Upgrade the document format (secretflow#118)

repo-sync-2023-09-19T11:28:29+0800
imwangyt · Sep 19, 2023 · 2b2b097 · 2b2b097
1 parent d0f38a4
commit 2b2b097
Show file tree

Hide file tree

Showing 107 changed files with 6,432 additions and 1,621 deletions.
diff --git a/.bazelrc b/.bazelrc
@@ -0,0 +1,80 @@
+# Copyright 2023 Ant Group Co., Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+common --experimental_repo_remote_exec
+
+build --incompatible_new_actions_api=false
+build --copt=-fdiagnostics-color=always
+build --enable_platform_specific_config
+
+build --cxxopt=-std=c++17
+build --host_cxxopt=-std=c++17
+
+# Binary safety flags
+build --host_copt=-fPIE
+build --host_copt=-fstack-protector-strong
+build:linux --host_copt=-Wl,-z,noexecstack
+build:macos --host_copt=-Wa,--noexecstack
+
+# platform specific config
+# Bazel will automatic pick platform config since we have enable_platform_specific_config set
+
+build:macos --features=-supports_dynamic_linker
+build:macos --cxxopt -Wno-deprecated-enum-enum-conversion
+build:macos --cxxopt -Wno-deprecated-anon-enum-enum-conversion
+
+build:asan --strip=never
+build:asan --copt -fno-sanitize-recover=all
+build:asan --copt -fsanitize=address
+build:asan --copt -Og
+build:asan --copt -g
+build:asan --copt -fno-omit-frame-pointer
+build:asan --linkopt -fsanitize=address
+
+build:ubsan --strip=never
+build:ubsan --copt -fno-sanitize-recover=all
+build:ubsan --copt -fsanitize=undefined
+build:ubsan --copt -Og
+build:ubsan --copt -g
+build:ubsan --copt -fno-omit-frame-pointer
+build:ubsan --linkopt -fsanitize=undefined
+
+# see https://github.com/bazelbuild/bazel/issues/6932, _FORTIFY_SOURCE=1 is enabled by default
+# on Mac OS, which breaks ASAN. bazel has officially added sanitizer support to Apple Platforms,
+# see commit: https://github.com/bazelbuild/bazel/commit/6ab161e2d5b8ad9cf191be1b362cd4619f3bb956
+build:macos-asan --features=asan
+build:macos-ubsan --features=ubsan
+
+
+test --keep_going
+test --test_output=errors
+test --test_timeout=180
+
+test:asan --strip=never
+test:asan --copt -fno-sanitize-recover=all
+test:asan --copt -fsanitize=address
+test:asan --copt -O0
+test:asan --copt -g
+test:asan --copt -fno-omit-frame-pointer
+test:asan --linkopt -fsanitize=address
+test:asan --linkopt -static-libasan
+
+test:ubsan --strip=never
+test:ubsan --copt -fno-sanitize-recover=all
+test:ubsan --copt -fsanitize=undefined
+test:ubsan --copt -O0
+test:ubsan --copt -g
+test:ubsan --copt -fno-omit-frame-pointer
+test:ubsan --linkopt -fsanitize=undefined
+test:ubsan --linkopt -static-libubsan
diff --git a/.bazelversion b/.bazelversion
@@ -0,0 +1 @@
+5.4.1
diff --git a/.gitignore b/.gitignore
@@ -5,4 +5,11 @@
 .vscode
 /test-results/
 /docs/_build/
-/thirdparty/fate/build/apps/
+/thirdparty/fate/build/apps/
+
+# bazel
+bazel-*
+
+# Python virtualenv
+.venv
+.DS_Store
diff --git a/BUILD.bazel b/BUILD.bazel
@@ -0,0 +1,13 @@
+# Copyright 2023 Ant Group Co., Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
diff --git a/WORKSPACE b/WORKSPACE
@@ -0,0 +1,20 @@
+workspace(name = "kuscia")
+
+load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
+load("@bazel_tools//tools/build_defs/repo:utils.bzl", "maybe")
+
+
+maybe(
+    http_archive,
+    name = "com_google_protobuf",
+    sha256 = "ba0650be1b169d24908eeddbe6107f011d8df0da5b1a5a4449a913b10e578faf",
+    strip_prefix = "protobuf-3.19.4",
+    type = "tar.gz",
+    urls = [
+        "https://github.com/protocolbuffers/protobuf/releases/download/v3.19.4/protobuf-all-3.19.4.tar.gz",
+    ],
+)
+
+load("@com_google_protobuf//:protobuf_deps.bzl", "protobuf_deps")
+
+protobuf_deps()
diff --git a/cmd/kuscia/autonomy/autonomy.go b/cmd/kuscia/autonomy/autonomy.go
@@ -78,7 +78,7 @@ func getInitConfig(flagConfigFile string, flagDomainID string) *modules.Dependen
 			KubeConfig: conf.KubeconfigFile,
 			Endpoint:   conf.ApiserverEndpoint,
 		},
-		ApiWhitelist: conf.KusciaConfig.Master.ApiWhitelist,
+		APIWhitelist: conf.KusciaConfig.Master.APIWhitelist,
 	}
 
 	hostIP, err := network.GetHostIP()

diff --git a/cmd/kuscia/lite/lite.go b/cmd/kuscia/lite/lite.go
@@ -125,6 +125,7 @@ func NewLiteCommand(ctx context.Context) *cobra.Command {
 			wg.Wait()
 
 			modules.RunAgent(runCtx, cancel, conf)
+			modules.RunConfManager(runCtx, cancel, conf)
 			modules.RunDataMesh(runCtx, cancel, conf)
 			if debug {
 				utils.SetupPprof(debugPort)

diff --git a/cmd/kuscia/master/master.go b/cmd/kuscia/master/master.go
@@ -78,7 +78,7 @@ func getInitConfig(configFile string, flagDomainID string) *modules.Dependencies
 			KubeConfig: conf.KubeconfigFile,
 			Endpoint:   conf.ApiserverEndpoint,
 		},
-		ApiWhitelist: conf.KusciaConfig.Master.ApiWhitelist,
+		APIWhitelist: conf.KusciaConfig.Master.APIWhitelist,
 	}
 	err = modules.EnsureDir(conf)
 	if err != nil {
@@ -128,6 +128,7 @@ func NewMasterCommand(ctx context.Context) *cobra.Command {
 				// wait any controller failed
 			} else {
 				modules.RunK3s(runctx, cancel, conf)
+				modules.RunConfManager(runctx, cancel, conf)
 
 				// use the current context in kubeconfig
 				clients, err := kubeconfig.CreateClientSetsFromKubeconfig(conf.KubeconfigFile, conf.ApiserverEndpoint)

diff --git a/cmd/kuscia/modules/confmanager.go b/cmd/kuscia/modules/confmanager.go
@@ -0,0 +1,163 @@
+// Copyright 2023 Ant Group Co., Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package modules
+
+import (
+	"bytes"
+	"context"
+	"crypto/tls"
+	"encoding/json"
+	"fmt"
+	"io"
+	"time"
+
+	"github.com/secretflow/kuscia/pkg/confmanager/commands"
+	"github.com/secretflow/kuscia/pkg/confmanager/config"
+	"github.com/secretflow/kuscia/pkg/utils/nlog"
+	tlsutils "github.com/secretflow/kuscia/pkg/utils/tls"
+	"github.com/secretflow/kuscia/pkg/web/constants"
+	"github.com/secretflow/kuscia/pkg/web/utils"
+	"github.com/secretflow/kuscia/proto/api/v1alpha1/kusciaapi"
+)
+
+type confManagerModule struct {
+	conf *config.ConfManagerConfig
+}
+
+func NewConfManager(d *Dependencies) Module {
+	// overwrite config
+	conf := config.NewDefaultConfManagerConfig(d.RootDir)
+	if d.ConfManager.HTTPPort != 0 {
+		conf.HTTPPort = d.ConfManager.HTTPPort
+	}
+	if d.ConfManager.GRPCPort != 0 {
+		conf.GRPCPort = d.ConfManager.GRPCPort
+	}
+	if d.ConfManager.ConnectTimeout != 0 {
+		conf.ConnectTimeout = d.ConfManager.ConnectTimeout
+	}
+	if d.ConfManager.ReadTimeout != 0 {
+		conf.ReadTimeout = d.ConfManager.ReadTimeout
+	}
+	if d.ConfManager.WriteTimeout != 0 {
+		conf.WriteTimeout = d.ConfManager.WriteTimeout
+	}
+	if d.ConfManager.IdleTimeout != 0 {
+		conf.IdleTimeout = d.ConfManager.IdleTimeout
+	}
+	if d.ConfManager.EnableConfAuth != false {
+		conf.EnableConfAuth = d.ConfManager.EnableConfAuth
+	}
+	if d.ConfManager.TLSConfig != nil {
+		conf.TLSConfig = d.ConfManager.TLSConfig
+	}
+	if d.ConfManager.SecretBackend != nil && d.ConfManager.SecretBackend.Driver != "" {
+		conf.SecretBackend = d.ConfManager.SecretBackend
+	}
+
+	// set namespace
+	nlog.Infof("ConfManager namespace:%s.", d.DomainID)
+	return &confManagerModule{
+		conf: conf,
+	}
+}
+
+func (m confManagerModule) Run(ctx context.Context) error {
+	return commands.Run(ctx, m.conf)
+}
+
+func (m confManagerModule) WaitReady(ctx context.Context) error {
+	timeoutTicker := time.NewTicker(30 * time.Second)
+	checkTicker := time.NewTicker(1 * time.Second)
+	for {
+		select {
+		case <-checkTicker.C:
+			if m.readyZ() {
+				return nil
+			}
+		case <-ctx.Done():
+			return ctx.Err()
+		case <-timeoutTicker.C:
+			return fmt.Errorf("wait confmanager ready timeout")
+		}
+	}
+}
+
+func (m confManagerModule) Name() string {
+	return "confmanager"
+}
+
+func (m confManagerModule) readyZ() bool {
+	var clientTLSConfig *tls.Config
+	var err error
+	// init client tls config
+	tlsConfig := m.conf.TLSConfig
+	clientTLSConfig, err = tlsutils.BuildClientTLSConfig(tlsConfig.RootCAFile, tlsConfig.ServerCertFile, tlsConfig.ServerKeyFile)
+	if err != nil {
+		nlog.Errorf("local tls config error: %v", err)
+		return false
+	}
+
+	// check http server ready
+	httpClient := utils.BuildHTTPClient(clientTLSConfig)
+	httpURL := fmt.Sprintf("%s://%s:%d%s", constants.SchemaHTTPS, constants.LocalhostIP, m.conf.HTTPPort, constants.HealthAPI)
+	body, err := json.Marshal(&kusciaapi.HealthRequest{})
+	if err != nil {
+		nlog.Errorf("marshal health request error: %v", err)
+		return false
+	}
+	resp, err := httpClient.Post(httpURL, constants.HTTPDefaultContentType, bytes.NewReader(body))
+	if err != nil {
+		nlog.Errorf("send health request error: %v", err)
+		return false
+	}
+	if resp == nil || resp.Body == nil {
+		nlog.Error("resp must has body")
+		return false
+	}
+	defer resp.Body.Close()
+	healthResp := &kusciaapi.HealthResponse{}
+	respBytes, err := io.ReadAll(resp.Body)
+	if err != nil {
+		nlog.Errorf("read response body error: %v", err)
+		return false
+	}
+	if err = json.Unmarshal(respBytes, healthResp); err != nil {
+		nlog.Errorf("Unmarshal health response error: %v", err)
+		return false
+	}
+	if healthResp.Data == nil || !healthResp.Data.Ready {
+		return false
+	}
+	nlog.Infof("http server is ready")
+	return true
+}
+
+func RunConfManager(ctx context.Context, cancel context.CancelFunc, conf *Dependencies) Module {
+	m := NewConfManager(conf)
+	go func() {
+		if err := m.Run(ctx); err != nil {
+			nlog.Error(err)
+			cancel()
+		}
+	}()
+	if err := m.WaitReady(ctx); err != nil {
+		nlog.Error(err)
+		cancel()
+	} else {
+		nlog.Info("confmanager is ready")
+	}
+	return m
+}
diff --git a/cmd/kuscia/modules/datamesh.go b/cmd/kuscia/modules/datamesh.go
@@ -82,8 +82,7 @@ func (m dataMeshModule) Name() string {
 func (m dataMeshModule) readyZ() bool {
 	var clientTLSConfig *tls.Config
 	var err error
-	host := "127.0.0.1"
-	schema := "http"
+	schema := constants.SchemaHTTP
 	// init client tls config
 	tlsConfig := m.conf.TLSConfig
 	if tlsConfig != nil {
@@ -92,12 +91,12 @@ func (m dataMeshModule) readyZ() bool {
 			nlog.Errorf("local tls config error: %v", err)
 			return false
 		}
-		schema = "https"
+		schema = constants.SchemaHTTPS
 	}
 
 	// check http server ready
 	httpClient := utils.BuildHTTPClient(clientTLSConfig)
-	httpURL := fmt.Sprintf("%s://%s:%d%s", schema, host, m.conf.HTTPPort, constants.HealthAPI)
+	httpURL := fmt.Sprintf("%s://%s:%d%s", schema, constants.LocalhostIP, m.conf.HTTPPort, constants.HealthAPI)
 	body, err := json.Marshal(&kusciaapi.HealthRequest{})
 	if err != nil {
 		nlog.Errorf("marshal health request error: %v", err)

diff --git a/cmd/kuscia/modules/kusciaapi.go b/cmd/kuscia/modules/kusciaapi.go
@@ -93,8 +93,7 @@ func (m kusciaAPIModule) Name() string {
 func (m kusciaAPIModule) readyZ() bool {
 	var clientTLSConfig *tls.Config
 	var err error
-	host := "127.0.0.1"
-	schema := "http"
+	schema := constants.SchemaHTTP
 	// init client tls config
 	tlsConfig := m.conf.TLSConfig
 	if tlsConfig != nil {
@@ -103,7 +102,7 @@ func (m kusciaAPIModule) readyZ() bool {
 			nlog.Errorf("local tls config error: %v", err)
 			return false
 		}
-		schema = "https"
+		schema = constants.SchemaHTTPS
 	}
 
 	// token auth
@@ -121,7 +120,7 @@ func (m kusciaAPIModule) readyZ() bool {
 
 	// check http server ready
 	httpClient := utils.BuildHTTPClient(clientTLSConfig)
-	httpURL := fmt.Sprintf("%s://%s:%d%s", schema, host, m.conf.HTTPPort, constants.HealthAPI)
+	httpURL := fmt.Sprintf("%s://%s:%d%s", schema, constants.LocalhostIP, m.conf.HTTPPort, constants.HealthAPI)
 	body, err := json.Marshal(&kusciaapi.HealthRequest{})
 	if err != nil {
 		nlog.Errorf("marshal health request error: %v", err)
@@ -174,7 +173,7 @@ func (m kusciaAPIModule) readyZ() bool {
 		dialOpts = append(dialOpts, grpc.WithUnaryInterceptor(interceptor.GrpcClientTokenInterceptor(token)))
 	}
 
-	grpcAddr := fmt.Sprintf("%s:%d", host, m.conf.GRPCPort)
+	grpcAddr := fmt.Sprintf("%s:%d", constants.LocalhostIP, m.conf.GRPCPort)
 	grpcConn, err := grpc.Dial(grpcAddr, dialOpts...)
 	if err != nil {
 		nlog.Fatalf("did not connect: %v", err)