Feedback microservice (#325)

* migrated the feedback service into an own subservice
* added an additional deployment
* added a CD for this service
* adapted our docs

.github/workflows/feedback.yml

@@ -0,0 +1,50 @@
+name: feedback CD
+
+on:
+  push:
+  workflow_dispatch:
+
+jobs:
+  # JOB to run change detection
+  changes:
+    runs-on: ubuntu-latest
+    # Set job outputs to values from filter step
+    outputs:
+      feedback: ${{ steps.filter.outputs.feedback }}
+    steps:
+      - uses: actions/checkout@v3
+      - uses: dorny/paths-filter@v2
+        id: filter
+        with:
+          filters: |
+            feedback:
+              - '.github/**'
+              - 'feedback/**'
+  feedback-build:
+    needs:
+      - changes
+    if: ${{ needs.changes.outputs.feedback == 'true' }}
+    uses: ./.github/workflows/docker-build.yml
+    with:
+      image_suffix: feedback
+      context: ./feedback
+      dockerfile: Dockerfile
+    permissions:
+      contents: read
+      packages: write
+  feedback-deployment:
+    if: github.ref == 'refs/heads/main'
+    runs-on: ubuntu-latest
+    needs:
+      - feedback-build
+    steps:
+      - run: curl -sSL -o /usr/local/bin/argocd https://github.com/argoproj/argo-cd/releases/latest/download/argocd-linux-amd64 && chmod +x /usr/local/bin/argocd
+      - run: argocd app actions run navigatum-prod restart --kind Deployment --resource-name feedback --auth-token ${{ secrets.ARGOCD_TOKEN }} --server ${{ secrets.ARGOCD_SERVER }}
+  feedback-staging-deployment:
+    if: github.ref != 'refs/heads/main'
+    runs-on: ubuntu-latest
+    needs:
+      - feedback-build
+    steps:
+      - run: curl -sSL -o /usr/local/bin/argocd https://github.com/argoproj/argo-cd/releases/latest/download/argocd-linux-amd64 && chmod +x /usr/local/bin/argocd
+      - run: argocd app actions run pr-${{github.event.number}} restart --kind Deployment --resource-name feedback --auth-token ${{ secrets.ARGOCD_TOKEN }} --server ${{ secrets.ARGOCD_SERVER }}

README.md

@@ -45,6 +45,7 @@ For an overview of how the components work, have a look at the
 
 - `data/` contains the code to obtain and process the data
 - `server/` contains the API server written in Rust, including MeiliSearch as a search backend
+- `feedback/` contains the feedback-API server written in Rust
 - `webclient/` contains a JS based web-frontend for the API
 - `deployment/` contains deployment related configuration
 - `map/` contains information about our own map, how to style it and how to run it

deployment/README.md

@@ -5,8 +5,10 @@ This Project details how to deploy the NavigaTUM-API, the webclient and the CDN
 The documentation for the specific sub-services can be found in the respective directories:
 
 - [Data](../data/README.md)
-- [API/Server](../server/README.md)
+- [API Server](../server/README.md)
 - [Website](../webclient/README.md)
+- [Maps](../map/README.md)
+- [Feedback](../feedback/README.md)
 
 ## General description
 

deployment/k3s/templates/deployments/feedback-deployment.yaml

@@ -0,0 +1,78 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: server
+  labels:
+    app: navigatum
+    deployment: feedback
+  namespace: {{ .Values.namespace }}
+spec:
+  replicas: 1
+  revisionHistoryLimit: 1
+  selector:
+    matchLabels:
+      app: navigatum
+      deployment: feedback
+  strategy:
+    rollingUpdate:
+      maxSurge: 100%
+      maxUnavailable: 0%
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        app: navigatum
+        deployment: api
+    spec:
+      containers:
+        - name: feedback
+          image: "ghcr.io/tum-dev/navigatum-feedback:{{ .Values.branch }}"
+          imagePullPolicy: Always
+          {{ if or (.Values.server.GITHUB_TOKEN) (.Values.server.JWT_KEY) }}
+          envFrom:
+            - secretRef:
+                name: feedback-api-keys # GITHUB_TOKEN, JWT_KEY
+          {{ end }}
+          ports:
+            - containerPort: 6001
+              name: feedback
+          securityContext:
+            readOnlyRootFilesystem: true
+          resources:
+            requests:
+              cpu: 1m
+              memory: 1Mi
+            limits:
+              cpu: 100m
+              memory: 100Mi
+          livenessProbe:
+            httpGet:
+              path: /api/feedback/health
+              port: api
+            failureThreshold: 2
+            periodSeconds: 1
+          startupProbe:
+            httpGet:
+              path: /api/feedback/health
+              port: api
+            failureThreshold: 6
+            periodSeconds: 1
+{{ if or (.Values.server.GITHUB_TOKEN) (.Values.server.JWT_KEY) }}
+---
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: feedback-api-keys
+  namespace: {{ .Values.namespace }}
+  labels:
+    app: navigatum
+    deployment: feedback
+data:
+  {{ if .Values.server.GITHUB_TOKEN }}
+    GITHUB_TOKEN: {{ .Values.server.GITHUB_TOKEN }}
+  {{ end }}
+  {{ if .Values.server.JWT_KEY }}
+    JWT_KEY: {{ .Values.server.JWT_KEY }}
+  {{ end }}
+{{ end }}

deployment/k3s/templates/deployments/server-deployment.yaml

@@ -31,10 +31,10 @@ spec:
         - name: server
           image: "ghcr.io/tum-dev/navigatum-server:{{ .Values.branch }}"
           imagePullPolicy: Always
-          {{ if or (.Values.server.GITHUB_TOKEN) (.Values.server.MEILI_MASTER_KEY) (.Values.server.JWT_KEY) }}
+          {{ if .Values.server.MEILI_MASTER_KEY }}
           envFrom:
             - secretRef:
-                name: api-keys # GITHUB_TOKEN, MEILI_MASTER_KEY, JWT_KEY
+                name: server-api-keys # MEILI_MASTER_KEY
           {{ end }}
           ports:
             - containerPort: 8080
@@ -68,7 +68,7 @@ spec:
           {{ if .Values.server.MEILI_MASTER_KEY }}
           envFrom:
             - secretRef:
-                name: api-keys # MEILI_MASTER_KEY
+                name: server-api-keys # MEILI_MASTER_KEY
           env:
             - name: MEILI_ENV
               value: production
@@ -94,25 +94,19 @@ spec:
               port: mieli-search
             failureThreshold: 60
             periodSeconds: 1
-{{ if or (.Values.server.GITHUB_TOKEN) (.Values.server.MEILI_MASTER_KEY) (.Values.server.JWT_KEY) }}
+{{ if .Values.server.MEILI_MASTER_KEY }}
 ---
 apiVersion: v1
 kind: Secret
 type: Opaque
 metadata:
-  name: api-keys
+  name: server-api-keys
   namespace: {{ .Values.namespace }}
   labels:
     app: navigatum
     deployment: api
 data:
-  {{ if .Values.server.GITHUB_TOKEN }}
-    GITHUB_TOKEN: {{ .Values.server.GITHUB_TOKEN }}
-  {{ end }}
   {{ if .Values.server.MEILI_MASTER_KEY }}
     MEILI_MASTER_KEY: {{ .Values.server.MEILI_MASTER_KEY }}
   {{ end }}
-  {{ if .Values.server.JWT_KEY }}
-    JWT_KEY: {{ .Values.server.JWT_KEY }}
-  {{ end }}
 {{ end }}

deployment/k3s/templates/ingress/ingress.yaml

@@ -12,11 +12,17 @@ spec:
     # temporary workaround for traefik bug (interoperability with ingress)
     - kind: Rule
       match: Host(`{{ .Values.url }}`) && PathPrefix(`/.well-known/acme-challenge/`)
-      priority: 13
+      priority: 14
       services:
         - name: cm-acme-http-solver-wr5tp
           port: 8089
           kind: Service
+    - kind: Rule
+      match: Host(`{{ .Values.url }}`) && PathPrefix(`/api/feedback/`)
+      priority: 13
+      services:
+        - name: feedback-svc
+          port: 6001
     - kind: Rule
       match: Host(`{{ .Values.url }}`) && PathPrefix(`/api/`)
       priority: 12

deployment/k3s/templates/service.yaml

@@ -21,6 +21,24 @@ spec:
 ---
 apiVersion: v1
 kind: Service
+metadata:
+  name: feedback-svc
+  labels:
+    app: navigatum
+    deployment: feedback
+  namespace: {{ .Values.namespace }}
+spec:
+  type: ClusterIP
+  selector:
+    app: navigatum
+    deployment: feedback
+  ports:
+    - name: feedback
+      port: 6001
+      targetPort: 6001
+---
+apiVersion: v1
+kind: Service
 metadata:
   name: maps-svc
   labels:

feedback/.dockerignore

@@ -0,0 +1,2 @@
+target
+Cargo.lock

feedback/.gitignore

@@ -0,0 +1,2 @@
+/target
+Cargo.lock

feedback/Cargo.toml

@@ -0,0 +1,32 @@
+[package]
+name = "navigatum-feedback"
+version = "1.0.0"
+authors = ["Markus A <[email protected]>", "Frank Elsinga <[email protected]>"]
+edition = "2021"
+description = "Navigating around TUM with excellence – A feedback system to submit feedback via github issues"
+repository = "https://github.com/TUM-Dev/navigatum"
+readme = "README.md"
+license = "GPL-3.0"
+keywords = ["website", "feedback", "api-rest", "tum"]
+
+[[bin]]
+name = "navigatum-feedback"
+path = "src/main.rs"
+
+[profile.release]
+strip = true
+
+[dependencies]
+regex = "1.7.0"
+log = "0.4.17"
+octocrab = "0.17.0"
+actix-web = "4.2.1"
+serde = { version = "1.0.148", features = ["derive"] }
+serde_json = "1.0.89"
+actix-cors = "0.6.4"
+tokio = { version = "1.22.0", features = ["full"] }
+rand = "0.8.5"
+structopt = "0.3.26"
+env_logger = "0.10.0"
+jsonwebtoken = "8.1.1"
+chrono = "0.4.23"

feedback/Dockerfile

@@ -0,0 +1,27 @@
+# Compile
+FROM    rust:1.65-alpine AS compiler
+
+RUN     apk add -q --update-cache --no-cache build-base openssl-dev
+
+WORKDIR /nav
+COPY    ./Cargo.* ./
+COPY    ./src ./src
+RUN     RUSTFLAGS="-C target-feature=-crt-static" cargo build --release
+
+# RUN
+FROM alpine:3.17
+
+RUN     apk update --quiet \
+        && apk add -q --no-cache openssl1.1-compat libgcc tini
+
+# add `navigatum-feedback` to the `/bin` so we can run it from anywhere and it's easy to find.
+COPY    --from=compiler /nav/target/release/navigatum-feedback /bin/navigatum-feedback
+
+ARG     GIT_COMMIT_SHA
+ENV     GIT_COMMIT_SHA=${GIT_COMMIT_SHA}
+
+EXPOSE  6001
+
+ENTRYPOINT ["tini", "--"]
+HEALTHCHECK --start-period=20m  --timeout=10s CMD curl --fail localhost:6001/api/feedback/health || exit 1
+CMD     /bin/navigatum-feedback

feedback/README.md

@@ -0,0 +1,66 @@
+# Server
+
+This folder contains the feedback-API server for NavigaTUM.
+
+This is separated from the server because:
+
+- it has virtually no shared dependencies (natural faultline)
+- this way, we can deploy the feedback-API independently of the main server (both in time, scaling and reliability)
+- security: this way, we can increase our isolation
+
+## Getting started
+
+### Prerequisites
+
+For getting started, there are some system dependencys which you will need.
+Please follow the [system dependencys docs](resources/documentation/Dependencys.md) before trying to run this part of our project.
+
+### Starting the server
+
+Run `cargo run` to start the server.
+The server should now be available on `localhost:6001`.
+
+Note that `cargo run --release` is used to start the server for an optimised production build (use this if you want to profile performance, it makes quite a difference).
+
+### API-Changes
+
+#### Editing
+
+If you have made changes to the API, you need to update the API documentation.
+
+There are two editors for the API documentation (both are imperfect):
+
+- [Swagger Editor](https://editor.swagger.io/?url=https://raw.githubusercontent.com/TUM-Dev/navigatum/main/openapi.yaml)
+- [stoplight](stoplight.io)
+
+#### Testing
+
+Of course documentation is one part of the process. If the changes are substantial, you should also run an API-Fuzz-Test:
+To make sure that this specification is up-to-date and without holes, we run [schemathesis](https://github.com/schemathesis/schemathesis) using the following command on API Server:
+
+```bash
+python -m venv venv
+source venv/bin/activate
+pip install schemathesis
+st run --workers=auto --base-url=http://localhost:6001 --checks=all ../openapi.yaml
+```
+
+Some fuzzing-goals may not be available for you locally, as they require prefix-routing (f.ex.`/cdn` to the CDN) and some fuzzing-goals are automatically tested in our CI.  
+You can exchange `--base-url=http://localhost:6001` to `--base-url=https://nav.tum.sexy` for the full public API, or restrict your scope using a option like `--endpoint=/api/feedback/`.
+
+## License
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+---

server/src/feedback/mod.rs → feedback/src/core/mod.rs

@@ -1,6 +1,6 @@
 mod github;
 mod tokens;
-use crate::feedback::tokens::{Claims, RateLimit};
+use crate::core::tokens::{Claims, RateLimit};
 use actix_web::web::{Data, Json};
 use actix_web::{post, web, HttpResponse};
 use jsonwebtoken::{encode, EncodingKey, Header};

server/src/feedback/tokens.rs → feedback/src/core/tokens.rs

@@ -7,7 +7,7 @@ use log::error;
 use serde::{Deserialize, Serialize};
 use std::sync::atomic::{AtomicU64, AtomicUsize, Ordering};
 
-use crate::feedback::{AppStateFeedback, TokenRecord};
+use crate::core::{AppStateFeedback, TokenRecord};
 
 // Additionally, there is a short delay until a token can be used.
 // Clients need to wait that time if (for some reason) the user submitted