Merge pull request #711 from rushtehrani/fix/send-status

fix: Only inject one sys-send-status task

.github/workflows/push_tag.yaml

@@ -22,7 +22,7 @@ jobs:
       - name: Notify Slack Channels
         uses: rtCamp/action-slack-notify@v2.0.0
         env:
-          SLACK_CHANNEL: dev
+          SLACK_CHANNEL: org
           SLACK_ICON: https://avatars1.githubusercontent.com/u/30390575?s=48&v=4
           SLACK_TITLE: New Core Version
           SLACK_USERNAME: opBot

Makefile

@@ -33,6 +33,11 @@ docker-build:
 docker-push:
 	docker push onepanel/core:$(COMMIT_HASH)
 
+docker-custom:
+	docker build -t onepanel-core .
+	docker tag onepanel-core:latest onepanel/core:$(TAG)
+	docker push onepanel/core:$(TAG)
+
 docker: docker-build docker-push
 
 run-tests:

README.md

@@ -6,60 +6,37 @@
 [![sdk](https://img.shields.io/pypi/v/onepanel-sdk?color=01579b&label=sdk)](https://pypi.org/project/onepanel-sdk/)
 [![docs](https://img.shields.io/github/v/release/onepanelio/core?color=01579b&label=docs)](https://docs.onepanel.io)
 [![issues](https://img.shields.io/github/issues-raw/onepanelio/core?color=01579b&label=issues)](https://github.com/onepanelio/core/issues)
-[![chat](https://img.shields.io/badge/support-slack-01579b)](https://onepanel-ce.slack.com/join/shared_invite/zt-eyjnwec0-nLaHhjif9Y~gA05KuX6AUg#/)
+[![chat](https://img.shields.io/badge/support-dicussions-01579b)](https://github.com/onepanelio/core/discussions)
 [![license](https://img.shields.io/github/license/onepanelio/core?color=01579b)](https://opensource.org/licenses/Apache-2.0)
 
-Production scale, Kubernetes-native vision AI platform, with fully integrated components for model building, automated labeling, data processing and model training pipelines.
+Production scale vision AI platform with fully integrated components for model building, automated labeling, data processing and model training pipelines.
+
+<img width="100%" src="img/onepanel.gif">
 
 ## Why Onepanel?
 
--  End-to-end workflow and infrastructure automation for production scale vision AI
+-  End-to-end automation for production scale vision AI pipelines
--  Automatic resource management and on-demand scaling of CPU and GPU nodes
+-  Best of breed, open source deep learning tools seamlessly integrated in one unified platform
--  Easily scale your data processing and training pipelines to multiple nodes
+-  Infrastructure automation so you can easily scale your data processing and training pipelines to multiple nodes
--  Collaborate on all your deep learning tools and workflows through a unified web interface and SDKs
+-  Customizable, reproducible and version controlled tooling and pipeline templates
 -  Scalability, flexibility and resiliency of Kubernetes without the deployment and configuration complexities
 
 ## Features
-<table>
+-  Annotate images and video with automatic annotation of bounding boxes and polygon masks, integrated with training pipelines to iteratively improve models for pre-annotation and inference.
-  <tr>
+-  JupyterLab configured with extensions for debugging, Git/GitHub, notebook diffing and TensorBoard and support for Conda, OpenCV, Tensorflow and PyTorch with GPU and <a href="https://github.com/onepanelio/templates/tree/master/workspaces/jupyterlab">much more</a>.
-    <td width="50%" align="center">
+-  Build fully reproducible, distributed and parallel data processing and training pipelines with real-time logs and output snapshots.
-      <h3>Image and video annotation with automatic annotation</h3>
+-  Bring your own IDEs, annotation tools and pipelines with a version controlled YAML and Docker based template engine.
-      <img width="100%" src="img/auto-annotation.gif">
-      <p>
-        Annotate images and video with automatic annotation of bounding boxes and polygon masks, integrated with training pipelines to iteratively improve models for pre-annotation and inference
-      </p>
-    </td>
-    <td width="50%" align="center">
-      <h3>JupyterLab with TensorFlow, PyTorch and GPU support</h3>
-      <img width="100%" src="img/jupyterlab.gif">
-      <p>
-        JupyterLab configured with extensions for debugging, Git/GitHub, notebook diffing and TensorBoard and support for Conda, OpenCV, Tensorflow and PyTorch with GPU and <a href="https://github.com/onepanelio/templates/tree/master/workspaces/jupyterlab">much more</a>
-      </p>
-    </td>
-  </tr>
-  <tr>
-    <td width="50%" align="center">
-      <h3>Auto scaling, distributed and parallel data processing and training pipelines</h3>
-      <img width="100%" src="img/pipelines.gif">
-      <p>
-        Build fully reproducible, distributed and parallel data processing and training pipelines with real-time logs and output snapshots
-      </p>
-    </td>
-    <td width="50%" align="center">
-      <h3>Version controlled pipelines and environments as code</h3>
-      <img width="100%" src="img/tools.gif">
-      <p>
-        Bring your own IDEs, annotation tools and pipelines with a version controlled YAML and Docker based template engine
-      </p>
-    </td>
-  </tr>
-</table>
-
 -  Track and visualize model metrics and experiments with TensorBoard or bring your own experiment tracking tools.
--  Access and share tools like AirSim, Carla, Gazebo or OpenAI Gym through your browser with VNC enabled workspaces.
+-  Extend Onepanel with powerful REST APIs and SDKs to further automate your workflows.
--  Extend Onepanel with powerful REST APIs and SDKs to further automate your pipelines and environments.
+
--  Workflows, environments and infrastructure are all defined as code and version controlled, making them reproducible and portable.
+## Online demo
--  Powered by Kubernetes so you can deploy anywhere Kubernetes can run.
+We have created an [online demo environment](https://onepanel.typeform.com/to/kQfDX5Vf?product=github) so that you can quickly try Onepanel.
+
+Note that this is a shared demo environment with the following restrictions:
+
+- Data is reset every few hours
+- One type of node pool (machine type) with a limit of 5 concurrent nodes
+- Certain actions may be restricted
 
 ## Quick start
 See [quick start guide](https://docs.onepanel.ai/docs/getting-started/quickstart) to get started with the platform of your choice.
@@ -74,17 +51,17 @@ See [documentation](https://docs.onepanel.ai) to get started or for more detaile
 
 To submit a feature request, report a bug or documentation issue, please open a GitHub [pull request](https://github.com/onepanelio/core/pulls) or [issue](https://github.com/onepanelio/core/issues).
 
-For help, questions, release announcements and contribution discussions, join us on [Slack](https://join.slack.com/t/onepanel-ce/shared_invite/zt-eyjnwec0-nLaHhjif9Y~gA05KuX6AUg).
+For help, questions, release announcements and contribution discussions, join us on [GitHub discussions](https://github.com/onepanelio/core/discussions).
 
 ## Contributing
 
 Onepanel is modular and consists of the following repositories:
 
-[Core API](https://github.com/onepanelio/core/) (this repository) - Code base for backend (Go)\
+[Backend](https://github.com/onepanelio/core/) (this repository) - Code base for backend (Go)\
-[Core UI](https://github.com/onepanelio/core-ui/) - Code base for UI (Angular + TypeScript)\
+[Frontend](https://github.com/onepanelio/core-ui/) - Code base for frontend (Angular + TypeScript)\
-[CLI](https://github.com/onepanelio/cli/) - Code base for Go CLI for installation and management (Go)\
+[CLI](https://github.com/onepanelio/cli/) - Code base for installation and management CLI (Go)\
-[Manifests](https://github.com/onepanelio/core-ui/) - Kustomize manifests used by CLI for installation and management (YAML)\
+[Manifests](https://github.com/onepanelio/core-ui/) - Kustomize manifests used by installation and management CLI (YAML)\
-[Python SDK](https://github.com/onepanelio/python-sdk/) - Python SDK code and documentation\
+[Python SDK](https://github.com/onepanelio/python-sdk/) - Python SDK code and documentation (Python)\
 [Templates](https://github.com/onepanelio/templates) - Various Workspace, Workflow, Task and Sidecar Templates\
 [Documentation](https://github.com/onepanelio/core-docs/) - The repository for documentation site\
 [API Documentation](https://github.com/onepanelio/core-api-docs/) - API documentation if you choose to use the API directly

api/api.swagger.json

@@ -3,7 +3,7 @@
   "info": {
     "title": "Onepanel",
     "description": "Onepanel API",
-    "version": "0.13.0",
+    "version": "0.15.0",
     "contact": {
       "name": "Onepanel project",
       "url": "https://github.com/onepanelio/core"
@@ -54,6 +54,39 @@
         ]
       }
     },
+    "/apis/v1beta1/auth/get_access_token": {
+      "post": {
+        "operationId": "GetAccessToken",
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/GetAccessTokenResponse"
+            }
+          },
+          "default": {
+            "description": "An unexpected error response",
+            "schema": {
+              "$ref": "#/definitions/grpc.gateway.runtime.Error"
+            }
+          }
+        },
+        "parameters": [
+          {
+            "name": "body",
+            "in": "body",
+            "required": true,
+            "schema": {
+              "$ref": "#/definitions/GetAccessTokenRequest"
+            }
+          }
+        ],
+        "tags": [
+          "AuthService"
+        ],
+        "security": []
+      }
+    },
     "/apis/v1beta1/auth/token": {
       "post": {
         "operationId": "IsValidToken",
@@ -77,7 +110,7 @@
             "in": "body",
             "required": true,
             "schema": {
-              "$ref": "#/definitions/TokenWrapper"
+              "$ref": "#/definitions/IsValidTokenRequest"
             }
           }
         ],
@@ -108,6 +141,54 @@
         ]
       }
     },
+    "/apis/v1beta1/labels/{namespace}/{resource}/labels": {
+      "get": {
+        "operationId": "GetAvailableLabels",
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/GetLabelsResponse"
+            }
+          },
+          "default": {
+            "description": "An unexpected error response",
+            "schema": {
+              "$ref": "#/definitions/grpc.gateway.runtime.Error"
+            }
+          }
+        },
+        "parameters": [
+          {
+            "name": "namespace",
+            "in": "path",
+            "required": true,
+            "type": "string"
+          },
+          {
+            "name": "resource",
+            "in": "path",
+            "required": true,
+            "type": "string"
+          },
+          {
+            "name": "keyLike",
+            "in": "query",
+            "required": false,
+            "type": "string"
+          },
+          {
+            "name": "skipKeys",
+            "in": "query",
+            "required": false,
+            "type": "string"
+          }
+        ],
+        "tags": [
+          "LabelService"
+        ]
+      }
+    },
     "/apis/v1beta1/namespaces": {
       "get": {
         "operationId": "ListNamespaces",
@@ -2883,6 +2964,31 @@
         }
       }
     },
+    "GetAccessTokenRequest": {
+      "type": "object",
+      "properties": {
+        "username": {
+          "type": "string"
+        },
+        "token": {
+          "type": "string"
+        }
+      }
+    },
+    "GetAccessTokenResponse": {
+      "type": "object",
+      "properties": {
+        "domain": {
+          "type": "string"
+        },
+        "accessToken": {
+          "type": "string"
+        },
+        "username": {
+          "type": "string"
+        }
+      }
+    },
     "GetConfigResponse": {
       "type": "object",
       "properties": {
@@ -2967,11 +3073,28 @@
         }
       }
     },
+    "IsValidTokenRequest": {
+      "type": "object",
+      "properties": {
+        "username": {
+          "type": "string"
+        },
+        "token": {
+          "type": "string"
+        }
+      }
+    },
     "IsValidTokenResponse": {
       "type": "object",
       "properties": {
         "domain": {
           "type": "string"
+        },
+        "token": {
+          "type": "string"
+        },
+        "username": {
+          "type": "string"
         }
       }
     },
@@ -3394,14 +3517,6 @@
         }
       }
     },
-    "TokenWrapper": {
-      "type": "object",
-      "properties": {
-        "token": {
-          "type": "string"
-        }
-      }
-    },
     "UpdateSecretKeyValueResponse": {
       "type": "object",
       "properties": {

api/auth.pb.go

@@ -9,7 +9,7 @@ package api
 import (
 	context "context"
 	proto "github.com/golang/protobuf/proto"
-	_ "github.com/golang/protobuf/ptypes/empty"
+	_ "github.com/grpc-ecosystem/grpc-gateway/protoc-gen-swagger/options"
 	_ "google.golang.org/genproto/googleapis/api/annotations"
 	grpc "google.golang.org/grpc"
 	codes "google.golang.org/grpc/codes"
@@ -31,6 +31,124 @@ const (
 // of the legacy proto package is being used.
 const _ = proto.ProtoPackageIsVersion4
 
+type IsValidTokenRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Username string `protobuf:"bytes,1,opt,name=username,proto3" json:"username,omitempty"`
+	Token    string `protobuf:"bytes,2,opt,name=token,proto3" json:"token,omitempty"`
+}
+
+func (x *IsValidTokenRequest) Reset() {
+	*x = IsValidTokenRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_auth_proto_msgTypes[0]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *IsValidTokenRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*IsValidTokenRequest) ProtoMessage() {}
+
+func (x *IsValidTokenRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_auth_proto_msgTypes[0]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use IsValidTokenRequest.ProtoReflect.Descriptor instead.
+func (*IsValidTokenRequest) Descriptor() ([]byte, []int) {
+	return file_auth_proto_rawDescGZIP(), []int{0}
+}
+
+func (x *IsValidTokenRequest) GetUsername() string {
+	if x != nil {
+		return x.Username
+	}
+	return ""
+}
+
+func (x *IsValidTokenRequest) GetToken() string {
+	if x != nil {
+		return x.Token
+	}
+	return ""
+}
+
+type IsValidTokenResponse struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Domain   string `protobuf:"bytes,1,opt,name=domain,proto3" json:"domain,omitempty"`
+	Token    string `protobuf:"bytes,2,opt,name=token,proto3" json:"token,omitempty"`
+	Username string `protobuf:"bytes,3,opt,name=username,proto3" json:"username,omitempty"`
+}
+
+func (x *IsValidTokenResponse) Reset() {
+	*x = IsValidTokenResponse{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_auth_proto_msgTypes[1]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *IsValidTokenResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*IsValidTokenResponse) ProtoMessage() {}
+
+func (x *IsValidTokenResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_auth_proto_msgTypes[1]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use IsValidTokenResponse.ProtoReflect.Descriptor instead.
+func (*IsValidTokenResponse) Descriptor() ([]byte, []int) {
+	return file_auth_proto_rawDescGZIP(), []int{1}
+}
+
+func (x *IsValidTokenResponse) GetDomain() string {
+	if x != nil {
+		return x.Domain
+	}
+	return ""
+}
+
+func (x *IsValidTokenResponse) GetToken() string {
+	if x != nil {
+		return x.Token
+	}
+	return ""
+}
+
+func (x *IsValidTokenResponse) GetUsername() string {
+	if x != nil {
+		return x.Username
+	}
+	return ""
+}
+
 type IsAuthorized struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
@@ -46,7 +164,7 @@ type IsAuthorized struct {
 func (x *IsAuthorized) Reset() {
 	*x = IsAuthorized{}
 	if protoimpl.UnsafeEnabled {
-		mi := &file_auth_proto_msgTypes[0]
+		mi := &file_auth_proto_msgTypes[2]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
@@ -59,7 +177,7 @@ func (x *IsAuthorized) String() string {
 func (*IsAuthorized) ProtoMessage() {}
 
 func (x *IsAuthorized) ProtoReflect() protoreflect.Message {
-	mi := &file_auth_proto_msgTypes[0]
+	mi := &file_auth_proto_msgTypes[2]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -72,7 +190,7 @@ func (x *IsAuthorized) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use IsAuthorized.ProtoReflect.Descriptor instead.
 func (*IsAuthorized) Descriptor() ([]byte, []int) {
-	return file_auth_proto_rawDescGZIP(), []int{0}
+	return file_auth_proto_rawDescGZIP(), []int{2}
 }
 
 func (x *IsAuthorized) GetNamespace() string {
@@ -121,7 +239,7 @@ type IsAuthorizedRequest struct {
 func (x *IsAuthorizedRequest) Reset() {
 	*x = IsAuthorizedRequest{}
 	if protoimpl.UnsafeEnabled {
-		mi := &file_auth_proto_msgTypes[1]
+		mi := &file_auth_proto_msgTypes[3]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
@@ -134,7 +252,7 @@ func (x *IsAuthorizedRequest) String() string {
 func (*IsAuthorizedRequest) ProtoMessage() {}
 
 func (x *IsAuthorizedRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_auth_proto_msgTypes[1]
+	mi := &file_auth_proto_msgTypes[3]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -147,7 +265,7 @@ func (x *IsAuthorizedRequest) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use IsAuthorizedRequest.ProtoReflect.Descriptor instead.
 func (*IsAuthorizedRequest) Descriptor() ([]byte, []int) {
-	return file_auth_proto_rawDescGZIP(), []int{1}
+	return file_auth_proto_rawDescGZIP(), []int{3}
 }
 
 func (x *IsAuthorizedRequest) GetIsAuthorized() *IsAuthorized {
@@ -168,7 +286,7 @@ type IsAuthorizedResponse struct {
 func (x *IsAuthorizedResponse) Reset() {
 	*x = IsAuthorizedResponse{}
 	if protoimpl.UnsafeEnabled {
-		mi := &file_auth_proto_msgTypes[2]
+		mi := &file_auth_proto_msgTypes[4]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
@@ -181,7 +299,7 @@ func (x *IsAuthorizedResponse) String() string {
 func (*IsAuthorizedResponse) ProtoMessage() {}
 
 func (x *IsAuthorizedResponse) ProtoReflect() protoreflect.Message {
-	mi := &file_auth_proto_msgTypes[2]
+	mi := &file_auth_proto_msgTypes[4]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -194,7 +312,7 @@ func (x *IsAuthorizedResponse) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use IsAuthorizedResponse.ProtoReflect.Descriptor instead.
 func (*IsAuthorizedResponse) Descriptor() ([]byte, []int) {
-	return file_auth_proto_rawDescGZIP(), []int{2}
+	return file_auth_proto_rawDescGZIP(), []int{4}
 }
 
 func (x *IsAuthorizedResponse) GetAuthorized() bool {
@@ -204,110 +322,17 @@ func (x *IsAuthorizedResponse) GetAuthorized() bool {
 	return false
 }
 
-type TokenWrapper struct {
+type GetAccessTokenRequest struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 
-	Token string `protobuf:"bytes,1,opt,name=token,proto3" json:"token,omitempty"`
+	Username string `protobuf:"bytes,1,opt,name=username,proto3" json:"username,omitempty"`
+	Token    string `protobuf:"bytes,2,opt,name=token,proto3" json:"token,omitempty"`
 }
 
-func (x *TokenWrapper) Reset() {
+func (x *GetAccessTokenRequest) Reset() {
-	*x = TokenWrapper{}
+	*x = GetAccessTokenRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_auth_proto_msgTypes[3]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
-}
-
-func (x *TokenWrapper) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*TokenWrapper) ProtoMessage() {}
-
-func (x *TokenWrapper) ProtoReflect() protoreflect.Message {
-	mi := &file_auth_proto_msgTypes[3]
-	if protoimpl.UnsafeEnabled && x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use TokenWrapper.ProtoReflect.Descriptor instead.
-func (*TokenWrapper) Descriptor() ([]byte, []int) {
-	return file_auth_proto_rawDescGZIP(), []int{3}
-}
-
-func (x *TokenWrapper) GetToken() string {
-	if x != nil {
-		return x.Token
-	}
-	return ""
-}
-
-type IsValidTokenRequest struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
-	Token *TokenWrapper `protobuf:"bytes,1,opt,name=token,proto3" json:"token,omitempty"`
-}
-
-func (x *IsValidTokenRequest) Reset() {
-	*x = IsValidTokenRequest{}
-	if protoimpl.UnsafeEnabled {
-		mi := &file_auth_proto_msgTypes[4]
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		ms.StoreMessageInfo(mi)
-	}
-}
-
-func (x *IsValidTokenRequest) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*IsValidTokenRequest) ProtoMessage() {}
-
-func (x *IsValidTokenRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_auth_proto_msgTypes[4]
-	if protoimpl.UnsafeEnabled && x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use IsValidTokenRequest.ProtoReflect.Descriptor instead.
-func (*IsValidTokenRequest) Descriptor() ([]byte, []int) {
-	return file_auth_proto_rawDescGZIP(), []int{4}
-}
-
-func (x *IsValidTokenRequest) GetToken() *TokenWrapper {
-	if x != nil {
-		return x.Token
-	}
-	return nil
-}
-
-type IsValidTokenResponse struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
-	Domain string `protobuf:"bytes,1,opt,name=domain,proto3" json:"domain,omitempty"`
-}
-
-func (x *IsValidTokenResponse) Reset() {
-	*x = IsValidTokenResponse{}
 	if protoimpl.UnsafeEnabled {
 		mi := &file_auth_proto_msgTypes[5]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
@@ -315,13 +340,13 @@ func (x *IsValidTokenResponse) Reset() {
 	}
 }
 
-func (x *IsValidTokenResponse) String() string {
+func (x *GetAccessTokenRequest) String() string {
 	return protoimpl.X.MessageStringOf(x)
 }
 
-func (*IsValidTokenResponse) ProtoMessage() {}
+func (*GetAccessTokenRequest) ProtoMessage() {}
 
-func (x *IsValidTokenResponse) ProtoReflect() protoreflect.Message {
+func (x *GetAccessTokenRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_auth_proto_msgTypes[5]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
@@ -333,69 +358,161 @@ func (x *IsValidTokenResponse) ProtoReflect() protoreflect.Message {
 	return mi.MessageOf(x)
 }
 
-// Deprecated: Use IsValidTokenResponse.ProtoReflect.Descriptor instead.
+// Deprecated: Use GetAccessTokenRequest.ProtoReflect.Descriptor instead.
-func (*IsValidTokenResponse) Descriptor() ([]byte, []int) {
+func (*GetAccessTokenRequest) Descriptor() ([]byte, []int) {
 	return file_auth_proto_rawDescGZIP(), []int{5}
 }
 
-func (x *IsValidTokenResponse) GetDomain() string {
+func (x *GetAccessTokenRequest) GetUsername() string {
+	if x != nil {
+		return x.Username
+	}
+	return ""
+}
+
+func (x *GetAccessTokenRequest) GetToken() string {
+	if x != nil {
+		return x.Token
+	}
+	return ""
+}
+
+type GetAccessTokenResponse struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Domain      string `protobuf:"bytes,1,opt,name=domain,proto3" json:"domain,omitempty"`
+	AccessToken string `protobuf:"bytes,2,opt,name=accessToken,proto3" json:"accessToken,omitempty"`
+	Username    string `protobuf:"bytes,3,opt,name=username,proto3" json:"username,omitempty"`
+}
+
+func (x *GetAccessTokenResponse) Reset() {
+	*x = GetAccessTokenResponse{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_auth_proto_msgTypes[6]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *GetAccessTokenResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*GetAccessTokenResponse) ProtoMessage() {}
+
+func (x *GetAccessTokenResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_auth_proto_msgTypes[6]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use GetAccessTokenResponse.ProtoReflect.Descriptor instead.
+func (*GetAccessTokenResponse) Descriptor() ([]byte, []int) {
+	return file_auth_proto_rawDescGZIP(), []int{6}
+}
+
+func (x *GetAccessTokenResponse) GetDomain() string {
 	if x != nil {
 		return x.Domain
 	}
 	return ""
 }
 
+func (x *GetAccessTokenResponse) GetAccessToken() string {
+	if x != nil {
+		return x.AccessToken
+	}
+	return ""
+}
+
+func (x *GetAccessTokenResponse) GetUsername() string {
+	if x != nil {
+		return x.Username
+	}
+	return ""
+}
+
 var File_auth_proto protoreflect.FileDescriptor
 
 var file_auth_proto_rawDesc = []byte{
 	0x0a, 0x0a, 0x61, 0x75, 0x74, 0x68, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x03, 0x61, 0x70,
 	0x69, 0x1a, 0x1c, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x61, 0x6e,
 	0x6e, 0x6f, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a,
-	0x1b, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66,
+	0x2c, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x2d, 0x67, 0x65, 0x6e, 0x2d, 0x73, 0x77, 0x61, 0x67,
-	0x2f, 0x65, 0x6d, 0x70, 0x74, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x96, 0x01, 0x0a,
+	0x67, 0x65, 0x72, 0x2f, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2f, 0x61, 0x6e, 0x6e, 0x6f,
-	0x0c, 0x49, 0x73, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x12, 0x1c, 0x0a,
+	0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x47, 0x0a,
-	0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09,
+	0x13, 0x49, 0x73, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x52, 0x65, 0x71,
-	0x52, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x76,
+	0x75, 0x65, 0x73, 0x74, 0x12, 0x1a, 0x0a, 0x08, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65,
-	0x65, 0x72, 0x62, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x76, 0x65, 0x72, 0x62, 0x12,
+	0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65,
-	0x14, 0x0a, 0x05, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05,
+	0x12, 0x14, 0x0a, 0x05, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52,
-	0x67, 0x72, 0x6f, 0x75, 0x70, 0x12, 0x1a, 0x0a, 0x08, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63,
+	0x05, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x22, 0x60, 0x0a, 0x14, 0x49, 0x73, 0x56, 0x61, 0x6c, 0x69,
-	0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63,
+	0x64, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x16,
-	0x65, 0x12, 0x22, 0x0a, 0x0c, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x4e, 0x61, 0x6d,
+	0x0a, 0x06, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06,
-	0x65, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63,
+	0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x12, 0x14, 0x0a, 0x05, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18,
-	0x65, 0x4e, 0x61, 0x6d, 0x65, 0x22, 0x4c, 0x0a, 0x13, 0x49, 0x73, 0x41, 0x75, 0x74, 0x68, 0x6f,
+	0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x12, 0x1a, 0x0a, 0x08,
-	0x72, 0x69, 0x7a, 0x65, 0x64, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x35, 0x0a, 0x0c,
+	0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08,
-	0x69, 0x73, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x18, 0x01, 0x20, 0x01,
+	0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x22, 0x96, 0x01, 0x0a, 0x0c, 0x49, 0x73, 0x41,
-	0x28, 0x0b, 0x32, 0x11, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x49, 0x73, 0x41, 0x75, 0x74, 0x68, 0x6f,
+	0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x12, 0x1c, 0x0a, 0x09, 0x6e, 0x61, 0x6d,
-	0x72, 0x69, 0x7a, 0x65, 0x64, 0x52, 0x0c, 0x69, 0x73, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69,
+	0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x6e, 0x61,
-	0x7a, 0x65, 0x64, 0x22, 0x36, 0x0a, 0x14, 0x49, 0x73, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69,
+	0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x76, 0x65, 0x72, 0x62, 0x18,
-	0x7a, 0x65, 0x64, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x1e, 0x0a, 0x0a, 0x61,
+	0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x76, 0x65, 0x72, 0x62, 0x12, 0x14, 0x0a, 0x05, 0x67,
-	0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52,
+	0x72, 0x6f, 0x75, 0x70, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x67, 0x72, 0x6f, 0x75,
-	0x0a, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x22, 0x24, 0x0a, 0x0c, 0x54,
+	0x70, 0x12, 0x1a, 0x0a, 0x08, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x18, 0x04, 0x20,
-	0x6f, 0x6b, 0x65, 0x6e, 0x57, 0x72, 0x61, 0x70, 0x70, 0x65, 0x72, 0x12, 0x14, 0x0a, 0x05, 0x74,
+	0x01, 0x28, 0x09, 0x52, 0x08, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x12, 0x22, 0x0a,
-	0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x74, 0x6f, 0x6b, 0x65,
+	0x0c, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x18, 0x05, 0x20,
-	0x6e, 0x22, 0x3e, 0x0a, 0x13, 0x49, 0x73, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x54, 0x6f, 0x6b, 0x65,
+	0x01, 0x28, 0x09, 0x52, 0x0c, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x4e, 0x61, 0x6d,
-	0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x27, 0x0a, 0x05, 0x74, 0x6f, 0x6b, 0x65,
+	0x65, 0x22, 0x4c, 0x0a, 0x13, 0x49, 0x73, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65,
-	0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x54, 0x6f,
+	0x64, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x35, 0x0a, 0x0c, 0x69, 0x73, 0x41, 0x75,
-	0x6b, 0x65, 0x6e, 0x57, 0x72, 0x61, 0x70, 0x70, 0x65, 0x72, 0x52, 0x05, 0x74, 0x6f, 0x6b, 0x65,
+	0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x11,
-	0x6e, 0x22, 0x2e, 0x0a, 0x14, 0x49, 0x73, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x54, 0x6f, 0x6b, 0x65,
+	0x2e, 0x61, 0x70, 0x69, 0x2e, 0x49, 0x73, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65,
-	0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x64, 0x6f, 0x6d,
+	0x64, 0x52, 0x0c, 0x69, 0x73, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x22,
-	0x61, 0x69, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x64, 0x6f, 0x6d, 0x61, 0x69,
+	0x36, 0x0a, 0x14, 0x49, 0x73, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x52,
-	0x6e, 0x32, 0xea, 0x01, 0x0a, 0x0b, 0x41, 0x75, 0x74, 0x68, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63,
+	0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x1e, 0x0a, 0x0a, 0x61, 0x75, 0x74, 0x68, 0x6f,
-	0x65, 0x12, 0x6c, 0x0a, 0x0c, 0x49, 0x73, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x54, 0x6f, 0x6b, 0x65,
+	0x72, 0x69, 0x7a, 0x65, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0a, 0x61, 0x75, 0x74,
-	0x6e, 0x12, 0x18, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x49, 0x73, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x54,
+	0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x22, 0x49, 0x0a, 0x15, 0x47, 0x65, 0x74, 0x41, 0x63,
-	0x6f, 0x6b, 0x65, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x19, 0x2e, 0x61, 0x70,
+	0x63, 0x65, 0x73, 0x73, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74,
-	0x69, 0x2e, 0x49, 0x73, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x52, 0x65,
+	0x12, 0x1a, 0x0a, 0x08, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01,
-	0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x27, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x21, 0x22, 0x18,
+	0x28, 0x09, 0x52, 0x08, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x14, 0x0a, 0x05,
-	0x2f, 0x61, 0x70, 0x69, 0x73, 0x2f, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2f, 0x61, 0x75,
+	0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x74, 0x6f, 0x6b,
-	0x74, 0x68, 0x2f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x3a, 0x05, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x12,
+	0x65, 0x6e, 0x22, 0x6e, 0x0a, 0x16, 0x47, 0x65, 0x74, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x54,
-	0x6d, 0x0a, 0x0c, 0x49, 0x73, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x12,
+	0x6f, 0x6b, 0x65, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x16, 0x0a, 0x06,
-	0x18, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x49, 0x73, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a,
+	0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x64, 0x6f,
-	0x65, 0x64, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x19, 0x2e, 0x61, 0x70, 0x69, 0x2e,
+	0x6d, 0x61, 0x69, 0x6e, 0x12, 0x20, 0x0a, 0x0b, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x54, 0x6f,
-	0x49, 0x73, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x52, 0x65, 0x73, 0x70,
+	0x6b, 0x65, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x61, 0x63, 0x63, 0x65, 0x73,
-	0x6f, 0x6e, 0x73, 0x65, 0x22, 0x28, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x22, 0x22, 0x12, 0x2f, 0x61,
+	0x73, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x12, 0x1a, 0x0a, 0x08, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61,
-	0x70, 0x69, 0x73, 0x2f, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2f, 0x61, 0x75, 0x74, 0x68,
+	0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61,
-	0x3a, 0x0c, 0x69, 0x73, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x62, 0x06,
+	0x6d, 0x65, 0x32, 0xe6, 0x02, 0x0a, 0x0b, 0x41, 0x75, 0x74, 0x68, 0x53, 0x65, 0x72, 0x76, 0x69,
-	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x63, 0x65, 0x12, 0x68, 0x0a, 0x0c, 0x49, 0x73, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x54, 0x6f, 0x6b,
+	0x65, 0x6e, 0x12, 0x18, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x49, 0x73, 0x56, 0x61, 0x6c, 0x69, 0x64,
+	0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x19, 0x2e, 0x61,
+	0x70, 0x69, 0x2e, 0x49, 0x73, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x52,
+	0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x23, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1d, 0x22,
+	0x18, 0x2f, 0x61, 0x70, 0x69, 0x73, 0x2f, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2f, 0x61,
+	0x75, 0x74, 0x68, 0x2f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x3a, 0x01, 0x2a, 0x12, 0x7e, 0x0a, 0x0e,
+	0x47, 0x65, 0x74, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x12, 0x1a,
+	0x2e, 0x61, 0x70, 0x69, 0x2e, 0x47, 0x65, 0x74, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x54, 0x6f,
+	0x6b, 0x65, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1b, 0x2e, 0x61, 0x70, 0x69,
+	0x2e, 0x47, 0x65, 0x74, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x52,
+	0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x33, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x28, 0x22,
+	0x23, 0x2f, 0x61, 0x70, 0x69, 0x73, 0x2f, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2f, 0x61,
+	0x75, 0x74, 0x68, 0x2f, 0x67, 0x65, 0x74, 0x5f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x74,
+	0x6f, 0x6b, 0x65, 0x6e, 0x3a, 0x01, 0x2a, 0x92, 0x41, 0x02, 0x62, 0x00, 0x12, 0x6d, 0x0a, 0x0c,
+	0x49, 0x73, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x12, 0x18, 0x2e, 0x61,
+	0x70, 0x69, 0x2e, 0x49, 0x73, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x52,
+	0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x19, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x49, 0x73, 0x41,
+	0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73,
+	0x65, 0x22, 0x28, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x22, 0x22, 0x12, 0x2f, 0x61, 0x70, 0x69, 0x73,
+	0x2f, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2f, 0x61, 0x75, 0x74, 0x68, 0x3a, 0x0c, 0x69,
+	0x73, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x62, 0x06, 0x70, 0x72, 0x6f,
+	0x74, 0x6f, 0x33,
 }
 
 var (
@@ -410,27 +527,29 @@ func file_auth_proto_rawDescGZIP() []byte {
 	return file_auth_proto_rawDescData
 }
 
-var file_auth_proto_msgTypes = make([]protoimpl.MessageInfo, 6)
+var file_auth_proto_msgTypes = make([]protoimpl.MessageInfo, 7)
 var file_auth_proto_goTypes = []interface{}{
-	(*IsAuthorized)(nil),         // 0: api.IsAuthorized
+	(*IsValidTokenRequest)(nil),    // 0: api.IsValidTokenRequest
-	(*IsAuthorizedRequest)(nil),  // 1: api.IsAuthorizedRequest
+	(*IsValidTokenResponse)(nil),   // 1: api.IsValidTokenResponse
-	(*IsAuthorizedResponse)(nil), // 2: api.IsAuthorizedResponse
+	(*IsAuthorized)(nil),           // 2: api.IsAuthorized
-	(*TokenWrapper)(nil),         // 3: api.TokenWrapper
+	(*IsAuthorizedRequest)(nil),    // 3: api.IsAuthorizedRequest
-	(*IsValidTokenRequest)(nil),  // 4: api.IsValidTokenRequest
+	(*IsAuthorizedResponse)(nil),   // 4: api.IsAuthorizedResponse
-	(*IsValidTokenResponse)(nil), // 5: api.IsValidTokenResponse
+	(*GetAccessTokenRequest)(nil),  // 5: api.GetAccessTokenRequest
+	(*GetAccessTokenResponse)(nil), // 6: api.GetAccessTokenResponse
 }
 var file_auth_proto_depIdxs = []int32{
-	0, // 0: api.IsAuthorizedRequest.isAuthorized:type_name -> api.IsAuthorized
+	2, // 0: api.IsAuthorizedRequest.isAuthorized:type_name -> api.IsAuthorized
-	3, // 1: api.IsValidTokenRequest.token:type_name -> api.TokenWrapper
+	0, // 1: api.AuthService.IsValidToken:input_type -> api.IsValidTokenRequest
-	4, // 2: api.AuthService.IsValidToken:input_type -> api.IsValidTokenRequest
+	5, // 2: api.AuthService.GetAccessToken:input_type -> api.GetAccessTokenRequest
-	1, // 3: api.AuthService.IsAuthorized:input_type -> api.IsAuthorizedRequest
+	3, // 3: api.AuthService.IsAuthorized:input_type -> api.IsAuthorizedRequest
-	5, // 4: api.AuthService.IsValidToken:output_type -> api.IsValidTokenResponse
+	1, // 4: api.AuthService.IsValidToken:output_type -> api.IsValidTokenResponse
-	2, // 5: api.AuthService.IsAuthorized:output_type -> api.IsAuthorizedResponse
+	6, // 5: api.AuthService.GetAccessToken:output_type -> api.GetAccessTokenResponse
-	4, // [4:6] is the sub-list for method output_type
+	4, // 6: api.AuthService.IsAuthorized:output_type -> api.IsAuthorizedResponse
-	2, // [2:4] is the sub-list for method input_type
+	4, // [4:7] is the sub-list for method output_type
-	2, // [2:2] is the sub-list for extension type_name
+	1, // [1:4] is the sub-list for method input_type
-	2, // [2:2] is the sub-list for extension extendee
+	1, // [1:1] is the sub-list for extension type_name
-	0, // [0:2] is the sub-list for field type_name
+	1, // [1:1] is the sub-list for extension extendee
+	0, // [0:1] is the sub-list for field type_name
 }
 
 func init() { file_auth_proto_init() }
@@ -440,54 +559,6 @@ func file_auth_proto_init() {
 	}
 	if !protoimpl.UnsafeEnabled {
 		file_auth_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*IsAuthorized); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_auth_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*IsAuthorizedRequest); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_auth_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*IsAuthorizedResponse); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_auth_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*TokenWrapper); i {
-			case 0:
-				return &v.state
-			case 1:
-				return &v.sizeCache
-			case 2:
-				return &v.unknownFields
-			default:
-				return nil
-			}
-		}
-		file_auth_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} {
 			switch v := v.(*IsValidTokenRequest); i {
 			case 0:
 				return &v.state
@@ -499,7 +570,7 @@ func file_auth_proto_init() {
 				return nil
 			}
 		}
-		file_auth_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} {
+		file_auth_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
 			switch v := v.(*IsValidTokenResponse); i {
 			case 0:
 				return &v.state
@@ -511,6 +582,66 @@ func file_auth_proto_init() {
 				return nil
 			}
 		}
+		file_auth_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*IsAuthorized); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_auth_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*IsAuthorizedRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_auth_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*IsAuthorizedResponse); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_auth_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*GetAccessTokenRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_auth_proto_msgTypes[6].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*GetAccessTokenResponse); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
 	}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
@@ -518,7 +649,7 @@ func file_auth_proto_init() {
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: file_auth_proto_rawDesc,
 			NumEnums:      0,
-			NumMessages:   6,
+			NumMessages:   7,
 			NumExtensions: 0,
 			NumServices:   1,
 		},
@@ -545,6 +676,7 @@ const _ = grpc.SupportPackageIsVersion6
 // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://godoc.org/google.golang.org/grpc#ClientConn.NewStream.
 type AuthServiceClient interface {
 	IsValidToken(ctx context.Context, in *IsValidTokenRequest, opts ...grpc.CallOption) (*IsValidTokenResponse, error)
+	GetAccessToken(ctx context.Context, in *GetAccessTokenRequest, opts ...grpc.CallOption) (*GetAccessTokenResponse, error)
 	IsAuthorized(ctx context.Context, in *IsAuthorizedRequest, opts ...grpc.CallOption) (*IsAuthorizedResponse, error)
 }
 
@@ -565,6 +697,15 @@ func (c *authServiceClient) IsValidToken(ctx context.Context, in *IsValidTokenRe
 	return out, nil
 }
 
+func (c *authServiceClient) GetAccessToken(ctx context.Context, in *GetAccessTokenRequest, opts ...grpc.CallOption) (*GetAccessTokenResponse, error) {
+	out := new(GetAccessTokenResponse)
+	err := c.cc.Invoke(ctx, "/api.AuthService/GetAccessToken", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 func (c *authServiceClient) IsAuthorized(ctx context.Context, in *IsAuthorizedRequest, opts ...grpc.CallOption) (*IsAuthorizedResponse, error) {
 	out := new(IsAuthorizedResponse)
 	err := c.cc.Invoke(ctx, "/api.AuthService/IsAuthorized", in, out, opts...)
@@ -577,6 +718,7 @@ func (c *authServiceClient) IsAuthorized(ctx context.Context, in *IsAuthorizedRe
 // AuthServiceServer is the server API for AuthService service.
 type AuthServiceServer interface {
 	IsValidToken(context.Context, *IsValidTokenRequest) (*IsValidTokenResponse, error)
+	GetAccessToken(context.Context, *GetAccessTokenRequest) (*GetAccessTokenResponse, error)
 	IsAuthorized(context.Context, *IsAuthorizedRequest) (*IsAuthorizedResponse, error)
 }
 
@@ -587,6 +729,9 @@ type UnimplementedAuthServiceServer struct {
 func (*UnimplementedAuthServiceServer) IsValidToken(context.Context, *IsValidTokenRequest) (*IsValidTokenResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method IsValidToken not implemented")
 }
+func (*UnimplementedAuthServiceServer) GetAccessToken(context.Context, *GetAccessTokenRequest) (*GetAccessTokenResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method GetAccessToken not implemented")
+}
 func (*UnimplementedAuthServiceServer) IsAuthorized(context.Context, *IsAuthorizedRequest) (*IsAuthorizedResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method IsAuthorized not implemented")
 }
@@ -613,6 +758,24 @@ func _AuthService_IsValidToken_Handler(srv interface{}, ctx context.Context, dec
 	return interceptor(ctx, in, info, handler)
 }
 
+func _AuthService_GetAccessToken_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(GetAccessTokenRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(AuthServiceServer).GetAccessToken(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/api.AuthService/GetAccessToken",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(AuthServiceServer).GetAccessToken(ctx, req.(*GetAccessTokenRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
 func _AuthService_IsAuthorized_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
 	in := new(IsAuthorizedRequest)
 	if err := dec(in); err != nil {
@@ -639,6 +802,10 @@ var _AuthService_serviceDesc = grpc.ServiceDesc{
 			MethodName: "IsValidToken",
 			Handler:    _AuthService_IsValidToken_Handler,
 		},
+		{
+			MethodName: "GetAccessToken",
+			Handler:    _AuthService_GetAccessToken_Handler,
+		},
 		{
 			MethodName: "IsAuthorized",
 			Handler:    _AuthService_IsAuthorized_Handler,

api/auth.pb.gw.go

@@ -39,7 +39,7 @@ func request_AuthService_IsValidToken_0(ctx context.Context, marshaler runtime.M
 	if berr != nil {
 		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", berr)
 	}
-	if err := marshaler.NewDecoder(newReader()).Decode(&protoReq.Token); err != nil && err != io.EOF {
+	if err := marshaler.NewDecoder(newReader()).Decode(&protoReq); err != nil && err != io.EOF {
 		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
 	}
 
@@ -56,7 +56,7 @@ func local_request_AuthService_IsValidToken_0(ctx context.Context, marshaler run
 	if berr != nil {
 		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", berr)
 	}
-	if err := marshaler.NewDecoder(newReader()).Decode(&protoReq.Token); err != nil && err != io.EOF {
+	if err := marshaler.NewDecoder(newReader()).Decode(&protoReq); err != nil && err != io.EOF {
 		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
 	}
 
@@ -65,6 +65,40 @@ func local_request_AuthService_IsValidToken_0(ctx context.Context, marshaler run
 
 }
 
+func request_AuthService_GetAccessToken_0(ctx context.Context, marshaler runtime.Marshaler, client AuthServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var protoReq GetAccessTokenRequest
+	var metadata runtime.ServerMetadata
+
+	newReader, berr := utilities.IOReaderFactory(req.Body)
+	if berr != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", berr)
+	}
+	if err := marshaler.NewDecoder(newReader()).Decode(&protoReq); err != nil && err != io.EOF {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+
+	msg, err := client.GetAccessToken(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
+	return msg, metadata, err
+
+}
+
+func local_request_AuthService_GetAccessToken_0(ctx context.Context, marshaler runtime.Marshaler, server AuthServiceServer, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var protoReq GetAccessTokenRequest
+	var metadata runtime.ServerMetadata
+
+	newReader, berr := utilities.IOReaderFactory(req.Body)
+	if berr != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", berr)
+	}
+	if err := marshaler.NewDecoder(newReader()).Decode(&protoReq); err != nil && err != io.EOF {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+
+	msg, err := server.GetAccessToken(ctx, &protoReq)
+	return msg, metadata, err
+
+}
+
 func request_AuthService_IsAuthorized_0(ctx context.Context, marshaler runtime.Marshaler, client AuthServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
 	var protoReq IsAuthorizedRequest
 	var metadata runtime.ServerMetadata
@@ -124,6 +158,26 @@ func RegisterAuthServiceHandlerServer(ctx context.Context, mux *runtime.ServeMux
 
 	})
 
+	mux.Handle("POST", pattern_AuthService_GetAccessToken_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		rctx, err := runtime.AnnotateIncomingContext(ctx, mux, req)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := local_request_AuthService_GetAccessToken_0(rctx, inboundMarshaler, server, req, pathParams)
+		ctx = runtime.NewServerMetadataContext(ctx, md)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+
+		forward_AuthService_GetAccessToken_0(ctx, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
+	})
+
 	mux.Handle("POST", pattern_AuthService_IsAuthorized_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
 		ctx, cancel := context.WithCancel(req.Context())
 		defer cancel()
@@ -205,6 +259,26 @@ func RegisterAuthServiceHandlerClient(ctx context.Context, mux *runtime.ServeMux
 
 	})
 
+	mux.Handle("POST", pattern_AuthService_GetAccessToken_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		rctx, err := runtime.AnnotateContext(ctx, mux, req)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := request_AuthService_GetAccessToken_0(rctx, inboundMarshaler, client, req, pathParams)
+		ctx = runtime.NewServerMetadataContext(ctx, md)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+
+		forward_AuthService_GetAccessToken_0(ctx, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
+	})
+
 	mux.Handle("POST", pattern_AuthService_IsAuthorized_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
 		ctx, cancel := context.WithCancel(req.Context())
 		defer cancel()
@@ -231,11 +305,15 @@ func RegisterAuthServiceHandlerClient(ctx context.Context, mux *runtime.ServeMux
 var (
 	pattern_AuthService_IsValidToken_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2, 2, 3}, []string{"apis", "v1beta1", "auth", "token"}, "", runtime.AssumeColonVerbOpt(true)))
 
+	pattern_AuthService_GetAccessToken_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2, 2, 3}, []string{"apis", "v1beta1", "auth", "get_access_token"}, "", runtime.AssumeColonVerbOpt(true)))
+
 	pattern_AuthService_IsAuthorized_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2}, []string{"apis", "v1beta1", "auth"}, "", runtime.AssumeColonVerbOpt(true)))
 )
 
 var (
 	forward_AuthService_IsValidToken_0 = runtime.ForwardResponseMessage
 
+	forward_AuthService_GetAccessToken_0 = runtime.ForwardResponseMessage
+
 	forward_AuthService_IsAuthorized_0 = runtime.ForwardResponseMessage
 )

api/auth.proto

@@ -3,13 +3,24 @@ syntax = "proto3";
 package api;
 
 import "google/api/annotations.proto";
-import "google/protobuf/empty.proto";
+import "protoc-gen-swagger/options/annotations.proto";
 
 service AuthService {
     rpc IsValidToken(IsValidTokenRequest) returns (IsValidTokenResponse) {
         option (google.api.http) = {
             post: "/apis/v1beta1/auth/token"
-            body: "token"
+            body: "*"
+        };
+    }
+
+    rpc GetAccessToken(GetAccessTokenRequest) returns (GetAccessTokenResponse) {
+        option (google.api.http) = {
+            post: "/apis/v1beta1/auth/get_access_token"
+            body: "*"
+        };
+        option (grpc.gateway.protoc_gen_swagger.options.openapiv2_operation) = {
+			security: {
+            }
         };
     }
 
@@ -21,6 +32,17 @@ service AuthService {
     }
 }
 
+message IsValidTokenRequest {
+    string username = 1;
+    string token = 2;
+}
+
+message IsValidTokenResponse {
+    string domain = 1;
+    string token = 2;
+    string username = 3;
+}
+
 message IsAuthorized {
     string namespace = 1;
     string verb = 2;
@@ -37,14 +59,13 @@ message IsAuthorizedResponse {
     bool authorized = 1;
 }
 
-message TokenWrapper {
+message GetAccessTokenRequest {
-    string token = 1;
+    string username = 1;
+    string token = 2;
 }
 
-message IsValidTokenRequest {
+message GetAccessTokenResponse {
-    TokenWrapper token = 1;
-}
-
-message IsValidTokenResponse {
     string domain = 1;
+    string accessToken = 2;
+    string username = 3;
 }

api/label.pb.go

@@ -337,6 +337,77 @@ func (x *GetLabelsRequest) GetUid() string {
 	return ""
 }
 
+type GetAvailableLabelsRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Namespace string `protobuf:"bytes,1,opt,name=namespace,proto3" json:"namespace,omitempty"`
+	Resource  string `protobuf:"bytes,2,opt,name=resource,proto3" json:"resource,omitempty"`
+	KeyLike   string `protobuf:"bytes,3,opt,name=keyLike,proto3" json:"keyLike,omitempty"`
+	SkipKeys  string `protobuf:"bytes,4,opt,name=skipKeys,proto3" json:"skipKeys,omitempty"`
+}
+
+func (x *GetAvailableLabelsRequest) Reset() {
+	*x = GetAvailableLabelsRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_label_proto_msgTypes[5]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *GetAvailableLabelsRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*GetAvailableLabelsRequest) ProtoMessage() {}
+
+func (x *GetAvailableLabelsRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_label_proto_msgTypes[5]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use GetAvailableLabelsRequest.ProtoReflect.Descriptor instead.
+func (*GetAvailableLabelsRequest) Descriptor() ([]byte, []int) {
+	return file_label_proto_rawDescGZIP(), []int{5}
+}
+
+func (x *GetAvailableLabelsRequest) GetNamespace() string {
+	if x != nil {
+		return x.Namespace
+	}
+	return ""
+}
+
+func (x *GetAvailableLabelsRequest) GetResource() string {
+	if x != nil {
+		return x.Resource
+	}
+	return ""
+}
+
+func (x *GetAvailableLabelsRequest) GetKeyLike() string {
+	if x != nil {
+		return x.KeyLike
+	}
+	return ""
+}
+
+func (x *GetAvailableLabelsRequest) GetSkipKeys() string {
+	if x != nil {
+		return x.SkipKeys
+	}
+	return ""
+}
+
 type GetLabelsResponse struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
@@ -348,7 +419,7 @@ type GetLabelsResponse struct {
 func (x *GetLabelsResponse) Reset() {
 	*x = GetLabelsResponse{}
 	if protoimpl.UnsafeEnabled {
-		mi := &file_label_proto_msgTypes[5]
+		mi := &file_label_proto_msgTypes[6]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
@@ -361,7 +432,7 @@ func (x *GetLabelsResponse) String() string {
 func (*GetLabelsResponse) ProtoMessage() {}
 
 func (x *GetLabelsResponse) ProtoReflect() protoreflect.Message {
-	mi := &file_label_proto_msgTypes[5]
+	mi := &file_label_proto_msgTypes[6]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -374,7 +445,7 @@ func (x *GetLabelsResponse) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use GetLabelsResponse.ProtoReflect.Descriptor instead.
 func (*GetLabelsResponse) Descriptor() ([]byte, []int) {
-	return file_label_proto_rawDescGZIP(), []int{5}
+	return file_label_proto_rawDescGZIP(), []int{6}
 }
 
 func (x *GetLabelsResponse) GetLabels() []*KeyValue {
@@ -398,7 +469,7 @@ type DeleteLabelRequest struct {
 func (x *DeleteLabelRequest) Reset() {
 	*x = DeleteLabelRequest{}
 	if protoimpl.UnsafeEnabled {
-		mi := &file_label_proto_msgTypes[6]
+		mi := &file_label_proto_msgTypes[7]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
@@ -411,7 +482,7 @@ func (x *DeleteLabelRequest) String() string {
 func (*DeleteLabelRequest) ProtoMessage() {}
 
 func (x *DeleteLabelRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_label_proto_msgTypes[6]
+	mi := &file_label_proto_msgTypes[7]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -424,7 +495,7 @@ func (x *DeleteLabelRequest) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use DeleteLabelRequest.ProtoReflect.Descriptor instead.
 func (*DeleteLabelRequest) Descriptor() ([]byte, []int) {
-	return file_label_proto_rawDescGZIP(), []int{6}
+	return file_label_proto_rawDescGZIP(), []int{7}
 }
 
 func (x *DeleteLabelRequest) GetNamespace() string {
@@ -490,51 +561,69 @@ var file_label_proto_rawDesc = []byte{
 	0x73, 0x70, 0x61, 0x63, 0x65, 0x12, 0x1a, 0x0a, 0x08, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63,
 	0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63,
 	0x65, 0x12, 0x10, 0x0a, 0x03, 0x75, 0x69, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03,
-	0x75, 0x69, 0x64, 0x22, 0x3a, 0x0a, 0x11, 0x47, 0x65, 0x74, 0x4c, 0x61, 0x62, 0x65, 0x6c, 0x73,
+	0x75, 0x69, 0x64, 0x22, 0x8b, 0x01, 0x0a, 0x19, 0x47, 0x65, 0x74, 0x41, 0x76, 0x61, 0x69, 0x6c,
-	0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x25, 0x0a, 0x06, 0x6c, 0x61, 0x62, 0x65,
+	0x61, 0x62, 0x6c, 0x65, 0x4c, 0x61, 0x62, 0x65, 0x6c, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73,
-	0x6c, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x0d, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x4b,
+	0x74, 0x12, 0x1c, 0x0a, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x18, 0x01,
-	0x65, 0x79, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x06, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x73, 0x22,
+	0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x12,
-	0x72, 0x0a, 0x12, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x4c, 0x61, 0x62, 0x65, 0x6c, 0x52, 0x65,
+	0x1a, 0x0a, 0x08, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28,
-	0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1c, 0x0a, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61,
+	0x09, 0x52, 0x08, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x12, 0x18, 0x0a, 0x07, 0x6b,
-	0x63, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70,
+	0x65, 0x79, 0x4c, 0x69, 0x6b, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x6b, 0x65,
-	0x61, 0x63, 0x65, 0x12, 0x1a, 0x0a, 0x08, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x18,
+	0x79, 0x4c, 0x69, 0x6b, 0x65, 0x12, 0x1a, 0x0a, 0x08, 0x73, 0x6b, 0x69, 0x70, 0x4b, 0x65, 0x79,
-	0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x12,
+	0x73, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x73, 0x6b, 0x69, 0x70, 0x4b, 0x65, 0x79,
-	0x10, 0x0a, 0x03, 0x75, 0x69, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x75, 0x69,
+	0x73, 0x22, 0x3a, 0x0a, 0x11, 0x47, 0x65, 0x74, 0x4c, 0x61, 0x62, 0x65, 0x6c, 0x73, 0x52, 0x65,
-	0x64, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03,
+	0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x25, 0x0a, 0x06, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x73,
-	0x6b, 0x65, 0x79, 0x32, 0x8d, 0x04, 0x0a, 0x0c, 0x4c, 0x61, 0x62, 0x65, 0x6c, 0x53, 0x65, 0x72,
+	0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x0d, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x4b, 0x65, 0x79,
-	0x76, 0x69, 0x63, 0x65, 0x12, 0x75, 0x0a, 0x09, 0x47, 0x65, 0x74, 0x4c, 0x61, 0x62, 0x65, 0x6c,
+	0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x06, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x73, 0x22, 0x72, 0x0a,
-	0x73, 0x12, 0x15, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x47, 0x65, 0x74, 0x4c, 0x61, 0x62, 0x65, 0x6c,
+	0x12, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x4c, 0x61, 0x62, 0x65, 0x6c, 0x52, 0x65, 0x71, 0x75,
+	0x65, 0x73, 0x74, 0x12, 0x1c, 0x0a, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65,
+	0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63,
+	0x65, 0x12, 0x1a, 0x0a, 0x08, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x18, 0x02, 0x20,
+	0x01, 0x28, 0x09, 0x52, 0x08, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x12, 0x10, 0x0a,
+	0x03, 0x75, 0x69, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x75, 0x69, 0x64, 0x12,
+	0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65,
+	0x79, 0x32, 0x98, 0x05, 0x0a, 0x0c, 0x4c, 0x61, 0x62, 0x65, 0x6c, 0x53, 0x65, 0x72, 0x76, 0x69,
+	0x63, 0x65, 0x12, 0x88, 0x01, 0x0a, 0x12, 0x47, 0x65, 0x74, 0x41, 0x76, 0x61, 0x69, 0x6c, 0x61,
+	0x62, 0x6c, 0x65, 0x4c, 0x61, 0x62, 0x65, 0x6c, 0x73, 0x12, 0x1e, 0x2e, 0x61, 0x70, 0x69, 0x2e,
+	0x47, 0x65, 0x74, 0x41, 0x76, 0x61, 0x69, 0x6c, 0x61, 0x62, 0x6c, 0x65, 0x4c, 0x61, 0x62, 0x65,
+	0x6c, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x61, 0x70, 0x69, 0x2e,
+	0x47, 0x65, 0x74, 0x4c, 0x61, 0x62, 0x65, 0x6c, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73,
+	0x65, 0x22, 0x3a, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x34, 0x12, 0x32, 0x2f, 0x61, 0x70, 0x69, 0x73,
+	0x2f, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2f, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x73, 0x2f,
+	0x7b, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x7d, 0x2f, 0x7b, 0x72, 0x65, 0x73,
+	0x6f, 0x75, 0x72, 0x63, 0x65, 0x7d, 0x2f, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x73, 0x12, 0x75, 0x0a,
+	0x09, 0x47, 0x65, 0x74, 0x4c, 0x61, 0x62, 0x65, 0x6c, 0x73, 0x12, 0x15, 0x2e, 0x61, 0x70, 0x69,
+	0x2e, 0x47, 0x65, 0x74, 0x4c, 0x61, 0x62, 0x65, 0x6c, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73,
+	0x74, 0x1a, 0x16, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x47, 0x65, 0x74, 0x4c, 0x61, 0x62, 0x65, 0x6c,
+	0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x39, 0x82, 0xd3, 0xe4, 0x93, 0x02,
+	0x33, 0x12, 0x31, 0x2f, 0x61, 0x70, 0x69, 0x73, 0x2f, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31,
+	0x2f, 0x7b, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x7d, 0x2f, 0x7b, 0x72, 0x65,
+	0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x7d, 0x2f, 0x7b, 0x75, 0x69, 0x64, 0x7d, 0x2f, 0x6c, 0x61,
+	0x62, 0x65, 0x6c, 0x73, 0x12, 0x7d, 0x0a, 0x09, 0x41, 0x64, 0x64, 0x4c, 0x61, 0x62, 0x65, 0x6c,
+	0x73, 0x12, 0x15, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x41, 0x64, 0x64, 0x4c, 0x61, 0x62, 0x65, 0x6c,
 	0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x47,
 	0x65, 0x74, 0x4c, 0x61, 0x62, 0x65, 0x6c, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65,
-	0x22, 0x39, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x33, 0x12, 0x31, 0x2f, 0x61, 0x70, 0x69, 0x73, 0x2f,
+	0x22, 0x41, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x3b, 0x22, 0x31, 0x2f, 0x61, 0x70, 0x69, 0x73, 0x2f,
 	0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2f, 0x7b, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61,
 	0x63, 0x65, 0x7d, 0x2f, 0x7b, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x7d, 0x2f, 0x7b,
-	0x75, 0x69, 0x64, 0x7d, 0x2f, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x73, 0x12, 0x7d, 0x0a, 0x09, 0x41,
+	0x75, 0x69, 0x64, 0x7d, 0x2f, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x73, 0x3a, 0x06, 0x6c, 0x61, 0x62,
-	0x64, 0x64, 0x4c, 0x61, 0x62, 0x65, 0x6c, 0x73, 0x12, 0x15, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x41,
+	0x65, 0x6c, 0x73, 0x12, 0x85, 0x01, 0x0a, 0x0d, 0x52, 0x65, 0x70, 0x6c, 0x61, 0x63, 0x65, 0x4c,
-	0x64, 0x64, 0x4c, 0x61, 0x62, 0x65, 0x6c, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a,
+	0x61, 0x62, 0x65, 0x6c, 0x73, 0x12, 0x19, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x52, 0x65, 0x70, 0x6c,
-	0x16, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x47, 0x65, 0x74, 0x4c, 0x61, 0x62, 0x65, 0x6c, 0x73, 0x52,
+	0x61, 0x63, 0x65, 0x4c, 0x61, 0x62, 0x65, 0x6c, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74,
-	0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x41, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x3b, 0x22,
+	0x1a, 0x16, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x47, 0x65, 0x74, 0x4c, 0x61, 0x62, 0x65, 0x6c, 0x73,
-	0x31, 0x2f, 0x61, 0x70, 0x69, 0x73, 0x2f, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2f, 0x7b,
+	0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x41, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x3b,
-	0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x7d, 0x2f, 0x7b, 0x72, 0x65, 0x73, 0x6f,
+	0x1a, 0x31, 0x2f, 0x61, 0x70, 0x69, 0x73, 0x2f, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2f,
-	0x75, 0x72, 0x63, 0x65, 0x7d, 0x2f, 0x7b, 0x75, 0x69, 0x64, 0x7d, 0x2f, 0x6c, 0x61, 0x62, 0x65,
+	0x7b, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x7d, 0x2f, 0x7b, 0x72, 0x65, 0x73,
-	0x6c, 0x73, 0x3a, 0x06, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x73, 0x12, 0x85, 0x01, 0x0a, 0x0d, 0x52,
+	0x6f, 0x75, 0x72, 0x63, 0x65, 0x7d, 0x2f, 0x7b, 0x75, 0x69, 0x64, 0x7d, 0x2f, 0x6c, 0x61, 0x62,
-	0x65, 0x70, 0x6c, 0x61, 0x63, 0x65, 0x4c, 0x61, 0x62, 0x65, 0x6c, 0x73, 0x12, 0x19, 0x2e, 0x61,
+	0x65, 0x6c, 0x73, 0x3a, 0x06, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x73, 0x12, 0x7f, 0x0a, 0x0b, 0x44,
-	0x70, 0x69, 0x2e, 0x52, 0x65, 0x70, 0x6c, 0x61, 0x63, 0x65, 0x4c, 0x61, 0x62, 0x65, 0x6c, 0x73,
+	0x65, 0x6c, 0x65, 0x74, 0x65, 0x4c, 0x61, 0x62, 0x65, 0x6c, 0x12, 0x17, 0x2e, 0x61, 0x70, 0x69,
-	0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x47, 0x65,
+	0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x4c, 0x61, 0x62, 0x65, 0x6c, 0x52, 0x65, 0x71, 0x75,
-	0x74, 0x4c, 0x61, 0x62, 0x65, 0x6c, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22,
+	0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x47, 0x65, 0x74, 0x4c, 0x61, 0x62,
-	0x41, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x3b, 0x1a, 0x31, 0x2f, 0x61, 0x70, 0x69, 0x73, 0x2f, 0x76,
+	0x65, 0x6c, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x3f, 0x82, 0xd3, 0xe4,
-	0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2f, 0x7b, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63,
+	0x93, 0x02, 0x39, 0x2a, 0x37, 0x2f, 0x61, 0x70, 0x69, 0x73, 0x2f, 0x76, 0x31, 0x62, 0x65, 0x74,
-	0x65, 0x7d, 0x2f, 0x7b, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x7d, 0x2f, 0x7b, 0x75,
+	0x61, 0x31, 0x2f, 0x7b, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x7d, 0x2f, 0x7b,
-	0x69, 0x64, 0x7d, 0x2f, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x73, 0x3a, 0x06, 0x6c, 0x61, 0x62, 0x65,
+	0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x7d, 0x2f, 0x7b, 0x75, 0x69, 0x64, 0x7d, 0x2f,
-	0x6c, 0x73, 0x12, 0x7f, 0x0a, 0x0b, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x4c, 0x61, 0x62, 0x65,
+	0x6c, 0x61, 0x62, 0x65, 0x6c, 0x73, 0x2f, 0x7b, 0x6b, 0x65, 0x79, 0x7d, 0x62, 0x06, 0x70, 0x72,
-	0x6c, 0x12, 0x17, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x4c, 0x61,
+	0x6f, 0x74, 0x6f, 0x33,
-	0x62, 0x65, 0x6c, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x61, 0x70, 0x69,
-	0x2e, 0x47, 0x65, 0x74, 0x4c, 0x61, 0x62, 0x65, 0x6c, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e,
-	0x73, 0x65, 0x22, 0x3f, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x39, 0x2a, 0x37, 0x2f, 0x61, 0x70, 0x69,
-	0x73, 0x2f, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2f, 0x7b, 0x6e, 0x61, 0x6d, 0x65, 0x73,
-	0x70, 0x61, 0x63, 0x65, 0x7d, 0x2f, 0x7b, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x7d,
-	0x2f, 0x7b, 0x75, 0x69, 0x64, 0x7d, 0x2f, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x73, 0x2f, 0x7b, 0x6b,
-	0x65, 0x79, 0x7d, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }
 
 var (
@@ -549,31 +638,34 @@ func file_label_proto_rawDescGZIP() []byte {
 	return file_label_proto_rawDescData
 }
 
-var file_label_proto_msgTypes = make([]protoimpl.MessageInfo, 7)
+var file_label_proto_msgTypes = make([]protoimpl.MessageInfo, 8)
 var file_label_proto_goTypes = []interface{}{
-	(*KeyValue)(nil),             // 0: api.KeyValue
+	(*KeyValue)(nil),                  // 0: api.KeyValue
-	(*Labels)(nil),               // 1: api.Labels
+	(*Labels)(nil),                    // 1: api.Labels
-	(*AddLabelsRequest)(nil),     // 2: api.AddLabelsRequest
+	(*AddLabelsRequest)(nil),          // 2: api.AddLabelsRequest
-	(*ReplaceLabelsRequest)(nil), // 3: api.ReplaceLabelsRequest
+	(*ReplaceLabelsRequest)(nil),      // 3: api.ReplaceLabelsRequest
-	(*GetLabelsRequest)(nil),     // 4: api.GetLabelsRequest
+	(*GetLabelsRequest)(nil),          // 4: api.GetLabelsRequest
-	(*GetLabelsResponse)(nil),    // 5: api.GetLabelsResponse
+	(*GetAvailableLabelsRequest)(nil), // 5: api.GetAvailableLabelsRequest
-	(*DeleteLabelRequest)(nil),   // 6: api.DeleteLabelRequest
+	(*GetLabelsResponse)(nil),         // 6: api.GetLabelsResponse
+	(*DeleteLabelRequest)(nil),        // 7: api.DeleteLabelRequest
 }
 var file_label_proto_depIdxs = []int32{
 	0, // 0: api.Labels.items:type_name -> api.KeyValue
 	1, // 1: api.AddLabelsRequest.labels:type_name -> api.Labels
 	1, // 2: api.ReplaceLabelsRequest.labels:type_name -> api.Labels
 	0, // 3: api.GetLabelsResponse.labels:type_name -> api.KeyValue
-	4, // 4: api.LabelService.GetLabels:input_type -> api.GetLabelsRequest
+	5, // 4: api.LabelService.GetAvailableLabels:input_type -> api.GetAvailableLabelsRequest
-	2, // 5: api.LabelService.AddLabels:input_type -> api.AddLabelsRequest
+	4, // 5: api.LabelService.GetLabels:input_type -> api.GetLabelsRequest
-	3, // 6: api.LabelService.ReplaceLabels:input_type -> api.ReplaceLabelsRequest
+	2, // 6: api.LabelService.AddLabels:input_type -> api.AddLabelsRequest
-	6, // 7: api.LabelService.DeleteLabel:input_type -> api.DeleteLabelRequest
+	3, // 7: api.LabelService.ReplaceLabels:input_type -> api.ReplaceLabelsRequest
-	5, // 8: api.LabelService.GetLabels:output_type -> api.GetLabelsResponse
+	7, // 8: api.LabelService.DeleteLabel:input_type -> api.DeleteLabelRequest
-	5, // 9: api.LabelService.AddLabels:output_type -> api.GetLabelsResponse
+	6, // 9: api.LabelService.GetAvailableLabels:output_type -> api.GetLabelsResponse
-	5, // 10: api.LabelService.ReplaceLabels:output_type -> api.GetLabelsResponse
+	6, // 10: api.LabelService.GetLabels:output_type -> api.GetLabelsResponse
-	5, // 11: api.LabelService.DeleteLabel:output_type -> api.GetLabelsResponse
+	6, // 11: api.LabelService.AddLabels:output_type -> api.GetLabelsResponse
-	8, // [8:12] is the sub-list for method output_type
+	6, // 12: api.LabelService.ReplaceLabels:output_type -> api.GetLabelsResponse
-	4, // [4:8] is the sub-list for method input_type
+	6, // 13: api.LabelService.DeleteLabel:output_type -> api.GetLabelsResponse
+	9, // [9:14] is the sub-list for method output_type
+	4, // [4:9] is the sub-list for method input_type
 	4, // [4:4] is the sub-list for extension type_name
 	4, // [4:4] is the sub-list for extension extendee
 	0, // [0:4] is the sub-list for field type_name
@@ -646,7 +738,7 @@ func file_label_proto_init() {
 			}
 		}
 		file_label_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*GetLabelsResponse); i {
+			switch v := v.(*GetAvailableLabelsRequest); i {
 			case 0:
 				return &v.state
 			case 1:
@@ -658,6 +750,18 @@ func file_label_proto_init() {
 			}
 		}
 		file_label_proto_msgTypes[6].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*GetLabelsResponse); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_label_proto_msgTypes[7].Exporter = func(v interface{}, i int) interface{} {
 			switch v := v.(*DeleteLabelRequest); i {
 			case 0:
 				return &v.state
@@ -676,7 +780,7 @@ func file_label_proto_init() {
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: file_label_proto_rawDesc,
 			NumEnums:      0,
-			NumMessages:   7,
+			NumMessages:   8,
 			NumExtensions: 0,
 			NumServices:   1,
 		},
@@ -702,6 +806,7 @@ const _ = grpc.SupportPackageIsVersion6
 //
 // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://godoc.org/google.golang.org/grpc#ClientConn.NewStream.
 type LabelServiceClient interface {
+	GetAvailableLabels(ctx context.Context, in *GetAvailableLabelsRequest, opts ...grpc.CallOption) (*GetLabelsResponse, error)
 	GetLabels(ctx context.Context, in *GetLabelsRequest, opts ...grpc.CallOption) (*GetLabelsResponse, error)
 	AddLabels(ctx context.Context, in *AddLabelsRequest, opts ...grpc.CallOption) (*GetLabelsResponse, error)
 	ReplaceLabels(ctx context.Context, in *ReplaceLabelsRequest, opts ...grpc.CallOption) (*GetLabelsResponse, error)
@@ -716,6 +821,15 @@ func NewLabelServiceClient(cc grpc.ClientConnInterface) LabelServiceClient {
 	return &labelServiceClient{cc}
 }
 
+func (c *labelServiceClient) GetAvailableLabels(ctx context.Context, in *GetAvailableLabelsRequest, opts ...grpc.CallOption) (*GetLabelsResponse, error) {
+	out := new(GetLabelsResponse)
+	err := c.cc.Invoke(ctx, "/api.LabelService/GetAvailableLabels", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 func (c *labelServiceClient) GetLabels(ctx context.Context, in *GetLabelsRequest, opts ...grpc.CallOption) (*GetLabelsResponse, error) {
 	out := new(GetLabelsResponse)
 	err := c.cc.Invoke(ctx, "/api.LabelService/GetLabels", in, out, opts...)
@@ -754,6 +868,7 @@ func (c *labelServiceClient) DeleteLabel(ctx context.Context, in *DeleteLabelReq
 
 // LabelServiceServer is the server API for LabelService service.
 type LabelServiceServer interface {
+	GetAvailableLabels(context.Context, *GetAvailableLabelsRequest) (*GetLabelsResponse, error)
 	GetLabels(context.Context, *GetLabelsRequest) (*GetLabelsResponse, error)
 	AddLabels(context.Context, *AddLabelsRequest) (*GetLabelsResponse, error)
 	ReplaceLabels(context.Context, *ReplaceLabelsRequest) (*GetLabelsResponse, error)
@@ -764,6 +879,9 @@ type LabelServiceServer interface {
 type UnimplementedLabelServiceServer struct {
 }
 
+func (*UnimplementedLabelServiceServer) GetAvailableLabels(context.Context, *GetAvailableLabelsRequest) (*GetLabelsResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method GetAvailableLabels not implemented")
+}
 func (*UnimplementedLabelServiceServer) GetLabels(context.Context, *GetLabelsRequest) (*GetLabelsResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method GetLabels not implemented")
 }
@@ -781,6 +899,24 @@ func RegisterLabelServiceServer(s *grpc.Server, srv LabelServiceServer) {
 	s.RegisterService(&_LabelService_serviceDesc, srv)
 }
 
+func _LabelService_GetAvailableLabels_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(GetAvailableLabelsRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(LabelServiceServer).GetAvailableLabels(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/api.LabelService/GetAvailableLabels",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(LabelServiceServer).GetAvailableLabels(ctx, req.(*GetAvailableLabelsRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
 func _LabelService_GetLabels_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
 	in := new(GetLabelsRequest)
 	if err := dec(in); err != nil {
@@ -857,6 +993,10 @@ var _LabelService_serviceDesc = grpc.ServiceDesc{
 	ServiceName: "api.LabelService",
 	HandlerType: (*LabelServiceServer)(nil),
 	Methods: []grpc.MethodDesc{
+		{
+			MethodName: "GetAvailableLabels",
+			Handler:    _LabelService_GetAvailableLabels_Handler,
+		},
 		{
 			MethodName: "GetLabels",
 			Handler:    _LabelService_GetLabels_Handler,

api/label.pb.gw.go

@@ -31,6 +31,97 @@ var _ = runtime.String
 var _ = utilities.NewDoubleArray
 var _ = descriptor.ForMessage
 
+var (
+	filter_LabelService_GetAvailableLabels_0 = &utilities.DoubleArray{Encoding: map[string]int{"namespace": 0, "resource": 1}, Base: []int{1, 1, 2, 0, 0}, Check: []int{0, 1, 1, 2, 3}}
+)
+
+func request_LabelService_GetAvailableLabels_0(ctx context.Context, marshaler runtime.Marshaler, client LabelServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var protoReq GetAvailableLabelsRequest
+	var metadata runtime.ServerMetadata
+
+	var (
+		val string
+		ok  bool
+		err error
+		_   = err
+	)
+
+	val, ok = pathParams["namespace"]
+	if !ok {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "missing parameter %s", "namespace")
+	}
+
+	protoReq.Namespace, err = runtime.String(val)
+
+	if err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "type mismatch, parameter: %s, error: %v", "namespace", err)
+	}
+
+	val, ok = pathParams["resource"]
+	if !ok {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "missing parameter %s", "resource")
+	}
+
+	protoReq.Resource, err = runtime.String(val)
+
+	if err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "type mismatch, parameter: %s, error: %v", "resource", err)
+	}
+
+	if err := req.ParseForm(); err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+	if err := runtime.PopulateQueryParameters(&protoReq, req.Form, filter_LabelService_GetAvailableLabels_0); err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+
+	msg, err := client.GetAvailableLabels(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
+	return msg, metadata, err
+
+}
+
+func local_request_LabelService_GetAvailableLabels_0(ctx context.Context, marshaler runtime.Marshaler, server LabelServiceServer, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var protoReq GetAvailableLabelsRequest
+	var metadata runtime.ServerMetadata
+
+	var (
+		val string
+		ok  bool
+		err error
+		_   = err
+	)
+
+	val, ok = pathParams["namespace"]
+	if !ok {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "missing parameter %s", "namespace")
+	}
+
+	protoReq.Namespace, err = runtime.String(val)
+
+	if err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "type mismatch, parameter: %s, error: %v", "namespace", err)
+	}
+
+	val, ok = pathParams["resource"]
+	if !ok {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "missing parameter %s", "resource")
+	}
+
+	protoReq.Resource, err = runtime.String(val)
+
+	if err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "type mismatch, parameter: %s, error: %v", "resource", err)
+	}
+
+	if err := runtime.PopulateQueryParameters(&protoReq, req.URL.Query(), filter_LabelService_GetAvailableLabels_0); err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+
+	msg, err := server.GetAvailableLabels(ctx, &protoReq)
+	return msg, metadata, err
+
+}
+
 func request_LabelService_GetLabels_0(ctx context.Context, marshaler runtime.Marshaler, client LabelServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
 	var protoReq GetLabelsRequest
 	var metadata runtime.ServerMetadata
@@ -482,6 +573,26 @@ func local_request_LabelService_DeleteLabel_0(ctx context.Context, marshaler run
 // StreamingRPC :currently unsupported pending https://github.com/grpc/grpc-go/issues/906.
 func RegisterLabelServiceHandlerServer(ctx context.Context, mux *runtime.ServeMux, server LabelServiceServer) error {
 
+	mux.Handle("GET", pattern_LabelService_GetAvailableLabels_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		rctx, err := runtime.AnnotateIncomingContext(ctx, mux, req)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := local_request_LabelService_GetAvailableLabels_0(rctx, inboundMarshaler, server, req, pathParams)
+		ctx = runtime.NewServerMetadataContext(ctx, md)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+
+		forward_LabelService_GetAvailableLabels_0(ctx, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
+	})
+
 	mux.Handle("GET", pattern_LabelService_GetLabels_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
 		ctx, cancel := context.WithCancel(req.Context())
 		defer cancel()
@@ -603,6 +714,26 @@ func RegisterLabelServiceHandler(ctx context.Context, mux *runtime.ServeMux, con
 // "LabelServiceClient" to call the correct interceptors.
 func RegisterLabelServiceHandlerClient(ctx context.Context, mux *runtime.ServeMux, client LabelServiceClient) error {
 
+	mux.Handle("GET", pattern_LabelService_GetAvailableLabels_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		rctx, err := runtime.AnnotateContext(ctx, mux, req)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := request_LabelService_GetAvailableLabels_0(rctx, inboundMarshaler, client, req, pathParams)
+		ctx = runtime.NewServerMetadataContext(ctx, md)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+
+		forward_LabelService_GetAvailableLabels_0(ctx, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
+	})
+
 	mux.Handle("GET", pattern_LabelService_GetLabels_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
 		ctx, cancel := context.WithCancel(req.Context())
 		defer cancel()
@@ -687,6 +818,8 @@ func RegisterLabelServiceHandlerClient(ctx context.Context, mux *runtime.ServeMu
 }
 
 var (
+	pattern_LabelService_GetAvailableLabels_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2, 1, 0, 4, 1, 5, 3, 1, 0, 4, 1, 5, 4, 2, 2}, []string{"apis", "v1beta1", "labels", "namespace", "resource"}, "", runtime.AssumeColonVerbOpt(true)))
+
 	pattern_LabelService_GetLabels_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 1, 0, 4, 1, 5, 2, 1, 0, 4, 1, 5, 3, 1, 0, 4, 1, 5, 4, 2, 5}, []string{"apis", "v1beta1", "namespace", "resource", "uid", "labels"}, "", runtime.AssumeColonVerbOpt(true)))
 
 	pattern_LabelService_AddLabels_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 1, 0, 4, 1, 5, 2, 1, 0, 4, 1, 5, 3, 1, 0, 4, 1, 5, 4, 2, 5}, []string{"apis", "v1beta1", "namespace", "resource", "uid", "labels"}, "", runtime.AssumeColonVerbOpt(true)))
@@ -697,6 +830,8 @@ var (
 )
 
 var (
+	forward_LabelService_GetAvailableLabels_0 = runtime.ForwardResponseMessage
+
 	forward_LabelService_GetLabels_0 = runtime.ForwardResponseMessage
 
 	forward_LabelService_AddLabels_0 = runtime.ForwardResponseMessage

api/label.proto

@@ -5,6 +5,12 @@ package api;
 import "google/api/annotations.proto";
 
 service LabelService {
+    rpc GetAvailableLabels (GetAvailableLabelsRequest) returns (GetLabelsResponse) {
+        option (google.api.http) = {
+            get: "/apis/v1beta1/labels/{namespace}/{resource}/labels"
+        };
+    }
+
     rpc GetLabels (GetLabelsRequest) returns (GetLabelsResponse) {
         option (google.api.http) = {
             get: "/apis/v1beta1/{namespace}/{resource}/{uid}/labels"
@@ -61,6 +67,13 @@ message GetLabelsRequest {
     string uid = 3;
 }
 
+message GetAvailableLabelsRequest {
+    string namespace = 1;
+    string resource = 2;
+    string keyLike = 3;
+    string skipKeys = 4;
+}
+
 message GetLabelsResponse {
     repeated KeyValue labels = 1;
 }

db/data/20201016170415_cvat.yaml

@@ -0,0 +1,147 @@
+# Workspace arguments
+arguments:
+  parameters:
+    - name: sync-directory
+      displayName: Directory to sync raw input and training output
+      value: workflow-data
+      hint: Location to sync raw input, models and checkpoints from default object storage. Note that this will be relative to the current namespace.
+containers:
+  - name: cvat-db
+    image: postgres:10-alpine
+    env:
+      - name: POSTGRES_USER
+        value: root
+      - name: POSTGRES_DB
+        value: cvat
+      - name: POSTGRES_HOST_AUTH_METHOD
+        value: trust
+      - name: PGDATA
+        value: /var/lib/psql/data
+    ports:
+      - containerPort: 5432
+        name: tcp
+    volumeMounts:
+      - name: db
+        mountPath: /var/lib/psql
+  - name: cvat-redis
+    image: redis:4.0-alpine
+    ports:
+      - containerPort: 6379
+        name: tcp
+  - name: cvat
+    image: onepanel/cvat:0.14.0_cvat.1.0.0
+    env:
+      - name: DJANGO_MODWSGI_EXTRA_ARGS
+        value: ""
+      - name: ALLOWED_HOSTS
+        value: '*'
+      - name: CVAT_REDIS_HOST
+        value: localhost
+      - name: CVAT_POSTGRES_HOST
+        value: localhost
+      - name: CVAT_SHARE_URL
+        value: /home/django/data
+      - name: ONEPANEL_SYNC_DIRECTORY
+        value: '{{workspace.parameters.sync-directory}}'
+      - name: NVIDIA_VISIBLE_DEVICES
+        value: all
+      - name: NVIDIA_DRIVER_CAPABILITIES
+        value: compute,utility
+      - name: NVIDIA_REQUIRE_CUDA
+        value: "cuda>=10.0 brand=tesla,driver>=384,driver<385 brand=tesla,driver>=410,driver<411"
+    ports:
+      - containerPort: 8080
+        name: http
+    volumeMounts:
+      - name: data
+        mountPath: /home/django/data
+      - name: keys
+        mountPath: /home/django/keys
+      - name: logs
+        mountPath: /home/django/logs
+      - name: models
+        mountPath: /home/django/models
+      - name: share
+        mountPath: /home/django/share
+      - name: sys-namespace-config
+        mountPath: /etc/onepanel
+        readOnly: true
+  - name: cvat-ui
+    image: onepanel/cvat-ui:0.14.0_cvat.1.0.0
+    ports:
+      - containerPort: 80
+        name: http
+  # You can add multiple FileSyncer sidecar containers if needed
+  - name: filesyncer
+    image: onepanel/filesyncer:{{.ArtifactRepositoryType}}
+    imagePullPolicy: Always
+    args:
+      - download
+      - -server-prefix=/sys/filesyncer
+    env:
+      - name: FS_PATH
+        value: /mnt/share
+      - name: FS_PREFIX
+        value: '{{workflow.namespace}}/{{workspace.parameters.sync-directory}}'
+    volumeMounts:
+      - name: share
+        mountPath: /mnt/share
+      - name: sys-namespace-config
+        mountPath: /etc/onepanel
+        readOnly: true
+ports:
+  - name: cvat-ui
+    port: 80
+    protocol: TCP
+    targetPort: 80
+  - name: cvat
+    port: 8080
+    protocol: TCP
+    targetPort: 8080
+  - name: fs
+    port: 8888
+    protocol: TCP
+    targetPort: 8888
+routes:
+  - match:
+      - uri:
+          prefix: /sys/filesyncer
+    route:
+      - destination:
+          port:
+            number: 8888
+  - match:
+      - uri:
+          regex: /api/.*|/git/.*|/tensorflow/.*|/onepanelio/.*|/tracking/.*|/auto_annotation/.*|/analytics/.*|/static/.*|/admin/.*|/documentation/.*|/dextr/.*|/reid/.*
+      - queryParams:
+          id:
+            regex: \d+.*
+    route:
+      - destination:
+          port:
+            number: 8080
+  - match:
+      - uri:
+          prefix: /
+    route:
+      - destination:
+          port:
+            number: 80
+# DAG Workflow to be executed once a Workspace action completes (optional)
+# Uncomment the lines below if you want to send Slack notifications
+#postExecutionWorkflow:
+#  entrypoint: main
+#  templates:
+#  - name: main
+#    dag:
+#       tasks:
+#       - name: slack-notify
+#         template: slack-notify
+#  - name: slack-notify
+#     container:
+#       image: technosophos/slack-notify
+#       args:
+#       - SLACK_USERNAME=onepanel SLACK_TITLE="Your workspace is ready" SLACK_ICON=https://www.gravatar.com/avatar/5c4478592fe00878f62f0027be59c1bd SLACK_MESSAGE="Your workspace is now running" ./slack-notify
+#       command:
+#       - sh
+#       - -c

db/data/20201028145442_jupyterlab.yaml

@@ -0,0 +1,77 @@
+# Docker containers that are part of the Workspace
+containers:
+  - name: jupyterlab
+    image: onepanel/jupyterlab:1.0.1
+    command: ["/bin/bash", "-c", "pip install onepanel-sdk && start.sh jupyter lab --LabApp.token='' --LabApp.allow_remote_access=True --LabApp.allow_origin=\"*\" --LabApp.disable_check_xsrf=True --LabApp.trust_xheaders=True --LabApp.base_url=/ --LabApp.tornado_settings='{\"headers\":{\"Content-Security-Policy\":\"frame-ancestors * \'self\'\"}}' --notebook-dir='/data' --allow-root"]
+    env:
+      - name: tornado
+        value: "'{'headers':{'Content-Security-Policy':\"frame-ancestors\ *\ \'self'\"}}'"
+    ports:
+      - containerPort: 8888
+        name: jupyterlab
+      - containerPort: 6006
+        name: tensorboard
+    volumeMounts:
+      - name: data
+        mountPath: /data
+    lifecycle:
+      postStart:
+        exec:
+          command:
+            - /bin/sh
+            - -c
+            - >
+              condayml="/data/.environment.yml";
+              jupytertxt="/data/.jupexported.txt";
+              if [ -f "$condayml" ]; then conda env update -f $condayml; fi;
+              if [ -f "$jupytertxt" ]; then cat $jupytertxt | xargs -n 1 jupyter labextension install --no-build && jupyter lab build --minimize=False; fi;
+      preStop:
+        exec:
+          command:
+            - /bin/sh
+            - -c
+            - >
+              conda env export > /data/.environment.yml -n base;
+              jupyter labextension list 1>/dev/null 2> /data/.jup.txt;
+              cat /data/.jup.txt | sed -n '2,$p' | awk 'sub(/v/,"@", $2){print $1$2}' > /data/.jupexported.txt;
+ports:
+  - name: jupyterlab
+    port: 80
+    protocol: TCP
+    targetPort: 8888
+  - name: tensorboard
+    port: 6006
+    protocol: TCP
+    targetPort: 6006
+routes:
+  - match:
+      - uri:
+          prefix: /tensorboard
+    route:
+      - destination:
+          port:
+            number: 6006
+  - match:
+      - uri:
+          prefix: / #jupyter runs at the default route
+    route:
+      - destination:
+          port:
+            number: 80
+# DAG Workflow to be executed once a Workspace action completes (optional)
+#postExecutionWorkflow:
+#  entrypoint: main
+#  templates:
+#  - name: main
+#    dag:
+#       tasks:
+#       - name: slack-notify
+#         template: slack-notify
+#  - name: slack-notify
+#    container:
+#      image: technosophos/slack-notify
+#      args:
+#      - SLACK_USERNAME=onepanel SLACK_TITLE="Your workspace is ready" SLACK_ICON=https://www.gravatar.com/avatar/5c4478592fe00878f62f0027be59c1bd SLACK_MESSAGE="Your workspace is now running" ./slack-notify
+#      command:
+#      - sh
+#      - -c

db/data/20201031165106_jupyterlab.yaml

@@ -0,0 +1,79 @@
+# Docker containers that are part of the Workspace
+containers:
+  - name: jupyterlab
+    image: onepanel/jupyterlab:1.0.1
+    command: ["/bin/bash", "-c", "pip install onepanel-sdk && start.sh jupyter lab --LabApp.token='' --LabApp.allow_remote_access=True --LabApp.allow_origin=\"*\" --LabApp.disable_check_xsrf=True --LabApp.trust_xheaders=True --LabApp.base_url=/ --LabApp.tornado_settings='{\"headers\":{\"Content-Security-Policy\":\"frame-ancestors * \'self\'\"}}' --notebook-dir='/data' --allow-root"]
+    env:
+      - name: tornado
+        value: "'{'headers':{'Content-Security-Policy':\"frame-ancestors\ *\ \'self'\"}}'"
+      - name: TENSORBOARD_PROXY_URL
+        value: '//$(ONEPANEL_RESOURCE_UID)--$(ONEPANEL_RESOURCE_NAMESPACE).$(ONEPANEL_DOMAIN)/tensorboard'
+    ports:
+      - containerPort: 8888
+        name: jupyterlab
+      - containerPort: 6006
+        name: tensorboard
+    volumeMounts:
+      - name: data
+        mountPath: /data
+    lifecycle:
+      postStart:
+        exec:
+          command:
+            - /bin/sh
+            - -c
+            - >
+              condayml="/data/.environment.yml";
+              jupytertxt="/data/.jupexported.txt";
+              if [ -f "$condayml" ]; then conda env update -f $condayml; fi;
+              if [ -f "$jupytertxt" ]; then cat $jupytertxt | xargs -n 1 jupyter labextension install --no-build && jupyter lab build --minimize=False; fi;
+      preStop:
+        exec:
+          command:
+            - /bin/sh
+            - -c
+            - >
+              conda env export > /data/.environment.yml -n base;
+              jupyter labextension list 1>/dev/null 2> /data/.jup.txt;
+              cat /data/.jup.txt | sed -n '2,$p' | awk 'sub(/v/,"@", $2){print $1$2}' > /data/.jupexported.txt;
+ports:
+  - name: jupyterlab
+    port: 80
+    protocol: TCP
+    targetPort: 8888
+  - name: tensorboard
+    port: 6006
+    protocol: TCP
+    targetPort: 6006
+routes:
+  - match:
+      - uri:
+          prefix: /tensorboard
+    route:
+      - destination:
+          port:
+            number: 6006
+  - match:
+      - uri:
+          prefix: / #jupyter runs at the default route
+    route:
+      - destination:
+          port:
+            number: 80
+# DAG Workflow to be executed once a Workspace action completes (optional)
+#postExecutionWorkflow:
+#  entrypoint: main
+#  templates:
+#  - name: main
+#    dag:
+#       tasks:
+#       - name: slack-notify
+#         template: slack-notify
+#  - name: slack-notify
+#    container:
+#      image: technosophos/slack-notify
+#      args:
+#      - SLACK_USERNAME=onepanel SLACK_TITLE="Your workspace is ready" SLACK_ICON=https://www.gravatar.com/avatar/5c4478592fe00878f62f0027be59c1bd SLACK_MESSAGE="Your workspace is now running" ./slack-notify
+#      command:
+#      - sh
+#      - -c

db/data/20201102104048_cvat.yaml

@@ -0,0 +1,159 @@
+# Workspace arguments
+arguments:
+  parameters:
+    - name: sync-directory
+      displayName: Directory to sync raw input and training output
+      value: workflow-data
+      hint: Location (relative to current namespace) to sync raw input, models and checkpoints from default object storage to '/share'.
+containers:
+  - name: cvat-db
+    image: postgres:10-alpine
+    env:
+      - name: POSTGRES_USER
+        value: root
+      - name: POSTGRES_DB
+        value: cvat
+      - name: POSTGRES_HOST_AUTH_METHOD
+        value: trust
+      - name: PGDATA
+        value: /var/lib/psql/data
+    ports:
+      - containerPort: 5432
+        name: tcp
+    volumeMounts:
+      - name: db
+        mountPath: /var/lib/psql
+  - name: cvat-redis
+    image: redis:4.0-alpine
+    ports:
+      - containerPort: 6379
+        name: tcp
+  - name: cvat
+    image: onepanel/cvat:0.15.0_cvat.1.0.0
+    env:
+      - name: DJANGO_MODWSGI_EXTRA_ARGS
+        value: ""
+      - name: ALLOWED_HOSTS
+        value: '*'
+      - name: CVAT_REDIS_HOST
+        value: localhost
+      - name: CVAT_POSTGRES_HOST
+        value: localhost
+      - name: CVAT_SHARE_URL
+        value: /cvat/data
+      - name: CVAT_SHARE_DIR
+        value: /share
+      - name: CVAT_KEYS_DIR
+        value: /cvat/keys
+      - name: CVAT_DATA_DIR
+        value: /cvat/data
+      - name: CVAT_MODELS_DIR
+        value: /cvat/models
+      - name: CVAT_LOGS_DIR
+        value: /cvat/logs
+      - name: ONEPANEL_SYNC_DIRECTORY
+        value: '{{workspace.parameters.sync-directory}}'
+      - name: NVIDIA_VISIBLE_DEVICES
+        value: all
+      - name: NVIDIA_DRIVER_CAPABILITIES
+        value: compute,utility
+      - name: NVIDIA_REQUIRE_CUDA
+        value: "cuda>=10.0 brand=tesla,driver>=384,driver<385 brand=tesla,driver>=410,driver<411"
+    ports:
+      - containerPort: 8080
+        name: http
+    volumeMounts:
+      - name: cvat-data
+        mountPath: /cvat
+      - name: share
+        mountPath: /share
+      - name: sys-namespace-config
+        mountPath: /etc/onepanel
+        readOnly: true
+  - name: cvat-ui
+    image: onepanel/cvat-ui:0.15.0_cvat.1.0.0
+    ports:
+      - containerPort: 80
+        name: http
+  # You can add multiple FileSyncer sidecar containers if needed
+  - name: filesyncer
+    image: onepanel/filesyncer:s3
+    imagePullPolicy: Always
+    args:
+      - download
+      - -server-prefix=/sys/filesyncer
+    env:
+      - name: FS_PATH
+        value: /mnt/share
+      - name: FS_PREFIX
+        value: '{{workflow.namespace}}/{{workspace.parameters.sync-directory}}'
+    volumeMounts:
+      - name: share
+        mountPath: /mnt/share
+      - name: sys-namespace-config
+        mountPath: /etc/onepanel
+        readOnly: true
+ports:
+  - name: cvat-ui
+    port: 80
+    protocol: TCP
+    targetPort: 80
+  - name: cvat
+    port: 8080
+    protocol: TCP
+    targetPort: 8080
+  - name: fs
+    port: 8888
+    protocol: TCP
+    targetPort: 8888
+routes:
+  - match:
+      - uri:
+          prefix: /sys/filesyncer
+    route:
+      - destination:
+          port:
+            number: 8888
+  - match:
+      - uri:
+          regex: /api/.*|/git/.*|/tensorflow/.*|/onepanelio/.*|/tracking/.*|/auto_annotation/.*|/analytics/.*|/static/.*|/admin/.*|/documentation/.*|/dextr/.*|/reid/.*
+      - queryParams:
+          id:
+            regex: \d+.*
+    route:
+      - destination:
+          port:
+            number: 8080
+  - match:
+      - uri:
+          prefix: /
+    route:
+      - destination:
+          port:
+            number: 80
+volumeClaimTemplates:
+  - metadata:
+      name: db
+    spec:
+      accessModes: ["ReadWriteOnce"]
+      resources:
+        requests:
+          storage: 20Gi
+# DAG Workflow to be executed once a Workspace action completes (optional)
+# Uncomment the lines below if you want to send Slack notifications
+#postExecutionWorkflow:
+#  entrypoint: main
+#  templates:
+#  - name: main
+#    dag:
+#       tasks:
+#       - name: slack-notify
+#         template: slack-notify
+#  - name: slack-notify
+#     container:
+#       image: technosophos/slack-notify
+#       args:
+#       - SLACK_USERNAME=onepanel SLACK_TITLE="Your workspace is ready" SLACK_ICON=https://www.gravatar.com/avatar/5c4478592fe00878f62f0027be59c1bd SLACK_MESSAGE="Your workspace is now running" ./slack-notify
+#       command:
+#       - sh
+#       - -c

db/data/jupyter_lab_20200929153931.yaml

@@ -0,0 +1,58 @@
+# Docker containers that are part of the Workspace
+containers:
+  - name: jupyterlab-tensorflow
+    image: onepanel/jupyterlab:1.0.1
+    command: ["/bin/bash", "-c", "pip install onepanel-sdk && start.sh jupyter lab --LabApp.token='' --LabApp.allow_remote_access=True --LabApp.allow_origin=\"*\" --LabApp.disable_check_xsrf=True --LabApp.trust_xheaders=True --LabApp.base_url=/ --LabApp.tornado_settings='{\"headers\":{\"Content-Security-Policy\":\"frame-ancestors * \'self\'\"}}' --notebook-dir='/data' --allow-root"]
+    env:
+      - name: tornado
+        value: "'{'headers':{'Content-Security-Policy':\"frame-ancestors\ *\ \'self'\"}}'"
+    args:
+    ports:
+      - containerPort: 8888
+        name: jupyterlab
+      - containerPort: 6006
+        name: tensorboard
+    volumeMounts:
+      - name: data
+        mountPath: /data
+ports:
+  - name: jupyterlab
+    port: 80
+    protocol: TCP
+    targetPort: 8888
+  - name: tensorboard
+    port: 6006
+    protocol: TCP
+    targetPort: 6006
+routes:
+  - match:
+      - uri:
+          prefix: /tensorboard
+    route:
+      - destination:
+          port:
+            number: 6006
+  - match:
+      - uri:
+          prefix: / #jupyter runs at the default route
+    route:
+      - destination:
+          port:
+            number: 80
+# DAG Workflow to be executed once a Workspace action completes (optional)
+#postExecutionWorkflow:
+#  entrypoint: main
+#  templates:
+#  - name: main
+#    dag:
+#       tasks:
+#       - name: slack-notify
+#         template: slack-notify
+#  - name: slack-notify
+#    container:
+#      image: technosophos/slack-notify
+#      args:
+#      - SLACK_USERNAME=onepanel SLACK_TITLE="Your workspace is ready" SLACK_ICON=https://www.gravatar.com/avatar/5c4478592fe00878f62f0027be59c1bd SLACK_MESSAGE="Your workspace is now running" ./slack-notify
+#      command:
+#      - sh
+#      - -c

db/data/vscode_20200929144301.yaml

@@ -0,0 +1,41 @@
+# Docker containers that are part of the Workspace
+containers:
+  - name: vscode
+    image: onepanel/vscode:1.0.0
+    command: ["/bin/bash", "-c", "pip install onepanel-sdk && /usr/bin/entrypoint.sh --bind-addr 0.0.0.0:8080 --auth none ."]
+    ports:
+      - containerPort: 8080
+        name: vscode
+    volumeMounts:
+      - name: data
+        mountPath: /data
+ports:
+  - name: vscode
+    port: 8080
+    protocol: TCP
+    targetPort: 8080
+routes:
+  - match:
+      - uri:
+          prefix: / #vscode runs at the default route
+    route:
+      - destination:
+          port:
+            number: 8080
+# DAG Workflow to be executed once a Workspace action completes (optional)
+#postExecutionWorkflow:
+#  entrypoint: main
+#  templates:
+#  - name: main
+#    dag:
+#       tasks:
+#       - name: slack-notify
+#         template: slack-notify
+#  -  name: slack-notify
+#     container:
+#       image: technosophos/slack-notify
+#       args:
+#       - SLACK_USERNAME=onepanel SLACK_TITLE="Your workspace is ready" SLACK_ICON=https://www.gravatar.com/avatar/5c4478592fe00878f62f0027be59c1bd SLACK_MESSAGE="Your workspace is now running" ./slack-notify
+#       command:
+#       - sh
+#       - -c

db/data/vscode_20201028145443.yaml

@@ -0,0 +1,60 @@
+# Docker containers that are part of the Workspace
+containers:
+  - name: vscode
+    image: onepanel/vscode:1.0.0
+    command: ["/bin/bash", "-c", "pip install onepanel-sdk && /usr/bin/entrypoint.sh --bind-addr 0.0.0.0:8080 --auth none ."]
+    ports:
+      - containerPort: 8080
+        name: vscode
+    volumeMounts:
+      - name: data
+        mountPath: /data
+    lifecycle:
+      postStart:
+        exec:
+          command:
+            - /bin/sh
+            - -c
+            - >
+              condayml="/data/.environment.yml";
+              vscodetxt="/data/.vscode-extensions.txt";
+              if [ -f "$condayml" ]; then conda env update -f $condayml; fi;
+              if [ -f "$vscodetxt" ]; then cat $vscodetxt | xargs -n 1 code-server --install-extension; fi;
+      preStop:
+        exec:
+          command:
+            - /bin/sh
+            - -c
+            - >
+              conda env export > /data/.environment.yml -n base;
+              code-server --list-extensions | tail -n +2 > /data/.vscode-extensions.txt;
+ports:
+  - name: vscode
+    port: 8080
+    protocol: TCP
+    targetPort: 8080
+routes:
+  - match:
+      - uri:
+          prefix: / #vscode runs at the default route
+    route:
+      - destination:
+          port:
+            number: 8080
+# DAG Workflow to be executed once a Workspace action completes (optional)
+#postExecutionWorkflow:
+#  entrypoint: main
+#  templates:
+#  - name: main
+#    dag:
+#       tasks:
+#       - name: slack-notify
+#         template: slack-notify
+#  -  name: slack-notify
+#     container:
+#       image: technosophos/slack-notify
+#       args:
+#       - SLACK_USERNAME=onepanel SLACK_TITLE="Your workspace is ready" SLACK_ICON=https://www.gravatar.com/avatar/5c4478592fe00878f62f0027be59c1bd SLACK_MESSAGE="Your workspace is now running" ./slack-notify
+#       command:
+#       - sh
+#       - -c

db/go/20201016170415_update_cvat.go

@@ -0,0 +1,25 @@
+package migration
+
+import (
+	"database/sql"
+	"github.com/pressly/goose"
+)
+
+func initialize20201016170415() {
+	if _, ok := initializedMigrations[20201016170415]; !ok {
+		goose.AddMigration(Up20201016170415, Down20201016170415)
+		initializedMigrations[20201016170415] = true
+	}
+}
+
+// Up20201016170415 updates cvat to a new version
+func Up20201016170415(tx *sql.Tx) error {
+	// This code is executed when the migration is applied.
+	return updateWorkspaceTemplateManifest("20201016170415_cvat.yaml", cvatTemplateName)
+}
+
+// Down20201016170415 does nothing
+func Down20201016170415(tx *sql.Tx) error {
+	// This code is executed when the migration is rolled back.
+	return nil
+}

db/go/20201028145442_update_jupyter_lab_template.go

@@ -0,0 +1,26 @@
+package migration
+
+import (
+	"database/sql"
+	"github.com/pressly/goose"
+)
+
+func initialize20201028145442() {
+	if _, ok := initializedMigrations[20201028145442]; !ok {
+		goose.AddMigration(Up20201028145442, Down20201028145442)
+		initializedMigrations[20201028145442] = true
+	}
+}
+
+// Up20201028145442 updates the jupyterlab workspace to include container lifecycle hooks.
+// These hooks will attempt to persist conda, pip, and jupyterlab extensions between pause and shut-down.
+func Up20201028145442(tx *sql.Tx) error {
+	// This code is executed when the migration is applied.
+	return updateWorkspaceTemplateManifest("20201028145442_jupyterlab.yaml", jupyterLabTemplateName)
+}
+
+// Down20201028145442 removes the lifecycle hooks from the template.
+func Down20201028145442(tx *sql.Tx) error {
+	// This code is executed when the migration is rolled back.
+	return nil
+}

db/go/20201028145443_update_vscode_template.go

@@ -0,0 +1,28 @@
+package migration
+
+import (
+	"database/sql"
+	"github.com/pressly/goose"
+)
+
+func initialize20201028145443() {
+	if _, ok := initializedMigrations[20201028145443]; !ok {
+		goose.AddMigration(Up20201028145443, Down20201028145443)
+		initializedMigrations[20201028145443] = true
+	}
+}
+
+// Up20201028145443 migration will add lifecycle hooks to VSCode template.
+// These hooks will attempt to export the conda, pip, and vscode packages that are installed,
+// to a text file.
+// On workspace resume / start, the code then tries to install these packages.
+func Up20201028145443(tx *sql.Tx) error {
+	// This code is executed when the migration is applied.
+	return updateWorkspaceTemplateManifest("vscode_20201028145443.yaml", vscodeWorkspaceTemplateName)
+}
+
+// Down20201028145443 removes the lifecycle hooks from VSCode workspace template.
+func Down20201028145443(tx *sql.Tx) error {
+	// This code is executed when the migration is rolled back.
+	return updateWorkspaceTemplateManifest("vscode_20201028145443.yaml", vscodeWorkspaceTemplateName)
+}

db/go/20201031165106_add_tensorboard_env_var_to_jupyterlab_template.go

@@ -0,0 +1,26 @@
+package migration
+
+import (
+	"database/sql"
+	"github.com/pressly/goose"
+)
+
+func initialize20201031165106() {
+	if _, ok := initializedMigrations[20201031165106]; !ok {
+		goose.AddMigration(Up20201031165106, Down20201031165106)
+		initializedMigrations[20201031165106] = true
+	}
+}
+
+// Up20201031165106 updates the jupyterlab workspace to include container lifecycle hooks.
+// These hooks will attempt to persist conda, pip, and jupyterlab extensions between pause and shut-down.
+func Up20201031165106(tx *sql.Tx) error {
+	// This code is executed when the migration is applied.
+	return updateWorkspaceTemplateManifest("20201031165106_jupyterlab.yaml", jupyterLabTemplateName)
+}
+
+// Down20201031165106 removes the lifecycle hooks from the template.
+func Down20201031165106(tx *sql.Tx) error {
+	// This code is executed when the migration is rolled back.
+	return updateWorkspaceTemplateManifest("20201028145442_jupyterlab.yaml", jupyterLabTemplateName)
+}

db/go/20201102104048_update_cvat_reduce_vols.go

@@ -0,0 +1,27 @@
+package migration
+
+import (
+	"database/sql"
+	"github.com/pressly/goose"
+)
+
+func initialize20201102104048() {
+	if _, ok := initializedMigrations[20201102104048]; !ok {
+		goose.AddMigration(Up20201102104048, Down20201102104048)
+		initializedMigrations[20201102104048] = true
+	}
+}
+
+// Up20201102104048 updates CVAT to use less volumes.
+// Through the use of environment variables, various CVAT data directories
+// are placed under one path, and that path is on one volume.
+func Up20201102104048(tx *sql.Tx) error {
+	// This code is executed when the migration is applied.
+	return updateWorkspaceTemplateManifest("20201102104048_cvat.yaml", cvatTemplateName)
+}
+
+// Down20201102104048 reverts CVAT back to original amount of volumes.
+func Down20201102104048(tx *sql.Tx) error {
+	// This code is executed when the migration is rolled back.
+	return updateWorkspaceTemplateManifest("20201016170415_cvat.yaml", cvatTemplateName)
+}

db/go/db.go

@@ -5,7 +5,10 @@ import (
 	sq "github.com/Masterminds/squirrel"
 	"github.com/jmoiron/sqlx"
 	v1 "github.com/onepanelio/core/pkg"
+	"io/ioutil"
 	"log"
+	"os"
+	"path/filepath"
 	"strings"
 )
 
@@ -60,6 +63,11 @@ func Initialize() {
 	initialize20200929144301()
 	initialize20200929153931()
 	initialize20201001070806()
+	initialize20201016170415()
+	initialize20201028145442()
+	initialize20201028145443()
+	initialize20201031165106()
+	initialize20201102104048()
 
 	if err := client.DB.Close(); err != nil {
 		log.Printf("[error] closing db %v", err)
@@ -128,3 +136,17 @@ func ReplaceArtifactRepositoryType(client *v1.Client, namespace *v1.Namespace, w
 
 	return nil
 }
+
+// readDataFile returns the contents of a file in the db/data/{name} directory
+func readDataFile(name string) (string, error) {
+	curDir, err := os.Getwd()
+	if err != nil {
+		return "", err
+	}
+	data, err := ioutil.ReadFile(filepath.Join(curDir, "db", "data", name))
+	if err != nil {
+		return "", err
+	}
+
+	return string(data), nil
+}

db/go/util.go

@@ -0,0 +1,49 @@
+package migration
+
+import (
+	v1 "github.com/onepanelio/core/pkg"
+	uid2 "github.com/onepanelio/core/pkg/util/uid"
+)
+
+// updateWorkspaceTemplateManifest will update the workspace template given by {{templateName}} with the contents
+// given by {{filename}}
+// It will do so for all namespaces.
+func updateWorkspaceTemplateManifest(filename, templateName string) error {
+	client, err := getClient()
+	if err != nil {
+		return err
+	}
+	defer client.DB.Close()
+
+	namespaces, err := client.ListOnepanelEnabledNamespaces()
+	if err != nil {
+		return err
+	}
+
+	newManifest, err := readDataFile(filename)
+	if err != nil {
+		return err
+	}
+
+	uid, err := uid2.GenerateUID(templateName, 30)
+	if err != nil {
+		return err
+	}
+
+	for _, namespace := range namespaces {
+		workspaceTemplate := &v1.WorkspaceTemplate{
+			UID:      uid,
+			Name:     templateName,
+			Manifest: newManifest,
+		}
+		err = ReplaceArtifactRepositoryType(client, namespace, nil, workspaceTemplate)
+		if err != nil {
+			return err
+		}
+		if _, err := client.UpdateWorkspaceTemplateManifest(namespace.Name, uid, workspaceTemplate.Manifest); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}

db/sql/20201023121927_fix_null_labels.sql

@@ -0,0 +1,24 @@
+-- +goose Up
+-- SQL in this section is executed when the migration is applied.
+UPDATE workflow_executions
+SET labels = '{}'::jsonb
+WHERE labels = 'null'::jsonb;
+
+UPDATE workflow_templates
+SET labels = '{}'::jsonb
+WHERE labels = 'null'::jsonb;
+
+UPDATE workspace_templates
+SET labels = '{}'::jsonb
+WHERE labels = 'null'::jsonb;
+
+UPDATE workflow_template_versions
+SET labels = '{}'::jsonb
+WHERE labels = 'null'::jsonb;
+
+UPDATE workspace_template_Versions
+SET labels = '{}'::jsonb
+WHERE labels = 'null'::jsonb;
+
+-- +goose Down
+-- SQL in this section is executed when the migration is rolled back.

design-docs/Persist Packages during Workspace Switch or Update.md

@@ -0,0 +1,46 @@
+# Background
+A user may install pip packages, conda packages, jupyterlab extensions,
+or vscode extensions.
+
+To improve the user experience, we should save these packages
+when the user pauses and resumes the workspace.
+- And when the user changes the workspace machine.
+
+To achieve this end, we’re using lifecycle hooks for containers, via Kubernetes.
+
+We’ll add these hooks to workspace templates, to VSCode and JupyterLab.
+
+Note: We're not supporting CVAT Workspace persistence.
+- User does not have access to the terminal through the UI.
+
+# Problem(s)
+Originally, we attempted to tar up the packages of conda, vscode, and jupyter.
+This worked, but ate non-trivial amount of space. Roughly ~2 GB with a clean workspace,
+using our dockerfile image.
+- So we'd need to warn the user to have enough space for their volume mounts
+- We'd also have to warn the user that if there is not enough space, the packages
+may not persist.
+
+The other problem was we needed to extend the terminationGracePeriodSeconds of the
+pod.
+- K8s sets 30 seconds by default
+
+We use the preStop hook to do the back-up.
+- This operation runs for 2-3 minutes on a clean workspace image
+- For a user with more packages, it would take longer.
+- k8s will grant a 2 second increase once, if preStop is not done.
+
+Otherwise, k8s kills the preStop hook and the container.
+
+We thought about exposing the terminationGracePeriodSeconds to the user,
+allow them to change this value as needed.
+
+And lastly, k8s will wait the entire grace period.
+- Even if the preStop hook finishes early, k8s will wait to kill the container.
+- In testing, k8s waited 20 minutes before terminating the container
+
+So we decided to export the list of installed packages, as a text file.
+- Then, we re-install on workspace start-up with postStart hook.
+
+# References
+- https://github.com/onepanelio/core/issues/623

go.mod

@@ -43,4 +43,5 @@ require (
 	k8s.io/apimachinery v0.16.7-beta.0
 	k8s.io/client-go v0.16.4
 	sigs.k8s.io/yaml v1.2.0
-)
+	github.com/dgrijalva/jwt-go v3.2.0+incompatible
+)

main.go

@@ -4,20 +4,6 @@ import (
 	"context"
 	"flag"
 	"fmt"
-	"google.golang.org/grpc/codes"
-	"google.golang.org/grpc/status"
-	corev1 "k8s.io/api/core/v1"
-	apiv1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/fields"
-	k8runtime "k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/apimachinery/pkg/watch"
-	"k8s.io/client-go/tools/cache"
-	"math"
-	"net"
-	"net/http"
-	"path/filepath"
-	"strings"
-
 	"github.com/gorilla/handlers"
 	grpc_middleware "github.com/grpc-ecosystem/go-grpc-middleware"
 	grpc_logrus "github.com/grpc-ecosystem/go-grpc-middleware/logging/logrus"
@@ -34,6 +20,19 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/tmc/grpc-websocket-proxy/wsproxy"
 	"google.golang.org/grpc"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+	corev1 "k8s.io/api/core/v1"
+	apiv1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/fields"
+	k8runtime "k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/watch"
+	"k8s.io/client-go/tools/cache"
+	"math"
+	"net"
+	"net/http"
+	"path/filepath"
+	"strings"
 )
 
 var (

pkg/client.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 	sq "github.com/Masterminds/squirrel"
 	argoprojv1alpha1 "github.com/argoproj/argo/pkg/client/clientset/versioned/typed/workflow/v1alpha1"
+	"github.com/jmoiron/sqlx"
 	"github.com/onepanelio/core/pkg/util/gcs"
 	"github.com/onepanelio/core/pkg/util/router"
 	"github.com/onepanelio/core/pkg/util/s3"
@@ -18,6 +19,7 @@ type Config = rest.Config
 var sb = sq.StatementBuilder.PlaceholderFormat(sq.Dollar)
 
 type Client struct {
+	Token string
 	kubernetes.Interface
 	argoprojV1alpha1 argoprojv1alpha1.ArgoprojV1alpha1Interface
 	*DB
@@ -38,6 +40,37 @@ func NewConfig() (config *Config) {
 	return
 }
 
+// GetDefaultClient loads a default k8s client
+func GetDefaultClient() (*Client, error) {
+	kubeConfig := NewConfig()
+	client, err := NewClient(kubeConfig, nil, nil)
+	if err != nil {
+		return nil, err
+	}
+	config, err := client.GetSystemConfig()
+	if err != nil {
+		return nil, err
+	}
+
+	dbDriverName, dbDataSourceName := config.DatabaseConnection()
+	client.DB = NewDB(sqlx.MustConnect(dbDriverName, dbDataSourceName))
+
+	return client, nil
+}
+
+// GetDefaultClientWithDB loads a default k8s client with an existing DB
+func GetDefaultClientWithDB(db *DB) (*Client, error) {
+	kubeConfig := NewConfig()
+	client, err := NewClient(kubeConfig, nil, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	client.DB = db
+
+	return client, nil
+}
+
 // NewClient creates a client to interact with the Onepanel system.
 // It includes access to the database, kubernetes, argo, and configuration.
 func NewClient(config *Config, db *DB, systemConfig SystemConfig) (client *Client, err error) {

pkg/config_types.go

@@ -3,13 +3,12 @@ package v1
 import (
 	"encoding/base64"
 	"fmt"
-	"strings"
-
 	"github.com/onepanelio/core/pkg/util/ptr"
 	log "github.com/sirupsen/logrus"
 	"gopkg.in/yaml.v3"
 	corev1 "k8s.io/api/core/v1"
 	k8yaml "sigs.k8s.io/yaml"
+	"strings"
 )
 
 // SystemConfig is configuration loaded from kubernetes config and secrets that includes information about the
@@ -38,6 +37,12 @@ func NewSystemConfig(configMap *ConfigMap, secret *Secret) (config SystemConfig,
 	}
 	config["databasePassword"] = string(databasePassword)
 
+	hmac, err := base64.StdEncoding.DecodeString(secret.Data["hmac"])
+	if err != nil {
+		return
+	}
+	config["hmac"] = string(hmac)
+
 	return
 }
 
@@ -183,6 +188,16 @@ func (s SystemConfig) UpdateNodePoolOptions(parameters []Parameter) ([]Parameter
 	return result, nil
 }
 
+// HMACKey gets the HMAC value, or nil.
+func (s SystemConfig) HMACKey() []byte {
+	hmac := s.GetValue("hmac")
+	if hmac == nil {
+		return []byte{}
+	}
+
+	return []byte(*hmac)
+}
+
 // ArtifactRepositoryS3Provider is meant to be used
 // by the CLI. CLI will marshal this struct into the correct
 // YAML structure for k8s configmap / secret.

pkg/filter.go

@@ -22,7 +22,7 @@ func ApplyLabelSelectQuery(labelSelector string, sb sq.SelectBuilder, filter Lab
 		return sb, err
 	}
 
-	sb = sb.Where("%v @> ?", labelSelector, labelsJSON)
+	sb = sb.Where(labelSelector+" @> ?", labelsJSON)
 
 	return sb, nil
 }

pkg/labels.go

@@ -8,8 +8,65 @@ import (
 	"github.com/onepanelio/core/pkg/util/mapping"
 	"github.com/onepanelio/core/pkg/util/types"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"strings"
 )
 
+// SelectLabelsQuery represents the options available to filter a select labels query
+type SelectLabelsQuery struct {
+	Table     string
+	Alias     string
+	Namespace string
+	KeyLike   string
+	Skip      []string
+}
+
+// SkipKeysFromString parses keys encoded in a string and returns an array of keys
+// The separator is ";"
+func SkipKeysFromString(keys string) []string {
+	results := make([]string, 0)
+	for _, key := range strings.Split(keys, ";") {
+		if key == "" {
+			continue
+		}
+
+		results = append(results, key)
+	}
+
+	return results
+}
+
+// SelectLabels returns a SelectBuilder that selects key, value columns from the criteria specified in query
+func SelectLabels(query *SelectLabelsQuery) sq.SelectBuilder {
+	// Sample query
+	// SELECT DISTINCT labels.*
+	//	FROM workflow_executions w,
+	//	jsonb_each_text(w.labels) labels
+	// WHERE labels.key LIKE 'ca%'
+	// AND labels.key NOT IN ('catdog')
+	// AND namespace = 'onepanel'
+	// AND labels != 'null'::jsonb
+
+	fromTable := fmt.Sprintf("%s %s", query.Table, query.Alias)
+	fromJsonb := fmt.Sprintf("jsonb_each_text(%s.labels) labels", query.Alias)
+
+	bld := sb.Select("key", "value").
+		Distinct().
+		From(fromTable + ", " + fromJsonb).
+		Where("labels != 'null'::jsonb")
+
+	if query.Namespace != "" {
+		bld = bld.Where(sq.Eq{query.Alias + ".namespace": query.Namespace})
+	}
+	if query.KeyLike != "" {
+		bld = bld.Where(sq.Like{"labels.key": query.KeyLike})
+	}
+	if len(query.Skip) != 0 {
+		bld = bld.Where(sq.NotEq{"labels.key": query.Skip})
+	}
+
+	return bld
+}
+
 func (c *Client) ListLabels(resource string, uid string) (labels []*Label, err error) {
 	sb := sb.Select("labels").
 		From(TypeToTableName(resource))
@@ -49,6 +106,22 @@ func (c *Client) ListLabels(resource string, uid string) (labels []*Label, err e
 	return
 }
 
+// ListAvailableLabels lists the labels available for the resource specified by the query
+func (c *Client) ListAvailableLabels(query *SelectLabelsQuery) (result []*Label, err error) {
+	selectLabelsBuilder := SelectLabels(query)
+
+	// Don't select labels from Terminated workspaces.
+	if query.Table == "workspaces" {
+		selectLabelsBuilder = selectLabelsBuilder.Where(sq.NotEq{
+			"workspaces.phase": "Terminated",
+		})
+	}
+
+	err = c.Selectx(&result, selectLabelsBuilder)
+
+	return
+}
+
 func (c *Client) AddLabels(namespace, resource, uid string, keyValues map[string]string) error {
 	source, meta, err := c.GetK8sLabelResource(namespace, resource, uid)
 	if err != nil {

pkg/util/sql/sql.go

@@ -1,6 +1,8 @@
 package sql
 
-import "fmt"
+import (
+	"fmt"
+)
 
 // FormatColumnSelect returns a list of column names to be used in a SQL Select modified with optional alias and destination.
 //

pkg/util/types/types.go

@@ -21,7 +21,12 @@ func (l *JSONLabels) Unmarshal(v interface{}) error {
 
 // Value returns j as a value.  This does a validating unmarshal into another
 // RawMessage.  If j is invalid json, it returns an error.
+// Note that nil values will return "{}" - empty JSON.
 func (l JSONLabels) Value() (driver.Value, error) {
+	if l == nil {
+		return json.Marshal(make(map[string]string))
+	}
+
 	return json.Marshal(l)
 }
 

pkg/workflow_execution.go

@@ -1340,7 +1340,7 @@ func (c *Client) ListFiles(namespace, key string) (files []*File, err error) {
 
 			doneCh := make(chan struct{})
 			defer close(doneCh)
-			for objInfo := range s3Client.ListObjectsV2(config.ArtifactRepository.S3.Bucket, key, false, doneCh) {
+			for objInfo := range s3Client.ListObjects(config.ArtifactRepository.S3.Bucket, key, false, doneCh) {
 				if objInfo.Key == key {
 					continue
 				}
@@ -1808,13 +1808,13 @@ func injectWorkflowExecutionStatusCaller(wf *wfv1.Workflow, phase wfv1.NodePhase
 				for j, task := range t.DAG.Tasks {
 					if task.Dependencies == nil {
 						wf.Spec.Templates[i].DAG.Tasks[j].Dependencies = []string{containerTemplate.Name}
-						wf.Spec.Templates[i].DAG.Tasks = append(t.DAG.Tasks, wfv1.DAGTask{
-							Name:     containerTemplate.Name,
-							Template: containerTemplate.Name,
-						})
 					}
 				}
 			}
+			wf.Spec.Templates[i].DAG.Tasks = append(t.DAG.Tasks, wfv1.DAGTask{
+				Name:     containerTemplate.Name,
+				Template: containerTemplate.Name,
+			})
 			break
 		}
 	}
@@ -1851,14 +1851,14 @@ func workflowExecutionsSelectBuilderNoColumns(namespace, workflowTemplateUID, wo
 
 func workflowExecutionsSelectBuilder(namespace, workflowTemplateUID, workflowTemplateVersion string, includeSystem bool) sq.SelectBuilder {
 	sb := workflowExecutionsSelectBuilderNoColumns(namespace, workflowTemplateUID, workflowTemplateVersion, includeSystem)
-	sb = sb.Columns(getWorkflowExecutionColumns("we", "")...).
+	sb = sb.Columns(getWorkflowExecutionColumns("we")...).
 		Columns(`wtv.version "workflow_template.version"`, `wtv.created_at "workflow_template.created_at"`, `wt.name "workflow_template.name"`, `wt.uid "workflow_template.uid"`)
 
 	return sb
 }
 
 func (c *Client) getWorkflowExecutionAndTemplate(namespace string, uid string) (workflow *WorkflowExecution, err error) {
-	sb := sb.Select(getWorkflowExecutionColumns("we", "")...).
+	sb := sb.Select(getWorkflowExecutionColumns("we")...).
 		Columns(getWorkflowTemplateColumns("wt", "workflow_template")...).
 		Columns(`wtv.manifest "workflow_template.manifest"`, `wtv.version "workflow_template.version"`).
 		From("workflow_executions we").

pkg/workspace_template.go

@@ -401,7 +401,7 @@ func createStatefulSetManifest(spec *WorkspaceSpec, config map[string]string, se
 		env.PrependEnvVarToContainer(container, "ONEPANEL_DOMAIN", config["ONEPANEL_DOMAIN"])
 		env.PrependEnvVarToContainer(container, "ONEPANEL_PROVIDER", config["ONEPANEL_PROVIDER"])
 		env.PrependEnvVarToContainer(container, "ONEPANEL_RESOURCE_NAMESPACE", "{{workflow.namespace}}")
-		env.PrependEnvVarToContainer(container, "ONEPANEL_RESOURCE_UID", "{{workflow.parameters.sys-name}}")
+		env.PrependEnvVarToContainer(container, "ONEPANEL_RESOURCE_UID", "{{workflow.parameters.sys-uid}}")
 
 		for _, service := range services {
 			envName := fmt.Sprintf("ONEPANEL_SERVICES_%v_API_URL", strings.ToUpper(service.Name))

server/auth/auth.go

@@ -2,9 +2,14 @@ package auth
 
 import (
 	"context"
+	"crypto/md5"
+	"encoding/hex"
 	"errors"
 	"fmt"
 	"github.com/onepanelio/core/api"
+	"github.com/onepanelio/core/pkg/util"
+	log "github.com/sirupsen/logrus"
+	v12 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"net/http"
 	"strings"
 
@@ -27,6 +32,9 @@ const (
 func getBearerToken(ctx context.Context) (*string, bool) {
 	md, ok := metadata.FromIncomingContext(ctx)
 	if !ok {
+		log.WithFields(log.Fields{
+			"Method": "getBearerToken",
+		}).Error("Unable to get metadata from incoming context")
 		return nil, false
 	}
 
@@ -36,6 +44,9 @@ func getBearerToken(ctx context.Context) (*string, bool) {
 			return nil, false
 		}
 		t = strings.ReplaceAll(t, prefix, "")
+		if t == "null" {
+			return nil, false
+		}
 		return &t, true
 	}
 
@@ -55,20 +66,36 @@ func getBearerToken(ctx context.Context) (*string, bool) {
 		return &t, true
 	}
 
+	log.WithFields(log.Fields{
+		"Method": "getBearerToken",
+	}).Error("Unable to get BearerToken:", md)
+
 	return nil, false
 }
 
 func getClient(ctx context.Context, kubeConfig *v1.Config, db *v1.DB, sysConfig v1.SystemConfig) (context.Context, error) {
+	if kubeConfig == nil {
+		return nil, fmt.Errorf("getClient - nil passed in for kubeConfig")
+	}
+	if db == nil {
+		return nil, fmt.Errorf("getClient - nil passed in for db")
+	}
+
 	bearerToken, ok := getBearerToken(ctx)
 	if !ok {
 		return nil, status.Error(codes.Unauthenticated, `Missing or invalid "authorization" header.`)
 	}
+	if bearerToken == nil {
+		return nil, status.Error(codes.Unauthenticated, "Bearer token is nil")
+	}
 
 	kubeConfig.BearerToken = *bearerToken
+
 	client, err := v1.NewClient(kubeConfig, db, sysConfig)
 	if err != nil {
 		return nil, err
 	}
+	client.Token = kubeConfig.BearerToken
 
 	return context.WithValue(ctx, ContextClientKey, client), nil
 }
@@ -98,6 +125,43 @@ func IsAuthorized(c *v1.Client, namespace, verb, group, resource, name string) (
 	return
 }
 
+func verifyLogin(client *v1.Client, tokenRequest *api.GetAccessTokenRequest) (rawToken string, err error) {
+	accountsList, err := client.CoreV1().ServiceAccounts("onepanel").List(v1.ListOptions{})
+	if err != nil {
+		return "", err
+	}
+
+	authTokenSecretName := ""
+	for _, serviceAccount := range accountsList.Items {
+		if serviceAccount.Name != tokenRequest.Username {
+			continue
+		}
+		for _, secret := range serviceAccount.Secrets {
+			if strings.Contains(secret.Name, "-token-") {
+				authTokenSecretName = secret.Name
+				break
+			}
+		}
+	}
+	if authTokenSecretName == "" {
+		return "", util.NewUserError(codes.InvalidArgument, fmt.Sprintf("unknown service account '%v'", tokenRequest.Username))
+	}
+
+	secret, err := client.CoreV1().Secrets("onepanel").Get(authTokenSecretName, v12.GetOptions{})
+	if err != nil {
+		return "", err
+	}
+
+	currentTokenBytes := md5.Sum(secret.Data["token"])
+	currentTokenString := hex.EncodeToString(currentTokenBytes[:])
+
+	if tokenRequest.Token != fmt.Sprintf("%s", currentTokenString) {
+		return "", util.NewUserError(codes.InvalidArgument, "token doesn't match what's on record")
+	}
+
+	return string(secret.Data["token"]), nil
+}
+
 // UnaryInterceptor performs authentication checks.
 // The two main cases are:
 //   1. Is the token valid? This is used for logging in.
@@ -105,6 +169,41 @@ func IsAuthorized(c *v1.Client, namespace, verb, group, resource, name string) (
 func UnaryInterceptor(kubeConfig *v1.Config, db *v1.DB, sysConfig v1.SystemConfig) grpc.UnaryServerInterceptor {
 	return func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (resp interface{}, err error) {
 		// Check if the provided token is valid. This does not require a token in the header.
+		if info.FullMethod == "/api.AuthService/GetAccessToken" {
+			md, ok := metadata.FromIncomingContext(ctx)
+			if !ok {
+				return resp, errors.New("unable to get metadata from incoming context")
+			}
+
+			getAccessTokenRequest, ok := req.(*api.GetAccessTokenRequest)
+			if !ok {
+				return resp, errors.New("invalid request object for GetAccessTokenRequest")
+			}
+
+			defaultClient, err := v1.GetDefaultClientWithDB(db)
+			if err != nil {
+				return nil, err
+			}
+
+			rawToken, err := verifyLogin(defaultClient, getAccessTokenRequest)
+			if err != nil {
+				return nil, err
+			}
+
+			sysConfig, err := defaultClient.GetSystemConfig()
+			if err != nil {
+				return nil, err
+			}
+
+			md.Set("authorization", "Bearer "+rawToken)
+
+			ctx, err = getClient(ctx, kubeConfig, db, sysConfig)
+			if err != nil {
+				ctx = nil
+			}
+
+			return handler(ctx, req)
+		}
 		if info.FullMethod == "/api.AuthService/IsValidToken" {
 			md, ok := metadata.FromIncomingContext(ctx)
 			if !ok {
@@ -113,10 +212,29 @@ func UnaryInterceptor(kubeConfig *v1.Config, db *v1.DB, sysConfig v1.SystemConfi
 
 			tokenRequest, ok := req.(*api.IsValidTokenRequest)
 			if !ok {
-				return resp, errors.New("IsValidToken does not have correct request type")
+				return resp, errors.New("invalid request object for GetAccessTokenRequest")
+			}
+			getAccessTokenRequest := &api.GetAccessTokenRequest{
+				Username: tokenRequest.Username,
+				Token:    tokenRequest.Token,
 			}
 
-			md.Set("authorization", tokenRequest.Token.Token)
+			defaultClient, err := v1.GetDefaultClientWithDB(db)
+			if err != nil {
+				return nil, err
+			}
+
+			rawToken, err := verifyLogin(defaultClient, getAccessTokenRequest)
+			if err != nil {
+				return nil, err
+			}
+
+			sysConfig, err := defaultClient.GetSystemConfig()
+			if err != nil {
+				return nil, err
+			}
+
+			md.Set("authorization", "Bearer "+rawToken)
 
 			ctx, err = getClient(ctx, kubeConfig, db, sysConfig)
 			if err != nil {

server/auth_server.go

@@ -50,13 +50,13 @@ func (a *AuthServer) IsAuthorized(ctx context.Context, request *api.IsAuthorized
 	return res, nil
 }
 
-func (a *AuthServer) IsValidToken(ctx context.Context, req *api.IsValidTokenRequest) (res *api.IsValidTokenResponse, err error) {
+// GetAccessToken is an alias for IsValidToken. It returns a token given a username and hashed token.
+func (a *AuthServer) GetAccessToken(ctx context.Context, req *api.GetAccessTokenRequest) (res *api.GetAccessTokenResponse, err error) {
 	if ctx == nil {
-		return nil, status.Error(codes.Unauthenticated, "Unauthenticated.")
+		return nil, status.Error(codes.Unauthenticated, "unauthenticated")
 	}
 
 	client := getClient(ctx)
-
 	err = a.isValidToken(err, client)
 	if err != nil {
 		return nil, err
@@ -66,10 +66,50 @@ func (a *AuthServer) IsValidToken(ctx context.Context, req *api.IsValidTokenRequ
 	if err != nil {
 		return
 	}
-	res = &api.IsValidTokenResponse{}
-	res.Domain = config["ONEPANEL_DOMAIN"]
 
-	return res, nil
+	domain := config.Domain()
+	if domain == nil {
+		return nil, fmt.Errorf("domain is not set")
+	}
+
+	res = &api.GetAccessTokenResponse{
+		Domain:      *domain,
+		AccessToken: client.Token,
+		Username:    req.Username,
+	}
+
+	return
+}
+
+// IsValidToken returns the appropriate token information given an md5 version of the token
+func (a *AuthServer) IsValidToken(ctx context.Context, req *api.IsValidTokenRequest) (res *api.IsValidTokenResponse, err error) {
+	if ctx == nil {
+		return nil, status.Error(codes.Unauthenticated, "unauthenticated")
+	}
+
+	client := getClient(ctx)
+	err = a.isValidToken(err, client)
+	if err != nil {
+		return nil, err
+	}
+
+	config, err := client.GetSystemConfig()
+	if err != nil {
+		return
+	}
+
+	domain := config.Domain()
+	if domain == nil {
+		return nil, fmt.Errorf("domain is not set")
+	}
+
+	res = &api.IsValidTokenResponse{
+		Domain:   *domain,
+		Token:    client.Token,
+		Username: req.Username,
+	}
+
+	return
 }
 
 func (a *AuthServer) isValidToken(err error, client *v1.Client) error {

server/converter/converter.go

@@ -37,6 +37,29 @@ func MappingToKeyValue(mapping map[string]string) []*api.KeyValue {
 	return keyValues
 }
 
+// LabelsToKeyValues converts []*v1.Label to []*api.Label
+func LabelsToKeyValues(labels []*v1.Label) []*api.KeyValue {
+	keyValues := make([]*api.KeyValue, 0)
+
+	for _, label := range labels {
+		keyValues = append(keyValues, LabelToKeyValue(label))
+	}
+
+	sort.Slice(keyValues, func(i, j int) bool {
+		return keyValues[i].Key < keyValues[j].Key
+	})
+
+	return keyValues
+}
+
+// LabelToKeyValue converts a *v1.Label to *api.Label
+func LabelToKeyValue(label *v1.Label) *api.KeyValue {
+	return &api.KeyValue{
+		Key:   label.Key,
+		Value: label.Value,
+	}
+}
+
 func ParameterOptionToAPI(option *v1.ParameterOption) *api.ParameterOption {
 	apiOption := &api.ParameterOption{
 		Name:  option.Name,

server/label_server.go

@@ -5,23 +5,25 @@ import (
 	"github.com/onepanelio/core/api"
 	v1 "github.com/onepanelio/core/pkg"
 	"github.com/onepanelio/core/server/auth"
+	"github.com/onepanelio/core/server/converter"
 )
 
-func resourceIdentifierToArgoResource(identifier string) string {
+func getGroupAndResourceByIdentifier(identifier string) (group, resource string) {
+	group = "argoproj.io"
 	switch identifier {
 	case v1.TypeWorkflowTemplate:
-		return "workflowtemplates"
+		return group, "workflowtemplates"
 	case v1.TypeWorkflowTemplateVersion:
-		return "workflowtemplates"
+		return group, "workflowtemplates"
 	case v1.TypeWorkflowExecution:
-		return "workflows"
+		return group, "workflows"
 	case v1.TypeCronWorkflow:
-		return "cronworkflows"
+		return group, "cronworkflows"
 	case v1.TypeWorkspace:
-		return "statefulset"
+		return "onepanel.io", "workspaces"
 	}
 
-	return ""
+	return "", ""
 }
 
 func mapLabelsToKeyValue(labels []*v1.Label) []*api.KeyValue {
@@ -54,10 +56,10 @@ func NewLabelServer() *LabelServer {
 }
 
 func (s *LabelServer) GetLabels(ctx context.Context, req *api.GetLabelsRequest) (*api.GetLabelsResponse, error) {
-	argoResource := resourceIdentifierToArgoResource(req.Resource)
+	group, resource := getGroupAndResourceByIdentifier(req.Resource)
 
 	client := getClient(ctx)
-	allowed, err := auth.IsAuthorized(client, req.Namespace, "get", "argoproj.io", argoResource, "")
+	allowed, err := auth.IsAuthorized(client, req.Namespace, "get", group, resource, "")
 	if err != nil || !allowed {
 		return nil, err
 	}
@@ -73,10 +75,10 @@ func (s *LabelServer) GetLabels(ctx context.Context, req *api.GetLabelsRequest)
 }
 
 func (s *LabelServer) AddLabels(ctx context.Context, req *api.AddLabelsRequest) (*api.GetLabelsResponse, error) {
-	argoResource := resourceIdentifierToArgoResource(req.Resource)
+	group, resource := getGroupAndResourceByIdentifier(req.Resource)
 
 	client := getClient(ctx)
-	allowed, err := auth.IsAuthorized(client, req.Namespace, "create", "argoproj.io", argoResource, "")
+	allowed, err := auth.IsAuthorized(client, req.Namespace, "create", group, resource, "")
 	if err != nil || !allowed {
 		return nil, err
 	}
@@ -97,10 +99,10 @@ func (s *LabelServer) AddLabels(ctx context.Context, req *api.AddLabelsRequest)
 }
 
 func (s *LabelServer) ReplaceLabels(ctx context.Context, req *api.ReplaceLabelsRequest) (*api.GetLabelsResponse, error) {
-	argoResource := resourceIdentifierToArgoResource(req.Resource)
+	group, resource := getGroupAndResourceByIdentifier(req.Resource)
 
 	client := getClient(ctx)
-	allowed, err := auth.IsAuthorized(client, req.Namespace, "update", "argoproj.io", argoResource, "")
+	allowed, err := auth.IsAuthorized(client, req.Namespace, "update", group, resource, "")
 	if err != nil || !allowed {
 		return nil, err
 	}
@@ -121,11 +123,11 @@ func (s *LabelServer) ReplaceLabels(ctx context.Context, req *api.ReplaceLabelsR
 }
 
 func (s *LabelServer) DeleteLabel(ctx context.Context, req *api.DeleteLabelRequest) (*api.GetLabelsResponse, error) {
-	argoResource := resourceIdentifierToArgoResource(req.Resource)
+	group, resource := getGroupAndResourceByIdentifier(req.Resource)
 
 	client := getClient(ctx)
 	// update verb here since we are not deleting the resource, but labels
-	allowed, err := auth.IsAuthorized(client, req.Namespace, "update", "argoproj.io", argoResource, "")
+	allowed, err := auth.IsAuthorized(client, req.Namespace, "update", group, resource, "")
 	if err != nil || !allowed {
 		return nil, err
 	}
@@ -146,3 +148,29 @@ func (s *LabelServer) DeleteLabel(ctx context.Context, req *api.DeleteLabelReque
 		Labels: mapLabelsToKeyValue(labels),
 	}, nil
 }
+
+// GetAvailableLabels returns the labels available for a resource specified by the GetAvailableLabelsRequest
+func (s *LabelServer) GetAvailableLabels(ctx context.Context, req *api.GetAvailableLabelsRequest) (*api.GetLabelsResponse, error) {
+	group, resource := getGroupAndResourceByIdentifier(req.Resource)
+
+	client := getClient(ctx)
+	allowed, err := auth.IsAuthorized(client, req.Namespace, "get", group, resource, "")
+	if err != nil || !allowed {
+		return nil, err
+	}
+
+	labels, err := client.ListAvailableLabels(&v1.SelectLabelsQuery{
+		Table:     v1.TypeToTableName(req.Resource),
+		Alias:     "l",
+		Namespace: req.Namespace,
+		KeyLike:   req.KeyLike + "%",
+		Skip:      v1.SkipKeysFromString(req.SkipKeys),
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	return &api.GetLabelsResponse{
+		Labels: converter.LabelsToKeyValues(labels),
+	}, nil
+}

server/workflow_template_server.go

@@ -43,6 +43,7 @@ func apiWorkflowTemplate(wft *v1.WorkflowTemplate) *api.WorkflowTemplate {
 	return res
 }
 
+// CreateWorkflowTemplate creates a workflow template and the initial version
 func (s *WorkflowTemplateServer) CreateWorkflowTemplate(ctx context.Context, req *api.CreateWorkflowTemplateRequest) (*api.WorkflowTemplate, error) {
 	client := getClient(ctx)
 	allowed, err := auth.IsAuthorized(client, req.Namespace, "create", "argoproj.io", "workflowtemplates", "")

server/workspace_server.go

@@ -363,7 +363,7 @@ func (s *WorkspaceServer) RetryLastWorkspaceAction(ctx context.Context, req *api
 func (s *WorkspaceServer) GetWorkspaceStatisticsForNamespace(ctx context.Context, req *api.GetWorkspaceStatisticsForNamespaceRequest) (*api.GetWorkspaceStatisticsForNamespaceResponse, error) {
 	client := getClient(ctx)
 
-	allowed, err := auth.IsAuthorized(client, req.Namespace, "list", "argoproj.io", "workspaces", "")
+	allowed, err := auth.IsAuthorized(client, req.Namespace, "list", "onepanel.io", "workspaces", "")
 	if err != nil || !allowed {
 		return nil, err
 	}