Skip to content

Commit a7255d7

Browse files
fabianvfclaudedjzager
authored andcommitted
🐛 Fix llm-proxy JWT issuer mismatch on MTA profile (#552)
The llm-proxy configmap template always used keycloak_sso_url for the JWKS URI and issuer, which resolves to mta-keycloak-rhbk on the MTA profile. However, the actual RHBK service is mta-rhbk-service, and the hub already correctly uses rhbk_url for MTA. This caused the llm-proxy to reject all JWT tokens with "Invalid JWT token" because the issuer in the token didn't match what the proxy expected. Add the same app_profile == 'mta' conditional used by the hub and UI templates so the llm-proxy uses rhbk_url on MTA and keycloak_sso_url on konveyor. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Chores** * Improved OAuth2/OpenID Connect configuration: the system now correctly interprets the authentication-required flag and selects the appropriate JWKS URI and issuer depending on the deployment profile (including a new branch for the "mta" profile). This improves authentication behavior across different environments. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Signed-off-by: Fabian von Feilitzsch <fabian@fabianism.us> Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: David Zager <dzager@redhat.com> Signed-off-by: Cherry Picker <noreply@github.com>
1 parent 66fd0be commit a7255d7

1 file changed

Lines changed: 7 additions & 1 deletion

File tree

roles/tackle/templates/kai/llm-proxy-configmap.yaml.j2

Lines changed: 7 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -104,17 +104,23 @@ data:
104104
tool_groups: []
105105
server:
106106
port: 8321
107-
{% if feature_auth_required %}
107+
{% if feature_auth_required|bool %}
108108
auth:
109109
provider_config:
110110
type: "oauth2_token"
111111
# Skip TLS verification for self-signed certificates (same as hub does)
112112
verify_tls: false
113113
jwks:
114114
# Use the same protocol and base URL that the hub uses for Keycloak
115+
{% if app_profile == 'mta' %}
116+
uri: "{{ rhbk_url }}/auth/realms/{{ keycloak_sso_realm }}/protocol/openid-connect/certs"
117+
# The issuer must match exactly what's in the JWT token from hub auth
118+
issuer: "{{ rhbk_url }}/auth/realms/{{ keycloak_sso_realm }}"
119+
{% else %}
115120
uri: "{{ keycloak_sso_url }}/auth/realms/{{ keycloak_sso_realm }}/protocol/openid-connect/certs"
116121
# The issuer must match exactly what's in the JWT token from hub auth
117122
issuer: "{{ keycloak_sso_url }}/auth/realms/{{ keycloak_sso_realm }}"
123+
{% endif %}
118124
audience: "{{ keycloak_api_audience }}"
119125
{% endif %}
120126
telemetry:

0 commit comments

Comments
 (0)