Skip to content

Expose allowed org ID authorization settings #88

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Olmo Maldonado (ibolmo) wants to merge 1 commit into
base: main
Choose a base branch
from
+104 −1
Open

Expose allowed org ID authorization settings #88

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 11 additions & 1 deletion braintrust/templates/api-configmap.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,9 @@
{{- $orgName := .Values.global.orgName | default "" | toString | trim -}}
{{- $primaryOrgName := .Values.global.primaryOrgName | default "" | toString | trim -}}
{{- if and (or (eq $orgName "") (eq $orgName "*")) (eq $primaryOrgName "") -}}
{{- fail "global.primaryOrgName is required when global.orgName is empty or \"*\"; self-hosted service-token management needs a primary organization." -}}
Comment on lines +3 to +4

@chatgpt-codex-connector chatgpt-codex-connector Bot Jun 15, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Honor existing PRIMARY_ORG_NAME overrides

In wildcard or empty-org deployments that already set PRIMARY_ORG_NAME through api.extraEnvVars, this validation still aborts because it only checks global.primaryOrgName. I checked api-deployment.yaml: api.extraEnvVars is appended as explicit env entries after the ConfigMap envFrom, so it is an existing supported path for supplying/overriding API environment variables; with this change those upgrades fail before the Deployment is rendered even though the pod would receive the required variable. Consider accepting the existing extra env override or avoiding the hard fail for that case.

Useful? React with 👍 / 👎.

{{- end -}}
{{- $allowedOrgIds := .Values.global.allowedOrgIds | default "" | toString | trim -}}
---
apiVersion: v1
kind: ConfigMap
Expand All @@ -13,7 +19,11 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
data:
ORG_NAME: {{ .Values.global.orgName | quote }}
ORG_NAME: {{ $orgName | quote }}
PRIMARY_ORG_NAME: {{ $primaryOrgName | quote }}
{{- with $allowedOrgIds }}
ALLOWED_ORG_IDS: {{ . | quote }}
{{- end }}

{{- if eq .Values.cloud "azure" }}
AZURE_STORAGE_ACCOUNT_NAME: {{ .Values.objectStorage.azure.storageAccountName | quote }}
Expand Down
87 changes: 87 additions & 0 deletions braintrust/tests/api-configmap_test.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,13 +16,100 @@ tests:
- equal:
path: data.ORG_NAME
value: "test-org"
- equal:
path: data.PRIMARY_ORG_NAME
value: ""
- equal:
path: data.BRAINSTORE_ENABLED
value: "true"
- equal:
path: data.BRAINSTORE_DEFAULT
value: "force"

- it: should omit allowed org IDs when unset
values:
- __fixtures__/base-values.yaml
release:
namespace: "braintrust"
asserts:
- isNull:
path: data.ALLOWED_ORG_IDS

- it: should omit allowed org IDs when blank
values:
- __fixtures__/base-values.yaml
set:
global.allowedOrgIds: " "
release:
namespace: "braintrust"
asserts:
- isNull:
path: data.ALLOWED_ORG_IDS

- it: should include allowed org IDs when configured
values:
- __fixtures__/base-values.yaml
set:
global.allowedOrgIds: " org_123,org_456 "
release:
namespace: "braintrust"
asserts:
- equal:
path: data.ALLOWED_ORG_IDS
value: "org_123,org_456"

- it: should include primary org name when configured
values:
- __fixtures__/base-values.yaml
set:
global.primaryOrgName: " primary-org "
release:
namespace: "braintrust"
asserts:
- equal:
path: data.PRIMARY_ORG_NAME
value: "primary-org"

- it: should allow wildcard org name when primary org name is configured
values:
- __fixtures__/base-values.yaml
set:
global.orgName: "*"
global.primaryOrgName: "primary-org"
release:
namespace: "braintrust"
asserts:
- equal:
path: data.ORG_NAME
value: "*"
- equal:
path: data.PRIMARY_ORG_NAME
value: "primary-org"

- it: should reject empty org name without primary org name
values:
- __fixtures__/base-values.yaml
set:
global.orgName: ""
global.primaryOrgName: ""
release:
namespace: "braintrust"
asserts:
- failedTemplate:
errorMessage: "global.primaryOrgName is required when global.orgName is empty or \"*\"; self-hosted service-token management needs a primary organization."

- it: should reject wildcard org name without primary org name
values:
- __fixtures__/base-values.yaml
set:
global.orgName: "*"
global.primaryOrgName: " "
release:
namespace: "braintrust"
asserts:
- failedTemplate:
errorMessage: "global.primaryOrgName is required when global.orgName is empty or \"*\"; self-hosted service-token management needs a primary organization."

- it: should use correct namespace from helper when createNamespace is false
values:
- __fixtures__/base-values.yaml
Expand Down
6 changes: 6 additions & 0 deletions braintrust/values.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,12 @@
# Global configs
global:
orgName: "<your org name on Braintrust>"
# Required when orgName is empty or "*". Used to authorize self-hosted
# service-token management.
primaryOrgName: ""
# Optional comma-separated org ID allowlist. If orgName is a specific name,
# that org is included in the allowlist.
allowedOrgIds: ""
# When createNamespace is true, the namespace will be created and resources will be in global.namespace
# When createNamespace is false, resources will use .Release.Namespace (the namespace specified during helm install/upgrade)
createNamespace: false
Expand Down
Loading