tailscale / gitops-acl-action

GitOps for your Tailscale ACLs
85 stars 25 forks source link

See warning about console changes to ACL file in Action log #25

Open arigesher opened 1 year ago

arigesher commented 1 year ago

Description

The Github action fires a warning when testing edits to the policy file. This appears to have no effect on the test, but it does issue a confusing warning message:

Warning: The policy file was modified externally in the admin console.

This is confusing because it implies that there may be edits via the console that shouldn't have been made when using GitOps to manage the file. (Or I'm really confused and we do have edits in the console that aren't being reflected).

Desired Behavior

Don't issue the warnning.

Logs/Screenshots

2023/05/11 22:51:46 no previous etag found, assuming local file is correct and recording that
Warning: The policy file was modified externally in the admin console.
2023/05/11 22:51:46 control: dc85ea67f801dfe78b3[9](https://github.com/KairosAerospace/tailscale-acls/actions/runs/4953251071/jobs/8860528687#step:5:10)0ee9c479c03b44267317c30efc0d440db79345e035b2
2023/05/[11](https://github.com/KairosAerospace/tailscale-acls/actions/runs/4953251071/jobs/8860528687#step:5:12) 22:51:46 local:   22ed067d02ddb5555d215d2007ce3271a6ed69189a01b9c939a1c3481eaef3[12](https://github.com/KairosAerospace/tailscale-acls/actions/runs/4953251071/jobs/8860528687#step:5:13)
2023/05/11 22:51:46 cache:   22ed067d02ddb5555d215d2007ce3271a6ed69189a01b9c939a1c3481eaef312
Screenshot 2023-05-11 at 4 30 16 PM

Here's line 1 from our policy file:

// This tailnet's ACLs are maintained in https://github.com/KairosAerospace/tailscale-acls

In the diff view, the annotation looks like this:

Screenshot 2023-05-11 at 4 31 53 PM
pmocek commented 1 year ago

This message appears to be generated from line 44 of the source code for gitops-pusher, which is apparently used by the GitHub Actions action of topic, part of the definition of function modifiedExternallyError(), which appears to be called in apply() lines 67-69, and also in test() lines 108-110, in each case like so:

if cache.PrevETag != controlEtag {
    modifiedExternallyError()
}

controlEtag comes from getACLEtag(), and cache.PrevETag is passed as an argument to the function.

getACLEtag appears to make an api call to /api/v2/tailnet/<my-tailnet>/acl, and to return an ETag value from the HTTP response header.

jordemort commented 6 months ago

We are also having this problem. Every pull request against our ACL results in this annotation.

I dug into the code and gitops-pusher seems to want to read the previously pushed ETag from a file called version-cache.json in the current directory: https://github.com/tailscale/tailscale/blob/main/cmd/gitops-pusher/gitops-pusher.go#L33

However, I don't see anything in this action that would populate that file, or override its path, or maintain it between runs: https://github.com/tailscale/gitops-acl-action/blob/main/action.yml

jordemort commented 4 months ago

Aha, from reading the README of this repo (which I should have done in the first place) I've learned that version-cache.json is meant to be saved and restored by using this action in combination with actions/cache - an example workflow is provided there.