This platform includes:
- Keycloak for SSO authentication
- APISIX for API gateway and proxy
- AI Proxy supporting multiple LLM providers
- ViolentUTF Python application with Streamlit
- Docker Desktop - Required for Keycloak and APISIX containers
- Python 3.9+ - Required for the ViolentUTF application
- Available Ports: 8080 (Keycloak), 9080 (APISIX), 9180 (APISIX Admin), 9001 (APISIX Dashboard), 8501 (Streamlit)
- This script uses winget for installing Python. If you prefer Chocolatey or any other package manager, replace that portion accordingly.
py --versionis the recommended approach on Windows to use the Python launcher.- After Python is installed via winget, you may need to open a new terminal or rerun the script to ensure the Python path is recognized.
- Docker Desktop for Mac must be installed and running
- Python 3.9+ must be installed before running the script
- Homebrew (optional but recommended):
brew install python3 - Make the script executable:
chmod +x setup_macos.sh- This example script is tailored to Debian/Ubuntu using apt-get.
- For Fedora, CentOS, Arch, or other distros, replace the package manager commands as appropriate (dnf, yum, pacman, etc.).
- If your distribution's python3 is older than 3.9, you may need an additional repository (e.g., ppa:deadsnakes/ppa for Ubuntu) or compile from source.
- Make the script executable before running it:
chmod +x setup_linux.sh- OpenAI (GPT-4, GPT-3.5-turbo, GPT-4-turbo)
- Anthropic (Claude-3 Opus, Sonnet, Haiku)
- Ollama (Local LLMs: llama2, codellama, mistral, llama3)
- Open WebUI (Web interface for local LLMs)
The script creates ai-tokens.env with the following structure:
# OpenAI Configuration
OPENAI_ENABLED=false
OPENAI_API_KEY=your_openai_api_key_here
# Anthropic Configuration
ANTHROPIC_ENABLED=false
ANTHROPIC_API_KEY=your_anthropic_api_key_here
# Ollama Configuration (local, no API key needed)
OLLAMA_ENABLED=true
OLLAMA_ENDPOINT=http://localhost:11434/v1/chat/completions
# Open WebUI Configuration
OPEN_WEBUI_ENABLED=false
OPEN_WEBUI_ENDPOINT=http://localhost:3000/ollama/v1/chat/completions
OPEN_WEBUI_API_KEY=your_open_webui_api_key_hereImportant: Edit this file with your actual API keys before running the script for full AI functionality.
./setup_macos.sh./setup_macos.sh --cleanupThis removes all containers, volumes, and configuration files while preserving:
- Python virtual environment
- AI tokens configuration file
- Template files
After successful setup, you can access:
- URL: http://localhost:8080
- Username: admin
- Password: admin
- Main URL: http://localhost:9080
- Admin API: http://localhost:9180
- Dashboard: http://localhost:9001
Base URL: http://localhost:9080/ai/
OpenAI routes:
/ai/openai/gpt4→ GPT-4/ai/openai/gpt35→ GPT-3.5-turbo/ai/openai/gpt4-turbo→ GPT-4-turbo
Anthropic routes:
/ai/anthropic/opus→ Claude-3 Opus/ai/anthropic/sonnet→ Claude-3 Sonnet/ai/anthropic/haiku→ Claude-3 Haiku
Ollama routes:
/ai/ollama/llama2→ Llama2/ai/ollama/codellama→ CodeLlama/ai/ollama/mistral→ Mistral/ai/ollama/llama3→ Llama3
The AI Gateway uses API key authentication for secure access. Each setup run generates a unique 32-character API key.
Key Features:
- ✅ Dynamic generation: New secure key generated on each setup run
- ✅ Environment integration: Automatically saved to
violentutf/.env - ✅ Zero configuration: No manual setup required
Usage: Include the API key in the apikey header:
curl -X POST http://localhost:9080/ai/openai/gpt4 \
-H "apikey: YOUR_GENERATED_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"messages": [
{"role": "user", "content": "Hello!"}
]
}'Finding Your API Key:
- Displayed in setup output as "ViolentUTF AI Gateway API Key"
- Stored in
violentutf/.envasVIOLENTUTF_API_KEY - Used automatically by the Streamlit application
project/
├── setup_macos.sh # Main setup script
├── ai-tokens.env # AI provider configuration
├── keycloak/
│ ├── docker-compose.yml # Keycloak containers
│ ├── env.sample # Environment template
│ ├── .env # Generated environment (secure)
│ └── realm-export.json # Keycloak realm configuration
├── apisix/
│ ├── docker-compose.yml # APISIX containers
│ └── conf/
│ ├── config.yaml.template # APISIX config template
│ ├── dashboard.yaml.template # Dashboard config template
│ ├── config.yaml # Generated config (secure)
│ └── dashboard.yaml # Generated config (secure)
├── violentutf/
│ ├── Home.py # Main Streamlit application
│ ├── requirements.txt # Python dependencies
│ ├── env.sample # Environment template
│ ├── .env # Generated environment (secure)
│ └── .streamlit/
│ ├── secrets.toml.sample # Secrets template
│ └── secrets.toml # Generated secrets (secure)
└── .vitutf/ # Python virtual environment
The script automatically generates secure random values for:
- Keycloak database passwords
- Keycloak client secrets
- APISIX admin API keys
- APISIX dashboard credentials
- ViolentUTF AI Gateway API key (32-character secure string)
- Application secrets
Important: These are displayed at the end of setup. Save them securely!
- All services communicate via a shared Docker network (
vutf-network) - APISIX acts as a reverse proxy for enhanced security
- Keycloak provides SSO authentication
- Docker not running: Ensure Docker Desktop is started
- Port conflicts: Check if ports 8080, 9080, 9180, 9001, 8501 are available
- Python version: Ensure Python 3.9+ is installed
- Permission errors: Make sure script is executable (
chmod +x setup_macos.sh)
This typically indicates an API key authentication problem:
Solution 1: Restart Streamlit Application
# Stop current Streamlit app (Ctrl+C)
cd violentutf
streamlit run Home.pySolution 2: Verify API Key
# Check if API key exists in environment file
cat violentutf/.env | grep VIOLENTUTF_API_KEY
# Test API key manually
curl -H "apikey: YOUR_API_KEY" -H "Content-Type: application/json" \
-X POST http://localhost:9080/ai/openai/gpt4 \
-d '{"messages":[{"role":"user","content":"test"}]}'Solution 3: Regenerate API Key
# Run setup again to generate new API key
./setup_macos.shIf the Streamlit app shows "Using fallback API key" in logs:
- Check file permissions:
ls -la violentutf/.env - Verify file content:
cat violentutf/.env | grep VIOLENTUTF_API_KEY - Restart application: The token manager loads environment on startup
The script includes comprehensive testing that checks:
- Docker container connectivity
- Service accessibility
- Network communication between containers
- Configuration file validity
- AI proxy functionality
- API key authentication for AI Gateway routes
View container logs:
# Keycloak logs
cd keycloak && docker-compose logs
# APISIX logs
cd apisix && docker-compose logs# Reset only Keycloak
cd keycloak && docker-compose down -v
# Reset only APISIX
cd apisix && docker-compose down -v
# Reset shared network
docker network rm vutf-networkTo add custom AI providers, edit the route creation functions in the setup script and add entries to the AI configuration file.
Additional APISIX plugins can be configured by editing apisix/conf/config.yaml.template before running setup.
For production use, consider:
- External databases for Keycloak
- Load balancing for APISIX
- Persistent storage for AI model caches
- SSL/TLS certificates for secure communication
Previous Version: Used OpenID Connect (OIDC) for AI Gateway authentication
- ❌ Complex JWT token flow
- ❌ Network connectivity issues between APISIX and Keycloak
- ❌ Bearer token management complexity
Current Version: Uses API key authentication
- ✅ Simple and reliable: Direct API key in header
- ✅ Dynamic generation: New key per setup run
- ✅ Automatic integration: No manual configuration
- ✅ Development-friendly: Easier debugging and testing
The migration to API key authentication was primarily driven by development and setup reliability concerns:
- Network Connectivity Issues: APISIX containers often failed to reach Keycloak's OIDC discovery endpoints during startup
- Container Dependencies: Complex service orchestration required careful timing of container starts
- Development Complexity: JWT token validation added debugging complexity for AI Gateway testing
- Setup Reliability: Docker network issues frequently broke OIDC flow in development environments
OIDC Advantages in Production:
- ✅ Token expiration: JWT tokens have built-in expiry for enhanced security
- ✅ Centralized authentication: Unified identity management across all services
- ✅ Audit capabilities: Comprehensive logging and user attribution
- ✅ Role-based access: Fine-grained permissions and scopes
- ✅ Standard compliance: Industry-standard OAuth 2.0/OIDC protocols
- ✅ Revocation: Ability to invalidate tokens immediately
API Key Limitations in Production:
- ❌ No expiration: Keys remain valid indefinitely unless manually rotated
- ❌ Limited attribution: Harder to track individual user actions
- ❌ Rotation complexity: Manual key management across services
- ❌ Security risk: Long-lived credentials increase exposure window
Production Migration Path:
# For production, configure OIDC by editing route creation functions
# Replace 'key-auth' plugin with 'openid-connect' in setup scripts
# Example OIDC configuration:
plugins:
openid-connect:
discovery: "http://keycloak:8080/auth/realms/your-realm/.well-known/openid_configuration"
client_id: "your-client-id"
client_secret: "your-client-secret"
scope: "openid profile"- Development: Current API key approach provides reliable setup experience
- Production: Plan migration to OIDC for enhanced security and compliance
- Existing users: Run
./setup_macos.shto migrate automatically - API consumers: Update to use
apikeyheader instead ofAuthorization: Bearer - No breaking changes: Streamlit application updated automatically
For issues specific to:
- Keycloak: Check Keycloak documentation
- APISIX: Check APISIX documentation
- AI Gateway Authentication: Follow troubleshooting guide above
- AI Provider Integration: Verify API keys in
ai-tokens.env - ViolentUTF: Check Python dependencies and Streamlit logs