Designed to empower modern engineering and platform teams that ship mission-critical business logic
syntax = "proto3";
package platform.v1;
import "buf/validate/validate.proto";
import "google/api/annotations.proto";
import "connectum/auth/v1/options.proto";
service DeploymentService {
option (connectum.auth.v1.service_auth) = {
default_policy: "deny"
default_requires: { roles: ["platform-engineer"] }
};
rpc CreateDeployment(CreateDeploymentRequest) returns (Deployment) {
option (google.api.http) = { post: "/v1/deployments" body: "*" };
}
rpc GetDeployment(GetDeploymentRequest) returns (Deployment) {
option (connectum.auth.v1.method_auth) = { public: true };
option (google.api.http) = { get: "/v1/deployments/{deployment_id}" };
}
}
message CreateDeploymentRequest {
string namespace = 1 [(buf.validate.field).string.min_len = 1];
string image = 2 [(buf.validate.field).string.pattern = "^[a-z0-9./:-]+$"];
int32 replicas = 3 [(buf.validate.field).int32 = { gte: 1, lte: 100 }];
}
message GetDeploymentRequest {
string deployment_id = 1 [(buf.validate.field).string.uuid = true];
}
message Deployment {
string deployment_id = 1;
string namespace = 2;
string image = 3;
int32 replicas = 4;
string status = 5;
string created_by = 6;
}import { create } from '@bufbuild/protobuf';
import type { ConnectRouter } from '@connectrpc/connect';
import { requireAuthContext } from '@connectum/auth';
import { getLogger, getMeter } from '@connectum/otel';
import { DeploymentService, DeploymentSchema } from '#gen/platform_pb.js';
const logger = getLogger('DeploymentService');
const deployments = getMeter().createCounter('platform.deployments.total');
export default (router: ConnectRouter) => {
router.service(DeploymentService, {
async createDeployment(req) {
const auth = requireAuthContext();
deployments.add(1, { namespace: req.namespace });
logger.info('Deployment created', {
namespace: req.namespace,
image: req.image,
createdBy: auth.subject,
});
return create(DeploymentSchema, {
deploymentId: crypto.randomUUID(),
namespace: req.namespace,
image: req.image,
replicas: req.replicas,
status: 'PENDING',
createdBy: auth.subject,
});
},
});
};import { createServer } from '@connectum/core';
import { Healthcheck, healthcheckManager, ServingStatus } from '@connectum/healthcheck';
import { Reflection } from '@connectum/reflection';
import { createDefaultInterceptors } from '@connectum/interceptors';
import { createOtelInterceptor } from '@connectum/otel';
import { createJwtAuthInterceptor, createProtoAuthzInterceptor } from '@connectum/auth';
import routes from '#services/deploymentService.js';
const server = createServer({
services: [routes],
port: 5000,
protocols: [Healthcheck({ httpEnabled: true }), Reflection()],
interceptors: [
createOtelInterceptor({ serverPort: 5000 }),
createJwtAuthInterceptor({ jwksUri: process.env.JWKS_URI! }),
createProtoAuthzInterceptor(),
...createDefaultInterceptors(),
],
shutdown: { autoShutdown: true },
});
server.on('ready', () => {
healthcheckManager.update(ServingStatus.SERVING);
});
await server.start();# Sync proto types from a running server (gRPC Server Reflection)
connectum proto sync --from localhost:5000 --out ./gen
# gRPC call (requires platform-engineer role)
grpcurl -d '{"namespace":"prod","image":"api:v2.1.0","replicas":3}' \
-H "Authorization: Bearer $TOKEN" \
localhost:5000 platform.v1.DeploymentService/CreateDeployment
# REST via Envoy Gateway (gRPC-JSON transcoding from google.api.http)
curl -X POST http://gateway:8080/v1/deployments \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"namespace":"prod","image":"api:v2.1.0","replicas":3}'