Make agent-secret demo route correctly: inject session header + fix DNS suffix#61
Open
Davanum Srinivas (dims) wants to merge 2 commits into
Open
Make agent-secret demo route correctly: inject session header + fix DNS suffix#61Davanum Srinivas (dims) wants to merge 2 commits into
Davanum Srinivas (dims) wants to merge 2 commits into
Conversation
…quests The router rewrites :authority to the resolved worker pod IP before the request is forwarded, which strips the actor-ID prefix from any header the workload would otherwise have seen. Workloads that need to know their own actor identity (e.g. to call SuspendActor on themselves, as the agent-secret demo does) currently have no reliable source for it. Inject the resolved actor ID as the x-agentset-session request header on every successful resume. The header name matches the lookup order already used by the agent-secret demo, so workloads that read it Just Work without further changes. The success-case test assertion is updated to expect both :authority and x-agentset-session mutations, indexed by key so it is independent of the order the router emits them. Signed-off-by: Davanum Srinivas <davanum@gmail.com>
The router routes requests by the actors.resources.substrate.ate.dev suffix (internal/resources/actor.go:27). References to the legacy substrate.k8s.io suffix in this demo's README and inline comments caused requests run verbatim from the docs to silently fail routing. Replace the stale suffix with the current one in three curl examples and two source comments. Signed-off-by: Davanum Srinivas <davanum@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Two compact changes that together make the
agent-secretdemo run as documented:feat(atenet/router)— inject the resolved actor ID as anx-agentset-sessionrequest header on every successful resume, so workloads can identify their own actor without parsing the rewritten:authority.fix(demos/agent-secret)— replace the stalesubstrate.k8s.ioDNS suffix withsubstrate.ate.dev(the live router suffix perinternal/resources/actor.go:27) in three curl examples and two source comments.Running the demo's README verbatim today fails in two ways:
Hostheader uses the legacysubstrate.k8s.iosuffix and is rejected by the router with a 404.:authorityto the worker pod IP before the workload sees it. The workload's fallback prefix-extraction then grabs the first octet of the IP (10for10.244.0.30),SuspendActor(actor_id="10")returnsNotFound, and the actor never self-suspends.The header-injection change is also useful beyond this demo: any future workload that needs its own actor identity now has a stable header to read it from, instead of either reverse-engineering
:authorityor relying on an environment-variable mount.Testing:
End-to-end on a local kind cluster:
curl -H "Host: my-agent.actors.resources.substrate.ate.dev" http://localhost:8000(no other headers) — workload now logsDEBUG: Identified ActorID: [my-agent], the response readsSession: my-agent(wasSession: 10), and the actor flips toSTATUS_SUSPENDED~9 s after the response.SECRET-NNNNreturned across resume cycles, including worker-pod migration) is unchanged.