feat(license-verifier): add license verifier (#352)

## 📝 Description

Adds `license-verifier` service to EE installation for validating the
license via the license server.

**Changes**
- Introduced `license-verifier` pod that polls the license server using
a license stored in a secret.
- App services (`front`, `github_hooks`, `hooks_receiver`) check the
verifier endpoint to enforce license validity.
  - On missing, invalid or expired license:
    - Frontend shows a top banner.
    - GitHub, Bitbucket, and GitLab hooks are rejected.

Related
[task](renderedtext/project-tasks#2393).

## ✅ Checklist
- [x] I have tested this change
- [ ] This change requires documentation update

Author: dexyk

bootstrapper/cmd/serve.go

@@ -0,0 +1,75 @@
+package cmd
+
+import (
+	"fmt"
+	"log"
+	"net"
+	"os"
+	"strconv"
+
+	license "github.com/semaphoreio/semaphore/bootstrapper/pkg/license"
+	"github.com/spf13/cobra"
+	"google.golang.org/grpc"
+)
+
+var (
+	grpcPort         int
+	licenseServerURL string
+	licenseFile      string
+	enableGRPC       bool
+)
+
+const (
+	defaultGRPCPort    = 50051
+	defaultLicenseFile = "/app/config/app.license"
+)
+
+var serveCmd = &cobra.Command{
+	Use:   "serve",
+	Short: "Start the license verification gRPC server",
+	PreRun: func(cmd *cobra.Command, args []string) {
+		if envPort := os.Getenv("BOOTSTRAPPER_GRPC_PORT"); envPort != "" {
+			if port, err := strconv.Atoi(envPort); err == nil {
+				grpcPort = port
+			} else {
+				log.Fatalf("Invalid gRPC port: %s", envPort)
+			}
+		} else {
+			grpcPort = defaultGRPCPort
+		}
+
+		licenseServerURL = os.Getenv("BOOTSTRAPPER_LICENSE_SERVER_URL")
+		if envLicenseFile := os.Getenv("BOOTSTRAPPER_LICENSE_FILE"); envLicenseFile != "" {
+			licenseFile = envLicenseFile
+		} else {
+			licenseFile = defaultLicenseFile
+		}
+		enableGRPC = os.Getenv("BOOTSTRAPPER_ENABLE_GRPC") == "true"
+	},
+	RunE: func(cmd *cobra.Command, args []string) error {
+		if !enableGRPC {
+			log.Println("gRPC server is disabled")
+			return nil
+		}
+		grpcServer := grpc.NewServer()
+
+		licenseServer := license.NewServer(licenseServerURL, licenseFile)
+		license.RegisterServer(grpcServer, licenseServer)
+
+		lis, err := net.Listen("tcp", fmt.Sprintf(":%d", grpcPort))
+		if err != nil {
+			return fmt.Errorf("failed to listen: %v", err)
+		}
+
+		log.Printf("Starting gRPC server on port %d", grpcPort)
+		if err := grpcServer.Serve(lis); err != nil {
+			return fmt.Errorf("failed to serve: %v", err)
+		}
+
+		return nil
+	},
+}
+
+func init() {
+	RootCmd.AddCommand(serveCmd)
+}

bootstrapper/helm/templates/license-checker.yaml

@@ -0,0 +1,92 @@
+{{- if eq .Values.global.edition "ee" }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: license-checker
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: license-checker
+spec:
+  replicas: {{ .Values.licenseChecker.replicaCount | default 1 }}
+  selector:
+    matchLabels:
+      app: license-checker
+  template:
+    metadata:
+      labels:
+        app: license-checker
+    spec:
+      serviceAccountName: license-checker
+{{- if .Values.imagePullSecrets }}
+      imagePullSecrets:
+{{- range .Values.imagePullSecrets }}
+        - name: {{ . }}
+{{- end }}
+{{- end }}
+      automountServiceAccountToken: true
+      containers:
+      - name: license-checker
+        image: "{{ .Values.global.image.registry }}/{{ .Values.image }}:{{ .Values.imageTag }}"
+        imagePullPolicy: {{ .Values.imagePullPolicy | default "IfNotPresent" }}
+        command:
+          - /app/build/bootstrapper
+        args:
+          - "serve"
+        ports:
+        - name: grpc
+          containerPort: {{ .Values.licenseChecker.grpc.port }}
+        envFrom:
+          - configMapRef:
+              name: {{ .Values.global.internalApi.configMapName }}
+        env:
+          - name: BOOTSTRAPPER_GRPC_PORT
+            value: "{{ .Values.licenseChecker.grpc.port }}"
+          - name: BOOTSTRAPPER_LICENSE_SERVER_URL
+            value: {{ .Values.global.licenseServerUrl }}
+          - name: BOOTSTRAPPER_LICENSE_FILE
+            value: "/app/app.license"
+          - name: BOOTSTRAPPER_ENABLE_GRPC
+            value: "true"
+          - name: CE_VERSION
+            value: {{ .Chart.Version }}
+          - name: KUBERNETES_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+        volumeMounts:
+        - name: license
+          mountPath: /app/app.license
+          readOnly: true
+          subPath: app.license
+        resources:
+          {{- toYaml .Values.licenseChecker.resources | nindent 12 }}
+      volumes:
+      - name: license
+        secret:
+          secretName: "{{ .Release.Name }}-license"
+          items:
+            - key: license
+              path: app.license
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: license-checker
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: license-checker
+spec:
+  type: ClusterIP
+  ports:
+  - name: grpc
+    port: {{ .Values.licenseChecker.grpc.port }}
+    targetPort: grpc
+  selector:
+    app: license-checker
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: license-checker
+  namespace: {{ .Release.Namespace }}
+{{- end }}

bootstrapper/helm/values.yaml

@@ -9,3 +9,18 @@ resources:
   requests:
     cpu: '0.01'
     memory: 25Mi
+
+licenseChecker:
+  enabled: true
+  replicaCount: 1
+  resources:
+    limits:
+      cpu: 100m
+      memory: 100Mi
+    requests:
+      cpu: 50m
+      memory: 30Mi
+  licenseServerUrl: "http://license-server"
+  licenseFile: "/app/config/app.license"
+  grpc:
+    port: 50051

bootstrapper/pkg/clients/instance_config_client.go

@@ -45,6 +45,41 @@ func (c *InstanceConfigClient) ConfigureInstallationDefaults(params map[string]s
 	return c.configure(params, protoconfig.ConfigType_CONFIG_TYPE_INSTALLATION_DEFAULTS, "Installation defaults")
 }
 
+// GetInstallationID returns the installation ID from the instance configuration.
+// If the configuration is not found or not in configured state, returns an empty string.
+func (c *InstanceConfigClient) GetInstallationID() string {
+	return c.getConfigField("installation_id")
+}
+
+// getConfigField retrieves a specific field from the installation defaults configuration.
+// If the configuration is not found or not in configured state, returns an empty string.
+func (c *InstanceConfigClient) getConfigField(field string) string {
+	ctx, cancel := context.WithTimeout(context.Background(), time.Second*10)
+	defer cancel()
+
+	req := &protoconfig.ListConfigsRequest{
+		Types: []protoconfig.ConfigType{protoconfig.ConfigType_CONFIG_TYPE_INSTALLATION_DEFAULTS},
+	}
+
+	resp, err := c.client.ListConfigs(ctx, req)
+	if err != nil {
+		log.Errorf("Failed to list installation configurations: %v", err)
+		return ""
+	}
+
+	for _, config := range resp.Configs {
+		if config.State == protoconfig.State_STATE_CONFIGURED {
+			for _, f := range config.Fields {
+				if f.Key == field {
+					return f.Value
+				}
+			}
+		}
+	}
+	log.Errorf("Failed to get configuration field: %v", field)
+	return ""
+}
+
 func (c *InstanceConfigClient) configure(params map[string]string, configType protoconfig.ConfigType, configName string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second*10)
 	defer cancel()

bootstrapper/pkg/clients/org_client.go

@@ -47,8 +47,8 @@ func (c *OrgClient) Describe(orgID, orgUsername string) (*organization.Organizat
 	defer cancel()
 
 	req := &organization.DescribeRequest{
-		OrgId:        orgID,
-		OrgUsername:  orgUsername,
+		OrgId:         orgID,
+		OrgUsername:   orgUsername,
 		IncludeQuotas: false,
 	}
 
@@ -73,3 +73,45 @@ func (c *OrgClient) Describe(orgID, orgUsername string) (*organization.Organizat
 	log.Debugf("Found organization: username=%s, orgId=%s", org.GetOrgUsername(), org.GetOrgId())
 	return org, nil
 }
+
+// ListOrganizations returns a list of all organizations.
+// If pageSize is 0, a default page size will be used.
+// If pageToken is empty, it will fetch the first page.
+func (c *OrgClient) ListOrganizations(pageSize int32, pageToken string) ([]*organization.Organization, string, error) {
+	ctx, cancel := context.WithTimeout(context.Background(), time.Second*10)
+	defer cancel()
+
+	req := &organization.ListRequest{
+		PageSize:  pageSize,
+		PageToken: pageToken,
+	}
+
+	resp, err := c.client.List(ctx, req)
+	if err != nil {
+		log.Errorf("Failed to list organizations: %v", err)
+		return nil, "", err
+	}
+
+	log.Debugf("Retrieved %d organizations", len(resp.GetOrganizations()))
+	return resp.GetOrganizations(), resp.GetNextPageToken(), nil
+}
+
+func (c *OrgClient) ListAllOrganizations() ([]*organization.Organization, error) {
+	organizations := []*organization.Organization{}
+	pageSize := int32(100)
+	pageToken := ""
+	for {
+		orgs, nextToken, err := c.ListOrganizations(pageSize, pageToken)
+		if err != nil {
+			return nil, err
+		}
+
+		organizations = append(organizations, orgs...)
+		if nextToken == "" {
+			break
+		}
+		pageToken = nextToken
+	}
+
+	return organizations, nil
+}

bootstrapper/pkg/clients/user_client.go

@@ -58,3 +58,26 @@ func (c *UserClient) RegenerateToken(userId string) (string, error) {
 	log.Infof("Regenerated token for user: ID=%s", userId)
 	return resp.GetApiToken(), nil
 }
+
+// SearchUsers searches for users based on a query string.
+// The query can match against user's name, email, or other searchable fields.
+// limit specifies the maximum number of users to return (0 means use server default).
+func (c *UserClient) SearchUsers(query string, limit int32) ([]*user.User, error) {
+	ctx, cancel := context.WithTimeout(context.Background(), time.Second*10)
+	defer cancel()
+
+	req := &user.SearchUsersRequest{
+		Query: query,
+		Limit: limit,
+	}
+
+	resp, err := c.client.SearchUsers(ctx, req)
+	if err != nil {
+		log.Errorf("Failed to search users with query '%s': %v", query, err)
+		return nil, err
+	}
+
+	users := resp.GetUsers()
+	log.Debugf("Found %d users matching query '%s'", len(users), query)
+	return users, nil
+}

bootstrapper/pkg/kubernetes/kubernetes.go

@@ -76,7 +76,7 @@ func (c *KubernetesClient) CreateSecretWithLabelsIfNotExists(secretName string,
 }
 
 // createSecret is an internal helper function that creates a new secret with the given name, data, and labels.
-// It handles the common logic for creating a Kubernetes secret used by both UpsertSecretWithLabels and 
+// It handles the common logic for creating a Kubernetes secret used by both UpsertSecretWithLabels and
 // CreateSecretWithLabelsIfNotExists.
 func (c *KubernetesClient) createSecret(secretName string, data map[string]string, labels map[string]string) error {
 	log.Infof("Secret %s does not exist in namespace %s - creating a new one", secretName, c.Namespace)
@@ -143,3 +143,15 @@ func (c *KubernetesClient) UpsertSecretWithLabels(secretName string, data map[st
 	log.Infof("Secret %s updated", secretName)
 	return nil
 }
+
+// GetKubeVersion returns the Kubernetes server version as a string.
+// If there's an error getting the version, it returns an empty string and logs the error.
+func (c *KubernetesClient) GetKubeVersion() string {
+	serverVersion, err := c.Clientset.Discovery().ServerVersion()
+	if err != nil {
+		log.Errorf("Failed to get Kubernetes server version: %v", err)
+		return ""
+	}
+
+	return serverVersion.String()
+}

bootstrapper/pkg/license/client.go

@@ -0,0 +1,54 @@
+package license
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"time"
+)
+
+type Client struct {
+	httpClient *http.Client
+	serverURL  string
+}
+
+func NewClient(serverURL string, httpClient *http.Client) *Client {
+	if httpClient == nil {
+		httpClient = &http.Client{
+			Timeout: 10 * time.Second,
+		}
+	}
+	return &Client{
+		httpClient: httpClient,
+		serverURL:  serverURL,
+	}
+}
+
+func (c *Client) VerifyLicense(req LicenseVerificationRequest) (*LicenseVerificationResponse, error) {
+	jsonData, err := json.Marshal(req)
+	if err != nil {
+		return nil, fmt.Errorf("failed to marshal request: %w", err)
+	}
+
+	resp, err := c.httpClient.Post(
+		fmt.Sprintf("%s/api/v1/verify/license", c.serverURL),
+		"application/json",
+		bytes.NewBuffer(jsonData),
+	)
+	if err != nil {
+		return nil, fmt.Errorf("failed to make request: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("unexpected status code: %d", resp.StatusCode)
+	}
+
+	var verificationResp LicenseVerificationResponse
+	if err := json.NewDecoder(resp.Body).Decode(&verificationResp); err != nil {
+		return nil, fmt.Errorf("failed to decode response: %w", err)
+	}
+
+	return &verificationResp, nil
+}