Added Service as a new target type (#3022)

* Basic service support added

* Function rename + more doc

* Changelog

* Config doc

* Fixed .target docs

* Changelog 2

* Doc fixed

* operator setup fixed

* Assert some validity for service targets

* Added docs on why we already check user access to the service/workload pods

* Apply suggestions from code review

Co-authored-by: t4lz <[email protected]>

* Apply suggestions from code review

Co-authored-by: t4lz <[email protected]>

* Fix doc

* Updated schema and configuration.md

---------

Co-authored-by: t4lz <[email protected]>

changelog.d/+service-target.added.md

@@ -0,0 +1 @@
+Added Kubernetes Service as a new type of mirrord target (requires mirrord operator).

changelog.d/3009.fixed.md

@@ -0,0 +1 @@
+Fixed misleading doc for `.target.namespace` config.

mirrord-schema.json

@@ -1689,6 +1689,24 @@
       },
       "additionalProperties": false
     },
+    "ServiceTarget": {
+      "type": "object",
+      "required": [
+        "service"
+      ],
+      "properties": {
+        "container": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
+        "service": {
+          "type": "string"
+        }
+      },
+      "additionalProperties": false
+    },
     "SplitQueuesConfig": {
       "description": "```json { \"feature\": { \"split_queues\": { \"first-queue\": { \"queue_type\": \"SQS\", \"message_filter\": { \"wows\": \"so wows\", \"coolz\": \"^very\" } }, \"second-queue\": { \"queue_type\": \"SQS\", \"message_filter\": { \"who\": \"you$\" } }, \"third-queue\": { \"queue_type\": \"Kafka\", \"message_filter\": { \"who\": \"you$\" } }, \"fourth-queue\": { \"queue_type\": \"Kafka\", \"message_filter\": { \"wows\": \"so wows\", \"coolz\": \"^very\" } }, } } } ```",
       "type": "object",
@@ -1715,56 +1733,64 @@
       "additionalProperties": false
     },
     "Target": {
-      "description": "<!--${internal}--> ## path\n\nSpecifies the running pod (or deployment) to mirror.\n\nSupports: - `pod/{sample-pod}`; - `deployment/{sample-deployment}`; - `container/{sample-container}`; - `containername/{sample-container}`. - `job/{sample-job}`; - `cronjob/{sample-cronjob}`; - `statefulset/{sample-statefulset}`;",
+      "description": "<!--${internal}--> ## path\n\nSpecifies the running pod (or deployment) to mirror.\n\nSupports: - `targetless` - `pod/{pod-name}[/container/{container-name}]`; - `deployment/{deployment-name}[/container/{container-name}]`; - `rollout/{rollout-name}[/container/{container-name}]`; - `job/{job-name}[/container/{container-name}]`; - `cronjob/{cronjob-name}[/container/{container-name}]`; - `statefulset/{statefulset-name}[/container/{container-name}]`; - `service/{service-name}[/container/{container-name}]`;",
       "anyOf": [
         {
-          "description": "<!--${internal}--> Mirror a deployment.",
+          "description": "<!--${internal}--> [Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/).",
           "allOf": [
             {
               "$ref": "#/definitions/DeploymentTarget"
             }
           ]
         },
         {
-          "description": "<!--${internal}--> Mirror a pod.",
+          "description": "<!--${internal}--> [Pod](https://kubernetes.io/docs/concepts/workloads/pods/).",
           "allOf": [
             {
               "$ref": "#/definitions/PodTarget"
             }
           ]
         },
         {
-          "description": "<!--${internal}--> Mirror a rollout.",
+          "description": "<!--${internal}--> [Argo Rollout](https://argoproj.github.io/argo-rollouts/#how-does-it-work).",
           "allOf": [
             {
               "$ref": "#/definitions/RolloutTarget"
             }
           ]
         },
         {
-          "description": "<!--${internal}--> Mirror a Job.\n\nOnly supported when `copy_target` is enabled.",
+          "description": "<!--${internal}--> [Job](https://kubernetes.io/docs/concepts/workloads/controllers/job/).\n\nOnly supported when `copy_target` is enabled.",
           "allOf": [
             {
               "$ref": "#/definitions/JobTarget"
             }
           ]
         },
         {
-          "description": "<!--${internal}--> Targets a [CronJob](https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/).\n\nOnly supported when `copy_target` is enabled.",
+          "description": "<!--${internal}--> [CronJob](https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/).\n\nOnly supported when `copy_target` is enabled.",
           "allOf": [
             {
               "$ref": "#/definitions/CronJobTarget"
             }
           ]
         },
         {
-          "description": "<!--${internal}--> Targets a [StatefulSet](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/).\n\nOnly supported when `copy_target` is enabled.",
+          "description": "<!--${internal}--> [StatefulSet](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/).",
           "allOf": [
             {
               "$ref": "#/definitions/StatefulSetTarget"
             }
           ]
         },
+        {
+          "description": "<!--${internal}--> [Service](https://kubernetes.io/docs/concepts/services-networking/service/).",
+          "allOf": [
+            {
+              "$ref": "#/definitions/ServiceTarget"
+            }
+          ]
+        },
         {
           "description": "<!--${internal}--> Spawn a new pod.",
           "type": "null"

mirrord/cli/src/verify_config.rs

@@ -8,7 +8,8 @@ use mirrord_config::{
     feature::FeatureConfig,
     target::{
         cron_job::CronJobTarget, deployment::DeploymentTarget, job::JobTarget, pod::PodTarget,
-        rollout::RolloutTarget, stateful_set::StatefulSetTarget, Target, TargetConfig,
+        rollout::RolloutTarget, service::ServiceTarget, stateful_set::StatefulSetTarget, Target,
+        TargetConfig,
     },
 };
 use serde::Serialize;
@@ -43,6 +44,9 @@ enum VerifiedTarget {
 
     #[serde(untagged)]
     StatefulSet(StatefulSetTarget),
+
+    #[serde(untagged)]
+    Service(ServiceTarget),
 }
 
 impl From<Target> for VerifiedTarget {
@@ -54,6 +58,7 @@ impl From<Target> for VerifiedTarget {
             Target::Job(target) => Self::Job(target),
             Target::CronJob(target) => Self::CronJob(target),
             Target::StatefulSet(target) => Self::StatefulSet(target),
+            Target::Service(target) => Self::Service(target),
             Target::Targetless => Self::Targetless,
         }
     }
@@ -69,6 +74,7 @@ impl From<VerifiedTarget> for TargetType {
             VerifiedTarget::Job(_) => TargetType::Job,
             VerifiedTarget::CronJob(_) => TargetType::CronJob,
             VerifiedTarget::StatefulSet(_) => TargetType::StatefulSet,
+            VerifiedTarget::Service(_) => TargetType::Service,
         }
     }
 }
@@ -99,6 +105,7 @@ enum TargetType {
     Job,
     CronJob,
     StatefulSet,
+    Service,
 }
 
 impl core::fmt::Display for TargetType {
@@ -111,6 +118,7 @@ impl core::fmt::Display for TargetType {
             TargetType::Job => "job",
             TargetType::CronJob => "cronjob",
             TargetType::StatefulSet => "statefulset",
+            TargetType::Service => "service",
         };
 
         f.write_str(stringifed)
@@ -127,6 +135,7 @@ impl TargetType {
             Self::Job,
             Self::CronJob,
             Self::StatefulSet,
+            Self::Service,
         ]
         .into_iter()
     }
@@ -136,6 +145,7 @@ impl TargetType {
             Self::Targetless | Self::Rollout => !config.copy_target.enabled,
             Self::Pod => !(config.copy_target.enabled && config.copy_target.scale_down),
             Self::Job | Self::CronJob => config.copy_target.enabled,
+            Self::Service => !config.copy_target.enabled,
             Self::Deployment | Self::StatefulSet => true,
         }
     }

mirrord/config/configuration.md

@@ -1561,13 +1561,23 @@ Accepts a single value, or multiple values separated by `;`.
 
 ## target {#root-target}
 
-Specifies the target and namespace to mirror, see [`path`](#target-path) for a list of
-accepted values for the `target` option.
+Specifies the target and namespace to target.
 
 The simplified configuration supports:
 
-- `pod/{sample-pod}/[container]/{sample-container}`;
-- `deployment/{sample-deployment}/[container]/{sample-container}`;
+- `targetless`
+- `pod/{pod-name}[/container/{container-name}]`;
+- `deployment/{deployment-name}[/container/{container-name}]`;
+- `rollout/{rollout-name}[/container/{container-name}]`;
+- `job/{job-name}[/container/{container-name}]`;
+- `cronjob/{cronjob-name}[/container/{container-name}]`;
+- `statefulset/{statefulset-name}[/container/{container-name}]`;
+- `service/{service-name}[/container/{container-name}]`;
+
+Please note that:
+
+- `job`, `cronjob`, `statefulset` and `service` targets require the mirrord Operator
+- `job` and `cronjob` targets require the [`copy_target`](#feature-copy_target) feature
 
 Shortened setup:
 
@@ -1577,38 +1587,63 @@ Shortened setup:
 }
 ```
 
+The setup above will result in a session targeting the `bear-pod` Kubernetes pod
+in the user's default namespace. A target container will be chosen by mirrord.
+
+Shortened setup with target container:
+
+```json
+{
+  "target": "pod/bear-pod/container/bear-pod-container"
+}
+```
+
+The setup above will result in a session targeting the `bear-pod-container` container
+in the `bear-pod` Kubernetes pod in the user's default namespace.
+
 Complete setup:
 
 ```json
 {
  "target": {
    "path": {
-     "pod": "bear-pod"
+     "pod": "bear-pod",
+     "container": "bear-pod-container"
    },
-   "namespace": "default"
+   "namespace": "bear-pod-namespace"
  }
 }
 ```
 
+The setup above will result in a session targeting the `bear-pod-container` container
+in the `bear-pod` Kubernetes pod in the `bear-pod-namespace` namespace.
+
 ### target.namespace {#target-namespace}
 
 Namespace where the target lives.
 
-Defaults to `"default"`.
+Defaults to the Kubernetes user's default namespace (defined in Kubernetes context).
 
 ### target.path {#target-path}
 
-Specifies the running pod (or deployment) to mirror.
+Specifies the Kubernetes resource to target.
 
-Note: Deployment level steal/mirroring is available only in mirrord for Teams
-If you use it without it, it will choose a random pod replica to work with.
+Note: targeting services and whole workloads is available only in mirrord for Teams.
+If you target a workload without the mirrord Operator, it will choose a random pod replica
+to work with.
 
 Supports:
-- `pod/{sample-pod}`;
-- `deployment/{sample-deployment}`;
-- `container/{sample-container}`;
-- `containername/{sample-container}`.
-- `job/{sample-job}` (only when [`copy_target`](#feature-copy_target) is enabled).
+- `targetless`
+- `pod/{pod-name}[/container/{container-name}]`;
+- `deployment/{deployment-name}[/container/{container-name}]`;
+- `rollout/{rollout-name}[/container/{container-name}]`;
+- `job/{job-name}[/container/{container-name}]`; (requires mirrord Operator and the
+  [`copy_target`](#feature-copy_target) feature)
+- `cronjob/{cronjob-name}[/container/{container-name}]`; (requires mirrord Operator and the
+  [`copy_target`](#feature-copy_target) feature)
+- `statefulset/{statefulset-name}[/container/{container-name}]`; (requires mirrord
+  Operator)
+- `service/{service-name}[/container/{container-name}]`; (requires mirrord Operator)
 
 ## telemetry {#root-telemetry}
 Controls whether or not mirrord sends telemetry data to MetalBear cloud.

mirrord/config/src/lib.rs

@@ -540,6 +540,14 @@ impl LayerConfig {
                 ));
             }
 
+            if matches!(self.target.path, Some(Target::Service(..))) {
+                return Err(ConfigError::Conflict(
+                    "The copy target feature is not yet supported with service targets, \
+                    please either disable this option or specify an exact workload covered by this service."
+                        .into()
+                ));
+            }
+
             if !self.feature.network.incoming.is_steal() {
                 context.add_warning(
                     "Using copy target feature without steal mode \