Skip to content

refactor(orgadm): use token-exchange/store for API key management#88

Merged
robertodauria merged 1 commit intomainfrom
sandbox-roberto-update-orgadm
Jan 27, 2026
Merged

refactor(orgadm): use token-exchange/store for API key management#88
robertodauria merged 1 commit intomainfrom
sandbox-roberto-update-orgadm

Conversation

@robertodauria
Copy link
Contributor

@robertodauria robertodauria commented Jan 26, 2026
edited
Loading

Replace local Datastore types and API Keys client with the shared
token-exchange/store package. This ensures orgadm uses the correct
namespace ("platform-credentials") for storing API keys, matching
what the token-exchange service expects.

Changes:

  • Remove apikeys client and locateProject flag (no longer needed)
  • Import github.com/m-lab/token-exchange/store
  • Use store.NewAutojoinManager() with namespace "platform-credentials"
  • Use store.GenerateAPIKey() and am.CreateAPIKeyWithValue() directly
  • Remove Keys interface from adminx.Org
  • Update tests accordingly

This change is Reviewable

@robertodauria
refactor(orgadm): use token-exchange/store for API key management
61d067b 
Replace local Datastore types and API Keys client with the shared
token-exchange/store package. This ensures orgadm uses the correct
namespace ("platform-credentials") for storing API keys, matching
what the token-exchange service expects.

Changes:
- Remove apikeys client and locateProject flag (no longer needed)
- Import github.com/m-lab/token-exchange/store
- Use store.NewAutojoinManager() with namespace "platform-credentials"
- Use store.GenerateAPIKey() and am.CreateAPIKeyWithValue() directly
- Remove Keys interface from adminx.Org
- Update tests accordingly
github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 26, 2026
View reviewed changes
@coveralls
Copy link
Collaborator

coveralls commented Jan 26, 2026

Pull Request Test Coverage Report for Build 21377258026

Details

  • 0 of 9 (0.0%) changed or added relevant lines in 1 file are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage increased (+0.4%) to 70.544%
Changes Missing Coverage Covered Lines Changed/Added Lines %
cmd/orgadm/main.go 0 9 0.0%
Totals Coverage Status
Change from base Build 20966623398: 0.4%
Covered Lines: 1322
Relevant Lines: 1874
💛 - Coveralls

nkinkade
nkinkade approved these changes Jan 26, 2026
View reviewed changes
Copy link
Contributor

@nkinkade nkinkade left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@robertodauria robertodauria merged commit 1bf001c into main Jan 27, 2026
8 checks passed
@robertodauria robertodauria deleted the sandbox-roberto-update-orgadm branch January 27, 2026 07:54
@bassosimone bassosimone mentioned this pull request Jan 27, 2026
Merged
robertodauria added a commit that referenced this pull request Jan 27, 2026
@robertodauria
refactor: consolidate platform-credentials on token-exchange/store (#90)
527619f 
Consolidating credential storage under platform-credentials namespace

The autojoin API supports two authentication flows:
  1. Direct API key flow - Client sends API key directly to autojoin for validation
  2. JWT flow - Client obtains JWT from token-exchange service, autojoin validates JWT signature

Previously, these flows used separate Datastore namespaces in different GCP projects:
  - mlab-autojoin / "autojoin" namespace - credentials for direct API key flow
  - mlab-oti / "platform-credentials" namespace - credentials for JWT flow (via token-exchange)

This meant organizations and API keys had to be provisioned in both places.

The consolidation plan:                                                                                                                                                                                                                     
  1. PR #88: Make orgadm tool use token-exchange/store with "platform-credentials" namespace
  2. This PR: Make autojoin service use token-exchange/store with "platform-credentials" namespace
  3. Remove duplicated internal/adminx/datastore.go code

After this, both authentication flows validate credentials against the same "platform-credentials" namespace, providing a single source of truth for organization credentials.

* refactor: consolidate platform-credentials on token-exchange/store

- Use token-exchange/store.AutojoinManager in main service (fixes
  namespace mismatch: was "autojoin", now "platform-credentials")
- Remove duplicated internal/adminx/datastore.go (now uses token-exchange/store)
- Remove dead code: internal/adminx/apikeys.go (unused GCP API Keys system)
- Remove dead code: internal/adminx/keysiface/keys.go

* feat: add credentials-project flag for cross-project Datastore access

Add -credentials-project flag to allow autojoin to read credentials
from a different GCP project (mlab-oti) than where it runs (mlab-autojoin).
This enables both authentication flows (direct API key and JWT via
token-exchange) to use the same credential store in platform-credentials
namespace.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nkinkade nkinkade nkinkade approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@robertodauria @coveralls @nkinkade