Skip to content

refactor: consolidate platform-credentials on token-exchange/store#90

Merged
robertodauria merged 2 commits intomainfrom
sandbox-roberto-consolidate
Jan 27, 2026
Merged

refactor: consolidate platform-credentials on token-exchange/store#90
robertodauria merged 2 commits intomainfrom
sandbox-roberto-consolidate

Conversation

@robertodauria
Copy link
Contributor

@robertodauria robertodauria commented Jan 27, 2026
edited
Loading

Summary

  • Use token-exchange/store.AutojoinManager in main service (fixes namespace mismatch: was "autojoin", now "platform-credentials")
  • Remove duplicated internal/adminx/datastore.go (now uses token-exchange/store)
  • Remove dead code: internal/adminx/apikeys.go (unused GCP API Keys system)
  • Remove dead code: internal/adminx/keysiface/keys.go

Context

The platform-credentials system evolved organically, creating inconsistencies:

  • orgadm was already using token-exchange/store with namespace "platform-credentials"
  • The main autojoin service was using a local internal/adminx/datastore.go with namespace "autojoin"

This PR consolidates both to use token-exchange/store with the correct "platform-credentials" namespace.

This change is Reviewable

@robertodauria
refactor: consolidate platform-credentials on token-exchange/store
d18c23a 
- Use token-exchange/store.AutojoinManager in main service (fixes
  namespace mismatch: was "autojoin", now "platform-credentials")
- Remove duplicated internal/adminx/datastore.go (now uses token-exchange/store)
- Remove dead code: internal/adminx/apikeys.go (unused GCP API Keys system)
- Remove dead code: internal/adminx/keysiface/keys.go
@coveralls
Copy link
Collaborator

coveralls commented Jan 27, 2026
edited
Loading

Pull Request Test Coverage Report for Build 21392512518

Details

  • 0 of 10 (0.0%) changed or added relevant lines in 1 file are covered.
  • 9 unchanged lines in 1 file lost coverage.
  • Overall coverage increased (+1.6%) to 72.177%
Changes Missing Coverage Covered Lines Changed/Added Lines %
main.go 0 10 0.0%
Files with Coverage Reduction New Missed Lines %
internal/adminx/namer.go 9 70.0%
Totals Coverage Status
Change from base Build 21389054675: 1.6%
Covered Lines: 1253
Relevant Lines: 1736
💛 - Coveralls

bassosimone
bassosimone approved these changes Jan 27, 2026
View reviewed changes
Copy link
Collaborator

@bassosimone bassosimone left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please, make sure the datastore entities in autojoin and the entities in platform-credentials are equal before merging this pull request 🙏.

Motivation for the ask: in this PR and in #88, we are basically moving m-lab/autojoin away from the autojoin namespace.

Otherwise, trying to consolidate code that looks similar and should probably not be separated seems good to me. On this note, please, make sure that the commit you merge contains context about the overall plan that we're executing here (we're not using issues and commits are part of the repository history much more integrally than issues anyway, so it's probably good to have good documentation of the why).

@robertodauria
feat: add credentials-project flag for cross-project Datastore access
90a151f 
Add -credentials-project flag to allow autojoin to read credentials
from a different GCP project (mlab-oti) than where it runs (mlab-autojoin).
This enables both authentication flows (direct API key and JWT via
token-exchange) to use the same credential store in platform-credentials
namespace.
@robertodauria
Copy link
Contributor Author

robertodauria commented Jan 27, 2026

All the datastore entites in autojoin have been migrated to platform-credentials.

I have added another small but important piece: the ability to read credentials from adifferent project (-credentials-project). This way, we can really consolidate: the autojoin service verifies legacy API keys against mlab-oti.platform-credentials. When the JWT flow is used, token-exchange verifies API keys against the same datastore namespace, which becomes the only source of truth.

@robertodauria robertodauria merged commit 527619f into main Jan 27, 2026
8 checks passed
@robertodauria robertodauria deleted the sandbox-roberto-consolidate branch January 27, 2026 10:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bassosimone bassosimone bassosimone approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@robertodauria @coveralls @bassosimone