Reverse search on cluster by IP, hostname etc #53
Labels
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set
Reference
Motstandskraft/spam#53
Loading…
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Problem
SPAM today centers on clusters for non-global / non-admin roles, which makes it hard for regular users to answer broad questions across the clusters they can view, e.g.:
Add a feature so users can search more broadly across the clusters they have view access to.
Scope: externally-exposed endpoints — the public-facing IPs/hosts behind ingresses, HTTPRoutes, Gateways, IngressRoutes. Not internal ranges (ClusterIPs, Node IPs, pod IPs).
Current state (what already exists)
Much of the hostname side already works for regular users; the gap is narrower than "add search".
HostsHandler(GET /api/clusters/hosts,approvedgroup).?q=runsILIKE '%q%'acrosshe.host,he.backends,he.lb_ips, namespace, name, kind, ingress_class (internal/scam/handler.go→buildHostFilterClauses), scoped byhe.cluster_idthroughclusterACLFilterCol. Surfaced in Clusters → Hosts tab (web/src/routes/(app)/clusters/+page.svelte) with an IP column fromlb_ips.ClusterSummaryHandler(/api/clusters/summary?q=) already does ACL-scoped name/slug/environment search.host_exposure(migration20260509) already ingests all relevant kinds: k8s Ingress (rules[].host+lb_ips), Gateway API HTTPRoute/GRPCRoute/TLSRoute (hostnames), Traefik IngressRoute (hosts).host_resolution.public_ips/ips(populated by theinternal/hostresolveworker) holds the DNS-resolved public IP of every exposed FQDN, kind-agnostically.Because the exposed IPs are already captured (
lb_ips) and resolved (host_resolution.public_ips), no SCAM-agent ingest or schema change is required.Gaps / the actual work
ILIKEover thehe.lb_ipsstring. The resolved public IPs inhost_resolution.public_ips/ipsare not searched. Reverse-IP should match against those columns — that covers ingress + all Gateway/route kinds with data we already have./api/search/*(AdvancedSearchHandler,target=cluster) sits behindAPIGuard(admin / global_reader) and only searchescluster_summarynames. Do not extend that surface — build on theapprovedgroup like/api/clusters/hosts.pg_trgmis repos-only; host search is sequentialILIKE. If this becomes primary UX, add a trigram/btree index on the host/IP columns (or a small dedicated projection).Constraints
clusterACLFilterCol(r, "<table>.cluster_id")before any DB read. Grants come from ROR (RORProvider) and resolve across three identity domains (cluster_id / ror_slug / ror_cluster_uid). Deny → empty response, never unfiltered.Suggested scope
approvedgroup) into a first-class "reverse search" entry point.host_resolution.public_ips/ips(not just thelb_ipssubstring).Open design questions (needs-design)
ILIKEperformance..status.addressesin the agent would close it, but is non-blocking.Key files
internal/scam/handler.go(HostsHandler,buildHostFilterClauses)internal/scam/acl.go(clusterACLFilterCol)internal/hostresolve+host_resolutiontable;host_exposure(migration20260509)internal/uiapi/advanced_search.go(admin-only — don't reuse)web/src/routes/(app)/clusters/+page.svelte(Hosts tab)