Skip to content

feat(kms-provider): measure the Vault Transit DEK operations#3536

Open
chet wants to merge 1 commit into
NVIDIA:mainfrom
chet:gh-issue-3173-kms
Open

feat(kms-provider): measure the Vault Transit DEK operations#3536
chet wants to merge 1 commit into
NVIDIA:mainfrom
chet:gh-issue-3173-kms

Conversation

@chet

@chet chet commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

The KMS provider's three outbound Vault Transit calls -- encrypt, decrypt, and generate-data-key for DEK wrap/unwrap -- were invisible: a remote Transit failure surfaced in no metric. Each now runs through the framework's RED helper.

  • encrypt_dek, decrypt_dek, and generate_and_wrap_dek wrap their Transit call in red::instrumented("vault_transit", op, ...), recording carbide_external_call_duration_milliseconds{backend = "vault_transit", operation, outcome} -- the duration, the request and error rate (the _count split by outcome), and a WARN on failure.
  • It reuses the existing outbound-RED family, so there are no new catalogue rows, and DEK plaintext and kek_id stay out of every label and log line, as before.

This supports #3173

The KMS provider's three outbound Vault Transit calls -- encrypt, decrypt, and generate-data-key for DEK wrap/unwrap -- were invisible: a remote Transit failure surfaced in no metric. Each now runs through the framework's RED helper.

- `encrypt_dek`, `decrypt_dek`, and `generate_and_wrap_dek` wrap their Transit call in `red::instrumented("vault_transit", op, ...)`, recording `carbide_external_call_duration_milliseconds{backend = "vault_transit", operation, outcome}` -- the duration, the request and error rate (the `_count` split by outcome), and a WARN on failure.
- It reuses the existing outbound-RED family, so there are no new catalogue rows, and DEK plaintext and `kek_id` stay out of every label and log line, as before.

This supports NVIDIA#3173

Signed-off-by: Chet Nichols III <chetn@nvidia.com>
@chet chet requested a review from a team as a code owner July 15, 2026 06:07
@chet

chet commented Jul 15, 2026

Copy link
Copy Markdown
Contributor Author

@coderabbitai full_review, thanks!

@coderabbitai

coderabbitai Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

@chet, sure thing — kicking off a full review of all changes in this PR now.

🐰✨

✅ Action performed

Full review finished.

@coderabbitai

coderabbitai Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Summary by CodeRabbit

  • New Features

    • Added enhanced monitoring around Vault Transit DEK operations (encrypt, decrypt, and data-key generation), capturing operation context for clearer visibility.
  • Bug Fixes

    • No user-facing bug fixes included.

Walkthrough

The KMS provider adds a local carbide-instrument dependency and instruments Vault Transit encryption, decryption, and data-key generation calls without changing their request arguments or response handling.

Changes

Vault Transit instrumentation

Layer / File(s) Summary
Instrument Transit operations
crates/kms-provider/Cargo.toml, crates/kms-provider/src/providers/transit.rs
Adds the instrumentation dependency and wraps Transit encrypt, decrypt, and data-key generation calls with red::instrumented(...) operation labels.

Estimated code review effort: 2 (Simple) | ~10 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately summarizes the main change: measuring Vault Transit DEK operations in the KMS provider.
Description check ✅ Passed The description is directly related to the change and correctly describes the new RED instrumentation for Vault Transit calls.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
crates/kms-provider/src/providers/transit.rs (1)

140-149: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Add call-site regression coverage for all three operations.

The existing RED helper tests do not prove that the KMS provider emits the exact vault_transit/operation labels for encrypt, decrypt, and data-key generation. Add table-driven tests covering success, failure metrics, WARN behavior, and unchanged error propagation.

Also applies to: 171-180, 212-221

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@crates/kms-provider/src/providers/transit.rs` around lines 140 - 149, Add
table-driven call-site regression tests for the provider’s encrypt, decrypt, and
data-key generation methods, covering successful and failed RED calls, WARN
behavior, and unchanged error propagation. Assert each operation emits the exact
vault_transit service label and corresponding encrypt_dek, decrypt_dek, or
generate_data_key operation label, while preserving existing helper tests and
provider behavior.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@crates/kms-provider/src/providers/transit.rs`:
- Around line 140-149: Add table-driven call-site regression tests for the
provider’s encrypt, decrypt, and data-key generation methods, covering
successful and failed RED calls, WARN behavior, and unchanged error propagation.
Assert each operation emits the exact vault_transit service label and
corresponding encrypt_dek, decrypt_dek, or generate_data_key operation label,
while preserving existing helper tests and provider behavior.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: bb02d54f-24c9-467a-8b37-3a7ba6baf732

📥 Commits

Reviewing files that changed from the base of the PR and between eb4ea22 and 2450fb9.

⛔ Files ignored due to path filters (1)
  • Cargo.lock is excluded by !**/*.lock
📒 Files selected for processing (2)
  • crates/kms-provider/Cargo.toml
  • crates/kms-provider/src/providers/transit.rs

@github-actions

Copy link
Copy Markdown

🔍 Container Scan Summary

Service Total Critical High Medium Low Other
boot-artifacts-aarch64 3 0 0 3 0 0
boot-artifacts-x86_64 3 0 0 3 0 0
forge-admin-cli-x86_64 259 13 30 78 7 131
machine-validation-runner 807 40 234 288 36 209
machine_validation 807 40 234 288 36 209
machine_validation-aarch64 807 40 234 288 36 209
nvmetal-carbide 807 40 234 288 36 209
TOTAL 3493 173 966 1236 151 967

Per-CVE detail lives in the per-service grype-* artifacts (JSON + SARIF). Severity counts only — no CVE IDs published here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant