feat(google): scaffold sentinel-google service #90
Merged
Boots, bootstraps its bearer JWT from core, and serves /google/ping. Mirrors the saml/oauth service skeleton (config, db, kerbecs resolver, sentinel client, gin router + auth middleware). Registers the sentinel-google internal SA on core and adds a docker-compose entry. First slice of the Sentinel-group -> Google-Group sync service; the binding model, Directory API client, and reconcile engine follow in later PRs.
Add .github/workflows/google.yml (mirrors saml.yml) to build and publish ghcr.io/gaucho-racing/sentinel-google, and add google to release.sh GO_SERVICES (version bump) and IMAGES (image tag). deploy.yml is deferred to the infra PR since it bumps the kustomization image tags that don't exist until the k8s manifest lands.
First PR of the Sentinel-group → Google-Group sync feature. Stands up the new service skeleton + build pipeline — no Google API calls or sync logic yet.
What's here
- google/ module mirroring the saml/oauth service shape: main.go, config/ (+verify, banner), database/ (connection only, no models yet), pkg/{kerbecs,logger,sentinel}, and a gin api/ layer with auth middleware + /google/ping
- INTERNAL_BOOTSTRAP_SECRET → serves ping
- sentinel-google internal service account in core/jobs/init.go so the bootstrap exchange is allowed
- docker-compose.yml entry (port 9995) + google_gopath volume
- .github/workflows/google.yml (mirrors saml.yml) builds/publishes ghcr.io/gaucho-racing/sentinel-google; scripts/release.sh gains google in GO_SERVICES (version bump) + IMAGES

Not in this PR (later slices)
- group_google_binding model + CRUD API
- google.yaml manifest, kustomization entry, and deploy.yml wiring (coupled — deploy.yml bumps kustomization tags that don't exist until the manifest lands), kerbecs gateway route for inbound calls

Verification
- go build ./... + go vet ./... pass in the new module

Design recap
One-way sync, Sentinel = source of truth. Per group: mirror Sentinel members into the mapped Google Group as role MEMBER; manually-added people are OWNER/MANAGER and never touched. Reconcile manages only MEMBER-role members.
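
The reconcile rule from the design recap, sketched as an added Go example; it is not code from this PR or from the project. `Plan`, `PlanReconcile`, the lowercase email normalization and the sample addresses are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Plan holds the only mutations the reconcile may make (hypothetical type).
type Plan struct {
	Add    []string // insert into the Google Group with role MEMBER
	Remove []string // delete from the Google Group; MEMBER-role entries only
}

// PlanReconcile diffs Sentinel members (source of truth) against the Google
// Group; google maps email -> role. Hypothetical helper, not the service's API.
func PlanReconcile(sentinel []string, google map[string]string) Plan {
	norm := func(e string) string { return strings.ToLower(strings.TrimSpace(e)) }
	want := make(map[string]bool, len(sentinel))
	for _, e := range sentinel {
		want[norm(e)] = true
	}
	have := make(map[string]string, len(google))
	for e, role := range google {
		have[norm(e)] = strings.ToUpper(role)
	}
	var p Plan
	for e := range want {
		// Present under any role (OWNER/MANAGER included): no add, no demotion.
		if _, ok := have[e]; !ok {
			p.Add = append(p.Add, e)
		}
	}
	for e, role := range have {
		// Only MEMBER is managed; other or unknown roles are left untouched.
		if role == "MEMBER" && !want[e] {
			p.Remove = append(p.Remove, e)
		}
	}
	sort.Strings(p.Add)
	sort.Strings(p.Remove)
	return p
}

func main() {
	sentinel := []string{"alice@example.com", "Bob@example.com", "dana@example.com"} // constructed
	google := map[string]string{"bob@example.com": "MEMBER", "carol@example.com": "MEMBER",
		"dana@example.com": "OWNER", "erin@example.com": "MANAGER"} // constructed
	fmt.Printf("%+v\n", PlanReconcile(sentinel, google))
}
```

Because removal is gated on an exact MEMBER match, an empty or failed Sentinel member fetch can still empty the managed set, so a caller would want to treat a fetch error as "skip this group" rather than pass an empty slice.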