Add chai-bot service account for MCP write access #81417

Open
arnavmeduri wants to merge 1 commit into openshift:main from arnavmeduri:chai-bot-sa

Conversation

arnavmeduri (Contributor) commented Jul 2, 2026

Creates a ServiceAccount and token Secret for the chai-bot MCP server to authenticate write operations (create/update/delete outages).

Changes:

  • New chai-bot ServiceAccount + kubernetes.io/service-account-token Secret
  • ClusterRole + ClusterRoleBinding granting namespaces/get (required by oauth-proxy delegate-urls)
  • Mount token into MCP container
  • Add chai-bot SA to component owners in dashboard config

Summary by CodeRabbit

This updates the OpenShift CI ship-status dashboard infrastructure so the chai-bot MCP server can authenticate and perform privileged write operations (e.g., outage create/update/delete) through oauth-proxy. It introduces a dedicated chai-bot ServiceAccount plus a kubernetes.io/service-account-token Secret (chai-bot-token), mounts that token into the ship-status-mcp container, and points the container to it via SHIP_STATUS_AUTH_TOKEN_FILE. It also adds cluster-wide RBAC for the chai-bot service account—specifically namespaces/get to support oauth-proxy delegate-URL lookups—and updates dashboard-config.yaml to include system:serviceaccount:ship-status:chai-bot as an owner for the relevant dashboard components (Hook, Boskos, Downstream CI, Sippy, and Build Farm).

@openshift-merge-bot openshift-merge-bot Bot added the rehearsals-ack Signifies that rehearsal jobs have been acknowledged label Jul 2, 2026
@openshift-ci openshift-ci Bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Jul 2, 2026
openshift-ci Bot (Contributor) commented Jul 2, 2026

Hi @arnavmeduri. Thanks for your PR.

I'm waiting for an openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Tip

We noticed you've done this a few times! Consider joining the org to skip this step and gain /lgtm and other bot rights. We recommend asking approvers on your previous PRs to sponsor you.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci openshift-ci Bot requested review from Prucek and smg247 July 2, 2026 18:02
openshift-ci Bot (Contributor) commented Jul 2, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: arnavmeduri
Once this PR has been reviewed and has the lgtm label, please assign bear-redhat for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

coderabbitai Bot (Contributor) commented Jul 2, 2026

Walkthrough

This PR adds chai-bot Kubernetes credentials and RBAC for ship-status, mounts the token into the dashboard deployment, and adds the service account to several dashboard ownership entries.

Changes

chai-bot auth and dashboard wiring

Layer: Service account and token secret
File(s): clusters/app.ci/ship-status-dash/dashboard/chai-bot-serviceaccount.yaml
Summary: Adds a ServiceAccount named chai-bot and a matching kubernetes.io/service-account-token Secret named chai-bot-token in the ship-status namespace.

Layer: RBAC and deployment token mount
File(s): clusters/app.ci/ship-status-dash/dashboard/rbac.yaml, clusters/app.ci/ship-status-dash/dashboard/deployment.yaml
Summary: Adds ship-status-chai-bot RBAC, sets SHIP_STATUS_AUTH_TOKEN_FILE, mounts the chai-bot-token Secret into ship-status-mcp, and adds the Secret-backed Pod volume.

Layer: Dashboard ownership entries
File(s): core-services/ship-status/dashboard-config.yaml
Summary: Adds system:serviceaccount:ship-status:chai-bot to the owners lists for Hook, Boskos, Downstream CI, Sippy, and Build Farm.

Estimated code review effort: 3 (Moderate) | ~20 minutes

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main change: adding the chai-bot service account to enable MCP write access.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed No Ginkgo test definitions were added or changed; the modified files are YAML manifests/config and contain no It/Describe/Context/When titles.
Test Structure And Quality ✅ Passed No Ginkgo tests were added or modified; the PR only changes YAML manifests and dashboard config, so the test-structure check is not applicable.
Microshift Test Compatibility ✅ Passed No new Ginkgo e2e tests were added; the PR only changes YAML manifests and dashboard config, so MicroShift test compatibility is not applicable.
Single Node Openshift (Sno) Test Compatibility ✅ Passed PR only changes YAML manifests/config; no Ginkgo e2e tests were added, so SNO compatibility is not applicable.
Topology-Aware Scheduling Compatibility ✅ Passed Changed manifests add SA/Secret/RBAC and a token mount; no nodeSelector, affinity, topologySpread, tolerations, or PDB changes were introduced.
Ote Binary Stdout Contract ✅ Passed PASS: The PR only changes Kubernetes YAML manifests (ServiceAccount, Secret, Deployment, RBAC, config); no binary/main/TestMain/init code or stdout writes were added.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed No Ginkgo/e2e test files were added; the PR only changes Kubernetes manifests and config, so the IPv6/disconnected test check is not applicable.
No-Weak-Crypto ✅ Passed No weak crypto, custom crypto, or secret/token comparisons were added; the only crypto string is sha256 for oauth-proxy signature-key.
Container-Privileges ✅ Passed Reviewed the changed manifests; none set privileged, hostPID/network/IPC, allowPrivilegeEscalation, or SYS_ADMIN, and no explicit root settings appear.
No-Sensitive-Data-In-Logs ✅ Passed The PR only adds Kubernetes manifests/config; I found no new logging or log output exposing secrets, PII, or internal data.

coderabbitai Bot (Contributor) left a review comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
clusters/app.ci/ship-status-dash/dashboard/chai-bot-serviceaccount.yaml (1)

9-18: 🔒 Security & Privacy | 🔵 Trivial

Non-expiring token: plan for rotation and least-privilege RBAC.

This manually-created kubernetes.io/service-account-token Secret produces a token that never expires and won't rotate — this is the documented approach for obtaining a token for an identity other than the pod's own (needed here since the deployment's pod runs as the ship-status SA, not chai-bot), so the mechanism itself is appropriate. However, since this token is used for mutating operations (create/update/delete outages) and has no built-in expiry, ensure: (1) chai-bot is bound to the minimum RBAC/SAR permissions needed (see companion comment in deployment.yaml), and (2) there's a process to manually rotate/revoke this token if it's ever suspected leaked, since the cluster won't do it automatically.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@clusters/app.ci/ship-status-dash/dashboard/chai-bot-serviceaccount.yaml`
around lines 9 - 18, The Secret in chai-bot-serviceaccount.yaml intentionally
uses a non-expiring service-account token, so update the surrounding setup to
account for that risk. Keep the token mechanism, but ensure the chai-bot
identity has only the minimum RBAC needed for the mutating outages workflow, and
add a clear rotation/revocation plan for the chai-bot-token Secret since it will
not expire or rotate automatically.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@clusters/app.ci/ship-status-dash/dashboard/deployment.yaml`:
- Around line 180-185: The deployment mounts the chai-bot token, but the
workload still lacks the RBAC needed for oauth-proxy to authorize requests. Add
the missing namespaces/get permission by creating or updating the
Role/ClusterRole and the corresponding RoleBinding/ClusterRoleBinding for
chai-bot, and make sure the existing deployment for SHIP_STATUS_AUTH_TOKEN_FILE
continues to use that service account.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: f45fa92a-d812-437e-a1e0-e3d3242e5720

📥 Commits

Reviewing files that changed from the base of the PR and between de4e52d and 884b48d.

📒 Files selected for processing (3)
  • clusters/app.ci/ship-status-dash/dashboard/chai-bot-serviceaccount.yaml
  • clusters/app.ci/ship-status-dash/dashboard/deployment.yaml
  • core-services/ship-status/dashboard-config.yaml

Comment thread clusters/app.ci/ship-status-dash/dashboard/deployment.yaml
openshift-merge-bot Bot (Contributor) commented

[REHEARSALNOTIFIER]
@arnavmeduri: no rehearsable tests are affected by this change

Note: If this PR includes changes to step registry files (ci-operator/step-registry/) and you expected jobs to be found, try rebasing your PR onto the base branch. This helps pj-rehearse accurately detect changes when the base branch has moved forward.

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

arnavmeduri (Contributor, Author) commented

@coderabbitai full review

coderabbitai Bot (Contributor) commented Jul 2, 2026

✅ Action performed

Full review finished.

coderabbitai Bot (Contributor) left a review comment

🧹 Nitpick comments (1)
clusters/app.ci/ship-status-dash/dashboard/chai-bot-serviceaccount.yaml (1)

1-19: 🔒 Security & Privacy | 🔵 Trivial | 💤 Low value

Static, non-expiring SA token — consider a rotation story.

This creates a long-lived kubernetes.io/service-account-token Secret for chai-bot. Unlike TokenRequest-based bound/projected tokens, this token does not expire or auto-rotate. Given it's used for write/authenticated operations from the MCP server, consider documenting a manual rotation process or periodic re-issuance, since a leaked token here has no automatic mitigation.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@clusters/app.ci/ship-status-dash/dashboard/chai-bot-serviceaccount.yaml`
around lines 1 - 19, The chai-bot ServiceAccount Secret is a long-lived static
token with no auto-rotation, so update the manifest or accompanying
documentation around chai-bot to include a clear rotation/re-issuance story. Use
the ServiceAccount and Secret definitions in chai-bot-serviceaccount.yaml to add
guidance for manual token rotation or switch the auth flow to a
TokenRequest/projected token approach if supported by the MCP server.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: b8e78edf-600d-4469-86a4-df90edbcf312

📥 Commits

Reviewing files that changed from the base of the PR and between 43e89b9 and 6c85ab7.

📒 Files selected for processing (4)
  • clusters/app.ci/ship-status-dash/dashboard/chai-bot-serviceaccount.yaml
  • clusters/app.ci/ship-status-dash/dashboard/deployment.yaml
  • clusters/app.ci/ship-status-dash/dashboard/rbac.yaml
  • core-services/ship-status/dashboard-config.yaml
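Both review comments above turn on the same two questions: which legacy `kubernetes.io/service-account-token` Secrets exist (they never expire and are only revoked by deleting the Secret), and whether the chai-bot ServiceAccount's ClusterRole grants anything beyond the `namespaces/get` the PR description says oauth-proxy needs. The audit below is an added example, not code from this PR or the openshift/release repository; it reads objects in the shape `kubectl get secrets,clusterroles,clusterrolebindings -A -o json` returns. The sample objects are constructed: names follow the PR, while the `oauth-proxy-cookie` Secret and every field value are assumed.

```python
"""Audit for long-lived ServiceAccount token Secrets and the RBAC bound to an SA.
Input is the "items" list that kubectl produces with -o json (load it with json)."""

LEGACY_TOKEN_TYPE = "kubernetes.io/service-account-token"
SA_ANNOTATION = "kubernetes.io/service-account.name"

# Constructed sample shaped like `kubectl get secrets,clusterroles,clusterrolebindings
# -A -o json`["items"]. Object names follow the PR; all other values are assumed.
SAMPLE_ITEMS = [
    {"kind": "Secret", "type": LEGACY_TOKEN_TYPE,
     "metadata": {"namespace": "ship-status", "name": "chai-bot-token",
                  "annotations": {SA_ANNOTATION: "chai-bot"}}},
    {"kind": "Secret", "type": "Opaque",  # assumed unrelated Secret, must not be flagged
     "metadata": {"namespace": "ship-status", "name": "oauth-proxy-cookie"}},
    {"kind": "ClusterRole", "metadata": {"name": "ship-status-chai-bot"},
     "rules": [{"apiGroups": [""], "resources": ["namespaces"], "verbs": ["get"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ship-status-chai-bot"},
     "roleRef": {"kind": "ClusterRole", "name": "ship-status-chai-bot"},
     "subjects": [{"kind": "ServiceAccount", "name": "chai-bot", "namespace": "ship-status"}]},
]

def find_static_sa_tokens(items):
    """(namespace, secret, service account) for each legacy token Secret. These
    tokens carry no expiry; the API server rejects one only once its Secret is gone."""
    hits = []
    for obj in items:
        if obj.get("kind") == "Secret" and obj.get("type") == LEGACY_TOKEN_TYPE:
            meta = obj["metadata"]
            hits.append((meta["namespace"], meta["name"],
                         meta.get("annotations", {}).get(SA_ANNOTATION, "<unbound>")))
    return hits

def rules_for_service_account(items, namespace, sa_name):
    """Every ClusterRole rule the ServiceAccount receives through ClusterRoleBindings."""
    roles = {o["metadata"]["name"]: o for o in items if o.get("kind") == "ClusterRole"}
    rules = []
    for crb in (o for o in items if o.get("kind") == "ClusterRoleBinding"):
        bound = any(s.get("kind") == "ServiceAccount" and s.get("name") == sa_name
                    and s.get("namespace") == namespace for s in crb.get("subjects", []))
        if bound and crb["roleRef"]["kind"] == "ClusterRole":
            rules.extend(roles.get(crb["roleRef"]["name"], {}).get("rules", []))
    return rules

def excess_grants(rules, allowed=(("", "namespaces", "get"),)):
    """(apiGroup, resource, verb) triples outside the allow-list; a '*' never matches it."""
    wanted = set(allowed)
    return sorted({(g, r, v) for rule in rules for g in rule.get("apiGroups", [""])
                   for r in rule.get("resources", []) for v in rule.get("verbs", [])
                   if (g, r, v) not in wanted})
```

An empty result from `excess_grants` means the binding matches the minimum the PR states; any flagged Secret is a candidate for the rotation plan the reviewer asked for (delete and recreate the Secret to re-issue the token).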
