
Run eval with vertex instead of Gemini#228

Merged

openshift-merge-bot[bot] merged 1 commit into rh-ecosystem-edge:main from omertuc:nogemini on Oct 15, 2025

Conversation

@omertuc (Member) commented Oct 14, 2025

This is an attempt to run the eval test judge model with vertex instead of Gemini

If this works, we can remove Gemini and its credentials from the CI to align ourselves better with what we run in prod.

Summary by CodeRabbit

  • Tests

    • CI evaluation now runs with a Vertex-based judge provider and passes the provider flag to the evaluator.
    • CI environment setup writes a non-sensitive placeholder for the API key to avoid exposing secrets.
  • Chores

    • Job templates now support injecting Google Vertex credentials via environment variable and mounted secret, with new parameters to reference the secret names.
    • CI image now includes Google Cloud AI client tooling; minor formatting/alignment tweaks.

@openshift-ci openshift-ci bot requested review from carbonin and eranco74 October 14, 2025 13:31
coderabbitai bot commented Oct 14, 2025

Walkthrough

Adds Vertex AI credential handling to Prow test artifacts: entrypoint.sh writes GEMINI_API_KEY=dummy, appends GOOGLE_APPLICATION_CREDENTIALS to .env, and launches eval.py with --judge_provider="vertex". template.yaml mounts a Vertex service-account secret and adds VERTEX_API_SECRET_NAME and VERTEX_API_SECRET_KEY_NAME parameters. The Dockerfile installs google-cloud-aiplatform.

Changes

Cohort / File(s): Summary

Prow entrypoint updates (test/prow/entrypoint.sh): Writes GEMINI_API_KEY=dummy to .env, appends GOOGLE_APPLICATION_CREDENTIALS=${GOOGLE_APPLICATION_CREDENTIALS} to .env, and adds --judge_provider="vertex" to the python eval.py invocation.

Prow Job template wiring (test/prow/template.yaml): Adds env var GOOGLE_APPLICATION_CREDENTIALS pointing to /opt/app-root/google-vertex-service-account.json; mounts a secret volume using parameters VERTEX_API_SECRET_NAME and VERTEX_API_SECRET_KEY_NAME; adds those two template parameters; minor formatting alignment.

Test image dependencies (test/prow/Dockerfile): Adds installation of google-cloud-aiplatform (alongside yq) during image build.

Sequence Diagram(s)

sequenceDiagram
    participant K8s as Kubernetes Job (container)
    participant Entrypoint as entrypoint.sh
    participant FS as Container filesystem (.env)
    participant Eval as python eval.py

    Note over K8s: Secret mounted at /opt/app-root/google-vertex-service-account.json
    K8s->>Entrypoint: start container
    Entrypoint->>FS: write "GEMINI_API_KEY=dummy" to .env
    Entrypoint->>FS: append "GOOGLE_APPLICATION_CREDENTIALS=/opt/app-root/google-vertex-service-account.json" to .env
    Entrypoint->>Eval: exec python eval.py ... --judge_provider="vertex"
    Eval->>K8s: uses GOOGLE_APPLICATION_CREDENTIALS for Vertex AI calls

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

  • carbonin

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
Title Check: Passed. The title succinctly describes the key change of replacing Gemini with Vertex for the evaluation provider, directly reflecting the PR's primary objective.
Docstring Coverage: Passed. No functions found in the changes. Docstring coverage check skipped.

@coderabbitai bot left a comment

Actionable comments posted: 3

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6667b84 and a4a954c.

📒 Files selected for processing (2)
  • test/prow/entrypoint.sh (1 hunks)
  • test/prow/template.yaml (2 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Red Hat Konflux / assisted-chat-test-image-saas-main-on-pull-request
  • GitHub Check: Red Hat Konflux / assisted-chat-saas-main-on-pull-request
🔇 Additional comments (2)
test/prow/template.yaml (2)

74-77: Params LGTM; verify secret/key names exist and match the mounted filename.

  • Names look reasonable. Ensure the secret key name equals the filename you expect under the mount (used in the path).

79-79: OCM_BASE_URL value change noted.

Looks fine for stage. Confirm this aligns with the AGENT envs for the CI cluster.

@omertuc (Member, Author) commented Oct 14, 2025

/retest

@coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 67ddf6f and 5dc8564.

📒 Files selected for processing (3)
  • test/prow/Dockerfile (1 hunks)
  • test/prow/entrypoint.sh (1 hunks)
  • test/prow/template.yaml (3 hunks)

Comment on lines +50 to +53 (test/prow/template.yaml):

        volumeMounts:
        - name: google-vertex-service-account
          mountPath: /opt/app-root/google-vertex-service-account.json
          subPath: ${VERTEX_API_SECRET_KEY_NAME}

⚠️ Potential issue | 🔴 Critical

Fix indentation: volumeMounts must live inside the container spec

Right now volumeMounts is aligned with the pod spec (same level as containers), so the generated manifest is invalid—Kubernetes rejects volumeMounts outside an individual container. Indent the block so it stays under - name: assisted-chat-eval-test (and mark it read-only while you’re there).

-        volumeMounts:
-        - name: google-vertex-service-account
-          mountPath: /opt/app-root/google-vertex-service-account.json
-          subPath: ${VERTEX_API_SECRET_KEY_NAME}
+          volumeMounts:
+          - name: google-vertex-service-account
+            mountPath: /opt/app-root/google-vertex-service-account.json
+            subPath: ${VERTEX_API_SECRET_KEY_NAME}
+            readOnly: true
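Review bot: the added `readOnly: true` is the right call, but note what a `subPath` mount of a single key implies: the container sees one file that kubelet does not refresh when the Secret is rotated, so a rotated service-account key only takes effect on a freshly scheduled pod. That is acceptable for a per-run CI job, but worth a one-line comment next to the mount. Also confirm that a volume named google-vertex-service-account is declared under the pod-level `volumes` (the later review places it at lines 54-57), otherwise the re-indented mount still fails validation.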


@coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (6)
test/prow/Dockerfile (1)

5-5: Pin dependency versions for reproducible CI builds

Unpinned google-cloud-aiplatform (and yq) may introduce breaking changes. Pin versions or use a constraints/requirements file.

Example:

-RUN pip install yq google-cloud-aiplatform
+RUN pip install \
+  yq==4.44.3 \
+  google-cloud-aiplatform==1.70.0
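Review bot: the two pinned versions in this hunk are illustrative and one looks wrong for the index being used: `yq==4.44.3` follows the release numbering of the Go yq (mikefarah/yq), whereas `pip install yq` resolves to the Python yq project on PyPI, whose releases are in the 3.x series. Take the pins from PyPI itself, and since this image handles cloud credentials, consider `pip install --require-hashes -r requirements.txt` so the pinned versions are also hash-verified rather than trusted by name alone.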
test/prow/entrypoint.sh (2)

23-24: Drop .env writes and the dummy GEMINI key

  • Writing .env is unnecessary; GOOGLE_APPLICATION_CREDENTIALS is already provided via env as a file path.
  • GEMINI_API_KEY=dummy is misleading now that --judge_provider=vertex is used.

Remove both lines.

-echo "GEMINI_API_KEY=dummy" > .env
-echo "GOOGLE_APPLICATION_CREDENTIALS=${GOOGLE_APPLICATION_CREDENTIALS}" >> .env
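Review bot: before deleting the `GEMINI_API_KEY=dummy` line, check how eval.py loads its configuration; if it reads `.env` (for example through python-dotenv) and requires GEMINI_API_KEY at startup regardless of `--judge_provider=vertex`, this removal fails the job, and the proper fix then belongs in eval.py so that the key is only required by the gemini provider. Dropping the `GOOGLE_APPLICATION_CREDENTIALS` line is safe as stated, since template.yaml already puts that variable in the process environment.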

19-19: Quote paths/vars to avoid word-splitting and globbing issues

Safer, more robust shell usage.

-cd $TEMP_DIR
+cd "$TEMP_DIR"
-
-cp $TEST_DIR/eval_data.yaml $TEMP_DIR/eval_data.yaml
-sed -i "s/uniq-cluster-name/${UNIQUE_ID}/g" $TEMP_DIR/eval_data.yaml
-sed -i "s|: ../scripts|: ${WORK_DIR}/test/scripts|g" $TEMP_DIR/eval_data.yaml
-
-python $TEST_DIR/eval.py --agent_endpoint "${AGENT_URL}:${AGENT_PORT}" --agent_auth_token_file $TEMP_DIR/ocm_token.txt --eval_data_yaml $TEMP_DIR/eval_data.yaml --judge_provider="vertex"
+cp "$TEST_DIR/eval_data.yaml" "$TEMP_DIR/eval_data.yaml"
+sed -i "s/uniq-cluster-name/${UNIQUE_ID}/g" "$TEMP_DIR/eval_data.yaml"
+sed -i "s|: ../scripts|: ${WORK_DIR}/test/scripts|g" "$TEMP_DIR/eval_data.yaml"
+python "$TEST_DIR/eval.py" \
+  --agent_endpoint "${AGENT_URL}:${AGENT_PORT}" \
+  --agent_auth_token_file "$TEMP_DIR/ocm_token.txt" \
+  --eval_data_yaml "$TEMP_DIR/eval_data.yaml" \
+  --judge_provider="vertex"
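Review bot: quoting the paths fixes word-splitting, but the two `sed` lines still interpolate `${UNIQUE_ID}` and `${WORK_DIR}` directly into the replacement text, where the chosen delimiters (`/` and `|`), `&` and `\` are metacharacters; either validate both values against a safe character class (for example `[A-Za-z0-9._/-]`) before the substitution or escape them. In addition, `cd "$TEMP_DIR"` should abort the script when the directory is missing (`cd "$TEMP_DIR" || exit 1`, or `set -euo pipefail` at the top), otherwise the following `cp` and `sed` run in whatever the current directory happens to be.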

Also applies to: 26-30

test/prow/template.yaml (3)

50-53: Mount secret read-only

Add readOnly: true on the volumeMount for defense-in-depth.

           volumeMounts:
           - name: google-vertex-service-account
             mountPath: /opt/app-root/google-vertex-service-account.json
             subPath: ${VERTEX_API_SECRET_KEY_NAME}
+            readOnly: true
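Review bot: this `readOnly: true` duplicates the mount change already proposed in the critical comment on the same lines 50-53, so only one of the two suggestions should be committed to avoid a duplicate key in the mount entry. It also guards only against writes: every process in the container can still read the key file, so the control that actually bounds the blast radius is the IAM binding of the service account referenced by VERTEX_API_SECRET_NAME (grant it only the Vertex AI roles the judge needs), which is worth recording beside that parameter.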

35-39: Remove Gemini secret from the container if no longer used

If the judge is now Vertex-only, drop the GEMINI_API_KEY env to simplify CI and reduce secret surface.

-          - name: GEMINI_API_KEY
-            valueFrom:
-              secretKeyRef:
-                key: ${GEMINI_API_SECRET_KEY_NAME}
-                name: ${GEMINI_API_SECRET_NAME}
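Review bot: removing this `secretKeyRef` only makes sense together with the matching changes elsewhere in the PR, namely the `GEMINI_API_KEY=dummy` write in entrypoint.sh and the template parameters at lines 75-82; applied alone, the template keeps declaring GEMINI_API_SECRET_NAME and GEMINI_API_SECRET_KEY_NAME with no consumer. Once the env entry is gone, also delete the `gemini` Secret object from the CI namespace and revoke the key it held, since an unused credential that remains mounted or stored is still exposure if the namespace is compromised.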

75-82: Also remove Gemini parameters if unused

Clean up template parameters to avoid confusion.

-- name: GEMINI_API_SECRET_NAME
-  value: gemini
-- name: GEMINI_API_SECRET_KEY_NAME
-  value: api_key
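Review bot: these parameters are consumed by the `secretKeyRef` at lines 35-39, so if this hunk lands without the one removing that env entry, template processing will either fail on the missing parameters or leave `${GEMINI_API_SECRET_NAME}` and `${GEMINI_API_SECRET_KEY_NAME}` unresolved in the generated Job; land both removals in the same commit.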
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5dc8564 and b3ccd79.

📒 Files selected for processing (3)
  • test/prow/Dockerfile (1 hunks)
  • test/prow/entrypoint.sh (1 hunks)
  • test/prow/template.yaml (3 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Red Hat Konflux / assisted-chat-test-image-saas-main-on-pull-request
  • GitHub Check: Red Hat Konflux / assisted-chat-saas-main-on-pull-request
🔇 Additional comments (2)
test/prow/template.yaml (2)

40-41: Good: ADC points to a filesystem path

Setting GOOGLE_APPLICATION_CREDENTIALS to the mounted file path matches ADC requirements.


54-57: Volumes placement looks correct

volumes is at the pod spec level, sibling to containers. LGTM.
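The first review asks to verify that the secret and key names match the mounted filename, and the comments above concern the mounted service-account key. The preflight check below is an added example for this page, not code from the PR or from the assisted-chat repository. It assumes the layout in template.yaml (GOOGLE_APPLICATION_CREDENTIALS names a single JSON key file mounted via subPath) and is meant to run at the top of an entrypoint before eval.py is launched, so a name mismatch fails fast with a message that names the problem without ever printing the key. The `check_adc_file` and `preflight_demo` names and the sample JSON are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the PR: preflight check for the Vertex credential
# file before launching eval.py. Assumes the template.yaml layout, where
# GOOGLE_APPLICATION_CREDENTIALS points at one JSON key mounted via subPath.

# check_adc_file PATH
#   Returns 0 if PATH is a usable service-account key file, 1 otherwise.
#   Diagnostics go to stderr and never include the file's contents.
check_adc_file() {
  adc_path="$1"
  if [ -z "$adc_path" ]; then
    echo "preflight: GOOGLE_APPLICATION_CREDENTIALS is unset" >&2
    return 1
  fi
  if [ ! -f "$adc_path" ]; then
    # Typical cause: VERTEX_API_SECRET_KEY_NAME does not name a key in the
    # Secret, so the subPath mount yields no regular file at the mount path.
    echo "preflight: $adc_path is not a regular file (secret name/key mismatch?)" >&2
    return 1
  fi
  if [ ! -s "$adc_path" ]; then
    echo "preflight: $adc_path is empty" >&2
    return 1
  fi
  if [ ! -r "$adc_path" ]; then
    echo "preflight: $adc_path is not readable by uid $(id -u)" >&2
    return 1
  fi
  # Service-account JSON keys carry "type": "service_account"; a user ADC
  # file ("authorized_user") or a stray non-JSON secret must not pass silently.
  if ! grep -q '"type"[[:space:]]*:[[:space:]]*"service_account"' "$adc_path"; then
    echo "preflight: $adc_path is not a service_account key" >&2
    return 1
  fi
  return 0
}

# preflight_demo
#   Exercises the check on a constructed sample key (no real key material) and
#   on a deliberately wrong file; returns 0 when both behave as expected.
preflight_demo() {
  demo_dir=$(mktemp -d) || return 1
  # Constructed sample shaped like a service-account key; "REDACTED" is a stand-in.
  printf '{"type": "service_account", "project_id": "constructed-project", "private_key": "REDACTED"}\n' > "$demo_dir/sa.json"
  printf '{"type": "authorized_user"}\n' > "$demo_dir/user.json"
  check_adc_file "$demo_dir/sa.json" || return 1
  check_adc_file "$demo_dir/user.json" 2>/dev/null && return 1
  rm -rf "$demo_dir"
  return 0
}

# Usage in an entrypoint, just before the eval.py invocation:
#   check_adc_file "$GOOGLE_APPLICATION_CREDENTIALS" || exit 1
```

The check deliberately reads only the `type` field with `grep -q`, so a failing CI log shows which condition tripped (unset variable, missing file, wrong key type) and nothing from the credential itself.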

@omertuc (Member, Author) commented Oct 15, 2025

/retest


openshift-ci bot commented Oct 15, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: carbonin, omertuc

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-merge-bot merged commit f89e5a2 into rh-ecosystem-edge:main on Oct 15, 2025
8 checks passed