feat(flow-templates): inspect NetFlow/IPFIX templates in web UI #3243

Open

mikemiles-dev wants to merge 5 commits from mikemiles-dev/flow-templates-ui into staging AGit

pull from: mikemiles-dev/flow-templates-ui

merge into: carverauto:staging

carverauto:staging

carverauto:demo/prod-release

carverauto:add-dashboard-srql-service-views

carverauto:enhance-dashboard-creator-visual-builder

carverauto:fix-release-1-2-78-ci-failures

carverauto:refactor-agent-plugin-runtime

carverauto:add-dashboard-creator

carverauto:update/plugin-system

carverauto:add-service-monitoring-foundation

carverauto:fix/cli-auth-settings-navigation

carverauto:fix/device-unknown-facet

carverauto:fix-plugin-assignment-upgrades

carverauto:fix/sweep-profile-mode-status

carverauto:fix/armis-northbound-fixes

carverauto:fix-proxmox-console-react-client-render

carverauto:fix-openbao-signing-job-token-mount

carverauto:fix-services-plugin-status-read-model

carverauto:fix-stream-status-final-chunk

carverauto:codex/fix-prod-armis-sync-icmp

carverauto:fix-demo-cnpg-operator-networkpolicy

carverauto:update/docs-cleanup

carverauto:fix-armis-northbound-raw-token-auth

carverauto:fix-armis-northbound-stuck-running

carverauto:update-manual-device-hostname-readd

carverauto:fix/observability-severity-card-links

carverauto:renovate/debian_testing_slim-testing-slim

carverauto:docs/kubernetes-ingestion-gateway

carverauto:fix/flow-collector-external-network-policy

carverauto:fix/armis-availability-and-stream-config

carverauto:refactor-fast-fresh-db-bootstrap

carverauto:fix/cnpg-not-found

carverauto:fix/docker-update/cnpg

carverauto:renovate/debian_bookworm_slim-bookworm-slim

carverauto:add-socket-firewall-ci

carverauto:add-ipv6-sweep-scanners

carverauto:fix-armis-northbound

carverauto:add-streamed-agent-config

carverauto:fix/sweep-ip-family-routing

carverauto:codex/fix-core-migration-hook-upgrade

carverauto:renovate/arc_runner

carverauto:renovate/actions_runner

carverauto:codex/remote-access-desktop-rdp

carverauto:updates/missing-fixes

carverauto:fix/batched-sweep-targets

carverauto:fix/agent-sysmon-memory-growth

carverauto:fix/armis-northbound-single-run-and-timestamps

carverauto:release/1.2.67

carverauto:fix/wasm-plugin-service-status

carverauto:fix/armis-names-string

carverauto:codex/harden-remote-access-app-tcp-followup

carverauto:codex/harden-remote-access-app-tcp

carverauto:codex/harden-gateway-proxy-auth

carverauto:codex/harden-remote-access-destroy-rbac

carverauto:codex/harden-ssh-ca-remote-access

carverauto:codex/harden-remote-access-broker-registry

carverauto:codex/harden-remote-access-approval-policy

carverauto:codex/harden-remote-access-file-transfer

carverauto:codex/harden-remote-access-attach-ticket

carverauto:fix-release-plugin-list-cleanup

carverauto:codex/harden-grpc-logger-payloads

carverauto:propose-interface-action-target-context

carverauto:add-signed-northbound-action-callbacks

carverauto:fix/reap-stale-self-scheduled-oban-jobs

carverauto:fix/device-logs-tab-async

carverauto:fix/device-metadata-summary

carverauto:fix/northbound-launch-target-auth

carverauto:fix/northbound-provider-atomic-read

carverauto:proposal/add-sample-northbound-wasm-plugin

carverauto:proposal/northbound-action-integrations

carverauto:fix/ansible-run-job-device-launch

carverauto:codex/fix-audit-events-shell-theme

carverauto:codex/fix-sweep-tcp-availability

carverauto:codex/fix-armis-names-string

carverauto:fix/update-nats-2-14

carverauto:fix/elixir-quality-release-blockers

carverauto:fix/latest-release-device-ingest-ui-bugs

carverauto:fix/release-1.2.61-ci-failures

carverauto:fix/web-ng-precommit-format

carverauto:fix/wasm-tinygo-go125

carverauto:fix/agent-file-transfer-bazel-src

carverauto:fix/release-key-stamp-root

carverauto:fix/release-1.2.59-staging

carverauto:main

carverauto:fix/agent-accept-deprecated-remote-access-config

carverauto:fix/device-results-count-facets

carverauto:fix/bazelisk-installer-retries

carverauto:fix/tinygo-host-toolchain-fetch

carverauto:add-per-agent-availability

carverauto:fix/forgejo-release-multipart-assets

carverauto:fix/agent-config-stale-session

carverauto:fix/mtr-hop-dns-resolution

carverauto:fix/hostname-only-device-create

carverauto:fix/otlp-log-metadata-sanitization

carverauto:fix/sweep-icmp-legacy-mode-classification

carverauto:add-nats-object-store-retention

carverauto:fix/helm-serviceradar-state-pvc

carverauto:harden/forgejo-ci-nonroot

carverauto:codex/expand-remote-access-teleport-parity

carverauto:fix/sweep-port-history-consistency

carverauto:fix/remote-access-ssh-feature-flag

carverauto:fix/devices-refresh-artifacts

carverauto:fix/identity-ingestion-sweep-availability

carverauto:spec/identity-cache-ingestion-correctness

carverauto:fix/sweep-mapper-promotion-stale-cache

carverauto:fix/sweep-provisional-duplicate-ip

carverauto:fix/sweep-target-invalid-ip-order

carverauto:fix/armis-large-sync-streaming

carverauto:fix/docusaurus-blog-build-date

carverauto:fix/armis-sync-compat-deep-dive

carverauto:fix/awx-controller-credential-secret

carverauto:fix/demo-release-source-branch

carverauto:demo/release-v1.2.44-source-fix

carverauto:codex/teleport-agent-routed-remote-access

carverauto:feature/agent-config-dependency-catalog

carverauto:proposal/agent-config-dependency-catalog

carverauto:bugfix/armis-credentials-save-display

carverauto:bugfix/armis-integration-credentials

carverauto:fix/web-ng-precommit-formatting

carverauto:bugfix/armis-secret-config-push

carverauto:feature/close-controllers-to-pipelines

carverauto:carverauto/extract-palisade

carverauto:feature/migrate-dashboard-cli-to-plugs

carverauto:feature/audit-history-page

carverauto:feature/migrate-controllers-to-security-pipelines

carverauto:fix/security-events-test-and-retention-worker

carverauto:feature/add-platform-security-hardening

carverauto:demo-rollout-proxmox-bazel-fix

carverauto:bug/armis-sync-issues

carverauto:add-virtualization-srql-queries

carverauto:add-proxmox-ingestion-hardening-tests

carverauto:add-ssh-private-key-credential-rules

carverauto:redact-plugin-credential-material

carverauto:add-credential-rules-settings-entry

carverauto:add-credential-rules-settings-flows

carverauto:require-network-credential-broker-grants

carverauto:preview-credential-rule-target-scope

carverauto:add-proxmox-credential-secret-preset

carverauto:harden-credential-rules-live-tests

carverauto:clarify-proxmox-plugin-credential-modes

carverauto:docs-proxmox-credential-operations

carverauto:fingerprint-proxmox-candidates

carverauto:proxmox-resource-efficiency-dashboard

carverauto:proxmox-console-security-docs

carverauto:proxmox-focused-quality-validation

carverauto:proxmox-metric-baseline-alerts

carverauto:proxmox-device-scoped-logs

carverauto:proxmox-defer-vector-log-forwarding

carverauto:proxmox-console-session-tickets

carverauto:proxmox-console-xterm-shell

carverauto:proxmox-console-websocket-broker

carverauto:proxmox-console-control-frames

carverauto:proxmox-console-agent-session-manager

carverauto:proxmox-console-plugin-pty-bridge

carverauto:proxmox-console-assignment-materializer

carverauto:proxmox-console-ssh-connector

carverauto:proxmox-console-agent-local-broker

carverauto:proxmox-console-device-actions

carverauto:proxmox-console-stream-timeouts

carverauto:proxmox-console-guest-mode-gating

carverauto:proxmox-console-ci-race-fix

carverauto:fix/falco-alert-routing-datasvc-channel

carverauto:fix-agent-release-page-bugs

carverauto:add-proxmox-device-details-summary

carverauto:add-proxmox-virtualization-ingestor

carverauto:add-virtualization-inventory-schema

carverauto:add-proxmox-infrastructure-inventory

carverauto:add-proxmox-plugin-live-smoke

carverauto:add-proxmox-local-api-smoke

carverauto:add-proxmox-credential-test-dispatch

carverauto:add-proxmox-credential-test-plan

carverauto:add-network-credential-rule-preview

carverauto:add-proxmox-plugin-inventory-details

carverauto:add-proxmox-credential-reconcile-worker

carverauto:add-proxmox-credential-assignment-materializer

carverauto:add-plugin-input-template-secret-refs

carverauto:add-proxmox-plugin-policy-inputs

carverauto:add-proxmox-wasm-plugin-scaffold

carverauto:add-network-credential-rules-model

carverauto:add-proxmox-plugin-credential-rules

carverauto:fix/rperf-rustls-provider-demo

carverauto:fix/dashboard-template-sdk-014

carverauto:fix/tinygo-go126-release

carverauto:fix/reqsign-provider-bazel-deps

carverauto:fix/release-bazel-rust-crates

carverauto:fix/core-coordinator-connection-leak

carverauto:chore/security-updates

carverauto:update/readme-versions-update

carverauto:docs/readme-dashboard-sdk

carverauto:chore/cli-0.1.5

carverauto:fix/dashboard-cli-local-map-dev

carverauto:fix/dashboard-cli-hmr-map-libraries

carverauto:chore/bump-serviceradar-cli-0.1.2

carverauto:fix/dashboard-cli-hmr-harness

carverauto:fix/helm-contour-liveview-websocket

carverauto:fix/helm-cnpg-pooler-defaults

carverauto:updates/helm-fixes

carverauto:update/fix-light-mode-analytics

carverauto:ual/dashboard-sdk-dx

carverauto:security/postgres-update

carverauto:update-falco-alert-diagnostics

carverauto:ual/react-dashboard-sdk

carverauto:fix/cnpg-saturation-fk-and-bootstrap

carverauto:ual/wifi-site-map

carverauto:fix-coraza-log-db-writer

carverauto:fix-log-viewer-syslog-processed

carverauto:plan-fieldsurvey-spatial-selection

carverauto:plan-envoy-coraza-waf

carverauto:plan-alienvault-otx-integration

carverauto:plan-fieldsurvey-sidekick-daemon

carverauto:cleanup-openspec-archive-closed-proposals

carverauto:bug-core-elx-ip-enrichment-reap

carverauto:fix-release-libcap2-pin-v125

carverauto:fix-camera-stream-gateway-route

carverauto:add-core-elx-prometheus-metrics

carverauto:add-serviceradar-observability-dashboards

carverauto:add-pgbouncer-helm-cnpg

carverauto:renovate/ghcr.io-actions-actions-runner

carverauto:feat/cluster-agent-runtime-metadata-stability

carverauto:feat/observability-shell-standardization

carverauto:feat/observability-live-log-toggle

carverauto:fix/mtr-bulk-queue-and-srql-targets

carverauto:fix/mtr-profile-protocol-keyerror

carverauto:fix/mtr-diagnostics-keyerror

carverauto:add-demo-rollout-skills

carverauto:fix-web-ng-test-support-dialyzer

carverauto:fix-web-ng-dialyzer-findings

carverauto:add-bulk-queued-mtr-diagnostics

carverauto:fix-serviceradar-core-integration-failures

carverauto:harden-agent-updater-exec-arguments

carverauto:harden-agent-release-trust-boundaries

carverauto:fix-compose-hermetic-nats-datasvc-bootstrap

carverauto:fix/openbao-release-issues

carverauto:elixir/formatting-updates

carverauto:codex/demo-cnpg-signing-release-fixes

carverauto:chore/lint-fixes

carverauto:fix/bazel-alpine-bump-and-cosign-skip

carverauto:update-event-alert-dedup-and-suppression

carverauto:armis-northbound-events

carverauto:armis-northbound-availability-updates

carverauto:push-owvypksrmooo

carverauto:codex/topology-endpoint-evidence-investigation

carverauto:codex/topology-bootstrap-and-layout-simplification

carverauto:codex/remove-ingress-nginx-edge

carverauto:fix/forgejo-ci-snmp-cache-and-ubuntu24

carverauto:bug/cnpg-mtls-failure

carverauto:bug/log-collector

carverauto:fix/forgejo-runner-labels

carverauto:fix/cargo-lock-sync

carverauto:remove-arc-runner-from-push-all

carverauto:fix-push-all-cosign-preflight

carverauto:fix-go-ci

carverauto:add-versioned-openapi-publish

carverauto:chore/forgejo-hardening

carverauto:security/k8s-hardening

carverauto:update/cluster-page-agents

carverauto:updates/helm-security-updates

carverauto:2406-feat-agent-fleet-management-secure-self-update-system

carverauto:bug/k8s-helm-deployments

carverauto:chore/k8s-arc-update

carverauto:rust-fix

carverauto:2371-analytics-stats-cards-should-abbreviate-numbers

carverauto:chore/perl-cleanup

carverauto:2942-featweb-ng-add-logs-tab-to-device-details-page

carverauto:192-feat-tftp-server

carverauto:mikemiles-dev/feature/netflow_collection

carverauto:testing

carverauto:dependabot/cargo/hostname-0.4.1

carverauto:dependabot/cargo/redis-1.0.1

carverauto:dependabot/cargo/bb8-0.9.0

carverauto:dependabot/cargo/rcgen-0.14.6

carverauto:dependabot/cargo/hyper-1.8.1

carverauto:dependabot/cargo/hyper-util-0.1.19

carverauto:dependabot/cargo/clap-4.5.51

carverauto:dependabot/cargo/thiserror-2.0.17

carverauto:dependabot/cargo/time-tz-2.0.0

carverauto:dependabot/cargo/tonic-build-0.14.2

carverauto:backup/main-pre-staging-sync-2026-04-02

carverauto:dependabot/npm_and_yarn/docs/mdast-util-to-hast-13.2.1

carverauto:815-feat-support-win32-for-agentpoller

carverauto:gh-pages

Conversation 1 Commits 5 Files changed 45 +4855 -953

mikemiles-dev commented 2026-05-08 04:09:55 +00:00

Collaborator

Copy link

Adds an operator-facing view of NetFlow v9 / IPFIX templates the
flow-collector replicas have learned, decoded from the shared
flow_templates NATS KV bucket and grouped per exporter (router) with
per-template field lists.

Why: confirms multi-replica template propagation through the KV bucket
is working in deployed clusters and gives ops a way to see what each
router is sending without shelling into a collector pod.

Surfaces:

• Standalone page: /observability/flow-templates
• Inline tab card: /observability?tab=netflows&view=templates (5th
  card alongside Traffic Analysis, Talkers, Topology, Flow Explorer)
• JSON API: GET /api/flow-templates and /api/flow-templates/:scope

Plumbing:

• proto/kv.proto: optional bucket field on Get/BatchGet/ListKeys/Info
  so datasvc clients can read non-default KV buckets.
• go/pkg/datasvc: new GetEntryFromBucket / ListKeysInBucket interface
  methods, read-only and require the bucket to already exist (datasvc
  does not auto-create non-default buckets). nats_security mode "none"
  no longer requires a creds file (was rejecting plain unauth NATS dev
  setups).
• elixir/datasvc: bucket: opt on KV.list_keys/2, get/2, info/1.
• elixir/web-ng: pure-Elixir wire-format decoder for the netflow_parser
  template payloads (V9 / V9 options / IPFIX / IPFIX options + V9-style
  IPFIX), curated v9 + IPFIX field-name registry copied from the rust
  netflow_parser IANA enums (~158 v9 + ~500 IPFIX entries with
  field_NNN / enterprise_EEE_field_NNN fallbacks).
• rust/kvutil: GetRequest literal updated for the new bucket field.
• rust/flow-collector: dev config flips on metrics_addr + template_store
  by default; Dockerfile pinned to rust:1.88-bookworm so produced
  binaries match the bookworm-slim runtime GLIBC.
• docker/compose: simple-compose dev stack lands as tracked files
  (datasvc.simple.json + the relaxed validation), and the web-ng
  Dockerfile copies elixir_uuid which was a previously-missing path
  dep.

Tests: parser, decoder (round-trips rust encoder layouts incl
enterprise + scope fields), API controller error paths.

Adds an operator-facing view of NetFlow v9 / IPFIX templates the flow-collector replicas have learned, decoded from the shared flow_templates NATS KV bucket and grouped per exporter (router) with per-template field lists. Why: confirms multi-replica template propagation through the KV bucket is working in deployed clusters and gives ops a way to see what each router is sending without shelling into a collector pod. Surfaces: - Standalone page: /observability/flow-templates - Inline tab card: /observability?tab=netflows&view=templates (5th card alongside Traffic Analysis, Talkers, Topology, Flow Explorer) - JSON API: GET /api/flow-templates and /api/flow-templates/:scope Plumbing: - proto/kv.proto: optional bucket field on Get/BatchGet/ListKeys/Info so datasvc clients can read non-default KV buckets. - go/pkg/datasvc: new GetEntryFromBucket / ListKeysInBucket interface methods, read-only and require the bucket to already exist (datasvc does not auto-create non-default buckets). nats_security mode "none" no longer requires a creds file (was rejecting plain unauth NATS dev setups). - elixir/datasvc: bucket: opt on KV.list_keys/2, get/2, info/1. - elixir/web-ng: pure-Elixir wire-format decoder for the netflow_parser template payloads (V9 / V9 options / IPFIX / IPFIX options + V9-style IPFIX), curated v9 + IPFIX field-name registry copied from the rust netflow_parser IANA enums (~158 v9 + ~500 IPFIX entries with field_NNN / enterprise_EEE_field_NNN fallbacks). - rust/kvutil: GetRequest literal updated for the new bucket field. - rust/flow-collector: dev config flips on metrics_addr + template_store by default; Dockerfile pinned to rust:1.88-bookworm so produced binaries match the bookworm-slim runtime GLIBC. - docker/compose: simple-compose dev stack lands as tracked files (datasvc.simple.json + the relaxed validation), and the web-ng Dockerfile copies elixir_uuid which was a previously-missing path dep. Tests: parser, decoder (round-trips rust encoder layouts incl enterprise + scope fields), API controller error paths.

mikemiles-dev added 3 commits 2026-05-08 04:09:55 +00:00

feat(flow-collector): horizontal scale via NATS KV TemplateStore + DaemonSet ... d8e67a937c

Wire the netflow_parser 1.0.3 TemplateStore extension point into the
flow collector and switch the K8s deployment from a single Deployment
to a per-node DaemonSet behind `Service: LoadBalancer` with
`externalTrafficPolicy: Local`. Together these let the collector scale
horizontally with node count while preserving exporter source IP and
sharing learned NetFlow / IPFIX templates across pods via NATS
JetStream KV.

Why
---
A single flow-collector Deployment was a singleton bottleneck for UDP
ingest. Scaling required either source-IP-affinity routing (so every
exporter always lands on the same pod and templates stay local) or a
shared template store so any pod could decode any flow. We picked the
shared-store path because it doesn't depend on the LB layer.

The original plan was to front this with Envoy Gateway UDPRoute, but a
research spike found UDPRoute does not preserve client source IP today
— upstreams see the gateway pod's IP, which would collapse
AutoScopedParser's per-(source_ip,source_id) scoping. Service +
DaemonSet + `externalTrafficPolicy: Local` is the workable alternative
on MetalLB (L2 mode preserves source IP through to the pod). Gateway
API stays available for the rest of the stack (HTTP/gRPC/mTLS).

Code
----
* `Cargo.toml`: bump netflow_parser 1.0.0 -> 1.0.3 (TemplateStore API);
  add `bytes` for the NATS KV payload type.

* `src/nats_client.rs` (new): Shared `connect_once` and
  `connect_with_retry` helpers. Both publisher and template-store
  bootstrap go through these, applying TLS root CA + client cert +
  creds file from `Config.security` and `Config.nats_creds_file`.
  Eliminates the easy-to-miss bug where one path used bare
  `async_nats::connect(url)` and silently broke mTLS deployments.
  Bounded backoff (60 attempts, 0.5s -> 30s) so neither path
  crash-loops the pod when NATS is slow to come up.

* `src/template_store.rs` (new): `NatsKvTemplateStore` implements the
  parser's sync `TemplateStore` trait. async_nats is async-only so we
  bridge via `tokio::task::block_in_place` + `Handle::block_on`. NATS
  KV keys are restricted to `[A-Za-z0-9._=/-]`; the scope produced by
  AutoScopedParser (`v9:1.2.3.4:2055/0`, IPv6 with brackets, etc.)
  is sanitized via underscore replacement. `kind_tag` wildcard arm
  warns once via `std::sync::Once` if a future netflow_parser version
  ships a new `TemplateKind` variant.

* `src/netflow/mod.rs`: `NetflowHandler::new` accepts an optional
  `Arc<dyn TemplateStore>` and threads it through
  `NetflowParserBuilder::with_template_store`. New `TemplateEvent::
  Restored` arm in the event-callback (logs at info). When a store
  is configured, spawns a 1Hz background ticker that aggregates
  per-source `CacheMetrics` into the listener-level Prometheus
  counters via a `DeltaState` that tracks per-source last-known
  values plus a `retired` total — so listener counters never decrease
  when sources are LRU-evicted. Off the parse_datagram hot path.

* `src/listener.rs`: `build_handler` takes
  `Option<Arc<dyn TemplateStore>>`. sFlow ignores it (template-less).

* `src/config.rs`: new optional `TemplateStoreConfig` with
  `kv_bucket`, `kv_history` (u8, validated `1..=64`), `kv_ttl_secs`,
  and optional `nats_url` override for split-fault-domain setups.

* `src/main.rs`: `bootstrap_template_store(&Config, &TemplateStoreConfig)`
  uses `nats_client::connect_with_retry` (so TLS/creds/retry match
  the publisher), then `create_or_update_key_value` for genuinely
  idempotent KV bucket bootstrap across config drift. Independent
  NATS connection from the publisher's so KV failures cannot stall
  publishing and vice versa.

* `src/metrics.rs`: `ListenerMetrics` gains `template_store_restored`,
  `template_store_codec_errors`, `template_store_backend_errors`,
  `source_count` atomics. New `render_prometheus()` produces text
  exposition format with HELP/TYPE headers and properly escaped
  label values (`\` -> `\\`, `"` -> `\"`, `\n` -> `\n`). sFlow
  listeners are filtered out of `template_store_*` and
  `flow_collector_sources` rows since those are structurally zero
  for sFlow.

  New `run_prometheus_server()` is a hand-rolled HTTP/1.1 server on
  tokio's TcpListener — `GET /metrics` returns the exposition;
  anything else 404s. No new deps. Defensive measures against
  slowloris-style attacks: per-line read timeout (3s), response
  write timeout (5s), 8 KiB max-request-bytes cap via
  `AsyncReadExt::take`, and a `Semaphore`-bounded concurrency cap
  (64) that fast-fails excess connections rather than queueing them
  so an attacker cannot exhaust file descriptors.

  Spawned from main.rs when `metrics_addr` is set; runs
  independently of the log reporter and the publisher so a scrape
  failure can never stall ingestion.

K8s manifests
-------------
* `k8s/demo/base/serviceradar-flow-collector.yaml`: `Deployment` ->
  `DaemonSet`, replicas dropped, unused PVC removed (the Rust binary
  writes nothing to disk). ConfigMap JSON gains the `template_store`
  block. Service was already `externalTrafficPolicy: Local` — kept.
  Added `RollingUpdate` with `maxUnavailable: 1`. HTTP probes on the
  `/metrics` endpoint replace the old `pgrep` exec probes (catches
  deadlocked-but-running scenarios).

* `helm/serviceradar/templates/flow-collector.yaml`: same kind flip,
  PVC removal, plus `nodeSelector` / `tolerations` knobs.
  `templates/NOTES.txt` warns operators about the `replicaCount` and
  `data.*` value removals and prints the explicit
  `kubectl delete deployment / pvc` commands needed to clean up
  orphaned objects from a pre-DaemonSet install.

* `helm/serviceradar/values.yaml`: drop `replicaCount` and `data.*`,
  add `flowCollector.config.template_store` block, default
  `service.type: LoadBalancer` and
  `service.externalTrafficPolicy: Local`, add the IPFIX (4739) and
  metrics (50046) ports.

Tests
-----
55 tests pass; `clippy --all-targets -D warnings` clean. New tests:

* 5 `NatsKvTemplateStore` key-render tests (IPv4, IPv6, empty scope,
  distinct scopes, distinct kinds).
* 2 `TemplateStoreConfig` deserialization tests.
* 2 `DeltaState` monotonic-counter tests covering source eviction and
  re-emergence and multiple-sources / multiple-kinds aggregation.
* `escape_label_handles_quotes_backslashes_newlines`,
  `template_store_metrics_only_emit_for_netflow_listeners`.
* `http_server_serves_metrics_and_404` — end-to-end including a
  deliberate split-read of the request line that the old
  single-`read()` code would have failed.
* `http_server_drops_idle_connection_within_read_timeout` — slow
  client closed within 2x READ_TIMEOUT (was: would hang forever).
* `http_server_concurrency_cap_fast_fails_excess_connections` —
  saturate with 64 idle conns, verify a fresh request doesn't hang
  past 2s (was: would queue and starve real scrapers).

Docs
----
`docs/docs/flow-collector-scaling.md`: deployment model with diagram
and rationale for `externalTrafficPolicy: Local`; configuration knobs
table; small / medium / large / very-large sizing rules of thumb;
Prometheus metrics with healthy-vs-trouble interpretations and
alerting suggestions; signals you've outgrown the design plus the
sharding strategy when you do; "Upgrading from a Pre-DaemonSet
Install" section with explicit `kubectl delete deployment / pvc`
commands; "Rolling Upgrade Behavior" section explaining how
`externalTrafficPolicy: Local` interacts with DaemonSet rolling
updates and why `maxUnavailable: 1` is the floor; deploy verification
checklist (LB IP, source-IP smoke test, cross-pod template share
check, Prometheus scrape).

Deliberately avoids speculative throughput numbers — flagged as
"benchmark on your hardware" — until real load tests fill them in.

fix(flow-collector): bind IPFIX, gate probes on metrics, ASCII-ify scaling doc ... b7b68b7a69

- Add a default netflow listener on 0.0.0.0:4739 in Helm values and the
  demo manifest so the advertised IPFIX Service port has a real UDP
  socket behind it instead of silently dropping datagrams.
- Gate the flow-collector liveness/readiness probes on
  service.ports.metrics.enabled AND config.metrics_addr; fall back to
  a pgrep exec probe when metrics are off so disabling /metrics no
  longer crashloops the pod. Document the implication near the demo
  values' metrics.enabled toggle.
- Replace non-ASCII characters (em/en dashes, arrows, box drawing,
  less-than-or-equal) in docs/docs/flow-collector-scaling.md with
  ASCII equivalents to satisfy the docs ASCII-only constraint.

feat(flow-templates): inspect NetFlow/IPFIX templates in web UI ... 7089194ad1

Adds an operator-facing view of NetFlow v9 / IPFIX templates the
flow-collector replicas have learned, decoded from the shared
flow_templates NATS KV bucket and grouped per exporter (router) with
per-template field lists.

Why: confirms multi-replica template propagation through the KV bucket
is working in deployed clusters and gives ops a way to see what each
router is sending without shelling into a collector pod.

Surfaces:
- Standalone page: /observability/flow-templates
- Inline tab card: /observability?tab=netflows&view=templates (5th
  card alongside Traffic Analysis, Talkers, Topology, Flow Explorer)
- JSON API: GET /api/flow-templates and /api/flow-templates/:scope

Plumbing:
- proto/kv.proto: optional bucket field on Get/BatchGet/ListKeys/Info
  so datasvc clients can read non-default KV buckets.
- go/pkg/datasvc: new GetEntryFromBucket / ListKeysInBucket interface
  methods, read-only and require the bucket to already exist (datasvc
  does not auto-create non-default buckets). nats_security mode "none"
  no longer requires a creds file (was rejecting plain unauth NATS dev
  setups).
- elixir/datasvc: bucket: opt on KV.list_keys/2, get/2, info/1.
- elixir/web-ng: pure-Elixir wire-format decoder for the netflow_parser
  template payloads (V9 / V9 options / IPFIX / IPFIX options + V9-style
  IPFIX), curated v9 + IPFIX field-name registry copied from the rust
  netflow_parser IANA enums (~158 v9 + ~500 IPFIX entries with
  field_NNN / enterprise_EEE_field_NNN fallbacks).
- rust/kvutil: GetRequest literal updated for the new bucket field.
- rust/flow-collector: dev config flips on metrics_addr + template_store
  by default; Dockerfile pinned to rust:1.88-bookworm so produced
  binaries match the bookworm-slim runtime GLIBC.
- docker/compose: simple-compose dev stack lands as tracked files
  (datasvc.simple.json + the relaxed validation), and the web-ng
  Dockerfile copies elixir_uuid which was a previously-missing path
  dep.

Tests: parser, decoder (round-trips rust encoder layouts incl
enterprise + scope fields), API controller error paths.

mikemiles-dev requested review from mfreeman451 2026-05-08 04:09:55 +00:00

mikemiles-dev force-pushed mikemiles-dev/flow-templates-ui from 7089194ad1 to 1c47a0eaff 2026-05-08 04:15:33 +00:00 Compare

mikemiles-dev added 1 commit 2026-05-08 04:20:20 +00:00

docs(architecture): document scaling philosophy ... 3ab87a22e9

Captures the rationale for ServiceRadar not shipping HPA/VPA resources
and instead using manual replicaCount + cluster autoscaler at the
infra layer.

The question keeps coming up: most services are JetStream-driven (not
request-driven), so HPA doesn't speed work up — JetStream consumer
fan-out is the natural concurrency control. Per-node services run as
DaemonSets where source-IP preservation rules out HPA outright. This
section formalises the convention so future services know when an HPA
is/isn't appropriate.

Slots in under the existing "Kubernetes HA Profile" section.

mikemiles-dev added 1 commit 2026-05-08 04:40:15 +00:00

fix(flow-templates): address PR review comments ... 3cbbdc9f5a

- LiveView load is now async via start_async/3 so a slow datasvc can
  never block the WebSocket. Both the standalone page and the inline
  netflows view show a "loading…" state while the round-trip is in
  flight, and an explicit "Loaded HH:MM:SS UTC" stamp afterwards so
  staleness is visible to the operator.

- Hoisted the netflow_view enum to a single @netflow_views module
  attribute. Was duplicated in three places (parse, normalize, params)
  and a missed update in this PR caused view=templates to be silently
  rewritten to "overview" mid-review.

- datasvc kvByDomainBucket cache now caps at 32 buckets per domain.
  Real workloads use a handful; this is a guardrail against unbounded
  growth from a misbehaving caller spamming bucket names.

- Added a regen recipe to fields.ex so future drift against
  netflow_parser's IANA enums is fixable in minutes (with the grep/sed
  pipelines that produced the current 158 v9 + 500 IPFIX entries).

- datasvc logs a WARN at startup when nats_security.mode="none" so a
  misconfigured production cluster is visible in standard log scrapers
  instead of silently running unauth.

Note: per-template KV.get is still sequential. Adding BatchGet to the
elixir datasvc client (it already exists in the proto) would collapse
N+1 round-trips to 2 — left as a follow-up to keep this PR focused.

mikemiles-dev force-pushed mikemiles-dev/flow-templates-ui from 3cbbdc9f5a to d8ebafe923 2026-05-09 15:11:59 +00:00 Compare

mfreeman451 reviewed 2026-05-11 02:53:35 +00:00

mfreeman451 left a comment

Copy link

lgtm

lgtm

Some checks failed

Hide all checks

Secret Scan / gitleaks (pull_request) Successful in 23s

Details

lint / lint (pull_request) Successful in 1m9s

Details

CI / build (pull_request) Failing after 5m6s

Details

This pull request has changes conflicting with the target branch.

• Cargo.lock
• rust/flow-collector/Cargo.toml

View command line instructions

Manual merge helper

Use this merge commit message when completing the merge manually.

Merge commit title Merge pull request 'feat(flow-templates): inspect NetFlow/IPFIX templates in web UI' (#3243) from mikemiles-dev/flow-templates-ui into staging

Merge commit body Reviewed-on: https://code.carverauto.dev/carverauto/serviceradar/pulls/3243

Merge pull request 'feat(flow-templates): inspect NetFlow/IPFIX templates in web UI' (#3243) from mikemiles-dev/flow-templates-ui into staging Reviewed-on: https://code.carverauto.dev/carverauto/serviceradar/pulls/3243 Copy merge commit message

Checkout

From your project repository, check out a new branch and test the changes.

git fetch -u origin +refs/pull/3243/head:mikemiles-dev/flow-templates-ui

git switch mikemiles-dev/flow-templates-ui

Merge

Merge the changes and update on Forgejo.

Warning: The "Autodetect manual merge" setting is not enabled for this repository, you will have to mark this pull request as manually merged afterwards.

git switch staging

git merge --no-ff mikemiles-dev/flow-templates-ui

git switch mikemiles-dev/flow-templates-ui

git rebase staging

git switch staging

git merge --ff-only mikemiles-dev/flow-templates-ui

git switch mikemiles-dev/flow-templates-ui

git rebase staging

git switch staging

git merge --no-ff mikemiles-dev/flow-templates-ui

git switch staging

git merge --squash mikemiles-dev/flow-templates-ui

git switch staging

git merge --ff-only mikemiles-dev/flow-templates-ui

git switch staging

git merge mikemiles-dev/flow-templates-ui

git push origin staging

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels   

1week

  

2weeks

  

Failed compliance check

  

IP cameras

  

NATS

NATS JetStream

  

Possible security concern

  

Review effort 1/5

  

Review effort 2/5

  

Review effort 3/5

  

Review effort 4/5

  

Review effort 5/5

  

UI

  

aardvark

  

accessibility

  

amd64

  

api

  

arm64

  

auth

  

back-end

  

bgp

  

blog

  

bug

Something isn't working

  

build

  

checkers

  

ci-cd

continuous integration-continuous deployments

  

cleanup

  

cnpg

cloud-native postgres

  

codex

  

core

core service

  

dependencies

Pull requests that update a dependency file

  

device-management

  

documentation

Improvements or additions to documentation

  

duplicate

This issue or pull request already exists

  

dusk

  

ebpf

  

enhancement

New feature or request

  

eta 1d

  

eta 1hr

  

eta 3d

  

eta 3hr

  

feature

  

fieldsurvey

  

github_actions

Pull requests that update GitHub Actions code

  

go

Pull requests that update Go code

  

good first issue

Good for newcomers

  

help wanted

Extra attention is needed

  

invalid

This doesn't seem right

  

javascript

Pull requests that update Javascript code

  

k8s

  

log-collector

  

mapper

  

mtr

multi traceroute

  

needs-triage

  

netflow

  

network-sweep

  

observability

  

oracle

Oracle Linux related issues

  

otel

opentelemetry logs, traces, metrics

  

plug-in

  

proton

timeplus proton streaming database

  

python

  

question

Further information is requested

  

reddit

  

redhat

  

research

  

rperf

  

rperf-checker

  

rust

Pull requests that update rust code

  

sdk

  

security

  

serviceradar-agent

  

serviceradar-agent-gateway

  

serviceradar-web

  

serviceradar-web-ng

  

siem

  

snmp

  

sysmon

  

topology

  

ubiquiti

  

wasm

  

wontfix

This will not be worked on

  

zen-engine

No labels

1week

2weeks

Failed compliance check

IP cameras

NATS

Possible security concern

Review effort 1/5

Review effort 2/5

Review effort 3/5

Review effort 4/5

Review effort 5/5

UI

aardvark

accessibility

amd64

api

arm64

auth

back-end

bgp

blog

bug

build

checkers

ci-cd

cleanup

cnpg

codex

core

dependencies

device-management

documentation

duplicate

dusk

ebpf

enhancement

eta 1d

eta 1hr

eta 3d

eta 3hr

feature

fieldsurvey

github_actions

go

good first issue

help wanted

invalid

javascript

k8s

log-collector

mapper

mtr

needs-triage

netflow

network-sweep

observability

oracle

otel

plug-in

proton

python

question

reddit

redhat

research

rperf

rperf-checker

rust

sdk

security

serviceradar-agent

serviceradar-agent-gateway

serviceradar-web

serviceradar-web-ng

siem

snmp

sysmon

topology

ubiquiti

wasm

wontfix

zen-engine

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

2 participants

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

carverauto/serviceradar!3243

No description provided.