Containerize

.dockerignore

@@ -2,7 +2,15 @@
 # **/name   - exclude file/dir "name" in project root or any subdir
 # !name     - include previously excluded "name"
 # a*b?c/d[0-9]e[^a-z\]]f\[g     - pattern
-*
-!bin
-!ms/auth/internal/migrations/*.sql
-!ms/example/internal/migrations/*.sql
+.circleci
+.gitattributes
+.github
+.gitignore
+.gobincache
+
+bin
+Dockerfile
+docker-compose.yml
+docs
+README.md
+#scripts

Dockerfile

@@ -1,4 +1,32 @@
-FROM alpine:3.13
+FROM golang:1.16 as prepare
+
+ENV GO111MODULE on
+ENV GOBIN "/usr/local/bin"
+ENV CGO_ENABLED 0
+
+WORKDIR /app
+
+COPY . .
+
+RUN go install github.com/bufbuild/buf/cmd/[email protected]
+RUN go install \
+    github.com/grpc-ecosystem/grpc-gateway/v2/protoc-gen-grpc-gateway \
+    github.com/grpc-ecosystem/grpc-gateway/v2/protoc-gen-openapiv2 \
+    google.golang.org/protobuf/cmd/protoc-gen-go \
+    google.golang.org/grpc/cmd/protoc-gen-go-grpc
+
+FROM prepare as build
+
+ARG MONO_VERSION="latest"
+ENV BUILD_VERSION "${MONO_VERSION}"
+
+WORKDIR /app
+
+RUN go generate ./api/...
+
+RUN go build -ldflags "-X '$(go list -m)/pkg/def.ver=${BUILD_VERSION}'" -o bin/ ./cmd/mono
+
+FROM alpine:3.13 as runner
 
 LABEL org.opencontainers.image.source="https://github.com/powerman/go-monolith-example"
 
@@ -7,8 +35,10 @@ WORKDIR /app
 HEALTHCHECK --interval=30s --timeout=5s \
     CMD wget -q -O - http://$HOSTNAME:17000/health-check || exit 1
 
-COPY . .
+COPY --from=build "/app/bin/mono" "mono"
+COPY --from=build "/app/ms/auth/internal/migrations" "ms/auth/internal/migrations"
+COPY --from=build "/app/ms/example/internal/migrations" "ms/example/internal/migrations"
 
-ENTRYPOINT [ "bin/mono" ]
+ENTRYPOINT [ "/app/mono" ]
 
 CMD [ "serve" ]

README.md

@@ -113,9 +113,29 @@ for more details.
 - Go 1.16
 - [Docker](https://docs.docker.com/install/) 19.03+
 - [Docker Compose](https://docs.docker.com/compose/install/) 1.25+
+- [Buf Build](https://buf.build/docs/installation) 1.1.0
+- [protoc-gen-go v1.26.0-devel]() 1.26+
+- [Api Linter](https://linter.aip.dev/) 1.58+
+- [Shellcheck](https://www.shellcheck.net/) 0.9+
+- [golangci-lint](https://golangci-lint.run/) 1.55+
 
 ### Setup
 
+Install gRPC libraries
+```shell
+go install github.com/bufbuild/buf/cmd/[email protected]
+
+go install github.com/grpc-ecosystem/grpc-gateway/v2/protoc-gen-grpc-gateway \
+    github.com/grpc-ecosystem/grpc-gateway/v2/protoc-gen-openapiv2 \
+    google.golang.org/protobuf/cmd/protoc-gen-go \
+    google.golang.org/grpc/cmd/protoc-gen-go-grpc
+```
+
+Instsll API Linter
+```shell
+go install github.com/googleapis/api-linter/cmd/api-linter@latest
+```
+
 1. After cloning the repo copy `env.sh.dist` to `env.sh`.
 2. Review `env.sh` and update for your system as needed.
 3. It's recommended to add shell alias `alias dc="if test -f env.sh; then
@@ -129,7 +149,7 @@ for more details.
    and also it uses gRPC with authentication which also require TLS certs,
    so you'll need to create certificate to run it on localhost - follow
    instructions in [Create local CA to issue localhost HTTPS
-   certificates](https://gist.github.com/powerman/2fc4b1a5aee62dd9491cee7f75ead0b4).
+   certificates](./docs/ca-certificate.md).
 2. Or you can just use certificates in `configs/insecure-dev-pki`, which
    was created this way:
 

api/proto/powerman/example/auth/service.proto

@@ -1,5 +1,8 @@
 syntax = "proto3";
 
+// (-- api-linter: core::0191::proto-package=disabled
+//     aip.dev/not-precedent: The parent path is api/proto --)
+
 package powerman.example.auth;
 
 import "google/api/annotations.proto";
@@ -55,46 +58,46 @@ message CreateAccountRequest {
     Account account = 1 [(google.api.field_behavior) = REQUIRED];
     // The ID to use for the account.
     // This value should be 4-63 characters [a-z0-9-].
-    string account_id = 2;
+    string account_id = 2 [(google.api.field_behavior) = OUTPUT_ONLY];
 }
 
 // Request.
 message SigninIdentityRequest {
     // Authentication using username and password.
     message AccountAuth {
         // This value should be 4-63 characters [a-z0-9-].
-        string account_id = 1;
+        string account_id = 1 [(google.api.field_behavior) = REQUIRED];
         // Any value.
-        string password = 2;
+        string password = 2 [(google.api.field_behavior) = REQUIRED];
     }
     // Authentication user email and password.
     message EmailAuth {
         // This value should contain [@].
-        string email = 1;
+        string email = 1 [(google.api.field_behavior) = REQUIRED];
         // Any value.
-        string password = 2;
+        string password = 2 [(google.api.field_behavior) = REQUIRED];
     }
     // Different ways to authenticate.
     oneof auth {
         // By username.
-        AccountAuth account = 1;
+        AccountAuth account = 1 [(google.api.field_behavior) = REQUIRED];
         // By email.
-        EmailAuth email = 2;
+        EmailAuth email = 2 [(google.api.field_behavior) = REQUIRED];
     }
 }
 
 // Response.
 message SigninIdentityResponse {
     // Opaque.
-    string access_token = 1;
+    string access_token = 1 [(google.api.field_behavior) = REQUIRED];
     // User/Access details.
-    User user = 2;
+    User user = 2 [(google.api.field_behavior) = REQUIRED];
 }
 
 // Request.
 message SignoutIdentityRequest {
     // Set to true to invalidate all user's access_token.
-    bool everywhere = 1;
+    bool everywhere = 1 [(google.api.field_behavior) = REQUIRED];
 }
 
 // Response.
@@ -103,13 +106,13 @@ message SignoutIdentityResponse {}
 // Account contains data needed for authentication.
 message Account {
     // Format: "accounts/{account_id}".
-    string name = 1;
+    string name = 1 [(google.api.field_behavior) = REQUIRED];
     // Default identity connected to the account.
-    User user = 2;
+    User user = 2 [(google.api.field_behavior) = REQUIRED];
     // Must be strong enough.
-    string password = 16 [(google.api.field_behavior) = INPUT_ONLY];
+    string password = 16 [(google.api.field_behavior) = OPTIONAL];
     // Primary email, needed to reset password.
-    string email = 3;
+    string email = 3 [(google.api.field_behavior) = REQUIRED];
     // Account create time.
     // Output only.
     google.protobuf.Timestamp create_time = 15 [(google.api.field_behavior) = OUTPUT_ONLY];
@@ -118,11 +121,11 @@ message Account {
 // User is an identity tied to Account.
 message User {
     // Format: "users/{user_uid}".
-    string name = 1;
+    string name = 1 [(google.api.field_behavior) = REQUIRED];
     // By default set to {account_id}.
-    string display_name = 2;
+    string display_name = 2 [(google.api.field_behavior) = REQUIRED];
     // Permissions.
-    Access access = 3;
+    Access access = 3 [(google.api.field_behavior) = REQUIRED];
 }
 
 // Access describes identity's permissions.
@@ -139,5 +142,5 @@ message Access {
         ROLE_USER = 2;
     }
     // User's role.
-    Role role = 1;
+    Role role = 1 [(google.api.field_behavior) = REQUIRED];
 }

api/proto/powerman/example/auth/service_int.proto

@@ -2,6 +2,8 @@ syntax = "proto3";
 
 // (-- api-linter: core::0127::http-annotation=disabled
 //     aip.dev/not-precedent: No HTTP support for private API. --)
+// (-- api-linter: core::0191::proto-package=disabled
+//     aip.dev/not-precedent: The parent path is api/proto --)
 
 package powerman.example.auth;
 

docker-compose.yml

@@ -8,6 +8,7 @@ volumes:
 services:
 
   mysql:
+    platform: "linux/amd64"
     image: "mysql:5.7" # We're using 5.7.
     container_name: "mono_mysql"
     restart: "always"
@@ -98,7 +99,9 @@ services:
   mono:
     build:
       context: .
-      dockerfile: use `./scripts/build` instead of `docker-compose build`
+      args:
+        MONO_VERSION: ${MONO_VERSION:-latest}
+      dockerfile: Dockerfile
     image: "go-monolith-example:latest"
     container_name: mono_mono
     restart: always

docs/ca-certificate.md

@@ -0,0 +1,43 @@
+# Create local CA to issue localhost HTTPS certificates
+
+You can check [How to securely test local/staging HTTPS
+project](securely-test-local.md)
+for more details about required setup or just follow instructions below.
+
+**WARNING:** You'll need to run these commands just once, don't run them
+again if you already did this before for some other project.
+
+MacOS users should first prepare OpenSSL package:
+```
+brew install openssl
+export EASYRSA_OPENSSL="$(ls -1 $(brew --prefix)/bin/openssl | sort -n -t/ -k6 | tail -n1)"
+```
+
+Install EasyRSA into `~/.easyrsa/` to generate local CA and website
+certificates:
+```
+mkdir -p ~/.easyrsa &&
+  curl -L https://github.com/OpenVPN/easy-rsa/releases/download/v3.1.6/EasyRSA-3.1.6.tgz |
+  tar xzvf - --strip-components=1 -C ~/.easyrsa
+```
+
+Create local CA for signing certificates for local websites plus
+Diffie-Hellman parameter for DHE cipher suites:
+```
+cd ~/.easyrsa
+./easyrsa init-pki
+echo Local CA $(hostname -f) | ./easyrsa build-ca nopass
+openssl dhparam 2048 | install -m 0600 /dev/stdin pki/private/dhparam2048.pem
+```
+
+Now import local CA certificate `~/.easyrsa/pki/ca.crt` into your browser:
+
+- MacOS: You can easily add the certificate as a trusted certificate
+  authority for the currently logged in user:
+  `sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ~/.easyrsa/pki/ca.crt`
+- Linux:
+    - Chrome-based browsers: go to chrome://settings/certificates,
+      AUTHORITIES, IMPORT, select file, check "Trust this certificate for
+      identifying websites", OK.
+    - Firefox, command-line tools (curl, etc.):
+      `sudo mkdir -p /usr/local/share/ca-certificates && sudo cp ~/.easyrsa/pki/ca.crt /usr/local/share/ca-certificates/ && sudo chmod 0644 /usr/local/share/ca-certificates/ca.crt && sudo update-ca-certificates`