191 lines
9.5 KiB
Makefile
191 lines
9.5 KiB
Makefile
# --- Backend Foundation (Cloud Run + Workers) ---
|
|
|
|
BACKEND_REGION ?= us-central1
|
|
BACKEND_ARTIFACT_REPO ?= krow-backend
|
|
|
|
BACKEND_CORE_SERVICE_NAME ?= krow-core-api
|
|
BACKEND_COMMAND_SERVICE_NAME ?= krow-command-api
|
|
BACKEND_RUNTIME_SA_NAME ?= krow-backend-runtime
|
|
BACKEND_RUNTIME_SA_EMAIL := $(BACKEND_RUNTIME_SA_NAME)@$(GCP_PROJECT_ID).iam.gserviceaccount.com
|
|
|
|
BACKEND_CORE_DIR ?= backend/core-api
|
|
BACKEND_COMMAND_DIR ?= backend/command-api
|
|
BACKEND_WORKERS_DIR ?= backend/cloud-functions
|
|
|
|
BACKEND_DEV_PUBLIC_BUCKET ?= krow-workforce-dev-public
|
|
BACKEND_DEV_PRIVATE_BUCKET ?= krow-workforce-dev-private
|
|
BACKEND_STAGING_PUBLIC_BUCKET ?= krow-workforce-staging-public
|
|
BACKEND_STAGING_PRIVATE_BUCKET ?= krow-workforce-staging-private
|
|
|
|
ifeq ($(ENV),staging)
|
|
BACKEND_PUBLIC_BUCKET := $(BACKEND_STAGING_PUBLIC_BUCKET)
|
|
BACKEND_PRIVATE_BUCKET := $(BACKEND_STAGING_PRIVATE_BUCKET)
|
|
BACKEND_RUN_AUTH_FLAG := --no-allow-unauthenticated
|
|
else
|
|
BACKEND_PUBLIC_BUCKET := $(BACKEND_DEV_PUBLIC_BUCKET)
|
|
BACKEND_PRIVATE_BUCKET := $(BACKEND_DEV_PRIVATE_BUCKET)
|
|
BACKEND_RUN_AUTH_FLAG := --allow-unauthenticated
|
|
endif
|
|
|
|
BACKEND_CORE_IMAGE ?= $(BACKEND_REGION)-docker.pkg.dev/$(GCP_PROJECT_ID)/$(BACKEND_ARTIFACT_REPO)/core-api:latest
|
|
BACKEND_COMMAND_IMAGE ?= $(BACKEND_REGION)-docker.pkg.dev/$(GCP_PROJECT_ID)/$(BACKEND_ARTIFACT_REPO)/command-api:latest
|
|
BACKEND_LOG_LIMIT ?= 100
|
|
BACKEND_LLM_MODEL ?= gemini-2.0-flash-001
|
|
BACKEND_MAX_SIGNED_URL_SECONDS ?= 900
|
|
BACKEND_LLM_RATE_LIMIT_PER_MINUTE ?= 20
|
|
|
|
.PHONY: backend-help backend-enable-apis backend-bootstrap-dev backend-migrate-idempotency backend-deploy-core backend-deploy-commands backend-deploy-workers backend-smoke-core backend-smoke-commands backend-logs-core
|
|
|
|
backend-help:
|
|
@echo "--> Backend Foundation Commands"
|
|
@echo " make backend-enable-apis [ENV=dev] Enable Cloud Run/Functions/Build/Secret APIs"
|
|
@echo " make backend-bootstrap-dev Bootstrap artifact repo, runtime SA, and buckets"
|
|
@echo " make backend-migrate-idempotency Create/upgrade idempotency table in Cloud SQL"
|
|
@echo " make backend-deploy-core [ENV=dev] Build + deploy core API service"
|
|
@echo " make backend-deploy-commands [ENV=dev] Build + deploy command API service"
|
|
@echo " make backend-deploy-workers [ENV=dev] Deploy worker scaffold"
|
|
@echo " make backend-smoke-core [ENV=dev] Smoke test core /health"
|
|
@echo " make backend-smoke-commands [ENV=dev] Smoke test commands /health"
|
|
@echo " make backend-logs-core [ENV=dev] Read core service logs"
|
|
|
|
backend-enable-apis:
|
|
@echo "--> Enabling backend APIs on project [$(GCP_PROJECT_ID)]..."
|
|
@for api in \
|
|
run.googleapis.com \
|
|
cloudbuild.googleapis.com \
|
|
artifactregistry.googleapis.com \
|
|
secretmanager.googleapis.com \
|
|
cloudfunctions.googleapis.com \
|
|
eventarc.googleapis.com \
|
|
aiplatform.googleapis.com \
|
|
storage.googleapis.com \
|
|
iam.googleapis.com \
|
|
iamcredentials.googleapis.com \
|
|
serviceusage.googleapis.com \
|
|
firebase.googleapis.com; do \
|
|
echo " - $$api"; \
|
|
gcloud services enable $$api --project=$(GCP_PROJECT_ID); \
|
|
done
|
|
@echo "✅ Backend APIs enabled."
|
|
|
|
backend-bootstrap-dev: backend-enable-apis
|
|
@echo "--> Bootstrapping backend foundation for [$(ENV)] on project [$(GCP_PROJECT_ID)]..."
|
|
@echo "--> Ensuring Artifact Registry repo [$(BACKEND_ARTIFACT_REPO)] exists..."
|
|
@if ! gcloud artifacts repositories describe $(BACKEND_ARTIFACT_REPO) --location=$(BACKEND_REGION) --project=$(GCP_PROJECT_ID) >/dev/null 2>&1; then \
|
|
gcloud artifacts repositories create $(BACKEND_ARTIFACT_REPO) \
|
|
--repository-format=docker \
|
|
--location=$(BACKEND_REGION) \
|
|
--description="KROW backend services" \
|
|
--project=$(GCP_PROJECT_ID); \
|
|
else \
|
|
echo " - Artifact Registry repo already exists."; \
|
|
fi
|
|
@echo "--> Ensuring runtime service account [$(BACKEND_RUNTIME_SA_NAME)] exists..."
|
|
@if ! gcloud iam service-accounts describe $(BACKEND_RUNTIME_SA_EMAIL) --project=$(GCP_PROJECT_ID) >/dev/null 2>&1; then \
|
|
gcloud iam service-accounts create $(BACKEND_RUNTIME_SA_NAME) \
|
|
--display-name="KROW Backend Runtime" \
|
|
--project=$(GCP_PROJECT_ID); \
|
|
else \
|
|
echo " - Runtime service account already exists."; \
|
|
fi
|
|
@echo "--> Ensuring runtime service account IAM roles..."
|
|
@gcloud projects add-iam-policy-binding $(GCP_PROJECT_ID) \
|
|
--member="serviceAccount:$(BACKEND_RUNTIME_SA_EMAIL)" \
|
|
--role="roles/storage.objectAdmin" \
|
|
--quiet >/dev/null
|
|
@gcloud projects add-iam-policy-binding $(GCP_PROJECT_ID) \
|
|
--member="serviceAccount:$(BACKEND_RUNTIME_SA_EMAIL)" \
|
|
--role="roles/aiplatform.user" \
|
|
--quiet >/dev/null
|
|
@gcloud iam service-accounts add-iam-policy-binding $(BACKEND_RUNTIME_SA_EMAIL) \
|
|
--member="serviceAccount:$(BACKEND_RUNTIME_SA_EMAIL)" \
|
|
--role="roles/iam.serviceAccountTokenCreator" \
|
|
--project=$(GCP_PROJECT_ID) \
|
|
--quiet >/dev/null
|
|
@echo "--> Ensuring storage buckets exist..."
|
|
@if ! gcloud storage buckets describe gs://$(BACKEND_PUBLIC_BUCKET) --project=$(GCP_PROJECT_ID) >/dev/null 2>&1; then \
|
|
gcloud storage buckets create gs://$(BACKEND_PUBLIC_BUCKET) --location=$(BACKEND_REGION) --project=$(GCP_PROJECT_ID); \
|
|
else \
|
|
echo " - Public bucket already exists: $(BACKEND_PUBLIC_BUCKET)"; \
|
|
fi
|
|
@if ! gcloud storage buckets describe gs://$(BACKEND_PRIVATE_BUCKET) --project=$(GCP_PROJECT_ID) >/dev/null 2>&1; then \
|
|
gcloud storage buckets create gs://$(BACKEND_PRIVATE_BUCKET) --location=$(BACKEND_REGION) --project=$(GCP_PROJECT_ID); \
|
|
else \
|
|
echo " - Private bucket already exists: $(BACKEND_PRIVATE_BUCKET)"; \
|
|
fi
|
|
@echo "✅ Backend foundation bootstrap complete for [$(ENV)]."
|
|
|
|
backend-migrate-idempotency:
|
|
@echo "--> Applying idempotency table migration..."
|
|
@test -n "$(IDEMPOTENCY_DATABASE_URL)" || (echo "❌ IDEMPOTENCY_DATABASE_URL is required" && exit 1)
|
|
@cd $(BACKEND_COMMAND_DIR) && IDEMPOTENCY_DATABASE_URL="$(IDEMPOTENCY_DATABASE_URL)" npm run migrate:idempotency
|
|
@echo "✅ Idempotency migration applied."
|
|
|
|
backend-deploy-core:
|
|
@echo "--> Deploying core backend service [$(BACKEND_CORE_SERVICE_NAME)] to [$(ENV)]..."
|
|
@test -d $(BACKEND_CORE_DIR) || (echo "❌ Missing directory: $(BACKEND_CORE_DIR)" && exit 1)
|
|
@test -f $(BACKEND_CORE_DIR)/Dockerfile || (echo "❌ Missing Dockerfile: $(BACKEND_CORE_DIR)/Dockerfile" && exit 1)
|
|
@gcloud builds submit $(BACKEND_CORE_DIR) --tag $(BACKEND_CORE_IMAGE) --project=$(GCP_PROJECT_ID)
|
|
@gcloud run deploy $(BACKEND_CORE_SERVICE_NAME) \
|
|
--image=$(BACKEND_CORE_IMAGE) \
|
|
--region=$(BACKEND_REGION) \
|
|
--project=$(GCP_PROJECT_ID) \
|
|
--service-account=$(BACKEND_RUNTIME_SA_EMAIL) \
|
|
--set-env-vars=APP_ENV=$(ENV),GCP_PROJECT_ID=$(GCP_PROJECT_ID),PUBLIC_BUCKET=$(BACKEND_PUBLIC_BUCKET),PRIVATE_BUCKET=$(BACKEND_PRIVATE_BUCKET),UPLOAD_MOCK=false,SIGNED_URL_MOCK=false,LLM_MOCK=false,LLM_LOCATION=$(BACKEND_REGION),LLM_MODEL=$(BACKEND_LLM_MODEL),LLM_TIMEOUT_MS=20000,MAX_SIGNED_URL_SECONDS=$(BACKEND_MAX_SIGNED_URL_SECONDS),LLM_RATE_LIMIT_PER_MINUTE=$(BACKEND_LLM_RATE_LIMIT_PER_MINUTE) \
|
|
$(BACKEND_RUN_AUTH_FLAG)
|
|
@echo "✅ Core backend service deployed."
|
|
|
|
backend-deploy-commands:
|
|
@echo "--> Deploying command backend service [$(BACKEND_COMMAND_SERVICE_NAME)] to [$(ENV)]..."
|
|
@test -d $(BACKEND_COMMAND_DIR) || (echo "❌ Missing directory: $(BACKEND_COMMAND_DIR)" && exit 1)
|
|
@test -f $(BACKEND_COMMAND_DIR)/Dockerfile || (echo "❌ Missing Dockerfile: $(BACKEND_COMMAND_DIR)/Dockerfile" && exit 1)
|
|
@gcloud builds submit $(BACKEND_COMMAND_DIR) --tag $(BACKEND_COMMAND_IMAGE) --project=$(GCP_PROJECT_ID)
|
|
@gcloud run deploy $(BACKEND_COMMAND_SERVICE_NAME) \
|
|
--image=$(BACKEND_COMMAND_IMAGE) \
|
|
--region=$(BACKEND_REGION) \
|
|
--project=$(GCP_PROJECT_ID) \
|
|
--service-account=$(BACKEND_RUNTIME_SA_EMAIL) \
|
|
--set-env-vars=APP_ENV=$(ENV),GCP_PROJECT_ID=$(GCP_PROJECT_ID),PUBLIC_BUCKET=$(BACKEND_PUBLIC_BUCKET),PRIVATE_BUCKET=$(BACKEND_PRIVATE_BUCKET) \
|
|
$(BACKEND_RUN_AUTH_FLAG)
|
|
@echo "✅ Command backend service deployed."
|
|
|
|
backend-deploy-workers:
|
|
@echo "--> Deploying worker scaffold for [$(ENV)]..."
|
|
@if [ ! -d "$(BACKEND_WORKERS_DIR)" ]; then \
|
|
echo "❌ Missing directory: $(BACKEND_WORKERS_DIR)"; \
|
|
exit 1; \
|
|
fi
|
|
@if [ -z "$$(find $(BACKEND_WORKERS_DIR) -mindepth 1 ! -name '.keep' -print -quit)" ]; then \
|
|
echo "⚠️ No worker code found in $(BACKEND_WORKERS_DIR). Skipping deployment."; \
|
|
exit 0; \
|
|
fi
|
|
@echo "⚠️ Worker deployment is scaffold-only for now."
|
|
@echo " Add concrete worker deployment commands once worker code is introduced."
|
|
|
|
backend-smoke-core:
|
|
@echo "--> Running core smoke check..."
|
|
@URL=$$(gcloud run services describe $(BACKEND_CORE_SERVICE_NAME) --region=$(BACKEND_REGION) --project=$(GCP_PROJECT_ID) --format='value(status.url)'); \
|
|
if [ -z "$$URL" ]; then \
|
|
echo "❌ Could not resolve URL for service $(BACKEND_CORE_SERVICE_NAME)"; \
|
|
exit 1; \
|
|
fi; \
|
|
TOKEN=$$(gcloud auth print-identity-token); \
|
|
curl -fsS -H "Authorization: Bearer $$TOKEN" "$$URL/health" >/dev/null && echo "✅ Core smoke check passed: $$URL/health"
|
|
|
|
backend-smoke-commands:
|
|
@echo "--> Running commands smoke check..."
|
|
@URL=$$(gcloud run services describe $(BACKEND_COMMAND_SERVICE_NAME) --region=$(BACKEND_REGION) --project=$(GCP_PROJECT_ID) --format='value(status.url)'); \
|
|
if [ -z "$$URL" ]; then \
|
|
echo "❌ Could not resolve URL for service $(BACKEND_COMMAND_SERVICE_NAME)"; \
|
|
exit 1; \
|
|
fi; \
|
|
TOKEN=$$(gcloud auth print-identity-token); \
|
|
curl -fsS -H "Authorization: Bearer $$TOKEN" "$$URL/health" >/dev/null && echo "✅ Commands smoke check passed: $$URL/health"
|
|
|
|
backend-logs-core:
|
|
@echo "--> Reading logs for core backend service [$(BACKEND_CORE_SERVICE_NAME)]..."
|
|
@gcloud run services logs read $(BACKEND_CORE_SERVICE_NAME) \
|
|
--region=$(BACKEND_REGION) \
|
|
--project=$(GCP_PROJECT_ID) \
|
|
--limit=$(BACKEND_LOG_LIMIT)
|