feat: support ai dump and sync#2143
Conversation
b0c8cb5 to
8713afd
Compare
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## feat/ai-gateway-file-convert #2143 +/- ##
================================================================
- Coverage 36.32% 35.63% -0.69%
================================================================
Files 79 82 +3
Lines 7504 7753 +249
================================================================
+ Hits 2726 2763 +37
- Misses 4532 4740 +208
- Partials 246 250 +4 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
316bbe0 to
31d033c
Compare
| with: | ||
| egress-policy: audit | ||
| - name: Checkout repository | ||
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 |
There was a problem hiding this comment.
GitHub Action actions/checkout persist Git credentials in workflow - low severity
actions/checkout v2 and above persist the default GITHUB_TOKEN in the repository's local git config when persist-credentials is not set to false, during the workflow run. Subsequent workflow steps or third-party actions can read this token from git configuration, increasing the risk of credential theft or misuse within the pipeline. In order to limit the attack surface when external actions are compromised, ensure persist-credentials is set to false.
Show fix
Remediation: Set persist-credentials: false on actions/checkout steps that do not need to push commits back to the repository. Only keep persist-credentials: true when the workflow explicitly performs authenticated git push operations.
Reply @AikidoSec ignore: [REASON] to ignore this issue.
More info
|
@Prashansa-K - The UX isnt perfect - I'm doing a self review and will add 1-2 more commits. Opened for review so that I could get another set of eyes on the integration tests for ai sync and dump - using the inputs and outputs from file_ai2kong itself. |
| SelectTags: dumpConfig.SelectorTags, | ||
| Workspace: aiDumpWorkspace, | ||
| Filename: "", | ||
| WithID: false, |
There was a problem hiding this comment.
revert layer of ai-deck-converter does not support retaining IDs
| // orders plugins by name and foreign-key ID (see FPlugin.sortKey in | ||
| // go-database-reconciler), so entities that share a name and route - such as | ||
| // the two ai-proxy-advanced plugins bound to one route - are emitted in a | ||
| // server-ID-dependent order that differs between independent syncs. A KeyAuth |
There was a problem hiding this comment.
Can this create unnecessary diffs for our endusers?
There was a problem hiding this comment.
Shouldn't - we already use sorting before comparing state for plugins in the integration tests (src) - it was missing model as part of its sort key
This needed a new function with own sorting logic because it is not comparing against a static kong state - let me check if this duplication can be resolved.
There was a problem hiding this comment.
Gave it some more thought - existing way of testing kong state in tests does this - creates a dump, and then compares with hardcoded kong state - but here we are comparing two dumps which have happened - and not hardcoded state.
Because these dumps are from different syncs - the IDs will be different, hence the custom comparison by parsing into file.Content.
Summary
In this PR, we are supporting two commands -
deck ai syncanddeck ai dump- which will accept, and return declarative config containing the AI Gateway entities - and internally convert to Kong 3.x format and sync with on-prem AI Gateway.Depends on -
Kong/go-database-reconciler#496
Kong/go-kong#624