feat: updated the auth-proposal to reflect the actual implementation #402

Open

mahil-2040 wants to merge 1 commit into volcano-sh:main from mahil-2040:feat/update-auth-proposal

Conversation

@mahil-2040 (Contributor)

What type of PR is this?

/kind documentation

What this PR does / why we need it:
This PR updates the authentication and authorization design proposal (docs/design/auth-proposal.md) to reflect the actual, shipped production implementation.
Key updates include:

  • mTLS Scope Reduction: Scoped down mTLS/SPIRE to the Router <-> WorkloadManager control-plane channel only. PicoD sandboxes are documented as using the HTTP + Router-signed JWT mechanism.
  • Namespace Cleanups: Replaced all outdated agentcube-system references with agentcube.
  • OIDC Provider-Agnostic Setup: Renamed Keycloak validator constructs to provider-agnostic OIDCValidator configurations using the coreos/go-oidc/v3 library.
  • Dual-Header Identity Propagation: Replaced the proposed OAuth 2.0 Token Exchange with the actual dual-header pattern (Authorization Kubernetes ServiceAccount token + X-AgentCube-User-Identity Router-signed JWT).
  • Owner-Based RLAC: Updated the resource-level access control section to specify agentcube.io/owner annotations and SHA-256 hashed labels, omitting unimplemented group-based isolation.

Which issue(s) this PR fixes:
Fixes #243

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

NONE
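As an added illustration of the owner-based RLAC and dual-header items described above (example code, not code from the AgentCube project or this PR): the owner identity is SHA-256 hashed into a label-safe value, the hashed label and the plain agentcube.io/owner annotation are cross-checked, and the two headers are set on an outbound request. The label key agentcube.io/owner-hash and the 32-hex-character truncation are assumptions; the Router's JWT signing is not shown.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/http"
	"regexp"
)

// Annotation and header names come from the PR description; the label key and
// the hash encoding are assumptions made for this illustration.
const (
	OwnerAnnotation = "agentcube.io/owner"
	OwnerLabel      = "agentcube.io/owner-hash" // assumed label key
	IdentityHeader  = "X-AgentCube-User-Identity"
)

// Kubernetes label values: at most 63 chars of [A-Za-z0-9._-], alphanumeric at
// both ends. A raw identity such as "alice@example.com" violates this ('@').
var labelValueRE = regexp.MustCompile(`^[A-Za-z0-9]([A-Za-z0-9._-]{0,61}[A-Za-z0-9])?$`)
// ValidLabelValue reports whether v satisfies the Kubernetes label value rules.
func ValidLabelValue(v string) bool { return labelValueRE.MatchString(v) }

// OwnerLabelValue derives a label-safe value by SHA-256 hashing the identity.
// Hex SHA-256 is 64 chars (one over the limit), so the first 32 hex chars
// (128 bits) are kept; the truncation length is an assumption.
func OwnerLabelValue(owner string) string {
	sum := sha256.Sum256([]byte(owner))
	return hex.EncodeToString(sum[:])[:32]
}
// OwnerAllowed: the hashed label is what a label selector can filter on, but
// the plain annotation is the authoritative owner, so both must agree.
func OwnerAllowed(annotations, labels map[string]string, user string) bool {
	return annotations[OwnerAnnotation] == user &&
		labels[OwnerLabel] == OwnerLabelValue(user)
}

// SetIdentityHeaders applies the dual-header pattern: the ServiceAccount token
// authenticates the calling component; the Router-signed JWT carries the user.
func SetIdentityHeaders(req *http.Request, saToken, userJWT string) {
	req.Header.Set("Authorization", "Bearer "+saToken)
	req.Header.Set(IdentityHeader, userJWT)
}

func main() {
	user := "alice@example.com" // constructed sample identity
	lbl := map[string]string{OwnerLabel: OwnerLabelValue(user)}
	fmt.Println(ValidLabelValue(user), OwnerAllowed(map[string]string{OwnerAnnotation: user}, lbl, user))
}
```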

@volcano-sh-bot added the kind/documentation label (Improvements or additions to documentation) on Jun 24, 2026

@volcano-sh-bot (Contributor)

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign hzxuzhonghu for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@gemini-code-assist (Bot) left a comment

Code Review

This pull request updates the authentication design proposal (docs/design/auth-proposal.md) to align with the actual implementation. Key changes include excluding ephemeral PicoD sandbox pods from the mTLS mesh to avoid bootstrap latency, replacing OAuth 2.0 Token Exchange with Router-signed lightweight identity JWTs for user identity propagation, introducing a dynamic CertWatcher for zero-downtime certificate rotation, and making the OIDC integration provider-agnostic. The review feedback points out a discrepancy in the NewOIDCValidator code snippet within the design document and suggests updating it to match the actual production code.


Review comment thread on docs/design/auth-proposal.md (collapsed)

@codecov-commenter commented Jun 24, 2026

⚠️ Please install the Codecov app to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 58.66%. Comparing base (524e55e) to head (6d64566).
⚠️ Report is 146 commits behind head on main.
❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files
@@             Coverage Diff             @@
##             main     #402       +/-   ##
===========================================
+ Coverage   47.57%   58.66%   +11.09%     
===========================================
  Files          30       37        +7     
  Lines        2819     3491      +672     
===========================================
+ Hits         1341     2048      +707     
+ Misses       1338     1234      -104     
- Partials      140      209       +69     
Flag        Coverage Δ
unittests   58.66% <ø> (+11.09%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.


Signed-off-by: Mahil Patel <mahilpatel0808@gmail.com>
@mahil-2040 force-pushed the feat/update-auth-proposal branch from 45af781 to 6d64566 on June 24, 2026 12:02

Labels

kind/documentation (Improvements or additions to documentation), size/L

Development

Successfully merging this pull request may close these issues.

LFX 2026 Term 1 Project - Establishing AgentCube's Authentication and Authorization Capabilities

3 participants