Implement Hasura Actions for updating AlertManager configs and validating Credential/Exporter configurations #373
Comments
Something pointed out in the above issue is that it will likely be tricky for the UI to invoke the Go APIs, because they do not have access to the auth tokens that an end user is expected to use with curl commands. Given this, it'd be way easier for the UI to just talk to Hasura/graphql directly. Hence why we'd want Hasura to implement any config validation via actions if possible. Figuring out whether this is feasible should be done soon to avoid blocking the UI on knowing what API to call. Assuming it works, the actual implementation of the validation isn't blocking, assuming that adding it would be transparent to the UI (and other graphql clients). |
It looks like this should be pretty straightforward to do and the Hasura docs specifically call out the idea of running validation before an insert/update is performed. I still need to look a bit more into the following details:
Refs:
|
…373) Signed-off-by: Nick Parker <nick@opstrace.com>
Just had a discussion with Nahum about doing a similar thing, using Hasura Actions fetching and storing alertmanager configs from the UI (#380). In that case, no follow-up calls to Postgres are needed, as the call would just be a wrapper around an existing Opstrace API. Given this it would be a good starting point to get the alertmanager calls working first, and then I can come back to the this credentials/exporters case where the data needs to also be written to Postgres. In summary I'm going to briefly switch to working on #380 since it feels like that will end up accomplishing the first half of this ticket in the process, after which I can switch back to this and look into how to have an action that also writes to postgres afterwards. Also note for future: If an action that also writes to Postgres isn't possible, then the alternate solution may be to have separate calls for "run validation and write to postgres" vs "just write to postgres", where the UI calls the first, which wraps to a Go endpoint that runs validation and calls the second. |
This wouldn't be a big deal as it'd be straight forward to abstract the calls away. Infact might be handy to have a validation only call in some places. |
Oh that's a good point actually. Maybe it'd be better to just have a separate "validate" call entirely and keep the "write" calls as-is. That would allow the UI to run the validation periodically while a config is being edited, without actually committing the config to storage. |
BTW, an interesting side effect of using Typescript for UI and apis is that validation code can also be shared. If only it were possible to use Go to create UIs :-) |
Need to: - Implement Go action handlers in config-api (on separate optional hasura-only listen port) - Create `hasura-action-secret` Secret in controller (copy `hasura-admin-secret` handling) Signed-off-by: Nick Parker <nick@opstrace.com>
Need to: - Implement Go action handlers in config-api (on separate optional hasura-only listen port) - Create `hasura-action-secret` Secret in controller (copy `hasura-admin-secret` handling) Signed-off-by: Nick Parker <nick@opstrace.com>
Need to: - Implement Go action handlers in config-api (on separate optional hasura-only listen port) - Create `hasura-action-secret` Secret in controller (copy `hasura-admin-secret` handling) Signed-off-by: Nick Parker <nick@opstrace.com>
Combining this with the (more urgent) support for getting/setting alertmanager configs, since they both touch the same code and need the same plumbing from hasura. Had a meeting with Nahum to discuss how the GraphQL API would look. It turned out that Hasura Actions allow pretty free-form editing of the GraphQL structure. There is one limitation imposed by Hasura, that response types must be flat and cannot have nested types. At this point, the status is:
|
…#373) This should allow the UI to communicate with other things in the cluster, with Hasura/GraphQL acting as the common portal. - Adds plumbing to Hasura for querying the config-api service, using a shared secret to authenticate Hasura to the service - Implements calls for getting/setting the per-tenant alertmanager configuration in cortex - Implements calls for validating credential/exporter configs Signed-off-by: Nick Parker <nick@opstrace.com>
…xporters (#373) This should allow the UI to communicate with other things in the cluster, with Hasura/GraphQL acting as the common portal. - Adds plumbing to Hasura for querying the config-api service, using a shared secret to authenticate Hasura to the service - Implements calls for getting/setting the per-tenant alertmanager configuration in cortex - Implements calls for validating credential/exporter configs Signed-off-by: Nick Parker <nick@opstrace.com>
…xporters (#373) This should allow the UI to communicate with other things in the cluster, with Hasura/GraphQL acting as the common portal. - Adds plumbing to Hasura for querying the config-api service, using a shared secret to authenticate Hasura to the service - Implements calls for getting/setting the per-tenant alertmanager configuration in cortex - Implements calls for validating credential/exporter configs Signed-off-by: Nick Parker <nick@opstrace.com>
The code's been updated and I've been able to test with everything deployed into a test cluster. CI is happy as well. It looks like things work as expected. i just made some improvements to the error passthrough. cortex's schema errors aren't great but it should be okay for now. getting config that doesn't exist yet
setting invalid config
setting valid config
getting config that was just set (note: isn't exact string match, cortex seems to insert blank
|
…xporters (#373) (#461) * config: Implement Hasura Actions for alertmanager get/set and creds/exporters (#373) This should allow the UI to communicate with other things in the cluster, with Hasura/GraphQL acting as the common portal. - Adds plumbing to Hasura for querying the config-api service, using a shared secret to authenticate Hasura to the service - Implements calls for getting/setting the per-tenant alertmanager configuration in cortex - Implements calls for validating credential/exporter configs Signed-off-by: Nick Parker <nick@opstrace.com> * controller: Sync graphql schema, update graphql/app to reflect added Hasura Actions Signed-off-by: Nick Parker <nick@opstrace.com> * config: Pass-through HTTP body (containing original errors) on error response Signed-off-by: Nick Parker <nick@opstrace.com>
Had a meeting yesterday with @MatApple where he mentioned Hasura Actions: https://hasura.io/docs/1.0/graphql/core/actions/index.html
We might be able to add use them to embed validation at the point when data is submitted to GraphQL. For example, there's additional sanity checks for Credentials and Exporter configurations in the Go code - such as raising an error if the user tries to assign a GCP credential to a CloudWatch (AWS) exporter. But these sanity checks currently aren't run if the data is submitted directly to GraphQL, skipping the Go HTTP API. If we can embed them in the GraphQL layer, then the UI for example could reuse the same validation without needing to reimplement it in TypeScript.
Relates to: #310 (credentials/exporters epic), #314 (go API implementation issue)
The text was updated successfully, but these errors were encountered: