feat: allow users to pause prebuilt workspace reconciliation #18700
Conversation
…whether prebuilds are currently paused
|
Might be good to also avoid the term |
| @@ -29,6 +29,7 @@ const ( | |||
| MetricEligibleGauge = namespace + "eligible" | |||
| MetricPresetHardLimitedGauge = namespace + "preset_hard_limited" | |||
| MetricLastUpdatedGauge = namespace + "metrics_last_updated" | |||
| MetricReconciliationPausedGauge = namespace + "reconciliation_paused" | |||
There was a problem hiding this comment.
Paused is difficult to reason about; I'd suggest inverting and make it _running so that a good value is 1 and a bad value is 0.
There was a problem hiding this comment.
paused in this case has a technical meaning relating to a specific setting. If we rename this to running then I think we need to change the setting to be {"reconciliation_running": true}, which doesn't communicate the intent of the API clearly.
I'd like to keep it how it currently is, but as compensatory measures I will:
- update the metric documentation to be clear about its meaning
- add a second metric to represent a general "check engine light" for prebuilds
| return | ||
| } | ||
|
|
||
| if bytes.Equal(settingsJSON, []byte(currentSettingsJSON)) { |
There was a problem hiding this comment.
Nit: not a problem now but when we add more settings, map ordering may cause this check to fail.
| require.Len(t, workspaces, 2, "should have created 2 prebuilds") | ||
|
|
||
| // Now pause prebuilds reconciliation | ||
| err = db.UpsertPrebuildsSettings(ctx, `{"reconciliation_paused": true}`) |
There was a problem hiding this comment.
I'd suggest going via the API here to avoid duplicating this business logic.
There was a problem hiding this comment.
LGTM 🎉 Thanks for creating this.
There is just a question about rbac: with this change we require the permission rbac.ResourceDeploymentConfig, so that means that only the owner of the resouce or a user with role auditorRole can upsert this setting. Should we extend it to Admins?
| @@ -113,6 +113,8 @@ func ResourceTarget[T Auditable](tgt T) string { | |||
| return "" // no target? | |||
| case database.NotificationsSettings: | |||
| return "" // no target? | |||
| case database.PrebuildsSettings: | |||
There was a problem hiding this comment.
What is the reason of this file update? 🤔
There was a problem hiding this comment.
We need to be able to audit who pauses prebuilds.
| @@ -5101,6 +5105,13 @@ func (q *querier) UpsertOAuthSigningKey(ctx context.Context, value string) error | |||
| return q.db.UpsertOAuthSigningKey(ctx, value) | |||
| } | |||
|
|
|||
| func (q *querier) UpsertPrebuildsSettings(ctx context.Context, value string) error { | |||
| if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceDeploymentConfig); err != nil { | |||
There was a problem hiding this comment.
Just to clarify here on the rbac side, this means that only a user with this permission can update the setting. From https://github.com/coder/coder/blob/main/coderd/rbac/roles.go currently, only the auditorRole has this permission. Is that intended?
There was a problem hiding this comment.
Auditor only has read though?
Line 327 in 8a69f6a
| @@ -35,6 +35,11 @@ type NotificationsSettings struct { | |||
| NotifierPaused bool `db:"notifier_paused" json:"notifier_paused"` | |||
| } | |||
|
|
|||
| type PrebuildsSettings struct { | |||
| ID uuid.UUID `db:"id" json:"id"` | |||
| ReconciliationPaused bool `db:"reconciliation_paused" json:"reconciliation_paused"` | |||
There was a problem hiding this comment.
Do you think it would also be useful to add a timestamp?
|
|
||
| if bytes.Equal(settingsJSON, []byte(currentSettingsJSON)) { | ||
| // See: https://www.rfc-editor.org/rfc/rfc7232#section-4.1 | ||
| httpapi.Write(ctx, rw, http.StatusNotModified, nil) |
There was a problem hiding this comment.
nit: according to the RFC the 304 Not Modified is normally a response to a GET request.
Maybe a 204 No Content makes more sense in this case, wdyt? https://datatracker.ietf.org/doc/html/rfc7231#section-6.3.5
| return xerrors.Errorf("unable to pause prebuilds: %w", err) | ||
| } | ||
|
|
||
| _, _ = fmt.Fprintln(inv.Stderr, "Prebuilds are now paused.") |
There was a problem hiding this comment.
Why not?
| _, _ = fmt.Fprintln(inv.Stderr, "Prebuilds are now paused.") | |
| _, _ = fmt.Fprintln(inv.Stdout, "Prebuilds are now paused.") |
| assert.Contains(t, buf.String(), "Prebuilds are now paused.") | ||
|
|
||
| // Verify the settings were actually updated | ||
| //nolint:gocritic // Only owners can change deployment settings |
There was a problem hiding this comment.
Why the //nolint:gocritic? 🤔
| err = db.UpsertPrebuildsSettings(ctx, `{"reconciliation_paused": false}`) | ||
| require.NoError(t, err) | ||
|
|
||
| // Run reconciliation again - it should now recreate the prebuilds |
This PR provides two commands:
coder prebuilds pausecoder prebuilds resumeThese allow the suspension of all prebuilds activity, intended for use if prebuilds are misbehaving.