Introduce snippet-service

plgd-dev · May 24, 2024 · 583e7b2 · 583e7b2
1 parent 3d487bf
commit 583e7b2
Show file tree

Hide file tree

Showing 42 changed files with 9,032 additions and 1 deletion.
diff --git a/.github/workflows/build-publish.yaml b/.github/workflows/build-publish.yaml
@@ -109,6 +109,10 @@ jobs:
           - name: cert-tool
             directory: tools/cert-tool
             file: tools/cert-tool/Dockerfile
+          - name: snippet-service
+            directory: snippet-service
+            file: .tmp/docker/snippet-service/Dockerfile
+            template-file: tools/docker/Dockerfile.in
     uses: ./.github/workflows/build-publish-cfg.yaml
     with:
       name: ${{ matrix.name }}

diff --git a/Makefile b/Makefile
@@ -42,7 +42,7 @@ CERT_TOOL_SIGN_ALG ?= ECDSA-SHA256
 CERT_TOOL_ELLIPTIC_CURVE ?= P256
 CERT_TOOL_IMAGE = ghcr.io/plgd-dev/hub/cert-tool:vnext
 
-SUBDIRS := bundle certificate-authority cloud2cloud-connector cloud2cloud-gateway coap-gateway grpc-gateway resource-aggregate resource-directory http-gateway identity-store test/oauth-server tools/cert-tool
+SUBDIRS := bundle certificate-authority cloud2cloud-connector cloud2cloud-gateway coap-gateway grpc-gateway resource-aggregate resource-directory http-gateway identity-store snippet-service test/oauth-server tools/cert-tool
 .PHONY: $(SUBDIRS) push proto/generate clean build test env mongo nats certificates hub-build http-gateway-www simulators
 
 default: build

diff --git a/bundle/Dockerfile b/bundle/Dockerfile
@@ -105,6 +105,13 @@ RUN go build \
     -o "/go/bin/$tool" \
     ./
 
+#snippet-service
+ARG service=snippet-service
+WORKDIR $root_directory/$service
+RUN go build -ldflags "-linkmode external -extldflags -static -X github.com/plgd-dev/hub/v2/pkg/build.CommitDate=$COMMIT_DATE -X github.com/plgd-dev/hub/v2/pkg/build.CommitHash=$SHORT_COMMIT -X github.com/plgd-dev/hub/v2/pkg/build.BuildDate=$DATE -X github.com/plgd-dev/hub/v2/pkg/build.Version=$VERSION -X github.com/plgd-dev/hub/v2/pkg/build.ReleaseURL=$RELEASE_URL" \
+    -o "/go/bin/$service" \
+    ./cmd/service
+
 #nats
 WORKDIR $root_directory
 RUN apkArch="$(apk --print-arch)"; \
@@ -168,6 +175,8 @@ COPY --from=build /go/bin/cloud2cloud-connector /usr/local/bin/cloud2cloud-conne
 COPY --from=build /go/src/github.com/plgd-dev/hub/cloud2cloud-connector/config.yaml /configs/cloud2cloud-connector.yaml
 COPY --from=build /go/src/github.com/plgd-dev/hub/bundle/run.sh /usr/local/bin/run.sh
 COPY --from=build /go/src/github.com/plgd-dev/hub/bundle/nginx /nginx
+COPY --from=build /go/bin/snippet-service /usr/local/bin/snippet-service
+COPY --from=build /go/src/github.com/plgd-dev/hub/snippet-service/config.yaml /configs/snippet-service.yaml
 
 # install scylla
 RUN curl -sSf get.scylladb.com/server | sudo bash -s -- --scylla-version 5.2
@@ -222,6 +231,8 @@ ENV NATS_PORT=10001
 ENV SCYLLA_SMP=1
 ENV SCYLLA_DEVELOPER_MODE=true
 ENV SCYLLA_PORT=29142
+ENV SNIPPET_SERVICE_PORT=9091
+ENV HTTP_SNIPPET_SERVICE_PORT=9092
 
 # OAuth
 ENV DEVICE_PROVIDER=plgd

diff --git a/bundle/nginx/nginx.conf.template b/bundle/nginx/nginx.conf.template
@@ -107,6 +107,20 @@ http {
       proxy_set_header Connection $connection_upgrade;
       proxy_set_header Host $host;
     }
+    location ~ ^(/api/v1/snippets) {
+      set $upstream_snippet_service https://127.0.0.1:REPLACE_HTTP_SNIPPET_SERVICE_PORT;
+      proxy_pass                     $upstream_snippet_service;
+      proxy_ssl_certificate           /data/certs/internal/endpoint.crt;
+      proxy_ssl_certificate_key       /data/certs/internal/endpoint.key;
+      proxy_ssl_trusted_certificate   /data/certs/root_ca.crt;
+      proxy_ssl_verify                on;
+      set $cors_headers 'Authority,Method,Path,Scheme,Accept,Accept-Encoding,Accept-Language,Content-Type,Origin,Refer,Sec-Fetch-Dest,Sec-Fetch-Mode,Sec-Fetch-Site,Authorization,DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,correlation-id';
+      include /nginx/cors.conf;
+      proxy_http_version 1.1;
+      proxy_set_header Upgrade $http_upgrade;
+      proxy_set_header Connection $connection_upgrade;
+      proxy_set_header Host $host;
+    }
     location ~ ^/ {
       set $upstream_http_gateway https://127.0.0.1:REPLACE_HTTP_GATEWAY_PORT;
       proxy_pass                     $upstream_http_gateway;

diff --git a/bundle/run.sh b/bundle/run.sh
@@ -15,6 +15,7 @@ export NGINX_PATH="/data/nginx"
 export JETSTREAM_PATH="/data/jetstream"
 
 export CERTIFICATE_AUTHORITY_ADDRESS="localhost:${CERTIFICATE_AUTHORITY_PORT}"
+export CERTIFICATE_AUTHORITY_HTTP_ADDRESS="localhost:${HTTP_CERTIFICATE_AUTHORITY_PORT}"
 export MOCK_OAUTH_SERVER_ADDRESS="localhost:${MOCK_OAUTH_SERVER_PORT}"
 export RESOURCE_AGGREGATE_ADDRESS="localhost:${RESOURCE_AGGREGATE_PORT}"
 export RESOURCE_DIRECTORY_ADDRESS="localhost:${RESOURCE_DIRECTORY_PORT}"
@@ -23,6 +24,8 @@ export GRPC_GATEWAY_ADDRESS="localhost:${GRPC_GATEWAY_PORT}"
 export HTTP_GATEWAY_ADDRESS="localhost:${HTTP_GATEWAY_PORT}"
 export CLOUD2CLOUD_GATEWAY_ADDRESS="localhost:${CLOUD2CLOUD_GATEWAY_PORT}"
 export CLOUD2CLOUD_CONNECTOR_ADDRESS="localhost:${CLOUD2CLOUD_CONNECTOR_PORT}"
+export SNIPPET_SERVICE_ADDRESS="localhost:${SNIPPET_SERVICE_PORT}"
+export SNIPPET_SERVICE_HTTP_ADDRESS="localhost:${HTTP_SNIPPET_SERVICE_PORT}"
 
 export INTERNAL_CERT_DIR_PATH="$CERTIFICATES_PATH/internal"
 export GRPC_INTERNAL_CERT_NAME="endpoint.crt"
@@ -451,6 +454,7 @@ if [ "${OVERRIDE_FILES}" = "true" ] || [ ! -f "${NGINX_PATH}/nginx.conf" ]; then
   sed -i "s/REPLACE_CLOUD2CLOUD_GATEWAY_PORT/$CLOUD2CLOUD_GATEWAY_PORT/g" ${NGINX_PATH}/nginx.conf
   sed -i "s/REPLACE_CLOUD2CLOUD_CONNECTOR_PORT/$CLOUD2CLOUD_CONNECTOR_PORT/g" ${NGINX_PATH}/nginx.conf
   sed -i "s/REPLACE_HTTP_CERTIFICATE_AUTHORITY_PORT/$HTTP_CERTIFICATE_AUTHORITY_PORT/g" ${NGINX_PATH}/nginx.conf
+  sed -i "s/REPLACE_HTTP_SNIPPET_SERVICE_PORT/$HTTP_SNIPPET_SERVICE_PORT/g" ${NGINX_PATH}/nginx.conf
 fi
 
 # nats
@@ -917,6 +921,7 @@ cat /configs/certificate-authority.yaml | yq e "\
   .apis.grpc.authorization.http.tls.useSystemCAPool = true |
   .apis.grpc.authorization.authority = \"https://${OAUTH_ENDPOINT}\" |
   .apis.grpc.authorization.ownerClaim = \"${OWNER_CLAIM}\" |
+  .apis.http.address = \"${CERTIFICATE_AUTHORITY_HTTP_ADDRESS}\" |
   .clients.storage.use = \"${DATABASE_USE}\" |
   .clients.storage.mongoDB.uri = \"${MONGODB_URI}\" |
   .clients.storage.cqlDB.hosts = [ \"${SCYLLA_HOSTNAME}\" ] |
@@ -1144,7 +1149,51 @@ while true; do
   sleep 1
 done
 
+# snippet-service
+echo "starting snippet-service"
+## configuration
+if [ "${OVERRIDE_FILES}" = "true" ] || [ ! -f "/data/snippet-service.yaml" ]; then
+cat /configs/snippet-service.yaml | yq e "\
+  .hubID = \"${HUB_ID}\" |
+  .log.level = \"${LOG_LEVEL}\" |
+  .apis.grpc.address = \"${SNIPPET_SERVICE_ADDRESS}\" |
+  .apis.grpc.authorization.audience = \"${SERVICE_OAUTH_AUDIENCE}\" |
+  .apis.grpc.authorization.http.tls.useSystemCAPool = true |
+  .apis.grpc.authorization.authority = \"https://${OAUTH_ENDPOINT}\" |
+  .apis.grpc.authorization.ownerClaim = \"${OWNER_CLAIM}\" |
+  .apis.http.address = \"${SNIPPET_SERVICE_HTTP_ADDRESS}\" |
+  .clients.storage.use = \"${DATABASE_USE}\" |
+  .clients.storage.mongoDB.uri = \"${MONGODB_URI}\" |
+  .clients.storage.cqlDB.hosts = [ \"${SCYLLA_HOSTNAME}\" ] |
+  .clients.storage.cqlDB.port = ${SCYLLA_PORT} |
+  .clients.openTelemetryCollector.grpc.enabled = ${OPEN_TELEMETRY_EXPORTER_ENABLED} |
+  .clients.openTelemetryCollector.grpc.address = \"${OPEN_TELEMETRY_EXPORTER_ADDRESS}\" |
+  .clients.openTelemetryCollector.grpc.tls.caPool = \"${OPEN_TELEMETRY_EXPORTER_CA_POOL}\" |
+  .clients.openTelemetryCollector.grpc.tls.keyFile = \"${OPEN_TELEMETRY_EXPORTER_KEY_FILE}\" |
+  .clients.openTelemetryCollector.grpc.tls.certFile = \"${OPEN_TELEMETRY_EXPORTER_CERT_FILE}\" |
+  .clients.openTelemetryCollector.grpc.tls.useSystemCAPool = true
+" - > /data/snippet-service.yaml
+fi
+snippet-service --config /data/snippet-service.yaml >$LOGS_PATH/snippet-service.log 2>&1 &
+status=$?
+snippet_service_pid=$!
+if [ $status -ne 0 ]; then
+  echo "Failed to start snippet-service: $status"
+  sync
+  cat $LOGS_PATH/snippet-service.log
+  exit $status
+fi
 
+# waiting for ca. Without wait, sometimes the service didn't connect.
+i=0
+while true; do
+  i=$((i+1))
+  if openssl s_client -connect ${SNIPPET_SERVICE_ADDRESS} -cert ${INTERNAL_CERT_DIR_PATH}/${GRPC_INTERNAL_CERT_NAME} -key ${INTERNAL_CERT_DIR_PATH}/${GRPC_INTERNAL_CERT_KEY_NAME} <<< "Q" 2>/dev/null > /dev/null; then
+    break
+  fi
+  echo "Try to reconnect to snippet-service(${SNIPPET_SERVICE_ADDRESS}) $i"
+  sleep 1
+done
 
 echo "Open browser at https://${DOMAIN}"
 
@@ -1263,4 +1312,11 @@ while sleep 10; do
       exit 1
     fi
   fi
+  ps aux |grep $snippet_service_pid |grep -q -v grep
+  if [ $? -ne 0 ]; then
+    echo "snippet-service has already exited."
+    sync
+    cat $LOGS_PATH/snippet-service.log
+   exit 1
+  fi
 done
diff --git a/snippet-service/Makefile b/snippet-service/Makefile
@@ -0,0 +1,64 @@
+SHELL = /bin/bash
+SERVICE_NAME = $(notdir $(CURDIR))
+LATEST_TAG ?= vnext
+BRANCH_TAG ?= $(shell git rev-parse --abbrev-ref HEAD | sed 's/[^a-zA-Z0-9]/-/g')
+ifneq ($(BRANCH_TAG),main)
+	LATEST_TAG = $(BRANCH_TAG)
+endif
+VERSION_TAG ?= $(LATEST_TAG)-$(shell git rev-parse --short=7 --verify HEAD)
+GOPATH ?= $(shell go env GOPATH)
+WORKING_DIRECTORY := $(shell pwd)
+REPOSITORY_DIRECTORY := $(shell cd .. && pwd)
+BUILD_COMMIT_DATE ?= $(shell date -u +%FT%TZ --date=@`git show --format='%ct' HEAD --quiet`)
+BUILD_SHORT_COMMIT ?= $(shell git show --format=%h HEAD --quiet)
+BUILD_DATE ?= $(shell date -u +%FT%TZ)
+BUILD_VERSION ?= $(shell git tag --sort version:refname | tail -1 | sed -e "s/^v//")
+
+default: build
+
+define build-docker-image
+	cd .. && \
+		mkdir -p .tmp/docker/$(SERVICE_NAME) && \
+		awk '{gsub("@NAME@","$(SERVICE_NAME)")} {gsub("@DIRECTORY@","$(SERVICE_NAME)")} {print}' tools/docker/Dockerfile.in > .tmp/docker/$(SERVICE_NAME)/Dockerfile && \
+		docker build \
+		--network=host \
+		--tag ghcr.io/plgd-dev/hub/$(SERVICE_NAME):$(VERSION_TAG) \
+		--tag ghcr.io/plgd-dev/hub/$(SERVICE_NAME):$(LATEST_TAG) \
+		--tag ghcr.io/plgd-dev/hub/$(SERVICE_NAME):$(BRANCH_TAG) \
+		--build-arg COMMIT_DATE="$(BUILD_COMMIT_DATE)" \
+		--build-arg SHORT_COMMIT="$(BUILD_SHORT_COMMIT)" \
+		--build-arg DATE="$(BUILD_DATE)" \
+		--build-arg VERSION="$(BUILD_VERSION)" \
+		--target $(1) \
+		-f .tmp/docker/$(SERVICE_NAME)/Dockerfile \
+		.
+endef
+
+build-servicecontainer:
+	$(call build-docker-image,service)
+
+build: build-servicecontainer
+
+push: build-servicecontainer
+	docker push plgd/$(SERVICE_NAME):$(VERSION_TAG)
+	docker push plgd/$(SERVICE_NAME):$(LATEST_TAG)
+
+GOOGLEAPIS_PATH := $(REPOSITORY_DIRECTORY)/dependency/googleapis
+GRPCGATEWAY_MODULE_PATH := $(shell go list -m -f '{{.Dir}}' github.com/grpc-ecosystem/grpc-gateway/v2 | head -1)
+
+proto/generate:
+	protoc -I=. -I=$(REPOSITORY_DIRECTORY) -I=$(GOPATH)/src -I=$(GOOGLEAPIS_PATH) -I=$(GRPCGATEWAY_MODULE_PATH) --go_out=$(GOPATH)/src $(WORKING_DIRECTORY)/pb/service.proto
+	protoc-go-inject-tag -remove_tag_comment -input=$(WORKING_DIRECTORY)/pb/service.pb.go
+	protoc -I=. -I=$(REPOSITORY_DIRECTORY) -I=$(GOPATH)/src -I=$(GOOGLEAPIS_PATH) -I=$(GRPCGATEWAY_MODULE_PATH) --openapiv2_out=$(REPOSITORY_DIRECTORY) \
+		--openapiv2_opt logtostderr=true \
+		$(WORKING_DIRECTORY)/pb/service.proto
+	protoc -I=. -I=$(REPOSITORY_DIRECTORY) -I=$(GOPATH)/src -I=$(GOOGLEAPIS_PATH) -I=$(GRPCGATEWAY_MODULE_PATH) --grpc-gateway_out=$(REPOSITORY_DIRECTORY) \
+		--grpc-gateway_opt logtostderr=true \
+		--grpc-gateway_opt paths=source_relative \
+		$(WORKING_DIRECTORY)/pb/service.proto
+	protoc -I=. -I=$(REPOSITORY_DIRECTORY) -I=$(GOPATH)/src -I=$(GOOGLEAPIS_PATH) -I=$(GRPCGATEWAY_MODULE_PATH) --go-grpc_out=$(GOPATH)/src \
+		$(WORKING_DIRECTORY)/pb/service.proto
+	protoc  -I=. -I=$(REPOSITORY_DIRECTORY) -I=$(GOPATH)/src -I=$(GOOGLEAPIS_PATH) -I=$(GRPCGATEWAY_MODULE_PATH) --doc_out=$(WORKING_DIRECTORY)/pb --doc_opt=markdown,README.md $(WORKING_DIRECTORY)/pb/*.proto
+	protoc  -I=. -I=$(REPOSITORY_DIRECTORY) -I=$(GOPATH)/src -I=$(GOOGLEAPIS_PATH) -I=$(GRPCGATEWAY_MODULE_PATH) --doc_out=$(WORKING_DIRECTORY)/pb --doc_opt=html,doc.html $(WORKING_DIRECTORY)/pb/*.proto
+
+.PHONY: build-servicecontainer build push proto/generate
diff --git a/snippet-service/cmd/service/main.go b/snippet-service/cmd/service/main.go
@@ -0,0 +1,48 @@
+package main
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/plgd-dev/hub/v2/pkg/build"
+	"github.com/plgd-dev/hub/v2/pkg/config"
+	"github.com/plgd-dev/hub/v2/pkg/fsnotify"
+	"github.com/plgd-dev/hub/v2/pkg/log"
+	"github.com/plgd-dev/hub/v2/snippet-service/service"
+)
+
+func run(cfg service.Config, logger log.Logger) error {
+	fileWatcher, err := fsnotify.NewWatcher(logger)
+	if err != nil {
+		return fmt.Errorf("cannot create file fileWatcher: %w", err)
+	}
+	defer func() {
+		_ = fileWatcher.Close()
+	}()
+
+	s, err := service.New(context.Background(), cfg, fileWatcher, logger)
+	if err != nil {
+		return fmt.Errorf("cannot create service: %w", err)
+	}
+	err = s.Serve()
+	if err != nil {
+		return fmt.Errorf("cannot serve service: %w", err)
+	}
+
+	return nil
+}
+
+func main() {
+	var cfg service.Config
+	if err := config.LoadAndValidateConfig(&cfg); err != nil {
+		log.Fatalf("cannot load config: %v", err)
+	}
+	logger := log.NewLogger(cfg.Log)
+	log.Set(logger)
+	logger.Debugf("version: %v, buildDate: %v, buildRevision %v", build.Version, build.BuildDate, build.CommitHash)
+	log.Infof("config: %v", cfg.String())
+
+	if err := run(cfg, logger); err != nil {
+		log.Fatalf("cannot run service: %v", err)
+	}
+}
diff --git a/snippet-service/config.yaml b/snippet-service/config.yaml
@@ -0,0 +1,106 @@
+hubID: ""
+log:
+  level: info
+  encoding: json
+  stacktrace:
+    enabled: false
+    level: warn
+  encoderConfig:
+    timeEncoder: rfc3339nano
+apis:
+  grpc:
+    address: "0.0.0.0:9100"
+    sendMsgSize: 4194304
+    recvMsgSize: 4194304
+    enforcementPolicy:
+      minTime: 5s
+      permitWithoutStream: true
+    keepAlive:
+      # 0s - means infinity
+      maxConnectionIdle: 0s
+      # 0s - means infinity
+      maxConnectionAge: 0s
+      # 0s - means infinity
+      maxConnectionAgeGrace: 0s
+      time: 2h
+      timeout: 20s
+    tls:
+      caPool: "/secrets/public/rootca.crt"
+      keyFile: "/secrets/private/cert.key"
+      certFile: "/secrets/private/cert.crt"
+      clientCertificateRequired: true
+    authorization:
+      ownerClaim: "sub"
+      authority: ""
+      audience: ""
+      http:
+        maxIdleConns: 16
+        maxConnsPerHost: 32
+        maxIdleConnsPerHost: 16
+        idleConnTimeout: "30s"
+        timeout: "10s"
+        tls:
+          caPool: "/secrets/public/rootca.crt"
+          keyFile: "/secrets/private/cert.key"
+          certFile: "/secrets/public/cert.crt"
+          useSystemCAPool: false
+  http:
+    address: "0.0.0.0:9101"
+    readTimeout: 8s
+    readHeaderTimeout: 4s
+    writeTimeout: 16s
+    idleTimeout: 30s
+clients:
+  storage:
+    use: mongoDB
+    mongoDB:
+      uri:
+      database: snippetService
+      maxPoolSize: 16
+      maxConnIdleTime: 4m0s
+      tls:
+        caPool: "/secrets/public/rootca.crt"
+        keyFile: "/secrets/private/cert.key"
+        certFile: "/secrets/public/cert.crt"
+        useSystemCAPool: false
+      bulkWrite:
+        timeout: 1m0s
+        throttleTime: 500ms
+        documentLimit: 1000
+    cqlDB:
+      table: "snippets"
+      hosts: []
+      port: 9142
+      numConnections: 16
+      connectTimeout: 10s
+      useHostnameResolution: true
+      reconnectionPolicy:
+        constant:
+          interval: 3s
+          maxRetries: 3
+      keyspace:
+        name: plgdhub
+        create: true
+        replication:
+          class: SimpleStrategy
+          replication_factor: 1
+      tls:
+        caPool: "/secrets/public/rootca.crt"
+        keyFile: "/secrets/private/cert.key"
+        certFile: "/secrets/public/cert.crt"
+        useSystemCAPool: false
+  openTelemetryCollector:
+    grpc:
+      enabled: false
+      address: ""
+      sendMsgSize: 4194304
+      recvMsgSize: 4194304
+      keepAlive:
+        time: 10s
+        timeout: 20s
+        permitWithoutStream: true
+      tls:
+        caPool: "/secrets/public/rootca.crt"
+        keyFile: "/secrets/private/cert.key"
+        certFile: "/secrets/public/cert.crt"
+        useSystemCAPool: false