🐛 Fix llm-proxy JWT issuer mismatch on MTA profile#552
The llm-proxy configmap template always used keycloak_sso_url for the JWKS URI and issuer, which resolves to mta-keycloak-rhbk on the MTA profile. However, the actual RHBK service is mta-rhbk-service, and the hub already correctly uses rhbk_url for MTA. This caused the llm-proxy to reject all JWT tokens with "Invalid JWT token" because the issuer in the token didn't match what the proxy expected. Add the same app_profile == 'mta' conditional used by the hub and UI templates so the llm-proxy uses rhbk_url on MTA and keycloak_sso_url on konveyor. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: Fabian von Feilitzsch <fabian@fabianism.us>
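To make the failure described above concrete, here is an added example (not code from the operator or from this PR) that mirrors the template's issuer selection for both the old and the fixed template and applies the exact-match issuer check a proxy performs on the token's iss claim. The variable values are constructed sample data, not the operator's real defaults.

```python
import base64
import json

# Sample values as they would resolve on an MTA profile (constructed for this
# example, not copied from roles/tackle/defaults/main.yml).
MTA_VARS = {
    "app_profile": "mta",
    "app_namespace": "openshift-mta",
    "keycloak_sso_realm": "tackle",
    "keycloak_sso_url": "https://mta-keycloak-rhbk.openshift-mta.svc:8443",
    "rhbk_url": "https://mta-rhbk-service.openshift-mta.svc:8443",
}


def render_issuer(v, fixed=True):
    """Mirror the template's issuer line. The fixed template picks rhbk_url on
    the 'mta' profile; the old template always used keycloak_sso_url."""
    use_rhbk = fixed and v["app_profile"] == "mta"
    base = v["rhbk_url"] if use_rhbk else v["keycloak_sso_url"]
    return f"{base}/auth/realms/{v['keycloak_sso_realm']}"


def jwks_uri(issuer):
    """JWKS endpoint derived from the same base as the issuer."""
    return f"{issuer}/protocol/openid-connect/certs"


def make_unsigned_token(claims):
    """Build header.payload.signature with a placeholder signature. This is
    constructed test data only; a real token would be signed by Keycloak."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.sig"


def issuer_matches(token, expected_issuer):
    """The check the proxy applies before trusting a token: iss must equal the
    configured issuer byte for byte (scheme, host, port and path). Signature
    verification against the JWKS URI is a separate, still required step."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    return claims.get("iss") == expected_issuer
```

With the old template the hub-issued token (iss based on rhbk_url) fails the check, which is the "Invalid JWT token" rejection; with the conditional in place the rendered issuer equals the claim.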
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@roles/tackle/templates/kai/llm-proxy-configmap.yaml.j2`, around lines 115-123: The rhbk_url default is constructed using the wrong protocol/port vars (it uses rhsso_proto and rhsso_port), which causes incorrect URLs when rhbk_tls_enabled differs. Update the rhbk_url definition in defaults to use rhbk_proto and rhbk_port (or compute rhbk_proto/rhbk_port from rhbk_tls_enabled the same way rhsso_* are computed) so rhbk_url consistently reflects rhbk_tls_enabled and the intended rhbk_* values referenced by templates like llm-proxy-configmap.yaml.j2 and deployment-hub.yml.j2.
📒 Files selected for processing (1)
roles/tackle/templates/kai/llm-proxy-configmap.yaml.j2
| {% if app_profile == 'mta' %} | ||
| uri: "{{ rhbk_url }}/auth/realms/{{ keycloak_sso_realm }}/protocol/openid-connect/certs" | ||
| # The issuer must match exactly what's in the JWT token from hub auth | ||
| issuer: "{{ rhbk_url }}/auth/realms/{{ keycloak_sso_realm }}" | ||
| {% else %} | ||
| uri: "{{ keycloak_sso_url }}/auth/realms/{{ keycloak_sso_realm }}/protocol/openid-connect/certs" | ||
| # The issuer must match exactly what's in the JWT token from hub auth | ||
| issuer: "{{ keycloak_sso_url }}/auth/realms/{{ keycloak_sso_realm }}" | ||
| {% endif %} |
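Review bot: The two branches of the `{% if app_profile == 'mta' %}` block differ only in the base URL variable, while the `uri:` line, the comment and the `issuer:` line are repeated verbatim; consider selecting the base once (for example `{% set sso_base = rhbk_url if app_profile == 'mta' else keycloak_sso_url %}`) and rendering the three lines a single time, so the JWKS URI and the issuer cannot drift apart if one branch is edited later. Since the issuer comparison is exact, it is also worth confirming that rhbk_url resolves to the same scheme and port the hub's KEYCLOAK_HOST uses on every cluster type.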
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify rhbk_url construction and check if rhsso/rhbk TLS settings could diverge
echo "=== Checking rhbk_url definition ==="
rg -n 'rhbk_url:' roles/tackle/defaults/
echo ""
echo "=== Checking rhsso_tls_enabled vs rhbk_tls_enabled definitions ==="
rg -n '(rhsso_tls_enabled|rhbk_tls_enabled):' roles/tackle/defaults/
echo ""
echo "=== Checking all usages of rhbk_url to see if this is a known pattern ==="
rg -n 'rhbk_url' --type jinja2 2>/dev/null || rg -n 'rhbk_url' -g '*.j2'
Repository: konveyor/operator
Length of output: 1006
Conditional pattern is consistent with hub deployment.
The app_profile == 'mta' conditional mirrors the pattern in deployment-hub.yml.j2 for KEYCLOAK_HOST, ensuring the LLM proxy uses the same Keycloak endpoint as the hub.
However, note a pre-existing bug in roles/tackle/defaults/main.yml (line 276) affecting rhbk_url construction:
rhbk_url: "{{ rhsso_proto }}://{{ rhbk_service_name }}-service.{{ app_namespace }}.svc:{{ rhsso_port }}"
The rhbk_url uses rhsso_proto and rhsso_port instead of rhbk_proto and rhbk_port. Since rhsso_tls_enabled is always true but rhbk_tls_enabled is conditional on OpenShift clusters, rhbk_url will have incorrect protocol/port values on non-OpenShift clusters. This affects deployments of the UI, hub, and kai/llm-proxy.
djzager
left a comment
Doing this will prevent this section from showing up in the llm-proxy configuration when auth is disabled.
Co-authored-by: David Zager <dzager@redhat.com> Signed-off-by: Fabian von Feilitzsch <fabian@fabianism.us>
The llm-proxy configmap template always used keycloak_sso_url for the JWKS URI and issuer, which resolves to mta-keycloak-rhbk on the MTA profile. However, the actual RHBK service is mta-rhbk-service, and the hub already correctly uses rhbk_url for MTA. This caused the llm-proxy to reject all JWT tokens with "Invalid JWT token" because the issuer in the token didn't match what the proxy expected. Add the same app_profile == 'mta' conditional used by the hub and UI templates so the llm-proxy uses rhbk_url on MTA and keycloak_sso_url on konveyor.
Summary by CodeRabbit
* Chores
* Improved OAuth2/OpenID Connect configuration: the system now correctly interprets the authentication-required flag and selects the appropriate JWKS URI and issuer depending on the deployment profile (including a new branch for the "mta" profile). This improves authentication behavior across different environments.
Signed-off-by: Fabian von Feilitzsch <fabian@fabianism.us>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: David Zager <dzager@redhat.com>
Signed-off-by: Cherry Picker <noreply@github.com>
PR cherry-picked to branch release-0.9. Backport PR: #554 |