1c+0gj91TosE5xJR6D1k1IOThvfoUG7XBoNHL+djeoZpOA6W6r3FBp2+B2WIylLM02fE14o5raxlLJ+xeRGeRCTgl3LsdoFNI9E9cWaqgNsKF6h/Kq2ZZ9RvpWinMsIW5foD2GYkbkq/bA1mWy44M82e1bFQWaoZfj/f4k3l6c5xX6nSHvhxzOpWRiZ9FOEZ5hSHWvM3OqM4Ku2phmLwTifNCToWzoT2GlGpxx0+HonQvnm2HCEGatHAlsc28Kv3l0Cf74zkFTKjjcQzJsetavYY5oivwEH1MYx6R0yNNYXSmgzDi55kGpH8FZ7tDW1NefRjGTOgaWYrPK0kpLID8MTfJYHA8l7GgHDgauvdi1FBB2PX/ZK6NJGDuWYwy6ZD5JFFKjQ9YMLjUT6q9Ks7Gp6pNWT9/FH2gXjiN1l84yX3+SjbVJoJV6FnNgQa3lMmk6/zvrMWjlOu1B/dMy70sLpZ27PquPEQWtcx8KD8cToXBI3gQQ1GhkQG/VopC71LOgPueZ8hyzy64opGZ1/hlUKuasuFL3xIt543c1+9Gk5m0UNvZpfJfEj2CH7zDXNgoETsjlkVvEKCIp+bVJYC2N78nilFA0y1+p6luR5wBmpONelvyWTU30KCc
+    LITELLM_MASTER_KEY: AgBb5paZoQydhYs+BCz6VNsQVdeY2CONkUIW8Kwtli0RRuaIx2T0Os6ijIT9tZ2SPtlskiEXeikoYcR4pScJ5tiyzOZQmsowtsT39p6O/QEMtywQ5GYYWtnH9x4eveEhL8jkV8m65fm0LCyj9FRj0PeYBq2UiOJRMgHogUelduf5bmLkPJaeLIDzeFmCbkp/BR/tHeUnq0O7KJlJZAdJoa0ldadeENpufvsZIaH+3LWzNILMDXv77IZnLF5JN+SwNMqEwYfnlaUBr3q13BjKMvq4tYPylvADjfWSo+DJCacyYFyeVpiHFWzzgYgZTP7Kqn9j7C4wZB/KORgNt2hT95FFZrn5UoPB95S4Fgsa8VbtHYSFm2PIzKIWCtbnUOsHkGgTHkMsIGkyPQdtwJHo7NP0Z6PVf5jXU+rN2zWtRLQd/uylfUmhv//ekQK3VlHFfJ5rSbdRClaXbcV/zUfSSonsuxPNsMS1kuHLHltBBcZfwg2eJvtS2qIriXz/nWPgZNJBqUrJobNUGVIKT0iJ1YvechJ3QWQPg5JE7cxkpBG8GOSwC2SUNCI56h/Yz74MAf/oB1+iOiaSllsvztM7RfTZAVGB5HPAe1D5mNoh6FHUyKNQUzr3ceLgmt8NYsbZcaUc7QCqmREz8xPeMLyv+lhaebnaZfRFClm9sirQqG0kfp7wbXt4yM2xF5OJJ5uNUaRFdCyDqGa6hSFUjQEqxdOpF7WYLYVwFjXwMdga0Spp0hhxNdW8XOWgIaCHF8W4ZizIJs0=
+    POSTGRES_PASSWORD: AgAd00CymDRVWnDnKEkQ/P8MKMpn41zV6NOlRPe3IRwYmzqwlB8kf905ve86QvwzsadW7/YFYlFYNavKhguV06SOS127lz5qIKiFOUk7nORy3z9/lUx8MjkbOJk027Jhd04VudAznuZVseoFwPORZ8FM0MK06Yh7rI7QHjvwUwi2LUi2AbU8WF1OskTStcYuX5FcnBc+PA1y2dC9hX54FgfS8N8ueIxr9rNGg56Z8hwxop06bxwCprsS4JwRluAVmmQ7B9+BnwTdAHIxn7wU/QOJWR4xfmckLzjv8cyRNHODfChJNM1uAHFSZi7pZRHAiu6FwTIXznKRlLS/m7S1qgfxFmO/8XKAJydnKzdDrZAPmHVM2tuHGNgrnQ/DCr0Gd+PH+R0s3alL13GOwHGgzJAFdiIgPRUjBKAuU2BW7e4dytu0DCzUbnUVy6L0EzeiXGGp/uMLWRNt5QCITC+IMo1VBzktK7YSBeaSvVdCBOwiFw25BAen1/BUj+6G6ppMM3393GJ7/8VAcvX/B5BfI5uhEr684fpSAgsRJLb/6jOV2ajk3u9ogvuefrytsMlylPP+SlyRWFY+4I3XqbH4bhmg7l7rDPdn9PsRoXmgPhqLZP0PPkQUld5OWicEylBgPvZ1yRK32Kb+PGXXS53AigJDPAjahBcgHvwef1slyZgwocv8AhNXzXvZoB/JsMa33Z6fnXWYrUfLJZjLGxf49zJzG4cGsznj1odNonvplSoMqVsi2n/XrhCzUbLNA9dYVz4=
+    UI_PASSWORD: AgCScNo20YiY3CDIzKuCbFF+Yd9Aju5dgN8H3rtKdfZzGS52GirzJwLx6kpuZ8HXY+2qpchwTMVxovSBZp5SfGY+VhcViyWrkS6zyp3WmreeFiXvPsXbsr7R90LmBgYsOmg2o5FyOpP7L/p4hgPtnbtb9xqi2rdCFj8ooY7E1ificgdd20WcmYQT78iS93xsCAmF+agLq6abvlXjPLXCMQFj+/3INQwu5AwG52aHyjNAKntqZXzgZvGZ9owI/ktFWdhYhAF+UmH4k9UvEq/mNr8DhNmZCrYB9f6YVMlQoAbaPLFQHgTpebEYe4g0zULMu87ATFkSxjppZrYP4wRO+BWBXsEVcDoAU6EJDvnXHFUMbuaqDEppAytH1MDm0GmCXdcaNbNMJ6g2PUN/ib4xALF+FIdv8A7a3e+TOes2VmBCslM6gPWvjumdAG1VMpt9aqEHZhIcJFW66JmtvEMp1iN8emyAdYcZzgyaoNFV5BAwZahBQBfv6Wh2uoJBx4CN0z2PHJpVsUtDLI59VsvGhk82lhiMAiCfnb4FTNXo0fyMZ78+XZE4FFGPmtC4JJ3g29zDoxYJW0JNL1WQUiCL8/3Ucj/zNGCzqLRcgBS1hoUAu0RCULsvXrIDUHCnP6Qa5bqJOHzj1xC0cFcXqvt3piyuN4tqdd9VVogFbTANmxoOhNHE8tM3CQ1c6sA/B9UFG2h8NPjyyj+v5LIrLbdcX8zGqplCfl7HxnVRen+NmKf9NA==
+    UI_USERNAME: AgCt9c7FD+Epj2h0ljS7ilFuFom+o/njpKuYV5/VdJvOra11weDuc6F8G4n0WSPotSVDS0BvprDsiJ4UQ3GYdW4O3uVK0MQNdk3WjsXXKWGn9BG+LmEva8fDdgg84fpBZETE78pBtvLwBBm0UJLXayM08El+emK8Unw2Iq0VaNhsXtqC1Wr4iTQwkkEdnPIA1MshnuQRLvIa9CWNuB90Ax1SRM8jMqsHtNlIj6JEHhW39GbalriKJ5EOqj0+0ofka3DG+R5xIm/T2v4VDdzH/kdExImpsHoXAHdlfeiprXxEKrN7WxnsNJtNglfY/lGzPrA4NzCGESL61K69+ujhyAOtHvNYTGlKS/2K+HxStRr9r0deB15EGFt9nneEtO1syd94lcdARctm4a1HHx5ofwh9CF8qgXNCvWTDmoCqzCD9Q5fSGDZhORpmI12uyZd2ZeawODz26QL9shVh+tqE8dz7NykI+b46YQtRTaKxo0NGfWqF0EddceqN6Yg7+X2i1qzGHwbNMZsLb9LzXrzCglEnr2C6jS6D0IAJIwzlHe4JJ1H1nzm1Cexo2JfbIEL5lIkPdrXNFZiEz2nTWHuOJOdcrH9yTFV4SUd4nyFteEpOVxa25o4yssZ+HpUaxlt5RAO/+VPewA9rIO1GPqUfrinfooWmw5zRugx0y037oev8BVFC7sbf0/V83fOqXOnh3u3zFeMEQw==
+  template:
+    metadata:
+      name: litellm-secret
+      namespace: litellm
+    type: Opaque