enable ssl and CA in llama-stack

[maorfr]

part of https://issues.redhat.com/browse/MGMT-21487

this PR enables secure connectivity between the service and the database for the llama-stack persistence layer.

we mount a DB CA certificate to a file on the pod and pass that file through the llama-stack configuration, as was implemented in llamastack/llama-stack#3182

related to #133

Summary by CodeRabbit

• Chores
  • Enabled TLS verification (verify-full) with a configured CA bundle for PostgreSQL connections across the stack, improving data-in-transit security and reliability.
  • Updated internal llama-stack dependency to a newer revision (no user-visible changes).

[coderabbitai]

Walkthrough

Updated the llama-stack submodule to a new commit. Added TLS parameters (ssl_mode and ca_cert_path) to PostgreSQL configurations within template.yaml for lightspeed-stack and llama-stack client ConfigMaps.

Changes

Cohort / File(s)	Summary of Changes
Submodule update llama-stack	Advanced submodule pointer from 9ed580e to 739b18e; no code/API changes in this repo.
PostgreSQL TLS config in Kubernetes templates template.yaml	Added ssl_mode: "verify-full" and ca_cert_path: /etc/tls/ca-bundle.pem to: lightspeed-stack-config (lightspeed-stack.yaml -> database.postgres), llama-stack-client-config (llama_stack_client_config.yaml -> providers.agents.config.persistence_store, providers.agents.config.responses_store, inference_store).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• Bump lightspeed-stack #116 — Also modifies Lightspeed Postgres configuration in template.yaml (adds inference.database.postgres block).
• enable SSL and CA cert for lightspeed-stack #133 — Adjusts Lightspeed Postgres TLS settings in template.yaml similarly (ssl_mode and ca_cert_path).

Suggested labels

approved, lgtm

Suggested reviewers

• eranco74
• jhernand
• keitwb

Tip

🔌 Remote MCP (Model Context Protocol) integration is now available!

Pro plan users can now connect to remote MCP servers from the Integrations page. Connect with popular remote MCPs such as Notion and Linear to add more context to your reviews and chats.

✨ Finishing Touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

‼️ IMPORTANT
Auto-reply has been disabled for this repository in the CodeRabbit settings. The CodeRabbit bot will not respond to your replies unless it is explicitly tagged.

• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: maorfr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [maorfr]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

template.yaml (1)

317-318: TLS enabled: verify-full requires CA presence and hostname match; consider parameterizing and tightening the secret mount

Good move adding TLS. A few gotchas to avoid surprises at runtime:

• verify-full requires the server cert’s CN/SAN to match the hostname. Ensure ASSISTED_CHAT_POSTGRES_HOST is the FQDN on the cert (not an IP).
• The CA file is mounted from a Secret, but the volume sets items.optional: true. If the key isn’t present, the pod will start but DB connections will fail due to verify-full + missing CA. Either make the item mandatory or gate ssl_mode/ca_cert_path behind params.
• For flexibility across envs, parameterize ssl_mode and ca_cert_path instead of hard-coding.

Suggested diffs within the changed lines (parameterize the values):

@@
-              ssl_mode: "verify-full"
-              ca_cert_path: /etc/tls/ca-bundle.pem
+              ssl_mode: "${DB_SSL_MODE}"
+              ca_cert_path: "${DB_CA_CERT_PATH}"
@@
-              ssl_mode: "verify-full"
-              ca_cert_path: /etc/tls/ca-bundle.pem
+              ssl_mode: "${DB_SSL_MODE}"
+              ca_cert_path: "${DB_CA_CERT_PATH}"
@@
-        ssl_mode: "verify-full"
-        ca_cert_path: /etc/tls/ca-bundle.pem
+        ssl_mode: "${DB_SSL_MODE}"
+        ca_cert_path: "${DB_CA_CERT_PATH}"

Add parameters (outside this hunk) to allow safe overrides per environment:

parameters:
- name: DB_SSL_MODE
  value: "verify-full"
  description: "PostgreSQL SSL mode: disable|allow|prefer|require|verify-ca|verify-full"
- name: DB_CA_CERT_PATH
  value: "/etc/tls/ca-bundle.pem"
  description: "Path to the PostgreSQL CA bundle inside the container"

And, to avoid silent misconfiguration, consider making the CA item non-optional (outside this hunk):

volumes:
- name: db-ca-cert
  secret:
    secretName: ${ASSISTED_CHAT_DB_SECRET_NAME}
    items:
    - key: db.ca_cert
      path: ca-bundle.pem
      optional: false

If you need to keep the CA optional for certain envs, set DB_SSL_MODE to require (or disable) when the CA isn’t provided, and keep verify-full only where the CA is mounted and hostnames match.

Also applies to: 326-327, 361-362

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 4a7696f and 0a20431.

📒 Files selected for processing (2)

• llama-stack (1 hunks)
• template.yaml (2 hunks)

🔇 Additional comments (1)

llama-stack (1)

1-1: Verify TLS support in llama-stack and manifest alignment
We’ve confirmed in template.yaml that:

• ssl_mode: "verify-full" and ca_cert_path: /etc/tls/ca-bundle.pem appear at lines 181/182, 317/318, 326/327, and 361/362.
• The CA bundle is mounted under /etc/tls with ca-bundle.pem at lines 485–486 and 547–550.
• All PostgreSQL host: entries use the ${env.ASSISTED_CHAT_POSTGRES_HOST} variable, so ensure this resolves to your service’s DNS name (not an IP) and matches the certificate SAN.

However, since submodules aren’t checked out in this sandbox, we couldn’t locate ssl_mode or ca_cert_path in the local llama-stack code. Please manually confirm that the bumped commit in the llama-stack submodule indeed adds support for these TLS fields in its configuration parsing (e.g. in the config schema or YAML loader).

[maorfr]

/test eval-test

[maorfr]

/test eval-test

[openshift-ci]

@maorfr: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/eval-test	0a20431	link	false	/test eval-test

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[eranco74]

Will this work with the DB we use for local development?
What's in /etc/tls/ca-bundle.pem

[eranco74]

OK, I see https://github.com/rh-ecosystem-edge/assisted-chat/pull/133/files
Still unclear if this doesn't break make run

[maorfr]

doesn't make run use the pod template?

[eranco74]

/lgtm