alexei.dolgolyov
7733e64b08
A dockerfile or static workload can opt in to reading its deploy config from a
.tinyforge.yml in its own repo. Tinyforge fetches the file, shows field-level
drift vs the live config, and an admin applies it with an explicit Sync. The
repo becomes the source of truth for the declared fields. Manual-sync only;
no auto-apply on deploy, no multi-workload reconcile, no create/delete in v1.
Scope is deliberately source-aware and source_config-resident: dockerfile
declares port/healthcheck/deploy_strategy, static declares deploy_strategy.
The file never carries repo coords or secrets (those stay in the encrypted
DB), which keeps credentials out of the repo.
Backend:
- internal/gitops: Spec/ParseSpec (KnownFields rejects unknown keys), a
source-aware ApplyPlan/BuildPlan, MergeAndValidate (omitted-field-preserving
deep merge + validate-the-merged-result-then-commit — never a partial
config), declared-only Drift with normalization, and Fetch with
ok/no_file/fetch_failed/invalid statuses and token-redacted messages.
- staticsite: DownloadFile added to GitProvider + Gitea/GitHub/GitLab impls,
reusing each provider's SSRF-safe client; 64 KiB cap; ErrFileNotFound.
- store: 4 additive gitops_* columns + setters (disjoint from UpdateWorkload
so the edit-form save and a sync never clobber each other).
- api: GET /workloads/{id}/gitops (status + raw + live drift + managed_fields),
PUT /gitops (admin, enable/path, traversal-safe), POST /gitops/sync (admin,
per-workload locked read->merge->validate->write, audited to event_log).
Frontend:
- GitOpsPanel.svelte: status pill, a purpose-built field-level drift view,
.tinyforge.yml preview, enable ToggleSwitch, Sync via ConfirmDialog; all five
statuses handled, admin affordances gated on the real viewer role.
- GitOps-managed badge (list + detail hero) and a read-only edit-form banner.
- api.ts fetchers + types; i18n apps.detail.gitops.* (en + ru parity).
Built phase-by-phase with an adversarial plan review (caught 5 design flaws
pre-implementation) and an independent review per phase (go / security / ts /
final) — all APPROVE, 0 CRITICAL/HIGH. docs/gitops.md documents the schema and
what's intentionally out of v1. Plan: plans/gitops/.
272 lines
8.7 KiB
Go
272 lines
8.7 KiB
Go
package store
|
|
|
|
import (
|
|
"database/sql"
|
|
"errors"
|
|
"fmt"
|
|
|
|
"github.com/google/uuid"
|
|
)
|
|
|
|
const workloadColumns = `id, kind, ref_id, name, app_id,
|
|
source_kind, source_config, trigger_kind, trigger_config,
|
|
public_faces, parent_workload_id,
|
|
notification_url, notification_secret,
|
|
webhook_secret, webhook_signing_secret, webhook_require_signature,
|
|
gitops_enabled, gitops_path, gitops_last_sync_at, gitops_commit_sha,
|
|
created_at, updated_at`
|
|
|
|
func scanWorkload(scanner interface{ Scan(...any) error }) (Workload, error) {
|
|
var w Workload
|
|
err := scanner.Scan(
|
|
&w.ID, &w.Kind, &w.RefID, &w.Name, &w.AppID,
|
|
&w.SourceKind, &w.SourceConfig, &w.TriggerKind, &w.TriggerConfig,
|
|
&w.PublicFaces, &w.ParentWorkloadID,
|
|
&w.NotificationURL, &w.NotificationSecret,
|
|
&w.WebhookSecret, &w.WebhookSigningSecret, &w.WebhookRequireSignature,
|
|
&w.GitOpsEnabled, &w.GitOpsPath, &w.GitOpsLastSyncAt, &w.GitOpsCommitSHA,
|
|
&w.CreatedAt, &w.UpdatedAt,
|
|
)
|
|
return w, err
|
|
}
|
|
|
|
// CreateWorkload inserts a new workload row. The (Kind, RefID) pair
|
|
// must be unique; for plugin-native rows (Kind="plugin") the caller
|
|
// typically leaves RefID empty and we self-reference it to the row's
|
|
// own ID so the UNIQUE(kind, ref_id) constraint holds for many sibling
|
|
// plugin workloads. Legacy bridge code that wired ref_id to a
|
|
// project/stack/site row was deleted in the hard cutover.
|
|
func (s *Store) CreateWorkload(w Workload) (Workload, error) {
|
|
if w.ID == "" {
|
|
w.ID = uuid.New().String()
|
|
}
|
|
if w.RefID == "" {
|
|
w.RefID = w.ID
|
|
}
|
|
w.CreatedAt = Now()
|
|
w.UpdatedAt = w.CreatedAt
|
|
|
|
if w.SourceConfig == "" {
|
|
w.SourceConfig = "{}"
|
|
}
|
|
if w.TriggerConfig == "" {
|
|
w.TriggerConfig = "{}"
|
|
}
|
|
if w.PublicFaces == "" {
|
|
w.PublicFaces = "[]"
|
|
}
|
|
if w.GitOpsPath == "" {
|
|
w.GitOpsPath = ".tinyforge.yml"
|
|
}
|
|
_, err := s.db.Exec(
|
|
`INSERT INTO workloads (`+workloadColumns+`)
|
|
VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
|
|
w.ID, w.Kind, w.RefID, w.Name, w.AppID,
|
|
w.SourceKind, w.SourceConfig, w.TriggerKind, w.TriggerConfig,
|
|
w.PublicFaces, w.ParentWorkloadID,
|
|
w.NotificationURL, w.NotificationSecret,
|
|
w.WebhookSecret, w.WebhookSigningSecret, BoolToInt(w.WebhookRequireSignature),
|
|
BoolToInt(w.GitOpsEnabled), w.GitOpsPath, w.GitOpsLastSyncAt, w.GitOpsCommitSHA,
|
|
w.CreatedAt, w.UpdatedAt,
|
|
)
|
|
if err != nil {
|
|
return Workload{}, fmt.Errorf("insert workload: %w", err)
|
|
}
|
|
return w, nil
|
|
}
|
|
|
|
// GetWorkloadByID returns a single workload by its ID.
|
|
func (s *Store) GetWorkloadByID(id string) (Workload, error) {
|
|
w, err := scanWorkload(s.db.QueryRow(
|
|
`SELECT `+workloadColumns+` FROM workloads WHERE id = ?`, id,
|
|
))
|
|
if errors.Is(err, sql.ErrNoRows) {
|
|
return Workload{}, fmt.Errorf("workload %s: %w", id, ErrNotFound)
|
|
}
|
|
if err != nil {
|
|
return Workload{}, fmt.Errorf("query workload: %w", err)
|
|
}
|
|
return w, nil
|
|
}
|
|
|
|
// GetWorkloadByRef returns the workload paired with a given (kind, ref_id).
|
|
// Returns ErrNotFound if the project/stack/site has no workload row yet
|
|
// (which means the boot-time backfill hasn't run, or the kind/ref pair is wrong).
|
|
func (s *Store) GetWorkloadByRef(kind WorkloadKind, refID string) (Workload, error) {
|
|
w, err := scanWorkload(s.db.QueryRow(
|
|
`SELECT `+workloadColumns+` FROM workloads WHERE kind = ? AND ref_id = ?`,
|
|
string(kind), refID,
|
|
))
|
|
if errors.Is(err, sql.ErrNoRows) {
|
|
return Workload{}, fmt.Errorf("workload (%s,%s): %w", kind, refID, ErrNotFound)
|
|
}
|
|
if err != nil {
|
|
return Workload{}, fmt.Errorf("query workload by ref: %w", err)
|
|
}
|
|
return w, nil
|
|
}
|
|
|
|
// ListWorkloads returns all workloads, optionally filtered by kind. Pass
|
|
// empty string to get every workload regardless of kind.
|
|
func (s *Store) ListWorkloads(kind WorkloadKind) ([]Workload, error) {
|
|
var rows *sql.Rows
|
|
var err error
|
|
if kind == "" {
|
|
rows, err = s.db.Query(
|
|
`SELECT ` + workloadColumns + ` FROM workloads ORDER BY name`,
|
|
)
|
|
} else {
|
|
rows, err = s.db.Query(
|
|
`SELECT `+workloadColumns+` FROM workloads WHERE kind = ? ORDER BY name`,
|
|
string(kind),
|
|
)
|
|
}
|
|
if err != nil {
|
|
return nil, fmt.Errorf("query workloads: %w", err)
|
|
}
|
|
defer rows.Close()
|
|
|
|
out := []Workload{}
|
|
for rows.Next() {
|
|
w, err := scanWorkload(rows)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("scan workload: %w", err)
|
|
}
|
|
out = append(out, w)
|
|
}
|
|
return out, rows.Err()
|
|
}
|
|
|
|
// UpdateWorkload updates the mutable fields of a workload (name, app_id,
|
|
// source/trigger config, public faces, parent chain, notification + webhook
|
|
// config). Kind and RefID are immutable post-create.
|
|
func (s *Store) UpdateWorkload(w Workload) error {
|
|
w.UpdatedAt = Now()
|
|
if w.SourceConfig == "" {
|
|
w.SourceConfig = "{}"
|
|
}
|
|
if w.TriggerConfig == "" {
|
|
w.TriggerConfig = "{}"
|
|
}
|
|
if w.PublicFaces == "" {
|
|
w.PublicFaces = "[]"
|
|
}
|
|
result, err := s.db.Exec(
|
|
`UPDATE workloads SET name=?, app_id=?,
|
|
source_kind=?, source_config=?, trigger_kind=?, trigger_config=?,
|
|
public_faces=?, parent_workload_id=?,
|
|
notification_url=?, notification_secret=?,
|
|
webhook_secret=?, webhook_signing_secret=?, webhook_require_signature=?,
|
|
updated_at=?
|
|
WHERE id=?`,
|
|
w.Name, w.AppID,
|
|
w.SourceKind, w.SourceConfig, w.TriggerKind, w.TriggerConfig,
|
|
w.PublicFaces, w.ParentWorkloadID,
|
|
w.NotificationURL, w.NotificationSecret,
|
|
w.WebhookSecret, w.WebhookSigningSecret, BoolToInt(w.WebhookRequireSignature),
|
|
w.UpdatedAt, w.ID,
|
|
)
|
|
if err != nil {
|
|
return fmt.Errorf("update workload: %w", err)
|
|
}
|
|
n, err := result.RowsAffected()
|
|
if err != nil {
|
|
return fmt.Errorf("rows affected: %w", err)
|
|
}
|
|
if n == 0 {
|
|
return fmt.Errorf("workload %s: %w", w.ID, ErrNotFound)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// DeleteWorkload removes a workload row. Cascading deletes for FK-backed
|
|
// child tables (workload_env, workload_volumes, workload_trigger_bindings)
|
|
// happen via SQLite's ON DELETE CASCADE. The `containers` table doesn't
|
|
// yet have an FK to workloads (planned migration — see ops notes), so we
|
|
// drop its rows explicitly here in the same transaction to prevent zombie
|
|
// container rows from outliving their owning workload.
|
|
func (s *Store) DeleteWorkload(id string) error {
|
|
tx, err := s.db.Begin()
|
|
if err != nil {
|
|
return fmt.Errorf("begin: %w", err)
|
|
}
|
|
defer func() { _ = tx.Rollback() }()
|
|
|
|
// Explicit container cleanup until the FK migration lands.
|
|
if _, err := tx.Exec(`DELETE FROM containers WHERE workload_id = ?`, id); err != nil {
|
|
return fmt.Errorf("delete containers: %w", err)
|
|
}
|
|
// Deploy ledger rows are FK-cascaded, but we delete them explicitly in
|
|
// the same transaction — consistent with the containers cleanup above
|
|
// and robust even if the cascade is ever disabled.
|
|
if _, err := tx.Exec(`DELETE FROM deploy_history WHERE workload_id = ?`, id); err != nil {
|
|
return fmt.Errorf("delete deploy history: %w", err)
|
|
}
|
|
result, err := tx.Exec(`DELETE FROM workloads WHERE id = ?`, id)
|
|
if err != nil {
|
|
return fmt.Errorf("delete workload: %w", err)
|
|
}
|
|
n, err := result.RowsAffected()
|
|
if err != nil {
|
|
return fmt.Errorf("rows affected: %w", err)
|
|
}
|
|
if n == 0 {
|
|
return fmt.Errorf("workload %s: %w", id, ErrNotFound)
|
|
}
|
|
if err := tx.Commit(); err != nil {
|
|
return fmt.Errorf("commit: %w", err)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// ListChildrenByParent returns every workload whose parent_workload_id
|
|
// equals the given id. Used to render the stages chain ("dev → staging
|
|
// → prod") on /apps/[id] without forcing a separate stages table.
|
|
//
|
|
// Returns rows ordered by name for a stable UI.
|
|
func (s *Store) ListChildrenByParent(parentID string) ([]Workload, error) {
|
|
if parentID == "" {
|
|
return []Workload{}, nil
|
|
}
|
|
rows, err := s.db.Query(
|
|
`SELECT `+workloadColumns+` FROM workloads WHERE parent_workload_id = ? ORDER BY name`,
|
|
parentID,
|
|
)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("query workload children: %w", err)
|
|
}
|
|
defer rows.Close()
|
|
|
|
out := []Workload{}
|
|
for rows.Next() {
|
|
w, err := scanWorkload(rows)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("scan child workload: %w", err)
|
|
}
|
|
out = append(out, w)
|
|
}
|
|
return out, rows.Err()
|
|
}
|
|
|
|
// Workload-level webhook secret accessors (Get/Set/Ensure) were dropped
|
|
// in the hard legacy cutover: the inbound `/api/webhook/workloads/...`
|
|
// route is gone. The trigger-split refactor's boot backfill still reads
|
|
// the `workloads.webhook_secret` column directly via SQL to lift any
|
|
// pre-cutover embedded secret onto its standalone Trigger row, then the
|
|
// column is effectively dead.
|
|
|
|
// DeleteWorkloadByRef removes the workload paired with a given (kind, ref_id).
|
|
// Idempotent — returns nil if no row exists, since the kind-specific Delete
|
|
// callers don't always know whether a workload row was created.
|
|
func (s *Store) DeleteWorkloadByRef(kind WorkloadKind, refID string) error {
|
|
_, err := s.db.Exec(
|
|
`DELETE FROM workloads WHERE kind = ? AND ref_id = ?`,
|
|
string(kind), refID,
|
|
)
|
|
if err != nil {
|
|
return fmt.Errorf("delete workload by ref: %w", err)
|
|
}
|
|
return nil
|
|
}
|
|
|