feat(admin,organization): add realm claims, rover realm, and refactor TeamApis to ManagedRoutes#400
ron96g wants to merge 6 commits into
… TeamApis to ManagedRoutes

- Add originZone, originStargate (HardcodedClaim) and clientId (SessionNote) claims to the default identity realm so all tokens carry zone-of-origin metadata.
- Create a dedicated "rover" identity realm per zone for internal admin-config clients (InternalIdentityRealm in ZoneStatus).
- Replace ApiConfig/TeamApiConfig with ManagedRouteConfig/ManagedRoutesConfig, introducing a required ManagedRouteType field (TeamAPI or Proxy). TeamAPI routes behave as before (auth, no ACL, team-api realm). Proxy routes are pure passthrough on the default gateway realm.
- Rename ZoneSpec.TeamApis to ManagedRoutes and ZoneStatus.TeamApiRoutes to ManagedRoutes across admin and organization modules.
- Update organization field index to filter on spec.managedRoutes and only match zones with at least one TeamAPI-type route.
- Remove emoji from remoteorganization error messages.
Pull request overview
Adds zone-of-origin identity claims and introduces a new “rover” internal identity realm per zone, while refactoring Zone “Team APIs” into a more general “Managed Routes” model (TeamAPI vs Proxy) across admin + organization modules.
Changes:
- Add default realm claims (originZone, originStargate) and a session-note claim (clientId), plus create a per-zone internal “rover” identity realm.
- Replace TeamApis/TeamApiRoutes with ManagedRoutes (typed as TeamAPI or Proxy) and update indexing/webhooks/tests accordingly.
- Update docs/samples/CRDs/manifests to reflect the new route model and remove emoji from selected error messages.
Reviewed changes
Copilot reviewed 17 out of 18 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| organization/internal/webhook/v1/team_webhook_test.go | Update test Zone spec to use managedRoutes with type: TeamAPI. |
| organization/internal/webhook/v1/mutator/mutate.go | Switch zone lookup to new field index (spec.managedRoutes). |
| organization/internal/team_webhook_reconciler_test.go | Update reconciler test Zone spec to managedRoutes. |
| organization/internal/index/index.go | Rework field index to match zones that contain at least one TeamAPI managed route. |
| organization/internal/handler/util/zone.go | Switch zone lookup to FieldSpecManagedRoutes. |
| organization/internal/controller/team_controller_test.go | Update controller tests to use ManagedRoutes with explicit type. |
| install/overlays/local/resources/admin/zones/dataplane1.example.yaml | Rename teamApis → managedRoutes in example manifest. |
| install/overlays/local/resources/admin/zones/dataplane2.example.yaml | Rename teamApis → managedRoutes in example manifest. |
| admin/README.md | Document managedRoutes types and behaviors (TeamAPI vs Proxy). |
| admin/internal/handler/zone/handler.go | Add default realm claims, create internal “rover” realm, and implement ManagedRoutes reconciliation (TeamAPI realm vs default passthrough). |
| admin/internal/handler/util/urls/urls.go | Update ForRouteDownstream to accept ManagedRouteConfig. |
| admin/internal/handler/util/naming/naming.go | Add internal realm naming helper; update route naming signature for ManagedRouteConfig. |
| admin/internal/handler/remoteorganization/handler.go | Remove emoji from error messages. |
| admin/internal/controller/zone_controller_test.go | Extend zone controller tests to validate new claims and internal realm creation. |
| admin/config/samples/admin_v1_zone.yaml | Update sample Zone to use managedRoutes with type: TeamAPI. |
| admin/config/crd/bases/admin.cp.ei.telekom.de_zones.yaml | CRD schema updates: managed routes, internal identity realm status, managed route refs status. |
| admin/api/v1/zz_generated.deepcopy.go | Regenerate deep-copies for new/removed API types. |
| admin/api/v1/zone_types.go | API types: introduce ManagedRouteType, ManagedRouteConfig, ManagedRoutesConfig, new status fields. |
Files not reviewed (1)
- admin/api/v1/zz_generated.deepcopy.go: Language not supported
Comments suppressed due to low confidence (1)
admin/internal/handler/util/urls/urls.go:50
- The error message still refers to a "team api route path" even though the function now handles all managed routes. Updating the wording will make debugging less confusing.
```go
func ForRouteDownstream(gatewayBaseUrl string, config adminv1.ManagedRouteConfig) (*url.URL, error) {
	raw, err := url.JoinPath(gatewayBaseUrl, config.Path)
	if err != nil {
		return nil, errors.Wrapf(err, "Cannot combine gatewayBaseUrl %s with team api route path %s", gatewayBaseUrl, config.Path)
	}
	// the rest of the function is not shown on the page
```
Replace github.com/pkg/errors with fmt.Errorf and %w to preserve error
chains for upstream classification by ctrlerrors.HandleError.
Kong client:
- Enhance apiError with IsRetryable/IsBlocked/RetryDelay duck-typing
so errors propagate correctly through the controller error handler
- Add 429 Too Many Requests handling with retry delay
- Include HTTP status codes in all error messages for debuggability
- Add IsNotFound helper and comprehensive tests
Secret-manager API:
- Wrap network errors as retryable, 401 as blocked
- Add handleError classifier that distinguishes retryable 4xx (408/429)
from blocked 4xx and retryable 5xx
Also fix consumer handler error message typo ("route" -> "consumer")
and add context to last-mile-security secret resolution errors.
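The classification scheme this commit describes, as an added example that is not the project's own code: an error type that duck-types IsRetryable/IsBlocked/RetryDelay, `%w` wrapping so the chain stays walkable, and a controller-side classifier that probes the chain with `errors.As`. The `apiError` fields, `NewAPIError` and `Classify` are assumed names, not the repository's.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// apiError is a hypothetical stand-in for the Kong client error in the commit (its real
// fields are not on the page); it answers the duck-typed IsRetryable/IsBlocked/RetryDelay.
type apiError struct {
	status     int
	msg        string
	retryAfter time.Duration
}
// The status code goes into every message so wrapped errors stay debuggable.
func (e *apiError) Error() string { return fmt.Sprintf("kong API: HTTP %d: %s", e.status, e.msg) }
// 408 and 429 are the retryable 4xx, every 5xx is retryable, all other 4xx are blocked.
func (e *apiError) IsRetryable() bool         { return e.status == 408 || e.status == 429 || e.status >= 500 }
func (e *apiError) IsBlocked() bool           { return e.status >= 400 && e.status < 500 && !e.IsRetryable() }
func (e *apiError) RetryDelay() time.Duration { return e.retryAfter }
// NewAPIError maps a response status to an error (nil below 400); retryAfter is a 429's delay.
func NewAPIError(status int, msg string, retryAfter time.Duration) error {
	if status < 400 {
		return nil
	}
	return &apiError{status: status, msg: msg, retryAfter: retryAfter}
}
// Classify walks the whole %w chain with errors.As, so a fmt.Errorf("...: %w", err) wrap added by
// a handler keeps the classification reachable; it returns "retryable" (plus delay), "blocked" or "unknown".
func Classify(err error) (string, time.Duration) {
	var r interface{ IsRetryable() bool }
	if errors.As(err, &r) && r.IsRetryable() {
		var d interface{ RetryDelay() time.Duration }
		if errors.As(err, &d) {
			return "retryable", d.RetryDelay()
		}
		return "retryable", 0
	}
	var b interface{ IsBlocked() bool }
	if errors.As(err, &b) && b.IsBlocked() {
		return "blocked", 0
	}
	return "unknown", 0
}

func main() {
	err := fmt.Errorf("reconcile route: %w", NewAPIError(429, "rate limited", 3*time.Second))
	fmt.Println(Classify(err)) // retryable 3s
}
```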
Introduce RouteOverwrite on RealmSpec to allow per-route control of identity routes (issuer, certs, discovery). Each overwrite can disable a route or prepend a custom path prefix to the downstream path.

- Move RouteType enum from handler to gateway API for cross-module use
- CreateRoute returns nil when a route is disabled via overwrite
- Realm handler now cleans up orphaned Route objects via gc.Cleanup
- Add owner index on Route for cleanup lookups
- Handle nil route returns in createRoutes by clearing status fields
When a zone has Visibility=World, populate RouteOverwrites on the gateway realm with /spacegate prefix for issuer, certs, and discovery routes. This keeps the actual IDP unexposed on internet-facing gateways by proxying identity endpoints under a common prefix.

- Enterprise zones get no route overwrites (tested)
- Update Zone CRD: rename routes->realm, drop minItems constraint
- Update existing zone controller tests with expected RouteOverwrites
Label managed routes with the Zone's owner UID and use OwnedByLabel with the JanitorClient to clean up routes that were not created or updated during reconciliation. This handles both the case where routes are modified and where managed routes are removed from the spec entirely. OwnedByLabel is used instead of OwnedBy because routes live in a different namespace than the Zone CR, preventing cross-namespace controller references.