Run Forseti in Docker on Kubernetes or Container-Optimized OS (Proof of Concept)

[angelsungoogle]

Many thanks to @Red-Five for pulling up these changes and fixes! Please feel free to contribute.

@andreyk-code is Kubernetes subject matter expert and will the peer reviewer for @Red-Five work here.

Thanks for opening a Pull Request!

Here's a handy checklist to ensure your PR goes smoothly.

• I signed Google's Contributor License Agreement
• My code conforms to Google's python style.
• My PR at a minimum doesn't decrease unit-test coverage (if applicable).
• My PR has been functionally tested.
• All of the unit-tests still pass.
• Running pylint --rcfile=pylintrc passes.

These guidelines and more can be found in our contributing guidelines.

[googlebot]

So there's good news and bad news.

👍 The good news is that everyone that needs to sign a CLA (the pull request submitter and all commit authors) have done so. Everything is all good there.

😕 The bad news is that it appears that one or more commits were authored or co-authored by someone other than the pull request submitter. We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that here in the pull request.

Note to project maintainer: This is a terminal state, meaning the cla/google commit status will not change from this state. It's up to you to confirm consent of all the commit author(s), set the cla label to yes (if enabled on your project), and then merge this pull request when appropriate.

[blueandgold]

@angelsungoogle Can you please make sure that you have sign the CLA and that you have configured your github env to use the correct email? I will follow-up with you offline about this, in more detail.

[Red-Five]

😕 The bad news is that it appears that one or more commits were authored or co-authored by someone other than the pull request submitter. We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that here in the pull request.

Confirming that I would like my initial changes merged into the docker-poc branch.

Kubernetes (GKE) files will be added shortly.

[googlebot]

A Googler has manually verified that the CLAs look good.

(Googler, please make sure the reason for overriding the CLA status is clearly documented in these comments.)

[Red-Five]

@angelsungoogle This pull request is to dev. I thought we were going to keep a separate docker-poc branch for now? I'm OK either way, however you think best.

[angelsungoogle]

@Red-Five we do have a separate branch docker-poc, which is the branch this PR is based on. For collaboration, people could continue to push to the docker-poc branch. I'm just keeping a PR here, so that docker related issues could refer to this PR for changes, and we have a summary view of what's changed compared to dev, since eventually our goal is to merge this in when we are ready

[angelsungoogle]

the docker poc branch

[Red-Five]

Forseti Server Tasks

• cloudbuild.yaml file path fix
• cloudbuild.yaml unittest step
• base dockerfile Google SDK Install
• Add docker_entrypoint.sh
• docker_entrypoint.sh: add var to toggle debugging
• docker_entrypoint.sh: add var to control which services to run in container
• Kubernetes CronJob Deployment file
• Kubernetes Services Deployment file
• Script to spin up GKE cluster, add credential secret and deploy app.
• Server on Container Optimized OS (cos)
• Cron job on Container Optimized OS (cos)
• Cron job on long running GKE server
• Supporting documentation in Docker FAQ

Forseti Client Tasks

• GKE Deployment File

[codecov]

Codecov Report

Merging #2335 into dev will increase coverage by 0.11%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##              dev    #2335      +/-   ##
==========================================
+ Coverage   88.55%   88.67%   +0.11%     
==========================================
  Files         180      180              
  Lines       14073    13991      -82     
==========================================
- Hits        12463    12406      -57     
+ Misses       1610     1585      -25

Impacted Files	Coverage Δ
...d/forseti/scanner/scanners/enabled_apis_scanner.py	84.61% <0%> (-4.97%)	⬇️
google/cloud/forseti/scanner/scanner_builder.py	86.95% <0%> (-2.33%)	⬇️
...loud/forseti/scanner/scanners/iam_rules_scanner.py	77.89% <0%> (-2.33%)	⬇️
.../cloud/forseti/services/model/importer/importer.py	91.35% <0%> (-0.31%)	⬇️
google/cloud/forseti/scanner/scanner.py	90.56% <0%> (-0.18%)	⬇️
...canner/scanners/external_project_access_scanner.py	86.59% <0%> (-0.14%)	⬇️
google/cloud/forseti/services/cli.py	85.4% <0%> (-0.12%)	⬇️
google/cloud/forseti/services/client.py	77.72% <0%> (ø)	⬆️
...cloud/forseti/services/inventory/base/resources.py	85.93% <0%> (+0.19%)	⬆️
...oogle/cloud/forseti/services/inventory/base/gcp.py	96.7% <0%> (+0.22%)	⬆️
... and 7 more

[codecov]

Codecov Report

Merging #2335 into dev will decrease coverage by 0.11%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##              dev    #2335      +/-   ##
==========================================
- Coverage   88.55%   88.44%   -0.12%     
==========================================
  Files         180      194      +14     
  Lines       14073    14640     +567     
==========================================
+ Hits        12463    12949     +486     
- Misses       1610     1691      +81

Impacted Files	Coverage Δ
...d/forseti/scanner/scanners/enabled_apis_scanner.py	84.61% <0%> (-4.97%)	⬇️
google/cloud/forseti/scanner/scanner_builder.py	86.95% <0%> (-2.33%)	⬇️
...loud/forseti/scanner/scanners/iam_rules_scanner.py	77.89% <0%> (-2.33%)	⬇️
.../cloud/forseti/services/model/importer/importer.py	91.35% <0%> (-0.31%)	⬇️
google/cloud/forseti/scanner/scanner.py	90.56% <0%> (-0.18%)	⬇️
...canner/scanners/external_project_access_scanner.py	86.59% <0%> (-0.14%)	⬇️
google/cloud/forseti/services/cli.py	85.4% <0%> (-0.12%)	⬇️
google/cloud/forseti/services/client.py	77.72% <0%> (ø)	⬆️
...cloud/forseti/services/server_config/server_pb2.py	100% <0%> (ø)
...ogle/cloud/forseti/services/explain/explain_pb2.py	100% <0%> (ø)
... and 21 more

[googlebot]

So there's good news and bad news.

👍 The good news is that everyone that needs to sign a CLA (the pull request submitter and all commit authors) have done so. Everything is all good there.

😕 The bad news is that it appears that one or more commits were authored or co-authored by someone other than the pull request submitter. We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that here in the pull request.

Note to project maintainer: This is a terminal state, meaning the cla/google commit status will not change from this state. It's up to you to confirm consent of all the commit author(s), set the cla label to yes (if enabled on your project), and then merge this pull request when appropriate.

[googlebot]

A Googler has manually verified that the CLAs look good.

(Googler, please make sure the reason for overriding the CLA status is clearly documented in these comments.)

[Red-Five]

The next steps will likely be to make a forseti.service.template.yaml following the GKE Service Tutorial, and add something like a if statement here

Very rough draft, not ready yet: #2440

[angelsungoogle]

Thanks Duncan!
@blueandgold our favorite client has just done the work for us, right before Christmas XD

[Red-Five]

This might be worth looking into. https://cloud.google.com/knative/

[angelsungoogle]

@blueandgold

[codecov]

Codecov Report

Merging #2335 into dev will decrease coverage by 0.2%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##              dev    #2335      +/-   ##
==========================================
- Coverage   88.62%   88.41%   -0.21%     
==========================================
  Files         189      203      +14     
  Lines       14953    15602     +649     
==========================================
+ Hits        13252    13795     +543     
- Misses       1701     1807     +106

Impacted Files	Coverage Δ
...cloud/forseti/services/server_config/server_pb2.py	100% <0%> (ø)
...ogle/cloud/forseti/services/explain/explain_pb2.py	100% <0%> (ø)
google/cloud/forseti/enforcer/enforcer_log_pb2.py	100% <0%> (ø)
.../forseti/services/server_config/server_pb2_grpc.py	47.05% <0%> (ø)
...ogle/cloud/forseti/services/scanner/scanner_pb2.py	100% <0%> (ø)
google/cloud/forseti/services/model/model_pb2.py	100% <0%> (ø)
...cloud/forseti/services/scanner/scanner_pb2_grpc.py	52.63% <0%> (ø)
...d/forseti/services/inventory/inventory_pb2_grpc.py	53.84% <0%> (ø)
...le/cloud/forseti/services/notifier/notifier_pb2.py	100% <0%> (ø)
...le/cloud/forseti/enforcer/enforcer_log_pb2_grpc.py	0% <0%> (ø)
... and 4 more

[googlebot]

So there's good news and bad news.

👍 The good news is that everyone that needs to sign a CLA (the pull request submitter and all commit authors) have done so. Everything is all good there.

😕 The bad news is that it appears that one or more commits were authored or co-authored by someone other than the pull request submitter. We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that here in the pull request.

Note to project maintainer: This is a terminal state, meaning the cla/google commit status will not change from this state. It's up to you to confirm consent of all the commit author(s), set the cla label to yes (if enabled on your project), and then merge this pull request when appropriate.

[Red-Five]

Pending merge of PR #2590

[blueandgold]

Thank you so much for pulling all these together! Please ack the CLA one more time.

[Red-Five]

I have signed CLA and agree to all these changes going into dev branch.

[Red-Five]

How to install Google Cloud SDK so that it doesn't require root to use it?

[blueandgold]

Run chmod or chown?

[blueandgold]

Adding cla: yes label, as all commit authors have contributed to this project.