Skip to content

feat: add credentials commands for opensearch, valkey, and kafka#667

Merged
rbjornstad merged 12 commits intomainfrom
aiven_credentials
Mar 16, 2026
Merged

feat: add credentials commands for opensearch, valkey, and kafka#667
rbjornstad merged 12 commits intomainfrom
aiven_credentials

Conversation

@jhrv
Copy link
Contributor

@jhrv jhrv commented Mar 13, 2026
edited by rbjornstad
Loading

Summary

Adds new credentials subcommands that create temporary Aiven service credentials via the nais-api GraphQL API, replacing the broken nais aiven flow that depended on direct Kubernetes secret access.

New commands

  • nais opensearch credentials <name> --environment --permission --ttl
  • nais valkey credentials <name> --environment --permission --ttl
  • nais kafka credentials --environment --ttl [--output env|kcat|java]

OpenSearch and Valkey print env vars to stdout. Kafka supports three output formats: env (stdout), kcat (config files), and java (PEM-based properties file).

Deprecations

All leaf commands under nais aiven are deprecated with pointers to the new commands where applicable.

Depends on

@github-actions
Copy link
Contributor

github-actions bot commented Mar 13, 2026
edited
Loading

📝 Changelog preview

Below is a preview of the Changelog that will be added to the next release. Only commit messages that follow the Conventional Commits specification will be included in the Changelog.

v5.15.0 - 2026-03-16

Full Changelog: v5.14.0...v5.15.0

🚀 Features

  • Add credentials commands for opensearch, valkey, and kafka (af70c33)

🐛 Bug Fixes

  • (credentials) Validate permission and filter autocomplete (1ce5e99)
  • Address remaining credentials review feedback (98a36fe)
  • Require environment for service credentials autocomplete (3743107)
  • Validate kafka environment and java property paths (2fb27ce)
  • Use deprecated metadata for aiven root command (e0bc6c5)
  • Remove invalid parent deprecation marker (8efcdb0)
  • Address remaining kafka credentials review feedback (86a1b92)
  • Address latest credentials review feedback (6caba29)
  • Finalize credentials review feedback (1608505)

⚙️ Miscellaneous Changes

  • (credentials) Simplify permission validation using slices.Contains (214ce57)

jhrv and others added 3 commits March 16, 2026 13:34
@jhrv @rbjornstad
feat: add credentials commands for opensearch, valkey, and kafka
af70c33 
Add new 'credentials' subcommands that create temporary Aiven service
credentials via the nais-api GraphQL API, replacing the broken 'nais aiven'
flow that depended on direct K8s secret access.

New commands:
- nais alpha opensearch credentials <name> --environment --permission --ttl
- nais alpha valkey credentials <name> --environment --permission --ttl
- nais kafka credentials --environment --ttl [--output env|kcat|java]

Deprecate all leaf commands under 'nais aiven' with appropriate replacements.
@jhrv @rbjornstad
Move opensearch/valkey from alpha to top-level commands
074f0ff 
Promote opensearch and valkey from 'nais alpha' subcommands to top-level
commands ('nais opensearch', 'nais valkey'). Update deprecation message in
old 'nais aiven create opensearch' to point to 'nais opensearch credentials'
instead of 'nais alpha opensearch credentials'.
@rbjornstad
fix(credentials): validate permission and filter autocomplete
1ce5e99
@rbjornstad rbjornstad requested a review from Copilot March 16, 2026 12:36
Copilot AI reviewed Mar 16, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds new CLI subcommands that create temporary Aiven service credentials via the nais-api GraphQL API, and deprecates the legacy nais aiven leaf commands that relied on direct Kubernetes secret access.

Changes:

  • Extends the GraphQL schema + generated client to support createOpenSearchCredentials, createValkeyCredentials, and createKafkaCredentials.
  • Adds credentials subcommands for OpenSearch, Valkey, and Kafka (Kafka supports env, kcat, and java outputs).
  • Marks relevant nais aiven leaf commands as deprecated and points users toward the new flows.

Reviewed changes

Copilot reviewed 23 out of 23 changed files in this pull request and generated 7 comments.

Show a summary per file
File Description
schema.graphql Adds schema types and mutations for temporary OpenSearch/Valkey/Kafka credentials.
internal/naisapi/gql/generated.go Regenerates Go GraphQL client types/ops for the new mutations + AivenPermission.
internal/opensearch/credentials.go Adds GraphQL client call wrapper for OpenSearch credential creation.
internal/opensearch/command/flag/flag.go Adds --permission and --ttl flags + autocomplete for OpenSearch credentials command.
internal/opensearch/command/credentials.go Implements nais opensearch credentials command (prints env vars).
internal/opensearch/command/command.go Registers the new OpenSearch credentials subcommand.
internal/valkey/credentials.go Adds GraphQL client call wrapper for Valkey credential creation.
internal/valkey/command/flag/flag.go Adds --permission and --ttl flags + autocomplete for Valkey credentials command.
internal/valkey/command/credentials.go Implements nais valkey credentials command (prints env vars).
internal/valkey/command/command.go Registers the new Valkey credentials subcommand.
internal/kafka/credentials.go Adds GraphQL client call wrapper for Kafka credential creation.
internal/kafka/command/flag/flag.go Adds Kafka credentials flags, including --output with autocomplete.
internal/kafka/command/credentials.go Implements nais kafka credentials with env, kcat, and java outputs.
internal/kafka/command/credentials_test.go Adds tests for cert file writing and Windows path conversion.
internal/kafka/command/command.go Registers the new Kafka credentials subcommand.
internal/application/application.go Adjusts command registration order (OpenSearch/Valkey placement).
internal/aiven/command/aiven.go Updates Aiven command title to communicate deprecation guidance.
internal/aiven/command/tidy.go Marks nais aiven tidy as deprecated (no replacement).
internal/aiven/command/get.go Marks nais aiven get as deprecated (no replacement).
internal/aiven/command/grant_access_topic.go Deprecates and points to kafka credentials.
internal/aiven/command/grant_access_stream.go Deprecates (no replacement).
internal/aiven/command/create_opensearch.go Deprecates and points to opensearch credentials.
internal/aiven/command/create_kafka.go Deprecates and points to kafka credentials.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

@rbjornstad rbjornstad requested a review from Copilot March 16, 2026 12:59
Copilot AI reviewed Mar 16, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds new credentials subcommands for OpenSearch, Valkey, and Kafka that create temporary Aiven service credentials via the nais-api GraphQL API, and deprecates the legacy nais aiven leaf commands that relied on Kubernetes secret access.

Changes:

  • Extend GraphQL schema + generated client to support createOpenSearchCredentials, createValkeyCredentials, and createKafkaCredentials.
  • Add new CLI commands to create and output temporary credentials for OpenSearch/Valkey (env vars) and Kafka (env vars or config files).
  • Deprecate existing nais aiven leaf commands with replacements where applicable.

Reviewed changes

Copilot reviewed 23 out of 23 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
schema.graphql Adds new mutations and types for temporary credential creation.
internal/naisapi/gql/generated.go Updates generated GraphQL client/types for the new mutations and enum.
internal/opensearch/credentials.go Adds GraphQL-backed credential creation helper for OpenSearch.
internal/opensearch/command/flag/flag.go Adds credentials flags (permission, ttl) with autocomplete.
internal/opensearch/command/credentials.go Adds nais opensearch credentials command that prints env vars.
internal/opensearch/command/command.go Registers the new OpenSearch credentials subcommand.
internal/valkey/credentials.go Adds GraphQL-backed credential creation helper for Valkey.
internal/valkey/command/flag/flag.go Adds credentials flags (permission, ttl) with autocomplete.
internal/valkey/command/credentials.go Adds nais valkey credentials command that prints env vars.
internal/valkey/command/command.go Registers the new Valkey credentials subcommand.
internal/kafka/credentials.go Adds GraphQL-backed credential creation helper for Kafka.
internal/kafka/command/flag/flag.go Adds credentials flags (ttl, output) with autocomplete.
internal/kafka/command/credentials.go Adds nais kafka credentials command with env/kcat/java output.
internal/kafka/command/credentials_test.go Adds tests for certificate file writing and path formatting helper.
internal/kafka/command/command.go Registers the new Kafka credentials subcommand.
internal/application/application.go Reorders command registration (Kafka before OpenSearch/Valkey).
internal/aiven/command/aiven.go Updates Aiven command title to indicate deprecation guidance.
internal/aiven/command/create_kafka.go Deprecates legacy nais aiven create kafka with replacement pointer.
internal/aiven/command/create_opensearch.go Deprecates legacy nais aiven create opensearch with replacement pointer.
internal/aiven/command/get.go Deprecates legacy nais aiven get.
internal/aiven/command/tidy.go Deprecates legacy nais aiven tidy.
internal/aiven/command/grant_access_topic.go Deprecates legacy grant-access topic with replacement pointer.
internal/aiven/command/grant_access_stream.go Deprecates legacy grant-access stream without replacement.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

@rbjornstad rbjornstad requested a review from Copilot March 16, 2026 13:12
Copilot AI reviewed Mar 16, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds new CLI flows for creating short-lived Aiven service credentials via the nais-api GraphQL API (OpenSearch, Valkey, Kafka), and deprecates legacy nais aiven leaf commands that relied on Kubernetes secret access.

Changes:

  • Extends GraphQL schema + generated client to support credential-creation mutations for OpenSearch/Valkey/Kafka.
  • Introduces new credentials subcommands under nais opensearch, nais valkey, and nais kafka (with Kafka supporting env|kcat|java outputs).
  • Marks legacy nais aiven leaf commands as deprecated and updates command wiring/ordering.

Reviewed changes

Copilot reviewed 23 out of 23 changed files in this pull request and generated 4 comments.

Show a summary per file
File Description
schema.graphql Adds new credential-creation mutations, inputs, payloads, and AivenPermission enum.
internal/naisapi/gql/generated.go Updates generated GraphQL client types/operations for the new mutations.
internal/opensearch/credentials.go Adds OpenSearch credential creation via GraphQL client.
internal/opensearch/command/flag/flag.go Adds --permission and --ttl flags + autocomplete for OpenSearch credentials.
internal/opensearch/command/credentials.go Implements nais opensearch credentials command and env-var output.
internal/opensearch/command/command.go Registers the new OpenSearch credentials subcommand.
internal/valkey/credentials.go Adds Valkey credential creation via GraphQL client.
internal/valkey/command/flag/flag.go Adds --permission and --ttl flags + autocomplete for Valkey credentials.
internal/valkey/command/credentials.go Implements nais valkey credentials command and env-var output.
internal/valkey/command/command.go Registers the new Valkey credentials subcommand.
internal/kafka/credentials.go Adds Kafka credential creation via GraphQL client.
internal/kafka/command/flag/flag.go Adds --ttl and --output flags + autocomplete for Kafka credentials.
internal/kafka/command/credentials.go Implements nais kafka credentials with env/kcat/java output (writes temp cert/config files).
internal/kafka/command/credentials_test.go Adds unit test coverage for writing cert files (content + 0600 perms).
internal/kafka/command/command.go Registers the new Kafka credentials subcommand.
internal/application/application.go Reorders top-level command registration (kafka/opensearch/valkey).
internal/aiven/command/aiven.go Updates aiven command title text to indicate deprecation guidance.
internal/aiven/command/tidy.go Deprecates nais aiven tidy.
internal/aiven/command/get.go Deprecates nais aiven get.
internal/aiven/command/create_opensearch.go Deprecates legacy OpenSearch access creation with replacement pointer.
internal/aiven/command/create_kafka.go Deprecates legacy Kafka access creation with replacement pointer.
internal/aiven/command/grant_access_topic.go Deprecates legacy topic ACL grant with replacement pointer.
internal/aiven/command/grant_access_stream.go Deprecates legacy stream ACL grant (no replacement).

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

@rbjornstad rbjornstad requested a review from Copilot March 16, 2026 13:42
Copilot AI reviewed Mar 16, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a new “credentials” workflow for Aiven-backed services by introducing GraphQL mutations/types and wiring new CLI subcommands for OpenSearch, Valkey, and Kafka, while deprecating the legacy nais aiven leaf commands that relied on Kubernetes secret access.

Changes:

  • Extend GraphQL schema (and generated client) with mutations for creating temporary credentials for OpenSearch, Valkey, and Kafka.
  • Add new CLI commands: nais opensearch credentials, nais valkey credentials, and nais kafka credentials (with env|kcat|java output modes for Kafka).
  • Deprecate nais aiven leaf commands with replacements where applicable.

Reviewed changes

Copilot reviewed 22 out of 22 changed files in this pull request and generated 6 comments.

Show a summary per file
File Description
schema.graphql Adds new credential-creation mutations and credential payload/input types.
internal/naisapi/gql/generated.go Updates generated GraphQL client types/operations (AivenPermission + 3 new mutations).
internal/opensearch/credentials.go Adds OpenSearch credential mutation wrapper.
internal/opensearch/command/flag/flag.go Adds --permission and --ttl flags + autocomplete for OpenSearch credentials.
internal/opensearch/command/credentials.go Implements nais opensearch credentials output as env vars.
internal/opensearch/command/command.go Registers credentials subcommand under opensearch.
internal/valkey/credentials.go Adds Valkey credential mutation wrapper.
internal/valkey/command/flag/flag.go Adds --permission and --ttl flags + autocomplete for Valkey credentials.
internal/valkey/command/credentials.go Implements nais valkey credentials output as env vars.
internal/valkey/command/command.go Registers credentials subcommand under valkey.
internal/kafka/credentials.go Adds Kafka credential mutation wrapper.
internal/kafka/command/flag/flag.go Adds --ttl and --output (env/kcat/java) flags + autocomplete.
internal/kafka/command/credentials.go Implements nais kafka credentials including kcat/java file outputs.
internal/kafka/command/credentials_test.go Adds unit test coverage for writing Kafka cert files with correct perms/content.
internal/kafka/command/command.go Registers credentials subcommand under kafka.
internal/application/application.go Reorders top-level command registration (kafka before opensearch/valkey).
internal/aiven/command/tidy.go Deprecates nais aiven tidy.
internal/aiven/command/grant_access_topic.go Deprecates topic access command with replacement to kafka credentials.
internal/aiven/command/grant_access_stream.go Deprecates stream access command (no replacement).
internal/aiven/command/get.go Deprecates nais aiven get (no replacement).
internal/aiven/command/create_opensearch.go Deprecates with replacement to opensearch credentials.
internal/aiven/command/create_kafka.go Deprecates with replacement to kafka credentials.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

@rbjornstad rbjornstad requested a review from Copilot March 16, 2026 14:18
Copilot AI reviewed Mar 16, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds new CLI support for creating temporary Aiven service credentials (OpenSearch, Valkey, Kafka) via the nais-api GraphQL API, and deprecates legacy nais aiven leaf commands that relied on Kubernetes secret access.

Changes:

  • Extend GraphQL schema + regenerate internal/naisapi/gql/generated.go for create{OpenSearch,Valkey,Kafka}Credentials mutations and payload types.
  • Introduce new credentials subcommands for opensearch, valkey, and kafka (with Kafka output formats: env, kcat, java).
  • Deprecate relevant nais aiven leaf commands (with replacements where applicable).

Reviewed changes

Copilot reviewed 22 out of 22 changed files in this pull request and generated 6 comments.

Show a summary per file
File Description
schema.graphql Adds credential-creation mutations, inputs, payloads, and AivenPermission enum.
internal/naisapi/gql/generated.go Regenerated genqlient bindings for new mutations/types.
internal/opensearch/credentials.go Adds GraphQL client call for OpenSearch credentials creation.
internal/opensearch/command/flag/flag.go Adds --permission + --ttl flags + autocomplete for OpenSearch credentials.
internal/opensearch/command/credentials.go Implements nais opensearch credentials command and env-var output.
internal/opensearch/command/command.go Wires credentials into opensearch command tree.
internal/valkey/credentials.go Adds GraphQL client call for Valkey credentials creation.
internal/valkey/command/flag/flag.go Adds --permission + --ttl flags + autocomplete for Valkey credentials.
internal/valkey/command/credentials.go Implements nais valkey credentials command and env-var output.
internal/valkey/command/command.go Wires credentials into valkey command tree.
internal/kafka/credentials.go Adds GraphQL client call for Kafka credentials creation.
internal/kafka/command/flag/flag.go Adds --ttl and `--output env
internal/kafka/command/credentials.go Implements nais kafka credentials with env output and file-based kcat/java outputs.
internal/kafka/command/credentials_test.go Adds tests for writeCertFiles file creation + permissions.
internal/kafka/command/command.go Wires credentials into kafka command tree.
internal/application/application.go Reorders command registration (opensearch/valkey).
internal/aiven/command/tidy.go Marks tidy as deprecated.
internal/aiven/command/grant_access_topic.go Deprecates topic access grant command (replacement: kafka credentials).
internal/aiven/command/grant_access_stream.go Deprecates stream access grant command (no replacement).
internal/aiven/command/get.go Deprecates legacy aiven get command (no replacement).
internal/aiven/command/create_opensearch.go Deprecates legacy OpenSearch access command (replacement: opensearch credentials).
internal/aiven/command/create_kafka.go Deprecates legacy Kafka access command (replacement: kafka credentials).

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

@rbjornstad rbjornstad requested a review from Copilot March 16, 2026 14:54
Copilot AI reviewed Mar 16, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds new CLI flows for creating temporary Aiven service credentials (OpenSearch, Valkey, Kafka) via the nais-api GraphQL API, and deprecates the legacy nais aiven leaf commands that relied on Kubernetes secret access.

Changes:

  • Extend the GraphQL schema + generated client to support createOpenSearchCredentials, createValkeyCredentials, and createKafkaCredentials.
  • Add new CLI subcommands: opensearch credentials, valkey credentials, and kafka credentials (with env|kcat|java output formats for Kafka).
  • Mark relevant nais aiven leaf commands as deprecated with replacements where applicable.

Reviewed changes

Copilot reviewed 23 out of 23 changed files in this pull request and generated no comments.

Show a summary per file
File Description
schema.graphql Adds new mutations/types for temporary OpenSearch/Valkey/Kafka credentials and AivenPermission enum.
internal/naisapi/gql/generated.go Regenerates GraphQL client types and operations for the new credential mutations.
internal/opensearch/credentials.go Adds GraphQL-backed helper for creating OpenSearch credentials.
internal/opensearch/command/flag/flag.go Adds --permission / --ttl flags (with permission autocomplete) for OpenSearch credentials command.
internal/opensearch/command/credentials.go Implements nais opensearch credentials outputting env vars.
internal/opensearch/command/command.go Registers the new credentials subcommand.
internal/valkey/credentials.go Adds GraphQL-backed helper for creating Valkey credentials.
internal/valkey/command/flag/flag.go Adds --permission / --ttl flags (with permission autocomplete) for Valkey credentials command.
internal/valkey/command/credentials.go Implements nais valkey credentials outputting env vars.
internal/valkey/command/command.go Registers the new credentials subcommand.
internal/kafka/credentials.go Adds GraphQL-backed helper for creating Kafka credentials.
internal/kafka/command/flag/flag.go Adds --ttl and --output (autocomplete) for Kafka credentials.
internal/kafka/command/credentials.go Implements nais kafka credentials with env, kcat, and java output modes + temp-file writing.
internal/kafka/command/credentials_test.go Adds unit tests for Kafka credential output and temp-file writing behavior/permissions.
internal/kafka/command/command.go Registers the new credentials subcommand.
internal/application/application.go Reorders top-level command registration to include/position updated service commands.
internal/aiven/permission.go Adds shared permission validation helper for new commands.
internal/aiven/command/*.go Deprecates legacy nais aiven leaf commands with replacements where applicable.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

@rbjornstad rbjornstad merged commit 979b4bc into main Mar 16, 2026
23 checks passed
@rbjornstad rbjornstad deleted the aiven_credentials branch March 16, 2026 15:21
@jhrv jhrv mentioned this pull request Mar 17, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rbjornstad rbjornstad rbjornstad left review comments

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jhrv @rbjornstad