fix(kas): Allow admin to set registered kas uri #2624
Conversation
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Summary of Changes
Hello @c-r33d, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!
I've updated the KAS (Key Access Server) configuration to allow administrators to explicitly define the registered KAS URI. Previously, the system would infer this URI based on network settings and hostname, which could lead to ambiguity. This change provides more direct control and predictability over how the KAS identifies itself, simplifying deployments and ensuring consistent behavior.
Highlights
- KAS URI Configuration: Introduced a new configuration option (registered_kas_uri) under kas.preview.key_management in opentdf-dev.yaml and opentdf-kas-mode.yaml, allowing the KAS URI to be explicitly set.
- Removal of Inferred URI Logic: Eliminated the code responsible for inferring the KAS URI from the server's public hostname and listening address, streamlining the KAS initialization process.
- Configuration Schema Update: Refactored the Preview and KeyManagement structs in service/kas/access/provider.go to properly support the new nested enabled and registered_kas_uri fields for key management.
- Cleanup of public_hostname: Removed the server.public_hostname configuration entry from opentdf-dev.yaml and opentdf-kas-mode.yaml as it is no longer used for KAS URI determination.
- Test and Fixture Alignment: Updated service/internal/fixtures/policy_fixtures.yaml to reflect the new explicit URI setting and modified service/kas/access/publicKey_test.go to remove outdated URI inference test logic.
Using Gemini Code Assist
The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.
Invoking Gemini
You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.
| Feature | Command | Description |
|---|---|---|
| Code Review | /gemini review |
Performs a code review for the current pull request in its current state. |
| Pull Request Summary | /gemini summary |
Provides a summary of the current pull request in its current state. |
| Comment | @gemini-code-assist | Responds in comments when explicitly tagged, both in issue comments and review comments. |
| Help | /gemini help |
Displays a list of available commands. |
Customization
To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.
Limitations & Feedback
Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments or fill out our survey to provide feedback.
You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.
URI now defined,No more guessing, clear the path,Config's true control.
Footnotes
-
Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩
There was a problem hiding this comment.
Code Review
This pull request introduces a configuration option to explicitly set the registered KAS URI, removing the previous logic that inferred it from the server's public hostname and port. The changes are well-implemented across configuration files, service logic, and tests. I've provided a couple of suggestions to improve robustness and code consistency. One suggestion is to add a validation check to ensure the KAS URI is not empty when key management is enabled. The other is a minor naming convention fix for better code consistency.
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Standard Benchmark Metrics Skipped or FailedBulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
|
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request refactors the Key Access Service (KAS) configuration to allow administrators to explicitly set the registered KAS URI, removing the previous logic that inferred it. This is a good improvement for configuration clarity and robustness. However, the implementation introduces a breaking change in the configuration format for key_management, which could impact existing deployments. I've also included a minor suggestion to improve code idiom.
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Standard Benchmark Metrics Skipped or FailedBulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
|
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Standard Benchmark Metrics Skipped or FailedBulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
|
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Standard Benchmark Metrics Skipped or FailedBulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
|
c-r33d
changed the title
c-r33d
changed the title
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request introduces a feature allowing administrators to explicitly set the registered KAS URI via a new configuration option, registered_kas_uri. When this option is not provided, the system falls back to the previous behavior of inferring the URI from the server's configuration. The implementation correctly refactors the URI determination logic into a new function, determineKASURL, and updates the necessary configuration files and tests. My review identifies one area for improvement in the new function regarding inconsistent error handling, where panic is used instead of returning an error as per the function's signature.
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Standard Benchmark Metrics Skipped or FailedBulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
|
|
/gemini review |
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Standard Benchmark Metrics Skipped or FailedBulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
|
There was a problem hiding this comment.
Code Review
This pull request introduces a new configuration option registered_kas_uri for the KAS service, allowing an administrator to explicitly set the KAS URI. When this option is not set, the system falls back to inferring the URI from the server configuration. The implementation correctly refactors the URI determination logic into a new function and updates the necessary configuration files, tests, and fixtures. The changes are well-structured. I have one suggestion to simplify the URI inference logic for better readability and efficiency.
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Standard Benchmark Metrics Skipped or FailedBulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
|
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Standard Benchmark Metrics Skipped or FailedBulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
|
### Proposed Changes 1.) Allow admin to set the registered KAS URI, instead of inferring it if present. >[!NOTE] >If the registered_kas_uri is empty or not present we fallback to >inferring. ### Checklist - [ ] I have added or updated unit tests - [ ] I have added or updated integration tests (if appropriate) - [ ] I have added or updated documentation ### Testing Instructions --------- Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> (cherry picked from commit 6203fba)
|
Successfully created backport PR for |
### Proposed Changes 1.) Allow admin to set the registered KAS URI, instead of inferring it if present. >[!NOTE] >If the registered_kas_uri is empty or not present we fallback to >inferring. ### Checklist - [ ] I have added or updated unit tests - [ ] I have added or updated integration tests (if appropriate) - [ ] I have added or updated documentation ### Testing Instructions --------- Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> (cherry picked from commit 6203fba)
…service/v0.8] (#2628) # Description Backport of #2624 to `release/service/v0.8`. --------- Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com> Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> Co-authored-by: Dave Mihalcik <[email protected]> Co-authored-by: Copilot <[email protected]> Co-authored-by: Chris Reed <[email protected]>
1.) Add `registered_kas_uri` to kas config. [Kas URI bug fix](opentdf/platform#2624) 2.) Deprecate `server.public_hostname` 3.) Change `preview_features` to `preview` --------- Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
🤖 I have created a release *beep* *boop* --- ## [0.9.0](service/v0.8.0...service/v0.9.0) (2025-08-27) ### Features * **core:** add multi-strategy ERS to support ldap and sql ([#2596](#2596)) ([855611d](855611d)) * **policy:** Add legacy keys. ([#2613](#2613)) ([57370b0](57370b0)) * **policy:** add values to CreateObligationRequest ([#2614](#2614)) ([94535cc](94535cc)) * **policy:** Modify KAS indexer to support legacy keys. ([#2616](#2616)) ([ba96c18](ba96c18)) ### Bug Fixes * **deps:** bump github.com/docker/docker from 28.2.2+incompatible to 28.3.3+incompatible in /service ([#2598](#2598)) ([3c392aa](3c392aa)) * **deps:** bump github.com/go-viper/mapstructure/v2 from 2.3.0 to 2.4.0 in /service ([#2649](#2649)) ([b838bbc](b838bbc)) * **deps:** bump github.com/opentdf/platform/sdk from 0.5.0 to 0.7.0 in /service ([#2660](#2660)) ([2c998ac](2c998ac)) * **kas:** Allow admin to set registered kas uri ([#2624](#2624)) ([6203fba](6203fba)) * updated generated sqlc ([#2609](#2609)) ([e44a569](e44a569)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>
3 participants
Proposed Changes
1.) Allow admin to set the registered KAS URI, instead of inferring it if present.
Note
If the registered_kas_uri is empty or not present we fallback to
inferring.
Checklist
Testing Instructions