feat(kms-provider): measure the Vault Transit DEK operations#3536
Conversation
The KMS provider's three outbound Vault Transit calls -- encrypt, decrypt, and generate-data-key for DEK wrap/unwrap -- were invisible: a remote Transit failure surfaced in no metric. Each now runs through the framework's RED helper.
- `encrypt_dek`, `decrypt_dek`, and `generate_and_wrap_dek` wrap their Transit call in `red::instrumented("vault_transit", op, ...)`, recording `carbide_external_call_duration_milliseconds{backend = "vault_transit", operation, outcome}` -- the duration, the request and error rate (the `_count` split by outcome), and a WARN on failure.
- It reuses the existing outbound-RED family, so there are no new catalogue rows, and DEK plaintext and `kek_id` stay out of every label and log line, as before.
This supports NVIDIA#3173
Signed-off-by: Chet Nichols III <chetn@nvidia.com>
|
@coderabbitai full_review, thanks! |
|
🐰✨ ✅ Action performedFull review finished. |
Summary by CodeRabbit
WalkthroughThe KMS provider adds a local ChangesVault Transit instrumentation
Estimated code review effort: 2 (Simple) | ~10 minutes 🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
🧹 Nitpick comments (1)
crates/kms-provider/src/providers/transit.rs (1)
140-149: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick winAdd call-site regression coverage for all three operations.
The existing RED helper tests do not prove that the KMS provider emits the exact
vault_transit/operation labels for encrypt, decrypt, and data-key generation. Add table-driven tests covering success, failure metrics, WARN behavior, and unchanged error propagation.Also applies to: 171-180, 212-221
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@crates/kms-provider/src/providers/transit.rs` around lines 140 - 149, Add table-driven call-site regression tests for the provider’s encrypt, decrypt, and data-key generation methods, covering successful and failed RED calls, WARN behavior, and unchanged error propagation. Assert each operation emits the exact vault_transit service label and corresponding encrypt_dek, decrypt_dek, or generate_data_key operation label, while preserving existing helper tests and provider behavior.Source: Coding guidelines
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@crates/kms-provider/src/providers/transit.rs`:
- Around line 140-149: Add table-driven call-site regression tests for the
provider’s encrypt, decrypt, and data-key generation methods, covering
successful and failed RED calls, WARN behavior, and unchanged error propagation.
Assert each operation emits the exact vault_transit service label and
corresponding encrypt_dek, decrypt_dek, or generate_data_key operation label,
while preserving existing helper tests and provider behavior.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: bb02d54f-24c9-467a-8b37-3a7ba6baf732
⛔ Files ignored due to path filters (1)
Cargo.lockis excluded by!**/*.lock
📒 Files selected for processing (2)
crates/kms-provider/Cargo.tomlcrates/kms-provider/src/providers/transit.rs
🔍 Container Scan Summary
Per-CVE detail lives in the per-service |
The KMS provider's three outbound Vault Transit calls -- encrypt, decrypt, and generate-data-key for DEK wrap/unwrap -- were invisible: a remote Transit failure surfaced in no metric. Each now runs through the framework's RED helper.
encrypt_dek,decrypt_dek, andgenerate_and_wrap_dekwrap their Transit call inred::instrumented("vault_transit", op, ...), recordingcarbide_external_call_duration_milliseconds{backend = "vault_transit", operation, outcome}-- the duration, the request and error rate (the_countsplit by outcome), and a WARN on failure.kek_idstay out of every label and log line, as before.This supports #3173