Deploy to openshift - clowder

.secrets/postgres.env

@@ -0,0 +1,3 @@
+POSTGRES_DB=authz
+POSTGRES_USER=authz
+POSTGRES_PASSWORD=supersecretpassword

README.md

@@ -69,3 +69,29 @@ docker build -t <your-docker-image-name> .
 docker run --rm -p 8000:8000 -p 9000:9000 -v </path/to/your/configs>:/data/conf <your-docker-image-name>
 ```
 
+## Deploy to a openshift cluster that has Clowder
+
+### Prerequisite 
+[bonfire](https://github.com/RedHatInsights/bonfire)
+[oc](https://docs.openshift.com/container-platform/4.8/cli_reference/openshift_cli/getting-started-cli.html) 
+
+You should have logged into a valid openshift cluster using the oc login command
+
+`oc login --token=<token> --server=<openshift server>`
+
+### Deploying the components
+
+Note: the deploy script assumes you have a valid oc login and the necessary tools are in place.
+
+The deploy script under the deploy folder, will deploy all the needed components.
+
+`./deploy.sh`
+
+- Creates a postgres pod and service (Note: No PVC)
+- Creates a spiceDB secret - that contains: a preshared key and Postgres connection URI
+- Creates a Configmap object  - that serves as a bootstrap schema for spiceDB (by default it uses the schema.yaml file under deploy)
+- Creates the spiceDB service
+- Creates the relations service
+
+You should be able to use the public route (relations-*) created by the clowder in your namespace, to use the service.
+

deploy/clowdapp.yaml

@@ -9,14 +9,26 @@ objects:
       name: ${CLOWDAPP_NAME}-spicedb
     spec:
       config:
-        datastoreEngine: memory
+        logLevel: debug
+        replicas: 1
+        datastoreEngine: postgres
+        datastoreBootstrapFiles: /etc/bootstrap/schema.yaml
       secretName: dev-spicedb-config
-  - apiVersion: v1
-    kind: Secret
-    metadata:
-      name: dev-spicedb-config
-    stringData:
-      preshared_key: "averysecretpresharedkey"
+      patches:
+      - kind: Deployment
+        patch:
+          spec:
+            template:
+              spec:
+                volumes:
+                - name:  bootstrap
+                  configMap:
+                    name: spicedb-schema
+                containers:
+                - name: spicedb
+                  volumeMounts:
+                  - name: bootstrap
+                    mountPath: /etc/bootstrap      
   - apiVersion: cloud.redhat.com/v1alpha1
     kind: ClowdApp
     metadata:

deploy/deploy.sh

@@ -0,0 +1,68 @@
+#!/bin/bash
+source ../.secrets/postgres.env
+
+# Export tags
+IMAGE=quay.io/ciam_authz/insights-rebac
+IMAGE_TAG=latest
+
+# Prepare bonfire env
+VENV_DIR=~/bonfire_venv
+mkdir -p $VENV_DIR
+python3 -m venv $VENV_DIR
+. $VENV_DIR/bin/activate
+
+# Function to check if a command is available
+command_exists() {
+  command -v "$1" >/dev/null 2>&1
+}
+
+# pre-flight checks
+if command_exists bonfire; then
+  echo "Bonfire is OK "
+else
+  echo "bonfire needs to be installed"
+  exit 1
+fi
+
+# Reserve a namespace
+bonfire namespace reserve --duration 8h
+NAMESPACE=$(oc config view --minify -o 'jsonpath={..namespace}')
+
+if [[ -z "${NAMESPACE}" ]]; then
+  echo "Namespace is not set"
+  exit 1
+fi
+echo "Using Namespace:" $NAMESPACE
+
+#Prepare the bonfire config yaml file
+currentpath=$(pwd)
+file_location=~/.config/bonfire/config.yaml
+cat > $file_location <<EOF
+apps:
+- name: relationships
+  components:
+    - name:  relationships
+      host: local
+      repo: $currentpath
+      path: clowdapp.yaml
+      parameters:
+        NAMESPACE: $NAMESPACE
+        IMAGE: $IMAGE
+        IMAGE_TAG: $IMAGE_TAG
+EOF
+
+# Create postgres pod,service and the spiceDB secret
+oc process -f postgres.yaml -p NAMESPACE=$NAMESPACE -p POSTGRES_USER=$POSTGRES_USER -p POSTGRES_PASSWORD=$POSTGRES_PASSWORD -p POSTGRES_DB=$POSTGRES_DB | oc apply --wait=true -f -
+
+# check the postgres service and secret are created
+while [[ -z $(oc get deployments.apps -n $NAMESPACE postgres -o jsonpath="{.status.readyReplicas}" 2>/dev/null) ]]; do
+  echo "still waiting for postgres"
+  sleep 1
+done
+echo "postgress is ready"
+
+# Create spiceDB bootstrap schema configmap
+oc create configmap spicedb-schema --from-file=schema.yaml -n $NAMESPACE
+
+#Deploy Relations service, spiceDB service
+bonfire deploy relationships -n $NAMESPACE --local-config-method override 

deploy/postgres.yaml

@@ -0,0 +1,80 @@
+apiVersion: template.openshift.io/v1
+kind: Template
+metadata:
+  name: relationships
+objects:
+  - apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      labels:
+        app: postgres
+      name: postgres
+      namespace: ${NAMESPACE}
+    spec:
+      selector:
+        matchLabels:
+          app: postgres
+      template:
+        metadata:
+          labels:
+            app: postgres
+        spec:
+          containers:
+          - env:
+            - name: POSTGRESQL_DATABASE
+              value: ${POSTGRES_DB}
+            - name: POSTGRESQL_USER
+              value: ${POSTGRES_USER}
+            - name: POSTGRESQL_PASSWORD
+              value: ${POSTGRES_PASSWORD}
+            - name: PGDATA
+              value: /temp/data
+            image: registry.redhat.io/rhel9/postgresql-15:1-54
+            imagePullPolicy: Always
+            name: postgres
+            ports:
+            - containerPort: 5432
+              protocol: TCP
+            resources:
+              limits:
+                cpu: 60m
+                memory: 256Mi
+              requests:
+                cpu: 30m
+                memory: 128Mi
+          restartPolicy: Always
+
+  - apiVersion: v1
+    kind: Service
+    metadata:
+      labels:
+        app: postgres
+      name: postgres
+      namespace: ${NAMESPACE}
+    spec:
+      ports:
+      - name: http
+        port: 5432
+        protocol: TCP
+      selector:
+        app: postgres
+  - apiVersion: v1
+    kind: Secret
+    metadata:
+      name: dev-spicedb-config
+    stringData:
+      preshared_key: "averysecretpresharedkey"
+      datastore_uri: postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@postgres.${NAMESPACE}.svc.cluster.local:5432/${POSTGRES_DB}?sslmode=disable
+parameters:
+  - description: Namespace to deploy into
+    name: NAMESPACE
+    value: ${NAMESPACE} 
+  - description: Postgres DB name
+    name: POSTGRES_DB
+    value: ${POSTGRES_DB}
+  - description: Postgres DB username
+    name: POSTGRES_USER
+    value: ${POSTGRES_USER}   
+  - description: Postgres DB password
+    name: POSTGRES_PASSWORD
+    value: ${POSTGRES_PASSWORD}           

deploy/schema.yaml

@@ -0,0 +1,30 @@
+schema: |-
+  definition user {}
+
+  definition group {
+    relation member: user | group#member
+  }
+
+  definition role {
+    relation view_the_thing: user:*
+  }
+
+  definition role_binding {
+    relation subject : user | group#member
+    relation granted: role
+
+    permission view_the_thing = subject & granted->view_the_thing
+  }
+
+  definition workspace {
+    relation parent: workspace
+    relation user_grant: role_binding
+
+    permission view_the_thing = user_grant->view_the_thing
+  }
+
+  definition thing {
+    relation workspace: workspace
+
+    permission view = workspace->view_the_thing
+  }