wip: Start on wiring up hasura/config-api to each other (#373/#380)

Need to:
- Implement Go action handlers in config-api (on separate optional hasura-only listen port)
- Create `hasura-action-secret` Secret in controller (copy `hasura-admin-secret` handling)

Signed-off-by: Nick Parker <nick@opstrace.com>

go/cmd/config/main.go

@@ -47,6 +47,8 @@ func main() {
 	flag.StringVar(&loglevel, "loglevel", "info", "error|info|debug")
 	var listenAddress string
 	flag.StringVar(&listenAddress, "listen", "", "")
+	var actionAddress string
+	flag.StringVar(&actionAddress, "action", "", "")
 
 	flag.BoolVar(&disableAPIAuthentication, "disable-api-authn", false, "")
 
@@ -62,6 +64,7 @@ func main() {
 		log.Fatalf("missing required --listen")
 	}
 	log.Infof("listen address: %s", listenAddress)
+	log.Infof("action hook address: %s", actionAddress)
 
 	cortexDefault := "http://localhost"
 	rulerURL := envEndpointURL("CORTEX_RULER_ENDPOINT", &cortexDefault)
@@ -145,6 +148,11 @@ func main() {
 	exporters := router.PathPrefix("/api/v1/exporters").Subrouter()
 	setupConfigAPI(exporters, listExporters, writeExporters, getExporter, deleteExporter)
 
+	if actionAddress != "" {
+		// TODO set up and launch action listener (with its own router) in other thread
+		// TODO listener should have validators for credentials/exporters
+		// TODO listener should have setter/getter for alertmanager config that route to cortex GET,POST /api/v1/alerts: https://cortexmetrics.io/docs/api/#get-alertmanager-configuration
+	}
 	log.Fatalf("terminated: %v", http.ListenAndServe(listenAddress, router))
 }
 

packages/app/docker-compose.yml

@@ -28,9 +28,9 @@ services:
   graphql:
     image: hasura/graphql-engine:v1.3.3.cli-migrations-v2
     ports:
-      - "8080:8080"
+      - 8080:8080
     depends_on:
-      - "postgres"
+      - postgres
     restart: always
     volumes:
       - ./migrations:/hasura-migrations
@@ -47,26 +47,47 @@ services:
       HASURA_GRAPHQL_ADMIN_SECRET: myadminsecret
       ## https://hasura.io/docs/1.0/graphql/core/guides/telemetry.html
       HASURA_GRAPHQL_ENABLE_TELEMETRY: "false"
+      ## Referenced by Hasura actions.yaml
+      ACTION_CONFIG_API_ENDPOINT: http://localhost:8082
+      ACTION_CONFIG_API_SECRET: someactionsecret
+  # Config service for Hasura Actions that call into it
+  config:
+    image: opstrace/config-api:TODO
+    command:
+      - -listen=:8081
+      - -action=:8082
+      - -disable-api-authn
+    ports:
+      - 8081:8081
+    environment:
+      GRAPHQL_ENDPOINT: http://localhost:8080
+      HASURA_GRAPHQL_ADMIN_SECRET: myadminsecret
+      HASURA_ACTION_SECRET: someactionsecret
   # S3 service for storing modules
   s3:
     image: minio/minio
     ports:
-      - "9000:9000"
+      - 9000:9000
     environment:
       MINIO_ACCESS_KEY: AKIAIOSFODNN7EXAMPLE
       MINIO_SECRET_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
     command: server /data
     healthcheck:
-      test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"]
+      test:
+        - CMD
+        - curl
+        - -f
+        - http://localhost:9000/minio/health/live
       interval: 30s
       timeout: 20s
       retries: 3
     logging:
       driver: none
+  # Used by app directly
   redis:
     image: bitnami/redis:6.0.9
     environment:
       - REDIS_PASSWORD=myredispassword
       - REDIS_DISABLE_COMMANDS=FLUSHDB,FLUSHALL
     ports:
-      - 6379:6379
+      - 6379:6379

packages/app/metadata/actions.graphql

@@ -1,2 +1,57 @@
+type Mutation {
+  GetAlertmanagerConfig (
+    tenant: String!
+  ): GetAlertmanagerConfigOutput
+}
 
 
+type Mutation {
+  SetAlertmanagerConfig (
+    tenant: String!
+    config: String!
+  ): SetAlertmanagerConfigOutput
+}
+
+
+type Mutation {
+  ValidateCredential (
+    tenant: String!
+    name: String!
+    type: String!
+    value: json!
+  ): ValidateCredentialOutput
+}
+
+
+type Mutation {
+  ValidateExporter (
+    tenant: String!
+    name: String!
+    type: String!
+    credential: String
+    config: json!
+  ): ValidateExporterOutput
+}
+
+
+
+
+type GetAlertmanagerConfigOutput {
+  tenant : String!
+  config : String!
+}
+
+type SetAlertmanagerConfigOutput {
+  tenant : String!
+}
+
+type ValidateCredentialOutput {
+  tenant : String!
+  name : String!
+}
+
+type ValidateExporterOutput {
+  tenant : String!
+  name : String!
+}
+

packages/app/metadata/actions.yaml

@@ -1,6 +1,46 @@
-actions: []
+actions:
+- name: GetAlertmanagerConfig
+  definition:
+    kind: synchronous
+    handler: '{{ACTION_CONFIG_API_ENDPOINT}}'
+    headers:
+    - name: Hasura-Secret
+      value_from_env: ACTION_CONFIG_API_SECRET
+  permissions:
+  - role: user_admin
+- name: SetAlertmanagerConfig
+  definition:
+    kind: synchronous
+    handler: '{{ACTION_CONFIG_API_ENDPOINT}}'
+    headers:
+    - name: Hasura-Secret
+      value_from_env: ACTION_CONFIG_API_SECRET
+  permissions:
+  - role: user_admin
+- name: ValidateCredential
+  definition:
+    kind: synchronous
+    handler: '{{ACTION_CONFIG_API_ENDPOINT}}'
+    headers:
+    - name: Hasura-Secret
+      value_from_env: ACTION_CONFIG_API_SECRET
+  permissions:
+  - role: user_admin
+- name: ValidateExporter
+  definition:
+    kind: synchronous
+    handler: '{{ACTION_CONFIG_API_ENDPOINT}}'
+    headers:
+    - name: Hasura-Secret
+      value_from_env: ACTION_CONFIG_API_SECRET
+  permissions:
+  - role: user_admin
 custom_types:
   enums: []
   input_objects: []
-  objects: []
+  objects:
+  - name: GetAlertmanagerConfigOutput
+  - name: SetAlertmanagerConfigOutput
+  - name: ValidateCredentialOutput
+  - name: ValidateExporterOutput
   scalars: []

packages/controller/src/resources/app/api.ts

@@ -57,6 +57,7 @@ export function OpstraceAPIResources(
 
   const commandArgs = [
     "-listen=:8080",
+    "-action=:8081",
   ]
   const commandEnv: V1EnvVar[] = [
     {
@@ -79,6 +80,15 @@ export function OpstraceAPIResources(
           key: "HASURA_ADMIN_SECRET"
         }
       }
+    },
+    {
+      name: "HASURA_ACTION_SECRET",
+      valueFrom: {
+        secretKeyRef: {
+          name: "hasura-action-secret",
+          key: "HASURA_CONFIG_API_SECRET"
+        }
+      }
     }
   ]
 
@@ -134,6 +144,11 @@ export function OpstraceAPIResources(
                       name: "http",
                       protocol: "TCP",
                       containerPort: 8080
+                    },
+                    {
+                      name: "action",
+                      protocol: "TCP",
+                      containerPort: 8081
                     }
                   ],
                   readinessProbe: probeConfig,
@@ -169,7 +184,14 @@ export function OpstraceAPIResources(
               port: 8080,
               protocol: "TCP",
               // eslint-disable-next-line @typescript-eslint/no-explicit-any
-              targetPort: 8080 as any
+              targetPort: "http" as any
+            },
+            {
+              name: "action",
+              port: 8081,
+              protocol: "TCP",
+              // eslint-disable-next-line @typescript-eslint/no-explicit-any
+              targetPort: "action" as any
             }
           ],
           selector: {

packages/controller/src/resources/app/app.ts

@@ -415,6 +415,19 @@ export function OpstraceApplicationResources(
                     {
                       name: "HASURA_GRAPHQL_ENABLED_LOG_TYPES",
                       value: "startup, http-log, websocket-log"
+                    },
+                    {
+                      name: "ACTION_CONFIG_API_ENDPOINT",
+                      value: `http://config.${namespace}.svc.cluster.local:8081`,
+                    },
+                    {
+                      name: "ACTION_CONFIG_API_SECRET",
+                      valueFrom: {
+                        secretKeyRef: {
+                          name: "hasura-action-secret",
+                          key: "HASURA_CONFIG_API_SECRET"
+                        }
+                      }
                     }
                   ],
                   ports: [