feat: support adding ResourceManagerTags to GCP resources #1008

@salasberryfin salasberryfin commented Aug 24, 2023

What type of PR is this?

kind/feature

What this PR does / why we need it

This PR allows users to bind tags to GCP resources, including Compute Instances, GKE clusters and attached disks. As described in the original issue #992, Tags are used for defining IAM policy conditions, Organization conditionals policies and integrating with Cloud billing for cost management, which are not supported by labels.

Which issue(s) this PR fixes

Fixes #992

Special notes for your reviewer

With this solution, users are able to bind resource-manager tags to infrastructure resources. The Tag Key/Tag Value must already exist in GCP and CAPG converts the provided list of key/value (resourceManagerTags) into the unique IDs generated by GCP. For any tags that cannot be retrieved (whether it is a permission issue or the tags don't exist), an empty value will be returned, effectively ignoring the key/value pair. Any other valid tags will be added.

This is an example of how a simple tag could be added to the yaml definition:

resourceManagerTags:
  - {parentID: "parent-project", key: "foo", value: "bar"}

TODOs:

  • squashed commits
  • includes documentation
  • adds unit tests

Release note:

Users can now pass existing `resourceManagerTags` to bind them to cloud resources. If this is not provided, the behavior stays the same and no tags are added to the resource.
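
The resolution behaviour the PR description outlines (look up each `parentID/key/value`, skip the ones that cannot be retrieved), as an added Go example that is not code from this PR or from CAPG. `TagLookup`, `ResolveTags` and `fakeLookup` are hypothetical names and the IDs are constructed; unlike the described behaviour, the skipped tags are returned so the caller can log or reject them, which matters when IAM conditions depend on a tag being present.

```go
package main

import (
	"errors"
	"fmt"
)

// ResourceManagerTag mirrors the three fields shown in the PR's YAML example.
type ResourceManagerTag struct{ ParentID, Key, Value string }

// TagLookup is a hypothetical stand-in for the GCP call that resolves a
// namespaced tag ("parentID/key/value") to its generated IDs.
type TagLookup func(namespaced string) (keyID, valueID string, err error)

// ResolveTags returns the tagKeys/.. -> tagValues/.. map for every tag that
// resolves, plus the names of the tags that were skipped so the caller can
// log or fail instead of dropping them silently.
func ResolveTags(tags []ResourceManagerTag, lookup TagLookup) (map[string]string, []string) {
	resolved := make(map[string]string, len(tags))
	var skipped []string
	for _, t := range tags {
		name := fmt.Sprintf("%s/%s/%s", t.ParentID, t.Key, t.Value)
		keyID, valueID, err := lookup(name)
		if err != nil || keyID == "" || valueID == "" {
			skipped = append(skipped, name)
			continue
		}
		resolved[keyID] = valueID
	}
	return resolved, skipped
}

// fakeLookup is constructed sample data, not real GCP IDs.
func fakeLookup(name string) (string, string, error) {
	known := map[string][2]string{
		"parent-project/foo/bar": {"tagKeys/1111", "tagValues/2222"},
	}
	if ids, ok := known[name]; ok {
		return ids[0], ids[1], nil
	}
	return "", "", errors.New("permission denied or tag not found")
}

func main() {
	tags := []ResourceManagerTag{
		{"parent-project", "foo", "bar"},
		{"parent-project", "env", "prod"}, // not present in the constructed directory
	}
	resolved, skipped := ResolveTags(tags, fakeLookup)
	fmt.Println("bound:", resolved)
	fmt.Println("skipped:", skipped)
}
```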

@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. release-note Denotes a PR that will be considered when it comes time to generate release notes. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Aug 24, 2023
@k8s-ci-robot
Contributor

Welcome @salasberryfin!

It looks like this is your first PR to kubernetes-sigs/cluster-api-provider-gcp 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/cluster-api-provider-gcp has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Aug 24, 2023
@k8s-ci-robot
Contributor

Hi @salasberryfin. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Aug 24, 2023
@salasberryfin salasberryfin changed the title WIP: feat: support adding ResourceManagerTags to compute instances feat: support adding ResourceManagerTags to compute instances Aug 28, 2023
@salasberryfin salasberryfin marked this pull request as ready for review August 28, 2023 09:39
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Aug 28, 2023
@k8s-ci-robot k8s-ci-robot requested a review from dims August 28, 2023 09:39
@richardcase
Member

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Aug 29, 2023
@salasberryfin salasberryfin force-pushed the support-adding-resourcemanagertags branch from ce232ab to 11d3567 Compare August 29, 2023 09:14
@richardcase
Member

/test pull-cluster-api-provider-gcp-verify

Member

@richardcase richardcase left a comment


A quick review, mostly just nits.

I'll take a proper look and look at the verification failure later today/tomorrow

api/v1beta1/gcpcluster_types.go Outdated
api/v1beta1/gcpcluster_types.go Outdated
api/v1beta1/gcpcluster_types.go Outdated
api/v1beta1/gcpcluster_types.go Outdated
api/v1beta1/gcpcluster_types.go Outdated
api/v1beta1/gcpmachine_types.go Outdated
api/v1beta1/tags.go Outdated
@salasberryfin salasberryfin force-pushed the support-adding-resourcemanagertags branch from 11d3567 to 71e33e5 Compare August 29, 2023 15:36
@k8s-ci-robot k8s-ci-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Aug 29, 2023
@salasberryfin
Contributor Author

I addressed some of the comments but my changes broke something. I'll be fixing it and updating the code as soon as possible.

@salasberryfin salasberryfin force-pushed the support-adding-resourcemanagertags branch 2 times, most recently from 0a90467 to c0eb2c2 Compare August 30, 2023 08:42
@salasberryfin
Contributor Author

salasberryfin commented Aug 30, 2023

Hopefully I addressed all comments and CI issues with the last commit 🙂

Member

@richardcase richardcase left a comment


Great work on this @salasberryfin.

Let's find some time to chat about this

api/v1beta1/gcpcluster_types.go Outdated
cloud/scope/machine.go
@@ -338,6 +338,9 @@ func (m *MachineScope) InstanceSpec(log logr.Logger) *compute.Instance {
m.ClusterGetter.Name(),
),
},
Params: &compute.InstanceParams{
ResourceManagerTags: infrav1.AddResourceManagerTags(context.TODO(), m.GCPMachine.Spec.ResourceManagerTags),
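Review bot: the added `ResourceManagerTags:` line assigns the single return value of `infrav1.AddResourceManagerTags(context.TODO(), ...)` directly, so `InstanceSpec` has no way to report a tag that failed to resolve and the instance is created without it. The PR description says these tags are used in IAM policy conditions, so a silently dropped tag changes what policy applies; consider returning an error alongside the map, or at least logging the unresolved tags through the `log logr.Logger` that `InstanceSpec` already receives. Passing the caller's context instead of `context.TODO()` would also let the lookup be cancelled or timed out.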
Member


We should probably capture the additional permissions required in the docs somewhere:

  • roles/resourcemanager.tagAdmin
  • roles/resourcemanager.tagUser


I think the TagUser role should be enough, since listing tags and creating tag bindings are the operations the implementation is dependent on.

cloud/scope/machine.go Outdated
@salasberryfin salasberryfin force-pushed the support-adding-resourcemanagertags branch 2 times, most recently from fae628a to 430be9f Compare October 17, 2023 16:23
@salasberryfin
Contributor Author

Last change moves tag-related functions to cloud/services (under shared services). I still have to fix the creation of the resource manager client.

@salasberryfin salasberryfin force-pushed the support-adding-resourcemanagertags branch from 430be9f to 48f508f Compare October 18, 2023 11:06
@salasberryfin
Contributor Author

NewTagBindingsClient is now created in cloud/scope/clients.go aligned with other client creation. In this case, due to the regional nature of some resource manager tagging operations, the endpoint (including location) needs to be appended to the default client options.

@salasberryfin salasberryfin force-pushed the support-adding-resourcemanagertags branch from 48f508f to c58badf Compare October 26, 2023 12:14
@salasberryfin salasberryfin force-pushed the support-adding-resourcemanagertags branch from c58badf to 6292a28 Compare October 26, 2023 12:51
@richardcase
Member

This is only adding optional API fields so:

/override pull-cluster-api-provider-gcp-apidiff

@k8s-ci-robot
Contributor

@richardcase: Overrode contexts on behalf of richardcase: pull-cluster-api-provider-gcp-apidiff

In response to this:

This is only adding optional API fields so:

/override pull-cluster-api-provider-gcp-apidiff


@richardcase
Member

Thanks for the hard work on this @salasberryfin. I have created #1053 as a follow-up to add E2E test coverage for this feature.

From my side:

/lgtm

For final approval:

/assign cpanato

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 26, 2023
@salasberryfin
Contributor Author

Thanks @richardcase. I'll be happy to work on #1053 as well.

@salasberryfin salasberryfin force-pushed the support-adding-resourcemanagertags branch from 6292a28 to 2b58598 Compare October 31, 2023 10:35
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 31, 2023
@richardcase
Member

Like before:

/override pull-cluster-api-provider-gcp-apidiff

@k8s-ci-robot
Contributor

@richardcase: Overrode contexts on behalf of richardcase: pull-cluster-api-provider-gcp-apidiff

In response to this:

Like before:

/override pull-cluster-api-provider-gcp-apidiff


@richardcase
Member

Thanks @salasberryfin

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 31, 2023
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: richardcase, salasberryfin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 31, 2023
@k8s-ci-robot k8s-ci-robot merged commit 173d8a2 into kubernetes-sigs:main Oct 31, 2023
5 checks passed
@k8s-ci-robot k8s-ci-robot added this to the v1.1.0 milestone Oct 31, 2023
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.
Development

Successfully merging this pull request may close these issues.

Support to add ResoureManagerTags to Compute Instances
5 participants