Managing data models in Go

Claas Störtenbecker — Thu, 04 Mar 2021 18:59:25 GMT

Once upon a time a developer created a new Go service. He started by defining the service interface as protobuf spec, generated code, and saw it was good. The need to store data creeped up to him. Being a smart hackernews reader he chooses sqlc to generate CRUD and model code from sql. Then the product owner reached out to implement new business logic. Striving for a clean code base the developer creates a new data structure once again, adding methods to the new struct. After awhile inconsistency in the code base started to show.

In how many places does code break if we touch files code is generated from? Many.

Let's make some observations.

The database schema is most likely the root of the datamodel.
Protocol buffers exist mainly to define an interface, used for GRPC communication.
Business logic doesn't have to be a method of a struct, though it makes sense in many cases.

The goal should be to have a single struct for each data model which is used throughout the entire codebase. To achieve this we make use of struct embedding and methods that handle transcoding.

// generated

// /pkg/pb/account.pb.go

type Account struct {
    state         protoimpl.MessageState
    sizeCache     protoimpl.SizeCache
    unknownFields protoimpl.UnknownFields

    Id   string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
    Name string `protobuf:"bytes,2,opt,name=name,proto3" json:"name,omitempty"`
}

// generated

// /pkg/db/model.go

type Account struct {
    ID   uuid.UUID `json:"id"`
    Name string    `json:"name"`
}

// /pkg/business/account.go

import "pkg/db"
import "pkg/pb"

type Account struct {
    db.Account
} 

// This is pretty straight forward.
// Generated query functions will return a db.Account and we can transcode swiftly.
// Nothing can break here.
func AccountFromDB(a db.Account) Account {
    return Account{Account: a}
}

// Arguably the most complicated function.
// We need to transcode a protobuf struct to our business logic struct.
// Writing a generator for std data types shouldn't be to complicated.
// How to extend it to custom types needs some thought.
func AccountFromPB(a *pb.Account) (Account, error) {
    id, err := uuid.FromStringOrNil(a.Id)
    if err != nil {
        return Account{}, err
    }

    account := Account{}
    account.ID = id
    account.Name = a.Name

    return account, nil
}

// This is pretty simple again and could easily be generated.
func (a Account) PB() *pb.Account {
    return &pb.Account{
        Id:   a.ID.String(),
        Name: a.Name,
    }
}

When investing the effort to write robust generators one time, maintenance headache in the code base is reduced significantly. Mentioned generator could even be used universally over services.

Secure HA Kubernetes on bare metal using k3s

Claas Störtenbecker — Mon, 21 Dec 2020 19:04:46 GMT

This walkthrough will leave you with a kubeconfig to a fully functional, secure cluster.

What is k3s?

Kubernetes is was too hard for the solo developer. Using k3s you can deploy Kubernetes in a couple of commands per node. The Kubernetes distribution is:

fully conformant
production-ready
lightweight
packaged in a single binary

I personally run 3 SKVM-4G from MaxKVM for 18$/month with student discount. Each node has 2 EPYC cores, 4GB ECC, 3TB traffic @ 1GBs, 75GB NVME; unmatched for that price.

1. Setup node iptables

To isolate network communication we need to setup some firewall rules on each node. This tutorial will use ufw to configure iptables but you may use any other tool. I assume that each node will have two distinct network interfaces:

eth0 assigned with a public IP used for internet communication
eth1 assigned with a private IP used for intranet communication

We will start by blocking incoming and allowing outgoing traffic.

sudo ufw default allow outgoing
sudo ufw default deny incoming

Further we need to enable ssh access to the node.

sudo ufw allow ssh

We allow communication through the intranet. You can also add each node IP seperately. In this example eth1 is part of the subnet 172.16.0.0/12.

sudo ufw allow from 172.16.0.0/12

We allow communication to the CNI (Container Network Interface) from the Pod CIDR.

sudo ufw allow in on cni0 from 10.42.0.0/16

We allow communication to the Kubernetes API.

sudo ufw allow 6443/tcp

2. Install Kubernetes

To join nodes k3s needs a shared secret. We can generate one with:

openssl rand -base64 32

2.1 First node

We configure necassary installation parameters on the server:

K3S_TOKEN the secret we generated in step 2
INSTALL_K3S_EXEC arguments the k3s installer is called with
- --cluster-init this node initializes a completely new cluster
- -i {eth1_ip} this node uses the internal IP
- --flannel-iface eth1 the cluster network is build on the intranet
- --disable traefik k3s ships with outdated traefik as ingress

export K3S_TOKEN="{generated_secret}" &
export INSTALL_K3S_EXEC="server \ 
    --cluster-init \
    -i {eth1_ip} \
    --flannel-iface eth1 \
    --disable traefik"

Now we execute the install script.

curl -sfL https://get.k3s.io | sh -

2.2 Other nodes

Configuration is similar to the first node. Now we do not initialize a cluster, but join the cluster that was created in 2.1.

export K3S_TOKEN="{generated_secret}" &
export INSTALL_K3S_EXEC="server \ 
    --server https://{node1_internal_ip}:6443 \
    -i {eth1_ip} \
    --flannel-iface eth1 \
    --disable traefik"

Also execute the install script.

curl -sfL https://get.k3s.io | sh -

2.3 Finalize

On any node run kubectl get nodes to check if your cluster was build sucessfully. Now remove from /etc/systemd/system/k3s.service on every node:

--cluster-init if it is the first node
--server else

at the bottom of the file.

Reload and check the node after editing.

systemctl daemon-reload
service k3s restart
kubectl get nodes

Copy /etc/rancher/k3s/k3s.yaml to your machine. After that replace localhost with a node or loadbalancer IP and you are done.

clstBlog