feat: permit pdp in docker stack (#1697)

* feat: permit pdp in docker stack

* nit

* feat: add permit args to docker stack

* fix: permit args

Makefile

@@ -41,6 +41,7 @@ MONGO_INITDB_ROOT_USERNAME?=mongodb
 MONGO_INITDB_ROOT_PASSWORD?=password
 STRIPE_SECRET_KEY?=""
 AUTH_JWTSIGNING_PRIVATE_KEY?=""
+PERMIT_API_KEY?=""
 
 DD_ENV=$(SHUTTLE_ENV)
 ifeq ($(SHUTTLE_ENV),production)
@@ -127,7 +128,8 @@ DOCKER_COMPOSE_ENV=\
 	COMPOSE_PROFILES=$(COMPOSE_PROFILES)\
 	DOCKER_SOCK=$(DOCKER_SOCK)\
 	SHUTTLE_ENV=$(SHUTTLE_ENV)\
-	SHUTTLE_SERVICE_VERSION=$(SHUTTLE_SERVICE_VERSION)
+	SHUTTLE_SERVICE_VERSION=$(SHUTTLE_SERVICE_VERSION)\
+	PERMIT_API_KEY=$(PERMIT_API_KEY)
 
 .PHONY: clean deep-clean images the-shuttle-images shuttle-% postgres otel deploy test docker-compose.rendered.yml up down
 

auth/src/args.rs

@@ -39,16 +39,13 @@ pub struct StartArgs {
     /// Address to reach the permit.io API at
     #[arg(long, default_value = "https://api.eu-central-1.permit.io")]
     pub permit_api_uri: Uri,
-
     /// Address to reach the permit.io PDP at
     #[arg(long, default_value = "http://permit-pdp:7000")]
     pub permit_pdp_uri: Uri,
-
     /// Permit environment to use
     #[arg(long, default_value = "local")]
-    pub permit_environment: String,
-
-    /// Permit environment to use
+    pub permit_env: String,
+    /// Permit API key
     #[arg(long, default_value = "permit_")]
     pub permit_api_key: String,
 }

auth/src/lib.rs

@@ -27,7 +27,7 @@ pub async fn start(pool: PgPool, args: StartArgs) -> io::Result<()> {
             args.permit_api_uri,
             args.permit_pdp_uri,
             "default".to_string(),
-            args.permit_environment,
+            args.permit_env,
             &args.permit_api_key,
         ))
         .with_jwt_signing_private_key(args.jwt_signing_private_key)

docker-compose.dev.yml

@@ -68,6 +68,8 @@ services:
       - "--stripe-secret-key=${STRIPE_SECRET_KEY}"
       # used only for local development
       - "--jwt-signing-private-key=LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1DNENBUUF3QlFZREsyVndCQ0lFSUR5V0ZFYzhKYm05NnA0ZGNLTEwvQWNvVUVsbUF0MVVKSTU4WTc4d1FpWk4KLS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQo="
+      - "--permit-api=https://api.eu-central-1.permit.io"
+      - "--permit-api-key=${PERMIT_API_KEY}"
   otel-collector:
     ports:
       - 4317:4317
@@ -116,3 +118,6 @@ services:
       - 8004:8000
       # the shared postgres already uses 5432
       - 5434:5432
+  permit-pdp:
+    environment:
+      - PDP_DEBUG=True

docker-compose.yml

@@ -21,6 +21,8 @@ networks:
 services:
   auth:
     image: "${CONTAINER_REGISTRY}/auth:${AUTH_TAG}"
+    depends_on:
+      - permit-pdp
     ports:
       - 8008:8000
     deploy:
@@ -52,6 +54,10 @@ services:
       - "--address=0.0.0.0:8000"
       - "--stripe-secret-key=${STRIPE_SECRET_KEY}"
       - "--jwt-signing-private-key=${AUTH_JWTSIGNING_PRIVATE_KEY}"
+      - "--permit-api-uri=https://api.eu-central-1.permit.io"
+      - "--permit-pdp-uri=http://permit-pdp:7000"
+      - "--permit-env=${SHUTTLE_ENV}"
+      - "--permit-api-key=${PERMIT_API_KEY}"
     healthcheck:
       test: curl -f -s http://localhost:8000
       interval: 1m
@@ -66,6 +72,7 @@ services:
     depends_on:
       - provisioner
       - auth
+      - permit-pdp
     ports:
       - 7999:7999
       - 8000:8000
@@ -116,6 +123,10 @@ services:
       - "--proxy-fqdn=${APPS_FQDN}"
       - "--use-tls=${USE_TLS}"
       - "--admin-key=${GATEWAY_ADMIN_KEY}"
+      - "--permit-api-uri=https://api.eu-central-1.permit.io"
+      - "--permit-pdp-uri=http://permit-pdp:7000"
+      - "--permit-env=${SHUTTLE_ENV}"
+      - "--permit-api-key=${PERMIT_API_KEY}"
     healthcheck:
       test: curl -f -s http://localhost:8001
       interval: 1m
@@ -265,3 +276,17 @@ services:
       placement:
         constraints:
           - node.hostname==controller
+  permit-pdp:
+    image: docker.io/permitio/pdp-v2:0.2.37
+    restart: always
+    environment:
+      - PDP_CONTROL_PLANE=${PERMIT_API}
+      - PDP_API_KEY=${PERMIT_API_KEY}
+    ports:
+      - 7000:7000
+    networks:
+      user-net:
+    deploy:
+      placement:
+        constraints:
+          - node.hostname==controller

gateway/src/args.rs

@@ -77,6 +77,7 @@ pub struct ContextArgs {
     /// Api key for the user that has rights to start deploys
     #[arg(long, default_value = "gateway4deployes")]
     pub deploys_api_key: String,
+
     /// Maximum number of containers to start on this node before blocking cch projects
     #[arg(long, default_value = "900")]
     pub cch_container_limit: u32,
@@ -87,6 +88,19 @@ pub struct ContextArgs {
     #[arg(long, default_value = "990")]
     pub hard_container_limit: u32,
 
+    /// Address to reach the permit.io API at
+    #[arg(long, default_value = "https://api.eu-central-1.permit.io")]
+    pub permit_api_uri: Uri,
+    /// Address to reach the permit.io PDP at
+    #[arg(long, default_value = "http://permit-pdp:7000")]
+    pub permit_pdp_uri: Uri,
+    /// Permit environment to use
+    #[arg(long, default_value = "local")]
+    pub permit_env: String,
+    /// Permit API key
+    #[arg(long, default_value = "permit_")]
+    pub permit_api_key: String,
+
     /// Allow tests to set some extra /etc/hosts
     pub extra_hosts: Vec<String>,
 }

gateway/src/lib.rs

@@ -570,6 +570,10 @@ pub mod tests {
                     cch_container_limit: 1,
                     soft_container_limit: 2,
                     hard_container_limit: 3,
+                    permit_api_uri: Default::default(), // TODO: will need mock?
+                    permit_pdp_uri: Default::default(), // TODO: will need mock?
+                    permit_env: Default::default(),     // TODO: will need mock?
+                    permit_api_key: Default::default(), // TODO: will need mock?
 
                     // Allow access to the auth on the host
                     extra_hosts: vec!["host.docker.internal:host-gateway".to_string()],