Novu Notifications

FractalOps uses Novu as the OSS notification plane for Portal inbox delivery.

Current integration points:

  • Portal bell / inbox UI mounts from yamonco/fractalops-frontend:portal
  • backend exposes GET /v1/portal/notifications/novu-config
  • backend exposes POST /v1/portal/notifications/test
  • subscriber identity is the FractalOps subject_key
  • HMAC subscriber hash is derived from FRACTALOPS_NOVU_SECRET_KEY, which is resolved from OpenBao on demand

Required settings:

  • FRACTALOPS_NOVU_ENABLED=true
  • FRACTALOPS_NOVU_API_URL=https://novu.yamon.io/api
  • FRACTALOPS_NOVU_SOCKET_URL=https://novu.yamon.io/ws
  • FRACTALOPS_NOVU_DASHBOARD_URL=https://novu.yamon.io
  • FRACTALOPS_NOVU_APPLICATION_IDENTIFIER=...
  • FRACTALOPS_NOVU_SECRET_KEY=ref:runtime/novu-client:FRACTALOPS_NOVU_SECRET_KEY
  • FRACTALOPS_NOVU_DEFAULT_WORKFLOW_ID=fractalops-portal-alert

OpenBao paths:

  • fractalops/default/runtime/novu
    • self-hosted Novu server secrets such as JWT_SECRET, STORE_ENCRYPTION_KEY, NOVU_SECRET_KEY, MONGO_INITDB_ROOT_USERNAME, MONGO_INITDB_ROOT_PASSWORD
  • fractalops/default/runtime/novu-client
    • FractalOps runtime values such as FRACTALOPS_NOVU_ENABLED, FRACTALOPS_NOVU_API_URL, FRACTALOPS_NOVU_SOCKET_URL, FRACTALOPS_NOVU_DASHBOARD_URL, FRACTALOPS_NOVU_APPLICATION_IDENTIFIER, FRACTALOPS_NOVU_SECRET_KEY, FRACTALOPS_NOVU_DEFAULT_WORKFLOW_ID
  • FRACTALOPS_PORTAL_WEBPUSH_CONTACT_EMAIL=alerts@yamon.io

Rotation contract:

  • runtime/novu-client uses ExternalSecret delivery with reload_strategy=hot_resolve and rotation_strategy=staged_dual_key.
  • Portal API resolves the Novu secret through resolve_env_or_secret(...) on each config/test request; it does not cache the secret in PortalNotificationService.
  • Portal UI re-fetches Novu config every 5 minutes with cache: no-store, so subscriber HMAC changes propagate without a frontend rebuild.
  • runtime/novu contains stateful MongoDB/Valkey/server keys and uses reload_strategy=staged_restart plus rotation_strategy=graceful_dual_credential.
  • refreshInterval is 15m; OpenBao Kubernetes auth token TTL is 1h and max TTL is 24h, preserving refreshInterval < token_ttl <= token_max_ttl.
  • DB/Valkey credentials must be staged: add new credential, roll Novu API/WS/worker, verify both datastore connections, then revoke the old credential. Do not single-step replace MongoDB/Valkey passwords.
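
The sketch below is an added example, not FractalOps code: it shows the subscriber hash being derived from subject_key with the secret resolved on every request, so a rotated key changes the hash on the next config fetch. HMAC-SHA256 hex is the form Novu documents for its inbox subscriber hash; the use of Python, the response field names, FakeSecretStore, build_novu_config and all key values are assumptions or constructed.

```python
import hashlib
import hmac
from typing import Callable, Dict


def subscriber_hash(subject_key: str, secret_key: str) -> str:
    """Hex HMAC-SHA256 of the subscriber id, keyed with the Novu secret key."""
    return hmac.new(secret_key.encode("utf-8"),
                    subject_key.encode("utf-8"),
                    hashlib.sha256).hexdigest()


def build_novu_config(subject_key: str,
                      application_identifier: str,
                      resolve_secret: Callable[[], str]) -> Dict[str, str]:
    """Build the per-user inbox config (hypothetical field names)."""
    if not subject_key:
        raise ValueError("subject_key is required")
    secret = resolve_secret()  # resolved on every call, never kept on the service
    if not secret:
        raise RuntimeError("Novu secret key could not be resolved")
    # Only the derived hash leaves the backend; the key itself is never returned.
    return {
        "applicationIdentifier": application_identifier,
        "subscriberId": subject_key,
        "subscriberHash": subscriber_hash(subject_key, secret),
    }


class FakeSecretStore:
    """Constructed stand-in for the OpenBao-backed resolver."""
    def __init__(self, value: str) -> None:
        self.value = value
        self.reads = 0

    def resolve(self) -> str:
        self.reads += 1
        return self.value


def demo() -> Dict[str, object]:
    store = FakeSecretStore("constructed-old-key")
    before = build_novu_config("user:alice", "app-id-placeholder", store.resolve)
    store.value = "constructed-new-key"  # rotation lands in the secret store
    after = build_novu_config("user:alice", "app-id-placeholder", store.resolve)
    return {"before": before, "after": after, "reads": store.reads}


if __name__ == "__main__":
    print(demo())
```

A service that cached the key at construction would keep serving the old hash after rotation, which is the failure the no-cache rule above avoids.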

Notes:

  • Portal inbox is live once Novu is configured and the target workflow exists.
  • Browser push delivery still depends on a Novu push provider integration such as FCM, OneSignal, or Pushpad.
  • FractalOps does not invent a separate push engine; Temporal and API code should trigger Novu workflows instead.
  • GitOps app path: platform/k8s/apps/novu
  • Argo application: platform/k8s/argocd/runtime/resources/novu.application.yaml