Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 1. Configuring and deploying OpenShift Lightspeed

Configure and deploy the OpenShift Lightspeed Service to enable AI-powered assistance in your OpenShift Container Platform cluster.

Note

The instructions assume that you are installing OpenShift Lightspeed using the kubeadmin user account. If you are using a regular user account with cluster-admin privileges, read the section of the documentation that discusses Role-Based Access Control (RBAC).

First, create a credential secret using the credentials for your large language model (LLM) provider. Next, create the OLSConfig custom resource (CR) that the Operator uses to deploy the Service. Finally, verify that the OpenShift Lightspeed Service is operating.

Important

Starting with OpenShift Container Platform 4.19, the perspectives in the web console are unified. The Developer perspective is no longer enabled by default.

All users can interact with all OpenShift Container Platform web console features. However, if you are not the cluster owner, you might need to request permission to certain features from the cluster owner.

You can still enable the Developer perspective. On the Getting Started pane in the web console, you can take a tour of the console, find information on setting up your cluster, view a quick start for enabling the Developer perspective, and follow links to explore new features and capabilities.

Use the OpenShift Container Platform web console to store the API token that OpenShift Lightspeed uses to authenticate with the large language model (LLM) provider.

As another option, Microsoft Azure also supports authentication by using Microsoft Entra ID.

Prerequisites

  • You have logged in to the OpenShift Container Platform web console as a user with the cluster-admin role. As another option, you can log in to a user account that has permission to create a secret to store the Provider tokens.
  • You have installed the OpenShift Lightspeed Operator.

Procedure

  1. Click the Quick create ( fa plus circle ) menu in the upper-right corner of the OpenShift web console and select Import YAML.

  2. Paste the YAML content for your LLM provider into the text area of the web console.

    Note

    The YAML parameter is always apitoken regardless of what the LLM provider calls the access details.

    1. Use the following example to create the Secret to provide OpenShift Lightspeed with the OpenAI API key. 

      apiVersion: v1
kind: Secret
metadata:
  name: openai
  namespace: openshift-lightspeed
type: Opaque
stringData:
  apitoken: <api_token>
      Copy to Clipboard Toggle word wrap
      • stringData.apitoken represents the API token, and is not base64 encoded.

    2. Use the following example to create the Secret to provide OpenShift Lightspeed with the Red Hat Enterprise Linux AI key. 

      apiVersion: v1
stringData:
  apitoken: <api_token>
kind: Secret
metadata:
  name: rhelai-api-keys
  namespace: openshift-lightspeed
type: Opaque
      Copy to Clipboard Toggle word wrap
      • stringData.apitoken represents the API token. The token must be base64 encoded when stored in a secret.

    3. Use the following example to create the Secret to provide OpenShift Lightspeed with the Red Hat OpenShift AI key. 

      apiVersion: v1
kind: Secret
metadata:
  name: rhoai-api-keys
  namespace: openshift-lightspeed
type: Opaque
stringData:
  apitoken: <api_token>
      Copy to Clipboard Toggle word wrap
      • stringData.apitoken represents the API token. The token must be base64 encoded when stored in a secret.

    4. Use the following example to create the Secret to provide OpenShift Lightspeed with the IBM watsonx key. 

      apiVersion: v1
kind: Secret
metadata:
  name: watsonx-api-keys
  namespace: openshift-lightspeed
type: Opaque
stringData:
  apitoken: <api_token>
      Copy to Clipboard Toggle word wrap
      • stringData.apitoken represents the API token. The token must be base64 encoded when stored in a secret.

    5. Use the following example to create the Secret to provide OpenShift Lightspeed with the Microsoft Azure OpenAI key. 

      apiVersion: v1
kind: Secret
metadata:
  name: azure-api-keys
  namespace: openshift-lightspeed
type: Opaque
stringData:
  apitoken: <api_token>
      Copy to Clipboard Toggle word wrap
      • stringData.apitoken represents the API token. The token must be base64 encoded when stored in a secret.

    6. Optional: As another option with Microsoft Azure OpenAI you can use Microsoft Entra ID to authenticate your LLM provider. Microsoft Entra ID users must configure the required roles for their Microsoft Azure OpenAI resource. For more information, see the official Microsoft Cognitive Services OpenAI Contributor(Microsoft Azure OpenAI Service documentation). Use the following example to authenticate by using Microsoft Entra ID. 

      apiVersion: v1
data:
  client_id: <base64_encoded_client_id>
  client_secret: <base64_encoded_client_secret>
  tenant_id: <base64_encoded_tenant_id>
kind: Secret
metadata:
  name: azure-api-keys
  namespace: openshift-lightspeed
type: Opaque
      Copy to Clipboard Toggle word wrap
      • data.apitoken represents the API token. The token must be base64 encoded when stored in a secret.
  3. Click Create.

Use the OpenShift Container Platform web console to create the custom resource (CR) file required to deploy OpenShift Lightspeed.

The specific content of the CR file is unique for each large language model (LLM) provider. Choose the configuration file for the LLM provider that you are using.

Prerequisites

  • You have logged in to the OpenShift Container Platform web console as a user with the cluster-admin role. As another option, you have logged in to a user account that has permission to create a cluster-scoped CR file.
  • You have an LLM provider available for use with the OpenShift Lightspeed Service.
  • You have installed the OpenShift Lightspeed Operator.

Procedure

  1. Click the Quick create ( fa plus circle ) menu in the upper-right corner of the OpenShift web console and select Import YAML.

  2. Paste the YAML content for your LLM provider into the text area of the web console.

    1. Use the following example to create the OLSConfig CR to configure OpenShift Lightspeed with your OpenAI provider: 

      apiVersion: ols.openshift.io/v1alpha1
kind: OLSConfig
metadata:
  name: cluster
spec:
  llm:
    providers:
      - name: myOpenai
        type: openai
        credentialsSecretRef:
          name: credentials
        url: https://api.openai.com/v1
        models:
          - name: <model_name>
  ols:
    hideIcon: true
    defaultModel: <model_name>
    defaultProvider: myOpenai
      Copy to Clipboard Toggle word wrap
      • spec.ols.hideIcon specifies whether to hide the OpenShift Lightspeed icon in the OpenShift Container Platform web console. The default value is false. Set this field to true to hide the icon from users, such as those who do not have access to the OpenShift Lightspeed API.

    2. Use the following example to create the OLSConfig CR to configure OpenShift Lightspeed with your Red Hat Enterprise Linux AI provider: 

      apiVersion: ols.openshift.io/v1alpha1
kind: OLSConfig
metadata:
  name: cluster
spec:
  llm:
    providers:
    - credentialsSecretRef:
        name: rhelai-api-keys
      models:
      - name: models/<model_name>
      name: rhelai
      type: rhelai_vllm
      url: <url>
  ols:
    hideIcon: true
    defaultProvider: rhelai
    defaultModel: models/<model_name>
      Copy to Clipboard Toggle word wrap
      • spec.llm.providers.credentialsSecretRef.name specifies the name of the Secret that has the API key for the provider. By default, the Red Hat Enterprise Linux AI API key requires a token as part of the request. If your Red Hat Enterprise Linux AI endpoint does not require a token, you must still set the token value to any valid string for the request to authenticate.
      • spec.llm.providers.url specifies the URL endpoint for the provider. The URL must end with v1 to be valid. For example, https://3.23.103.8:8000/v1.
      • spec.ols.hideIcon specifies whether to hide the OpenShift Lightspeed icon in the OpenShift Container Platform web console. The default value is false. Set this field to true to hide the icon from users, such as those who do not have access to the OpenShift Lightspeed API.

    3. Use the following example to create the OLSConfig CR to configure OpenShift Lightspeed with your Red Hat OpenShift AI provider: 

      apiVersion: ols.openshift.io/v1alpha1
kind: OLSConfig
metadata:
  name: cluster
spec:
  llm:
    providers:
    - credentialsSecretRef:
        name: rhoai-api-keys
      models:
      - name: <model_name>
      name: red_hat_openshift_ai
      type: rhoai_vllm
      url: <url>
  ols:
    hideIcon: true
    defaultProvider: red_hat_openshift_ai
    defaultModel: <model_name>
      Copy to Clipboard Toggle word wrap
      • spec.llm.providers.credentialsSecretRef.name specifies the name of the Secret that has the API key for the provider. If your provider configuration does not require a token, you must still provide a Secret containing a valid string for the request to authenticate.
      • spec.llm.providers.url specifies the URL endpoint for the provider. The URL must end with v1 to be valid. For example, https://<model_name>.<domain_name>.com:443/v1.
      • spec.ols.hideIcon specifies whether to hide the OpenShift Lightspeed icon in the OpenShift Container Platform web console. The default value is false. Set this field to true to hide the icon from users, such as those who do not have access to the OpenShift Lightspeed API.

    4. Use the following example to create the OLSConfig CR to configure OpenShift Lightspeed with your Microsoft Azure OpenAI provider: 

      apiVersion: ols.openshift.io/v1alpha1
kind: OLSConfig
metadata:
  name: cluster
spec:
  llm:
    providers:
      - credentialsSecretRef:
          name: azure-api-keys
        apiVersion: <api_version_for_azure_model>
        deploymentName: <azure_ai_deployment_name>
        models:
        - name: <model_name>
        name: myAzure
        type: azure_openai
        url: <azure_ai_deployment_url>
  ols:
    hideIcon: true
    defaultModel: <model_name>
    defaultProvider: myAzure
      Copy to Clipboard Toggle word wrap
      • spec.ols.hideIcon specifies whether to hide the OpenShift Lightspeed icon in the OpenShift Container Platform web console. The default value is false. Set this field to true to hide the icon from users, such as those who do not have access to the OpenShift Lightspeed API.

    5. Use the following example to create the OLSConfig CR to configure OpenShift Lightspeed with your IBM watsonx provider: 

      apiVersion: ols.openshift.io/v1alpha1
kind: OLSConfig
metadata:
  name: cluster
spec:
  llm:
    providers:
      - name: myWatsonx
        type: watsonx
        credentialsSecretRef:
          name: watsonx-api-keys
        url: <ibm_watsonx_deployment_name>
        projectID: <ibm_watsonx_project_id>
        models:
          - name: ibm/<model_name>
  ols:
    hideIcon: true
    defaultModel: ibm/<model_name>
    defaultProvider: myWatsonx
      Copy to Clipboard Toggle word wrap
      • spec.ols.hideIcon specifies whether to hide the OpenShift Lightspeed icon in the OpenShift Container Platform web console. The default value is false. Set this field to true to hide the icon from users, such as those who do not have access to the OpenShift Lightspeed API.
  3. Click Create.

1.2.1. Configuring custom TLS certificates
Copy link

Use the OpenShift Container Platform web console to configure custom TLS certificates for secure communication between OpenShift Lightspeed and your service endpoints.

Prerequisites

  • You have logged in to the OpenShift Container Platform web console as a user with the cluster-admin role. As another option, you have logged in to a user account that has permission to create or edit the OLSConfig custom resource (CR).
  • You have a large language model (LLM) provider.
  • You have installed the OpenShift Lightspeed Operator.
  • You have created the credentials secret and the OLSconfig CR.

Procedure

  1. In the OpenShift Container Platform web console, click Operators Installed Operators.
  2. Select All Projects in the Project dropdown at the top of the screen.
  3. Click OpenShift Lightspeed Operator.
  4. Click OLSConfig, then click the cluster configuration instance in the list.
  5. Click the YAML tab.

  6. Update the OLSconfig CR to contain the file that has the TLS secret. 

    apiVersion: ols.openshift.io/v1alpha1
kind: OLSConfig
metadata:
  name: cluster
spec:
  ols:
    tlsConfig:
      keyCertSecretRef:
        name: <lightspeed_tls>
---
apiVersion: v1
data:
  tls.crt: LS0tLS1CRUd...
  tls.key: LS0tLS1CRUd...
kind: Secret
metadata:
  name: <lightspeed_tls>
  namespace: <openshift_lightspeed>
    Copy to Clipboard Toggle word wrap
    • spec.ols.tlsConfig.keyCertSecretRef.name specifies the secret that has the tls.crt and tls.key file.
    • apiVersion.data.tls specifies that the name of the certificate must be tls.crt and the name of the key must be tls.key.
  7. Click Save.

Verification

  1. Verify that a new pod exists in the lightspeed-app-server deployment by running the following command: 

    $ oc get pod -n openshift-lightspeed
    Copy to Clipboard Toggle word wrap

Use the command line interface to store the API token that OpenShift Lightspeed uses to authenticate with the large language model (LLM) provider.

Alternatively, Microsoft Azure also supports authentication using Microsoft Entra ID.

Prerequisites

  • You have access to the OpenShift CLI (oc) as a user with the cluster-admin role. Alternatively, you are logged in to a user account that has permission to create a secret to store the Provider tokens.
  • You have installed the OpenShift Lightspeed Operator.

Procedure

  1. Create a YAML file that has the credential secret for the LLM provider that you are using.

    Note

    The YAML parameter is always apitoken regardless of what the LLM provider calls the access details.

    1. Use the following example to create the Secret to provide OpenShift Lightspeed with the OpenAI API key. 

      apiVersion: v1
kind: Secret
metadata:
  name: openai
  namespace: openshift-lightspeed
type: Opaque
stringData:
  apitoken: <api_token>
      Copy to Clipboard Toggle word wrap
      • stringData.apitoken represents the API token. The token must be base64 encoded when stored in a secret.

    2. Use the following example to create the Secret to provide OpenShift Lightspeed with the Red Hat OpenShift AI key. 

      apiVersion: v1
kind: Secret
metadata:
  name: rhoai-api-keys
  namespace: openshift-lightspeed
type: Opaque
stringData:
  apitoken: <api_token>
      Copy to Clipboard Toggle word wrap
      • stringData.apitoken represents the API token. The token must be base64 encoded when stored in a secret.

    3. Use the following example to create the Secret to provide OpenShift Lightspeed with the IBM watsonx key. 

      apiVersion: v1
kind: Secret
metadata:
  name: watsonx-api-keys
  namespace: openshift-lightspeed
type: Opaque
stringData:
  apitoken: <api_token>
      Copy to Clipboard Toggle word wrap
      • stringData.apitoken represents the API token. The token must be base64 encoded when stored in a secret.

    4. Use the following example to create the Secret to provide OpenShift Lightspeed with the Microsoft Azure OpenAI key. 

      apiVersion: v1
kind: Secret
metadata:
  name: azure-api-keys
  namespace: openshift-lightspeed
type: Opaque
stringData:
  apitoken: <api_token>
      Copy to Clipboard Toggle word wrap
      • stringData.apitoken represents the API token. The token must be base64 encoded when stored in a secret.

    5. Optional: As another option with Microsoft Azure OpenAI you can use Microsoft Entra ID to authenticate your LLM provider. Microsoft Entra ID users must configure the required roles for their Microsoft Azure OpenAI resource. For more information, see the official Microsoft Cognitive Services OpenAI Contributor(Microsoft Azure OpenAI Service documentation). Use the following example to authenticate by using Microsoft Entra ID. 

      apiVersion: v1
data:
  client_id: <base64_encoded_client_id>
  client_secret: <base64_encoded_client_secret>
  tenant_id: <base64_encoded_tenant_id>
kind: Secret
metadata:
  name: azure-api-keys
  namespace: openshift-lightspeed
type: Opaque
      Copy to Clipboard Toggle word wrap
      • data.apitoken represents the API token. The token must be base64 encoded when stored in a secret.

  2. Create the Secret by running the following command: 

    $ oc create -f /path/to/secret.yaml
    Copy to Clipboard Toggle word wrap

Use the command line interface to create the custom resource (CR) file required to deploy OpenShift Lightspeed.

The specific content of the CR file is unique for each large language model (LLM) provider. Choose the configuration file for the LLM provider that you are using.

Prerequisites

  • You have access to the OpenShift CLI (oc) and have logged in as a user with the cluster-admin role. As another option, you have logged in to a user account that has permission to create a cluster-scoped CR file.
  • You have an LLM provider available for use with the OpenShift Lightspeed Service.
  • You have installed the OpenShift Lightspeed Operator.

Procedure

  1. Create an OLSConfig file that has the YAML content for the LLM provider you use.

    1. Use the following example to create the OLSConfig CR to configure OpenShift Lightspeed with your OpenAI provider: 

      apiVersion: ols.openshift.io/v1alpha1
kind: OLSConfig
metadata:
  name: cluster
spec:
  llm:
    providers:
      - name: myOpenai
        type: openai
        credentialsSecretRef:
          name: credentials
        url: https://api.openai.com/v1
        models:
          - name: <model_name>
  ols:
    hideIcon: true
    defaultModel: <model_name>
    defaultProvider: myOpenai
      Copy to Clipboard Toggle word wrap
      • spec.ols.hideIcon specifies whether to hide the OpenShift Lightspeed icon in the OpenShift Container Platform web console. The default value is false. Set this field to true to hide the icon from users, such as those who do not have access to the OpenShift Lightspeed API.

    2. Use the following example to create the OLSConfig CR to configure OpenShift Lightspeed with your Red Hat Enterprise Linux AI provider: 

      apiVersion: ols.openshift.io/v1alpha1
kind: OLSConfig
metadata:
  name: cluster
spec:
  llm:
    providers:
    - credentialsSecretRef:
        name: rhelai-api-keys
      models:
      - name: models/<model_name>
      name: rhelai
      type: rhelai_vllm
      url: <url>
  ols:
    hideIcon: true
    defaultProvider: rhelai
    defaultModel: models/<model_name>
      Copy to Clipboard Toggle word wrap
      • spec.llm.providers.credentialsSecretRef.name specifies the name of the Secret that has the API key for the provider. By default, the Red Hat Enterprise Linux AI API key requires a token as part of the request. If your Red Hat Enterprise Linux AI endpoint does not require a token, you must still set the token value to any valid string for the request to authenticate.
      • spec.llm.providers.url specifies the URL endpoint for the provider. The URL must end with v1 to be valid. For example, https://3.23.103.8:8000/v1.
      • spec.ols.hideIcon specifies whether to hide the OpenShift Lightspeed icon in the OpenShift Container Platform web console. The default value is false. Set this field to true to hide the icon from users, such as those who do not have access to the OpenShift Lightspeed API.

    3. Use the following example to create the OLSConfig CR to configure OpenShift Lightspeed with your Red Hat OpenShift AI provider: 

      apiVersion: ols.openshift.io/v1alpha1
kind: OLSConfig
metadata:
  name: cluster
spec:
  llm:
    providers:
    - credentialsSecretRef:
        name: rhoai-api-keys
      models:
      - name: <model_name>
      name: red_hat_openshift_ai
      type: rhoai_vllm
      url: <url>
  ols:
    hideIcon: true
    defaultProvider: red_hat_openshift_ai
    defaultModel: <model_name>
      Copy to Clipboard Toggle word wrap
      • spec.llm.providers.credentialsSecretRef.name specifies the name of the Secret that has the API key for the provider. By default, the Red Hat OpenShift AI API key requires a token as part of the request. If your Red Hat OpenShift AI endpoint does not require a token, you must still set the token value to any valid string for the request to authenticate.
      • spec.llm.providers.url specifies the URL endpoint for the provider. The URL must end with v1 to be valid. For example, https://<model_name>.<domain_name>.com:443/v1.
      • spec.ols.hideIcon specifies whether to hide the OpenShift Lightspeed icon in the OpenShift Container Platform web console. The default value is false. Set this field to true to hide the icon from users, such as those who do not have access to the OpenShift Lightspeed API.

    4. Use the following example to create the OLSConfig CR to configure OpenShift Lightspeed with your Microsoft Azure OpenAI provider: 

      apiVersion: ols.openshift.io/v1alpha1
kind: OLSConfig
metadata:
  name: cluster
spec:
  llm:
    providers:
      - credentialsSecretRef:
          name: azure-api-keys
        apiVersion: <api_version_for_azure_model>
        deploymentName: <azure_ai_deployment_name>
        models:
        - name: <model_name>
        name: myAzure
        type: azure_openai
        url: <azure_ai_deployment_url>
  ols:
    hideIcon: true
    defaultModel: <model_name>
    defaultProvider: myAzure
      Copy to Clipboard Toggle word wrap
      • spec.ols.hideIcon specifies whether to hide the OpenShift Lightspeed icon in the OpenShift Container Platform web console. The default value is false. Set this field to true to hide the icon from users, such as those who do not have access to the OpenShift Lightspeed API.

    5. Use the following example to create the OLSConfig CR to configure OpenShift Lightspeed with your IBM watsonx provider: 

      apiVersion: ols.openshift.io/v1alpha1
kind: OLSConfig
metadata:
  name: cluster
spec:
  llm:
    providers:
      - name: myWatsonx
        type: watsonx
        credentialsSecretRef:
          name: watsonx-api-keys
        url: <ibm_watsonx_deployment_name>
        projectID: <ibm_watsonx_project_id>
        models:
          - name: ibm/<model_name>
  ols:
    hideIcon: true
    defaultModel: ibm/<model_name>
    defaultProvider: myWatsonx
      Copy to Clipboard Toggle word wrap
      • spec.ols.hideIcon specifies whether to hide the OpenShift Lightspeed icon in the OpenShift Container Platform web console. The default value is false. Set this field to true to hide the icon from users, such as those who do not have access to the OpenShift Lightspeed API.

  2. Run the following command so that the Operator deploys OpenShift Lightspeed using the information in the YAML configuration file. 

    $ oc create -f /path/to/config-cr.yaml
    Copy to Clipboard Toggle word wrap

Use the OpenShift Container Platform web console to configure custom TLS certificates for secure communication between OpenShift Lightspeed and your service endpoints.

The OpenShift Lightspeed Service supports adding trusted-ca certificates for the following LLM providers:

  • Red Hat Enterprise Linux AI vLLM
  • Red Hat OpenShift AI vLLM
  • OpenAI
  • Microsoft Azure OpenAI

To add a trusted-ca certificate you must create a ConfigMap object that has the certificates. Then, add the name of the object to the OLSConfig custom resource (CR) file as shown in the following example: 

ols:
  additionalCAConfigMapRef:
    name: <config_map_name>
Copy to Clipboard Toggle word wrap

Use the OpenShift Container Platform web console to configure a trusted CA certificate for secure communication between OpenShift Lightspeed and your large language model (LLM) provider.

Note

If the LLM provider you are using requires a trusted-ca certificate to authenticate the OpenShift Lightspeed Service you must perform this procedure. If the LLM provider does not require a trusted-ca certificate to authenticate the Service, you should skip this procedure.

Procedure

  1. Copy the contents of the certificate file and paste it into a file called caCertFileName.

  2. Create a ConfigMap object called trusted-certs by running the following command: 

    $ oc create configmap trusted-certs --from-file=caCertFileName --namespace openshift-lightspeed
    Copy to Clipboard Toggle word wrap

    This command returns an output similar to the following example: 

    kind: ConfigMap
apiVersion: v1
metadata:
  name: trusted-certs
  namespace: openshift-lightspeed
data:
  caCertFileName: |
    -----BEGIN CERTIFICATE-----
    .
    .
    .
    -----END CERTIFICATE-----
    Copy to Clipboard Toggle word wrap
    • data.caCertFileName specifies the CA certificates required to connect to your LLM provider. You can include one or more certificates within this block to ensure secure communication.

  3. Update the OLSConfig custom resource (CR) file to include the name of the ConfigMap object you just created. The following example uses Red Hat Enterprise Linux AI as the LLM provider. 

    apiVersion: ols.openshift.io/v1alpha1
kind: OLSConfig
metadata:
  name: cluster
spec:
  ols:
    defaultProvider: rhelai
    defaultModel: models/<model_name>
    additionalCAConfigMapRef:
      name: trusted-certs
    Copy to Clipboard Toggle word wrap
    • spec.ols.additionalCAConfigMapRef.name specifies the name of ConfigMap object.

  4. Create the custom CR by running the following command: 

    $ oc apply -f <olfconfig_cr_filename>
    Copy to Clipboard Toggle word wrap

1.5. Verifying the OpenShift Lightspeed deployment
Copy link

Use the OpenShift Container Platform web console to verify that the OpenShift Lightspeed Service is running and deployed.

Important

Starting with OpenShift Container Platform 4.19, the perspectives in the web console are unified. The Developer perspective is no longer enabled by default.

All users can interact with all OpenShift Container Platform web console features. However, if you are not the cluster owner, you might need to request permission to certain features from the cluster owner.

You can still enable the Developer perspective. On the Getting Started pane in the web console, you can take a tour of the console, find information on setting up your cluster, view a quick start for enabling the Developer perspective, and follow links to explore new features and capabilities.

Prerequisites

  • You have logged in to the OpenShift Container Platform web console as a user with the cluster-admin role.
  • You have access to the OpenShift CLI (oc).
  • You have installed the OpenShift Lightspeed Operator.
  • You have created the credentials secret and the OLSConfig Custom Resource configuration file.

Procedure

  1. In the OpenShift Container Platform web console, click the Project drop-down list.

    Note

    For OpenShift Container Platform 4.18 and earlier, select the Developer perspective from the drop-down list at the top of the pane to access the Project drop-down list.

  2. Enable the toggle switch to show default projects.
  3. Select openshift-lightspeed from the list.

  4. Verify that the OpenShift Lightspeed is ready by running the following command: 

    $ oc logs deployment/lightspeed-app-server -c lightspeed-service-api -n openshift-lightspeed | grep Uvicorn
    Copy to Clipboard Toggle word wrap

    Example output

    INFO: 	Uvicorn running on https://0.0.0.0:8443 (Press CTRL+C to quit)
    Copy to Clipboard Toggle word wrap

Use role-based access control (RBAC) to manage system security by assigning permissions to specific roles rather than individual users.

OpenShift Lightspeed RBAC is binary. By default, not all cluster users have access to the OpenShift Lightspeed interface. Only users with administrative rights can grant access. All users of an OpenShift cluster with OpenShift Lightspeed installed can see the OpenShift Lightspeed button; however, only users with permissions can submit questions to OpenShift Lightspeed.

If you want to evaluate the RBAC features of OpenShift Lightspeed, your cluster will need users other than the kubeadmin account. The kubeadmin account always has access to OpenShift Lightspeed.

1.6.1. Granting a user access by using the CLI
Copy link

Grant OpenShift Lightspeed permissions to an individual user by running a single oc adm command to apply the query-access role immediately.

Prerequisites

  • You have logged in to the OpenShift Container Platform web console as a user with the cluster-admin role. As another option, you have logged in as a user with the ability to grant permissions.
  • You have deployed the OpenShift Lightspeed service.
  • You have access to the OpenShift CLI (oc).

Procedure

  • Grant the lightspeed-operator-query-access role to a user. Enter the actual user name in place of <user_name> when running the following command: 

    $ oc adm policy add-cluster-role-to-user \
    lightspeed-operator-query-access <user_name>
    Copy to Clipboard Toggle word wrap

Verification

  • Verify that the user has been successfully added to the cluster role binding by running the following command: 

    $ oc get clusterrolebinding lightspeed-operator-query-access
    Copy to Clipboard Toggle word wrap

Grant OpenShift Lightspeed permissions to an individual user by creating and applying a ClusterRoleBinding YAML file for reproducible access management.

Prerequisites

  • You have logged in to the OpenShift Container Platform web console as a user with the cluster-admin role. As another option, you have logged in as a user with the ability to grant permissions.
  • You have deployed the OpenShift Lightspeed service.
  • You have access to the OpenShift CLI (oc).

Procedure

  1. Generate a YAML configuration file for the cluster role binding. Enter the actual user name in place of <user_name> when running the following command: 

    $ oc adm policy add-cluster-role-to-user lightspeed-operator-query-access <user_name> -o yaml --dry-run
    Copy to Clipboard Toggle word wrap

  2. Apply the generated configuration file to the cluster: 

    $ oc apply -f ols-user-access.yaml
    Copy to Clipboard Toggle word wrap

Verification

  1. Verify the creation of the ClusterRoleBinding by running the following command: 

    $ oc get clusterrolebinding lightspeed-operator-query-access
    Copy to Clipboard Toggle word wrap

  2. Inspect the YAML configuration and ensure that it lists the correct user in the subjects section by running the following command: 

    $ oc get clusterrolebinding lightspeed-operator-query-access -o yaml
    Copy to Clipboard Toggle word wrap

    This command returns an output similar to the following example: 

    apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: null
  name: lightspeed-operator-query-access
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: lightspeed-operator-query-access
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: <user_name>
    Copy to Clipboard Toggle word wrap

Enable a user group to use the OpenShift Lightspeed Service by running a single command to apply cluster permissions immediately.

If your cluster has more advanced identity management configured, including user groups, you can grant all users of a specific group access to the OpenShift Lightspeed Service.

Prerequisites

  • You have logged in to the OpenShift Container Platform web console as a user with the cluster-admin role. As another option, you have logged in as a user with the ability to grant permissions.
  • You have deployed the OpenShift Lightspeed Service.
  • You have access to the OpenShift CLI (oc).

Procedure

  1. Grant the lightspeed-operator-query-access role to your user group by running the following command. Replace <group_name> with the actual name of the user group in your cluster. 

    $ oc adm policy add-cluster-role-to-group \
lightspeed-operator-query-access <group_name>
    Copy to Clipboard Toggle word wrap

  2. Optional: Verify that the role binding contains the user group by running the following command: 

    $ oc get clusterrolebinding lightspeed-operator-query-access -o wide
    Copy to Clipboard Toggle word wrap

Grant multiple users access to the OpenShift Lightspeed Service by applying a YAML configuration file.

If your cluster has more advanced identity management configured, including user groups, you can grant all users of a specific group access to the OpenShift Lightspeed Service.

Prerequisites

  • You have logged in to the OpenShift Container Platform web console as a user with the cluster-admin role. As another option, you have logged in as a user with the ability to grant permissions.
  • You have deployed the OpenShift Lightspeed Service.
  • You have access to the OpenShift CLI (oc).

Procedure

  1. Generate the YAML configuration by running the following command: 

    $ oc adm policy add-cluster-role-to-group lightspeed-operator-query-access <group_name> -o yaml --dry-run > access-policy.yaml
    Copy to Clipboard Toggle word wrap

  2. Open the access-policy.yaml file and verify the subjects section contains the correct group name: 

    apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: null
  name: lightspeed-operator-query-access
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: lightspeed-operator-query-access
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: <user_group>
    Copy to Clipboard Toggle word wrap
    • subjects.name specifies the name of the user group you are granting access to.

  3. Apply the configuration file to the cluster by running the following command: 

    $ oc create -f access-policy.yaml
    Copy to Clipboard Toggle word wrap

1.7. Filtering and redacting information
Copy link

Configure sensitive data filtering in OpenShift Lightspeed to redact private information before sending it to the large language model (LLM) provider.

Note

You should test your regular expressions against sample data to confirm that they identify the information you want to filter or redact, and that they do not identify information you want to send to the LLM. There are several third-party websites that you can use to test your regular expressions. When using third-party sites, you should practice caution with regards to sharing your private data. As another option, you can test the regular expressions locally using Python. In Python, it is possible to design very computationally-expensive regular expressions. Using several complex expressions as query filters can adversely impact the performance of OpenShift Lightspeed.

This example shows how to update the OLSConfig custom resource (CR) file to redact IP addresses, but you can also filter or redact other types of sensitive information.

Note

If you configure filtering or redacting in the OLSConfig CR file, and you configure introspectionEnabled to enable a Model Context Protocol (MCP) server, any content that the tools return is not filtered and is visible to the LLM.

Prerequisites

  • You have logged in to the OpenShift Container Platform web console as a user with the cluster-admin role.
  • You have access to the OpenShift CLI (oc).
  • You have installed the OpenShift Lightspeed Operator and deployed the OpenShift Lightspeed service.

Procedure

  1. Update the OLSConfig CR file and create an entry for each regular expression to filter. The following example redacts IP addresses: 

    spec:
  ols:
    queryFilters:
      - name: ip-address
        pattern: '((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}'
        replaceWith: <IP_ADDRESS>
    Copy to Clipboard Toggle word wrap

  2. Run the following command to apply the modified OpenShift Lightspeed custom configuration: 

    $ oc apply -f OLSConfig.yaml
    Copy to Clipboard Toggle word wrap

1.8. About the BYO Knowledge tool
Copy link

Enhance OpenShift Lightspeed responses by using the BYO Knowledge tool to create a retrieval-augmented generation (RAG) database that includes documentation specific to your organization.

When you create a RAG database, you customize the OpenShift Lightspeed service for your environment. For example, a network administrator can use a standard operating procedure (SOP) to provision an OpenShift Container Platform cluster. Then, the network administrator can use the BYO Knowledge tool to enhance the knowledge available to the LLM by including information from the SOP.

To bring your own knowledge to an LLM, you complete the following steps:

  • Create the custom content in Markdown format.
  • Use the BYO Knowledge tool to package the content as a container image.
  • Push the container image to an image registry, such as quay.io.
  • Update the OLSConfig custom resource file to list the image that you pushed to the image registry.

  • Access the OpenShift Lightspeed virtual assistant and submit a question associated with the custom knowledge that you made available to the LLM.

    Note

    When you use the BYO Knowledge tool, you provide documents directly to the LLM provider.

OpenShift Lightspeed supports automatic updates of BYO Knowledge images that use floating tags, such as latest. If over time a BYO Knowledge image tag points to different underlying images, OpenShift Lightspeed detects those changes and updates the corresponding BYO Knowledge database accordingly. This feature uses OpenShift ImageStream objects. OpenShift Container Platform clusters check for updates to ImageStream objects every 15 minutes.

1.8.1. About document title and URL
Copy link

Display the source titles and URLs OpenShift Lightspeed uses to verify the accuracy of generated responses and access the original documentation for additional context.

In the retrieval-augmented generation (RAG) database, titles and URLs accompany documents as metadata. The BYO Knowledge tool obtains the title and URL attributes from metadata if they reside in the Markdown files that the tool processes. 

---
title: "Introduction to Layers {#gimp-concepts-layers}"
url: "https://docs.gimp.org/3.0/en/gimp-using-layers.html"
---

# Introduction to Layers
...
Copy to Clipboard Toggle word wrap

If a Markdown file does not have metadata with the title and url attributes, the first top-level Markdown heading, for example # Introduction to Layers, becomes the title and the file path becomes the URL.

1.8.2. Providing custom knowledge to the LLM
Copy link

Customize the information available to the large language model (LLM) by providing access to a container image that resides in a remote image registry.

The container image that the tool generates contains a custom RAG database. The RAG database provides additional information to the LLM.

The examples in this procedure use quay.io as the remote container image registry, and the path for the custom image is quay.io/<username>/my-byok-image:latest.

Important

The BYO Knowledge tool is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

Prerequisites

  • You have logged in to the OpenShift Container Platform web console as a user account that has permission to create a cluster-scoped custom resource (CR) file, such as a user with the cluster-admin role.
  • You have an LLM provider available for use with the OpenShift Lightspeed Service.
  • You have installed the OpenShift Lightspeed Operator.
  • Your custom information consists of Markdown files with .md extensions. The tool does not support other file formats.
  • You have logged in to registry.redhat.io by using Podman.
  • You have an account for a container image registry, such as quay.io.

Procedure

  1. Specify the location of the directory with the Markdown files for the retrieval-augmented generation (RAG) database and the path for the image that the BYO Knowledge tool generates by running the following command: 

    $ podman run -it --rm --device=/dev/fuse \
  -v $XDG_RUNTIME_DIR/containers/auth.json:/run/user/0/containers/auth.json:Z \
  -v <dir_tree_with_markdown_files>:/markdown:Z \
  -v <dir_for_image_tar>:/output:Z \
  registry.redhat.io/openshift-lightspeed-tech-preview/lightspeed-rag-tool-rhel9:latest
    Copy to Clipboard Toggle word wrap

  2. Load the container image that the BYO Knowledge tool generated by running the following command: 

    $ podman load < <directory_for_image_tar>/<my-byok-image.tar>
    Copy to Clipboard Toggle word wrap

  3. Display the Podman images that are on your local computer by running the following command: 

    $ podman images
    Copy to Clipboard Toggle word wrap

    This command returns an output similar to the following example: 

    REPOSITORY                            TAG                IMAGE ID      CREATED       SIZE
localhost/my-byok-image               latest             be7d1770bf10  1 minute  ago    2.37 GB
...
    Copy to Clipboard Toggle word wrap

  4. Tag the local image with a name and destination so that you can push the image to the container image registry by running the following command: 

    $ podman tag localhost/my-byok-image:latest quay.io/<username>/my-byok-image:latest
    Copy to Clipboard Toggle word wrap

  5. Push the local container image to the container image registry by running the following command: 

    $ podman push quay.io/<username>/my-byok-image:latest
    Copy to Clipboard Toggle word wrap

  6. Update the OLSconfig CR to deploy the newly created RAG database alongside the existing one:

    1. In the OpenShift Container Platform web console, click Operators Installed Operators.
    2. Select All Projects in the Project dropdown at the top of the screen.
    3. Click OpenShift Lightspeed Operator.
    4. Click OLSConfig, then click the cluster configuration instance in the list.
    5. Click the YAML tab.

    6. Insert the spec.ols.rag YAML code: 

      apiVersion: ols.openshift.io/v1alpha1
kind: OLSConfig
metadata:
  name: cluster
spec:
  ols:
    rag:
      - image: quay.io/<username>/my-byok-image:latest
      Copy to Clipboard Toggle word wrap
      • spec.ols.rag.image specifies the tag for the image that you pushed to the image registry so that the OpenShift Lightspeed Operator can access the custom content. The OpenShift Lightspeed Operator can work with more than one RAG database that you create.

  7. Optional: Specify pull secrets in the OLSSpec section of the OLSConfig CR file. These secrets provide authentication for remote registries. Use this optional field if your RAG BYO Knowledge images reside in a private registry that the standard cluster-wide pull secret cannot access. 

    apiVersion: ols.openshift.io/v1alpha1
kind: OLSConfig
metadata:
  name: cluster
  namespace: openshift-lightspeed
spec:
  llm:
    providers:
...
  ols:
    imagePullSecrets:
      - name: <my_pull_secret_1>
      - name: <my_pull_secret_2>
    Copy to Clipboard Toggle word wrap
    • spec.ols.imagePullSecrets defines the pull secrets that OpenShift Lightspeed uses only when you specify BYO Knowledge RAG images. Instead of linking a specific secret to a specific image, the system maintains a general list of pull secrets. For every BYO Knowledge image, the system tries each pull secret in sequential order until it achieves a successful authentication.
  8. Click Save.

Verification

  • Access the OpenShift Lightspeed virtual assistant and submit a question associated with the custom content that you provided to the LLM.

    The OpenShift Lightspeed virtual assistant generates a response based on the custom content.

Disable the default OpenShift Container Platform documentation in the OLSConfig custom resource (CR) to prevent the service from using the built-in database that has the OpenShift Container Platform documentation.

Then, the only retrieval-augmented generation (RAG) databases OpenShift Lightspeed uses are the ones that you provide to the service by using the BYO Knowledge feature.

Prerequisites

  • You have logged in to the OpenShift Container Platform web console as a user account with permission to create a cluster-scoped CR file, such as a user with the cluster-admin role.
  • You have installed the OpenShift Lightspeed Operator.
  • You have configured the large language model provider.
  • You have configured the OLSConfig CR file, which automatically deploys the OpenShift Lightspeed Service.
  • You have created a RAG database that contains the content you want to use, as described in "Providing custom knowledge to the LLM".

Procedure

  1. In the OpenShift Container Platform web console, click Operators Installed Operators.
  2. Select All Projects in the Project list at the top of the screen.
  3. Click OpenShift Lightspeed Operator.
  4. Click OLSConfig, then click the cluster configuration instance in the list.
  5. Click the YAML tab.

  6. Insert the spec.ols.byokRAGOnly YAML code. 

    apiVersion: ols.openshift.io/v1alpha1
kind: OLSConfig
metadata:
  name: cluster
spec:
  ols:
    byokRAGOnly: true
    Copy to Clipboard Toggle word wrap
    • spec.ols.byokRAGOnly specifies if the Service limits responses by using only the information found in the local documentation that you provide. Specify true so that OpenShift Lightspeed only uses RAG databases that you create by using the BYO Knowledge feature. When true, OpenShift Lightspeed does not use the default RAG database that contains the OpenShift Container Platform documentation.
  7. Click Save.

1.9. About cluster interaction
Copy link

Enable the cluster interaction feature to supply the large language model (LLM) with additional context about your OpenShift Container Platform cluster.

OpenShift Lightspeed uses a large language model (LLM) to answer your questions. When you share details about your cluster objects, the LLM can give specific answers for your environment.

The Model Context Protocol (MCP) is an open protocol. It creates a standard way for applications to give context to an LLM. Using the protocol, an MCP server offers a standardized way for an LLM to increase context by requesting and receiving real-time information from external resources.

Note

If you configure filtering or redacting in the OLSConfig CR file, and you configure introspectionEnabled to enable a Model Context Protocol (MCP) server, any content that the tools return is not filtered and is visible to the LLM.

When you enable cluster interaction, the OpenShift Lightspeed Operator installs an MCP server. The MCP server provides the OpenShift Lightspeed Service with access to the OpenShift API. Through this access, the Service performs read operations to gather more context for the LLM, enabling the Service to generate answers to questions about the Kubernetes objects that reside in your OpenShift cluster.

Note

The ability of OpenShift Lightspeed to choose and use a tool effectively is very sensitive to the large language (LLM) model. In general, a larger model with more parameters performs better, and the best performance comes from an extremely large frontier model that represents the latest AI capabilities. When using a small model, you might notice poor performance in tool selection or other aspects of cluster interaction.

You must enable tool calling in the LLM provider to activate the cluster interaction feature in the OpenShift Lightspeed Service.

Note

Enabling tool calling can dramatically increase token usage. When you use a public model provider, an increase in token usage usually increases billing costs.

1.9.1. Enabling cluster interaction
Copy link

Enable the cluster interaction feature by modifying the OLSConfig custom resource (CR) to give OpenShift Lightspeed cluster-specific context.

Important

The cluster interaction feature is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

Prerequisites

  • You have logged in to the OpenShift Container Platform web console as a user with the cluster-admin role. As another option, you have logged in to a user account that has permission to create a cluster-scoped custom resource.
  • You have configured the large language model (LLM) provider.
  • You have installed the OpenShift Lightspeed Operator.

Procedure

  1. In the OpenShift Container Platform web console, click Operators Installed Operators.
  2. Click OpenShift Lightspeed Operator.
  3. Click OLSConfig, then click the cluster configuration instance in the list.
  4. Click the YAML tab.

  5. Set the spec.ols.introspectionEnabled parameter to true to enable cluster interaction: 

    apiVersion: ols.openshift.io/v1alpha1
kind: OLSConfig
metadata:
  name: cluster
spec:
  ols:
    introspectionEnabled: true
    Copy to Clipboard Toggle word wrap
  6. Click Save.

Verification

  • Access the OpenShift Lightspeed virtual assistant and submit a question associated with your cluster.

    The OpenShift Lightspeed virtual assistant generates a highly refined response specific to your environment.

1.9.2. Enabling a custom MCP server
Copy link

Add an additional Model Context Protocol (MCP) server that interfaces with a tool in your environment so that the large language model (LLM) uses the tool to generate answers to your questions.

Important

The MCP server feature is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

Prerequisites

  • You have installed the OpenShift Lightspeed Operator.
  • You have configured a large language model provider.
  • You have configured the OLSConfig CR file, which automatically deploys the OpenShift Lightspeed Service.

Procedure

  1. Open the OpenShift Lightspeed OLSconfig custom resource (CR) file by running the following command: 

    $ oc edit olsconfig cluster
    Copy to Clipboard Toggle word wrap

  2. Add MCPServer to the spec.featureGates specification file and include the MCP server information. 

    apiVersion: ols.openshift.io/v1alpha1
kind: OLSConfig
metadata:
  name: cluster
spec:
  featureGates:
    - MCPServer
  mcpServers:
  - name: mcp-server-1
    url: https://mcp.example.com
    timeout: 30
    headers:
      - name: Authorization
        valueFrom:
         type: kubernetes
  - name: mcp-server-2
    url: https://mcp.example.com
    timeout: 30
    headers:
      - name: X-Special
        valueFrom:
          type: secret
          secretRef:
            name: <secret_name>
    Copy to Clipboard Toggle word wrap
    • spec.featureGates specifies the MCP server functionality on the OpenShift Lightspeed pod.
    • spec.mcpServers.name specifies the name of the MCP server.
    • spec.mcpServers.url specifies the URL path that the MCP server uses to communicate
    • spec.mcpServers.timeout specifies the time that the MCP server has to respond to a query. If the client does not receive a query within the time specified, the MCP server times out. In this example, the timeout is 30 seconds.
    • spec.mcpServers.headers specifies MCP headers as an array of structured objects containing the key-value pairs required for server authentication and context.
    • spec.mcpServers.headers.name specifies the name of the header that gets sent to the MCP server.
    • spec.mcpServers.headers.valueFrom.type specify the string kubernetes to provide the user’s bearer token
    • spec.mcpServers.headers.valueFrom.secretRef.name specifies the name of the secret that contains the header value. Ensure that the secret has the key name header.

  3. Click Save.

    The save operation saves the file and applies the changes so that the MCP server is available to the OpenShift Lightspeed service.

1.10. Tokens and token quota limits
Copy link

Token quotas manage the amount of text that the OpenShift Lightspeed Service exchanges with a large language model (LLM). These limits control costs and ensure all users get fair access to resources.

The Service measures the text it exchanges with the LLM in tokens. A token is a small unit of text, ranging from a single character to a full word. Every chat between the Service and the LLM uses tokens.

Token quotas limit how many tokens you can use within a specific time frame. You can define token quota limits for OpenShift clusters or OpenShift user accounts.

1.10.1. Activating token quota limits
Copy link

Activate token quota limits for OpenShift Lightspeed by creating a ConfigMap resource and referencing it in the OLSConfig custom resource.

The OpenShift Lightspeed pod mounts the ConfigMap resource as a volume, enabling access to the file stored within it. The OLSConfig custom resource (CR) references the ConfigMap resource to obtain the quota limit information.

Prerequisites

  • You have installed the OpenShift Lightspeed Operator.
  • You have configured a large language model provider.
  • The OpenShift Lightspeed Service has access to a PostgreSQL database.

Procedure

  1. Open the OpenShift Lightspeed OLSconfig CR file by running the following command: 

    $ oc edit olsconfig cluster
    Copy to Clipboard Toggle word wrap

  2. Update the spec.ols.quotaHandlersConfig specification to include token quota limit information. 

    apiVersion: ols.openshift.io/v1alpha1
kind: OLSConfig
metadata:
  name: cluster
spec:
  ols:
    quotaHandlersConfig:
      limitersConfig:
      - name: user_limits
        type: user_limiter
        initialQuota: 100000
        quotaIncrease: 1000
        period: 30 days
      - name: cluster_limits
        type: cluster_limiter
        initialQuota: 1000000
        quotaIncrease: 100000
        period: 30 days
    Copy to Clipboard Toggle word wrap

    • User quota configuration fields

      • spec.ols.quotaHandlersConfig.limitersConfig.name specifies the token limit for the user account.
      • spec.ols.quotaHandlersConfig.limitersConfig.initialQuota specifies a token quota limit of 100,000 for each user over the time period specified in the period field.
      • spec.ols.quotaHandlersConfig.limitersConfig.quotaIncrease increases the token quota limit for the user by 1,000 at the end of the time period specified in the period field.

    • Cluster quota configuration fields

      • spec.ols.quotaHandlersConfig.limitersConfig.name specifies the token limit for a cluster.
      • spec.ols.quotaHandlersConfig.limitersConfig.initialQuota specifies a token quota limit of 1,000,000 for each cluster over the time period specified in the period field.
      • spec.ols.quotaHandlersConfig.limitersConfig.quotaIncrease increases the token quota limit for the cluster by 100,000 at the end of the time period specified in the period field.

    • Shared configuration field

      • spec.ols.quotaHandlersConfig.limitersConfig.period defines the amount of time that the scheduler waits before the period resets or the quota limit increases.

  3. Click Save.

    The save operation saves the file and applies the changes to activate the token quota limits.

PostgreSQL persistence ensures that OpenShift Lightspeed conversation history and quota usage data remain available across pod restarts and rescheduling events.

By default, the Service disables PostgreSQL persistence.

To enable the functionality, add the spec.ols.storage specification to the OLSConfig custom resource (CR).

1.11.1. Enabling PostgreSQL persistence
Copy link

Enable PostgreSQL persistence for OpenShift Lightspeed by modifying the OLSConfig custom resource (CR) file.

Important

PostgreSQL persistence is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

Prerequisites

  • You have logged in to the OpenShift Container Platform web console as a user account with permission to create a cluster-scoped CR file, such as a user with the cluster-admin role.
  • You have installed the OpenShift Lightspeed Operator.
  • You have configured the large language model provider.

Procedure

  1. In the OpenShift Container Platform web console, click Operators Installed Operators.
  2. Select All Projects in the Project list at the top of the screen.
  3. Click OpenShift Lightspeed Operator.
  4. Click OLSConfig, then click the cluster configuration instance in the list.
  5. Click the YAML tab.

  6. Insert the spec.ols.storage YAML code. 

    apiVersion: ols.openshift.io/v1alpha1
kind: OLSConfig
metadata:
  name: cluster
  namespace: openshift-lightspeed
spec:
  llm:
    providers:
...
  ols:
    storage: {}
    Copy to Clipboard Toggle word wrap
    • spec.ols.storage specifies how the assistant stores persistent data, specifically conversation history. The class depends on the existing instances of the storage class in the cluster. If you leave the storage class empty, the assistant uses default values. The persistent volume allocated for the PostgreSQL database is 1 GB in size and uses the storage class of the default cluster. Specify empty braces for the storage parameter to use the default values.
  7. Click Save.

Customize the storage capacity and storage class for the OpenShift Lightspeed database by modifying the OLSConfig custom resource (CR).

Prerequisites

  • You have logged in to the OpenShift Container Platform web console as a user account with permission to create a cluster-scoped CR, such as a user with the cluster-admin role.
  • You have installed the OpenShift Lightspeed Operator.
  • You have configured the large language model provider.
  • You have access to the OpenShift CLI (oc).

Procedure

  1. In the OpenShift Container Platform web console, click Operators Installed Operators.
  2. Select All Projects in the Project dropdown at the top of the screen.
  3. Click OpenShift Lightspeed Operator.
  4. Click OLSConfig, then click the cluster configuration instance in the list.
  5. Click the YAML tab.

  6. Update the OLSconfig CR to override the default PVC specifications as shown in the following example. 

    apiVersion: ols.openshift.io/v1alpha1
kind: OLSConfig
metadata:
  name: cluster
  namespace: openshift-lightspeed
spec:
  ols:
    storage:
      size: 768Mi
      class: gp2-csi
    Copy to Clipboard Toggle word wrap
    • spec.ols.storage.size specifies the total storage capacity for the database. If you do not specify this parameter, the Operator uses the default size of 1 GiB.
    • spec.ols.storage.class specifies the Storage Class for the database volume. If you do not specify this parameter, the Operator uses the default storage class setting of the cluster.
  7. Click Save.

Verification

  1. Verify that the cluster has successfully provisioned the storage by checking the status of the Persistent Volume Claim. 

    $ oc get pvc -n openshift-lightspeed
    Copy to Clipboard Toggle word wrap

1.12. About query-based tool filtering
Copy link

Query-based filtering uses a hybrid retrieval-augmented generation (RAG) system to identify the most appropriate set of tool for a user request.

When a large language model (LLM) application has access to hundreds of tools, sending the full list in one prompt slows performance and raises costs. Query-based filtering finds and retrieves the most relevant set of tools for a request in milliseconds. This pre-processing step removes selection interference, and ensures that the LLM focuses its reasoning capabilities on a small, high-quality subset of functions.

Restricting the set of tools available reduces token use, prevents model confusion, and maintains high execution accuracy. This approach transforms a massive tool library into a fast, lean interface.

1.12.1. Enabling query-based tool filtering
Copy link

Enable query-based tool filtering to automatically select the set of tools most relevant for your request.

Prerequisites

  • You are logged in to the OpenShift Container Platform web console as a user with the cluster-admin role. Alternatively, you are logged in to a user account that has permission to create a cluster-scoped CR file.
  • You have an LLM provider available for use with the OpenShift Lightspeed Service.
  • You have installed the OpenShift Lightspeed Operator.

Procedure

  1. In the OpenShift Container Platform web console, click Operators Installed Operators.
  2. Select All Projects in the Project dropdown at the top of the screen.
  3. Click OpenShift Lightspeed Operator.
  4. Click OLSConfig, then click the cluster configuration instance in the list.
  5. Click the YAML tab.

  6. Modify the ols.Config custom resource (CR) file to define a feature gate and the tools filtering configuration. 

    apiVersion: ols.openshift.io/v1alpha1
kind: OLSConfig
metadata:
  name: cluster
spec:
  featureGates:
    - ToolFiltering
  olsConfig:
    toolFilteringConfig:
      alpha: 0.8
      topK: 10
      threshold: 0.01
    Copy to Clipboard Toggle word wrap
    • spec.featureGates.ToolFilter specifies the feature gate.
    • spec.olsConfig.toolFilteringConfig.alpha specifies the weight balance between semantic (RAG-based) and keyword matching. Increasing the value provides more weight to the semantic search. The valid range of values is 0 to 1.
    • spec.olsConfig.toolFilteringConfig.topk specifies the maximum number of tools available for the LLM.

    • spec.olsConfig.toolFilteringConfig.threshold specifies the minimum score for the tool to be considered as a candidate. Tools with a value of the score lower then the threshold value are discarded. Increasing the value discards more tools. The valid range of values is 0.01 to 0.1.

      Note

      This example uses the default values for the alpha, tpok and threshold fields. If you use the default values in your configuration you do not have to specify them.

  7. Click Save.

Verification

  1. Navigate to the OpenShift Container Platform web console.
  2. Select Workloads Pods and then click the pod that contains OpenShift Lightspeed.
  3. Click Logs and confirm that the log displays RAG information.
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2026 Red HatBack to top