Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[RFC] hub dashboard orchestration #5

Draft
wants to merge 4 commits into
base: main
Choose a base branch
from

Conversation

zkamvar
Copy link
Member

@zkamvar zkamvar commented Dec 14, 2024

This is still a draft, but it's most of the way there.

This is dependent on #3 and effectively is an RFC for a decision that was
already made and implemented, but it would be good to have a discussion around
this since there is still some uncertainty.

### Other Options Considered

- A set of GitHub workflows only
- **Not chosen because of maintenance burden for hubverse admins** (see
Copy link
Contributor

@bsweger bsweger Dec 17, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We will host the App's webhook code on a free service like glitch.io

Assuming that this note about not relying solely on GitHub workflows is related to the quoted text from the above list of decisions...

I'm still unclear on why we need to host webhook code on Glitch, etc. instead of having a manually-triggered action in the hub-specific repos (e.g., variant-nowcast-hub-dashboard) that use the GitHub api to trigger a workflow/repository dispatch event in the central dashboard "control room"

Is there a technical and/or code-reuse reason we haven't tried on-demand updates w/o writing our own intervening API?

If not, it's appealing to remove the extra moving part (i.e., Glitch/server). Asking hub admins to manually run a GitHub workflow to update the dashboard doesn't seem overly-burdensome, especially for a first iteration of dashboards.

Copy link
Contributor

@bsweger bsweger Dec 17, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Adding that I also saw this note above:

The admins of at least one hubverse project has expressed a desire to not manage
any more workflows.

If there's a way to include a generalizable workflow in the dashboard template (i.e., admins don't have to make changes to it) or if there's a way to share the hub-specific version of the repo, that doesn't seem terrible.

In any case, I'd like to make sure we're making a good tradeoff between user desire for "no more workflows" and the added complexity introduced by another service into the dashboard update process.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If there's a way to include a generalizable workflow in the dashboard template (i.e., admins don't have to make changes to it).

As soon as a workflow is introduced, it's out of our control. We can do our darnedest to make sure admins don't have to make changes to it, but I have yet to ever find an example where that's the case.

if there's a way to share the hub-specific version of the repo, that doesn't seem terrible.

I'm not sure I understand this. Can you elaborate?

Updating this section to reflect a brainstorming session with Evan, Matt, and Zhian
- We will build an experimental GitHub App that allows hub admins to
optionally register their repository to build the dashboard using our
centralized workflows.
- We will host the App's webhook code on a free service like glitch.io
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Repeating my question from a Zoom call: our synchronous discussion was helpful for understanding how the webhook/API component of this decision improves usability for hub admins while maintaining a good security posture.

That said, a lot of us have pushed back against running and maintaining an API/web service, as it adds a non-trivial moving part to our setup.

As expected, everyone has their own .02 about where to land on the hub admin usability <--> hub dev maintainability spectrum. I'm wondering how much (if at all) the choice of host/language for the API impacts that perspective.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm wondering how much (if at all) the choice of host/language for the API impacts that perspective.

I suspect that a language for the API that is more aligned with the lab languages would make the app option more appealing (depending on how robust the abstraction is). Most of the challenge with the app code is dealing with GitHub's API: https://github.com/hubverse-org/hub-dashboard-control-room/blob/60fc0660a96f054123d702c7dbe4b2108545f73f/app/index.js#L4-L24

- PRO: Centralized workflows are easier for hub devs to maintain
- PRO: Doesn't require API/web service
- PRO: Less workflow boilerplate for hub admins (but not zero)
- CON: It replaces the API/web service moving part with a different moving part
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A way this could work ... GitHub actions in the hub dashboard repos could authenticate to a vault app via its GitHub OIDC provider and get the GitHub app token (HasiCorp Vault or AWS for example). OIDC is how the AWS Upload action is able to push data to a hub's S3 bucket.

As with getting hubs onto the Hubverse-hosted AWS cloud, there would need to be an onboarding process for hub dashboards. Essentially, we'd have to make sure each individual hubverse dashboard repo is allowed to access the vault, either manually or via infrastructure as code (the relevant bit for AWS cloud onboarding)

This might require less ongoing maintenance than running an API, but it's still not trivial.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Four things:

  1. there would be no need for an app here because the secret is a PAT for the control-room repository that's needed to send a repository dispatch event, not an app secret.
  2. we lose control of the PAT as soon as it leaves the vault.
  3. every solution that involves sharing a PAT or some sort of secret is effectively re-inventing one aspect of what an app is doing in a much less secure way.
  4. there's the ongoing maintenance of rotation of the token for security.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems like some of the conversation here is hinging on security concerns. It's not fully clear to me what the concerns are, or what the implications would be if the token was either misused or fell into "bad actor" hands. What could get borked? What is a "worst case scenario" here?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What could get borked? What is a "worst case scenario" here?

This token would be specific for the control-room repository. It would allow anyone with access to that token to insert any code they want into the this central repository. They could insert code that would insert malicious javascript in the dashboard websites so that it either redirects to another page (either adware, scam, or other malicious site), adds a popup asking for credentials, or any other number of attacks that can be pulled off with javascript.

Comment on lines +99 to +100
- CON: In practice, keeping things synchronized between individual repos and
a central repo is difficult
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To expand a bit on this, it is difficult not because the process involved is challenging per-se, but it requires folks to be careful about the permissions of the tokens they use. In order to update workflow files, a GitHub token needs both the contents: write and workflows: write contexts.

I've done this before and it's stressful: https://github.com/carpentries/sandpaper/tree/main/inst/workflows#updates

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants