Run Forseti in Docker on Kubernetes or Container-Optimized OS (Proof of Concept) #2335
So there's good news and bad news. 👍 The good news is that everyone that needs to sign a CLA (the pull request submitter and all commit authors) have done so. Everything is all good there. 😕 The bad news is that it appears that one or more commits were authored or co-authored by someone other than the pull request submitter. We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that here in the pull request. Note to project maintainer: This is a terminal state, meaning the
@angelsungoogle Can you please make sure that you have signed the CLA and that you have configured your GitHub env to use the correct email? I will follow up with you offline about this, in more detail.
Confirming that I would like my initial changes merged into the docker-poc branch. Kubernetes (GKE) files will be added shortly.
A Googler has manually verified that the CLAs look good. (Googler, please make sure the reason for overriding the CLA status is clearly documented in these comments.)
@angelsungoogle This pull request is to dev. I thought we were going to keep a separate docker-poc branch for now? I'm OK either way, however you think best.
@Red-Five we do have a separate branch docker-poc, which is the branch this PR is based on. For collaboration, people could continue to push to the docker-poc branch. I'm just keeping a PR here, so that docker related issues could refer to this PR for changes, and we have a summary view of what's changed compared to dev, since eventually our goal is to merge this in when we are ready |
Forseti Server Tasks
Forseti Client Tasks
* Add Docker entrypoint script to start Forseti Server in a container
* Merge all docker related changes to this branch.
* Fix entrypoint filename
* Add .dockerignore
* Update docker_entrpoint.sh comments and forseti dockerfile comments.
* Update docker_entrpoint.sh Add new line at end of file.
* Update docker_entrypoint.sh Add gsutil -DD debug flag
* Update docker_entrypoint.sh Set forseti server log level to debug
* Update docker_entrypoint.sh Remove & from forseti server command. Don't run it as background task.
* Add poc k8s_setup_forseti.sh and forseti.template.yaml
* Update comment in k8s_setup_forseti.sh
* Update k8s_setup_forseti.sh
* Add cos_setup_forseti.sh for proof of concept
* Updated k8s_setup_forseti.sh, added newline at end of file
* Update docker_entrypoint.sh Modified comments
* Update .dockerignore. Added .git and .dockerignore entries.
* Update to enable CronJob on k8s
* Fix last line in k8s_setup_forseti.sh
* wait 60s after starting server before running rest of job
* Wait 60s after starting service to allow for it to fully start
* Update forseti.template.yaml
* docker_entrypoint.sh Wait 10s after servers start forseti.template.yaml Cloud SQL v1.13, never allow concurrent cronjob
* Cloud SQL latest tag. Remove debugging.
* Fix cloud sql connection string
* Run forseti server as a background task
* Temporarily add set -x for debugging
* Modify forseti notifier run call
* Refactor Cloud SQL Proxy to run as k8s service instead of a sidecar
* Refactor Cloud SQL Proxy as k8s service instead of sidecar
* Update comment
* Use k8s env vars for Cloud SQL
* Fix Cloud SQL connection string for Service
Codecov Report
@@ Coverage Diff @@
## dev #2335 +/- ##
==========================================
+ Coverage 88.55% 88.67% +0.11%
==========================================
Files 180 180
Lines 14073 13991 -82
==========================================
- Hits 12463 12406 -57
+ Misses 1610 1585 -25
Codecov Report
@@ Coverage Diff @@
## dev #2335 +/- ##
==========================================
- Coverage 88.55% 88.44% -0.12%
==========================================
Files 180 194 +14
Lines 14073 14640 +567
==========================================
+ Hits 12463 12949 +486
- Misses 1610 1691 +81
Very rough draft, not ready yet: #2440
Thanks Duncan!
This might be worth looking into. https://cloud.google.com/knative/
Pending merge of PR #2590
* Add Docker entrypoint script to start Forseti Server in a container
* Merge all docker related changes to this branch.
* Fix entrypoint filename
* Add .dockerignore
* Update docker_entrpoint.sh comments and forseti dockerfile comments.
* Update docker_entrpoint.sh Add new line at end of file.
* Update docker_entrypoint.sh Add gsutil -DD debug flag
* Update docker_entrypoint.sh Set forseti server log level to debug
* Update docker_entrypoint.sh Remove & from forseti server command. Don't run it as background task.
* Add poc k8s_setup_forseti.sh and forseti.template.yaml
* Update comment in k8s_setup_forseti.sh
* Update k8s_setup_forseti.sh
* Add cos_setup_forseti.sh for proof of concept
* Updated k8s_setup_forseti.sh, added newline at end of file
* Update docker_entrypoint.sh Modified comments
* Update .dockerignore. Added .git and .dockerignore entries.
* Update to enable CronJob on k8s
* Fix last line in k8s_setup_forseti.sh
* wait 60s after starting server before running rest of job
* Wait 60s after starting service to allow for it to fully start
* Update forseti.template.yaml
* docker_entrypoint.sh Wait 10s after servers start forseti.template.yaml Cloud SQL v1.13, never allow concurrent cronjob
* Cloud SQL latest tag. Remove debugging.
* Fix cloud sql connection string
* Run forseti server as a background task
* Temporarily add set -x for debugging
* Modify forseti notifier run call
* Refactor Cloud SQL Proxy to run as k8s service instead of a sidecar
* Refactor Cloud SQL Proxy as k8s service instead of sidecar
* Update comment
* Use k8s env vars for Cloud SQL
* Fix Cloud SQL connection string for Service
* Refactor docker_entrypoint.sh
* Refactor docker_entrypoint.sh
* Refactor docker_entrypoint.sh
* Refactor docker_entrypoint.sh Refactor forseti.template.yaml
* Refactor forseti.template.yaml
* Refactor forseti.template.yaml
* Refactor forseti.template.yaml
* Refactor docker_entrypoint.sh
* Refactor docker_entrypoint.sh
* Refactor docker_entrypoint.sh
* Refactor docker_entrypoint.sh
* Refactor docker_entrypoint.sh
* cloudbuild.yaml cache base image to speed up builds
* cloudbuild.yaml cache base image to speed up builds
* k8s-setup-forseti.sh use latest stackdriver k8s support Change disk size docker_entrypoint.sh fix scanner command
* cloudbuild.yaml cache base image
* Rename forseti.template.yaml to forseti.cronjob.template.yaml
* Comment change
* docker_entrypoint.sh default cloud sql host and port to localhost 3306
* cos_setup_forseti.sh add --bucket
* cos_setup_forseti.sh comments
* docker_entrypoint.sh comment change
* k8s_setup_forseti.sh comment changes
* Update docker_entrypoint.sh default RUN_CRONJOB=false
* Run forseti as a k8s Cluster IP Service
* Update usage comments. Remove start_client, it's not needed. Renamed download_configuration_files to download_server_configuration_files. Added download_client_configuration_files placeholder. Modified main accordingly.
* Update usage comments.
* Turn off running server as default, set RUN_SERVER=FALSE
* Refactor variables.
* Rename forset.server.template.yaml to forseti.server.template.yaml
* k8s_setup_forseti.sh exit on error, print commands, fix if statements.
* k8s_setup_forseti.sh changed comment
* docker_entrypoint.sh modify if statements in main
* cloudbuild.yaml comment out optional unit tests step
* docker_entrpoint.sh run long lived server as foreground process, short lived cronjob as background process
* docker_entrpoint.sh run long lived server as foreground process, short lived cronjob as background process
* docker_entrpoint.sh run long lived server as foreground process, short lived cronjob as background process
* Added client_cli_setup() placeholder
* Client CLI container code
* Client CLI container code
* Client CLI container code
* Client CLI container code
* Client CLI container code
* Client CLI container code
* Client CLI container code
* Client CLI container code
* Client CLI container code
* Client CLI container code
* Client CLI container code
* Client CLI container code
* Client CLI container code
* Client CLI container code
* Client CLI container code
* Client CLI container code
* Temporarily enable StackDriver debugger. Do merge into upstream.
* Temporarily enable StackDriver debugger. Do merge into upstream.
* Temporarily enable StackDriver debugger. Do merge into upstream.
* Temporarily enable StackDriver debugger. Do merge into upstream.
* Temporarily enable StackDriver debugger. Do merge into upstream.
* Temporarily enable StackDriver debugger. Do merge into upstream.
* Temporarily enable server console log.
* Revert
* Revert "Temporarily enable StackDriver debugger. Do merge into upstream." This reverts commit b5ea186
* Revert "Temporarily enable StackDriver debugger. Do merge into upstream." This reverts commit 2fc42ae
* Revert "Temporarily enable StackDriver debugger. Do merge into upstream." This reverts commit 385f8f2
* Revert "Temporarily enable StackDriver debugger. Do merge into upstream." This reverts commit eda058f
* Temporary inventory service logging
* Temporary inventory service logging
* enable server console log
* Cloud build cache step updates.
* grpc issue investigation
* Code style fix
* Remove temporary logging code
* Update forseti.cronjob.template.yaml Change secretName
* Update cloudbuild.yaml Comment out base image cache step.
* Set allowPrivilegeEscalation: false
* Update k8s_setup_forseti.sh Minor comment and formatting changes
* Update apt_packages.txt Add cron to support running cronjobs in Docker container.
* Update forset.cronjob.template.yaml Remove explain from list of services as it's not used in k8s cronjobs
* Changes to support both k8s and docker versions of cronjob
* Update docker_entrypoint.sh Create env file needed for run_forseti.sh. Call run_forseti.sh to execute the cronjob code.
* Update cloudbuild.yaml comment out additional cache lines
* Update docker_entrypoint.sh Continuation: Code for creating server env file
* Update docker_entrypoint.sh Continuation: Code for creating server env file
* Update docker_entrypoint.sh Continuation: Code for creating server env file
* Update docker_entrypoint.sh Continuation: Code for creating server env file
* Update forseti.server.template.yaml Fix cmd args.
* Update docker_entrypoint.sh Continuation: Code for creating server env file
* Update docker_entrypoint.sh Continuation: Code for creating server env file
* Update docker_entrypoint.sh Continuation: Code for creating server env file
* Update docker_entrypoint.sh Continuation: Code for creating server env file
* Update docker_entrypoint.sh Continuation: Code for creating server env file
* Update docker_entrypoint.sh Continuation: Code for creating server env file
* Update docker_entrypoint.sh Continuation: Code for creating server env file
* Update docker_entrypoint.sh Continuation: Code for creating server env file
* Update docker_entrypoint.sh Continuation: Code for creating server env file
* Update docker_entrypoint.sh Continuation: Code for creating server env file
* Update docker_entrypoint.sh Continuation: Code for creating server env file
* Update docker_entrypoint.sh Continuation: Code for creating server env file
* Update docker_entrypoint.sh Continuation: Code for creating server env file
* Update docker_entrypoint.sh Continuation: Code for creating server env file
* Update docker_entrypoint.sh Continuation: Code for creating server env file
* Rename client key file
* Add disk type option
* Try a workaround for the env setup issue.
* Added flag to optionally create cluster
* Run server as background process if running as k8s CronJob or Docker based cron process is running in the same container
* Docker cronjob support
* Docker cronjob support
* Docker cronjob support
* Docker cronjob support
* Docker cronjob support
* Docker cronjob support
* Docker cronjob support
* Docker cronjob support
* Cache base image
* Cache base image
* Cache base image
* allowPrivilegeEscalation: false in all k8s deployment templates
* Source client env script in .bashrc
Thank you so much for pulling all these together! Please ack the CLA one more time.
I have signed CLA and agree to all these changes going into dev branch.
# Install the CloudSDK for `gcloud`.
RUN curl -sSL https://sdk.cloud.google.com 1> /dev/null | bash
# Install Google Cloud SDK
RUN curl -sSL https://sdk.cloud.google.com | bash
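Review bot: the new `RUN curl -sSL https://sdk.cloud.google.com | bash` line executes whatever that endpoint serves at build time, so the image is neither reproducible nor verifiable; pin a specific versioned SDK archive and check its checksum before unpacking, or install the packaged SDK from Google's signed apt repository, which fits the apt-based package list this PR already maintains in `apt_packages.txt`. Dropping the old line's `1> /dev/null` is correct: placed before the pipe, that redirect sent curl's output to /dev/null instead of to `bash`, so the earlier step silently installed nothing. Whichever user runs this `RUN` step ends up owning the installed SDK, which is the root-versus-non-root question raised in the review below; installing as the intended runtime user (or `chown`-ing the install directory to it) avoids that.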
How to install Google Cloud SDK so that it doesn't require root to use it?
Run chmod or chown?
Adding
Many thanks to @Red-Five for pulling up these changes and fixes! Please feel free to contribute.
@andreyk-code is the Kubernetes subject matter expert and will be the peer reviewer for @Red-Five's work here.
Thanks for opening a Pull Request!
Here's a handy checklist to ensure your PR goes smoothly.
`pylint --rcfile=pylintrc` passes.
These guidelines and more can be found in our contributing guidelines.