A configuration management service with support for secrets.

Go to file

Felipe Monteiro e4abca1cd7 Use DAG to resolve substitution dependency chain Currently, Deckhand fails to perform substitution given a substitution dependency chain for a group of documents. That is, if A depends on B and C depends on B for substitution then substitution will fail. Deckhand, at present, can only perform substitution if A depends on B and C depends on B and D depends on B, for example: In this case, the dependency chain is no bigger than 2. However, for cases where the substitution dependency chain is larger than 2, then the dependency is no longer trivial. This is because the substitution dependencies form a DAG that must be topologically sorted in order to derive the correct order of substitution. Once the documents are correctly sorted according to this scheme, then substitution can be carried out as usual. This PS makes the aforementioned changes to Deckhand's layering module to make substitution work for non-cyclical dependencies: A DAG is used to topologically sort the documents according to their substitution dependency chain. A unit and functional test has been added to verify the code. If a cycle is detected, a critical error is thrown. Unit tests have been added to validate this case as well. Change-Id: Iaca3963f44aec6c897ad9fd690ce314a3a4d97a2		2018-02-12 20:54:54 +00:00
charts/deckhand	Bug Fix - DeckHand/Barbican URI Lookup	2018-02-08 07:28:41 +00:00
deckhand	Use DAG to resolve substitution dependency chain	2018-02-12 20:54:54 +00:00
doc	Documentation for Exceptions	2018-02-09 15:33:30 -05:00
etc/deckhand	Rename Deckhand bucket endpoint to buckets for consistency	2017-10-27 19:21:03 +01:00
releasenotes	Only allow one LayeringPolicy to exist in the system.	2017-10-26 17:38:24 -04:00
tools	Merge "Improve document validation module."	2018-01-19 13:04:06 -05:00
.coveragerc	Add Deckhand coverage job	2017-08-15 16:11:35 -04:00
.gitignore	Deckhand Negative RBAC test scenarios	2017-10-31 17:37:39 +00:00
.gitreview	Add gitreview file	2017-08-11 01:22:26 -05:00
.testr.conf	[feat] DECKHAND-28: Document pre-validation logic and API integration	2017-08-08 18:52:44 +01:00
AUTHORS	[docs] Document schemas used for document validation	2017-11-30 16:36:27 -04:00
Dockerfile	DeckHand Dockerfile	2017-09-14 16:50:06 +00:00
HACKING.rst	Add sphinx job for auto-generating docs	2017-09-21 16:16:23 +01:00
LICENSE	Initial commit	2017-06-16 08:29:03 -07:00
Makefile	Fix initial 'make charts' failure	2017-11-09 16:23:32 -07:00
README.rst	Update Deckhand README	2018-02-02 10:59:53 -05:00
entrypoint.sh	Make the uWSGI http-timeout configurable	2018-01-17 15:16:06 -06:00
requirements.txt	Use DAG to resolve substitution dependency chain	2018-02-12 20:54:54 +00:00
setup.cfg	Integrate Deckhand with keystone auth	2017-10-16 19:54:46 +01:00
setup.py	Oslo config integration (#1 )	2017-06-26 16:57:50 -07:00
test-requirements.txt	Revert fix pifpaf run postgresql failing	2018-01-12 11:57:44 -04:00
tox.ini	Fix pifpaf not returning error code upon test failure	2018-01-15 17:01:34 -05:00
uwsgi.ini	Add health resource for ucp-integration API convention	2017-10-23 17:34:03 +01:00

README.rst

Deckhand

Deckhand is a storage service for YAML-based configuration documents, which are managed through version control and automatically validated. Deckhand provides users with a variety of different document types that describe complex configurations using the features listed below.

Core Responsibilities

layering - helps reduce duplication in configuration while maintaining auditability across many sites
substitution - provides separation between secret data and other configuration data, while allowing a simple interface for clients
revision history - improves auditability and enables services to provide functional validation of a well-defined collection of documents that are meant to operate together
validation - allows services to implement and register different kinds of validations and report errors

Getting Started

Pre-requisites

tox

To install tox run:
```
$ sudo apt-get install tox
```

PostgreSQL

Deckhand only supports PostgreSQL. Install it by running:

$ sudo apt-get update
$ sudo apt-get install postgresql postgresql-contrib

Quick Start

Docker can be used to quickly instantiate the Deckhand image. After installing Docker, create a basic configuration file:

$ tox -e genconfig

Resulting deckhand.conf.sample file is output to :path:etc/deckhand/deckhand.conf.sample

Move the sample configuration file into a desired directory (i.e. $CONF_DIR).

At a minimum the [database].connection config option must be set. Provide it with a PostgreSQL database connection. Or to conveniently create an ephemeral PostgreSQL DB run:

$ eval `pifpaf run postgresql`

Substitute the connection information (which can be retrieved by running export | grep PIFPAF_POSTGRESQL_URL) into the config file inside etc/deckhand/deckhand.conf.sample:

.. code-block:: ini

[database]

# # From oslo.db #

# The SQLAlchemy connection string to use to connect to the database. # (string value) connection = postgresql://localhost/postgres?host=/tmp/tmpsg6tn3l9&port=9824

Finally, run Deckhand:

$ [sudo] docker run --rm \
    --net=host \
    -p 9000:9000 \
    -v $CONF_DIR:/etc/deckhand
    quay.io/attcomdev/deckhand:latest

To kill the ephemeral DB afterward:

$ pifpaf_stop

Manual Installation

Note

The commands below assume that they are being executed from the root Deckhand directory.

Install dependencies needed to spin up Deckhand via uwsgi:

$ sudo pip install uwsgi
$ virtualenv -p python3 /var/tmp/deckhand
$ . /var/tmp/deckhand/bin/activate
$ pip install -r requirements.txt test-requirements.txt
$ python setup.py install

Afterward, create a sample configuration file automatically:

$ tox -e genconfig

Resulting deckhand.conf.sample file is output to :path:etc/deckhand/deckhand.conf.sample

Create the directory /etc/deckhand and copy the config file there:

$ [sudo] cp etc/deckhand/deckhand.conf.sample /etc/deckhand/deckhand.conf

To specify an alternative directory for the config file, run:

$ export OS_DECKHAND_CONFIG_DIR=<PATH>
$ [sudo] cp etc/deckhand/deckhand.conf.sample ${OS_DECKHAND_CONFIG_DIR}/deckhand.conf

To conveniently create an ephemeral PostgreSQL DB run:

$ eval `pifpaf run postgresql`

Retrieve the environment variable which contains connection information:

$ export | grep PIFPAF_POSTGRESQL_URL
declare -x PIFPAF_POSTGRESQL_URL="postgresql://localhost/postgres?host=/tmp/tmpsg6tn3l9&port=9824"

Substitute the connection information into the config file in ${OS_DECKHAND_CONFIG_DIR}:

.. code-block:: ini

[database]

# # From oslo.db #

# The SQLAlchemy connection string to use to connect to the database. # (string value) connection = postgresql://localhost/postgres?host=/tmp/tmpsg6tn3l9&port=9824

Finally, run Deckhand:

$ uwsgi --ini wsgi.ini

To kill the ephemeral DB afterward:

$ pifpaf_stop

Testing

Automated Testing

To run unit tests using sqlite, execute:

$ tox -epy27
$ tox -epy35

against a py27- or py35-backed environment, respectively. To run individual unit tests, run:

$ tox -e py27 -- deckhand.tests.unit.db.test_revisions

for example.

To run functional tests:

$ tox -e functional

You can also run a subset of tests via a regex:

$ tox -e functional -- gabbi.suitemaker.test_gabbi_document-crud-success-multi-bucket

Intgration Points

Deckhand has the following integration points:

Keystone (OpenStack Identity service) provides authentication and support for role based authorization.

PostgreSQL is used to persist information to correlate workflows with users and history of workflow commands.

Note

Currently, other database backends are not supported.

Though, being a low-level service, has many other UCP services that integrate with it, including:

Drydock is orchestrated by Shipyard to perform bare metal node provisioning.

Promenade is indirectly orchestrated by Shipyard to configure and join Kubernetes nodes.

Armada is orchestrated by Shipyard to deploy and test Kubernetes workloads.