workloadmanager: prefer ENV for Router public key with Secret fallback

[aaradhychinche-alt]

This PR completes the fix proposed in Issue #60 by making WorkloadManager prefer loading the Router public key from an environment variable, while keeping the existing Secret-based mechanism as a fallback for backward compatibility.

Previously, although PicoD already supported ENV-based public key loading and CodeInterpreter sandboxes received the key via environment variables, WorkloadManager still depended on polling the picod-router-identity Secret. This created namespace coupling and operational complexity in multi-controller setups.

Changes included
Core logic

Added AGENTCUBE_ROUTER_PUBLIC_KEY as the preferred source for Router’s public key.

Introduced ENV-first loading logic with fallback to Secret polling.

Added clear logging to indicate whether ENV or Secret was used.

Added workloadmanager.routerPublicKey to Helm values.

Updated WorkloadManager template to inject the ENV variable when configured.

Documentation :-

Updated PicoD authentication design docs to reflect the new ENV-first flow.

Added usage examples and migration guidance.

fixes #60

[volcano-sh-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign kevin-wangzefeng for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[gemini-code-assist]

Summary of Changes

Hello @aaradhychinche-alt, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly refactors the WorkloadManager's public key retrieval process, introducing a more efficient and flexible environment variable-first approach. This change addresses operational complexities and namespace coupling previously associated with relying solely on Kubernetes Secrets for the Router's public key. By providing a clear preference for environment variables while maintaining a robust fallback to Secret polling, the PR enhances system startup performance and simplifies deployment configurations, all while ensuring full backward compatibility for existing setups.

Highlights

• Environment Variable Preference: WorkloadManager now prioritizes loading the Router public key from the AGENTCUBE_ROUTER_PUBLIC_KEY environment variable, offering a faster and more direct configuration method.
• Secret Fallback Mechanism: The existing method of polling the picod-router-identity Secret is retained as a robust fallback, ensuring full backward compatibility for current deployments.
• Helm Chart Integration: Helm charts (values.yaml and workloadmanager.yaml) have been updated to seamlessly support the injection of the public key via the new environment variable, simplifying deployment configurations.
• Enhanced Documentation: A new QUICK_REFERENCE.md file and updates to PicoD-Plain-Authentication-Design.md provide comprehensive guidance, including usage examples, verification steps, and a detailed comparison of benefits.
• Operational Improvements: This change aims to improve system startup speed, simplify operational procedures, and reduce namespace coupling by providing a direct environment variable injection method for the public key.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request effectively introduces a new, preferred method for configuring the Router's public key via an environment variable, while maintaining backward compatibility by falling back to the existing Secret-based approach. The core logic changes in Go and the Helm chart updates are well-implemented. The new QUICK_REFERENCE.md is a great addition for usability.

My review focuses on a few key areas for improvement:

1. Correctness: There's a bug in loadPublicKeyFromEnv where an environment variable containing only whitespace is incorrectly treated as a valid key, which could lead to runtime failures.
2. Documentation Accuracy: The design document (PicoD-Plain-Authentication-Design.md) has several inconsistencies with the actual implementation. It incorrectly refers to ConfigMap instead of Secret, uses the wrong resource name, and misrepresents how the public key is injected into pods.

Addressing these points will improve the robustness and clarity of this new feature.

[volcano-sh-bot]

Keywords which can automatically close issues and at(@) or hashtag(#) mentions are not allowed in commit messages.

The list of commits with invalid commit messages:

• fc5a0fe Update pkg/workloadmanager/workload_builder.go
• 6ef0d0d Update docs/design/PicoD-Plain-Authentication-Design.md
• 9e6f8ae Update docs/design/PicoD-Plain-Authentication-Design.md
• 14f8243 Update docs/design/PicoD-Plain-Authentication-Design.md

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

❌ Patch coverage is 0% with 13 lines in your changes missing coverage. Please review.
⚠️ Please upload report for BASE (main@ecea52a). Learn more about missing BASE report.

Files with missing lines	Patch %	Lines
pkg/workloadmanager/workload_builder.go	0.00%	13 Missing ⚠️
❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #171   +/-   ##
=======================================
  Coverage        ?   34.19%           
=======================================
  Files           ?       29           
  Lines           ?     2544           
  Branches        ?        0           
=======================================
  Hits            ?      870           
  Misses          ?     1551           
  Partials        ?      123           

Flag	Coverage Δ
unittests	34.19% <0.00%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.