Ephemeral flows stuck in "Pending"
Symptom: The flow never reaches "Running" state.
Cause: The operator cannot pull the required worker image, or the cluster lacks resources.
Fix: Check the operator logs: oc logs -l app=openshift-integration-operator -n openshift-integration. Ensure Quay.io is accessible from the cluster.
AI flows failing with 401 Unauthorized
Symptom: Worker pod logs show java.lang.RuntimeException: 401 Unauthorized when calling LLMs.
Cause: Missing or incorrect API key in the Secret.
Fix: Verify the Secret exists and the keys match the properties (e.g., OPENAI_API_KEY). Ensure spec.secrets[].envFrom: true is set.
GitOps sync failing
Symptom: Argo CD reports "OutOfSync" or "Degraded".
Cause: The generated YAML might be invalid, or Tekton failed to build the image.
Fix: Check the Tekton PipelineRun logs in the OpenShift Console. Ensure the kaotoDesign YAML is valid.
MCP bridge returns 403 or SSRF concern
Symptom: GET /api/mcp/tools?serverUrl=... returns 403 Server URL not in allowlist, or security review flags open serverUrl proxying.
Cause: The MCP bridge proxies JSON-RPC to any URL when mcp.allowedServerUrls is empty. With a valid Kubernetes bearer token, this can reach internal cluster services (SSRF).
Fix: Configure an allowlist at install time — only URL prefixes in the list are accepted:
helm upgrade --install openshift-integration-operator \
  helm/openshift-integration-operator \
  --namespace openshift-integration \
  --reuse-values \
  --set 'mcp.allowedServerUrls[0]=https://mcp.example.com' \
  --set 'mcp.allowedServerUrls[1]=http://mcp-tools.my-namespace.svc'
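
Because the allowlist accepts URL prefixes, the shape of each entry matters. The sketch below is an added example, not the operator's code: it shows a strict, origin-aware check for serverUrl values and a lint for allowlist entries. It assumes the bridge may compare entries as plain string prefixes (the page does not say how the comparison is done), and the function names are hypothetical.

```python
from urllib.parse import unquote, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
# Entries taken from the helm command above.
ALLOWLIST = ["https://mcp.example.com", "http://mcp-tools.my-namespace.svc"]

def _origin(url):
    """Return (scheme, host, port, path), or None if the URL is not acceptable."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if parts.username is not None or parts.password is not None:
        return None  # userinfo makes the real host differ from the visible prefix
    if port is None:
        port = DEFAULT_PORTS[parts.scheme]
    return (parts.scheme, parts.hostname.lower(), port, parts.path or "/")

def is_allowed(server_url, allowlist):
    """True only if server_url has the same scheme, host and port as an entry
    and its path is at or below the entry's path on a '/' boundary."""
    candidate = _origin(server_url)
    if candidate is None or ".." in unquote(candidate[3]).split("/"):
        return False
    for entry in allowlist:
        allowed = _origin(entry)
        if allowed is None or candidate[:3] != allowed[:3]:
            continue
        base = allowed[3].rstrip("/")
        if candidate[3] == base or candidate[3].startswith(base + "/"):
            return True
    return False

def loose_entries(allowlist):
    """Entries a plain string-prefix comparison would over-match: with no '/'
    after the host, 'https://a.example' also prefixes
    'https://a.example.other.test'."""
    return [e for e in allowlist if "/" not in e.split("://", 1)[-1]]
```

If the bridge does compare raw strings, ending each entry with a trailing slash (for example https://mcp.example.com/) pins the prefix to that host.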