Reserve tag names our code reads from cloud resources

gjoranv · gjoranv · commit 9596391d35a2 · 2026-05-21T19:15:37.000+02:00
(future-proofing)

- NLB ownership check: tenant, tenantName, app, clusterid
- VPC endpoint service filters: system, application, cluster, generation, auth-method
- Preprovisioned LB branching: preprovisioned
diff --git a/config-provisioning/src/main/java/com/yahoo/config/provision/CloudResourceTags.java b/config-provisioning/src/main/java/com/yahoo/config/provision/CloudResourceTags.java
@@ -28,9 +28,20 @@ public class CloudResourceTags {
 
     private static final Pattern TEMPLATE_VARIABLE = Pattern.compile("\\$\\{[^}]+\\}");
 
-    /** System tag names reserved by the platform. Compared case-insensitively against customer keys. */
+    /**
+     * System tag names reserved by the platform. Compared case-insensitively against customer keys.
+     * Add a key here when our code reads it from a tag on a Vespa-managed resource, so a customer
+     * override cannot break our lookups or ownership checks.
+     */
     private static final List<String> RESERVED_TAG_NAMES = List.of(
-            "applicationid", "athenz", "athenz-domain", "athenzservice", "fqdn", "name", "owner", "zone");
+            // EC2 instance and EBS volume identification
+            "applicationid", "athenz", "athenz-domain", "athenzservice", "fqdn", "name", "owner", "zone",
+            // NLB and target group ownership check
+            "tenant", "tenantName", "app", "clusterid",
+            // VPC endpoint service identification
+            "system", "application", "cluster", "generation", "auth-method",
+            // Load balancer preprovisioning
+            "preprovisioned");
 
     /** Key prefixes reserved by the platform. Compared case-insensitively against customer keys. */
     private static final List<String> RESERVED_KEY_PREFIXES = List.of("vai_", "corp_", "bastion_");
diff --git a/config-provisioning/src/test/java/com/yahoo/config/provision/CloudResourceTagsTest.java b/config-provisioning/src/test/java/com/yahoo/config/provision/CloudResourceTagsTest.java
@@ -160,6 +160,7 @@ void vai_prefix_rejected() {
 
     @Test
     void reserved_tag_names_rejected() {
+        // EC2 instance / EBS volume
         assertThrows(IllegalArgumentException.class, () -> CloudResourceTags.from(Map.of("applicationid", "value")));
         assertThrows(IllegalArgumentException.class, () -> CloudResourceTags.from(Map.of("athenz", "value")));
         assertThrows(IllegalArgumentException.class, () -> CloudResourceTags.from(Map.of("athenz-domain", "value")));
@@ -168,6 +169,19 @@ void reserved_tag_names_rejected() {
         assertThrows(IllegalArgumentException.class, () -> CloudResourceTags.from(Map.of("name", "value")));
         assertThrows(IllegalArgumentException.class, () -> CloudResourceTags.from(Map.of("owner", "value")));
         assertThrows(IllegalArgumentException.class, () -> CloudResourceTags.from(Map.of("zone", "value")));
+        // NLB / target group
+        assertThrows(IllegalArgumentException.class, () -> CloudResourceTags.from(Map.of("tenant", "value")));
+        assertThrows(IllegalArgumentException.class, () -> CloudResourceTags.from(Map.of("tenantName", "value")));
+        assertThrows(IllegalArgumentException.class, () -> CloudResourceTags.from(Map.of("app", "value")));
+        assertThrows(IllegalArgumentException.class, () -> CloudResourceTags.from(Map.of("clusterid", "value")));
+        // VPC endpoint service
+        assertThrows(IllegalArgumentException.class, () -> CloudResourceTags.from(Map.of("system", "value")));
+        assertThrows(IllegalArgumentException.class, () -> CloudResourceTags.from(Map.of("application", "value")));
+        assertThrows(IllegalArgumentException.class, () -> CloudResourceTags.from(Map.of("cluster", "value")));
+        assertThrows(IllegalArgumentException.class, () -> CloudResourceTags.from(Map.of("generation", "value")));
+        assertThrows(IllegalArgumentException.class, () -> CloudResourceTags.from(Map.of("auth-method", "value")));
+        // Load balancer preprovisioning
+        assertThrows(IllegalArgumentException.class, () -> CloudResourceTags.from(Map.of("preprovisioned", "value")));
     }
 
     @Test
@@ -462,15 +476,15 @@ void resolve_substitutes_all_placeholders() {
                 "env", "${environment}",
                 "loc", "${region}",
                 "team", "${tenant}-${application}-${instance}",
-                "cluster", "${clustername}",
+                "cluster_name", "${clustername}",
                 "type", "${clustertype}",
                 "combined", "${environment}-${clustername}-${clustertype}"));
         var resolved = tags.resolve(testApp, testEnv, testRegion,
                                     ClusterSpec.Id.from("my-search"), ClusterSpec.Type.content);
         assertEquals("prod", resolved.asMap().get("env"));
         assertEquals("aws-us-east-1c", resolved.asMap().get("loc"));
         assertEquals("tenant1-app1-default", resolved.asMap().get("team"));
-        assertEquals("my-search", resolved.asMap().get("cluster"));
+        assertEquals("my-search", resolved.asMap().get("cluster_name"));
         assertEquals("content", resolved.asMap().get("type"));
         assertEquals("prod-my-search-content", resolved.asMap().get("combined"));
     }
