mirror of
https://github.com/netbirdio/netbird.git
synced 2026-07-16 19:49:56 +00:00
* [agent-network] Shared proto, OpenAPI schema, and generated types * [agent-network] Management: store, manager, synthesizer, policy engine, provider catalog, HTTP/gRPC API Adds the account-scoped agent-network module: provider/policy/budget CRUD and store, the reverse-proxy service synthesizer, policy selection + limit enforcement, the provider catalog (incl. Vertex AI and AWS Bedrock entries), and the management HTTP + proxy gRPC surfaces. * [management] Fix agent-network proxy-peer fan-out on affected-peer recompute The affected-peers resolver loaded only persisted reverse-proxy services, but agent-network services are synthesized on demand and never persisted. As a result the embedded proxy peer was never folded into the affected set when a client's group changed, so the proxy received no network-map update for a newly authorised client and rejected its handshake until a full resync (restart). loadProxyServices now merges the synthesized agent-network services (injected via a registration hook to avoid an import cycle), so proxy peers learn newly authorised clients immediately. * [proxy] Reverse-proxy middleware framework, chain, and request plumbing The per-target middleware chain (slots, dispatcher, mutation gate, metadata merger), body capture, access-log terminal sink, and the proxy wiring that builds + runs chains for synthesized agent-network services. * [proxy] LLM parsers, pricing, and builtin middlewares (OpenAI, Anthropic, Vertex AI, AWS Bedrock) Request/response parsers and SSE/event-stream metering, the embedded pricing table, and the builtin middleware set: request parser, router, policy limit-check/record, cost meter, guardrail, identity inject, response parser. Includes the path-routed providers — Google Vertex AI (keyfile:: service-account OAuth minting) and AWS Bedrock (bearer auth, invoke/converse/streaming, optional /bedrock prefix) — plus the Models allowlist and unmeterable-publisher deny. * [proxy] IPv6 in-place apply and TCP accept-loop hardening on netstack listeners * [agent-network] End-to-end test suite, module docs, and deployment preset * [agent-network] Fix codespell typos and exclude false positives - labelgen word pool: vermillion -> vermilion, racoon -> raccoon. - codespell ignore list: add flate (Go compress/flate package), recordin (a test-local identifier), and unparseable (a valid alternative spelling used consistently across identifiers + a metadata-value constant). * [management] Set LastSeen on injected proxy peer in realstack test (MySQL strict-mode) The injected embedded proxy peer had a PeerStatus with a zero LastSeen, which serializes to '0000-00-00' and is rejected by MySQL in strict mode (SQLite tolerates it). Set LastSeen to a valid time so SaveAccount succeeds on both engines. * [agent-network] Remove e2e shell-script suite from this branch The end-to-end shell scripts under scripts/e2e/ are maintained in a separate testing suite and are not part of this change set. * [agent-network] Polish module docs: remove internal review scaffolding, fix links, verify diagrams Strip PR-review framing, commit references, absolute paths, and stale internal references from the agent-network module docs; fix broken relative links; verify all diagrams against the current architecture. Remove the internal AI-reviewer prompt file. * [management] Refine session expiration handling to support 3-state encoding for SSO deadlines * [agent-network] Relocate agentnetwork package to internals/modules Move management/server/agentnetwork (and its catalog/, labelgen/, types/ subpackages) to management/internals/modules/agentnetwork, alongside the reverse-proxy module, and rewrite all importers. Pure relocation: package names, the synthesizer + affectedpeers registration hook, and store access (shared store.Store) are unchanged, so no import cycle is introduced (affectedpeers still depends only on the agentnetwork/types leaf). * [agent-network] Co-locate HTTP handlers in the module (RegisterEndpoints) Move the agent-network HTTP handlers from server/http/handlers/agentnetwork into the module at internals/modules/agentnetwork/handlers (package handlers) and rename the entrypoint AddEndpoints -> RegisterEndpoints, matching the reverse-proxy module convention. Wiring in http/handler.go updated accordingly.
172 lines
4.8 KiB
Go
172 lines
4.8 KiB
Go
package middleware
|
|
|
|
import (
|
|
"context"
|
|
|
|
"go.opentelemetry.io/otel/attribute"
|
|
"go.opentelemetry.io/otel/metric"
|
|
"go.opentelemetry.io/otel/metric/noop"
|
|
)
|
|
|
|
// Metrics is the bundle of OTel instruments emitted by the middleware
|
|
// dispatcher. The constructor falls back to a noop meter when given
|
|
// nil so tests can skip metrics wiring entirely.
|
|
type Metrics struct {
|
|
requestsTotal metric.Int64Counter
|
|
durationMs metric.Int64Histogram
|
|
invocationsTotal metric.Int64Counter
|
|
errorsTotal metric.Int64Counter
|
|
metadataRejectedTotal metric.Int64Counter
|
|
headerMutationBlocked metric.Int64Counter
|
|
captureBypassTotal metric.Int64Counter
|
|
}
|
|
|
|
// NewMetrics registers the proxy.middleware.* instruments on the
|
|
// given meter. A nil meter is treated as the global no-op provider.
|
|
func NewMetrics(meter metric.Meter) (*Metrics, error) {
|
|
if meter == nil {
|
|
meter = noop.NewMeterProvider().Meter("proxy.middleware.noop")
|
|
}
|
|
|
|
m := &Metrics{}
|
|
var err error
|
|
|
|
m.requestsTotal, err = meter.Int64Counter(
|
|
"proxy.middleware.requests_total",
|
|
metric.WithUnit("1"),
|
|
metric.WithDescription("Middleware invocations grouped by outcome"),
|
|
)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
m.durationMs, err = meter.Int64Histogram(
|
|
"proxy.middleware.duration_ms",
|
|
metric.WithUnit("milliseconds"),
|
|
metric.WithDescription("Middleware Invoke latency"),
|
|
)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
m.invocationsTotal, err = meter.Int64Counter(
|
|
"proxy.middleware.invocations_total",
|
|
metric.WithUnit("1"),
|
|
metric.WithDescription("Middleware Invoke heartbeat counter"),
|
|
)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
m.errorsTotal, err = meter.Int64Counter(
|
|
"proxy.middleware.errors_total",
|
|
metric.WithUnit("1"),
|
|
metric.WithDescription("Middleware errors grouped by kind"),
|
|
)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
m.metadataRejectedTotal, err = meter.Int64Counter(
|
|
"proxy.middleware.metadata_rejected_total",
|
|
metric.WithUnit("1"),
|
|
metric.WithDescription("Middleware metadata entries rejected by the allowlist/caps"),
|
|
)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
m.headerMutationBlocked, err = meter.Int64Counter(
|
|
"proxy.middleware.header_mutation_blocked_total",
|
|
metric.WithUnit("1"),
|
|
metric.WithDescription("Middleware header mutations dropped by the denylist"),
|
|
)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
m.captureBypassTotal, err = meter.Int64Counter(
|
|
"proxy.middleware.capture_bypass_total",
|
|
metric.WithUnit("1"),
|
|
metric.WithDescription("Capture bypasses grouped by reason"),
|
|
)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return m, nil
|
|
}
|
|
|
|
// IncRequest increments proxy.middleware.requests_total with the
|
|
// middleware, target, and outcome labels.
|
|
func (m *Metrics) IncRequest(ctx context.Context, middlewareID, targetID, outcome string) {
|
|
if m == nil {
|
|
return
|
|
}
|
|
m.requestsTotal.Add(ctx, 1, metric.WithAttributes(
|
|
attribute.String("middleware", middlewareID),
|
|
attribute.String("target_id", targetID),
|
|
attribute.String("outcome", outcome),
|
|
))
|
|
}
|
|
|
|
// ObserveDuration records the middleware Invoke latency in milliseconds.
|
|
func (m *Metrics) ObserveDuration(ctx context.Context, middlewareID string, ms int64) {
|
|
if m == nil {
|
|
return
|
|
}
|
|
m.durationMs.Record(ctx, ms, metric.WithAttributes(attribute.String("middleware", middlewareID)))
|
|
}
|
|
|
|
// IncInvocation increments the heartbeat counter regardless of outcome.
|
|
func (m *Metrics) IncInvocation(ctx context.Context, middlewareID string) {
|
|
if m == nil {
|
|
return
|
|
}
|
|
m.invocationsTotal.Add(ctx, 1, metric.WithAttributes(attribute.String("middleware", middlewareID)))
|
|
}
|
|
|
|
// IncError increments the error counter with the given failure kind label.
|
|
func (m *Metrics) IncError(ctx context.Context, middlewareID, kind string) {
|
|
if m == nil {
|
|
return
|
|
}
|
|
m.errorsTotal.Add(ctx, 1, metric.WithAttributes(
|
|
attribute.String("middleware", middlewareID),
|
|
attribute.String("kind", kind),
|
|
))
|
|
}
|
|
|
|
// IncMetadataRejected increments the rejected-metadata counter for a reason.
|
|
func (m *Metrics) IncMetadataRejected(ctx context.Context, middlewareID, reason string) {
|
|
if m == nil {
|
|
return
|
|
}
|
|
m.metadataRejectedTotal.Add(ctx, 1, metric.WithAttributes(
|
|
attribute.String("middleware", middlewareID),
|
|
attribute.String("reason", reason),
|
|
))
|
|
}
|
|
|
|
// IncHeaderMutationBlocked increments the blocked-header counter.
|
|
func (m *Metrics) IncHeaderMutationBlocked(ctx context.Context, middlewareID, header string) {
|
|
if m == nil {
|
|
return
|
|
}
|
|
m.headerMutationBlocked.Add(ctx, 1, metric.WithAttributes(
|
|
attribute.String("middleware", middlewareID),
|
|
attribute.String("header", header),
|
|
))
|
|
}
|
|
|
|
// IncCaptureBypass increments the capture-bypass counter for a reason.
|
|
func (m *Metrics) IncCaptureBypass(ctx context.Context, targetID, reason string) {
|
|
if m == nil {
|
|
return
|
|
}
|
|
m.captureBypassTotal.Add(ctx, 1, metric.WithAttributes(
|
|
attribute.String("target_id", targetID),
|
|
attribute.String("reason", reason),
|
|
))
|
|
}
|