Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[ui] Sentinel Policies CRUD UI #20483

Merged
merged 18 commits into from
May 22, 2024
Merged

[ui] Sentinel Policies CRUD UI #20483

merged 18 commits into from
May 22, 2024

Conversation

philrenaud
Copy link
Contributor

@philrenaud philrenaud commented Apr 25, 2024

Provides access to Create, Edit, and Delete Sentinel Policies via the web UI.

By virtue of being within the /administration/ route (née /access-control/), this requires a management token. Additionally, this requires sentinel policies in the features list provided by the agent, which is an enterprise feature.

Sentinel policies are enforced and shown at plan and run stage, and can be set as hard-mandatory, soft-mandatory, or advisory (warning but not preventing).

This PR also provides a Gallery of demo/jumping-off-point sentinel policies for things like "no friday deploys" or "must include canaries".

Side-effects:

  • Renamed the "Access Control" section to "Administration" with an eye toward adding further sub-sections, like node pool CRUD.
  • Administration card layout widened to accommodate a default of 5 cards (was originally built for 3)

TODO:

image
image
image

@philrenaud philrenaud self-assigned this Apr 25, 2024
Copy link

github-actions bot commented Apr 25, 2024

Ember Test Audit comparison

main 03faca2 change
passes 1559 1562 +3
failures 0 0 0
flaky 0 0 0
duration 11m 40s 429ms 11m 27s 189ms -13s 240ms

// import vaultSecretsPolicy from './sentinel_policy_templates/vault-secrets-only';
// import dyanmicPortsPolicy from './sentinel_policy_templates/dynamic-ports-only';
import resourceLimitsPolicy from './sentinel_policy_templates/resource-limits';
// import constraintEnforcmentPolicy from './sentinel_policy_templates/constraint-enforcement';
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A big TODO with this PR: do we launch this without the commented-out policies (which are currently just placeholders below), or can we write them in such a way that they make sense as starter templates (knowing Nomad ships with Sentinel v0.15.x?)

@philrenaud philrenaud added this to the 1.8.0 milestone May 10, 2024
@philrenaud philrenaud requested a review from tgross May 10, 2024 02:29
@philrenaud philrenaud marked this pull request as ready for review May 10, 2024 02:29
Copy link
Contributor

@david-yu david-yu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Awesome, thank you. Does anyone know how to bump the sentinel version to the latest?

@david-yu
Copy link
Contributor

We should definitely bump up sentinel and sentinel-sdk, as our sentinel version 0.15.x is over 2 years old.

@tgross
Copy link
Member

tgross commented May 10, 2024

We should definitely bump up sentinel and sentinel-sdk, as our sentinel version 0.15.x is over 2 years old.

@david-yu I had a look at that this morning, and we can't update Sentinel without also updating our HCL2 library. But we're on a fork of HCL2 with languages changes we needed to prevent breaking backwards compatibility when we shipped HCL2 support in Nomad 1.0. We made an attempt to update in #18122 but that never got wrapped up and it's now behind 2.19.

Ideally we'd either (a) get our HCL2 changes upstreamed to main, but that's going to be a lift because it involves language changes, or (b) accept that we're going to break backcompat in the jobspec as we probably should have done when we originally switched to HCL2 for Nomad 1.0. In any case, unfortunately this is work we'll need to plan rather than just a quick dependency bump. 😿

Copy link
Member

@tgross tgross left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

I've left a few minor questions but nothing blocking.

@david-yu
Copy link
Contributor

@philrenaud Also wondering if Sentinel will show up as a submenu here?
image

@david-yu
Copy link
Contributor

david-yu commented May 10, 2024

We should definitely bump up sentinel and sentinel-sdk, as our sentinel version 0.15.x is over 2 years old.

@david-yu I had a look at that this morning, and we can't update Sentinel without also updating our HCL2 library. But we're on a fork of HCL2 with languages changes we needed to prevent breaking backwards compatibility when we shipped HCL2 support in Nomad 1.0. We made an attempt to update in #18122 but that never got wrapped up and it's now behind 2.19.

Ideally we'd either (a) get our HCL2 changes upstreamed to main, but that's going to be a lift because it involves language changes, or (b) accept that we're going to break backcompat in the jobspec as we probably should have done when we originally switched to HCL2 for Nomad 1.0. In any case, unfortunately this is work we'll need to plan rather than just a quick dependency bump. 😿

It looks like we're going to try to attempt a, and get our HCL2 changes into main for hcl2.

@philrenaud
Copy link
Contributor Author

Also wondering if Sentinel will show up as a submenu here?
@david-yu confirming that it does (when running ENT Nomad):
image

@david-yu
Copy link
Contributor

Submenu looks great, thank you!

@tgross tgross added the stage/needs-rebase This PR needs to be rebased on main before it can be backported to pick up new BPA workflows label May 17, 2024
@angrycub
Copy link
Contributor

This is looking so good. I've been using it while developing out sample policies and noticed a couple of things:

  • If I re-save the policy, could that auto-dismiss any previous result? Sometimes I get result buildup in the corner and partially dismiss some before saving again which leaves an odd visible state.

  • For some reason, I do not necessarily see the Sentinel editor UI the first pass into the Administration page and have to refresh it to get that card to appear the first time I enter the UI. (this has been intermittent)

  • Since we have hard validation rules for sentinel policy names, can we prevalidate the value without having to round trip it? Like with an invalid highlight on the box or something? (especially since the name is on the far side of the box from the submit.)

  • There is the seems syntax highlight hiccup around multiline block comments. (This is probably due to the highlighter picking a language that looks like Sentinel.

@david-yu
Copy link
Contributor

Would be nice if its possible to add a template to prevent job descriptions: #18292

@philrenaud
Copy link
Contributor Author

Since we have hard validation rules for sentinel policy names, can we prevalidate the value without having to round trip it? Like with an invalid highlight on the box or something? (especially since the name is on the far side of the box from the submit.)

Noting that we throw this error without roundtripping:
image

I'll highlight the name box on this error, though

@philrenaud philrenaud merged commit 86c858c into main May 22, 2024
15 checks passed
@philrenaud philrenaud deleted the sentinel-ui branch May 22, 2024 20:41
Copy link

github-actions bot commented Jan 7, 2025

I'm going to lock this pull request because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 7, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
stage/needs-rebase This PR needs to be rebased on main before it can be backported to pick up new BPA workflows
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants