opensource/magistrala
1
0
Fork 0
mirror of https://github.com/absmach/magistrala.git synced 2026-06-23 04:10:28 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

remove core

Browse Source 
Signed-off-by: Arvindh <arvindh91@gmail.com>
This commit is contained in:
Arvindh
2026-06-19 16:16:00 +05:30
parent 4749217bc7
commit a410217c6f
18 changed files with 18 additions and 1406 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/workflows/api-tests.yaml
-14
View File
@@ -10,8 +10,6 @@ on:
paths:
- ".github/workflows/api-tests.yaml"
- "api/**"
- "core/**"
- "cmd/core/**"
- "internal/atom/**"
- "channels/api/http/**"
- "clients/api/http/**"
@@ -32,8 +30,6 @@ on:
paths:
- ".github/workflows/api-tests.yaml"
- "api/**"
- "core/**"
- "cmd/core/**"
- "internal/atom/**"
- "channels/api/http/**"
- "clients/api/http/**"
@@ -101,36 +97,26 @@ jobs:
domains:
- "apidocs/openapi/domains.yaml"
- "core/**"
- "cmd/core/**"
- "internal/atom/**"
- "domains/api/http/**"
clients:
- "apidocs/openapi/clients.yaml"
- "core/**"
- "cmd/core/**"
- "internal/atom/**"
- "clients/api/http/**"
channels:
- "apidocs/openapi/channels.yaml"
- "core/**"
- "cmd/core/**"
- "internal/atom/**"
- "channels/api/http/**"
groups:
- "apidocs/openapi/groups.yaml"
- "core/**"
- "cmd/core/**"
- "internal/atom/**"
- "groups/api/http/**"
users:
- "apidocs/openapi/users.yaml"
- "core/**"
- "cmd/core/**"
- "internal/atom/**"
- "users/api/**"
.github/workflows/tests.yaml
+1 -16
View File
@@ -68,8 +68,6 @@ jobs:
channels:
- "channels/**"
- "core/**"
- "cmd/core/**"
- "pkg/sdk/**"
- "clients/api/grpc/**"
- "groups/api/grpc/**"
@@ -83,8 +81,6 @@ jobs:
clients:
- "clients/**"
- "core/**"
- "cmd/core/**"
- "pkg/ulid/**"
- "pkg/uuid/**"
- "pkg/events/**"
@@ -95,14 +91,10 @@ jobs:
domains:
- "domains/**"
- "core/**"
- "cmd/core/**"
- "internal/grpc/**"
groups:
- "groups/**"
- "core/**"
- "cmd/core/**"
- "pkg/ulid/**"
- "pkg/uuid/**"
- "clients/api/grpc/**"
@@ -161,8 +153,6 @@ jobs:
users:
- "users/**"
- "core/**"
- "cmd/core/**"
- "pkg/ulid/**"
- "pkg/uuid/**"
- "pkg/events/**"
@@ -200,10 +190,6 @@ jobs:
reports:
- "reports/**"
- "cmd/reports/**"
core:
- "core/**"
- "cmd/core/**"
- "internal/atom/**"
- name: Set matrix for changed modules
id: set-matrix
@@ -212,11 +198,10 @@ jobs:
if [[ "${{ steps.changes.outputs.workflow }}" == "true" || "${{ steps.changes.outputs.pkg-errors }}" == "true" ]]; then
# If workflow or pkg/errors changed, test everything
modules=("auth" "core" "channels" "cli" "clients" "domains" "groups" "internal" "journal" "logger" "pkg-errors" "pkg-events" "pkg-grpcclient" "pkg-messaging" "pkg-sdk" "pkg-transformers" "pkg-ulid" "pkg-uuid" "users" "notifications" "api" "consumers" "readers" "re" "alarms" "reports")
modules=("auth" "channels" "cli" "clients" "domains" "groups" "internal" "journal" "logger" "pkg-errors" "pkg-events" "pkg-grpcclient" "pkg-messaging" "pkg-sdk" "pkg-transformers" "pkg-ulid" "pkg-uuid" "users" "notifications" "api" "consumers" "readers" "re" "alarms" "reports")
else
# Add only changed modules
[[ "${{ steps.changes.outputs.auth }}" == "true" ]] && modules+=("auth")
[[ "${{ steps.changes.outputs.core }}" == "true" ]] && modules+=("core")
[[ "${{ steps.changes.outputs.channels }}" == "true" ]] && modules+=("channels")
[[ "${{ steps.changes.outputs.cli }}" == "true" ]] && modules+=("cli")
[[ "${{ steps.changes.outputs.clients }}" == "true" ]] && modules+=("clients")
README.md
+2 -2
View File
@@ -46,7 +46,7 @@ It is extremely flexible and lets you build systems the way you want — from si
At the same time, it avoids the typical complexity of many IoT platforms, where you need to learn an entirely new set of concepts before you can even get started.
Magistrala is built around a small number of core concepts:
Magistrala is built around a small number of main concepts:
- users
- clients (devices)
- channels
@@ -143,7 +143,7 @@ Magistrala provides a complete set of building blocks for IoT systems — from d
## Atom Integration Model
Magistrala uses **Atom** as the backend for identity, authorization, and the core catalog.
Magistrala uses **Atom** as the backend for identity, authorization, and the catalog.
Atom is the source of truth for:
- domains
auth/middleware/logging.go
+1 -1
View File
@@ -21,7 +21,7 @@ type loggingMiddleware struct {
svc auth.Service
}
// NewLogging adds logging facilities to the core service.
// NewLogging adds logging facilities to the service.
func NewLogging(svc auth.Service, logger *slog.Logger) auth.Service {
return &loggingMiddleware{logger, svc}
}
auth/middleware/metrics.go
+1 -1
View File
@@ -22,7 +22,7 @@ type metricsMiddleware struct {
svc auth.Service
}
// NewMetrics instruments core service by tracking request count and latency.
// NewMetrics instruments service by tracking request count and latency.
func NewMetrics(svc auth.Service, counter metrics.Counter, latency metrics.Histogram) auth.Service {
return &metricsMiddleware{
counter: counter,
certs/middleware/logging.go
+1 -1
View File
@@ -20,7 +20,7 @@ type loggingMiddleware struct {
svc certs.Service
}
// LoggingMiddleware adds logging facilities to the core service.
// LoggingMiddleware adds logging facilities to the service.
func LoggingMiddleware(svc certs.Service, logger *slog.Logger) certs.Service {
return &loggingMiddleware{logger, svc}
}
certs/middleware/metrics.go
+1 -1
View File
@@ -20,7 +20,7 @@ type metricsMiddleware struct {
svc certs.Service
}
// MetricsMiddleware instruments core service by tracking request count and latency.
// MetricsMiddleware instruments service by tracking request count and latency.
func MetricsMiddleware(svc certs.Service, counter metrics.Counter, latency metrics.Histogram) certs.Service {
return &metricsMiddleware{
counter: counter,
consumers/README.md
+2 -2
View File
@@ -4,7 +4,7 @@ Consumers provide an abstraction for various “Magistrala consumers”.
A consumer is a generic pluginstyle service that handles received messages — for example, writing them to a database, sending notifications, or transforming them. Before consuming, messages from Magistrala can be transformed (e.g. to JSON or SenML) to match what a specific consumer expects.
This service (Notifiers) is optional — to use it, core services must be running (e.g. message broker + clients + channels etc.).
This service (Notifiers) is optional — to use it, services must be running (e.g. message broker + clients + channels etc.).
## Concepts & Consumer Types
@@ -25,7 +25,7 @@ When a subscriber receives messages from the message broker:
2. The transformed message is passed to a consumer — either synchronously (BlockingConsumer) or asynchronously (AsyncConsumer).
3. The consumer handles the message (e.g. storing to DB, sending notifications, writing files, etc.).
Consumers are decoupled from core messaging logic, making them flexible and pluggable.
Consumers are decoupled from messaging logic, making them flexible and pluggable.
## Supported Consumers
consumers/notifiers/api/logging.go
+1 -1
View File
@@ -20,7 +20,7 @@ type loggingMiddleware struct {
svc notifiers.Service
}
// LoggingMiddleware adds logging facilities to the core service.
// LoggingMiddleware adds logging facilities to the service.
func LoggingMiddleware(svc notifiers.Service, logger *slog.Logger) notifiers.Service {
return &loggingMiddleware{logger, svc}
}
consumers/notifiers/api/metrics.go
+1 -1
View File
@@ -21,7 +21,7 @@ type metricsMiddleware struct {
svc notifiers.Service
}
// MetricsMiddleware instruments core service by tracking request count and latency.
// MetricsMiddleware instruments service by tracking request count and latency.
func MetricsMiddleware(svc notifiers.Service, counter metrics.Counter, latency metrics.Histogram) notifiers.Service {
return &metricsMiddleware{
counter: counter,
docker/README.md
+2 -2
View File
@@ -29,7 +29,7 @@ To pull images from a specific release in `ghcr.io/absmach/magistrala`, change `
Magistrala supports configurable MQTT broker and Message broker, which also acts as an events store. Magistrala uses two types of brokers:
1. **MQTT_BROKER**: Handles MQTT communication between MQTT adapters and message broker. This can either be `RabbitMQ` or `NATS`.
2. **MESSAGE_BROKER**: Manages message exchange between Magistrala core, optional, and external services. This can either be `NATS` or `RabbitMQ`. This is used to store messages for distributed processing.
2. **MESSAGE_BROKER**: Manages message exchange between Magistrala services and external services. This can either be `NATS` or `RabbitMQ`. This is used to store messages for distributed processing.
Events store: This is used by Magistrala services to store events for distributed processing. Magistrala uses a single service to be the message broker and events store. This can either be `NATS` or `RabbitMQ`. Redis can also be used as an events store, but it requires a message broker to be deployed along with it for message exchange.
@@ -198,7 +198,7 @@ The certbot service keeps running and checks renewal twice a day. When a certifi
The included `Makefile` defines build and Dockerbuild targets for all Magistrala services. Key points:
- `SERVICES`: list of core services (auth, clients, channels, http, coap, mqtt, ws, etc.)
- `SERVICES`: list of services (auth, clients, channels, http, coap, mqtt, ws, etc.)
- `DOCKERS`, `DOCKERS_DEV`: build targets for production and development Docker images
- `make dockers`, `make dockers_dev`: always tag images as `ghcr.io/absmach/magistrala/<service>`
docker/docker-compose.yaml
-927
View File
@@ -12,15 +12,7 @@ networks:
- subnet: 172.30.0.0/24
volumes:
magistrala-users-db-volume:
magistrala-groups-db-volume:
magistrala-clients-db-volume:
magistrala-channels-db-volume:
magistrala-channels-redis-volume:
magistrala-clients-redis-volume:
magistrala-pat-db-volume:
magistrala-domains-db-volume:
magistrala-domains-redis-volume:
magistrala-ui-backend-db-volume:
magistrala-journal-volume:
magistrala-re-db-volume:
@@ -134,197 +126,6 @@ services:
networks:
- magistrala-base-net
domains-db:
image: docker.io/postgres:18.0-alpine3.22
container_name: magistrala-domains-db
profiles: ["legacy-core"]
restart: on-failure
ports:
- 6003:5432
environment:
POSTGRES_USER: ${MG_DOMAINS_DB_USER}
POSTGRES_PASSWORD: ${MG_DOMAINS_DB_PASS}
POSTGRES_DB: ${MG_DOMAINS_DB_NAME}
networks:
- magistrala-base-net
volumes:
- magistrala-domains-db-volume:/var/lib/postgresql/data
domains-redis:
image: docker.io/redis:8.2.2-alpine3.22
container_name: magistrala-domains-redis
profiles: ["legacy-core"]
restart: on-failure
networks:
- magistrala-base-net
volumes:
- magistrala-domains-redis-volume:/data
domains:
image: ghcr.io/absmach/magistrala/domains:${MG_RELEASE_TAG}
container_name: magistrala-domains
profiles: ["legacy-core"]
depends_on:
- domains-db
- nginx
expose:
- ${MG_DOMAINS_GRPC_PORT}
restart: on-failure
environment:
MG_DOMAINS_LOG_LEVEL: ${MG_DOMAINS_LOG_LEVEL}
MG_DOMAINS_HTTP_HOST: ${MG_DOMAINS_HTTP_HOST}
MG_DOMAINS_HTTP_PORT: ${MG_DOMAINS_HTTP_PORT}
MG_DOMAINS_HTTP_SERVER_CERT: ${MG_DOMAINS_HTTP_SERVER_CERT}
MG_DOMAINS_HTTP_SERVER_KEY: ${MG_DOMAINS_HTTP_SERVER_KEY}
MG_DOMAINS_GRPC_HOST: ${MG_DOMAINS_GRPC_HOST}
MG_DOMAINS_GRPC_PORT: ${MG_DOMAINS_GRPC_PORT}
## Compose supports parameter expansion in environment,
## Eg: ${VAR:+replacement} or ${VAR+replacement} -> replacement if VAR is set and non-empty, otherwise empty
## Eg :${VAR:-default} or ${VAR-default} -> value of VAR if set and non-empty, otherwise default
MG_DOMAINS_GRPC_SERVER_CERT: ${MG_DOMAINS_GRPC_SERVER_CERT:+/domains-grpc-server.crt}
MG_DOMAINS_GRPC_SERVER_KEY: ${MG_DOMAINS_GRPC_SERVER_KEY:+/domains-grpc-server.key}
MG_DOMAINS_GRPC_SERVER_CA_CERTS: ${MG_DOMAINS_GRPC_SERVER_CA_CERTS:+/domains-grpc-server-ca.crt}
MG_DOMAINS_GRPC_CLIENT_CA_CERTS: ${MG_DOMAINS_GRPC_CLIENT_CA_CERTS:+/domains-grpc-client-ca.crt}
MG_DOMAINS_DB_HOST: ${MG_DOMAINS_DB_HOST}
MG_DOMAINS_DB_PORT: ${MG_DOMAINS_DB_PORT}
MG_DOMAINS_DB_USER: ${MG_DOMAINS_DB_USER}
MG_DOMAINS_DB_PASS: ${MG_DOMAINS_DB_PASS}
MG_DOMAINS_DB_NAME: ${MG_DOMAINS_DB_NAME}
MG_DOMAINS_DB_SSL_MODE: ${MG_DOMAINS_DB_SSL_MODE}
MG_DOMAINS_DB_SSL_CERT: ${MG_DOMAINS_DB_SSL_CERT}
MG_DOMAINS_DB_SSL_KEY: ${MG_DOMAINS_DB_SSL_KEY}
MG_DOMAINS_DB_SSL_ROOT_CERT: ${MG_DOMAINS_DB_SSL_ROOT_CERT}
MG_DOMAINS_INSTANCE_ID: ${MG_DOMAINS_INSTANCE_ID}
MG_ES_URL: ${MG_ES_URL}
MG_DOMAINS_CACHE_URL: ${MG_DOMAINS_CACHE_URL}
MG_DOMAINS_CACHE_KEY_DURATION: ${MG_DOMAINS_CACHE_KEY_DURATION}
MG_AUTH_GRPC_URL: ${MG_AUTH_GRPC_URL}
MG_AUTH_GRPC_TIMEOUT: ${MG_AUTH_GRPC_TIMEOUT}
MG_AUTH_GRPC_CLIENT_CERT: ${MG_AUTH_GRPC_CLIENT_CERT:+/auth-grpc-client.crt}
MG_AUTH_GRPC_CLIENT_KEY: ${MG_AUTH_GRPC_CLIENT_KEY:+/auth-grpc-client.key}
MG_AUTH_GRPC_SERVER_CA_CERTS: ${MG_AUTH_GRPC_SERVER_CA_CERTS:+/auth-grpc-server-ca.crt}
MG_AUTH_KEYS_ALGORITHM: ${MG_AUTH_KEYS_ALGORITHM}
MG_GROUPS_GRPC_URL: ${MG_GROUPS_GRPC_URL}
MG_GROUPS_GRPC_TIMEOUT: ${MG_GROUPS_GRPC_TIMEOUT}
MG_GROUPS_GRPC_CLIENT_CERT: ${MG_GROUPS_GRPC_CLIENT_CERT:+/groups-grpc-client.crt}
MG_GROUPS_GRPC_CLIENT_KEY: ${MG_GROUPS_GRPC_CLIENT_KEY:+/groups-grpc-client.key}
MG_GROUPS_GRPC_SERVER_CA_CERTS: ${MG_GROUPS_GRPC_SERVER_CA_CERTS:+/groups-grpc-server-ca.crt}
MG_CHANNELS_URL: ${MG_CHANNELS_URL}
MG_CHANNELS_GRPC_URL: ${MG_CHANNELS_GRPC_URL}
MG_CHANNELS_GRPC_TIMEOUT: ${MG_CHANNELS_GRPC_TIMEOUT}
MG_CHANNELS_GRPC_CLIENT_CERT: ${MG_CHANNELS_GRPC_CLIENT_CERT:+/channels-grpc-client.crt}
MG_CHANNELS_GRPC_CLIENT_KEY: ${MG_CHANNELS_GRPC_CLIENT_KEY:+/channels-grpc-client.key}
MG_CHANNELS_GRPC_SERVER_CA_CERTS: ${MG_CHANNELS_GRPC_SERVER_CA_CERTS:+/channels-grpc-server-ca.crt}
MG_CLIENTS_GRPC_URL: ${MG_CLIENTS_GRPC_URL}
MG_CLIENTS_GRPC_TIMEOUT: ${MG_CLIENTS_GRPC_TIMEOUT}
MG_CLIENTS_GRPC_CLIENT_CERT: ${MG_CLIENTS_GRPC_CLIENT_CERT:+/clients-grpc-client.crt}
MG_CLIENTS_GRPC_CLIENT_KEY: ${MG_CLIENTS_GRPC_CLIENT_KEY:+/clients-grpc-client.key}
MG_CLIENTS_GRPC_SERVER_CA_CERTS: ${MG_CLIENTS_GRPC_SERVER_CA_CERTS:+/clients-grpc-server-ca.crt}
MG_JAEGER_URL: ${MG_JAEGER_URL}
MG_JAEGER_TRACE_RATIO: ${MG_JAEGER_TRACE_RATIO}
MG_SEND_TELEMETRY: ${MG_SEND_TELEMETRY}
MG_DOMAINS_CALLOUT_URLS: ${MG_DOMAINS_CALLOUT_URLS}
MG_DOMAINS_CALLOUT_METHOD: ${MG_DOMAINS_CALLOUT_METHOD}
MG_DOMAINS_CALLOUT_TLS_VERIFICATION: ${MG_DOMAINS_CALLOUT_TLS_VERIFICATION}
MG_DOMAINS_CALLOUT_TIMEOUT: ${MG_DOMAINS_CALLOUT_TIMEOUT}
MG_DOMAINS_CALLOUT_CA_CERT: ${MG_DOMAINS_CALLOUT_CA_CERT}
MG_DOMAINS_CALLOUT_CERT: ${MG_DOMAINS_CALLOUT_CERT}
MG_DOMAINS_CALLOUT_KEY: ${MG_DOMAINS_CALLOUT_KEY}
MG_DOMAINS_CALLOUT_OPERATIONS: ${MG_DOMAINS_CALLOUT_OPERATIONS}
MG_ALLOW_UNVERIFIED_USER: ${MG_ALLOW_UNVERIFIED_USER}
ports:
- ${MG_DOMAINS_HTTP_PORT}:${MG_DOMAINS_HTTP_PORT}
- ${MG_DOMAINS_GRPC_PORT}:${MG_DOMAINS_GRPC_PORT}
networks:
- magistrala-base-net
volumes:
- ./permission.yaml:/permission.yaml
# Domains gRPC mTLS server certificates
- type: bind
source: ${MG_DOMAINS_GRPC_SERVER_CERT:-./ssl/placeholder}
target: /domains-grpc-server.crt
bind:
create_host_path: true
- type: bind
source: ${MG_DOMAINS_GRPC_SERVER_KEY:-./ssl/placeholder}
target: /domains-grpc-server.key
bind:
create_host_path: true
- type: bind
source: ${MG_DOMAINS_GRPC_SERVER_CA_CERTS:-./ssl/placeholder}
target: /domains-grpc-server-ca.crt
bind:
create_host_path: true
- type: bind
source: ${MG_DOMAINS_GRPC_CLIENT_CA_CERTS:-./ssl/placeholder}
target: /domains-grpc-client-ca.crt
bind:
create_host_path: true
# Auth gRPC client certificates
- type: bind
source: ${MG_AUTH_GRPC_CLIENT_CERT:-./ssl/placeholder}
target: /auth-grpc-client.crt
bind:
create_host_path: true
- type: bind
source: ${MG_AUTH_GRPC_CLIENT_KEY:-./ssl/placeholder}
target: /auth-grpc-client.key
bind:
create_host_path: true
- type: bind
source: ${MG_AUTH_GRPC_SERVER_CA_CERTS:-./ssl/placeholder}
target: /auth-grpc-server-ca.crt
bind:
create_host_path: true
# Groups gRPC client certificates
- type: bind
source: ${MG_GROUPS_GRPC_CLIENT_CERT:-./ssl/placeholder}
target: /groups-grpc-client.crt
bind:
create_host_path: true
- type: bind
source: ${MG_GROUPS_GRPC_CLIENT_KEY:-./ssl/placeholder}
target: /groups-grpc-client.key
bind:
create_host_path: true
- type: bind
source: ${MG_GROUPS_GRPC_SERVER_CA_CERTS:-./ssl/placeholder}
target: /groups-grpc-server-ca.crt
bind:
create_host_path: true
# Channels gRPC client certificates
- type: bind
source: ${MG_CHANNELS_GRPC_CLIENT_CERT:-./ssl/placeholder}
target: /channels-grpc-client.crt
bind:
create_host_path: true
- type: bind
source: ${MG_CHANNELS_GRPC_CLIENT_KEY:-./ssl/placeholder}
target: /channels-grpc-client.key
bind:
create_host_path: true
- type: bind
source: ${MG_CHANNELS_GRPC_SERVER_CA_CERTS:-./ssl/placeholder}
target: /channels-grpc-server-ca.crt
bind:
create_host_path: true
# Clients gRPC client certificates
- type: bind
source: ${MG_CLIENTS_GRPC_CLIENT_CERT:-./ssl/placeholder}
target: /clients-grpc-client.crt
bind:
create_host_path: true
- type: bind
source: ${MG_CLIENTS_GRPC_CLIENT_KEY:-./ssl/placeholder}
target: /clients-grpc-client.key
bind:
create_host_path: true
- type: bind
source: ${MG_CLIENTS_GRPC_SERVER_CA_CERTS:-./ssl/placeholder}
target: /clients-grpc-server-ca.crt
bind:
create_host_path: true
journal-db:
image: postgres:16.2-alpine
container_name: magistrala-journal-db
@@ -486,556 +287,6 @@ services:
sleep 12h & wait $$!
done
clients-db:
image: docker.io/postgres:18.0-alpine3.22
container_name: magistrala-clients-db
profiles: ["legacy-core"]
restart: on-failure
command: postgres -c "max_connections=${MG_POSTGRES_MAX_CONNECTIONS}"
environment:
POSTGRES_USER: ${MG_CLIENTS_DB_USER}
POSTGRES_PASSWORD: ${MG_CLIENTS_DB_PASS}
POSTGRES_DB: ${MG_CLIENTS_DB_NAME}
MG_POSTGRES_MAX_CONNECTIONS: ${MG_POSTGRES_MAX_CONNECTIONS}
networks:
- magistrala-base-net
ports:
- 6006:5432
volumes:
- magistrala-clients-db-volume:/var/lib/postgresql/data
clients-redis:
image: docker.io/redis:8.2.2-alpine3.22
container_name: magistrala-clients-redis
profiles: ["legacy-core"]
restart: on-failure
networks:
- magistrala-base-net
volumes:
- magistrala-clients-redis-volume:/data
clients:
image: ghcr.io/absmach/magistrala/clients:${MG_RELEASE_TAG}
container_name: magistrala-clients
profiles: ["legacy-core"]
depends_on:
clients-db:
condition: service_started
users:
condition: service_started
atom-bootstrap:
condition: service_completed_successfully
nginx:
condition: service_started
restart: on-failure
environment:
MG_CLIENTS_LOG_LEVEL: ${MG_CLIENTS_LOG_LEVEL}
MG_CLIENTS_STANDALONE_ID: ${MG_CLIENTS_STANDALONE_ID}
MG_CLIENTS_STANDALONE_TOKEN: ${MG_CLIENTS_STANDALONE_TOKEN}
MG_CLIENTS_CACHE_KEY_DURATION: ${MG_CLIENTS_CACHE_KEY_DURATION}
MG_CLIENTS_HTTP_HOST: ${MG_CLIENTS_HTTP_HOST}
MG_CLIENTS_HTTP_PORT: ${MG_CLIENTS_HTTP_PORT}
MG_CLIENTS_GRPC_HOST: ${MG_CLIENTS_GRPC_HOST}
MG_CLIENTS_GRPC_PORT: ${MG_CLIENTS_GRPC_PORT}
## Compose supports parameter expansion in environment,
## Eg: ${VAR:+replacement} or ${VAR+replacement} -> replacement if VAR is set and non-empty, otherwise empty
## Eg :${VAR:-default} or ${VAR-default} -> value of VAR if set and non-empty, otherwise default
MG_CLIENTS_GRPC_SERVER_CERT: ${MG_CLIENTS_GRPC_SERVER_CERT:+/clients-grpc-server.crt}
MG_CLIENTS_GRPC_SERVER_KEY: ${MG_CLIENTS_GRPC_SERVER_KEY:+/clients-grpc-server.key}
MG_CLIENTS_GRPC_SERVER_CA_CERTS: ${MG_CLIENTS_GRPC_SERVER_CA_CERTS:+/clients-grpc-server-ca.crt}
MG_CLIENTS_GRPC_CLIENT_CA_CERTS: ${MG_CLIENTS_GRPC_CLIENT_CA_CERTS:+/clients-grpc-client-ca.crt}
MG_ES_URL: ${MG_ES_URL}
MG_CLIENTS_CACHE_URL: ${MG_CLIENTS_CACHE_URL}
MG_CLIENTS_DB_HOST: ${MG_CLIENTS_DB_HOST}
MG_CLIENTS_DB_PORT: ${MG_CLIENTS_DB_PORT}
MG_CLIENTS_DB_USER: ${MG_CLIENTS_DB_USER}
MG_CLIENTS_DB_PASS: ${MG_CLIENTS_DB_PASS}
MG_CLIENTS_DB_NAME: ${MG_CLIENTS_DB_NAME}
MG_CLIENTS_DB_SSL_MODE: ${MG_CLIENTS_DB_SSL_MODE}
MG_CLIENTS_DB_SSL_CERT: ${MG_CLIENTS_DB_SSL_CERT}
MG_CLIENTS_DB_SSL_KEY: ${MG_CLIENTS_DB_SSL_KEY}
MG_CLIENTS_DB_SSL_ROOT_CERT: ${MG_CLIENTS_DB_SSL_ROOT_CERT}
MG_AUTH_GRPC_URL: ${MG_AUTH_GRPC_URL}
MG_AUTH_GRPC_TIMEOUT: ${MG_AUTH_GRPC_TIMEOUT}
MG_AUTH_GRPC_CLIENT_CERT: ${MG_AUTH_GRPC_CLIENT_CERT:+/auth-grpc-client.crt}
MG_AUTH_GRPC_CLIENT_KEY: ${MG_AUTH_GRPC_CLIENT_KEY:+/auth-grpc-client.key}
MG_AUTH_GRPC_SERVER_CA_CERTS: ${MG_AUTH_GRPC_SERVER_CA_CERTS:+/auth-grpc-server-ca.crt}
MG_AUTH_KEYS_ALGORITHM: ${MG_AUTH_KEYS_ALGORITHM}
MG_CHANNELS_URL: ${MG_CHANNELS_URL}
MG_CHANNELS_GRPC_URL: ${MG_CHANNELS_GRPC_URL}
MG_CHANNELS_GRPC_TIMEOUT: ${MG_CHANNELS_GRPC_TIMEOUT}
MG_CHANNELS_GRPC_CLIENT_CERT: ${MG_CHANNELS_GRPC_CLIENT_CERT:+/channels-grpc-client.crt}
MG_CHANNELS_GRPC_CLIENT_KEY: ${MG_CHANNELS_GRPC_CLIENT_KEY:+/channels-grpc-client.key}
MG_CHANNELS_GRPC_SERVER_CA_CERTS: ${MG_CHANNELS_GRPC_SERVER_CA_CERTS:+/channels-grpc-server-ca.crt}
MG_GROUPS_URL: ${MG_GROUPS_URL}
MG_GROUPS_GRPC_URL: ${MG_GROUPS_GRPC_URL}
MG_GROUPS_GRPC_TIMEOUT: ${MG_GROUPS_GRPC_TIMEOUT}
MG_GROUPS_GRPC_CLIENT_CERT: ${MG_GROUPS_GRPC_CLIENT_CERT:+/groups-grpc-client.crt}
MG_GROUPS_GRPC_CLIENT_KEY: ${MG_GROUPS_GRPC_CLIENT_KEY:+/groups-grpc-client.key}
MG_GROUPS_GRPC_SERVER_CA_CERTS: ${MG_GROUPS_GRPC_SERVER_CA_CERTS:+/groups-grpc-server-ca.crt}
MG_DOMAINS_GRPC_URL: ${MG_DOMAINS_GRPC_URL}
MG_DOMAINS_GRPC_TIMEOUT: ${MG_DOMAINS_GRPC_TIMEOUT}
MG_DOMAINS_GRPC_CLIENT_CERT: ${MG_DOMAINS_GRPC_CLIENT_CERT:+/domains-grpc-client.crt}
MG_DOMAINS_GRPC_CLIENT_KEY: ${MG_DOMAINS_GRPC_CLIENT_KEY:+/domains-grpc-client.key}
MG_DOMAINS_GRPC_SERVER_CA_CERTS: ${MG_DOMAINS_GRPC_SERVER_CA_CERTS:+/domains-grpc-server-ca.crt}
ATOM_URL: ${ATOM_URL}
ATOM_SERVICE_TOKEN: ${ATOM_SERVICE_TOKEN}
ATOM_SERVICE_USERNAME: ${ATOM_SERVICE_USERNAME}
ATOM_SERVICE_SECRET: ${ATOM_SERVICE_SECRET}
ATOM_ADMIN_TOKEN: ${ATOM_ADMIN_TOKEN}
ATOM_ADMIN_USERNAME: ${ATOM_ADMIN_USERNAME}
ATOM_ADMIN_SECRET: ${ATOM_ADMIN_SECRET}
ATOM_JWKS_URL: ${ATOM_JWKS_URL}
ATOM_TIMEOUT: ${ATOM_TIMEOUT}
MG_JAEGER_URL: ${MG_JAEGER_URL}
MG_JAEGER_TRACE_RATIO: ${MG_JAEGER_TRACE_RATIO}
MG_SEND_TELEMETRY: ${MG_SEND_TELEMETRY}
MG_CLIENTS_CALLOUT_URLS: ${MG_CLIENTS_CALLOUT_URLS}
MG_CLIENTS_CALLOUT_METHOD: ${MG_CLIENTS_CALLOUT_METHOD}
MG_CLIENTS_CALLOUT_TLS_VERIFICATION: ${MG_CLIENTS_CALLOUT_TLS_VERIFICATION}
MG_CLIENTS_CALLOUT_TIMEOUT: ${MG_CLIENTS_CALLOUT_TIMEOUT}
MG_CLIENTS_CALLOUT_CA_CERT: ${MG_CLIENTS_CALLOUT_CA_CERT}
MG_CLIENTS_CALLOUT_CERT: ${MG_CLIENTS_CALLOUT_CERT}
MG_CLIENTS_CALLOUT_KEY: ${MG_CLIENTS_CALLOUT_KEY}
MG_CLIENTS_CALLOUT_OPERATIONS: ${MG_CLIENTS_CALLOUT_OPERATIONS}
MG_ALLOW_UNVERIFIED_USER: ${MG_ALLOW_UNVERIFIED_USER}
ports:
- ${MG_CLIENTS_HTTP_PORT}:${MG_CLIENTS_HTTP_PORT}
- ${MG_CLIENTS_GRPC_PORT}:${MG_CLIENTS_GRPC_PORT}
networks:
- magistrala-base-net
volumes:
- ./permission.yaml:/permission.yaml
# Clients gRPC server certificates
- type: bind
source: ${MG_CLIENTS_GRPC_SERVER_CERT:-./ssl/placeholder}
target: /clients-grpc-server.crt
bind:
create_host_path: true
- type: bind
source: ${MG_CLIENTS_GRPC_SERVER_KEY:-./ssl/placeholder}
target: /clients-grpc-server.key
bind:
create_host_path: true
- type: bind
source: ${MG_CLIENTS_GRPC_SERVER_CA_CERTS:-./ssl/placeholder}
target: /clients-grpc-server-ca.crt
bind:
create_host_path: true
- type: bind
source: ${MG_CLIENTS_GRPC_CLIENT_CA_CERTS:-./ssl/placeholder}
target: /clients-grpc-client-ca.crt
bind:
create_host_path: true
# Auth gRPC client certificates
- type: bind
source: ${MG_AUTH_GRPC_CLIENT_CERT:-./ssl/placeholder}
target: /auth-grpc-client.crt
bind:
create_host_path: true
- type: bind
source: ${MG_AUTH_GRPC_CLIENT_KEY:-./ssl/placeholder}
target: /auth-grpc-client.key
bind:
create_host_path: true
- type: bind
source: ${MG_AUTH_GRPC_SERVER_CA_CERTS:-./ssl/placeholder}
target: /auth-grpc-server-ca.crt
bind:
create_host_path: true
# Channel gRPC client certificates
- type: bind
source: ${MG_CHANNELS_GRPC_CLIENT_CERT:-./ssl/placeholder}
target: /channels-grpc-client.crt
bind:
create_host_path: true
- type: bind
source: ${MG_CHANNELS_GRPC_CLIENT_KEY:-./ssl/placeholder}
target: /channels-grpc-client.key
bind:
create_host_path: true
- type: bind
source: ${MG_CHANNELS_GRPC_SERVER_CA_CERTS:-./ssl/placeholder}
target: /channels-grpc-server-ca.crt
bind:
create_host_path: true
# Group gRPC client certificates
- type: bind
source: ${MG_GROUPS_GRPC_CLIENT_CERT:-./ssl/placeholder}
target: /groups-grpc-client.crt
bind:
create_host_path: true
- type: bind
source: ${MG_GROUPS_GRPC_CLIENT_KEY:-./ssl/placeholder}
target: /groups-grpc-client.key
bind:
create_host_path: true
- type: bind
source: ${MG_GROUPS_GRPC_SERVER_CA_CERTS:-./ssl/placeholder}
target: /groups-grpc-server-ca.crt
bind:
create_host_path: true
# Domain gRPC client certificates
- type: bind
source: ${MG_DOMAINS_GRPC_CLIENT_CERT:-./ssl/placeholder}
target: /domains-grpc-client.crt
bind:
create_host_path: true
- type: bind
source: ${MG_DOMAINS_GRPC_CLIENT_KEY:-./ssl/placeholder}
target: /domains-grpc-client.key
bind:
create_host_path: true
- type: bind
source: ${MG_DOMAINS_GRPC_SERVER_CA_CERTS:-./ssl/placeholder}
target: /domains-grpc-server-ca.crt
bind:
create_host_path: true
channels-db:
image: docker.io/postgres:18.0-alpine3.22
container_name: magistrala-channels-db
profiles: ["legacy-core"]
restart: on-failure
command: postgres -c "max_connections=${MG_POSTGRES_MAX_CONNECTIONS}"
environment:
POSTGRES_USER: ${MG_CHANNELS_DB_USER}
POSTGRES_PASSWORD: ${MG_CHANNELS_DB_PASS}
POSTGRES_DB: ${MG_CHANNELS_DB_NAME}
MG_POSTGRES_MAX_CONNECTIONS: ${MG_POSTGRES_MAX_CONNECTIONS}
networks:
- magistrala-base-net
ports:
- 6005:5432
volumes:
- magistrala-channels-db-volume:/var/lib/postgresql/data
channels-redis:
image: docker.io/redis:8.2.2-alpine3.22
container_name: magistrala-channels-redis
profiles: ["legacy-core"]
restart: on-failure
networks:
- magistrala-base-net
volumes:
- magistrala-channels-redis-volume:/data
channels:
image: ghcr.io/absmach/magistrala/channels:${MG_RELEASE_TAG}
container_name: magistrala-channels
profiles: ["legacy-core"]
depends_on:
- channels-db
- channels-redis
- users
- nginx
restart: on-failure
environment:
MG_CHANNELS_LOG_LEVEL: ${MG_CHANNELS_LOG_LEVEL}
MG_CHANNELS_INSTANCE_ID: ${MG_CHANNELS_INSTANCE_ID}
MG_CHANNELS_HTTP_HOST: ${MG_CHANNELS_HTTP_HOST}
MG_CHANNELS_HTTP_PORT: ${MG_CHANNELS_HTTP_PORT}
MG_CHANNELS_GRPC_HOST: ${MG_CHANNELS_GRPC_HOST}
MG_CHANNELS_GRPC_PORT: ${MG_CHANNELS_GRPC_PORT}
## Compose supports parameter expansion in environment,
## Eg: ${VAR:+replacement} or ${VAR+replacement} -> replacement if VAR is set and non-empty, otherwise empty
## Eg :${VAR:-default} or ${VAR-default} -> value of VAR if set and non-empty, otherwise default
MG_CHANNELS_GRPC_SERVER_CERT: ${MG_CHANNELS_GRPC_SERVER_CERT:+/channels-grpc-server.crt}
MG_CHANNELS_GRPC_SERVER_KEY: ${MG_CHANNELS_GRPC_SERVER_KEY:+/channels-grpc-server.key}
MG_CHANNELS_GRPC_SERVER_CA_CERTS: ${MG_CHANNELS_GRPC_SERVER_CA_CERTS:+/channels-grpc-server-ca.crt}
MG_CHANNELS_GRPC_CLIENT_CA_CERTS: ${MG_CHANNELS_GRPC_CLIENT_CA_CERTS:+/channels-grpc-client-ca.crt}
MG_CHANNELS_DB_HOST: ${MG_CHANNELS_DB_HOST}
MG_CHANNELS_DB_PORT: ${MG_CHANNELS_DB_PORT}
MG_CHANNELS_DB_USER: ${MG_CHANNELS_DB_USER}
MG_CHANNELS_DB_PASS: ${MG_CHANNELS_DB_PASS}
MG_CHANNELS_DB_NAME: ${MG_CHANNELS_DB_NAME}
MG_CHANNELS_DB_SSL_MODE: ${MG_CHANNELS_DB_SSL_MODE}
MG_CHANNELS_DB_SSL_CERT: ${MG_CHANNELS_DB_SSL_CERT}
MG_CHANNELS_DB_SSL_KEY: ${MG_CHANNELS_DB_SSL_KEY}
MG_CHANNELS_DB_SSL_ROOT_CERT: ${MG_CHANNELS_DB_SSL_ROOT_CERT}
MG_CHANNELS_CACHE_URL: ${MG_CHANNELS_CACHE_URL}
MG_CHANNELS_CACHE_KEY_DURATION: ${MG_CHANNELS_CACHE_KEY_DURATION}
MG_AUTH_GRPC_URL: ${MG_AUTH_GRPC_URL}
MG_AUTH_GRPC_TIMEOUT: ${MG_AUTH_GRPC_TIMEOUT}
MG_AUTH_GRPC_CLIENT_CERT: ${MG_AUTH_GRPC_CLIENT_CERT:+/auth-grpc-client.crt}
MG_AUTH_GRPC_CLIENT_KEY: ${MG_AUTH_GRPC_CLIENT_KEY:+/auth-grpc-client.key}
MG_AUTH_GRPC_SERVER_CA_CERTS: ${MG_AUTH_GRPC_SERVER_CA_CERTS:+/auth-grpc-server-ca.crt}
MG_AUTH_KEYS_ALGORITHM: ${MG_AUTH_KEYS_ALGORITHM}
MG_CLIENTS_GRPC_URL: ${MG_CLIENTS_GRPC_URL}
MG_CLIENTS_GRPC_TIMEOUT: ${MG_CLIENTS_GRPC_TIMEOUT}
MG_CLIENTS_GRPC_CLIENT_CERT: ${MG_CLIENTS_GRPC_CLIENT_CERT:+/clients-grpc-client.crt}
MG_CLIENTS_GRPC_CLIENT_KEY: ${MG_CLIENTS_GRPC_CLIENT_KEY:+/clients-grpc-client.key}
MG_CLIENTS_GRPC_SERVER_CA_CERTS: ${MG_CLIENTS_GRPC_SERVER_CA_CERTS:+/clients-grpc-server-ca.crt}
MG_GROUPS_GRPC_URL: ${MG_GROUPS_GRPC_URL}
MG_GROUPS_GRPC_TIMEOUT: ${MG_GROUPS_GRPC_TIMEOUT}
MG_GROUPS_GRPC_CLIENT_CERT: ${MG_GROUPS_GRPC_CLIENT_CERT:+/groups-grpc-client.crt}
MG_GROUPS_GRPC_CLIENT_KEY: ${MG_GROUPS_GRPC_CLIENT_KEY:+/groups-grpc-client.key}
MG_GROUPS_GRPC_SERVER_CA_CERTS: ${MG_GROUPS_GRPC_SERVER_CA_CERTS:+/groups-grpc-server-ca.crt}
MG_DOMAINS_GRPC_URL: ${MG_DOMAINS_GRPC_URL}
MG_DOMAINS_GRPC_TIMEOUT: ${MG_DOMAINS_GRPC_TIMEOUT}
MG_DOMAINS_GRPC_CLIENT_CERT: ${MG_DOMAINS_GRPC_CLIENT_CERT:+/domains-grpc-client.crt}
MG_DOMAINS_GRPC_CLIENT_KEY: ${MG_DOMAINS_GRPC_CLIENT_KEY:+/domains-grpc-client.key}
MG_DOMAINS_GRPC_SERVER_CA_CERTS: ${MG_DOMAINS_GRPC_SERVER_CA_CERTS:+/domains-grpc-server-ca.crt}
MG_ES_URL: ${MG_ES_URL}
MG_JAEGER_URL: ${MG_JAEGER_URL}
MG_JAEGER_TRACE_RATIO: ${MG_JAEGER_TRACE_RATIO}
MG_SEND_TELEMETRY: ${MG_SEND_TELEMETRY}
MG_CHANNELS_CALLOUT_URLS: ${MG_CHANNELS_CALLOUT_URLS}
MG_CHANNELS_CALLOUT_METHOD: ${MG_CHANNELS_CALLOUT_METHOD}
MG_CHANNELS_CALLOUT_TLS_VERIFICATION: ${MG_CHANNELS_CALLOUT_TLS_VERIFICATION}
MG_CHANNELS_CALLOUT_TIMEOUT: ${MG_CHANNELS_CALLOUT_TIMEOUT}
MG_CHANNELS_CALLOUT_CA_CERT: ${MG_CHANNELS_CALLOUT_CA_CERT}
MG_CHANNELS_CALLOUT_CERT: ${MG_CHANNELS_CALLOUT_CERT}
MG_CHANNELS_CALLOUT_KEY: ${MG_CHANNELS_CALLOUT_KEY}
MG_CHANNELS_CALLOUT_OPERATIONS: ${MG_CHANNELS_CALLOUT_OPERATIONS}
MG_ALLOW_UNVERIFIED_USER: ${MG_ALLOW_UNVERIFIED_USER}
ports:
- ${MG_CHANNELS_HTTP_PORT}:${MG_CHANNELS_HTTP_PORT}
- ${MG_CHANNELS_GRPC_PORT}:${MG_CHANNELS_GRPC_PORT}
networks:
- magistrala-base-net
volumes:
- ./permission.yaml:/permission.yaml
# Channels gRPC server certificates
- type: bind
source: ${MG_CHANNELS_GRPC_SERVER_CERT:-./ssl/placeholder}
target: /channels-grpc-server.crt
bind:
create_host_path: true
- type: bind
source: ${MG_CHANNELS_GRPC_SERVER_KEY:-./ssl/placeholder}
target: /channels-grpc-server.key
bind:
create_host_path: true
- type: bind
source: ${MG_CHANNELS_GRPC_SERVER_CA_CERTS:-./ssl/placeholder}
target: /channels-grpc-server-ca.crt
bind:
create_host_path: true
- type: bind
source: ${MG_CHANNELS_GRPC_CLIENT_CA_CERTS:-./ssl/placeholder}
target: /channels-grpc-client-ca.crt
bind:
create_host_path: true
# Auth gRPC client certificates
- type: bind
source: ${MG_AUTH_GRPC_CLIENT_CERT:-./ssl/placeholder}
target: /auth-grpc-client.crt
bind:
create_host_path: true
- type: bind
source: ${MG_AUTH_GRPC_CLIENT_KEY:-./ssl/placeholder}
target: /auth-grpc-client.key
bind:
create_host_path: true
- type: bind
source: ${MG_AUTH_GRPC_SERVER_CA_CERTS:-./ssl/placeholder}
target: /auth-grpc-server-ca.crt
bind:
create_host_path: true
# Clients gRPC client certificates
- type: bind
source: ${MG_CLIENTS_GRPC_CLIENT_CERT:-./ssl/placeholder}
target: /clients-grpc-client.crt
bind:
create_host_path: true
- type: bind
source: ${MG_CLIENTS_GRPC_CLIENT_KEY:-./ssl/placeholder}
target: /clients-grpc-client.key
bind:
create_host_path: true
- type: bind
source: ${MG_CLIENTS_GRPC_SERVER_CA_CERTS:-./ssl/placeholder}
target: /clients-grpc-server-ca.crt
bind:
create_host_path: true
# Groups gRPC client certificates
- type: bind
source: ${MG_GROUPS_GRPC_CLIENT_CERT:-./ssl/placeholder}
target: /groups-grpc-client.crt
bind:
create_host_path: true
- type: bind
source: ${MG_GROUPS_GRPC_CLIENT_KEY:-./ssl/placeholder}
target: /groups-grpc-client.key
bind:
create_host_path: true
- type: bind
source: ${MG_GROUPS_GRPC_SERVER_CA_CERTS:-./ssl/placeholder}
target: /groups-grpc-server-ca.crt
bind:
create_host_path: true
# Domains gRPC client certificates
- type: bind
source: ${MG_DOMAINS_GRPC_CLIENT_CERT:-./ssl/placeholder}
target: /domains-grpc-client.crt
bind:
create_host_path: true
- type: bind
source: ${MG_DOMAINS_GRPC_CLIENT_KEY:-./ssl/placeholder}
target: /domains-grpc-client.key
bind:
create_host_path: true
- type: bind
source: ${MG_DOMAINS_GRPC_SERVER_CA_CERTS:-./ssl/placeholder}
target: /domains-grpc-server-ca.crt
bind:
create_host_path: true
users-db:
image: docker.io/postgres:18.0-alpine3.22
container_name: magistrala-users-db
profiles: ["legacy-core"]
restart: on-failure
command: postgres -c "max_connections=${MG_POSTGRES_MAX_CONNECTIONS}"
environment:
POSTGRES_USER: ${MG_USERS_DB_USER}
POSTGRES_PASSWORD: ${MG_USERS_DB_PASS}
POSTGRES_DB: ${MG_USERS_DB_NAME}
MG_POSTGRES_MAX_CONNECTIONS: ${MG_POSTGRES_MAX_CONNECTIONS}
ports:
- 6002:5432
networks:
- magistrala-base-net
volumes:
- magistrala-users-db-volume:/var/lib/postgresql/data
users:
image: ghcr.io/absmach/magistrala/users:${MG_RELEASE_TAG}
container_name: magistrala-users
profiles: ["legacy-core"]
depends_on:
- users-db
- nginx
restart: on-failure
environment:
MG_USERS_LOG_LEVEL: ${MG_USERS_LOG_LEVEL}
MG_USERS_SECRET_KEY: ${MG_USERS_SECRET_KEY}
MG_USERS_ADMIN_EMAIL: ${MG_USERS_ADMIN_EMAIL}
MG_USERS_ADMIN_PASSWORD: ${MG_USERS_ADMIN_PASSWORD}
MG_USERS_ADMIN_USERNAME: ${MG_USERS_ADMIN_USERNAME}
MG_USERS_ADMIN_FIRST_NAME: ${MG_USERS_ADMIN_FIRST_NAME}
MG_USERS_ADMIN_LAST_NAME: ${MG_USERS_ADMIN_LAST_NAME}
MG_USERS_PASS_REGEX: ${MG_USERS_PASS_REGEX}
MG_USERS_HTTP_HOST: ${MG_USERS_HTTP_HOST}
MG_USERS_HTTP_PORT: ${MG_USERS_HTTP_PORT}
MG_USERS_HTTP_SERVER_CERT: ${MG_USERS_HTTP_SERVER_CERT}
MG_USERS_HTTP_SERVER_KEY: ${MG_USERS_HTTP_SERVER_KEY}
MG_USERS_GRPC_HOST: ${MG_USERS_GRPC_HOST}
MG_USERS_GRPC_PORT: ${MG_USERS_GRPC_PORT}
## Compose supports parameter expansion in environment,
## Eg: ${VAR:+replacement} or ${VAR+replacement} -> replacement if VAR is set and non-empty, otherwise empty
## Eg :${VAR:-default} or ${VAR-default} -> value of VAR if set and non-empty, otherwise default
MG_USERS_GRPC_SERVER_CERT: ${MG_USERS_GRPC_SERVER_CERT:+/users-grpc-server.crt}
MG_USERS_GRPC_SERVER_KEY: ${MG_USERS_GRPC_SERVER_KEY:+/users-grpc-server.key}
MG_USERS_GRPC_SERVER_CA_CERTS: ${MG_USERS_GRPC_SERVER_CA_CERTS:+/users-grpc-server-ca.crt}
MG_USERS_GRPC_CLIENT_CA_CERTS: ${MG_USERS_GRPC_CLIENT_CA_CERTS:+/users-grpc-client-ca.crt}
MG_USERS_DB_HOST: ${MG_USERS_DB_HOST}
MG_USERS_DB_PORT: ${MG_USERS_DB_PORT}
MG_USERS_DB_USER: ${MG_USERS_DB_USER}
MG_USERS_DB_PASS: ${MG_USERS_DB_PASS}
MG_USERS_DB_NAME: ${MG_USERS_DB_NAME}
MG_USERS_DB_SSL_MODE: ${MG_USERS_DB_SSL_MODE}
MG_USERS_DB_SSL_CERT: ${MG_USERS_DB_SSL_CERT}
MG_USERS_DB_SSL_KEY: ${MG_USERS_DB_SSL_KEY}
MG_USERS_DB_SSL_ROOT_CERT: ${MG_USERS_DB_SSL_ROOT_CERT}
MG_USERS_ALLOW_SELF_REGISTER: ${MG_USERS_ALLOW_SELF_REGISTER}
MG_EMAIL_HOST: ${MG_EMAIL_HOST}
MG_EMAIL_PORT: ${MG_EMAIL_PORT}
MG_EMAIL_USERNAME: ${MG_EMAIL_USERNAME}
MG_EMAIL_PASSWORD: ${MG_EMAIL_PASSWORD}
MG_EMAIL_FROM_ADDRESS: ${MG_EMAIL_FROM_ADDRESS}
MG_EMAIL_FROM_NAME: ${MG_EMAIL_FROM_NAME}
MG_ES_URL: ${MG_ES_URL}
MG_JAEGER_URL: ${MG_JAEGER_URL}
MG_JAEGER_TRACE_RATIO: ${MG_JAEGER_TRACE_RATIO}
MG_SEND_TELEMETRY: ${MG_SEND_TELEMETRY}
MG_AUTH_GRPC_URL: ${MG_AUTH_GRPC_URL}
MG_AUTH_GRPC_TIMEOUT: ${MG_AUTH_GRPC_TIMEOUT}
MG_AUTH_GRPC_CLIENT_CERT: ${MG_AUTH_GRPC_CLIENT_CERT:+/auth-grpc-client.crt}
MG_AUTH_GRPC_CLIENT_KEY: ${MG_AUTH_GRPC_CLIENT_KEY:+/auth-grpc-client.key}
MG_AUTH_GRPC_SERVER_CA_CERTS: ${MG_AUTH_GRPC_SERVER_CA_CERTS:+/auth-grpc-server-ca.crt}
MG_AUTH_KEYS_ALGORITHM: ${MG_AUTH_KEYS_ALGORITHM}
MG_DOMAINS_GRPC_URL: ${MG_DOMAINS_GRPC_URL}
MG_DOMAINS_GRPC_TIMEOUT: ${MG_DOMAINS_GRPC_TIMEOUT}
MG_DOMAINS_GRPC_CLIENT_CERT: ${MG_DOMAINS_GRPC_CLIENT_CERT:+/domains-grpc-client.crt}
MG_DOMAINS_GRPC_CLIENT_KEY: ${MG_DOMAINS_GRPC_CLIENT_KEY:+/domains-grpc-client.key}
MG_DOMAINS_GRPC_SERVER_CA_CERTS: ${MG_DOMAINS_GRPC_SERVER_CA_CERTS:+/domains-grpc-server-ca.crt}
MG_GOOGLE_CLIENT_ID: ${MG_GOOGLE_CLIENT_ID}
MG_GOOGLE_CLIENT_SECRET: ${MG_GOOGLE_CLIENT_SECRET}
MG_GOOGLE_REDIRECT_URL: ${MG_GOOGLE_REDIRECT_URL}
MG_GOOGLE_STATE: ${MG_GOOGLE_STATE}
MG_OAUTH_UI_REDIRECT_URL: ${MG_OAUTH_UI_REDIRECT_URL}
MG_OAUTH_UI_ERROR_URL: ${MG_OAUTH_UI_ERROR_URL}
MG_USERS_DELETE_INTERVAL: ${MG_USERS_DELETE_INTERVAL}
MG_USERS_DELETE_AFTER: ${MG_USERS_DELETE_AFTER}
MG_PASSWORD_RESET_URL_PREFIX: ${MG_PASSWORD_RESET_URL_PREFIX}
MG_PASSWORD_RESET_EMAIL_TEMPLATE: ${MG_PASSWORD_RESET_EMAIL_TEMPLATE}
MG_VERIFICATION_URL_PREFIX: ${MG_VERIFICATION_URL_PREFIX}
MG_VERIFICATION_EMAIL_TEMPLATE: ${MG_VERIFICATION_EMAIL_TEMPLATE}
MG_ALLOW_UNVERIFIED_USER: ${MG_ALLOW_UNVERIFIED_USER}
ports:
- ${MG_USERS_HTTP_PORT}:${MG_USERS_HTTP_PORT}
- ${MG_USERS_GRPC_PORT}:${MG_USERS_GRPC_PORT}
networks:
- magistrala-base-net
volumes:
- ./templates/${MG_PASSWORD_RESET_EMAIL_TEMPLATE}:/${MG_PASSWORD_RESET_EMAIL_TEMPLATE}
- ./templates/${MG_VERIFICATION_EMAIL_TEMPLATE}:/${MG_VERIFICATION_EMAIL_TEMPLATE}
# Users gRPC server certificates
- type: bind
source: ${MG_USERS_GRPC_SERVER_CERT:-./ssl/placeholder}
target: /users-grpc-server.crt
bind:
create_host_path: true
- type: bind
source: ${MG_USERS_GRPC_SERVER_KEY:-./ssl/placeholder}
target: /users-grpc-server.key
bind:
create_host_path: true
- type: bind
source: ${MG_USERS_GRPC_SERVER_CA_CERTS:-./ssl/placeholder}
target: /users-grpc-server-ca.crt
bind:
create_host_path: true
- type: bind
source: ${MG_USERS_GRPC_CLIENT_CA_CERTS:-./ssl/placeholder}
target: /users-grpc-client-ca.crt
bind:
create_host_path: true
# Auth gRPC client certificates
- type: bind
source: ${MG_AUTH_GRPC_CLIENT_CERT:-./ssl/placeholder}
target: /auth-grpc-client.crt
bind:
create_host_path: true
- type: bind
source: ${MG_AUTH_GRPC_CLIENT_KEY:-./ssl/placeholder}
target: /auth-grpc-client.key
bind:
create_host_path: true
- type: bind
source: ${MG_AUTH_GRPC_SERVER_CA_CERTS:-./ssl/placeholder}
target: /auth-grpc-server-ca.crt
bind:
create_host_path: true
# Domains gRPC client certificates
- type: bind
source: ${MG_DOMAINS_GRPC_CLIENT_CERT:-./ssl/placeholder}
target: /domains-grpc-client.crt
bind:
create_host_path: true
- type: bind
source: ${MG_DOMAINS_GRPC_CLIENT_KEY:-./ssl/placeholder}
target: /domains-grpc-client.key
bind:
create_host_path: true
- type: bind
source: ${MG_DOMAINS_GRPC_SERVER_CA_CERTS:-./ssl/placeholder}
target: /domains-grpc-server-ca.crt
bind:
create_host_path: true
notifications:
image: ghcr.io/absmach/magistrala/notifications:${MG_RELEASE_TAG}
container_name: magistrala-notifications
@@ -1079,184 +330,6 @@ services:
- ./templates/${MG_EMAIL_ACCEPTANCE_TEMPLATE}:/${MG_EMAIL_ACCEPTANCE_TEMPLATE}
- ./templates/${MG_EMAIL_REJECTION_TEMPLATE}:/${MG_EMAIL_REJECTION_TEMPLATE}
groups-db:
image: docker.io/postgres:18.0-alpine3.22
container_name: magistrala-groups-db
profiles: ["legacy-core"]
restart: on-failure
command: postgres -c "max_connections=${MG_POSTGRES_MAX_CONNECTIONS}"
environment:
POSTGRES_USER: ${MG_GROUPS_DB_USER}
POSTGRES_PASSWORD: ${MG_GROUPS_DB_PASS}
POSTGRES_DB: ${MG_GROUPS_DB_NAME}
MG_POSTGRES_MAX_CONNECTIONS: ${MG_POSTGRES_MAX_CONNECTIONS}
ports:
- 6004:5432
networks:
- magistrala-base-net
volumes:
- magistrala-groups-db-volume:/var/lib/postgresql/data
groups:
image: ghcr.io/absmach/magistrala/groups:${MG_RELEASE_TAG}
container_name: magistrala-groups
profiles: ["legacy-core"]
depends_on:
- groups-db
- nginx
restart: on-failure
environment:
MG_GROUPS_LOG_LEVEL: ${MG_GROUPS_LOG_LEVEL}
MG_GROUPS_HTTP_HOST: ${MG_GROUPS_HTTP_HOST}
MG_GROUPS_HTTP_PORT: ${MG_GROUPS_HTTP_PORT}
MG_GROUPS_HTTP_SERVER_CERT: ${MG_GROUPS_HTTP_SERVER_CERT}
MG_GROUPS_HTTP_SERVER_KEY: ${MG_GROUPS_HTTP_SERVER_KEY}
MG_GROUPS_GRPC_HOST: ${MG_GROUPS_GRPC_HOST}
MG_GROUPS_GRPC_PORT: ${MG_GROUPS_GRPC_PORT}
## Compose supports parameter expansion in environment,
## Eg: ${VAR:+replacement} or ${VAR+replacement} -> replacement if VAR is set and non-empty, otherwise empty
## Eg :${VAR:-default} or ${VAR-default} -> value of VAR if set and non-empty, otherwise default
MG_GROUPS_GRPC_SERVER_CERT: ${MG_GROUPS_GRPC_SERVER_CERT:+/groups-grpc-server.crt}
MG_GROUPS_GRPC_SERVER_KEY: ${MG_GROUPS_GRPC_SERVER_KEY:+/groups-grpc-server.key}
MG_GROUPS_GRPC_SERVER_CA_CERTS: ${MG_GROUPS_GRPC_SERVER_CA_CERTS:+/groups-grpc-server-ca.crt}
MG_GROUPS_GRPC_CLIENT_CA_CERTS: ${MG_GROUPS_GRPC_CLIENT_CA_CERTS:+/groups-grpc-client-ca.crt}
MG_GROUPS_DB_HOST: ${MG_GROUPS_DB_HOST}
MG_GROUPS_DB_PORT: ${MG_GROUPS_DB_PORT}
MG_GROUPS_DB_USER: ${MG_GROUPS_DB_USER}
MG_GROUPS_DB_PASS: ${MG_GROUPS_DB_PASS}
MG_GROUPS_DB_NAME: ${MG_GROUPS_DB_NAME}
MG_GROUPS_DB_SSL_MODE: ${MG_GROUPS_DB_SSL_MODE}
MG_GROUPS_DB_SSL_CERT: ${MG_GROUPS_DB_SSL_CERT}
MG_GROUPS_DB_SSL_KEY: ${MG_GROUPS_DB_SSL_KEY}
MG_GROUPS_DB_SSL_ROOT_CERT: ${MG_GROUPS_DB_SSL_ROOT_CERT}
MG_CHANNELS_URL: ${MG_CHANNELS_URL}
MG_CHANNELS_GRPC_URL: ${MG_CHANNELS_GRPC_URL}
MG_CHANNELS_GRPC_TIMEOUT: ${MG_CHANNELS_GRPC_TIMEOUT}
MG_CHANNELS_GRPC_CLIENT_CERT: ${MG_CHANNELS_GRPC_CLIENT_CERT:+/channels-grpc-client.crt}
MG_CHANNELS_GRPC_CLIENT_KEY: ${MG_CHANNELS_GRPC_CLIENT_KEY:+/channels-grpc-client.key}
MG_CHANNELS_GRPC_SERVER_CA_CERTS: ${MG_CHANNELS_GRPC_SERVER_CA_CERTS:+/channels-grpc-server-ca.crt}
MG_CLIENTS_GRPC_URL: ${MG_CLIENTS_GRPC_URL}
MG_CLIENTS_GRPC_TIMEOUT: ${MG_CLIENTS_GRPC_TIMEOUT}
MG_CLIENTS_GRPC_CLIENT_CERT: ${MG_CLIENTS_GRPC_CLIENT_CERT:+/clients-grpc-client.crt}
MG_CLIENTS_GRPC_CLIENT_KEY: ${MG_CLIENTS_GRPC_CLIENT_KEY:+/clients-grpc-client.key}
MG_CLIENTS_GRPC_SERVER_CA_CERTS: ${MG_CLIENTS_GRPC_SERVER_CA_CERTS:+/clients-grpc-server-ca.crt}
MG_DOMAINS_GRPC_URL: ${MG_DOMAINS_GRPC_URL}
MG_DOMAINS_GRPC_TIMEOUT: ${MG_DOMAINS_GRPC_TIMEOUT}
MG_DOMAINS_GRPC_CLIENT_CERT: ${MG_DOMAINS_GRPC_CLIENT_CERT:+/domains-grpc-client.crt}
MG_DOMAINS_GRPC_CLIENT_KEY: ${MG_DOMAINS_GRPC_CLIENT_KEY:+/domains-grpc-client.key}
MG_DOMAINS_GRPC_SERVER_CA_CERTS: ${MG_DOMAINS_GRPC_SERVER_CA_CERTS:+/domains-grpc-server-ca.crt}
MG_ES_URL: ${MG_ES_URL}
MG_JAEGER_URL: ${MG_JAEGER_URL}
MG_JAEGER_TRACE_RATIO: ${MG_JAEGER_TRACE_RATIO}
MG_SEND_TELEMETRY: ${MG_SEND_TELEMETRY}
MG_AUTH_GRPC_URL: ${MG_AUTH_GRPC_URL}
MG_AUTH_GRPC_TIMEOUT: ${MG_AUTH_GRPC_TIMEOUT}
MG_AUTH_GRPC_CLIENT_CERT: ${MG_AUTH_GRPC_CLIENT_CERT:+/auth-grpc-client.crt}
MG_AUTH_GRPC_CLIENT_KEY: ${MG_AUTH_GRPC_CLIENT_KEY:+/auth-grpc-client.key}
MG_AUTH_GRPC_SERVER_CA_CERTS: ${MG_AUTH_GRPC_SERVER_CA_CERTS:+/auth-grpc-server-ca.crt}
MG_AUTH_KEYS_ALGORITHM: ${MG_AUTH_KEYS_ALGORITHM}
MG_GROUPS_CALLOUT_URLS: ${MG_GROUPS_CALLOUT_URLS}
MG_GROUPS_CALLOUT_METHOD: ${MG_GROUPS_CALLOUT_METHOD}
MG_GROUPS_CALLOUT_TLS_VERIFICATION: ${MG_GROUPS_CALLOUT_TLS_VERIFICATION}
MG_GROUPS_CALLOUT_TIMEOUT: ${MG_GROUPS_CALLOUT_TIMEOUT}
MG_GROUPS_CALLOUT_CA_CERT: ${MG_GROUPS_CALLOUT_CA_CERT}
MG_GROUPS_CALLOUT_CERT: ${MG_GROUPS_CALLOUT_CERT}
MG_GROUPS_CALLOUT_KEY: ${MG_GROUPS_CALLOUT_KEY}
MG_GROUPS_CALLOUT_OPERATIONS: ${MG_GROUPS_CALLOUT_OPERATIONS}
MG_ALLOW_UNVERIFIED_USER: ${MG_ALLOW_UNVERIFIED_USER}
ports:
- ${MG_GROUPS_HTTP_PORT}:${MG_GROUPS_HTTP_PORT}
- ${MG_GROUPS_GRPC_PORT}:${MG_GROUPS_GRPC_PORT}
networks:
- magistrala-base-net
volumes:
- ./permission.yaml:/permission.yaml
# Groups gRPC server certificates
- type: bind
source: ${MG_GROUPS_GRPC_SERVER_CERT:-./ssl/placeholder}
target: /groups-grpc-server.crt
bind:
create_host_path: true
- type: bind
source: ${MG_GROUPS_GRPC_SERVER_KEY:-./ssl/placeholder}
target: /groups-grpc-server.key
bind:
create_host_path: true
- type: bind
source: ${MG_GROUPS_GRPC_SERVER_CA_CERTS:-./ssl/placeholder}
target: /groups-grpc-server-ca.crt
bind:
create_host_path: true
- type: bind
source: ${MG_GROUPS_GRPC_CLIENT_CA_CERTS:-./ssl/placeholder}
target: /groups-grpc-client-ca.crt
bind:
create_host_path: true
# Auth gRPC client certificates
- type: bind
source: ${MG_AUTH_GRPC_CLIENT_CERT:-./ssl/placeholder}
target: /auth-grpc-client.crt
bind:
create_host_path: true
- type: bind
source: ${MG_AUTH_GRPC_CLIENT_KEY:-./ssl/placeholder}
target: /auth-grpc-client.key
bind:
create_host_path: true
- type: bind
source: ${MG_AUTH_GRPC_SERVER_CA_CERTS:-./ssl/placeholder}
target: /auth-grpc-server-ca.crt
bind:
create_host_path: true
# Clients gRPC client certificates
- type: bind
source: ${MG_CLIENTS_GRPC_CLIENT_CERT:-./ssl/placeholder}
target: /clients-grpc-client.crt
bind:
create_host_path: true
- type: bind
source: ${MG_CLIENTS_GRPC_CLIENT_KEY:-./ssl/placeholder}
target: /clients-grpc-client.key
bind:
create_host_path: true
- type: bind
source: ${MG_CLIENTS_GRPC_SERVER_CA_CERTS:-./ssl/placeholder}
target: /clients-grpc-server-ca.crt
bind:
create_host_path: true
# Channels gRPC client certificates
- type: bind
source: ${MG_CHANNELS_GRPC_CLIENT_CERT:-./ssl/placeholder}
target: /channels-grpc-client.crt
bind:
create_host_path: true
- type: bind
source: ${MG_CHANNELS_GRPC_CLIENT_KEY:-./ssl/placeholder}
target: /channels-grpc-client.key
bind:
create_host_path: true
- type: bind
source: ${MG_CHANNELS_GRPC_SERVER_CA_CERTS:-./ssl/placeholder}
target: /channels-grpc-server-ca.crt
bind:
create_host_path: true
# Domains gRPC client certificates
- type: bind
source: ${MG_DOMAINS_GRPC_CLIENT_CERT:-./ssl/placeholder}
target: /domains-grpc-client.crt
bind:
create_host_path: true
- type: bind
source: ${MG_DOMAINS_GRPC_CLIENT_KEY:-./ssl/placeholder}
target: /domains-grpc-client.key
bind:
create_host_path: true
- type: bind
source: ${MG_DOMAINS_GRPC_SERVER_CA_CERTS:-./ssl/placeholder}
target: /domains-grpc-server-ca.crt
bind:
create_host_path: true
jaeger:
image: docker.io/jaegertracing/all-in-one:1.74.0
container_name: magistrala-jaeger
docker/nginx/nginx-key.conf
+1 -1
View File
@@ -12,7 +12,7 @@ include /etc/nginx/modules-enabled/*.conf;
events {
# Explanation: https://serverfault.com/questions/787919/optimal-value-for-nginx-worker-connections
# We'll keep 10k connections per core (assuming one worker per core)
# We'll keep 10k connections for each configured worker.
worker_connections 10000;
}
docker/nginx/nginx-x509.conf
+1 -1
View File
@@ -14,7 +14,7 @@ include /etc/nginx/modules-enabled/*.conf;
events {
# Explanation: https://serverfault.com/questions/787919/optimal-value-for-nginx-worker-connections
# We'll keep 10k connections per core (assuming one worker per core)
# We'll keep 10k connections for each configured worker.
worker_connections 10000;
}
docs/atom-migration-plan.md
-432
View File
@@ -1,432 +0,0 @@
# Magistrala to Atom Core Migration Plan
## Summary
Atom will become the source of truth for Magistrala core identity, catalog, and access-control data. Magistrala should stop running separate `domains`, `users`, `clients`, `groups`, and `channels` services and replace them with one small Atom-backed `core` proxy service.
This is a breaking cleanup migration. There is no temporary compatibility layer for old role fields. Existing Magistrala data backfill is out of scope for this phase and will be planned separately at the end.
## Current Status
The migration has moved the main domain/user/client/group/channel runtime path to a single Atom-backed Magistrala `core` service.
Completed runtime direction:
- `core` is the active service for:
- domains
- users
- clients
- groups
- channels
- `core` stores and reads these objects through Atom instead of local Magistrala service databases.
- `core` exposes compatibility HTTP and gRPC endpoints so existing Magistrala-style clients can keep calling the familiar routes while the backing implementation is Atom.
- `core` has Atom authentication and Atom PDP authorization middleware for protected endpoints.
- `core` has callout middleware and event publishing middleware.
- Old split-service implementations for domains, users, clients, groups, channels, bootstrap, provision, and roles were moved out of the active Go package tree into `_legacy/`.
- Old split-service command entrypoints were moved out of the active command tree into `_legacy/cmd`.
- SpiceDB runtime wiring and active SpiceDB packages were removed.
- Magistrala roles are intentionally removed from the active public contract.
- Rules, reports, and alarms keep their service-owned databases but maintain Atom resource projections for searchable authorized listing.
- A small Astro demo UI was added under `demo-ui/` for quickly exercising the Atom-backed `core` API without Postman.
Latest cleanup completed:
- Removed old Magistrala `auth`, `auth-db`, and `auth-redis` services from the default Docker Compose stack.
- Removed `auth` from `core` and other `depends_on` references.
- Removed old stopped Docker containers:
- `magistrala-auth`
- `magistrala-auth-db`
- `magistrala-auth-redis`
- Removed `auth` from the Makefile build service list.
- Removed `auth` from Makefile API-test service list.
- Removed the old Auth API Schemathesis workflow step.
- Removed auth gRPC certificate generation from the default Makefile certificate target.
- Verified Docker Compose no longer lists `auth`, `auth-db`, or `auth-redis`.
- Verified:
- `go test ./core ./internal/atom`
Important distinction:
- `fluxmq-auth` still exists in Docker Compose. This is FluxMQ broker authorization, not the removed Magistrala `auth` service.
Known remaining old-auth references:
- Several non-core services still contain `MG_AUTH_GRPC_*` environment wiring and Go imports through shared `pkg/authn`, `pkg/authz`, or old auth client packages.
- Those references are the next migration/fix area after removing the runtime `magistrala-auth` container.
- Removing the source-level `auth/` package immediately will currently break broad compilation because services such as journal, certs, readers, alarms, reports, and SDK tests still import old auth-related packages.
## Target Architecture
Run one Magistrala `core` service instead of five services:
- Remove separate runtime services:
- `cmd/domains`
- `cmd/users`
- `cmd/clients`
- `cmd/groups`
- `cmd/channels`
- Add:
- `cmd/core`
- `core/`
- `core` exposes the required HTTP/gRPC endpoints for domains, users, clients, groups, and channels.
- `core` has no local Postgres database for these objects.
- `core` calls Atom for storage, credentials, search/listing, and authorization.
- Other Magistrala services call `core` or Atom instead of five separate core services.
## Object Mapping
| Magistrala object | Atom object | Ownership |
| --- | --- | --- |
| Domain | Tenant | Atom stores name, route, status, tags, metadata, timestamps. |
| User | Entity | Atom stores identity metadata and credentials. |
| Client | Entity | Atom stores client identity metadata and client credentials. |
| Group | Group | Atom stores group metadata; hierarchy fields stay in attributes until Atom has first-class hierarchy support. |
| Channel | Resource `kind=channel` | Atom stores searchable channel catalog data and access policy target. |
| Rule | Resource `kind=rule` projection | Magistrala keeps full rule config; Atom stores searchable authorized projection. |
| Alarm | Resource `kind=alarm` projection | Magistrala keeps full alarm record; Atom stores searchable authorized projection. |
| Report | Resource `kind=report` projection | Magistrala keeps full report config/template; Atom stores searchable authorized projection. |
## Roles And SpiceDB Removal
Remove Magistrala `pkg/roles` completely. It was needed because SpiceDB could do authorization checks but did not provide good searchable authorized listing. Atom now owns both authorization and searchable access-controlled listing.
Remove:
- `pkg/roles`
- `roles.RoleManager` from service interfaces
- `roles.Repository` from repositories
- `[]roles.RoleProvision` return values from service methods
- built-in role provisioning code
- role tables/migrations from core service databases
- role event encode/decode paths
- role API endpoints
- role mocks
- role-related tests
- `role_id`, `role_name`, `roles`, `actions`, `access_type`, `access_provider_id`, `access_provider_role_id`, `access_provider_role_name`, and `access_provider_role_actions` from public structs and API responses
Remove SpiceDB-related code and deployment:
- `pkg/policies/spicedb`
- `pkg/spicedb`
- SpiceDB schema decoder usage
- SpiceDB config/env values
- SpiceDB Docker/Compose services
- SpiceDB permissions files when they are only used for role/policy provisioning
- duplicated local policy writes that existed only to support listing/search
Replace with Atom:
- Atom capabilities
- Atom roles only if Atom-side role grouping is useful
- Atom policy bindings
- Atom PDP checks
- Atom list/search APIs with authorization applied
## Public API Cleanup
This migration intentionally removes old role compatibility fields from public responses. API clients should not receive or send Magistrala role fields after the core migration.
Allowed response data should be object data only. If a caller needs access information, expose Atom-native concepts through new explicit endpoints such as:
- effective capabilities
- access checks
- authorized list/search
Do not preserve old role-shaped fields.
## Completed
- Added `internal/atom` package with:
- config loading for `ATOM_*` flags
- HTTP client
- projection types
- tenant/entity/group/resource mapping helpers
- unit tests
- Added Atom projection decorators for:
- domains
- users
- clients
- groups
- channels
- rules
- reports
- alarms create/update/delete
- Added initial `core` service skeleton:
- `core/` package
- `cmd/core`
- HTTP health/version endpoints
- typed Atom-backed HTTP handlers for domains, users, clients, groups, and channels
- Atom-backed compatibility gRPC services for domains, users, clients, groups, and channels
- gRPC server startup with reflection
- Atom config validation through `internal/atom`
- Removed raw Atom reverse proxy routing from `core`; public HTTP routes now translate Magistrala shapes explicitly.
- Client gRPC authentication now resolves shareable client keys from Atom device metadata instead of requiring a private credential introspection endpoint.
- Wired rule, report, and alarm Atom projection decorators into their service binaries. These services keep their own databases and maintain Atom resource projections for listing.
- Added `core` to the main Docker Compose stack and repointed shared domain/user/client/group/channel HTTP and gRPC client URLs in `docker/.env` to `core`.
- Repointed provisioning URLs for users, clients, and channels to `core`.
- Repointed API test targets for users, clients, domains, channels, and groups to the single `core` HTTP port.
- Moved the old `domains`, `users`, `clients`, `groups`, `channels` services and their DB/cache containers behind a `legacy-core` Docker Compose profile so they are not part of the default runtime stack.
- Repointed `journal` runtime dependency from the old `domains` service to `core`.
- Repointed nginx domain/user/client/group/channel HTTP routes, `/health`, and `/metrics` to `core`.
- Repointed `make run_addons` bootstrap startup from `domains` to `core`.
- Repointed GitHub API-test workflow core-object URLs to `localhost:9000`.
- Updated GitHub API-test path filters so core-object API tests run when `core`, `cmd/core`, or `internal/atom` changes.
- Updated GitHub API-test path filters so rule/alarm/report API tests run when their service, command, or Atom projection code changes.
- Repointed Prometheus addon default scrape target from old users/clients services to `magistrala-core:9000`.
- Updated service README endpoint examples so remaining domain/client/channel/group gRPC references use `core:7000`.
- Added Atom-backed `POST /users/tokens/issue` compatibility in `core`.
- Added compatibility handlers for token refresh/revoke/list refresh tokens in `core`.
- Added explicit `501` handlers in `core` for removed role endpoints and unsupported invitation/email-verification/password-reset flows.
- Added Atom-backed user email/profile-picture updates in `core`.
- Added `/metrics` to `core` so nginx and Prometheus can target the single service.
- Deleted old split service command entrypoints:
- `cmd/domains`
- `cmd/users`
- `cmd/clients`
- `cmd/groups`
- `cmd/channels`
- Updated CI test path filters to use `core`/`cmd/core` instead of deleted split service command paths.
- Added Atom-write mode constructors for rules and reports that skip legacy Magistrala role provisioning.
- Rules and reports now avoid connecting to SpiceDB at startup.
- Removed rule/report role-management HTTP route registration from active rule/report handlers.
- Removed role provisioning and role-manager middleware/event wrappers from the active rules and reports service chains.
- Removed `[]roles.RoleProvision` from the active rules service create contract.
- Removed rule role provisioning from the downstream rule event consumer used by alarms.
- Removed the remaining role-manager consumer dependency from the downstream rule event decoder.
- Removed built-in role setup from rule/report service constructors and command startup.
- Removed remaining rule/report repository role SQL paths:
- `RetrieveByIDWithRoles`
- `ListUserRules`
- `ListUserReportsConfig`
- rule/report role-table migrations
- Removed rule/report role/access fields from internal DTO mapping.
- Regenerated rule/report mocks after removing the stale repository role methods.
- Removed alarm user-list role SQL path and made alarm listing use the normal service repository path gated by Atom authorization.
- Regenerated alarm mocks after removing `ListUserAlarms`.
- Added shared Atom PDP authorization helper in `internal/atom`.
- Added Atom authorization middleware constructors for rules, reports, and alarms.
- Rules, reports, and alarms now skip authz/domain authorization gRPC clients and call Atom PDP directly.
- Added Atom-backed policy evaluator for `auth`.
- `cmd/auth` now skips SpiceDB startup and uses Atom PDP.
- Removed SpiceDB startup/import fallback from active `cmd/auth`, `cmd/re`, and `cmd/reports`.
- Removed obsolete SpiceDB env fields from active rule/report command config.
- Removed SpiceDB, SpiceDB migration, and SpiceDB Postgres containers from Docker Compose.
- Removed default Docker Compose dependencies from `auth`, rules, alarms, and reports to SpiceDB/SpiceDB migration.
- Added `ATOM_*` environment wiring to active `auth`, rules, alarms, and reports Docker Compose services.
- Removed unused SpiceDB environment variables and schema mounts from active `auth`, rules, alarms, and reports Docker Compose services.
- Added Atom-backed `policies.Service` implementation for Bootstrap's authorized client listing path.
- `cmd/bootstrap` now uses Atom for policy listing and no longer imports or initializes SpiceDB.
- Deleted legacy SpiceDB packages:
- `pkg/policies/spicedb`
- `pkg/spicedb`
- Removed SpiceDB environment variables from `docker/.env`.
- Removed remaining SpiceDB references from Go code, `go.mod`, `go.sum`, and default Docker runtime files.
- Removed rule/report hidden role fields from SDK DTOs.
- Known Atom model gap: group update/status/hierarchy routes return `501` until Atom groups support attributes/status/update semantics.
- Updated `Makefile` `SERVICES` to build `core` instead of the five old core service binaries.
- Removed old role/access fields from public JSON output for:
- domains
- clients
- channels
- groups
- rules
- reports
- Updated SDK response models and tests so removed role/access fields are not treated as public JSON contract.
- Made `core` self-contained for domain/user/client/group/channel request and response DTOs; it no longer imports the old split service packages for public shapes.
- Replaced shared gRPC client setup to use generated protobuf clients directly instead of importing old split service gRPC wrappers.
- Replaced the domain authorization status interface with a small package-local status type so active authorization code no longer imports the old `domains` package.
- Removed reports/rules migration dependency on old domain Postgres migrations; domain storage now belongs to Atom.
- Removed old domain event-store subscriptions from active rules, reports, and alarms command startup.
- Moved legacy split-service implementations out of the active Go package tree into `_legacy/oldservices`:
- domains
- users
- clients
- groups
- channels
- bootstrap
- provision
- `pkg/roles`
- Moved legacy command entrypoints out of the active Go package tree into `_legacy/cmd`:
- `cmd/bootstrap`
- `cmd/provision`
- `cmd/cli`
- Gated old CLI/SDK tests that depend on removed split services behind the `oldservices` build tag.
- Added Atom-authenticated HTTP guards to active `core` domain/user/client/group/channel routes.
- Added Atom PDP checks for protected `core` HTTP endpoints using the caller Bearer token.
- Added `core` callout execution before protected operations through `MG_CORE_CALLOUT_*`.
- Added `core` event publishing after successful protected operations through `MG_ES_URL`.
- Kept public exceptions for health/version/metrics, token issue/refresh/revoke/list, and explicitly unsupported compatibility routes.
- Added this migration plan document.
- Verified current repo with:
- `go test ./pkg/sdk`
- `go test ./core ./internal/atom`
- `go test ./internal/atom ./domains ./users ./clients ./channels ./groups ./re ./reports ./alarms`
- `go test ./...`
- `go test ./core ./cmd/core ./internal/atom`
- `make core`
- `go test ./domains ./clients ./channels ./groups ./re ./reports ./core`
- `go test ./core ./cmd/core ./internal/atom`
- `go test ./alarms ./alarms/middleware ./alarms/consumer`
- `go test ./cmd/re ./cmd/reports ./cmd/alarms ./re ./reports ./alarms`
- `go test ./re ./reports ./cmd/re ./cmd/reports`
- `go test ./re/api ./reports/api ./re ./reports`
- `go test ./...`
- `go test ./internal/atom ./re/middleware ./reports/middleware ./alarms/middleware ./cmd/re ./cmd/reports ./cmd/alarms`
- `go test ./re ./reports ./alarms ./cmd/re ./cmd/reports ./cmd/alarms ./internal/atom`
- `go test ./...`
- `go test ./internal/atom ./auth ./cmd/auth`
- default `docker compose --env-file docker/.env -f docker/docker-compose.yaml config` contains no SpiceDB services
- `go test ./cmd/auth ./cmd/re ./cmd/reports ./cmd/alarms ./internal/atom`
- `go test ./...`
- `docker compose --env-file docker/.env -f docker/docker-compose.yaml config`
- `go test ./re ./re/api ./re/events ./re/middleware ./reports ./reports/events ./reports/middleware ./cmd/re ./cmd/reports`
- `go test ./pkg/re/events/consumer ./alarms ./cmd/alarms`
- `go test ./re ./re/postgres ./re/api ./re/events ./re/middleware ./reports ./reports/postgres ./reports/api ./reports/events ./reports/middleware`
- `go test ./alarms ./alarms/postgres ./alarms/middleware ./cmd/alarms`
- `go test ./cmd/auth ./cmd/re ./cmd/reports ./auth ./re ./reports ./internal/atom`
- `go test ./...`
- `go test ./internal/atom ./bootstrap ./bootstrap/events/producer ./cmd/bootstrap`
- `go test ./...`
- `go mod tidy`
- `go test ./...`
- `go test ./pkg/sdk ./re ./reports`
- `go test ./pkg/sdk`
- `go test ./core`
- `go test ./core ./api/http ./pkg/grpcclient ./pkg/authz/authsvc ./pkg/domains ./pkg/domains/grpcclient`
- `go list ./...`
- `go test ./...`
- `go test ./core ./internal/atom ./cmd/core`
- `go test ./...`
- `go test ./...`
- `go test ./re ./re/middleware ./cmd/re ./reports ./reports/middleware ./cmd/reports`
- `go test ./...`
- `go test ./pkg/re/events/consumer ./alarms ./cmd/alarms`
## Next Phases
### Phase 1: Create Core Service Skeleton
Status: completed for the initial buildable skeleton, typed HTTP Atom adapters, and first-pass compatibility gRPC adapters for internal Magistrala callers.
- Add `cmd/core`.
- Add `core/` package.
- Start one HTTP server and one gRPC server.
- Load Atom config through `internal/atom`.
- Register grouped HTTP routes for:
- domains
- users
- clients
- groups
- channels
- Register compatibility gRPC services needed by other Magistrala services, but implement them through Atom/core logic.
### Phase 2: Move Core Writes To Atom
Status: started. HTTP writes for domains/users/clients/channels go to Atom. Client shareable keys are stored on Atom device metadata for MQTT/reader key resolution. Group create/delete go to Atom; group update/status/hierarchy needs Atom model support.
- Domain create/update/status/delete writes Atom tenants.
- User create/update/status/delete writes Atom entities and credentials.
- Client create/update/status/delete writes Atom entities and credentials.
- Group create/update/status/delete writes Atom groups.
- Channel create/update/status/delete writes Atom resources.
- Remove role provisioning from all these flows.
- Remove local Postgres writes for these objects.
### Phase 3: Move Core Reads To Atom
Status: started. HTTP reads/lists for domains/users/clients/groups/channels come from Atom. gRPC retrieve/list helpers also read from Atom.
- Domain list/search/read comes from Atom tenants.
- User list/search/read comes from Atom entities.
- Client list/search/read comes from Atom entities.
- Group list/search/read comes from Atom groups.
- Channel list/search/read comes from Atom resources.
- Remove Redis caches that only support old core lookup flows.
### Phase 4: Replace Authorization
- Status: mostly complete for active runtime. Public role/access response fields are hidden from JSON. Auth, rules, reports, alarms, and bootstrap now call Atom-backed authorization/listing paths and no longer initialize SpiceDB. Default Docker Compose no longer contains SpiceDB services or env. Legacy SpiceDB packages are deleted. Active rules and reports no longer provision Magistrala roles, no longer compute built-in roles at startup, and no longer wrap role-manager middleware/events. Rule/report/alarm repository role-list SQL paths and stale generated mocks have been removed. Remaining work is to move the legacy core entity packages and SDK role endpoint helpers off `pkg/roles`, then delete `pkg/roles`.
- Replace SpiceDB policy checks with Atom PDP checks.
- Replace authorization middleware internals with Atom client calls.
- Remove `pkg/policies/spicedb`. Done.
- Remove duplicated local policy writes. Started; active rule/report/alarm paths are done.
- Remove permissions schema decoding tied to SpiceDB/roles. SpiceDB decoder is deleted; role permission files still need deployment/doc review.
### Phase 5: Simplify Rules, Alarms, And Reports
Status: started. Rule and report create/update/delete projections are wired into runtime commands. In Atom-write mode, rule/report startup no longer requires SpiceDB. Rule/report create paths no longer provision Magistrala roles, active rule/report middleware and event wrappers no longer embed role-manager behavior, and command startup no longer builds legacy built-in role definitions. Rule/report repository role-list SQL paths are removed. Alarm create/update/delete projections are wired into runtime commands after changing alarm creation to return the inserted alarm for projection, and alarm listing no longer depends on rule/domain role tables.
- Keep full rule/alarm/report data in their service databases.
- Store searchable projection in Atom resources.
- Create/update/delete still happens through the owning service.
- List/search first queries Atom for authorized IDs, then hydrates from the service DB.
- Remove legacy role HTTP routes from rule/report APIs. Rule and report route registration is complete; OpenAPI cleanup still needs review.
### Phase 6: Remove Old Services
Status: started. Build list, shared Docker client URLs, provision URLs, API test targets, default Compose runtime, nginx routes, and CI filters now target `core`. Old split service command entrypoints are deleted. Old service packages still exist as DTO/API/test surfaces while downstream imports and role/SpiceDB dependencies are removed safely.
- Delete old runtime commands:
- `cmd/domains`
- `cmd/users`
- `cmd/clients`
- `cmd/groups`
- `cmd/channels`
- Remove old service packages or keep only API DTOs that are still used by `core`.
- Remove old Postgres repositories and migrations for core data.
- Remove old mocks generated only for deleted interfaces.
- Update Makefile service lists.
- Update Docker Compose and deployment manifests to run `core` instead of five services. Default Docker Compose runtime is complete; other deployment manifests still need review.
- Update dependent env vars so readers, writers, FluxMQ, notifications, rules, alarms, reports, certs, journal, bootstrap, and provision point to `core`. Docker `.env` is complete; other environment templates still need review.
### Phase 7: Final Backfill Plan
Existing Magistrala-to-Atom backfill is planned later. That plan must include:
- idempotent import
- count comparison
- referential integrity checks
- policy/capability migration
- rollback procedure
- cutover validation
## Test Plan
Unit tests:
- Atom config parsing.
- Atom HTTP client behavior.
- Atom mapping helpers.
- Core adapter mapping for all public request/response shapes.
- No role fields in public response structs.
Functional tests:
- Core HTTP endpoints create/read/update/delete through Atom.
- Core gRPC endpoints satisfy downstream service calls.
- Core list/search uses Atom authorization.
- No local Postgres writes for domains/users/clients/groups/channels.
Integration tests:
- Run Magistrala core + Atom + required remaining services.
- Create domain, user, client, group, and channel and verify Atom state.
- Verify Atom PDP allow/deny behavior.
- Verify rules/reports/alarms projections.
- Verify readers/writers/FluxMQ can still resolve clients/channels/domains through core.
End-to-end tests:
- Login/create user through Atom-backed core.
- Create tenant/domain.
- Create client and channel.
- Connect client/channel.
- List/search authorized core objects.
- Create/update/delete rule/report/alarm and list through Atom-backed authorized projection.
Removal tests:
- `go test ./...` passes after deleting roles and SpiceDB.
- No imports remain for `pkg/roles`, `pkg/policies/spicedb`, or `pkg/spicedb`.
- No deployment references remain for SpiceDB or the five old core services.
pkg/README.md
+1 -1
View File
@@ -27,7 +27,7 @@ import "github.com/absmach/magistrala/pkg/authn"
| `events` | Event store client abstractions and subscriber utilities. |
| `prometheus` | Metrics collectors for request counts/latency. |
| `jaeger`, `tracing` | OpenTelemetry tracing configuration and instrumentation helpers. |
| `channels`, `clients`, `groups`, `domains`, `roles` | Shared types and helpers for core Magistrala domain services. |
| `channels`, `clients`, `groups`, `domains`, `roles` | Shared types and helpers for Magistrala domain services. |
| `messaging`, `connections`, `callout` | Messaging DTOs, connection types, and outbound callout helpers. |
| `sdk` | Go SDK for interacting with Magistrala services. |
| `errors` | Error wrappers with consistent error typing. |
readers/middleware/logging.go
+1 -1
View File
@@ -19,7 +19,7 @@ type loggingMiddleware struct {
svc readers.MessageRepository
}
// LoggingMiddleware adds logging facilities to the core service.
// LoggingMiddleware adds logging facilities to the service.
func LoggingMiddleware(svc readers.MessageRepository, logger *slog.Logger) readers.MessageRepository {
return &loggingMiddleware{
logger: logger,
readers/middleware/metrics.go
+1 -1
View File
@@ -20,7 +20,7 @@ type metricsMiddleware struct {
svc readers.MessageRepository
}
// MetricsMiddleware instruments core service by tracking request count and latency.
// MetricsMiddleware instruments service by tracking request count and latency.
func MetricsMiddleware(svc readers.MessageRepository, counter metrics.Counter, latency metrics.Histogram) readers.MessageRepository {
return &metricsMiddleware{
counter: counter,