Update buildkite-metrics to use the agent metrics api #40
Conversation
|
Random idea, but what if we didn't pass the agent registration token over the wire and instead used a HMAC'd value with the account_id? Still vulnerable to reply attacks, but at least you can't then use that token to register an agent. |
|
@lox I'd love to look into a better authentication exchange, especially I'd love to homogenize our tokens so that a cluster token can do some limited agent api stuff, and an agent token can do limited rest api stuff, etc. It'd be a little interesting, trying to create tokens which included enough information to do a mac exchange. But I think we're sufficiently protected against replay by TLS for the moment: https://www.ssllabs.com/ssltest/analyze.html?d=agent.buildkite.com |
|
I wasn't proposing any sort of key exchange @sj26, just rather than passing in BUILDKITE_AGENT_TOKEN, we'd pass in It means we aren't encouraging people to put the BUILDKITE_AGENT_TOKEN in env anywhere. |
|
Right, right — for the agent setup and env, not the request channel. Yeah, that also kinda gels with what I mean. I was proposing opaque authorization tokens which actually pack information, like our graphql IDs, e.g. But yeah, step 2. |
|
Gotcha! That makes sense. Reckon getting it working like it is makes sense for now anyway. |
|
Tests are looking awesome @sj26 |
|
@lox thanks! They're rough, but they work. I think maybe some README updates and this is good for release, with some published caveats that it drops a bunch of metrics from the previous version around builds and historical — this is purely for job/agent workload metrics. Do you know many folks using it beyond the elastic stack? |
|
Happy to merge with some README changes! |
|
🚢 |
This is super rough, but it works.