openkcm · alienvspredator · May 7, 2026 · May 26, 2026 · May 26, 2026 · May 26, 2026
diff --git a/.golangci.yaml b/.golangci.yaml
@@ -7,6 +7,7 @@ run:
 linters:
   default: all
   disable:
+    - gomodguard # Replaced by gomodguard_v2, enabled by default: all
     - nilerr
     - tagliatelle
     - bodyclose

diff --git a/Makefile b/Makefile
@@ -106,37 +106,41 @@ docker-dev-build:
 .PHONY: codegen
 codegen:
 	go generate ./...
-	go run github.com/sqlc-dev/sqlc/cmd/sqlc@latest generate
+	go tool github.com/sqlc-dev/sqlc/cmd/sqlc generate
 
 .PHONY: clean
 clean:
-	rm -f cover.out cover.html session-manager
-	rm -rf cover/
+	@rm -f cover.out cover.html session-manager
+	@rm -rf cover/
+
+.PHONY: fix-lint
+fix-lint:
+	golangci-lint run --fix --build-tags=integration ./...
 
 .PHONY: lint
 lint:
-	golangci-lint run ./...
+	golangci-lint run --build-tags=integration ./...
 
 .PHONY: build
 build:
 	go build ./cmd/session-manager
 
 .PHONY: test
-test: clean install-gotestsum
+test: clean
 	@mkdir -p cover/integration cover/unit
 	@go clean -testcache
 
-	gotestsum --junitfile="${CURDIR}/junit-unit.xml" --format=testname -- -count=1 -race -cover ./... -args -test.gocoverdir="${CURDIR}/cover/unit"
-	GOCOVERDIR="${CURDIR}/cover/integration" gotestsum --junitfile="${CURDIR}/junit-integration.xml" --format=testname -- -v -count=1 -race -tags=integration ./integration
+	@go tool gotest.tools/gotestsum --junitfile="${CURDIR}/junit-unit.xml" --format=dots-v2 -- -count=1 -race -cover ./... -args -test.gocoverdir="${CURDIR}/cover/unit"
+	@GOCOVERDIR=${CURDIR}/cover/integration go tool gotest.tools/gotestsum --junitfile="${CURDIR}/junit-integration.xml" --format=dots-v2 -- -v -count=1 -race -tags=integration ./integration
 
 	@go tool covdata textfmt -i=./cover/unit,./cover/integration -o cover.out
 	@grep -v 'github.com/openkcm/session-manager/internal/openapi/'         cover.out > cover.tmp && mv cover.tmp cover.out
 	@grep -v 'github.com/openkcm/session-manager/internal/dbtest/'          cover.out > cover.tmp && mv cover.tmp cover.out
-	@grep -v 'github.com/openkcm/session-manager/internal/trust/trustmock/' cover.out > cover.tmp && mv cover.tmp cover.out
+	@grep -v 'github.com/openkcm/session-manager/modules/oidctrust/mocks/'  cover.out > cover.tmp && mv cover.tmp cover.out
 	@grep -v 'github.com/openkcm/session-manager/internal/session/mock/'    cover.out > cover.tmp && mv cover.tmp cover.out
 	@go tool cover -func=cover.out
 
-	@echo "On a Mac, you can use the following command to open the coverage report in the browser\ngo tool cover -html=cover.out -o cover.html && open cover.html"
+	@echo "On a Mac, you can use the following command to open the coverage report in the browser\ngo tool cover -html=cover.out"
 
 .PHONY: helm-test
 helm-test:
@@ -172,10 +176,6 @@ helm-integration-test-run:
 k3d-teardown:
 	k3d cluster delete $(K3D_CLUSTER_NAME)
 
-.PHONY: install-gotestsum
-install-gotestsum:
-	(cd /tmp && go install gotest.tools/gotestsum@latest)
-
 .PHONY: image
 image:
 	docker build -t ${IMG} .
diff --git a/Taskfile.yaml b/Taskfile.yaml
@@ -6,6 +6,6 @@ includes:
         flatten: true
         excludes: [] # put task names in here which are overwritten in this file
         vars:
-            CODE_DIRS: "{{.ROOT_DIR}}/cmd/... {{.ROOT_DIR}}/internal/... {{.ROOT_DIR}}/integration/... {{.ROOT_DIR}}/sql/..."
+            CODE_DIRS: "{{.ROOT_DIR}}/cmd/... {{.ROOT_DIR}}/internal/... {{.ROOT_DIR}}/integration/... {{.ROOT_DIR}} {{.ROOT_DIR}}/modules/..."
             COMPONENTS: session-manager
             REPO_URL: https://github.com/openkcm/session-manager
diff --git a/charts/session-manager/templates/configmap.yaml b/charts/session-manager/templates/configmap.yaml
@@ -43,6 +43,12 @@ data:
     database:
       {{- toYaml .database | nindent 6 }}
 
+    trust:
+      {{- toYaml .trust | nindent 6 }}
+
+    credentials:
+      {{- toYaml .credentials | nindent 6 }}
+
     valkey:
       {{- toYaml .valkey | nindent 6 }}
 
@@ -54,4 +60,7 @@ data:
 
     housekeeper:
       {{- toYaml .housekeeper | nindent 6 }}
+
+    apps:
+      {{- toYaml .apps | nindent 6 }}
     {{- end }}
diff --git a/charts/session-manager/values-dev.yaml b/charts/session-manager/values-dev.yaml
@@ -272,6 +272,7 @@ config:
         enabled: false
 
   database:
+    module: database.module.pgxpool
     name: session_manager
     port: 5432
     host:
@@ -284,7 +285,14 @@ config:
       source: embedded
       value: secret
 
+  trust:
+    module: trust.module.oidc
+
+  credentials:
+    module: credentials.module.oauth2
+
   valkey:
+    module: sessionstore.module.valkey
     host:
       source: embedded
       value: valkey-headless.session-manager.svc.cluster.local:6379
@@ -296,7 +304,7 @@ config:
       value: secret
     prefix: session-manager
     secretRef:
-      type: insecure # Supports "mtls" or "insecure"
+      type: insecure # Supported values: "mtls", "insecure", "client_secret_post"
       # mtls:
       #   cert:
       #     source: embedded
@@ -335,9 +343,18 @@ config:
       value: my-csrf-secret-at-least-thirty-two-bits-size
 
   migrate:
+    module: trust.migration.module.oidc
     source: file:///sql
 
   housekeeper:
     triggerInterval: 10m
     concurrencyLimit: 10
     tokenRefreshTriggerInterval: 15m
+
+  apps:
+    grpc:
+      module: app.module.grpcserver
+      services:
+        - module: service.module.grpc.session
+        - module: service.module.grpc.trustmapping
+        - module: service.module.grpc.oidcmapping
diff --git a/charts/session-manager/values.yaml b/charts/session-manager/values.yaml
@@ -280,6 +280,7 @@ config:
         enabled: false
 
   database:
+    module: database.module.pgxpool
     name: session_manager
     port: 5432
     host:
@@ -292,7 +293,14 @@ config:
       source: embedded
       value: secret
 
+  trust:
+    module: trust.module.oidc
+
+  credentials:
+    module: credentials.module.oauth2
+
   valkey:
+    module: sessionstore.module.valkey
     host:
       source: embedded
       value: host.ns.svc.cluster.local
@@ -304,7 +312,7 @@ config:
       value: secret
     prefix: session-manager
     secretRef:
-      type: insecure # Supports "mtls" or "insecure"
+      type: insecure # Supported values: "mtls", "insecure", "client_secret_post"
       # mtls:
       #   cert:
       #     source: embedded
@@ -348,9 +356,18 @@ config:
       value: my-csrf-secret-at-least-thirty-two-bits-size
 
   migrate:
+    module: trust.migration.module.oidc
     source: file:///sql
 
   housekeeper:
     triggerInterval: 10m
     concurrencyLimit: 10
     tokenRefreshTriggerInterval: 15m
+
+  apps:
+    grpc:
+      module: app.module.grpcserver
+      services:
+        - module: service.module.grpc.session
+        - module: service.module.grpc.trustmapping
+        - module: service.module.grpc.oidcmapping
diff --git a/cmd/session-manager/main.go b/cmd/session-manager/main.go
@@ -1,87 +1,14 @@
 package main
 
 import (
-	"context"
-	"log/slog"
-	"os"
-	"os/signal"
-	"time"
-
-	"github.com/openkcm/common-sdk/pkg/utils"
-	"github.com/spf13/cobra"
-
-	slogctx "github.com/veqryn/slog-context"
-
-	"github.com/openkcm/session-manager/cmd/session-manager/apiserver"
-	"github.com/openkcm/session-manager/cmd/session-manager/housekeeper"
-	"github.com/openkcm/session-manager/cmd/session-manager/migrate"
-)
-
-var (
-	// BuildInfo will be set by the build system
-	BuildInfo = "{}"
-
-	isVersionCmd     bool
-	gracefulShutdown time.Duration
+	"github.com/openkcm/session-manager/cmd/session-manager/maincmd"
+	_ "github.com/openkcm/session-manager/modules/standard"
 )
 
-var versionCmd = &cobra.Command{
-	Use:   "version",
-	Short: "Session Manager Version",
-	RunE: func(cmd *cobra.Command, _ []string) error {
-		isVersionCmd = true
-
-		value, err := utils.ExtractFromComplexValue(BuildInfo)
-		if err != nil {
-			return err
-		}
-
-		slog.InfoContext(cmd.Context(), value)
-
-		return nil
-	},
-}
-
-func rootCmd() *cobra.Command {
-	cmd := &cobra.Command{
-		Use:   "session-manager",
-		Short: "Session Manager",
-		Long:  "KCM Session Manager, implementing the OIDC authorization code flow.",
-	}
-
-	cmd.PersistentFlags().DurationVar(&gracefulShutdown, "graceful-shutdown", 1*time.Second, "graceful shutdown")
-
-	cmd.AddCommand(
-		versionCmd,
-		apiserver.Cmd(BuildInfo),
-		housekeeper.Cmd(BuildInfo),
-		migrate.Cmd(BuildInfo),
-	)
-
-	return cmd
-}
-
-func execute() error {
-	ctx, cancelOnSignal := signal.NotifyContext(context.Background(), os.Interrupt, os.Kill)
-	defer cancelOnSignal()
-
-	err := rootCmd().ExecuteContext(ctx)
-	if err != nil {
-		slogctx.Error(ctx, "failed to start the application", "error", err)
-		return err
-	}
-
-	if !isVersionCmd {
-		slogctx.Info(ctx, "Graceful shutdown", "duration", gracefulShutdown)
-		time.Sleep(gracefulShutdown)
-	}
-
-	return nil
-}
+// BuildInfo will be set by the build system
+var BuildInfo = "{}"
 
 func main() {
-	err := execute()
-	if err != nil {
-		os.Exit(1)
-	}
+	maincmd.BuildInfo = BuildInfo
+	maincmd.Main()
 }
diff --git a/cmd/session-manager/maincmd/main.go b/cmd/session-manager/maincmd/main.go
@@ -0,0 +1,87 @@
+package maincmd
+
+import (
+	"context"
+	"log/slog"
+	"os"
+	"os/signal"
+	"time"
+
+	"github.com/openkcm/common-sdk/pkg/utils"
+	"github.com/spf13/cobra"
+
+	slogctx "github.com/veqryn/slog-context"
+
+	"github.com/openkcm/session-manager/cmd/session-manager/apiserver"
+	"github.com/openkcm/session-manager/cmd/session-manager/housekeeper"
+	"github.com/openkcm/session-manager/cmd/session-manager/migrate"
+)
+
+var (
+	// BuildInfo will be set by the build system
+	BuildInfo = "{}"
+
+	isVersionCmd     bool
+	gracefulShutdown time.Duration
+)
+
+var versionCmd = &cobra.Command{
+	Use:   "version",
+	Short: "Session Manager Version",
+	RunE: func(cmd *cobra.Command, _ []string) error {
+		isVersionCmd = true
+
+		value, err := utils.ExtractFromComplexValue(BuildInfo)
+		if err != nil {
+			return err
+		}
+
+		slog.InfoContext(cmd.Context(), value)
+
+		return nil
+	},
+}
+
+func rootCmd() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "session-manager",
+		Short: "Session Manager",
+		Long:  "KCM Session Manager, implementing the OIDC authorization code flow.",
+	}
+
+	cmd.PersistentFlags().DurationVar(&gracefulShutdown, "graceful-shutdown", 1*time.Second, "graceful shutdown")
+
+	cmd.AddCommand(
+		versionCmd,
+		apiserver.Cmd(BuildInfo),
+		housekeeper.Cmd(BuildInfo),
+		migrate.Cmd(BuildInfo),
+	)
+
+	return cmd
+}
+
+func execute() error {
+	ctx, cancelOnSignal := signal.NotifyContext(context.Background(), os.Interrupt, os.Kill)
+	defer cancelOnSignal()
+
+	err := rootCmd().ExecuteContext(ctx)
+	if err != nil {
+		slogctx.Error(ctx, "failed to start the application", "error", err)
+		return err
+	}
+
+	if !isVersionCmd {
+		slogctx.Info(ctx, "Graceful shutdown", "duration", gracefulShutdown)
+		time.Sleep(gracefulShutdown)
+	}
+
+	return nil
+}
+
+func Main() {
+	err := execute()
+	if err != nil {
+		os.Exit(1)
+	}
+}