sandbox

module
v0.3.20 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 7, 2024 License: MIT

README

= Sandbox =

This repository is a consolidated codebase for everything related to sandboxes for the Red Hat Demo Platform. It contains:

* sandbox-api: The Backend API for all things sandbox.
* sandbox-issue-jwt: CLI to generate a new signed JWT login token
* sandbox-list:  Interact with the AWS Sandbox DB in a read-only way.
* sandbox-metrics: Prometheus Endpoint exposing metrics.
* sandbox-replicate: AWS Lambda function to replicate changes from DynamoDB to a Postgres database.
* sandbox-rotate-vault: Program to reencrypt the IAM keys using a new secret key (ansible-vault, AES256)

== Build ==

.Build all binaries

You will need to have 'go' setup on your machine. Please use version 1.21 onwards
----
make
----

.Build separately
----
make sandbox-api
make sandbox-list
make sandbox-metrics
make sandbox-replicate
make sandbox-issue-jwt
make sandbox-rotate-vault
----

== sandbox-api ==

=== Installation ===

Create a secret file and run helm.

.secrets.yaml
----
sandbox_api_secrets:
  database:
    url: postgres://...
    dynamodb_aws_access_key_id: ...
    dynamodb_aws_secret_access_key: ...
  # Secret to generate and validate JWT tokens
  auth:
    jwt_auth_secret: ...
  # ansible-vault (AES256) key to encrypt the secret in the DB
  vault:
    vault_secret: ...
  # AWS usser that can assume role into the accounts
  aws:
    assume_aws_access_key_id: ...
    assume_aws_secret_access_key: ...
----

.Install chart
----
helm install  -f secrets.yaml sandbox-api deploy/helm-api/
----

.Upgrade chart
----
helm upgrade  -f secrets.yaml sandbox-api deploy/helm-api/
----

To initialize or update the postgresql schema, use the following:

.Run the DB migration
----
oc run admin-$$  \
--image=quay.io/rhpds/sandbox-admin:latest -i -t \
--restart=Never --rm -- /bin/bash <1>

DATABASE_URL=postgres://postgres:PASSWORD@RDS_ADDRESS.us-west-2.rds.amazonaws.com:5432/sandbox_api_dev?sslmode=require

# git clone https://github.com/rhpds/sandbox.git
# cd sandbox
# migrate github://rhpds/sandbox/db/migrations#VERSION -database $DATABASE_URL up

# For example
migrate \
  -source github://rhpds/sandbox/db/migrations#main \
  -database $DATABASE_URL up
----
<1> Use the rhpds/sandbox-admin image which contains all the necessary binaries and tools.


.Bootstrap an admin login token
----
oc run admin-$$ --image=quay.io/rhpds/sandbox-admin:latest -i -t --restart=Never --rm -- /bin/bash

export DATABASE_URL=postgres://postgres:PASSWORD@RDS_ADDRESS.us-west-2.rds.amazonaws.com:5432/sandbox_api_dev?sslmode=require

./sandbox-issue-jwt
[root@admin sandbox]# ./sandbox-issue-jwt
JWT Auth secret: Enter Claims in the JSON format:
for example: {"kind": "login", "name": "gucore", "role": "admin"}
{"kind": "login", "name": "gucore", "role": "admin"}
token:
[TOKEN HERE]
----

.Create an access token
----
oc run admin-$$ --image=quay.io/rhpds/sandbox-admin:latest -i -t --restart=Never --rm -- /bin/bash

logintoken=[TOKEN]

curl -H "Authorization: Bearer ${logintoken}" sandbox-api:8080/api/v1/login

[ACCESS TOKEN]

token=[ACCESS TOKEN]
# check access
curl -H "Authorization: Bearer ${token}" sandbox-api:8080/api/v1/health
----

=== Setup local development environment ===

All filed used for the local development environment are prefixed by `.dev` and are ignored by Git, see link:.gitignore[`.gitignore`]

[source,shell]
----
make run-local-pg  # run postgresql locally in a Container
make migrate  # Run the DB migrations to setup the db schema
# Set the following secrets, notice the heading space ' ' to avoid shell history
# IAM secrets to access AWS sandboxes
 export ASSUMEROLE_AWS_SECRET_ACCESS_KEY=...
 export ASSUMEROLE_AWS_ACCESS_KEY_ID=...
# IAM secrets to access dynamodb table that contains info of the AWS sandboxes
 export AWS_ACCESS_KEY_ID=...
 export AWS_SECRET_ACCESS_KEY=...
# AES key to encrypt sensible data in the different databases
# If you're using the dynamoDB dev database for AWS sandboxes (which you probably are)
# Then this needs to match the one in use on the DEV environment
 export VAULT_SECRET=...

make issue-jwt  # issue some JWT token for access
make run-api # <1>
air # <2>
----
<1> When iterating, you will be stopping and relaunching this step
<2> You can use link:https://github.com/cosmtrek/air[cosmtrek/air] instead. That will watch local files and rebuild + launch the API automatically if any changes are made.


== sandbox-replicate ==

The role of the lambda function is to replicate any changes made to the dynamoDB table into a postgresql database.


=== Push lambda ===

----
export AWS_PROFILE=infra-dev
make push-lambda
----

That will:

. Create a role, a policy and a lambda function
. Attach the policy to the role and the role to the lambda function
. Push the updated 'build/sandbox-replicate' binary to the lambda function


== sandbox-metrics ==

=== Deploy Metrics Prometheus ===

. clone this repository
+
----
git clone --depth 1 https://github.com/rhpds/sandbox sandbox
----
. If it doesn't exist yet, create an IAM user in AWS to read-only access to dynamoDB
. Create the secret file containing the key for the IAM user that has read-only access to DynamoDB
+
[source,yaml]
.`aws_sandbox_readonly.yaml`
----
aws_sandbox_metrics_secrets:
  readonly:
    aws_access_key_id: ...
    aws_secret_access_key: ...
----
. Install the helm chart
+
----
helm install  sandbox-metrics sandbox/deploy/helm-metrics/ -f aws_sandbox_readonly.yaml
----
+
Output should look like:
+
----
NAME: sandbox-metrics
LAST DEPLOYED: Thu Jun 17 09:30:04 2021
NAMESPACE: user-gucore-redhat-com
STATUS: deployed
REVISION: 1
TEST SUITE: None
----

== Create AWS sandboxes ==

Use link:playbooks[ansible playbooks].

== Conan - Sandbox Cleanup Daemon ==

See link:conan[conan].

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL