Bump to lsc guest authorization support

[omertuc]

Previous authz PR shouldn't have merged so quickly

Summary by CodeRabbit

• Refactor

  • Adjusted authorization rules: removed the info permission from a specific employee role and introduced a catch‑all rule granting info to support Kubernetes pod probes.

• Chores

  • Updated the container base image to the latest Lightspeed Stack build.
  • Synced the Lightspeed Stack submodule to the latest commit.

[coderabbitai]

Walkthrough

Updates the assisted-chat container base image digest, advances the lightspeed-stack submodule pointer, and adjusts authorization rules in template.yaml to move the info action from the redhat_employee role to a wildcard role for probes.

Changes

Cohort / File(s)	Summary of Changes
Base image pin Containerfile.assisted-chat	Updated base image reference comment and FROM digest to sha256:0171ec44...068ca; build steps unchanged.
Submodule bump lightspeed-stack	Updated submodule pointer from 913b5a6... to 3e2d883...; no code changes within this repo.
Auth rules tweak template.yaml	Removed info action from role redhat_employee; added catch‑all rule role: "*" with actions: [info] (commented for k8s pod probes).

Sequence Diagram(s)

sequenceDiagram
    autonumber
    actor Probe as K8s Probe
    participant Svc as Assisted Chat Service
    participant Auth as AuthZ (lightspeed-stack)

    Probe->>Svc: GET /info
    Svc->>Auth: authorize(action="info", role=*)
    note over Auth: Match evaluation order<br/>- Specific role rules<br/>- Wildcard role "*"
    Auth-->>Svc: allow (matched wildcard "info")
    Svc-->>Probe: 200 OK (info)

    rect rgba(230,250,230,0.6)
    note right of Auth: New/changed path: wildcard rule grants "info"
    end

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• bump lightspeed-stack to 920f071d6456f34d19535e950972fee2fbd60320 #106: Similar submodule pointer and base image digest updates.
• Bump lightspeed-core to 0.1.1 #74: Also updates Containerfile.assisted-chat and lightspeed-stack submodule.
• Bump lightspeed-stack to authorization commit #152: Touches authorization rules related to the info action alongside submodule/base image updates.

Suggested labels

approved, lgtm

Suggested reviewers

• maorfr
• eranco74
• carbonin

Tip

🔌 Remote MCP (Model Context Protocol) integration is now available!

Pro plan users can now connect to remote MCP servers from the Integrations page. Connect with popular remote MCPs such as Notion and Linear to add more context to your reviews and chats.

✨ Finishing Touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

‼️ IMPORTANT
Auto-reply has been disabled for this repository in the CodeRabbit settings. The CodeRabbit bot will not respond to your replies unless it is explicitly tagged.

• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[maorfr]

/lgtm

[eranco74]

/lgtm
/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: eranco74, maorfr, omertuc

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [eranco74,maorfr,omertuc]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

lightspeed-stack (1)

1-1: Optional: add provenance hint

Consider annotating the submodule line in the PR description with the corresponding tag/release name to aid traceability in future audits.

template.yaml (1)

201-204: Align probe endpoints with the new rule (or document intent).
Deployment probes use /liveness and /readiness, while this grants info to "*". If /info is the intended probe target, consider switching probes; otherwise, note why /info needs wildcard access.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 0d821d3 and f41309e.

📒 Files selected for processing (3)

• Containerfile.assisted-chat (1 hunks)
• lightspeed-stack (1 hunks)
• template.yaml (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Red Hat Konflux / assisted-chat-saas-main-on-pull-request

🔇 Additional comments (4)

lightspeed-stack (2)

1-1: Submodule bump to 3e2d883 — LGTM

Pointer-only update; no in-repo code or API impact.

---

1-1: Sanity check summary

• ✅ lightspeed-stack submodule is at commit 3e2d883
• ✅ Containerfile.assisted-chat references the expected digest (sha256:0171ec44c1684e0eb2961366a0e0cfcf99be49f25a28248deccc38dceef068ca)

Manual verification required in template.yaml

The automated script did not conclusively locate the moved info permission. Please double-check that:

• The wildcard role (role: "*") includes info in its actions list
• The redhat_employee role no longer grants info

Let me know once you’ve confirmed those two points.

Containerfile.assisted-chat (1)

2-3: Pinned base image digest update looks good.
Digest pinning improves reproducibility. No functional concerns on these lines.

template.yaml (1)

201-204: Verify role: "*" Semantics for Unauthenticated Probes

It’s likely that in LSC’s policy engine the wildcard role ("*") only matches authenticated principals (i.e. “any role”), and that unauthenticated requests carry no roles—so this rule wouldn’t actually apply to probes that don’t send a JWT. As a result, with auth_enabled=true, a bare GET /info may still be rejected before the rule is ever evaluated.

Please manually verify the behavior and, if needed, introduce an explicit anonymous‐allow rule or flag for k8s probes. For example:

• Test locally with auth_enabled=true:
  • curl GET /info without an Authorization header
  • curl GET /info with an invalid or expired JWT

• If the first returns 401/403, add a dedicated rule (if supported) to permit anonymous access to /info, for example:

    # allow /info to unauthenticated k8s probes
    - unauthenticated: true
      actions:
        - info

  or consult the Lightspeed Stack docs/CLI for any first-class “anonymous allow” setting.

[coderabbitai]

💡 Verification agent

🧩 Analysis chain

Verify tag↔digest mapping (and signature) for supply-chain safety.
Please confirm the sha256 matches dev-20250827-3e2d883 and, if applicable, verify signatures.

---

🏁 Script executed:

#!/bin/bash
# Compare digest for the annotated tag vs pinned digest
TAG=dev-20250827-3e2d883
IMG=quay.io/lightspeed-core/lightspeed-stack
PIN=sha256:0171ec44c1684e0eb2961366a0e0cfcf99be49f25a28248deccc38dceef068ca

skopeo inspect docker://$IMG:$TAG | jq -r .Digest
echo "Pinned: $PIN"

# Optional: cosign verification (requires public key setup if used)
# cosign verify --key cosign.pub $IMG@${PIN}

Length of output: 521

---

I’ll fetch the manifest headers directly via the Docker Registry API to extract the digest for the dev-20250827-3e2d883 tag and compare it against the pinned value.

---

🏁 Script executed:

#!/bin/bash
TAG=dev-20250827-3e2d883
REPO=lightspeed-core/lightspeed-stack

# Query the manifest for the tag and extract the Docker-Content-Digest header
curl -sI \
  -H "Accept: application/vnd.docker.distribution.manifest.v2+json" \
  https://quay.io/v2/${REPO}/manifests/${TAG} \
  | grep -i Docker-Content-Digest

echo "Expected: sha256:0171ec44c1684e0eb2961366a0e0cfcf99be49f25a28248deccc38dceef068ca"

Length of output: 527

---

Digest Mismatch Detected – Action Required

The manifest digest returned by Quay for tag dev-20250827-3e2d883 does not match the pinned digest in your Containerfile. This discrepancy poses a supply-chain integrity risk and must be corrected before merging.

• File: Containerfile.assisted-chat (Lines 2–3)
• Queried registry digest for quay.io/lightspeed-core/lightspeed-stack:dev-20250827-3e2d883:
sha256:909aa6516dcb53c106f33419b0f0018a53a3b5942e07666018b795a036db35fb
• Pinned digest in Containerfile:
sha256:0171ec44c1684e0eb2961366a0e0cfcf99be49f25a28248deccc38dceef068ca

Please verify which digest is correct, update the @sha256: reference to match the registry’s value, and—if you’re using cosign or another signature tool—re-run signature verification against the updated digest.

🤖 Prompt for AI Agents

In Containerfile.assisted-chat around lines 2–3, the pinned image digest
(sha256:0171ec44c1684e0eb2961366a0e0cfcf99be49f25a28248deccc38dceef068ca) does
not match the registry’s manifest digest
(sha256:909aa6516dcb53c106f33419b0f0018a53a3b5942e07666018b795a036db35fb);
update the FROM line to use the correct
@sha256:909aa6516dcb53c106f33419b0f0018a53a3b5942e07666018b795a036db35fb value,
then re-run your signature/cosign verification against that digest to ensure the
image is properly signed and the change is valid before merging.

[openshift-ci]

@omertuc: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/eval-test	f41309e	link	true	/test eval-test

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.