feat: Add managed OpenGB (#535)

<!-- Please make sure there is an issue that this PR is correlated to. -->

## Changes

<!-- If there are frontend changes, please include screenshots. -->

errors/cloudflare/error.md

@@ -0,0 +1,9 @@
+---
+name = "CLOUDFLARE_ERROR"
+description = "Cloudflare returned an error: {error}"
+http_status = 400
+---
+
+# Cloudflare Error
+
+An error was returned by a cloudflare API and has been re-routed to this error response.

errors/opengb/env-never-deployed.md

@@ -0,0 +1,9 @@
+---
+name = "OPENGB_ENV_NEVER_DEPLOYED"
+description = "OpenGB environment was never deployed. Deploy it before trying again."
+http_status = 400
+---
+
+# OpenGB Environment Never Deployed
+
+The requested environment was never deployed. Deploy it before attempting to call this resource again.

errors/opengb/env-not-found.md

@@ -0,0 +1,9 @@
+---
+name = "OPENGB_ENV_NOT_FOUND"
+description = "OpenGB environment not found."
+http_status = 404
+---
+
+# OpenGB Environment Not Found
+
+The requested environment could not be found.

errors/opengb/invalid-neon-project-config.md

@@ -0,0 +1,9 @@
+---
+name = "OPENGB_INVALID_NEON_PROJECT_CONFIG"
+description = "Neon project config is invalid: {reason}."
+http_status = 400
+---
+
+# OpenGB Invalid Neon Project Config
+
+The Neon project config given was invalid. See https://api-docs.neon.tech/reference/updateproject for more info.

errors/opengb/invalid-variable.md

@@ -0,0 +1,9 @@
+---
+name = "OPENGB_INVALID_VARIABLE"
+description = "Environment variable is invalid: {reason}."
+http_status = 400
+---
+
+# OpenGB Invalid Variable
+
+A provided environment variable is invalid.

errors/opengb/module-db-not-found.md

@@ -0,0 +1,9 @@
+---
+name = "OPENGB_MODULE_DB_NOT_FOUND"
+description = "OpenGB module database not found."
+http_status = 404
+---
+
+# OpenGB Module DB Not Found
+
+The requested module database could not be found.

errors/opengb/project-not-found.md

@@ -0,0 +1,9 @@
+---
+name = "OPENGB_PROJECT_NOT_FOUND"
+description = "OpenGB project not found."
+http_status = 404
+---
+
+# OpenGB Project Not Found
+
+The requested project could not be found.

fern/definition/cloud/common.yml

@@ -13,9 +13,7 @@ types:
       svc_name:
         docs: The name of the service.
         type: string
-      ts:
-        docs: RFC3339 timestamp.
-        type: datetime
+      ts: commons.Timestamp
       duration:
         docs: Unsigned 64 bit integer.
         type: long

fern/definition/cloud/games/games.yml → fern/definition/cloud/games/__package__.yml

@@ -132,14 +132,7 @@ types:
       name_id:
         docs: >-
           **Deprecated**
-
-          A human readable short identifier used to references resources.
-          Different than a `rivet.common#Uuid` because this is intended to be
-          human readable.
-          Different than `rivet.common#DisplayName` because this should not
-          include special
-          characters and be short.
-        type: optional<string>
+        type: optional<commons.Identifier>
 
   ValidateGameResponse:
     properties:

fern/definition/cloud/games/cdn.yml

@@ -41,8 +41,6 @@ types:
 
   CreateGameCdnSiteResponse:
     properties:
-      site_id:
-        type: uuid
-      upload_id:
-        type: uuid
+      site_id: uuid
+      upload_id: uuid
       presigned_requests: list<uploadCommons.PresignedRequest>

fern/definition/cloud/games/namespaces/analytics.yml

@@ -9,9 +9,9 @@ service:
   path-parameters:
     game_id:
       type: uuid
-
     namespace_id:
       type: uuid
+
   endpoints:
     getAnalyticsMatchmakerLive:
       path: /matchmaker/live

fern/definition/common.yml

@@ -77,7 +77,7 @@ types:
   AccountNumber: integer
 
   Timestamp:
-    type: string
+    type: datetime
     docs: RFC3339 timestamp
 
   GlobalEventNotification:

fern/definition/group/common.yml

@@ -58,9 +58,7 @@ types:
     docs: A group join request.
     properties:
       identity: identityCommons.Handle
-      ts:
-        docs: RFC3339 timestamp.
-        type: datetime
+      ts: commons.Timestamp
 
   Member:
     docs: A group member.

fern/definition/identity/__package__.yml

@@ -71,7 +71,6 @@ service:
       request:
         name: GetHandlesRequest
         query-parameters:
-          # TODO: how is this list serialized over the wire
           # With allow-multiple, Fern assumes that lists are sent over the wire as
           # param=a&param=b&param=c.
           identity_ids:

fern/definition/identity/common.yml

@@ -11,7 +11,7 @@ types:
   GlobalEvent:
     docs: An event relevant to the current identity.
     properties:
-      ts: datetime
+      ts: commons.Timestamp
       kind: GlobalEventKind
       notification: optional<GlobalEventNotification>
 

infra/tf/dns/cert_packs.tf

@@ -14,8 +14,7 @@ locals {
 	certificate_authority = "lets_encrypt"
 }
 
-# TODO: Only if we use deprecated subdomains
-# Allow CLoudflare to serve TLS requests at the edge for our wildcard
+# Allow Cloudflare to serve TLS requests at the edge for our wildcard
 # subdomains.
 #
 # This requires paying money for these certs.
@@ -29,13 +28,22 @@ resource "cloudflare_certificate_pack" "main" {
 	certificate_authority = local.certificate_authority
 	# The certificate must include the root domain in it.
 	#
-	# We convert to set then back to list to remove potential duplicates of the root zoon.
-	hosts = sort(tolist(toset([
-		data.cloudflare_zone.main.name,
-		var.domain_main,
-		"*.${var.domain_main}",
-		"*.api.${var.domain_main}",
-	])))
+	# We convert to set then back to list to remove potential duplicates of the root zone.
+	hosts = sort(tolist(toset(
+		flatten([
+			[
+				data.cloudflare_zone.main.name,
+				var.domain_main,
+				"*.${var.domain_main}",
+				# TODO: Only if we use deprecated subdomains
+				"*.api.${var.domain_main}",
+			],
+			var.opengb_enabled ? [
+				"*.opengb.${var.domain_main}",
+				"db.opengb-internal.${var.domain_main}"
+			] : []
+		])
+	)))
 	type = "advanced"
 	validation_method = "txt"
 	validity_days = 90

infra/tf/dns/vars.tf

@@ -41,6 +41,11 @@ variable "extra_dns" {
 	}))
 }
 
+# MARK: OpenGB
+variable "opengb_enabled" {
+	type = bool
+}
+
 # MARK: Cloudflare
 variable "cloudflare_account_id" {
 	type = string

infra/tf/tls/cloudflare.tf

@@ -57,7 +57,18 @@ resource "tls_cert_request" "cf_origin_rivet_gg" {
 
 resource "cloudflare_origin_ca_certificate" "rivet_gg" {
 	csr = tls_cert_request.cf_origin_rivet_gg.cert_request_pem
-	hostnames = ["*.${var.domain_main}", "${var.domain_main}", "*.api.${var.domain_main}", "api.${var.domain_main}"]
+	hostnames = flatten([
+		[
+			"*.${var.domain_main}",
+			"${var.domain_main}",
+			"*.api.${var.domain_main}",
+			"api.${var.domain_main}",
+		],
+		var.opengb_enabled ? [
+			"*.opengb.${var.domain_main}",
+			"db.opengb-internal.${var.domain_main}"
+		] : []
+	])
 	request_type = "origin-rsa"
 	requested_validity = 15 * 365
 }

infra/tf/tls/vars.tf

@@ -25,6 +25,11 @@ variable "prometheus_enabled" {
 	type = bool
 }
 
+# MARK: OpenGB
+variable "opengb_enabled" {
+	type = bool
+}
+
 # MARK: K8s
 variable "kubeconfig_path" {
 	type = string

lib/bolt/config/src/ns.rs

@@ -515,6 +515,8 @@ pub struct Rivet {
 	pub cdn: Cdn,
 	#[serde(default)]
 	pub billing: Option<RivetBilling>,
+	#[serde(default)]
+	pub opengb: Option<RivetOpenGb>,
 }
 
 #[derive(Serialize, Deserialize, Clone, Debug, Default)]
@@ -525,6 +527,10 @@ pub struct Telemetry {
 	pub disable: bool,
 }
 
+#[derive(Serialize, Deserialize, Clone, Debug, Default)]
+#[serde(deny_unknown_fields)]
+pub struct RivetOpenGb {}
+
 #[derive(Serialize, Deserialize, Clone, Debug)]
 #[serde(deny_unknown_fields)]
 pub enum RivetAccess {

lib/bolt/core/src/context/project.rs

@@ -194,16 +194,16 @@ impl ProjectContextData {
 				if self.ns().dns.is_some() {
 					assert_eq!(
 						80, *api_http_port,
-						"api_http_port must be 80 if dns is configured"
+						"api_http_port must be 80 if DNS is configured"
 					);
 					assert_eq!(
 						Some(443),
 						*api_https_port,
-						"api_https_port must be 443 if dns is configured"
+						"api_https_port must be 443 if DNS is configured"
 					);
 					assert_eq!(
 						9000, *minio_port,
-						"minio_port must not be changed if dns is configured"
+						"minio_port must not be changed if DNS is configured"
 					);
 				}
 			}
@@ -218,11 +218,19 @@ impl ProjectContextData {
 
 				assert!(
 					self.dns_enabled(),
-					"must have dns provider configured with a distributed cluster"
+					"must have DNS configured with a distributed cluster"
 				);
 			}
 		}
 
+		// MARK: OpenGB
+		if self.ns().rivet.opengb.is_some() {
+			assert!(
+				self.ns().dns.is_some(),
+				"must have DNS configured with for OpenGB"
+			);
+		}
+
 		// MARK: Cluster Provisioning
 		if let Some(cluster) = self
 			.ns()

lib/bolt/core/src/context/service.rs

@@ -877,6 +877,16 @@ impl ServiceContextData {
 			);
 		}
 
+		// OpenGB
+		if project_ctx.ns().rivet.opengb.is_some() {
+			let opengb_output = terraform::output::read_opengb(&project_ctx).await;
+
+			env.insert(
+				"CLOUDFLARE_OPENGB_DISPATCHER_NAMESPACE".into(),
+				opengb_output.dispatcher_namespace_name.to_string(),
+			);
+		}
+
 		if self.depends_on_captcha() {
 			if let Some(hcaptcha) = &project_ctx.ns().captcha.hcaptcha {
 				env.insert(

lib/bolt/core/src/dep/one_password/cli.rs

@@ -9,10 +9,7 @@ pub async fn command(service_token: Option<&str>) -> Command {
 	cmd.arg("op");
 
 	let installed = cmd.exec_quiet(true, true).await.is_ok();
-
-	if !installed {
-		panic!("1Password secret management is enabled in the namespace config but the 1Password CLI (`op`) is not installed");
-	}
+	assert!(installed, "1Password secret management is enabled in the namespace config but the 1Password CLI (`op`) is not installed");
 
 	let mut cmd = Command::new("op");
 
@@ -22,8 +19,6 @@ pub async fn command(service_token: Option<&str>) -> Command {
 		}
 
 		cmd.env("OP_SERVICE_ACCOUNT_TOKEN", service_token);
-	} else {
-		eprintln!("WARNING: 1Password secret management is enabled in the namespace config but the '1password.service_account_token' secret is not set.\n");
 	}
 
 	cmd

lib/bolt/core/src/dep/terraform/gen.rs

@@ -229,6 +229,12 @@ async fn vars(ctx: &ProjectContext) {
 		json!(config.rivet.provisioning.is_some()),
 	);
 
+	// OpenGB
+	vars.insert(
+		"opengb_enabled".into(),
+		json!(config.rivet.opengb.is_some()),
+	);
+
 	// Tunnels
 	if let Some(ns::Dns {
 		provider: Some(ns::DnsProvider::Cloudflare { access, .. }),
@@ -304,10 +310,14 @@ async fn vars(ctx: &ProjectContext) {
 			"name": domain_main_api,
 		}));
 
-		// OGS
+		// OpenGB
+		extra_dns.push(json!({
+			"zone_name": "main",
+			"name": format!("*.opengb.{domain_main}"),
+		}));
 		extra_dns.push(json!({
 			"zone_name": "main",
-			"name": format!("*.ogs.{domain_main}"),
+			"name": format!("db.opengb-internal.{domain_main}"),
 		}));
 
 		// Add services

lib/bolt/core/src/dep/terraform/output.rs

@@ -49,6 +49,11 @@ pub struct DnsZones {
 	pub job: String,
 }
 
+#[derive(Debug, Clone, Deserialize)]
+pub struct OpenGb {
+	pub dispatcher_namespace_name: TerraformOutputValue<String>,
+}
+
 #[derive(Debug, Clone, Deserialize)]
 pub struct KubernetesClusterAws {
 	pub eks_admin_role_arn: TerraformOutputValue<String>,
@@ -120,6 +125,10 @@ pub async fn read_redis(ctx: &ProjectContext) -> Redis {
 	}
 }
 
+pub async fn read_opengb(ctx: &ProjectContext) -> OpenGb {
+	read_plan::<OpenGb>(ctx, "opengb").await
+}
+
 /// Reads a Terraform plan's output and decodes in to type.
 pub async fn read_plan<T: serde::de::DeserializeOwned>(ctx: &ProjectContext, plan_id: &str) -> T {
 	let terraform_plans = crate::tasks::infra::all_terraform_plans(ctx).unwrap();