rh-ecosystem-edge · eranco74 · Aug 28, 2025 · Aug 28, 2025 · coderabbitai · Aug 28, 2025
diff --git a/Containerfile.assisted-chat b/Containerfile.assisted-chat
@@ -1,6 +1,6 @@
 # vim: set filetype=dockerfile
-# This is the digest of quay.io/lightspeed-core/lightspeed-stack:dev-20250827-3e2d883
-FROM quay.io/lightspeed-core/lightspeed-stack@sha256:0171ec44c1684e0eb2961366a0e0cfcf99be49f25a28248deccc38dceef068ca
+# This is the digest of quay.io/lightspeed-core/lightspeed-stack:dev-20250828-691c83e
+FROM quay.io/lightspeed-core/lightspeed-stack@sha256:f1ec2f3880b0da80279aee20abb1cb20d681b244c17133470bb9399a75bc423e
 
 USER 1001
 

diff --git a/assisted-chat-pod.yaml b/assisted-chat-pod.yaml
@@ -38,6 +38,10 @@ spec:
           name: config
           subPath: vertex-credentials.json
           readOnly: true
+        - mountPath: /etc/tls/ca-bundle.pem
+          name: config
+          subPath: ca-bundle.pem
+          readOnly: true
     - name: assisted-service-mcp
       image: localhost/local-ai-chat-assisted-service-mcp:latest
       env:

diff --git a/config/ca-bundle.pem b/config/ca-bundle.pem
diff --git a/lightspeed-stack b/lightspeed-stack
diff --git a/scripts/query.sh b/scripts/query.sh
@@ -27,7 +27,7 @@ case "${QUERY_ENV:-}" in
 esac
 
 get_available_models() {
-    curl --silent --show-error -X 'GET' "${BASE_URL}/v1/models" -H 'accept: application/json'
+    curl --silent --show-error -X 'GET' "${BASE_URL}/v1/models" -H 'accept: application/json' -H "Authorization: Bearer ${OCM_TOKEN}"
 }
-get_available_models() {
-    curl --silent --show-error -X 'GET' "${BASE_URL}/v1/models" -H 'accept: application/json'
-    curl --silent --show-error -X 'GET' "${BASE_URL}/v1/models" -H 'accept: application/json' -H "Authorization: Bearer ${OCM_TOKEN}"
-}
+get_available_models() {
+    # Ensure token present (and fetch if not)
+    if [[ -z "${OCM_TOKEN:-}" ]]; then
+        if ! get_ocm_token; then
+            echo "Failed to get OCM token for models"
+            return 1
+        fi
+    fi
+    tmpfile=$(mktemp)
+    status=$(curl --silent --show-error --output "$tmpfile" --write-out "%{http_code}" \
+        -H 'accept: application/json' \
+        -H "Authorization: Bearer ${OCM_TOKEN}" \
+        "${BASE_URL}/v1/models")
+    body=$(cat "$tmpfile"); rm "$tmpfile"
+    if ! good_http_response "$status"; then
+        echo "Error: Failed to fetch models (HTTP $status)"
+        echo "Response: $body"
+        return 1
+    fi
+    echo "$body"
+}
-get_available_models() {
-    curl --silent --show-error -X 'GET' "${BASE_URL}/v1/models" -H 'accept: application/json'
-    curl --silent --show-error -X 'GET' "${BASE_URL}/v1/models" -H 'accept: application/json' -H "Authorization: Bearer ${OCM_TOKEN}"
-}
+get_available_models() {
+    # Ensure token present (and fetch if not)
+    if [[ -z "${OCM_TOKEN:-}" ]]; then
+        if ! get_ocm_token; then
+            echo "Failed to get OCM token for models"
+            return 1
+        fi
+    fi
+    tmpfile=$(mktemp)
+    status=$(curl --silent --show-error --output "$tmpfile" --write-out "%{http_code}" \
+        -H 'accept: application/json' \
+        -H "Authorization: Bearer ${OCM_TOKEN}" \
+        "${BASE_URL}/v1/models")
+    body=$(cat "$tmpfile"); rm "$tmpfile"
+    if ! good_http_response "$status"; then
+        echo "Error: Failed to fetch models (HTTP $status)"
+        echo "Response: $body"
+        return 1
+    fi
+    echo "$body"
+}
 
 select_model() {

diff --git a/template.yaml b/template.yaml
@@ -165,6 +165,51 @@ objects:
           jwt_configuration:
             user_id_claim: ${USER_ID_CLAIM}
             username_claim: ${USERNAME_CLAIM}
+            role_rules:
+            - jsonpath: "$.realm_access.roles[*]"
+              operator: "contains"
+              value: "redhat:employees"
+              roles: ["redhat_employee"]
+            - jsonpath: "$.org_id"
+              operator: "in"
+              value: [["6405426"]]
+              roles: ["redhat_employee"]
+            - jsonpath: "$.is_internal"
+              operator: "equals"
+              value: [true]
+              roles: ["redhat_employee"]
+      authorization:
+        access_rules:
+          - role: redhat_employee
+            actions:
+            - get_models
+          # Temporarily we only want redhat employees to be able to use the service,
+          # uncomment when we want to allow all authenticated users
+          # - role: "*"
+          #   actions:
+            - query
+            - streaming_query
+            - get_conversation
+            - list_conversations
+            - delete_conversation
+            - feedback
+          # "nobody" is a made up role, doesn't do anything but just good for being explicit
+          # about what is not allowed by anyone
+          - role: nobody
+            actions:
+            # This exposes the database password - once LSC fixes this issue we
+            # can allow this for employees
+            - get_config
+            # For now we don't want to let even administrators / employees access other users conversations
+            - query_other_conversations
+            - delete_other_conversations
+            - list_other_conversations
+            - read_other_conversations
+          # For k8s pod probes
+          - role: "*"
+            actions:
+            - info
+            - get_metrics
       mcp_servers:
         - name: mcp::assisted
           url: "${MCP_SERVER_URL}"
+1 −2		src/auth/jwk_token.py
+14 −2		src/authorization/resolvers.py
+3 −12		tests/unit/auth/test_jwk_token.py
+16 −2		tests/unit/authorization/test_resolvers.py