Expose backend security and org authorization settings#87
Conversation
Olmo Maldonado (ibolmo)
changed the title
The chart should pass through trimmed API URL security settings without blocking render-time values, leaving mode validation to the application.
* add allowed org ids * fix: Accept PRIMARY_ORG_NAME from API env Deploys that source the primary organization through extra environment variables should satisfy the same self-hosted service-token requirement as the chart value, while still rejecting wildcard or empty orgs with no primary organization configured.
Olmo Maldonado (ibolmo)
changed the title
Olmo Maldonado (ibolmo)
changed the title
Keep outbound URL validation behavior consistent between the API and AI Gateway when operators configure shared URL security values. Update tests and value guidance to preserve trimming and ID allowlist expectations.
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: adaadcb50e
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "Codex (@codex) review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "Codex (@codex) address that feedback".
| {{- $hasPrimaryOrgNameExtraEnv = true -}} | ||
| {{- end -}} | ||
| {{- end -}} | ||
| {{- if and (or (eq $orgName "") (eq $orgName "*")) (eq $primaryOrgName "") (not $hasPrimaryOrgNameExtraEnv) -}} |
There was a problem hiding this comment.
When api.extraEnvVars sets ORG_NAME to "*" or "", this guard still evaluates only global.orgName; because api-deployment.yaml injects the ConfigMap with envFrom and then appends api.extraEnvVars under env, that explicit env var becomes the runtime value. In that override scenario the pod can still run with a wildcard/empty org and no PRIMARY_ORG_NAME, bypassing the new primary-org requirement; derive the effective org name from api.extraEnvVars here or reject unsafe ORG_NAME overrides without a primary org.
Useful? React with 👍 / 👎.
There was a problem hiding this comment.
the api handler should take care of the validation. this is more of a user/dev convenience.
3 participants
Context
Self-hosted Braintrust deployments need first-class Helm values for two backend security controls that previously required
extraEnvVars: URL-security behavior for outbound requests to user-supplied URLs, and organization authorization settings for hybrid/self-hosted data planes. This mirrors the Terraform data-plane inputs for API and AI Gateway runtime security configuration.Description
BRAINTRUST_*ConfigMap env vars for the API and AI Gateway only when trimmed values are non-empty.proxy, while preserving application defaults when values are unset.ALLOWED_ORG_IDSandPRIMARY_ORG_NAME, preserving current behavior when unset or blank.global.orgNameis empty or"*", while preserving existing deployments that already providePRIMARY_ORG_NAMEthroughapi.extraEnvVars.