saveourtool · nulls · Sep 28, 2022 · Sep 26, 2022 · Sep 26, 2022 · Sep 26, 2022
diff --git a/api-gateway/src/main/resources/application-dev.yml b/api-gateway/src/main/resources/application-dev.yml
@@ -3,6 +3,8 @@ gateway:
     url: http://localhost:5800
   frontend:
     url: http://localhost:5810
+  sandbox:
+    url: http://localhost:5400
 spring:
   security:
     oauth2:

diff --git a/api-gateway/src/main/resources/application.yml b/api-gateway/src/main/resources/application.yml
@@ -9,6 +9,8 @@ gateway:
     url: http://frontend:5810
   grafana:
     url: http://grafana:9100
+  sandbox:
+    url: http://sandbox:5400
 management:
   endpoints:
     web:
@@ -50,6 +52,14 @@ spring:
           uri: ${gateway.grafana.url}
           predicates:
             - Path=/grafana/**
+        - id: sandbox-api_route
+          uri: ${gateway.sandbox.url}
+          predicates:
+            - Path=/sandbox/api/**
+          filters:
+            # If SESSION cookie is passed to downstream, it is then removed, because downstream discards it
+            - RemoveRequestHeader=Cookie
+            - ConvertAuthorizationHeader=
 
 ---
 spring:

diff --git a/buildSrc/src/main/kotlin/com/saveourtool/save/buildutils/DockerStackConfiguration.kt b/buildSrc/src/main/kotlin/com/saveourtool/save/buildutils/DockerStackConfiguration.kt
@@ -105,6 +105,7 @@ fun Project.createStackDeployTask(profile: String) {
                     FRONTEND_TAG=${defaultVersionOrProperty("frontend.dockerTag")}
                     GATEWAY_TAG=${defaultVersionOrProperty("gateway.dockerTag")}
                     ORCHESTRATOR_TAG=${defaultVersionOrProperty("orchestrator.dockerTag")}
+                    SANDBOX_TAG=${defaultVersionOrProperty("sandbox.dockerTag")}
                     PREPROCESSOR_TAG=${defaultVersionOrProperty("preprocessor.dockerTag")}
                     PROFILE=$profile
                 """.trimIndent()

diff --git a/docker-compose.yaml b/docker-compose.yaml
@@ -33,6 +33,30 @@ services:
       labels:
         - "prometheus-job=save-orchestrator"
     logging: *loki-logging-jvm
+  sandbox:
+    image: ghcr.io/saveourtool/save-sandbox:${SANDBOX_TAG}
+    user: root  # to access host's docker socket
+    environment:
+      - "SPRING_PROFILES_ACTIVE=${PROFILE}"
+      - "MYSQL_USER=/run/secrets/db_username"
+      - "MYSQL_PASSWORD_FILE=/run/secrets/db_password"
+    secrets:
+      - db_username
+      - db_password
+      - db_url
+    ports:
+      - "5400:5400"
+    volumes:
+      - "/var/run/docker.sock:/var/run/docker.sock"
+      - /home/saveu/configs/sandbox:/home/cnb/config
+      - save-fs-storage:/home/cnb/files
+      - save-tmp-resources:/tmp
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
+    deploy:
+      labels:
+        - "prometheus-job=save-sandbox"
+    logging: *loki-logging-jvm
   backend:
     image: ghcr.io/saveourtool/save-backend:${BACKEND_TAG}
     environment:

diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
@@ -84,6 +84,7 @@ spring-boot-starter-test = { module = "org.springframework.boot:spring-boot-star
 spring-boot-starter-data-jpa = { module = "org.springframework.boot:spring-boot-starter-data-jpa" }
 spring-boot-starter-quartz = { module = "org.springframework.boot:spring-boot-starter-quartz" }
 spring-boot-starter-security = { module = "org.springframework.boot:spring-boot-starter-security" }
+spring-boot = { module = "org.springframework.boot:spring-boot" }
 spring-boot-configuration-processor = { module = "org.springframework.boot:spring-boot-configuration-processor", version.ref = "spring-boot" }
 spring-security-core = { module = "org.springframework.security:spring-security-core" }
 spring-security-oauth2-client = { module = "org.springframework.security:spring-security-oauth2-client" }

diff --git a/save-backend/src/main/resources/META-INF/spring.factories b/save-backend/src/main/resources/META-INF/spring.factories
@@ -1 +1 @@
-org.springframework.boot.env.EnvironmentPostProcessor=com.saveourtool.save.backend.postprocessor.DockerSecretsDatabaseProcessor
+org.springframework.boot.env.EnvironmentPostProcessor=com.saveourtool.save.spring.postprocessor.DockerSecretsDatabaseProcessor
diff --git a/save-cloud-charts/save-cloud/templates/sandbox-configmap.yaml b/save-cloud-charts/save-cloud/templates/sandbox-configmap.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Values.sandbox.name }}-config
+data:
+  application.properties: |
+    sandbox.backendUrl=http://backend/internal
+
+    sandbox.kubernetes.apiServerUrl=http://kubernetes.default.svc
+    sandbox.kubernetes.serviceAccount=${POD_SERVICE_ACCOUNT}
+    sandbox.kubernetes.namespace=${POD_NAMESPACE}
+
+    server.shutdown=graceful
+    management.endpoints.web.exposure.include=*
+    sandbox.agent-settings.orchestrator-url=http://{{ .Values.sandbox.name }}
+    sandbox.agent-settings.backend-url=http://{{ .Values.sandbox.name }}
+    sandbox.agent-settings.debug=true
+
+    sandbox.test-resources.tmp-path=/tmp/save/resources
+
+    logging.level.com.saveourtool.save.orchestrator.kubernetes=DEBUG
+
+    {{ if .Values.sandbox.applicationProperties }}
+    {{- .Values.sandbox.applicationProperties | nindent 4 }}
+    {{ end }}
diff --git a/save-cloud-charts/save-cloud/templates/sandbox-deployment.yaml b/save-cloud-charts/save-cloud/templates/sandbox-deployment.yaml
@@ -0,0 +1,125 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: sandbox
+  labels:
+    {{- include "common.labels" (merge (dict "service" .Values.sandbox) .) | nindent 4 }}
+spec:
+  selector:
+    matchLabels:
+      io.kompose.service: sandbox
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        {{- include "pod.common.labels" (merge (dict "service" .Values.sandbox ) .) | nindent 8 }}
+      annotations:
+        {{- include "pod.common.annotations" (dict "service" .Values.backend ) | nindent 8 }}
+    spec:
+      serviceAccountName: sandbox-sa
+      restartPolicy: Always
+      {{- if .Values.sandbox.nodeName }}
+      nodeName: {{ .Values.sandbox.nodeName }}
+      {{- end }}
+      {{- include "cnb.securityContext" . | nindent 6 }}
+      containers:
+        - name: sandbox
+          {{- include "spring-boot.common" (merge (dict "service" .Values.sandbox) .) | nindent 10 }}
+          env:
+            {{- include "spring-boot.common.env" (merge (dict "service" .Values.sandbox) .) | nindent 12 }}
+            - name: HOST_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.hostIP
+            - name: JAVA_TOOL_OPTIONS
+              value: -XX:ReservedCodeCacheSize=48M
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: POD_SERVICE_ACCOUNT
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.serviceAccountName
+            - name: NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+          volumeMounts:
+            - {{ include "spring-boot.config-volume-mount" . | indent 14 | trim }}
+            - name: fs-storage
+              mountPath: /home/cnb/files
+            - name: database-secret
+              mountPath: {{ .Values.sandbox.dbPasswordFile }}
+          {{- include "spring-boot.management" .Values.sandbox | nindent 10 }}
+          resources:
+            limits:
+              memory: 800M
+            requests:
+              memory: 600M
+      initContainers:
+        - name: git-cloner
+          image: alpine/git
+          args:
+            - clone
+            - --single-branch
+            - --branch
+            - {{ .Values.mysql.migrations.branch | default "master" }}
+            - --
+            - https://github.com/saveourtool/save-cloud.git
+            - /data
+          volumeMounts:
+            - mountPath: /data
+              name: migrations-data
+        - name: liquibase-runner
+          image: liquibase/liquibase:4.15
+          securityContext:
+            runAsUser: 1001
+            runAsGroup: 1001
+          args:
+            - --url=$(DB_URL)
+            - --changeLogFile=save-sandbox/db/db.changelog-master.xml
+            - --username=$(DB_USERNAME)
+            - --password=$(DB_PASSWORD)
+            - --log-level=info
+            - --contexts={{ .Values.profile }}
+            - update
+          resources:
+            requests:
+              memory: 100M
+            limits:
+              memory: 300M
+          env:
+            # See https://hub.docker.com/r/liquibase/liquibase, section 'Notice for MySQL Users'
+            - name: INSTALL_MYSQL
+              value: 'true'
+            - name: DB_URL
+              valueFrom:
+                secretKeyRef:
+                  name: db-secrets
+                  key: spring.datasource.url
+            - name: DB_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: db-secrets
+                  key: spring.datasource.username
+            - name: DB_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: db-secrets
+                  key: spring.datasource.password
+          volumeMounts:
+            - mountPath: /liquibase/changelog
+              name: migrations-data
+            - mountPath: {{ .Values.sandbox.dbPasswordFile }}
+              name: database-secret
+      volumes:
+        - {{ include "spring-boot.config-volume" (dict "service" .Values.sandbox) | indent 10 | trim }}
+        - name: fs-storage
+          persistentVolumeClaim:
+            claimName: save-fs-storage
+        - name: database-secret
+          secret:
+            secretName: db-secrets
+        - name: migrations-data
+          emptyDir: { }
diff --git a/save-cloud-charts/save-cloud/templates/sandbox-service-account.yaml b/save-cloud-charts/save-cloud/templates/sandbox-service-account.yaml
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: sandbox-sa
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: jobs-executor
+rules:
+  - apiGroups: [batch]
+    resources: [jobs]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+  - apiGroups: [""]  # "" indicates the core API group
+    resources: [pods]
+    verbs: [list, get, delete, create]
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: sandbox-jobs-binding
+subjects:
+  - kind: ServiceAccount
+    name: sandbox-sa
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: jobs-executor
diff --git a/save-cloud-charts/save-cloud/templates/sandbox-service.yaml b/save-cloud-charts/save-cloud/templates/sandbox-service.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+{{- include "service.common.metadata" (dict "service" .Values.sandbox) | nindent 2 }}
+spec:
+  {{ if .Values.sandbox.clusterIP }}
+  clusterIP: {{ .Values.sandbox.clusterIP }}
+  {{ end }}
+  ports:
+    {{- include "service.common.ports" (dict "service" .Values.sandbox) | nindent 4 }}
+  selector:
+    {{- include "service.common.selectors" (dict "service" .Values.sandbox) | nindent 4 }}
diff --git a/save-cloud-charts/save-cloud/values-minikube.yaml b/save-cloud-charts/save-cloud/values-minikube.yaml
@@ -16,6 +16,13 @@ orchestrator:
     orchestrator.docker.host=tcp://localhost:2376
     logging.level.com.saveourtool=DEBUG
     orchestrator.kubernetes.useGvisor=false
+sandbox:
+  profile: dev,kubernetes,minikube
+  dockerHost: tcp://${HOST_IP}:2376
+  applicationProperties: |
+    sandbox.docker.host=tcp://localhost:2376
+    logging.level.com.saveourtool=DEBUG
+    sandbox.kubernetes.useGvisor=false
 mysql:
   external: false
   ip: nil

diff --git a/save-cloud-charts/save-cloud/values.yaml b/save-cloud-charts/save-cloud/values.yaml
@@ -25,6 +25,14 @@ orchestrator:
   # Fixed ClusterIP can be assigned to make it easier to query orchestrator from services outside Kubernetes
   clusterIP: null
   dockerHost: tcp://${HOST_IP}:2375
+sandbox:
+  name: sandbox
+  imageName: save-sandbox
+  containerPort: 5400
+  # Fixed ClusterIP can be assigned to make it easier to query orchestrator from services outside Kubernetes
+  clusterIP: null
+  dockerHost: tcp://${HOST_IP}:2375
+  dbPasswordFile: /home/cnb/secrets/db_secrets
 preprocessor:
   name: preprocessor
   imageName: save-preprocessor

diff --git a/save-cloud-common/build.gradle.kts b/save-cloud-common/build.gradle.kts
@@ -45,6 +45,7 @@ kotlin {
                 implementation(project.dependencies.platform(libs.spring.boot.dependencies))
                 implementation(libs.spring.security.core)
                 implementation(libs.spring.web)
+                implementation(libs.spring.boot)
                 implementation(libs.jackson.module.kotlin)
                 implementation(libs.hibernate.jpa21.api)
                 api(libs.slf4j.api)

diff --git a/...ocessor/DockerSecretsDatabaseProcessor.kt → ...ocessor/DockerSecretsDatabaseProcessor.kt b/...ocessor/DockerSecretsDatabaseProcessor.kt → ...ocessor/DockerSecretsDatabaseProcessor.kt
@@ -1,4 +1,4 @@
-package com.saveourtool.save.backend.postprocessor
+package com.saveourtool.save.spring.postprocessor
 
 import org.springframework.boot.SpringApplication
 import org.springframework.boot.env.EnvironmentPostProcessor

diff --git a/save-sandbox/src/main/resources/META-INF/spring.factories b/save-sandbox/src/main/resources/META-INF/spring.factories
@@ -0,0 +1 @@
+org.springframework.boot.env.EnvironmentPostProcessor=com.saveourtool.save.spring.postprocessor.DockerSecretsDatabaseProcessor
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		org.springframework.boot.env.EnvironmentPostProcessor=com.saveourtool.save.backend.postprocessor.DockerSecretsDatabaseProcessor
		org.springframework.boot.env.EnvironmentPostProcessor=com.saveourtool.save.spring.postprocessor.DockerSecretsDatabaseProcessor
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		org.springframework.boot.env.EnvironmentPostProcessor=com.saveourtool.save.spring.postprocessor.DockerSecretsDatabaseProcessor