Merge pull request #3 from spotify/deployer

Add CloudFlare Resolver Deployer

Author: fabriziodemaria

.dockerignore

@@ -0,0 +1,13 @@
+# Keep .git included (do NOT list it here) so commit SHA is available if needed
+
+# Build outputs
+**/target
+**/node_modules
+
+# OS/editor files
+**/.DS_Store
+**/.idea
+**/.vscode
+
+# Unneeded runtime data; fetched/generated during build/run
+data/*

.github/workflows/deployer-image.yml

@@ -0,0 +1,65 @@
+name: Build and Push Deployer Image
+
+on:
+  push:
+    paths-ignore:
+      - 'wasm/**'
+      - 'wasm-msg/**'
+      - 'data/**'
+  pull_request:
+    paths-ignore:
+      - 'wasm/**'
+      - 'wasm-msg/**'
+      - 'data/**'
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  docker:
+    name: Build and (conditionally) push image
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GHCR
+        if: github.event_name == 'push'
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/${{ github.repository_owner }}/confidence-cloudflare-deployer
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=sha
+            type=raw,value=latest,enable={{is_default_branch}}
+
+      - name: Build (and push on main/tags)
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ./confidence-cloudflare-resolver/deployer/Dockerfile
+          push: ${{ github.event_name == 'push' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/')) }}
+          build-args: |
+            COMMIT_SHA=${{ github.sha }}
+          platforms: linux/amd64
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+

README.md

@@ -1,4 +1,4 @@
-## confidence-resolver-rs
+# Confidence Rust Flags Resolver
 
 The Confidence Flag Resolver implemented in Rust, plus example hosts and a Cloudflare Worker build. This workspace compiles the core resolver to native and WebAssembly and demonstrates how to call it from Go, Node.js, Python, and Java.
 

confidence-cloudflare-resolver/deployer/Dockerfile

@@ -0,0 +1,53 @@
+FROM rust:1.82
+
+RUN rustup update stable && rustup target add wasm32-unknown-unknown
+
+# Execute next commands in the directory /workspace
+WORKDIR /workspace
+
+RUN apt-get update && \
+    apt install -y protobuf-compiler jq && \
+    protoc --version && jq --version
+
+# Install curl and other necessary tools
+RUN apt-get update && apt-get install -y \
+    curl \
+    && rm -rf /var/lib/apt/lists/*
+
+ENV NVM_DIR=/root/.nvm
+ENV NODE_VERSION=22.12.0
+
+RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.3/install.sh | bash \
+    && . $NVM_DIR/nvm.sh \
+    && nvm install $NODE_VERSION \
+    && nvm use $NODE_VERSION \
+    && nvm alias default $NODE_VERSION \
+    && npm install -g npm@latest
+
+# Add Node.js and npm to PATH
+ENV PATH="$NVM_DIR/versions/node/v$NODE_VERSION/bin:$PATH"
+
+# Confirm versions
+RUN node -v && npm -v
+
+# Install Wrangler CLI using npm
+RUN npm install -g wrangler@latest
+
+ENV PATH=/usr/local/bin:$PATH
+
+# Optionally pass the commit SHA at build time
+ARG COMMIT_SHA=""
+ENV COMMIT_SHA=${COMMIT_SHA}
+
+# Copy entire repository (build context is repo root) into a subdir
+# to match script paths (it cds into confidence-resolver-rust)
+COPY . .
+
+# Ensure deploy script is executable
+RUN chmod +x confidence-cloudflare-resolver/deployer/script.sh
+
+# Default command runs the deployer script
+CMD ["./confidence-cloudflare-resolver/deployer/script.sh"]
+
+# Remove sample/runtime data from the copied repo
+RUN rm -rf data/*

confidence-cloudflare-resolver/deployer/README.md

@@ -0,0 +1,37 @@
+# CloudFlare Resolver Worker Deployer
+
+Docker container used to deploy the Confidence Rust resolver to CloudFlare.
+
+# Build the image
+
+From the **root of the repository**, run:
+
+```
+docker build -f confidence-cloudflare-resolver/deployer/Dockerfile -t <YOUR_IMAGE_NAME> .
+```
+
+# Usage
+
+```
+docker run -it \
+	-e CLOUDFLARE_ACCOUNT_ID='<>’ \
+	-e CLOUDFLARE_API_TOKEN='<>’ \
+	-e CONFIDENCE_ACCOUNT_ID='<>' \
+	-e CONFIDENCE_CLIENT_ID='<>’ \
+	-e CONFIDENCE_CLIENT_SECRET='<>’ \
+	-e RESOLVE_TOKEN_ENCRYPTION_KEY='<>' \
+	-e CONFIDENCE_RESOLVER_STATE_ETAG_URL=‘<>/v1/state:etag' \
+	image-name
+```
+
+The RESOLVE_TOKEN_ENCRYPTION_KEY key has to be a valid AES-128 (16 bytes) key, base64 encoded.
+This key is used internally in the resolver, and shouldn't be changed once deployed in production.
+
+The CONFIDENCE_RESOLVER_STATE_ETAG_URL needs to point to the resolver you deployed / are about to deploy. 
+The `.../v1/state:etag` is the path used to retrieve the etag if available, ignored otherwise.
+The etag value is used to avoid re-deploy the worker if the state hasn't changed since the last deploy.
+
+Additional optional variables:
+- CONFIDENCE_RESOLVER_STATE_URL: Point to a custom resolver state protobuf file;
+- CONFIDENCE_RESOLVER_ALLOWED_ORIGIN: Configure allowed origins in the wrangler used to deploy the resolver;
+- FORCE_DEPLOY: Re-deploy the resolver worker, regardless if the state is detected as changed or not.