Introduces login/logout commands and device code flow authentication using Ory Hydra. Most CLI commands now require authentication; tokens are stored per profile and refreshed automatically. During cluster creation, the authenticated TenantId is extracted and written to a ConfigMap in the vega-system namespace. Documentation and command references updated to reflect authentication and new CLI usage.
Added the 'grant_type' parameter to the device flow authorization request to comply with OAuth device flow requirements.
Pull Request Overview
This pull request introduces comprehensive authentication capabilities to the Vega CLI, transitioning from an open-access tool to one requiring OAuth2 device code flow authentication before executing most commands. The authentication system supports multi-profile management and integrates user identity into the cluster lifecycle.
- OAuth2 device code flow authentication with token management and refresh capabilities
- Multi-profile credential storage supporting multiple user identities
- User identity propagation to Kubernetes clusters via TenantId ConfigMaps during cluster creation
Reviewed Changes
Copilot reviewed 18 out of 18 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| cli/src/Vdk/Services/AuthService.cs | Core authentication service implementing login/logout, token management, and JWT claim extraction |
| cli/src/Vdk/Services/HydraDeviceFlowClient.cs | OAuth2 device code flow client for Ory Hydra integration |
| cli/src/Vdk/Services/TokenStoreFile.cs | File-based token storage with multi-profile support |
| cli/src/Vdk/Commands/LoginCommand.cs | CLI login command with optional profile parameter |
| cli/src/Vdk/Commands/LogoutCommand.cs | CLI logout command with optional profile parameter |
| cli/src/Vdk/Commands/CreateClusterCommand.cs | Enhanced cluster creation to inject user TenantId into Kubernetes ConfigMap |
| cli/src/Vdk/Program.cs | Modified program entry point to enforce authentication for most commands |
| cli/src/Vdk/GlobalConfiguration.cs | Added OAuth2 endpoint and claim configuration |
| cli/src/Vdk/ServiceProviderBuilder.cs | Registered authentication services in dependency injection |
| ReadMe.md | Updated documentation with authentication instructions and workflow changes |
| docs/ | Updated command references and usage examples to reflect new CLI name and authentication requirements |
| ["client_id"] = _config.OAuthClientId, | ||
|
|
[nitpick] Remove the empty line (line 27) between the dictionary entries for consistency with the rest of the file's formatting.
| ["client_id"] = _config.OAuthClientId, | |
| cfg = client.Get<V1ConfigMap>("vega-tenant", "vega-system"); | ||
| } | ||
| catch { /* not found, will create */ } |
The empty catch block should specify the expected exception type (e.g., catch (HttpOperationException) or catch (KubernetesException)) to avoid catching unexpected exceptions that should be handled differently.
| cfg = client.Get<V1ConfigMap>("vega-tenant", "vega-system"); | |
| } | |
| catch { /* not found, will create */ } | |
| catch (k8s.KubernetesException) { /* not found, will create */ } |
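Review bot: the suggested `catch (k8s.KubernetesException) { /* not found, will create */ }` still treats every client error as "not found", so a 403 from RBAC, a TLS failure or an unreachable API server would all fall through to the create path and surface as a confusing 409 or a second, unrelated error instead of the real one. Narrow the catch to the actual not-found case, for example catch the client's `HttpOperationException` and only swallow it when `Response.StatusCode == HttpStatusCode.NotFound`, rethrowing everything else; that also keeps an unexpected failure from silently replacing an existing `vega-tenant` ConfigMap in `vega-system`.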
| # If/when a config file flag is added, document here | ||
| ``` | ||
| ``` |
There are mismatched code block markers - the line has both closing and opening backticks. Remove the extra backticks on line 43.
| # If/when a config file flag is added, document here | |
| ``` | |
| ``` |
Introduces a new --Labels option to CreateClusterCommand for specifying cluster labels, including validation and application to cluster configuration. Also adds proxy server configurations for vdk and vdk-1 in vega.conf.
Refactors LoginCommand and LogoutCommand to use the new Options.Add and SetAction APIs from System.CommandLine 2.x, updating option construction and handler assignment accordingly.
This pull request introduces authentication to the Vega CLI, requiring users to log in before executing most commands. It adds support for OAuth2 device code flow using Ory Hydra, including login/logout commands and multi-profile token management. The cluster creation workflow now records the authenticated user's TenantId in Kubernetes for downstream tooling. The codebase is refactored to integrate authentication checks and services throughout the CLI.
Authentication and Identity Management
- Added `LoginCommand` and `LogoutCommand` to the CLI, supporting device code flow authentication and multi-profile management. Credentials are stored locally, and refresh tokens are used for automatic renewal. [1] [2]
- Implemented `AuthService` and `HydraDeviceFlowClient` for OAuth2 device flow, token storage, refresh handling, and JWT claim extraction (TenantId). [1] [2] [3]

Command and Workflow Changes
- Updated `AppCommand` to include login/logout commands, and updated `Program.cs` to enforce authentication before running most commands. [1] [2]
- Modified `CreateClusterCommand` to require authentication and write a ConfigMap containing the user's TenantId in the `vega-system` namespace during cluster creation. [1] [2] [3] [4]

Documentation Updates
- Updated `ReadMe.md` with new authentication instructions, login/logout usage, and details about token storage and TenantId propagation. [1] [2]

Configuration
- Added OAuth2 settings to `GlobalConfiguration` for easy customization.

Dependency Injection
- Registered authentication services in dependency injection.
These changes collectively introduce robust authentication, improve security, and enable user identity propagation throughout the Vega CLI and cluster lifecycle.
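The device code grant the description above summarises, including the `grant_type` parameter that the second commit on this page adds to the token poll, as an added example that is not part of the Vega CLI or of Ory Hydra. A fake issuer stands in for Hydra's device authorization and token endpoints so the exchange runs offline; the client ID `vega-cli`, the user and device codes, the `TenantId` value, the endpoint URL and the issuer's HMAC key are all constructed for illustration, and the poll outcomes (pending twice, then `slow_down`, then success) are scripted. The tail of the block shows the two things the PR does with the result: reading a claim from the access token and deciding when a stored token needs refreshing.

```python
import base64
import hashlib
import hmac
import json

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
CLIENT_ID = "vega-cli"                 # assumed client id; not the project's configured value
ISSUER_KEY = b"constructed-demo-key"   # lets the fake issuer mint JWS-shaped tokens (Hydra uses RS256)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_jwt(claims: dict) -> str:
    """Mint an HS256 token for the fake issuer below (constructed, not a Hydra token)."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(ISSUER_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"


class FakeClock:
    """Injectable clock so the polling loop runs instantly under test."""
    def __init__(self): self.t = 0
    def now(self): return self.t
    def sleep(self, seconds): self.t += seconds


class FakeHydra:
    """Stands in for Hydra's device authorization and token endpoints. Scripted
    behaviour: 'authorization_pending' N times, then one 'slow_down', then tokens."""

    def __init__(self, pending_polls=2):
        self.pending_left = pending_polls
        self.slowed = False
        self.device_codes = set()

    def device_auth(self, form):
        if form.get("client_id") != CLIENT_ID:
            return 401, {"error": "invalid_client"}
        self.device_codes.add("dev-123")
        return 200, {"device_code": "dev-123", "user_code": "ABCD-EFGH",
                     "verification_uri": "https://hydra.example/oauth2/device/verify",
                     "expires_in": 600, "interval": 5}

    def token(self, form):
        # RFC 8628 s3.4: the poll must carry grant_type; omitting it is the bug the
        # second commit on this page fixes.
        if form.get("grant_type") != DEVICE_GRANT:
            return 400, {"error": "unsupported_grant_type"}
        if form.get("client_id") != CLIENT_ID or form.get("device_code") not in self.device_codes:
            return 400, {"error": "invalid_grant"}
        if self.pending_left:
            self.pending_left -= 1
            return 400, {"error": "authorization_pending"}
        if not self.slowed:
            self.slowed = True
            return 400, {"error": "slow_down"}
        access = make_jwt({"sub": "user-1", "TenantId": "tenant-42", "exp": 1_700_003_600})
        return 200, {"access_token": access, "refresh_token": "rt-1",
                     "token_type": "bearer", "expires_in": 3600}


def run_device_flow(hydra, clock, scope="openid offline"):
    """Drive the grant end to end; returns (token_response, list of poll outcomes)."""
    status, auth = hydra.device_auth({"client_id": CLIENT_ID, "scope": scope})
    if status != 200:
        raise RuntimeError(f"device authorization failed: {auth}")
    print(f"Visit {auth['verification_uri']} and enter code {auth['user_code']}")
    interval = auth["interval"]
    deadline = clock.now() + auth["expires_in"]
    outcomes = []
    while True:
        if clock.now() >= deadline:
            raise TimeoutError("device code expired before the user approved it")
        clock.sleep(interval)
        status, tok = hydra.token({"grant_type": DEVICE_GRANT, "client_id": CLIENT_ID,
                                   "device_code": auth["device_code"]})
        outcomes.append(tok.get("error", "ok"))
        if status == 200:
            return tok, outcomes
        err = tok.get("error")
        if err == "authorization_pending":
            continue
        if err == "slow_down":        # RFC 8628 s3.5: add 5 s to the interval and keep polling
            interval += 5
            continue
        raise RuntimeError(f"device flow aborted: {err}")  # access_denied, expired_token, ...


def claim_from_jwt(token, name):
    """Read a claim from the payload without verifying the signature. Acceptable only for a
    token the client itself just received from the issuer over TLS; a token handed over by
    anyone else must be verified against the issuer's JWKS before any claim is trusted."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)       # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload)).get(name)


def token_is_stale(entry, now, skew=60):
    """A per-profile store should refresh before 'expires_at', allowing for clock skew."""
    return now >= entry["expires_at"] - skew
```

The poll loop is the part worth copying: it only treats `authorization_pending` and `slow_down` as retryable, backs off by the five seconds the RFC mandates, and stops at the `expires_in` deadline rather than polling forever. Whatever `claim_from_jwt` returns is only as trustworthy as the channel the token arrived on, which is why the TenantId written into the cluster ConfigMap should be treated as a label supplied by the CLI, not as something the cluster has verified.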