Skip to content

Add BYOK knowledge source support#264

Open
rajin-kichannagari wants to merge 11 commits into
redhat-ai-dev:developmentfrom
rajin-kichannagari:byok-knowledge-source
Open

Add BYOK knowledge source support#264
rajin-kichannagari wants to merge 11 commits into
redhat-ai-dev:developmentfrom
rajin-kichannagari:byok-knowledge-source

Conversation

@rajin-kichannagari

Copy link
Copy Markdown

What does this PR do?

Adds BYOK (Bring Your Own Knowledge) RAG support to the rolling demo. Includes a sample BYOK vector DB built from 3 internal RHDH team docs, configured with rag.tool for multi-source retrieval alongside product docs.

How to test changes / Special notes to the reviewer

  • Deploy with make install-no-rhoai
  • You may need to start you rquestion to Lightspeed with: "According to our internal documentation, ..." — should return BYOK sources
  • rag.tool is probabilistic — explicit prompts trigger file_search reliably, generic questions may not (LCORE tool_choice behavior)
  • Notebook test: BYOK sources do not leak into notebook responses with rag.tool

@qodo-code-review

Copy link
Copy Markdown

PR Summary by Qodo

Add BYOK RAG knowledge source support to rolling demo

✨ Enhancement ⚙️ Configuration changes 📝 Documentation 🕐 40+ Minutes

Grey Divider

AI Description

• Add a sample BYOK FAISS vector store and build tooling for internal docs.
• Configure Lightspeed to retrieve from product docs plus BYOK via rag.tool.
• Update Helm/CI values to stage/merge BYOK data and use guest sign-in.
Diagram

graph TD
  V["Helm values"] --> B["Backstage init: stage BYOK"] --> S[("Shared RAG volume")] --> L["Lightspeed init: copy+merge"] --> LS["Lightspeed Stack"] --> R["rag.tool: multi-source"]
  CM["ConfigMap: lightspeed-stack-config"] --> LS
  CI["CI values override"] --> S
Loading
High-Level Assessment

The following are alternative approaches to this PR:

1. Mount BYOK vector DB as a dedicated volume (no merge/copy)
  • ➕ Avoids copying large artifacts at pod start
  • ➕ Clear separation of product vs BYOK sources (paths/ownership)
  • ➕ Easier to swap BYOK datasets per environment
  • ➖ Requires Lightspeed/byok_rag config to support multiple mount points cleanly
  • ➖ May complicate chart values and volume wiring across environments
2. Externalize vector stores to PVC/object storage (S3/OCI)
  • ➕ No large images; easier updates without rebuilds
  • ➕ Operationally closer to production BYOK patterns
  • ➕ Supports bigger datasets and multiple tenants/orgs
  • ➖ Adds infra dependencies (storage creds, lifecycle, backups)
  • ➖ More moving parts for a rolling demo environment
3. Bake BYOK content into the Lightspeed stack image
  • ➕ Simplest runtime (no extra init containers)
  • ➕ Fewer volume/permission concerns at startup
  • ➖ Couples content updates to stack image releases
  • ➖ Harder to demonstrate “bring your own” as a separate deliverable

Recommendation: For a demo, the current approach (separate BYOK image + staging initContainer + merge step + rag.tool configuration) is a good balance of clarity and low operational overhead. If this pattern is promoted beyond demo use, prefer a dedicated volume or external storage approach to avoid image rebuilds and reduce init-time copying, and ensure the auth changes (guest sign-in / disabled custom sign-in page) are gated per-environment.

Files changed (9) +374 / -5

Enhancement (1) +35 / -0
custom_processor.pyAdd custom rag-content processor for BYOK doc ingestion +35/-0

Add custom rag-content processor for BYOK doc ingestion

• Provides a small processor wrapper that assigns a fixed URL in metadata and runs rag-content DocumentProcessor to chunk, embed, and persist a FAISS vector store.

byok/custom_processor.py

Documentation (4) +188 / -0
README.mdDocument the sample BYOK vector store and rebuild steps +35/-0

Document the sample BYOK vector store and rebuild steps

• Adds usage notes for the prebuilt vector store (vector_store_id, embedding model, db path) and commands to build/push the BYOK image or regenerate embeddings using rag-content.

byok/README.md

RHDH AI Feature Exploration Process.mdAdd sample internal doc content for BYOK ingestion +35/-0

Add sample internal doc content for BYOK ingestion

• Adds a markdown doc (with frontmatter title/url) intended as input material for building the BYOK vector store.

byok/docs/RHDH AI Feature Exploration Process.md

RHDH Engineering Workflow.mdAdd engineering workflow sample doc for BYOK ingestion +37/-0

Add engineering workflow sample doc for BYOK ingestion

• Adds a second markdown doc used to populate the BYOK vector store and validate retrieval behavior.

byok/docs/RHDH Engineering Workflow.md

RHDH Onboarding.mdAdd onboarding sample doc for BYOK ingestion +81/-0

Add onboarding sample doc for BYOK ingestion

• Adds onboarding markdown content (with frontmatter) to serve as additional BYOK corpus data for vectorization and retrieval.

byok/docs/RHDH Onboarding.md

Other (4) +151 / -5
ContainerfileAdd minimal BYOK image packaging a prebuilt vector DB +2/-0

Add minimal BYOK image packaging a prebuilt vector DB

• Introduces a UBI micro-based image that ships the BYOK FAISS vector_db under /byok/vector_db for staging into the deployment.

byok/Containerfile

lightspeed-stack-config.yamlAdd Lightspeed stack ConfigMap enabling BYOK rag.tool sources +47/-0

Add Lightspeed stack ConfigMap enabling BYOK rag.tool sources

• Creates a lightspeed-stack-config ConfigMap defining a byok_rag FAISS source (custom-org-docs) and configuring rag.tool to query both product docs and BYOK.

charts/rhdh/templates/lightspeed-stack-config.yaml

values.yamlWire BYOK staging/merge init containers and switch demo auth to guest +61/-5

Wire BYOK staging/merge init containers and switch demo auth to guest

• Disables the custom sign-in page plugin, changes sign-in to guest (development), overrides the Lightspeed backend plugin image, and wires init containers to stage BYOK vector_db then merge it into the standard RAG data path. Also switches Lightspeed stack configMap creation to use the new lightspeed-stack-config template.

charts/rhdh/values.yaml

values-ci.yamlUpdate CI overrides for BYOK RAG directory/init behavior +41/-0

Update CI overrides for BYOK RAG directory/init behavior

• Ensures the custom_docs directory exists for CI runs and adds an initContainer override to initialize BYOK vector DB paths in the shared RAG volume.

ci/values-ci.yaml

ⓘ You are approaching your monthly quota for Qodo. Upgrade your plan

@qodo-code-review

qodo-code-review Bot commented Jul 14, 2026

Copy link
Copy Markdown

Code Review by Qodo

🐞 Bugs (1) 📘 Rule violations (1) 📜 Skill insights (0)

Context used
✅ Compliance rules (platform): 4 rules

Grey Divider


Action required

1. Invalid lightspeed-backend OCI tag ✓ Resolved 📘 Rule violation ≡ Correctness
Description
The modified dynamic plugin package reference uses a tag that does not match the required
bs_<backstage-version>__<plugin-version> format. This breaks the enforced tag convention and can
cause inconsistent plugin versioning in deployments.
Code

charts/rhdh/values.yaml[349]

+      - package: oci://quay.io/rh-ee-rkichann/rhdh-plugin-lightspeed-backend:byok-fix!red-hat-developer-hub-backstage-plugin-lightspeed-backend
Relevance

⭐⭐⭐ High

Repo accepted enforcing pinned bs_<ver>__<ver> OCI tags in values.yaml (PR #63).

PR-#63

ⓘ Recommendations generated based on similar findings in past PRs

Evidence
PR Compliance ID 902156 requires OCI plugin tags in charts/rhdh/values.yaml to match
bs_<backstage-version>__<plugin-version>. The updated package tag is
byok-fix!red-hat-developer-hub-backstage-plugin-lightspeed-backend, which lacks the bs_ prefix
and __ separator.

Rule 902156: Enforce OCI plugin image tag format in charts/rhdh/values.yaml
charts/rhdh/values.yaml[349-349]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The OCI plugin image tag in `charts/rhdh/values.yaml` does not follow the required `bs_<backstage-version>__<plugin-version>` format.

## Issue Context
Compliance requires all plugin tags in `charts/rhdh/values.yaml` to start with `bs_` and contain exactly one `__` separator with non-empty version segments.

## Fix Focus Areas
- charts/rhdh/values.yaml[349-349]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools


2. Internal content checked in 🐞 Bug ⛨ Security
Description
The PR adds internal RHDH team documentation and packages it into a BYOK vector DB/container,
exposing internal processes/URLs to anyone who can access this repo or the resulting image. This is
a confidentiality/security leak and can violate content handling policies.
Code

byok/README.md[R3-6]

+Sample BYOK (Bring Your Own Knowledge) vector database for the AI Rolling Demo.
+
+Contains internal RHDH team docs (Feature Exploration Process, Engineering Workflow, Onboarding), built into a FAISS vector DB using [rag-content](https://github.com/lightspeed-core/rag-content) tooling.
+
Relevance

⭐⭐ Medium

No prior findings about internal/VPN docs in repo; only internal-ish URLs in setup docs seen.

ⓘ Recommendations generated based on similar findings in past PRs

Evidence
The README explicitly states the vector DB contains internal RHDH team docs, and the added markdown
sources contain internal-only URLs (VPN-required devhub/gitlab). The Containerfile copies the vector
DB into the image, making the internal content distributable as a container artifact.

byok/README.md[3-6]
byok/docs/RHDH Onboarding.md[1-11]
byok/Containerfile[1-2]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
Internal RHDH team docs are being committed under `byok/docs/` and explicitly used to build/distribute a prebuilt FAISS vector DB (`byok/vector_db`) that is copied into an image. This broadens distribution of internal-only information (internal URLs, processes, tooling links) and should not ship in this repository by default.

### Issue Context
This repo appears to be a demo/deployment artifact; committing internal team onboarding/workflow content (and embedding it into a distributable vector store) creates a persistent disclosure path.

### Fix Focus Areas
- byok/README.md[1-6]
- byok/Containerfile[1-2]
- byok/docs/RHDH Onboarding.md[1-11]
- byok/docs/RHDH AI Feature Exploration Process.md[1-5]

### Recommended fix
1. Remove the internal documents from the repo (and remove any derived vector DB built from them).
2. Replace them with sanitized/public sample documents (or lorem-ipsum style content) that are explicitly safe to distribute.
3. If BYOK needs to be demonstrated with internal content, move it to a private repo/artifact store and keep this repo referencing only a safe sample (or require users to build the vector DB locally from their own private sources).

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools


3. Guest login default ✓ Resolved 🐞 Bug ⛨ Security
Description
The chart defaults Backstage auth to development, enables the guest provider with
dangerouslyAllowOutsideDevelopment: true, and selects guest as the sign-in page, allowing
unauthenticated access when these defaults are deployed. This can expose catalog/integrations/AI
functionality without identity controls.
Code

charts/rhdh/values.yaml[R422-427]

+          environment: development
          session:
            secret: "${BACKEND_SECRET}"
          providers:
+            guest:
+              dangerouslyAllowOutsideDevelopment: true
Relevance

⭐⭐ Medium

No historical review evidence around guest auth defaults / auth.environment=development in chart
values.

ⓘ Recommendations generated based on similar findings in past PRs

Evidence
The values file explicitly sets auth.environment: development and enables the guest provider with
dangerouslyAllowOutsideDevelopment: true, and separately selects guest as the sign-in page.

charts/rhdh/values.yaml[421-428]
charts/rhdh/values.yaml[499-503]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
`charts/rhdh/values.yaml` now configures Backstage to run in `development` auth mode and enables `guest` sign-in (including `dangerouslyAllowOutsideDevelopment: true`) while setting `signInPage: guest`. This makes unauthenticated access the default behavior for anyone deploying the chart as-is.

### Issue Context
Even if this is intended for a demo, `values.yaml` acts as the baseline configuration and is easy to deploy into shared clusters/namespaces. Leaving guest auth as the default creates an easy foot-gun.

### Fix Focus Areas
- charts/rhdh/values.yaml[421-428]
- charts/rhdh/values.yaml[499-503]

### Recommended fix
1. Revert defaults to production-safe settings (e.g., `auth.environment: production` and `signInPage: oidc`).
2. Gate guest auth behind an explicit values flag (e.g., `global.demoGuestAuth.enabled: true`) and only enable `dangerouslyAllowOutsideDevelopment` when that flag is set.
3. Optionally provide a separate demo values file (e.g., `values-demo.yaml`) that enables guest auth, keeping the main defaults safe.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools



Remediation recommended

4. Mutable personal images ✓ Resolved 🐞 Bug ☼ Reliability
Description
The chart and CI reference mutable :latest images and personal Quay namespaces for critical
components (BYOK init image and Lightspeed backend plugin), making deployments non-reproducible and
fragile if tags are moved or images are removed. imagePullPolicy: Always amplifies this by pulling
whatever the tag currently points to on each restart.
Code

charts/rhdh/values.yaml[R741-743]

+        - name: byok-rag-init
+          image: quay.io/rh-ee-rkichann/byok-sample:latest
+          imagePullPolicy: Always
Relevance

⭐⭐⭐ High

Team has enforced avoiding :latest by switching images to immutable digests for reproducibility (PR
#72).

PR-#72

ⓘ Recommendations generated based on similar findings in past PRs

Evidence
The runtime values and CI values explicitly reference :latest tags and personal namespaces for the
BYOK init container and Lightspeed backend plugin, and CI uses busybox:latest. The BYOK
Containerfile also uses a floating ubi9-micro:latest base image, further reducing reproducibility.

charts/rhdh/values.yaml[349-350]
charts/rhdh/values.yaml[741-744]
ci/values-ci.yaml[50-52]
byok/Containerfile[1-2]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
Several runtime/CI image references are mutable (`:latest`) and/or come from a personal namespace, which makes builds/deployments hard to reproduce and increases the chance of unexpected breakage over time.

### Issue Context
- Runtime uses `quay.io/rh-ee-rkichann/byok-sample:latest` with `imagePullPolicy: Always`.
- CI uses `busybox:latest`.
- The Lightspeed backend plugin package points at a personal Quay namespace.

### Fix Focus Areas
- charts/rhdh/values.yaml[349-350]
- charts/rhdh/values.yaml[741-744]
- ci/values-ci.yaml[50-52]
- byok/Containerfile[1-2]

### Recommended fix
1. Replace `:latest` tags with immutable version tags, and preferably pin by digest (e.g., `image@sha256:...`) for runtime-critical images.
2. Move/demo images to an org-owned namespace (or make them configurable via values with safe defaults).
3. For CI, pin `busybox` to a stable version/digest to avoid surprise failures.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools



Informational

5. Hardcoded Authorization header 📘 Rule violation ⛨ Security
Description
The new ConfigMap hardcodes an Authorization header value instead of sourcing it from a Kubernetes
Secret or other approved mechanism. If this value is ever a real credential/token, it risks
accidental exposure and violates the secret-management policy.
Code

charts/rhdh/templates/lightspeed-stack-config.yaml[R34-35]

+        authorization_headers:
+          Authorization: "client"
Relevance

⭐ Low

Same hardcoded Authorization: "client" was added/kept in merged PR #90.

PR-#90

ⓘ Recommendations generated based on similar findings in past PRs

Evidence
PR Compliance ID 902158 requires sensitive values (tokens/credentials) to be managed via approved
scripts and Kubernetes Secrets, not embedded inline in manifests/charts. The new ConfigMap includes
authorization_headers: Authorization: client as a literal value.

Rule 902158: Manage credentials only via approved scripts and Kubernetes secrets
charts/rhdh/templates/lightspeed-stack-config.yaml[30-36]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
A fixed `Authorization` header value is embedded directly in a Helm-rendered ConfigMap, rather than being provided via Kubernetes Secrets / approved secret-loading mechanisms.

## Issue Context
Even if the current value is a placeholder, putting auth headers inline in manifests makes it easy for real credentials to be committed later and violates the intent of the credential-management policy.

## Fix Focus Areas
- charts/rhdh/templates/lightspeed-stack-config.yaml[30-36]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools


Grey Divider

ⓘ You are approaching your monthly quota for Qodo. Upgrade your plan

Qodo Logo

Comment thread charts/rhdh/values.yaml Outdated
Comment thread byok/README.md
Comment on lines +3 to +6
Sample BYOK (Bring Your Own Knowledge) vector database for the AI Rolling Demo.

Contains internal RHDH team docs (Feature Exploration Process, Engineering Workflow, Onboarding), built into a FAISS vector DB using [rag-content](https://github.com/lightspeed-core/rag-content) tooling.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Action required

3. Internal content checked in 🐞 Bug ⛨ Security

The PR adds internal RHDH team documentation and packages it into a BYOK vector DB/container,
exposing internal processes/URLs to anyone who can access this repo or the resulting image. This is
a confidentiality/security leak and can violate content handling policies.
Agent Prompt
### Issue description
Internal RHDH team docs are being committed under `byok/docs/` and explicitly used to build/distribute a prebuilt FAISS vector DB (`byok/vector_db`) that is copied into an image. This broadens distribution of internal-only information (internal URLs, processes, tooling links) and should not ship in this repository by default.

### Issue Context
This repo appears to be a demo/deployment artifact; committing internal team onboarding/workflow content (and embedding it into a distributable vector store) creates a persistent disclosure path.

### Fix Focus Areas
- byok/README.md[1-6]
- byok/Containerfile[1-2]
- byok/docs/RHDH Onboarding.md[1-11]
- byok/docs/RHDH AI Feature Exploration Process.md[1-5]

### Recommended fix
1. Remove the internal documents from the repo (and remove any derived vector DB built from them).
2. Replace them with sanitized/public sample documents (or lorem-ipsum style content) that are explicitly safe to distribute.
3. If BYOK needs to be demonstrated with internal content, move it to a private repo/artifact store and keep this repo referencing only a safe sample (or require users to build the vector DB locally from their own private sources).

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

Comment thread charts/rhdh/values.yaml Outdated
Comment thread charts/rhdh/values.yaml

@Jdubrick Jdubrick left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we might need to see if we can get unblocked on the plugin builds before merging changes

Comment on lines 1 to +47
kind: ConfigMap
apiVersion: v1
metadata:
name: lightspeed-stack-config
namespace: {{ .Release.Namespace }}
data:
lightspeed-stack.yaml: |
name: lightspeed-core-stack
service:
host: ${env.SERVICE_HOST:=127.0.0.1}
host: 0.0.0.0
port: 8080
auth_enabled: false
workers: 1
color_log: true
access_log: true
llama_stack:
use_as_library_client: true
config:
profile: /app-root/config.yaml
inference:
providers:
- type: vllm
id: vllm
api_key_env: VLLM_API_KEY
extra:
base_url: ${env.VLLM_URL:=}
max_tokens: ${env.VLLM_MAX_TOKENS:=4096}
network:
tls:
verify: ${env.VLLM_TLS_VERIFY:=true}
- type: openai
id: openai
api_key_env: OPENAI_API_KEY
extra:
allowed_models:
- gpt-4o-mini
- gpt-5.1
- gpt-4.1-mini
- gpt-4.1-nano
- type: sentence_transformers
library_client_config_path: /app-root/config.yaml
user_data_collection:
feedback_enabled: true
feedback_storage: '/tmp/data/feedback'
authentication:
module: 'noop'
conversation_cache:
type: 'sqlite'
sqlite:
db_path: '/tmp/cache.db'
customization:
profile_path: '/app-root/rhdh-profile.py'
mcp_servers:
- name: mcp-integration-tools
provider_id: 'model-context-protocol'
url: 'http://localhost:7007/api/mcp-actions/v1'
provider_id: "model-context-protocol"
url: "http://localhost:7007/api/mcp-actions/v1"
authorization_headers:
Authorization: 'client'
Authorization: "client"
byok_rag:
- rag_id: custom-org-docs
rag_type: inline::faiss
embedding_model: sentence-transformers//rag-content/embeddings_model
embedding_dimension: 768
vector_db_id: vs_727b6321-1ff4-47bf-a76b-1cc12426c954
db_path: /rag-content/vector_db/custom_docs/faiss_store.db
score_multiplier: 1.0
rag:
tool:
- rhdh-docs
- custom-org-docs

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changes to the config should be defined in https://github.com/redhat-ai-dev/lightspeed-configs/blob/main/lightspeed-core-configs/lightspeed-stack.yaml because we have CI that runs on changes to the file. If they diverge we're going to end up overwriting this content

Rajin Kichannagari and others added 11 commits July 14, 2026 15:19
Add a custom BYOK RAG source using real RHDH team docs (Feature
Exploration, Engineering Workflow, Onboarding) alongside the existing
product docs RAG. Includes a pre-built FAISS vector DB, init container,
custom lightspeed-stack-config ConfigMap with byok_rag entries, and
CI overrides.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
imagePullPolicy was IfNotPresent, causing the node to reuse the
cached image with an empty vector store. Switch to Always.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The lightspeed-rag-init runs last and overwrites /rag-content/vector_db/,
clobbering BYOK data. Fix by staging BYOK data first, then merging it
after the standard rag-content copy completes.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The args override was under a duplicate global.lightspeed that wasn't
being read by the subchart. Move it to the existing global.lightspeed
block so Helm correctly merges it.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The backstage plugin sets vector_store_ids to only product docs,
which filters out BYOK stores from inline RAG. This patch overrides
the filtering to always include all rag.inline stores.
Both BYOK custom-org-docs and the standard product docs vector
store are now queried via inline RAG, ensuring both sources
appear in referenced_documents.
Use rag.tool with rhdh-docs and custom-org-docs so file_search queries
both product docs and BYOK sources. Remove the vector-search-patch
ConfigMap mount since the plugin fix handles this properly now.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants