mirrors/nomulus
1
0
Fork 0
mirror of https://github.com/google/nomulus synced 2026-01-07 14:05:44 +00:00
Code Issues Releases Wiki Activity

Make GKE the default in alpha and qa (#2624)

Browse Source
This commit is contained in:
Lai Jiang
2024-12-17 12:40:03 -05:00
committed by GitHub
parent f649d960c1
commit da8df1f4d9
7 changed files with 66 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
core/src/main/java/google/registry/request/auth/AuthModule.java
View File

@@ -15,6 +15,7 @@
package google.registry.request.auth; package google.registry.request.auth;
import static com.google.common.base.Preconditions.checkNotNull; import static com.google.common.base.Preconditions.checkNotNull;
import static com.google.common.base.Suppliers.memoizeWithExpiration;
import static com.google.common.net.HttpHeaders.AUTHORIZATION; import static com.google.common.net.HttpHeaders.AUTHORIZATION;
import static google.registry.util.RegistryEnvironment.UNITTEST; import static google.registry.util.RegistryEnvironment.UNITTEST;
@@ -37,8 +38,11 @@ import google.registry.request.auth.OidcTokenAuthenticationMechanism.TokenVerifi
import google.registry.util.GoogleCredentialsBundle; import google.registry.util.GoogleCredentialsBundle;
import google.registry.util.RegistryEnvironment; import google.registry.util.RegistryEnvironment;
import java.io.IOException; import java.io.IOException;
import java.time.Duration;
import java.util.function.Supplier;
import javax.annotation.Nullable; import javax.annotation.Nullable;
import javax.inject.Named; import javax.inject.Named;
import javax.inject.Provider;
import javax.inject.Qualifier; import javax.inject.Qualifier;
import javax.inject.Singleton; import javax.inject.Singleton;
@@ -87,13 +91,13 @@ public class AuthModule {
TokenVerifier provideIapTokenVerifier( TokenVerifier provideIapTokenVerifier(
@Config("projectId") String projectId, @Config("projectId") String projectId,
@Config("projectIdNumber") long projectIdNumber, @Config("projectIdNumber") long projectIdNumber,
@Named("backendServiceIdMap") ImmutableMap<String, Long> backendServiceIdMap) { @Named("backendServiceIdMap") Supplier<ImmutableMap<String, Long>> backendServiceIdMap) {
com.google.auth.oauth2.TokenVerifier.Builder tokenVerifierBuilder = com.google.auth.oauth2.TokenVerifier.Builder tokenVerifierBuilder =
com.google.auth.oauth2.TokenVerifier.newBuilder().setIssuer(IAP_ISSUER_URL); com.google.auth.oauth2.TokenVerifier.newBuilder().setIssuer(IAP_ISSUER_URL);
return (String service, String token) -> { return (String service, String token) -> {
String audience; String audience;
if (RegistryEnvironment.isOnJetty()) { if (RegistryEnvironment.isOnJetty()) {
Long backendServiceId = backendServiceIdMap.get(service); Long backendServiceId = backendServiceIdMap.get().get(service);
checkNotNull( checkNotNull(
backendServiceId, backendServiceId,
"Backend service ID not found for service: %s, available IDs are %s", "Backend service ID not found for service: %s, available IDs are %s",
@@ -156,7 +160,6 @@ public class AuthModule {
} }
@Provides @Provides
@Singleton
@Named("backendServiceIdMap") @Named("backendServiceIdMap")
static ImmutableMap<String, Long> provideBackendServiceList( static ImmutableMap<String, Long> provideBackendServiceList(
Lazy<BackendServicesClient> client, @Config("projectId") String projectId) { Lazy<BackendServicesClient> client, @Config("projectId") String projectId) {
@@ -174,4 +177,15 @@ public class AuthModule {
} }
return builder.build(); return builder.build();
} }
// Use an expiring cache so that the backend service ID map can be refreshed without restarting
// the server. The map is very unlikely to change, except for when services are just deployed
// for the first time, because some pods might receive traffic before all services are deployed.
@Provides
@Singleton
@Named("backendServiceIdMap")
static Supplier<ImmutableMap<String, Long>> provideBackendServiceIdMapSupplier(
@Named("backendServiceIdMap") Provider<ImmutableMap<String, Long>> backendServiceIdMap) {
return memoizeWithExpiration(backendServiceIdMap::get, Duration.ofMinutes(15));
}
} }

14
core/src/main/java/google/registry/tools/RegistryCli.java
View File

@@ -25,6 +25,7 @@ import com.beust.jcommander.Parameters;
import com.beust.jcommander.ParametersDelegate; import com.beust.jcommander.ParametersDelegate;
import com.google.common.base.Throwables; import com.google.common.base.Throwables;
import com.google.common.collect.ImmutableMap; import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Iterables; import com.google.common.collect.Iterables;
import google.registry.persistence.transaction.JpaTransactionManager; import google.registry.persistence.transaction.JpaTransactionManager;
import google.registry.persistence.transaction.TransactionManagerFactory; import google.registry.persistence.transaction.TransactionManagerFactory;
@@ -41,6 +42,9 @@ import org.postgresql.util.PSQLException;
@Parameters(separators = " =", commandDescription = "Command-line interface to the registry") @Parameters(separators = " =", commandDescription = "Command-line interface to the registry")
final class RegistryCli implements CommandRunner { final class RegistryCli implements CommandRunner {
private static final ImmutableSet<RegistryToolEnvironment> DEFAULT_GKE_ENVIRONMENTS =
ImmutableSet.of(RegistryToolEnvironment.ALPHA, RegistryToolEnvironment.QA);
// The environment parameter is parsed twice: once here, and once with {@link // The environment parameter is parsed twice: once here, and once with {@link
// RegistryToolEnvironment#parseFromArgs} in the {@link RegistryTool#main} function. // RegistryToolEnvironment#parseFromArgs} in the {@link RegistryTool#main} function.
// //
@@ -73,6 +77,9 @@ final class RegistryCli implements CommandRunner {
@Parameter(names = "--gke", description = "Whether to use GKE runtime, instead of GAE") @Parameter(names = "--gke", description = "Whether to use GKE runtime, instead of GAE")
private boolean useGke = false; private boolean useGke = false;
@Parameter(names = "--gae", description = "Whether to use GAE runtime, instead of GKE")
private boolean useGae = false;
@Parameter(names = "--canary", description = "Whether to connect to the canary instances") @Parameter(names = "--canary", description = "Whether to connect to the canary instances")
private boolean useCanary = false; private boolean useCanary = false;
@@ -149,6 +156,13 @@ final class RegistryCli implements CommandRunner {
} }
throw e; throw e;
} }
checkState(!useGke || !useGae, "Cannot specify both --gke and --gae");
// Special logic to set the default based on the environment if neither --gae nor --gke is set.
if (!useGke && !useGae) {
useGke = DEFAULT_GKE_ENVIRONMENTS.contains(environment);
}
String parsedCommand = jcommander.getParsedCommand(); String parsedCommand = jcommander.getParsedCommand();
// Show the list of all commands either if requested or if no subcommand name was specified // Show the list of all commands either if requested or if no subcommand name was specified
// (which does not throw a ParameterException parse error above). // (which does not throw a ParameterException parse error above).

30
jetty/build.gradle
View File

@@ -82,8 +82,36 @@ tasks.register('run', JavaExec) {
dependsOn(tasks.named('stage')) dependsOn(tasks.named('stage'))
} }
tasks.register('buildDeployer', Exec) {
workingDir("${rootDir}/release/builder/")
commandLine 'go', 'build', '-o', "${buildDir}/deployer", 'deployCloudSchedulerAndQueue.go'
}
// Once GKE is the only option, we can use the same task in the root project instaead.
tasks.register('deployCloudSchedulerAndQueue') {
dependsOn(tasks.named('deployCloudScheduler'), tasks.named('deployQueue'))
}
tasks.register('deployCloudScheduler', Exec) {
dependsOn(tasks.named('buildDeployer'))
workingDir("$buildDir")
commandLine './deployer',
"${rootDir}/core/src/main/java/google/registry/config/files/nomulus-config-${rootProject.environment}.yaml",
"${rootDir}/core/src/main/java/google/registry/env/${rootProject.environment}/default/WEB-INF/cloud-scheduler-tasks.xml",
rootProject.gcpProject, '--gke'
}
tasks.register('deployQueue', Exec) {
dependsOn(tasks.named('buildDeployer'))
workingDir("$buildDir")
commandLine './deployer',
"${rootDir}/core/src/main/java/google/registry/config/files/nomulus-config-${rootProject.environment}.yaml",
"${rootDir}/core/src/main/java/google/registry/env/common/default/WEB-INF/cloud-tasks-queue.xml",
rootProject.gcpProject, '--gke'
}
tasks.register('deployNomulus', Exec) { tasks.register('deployNomulus', Exec) {
dependsOn('pushNomulusImage', ':proxy:pushProxyImage') dependsOn('pushNomulusImage', 'deployCloudSchedulerAndQueue')
configure verifyDeploymentConfig configure verifyDeploymentConfig
commandLine './deploy-nomulus-for-env.sh', "${rootProject.environment}", "${rootProject.baseDomain}" commandLine './deploy-nomulus-for-env.sh', "${rootProject.environment}", "${rootProject.baseDomain}"
} }

8
proxy/deploy-proxy-for-env.sh
View File

@@ -32,13 +32,13 @@ do
gcloud container clusters get-credentials "${parts[0]}" \ gcloud container clusters get-credentials "${parts[0]}" \
--project "${project}" --zone "${parts[1]}" --project "${project}" --zone "${parts[1]}"
sed s/GCP_PROJECT/${project}/g "./kubernetes/proxy-deployment-${environment}.yaml" | \ sed s/GCP_PROJECT/${project}/g "./kubernetes/proxy-deployment-${environment}.yaml" | \
kubectl replace -f - kubectl apply -f -
kubectl replace -f "./kubernetes/proxy-service.yaml" --force kubectl apply -f "./kubernetes/proxy-service.yaml" --force
# Alpha does not have canary # Alpha does not have canary
if [[ ${environment} != "alpha" ]]; then if [[ ${environment} != "alpha" ]]; then
sed s/GCP_PROJECT/${project}/g "./kubernetes/proxy-deployment-${environment}-canary.yaml" | \ sed s/GCP_PROJECT/${project}/g "./kubernetes/proxy-deployment-${environment}-canary.yaml" | \
kubectl replace -f - kubectl apply -f -
kubectl replace -f "./kubernetes/proxy-service-canary.yaml" --force kubectl apply -f "./kubernetes/proxy-service-canary.yaml" --force
fi fi
# Kills all running pods, new pods created will be pulling the new image. # Kills all running pods, new pods created will be pulling the new image.
kubectl delete pods --all kubectl delete pods --all

1
proxy/src/main/java/google/registry/proxy/ProxyConfig.java
View File

@@ -41,7 +41,6 @@ public class ProxyConfig {
public String projectId; public String projectId;
public String oauthClientId; public String oauthClientId;
public boolean canary;
public List<String> gcpScopes; public List<String> gcpScopes;
public int serverCertificateCacheSeconds; public int serverCertificateCacheSeconds;
public Gcs gcs; public Gcs gcs;

4
proxy/src/main/java/google/registry/proxy/ProxyModule.java
View File

@@ -281,8 +281,8 @@ public class ProxyModule {
@Singleton @Singleton
@Provides @Provides
@Named("canary") @Named("canary")
static boolean provideIsCanary(ProxyConfig config) { boolean provideIsCanary(Environment env) {
return config.canary; return env.name().endsWith("_CANARY");
} }
@Singleton @Singleton

3
proxy/src/main/java/google/registry/proxy/config/default-config.yaml
View File

@@ -8,9 +8,6 @@
# GCP project ID # GCP project ID
projectId: your-gcp-project-id projectId: your-gcp-project-id
# Whether to connect to the canary (instead of regular) service.
canary: false
# OAuth client ID set as the audience of the OIDC token. This value must be the # OAuth client ID set as the audience of the OIDC token. This value must be the
# same as the auth.oauthClientId value in Nomulus config file, which usually is # same as the auth.oauthClientId value in Nomulus config file, which usually is
# the IAP client ID, to allow the request to access IAP protected endpoints. # the IAP client ID, to allow the request to access IAP protected endpoints.