add spiffe to web-ng #2659

Merged
mfreeman451 merged 15 commits from refs/pull/2659/head into staging 2026-01-14 03:39:34 +00:00
mfreeman451 commented 2026-01-13 06:27:08 +00:00 (Migrated from github.com)
Owner

Imported from GitHub pull request.

Original GitHub pull request: #2276
Original author: @mfreeman451
Original URL: https://github.com/carverauto/serviceradar/pull/2276
Original created: 2026-01-13T06:27:08Z
Original updated: 2026-01-14T03:39:43Z
Original head: carverauto/serviceradar:update/spiffe-web-ng
Original base: staging
Original merged: 2026-01-14T03:39:34Z by @mfreeman451

User description

IMPORTANT: Please sign the Developer Certificate of Origin

Thank you for your contribution to ServiceRadar. Please note, when contributing, the developer must include
a DCO sign-off statement indicating the DCO acceptance in one commit message. Here
is an example DCO Signed-off-by line in a commit message:

Signed-off-by: J. Doe <j.doe@domain.com>

Describe your changes

Code checklist before requesting a review

  • I have signed the DCO?
  • The build completes without errors?
  • All tests are passing when running make test?

PR Type

Enhancement, Documentation


Description

  • Add SPIFFE support for web-ng datasvc connections in Kubernetes

  • Deploy serviceradar-agent-gateway via Helm with tenant-CA mTLS

  • Enable environment-driven mode selection for SPIFFE vs file-based mTLS

  • Define requirements and migration plan for idempotent Helm installs


Diagram Walkthrough

```mermaid
flowchart LR
  A["web-ng"] -->|"SPIFFE SVID or file-based mTLS"| B["datasvc"]
  C["edge agents"] -->|"tenant-CA mTLS"| D["agent-gateway"]
  D -->|"ERTS cluster wiring"| E["core services"]
  F["Helm values"] -->|"env-driven config"| A
  F -->|"optional deployment"| D
```

File Walkthrough

Relevant files
Documentation
design.md
Design document for SPIFFE web-ng integration                       

openspec/changes/add-spiffe-web-ng-agent-gateway/design.md

  • Establishes context for SPIFFE/SPIRE adoption in demo-staging Helm
    installs
  • Defines goals to enable web-ng SPIFFE connectivity while preserving
    file-based mTLS backward compatibility
  • Documents decisions on env-driven mode selection and optional
    agent-gateway deployment
  • Outlines risks, mitigations, and migration plan for implementation
+36/-0   
proposal.md
Proposal for SPIFFE web-ng and agent-gateway support         

openspec/changes/add-spiffe-web-ng-agent-gateway/proposal.md

  • Summarizes motivation for SPIFFE support in web-ng and agent-gateway
    deployment
  • Describes changes to gRPC configuration and Helm chart templates
  • Identifies affected specs and code components
+13/-0   
spec.md
Edge architecture spec for SPIFFE and agent-gateway           

openspec/changes/add-spiffe-web-ng-agent-gateway/specs/edge-architecture/spec.md

  • Adds requirement for platform SPIFFE mTLS support in internal gRPC
    services
  • Defines scenarios for SPIFFE-enabled and file-based mTLS fallback
    modes
  • Specifies Helm deployment requirements for agent-gateway with
    tenant-CA mTLS
  • Documents edge mTLS validation and rejection scenarios for unknown CAs
+50/-0   
tasks.md
Implementation tasks for SPIFFE web-ng integration             

openspec/changes/add-spiffe-web-ng-agent-gateway/tasks.md

  • Defines implementation tasks for SPIFFE-aware datasvc client in web-ng
  • Specifies Helm values wiring and agent-gateway deployment
    configuration
  • Includes validation and documentation tasks for the feature
+7/-0     

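The description above lists "environment-driven mode selection for SPIFFE vs file-based mTLS" and the design document flags inconsistent env vars as a risk. The following is an added example, not code from the ServiceRadar repository or from this PR: it shows, in Go with only the standard library (no go-spiffe, and no assumption about which language web-ng is actually written in), how a client can pick a mode from two hypothetical env values (`DATASVC_SPIFFE_ID`, `DATASVC_TLS_CERT`), fail closed when both or neither are set, and, in SPIFFE mode, authorize the datasvc peer by the SPIFFE ID in its URI SAN rather than by DNS name. The trust domain `example.org` and the service paths are placeholders; `NewTestSVID` mints self-signed certificates purely so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// TLSMode is the connection mode web-ng would pick for datasvc.
type TLSMode int
const (
	ModeUnset  TLSMode = iota
	ModeSPIFFE         // identity from a SPIRE-issued X.509 SVID
	ModeFile           // identity from mounted cert/key/CA files
)

// SelectMode decides the mode from two environment values (the names
// DATASVC_SPIFFE_ID and DATASVC_TLS_CERT are hypothetical, not the project's).
// It fails closed when both or neither are set, the "inconsistent envs" risk in design.md.
func SelectMode(spiffeID, certPath string) (TLSMode, error) {
	switch {
	case spiffeID != "" && certPath != "":
		return ModeUnset, fmt.Errorf("both SPIFFE and file-based mTLS configured; refusing ambiguous config")
	case spiffeID != "":
		return ModeSPIFFE, nil
	case certPath != "":
		return ModeFile, nil
	default:
		return ModeUnset, fmt.Errorf("no mTLS mode configured")
	}
}

// VerifySPIFFEID requires exactly one URI SAN equal to the expected SPIFFE ID:
// in SPIFFE mode the client authorizes the server by identity, not DNS name.
func VerifySPIFFEID(leaf *x509.Certificate, expected string) error {
	want, err := url.Parse(expected)
	if err != nil || want.Scheme != "spiffe" {
		return fmt.Errorf("invalid expected SPIFFE ID %q", expected)
	}
	if len(leaf.URIs) != 1 {
		return fmt.Errorf("expected exactly one URI SAN, got %d", len(leaf.URIs))
	}
	if got := leaf.URIs[0].String(); got != want.String() {
		return fmt.Errorf("peer SPIFFE ID %q does not match %q", got, expected)
	}
	return nil
}

// CheckPeer has the shape of tls.Config.VerifyPeerCertificate; chain validation
// against the SPIRE trust bundle stays with the standard verifier (RootCAs).
func CheckPeer(expected string) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return fmt.Errorf("no peer certificate presented")
		}
		leaf, err := x509.ParseCertificate(rawCerts[0])
		if err != nil {
			return err
		}
		return VerifySPIFFEID(leaf, expected)
	}
}

// NewTestSVID mints a self-signed certificate carrying the given SPIFFE ID as a
// URI SAN. Constructed for this example only; real SVIDs are issued by SPIRE.
func NewTestSVID(id string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	u, err := url.Parse(id)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		URIs:         []*url.URL{u},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	const datasvcID = "spiffe://example.org/ns/serviceradar/sa/datasvc" // constructed sample ID
	mode, err := SelectMode(datasvcID, "")
	good, _ := NewTestSVID(datasvcID)
	other, _ := NewTestSVID("spiffe://example.org/ns/serviceradar/sa/web-ng")
	fmt.Println(mode, err, CheckPeer(datasvcID)([][]byte{good.Raw}, nil), CheckPeer(datasvcID)([][]byte{other.Raw}, nil))
}
```

In a real client `CheckPeer` would be installed as `VerifyPeerCertificate` on a `tls.Config` whose `RootCAs` holds the SPIRE trust bundle, while the file-based branch would load the mounted cert, key and CA instead; the point of `SelectMode` is that a release whose values set both, or neither, is rejected at startup rather than silently connecting with whichever branch happens to win.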
qodo-code-review[bot] commented 2026-01-13 06:27:36 +00:00 (Migrated from github.com)
Author
Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/2276#issuecomment-3742229739
Original created: 2026-01-13T06:27:36Z

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
🟢
No security concerns identified: No security vulnerabilities detected by AI analysis. Human verification advised for critical code.
Ticket Compliance
🎫 No ticket provided
  • Create ticket/issue
Codebase Duplication Compliance
Codebase context is not defined

Follow the guide to enable codebase context checks.

Custom Compliance
🟢
Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Compliance status legend
🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label
qodo-code-review[bot] commented 2026-01-13 06:28:33 +00:00 (Migrated from github.com)
Author
Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/2276#issuecomment-3742233495
Original created: 2026-01-13T06:28:33Z

PR Code Suggestions

Explore these optional code suggestions:

Category | Suggestion | Impact
General
Reconsider blanket exclusion of SPIFFE

Reconsider the decision to completely exclude agent-gateway from using SPIFFE. A
more flexible approach would be to use tenant-CA mTLS for edge-facing interfaces
while allowing SPIFFE for internal communications to maintain architectural
consistency.

openspec/changes/add-spiffe-web-ng-agent-gateway/design.md [20-21]

-- Decision: web-ng uses SPIFFE for in-cluster gRPC to datasvc; agent-gateway uses tenant-CA mTLS for edge gRPC and ERTS for core connectivity (no SPIFFE on gateway).
-  - Rationale: SPIFFE SVIDs would conflict with tenant-CA validation on the gateway and are not needed for its current responsibilities.
+- Decision: web-ng uses SPIFFE for in-cluster gRPC to datasvc; agent-gateway uses tenant-CA mTLS for edge gRPC and ERTS for core connectivity.
+  - Rationale: The agent-gateway's edge-facing endpoint must validate tenant-issued certificates, so it will not use SPIFFE for that interface. For internal communications, SPIFFE identity may be adopted in the future to align with other platform services, but is not required for its current responsibilities.
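Review bot: the revised Decision line drops the explicit "(no SPIFFE on gateway)" constraint while the new Rationale says SPIFFE "may be adopted in the future" for internal communications, which leaves the gateway's trust configuration underspecified. If the gateway ever holds both a tenant-CA trust store and a SPIRE trust bundle, the spec should state that each listener validates against exactly one of them (edge gRPC against the tenant CA only, any internal endpoint against the SPIFFE bundle only), so a certificate from one trust domain is never accepted on the other listener. Suggest keeping the constraint in the Decision line and recording the internal-SPIFFE option as an explicit non-goal for this change, e.g. "... and ERTS for core connectivity; SPIFFE on the gateway is out of scope for this change."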
Suggestion importance [1-10]: 8

Why: This is a high-value architectural suggestion that challenges a core design decision. It correctly points out that a blanket exclusion of SPIFFE for the agent-gateway could lead to future architectural inconsistency and suggests a more flexible, forward-looking approach that aligns with the overall goal of SPIFFE adoption.

Impact: Medium
Use Helm schema validation for robustness

Instead of relying on comments for Helm value validation, use a
values.schema.json file to enforce types, constraints, and defaults, preventing
misconfigurations.

openspec/changes/add-spiffe-web-ng-agent-gateway/design.md [24-25]

 - Risk: Mixed TLS modes (SPIFFE vs file-based) could misconfigure services if envs are inconsistent.
-  - Mitigation: Provide explicit Helm defaults and validation in values comments.
+  - Mitigation: Provide explicit Helm defaults and enforce configuration validation using a `values.schema.json` file.
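Review bot: a values.schema.json enforces types and can enumerate the allowed mode values, but the risk on the context line is inconsistency across services' env vars, which a per-value schema cannot see. Suggest the mitigation also name a chart-level check: derive every service's TLS env from a single top-level mode value, and add a template guard (Helm's `fail` function) that rejects a release where the SPIFFE mode is selected but file-based cert paths are still set, or vice versa. The schema then covers shape, the template guard covers the cross-field invariant, and a misconfigured install fails at render time rather than at first connection.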
Suggestion importance [1-10]: 7

Why: The suggestion correctly identifies that "validation in values comments" is a weak mitigation for the identified risk. Proposing the use of a values.schema.json file is a best-practice, robust solution that significantly improves the quality and reliability of the proposed Helm chart implementation.

Impact: Medium
Reference
carverauto/serviceradar!2659