Commit e18d534

Merge pull request #1731 from onmete/okp-adoption-specs
OLS-2607 update specs for OKP adoption
2 parents d2814f5 + 2460d14 commit e18d534

3 files changed

Lines changed: 44 additions & 29 deletions

.ai/spec/how/config-generation.md

Lines changed: 13 additions & 7 deletions
@@ -68,15 +68,21 @@ ols_config:
6868
tls_config:
6969
tls_certificate_path: /etc/certs/lightspeed-tls/tls.crt
7070
tls_key_path: /etc/certs/lightspeed-tls/tls.key
71-
reference_content:
71+
reference_content: # only when spec.ols.rag is configured (BYOK)
7272
indexes:
73-
- path: /app-root/rag/rag-0 # BYOK first (one per spec.ols.rag entry)
73+
- path: /app-root/rag/rag-0 # one per spec.ols.rag entry
7474
index_id: <rag.IndexID>
7575
origin: <rag.Image>
76-
- path: /app-root/vector_db/ocp_product_docs/<major>.<minor> # OCP docs (unless byokRAGOnly)
77-
index_id: ocp-product-docs-<major>_<minor>
78-
origin: "Red Hat OpenShift <major>.<minor> documentation"
7976
embeddings_model_path: /app-root/embeddings_model
77+
# OCP docs FAISS index entry removed — OCP docs are served by OKP via the RHOKP sidecar.
78+
79+
solr_hybrid: # always present unless byokRAGOnly
80+
solr_http_base: "http://localhost:8080"
81+
max_results: 10
82+
hybrid_vector_boost: 8.0
83+
hybrid_pool_docs: 100
84+
hybrid_score_threshold: 0.0
85+
hybrid_solr_timeout_s: 60
8086
user_data_collection:
8187
feedback_disabled: <computed: CRvalue || !dataCollectorEnabled>
8288
feedback_storage: /app-root/ols-user-data/feedback
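Review bot: The two presence conditions in this hunk leave one combination unspecified. `reference_content` is emitted "only when spec.ols.rag is configured" and `solr_hybrid` is "always present unless byokRAGOnly", so a CR with `byokRAGOnly: true` and no `spec.ols.rag` entries yields neither section. State whether that CR is rejected or produces a config with no retrieval source. The `# OCP docs FAISS index entry removed` line records the change rather than the target format; it fits the commit message better than the example YAML.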
@@ -201,8 +207,8 @@ These schemas are created by the bootstrap script.
201207
| Log level | CR `spec.ols.logLevel` | Enum: DEBUG, INFO, WARNING, ERROR, CRITICAL. Default: INFO |
202208
| PostgreSQL connection | `utils/constants.go` | Host built from service name + namespace + ".svc" |
203209
| TLS certs | Service-ca operator or user-provided secret | Path: `/etc/certs/lightspeed-tls/` |
204-
| RAG indexes | CR `spec.ols.rag[]` | File paths in config YAML |
205-
| OpenShift version | Reconciler options | Used for OCP docs RAG index path |
210+
| BYOK RAG indexes | CR `spec.ols.rag[]` | File paths in config YAML (BYOK only) |
211+
| RHOKP image | `--rhokp-image` flag | Image for RHOKP sidecar container |
206212
| MCP servers | CR `spec.mcpServers[]` + `spec.ols.introspectionEnabled` | Feature gated by `MCPServer` gate |
207213
| Tool filtering | CR `spec.ols.toolFilteringConfig` | Feature gated by `ToolFiltering` gate; requires MCP servers |
208214
| Proxy config | CR `spec.ols.proxyConfig` | Proxy URL + optional CA cert configmap |
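Review bot: The new `RHOKP image` row describes a deployment input, and nothing in the `olsconfig.yaml` example in this file consumes it; the same row is added to deployment-generation.md in this commit. Consider dropping it here and adding a row for the `solr_hybrid` values instead, naming where `solr_http_base` and the tuning defaults are defined, since the example above hard-codes them without a source.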

.ai/spec/how/deployment-generation.md

Lines changed: 7 additions & 0 deletions
@@ -39,6 +39,11 @@ GenerateOLSDeployment(r, cr)
3939
18. Set owner reference to OLSConfig CR
4040
19. Conditionally add data collector sidecar container ("lightspeed-to-dataverse-exporter")
4141
20. Conditionally add OpenShift MCP server sidecar container ("openshift-mcp-server")
42+
21. Conditionally add RHOKP sidecar container ("rhokp") — always added unless byokRAGOnly is true.
43+
Container: image from r.GetRHOKPImage(), port 8080, resources 2 CPU / 2 GiB RAM / 75 GiB ephemeral,
44+
startup script disables Apache Listen 0.0.0.0:8443 to avoid port conflict.
45+
Optional ACCESS_KEY env from rhokp-access-key secret.
46+
Writable root filesystem (Solr data).
4247
```
4348

4449
### Change Detection Pattern
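Review bot: Step 21 specifies a "Writable root filesystem (Solr data)" for the `rhokp` container without naming the path Solr writes to. If only the Solr data directory needs to be writable, specify a dedicated emptyDir mount for it and keep the root filesystem read-only; otherwise record why the whole root must be writable. The step also leaves two things open: which address port 8080 binds to (the config only ever reaches it via localhost), and whether `ACCESS_KEY` could be mounted as a file, as app-server.md already requires for LLM provider credentials, rather than passed as an env var.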
@@ -63,6 +68,7 @@ Default resources by container:
6368
| AppServer `lightspeed-service-api` | 500m | - | 1Gi | 4Gi |
6469
| Data collector | 50m | - | 64Mi | 200Mi |
6570
| MCP server | 50m | - | 64Mi | 200Mi |
71+
| RHOKP `rhokp` | 2000m | 2000m | 2Gi | 2Gi |
6672

6773
### Volume/Mount Construction
6874
Volumes and mounts are built as slices and conditionally appended using inline append patterns.
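Review bot: The new `rhokp` row carries only CPU and memory values, while step 21 in this file also gives the container 75 GiB of ephemeral storage. State whether that figure is set as an ephemeral-storage request, a limit, or both, and add it to this table; without a request the scheduler does not account for it when placing the pod, and with a limit the kubelet evicts the pod once usage exceeds it.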
@@ -100,6 +106,7 @@ Both must be true. The service ID is `"ols"` unless the CR has `openstack.org/li
100106
| Volume configmaps | Generated ConfigMaps | OLS config, nginx config, MCP server config |
101107
| Proxy env vars | `utils.GetProxyEnvVars()` | HTTP_PROXY, HTTPS_PROXY, NO_PROXY from cluster |
102108
| RAG images | CR `spec.ols.rag[].image` | Container images for init containers |
109+
| RHOKP image | `--rhokp-image` flag | Container image for RHOKP sidecar |
103110

104111
## Agentic Controller Deployment (OLM-managed)
105112
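Review bot: The `RHOKP image` row gives `--rhokp-image` as the only source but not what the reconciler does when the flag is empty and `byokRAGOnly` is false. Document the default or the failure mode, and say whether the reference is expected to be pinned by digest, since this image runs in the same pod as the API container.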

.ai/spec/what/app-server.md

Lines changed: 24 additions & 22 deletions
@@ -5,39 +5,40 @@ The App Server is the backend deployment for OpenShift Lightspeed. It runs the l
55
## Behavioral Rules
66

77
### Deployment Composition
8-
1. The deployment contains a primary API container and up to two optional sidecar containers.
8+
1. The deployment contains a primary API container and up to three sidecar containers.
99
2. The primary container (lightspeed-service-api) runs the OLS service, listening on HTTPS.
1010
3. The data collector sidecar (lightspeed-to-dataverse-exporter) is added when data collection is enabled AND the telemetry pull secret exists in the openshift-config namespace with a cloud.openshift.com auth entry.
1111
4. The OpenShift MCP server sidecar is added when `spec.ols.introspectionEnabled` is true. It provides Kubernetes resource access via MCP protocol.
12-
5. A PostgreSQL wait init container always runs before the main containers to ensure database readiness.
13-
6. When `spec.ols.rag` is configured, additional init containers copy RAG data from container images into a shared volume.
12+
5. The RHOKP sidecar is always added to the deployment. It serves OKP (Offline Knowledge Portal) content via Solr HTTP on localhost:8080, providing Red Hat product documentation for tool-based retrieval. It requires ~75 GiB ephemeral storage. The RHOKP sidecar is NOT deployed when `spec.ols.byokRAGOnly` is true.
13+
6. A PostgreSQL wait init container always runs before the main containers to ensure database readiness.
14+
7. When `spec.ols.rag` is configured, additional init containers copy BYOK RAG data from container images into a shared volume.
1415

1516
### Configuration Mapping
16-
7. The operator generates an OLS config file (olsconfig.yaml) from the CR spec. This ConfigMap is the primary interface between the operator and the service.
17-
8. LLM provider credentials are mounted as files from their respective secrets, at a path derived from the secret name.
18-
9. The default credential key read from each provider's secret is "apitoken", overridable by `spec.llm.providers[].credentialKey`.
19-
10. PostgreSQL connection settings are hardcoded to point to the operator-managed PostgreSQL service within the same namespace.
20-
11. If `spec.ols.querySystemPrompt` is set, the custom prompt is written as a second key in the config ConfigMap and referenced by file path in the config.
21-
12. RAG reference content indexes are ordered: user-provided (BYOK) indexes first, then the OCP documentation index (unless `spec.ols.byokRAGOnly` is true).
22-
13. The OCP documentation RAG index path is derived from the detected OpenShift cluster version.
17+
8. The operator generates an OLS config file (olsconfig.yaml) from the CR spec. This ConfigMap is the primary interface between the operator and the service.
18+
9. LLM provider credentials are mounted as files from their respective secrets, at a path derived from the secret name.
19+
10. The default credential key read from each provider's secret is "apitoken", overridable by `spec.llm.providers[].credentialKey`.
20+
11. PostgreSQL connection settings are hardcoded to point to the operator-managed PostgreSQL service within the same namespace.
21+
12. If `spec.ols.querySystemPrompt` is set, the custom prompt is written as a second key in the config ConfigMap and referenced by file path in the config.
22+
13. BYOK reference content indexes from `spec.ols.rag` are configured when present. OCP documentation is served by OKP via the RHOKP sidecar, not via FAISS indexes.
23+
14. The operator always generates a `solr_hybrid` config section in `olsconfig.yaml` pointing to `http://localhost:8080` with default hybrid retrieval tuning parameters, unless `byokRAGOnly` is true.
2324

2425
### MCP Server Integration
25-
14. When `spec.ols.introspectionEnabled` is true, an "openshift" MCP server entry is added to the config pointing to localhost on the sidecar port.
26-
15. When the MCPServer feature gate is enabled, user-defined servers from `spec.mcpServers` are added to the config.
27-
16. MCP header values of type "secret" are mounted as files from the referenced secret. Types "kubernetes" and "client" use placeholder strings that the service resolves at runtime.
26+
15. When `spec.ols.introspectionEnabled` is true, an "openshift" MCP server entry is added to the config pointing to localhost on the sidecar port.
27+
16. When the MCPServer feature gate is enabled, user-defined servers from `spec.mcpServers` are added to the config.
28+
17. MCP header values of type "secret" are mounted as files from the referenced secret. Types "kubernetes" and "client" use placeholder strings that the service resolves at runtime.
2829

2930
### Service and Networking
30-
17. The service exposes HTTPS on the configured port.
31-
18. The network policy allows ingress from: Prometheus (openshift-monitoring), OpenShift Console (openshift-console), and ingress controllers.
32-
19. Egress is unrestricted (empty egress rules).
31+
18. The service exposes HTTPS on the configured port.
32+
19. The network policy allows ingress from: Prometheus (openshift-monitoring), OpenShift Console (openshift-console), and ingress controllers.
33+
20. Egress is unrestricted (empty egress rules).
3334

3435
### RBAC
35-
20. The service account is granted SubjectAccessReview and TokenReview permissions for user authorization.
36-
21. The service account can read the cluster version and the telemetry pull secret.
36+
21. The service account is granted SubjectAccessReview and TokenReview permissions for user authorization.
37+
22. The service account can read the cluster version and the telemetry pull secret.
3738

3839
### Change Detection
39-
22. Deployment updates are triggered when: the deployment spec changes, the config ConfigMap resource version changes, the MCP config ConfigMap resource version changes, or the proxy CA certificate hash changes.
40-
23. When any of these change, the operator forces a rolling restart by updating a pod template annotation with the current timestamp.
40+
23. Deployment updates are triggered when: the deployment spec changes, the config ConfigMap resource version changes, the MCP config ConfigMap resource version changes, or the proxy CA certificate hash changes.
41+
24. When any of these change, the operator forces a rolling restart by updating a pod template annotation with the current timestamp.
4142

4243
### Health Probes [CHANGED: OLS-3221]
4344
24. The app server deployment's liveness probe must point to the `/liveness` endpoint with `failureThreshold: 3` and `periodSeconds: 30`, giving the pod 90 seconds to self-heal via the background health-check loop before Kubernetes restarts it. These values are not currently user-configurable.
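Review bot: The renumbering stops at the Change Detection section, so rule 24 now appears twice: "24. When any of these change, ..." and the unchanged "24. The app server deployment's liveness probe ..." under Health Probes. Renumber the Health Probes rules and anything after them. Rule 5 also contradicts itself within one paragraph ("always added", then "NOT deployed when `spec.ols.byokRAGOnly` is true"); the wording in deployment-generation.md, "always added unless byokRAGOnly is true", is clearer. The Change Detection triggers in rule 23 do not mention the RHOKP image or the rhokp-access-key secret; say whether a change to either restarts the pod.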
@@ -64,12 +65,12 @@ The App Server is the backend deployment for OpenShift Lightspeed. It runs the l
6465
| `spec.ols.logLevel` | Logging level for all service components |
6566
| `spec.ols.maxIterations` | Maximum agent execution iterations |
6667
| `spec.ols.querySystemPrompt` | Custom system prompt for LLM queries |
67-
| `spec.ols.byokRAGOnly` | Skip OCP documentation RAG index |
68+
| `spec.ols.byokRAGOnly` | Disable OKP (RHOKP sidecar not deployed, solr_hybrid config not generated). Only BYOK FAISS indexes are used. |
6869
| `spec.ols.introspectionEnabled` | Enable OpenShift MCP server sidecar |
6970
| `spec.ols.userDataCollection.feedbackDisabled` | Disable feedback collection |
7071
| `spec.ols.userDataCollection.transcriptsDisabled` | Disable transcript collection |
7172
| `spec.ols.queryFilters` | Query text pattern replacements |
72-
| `spec.ols.rag` | RAG database image references |
73+
| `spec.ols.rag` | BYOK RAG database image references |
7374
| `spec.ols.imagePullSecrets` | Pull secrets for RAG images |
7475
| `spec.ols.quotaHandlersConfig` | Token quota limiter configuration |
7576
| `spec.ols.toolFilteringConfig` | Tool filtering parameters (requires ToolFiltering feature gate) |
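Review bot: The unchanged `spec.ols.imagePullSecrets` row still reads "Pull secrets for RAG images", and the `spec.ols.rag` row above it is now narrowed to BYOK. State whether those pull secrets also apply to the RHOKP sidecar image, and update the description to match.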
@@ -82,6 +83,7 @@ The App Server is the backend deployment for OpenShift Lightspeed. It runs the l
8283
2. Tool filtering requires MCP servers to be configured (either introspection or user-defined).
8384
3. The service always connects to PostgreSQL via the internal cluster service DNS.
8485
4. RAG init containers run in index order, copying data to subdirectories of the shared RAG volume.
86+
5. The RHOKP sidecar requires approximately 75 GiB of ephemeral storage for Solr data. This must be documented in product infrastructure requirements.
8587

8688
## Planned Changes
8789
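Review bot: Item 5 mixes a constraint with a task. "This must be documented in product infrastructure requirements" is an action item and belongs under Planned Changes or in the tracking issue; the constraint itself repeats rule 5 of Deployment Composition, where the figure is written "~75 GiB", while deployment-generation.md gives a flat 75 GiB. Pick one form and state it once.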
