Improve runner launching - IAM Bindings, Disable Agent Service, Fix Generated Certificate #1041
sourishkrout merged 7 commits into main from
9b4fc37 to ac454b1
I'll fix DCO. Test failure looks unrelated. Codex says Docker API is pinned; might open a separate PR for that.
Triggered a re-run on main to see if it passes
Yup that failed.
aacaf2c to 40b7e94
We should merge
@sourishkrout PTAL
Pull request overview
This PR adds support for launching runners without the agent service, improves certificate generation, and adds a command to manage IAM policy bindings. The changes support use cases where only the runner or parser services are needed without the AI agent functionality.
Changes:
- Added `add-iam-policy-binding` command to configure IAM access for agent services
- Fixed TLS certificate Common Name from "Cloud Assistant" to "Runme" for self-generated certificates
- Added optional `agentService` configuration flag (defaults to true) to allow disabling the agent service when launching runners
- Improved Docker API version negotiation to avoid hard-coded version mismatches
- Refactored certificate generation logic into reusable `ensureTLSCertificate` helper
Reviewed changes
Copilot reviewed 16 out of 18 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| pkg/agent/tlsbuilder/tls.go | Updated certificate CommonName and Organization from "Cloud Assistant"/"Acme Inc." to "Runme" |
| pkg/agent/server/server.go | Added nil check for opts.Server and updated error message to include parser service |
| pkg/agent/server/agent_service_test.go | Added test verifying assets aren't initialized when agent is nil |
| pkg/agent/config/iam_policy_test.go | Comprehensive tests for IAM policy binding operations including add, preserve, append, and dedupe |
| pkg/agent/config/iam_policy.go | Core implementation for adding IAM policy bindings with YAML preservation |
| pkg/agent/config/config_test.go | Test for GetAgentService() method with default and explicit values |
| pkg/agent/config/config.go | Added AgentService field and GetAgentService() method with improved GetConfigFile() logic |
| pkg/agent/cmd/serve.go | Refactored to conditionally initialize agent based on GetAgentService(), extracted TLS setup |
| pkg/agent/cmd/run.go | Removed unused run command |
| pkg/agent/cmd/certificate_check_test.go | Tests for TLS certificate generation scenarios |
| pkg/agent/cmd/certificate_check.go | New command and helper function for checking/generating TLS certificates |
| pkg/agent/cmd/agent.go | Updated command registration (removed run, added certificate-check and add-iam-policy-binding) |
| pkg/agent/cmd/add_iam_policy_binding.go | New command implementation for adding IAM policy bindings |
| pkg/agent/README.md | Added documentation for agentService configuration option |
| internal/dockerexec/docker.go | Changed from hardcoded API version "1.43" to WithAPIVersionNegotiation() |
| go.sum | Added checksums for new kyaml and related dependencies |
| go.mod | Added sigs.k8s.io/kustomize/kyaml v0.20.1 and transitive dependencies |
| .gitignore | Added pattern to ignore .runme-script-* files in runner directory |
Signed-off-by: Jeremy lewi <jeremy@lewi.us>
40b7e94 to 2eaff9e
✅ LGTM.
…enerated Certificate (#1041)

* Create a command to add IAM policy bindings

This can be used in launcher scripts to create suitable IAM bindings e.g.

```
"${RUNME_BIN}" agent add-iam-policy-binding --member="user:${USER}@acme.com" --role="role/runner.user" --config "${RUNME_CONFIG}"
"${RUNME_BIN}" agent add-iam-policy-binding --member="user:${USER}@acme.com" --role="role/parser.user" --config "${RUNME_CONFIG}"
```

* Fix the common name on the self generated certificate; it should be Runme not Cloud Assistant

* Add the option to disable the agent service when launching a runner as we don't need it.

---------

Signed-off-by: Jeremy lewi <jeremy@lewi.us>
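The add, preserve, append and dedupe cases that the review summary lists for the IAM policy binding tests matter because a launcher script re-runs the same `add-iam-policy-binding` calls on every start. The sketch below is an added example, not the project's code: `Policy`, `Binding` and `AddBinding` are hypothetical names, and the in-memory role-to-members shape is an assumption, since the page does not show the config schema.

```go
package main

import (
	"fmt"
	"strings"
)

// Binding and Policy are an assumed, simplified shape (role -> members);
// the project's real config schema is not shown on this page.
type Binding struct {
	Role    string
	Members []string
}

type Policy struct{ Bindings []Binding }

// AddBinding grants role to member idempotently and reports whether the
// policy changed, so re-running a launcher script never grows the policy.
func AddBinding(p *Policy, member, role string) (bool, error) {
	kind, id, ok := strings.Cut(member, ":")
	if !ok || kind == "" || id == "" {
		return false, fmt.Errorf("member %q must look like kind:identity", member)
	}
	if role == "" {
		return false, fmt.Errorf("role must not be empty")
	}
	for i := range p.Bindings {
		if p.Bindings[i].Role != role {
			continue // preserve: unrelated bindings are left untouched
		}
		for _, m := range p.Bindings[i].Members {
			if m == member {
				return false, nil // dedupe: already granted, no change
			}
		}
		p.Bindings[i].Members = append(p.Bindings[i].Members, member)
		return true, nil // append: role exists, member is new
	}
	p.Bindings = append(p.Bindings, Binding{Role: role, Members: []string{member}})
	return true, nil // add: first binding for this role
}

func main() {
	// Constructed sample policy and members.
	p := &Policy{Bindings: []Binding{{Role: "role/parser.user", Members: []string{"user:alice@acme.com"}}}}
	for _, m := range []string{"user:bob@acme.com", "user:bob@acme.com", "bob"} {
		changed, err := AddBinding(p, m, "role/parser.user")
		fmt.Println(m, changed, err)
	}
}
```

Rejecting a member without a `kind:` prefix keeps a typo in a launcher script from silently writing a binding that matches no identity.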