Add public_ip host vitals label support + LIKE operator #46931
robbiet480 wants to merge 4 commits into
76a926a to 46f9f38
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Adds support for “domestic” host vitals (stored directly on hosts) in host vitals labels and introduces a LIKE operator for vitals matching.
Changes:
- Add host vitals for public_ip, hardware_model, and hardware_vendor and adjust query generation to omit JOINs for domestic vitals.
- Allow LIKE (in addition to =) in host vitals criteria and add tests for domestic vitals + operator validation.
- Document new vitals and operator support; extend gitops integration coverage.
Reviewed changes
Copilot reviewed 5 out of 8 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| server/service/labels_test.go | Adds service-level test for creating a domestic host vitals label (public_ip). |
| server/fleet/labels_test.go | Adds unit tests for domestic vitals query generation and operator rejection. |
| server/fleet/labels.go | Avoids extra whitespace when no JOINs; adds LIKE support in vitals parsing. |
| server/fleet/hosts.go | Registers domestic vitals mapped to hosts columns. |
| docs/REST API/rest-api.md | Documents new vitals and optional operator field for criteria. |
| docs/Configuration/yaml-files.md | Documents new vitals/operator in YAML and adds example config. |
| cmd/fleetctl/integrationtest/gitops/gitops_enterprise_integration_test.go | Updates gitops integration to exercise domestic vital + LIKE operator. |
| changes/add-domestic-host-vitals-labels | Adds changelog entry describing domestic vitals + LIKE operator. |
Walkthrough
Adds a domestic host vital entry for public_ip (mapped to hosts.public_ip), updates CalculateHostVitalsQuery to include JOINs only when foreign vitals are required, and extends parseHostVitalCriteria to accept both '=' and 'LIKE' operators. Unit and service tests assert generated SQL and parameter values for public_ip equality and LIKE cases and verify rejection of unsupported operators. The gitops integration test YAML and inline comments were updated to use public_ip with operator LIKE and a wildcard value; docs/changelog note public_ip and LIKE support.
Pre-merge checks | ✅ 4 | ❌ 1 (1 warning)
@coderabbitai review
✅ Action performed
Review finished.

46f9f38 to 2b5822e
…vendor) + LIKE operator

Host vitals labels could previously only target IdP-sourced vitals (end_user_idp_group, end_user_idp_department), which are foreign vitals joined from the scim_* tables. The HostVitalTypeDomestic type — for vitals stored directly on the hosts table — was defined but unused.

This registers three domestic vitals (public_ip, hardware_model, hardware_vendor) so labels can target host-table columns with no join. The motivating use case is labeling hosts by the office they connect from via their public egress IP, which osquery cannot observe.

Also adds a LIKE operator for criteria matching (in addition to the default =), enabling SQL wildcard patterns, and fixes a doubled space in the generated query when a vital has no foreign-table joins.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2b5822e to c416970

@coderabbitai full review
✅ Action performed
Full review finished.

Codecov Report
✅ All modified and coverable lines are covered by tests.
Additional details and impacted files
@@ Coverage Diff @@
## main #46931 +/- ##
==========================================
+ Coverage 67.02% 67.04% +0.01%
==========================================
Files 2862 2861 -1
Lines 224832 225014 +182
Branches 11739 11702 -37
==========================================
+ Hits 150699 150855 +156
- Misses 60480 60487 +7
- Partials 13653 13672 +19
@coderabbitai review
✅ Action performed
Review finished.

@claude review
…n docs example

- Replace deprecated ptr.String/ptr.RawMessage with new(expr) in the new host vitals tests (per .claude/rules/fleet-go-backend.md, Go 1.26+).
- Dedent the Engineering department and NYC office labels in the yaml-files.md 'Separate file' example to column 0 so the block is valid YAML (they were nested under the C-Suite mapping and failed to parse).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

I'm not sure I understand the use case behind this PR. You can already do all of this using labels without this code change.

Via osquery?

Yes. Here's an example of your New York office label:

Totally fair, and I did know of that route and consider it beforehand but thought since we already have the live data in Fleet, why do a whole osquery + hit an external API for it? As for the make/model info, again, we already have it local in Fleet, why do a roundtrip for it to every host? |

Other than the public IP address example, the hardware vendor and hardware model info is also being populated by osquery. The roundtrip is negligible since your devices are likely already reaching out to run refetch, reports, and policies.

Fair enough, will trim this down to just public IP

Drop the hardware_model and hardware_vendor domestic vitals. Both are osquery-observable (system_info), so they can already be targeted with a dynamic label — they added no capability. public_ip is the vital that isn't reachable any other way: Fleet derives it server-side from the host's connection, so no osquery/dynamic label can express it.

Keeps the public_ip domestic vital + LIKE operator support.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Summary
Host vitals labels currently only support foreign vitals sourced from IdP/SCIM data (end_user_idp_group, end_user_idp_department), which are joined from the scim_* tables. The HostVitalTypeDomestic type — for vitals stored directly on the hosts table — was already defined in the codebase but had no registered vitals.

This PR registers public_ip as a domestic host vital so labels can target it directly (no JOIN), and adds a LIKE operator for criteria matching (in addition to the default =) for wildcard patterns.

Motivation
The driving use case: labeling hosts by which network they connect from, keyed on their public egress IP — for example, scoping profiles or software to hosts physically in an office by its egress IP.

A host's public IP is server-side metadata: Fleet derives hosts.public_ip from the source address of the host's own connection (see server/service/osquery_utils/queries.go — publicip.FromContext), not from anything on the device. osquery has no table that reports the host's public/egress IP, so a dynamic (osquery) label can't express it. A host vitals label is the only label type that can filter on a Fleet-side hosts column, which is what makes this possible.

Example GitOps usage:

Changes
- server/fleet/hosts.go — register public_ip as a HostVitalTypeDomestic vital.
- server/fleet/labels.go — allow the LIKE operator in parseHostVitalCriteria (emitting the matching SQL operator); other operators (!=, >, <) remain rejected. Also fixes a doubled space in the generated query when a vital has no foreign-table joins.
- criteria table (vital list + new operator field) and the GitOps yaml-files.md labels section.
- public_ip vital and the LIKE operator in server/fleet, a domestic-vital create test in server/service (TestNewHostVitalsLabel), and the gitops enterprise integration test's host_vitals edit phase now switches to a public_ip + LIKE criteria to exercise the no-JOIN path end-to-end.

Testing
- go test ./server/fleet/ ✅
- go test ./server/service/ -run Label ✅
- golangci-lint run server/fleet/... → 0 issues
- cmd/fleetctl/integrationtest/gitops) requires MySQL; it compiles and the modified phase is covered there.

Notes for reviewers
- =/LIKE allowlist is intentionally conservative; And/Or and other operators remain unimplemented as before (existing TODOs).
- hosts.public_ip reflects the last-seen egress IP updated on host check-in — membership is as fresh as the host's last check-in, consistent with how the host vitals cron (5 min) materializes membership.

🤖 Generated with Claude Code
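The pattern the description above relies on, as an added example that is not code from this PR or from Fleet: the operator from the request is looked up in an allowlist and never written into the SQL, the column comes from a fixed registry, the criteria value travels only as a bound parameter, and the JOIN is omitted for a vital stored on hosts. The names `vital`, `vitals`, `operators`, `buildVitalQuery` and the `example_groups` table are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

// vital describes where a label-targetable value lives. Constructed for this
// example; the join and table names are placeholders, not Fleet's schema.
type vital struct {
	column string // fully qualified column, fixed in code
	joins  string // empty for a domestic vital stored on hosts
}

var vitals = map[string]vital{
	"public_ip":          {column: "hosts.public_ip"},
	"end_user_idp_group": {column: "example_groups.name", joins: "JOIN example_groups ON example_groups.host_id = hosts.id"},
}

// operators is the allowlist: request text is only ever a map key and never
// reaches the SQL string. An empty operator falls back to the default "=".
var operators = map[string]string{"": "=", "=": "=", "LIKE": "LIKE"}

// buildVitalQuery returns a parameterized query and its bound arguments.
func buildVitalQuery(name, op, value string) (string, []any, error) {
	v, ok := vitals[name]
	if !ok {
		return "", nil, fmt.Errorf("unknown vital %q", name)
	}
	sqlOp, ok := operators[op]
	if !ok {
		return "", nil, fmt.Errorf("unsupported operator %q", op)
	}
	parts := []string{"SELECT hosts.id FROM hosts"}
	if v.joins != "" { // skipping the empty join avoids a doubled space
		parts = append(parts, v.joins)
	}
	parts = append(parts, "WHERE", v.column, sqlOp, "?")
	return strings.Join(parts, " "), []any{value}, nil
}

func main() {
	// 203.0.113.0/24 is a documentation range; the pattern is constructed.
	q, args, err := buildVitalQuery("public_ip", "LIKE", "203.0.113.%")
	fmt.Println(q, args, err)
}
```

With LIKE, `%` and `_` in the criteria value are wildcards, so a pattern such as `203.0.113.1%` also matches `203.0.113.10` through `.19` and `.100` through `.199`; end the pattern on an octet boundary when the label gates profiles or software.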