Support In-App Notifications and Shared Secrets (#1334)

.gitignore

@@ -40,4 +40,6 @@ yalc.lock
 **/__pycache__
 **/venv
 
+secrets/
+
 # config/pubkey.pem

Makefile

@@ -47,7 +47,11 @@ reshim: ## reshims erlang into asdf
 deploy: ## deploy artifacts to plural
 	cd plural && plural apply
 
-testup: ## sets up dependent services for test
+secrets: ## dir to manage random secret
+	mkdir secrets
+
+
+testup: secrets ## sets up dependent services for test
 	docker compose up -d
 
 testdown: ## tear down test dependencies

assets/src/components/notifications/sinks/NotificationSinksColumns.tsx

@@ -98,6 +98,7 @@ const ColUrl = columnHelper.accessor(
 export const sinkTypeToIcon = {
   [SinkType.Slack]: <SlackLogoIcon />,
   [SinkType.Teams]: <MsTeamsLogoIcon />,
+  [SinkType.Plural]: null,
   '': null,
 } as const satisfies Record<SinkType | '', ReactElement | null>
 

assets/src/generated/graphql.ts

@@ -192,6 +192,28 @@ export type ApiDeprecation = {
   replacement?: Maybe<Scalars['String']['output']>;
 };
 
+export type AppNotification = {
+  __typename?: 'AppNotification';
+  id: Scalars['ID']['output'];
+  insertedAt?: Maybe<Scalars['DateTime']['output']>;
+  priority?: Maybe<NotificationPriority>;
+  readAt?: Maybe<Scalars['DateTime']['output']>;
+  text?: Maybe<Scalars['String']['output']>;
+  updatedAt?: Maybe<Scalars['DateTime']['output']>;
+};
+
+export type AppNotificationConnection = {
+  __typename?: 'AppNotificationConnection';
+  edges?: Maybe<Array<Maybe<AppNotificationEdge>>>;
+  pageInfo: PageInfo;
+};
+
+export type AppNotificationEdge = {
+  __typename?: 'AppNotificationEdge';
+  cursor?: Maybe<Scalars['String']['output']>;
+  node?: Maybe<AppNotification>;
+};
+
 export type Application = {
   __typename?: 'Application';
   configuration?: Maybe<Configuration>;
@@ -2869,6 +2891,12 @@ export type NotificationFilter = {
   service?: Maybe<ServiceDeployment>;
 };
 
+export enum NotificationPriority {
+  High = 'HIGH',
+  Low = 'LOW',
+  Medium = 'MEDIUM'
+}
+
 export type NotificationRouter = {
   __typename?: 'NotificationRouter';
   /** events this router subscribes to, use * for all */
@@ -2915,6 +2943,8 @@ export type NotificationSink = {
   insertedAt?: Maybe<Scalars['DateTime']['output']>;
   /** the name of the sink */
   name: Scalars['String']['output'];
+  /** the users/groups an in-app notification can be delivered to */
+  notificationBindings?: Maybe<Array<Maybe<PolicyBinding>>>;
   /** the channel type of the sink, eg slack or teams */
   type: SinkType;
   updatedAt?: Maybe<Scalars['DateTime']['output']>;
@@ -2925,6 +2955,8 @@ export type NotificationSinkAttributes = {
   configuration: SinkConfigurationAttributes;
   /** the name of this sink */
   name: Scalars['String']['input'];
+  /** the users/groups you want this sink to deliver to if it's PLURAL type */
+  notificationBindings?: InputMaybe<Array<InputMaybe<PolicyBindingAttributes>>>;
   /** the channel type of this sink */
   type: SinkType;
 };
@@ -3497,6 +3529,10 @@ export type PluralServiceDeployment = {
   status: PluralObjectStatus;
 };
 
+export type PluralSinkAttributes = {
+  priority: NotificationPriority;
+};
+
 export type PluralSubscription = {
   __typename?: 'PluralSubscription';
   id?: Maybe<Scalars['ID']['output']>;
@@ -4304,6 +4340,8 @@ export type RootMutationType = {
   cloneService?: Maybe<ServiceDeployment>;
   completeStackRun?: Maybe<StackRun>;
   configureBackups?: Maybe<Cluster>;
+  /** Reads and deletes a given shared secret */
+  consumeSecret?: Maybe<SharedSecret>;
   createAccessToken?: Maybe<AccessToken>;
   createAgentMigration?: Maybe<AgentMigration>;
   createBuild?: Maybe<Build>;
@@ -4411,6 +4449,7 @@ export type RootMutationType = {
   pingCluster?: Maybe<Cluster>;
   /** marks a service as being able to proceed to the next stage of a canary rollout */
   proceed?: Maybe<ServiceDeployment>;
+  readAppNotifications?: Maybe<Scalars['Int']['output']>;
   readNotifications?: Maybe<User>;
   reconfigureRenovate?: Maybe<ServiceDeployment>;
   /** registers a list of runtime services discovered for the current cluster */
@@ -4428,6 +4467,8 @@ export type RootMutationType = {
   selfManage?: Maybe<ServiceDeployment>;
   /** creates the service to enable self-hosted renovate in one pass */
   setupRenovate?: Maybe<ServiceDeployment>;
+  /** Shares a one-time-viewable secret to a list of eligible users */
+  shareSecret?: Maybe<SharedSecret>;
   signIn?: Maybe<User>;
   signup?: Maybe<User>;
   syncGlobalService?: Maybe<GlobalService>;
@@ -4519,6 +4560,11 @@ export type RootMutationTypeConfigureBackupsArgs = {
 };
 
 
+export type RootMutationTypeConsumeSecretArgs = {
+  handle: Scalars['String']['input'];
+};
+
+
 export type RootMutationTypeCreateAccessTokenArgs = {
   scopes?: InputMaybe<Array<InputMaybe<ScopeAttributes>>>;
 };
@@ -5089,6 +5135,11 @@ export type RootMutationTypeSetupRenovateArgs = {
 };
 
 
+export type RootMutationTypeShareSecretArgs = {
+  attributes: SharedSecretAttributes;
+};
+
+
 export type RootMutationTypeSignInArgs = {
   email: Scalars['String']['input'];
   password: Scalars['String']['input'];
@@ -5326,6 +5377,7 @@ export type RootQueryType = {
   accessTokens?: Maybe<AccessTokenConnection>;
   account?: Maybe<Account>;
   ai?: Maybe<Scalars['String']['output']>;
+  appNotifications?: Maybe<AppNotificationConnection>;
   application?: Maybe<Application>;
   applications?: Maybe<Array<Maybe<Application>>>;
   argoRollout?: Maybe<ArgoRollout>;
@@ -5484,6 +5536,7 @@ export type RootQueryType = {
   temporaryToken?: Maybe<Scalars['String']['output']>;
   /** exchanges a kubeconfig token for user info */
   tokenExchange?: Maybe<User>;
+  unreadAppNotifications?: Maybe<Scalars['Int']['output']>;
   unstructuredResource?: Maybe<KubernetesUnstructured>;
   upgradePlan?: Maybe<UpgradePlan>;
   upgradePolicies?: Maybe<Array<Maybe<UpgradePolicy>>>;
@@ -5516,6 +5569,14 @@ export type RootQueryTypeAiArgs = {
 };
 
 
+export type RootQueryTypeAppNotificationsArgs = {
+  after?: InputMaybe<Scalars['String']['input']>;
+  before?: InputMaybe<Scalars['String']['input']>;
+  first?: InputMaybe<Scalars['Int']['input']>;
+  last?: InputMaybe<Scalars['Int']['input']>;
+};
+
+
 export type RootQueryTypeApplicationArgs = {
   name: Scalars['String']['input'];
 };
@@ -7155,6 +7216,22 @@ export enum Severity {
   None = 'NONE'
 }
 
+export type SharedSecret = {
+  __typename?: 'SharedSecret';
+  handle: Scalars['String']['output'];
+  insertedAt?: Maybe<Scalars['DateTime']['output']>;
+  name: Scalars['String']['output'];
+  secret: Scalars['String']['output'];
+  updatedAt?: Maybe<Scalars['DateTime']['output']>;
+};
+
+export type SharedSecretAttributes = {
+  name: Scalars['String']['input'];
+  /** the users/groups you want this secret to be delivered to */
+  notificationBindings?: InputMaybe<Array<InputMaybe<PolicyBindingAttributes>>>;
+  secret: Scalars['String']['input'];
+};
+
 export type SinkConfiguration = {
   __typename?: 'SinkConfiguration';
   id: Scalars['ID']['output'];
@@ -7163,11 +7240,13 @@ export type SinkConfiguration = {
 };
 
 export type SinkConfigurationAttributes = {
+  plural?: InputMaybe<PluralSinkAttributes>;
   slack?: InputMaybe<UrlSinkAttributes>;
   teams?: InputMaybe<UrlSinkAttributes>;
 };
 
 export enum SinkType {
+  Plural = 'PLURAL',
   Slack = 'SLACK',
   Teams = 'TEAMS'
 }

charts/console-rapid/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: console-rapid
 description: rapid channel chart for the plural console (used for testing)
 appVersion: 0.10.23
-version: 0.3.49
+version: 0.3.50
 dependencies:
   - name: kas
     version: 0.1.0

charts/console/templates/deployment.yaml

@@ -48,12 +48,28 @@ spec:
             mountPath: /shared
       {{- end }}
       containers:
+      - name: auth
+        {{ if .Values.console.containerSecurityContext }}
+        securityContext:
+        {{- toYaml .Values.console.containerSecurityContext | nindent 10 }}
+        {{ end }}
+        image: "{{ .Values.global.registry }}/{{ .Values.ociAuth.repository }}:{{ .Values.ociAuth.tag | default .Chart.AppVersion }}"
+        imagePullPolicy: {{ .Values.ociAuth.imagePullPolicy }}
+        cmd:
+        - --token-file /shared/token
+        volumeMounts:
+        - name: conf-dir
+          mountPath: /shared
+        ports:
+        - name: http
+          containerPort: 3000
+          protocol: TCP
       - name: console
         {{ if .Values.console.containerSecurityContext }}
         securityContext:
         {{- toYaml .Values.console.containerSecurityContext | nindent 10 }}
         {{ end }}
-        image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+        image: "{{ .Values.global.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
         imagePullPolicy: {{ .Values.image.imagePullPolicy }}
         envFrom:
         - secretRef:
@@ -66,6 +82,8 @@ spec:
         volumeMounts:
         - name: temp-dir
           mountPath: /tmp
+        - name: conf-dir
+          mountPath: /shared
         {{ if .Values.cloud.pgRootCert }}
         - mountPath: /opt/app/certs
           name: pg-cert
@@ -115,6 +133,8 @@ spec:
       volumes:
       - name: temp-dir
         emptyDir: {}
+      - name: conf-dir
+        emptyDir: {}
       {{ if .Values.cloud.pgRootCert }}
       - name: pg-cert
         secret:

charts/console/values.yaml

@@ -5,6 +5,7 @@
 global:
   additionalVolumes: ~
   additionalVolumeMounts: ~
+  registry: ghcr.io/pluralsh
 
 cloud: 
   enabled: false
@@ -31,7 +32,12 @@ secrets:
   admin_password: REPLACEME
 
 image:
-  repository: dkr.plural.sh/console/console
+  repository: console
+  tag: ~
+  imagePullPolicy: IfNotPresent
+
+ociAuth:
+  repository: oci-auth
   tag: ~
   imagePullPolicy: IfNotPresent
 

config/config.exs

@@ -52,6 +52,8 @@ config :console,
   audit_expiry: 30,
   admin_emails: [],
   cloud: false,
+  sidecar_token: "example",
+  sidecar_token_path: "./secrets",
   cache_adapter: Console.Cache,
   local_cache: Console.LocalCache,
   version: Mix.Project.config[:version],
@@ -122,5 +124,6 @@ config :libring,
     cluster: [monitor_nodes: true, node_type: :visible]
   ]
 
+config :tzdata, :autoupdate, :disabled
 
 import_config "#{Mix.env()}.exs"