Skip to content

feat: provision CLI data-plane service key#23

Closed
tkkhq wants to merge 1 commit into
mainfrom
ted/cli-data-plane-service-key
Closed

feat: provision CLI data-plane service key#23
tkkhq wants to merge 1 commit into
mainfrom
ted/cli-data-plane-service-key

Conversation

@tkkhq

@tkkhq tkkhq commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Summary

  • add service-key API helpers and a data-plane credential service that reuses or creates the reserved volcano-cli-data-plane key
  • wire cloud storage object commands and function invoke to use that key for data-plane routes
  • add tests for reuse, create-on-missing, race reload, and cloud command auth headers

Tests

  • go test ./...

Note

  • This uses the current service-key API, so the reserved key still has existing service-role semantics until scoped service keys are added server-side.

Copilot AI review requested due to automatic review settings July 2, 2026 19:32
@tkkhq tkkhq requested a review from a team as a code owner July 2, 2026 19:32

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a data-plane service-key provisioning path and integrates it into cloud commands so function invoke and storage object routes can authenticate with a reserved per-project key (volcano-cli-data-plane) when the platform token cannot access runtime/data-plane routes directly.

Changes:

  • Introduces a new internal/dataplane service that finds/creates the reserved project service key and returns its plaintext token.
  • Adds a configurable token-provider hook for function invoke workflows and wires cloud functions invoke to use the data-plane service key.
  • Adds API helpers and tests covering service-key reuse/create/conflict-reload and verifying cloud command auth headers.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
internal/function/function.go Adds invoke token provider plumbing and routes invoke auth through a configurable token source.
internal/dataplane/service_key.go Implements service-key lookup/create logic for the reserved data-plane key.
internal/dataplane/service_key_test.go Tests service-key reuse, create-on-missing, and conflict reload behavior.
internal/cmd/functions/invoke.go Allows passing function service options into functions invoke.
internal/cmd/functions/functions.go Adds command-level options to wire invoke token providers down to the function service.
internal/cmd/cloud/cloud.go Wires cloud storage object commands and cloud function invoke to use the data-plane service key.
internal/cmd/cloud/cloud_test.go Verifies cloud storage object and function invoke commands send Authorization headers with the CLI service key.
internal/api/service_keys.go Adds service-key API client helpers (list/create/get).

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines +283 to +286
if s.invokeTokenProvider != nil {
return s.invokeTokenProvider(ctx, project)
}
return project.Config.FunctionInvokeToken(), nil
@tkkhq

tkkhq commented Jul 2, 2026

Copy link
Copy Markdown
Contributor Author

Folded into #25 (provision + least-privilege scope in one PR; #25 now targets main and includes this commit).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants