Add support for deploying app in kubernetes

.gitignore

@@ -3,6 +3,7 @@
 # would ignore tools/ directories in dependencies, causing CI issues that are
 # hard to debug locally.
 builds/compserv-server
+builds/compserv-migrate
 tools/golangci-lint
 tools/kubectl
 tools/migrate

Dockerfile

@@ -2,6 +2,7 @@ FROM golang:1.18
 
 WORKDIR /app
 
+COPY migrations ./migrations/
 COPY Makefile ./Makefile
 COPY cmd ./cmd
 COPY pkg ./pkg

Makefile

@@ -26,7 +26,8 @@ $(TOOLS_DIR):
 
 .PHONY: build
 build: $(BUILDS_DIR)
-	go build -o $(BUILDS_DIR) cmd/compserv-server.go
+	go build -o $(BUILDS_DIR) cmd/server/compserv-server.go
+	go build -o $(BUILDS_DIR) cmd/migrate/compserv-migrate.go
 
 .PHONY: build-image
 build-image: $(BUILDS_DIR)
@@ -101,7 +102,9 @@ $(TOOLS_DIR)/golangci-lint:
 
 .PHONY: deploy
 deploy: $(TOOLS_DIR)/kubectl
+	sed -e 's%quay.io/compliance-service/compserv:latest%$(IMAGE_REPO):$(TAG)%' kustomize/deployment.yaml -i
 	$(KUBECTL) apply -k kustomize
+	sed -e 's%$(IMAGE_REPO):$(TAG)%quay.io/compliance-service/compserv:latest%' kustomize/deployment.yaml -i
 
 .PHONY: undeploy
 undeploy: $(TOOLS_DIR)/kubectl

cmd/migrate/compserv-migrate.go

@@ -0,0 +1,86 @@
+package main
+
+import (
+	"database/sql"
+	"errors"
+	"flag"
+	"log"
+	"net"
+	"time"
+
+	"github.com/golang-migrate/migrate/v4"
+	"github.com/golang-migrate/migrate/v4/database/postgres"
+	_ "github.com/golang-migrate/migrate/v4/source/file" // Necessary to invoke migrations from files
+	config "github.com/rhmdnd/compserv/pkg/config"
+	"github.com/spf13/viper"
+)
+
+func main() {
+	configDir := flag.String("config-dir", "configs/",
+		"Path to YAML configuration directory containing a config.yaml file.")
+	configFile := flag.String("config-file", "config.yaml",
+		"File name of the service config")
+	flag.Parse()
+	v := config.ParseConfig(*configDir, *configFile)
+	db := getDatabaseConnection(v)
+	log.Printf("Connected to database: %v", v.GetString("database.host"))
+	driver, err := postgres.WithInstance(db, &postgres.Config{})
+	if err != nil {
+		log.Fatalf("Unable to initialize database driver for migrations: %s", err)
+	}
+	// The file path to the migration could be a configuration option, but
+	// I'm not sure how useful that would be since they're copied into the
+	// container during the build process. Might only be useful for people
+	// building their own container images.
+	m, err := migrate.NewWithDatabaseInstance("file:///app/migrations", "postgres", driver)
+	if err != nil {
+		log.Fatalf("Unable to initialize migrations: %s", err)
+	}
+	if err := m.Up(); err != nil {
+		log.Fatalf("Unable to upgrade the database: %s", err)
+	}
+	version, _, err := m.Version()
+	if err != nil {
+		log.Fatalf("Unable to determine database version: %s", err)
+	}
+	log.Printf("Database successful migrated to version %d", version)
+}
+
+func getDatabaseConnection(v *viper.Viper) *sql.DB {
+	// This should be updated so that we don't have to disable ssl
+	connStr := config.GetDatabaseConnectionString(v) + " sslmode=disable"
+
+	db, err := sql.Open("postgres", connStr)
+	if err != nil {
+		log.Fatalf("Unable to initialize connection to database: %s", err)
+	}
+
+	// Wait up to 30 seconds to establish a connection with the database.
+	// Remove this logic when we have the ability to set retries in the
+	// database connection directly
+	// (https://github.com/golang/go/issues/48309).
+	for i := 0; i < 10; i++ {
+		if err := db.Ping(); err != nil {
+			// We should only retry if we're dealing with a network
+			// issue of some kind. No amount of retries is going to
+			// fix incorrect credentials.
+			var netError *net.OpError
+			if errors.As(err, &netError) {
+				log.Fatalf("Retrying database connection due to error: %s", err)
+				// Linting says we shouldn't use the following:
+				// time.Sleep(3 * time.Second)
+				// but we can't use
+				// duration := 3
+				// time.Sleep(duration * time.Second)
+				// which causes a type mismatch.
+				duration, _ := time.ParseDuration("0m3s")
+				time.Sleep(duration)
+				continue
+			} else {
+				log.Fatalf("Unable to establish connection to database: %s", err)
+			}
+		}
+	}
+
+	return db
+}

go.mod

@@ -12,7 +12,6 @@ require (
 	google.golang.org/protobuf v1.28.1
 	gorm.io/driver/postgres v1.3.9
 	gorm.io/gorm v1.23.8
-	k8s.io/apimachinery v0.22.5
 	k8s.io/client-go v0.22.5
 )
 
@@ -68,6 +67,7 @@ require (
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/api v0.22.5 // indirect
+	k8s.io/apimachinery v0.22.5 // indirect
 	k8s.io/klog/v2 v2.30.0 // indirect
 	k8s.io/utils v0.0.0-20210930125809-cb0fa318a74b // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.1.2 // indirect

kustomize/configmap.yaml

@@ -0,0 +1,14 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: compserv-config
+  namespace: compserv
+data:
+  config: |
+    database:
+      host: "postgres.compserv"
+      username: "postgres"
+      password:
+        provider: "kubernetes"
+        secret_name: "postgres-secret"
+        secret_namespace: "compserv"

kustomize/deployment.yaml

@@ -1,3 +1,4 @@
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -20,7 +21,11 @@ spec:
         name: postgres
         env:
           - name: PGDATA
-            value: /var/lib/postgres/data
+            value: /var/lib/postgres/data/compliance
+          - name: POSTGRES_DB
+            value: compliance
+          - name: POSTGRES_USER
+            value: postgres
           - name: POSTGRES_PASSWORD
             valueFrom:
               secretKeyRef:
@@ -30,8 +35,55 @@ spec:
           - containerPort: 5432
             name: postgres
         volumeMounts:
-          - name: postgres-persistent-storage
-            mountPath: /var/lib/postgres
+          - name: postgres-pv
+            mountPath: /var/lib/postgres/data/
+            subPath: compliance
       volumes:
-        - name: postgres-persistent-storage
-          emptyDir: {}
+        - name: postgres-pv
+          persistentVolumeClaim:
+            claimName: postgres-pvc
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: compserv
+  labels:
+    app: compserv
+spec:
+  selector:
+    matchLabels:
+      app: compserv
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app: compserv
+    spec:
+      initContainers:
+      - image: quay.io/compliance-service/compserv:latest
+        name: compserv-init
+        command: ["/app/builds/compserv-migrate", "--config-dir", "config/", "--config-file", "config.yaml"]
+        volumeMounts:
+        - name: compserv-config
+          mountPath: "/app/config"
+          readOnly: true
+      containers:
+      - image: quay.io/compliance-service/compserv:latest
+        name: compserv
+        ports:
+          - containerPort: 50051
+            name: grpc
+        volumeMounts:
+        - name: compserv-config
+          mountPath: "/app/config"
+          readOnly: true
+        command: ["/app/builds/compserv-server", "--config-dir", "config/", "--config-file", "config.yaml"]
+      serviceAccountName: compserv-sa
+      volumes:
+        - name: compserv-config
+          configMap:
+            name: compserv-config
+            items:
+              - key: config
+                path: "config.yaml"

kustomize/kustomization.yaml

@@ -1,7 +1,10 @@
 namespace: compserv
 resources:
   - namespace.yaml
-  - deployment.yaml
   - service.yaml
+  - service-account.yaml
+  - persistent-disk.yaml
+  - deployment.yaml
   - secret.yaml
-
+  - configmap.yaml
+  - rbac.yaml

kustomize/persistent-disk.yaml

@@ -0,0 +1,17 @@
+# The volume created dynamically from this claim will be reclaimed when the pod
+# is gone. Is that the behavior we want or do we want to create a persistent
+# volume directly and use that?
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  labels:
+    app: postgres
+  name: postgres-pvc
+spec:
+  storageClassName: "gp2"
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 20Gi

kustomize/rbac.yaml

@@ -0,0 +1,25 @@
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: compserv-service-account-role
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: compserv-service-account-role
+subjects:
+  - kind: ServiceAccount
+    name: compserv-sa
+    namespace: compserv
+roleRef:
+  kind: Role
+  name: compserv-service-account-role
+  apiGroup: rbac.authorization.k8s.io

kustomize/service-account.yaml

@@ -0,0 +1,6 @@
+
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: compserv-sa