RSPEED-2435: fix rh-identity health probe path matching with root_path

[major]

Summary

• Fix health probe auth bypass in rh-identity auth plugin when root_path is configured

Problem

When root_path is set (e.g. /api/lightspeed), request paths become /api/lightspeed/liveness instead of /liveness. The skip_for_health_probes check in rh_identity.py uses an exact match (in ("/readiness", "/liveness")) which fails on the prefixed paths, causing health probes to get 401 and pods to crash-loop.

Fix

# Before
if request.url.path in ("/readiness", "/liveness"):

# After
if request.url.path.rsplit("/", 1)[-1] in ("readiness", "liveness"):

Matches only the final path segment — avoids false positives on paths like /api/v1/conversations/liveness.

Only the rh-identity auth plugin is affected — this is the only auth module used in our deployment.

Jira

https://issues.redhat.com/browse/RSPEED-2435

[coderabbitai]

Warning

Rate limit exceeded

@major has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 6 minutes and 30 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

Walkthrough

Changes the health-probe skip condition to use path suffix matching instead of exact equality, allowing requests ending with "/readiness" or "/liveness" to be skipped when skip_for_health_probes is enabled.

Changes

Cohort / File(s)	Summary
Health Probe Authentication Skip src/authentication/rh_identity.py	Modified path comparison from exact equality (==) to endswith() for health-probe endpoint detection, enabling pattern-based matching for readiness and liveness endpoints.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• LCORE-694: auth skip for health probes #992: Implements analogous health-probe authentication-skip behavior in the k8s.py authentication module for the same endpoint types.
• RSPEED-2429: Add health probe skip to RH Identity auth plugin #1144: Directly related change affecting the same file and health-probe skip logic in rh_identity.py.

Suggested reviewers

• tisnik

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: switching from exact path matching to endswith for health probe detection when root_path is configured.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Merge Conflict Detection	✅ Passed	✅ No merge conflicts detected when merging into main

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@src/authentication/rh_identity.py`:
- Around line 220-222: The current endswith check in the authentication bypass
(request.url.path.endswith(...)) is too permissive and allows any multi-segment
path that ends with "/readiness" or "/liveness" to skip auth; update the
condition used where
configuration.authentication_configuration.skip_for_health_probes is checked so
it only compares the last path segment (e.g., compute segment =
request.url.path.rstrip("/").split("/")[-1] and check segment in
("readiness","liveness")) before returning NO_AUTH_TUPLE; keep the existing
skip_for_health_probes flag and maintain support for arbitrary root_path
prefixes.

[tisnik]

LGTM