Introduce snippet-service

.github/workflows/build-publish.yaml

@@ -109,6 +109,10 @@ jobs:
           - name: cert-tool
             directory: tools/cert-tool
             file: tools/cert-tool/Dockerfile
+          - name: snippet-service
+            directory: snippet-service
+            file: .tmp/docker/snippet-service/Dockerfile
+            template-file: tools/docker/Dockerfile.in
     uses: ./.github/workflows/build-publish-cfg.yaml
     with:
       name: ${{ matrix.name }}

Makefile

@@ -42,7 +42,7 @@ CERT_TOOL_SIGN_ALG ?= ECDSA-SHA256
 CERT_TOOL_ELLIPTIC_CURVE ?= P256
 CERT_TOOL_IMAGE = ghcr.io/plgd-dev/hub/cert-tool:vnext
 
-SUBDIRS := bundle certificate-authority cloud2cloud-connector cloud2cloud-gateway coap-gateway grpc-gateway resource-aggregate resource-directory http-gateway identity-store test/oauth-server tools/cert-tool
+SUBDIRS := bundle certificate-authority cloud2cloud-connector cloud2cloud-gateway coap-gateway grpc-gateway resource-aggregate resource-directory http-gateway identity-store snippet-service test/oauth-server tools/cert-tool
 .PHONY: $(SUBDIRS) push proto/generate clean build test env mongo nats certificates hub-build http-gateway-www simulators
 
 default: build

bundle/Dockerfile

@@ -105,6 +105,13 @@ RUN go build \
     -o "/go/bin/$tool" \
     ./
 
+#snippet-service
+ARG service=snippet-service
+WORKDIR $root_directory/$service
+RUN go build -ldflags "-linkmode external -extldflags -static -X github.com/plgd-dev/hub/v2/pkg/build.CommitDate=$COMMIT_DATE -X github.com/plgd-dev/hub/v2/pkg/build.CommitHash=$SHORT_COMMIT -X github.com/plgd-dev/hub/v2/pkg/build.BuildDate=$DATE -X github.com/plgd-dev/hub/v2/pkg/build.Version=$VERSION -X github.com/plgd-dev/hub/v2/pkg/build.ReleaseURL=$RELEASE_URL" \
+    -o "/go/bin/$service" \
+    ./cmd/service
+
 #nats
 WORKDIR $root_directory
 RUN apkArch="$(apk --print-arch)"; \
@@ -168,6 +175,8 @@ COPY --from=build /go/bin/cloud2cloud-connector /usr/local/bin/cloud2cloud-conne
 COPY --from=build /go/src/github.com/plgd-dev/hub/cloud2cloud-connector/config.yaml /configs/cloud2cloud-connector.yaml
 COPY --from=build /go/src/github.com/plgd-dev/hub/bundle/run.sh /usr/local/bin/run.sh
 COPY --from=build /go/src/github.com/plgd-dev/hub/bundle/nginx /nginx
+COPY --from=build /go/bin/snippet-service /usr/local/bin/snippet-service
+COPY --from=build /go/src/github.com/plgd-dev/hub/snippet-service/config.yaml /configs/snippet-service.yaml
 
 # install scylla
 RUN curl -sSf get.scylladb.com/server | sudo bash -s -- --scylla-version 5.2
@@ -222,6 +231,8 @@ ENV NATS_PORT=10001
 ENV SCYLLA_SMP=1
 ENV SCYLLA_DEVELOPER_MODE=true
 ENV SCYLLA_PORT=29142
+ENV SNIPPET_SERVICE_PORT=9091
+ENV HTTP_SNIPPET_SERVICE_PORT=9092
 
 # OAuth
 ENV DEVICE_PROVIDER=plgd

bundle/nginx/nginx.conf.template

@@ -107,6 +107,20 @@ http {
       proxy_set_header Connection $connection_upgrade;
       proxy_set_header Host $host;
     }
+    location ~ ^(/snippet-service) {
+      set $upstream_snippet_service https://127.0.0.1:REPLACE_HTTP_SNIPPET_SERVICE_PORT;
+      proxy_pass                     $upstream_snippet_service;
+      proxy_ssl_certificate           /data/certs/internal/endpoint.crt;
+      proxy_ssl_certificate_key       /data/certs/internal/endpoint.key;
+      proxy_ssl_trusted_certificate   /data/certs/root_ca.crt;
+      proxy_ssl_verify                on;
+      set $cors_headers 'Authority,Method,Path,Scheme,Accept,Accept-Encoding,Accept-Language,Content-Type,Origin,Refer,Sec-Fetch-Dest,Sec-Fetch-Mode,Sec-Fetch-Site,Authorization,DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,correlation-id';
+      include /nginx/cors.conf;
+      proxy_http_version 1.1;
+      proxy_set_header Upgrade $http_upgrade;
+      proxy_set_header Connection $connection_upgrade;
+      proxy_set_header Host $host;
+    }
     location ~ ^/ {
       set $upstream_http_gateway https://127.0.0.1:REPLACE_HTTP_GATEWAY_PORT;
       proxy_pass                     $upstream_http_gateway;

bundle/run.sh

@@ -15,6 +15,7 @@ export NGINX_PATH="/data/nginx"
 export JETSTREAM_PATH="/data/jetstream"
 
 export CERTIFICATE_AUTHORITY_ADDRESS="localhost:${CERTIFICATE_AUTHORITY_PORT}"
+export CERTIFICATE_AUTHORITY_HTTP_ADDRESS="localhost:${HTTP_CERTIFICATE_AUTHORITY_PORT}"
 export MOCK_OAUTH_SERVER_ADDRESS="localhost:${MOCK_OAUTH_SERVER_PORT}"
 export RESOURCE_AGGREGATE_ADDRESS="localhost:${RESOURCE_AGGREGATE_PORT}"
 export RESOURCE_DIRECTORY_ADDRESS="localhost:${RESOURCE_DIRECTORY_PORT}"
@@ -23,6 +24,8 @@ export GRPC_GATEWAY_ADDRESS="localhost:${GRPC_GATEWAY_PORT}"
 export HTTP_GATEWAY_ADDRESS="localhost:${HTTP_GATEWAY_PORT}"
 export CLOUD2CLOUD_GATEWAY_ADDRESS="localhost:${CLOUD2CLOUD_GATEWAY_PORT}"
 export CLOUD2CLOUD_CONNECTOR_ADDRESS="localhost:${CLOUD2CLOUD_CONNECTOR_PORT}"
+export SNIPPET_SERVICE_ADDRESS="localhost:${SNIPPET_SERVICE_PORT}"
+export SNIPPET_SERVICE_HTTP_ADDRESS="localhost:${HTTP_SNIPPET_SERVICE_PORT}"
 
 export INTERNAL_CERT_DIR_PATH="$CERTIFICATES_PATH/internal"
 export GRPC_INTERNAL_CERT_NAME="endpoint.crt"
@@ -451,6 +454,7 @@ if [ "${OVERRIDE_FILES}" = "true" ] || [ ! -f "${NGINX_PATH}/nginx.conf" ]; then
   sed -i "s/REPLACE_CLOUD2CLOUD_GATEWAY_PORT/$CLOUD2CLOUD_GATEWAY_PORT/g" ${NGINX_PATH}/nginx.conf
   sed -i "s/REPLACE_CLOUD2CLOUD_CONNECTOR_PORT/$CLOUD2CLOUD_CONNECTOR_PORT/g" ${NGINX_PATH}/nginx.conf
   sed -i "s/REPLACE_HTTP_CERTIFICATE_AUTHORITY_PORT/$HTTP_CERTIFICATE_AUTHORITY_PORT/g" ${NGINX_PATH}/nginx.conf
+  sed -i "s/REPLACE_HTTP_SNIPPET_SERVICE_PORT/$HTTP_SNIPPET_SERVICE_PORT/g" ${NGINX_PATH}/nginx.conf
 fi
 
 # nats
@@ -917,6 +921,7 @@ cat /configs/certificate-authority.yaml | yq e "\
   .apis.grpc.authorization.http.tls.useSystemCAPool = true |
   .apis.grpc.authorization.authority = \"https://${OAUTH_ENDPOINT}\" |
   .apis.grpc.authorization.ownerClaim = \"${OWNER_CLAIM}\" |
+  .apis.http.address = \"${CERTIFICATE_AUTHORITY_HTTP_ADDRESS}\" |
   .clients.storage.use = \"${DATABASE_USE}\" |
   .clients.storage.mongoDB.uri = \"${MONGODB_URI}\" |
   .clients.storage.cqlDB.hosts = [ \"${SCYLLA_HOSTNAME}\" ] |
@@ -1144,7 +1149,51 @@ while true; do
   sleep 1
 done
 
+# snippet-service
+echo "starting snippet-service"
+## configuration
+if [ "${OVERRIDE_FILES}" = "true" ] || [ ! -f "/data/snippet-service.yaml" ]; then
+cat /configs/snippet-service.yaml | yq e "\
+  .hubID = \"${HUB_ID}\" |
+  .log.level = \"${LOG_LEVEL}\" |
+  .apis.grpc.address = \"${SNIPPET_SERVICE_ADDRESS}\" |
+  .apis.grpc.authorization.audience = \"${SERVICE_OAUTH_AUDIENCE}\" |
+  .apis.grpc.authorization.http.tls.useSystemCAPool = true |
+  .apis.grpc.authorization.authority = \"https://${OAUTH_ENDPOINT}\" |
+  .apis.grpc.authorization.ownerClaim = \"${OWNER_CLAIM}\" |
+  .apis.http.address = \"${SNIPPET_SERVICE_HTTP_ADDRESS}\" |
+  .clients.storage.use = \"${DATABASE_USE}\" |
+  .clients.storage.mongoDB.uri = \"${MONGODB_URI}\" |
+  .clients.storage.cqlDB.hosts = [ \"${SCYLLA_HOSTNAME}\" ] |
+  .clients.storage.cqlDB.port = ${SCYLLA_PORT} |
+  .clients.openTelemetryCollector.grpc.enabled = ${OPEN_TELEMETRY_EXPORTER_ENABLED} |
+  .clients.openTelemetryCollector.grpc.address = \"${OPEN_TELEMETRY_EXPORTER_ADDRESS}\" |
+  .clients.openTelemetryCollector.grpc.tls.caPool = \"${OPEN_TELEMETRY_EXPORTER_CA_POOL}\" |
+  .clients.openTelemetryCollector.grpc.tls.keyFile = \"${OPEN_TELEMETRY_EXPORTER_KEY_FILE}\" |
+  .clients.openTelemetryCollector.grpc.tls.certFile = \"${OPEN_TELEMETRY_EXPORTER_CERT_FILE}\" |
+  .clients.openTelemetryCollector.grpc.tls.useSystemCAPool = true
+" - > /data/snippet-service.yaml
+fi
+snippet-service --config /data/snippet-service.yaml >$LOGS_PATH/snippet-service.log 2>&1 &
+status=$?
+snippet_service_pid=$!
+if [ $status -ne 0 ]; then
+  echo "Failed to start snippet-service: $status"
+  sync
+  cat $LOGS_PATH/snippet-service.log
+  exit $status
+fi
 
+# waiting for ca. Without wait, sometimes the service didn't connect.
+i=0
+while true; do
+  i=$((i+1))
+  if openssl s_client -connect ${SNIPPET_SERVICE_ADDRESS} -cert ${INTERNAL_CERT_DIR_PATH}/${GRPC_INTERNAL_CERT_NAME} -key ${INTERNAL_CERT_DIR_PATH}/${GRPC_INTERNAL_CERT_KEY_NAME} <<< "Q" 2>/dev/null > /dev/null; then
+    break
+  fi
+  echo "Try to reconnect to snippet-service(${SNIPPET_SERVICE_ADDRESS}) $i"
+  sleep 1
+done
 
 echo "Open browser at https://${DOMAIN}"
 
@@ -1263,4 +1312,11 @@ while sleep 10; do
       exit 1
     fi
   fi
+  ps aux |grep $snippet_service_pid |grep -q -v grep
+  if [ $? -ne 0 ]; then
+    echo "snippet-service has already exited."
+    sync
+    cat $LOGS_PATH/snippet-service.log
+   exit 1
+  fi
 done

charts/plgd-hub/templates/snippet-service/_helpers.tpl

@@ -0,0 +1,60 @@
+{{- define "plgd-hub.snippetservice.fullname" -}}
+{{- if .Values.snippetservice.fullnameOverride }}
+{{- .Values.snippetservice.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Values.snippetservice.name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s-%s" .Release.Name $name .Values.snippetservice.name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- define  "plgd-hub.snippetservice.image" -}}
+    {{- $registryName := .Values.snippetservice.image.registry | default "" -}}
+    {{- $repositoryName := .Values.snippetservice.image.repository -}}
+    {{- $tag := .Values.snippetservice.image.tag | default .Chart.AppVersion | toString -}}
+    {{- printf "%s%s:%s" $registryName $repositoryName  $tag -}}
+{{- end -}}
+
+{{- define  "plgd-hub.snippetservice.configName" -}}
+    {{- $fullName :=  include "plgd-hub.snippetservice.fullname" . -}}
+    {{- printf "%s-cfg" $fullName }}
+{{- end -}}
+
+{{- define "plgd-hub.snippetservice.createServiceCertByCm" }}
+    {{- $serviceTls := .Values.snippetservice.apis.grpc.tls.certFile }}
+    {{- if $serviceTls }}
+    {{- printf "" -}}
+    {{- else }}
+    {{- printf "true" -}}
+    {{- end }}
+{{- end }}
+
+{{- define "plgd-hub.snippetservice.domain" -}}
+  {{- if .Values.snippetservice.domain }}
+    {{- printf "%s" .Values.snippetservice.domain }}
+  {{- else }}
+    {{- printf "api.%s" .Values.global.domain }}
+  {{- end }}
+{{- end }}
+
+{{- define "plgd-hub.snippetservice.serviceCertName" -}}
+  {{- $fullName := include "plgd-hub.snippetservice.fullname" . -}}
+  {{- printf "%s-crt" $fullName -}}
+{{- end }}
+
+{{- define "plgd-hub.snippetservice.domainCertName" -}}
+    {{- if .Values.snippetservice.ingress.secretName }}
+        {{- printf "%s" .Values.snippetservice.ingress.secretName -}}
+    {{- else }}
+        {{- $fullName := include "plgd-hub.snippetservice.fullname" . -}}
+        {{- printf "%s-domain-crt" $fullName -}}
+    {{- end }}
+{{- end }}
+
+{{- define "plgd-hub.snippetservice.selectorLabels" -}}
+app.kubernetes.io/name: {{ .Values.snippetservice.name }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}

charts/plgd-hub/templates/snippet-service/config.yaml

@@ -0,0 +1,96 @@
+{{- if .Values.snippetservice.enabled }}
+{{- $cert := "/certs" }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "plgd-hub.snippetservice.configName" . }}
+  namespace: {{ .Release.Namespace }}
+data:
+  {{ .Values.snippetservice.config.fileName }}: |
+    {{- with .Values.snippetservice }}
+    hubID: {{ required "snippetservice.hubId or global.hubId is required" ( .hubId | default $.Values.global.hubId) | quote }}
+    log:
+      level: {{ .log.level }}
+      dumpBody: {{ .log.dumpBody }}
+      encoding: {{ .log.encoding }}
+      stacktrace:
+        enabled: {{ .log.stacktrace.enabled }}
+        level: {{ .log.stacktrace.level }}
+      encoderConfig:
+        timeEncoder: {{ .log.encoderConfig.timeEncoder }}
+    apis:
+      grpc:
+        address: {{  .apis.grpc.address | default (printf "0.0.0.0:%v" .port) | quote }}
+        sendMsgSize: {{ int64 .apis.grpc.sendMsgSize | default 4194304 }}
+        recvMsgSize: {{ int64 .apis.grpc.recvMsgSize | default 4194304 }}
+        enforcementPolicy:
+          minTime: {{ .apis.grpc.enforcementPolicy.minTime }}
+          permitWithoutStream: {{ .apis.grpc.enforcementPolicy.permitWithoutStream }}
+        keepAlive:
+          # 0s - means infinity
+          maxConnectionIdle: {{ .apis.grpc.keepAlive.maxConnectionIdle }}
+          # 0s - means infinity
+          maxConnectionAge: {{ .apis.grpc.keepAlive.maxConnectionIdle }}
+          # 0s - means infinity
+          maxConnectionAgeGrace: {{ .apis.grpc.keepAlive.maxConnectionAgeGrace }}
+          time: {{ .apis.grpc.keepAlive.maxConnectionIdle }}
+          timeout: {{ .apis.grpc.keepAlive.maxConnectionIdle }}
+        tls:
+          {{- $tls := .apis.grpc.tls }}
+          {{- include "plgd-hub.certificateConfig" (list $ $tls $cert ) | indent 8 }}
+          clientCertificateRequired: {{ .apis.grpc.tls.clientCertificateRequired }}
+        authorization:
+          {{- $authorization := .apis.grpc.authorization }}
+          {{- include "plgd-hub.authorizationConfig" (list $ $authorization "snippetservice" ) | indent 8 }}
+          http:
+            maxIdleConns: {{ .apis.grpc.authorization.http.maxIdleConns }}
+            maxConnsPerHost: {{ .apis.grpc.authorization.http.maxIdleConnsPerHost }}
+            maxIdleConnsPerHost: {{ .apis.grpc.authorization.http.maxIdleConnsPerHost }}
+            idleConnTimeout: {{ .apis.grpc.authorization.http.idleConnTimeout }}
+            timeout: {{ .apis.grpc.authorization.http.timeout }}
+            tls:
+              {{- $grpcTls := .apis.grpc.authorization.http.tls }}
+              {{- include "plgd-hub.authorizationCaCertificateConfig" (list $ $grpcTls $cert ) | indent 12 }}
+              useSystemCAPool: {{ .apis.grpc.authorization.http.tls.useSystemCAPool }}
+      http:
+        address: {{  .apis.http.address | default (printf "0.0.0.0:%v" .httpPort) | quote }}
+        readTimeout: {{ .apis.http.readTimeout }}
+        readHeaderTimeout: {{ .apis.http.readHeaderTimeout }}
+        writeTimeout: {{ .apis.http.writeTimeout }}
+        idleTimeout: {{ .apis.http.idleTimeout }}
+    clients:
+      storage:
+        use: {{ include "plgd-hub.useDatabase" (list $ . .clients.storage.use)  | quote }}
+        mongoDB:
+          uri: {{ include "plgd-hub.mongoDBUri" (list $ .clients.storage.mongoDB.uri )  | quote }}
+          database: {{ .clients.storage.mongoDB.database }}
+          maxPoolSize: {{ .clients.storage.mongoDB.maxPoolSize }}
+          maxConnIdleTime: {{ .clients.storage.mongoDB.maxConnIdleTime }}
+          tls:
+            {{- $mongoDbTls := .clients.storage.mongoDB.tls }}
+            {{- include "plgd-hub.certificateConfig" (list $ $mongoDbTls $cert ) | indent 10 }}
+            useSystemCAPool: {{ .clients.storage.mongoDB.tls.useSystemCAPool }}
+        cqlDB:
+          hosts:
+          {{- include "plgd-hub.cqlDBHosts" (list $ .clients.storage.cqlDB.hosts ) | indent 8 }}
+          port: {{ .clients.storage.cqlDB.port | default 9142 }}
+          table: {{ .clients.storage.cqlDB.table | quote }}
+          numConnections: {{ .clients.storage.cqlDB.numConnections }}
+          connectTimeout: {{ .clients.storage.cqlDB.connectTimeout }}
+          useHostnameResolution: {{ .clients.storage.cqlDB.useHostnameResolution }}
+          reconnectionPolicy:
+            constant:
+              interval: {{ .clients.storage.cqlDB.reconnectionPolicy.constant.interval }}
+              maxRetries: {{ .clients.storage.cqlDB.reconnectionPolicy.constant.maxRetries }}
+          keyspace:
+            name: {{ .clients.storage.cqlDB.keyspace.name }}
+            create: {{ .clients.storage.cqlDB.keyspace.create }}
+            replication:
+              {{- toYaml .clients.storage.cqlDB.keyspace.replication | nindent 14 }}
+          tls:
+            {{- $cqlDbTls := .clients.storage.cqlDB.tls }}
+            {{- include "plgd-hub.certificateConfig" (list $ $cqlDbTls $cert ) | indent 10 }}
+            useSystemCAPool: {{ .clients.storage.cqlDB.tls.useSystemCAPool }}
+      {{- include "plgd-hub.openTelemetryExporterConfig" (list $ $cert ) | nindent 6 }}
+  {{- end }}
+{{- end }}