Expose allowed org ID authorization settings #88

Open
Olmo Maldonado (ibolmo) wants to merge 1 commit into main from sec-allowed-org-ids

@ibolmo Olmo Maldonado (ibolmo) commented Jun 15, 2026

Context

Hybrid/self-hosted data planes need a first-class Helm value for authorizing access by stable Braintrust organization IDs, matching the Terraform data-plane support for ALLOWED_ORG_IDS. Deployments that use wildcard or empty org-name access also need an explicit primary org for self-hosted service-token management.

Description

  • Adds global.allowedOrgIds and renders ALLOWED_ORG_IDS into the API ConfigMap only when the trimmed value is non-empty.
  • Adds global.primaryOrgName and renders PRIMARY_ORG_NAME alongside the existing trimmed ORG_NAME.
  • Fails template rendering when global.orgName is empty or "*" and global.primaryOrgName is empty, matching the Terraform module validation boundary.
  • Covers omitted, blank, configured, wildcard-with-primary, and invalid empty/wildcard cases in API ConfigMap tests.

@ibolmo Olmo Maldonado (ibolmo) changed the title from "add allowed org ids" to "Expose allowed org ID authorization settings" Jun 15, 2026
@ibolmo Olmo Maldonado (ibolmo) marked this pull request as ready for review June 15, 2026 17:34

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: a35bb1b6ae

Comment on lines +3 to +4
{{- if and (or (eq $orgName "") (eq $orgName "*")) (eq $primaryOrgName "") -}}
{{- fail "global.primaryOrgName is required when global.orgName is empty or \"*\"; self-hosted service-token management needs a primary organization." -}}
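Review bot: The comparisons on +3 (`eq $orgName ""`, `eq $orgName "*"`, `eq $primaryOrgName ""`) are exact string matches, so this guard is only as strict as the normalization applied where `$orgName` and `$primaryOrgName` are assigned, which is above the commented lines. Please confirm both variables are trimmed before this check, so that a whitespace-only global.primaryOrgName cannot satisfy it and a padded "*" is still treated as the wildcard, and add a test case for each.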

[P2] Honor existing PRIMARY_ORG_NAME overrides

In wildcard or empty-org deployments that already set PRIMARY_ORG_NAME through api.extraEnvVars, this validation still aborts because it only checks global.primaryOrgName. I checked api-deployment.yaml: api.extraEnvVars is appended as explicit env entries after the ConfigMap envFrom, so it is an existing supported path for supplying/overriding API environment variables; with this change those upgrades fail before the Deployment is rendered even though the pod would receive the required variable. Consider accepting the existing extra env override or avoiding the hard fail for that case.

Useful? React with 👍 / 👎.
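One way the suggestion above could look as a Helm template. This is an added example, not the chart's own code or part of this PR. It assumes `.Values.api` exists and that `api.extraEnvVars` is a list of Kubernetes env entries (`name` with `value` or `valueFrom`); the `$hasOverride` variable and the reworded failure message are hypothetical.

```yaml
{{- /* Added example (hypothetical), not the chart's template.
       Assumes .Values.api.extraEnvVars is a list of env entries shaped
       like {name, value} or {name, valueFrom}. */ -}}
{{- $orgName := trim (default "" .Values.global.orgName) -}}
{{- $primaryOrgName := trim (default "" .Values.global.primaryOrgName) -}}

{{- /* Look for an explicit PRIMARY_ORG_NAME entry. Entries under `env`
       take precedence over keys loaded through `envFrom`, so such an
       entry is what the API container would actually receive. */ -}}
{{- $hasOverride := false -}}
{{- range (default (list) .Values.api.extraEnvVars) -}}
  {{- if eq (toString .name) "PRIMARY_ORG_NAME" -}}
    {{- /* A literal value must be non-blank after trimming. A valueFrom
           reference cannot be resolved at render time, so it is accepted
           as-is: the referenced Secret or ConfigMap key may still be
           empty at runtime and needs its own check. */ -}}
    {{- if or (trim (toString (default "" .value))) .valueFrom -}}
      {{- $hasOverride = true -}}
    {{- end -}}
  {{- end -}}
{{- end -}}

{{- /* Same boundary as the PR: wildcard or empty org name needs a primary
       org, but an explicit env override now satisfies the requirement. */ -}}
{{- if and (or (eq $orgName "") (eq $orgName "*")) (eq $primaryOrgName "") (not $hasOverride) -}}
{{- fail "global.primaryOrgName (or a PRIMARY_ORG_NAME entry in api.extraEnvVars) is required when global.orgName is empty or \"*\"; self-hosted service-token management needs a primary organization." -}}
{{- end -}}
```

Accepting `valueFrom` keeps existing upgrades rendering, at the cost of moving the emptiness check for that path from render time to runtime.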
