initial commit

Author: jr200

.dockerignore

@@ -0,0 +1,12 @@
+# .dockerignore
+
+.git
+.history
+.vscode
+*.bak
+*.swp
+.DS_Store
+
+private
+service/service
+test-client/test-client

.github/workflows/create_release.yml

@@ -0,0 +1,24 @@
+name: Create Release
+
+on:
+  workflow_run:
+    workflows: ["Build Image"]
+    types:
+      - completed
+  push:
+    tags: ["v*.*.*"]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Create Release
+        uses: ncipollo/release-action@v1
+        with:
+          generateReleaseNotes: true
+          allowUpdates: true

.github/workflows/docker_image.yml

@@ -0,0 +1,97 @@
+name: Build Image
+
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+on:
+  push:
+    # branches: ["main"]
+    # Publish semver tags as releases.
+    tags: ["v*.*.*"]
+  # pull_request:
+  #   branches: ["main"]
+
+env:
+  # Use docker.io for Docker Hub if empty
+  REGISTRY: ghcr.io
+  # github.repository as <account>/<repo>
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      # This is used to complete the identity challenge
+      # with sigstore/fulcio when running outside of PRs.
+      id-token: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      # Install the cosign tool except on PR
+      # https://github.com/sigstore/cosign-installer
+      - name: Install cosign
+        if: github.event_name != 'pull_request'
+        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 #v3.5.0
+        with:
+          cosign-release: "v2.2.4"
+
+      # Set up BuildKit Docker container builder to be able to build
+      # multi-platform images and export cache
+      # https://github.com/docker/setup-buildx-action
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+
+      # Login against a Docker registry except on PR
+      # https://github.com/docker/login-action
+      - name: Log into registry ${{ env.REGISTRY }}
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      # Extract metadata (tags, labels) for Docker
+      # https://github.com/docker/metadata-action
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+      # Build and push Docker image with Buildx (don't push on PR)
+      # https://github.com/docker/build-push-action
+      - name: Build and push Docker image
+        id: build-and-push
+        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
+        with:
+          context: .
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          build-args: |
+            GOOS=${{ matrix.os }}
+            GOARCH=${{ matrix.architecture }}
+
+      # Sign the resulting Docker image digest except on PRs.
+      # This will only write to the public Rekor transparency log when the Docker
+      # repository is public to avoid leaking data.  If you would like to publish
+      # transparency data even for private images, pass --force to cosign below.
+      # https://github.com/sigstore/cosign
+      - name: Sign the published Docker image
+        if: ${{ github.event_name != 'pull_request' }}
+        env:
+          # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
+          TAGS: ${{ steps.meta.outputs.tags }}
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+        # This step uses the identity token to provision an ephemeral certificate
+        # against the sigstore community Fulcio instance.
+        run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}

.gitignore

@@ -11,15 +11,29 @@
 # Test binary, built with `go test -c`
 *.test
 
+# Application binaries
+service/service
+test-client/test-client
+
 # Output of the go coverage tool, specifically when used with LiteIDE
 *.out
 
 # Dependency directories (remove the comment below to include it)
-# vendor/
+vendor/
 
 # Go workspace file
 go.work
 go.work.sum
 
-# env file
-.env
+# Mac OS X files
+.DS_Store
+
+# Project-local glide cache, RE: https://github.com/Masterminds/glide/issues/736
+.glide/
+
+# Other
+.history/
+
+private/
+build/
+dist/

Dockerfile

@@ -0,0 +1,27 @@
+ARG GOVERSION=1.22
+
+FROM golang:${GOVERSION}-alpine
+LABEL org.opencontainers.image.source "https://github.com/jr200/nats-iam-broker"
+LABEL org.opencontainers.image.description "nats-iam-broker alpine image"
+
+ARG GOARCH
+ARG GOOS
+
+RUN echo nats-iam-broker-${GOOS}-${GOARCH}
+
+RUN apk update && apk add git bash curl jq make
+RUN go install github.com/nats-io/nats-server/[email protected]
+RUN go install github.com/nats-io/natscli/[email protected]
+RUN go install github.com/nats-io/nsc/[email protected]
+
+# RUN curl -L https://github.com/openbao/openbao/releases/download/v2.0.0/bao_2.0.0_Linux_x86_64.tar.gz | tar xz -C /usr/local/bin bao
+
+WORKDIR /usr/src/app
+
+COPY . .
+
+RUN make build && \
+    ln build/nats-iam-broker-${GOOS}-${GOARCH} /usr/local/bin/nats-iam-broker && \
+    ln build/test-client-${GOOS}-${GOARCH} /usr/local/bin/test-client
+
+ENTRYPOINT ["bash"]

Makefile

@@ -0,0 +1,107 @@
+# get target architecture
+LOCAL_ARCH := $(shell uname -m)
+ifeq ($(LOCAL_ARCH),x86_64)
+	TARGET_ARCH_LOCAL=amd64
+else ifeq ($(shell echo $(LOCAL_ARCH) | head -c 5),armv8)
+	TARGET_ARCH_LOCAL=arm64
+else ifeq ($(shell echo $(LOCAL_ARCH) | head -c 4),armv)
+	TARGET_ARCH_LOCAL=arm
+else ifeq ($(shell echo $(LOCAL_ARCH) | head -c 5),arm64)
+	TARGET_ARCH_LOCAL=arm64
+else ifeq ($(shell echo $(LOCAL_ARCH) | head -c 7),aarch64)
+	TARGET_ARCH_LOCAL=arm64
+else
+	TARGET_ARCH_LOCAL=amd64
+endif
+export GOARCH ?= $(TARGET_ARCH_LOCAL)
+
+# get docker tag
+ifeq ($(GOARCH),amd64)
+	LATEST_TAG?=latest
+else
+	LATEST_TAG?=latest-$(GOARCH)
+endif
+
+# get target os
+LOCAL_OS := $(shell uname -s)
+ifeq ($(LOCAL_OS),Linux)
+   TARGET_OS_LOCAL = linux
+else ifeq ($(LOCAL_OS),Darwin)
+   TARGET_OS_LOCAL = darwin
+   PATH := $(PATH):$(HOME)/go/bin/darwin_$(GOARCH)
+else
+   echo "Not Supported"
+   TARGET_OS_LOCAL = windows
+endif
+export GOOS ?= $(TARGET_OS_LOCAL)
+
+# Default docker container and e2e test target.
+TARGET_OS ?= linux
+TARGET_ARCH ?= amd64
+
+OUT_DIR := ./dist
+
+.DEFAULT_GOAL := all
+
+DOCKER_REGISTRY ?= ghcr.io/jr200
+IMAGE_NAME ?= nats-iam-broker
+
+
+################################################################################
+# Target: all                                                                  #
+################################################################################
+.PHONY: all
+all: fmt build
+
+################################################################################
+# Target: fmt                                                                  #
+################################################################################
+.PHONY: fmt
+fmt:
+	go fmt $$(go list ./...)
+
+################################################################################
+# Target: build                                                                #
+################################################################################
+.PHONY: build
+build:
+	CGO_ENABLED=0 GOOS=$(GOOS) GOARCH=$(GOARCH) \
+	go build -o build/nats-iam-broker-$(GOOS)-$(GOARCH) -gcflags "all=-N -l" -ldflags '-extldflags "-static"' \
+	cmd/nats-iam-broker/main.go
+
+	CGO_ENABLED=0 GOOS=$(GOOS) GOARCH=$(GOARCH) \
+	go build -o build/test-client-$(GOOS)-$(GOARCH) -gcflags "all=-N -l" -ldflags '-extldflags "-static"' \
+	cmd/test-client/main.go
+
+
+################################################################################
+# Target: docker-build-example                                                 #
+################################################################################
+.PHONY: docker-build-example
+docker-build-example:
+	docker build \
+		-f Dockerfile \
+		--build-arg GOOS=linux --build-arg GOARCH=amd64 \
+		-t nats-iam-broker:debug \
+		.
+
+################################################################################
+# Target: example-shell                                                        #
+################################################################################
+.PHONY: example-shell
+example-shell: docker-build-example
+	docker run --rm -it --entrypoint bash nats-iam-broker:debug
+
+################################################################################
+# Target: example-basic                                                        #
+################################################################################
+.PHONY: example-basic
+example-basic: docker-build-example
+	docker run --rm --entrypoint examples/basic/run.sh nats-iam-broker:debug -log-human -log=info
+
+################################################################################
+# Target: example-rgb_org                                                      #
+################################################################################
+.PHONY: example-rgb_org
+example-rgb_org: docker-build-example
+	docker run --rm --entrypoint examples/rgb_org/run.sh nats-iam-broker:debug -log-human -log=info