Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

nixos/prometheus: Fix match groups #127889

Closed
wants to merge 3 commits into from
Closed

nixos/prometheus: Fix match groups #127889

wants to merge 3 commits into from

Conversation

srhb
Copy link
Contributor

@srhb srhb commented Jun 23, 2021
edited
Loading

Motivation for this change

Attempt to fix #126083 without reverting the entire environment substitution mechanism.

This needs a backport to 21.05 to unbreak Prometheus configs using match groups, so please consider if my "transition scheme" wrt. assertions and options are acceptable for that purpose.

Things done
  • Test for match groups (which currently fails on unstable and 21.05) and substitution
  • Switch to GNU gettext envsubst -- I believe I've mostly preserved the semantics of the current option, but hopefully someone who uses it can test that. @pkern could you help? 🙂
  • Added a new option environmentVariables which explicitly needs to mention every variable that needs to be substituted. This is then fed to envsubst.
  • Added an assertion that hopefully protects anyone already using environmentFile from breaking their config in the opposite manner, by forgetting to mention the environment variables.
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • 21.11 Release Notes
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

srhb added 3 commits June 23, 2021 12:42
@srhb
nixos/tests/prometheus: Test match groups
ca22dad
@srhb
nixos/prometheus: add environmentVariables
85cfca8 
This commits limits runtime substitution to the variables mentioned in
the `environmentVariables` list, thereby fixing prometheus match groups
as long as no match group overlaps with the list.
@srhb
nixos/tests/prometheus: Test runtime substitution
e5f1892
@srhb srhb requested a review from WilliButz June 23, 2021 11:27
@github-actions github-actions bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` labels Jun 23, 2021
@ofborg ofborg bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 1-10 labels Jun 23, 2021
@pkern
Copy link
Contributor

pkern commented Jun 27, 2021

Kudos to attempting to fix it this way and thanks a lot for pointing out the issue in the first place - and apologies for the work necessary to deal with it. I will admit that this PR actually fixed a bug in my configuration as well (${1} being wrongly expanded). I tested your change and it does what it says on the tin. There doesn't seem to be much prior art beyond one instance where environmentVariables is actually a map. I guess I'd also not necessarily have expected the variables to be prefixed with $.

As it looks like there was a recent effort to add token file support to all service discovery methods on the Prometheus side, a rollback of my change might actually be cleaner. That was still missing from 20.09, but 21.05 has a recent enough version (>2.25). So passwords and bearer tokens are solved by password_file and bearer_token_file respectively.

(I'm not a maintainer though.)

@srhb
Copy link
Contributor Author

srhb commented Jun 28, 2021

Thanks for the comments. Yes, if it's the case that upstream has proper support for decoupling secrets from the config now, I'm inclined to revert instead. I'll open a PR when I have time later if no one beats me to it.

@srhb srhb mentioned this pull request Jun 30, 2021
Closed
11 tasks
@srhb
Copy link
Contributor Author

srhb commented Jun 30, 2021
edited
Loading

Opened #128731 instead

@srhb srhb closed this Jun 30, 2021
@basvandijk basvandijk mentioned this pull request Nov 7, 2021
Merged
12 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@WilliButz WilliButz Awaiting requested review from WilliButz

Assignees
No one assigned
Labels
6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 1-10
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Prometheus regex substitutions have to be escaped
2 participants
@srhb @pkern