Teleterm: add support for access requesting kube namespaces

[kimlisa]

part of #46742

requires:

• Add a new role.options field called request_mode.kubernetes_resources #47173
• Web: implement requesting for kube namespace selector #47345
• Teleterm: Add listing kube resources endpoint #46753

if you want to test connect, i have a staging cluster that i can invite you to (dm me) then:

1. OS: check out this branch
2. build tsh, and then pnpm start-term and login to my cluster

when request mode requires you to request for namespace

  ... rest of role
  options:
    request_mode:
      kubernetes_resources:
      - kind: namespace   # wildcard '*' enforces the same namespace requirement on the UI (since UI only supports namespace selection)

when request mode is a kind that UI doesn't support, it disables the checkout regardless of other resources (it is enabled once user removes the kubernetes):

  ... rest of role
  options:
    request_mode:
      kubernetes_resources:
      - kind: pod   # only namespace is supported on the web UI, tsh supports all

demo (when no request mode is specified, allows requesting for a kube_cluster or a kube_clusters namespace):

  ... rest of role
  options:
    # no request mode defined

Screen.Recording.2024-10-08.at.11.58.11.PM.mov

changelog: Add Connect support for selecting Kubernetes namespaces during access requests

[github-actions]

The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with changelog: followed by the changelog entries for the PR.

[github-actions]

The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with changelog: followed by the changelog entries for the PR.

[ravicious]

In a similar vein to getPendingAccessRequestsPerResource, I think data needs to be rethought as well.

"Data" in itself is a super vague name. That'd be the most important thing, to find a name for it that better describes what data is.

When data is consumed in web/packages/teleterm/src/ui/AccessRequestCheckout/AccessRequestCheckout.tsx, it's usually filtered in different ways and the result is called filteredData, which is also pretty vague. Then we pass filteredData to some places and data to other. data is then filtered again.

As I understand, this is because sometimes we want to show items with kube clusters present and sometimes we want to ignore them and use only namespaces.

I think it'd be highly beneficial to find better names than data and filteredData which better describe in what scenarios certain values are used. Even better, once that is done, we can have separate types for them – this way we'll never pass kube_cluster items to places where they're not expected (think Exclude<Data, {kind: 'kube_cluster'}>.

[kimlisa]

i think (hope) i resolved this with rename here: #47722

[gzdunek]

I'm not sure about RequestRequest 🙈 Maybe workspaceAccessRequest?

[kimlisa]

workspaceAccessRequest already exists in line 94

[gzdunek]

excludeSubResourceParentResource doesn't exist.

[gzdunek]

Suggested change

	.map(d => {
	if (d.kind === 'namespace') {
	return {
	name: d.id,
	kind: d.kind,
	clusterName: d.clusterName,
	subResourceName: d.subResourceName,
	};
	}
	return {
	name: d.id,
	clusterName: d.clusterName,
	kind: d.kind,
	subResourceName: '',
	};
	}),
	.map(d => ({
	name: d.id,
	clusterName: d.clusterName,
	kind: d.kind,
	subResourceName: d.subResourceName || '',
	})),

[gzdunek]

Shouldn't this be an error state?

[kimlisa]

no b/c dry run is not a create request. i think i ran into an issue where, create resulted in an error, so the user modifies the checked out items which would trigger dry run again (so we are resetting here)

i moved it out to the top, since i realized we are clearing it on error and on success

[gzdunek]

I think it's more readable:

Suggested change

	test('fetching requestable roles kube_cluster resource without namespace request', async () => {
	test('fetching requestable roles for a kube_cluster resource without specifying a namespace', async () => {

[ravicious]

I'll take a look tomorrow and I'll try to use the UI.

[ravicious]

When I want to remove the labels by clicking the ❎ button next to each label, the list keeps opening, requiring me to click twice if I want to remove a bunch of labels consecutively.

removing-namespaces.mov

[kimlisa]

punted to this issue: #47823

the selector got kinda wonky after upgrade (i also previously supported bulk deleter too but removed it b/c it was too buggy)

[ravicious]

idk how to create a minimal repro for this, but sometimes after closing the select, the list of selected namespaces gets sorted. In the video it happens right at the end.

Is it because we sort it at some point or is it because the namespaces are kept in a set in Connect? FWIW, I think Set in JS keeps insertion order, so idk if it's plausible for this data structure to cause that.

sort-after-select-close.mov

[kimlisa]

that doesn't look like sorting, but just rearranging? maybe it's b/c of how we bulk toggle

[ravicious]

Is it actually possible to adjust the type? I don't think so, as AFAIK we can't just remove namespace from ResourceKind. I'm not sure how much sense would it make to use Exclude<ResourceKind, 'namespace'> in this particular example.

Perhaps it'd be best to add a comment to addOrRemoveResource explaining that it's used for adding individual resources from the unified resources view and then this comment here could simply say that it's impossible to add kube namespaces straight from the unified resources view, so this function returns early?