Add status field to Kubernetes clusters to support discovery workflows#62161
Add status field to Kubernetes clusters to support discovery workflows#62161
Conversation
Adds a new Status field to KubernetesClusterV3 containing discovery-related information. The status includes cloud provider-specific data, starting with AWS which tracks the ARN for access setup, integration name, and the assumed role used during discovery. This enables the discovery service to persist state about clusters it discovers, which is needed to properly cleanup created access entries when a cluster is removed or no longer matches the label filtering. Without this information, dangling AWS resources would be left behind after discovery changes. Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
| // Status is the resource status. | ||
| KubernetesClusterStatus Status = 6 [ | ||
| (gogoproto.nullable) = false, | ||
| (gogoproto.jsontag) = "status" | ||
| ]; |
There was a problem hiding this comment.
Please don't add gogoproto options if they're unnecessary.
Also, style: protobuf field names and protobuf docstrings should follow protobuf styling.
| // Status is the resource status. | |
| KubernetesClusterStatus Status = 6 [ | |
| (gogoproto.nullable) = false, | |
| (gogoproto.jsontag) = "status" | |
| ]; | |
| // the resource status, intended to be ignored by IaC tools | |
| KubernetesClusterStatus status = 6; |
There was a problem hiding this comment.
<the reason why I added json tags is mostly because the resource is always marshaled using json.Marshal which might create inconsistent namings
There was a problem hiding this comment.
The default encoding/json field name is the protobuf field name, so unless we're trying to match a specific go struct field name for the sake of existing code (which is not the case here) we can just pick the field name for the json and live with whatever field name ends up in the go codegen.
espadolini
left a comment
espadolini
left a comment
There was a problem hiding this comment.
Is this something that fits the "status" field or should it just be in "spec"?
No matter where we put the additional field, what can break if the field is discarded (because the auth might not support it) in the cleanup logic? Will it just keep the existing behavior?
Is it possible for this field to change between writes and thus trigger more writes and reconciliations? Should we change (*KubernetesClusterV3).IsEqual?
This belongs in the
If the field is discarded, the current behavior remains unchanged. The access entry will simply be left in place for future generations.
This field cannot change as part of normal writes. The only way it can change is via updates to the discovery configuration or It also does not affect Kubernetes heartbeats, since this field along with other sensitive fields are discarded during heartbeating. PS: I forgot that our goderive stuff ignores status fields. Updated |
| if kc1.GetStatus().IsEqual(kc2.GetStatus()) { | ||
| return services.Equal | ||
| } | ||
| return services.Different |
There was a problem hiding this comment.
nit for consistency
| if kc1.GetStatus().IsEqual(kc2.GetStatus()) { | |
| return services.Equal | |
| } | |
| return services.Different | |
| if !kc1.GetStatus().IsEqual(kc2.GetStatus()) { | |
| return services.Different | |
| } | |
| return services.Equal |
public-teleport-github-review-bot
bot
removed the request for review
from ryanclark
| return res | ||
| } | ||
| // Additionally compare Status field using its IsEqual method. | ||
| // This is needed because CompareResources ignores Status field of KubeCluster and for most |
There was a problem hiding this comment.
.. CompareResources ignores Status field of KubeCluster
Are you sure that this is true ?
based on the code status is ignored only for DatabaseV3 and UserSpecV2 and AccessList types:
func CompareResources[T any](resA, resB T) int {
var equal bool
if hasEqual, ok := any(resA).(compare.IsEqual[T]); ok {
equal = hasEqual.IsEqual(resB)
} else {
equal = cmp.Equal(resA, resB,
ignoreProtoXXXFields(),
cmpopts.IgnoreFields(types.Metadata{}, "Revision"),
cmpopts.IgnoreFields(types.DatabaseV3{}, "Status"),
cmpopts.IgnoreFields(types.UserSpecV2{}, "Status"),
cmpopts.IgnoreFields(accesslist.AccessList{}, "Status"),
cmpopts.IgnoreFields(header.Metadata{}, "Revision"),
cmpopts.IgnoreUnexported(headerv1.Metadata{}),
// Managed by IneligibleStatusReconciler, ignored by all others.
cmpopts.IgnoreFields(accesslist.AccessListMemberSpec{}, "IneligibleStatus"),
cmpopts.IgnoreFields(accesslist.Owner{}, "IneligibleStatus"),
cmpopts.EquateEmpty(),
)
}
if equal {
return Equal
}
return Different
}So the whole kc1.GetStatus().IsEqual(kc2.GetStatus()) call seems to be redundant here.
There was a problem hiding this comment.
The KubeCluster type implements an IsEqual method, which causes the comparison logic to use hasEqual.IsEqual(resB) instead of falling back to cmp.Equal.
This IsEqual method is generated by Teleport's Go derive plugin, which is responsible for generating comparison code. The plugin intentionally skips status fields during comparison, as shown in this code
There was a problem hiding this comment.
Ah, thanks. The CompareResources ignores Status statment suggested that the ignore logic is implemented in CompareResources like in case of filed like: IgnoreFields(types.DatabaseV3{}, "Status"),
#62161) * Add status field to Kubernetes clusters to support discovery workflows Adds a new Status field to KubernetesClusterV3 containing discovery-related information. The status includes cloud provider-specific data, starting with AWS which tracks the ARN for access setup, integration name, and the assumed role used during discovery. This enables the discovery service to persist state about clusters it discovers, which is needed to properly cleanup created access entries when a cluster is removed or no longer matches the label filtering. Without this information, dangling AWS resources would be left behind after discovery changes. Signed-off-by: Tiago Silva <tiago.silva@goteleport.com> * handle code review comments * handle code review comments * add comment --------- Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
#62161) * Add status field to Kubernetes clusters to support discovery workflows Adds a new Status field to KubernetesClusterV3 containing discovery-related information. The status includes cloud provider-specific data, starting with AWS which tracks the ARN for access setup, integration name, and the assumed role used during discovery. This enables the discovery service to persist state about clusters it discovers, which is needed to properly cleanup created access entries when a cluster is removed or no longer matches the label filtering. Without this information, dangling AWS resources would be left behind after discovery changes. Signed-off-by: Tiago Silva <tiago.silva@goteleport.com> * handle code review comments * handle code review comments * add comment --------- Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
#62161) * Add status field to Kubernetes clusters to support discovery workflows Adds a new Status field to KubernetesClusterV3 containing discovery-related information. The status includes cloud provider-specific data, starting with AWS which tracks the ARN for access setup, integration name, and the assumed role used during discovery. This enables the discovery service to persist state about clusters it discovers, which is needed to properly cleanup created access entries when a cluster is removed or no longer matches the label filtering. Without this information, dangling AWS resources would be left behind after discovery changes. Signed-off-by: Tiago Silva <tiago.silva@goteleport.com> * handle code review comments * handle code review comments * add comment --------- Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
#62161) (#62599) * Add status field to Kubernetes clusters to support discovery workflows Adds a new Status field to KubernetesClusterV3 containing discovery-related information. The status includes cloud provider-specific data, starting with AWS which tracks the ARN for access setup, integration name, and the assumed role used during discovery. This enables the discovery service to persist state about clusters it discovers, which is needed to properly cleanup created access entries when a cluster is removed or no longer matches the label filtering. Without this information, dangling AWS resources would be left behind after discovery changes. * handle code review comments * handle code review comments * add comment --------- Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
#62161) (#62598) * Add status field to Kubernetes clusters to support discovery workflows Adds a new Status field to KubernetesClusterV3 containing discovery-related information. The status includes cloud provider-specific data, starting with AWS which tracks the ARN for access setup, integration name, and the assumed role used during discovery. This enables the discovery service to persist state about clusters it discovers, which is needed to properly cleanup created access entries when a cluster is removed or no longer matches the label filtering. Without this information, dangling AWS resources would be left behind after discovery changes. * handle code review comments * handle code review comments * add comment --------- Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
4 participants
Adds a new Status field to KubernetesClusterV3 containing discovery-related information. The status includes cloud provider-specific data, starting with AWS which tracks the ARN for access setup, integration name, and the assumed role used during discovery.
This enables the discovery service to persist state about clusters it discovers, which is needed to properly cleanup created access entries when a cluster is removed or no longer matches the label filtering. Without this information, dangling AWS resources would be left behind after discovery changes.
Changelog: Added cleanup of access entries for EKS auto-discovered clusters when they no longer match the filtering criteria and are removed.