parameterize lightspeed-stack auth rules

[maorfr]

follow up on:

• Bump and other fixes #161
• https://gitlab.cee.redhat.com/service/app-interface/-/merge_requests/155231
• https://gitlab.cee.redhat.com/service/app-interface/-/merge_requests/155234

this PR extracts the actual rules into parameters to be passed during deployment time via app-interface.

Summary by CodeRabbit

• New Features
  • Added deployment parameters to configure authentication role rules and authorization access rules at deploy time, with empty-list defaults for opt-in customization.
  • Dev environment now includes sample role and access rule values mapping a "redhat_employee" role to a set of allowed actions.
• Refactor
  • Replaced fixed inline auth policy definitions with parameterized references for easier environment-specific configuration.

[coderabbitai]

Walkthrough

Adds two new template parameters (AUTHN_ROLE_RULES, AUTHZ_ACCESS_RULES) and replaces inlined authentication role rules and authorization access rules in the lightspeed-stack ConfigMap with parameter references; defaults are empty lists. No other logic changes.

Changes

Cohort / File(s)	Summary of Changes
Template parameters template.yaml	Added parameters AUTHN_ROLE_RULES and AUTHZ_ACCESS_RULES (both default '[]') with descriptive text.
Environment parameter file template-params.dev.env	Added AUTHN_ROLE_RULES and AUTHZ_ACCESS_RULES variables with concrete JSON-string defaults for dev (role mapping and access actions).
Lightspeed Stack ConfigMap template.yaml (lightspeed-stack-config .../lightspeed-stack.yaml)	Replaced inline authentication.jwt_configuration.role_rules with role_rules: ${{AUTHN_ROLE_RULES}} and replaced inline authorization.access_rules with access_rules: ${{AUTHZ_ACCESS_RULES}}.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• Remove RBAC from config #159 — Also modifies the same ConfigMap rule blocks, removing them entirely; related to this PR’s parameterization of those blocks.
• Bump lightspeed-stack to authorization commit #152 — Touches the same authentication and authorization rule sections that this PR converts to parameter references.

✨ Finishing Touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

‼️ IMPORTANT
Auto-reply has been disabled for this repository in the CodeRabbit settings. The CodeRabbit bot will not respond to your replies unless it is explicitly tagged.

• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbit in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbit in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbit gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbit read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbit help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbit ignore or @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbit summary or @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbit or @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[eranco74]

LGTM
Did you test it locally?

• We need a CI job to cover the local development

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (3)

lightspeed-stack (1)

1-1: Confirm submodule bump reproducibility
The lightspeed-stack submodule is pinned to commit 969904b4aef1dbe4379b279effe065237233a687, which has no exact upstream tag. Add a one-liner in the PR description linking to the upstream commit (or release notes) for context. If possible, switch to a stable release tag for future reproducibility.

assisted-service-mcp (1)

1-1: Optional: consider pinning to a tag or branch for traceability.

If this commit corresponds to a release, referencing an annotated tag (or documenting the upstream release/PR) improves provenance and rollbacks.

template.yaml (1)

137-142: Document expected format for new params (JSON array) to avoid YAML shape issues.

These values are injected inline. To remain valid YAML, callers should pass JSON-encoded lists (e.g., [] or [{"effect":"allow",...}]). Make that explicit.

Apply this diff to clarify parameter descriptions:

 - name: AUTHN_ROLE_RULES
   value: '[]'
-  description: "lightspeed-stack authentication role rules"
+  description: "lightspeed-stack authentication role rules (JSON array string, e.g. [] or [{...}])"
 - name: AUTHZ_ACCESS_RULES
   value: '[]'
-  description: "lightspeed-stack authorization access rules"
+  description: "lightspeed-stack authorization access rules (JSON array string, e.g. [] or [{...}])"

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 5bf47af and 9b7c52c.

📒 Files selected for processing (5)

• assisted-service-mcp (1 hunks)
• lightspeed-stack (1 hunks)
• llama-stack (1 hunks)
• scripts/build-images.sh (1 hunks)
• template.yaml (2 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Red Hat Konflux / assisted-chat-saas-main-on-pull-request

🔇 Additional comments (4)

assisted-service-mcp (1)

1-1: Submodule bump to 2beef39…: pointers and CI checkout
Confirm assisted-service-mcp is at commit 2beef39f0bd15cb3232f840181585a17bbad8d7d (e.g. via git submodule status), verify your lightspeed-stack and llama-stack submodules point to the commits containing the auth-parameterization changes, and ensure your CI pipeline runs

git submodule update --init --recursive

llama-stack (2)

1-1: LGTM: metadata-only submodule bump.

Pointer update only; no local code impact here.

---

1-1: Cross-repo compatibility check.

This PR parameterizes auth rules; please confirm this llama-stack revision is compatible with those parameters (no breaking config schema/API drift).

template.yaml (1)

174-176: Confirm rendering with multi-rule payloads and auth_enabled=true.

When LIGHTSPEED_SERVICE_AUTH_ENABLED=true but rules are [], effective behavior may deny everything depending on stack defaults. Also verify app-interface provides compact JSON so this line stays valid YAML.

I can generate a quick validation script that renders this template with sample JSON arrays and runs yamllint on the resulting ConfigMap to ensure correctness—want me to add it?

[coderabbitai]

💡 Verification agent

🧩 Analysis chain

Verify submodule commit exists and matches intent.

Confirm the hash resolves on the remote and (optionally) initialize to that exact commit.

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail
HASH="eed25fc6e4f7e62c346a9d4ce5c7083e6500b7dd"
URL="$(git config -f .gitmodules --get submodule.llama-stack.url)"

# 1) Ensure the recorded tree entry matches the expected hash
git ls-tree HEAD llama-stack | awk '{print $3}' | tee /dev/stderr | grep -x "$HASH"

# 2) Ensure the hash exists on the remote
git ls-remote "$URL" | awk '{print $1}' | grep -x "$HASH"

# Optional: init and verify working tree is at the pinned commit
git submodule update --init --depth=1 llama-stack
git -C llama-stack rev-parse HEAD | tee /dev/stderr | grep -x "$HASH"

Length of output: 389

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail
HASH="eed25fc6e4f7e62c346a9d4ce5c7083e6500b7dd"

# 1) Load submodule URL
if [ -f .gitmodules ]; then
  URL=$(git config -f .gitmodules --get submodule.llama-stack.url)
else
  echo "ERROR: .gitmodules not found" >&2
  exit 1
fi
echo "Submodule URL: $URL"

# 2) Verify recorded tree entry matches expected hash
TREE_HASH=$(git ls-tree HEAD llama-stack | awk '{print $3}')
echo "Tree entry hash: $TREE_HASH"
if [ "$TREE_HASH" != "$HASH" ]; then
  echo "ERROR: Recorded tree hash does not match expected $HASH" >&2
  exit 1
fi

# 3) Verify hash exists on remote
if ! git ls-remote "$URL" | awk '{print $1}' | grep -xq "$HASH"; then
  echo "ERROR: Hash $HASH not found on remote $URL" >&2
  exit 1
fi

# 4) Initialize submodule and verify working tree
git submodule update --init --depth=1 llama-stack
SUBMODULE_HEAD=$(git -C llama-stack rev-parse HEAD)
echo "Submodule HEAD commit: $SUBMODULE_HEAD"
if [ "$SUBMODULE_HEAD" != "$HASH" ]; then
  echo "ERROR: Submodule HEAD commit does not match expected $HASH" >&2
  exit 1
fi

echo "SUCCESS: Submodule commit $HASH verified."

Length of output: 1028

---

Fix missing submodule commit on remote
The pinned commit eed25fc6e4f7e62c346a9d4ce5c7083e6500b7dd doesn’t exist on the submodule’s remote (https://github.com/meta-llama/llama-stack); push the intended commit or update the submodule reference to a valid hash.

🤖 Prompt for AI Agents

In llama-stack around lines 1 to 1, the repository is referencing a submodule
commit hash (eed25fc6e4f7e62c346a9d4ce5c7083e6500b7dd) that does not exist on
the submodule remote; either push the intended commit to the submodule remote or
update the superproject to point to a valid hash: enter the submodule directory,
run git fetch origin --tags, confirm the correct commit (or checkout the desired
branch and create/push the missing commit), then in the superproject update the
submodule to a valid commit (git add the submodule change and commit/push the
updated reference) so the submodule pointer on the remote matches an existing
commit.

[coderabbitai]

🛠️ Refactor suggestion

Don’t silently drop the subscription precheck; gate it behind an opt-out flag.

Builds that rely on RHEL content will now fail later and less clearly. Make the check conditional on an env var or CLI flag instead of removing it.

Apply this diff to make the precheck skippable via SKIP_SUBSCRIPTION_CHECK=true:

-# check_redhat_subscription
+if [[ "${SKIP_SUBSCRIPTION_CHECK:-false}" != "true" ]]; then
+  check_redhat_subscription
+else
+  echo "Skipping Red Hat subscription check (SKIP_SUBSCRIPTION_CHECK=true)"
+fi

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	# check_redhat_subscription
	if [[ "${SKIP_SUBSCRIPTION_CHECK:-false}" != "true" ]]; then
	check_redhat_subscription
	else
	echo "Skipping Red Hat subscription check (SKIP_SUBSCRIPTION_CHECK=true)"
	fi

🤖 Prompt for AI Agents

In scripts/build-images.sh around line 145, the RHEL subscription precheck was
removed; restore the precheck but make it skippable by gating it on an
environment variable SKIP_SUBSCRIPTION_CHECK (default false). Reintroduce the
existing check invocation and wrap it in an if that only runs when
SKIP_SUBSCRIPTION_CHECK is not "true"; if the check fails, emit a clear error
and exit non-zero so builds that depend on RHEL content fail fast; when
SKIP_SUBSCRIPTION_CHECK="true" print a one-line notice that the check was
skipped.

[maorfr]

Did you test it locally?

the deployment time can only be tested in... deployment time 😅
what else would i test?

[eranco74]

/hold

assisted-chat-pod-lightspeed-stack     validated_self = self.__pydantic_validator__.validate_python(data, self_instance=self)
assisted-chat-pod-lightspeed-stack                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
assisted-chat-pod-lightspeed-stack pydantic_core._pydantic_core.ValidationError: 2 validation errors for Configuration
assisted-chat-pod-lightspeed-stack authorization.access_rules.1.role
assisted-chat-pod-lightspeed-stack   Input should be a valid string [type=string_type, input_value=None, input_type=NoneType]
assisted-chat-pod-lightspeed-stack     For further information visit https://errors.pydantic.dev/2.11/v/string_type
assisted-chat-pod-lightspeed-stack authorization.access_rules.1.actions
assisted-chat-pod-lightspeed-stack   Field required [type=missing, input_value={'role': None}, input_type=dict]
assisted-chat-pod-lightspeed-stack     For further information visit https://errors.pydantic.dev/2.11/v/missing

[eranco74]

Did you test it locally?

the deployment time can only be tested in... deployment time 😅 what else would i test?

"local development" - make run...

[omertuc]

Let's set some values in template-params.dev.env?

[omertuc]

/lgtm

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 0fa68d8 and 44ae030.

📒 Files selected for processing (2)

• template-params.dev.env (1 hunks)
• template.yaml (2 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• template.yaml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Red Hat Konflux / assisted-chat-saas-main-on-pull-request

🔇 Additional comments (2)

template-params.dev.env (2)

9-10: Good parameterization — sensible dev defaults.

Moving hard-coded auth rules into deploy-time params is the right direction, and these dev values look aligned with the prior inlined config.

---

9-10: Correct Python invocation in verification script
Pass the tmpl variable into Python so sys.argv[1] isn’t empty. For example:

#!/bin/bash
set -euo pipefail

tmpl=$(rg -nI --glob '**/*.{yaml,yml}' 'AUTH(Z|N)_ACCESS_RULES|AUTHN_ROLE_RULES' -l | head -n1)
echo "Template: $tmpl"

set -a
# shellcheck disable=SC1091
source ./template-params.dev.env
set +a

python - "$tmpl" <<'PY'
import os, re, sys, yaml
from pathlib import Path

tmpl_text = Path(sys.argv[1]).read_text()
def repl(m):
    k = m.group(1)
    v = os.environ.get(k, '')
    if v == '':
        print(f"[WARN] Missing env for {k}", file=sys.stderr)
    return v

rendered = re.sub(r"\$\{\{\s*([A-Z0-9_]+)\s*\}\}", repl, tmpl_text)
# …rest of the checks…
PY

Rerun this updated script and ensure no [FAIL] appears, confirming the template renders correctly.

[coderabbitai]

⚠️ Potential issue

Fix the Pydantic validation: inject a YAML list, not a quoted string.

The reported error (authorization.access_rules.1.role=None / .actions missing) is consistent with the list being rendered incorrectly (e.g., as a quoted scalar or creating an extra empty item). Avoid wrapping the flow-style list in single quotes so it renders as a proper YAML list in the ConfigMap.

Apply this diff:

-AUTHN_ROLE_RULES='[{"jsonpath":"$.realm_access.roles[*]","operator":"contains","value":"redhat:employees","roles":["redhat_employee"]}]'
-AUTHZ_ACCESS_RULES='[{"role":"redhat_employee","actions":["get_models","query","streaming_query","get_conversation","list_conversations","delete_conversation","feedback","info","get_metrics"]}]'
+AUTHN_ROLE_RULES=[{"jsonpath":"$.realm_access.roles[*]","operator":"contains","value":"redhat:employees","roles":["redhat_employee"]}]
+AUTHZ_ACCESS_RULES=[{"role":"redhat_employee","actions":["get_models","query","streaming_query","get_conversation","list_conversations","delete_conversation","feedback","info","get_metrics"]}]

Rationale:

• Unquoted flow-style JSON/YAML will be injected as a list node, not a string.
• Since the assignment is unquoted, keep values whitespace-free (already the case here) to avoid shell word-splitting when sourced locally.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	AUTHN_ROLE_RULES='[{"jsonpath":"$.realm_access.roles[*]","operator":"contains","value":"redhat:employees","roles":["redhat_employee"]}]'
	AUTHZ_ACCESS_RULES='[{"role":"redhat_employee","actions":["get_models","query","streaming_query","get_conversation","list_conversations","delete_conversation","feedback","info","get_metrics"]}]'
	# template-params.dev.env, lines 9–10
	AUTHN_ROLE_RULES=[{"jsonpath":"$.realm_access.roles[*]","operator":"contains","value":"redhat:employees","roles":["redhat_employee"]}]
	AUTHZ_ACCESS_RULES=[{"role":"redhat_employee","actions":["get_models","query","streaming_query","get_conversation","list_conversations","delete_conversation","feedback","info","get_metrics"]}]

🤖 Prompt for AI Agents

In template-params.dev.env around lines 9 to 10 the flow-style list values are
wrapped in single quotes, causing Pydantic to receive a string instead of a YAML
list and producing validation errors; remove the surrounding single quotes so
AUTHN_ROLE_RULES and AUTHZ_ACCESS_RULES are unquoted flow-style lists (keep them
whitespace-free) so they are injected as proper YAML list nodes into the
ConfigMap.

[eranco74]

/unhold

[maorfr]

/hold

let's wait for next week

[carbonin]

/unhold
/lgtm
/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: carbonin, maorfr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [carbonin,maorfr]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment