fix(infra): harden AI service — graceful shutdown, rate limiting, API key auth, pinned deps, Grafana secrets

- Add dumb-init + --timeout-graceful-shutdown 30 to AI service Dockerfile - Add slowapi rate limiting (configurable via AI_RATE_LIMIT) and X-API-Key auth middleware - Pin all Python dependencies to exact versions for reproducible builds - Move Grafana admin credentials from env vars to Docker secrets in production compose Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-08 06:13:29 +07:00
parent e89c8f5810
commit e60b95cdec
5 changed files with 69 additions and 22 deletions
--- a/libs/ai-services/Dockerfile
+++ b/libs/ai-services/Dockerfile
@@ -2,21 +2,22 @@ FROM python:3.12-slim

 WORKDIR /app

-# Install system deps for underthesea / numpy
+# Install system deps for underthesea / numpy + dumb-init for signal handling
 RUN apt-get update && \
-    apt-get install -y --no-install-recommends gcc g++ && \
+    apt-get install -y --no-install-recommends gcc g++ dumb-init && \
    rm -rf /var/lib/apt/lists/*

 COPY pyproject.toml .
 RUN pip install --no-cache-dir . 2>/dev/null || pip install --no-cache-dir \
-    "fastapi>=0.115.0" \
-    "uvicorn[standard]>=0.32.0" \
-    "xgboost>=2.1.0" \
-    "numpy>=1.26.0" \
-    "underthesea>=6.8.0" \
-    "pydantic>=2.9.0" \
-    "pydantic-settings>=2.5.0" \
-    "httpx>=0.27.0"
+    "fastapi==0.115.0" \
+    "uvicorn[standard]==0.32.0" \
+    "xgboost==2.1.0" \
+    "numpy==1.26.4" \
+    "underthesea==6.8.0" \
+    "pydantic==2.9.0" \
+    "pydantic-settings==2.5.0" \
+    "httpx==0.27.0" \
+    "slowapi==0.1.9"

 COPY app/ ./app/

@@ -28,4 +29,5 @@ EXPOSE 8000
 HEALTHCHECK --interval=30s --timeout=5s --start-period=15s --retries=3 \
    CMD python -c "import httpx; httpx.get('http://localhost:8000/health').raise_for_status()"

-CMD ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8000"]
+ENTRYPOINT ["dumb-init", "--"]
+CMD ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8000", "--timeout-graceful-shutdown", "30"]
--- a/libs/ai-services/app/main.py
+++ b/libs/ai-services/app/main.py
@@ -1,15 +1,24 @@
-from fastapi import FastAPI
+from fastapi import Depends, FastAPI
 from fastapi.middleware.cors import CORSMiddleware
+from slowapi import Limiter, _rate_limit_exceeded_handler
+from slowapi.errors import RateLimitExceeded
+from slowapi.util import get_remote_address

 from app.config import settings
+from app.middleware import verify_api_key
 from app.routers import avm, moderation

+limiter = Limiter(key_func=get_remote_address, default_limits=[settings.rate_limit])
+
 app = FastAPI(
    title=settings.app_name,
    version="0.1.0",
    docs_url="/docs",
    redoc_url="/redoc",
+    dependencies=[Depends(verify_api_key)],
 )
+app.state.limiter = limiter
+app.add_exception_handler(RateLimitExceeded, _rate_limit_exceeded_handler)

 if not settings.cors_origin_list:
    raise RuntimeError("AI_CORS_ORIGINS must be set (comma-separated list of allowed origins)")
--- a/libs/ai-services/app/middleware.py
+++ b/libs/ai-services/app/middleware.py
@@ -0,0 +1,23 @@
+import hmac
+from typing import Optional
+
+from fastapi import Depends, HTTPException, Security, status
+from fastapi.security import APIKeyHeader
+
+from app.config import settings
+
+api_key_header = APIKeyHeader(name="X-API-Key", auto_error=False)
+
+
+async def verify_api_key(
+    api_key: Optional[str] = Security(api_key_header),
+) -> str:
+    """Validate X-API-Key header. Skipped when AI_API_KEY is not configured."""
+    if not settings.api_key:
+        return "no-auth"
+    if not api_key or not hmac.compare_digest(api_key, settings.api_key):
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Invalid or missing API key",
+        )
+    return api_key
--- a/libs/ai-services/pyproject.toml
+++ b/libs/ai-services/pyproject.toml
@@ -4,14 +4,15 @@ version = "0.1.0"
 description = "AI/ML services for Goodgo Platform — AVM, feature extraction, moderation"
 requires-python = ">=3.12"
 dependencies = [
-    "fastapi>=0.115.0",
-    "uvicorn[standard]>=0.32.0",
-    "xgboost>=2.1.0",
-    "numpy>=1.26.0",
-    "underthesea>=6.8.0",
-    "pydantic>=2.9.0",
-    "pydantic-settings>=2.5.0",
-    "httpx>=0.27.0",
+    "fastapi==0.115.0",
+    "uvicorn[standard]==0.32.0",
+    "xgboost==2.1.0",
+    "numpy==1.26.4",
+    "underthesea==6.8.0",
+    "pydantic==2.9.0",
+    "pydantic-settings==2.5.0",
+    "httpx==0.27.0",
+    "slowapi==0.1.9",
 ]

 [project.optional-dependencies]