fix(access): Exclude inline provider from reconciliation changes

The `ReconcileProviders` function was incorrectly including the default inline provider (`access.teleport.dev`) in the lists of added, updated, and removed providers. The inline provider is a special case managed directly by the access controller and does not correspond to a separate, reloadable resource. Including it in the change lists could lead to errors when attempting to perform lifecycle operations on it. This commit modifies the reconciliation logic to explicitly ignore the inline provider when calculating changes. This ensures that only external, reloadable providers are reported as changed, preventing incorrect lifecycle management.
2026-02-03 04:50:52 +08:00 · 2025-09-26 20:48:20 +08:00
parent b6d5ce2d4d
commit 08856a97fb
1 changed files with 21 additions and 8 deletions
--- a/sdk/access/reconcile.go
+++ b/sdk/access/reconcile.go
@@ -31,6 +31,16 @@ func ReconcileProviders(oldCfg, newCfg *config.Config, existing []Provider) (res
 	result = make([]Provider, 0, len(newEntries))
 	finalIDs := make(map[string]struct{}, len(newEntries))

+	isInlineProvider := func(id string) bool {
+		return strings.EqualFold(id, config.DefaultAccessProviderName)
+	}
+	appendChange := func(list *[]string, id string) {
+		if isInlineProvider(id) {
+			return
+		}
+		*list = append(*list, id)
+	}
+
 	for _, providerCfg := range newEntries {
 		key := providerIdentifier(providerCfg)
 		if key == "" {
@@ -54,12 +64,12 @@ func ReconcileProviders(oldCfg, newCfg *config.Config, existing []Provider) (res
 		}
 		if _, ok := oldCfgMap[key]; ok {
 			if _, existed := existingMap[key]; existed {
-				updated = append(updated, key)
+				appendChange(&updated, key)
 			} else {
-				added = append(added, key)
+				appendChange(&added, key)
 			}
 		} else {
-			added = append(added, key)
+			appendChange(&added, key)
 		}
 		result = append(result, provider)
 		finalIDs[key] = struct{}{}
@@ -81,9 +91,9 @@ func ReconcileProviders(oldCfg, newCfg *config.Config, existing []Provider) (res
 								return nil, nil, nil, nil, buildErr
 							}
 							if _, existed := existingMap[key]; existed {
-								updated = append(updated, key)
+								appendChange(&updated, key)
 							} else {
-								added = append(added, key)
+								appendChange(&added, key)
 							}
 							result = append(result, provider)
 						}
@@ -93,9 +103,9 @@ func ReconcileProviders(oldCfg, newCfg *config.Config, existing []Provider) (res
 							return nil, nil, nil, nil, buildErr
 						}
 						if _, existed := existingMap[key]; existed {
-							updated = append(updated, key)
+							appendChange(&updated, key)
 						} else {
-							added = append(added, key)
+							appendChange(&added, key)
 						}
 						result = append(result, provider)
 					}
@@ -104,7 +114,7 @@ func ReconcileProviders(oldCfg, newCfg *config.Config, existing []Provider) (res
 					if buildErr != nil {
 						return nil, nil, nil, nil, buildErr
 					}
-					added = append(added, key)
+					appendChange(&added, key)
 					result = append(result, provider)
 				}
 				finalIDs[key] = struct{}{}
@@ -115,6 +125,9 @@ func ReconcileProviders(oldCfg, newCfg *config.Config, existing []Provider) (res
 	removedSet := make(map[string]struct{})
 	for id := range existingMap {
 		if _, ok := finalIDs[id]; !ok {
+			if isInlineProvider(id) {
+				continue
+			}
 			removedSet[id] = struct{}{}
 		}
 	}