RobustIntelligence · Alexanderchen929 · Feb 27, 2024 · Feb 29, 2024
diff --git a/.gitignore b/.gitignore
@@ -1,4 +1,5 @@
+.firewall-releases
 .rime-releases
 .tmp-charts
-**/charts
+**/charts/*.tgz
 **/Chart.lock
diff --git a/Makefile b/Makefile
@@ -1,50 +1,80 @@
+# vim: filetype=make
 include ../../make_utils/env-var.mk
 
+# General configurations of make options.
+MAKEFLAGS += --no-print-directory
+
 # Creates a Helm chart releases:
 # See: https://helm.sh/docs/topics/chart_repository/
 #
 # To create a new release of the RIME chart:
-#   1. Ensure the helm dependency versions are correct in rime/charts
-#      and/or update with `helm dependency update`
-#   2. Run `make VERSION=##.##.## APP_VERSION=v## create_rime_charts_release`
+#   1. Run `make VERSION=##.##.## APP_VERSION=v## create_rime_charts_release`
+#
+# To create a new release of the Firewall chart:
+#   1. Run `make create_firewall_charts_release`
 
 SHELL = /bin/bash
 
 VERSION_FILE := ../../version.txt
 VERSION ?= $(shell cat ${VERSION_FILE})
 APP_VERSION := v$(VERSION)
+FW_VERSION_FILE := ../../fw_version.txt
+FW_VERSION ?= $(shell cat ${FW_VERSION_FILE})
+FW_APP_VERSION := v$(FW_VERSION)
 REPO_URL=https://robustintelligence.github.io/helm
-
-OPERATOR_ROLE_FILE := rime-agent/templates/operator/role.yaml
-
-.PHONY: clean .tmp-charts/rime  .tmp-charts/rime-agent  .tmp-charts/rime-extras .tmp-charts/rime-kube-system gen_operator_manifests
-
-clean:
+REPO_FW_URL=https://robustintelligence.github.io/helm/fw
+
+RIME_AGENT_OPERATOR_ROLE_FILE := $(shell pwd)/rime-agent/templates/operator/role.yaml
+RI_FIREWALL_OPERATOR_ROLE_FILE := $(shell pwd)/ri-firewall/templates/operator/role.yaml
+# We use absolute paths for the CRD_OUT_DIR paths because `controller-gen` is
+# run in the OPERATOR_DIR working directory, which is in `go/`.
+# It is easier to reason about an absolute path than a relative path from a
+# different project directory.
+# The OPERATOR_DIR is a relative path from this Makefile because we use it to
+# change directory to where the operator code is defined.
+RIME_AGENT_CRD_OUT_DIR := $(shell pwd)/rime-agent/crds
+RIME_AGENT_OPERATOR_DIR :=  ../../go/dataplane/operator
+RI_FIREWALL_CRD_OUT_DIR := $(shell pwd)/ri-firewall/crds
+RI_FIREWALL_OPERATOR_DIR := ../../go/generativefirewall/operator
+
+MAKEFLAGS += --no-print-directory
+
+define release_targets
+	$(patsubst %,.tmp-charts/%,$(shell find $(1) -type f -name '*.yaml' -o -name '*.tpl' -o -name '*.md' -o -name '*.txt'))
+endef
+
+.SECONDARY:
+.SECONDEXPANSION:
+.PHONY: clean-firewall clean-rime
+
+clean-rime:
 	rm -rf .tmp-charts/
 	rm -rf .rime-releases/
-	rm -rf rime-agent/crds
-	rm -rf $(OPERATOR_ROLE_FILE)
 
-# Rule to copy a file to .tmp-charts/
-.tmp-charts/%: %
-	mkdir -p $(@D)
+clean-firewall:
+	rm -rf .tmp-charts/
+	rm -rf .firewall-releases/
+
+.tmp-charts/%.yaml: %.yaml
+	@mkdir -p $(@D)
 	cp $< $@
 
-# Rules to create .tmp-charts by copying only the chart files.
-.tmp-charts/rime: .tmp-charts/rime/Chart.yaml .tmp-charts/rime/Chart.lock .tmp-charts/rime/values.yaml $(patsubst %, .tmp-charts/%, $(wildcard rime/templates/*.*)) $(patsubst %, .tmp-charts/%, $(wildcard rime/charts/*.tgz)) $(patsubst %, .tmp-charts/%, $(wildcard rime/custom-key-auth/*.*))
-	( \
-		cp -rf "rime/templates/." ".tmp-charts/rime/templates/." \
-	)
+.tmp-charts/%.tpl: %.tpl
+	@mkdir -p $(@D)
+	cp $< $@
 
-.tmp-charts/rime-agent: .tmp-charts/rime-agent/Chart.yaml .tmp-charts/rime-agent/values.yaml $(patsubst %, .tmp-charts/%, $(wildcard rime-agent/templates/*.*)) $(patsubst %, .tmp-charts/%, $(wildcard rime-agent/templates/operator/*.*)) $(patsubst %, .tmp-charts/%, $(wildcard rime-agent/crds/*.*))
-	( \
-		cp -rf "rime-agent/crds" ".tmp-charts/rime-agent/." && \
-		cp "$(OPERATOR_ROLE_FILE)" ".tmp-charts/rime-agent/templates/operator/." \
-	)
+.tmp-charts/%.txt: %.txt
+	@mkdir -p $(@D)
+	cp $< $@
 
-.tmp-charts/rime-extras: .tmp-charts/rime-extras/Chart.yaml .tmp-charts/rime-extras/Chart.lock .tmp-charts/rime-extras/values.yaml $(patsubst %, .tmp-charts/%, $(wildcard rime-extras/charts/*.tgz))
+.tmp-charts/%.md: %.md
+	@mkdir -p $(@D)
+	cp $< $@
 
-.tmp-charts/rime-kube-system: .tmp-charts/rime-kube-system/Chart.yaml .tmp-charts/rime-kube-system/Chart.lock .tmp-charts/rime-kube-system/values.yaml $(patsubst %, .tmp-charts/%, $(wildcard rime-kube-system/charts/*.tgz))
+# Rules to create .tmp-charts by copying only the chart files.
+.tmp-charts/%: $$(call release_targets,$$(@F))
+	@cd $@ && \
+		helm dependency update
 
 # Rules to create a release tar-ball for the rime chart in .tmp-charts
 # for the given VERSION.
@@ -57,7 +87,7 @@ clean:
 		popd \
 	)
 
-.rime-releases/rime-agent-$(VERSION).tgz: gen_operator_manifests .tmp-charts/rime-agent
+.rime-releases/rime-agent-$(VERSION).tgz: .tmp-charts/rime-agent
 	( \
 		$(call check_defined, APP_VERSION VERSION, helm chart version) \
 		mkdir -p .rime-releases && \
@@ -94,27 +124,122 @@ clean:
 	)
 
 # Creates a new rime Helm chart release.
-create_rime_charts_release: clean .rime-releases/index.yaml
+create_rime_charts_release: clean-rime .rime-releases/index.yaml
 
-### Operator manfiest files for rime-agent helm chart ###
-gen_operator_manifests: rime-agent/crds/rimejob-crd.yaml $(OPERATOR_ROLE_FILE)
-
-rime-agent/crds/rimejob-crd.yaml: rime-agent/crds ../../go/dataplane/operator/api/v1/rimejob.go ../../go/dataplane/operator/api/v1/groupversion_info.go
-	# TODO: make gen_go_protos a prereq instead
-	cd ../.. && make gen_go_protos
-	cd ../../go/dataplane/operator && \
-	controller-gen crd paths="./..." output:crd:stdout > ../../../deployments/helm/rime-agent/crds/rimejob-crd.yaml
+### Operator manifest files for RI Helm charts ###
+.PHONY: gen_operator_manifests
+gen_operator_manifests: gen_rime_agent_crds gen_ri_firewall_crds $(RIME_AGENT_OPERATOR_ROLE_FILE) $(RI_FIREWALL_OPERATOR_ROLE_FILE)
 
 # CRD is generated into a subdirectory called 'crds' so that helm will skip if already installed
 # as CRDs are cluster scope.
 # https://helm.sh/docs/chart_best_practices/custom_resource_definitions/
-rime-agent/crds:
-	mkdir -p $@
-
-$(OPERATOR_ROLE_FILE): ../../go/dataplane/operator/controllers/rimejob_controller.go
-	# TODO: make gen_go_protos a prereq instead
+$(RIME_AGENT_CRD_OUT_DIR):
+	@mkdir -p $@
+
+$(RI_FIREWALL_CRD_OUT_DIR):
+	@mkdir -p $@
+
+define generate_crds
+	@cd ../.. && make gen_go_protos
+	@cd $(1) && \
+	controller-gen crd paths="./..." output:crd:stdout output:crd:dir=$(2)
+endef
+
+.PHONY: gen_rime_agent_crds
+gen_rime_agent_crds: $(wildcard ../../go/dataplane/operator/api/v1/*.go) $(RIME_AGENT_CRD_OUT_DIR)
+	$(call generate_crds,$(RIME_AGENT_OPERATOR_DIR),$(RIME_AGENT_CRD_OUT_DIR))
+
+.PHONY: gen_ri_firewall_crds
+gen_ri_firewall_crds: $(wildcard ../../go/generativefirewall/operator/api/v1/*.go) $(RI_FIREWALL_CRD_OUT_DIR)
+	$(call generate_crds,$(RI_FIREWALL_OPERATOR_DIR),$(RI_FIREWALL_CRD_OUT_DIR))
+
+
+define crd_diff_check_impl
+	$(eval $@_TMP := $(shell mktemp -d /tmp/crdXXXXXXXXXXXXXXX))
+	$(call generate_crds,$(1),$($@_TMP))
+	@diff $(2) $($@_TMP) || (echo 'ERROR: CRDs in "$(2)" need to be updated' && rm -rf $($@_TMP) && exit 1)
+	@rm -rf $($@_TMP)
+endef
+
+.PHONY: crd_diff_check
+crd_diff_check:
+	$(call crd_diff_check_impl,$(RIME_AGENT_OPERATOR_DIR),$(RIME_AGENT_CRD_OUT_DIR))
+	$(call crd_diff_check_impl,$(RI_FIREWALL_OPERATOR_DIR),$(RI_FIREWALL_CRD_OUT_DIR))
+
+# Arguments:
+# 1. Path to the output role YAML file.
+# 2. Operator Go source directory.
+# 3. The name of the Helm role (to be substituted)
+# 4. The name of the service account creation flag (to be substituted)
+define generate_operator_role
 	cd ../.. && make gen_go_protos
-	cd ../../go/dataplane/operator && \
-	controller-gen rbac:roleName="PLACEHOLDER_ROLE_NAME" paths="./..." output:rbac:stdout | sed 's/PLACEHOLDER_ROLE_NAME/{{ include "rime-agent.fullname" . }}-{{ .Values.rimeAgent.operator.name }}-role/1' > ../../../deployments/helm/$(OPERATOR_ROLE_FILE)
-	echo '{{- if .Values.rimeAgent.operator.serviceAccount.create -}}' | cat - $(OPERATOR_ROLE_FILE) > temp.yaml && mv temp.yaml $(OPERATOR_ROLE_FILE) && \
-	echo '{{- end }}' >> $(OPERATOR_ROLE_FILE)
+	cd $(2) && \
+	controller-gen rbac:roleName="PLACEHOLDER_ROLE_NAME" paths="./..." output:rbac:stdout | sed 's/PLACEHOLDER_ROLE_NAME/$(3)/1' > $(1)
+	echo '{{- if $(4) -}}' | cat - $(1) > temp.yaml && mv temp.yaml $(1) && \
+	echo '{{- end }}' >> $(1)
+endef
+
+$(RIME_AGENT_OPERATOR_ROLE_FILE): ../../go/dataplane/operator/controllers/rimejob_controller.go
+	$(call generate_operator_role,$(RIME_AGENT_OPERATOR_ROLE_FILE),$(RIME_AGENT_OPERATOR_DIR),{{ include "rime-agent.fullname" . }}-{{ .Values.rimeAgent.operator.name }}-role,.Values.rimeAgent.operator.serviceAccount.create)
+
+$(RI_FIREWALL_OPERATOR_ROLE_FILE): ../../go/generativefirewall/operator/controllers/firewall_instance_controller.go
+	$(call generate_operator_role,$(RI_FIREWALL_OPERATOR_ROLE_FILE),$(RI_FIREWALL_OPERATOR_DIR),{{ include "ri-firewall.fullname" . }}-{{ .Values.riFirewall.operator.name }}-role,.Values.riFirewall.operator.serviceAccount.create)
+
+# Arguments:
+# 1. Path to the output role YAML file.
+# 2. Operator Go source directory.
+# 3. The name of the Helm role (to be substituted)
+# 4. The name of the service account creation flag (to be substituted)
+define operator_role_diff_check_impl
+	$(eval $@_TMP := $(shell mktemp /tmp/operator-roleXXXXXXXXXXXXXXX))
+	$(call generate_operator_role,$($@_TMP),$(2),$(3),$(4))
+	@diff $(1) $($@_TMP) || (echo 'ERROR: Operator role "$(1)" needs update' && rm -rf $($@_TMP) && exit 1)
+	@rm -rf $($@_TMP)
+endef
+
+operator_role_diff_check:
+	$(call operator_role_diff_check_impl,$(RIME_AGENT_OPERATOR_ROLE_FILE),$(RIME_AGENT_OPERATOR_DIR),{{ include "rime-agent.fullname" . }}-{{ .Values.rimeAgent.operator.name }}-role,.Values.rimeAgent.operator.serviceAccount.create)
+	$(call operator_role_diff_check_impl,$(RI_FIREWALL_OPERATOR_ROLE_FILE),$(RI_FIREWALL_OPERATOR_DIR),{{ include "ri-firewall.fullname" . }}-{{ .Values.riFirewall.operator.name }}-role,.Values.riFirewall.operator.serviceAccount.create)
+
+# Rules to create a firewall release tar-balls for the
+# for the given VERSION.
+.firewall-releases/rime-extras-$(FW_VERSION).tgz: .tmp-charts/rime-extras
+	( \
+		$(call check_defined, FW_APP_VERSION FW_VERSION, helm chart version) \
+		mkdir -p .firewall-releases && \
+		pushd .tmp-charts/ && \
+		helm package --app-version=$(FW_APP_VERSION) --version=$(FW_VERSION) --destination=../.firewall-releases rime-extras && \
+		popd \
+	)
+
+.firewall-releases/rime-kube-system-$(FW_VERSION).tgz: .tmp-charts/rime-kube-system
+	( \
+		$(call check_defined, FW_APP_VERSION FW_VERSION, helm chart version) \
+		mkdir -p .firewall-releases && \
+		pushd .tmp-charts/ && \
+		helm package --app-version=$(FW_APP_VERSION) --version=$(FW_VERSION) --destination=../.firewall-releases rime-kube-system && \
+		popd \
+	)
+
+# Rules to create a release tar-ball for the firewall chart in .tmp-charts
+# for the given VERSION.
+.firewall-releases/ri-firewall-$(FW_VERSION).tgz: .tmp-charts/ri-firewall
+	( \
+		$(call check_defined, APP_VERSION VERSION, helm chart version) \
+		mkdir -p .firewall-releases && \
+		pushd .tmp-charts/ && \
+		helm package --app-version=$(FW_APP_VERSION) --version=$(FW_VERSION) --destination=../.firewall-releases ri-firewall && \
+		popd \
+	)
+
+# Rule to update the release index with metadata about release VERSION.
+.firewall-releases/index.yaml: .firewall-releases/ri-firewall-$(FW_VERSION).tgz .firewall-releases/rime-extras-$(FW_VERSION).tgz .firewall-releases/rime-kube-system-$(FW_VERSION).tgz
+	( \
+		mkdir -p .firewall-releases && \
+		pushd .firewall-releases/ && \
+		helm repo index --url=$(REPO_FW_URL) . && \
+		popd \
+	)
+
+# Creates a new RI firewall Helm chart release.
+create_firewall_charts_release: clean-firewall .firewall-releases/index.yaml