feat(providersv2): inject static auth headers from v2 provider profiles#1891
feat(providersv2): inject static auth headers from v2 provider profiles#1891Cali0707 wants to merge 6 commits into
Conversation
PR Review StatusValidation: This PR is project-valid because it implements profile-driven credential injection work called out in roadmap issue #896, and the operator confirmed profile injection plus placeholder rewrite may be handled in the same request when they do not operate on the same credential. Review findings:
Suggested tests:
Docs: missing for a direct provider-v2 behavior change. Next state: |
BlockedGator is blocked because this PR currently has merge conflicts with Next action: @Cali0707, please rebase or merge the latest |
00f1bfd to
b96f329
Compare
Re-check After Author UpdateI re-evaluated latest head Disposition: partially resolved. Resolved from the previous gator review:
Remaining items:
I am moving this back to Next state: |
PR Review StatusValidation: This PR remains project-valid because it implements profile-driven credential injection work from roadmap issue #896 under the operator constraint that profile injection and placeholder rewrite may operate on the same request only when they are not targeting the same credential/header. Review findings:
Docs: Next state: |
b96f329 to
033803b
Compare
Re-check After Author UpdateI re-evaluated latest head Disposition: partially resolved. Resolved from the previous gator review:
Remaining items:
I am keeping this in Next state: |
033803b to
d18c6f0
Compare
Re-check After Author UpdateI re-evaluated latest head Disposition: partially resolved. Resolved from the previous gator review:
Remaining items:
I am keeping this in Next state: |
d18c6f0 to
0439907
Compare
Re-check After Author UpdateI re-evaluated latest head Disposition: partially resolved. Resolved from the previous gator review:
Remaining items:
I am keeping this in Next state: |
0439907 to
3c91a31
Compare
Re-check After Author UpdateI re-evaluated latest head Disposition: resolved. Resolved from the previous gator review:
Remaining items:
Docs: E2E: applying Next state: |
|
/ok to test 3c91a31 |
|
Label |
Re-check After CI FailureI re-checked head Disposition: author action required. Findings:
Next action: @Cali0707, please run Rust formatting and push the formatted update. Gator will re-check review status and CI on the new head. Next state: |
Re-check After Author UpdateI re-evaluated latest head Disposition: resolved for pipeline watch. Resolved from the previous gator review:
Remaining items:
Docs: E2E: Next state: |
|
/ok to test 2ab0da7 |
|
Looks like the e2e flake is still present - I think #1968 may be what is needed |
|
Yes that PR looks good although I left one piece of feedback. |
2ab0da7 to
7f6decf
Compare
PR Review StatusValidation: This PR remains project-valid because it implements provider-v2 profile-driven static credential injection work from roadmap issue #896, under the gate constraint that profile injection and placeholder rewrite must fail closed when they target the same credential/header. Review findings:
Resolved from the previous gator review:
Docs: E2E: Next state: |
Signed-off-by: Calum Murray <cmurray@redhat.com>
Signed-off-by: Calum Murray <cmurray@redhat.com>
…ntial validation Signed-off-by: Calum Murray <cmurray@redhat.com>
…gnostic wording Signed-off-by: Calum Murray <cmurray@redhat.com>
Signed-off-by: Calum Murray <cmurray@redhat.com>
Signed-off-by: Calum Murray <cmurray@redhat.com> Signed-off-by: John Myers <9696606+johntmyers@users.noreply.github.com>
6609467 to
515c495
Compare
|
/ok to test 515c495 |
|
Addressed the latest Gator finding in 515c495 after rebasing onto current main. The provider-v2 E2E coverage now verifies:
Local pre-commit and focused Docker E2E passed, and the full required Branch Checks and E2E workflows are green. |
|
@johntmyers thanks for the rebase! Sorry this PR is taking so long 😓 |
Re-check After Maintainer UpdateThanks @johntmyers. I checked your July 9 update for head Disposition: partially resolved. The prior missing-E2E blocker is resolved, but the independent code review found two new blocking credential-routing issues:
Non-blocking follow-up from the review:
Docs: E2E: Next state: |
|
Given the findings above, I worry that the overall approach that was outlined in #896 is a bit too fragile and risky. I'd like to first get Providers v2 as the default Provider system and complete the Proxy refactor then re-visit this approach, if we still even need it. While the env placeholders introduce other issues (such as not being able to dynamically update the env of an already running process), it at least gets us a better guarantee about which credentials get injected when. Relying only on the provider profile bypasses that and there are clearly some risks to it. I'm going to close this PR for now and we can re-visit later on. |
Monitoring CompleteMonitoring is complete because this PR has been closed without merge. Final status: the PR closed at head I removed the active |
Summary
This PR enables injection of static provider credentials that are auth headers when
providers_v2_enabledis set. It extends the existing token grant injection path to resolve and inject bearer/header credentials from provider profiles, without requiring child-env placeholder resolution.Related Issue
Part of #896
Changes
dynamic_credentialsbehindproviders_v2_enabledin the serverinject_if_neededto handle static credentials as well as the existing token grant pathTesting
mise run pre-commitpassesChecklist