Access Log Policy Controller

[xWink]

What type of PR is this?

Feature

Which issue does this PR fix:
#200 partially

What does this PR do / Why do we need it:

• Adds new controller for AccessLogPolicy
  • This controller enables creating and deleting AccessLogPolicy resources, and appropriately sets statuses and finalizers. It does not yet support creating VPC Lattice Access Log Subscriptions, and thus has no real functionality for customers, but that will come in bite-sized followup PRs.
• Adds example AccessLogPolicy yaml

Output of kubectl describe alp test-policy after creation:

Name:         test-policy
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  application-networking.k8s.aws/v1alpha1
Kind:         AccessLogPolicy
Metadata:
  Creation Timestamp:  2023-10-05T02:14:37Z
  Finalizers:
    accesslogpolicy.k8s.aws/resources
  Generation:        1
  Resource Version:  24456853
  UID:               a67bb8b1-7744-4380-a22c-f35bdee92f3f
Spec:
  Destination Arn:  arn:aws:s3:::my-bucket
  Target Ref:
    Group:  gateway.networking.k8s.io
    Kind:   Gateway
    Name:   my-hotel
Status:
  Conditions:
    Last Transition Time:  2023-10-05T02:14:37Z
    Message:               application-networking.k8s.aws/gateway-api-controller
    Observed Generation:   1
    Reason:                Accepted
    Status:                True
    Type:                  Accepted
Events:                    <none>

Output after updating the destinationArn

Name:         test-policy
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  application-networking.k8s.aws/v1alpha1
Kind:         AccessLogPolicy
Metadata:
  Creation Timestamp:  2023-10-05T02:14:37Z
  Finalizers:
    accesslogpolicy.k8s.aws/resources
  Generation:        2
  Resource Version:  24584481
  UID:               a67bb8b1-7744-4380-a22c-f35bdee92f3f
Spec:
  Destination Arn:  arn:aws:s3:::my-bucket-1
  Target Ref:
    Group:  gateway.networking.k8s.io
    Kind:   Gateway
    Name:   my-hotel
Status:
  Conditions:
    Last Transition Time:  2023-10-05T02:14:37Z
    Message:               application-networking.k8s.aws/gateway-api-controller
    Observed Generation:   2
    Reason:                Accepted
    Status:                True
    Type:                  Accepted
Events:                    <none>

If an issue # is not available please add repro steps and logs from aws-gateway-controller showing the issue:

Testing done on this change:

Ran 32 of 32 Specs in 2227.128 seconds
SUCCESS! -- 32 Passed | 0 Failed | 0 Pending | 0 Skipped
--- PASS: TestIntegration (2228.35s)
PASS
ok      github.com/aws/aws-application-networking-k8s/test/suites/integration   2229.062s

Automation added to e2e:

Will this PR introduce any new dependencies?:

No

Will this break upgrades or downgrades. Has updating a running cluster been tested?:
No

Does this PR introduce any user-facing change?:

Not yet, since use of the AccessLogPolicy doesn't achieve anything

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[zijun726911]

Before, we handle TargetGroupPolicy (model build and stack deploy) as part of route_controller.go and handle VpcAssociation as part of gateway_controller.go. How we decide to handle XXXXXPolicy in the xxxxx_policy_controller or in the existing xxx_k8s_resource_controller?

[xWink]

Before, we handle TargetGroupPolicy (model build and stack deploy) as part of route_controller.go and handle VpcAssociation as part of gateway_controller.go. How we decide to handle XXXXXPolicy in the xxxxx_policy_controller or in the existing xxx_k8s_resource_controller?

We opted to handle AccessLogPolicy as its own standalone resource in the Kubernetes setting because it's its own standalone resource in the VPC Lattice setting. Since Access Log Subscription has its own lifecycle, so should Access Log Policy.

This simplifies handling some of the create/delete/update cases vs. only adding event handling to existing controllers, which would increase their complexities substantially.

[erikfuller]

Just a general question on the feature. How are we planning on reporting back the actual log paths? From what I recall, logs are based on unique resource ids, not names. How will folks using the controller know which logs apply to which k8s resources?

[xWink]

Not 100% sure I follow, so please correct me if I'm going down the wrong path here. When a user creates a Gateway or Route, that resource is associated to 1 VPC Lattice Service Network or Service. When they create an AccessLogPolicy with a targetRef of a Gateway or Route, it's the equivalent of creating a VPC Lattice Access Log Subscription for the corresponding ServiceNetwork or Service.

So if I create Gateway my-hotel, which in VPC Lattice is Service Network sn-12345678901234567, and then create an AccessLogPolicy which refers to Gateway my-hotel, then it will create an AccessLogSubscription with resourceIdentifier sn-12345678901234567, and any access logs flowing through that Service Network will wind up in the log destination I specified in the AccessLogPolicy.

[erikfuller]

Right. So the path in S3 would look like [1]:

[bucket]/[prefix]/AWSLogs/[accountId]/VpcLattice/AccessLogs/[region]/[YYYY/MM/DD]/[resource-id]/[accountId]_VpcLatticeAccessLogs_[region]_[resource-id]_YYYYMMDDTHHmmZ_[hash].json.gz

Let's assume I have a number of gateways I'm managing - how will I know the Lattice resource ID for each? For example, do we patch the gateway with the Lattice service network ID? I see it as a message here: https://github.com/aws/aws-application-networking-k8s/blob/main/controllers/gateway_controller.go#L279. Ideally, I would be able to find out the ID by doing something like kubectl get gateway.

Similarly, it may be difficult to map from a k8s route to a log line, or from a log line back to the k8s objects, since these log entries also use unique IDs rather than k8s-based names. Maybe for now just enabling the logs is enough, then customers can use the Lattice API out of band to determine the ID. Longer term we should look a improving this experience.

[zijun726911]

Patch the status(or annotation) of gateway and k8sService resource with lattice resource id and Patch AccessLogPolicy with als id seems a good approach to make mapping cleaner

[xWink]

Agreed, this would absolutely improve clarity for users. I'll look into making this an annotation for ALP (don't think status is the right place for this kind of data), and will add it as a followup once the Create workflow is done. We can also create an issue to add this behaviour to other resources, like Gateway and Route.

[xWink]

Are there any remaining concerns regarding this PR that need addressing?

[zijun726911]

LGTM