[sui-proxy] Allow sui bridge validator metrics

[johnjmartin]

Description

Introduces the ability for sui proxy to accept metrics that are pushed to it from sui-bridge. Works by looking up the http_rest_url for each proxy in the on-chain metadata, and querying each endpoint for the metrics pub key

Depends on #18877.

Test plan

Tested in testnet

[vercel]

@johnjmartin is attempting to deploy a commit to the Mysten Labs Team on Vercel.

A member of the Team first needs to authorize it.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
sui-docs	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Sep 12, 2024 5:03pm

3 Skipped Deployments

Name	Status	Preview	Comments	Updated (UTC)
multisig-toolkit	⬜️ Ignored (Inspect)	Visit Preview		Sep 12, 2024 5:03pm
sui-kiosk	⬜️ Ignored (Inspect)	Visit Preview		Sep 12, 2024 5:03pm
sui-typescript-docs	⬜️ Ignored (Inspect)	Visit Preview		Sep 12, 2024 5:03pm

[longbowlu]

why? don't we want this for sui-node?

[johnjmartin]

afaict, it's not used anywhere in the proxy. The downside of keeping it is it forces us to set meaningless defaults for the static peers feature (as well as for the bridge validators). For example, this is a snippet of what our prod config looks like right now:

static-peers:
  pub-keys:
    - name: ewr-mysten-ssfn1
      p2p-address: 0.0.0.1
      peer-id: c7bf6cb93ca8fdda655c47ebb85ace28e6931464564332bf63e27e90199c50ee
    - name: ewr-mysten-ssfn2
      p2p-address: 0.0.0.2
      peer-id: 3227f8a05f0faa1a197c075d31135a366a1c6f3d4872cb8af66c14dea3e0eb66
    - name: lhr-mysten-ssfn
      p2p-address: 0.0.0.3
      peer-id: c619a5e0f8f36eac45118c1f8bda28f0f508e2839042781f1d4a9818043f732c

[johnjmartin]

cc @suiwombat for thoughts too

[bmwill]

If its not uses for anything then i agree we should remove it

[longbowlu]

we don't need this check anymore?

[johnjmartin]

It goes with removing the p2p_address (#19076 (comment))

[suiwombat]

I'd prefer to see this approach instead. it's much safer, isolates these systems from each other, and if one fails, it won't take the other out.

#19173

[suiwombat]

I'd really prefer NOT to have these here and instead be in their own route handlers. It's dangerous, in my opinion to mix these together. Why? because if either get_bridge_validators fails, or get_validators fails, we don't update any peers with which we'll communicate. We double our failure modes in a hot path, critical function. super bad.

[johnjmartin]

It's only possible for the set of bridge or sui validators to change once per day (epoch change), while we poll for updates to the system state every 60s. I am comfortable with the risk that if our public rpc goes down for longer than a day, then we won't display metrics for newly joined validators

[suiwombat]

if the service restarts, you're dead in the water in that case. this is dangerous implementation, i'd implore you not to do it this way.

[johnjmartin]

How would you suggest we recover in the case where the service restarts and we're unable to communicate with the backing fullnode?

[bmwill]

So i don't think we necessarily need to separate these into their own "route handlers", i mean this isn't even a route handler, this is the background task that is responsible for updating the allowed peers, but i do think that this could be improved upon to be a bit more resilient to failures as well as to be a bit clearer about the source of each of the peers.

If the "AllowedPeers" set was able to curry with it a bit more information as to the source of each peer (static, SuiValidator, SuiBridgeNode, WalrusNode, etc) then we could handle the updates to each set independently of each other, and so that a failure to update one set doesn't impact an update to another set. This tagging could be done either by tagging each key, or having a separate set entirely for each type of peer (it doesn't matter which, the implementation is just going to be slightly different). Then we could have the update logic essentially be:

loop {
    update_sui_validator_set();
    update_sui_bridge_set();
    update_walrus_validator_set();
    // ... others
}

where on each tick we unconditionally try to update each type and a failure in one doesn't impact updates in the others.

[suiwombat]

the original design with the allowers was to enable the expansion of other routes to accommodate use cases like what john is doing here. I have to disagree with @bmwill on this. there isn't a legitimate reason to mix everything into one update loop and it is dangerous/flakey to do so.

the sui validators have a route they hit, with middleware they use and update loops that they depend on. the bridge should likewise, have its own route, use the same middleware when appropriate, and their own update loops. They definitely should not be integrated into the existing. I'm beating a dead horse here, but it's a poor design to do so. it leads to confusing code and needlessly mixes concerns of two different data flows.

The loop outlined here is even worse than what is already in this PR because it goes from an isolated update loop, to adding three (this pr adds 1, making 2). this is exactly what shouldn't happen. please just make a route for these and keep this logic isolated to their respective parts.

[bmwill]

the original design with the allowers was to enable the expansion of other routes to accommodate use cases like what john is doing here.

If you're referring to the TLS verifier we have that allows connections based on the Allower, then yes John is doing exactly as expected to extend the sets of peers that we allow to be connected. There can only be one allower per network endpoint so unless we have a full complete deployment of this for each "type" (which i don't think is the case), then this is exactly how we should extend it. As far as which http "route" we expect metrics to be pushed to, I think that's a completely orthogonal discussion

[bmwill]

If its not uses for anything then i agree we should remove it

[bmwill]

So i don't think we necessarily need to separate these into their own "route handlers", i mean this isn't even a route handler, this is the background task that is responsible for updating the allowed peers, but i do think that this could be improved upon to be a bit more resilient to failures as well as to be a bit clearer about the source of each of the peers.

If the "AllowedPeers" set was able to curry with it a bit more information as to the source of each peer (static, SuiValidator, SuiBridgeNode, WalrusNode, etc) then we could handle the updates to each set independently of each other, and so that a failure to update one set doesn't impact an update to another set. This tagging could be done either by tagging each key, or having a separate set entirely for each type of peer (it doesn't matter which, the implementation is just going to be slightly different). Then we could have the update logic essentially be:

loop {
    update_sui_validator_set();
    update_sui_bridge_set();
    update_walrus_validator_set();
    // ... others
}

where on each tick we unconditionally try to update each type and a failure in one doesn't impact updates in the others.

[bmwill]

For updating the sui validator set i do think it makes sense to maybe nuke the whole thing and replace it wholesale, but for the bridge node, since we have to do this awkward fetching of their pubkeys as an additional step (which i still don't like and think we should force this info to be encoded onchain, @longbowlu can do we this instead?), I think we probably want to have a map from Bridge node -> Pubkey and we only remove a entry here if the bridge node is no longer in the committee and update if we're able to successfully reach that bridge node to fetch its key. if the node is still a part of the committee but we happen to fail fetching its pubkey on one tick, we likely don't want to remove it from the set as it could result in losing some small window of data from that node.

[bmwill]

Thanks for making these changes! lgtm