Add TLS and static token authentication. Add kratos for managing app (#9

) * Add TLS and static token authentication. Add kratos for managing app * fix registry image
pbufio · Nov 22, 2023 · eb3f8e9 · eb3f8e9
1 parent 921d438
commit eb3f8e9
Show file tree

Hide file tree

Showing 28 changed files with 986 additions and 895 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -4,6 +4,7 @@ on:
   push:
     tags:
       - "v[0-9]+.[0-9]+.[0-9]+"
+      - "v[0-9]+.[0-9]+.[0-9]+-rc.[0-9]+"
 
 permissions:
   contents: write

diff --git a/.gitignore b/.gitignore
@@ -15,6 +15,7 @@ bin/
 
 # Output of the go coverage tool, specifically when used with LiteIDE
 *.out
+*.DS_store
 
 # Dependency directories (remove the comment below to include it)
 # vendor/
@@ -24,3 +25,6 @@ go.work
 
 # IDE
 .idea
+
+# SSL Certificates
+gen/certs/
diff --git a/Makefile b/Makefile
@@ -72,6 +72,21 @@ run:
 stop:
 	docker-compose -f docker-compose.dev.yml down
 
+.PHONY: cert-gen
+# generate cert
+cert-gen:
+	./scripts/cert-gen.sh
+
+.PHONY: run-prod
+# run prod
+run-prod:
+	docker-compose -f docker-compose.yml up --force-recreate -d
+
+.PHONY: stop-prod
+# stop prod
+stop-prod:
+	docker-compose -f docker-compose.yml down
+
 # show help
 help:
 	@echo ''

diff --git a/README.md b/README.md
@@ -24,7 +24,14 @@ The registry solves this problem by providing a central place to store and manag
 #### Steps
 
 1. Clone the repository
-2. Run `docker-compose up -d`
+2. Generate certificates with `make certs-gen` command (they will appear in `gen/certs` folder) or put your own certificates in the folder
+3. Export `SERVER_STATIC_TOKEN` with static authorization token
+4. Run `make run-prod` to start the registry
+5. Run `make stop-prod` to stop the running registry
+
+#### Configuration
+
+The registry can be configured with environment variables that overrides values in the `config/config.yaml` file. For instance, to change the database DSN you can set `DATA_DATABASE_DSN` environment variable that is reflect to `data.database.dsn` yaml property.
 
 ### Helm Chart
 
@@ -63,7 +70,7 @@ The registry provides a REST API (`:8080` port by default). You can find the swa
 
 #### gRPC
 
-The registry provides a gRPC API (`:8081` port by default). You can find the protobuf definition [here](https://github.com/pbufio/pbuf-registry/blob/main/api/v1/registry.proto)
+The registry provides a gRPC API (`:6777` port by default). You can find the protobuf definition [here](https://github.com/pbufio/pbuf-registry/blob/main/api/v1/registry.proto)
 
 ## Development and Contributing
 

diff --git a/buf.gen.yaml b/buf.gen.yaml
@@ -6,8 +6,8 @@ plugins:
   - plugin: go-grpc
     out: gen
     opt: paths=source_relative
-  - plugin: grpc-gateway
+  - plugin: go-http
     out: gen
-    opt: paths=source_relative,generate_unbound_methods=true
+    opt: paths=source_relative
   - plugin: openapiv2
     out: gen
diff --git a/cmd/main.go b/cmd/main.go
@@ -2,88 +2,57 @@ package main
 
 import (
 	"context"
-	"log"
-	"net"
-	"net/http"
+	"os"
 
-	"github.com/grpc-ecosystem/grpc-gateway/v2/runtime"
+	"github.com/go-kratos/kratos/v2"
+	"github.com/go-kratos/kratos/v2/log"
 	"github.com/jackc/pgx/v5/pgxpool"
-	v1 "github.com/pbufio/pbuf-registry/gen/pbuf-registry/v1"
 	"github.com/pbufio/pbuf-registry/internal/config"
 	"github.com/pbufio/pbuf-registry/internal/data"
 	"github.com/pbufio/pbuf-registry/internal/server"
-	"google.golang.org/grpc"
-	"google.golang.org/grpc/reflection"
 )
 
-func startGRPCServer(address string, grpcServer *grpc.Server) error {
-	listen, err := net.Listen("tcp", address)
-	if err != nil {
-		return err
-	}
-	return grpcServer.Serve(listen)
-}
-
-func startHTTPServer(address string, grpcServer *server.RegistryServer) error {
-	ctx := context.Background()
-	ctx, cancel := context.WithCancel(ctx)
-	defer cancel()
-
-	mux := runtime.NewServeMux()
-	err := v1.RegisterRegistryHandlerServer(ctx, mux, grpcServer)
-	if err != nil {
-		return err
-	}
-
-	return http.ListenAndServe(address, mux)
-}
-
-func startDebugServer(address string) error {
-	// add /healthz endpoint
-	mux := runtime.NewServeMux()
+// go build -ldflags "-X main.Version=x.y.z"
+var (
+	// Name is the name of the compiled software.
+	Name string
+	// Version is the version of the compiled software.
+	Version string
 
-	err := mux.HandlePath("GET", "/healthz", func(w http.ResponseWriter, r *http.Request, pathParams map[string]string) {
-		w.WriteHeader(http.StatusOK)
-	})
-
-	if err != nil {
-		log.Fatalf("failed to register debug server: %v", err)
-	}
-
-	return http.ListenAndServe(address, mux)
-}
+	id, _ = os.Hostname()
+)
 
 func main() {
 	config.NewLoader().MustLoad()
 
-	grpcServer := grpc.NewServer()
+	logger := log.DefaultLogger
+	logHelper := log.NewHelper(logger)
 
 	pool, err := pgxpool.New(context.Background(), config.Cfg.Data.Database.DSN)
 	if err != nil {
-		log.Fatalf("failed to connect to database: %v", err)
+		logHelper.Errorf("failed to connect to database: %v", err)
+		return
 	}
-
-	registryRepository := data.NewRegistryRepository(pool)
-	registryServer := server.NewRegistryServer(registryRepository)
-	v1.RegisterRegistryServer(grpcServer, registryServer)
-	reflection.Register(grpcServer)
-
-	go func() {
-		err := startGRPCServer(config.Cfg.Server.GRPC.Addr, grpcServer)
-		if err != nil {
-			log.Fatalf("failed to start grpc server: %v", err)
-		}
-	}()
-
-	go func() {
-		err = startHTTPServer(config.Cfg.Server.HTTP.Addr, registryServer)
-		if err != nil {
-			log.Fatalf("failed to start http server: %v", err)
-		}
-	}()
-
-	err = startDebugServer(config.Cfg.Server.Debug.Addr)
+	defer pool.Close()
+
+	registryRepository := data.NewRegistryRepository(pool, logger)
+	registryServer := server.NewRegistryServer(registryRepository, logger)
+
+	app := kratos.New(
+		kratos.ID(id),
+		kratos.Name(Name),
+		kratos.Version(Version),
+		kratos.Metadata(map[string]string{}),
+		kratos.Logger(logger),
+		kratos.Server(
+			server.NewGRPCServer(&config.Cfg.Server, registryServer, logger),
+			server.NewHTTPServer(&config.Cfg.Server, registryServer, logger),
+			server.NewDebugServer(&config.Cfg.Server, logger),
+		),
+	)
+
+	err = app.Run()
 	if err != nil {
-		log.Fatalf("failed to start debug server: %v", err)
+		logHelper.Errorf("failed to run application: %v", err)
 	}
 }
diff --git a/docker-compose.dev.yml b/docker-compose.dev.yml
@@ -22,7 +22,7 @@ services:
       - db
     ports:
     - "8080:8080"
-    - "8081:8081"
+    - "6777:6777"
     - "8082:8082"
     healthcheck:
       test: wget -O - http://localhost:8082/healthz || exit 1

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -17,20 +17,30 @@ services:
       timeout: 10s
       retries: 5
   pbuf-registry:
-    image: ghcr.io/pbufio/registry:v0.1.2
+    image: ghcr.io/pbufio/registry:v0.3.0-rc.1
     restart: always
     depends_on:
       - db
     ports:
       - "8080:8080"
-      - "8081:8081"
+      - "6777:6777"
       - "8082:8082"
     healthcheck:
       test: wget -O - http://localhost:8082/healthz || exit 1
       interval: 5s
       timeout: 10s
       retries: 5
+    volumes:
+      - ./gen/certs:/app/certs
     environment:
       DATA_DATABASE_DSN: "postgres://pbuf:pbuf@db:5432/pbuf_registry?sslmode=disable"
+      SERVER_GRPC_TLS_ENABLED: true
+      SERVER_GRPC_TLS_CERTFILE: /app/certs/server-cert.pem
+      SERVER_GRPC_TLS_KEYFILE: /app/certs/server-key.pem
+      SERVER_GRPC_AUTH_ENABLED: true
+      SERVER_GRPC_AUTH_TYPE: static-token
+      SERVER_HTTP_AUTH_ENABLED: true
+      SERVER_HTTP_AUTH_TYPE: static-token
+      SERVER_STATIC_TOKEN: ${SERVER_STATIC_TOKEN}
     command: >
       sh -c "/app/pbuf-migrations && /app/pbuf-registry"