You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Removes /dev/null as placeholder for the vertex mount as /dev/null is a special file and can produce errors when being mounted. Also conflicts with :Z flag
Adds dummy placeholder.json that can fill the role.
Built-in TechDocs updated if needed. Note that TechDocs changes may need to be reviewed by a Product Manager and/or Architect to ensure content accuracy, clarity, and alignment with user needs.
How to test changes / Special notes to the reviewer
Stop using /dev/null as the default bind mount source for Vertex AI credentials with :Z
Remove the /dev/null reference
Non-compliant requirements:
(empty)
Requires further human verification:
Validate in newer Podman versions that the updated default mount (placeholder file) works and no longer errors with SELinux labeling (:Z)
Validate runtime behavior when ENABLE_VERTEX_AI=false (service should not fail due to placeholder credentials content)
⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪
🔒 Security concerns
Potential sensitive information exposure: the default now mounts a repo file as /app-root/credentials.json. Ensure placeholder.json contains no secrets and is clearly a non-secret dummy file; also confirm docs/examples don’t encourage committing real credential JSON into the repo path referenced by default.
GOOGLE_APPLICATION_CREDENTIALS is always set to /app-root/credentials.json. With the new default bind mount pointing to a placeholder file, ensure the containerized app does not attempt to parse/load credentials unless Vertex AI is enabled; otherwise startup may fail due to invalid/empty credentials JSON.
# Vertex AI credentials (only used if ENABLE_VERTEX_AI=true)# Set VERTEX_AI_CREDENTIALS_PATH in your .env file to your Google Cloud credentials JSON file path
- ${VERTEX_AI_CREDENTIALS_PATH:-./developer-lightspeed/configs/extra-files/templates/placeholder.json}:/app-root/credentials.json:Zenvironment:
GOOGLE_APPLICATION_CREDENTIALS: /app-root/credentials.json
The new default path references ./developer-lightspeed/configs/extra-files/templates/placeholder.json. Ensure this file is present in the repo and included in distributions; otherwise docker/podman compose will fail with a missing bind mount source.
# Set VERTEX_AI_CREDENTIALS_PATH in your .env file to your Google Cloud credentials JSON file path
- ${VERTEX_AI_CREDENTIALS_PATH:-./developer-lightspeed/configs/extra-files/templates/placeholder.json}:/app-root/credentials.json:Z
The credentials JSON bind mount is not marked read-only, which makes it writable inside the container. Consider mounting the credentials file as read-only (e.g., :ro alongside :Z) to reduce risk of accidental modification or tampering of sensitive auth material. (Ref 1)
# Vertex AI credentials (only used if ENABLE_VERTEX_AI=true)# Set VERTEX_AI_CREDENTIALS_PATH in your .env file to your Google Cloud credentials JSON file path
- ${VERTEX_AI_CREDENTIALS_PATH:-./developer-lightspeed/configs/extra-files/templates/placeholder.json}:/app-root/credentials.json:Zenvironment:
GOOGLE_APPLICATION_CREDENTIALS: /app-root/credentials.json
Reference reasoning: Existing Kubernetes deployment patterns mount container registry auth/credential-related files with readOnly: true, indicating the repo’s established approach is to treat credential mounts as immutable within the runtime container.
# Set VERTEX_AI_CREDENTIALS_PATH in your .env file to your Google Cloud credentials JSON file path
+# Ensure developer-lightspeed/configs/extra-files/templates/placeholder.json contains "{}"
- ${VERTEX_AI_CREDENTIALS_PATH:-./developer-lightspeed/configs/extra-files/templates/placeholder.json}:/app-root/credentials.json:Z
Apply / Chat
Suggestion importance[1-10]: 7
__
Why: The suggestion correctly identifies a potential runtime error if the placeholder file is empty and provides a simple, effective fix to improve application robustness and error handling.
Medium
General
Use absolute placeholder path
Use an absolute path for the placeholder file by prefixing the path with ${PWD} to avoid issues when running docker-compose from different directories.
Why: The suggestion correctly points out that using a relative path in a Docker Compose volume can be brittle and proposes using ${PWD} to create a more robust absolute path.
Low
Security
Mount credentials file read-only
Add the ro (read-only) flag to the volume mount for the credentials.json file to prevent the container from modifying it.
Why: This is a valuable security enhancement that follows the principle of least privilege by preventing the container from writing to the host's credentials file.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
![rhdh-qodo-merge[bot]](https://avatars.githubusercontent.com/in/1961108?s=60&v=4){kind=small}
Description
/dev/nullas placeholder for the vertex mount as/dev/nullis a special file and can produce errors when being mounted. Also conflicts with:Zflagplaceholder.jsonthat can fill the role.Which issue(s) does this PR fix or relate to
PR acceptance criteria
How to test changes / Special notes to the reviewer