Add synthetic canopy: tags to the /tags endpoint #231
Open
passcod wants to merge 2 commits into
The public /tags endpoint now injects read-only synthetic tags describing the server, under a reserved "canopy:" namespace:

- canopy:kind — the server's kind (always present)
- canopy:rank — the server's rank, when one is set
- canopy:group-id — the server's group id, when grouped
- canopy:group-name — the server's group name, when grouped

To guarantee these never collide with operator-set tags, the "canopy:" prefix is reserved: server and server-group tag writes reject any key under it (400 Bad Request), enforced centrally in the database model create/update paths.
The committed_spec_matches_generated drift test caught the stale spec after the /tags handler doc comment changed.
🤖 The device-facing /tags endpoint now injects read-only synthetic tags describing the calling server, on top of its merged server+group tags. They live under a reserved canopy: namespace:

- canopy:kind — the server's kind (always present)
- canopy:rank — the server's rank, only when one is set
- canopy:group-id — the server's group id, only when grouped
- canopy:group-name — the server's group name, only when grouped

To guarantee these can never collide with — or be spoofed by — operator-set tags, the canopy: prefix is reserved: server and server-group tag writes now reject any key under it with 400 Bad Request. The check is enforced centrally in the database model create/update paths, so every write path is covered.

Notes

- tags_merged_with_group (used by the healthcheck-sample and status endpoints for rule evaluation) is unchanged; the synthetic tags are added by a new Server::tags_for_device used only by /tags.
- canopy:rank is emitted only when the server has a rank set, mirroring how an unset rank is treated as absent elsewhere rather than defaulted to dev.

Covered by new tests: synthetic tags on the /tags response (grouped + ranked, and the ungrouped/rankless case), plus reserved-prefix rejection across all four server/group create/update paths.
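
The reserved-prefix write check and the synthetic-tag read path described above, as an added Rust example that is not the project's code. The `Server` struct, `validate_operator_tags`, the body given to `tags_for_device`, and the sample values are hypothetical; the read-side filter for previously stored reserved keys is an assumption that goes beyond what the PR states.

```rust
use std::collections::BTreeMap;

const RESERVED_PREFIX: &str = "canopy:"; // reserved namespace from the PR description

// Hypothetical stand-in for the project's server record (not its real model).
struct Server {
    kind: String,
    rank: Option<String>,
    group: Option<(String, String)>, // (group id, group name)
    tags: BTreeMap<String, String>,  // merged server + group operator tags
}

// Write path: refuse operator-supplied keys in the reserved namespace.
// Err carries the offending key; an HTTP layer would map it to 400 Bad Request.
fn validate_operator_tags(tags: &BTreeMap<String, String>) -> Result<(), String> {
    match tags.keys().find(|k| k.starts_with(RESERVED_PREFIX)) {
        Some(k) => Err(k.clone()),
        None => Ok(()),
    }
}

// Read path: operator tags plus the synthetic ones.
fn tags_for_device(s: &Server) -> BTreeMap<String, String> {
    // Assumption (not from the PR): drop reserved keys stored before the
    // write check existed, so an old "canopy:*" row cannot reach a device.
    let mut out: BTreeMap<String, String> = s.tags.iter()
        .filter(|(k, _)| !k.starts_with(RESERVED_PREFIX))
        .map(|(k, v)| (k.clone(), v.clone()))
        .collect();
    out.insert("canopy:kind".to_string(), s.kind.clone());
    if let Some(rank) = &s.rank {
        out.insert("canopy:rank".to_string(), rank.clone());
    }
    if let Some((id, name)) = &s.group {
        out.insert("canopy:group-id".to_string(), id.clone());
        out.insert("canopy:group-name".to_string(), name.clone());
    }
    out
}

fn main() {
    // Constructed sample: ungrouped, rankless server carrying one legacy reserved key.
    let mut tags = BTreeMap::new();
    tags.insert("site".to_string(), "lab".to_string());
    tags.insert("canopy:kind".to_string(), "spoofed".to_string());
    println!("write check: {:?}", validate_operator_tags(&tags));
    let s = Server { kind: "example-kind".to_string(), rank: None, group: None, tags };
    println!("device tags: {:?}", tags_for_device(&s));
}
```

The prefix match here is exact and case-sensitive; if tag keys are normalised anywhere before storage, the check has to run on the normalised form.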