Merge pull request #1897 from tisnik/lcore-1356-updated-config-docs

tisnik · web-flow · commit 9c1f722ff864 · 2026-06-11T11:49:34.000+02:00
LCORE-1356: Updated config docs
diff --git a/docs/config.html b/docs/config.html
@@ -381,6 +381,11 @@ <h2 id="authenticationconfiguration">AuthenticationConfiguration</h2>
           <td/>
           <td/>
         </tr>
+        <tr class="even">
+          <td>trusted_proxy_config</td>
+          <td/>
+          <td/>
+        </tr>
       </tbody>
     </table>
     <h2 id="authorizationconfiguration">AuthorizationConfiguration</h2>
@@ -464,7 +469,8 @@ <h2 id="byokrag">ByokRag</h2>
         <tr class="even">
           <td>rag_type</td>
           <td>string</td>
-          <td>Type of RAG database.</td>
+          <td>Type of RAG database (e.g.&#xA0;&#x2018;inline::faiss&#x2019;,
+&#x2018;remote::pgvector&#x2019;).</td>
         </tr>
         <tr class="odd">
           <td>embedding_model</td>
@@ -484,7 +490,7 @@ <h2 id="byokrag">ByokRag</h2>
         <tr class="even">
           <td>db_path</td>
           <td>string</td>
-          <td>Path to RAG database.</td>
+          <td>Path to RAG database. Required for inline::faiss.</td>
         </tr>
         <tr class="odd">
           <td>score_multiplier</td>
@@ -1993,6 +1999,61 @@ <h2 id="tlsconfiguration">TLSConfiguration</h2>
         </tr>
       </tbody>
     </table>
+    <h2 id="trustedproxyconfiguration">TrustedProxyConfiguration</h2>
+    <p>Configuration for trusted-proxy auth module.</p>
+    <table>
+      <colgroup>
+        <col style="width: 26%"/>
+        <col style="width: 23%"/>
+        <col style="width: 50%"/>
+      </colgroup>
+      <thead>
+        <tr class="header">
+          <th>Field</th>
+          <th>Type</th>
+          <th>Description</th>
+        </tr>
+      </thead>
+      <tbody>
+        <tr class="odd">
+          <td>user_header</td>
+          <td>string</td>
+          <td>HTTP header containing the forwarded user identity.</td>
+        </tr>
+        <tr class="even">
+          <td>allowed_service_accounts</td>
+          <td>array</td>
+          <td>Optional allowlist of Kubernetes ServiceAccount identities permitted
+to act as trusted proxies. When set to null/omitted, any ServiceAccount
+with a valid token is accepted. When set to a non-empty list, only the
+listed ServiceAccounts are allowed. An empty list behaves the same as
+null (no restriction).</td>
+        </tr>
+      </tbody>
+    </table>
+    <h2 id="trustedproxyserviceaccount">TrustedProxyServiceAccount</h2>
+    <p>A Kubernetes ServiceAccount identity for trusted-proxy allowlist.</p>
+    <table>
+      <thead>
+        <tr class="header">
+          <th>Field</th>
+          <th>Type</th>
+          <th>Description</th>
+        </tr>
+      </thead>
+      <tbody>
+        <tr class="odd">
+          <td>namespace</td>
+          <td>string</td>
+          <td>Kubernetes namespace of the ServiceAccount.</td>
+        </tr>
+        <tr class="even">
+          <td>name</td>
+          <td>string</td>
+          <td>Name of the Kubernetes ServiceAccount.</td>
+        </tr>
+      </tbody>
+    </table>
     <h2 id="userdatacollection">UserDataCollection</h2>
     <p>User data collection configuration.</p>
     <table>
diff --git a/docs/config.json b/docs/config.json
@@ -246,6 +246,17 @@
               }
             ],
             "default": null
+          },
+          "trusted_proxy_config": {
+            "anyOf": [
+              {
+                "$ref": "#/components/schemas/TrustedProxyConfiguration"
+              },
+              {
+                "type": "null"
+              }
+            ],
+            "default": null
           }
         },
         "title": "AuthenticationConfiguration",
@@ -1628,6 +1639,49 @@
         "title": "TLSConfiguration",
         "type": "object"
       },
+      "TrustedProxyConfiguration": {
+        "additionalProperties": false,
+        "description": "Configuration for trusted-proxy auth module.",
+        "properties": {
+          "user_header": {
+            "default": "X-Forwarded-User",
+            "description": "HTTP header containing the forwarded user identity.",
+            "title": "User identity header",
+            "type": "string"
+          },
+          "allowed_service_accounts": {
+            "type": "array",
+            "nullable": true,
+            "default": null,
+            "description": "Optional allowlist of Kubernetes ServiceAccount identities permitted to act as trusted proxies. When set to null/omitted, any ServiceAccount with a valid token is accepted. When set to a non-empty list, only the listed ServiceAccounts are allowed. An empty list behaves the same as null (no restriction).",
+            "title": "Allowed service accounts"
+          }
+        },
+        "title": "TrustedProxyConfiguration",
+        "type": "object"
+      },
+      "TrustedProxyServiceAccount": {
+        "additionalProperties": false,
+        "description": "A Kubernetes ServiceAccount identity for trusted-proxy allowlist.",
+        "properties": {
+          "namespace": {
+            "description": "Kubernetes namespace of the ServiceAccount.",
+            "title": "Namespace",
+            "type": "string"
+          },
+          "name": {
+            "description": "Name of the Kubernetes ServiceAccount.",
+            "title": "Name",
+            "type": "string"
+          }
+        },
+        "required": [
+          "namespace",
+          "name"
+        ],
+        "title": "TrustedProxyServiceAccount",
+        "type": "object"
+      },
       "UserDataCollection": {
         "additionalProperties": false,
         "description": "User data collection configuration.",
diff --git a/docs/config.md b/docs/config.md
@@ -113,6 +113,7 @@ Authentication configuration.
 | jwk_config             |         |                                                      |
 | api_key_config         |         |                                                      |
 | rh_identity_config     |         |                                                      |
+| trusted_proxy_config   |         |                                                      |
 
 
 ## AuthorizationConfiguration
@@ -149,17 +150,17 @@ BYOK (Bring Your Own Knowledge) RAG configuration.
 | Field               | Type    | Description                                                                                                                                                                                     |
 |---------------------|---------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | rag_id              | string  | Unique RAG ID                                                                                                                                                                                   |
-| rag_type            | string  | Type of RAG database.                                                                                                                                                                           |
+| rag_type            | string  | Type of RAG database (e.g. 'inline::faiss', 'remote::pgvector').                                                                                                                                |
 | embedding_model     | string  | Embedding model identification                                                                                                                                                                  |
 | embedding_dimension | integer | Dimensionality of embedding vectors.                                                                                                                                                            |
 | vector_db_id        | string  | Vector database identification.                                                                                                                                                                 |
-| db_path             | string  | Path to RAG database.                                                                                                                                                                           |
-| score_multiplier    | number  | Multiplier applied to relevance scores from this vector store. Used to weight results when querying multiple knowledge sources. Values > 1 boost this store's results; values < 1 reduce them.  |
-| host | string | PostgreSQL host for remote::pgvector. Defaults to ${env.POSTGRES_HOST} when rag_type is remote::pgvector. |
-| port | string | PostgreSQL port for remote::pgvector. Defaults to ${env.POSTGRES_PORT} when rag_type is remote::pgvector. |
-| db | string | PostgreSQL database name for remote::pgvector. Defaults to ${env.POSTGRES_DATABASE} when rag_type is remote::pgvector. |
-| user | string | PostgreSQL user for remote::pgvector. Defaults to ${env.POSTGRES_USER} when rag_type is remote::pgvector. |
-| password | string | PostgreSQL password for remote::pgvector. Defaults to ${env.POSTGRES_PASSWORD} when rag_type is remote::pgvector. |
+| db_path             | string  | Path to RAG database. Required for inline::faiss.                                                                                                                                               |
+| score_multiplier    | number  | Multiplier applied to relevance scores from this vector store. Used to weight results when querying multiple knowledge sources. Values > 1 boost this store's results; values < 1 reduce them. |
+| host                | string  | PostgreSQL host for remote::pgvector. Defaults to ${env.POSTGRES_HOST} when rag_type is remote::pgvector.                                                                                       |
+| port                | string  | PostgreSQL port for remote::pgvector. Defaults to ${env.POSTGRES_PORT} when rag_type is remote::pgvector.                                                                                       |
+| db                  | string  | PostgreSQL database name for remote::pgvector. Defaults to ${env.POSTGRES_DATABASE} when rag_type is remote::pgvector.                                                                          |
+| user                | string  | PostgreSQL user for remote::pgvector. Defaults to ${env.POSTGRES_USER} when rag_type is remote::pgvector.                                                                                       |
+| password            | string  | PostgreSQL password for remote::pgvector. Defaults to ${env.POSTGRES_PASSWORD} when rag_type is remote::pgvector.                                                                               |
 
 
 ## CORSConfiguration
@@ -750,6 +751,30 @@ Useful resources:
 | tls_key_password     | string | Path to file containing the password to decrypt the SSL/TLS private key. |
 
 
+## TrustedProxyConfiguration
+
+
+Configuration for trusted-proxy auth module.
+
+
+| Field                    | Type   | Description                                                                                                                                                                                                                                                                                                      |
+|--------------------------|--------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| user_header              | string | HTTP header containing the forwarded user identity.                                                                                                                                                                                                                                                              |
+| allowed_service_accounts | array  | Optional allowlist of Kubernetes ServiceAccount identities permitted to act as trusted proxies. When set to null/omitted, any ServiceAccount with a valid token is accepted. When set to a non-empty list, only the listed ServiceAccounts are allowed. An empty list behaves the same as null (no restriction). |
+
+
+## TrustedProxyServiceAccount
+
+
+A Kubernetes ServiceAccount identity for trusted-proxy allowlist.
+
+
+| Field     | Type   | Description                                 |
+|-----------|--------|---------------------------------------------|
+| namespace | string | Kubernetes namespace of the ServiceAccount. |
+| name      | string | Name of the Kubernetes ServiceAccount.      |
+
+
 ## UserDataCollection
 
 
