feat(helm): gate OpenShift UI Route behind ui.route.enabled#2031
Conversation
The OpenShift Route for the kagent UI rendered unconditionally whenever the route.openshift.io/v1 API was present, with no way to disable it. This left the UI exposed via an edge-terminated Route with no auth, even when fronting it with the bundled oauth2-proxy or a custom ingress. Add a `ui.route.enabled` value (default true to preserve behavior) and AND it with the existing CRD-presence check so the Route can be turned off while remaining a no-op off-OpenShift. Fixes kagent-dev#2028 Signed-off-by: David J. M. Karlsen <david@davidkarlsen.com>
davidkarlsen
requested review from
EItanya,
ilackarms,
iplay88keys,
jmhbh,
supreme-gg-gg and
yuval-k
as code owners
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Adds a Helm value flag to gate creation of an OpenShift Route for the UI, and wires that flag into the OpenShift Route template so it only renders when enabled and the API is available.
Changes:
- Introduces
ui.route.enabledin chart values (defaulttrue) with documentation. - Updates the OpenShift
Routetemplate to require both the OpenShift Route API andui.route.enabled.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| helm/kagent/values.yaml | Adds ui.route.enabled configuration and documentation for gating the UI OpenShift Route. |
| helm/kagent/templates/openshift-route.yaml | Gates rendering of the Route resource on both API availability and the new values flag. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
1 gap: there is no |
thanks for the review - didn't realize there were tests there - added now! |
|
Hey there @davidkarlsen, you will need to sign your commits to pass DCO, you can check the job for more info |
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> Signed-off-by: David J. M. Karlsen <david.johan.macdonald.karlsen@dnb.no>
davidkarlsen
force-pushed
the
gate-openshift-ui-route
branch
from
3acf187 to
e788753
Compare
fixed |
Problem
The OpenShift
Routefor the kagent UI (helm/kagent/templates/openshift-route.yaml) renders unconditionally whenever theroute.openshift.io/v1API is present — the only guard is the CRD-existence check. There is no value to turn it off.As raised in #2028, this means that on OpenShift the UI is effectively always exposed via an edge-terminated
Routestraight tokagent-ui:8080, with no auth in front. Users who want to front the UI with the bundledoauth2-proxysubchart, a customRoute, or their own ingress have no supported way to stop the chart from also publishing this unauthenticatedRoute.Fix
Add a
ui.route.enabledvalue (defaulttrueto preserve current behavior — existing OpenShift users must not silently lose the Route on upgrade).AND it with the existing CRD-presence check, so the Route stays a no-op off-OpenShift and can now be disabled on OpenShift:
No other behavior changes.
Verification (
helm template)kind: Routerendered--api-versions route.openshift.io/v1(default)--api-versions route.openshift.io/v1 --set ui.route.enabled=false--api-versions(CRD guard)Fixes #2028