openshift · onmete · May 21, 2026 · May 21, 2026 · May 20, 2026 · iNecas
diff --git a/.ai/spec/what/sandbox-execution.md b/.ai/spec/what/sandbox-execution.md
@@ -56,5 +56,5 @@ Behavioral specification for how workflow steps run inside ephemeral **sandboxes
 
 - [PLANNED: OLS-2957] **Sandbox template management** UX and CRD ergonomics (base/derived lifecycle, versioning) may change operator/template coupling described in rules 2–4.
 - [PLANNED: OLS-3038] **TLS verification and network policy** for agent traffic may replace permissive internal TLS client behavior.
-- [PLANNED: OLS-3044] **Provider parity**: environment variable contract for non-Claude providers in templates MUST track sandbox image capabilities.
+- **Sandbox provider selection**: Derived templates MUST set `LIGHTSPEED_AGENT_PROVIDER` from `LLMProvider.spec.type` (`Anthropic`/`AWSBedrock` → `claude`; `OpenAI`/`AzureOpenAI` → `openai`; `GoogleCloudVertex` → routed by `googleCloudVertex.modelProvider`: `Anthropic` → `claude`, `Google` → `gemini`, `OpenAI` → `openai`). Model env var follows the provider: `ANTHROPIC_MODEL`, `GEMINI_MODEL`, or `OPENAI_MODEL`.
 - [PLANNED: OLS-2894] Support **multiple concurrent skills images** in template derivation beyond the first `skills` entry if product requires composite skill bundles.
diff --git a/api/v1alpha1/llmprovider_types.go b/api/v1alpha1/llmprovider_types.go
@@ -72,6 +72,20 @@ type AnthropicConfig struct {
 	URL string `json:"url,omitempty"`
 }
 
+// GoogleCloudVertexModelProvider selects which model provider stack talks to Vertex AI.
+//
+// +kubebuilder:validation:Enum=Anthropic;Google;OpenAI
+type GoogleCloudVertexModelProvider string
+
+const (
+	// GoogleCloudVertexModelProviderAnthropic uses Anthropic models on Vertex (Claude SDK).
+	GoogleCloudVertexModelProviderAnthropic GoogleCloudVertexModelProvider = "Anthropic"
+	// GoogleCloudVertexModelProviderGoogle uses Google models on Vertex (GenAI SDK).
+	GoogleCloudVertexModelProviderGoogle GoogleCloudVertexModelProvider = "Google"
+	// GoogleCloudVertexModelProviderOpenAI uses OpenAI-compatible models on Vertex (OpenAI SDK).
+	GoogleCloudVertexModelProviderOpenAI GoogleCloudVertexModelProvider = "OpenAI"
+)
+
 // GoogleCloudVertexConfig contains configuration for the Google Cloud Vertex AI provider.
 type GoogleCloudVertexConfig struct {
 	// credentialsSecret references a Secret in the operator namespace
@@ -100,6 +114,13 @@ type GoogleCloudVertexConfig struct {
 	// +kubebuilder:validation:XValidation:rule="self.matches('^[a-z][a-z0-9-]*[a-z0-9]$')",message="region must contain only lowercase letters, digits, and hyphens, start with a letter, and not end with a hyphen"
 	Region string `json:"region,omitempty"`
 
+	// modelProvider selects which model provider stack talks to Vertex AI (required).
+	// "Anthropic" uses Anthropic models on Vertex; "Google" uses Google models on Vertex;
+	// "OpenAI" uses OpenAI-compatible models on Vertex.
+	// Enum is defined on GoogleCloudVertexModelProvider.
+	// +required
+	ModelProvider GoogleCloudVertexModelProvider `json:"modelProvider"`
+
 	// url is an optional override for the Vertex AI API endpoint.
 	// Only needed for custom deployments or API proxies.
 	// Must be a valid HTTP or HTTPS URL with a hostname. Paths and query
@@ -312,6 +333,7 @@ type LLMProviderSpec struct {
 //	      name: llm-credentials
 //	    projectID: my-gcp-project
 //	    region: us-central1
+//	    modelProvider: Anthropic
 type LLMProvider struct {
 	metav1.TypeMeta `json:",inline"`
 

diff --git a/config/crd/bases/agentic.openshift.io_llmproviders.yaml b/config/crd/bases/agentic.openshift.io_llmproviders.yaml
@@ -36,7 +36,8 @@ spec:
           AI provider (model specified on Agent, not here):\n\n\tapiVersion: agentic.openshift.io/v1alpha1\n\tkind:
           LLMProvider\n\tmetadata:\n\t  name: vertex-ai\n\tspec:\n\t  type: GoogleCloudVertex\n\t
           \ googleCloudVertex:\n\t    credentialsSecret:\n\t      name: llm-credentials\n\t
-          \   projectID: my-gcp-project\n\t    region: us-central1"
+          \   projectID: my-gcp-project\n\t    region: us-central1\n\t    modelProvider:
+          Anthropic"
         properties:
           apiVersion:
             description: |-
@@ -268,6 +269,17 @@ spec:
                     required:
                     - name
                     type: object
+                  modelProvider:
+                    description: |-
+                      modelProvider selects which model provider stack talks to Vertex AI (required).
+                      "Anthropic" uses Anthropic models on Vertex; "Google" uses Google models on Vertex;
+                      "OpenAI" uses OpenAI-compatible models on Vertex.
+                      Enum is defined on GoogleCloudVertexModelProvider.
+                    enum:
+                    - Anthropic
+                    - Google
+                    - OpenAI
+                    type: string
                   projectID:
                     description: |-
                       projectID is the Google Cloud Project ID where Vertex AI is enabled.
@@ -316,6 +328,7 @@ spec:
                       rule: '!self.contains(''#'')'
                 required:
                 - credentialsSecret
+                - modelProvider
                 - projectID
                 - region
                 type: object

diff --git a/controller/proposal/reconciler_test.go b/controller/proposal/reconciler_test.go
@@ -106,6 +106,7 @@ func testLLM(name string) *agenticv1alpha1.LLMProvider {
 				CredentialsSecret: agenticv1alpha1.SecretReference{Name: "llm-secret"},
 				ProjectID:         "test-project",
 				Region:            "us-central1",
+				ModelProvider:     agenticv1alpha1.GoogleCloudVertexModelProviderAnthropic,
 			},
 		},
 	}

diff --git a/controller/proposal/sandbox_agent.go b/controller/proposal/sandbox_agent.go
@@ -14,7 +14,7 @@ import (
 )
 
 const (
-	defaultSandboxTimeout  = 5 * time.Minute
+	defaultSandboxTimeout   = 5 * time.Minute
 	defaultBaseTemplateName = "lightspeed-agent"
 )
 

diff --git a/controller/proposal/sandbox_agent_test.go b/controller/proposal/sandbox_agent_test.go
@@ -58,11 +58,11 @@ func newTestSandboxAgentCaller(sandbox *mockSandboxProvider, httpClient *mockHTT
 	fc := fake.NewClientBuilder().WithScheme(testScheme()).Build()
 	_ = fc.Create(context.Background(), fakeBaseTemplate())
 	return &SandboxAgentCaller{
-		Sandbox:          sandbox,
-		K8sClient:        fc,
-		ClientFactory:    func(_ string) AgentHTTPClientInterface { return httpClient },
-		Namespace:        "test-ns",
-		Timeout:          5 * time.Minute,
+		Sandbox:       sandbox,
+		K8sClient:     fc,
+		ClientFactory: func(_ string) AgentHTTPClientInterface { return httpClient },
+		Namespace:     "test-ns",
+		Timeout:       5 * time.Minute,
 	}
 }
 
@@ -73,11 +73,11 @@ func newTestSandboxAgentCallerWithProposal(sandbox *mockSandboxProvider, httpCli
 		Build()
 	_ = fc.Create(context.Background(), fakeBaseTemplate())
 	return &SandboxAgentCaller{
-		Sandbox:          sandbox,
-		K8sClient:        fc,
-		ClientFactory:    func(_ string) AgentHTTPClientInterface { return httpClient },
-		Namespace:        "test-ns",
-		Timeout:          5 * time.Minute,
+		Sandbox:       sandbox,
+		K8sClient:     fc,
+		ClientFactory: func(_ string) AgentHTTPClientInterface { return httpClient },
+		Namespace:     "test-ns",
+		Timeout:       5 * time.Minute,
 	}
 }
 

diff --git a/controller/proposal/sandbox_templates.go b/controller/proposal/sandbox_templates.go
@@ -26,7 +26,8 @@ var sandboxTemplateGVK = schema.GroupVersionKind{
 }
 
 const (
-	agentModeEnvVar = "LIGHTSPEED_MODE"
+	agentModeEnvVar            = "LIGHTSPEED_MODE"
+	sandboxAgentProviderEnvVar = "LIGHTSPEED_AGENT_PROVIDER"
 
 	vertexCredsMountPath = "/var/secrets/google"
 	vertexCredsFileName  = "credentials.json"
@@ -245,14 +246,74 @@ func providerURL(llm *agenticv1alpha1.LLMProvider) string {
 	}
 }
 
+func vertexSandboxAgentProvider(mp agenticv1alpha1.GoogleCloudVertexModelProvider) (string, error) {
+	switch mp {
+	case agenticv1alpha1.GoogleCloudVertexModelProviderAnthropic:
+		return "claude", nil
+	case agenticv1alpha1.GoogleCloudVertexModelProviderGoogle:
+		return "gemini", nil
+	case agenticv1alpha1.GoogleCloudVertexModelProviderOpenAI:
+		return "openai", nil
+	default:
+		return "", fmt.Errorf("unsupported googleCloudVertex.modelProvider %q", mp)
+	}
+}
+
+func sandboxAgentProviderValue(llm *agenticv1alpha1.LLMProvider) (string, error) {
+	switch llm.Spec.Type {
+	case agenticv1alpha1.LLMProviderAnthropic, agenticv1alpha1.LLMProviderAWSBedrock:
+		return "claude", nil
+	case agenticv1alpha1.LLMProviderGoogleCloudVertex:
+		return vertexSandboxAgentProvider(llm.Spec.GoogleCloudVertex.ModelProvider)
+	case agenticv1alpha1.LLMProviderOpenAI, agenticv1alpha1.LLMProviderAzureOpenAI:
+		return "openai", nil
+	default:
+		return "", fmt.Errorf("unsupported LLM provider type %q", llm.Spec.Type)
+	}
+}
+
+func vertexModelEnvVar(mp agenticv1alpha1.GoogleCloudVertexModelProvider) string {
+	switch mp {
+	case agenticv1alpha1.GoogleCloudVertexModelProviderAnthropic:
+		return "ANTHROPIC_MODEL"
+	case agenticv1alpha1.GoogleCloudVertexModelProviderGoogle:
+		return "GEMINI_MODEL"
+	case agenticv1alpha1.GoogleCloudVertexModelProviderOpenAI:
+		return "OPENAI_MODEL"
+	default:
+		return ""
+	}
+}
+
+func modelEnvVarName(llm *agenticv1alpha1.LLMProvider) string {
+	switch llm.Spec.Type {
+	case agenticv1alpha1.LLMProviderOpenAI, agenticv1alpha1.LLMProviderAzureOpenAI:
+		return "OPENAI_MODEL"
+	case agenticv1alpha1.LLMProviderGoogleCloudVertex:
+		return vertexModelEnvVar(llm.Spec.GoogleCloudVertex.ModelProvider)
+	default:
+		return "ANTHROPIC_MODEL"
+	}
+}
+
 func patchLLMCredentials(tmpl *unstructured.Unstructured, llm *agenticv1alpha1.LLMProvider, model string) error {
 	secretName := credentialsSecretName(llm)
 
 	if err := addEnvFromSecret(tmpl, secretName); err != nil {
 		return fmt.Errorf("add credentials envFrom: %w", err)
 	}
-	if err := setEnvVar(tmpl, "ANTHROPIC_MODEL", model); err != nil {
-		return fmt.Errorf("set ANTHROPIC_MODEL: %w", err)
+
+	providerValue, err := sandboxAgentProviderValue(llm)
+	if err != nil {
+		return err
+	}
+	if err := setEnvVar(tmpl, sandboxAgentProviderEnvVar, providerValue); err != nil {
+		return fmt.Errorf("set %s: %w", sandboxAgentProviderEnvVar, err)
+	}
+
+	modelEnv := modelEnvVarName(llm)
+	if err := setEnvVar(tmpl, modelEnv, model); err != nil {
+		return fmt.Errorf("set %s: %w", modelEnv, err)
 	}
 
 	if u := providerURL(llm); u != "" {
@@ -264,8 +325,10 @@ func patchLLMCredentials(tmpl *unstructured.Unstructured, llm *agenticv1alpha1.L
 	switch llm.Spec.Type {
 	case agenticv1alpha1.LLMProviderGoogleCloudVertex:
 		cfg := llm.Spec.GoogleCloudVertex
-		if err := setEnvVar(tmpl, "CLAUDE_CODE_USE_VERTEX", "1"); err != nil {
-			return fmt.Errorf("set CLAUDE_CODE_USE_VERTEX: %w", err)
+		if cfg.ModelProvider == agenticv1alpha1.GoogleCloudVertexModelProviderAnthropic {
+			if err := setEnvVar(tmpl, "CLAUDE_CODE_USE_VERTEX", "1"); err != nil {
+				return fmt.Errorf("set CLAUDE_CODE_USE_VERTEX: %w", err)
+			}
 		}
 		if err := setEnvVar(tmpl, "GCP_PROJECT", cfg.ProjectID); err != nil {
 			return fmt.Errorf("set GCP_PROJECT: %w", err)
-Original file line number
+Diff line change
@@ Expand Up / @@ -14,7 +14,7 @@ import ( @@
     )
     const (
-    	defaultSandboxTimeout  = 5 * time.Minute
+    	defaultSandboxTimeout   = 5 * time.Minute
     	defaultBaseTemplateName = "lightspeed-agent"
     )
@@ Expand Down @@