Housekeeping

.devcontainer/.env

@@ -6,7 +6,8 @@ COCKROACH_URL="postgresql://root@crdb:26257/location_api_dev?sslmode=disable"
 # location-api config
 ATLAS_DB_URI="postgresql://root@crdb:26257/atlas_migrations?sslmode=disable"
 LOCATIONAPI_CRDB_URI="postgresql://root@crdb:26257/location_api_dev?sslmode=disable"
-LOCATIONAPI_EVENTS_PUBLISHER_NATS_CREDSFILE="/workspaces/location-api/.devcontainer/nsc/nkeys/creds/LOCAL/LOC/USER.creds"
+LOCATIONAPI_EVENTS_NATS_CREDSFILE="/workspaces/location-api/.devcontainer/nsc/nkeys/creds/LOCAL/LOC/USER.creds"
+LOCATIONAPI_EVENTS_NATS_PUBLISHPREFIX=com.infratographer
 # LOCATIONAPI_TRACING_ENABLED="true"
 # LOCATIONAPI_TRACING_PROVIDER="passthrough"
 

.devcontainer/Dockerfile

@@ -1,7 +1,9 @@
+ARG GO_VERSION=1.21
+
 # Used to install CRDB into the devcontainer
 FROM cockroachdb/cockroach:latest-v22.2 as CRDB
 
-FROM mcr.microsoft.com/vscode/devcontainers/go:1-1.20-bullseye
+FROM mcr.microsoft.com/vscode/devcontainers/go:1-${GO_VERSION}-bullseye
 
 # Set up crdb
 RUN mkdir /usr/local/lib/cockroach

.devcontainer/docker-compose.yml

@@ -9,7 +9,7 @@ services:
       context: .
       dockerfile: Dockerfile
       args:
-        VARIANT: 1.20-bullseye
+        VARIANT: 1.21-bullseye
         NODE_VERSION: "none"
     # Overrides default command so things don't shut down after the process ends.
     command: sleep infinity

.devcontainer/scripts/nats_account.sh

@@ -1,10 +1,10 @@
 #!/bin/bash
 
-
-sudo chown -Rh vscode:vscode $WORKSPACE_ROOT/.devcontainer/nsc
+set -e
+sudo chown -Rh vscode:vscode /workspaces/location-api/.devcontainer/nsc
 
 echo "Dumping NATS user creds file"
-nsc --data-dir=$WORKSPACE_ROOT/.devcontainer/nsc/nats/nsc/stores generate creds -a LOC -n USER > /tmp/user.creds
+nsc --data-dir=/workspaces/location-api/.devcontainer/nsc/nats/nsc/stores generate creds -a LOC -n USER > /tmp/user.creds
 
 echo "Dumping NATS sys creds file"
-nsc --data-dir=$WORKSPACE_ROOT/.devcontainer/nsc/nats/nsc/stores generate creds -a SYS -n sys > /tmp/sys.creds
+nsc --data-dir=/workspaces/location-api/.devcontainer/nsc/nats/nsc/stores generate creds -a SYS -n sys > /tmp/sys.creds

.devcontainer/scripts/nats_init.sh

@@ -1,6 +1,8 @@
 #!/bin/sh
 # script to bootstrap a nats operator environment
 
+set -e
+
 if nsc describe operator; then
     echo "operator exists, not overwriting config"
     exit 0

.github/workflows/test-go.yml

@@ -45,9 +45,7 @@ jobs:
       - name: Set up Go for ${{ matrix.ci-database }}
         uses: actions/setup-go@v4
         with:
-          #pinning to 1.20.5 until https://github.com/testcontainers/testcontainers-go/issues/1359 is resolved
-          #go-version-file: "go.mod"
-          go-version: "1.20.5"
+          go-version-file: "go.mod"
       - name: Install atlas for db migrations on ${{ matrix.ci-database }}
         run: go install ariga.io/atlas/cmd/atlas@latest
 

Makefile

@@ -75,7 +75,7 @@ generate: background-run .generate kill-running ## Generates code
 go-run: ## Runs the app
 	@echo --- Running binary...
 	@date --rfc-3339=seconds
-	@go run main.go serve --dev
+	@go run main.go serve --dev --oidc=false
 
 background-run:  ## Runs in the app in the background
 	@date --rfc-3339=seconds

chart/location-api/templates/api-config.yaml

@@ -20,6 +20,22 @@ data:
   LOCATIONAPI_OIDC_JWKS_REMOTE_TIMEOUT: "{{ .Values.api.oidc.jwksRemoteTimeout }}"
   LOCATIONAPI_SERVER_LISTEN: ":{{ .Values.api.listenPort }}"
   LOCATIONAPI_SERVER_SHUTDOWN_GRACE_PERIOD: "{{ .Values.api.shutdownGracePeriod }}"
+  METADATAAPI_PERMISSIONS_URL: "{{ .Values.api.permissions.url }}"
+{{- if .Values.api.tracing.enabled }}
+  METADATAAPI_TRACING_ENABLED: "{{ .Values.api.tracing.enabled }}"
+  METADATAAPI_TRACING_PROVIDER: "{{ .Values.api.tracing.provider }}"
+  METADATAAPI_TRACING_ENVIRONMENT: "{{ .Values.api.tracing.environment }}"
+{{- if eq .Values.api.tracing.provider "jaeger" }}
+  METADATAAPI_TRACING_JAEGER_ENDPOINT: "{{ .Values.api.tracing.jaeger.endpoint }}"
+  METADATAAPI_TRACING_JAEGER_USER: "{{ .Values.api.tracing.jaeger.user }}"
+  METADATA_TRACING_JAEGER_PASSWORD: "{{ .Values.api.tracing.jaeger.password }}"
+{{- end }}
+{{- if eq .Values.api.tracing.provider "otlpgrpc" }}
+  METADATAAPI_TRACING_OTLP_ENDPOINT: "{{ .Values.api.tracing.otlp.endpoint }}"
+  METADATAAPI_TRACING_OTLP_INSECURE: "{{ .Values.api.tracing.otlp.insecure }}"
+  METADATA_TRACING_OTLP_CERTIFICATE: "{{ .Values.api.tracing.otlp.certificate }}"
+{{- end }}
+{{- end }}
 {{- with .Values.api.trustedProxies }}
   LOCATIONAPI_SERVER_TRUSTED_PROXIES: "{{ join " " . }}"
 {{- end }}

chart/location-api/templates/deployment.yaml

@@ -37,6 +37,35 @@ spec:
       securityContext:
         {{- toYaml .Values.api.podSecurityContext | nindent 8 }}
       {{- end }}
+      {{- if .Values.api.migrateOnInit  }}
+      initContainers:
+        - name: {{ .Chart.Name }}-migrate
+          {{- if .Values.api.extraEnvVars }}
+          env:
+          {{- range .Values.api.extraEnvVars }}
+            - name: {{ .name }}
+              value: {{ .value }}
+          {{- end }}
+          {{- end }}
+          envFrom:
+          {{- if .Values.api.db.uriSecret }}
+            - secretRef:
+                name: {{ .Values.api.db.uriSecret }}
+          {{- end }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          args:
+            - migrate
+            - up
+          volumeMounts:
+            {{- if .Values.api.db.certSecret }}
+            - name: dbcerts
+              mountPath: "/dbcerts"
+              readOnly: true
+            {{- end }}
+          resources:
+            {{- toYaml .Values.api.resources | nindent 12 }}
+      {{- end }}
       containers:
         - name: {{ .Chart.Name }}
           env:
@@ -81,7 +110,7 @@ spec:
               path: /readyz
               port: http
           volumeMounts:
-            {{- if .Values.api.events.auth.secretName  }}
+            {{- if .Values.api.events.nats.credsSecretName  }}
             - name: events-creds
               mountPath: /event-creds
             {{- end }}
@@ -105,10 +134,10 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       volumes:
-        {{- if .Values.api.events.auth.secretName  }}
+        {{- if .Values.api.events.nats.credsSecretName  }}
         - name: events-creds
           secret:
-            secretName: "{{ .Values.api.events.auth.secretName }}"
+            secretName: "{{ .Values.api.events.nats.credsSecretName }}"
         {{- end }}
         {{- if .Values.api.db.certSecret }}
         - name: dbcerts

chart/location-api/values.yaml

@@ -1,21 +1,12 @@
 image:
   repository: ghcr.io/infratographer/location-api
   pullPolicy: IfNotPresent
-  tag: "v0.1.0"
+  tag: "main-latest"
 
 imagePullSecrets: []
 nameOverride: ""
 fullnameOverride: ""
 
-serviceAccount:
-  # Specifies whether a service account should be created
-  create: true
-  # Annotations to add to the service account
-  annotations: {}
-  # The name of the service account to use.
-  # If not set and create is true, a name is generated using the fullname template
-  name: ""
-
 podAnnotations: {}
 
 service:
@@ -64,6 +55,7 @@ api:
   db:
     uriSecret: ""
     certSecret: ""
+  migrateOnInit: true
 
   oidc:
     enabled: false
@@ -72,6 +64,29 @@ api:
     jwks:
       remoteTimeout: 1m
 
+  permissions:
+    url: ""
+
+  tracing:
+    # enabled is true if OpenTelemetry tracing should be enabled for permissions-api
+    enabled: false
+    # environment is the OpenTelemetry tracing environment to use
+    environment: ""
+    # provider is the OpenTelemetry tracing provider to use
+    provider: stdout
+    jaeger:
+      # endpoint is the Jaeger collector to send traces to
+      endpoint: ""
+      # user is the user to use when authenticating against the Jaeger deployment
+      user: ""
+      # password is the password to use when authenticating against the Jaeger deployment
+      password: ""
+    otlp:
+      # endpoint is the OpenTelemetry Protocol (OTLP) collector endpoint to send traces to
+      endpoint: ""
+      # insecure is true if TLS should not be required when sending traces
+      insecure: false
+
   shutdownGracePeriod: 5s
   trustedProxies: []
   # - "1.2.3.4"

cmd/serve.go

@@ -5,6 +5,7 @@ import (
 	"os"
 	"strconv"
 	"syscall"
+	"time"
 
 	"entgo.io/ent/dialect"
 	entsql "entgo.io/ent/dialect/sql"
@@ -24,10 +25,14 @@ import (
 
 	"go.infratographer.com/location-api/internal/config"
 	ent "go.infratographer.com/location-api/internal/ent/generated"
+	"go.infratographer.com/location-api/internal/ent/generated/eventhooks"
 	"go.infratographer.com/location-api/internal/graphapi"
 )
 
-var defaultListenAddr = ":7909"
+const (
+	defaultListenAddr = ":7909"
+	shutdownTimeout   = 10 * time.Second
+)
 
 var (
 	enablePlayground bool
@@ -57,7 +62,7 @@ func init() {
 
 	echox.MustViperFlags(viper.GetViper(), serveCmd.Flags(), defaultListenAddr)
 	echojwtx.MustViperFlags(viper.GetViper(), serveCmd.Flags())
-	events.MustViperFlagsForPublisher(viper.GetViper(), serveCmd.Flags(), appName)
+	events.MustViperFlags(viper.GetViper(), serveCmd.Flags(), appName)
 	permissions.MustViperFlags(viper.GetViper(), serveCmd.Flags())
 
 	// only available as a CLI arg because it shouldn't be something that could accidentially end up in a config file or env var
@@ -78,9 +83,9 @@ func serve(ctx context.Context) error {
 		viper.Set("oidc.enabled", false)
 	}
 
-	publisher, err := events.NewPublisher(config.AppConfig.Events.Publisher)
+	events, err := events.NewConnection(config.AppConfig.Events, events.WithLogger(logger))
 	if err != nil {
-		logger.Fatal("unable to initialize event publisher", zap.Error(err))
+		logger.Fatalw("failed to initialize events", "error", err)
 	}
 
 	err = otelx.InitTracer(config.AppConfig.Tracing, appName, logger)
@@ -97,7 +102,7 @@ func serve(ctx context.Context) error {
 
 	entDB := entsql.OpenDB(dialect.Postgres, db)
 
-	cOpts := []ent.Option{ent.Driver(entDB), ent.EventsPublisher(publisher)}
+	cOpts := []ent.Option{ent.Driver(entDB), ent.EventsPublisher(events)}
 
 	if config.AppConfig.Logging.Debug {
 		cOpts = append(cOpts,
@@ -109,6 +114,14 @@ func serve(ctx context.Context) error {
 	client := ent.NewClient(cOpts...)
 	defer client.Close()
 
+	// Run the automatic migration tool to create all schema resources.
+	if err := client.Schema.Create(ctx); err != nil {
+		logger.Errorf("failed creating schema resources", zap.Error(err))
+		return err
+	}
+
+	eventhooks.EventHooks(client)
+
 	var middleware []echo.MiddlewareFunc
 
 	// jwt auth middleware
@@ -121,14 +134,15 @@ func serve(ctx context.Context) error {
 		middleware = append(middleware, auth.Middleware())
 	}
 
-	srv, err := echox.NewServer(logger.Desugar(), config.AppConfig.Server, versionx.BuildDetails())
+	srv, err := echox.NewServer(logger.Desugar(), config.AppConfig.Server, versionx.BuildDetails(), echox.WithLoggingSkipper(echox.SkipDefaultEndpoints))
 	if err != nil {
 		logger.Fatal("failed to initialize new server", zap.Error(err))
 	}
 
 	perms, err := permissions.New(config.AppConfig.Permissions,
 		permissions.WithLogger(logger),
 		permissions.WithDefaultChecker(permissions.DefaultAllowChecker),
+		permissions.WithEventsPublisher(events),
 	)
 	if err != nil {
 		logger.Fatal("failed to initialize permissions", zap.Error(err))
@@ -144,6 +158,13 @@ func serve(ctx context.Context) error {
 	// TODO: we should have a database check
 	// srv.AddReadinessCheck("database", r.DatabaseCheck)
 
+	defer func() {
+		ctx, cancel := context.WithTimeout(ctx, shutdownTimeout)
+		defer cancel()
+
+		_ = events.Shutdown(ctx)
+	}()
+
 	if err = srv.RunWithContext(ctx); err != nil {
 		logger.Fatal("failed to run server", zap.Error(err))
 	}