gravitational · rosstimothy · May 5, 2025 · May 2, 2025
diff --git a/lib/cache/cache.go b/lib/cache/cache.go
@@ -33,14 +33,11 @@ import (
 	"go.opentelemetry.io/otel/attribute"
 	oteltrace "go.opentelemetry.io/otel/trace"
 	"golang.org/x/sync/errgroup"
-	protobuf "google.golang.org/protobuf/proto"
 
 	"github.com/gravitational/teleport"
 	"github.com/gravitational/teleport/api/client/proto"
 	apidefaults "github.com/gravitational/teleport/api/defaults"
 	accessmonitoringrulesv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/accessmonitoringrules/v1"
-	clusterconfigpb "github.com/gravitational/teleport/api/gen/proto/go/teleport/clusterconfig/v1"
-	crownjewelv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/crownjewel/v1"
 	dbobjectv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/dbobject/v1"
 	identitycenterv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/identitycenter/v1"
 	kubewaitingcontainerpb "github.com/gravitational/teleport/api/gen/proto/go/teleport/kubewaitingcontainer/v1"
@@ -509,7 +506,6 @@ type Cache struct {
 	dynamicAccessCache           services.DynamicAccessExt
 	presenceCache                services.Presence
 	restrictionsCache            services.Restrictions
-	crownJewelsCache             services.CrownJewels
 	databaseObjectsCache         *local.DatabaseObjectService
 	webTokenCache                types.WebTokenInterface
 	dynamicWindowsDesktopsCache  services.DynamicWindowsDesktops
@@ -980,12 +976,6 @@ func New(config Config) (*Cache, error) {
 		return nil, trace.Wrap(err)
 	}
 
-	crownJewelCache, err := local.NewCrownJewelsService(config.Backend)
-	if err != nil {
-		cancel()
-		return nil, trace.Wrap(err)
-	}
-
 	staticHostUserCache, err := local.NewStaticHostUserService(config.Backend)
 	if err != nil {
 		cancel()
@@ -1042,7 +1032,6 @@ func New(config Config) (*Cache, error) {
 		dynamicAccessCache:           local.NewDynamicAccessService(config.Backend),
 		presenceCache:                local.NewPresenceService(config.Backend),
 		restrictionsCache:            local.NewRestrictionsService(config.Backend),
-		crownJewelsCache:             crownJewelCache,
 		webTokenCache:                identityService.WebTokens(),
 		dynamicWindowsDesktopsCache:  dynamicDesktopsService,
 		accessMontoringRuleCache:     accessMonitoringRuleCache,
@@ -2213,32 +2202,6 @@ func (c *Cache) GetDiscoveryConfig(ctx context.Context, name string) (*discovery
 	return rg.reader.GetDiscoveryConfig(ctx, name)
 }
 
-// ListCrownJewels returns a list of CrownJewel resources.
-func (c *Cache) ListCrownJewels(ctx context.Context, pageSize int64, nextKey string) ([]*crownjewelv1.CrownJewel, string, error) {
-	ctx, span := c.Tracer.Start(ctx, "cache/ListCrownJewels")
-	defer span.End()
-
-	rg, err := readLegacyCollectionCache(c, c.legacyCacheCollections.crownJewels)
-	if err != nil {
-		return nil, "", trace.Wrap(err)
-	}
-	defer rg.Release()
-	return rg.reader.ListCrownJewels(ctx, pageSize, nextKey)
-}
-
-// GetCrownJewel returns the specified CrownJewel resource.
-func (c *Cache) GetCrownJewel(ctx context.Context, name string) (*crownjewelv1.CrownJewel, error) {
-	ctx, span := c.Tracer.Start(ctx, "cache/GetCrownJewel")
-	defer span.End()
-
-	rg, err := readLegacyCollectionCache(c, c.legacyCacheCollections.crownJewels)
-	if err != nil {
-		return nil, trace.Wrap(err)
-	}
-	defer rg.Release()
-	return rg.reader.GetCrownJewel(ctx, name)
-}
-
 // GetSecurityAuditQuery returns the specified audit query resource.
 func (c *Cache) GetSecurityAuditQuery(ctx context.Context, name string) (*secreports.AuditQuery, error) {
 	ctx, span := c.Tracer.Start(ctx, "cache/GetSecurityAuditQuery")
@@ -2652,31 +2615,6 @@ func buildListResourcesResponse[T types.ResourceWithLabels](resources iter.Seq[T
 	return &resp, nil
 }
 
-// GetAccessGraphSettings gets AccessGraphSettings from the backend.
-func (c *Cache) GetAccessGraphSettings(ctx context.Context) (*clusterconfigpb.AccessGraphSettings, error) {
-	ctx, span := c.Tracer.Start(ctx, "cache/GetAccessGraphSettings")
-	defer span.End()
-
-	rg, err := readLegacyCollectionCache(c, c.legacyCacheCollections.accessGraphSettings)
-	if err != nil {
-		return nil, trace.Wrap(err)
-	}
-	defer rg.Release()
-	if !rg.IsCacheRead() {
-		cachedCfg, err := utils.FnCacheGet(ctx, c.fnCache, clusterConfigCacheKey{"access_graph_settings"}, func(ctx context.Context) (*clusterconfigpb.AccessGraphSettings, error) {
-			cfg, err := rg.reader.GetAccessGraphSettings(ctx)
-			return cfg, err
-		})
-		if err != nil {
-			return nil, trace.Wrap(err)
-		}
-
-		clone := protobuf.Clone(cachedCfg).(*clusterconfigpb.AccessGraphSettings)
-		return clone, nil
-	}
-	return rg.reader.GetAccessGraphSettings(ctx)
-}
-
 func (c *Cache) GetProvisioningState(ctx context.Context, downstream services.DownstreamID, id services.ProvisioningStateID) (*provisioningv1.PrincipalState, error) {
 	ctx, span := c.Tracer.Start(ctx, "cache/GetProvisioningState")
 	defer span.End()

diff --git a/lib/cache/cache_test.go b/lib/cache/cache_test.go
@@ -1560,34 +1560,6 @@ func TestUserLoginStates(t *testing.T) {
 	})
 }
 
-// TestCrownJewel tests that CRUD operations on user notification resources are
-// replicated from the backend to the cache.
-func TestCrownJewel(t *testing.T) {
-	t.Parallel()
-
-	p := newTestPack(t, ForAuth)
-	t.Cleanup(p.Close)
-
-	testResources153(t, p, testFuncs153[*crownjewelv1.CrownJewel]{
-		newResource: func(name string) (*crownjewelv1.CrownJewel, error) {
-			return newCrownJewel(t, name), nil
-		},
-		create: func(ctx context.Context, item *crownjewelv1.CrownJewel) error {
-			_, err := p.crownJewels.CreateCrownJewel(ctx, item)
-			return trace.Wrap(err)
-		},
-		list: func(ctx context.Context) ([]*crownjewelv1.CrownJewel, error) {
-			items, _, err := p.crownJewels.ListCrownJewels(ctx, 0, "")
-			return items, trace.Wrap(err)
-		},
-		cacheList: func(ctx context.Context) ([]*crownjewelv1.CrownJewel, error) {
-			items, _, err := p.crownJewels.ListCrownJewels(ctx, 0, "")
-			return items, trace.Wrap(err)
-		},
-		deleteAll: p.crownJewels.DeleteAllCrownJewels,
-	})
-}
-
 func TestDatabaseObjects(t *testing.T) {
 	t.Parallel()
 

diff --git a/lib/cache/cluster_config.go b/lib/cache/cluster_config.go
@@ -21,7 +21,10 @@ import (
 
 	"github.com/gravitational/trace"
 
+	clusterconfigv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/clusterconfig/v1"
+	headerv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/header/v1"
 	"github.com/gravitational/teleport/api/types"
+	apiutils "github.com/gravitational/teleport/api/utils"
 	"github.com/gravitational/teleport/lib/services"
 	"github.com/gravitational/teleport/lib/utils"
 )
@@ -327,3 +330,65 @@ func (c *Cache) GetSessionRecordingConfig(ctx context.Context) (types.SessionRec
 	cfg, err := c.Config.ClusterConfig.GetSessionRecordingConfig(ctx)
 	return cfg, trace.Wrap(err)
 }
+
+type accessGraphSettingsIndex string
+
+const accessGraphSettingsNameIndex accessGraphSettingsIndex = "name"
+
+func newAccessGraphSettingsCollection(upstream services.ClusterConfiguration, w types.WatchKind) (*collection[*clusterconfigv1.AccessGraphSettings, accessGraphSettingsIndex], error) {
+	if upstream == nil {
+		return nil, trace.BadParameter("missing parameter ClusterConfiguration")
+	}
+
+	return &collection[*clusterconfigv1.AccessGraphSettings, accessGraphSettingsIndex]{
+		store: newStore(map[accessGraphSettingsIndex]func(*clusterconfigv1.AccessGraphSettings) string{
+			accessGraphSettingsNameIndex: func(r *clusterconfigv1.AccessGraphSettings) string {
+				return r.GetMetadata().GetName()
+			},
+		}),
+		fetcher: func(ctx context.Context, loadSecrets bool) ([]*clusterconfigv1.AccessGraphSettings, error) {
+			set, err := upstream.GetAccessGraphSettings(ctx)
+			if err != nil {
+				return nil, trace.Wrap(err)
+			}
+
+			return []*clusterconfigv1.AccessGraphSettings{set}, nil
+		},
+		headerTransform: func(hdr *types.ResourceHeader) *clusterconfigv1.AccessGraphSettings {
+			return &clusterconfigv1.AccessGraphSettings{
+				Kind:    hdr.Kind,
+				Version: hdr.Version,
+				Metadata: &headerv1.Metadata{
+					Name: hdr.Metadata.Name,
+				},
+			}
+		},
+		watch: w,
+	}, nil
+}
+
+// GetAccessGraphSettings gets AccessGraphSettings from the backend.
+func (c *Cache) GetAccessGraphSettings(ctx context.Context) (*clusterconfigv1.AccessGraphSettings, error) {
+	ctx, span := c.Tracer.Start(ctx, "cache/GetAccessGraphSettings")
+	defer span.End()
+
+	getter := genericGetter[*clusterconfigv1.AccessGraphSettings, accessGraphSettingsIndex]{
+		cache:      c,
+		collection: c.collections.accessGraphSettings,
+		index:      accessGraphSettingsNameIndex,
+		upstreamGet: func(ctx context.Context, s string) (*clusterconfigv1.AccessGraphSettings, error) {
+			cachedCfg, err := utils.FnCacheGet(ctx, c.fnCache, clusterConfigCacheKey{"access_graph_settings"}, func(ctx context.Context) (*clusterconfigv1.AccessGraphSettings, error) {
+				cfg, err := c.Config.ClusterConfig.GetAccessGraphSettings(ctx)
+				return cfg, err
+			})
+			if err != nil {
+				return nil, trace.Wrap(err)
+			}
+
+			return apiutils.CloneProtoMsg(cachedCfg), nil
+		},
+		clone: apiutils.CloneProtoMsg[*clusterconfigv1.AccessGraphSettings],
+	}
+	out, err := getter.get(ctx, types.MetaNameAccessGraphSettings)
+	return out, trace.Wrap(err)
+}
diff --git a/lib/cache/cluster_config_test.go b/lib/cache/cluster_config_test.go
@@ -23,8 +23,10 @@ import (
 
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-cmp/cmp/cmpopts"
+	"github.com/gravitational/trace"
 	"github.com/stretchr/testify/require"
 
+	clusterconfigv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/clusterconfig/v1"
 	"github.com/gravitational/teleport/api/types"
 	"github.com/gravitational/teleport/lib/services"
 )
@@ -171,3 +173,37 @@ func TestAuthPreference(t *testing.T) {
 
 	require.Empty(t, cmp.Diff(outAuthPref, authPref, cmpopts.IgnoreFields(types.Metadata{}, "Revision")))
 }
+
+func TestAccessGraphSettings(t *testing.T) {
+	t.Parallel()
+
+	p := newTestPack(t, ForAuth)
+	t.Cleanup(p.Close)
+
+	testResources153(t, p, testFuncs153[*clusterconfigv1.AccessGraphSettings]{
+		newResource: func(name string) (*clusterconfigv1.AccessGraphSettings, error) {
+			return newAccessGraphSettings(t), nil
+		},
+		create: func(ctx context.Context, item *clusterconfigv1.AccessGraphSettings) error {
+			_, err := p.clusterConfigS.UpsertAccessGraphSettings(ctx, item)
+			return trace.Wrap(err)
+		},
+		list: func(ctx context.Context) ([]*clusterconfigv1.AccessGraphSettings, error) {
+			item, err := p.clusterConfigS.GetAccessGraphSettings(ctx)
+			if trace.IsNotFound(err) {
+				return []*clusterconfigv1.AccessGraphSettings{}, nil
+			}
+			return []*clusterconfigv1.AccessGraphSettings{item}, trace.Wrap(err)
+		},
+		cacheList: func(ctx context.Context) ([]*clusterconfigv1.AccessGraphSettings, error) {
+			item, err := p.cache.GetAccessGraphSettings(ctx)
+			if trace.IsNotFound(err) {
+				return []*clusterconfigv1.AccessGraphSettings{}, nil
+			}
+			return []*clusterconfigv1.AccessGraphSettings{item}, trace.Wrap(err)
+		},
+		deleteAll: func(ctx context.Context) error {
+			return trace.Wrap(p.clusterConfigS.DeleteAccessGraphSettings(ctx))
+		},
+	})
+}
diff --git a/lib/cache/collections.go b/lib/cache/collections.go
@@ -22,6 +22,8 @@ import (
 	"github.com/gravitational/trace"
 
 	autoupdatev1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/autoupdate/v1"
+	clusterconfigv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/clusterconfig/v1"
+	crownjewelv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/crownjewel/v1"
 	healthcheckconfigv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/healthcheckconfig/v1"
 	identitycenterv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/identitycenter/v1"
 	machineidv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/machineid/v1"
@@ -99,6 +101,8 @@ type collections struct {
 	accessLists                      *collection[*accesslist.AccessList, accessListIndex]
 	accessListMembers                *collection[*accesslist.AccessListMember, accessListMemberIndex]
 	accessListReviews                *collection[*accesslist.Review, accessListReviewIndex]
+	crownJewels                      *collection[*crownjewelv1.CrownJewel, crownJewelIndex]
+	accessGraphSettings              *collection[*clusterconfigv1.AccessGraphSettings, accessGraphSettingsIndex]
 }
 
 // setupCollections ensures that the appropriate [collection] is
@@ -468,6 +472,22 @@ func setupCollections(c Config) (*collections, error) {
 
 			out.accessListReviews = collect
 			out.byKind[resourceKind] = out.accessListReviews
+		case types.KindCrownJewel:
+			collect, err := newCrownJewelCollection(c.CrownJewels, watch)
+			if err != nil {
+				return nil, trace.Wrap(err)
+			}
+
+			out.crownJewels = collect
+			out.byKind[resourceKind] = out.crownJewels
+		case types.KindAccessGraphSettings:
+			collect, err := newAccessGraphSettingsCollection(c.ClusterConfig, watch)
+			if err != nil {
+				return nil, trace.Wrap(err)
+			}
+
+			out.accessGraphSettings = collect
+			out.byKind[resourceKind] = out.accessGraphSettings
 		}
 	}