BE: Allow disabling GitHub release info #1108
Conversation
kapybro
bot
added
status/triage
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
There was a problem hiding this comment.
Hi stklcode! 👋
Welcome, and thank you for opening your first PR in the repo!
Please wait for triaging by our maintainers.
Please take a look at our contributing guide.
| if (githubInfoEnabled) { | ||
| this.githubReleaseInfo = new GithubReleaseInfo(githubApiMaxWaitTime); | ||
| } else { | ||
| this.githubReleaseInfo = null; |
There was a problem hiding this comment.
let's either mark the field as nullable or replace it with some empty object instead to prevent NPEs
There was a problem hiding this comment.
Let's also output a bold warning into logs on startup in case this is disabled that running outdated versions is dangerous due to CVEs and we will not provide support for outdated versions per our security policy
There was a problem hiding this comment.
Let's also output a bold warning into logs on startup ...
A real "warning", i.e. WARN log level? INFO ... OK, but warning seems little overdone. I'm running about 400 instances in various test clusters and remote systems, no online access, updates and security scans are done by external tooling. Simply shifting Firewall/eBPF warnings to application warnings was not what I had in mind....
There was a problem hiding this comment.
It might seem "overdone" until folks start coming up with air-gapped installations requesting support for 2 yo releases.
There was a problem hiding this comment.
I get the point. But does a warning really prevent these folks from requesting anything? My experience is you can write "UNMAINTEINED" in 50px bold at the top of a GH issue template and you still get new tickets with the warning not even removed 🤷♂️
There was a problem hiding this comment.
Nevertheless I've added a log warning. (yet another one to ignore, but at least consistent with other config scenarios).
WARN [restartedMain] i.k.u.s.ApplicationInfoService: Check for latest release is disabled. Note that old versions are not supported, please make sure that your system is up to date.
There was a problem hiding this comment.
yet another one to ignore
do you export them to some external systems like sentry or something?
There was a problem hiding this comment.
Yes, quite a few deployments on K8s where pod's logs are scraped and some generic checks for warnings and errors.
Not really a big deal.
Mostly dev/qa stuff where this is non-critical and for the remaining staging/prod-like namespaces there are filters in the deployment templates - almost impossible to run every third-party tool 100% warning-free in every environment, but normal under normal conditions we don't want any warning without actual impact. So just accept some "unfixable" ones (like version checks in an offline environment) explicitly and move on.
| @@ -19,7 +19,7 @@ const Version: React.FC = () => { | |||
|
|
|||
| return ( | |||
| <S.Wrapper> | |||
| {!isLatestRelease && ( | |||
| {isLatestRelease === false && ( | |||
There was a problem hiding this comment.
I'd like to see a visual difference between "no latest release present" and "user disabled version check" in the UI. This is crucial as it's often only the UI screenshots I have to deduct things from.
There was a problem hiding this comment.
Any suggestion how such information should look?
Frankly, I don't see any benefit in such information. Currently running version is displayed, if the check failed there's a warning symbol and the information if there's an update available or not can change 1 second after a screenshot was taken, because it's dynamic info.
There was a problem hiding this comment.
Perhaps a red (rather than yellow) exclamation mark icon (most likely it's an svg, so altering stroke-color should work) with a different text about version check disabled.
The benefit is offloading responsibility of running an oudated and possibly CVE-"enriched" version and giving the maintainers visual signal of what the user's running (red icon -> no version check = most likely outdated -> no support)
There was a problem hiding this comment.
A red warning, really?
I've learned to ignore the yellow icon due do failing version checks and yet there are frequent questions if there's something wrong. So annoying users, who have no control whatsoever about the deployed version in our case, with read warning sign that typically means "something is wrong here" ...
Our use case are - you guessed it - isolated systems, mostly dev/staging environments. We allow users some access to the underlying Kafka and deployment/updates are done by some automation/opt team who don't see the UI warnings anyway.
We were looking for a solution to remove the frontend warning, not making it look worse.
There was a problem hiding this comment.
You wouldn't imagine the number of issues I've seen where people come with their "up-to-date" installations, only to realize after wasting some time that it's not only an outdated version, but also a fork with completely unrelated functionality that we don't even have. Not sure of a middle ground here. @germanosin thoughts?
There was a problem hiding this comment.
On the oder end, I've seen questions from users about the warning of "UNKNOWN" version and regular tickets from ops about log warnings that nobody can do anything about.
We have filters on our network logs to prevent alerting from unauthorized access attempts and injected a logging config to suppress the "Authentication is disabled" warning for instances running behind an external auth gateway. But we cannot filter the human eye and regular "just ignore the warning" is not really a satisfactory answer.
Evaluated red and gray symbol (current yellow and none for reference). My preference is "none" or maybe gray 😉
There was a problem hiding this comment.
My personal preference: gray
There was a problem hiding this comment.
I extended the <WarningIcon> component to (a) use theme's warningIcon color instead of hardcoded color (was #F2C94C, now #FFDD57 ... close enough for me) and (b) allow override by parameter.
Override to infoIcon color (#ABB5BA) with adjusted message in case the check info is not available.
There was a problem hiding this comment.
I think we could hide the whole icon tbh. Even if the person reporting issues is not the same as the one managing the installation, they can still check if the version is up to date by clicking the commit hash. Given the counterpoint by @stklcode about "users screaming due to an alert", it might be alright.
@germanosin thoughts?
Haarolean
added
type/enhancement
Haarolean
changed the title
stklcode
force-pushed
the
feat/disable-releaseinfo
branch
from
f1f15de to
3c4131c
Compare
The application info object contains details about the latest version which is queried online from GitHub API. While this info can be useful, it raises warning when Kafbat UI is deployed in environments with restricted internet access. Introduce a new property "github.release.info.enabled" (default: true) that can be set to "false" to disable release info and just display the currently running version/commit.
stklcode
force-pushed
the
feat/disable-releaseinfo
branch
from
3c4131c to
bc55bce
Compare
Extend he WarningIcon template to allow custom coloring with fallback to theme's "warningIcon" color. If version check is disabled, show a corresponding info with a "infoIcon" (gray) colored icon instead.
stklcode
force-pushed
the
feat/disable-releaseinfo
branch
from
c3a87e3 to
c4f2562
Compare
| if (githubInfoEnabled) { | ||
| this.githubReleaseInfo = new GithubReleaseInfo(githubApiMaxWaitTime); | ||
| } else { | ||
| this.githubReleaseInfo = null; |
There was a problem hiding this comment.
yet another one to ignore
do you export them to some external systems like sentry or something?
| @Test | ||
| void testCustomGithubReleaseInfoTimeout() { | ||
| assertEquals(100, service.githubReleaseInfo().getGithubApiMaxWaitTime()); | ||
| } | ||
|
|
||
| @Test | ||
| void testDisabledReleaseInfo() { |
There was a problem hiding this comment.
Thank you for adding the tests
| @@ -19,7 +19,7 @@ const Version: React.FC = () => { | |||
|
|
|||
| return ( | |||
| <S.Wrapper> | |||
| {!isLatestRelease && ( | |||
| {isLatestRelease === false && ( | |||
There was a problem hiding this comment.
I think we could hide the whole icon tbh. Even if the person reporting issues is not the same as the one managing the installation, they can still check if the version is up to date by clicking the commit hash. Given the counterpoint by @stklcode about "users screaming due to an alert", it might be alright.
@germanosin thoughts?
What changes did you make?
The application info object contains details about the latest version which is queried online from GitHub API. While this info can be useful, it raises warning when Kafbat UI is deployed in environments with restricted internet access.
Introduce a new property
github.release.info.enabled(default:true) that can be set tofalseto disable release info and just display the currently running version/commit.Is there anything you'd like reviewers to focus on?
The original feature was introduced in provectus/kafka-ui#3570
Apparently, the issue was already known during development (provectus/kafka-ui#3570 (review)):
Did I miss anything or was this point just ignored? Anyway with this PR now there it is.
How Has This Been Tested? (put an "x" (case-sensitive!) next to an item)
For manual testing, start the app with environment variable or property, e.g.
GITHUB_RELEASE_INFO_ENABLED=false.Checklist (put an "x" (case-sensitive!) next to all the items, otherwise the build will fail)
PR for documentation update: kafbat/ui-docs#56