
fix: get tunnels working, fix tls, wf bug fix #2025

Open · MasterPtato wants to merge 1 commit into 02-12-fix_get_stuff_building from 02-13-fix_get_tunnels_working_fix_tls_wf_bug_fix

Conversation

MasterPtato (Contributor) opened this pull request.
cloudflare-workers-and-pages bot commented Feb 13, 2025

Deploying rivet with Cloudflare Pages

Latest commit: 2e17256
Status: 🚫 Build failed.

MasterPtato (Contributor, Author) commented Feb 13, 2025

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.

How to use the Graphite Merge Queue

Add the label merge-queue to this PR to add it to the merge queue.

You must have a Graphite account in order to use the merge queue. Sign up using this link.

An organization admin has enabled the Graphite Merge Queue in this repository.

Please do not merge from GitHub as this will restart CI on PRs being processed by the merge queue.

This stack of pull requests is managed by Graphite. Learn more about stacking.

@MasterPtato marked this pull request as ready for review February 14, 2025 23:42

greptile-apps bot left a comment

PR Summary

This PR focuses on improving tunnel functionality, TLS certificate management, and workflow execution in the Rivet platform, with significant changes to DNS handling and security configurations.

  • Reduced workflow polling interval from 120s to 5s in /packages/common/chirp-workflow/core/src/worker.rs, which could significantly impact system performance
  • Added new columns api_cert_pem and api_private_key_pem to datacenter_tls table but missing down migration in /packages/core/services/cluster/db/cluster/migrations/20250213000643_api_cert.down.sql
  • Disabled TLS certificate verification for CockroachDB and Redis in /packages/core/services/cluster/src/workflows/server/install/install_scripts/components/rivet/worker.rs, introducing potential security risks
  • Split DNS deletion into separate api_dns_delete and gg_dns_delete workflows with different proxying configurations
  • Added HTTP/HTTPS firewall rules (ports 80/443) for worker pools but missing UDP rules present in GG pool configuration

17 file(s) reviewed, 11 comment(s)

@@ -6,7 +6,7 @@ use uuid::Uuid;
use crate::{ctx::WorkflowCtx, db::DatabaseHandle, metrics, registry::RegistryHandle, utils};

/// How often to pull workflows when polling.
pub const TICK_INTERVAL: Duration = Duration::from_secs(120);
pub const TICK_INTERVAL: Duration = Duration::from_secs(5);
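Review bot: The doc comment on `TICK_INTERVAL` still reads only "How often to pull workflows when polling" while the value drops from 120s to 5s, a 24x increase in poll frequency per worker; state the reason for the new interval in that comment and, since this is a compile-time constant, consider sourcing it from configuration so an operator can raise it on a loaded database without a rebuild.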

logic: Reducing TICK_INTERVAL from 120s to 5s will significantly increase database load. Consider adding rate limiting or backoff mechanisms if many workers are running simultaneously.


/// Signifies a retryable executable entity in a workflow. For example: activity, tuple of activities (join),
/// closure.
#[async_trait]
pub trait Executable: Send + Sized {
pub trait Executable: Send + Sized + Sync {
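Review bot: Adding `Sync` to the `Executable` supertraits is a breaking change for every existing implementor, and the doc comment directly above lists closures as one of the executable kinds, so any closure capturing a non-`Sync` value (an `Rc`, a `RefCell`, a raw pointer) stops compiling; call the new bound out in the commit message or changelog and say which awaiting path now requires it, so implementors can fix their captures deliberately rather than by trial and error.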

logic: adding Sync bound may break existing code using non-Sync closures in workflows

Comment on lines +55 to +58
let history_res = ctx
.cursor()
.compare_activity(self.version.unwrap_or(ctx.version()), &event_id)?;
let location = ctx.cursor().current_location_for(&history_res);
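Review bot: `history_res` is computed through one `ctx.cursor()` call and `current_location_for(&history_res)` through a second; if `cursor()` hands out a fresh view each time (its definition is not in this hunk), the two calls can observe different cursor states. Bind the cursor once (`let cursor = ctx.cursor();`) and derive both values from that binding, or have `compare_activity` return the location together with the comparison result.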

logic: potential race condition if cursor state changes between compare_activity and current_location_for calls

Comment on lines 57 to 69
if let Some(inner) = self {
inner.execute(&mut branch).await.map(Some)
let mut branch = ctx.clone();

// Move to next event
inner.shift_cursor(ctx).map_err(GlobalError::raw)?;

let res = inner.execute(&mut branch).await?;

Ok(Some(res))
} else {
Ok(None)
}
}
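Review bot: The `Some` arm now clones `ctx` into `branch` and shifts the cursor on `ctx` before executing, but the `else` arm returns `Ok(None)` without touching the cursor, so the two arms consume a different number of history events; if an absent executable is expected to occupy a slot in the event history, the `None` arm needs the same `shift_cursor` call, and if it is not, a comment saying so would stop the next reader from treating the asymmetry as a bug. The cursor is also shifted before `inner.execute(&mut branch).await?` can fail, so decide and document whether a failed execute leaves `ctx` pointing past the event it never completed.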

logic: Option::None case still increments cursor but doesn't create branch, could lead to cursor misalignment

Comment on lines +91 to +96
branch: {
let branch = ctx.clone();
$args.shift_cursor(ctx).map_err(GlobalError::raw)?;

branch
},
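Review bot: The clone-then-`shift_cursor` sequence in this macro arm (`let branch = ctx.clone(); $args.shift_cursor(ctx).map_err(GlobalError::raw)?; branch`) duplicates the sequence written out by hand in the `Option` implementation of `execute`; a single helper on the context that returns the branch and shifts the cursor would keep the two from drifting apart and would give one place to decide what happens to the cursor when a later execute fails.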

style: cloning context and shifting cursor before execution could cause issues if execution fails

Comment on lines 276 to 298
pub fn firewall_rules(&self) -> Vec<FirewallRule> {
FirewallRule::base_rules()
[
FirewallRule::base_rules(),
vec![
// HTTP(S)
FirewallRule {
label: "http-tcp".into(),
ports: "80".into(),
protocol: "tcp".into(),
inbound_ipv4_cidr: vec!["0.0.0.0/0".into()],
inbound_ipv6_cidr: vec!["::/0".into()],
},
FirewallRule {
label: "https-tcp".into(),
ports: "443".into(),
protocol: "tcp".into(),
inbound_ipv4_cidr: vec!["0.0.0.0/0".into()],
inbound_ipv6_cidr: vec!["::/0".into()],
},
],
]
.concat()
}
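Review bot: Both new rules open their port to `0.0.0.0/0` and `::/0`, so port 80 becomes a world-reachable plaintext listener on every worker; this PR also adds API certificates, so if 80 exists only for redirect-to-HTTPS or ACME challenges, say so in the `// HTTP(S)` comment, and if the worker API is meant to be reached only through the tunnels this PR fixes, narrow `inbound_ipv4_cidr`/`inbound_ipv6_cidr` to the tunnel or edge ranges rather than any source. The `.concat()` of `base_rules()` with the new vec is fine, but a unit test asserting the expected labels and ports for this pool would pin the exposure down.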

style: HTTP/HTTPS firewall rules are added for TCP only, while ClusterPoolGg includes UDP rules for the same ports. Consider whether UDP rules should also be added here for consistency.

Comment on lines +2 to +3
ADD COLUMN api_cert_pem TEXT,
ADD COLUMN api_private_key_pem TEXT;
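Review bot: `api_private_key_pem` is added as a plain `TEXT` column, which puts the API private key in cleartext in the `datacenter_tls` table, so anyone with read access to that table (backups included) holds the key; at minimum restrict read grants on the column and document the rotation expectation, and ideally keep the key material in a dedicated secret store with only a reference in the row. The matching `20250213000643_api_cert.down.sql` named in the summary should `ALTER TABLE datacenter_tls DROP COLUMN api_cert_pem, DROP COLUMN api_private_key_pem;` so the migration can be rolled back.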

style: Consider adding NOT NULL constraints with DEFAULT values or ensuring existing rows are handled in application code, as NULL certificates could cause runtime errors

Comment on lines +24 to +32
if let Some(dns_record_id) = records_res.dns_record_id {
ctx.activity(DeleteDnsRecordInput {
dns_record_id,
zone_id: zone_id.to_string(),
})
.await?;
} else {
tracing::warn!("server has no primary dns record");
}
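Review bot: The `tracing::warn!("server has no primary dns record")` in the `else` arm carries no fields, so when it fires the operator cannot tell which server or zone it concerns; `zone_id` is in scope a few lines above, so record it (and the server id, if this workflow has one) as structured fields, e.g. `tracing::warn!(%zone_id, "server has no primary dns record")`, which also makes the frequency of this path countable from logs without a separate metric.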

style: Consider adding a metric or structured log when DNS record is missing to help track frequency of this case

@@ -54,20 +54,20 @@ pub fn configure(config: &rivet_config::Config) -> GlobalResult<String> {
},
cockroachdb: CockroachDb {
url: Url::parse(&format!(
"postgres://127.0.0.1:{TUNNEL_CRDB_PORT}/postgres?sslmode=verify-ca"
"postgres://127.0.0.1:{TUNNEL_CRDB_PORT}/postgres?sslmode=require"

logic: Changing from sslmode=verify-ca to sslmode=require disables certificate verification. This is a security downgrade that could enable MITM attacks. Consider fixing the certificate configuration instead.

))?,
..server_config.cockroachdb.clone()
},
redis: RedisTypes {
ephemeral: Redis {
url: Url::parse(&format!(
"rediss://127.0.0.1:{TUNNEL_REDIS_EPHEMERAL_PORT}",
"rediss://127.0.0.1:{TUNNEL_REDIS_EPHEMERAL_PORT}/#insecure",

logic: Adding #insecure to Redis URL disables TLS certificate verification. This is a security risk that could enable MITM attacks. Consider fixing the certificate configuration instead.

@MasterPtato force-pushed the 02-12-fix_get_stuff_building branch from 290658d to 55a330f on February 15, 2025 01:52
@MasterPtato force-pushed the 02-13-fix_get_tunnels_working_fix_tls_wf_bug_fix branch from 56f8e31 to 998ea52 on February 15, 2025 01:52
@MasterPtato force-pushed the 02-12-fix_get_stuff_building branch from 55a330f to 95ef81c on February 18, 2025 02:32
@MasterPtato force-pushed the 02-13-fix_get_tunnels_working_fix_tls_wf_bug_fix branch from 998ea52 to 70935b0 on February 18, 2025 02:32
cloudflare-workers-and-pages bot commented Feb 19, 2025

Deploying rivet-hub with Cloudflare Pages

Latest commit: 2e17256
Status: ✅ Deploy successful!
Preview URL: https://c7c96a33.rivet-hub-7jb.pages.dev
Branch Preview URL: https://02-13-fix-get-tunnels-workin.rivet-hub-7jb.pages.dev

@NathanFlurry force-pushed the 02-12-fix_get_stuff_building branch from 95ef81c to 08b4e1f on February 19, 2025 02:59
@NathanFlurry force-pushed the 02-13-fix_get_tunnels_working_fix_tls_wf_bug_fix branch from 70935b0 to 29618f5 on February 19, 2025 02:59
@NathanFlurry changed the base branch from 02-12-fix_get_stuff_building to graphite-base/2025 on February 19, 2025 11:41
@MasterPtato force-pushed the 02-12-fix_get_stuff_building branch from 61641ee to 6a57b86 on February 25, 2025 02:45
@MasterPtato force-pushed the 02-13-fix_get_tunnels_working_fix_tls_wf_bug_fix branch from 590a2ac to 5bb2397 on February 25, 2025 02:45
@NathanFlurry force-pushed the 02-12-fix_get_stuff_building branch from 6a57b86 to d8bf651 on February 26, 2025 01:05
@NathanFlurry force-pushed the 02-13-fix_get_tunnels_working_fix_tls_wf_bug_fix branch from 5bb2397 to caf9cca on February 26, 2025 01:05
@MasterPtato force-pushed the 02-12-fix_get_stuff_building branch from d8bf651 to b9f0ded on February 26, 2025 03:27
@MasterPtato force-pushed the 02-13-fix_get_tunnels_working_fix_tls_wf_bug_fix branch from caf9cca to 2e17256 on February 26, 2025 03:27
@NathanFlurry force-pushed the 02-12-fix_get_stuff_building branch from b9f0ded to d8bf651 on February 26, 2025 06:18
@NathanFlurry force-pushed the 02-13-fix_get_tunnels_working_fix_tls_wf_bug_fix branch from 2e17256 to caf9cca on February 26, 2025 06:18
@NathanFlurry force-pushed the 02-12-fix_get_stuff_building branch from d8bf651 to 228ff44 on February 27, 2025 00:49
@NathanFlurry force-pushed the 02-13-fix_get_tunnels_working_fix_tls_wf_bug_fix branch from caf9cca to 20dfc77 on February 27, 2025 00:49
@MasterPtato force-pushed the 02-12-fix_get_stuff_building branch from 228ff44 to b9f0ded on February 27, 2025 02:42
@MasterPtato force-pushed the 02-13-fix_get_tunnels_working_fix_tls_wf_bug_fix branch from 20dfc77 to 2e17256 on February 27, 2025 02:42
@NathanFlurry force-pushed the 02-13-fix_get_tunnels_working_fix_tls_wf_bug_fix branch from 2e17256 to caf9cca on February 27, 2025 07:59
@NathanFlurry force-pushed the 02-12-fix_get_stuff_building branch from b9f0ded to d8bf651 on February 27, 2025 07:59
@MasterPtato force-pushed the 02-12-fix_get_stuff_building branch from d8bf651 to b9f0ded on February 27, 2025 18:55
@MasterPtato force-pushed the 02-13-fix_get_tunnels_working_fix_tls_wf_bug_fix branch from caf9cca to 2e17256 on February 27, 2025 18:56
@NathanFlurry force-pushed the 02-12-fix_get_stuff_building branch from b9f0ded to d8bf651 on February 27, 2025 20:45
@NathanFlurry force-pushed the 02-13-fix_get_tunnels_working_fix_tls_wf_bug_fix branch from 2e17256 to caf9cca on February 27, 2025 20:45
@MasterPtato force-pushed the 02-12-fix_get_stuff_building branch from d8bf651 to b9f0ded on February 28, 2025 03:05
@MasterPtato force-pushed the 02-13-fix_get_tunnels_working_fix_tls_wf_bug_fix branch from caf9cca to 2e17256 on February 28, 2025 03:05