From 72ad446841703393fc6e1c119ffff7c77a1ad6ee Mon Sep 17 00:00:00 2001 From: Matt Moore Date: Sat, 9 Dec 2023 09:54:24 -0800 Subject: [PATCH] Start to open up the CloudEvents modules. Signed-off-by: Matt Moore --- .chainguard/source.yaml | 13 ++ .github/workflows/actionlint.yaml | 29 +++++ .github/workflows/boilerplate.yaml | 39 ++++++ .github/workflows/documentation.yaml | 2 + .github/workflows/donotsubmit.yaml | 21 +++ .github/workflows/go-test.yaml | 41 ++++++ .github/workflows/style.yaml | 110 ++++++++++++++++ .golangci.yml | 35 +++++ authorize-private-service/README.md | 2 +- cloudevent-broker/README.md | 94 ++++++++++++++ cloudevent-broker/cmd/ingress/main.go | 63 +++++++++ cloudevent-broker/ingress.tf | 82 ++++++++++++ cloudevent-broker/main.tf | 15 +++ cloudevent-broker/outputs.tf | 15 +++ cloudevent-broker/variables.tf | 15 +++ cloudevent-trigger/README.md | 49 +++++++ cloudevent-trigger/main.tf | 80 ++++++++++++ cloudevent-trigger/outputs.tf | 1 + cloudevent-trigger/variables.tf | 25 ++++ go.mod | 44 +++++++ go.sum | 180 ++++++++++++++++++++++++++ pkg/pubsub/cloudevent.go | 42 ++++++ pkg/pubsub/cloudevent_test.go | 118 +++++++++++++++++ 23 files changed, 1114 insertions(+), 1 deletion(-) create mode 100644 .chainguard/source.yaml create mode 100644 .github/workflows/actionlint.yaml create mode 100644 .github/workflows/boilerplate.yaml create mode 100644 .github/workflows/donotsubmit.yaml create mode 100644 .github/workflows/go-test.yaml create mode 100644 .github/workflows/style.yaml create mode 100644 .golangci.yml create mode 100644 cloudevent-broker/README.md create mode 100644 cloudevent-broker/cmd/ingress/main.go create mode 100644 cloudevent-broker/ingress.tf create mode 100644 cloudevent-broker/main.tf create mode 100644 cloudevent-broker/outputs.tf create mode 100644 cloudevent-broker/variables.tf create mode 100644 cloudevent-trigger/README.md create mode 100644 cloudevent-trigger/main.tf create mode 100644 cloudevent-trigger/outputs.tf create mode 100644 cloudevent-trigger/variables.tf create mode 100644 go.mod create mode 100644 go.sum create mode 100644 pkg/pubsub/cloudevent.go create mode 100644 pkg/pubsub/cloudevent_test.go diff --git a/.chainguard/source.yaml b/.chainguard/source.yaml new file mode 100644 index 00000000..d01eb9b8 --- /dev/null +++ b/.chainguard/source.yaml @@ -0,0 +1,13 @@ +# Copyright 2023 Chainguard, Inc. +# SPDX-License-Identifier: Apache-2.0 + +spec: + authorities: + - keyless: + # allow commits signed by users using GitHub or Google OIDC + identities: + - issuer: https://accounts.google.com + - issuer: https://github.com/login/oauth + - key: + # allow commits signed by GitHub, e.g. the UI + kms: https://github.com/web-flow.gpg diff --git a/.github/workflows/actionlint.yaml b/.github/workflows/actionlint.yaml new file mode 100644 index 00000000..ca76dcc8 --- /dev/null +++ b/.github/workflows/actionlint.yaml @@ -0,0 +1,29 @@ +# Copyright 2022 Chainguard, Inc. +# SPDX-License-Identifier: Apache-2.0 + +name: Action Lint + +on: + pull_request: + branches: [ 'main', 'release-*' ] + +jobs: + + action-lint: + name: Action lint + runs-on: ubuntu-latest + + steps: + - name: Check out code + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - name: Find yamls + id: get_yamls + run: | + yamls="$(find .github/workflows -name "*.y*ml" | grep -v dependabot. | xargs echo)" + echo "files=${yamls}" >> "$GITHUB_OUTPUT" + + - name: Action lint + uses: reviewdog/action-actionlint@82693e9e3b239f213108d6e412506f8b54003586 # v1.39.1 + with: + actionlint_flags: ${{ steps.get_yamls.outputs.files }} diff --git a/.github/workflows/boilerplate.yaml b/.github/workflows/boilerplate.yaml new file mode 100644 index 00000000..27d6abc9 --- /dev/null +++ b/.github/workflows/boilerplate.yaml @@ -0,0 +1,39 @@ +# Copyright 2022 Chainguard, Inc. +# SPDX-License-Identifier: Apache-2.0 + +name: Boilerplate + +on: + pull_request: + branches: [ 'main', 'release-*' ] + +jobs: + + check: + name: Boilerplate Check + runs-on: ubuntu-latest + strategy: + fail-fast: false # Keep running if one leg fails. + matrix: + extension: + - go + - sh + - yaml + + # Map between extension and human-readable name. + include: + - extension: go + language: Go + - extension: sh + language: Bash + - extension: yaml + language: YAML + + steps: + - name: Check out code + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - uses: chainguard-dev/actions/boilerplate@main + with: + extension: ${{ matrix.extension }} + language: ${{ matrix.language }} diff --git a/.github/workflows/documentation.yaml b/.github/workflows/documentation.yaml index 825fd998..16d12334 100644 --- a/.github/workflows/documentation.yaml +++ b/.github/workflows/documentation.yaml @@ -11,6 +11,8 @@ jobs: matrix: module: - authorize-private-service + - cloudevent-broker + - cloudevent-trigger steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 diff --git a/.github/workflows/donotsubmit.yaml b/.github/workflows/donotsubmit.yaml new file mode 100644 index 00000000..a8557d09 --- /dev/null +++ b/.github/workflows/donotsubmit.yaml @@ -0,0 +1,21 @@ +# Copyright 2022 Chainguard, Inc. +# SPDX-License-Identifier: Apache-2.0 + +name: Do Not Submit + +on: + pull_request: + branches: [ 'main', 'release-*' ] + +jobs: + + donotsubmit: + name: Do Not Submit + runs-on: ubuntu-latest + + steps: + - name: Check out code + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - name: Do Not Submit + uses: chainguard-dev/actions/donotsubmit@main diff --git a/.github/workflows/go-test.yaml b/.github/workflows/go-test.yaml new file mode 100644 index 00000000..b8b4ad7d --- /dev/null +++ b/.github/workflows/go-test.yaml @@ -0,0 +1,41 @@ +# Copyright 2022 Chainguard, Inc. +# SPDX-License-Identifier: Apache-2.0 + +name: Test + +on: + pull_request: + branches: [ 'main', 'release-*' ] + push: + branches: [ 'main', 'release-*' ] + +jobs: + + test: + runs-on: ubuntu-latest + steps: + - name: Check out code onto GOPATH + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds + - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 + with: + # In order: + # * Module download cache + # * Build cache (Linux) + path: | + ~/go/pkg/mod + ~/.cache/go-build + key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} + restore-keys: | + ${{ runner.os }}-go- + + - name: Set up Go + uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 + with: + go-version-file: './go.mod' + check-latest: true + + - run: | + # Exclude running unit tests against third_party repos. + go test -race ./... diff --git a/.github/workflows/style.yaml b/.github/workflows/style.yaml new file mode 100644 index 00000000..af9e08bf --- /dev/null +++ b/.github/workflows/style.yaml @@ -0,0 +1,110 @@ +# Copyright 2022 Chainguard, Inc. +# SPDX-License-Identifier: Apache-2.0 + +name: Code Style + +on: + pull_request: + branches: [ 'main', 'release-*' ] + push: + branches: [ 'main', 'release-*' ] + +jobs: + + gofmt: + name: check gofmt + runs-on: ubuntu-latest + steps: + - name: Check out code + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - name: Set up Go + uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 + with: + go-version-file: './go.mod' + check-latest: true + + - uses: chainguard-dev/actions/gofmt@main + with: + args: -s + + goimports: + name: check goimports + runs-on: ubuntu-latest + steps: + - name: Check out code + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - name: Set up Go + uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 + with: + go-version-file: './go.mod' + check-latest: true + + - uses: chainguard-dev/actions/goimports@main + + golangci-lint: + name: golangci-lint + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - name: Set up Go + uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 + with: + go-version-file: './go.mod' + check-latest: true + cache: true + + - name: golangci-lint + uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0 + with: + # Required: the version of golangci-lint is required and must be specified without patch version: we always use the latest patch version. + version: v1.54 + args: --timeout=5m + + lint: + name: Lint + runs-on: ubuntu-latest + + steps: + - name: Check out code + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - name: Set up Go + uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 + with: + go-version-file: './go.mod' + check-latest: true + + - uses: chainguard-dev/actions/trailing-space@main + if: ${{ always() }} + + - uses: chainguard-dev/actions/eof-newline@main + if: ${{ always() }} + + - uses: reviewdog/action-tflint@master + if: ${{ always() }} + with: + github_token: ${{ secrets.github_token }} + fail_on_error: true + + - uses: reviewdog/action-misspell@cc799b020b057600b66eedf2b6e97ca26137de21 # v1.14.0 + if: ${{ always() }} + with: + github_token: ${{ secrets.github_token }} + fail_on_error: true + locale: "US" + exclude: | + **/go.sum + **/third_party/** + ./*.yml + + - uses: get-woke/woke-action-reviewdog@d71fd0115146a01c3181439ce714e21a69d75e31 # v0 + if: ${{ always() }} + with: + github-token: ${{ secrets.github_token }} + reporter: github-pr-check + level: error + fail-on-error: true diff --git a/.golangci.yml b/.golangci.yml new file mode 100644 index 00000000..67034b12 --- /dev/null +++ b/.golangci.yml @@ -0,0 +1,35 @@ +# Copyright 2022 Chainguard, Inc. +# SPDX-License-Identifier: Apache-2.0 + +linters: + enable: + - asciicheck + - unused + - errcheck + - errorlint + - gofmt + - goimports + - gosec + - gocritic + - importas + - prealloc + - revive + - misspell + - stylecheck + - tparallel + - unconvert + - unparam + - whitespace +output: + uniq-by-line: false +issues: + exclude-rules: + - path: _test\.go + linters: + - errcheck + - gosec + max-issues-per-linter: 0 + max-same-issues: 0 +run: + issues-exit-code: 1 + timeout: 10m diff --git a/authorize-private-service/README.md b/authorize-private-service/README.md index 671af359..ab3ab2c0 100644 --- a/authorize-private-service/README.md +++ b/authorize-private-service/README.md @@ -44,4 +44,4 @@ No modules. | Name | Description | |------|-------------| | [uri](#output\_uri) | The URI of the private Cloud Run service. | - \ No newline at end of file + diff --git a/cloudevent-broker/README.md b/cloudevent-broker/README.md new file mode 100644 index 00000000..1ec28cac --- /dev/null +++ b/cloudevent-broker/README.md @@ -0,0 +1,94 @@ +# `cloudevent-broker` + +This module provisions a regionalizied Broker abstraction akin to the Knative +"Broker" concept. The dual "Trigger" concept is captured by the sibling +`cloudevent-trigger` module. The intended usage of this module for publishing +events is something like this: + +```hcl +// Create the Broker abstraction. +module "cloudevent-broker" { + source = "chainguard-dev/glue/cloudrun//cloudevent-broker" + + name = "my-broker" + project_id = var.project_id + regions = local.region-to-networking +} + +// Authorize the "foo" service account to publish events. +module "foo-emits-events" { + for_each = local.region-to-networking + + source = "chainguard-dev/glue/cloudrun//authorize-private-service" + + project_id = var.project_id + region = each.key + name = module.cloudevent-broker.ingress.name + + service-account = google_service_account.foo.email +} + +// Run a cloud run service as the "foo" service account, and pass in the address +// of the regional ingress endpoint. +resource "google_cloud_run_v2_service" "foo-service" { + for_each = local.region-to-networking + + project = var.project_id + name = "foo" + location = each.key + + launch_stage = "BETA" + + template { + vpc_access { + network_interfaces { + network = each.value.network + subnetwork = each.value.subnet + } + // Egress through VPC so we can talk to the private ingress endpoint. + egress = "PRIVATE_RANGES_ONLY" + } + + service_account = google_service_account.foo.email + + containers { + image = "..." + + // Pass the resolved regional URI to the service in this region. + env { + name = "EVENT_INGRESS_URL" + value = module.foo-emits-events[each.key].uri + } + } + } +} + +// TODO: DO NOT SUBMIT +// Add a section outlining how to create local.region-to-networking +``` + + +## Requirements + +No requirements. + +## Providers + +No providers. + +## Modules + +No modules. + +## Resources + +No resources. + +## Inputs + +No inputs. + +## Outputs + +No outputs. + diff --git a/cloudevent-broker/cmd/ingress/main.go b/cloudevent-broker/cmd/ingress/main.go new file mode 100644 index 00000000..4fff7369 --- /dev/null +++ b/cloudevent-broker/cmd/ingress/main.go @@ -0,0 +1,63 @@ +/* +Copyright 2022 Chainguard, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package main + +import ( + "context" + "log" + "time" + + "cloud.google.com/go/pubsub" + cloudevents "github.com/cloudevents/sdk-go/v2" + "github.com/kelseyhightower/envconfig" + "golang.org/x/oauth2/google" + "google.golang.org/api/option" + "knative.dev/pkg/signals" + + cgpubsub "github.com/chainguard-dev/terraform-cloudrun-glue/pkg/pubsub" +) + +const ( + retryDelay = 10 * time.Millisecond + maxRetry = 3 +) + +type envConfig struct { + Port int `envconfig:"PORT" default:"8080" required:"true"` + Project string `envconfig:"PROJECT_ID" required:"true"` + Topic string `envconfig:"PUBSUB_TOPIC" required:"true"` +} + +func main() { + ctx := signals.NewContext() + + var env envConfig + if err := envconfig.Process("", &env); err != nil { + log.Fatalf("failed to process env var: %s", err) + } + + c, err := cloudevents.NewClientHTTP(cloudevents.WithPort(env.Port)) + if err != nil { + log.Fatalf("failed to create CE client, %v", err) + } + + psc, err := pubsub.NewClient(ctx, env.Project, option.WithTokenSource(google.ComputeTokenSource(""))) + if err != nil { + log.Fatalf("failed to create pubsub client, %v", err) + } + + topic := psc.Topic(env.Topic) + defer topic.Stop() + + if err := c.StartReceiver(cloudevents.ContextWithRetriesExponentialBackoff(ctx, retryDelay, maxRetry), func(ctx context.Context, event cloudevents.Event) { + res := topic.Publish(ctx, cgpubsub.FromCloudEvent(ctx, event)) + if _, err := res.Get(ctx); err != nil { + log.Printf("failed to forward event: %v\n%v", err, event) + } + }); err != nil { + log.Panic(err) + } +} diff --git a/cloudevent-broker/ingress.tf b/cloudevent-broker/ingress.tf new file mode 100644 index 00000000..6d687dcd --- /dev/null +++ b/cloudevent-broker/ingress.tf @@ -0,0 +1,82 @@ +// Create a dedicated identity as which to run the broker ingress service +// (and authorize it's actions) +resource "google_service_account" "this" { + project = var.project_id + + account_id = var.name + display_name = "Broker Ingress" + description = "A dedicated identity for the ${var.name} broker ingress to operate as." +} + +// Authorize the ingress identity to publish events to each of +// the regional broker topics. +// NOTE: we use binding vs. member because we do not expect anything +// to publish to this topic other than the ingress service. +resource "google_pubsub_topic_iam_binding" "ingress-publishes-events" { + for_each = var.regions + + project = var.project_id + topic = google_pubsub_topic.this[each.key].name + role = "roles/pubsub.publisher" + members = ["serviceAccount:${google_service_account.this.email}"] +} + +// Build the ingress image using our minimal hardened base image. +resource "ko_build" "this" { + base_image = "cgr.dev/chainguard/static:latest-glibc" + importpath = "./cmd/ingress" + working_dir = path.module +} + +// Sign the image, assuming a keyless signing identity is available. +resource "cosign_sign" "this" { + image = ko_build.this.image_ref + + // DO NOT SUBMIT + // We need to adopt collision policies for our cosign_sign rules. +} + +resource "google_cloud_run_v2_service" "this" { + for_each = var.regions + + // Explicitly wait for the iam binding before provisioning the service, + // since the service functionally depends on being able to publish events + // to the topic. In practice, GCP IAM is "eventually consistent" and there + // will still invariably be some latency after even the service is created + // where publishing may fail. + depends_on = [google_pubsub_topic_iam_binding.ingress-publishes-events] + + project = var.project_id + name = var.name + location = each.key + + // The ingress service is an internal service, and so it should only + // be exposed to the internal network. + ingress = "INGRESS_TRAFFIC_INTERNAL_ONLY" + + launch_stage = "BETA" // Needed for vpc_access below + + template { + vpc_access { + network_interfaces { + network = each.value.network + subnetwork = each.value.subnet + } + egress = "ALL_TRAFFIC" // This should not egress + } + + service_account = google_service_account.this.email + containers { + image = cosign_sign.this.signed_ref + + env { + name = "PROJECT_ID" + value = var.project_id + } + env { + name = "PUBSUB_TOPIC" + value = google_pubsub_topic.this[each.key].name + } + } + } +} diff --git a/cloudevent-broker/main.tf b/cloudevent-broker/main.tf new file mode 100644 index 00000000..8bf86f62 --- /dev/null +++ b/cloudevent-broker/main.tf @@ -0,0 +1,15 @@ +terraform { + required_providers { + ko = { source = "ko-build/ko" } + cosign = { source = "chainguard-dev/cosign" } + } +} + +resource "google_pubsub_topic" "this" { + for_each = var.regions + + name = "${var.name}-${each.key}" + + // TODO: Tune this and/or make it configurable? + message_retention_duration = "600s" +} diff --git a/cloudevent-broker/outputs.tf b/cloudevent-broker/outputs.tf new file mode 100644 index 00000000..5c88b9cc --- /dev/null +++ b/cloudevent-broker/outputs.tf @@ -0,0 +1,15 @@ +output "ingress" { + depends_on = [google_cloud_run_v2_service.this] + description = "An object holding the name of the ingress service, which can be used to authorize callers to publish cloud events." + value = { + name = var.name + } +} + +output "broker" { + depends_on = [google_pubsub_topic.this] + description = "A map from each of the input region names to the name of the Broker topic in each region. These broker names are intended for use with the cloudevent-trigger module's broker input." + value = { + for region in keys(var.regions) : region => google_pubsub_topic.this[region].name + } +} diff --git a/cloudevent-broker/variables.tf b/cloudevent-broker/variables.tf new file mode 100644 index 00000000..b48cac25 --- /dev/null +++ b/cloudevent-broker/variables.tf @@ -0,0 +1,15 @@ +variable "project_id" { + type = string +} + +variable "name" { + type = string +} + +variable "regions" { + description = "A map from region names to a network and subnetwork. A pub/sub topic and ingress service (publishing to the respective topic) will be created in each region, with the ingress service configured to egress all traffic via the specified subnetwork." + type = map(object({ + network = string + subnet = string + })) +} diff --git a/cloudevent-trigger/README.md b/cloudevent-trigger/README.md new file mode 100644 index 00000000..0d597829 --- /dev/null +++ b/cloudevent-trigger/README.md @@ -0,0 +1,49 @@ +# `cloudevent-trigger` + +TODO + + + + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [google](#provider\_google) | n/a | +| [google-beta](#provider\_google-beta) | n/a | +| [random](#provider\_random) | n/a | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [authorize-delivery](#module\_authorize-delivery) | ../authorize-private-service | n/a | + +## Resources + +| Name | Type | +|------|------| +| [google-beta_google_project_service_identity.pubsub](https://registry.terraform.io/providers/hashicorp/google-beta/latest/docs/resources/google_project_service_identity) | resource | +| [google_pubsub_subscription.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/pubsub_subscription) | resource | +| [google_service_account.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource | +| [google_service_account_iam_binding.allow-pubsub-to-mint-tokens](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_iam_binding) | resource | +| [random_string.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [broker](#input\_broker) | The name of the pubsub topic we are using as a broker. | `string` | n/a | yes | +| [filter](#input\_filter) | A Knative Trigger-style filter over the cloud event attributes. | `map(string)` | n/a | yes | +| [name](#input\_name) | n/a | `string` | n/a | yes | +| [private-service](#input\_private-service) | The private cloud run service that is subscribing to these events. |
object({
name = string
region = string
})
| n/a | yes | +| [project\_id](#input\_project\_id) | n/a | `string` | n/a | yes | + +## Outputs + +No outputs. + diff --git a/cloudevent-trigger/main.tf b/cloudevent-trigger/main.tf new file mode 100644 index 00000000..51dd9cf1 --- /dev/null +++ b/cloudevent-trigger/main.tf @@ -0,0 +1,80 @@ +resource "random_string" "suffix" { + length = 4 + upper = false + special = false +} + +// A dedicated service account for this subscription. +resource "google_service_account" "this" { + project = var.project_id + + account_id = "${var.name}-${random_string.suffix.result}" + display_name = "Delivery account for ${var.private-service.name} in ${var.private-service.region}." +} + +// Lookup the identity of the pubsub service agent. +resource "google_project_service_identity" "pubsub" { + provider = google-beta + project = var.project_id + service = "pubsub.googleapis.com" +} + +// Authorize Pub/Sub to impersonate the delivery service account to authorize +// deliveries using this service account. +// NOTE: we use binding vs. member because we expect nothing but pubsub to be +// able to assume this identity. +resource "google_service_account_iam_binding" "allow-pubsub-to-mint-tokens" { + service_account_id = google_service_account.this.name + + role = "roles/iam.serviceAccountTokenCreator" + members = ["serviceAccount:${google_project_service_identity.pubsub.email}"] +} + +// Authorize this service account to invoke the private service receiving +// events from this trigger. +module "authorize-delivery" { + source = "../authorize-private-service" + + project_id = var.project_id + region = var.private-service.region + name = var.private-service.name + + service-account = google_service_account.this.email +} + +locals { + filter-elements = [ + for key, value in var.filter : "attributes.ce-${key}=\"${value}\"" + ] +} + +// Configure the subscription to deliver the events matching our filter to this service +// using the above identity to authorize the delivery.. +resource "google_pubsub_subscription" "this" { + name = "${var.name}-${random_string.suffix.result}" + topic = var.broker + + // TODO: Tune this and/or make it configurable? + ack_deadline_seconds = 300 + + filter = join(" AND ", local.filter-elements) + + push_config { + push_endpoint = module.authorize-delivery.uri + + // Authenticate requests to this service using tokens minted + // from the given service account. + oidc_token { + service_account_email = google_service_account.this.email + } + + // Make the body of the push notification the raw Pub/Sub message. + // Include the Pub/Sub message attributes as HTTP headers. + // This aligns the shape of the notification with the "binary" + // Cloud Event delivery form. + // See: https://cloud.google.com/pubsub/docs/payload-unwrapping + no_wrapper { + write_metadata = true + } + } +} diff --git a/cloudevent-trigger/outputs.tf b/cloudevent-trigger/outputs.tf new file mode 100644 index 00000000..8b137891 --- /dev/null +++ b/cloudevent-trigger/outputs.tf @@ -0,0 +1 @@ + diff --git a/cloudevent-trigger/variables.tf b/cloudevent-trigger/variables.tf new file mode 100644 index 00000000..109a8790 --- /dev/null +++ b/cloudevent-trigger/variables.tf @@ -0,0 +1,25 @@ +variable "project_id" { + type = string +} + +variable "name" { + type = string +} + +variable "broker" { + description = "The name of the pubsub topic we are using as a broker." + type = string +} + +variable "filter" { + description = "A Knative Trigger-style filter over the cloud event attributes." + type = map(string) +} + +variable "private-service" { + description = "The private cloud run service that is subscribing to these events." + type = object({ + name = string + region = string + }) +} diff --git a/go.mod b/go.mod new file mode 100644 index 00000000..2a668680 --- /dev/null +++ b/go.mod @@ -0,0 +1,44 @@ +module github.com/chainguard-dev/terraform-cloudrun-glue + +go 1.21.1 + +require ( + cloud.google.com/go/pubsub v1.33.0 + github.com/cloudevents/sdk-go/v2 v2.14.0 + github.com/google/go-cmp v0.6.0 + github.com/kelseyhightower/envconfig v1.4.0 + golang.org/x/oauth2 v0.15.0 + google.golang.org/api v0.152.0 + knative.dev/pkg v0.0.0-20231204120332-9386ad6703ee +) + +require ( + cloud.google.com/go v0.110.10 // indirect + cloud.google.com/go/compute v1.23.3 // indirect + cloud.google.com/go/compute/metadata v0.2.3 // indirect + cloud.google.com/go/iam v1.1.5 // indirect + github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect + github.com/golang/protobuf v1.5.3 // indirect + github.com/google/s2a-go v0.1.7 // indirect + github.com/google/uuid v1.4.0 // indirect + github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect + github.com/googleapis/gax-go/v2 v2.12.0 // indirect + github.com/json-iterator/go v1.1.12 // indirect + github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect + github.com/modern-go/reflect2 v1.0.2 // indirect + go.opencensus.io v0.24.0 // indirect + go.uber.org/multierr v1.10.0 // indirect + go.uber.org/zap v1.26.0 // indirect + golang.org/x/crypto v0.16.0 // indirect + golang.org/x/net v0.19.0 // indirect + golang.org/x/sync v0.5.0 // indirect + golang.org/x/sys v0.15.0 // indirect + golang.org/x/text v0.14.0 // indirect + golang.org/x/time v0.5.0 // indirect + google.golang.org/appengine v1.6.7 // indirect + google.golang.org/genproto v0.0.0-20231106174013-bbf56f31fb17 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20231106174013-bbf56f31fb17 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20231120223509-83a465c0220f // indirect + google.golang.org/grpc v1.59.0 // indirect + google.golang.org/protobuf v1.31.0 // indirect +) diff --git a/go.sum b/go.sum new file mode 100644 index 00000000..7fb5cf4d --- /dev/null +++ b/go.sum @@ -0,0 +1,180 @@ +cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +cloud.google.com/go v0.110.10 h1:LXy9GEO+timppncPIAZoOj3l58LIU9k+kn48AN7IO3Y= +cloud.google.com/go v0.110.10/go.mod h1:v1OoFqYxiBkUrruItNM3eT4lLByNjxmJSV/xDKJNnic= +cloud.google.com/go/compute v1.23.3 h1:6sVlXXBmbd7jNX0Ipq0trII3e4n1/MsADLK6a+aiVlk= +cloud.google.com/go/compute v1.23.3/go.mod h1:VCgBUoMnIVIR0CscqQiPJLAG25E3ZRZMzcFZeQ+h8CI= +cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY= +cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA= +cloud.google.com/go/iam v1.1.5 h1:1jTsCu4bcsNsE4iiqNT5SHwrDRCfRmIaaaVFhRveTJI= +cloud.google.com/go/iam v1.1.5/go.mod h1:rB6P/Ic3mykPbFio+vo7403drjlgvoWfYpJhMXEbzv8= +cloud.google.com/go/kms v1.15.5 h1:pj1sRfut2eRbD9pFRjNnPNg/CzJPuQAzUujMIM1vVeM= +cloud.google.com/go/kms v1.15.5/go.mod h1:cU2H5jnp6G2TDpUGZyqTCoy1n16fbubHZjmVXSMtwDI= +cloud.google.com/go/pubsub v1.33.0 h1:6SPCPvWav64tj0sVX/+npCBKhUi/UjJehy9op/V3p2g= +cloud.google.com/go/pubsub v1.33.0/go.mod h1:f+w71I33OMyxf9VpMVcZbnG5KSUkCOUHYpFd5U1GdRc= +github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= +github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= +github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= +github.com/cloudevents/sdk-go/v2 v2.14.0 h1:Nrob4FwVgi5L4tV9lhjzZcjYqFVyJzsA56CwPaPfv6s= +github.com/cloudevents/sdk-go/v2 v2.14.0/go.mod h1:xDmKfzNjM8gBvjaF8ijFjM1VYOVUEeUfapHMUX1T5To= +github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= +github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= +github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= +github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= +github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= +github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE= +github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= +github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= +github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= +github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= +github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= +github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= +github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8= +github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= +github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= +github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= +github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= +github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/s2a-go v0.1.7 h1:60BLSyTrOV4/haCDW4zb1guZItoSq8foHCXrAnjBo/o= +github.com/google/s2a-go v0.1.7/go.mod h1:50CgR4k1jNlWBu4UfS4AcfhVe1r6pdZPygJ3R8F0Qdw= +github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.4.0 h1:MtMxsa51/r9yyhkyLsVeVt0B+BGQZzpQiTQ4eHZ8bc4= +github.com/google/uuid v1.4.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/googleapis/enterprise-certificate-proxy v0.3.2 h1:Vie5ybvEvT75RniqhfFxPRy3Bf7vr3h0cechB90XaQs= +github.com/googleapis/enterprise-certificate-proxy v0.3.2/go.mod h1:VLSiSSBs/ksPL8kq3OBOQ6WRI2QnaFynd1DCjZ62+V0= +github.com/googleapis/gax-go/v2 v2.12.0 h1:A+gCJKdRfqXkr+BIRGtZLibNXf0m1f9E4HG56etFpas= +github.com/googleapis/gax-go/v2 v2.12.0/go.mod h1:y+aIqrI5eb1YGMVJfuV3185Ts/D7qKpsEkdD5+I6QGU= +github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= +github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= +github.com/kelseyhightower/envconfig v1.4.0 h1:Im6hONhd3pLkfDFsbRgu68RDNkGF1r3dvMUtDTo2cv8= +github.com/kelseyhightower/envconfig v1.4.0/go.mod h1:cccZRl6mQpaq41TPp5QxidR+Sa3axMbJDNb//FQX6Gg= +github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M= +github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= +github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= +github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= +github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk= +github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= +github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw= +github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc= +go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= +go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= +go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A= +go.uber.org/goleak v1.2.1/go.mod h1:qlT2yGI9QafXHhZZLxlSuNsMw3FFLxBr+tBRlmO1xH4= +go.uber.org/multierr v1.10.0 h1:S0h4aNzvfcFsC3dRF1jLoaov7oRaKqRGC/pUEJ2yvPQ= +go.uber.org/multierr v1.10.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= +go.uber.org/zap v1.26.0 h1:sI7k6L95XOKS281NhVKOFCUNIvv9e0w4BF8N3u+tCRo= +go.uber.org/zap v1.26.0/go.mod h1:dtElttAiwGvoJ/vj4IwHBS/gXsEu/pZ50mUIRWuG0so= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.16.0 h1:mMMrFzRSCF0GvB7Ne27XVtVAaXLrPmgPC7/v0tkwHaY= +golang.org/x/crypto v0.16.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4= +golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= +golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= +golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= +golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c= +golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U= +golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= +golang.org/x/oauth2 v0.15.0 h1:s8pnnxNVzjWyrvYdFUQq5llS1PX2zhPXmccZv99h7uQ= +golang.org/x/oauth2 v0.15.0/go.mod h1:q48ptWNTY5XWf+JNten23lcvHpLJ0ZSxF5ttTHKVCAM= +golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE= +golang.org/x/sync v0.5.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc= +golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= +golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= +golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= +golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= +golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +google.golang.org/api v0.152.0 h1:t0r1vPnfMc260S2Ci+en7kfCZaLOPs5KI0sVV/6jZrY= +google.golang.org/api v0.152.0/go.mod h1:3qNJX5eOmhiWYc67jRA/3GsDw97UFb5ivv7Y2PrriAY= +google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= +google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= +google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= +google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= +google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= +google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= +google.golang.org/genproto v0.0.0-20231106174013-bbf56f31fb17 h1:wpZ8pe2x1Q3f2KyT5f8oP/fa9rHAKgFPr/HZdNuS+PQ= +google.golang.org/genproto v0.0.0-20231106174013-bbf56f31fb17/go.mod h1:J7XzRzVy1+IPwWHZUzoD0IccYZIrXILAQpc+Qy9CMhY= +google.golang.org/genproto/googleapis/api v0.0.0-20231106174013-bbf56f31fb17 h1:JpwMPBpFN3uKhdaekDpiNlImDdkUAyiJ6ez/uxGaUSo= +google.golang.org/genproto/googleapis/api v0.0.0-20231106174013-bbf56f31fb17/go.mod h1:0xJLfVdJqpAPl8tDg1ujOCGzx6LFLttXT5NhllGOXY4= +google.golang.org/genproto/googleapis/rpc v0.0.0-20231120223509-83a465c0220f h1:ultW7fxlIvee4HYrtnaRPon9HpEgFk5zYpmfMgtKB5I= +google.golang.org/genproto/googleapis/rpc v0.0.0-20231120223509-83a465c0220f/go.mod h1:L9KNLi232K1/xB6f7AlSX692koaRnKaWSR0stBki0Yc= +google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= +google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= +google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= +google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= +google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= +google.golang.org/grpc v1.59.0 h1:Z5Iec2pjwb+LEOqzpB2MR12/eKFhDPhuqW91O+4bwUk= +google.golang.org/grpc v1.59.0/go.mod h1:aUPDwccQo6OTjy7Hct4AfBPD1GptF4fyUjIkQ9YtF98= +google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= +google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= +google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= +google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= +google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= +google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= +google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= +google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= +google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8= +google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +knative.dev/pkg v0.0.0-20231204120332-9386ad6703ee h1:O1bJlEC4pzAEyTt8+f0Qe50QqS2JJxhK269CAGZ68vg= +knative.dev/pkg v0.0.0-20231204120332-9386ad6703ee/go.mod h1:aJX49KSaKufMCwJgrCbHxXLTQ/j6LGspSZxn9VIv51w= diff --git a/pkg/pubsub/cloudevent.go b/pkg/pubsub/cloudevent.go new file mode 100644 index 00000000..ccbab8a3 --- /dev/null +++ b/pkg/pubsub/cloudevent.go @@ -0,0 +1,42 @@ +/* +Copyright 2023 Chainguard, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package pubsub + +import ( + "context" + "log" + "time" + + "cloud.google.com/go/pubsub" + cloudevents "github.com/cloudevents/sdk-go/v2" + "github.com/cloudevents/sdk-go/v2/types" +) + +func FromCloudEvent(_ context.Context, event cloudevents.Event) *pubsub.Message { + attributes := map[string]string{ + "ce-id": event.ID(), + "ce-specversion": event.SpecVersion(), + "ce-type": event.Type(), + "ce-source": event.Source(), + "ce-subject": event.Subject(), + "ce-time": event.Time().UTC().Format(time.RFC3339), + "content-type": event.DataContentType(), + } + + for k, v := range event.Extensions() { + sv, err := types.ToString(v) + if err != nil { + log.Printf("encountered non-string extension %q: %v", k, err) + continue + } + attributes["ce-"+k] = sv + } + + return &pubsub.Message{ + Attributes: attributes, + Data: event.Data(), + } +} diff --git a/pkg/pubsub/cloudevent_test.go b/pkg/pubsub/cloudevent_test.go new file mode 100644 index 00000000..0c27e56c --- /dev/null +++ b/pkg/pubsub/cloudevent_test.go @@ -0,0 +1,118 @@ +/* +Copyright 2023 Chainguard, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package pubsub + +import ( + "context" + "testing" + "time" + + "cloud.google.com/go/pubsub" + cloudevents "github.com/cloudevents/sdk-go/v2" + "github.com/google/go-cmp/cmp" + "github.com/google/go-cmp/cmp/cmpopts" +) + +func TestFromCloudEvent(t *testing.T) { + now := time.Unix(123456789, 0) + tests := []struct { + name string + in cloudevents.Event + out *pubsub.Message + }{{ + name: "simple empty payload", + in: func() cloudevents.Event { + event := cloudevents.NewEvent() + event.SetID("id") + event.SetSource("source") + event.SetType("type") + event.SetSubject("subject") + event.SetTime(now) + + event.SetData(cloudevents.ApplicationJSON, map[string]interface{}{}) + return event + }(), + out: &pubsub.Message{ + Attributes: map[string]string{ + "ce-id": "id", + "ce-source": "source", + "ce-specversion": "1.0", + "ce-type": "type", + "ce-subject": "subject", + "ce-time": "1973-11-29T21:33:09Z", + "content-type": "application/json", + }, + Data: []byte("{}"), + }, + }, { + name: "non-empty payload", + in: func() cloudevents.Event { + event := cloudevents.NewEvent() + event.SetID("id") + event.SetSource("source") + event.SetType("another-type") + event.SetSubject("subject") + event.SetTime(now) + + event.SetData(cloudevents.ApplicationJSON, map[string]interface{}{ + "foo": "bar", + "baz": 3, + }) + return event + }(), + out: &pubsub.Message{ + Attributes: map[string]string{ + "ce-id": "id", + "ce-source": "source", + "ce-specversion": "1.0", + "ce-type": "another-type", + "ce-subject": "subject", + "ce-time": "1973-11-29T21:33:09Z", + "content-type": "application/json", + }, + Data: []byte(`{"baz":3,"foo":"bar"}`), + }, + }, { + name: "with extensions", + in: func() cloudevents.Event { + event := cloudevents.NewEvent() + event.SetID("id") + event.SetSource("source") + event.SetType("another-type") + event.SetSubject("subject") + event.SetTime(now) + + event.SetData(cloudevents.ApplicationJSON, map[string]interface{}{}) + + event.SetExtension("ext1", "value1") + event.SetExtension("ext2", "value2") + return event + }(), + out: &pubsub.Message{ + Attributes: map[string]string{ + "ce-id": "id", + "ce-source": "source", + "ce-specversion": "1.0", + "ce-type": "another-type", + "ce-subject": "subject", + "ce-time": "1973-11-29T21:33:09Z", + "ce-ext1": "value1", + "ce-ext2": "value2", + "content-type": "application/json", + }, + Data: []byte("{}"), + }, + }} + + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + out := FromCloudEvent(context.Background(), test.in) + if diff := cmp.Diff(out, test.out, cmpopts.IgnoreUnexported(pubsub.Message{})); diff != "" { + t.Errorf("(-got, +want): %s", diff) + } + }) + } +}