added nsc cache sccache create-token/setup. (#1705)

Author: hugosantos

cmd/nsc/cmd/register.go

@@ -61,6 +61,12 @@ func RegisterCommands(root *cobra.Command) {
 	root.AddCommand(cluster.NewBazelCmd())
 	root.AddCommand(cluster.NewGradleCmd())
 	root.AddCommand(cluster.NewPantsCmd())
+	cacheCmd := &cobra.Command{Use: "cache", Short: "Build cache related functionality."}
+	cacheCmd.AddCommand(cluster.NewSccacheCmd())
+	cacheCmd.AddCommand(cluster.NewGradleCacheCmd())
+	cacheCmd.AddCommand(cluster.NewBazelCacheCmd())
+	cacheCmd.AddCommand(cluster.NewPantsCacheCmd())
+	root.AddCommand(cacheCmd)
 	root.AddCommand(cluster.NewArtifactCmd()) // nsc artifact
 
 	root.AddCommand(sdk.NewSdkCmd(true))

go.mod

@@ -3,9 +3,9 @@ module namespacelabs.dev/foundation
 go 1.24.4
 
 require (
-	buf.build/gen/go/namespace/cloud/connectrpc/go v1.19.1-20260126170837-18fd3dc306e3.2
+	buf.build/gen/go/namespace/cloud/connectrpc/go v1.19.1-20260212004106-290ae81f8d6d.2
 	buf.build/gen/go/namespace/cloud/grpc/go v1.6.0-20251207125149-931ce9589bd8.1
-	buf.build/gen/go/namespace/cloud/protocolbuffers/go v1.36.11-20260126170837-18fd3dc306e3.1
+	buf.build/gen/go/namespace/cloud/protocolbuffers/go v1.36.11-20260212004106-290ae81f8d6d.1
 	cloud.google.com/go/artifactregistry v1.14.7
 	cloud.google.com/go/container v1.31.0
 	connectrpc.com/connect v1.19.1

go.sum

@@ -1,9 +1,9 @@
-buf.build/gen/go/namespace/cloud/connectrpc/go v1.19.1-20260126170837-18fd3dc306e3.2 h1:s5d/VkA9SLniWD8ghO/C2+v4XulT68gTcUKp2OrGaAM=
-buf.build/gen/go/namespace/cloud/connectrpc/go v1.19.1-20260126170837-18fd3dc306e3.2/go.mod h1:WxkZDjOPKKXYMkN6YpnKGsHJ5BX1fbrhNgz8W8dmAYk=
+buf.build/gen/go/namespace/cloud/connectrpc/go v1.19.1-20260212004106-290ae81f8d6d.2 h1:XaeFtt6yN8G5q2uYoiTjyshOyai1Q+GzwfEKlxrTzVw=
+buf.build/gen/go/namespace/cloud/connectrpc/go v1.19.1-20260212004106-290ae81f8d6d.2/go.mod h1:QvCL7PUDMFotMXVUoWMeRClEEnCbh7S51xHy39mO+H4=
 buf.build/gen/go/namespace/cloud/grpc/go v1.6.0-20251207125149-931ce9589bd8.1 h1:e2vtAk9xps4Cg9Jom+pQMVzBxVowYR65XbnGmsV4mW0=
 buf.build/gen/go/namespace/cloud/grpc/go v1.6.0-20251207125149-931ce9589bd8.1/go.mod h1:DtCvgtjGxZqjPjhDeX1sJYZXr0nbinUHqa37KtMDXvE=
-buf.build/gen/go/namespace/cloud/protocolbuffers/go v1.36.11-20260126170837-18fd3dc306e3.1 h1:/gUYm1epQiOD/oCH46I1U9F6/m6oOmEfVAt8vhAU0so=
-buf.build/gen/go/namespace/cloud/protocolbuffers/go v1.36.11-20260126170837-18fd3dc306e3.1/go.mod h1:Il2wpJNQB40Yj3Rmuhg5xKJPSXaZVwij+Q30d1PNuNY=
+buf.build/gen/go/namespace/cloud/protocolbuffers/go v1.36.11-20260212004106-290ae81f8d6d.1 h1:xTgPJaOj5QNRPAA3nxW3fTz01aAOLr/6SG7C4Iqxm54=
+buf.build/gen/go/namespace/cloud/protocolbuffers/go v1.36.11-20260212004106-290ae81f8d6d.1/go.mod h1:Il2wpJNQB40Yj3Rmuhg5xKJPSXaZVwij+Q30d1PNuNY=
 c2sp.org/CCTV/age v0.0.0-20240306222714-3ec4d716e805 h1:u2qwJeEvnypw+OCPUHmoZE3IqwfuN5kgDfo5MLzpNM0=
 c2sp.org/CCTV/age v0.0.0-20240306222714-3ec4d716e805/go.mod h1:FomMrUJ2Lxt5jCLmZkG3FHa72zUprnhd3v/Z18Snm4w=
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=

internal/cli/cmd/cluster/bazel.go

@@ -43,6 +43,19 @@ func NewBazelCmd() *cobra.Command {
 	return cmd
 }
 
+// NewBazelCacheCmd returns a "bazel" command with setup directly
+// underneath, for use under "nsc cache bazel setup".
+func NewBazelCacheCmd() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "bazel",
+		Short: "Bazel cache related functionality.",
+	}
+
+	cmd.AddCommand(newSetupCacheCmd())
+
+	return cmd
+}
+
 func newSetupCacheCmd() *cobra.Command {
 	var bazelRcPath, output, certPath string
 	var sendBuildEvents, useAbsoluteCredHelperPath, static bool

internal/cli/cmd/cluster/gradle.go

@@ -49,11 +49,26 @@ func NewGradleCmd() *cobra.Command {
 	return cmd
 }
 
+// NewGradleCacheCmd returns a "gradle" command with setup/create-token directly
+// underneath, for use under "nsc cache gradle {setup|create-token}".
+func NewGradleCacheCmd() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "gradle",
+		Short: "Gradle cache related functionality.",
+	}
+
+	cmd.AddCommand(newSetupGradleCacheCmd())
+	cmd.AddCommand(newCreateTokenCmd())
+
+	return cmd
+}
+
 func newSetupGradleCacheCmd() *cobra.Command {
 	var initGradlePath, output string
 	var push, user bool
 	var name, site string
 	var tokenFile string
+	var flags *pflag.FlagSet
 
 	return fncobra.Cmd(&cobra.Command{
 		Use:   "setup",
@@ -67,15 +82,22 @@ The generated init.gradle can be used with:
   gradle --init-script=/path/to/init.gradle build
 
 Or by placing it in ~/.gradle/init.d/ to apply to all builds.`,
-	}).WithFlags(func(flags *pflag.FlagSet) {
-		flags.StringVar(&initGradlePath, "init-gradle", "", "If specified, write the init.gradle to this path.")
-		flags.StringVarP(&output, "output", "o", "plain", "One of plain or json.")
-		flags.BoolVar(&push, "push", true, "Whether to enable pushing to the cache (default: true).")
-		flags.StringVar(&name, "name", "default", "A name for the cache.")
-		flags.StringVar(&site, "site", "", "Site preference (e.g., 'iad', 'fra'). If not set, determined automatically.")
-		flags.BoolVar(&user, "user", false, "If set, write the init.gradle to ~/.gradle/init.d/namespace.cache.gradle.")
-		flags.StringVar(&tokenFile, "token", "", "Use the bearer token stored at this location for authentication instead of the default.")
+	}).WithFlags(func(f *pflag.FlagSet) {
+		flags = f
+		f.StringVar(&initGradlePath, "init-gradle", "", "If specified, write the init.gradle to this path.")
+		f.StringVarP(&output, "output", "o", "plain", "One of plain or json.")
+		f.BoolVar(&push, "push", true, "Whether to enable pushing to the cache (default: true).")
+		f.StringVar(&name, "cache_name", "default", "A name for the cache.")
+		f.StringVar(&name, "name", "default", "Deprecated: use --cache_name instead.")
+		f.MarkHidden("name")
+		f.StringVar(&site, "site", "", "Site preference (e.g., 'iad', 'fra'). If not set, determined automatically.")
+		f.BoolVar(&user, "user", false, "If set, write the init.gradle to ~/.gradle/init.d/namespace.cache.gradle.")
+		f.StringVar(&tokenFile, "token", "", "Use the bearer token stored at this location for authentication instead of the default.")
 	}).Do(func(ctx context.Context) error {
+		if flags.Changed("name") {
+			fmt.Fprintf(console.Warnings(ctx), "--name is deprecated; use --cache_name\n")
+		}
+
 		if user && initGradlePath != "" {
 			return fnerrors.New("--user and --init-gradle are mutually exclusive")
 		}

internal/cli/cmd/cluster/pants.go

@@ -37,6 +37,19 @@ func NewPantsCmd() *cobra.Command {
 	return cmd
 }
 
+// NewPantsCacheCmd returns a "pants" command with setup directly
+// underneath, for use under "nsc cache pants setup".
+func NewPantsCacheCmd() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "pants",
+		Short: "Pants cache related functionality.",
+	}
+
+	cmd.AddCommand(newSetupPantsCacheCmd())
+
+	return cmd
+}
+
 func newSetupPantsCacheCmd() *cobra.Command {
 	var pantsTomlPath string
 

internal/cli/cmd/cluster/sccache.go

@@ -0,0 +1,253 @@
+// Copyright 2022 Namespace Labs Inc; All rights reserved.
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+
+package cluster
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"net/url"
+	"strings"
+	"time"
+
+	"buf.build/gen/go/namespace/cloud/connectrpc/go/proto/namespace/cloud/integrations/httpcache/v1beta/httpcachev1betaconnect"
+	iamv1beta "buf.build/gen/go/namespace/cloud/protocolbuffers/go/proto/namespace/cloud/iam/v1beta"
+	httpcachev1beta "buf.build/gen/go/namespace/cloud/protocolbuffers/go/proto/namespace/cloud/integrations/httpcache/v1beta"
+	"connectrpc.com/connect"
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+	"google.golang.org/protobuf/types/known/timestamppb"
+	"namespacelabs.dev/foundation/internal/cli/fncobra"
+	"namespacelabs.dev/foundation/internal/console"
+	"namespacelabs.dev/foundation/internal/console/colors"
+	"namespacelabs.dev/foundation/internal/fnapi"
+	"namespacelabs.dev/foundation/internal/fnerrors"
+	"namespacelabs.dev/go-ids"
+	"namespacelabs.dev/integrations/api/iam"
+	"namespacelabs.dev/integrations/auth"
+)
+
+func NewSccacheCmd() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "sccache",
+		Short: "sccache cache related functionality.",
+	}
+
+	cmd.AddCommand(newSetupSccacheCacheCmd())
+	cmd.AddCommand(newCreateSccacheTokenCmd())
+
+	return cmd
+}
+
+func newSetupSccacheCacheCmd() *cobra.Command {
+	var output string
+	var name, site string
+	var tokenFile string
+
+	return fncobra.Cmd(&cobra.Command{
+		Use:   "setup",
+		Short: "Set up a remote sccache cache and output the required environment variables.",
+		Long: `Set up a remote sccache cache and output the required environment variables.
+
+This command provisions a remote build cache and outputs the environment
+variables needed to configure sccache to use it.
+
+The output includes:
+  SCCACHE_WEBDAV_ENDPOINT - The WebDAV endpoint URL
+  SCCACHE_WEBDAV_KEY_PREFIX - The key prefix path
+  SCCACHE_WEBDAV_TOKEN - The authentication token`,
+	}).WithFlags(func(flags *pflag.FlagSet) {
+		flags.StringVarP(&output, "output", "o", "plain", "One of plain or json.")
+		flags.StringVar(&name, "cache_name", "", "A name for the cache.")
+		flags.StringVar(&site, "site", "", "Site preference (e.g., 'iad', 'fra'). If not set, determined automatically.")
+		flags.StringVar(&tokenFile, "token", "", "Use the bearer token stored at this location for authentication instead of the default.")
+	}).Do(func(ctx context.Context) error {
+		var client httpcachev1betaconnect.HttpCacheServiceClient
+		if tokenFile != "" {
+			tokenSource, err := loadTokenFromFile(tokenFile)
+			if err != nil {
+				return fnerrors.Newf("failed to load token from file: %w", err)
+			}
+
+			client = fnapi.NewHttpCacheServiceClientWithToken(tokenSource)
+		} else {
+			cli, err := fnapi.NewHttpCacheServiceClient(ctx)
+			if err != nil {
+				return err
+			}
+
+			client = cli
+		}
+
+		req := connect.NewRequest(&httpcachev1beta.EnsureHttpCacheRequest{
+			Name: name,
+			Site: site,
+		})
+
+		resp, err := client.EnsureHttpCache(ctx, req)
+		if err != nil {
+			return fnerrors.Newf("failed to provision sccache cache: %w", err)
+		}
+
+		if resp.Msg.GetCacheEndpointUrl() == "" {
+			return fnerrors.Newf("did not receive a valid cache endpoint")
+		}
+
+		var expiresAt *time.Time
+		if resp.Msg.GetExpiresAt() != nil {
+			t := resp.Msg.GetExpiresAt().AsTime()
+			expiresAt = &t
+		}
+
+		// Parse the cache URL into base endpoint and key prefix.
+		endpoint, keyPrefix, err := splitCacheURL(resp.Msg.GetCacheEndpointUrl())
+		if err != nil {
+			return fnerrors.Newf("failed to parse cache endpoint URL: %w", err)
+		}
+
+		token := resp.Msg.GetPassword()
+
+		out := sccacheSetup{
+			Endpoint:  endpoint,
+			KeyPrefix: keyPrefix,
+			Token:     token,
+			ExpiresAt: expiresAt,
+			Site:      resp.Msg.GetSite(),
+		}
+
+		switch output {
+		case "json":
+			d := json.NewEncoder(console.Stdout(ctx))
+			d.SetIndent("", "  ")
+			if err := d.Encode(out); err != nil {
+				return fnerrors.InternalError("failed to encode output as JSON: %w", err)
+			}
+
+		default:
+			if output != "" && output != "plain" {
+				fmt.Fprintf(console.Warnings(ctx), "unsupported output %q, defaulting to plain\n", output)
+			}
+
+			stdout := console.Stdout(ctx)
+			fmt.Fprintf(stdout, "SCCACHE_WEBDAV_ENDPOINT=%s\n", out.Endpoint)
+			fmt.Fprintf(stdout, "SCCACHE_WEBDAV_KEY_PREFIX=%s\n", out.KeyPrefix)
+			fmt.Fprintf(stdout, "SCCACHE_WEBDAV_TOKEN=%s\n", out.Token)
+		}
+
+		return nil
+	})
+}
+
+func newCreateSccacheTokenCmd() *cobra.Command {
+	var name string
+	var expiresIn time.Duration
+	var tokenFile, scope string
+
+	return fncobra.Cmd(&cobra.Command{
+		Use:   "create-token",
+		Short: "Create a revokable token for accessing the sccache cache.",
+	}).WithFlags(func(flags *pflag.FlagSet) {
+		flags.StringVar(&name, "cache_name", "", "Select a cache to grant access to. By default, all caches can be accessed.")
+		fncobra.DurationVar(flags, &expiresIn, "expires_in", 24*time.Hour, "Duration until the token expires (max 90 days).")
+		flags.StringVar(&tokenFile, "token", "token.json", "Write token to this file in JSON format.")
+		flags.StringVar(&scope, "scope", "user", "Set the scope of the generated access token. Valid options: `tenant`, `user`. Tokens with user scope are bound to the tenant membership of the current user.")
+	}).Do(func(ctx context.Context) error {
+		httpCacheClient, err := fnapi.NewHttpCacheServiceClient(ctx)
+		if err != nil {
+			return err
+		}
+
+		policyResp, err := httpCacheClient.GetAccessPolicy(ctx, connect.NewRequest(&httpcachev1beta.GetAccessPolicyRequest{
+			Name: name,
+		}))
+		if err != nil {
+			return fnerrors.Newf("failed to get access policy: %w", err)
+		}
+
+		requiredPerms := policyResp.Msg.GetRequiredPermission()
+		if len(requiredPerms) == 0 {
+			return fnerrors.New("no permissions required for this cache (unexpected)")
+		}
+
+		tokenSource, err := auth.LoadDefaults()
+		if err != nil {
+			return fnerrors.InvocationError("sccache", "failed to get authentication token: %w", err)
+		}
+
+		iamClient, err := iam.NewClient(ctx, tokenSource)
+		if err != nil {
+			return fnerrors.InvocationError("sccache", "failed to create IAM client: %w", err)
+		}
+		defer iamClient.Close()
+
+		suffix := ids.NewRandomBase32ID(4)
+		tokenName := fmt.Sprintf("sccache-%s-%s", name, suffix)
+		expiresAt := time.Now().Add(expiresIn)
+
+		req := &iamv1beta.CreateRevokableTokenRequest{
+			Name:        tokenName,
+			Description: fmt.Sprintf("sccache access token for cache %q", name),
+			ExpiresAt:   timestamppb.New(expiresAt),
+			Access: &iamv1beta.AccessPolicy{
+				Grants: requiredPerms,
+			},
+		}
+
+		switch scope {
+		case "tenant":
+			req.Scope = iamv1beta.RevokableToken_TENANT_SCOPE
+
+		case "user":
+			req.Scope = iamv1beta.RevokableToken_TENANT_MEMBERSHIP_SCOPE
+		}
+
+		resp, err := iamClient.Tokens.CreateRevokableToken(ctx, req)
+		if err != nil {
+			return fnerrors.InvocationError("token", "failed to create token: %w", err)
+		}
+
+		fmt.Fprintf(console.Stdout(ctx), "Token ID:    %s\n", resp.Token.GetTokenId())
+		fmt.Fprintf(console.Stdout(ctx), "Name:        %s\n", resp.Token.GetName())
+		fmt.Fprintf(console.Stdout(ctx), "Expires At:  %s\n", expiresAt.Format(time.RFC3339))
+
+		if err := writeGradleTokenToFile(tokenFile, resp.BearerToken); err != nil {
+			return fnerrors.InvocationError("token", "failed to write token to file: %w", err)
+		}
+
+		fmt.Fprintf(console.Stdout(ctx), "You can set up your sccache config with:\n")
+
+		style := colors.Ctx(ctx)
+		cmd := fmt.Sprintf("nsc cache sccache setup --token %s", tokenFile)
+		if name != "" {
+			cmd = fmt.Sprintf("%s --name %s", cmd, name)
+		}
+
+		fmt.Fprintf(console.Stdout(ctx), "  %s\n", style.Highlight.Apply(cmd))
+
+		return nil
+	})
+}
+
+// splitCacheURL parses a cache URL like "https://host:port/some/path/" into
+// base endpoint ("https://host:port") and key prefix ("/some/path/").
+func splitCacheURL(rawURL string) (string, string, error) {
+	u, err := url.Parse(rawURL)
+	if err != nil {
+		return "", "", fmt.Errorf("invalid URL %q: %w", rawURL, err)
+	}
+
+	endpoint := fmt.Sprintf("%s://%s", u.Scheme, u.Host)
+	keyPrefix := strings.TrimPrefix(u.Path, "/")
+
+	return endpoint, keyPrefix, nil
+}
+
+type sccacheSetup struct {
+	Endpoint  string     `json:"endpoint,omitempty"`
+	KeyPrefix string     `json:"key_prefix,omitempty"`
+	Token     string     `json:"token,omitempty"`
+	ExpiresAt *time.Time `json:"expires_at,omitempty"`
+	Site      string     `json:"site,omitempty"`
+}