feat(webui): Add log-ingestor and S3 auth config to deployment templates.

[junhaoliao]

Description

Extracted from the WIP prototype in #2169.

Adds deployment configuration for the log-ingestor service and S3 logs-input AWS credentials across
all deployment targets (Docker Compose, Helm, and the CLP package controller). This is independent
infrastructure that downstream PRs will consume when wiring up S3 ingestion job submission.

Key changes:

• controller.py: Writes LogIngestorHost, LogIngestorPort, LogsInputS3AwsAuthType, and
  LogsInputS3AwsProfile into settings.json. Passes CLP_LOGS_INPUT_AWS_* credentials as
  container env vars when logs-input uses S3 with credential-based auth. LogIngestorHost/Port
  are only published when both log_ingestor is configured AND logs_input.type is S3.
• clp_config.py: Adds LogIngestor.transform_for_container() so the log-ingestor hostname
  resolves to the container service name and port resets to DEFAULT_PORT. Adds
  DEFAULT_PORT: ClassVar[int] = 3002 following the pattern of other model classes.
• configmap.yaml: Adds LogIngestorHost, LogIngestorPort, LogsInputS3AwsAuthType, and
  LogsInputS3AwsProfile to the webui server settings template. LogIngestor* values are gated
  on both log_ingestor being configured and logs_input.type being s3.
• webui-deployment.yaml: Adds a logs_input credentials conditional block (mirrors the
  existing stream_output block) for CLP_LOGS_INPUT_AWS_* env vars.
• docker-compose-all.yaml: Adds CLP_LOGS_INPUT_AWS_ACCESS_KEY_ID and
  CLP_LOGS_INPUT_AWS_SECRET_ACCESS_KEY to the webui service environment.
• env.ts / .env: Declares the two new env vars with empty defaults in the Fastify env plugin.
• Chart.yaml: Bumps chart version to 0.2.1-dev.7.

Checklist

• The PR satisfies the contribution guidelines.
• This is a breaking change and that has been indicated in the PR title, OR this isn't a
  breaking change.
• Necessary docs have been updated, OR no docs need to be updated.

Validation performed

Scenario 1: Python syntax check

Task: Verify the modified Python files have no syntax errors.

Command:

python3 -m py_compile components/clp-package-utils/clp_package_utils/controller.py && echo "OK"
python3 -m py_compile components/clp-py-utils/clp_py_utils/clp_config.py && echo "OK"

Output:

OK
OK

Scenario 2: TypeScript build

Task: Verify the new env vars compile correctly in the Fastify env plugin.

Command:

cd components/webui/server && npm run build

Output:

> clp-webui-server@0.1.0 build
> tsc

(no errors)

Scenario 3: Helm template rendering

Task: Verify the updated Helm templates render correctly with S3 logs-input configuration.

Command:

helm template clp tools/deployment/package-helm/ \
  --set clpConfig.logs_input.type=s3 \
  --set clpConfig.logs_input.aws_authentication.type=credentials \
  --set clpConfig.logs_input.aws_authentication.credentials.access_key_id=TESTKEY \
  --set clpConfig.logs_input.aws_authentication.credentials.secret_access_key=TESTSECRET \
  2>&1 | grep -A2 CLP_LOGS_INPUT

Output:

            - name: "CLP_LOGS_INPUT_AWS_ACCESS_KEY_ID"
              value: "TESTKEY"
            - name: "CLP_LOGS_INPUT_AWS_SECRET_ACCESS_KEY"
              value: "TESTSECRET"

Explanation: The Helm template correctly renders the CLP_LOGS_INPUT_AWS_* env vars from the
values configuration, confirming the conditional block works as expected.

Scenario 4: LogIngestor settings gated on S3 input

Task: Verify LogIngestorHost/Port are null when logs_input.type is not S3.

Command:

helm template clp tools/deployment/package-helm/ \
  --set clpConfig.logs_input.type=fs \
  2>&1 | grep -A1 LogIngestor

Output:

      "LogIngestorHost": null,
      "LogIngestorPort": null,

Explanation: With logs_input.type=fs, the configmap correctly renders null values for
LogIngestor settings even if log_ingestor is configured, preventing the WebUI from advertising
an endpoint for an S3-only flow.

Summary by CodeRabbit

• New Features

  • Added configuration support for log ingestor host and port settings
  • Added AWS S3 credentials configuration for log input (access key ID and secret access key)

• Chores

  • Updated Helm chart version to 0.3.1-dev.1

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 0ef7de47-95f8-4ad8-99f0-63db2ae4ce8e

📥 Commits

Reviewing files that changed from the base of the PR and between 9ab537c and 93497cb.

📒 Files selected for processing (1)

• tools/deployment/package-helm/Chart.yaml

---

Walkthrough

Conditionally configures LogIngestor host/port and S3-based logs input AWS auth/profile in generated WebUI settings, adds environment variables for S3 credentials, exposes them via Fastify config, propagates them through Docker Compose and Helm templates, and adds container-transform behavior for LogIngestor.

Changes

Cohort / File(s)	Summary
Log ingestor & config transform components/clp-py-utils/clp_py_utils/clp_config.py, components/clp-package-utils/clp_package_utils/controller.py	Added LogIngestor.DEFAULT_PORT and LogIngestor.transform_for_container(); ClpConfig.transform_for_container() now invokes it. WebUI settings.json generation conditionally emits LogIngestorHost/LogIngestorPort.
Logs input S3 auth/profile in settings components/clp-package-utils/clp_package_utils/controller.py, tools/deployment/package-helm/templates/configmap.yaml	Settings JSON updated to set LogsInputS3AwsAuthType and LogsInputS3AwsProfile to null for fs inputs, or populate from logs_input.aws_authentication when not fs.
WebUI environment & runtime config components/webui/server/.env, components/webui/server/src/plugins/external/env.ts	Added CLP_LOGS_INPUT_AWS_ACCESS_KEY_ID and CLP_LOGS_INPUT_AWS_SECRET_ACCESS_KEY to .env. Extended Fastify config/schema to include these optional string env vars with default empty values.
Deployment templates & manifests tools/deployment/package-helm/templates/webui-deployment.yaml, tools/deployment/package/docker-compose-all.yaml, tools/deployment/package-helm/Chart.yaml	Helm deployment injects S3 credential env vars when logs_input.type == "s3" and aws_authentication.type == "credentials". Docker Compose forwards CLP_LOGS_INPUT_AWS_*. Chart version bumped.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 75.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main changes: adding log-ingestor and S3 authentication configuration support to deployment templates.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch webui-deploy-log-ingestor-config

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[junhaoliao]

Suggested change

	// S3 Logs Input
	// S3

[junhaoliao]

Suggested change

	# S3 Logs Input
	# S3

[junhaoliao]

add {{/* */}} comments for these two lines

[junhaoliao]

revert this for now

[coderabbitai]

Actionable comments posted: 5

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@components/clp-package-utils/clp_package_utils/controller.py`:
- Around line 797-807: The code is writing LogIngestorHost/Port whenever
log_ingestor exists even if log ingestion was disabled by
_set_up_env_for_log_ingestor(); update the conditional to only set
server_settings_json_updates["LogIngestorHost"] and ["LogIngestorPort"] when a
log_ingestor is configured AND the logs input type is S3 (i.e. check
container_clp_config.logs_input.type == StorageType.S3 or reuse the same enabled
condition used in _set_up_env_for_log_ingestor()); otherwise set both values to
None so the WebUI won't receive a non-functional endpoint. Ensure you reference
self._clp_config.log_ingestor, container_clp_config.log_ingestor,
container_clp_config.logs_input.type and StorageType.S3 in the new condition.
- Around line 1012-1023: The code that builds Docker Compose env vars in
controller.py drops AWS session credentials; when
self._clp_config.logs_input.aws_authentication.type == AwsAuthType.credentials
also check for logs_input_aws_auth.credentials.session_token and add it to
env_vars (e.g., "CLP_LOGS_INPUT_AWS_SESSION_TOKEN":
logs_input_aws_auth.credentials.session_token) alongside the access key and
secret; then propagate this new variable through the corresponding places
mentioned (components/webui/server/.env,
components/webui/server/src/plugins/external/env.ts, and
tools/deployment/package/docker-compose-all.yaml) so the WebUI receives the STS
session token.

In `@components/clp-py-utils/clp_py_utils/clp_config.py`:
- Around line 783-785: transform_for_container currently only rewrites the
LogIngestor host (in method transform_for_container) but leaves an overridden
log_ingestor.port visible to WebUI; update transform_for_container to also reset
the container's port to the container-default by assigning the LogIngestor port
to the constant (e.g., LOG_INGESTOR_PORT) or the literal default (3002) so that
self.port is set to the container listening port when you set self.host =
LOG_INGESTOR_COMPONENT_NAME.

In `@tools/deployment/package-helm/templates/configmap.yaml`:
- Around line 286-292: The LogIngestorHost/Port block is currently shown
whenever .Values.clpConfig.log_ingestor is true even for non-S3 log backends;
change the Helm conditional for the LogIngestorHost and LogIngestorPort
rendering so it only renders when log_ingestor is enabled AND logs_input.type ==
"s3" (use Helm's and and eq functions), i.e. replace the existing {{- if
.Values.clpConfig.log_ingestor }} test around the
"LogIngestorHost"/"LogIngestorPort" keys with {{- if and
.Values.clpConfig.log_ingestor (eq .Values.logs_input.type "s3") }} so the WebUI
won't advertise an ingestor endpoint for non-S3 deployments.

In `@tools/deployment/package-helm/templates/webui-deployment.yaml`:
- Around line 67-75: The template omits the AWS session token so STS temporary
credentials fail; update the helm template block for
.Values.clpConfig.logs_input (the if that checks .type "s3" and
.aws_authentication.type "credentials") to also inject the session token
environment variable (e.g., CLP_LOGS_INPUT_AWS_SESSION_TOKEN) by reading
.aws_authentication.credentials.session_token and quoting it, using the same
conditional scope as the existing CLP_LOGS_INPUT_AWS_ACCESS_KEY_ID and
CLP_LOGS_INPUT_AWS_SECRET_ACCESS_KEY entries.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: b62b054c-dd62-416b-a970-78af6c2b5956

📥 Commits

Reviewing files that changed from the base of the PR and between 7d00951 and d98b781.

📒 Files selected for processing (8)

• components/clp-package-utils/clp_package_utils/controller.py
• components/clp-py-utils/clp_py_utils/clp_config.py
• components/webui/server/.env
• components/webui/server/src/plugins/external/env.ts
• tools/deployment/package-helm/Chart.yaml
• tools/deployment/package-helm/templates/configmap.yaml
• tools/deployment/package-helm/templates/webui-deployment.yaml
• tools/deployment/package/docker-compose-all.yaml

[coderabbitai]

♻️ Duplicate comments (3)

tools/deployment/package-helm/templates/configmap.yaml (1)

286-292: ⚠️ Potential issue | 🟠 Major

Gate LogIngestor* template fields on S3 logs input.

At Line [286], the condition still checks only log_ingestor. This can render an ingestor endpoint in non-S3 deployments.

Proposed fix

-      {{- if .Values.clpConfig.log_ingestor }}
+      {{- if and .Values.clpConfig.log_ingestor (eq .Values.clpConfig.logs_input.type "s3") }}
       "LogIngestorHost": "{{ include "clp.fullname" . }}-log-ingestor",
       "LogIngestorPort": 3002,
       {{- else }}
       "LogIngestorHost": null,
       "LogIngestorPort": null,

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tools/deployment/package-helm/templates/configmap.yaml` around lines 286 -
292, The LogIngestor template currently gates "LogIngestorHost" and
"LogIngestorPort" only on .Values.clpConfig.log_ingestor, which can emit
ingestor endpoints even when logs aren't using S3; update the conditional around
the "LogIngestorHost"/"LogIngestorPort" block so it requires both
.Values.clpConfig.log_ingestor and the S3 logs input flag (e.g.
.Values.logs.input == "s3" or the project’s equivalent .Values.logs.s3.enabled)
before rendering those fields; modify the if in the template that surrounds the
"LogIngestorHost"/"LogIngestorPort" entries to check both conditions.

components/clp-package-utils/clp_package_utils/controller.py (2)

797-807: ⚠️ Potential issue | 🟠 Major

Gate LogIngestorHost/LogIngestorPort on S3 logs input too.

At Line [797], the block still publishes an ingestor endpoint whenever log_ingestor exists, even if logs_input.type is not S3. That advertises a non-existent service path in non-S3 deployments.

Proposed fix

-        if self._clp_config.log_ingestor is not None:
+        if (
+            self._clp_config.log_ingestor is not None
+            and self._clp_config.logs_input.type == StorageType.S3
+        ):
             server_settings_json_updates["LogIngestorHost"] = (
                 container_clp_config.log_ingestor.host
             )
             server_settings_json_updates["LogIngestorPort"] = (
                 container_clp_config.log_ingestor.port
             )
         else:
             server_settings_json_updates["LogIngestorHost"] = None
             server_settings_json_updates["LogIngestorPort"] = None

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@components/clp-package-utils/clp_package_utils/controller.py` around lines
797 - 807, The code currently sets
server_settings_json_updates["LogIngestorHost"/"LogIngestorPort"] whenever
self._clp_config.log_ingestor is present, but it should only advertise those
values for S3-backed logs; update the conditional around the block that writes
to server_settings_json_updates so it checks both that
container_clp_config.log_ingestor is not None and that
container_clp_config.logs_input.type (or equivalent logs_input property) equals
"S3" (or the S3 enum/value used in your config) and only then populate
LogIngestorHost/Port, otherwise set them to None; ensure you reference
container_clp_config.log_ingestor and container_clp_config.logs_input.type when
implementing the check and leave server_settings_json_updates as the target for
updates.

---

1019-1029: ⚠️ Potential issue | 🟠 Major

Do not drop temporary AWS session credentials for logs input.

At Line [1019], credential export still omits session_token. STS-based configs will fail because WebUI won’t receive complete credentials.

Proposed fix

         if self._clp_config.logs_input.type == StorageType.S3:
             logs_input_aws_auth = self._clp_config.logs_input.aws_authentication
             if logs_input_aws_auth.type == AwsAuthType.credentials:
                 env_vars |= {
                     "CLP_LOGS_INPUT_AWS_ACCESS_KEY_ID": (
                         logs_input_aws_auth.credentials.access_key_id
                     ),
                     "CLP_LOGS_INPUT_AWS_SECRET_ACCESS_KEY": (
                         logs_input_aws_auth.credentials.secret_access_key
                     ),
                 }
+                if logs_input_aws_auth.credentials.session_token is not None:
+                    env_vars["CLP_LOGS_INPUT_AWS_SESSION_TOKEN"] = (
+                        logs_input_aws_auth.credentials.session_token
+                    )

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@components/clp-package-utils/clp_package_utils/controller.py` around lines
1019 - 1029, The code handling S3 logs input credentials omits temporary STS
session tokens, causing failures for AwsAuthType.credentials with session-based
creds; update the block that builds env_vars from
self._clp_config.logs_input.aws_authentication (when StorageType.S3 and
AwsAuthType.credentials) to also export the session token if present by adding
the environment variable key (e.g., "CLP_LOGS_INPUT_AWS_SESSION_TOKEN")
populated from logs_input_aws_auth.credentials.session_token so temporary
credentials are passed through to the WebUI alongside access_key_id and
secret_access_key.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@components/clp-package-utils/clp_package_utils/controller.py`:
- Around line 797-807: The code currently sets
server_settings_json_updates["LogIngestorHost"/"LogIngestorPort"] whenever
self._clp_config.log_ingestor is present, but it should only advertise those
values for S3-backed logs; update the conditional around the block that writes
to server_settings_json_updates so it checks both that
container_clp_config.log_ingestor is not None and that
container_clp_config.logs_input.type (or equivalent logs_input property) equals
"S3" (or the S3 enum/value used in your config) and only then populate
LogIngestorHost/Port, otherwise set them to None; ensure you reference
container_clp_config.log_ingestor and container_clp_config.logs_input.type when
implementing the check and leave server_settings_json_updates as the target for
updates.
- Around line 1019-1029: The code handling S3 logs input credentials omits
temporary STS session tokens, causing failures for AwsAuthType.credentials with
session-based creds; update the block that builds env_vars from
self._clp_config.logs_input.aws_authentication (when StorageType.S3 and
AwsAuthType.credentials) to also export the session token if present by adding
the environment variable key (e.g., "CLP_LOGS_INPUT_AWS_SESSION_TOKEN")
populated from logs_input_aws_auth.credentials.session_token so temporary
credentials are passed through to the WebUI alongside access_key_id and
secret_access_key.

In `@tools/deployment/package-helm/templates/configmap.yaml`:
- Around line 286-292: The LogIngestor template currently gates
"LogIngestorHost" and "LogIngestorPort" only on .Values.clpConfig.log_ingestor,
which can emit ingestor endpoints even when logs aren't using S3; update the
conditional around the "LogIngestorHost"/"LogIngestorPort" block so it requires
both .Values.clpConfig.log_ingestor and the S3 logs input flag (e.g.
.Values.logs.input == "s3" or the project’s equivalent .Values.logs.s3.enabled)
before rendering those fields; modify the if in the template that surrounds the
"LogIngestorHost"/"LogIngestorPort" entries to check both conditions.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 60975dec-2c4d-4858-9ea9-34b8fb27ce59

📥 Commits

Reviewing files that changed from the base of the PR and between d98b781 and 9ef3b84.

📒 Files selected for processing (4)

• components/clp-package-utils/clp_package_utils/controller.py
• components/webui/server/.env
• components/webui/server/src/plugins/external/env.ts
• tools/deployment/package-helm/templates/configmap.yaml