Prod Auth for Lightspeed Exporter

[keitwb]

This uses sso auth in prod and makes the manual auth secret optional so
we don't have to have it in prod.

Summary by CodeRabbit

• New Features

  • Added a configurable authentication mode for the Lightspeed data exporter via a new parameter (default: "sso"). Supports "manual", "sso", and "openshift" modes.
  • Added a parameter to name the SSO client secret.

• Improvements

  • Exporter mode is driven by configuration instead of being hard-coded.
  • Deployment is more resilient: auth token and SSO client credentials are now optional based on the chosen mode.

• Documentation

  • Updated parameter descriptions to explain valid modes and secret requirements.

[coderabbitai]

Walkthrough

Adds parameters to template.yaml to support configurable LIGHTSPEED_EXPORTER_AUTH_MODE (manual|sso|openshift) and SSO_CLIENT_SECRET_NAME, wires the mode into the exporter --mode arg, makes ingress auth token secret optional, and adds optional SSO client env vars for the exporter.

Changes

Cohort / File(s)	Summary of changes
Template parameters & descriptions template.yaml	Added LIGHTSPEED_EXPORTER_AUTH_MODE (default "sso") and SSO_CLIENT_SECRET_NAME (default "ingress-sso"); expanded INSIGHTS_INGRESS_SECRET_NAME description to note conditional usage per mode.
Exporter container args & env template.yaml	Replaced hard-coded exporter arg --mode manual with --mode ${LIGHTSPEED_EXPORTER_AUTH_MODE}; added CLIENT_ID and CLIENT_SECRET env entries from ${SSO_CLIENT_SECRET_NAME} (both optional); marked INGRESS_SERVER_AUTH_TOKEN secretKeyRef as optional: true.

Sequence Diagram(s)

sequenceDiagram
  participant Deployer as Deployer
  participant Template as template.yaml
  participant K8s as Kubernetes API
  participant Exporter as lightspeed-to-dataverse-exporter
  participant SSOSecret as SSO secret (optional)
  participant IngressSecret as INSIGHTS_INGRESS_SECRET (optional)

  Deployer->>Template: set LIGHTSPEED_EXPORTER_AUTH_MODE & SSO_CLIENT_SECRET_NAME
  Template->>K8s: create/update Deployment with --mode=${LIGHTSPEED_EXPORTER_AUTH_MODE} and env refs
  K8s->>Exporter: start container

  alt mode == manual
    Exporter->>IngressSecret: read INGRESS_SERVER_AUTH_TOKEN (expected present)
  else mode == sso
    Exporter->>SSOSecret: read CLIENT_ID / CLIENT_SECRET (optional)
    Exporter->>IngressSecret: read INGRESS_SERVER_AUTH_TOKEN (optional)
  else mode == openshift
    Exporter->>IngressSecret: treat token as optional (use platform auth)
  end

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• Insights Export Config #78: Adjusts exporter --mode, makes ingress token optional, and adds SSO secret envs—directly related changes to exporter auth wiring.

Suggested labels

ok-to-test

Suggested reviewers

• maorfr

Tip

🔌 Remote MCP (Model Context Protocol) integration is now available!

Pro plan users can now connect to remote MCP servers from the Integrations page. Connect with popular remote MCPs such as Notion and Linear to add more context to your reviews and chats.

✨ Finishing Touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

‼️ IMPORTANT
Auto-reply has been disabled for this repository in the CodeRabbit settings. The CodeRabbit bot will not respond to your replies unless it is explicitly tagged.

• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

template.yaml (2)

77-79: Clarify secret behavior across auth modes; tighten wording

The current wording is a bit ambiguous. Explicitly call out when the Secret is optional vs required and the expected key name.

Apply this diff to improve clarity:

-  description: |
-    The name of a secret containing the auth_token for the insights ingress server. Will be ignored
-    if it doesn't exist but LIGHTSPEED_EXPORTER_AUTH_MODE should be set to 'openshift' in that case.
+  description: |
+    Name of the Secret that contains the insights ingress auth token (data key: auth_token).
+    In 'openshift' auth mode, this Secret is optional and will be ignored if missing.
+    In 'manual' auth mode, this Secret is required; if absent, the exporter will fail to authenticate.

---

89-95: Document default, valid values, and failure mode; ensure stage override

The parameter is a solid addition. Recommend tightening the description and confirming that stage explicitly sets 'manual' and has the Secret present.

Suggested description tweak for precision:

-  description: |
-    The type of authentication to use for the lightspeed data exporter. Valid values are 'manual'
-    and 'openshift'. If 'manual' is specified the INSIGHTS_INGRESS_SECRET_NAME secret should contain
-    a valid auth token in the data item `auth_token`.
+  description: |
+    Authentication mode for the lightspeed data exporter. Valid values: 'manual' or 'openshift'.
+    Default: 'openshift' (uses the pod's in-cluster service account token). In this mode the
+    ingress Secret may be absent and will be ignored.
+    When set to 'manual', the ${INSIGHTS_INGRESS_SECRET_NAME} Secret must exist and contain
+    the key 'auth_token' with a valid token; otherwise the exporter will fail to authenticate.

Verification: Please confirm the stage environment explicitly sets LIGHTSPEED_EXPORTER_AUTH_MODE=manual and that the ${INSIGHTS_INGRESS_SECRET_NAME} Secret exists with data.auth_token there. Also confirm the exporter image tag in stage/prod includes support for '--mode openshift'.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b0bb616 and 158f76d.

📒 Files selected for processing (1)

• template.yaml (4 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Red Hat Konflux / assisted-chat-saas-main-on-pull-request

🔇 Additional comments (2)

template.yaml (2)

490-490: Wires exporter mode to parameter (LGTM)

Passing the mode via parameter is correct and aligns with the new default behavior.

Please verify that the deployed lightspeed-to-dataverse-exporter image version supports the '--mode openshift' flag and behaves correctly when INGRESS_SERVER_AUTH_TOKEN is unset.

---

501-501: Optional Secret is appropriate; be aware of manual mode failure semantics

Marking the Secret as optional is correct for 'openshift' mode. In 'manual' mode, this will lead to startup/auth failures if the Secret is missing, which is acceptable but should be expected. The description updates above help set that expectation.

Please ensure environments that set LIGHTSPEED_EXPORTER_AUTH_MODE=manual also provision the ${INSIGHTS_INGRESS_SECRET_NAME} Secret with key 'auth_token'.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

template.yaml (2)

80-81: Clarify expected keys for SSO secret

Document the required keys to reduce deploy-time guesswork and misconfigurations.

-  description: "Name of the K8s secret that contains the SSO client credentials"
+  description: "Name of the K8s secret that contains the SSO client credentials (keys: client_id, client_secret)"

---

521-527: Token secret made optional: ensure manual mode fails fast and observably when missing

Making INGRESS_SERVER_AUTH_TOKEN optional is necessary for 'sso'/'openshift', but in 'manual' mode its absence should result in a clear, immediate failure (not a silent no-op). Ensure the exporter emits actionable logs and exits non-zero, or expose a health/readiness signal.

If the exporter exposes a health endpoint, consider adding a basic readinessProbe for this sidecar to surface misconfiguration:

        - name: lightspeed-to-dataverse-exporter
          image: quay.io/lightspeed-core/lightspeed-to-dataverse-exporter:${LIGHTSPEED_EXPORTER_IMAGE_TAG}
          imagePullPolicy: Always
+         readinessProbe:
+           httpGet:
+             path: /healthz
+             port: 8080
+           initialDelaySeconds: 10
+           periodSeconds: 10

If there’s no HTTP health endpoint, we can switch to an exec probe that checks for a recent successful send or a mode-specific config check. Happy to draft once we confirm exporter capabilities.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 158f76d and dbd8ce4.

📒 Files selected for processing (1)

• template.yaml (3 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Red Hat Konflux / assisted-chat-saas-main-on-pull-request

🔇 Additional comments (3)

template.yaml (3)

503-503: LGTM: mode is now parameterized

Switching from a hard-coded mode to "${LIGHTSPEED_EXPORTER_AUTH_MODE}" is correct and aligns the deployment with environment-specific configuration.

---

509-520: Verify SSO mode env configuration and config injection

• The template already defines the SSO_BASE_URL parameter (lines 111–113) and injects it into the jwk_token module’s JWKS URL in the generated config.yaml (line 164). Ensure that the rendered config.yaml contains the correct URL (${SSO_BASE_URL}/protocol/openid-connect/certs).
• Confirm that the exporter binary actually consumes the CLIENT_ID and CLIENT_SECRET environment variables when invoked with --mode "sso". The grep scan did not reveal any code paths reading these vars directly, so please verify in the exporter source.
• Only if the exporter also reads SSO_BASE_URL from its environment (rather than from the config file), consider adding this env var to the container:

   env:
     - name: CLIENT_ID
       valueFrom:
         secretKeyRef:
           name: ${SSO_CLIENT_SECRET_NAME}
           key: client_id
           optional: true
     - name: CLIENT_SECRET
       valueFrom:
         secretKeyRef:
           name: ${SSO_CLIENT_SECRET_NAME}
           key: client_secret
           optional: true
+    - name: SSO_BASE_URL
+      value: ${SSO_BASE_URL}

Verification command used:

rg -n -C2 -i 'CLIENT_(ID|SECRET)|SSO_BASE_URL|LIGHTSPEED_EXPORTER_AUTH_MODE|--mode|openshift|sso|manual'

---

91-98: Set default LIGHTSPEED_EXPORTER_AUTH_MODE to 'openshift'

Verified that in template.yaml (lines 91–98) the default remains "sso", which contradicts the PR’s intent to default to OpenShift pull-secret authentication in production.

Locations needing change:

• template.yaml:91–92 (current default)
• template.yaml:503–504 (where --mode is passed to the exporter)

Proposed patch:

- name: LIGHTSPEED_EXPORTER_AUTH_MODE
-  value: "sso"
+ name: LIGHTSPEED_EXPORTER_AUTH_MODE
+  value: "openshift"

Follow-up: please confirm how the exporter resolves credentials in ‘openshift’ mode (e.g., via the Pod’s service-account imagePullSecrets or a mounted cluster pull-secret) and update the chart with any required mounts or RBAC.

[maorfr]

/approve
/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: keitwb, maorfr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [maorfr]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment