Skip to content

feat(supervisor): stamp org identity label on compute microVMs #3899

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
0ski merged 1 commit into from
Jun 11, 2026
+17 −12
Merged

feat(supervisor): stamp org identity label on compute microVMs #3899

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions .server-changes/compute-org-label.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
---
area: supervisor
type: improvement
---

Compute workload manager now sets an `org` label on every run (create +
restore) for network-policy selection, instead of a plan-gated label. The
Kubernetes workload manager is unchanged.
21 changes: 9 additions & 12 deletions apps/supervisor/src/workloadManager/compute.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -133,13 +133,11 @@ export class ComputeWorkloadManager implements WorkloadManager {
// Strip image digest - resolve by tag, not digest
const imageRef = stripImageDigest(opts.image);

// Labels forwarded to the compute provider for network-policy selection;
// the provider promotes a configured subset to its network layer. Mirrors
// the privatelink label the Kubernetes workload manager sets on the run pod.
const labels: Record<string, string> = {};
if (opts.hasPrivateLink) {
labels.privatelink = opts.orgId;
}
// Labels forwarded to the compute provider for network-policy selection.
// `org` is always set so every run carries its org identity.
const labels: Record<string, string> = {
org: opts.orgId,
};

// Wide event: single canonical log line emitted in finally
const event: Record<string, unknown> = {
Expand Down Expand Up @@ -319,12 +317,11 @@ export class ComputeWorkloadManager implements WorkloadManager {
TRIGGER_WORKER_INSTANCE_NAME: this.opts.runner.instanceName,
};

// Resupply the same labels on restore (mirror of the create path); the
// provider doesn't persist them across a snapshot, so without this a
// restored run would lose its policy-based network selection.
// Resupply labels on restore (the provider doesn't persist them across a
// snapshot). orgId is optional on the restore opts type, so guard it.
const labels: Record<string, string> = {};
if (opts.hasPrivateLink && opts.orgId) {
labels.privatelink = opts.orgId;
if (opts.orgId) {
labels.org = opts.orgId;
}

this.logger.verbose("restore request body", {
Expand Down