Merge branch 'main' into feat/sort-sessions-by-last-activity

Author: EItanya

go/api/httpapi/types.go

@@ -49,17 +49,28 @@ type ModelConfigResource struct {
 	Status v1alpha2.ModelConfigStatus `json:"status,omitempty"`
 }
 
+// SecretMaterial describes a Secret key/value pair to create or update alongside a ModelConfig.
+type SecretMaterial struct {
+	Name  string `json:"name"`
+	Key   string `json:"key"`
+	Value string `json:"value"`
+}
+
 // CreateModelConfigRequest is a thin wrapper: ref + optional inline apiKey + full CRD spec.
 type CreateModelConfigRequest struct {
-	Ref    string                   `json:"ref"`
-	APIKey string                   `json:"apiKey,omitempty"`
-	Spec   v1alpha2.ModelConfigSpec `json:"spec"`
+	Ref string `json:"ref"`
+	// APIKey is an optional inline API key to store in a generated Secret.
+	APIKey string `json:"apiKey,omitempty"`
+	// Secrets are optional companion Secrets to create or update alongside the ModelConfig.
+	Secrets []SecretMaterial         `json:"secrets,omitempty"`
+	Spec    v1alpha2.ModelConfigSpec `json:"spec"`
 }
 
 // UpdateModelConfigRequest is a thin wrapper: optional inline apiKey + full CRD spec.
 type UpdateModelConfigRequest struct {
-	APIKey *string                  `json:"apiKey,omitempty"`
-	Spec   v1alpha2.ModelConfigSpec `json:"spec"`
+	APIKey  *string                  `json:"apiKey,omitempty"`
+	Spec    v1alpha2.ModelConfigSpec `json:"spec"`
+	Secrets []SecretMaterial         `json:"secrets,omitempty"`
 }
 
 // Agent types

go/core/internal/httpserver/handlers/modelconfig.go

@@ -1,8 +1,11 @@
 package handlers
 
 import (
+	"context"
 	"encoding/json"
+	stderrors "errors"
 	"fmt"
+	"maps"
 	"net/http"
 	"strings"
 
@@ -11,9 +14,11 @@ import (
 	"github.com/kagent-dev/kagent/go/core/internal/httpserver/errors"
 	common "github.com/kagent-dev/kagent/go/core/internal/utils"
 	"github.com/kagent-dev/kagent/go/core/pkg/auth"
+	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/validation"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	ctrllog "sigs.k8s.io/controller-runtime/pkg/log"
 )
@@ -133,6 +138,10 @@ func (h *ModelConfigHandler) HandleCreateModelConfig(w ErrorResponseWriter, r *h
 		w.RespondWithError(errors.NewBadRequestError(err.Error(), err))
 		return
 	}
+	if err := validateSecretMaterials(req.Secrets); err != nil {
+		w.RespondWithError(errors.NewBadRequestError(err.Error(), err))
+		return
+	}
 
 	log.V(1).Info("Checking if ModelConfig already exists")
 	existingConfig := &v1alpha2.ModelConfig{}
@@ -181,6 +190,12 @@ func (h *ModelConfigHandler) HandleCreateModelConfig(w ErrorResponseWriter, r *h
 		}
 	}
 
+	if err := createOrUpdateCompanionSecrets(r.Context(), h.KubeClient, modelConfig, req.Secrets); err != nil {
+		log.Error(err, "Failed to create or update companion secrets")
+		w.RespondWithError(companionSecretAPIError(err))
+		return
+	}
+
 	log.Info("Successfully created ModelConfig", "ref", modelConfigRef)
 	RespondWithJSON(w, http.StatusCreated, api.NewResponse(modelConfigResource(modelConfig), "Successfully created ModelConfig", false))
 }
@@ -221,6 +236,10 @@ func (h *ModelConfigHandler) HandleUpdateModelConfig(w ErrorResponseWriter, r *h
 		w.RespondWithError(errors.NewBadRequestError(err.Error(), err))
 		return
 	}
+	if err := validateSecretMaterials(req.Secrets); err != nil {
+		w.RespondWithError(errors.NewBadRequestError(err.Error(), err))
+		return
+	}
 
 	log.V(1).Info("Getting existing ModelConfig")
 	modelConfig := &v1alpha2.ModelConfig{}
@@ -240,6 +259,13 @@ func (h *ModelConfigHandler) HandleUpdateModelConfig(w ErrorResponseWriter, r *h
 		req.Spec.APIKeySecret = configName
 		req.Spec.APIKeySecretKey = fmt.Sprintf("%s_API_KEY", strings.ToUpper(string(req.Spec.Provider)))
 	}
+	modelConfig.Spec = req.Spec
+	if err := h.KubeClient.Update(r.Context(), modelConfig); err != nil {
+		log.Error(err, "Failed to update ModelConfig resource")
+		w.RespondWithError(errors.NewInternalServerError("Failed to update ModelConfig", err))
+		return
+	}
+
 	if req.APIKey != nil && *req.APIKey != "" && req.Spec.Provider != v1alpha2.ModelProviderOllama {
 		log.V(1).Info("Updating API key secret")
 		if err := createOrUpdateSecretWithOwnerReference(
@@ -254,10 +280,9 @@ func (h *ModelConfigHandler) HandleUpdateModelConfig(w ErrorResponseWriter, r *h
 		log.V(1).Info("Successfully updated API key secret")
 	}
 
-	modelConfig.Spec = req.Spec
-	if err := h.KubeClient.Update(r.Context(), modelConfig); err != nil {
-		log.Error(err, "Failed to update ModelConfig resource")
-		w.RespondWithError(errors.NewInternalServerError("Failed to update ModelConfig", err))
+	if err := createOrUpdateCompanionSecrets(r.Context(), h.KubeClient, modelConfig, req.Secrets); err != nil {
+		log.Error(err, "Failed to create or update companion secrets")
+		w.RespondWithError(companionSecretAPIError(err))
 		return
 	}
 
@@ -324,3 +349,108 @@ func validateAPIKeySecretRef(apiKeySecret, apiKeySecretKey string, provider v1al
 	}
 	return nil
 }
+
+func validateSecretMaterials(secrets []api.SecretMaterial) error {
+	for _, secret := range secrets {
+		if errs := validation.IsDNS1123Subdomain(secret.Name); len(errs) > 0 {
+			return fmt.Errorf("invalid secret name %q: %s", secret.Name, strings.Join(errs, "; "))
+		}
+		if errs := validation.IsConfigMapKey(secret.Key); len(errs) > 0 {
+			return fmt.Errorf("invalid key %q for secret %q: %s", secret.Key, secret.Name, strings.Join(errs, "; "))
+		}
+	}
+	return nil
+}
+
+var errInvalidCompanionSecret = stderrors.New("invalid companion secret")
+
+// companionSecretAPIError returns an API error for companion secret validation errors.
+func companionSecretAPIError(err error) *errors.APIError {
+	if stderrors.Is(err, errInvalidCompanionSecret) {
+		return errors.NewBadRequestError(err.Error(), err)
+	}
+	return errors.NewInternalServerError("Failed to create or update companion secrets", err)
+}
+
+func createOrUpdateCompanionSecrets(ctx context.Context, kubeClient client.Client, owner *v1alpha2.ModelConfig, secrets []api.SecretMaterial) error {
+	// Group secrets by name and key.
+	secretsByName := map[string]map[string][]byte{}
+	for _, secret := range secrets {
+		if _, ok := secretsByName[secret.Name]; !ok {
+			secretsByName[secret.Name] = map[string][]byte{}
+		}
+		secretsByName[secret.Name][secret.Key] = []byte(secret.Value)
+	}
+
+	namespace := owner.GetNamespace()
+	for name, data := range secretsByName {
+		existingSecret := &corev1.Secret{}
+		// Get the existing secret by name and namespace.
+		err := kubeClient.Get(ctx, client.ObjectKey{Namespace: namespace, Name: name}, existingSecret)
+		if err != nil {
+			if !apierrors.IsNotFound(err) {
+				return fmt.Errorf("failed to get companion secret %s/%s: %w", namespace, name, err)
+			}
+
+			// Create the secret if it doesn't exist.
+			secret := &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:            name,
+					Namespace:       namespace,
+					OwnerReferences: []metav1.OwnerReference{modelConfigOwnerReference(owner)},
+				},
+				Type: corev1.SecretTypeOpaque,
+				Data: data,
+			}
+			if err := kubeClient.Create(ctx, secret); err != nil {
+				return fmt.Errorf("failed to create companion secret %s/%s: %w", namespace, name, err)
+			}
+			continue
+		}
+
+		if existingSecret.Type != corev1.SecretTypeOpaque {
+			return fmt.Errorf("%w: companion secret %s/%s must be type %q, got %q", errInvalidCompanionSecret, namespace, name, corev1.SecretTypeOpaque, existingSecret.Type)
+		}
+		if !isOwnedByModelConfig(existingSecret, owner) {
+			return fmt.Errorf("%w: companion secret %s/%s is not managed by ModelConfig %s/%s", errInvalidCompanionSecret, namespace, name, owner.GetNamespace(), owner.GetName())
+		}
+
+		if existingSecret.Data == nil {
+			existingSecret.Data = map[string][]byte{}
+		}
+		maps.Copy(existingSecret.Data, data)
+		if err := kubeClient.Update(ctx, existingSecret); err != nil {
+			return fmt.Errorf("failed to update companion secret %s/%s: %w", namespace, name, err)
+		}
+	}
+
+	return nil
+}
+
+// modelConfigOwnerReference returns the owner reference for the model config.
+func modelConfigOwnerReference(owner *v1alpha2.ModelConfig) metav1.OwnerReference {
+	controller := true
+	return metav1.OwnerReference{
+		APIVersion: v1alpha2.GroupVersion.Identifier(),
+		Kind:       "ModelConfig",
+		Name:       owner.GetName(),
+		UID:        owner.GetUID(),
+		Controller: &controller,
+	}
+}
+
+// isOwnedByModelConfig checks if the secret is owned by the model config.
+func isOwnedByModelConfig(secret *corev1.Secret, owner *v1alpha2.ModelConfig) bool {
+	for _, ownerRef := range secret.GetOwnerReferences() {
+		if ownerRef.APIVersion != v1alpha2.GroupVersion.Identifier() ||
+			ownerRef.Kind != "ModelConfig" ||
+			ownerRef.Name != owner.GetName() {
+			continue
+		}
+		if owner.GetUID() != "" && ownerRef.UID != owner.GetUID() {
+			continue
+		}
+		return true
+	}
+	return false
+}