feat: service discovery improvements

Author: evansims

config.integration.yaml

@@ -1,13 +1,21 @@
 # InferaDB Management API Configuration - Integration Tests
 # This config is optimized for Docker container E2E testing
 
-frontend_base_url: "http://localhost:3000"
+frontend_base_url: "http://localhost:9090"
 
 server:
+  # Public REST API server
   host: "0.0.0.0" # Bind to all interfaces for Docker
-  port: 8081 # Match docker-compose exposed port
+  port: 9090
+
+  # Public gRPC API server
   grpc_host: "0.0.0.0"
-  grpc_port: 8082
+  grpc_port: 9091
+
+  # Internal/Private REST API server
+  internal_host: "0.0.0.0"
+  internal_port: 9092
+
   worker_threads: 2 # Reduced for test environment
 
 storage:
@@ -23,7 +31,7 @@ auth:
   webauthn:
     rp_id: "localhost"
     rp_name: "InferaDB Test"
-    origin: "http://localhost:3000"
+    origin: "http://localhost:9090"
 
 email:
   smtp_host: "localhost"
@@ -45,16 +53,19 @@ observability:
 id_generation:
   worker_id: 0
 
-server_api:
-  grpc_endpoint: "http://server:8080" # Docker service name
+# Policy service (server) configuration for Kubernetes
+# Discovery mode discovers all server pod IPs
+policy_service:
+  service_url: "http://inferadb-server.inferadb"
+  grpc_port: 8081
+  internal_port: 8082
   tls_enabled: false
 
 identity:
   service_id: "management-integration-test"
   kid: "mgmt-test-2024"
 
 cache_invalidation:
-  server_internal_url: "http://inferadb-server.inferadb:9090"
   timeout_ms: 5000
   retry_attempts: 0
 

config.production.yaml

@@ -8,13 +8,17 @@
 
 # Server configuration
 server:
-  # HTTP server binding
+  # Public REST API server binding
   host: "0.0.0.0"
-  port: 3000
+  port: 9090
 
-  # gRPC server binding
+  # Public gRPC API server binding
   grpc_host: "0.0.0.0"
-  grpc_port: 3001
+  grpc_port: 9091
+
+  # Internal/Private REST API server binding
+  internal_host: "0.0.0.0"
+  internal_port: 9092
 
   # Worker threads (recommended: number of CPU cores)
   worker_threads: 8
@@ -110,11 +114,20 @@ id_generation:
   # Example: ${WORKER_ID}
   worker_id: 0
 
-# Server API (InferaDB policy engine) configuration
-server_api:
-  # gRPC endpoint for policy engine
-  # In production, use TLS-enabled endpoint
-  grpc_endpoint: "https://policy-engine.example.com:8080"
+# Policy service (server) configuration
+# All server instances are discovered from this base URL + ports
+# In production with Kubernetes/Tailscale discovery, set discovery.mode appropriately
+policy_service:
+  # Base service URL (without port)
+  # For Kubernetes: use the k8s service name (e.g., "http://inferadb-server.inferadb")
+  # For direct connection: use the host (e.g., "https://policy-engine.example.com")
+  service_url: "https://policy-engine.example.com"
+
+  # gRPC port for policy engine communication
+  grpc_port: 8081
+
+  # Internal/Private HTTP port for webhooks and JWKS
+  internal_port: 8082
 
   # Enable TLS for policy engine communication
   tls_enabled: true

config.yaml

@@ -1,24 +1,23 @@
 # InferaDB Management API Configuration
 
 # Frontend base URL for email verification and password reset links
-# Development: http://localhost:3000
+# Development: http://localhost:9090
 # Production: https://app.inferadb.com
-frontend_base_url: "http://localhost:3000"
+frontend_base_url: "http://localhost:9090"
 
 server:
-  # Public server (client-facing traffic - web, CLI, SDK)
+  # Public REST API server (client-facing traffic - web, CLI, SDK)
   host: "127.0.0.1"
-  port: 3000
+  port: 9090
 
-  # Internal server (server-to-server communication)
-  # Always enabled for network-level security isolation
+  # Public gRPC API server
+  grpc_host: "127.0.0.1"
+  grpc_port: 9091
+
+  # Internal/Private REST API server (server-to-server communication)
   # Runs a separate HTTP server for internal endpoints (JWKS)
   internal_host: "0.0.0.0"
-  internal_port: 9091 # Server uses 9090, Management uses 9091
-
-  # gRPC server configuration
-  grpc_host: "127.0.0.1"
-  grpc_port: 3001
+  internal_port: 9092
 
   worker_threads: 4
 
@@ -37,7 +36,7 @@ auth:
   webauthn:
     rp_id: "localhost"
     rp_name: "InferaDB"
-    origin: "http://localhost:3000"
+    origin: "http://localhost:9090"
   # Set via environment variable: INFERADB_MGMT__AUTH__KEY_ENCRYPTION_SECRET
   # key_encryption_secret: "your-secret-key-here"
 
@@ -64,6 +63,10 @@ observability:
 id_generation:
   worker_id: 0
 
-server_api:
-  grpc_endpoint: "http://localhost:8080"
+# Policy service (server) configuration
+# All server instances are discovered from this base URL + ports
+policy_service:
+  service_url: "http://localhost"
+  grpc_port: 8081
+  internal_port: 8082
   tls_enabled: false

crates/inferadb-management-api/src/handlers/auth.rs

@@ -195,13 +195,15 @@ id_generation:
   worker_id: 0
   max_clock_skew_ms: 1000
 
-server_api:
-  grpc_endpoint: "http://localhost:8080"
+policy_service:
+  service_url: "http://localhost"
+  grpc_port: 8080
+  internal_port: 9090
   tls_enabled: false
 "#;
 
         let config: ManagementConfig = serde_yaml::from_str(config_str).unwrap();
-        let server_client = ServerApiClient::new("http://localhost:8080".to_string()).unwrap();
+        let server_client = ServerApiClient::new("http://localhost".to_string(), 8080).unwrap();
 
         // Create mock email service for testing
         let email_sender = Box::new(inferadb_management_core::MockEmailSender::new());

crates/inferadb-management-api/src/middleware/server_auth.rs

@@ -139,12 +139,11 @@ pub async fn require_server_jwt(
 
     let kid = header.kid.ok_or_else(|| CoreError::Auth("JWT missing kid claim".to_string()))?;
 
-    // Derive server JWKS URL from server_api.grpc_endpoint
+    // Derive server JWKS URL from policy_service config
     // The JWKS endpoint is at /.well-known/jwks.json on the server's internal port
-    // server_api.grpc_endpoint typically points to the server's internal port
     let server_jwks_url = format!(
         "{}/.well-known/jwks.json",
-        state.config.server_api.grpc_endpoint.trim_end_matches('/')
+        state.config.effective_internal_url()
     );
 
     // Fetch JWKS and find the key