Introduce new mirroring and credential settings format and REST API

[ikhoon]

Motivation:

The ID for mirroring and credential configurations is optional, so I found it difficult to safely update a configuration with REST API. If a user updates a file manually on UI or commit API, the REST API may update a wrong configuration without a unique ID.

@trustin suggested changing the directory layout to store a configuration to a file with a unique ID. #838 (review)

This PR has three major changes:

• Migrate the old mirror and credential settings to the new layout.

  - mirrors
    - <mirror-id>.json
    - ...
  - credentials
    - <credentials-id>.json
    - ...
  

• Add a migration job to automatically migrate the old settings to the new format when a server starts. The old files are renamed by adding .bak suffix. e,g. mirrors.json -> mirrors.json.bak, credentials.json -> credentials.json.bak.
• Add REST API for mirroring and credential configurations. This is a necessary task to add mirror UI. Add Mirroring and Credential UI #838

Modifications:

• Add MirroringMigrationService that is executed when a server starts and scan all /mirrors.json and /credentials.json in the meta repo of projects and migrate them to the new format.
  • "id" is a required property in each configuration. Human-readable random words are used to create a unique ID.
    • Mirror ID format: mirror-<projectName>-<localRepo>-<shortWord>
    • Credential ID format: credential-<projectName>-<shortWord>
    • short_wordlist.txt is used as the word database.
• Change Mirror and related classes to have id, enabled as required fields.
• Add CredentailServiceV1 and MirrorServiceV1 to serve REST API for CRU.
  • Create, read, and update operations are implemented in DefaultMetaRepository.
• Add RepositoryUri to represent a repository-specific URI such as a Git repository URL.
• Add MirrorDto to serialize a mirroring configuration. Mirror represents a mirroring task, so Mirror is not suitable for serialization.
  • MirrorCredential is used as is instead of creating a new DTO.
• Migrated all mirroring tests to use the new configuration format.
• Updated site documentation with the new format.

Result:

• Mirroring and credential settings have been updated to the new formats.
• You can now access and modify mirroring and credential resources using the REST API.

[codecov]

Codecov Report

Attention: Patch coverage is 71.81529% with 177 lines in your changes missing coverage. Please review.

Project coverage is 70.19%. Comparing base (aae194c) to head (28e1023).
Report is 19 commits behind head on main.

❗ Current head 28e1023 differs from pull request most recent head 8acab6c

Please upload reports for the commit 8acab6c to get more accurate results.

Files	Patch %	Lines
...ver/internal/mirror/MirroringMigrationService.java	67.52%	54 Missing and 9 partials ⚠️
...necorp/centraldogma/internal/api/v1/MirrorDto.java	46.77%	19 Missing and 14 partials ⚠️
...rnal/storage/repository/DefaultMetaRepository.java	73.55%	20 Missing and 12 partials ⚠️
...ver/internal/storage/repository/RepositoryUri.java	39.13%	14 Missing ⚠️
...erver/internal/mirror/DefaultMirroringService.java	50.00%	10 Missing ⚠️
...er/storage/project/InternalProjectInitializer.java	64.00%	5 Missing and 4 partials ⚠️
...ldogma/server/internal/api/MirroringServiceV1.java	85.71%	4 Missing ⚠️
...com/linecorp/centraldogma/server/CentralDogma.java	91.89%	1 Missing and 2 partials ⚠️
...ecorp/centraldogma/server/CentralDogmaBuilder.java	0.00%	3 Missing ⚠️
...corp/centraldogma/server/mirror/MirrorContext.java	71.42%	2 Missing ⚠️
... and 4 more

Additional details and impacted files

@@             Coverage Diff              @@
##               main     #880      +/-   ##
============================================
+ Coverage     66.86%   70.19%   +3.33%     
- Complexity     3529     3820     +291     
============================================
  Files           370      382      +12     
  Lines         14531    15357     +826     
  Branches       1563     1643      +80     
============================================
+ Hits           9716    10780    +1064     
+ Misses         3936     3617     -319     
- Partials        879      960      +81     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[minwoox]

Looks great all in all. 👍 👍 👍

[jrhee17]

I didn't get a chance to look at the services, but overall looks nice. Left some questions 🙇

[jrhee17]

But I have no idea how to prevent JSON upsert operation. We may need to stop replication just before rolling updates.

Instead of the current approach of updating from a Leader directly, would it be possible to issue a custom command (i.e. MigrateMirrorCommand) ?

If we take a write lock while migrating, I guess there will be minimal issues regarding inconsistency.

[ikhoon]

This PR is now ready for review again.

[jrhee17]

Went through the controller layer for now, looks good overall 👍

[jrhee17]

I believe that applying RequiresReadPermission to both the class and method will apply both decorators. (So both READ and WRITE permissions are necessary for getMirror). I wanted to make sure if this is intended.

[ikhoon]

I thought method annotation had higher precedence. If so, it needs to be fixed.

[jrhee17]

Question) Is there a reason we separate create from update? (e.g. is it easier to express in the UI?) Given the distributed nature of CD, I think I usually prefer that we provide an upsert method instead which is why I'm asking. (e.g. the semantics of update may not hold if two concurrent requests go through).

[ikhoon]

I wanted to implement a more restful API.

• create needs POST method and 201 Created status is returned.
• update uses PUT method to replace the whole content and 200 status will be returned instead.

Aside from the REST endpoint, the internal goes through the same code path.

[jrhee17]

Aside from the REST endpoint, the internal goes through the same code path.

Understood. I personally I prefer simplicity but I think it's fine to keep as is then.

[ikhoon]

update is not necessary for this API, but a consistent convention for all REST endpoints would be better.

Users may get confused if only some resources provide the PUT operation.
As REST API continues to be added to CD, there will be a high possibility of using PUT in the future.

• POST is a non-idempotent operation but PUT is idempotent so retryable.
• We may add more validations to PUT if some fields should be immutable.

[jrhee17]

a consistent convention for all REST endpoints would be better.

I'm not strong on the definition/usefulness of REST. I just wanted to make clear the reasoning for adding this logic in case we need to revisit later.

[jrhee17]

Question on the null check here - am I understanding correctly that if a legacy mirrors.json/credentials.json doesn't exist for a project then no backup file will exist?

i.e. If there is a repository without mirroring configured, will this method always return false?

[ikhoon]

if a legacy mirrors.json/credentials.json doesn't exist for a project then no backup file will exist?

Correct. Backup files won't be created if no mirror is configured.

centraldogma/server/src/main/java/com/linecorp/centraldogma/server/internal/mirror/MirroringMigrationService.java

Lines 164 to 167 in a80425c

	final ArrayNode mirrors = getMetaData(repository, PATH_LEGACY_MIRRORS);
	if (mirrors == null) {
	return false;
	}

i.e. If there is a repository without mirroring configured, will this method always return false?

This method returns false but nothing will be performed.

[jrhee17]

This method returns false but nothing will be performed.

I see. I just wanted to make sure the following lines won't be executed after a migration is successfully completed.

centraldogma/server/src/main/java/com/linecorp/centraldogma/server/internal/mirror/MirroringMigrationService.java

Lines 100 to 108 in f0184f0

	// Enter read-only mode.
	commandExecutor.execute(Command.updateServerStatus(ServerStatus.REPLICATION_ONLY))
	.get(1, TimeUnit.MINUTES);
	logger.info("Starting Mirrors and credentials migration ...");
	if (commandExecutor instanceof ZooKeeperCommandExecutor) {
	logger.debug("Waiting for 30 seconds to make sure that all cluster have been notified of the " +
	"read-only mode ...");
	Thread.sleep(30000);
	}

[ikhoon]

/mirror-migration-job.json is added to check if a migration has been performed before.
/mirror-migration-job.json will be written even if there are no mirror and credential configurations.

[jrhee17]

Aside from the REST endpoint, the internal goes through the same code path.

Understood. I personally I prefer simplicity but I think it's fine to keep as is then.

[jrhee17]

Question) Am I understanding correctly that even if a mirroring attempt fails (e.g. due to timeout), the migration may go through? If so, is manual intervention required?

e.g. If a timeout results in a failed mirror migration at this line, the server will still proceed to start up.

In general, I think if a logical failure occurs it may be better to just throw and handle ourselves. If a sporadic failure (timeout) occurs, we could just retry by restarting the server and triggering migrateMirrors again (ideally progress won't be lost)

[ikhoon]

Agreed. Let me log the exception and rethrow it.

[jrhee17]

Proposal) I'm curious if the old meta/[mirrors|credentials].json will be visible to users in the new mirroring UI. If not, what do you think of doing the rename/backup migrations after a few versions to ensure stability?

I realize that changes to the new mirroring/credentials won't be reflected in the old mirrors (unless we pre-implement and release some logic). I still think it's better than nothing and provides us an escape hatch if something goes wrong in the new release (e.g. it may not necessarily be due to this feature, but an armeria bug may force us to revert versions)

[ikhoon]

Hmm. It's a good idea, but it's not easy to apply. What if a bug is discovered a certain amount of time after the new mirroring configuration is exposed to users?

If an update has already been made in the new file, converting to the old file does not seem to be a good option. The migration itself should be verified through testing, and for bugs caused by external libraries, it would be better to revert the version only rather than reverting the all changes.

Speaking of the release strategy, what do you think of releasing a new version only for this change to minimize side effects?

[jrhee17]

Hmm. It's a good idea, but it's not easy to apply. What if a bug is discovered a certain amount of time after the new mirroring configuration is exposed to users?

I see. I was thinking there is a higher probability that a bug is discovered right away rather than a long time. This comment also assumed that mirroring configurations are usually not updated often.

I understood we prefer the current approach - if a roll back to the previous version is needed, no mirrors will be executed.

[jrhee17]

This method returns false but nothing will be performed.

I see. I just wanted to make sure the following lines won't be executed after a migration is successfully completed.

centraldogma/server/src/main/java/com/linecorp/centraldogma/server/internal/mirror/MirroringMigrationService.java

Lines 100 to 108 in f0184f0

	// Enter read-only mode.
	commandExecutor.execute(Command.updateServerStatus(ServerStatus.REPLICATION_ONLY))
	.get(1, TimeUnit.MINUTES);
	logger.info("Starting Mirrors and credentials migration ...");
	if (commandExecutor instanceof ZooKeeperCommandExecutor) {
	logger.debug("Waiting for 30 seconds to make sure that all cluster have been notified of the " +
	"read-only mode ...");
	Thread.sleep(30000);
	}

[jrhee17]

Went through all of the files and looks good overall 👍 Just left a couple comments on whether migration can be done safely and we have a clear rollback plan. Other parts look good to me 👍

[jrhee17]

Question to make sure I'm understanding correctly. Does this scenario occur because of the server status update? If a server doesn't have the necessary internal files but an exception isn't thrown here, could a CD server exist without the dogma project?

[ikhoon]

Does this scenario occur because of the server status update?

Right. "server-status.properties" in a server was WRITABLE but READ_ONLY was applied from reply logs.

could a CD server exist without the dogma project?

No, impossible. However, a server's status mode can be changed after the server starts successfully. I don't think it will be a problem for new servers because the existing data in a replica should be copied to the new ones before starting them.

[jrhee17]

Forgot to ask one more question, what do you think of allowing null ids when creating mirrors and credentials from a usability perspective. CD server could generate random ids when no id is specified.

[ikhoon]

what do you think of allowing null ids when creating mirrors and credentials from a usability perspective.

ID is required to update the existing data. Previously, users updated the whole data such as mirrors.json or credentials.json at once. In the new UI, each configuration is updated separately, so we need ID to find the source file.

[ikhoon]

CD server could generate random ids when no id is specified.

I missed this point. A mirror configuration can refer to a credential so credential's ID will be used as a foreign key. ID is also an identifier in the listing paging.

After I think about it in many ways, I still think users have to create and manage their own IDs.

[jrhee17]

After I think about it in many ways, I still think users have to create and manage their own IDs.

Sure, I'm not sure what the UI will look like. If there is a good way for users to know in advance the used ids, I guess it will be fine.

[jrhee17]

I assume the changes will be released together with the new mirroring UI. Looks good to me once the build passes 👍 👍 👍

[ikhoon]

I assume the changes will be released together with the new mirroring UI

This PR is going to be released before the mirroring UI. It may be difficult to detect bugs and handle them if this change was released along with the mirroring UI, so I wanted to release it separately.

Do you have any concerns about that?

[jrhee17]

It may be difficult to detect bugs and handle them if this change was released along with the mirroring UI, so I wanted to release it separately.

Do you have any concerns about that?

I assume this comment is for the record since we already talked about this.
I misread the code thinking reading/writing to the new mirrors/credentials files is not allowed anymore. Releasing separately sounds good 👍

[minwoox]

Basically looks great. 👍 👍 👍

[minwoox]

So users always have to create the credential first before creating a mirror configuration.
Would it be worth if we provide an API that commits both together at once ?

[ikhoon]

A credential can be used in multiple mirror configs so the relation is 1(credential):N(mirror).

[minwoox]

Looks excellent.
Thanks a lot, @ikhoon! 👍 👍 👍

[minwoox]

nit: v1ResponseConverter

[minwoox]

v1ResponseConverter

[minwoox]

Can we also add numMigratedProjects to this log?

[minwoox]

We also need to remove this line.

[minwoox]

@ikhoon Could you check the failure?
https://github.com/line/centraldogma/actions/runs/9609269292/job/26503477206?pr=880#step:6:783
@trustin Could you take a look at this PR?