include source_app label in StatsD

[omgitsbillryan]

Description of change

Adds a source_app label to the StatsD metrics that vets-api serves to prometheus. This value comes from a header that vets-website passes on each request to vets-api (link to that PR)

Testing done

rspec

Testing planned

• Discover if nginx (revproxy) automatically passes on the header from the browser onto vets-api

Applies to all PRs

• Appropriate logging
• Swagger docs have been updated, if applicable
• Provide link to originating GitHub issue, or connected to it via ZenHub
• Does not contain any sensitive information (i.e. PII/credentials/internal URLs/etc., in logging, hardcoded, or in specs)
• Provide which alerts would indicate a problem with this functionality (if applicable)

[omgitsbillryan]

    # We should never use a dynamic path to apply the tag for the instrumentation,
    # since this will permit a rogue actor to increase the number of time series
    # exported from the process and causes instability in the metrics system.

@wyattwalter do you see a problem with this given the ominous comment ☝️ . We do perform a whitelist later on.

[omgitsbillryan]

I suppose my real question is: does this warrant some changes in our prometheus storage config?

I came across a prior postmortem, where we created a new label that had an infinite number of possible values. In practice, I'm not sure where that breaking point is of how many possible values warrant config changes.

Is trying to calculate the storage impact upfront a practical solution? Or is it best to merge and then monitor?

[annaswims]

LGTM - I'd still like to hear @wyattwalter's opinion on additional tags before it's merged

[omgitsbillryan]

@cvalarida I got this list by looking in vets-website for all manifest.json files and finding the line:

"entryName": "foo"

Do you know if this list is complete?

[cvalarida]

That's as complete as I think we can get right now. You can verify this by running yarn apps or (npm run apps). That'll do the same thing.

[wyattwalter]

I think ideally we'd put this into configuration somehow. Either load it from an endpoint on process startup or during the rendering of the deploy configuration.

[omgitsbillryan]

Created a ticket for this: department-of-veterans-affairs/va.gov-team#4421

[annaswims]

how do we intend for FE engineers to know to keep this list up to date? Can you add a comment, so people in the future know that this should be kept up to date manually and FE engineers

[omgitsbillryan]

Good question. Some thoughts and stuff:

• added logic to warn to sentry when an unrecognized Source-App-Name header comes in
• add instructional comment on how to regenerate
• if we're out of date on the whitelist it isnt that big of a deal, it will result in some small holes in our metrics

[wyattwalter]

Would this send an alert to Sentry? That would create a similar problem if we're generating a job just for that. Though, I suppose we want to know when it happens?

[omgitsbillryan]

Yes it sends to sentry, and yes we want to know when this happens.

You're poking at the fact that a malicious user could load up our sidekiq queues? Since we use sidekiq enterprise, we could enforce some rate limiting / throttling on this call to Sentry.

Alternatively, we could use the Rails.logger and setup a metric log filter + alert.

I think I'll just remove it altogether for now and create a new ticket since knowing when this happens can happen a bit later.

[wyattwalter]

We need to make sure that every metric sent to statsd with the same name has the same labels too. I'm not sure if null or an empty string is preferable to the library, but they should all have the same "shape" (i.e. labels).

[omgitsbillryan]

K. J/w - what happens if we don't?