diff --git a/.secrets/postgres.env b/.secrets/postgres.env
new file mode 100644
index 0000000..5c4170f
--- /dev/null
+++ b/.secrets/postgres.env
@@ -0,0 +1,3 @@
+POSTGRES_DB=authz
+POSTGRES_USER=authz
+POSTGRES_PASSWORD=supersecretpassword
\ No newline at end of file
diff --git a/README.md b/README.md
index ac3a07f..3845a29 100644
--- a/README.md
+++ b/README.md
@@ -69,3 +69,29 @@
 docker build -t .
 docker run --rm -p 8000:8000 -p 9000:9000 -v :/data/conf
 ```
+## Deploy to a openshift cluster that has Clowder
+
+### Prerequisite
+[bonfire](https://github.com/RedHatInsights/bonfire)
+[oc](https://docs.openshift.com/container-platform/4.8/cli_reference/openshift_cli/getting-started-cli.html)
+
+You should have logged into a valid openshift cluster using the oc login command
+
+`oc login --token= --server=`
+
+### Deploying the components
+
+Note: the deploy script assumes you have a valid oc login and the necessary tools are in place.
+
+The deploy script under the deploy folder, will deploy all the needed components.
+
+`./deploy.sh`
+
+- Creates a postgres pod and service (Note: No PVC)
+- Creates a spiceDB secret - that contains: a preshared key and Postgres connection URI
+- Creates a Configmap object - that serves as a bootstrap schema for spiceDB (by default it uses the schema.yaml file under deploy)
+- Creates the spiceDB service
+- Creates the relations service
+
+You should be able to use the public route (relations-*) created by the clowder in your namespace, to use the service.
+
diff --git a/deploy/clowdapp.yaml b/deploy/clowdapp.yaml
index 538e86f..247274d 100644
--- a/deploy/clowdapp.yaml
+++ b/deploy/clowdapp.yaml
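Review bot: `POSTGRES_PASSWORD=supersecretpassword` is a real credential committed in plaintext, and `deploy/deploy.sh` sources this exact file, so every clone of the repository now carries the password of the SpiceDB datastore. Even a throwaway value should not live in history: rename the file to `.secrets/postgres.env.example` with placeholder values, add `.secrets/` to `.gitignore`, and have the deploy script fail loudly when the real file is missing. Treat the committed value as burned and regenerate it (e.g. `openssl rand -base64 24`) on any environment where it was used.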
@@ -9,14 +9,26 @@ objects:
 name: ${CLOWDAPP_NAME}-spicedb
 spec:
 config:
- datastoreEngine: memory
+ logLevel: debug
+ replicas: 1
+ datastoreEngine: postgres
+ datastoreBootstrapFiles: /etc/bootstrap/schema.yaml
 secretName: dev-spicedb-config
- - apiVersion: v1
- kind: Secret
- metadata:
- name: dev-spicedb-config
- stringData:
- preshared_key: "averysecretpresharedkey"
+ patches:
+ - kind: Deployment
+ patch:
+ spec:
+ template:
+ spec:
+ volumes:
+ - name: bootstrap
+ configMap:
+ name: spicedb-schema
+ containers:
+ - name: spicedb
+ volumeMounts:
+ - name: bootstrap
+ mountPath: /etc/bootstrap
 - apiVersion: cloud.redhat.com/v1alpha1
 kind: ClowdApp
 metadata:
diff --git a/deploy/deploy.sh b/deploy/deploy.sh
new file mode 100755
index 0000000..467de01
--- /dev/null
+++ b/deploy/deploy.sh
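Review bot: `logLevel: debug` is checked in as the log level of the deployed SpiceDB instance; debug output from an authorization service is far more verbose and can carry request-level detail about subjects and relationships into the cluster's log pipeline, so it belongs in a local override rather than the committed ClowdApp — `logLevel: info  # raise to debug only for local troubleshooting`. The hunk also pairs `datastoreBootstrapFiles` with a persistent `postgres` datastore for the first time; as far as I recall SpiceDB refuses to start when bootstrap files are given and the datastore already holds a schema unless an overwrite option is set, which would bite on any SpiceDB pod restart that does not also wipe the (PVC-less) Postgres. That behaviour is worth confirming and recording in a comment next to `datastoreBootstrapFiles`.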
@@ -0,0 +1,68 @@ +#!/bin/bash +source ../.secrets/postgres.env + +# Export tags +IMAGE=quay.io/ciam_authz/insights-rebac +IMAGE_TAG=latest + +# Prepare bonfire env +VENV_DIR=~/bonfire_venv +mkdir -p $VENV_DIR +python3 -m venv $VENV_DIR +. $VENV_DIR/bin/activate + +# Function to check if a command is available +command_exists() { + command -v "$1" >/dev/null 2>&1 +} + +# pre-flight checks +if command_exists bonfire; then + echo "Bonfire is OK " +else + echo "bonfire needs to be installed" + exit 1 +fi + +# Reserve a namespace +bonfire namespace reserve --duration 8h +NAMESPACE=$(oc config view --minify -o 'jsonpath={..namespace}') + +if [[ -z "${NAMESPACE}" ]]; then + echo "Namespace is not set" + exit 1 +fi +echo "Using Namespace:" $NAMESPACE + +#Prepare the bonfire config yaml file +currentpath=$(pwd) +file_location=~/.config/bonfire/config.yaml +cat > $file_location </dev/null) ]]; do + echo "still waiting for postgres" + sleep 1 +done +echo "postgress is ready" + +# Create spiceDB bootstrap schema configmap +oc create configmap spicedb-schema --from-file=schema.yaml -n $NAMESPACE + +#Deploy Relations service, spiceDB service +bonfire deploy relationships -n $NAMESPACE --local-config-method override diff --git a/deploy/postgres.yaml b/deploy/postgres.yaml new file mode 100644 index 0000000..8367508 --- /dev/null +++ b/deploy/postgres.yaml 
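Review bot: The script never enables `set -e`, so when `source ../.secrets/postgres.env` fails (the path is relative, so it only resolves when the script is run from `deploy/`) the `POSTGRES_*` variables stay empty and the script carries on to reserve a namespace and deploy Postgres and the SpiceDB secret with blank credentials. Add `set -eo pipefail` after the shebang and resolve the env file from the script's own location: `source "$(dirname "$0")/../.secrets/postgres.env"`. `IMAGE_TAG=latest` is a mutable tag, so two runs of this script can deploy different images; pin a digest or an immutable tag for anything beyond a scratch namespace. `oc create configmap spicedb-schema ...` also fails on a second run against the same namespace; `oc create configmap spicedb-schema --from-file=schema.yaml -n "$NAMESPACE" --dry-run=client -o yaml | oc apply -f -` is idempotent. The bonfire config heredoc and the Postgres deploy step in the middle of this hunk are not legible in this view, so they are not reviewed here.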
@@ -0,0 +1,80 @@
+apiVersion: template.openshift.io/v1
+kind: Template
+metadata:
+ name: relationships
+objects:
+ - apiVersion: apps/v1
+ kind: Deployment
+ metadata:
+ labels:
+ app: postgres
+ name: postgres
+ namespace: ${NAMESPACE}
+ spec:
+ selector:
+ matchLabels:
+ app: postgres
+ template:
+ metadata:
+ labels:
+ app: postgres
+ spec:
+ containers:
+ - env:
+ - name: POSTGRESQL_DATABASE
+ value: ${POSTGRES_DB}
+ - name: POSTGRESQL_USER
+ value: ${POSTGRES_USER}
+ - name: POSTGRESQL_PASSWORD
+ value: ${POSTGRES_PASSWORD}
+ - name: PGDATA
+ value: /temp/data
+ image: registry.redhat.io/rhel9/postgresql-15:1-54
+ imagePullPolicy: Always
+ name: postgres
+ ports:
+ - containerPort: 5432
+ protocol: TCP
+ resources:
+ limits:
+ cpu: 60m
+ memory: 256Mi
+ requests:
+ cpu: 30m
+ memory: 128Mi
+ restartPolicy: Always
+
+ - apiVersion: v1
+ kind: Service
+ metadata:
+ labels:
+ app: postgres
+ name: postgres
+ namespace: ${NAMESPACE}
+ spec:
+ ports:
+ - name: http
+ port: 5432
+ protocol: TCP
+ selector:
+ app: postgres
+ - apiVersion: v1
+ kind: Secret
+ metadata:
+ name: dev-spicedb-config
+ stringData:
+ preshared_key: "averysecretpresharedkey"
+ datastore_uri: postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@postgres.${NAMESPACE}.svc.cluster.local:5432/${POSTGRES_DB}?sslmode=disable
+parameters:
+ - description: Namespace to deploy into
+ name: NAMESPACE
+ value: ${NAMESPACE}
+ - description: Postgres DB name
+ name: POSTGRES_DB
+ value: ${POSTGRES_DB}
+ - description: Postgres DB username
+ name: POSTGRES_USER
+ value: ${POSTGRES_USER}
+ - description: Postgres DB password
+ name: POSTGRES_PASSWORD
+ value: ${POSTGRES_PASSWORD}
diff --git a/deploy/schema.yaml b/deploy/schema.yaml
new file mode 100644
index 0000000..0e3c3db
--- /dev/null
+++ b/deploy/schema.yaml
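Review bot: The Deployment injects `POSTGRESQL_PASSWORD` as a literal env `value`, so the database password is readable by anyone who can `get deployments` or `get pods` in the namespace, and the same password is embedded a second time in `datastore_uri` next to a hardcoded `preshared_key: "averysecretpresharedkey"` that any client on the cluster network can use against the SpiceDB API. Feed Postgres its password through `valueFrom.secretKeyRef` and make the preshared key a template parameter — generated, as sketched below, if the relations service reads it from this Secret, otherwise a required parameter with no default. `sslmode=disable` sends the credential and every relation query in cleartext between pods, which is only tolerable on a trusted in-cluster network; a comment stating that assumption would help whoever promotes this beyond a dev namespace. Note also that the `parameters` defaults (`value: ${POSTGRES_PASSWORD}` and friends) look self-referential — as far as I can tell template processing does not expand references inside parameter defaults, so these only work when every value is supplied with `-p`.
```yaml
  - apiVersion: v1
    kind: Secret
    metadata:
      name: postgres-credentials
      namespace: ${NAMESPACE}
    stringData:
      password: ${POSTGRES_PASSWORD}
  # … unchanged: Deployment metadata, selector, template labels, DATABASE/USER env …
            - name: POSTGRESQL_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: postgres-credentials
                  key: password
  # … unchanged: PGDATA, image, ports, resources, Service …
    stringData:
      preshared_key: ${SPICEDB_PRESHARED_KEY}
      # NOTE: sslmode=disable is acceptable only on a trusted in-cluster network
      datastore_uri: postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@postgres.${NAMESPACE}.svc.cluster.local:5432/${POSTGRES_DB}?sslmode=disable
parameters:
  - description: Preshared key clients present to the SpiceDB API
    name: SPICEDB_PRESHARED_KEY
    generate: expression
    from: "[a-zA-Z0-9]{32}"
  # … unchanged: NAMESPACE / POSTGRES_* parameters …
```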
@@ -0,0 +1,30 @@
+schema: |-
+ definition user {}
+
+ definition group {
+ relation member: user | group#member
+ }
+
+ definition role {
+ relation view_the_thing: user:*
+ }
+
+ definition role_binding {
+ relation subject : user | group#member
+ relation granted: role
+
+ permission view_the_thing = subject & granted->view_the_thing
+ }
+
+ definition workspace {
+ relation parent: workspace
+ relation user_grant: role_binding
+
+ permission view_the_thing = user_grant->view_the_thing
+ }
+
+ definition thing {
+ relation workspace: workspace
+
+ permission view = workspace->view_the_thing
+ }
\ No newline at end of file
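Review bot: `workspace` declares `relation parent: workspace` but `permission view_the_thing = user_grant->view_the_thing` never walks it, so a role_binding attached to a parent workspace does not reach child workspaces or their `thing`s; if inheritance is intended the line should read `permission view_the_thing = user_grant->view_the_thing + parent->view_the_thing`, and if it is not, a comment saying the relation is reserved for later would stop the next reader from "fixing" it. The wildcard in `relation view_the_thing: user:*` also deserves a comment, because on its own it reads like "everyone can view": it only works because `role_binding` intersects it with `subject`, which is the sole thing keeping `user:*` from granting the world — e.g. `// user:* is intentional: a role only marks which permissions it carries; the actual subjects come from role_binding.subject`. Since `subject` and `member` both accept `group#member`, nested group membership is transitive here, which is fine but worth stating in the same comment.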