feat: health and config endpoint service #7524
Open
+508
−9
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
A-si-settings
Dependency Review✅ No vulnerabilities or OpenSSF Scorecard issues found.Scanned FilesNone |
sprutton1
force-pushed
the
scott/health
branch
from
f90e181 to
a160d3b
Compare
Contributor
Author
|
/try |
|
Okay, starting a try! I'll update this comment once it's running... |
There was a problem hiding this comment.
Pull Request Overview
Adds a reusable HTTP service for health and config endpoints and integrates it across services. Also introduces secure serialization/redaction for sensitive config fields to make /config dumps safe.
- New si-service-endpoints crate (Axum router + server + config)
- Integrates ServiceEndpointsConfig into multiple servers with sensible defaults
- Redacts sensitive fields (e.g., passwords/keys) in serialized configs
Reviewed Changes
Copilot reviewed 26 out of 32 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| lib/si-service-endpoints/src/lib.rs | Defines DefaultServiceEndpoints, ServiceEndpointsConfig, and error types to back health/config endpoints. |
| lib/si-service-endpoints/src/server.rs | Implements an HTTP server wrapper with graceful shutdown for the endpoints. |
| lib/si-service-endpoints/src/axum_integration.rs | Axum router and handlers for /health and /config. |
| lib/si-service-endpoints/Cargo.toml | New crate manifest for si-service-endpoints. |
| lib/si-service-endpoints/BUCK | Buck target for the new crate. |
| lib/si-std/src/string.rs | SensitiveString now serializes as "..." and updates tests accordingly. |
| lib/si-data-pg/src/lib.rs | Prevents certificate from being serialized in config dumps. |
| lib/si-crypto/src/veritech/config.rs | Skips serializing crypto key material in configs. |
| lib/si-crypto/src/symmetric.rs | Skips serializing symmetric key material in configs. |
| lib/pinga-server/* | Re-exports endpoint types, adds ServiceEndpointsConfig to runtime config and defaults. |
| lib/rebaser-server/* | Re-exports endpoint types, adds ServiceEndpointsConfig to runtime config and defaults. |
| lib/forklift-server/* | Re-exports endpoint types, adds ServiceEndpointsConfig to runtime config and defaults. |
| lib/edda-server/* | Re-exports endpoint types, adds ServiceEndpointsConfig to runtime config and defaults. |
| lib/veritech-server/* | Re-exports endpoint types, adds ServiceEndpointsConfig to runtime config and defaults. |
| BUCK/Cargo updates | Adds si-service-endpoints dependency to relevant crates. |
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
sprutton1
force-pushed
the
scott/health
branch
from
a160d3b to
88c89be
Compare
sprutton1
force-pushed
the
scott/health
branch
from
88c89be to
95bf969
Compare
Contributor
Author
|
/try |
|
Okay, starting a try! I'll update this comment once it's running... |
nickgerace
approved these changes
Oct 23, 2025
Comment on lines
+75
to
+84
| let endpoints_server = if config.service_endpoints().enabled { | ||
| let endpoints = edda_server::DefaultServiceEndpoints::from_config("edda", &config)?; | ||
| Some(edda_server::EndpointsServer::new( | ||
| std::sync::Arc::new(endpoints), | ||
| config.service_endpoints().clone(), | ||
| endpoints_token.clone(), | ||
| )) | ||
| } else { | ||
| None | ||
| }; |
| @@ -44,7 +45,7 @@ impl ConfigError { | |||
| type Result<T> = std::result::Result<T, ConfigError>; | |||
|
|
|||
| /// The config for the forklift server. | |||
| #[derive(Debug, Builder)] | |||
| #[derive(Debug, Builder, Serialize)] | |||
Contributor
There was a problem hiding this comment.
Ah... we must serialize these for the config endpoint... took me a moment. This is a great idea.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
How does this PR change the system?
/healthendpoint and a/configendpoint that dumps the service's computed configSensitiveStringtypesScreenshots:
On service startup
Testing:
❯ curl -s localhost:33665/{health,config} | jq { "status": "healthy" } { "service": "rebaser", "config": { "pg_pool": { "user": "si", "password": "...", "dbname": "si", "application_name": "rebaser", "hostname": "localhost", "port": 5432, "pool_max_size": 128, "pool_timeout_wait_secs": null, "pool_timeout_create_secs": null, "pool_timeout_recycle_secs": null, "pool_total_connection_lifetime_secs": 72000, "pool_idle_connection_lifetime_secs": 21600, "pool_lifetime_check_interval_secs": null, "recycling_method": null }, "nats": { "connection_name": "rebaser", "creds": null, "creds_file": null, "subject_prefix": null, "url": "localhost" }, "crypto": {}, "symmetric_crypto_service": {}, "layer_db_config": { "pg_pool_config": { "user": "si", "password": "...", "dbname": "si_layer_db", "application_name": "rebaser", "hostname": "localhost", "port": 5432, "pool_max_size": 128, "pool_timeout_wait_secs": null, "pool_timeout_create_secs": null, "pool_timeout_recycle_secs": null, "pool_total_connection_lifetime_secs": 72000, "pool_idle_connection_lifetime_secs": 21600, "pool_lifetime_check_interval_secs": null, "recycling_method": null }, "nats_config": { "connection_name": "rebaser", "creds": null, "creds_file": null, "subject_prefix": null, "url": "localhost" }, "cache_config": { "name": "default", "memory_reserved_percent": 40, "memory_usable_max_percent": 100, "disk_layer": true, "disk_reserved_percent": 5, "disk_usable_max_percent": 100, "disk_admission_rate_limit": 1073741824, "disk_buffer_size": 134217728, "disk_buffer_flushers": 2, "disk_indexer_shards": 64, "disk_path": "/tmp/nix-shell.EHJBad/default-cache-2MGVoF", "disk_reclaimers": 2, "disk_recover_concurrency": 8 } }, "instance_id": "01K7MMJFQHSXD23B5MMXTEJN04", "concurrency_limit": null, "quiescent_period": { "secs": 300, "nanos": 0 }, "features": { "generate_mvs": true }, "snapshot_eviction_grace_period": { "secs": 0, "nanos": 0 }, "service_endpoints": { "enabled": true, "bind_address": "127.0.0.1:0", "health_endpoint": "/health", "config_endpoint": "/config" } } }Out of Scope:
I want to extend this to allow services that already have an axum stack to just use it there, but it's a but more complicated, so I'm punting for sdf and luminork for now.
How was it tested?
Locally it works! Try passes!
In short: 🔗