chore: hive gateway as entrypoint for the public api (#6703)

Co-authored-by: Dotan Simha <[email protected]>

Author: n1ru4l

deployment/config/public-graphql-api-gateway/gateway.config.ts

@@ -0,0 +1,50 @@
+// @ts-expect-error not a dependency
+import { createOtlpHttpExporter, defineConfig } from '@graphql-hive/gateway';
+
+const defaultQuery = `#
+# Welcome to the Hive Console GraphQL API.
+#
+`;
+
+export const gatewayConfig = defineConfig({
+  transportEntries: {
+    graphql: {
+      location: process.env['GRAPHQL_SERVICE_ENDPOINT'],
+    },
+  },
+  supergraph: {
+    type: 'hive',
+    endpoint: process.env['SUPERGRAPH_ENDPOINT'],
+    key: process.env['HIVE_CDN_ACCESS_TOKEN'],
+  },
+  graphiql: {
+    title: 'Hive Console - GraphQL API',
+    defaultQuery,
+  },
+  propagateHeaders: {
+    fromClientToSubgraphs({ request }) {
+      return {
+        'x-request-id': request.headers.get('x-request-id'),
+        authorization: request.headers.get('authorization'),
+      };
+    },
+  },
+  disableWebsockets: true,
+  prometheus: true,
+  openTelemetry: process.env['OPENTELEMETRY_COLLECTOR_ENDPOINT']
+    ? {
+        serviceName: 'public-graphql-api-gateway',
+        exporters: [
+          createOtlpHttpExporter({
+            url: process.env['OPENTELEMETRY_COLLECTOR_ENDPOINT'],
+          }),
+        ],
+      }
+    : false,
+  demandControl: {
+    maxCost: 1000,
+    includeExtensionMetadata: true,
+  },
+  maxTokens: 1_000,
+  maxDepth: 20,
+});

deployment/index.ts

@@ -17,6 +17,7 @@ import { deployObservability } from './services/observability';
 import { deploySchemaPolicy } from './services/policy';
 import { deployPostgres } from './services/postgres';
 import { deployProxy } from './services/proxy';
+import { deployPublicGraphQLAPIGateway } from './services/public-graphql-api-gateway';
 import { deployRedis } from './services/redis';
 import { deployS3, deployS3AuditLog, deployS3Mirror } from './services/s3';
 import { deploySchema } from './services/schema';
@@ -285,12 +286,20 @@ const app = deployApp({
   sentry,
 });
 
+const publicGraphQLAPIGateway = deployPublicGraphQLAPIGateway({
+  environment,
+  graphql,
+  docker,
+  observability,
+});
+
 const proxy = deployProxy({
   observability,
   app,
   graphql,
   usage,
   environment,
+  publicGraphQLAPIGateway,
 });
 
 deployCloudFlareSecurityTransform({

deployment/services/proxy.ts

@@ -5,6 +5,7 @@ import { App } from './app';
 import { Environment } from './environment';
 import { GraphQL } from './graphql';
 import { Observability } from './observability';
+import { type PublicGraphQLAPIGateway } from './public-graphql-api-gateway';
 import { Usage } from './usage';
 
 export function deployProxy({
@@ -13,12 +14,14 @@ export function deployProxy({
   usage,
   environment,
   observability,
+  publicGraphQLAPIGateway,
 }: {
   observability: Observability;
   environment: Environment;
   graphql: GraphQL;
   app: App;
   usage: Usage;
+  publicGraphQLAPIGateway: PublicGraphQLAPIGateway;
 }) {
   const { tlsIssueName } = new CertManager().deployCertManagerAndIssuer();
   const commonConfig = new pulumi.Config('common');
@@ -103,10 +106,10 @@ export function deployProxy({
     ])
     .registerService({ record: environment.apiDns }, [
       {
-        name: 'graphql-api',
+        name: 'public-graphql-api',
         path: '/graphql',
-        customRewrite: '/graphql-public',
-        service: graphql.service,
+        customRewrite: '/graphql',
+        service: publicGraphQLAPIGateway.service,
         requestTimeout: '60s',
         retriable: true,
       },

deployment/services/public-graphql-api-gateway.ts

@@ -0,0 +1,105 @@
+import * as fs from 'fs';
+import * as path from 'path';
+import * as kx from '@pulumi/kubernetesx';
+import * as pulumi from '@pulumi/pulumi';
+import { serviceLocalEndpoint } from '../utils/local-endpoint';
+import { ServiceSecret } from '../utils/secrets';
+import { ServiceDeployment } from '../utils/service-deployment';
+import { type Docker } from './docker';
+import { type Environment } from './environment';
+import { type GraphQL } from './graphql';
+import { type Observability } from './observability';
+
+/**
+ * Hive Gateway Docker Image Version
+ * Bump this to update the used gateway version.
+ */
+const dockerImage = 'ghcr.io/graphql-hive/gateway:1.13.6';
+
+const gatewayConfigDirectory = path.resolve(
+  __dirname,
+  '..',
+  'config',
+  'public-graphql-api-gateway',
+);
+const gatewayConfigPath = path.join(gatewayConfigDirectory, 'gateway.config.ts');
+// On global scope to fail early in case of a read error
+const gwConfigFile = fs.readFileSync(gatewayConfigPath, 'utf-8');
+
+export function deployPublicGraphQLAPIGateway(args: {
+  environment: Environment;
+  graphql: GraphQL;
+  docker: Docker;
+  observability: Observability;
+}) {
+  const apiConfig = new pulumi.Config('api');
+
+  // Note: The persisted documents cdn endpoint can also be used for reading the contract schema
+  const cdnEndpoint =
+    apiConfig.requireObject<Record<string, string>>('env')['HIVE_PERSISTED_DOCUMENTS_CDN_ENDPOINT'];
+
+  if (!cdnEndpoint) {
+    throw new Error("Missing cdn endpoint variable 'HIVE_PERSISTED_DOCUMENTS_CDN_ENDPOINT'.");
+  }
+
+  const supergraphEndpoint = cdnEndpoint + '/contracts/public';
+
+  // Note: The persisted documents access key is also valid for reading the supergraph
+  const publicGraphQLAPISecret = new ServiceSecret('public-graphql-api-secret', {
+    cdnAccessKeyId: apiConfig.requireSecret('hivePersistedDocumentsCdnAccessKeyId'),
+  });
+
+  const configMap = new kx.ConfigMap('public-graphql-api-gateway-config', {
+    data: {
+      'gateway.config.ts': gwConfigFile,
+    },
+  });
+
+  return new ServiceDeployment(
+    'public-graphql-api-gateway',
+    {
+      imagePullSecret: args.docker.secret,
+      image: dockerImage,
+      replicas: args.environment.isProduction ? 3 : 1,
+      availabilityOnEveryNode: true,
+      env: {
+        GRAPHQL_SERVICE_ENDPOINT: serviceLocalEndpoint(args.graphql.service).apply(
+          value => `${value}/graphql-public`,
+        ),
+        SUPERGRAPH_ENDPOINT: supergraphEndpoint,
+        OPENTELEMETRY_COLLECTOR_ENDPOINT: args.observability.tracingEndpoint ?? '',
+      },
+      port: 4000,
+      args: ['-c', '/config/gateway.config.ts', 'supergraph'],
+      volumes: [
+        {
+          name: 'gateway-config',
+          configMap: {
+            name: configMap.metadata.name,
+          },
+        },
+      ],
+      volumeMounts: [
+        {
+          mountPath: '/config/',
+          name: 'gateway-config',
+          readOnly: true,
+        },
+      ],
+      readinessProbe: '/readiness',
+      livenessProbe: '/healthcheck',
+      startupProbe: {
+        endpoint: '/healthcheck',
+        initialDelaySeconds: 60,
+        failureThreshold: 10,
+        periodSeconds: 15,
+        timeoutSeconds: 15,
+      },
+    },
+    [args.graphql.deployment, args.graphql.service],
+  )
+    .withSecret('HIVE_CDN_ACCESS_TOKEN', publicGraphQLAPISecret, 'cdnAccessKeyId')
+    .deploy();
+}
+
+export type PublicGraphQLAPIGateway = ReturnType<typeof deployPublicGraphQLAPIGateway>;