This repository implements a common inventory system with eventing.
make init
make api
make api_breaking
make build
By default the quay repository is quay.io/cloudservices/kessel-inventory. If you wish to use another for testing, set the IMAGE value first:
export IMAGE=your-quay-repo # if desired
make docker-build-push
make migrate
make run
make inventory-up
to set up inventory-api, relations-api, spicedb, postgres
make inventory-down
The inventory API includes health check endpoints for readiness and liveness probes.
The readyz endpoint checks if the service is ready to handle requests.
curl http://localhost:8081/api/inventory/v1/readyz
The livez endpoint checks if the service is alive and functioning correctly.
curl http://localhost:8081/api/inventory/v1/livez
To add hosts to the inventory, use the following curl command:
curl -H "Content-Type: application/json" --data "@data/host.json" http://localhost:8081/api/inventory/v1beta1/resources/rhel-hosts
Depending on the config file you're using, the curl command will require additional headers for authorization of the request.
To add a k8s-policy_ispropagatedto-k8s-cluster relationship you can use the following curl command:
curl -H "Content-Type: application/json" --data "@data/k8spolicy_ispropagatedto_k8scluster.json" http://localhost:8081/api/inventory/v1beta1/resource-relationships/k8s-policy_is-propagated-to_k8s-cluster
To update it, use the PUT verb as follows:
curl -X PUT -H "Content-Type: application/json" --data "@data/k8spolicy_ispropagatedto_k8scluster.json" http://localhost:8081/api/inventory/v1beta1/resource-relationships/k8s-policy_is-propagated-to_k8s-cluster
And finally, to delete it, use the DELETE verb. Notice that the data file is different this time: we only need the reporter data to delete a relationship.
curl -X DELETE -H "Content-Type: application/json" --data "@data/relationship_reporter_data.json" http://localhost:8081/api/inventory/v1beta1/resource-relationships/k8s-policy_is-propagated-to_k8s-cluster
We are using the included .inventory-api.yaml file which allows guest access.
Guest access currently makes use of the user-agent header to populate the Identity header.
data/host.json uses the reporter_id: user@example.com, hence you will need the following command:
curl -H "Content-Type: application/json" --user-agent user@example.com --data "@data/host.json" http://localhost:8081/api/inventory/v1beta1/resources/rhel-hosts
This provides a PSK file with a token "1234".
The default ports in this setup are 8081 (http) and 9091.
The following command will add the host to the inventory:
curl -H "Content-Type: application/json" -H "Authorization: bearer 1234" --data "@data/host.json" http://localhost:8081/api/inventory/v1beta1/resources/rhel-hosts
make pr-check
make inventory-up-sso
- Set up a keycloak instance running at port 8084 with myrealm
- Set up a default service account with clientId: test-svc and password. Refer get-token
- Refer sso-inventory-api.yaml for configuration
- Refer docker-compose-sso.yaml for docker-compose
Use service account user as reporter_instance_id
"reporter_instance_id": "service-account-svc-test"
Refer host-service-account.json
make get-token
Export the token generated
export TOKEN=
Sample request with the authorization header
curl -H "Authorization: bearer ${TOKEN}" -H "Content-Type: application/json" --data "@data/host-service-account.json" http://localhost:8081/api/inventory/v1beta1/resources/rhel-hosts
Starts a local strimzi kafka and zookeeper:
make inventory-up-kafka
Start inventory-api using the ./kafka-inventory-api.yaml config.
./bin/inventory-api serve --config ./kafka-inventory-api.yaml
In a separate terminal exec into the kafka pod so you can watch messages.
source ./scripts/check_docker_podman.sh
KAFKA_CONTAINER_NAME=$(${DOCKER} ps | grep inventory-api-kafka | awk '{print $1}')
${DOCKER} exec -i -t ${KAFKA_CONTAINER_NAME} /bin/bash
Start consuming messages in the pod.
./bin/kafka-console-consumer.sh --bootstrap-server localhost:9092 --topic kessel-inventory
In a separate terminal, post a resource to inventory-api:
curl -H "Content-Type: application/json" -H "Authorization: bearer 1234" --data "@data/k8s-cluster.json" http://localhost:8081/api/inventory/v1beta1/resources/k8s-clusters
Manually stop the inventory-api and then run make inventory-down-kafka
Update the .inventory-api.yaml or inventory-api-compose.yaml
authz:
  impl: kessel
  kessel:
    insecure-client: true
    url: localhost:9000
    enable-oidc-auth: false
Enable oidc authentication with sso
authz:
  impl: kessel
  kessel:
    insecure-client: true
    url: localhost:9000
    enable-oidc-auth: true
    sa-client-id: "svc-test"
    sa-client-secret: "<secret>"
    sso-token-endpoint: "http://localhost:8084/realms/redhat-external/protocol/openid-connect/token"
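An added example, not part of this repository: a shell lint that reads the authz.kessel block shown above and flags values suited only to a local setup before the file is reused elsewhere. The findings policy, the sample secret and the example.internal hostnames are assumptions constructed for illustration, as is the reading of insecure-client as "no transport security toward the relations API".

```shell
#!/usr/bin/env bash
# Added example (not project code): lint authz.kessel in an inventory-api config.
# Key names are the ones shown in the README; what counts as a finding is assumed.
audit_authz() {  # $1 = config path; prints one finding per line
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blank lines
    {
      line = $0; sub(/^ +/, "", line)
      ind = length($0) - length(line)            # nesting depth in spaces
      key = line; sub(/:.*/, "", key)
      val = line; sub(/^[^:]*:[ \t]*/, "", val)
      sub(/[ \t]+#.*$/, "", val); sub(/^"/, "", val); sub(/"$/, "", val)
      if (ind == 0) { in_authz = (key == "authz"); in_k = 0; next }
      if (in_authz && key == "kessel" && val == "") { in_k = 1; k_ind = ind; next }
      if (in_k && ind <= k_ind) in_k = 0         # left the kessel block
      if (!in_k) next
      if (key == "insecure-client" && val == "true")
        print "insecure-client: true"
      if (key == "enable-oidc-auth" && val == "false")
        print "enable-oidc-auth: false"
      if (key == "sso-token-endpoint" && val ~ /^http:\/\//)
        print "sso-token-endpoint: plain http, client secret sent in clear"
      if (key == "sa-client-secret" && val != "" && val !~ /^</)
        print "sa-client-secret: literal value stored in file"
    }
  ' "$1"
}

tmp=$(mktemp -d)
# Constructed sample: the README OIDC block with a made-up secret filled in.
cat > "$tmp/dev.yaml" <<'EOF'
authz:
  impl: kessel
  kessel:
    insecure-client: true
    url: localhost:9000
    enable-oidc-auth: true
    sa-client-id: "svc-test"
    sa-client-secret: "not-a-real-secret"
    sso-token-endpoint: "http://localhost:8084/realms/redhat-external/protocol/openid-connect/token"
EOF
# Constructed counterpart: same keys, non-local values (hostname is made up).
sed -e 's/insecure-client: true/insecure-client: false/' \
    -e 's#"http://localhost:8084#"https://sso.example.internal#' \
    -e 's/"not-a-real-secret"/"<injected-at-deploy>"/' "$tmp/dev.yaml" > "$tmp/shared.yaml"
for f in dev shared; do
  echo "== $f.yaml"; audit_authz "$tmp/$f.yaml"
done
```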
Deploy Relations API first with Bonfire following the steps available HERE
Once it's running, deploy Inventory using Bonfire:
bonfire deploy kessel -C inventory-api --no-get-dependencies
If you wish to test changes you've made that are unmerged, you can deploy them to ephemeral using a local config file. Note: this requires building the image first and pushing to your local quay (see make docker-build-push).
# example local config under $HOME/.config/bonfire/config
apps:
- name: kessel
  components:
    - name: inventory-api
      host: local
      repo: /path/to/inventory-api-repo
      path: deploy/kessel-inventory.yaml
      parameters:
        INVENTORY_IMAGE: quay.io/your-repo/image-name
        IMAGE_TAG: your-image-tag # latest is not recommended due to pull policy
Then run bonfire deploy kessel -c $HOME/.config/bonfire/config.yaml --local-config-method override --no-get-dependencies
Follow the DEBUG guide