OLS-3200: implement generic LIGHTSPEED_* env var contract (operator)

[onmete]

Summary

• Rewrites patchLLMCredentials to set only generic LIGHTSPEED_* env vars instead of SDK-specific vars
• Operator now sets: LIGHTSPEED_PROVIDER, LIGHTSPEED_MODEL, plus optional LIGHTSPEED_MODEL_PROVIDER, LIGHTSPEED_PROVIDER_URL, LIGHTSPEED_PROVIDER_PROJECT, LIGHTSPEED_PROVIDER_REGION, LIGHTSPEED_PROVIDER_API_VERSION
• Credentials mounted unconditionally for all providers via envFrom + volume at /var/run/secrets/llm-credentials/ (previously Vertex-only at /var/secrets/google)
• Removes all SDK-specific env vars: ANTHROPIC_MODEL, CLAUDE_CODE_USE_VERTEX, GCP_PROJECT, GCP_REGION, GOOGLE_APPLICATION_CREDENTIALS, AZURE_OPENAI_ENDPOINT, OPENAI_BASE_URL, ANTHROPIC_BASE_URL, etc.
• Azure URL resolution: url overrides endpoint for LIGHTSPEED_PROVIDER_URL

Companion PR: sandbox env var mapping in openshift/lightspeed-agentic-sandbox#62 (must merge together)

Jira: OLS-3200
Supersedes: OLS-3044, OLS-3051

Test plan

• Updated tests for Anthropic, Vertex, Bedrock providers
• Added tests for OpenAI, Azure, Azure URL override providers
• All tests assert LIGHTSPEED_* vars and absence of SDK-specific vars
• All tests assert unconditional credential volume mount
• Full operator test suite passes
• Coordinated merge with sandbox companion PR

Made with Cursor

Summary by CodeRabbit

Release Notes

• Documentation

  • Clarified sandbox environment variable specifications for LLM provider configuration and removed outdated configuration options.

• Refactor

  • Standardized credential mounting and environment variable handling across all supported LLM providers with improved consistency.

• Tests

  • Expanded test coverage for LLM provider credential configurations, environment variables, and provider-specific settings.

[openshift-ci-robot]

@onmete: This pull request references OLS-3200 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary

• Rewrites patchLLMCredentials to set only generic LIGHTSPEED_* env vars instead of SDK-specific vars
• Operator now sets: LIGHTSPEED_PROVIDER, LIGHTSPEED_MODEL, plus optional LIGHTSPEED_MODEL_PROVIDER, LIGHTSPEED_PROVIDER_URL, LIGHTSPEED_PROVIDER_PROJECT, LIGHTSPEED_PROVIDER_REGION, LIGHTSPEED_PROVIDER_API_VERSION
• Credentials mounted unconditionally for all providers via envFrom + volume at /var/run/secrets/llm-credentials/ (previously Vertex-only at /var/secrets/google)
• Removes all SDK-specific env vars: ANTHROPIC_MODEL, CLAUDE_CODE_USE_VERTEX, GCP_PROJECT, GCP_REGION, GOOGLE_APPLICATION_CREDENTIALS, AZURE_OPENAI_ENDPOINT, OPENAI_BASE_URL, ANTHROPIC_BASE_URL, etc.
• Azure URL resolution: url overrides endpoint for LIGHTSPEED_PROVIDER_URL

Companion PR: sandbox env var mapping in openshift/lightspeed-agentic-sandbox#62 (must merge together)

Jira: OLS-3200
Supersedes: OLS-3044, OLS-3051

Test plan

• Updated tests for Anthropic, Vertex, Bedrock providers
• Added tests for OpenAI, Azure, Azure URL override providers
• All tests assert LIGHTSPEED_* vars and absence of SDK-specific vars
• All tests assert unconditional credential volume mount
• Full operator test suite passes
• Coordinated merge with sandbox companion PR

Made with Cursor

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Warning

Review limit reached

@onmete, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 39 minutes and 34 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 2c5ea6fb-2d35-4f88-b36b-7c9b489eefb1

📥 Commits

Reviewing files that changed from the base of the PR and between e5c69b8 and 57f7333.

📒 Files selected for processing (1)

• controller/proposal/sandbox_templates_test.go

📝 Walkthrough

Walkthrough

This PR unifies LLM credential mounting and environment variable configuration across all provider types. The specification defines the new LIGHTSPEED_* environment variables, the implementation refactors credential patching logic to use shared mounting with provider-specific configuration, and the test suite validates the contract for all supported LLM providers.

Changes

Unified LLM Credential Mounting Architecture

Layer / File(s)	Summary
Environment variable specification update .ai/spec/what/sandbox-execution.md	Specification clarifies the new LIGHTSPEED_PROVIDER and LIGHTSPEED_MODEL environment variables with provider-specific conditional field mappings, removes the obsolete LIGHTSPEED_MODE row, and removes the planned-change reference to this contract migration.
Credential mounting and provider-specific environment variable patching controller/proposal/sandbox_templates.go	Credential mount constants updated to introduce shared llm-credentials path. patchLLMCredentials function refactored to set unified LIGHTSPEED_PROVIDER and LIGHTSPEED_MODEL variables, mount all credentials via shared volume, and configure provider-specific settings via LIGHTSPEED_PROVIDER_URL and provider-scoped variables (Vertex: model provider/project/region; Bedrock: region; Azure: endpoint/API version).
Test suite for credential mounting across all provider types controller/proposal/sandbox_templates_test.go	New helper assertCredentialVolumeMount validates read-only credential mount presence. Anthropic, Vertex, and Bedrock tests refactored to assert LIGHTSPEED_* variables and credential mounts. New exported tests for OpenAI and Azure validate provider-specific configuration. Azure URL override test updated to assert LIGHTSPEED_PROVIDER_URL precedence.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• openshift/lightspeed-agentic-operator#20: Implements the operator→sandbox environment variable and credential mounting contract that this PR's specification document defines.
• openshift/lightspeed-agentic-operator#14: Introduces CRD fields (e.g., googleCloudVertex.modelProvider) that are consumed by this PR's new Vertex-specific LIGHTSPEED_MODEL_PROVIDER environment variable.

Suggested labels

lgtm

Suggested reviewers

• harche
• blublinsky
• raptorsun

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 58.33% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The pull request title accurately reflects the main change: implementing the generic LIGHTSPEED_* environment variable contract in the operator, which is the core focus of the changeset.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign blublinsky for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@controller/proposal/sandbox_templates_test.go`:
- Around line 245-267: Update the assertCredentialVolumeMount helper to validate
the full credential contract: in addition to verifying the volume mount named
llmCredsVolumeName at llmCredsMountPath and that it is readOnly (current checks
in assertCredentialVolumeMount), also assert the container has an envFrom entry
that references the secret (inspect container["envFrom"] for a secretRef with a
name) to ensure unconditional secret injection, and assert the container's env
does NOT include legacy SDK-specific variables (e.g. OPENAI_API_KEY,
AZURE_OPENAI_KEY, BEDROCK_API_KEY) so only the LIGHTSPEED_* / secret-based
config is present; locate these checks inside assertCredentialVolumeMount (which
reads containers via unstructured.NestedSlice) and fail the test with
t.Error/t.Fatalf when the envFrom secret is missing or legacy env vars are
present.

In `@controller/proposal/sandbox_templates.go`:
- Around line 31-33: The llmCredsMountPath constant currently uses
"/var/run/secrets/llm-credentials" but the spec requires the trailing slash
"/var/run/secrets/llm-credentials/"; update the llmCredsMountPath declaration to
include the trailing slash and ensure any related uses/tests referencing
llmCredsMountPath (and the new tests added) are aligned to the exact literal
with the trailing slash so the operator/spec/sandbox contract matches precisely.
- Around line 267-334: Replace inline error message strings in the fmt.Errorf
calls with package-level constant labels and wrap the original error using
fmt.Errorf("%s: %w", Err..., err); add const declarations (e.g.
ErrSetLightspeedProvider, ErrSetLightspeedModel, ErrAddCredentialsEnvFrom,
ErrAddCredentialsVolume, ErrMountCredentials, ErrSetProviderURL,
ErrSetModelProvider, ErrSetProviderProject, ErrSetProviderRegion,
ErrSetProviderAPIVersion) and update all occurrences in the code that call
setEnvVar, addEnvFromSecret, addSecretVolume, addVolumeMount and the
provider-specific branches to use fmt.Errorf("%s: %w", <const>, err) instead of
inline strings so the error labels are consistent with the repository guideline.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: e9e60bfc-3ae5-4983-b4f9-09c9e61eae33

📥 Commits

Reviewing files that changed from the base of the PR and between d0644d5 and e5c69b8.

📒 Files selected for processing (3)

• .ai/spec/what/sandbox-execution.md
• controller/proposal/sandbox_templates.go
• controller/proposal/sandbox_templates_test.go

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Broaden the shared helper to assert the full credential contract.

Right now it only checks the volume mount, so the new OpenAI/Azure/Bedrock cases no longer verify the unconditional envFrom secret injection. It also leaves room for a regression where legacy SDK-specific env vars come back alongside LIGHTSPEED_* and the tests still pass.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@controller/proposal/sandbox_templates_test.go` around lines 245 - 267, Update
the assertCredentialVolumeMount helper to validate the full credential contract:
in addition to verifying the volume mount named llmCredsVolumeName at
llmCredsMountPath and that it is readOnly (current checks in
assertCredentialVolumeMount), also assert the container has an envFrom entry
that references the secret (inspect container["envFrom"] for a secretRef with a
name) to ensure unconditional secret injection, and assert the container's env
does NOT include legacy SDK-specific variables (e.g. OPENAI_API_KEY,
AZURE_OPENAI_KEY, BEDROCK_API_KEY) so only the LIGHTSPEED_* / secret-based
config is present; locate these checks inside assertCredentialVolumeMount (which
reads containers via unstructured.NestedSlice) and fail the test with
t.Error/t.Fatalf when the envFrom secret is missing or legacy env vars are
present.

[onmete]

Fixed in 57f7333. Folded envFrom check into renamed assertCredentialMounts — all 6 provider tests now verify both envFrom and volume mount unconditionally. Skipped the SDK denylist suggestion: a static blocklist rots and the positive LIGHTSPEED_* assertions already catch regressions.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Align the credential mount path literal with the documented contract.

The spec describes /var/run/secrets/llm-credentials/, but this constant and the new tests use /var/run/secrets/llm-credentials. Even if the filesystem behavior is equivalent, the operator/spec/sandbox contract should use one exact literal before the companion PR merges.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@controller/proposal/sandbox_templates.go` around lines 31 - 33, The
llmCredsMountPath constant currently uses "/var/run/secrets/llm-credentials" but
the spec requires the trailing slash "/var/run/secrets/llm-credentials/"; update
the llmCredsMountPath declaration to include the trailing slash and ensure any
related uses/tests referencing llmCredsMountPath (and the new tests added) are
aligned to the exact literal with the trailing slash so the
operator/spec/sandbox contract matches precisely.

[onmete]

Skipping. The operator constant is a Kubernetes volumeMounts.mountPath where trailing slash is irrelevant — the kubelet treats both identically. The sandbox uses the same path as a prefix for f"{path}/filename" where no trailing slash is correct. The spec trailing slash is a documentation convention, not a contract violation.

[coderabbitai]

🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win

Use constant error labels for the new fmt.Errorf branches.

These added paths introduce new inline error strings ("set LIGHTSPEED_PROVIDER", "add credentials volume", etc.). The repo guideline for Go files requires defining the labels as constants and wrapping with fmt.Errorf("%s: %w", Err..., err) for consistent context.

As per coding guidelines, **/*.go: Define errors as constants using const ErrFoo = "…" and wrap them with fmt.Errorf("%s: %w", …) for context.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@controller/proposal/sandbox_templates.go` around lines 267 - 334, Replace
inline error message strings in the fmt.Errorf calls with package-level constant
labels and wrap the original error using fmt.Errorf("%s: %w", Err..., err); add
const declarations (e.g. ErrSetLightspeedProvider, ErrSetLightspeedModel,
ErrAddCredentialsEnvFrom, ErrAddCredentialsVolume, ErrMountCredentials,
ErrSetProviderURL, ErrSetModelProvider, ErrSetProviderProject,
ErrSetProviderRegion, ErrSetProviderAPIVersion) and update all occurrences in
the code that call setEnvVar, addEnvFromSecret, addSecretVolume, addVolumeMount
and the provider-specific branches to use fmt.Errorf("%s: %w", <const>, err)
instead of inline strings so the error labels are consistent with the repository
guideline.

[onmete]

Skipping — pre-existing pattern across sandbox_templates.go. All existing fmt.Errorf calls use inline strings. Extracting error constants for every wrapper would be a separate refactor touching the entire file, not scoped to this PR.

[openshift-ci]

@onmete: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.