chore: observability and security for HTTP gateway #1825

Merged (58 commits) on May 8, 2024
551303e
build: actual dapi-grpc clients
shumkov Apr 20, 2024
c36cc63
chore: secure platform API with limits and timeouts
shumkov Apr 20, 2024
4084338
fix: incorrect duration format
shumkov Apr 20, 2024
8b7ee1c
chore: update envoy to latest version
shumkov Apr 21, 2024
8bb2a2f
fix: rate limiter is not disabled and limit only new connections
shumkov Apr 22, 2024
63e2a82
feat: limit requests by ip
shumkov Apr 22, 2024
c8bc3cd
fix: rate limit service configuration
shumkov Apr 22, 2024
4a83f75
Merge branch 'v1.0-dev' into chore/dashmate/secure-api
shumkov Apr 23, 2024
71ae7d3
feat(dashmate): expose metrics and admin interface
shumkov Apr 23, 2024
b0332da
fix: incorrect rate limiter config mount
shumkov Apr 23, 2024
a78ce87
chore: bump version
shumkov Apr 24, 2024
a693e7c
chore: bump version 2
shumkov Apr 24, 2024
b783278
refactor: rename dapi envoy to gateway
shumkov Apr 24, 2024
d975a9b
chore: bump version to 3
shumkov Apr 24, 2024
b88ffdd
chore: revert default network name
shumkov Apr 24, 2024
8dd172d
chore: bump version to 4
shumkov Apr 24, 2024
80c24ae
chore: cargo lock
shumkov Apr 24, 2024
679081a
chore: rename dapi core streams service
shumkov Apr 25, 2024
892893c
fix: access logs configuration
shumkov Apr 25, 2024
cb399a5
feat: allow to configure log template
shumkov Apr 25, 2024
ab01400
feat(drive): query logging and metrics
shumkov Apr 26, 2024
c4ba18c
Merge branch 'v1.0-dev' into chore/dashmate/secure-api
shumkov Apr 26, 2024
c30cb57
chore: bump version to 5
shumkov Apr 26, 2024
3909b28
chore: commit lock
shumkov Apr 26, 2024
d867fe1
chore(dashmate): expose metrics from Drive
shumkov Apr 26, 2024
6f2a13e
fix: incorrect code label
shumkov Apr 26, 2024
5caf678
chore: bump version to 6
shumkov Apr 26, 2024
5150edf
chore: remove unnecessary query counter
shumkov Apr 26, 2024
c706bca
chore: bump version to 7
shumkov Apr 26, 2024
d1df04f
chore: remove unnecessary circuit breaker params
shumkov Apr 29, 2024
f50dee7
fix: ratelimiter metrics enable flag
shumkov Apr 29, 2024
b5cbbc4
chore: bump version to 8
shumkov Apr 29, 2024
ef9f47f
chore: push lock
shumkov Apr 29, 2024
39bea60
fix: required property 'maxConnections'
shumkov Apr 29, 2024
15ff409
chore: bump version to 9
shumkov Apr 29, 2024
b9d4d2c
fix: dapiJsonRpc is not required
shumkov Apr 30, 2024
c09aab6
chore: disable getProofs endpoint for external requests
shumkov Apr 30, 2024
89c863c
chore: bump version to 10
shumkov Apr 30, 2024
47e16bc
chore: push lock
shumkov Apr 30, 2024
f1c7fab
fix: invalid envoy config
shumkov Apr 30, 2024
94dfa9b
chore: bump version to 11
shumkov Apr 30, 2024
0bd343a
revert: package versions
shumkov Apr 30, 2024
f29cb30
Merge branch 'refs/heads/v1.0-dev' into chore/dashmate/secure-api
shumkov Apr 30, 2024
133886b
chore: push lock
shumkov Apr 30, 2024
83160c7
chore: add tonic to Drive abci logger
shumkov May 1, 2024
2aa8ed6
chore: update gateway configuration
shumkov May 1, 2024
0a4b741
fix: dapi json rpc doesn't support http2
shumkov May 1, 2024
ae6e664
docs: remove implemented todo
shumkov May 1, 2024
32af0df
docs: document PROMETHEUS_BIND_ADDRESS param
shumkov May 1, 2024
c47be9b
chore: solve security vulnerability
shumkov May 1, 2024
0180812
docs: add a todo
shumkov May 2, 2024
dbc1006
Merge branch 'refs/heads/v1.0-dev' into chore/dashmate/secure-api
shumkov May 8, 2024
9738018
chore: update with v1
shumkov May 8, 2024
13ab149
chore: tune limits
shumkov May 8, 2024
a759a4b
revert: ipv6 format support for JSON Schema
shumkov May 8, 2024
adb5146
Merge remote-tracking branch 'origin/chore/dashmate/secure-api' into …
shumkov May 8, 2024
d525434
chore: remove duplicates
shumkov May 8, 2024
3603cb8
fix: user errors mixed with system errors
shumkov May 8, 2024
310 changes: 254 additions & 56 deletions Cargo.lock

Large diffs are not rendered by default.

3 changes: 2 additions & 1 deletion Dockerfile
Expand Up @@ -194,7 +194,8 @@ RUN --mount=type=cache,sharing=shared,id=cargo_registry_index,target=${CARGO_HOM
if [[ -z "${SCCACHE_MEMCACHED}" ]] ; then unset SCCACHE_MEMCACHED ; fi ; \
cargo build \
--profile "$CARGO_BUILD_PROFILE" \
--package drive-abci && \
--package drive-abci \
--locked && \
cp /platform/target/*/drive-abci /artifacts/ && \
if [[ "${RUSTC_WRAPPER}" == "sccache" ]] ; then sccache --show-stats; fi
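Review bot: `--locked` is the right choice for a reproducible image, but it turns the Docker build into the place where Cargo.lock drift is discovered, deep inside `cargo build` and only after the cache mounts are set up; the 'chore: cargo lock', 'chore: commit lock' and three 'chore: push lock' commits in this PR show how often the lock file had to be re-pushed. Add a cheap CI step before the image build that runs `cargo metadata --locked` (or `cargo fetch --locked`) so a stale lock fails fast with a clear message, and keep the flag here as the last line of defence.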

6 changes: 3 additions & 3 deletions packages/dashmate/README.md
Expand Up @@ -71,11 +71,11 @@ $ dashmate update
║ Drive ABCI │ dashpay/drive:0.24 │ updated ║
║ Drive Tenderdash │ dashpay/tenderdash:0.11.2 │ up to date ║
║ DAPI API │ dashpay/dapi:0.24 │ updated ║
DAPI Envoy │ dashpay/envoy:0.24 │ updated ║
Gateway │ dashpay/envoy:0.24 │ updated ║
║ Dashmate Helper │ dashpay/dashmate-helper:0.24 │ updated ║
╚══════════════════╧══════════════════════════════╧════════════╝
$ dashmate update --format=json
[{"name":"core","title":"Core","updated":false,"image":"dashpay/dashd:19.2.0"},{"name":"drive_abci","title":"Drive ABCI","pulled":false,"image":"dashpay/drive:0.24"},{"name":"drive_tenderdash","title":"Drive Tenderdash","pulled":true,"image":"dashpay/tenderdash:0.11.2"},{"name":"dapi_api","title":"DAPI API","pulled":false,"image":"dashpay/dapi:0.24"},{"name":"dapi_envoy","title":"DAPI Envoy","pulled":false,"image":"dashpay/envoy:0.24"},{"name":"dashmate_helper","title":"Dashmate Helper","pulled":false,"image":"dashpay/dashmate-helper:0.24"}]
[{"name":"core","title":"Core","updated":false,"image":"dashpay/dashd:19.2.0"},{"name":"drive_abci","title":"Drive ABCI","pulled":false,"image":"dashpay/drive:0.24"},{"name":"drive_tenderdash","title":"Drive Tenderdash","pulled":true,"image":"dashpay/tenderdash:0.11.2"},{"name":"dapi_api","title":"DAPI API","pulled":false,"image":"dashpay/dapi:0.24"},{"name":"gateway","title":"Gateway","pulled":false,"image":"dashpay/envoy:0.24"},{"name":"dashmate_helper","title":"Dashmate Helper","pulled":false,"image":"dashpay/dashmate-helper:0.24"}]
$ dashmate start
```
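Review bot: the sample output for `dashmate update --format=json` renames the entry to `"name":"gateway","title":"Gateway"` but keeps `"image":"dashpay/envoy:0.24"`, while the default image in getBaseConfigFactory.js in this same PR becomes `dashpay/envoy:1.30.2-impr.1`; either refresh the tag in both the table row and the JSON line or drop the tag from the sample so it cannot go stale again. Pre-existing but visible here: the sample mixes `"updated":false` for core with `"pulled":false` for every other service, which is confusing for anyone scripting against this output.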

Expand Down Expand Up @@ -503,7 +503,7 @@ again all your service configs (dashd.conf, config.toml, etc.), you can issue th

```bash
dashmate config render
Config "testnet" service configs rendered
"testnet" service configs rendered
```

### Development
96 changes: 76 additions & 20 deletions packages/dashmate/configs/defaults/getBaseConfigFactory.js
Expand Up @@ -125,34 +125,85 @@ export default function getBaseConfigFactory(homeDir) {
indexes: true,
},
platform: {
dapi: {
envoy: {
docker: {
image: 'dashpay/envoy:1.22.11',
gateway: {
docker: {
image: 'dashpay/envoy:1.30.2-impr.1',
},
maxConnections: 1000,
maxHeapSizeInBytes: 125000000, // 1 Gb
upstreams: {
driveGrpc: {
maxRequests: 100,
},
http: {
dapiApi: {
maxRequests: 100,
},
dapiCoreStreams: {
maxRequests: 100,
},
dapiJsonRpc: {
maxRequests: 100,
},
},
metrics: {
enabled: false,
host: '127.0.0.1',
port: 9090,
},
admin: {
enabled: false,
host: '127.0.0.1',
port: 9901,
},
listeners: {
dapiAndDrive: {
http2: {
maxConcurrentStreams: 10,
},
host: '0.0.0.0',
port: 443,
connectTimeout: '5s',
responseTimeout: '15s',
},
rateLimiter: {
maxTokens: 300,
tokensPerFill: 150,
fillInterval: '60s',
enabled: true,
},
log: {
level: 'info',
accessLogs: [
{
type: 'stdout',
format: 'text',
template: null,
},
],
},
rateLimiter: {
docker: {
image: 'envoyproxy/ratelimit:3fcc3609',
},
ssl: {
metrics: {
enabled: false,
provider: 'zerossl',
providerConfigs: {
zerossl: {
apiKey: null,
id: null,
},
docker: {
image: 'prom/statsd-exporter:v0.26.1',
},
host: '127.0.0.1',
port: 9102,
},
unit: 'minute',
requestsPerUnit: 150,
blacklist: [],
whitelist: [],
enabled: true,
},
ssl: {
enabled: false,
provider: 'zerossl',
providerConfigs: {
zerossl: {
apiKey: null,
id: null,
},
},
},
},
dapi: {
api: {
docker: {
image: `dashpay/dapi:${dockerImageVersion}`,
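Review bot: the comment on `maxHeapSizeInBytes: 125000000, // 1 Gb` is misleading: 125,000,000 bytes is 125 MB (one gigabit, not one gigabyte); change the comment to `// 125 MB`, or use 1073741824 if a gigabyte heap ceiling was actually intended for the Envoy overload manager. Second, the new `rateLimiter.blacklist`/`whitelist` arrays and `log.accessLogs[].template` carry no comment, and none of the README hunks in this PR document what they accept (bare IPs, CIDR ranges, which template syntax); that is exactly what an operator needs when tightening a public `listeners.dapiAndDrive.host: '0.0.0.0'` listener. Shipping `admin` and `metrics` disabled and bound to `127.0.0.1` by default is correct: the Envoy admin port serves config dumps and runtime overrides and must never share the public interface.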
Expand Down Expand Up @@ -191,7 +242,7 @@ export default function getBaseConfigFactory(homeDir) {
enabled: false,
host: '127.0.0.1',
port: 6669,
retention_secs: 60 * 3,
retention: 60 * 3,
},
validatorSet: {
llmqType: 4,
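Review bot: renaming `retention_secs` to `retention` drops the unit from the key while the value `60 * 3` is still seconds; add a `// seconds` comment, or keep the unit in the name (`retentionSecs` fits the camelCase convention the rename is chasing), so the meaning survives the '1.0.0-dev.12' migration that rewrites existing config files.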
Expand All @@ -201,6 +252,11 @@ export default function getBaseConfigFactory(homeDir) {
dkgInterval: 288,
llmqSize: 400,
},
metrics: {
enabled: false,
host: '127.0.0.1',
port: 29090,
},
epochTime: 788400,
},
tenderdash: {
18 changes: 9 additions & 9 deletions packages/dashmate/configs/defaults/getLocalConfigFactory.js
Expand Up @@ -36,17 +36,17 @@ export default function getLocalConfigFactory(getBaseConfig) {
},
},
platform: {
dapi: {
envoy: {
ssl: {
provider: SSL_PROVIDERS.SELF_SIGNED,
},
http: {
gateway: {
ssl: {
provider: SSL_PROVIDERS.SELF_SIGNED,
},
listeners: {
dapiAndDrive: {
port: 2443,
},
rateLimiter: {
enabled: false,
},
},
rateLimiter: {
enabled: false,
},
},
drive: {
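Review bot: disabling `rateLimiter` for the local network is reasonable, but the override sets only `listeners.dapiAndDrive.port: 2443` and so inherits `host: '0.0.0.0'` from the base config; a self-signed, rate-limit-free development gateway bound to every interface is probably not what a developer on a shared network wants. Consider adding `host: '127.0.0.1'` here unless the multi-node local setup genuinely needs the listener on all interfaces, in which case a comment saying so would help.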
6 changes: 3 additions & 3 deletions packages/dashmate/configs/defaults/getTestnetConfigFactory.js
Expand Up @@ -44,9 +44,9 @@ export default function getTestnetConfigFactory(homeDir, getBaseConfig) {
},
},
platform: {
dapi: {
envoy: {
http: {
gateway: {
listeners: {
dapiAndDrive: {
port: 1443,
},
},
95 changes: 89 additions & 6 deletions packages/dashmate/configs/getConfigFileMigrationsFactory.js
Expand Up @@ -57,7 +57,7 @@ export default function getConfigFileMigrationsFactory(homeDir, defaultConfigs)

options.platform.dapi.api.docker.image = base.get('platform.dapi.api.docker.image');

options.platform.dapi.envoy.docker.image = base.get('platform.dapi.envoy.docker.image');
options.platform.gateway.docker.image = base.get('platform.gateway.docker.image');
});

return configFile;
Expand Down Expand Up @@ -106,7 +106,7 @@ export default function getConfigFileMigrationsFactory(homeDir, defaultConfigs)
'0.24.16': (configFile) => {
Object.entries(configFile.configs)
.forEach(([, options]) => {
options.platform.dapi.envoy.docker = base.get('platform.dapi.envoy.docker');
options.platform.gateway.docker = base.get('platform.gateway.docker');

options.platform.dapi.api.docker.build = base.get('platform.dapi.api.docker.build');

Expand Down Expand Up @@ -382,7 +382,7 @@ export default function getConfigFileMigrationsFactory(homeDir, defaultConfigs)

options.core.p2p.host = base.get('core.p2p.host');
options.core.rpc.host = base.get('core.rpc.host');
options.platform.dapi.envoy.http.host = base.get('platform.dapi.envoy.http.host');
options.platform.dapi.envoy.http.host = '0.0.0.0';
options.platform.drive.tenderdash.p2p.host = base.get('platform.drive.tenderdash.p2p.host');
options.platform.drive.tenderdash.rpc.host = base.get('platform.drive.tenderdash.rpc.host');
options.platform.drive.tenderdash.metrics.host = base.get('platform.drive.tenderdash.metrics.host');
Expand All @@ -401,8 +401,8 @@ export default function getConfigFileMigrationsFactory(homeDir, defaultConfigs)
'0.25.20': (configFile) => {
Object.entries(configFile.configs)
.forEach(([name, options]) => {
options.platform.dapi.envoy.http.connectTimeout = base.get('platform.dapi.envoy.http.connectTimeout');
options.platform.dapi.envoy.http.responseTimeout = base.get('platform.dapi.envoy.http.responseTimeout');
options.platform.dapi.envoy.http.connectTimeout = '5s';
options.platform.dapi.envoy.http.responseTimeout = '15s';

options.platform.drive.tenderdash.rpc.maxOpenConnections = base.get('platform.drive.tenderdash.rpc.maxOpenConnections');
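Review bot: the '0.25.20' migration now writes the literals `'5s'` and `'15s'`, and the hunk above writes `'0.0.0.0'` for `http.host`, instead of reading them through `base.get(...)`. That is the correct fix, since `platform.dapi.envoy.http.*` no longer exists in the base config and an old migration must stay frozen at the defaults of its own version, but nothing in the code says why; add a one-line comment, otherwise the next cleanup will switch these back to `base.get` and break the migration chain for anyone upgrading from an old release.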

Expand Down Expand Up @@ -523,9 +523,92 @@ export default function getConfigFileMigrationsFactory(homeDir, defaultConfigs)
},
'1.0.0-dev.12': (configFile) => {
Object.entries(configFile.configs)
.forEach(([, options]) => {
.forEach(([name, options]) => {
// Update tenderdash config
options.platform.drive.tenderdash.docker.image = base.get('platform.drive.tenderdash.docker.image');
options.platform.drive.tenderdash.mempool.maxConcurrentCheckTx = base.get('platform.drive.tenderdash.mempool.maxConcurrentCheckTx');

// Add metrics to Drive ABCI
options.platform.drive.abci.metrics = base.get('platform.drive.abci.metrics');

// Envoy -> Gateway
if (options.platform.dapi.envoy) {
options.platform.gateway = lodash.cloneDeep(options.platform.dapi.envoy);

// add new options
options.platform.gateway.maxConnections = base.get('platform.gateway.maxConnections');
options.platform.gateway.maxHeapSizeInBytes = base.get('platform.gateway.maxHeapSizeInBytes');
options.platform.gateway.metrics = base.get('platform.gateway.metrics');
options.platform.gateway.admin = base.get('platform.gateway.admin');
options.platform.gateway.upstreams = base.get('platform.gateway.upstreams');
options.platform.gateway.log = base.get('platform.gateway.log');

// http -> listeners
options.platform.gateway.listeners = lodash.cloneDeep(
base.get('platform.gateway.listeners'),
);

options.platform.gateway.listeners.dapiAndDrive.host = options.platform.dapi.envoy
.http.host;
options.platform.gateway.listeners.dapiAndDrive.port = options.platform.dapi.envoy
.http.port;

delete options.platform.gateway.http;

// update rate limiter
options.platform.gateway.rateLimiter.docker = base.get('platform.gateway.rateLimiter.docker');
options.platform.gateway.rateLimiter.unit = base.get('platform.gateway.rateLimiter.unit');
options.platform.gateway.rateLimiter.requestsPerUnit = base.get('platform.gateway.rateLimiter.requestsPerUnit');
options.platform.gateway.rateLimiter.blacklist = base.get('platform.gateway.rateLimiter.blacklist');
options.platform.gateway.rateLimiter.whitelist = base.get('platform.gateway.rateLimiter.whitelist');
options.platform.gateway.rateLimiter.metrics = base.get('platform.gateway.rateLimiter.metrics');

delete options.platform.gateway.rateLimiter.fillInterval;
delete options.platform.gateway.rateLimiter.maxTokens;
delete options.platform.gateway.rateLimiter.tokensPerFill;

// delete envoy
delete options.platform.dapi.envoy;

// update image
options.platform.gateway.docker.image = base.get('platform.gateway.docker.image');
}

// rename non conventional field
if (options.platform.drive.abci.tokioConsole.retention_secs) {
options.platform.drive.abci.tokioConsole.retention = options.platform.drive.abci
.tokioConsole.retention_secs;
delete options.platform.drive.abci.tokioConsole.retention_secs;
}

// move SSL files
if (options.network !== NETWORK_MAINNET) {
const filenames = ['private.key', 'bundle.crt', 'bundle.csr', 'csr.pem'];

for (const filename of filenames) {
const oldFilePath = homeDir.joinPath(
name,
'platform',
'dapi',
'envoy',
'ssl',
filename,
);
const newFilePath = homeDir.joinPath(
name,
'platform',
'gateway',
'ssl',
filename,
);

if (fs.existsSync(oldFilePath)) {
fs.mkdirSync(path.dirname(newFilePath), { recursive: true });
fs.copyFileSync(oldFilePath, newFilePath);
fs.rmSync(oldFilePath, { recursive: true });
}
}
}
});

return configFile;
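Review bot: the SSL file move is skipped for mainnet (`if (options.network !== NETWORK_MAINNET)`) while the rest of this migration has already moved the config from `platform.dapi.envoy` to `platform.gateway` for every network, so a mainnet config with `ssl.enabled` would keep its `private.key` and `bundle.crt` under the old `platform/dapi/envoy/ssl` path; if mainnet is excluded because platform is not expected to be running there yet, say so in a comment, otherwise this needs the same move. Two smaller points: `if (options.platform.drive.abci.tokioConsole.retention_secs)` is a truthiness test, so a configured value of `0` is never renamed and the stale `retention_secs` key survives; use `'retention_secs' in options.platform.drive.abci.tokioConsole` instead. And `fs.rmSync(oldFilePath, { recursive: true })` is applied to a file, where `recursive` is a no-op, while the emptied `dapi/envoy/ssl` directory is left behind.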
@@ -1,7 +1,7 @@
version: '3.7'

services:
dapi_tx_filter_stream:
dapi_core_streams:
build:
context: ${PLATFORM_DAPI_API_DOCKER_BUILD_CONTEXT:?err}
dockerfile: ${PLATFORM_DAPI_API_DOCKER_BUILD_DOCKER_FILE:?err}
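Review bot: renaming the compose service from `dapi_tx_filter_stream` to `dapi_core_streams` also changes the container and DNS name that the gateway's upstream cluster resolves; the commit 'chore: rename dapi core streams service' suggests the other side was updated, but the build-context variables here are still `PLATFORM_DAPI_API_DOCKER_BUILD_*`, so please confirm every reference (gateway cluster config, service title labels, any `depends_on`) uses the new name, since a missed one fails only at runtime.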
20 changes: 20 additions & 0 deletions packages/dashmate/docker-compose.rate_limiter.metrics.yml
@@ -0,0 +1,20 @@
version: '3.7'

services:
gateway_rate_limiter_metrics:
image: ${PLATFORM_GATEWAY_RATE_LIMITER_METRICS_DOCKER_IMAGE:?err}
labels:
org.dashmate.service.title: "Gateway rate limiter metrics exporter"
restart: unless-stopped
entrypoint: /bin/statsd_exporter
command:
- "--statsd.mapping-config=/etc/statsd-exporter/config.yaml"
networks:
- gateway_rate_limiter
volumes:
- ${DASHMATE_HOME_DIR:?err}/${CONFIG_NAME:?err}/platform/gateway/rate_limiter/statsd_exporter.yaml:/etc/statsd-exporter/config.yaml:ro
expose:
- 9125
- 9125/udp
ports:
- ${PLATFORM_GATEWAY_RATE_LIMITER_METRICS_HOST:?err}:${PLATFORM_GATEWAY_RATE_LIMITER_METRICS_PORT:?err}:9102
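Review bot: the published port `${PLATFORM_GATEWAY_RATE_LIMITER_METRICS_HOST}:${PLATFORM_GATEWAY_RATE_LIMITER_METRICS_PORT}:9102` exposes an unauthenticated statsd_exporter scrape endpoint; the default host in getBaseConfigFactory.js is `127.0.0.1`, which is safe, but nothing here stops an operator from setting it to `0.0.0.0`, so the documentation for `rateLimiter.metrics.host` should say to keep it on loopback or behind a firewall or an authenticating reverse proxy. Also, the service joins network `gateway_rate_limiter` without a top-level `networks:` block in this file, so it is only valid when merged with the compose file that declares that network; a comment at the top of the file saying which one would save the next reader a search. Mounting the mapping config `:ro` is good.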