Add Cloud Run service log destination

[robbiet480]

Summary

• Add a cloudrun_service log destination for osquery status logs, osquery result logs, and audit logs.
• Send each log as a raw JSON request body with strict error handling on request failures and non-2xx responses.
• Support authenticated Cloud Run service calls with per-destination Google ID token audiences.
• Document the new server configuration and expose the plugin in app config/frontend logging types.

Why

Fleet already supports AWS Lambda as a direct serverless log destination. This adds the analogous Cloud Run service path without changing the existing webhook behavior, which uses an envelope payload and best-effort delivery.

AI usage

This PR was implemented with AI assistance and human reviewed by Robbie Trencheny.

Testing

• go test ./server/logging
• go test ./server/service -run TestService_LoggingConfig
• go test ./server/config
• go test ./cmd/fleet -run '^$'
• make lint-go-incremental

Note: full go test ./cmd/fleet was not runnable locally because tests require the mysql_test service.

Summary by CodeRabbit

• New Features

  • Added Google Cloud Run as a logging destination for osquery status, result, and audit logs, with configurable endpoints and authentication audiences.
  • UI now shows "Google Cloud Run" as a log destination and includes a matching tooltip.

• Tests

  • Added unit tests and test helpers covering Cloud Run logging behavior and configuration.

[claude]

Claude Code Review

This pull request is from a fork — automated review is disabled. A repository maintainer can comment @claude review to run a one-time review.

[codecov]

Codecov Report

❌ Patch coverage is 64.03509% with 41 lines in your changes missing coverage. Please review.
✅ Project coverage is 66.67%. Comparing base (84b0b15) to head (acb066f).

Files with missing lines	Patch %	Lines
server/logging/cloudrun_service.go	59.18%	17 Missing and 3 partials ⚠️
server/logging/logging.go	0.00%	10 Missing ⚠️
cmd/fleet/serve.go	0.00%	7 Missing ⚠️
...ogDestinationIndicator/LogDestinationIndicator.tsx	0.00%	4 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #44720      +/-   ##
==========================================
- Coverage   66.68%   66.67%   -0.01%     
==========================================
  Files        2651     2652       +1     
  Lines      213531   213687     +156     
  Branches     9613     9615       +2     
==========================================
+ Hits       142395   142484      +89     
- Misses      58172    58231      +59     
- Partials    12964    12972       +8     

Flag	Coverage Δ
backend	68.54% <66.36%> (-0.01%)	⬇️
frontend	54.21% <0.00%> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Copilot]

Pull request overview

Adds a new cloudrun_service logging destination so Fleet can send osquery status/result logs and audit logs directly to a Cloud Run service, alongside config/API/frontend/docs support for that option.

Changes:

• Added backend logging support for cloudrun_service, including optional Google ID token audiences and per-log raw JSON POST delivery.
• Wired the new destination through server config loading, serve logger setup, and app-config/logging API exposure.
• Updated frontend log-destination typing and docs to mention the new plugin.

Reviewed changes

Copilot reviewed 10 out of 12 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
server/service/testing_utils.go	Added test config helper for Cloud Run logging.
server/service/service_appconfig.go	Exposed Cloud Run logging config in app config responses.
server/service/service_appconfig_test.go	Added LoggingConfig coverage for Cloud Run plugin.
server/logging/logging.go	Registered cloudrun_service in logger factory/config.
server/logging/cloudrun_service.go	Implemented Cloud Run log writer with optional ID token auth.
server/logging/cloudrun_service_test.go	Added unit tests for basic Cloud Run writer behavior.
server/fleet/app.go	Added API-facing Cloud Run logging config type.
server/config/config.go	Added Fleet config fields/flags/env loading for Cloud Run logging.
frontend/interfaces/config.ts	Added cloudrun_service to frontend log destination type union.
docs/Get started/FAQ.md	Documented new plugin in FAQ list of log destinations.
docs/Configuration/fleet-server-configuration.md	Documented Cloud Run logging plugin and related config keys.
cmd/fleet/serve.go	Passed Cloud Run config into status/result/audit logger setup.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 2ff3a7f4-bdf9-4980-b206-a9ad76626372

📥 Commits

Reviewing files that changed from the base of the PR and between 4398086 and acb066f.

📒 Files selected for processing (2)

• server/logging/cloudrun_service.go
• server/logging/cloudrun_service_test.go

🚧 Files skipped from review as they are similar to previous changes (2)

• server/logging/cloudrun_service.go
• server/logging/cloudrun_service_test.go

---

Walkthrough

Adds Cloud Run service logging support across the codebase. Introduces a new CloudRunServiceConfig (status/result/audit URL and audience pairs), extends FleetConfig and logging Configs, and exposes a matching JSON-serializable type. Implements cloudRunServiceLogWriter to POST JSON log entries to Cloud Run endpoints with optional ID-token authentication and enforces a per-entry size limit. Integrates the plugin into JSON logger construction and server initialization, updates service app config and tests, and adds "cloudrun_service" to the frontend LogDestination type.

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 7.69% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Description check	❓ Inconclusive	The PR description covers summary, rationale, testing, and AI usage, but the provided checklist template is largely unchecked, indicating incomplete adherence to repository standards.	Review and complete the checklist items (e.g., confirm changes file added, validate security/timeouts, verify GitOps exclusion if applicable, confirm testing coverage).

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely describes the main change: adding a new Cloud Run service log destination, which aligns with all file-level summaries.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@server/logging/cloudrun_service_test.go`:
- Around line 24-40: The test TestCloudRunServiceSendsEachRawLog references an
undefined variable logs causing a compile error; add a local declaration for
logs (e.g., match other tests in the package by declaring var logs
[]json.RawMessage or logs := []json.RawMessage{...} with the expected entries)
before calling makeCloudRunServiceWriterWithClient and writer.Write so the
subsequent require.Equal(t, logs, bodies) can compare against the sent payloads.

In `@server/logging/cloudrun_service.go`:
- Around line 33-36: In NewCloudRunServiceLogWriter validate the serviceURL
format up front: parse serviceURL (e.g., using url.Parse or url.ParseRequestURI)
and ensure it yields a non-empty Scheme and Host; if parsing fails or
scheme/host are missing, return an error immediately instead of deferring
failure to Write; this ensures malformed URLs are caught at logger
initialization and references the serviceURL parameter and
NewCloudRunServiceLogWriter constructor for where to add the check.
- Around line 73-93: The success path currently calls resp.Body.Close() without
draining, preventing reliable HTTP connection reuse; change the success branch
(the block around w.client.Do, the resp variable, and the final
resp.Body.Close()) to explicitly drain the response before closing — e.g.
read/discard up to a small limit or copy to io.Discard (handle/ignore read
errors) and then call resp.Body.Close(); keep the existing logging
(w.logger.DebugContext and platformhttp.MaskSecretURLParams(w.url)) and error
return behavior unchanged.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: fcde6969-557f-4ab6-81d8-444c7a84a616

📥 Commits

Reviewing files that changed from the base of the PR and between 84b0b15 and 559978d.

⛔ Files ignored due to path filters (2)

• docs/Configuration/fleet-server-configuration.md is excluded by !**/*.md
• docs/Get started/FAQ.md is excluded by !**/*.md

📒 Files selected for processing (10)

• cmd/fleet/serve.go
• frontend/interfaces/config.ts
• server/config/config.go
• server/fleet/app.go
• server/logging/cloudrun_service.go
• server/logging/cloudrun_service_test.go
• server/logging/logging.go
• server/service/service_appconfig.go
• server/service/service_appconfig_test.go
• server/service/testing_utils.go