fix workload manager review comment

Signed-off-by: tjucoder <chinesecoder@foxmail.com>

Author: tjucoder

Makefile

@@ -153,39 +153,39 @@ install: build
 	sudo cp bin/workloadmanager /usr/local/bin/
 
 # Docker image variables
-APISERVER_IMAGE ?= workloadmanager:latest
+WORKLOAD_MANAGER_IMAGE ?= workloadmanager:latest
 ROUTER_IMAGE ?= agentcube-router:latest
 IMAGE_REGISTRY ?= ""
 
 # Docker and Kubernetes targets
 docker-build:
 	@echo "Building Docker image..."
-	docker build -t $(APISERVER_IMAGE) .
+	docker build -t $(WORKLOAD_MANAGER_IMAGE) .
 
 # Multi-architecture build (supports amd64, arm64)
 docker-buildx:
 	@echo "Building multi-architecture Docker image..."
-	docker buildx build --platform linux/amd64,linux/arm64 -t $(APISERVER_IMAGE) .
+	docker buildx build --platform linux/amd64,linux/arm64 -t $(WORKLOAD_MANAGER_IMAGE) .
 
 # Multi-architecture build and push
 docker-buildx-push:
 	@if [ -z "$(IMAGE_REGISTRY)" ]; then \
 		echo "Error: IMAGE_REGISTRY not set. Usage: make docker-buildx-push IMAGE_REGISTRY=your-registry.com"; \
 		exit 1; \
 	fi
-	@echo "Building and pushing multi-architecture Docker image to $(IMAGE_REGISTRY)/$(APISERVER_IMAGE)..."
+	@echo "Building and pushing multi-architecture Docker image to $(IMAGE_REGISTRY)/$(WORKLOAD_MANAGER_IMAGE)..."
 	docker buildx build --platform linux/amd64,linux/arm64 \
-		-t $(IMAGE_REGISTRY)/$(APISERVER_IMAGE) \
+		-t $(IMAGE_REGISTRY)/$(WORKLOAD_MANAGER_IMAGE) \
 		--push .
 
 docker-push: docker-build
 	@if [ -z "$(IMAGE_REGISTRY)" ]; then \
 		echo "Error: IMAGE_REGISTRY not set. Usage: make docker-push IMAGE_REGISTRY=your-registry.com"; \
 		exit 1; \
 	fi
-	@echo "Tagging and pushing Docker image to $(IMAGE_REGISTRY)/$(APISERVER_IMAGE)..."
-	docker tag $(APISERVER_IMAGE) $(IMAGE_REGISTRY)/$(APISERVER_IMAGE)
-	docker push $(IMAGE_REGISTRY)/$(APISERVER_IMAGE)
+	@echo "Tagging and pushing Docker image to $(IMAGE_REGISTRY)/$(WORKLOAD_MANAGER_IMAGE)..."
+	docker tag $(WORKLOAD_MANAGER_IMAGE) $(IMAGE_REGISTRY)/$(WORKLOAD_MANAGER_IMAGE)
+	docker push $(IMAGE_REGISTRY)/$(WORKLOAD_MANAGER_IMAGE)
 
 k8s-deploy:
 	@echo "Deploying to Kubernetes..."
@@ -202,7 +202,7 @@ k8s-logs:
 # Load image to kind cluster
 kind-load:
 	@echo "Loading image to kind..."
-	kind load docker-image $(APISERVER_IMAGE)
+	kind load docker-image $(WORKLOAD_MANAGER_IMAGE)
 
 # Router Docker targets
 docker-build-router:

cmd/workload-manager/main.go

@@ -41,6 +41,7 @@ func main() {
 		enableTLS        = flag.Bool("enable-tls", false, "Enable TLS (HTTPS)")
 		tlsCert          = flag.String("tls-cert", "", "Path to TLS certificate file")
 		tlsKey           = flag.String("tls-key", "", "Path to TLS key file")
+		enableAuth       = flag.Bool("enable-auth", false, "Enable Authentication")
 	)
 
 	// Parse command line flags
@@ -83,6 +84,7 @@ func main() {
 		EnableTLS:        *enableTLS,
 		TLSCert:          *tlsCert,
 		TLSKey:           *tlsKey,
+		EnableAuth:       *enableAuth,
 	}
 
 	// Create and initialize API server

pkg/common/types/sandbox.go

@@ -6,10 +6,10 @@ import (
 )
 
 type SandboxRedis struct {
+	Kind             string               `json:"kind"`
 	SandboxID        string               `json:"sandboxId"`
 	SandboxNamespace string               `json:"sandboxNamespace"`
-	SandboxName      string               `json:"sandboxName"`
-	SandboxClaimName string               `json:"sandboxClaimName"`
+	Name             string               `json:"name"`
 	EntryPoints      []SandboxEntryPoints `json:"entryPoints"`
 	SessionID        string               `json:"sessionId"`
 	CreatedAt        time.Time            `json:"createdAt"`
@@ -26,12 +26,13 @@ type SandboxEntryPoints struct {
 }
 
 type CreateSandboxRequest struct {
-	Kind      string            `json:"kind"`
-	Name      string            `json:"name"`
-	Namespace string            `json:"namespace"`
-	Auth      Auth              `json:"auth"`
-	Metadata  map[string]string `json:"metadata"`
-	PublicKey string            `json:"publicKey,omitempty"`
+	Kind               string            `json:"kind"`
+	Name               string            `json:"name"`
+	Namespace          string            `json:"namespace"`
+	Auth               Auth              `json:"auth"`
+	Metadata           map[string]string `json:"metadata"`
+	PublicKey          string            `json:"publicKey,omitempty"`
+	InitTimeoutSeconds int               `json:"initTimeoutSeconds,omitempty"`
 }
 
 type Auth struct {

pkg/common/types/types.go

@@ -3,4 +3,6 @@ package types
 const (
 	AgentRuntimeKind    = "AgentRuntime"
 	CodeInterpreterKind = "CodeInterpreter"
+	SandboxKind         = "Sandbox"
+	SandboxClaimsKind   = "SandboxClaim"
 )

pkg/redis/client_test.go

@@ -31,7 +31,7 @@ func newTestClient(t *testing.T) (*client, *miniredis.Miniredis) {
 func newTestSandbox(id string, sessionID string, expiresAt time.Time) *types.SandboxRedis {
 	return &types.SandboxRedis{
 		SandboxID:   id,
-		SandboxName: "test-sandbox-" + id,
+		Name:        "test-sandbox-" + id,
 		EntryPoints: nil,
 		SessionID:   sessionID,
 		CreatedAt:   time.Now().UTC(),
@@ -55,7 +55,7 @@ func TestClient_StoreSandbox(t *testing.T) {
 	sandboxRedis := &types.SandboxRedis{
 		SessionID:        "session-id-TestClient_StoreSandbox-01",
 		SandboxNamespace: "agent-cube",
-		SandboxName:      "fake-sandbox-01",
+		Name:             "fake-sandbox-01",
 		ExpiresAt:        time.Now(),
 	}
 	err := c.StoreSandbox(ctx, sandboxRedis, time.Hour)
@@ -72,7 +72,7 @@ func TestClient_UpdateSandbox(t *testing.T) {
 	sandboxRedis := &types.SandboxRedis{
 		SessionID:        "session-id-TestClient_StoreSandbox-02",
 		SandboxNamespace: "agent-cube",
-		SandboxName:      "fake-sandbox-01",
+		Name:             "fake-sandbox-01",
 		ExpiresAt:        time.Now(),
 	}
 	err := c.UpdateSandbox(ctx, sandboxRedis, time.Hour)

pkg/workloadmanager/auth.go

@@ -63,12 +63,7 @@ const (
 
 // authMiddleware provides service account token authentication middleware
 func (s *Server) authMiddleware(c *gin.Context) {
-	if !s.enableAuth {
-		c.Next()
-		return
-	}
-	// Skip authentication for health check endpoint
-	if c.Request.URL.Path == "/health" {
+	if !s.config.EnableAuth {
 		c.Next()
 		return
 	}

pkg/workloadmanager/codeinterpreter_controller.go

@@ -293,7 +293,7 @@ func (r *CodeInterpreterReconciler) convertToPodTemplate(template *runtimev1alph
 				Resources:       template.Resources,
 				VolumeMounts: []corev1.VolumeMount{
 					{
-						Name:      "jwt-public-key",
+						Name:      JWTPublicKeyVolumeName,
 						MountPath: "/etc/picod",
 						ReadOnly:  true,
 					},
@@ -303,10 +303,10 @@ func (r *CodeInterpreterReconciler) convertToPodTemplate(template *runtimev1alph
 		RuntimeClassName: template.RuntimeClassName,
 		Volumes: []corev1.Volume{
 			{
-				Name: "jwt-public-key",
+				Name: JWTPublicKeyVolumeName,
 				VolumeSource: corev1.VolumeSource{
 					Secret: &corev1.SecretVolumeSource{
-						SecretName: "agentcube-jwt-public-key",
+						SecretName: JWTPublicKeySecretName,
 					},
 				},
 			},

pkg/workloadmanager/garbage_collection.go

@@ -6,11 +6,11 @@ import (
 	"log"
 	"time"
 
+	"github.com/volcano-sh/agentcube/pkg/common/types"
+	"github.com/volcano-sh/agentcube/pkg/redis"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
-
-	"github.com/volcano-sh/agentcube/pkg/redis"
 )
 
 const (
@@ -23,13 +23,6 @@ type garbageCollector struct {
 	redisClient redis.Client
 }
 
-type garbageCollectorSandbox struct {
-	Kind      string // Sandbox or SandboxClaim
-	Name      string
-	Namespace string
-	SessionID string
-}
-
 func newGarbageCollector(k8sClient *K8sClient, redisClient redis.Client, interval time.Duration) *garbageCollector {
 	return &garbageCollector{
 		k8sClient:   k8sClient,
@@ -66,53 +59,27 @@ func (gc *garbageCollector) once() {
 	if err != nil {
 		log.Printf("garbage collector error listing expired sandboxes: %v", err)
 	}
-	gcSandboxes := make([]garbageCollectorSandbox, 0, len(inactiveSandboxes)+len(expiredSandboxes))
-	for _, inactive := range inactiveSandboxes {
-		gcSandboxObj := garbageCollectorSandbox{
-			Namespace: inactive.SandboxNamespace,
-			SessionID: inactive.SessionID,
-		}
-		if inactive.SandboxClaimName != "" {
-			gcSandboxObj.Kind = "SandboxClaim"
-			gcSandboxObj.Name = inactive.SandboxClaimName
-		} else {
-			gcSandboxObj.Kind = "Sandbox"
-			gcSandboxObj.Name = inactive.SandboxName
-		}
-		gcSandboxes = append(gcSandboxes, gcSandboxObj)
-	}
-	for _, expired := range expiredSandboxes {
-		gcSandboxObj := garbageCollectorSandbox{
-			Namespace: expired.SandboxNamespace,
-			SessionID: expired.SessionID,
-		}
-		if expired.SandboxClaimName != "" {
-			gcSandboxObj.Kind = "SandboxClaim"
-			gcSandboxObj.Name = expired.SandboxClaimName
-		} else {
-			gcSandboxObj.Kind = "Sandbox"
-			gcSandboxObj.Name = expired.SandboxName
-		}
-		gcSandboxes = append(gcSandboxes, gcSandboxObj)
-	}
+	gcSandboxes := make([]*types.SandboxRedis, 0, len(inactiveSandboxes)+len(expiredSandboxes))
+	gcSandboxes = append(gcSandboxes, inactiveSandboxes...)
+	gcSandboxes = append(gcSandboxes, expiredSandboxes...)
 
 	if len(gcSandboxes) > 0 {
-		log.Printf("garbage collector found %d sandboxes to be delete", len(gcSandboxes))
+		log.Printf("garbage collector found %d sandboxes to be deleted", len(gcSandboxes))
 	}
 
 	errs := make([]error, 0, len(gcSandboxes))
 	// delete sandboxes
 	for _, gcSandbox := range gcSandboxes {
-		if gcSandbox.Kind == "SandboxClaim" {
-			err = gc.deleteSandboxClaim(ctx, gcSandbox.Namespace, gcSandbox.Name)
+		if gcSandbox.Kind == types.SandboxClaimsKind {
+			err = gc.deleteSandboxClaim(ctx, gcSandbox.SandboxNamespace, gcSandbox.Name)
 		} else {
-			err = gc.deleteSandbox(ctx, gcSandbox.Namespace, gcSandbox.Name)
+			err = gc.deleteSandbox(ctx, gcSandbox.SandboxNamespace, gcSandbox.Name)
 		}
 		if err != nil {
 			errs = append(errs, err)
 			continue
 		}
-		log.Printf("garbage collector %s %s/%s session %s deleted", gcSandbox.Kind, gcSandbox.Namespace, gcSandbox.Name, gcSandbox.SessionID)
+		log.Printf("garbage collector %s %s/%s session %s deleted", gcSandbox.Kind, gcSandbox.SandboxNamespace, gcSandbox.Name, gcSandbox.SessionID)
 		err = gc.redisClient.DeleteSandboxBySessionIDTx(ctx, gcSandbox.SessionID)
 		if err != nil {
 			errs = append(errs, err)

pkg/workloadmanager/handlers.go

@@ -12,6 +12,7 @@ import (
 	"github.com/gin-gonic/gin"
 	redisv9 "github.com/redis/go-redis/v9"
 	sandboxv1alpha1 "sigs.k8s.io/agent-sandbox/api/v1alpha1"
+	"sigs.k8s.io/agent-sandbox/controllers"
 	extensionsv1alpha1 "sigs.k8s.io/agent-sandbox/extensions/api/v1alpha1"
 
 	"github.com/volcano-sh/agentcube/pkg/common/types"
@@ -76,7 +77,7 @@ func (s *Server) handleCreateSandbox(c *gin.Context) {
 	namespace := sandbox.Namespace
 
 	dynamicClient := s.k8sClient.dynamicClient
-	if s.enableAuth {
+	if s.config.EnableAuth {
 		// Extract user information from context
 		userToken, userNamespace, _, serviceAccountName := extractUserInfo(c)
 		if userToken == "" || userNamespace == "" || serviceAccountName == "" {
@@ -162,7 +163,7 @@ func (s *Server) handleCreateSandbox(c *gin.Context) {
 	}()
 
 	sandboxPodName := ""
-	if podName, exists := createdSandbox.Annotations["agents.x-k8s.io/pod-name"]; exists {
+	if podName, exists := createdSandbox.Annotations[controllers.SanboxPodNameAnnotation]; exists {
 		sandboxPodName = podName
 	}
 	podIP, err := s.k8sClient.GetSandboxPodIP(c.Request.Context(), namespace, sandboxName, sandboxPodName)
@@ -194,6 +195,12 @@ func (s *Server) handleCreateSandbox(c *gin.Context) {
 		return
 	}
 
+	if len(redisCacheInfo.EntryPoints) == 0 {
+		respondError(c, http.StatusInternalServerError, "SANDBOX_INIT_FAILED",
+			"No access endpoint found for sandbox initialization")
+		return
+	}
+
 	// Code Interpreter sandbox created, init code interpreter
 	// Find the /init endpoint from entryPoints
 	var initEndpoint string
@@ -204,17 +211,10 @@ func (s *Server) handleCreateSandbox(c *gin.Context) {
 		}
 	}
 
-	// If no /init path found, use the first entryPoint endpoint with /init appended
+	// If no /init path found, use the first entryPoint endpoint fallback
 	if initEndpoint == "" {
-		if len(redisCacheInfo.EntryPoints) > 0 {
-			initEndpoint = fmt.Sprintf("%s://%s",
-				redisCacheInfo.EntryPoints[0].Protocol,
-				redisCacheInfo.EntryPoints[0].Endpoint)
-		} else {
-			respondError(c, http.StatusInternalServerError, "SANDBOX_INIT_FAILED",
-				"No access endpoint found for sandbox initialization")
-			return
-		}
+		initEndpoint = fmt.Sprintf("%s://%s", redisCacheInfo.EntryPoints[0].Protocol,
+			redisCacheInfo.EntryPoints[0].Endpoint)
 	}
 
 	// Call sandbox init endpoint with JWT-signed request
@@ -224,6 +224,7 @@ func (s *Server) handleCreateSandbox(c *gin.Context) {
 		sandbox.Labels[SessionIdLabelKey],
 		createAgentRequest.PublicKey,
 		createAgentRequest.Metadata,
+		createAgentRequest.InitTimeoutSeconds,
 	)
 
 	if err != nil {
@@ -263,7 +264,7 @@ func (s *Server) handleDeleteSandbox(c *gin.Context) {
 	}
 
 	dynamicClient := s.k8sClient.dynamicClient
-	if s.enableAuth {
+	if s.config.EnableAuth {
 		// Extract user information from context
 		userToken, userNamespace, _, serviceAccountName := extractUserInfo(c)
 
@@ -282,20 +283,18 @@ func (s *Server) handleDeleteSandbox(c *gin.Context) {
 		dynamicClient = userClient.dynamicClient
 	}
 
-	if sandbox.SandboxClaimName != "" {
-		// SandboxClaimName is not empty, we should delete SandboxClaim
-		err = deleteSandboxClaim(c.Request.Context(), dynamicClient, sandbox.SandboxNamespace, sandbox.SandboxClaimName)
+	if sandbox.Kind == types.SandboxClaimsKind {
+		err = deleteSandboxClaim(c.Request.Context(), dynamicClient, sandbox.SandboxNamespace, sandbox.Name)
 		if err != nil {
-			log.Printf("failed to delete sandbox claim %s/%s: %v", sandbox.SandboxNamespace, sandbox.SandboxClaimName, err)
+			log.Printf("failed to delete sandbox claim %s/%s: %v", sandbox.SandboxNamespace, sandbox.Name, err)
 			respondError(c, http.StatusForbidden, "SANDBOX_CLAIM_DELETE_FAILED",
 				fmt.Sprintf("Failed to delete sandbox claim (namespace: %s): %v", sandbox.SandboxNamespace, err))
 			return
 		}
 	} else {
-		// SandboxClaimName is empty, we should delete Sandbox directly
-		err = deleteSandbox(c.Request.Context(), dynamicClient, sandbox.SandboxNamespace, sandbox.SandboxName)
+		err = deleteSandbox(c.Request.Context(), dynamicClient, sandbox.SandboxNamespace, sandbox.Name)
 		if err != nil {
-			log.Printf("failed to delete sandbox claim %s/%s: %v", sandbox.SandboxNamespace, sandbox.SandboxName, err)
+			log.Printf("failed to delete sandbox %s/%s: %v", sandbox.SandboxNamespace, sandbox.Name, err)
 			respondError(c, http.StatusForbidden, "SANDBOX_DELETE_FAILED",
 				fmt.Sprintf("Failed to delete sandbox (namespace: %s): %v", sandbox.SandboxNamespace, err))
 			return
@@ -309,12 +308,7 @@ func (s *Server) handleDeleteSandbox(c *gin.Context) {
 		return
 	}
 
-	objectType := SandboxGVR.Resource
-	objectName := sandbox.SandboxName
-	if sandbox.SandboxClaimName != "" {
-		objectName = sandbox.SandboxClaimName
-	}
-	log.Printf("delete %s %s/%s successfully, sessionID: %v ", objectType, sandbox.SandboxNamespace, objectName, sandbox.SessionID)
+	log.Printf("delete %s %s/%s successfully, sessionID: %v ", sandbox.Kind, sandbox.SandboxNamespace, sandbox.Name, sandbox.SessionID)
 	respondJSON(c, http.StatusOK, map[string]string{
 		"message": "Sandbox deleted successfully",
 	})