feat(conduit): Add conduit demo task (#102403)

Adds a demo task to asynchronously generate data and send it to the
Conduit Publish API. This serves as a reference implementation for
publishing data to Conduit and enables our demo to actually work.

I also updated some of the setting names to be more precise to avoid
confusion.

The next step is adding a frontend demo page that consumes the stream
via the conduit client.

Author: IanWoodard

src/sentry/conduit/auth.py

@@ -36,13 +36,13 @@ def generate_conduit_token(
         JWT token string
     """
     if issuer is None:
-        issuer = settings.CONDUIT_JWT_ISSUER
+        issuer = settings.CONDUIT_GATEWAY_JWT_ISSUER
     if audience is None:
-        audience = settings.CONDUIT_JWT_AUDIENCE
+        audience = settings.CONDUIT_GATEWAY_JWT_AUDIENCE
     if conduit_private_key is None:
-        conduit_private_key = settings.CONDUIT_PRIVATE_KEY
+        conduit_private_key = settings.CONDUIT_GATEWAY_PRIVATE_KEY
         if conduit_private_key is None:
-            raise ValueError("CONDUIT_PRIVATE_KEY not configured")
+            raise ValueError("CONDUIT_GATEWAY_PRIVATE_KEY not configured")
 
     now = int(time.time())
     exp = now + TOKEN_TTL_SEC

src/sentry/conduit/endpoints/organization_conduit_demo.py

@@ -3,11 +3,13 @@
 from rest_framework.request import Request
 from rest_framework.response import Response
 
+from sentry import features
 from sentry.api.api_owners import ApiOwner
 from sentry.api.api_publish_status import ApiPublishStatus
 from sentry.api.base import region_silo_endpoint
 from sentry.api.bases import OrganizationEndpoint
 from sentry.conduit.auth import get_conduit_credentials
+from sentry.conduit.tasks import stream_demo_data
 from sentry.models.organization import Organization
 
 
@@ -29,6 +31,8 @@ class OrganizationConduitDemoEndpoint(OrganizationEndpoint):
     owner = ApiOwner.INFRA_ENG
 
     def post(self, request: Request, organization: Organization) -> Response:
+        if not features.has("organizations:conduit-demo", organization, actor=request.user):
+            return Response(status=404)
         try:
             conduit_credentials = get_conduit_credentials(
                 organization.id,
@@ -39,9 +43,12 @@ def post(self, request: Request, organization: Organization) -> Response:
                 {"error": "Conduit is not configured properly"},
                 status=status.HTTP_500_INTERNAL_SERVER_ERROR,
             )
+        # Kick off a task to stream data to Conduit
+        stream_demo_data.delay(organization.id, conduit_credentials.channel_id)
         serializer = ConduitCredentialsResponseSerializer(
             {
                 "conduit": conduit_credentials._asdict(),
             }
         )
+        # Respond back to the user with the credentials needed to connect to Conduit
         return Response(serializer.data, status=status.HTTP_201_CREATED)

src/sentry/conduit/tasks.py

@@ -0,0 +1,165 @@
+import datetime
+import logging
+import time
+from functools import partial
+from uuid import uuid4
+
+import requests
+from django.conf import settings
+from google.protobuf.struct_pb2 import Struct
+from google.protobuf.timestamp_pb2 import Timestamp
+from requests import Response
+from requests.exceptions import RequestException
+from sentry_protos.conduit.v1alpha.publish_pb2 import Phase, PublishRequest
+
+from sentry.silo.base import SiloMode
+from sentry.tasks.base import instrumented_task
+from sentry.taskworker.namespaces import conduit_tasks
+from sentry.utils import jwt
+from sentry.utils.retries import ConditionalRetryPolicy, exponential_delay
+
+logger = logging.getLogger(__name__)
+
+PUBLISH_REQUEST_TIMEOUT_SECONDS = 5
+PUBLISH_REQUEST_MAX_RETRIES = 5
+NUM_DELTAS = 100
+SEND_INTERVAL_SECONDS = 0.15
+JWT_EXPIRATION_SECONDS = 300  # 5 minutes
+TASK_PROCESSING_DEADLINE_SECONDS = 60 * 3  # 3 minutes
+
+
+@instrumented_task(
+    name="sentry.conduit.tasks.stream_demo_data",
+    namespace=conduit_tasks,
+    processing_deadline_duration=TASK_PROCESSING_DEADLINE_SECONDS,
+    silo_mode=SiloMode.REGION,
+)
+def stream_demo_data(org_id: int, channel_id: str) -> None:
+    """Asynchronously stream data to Conduit."""
+    token = generate_jwt(subject="demo")
+    logger.info(
+        "conduit.stream_demo_data.started", extra={"org_id": org_id, "channel_id": channel_id}
+    )
+    sequence = 0
+    start_publish_request = PublishRequest(
+        channel_id=channel_id,
+        message_id=str(uuid4()),
+        sequence=sequence,
+        client_timestamp=get_timestamp(),
+        phase=Phase.PHASE_START,
+    )
+    publish_data(org_id, start_publish_request, token)
+    sequence += 1
+
+    for i in range(NUM_DELTAS):
+        payload = Struct()
+        payload.update({"value": str(i)})
+        delta_publish_request = PublishRequest(
+            channel_id=channel_id,
+            message_id=str(uuid4()),
+            sequence=sequence,
+            client_timestamp=get_timestamp(),
+            phase=Phase.PHASE_DELTA,
+            payload=payload,
+        )
+        publish_data(org_id, delta_publish_request, token)
+        sequence += 1
+        time.sleep(SEND_INTERVAL_SECONDS)
+
+    end_publish_request = PublishRequest(
+        channel_id=channel_id,
+        message_id=str(uuid4()),
+        sequence=sequence,
+        client_timestamp=get_timestamp(),
+        phase=Phase.PHASE_END,
+    )
+    publish_data(org_id, end_publish_request, token)
+    logger.info(
+        "conduit.stream_demo_data.ended", extra={"org_id": org_id, "channel_id": channel_id}
+    )
+
+
+def generate_jwt(
+    subject: str, issuer: str | None = None, audience: str | None = None, secret: str | None = None
+) -> str:
+    """
+    Generate a JWT token for the Conduit publish API.
+
+    Uses HS256 algorithm with a 5 minute expiration.
+    """
+    if issuer is None:
+        issuer = settings.CONDUIT_PUBLISH_JWT_ISSUER
+    if audience is None:
+        audience = settings.CONDUIT_PUBLISH_JWT_AUDIENCE
+    if secret is None:
+        secret = settings.CONDUIT_PUBLISH_SECRET
+        if secret is None:
+            raise ValueError("CONDUIT_PUBLISH_SECRET not configured")
+    claims = {
+        "sub": subject,
+        "iss": issuer,
+        "aud": audience,
+        "exp": int(time.time()) + JWT_EXPIRATION_SECONDS,
+    }
+    return jwt.encode(claims, secret, algorithm="HS256")
+
+
+def should_retry_publish(attempt: int, exception: Exception) -> bool:
+    return attempt < PUBLISH_REQUEST_MAX_RETRIES and isinstance(exception, RequestException)
+
+
+publish_retry_policy = ConditionalRetryPolicy(
+    should_retry_publish,
+    exponential_delay(0.5),
+)
+
+
+def publish_data(
+    org_id: int,
+    publish_request: PublishRequest,
+    token: str,
+    publish_url: str | None = None,
+) -> Response:
+    """
+    Publish a protobuf message to Conduit with retries.
+
+    Retries up to 5 times with exponential backoff.
+    """
+    if publish_url is None:
+        publish_url = settings.CONDUIT_PUBLISH_URL
+    return publish_retry_policy(
+        partial(
+            _do_publish,
+            org_id=org_id,
+            publish_request=publish_request,
+            token=token,
+            publish_url=publish_url,
+        )
+    )
+
+
+def _do_publish(
+    org_id: int,
+    publish_request: PublishRequest,
+    token: str,
+    publish_url: str,
+) -> Response:
+    response = requests.post(
+        url=f"{publish_url}/publish/{org_id}/{publish_request.channel_id}",
+        headers={
+            "Authorization": f"Bearer {token}",
+            "Content-Type": "application/x-protobuf",
+        },
+        data=publish_request.SerializeToString(),
+        timeout=PUBLISH_REQUEST_TIMEOUT_SECONDS,
+    )
+    response.raise_for_status()
+    return response
+
+
+def get_timestamp(dt: datetime.datetime | None = None) -> Timestamp:
+    if dt is None:
+        dt = datetime.datetime.now(datetime.UTC)
+    timestamp = Timestamp()
+    timestamp.FromDatetime(dt)
+    return timestamp

src/sentry/conf/server.py

@@ -828,6 +828,7 @@ def SOCIAL_AUTH_DEFAULT_USERNAME() -> str:
 # Taskworkers need to import task modules to make tasks
 # accessible to the worker.
 TASKWORKER_IMPORTS: tuple[str, ...] = (
+    "sentry.conduit.tasks",
     "sentry.data_export.tasks",
     "sentry.debug_files.tasks",
     "sentry.deletions.tasks.hybrid_cloud",
@@ -3186,7 +3187,12 @@ def custom_parameter_sort(parameter: dict) -> tuple[str, int]:
     SENTRY_OPTIONS["system.region-api-url-template"] = f"https://{{region}}.{ngrok_host}"
     SENTRY_FEATURES["system:multi-region"] = True
 
-CONDUIT_PRIVATE_KEY: str | None = os.getenv("CONDUIT_PRIVATE_KEY")
+CONDUIT_GATEWAY_PRIVATE_KEY: str | None = os.getenv("CONDUIT_GATEWAY_PRIVATE_KEY")
 CONDUIT_GATEWAY_URL: str = os.getenv("CONDUIT_GATEWAY_URL", "https://conduit.sentry.io")
-CONDUIT_JWT_ISSUER: str = os.getenv("CONDUIT_JWT_ISSUER", "sentry")
-CONDUIT_JWT_AUDIENCE: str = os.getenv("CONDUIT_JWT_AUDIENCE", "conduit")
+CONDUIT_GATEWAY_JWT_ISSUER: str = os.getenv("CONDUIT_GATEWAY_JWT_ISSUER", "sentry.io")
+CONDUIT_GATEWAY_JWT_AUDIENCE: str = os.getenv("CONDUIT_GATEWAY_JWT_AUDIENCE", "conduit")
+
+CONDUIT_PUBLISH_SECRET: str | None = os.getenv("CONDUIT_PUBLISH_SECRET")
+CONDUIT_PUBLISH_URL: str = os.getenv("CONDUIT_PUBLISH_URL", "http://127.0.0.1:9097")
+CONDUIT_PUBLISH_JWT_ISSUER: str = os.getenv("CONDUIT_PUBLISH_JWT_ISSUER", "sentry.io")
+CONDUIT_PUBLISH_JWT_AUDIENCE: str = os.getenv("CONDUIT_PUBLISH_JWT_AUDIENCE", "conduit")

src/sentry/features/temporary.py

@@ -605,6 +605,8 @@ def register_temporary_features(manager: FeatureManager) -> None:
     manager.add("organizations:notification-platform", OrganizationFeature, FeatureHandlerStrategy.FLAGPOLE, api_expose=True)
     manager.add("organizations:on-demand-gen-metrics-deprecation-prefill", OrganizationFeature, FeatureHandlerStrategy.FLAGPOLE, api_expose=False)
     manager.add("organizations:on-demand-gen-metrics-deprecation-query-prefill", OrganizationFeature, FeatureHandlerStrategy.FLAGPOLE, api_expose=False)
+    # Enables Conduit demo endpoint and UI
+    manager.add("organizations:conduit-demo", OrganizationFeature, FeatureHandlerStrategy.FLAGPOLE, api_expose=True)
 
     # NOTE: Don't add features down here! Add them to their specific group and sort
     #       them alphabetically! The order features are registered is not important.

src/sentry/taskworker/namespaces.py

@@ -26,6 +26,11 @@
     app_feature="errors",
 )
 
+conduit_tasks = app.taskregistry.create_namespace(
+    "conduit",
+    app_feature="conduit",
+)
+
 crons_tasks = app.taskregistry.create_namespace(
     "crons",
     app_feature="crons",

tests/sentry/conduit/endpoints/test_organization_conduit_demo.py

@@ -1,6 +1,9 @@
+from unittest.mock import MagicMock, patch
+
 from django.test.utils import override_settings
 
 from sentry.testutils.cases import APITestCase
+from sentry.testutils.helpers import with_feature
 from sentry.testutils.silo import region_silo_test
 from tests.sentry.utils.test_jwt import RS256_KEY
 
@@ -14,11 +17,12 @@ def setUp(self) -> None:
         self.login_as(user=self.user)
 
     @override_settings(
-        CONDUIT_PRIVATE_KEY=RS256_KEY,
-        CONDUIT_JWT_ISSUER="sentry",
-        CONDUIT_JWT_AUDIENCE="conduit",
+        CONDUIT_GATEWAY_PRIVATE_KEY=RS256_KEY,
+        CONDUIT_GATEWAY_JWT_ISSUER="sentry",
+        CONDUIT_GATEWAY_JWT_AUDIENCE="conduit",
         CONDUIT_GATEWAY_URL="https://conduit.example.com",
     )
+    @with_feature("organizations:conduit-demo")
     def test_post_generate_credentials(self) -> None:
         """Test that POST generates valid credentials."""
 
@@ -34,6 +38,7 @@ def test_post_generate_credentials(self) -> None:
         assert "url" in response.data["conduit"]
         assert str(self.organization.id) in response.data["conduit"]["url"]
 
+    @with_feature("organizations:conduit-demo")
     def test_post_without_org_access(self) -> None:
         """Test that users without org access cannot generate credentials."""
         other_org = self.create_organization()
@@ -44,6 +49,7 @@ def test_post_without_org_access(self) -> None:
             status_code=403,
         )
 
+    @with_feature("organizations:conduit-demo")
     def test_post_missing_conduit_config(self) -> None:
         """Test graceful failure when CONDUIT_PRIVATE_KEY is not configured."""
         response = self.get_error_response(
@@ -55,11 +61,12 @@ def test_post_missing_conduit_config(self) -> None:
         assert response.data == {"error": "Conduit is not configured properly"}
 
     @override_settings(
-        CONDUIT_PRIVATE_KEY=RS256_KEY,
-        CONDUIT_JWT_ISSUER="sentry",
-        CONDUIT_JWT_AUDIENCE="conduit",
+        CONDUIT_GATEWAY_PRIVATE_KEY=RS256_KEY,
+        CONDUIT_GATEWAY_JWT_ISSUER="sentry",
+        CONDUIT_GATEWAY_JWT_AUDIENCE="conduit",
         CONDUIT_GATEWAY_URL="https://conduit.example.com",
     )
+    @with_feature("organizations:conduit-demo")
     def test_credentials_are_unique(self) -> None:
         """Test that multiple calls generate different credentials."""
         response1 = self.get_success_response(
@@ -76,3 +83,26 @@ def test_credentials_are_unique(self) -> None:
 
         assert response1.data["conduit"]["token"] != response2.data["conduit"]["token"]
         assert response1.data["conduit"]["channel_id"] != response2.data["conduit"]["channel_id"]
+
+    @override_settings(
+        CONDUIT_GATEWAY_PRIVATE_KEY=RS256_KEY,
+        CONDUIT_GATEWAY_JWT_ISSUER="sentry",
+        CONDUIT_GATEWAY_JWT_AUDIENCE="conduit",
+        CONDUIT_GATEWAY_URL="https://conduit.example.com",
+    )
+    @patch("sentry.conduit.endpoints.organization_conduit_demo.stream_demo_data")
+    @with_feature("organizations:conduit-demo")
+    def test_post_queues_task(self, mock_task: MagicMock):
+        self.get_success_response(
+            self.organization.slug,
+            method="POST",
+            status_code=201,
+        )
+        mock_task.delay.assert_called_once()
+
+    def test_post_without_feature_flag(self) -> None:
+        self.get_error_response(
+            self.organization.slug,
+            method="POST",
+            status_code=404,
+        )