docs: add tutorial for securing internal traffic with SPIRE (mTLS)

[mahil-2040]

What type of PR is this?

/kind documentation

What this PR does / why we need it:

Description

This PR adds a comprehensive user guide (docs/tutorials/internal-auth-spire.md) for the newly implemented SPIRE mTLS internal authentication system.

The tutorial explains the architecture of our zero-trust control plane and acts as a definitive reference for developers and operators.

Key Additions

• Architecture Overview: Explains how the Router and WorkloadManager cryptographically verify each other's SPIFFE identities, and how the CertWatcher achieves zero-downtime certificate rotation via fsnotify.
• Configuration Guide: Documents the exact CLI flags required to enable mTLS on both components (--mtls-* for Router, --tls-* for WorkloadManager).
• Sidecar Mechanics: Details how the spiffe-helper sidecar is deployed alongside the control plane pods to automatically provision and rotate SVIDs.
• Architectural Justification: Adds a section explicitly explaining why PicoD and AgentRuntime sandboxes continue to use JWT authentication (avoiding TLS handshake overhead to preserve ultra-low cold-start latency, and keeping user-defined runtimes pure).

Which issue(s) this PR fixes:
Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

NO

NONE

[gemini-code-assist]

Code Review

This pull request adds a new tutorial documentation file explaining how SPIRE is used to secure internal traffic with mTLS in AgentCube. The reviewer pointed out two critical discrepancies between the documentation and the actual codebase: the documentation references a CertWatcher and hot-reloading mechanism that does not exist in the code, and it lists incorrect CLI flags (--mtls-* and --tls-ca) that are not supported by the current implementation.

[gemini-code-assist]

The documentation describes a CertWatcher that monitors certificates on disk using fsnotify for zero-downtime rotation. However, in pkg/router/server.go and pkg/workloadmanager/server.go, the servers are started using standard ListenAndServeTLS with static certificate paths, and there is no CertWatcher or fsnotify implementation in the codebase.\n\nPlease update the documentation to reflect the current capabilities, or implement the CertWatcher and hot-reloading mechanism in the server code.

[gemini-code-assist]

The documented CLI flags do not match the actual flags implemented in the codebase.\n\nIn cmd/router/main.go and cmd/workload-manager/main.go, the defined flags are --tls-cert and --tls-key (along with --enable-tls). There are no --mtls-* or --tls-ca flags defined in the command-line parsers, nor is there any client CA verification (ClientCAs / ClientAuth) configured in the http.Server setups in pkg/router/server.go or pkg/workloadmanager/server.go.\n\nPlease update the documentation to reflect the actual flags, or implement the corresponding CLI flags and mTLS configuration in the codebase.\n\nFor example, the actual flags are:\nbash\n# For Router\n--enable-tls\n--tls-cert=/path/to/tls.crt\n--tls-key=/path/to/tls.key\n\n# For WorkloadManager\n--enable-tls\n--tls-cert=/path/to/tls.crt\n--tls-key=/path/to/tls.key\n

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 55.56%. Comparing base (524e55e) to head (a145259).
⚠️ Report is 103 commits behind head on main.
❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #364      +/-   ##
==========================================
+ Coverage   47.57%   55.56%   +7.99%     
==========================================
  Files          30       34       +4     
  Lines        2819     3191     +372     
==========================================
+ Hits         1341     1773     +432     
+ Misses       1338     1239      -99     
- Partials      140      179      +39     

Flag	Coverage Δ
unittests	55.56% <100.00%> (+7.99%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[hzxuzhonghu]

This isnot a good tutorial, think about if you are a new user, can you run it by this guide?

[mahil-2040]

This isnot a good tutorial, think about if you are a new user, can you run it by this guide?

I have completely rewritten the guide with step by step instructions, commands and expected outputs of each step, PTAL!

[acsoto]

The linked Getting Started guide installs into the agentcube namespace, but every command here uses agentcube-system. A new user following both guides will check and upgrade the wrong release unless the namespace is made consistent or parameterized.

[mahil-2040]

I checked the inconsistency, the Getting Started guide installs into -n agentcube, but pkg/mtls/spiffeid.go defaults to agentcube-system. In practice this default is never hit in Helm deployments because both manifests inject AGENTCUBE_NAMESPACE from the pod's actual namespace via fieldRef: metadata.namespace. But it's still confusing to have two different names.

Would you be okay with me changing the Go default from agentcube-system to agentcube to make it consistent with the Getting Started guide? I'd also update the 4 unit test files and the e2e script that reference the old default.

[acsoto]

Please add --reuse-values or repeat the required install values here. helm upgrade without it rebuilds values from chart defaults, so users who set Redis, images, RBAC, or service account values during install can lose them when enabling SPIRE.

[mahil-2040]

added the --reuse-values to preserve the install-time values.

[acsoto]

The expected output includes All mTLS cert/key/CA files are present, but the current code returns silently after the files appear. Please either update the expected output or add this log, otherwise this verification step asks users to look for a line that never appears.

[mahil-2040]

Added klog.Infof to wait.go to match the expected output

[acsoto]

Same issue here: disabling SPIRE should preserve the existing release values. Without --reuse-values or the original required --sets, cleanup can unintentionally reset the deployment while only trying to turn SPIRE off.

[mahil-2040]

fixed this too.

[acsoto]

This does not remove the CRDs; they were installed manually in Step 1 and are deleted separately below. This should say it removes the SPIRE workloads, sidecars, and ClusterSPIFFEID resources from this Helm release.

[mahil-2040]

This is my mistake, accidently added CRDs, but now removed it.

[volcano-sh-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign kevin-wangzefeng for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• docs/OWNERS
• pkg/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment