Feat: Add skaffold support (#509)

Provide possibility to deploy the keystone into the K8 using
[skaffold](https://skaffold.dev)

Author: gtema

.dockerignore

@@ -3,4 +3,5 @@ doc
 .git/
 .gitignore
 .github/
-target
+tools/
+target/

Dockerfile

@@ -1,6 +1,6 @@
 ################
 ##### Builder
-FROM rust:1.90.0-slim-bookworm AS builder
+FROM rust:1.92.0-slim-bookworm AS builder
 
 #RUN rustup target add x86_64-unknown-linux-gnu &&\
 RUN apt update &&\

doc/src/SUMMARY.md

@@ -44,3 +44,4 @@
 
 [API](./swagger-ui.html)
 [Performance comparison](performance.md)
+[Developer's guide](developer.md)

doc/src/developer.md

@@ -0,0 +1,41 @@
+# Developer's guide
+
+Running and testing the Keystone locally requires additional components. Easiest
+way to achieve it is to use the docker-compose or the `skaffold` to deploy
+components into the small Kubernetes cluster.
+
+## Skaffold
+
+When a kubernetes is available for the local development and testing the
+[skaffold](https://skaffold.dev/) can be used to deploy Keystone, OPA, database
+and the python keystone together. This is very helpful for being able to test
+the compatibility between Keystone implementations and running the API tests
+that require the system to be up and running.
+
+It is necessary to have any sort of the image registry running that can be
+accessed by the K8 to pull images from. It depends heavily on the concrete K8
+implementation since some may come with the built-in registry that the local
+docker can push directly to or that the K8 accesses the images directly from the
+local docker. When not available the registry can be easily [deployed
+locally](https://www.docker.com/blog/how-to-use-your-own-registry-2/).
+
+Skaffold can be invoked with the following command to build and push images,
+deploy kubernetes manifests and watch for the changes for reload:
+
+```console
+
+skaffold dev --default-repo localhost:5000
+
+```
+
+It might be useful to add `--cleanup=false` flag to the above command to prevent
+skaffold from tearing down all resources when the process is stopped.
+
+Currently the manifests are built to expose the Kestone within the K8 cluster
+under: `http://keystone.local` (with certain routes pointing to the python
+version and others to the rust), `http://keystone-rs.local` (rust version) and
+`http://keystone-py.local` (the python version correspondingly). Depending on
+the how the K8 is being deployed and access the Keystone may be directly
+accessible from the localhost when i.e. the routes are added in the `/etc/hosts`
+file. The manifests are not currently designed to be used for production
+deployment.

skaffold.yaml

@@ -0,0 +1,32 @@
+apiVersion: skaffold/v4beta13
+kind: Config
+metadata:
+  name: keystone
+build:
+  insecureRegistries:
+    - localhost:5000
+  artifacts:
+    - image: localhost:5000/keystone-rs
+      context: .
+      docker:
+        dockerfile: Dockerfile
+    - image: localhost:5000/keystone-opa-policies
+      context: policy
+      docker:
+        dockerfile: ../tools/Dockerfile.opa # Just FROM opa, but allows syncing
+  local:
+    useDockerCLI: true
+    #tryImportMissing: true
+manifests:
+  kustomize:
+    paths:
+      - tools/k8s/keystone/overlays/dev
+deploy:
+  kubectl: {}
+  helm:
+    releases:
+      - name: cloudnative-pg
+        repo: https://cloudnative-pg.github.io/charts
+        remoteChart: cloudnative-pg
+        createNamespace: true
+        namespace: cnpg

src/config.rs

@@ -127,7 +127,13 @@ impl Config {
         let mut builder = config::Config::builder();
 
         if std::path::Path::new(&path).is_file() {
-            builder = builder.add_source(File::from(path).format(FileFormat::Ini));
+            builder = builder
+                .add_source(File::from(path).format(FileFormat::Ini))
+                .add_source(
+                    config::Environment::with_prefix("OS")
+                        .prefix_separator("_")
+                        .separator("__"),
+                );
         }
 
         builder.try_into()
@@ -146,6 +152,3 @@ impl TryFrom<config::ConfigBuilder<config::builder::DefaultState>> for Config {
             .wrap_err("Failed to parse configuration file")
     }
 }
-
-#[cfg(test)]
-mod tests {}

src/config/common.rs

@@ -67,3 +67,7 @@ where
 pub fn default_sql_driver() -> String {
     "sql".into()
 }
+
+pub fn default_true() -> bool {
+    true
+}

src/config/policy.rs

@@ -15,10 +15,13 @@ use serde::Deserialize;
 use url::Url;
 use url_macro::url;
 
+use super::common::default_true;
+
 /// The configuration options for the API policy enforcement.
 #[derive(Clone, Debug, Deserialize)]
 pub struct PolicyProvider {
     /// Whether the policy enforcement should be enforced or not.
+    #[serde(default = "default_true")]
     pub enable: bool,
 
     /// OpenPolicyAgent instance url to use for evaluating the policy.

tools/Dockerfile.opa

@@ -0,0 +1,3 @@
+FROM docker.io/alpine
+# This preserves your entire hierarchy
+COPY . /policy

tools/k8s/keystone/overlays/dev/bootstrap-job.yaml

@@ -0,0 +1,83 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: "keystone-bootstrap"
+spec:
+  backoffLimit: 1
+  template:
+    spec:
+      initContainers:
+        - name: db-waiter
+          image: busybox:1.36.1
+          imagePullPolicy: IfNotPresent
+          command: ['sh', '-c', 'echo "Waiting for PostgreSQL to be available..."; while ! nc -z -w 1 $HOST 5432; do echo "Still waiting for postgres-service..."; sleep 2; done; echo "PostgreSQL is available! Starting application."']
+          env:
+            - name: "HOST"
+              valueFrom:
+                secretKeyRef:
+                  key: "host"
+                  name: "keystone-db-app"
+        - env:
+            - name: OS_DATABASE__CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  key: fqdn-uri
+                  name: keystone-db-app
+          image: py-keystone
+          name: keystone-db-py
+          command: [keystone-manage, db_sync]
+          volumeMounts:
+            - mountPath: /etc/keystone/keystone.conf
+              name: config
+              subPath: keystone.conf
+
+        - env:
+            - name: OS_DATABASE__CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  key: fqdn-uri
+                  name: keystone-db-app
+          image: keystone-rs
+          name: keystone-db-rs
+          command: [keystone-db, up]
+          volumeMounts:
+            - mountPath: /etc/keystone/keystone.conf
+              name: config
+              subPath: keystone.conf
+
+      containers:
+
+        - env:
+            - name: OS_DATABASE__CONNECTION
+              valueFrom:
+                secretKeyRef:
+                  key: fqdn-uri
+                  name: keystone-db-app
+          image: py-keystone
+          name: keystone-bootstrap
+          command: [keystone-manage, "bootstrap", "--bootstrap-username", "admin", "--bootstrap-password", "password", "--bootstrap-public-url", "http://keystone.local:80", "--bootstrap-internal-url", "http://keystone-rs.local:80"]
+          volumeMounts:
+            - mountPath: /etc/keystone/keystone.conf
+              name: config
+              subPath: keystone.conf
+            - mountPath: /etc/keystone/fernet-keys
+              name: fernet
+
+      volumes:
+
+        - name: "config"
+          configMap:
+            name: "keystone"
+
+        - name: "fernet"
+          secret:
+            defaultMode: 420
+            optional: false
+            secretName: "fernet-keys"
+            items:
+              - key: "k0"
+                path: "0"
+              - key: "k1"
+                path: "1"
+
+      restartPolicy: "Never"