tags: initial implementation of tags

[nicolehanjing]

first pass of tags implementation

What type of PR is this?
/kind feature

What this PR does / why we need it:
We have two formats of the cluster tags in the legacy implementation:

// TagNameKubernetesClusterPrefix is the tag name we use to differentiate multiple
// logically independent clusters running in the same AZ.
// The tag key = TagNameKubernetesClusterPrefix + clusterID
// The tag value is an ownership value
const TagNameKubernetesClusterPrefix = "kubernetes.io/cluster/"

// TagNameKubernetesClusterLegacy is the legacy tag name we use to differentiate multiple
// logically independent clusters running in the same AZ.  The problem with it was that it
// did not allow shared resources.
const TagNameKubernetesClusterLegacy = "KubernetesCluster"

As @nckturner mentioned before, the current format ("kubernetes.io/cluster/<clusterID>": <ownership>") causes issues for customers trying to use tags to organize billing.

After discussion, we'd like to see tags with formats:

1) kubernetes.io/cluster/ = <clusterID>
2) kubernetes.io/cluster/<clusterID> = ""

the second format is only used for shared resources e.g. subnets

and once we have other workarounds, will make corresponding updates.
Which issue(s) this PR fixes:

Part of #125

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

NONE

[nckturner]

So just to summarize our conversation from this morning, we need to keep the kubernetes.io/cluster/<clusterID> = shared|owned for discovery, but we will allow passing in additionalTags (or something similar) via the config to aid in billing and other tag use cases, like where users automatically delete all resources from an account that aren't tagged a certain way. It also makes sense to use "tag-on-create" where possible because we believe it is better supported (although I am verifying that). There have been some changes to the APIs since V1 was written, so we should take advantage of those.

[nckturner]

So actually as of now I think the resource tagging API is fully supported in all regions, so I don't think we need to prefer tag-on-create for that reason. Tag-on-create might be nice for other reasons, like being eaiser to implement and fewer total number of api calls.

[nicolehanjing]

So just to summarize our conversation from this morning, we need to keep the kubernetes.io/cluster/<clusterID> = shared|owned for discovery, but we will allow passing in additionalTags (or something similar) via the config to aid in billing and other tag use cases, like where users automatically delete all resources from an account that aren't tagged a certain way. It also makes sense to use "tag-on-create" where possible because we believe it is better supported (although I am verifying that). There have been some changes to the APIs since V1 was written, so we should take advantage of those.

Thanks @nckturner for the summary
for my current implementation, I only used the first format which is kubernetes.io/cluster/ = <clusterID>, but as we are keeping kubernetes.io/cluster/<clusterID> = shared|owned, I will need to keep both of them in this initial implementation, right?

[andrewsykim]

Sorry for the late review @nicolehanjing

[andrewsykim]

nit: use errors.New instead since there's no args

[nicolehanjing]

gotcha!

[andrewsykim]

"invalid Kind for cloud config: %q"

[andrewsykim]

nit: pass in the pointer

[andrewsykim]

In general I tend to avoid naming functions init because init is a reserved function name in Go

[andrewsykim]

Recommend creating a constructor function for awsTagging like NewAWSTags and have it receive clusterName as one of the parameters

[andrewsykim]

nit: just name this tags?

[nicolehanjing]

@andrewsykim updated! PTAL :)

[nckturner]

Nit: wondering if this logic can be refactored slightly. IMO returning true from a function called hasClusterTag when there isn't a tag to look for is bit confusing (for the sole purpose of causing some side effect behavior in the caller), wondering if its worth separating return values to have distinct values for "is cluster tag configured" and "does cluster tag exist". We could return a specific error (or bool value) that the caller can check for if cluster tag is not configured.

[nicolehanjing]

good point, personally I prefer to return a specific error with some info for the caller to check, will update!

[ayberk]

Are there any other required fields we have to verify here?

[andrewsykim]

Good call, I think for this PR we don't technically have to validate anything since ClusterName is optional (I think) but there will be a need to validate field values at some point. Here's one example of how to do it:

https://github.com/kubernetes/kubernetes/blob/5344afd4fbfc3cb2ed6785d89b6f760886f100b5/pkg/credentialprovider/plugin/config.go#L71-L128

[ayberk]

If this is a sign of misconfigured cluster, we should log a warning here.

[andrewsykim]

Does this mean clusterName is actually required? If so we should validate it when we read the config and return an error if it's empty. I thought clusterName was optional and it can be discovered through instances but I might be mis-remembering the details.

[andrewsykim]

I think requiring clusterName is reasonable, it's an explicit step from the user requiring them to understand how/why the cluster name is needed.

[ayberk]

If there's a way to infer the cluster name, I think that'd be ideal. "We will add the cluster name automatically, but you can override it via config" sounds reasonable to me. Although I'm not sure if there's a case where the user would want to override it.

[nicolehanjing]

yeah I agree, will figure out if we can discover the cluster name through instances
for now I leave a TODO note here and a warning log in https://github.com/kubernetes/cloud-provider-aws/pull/149/files#diff-78811b2c178b96d8cf3e546ccbc24defbe15e8ef228da31b36d17ecfe29174ceR183

[andrewsykim]

This can be simplieifed to:

bytes.NewBufferString(testcase.configData)

[andrewsykim]

We also need to update the Instances implementation to use the clusterName tags for API calls.

[nicolehanjing]

@andrewsykim updated! PTAL :)

• added validation function & unit tests
• update the Instances implementation to use the clusterName tags for API calls

[andrewsykim]

import alias this to awsconfigv1alpha1

[andrewsykim]

use awsconfigv1alpha1.SchemeGroupVersion.String() instead of config.aws.io/v1alpha1

[andrewsykim]

field value should be the json serialized version field.NewPath("kind")

[andrewsykim]

APIVersion -> apiVersion

[andrewsykim]

Config -> config

[andrewsykim]

I don't think this check is required, it would fail in field-specific validation anyways

[andrewsykim]

ClusterName -> clusterName

[nicolehanjing]

@andrewsykim @nckturner @ayberk PTAL :)

[andrewsykim]

/approve
/lgtm

There's a few TODOs in the comments and the code but I think we can address those with #156

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: andrewsykim, nicolehanjing

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [andrewsykim]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment