Regenerated config diagram

[tisnik]

Description

Regenerated config diagram

Type of change

• Refactor
• New feature
• Bug fix
• CVE fix
• Optimization
• Documentation Update
• Configuration Update
• Bump-up service version
• Bump-up dependent library
• Bump-up library or tool used for development (does not change the final image)
• CI configuration change
• Konflux configuration change
• Unit tests improvement
• Integration tests improvement
• End to end tests improvement

Summary by CodeRabbit

• New Features

  • Added authorization settings with access rules, actions, and role-based access control.
  • Introduced JWT role rules with JSONPath-based matching and optional negation.
  • Expanded authentication options, including Kubernetes cluster API and CA certificate configuration.
  • Improved consistency across configuration by aligning shared settings.

• Documentation

  • Updated configuration diagrams to reflect new authorization and authentication options.

[coderabbitai]

Walkthrough

Adds authorization modeling to the configuration UML: introduces Action/AccessRule, AuthorizationConfiguration, JsonPathOperator, JwtRoleRule with validation methods, extends JwtConfiguration with role_rules, Configuration with authorization, and AuthenticationConfiguration with Kubernetes fields; centralizes config entities under ConfigurationBase and updates associations in docs/config.puml.

Changes

Cohort / File(s)	Summary
UML Config Diagram docs/config.puml	Added classes: Action, AccessRule, AuthorizationConfiguration, ConfigurationBase, JsonPathOperator, JwtRoleRule. Extended: JwtConfiguration.role_rules, Configuration.authorization, AuthenticationConfiguration.k8s_ca_cert_path/k8s_cluster_api/module. Added inheritance/associations to unify under ConfigurationBase and link JwtRoleRule→JsonPathOperator.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant App as Application
  participant Cfg as Configuration
  participant Auth as AuthorizationConfiguration
  participant JWT as JwtConfiguration
  participant Rule as JwtRoleRule
  participant AR as AccessRule

  App->>Cfg: Load Configuration
  Cfg-->>JWT: Access jwt settings (role_rules)
  Cfg-->>Auth: Access authorization (access_rules)

  rect rgb(240,248,255)
    note over JWT,Rule: Evaluate JWT role rules
    App->>Rule: check_jsonpath()
    Rule-->>App: Valid/Invalid JSONPath
    App->>Rule: check_roles()
    Rule-->>App: Derived roles
  end

  rect rgb(245,255,240)
    note over Auth,AR: Authorize action
    App->>Auth: Find matching AccessRule for role
    Auth->>AR: Lookup actions for role
    AR-->>App: Permit/Deny
  end

  alt Authorized
    App-->>App: Proceed
  else Denied
    App-->>App: Reject request
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• LCORE-336: Updated configuration diagram #405 — Also updates configuration models/diagram, adding database-related sub-configurations that align with this PR’s expansion of config entities.
• LCORE-248: update config diagram #299 — Modifies Configuration, AuthenticationConfiguration, and JwtConfiguration in the same diagram, overlapping with new fields added here.
• LCORE-304: Updated config diagram #263 — Renames/adjusts LlamaStackConfiguration in the same config diagram touched by this PR’s new relationships.

Poem

A bunny drafts new rules so neat,
With roles and actions, check and meet.
Jwt paths hop true or false—
Carrots count, no need for drolls.
Config fields bloom like clover bright,
Approve or deny—then bound to light! 🥕✨

✨ Finishing Touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbitai ignore or @coderabbit ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 5

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

docs/config.puml (1)

10-18: Duplicate/ambiguous JWK fields in AuthenticationConfiguration

Both jwk_config (typed) and jwk_configuration (untyped) are present. Drop the untyped duplicate or standardize the name consistently across code and diagram.

 class "AuthenticationConfiguration" as src.models.config.AuthenticationConfiguration {
   jwk_config : Optional[JwkConfiguration]
-  jwk_configuration
   k8s_ca_cert_path : Optional[FilePath]
   k8s_cluster_api : Optional[AnyHttpUrl]
   module : str
   skip_tls_verification : bool
   check_authentication_model() -> Self
 }

🧹 Nitpick comments (3)

docs/config.puml (3)

63-65: Type JsonPathOperator.name and consider modeling as enum

Add name : str (or render as an enum if the operator set is closed).

 class "JsonPathOperator" as src.models.config.JsonPathOperator {
-  name
+  name : str
 }

---

75-83: Type the operator field in JwtRoleRule

Make operator explicitly reference JsonPathOperator for clarity.

 class "JwtRoleRule" as src.models.config.JwtRoleRule {
   jsonpath : str
   negate : bool
-  operator
+  operator : JsonPathOperator
   roles : list[str]
   value : Any
   check_jsonpath() -> Self
   check_roles() -> Self
 }

---

51-57: Add a few missing compositions for existing fields

• DatabaseConfiguration.postgres exists but no arrow.
• Configuration.customization and Configuration.mcp_servers exist but no arrows.

+src.models.config.PostgreSQLDatabaseConfiguration --* src.models.config.DatabaseConfiguration : postgres
+src.models.config.Customization --* src.models.config.Configuration : customization
+src.models.config.ModelContextProtocolServer --* src.models.config.Configuration : mcp_servers

Also applies to: 159-164

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 5058eba and a6abb42.

⛔ Files ignored due to path filters (2)

• docs/config.png is excluded by !**/*.png
• docs/config.svg is excluded by !**/*.svg

📒 Files selected for processing (1)

• docs/config.puml (6 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: build-pr
• GitHub Check: e2e_tests

🔇 Additional comments (4)

docs/config.puml (4)

31-31: Field added but not linked

authorization field is present; ensure the composition line above is added so the diagram reflects it.

---

42-44: Confirm base membership completeness

If ConfigurationBase is the shared base for config models, consider adding Action and JsonPathOperator to the inheritance block for consistency (unless intentionally excluded).

+src.models.config.Action --|> src.models.config.ConfigurationBase
+src.models.config.JsonPathOperator --|> src.models.config.ConfigurationBase

---

135-152: Inheritance block completeness

If everything is centralized under ConfigurationBase, consider adding Action and JsonPathOperator here (see earlier note). If they’re intentionally plain helpers, ignore.

---

122-127: tls_key_password type looks off

tls_key_password is a password; modeling it as Optional[FilePath] is misleading. Consider Optional[str]/SecretStr.

[coderabbitai]

🛠️ Refactor suggestion

Wire AccessRule.actions to Action and type Action.name

• Add composition from AccessRule to Action for actions list.
• Make Action.name typed for consistency.

 class "Action" as src.models.config.Action {
-  name
+  name : str
 }

+src.models.config.Action --* src.models.config.AccessRule : actions

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	class "AccessRule" as src.models.config.AccessRule {
	actions : list[Action]
	role : str
	}
	class "Action" as src.models.config.Action {
	name
	}
	class "AccessRule" as src.models.config.AccessRule {
	actions : list[Action]
	role : str
	}
	class "Action" as src.models.config.Action {
	name : str
	}
	src.models.config.Action --* src.models.config.AccessRule : actions

🤖 Prompt for AI Agents

In docs/config.puml around lines 3 to 9, the AccessRule.actions list is not
wired to the Action class and Action.name lacks a type; add a composition
relationship from AccessRule to Action for the actions collection (composition
that labels the association "actions" and implies multiplicity of many) and
update the Action class to declare name with an explicit type (string) so it
reads consistently with other attributes.

[coderabbitai]

🛠️ Refactor suggestion

Missing association for Configuration.authorization

Configuration has authorization but there’s no composition line. Add it to keep diagram navigable.

+src.models.config.AuthorizationConfiguration --* src.models.config.Configuration : authorization

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	class "AuthorizationConfiguration" as src.models.config.AuthorizationConfiguration {
	access_rules : Optional[list[AccessRule]]
	}
	class "AuthorizationConfiguration" as src.models.config.AuthorizationConfiguration {
	access_rules : Optional[list[AccessRule]]
	}
	src.models.config.AuthorizationConfiguration --* src.models.config.Configuration : authorization

🤖 Prompt for AI Agents

In docs/config.puml around lines 19 to 21, the class AuthorizationConfiguration
is declared but there is no composition/association from the main Configuration
class; add a composition line from Configuration to AuthorizationConfiguration
(using the appropriate PlantUML composition notation) so Configuration shows it
contains the authorization configuration, and place it near the existing class
declarations to keep the diagram layout consistent and navigable.

[coderabbitai]

⚠️ Potential issue

Misplaced and mistyped relationship between JWK and JWT

JwkConfiguration currently lists jwt_configuration (untyped). This is likely inverted and mistyped. Typically, JwtConfiguration contains a JwkConfiguration (jwk_configuration).

 class "JwkConfiguration" as src.models.config.JwkConfiguration {
-  jwt_configuration
   url : AnyHttpUrl
 }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	class "JwkConfiguration" as src.models.config.JwkConfiguration {
	jwt_configuration
	url : AnyHttpUrl
	}
	class "JwkConfiguration" as src.models.config.JwkConfiguration {
	url : AnyHttpUrl
	}

🤖 Prompt for AI Agents

In docs/config.puml around lines 66 to 69, the UML shows JwkConfiguration
containing an untyped and misplaced field "jwt_configuration"; instead model
JwtConfiguration as the owner of a JwkConfiguration. Remove the
jwt_configuration field from JwkConfiguration and add a properly typed field on
JwtConfiguration (e.g., jwk_configuration : JwkConfiguration or same fully
qualified type) so JwtConfiguration references JwkConfiguration with a clear
name and type.

[coderabbitai]

🛠️ Refactor suggestion

Add link from JwtConfiguration to JwtRoleRule (role_rules)

role_rules is a list but there’s no composition line; add it.

+src.models.config.JwtRoleRule --* src.models.config.JwtConfiguration : role_rules

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents

In docs/config.puml around line 71, the JwtConfiguration class documents
role_rules as Optional[list[JwtRoleRule]] but lacks a composition/association;
add a composition from JwtConfiguration to JwtRoleRule using PlantUML syntax
(filled diamond on JwtConfiguration side) and include multiplicity 0..* and the
role name/label (e.g., role_rules : Optional[list[JwtRoleRule]]), so the diagram
shows JwtConfiguration *-- "0..*" JwtRoleRule : role_rules.

[coderabbitai]

⚠️ Potential issue

Invert composition and fix label: jwk_configuration (not jwt_configuration)

Current line implies JwkConfiguration contains JwtConfiguration. In practice JwtConfiguration should contain JwkConfiguration and the role name should be jwk_configuration.

-src.models.config.JwtConfiguration --* src.models.config.JwkConfiguration : jwt_configuration
+src.models.config.JwkConfiguration --* src.models.config.JwtConfiguration : jwk_configuration

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	src.models.config.JsonPathOperator --* src.models.config.JwtRoleRule : operator
	src.models.config.JwtConfiguration --* src.models.config.JwkConfiguration : jwt_configuration
	src.models.config.LlamaStackConfiguration --* src.models.config.Configuration : llama_stack
	src.models.config.JsonPathOperator --* src.models.config.JwtRoleRule : operator
	src.models.config.JwkConfiguration --* src.models.config.JwtConfiguration : jwk_configuration
	src.models.config.LlamaStackConfiguration --* src.models.config.Configuration : llama_stack

🤖 Prompt for AI Agents

In docs/config.puml around lines 157-159, invert the composition so
JwtConfiguration contains JwkConfiguration (i.e., ensure the composition edge
points from src.models.config.JwtConfiguration to
src.models.config.JwkConfiguration) and correct the role/label text from
"jwt_configuration" to "jwk_configuration".