Skip to content

Fix amp-api scopes#1318

Merged
jhivandb merged 1 commit into
wso2:mainfrom
jhivandb:worktree-scope-amp-api-rbac
Jul 15, 2026
Merged

Fix amp-api scopes#1318
jhivandb merged 1 commit into
wso2:mainfrom
jhivandb:worktree-scope-amp-api-rbac

Conversation

@jhivandb

@jhivandb jhivandb commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

$Subject

@coderabbitai

coderabbitai Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Warning

Review limit reached

@jhivandb, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 50 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 8338e466-0784-4117-85c2-8fab1a3488e5

📥 Commits

Reviewing files that changed from the base of the PR and between 7a0566d and 6d21eca.

📒 Files selected for processing (9)
  • deployments/helm-charts/wso2-agent-manager/templates/_helpers.tpl
  • deployments/helm-charts/wso2-agent-manager/templates/agent-manager-service/deployment.yaml
  • deployments/helm-charts/wso2-agent-manager/templates/console/deployment.yaml
  • deployments/helm-charts/wso2-agent-manager/templates/jobs/db-migration-job.yaml
  • deployments/helm-charts/wso2-agent-manager/templates/jobs/jwt-keys-generation-job.yaml
  • deployments/helm-charts/wso2-agent-manager/templates/jobs/tls-certs-job.yaml
  • deployments/helm-charts/wso2-agent-manager/templates/rbac.yaml
  • deployments/helm-charts/wso2-agent-manager/templates/serviceaccount.yaml
  • deployments/helm-charts/wso2-agent-manager/values.yaml
📝 Walkthrough

Walkthrough

The Helm chart adds configurable hook ServiceAccount selection, gates hook-related resources, replaces cluster-scoped RBAC with namespaced permissions, and disables automatic ServiceAccount token mounting for the main workloads while preserving it for hook Jobs.

Changes

ServiceAccount security configuration

Layer / File(s) Summary
ServiceAccount configuration and naming
deployments/helm-charts/wso2-agent-manager/values.yaml, deployments/helm-charts/wso2-agent-manager/templates/_helpers.tpl, deployments/helm-charts/wso2-agent-manager/templates/serviceaccount.yaml
Adds hook ServiceAccount settings and naming, gates hook resources, disables main-account token automounting by default, and enables token mounting for hook accounts.

Namespaced hook RBAC

Layer / File(s) Summary
Namespaced hook RBAC
deployments/helm-charts/wso2-agent-manager/templates/rbac.yaml
Replaces cluster-scoped RBAC with namespaced Role and RoleBinding resources and binds the hook ServiceAccount to scoped secret permissions.

Hook and workload ServiceAccount wiring

Layer / File(s) Summary
Hook and workload ServiceAccount wiring
deployments/helm-charts/wso2-agent-manager/templates/jobs/*, deployments/helm-charts/wso2-agent-manager/templates/agent-manager-service/deployment.yaml, deployments/helm-charts/wso2-agent-manager/templates/console/deployment.yaml
Updates JWT and TLS hook Jobs to use the hook ServiceAccount and disables automatic token mounting for application and database migration workloads.

Estimated code review effort: 2 (Simple) | ~10 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title matches the main change: narrowing agent-manager RBAC to least privilege.
Description check ✅ Passed The description covers purpose, goals, approach, testing, release notes, and operational notes; only the user stories section is not explicit.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@deployments/helm-charts/wso2-agent-manager/templates/agent-manager-service/deployment.yaml`:
- Line 32: Update the Deployment pod spec’s automountServiceAccountToken setting
to reference the configured serviceAccount.automount value from values.yaml
instead of hardcoding false, preserving the user’s selected token-mount
behavior.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: afe8e095-8ee6-4717-8c52-5ddd3f10b75d

📥 Commits

Reviewing files that changed from the base of the PR and between 5dbb5ba and b791510.

📒 Files selected for processing (7)
  • deployments/helm-charts/wso2-agent-manager/templates/_helpers.tpl
  • deployments/helm-charts/wso2-agent-manager/templates/agent-manager-service/deployment.yaml
  • deployments/helm-charts/wso2-agent-manager/templates/jobs/jwt-keys-generation-job.yaml
  • deployments/helm-charts/wso2-agent-manager/templates/jobs/tls-certs-job.yaml
  • deployments/helm-charts/wso2-agent-manager/templates/rbac.yaml
  • deployments/helm-charts/wso2-agent-manager/templates/serviceaccount.yaml
  • deployments/helm-charts/wso2-agent-manager/values.yaml

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
deployments/helm-charts/wso2-agent-manager/templates/rbac.yaml (1)

1-6: 🔒 Security & Privacy | 🟠 Major | 🏗️ Heavy lift

Ensure legacy cluster-scoped RBAC is removed during upgrade.

Changing ClusterRole/ClusterRoleBinding to Role/RoleBinding does not necessarily delete previously installed cluster-scoped objects. Existing releases could therefore retain cluster-admin access after upgrade. Provide an enforced migration/cleanup path, or make the manual deletion requirement explicit and fail-safe.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@deployments/helm-charts/wso2-agent-manager/templates/rbac.yaml` around lines
1 - 6, Update the RBAC migration around the chart’s Role and RoleBinding
resources so upgrades remove or explicitly block retention of legacy ClusterRole
and ClusterRoleBinding objects. Provide an enforced cleanup path for previously
installed cluster-scoped resources, or add a fail-safe upgrade mechanism that
clearly requires their manual deletion before proceeding.
deployments/helm-charts/wso2-agent-manager/templates/serviceaccount.yaml (1)

18-34: 🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

Ensure hook Jobs can mount a token when reusing an existing ServiceAccount. When hookServiceAccount.create is false, this template can’t force automountServiceAccountToken: true, and the TLS/JWT hook Jobs don’t set a pod-level override. An existing ServiceAccount with automount disabled will cause install/upgrade hooks to fail; either set automountServiceAccountToken: true on deployments/helm-charts/wso2-agent-manager/templates/jobs/tls-certs-job.yaml and deployments/helm-charts/wso2-agent-manager/templates/jobs/jwt-keys-generation-job.yaml, or document the precondition.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@deployments/helm-charts/wso2-agent-manager/templates/serviceaccount.yaml`
around lines 18 - 34, Update the hook pod specifications in the TLS and JWT job
templates, identified by tls-certs-job.yaml and jwt-keys-generation-job.yaml, to
set automountServiceAccountToken: true at the pod level. This must ensure hook
Jobs receive a token even when hookServiceAccount.create is false and they reuse
an existing ServiceAccount.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@deployments/helm-charts/wso2-agent-manager/values.yaml`:
- Around line 516-520: Add an explicit Helm cleanup or migration path for the
pre-install/pre-upgrade hook RBAC resources when hook Jobs are later disabled.
Ensure previously rendered ServiceAccount, Role, and RoleBinding resources are
deleted, including the Secret create/patch grant, rather than relying solely on
before-hook-creation. Keep the existing conditional rendering and create/name
behavior for enabled hooks unchanged.

---

Outside diff comments:
In `@deployments/helm-charts/wso2-agent-manager/templates/rbac.yaml`:
- Around line 1-6: Update the RBAC migration around the chart’s Role and
RoleBinding resources so upgrades remove or explicitly block retention of legacy
ClusterRole and ClusterRoleBinding objects. Provide an enforced cleanup path for
previously installed cluster-scoped resources, or add a fail-safe upgrade
mechanism that clearly requires their manual deletion before proceeding.

In `@deployments/helm-charts/wso2-agent-manager/templates/serviceaccount.yaml`:
- Around line 18-34: Update the hook pod specifications in the TLS and JWT job
templates, identified by tls-certs-job.yaml and jwt-keys-generation-job.yaml, to
set automountServiceAccountToken: true at the pod level. This must ensure hook
Jobs receive a token even when hookServiceAccount.create is false and they reuse
an existing ServiceAccount.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 8630e273-588a-4f59-a5d7-3047aa069036

📥 Commits

Reviewing files that changed from the base of the PR and between b791510 and 56deb86.

📒 Files selected for processing (7)
  • deployments/helm-charts/wso2-agent-manager/templates/_helpers.tpl
  • deployments/helm-charts/wso2-agent-manager/templates/agent-manager-service/deployment.yaml
  • deployments/helm-charts/wso2-agent-manager/templates/console/deployment.yaml
  • deployments/helm-charts/wso2-agent-manager/templates/jobs/db-migration-job.yaml
  • deployments/helm-charts/wso2-agent-manager/templates/rbac.yaml
  • deployments/helm-charts/wso2-agent-manager/templates/serviceaccount.yaml
  • deployments/helm-charts/wso2-agent-manager/values.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • deployments/helm-charts/wso2-agent-manager/templates/agent-manager-service/deployment.yaml

Comment thread deployments/helm-charts/wso2-agent-manager/values.yaml
Replace the cluster-admin wildcard ClusterRole with a namespaced Role
granting only secrets get/create/patch, used solely by the chart's
pre-install/pre-upgrade hook Jobs (TLS certs, JWT keys). The hook RBAC
and its dedicated amp-hooks ServiceAccount are rendered only when a hook
Job is enabled and are torn down after the hooks succeed, so no standing
grant lingers. The amp-api Deployment, console, and db-migration pods
keep token automount disabled and hold no RBAC.
@jhivandb
jhivandb force-pushed the worktree-scope-amp-api-rbac branch from 7a0566d to 6d21eca Compare July 14, 2026 09:59
@jhivandb
jhivandb merged commit 712eff8 into wso2:main Jul 15, 2026
8 checks passed
@jhivandb jhivandb changed the title Scope amp-api RBAC to least privilege Fix amp-api scopes Jul 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants