feat(proxy): Add microservice to proxy ollama requests

Signed-off-by: Rodney Osodo <[email protected]>

.github/workflows/cd.yaml

@@ -0,0 +1,48 @@
+name: Create and publish Vault Proxy Docker image
+
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - "v*"
+    paths:
+      - ".github/workflows/cd.yaml"
+      - "proxy/**"
+
+  workflow_dispatch:
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build-and-push-image:
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Fetch tags for the build
+        run: |
+          git fetch --prune --unshallow --tags
+
+      - name: Set up Docker Build
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push Docker image
+        run: |
+          cd proxy
+          make latest

.github/workflows/proxy-ci.yaml

@@ -0,0 +1,43 @@
+name: Continuous Integration
+
+on:
+  pull_request:
+    branches:
+      - main
+    paths:
+      - ".github/workflows/cd.yaml"
+      - "proxy/**"
+
+  push:
+    branches:
+      - main
+    paths:
+      - ".github/workflows/cd.yaml"
+      - "proxy/**"
+
+  workflow_dispatch:
+
+jobs:
+  lint-and-build: # Linting and building are combined to save time for setting up Go
+    name: Lint and Build
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: 1.23.x
+          cache-dependency-path: "go.sum"
+
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@v6
+        with:
+          working-directory: proxy
+          version: v1.60.1
+
+      - name: Build proxy
+        run: |
+          cd proxy && make all

.gitignore

@@ -8,3 +8,6 @@ cloud-init/meta-data
 
 # Traefik files
 acme.json
+
+# Proxy Build
+proxy/build

docker-compose/.env

@@ -142,3 +142,11 @@ MG_GOOGLE_STATE=
 
 # Docker image tag
 MG_RELEASE_TAG=latest
+
+# Proxy
+UV_VAULT_PROXY_LOG_LEVEL=info
+UV_VAULT_PROXY_HOST=0.0.0.0
+UV_VAULT_PROXY_PORT=8900
+UV_VAULT_PROXY_SERVER_CERT=
+UV_VAULT_PROXY_SERVER_KEY=
+UV_VAULT_PROXY_TARGET_URL=http://ollama:11434

docker-compose/compose.yaml

@@ -9,6 +9,8 @@ include:
     env_file: .env
   - path: ./magistrala-compose.yaml
     env_file: .env
+  - path: ./proxy-compose.yaml
+    env_file: .env
 
 services:
   traefik:

docker-compose/proxy-compose.yaml

@@ -0,0 +1,39 @@
+services:
+  vault-proxy:
+    container_name: vault-proxy
+    image: ghcr.io/ultravioletrs/vault/proxy:latest
+    restart: on-failure
+    networks:
+      - vault-network
+    depends_on:
+      - auth
+    environment:
+      UV_VAULT_PROXY_LOG_LEVEL: ${UV_VAULT_PROXY_LOG_LEVEL}
+      UV_VAULT_PROXY_HOST: ${UV_VAULT_PROXY_HOST}
+      UV_VAULT_PROXY_PORT: ${UV_VAULT_PROXY_PORT}
+      UV_VAULT_PROXY_SERVER_CERT: ${UV_VAULT_PROXY_SERVER_CERT}
+      UV_VAULT_PROXY_SERVER_KEY: ${UV_VAULT_PROXY_SERVER_KEY}
+      MG_AUTH_GRPC_URL: ${MG_AUTH_GRPC_URL}
+      MG_AUTH_GRPC_TIMEOUT: ${MG_AUTH_GRPC_TIMEOUT}
+      MG_AUTH_GRPC_CLIENT_CERT: ${MG_AUTH_GRPC_CLIENT_CERT:+/auth-grpc-client.crt}
+      MG_AUTH_GRPC_CLIENT_KEY: ${MG_AUTH_GRPC_CLIENT_KEY:+/auth-grpc-client.key}
+      MG_AUTH_GRPC_SERVER_CA_CERTS: ${MG_AUTH_GRPC_SERVER_CA_CERTS:+/auth-grpc-server-ca.crt}
+      MG_SEND_TELEMETRY: ${MG_SEND_TELEMETRY}
+      UV_VAULT_PROXY_TARGET_URL: ${UV_VAULT_PROXY_TARGET_URL}
+    volumes:
+      # Auth gRPC client certificates
+      - type: bind
+        source: ${MG_AUTH_GRPC_CLIENT_CERT:-ssl/certs/dummy/client_cert}
+        target: /auth-grpc-client${MG_AUTH_GRPC_CLIENT_CERT:+.crt}
+        bind:
+          create_host_path: true
+      - type: bind
+        source: ${MG_AUTH_GRPC_CLIENT_KEY:-ssl/certs/dummy/client_key}
+        target: /auth-grpc-client${MG_AUTH_GRPC_CLIENT_KEY:+.key}
+        bind:
+          create_host_path: true
+      - type: bind
+        source: ${MG_AUTH_GRPC_SERVER_CA_CERTS:-ssl/certs/dummy/server_ca}
+        target: /auth-grpc-server-ca${MG_AUTH_GRPC_SERVER_CA_CERTS:+.crt}
+        bind:
+          create_host_path: true

docker-compose/traefik/dynamic.yaml

@@ -56,15 +56,10 @@ http:
           interval: 10s
           timeout: 10s
 
-    ollama:
+    vault-proxy:
       loadBalancer:
         servers:
-          - url: http://ollama:11434
-        healthCheck:
-          scheme: http
-          path: /
-          interval: 10s
-          timeout: 10s
+          - url: http://vault-proxy:8900
 
   routers:
     users-health:
@@ -104,7 +99,7 @@ http:
       rule: "PathPrefix(`/ollama`)"
       entryPoints:
         - websecure
-      service: ollama
+      service: vault-proxy
       middlewares:
         - strip-ollama-prefix-middleware
         - retry-middleware

docker-compose/traefik/traefik.yaml

@@ -3,13 +3,18 @@ global:
   sendAnonymousUsage: false
 
 log:
-  compress:
+  compress: true
   format: json
   level: ERROR
 
 accessLog:
   format: json
 
+tracing:
+  otlp:
+    http:
+      endpoint: http://jaeger:4318/v1/traces
+
 api:
   dashboard: false # Change to true for development
   debug: true

proxy/Makefile

@@ -0,0 +1,54 @@
+VAULT_DOCKER_IMAGE_NAME ?= ghcr.io/ultravioletrs/vault/proxy
+CGO_ENABLED ?= 0
+GOOS ?= linux
+GOARCH ?= amd64
+BUILD_DIR = build
+VERSION ?= $(shell git describe --abbrev=0 --tags 2>/dev/null || echo 'v0.0.0')
+
+define compile_service
+	CGO_ENABLED=$(CGO_ENABLED) GOOS=$(GOOS) GOARCH=$(GOARCH) \
+	go build -ldflags "-s -w" -o ${BUILD_DIR}/ 
+endef
+
+define make_docker
+	docker build \
+		--no-cache \
+		--build-arg GOOS=$(GOOS) \
+		--build-arg GOARCH=$(GOARCH) \
+		--tag=$(VAULT_DOCKER_IMAGE_NAME):$(VERSION) \
+		--tag=$(VAULT_DOCKER_IMAGE_NAME):latest \
+		-f docker/Dockerfile .
+endef
+
+define make_docker_dev
+	docker build \
+		--no-cache \
+		--tag=$(VAULT_DOCKER_IMAGE_NAME):$(VERSION) \
+		--tag=$(VAULT_DOCKER_IMAGE_NAME):latest \
+		-f docker/Dockerfile.dev ./build
+endef
+
+define docker_push
+	docker push $(VAULT_DOCKER_IMAGE_NAME):$(VERSION)
+	docker push $(VAULT_DOCKER_IMAGE_NAME):latest
+endef
+
+.PHONY: build
+build:
+	$(call compile_service)
+
+.PHONY: docker
+docker:
+	$(call make_docker)
+
+.PHONY: docker-dev
+docker-dev:
+	$(call make_docker_dev)
+
+all: build docker-dev
+
+clean:
+	rm -rf build
+
+latest: docker
+	$(call docker_push)

proxy/docker/Dockerfile

@@ -0,0 +1,17 @@
+FROM golang:1.23-alpine AS builder
+ARG SVC
+ARG GOOS
+ARG GOARCH
+
+WORKDIR /go/src/github.com/ultraviolet/vault-proxy
+COPY . .
+RUN apk update \
+    && apk add make upx\
+    && make build \
+    && upx build/vault-proxy \
+    && mv build/vault-proxy /exe
+
+FROM scratch
+COPY --from=builder /exe /
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+ENTRYPOINT ["/exe"]

proxy/docker/Dockerfile.dev

@@ -0,0 +1,4 @@
+FROM scratch
+COPY vault-proxy /exe
+COPY --from=alpine:latest /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+ENTRYPOINT ["/exe"]

proxy/go.mod

@@ -0,0 +1,50 @@
+module github.com/ultraviolet/vault-proxy
+
+go 1.23.1
+
+require (
+	github.com/absmach/callhome v0.14.0
+	github.com/absmach/magistrala v0.14.1-0.20240910164952-1ce5952d1abd
+	github.com/absmach/mproxy v0.4.3-0.20240712131952-28f88581126a
+	github.com/caarlos0/env/v11 v11.2.2
+	golang.org/x/sync v0.8.0
+)
+
+require (
+	github.com/absmach/senml v1.0.5 // indirect
+	github.com/eclipse/paho.mqtt.golang v1.5.0 // indirect
+	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
+	github.com/go-gorp/gorp/v3 v3.1.0 // indirect
+	github.com/go-kit/kit v0.13.0 // indirect
+	github.com/go-kit/log v0.2.1 // indirect
+	github.com/go-logfmt/logfmt v0.6.0 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/gofrs/uuid v4.4.0+incompatible // indirect
+	github.com/gopherjs/gopherjs v1.17.2 // indirect
+	github.com/jackc/pgio v1.0.0 // indirect
+	github.com/jackc/pgpassfile v1.0.0 // indirect
+	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
+	github.com/jackc/pgtype v1.14.3 // indirect
+	github.com/jackc/pgx/v5 v5.7.1 // indirect
+	github.com/jackc/puddle/v2 v2.2.2 // indirect
+	github.com/jmoiron/sqlx v1.4.0 // indirect
+	github.com/jtolds/gls v4.20.0+incompatible // indirect
+	github.com/prometheus/common v0.59.1 // indirect
+	github.com/rogpeppe/go-internal v1.12.0 // indirect
+	github.com/rubenv/sql-migrate v1.7.0 // indirect
+	github.com/smarty/assertions v1.16.0 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.54.0 // indirect
+	go.opentelemetry.io/otel v1.29.0 // indirect
+	go.opentelemetry.io/otel/metric v1.29.0 // indirect
+	go.opentelemetry.io/otel/trace v1.29.0 // indirect
+	golang.org/x/crypto v0.27.0 // indirect
+	golang.org/x/net v0.29.0 // indirect
+	golang.org/x/sys v0.25.0 // indirect
+	golang.org/x/text v0.18.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240822170219-fc7c04adadcd // indirect
+	google.golang.org/grpc v1.66.0 // indirect
+	google.golang.org/protobuf v1.34.2 // indirect
+	moul.io/http2curl v1.0.0 // indirect
+)