Proposal: Cloud Change Log #5477

@negz

What problem are you facing?

Per #1805 there's a strong demand for the ability to dry-run changes before making them to Crossplane. It's currently our most upvoted GitHub issue.

Dry-run means different things depending on who you ask, but I think it's safe to say a lot of folks are expecting a similar experience to what they're used to with terraform plan. They want to:

  • Validate their Crossplane configuration (syntax, Composition logic, etc.)
  • Build trust in Crossplane - that it will only do what they expect it to do
  • Notice and account for unexpected cloud drift (i.e. unexpected but correct changes)

We've made progress in this area. The crossplane beta render and crossplane beta validate commands for example help validate and build trust in Crossplane's Composition layer. They're not an end-to-end solution, though. They don't show you what actual changes Crossplane would make to the cloud.

Building end-to-end ("claim-to-cloud") dry-run into an always-on, constantly reconciling control plane is pretty tricky for a number of reasons I won't go into here. I touch on some of them in #4723.

It would be ideal if we could take a smaller step in the right direction - something to help folks build trust in Crossplane, to help give them more insight into what it's doing.

How could Crossplane help solve your problem?

I propose we add a change log to Crossplane. A log of changes Crossplane providers make to external systems.

Ideally these logs should include:

  • The provider name
  • The relevant MR’s identifying data (GVK, name, etc.)
  • The type of operation being made to the external resource (create, update, delete)
  • The observed state of the external resource immediately before the operation
  • The desired state of the external resource immediately before the operation
  • The result of the operation (success or error)

I think we should send these logs to a central location so that folks could easily see and query them in one place. We'd probably want to add a CLI tool, e.g. crossplane changelog to list recent changes.
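
An added example, not part of the original issue and not Crossplane code: a sketch of one change log record with the fields listed above, plus a helper that reports which field paths differ between the observed and desired state recorded just before the operation. The `Entry` type, its field names, `ChangedPaths` and the sample values are all hypothetical, and comparing the two states is an assumption about how a reader would use such a record.

```go
package main

import (
	"fmt"
	"reflect"
	"sort"
)

// Entry is a hypothetical record holding the fields the proposal lists.
type Entry struct {
	Provider, GVK, Name string
	Operation           string         // create, update or delete
	Observed, Desired   map[string]any // state immediately before the operation
	Err                 string         // empty means the operation succeeded
}

// ChangedPaths returns the sorted dotted paths whose values differ between
// the observed and desired state, descending into nested objects.
func ChangedPaths(observed, desired map[string]any) []string {
	keys := map[string]bool{}
	for k := range observed {
		keys[k] = true
	}
	for k := range desired {
		keys[k] = true
	}
	out := []string{}
	for k := range keys {
		om, oIsMap := observed[k].(map[string]any)
		dm, dIsMap := desired[k].(map[string]any)
		if oIsMap && dIsMap { // recurse so only the leaf that changed is reported
			for _, p := range ChangedPaths(om, dm) {
				out = append(out, k+"."+p)
			}
		} else if !reflect.DeepEqual(observed[k], desired[k]) {
			out = append(out, k)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed sample entry; provider and resource names are made up.
	e := Entry{Provider: "provider-example", GVK: "example.org/v1, Kind=Bucket", Name: "logs", Operation: "update",
		Observed: map[string]any{"tags": map[string]any{"env": "dev"}},
		Desired:  map[string]any{"tags": map[string]any{"env": "prod"}, "versioning": true}}
	fmt.Println(e.Provider, e.GVK, e.Name, e.Operation, ChangedPaths(e.Observed, e.Desired), e.Err == "")
}
```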

Labels: enhancement, observability, provider, roadmap, user experience