Move to latest events/permissions (#68)

# Summary

- [x] bump go to `1.21`
- [x] uplift to latest events and permissions 
- [x] Remove manual pubsubhooks in favor of upstream `x`, now that it
has annotation to tag an ent field as an `additionalSubject` in the
event message
- [x] add tracing to chart

---------

Signed-off-by: Matt Siwiec <[email protected]>

Author: rizzza

.devcontainer/.env

@@ -6,8 +6,10 @@ COCKROACH_URL="postgresql://root@crdb:26257/ipam_dev?sslmode=disable"
 # ipam config
 ATLAS_DB_URI="postgresql://root@crdb:26257/atlas_migrations?sslmode=disable"
 IPAMAPI_CRDB_URI="postgresql://root@crdb:26257/ipam_dev?sslmode=disable"
-IPAMAPI_EVENTS_PUBLISHER_NATS_CREDSFILE="/workspaces/ipam-api/.devcontainer/nsc/nkeys/creds/LOCAL/IPAM/USER.creds"
-IPAMAPI_EVENTS_PUBLISHER_PREFIX="com.example"
+IPAMAPI_EVENTS_NATS_CREDSFILE="/workspaces/ipam-api/.devcontainer/nsc/nkeys/creds/LOCAL/IPAM/USER.creds"
+IPAMAPI_EVENTS_NATS_PUBLISHPREFIX=com.infratographer
+IPAMAPI_PERMISSIONS_IGNORENORESPONDERS=true
+
 # IPAMAPI_TRACING_ENABLED="true"
 # IPAMAPI_TRACING_PROVIDER="passthrough"
 

.devcontainer/Dockerfile

@@ -1,7 +1,9 @@
+ARG GO_VERSION=1.21
+
 # Used to install CRDB into the devcontainer
 FROM cockroachdb/cockroach:latest-v22.2 as CRDB
 
-FROM mcr.microsoft.com/vscode/devcontainers/go:0-1.20-bullseye
+FROM mcr.microsoft.com/vscode/devcontainers/go:1-${GO_VERSION}-bullseye
 
 # Set up crdb
 RUN mkdir /usr/local/lib/cockroach

.devcontainer/devcontainer.json

@@ -12,6 +12,7 @@
 					"editor.defaultFormatter": "golang.go"
 				},
 				"go.buildTags": "testtools",
+				"go.formatTool": "goimports",
 				"go.lintTool": "golangci-lint",
 				"gopls": {
 					"formatting.gofumpt": true,

.devcontainer/docker-compose.yml

@@ -9,7 +9,7 @@ services:
       context: .
       dockerfile: Dockerfile
       args:
-        VARIANT: 1.20-bullseye
+        VARIANT: 1.21-bullseye
         NODE_VERSION: "none"
     # Overrides default command so things don't shut down after the process ends.
     command: sleep infinity

chart/ipam-api/Chart.lock

@@ -1,9 +1,9 @@
 dependencies:
 - name: common
   repository: https://charts.bitnami.com/bitnami
-  version: 2.6.0
+  version: 2.13.4
 - name: reloader
   repository: https://stakater.github.io/stakater-charts
-  version: 1.0.32
-digest: sha256:698c6c812d8f6a1538349c9368c6caeaac412af707d431453c74600f1aba5761
-generated: "2023-07-29T00:57:46.327102562Z"
+  version: 1.0.54
+digest: sha256:2bfa09e93ff7ea83fb0aad3ddedbd4afcc2c578a3d2a4b7ab2feb4980c981338
+generated: "2023-12-20T18:32:04.737779584Z"

chart/ipam-api/Chart.yaml

@@ -11,8 +11,8 @@ dependencies:
     repository: https://charts.bitnami.com/bitnami
     tags:
       - bitnami-common
-    version: 2.6.0
+    version: 2.13.4
   - name: reloader
     condition: reloader.enabled
-    version: "1.0.32"
+    version: "1.0.54"
     repository: "https://stakater.github.io/stakater-charts"

chart/ipam-api/charts/common-2.1.1.tgz

@@ -5,15 +5,33 @@ metadata:
   labels:
     {{- include "common.labels.standard" . | nindent 4 }}
 data:
-  IPAMAPI_EVENTS_PUBLISHER_PREFIX: "{{ .Values.api.events.topicPrefix }}"
-  IPAMAPI_EVENTS_PUBLISHER_URL: "{{ .Values.api.events.connectionURL }}"
+  IPAMAPI_EVENTS_NATS_URL: "{{ .Values.api.events.nats.url }}"
+  IPAMAPI_EVENTS_NATS_PUBLISHPREFIX: "{{ .Values.api.events.nats.publishPrefix }}"
+  IPAMAPI_EVENTS_NATS_QUEUEGROUP: "{{ .Values.api.events.nats.queueGroup }}"
+  IPAMAPI_EVENTS_NATS_SOURCE: "{{ .Values.api.events.nats.source }}"
+  IPAMAPI_EVENTS_NATS_CONNECTTIMEOUT: "{{ .Values.api.events.nats.connectTimeout }}"
+  IPAMAPI_EVENTS_NATS_SHUTDOWNTIMEOUT: "{{ .Values.api.events.nats.shutdownTimeout }}"
+{{- if .Values.api.events.nats.credsSecretName }}
+  IPAMAPI_EVENTS_NATS_CREDSFILE: "{{ .Values.api.events.nats.credsFile }}"
+{{- end }}
   IPAMAPI_OIDC_ENABLED: "{{ .Values.api.oidc.enabled }}"
   IPAMAPI_OIDC_AUDIENCE: "{{ .Values.api.oidc.audience }}"
   IPAMAPI_OIDC_ISSUER: "{{ .Values.api.oidc.issuer }}"
   IPAMAPI_OIDC_JWKS_REMOTE_TIMEOUT: "{{ .Values.api.oidc.jwksRemoteTimeout }}"
+  IPAMAPI_PERMISSIONS_IGNORENORESPONDERS: "{{ .Values.api.permissions.ignoreNoResponders }}"
   IPAMAPI_PERMISSIONS_URL: "{{ .Values.api.permissions.url }}"
   IPAMAPI_SERVER_LISTEN: ":{{ .Values.api.listenPort }}"
   IPAMAPI_SERVER_SHUTDOWN_GRACE_PERIOD: "{{ .Values.api.shutdownGracePeriod }}"
+{{- if .Values.api.tracing.enabled }}
+  IPAMAPI_TRACING_ENABLED: "{{ .Values.api.tracing.enabled }}"
+  IPAMAPI_TRACING_PROVIDER: "{{ .Values.api.tracing.provider }}"
+  IPAMAPI_TRACING_ENVIRONMENT: "{{ .Values.api.tracing.environment }}"
+{{- if eq .Values.api.tracing.provider "otlpgrpc" }}
+  IPAMAPI_TRACING_OTLP_ENDPOINT: "{{ .Values.api.tracing.otlp.endpoint }}"
+  IPAMAPI_TRACING_OTLP_INSECURE: "{{ .Values.api.tracing.otlp.insecure }}"
+  IPAMAPI_TRACING_OTLP_CERTIFICATE: "{{ .Values.api.tracing.otlp.certificate }}"
+{{- end }}
+{{- end }}
 {{- with .Values.api.trustedProxies }}
   IPAMAPI_SERVER_TRUSTED_PROXIES: "{{ join " " . }}"
 {{- end }}

chart/ipam-api/charts/reloader-v0.0.124.tgz

@@ -67,6 +67,9 @@ spec:
           {{- end }}
           {{- end }}
           envFrom:
+          {{- if .Values.api.extraEnvFrom }}
+            {{- toYaml .Values.api.extraEnvFrom | nindent 12 }}
+          {{- end }}
             - secretRef:
                 name: {{ .Values.api.db.uriSecret }}
             - configMapRef:
@@ -92,7 +95,7 @@ spec:
               path: /readyz
               port: http
           volumeMounts:
-            {{- if .Values.api.events.auth.secretName  }}
+            {{- if .Values.api.events.nats.credsSecretName }}
             - name: events-creds
               mountPath: /nats
             {{- end }}
@@ -116,10 +119,10 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       volumes:
-        {{- if .Values.api.events.auth.secretName  }}
+        {{- if .Values.api.events.nats.credsSecretName  }}
         - name: events-creds
           secret:
-            secretName: "{{ .Values.api.events.auth.secretName }}"
+            secretName: "{{ .Values.api.events.nats.credsSecretName }}"
         {{- end }}
         {{- if .Values.api.db.certSecret }}
         - name: dbcerts

chart/ipam-api/templates/api-config.yaml

@@ -1,7 +1,7 @@
 image:
   repository: ghcr.io/infratographer/ipam-api
   pullPolicy: IfNotPresent
-  tag: "v0.0.13"
+  tag: "main-latest"
 
 imagePullSecrets: []
 nameOverride: ""
@@ -34,16 +34,31 @@ api:
   listenPort: 7608
   extraLabels: {}
   extraAnnotations: {}
+  extraEnvFrom: {}
   extraEnvVars: {}
   resources: {}
   podSecurityContext: {}
   securityContext: {}
   events:
-    connectionURL: "my-events-cluster.example.com:4222"
-    auth:
-      secretName: "events-creds"
-      credsPath: "/nats/creds"
-    topicPrefix: "com.infratographer"
+    nats:
+      # url is the event server connection url
+      url: "nats://my-events-cluster.example.com:4222"
+      # publishPrefix is the subscribe event prefix
+      publishPrefix: "com.infratographer"
+      # queueGroup defines the events queue group
+      queueGroup: ""
+      # source defines the source of the events (defaults to application name)
+      source: ""
+      # connectTimeout is event connection timeout
+      connectTimeout: "10s"
+      # shutdownTimeout is the shutdown grace period
+      shutdownTimeout: "5s"
+      # tokenSecretName is the secret to load the auth token
+      tokenSecretName: ""
+      # credsSecretName is the secret to load the creds auth file from
+      credsSecretName: ""
+      # credsFile is the location to read the creds file from
+      credsFile: "/nats/creds"
   db:
     uriSecret: ipam-api-db-uri
     certSecret: ipam-api-db-ca
@@ -58,12 +73,26 @@ api:
 
   permissions:
     url: ""
+    # ignoreNoResponders whether or not to ignore errors when no AuthRelationship request-reply responders are available
+    ignoreNoResponders: false
 
   shutdownGracePeriod: 5s
   trustedProxies: []
   # - "1.2.3.4"
   # - "1.2.3.4/32"
   # - "1.2.3.0/24"
+  tracing:
+    # enabled is true if OpenTelemetry tracing should be enabled for permissions-api
+    enabled: false
+    # environment is the OpenTelemetry tracing environment to use
+    environment: ""
+    # provider is the OpenTelemetry tracing provider to use
+    provider: stdout
+    otlp:
+      # endpoint is the OpenTelemetry Protocol (OTLP) collector endpoint to send traces to
+      endpoint: ""
+      # insecure is true if TLS should not be required when sending traces
+      insecure: false
 
 reloader:
   enabled: false

chart/ipam-api/templates/deployment.yaml

@@ -25,7 +25,7 @@ import (
 
 	"go.infratographer.com/ipam-api/internal/config"
 	ent "go.infratographer.com/ipam-api/internal/ent/generated"
-	"go.infratographer.com/ipam-api/internal/ent/generated/pubsubhooks"
+	"go.infratographer.com/ipam-api/internal/ent/generated/eventhooks"
 	"go.infratographer.com/ipam-api/internal/graphapi"
 )
 
@@ -65,7 +65,7 @@ func init() {
 	serveCmd.Flags().BoolVar(&enablePlayground, "playground", false, "enable the graph playground")
 	serveCmd.Flags().StringVar(&pidFileName, "pid-file", "", "path to the pid file")
 
-	events.MustViperFlagsForPublisher(viper.GetViper(), serveCmd.Flags(), appName)
+	events.MustViperFlags(viper.GetViper(), serveCmd.Flags(), appName)
 	permissions.MustViperFlags(viper.GetViper(), serveCmd.Flags())
 }
 
@@ -79,11 +79,15 @@ func serve(ctx context.Context) error {
 		logger = loggingx.InitLogger(appName, config.AppConfig.Logging)
 	}
 
-	pub, err := events.NewPublisher(config.AppConfig.Events.Publisher)
+	events, err := events.NewConnection(config.AppConfig.Events, events.WithLogger(logger))
 	if err != nil {
-		logger.Fatalw("failed to create publisher", "error", err)
+		logger.Fatalw("failed to create events connection", "error", err)
 	}
 
+	defer func() {
+		_ = events.Shutdown(ctx)
+	}()
+
 	err = otelx.InitTracer(config.AppConfig.Tracing, appName, logger)
 	if err != nil {
 		logger.Fatalw("failed to initialize tracer", "error", err)
@@ -98,7 +102,7 @@ func serve(ctx context.Context) error {
 
 	entDB := entsql.OpenDB(dialect.Postgres, db)
 
-	cOpts := []ent.Option{ent.Driver(entDB), ent.EventsPublisher(pub)}
+	cOpts := []ent.Option{ent.Driver(entDB), ent.EventsPublisher(events)}
 
 	if config.AppConfig.Logging.Debug {
 		cOpts = append(cOpts,
@@ -110,7 +114,7 @@ func serve(ctx context.Context) error {
 	client := ent.NewClient(cOpts...)
 	defer client.Close()
 
-	pubsubhooks.PubsubHooks(client)
+	eventhooks.EventHooks(client)
 
 	// Run the automatic migration tool to create all schema resources.
 	if err := client.Schema.Create(ctx); err != nil {
@@ -130,14 +134,15 @@ func serve(ctx context.Context) error {
 		middleware = append(middleware, auth.Middleware())
 	}
 
-	srv, err := echox.NewServer(logger.Desugar(), config.AppConfig.Server, versionx.BuildDetails())
+	srv, err := echox.NewServer(logger.Desugar(), config.AppConfig.Server, versionx.BuildDetails(), echox.WithLoggingSkipper(echox.SkipDefaultEndpoints))
 	if err != nil {
 		logger.Error("failed to create server", zap.Error(err))
 	}
 
 	perms, err := permissions.New(config.AppConfig.Permissions,
 		permissions.WithLogger(logger),
 		permissions.WithDefaultChecker(permissions.DefaultAllowChecker),
+		permissions.WithEventsPublisher(events),
 	)
 	if err != nil {
 		logger.Fatal("failed to initialize permissions", zap.Error(err))