From fe45b11d1094ed404476cab19832cd5767c67816 Mon Sep 17 00:00:00 2001 From: Omer Tuchfeld Date: Thu, 28 Aug 2025 09:49:55 +0200 Subject: [PATCH] Bump and other fixes - Bump lsc to dev-20250828-691c83e - Fix annoying local dev /etc/tls/ca-bundle.pem issue - Fix query.sh to use OCM token for model listing - Bring back authz - taken from https://github.com/rh-ecosystem-edge/assisted-chat/pull/160 --- Containerfile.assisted-chat | 4 ++-- assisted-chat-pod.yaml | 4 ++++ config/ca-bundle.pem | 0 lightspeed-stack | 2 +- scripts/query.sh | 2 +- template.yaml | 45 +++++++++++++++++++++++++++++++++++++ 6 files changed, 53 insertions(+), 4 deletions(-) create mode 100644 config/ca-bundle.pem
diff --git a/Containerfile.assisted-chat b/Containerfile.assisted-chat
index 7d35fcd..f4d185a 100644
--- a/Containerfile.assisted-chat
+++ b/Containerfile.assisted-chat
@@ -1,6 +1,6 @@
 # vim: set filetype=dockerfile
-# This is the digest of quay.io/lightspeed-core/lightspeed-stack:dev-20250827-3e2d883
-FROM quay.io/lightspeed-core/lightspeed-stack@sha256:0171ec44c1684e0eb2961366a0e0cfcf99be49f25a28248deccc38dceef068ca
+# This is the digest of quay.io/lightspeed-core/lightspeed-stack:dev-20250828-691c83e
+FROM quay.io/lightspeed-core/lightspeed-stack@sha256:f1ec2f3880b0da80279aee20abb1cb20d681b244c17133470bb9399a75bc423e
 USER 1001
diff --git a/assisted-chat-pod.yaml b/assisted-chat-pod.yaml
index 930d0aa..294ef56 100644
--- a/assisted-chat-pod.yaml
+++ b/assisted-chat-pod.yaml
@@ -38,6 +38,10 @@ spec:
 name: config
 subPath: vertex-credentials.json
 readOnly: true
+ - mountPath: /etc/tls/ca-bundle.pem
+ name: config
+ subPath: ca-bundle.pem
+ readOnly: true
 - name: assisted-service-mcp
 image: localhost/local-ai-chat-assisted-service-mcp:latest
 env:
diff --git a/config/ca-bundle.pem b/config/ca-bundle.pem
new file mode 100644
index 0000000..e69de29
diff --git a/lightspeed-stack b/lightspeed-stack
index 3e2d883..691c83e 160000
--- a/lightspeed-stack
+++ b/lightspeed-stack
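Review bot: The new `/etc/tls/ca-bundle.pem` mount in assisted-chat-pod.yaml points at `config/ca-bundle.pem`, which this commit adds as an empty file, and nothing in the manifest says that the empty bundle is deliberate. If the stack treats this path as a trust store for outbound TLS (not visible here), an empty file gives it no CA to validate against, so it would help to state the intent next to the mount, for example `# empty placeholder so the path exists in local dev; drop in a real bundle when a private CA must be trusted`. The volumeMounts list this entry joins starts above the hunk.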
@@ -1 +1 @@
-Subproject commit 3e2d883d919e085f017bb52707aa339901f6eac0
+Subproject commit 691c83ebfecb27edc8d47ea200cdcbdbc24b207a
diff --git a/scripts/query.sh b/scripts/query.sh
index bb5b0cb..120f9f5 100755
--- a/scripts/query.sh
+++ b/scripts/query.sh
@@ -27,7 +27,7 @@ case "${QUERY_ENV:-}" in
 esac
 get_available_models() {
- curl --silent --show-error -X 'GET' "${BASE_URL}/v1/models" -H 'accept: application/json'
+ curl --silent --show-error -X 'GET' "${BASE_URL}/v1/models" -H 'accept: application/json' -H "Authorization: Bearer ${OCM_TOKEN}"
 }
 select_model() {
diff --git a/template.yaml b/template.yaml
index d7cf3ad..de16f01 100644
--- a/template.yaml
+++ b/template.yaml
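Review bot: In scripts/query.sh, `get_available_models` now expands `${OCM_TOKEN}` straight into the curl arguments without checking that it is set, so an unset variable sends `Authorization: Bearer ` with nothing after it and the failure only shows up as an auth error from the server. A guard at the top of the function such as `: "${OCM_TOKEN:?OCM_TOKEN must be set}"` fails early with a clear message; whether the script already validates the token elsewhere is outside the hunk. The token also ends up in curl's argv, where other local users can read it from the process list, and it is sent to whatever `BASE_URL` resolves to, so a comment noting that `BASE_URL` must be an https endpoint (or localhost) would be worth adding.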
@@ -165,6 +165,51 @@ objects:
 jwt_configuration:
 user_id_claim: ${USER_ID_CLAIM}
 username_claim: ${USERNAME_CLAIM}
+ role_rules:
+ - jsonpath: "$.realm_access.roles[*]"
+ operator: "contains"
+ value: "redhat:employees"
+ roles: ["redhat_employee"]
+ - jsonpath: "$.org_id"
+ operator: "in"
+ value: [["6405426"]]
+ roles: ["redhat_employee"]
+ - jsonpath: "$.is_internal"
+ operator: "equals"
+ value: [true]
+ roles: ["redhat_employee"]
+ authorization:
+ access_rules:
+ - role: redhat_employee
+ actions:
+ - get_models
+ # Temporarily we only want redhat employees to be able to use the service,
+ # uncomment when we want to allow all authenticated users
+ # - role: "*"
+ # actions:
+ - query
+ - streaming_query
+ - get_conversation
+ - list_conversations
+ - delete_conversation
+ - feedback
+ # "nobody" is a made up role, doesn't do anything but just good for being explicit
+ # about what is not allowed by anyone
+ - role: nobody
+ actions:
+ # This exposes the database password - once LSC fixes this issue we
+ # can allow this for employees
+ - get_config
+ # For now we don't want to let even administrators / employees access other users conversations
+ - query_other_conversations
+ - delete_other_conversations
+ - list_other_conversations
+ - read_other_conversations
+ # For k8s pod probes
+ - role: "*"
+ actions:
+ - info
+ - get_metrics
 mcp_servers:
 - name: mcp::assisted
 url: "${MCP_SERVER_URL}"
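Review bot: The `role: nobody` entry under `access_rules` is a live grant, not a deny list: it attaches `get_config` (which the comment says exposes the database password) and the `*_other_conversations` actions to a role, and they stay unreachable only as long as no `role_rules` entry ever yields `nobody` and unlisted actions are denied by default, which this hunk does not show. I would keep the list as comments instead of a rule, or at least extend the comment to `# "nobody" must never appear in role_rules; adding it would grant every action below, including get_config`. Separately, the three `role_rules` appear to be alternatives, so `$.is_internal` or the hard-coded `$.org_id` value alone would be enough to become `redhat_employee`; a short comment on which issuer sets these claims and why `value` is wrapped in a list (`[["6405426"]]`, `[true]`) would help the next reviewer. The `jwt_configuration` mapping this sits in starts above the hunk.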