
feat(cmd/flipt-edge): lean, mean flag evaluating machine

Open GeorgeMac opened this issue 1 year ago • 3 comments

Lean, mean flag evaluating machine.

    _________       __      ______    __
   / ____/ (_)___  / /_    / ____/___/ /___ ____
  / /_  / / / __ \/ __/   / __/ / __  / __ ./ _ \
 / __/ / / / /_/ / /_    / /___/ /_/ / /_/ /  __/
/_/   /_/_/ .___/\__/   /_____/\__,_/\__, /\___/
         /_/                        /____/

Version: dev
Commit: 273158a316cbfff3114110a15d4df9dfe93ec4f1
Build Date: 2024-09-23T10:40:38Z
Go Version: go1.23.0
OS/Arch: darwin/arm64

I'm opening this up as a draft to get it on folks' radars, while I work on other related bits.

➜  mage go:buildedge
...
➜  du -h -d 1 bin/*
118M	bin/flipt
 89M	bin/flipt-edge

This is a proposal PR containing a thinned down Flipt binary, which only supports evaluation. You can think of it as a purely in-memory evaluation proxy. This leaner build is more appropriate for pairing with Cloud as it does not carry around unnecessary baggage.

The following is a list of changes compared with Flipt proper:

  • No UI (purely for evaluations).
  • No management API (read-only, cannot update flag and segment configuration).
  • Only supports the declarative backends (only local, git, object and oci backends).
  • No remote cache (i.e. redis). It doesn't need one, all evaluations are already served directly from memory.
  • No auditing (nothing can be changed by flipt-edge, only evaluated).
  • Minimal authn methods (only JWT for now)

Notes

Storage

This build will continue to support sourcing from declarative (file / snapshot) stores. We're also considering some more remote backends in the near future (these will likely be supported in Flipt too):

  • Vercel Edge
  • Cloudflare KV

Authentication

We only support JWT for now as it is the only truly decentralized / stateless mechanism we have in Flipt. Even the k8s method exchanged a service account token for a client token stored in the backing DB.

We could add support for a few more stateless authn methods like:

  • static client token (configured via env var / file / htpasswd / other secret source).
  • new k8s method (simply always send and validate the service account token (no exchange)).

Outstanding

  • [ ] Review configuration and add validation warnings and errors for non-reachable config
  • [ ] Set up e2e ITs purely running the edge binary
  • [ ] Set up publishing pipelines (purely docker/OCI/linux based for now?)
  • [ ] Documentation including columns in config docs to demonstrate what is and isn't acknowledged between the build versions

GeorgeMac avatar Sep 23 '24 11:09 GeorgeMac
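
The Authentication note above calls JWT the only stateless method because a verifier needs nothing but the issuer's key and a clock. The following sketch is an added example, not code from this PR or from Flipt; it assumes an EdDSA-signed token, and `Mint` and `Verify` are hypothetical names using only the Go standard library.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// Mint builds a constructed sample token; in a deployment the issuer does this, never the edge node.
func Mint(priv ed25519.PrivateKey, alg, sub string, exp int64) string {
	h := b64.EncodeToString([]byte(`{"alg":"` + alg + `","typ":"JWT"}`))
	p := b64.EncodeToString([]byte(fmt.Sprintf(`{"sub":%q,"exp":%d}`, sub, exp)))
	return h + "." + p + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(h+"."+p)))
}

// Verify needs only the issuer's public key and a clock: no token store lookup.
func Verify(tok string, pub ed25519.PublicKey, now time.Time) (string, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	var hdr struct{ Alg string }
	raw, err := b64.DecodeString(parts[0])
	// Pin the algorithm: the token must not choose how it gets verified.
	if err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "EdDSA" {
		return "", errors.New("unexpected alg")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return "", errors.New("bad signature")
	}
	var c struct{ Sub string; Exp int64 }
	raw, err = b64.DecodeString(parts[1])
	// A missing exp decodes as 0 and is rejected along with expired tokens.
	if err != nil || json.Unmarshal(raw, &c) != nil || now.Unix() >= c.Exp {
		return "", errors.New("expired or invalid claims")
	}
	return c.Sub, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	now := time.Now()
	fmt.Println(Verify(Mint(priv, "EdDSA", "svc-a", now.Add(time.Hour).Unix()), pub, now))
}
```

Because nothing is looked up, a token cannot be revoked before its `exp`; short lifetimes and key rotation are the available controls.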

Codecov Report

Attention: Patch coverage is 19.27928% with 448 lines in your changes missing coverage. Please review.

Project coverage is 63.98%. Comparing base (490cc12) to head (2e67c3b). Report is 319 commits behind head on main.

Files with missing lines Patch % Lines
cmd/flipt-edge/main.go 0.00% 194 Missing :warning:
internal/cmd/edge/http.go 4.67% 102 Missing :warning:
internal/cmd/edge/grpc.go 51.39% 73 Missing and 14 partials :warning:
internal/cmd/edge/authn.go 23.25% 33 Missing :warning:
cmd/flipt-edge/completion.go 0.00% 17 Missing :warning:
cmd/flipt-edge/doc.go 0.00% 15 Missing :warning:
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #3491      +/-   ##
==========================================
- Coverage   65.74%   63.98%   -1.77%     
==========================================
  Files         169      175       +6     
  Lines       13629    14206     +577     
==========================================
+ Hits         8961     9089     +128     
- Misses       3983     4415     +432     
- Partials      685      702      +17     
Flag Coverage Δ
unittests 63.98% <19.27%> (-1.77%) :arrow_down:


codecov[bot] avatar Sep 23 '24 17:09 codecov[bot]

@GeorgeMac I set up a nightly workflow that I can't run until this is merged, to test the publishing.

I also was trying to figure out how to set up ITs for just flipt-edge without redoing our entire dagger test suite.. but couldn't come up with a simple way. Any ideas would be appreciated!

markphelps avatar Oct 01 '24 20:10 markphelps

> @GeorgeMac I set up a nightly workflow that I can't run until this is merged, to test the publishing.
>
> I also was trying to figure out how to set up ITs for just flipt-edge without redoing our entire dagger test suite.. but couldn't come up with a simple way. Any ideas would be appreciated!

@markphelps yeah I just took a run at this and then got as far as realizing we don't expose anything under /api/v1 in edge because we don't need it. Which even half of the read-only test suites exercise.

To me the quickest option I currently see is to write evaluation-specific test suites in just to exercise edge. Better would be perhaps to split the readonly suite into separate api v1 and evaluation v1 test suites. Also, taking the opportunity to maybe bring in a more exhausting set of eval tests would be good here.

Also, we could defer doing that and consider edge to be alpha/beta for now until we have that settled.

GeorgeMac avatar Oct 02 '24 12:10 GeorgeMac

I will close this for now. We can revisit in v2 if we decide this is valuable (might even be a primary operating mode for v2).

GeorgeMac avatar Feb 03 '25 10:02 GeorgeMac