mirror of
https://github.com/zitadel/zitadel.git
synced 2025-12-06 15:24:10 +00:00
2727fa719d
# Which Problems Are Solved
The event execution system currently uses a projection handler that
subscribes to and processes all events for all instances. This creates a
high static cost because the system over-fetches event data, handling
many events that are not needed by most instances. This inefficiency is
also reflected in high "rows returned" metrics in the database.
# How the Problems Are Solved
Eliminate the use of a project handler. Instead, events for which
"execution targets" are defined, are directly pushed to the queue by the
eventstore. A Router is populated in the Instance object in the authz
middleware.
- By joining the execution targets to the instance, no additional
queries are needed anymore.
- As part of the instance object, execution targets are now cached as
well.
- Events are queued within the same transaction, giving transactional
guarantees on delivery.
- Uses the "insert many fast` variant of River. Multiple jobs are queued
in a single round-trip to the database.
- Fix compatibility with PostgreSQL 15
# Additional Changes
- The signing key was stored as plain-text in the river job payload in
the DB. This violated our [Secrets
Storage](https://zitadel.com/docs/concepts/architecture/secrets#secrets-storage)
principle. This change removed the field and only uses the encrypted
version of the signing key.
- Fixed the target ordering from descending to ascending.
- Some minor linter warnings on the use of `io.WriteString()`.
# Additional Context
- Introduced in https://github.com/zitadel/zitadel/pull/9249
- Closes https://github.com/zitadel/zitadel/issues/10553
- Closes https://github.com/zitadel/zitadel/issues/9832
- Closes https://github.com/zitadel/zitadel/issues/10372
- Closes https://github.com/zitadel/zitadel/issues/10492
---------
Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
(cherry picked from commit a9ebc06c77)
93 lines
2.9 KiB
Go
93 lines
2.9 KiB
Go
package server
|
|
|
|
import (
|
|
"crypto/tls"
|
|
"net/http"
|
|
|
|
"connectrpc.com/connect"
|
|
grpc_middleware "github.com/grpc-ecosystem/go-grpc-middleware"
|
|
"google.golang.org/grpc"
|
|
"google.golang.org/grpc/credentials"
|
|
healthpb "google.golang.org/grpc/health/grpc_health_v1"
|
|
"google.golang.org/protobuf/reflect/protoreflect"
|
|
|
|
"github.com/zitadel/zitadel/internal/api/authz"
|
|
grpc_api "github.com/zitadel/zitadel/internal/api/grpc"
|
|
"github.com/zitadel/zitadel/internal/api/grpc/server/middleware"
|
|
"github.com/zitadel/zitadel/internal/crypto"
|
|
"github.com/zitadel/zitadel/internal/logstore"
|
|
"github.com/zitadel/zitadel/internal/logstore/record"
|
|
"github.com/zitadel/zitadel/internal/query"
|
|
"github.com/zitadel/zitadel/internal/telemetry/metrics"
|
|
system_pb "github.com/zitadel/zitadel/pkg/grpc/system"
|
|
)
|
|
|
|
type Server interface {
|
|
AppName() string
|
|
MethodPrefix() string
|
|
AuthMethods() authz.MethodMapping
|
|
}
|
|
|
|
type GrpcServer interface {
|
|
Server
|
|
RegisterServer(*grpc.Server)
|
|
}
|
|
|
|
type WithGateway interface {
|
|
Server
|
|
RegisterGateway() RegisterGatewayFunc
|
|
}
|
|
|
|
// WithGatewayPrefix extends the server interface with a prefix for the grpc gateway
|
|
//
|
|
// it's used for the System, Admin, Mgmt and Auth API
|
|
type WithGatewayPrefix interface {
|
|
GrpcServer
|
|
WithGateway
|
|
GatewayPathPrefix() string
|
|
}
|
|
|
|
type ConnectServer interface {
|
|
Server
|
|
RegisterConnectServer(interceptors ...connect.Interceptor) (string, http.Handler)
|
|
FileDescriptor() protoreflect.FileDescriptor
|
|
}
|
|
|
|
func CreateServer(
|
|
verifier authz.APITokenVerifier,
|
|
systemAuthz authz.Config,
|
|
authConfig authz.Config,
|
|
queries *query.Queries,
|
|
externalDomain string,
|
|
tlsConfig *tls.Config,
|
|
accessSvc *logstore.Service[*record.AccessLog],
|
|
targetEncAlg crypto.EncryptionAlgorithm,
|
|
) *grpc.Server {
|
|
metricTypes := []metrics.MetricType{metrics.MetricTypeTotalCount, metrics.MetricTypeRequestCount, metrics.MetricTypeStatusCode}
|
|
serverOptions := []grpc.ServerOption{
|
|
grpc.UnaryInterceptor(
|
|
grpc_middleware.ChainUnaryServer(
|
|
middleware.CallDurationHandler(),
|
|
middleware.MetricsHandler(metricTypes, grpc_api.Probes...),
|
|
middleware.NoCacheInterceptor(),
|
|
middleware.InstanceInterceptor(queries, externalDomain, system_pb.SystemService_ServiceDesc.ServiceName, healthpb.Health_ServiceDesc.ServiceName),
|
|
middleware.AccessStorageInterceptor(accessSvc),
|
|
middleware.ErrorHandler(),
|
|
middleware.LimitsInterceptor(system_pb.SystemService_ServiceDesc.ServiceName),
|
|
middleware.AuthorizationInterceptor(verifier, systemAuthz, authConfig),
|
|
middleware.TranslationHandler(),
|
|
middleware.QuotaExhaustedInterceptor(accessSvc, system_pb.SystemService_ServiceDesc.ServiceName),
|
|
middleware.ExecutionHandler(targetEncAlg),
|
|
middleware.ValidationHandler(),
|
|
middleware.ServiceHandler(),
|
|
middleware.ActivityInterceptor(),
|
|
),
|
|
),
|
|
grpc.StatsHandler(middleware.DefaultTracingServer()),
|
|
}
|
|
if tlsConfig != nil {
|
|
serverOptions = append(serverOptions, grpc.Creds(credentials.NewTLS(tlsConfig)))
|
|
}
|
|
return grpc.NewServer(serverOptions...)
|
|
}
|