version v7.2.
For up-to-date documentation, see the
latest version.
Operations Guide
9 minute read
Reference
| Document reference | Document Name |
|---|---|
| LLD-CodeCompanion | Low level design of Code Companion |
Introduction
The Code Companion component is part of Software Factory as a Package (SWaaP).
Code Companion (previously known as Hermes) is a cloud-based artificial intelligence extension for Visual Studio Code developed by the LaetitiA squad to assist users in their work by generating code, unit tests or comments. It also allows the user to chat with the AI and ask for help with tasks such as explaining code, refactoring code, or detecting vulnerabilities and logic flaws, just to name a few.
Service Catalog Items
Onboarding
The onboarding process is designed to provision access
and necessary configurations for new users of the tool.
It is initiated by a TDF/Engineering account participant
and must be validated by the TDF/Engineering account owner.
Steps
- A list of users to be onboarded is submitted by a TDF/Engineering participant.
- The onboarding request is reviewed and validated by the TDF/Engineering account owner.
- Upon approval, access is granted, and the user is notified.
Responsibilities
- Initiator: TDF/Engineering account participant
- Validator: TDF/Engineering account owner
Offboarding
The offboarding process ensures that users who
no longer require access are properly removed from the system.
This is crucial for maintaining security and compliance.
Steps
- A list of users to be offboarded is submitted by a TDF/Engineering participant.
- The request is reviewed and validated by the TDF/Engineering account owner.
- Access rights are revoked and user data is archived or deleted as per policy.
Responsibilities
- Initiator: TDF/Engineering account participant
- Validator: TDF/Engineering account owner
Support Request
The support request service handles user inquiries related to tool features, issues, or bugs. It follows a classic L1/L2/L3 support escalation model.
Support Levels
- L1 (Level 1): Basic troubleshooting and common user issues. Typically handled by front-line support.
- L2 (Level 2): More in-depth technical support requiring knowledge of system configurations or intermediate debugging. Usually managed by platform teams.
- L3 (Level 3): Advanced support for complex issues or bugs requiring code-level investigation or engineering input. Usually managed by product team.
Workflow
- User submits a support request.
- L1 support attempts resolution or escalates if needed.
- If unresolved, the issue escalates to L2, and finally to L3 if necessary.
Billing and onboarding
This section aims at describing how billing related to the component is managed and at specifying offers including access to the component.
Billing & onboarding on TDP and CASTLE
This component is deprecated and will be transfered, like Offer Management, to platform operation teams.
The Ops manager can use a “Subscribe to GenAI premium offer” Post-it ticket to onboard users on a TDF account. The Ops manager can also use an “Unsubscribe to GenAI premium offer” Post-it ticket to offboard users on a TDF account. Behind the scenes, these Post-it tickets will call the onboarding and offboarding endpoints.
The onboarding or offboarding endpoints will add or removed users from production Premium Access group
The Billing team will then call the offers and consumptions endpoints to establish a bill for each TDF account / Ops manager.
As part of the offboarding process, a scheduler is set up to check every day at midnight that users who have requested to be unregistered are indeed unregistered on their “monthiversary” day.
Billing & onboarding on RTDP and RCastle
Not Available yet.
Component deployment and configuration
Requirements & Pre-requisite
- Identity Provider (IdP (e.g Azure AD))
- Kubernetes cluster v1.26 and later
- Flux v2.2.2 and later installed. Multi-tenancy lockdown supported
- LLM/SLM
- APIM (optional)
- Guardrails (optional, depending on the platform and its data sensibility)
Install Highlights for Flux managed by Kubernetes provider (e.g K8SaaS on TDP)
- Do not
flux bootstrapyour cluster since it will be done by your Kubernetes provider - Just fork the reference repository and apply the Flux manifests as explained into the documentation.
More information about how to install with Flux managed by Kubernetes provider
Configuration
IdP requirement: Configuring the API Service Principal
- Naming syntax:
sf[platform]-code-companion-api-[env]
Step 1: Authentication
Go to “Manage” section.
Configure Authentication Settings
To configure authentication settings for your service principal, follow these steps:
Add a Web Platform with Redirect URIs:
- Redirect URI:
https://jwt.ms
- Redirect URI:
Add a Mobile and Desktop applications Platform with Redirect URIs:
When necessary, replace
{service-principal-id}with the id of the Service Principal.- Redirect URI:
http://127.0.0.1/callback - Redirect URI:
https://vscode.dev/redirect - Redirect URI:
ms-appx-web://microsoft.aad.brokerplugin/{service-principal-id}
- Redirect URI:
Step 2: API Permissions
Configure API Permissions
To configure API permissions for your service principal, follow these steps:
Add APIM permissions:
- Browse service principals to search for the one of your APIM in the section owned by your organization.
- Check the permission and validate. (e.g In TrustNest, this step requires admin approval.)
Adding Specific permissions (e.g Microsoft Graph on TrustNest)
- In TrustNest for example, Microsoft Graph API Rights are required.
- To configure Microsoft Graph API rights for your service principal, follow these steps:
- (TrustNest specific) Add a permission => Microsoft Graph => Delegated permissions:
- Check the following boxes:
- OpenID permissions:
emailoffline_accessopenidprofile
- Directory:
Directory.Read.All(requires Admin approval)
- User:
User.ReadUser.ReadBasic.All
- OpenID permissions:
- Check the following boxes:
Step 3: Expose an API (api)
To expose an API for your service principal, follow these steps:
Add an “Application ID URI”:
- Save the changes
Add a scope (e.g.
codecompanion) for admins access only:- Display name:
codecompanion - Consent description:
Admin access only - State:
Enabled
- Display name:
Step 4: Configure App Roles (api)
To configure app roles for your service principal, follow these steps:
Create Premium app role:
- Display name:
Premium - Allowed member types:
Both - Value:
premium - Description:
Premium - Check “Do you want to enable this app role”
- Display name:
Create K6 app role:
- Display name:
k6 - Allowed member types:
Both - Value:
k6 - Description:
Tests k6 - Check “Do you want to enable this app role”
- Display name:
IdP requirement: Configuring the APP Service Principal
- Naming syntax: sf[platform]-code-companion-app-[env]
Step 1: Configure Authentication Settings
Go to “Manage” section.
To configure authentication settings for your service principal, follow these steps:
Add a Web Platform with Redirect URIs:
- Redirect URI:
https://jwt.ms
- Redirect URI:
Add a Mobile and Desktop applications Platform with Redirect URIs:
When necessary, replace
{service-principal-id}with the id of the Service Principal.- Redirect URI:
http://127.0.0.1/callback - Redirect URI:
https://vscode.dev/redirect - Redirect URI:
ms-appx-web://microsoft.aad.brokerplugin/{service-principal-id}
- Redirect URI:
Step 2: Configure API Permissions
To configure API permissions for your service principal, follow these steps:
Give access the other Service Principal:
- Select “Add a permission”, select “My APIs” and choose the one corresponding
to your environment previously set (e.g:
sfc3-saml-code-companion-api-dev)Select “Delegated permissions
Check the permission “default XXXX” and validate
This step require admin approval
- Select “Add a permission”, select “My APIs” and choose the one corresponding
to your environment previously set (e.g:
Adding Microsoft Graph API Rights
To configure Microsoft Graph API rights for your service principal, follow these steps:
- Add a permission => Microsoft Graph => Delegated permissions:
- Check the following boxes:
- OpenID permissions:
emailoffline_accessopenidprofile
- User:
User.ReadUser.ReadBasic.All
- OpenID permissions:
- Check the following boxes:
- Add a permission => Microsoft Graph => Delegated permissions:
Step 3: Expose an API (app)
To expose an API for your service principal, follow these steps:
Add an “Application ID URI”:
- Save the changes
Add a scope (e.g.
codecompanion) for admins access only:- Display name:
codecompanion - Consent description:
Admin access only - State:
Enabled
- Display name:
Step 4: Configure App Roles (app)
To configure app roles for your service principal, follow these steps:
Create Premium app role:
- Display name:
Premium - Allowed member types:
Both - Value:
premium - Description:
Premium - Check “Do you want to enable this app role”
- Display name:
IdP requirement: Configuring the APP Enterprise Application
- Naming syntax: sf[platform]-code-companion-app-[env]
Step 1: Configure users/groups Settings
Affects current user and groups:
- dp-trustnest-genai-hermes-c2-[env]-app-freemium (Freemium role)
- dp-trustnest-genai-hermes-c2-[env]-app-premium (Premium role)
- dp-trustnest-genai-hermes-c2-[env]-app-trial (Trial role)
- dp-trustnest-genai-hermes-c2-[env]-app-reader (Reader role)
Access Groups
There are four groups that can access our product, each with distinct permissions and use cases:
- Reader: Intended for the development team, management, and platform team.
- Trial: This group is used for trial periods and is managed by a script that controls trial access.
- Premium: This group offers premium access to the product (default offer), which is granted through the onboarding and offboarding script code.
- Freemium: Although not commonly used, this group allows for temporary access to be granted in cases where there are issues with premium access.
Setting Helm values
Mandatory Code Companion values are described in the SWaaP Readme - Helm values .
There’s also a list of required and optional ConfigMaps that are needed. These are described in the Code Companion package readme document
TLS Setting
We advise against setting the TLS verify option to false for production usage.
tlsVerify: false
This should be used in development environment only.
Configuring Kubernetes secrets
The required Code Companion secrets and how they are created is described in the SWaaP Readme - Code Companion secrets .
Deployment & update procedure
The deployment and update procedures are described in the SWaaP Readme - Quick start section .
Install Steps for Flux managed by Kubernetes provider (e.g K8SaaS on TDP)
- Fork the reference repository into your GitLab group (and/or into your restricted GitLab instance) (TODO: Update branch from ‘code-companion’ to the pre-release branch)
- Configure platform YAML specific values (link to reference section of values )
- Create required secrets (link to reference secrets section ))
- Apply Flux manifests into the cluster (link to
flux manifests applyin reference ) by running the following command:
kubectl apply -k setup/
The following command works as well:
kubectl kustomize setup/ | kubectl apply -f-
Test your deployment
There are k6 tests available to test your deployment.
Clone the project and run the tests locally with the following command :
k6 run
--env TENANT_ID=${YOUR_TENANT_ID}
--env CLIENT_ID=${YOUR_CLIENT_ID}
--env CLIENT_SECRET=${YOUR_CLIENT_SECRET}
--env SCOPE=${YOUR_SCOPE}
--env SVC_USERNAME=${YOUR_SVC_USERNAME}
--env SVC_PASSWORD=${YOUR_SVC_PASSWORD}
--env BASE_URL=${YOUR_SERVER_URL}
--summary-export=${FILE_PATH}.json
./${FILE_PATH}.js
Make sure to replace paramters with the correct values :
${YOUR_TENANT_ID},${YOUR_CLIENT_ID},${YOUR_CLIENT_SECRET}and${YOUR_SERVER_URL}are variables related to your service principal.${YOUR_SCOPE}is the API endpoint you want to target.- Replace
${YOUR_SVC_USERNAME}and${YOUR_SVC_PASSWORD}by the username and password of your K6 service account previously created.
At test completion k6 will generate a JSON file with test reports.
Settings
Capacity Planning
| Components | Requests | Limits |
|---|---|---|
continue-server.cpu | 200m | 200m |
continue-server.memory | 256Mi | 256Mi |
binami.redis.cpu | 150m | 150m |
binami.redis.memory | 192Mi | 192Mi |
(configured as nano sizing but could scale up according to a load test conducted in the integration environment)
Functional Configuration
This section is optional. describe here any customization which can be configurate on platform
Monitoring
This section is optional. It aims at describing what are the metrics we suggest to use.
Metrics for supervising health of components
- GET /health - API route to ensure the backend is UP and running
- (average, p99, p95) latency
- error rate on API http status code
- (average, p99, p95) token per seconds
Business Metrics
- (DAU, MAU) number of active users per day/month
- number of prompts (total, per user)
- token consumption (total, per user)
Common Operations
Secrets roation/expiration
List of secrets requiring rotation or being expired and requiring being updated:
- Subscription key
- Service principals Client secrets
How to rotate Subscription key
- Rotate the subscription key from your API Management portal/dependency
- Update the new subscription key value (key: trustnest-apim-subscription-key) in the secrets “apim-credentials”(SWaaP Readme - Helm values .)
How to rotate Service principals client secrets
- Rotate the service principals client secrets in your IdP portal (e.g on Azure AD, go to the service princiapl, Manage -> Certificates & Secrets -> (tab) Client secrets -> Create a new client secret and remove the previous secret once expired)
- Update the new subscription key value (key: oauth-client-secret) in the secrets “apim-credentials”