Add AuditTokenRequest extended API #645

Merged: tamalsaha merged 8 commits into master from feat-natscredentialrequest, Jun 4, 2026

@tamalsaha

Contributor

Summary

  • New API type NatsCredentialRequest under identity.k8s.appscode.com/v1alpha1, modelled on InboxTokenRequest (create-only, cluster-scoped, request + response).
  • Adds GetNatsCredential method to the b3 client in pkg/identity — it POSTs to the appscode.com api/v1/register endpoint and returns subject/server/credential.
  • Generates the matching deepcopy, openapi, typed clientset, and fake-client glue.

Motivation

The audit library (go.bytebuilders.dev/audit) currently calls appscode.com/api/v1/register directly from inside every controller it's vendored into to obtain its NATS credential. In disconnected clusters this fails. Wrapping the call in an extended API lets the in-cluster ui-server proxy the registration so individual controllers don't need their own egress path.

Test plan

  • go build ./...
  • go vet ./...
  • downstream ui-server PR compiles against this branch (replace directive)

kodiakhq[bot]
kodiakhq Bot previously approved these changes Jun 4, 2026
tamalsaha added 7 commits June 4, 2026 11:00

Adds a NatsCredentialRequest resource under identity.k8s.appscode.com that
wraps the appscode.com Register endpoint, so in-cluster callers (e.g. the
audit lib) can obtain NATS credentials via the Kubernetes API server when
direct egress to appscode.com is blocked. Includes the deepcopy / openapi /
clientset / fake-client glue and a GetNatsCredential method on the
identity b3 client used by the extended API storage in ui-server.

Signed-off-by: Tamal Saha <tamal@appscode.com>

Lets callers that already know the cluster UID hit the register endpoint
without needing a controller-runtime client. The existing
GetNatsCredential now resolves the cluster identity via c.kc and delegates.

Signed-off-by: Tamal Saha <tamal@appscode.com>

Only the UID is needed; reading clustermeta.ClusterMetadata directly avoids
building (and discarding) the ClusterIdentity object.

Signed-off-by: Tamal Saha <tamal@appscode.com>

It no longer needed any of *Client's state once the caller supplies the
cluster UID. Pulling baseURL, token, and *http.Client into the signature
keeps callers like ui-server able to customise the hub endpoint without
forcing audit (and similar one-shot callers) to construct a Client.

Signed-off-by: Tamal Saha <tamal@appscode.com>

This reverts commit 6cc95eb.

Signed-off-by: Tamal Saha <tamal@appscode.com>

A zero-arg constructor for the common case of "talk to the production
appscode.com endpoint, no auth, no kc" — used by audit's
registerWithAppsCode now that the explicit nil/empty args were getting
noisy.

Signed-off-by: Tamal Saha <tamal@appscode.com>

Renames the extended-API kind, the typed clientset, the fake client, the
b3 helper methods (GetAuditToken / GetAuditTokenForCluster) and the
internal register payload struct. JSON tags on the response (natsSubject,
natsServer, credential) are unchanged because the appscode.com wire format
hasn't moved.

Signed-off-by: Tamal Saha <tamal@appscode.com>

tamalsaha force-pushed the feat-natscredentialrequest branch from 08324e3 to 505ea46, June 4, 2026 05:00

Signed-off-by: Tamal Saha <tamal@appscode.com>

tamalsaha merged commit ba20b64 into master, Jun 4, 2026
7 checks passed

tamalsaha changed the title from "Add NatsCredentialRequest extended API" to "Add AuditTokenRequest extended API", Jun 4, 2026