github robintra/perf-sentinel v0.5.3

What's new in v0.5.3

Authenticated Prometheus support on the daemon's three outbound scrapers. [green.cloud], [green.scaphandre] and the pg_stat Prometheus scrape path each gain an optional auth_header TOML field, plus --auth-header on perf-sentinel pg-stat and --pg-stat-auth-header on perf-sentinel report. This unlocks Grafana Cloud, Grafana Mimir and any Prometheus sitting behind bearer/basic auth without a local port-forward. Headers are marked sensitive so hyper redacts them from debug output and HPACK tables. Each config's manual Debug impl replaces auth_header with [REDACTED] so a stray tracing::debug!(?cfg) never leaks the credential. A parse failure at startup disables the scraper with a tracing::error! rather than retry-spamming. Three new env vars (PERF_SENTINEL_CLOUD_AUTH_HEADER, PERF_SENTINEL_SCAPHANDRE_AUTH_HEADER, PERF_SENTINEL_PGSTAT_AUTH_HEADER) take precedence over the config or flag value, matching the Electricity Maps PERF_SENTINEL_EMAPS_TOKEN precedence. A startup warning nudges toward the env var when the credential is supplied via the config file or CLI flag.

Added

  • auth_header on [green.cloud] and [green.scaphandre] TOML sections. Optional curl-format "Name: Value" string attached to every outbound Prometheus request. Required for Grafana Cloud, Grafana Mimir or any ingress enforcing bearer/basic auth. Manual Debug impl on both config structs redacts the field so it can never land in a diagnostic log.
  • --auth-header on perf-sentinel pg-stat. Pairs with --prometheus. Same "Name: Value" format as --auth-header on tempo / jaeger-query.
  • --pg-stat-auth-header on perf-sentinel report. Pairs with --pg-stat-prometheus. Same format and semantics.
  • Env-var precedence with startup warn. PERF_SENTINEL_CLOUD_AUTH_HEADER, PERF_SENTINEL_SCAPHANDRE_AUTH_HEADER and PERF_SENTINEL_PGSTAT_AUTH_HEADER take precedence over the config or CLI flag value. Mirrors PERF_SENTINEL_EMAPS_TOKEN.
  • Config-load validation. Malformed auth_header values (empty, wrong format, forbidden framing headers, CR/LF injection attempts, >8 KiB input) fail at .perf-sentinel.toml load time with a clear error instead of silently disabling the scraper at spawn.
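The config-load checks listed above, sketched as a stand-alone validator. This is an added example, not perf-sentinel's own code: the function name, the error type and the list of forbidden framing headers are assumptions, since the release notes do not enumerate them.

```rust
// Added example, not perf-sentinel source. Names and the forbidden list are assumptions.
const MAX_LEN: usize = 8 * 1024; // the 8 KiB cap named in the release notes
// Assumed "framing" headers; the release notes do not enumerate them.
const FORBIDDEN: [&str; 4] = ["host", "content-length", "transfer-encoding", "connection"];

#[derive(Debug, PartialEq)]
pub enum AuthHeaderError { Empty, TooLong, ControlChar, MissingColon, BadName, Forbidden, EmptyValue }

/// Parse a curl-format "Name: Value" string into (name, value), or say why not.
pub fn parse_auth_header(raw: &str) -> Result<(String, String), AuthHeaderError> {
    if raw.trim().is_empty() {
        return Err(AuthHeaderError::Empty);
    }
    if raw.len() > MAX_LEN {
        return Err(AuthHeaderError::TooLong);
    }
    // Reject CR, LF and every other control character before splitting, so a
    // value can never smuggle a second header line into the outbound request.
    if raw.chars().any(char::is_control) {
        return Err(AuthHeaderError::ControlChar);
    }
    let (name, value) = raw.split_once(':').ok_or(AuthHeaderError::MissingColon)?;
    let (name, value) = (name.trim(), value.trim());
    // Header names are RFC 9110 tokens: ASCII letters, digits and a few symbols.
    let is_token = |c: char| c.is_ascii_alphanumeric() || "!#$%&'*+-.^_`|~".contains(c);
    if name.is_empty() || !name.chars().all(is_token) {
        return Err(AuthHeaderError::BadName);
    }
    if FORBIDDEN.iter().any(|f| name.eq_ignore_ascii_case(f)) {
        return Err(AuthHeaderError::Forbidden);
    }
    if value.is_empty() {
        return Err(AuthHeaderError::EmptyValue);
    }
    Ok((name.to_string(), value.to_string()))
}

fn main() {
    // Constructed inputs: one valid header and one CR/LF injection attempt.
    for raw in ["Authorization: Bearer example-token", "X-Scope-OrgID: 1\r\nHost: evil"] {
        println!("{:?} -> {:?}", raw, parse_auth_header(raw));
    }
}
```

The control-character check runs before the split on purpose: an error raised at that point never has to format the raw value, so the credential stays out of the error path.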

Changed

  • BREAKING (perf-sentinel-core, pre-1.0 so minor-bump allowed). http_client::fetch_get and ingest::pg_stat::fetch_from_prometheus gain an auth / auth_header parameter. score::cloud_energy::config::CloudEnergyConfig and score::scaphandre::config::ScaphandreConfig gain an auth_header: Option<String> field and replace the derived Debug impl with a manual redacting one. External consumers calling these directly must pass None (or add auth_header: None to struct literals) for the current behavior.

Fixed

  • Cleartext HTTP + auth header emits tracing::warn!. When a configured scraper endpoint starts with http:// and an auth_header is set, a warning fires once at startup so a typo is caught before the credential traverses the network in the clear.
  • Malformed auth headers fail fast. An invalid auth_header string logs a tracing::error! and disables the affected scraper subsystem at spawn rather than retry-spamming on every scrape tick.
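The redacting Debug impl, the env-var precedence and the cleartext check described in the Added, Changed and Fixed entries, shown together on a small config type. This is an added example, not perf-sentinel's code: ScraperConfig, resolve_auth and cleartext_with_auth are hypothetical names, and the endpoint and token are constructed values.

```rust
use std::fmt;

// Hypothetical stand-in for a scraper config section; not a perf-sentinel type.
#[derive(Clone, Default)]
pub struct ScraperConfig {
    pub endpoint: String,
    pub auth_header: Option<String>,
}

// Manual impl instead of #[derive(Debug)]: the credential never reaches a
// formatter, while Some/None still shows whether one is configured.
impl fmt::Debug for ScraperConfig {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        let redacted = self.auth_header.as_ref().map(|_| "[REDACTED]");
        f.debug_struct("ScraperConfig")
            .field("endpoint", &self.endpoint)
            .field("auth_header", &redacted)
            .finish()
    }
}

/// Env var beats the config/flag value. The bool is true when the credential
/// came from config or flag, the case that earns the startup warning.
pub fn resolve_auth(env: Option<String>, configured: Option<String>) -> (Option<String>, bool) {
    match (env, configured) {
        (Some(e), _) => (Some(e), false),
        (None, Some(c)) => (Some(c), true),
        (None, None) => (None, false),
    }
}

/// True when a credential would cross the network over cleartext HTTP.
pub fn cleartext_with_auth(cfg: &ScraperConfig) -> bool {
    cfg.auth_header.is_some() && cfg.endpoint.starts_with("http://")
}

fn main() {
    let env = std::env::var("PERF_SENTINEL_CLOUD_AUTH_HEADER").ok();
    // Constructed config value; a real one would come from .perf-sentinel.toml.
    let (auth_header, from_config) = resolve_auth(env, Some("Authorization: Bearer example".into()));
    let cfg = ScraperConfig { endpoint: "http://prometheus.example:9090".into(), auth_header };
    println!("{:?} warn_env={} warn_cleartext={}", cfg, from_config, cleartext_with_auth(&cfg));
}
```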

Tests

  • New on-wire tests for fetch_get, fetch_from_prometheus, the cloud scraper and the scaphandre scraper that spawn a TcpListener, capture the outgoing request bytes and assert the Authorization header lands on the socket. Shared harness extracted into test_helpers::spawn_capture_server, removing ~110 lines of duplicated listener + mpsc scaffolding and consolidating the pattern in one place.
  • Shared assert_debug_redacts_secret! macro unifies the three config-Debug regression tests (cloud_energy, scaphandre, electricity_maps). Catches any accidental #[derive(Debug)] re-introduction on the config structs.

Docs

  • New "Authenticated Prometheus endpoint" subsections under the Scaphandre, cloud-native energy and pg_stat sections of docs/INTEGRATION.md plus French parity in docs/FR/INTEGRATION-FR.md. Full recipes for config, env var, and cleartext-warn behavior.

Install

Prebuilt binaries (Linux amd64 / arm64, macOS arm64, Windows amd64):

curl -LO https://github.com/robintra/perf-sentinel/releases/download/v0.5.3/perf-sentinel-linux-amd64
chmod +x perf-sentinel-linux-amd64
sudo mv perf-sentinel-linux-amd64 /usr/local/bin/perf-sentinel

Linux binaries are statically linked against musl and run on any distribution (Alpine, Debian, RHEL, Ubuntu, any version) regardless of glibc version, and inside FROM scratch images.

From crates.io:

cargo install perf-sentinel

Docker:

docker run --rm -p 4317:4317 -p 4318:4318 \
  ghcr.io/robintra/perf-sentinel:0.5.3 watch --listen-address 0.0.0.0

Also available on Docker Hub: robintrassard/perf-sentinel:0.5.3.

Helm (chart 0.2.3 ships 0.5.3 as its appVersion default):

helm install perf-sentinel oci://ghcr.io/robintra/charts/perf-sentinel \
  --version 0.2.3 \
  --namespace observability --create-namespace

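Verify the binary against SHA256SUMS.txt (run this from the directory that holds the downloaded file, before it is moved or renamed, because sha256sum -c matches entries by file name):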

curl -LO https://github.com/robintra/perf-sentinel/releases/download/v0.5.3/SHA256SUMS.txt
sha256sum -c SHA256SUMS.txt --ignore-missing

Full diff: v0.5.2...v0.5.3
