-
Notifications
You must be signed in to change notification settings - Fork 25
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
#WIP #FF fea: Log config changes. #236
Conversation
…void var values being accidentally loged. make a TODO note for it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry for delay! This was compounded by the fact that I don't see perfect solutions to some of these challenges.
Generally, yes I think being able to trace through config changes is useful. I'm not in love with S3 as the destination because that's somewhat arbitrary and a significant new scope/dependency-increase for Hokusai. Logging the changes with our regular logging solution isn't desirable due to the sensitivity. Putting them in Horizon's database also seems like an arbitrary scope-increase for that system. I keep coming back to whether we can just use kubernetes's native concepts for this, like storing the config-map archives as config-maps (or maybe even within some meta-config-map). Or is there another handy key/value store?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@artsyjian as we discussed on Slack I think, would advise that we try and use a Kubernetes ConfigMap to log changes rather than an S3 bucket
One thought is to use AWS Parameter Store. I've used it the past along with segmentio/chamber to manage configuration for services running in Elastic Container Service. Some benefits
Would be great to stay as close to Kubernetes as possible. If there's a way to react whenever a ConfigMap is created/updated (via hokusai / UI dashboard / etc) and automatically persist the value into Parameter Store, that might be pretty cool. We could then use the Parameter Store APIs within hokusai to list config map versions and rollback to previous states. Resources
ExamplesSetting a secure parameter with a JSON payload
Retrieving a secure parameter with decryption
Parsing JSON from decrypted parameter
Retrieving parameter history
|
Thanks @dblandin for the idea. The concept is really cool. If we want configs archived, a non-k8s key/value store (AWS Parameter Store, HashiCorp Vault, ...) makes a lot of sense. @izakp , @joeyAghion - About using k8s configmap concept, it seems to depend on whether we want changelogs or archives. For logging, configmap should work. I imagine each
A configmap's size is limited at 1MB. If a line averages 200 bytes, However, if we want config archives, we probably shouldn't use configmaps. Say we archive each old version of
|
https://artsyproduct.atlassian.net/browse/PLATFORM-2958
Supported by: https://github.com/artsy/infrastructure/pull/257
To demonstrate the idea of logging config changes.
Every run of
hokusai...env set/unset...
generates a log like these (values may be sensitive so are omitted):and ships it to S3:
![Screenshot from 2020-11-02 19-57-37](https://user-images.githubusercontent.com/63004951/97935171-c2052c80-1d45-11eb-9fd5-1a053ed50941.png)
Might these logs be useful?
The implementation is not ideal. S3 files are clunky to work with, and updating them adds ~1 second delay to Hokusai's response, which is noticeable. If we consider config changes also as
releases
, perhaps better to let Horizon manage storage (in a DB), so that Hokusai can just POST these events to Horizon? And later on we make them retrievable via ahokusai...env log
command?If we do go with this implementation, I shall add tests.