feat: add access_profile_id support to bifrost helm chart virtual key schema and helpers

[BearTS]

Summary

Adds support for access_profile_id as a virtual key assignment option in the Bifrost Helm chart, enabling enterprise users to associate virtual keys with access profile templates.

Changes

• Added access_profile_id field handling in the _helpers.tpl template so the value is included when constructing virtual key configurations
• Added access_profile_id to the JSON schema as an integer type with a description noting it is enterprise-only and mutually exclusive with team_id and customer_id
• Updated team_id and customer_id schema descriptions to reflect that they are also mutually exclusive with access_profile_id
• Updated values.yaml comments to document the new field and the mutual exclusivity constraints across all three assignment options

Type of change

• Bug fix
• Feature
• Refactor
• Documentation
• Chore/CI

Affected areas

• Core (Go)
• Transports (HTTP)
• Providers/Integrations
• Plugins
• UI (React)
• Docs

How to test

Deploy the Helm chart with a virtual key configured using access_profile_id:

bifrost:
  virtualKeys:
    - name: "test-key"
      access_profile_id: 1

Verify the rendered template includes access_profile_id in the virtual key configuration:

helm template ./helm-charts/bifrost --debug

Confirm that the schema validates correctly and rejects configurations where access_profile_id is used alongside team_id or customer_id.

Screenshots/Recordings

N/A

Breaking changes

• Yes
• No

Related issues

Security considerations

access_profile_id is an enterprise-only field that controls access profile assignment for virtual keys. Ensure that only authorized users can set this field, as it governs access control boundaries for the associated key.

Checklist

• I read docs/contributing/README.md and followed the guidelines
• I added/updated tests where appropriate
• I updated documentation where needed
• I verified builds succeed (Go and UI)
• I verified the CI pipeline passes locally if applicable

[coderabbitai]

Warning

Rate limit exceeded

@BearTS has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 5 minutes and 19 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 9164a627-e980-4472-afae-723c24005551

📥 Commits

Reviewing files that changed from the base of the PR and between 9b9fc62 and 8fef3f3.

📒 Files selected for processing (3)

• helm-charts/bifrost/templates/_helpers.tpl
• helm-charts/bifrost/values.schema.json
• helm-charts/bifrost/values.yaml

📝 Walkthrough

Walkthrough

This PR extends the governance virtual keys configuration in the Bifrost Helm chart to support an optional access_profile_id field. The change updates the JSON schema definition to include access_profile_id as an integer with enterprise-only mutual-exclusion constraints, adds conditional logic to the template to include this field when provided, and documents the new field with example values and updated mutual-exclusivity comments.

Changes

Virtual Keys Access Profile Support

Layer / File(s)	Summary
Virtual key schema and mutual exclusivity rules helm-charts/bifrost/values.schema.json	Schema updated to define team_id (string), refine customer_id description, and introduce access_profile_id (integer) as an enterprise-only field with mutual-exclusion constraints against team_id and customer_id.
Template implementation and example values helm-charts/bifrost/templates/_helpers.tpl, helm-charts/bifrost/values.yaml	Template adds conditional mapping to set access_profile_id into virtual key objects when present; example configuration extended with access_profile_id sample field and broadened mutual-exclusivity comments.

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly Related PRs

• maximhq/bifrost#3560: Backend/model support for access_profile_id on virtual keys that pairs with this Helm chart schema and template update.

Suggested Reviewers

• danpiths
• akshaydeo

Poem

🐰 A profile flies into the keys,
Gently conditional, by the Helm breeze.
Teams, customers, profiles now choose—
Enterprise-wise, they cannot lose. ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title clearly and specifically describes the main change: adding access_profile_id support to the Bifrost Helm chart's virtual key schema and helpers.
Description check	✅ Passed	The PR description is comprehensive, covering all major template sections including summary, changes, type of change, affected areas, testing instructions, breaking changes, and security considerations.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch 05-20-feat_support_for_helm_to_assign_vk_on_access_profile

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[BearTS]

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

• chore: bump Bifrost Helm chart to 2.1.18 with feature flags, model catalog URL, and bug fixes #3623
• feat: add access_profile_id support to bifrost helm chart virtual key schema and helpers #3622 👈 (View in Graphite)
• fix: sort provider secrets and weaviate env vars alphabetically for deterministic Helm rendering #3621
• feat: add default password warnings for PostgreSQL and Redis in Helm chart NOTES.txt #3620
• fix: gate Weaviate PVC creation on persistence.enabled #3619
• fix: use REDISCLI_AUTH env var to avoid passing password via -a flag in Redis health checks #3618
• feat: add optional gRPC port to bifrost cluster deployment and service #3617
• feat: add timeout comments to guardrail rule and provider entries in values.yaml #3612
• dev

This stack of pull requests is managed by Graphite. Learn more about stacking.

[greptile-apps]

Confidence Score: 5/5

Safe to merge — changes are additive, confined to the Helm chart layer, and the new schema constraint correctly enforces mutual exclusivity.

The change adds a single optional integer field to the virtual key configuration. The template follows the established conditional-field pattern, the JSON Schema not/anyOf block correctly prevents any two of the three mutually exclusive fields from coexisting, and no existing behaviour is altered.

No files require special attention.

Important Files Changed

Filename	Overview
helm-charts/bifrost/templates/_helpers.tpl	Adds access_profile_id conditional field using the same truthiness-guard pattern as team_id and customer_id; functionally consistent with existing code.
helm-charts/bifrost/values.schema.json	Adds access_profile_id as an integer property and introduces a not/anyOf block that correctly enforces mutual exclusivity among team_id, customer_id, and access_profile_id; schema logic is sound.
helm-charts/bifrost/values.yaml	Comment-only update documenting the new access_profile_id field and mutual exclusivity constraints on all three assignment options.

_{Reviews (4): Last reviewed commit: "feat: support for helm to assign vk on a..." | Re-trigger Greptile}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@helm-charts/bifrost/templates/_helpers.tpl`:
- Line 466: The template currently checks truthiness with "if
.access_profile_id" which will skip valid zero values; change the presence check
to use hasKey so numeric zero isn't dropped: replace the conditional with
something like {{- if hasKey . "access_profile_id" }} and keep the set call {{-
$_ := set $vk "access_profile_id" .access_profile_id }} unchanged so the key is
set when the field exists even if it's 0.

In `@helm-charts/bifrost/values.schema.json`:
- Around line 1232-1243: The schema currently documents but does not enforce
that team_id, customer_id, and access_profile_id are mutually exclusive; add a
validation rule that disallows any pairwise combination by adding a "not" +
"anyOf" block at the same object schema level that contains these properties,
e.g. a "not": { "anyOf": [ { "required": ["team_id","customer_id"] }, {
"required": ["team_id","access_profile_id"] }, { "required":
["customer_id","access_profile_id"] } ] } to the object that defines team_id,
customer_id and access_profile_id so the validator rejects configs with more
than one of these keys present.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 048bae26-53a4-4ede-ac83-f25028f7329d

📥 Commits

Reviewing files that changed from the base of the PR and between da12406 and 9b9fc62.

📒 Files selected for processing (3)

• helm-charts/bifrost/templates/_helpers.tpl
• helm-charts/bifrost/values.schema.json
• helm-charts/bifrost/values.yaml