feat(gateway): eliminate the Sentry ingestion gap

Signed-off-by: Yordis Prieto <yordis.prieto@gmail.com>

Author: yordis

devops/docker/compose/.env.example

@@ -41,6 +41,13 @@
 # TROGON_SOURCE_NOTION_STREAM_MAX_AGE_SECS=604800
 # TROGON_SOURCE_NOTION_NATS_ACK_TIMEOUT_SECS=10
 
+# --- Sentry Source ---
+# TROGON_SOURCE_SENTRY_CLIENT_SECRET=
+# TROGON_SOURCE_SENTRY_SUBJECT_PREFIX=sentry
+# TROGON_SOURCE_SENTRY_STREAM_NAME=SENTRY
+# TROGON_SOURCE_SENTRY_STREAM_MAX_AGE_SECS=604800
+# TROGON_SOURCE_SENTRY_NATS_ACK_TIMEOUT_SECS=10
+
 # --- Discord Source ---
 # TROGON_SOURCE_DISCORD_BOT_TOKEN=
 # TROGON_SOURCE_DISCORD_GATEWAY_INTENTS=guilds,guild_members,guild_messages,guild_message_reactions,direct_messages,message_content,guild_voice_states

devops/docker/compose/services/trogon-gateway/README.md

@@ -16,6 +16,7 @@ prefix:
 | incident.io | `/incidentio/webhook` | `TROGON_SOURCE_INCIDENTIO_SIGNING_SECRET` |
 | Linear | `/linear/webhook` | `TROGON_SOURCE_LINEAR_WEBHOOK_SECRET` |
 | Notion | `/notion/webhook` | `TROGON_SOURCE_NOTION_VERIFICATION_TOKEN` |
+| Sentry | `/sentry/webhook` | `TROGON_SOURCE_SENTRY_CLIENT_SECRET` |
 
 The gateway port is configured via `TROGON_GATEWAY_PORT` (default `8080`).
 Liveness and readiness probes are available at `GET /-/liveness` and `GET /-/readiness`.
@@ -67,6 +68,13 @@ then point the Notion webhook endpoint at `/notion/webhook`. Verified events
 are forwarded to NATS on `{subject_prefix}.{type}` subjects such as
 `notion.page.created`.
 
+## Sentry webhooks
+
+Sentry integration-platform webhooks sign the raw JSON body with the app client
+secret. Configure `TROGON_SOURCE_SENTRY_CLIENT_SECRET`, point the webhook URL
+at `/sentry/webhook`, and the gateway will forward verified payloads to NATS on
+`{subject_prefix}.{resource}.{action}` subjects such as `sentry.issue.created`.
+
 ## Exposing webhooks with ngrok
 
 ```bash

rsworkspace/Cargo.lock

@@ -8,6 +8,9 @@ unexpected_cfgs = { level = "deny", check-cfg = ['cfg(coverage)'] }
 
 [workspace.lints.clippy]
 all = "deny"
+expect_used = "deny"
+panic = "deny"
+unwrap_used = "deny"
 
 [workspace.dependencies]
 # Internal crates
@@ -21,6 +24,7 @@ trogon-source-gitlab = { path = "crates/trogon-source-gitlab" }
 trogon-source-incidentio = { path = "crates/trogon-source-incidentio" }
 trogon-source-linear = { path = "crates/trogon-source-linear" }
 trogon-source-notion = { path = "crates/trogon-source-notion" }
+trogon-source-sentry = { path = "crates/trogon-source-sentry" }
 trogon-source-slack = { path = "crates/trogon-source-slack" }
 trogon-source-telegram = { path = "crates/trogon-source-telegram" }
 trogon-std = { path = "crates/trogon-std" }

rsworkspace/Cargo.toml

@@ -27,6 +27,7 @@ trogon-source-gitlab = { workspace = true }
 trogon-source-incidentio = { workspace = true }
 trogon-source-linear = { workspace = true }
 trogon-source-notion = { workspace = true }
+trogon-source-sentry = { workspace = true }
 trogon-source-slack = { workspace = true }
 trogon-source-telegram = { workspace = true }
 trogon-std = { workspace = true, features = ["clap", "telemetry-http"] }

rsworkspace/crates/trogon-gateway/Cargo.toml

@@ -15,6 +15,7 @@ use trogon_source_incidentio::config::IncidentioConfig as IncidentioSourceConfig
 use trogon_source_incidentio::incidentio_signing_secret::IncidentioSigningSecret;
 use trogon_source_linear::config::LinearWebhookSecret;
 use trogon_source_notion::NotionVerificationToken;
+use trogon_source_sentry::SentryClientSecret;
 use trogon_source_slack::config::SlackSigningSecret;
 use trogon_source_telegram::config::TelegramWebhookSecret;
 use trogon_std::{NonZeroDuration, ZeroDuration};
@@ -169,6 +170,8 @@ struct SourcesConfig {
     linear: LinearConfig,
     #[config(nested)]
     notion: NotionConfig,
+    #[config(nested)]
+    sentry: SentryConfig,
 }
 
 #[derive(Config)]
@@ -316,6 +319,22 @@ struct NotionConfig {
     nats_ack_timeout_secs: u64,
 }
 
+#[derive(Config)]
+struct SentryConfig {
+    #[config(env = "TROGON_SOURCE_SENTRY_STATUS")]
+    status: Option<String>,
+    #[config(env = "TROGON_SOURCE_SENTRY_CLIENT_SECRET")]
+    client_secret: Option<String>,
+    #[config(env = "TROGON_SOURCE_SENTRY_SUBJECT_PREFIX", default = "sentry")]
+    subject_prefix: String,
+    #[config(env = "TROGON_SOURCE_SENTRY_STREAM_NAME", default = "SENTRY")]
+    stream_name: String,
+    #[config(env = "TROGON_SOURCE_SENTRY_STREAM_MAX_AGE_SECS", default = 604_800)]
+    stream_max_age_secs: u64,
+    #[config(env = "TROGON_SOURCE_SENTRY_NATS_ACK_TIMEOUT_SECS", default = 10)]
+    nats_ack_timeout_secs: u64,
+}
+
 pub struct ResolvedHttpServerConfig {
     pub port: u16,
 }
@@ -332,6 +351,7 @@ pub struct ResolvedConfig {
     pub incidentio: Option<trogon_source_incidentio::IncidentioConfig>,
     pub linear: Option<trogon_source_linear::LinearConfig>,
     pub notion: Option<trogon_source_notion::NotionConfig>,
+    pub sentry: Option<trogon_source_sentry::SentryConfig>,
 }
 
 impl ResolvedConfig {
@@ -344,6 +364,7 @@ impl ResolvedConfig {
             || self.incidentio.is_some()
             || self.linear.is_some()
             || self.notion.is_some()
+            || self.sentry.is_some()
     }
 }
 
@@ -372,6 +393,7 @@ fn resolve(cfg: GatewayConfig, nats_overrides: &NatsArgs) -> Result<ResolvedConf
     let incidentio = resolve_incidentio(cfg.sources.incidentio, &mut errors);
     let linear = resolve_linear(cfg.sources.linear, &mut errors);
     let notion = resolve_notion(cfg.sources.notion, &mut errors);
+    let sentry = resolve_sentry(cfg.sources.sentry, &mut errors);
 
     let nats_max_payload_bytes = match NonZeroUsize::new(cfg.nats_max_payload_bytes) {
         Some(v) => v,
@@ -403,6 +425,7 @@ fn resolve(cfg: GatewayConfig, nats_overrides: &NatsArgs) -> Result<ResolvedConf
         incidentio,
         linear,
         notion,
+        sentry,
     })
 }
 
@@ -1072,6 +1095,88 @@ fn resolve_notion(
     })
 }
 
+fn resolve_sentry(
+    section: SentryConfig,
+    errors: &mut Vec<ConfigValidationError>,
+) -> Option<trogon_source_sentry::SentryConfig> {
+    if !resolve_source_status("sentry", section.status.as_deref(), errors) {
+        return None;
+    }
+
+    let client_secret = match section.client_secret {
+        Some(secret) => match SentryClientSecret::new(secret) {
+            Ok(secret) => secret,
+            Err(error) => {
+                errors.push(ConfigValidationError::invalid(
+                    "sentry",
+                    "client_secret",
+                    error,
+                ));
+                return None;
+            }
+        },
+        None => {
+            return None;
+        }
+    };
+
+    let subject_prefix = match NatsToken::new(section.subject_prefix) {
+        Ok(token) => token,
+        Err(error) => {
+            errors.push(ConfigValidationError::invalid_subject_token(
+                "sentry",
+                "subject_prefix",
+                error,
+            ));
+            return None;
+        }
+    };
+
+    let stream_name = match NatsToken::new(section.stream_name) {
+        Ok(token) => token,
+        Err(error) => {
+            errors.push(ConfigValidationError::invalid_subject_token(
+                "sentry",
+                "stream_name",
+                error,
+            ));
+            return None;
+        }
+    };
+
+    let nats_ack_timeout = match NonZeroDuration::from_secs(section.nats_ack_timeout_secs) {
+        Ok(duration) => duration,
+        Err(error) => {
+            errors.push(ConfigValidationError::invalid(
+                "sentry",
+                "nats_ack_timeout_secs",
+                error,
+            ));
+            return None;
+        }
+    };
+
+    let stream_max_age = match StreamMaxAge::from_secs(section.stream_max_age_secs) {
+        Ok(age) => age,
+        Err(error) => {
+            errors.push(ConfigValidationError::invalid(
+                "sentry",
+                "stream_max_age_secs",
+                error,
+            ));
+            return None;
+        }
+    };
+
+    Some(trogon_source_sentry::SentryConfig {
+        client_secret,
+        subject_prefix,
+        stream_name,
+        stream_max_age,
+        nats_ack_timeout,
+    })
+}
+
 fn resolve_source_status(
     source: &'static str,
     status: Option<&str>,
@@ -1185,6 +1290,15 @@ verification_token = "{token}"
         )
     }
 
+    fn sentry_toml(secret: &str) -> String {
+        format!(
+            r#"
+[sources.sentry]
+client_secret = "{secret}"
+"#
+        )
+    }
+
     fn incidentio_valid_test_secret() -> String {
         ["whsec_", "dGVzdC1zZWNyZXQ="].concat()
     }
@@ -1450,6 +1564,25 @@ verification_token = "notion-verification-token-example"
         assert!(cfg.notion.is_none());
     }
 
+    #[test]
+    fn sentry_resolves_with_valid_secret() {
+        let f = write_toml(&sentry_toml("sentry-client-secret"));
+        let cfg = load(Some(f.path())).expect("load failed");
+        assert!(cfg.sentry.is_some());
+    }
+
+    #[test]
+    fn sentry_disabled_returns_none() {
+        let toml = r#"
+[sources.sentry]
+status = "disabled"
+client_secret = "sentry-client-secret"
+"#;
+        let f = write_toml(toml);
+        let cfg = load(Some(f.path())).expect("load failed");
+        assert!(cfg.sentry.is_none());
+    }
+
     #[test]
     fn notion_missing_token_returns_none() {
         let toml = r#"
@@ -1992,6 +2125,15 @@ port = 9090
         );
     }
 
+    #[test]
+    fn sentry_empty_client_secret_is_invalid() {
+        let f = write_toml(&sentry_toml(""));
+        let result = load(Some(f.path()));
+        assert!(
+            matches!(result, Err(ConfigError::Validation(ref errs)) if errs.iter().any(|e| e.contains("sentry: invalid client_secret")))
+        );
+    }
+
     #[test]
     fn incidentio_invalid_secret_is_invalid() {
         let f = write_toml(&incidentio_toml("whsec_not-base64!"));
@@ -2274,6 +2416,34 @@ stream_max_age_secs = 0
         );
     }
 
+    #[test]
+    fn sentry_zero_nats_ack_timeout_is_error() {
+        let toml = r#"
+[sources.sentry]
+client_secret = "sentry-client-secret"
+nats_ack_timeout_secs = 0
+"#;
+        let f = write_toml(toml);
+        let result = load(Some(f.path()));
+        assert!(
+            matches!(result, Err(ConfigError::Validation(ref errs)) if errs.iter().any(|e| e.contains("sentry: nats_ack_timeout_secs must not be zero")))
+        );
+    }
+
+    #[test]
+    fn sentry_zero_stream_max_age_is_error() {
+        let toml = r#"
+[sources.sentry]
+client_secret = "sentry-client-secret"
+stream_max_age_secs = 0
+"#;
+        let f = write_toml(toml);
+        let result = load(Some(f.path()));
+        assert!(
+            matches!(result, Err(ConfigError::Validation(ref errs)) if errs.iter().any(|e| e.contains("sentry: stream_max_age_secs must not be zero")))
+        );
+    }
+
     #[test]
     fn incidentio_zero_timestamp_tolerance_is_error() {
         let toml = format!(

rsworkspace/crates/trogon-gateway/src/config.rs

@@ -78,6 +78,14 @@ where
         info!(source = "notion", "mounted at /notion");
     }
 
+    if let Some(ref cfg) = config.sentry {
+        app = app.nest(
+            "/sentry",
+            trogon_source_sentry::router(publisher.clone(), cfg),
+        );
+        info!(source = "sentry", "mounted at /sentry");
+    }
+
     app
 }
 
@@ -137,6 +145,9 @@ webhook_secret = "linear-secret"
 
 [sources.notion]
 verification_token = "notion-verification-token-example"
+
+[sources.sentry]
+client_secret = "sentry-client-secret"
 "#
         .to_string()
     }