Add chai-bot service account for MCP write access#81417
Hi @arnavmeduri. Thanks for your PR. I'm waiting for an openshift member to verify that this patch is reasonable to test. If it is, they should reply with
Tip: We noticed you've done this a few times! Consider joining the org to skip this step and gain
Once the patch is verified, the new status will be reflected by the
I understand the commands that are listed here.
Details: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: arnavmeduri
The full list of commands accepted by this bot can be found here.
Details: Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Walkthrough
This PR adds chai-bot Kubernetes credentials and RBAC for ship-status, mounts the token into the dashboard deployment, and adds the service account to several dashboard ownership entries.
Changes: chai-bot auth and dashboard wiring
Estimated code review effort: 3 (Moderate) | ~20 minutes
Pre-merge checks: 15 passed
Actionable comments posted: 1
🧹 Nitpick comments (1)
clusters/app.ci/ship-status-dash/dashboard/chai-bot-serviceaccount.yaml (1)
9-18: 🔒 Security & Privacy | 🔵 Trivial
Non-expiring token: plan for rotation and least-privilege RBAC.
This manually-created `kubernetes.io/service-account-token` Secret produces a token that never expires and won't rotate. This is the documented approach for obtaining a token for an identity other than the pod's own (needed here since the deployment's pod runs as the `ship-status` SA, not `chai-bot`), so the mechanism itself is appropriate. However, since this token is used for mutating operations (create/update/delete outages) and has no built-in expiry, ensure: (1) `chai-bot` is bound to the minimum RBAC/SAR permissions needed (see companion comment in `deployment.yaml`), and (2) there's a process to manually rotate/revoke this token if it's ever suspected leaked, since the cluster won't do it automatically.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@clusters/app.ci/ship-status-dash/dashboard/chai-bot-serviceaccount.yaml` around lines 9 - 18, The Secret in chai-bot-serviceaccount.yaml intentionally uses a non-expiring service-account token, so update the surrounding setup to account for that risk. Keep the token mechanism, but ensure the chai-bot identity has only the minimum RBAC needed for the mutating outages workflow, and add a clear rotation/revocation plan for the chai-bot-token Secret since it will not expire or rotate automatically.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@clusters/app.ci/ship-status-dash/dashboard/deployment.yaml`:
- Around line 180-185: The deployment mounts the chai-bot token, but the
workload still lacks the RBAC needed for oauth-proxy to authorize requests. Add
the missing namespaces/get permission by creating or updating the
Role/ClusterRole and the corresponding RoleBinding/ClusterRoleBinding for
chai-bot, and make sure the existing deployment for SHIP_STATUS_AUTH_TOKEN_FILE
continues to use that service account.
📒 Files selected for processing (3)
- clusters/app.ci/ship-status-dash/dashboard/chai-bot-serviceaccount.yaml
- clusters/app.ci/ship-status-dash/dashboard/deployment.yaml
- core-services/ship-status/dashboard-config.yaml
@coderabbitai full review

✅ Action performed: Full review finished.
🧹 Nitpick comments (1)
clusters/app.ci/ship-status-dash/dashboard/chai-bot-serviceaccount.yaml (1)
1-19: 🔒 Security & Privacy | 🔵 Trivial | 💤 Low value
Static, non-expiring SA token: consider a rotation story.
This creates a long-lived `kubernetes.io/service-account-token` Secret for `chai-bot`. Unlike TokenRequest-based bound/projected tokens, this token does not expire or auto-rotate. Given it's used for write/authenticated operations from the MCP server, consider documenting a manual rotation process or periodic re-issuance, since a leaked token here has no automatic mitigation.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@clusters/app.ci/ship-status-dash/dashboard/chai-bot-serviceaccount.yaml` around lines 1 - 19, The chai-bot ServiceAccount Secret is a long-lived static token with no auto-rotation, so update the manifest or accompanying documentation around chai-bot to include a clear rotation/re-issuance story. Use the ServiceAccount and Secret definitions in chai-bot-serviceaccount.yaml to add guidance for manual token rotation or switch the auth flow to a TokenRequest/projected token approach if supported by the MCP server.
📒 Files selected for processing (4)
- clusters/app.ci/ship-status-dash/dashboard/chai-bot-serviceaccount.yaml
- clusters/app.ci/ship-status-dash/dashboard/deployment.yaml
- clusters/app.ci/ship-status-dash/dashboard/rbac.yaml
- core-services/ship-status/dashboard-config.yaml
Creates a ServiceAccount and token Secret for the chai-bot MCP server to authenticate write operations (create/update/delete outages).
Changes:
- `chai-bot` ServiceAccount + `kubernetes.io/service-account-token` Secret
- `namespaces/get` (required by oauth-proxy delegate-urls)
- `chai-bot` SA to component owners in dashboard config

Summary by CodeRabbit
This updates the OpenShift CI `ship-status` dashboard infrastructure so the `chai-bot` MCP server can authenticate and perform privileged write operations (e.g., outage create/update/delete) through `oauth-proxy`. It introduces a dedicated `chai-bot` `ServiceAccount` plus a `kubernetes.io/service-account-token` Secret (`chai-bot-token`), mounts that token into the `ship-status-mcp` container, and points the container to it via `SHIP_STATUS_AUTH_TOKEN_FILE`. It also adds cluster-wide RBAC for the `chai-bot` service account, specifically `namespaces/get` to support `oauth-proxy` delegate-URL lookups, and updates `dashboard-config.yaml` to include `system:serviceaccount:ship-status:chai-bot` as an owner for the relevant dashboard components (Hook, Boskos, Downstream CI, Sippy, and Build Farm).
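The review comments above turn on one property of the `chai-bot-token` Secret: a `kubernetes.io/service-account-token` Secret holds a legacy JWT with no `exp` claim, whereas a TokenRequest/projected token carries `exp` and `aud`. The script below is an added example (not code from this PR or from the ship-status project) that decodes a service-account JWT payload without verifying its signature and reports which kind of token it is, when it expires, and how it can be revoked. The two sample tokens are constructed in the script with placeholder signatures; the pod name, the uid values, the fixed clock and the 90-day lifetime threshold are assumptions, while the namespace `ship-status`, the Secret name `chai-bot-token` and the SA names come from the PR.

```python
"""Classify a Kubernetes service-account JWT as legacy (Secret-based, never expires)
or bound (TokenRequest/projected, expiring) and list rotation findings.

Added example, not part of the PR. The signature is NOT verified: this inspects a
token you already hold; it is not an authenticator.
"""
import base64
import json
import time


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_jwt(claims):
    """Build a JWT-shaped string with a placeholder signature (constructed sample only)."""
    header = {"alg": "RS256", "kid": "sample"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        _b64url_encode(b"not-a-real-signature"),
    ])


NOW = 1_700_000_000  # fixed clock (assumption) so results are reproducible

# Constructed legacy token: the claim set written into a kubernetes.io/service-account-token
# Secret by the controller manager. Note: no exp and no aud. The uid is assumed.
LEGACY_TOKEN = make_sample_jwt({
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "ship-status",
    "kubernetes.io/serviceaccount/secret.name": "chai-bot-token",
    "kubernetes.io/serviceaccount/service-account.name": "chai-bot",
    "kubernetes.io/serviceaccount/service-account.uid": "00000000-0000-0000-0000-000000000001",
    "sub": "system:serviceaccount:ship-status:chai-bot",
})

# Constructed bound token: what a projected serviceAccountToken volume / TokenRequest
# issues for the pod's own SA. Pod name and uids are assumptions.
BOUND_TOKEN = make_sample_jwt({
    "iss": "https://kubernetes.default.svc",
    "aud": ["https://kubernetes.default.svc"],
    "iat": NOW - 60,
    "nbf": NOW - 60,
    "exp": NOW + 86400,
    "kubernetes.io": {
        "namespace": "ship-status",
        "pod": {"name": "ship-status-dash-0", "uid": "00000000-0000-0000-0000-000000000002"},
        "serviceaccount": {"name": "ship-status", "uid": "00000000-0000-0000-0000-000000000003"},
    },
    "sub": "system:serviceaccount:ship-status:ship-status",
})


def inspect_sa_token(token, now=None, max_lifetime_days=90):
    """Decode the payload (unverified) and return a summary plus rotation findings."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    claims = json.loads(_b64url_decode(parts[1]))
    now = int(time.time()) if now is None else now

    exp = claims.get("exp")
    secret_name = claims.get("kubernetes.io/serviceaccount/secret.name")
    # Bound tokens carry exp plus the structured "kubernetes.io" claim object.
    bound = exp is not None and "kubernetes.io" in claims

    findings = []
    if exp is None:
        findings.append("no exp claim: legacy Secret-based token, never expires; rotation is manual")
    elif exp <= now:
        findings.append("token already expired")
    elif exp - now > max_lifetime_days * 86400:
        findings.append("lifetime exceeds %d days; prefer a shorter TokenRequest expiry" % max_lifetime_days)
    if secret_name:
        # The apiserver rejects a legacy token once its backing Secret is gone.
        findings.append("revoke by deleting Secret %s (the token is invalidated with it)" % secret_name)
    if not claims.get("aud"):
        findings.append("no aud claim: token is not audience-bound")

    return {
        "subject": claims.get("sub"),
        "bound": bound,
        "expires_in_days": None if exp is None else (exp - now) / 86400,
        "audiences": claims.get("aud"),
        "secret_name": secret_name,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, tok in (("legacy", LEGACY_TOKEN), ("bound", BOUND_TOKEN)):
        print(label, json.dumps(inspect_sa_token(tok, now=NOW), indent=2))
```

To run it against the real token, feed it the decoded `token` key of the Secret (`kubectl -n ship-status get secret chai-bot-token -o jsonpath='{.data.token}' | base64 -d`); it will report the legacy shape and name the Secret whose deletion revokes it. The companion check for the least-privilege point in the review is `kubectl auth can-i --list --as=system:serviceaccount:ship-status:chai-bot`, which should show little beyond the `namespaces` `get` the PR description says oauth-proxy needs.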