Git Webhook Relay demo app
- OTEL_ENABLED: enable OpenTelemetry, default is false
- OTEL_HOSTNAME: hostname of the OpenTelemetry Collector (bare host name, no scheme), default is localhost
- OTEL_PROTOCOL: protocol of the OpenTelemetry Collector, default is grpc
- OTEL_PORT: port of the OpenTelemetry Collector, default is 4317
- OTEL_SERVICE_NAME: service name of the component, default is Gitstafette
- OTEL_TRACE_SAMPLING_RATE: sampling rate of the traces (fraction of traces kept, 0 to 1), default is 1
- Should we ignore X-GitHub-Event: create?
- set Kubernetes security
- SecurityContext: https://snyk.io/blog/10-kubernetes-security-context-settings-you-should-understand/
- Seccomp profiles: https://itnext.io/seccomp-in-kubernetes-part-i-7-things-you-should-know-before-you-even-start-97502ad6b6d6
- Pod Security Admission: https://kubernetes.io/blog/2022/08/25/pod-security-admission-stable/
- Network policies: https://kubernetes.io/docs/concepts/services-networking/network-policies/
- CI/CD In Kubernetes
- Build with Tekton / CloudNative BuildPacks
- generate SBOM/SPDX
- deploy via Crossplane
- Add Sentry support for client
- Expose State with GraphQL
- with authentication
- Gitstafette Explorer?
- track relay status per client
- alternative setup with CIVO cloud
- CI/CD In Kubernetes
- Scan with Snyk?
- Testcontainers?
- combine steps with Cartographer?
- Kubernetes Controller + CR for generating clients
- Metacontroller?
- Operator?
- (GRPC) Server should support multiple clients --> Does!
- add CR to cluster for individual Repo's, then spawn a client
- https://betterprogramming.pub/build-a-kubernetes-operator-in-10-minutes-11eec1492d30
- Clients in multiple languages?
- Java (20, spring boot 3, native?)
- Rust: https://blog.ediri.io/creating-a-microservice-in-rust-using-grpc?s=31
- GRPC Optimizations
- Multiplexing
- Multiple Servers with a LB (Client, separate server?)
- Compression
- Deadlines + Cancellation + Timeouts
- Metadata (Authentication, tracing, ...)
- Tracing via Interceptors?
- Business Metrics via Interceptors
- Do OAUTH 2 via Interceptors/per RPC
- JWT or Oauth2 via a server (Keycloak, Vault?)
- Gateway for the Webhook listening
- https://golangcode.com/generate-sha256-hmac/
- https://docs.github.com/en/developers/webhooks-and-events/webhooks/securing-your-webhooks
kubectl port-forward -n gitstafette svc/gitstafette-config 7777:1323
http :7777
kubectl port-forward -n gitstafette svc/gitstafette-config 7777:50051
grpc-health-probe -addr=localhost:7777
- https://github.com/fullstorydev/grpcurl
- https://github.com/grpc-ecosystem/grpc-cloud-run-example/tree/master/golang
- https://github.com/grpc/grpc-go/blob/master/Documentation/keepalive.md
- https://github.com/grpc/grpc-go/tree/master/examples/features/keepalive
- https://github.com/GoogleCloudPlatform/golang-samples/tree/main/run/grpc-server-streaming
- http://www.inanzzz.com/index.php/post/cvjx/using-oauth-authentication-tokens-for-grpc-client-and-server-communications-in-golang
- running server without TLS
grpcurl \
-plaintext \
-proto api/v1/gitstafette.proto \
-d '{"client_id": "me", "repository_id": "537845873", "last_received_event_id": 1}' \
localhost:50051 \
gitstafette.v1.Gitstafette.FetchWebhookEvents
- running server with TLS (server certificate issued by a CA the local trust store already knows; no client certificate)
grpcurl \
-proto api/v1/gitstafette.proto \
-d '{"client_id": "me", "repository_id": "537845873", "last_received_event_id": 1}' \
localhost:50051 \
gitstafette.v1.Gitstafette.FetchWebhookEvents
- running server with mutual TLS (private CA, and a client certificate and key presented to the server)
grpcurl \
-proto api/v1/gitstafette.proto \
-d '{"client_id": "me", "repository_id": "537845873", "last_received_event_id": 1}' \
-cacert /mnt/d/Projects/homelab-rpi/certs/ca.pem \
-cert /mnt/d/Projects/homelab-rpi/certs/gitstafette/client-local.pem \
-key /mnt/d/Projects/homelab-rpi/certs/gitstafette/client-local-key.pem \
localhost:50051 \
gitstafette.v1.Gitstafette.FetchWebhookEvents
- When insecure
grpc-health-probe -addr=localhost:50051
- When secure (mutual TLS, same CA and client certificate as the grpcurl call above)
grpc-health-probe -addr=localhost:50051 \
-tls \
-tls-ca-cert /mnt/d/Projects/homelab-rpi/certs/ca.pem \
-tls-client-cert /mnt/d/Projects/homelab-rpi/certs/gitstafette/client-local.pem \
-tls-client-key /mnt/d/Projects/homelab-rpi/certs/gitstafette/client-local-key.pem
- https://stackoverflow.com/questions/59352845/how-to-implement-go-grpc-go-health-check
- https://github.com/grpc/grpc/blob/master/doc/health-checking.md
http POST http://localhost:1323/v1/github/ \
X-Github-Delivery:d4049330-377e-11ed-9c2e-1ae286aab35f \
X-Github-Hook-Installation-Target-Id:537845873 \
X-Github-Hook-Installation-Target-Type:repository \
X-GitHub-Event:push \
Test=True
http POST http://localhost:1323/v1/github/ \
X-Github-Delivery:d4049330-377e-11ed-9c2e-1ae286aab35f \
X-Github-Hook-Installation-Target-Id:478599060 \
X-Github-Hook-Installation-Target-Type:repository \
X-GitHub-Event:push \
Test=True
http POST https://gitstafette-server-http-qad46fd4qq-ez.a.run.app/v1/github/ \
X-Github-Delivery:d4049330-377e-11ed-9c2e-1ae286aab35f \
X-Github-Hook-Installation-Target-Id:537845873 \
X-Github-Hook-Installation-Target-Type:repository \
X-GitHub-Event:push \
Test=True
http POST http://localhost:1323/v1/github/ \
X-Github-Delivery:d4049330-377e-11ed-9c2e-1ae286aab35f \
X-Github-Hook-Installation-Target-Id:537845873 \
X-Github-Hook-Installation-Target-Type:repository \
X-GitHub-Event:push \
x-hub-signature-256:sha256=b101fdde955cb8809872eaa41d56838c9fbaa7aace134743cfd1fea7b87dc74e \
Test=True
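The gateway for webhook listening (the HMAC links above) and the signed request just shown come down to one check: recompute HMAC-SHA256 over the raw request body with the webhook secret and compare it in constant time against X-Hub-Signature-256, before trusting any other header. The handler below is an added example written for this page, not the project's own code: WebhookHandler, VerifySignature, ComputeSignature, IgnoredEvents, the deliver callback, the 1 MiB body cap and the placeholder secret are all assumptions. It also answers the "should we ignore X-GitHub-Event: create?" question from the list above by making ignored events a configuration map, consulted only after the signature has been verified.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"io"
	"log"
	"net/http"
	"strings"
)

// maxBodyBytes caps the webhook payload read into memory (assumed limit,
// not a value from the project).
const maxBodyBytes = 1 << 20

// ComputeSignature returns what GitHub sends in X-Hub-Signature-256:
// "sha256=" followed by hex(HMAC-SHA256(secret, rawBody)).
func ComputeSignature(secret, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return "sha256=" + hex.EncodeToString(mac.Sum(nil))
}

// VerifySignature recomputes the MAC over the raw body and compares it with
// the header value in constant time, so a forged header cannot be matched
// byte by byte through timing. A missing or malformed header fails closed.
func VerifySignature(secret, body []byte, header string) bool {
	const prefix = "sha256="
	if !strings.HasPrefix(header, prefix) {
		return false
	}
	got, err := hex.DecodeString(header[len(prefix):])
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return hmac.Equal(got, mac.Sum(nil))
}

// IgnoredEvents holds X-GitHub-Event values the relay drops after a valid
// signature. Listing "create" here (assumed choice) makes the question on
// this page a configuration decision rather than a code change.
var IgnoredEvents = map[string]bool{"create": true}

// WebhookHandler builds the /v1/github/ endpoint. deliver is the hypothetical
// hook into the relay that receives an authenticated, non-ignored event.
func WebhookHandler(secret []byte, ignored map[string]bool,
	deliver func(event, deliveryID string, body []byte)) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		// Bound the read before doing any work so an oversized body cannot
		// exhaust memory; read one byte past the cap to detect overflow.
		body, err := io.ReadAll(io.LimitReader(r.Body, maxBodyBytes+1))
		if err != nil || len(body) > maxBodyBytes {
			http.Error(w, "payload too large or unreadable", http.StatusRequestEntityTooLarge)
			return
		}
		// Authenticate the raw bytes before parsing or trusting any header.
		if !VerifySignature(secret, body, r.Header.Get("X-Hub-Signature-256")) {
			http.Error(w, "invalid or missing X-Hub-Signature-256", http.StatusUnauthorized)
			return
		}
		event := r.Header.Get("X-GitHub-Event")
		if ignored[event] {
			w.WriteHeader(http.StatusNoContent)
			return
		}
		deliver(event, r.Header.Get("X-GitHub-Delivery"), body)
		w.WriteHeader(http.StatusAccepted)
	})
}

func main() {
	// Placeholder secret; in a deployment it comes from wherever the GitHub
	// webhook secret was configured, never from source.
	secret := []byte("replace-me")
	http.Handle("/v1/github/", WebhookHandler(secret, IgnoredEvents,
		func(event, id string, body []byte) {
			log.Printf("event=%s delivery=%s bytes=%d", event, id, len(body))
		}))
	log.Fatal(http.ListenAndServe(":1323", nil))
}
```

The MAC is computed over the body exactly as received, so the handler must read the raw bytes first and only parse JSON afterwards; any middleware that rewrites the body before this point breaks verification. Comparing with hmac.Equal rather than == is what keeps the check constant-time.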
- https://cloud.google.com/run/docs/configuring/containers
- https://cloud.google.com/run/docs/deploying#terraform
- https://ahmet.im/blog/cloud-run-multiple-processes-easy-way/
- https://github.com/ahmetb/multi-process-container-lazy-solution/blob/master/start.sh
- https://cloud.google.com/blog/products/serverless/cloud-run-healthchecks
Cloud Run exposes only one container port, so the HTTP and gRPC servers cannot both be reached directly. An Envoy proxy listening on that single port can route the plain HTTP webhook traffic to the HTTP server and the HTTP/2 gRPC traffic to the gRPC server.
kubectl run tmp-shell --rm -i --tty --image nicolaka/netshoot
apiVersion: packaging.carvel.dev/v1alpha1
kind: PackageRepository
metadata:
  annotations:
    kctrl.carvel.dev/repository-version: 0.0.0-08ddea6
  creationTimestamp: "2022-12-11T19:31:21Z"
  name: carvel.kearos.net
spec:
  fetch:
    imgpkgBundle:
      image: index.docker.io/caladreas/carvel-repo@sha256:328ce1a61054c6fb1aa8f291b3d32ca1b92407ad159cb1e266556d931d1cc771
---
apiVersion: packaging.carvel.dev/v1alpha1
kind: PackageInstall
metadata:
  name: gitstafette-config
  namespace: gitstafette
spec:
  serviceAccountName: default
  packageRef:
    refName: config.gitstafette.kearos.net
    versionSelection:
      constraints: 0.0.0-08ddea6
- https://gruchalski.com/posts/2022-02-20-keycloak-1700-with-tls-behind-envoy/
- https://github.com/envoyproxy/envoy/blob/main/examples/front-proxy/docker-compose.yaml
- https://docs.docker.com/compose/compose-file/#command
http POST https://localhost/v1/github/ \
Host:events.gitstafette.joostvdg.net \
X-Github-Delivery:d4049330-377e-11ed-9c2e-1ae286aab35f \
X-Github-Hook-Installation-Target-Id:537845873 \
X-Github-Hook-Installation-Target-Type:repository \
X-GitHub-Event:push \
Test=True --verify=false
export GRPC_TRACE=all
export GRPC_VERBOSITY=INFO
export GRPC_GO_LOG_VERBOSITY_LEVEL=1
export GRPC_GO_LOG_SEVERITY_LEVEL=info
- https://cloud-images.ubuntu.com/locator/ec2/
- https://developer.hashicorp.com/packer/tutorials/aws-get-started/aws-get-started-build-image
- https://docs.docker.com/engine/install/ubuntu/
- GOMock
- https://ghz.sh/docs/install
- single span containing both Server and Client
- client tags
  internal.span.format: proto
  net.peer.name: localhost
  net.peer.port: 50051
  otel_util.library.name: go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc
  otel_util.library.version: semver:0.41.1
  rpc.grpc.status_code: 0
  rpc.method: searchOrders
  rpc.service: ecommerce.OrderManagement
  rpc.system: grpc
  span.kind: client
- server tags
  internal.span.format: proto
  net.sock.peer.addr: 127.0.0.1
  net.sock.peer.port: 38842
  otel_util.library.name: go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc
  otel_util.library.version: semver:0.41.1
  rpc.grpc.status_code: 0
  rpc.method: searchOrders
  rpc.service: ecommerce.OrderManagement
  rpc.system: grpc
  span.kind: server
- client tags
  internal.span.format: proto
  otel_util.library.name: Gitstafette-Client
  span.kind: internal
- server tags
  internal.span.format: proto
  otel_util.library.name: Server
  span.kind: internal
- https://medium.com/@vcomposieux/opentelemetry-trace-and-instrument-your-application-code-3efd2a7b1de0
- https://lightstep.com/blog/opentelemetry-go-all-you-need-to-know
docker run \
-e AGENT_MODE=flow \
-v /home/joostvdg/projects/gitstafette/config.river:/etc/agent/config.river \
-p 12345:12345 \
grafana/agent:latest \
run --server.http.listen-addr=0.0.0.0:12345 /etc/agent/config.river
"transport: Error while dialing: dial tcp: address http://localhost:12345: too many colons in address"
export OTEL_SERVICE_NAME=GSF-Server-1; export OTEL_PORT=12345; go \
run cmd/server/main.go --repositories 537845873 \
--port 1323 --grpcPort 50051 --grpcHealthPort 50051
export OTEL_SERVICE_NAME=GSF-Client-1; export OTEL_PORT=12345; go \
run cmd/client/main.go --repo 537845873 --server "localhost" \
--port 50051 --insecure=true \
--streamWindow 15
export OTEL_SERVICE_NAME=GSF-Server-1; export OTEL_PORT=4317; export OTEL_ENABLED=true; export OTEL_TRACE_SAMPLING_RATE="0.2"; go \
run cmd/server/main.go --repositories 537845873 \
--port 1323 --grpcPort 50051 --grpcHealthPort 50051
export OTEL_SERVICE_NAME=GSF-Client-1; export OTEL_PORT=4317; export OTEL_ENABLED=true; export OTEL_TRACE_SAMPLING_RATE="0.2"; go \
run cmd/client/main.go --repo 537845873 --server "localhost" \
--port 50051 --insecure=true \
--streamWindow 15