feat: updated the auth-proposal to reflect the actual implementation #402
mahil-2040 wants to merge 1 commit into
Conversation
Code Review
This pull request updates the authentication design proposal (docs/design/auth-proposal.md) to align with the actual implementation. Key changes include excluding ephemeral PicoD sandbox pods from the mTLS mesh to avoid bootstrap latency, replacing OAuth 2.0 Token Exchange with Router-signed lightweight identity JWTs for user identity propagation, introducing a dynamic CertWatcher for zero-downtime certificate rotation, and making the OIDC integration provider-agnostic. The review feedback points out a discrepancy in the NewOIDCValidator code snippet within the design document and suggests updating it to match the actual production code.
Codecov Report
✅ All modified and coverable lines are covered by tests.

@@ Coverage Diff @@
##             main     #402       +/-   ##
===========================================
+ Coverage   47.57%   58.66%   +11.09%
===========================================
  Files          30       37        +7
  Lines        2819     3491      +672
===========================================
+ Hits         1341     2048      +707
+ Misses       1338     1234      -104
- Partials      140      209       +69
Signed-off-by: Mahil Patel <mahilpatel0808@gmail.com>
What type of PR is this?
/kind documentation
What this PR does / why we need it:
This PR updates the authentication and authorization design proposal (docs/design/auth-proposal.md) to reflect the actual, shipped production implementation.

Key updates include:
- Router <-> WorkloadManager control-plane channel only. PicoD sandboxes are documented as using the HTTP + Router-signed JWT mechanism.
- agentcube-system references with agentcube.
- OIDCValidator configurations using the coreos/go-oidc/v3 library.
- Authorization (Kubernetes ServiceAccount token + X-AgentCube-User-Identity Router-signed JWT).
- agentcube.io/owner annotations and SHA-256 hashed labels, omitting unimplemented group-based isolation.

Which issue(s) this PR fixes:
Fixes #243
Special notes for your reviewer:
Does this PR introduce a user-facing change?: