[FSN-13] feat(nf-tower): Retrieve and set Fusion license tokens in a process environment

[alberto-miranda]

Description

This PR adds a new TowerFusionEnv class to nf-tower that enables setting Platform-specific environment variables to Nextflow processes running with Fusion enabled. The class implements the FusionEnv interface and, as such, provides a getEnvironment() method that returns the relevant key-value pairs.

Currently, the provider is only being used to set the FUSION_LICENSE_TOKEN environment variable, the value of which is retrieved by sending a specific HTTP request to Platform in order to validate the run. Once the run is validated, Platform will reply with a corresponding token which will be injected into the process environment.

Note

Since fusion licenses are still not mandatory, if the license cannot be validated (or there's a configuration error affecting this validation process) a warning is emitted:

user@host$ nextflow run hello

N E X T F L O W   ~  version 24.11.0-edge

Launching `https://github.com/nextflow-io/hello` [mighty_liskov] DSL2 - revision: afff16a9b4 [master]

executor >  local (fusion enabled) (4)
[ec/6b82ba] process > sayHello (4) [100%] 4 of 4 ✔
Hello world!

Hello world!

Ciao world!

Ciao world!

Bonjour world!

Bonjour world!

Hola world!

Hola world!

WARN: Error retrieving Fusion license information: Missing personal access token -- Make sure there's a variable >TOWER_ACCESS_TOKEN in your environment
WARN: Error retrieving Fusion license information: Missing personal access token -- Make sure there's a variable >TOWER_ACCESS_TOKEN in your environment
WARN: Error retrieving Fusion license information: Missing personal access token -- Make sure there's a variable >TOWER_ACCESS_TOKEN in your environment
WARN: Error retrieving Fusion license information: Missing personal access token -- Make sure there's a variable >TOWER_ACCESS_TOKEN in your environment

Testing

This PR can be tested by following this guide.

[netlify]

✅ Deploy Preview for nextflow-docs-staging canceled.

Name	Link
🔨 Latest commit	43f8bba
🔍 Latest deploy log	https://app.netlify.com/sites/nextflow-docs-staging/deploys/67659be67516e400080a0dea

[alberto-miranda]

@pditommaso I have refactored the implementation into TowerClient as you suggested. A couple of comments:

1. I'm not very fond of making TowerClient implement FusionEnv: I'd rather have a dedicated TowerFusionEnv class with the getEnvironment() method and helpers, but then I cannot reuse the client itself or the sendHttpMessage() and co. functions. Any advice here?
2. It doesn't seem to be picking up TowerClient as an extension despite having defined it in plugins/nf-tower/src/resources/META-INF/extensions.idx. As such, it's not using it (e.g. this should fail and it's not failing). Is there anything else I need to do to register the extension?

[pditommaso]

I'm not very fond of making TowerClient implement FusionEnv: I'd rather have a dedicated TowerFusionEnv class

I agree, sorry if I may have suggested in that direction. My point was to move this logic in the tower client module

then I cannot reuse the client itself or the sendHttpMessage()

don't worry about that, use the java provider client for example

nextflow/plugins/nf-tower/src/main/io/seqera/tower/plugin/TowerXAuth.groovy

Lines 56 to 62 in 6183fdf

	this.httpClient = HttpClient.newBuilder()
	.version(HttpClient.Version.HTTP_1_1)
	.followRedirects(HttpClient.Redirect.NORMAL)
	.cookieHandler(cookieManager)
	.connectTimeout(Duration.ofSeconds(10))
	.build()
	}

[alberto-miranda]

@pditommaso I refactored the implementation based on our discussions. The PR is ready to review.

[alberto-miranda]

This basically replicates what TowerConfig does in nf-wave, but I didn't want to add a explicit dependency on that. If adding this dependency is not a problem, it would be better to reuse the code there.

[pditommaso]

Could make sense to turn those into PlatformHelper class shared across modules & plugins

[alberto-miranda]

I agree. Do you want it done in the context of this PR?

[pditommaso]

it could be better

[alberto-miranda]

Refactored with c1147cd. I created the PlatformHelper class under modules/nextflow/src/main/groovy/nextflow/platform since it seemed to fit with the existing conventions for common code. Please double check.

[pditommaso]

Looks good, left some comments. Question, what happens when using Fusion and Tower plugin is not enabled?

[pditommaso]

Suggested change

	'FUSION_LICENSE_TOKEN': token,
	FUSION_LICENSE_TOKEN: token,

Groovy magic

[alberto-miranda]

Fixed with f32f0ca

[pditommaso]

Built-in JsonOutout.toJson(Map) can be easier

[alberto-miranda]

I did it this way for symmetry with the deserialization but I don't have a preference for one or the other.

[pditommaso]

I'm fine keeping gson, then it would be better to isolate into its own method

[alberto-miranda]

Done with 2f11171

[pditommaso]

Could make sense to turn those into PlatformHelper class shared across modules & plugins

[alberto-miranda]

Looks good, left some comments. Question, what happens when using Fusion and Tower plugin is not enabled?

Nothing special, if nf-tower is enabled but Fusion is not, the TowerFusionEnv itself is never instantiated, and there are no calls made to retrieve a token. The same happens if both are disabled, but in this case nf-tower is also never loaded.

[pditommaso]

Will Fusion be able to run?

[alberto-miranda]

Will Fusion be able to run?

The license is not yet enforced in the Fusion side, so yes.

A side effect we didn't consider is that if fusion is run without nf-tower the license is not enforced currently (because TowerFusionEnv is not loaded in this case). Is this a use case that should concern us?

EDIT: Even if not enforced by nextflow, fusion will still fail once licenses become mandatory, but the error received by the user will probably be uglier.

[pditommaso]

Even if not enforced by nextflow, fusion will still fail once licenses become mandatory, but the error received by the user will probably be uglier

and slower, ie. after the job started. we should consider adding a "default" TowerFusionEnv implementation of this execution reporting a warning message.

The "default" TowerFusionEnv is "overridden" by the one provided by tower plugin when it's enabled

See here for example

nextflow/plugins/nf-wave/src/main/io/seqera/wave/plugin/resolver/WaveContainerResolver.groovy

Line 41 in 9eefd20

@Priority(-10) // <-- lower is higher, this is needed to override default provider behavior

[alberto-miranda]

Even if not enforced by nextflow, fusion will still fail once licenses become mandatory, but the error received by the user will probably be uglier

and slower, ie. after the job started. we should consider adding a "default" TowerFusionEnv implementation of this execution reporting a warning message.

The "default" TowerFusionEnv is "overridden" by the one provided by tower plugin when it's enabled

See here for example

nextflow/plugins/nf-wave/src/main/io/seqera/wave/plugin/resolver/WaveContainerResolver.groovy

Line 41 in 9eefd20

@Priority(-10) // <-- lower is higher, this is needed to override default provider behavior

It's a great idea, but if I understand correctly the mechanism you propose, it prioritizes between implementations of a specific interface doesn't it? For our case, we need to override one implementer of FusionEnv (i.e. TowerFusionEnv) but maintain any other implementers such as AwsFusionEnv. Can we do that automatically?

[pditommaso]

You are right, it may need some customisation in the plugins handling. Ignore it for now.

[stefanoboriero]

Nice, left a few comments but nothing blocking

[stefanoboriero]

This response is going to contain an authentication token right? Do we want to log it?

[alberto-miranda]

Good question. I'm not sure about what the preferred policy is in Nextflow logs (cc @pditommaso)

[stefanoboriero]

I'm not sure how I feel about retrying 503 and 504 errors, if Seqera Platform is under heavy load wouldn't this make it worse?

[alberto-miranda]

I took this from Wave's client to follow the existing approach. I don't have a specific preference 🤷‍♂️ (cc @pditommaso)

[pditommaso]

That's why it's used an exponential backoff. Actually think it should be added 408 (connection timeout) to that list

[stefanoboriero]

Makes sense, consider this resolved 👍

[alberto-miranda]

Error 408 added with 6ce5be3

[stefanoboriero]

It also throws other exceptions if the token is not valid or malformed

[alberto-miranda]

Addressed with 1fed859 and refactored into a9849f5

[alberto-miranda]

As discussed this morning, I have added caching of license token responses with a9849f5 and re-scoped the license-related error messages as debug instead of warning with eaa985e.

Having said that, I'm not at all convinced that the caching is working as it should, so I would appreciate more experienced eyes looking into it.

[alberto-miranda]

It looks like I broke some tests in the process. Fixing. Tests should be fixed! 🚀