feat(proxy): Add microservice to proxy ollama requests

Signed-off-by: Rodney Osodo <[email protected]>

.github/workflows/cd.yaml

@@ -0,0 +1,48 @@
+name: Create and publish Vault Proxy Docker image
+
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - "v*"
+    paths:
+      - ".github/workflows/cd.yaml"
+      - "proxy/**"
+
+  workflow_dispatch:
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build-and-push-image:
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Fetch tags for the build
+        run: |
+          git fetch --prune --unshallow --tags
+
+      - name: Set up Docker Build
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push Docker image
+        run: |
+          cd proxy
+          make latest

.github/workflows/proxy-ci.yaml

@@ -0,0 +1,45 @@
+name: Continuous Integration
+
+on:
+  pull_request:
+    branches:
+      - main
+    paths:
+      - ".github/workflows/cd.yaml"
+      - "proxy/**"
+
+  push:
+    branches:
+      - main
+    paths:
+      - ".github/workflows/cd.yaml"
+      - "proxy/**"
+
+  workflow_dispatch:
+
+jobs:
+  lint-and-build: # Linting and building are combined to save time for setting up Go
+    name: Lint and Build
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: ./proxy
+
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: 1.23.x
+          cache-dependency-path: "go.sum"
+
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@v6
+        with:
+          version: v1.60.1
+
+      - name: Build proxy
+        run: |
+          make all

.gitignore

@@ -8,3 +8,6 @@ cloud-init/meta-data
 
 # Traefik files
 acme.json
+
+# Proxy Build
+proxy/build

docker-compose/.env

@@ -142,3 +142,11 @@ MG_GOOGLE_STATE=
 
 # Docker image tag
 MG_RELEASE_TAG=latest
+
+# Proxy
+UV_VAULT_PROXY_LOG_LEVEL=info
+UV_VAULT_PROXY_HOST=0.0.0.0
+UV_VAULT_PROXY_PORT=8900
+UV_VAULT_PROXY_SERVER_CERT=
+UV_VAULT_PROXY_SERVER_KEY=
+UV_VAULT_PROXY_TARGET_URL=http://ollama:11434

docker-compose/compose.yaml

@@ -9,17 +9,19 @@ include:
     env_file: .env
   - path: ./magistrala-compose.yaml
     env_file: .env
+  - path: ./proxy-compose.yaml
+    env_file: .env
 
 services:
   traefik:
     container_name: traefik
-    image: traefik:v2.11.8
+    image: traefik:v3.1.2
     restart: unless-stopped
     command: --api.insecure=true --providers.docker
     ports:
       - 80:80
       - 443:443
-      # - 8089:8080 Enable for development
+      # - 8089:8080 # Enable for development
     volumes:
       - ./traefik/traefik.yaml:/etc/traefik/traefik.yaml
       - ./traefik/dynamic.yaml:/etc/traefik/dynamic.yaml

docker-compose/proxy-compose.yaml

@@ -0,0 +1,39 @@
+services:
+  vault-proxy:
+    container_name: vault-proxy
+    image: ghcr.io/ultravioletrs/vault/proxy:latest
+    restart: on-failure
+    networks:
+      - vault-network
+    depends_on:
+      - auth
+    environment:
+      UV_VAULT_PROXY_LOG_LEVEL: ${UV_VAULT_PROXY_LOG_LEVEL}
+      UV_VAULT_PROXY_HOST: ${UV_VAULT_PROXY_HOST}
+      UV_VAULT_PROXY_PORT: ${UV_VAULT_PROXY_PORT}
+      UV_VAULT_PROXY_SERVER_CERT: ${UV_VAULT_PROXY_SERVER_CERT}
+      UV_VAULT_PROXY_SERVER_KEY: ${UV_VAULT_PROXY_SERVER_KEY}
+      MG_AUTH_GRPC_URL: ${MG_AUTH_GRPC_URL}
+      MG_AUTH_GRPC_TIMEOUT: ${MG_AUTH_GRPC_TIMEOUT}
+      MG_AUTH_GRPC_CLIENT_CERT: ${MG_AUTH_GRPC_CLIENT_CERT:+/auth-grpc-client.crt}
+      MG_AUTH_GRPC_CLIENT_KEY: ${MG_AUTH_GRPC_CLIENT_KEY:+/auth-grpc-client.key}
+      MG_AUTH_GRPC_SERVER_CA_CERTS: ${MG_AUTH_GRPC_SERVER_CA_CERTS:+/auth-grpc-server-ca.crt}
+      MG_SEND_TELEMETRY: ${MG_SEND_TELEMETRY}
+      UV_VAULT_PROXY_TARGET_URL: ${UV_VAULT_PROXY_TARGET_URL}
+    volumes:
+      # Auth gRPC client certificates
+      - type: bind
+        source: ${MG_AUTH_GRPC_CLIENT_CERT:-ssl/certs/dummy/client_cert}
+        target: /auth-grpc-client${MG_AUTH_GRPC_CLIENT_CERT:+.crt}
+        bind:
+          create_host_path: true
+      - type: bind
+        source: ${MG_AUTH_GRPC_CLIENT_KEY:-ssl/certs/dummy/client_key}
+        target: /auth-grpc-client${MG_AUTH_GRPC_CLIENT_KEY:+.key}
+        bind:
+          create_host_path: true
+      - type: bind
+        source: ${MG_AUTH_GRPC_SERVER_CA_CERTS:-ssl/certs/dummy/server_ca}
+        target: /auth-grpc-server-ca${MG_AUTH_GRPC_SERVER_CA_CERTS:+.crt}
+        bind:
+          create_host_path: true

docker-compose/traefik/dynamic.yaml

@@ -56,15 +56,10 @@ http:
           interval: 10s
           timeout: 10s
 
-    ollama:
+    vault-proxy:
       loadBalancer:
         servers:
-          - url: http://ollama:11434
-        healthCheck:
-          scheme: http
-          path: /
-          interval: 10s
-          timeout: 10s
+          - url: http://vault-proxy:8900
 
   # Listed in ascending order of priority
 
@@ -116,25 +111,16 @@ http:
       rule: "PathPrefix(`/ollama`)"
       entryPoints:
         - websecure
-      service: ollama
+      service: vault-proxy
       middlewares:
         - strip-ollama-prefix-middleware
         - retry-middleware
         - headers-middleware
       priority: 9
 
-    users-groups:
-      rule: "Path(`/groups/{group_id}/users`)"
-      entryPoints:
-        - websecure
-      service: users
-      middlewares:
-        - retry-middleware
-        - headers-middleware
-      priority: 8
-
-    users-channels:
-      rule: "Path(`/channels/{channel_id}/users`)"
+    users-entities:
+      # /groups/{group_id}/users or /channels/{channel_id}/users or /domains/{domain_id}/users
+      rule: "PathRegexp(`^/(groups|channels|domains)/(.+)/users`)"
       entryPoints:
         - websecure
       service: users
@@ -153,18 +139,9 @@ http:
         - headers-middleware
       priority: 7
 
-    groups-channels:
-      rule: "Path(`/channels/{member_id}/groups`)"
-      entryPoints:
-        - websecure
-      service: users
-      middlewares:
-        - retry-middleware
-        - headers-middleware
-      priority: 8
-
-    groups-users:
-      rule: "Path(`/users/{member_id}/groups`)"
+    groups-entities:
+      # /channels/{member_id}/groups or /users/{member_id}/groups
+      rule: "PathRegexp(`^/(channels|users)/(.+)/groups`)"
       entryPoints:
         - websecure
       service: users
@@ -183,18 +160,9 @@ http:
         - headers-middleware
       priority: 7
 
-    domains:
-      rule: "Path(`/domains/{domain_id}/users`)"
-      entryPoints:
-        - websecure
-      service: users
-      middlewares:
-        - retry-middleware
-        - headers-middleware
-      priority: 8
-
-    auth-domains:
-      rule: "Path(`/users/{member_id}/domains`)"
+    auth-entities:
+      # /users/{member_id}/domains
+      rule: "PathRegexp(`^/users/(.+)/domains`)"
       entryPoints:
         - websecure
       service: auth

docker-compose/traefik/traefik.yaml

@@ -3,13 +3,18 @@ global:
   sendAnonymousUsage: false
 
 log:
-  compress:
+  compress: true
   format: json
   level: ERROR
 
 accessLog:
   format: json
 
+tracing:
+  otlp:
+    http:
+      endpoint: http://jaeger:4318/v1/traces
+
 api:
   dashboard: false # Change to true for development
   debug: true

proxy/Makefile

@@ -0,0 +1,54 @@
+VAULT_DOCKER_IMAGE_NAME ?= ghcr.io/ultravioletrs/vault/proxy
+CGO_ENABLED ?= 0
+GOOS ?= linux
+GOARCH ?= amd64
+BUILD_DIR = build
+VERSION ?= $(shell git describe --abbrev=0 --tags 2>/dev/null || echo 'v0.0.0')
+
+define compile_service
+	CGO_ENABLED=$(CGO_ENABLED) GOOS=$(GOOS) GOARCH=$(GOARCH) \
+	go build -ldflags "-s -w" -o ${BUILD_DIR}/ 
+endef
+
+define make_docker
+	docker build \
+		--no-cache \
+		--build-arg GOOS=$(GOOS) \
+		--build-arg GOARCH=$(GOARCH) \
+		--tag=$(VAULT_DOCKER_IMAGE_NAME):$(VERSION) \
+		--tag=$(VAULT_DOCKER_IMAGE_NAME):latest \
+		-f docker/Dockerfile .
+endef
+
+define make_docker_dev
+	docker build \
+		--no-cache \
+		--tag=$(VAULT_DOCKER_IMAGE_NAME):$(VERSION) \
+		--tag=$(VAULT_DOCKER_IMAGE_NAME):latest \
+		-f docker/Dockerfile.dev ./build
+endef
+
+define docker_push
+	docker push $(VAULT_DOCKER_IMAGE_NAME):$(VERSION)
+	docker push $(VAULT_DOCKER_IMAGE_NAME):latest
+endef
+
+.PHONY: build
+build:
+	$(call compile_service)
+
+.PHONY: docker
+docker:
+	$(call make_docker)
+
+.PHONY: docker-dev
+docker-dev:
+	$(call make_docker_dev)
+
+all: build docker
+
+clean:
+	rm -rf build
+
+latest: docker
+	$(call docker_push)

proxy/docker/Dockerfile

@@ -0,0 +1,17 @@
+FROM golang:1.23-alpine AS builder
+ARG SVC
+ARG GOOS
+ARG GOARCH
+
+WORKDIR /go/src/github.com/ultraviolet/vault-proxy
+COPY . .
+RUN apk update \
+    && apk add make upx\
+    && make build \
+    && upx build/vault-proxy \
+    && mv build/vault-proxy /exe
+
+FROM scratch
+COPY --from=builder /exe /
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+ENTRYPOINT ["/exe"]

proxy/docker/Dockerfile.dev

@@ -0,0 +1,4 @@
+FROM scratch
+COPY vault-proxy /exe
+COPY --from=alpine:latest /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+ENTRYPOINT ["/exe"]