README
¶
= Sandbox =
This repository is a consolidated codebase for everything related to sandboxes for the Red Hat Demo Platform. It contains:
* sandbox-api: The Backend API for all things sandbox.
* sandbox-issue-jwt: CLI to generate a new signed JWT login token
* sandbox-list: Interact with the AWS Sandbox DB in a read-only way.
* sandbox-metrics: Prometheus Endpoint exposing metrics.
* sandbox-replicate: AWS Lambda function to replicate changes from DynamoDB to a Postgres database.
* sandbox-rotate-vault: Program to reencrypt the IAM keys using a new secret key (ansible-vault, AES256)
== Build ==
.Build all binaries
You will need to have 'go' setup on your machine. Please use version 1.21 onwards
----
make
----
.Build separately
----
make sandbox-api
make sandbox-list
make sandbox-metrics
make sandbox-replicate
make sandbox-issue-jwt
make sandbox-rotate-vault
----
== sandbox-api ==
=== Installation ===
Create a secret file and run helm.
.secrets.yaml
----
sandbox_api_secrets:
database:
url: postgres://...
dynamodb_aws_access_key_id: ...
dynamodb_aws_secret_access_key: ...
# Secret to generate and validate JWT tokens
auth:
jwt_auth_secret: ...
# ansible-vault (AES256) key to encrypt the secret in the DB
vault:
vault_secret: ...
# AWS usser that can assume role into the accounts
aws:
assume_aws_access_key_id: ...
assume_aws_secret_access_key: ...
----
.Install chart
----
helm install -f secrets.yaml sandbox-api deploy/helm-api/
----
.Upgrade chart
----
helm upgrade -f secrets.yaml sandbox-api deploy/helm-api/
----
To initialize or update the postgresql schema, use the following:
.Run the DB migration
----
oc run admin-$$ \
--image=quay.io/rhpds/sandbox-admin:latest -i -t \
--restart=Never --rm -- /bin/bash <1>
DATABASE_URL=postgres://postgres:PASSWORD@RDS_ADDRESS.us-west-2.rds.amazonaws.com:5432/sandbox_api_dev?sslmode=require
# git clone https://github.com/rhpds/sandbox.git
# cd sandbox
# migrate github://rhpds/sandbox/db/migrations#VERSION -database $DATABASE_URL up
# For example
migrate \
-source github://rhpds/sandbox/db/migrations#main \
-database $DATABASE_URL up
----
<1> Use the rhpds/sandbox-admin image which contains all the necessary binaries and tools.
.Bootstrap an admin login token
----
oc run admin-$$ --image=quay.io/rhpds/sandbox-admin:latest -i -t --restart=Never --rm -- /bin/bash
export DATABASE_URL=postgres://postgres:PASSWORD@RDS_ADDRESS.us-west-2.rds.amazonaws.com:5432/sandbox_api_dev?sslmode=require
./sandbox-issue-jwt
[root@admin sandbox]# ./sandbox-issue-jwt
JWT Auth secret: Enter Claims in the JSON format:
for example: {"kind": "login", "name": "gucore", "role": "admin"}
{"kind": "login", "name": "gucore", "role": "admin"}
token:
[TOKEN HERE]
----
.Create an access token
----
oc run admin-$$ --image=quay.io/rhpds/sandbox-admin:latest -i -t --restart=Never --rm -- /bin/bash
logintoken=[TOKEN]
curl -H "Authorization: Bearer ${logintoken}" sandbox-api:8080/api/v1/login
[ACCESS TOKEN]
token=[ACCESS TOKEN]
# check access
curl -H "Authorization: Bearer ${token}" sandbox-api:8080/api/v1/health
----
=== Setup local development environment ===
All filed used for the local development environment are prefixed by `.dev` and are ignored by Git, see link:.gitignore[`.gitignore`]
[source,shell]
----
make run-local-pg # run postgresql locally in a Container
make migrate # Run the DB migrations to setup the db schema
# Set the following secrets, notice the heading space ' ' to avoid shell history
# IAM secrets to access AWS sandboxes
export ASSUMEROLE_AWS_SECRET_ACCESS_KEY=...
export ASSUMEROLE_AWS_ACCESS_KEY_ID=...
# IAM secrets to access dynamodb table that contains info of the AWS sandboxes
export AWS_ACCESS_KEY_ID=...
export AWS_SECRET_ACCESS_KEY=...
# AES key to encrypt sensible data in the different databases
# If you're using the dynamoDB dev database for AWS sandboxes (which you probably are)
# Then this needs to match the one in use on the DEV environment
export VAULT_SECRET=...
make issue-jwt # issue some JWT token for access
make run-api # <1>
air # <2>
----
<1> When iterating, you will be stopping and relaunching this step
<2> You can use link:https://github.com/cosmtrek/air[cosmtrek/air] instead. That will watch local files and rebuild + launch the API automatically if any changes are made.
== sandbox-replicate ==
The role of the lambda function is to replicate any changes made to the dynamoDB table into a postgresql database.
=== Push lambda ===
----
export AWS_PROFILE=infra-dev
make push-lambda
----
That will:
. Create a role, a policy and a lambda function
. Attach the policy to the role and the role to the lambda function
. Push the updated 'build/sandbox-replicate' binary to the lambda function
== sandbox-metrics ==
=== Deploy Metrics Prometheus ===
. clone this repository
+
----
git clone --depth 1 https://github.com/rhpds/sandbox sandbox
----
. If it doesn't exist yet, create an IAM user in AWS to read-only access to dynamoDB
. Create the secret file containing the key for the IAM user that has read-only access to DynamoDB
+
[source,yaml]
.`aws_sandbox_readonly.yaml`
----
aws_sandbox_metrics_secrets:
readonly:
aws_access_key_id: ...
aws_secret_access_key: ...
----
. Install the helm chart
+
----
helm install sandbox-metrics sandbox/deploy/helm-metrics/ -f aws_sandbox_readonly.yaml
----
+
Output should look like:
+
----
NAME: sandbox-metrics
LAST DEPLOYED: Thu Jun 17 09:30:04 2021
NAMESPACE: user-gucore-redhat-com
STATUS: deployed
REVISION: 1
TEST SUITE: None
----
== Create AWS sandboxes ==
Use link:playbooks[ansible playbooks].
== Conan - Sandbox Cleanup Daemon ==
See link:conan[conan].
Directories
Click to show internal directories.
Click to hide internal directories.