feat: add label configuration and validation for key specs

cmd/root/main.go

@@ -99,7 +99,7 @@ func loadConfig() *config.RootConfig {
 				StartKind: "K0",
 				EndKind:   "K1",
 			},
-			Labels: spec.Labels{
+			SelectorLabels: spec.SelectorLabels{
 				"environment": "production",
 			},
 			KeyBindings: map[string]spec.KeyBinding{
@@ -153,7 +153,7 @@ func loadConfig() *config.RootConfig {
 								},
 							},
 						},
-						Labels: spec.Labels{
+						SelectorLabels: spec.SelectorLabels{
 							"cloud": "aws",
 						},
 					},

internal/config/config.go

@@ -40,14 +40,14 @@ type KryptonRoot struct {
 
 // RootConfig is the complete configuration for the root instance combining hierarchy and topology.
 type RootConfig struct {
-	Name        string                     `yaml:"name"`
-	Role        spec.AgentRole             `yaml:"role"`
-	Segment     spec.HierarchySegment      `yaml:"segment"`
-	Labels      spec.Labels                `yaml:"labels,omitempty"`
-	KeyBindings map[string]spec.KeyBinding `yaml:"key_bindings"`
-	Hierarchy   spec.KeyHierarchy          `yaml:"hierarchy"`
-	Topology    spec.Topology              `yaml:"topology"`
-	Reconciler  ReconcilerConfig           `yaml:"reconciler"`
+	Name           string                     `yaml:"name"`
+	Role           spec.AgentRole             `yaml:"role"`
+	Segment        spec.HierarchySegment      `yaml:"segment"`
+	SelectorLabels spec.SelectorLabels        `yaml:"selector_labels,omitempty"`
+	KeyBindings    map[string]spec.KeyBinding `yaml:"key_bindings"`
+	Hierarchy      spec.KeyHierarchy          `yaml:"hierarchy"`
+	Topology       spec.Topology              `yaml:"topology"`
+	Reconciler     ReconcilerConfig           `yaml:"reconciler"`
 }
 
 // AgentBootstrapConfig is the minimal configuration that agents load from file on startup. It contains just enough information to connect to root.

internal/config/config_test.go

@@ -18,7 +18,7 @@ func validRootConfig() *RootConfig {
 			StartKind: "K0",
 			EndKind:   "K1",
 		},
-		Labels: spec.Labels{"env": "prod"},
+		SelectorLabels: spec.SelectorLabels{"env": "prod"},
 		KeyBindings: map[string]spec.KeyBinding{
 			"K0": {
 				Vault: spec.VaultSpec{Name: "v", Type: "aws-kms"},
@@ -31,8 +31,20 @@ func validRootConfig() *RootConfig {
 		Hierarchy: spec.KeyHierarchy{
 			Name: "h",
 			KeySpecs: []spec.KeySpec{
-				{Kind: "K0", Role: spec.KeyRoleRoot, Algorithm: spec.KeyAlgorithmAES256},
-				{Kind: "K1", Role: spec.KeyRoleDek, Algorithm: spec.KeyAlgorithmAES256},
+				{
+					Kind: "K0", Role: spec.KeyRoleRoot, Algorithm: spec.KeyAlgorithmAES256,
+					LabelsSpec: spec.LabelsSpec{AllowUserLabels: true},
+				},
+				{
+					Kind: "K1", Role: spec.KeyRoleDek, Algorithm: spec.KeyAlgorithmAES256,
+					LabelsSpec: spec.LabelsSpec{
+						Requirements: map[string]spec.LabelRequirement{
+							"env": {
+								IsRequired: true,
+							},
+						},
+					},
+				},
 			},
 		},
 		Topology: spec.Topology{},
@@ -103,6 +115,22 @@ func TestValidateRootConfig(t *testing.T) {
 			},
 			wantErr: spec.ErrAgentNameEmpty,
 		},
+		{
+			name: "invalid LabelsSpec in hierarchy",
+			modify: func(c *RootConfig) {
+				c.Hierarchy.KeySpecs[0].LabelsSpec = spec.LabelsSpec{
+					Requirements: map[string]spec.LabelRequirement{
+						"env": {
+							IsRequired: true,
+							Validator: &spec.LabelValidator{
+								Type: "invalid",
+							},
+						},
+					},
+				}
+			},
+			wantErr: spec.ErrLabelValidatorInvalidType,
+		},
 		{
 			name:    "invalid segment",
 			modify:  func(c *RootConfig) { c.Segment.StartKind = "" },
@@ -129,9 +157,9 @@ func TestValidateRootConfig(t *testing.T) {
 				c.Hierarchy = spec.KeyHierarchy{
 					Name: "h",
 					KeySpecs: []spec.KeySpec{
-						{Kind: "K0", Role: spec.KeyRoleRoot, Algorithm: spec.KeyAlgorithmAES256},
-						{Kind: "K1", Role: spec.KeyRoleKek, Algorithm: spec.KeyAlgorithmAES256},
-						{Kind: "K2", Role: spec.KeyRoleDek, Algorithm: spec.KeyAlgorithmAES256},
+						{Kind: "K0", Role: spec.KeyRoleRoot, Algorithm: spec.KeyAlgorithmAES256, LabelsSpec: validLabelsSpec()},
+						{Kind: "K1", Role: spec.KeyRoleKek, Algorithm: spec.KeyAlgorithmAES256, LabelsSpec: validLabelsSpec()},
+						{Kind: "K2", Role: spec.KeyRoleDek, Algorithm: spec.KeyAlgorithmAES256, LabelsSpec: validLabelsSpec()},
 					},
 				}
 				c.Segment = spec.HierarchySegment{StartKind: "K1", EndKind: "K2"}
@@ -149,9 +177,9 @@ func TestValidateRootConfig(t *testing.T) {
 				c.Hierarchy = spec.KeyHierarchy{
 					Name: "h",
 					KeySpecs: []spec.KeySpec{
-						{Kind: "K0", Role: spec.KeyRoleRoot, Algorithm: spec.KeyAlgorithmAES256},
-						{Kind: "K1", Role: spec.KeyRoleTek, Algorithm: spec.KeyAlgorithmAES256},
-						{Kind: "K2", Role: spec.KeyRoleDek, Algorithm: spec.KeyAlgorithmAES256},
+						{Kind: "K0", Role: spec.KeyRoleRoot, Algorithm: spec.KeyAlgorithmAES256, LabelsSpec: validLabelsSpec()},
+						{Kind: "K1", Role: spec.KeyRoleTek, Algorithm: spec.KeyAlgorithmAES256, LabelsSpec: validLabelsSpec()},
+						{Kind: "K2", Role: spec.KeyRoleDek, Algorithm: spec.KeyAlgorithmAES256, LabelsSpec: validLabelsSpec()},
 					},
 				}
 				c.Segment = spec.HierarchySegment{StartKind: "K0", EndKind: "K1"}
@@ -169,9 +197,9 @@ func TestValidateRootConfig(t *testing.T) {
 				c.Hierarchy = spec.KeyHierarchy{
 					Name: "h",
 					KeySpecs: []spec.KeySpec{
-						{Kind: "K0", Role: spec.KeyRoleRoot, Algorithm: spec.KeyAlgorithmAES256},
-						{Kind: "K1", Role: spec.KeyRoleKek, Algorithm: spec.KeyAlgorithmAES256},
-						{Kind: "K2", Role: spec.KeyRoleDek, Algorithm: spec.KeyAlgorithmAES256},
+						{Kind: "K0", Role: spec.KeyRoleRoot, Algorithm: spec.KeyAlgorithmAES256, LabelsSpec: validLabelsSpec()},
+						{Kind: "K1", Role: spec.KeyRoleKek, Algorithm: spec.KeyAlgorithmAES256, LabelsSpec: validLabelsSpec()},
+						{Kind: "K2", Role: spec.KeyRoleDek, Algorithm: spec.KeyAlgorithmAES256, LabelsSpec: validLabelsSpec()},
 					},
 				}
 				c.Segment = spec.HierarchySegment{StartKind: "K0", EndKind: "K1"}
@@ -199,10 +227,10 @@ func TestValidateRootConfig(t *testing.T) {
 				c.Hierarchy = spec.KeyHierarchy{
 					Name: "h",
 					KeySpecs: []spec.KeySpec{
-						{Kind: "K0", Role: spec.KeyRoleRoot, Algorithm: spec.KeyAlgorithmAES256},
-						{Kind: "K1", Role: spec.KeyRoleKek, Algorithm: spec.KeyAlgorithmAES256},
-						{Kind: "K2", Role: spec.KeyRoleTek, Algorithm: spec.KeyAlgorithmAES256},
-						{Kind: "K3", Role: spec.KeyRoleDek, Algorithm: spec.KeyAlgorithmAES256},
+						{Kind: "K0", Role: spec.KeyRoleRoot, Algorithm: spec.KeyAlgorithmAES256, LabelsSpec: validLabelsSpec()},
+						{Kind: "K1", Role: spec.KeyRoleKek, Algorithm: spec.KeyAlgorithmAES256, LabelsSpec: validLabelsSpec()},
+						{Kind: "K2", Role: spec.KeyRoleTek, Algorithm: spec.KeyAlgorithmAES256, LabelsSpec: validLabelsSpec()},
+						{Kind: "K3", Role: spec.KeyRoleDek, Algorithm: spec.KeyAlgorithmAES256, LabelsSpec: validLabelsSpec()},
 					},
 				}
 				c.Segment = spec.HierarchySegment{StartKind: "K0", EndKind: "K1"}
@@ -291,7 +319,7 @@ role: "root"
 segment:
   start_kind: "K0"
   end_kind: "K1"
-labels:
+selector_labels:
   environment: "production"
 key_bindings:
   K0:
@@ -310,15 +338,37 @@ hierarchy:
     - kind: "K0"
       role: "root"
       algorithm: "AES256"
+      labels_spec:
+        allow_user_labels: true
     - kind: "K1"
       role: "kek"
       algorithm: "AES256"
+      labels_spec:
+        allow_user_labels: true
     - kind: "K2"
       role: "tek"
       algorithm: "AES256"
+      labels_spec:
+        allow_user_labels: true
+        requirements:
+          type:
+            is_required: true
+            validator:
+              type: enum
+              params:
+                values: "production,staging,development"
     - kind: "K3"
       role: "dek"
       algorithm: "AES256"
+      labels_spec:
+        allow_user_labels: true
+        requirements:
+          env:
+            is_required: true
+            validator:
+              type: regex
+              params:
+                pattern: "^(production|staging|development)$"
 topology:
   segments:
     - name: "agent-aws"
@@ -336,7 +386,7 @@ topology:
           vault:
             name: "aws-dek-vault"
             type: "in-memory"
-      labels:
+      selector_labels:
         cloud: "aws"
 reconciler:
   maxReconcileCount: 7
@@ -361,7 +411,7 @@ reconciler:
 				assert.Equal(t, spec.AgentRole("root"), cfg.Role)
 				assert.Equal(t, "K0", cfg.Segment.StartKind)
 				assert.Equal(t, "K1", cfg.Segment.EndKind)
-				assert.Equal(t, "production", cfg.Labels["environment"])
+				assert.Equal(t, "production", cfg.SelectorLabels["environment"])
 				assert.Len(t, cfg.KeyBindings, 2)
 				assert.Equal(t, "root-hsm-vault", cfg.KeyBindings["K0"].Vault.Name)
 				assert.Equal(t, "root-vault", cfg.KeyBindings["K1"].Vault.Name)
@@ -511,3 +561,9 @@ krypton_root:
 		assert.Contains(t, err.Error(), "failed to read file")
 	})
 }
+
+func validLabelsSpec() spec.LabelsSpec {
+	return spec.LabelsSpec{
+		AllowUserLabels: true,
+	}
+}

internal/spec/agent.go

@@ -13,24 +13,24 @@ var (
 
 // AgentConfig represents the configuration for an agent, including its name, key bindings, segment, labels, role, hierarchy, and keep-alive settings.
 type AgentConfig struct {
-	Name        string                `json:"name"`
-	KeyBindings map[string]KeyBinding `json:"key_bindings"`
-	Segment     HierarchySegment      `json:"segment"`
-	Labels      Labels                `json:"labels"`
-	Role        AgentRole             `json:"role"`
-	Hierarchy   KeyHierarchy          `json:"hierarchy"`
-	KeepAlive   KeepAliveConfig       `json:"keep_alive"`
+	Name           string                `json:"name"`
+	KeyBindings    map[string]KeyBinding `json:"key_bindings"`
+	Segment        HierarchySegment      `json:"segment"`
+	SelectorLabels SelectorLabels        `json:"selector_labels"`
+	Role           AgentRole             `json:"role"`
+	Hierarchy      KeyHierarchy          `json:"hierarchy"`
+	KeepAlive      KeepAliveConfig       `json:"keep_alive"`
 }
 
 // NewAgentConfig creates a new AgentConfig based on the provided KeyHierarchy and TopologySegment.
 func NewAgentConfig(h KeyHierarchy, seg TopologySegment) AgentConfig {
 	return AgentConfig{
-		Name:        seg.Name,
-		KeyBindings: seg.KeyBindings,
-		Segment:     seg.Segment,
-		Labels:      seg.Labels,
-		Role:        DefaultRole,
-		Hierarchy:   h,
-		KeepAlive:   30,
+		Name:           seg.Name,
+		KeyBindings:    seg.KeyBindings,
+		Segment:        seg.Segment,
+		SelectorLabels: seg.SelectorLabels,
+		Role:           DefaultRole,
+		Hierarchy:      h,
+		KeepAlive:      30,
 	}
 }

internal/spec/agent_test.go

@@ -11,8 +11,8 @@ import (
 func TestNewAgentConfig(t *testing.T) {
 	// given
 	topologySegment := spec.TopologySegment{
-		Name:   "segment1",
-		Labels: map[string]string{"region": "us-west"},
+		Name:           "segment1",
+		SelectorLabels: map[string]string{"region": "us-west"},
 		Segment: spec.HierarchySegment{
 			StartKind: "K2",
 			EndKind:   "K2",
@@ -21,7 +21,6 @@ func TestNewAgentConfig(t *testing.T) {
 			"binding1": {
 				Vault:             spec.VaultSpec{},
 				ParentKeyProvider: &spec.ParentKeyProviderRef{},
-				Labels:            spec.Labels{},
 			},
 		},
 	}
@@ -42,13 +41,13 @@ func TestNewAgentConfig(t *testing.T) {
 	}
 
 	expConfig := spec.AgentConfig{
-		Name:        "segment1",
-		KeyBindings: topologySegment.KeyBindings,
-		Segment:     topologySegment.Segment,
-		Labels:      topologySegment.Labels,
-		Role:        spec.DefaultRole,
-		Hierarchy:   expHierarchy,
-		KeepAlive:   30,
+		Name:           "segment1",
+		KeyBindings:    topologySegment.KeyBindings,
+		Segment:        topologySegment.Segment,
+		SelectorLabels: topologySegment.SelectorLabels,
+		Role:           spec.DefaultRole,
+		Hierarchy:      expHierarchy,
+		KeepAlive:      30,
 	}
 
 	// when

internal/spec/export_test.go

@@ -1,6 +1,10 @@
 package spec
 
 var (
-	ValidKeyUsageNames = validKeyUsageNames
-	ValidKeyUsages     = validKeyUsages
+	ValidKeyUsageNames     = validKeyUsageNames
+	ValidKeyUsages         = validKeyUsages
+	InitLabelsSpec         = (*LabelsSpec).init
+	InitLabelRequirement   = (*LabelRequirement).init
+	InitLabelValidator     = (*LabelValidator).init
+	ValidateLabelValidator = (*LabelValidator).validate
 )