MGMT-21376: Tweak the systemprompt to not return ISO, kubeconfig and credentials URLs #110
@rawagner: This pull request references MGMT-21376 which is a valid jira issue.
Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.20.0" version, but no target version was set.
/lgtm
/approve
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: omertuc, rawagner
Actionable comments posted: 2
📒 Files selected for processing (1)
template.yaml(2 hunks)
| 2. **Infrastructure Setup / ISO Download:** | ||
| * After a cluster is created, the next step is typically to **download the Discovery ISO**. | ||
| * Proactively offer to provide the ISO download URL. | ||
| * **Crucially, if a tool returns a URL for the Discovery ISO, do not include the URL in your response.** | ||
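Review bot: The last bullet ("if a tool returns a URL for the Discovery ISO, do not include the URL in your response") is the only safeguard visible in this hunk, and a prompt instruction is advisory rather than enforced. If the URL must never appear in chat text, back it with a check outside the model as well, for example a response filter or a test that fails when a reply contains a URL that a tool returned. The bullet also gives the assistant nothing to say in place of the URL; state the expected reply so the behaviour is predictable.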
Resolve contradiction and reference UI button for ISO download
Line 174 asks to “offer to provide the ISO download URL” while Line 175 says not to include the URL. Reword to remove the URL mention and guide the assistant to reference the UI button.
Apply this diff:
2. **Infrastructure Setup / ISO Download:**
* After a cluster is created, the next step is typically to **download the Discovery ISO**.
- * Proactively offer to provide the ISO download URL.
- * **Crucially, if a tool returns a URL for the Discovery ISO, do not include the URL in your response.**
+ * Proactively offer to provide the Discovery ISO. Do not include or echo any direct download URL.
+ * **If a tool returns a URL for the Discovery ISO, do not include the URL in your response. Instead, tell the user that a "Download Discovery ISO" button is available in the UI.**
I can propagate this phrasing consistently if there are other prompt files.
🏁 Script executed:
#!/bin/bash
# Scan for other guidance that suggests pasting ISO URLs directly.
rg -n "ISO.*URL|Discovery ISO.*URL|download URL" -A2 -B2
Length of output: 546
Resolve ISO download guidance contradiction in template.yaml
Lines 172–176 currently ask to “offer to provide the ISO download URL” yet immediately forbid including it. Update to remove the URL reference and point users to the UI button instead.
• File: template.yaml
• Lines: 172–176
Suggested diff:
2. **Infrastructure Setup / ISO Download:**
* After a cluster is created, the next step is typically to **download the Discovery ISO**.
- * Proactively offer to provide the ISO download URL.
- * **Crucially, if a tool returns a URL for the Discovery ISO, do not include the URL in your response.**
+ * Proactively offer to provide the Discovery ISO. Do not include or echo any direct download URL.
+ * **If a tool returns a URL for the Discovery ISO, do not include the URL in your response. Instead, instruct the user to click the “Download Discovery ISO” button in the UI.**
A quick repo scan shows no other occurrences of ISO URL guidance.
📝 Committable suggestion
| 2. **Infrastructure Setup / ISO Download:** | |
| * After a cluster is created, the next step is typically to **download the Discovery ISO**. | |
| * Proactively offer to provide the ISO download URL. | |
| * **Crucially, if a tool returns a URL for the Discovery ISO, do not include the URL in your response.** | |
| 2. **Infrastructure Setup / ISO Download:** | |
| * After a cluster is created, the next step is typically to **download the Discovery ISO**. | |
| * Proactively offer to provide the Discovery ISO. Do not include or echo any direct download URL. | |
| * **If a tool returns a URL for the Discovery ISO, do not include the URL in your response. Instead, instruct the user to click the “Download Discovery ISO” button in the UI.** |
🤖 Prompt for AI Agents
In template.yaml around lines 172 to 176, the guidance currently contradicts
itself by saying to “offer to provide the ISO download URL” and then forbidding
including the URL; remove any mention of providing or offering the ISO URL and
replace it with a pointer to use the web UI download button (e.g., instruct
users to click the “Download Discovery ISO” button in the cluster UI); update
the wording so it no longer references returning or offering a URL and instead
directs users to the UI for obtaining the ISO; ensure the surrounding text reads
smoothly and that no other lines in this block imply providing an external ISO
URL.
I've updated the system prompt, but without mentioning the UI, which should be given.
| 7. **Installation Complete:** | ||
| * **Once the installation is successfully completed**, proactively inform the user and offer to provide the **kubeconfig file** and the **kubeadmin password**. This is crucial for accessing their new OpenShift cluster. | ||
| * **Crucially, if a tool returns a URL for the kubeconfig file or a URL/link for the kubeadmin password, do not include the URL/link in your response.** | ||
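Review bot: The wording in the last bullet is asymmetric: it forbids "a URL for the kubeconfig file" but "a URL/link for the kubeadmin password", and it covers only URLs, not the kubeconfig contents or the password value. Use one phrase for both artifacts (for example "any URL or link") and say explicitly whether the values themselves may appear in a reply, since the bullet above still tells the assistant to offer to provide both.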
Prevent disclosure of secret contents and URLs for kubeconfig/kubeadmin
Current text blocks URLs/links but still “offers to provide” kubeconfig and the kubeadmin password, which could be read as pasting secret contents. Explicitly forbid including both URLs and secret contents; reference UI buttons instead.
Apply this diff:
7. **Installation Complete:**
- * **Once the installation is successfully completed**, proactively inform the user and offer to provide the **kubeconfig file** and the **kubeadmin password**. This is crucial for accessing their new OpenShift cluster.
- * **Crucially, if a tool returns a URL for the kubeconfig file or a URL/link for the kubeadmin password, do not include the URL/link in your response.**
+ * **Once the installation is successfully completed**, proactively inform the user and offer to provide access to the **kubeconfig** and the **kubeadmin password** via the UI. Do not paste the kubeconfig content or the password value into the response.
+ * **If a tool returns a URL for the kubeconfig file or a URL/link for the kubeadmin password, do not include the URL/link in your response. Instead, inform the user that UI buttons are available to retrieve these securely.**
Optional: Add a general security principle to make this policy global:
# Under **General Proactive Principles:**
* Never paste or echo credentials, tokens, passwords, kubeconfig contents, or direct download URLs.
* When tools return such items or URLs, inform the user that the UI provides secure buttons/controls to access them.
I can submit a follow-up patch adding the general principle and synchronizing wording across prompts.
🏁 Script executed:
#!/bin/bash
# Scan for any remaining guidance that suggests sharing kubeconfig or kubeadmin password directly.
rg -n "kubeconfig|kubeadmin password|password URL|kubeconfig URL" -A2 -B2
Length of output: 667
Prevent disclosure of kubeconfig and kubeadmin secrets via chat
File: template.yaml
Lines: 210–213
The current guidance still “offers to provide” the kubeconfig file and kubeadmin password directly, which could be misunderstood as pasting secret contents. We need to explicitly forbid sharing both URLs and secret contents, and instead point users to secure UI controls.
Apply this diff:
7. **Installation Complete:**
- * **Once the installation is successfully completed**, proactively inform the user and offer to provide the **kubeconfig file** and the **kubeadmin password**. This is crucial for accessing their new OpenShift cluster.
- * **Crucially, if a tool returns a URL for the kubeconfig file or a URL/link for the kubeadmin password, do not include the URL/link in your response.**
+ * **Once the installation is successfully completed**, inform the user that the **kubeconfig** and **kubeadmin password** are available via secure UI controls. Do not paste the kubeconfig content or password value into the response.
+ * **If a tool returns a URL for the kubeconfig file or for the kubeadmin password, do not include the link in your response.** Instead, tell the user to use the UI buttons to retrieve them securely.
Optional: Under General Proactive Principles, add:
* Never paste or echo credentials, tokens, passwords, kubeconfig contents, or direct download URLs.
* When tools return such items or URLs, inform users that the UI provides secure buttons/controls to access them.
🤖 Prompt for AI Agents
In template.yaml around lines 210 to 213, the wording currently "offer to
provide the kubeconfig file and the kubeadmin password" risks encouraging
pasting secrets or URLs; update the text to explicitly forbid sharing kubeconfig
contents, kubeadmin passwords, tokens, or direct download URLs in chat and
instead instruct the assistant to tell users to use the secure UI
controls/buttons to retrieve those items; also add the optional bullets under
"General Proactive Principles" that state "Never paste or echo credentials,
tokens, passwords, kubeconfig contents, or direct download URLs" and "When tools
return such items or URLs, inform users that the UI provides secure
buttons/controls to access them."
/hold Code rabbit is making some good points
/lgtm
…URLs UI render these URLs as buttons
350d3ab to ddc9533
/lgtm
/unhold
ac0445e into rh-ecosystem-edge:main



UI will render the URLs as buttons