Fix amp-api scopes#1318
Conversation
|
Warning Review limit reached
Next review available in: 50 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (9)
📝 WalkthroughWalkthroughThe Helm chart adds configurable hook ServiceAccount selection, gates hook-related resources, replaces cluster-scoped RBAC with namespaced permissions, and disables automatic ServiceAccount token mounting for the main workloads while preserving it for hook Jobs. ChangesServiceAccount security configuration
Namespaced hook RBAC
Hook and workload ServiceAccount wiring
Estimated code review effort: 2 (Simple) | ~10 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In
`@deployments/helm-charts/wso2-agent-manager/templates/agent-manager-service/deployment.yaml`:
- Line 32: Update the Deployment pod spec’s automountServiceAccountToken setting
to reference the configured serviceAccount.automount value from values.yaml
instead of hardcoding false, preserving the user’s selected token-mount
behavior.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: afe8e095-8ee6-4717-8c52-5ddd3f10b75d
📒 Files selected for processing (7)
deployments/helm-charts/wso2-agent-manager/templates/_helpers.tpldeployments/helm-charts/wso2-agent-manager/templates/agent-manager-service/deployment.yamldeployments/helm-charts/wso2-agent-manager/templates/jobs/jwt-keys-generation-job.yamldeployments/helm-charts/wso2-agent-manager/templates/jobs/tls-certs-job.yamldeployments/helm-charts/wso2-agent-manager/templates/rbac.yamldeployments/helm-charts/wso2-agent-manager/templates/serviceaccount.yamldeployments/helm-charts/wso2-agent-manager/values.yaml
There was a problem hiding this comment.
Actionable comments posted: 1
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (2)
deployments/helm-charts/wso2-agent-manager/templates/rbac.yaml (1)
1-6: 🔒 Security & Privacy | 🟠 Major | 🏗️ Heavy liftEnsure legacy cluster-scoped RBAC is removed during upgrade.
Changing
ClusterRole/ClusterRoleBindingtoRole/RoleBindingdoes not necessarily delete previously installed cluster-scoped objects. Existing releases could therefore retain cluster-admin access after upgrade. Provide an enforced migration/cleanup path, or make the manual deletion requirement explicit and fail-safe.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@deployments/helm-charts/wso2-agent-manager/templates/rbac.yaml` around lines 1 - 6, Update the RBAC migration around the chart’s Role and RoleBinding resources so upgrades remove or explicitly block retention of legacy ClusterRole and ClusterRoleBinding objects. Provide an enforced cleanup path for previously installed cluster-scoped resources, or add a fail-safe upgrade mechanism that clearly requires their manual deletion before proceeding.deployments/helm-charts/wso2-agent-manager/templates/serviceaccount.yaml (1)
18-34: 🩺 Stability & Availability | 🟠 Major | ⚡ Quick winEnsure hook Jobs can mount a token when reusing an existing ServiceAccount. When
hookServiceAccount.createis false, this template can’t forceautomountServiceAccountToken: true, and the TLS/JWT hook Jobs don’t set a pod-level override. An existing ServiceAccount with automount disabled will cause install/upgrade hooks to fail; either setautomountServiceAccountToken: trueondeployments/helm-charts/wso2-agent-manager/templates/jobs/tls-certs-job.yamlanddeployments/helm-charts/wso2-agent-manager/templates/jobs/jwt-keys-generation-job.yaml, or document the precondition.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@deployments/helm-charts/wso2-agent-manager/templates/serviceaccount.yaml` around lines 18 - 34, Update the hook pod specifications in the TLS and JWT job templates, identified by tls-certs-job.yaml and jwt-keys-generation-job.yaml, to set automountServiceAccountToken: true at the pod level. This must ensure hook Jobs receive a token even when hookServiceAccount.create is false and they reuse an existing ServiceAccount.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@deployments/helm-charts/wso2-agent-manager/values.yaml`:
- Around line 516-520: Add an explicit Helm cleanup or migration path for the
pre-install/pre-upgrade hook RBAC resources when hook Jobs are later disabled.
Ensure previously rendered ServiceAccount, Role, and RoleBinding resources are
deleted, including the Secret create/patch grant, rather than relying solely on
before-hook-creation. Keep the existing conditional rendering and create/name
behavior for enabled hooks unchanged.
---
Outside diff comments:
In `@deployments/helm-charts/wso2-agent-manager/templates/rbac.yaml`:
- Around line 1-6: Update the RBAC migration around the chart’s Role and
RoleBinding resources so upgrades remove or explicitly block retention of legacy
ClusterRole and ClusterRoleBinding objects. Provide an enforced cleanup path for
previously installed cluster-scoped resources, or add a fail-safe upgrade
mechanism that clearly requires their manual deletion before proceeding.
In `@deployments/helm-charts/wso2-agent-manager/templates/serviceaccount.yaml`:
- Around line 18-34: Update the hook pod specifications in the TLS and JWT job
templates, identified by tls-certs-job.yaml and jwt-keys-generation-job.yaml, to
set automountServiceAccountToken: true at the pod level. This must ensure hook
Jobs receive a token even when hookServiceAccount.create is false and they reuse
an existing ServiceAccount.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: 8630e273-588a-4f59-a5d7-3047aa069036
📒 Files selected for processing (7)
deployments/helm-charts/wso2-agent-manager/templates/_helpers.tpldeployments/helm-charts/wso2-agent-manager/templates/agent-manager-service/deployment.yamldeployments/helm-charts/wso2-agent-manager/templates/console/deployment.yamldeployments/helm-charts/wso2-agent-manager/templates/jobs/db-migration-job.yamldeployments/helm-charts/wso2-agent-manager/templates/rbac.yamldeployments/helm-charts/wso2-agent-manager/templates/serviceaccount.yamldeployments/helm-charts/wso2-agent-manager/values.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
- deployments/helm-charts/wso2-agent-manager/templates/agent-manager-service/deployment.yaml
Replace the cluster-admin wildcard ClusterRole with a namespaced Role granting only secrets get/create/patch, used solely by the chart's pre-install/pre-upgrade hook Jobs (TLS certs, JWT keys). The hook RBAC and its dedicated amp-hooks ServiceAccount are rendered only when a hook Job is enabled and are torn down after the hooks succeed, so no standing grant lingers. The amp-api Deployment, console, and db-migration pods keep token automount disabled and hold no RBAC.
7a0566d to
6d21eca
Compare
$Subject