Retire env-var codex auth path from LiteLLM pod (ADR-014 Phase A)#374

Merged: samxu01 merged 1 commit into `main` from `chore/codex-env-cleanup-phase-a` on May 15, 2026

Conversation

@samxu01 (Contributor) commented May 15, 2026

Summary

  • Drop the env-var-fed codex auth fallback from the LiteLLM pod. Per ADR-014, ChatGPT OAuth is cluster-IP-bound and those tokens 401 `token_invalidated` on first cluster use — they've been dead since the codex-cli sidecar landed in PR #365 (feat(litellm): in-pod codex device-auth for cluster-bound sessions).
  • Rotator's `get_candidates()` now reads only pod-side `/chatgpt-auth/auth-N.json` (cluster-bound device-auth via `/scripts/auth-login.sh`).
  • `codex-auth-seed` init container rewritten to seed `auth.json` from the same pod-side files before LiteLLM boots, avoiding a startup race with the rotator sidecar.
  • All `OPENAI_CODEX_ACCESS_TOKEN[_2|_3]` / `_REFRESH_TOKEN[_2|_3]` / `_ID_TOKEN[_3]` env refs removed from rotator + main + init containers. `OPENAI_CODEX_CLIENT_ID` retained (used by rotator's OAuth refresh).
  • Net: −212 lines.

Phase B (deferred, filed as issues)

Test plan

  • `helm template` renders cleanly
  • Deploy Dev: confirm LiteLLM pod boots and `auth.json` is seeded by init container from `auth-1.json` or `auth-2.json`
  • Confirm cody + nova + pixel keep replying post-deploy
  • Rotator log shows `[rotator] active account-N (expires …)` on 30-min tick

🤖 Generated with Claude Code

Pod-side device-auth via the codex-cli sidecar (ADR-014) is the live
auth source for ChatGPT/Codex. The env-var-fed path (laptop-device-auth
tokens uploaded to GCP SM → secret → env var) is dead-on-arrival under
cluster-IP-bound OAuth — those tokens 401 token_invalidated on first
cluster use regardless of JWT exp.

- codex-auth-rotator: drop env-var fallback branch in get_candidates;
  pod-side /chatgpt-auth/auth-N.json is the only source. Drop unused
  OPENAI_CODEX_*_{1,2,3} env vars (only CLIENT_ID remains for OAuth
  refresh).
- codex-auth-seed init: replace 150-line env-var seeder with a 40-line
  pod-side seeder so LiteLLM has auth.json ready before boot (avoids
  startup race with rotator sidecar). Drops all OPENAI_CODEX_* env vars
  from init container too.
- LiteLLM main container: drop unused OPENAI_CODEX_ACCESS_TOKEN[_2|_3]
  env vars; litellm-config no longer references them.

Net: 212 lines of legacy auth code gone.

Phase B follow-ups (#371-#373) cover clawdbot env vars, the daily refresh
job, and the presets.ts audit.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

@samxu01 merged commit 360d275 into main on May 15, 2026
9 of 10 checks passed
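
The pod-side-only candidate selection and pre-boot seeding described in this PR, as an added sketch that is not the project's code. Assumptions: each `auth-N.json` stores the access token at `tokens.access_token`; `jwt_exp` and `seed_auth_json` are hypothetical names; `get_candidates` borrows the name from the PR but not its implementation.

```python
import base64, json, os, tempfile, time
from pathlib import Path

def jwt_exp(token):
    """Read the exp claim of a JWT without verifying it; None if unparsable."""
    try:
        payload = token.split(".")[1]
        payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
        return int(json.loads(base64.urlsafe_b64decode(payload))["exp"])
    except (IndexError, ValueError, KeyError, TypeError, AttributeError):
        return None

def get_candidates(auth_dir, now=None):
    """Pod-side auth-N.json files with an unexpired token, latest expiry first."""
    now = time.time() if now is None else now
    found = []
    for path in sorted(Path(auth_dir).glob("auth-[0-9]*.json")):
        try:
            # Assumed layout: {"tokens": {"access_token": "<jwt>"}}
            token = json.loads(path.read_text())["tokens"]["access_token"]
        except (OSError, ValueError, KeyError, TypeError):
            continue  # malformed file: skip it; there is no env-var fallback
        exp = jwt_exp(token)
        # exp is only a local freshness filter; the server can still reject
        # a token with a future exp (the 401 token_invalidated case above).
        if exp is not None and exp > now:
            found.append((exp, path))
    return [p for _, p in sorted(found, reverse=True)]

def seed_auth_json(auth_dir, dest, now=None):
    """Copy the best candidate to dest atomically; return its path or None."""
    candidates = get_candidates(auth_dir, now)
    if not candidates:
        return None
    # mkstemp creates the file 0600 in the destination directory, so the
    # rename is atomic and a reader never sees a half-written auth.json.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(dest) or ".")
    with os.fdopen(fd, "wb") as fh:
        fh.write(candidates[0].read_bytes())
    os.replace(tmp, dest)
    return candidates[0]

if __name__ == "__main__":
    import sys
    chosen = seed_auth_json(sys.argv[1], sys.argv[2])
    print(f"seeded from {chosen}" if chosen else "no usable auth-N.json found")
    sys.exit(0 if chosen else 1)
```

Exiting non-zero when no candidate exists makes an init container fail visibly instead of letting the main container start without credentials.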