Init OPA rules with API instead of file binding (#5047)

3 years ago · 9cf2989546
parent 86f586174c
commit 9cf2989546
12 changed files with 61 additions and 53 deletions
--- a/4
+++ b/4
@ -154,7 +154,9 @@ COPY --chown=${USER} cvat/ ${HOME}/cvat
 USER ${USER}
 WORKDIR ${HOME}
-RUN mkdir data share media keys logs /tmp/supervisord
+RUN mkdir -p data share keys logs /tmp/supervisord static/opa
 RUN find cvat/apps/iam/rules -name "*.rego" -and ! -name '*test*' -exec basename {} \; | \
    tar -czf static/opa/bundle.tar.gz --transform 's,^,rules/,' -C cvat/apps/iam/rules/ -T -
 EXPOSE 8080
 ENTRYPOINT ["/usr/bin/supervisord"]
--- a/cvat/apps/iam/urls.py
+++ b/cvat/apps/iam/urls.py
@ -12,12 +12,13 @@ from dj_rest_auth.views import (
 from allauth.account.views import ConfirmEmailView, EmailVerificationSentView
 from allauth.account import app_settings as allauth_settings
-from cvat.apps.iam.views import SigningView, RegisterViewEx
+from cvat.apps.iam.views import SigningView, RegisterViewEx, RulesView
 urlpatterns = [
    path('login', LoginView.as_view(), name='rest_login'),
    path('logout', LogoutView.as_view(), name='rest_logout'),
-    path('signing', SigningView.as_view(), name='signing')
+    path('signing', SigningView.as_view(), name='signing'),
    path('rules', RulesView.as_view(), name='rules'),
 ]
 if settings.IAM_TYPE == 'BASIC':
--- a/cvat/apps/iam/views.py
+++ b/cvat/apps/iam/views.py
@ -3,11 +3,18 @@
 #
 # SPDX-License-Identifier: MIT
 import hashlib
 import os.path as osp
 from django_sendfile import sendfile
 from django.core.exceptions import BadRequest
 from django.utils.functional import SimpleLazyObject
 from rest_framework import views, serializers
 from rest_framework.exceptions import ValidationError
 from django.conf import settings
 from django.views import View
 from django.utils.decorators import method_decorator
 from django.views.decorators.http import etag
 from rest_framework.response import Response
 from dj_rest_auth.registration.views import RegisterView
 from allauth.account import app_settings as allauth_settings
@ -16,7 +23,6 @@ from furl import furl
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiResponse, extend_schema, inline_serializer, extend_schema_view
 from .authentication import Signer
 def get_context(request):
@ -116,3 +122,20 @@ class RegisterViewEx(RegisterView):
            data['email_verification_required'] = False
            data['key'] = user.auth_token.key
        return data
 # Django Generic View is used here instead of DRF APIView due to native support of etag
 # that doesn't supported by DRF without extra dependencies
 class RulesView(View):
    @staticmethod
    def _get_bundle_path():
        return osp.join(settings.STATIC_ROOT, 'opa', 'bundle.tar.gz')
    @staticmethod
    def _etag_func(file_path):
        with open(file_path, 'rb') as f:
            return hashlib.blake2b(f.read()).hexdigest()
    @method_decorator(etag(lambda _: RulesView._etag_func(RulesView._get_bundle_path())))
    def get(self, request):
        file_path = self._get_bundle_path()
        return sendfile(request, file_path)
--- a/docker-compose.dev.yml
+++ b/docker-compose.dev.yml
@ -25,3 +25,10 @@ services:
        no_proxy:
        socks_proxy:
      dockerfile: Dockerfile.ui
  cvat_opa:
    volumes:
      - ./cvat/apps/iam/rules:/rules
    ports:
      - '8181:8181'
    command: run --server --set=decision_logs.console=true /rules
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -53,7 +53,9 @@ services:
      - cvat_keys:/home/django/keys
      - cvat_logs:/home/django/logs
    networks:
-      - cvat
+      cvat:
        aliases:
          - cvat-server
  cvat_utils:
    container_name: cvat_utils
@ -185,11 +187,15 @@ services:
      cvat:
        aliases:
          - opa
-    volumes:
+    command:
-      - ./cvat/apps/iam/rules:/rules
+      - run
-    ports:
+      - --server
-      - '8181:8181'
+      - --set=decision_logs.console=true
-    command: run --server --addr :8181 --set=decision_logs.console=true /rules
+      - --set=services.cvat.url=http://cvat-server:8080
      - --set=bundles.cvat.service=cvat
      - --set=bundles.cvat.resource=/api/auth/rules
      - --set=bundles.cvat.polling.min_delay_seconds=5
      - --set=bundles.cvat.polling.max_delay_seconds=15
 volumes:
  cvat_db:
--- a/helm-chart/Chart.yaml
+++ b/helm-chart/Chart.yaml
@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.4.0
+version: 0.4.1
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
--- a/helm-chart/templates/cvat_opa/config.yml
+++ b/helm-chart/templates/cvat_opa/config.yml
@ -1,17 +0,0 @@
 {{- if .Values.cvat.opa.defaultStorage.enabled }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: {{ .Release.Name }}-opa-rules
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "cvat.labels" . | nindent 4 }}
    app: cvat-app
    tier: opa
 {{- if semverCompare ">=1.21-0" .Capabilities.KubeVersion.GitVersion }}
 immutable: true
 {{- end }}
 binaryData:
  rules.tar.gz: |-
    {{ .Files.Get "rules.tar.gz" | b64enc }}
 {{- end}}
--- a/helm-chart/templates/cvat_opa/deployment.yml
+++ b/helm-chart/templates/cvat_opa/deployment.yml
@ -36,10 +36,12 @@ spec:
          args:
            - run
            - --server
            - --addr
            - :8181
            - --set=decision_logs.console=true
-            - /rules/rules.tar.gz
+            - --set=services.cvat.url=http://{{ .Release.Name }}-backend-service:8080
            - --set=bundles.cvat.service=cvat
            - --set=bundles.cvat.resource=/api/auth/rules
            - --set=bundles.cvat.polling.min_delay_seconds=10
            - --set=bundles.cvat.polling.max_delay_seconds=15
          {{- with .Values.cvat.opa.resources }}
          resources:
          {{- toYaml . | nindent 12 }}
@ -50,24 +52,14 @@ spec:
          env:
          {{- toYaml . | nindent 10 }}
          {{- end }}
          volumeMounts:
          - mountPath: /rules
            name: cvat-opa-rules
          {{- with .Values.cvat.opa.additionalVolumeMounts }}
          volumeMounts:
          {{- toYaml . | nindent 10 }}
          {{- end }}
      {{- with .Values.cvat.opa.additionalVolumes }}
      volumes:
        {{- if .Values.cvat.opa.defaultStorage.enabled }}
        - name: cvat-opa-rules
          configMap:
            name: "{{ .Release.Name }}-opa-rules"
            items:
            - key: "rules.tar.gz"
              path: "rules.tar.gz"
        {{- end }}
        {{- with .Values.cvat.opa.additionalVolumes }}
        {{- toYaml . | nindent 8 }}
-        {{- end }}
+      {{- end }}
      {{- with .Values.cvat.opa.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
--- a/helm-chart/values.yaml
+++ b/helm-chart/values.yaml
@ -166,8 +166,6 @@ cvat:
          targetPort: 8181
          protocol: TCP
          name: http
    defaultStorage:
        enabled: true
 postgresql:
  #See https://github.com/bitnami/charts/blob/master/bitnami/postgresql/ for more info
--- a/site/content/en/docs/administration/advanced/k8s_deployment_with_helm.md
+++ b/site/content/en/docs/administration/advanced/k8s_deployment_with_helm.md
@ -69,10 +69,6 @@ helm dependency update
 1. Create `values.override.yaml` file inside `helm-chart` directory.
 1. Fill `values.override.yaml` with new parameters for chart.
 1. Override [postgresql password](#postgresql-password)
 1. Create a rules.tar.gz archive containing all OPA rules inside this `helm-chart` directory.
   ```shell
   find ../cvat/apps/iam/rules -name "*.rego" -and ! -name '*test*' -exec basename {} \; | tar -czf rules.tar.gz -C ../cvat/apps/iam/rules/ -T -
   ```
 ### Postgresql password?
 Put below into your `values.override.yaml`
--- a/site/content/en/docs/contributing/development-environment.md
+++ b/site/content/en/docs/contributing/development-environment.md
@ -125,10 +125,10 @@ description: 'Installing a development environment for different operating syste
 - Install [Docker Engine](https://docs.docker.com/engine/install/ubuntu/) and [Docker-Compose](https://docs.docker.com/compose/install/)
- Pull OpenPolicyAgent Docker-image (run from CVAT root dir):
+- Pull and run OpenPolicyAgent Docker image (run from CVAT root dir):
  ```bash
-  sudo docker-compose -f docker-compose.yml -f docker-compose.dev.yml up cvat_opa
+  sudo docker-compose -f docker-compose.yml -f docker-compose.dev.yml up -d cvat_opa
  ```
 ### Run CVAT
--- a/site/content/en/docs/manual/basics/workspace.md
+++ b/site/content/en/docs/manual/basics/workspace.md
@ -31,7 +31,7 @@ In addition the workspace also has the following functions:
  ![](/images/image068_mapillary_vistas.jpg)
  - Adjust `Brightness`/`Contrast`/`Saturation` of too exposed or too
-  dark images using color settings (it affects only how a user sees the image, not the image itself).
+    dark images using color settings (it affects only how a user sees the image, not the image itself).
  ![](/images/image164_mapillary_vistas.jpg)