[PR #1622] Modkit OoP requirments and draft design#1520
Conversation
orivaris
commented
May 26, 2026
- Add PRD, design document, and ADRs (0002–0007) for the Modkit distributed platform. Signed-off-by: Mike Yastrebtsov <3686170+MikeFalcon77@users.noreply.github.com>
Signed-off-by: Mike Yastrebtsov <3686170+MikeFalcon77@users.noreply.github.com>
|
coderabbitai[bot] commented on 2026-04-26T20:33:05Z: Important Review skippedDraft detected. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
codacy-production[bot] commented on 2026-04-26T20:34:32Z: Up to standards ✅🟢 Issues
|
|
MikeFalcon77 commented on 2026-05-20T11:33:49Z: Let's continue here: #3436 |
|
nonameffh reviewed I cannot agree that internal transport must necessarily be considered secure - it depends on a security model. Furthermore, the current wording implies that any subsystem capable of establishing a TCP connection with the OoP module can issue an arbitrary |
|
nonameffh reviewed I would suggest to extend profile-specific mechanisms by JWT authentication, service-to-service calls can be also done using JWT with specific subject type and id |
|
nonameffh reviewed The validation order is not specified: must the module first validate |
|
nonameffh reviewed The enablement of these endpoints should be configurable. In our company probes, metrics and any other debugging endpoints live on a separate port that's not exposed through K8s Service resources. |
|
nonameffh reviewed This ADR covers only inital phase, what about readiness management for graceful shutdown (readiness→false before shutting down the service), dependency failures, graceful degradation? Readiness isn't a simple "all dependencies are up" - it should represent "this instance can really handle a request" (for example, DB connection alive, we're not in shutdown, Redis isn't alive but we can handle that according to the graceful degradation model -> we're ready to handle requests) |
|
nonameffh reviewed For startup gate we can use also K8s |
|
nonameffh reviewed How the drain order is organized, especially for the case when ModuleA depends on ModuleB and to properly drain in-flight jobs it needs ModuleB to be drained after ModuleA? |
|
striped-zebra-dev reviewed How do we validate that a particular serialized security context is a derivative of a particular token? |
|
striped-zebra-dev reviewed If attacker has a token (any token, like a user's one) it can create a fake security context (above the user level) pass both to the |
|
striped-zebra-dev reviewed Sounds like DMZ |
|
striped-zebra-dev reviewed Well-known case: https://spring.io/blog/2020/03/25/liveness-and-readiness-probes-with-spring-boot |
|
striped-zebra-dev reviewed I believe we could utilize Rust type system and avoid three |
|
striped-zebra-dev reviewed I found it quite unexpected section, it is not really clear when we generate this client and how we use that. |
|
MikeFalcon77 reviewed addressed in #3436 |
|
MikeFalcon77 reviewed addressed in #3436 |
|
MikeFalcon77 reviewed addressed in #3436 |
|
MikeFalcon77 reviewed addressed in #3436 |
|
MikeFalcon77 reviewed addressed in #3436 |
|
MikeFalcon77 reviewed addressed in #3436 |
|
MikeFalcon77 reviewed addressed in #3436 |
|
MikeFalcon77 reviewed Closed at the connection level via mTLS (ADR-0002 + ADR-0008): peer identity is validated during the TLS handshake before Inside the trust domain, for example a compromised ModKit module, additional protection is provided by
|
|
MikeFalcon77 reviewed called it DMZ :) |
|
MikeFalcon77 reviewed mTLS at the connection level (see ADR-0002/0008 update) - now any non-ModKit peer fails during the handshake. Plain TCP listeners are forbidden. What is NOT covered yet and requires a separate design decision: signed/bound secctx. Options: (a) HMAC using a secret from Flight Control, (b) JWT-claim binding to the bearer token, (c) relying on mTLS as the primary defense and explicitly narrowing the threat model. This is a PRD-level security choice, so I’m moving it into a separate PR instead of patching it ad hoc here. |
|
MikeFalcon77 reviewed I've extended this ADR |
|
MikeFalcon77 reviewed It will be covered by another design (modkit contracts) |