Dan Upton d4c435856b
grpc: protoc plugin for generating gRPC rate limit specifications (#15564)
Adds automation for generating the map of `gRPC Method Name → Rate Limit Type`
used by the middleware introduced in #15550, and will ensure we don't forget
to add new endpoints.

Engineers must annotate their RPCs in the proto file like so:

rpc Foo(FooRequest) returns (FooResponse) {
  option (consul.internal.ratelimit.spec) = {
    operation_type: READ,

When they run `make proto` a protoc plugin `protoc-gen-consul-rate-limit` will
be installed that writes rate-limit specs as a JSON array to a file called
`.ratelimit.tmp` (one per protobuf package/directory).

After running Buf, `make proto` will execute a post-process script that will
ingest all of the `.ratelimit.tmp` files and generate a Go file containing the
mappings in the `agent/grpc-middleware` package. In the enterprise repository,
it will write an additional file with the enterprise-only endpoints.

If an engineer forgets to add the annotation to a new RPC, the plugin will
return an error like so:

RPC Foo is missing rate-limit specification, fix it with:

	import "proto-public/annotations/ratelimit/ratelimit.proto";

	service Bar {
	  rpc Foo(...) returns (...) {
	    option (hashicorp.consul.internal.ratelimit.spec) = {

In the future, this annotation can be extended to support rate-limit
category (e.g. KV vs Catalog) and to determine the retry policy.
2023-01-04 16:07:02 +00:00

163 lines
4.9 KiB
Executable File

#!/usr/bin/env bash
readonly SCRIPT_NAME="$(basename ${BASH_SOURCE[0]})"
readonly SCRIPT_DIR="$(dirname "${BASH_SOURCE[0]}")"
readonly SOURCE_DIR="$(dirname "$(dirname "${SCRIPT_DIR}")")"
readonly FN_DIR="$(dirname "${SCRIPT_DIR}")/functions"
source "${SCRIPT_DIR}/functions.sh"
unset CDPATH
set -euo pipefail
usage() {
cat <<-EOF
Usage: ${SCRIPT_NAME} [<options ...>]
Regenerates regenerates all Go files from protobuf definitions. In addition
to running the protoc generator it will also fixup build tags in the
generated code and regenerate mog outputs and RPC stubs.
-h | --help Print this help text.
function err_usage {
err "$1"
err ""
err "$(usage)"
function main {
while test $# -gt 0
case "$1" in
-h | --help )
return 0
local mods=$(find . -name 'buf.gen.yaml' -exec dirname {} \; | sort)
for mod in $mods
# This looks special and it is. First of all this is not just `buf generate`
# from within the $mod directory because doing that would have caused global
# file registration conflicts when Consul starts. TLDR there is that Go's
# protobuf code tracks protobufs by their file paths so those filepaths all
# must be unique.
# To work around those constraints we are trying to get the file descriptors
# passed off to protoc-gen-go to include the top level path. The file paths
# in the file descriptors will be relative to where `buf` is run. Therefore
# we must run `buf` from the root of the repo but still tell it to only
# generate the singular directory. The --template argument allows us to
# point buf a particular configuration for what code to generate. The
# --path argument allows us to tell `buf` which files/directories to
# operate on. Hopefully in the future `buf` will be able to add prefixes
# to file descriptor paths and we can modify this to work in a more natural way.
buf generate --template ${mod}/buf.gen.yaml --path ${mod}
cd $mod
for proto_file in $(buf ls-files)
postprocess_protobuf_code $proto_file
status "Generated all protobuf Go files"
status "Generated all mog Go files"
generate_rate_limit_mappings $mods
status "Generated gRPC rate limit mapping file"
return 0
function postprocess_protobuf_code {
local proto_path="${1:-}"
if [[ -z "${proto_path}" ]]; then
err "missing protobuf path argument"
return 1
local proto_go_path="${proto_path%%.proto}.pb.go"
local proto_go_bin_path="${proto_path%%.proto}.pb.binary.go"
local proto_go_rpcglue_path="${proto_path%%.proto}.rpcglue.pb.go"
status_stage "Post-Processing generated files for ${proto_path}"
print_run protoc-go-inject-tag -input="${proto_go_path}" || {
err "Failed to run protoc-go-inject-tag for ${proto_path}"
return 1
local build_tags
build_tags="$(head -n 2 "${proto_path}" | grep '^//go:build\|// +build' || true)"
if test -n "${build_tags}"; then
for file in "${proto_go_bin_path}" "${proto_go_grpc_path}"
if test -f "${file}"
echo -e "${build_tags}\n" >> "${file}.new"
cat "${file}" >> "${file}.new"
mv "${file}.new" "${file}"
# NOTE: this has to run after we fix up the build tags above
rm -f "${proto_go_rpcglue_path}"
print_run go run ${SOURCE_DIR}/internal/tools/proto-gen-rpc-glue/main.go -path "${proto_go_path}" || {
err "Failed to generate consul rpc glue outputs from ${proto_path}"
return 1
return 0
function generate_mog_code {
local mog_order
mog_order="$(go list -tags "${GOTAGS}" -deps ./proto/pb... | grep "consul/proto/")"
for FULL_PKG in ${mog_order}; do
status_stage "Generating ${PKG}/*.pb.go into ${PKG}/*.gen.go with mog"
find "$PKG" -name '*.gen.go' -delete
if [[ -n "${GOTAGS}" ]]; then
print_run mog -tags "${GOTAGS}" -source "./${PKG}/*.pb.go"
print_run mog -source "./${PKG}/*.pb.go"
return 0
function generate_rate_limit_mappings {
local flags=(
"-output ${SOURCE_DIR}/agent/grpc-middleware/rate_limit_mappings.gen.go"
for path in $@; do
flags+=("-input $path")
print_run go run ${SOURCE_DIR}/internal/tools/protoc-gen-consul-rate-limit/postprocess/main.go ${flags[@]} || {
err "Failed to generate gRPC rate limit mappings"
return 1
main "$@"
exit $?