Extend token-vendor to aid with cleaning up stale robot registrations

Open ensonic opened this issue 1 year ago • 0 comments

See #PR/318.

Right now when deleting a registered robot (by deleting the robot-cr), the associated pubkey is not deleted, leading to an accumulation of stale pubkey configmaps in the app-tokenvendor namespace.

Some ideas:

  1. token-vendor could watch robot-crs and also delete pubkeys when robots are deleted. It should not auto-delete pubkeys where we don't have a robot-cr in the cloud, as we support a dev-setup where the robot-cr is not synced to the cloud.
  2. token-vendor could build an in-memory map of last seen timestamps and at a low rate (every 15 min), write those back to the pubkeys. Then one can script against this.
  3. token-vendor could use a counter metric for the verify requests and label them with the robot-id. Not sure if this would cause too high cardinality.

We should also consider labeling the pub-keys for easy filtering in the backup_robots.sh script.

ensonic, Feb 01 '24 09:02
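A sketch of idea 2 from the issue, added here as an illustration; it is not token-vendor code and not part of the original post. The names `LastSeen`, `Touch`, `Flush` and the `write` callback (standing in for whatever would annotate the pubkey configmap) are hypothetical.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// LastSeen is a hypothetical in-memory tracker of per-robot verify times.
type LastSeen struct {
	mu      sync.Mutex
	pending map[string]time.Time // robot-id -> newest verify time not yet written back
}

func NewLastSeen() *LastSeen { return &LastSeen{pending: map[string]time.Time{}} }

// Touch runs on the verify path; it only updates memory, never the API server.
func (l *LastSeen) Touch(id string, now time.Time) {
	l.mu.Lock()
	defer l.mu.Unlock()
	l.pending[id] = now
}

// Flush would be driven by a low-rate time.Ticker (15 min in the issue).
// It returns the number of entries written; failed writes are retried next time.
func (l *LastSeen) Flush(write func(id string, t time.Time) error) int {
	l.mu.Lock()
	batch := l.pending
	l.pending = map[string]time.Time{}
	l.mu.Unlock() // do not hold the lock during slow writes
	n := 0
	for id, t := range batch {
		if write(id, t) == nil {
			n++
			continue
		}
		l.mu.Lock()
		if _, newer := l.pending[id]; !newer { // a Touch during the flush wins
			l.pending[id] = t
		}
		l.mu.Unlock()
	}
	return n
}

func main() {
	ls := NewLastSeen()
	ls.Touch("robot-a", time.Now()) // constructed robot-id
	write := func(id string, t time.Time) error { fmt.Println("annotate", id, t.UTC().Format(time.RFC3339)); return nil }
	fmt.Println("written:", ls.Flush(write))
}
```

Only robots that verified since the previous flush cause a write, so the write-back load follows the number of active robots rather than the number of stored pubkeys.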