Architecture

Control Flow

This flow uses Gateway API Inference Extension (GAIE) objects as upstream inputs.

                InferenceIdentityBinding
                         │
                     Deleted? ──yes──▶ Clean up ClusterSPIFFEIDs
                         │                  Remove finalizer
                         no
                         │
                   Ensure finalizer
                         │
    InferencePool ───────▶ Resolve poolRef → Pool
    InferenceObjective ──▶ Resolve objectiveRef when present
                         │
                  Derive selectors from pool
                  Add containerName selector (PerObjective)
                  Validate safety selectors
                  Render SPIFFE ID
                         │
                    Collision?
                    ╱        ╲
                 yes          no
                  │            │
          Set Conflict     Reconcile
          Clean up         ClusterSPIFFEID
          ClusterSPIFFEIDs      │
                  │        ClusterSPIFFEID
                  │             │
                  │        SPIRE Controller Manager
                  │             │
                  │        SPIRE registration entries
                  │            │
                  ╰──── Patch status ────╯
                        emit events

External Contracts

InferenceObjective API: objective-level inference intent and poolRef.
InferencePool API: serving pool selector source used by kleym-operator.
Gateway API Inference Extension (GAIE) API types: canonical schema reference for GAIE resources.
SPIFFE overview: identity model and SPIFFE ID/SVID concepts.
SPIRE concepts: server/agent architecture and attestation model.
SPIRE Controller Manager: Kubernetes reconciler that applies ClusterSPIFFEID.
ClusterSPIFFEID CRD: output resource shape reconciled by kleym-operator.

Architecture

Control Flow

External Contracts

See Also