.ai/spec/what/app-server.md
24 additions & 22 deletions
@@ -5,39 +5,40 @@ The App Server is the backend deployment for OpenShift Lightspeed. It runs the l
5
5
## Behavioral Rules
6
6
7
7
### Deployment Composition
8
-
1. The deployment contains a primary API container and up to two optional sidecar containers.
8
+
1. The deployment contains a primary API container and up to three sidecar containers.
9
9
2. The primary container (lightspeed-service-api) runs the OLS service, listening on HTTPS.
10
10
3. The data collector sidecar (lightspeed-to-dataverse-exporter) is added when data collection is enabled AND the telemetry pull secret exists in the openshift-config namespace with a cloud.openshift.com auth entry.
11
11
4. The OpenShift MCP server sidecar is added when `spec.ols.introspectionEnabled` is true. It provides Kubernetes resource access via MCP protocol.
12
-
5. A PostgreSQL wait init container always runs before the main containers to ensure database readiness.
13
-
6. When `spec.ols.rag` is configured, additional init containers copy RAG data from container images into a shared volume.
12
+
5. The RHOKP sidecar is always added to the deployment. It serves OKP (Offline Knowledge Portal) content via Solr HTTP on localhost:8080, providing Red Hat product documentation for tool-based retrieval. It requires ~75 GiB ephemeral storage. The RHOKP sidecar is NOT deployed when `spec.ols.byokRAGOnly` is true.
13
+
6. A PostgreSQL wait init container always runs before the main containers to ensure database readiness.
14
+
7. When `spec.ols.rag` is configured, additional init containers copy BYOK RAG data from container images into a shared volume.
14
15
15
16
### Configuration Mapping
16
-
7. The operator generates an OLS config file (olsconfig.yaml) from the CR spec. This ConfigMap is the primary interface between the operator and the service.
17
-
8. LLM provider credentials are mounted as files from their respective secrets, at a path derived from the secret name.
18
-
9. The default credential key read from each provider's secret is "apitoken", overridable by `spec.llm.providers[].credentialKey`.
19
-
10. PostgreSQL connection settings are hardcoded to point to the operator-managed PostgreSQL service within the same namespace.
20
-
11. If `spec.ols.querySystemPrompt` is set, the custom prompt is written as a second key in the config ConfigMap and referenced by file path in the config.
21
-
12. RAG reference content indexes are ordered: user-provided (BYOK) indexes first, then the OCP documentation index (unless `spec.ols.byokRAGOnly` is true).
22
-
13. The OCP documentation RAG index path is derived from the detected OpenShift cluster version.
17
+
8. The operator generates an OLS config file (olsconfig.yaml) from the CR spec. This ConfigMap is the primary interface between the operator and the service.
18
+
9. LLM provider credentials are mounted as files from their respective secrets, at a path derived from the secret name.
19
+
10. The default credential key read from each provider's secret is "apitoken", overridable by `spec.llm.providers[].credentialKey`.
20
+
11. PostgreSQL connection settings are hardcoded to point to the operator-managed PostgreSQL service within the same namespace.
21
+
12. If `spec.ols.querySystemPrompt` is set, the custom prompt is written as a second key in the config ConfigMap and referenced by file path in the config.
22
+
13. BYOK reference content indexes from `spec.ols.rag`are configured when present. OCP documentation is served by OKP via the RHOKP sidecar, not via FAISS indexes.
23
+
14. The operator always generates a `solr_hybrid` config section in `olsconfig.yaml` pointing to `http://localhost:8080` with default hybrid retrieval tuning parameters, unless `byokRAGOnly` is true.
23
24
24
25
### MCP Server Integration
25
-
14. When `spec.ols.introspectionEnabled` is true, an "openshift" MCP server entry is added to the config pointing to localhost on the sidecar port.
26
-
15. When the MCPServer feature gate is enabled, user-defined servers from `spec.mcpServers` are added to the config.
27
-
16. MCP header values of type "secret" are mounted as files from the referenced secret. Types "kubernetes" and "client" use placeholder strings that the service resolves at runtime.
26
+
15. When `spec.ols.introspectionEnabled` is true, an "openshift" MCP server entry is added to the config pointing to localhost on the sidecar port.
27
+
16. When the MCPServer feature gate is enabled, user-defined servers from `spec.mcpServers` are added to the config.
28
+
17. MCP header values of type "secret" are mounted as files from the referenced secret. Types "kubernetes" and "client" use placeholder strings that the service resolves at runtime.
28
29
29
30
### Service and Networking
30
-
17. The service exposes HTTPS on the configured port.
31
-
18. The network policy allows ingress from: Prometheus (openshift-monitoring), OpenShift Console (openshift-console), and ingress controllers.
32
-
19. Egress is unrestricted (empty egress rules).
31
+
18. The service exposes HTTPS on the configured port.
32
+
19. The network policy allows ingress from: Prometheus (openshift-monitoring), OpenShift Console (openshift-console), and ingress controllers.
33
+
20. Egress is unrestricted (empty egress rules).
33
34
34
35
### RBAC
35
-
20. The service account is granted SubjectAccessReview and TokenReview permissions for user authorization.
36
-
21. The service account can read the cluster version and the telemetry pull secret.
36
+
21. The service account is granted SubjectAccessReview and TokenReview permissions for user authorization.
37
+
22. The service account can read the cluster version and the telemetry pull secret.
37
38
38
39
### Change Detection
39
-
22. Deployment updates are triggered when: the deployment spec changes, the config ConfigMap resource version changes, the MCP config ConfigMap resource version changes, or the proxy CA certificate hash changes.
40
-
23. When any of these change, the operator forces a rolling restart by updating a pod template annotation with the current timestamp.
40
+
23. Deployment updates are triggered when: the deployment spec changes, the config ConfigMap resource version changes, the MCP config ConfigMap resource version changes, or the proxy CA certificate hash changes.
41
+
24. When any of these change, the operator forces a rolling restart by updating a pod template annotation with the current timestamp.
41
42
42
43
### Health Probes [CHANGED: OLS-3221]
43
44
24. The app server deployment's liveness probe must point to the `/liveness` endpoint with `failureThreshold: 3` and `periodSeconds: 30`, giving the pod 90 seconds to self-heal via the background health-check loop before Kubernetes restarts it. These values are not currently user-configurable.
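Review bot: New rule 5 contradicts itself: it states the RHOKP sidecar "is always added to the deployment" and then that it "is NOT deployed when `spec.ols.byokRAGOnly` is true", and new rule 14 has the same "always ... unless" shape. Suggest stating the condition once, for example "The RHOKP sidecar is added unless `spec.ols.byokRAGOnly` is true", which also agrees with rule 1's "up to three sidecar containers". The renumbering stops at Change Detection, so the new rule 24 there collides with the unchanged rule 24 under Health Probes; the rules from that point on need shifting as well. Rule 5 says the sidecar "requires ~75 GiB ephemeral storage" but not whether the operator sets an ephemeral-storage request or limit on the container, which is the behavior a spec reader needs in order to reason about scheduling and eviction. Minor: rule 13 is missing a space in "`spec.ols.rag`are", and rule 14 writes `byokRAGOnly` without the `spec.ols.` prefix used in rule 5.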
@@ -64,12 +65,12 @@ The App Server is the backend deployment for OpenShift Lightspeed. It runs the l
64
65
|`spec.ols.logLevel`| Logging level for all service components |
65
66
|`spec.ols.maxIterations`| Maximum agent execution iterations |
66
67
|`spec.ols.querySystemPrompt`| Custom system prompt for LLM queries |