Read the Pi hostname from config instead of rule_type #1313
Conversation
|
I was thinking more along the lines of having pi be handled via a provider, and configuring it from there instead. |
interesting idea, let me simmer on that. |
First thought - currently for the Pi evaluator we'd need two providers - GitHub to reply to PRs and then the Pi provider. We'd need to extend the Context message in the protobuf to hold an array of providers, then. We'd also need to extend the EntityContext to keep the providers private and instead of accessing the single Provider by name, we'd need to have a It really seems like something we want, but I'm unsure if it's something we can deliver in the remaining week without regressions. |
To get the provider, the only thing we really need is the project that's already available in the context and the provider name. Why do we need a list of providers? |
jhrozek
force-pushed
the
config_mediator
branch
from
4275dd4 to
c2a7aa7
Compare
To sum up the discussion we had earlier - we have technical debt in the Pi evaluator and the OSV evaluator in the sense that they both analyse the PR but also reply to it. This is because the evaluators predate the remediations. We need to split them into an evaluator and a remediator, then each would be using a single provider and we can do what @JAORMX suggested. In the meantime, to not add even more technical debt, I added just a simple env variable. |
| package_intelligence: {} |
There was a problem hiding this comment.
unrelated, but should we rename the evaluator to trusty?
There was a problem hiding this comment.
Probably, yes. You can do it now or in the big rename.
There was a problem hiding this comment.
Since we're squashing PRs I would prefer a separate PR - otherwise this PR that adds a single env variable would /also/ rename a bunch of identifiers and it would be too hard to search git history.
There was a problem hiding this comment.
and I was asking explicitly because I think this is too easy to miss in the big rename - I assume that whoever is doing the big rename would be looking for mediator, but not necessarily for package_intelligence.
| package_intelligence: {} |
There was a problem hiding this comment.
Probably, yes. You can do it now or in the big rename.
| return nil, fmt.Errorf("rule type engine missing package_intelligence configuration") | ||
| } | ||
| if pie.GetEndpoint() == "" { |
There was a problem hiding this comment.
I'm confused on how this is getting used -- it looks like we're getting pie from rt.Def.Eval, modifying the returned result (maybe it's a pointer?), and then passing e's package intelligence.
Should this be using e.GetPackageIntelligence()?
There was a problem hiding this comment.
ah, I should have passed in pie. Thanks for noticing that. But in this specific case, it doesn't matter, because rt.Def.Eval is a pointer to a protobuf representation of that evaluator configuration. This protobuf represtatation is instantiated every time we evaluate a rule, so setting its attribute doesn't affect any other rules that might be using the same rule_type.
(Hopefully this answers the question)
There was a problem hiding this comment.
I figured there was some aliasing going on, but I played dumb because I suspected the using of aliases was accidental.
…efaults Fixes: #1276
… an environment variable
jhrozek
force-pushed
the
config_mediator
branch
from
c2a7aa7 to
086879a
Compare
| return nil, fmt.Errorf("rule type engine missing package_intelligence configuration") | ||
| } | ||
| if pie.GetEndpoint() == "" { | ||
| pie.Endpoint = os.Getenv("MEDIATOR_UNSTABLE_PACKAGE_INTELLIGENCE_ENDPOINT") |
There was a problem hiding this comment.
I think an env var is okay for now, but it would be nice eventually to have a set of options in Config from internal/config rather than reading from the environment here. But we can defer that refactor for now.
There was a problem hiding this comment.
The idea is actually to move this to be a provider. But yeah, it'll be refactored.
There was a problem hiding this comment.
the config was what this PR started with but we had a call today with @JAORMX and decided against it in favour of addressing some of the technical debt in the evaluators first which will allow us to use just provider config instead.
| return nil, fmt.Errorf("rule type engine missing package_intelligence configuration") | ||
| } | ||
| if pie.GetEndpoint() == "" { |
There was a problem hiding this comment.
I figured there was some aliasing going on, but I played dumb because I suspected the using of aliases was accidental.
even better, we have an issue that tracks the refactor #1203 |
… a constant instead (#1473) When we first developed the Trusty evaluator, we had a configurable Trusty endpoint which we used to both talk to the API endpoint and to construct the HTTP URL to link to a package alternative. Nowadays, we use the name/namespace of the k8s service to contact trusty by default (See PR #1313 and #1401), but that means our PR replies were pointing to `http://pi.pi:8000` as well. Instead, let's use the new prod/staging constants to add a HTTP URL of a Trusty instance and point to that. Since Trusty is a hosted service only, let's just use a constant.
This PR adds a policy engine configuration struct that can be set in the config
file or through an environment variable. The only use now is to override the Pi
hostname so that our staging instance can default to staging Pi and production
can default to production Pi. In Kube, the easiest way to set the Pi hostname is
probably through enviornment variables, you can test that with:
Fixes: #1276