Add Aiven credentials mutations (OpenSearch, Valkey, Kafka) #358

Merged
jhrv merged 5 commits into main from aiven_credentials
Mar 16, 2026

Conversation


@jhrv jhrv commented Mar 13, 2026

Summary

Adds three new GraphQL mutations for creating temporary Aiven service credentials, replacing the broken nais aiven create/get CLI flow (which relied on users having direct K8s access).

  • createOpenSearchCredentials — creates temporary OpenSearch credentials with configurable permission (read/write/readwrite/admin) and TTL
  • createValkeyCredentials — same pattern for Valkey instances
  • createKafkaCredentials — creates temporary Kafka credentials (mTLS certs + broker info)

How it works

Each mutation:

  1. Creates/updates an AivenApplication CRD using the system-authenticated dynamic K8s client
  2. Polls for the resulting Secret (created by Aivenator) with 2s interval / 60s timeout
  3. Extracts and returns credentials from the Secret
  4. Logs an activity log entry capturing who, what service, permission level, and TTL

Files

| File | Purpose |
|---|---|
| internal/graph/schema/aiven_credentials.graphqls | GraphQL schema (3 mutations, enums, input/payload types) |
| internal/persistence/aivencredentials/models.go | Go types matching the GraphQL schema |
| internal/persistence/aivencredentials/queries.go | Business logic (CRD creation, Secret polling, credential extraction) |
| internal/persistence/aivencredentials/activitylog.go | Activity log integration |
| internal/persistence/aivencredentials/dataloader.go | Context injection for dynamic K8s clients |
| internal/graph/aiven_credentials.resolvers.go | Resolver layer (authz + delegation) |
| internal/auth/authz/queries.go | New CanCreateAivenCredentials auth function |
| internal/cmd/api/http.go | Wiring into per-request context |
| .configs/gqlgen.yaml | Autobind for new package |

Part of the Aiven Credentials initiative. CLI side is next.
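The poll-then-extract steps of the flow above, as an added Go example that is not the PR's own code: a hypothetical SecretGetter stands in for the dynamic Kubernetes client, waitForSecret bounds the polling by interval and timeout (the PR uses 2s / 60s), and secretData base64-decodes the Secret's data map while reporting non-string fields instead of dropping them silently.

```go
package main

import (
	"context"
	"encoding/base64"
	"fmt"
	"time"
)

// SecretGetter returns a Secret's raw "data" map, or found=false until Aivenator has created it (hypothetical stand-in for the dynamic client).
type SecretGetter func(ctx context.Context, name string) (map[string]any, bool, error)

// waitForSecret polls get every interval until the Secret exists or timeout elapses, so a failed provisioning cannot hang the request.
func waitForSecret(ctx context.Context, get SecretGetter, name string, interval, timeout time.Duration) (map[string]any, error) {
	ctx, cancel := context.WithTimeout(ctx, timeout)
	defer cancel()
	ticker := time.NewTicker(interval)
	defer ticker.Stop()
	for {
		data, found, err := get(ctx, name)
		if err != nil {
			return nil, fmt.Errorf("get secret %q: %w", name, err)
		}
		if found {
			return data, nil
		}
		select {
		case <-ctx.Done():
			return nil, fmt.Errorf("secret %q not provisioned: %w", name, ctx.Err())
		case <-ticker.C:
		}
	}
}

// secretData base64-decodes each value of the dynamic client's "data" map. Keys whose value
// is not a base64 string are returned in skipped so the caller can log them rather than lose them.
func secretData(raw map[string]any) (map[string]string, []string) {
	out := make(map[string]string, len(raw))
	var skipped []string
	for k, v := range raw {
		s, ok := v.(string)
		if b, err := base64.StdEncoding.DecodeString(s); ok && err == nil {
			out[k] = string(b)
		} else {
			skipped = append(skipped, k)
		}
	}
	return out, skipped
}
```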

Implement three new mutations that create temporary credentials by
managing AivenApplication CRDs and polling for the resulting secrets:
- createOpenSearchCredentials
- createValkeyCredentials
- createKafkaCredentials

Each mutation creates/updates an AivenApplication CRD, waits for the
Aivenator to provision a Secret (60s timeout), and returns the
credentials to the caller. Activity log entries track who created
credentials, for which service, with what permission level and TTL.
- Collapse three Create*Credentials into one parameterized createCredentials()
  with credentialRequest struct carrying buildSpec/extractCreds callbacks
- Delete getSecretField (use map index directly)
- Fix generateAppName dead code (unused name variable)
- Delete KafkaPermission enum from Go code and GraphQL schema
- Fix secretData: log unexpected non-string types instead of silent drop
- Replace logCredentialCreation string params with credentialRequest struct
- Rename loaders/NewLoaderContext to clients/NewClientContext
- Factor TTL validation into single path (parse then validate once)
- Replace init() with explicit Register() called from wiring code
- Add tests for parseTTL, generateSecretName, generateAppName, secretData,
  waitForSecret, and createOrUpdateAivenApplication
- Regenerate gqlgen output
jhrv added 2 commits March 14, 2026 12:49
…e init()

- Base64-decode Kubernetes secret data values (dynamic client returns
  base64-encoded strings in the data field)
- Add migration 0059 to register aiven:credentials:create authorization
  for Team member and Team owner roles
- Use func init() for activity log registration instead of explicit
  Register() call, matching the codebase convention
@jhrv jhrv marked this pull request as ready for review March 16, 2026 08:57
@jhrv jhrv requested a review from a team as a code owner March 16, 2026 08:57

@thokra-nav thokra-nav left a comment

An integration test or two would also have been nice :)

Add Lua integration tests for aiven credentials covering authz (4 tests)
and input validation (3 tests). Fix TTL validation errors to use
apierror.Errorf so they propagate as user-facing GraphQL errors instead
of being swallowed as unhandled server errors.
@jhrv jhrv enabled auto-merge (squash) March 16, 2026 09:40
@jhrv jhrv merged commit a7b2c25 into main Mar 16, 2026
10 checks passed
@jhrv jhrv deleted the aiven_credentials branch March 16, 2026 09:46