From 892d77f6fcb3a74c7517f2bb9d01764cef4cd89c Mon Sep 17 00:00:00 2001 From: Daniel Adam Date: Tue, 20 Aug 2024 09:27:00 +0200 Subject: [PATCH] Update Makefile and documentation --- .github/workflows/measureMemory.yml | 52 +++++++++++- Makefile | 109 ++++++++++++++++++-------- charts/plgd-hub/README.md | 91 ++++++++++++++++++++- device-provisioning-service/README.md | 33 +++----- 4 files changed, 227 insertions(+), 58 deletions(-) diff --git a/.github/workflows/measureMemory.yml b/.github/workflows/measureMemory.yml index f011846ef..e17375074 100644 --- a/.github/workflows/measureMemory.yml +++ b/.github/workflows/measureMemory.yml @@ -70,41 +70,49 @@ jobs: numDevices: 1 numResources: 1 resourceDataSize: 16384 + expectedRssInMb: 50 timeout: 120m - name: devices/1/resources/1/size/1KB numDevices: 1 numResources: 1 resourceDataSize: 1024 + expectedRssInMb: 50 timeout: 120m - name: devices/1/resources/125/size/16KB numDevices: 1 numResources: 125 resourceDataSize: 16384 + expectedRssInMb: 50 timeout: 120m - name: devices/1/resources/125/size/1KB numDevices: 1 numResources: 125 resourceDataSize: 1024 + expectedRssInMb: 50 timeout: 120m - name: devices/1/resources/250/size/16KB numDevices: 1 numResources: 250 resourceDataSize: 16384 + expectedRssInMb: 50 timeout: 120m - name: devices/1/resources/250/size/1KB numDevices: 1 numResources: 250 resourceDataSize: 1024 + expectedRssInMb: 50 timeout: 120m - name: devices/1/resources/500/size/16KB numDevices: 1 numResources: 500 resourceDataSize: 16384 + expectedRssInMb: 50 timeout: 120m - name: devices/1/resources/500/size/1KB numDevices: 1 numResources: 500 resourceDataSize: 1024 + expectedRssInMb: 50 logLevel: info logDumpBody: true timeout: 120m @@ -113,164 +121,196 @@ jobs: numDevices: 1000 numResources: 1 resourceDataSize: 16384 + expectedRssInMb: 145 timeout: 120m - name: devices/1000/resources/1/size/1KB numDevices: 1000 numResources: 1 resourceDataSize: 1024 + expectedRssInMb: 145 timeout: 120m - name: devices/1000/resources/125/size/16KB numDevices: 1000 numResources: 125 resourceDataSize: 16384 + expectedRssInMb: 145 timeout: 120m - name: devices/1000/resources/125/size/1KB numDevices: 1000 numResources: 125 resourceDataSize: 1024 + expectedRssInMb: 145 timeout: 120m - name: devices/1000/resources/250/size/16KB numDevices: 1000 numResources: 250 resourceDataSize: 16384 + expectedRssInMb: 145 timeout: 120m - name: devices/1000/resources/250/size/1KB numDevices: 1000 numResources: 250 resourceDataSize: 1024 + expectedRssInMb: 145 timeout: 120m - name: devices/1000/resources/500/size/16KB numDevices: 1000 numResources: 500 resourceDataSize: 16384 + expectedRssInMb: 145 timeout: 120m - name: devices/1000/resources/500/size/1KB numDevices: 1000 numResources: 500 resourceDataSize: 1024 + expectedRssInMb: 145 timeout: 120m #2500 - name: devices/2500/resources/1/size/16KB numDevices: 2500 numResources: 1 resourceDataSize: 16384 + expectedRssInMb: 210 timeout: 120m - name: devices/2500/resources/1/size/1KB numDevices: 2500 numResources: 1 resourceDataSize: 1024 + expectedRssInMb: 210 timeout: 120m - name: devices/2500/resources/125/size/16KB numDevices: 2500 numResources: 125 resourceDataSize: 16384 + expectedRssInMb: 210 timeout: 120m - name: devices/2500/resources/125/size/1KB numDevices: 2500 numResources: 125 resourceDataSize: 1024 + expectedRssInMb: 210 timeout: 120m - name: devices/2500/resources/250/size/16KB numDevices: 2500 numResources: 250 resourceDataSize: 16384 + expectedRssInMb: 210 timeout: 120m - name: devices/2500/resources/250/size/1KB numDevices: 2500 numResources: 250 resourceDataSize: 1024 + expectedRssInMb: 210 timeout: 120m - name: devices/2500/resources/250/size/16KB numDevices: 2500 numResources: 500 resourceDataSize: 16384 + expectedRssInMb: 210 timeout: 120m - name: devices/2500/resources/500/size/1KB numDevices: 2500 numResources: 500 resourceDataSize: 1024 + expectedRssInMb: 210 timeout: 120m #5000 - name: devices/5000/resources/1/size/16KB numDevices: 5000 numResources: 1 resourceDataSize: 16384 + expectedRssInMb: 320 timeout: 120m - name: devices/5000/resources/1/size/1KB numDevices: 5000 numResources: 1 resourceDataSize: 1024 + expectedRssInMb: 320 timeout: 120m - name: devices/5000/resources/125/size/16KB numDevices: 5000 numResources: 125 resourceDataSize: 16384 + expectedRssInMb: 320 timeout: 120m - name: devices/5000/resources/125/size/1KB numDevices: 5000 numResources: 125 resourceDataSize: 1024 + expectedRssInMb: 320 timeout: 120m - name: devices/5000/resources/250/size/16KB numDevices: 5000 numResources: 250 resourceDataSize: 16384 + expectedRssInMb: 320 timeout: 120m - name: devices/5000/resources/250/size/1KB numDevices: 5000 numResources: 250 resourceDataSize: 1024 + expectedRssInMb: 320 timeout: 120m - name: devices/5000/resources/500/size/16KB numDevices: 5000 numResources: 500 resourceDataSize: 16384 + expectedRssInMb: 320 timeout: 120m - name: devices/5000/resources/500/size/1KB numDevices: 5000 numResources: 500 resourceDataSize: 1024 + expectedRssInMb: 320 timeout: 120m #10000 - name: devices/10000/resources/1/size/16KB numDevices: 10000 numResources: 1 resourceDataSize: 16384 + expectedRssInMb: 530 timeout: 120m - name: devices/10000/resources/1/size/1KB numDevices: 10000 numResources: 1 resourceDataSize: 1024 + expectedRssInMb: 530 timeout: 120m - name: devices/10000/resources/125/size/16KB numDevices: 10000 numResources: 125 resourceDataSize: 16384 + expectedRssInMb: 530 timeout: 120m - name: devices/10000/resources/125/size/1KB numDevices: 10000 numResources: 125 resourceDataSize: 1024 + expectedRssInMb: 530 timeout: 120m - name: devices/10000/resources/250/size/16KB numDevices: 10000 numResources: 250 resourceDataSize: 16384 + expectedRssInMb: 530 timeout: 120m - name: devices/10000/resources/250/size/1KB numDevices: 10000 numResources: 250 resourceDataSize: 1024 + expectedRssInMb: 530 timeout: 120m - name: devices/10000/resources/500/size/4KB numDevices: 10000 numResources: 500 resourceDataSize: 4096 + expectedRssInMb: 530 timeout: 300m - name: devices/10000/resources/500/size/1KB numDevices: 10000 numResources: 500 resourceDataSize: 1024 + expectedRssInMb: 530 timeout: 120m # Steps represent a sequence of tasks that will be executed as part of the job @@ -280,10 +320,9 @@ jobs: cat /proc/cpuinfo echo "Number of cores: $(nproc)" echo "Number of threads: $(nproc --all)" + # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - uses: actions/checkout@v4 - with: - fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis - name: Resolve database id: db @@ -295,9 +334,14 @@ jobs: fi - name: Run a test - continue-on-error: true + shell: bash -eo pipefail {0} run: | - make test/mem TEST_DATABASE=${{ steps.db.outputs.name }} TEST_MEMORY_COAP_GATEWAY_RESOURCE_DATA_SIZE=${{ matrix.resourceDataSize }} TEST_TIMEOUT=${{ matrix.timeout }} TEST_MEMORY_COAP_GATEWAY_NUM_DEVICES=${{ matrix.numDevices }} TEST_MEMORY_COAP_GATEWAY_NUM_RESOURCES=${{ matrix.numResources }} | tee >(grep "TestMemoryWithDevices.result:" | sed -e "s/.*TestMemoryWithDevices.result://g" | jq -r -c > out.json) + make test/mem TEST_DATABASE=${{ steps.db.outputs.name }} \ + TEST_MEMORY_COAP_GATEWAY_EXPECTED_RSS_IN_MB=${{ matrix.expectedRssInMb }} \ + TEST_MEMORY_COAP_GATEWAY_RESOURCE_DATA_SIZE=${{ matrix.resourceDataSize }} \ + TEST_TIMEOUT=${{ matrix.timeout }} \ + TEST_MEMORY_COAP_GATEWAY_NUM_DEVICES=${{ matrix.numDevices }} \ + TEST_MEMORY_COAP_GATEWAY_NUM_RESOURCES=${{ matrix.numResources }} | tee >(grep "TestMemoryWithDevices.result:" | sed -e "s/.*TestMemoryWithDevices.result://g" | jq -r -c > out.json) - name: Dump file if: success() diff --git a/Makefile b/Makefile index 5f3ca9d3a..fb26baead 100644 --- a/Makefile +++ b/Makefile @@ -49,9 +49,6 @@ CERT_TOOL_SIGN_ALG ?= ECDSA-SHA256 CERT_TOOL_ELLIPTIC_CURVE ?= P256 CERT_TOOL_IMAGE = ghcr.io/plgd-dev/hub/cert-tool:vnext -SUBDIRS := bundle certificate-authority cloud2cloud-connector cloud2cloud-gateway coap-gateway device-provisioning-service grpc-gateway resource-aggregate resource-directory http-gateway identity-store snippet-service m2m-oauth-server test/oauth-server tools/cert-tool -.PHONY: $(SUBDIRS) push proto/generate clean build test env mongo nats certificates hub-build http-gateway-www simulators - default: build hub-test: @@ -94,12 +91,22 @@ certificates: --cert.signatureAlgorithm=$(CERT_TOOL_SIGN_ALG) --cert.ellipticCurve=$(CERT_TOOL_ELLIPTIC_CURVE) \ --cert.validFrom=2000-01-01T12:00:00Z --cert.validFor=876000h +certificates/clean: + ( [ -n "$(CERT_PATH)" ] && sudo rm -rf $(CERT_PATH) ) || : + +.PHONY: certificates certificates/clean + privateKeys: mkdir -p $(WORKING_DIRECTORY)/.tmp/privKeys openssl genrsa -out $(WORKING_DIRECTORY)/.tmp/privKeys/idTokenKey.pem 4096 openssl ecparam -name prime256v1 -genkey -noout -out $(WORKING_DIRECTORY)/.tmp/privKeys/accessTokenKey.pem openssl ecparam -name prime256v1 -genkey -noout -out $(WORKING_DIRECTORY)/.tmp/privKeys/m2mAccessTokenKey.pem +privateKeys/clean: + sudo rm -rf $(WORKING_DIRECTORY)/.tmp/privKeys || : + +.PHONY: privateKeys privateKeys/clean + nats: certificates mkdir -p $(WORKING_DIRECTORY)/.tmp/jetstream/cloud mkdir -p $(WORKING_DIRECTORY)/.tmp/jetstream/cloud-connector @@ -120,9 +127,16 @@ nats: certificates --user $(USER_ID):$(GROUP_ID) \ nats --jetstream --store_dir /data --port 34222 --tls --tlsverify --tlscert=/certs/http.crt --tlskey=/certs/http.key --tlscacert=/certs/root_ca.crt +nats/clean: + docker rm -f nats || : + docker rm -f nats-cloud-connector || : + sudo rm -rf $(WORKING_DIRECTORY)/.tmp/jetstream || : + +.PHONY: nats nats/clean + scylla/clean: - docker rm -f scylla || true - sudo rm -rf $(WORKING_DIRECTORY)/.tmp/scylla || true + docker rm -f scylla || : + sudo rm -rf $(WORKING_DIRECTORY)/.tmp/scylla || : scylla: scylla/clean mkdir -p $(WORKING_DIRECTORY)/.tmp/scylla/data $(WORKING_DIRECTORY)/.tmp/scylla/commitlog $(WORKING_DIRECTORY)/.tmp/scylla/hints $(WORKING_DIRECTORY)/.tmp/scylla/view_hints $(WORKING_DIRECTORY)/.tmp/scylla/etc @@ -172,7 +186,7 @@ scylla: scylla/clean sleep 1; \ done -.PHONY: scylla +.PHONY: scylla scylla/clean # Pull latest mongo and start its in replica set # @@ -180,7 +194,7 @@ scylla: scylla/clean # $(1): name, used for: # - name of working directory for the device simulator (.tmp/$(1)) # - name of the docker container -# $(2): listen port +# $(2): additional opts define RUN-DOCKER-MONGO mkdir -p $(WORKING_DIRECTORY)/.tmp/$(1) ; \ docker run \ @@ -189,8 +203,8 @@ define RUN-DOCKER-MONGO --name=$(1) \ -v $(WORKING_DIRECTORY)/.tmp/$(1):/data/db \ -v $(CERT_PATH):/certs --user $(USER_ID):$(GROUP_ID) \ - mongo mongod -vvvvv --tlsMode requireTLS --wiredTigerCacheSizeGB 1 --tlsCAFile /certs/root_ca.crt --tlsCertificateKeyFile /certs/mongo.key \ - --replSet myReplicaSet --bind_ip localhost --port $(2) + mongo --tlsMode requireTLS --wiredTigerCacheSizeGB 1 --tlsCAFile /certs/root_ca.crt \ + --tlsCertificateKeyFile /certs/mongo.key $(2) endef MONGODB_REPLICA_0 := mongo0 @@ -201,9 +215,9 @@ MONGODB_REPLICA_2 := mongo2 MONGODB_REPLICA_2_PORT := 27019 mongo: certificates - $(call RUN-DOCKER-MONGO,$(MONGODB_REPLICA_0),$(MONGODB_REPLICA_0_PORT)) - $(call RUN-DOCKER-MONGO,$(MONGODB_REPLICA_1),$(MONGODB_REPLICA_1_PORT)) - $(call RUN-DOCKER-MONGO,$(MONGODB_REPLICA_2),$(MONGODB_REPLICA_2_PORT)) + $(call RUN-DOCKER-MONGO,$(MONGODB_REPLICA_0),-vvvvv --replSet myReplicaSet --bind_ip localhost --port $(MONGODB_REPLICA_0_PORT)) + $(call RUN-DOCKER-MONGO,$(MONGODB_REPLICA_1),-vvvvv --replSet myReplicaSet --bind_ip localhost --port $(MONGODB_REPLICA_1_PORT)) + $(call RUN-DOCKER-MONGO,$(MONGODB_REPLICA_2),-vvvvv --replSet myReplicaSet --bind_ip localhost --port $(MONGODB_REPLICA_2_PORT)) COUNTER=0; \ while [[ $${COUNTER} -lt 30 ]]; do \ echo "Checking mongodb connection ($${COUNTER}):"; \ @@ -224,10 +238,38 @@ mongo: certificates ] \ })" +mongo/clean: + $(call REMOVE-DOCKER-DEVICE,$(MONGODB_REPLICA_0)) + $(call CLEAN-DOCKER-DEVICE,$(MONGODB_REPLICA_0)) + sudo rm -rf ./.tmp/$(MONGODB_REPLICA_0) || : + $(call REMOVE-DOCKER-DEVICE,$(MONGODB_REPLICA_1)) + $(call CLEAN-DOCKER-DEVICE,$(MONGODB_REPLICA_1)) + sudo rm -rf ./.tmp/$(MONGODB_REPLICA_1) || : + $(call REMOVE-DOCKER-DEVICE,$(MONGODB_REPLICA_2)) + $(call CLEAN-DOCKER-DEVICE,$(MONGODB_REPLICA_2)) + sudo rm -rf ./.tmp/$(MONGODB_REPLICA_2) || : + +.PHONY: mongo mongo/clean + +mongo-no-replicas: certificates + $(call RUN-DOCKER-MONGO,mongo,) + +mongo-no-replicas/clean: + $(call REMOVE-DOCKER-DEVICE,mongo) + $(call CLEAN-DOCKER-DEVICE,mongo) + sudo rm -rf ./.tmp/mongo || : + +.PHONY: mongo-no-replicas mongo-no-replicas/clean + http-gateway-www: @mkdir -p $(WORKING_DIRECTORY)/.tmp/usr/local/www @cp -r $(WORKING_DIRECTORY)/http-gateway/web/public/* $(WORKING_DIRECTORY)/.tmp/usr/local/www/ +http-gateway-www/clean: + sudo rm -rf ./.tmp/usr || true + +.PHONY: http-gateway-www http-gateway-www/clean + # standard device DEVICE_SIMULATOR_NAME := devsim DEVICE_SIMULATOR_IMG := ghcr.io/iotivity/iotivity-lite/cloud-server-debug:vnext @@ -282,7 +324,8 @@ simulators/clean: simulators/remove simulators: simulators/clean $(call RUN-DOCKER-DEVICE,$(DEVICE_SIMULATOR_NAME),$(DEVICE_SIMULATOR_IMG)) $(call RUN-DOCKER-DEVICE,$(DEVICE_SIMULATOR_RES_OBSERVABLE_NAME),$(DEVICE_SIMULATOR_RES_OBSERVABLE_IMG)) -.PHONY: simulators + +.PHONY: simulators simulators/remove simulators/clean BRIDGE_DEVICE_SRC_DIR = $(WORKING_DIRECTORY)/test/bridge-device BRIDGE_DEVICE_IMAGE = ghcr.io/plgd-dev/device/bridge-device:vnext @@ -398,11 +441,21 @@ simulators/dps: simulators/dps/clean simulators/clean: simulators/dps/clean simulators: simulators/dps -env/test/mem: clean certificates nats mongo privateKeys scylla -.PHONY: env/test/mem +env: clean certificates nats privateKeys http-gateway-www mongo simulators +env/test/mem: clean certificates nats privateKeys + +ifeq ($(TEST_DATABASE),mongodb) +# github runners run out of file space if multiple mongodb replicas are started, so we start only a single instance +env/test/mem: mongo-no-replicas +else +# test uses mongodb for most tests, but scylla can be enabled for some; so we always need mongodb to be running +# but scylla needs to be started only if TEST_DATABASE=cqldb +env: scylla +# test/mem uses either mongodb or scylla, so just one needs to be started +env/test/mem: scylla +endif -env: env/test/mem http-gateway-www simulators -.PHONY: env +.PHONY: env env/test/mem define RUN-DOCKER docker run \ @@ -536,6 +589,7 @@ test/mem: env/test/mem hub-test TEST_SNIPPET_SERVICE_LOG_LEVEL=$(TEST_SNIPPET_SERVICE_LOG_LEVEL) TEST_SNIPPET_SERVICE_LOG_DUMP_BODY=$(TEST_SNIPPET_SERVICE_LOG_DUMP_BODY) \ TEST_LEAD_RESOURCE_TYPE_FILTER=$(TEST_LEAD_RESOURCE_TYPE_FILTER) TEST_LEAD_RESOURCE_TYPE_REGEX_FILTER='$(TEST_LEAD_RESOURCE_TYPE_REGEX_FILTER)' TEST_LEAD_RESOURCE_TYPE_USE_UUID=$(TEST_LEAD_RESOURCE_TYPE_USE_UUID) \ TEST_DATABASE=$(TEST_DATABASE)) + .PHONY: test/mem DIRECTORIES:=$(shell ls -d ./*/) @@ -564,31 +618,24 @@ $(test-targets): %: env hub-test .PHONY: $(test-targets) +SUBDIRS := bundle certificate-authority cloud2cloud-connector cloud2cloud-gateway coap-gateway device-provisioning-service grpc-gateway resource-aggregate resource-directory http-gateway identity-store snippet-service m2m-oauth-server test/oauth-server tools/cert-tool + build: $(SUBDIRS) -clean: simulators/clean scylla/clean - docker rm -f nats || true - docker rm -f nats-cloud-connector || true - $(call REMOVE-DOCKER-DEVICE,$(MONGODB_REPLICA_0)) - $(call CLEAN-DOCKER-DEVICE,$(MONGODB_REPLICA_0)) - $(call REMOVE-DOCKER-DEVICE,$(MONGODB_REPLICA_1)) - $(call CLEAN-DOCKER-DEVICE,$(MONGODB_REPLICA_1)) - $(call REMOVE-DOCKER-DEVICE,$(MONGODB_REPLICA_2)) - $(call CLEAN-DOCKER-DEVICE,$(MONGODB_REPLICA_2)) - sudo rm -rf ./.tmp/certs || true - sudo rm -rf ./.tmp/mongo || true +clean: simulators/clean nats/clean scylla/clean mongo/clean mongo-no-replicas/clean privateKeys/clean http-gateway-www/clean sudo rm -rf ./.tmp/home || true - sudo rm -rf ./.tmp/privateKeys || true sudo rm -rf ./.tmp/coverage || true sudo rm -rf ./.tmp/report || true - sudo rm -rf ./.tmp/usr || true proto/generate: $(SUBDIRS) protoc -I=. -I=$(GOPATH)/src --go_out=$(GOPATH)/src $(WORKING_DIRECTORY)/pkg/net/grpc/stub.proto protoc -I=. -I=$(GOPATH)/src --go-grpc_out=$(GOPATH)/src $(WORKING_DIRECTORY)/pkg/net/grpc/stub.proto mv $(WORKING_DIRECTORY)/pkg/net/grpc/stub.pb.go $(WORKING_DIRECTORY)/pkg/net/grpc/stub.pb_test.go mv $(WORKING_DIRECTORY)/pkg/net/grpc/stub_grpc.pb.go $(WORKING_DIRECTORY)/pkg/net/grpc/stub_grpc.pb_test.go -push: hub-build $(SUBDIRS) + +push: $(SUBDIRS) + +.PHONY: $(SUBDIRS) push proto/generate clean build $(SUBDIRS): $(MAKE) -C $@ $(MAKECMDGOALS) LATEST_TAG=$(BUILD_TAG) diff --git a/charts/plgd-hub/README.md b/charts/plgd-hub/README.md index 044d48ea2..1ca616b16 100644 --- a/charts/plgd-hub/README.md +++ b/charts/plgd-hub/README.md @@ -46,7 +46,7 @@ global: | Repository | Name | Version | |------------|------|---------| | | mongodb | 15.4.4 | -| | nats | 1.1.9 | +| | nats | 1.1.9 | | | scylla | 1.10.0 | ## Values @@ -305,6 +305,93 @@ global: | coapgateway.serviceHeartbeat.timeToLive | string | `"1m"` | Specifies validity of the presence record created by the gateway. Must be greater than 1s. | | coapgateway.taskQueue | object | `{"goPoolSize":1600,"maxIdleTime":"10m","size":"2097152"}` | For complete coap-gateway service configuration see [plgd/coap-gateway](https://github.com/plgd-dev/hub/tree/main/coap-gateway) | | coapgateway.tolerations | object | `{}` | Toleration definition | +| deviceProvisioningService.affinity | object | `{}` | Affinity definition | +| deviceProvisioningService.apiDomain | string | `nil` | Domain for dps HTTP API endpoint | +| deviceProvisioningService.apis | object | `{"coap":{"address":"","blockwiseTransfer":{"blockSize":"1024","enabled":true},"inactivityMonitor":{"timeout":"20s"},"maxMessageSize":262144,"messagePoolSize":1000,"protocols":["tcp"],"tls":{"certFile":null,"keyFile":null}},"http":{"address":null,"authorization":{"audience":null,"authority":null,"http":{"idleConnTimeout":"30s","maxConnsPerHost":32,"maxIdleConns":16,"maxIdleConnsPerHost":16,"timeout":"10s","tls":{"caPool":null,"certFile":null,"keyFile":null,"useSystemCAPool":true}},"ownerClaim":null},"enabled":true,"port":9100,"tls":{"caPool":null,"certFile":null,"clientCertificateRequired":false,"keyFile":null}}}` | For complete device-provisioning-service configuration see [plgd/device-provisioning-service](https://github.com/plgd-dev/hub/tree/main/device-provisioning-service) | +| deviceProvisioningService.clients | object | `{"storage":{"cacheExpiration":"10m","mongoDB":{"bulkWrite":{"documentLimit":1000,"throttleTime":"500ms","timeout":"1m0s"},"database":"deviceProvisioningService","maxConnIdleTime":"4m0s","maxPoolSize":16,"tls":{"caPool":null,"certFile":null,"keyFile":null,"useSystemCAPool":false},"uri":null}}}` | For complete dps service configuration see [plgd/device-provisioning-service](https://github.com/plgd-dev/hub/device-provisioning-service) | +| deviceProvisioningService.clients.storage.mongoDB.bulkWrite.documentLimit | int | `1000` | The maximum number of documents to cache before an immediate write. | +| deviceProvisioningService.clients.storage.mongoDB.bulkWrite.throttleTime | string | `"500ms"` | The amount of time to wait until a record is written to mongodb. Any records collected during the throttle time will also be written. A throttle time of zero writes immediately. If recordLimit is reached, all records are written immediately | +| deviceProvisioningService.clients.storage.mongoDB.bulkWrite.timeout | string | `"1m0s"` | A time limit for write bulk to mongodb. A Timeout of zero means no timeout. | +| deviceProvisioningService.config.fileName | string | `"service.yaml"` | Service configuration file name | +| deviceProvisioningService.config.mountPath | string | `"/config"` | Configuration mount path | +| deviceProvisioningService.config.volume | string | `"config"` | Volume name | +| deviceProvisioningService.deploymentAnnotations | object | `{}` | Additional annotations for dps deployment | +| deviceProvisioningService.deploymentLabels | object | `{}` | Additional labels for dps deployment | +| deviceProvisioningService.enabled | bool | `true` | Enable device-provisioning-service | +| deviceProvisioningService.extraContainers | object | `{}` | Extra POD containers | +| deviceProvisioningService.extraVolumeMounts | object | `{}` | Optional extra volume mounts | +| deviceProvisioningService.extraVolumes | list | `[]` | Optional extra volumes | +| deviceProvisioningService.fullnameOverride | string | `nil` | Full name to override | +| deviceProvisioningService.image.imagePullSecrets | object | `{}` | Image pull secrets | +| deviceProvisioningService.image.pullPolicy | string | `"Always"` | Image pull policy | +| deviceProvisioningService.image.registry | string | `"ghcr.io/"` | Image registry | +| deviceProvisioningService.image.repository | string | `"plgd-dev/hub/device-provisioning-service"` | Image repository | +| deviceProvisioningService.image.tag | string | `nil` | Image tag | +| deviceProvisioningService.imagePullSecrets | object | `{}` | Image pull secrets | +| deviceProvisioningService.ingress | object | `{"annotations":{},"domainCertName":null,"enabled":true,"paths":["/api/v1/provisioning-records","/api/v1/enrollment-groups","/api/v1/hubs"]}` | Ingress | +| deviceProvisioningService.ingress.annotations | object | `{}` | Ingress annotation | +| deviceProvisioningService.ingress.domainCertName | string | `nil` | Domain certificate name | +| deviceProvisioningService.ingress.enabled | bool | `true` | Enable ingress | +| deviceProvisioningService.ingress.paths | list | `["/api/v1/provisioning-records","/api/v1/enrollment-groups","/api/v1/hubs"]` | Ingress path | +| deviceProvisioningService.initContainersTpl | string | `nil` | Init containers definition | +| deviceProvisioningService.livenessProbe | object | `{}` | Liveness probe. dps doesn't have any default liveness probe | +| deviceProvisioningService.log.dumpBody | bool | `false` | Dump grpc messages | +| deviceProvisioningService.log.encoderConfig.timeEncoder | string | `"rfc3339nano"` | Time format for logs. The supported values are: "rfc3339nano", "rfc3339" | +| deviceProvisioningService.log.encoding | string | `"json"` | The supported values are: "json", "console" | +| deviceProvisioningService.log.level | string | `"info"` | Logging enabled from level | +| deviceProvisioningService.log.stacktrace.enabled | bool | `false` | Log stacktrace | +| deviceProvisioningService.log.stacktrace.level | string | `"warn"` | Stacktrace from level | +| deviceProvisioningService.name | string | `"device-provisioning-service"` | Name of component. Used in label selectors | +| deviceProvisioningService.nodeSelector | object | `{}` | Node selector | +| deviceProvisioningService.podAnnotations | object | `{}` | Annotations for dps pod | +| deviceProvisioningService.podLabels | object | `{}` | Labels for dps pod | +| deviceProvisioningService.podSecurityContext | object | `{}` | Pod security context | +| deviceProvisioningService.port | int | `15684` | Service and POD port | +| deviceProvisioningService.rbac | object | `{"enabled":false,"roleBindingDefinitionTpl":null,"serviceAccountName":"device-provisioning-service"}` | RBAC configuration | +| deviceProvisioningService.rbac.enabled | bool | `false` | Create RBAC config | +| deviceProvisioningService.rbac.roleBindingDefinitionTpl | string | `nil` | Template definition for Role/binding etc.. | +| deviceProvisioningService.rbac.serviceAccountName | string | `"device-provisioning-service"` | Name of dps SA | +| deviceProvisioningService.readinessProbe | object | `{}` | Readiness probe. dps doesn't have aby default readiness probe | +| deviceProvisioningService.replicas | int | `1` | Number of replicas | +| deviceProvisioningService.resources | object | `{}` | Resources limit | +| deviceProvisioningService.restartPolicy | string | `"Always"` | Restart policy for pod | +| deviceProvisioningService.securityContext | object | `{}` | Security context for pod | +| deviceProvisioningService.service.annotations | object | `{}` | Annotations for dps service | +| deviceProvisioningService.service.certificate | object | `{"annotations":{},"duration":null,"issuer":{"group":null,"kind":null,"name":null},"key":{"algorithm":null,"size":null},"labels":{},"mountPath":null,"renewBefore":null}` | Service certificate | +| deviceProvisioningService.service.certificate.annotations | object | `{}` | Annotations for dps service certificate | +| deviceProvisioningService.service.certificate.duration | string | `nil` | Certificate duration | +| deviceProvisioningService.service.certificate.issuer.group | string | `nil` | Group of issuer | +| deviceProvisioningService.service.certificate.issuer.kind | string | `nil` | Kind of issuer | +| deviceProvisioningService.service.certificate.issuer.name | string | `nil` | Name of issuer | +| deviceProvisioningService.service.certificate.key.algorithm | string | `nil` | Certificate key algorithm | +| deviceProvisioningService.service.certificate.key.size | string | `nil` | Certificate key size | +| deviceProvisioningService.service.certificate.labels | object | `{}` | Labels | +| deviceProvisioningService.service.certificate.mountPath | string | `nil` | Mount path | +| deviceProvisioningService.service.certificate.renewBefore | string | `nil` | Certificate renew before | +| deviceProvisioningService.service.http.annotations | object | `{}` | Annotations for coap-gateway service | +| deviceProvisioningService.service.http.labels | object | `{}` | Labels for coap-gateway service | +| deviceProvisioningService.service.http.name | string | `"http"` | Name | +| deviceProvisioningService.service.http.protocol | string | `"TCP"` | Protocol | +| deviceProvisioningService.service.http.targetPort | string | `"http"` | Target port | +| deviceProvisioningService.service.http.type | string | `nil` | Service type | +| deviceProvisioningService.service.labels | object | `{}` | Labels for dps service | +| deviceProvisioningService.service.nodePort | int | `15684` | Use nodePort, if specified, for one of the protocols. If both protocols are enabled, nodePort needs to be configured directly in the service to mutually different ports. | +| deviceProvisioningService.service.tcp.annotations | object | `{}` | Annotations for coap-gateway service | +| deviceProvisioningService.service.tcp.labels | object | `{}` | Labels for coap-gateway service | +| deviceProvisioningService.service.tcp.name | string | `"coaps-tcp"` | Name | +| deviceProvisioningService.service.tcp.nodePort | string | `nil` | Use nodePort if specified, must to be different as is in udp | +| deviceProvisioningService.service.tcp.protocol | string | `"TCP"` | Protocol | +| deviceProvisioningService.service.tcp.targetPort | string | `"coaps-tcp"` | Target port | +| deviceProvisioningService.service.tcp.type | string | `nil` | Service type | +| deviceProvisioningService.service.type | string | `"LoadBalancer"` | Service type | +| deviceProvisioningService.service.udp.annotations | object | `{}` | Annotations for coap-gateway service | +| deviceProvisioningService.service.udp.labels | object | `{}` | Labels for coap-gateway service | +| deviceProvisioningService.service.udp.name | string | `"coaps-udp"` | Name | +| deviceProvisioningService.service.udp.nodePort | string | `nil` | Use nodePort if specified. Must to be different as is in tcp | +| deviceProvisioningService.service.udp.protocol | string | `"UDP"` | Protocol | +| deviceProvisioningService.service.udp.targetPort | string | `"coaps-udp"` | Target port | +| deviceProvisioningService.service.udp.type | string | `nil` | Service type | +| deviceProvisioningService.tolerations | list | `[]` | Toleration definition | | extraCAPool | object | `{"authorization":{"configMapName":null,"enabled":"{{ include \"plgd-hub.extraCAPoolAuthorizationEnabled\" . }}","key":"{{ include \"plgd-hub.oldExtraCAPoolAuthorizationFileName\" . }}","mountPath":"/certs/extra/authorization","name":"authorization-ca-pool","secretName":"{{ include \"plgd-hub.oldExtraCAPoolAuthorizationSecretName\" . }}"},"coap":{"configMapName":null,"enabled":"{{ include \"plgd-hub.extraCAPoolCoapEnabled\" . }}","key":"ca.crt","mountPath":"/certs/extra/coap","name":"coap-ca-pool","secretName":"coap-ca-pool"},"internal":{"configMapName":null,"enabled":"{{ include \"plgd-hub.extraCAPoolInternalEnabled\" . }}","key":"ca.crt","mountPath":"/certs/extra/internal","name":"internal-ca-pool","secretName":"internal-ca-pool"},"storage":{"configMapName":null,"enabled":"{{ include \"plgd-hub.extraCAPoolStorageEnabled\" . }}","key":"ca.crt","mountPath":"/certs/extra/storage","name":"storage-ca-pool","secretName":"storage-ca-pool"}}` | Configuration parameters for extraCAPool used by services and clients | | extraCAPool.authorization | object | `{"configMapName":null,"enabled":"{{ include \"plgd-hub.extraCAPoolAuthorizationEnabled\" . }}","key":"{{ include \"plgd-hub.oldExtraCAPoolAuthorizationFileName\" . }}","mountPath":"/certs/extra/authorization","name":"authorization-ca-pool","secretName":"{{ include \"plgd-hub.oldExtraCAPoolAuthorizationSecretName\" . }}"}` | Authorization CAPool section to verify the OAuth service certificate. | | extraCAPool.authorization.enabled | string | `"{{ include \"plgd-hub.extraCAPoolAuthorizationEnabled\" . }}"` | Enable extra authorization ca pool | @@ -527,7 +614,7 @@ global: | httpgateway.service.targetPort | string | `"http"` | Target port | | httpgateway.service.type | string | `"ClusterIP"` | | | httpgateway.tolerations | object | `{}` | Toleration definition | -| httpgateway.ui | object | `{"directory":"/usr/local/var/www","enabled":true,"theme":"","webConfiguration":{"deviceOAuthClient":{"audience":null,"authority":"","clientID":null,"providerName":null,"scopes":[]},"deviceProvisioningService":"","httpGatewayAddress":"","m2mOAuthClient":{"audience":null,"authority":"","clientAssertionType":null,"clientID":null,"grantType":null,"scopes":[]},"snippetService":"","visibility":{"mainSidebar":{"apiTokens":false,"certificates":true,"chatRoom":true,"configuration":true,"dashboard":false,"deviceFirmwareUpdate":false,"deviceLogs":false,"deviceProvisioning":true,"devices":true,"docs":true,"integrations":false,"pendingCommands":true,"remoteClients":true,"schemaHub":false,"snippetService":true}},"webOAuthClient":{"audience":"","authority":"","clientID":"","scopes":[]}}}` | For complete http-gateway service configuration see [plgd/http-gateway](https://github.com/plgd-dev/hub/tree/main/http-gateway) | +| httpgateway.ui | object | `{"directory":"/usr/local/var/www","enabled":true,"theme":"","webConfiguration":{"deviceOAuthClient":{"audience":null,"authority":"","clientID":null,"providerName":null,"scopes":[]},"deviceProvisioningService":"","httpGatewayAddress":"","m2mOAuthClient":{"audience":null,"authority":"","clientAssertionType":null,"clientID":null,"grantType":null,"scopes":[]},"snippetService":"","visibility":{"mainSidebar":{"apiTokens":true,"certificates":true,"chatRoom":true,"configuration":true,"dashboard":false,"deviceFirmwareUpdate":false,"deviceLogs":false,"deviceProvisioning":true,"devices":true,"docs":true,"integrations":false,"pendingCommands":true,"remoteClients":true,"schemaHub":false,"snippetService":true}},"webOAuthClient":{"audience":"","authority":"","clientID":"","scopes":[]}}}` | For complete http-gateway service configuration see [plgd/http-gateway](https://github.com/plgd-dev/hub/tree/main/http-gateway) | | httpgateway.uiDomain | string | `nil` | Domain for UI Default: {{ global.domain }} | | identitystore.affinity | object | `{}` | Affinity definition | | identitystore.apis | object | `{"grpc":{"address":null,"authorization":{"audience":null,"authority":null,"http":{"idleConnTimeout":"30s","maxConnsPerHost":32,"maxIdleConns":16,"maxIdleConnsPerHost":16,"timeout":"10s","tls":{"caPool":null,"certFile":null,"keyFile":null,"useSystemCAPool":true}},"ownerClaim":null},"enforcementPolicy":{"minTime":"5s","permitWithoutStream":true},"keepAlive":{"maxConnectionAge":"0s","maxConnectionAgeGrace":"0s","maxConnectionIdle":"0s","time":"2h","timeout":"20s"},"recvMsgSize":4194304,"sendMsgSize":4194304,"tls":{"caPool":null,"certFile":null,"clientCertificateRequired":true,"keyFile":null}}}` | For complete identity service configuration see [plgd/identity](https://github.com/plgd-dev/hub/tree/main/identity) | diff --git a/device-provisioning-service/README.md b/device-provisioning-service/README.md index f7f55b779..698c846db 100644 --- a/device-provisioning-service/README.md +++ b/device-provisioning-service/README.md @@ -54,7 +54,7 @@ CoAP API as specified in the [workflow](./workflow.puml). ### HTTP API -The plgd device provisioning service REST API is defined by [swagger](https://raw.githubusercontent.com/plgd-dev/device-provisioning-service/main/pb/service.swagger.json). +The plgd device provisioning service REST API is defined by [swagger](https://raw.githubusercontent.com/plgd-dev/hub/main/device-provisioning-service/pb/service.swagger.json). | Property | Type | Description | Default | | ---------- | -------- | -------------- | ------- | @@ -64,17 +64,18 @@ The plgd device provisioning service REST API is defined by [swagger](https://ra | `apis.http.tls.keyFile` | string | `File path to private key in PEM format.` | `""` | | `apis.http.tls.certFile` | string | `File path to certificate in PEM format.` | `""` | | `apis.http.tls.clientCertificateRequired` | bool | `If true, require client certificate.` | `true` | -| `apis.http.authorization.authority` | string | `Authority is the address of the token-issuing authentication server. Services will use this URI to find and retrieve the public key that can be used to validate the token’s signature.` | `""` | +| `apis.http.authorization.ownerClaim` | string | `Claim used to identify owner of the device.` | `"sub"` | | `apis.http.authorization.audience` | string | `Identifier of the API configured in your OAuth provider.` | `""` | -| `apis.http.authorization.http.maxIdleConns` | int | `It controls the maximum number of idle (keep-alive) connections across all hosts. Zero means no limit.` | `16` | -| `apis.http.authorization.http.maxConnsPerHost` | int | `It optionally limits the total number of connections per host, including connections in the dialing, active, and idle states. On limit violation, dials will block. Zero means no limit.` | `32` | -| `apis.http.authorization.http.maxIdleConnsPerHost` | int | `If non-zero, controls the maximum idle (keep-alive) connections to keep per-host. If zero, DefaultMaxIdleConnsPerHost is used.` | `16` | -| `apis.http.authorization.http.idleConnTimeout` | string | `The maximum amount of time an idle (keep-alive) connection will remain idle before closing itself. Zero means no limit.` | `30s` | -| `apis.http.authorization.http.timeout` | string | `A time limit for requests made by this Client. A Timeout of zero means no timeout.` | `10s` | -| `apis.http.authorization.http.tls.caPool` | string | `File path to the root certificate in PEM format which might contain multiple certificates in a single file.` | `""` | -| `apis.http.authorization.http.tls.keyFile` | string | `File path to private key in PEM format.` | `""` | -| `apis.http.authorization.http.tls.certFile` | string | `File path to certificate in PEM format.` | `""` | -| `apis.http.authorization.http.tls.useSystemCAPool` | bool | `If true, use system certification pool.` | `false` | +| `apis.http.authorization.endpoints[].authority` | string | `Authority is the address of the token-issuing authentication server. Services will use this URI to find and retrieve the public key that can be used to validate the token’s signature.` | `""` | +| `apis.http.authorization.endpoints[].http.maxIdleConns` | int | `It controls the maximum number of idle (keep-alive) connections across all hosts. Zero means no limit.` | `16` | +| `apis.http.authorization.endpoints[].http.maxConnsPerHost` | int | `It optionally limits the total number of connections per host, including connections in the dialing, active, and idle states. On limit violation, dials will block. Zero means no limit.` | `32` | +| `apis.http.authorization.endpoints[].http.maxIdleConnsPerHost` | int | `If non-zero, controls the maximum idle (keep-alive) connections to keep per-host. If zero, DefaultMaxIdleConnsPerHost is used.` | `16` | +| `apis.http.authorization.endpoints[].http.idleConnTimeout` | string | `The maximum amount of time an idle (keep-alive) connection will remain idle before closing itself. Zero means no limit.` | `30s` | +| `apis.http.authorization.endpoints[].http.timeout` | string | `A time limit for requests made by this Client. A Timeout of zero means no timeout.` | `10s` | +| `apis.http.authorization.endpoints[].http.tls.caPool` | []string | `File paths to the root certificates in PEM format. The file may contain multiple certificates.` | `[]` | +| `apis.http.authorization.endpoints[].http.tls.keyFile` | string | `File path to private key in PEM format.` | `""` | +| `apis.http.authorization.endpoints[].http.tls.certFile` | string | `File path to certificate in PEM format.` | `""` | +| `apis.http.authorization.endpoints[].http.tls.useSystemCAPool` | bool | `If true, use system certification pool.` | `false` | | `apis.http.readTimeout` | string | `Maximum duration allowed for reading the entire request body, including the body by the server. A zero or negative value means there will be no timeout. Example: "8s" (8 seconds).` | `8s` | | `apis.http.readHeaderTimeout` | string | `The amount of time allowed to read request headers by the server. If readHeaderTimeout is zero, the value of readTimeout is used. If both are zero, there is no timeout.` | `4s` | | `apis.http.writeTimeout` | string | `The maximum duration before the server times out writing of the response. A zero or negative value means there will be no timeout.` | `16s` | @@ -171,13 +172,3 @@ OAuth2.0 Client is used to obtain JWT with ownerClaim and deviceIDClaim via the ::: tip Audience You might have one client, but multiple APIs registered in the OAuth2.0 Server. What you might want to prevent is to be able to contact all the APIs of your system with one token. This audience allows you to request the token for a specific API. If you configure it to myplgdc2c.api in the Auth0, you have to set it here if you want to also validate it. ::: - -### Task Queue - -| Property | Type | Description | Default | -| ---------- | -------- | -------------- | ------- | -| `taskQueue.goPoolSize` | int | `Maximum number of running goroutine instances.` | `1600` | -| `taskQueue.size` | int | `Size of queue. If it exhausted, submit returns error.` | `2097152` | -| `taskQueue.maxIdleTime` | string | `Sets up the interval time of cleaning up goroutines. Zero means never cleanup.` | `10m` | - -> Note that the string type related to time (i.e. timeout, idleConnTimeout, expirationTime) is decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "1.5h" or "2h45m". Valid time units are "ns", "us", "ms", "s", "m", "h".