feat: 支持 provider profile auth.json 写入

This commit is contained in:
Codex
2026-06-08 10:59:38 +08:00
parent f86bee4563
commit 47b02b5101
2 changed files with 53 additions and 22 deletions
+31 -19
View File
@@ -167,10 +167,9 @@ export async function setProviderProfileCredential(profileValue: string, body: u
const profile = validateBackendProfile(profileValue);
const spec = requiredSpec(profile);
const record = asRecord(body ?? {}, "providerProfileCredential");
const apiKey = stringField(record, "apiKey");
if (apiKey.length < 8) throw new AgentRunError("secret-unavailable", "apiKey is too short", { httpStatus: 400 });
const credential = credentialAuthJson(record);
const delegatedBy = delegatedBySummary(record.delegatedBy);
const rendered = renderCredential(apiKey, await renderedConfigForWrite(profile, record, options));
const renderedConfig = await renderedConfigForWrite(profile, record, options);
const namespace = profileNamespace(options);
const secretManifest: JsonRecord = {
apiVersion: "v1",
@@ -184,16 +183,16 @@ export async function setProviderProfileCredential(profileValue: string, body: u
},
annotations: {
[`${credentialAnnotationPrefix}-profile`]: profile,
[`${credentialAnnotationPrefix}-credential-hash-suffix`]: shortHash(rendered.authJson),
[`${credentialAnnotationPrefix}-config-hash-suffix`]: shortHash(rendered.config.configToml),
[`${credentialAnnotationPrefix}-credential-hash-suffix`]: shortHash(credential.authJson),
[`${credentialAnnotationPrefix}-config-hash-suffix`]: shortHash(renderedConfig.configToml),
[`${credentialAnnotationPrefix}-updated-at`]: new Date().toISOString(),
...(delegatedBy ? { [`${credentialAnnotationPrefix}-delegated-system`]: delegatedBy.system, [`${credentialAnnotationPrefix}-delegated-request-id`]: delegatedBy.requestId ?? "" } : {}),
},
},
type: "Opaque",
data: {
"auth.json": base64Data(rendered.authJson),
"config.toml": base64Data(rendered.config.configToml),
"auth.json": base64Data(credential.authJson),
"config.toml": base64Data(renderedConfig.configToml),
},
};
const applied = await kubectlUpsertSecret(secretManifest, options.kubectlCommand ?? "kubectl");
@@ -204,12 +203,13 @@ export async function setProviderProfileCredential(profileValue: string, body: u
configured: true,
secretRef: secretRefSummary(profile, namespace),
resourceVersion: objectPath(applied, ["metadata", "resourceVersion"]),
credentialHashSuffix: shortHash(rendered.authJson),
configHashSuffix: shortHash(rendered.config.configToml),
credentialHashSuffix: shortHash(credential.authJson),
configHashSuffix: shortHash(renderedConfig.configToml),
updatedAt: objectPath(applied, ["metadata", "annotations", `${credentialAnnotationPrefix}-updated-at`]) ?? new Date().toISOString(),
configSummary: rendered.config.configSummary,
credentialSource: credential.source,
configSummary: renderedConfig.configSummary,
delegatedBy,
requiresExternalBridgeUpdate: profileUsesMoonBridge(profile, rendered.config.configToml),
requiresExternalBridgeUpdate: profileUsesMoonBridge(profile, renderedConfig.configToml),
valuesPrinted: false,
pollCommands: {
show: `./scripts/agentrun provider-profiles show ${profile}`,
@@ -357,20 +357,32 @@ function profileFromSecretName(name: string | null): string | null {
return profile.length > 0 ? profile : null;
}
function renderCredential(apiKey: string, config: RenderedConfig): { authJson: string; config: RenderedConfig } {
const authJson = `${JSON.stringify(authPayload(apiKey))}\n`;
return {
authJson,
config,
};
}
function providerProfileSecretData(input: { authJsonData?: string | null; configToml: string }): JsonRecord {
const data: JsonRecord = { "config.toml": base64Data(input.configToml) };
if (input.authJsonData) data["auth.json"] = input.authJsonData;
return data;
}
function credentialAuthJson(record: JsonRecord): { authJson: string; source: "auth-json" | "api-key" } {
const authJson = record.authJson;
if (typeof authJson === "string" && authJson.trim().length > 0) return { authJson: authJsonField(authJson), source: "auth-json" };
const apiKey = stringField(record, "apiKey");
if (apiKey.length < 8) throw new AgentRunError("secret-unavailable", "apiKey is too short", { httpStatus: 400 });
return { authJson: `${JSON.stringify(authPayload(apiKey))}\n`, source: "api-key" };
}
function authJsonField(value: string): string {
if (!value.trim()) throw new AgentRunError("schema-invalid", "authJson is required", { httpStatus: 400 });
let parsed: unknown;
try {
parsed = JSON.parse(value);
} catch {
throw new AgentRunError("schema-invalid", "authJson must be valid JSON", { httpStatus: 400 });
}
if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) throw new AgentRunError("schema-invalid", "authJson must be a JSON object", { httpStatus: 400 });
return value;
}
function authPayload(apiKey: string): JsonRecord {
return { OPENAI_API_KEY: apiKey };
}