Run Copr infrastructure with podman kube play#4100

Open
nikromen wants to merge 1 commit into fedora-copr:main from nikromen:kubernetes

Conversation


@nikromen nikromen commented Jan 5, 2026

I know this is a really long PR :/, this is a summary of what it is capable of:

Run the full Copr infrastructure locally with a single command. All services (frontend, backend, distgit, keygen, database, redis, resalloc, pulp) deploy as pods via podman kube play with Kustomize overlays.

Four deployment modes:
- just up - latest development packages from @copr/copr-dev
- just up-release - stable Fedora RPMs
- just up-pr 3127 - test a specific pull request
- just up-local - live editing with host source code mounted

See other helpful operational commands by running just help

Per-service ConfigMaps for easy configuration without image rebuilds. Multiple Kustomize overlays (base, dev, dev-local) for different use cases.

Beaker integration test environment included - run the full test suite against the local stack via setup-local-copr.sh.

Designed as the foundation for the possibility of future OpenShift deployment.

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request introduces an impressive and comprehensive setup for running the COPR infrastructure locally using podman kube play. The use of an orchestration script, detailed Containerfiles, and Kubernetes manifests is a great step towards modernizing the development environment. My review focuses on enhancing security, maintainability, and robustness. Key areas for improvement include removing hardcoded secrets, reducing container privileges, and simplifying complex commands within manifests and container definitions. While this is a work-in-progress, addressing these points will establish a more secure and maintainable foundation for local COPR development.

Comment thread podman-kube/containers/frontend/files/etc/copr/copr.conf Outdated
Comment thread podman-kube/manifests/copr-all.yaml Outdated
Comment thread podman-kube/manifests/copr-all.yaml Outdated
Comment thread kube-deploy/containers/database/rootfs/init-db.sh
Comment thread podman-kube/containers/builder/Containerfile Outdated
Comment thread podman-kube/containers/keygen/Containerfile Outdated
Comment thread podman-kube/containers/keygen/Containerfile Outdated
Comment thread podman-kube/containers/resalloc/Containerfile Outdated
Comment thread podman-kube/manifests/copr-all.yaml Outdated
Comment thread podman-kube/containers/backend-httpd/files/nginx.conf Outdated

github-actions Bot commented Jan 5, 2026

Pull Request validation

Failed

🔴 Review - Missing review from a member (2 required)

Success

🟢 CI - All checks have passed

@nikromen nikromen force-pushed the kubernetes branch 3 times, most recently from c728efc to 3dd5d35 Compare January 6, 2026 01:35
@nikromen nikromen closed this Apr 27, 2026
@nikromen (Member, Author):

whoops, misclick

@nikromen nikromen reopened this Apr 27, 2026
@nikromen nikromen marked this pull request as ready for review May 12, 2026 09:11
@nikromen (Member, Author):

/gemini review

gemini-code-assist (Bot) left a comment

Code Review

This pull request introduces a comprehensive local deployment environment for the COPR infrastructure using podman kube play and Kubernetes manifests, supported by a justfile for automation and updated beaker test configurations. Feedback identifies a fragile DNS resolver detection in the backend HTTP server, a destructive database re-initialization policy on version mismatches, overly broad database user permissions, and a syntax error in the DistGit Apache configuration.


ENTRYPOINT []
# TODO: fix this resolver substitution, this is ugly hack
CMD ["sh", "-c", "RESOLVER=$(awk '/^nameserver/{print $2; exit}' /etc/resolv.conf) && sed -i \"s/__RESOLVER__/${RESOLVER}/g\" /etc/nginx/nginx.conf && exec nginx -g 'daemon off;'"]

medium

The resolver detection is fragile. If /etc/resolv.conf does not contain a nameserver entry (which can happen in some container environments), the RESOLVER variable will be empty. This results in an invalid Nginx configuration (resolver valid=30s ...), causing the container to fail at startup. Consider adding a check or a fallback DNS server.

CMD ["sh", "-c", "RESOLVER=$(awk '/^nameserver/{print $2; exit}' /etc/resolv.conf); if [ -z \"$RESOLVER\" ]; then echo 'ERROR: No nameserver found in /etc/resolv.conf' >&2; exit 1; fi; sed -i \"s|__RESOLVER__|${RESOLVER}|g\" /etc/nginx/nginx.conf && exec nginx -g 'daemon off;'"]

if [ "$EXISTING_VERSION" != "$CURRENT_VERSION" ]; then
echo "WARNING: Data version ($EXISTING_VERSION) doesn't match PostgreSQL version ($CURRENT_VERSION)"
echo "Cleaning old data and reinitializing..."
rm -rf "$PGDATA"/*

medium

Automatically wiping the database data directory on a version mismatch is very destructive. While this is a development environment, it might lead to unexpected data loss if a user accidentally upgrades their container image. It would be safer to exit with an error message instructing the user to manually clear the volume if they wish to reinitialize.
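A non-destructive version of that startup check, added here as an example and not code from the PR's init-db.sh: it reads PG_VERSION (the marker file initdb writes) from the data directory and refuses to start on a mismatch instead of wiping the volume. The function name and the demo directories are constructed for illustration.

```shell
#!/bin/sh
# Added example (not code from the PR): a non-destructive replacement for the
# "rm -rf $PGDATA/*" branch of init-db.sh. The data version comes from
# PG_VERSION, the marker file initdb writes into the data directory.

# check_pgdata_version PGDATA CURRENT_VERSION
#   returns 0 when PGDATA is uninitialized (a fresh initdb is fine) or the
#   versions match; returns 2 on mismatch, after printing instructions and
#   without deleting anything.
check_pgdata_version() {
    pgdata="$1"
    current="$2"
    if [ ! -f "$pgdata/PG_VERSION" ]; then
        echo "No PG_VERSION in $pgdata, a fresh cluster will be initialized"
        return 0
    fi
    existing=$(cat "$pgdata/PG_VERSION")
    if [ "$existing" = "$current" ]; then
        return 0
    fi
    cat >&2 <<EOF
ERROR: data directory $pgdata was created by PostgreSQL $existing,
but this image runs PostgreSQL $current. Refusing to touch existing data.
To start over, remove the volume yourself (e.g. 'podman volume rm <name>'),
or upgrade the data with pg_upgrade, then restart the pod.
EOF
    return 2
}

# Self-test on constructed directories (no real database involved):
# an empty dir, a matching version file, and a stale one that must survive.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/fresh" "$tmp/same" "$tmp/old"
    echo 16 > "$tmp/same/PG_VERSION"
    echo 15 > "$tmp/old/PG_VERSION"
    fresh=0; check_pgdata_version "$tmp/fresh" 16 >/dev/null || fresh=$?
    same=0;  check_pgdata_version "$tmp/same" 16 || same=$?
    old=0;   check_pgdata_version "$tmp/old" 16 2>/dev/null || old=$?
    survived=0
    [ -f "$tmp/old/PG_VERSION" ] && survived=1
    rm -rf "$tmp"
    echo "fresh=$fresh same=$same old=$old old_data_survived=$survived"
    [ "$fresh" = 0 ] && [ "$same" = 0 ] && [ "$old" = 2 ] && [ "$survived" = 1 ]
}

demo
```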

psql -c "CREATE USER \"$POSTGRESQL_USER\" WITH PASSWORD '$POSTGRESQL_PASSWORD';"
psql -c "CREATE DATABASE \"$POSTGRESQL_DATABASE\" OWNER \"$POSTGRESQL_USER\" ENCODING 'UTF-8';"
psql -c "GRANT ALL PRIVILEGES ON DATABASE \"$POSTGRESQL_DATABASE\" TO \"$POSTGRESQL_USER\";"
psql -c "ALTER USER \"$POSTGRESQL_USER\" WITH SUPERUSER;" # alembic migrations

medium

Granting SUPERUSER privileges to the application user ($POSTGRESQL_USER) is a security risk, even in a development environment. While Alembic migrations might require elevated permissions for certain operations (like creating extensions), it is better to grant only the necessary privileges or run migrations as a separate, more privileged user.


RUN set -ex && \
rm -f /etc/httpd/conf.d/ssl.conf && \
echo 'AliasMatch "/repo(/.*)/md5(/.*)\" "/var/lib/dist-git/cache/lookaside\$1\$2"' >> /etc/httpd/conf.d/dist-git/lookaside-copr.conf && \

medium

There is a typo in the AliasMatch directive. The trailing \" inside the single quotes will result in a literal backslash and double quote in the Apache configuration, which will cause the regex to fail to match standard Copr URLs.

    echo 'AliasMatch "/repo(/.*)/md5(/.*)" "/var/lib/dist-git/cache/lookaside$1$2"' >> /etc/httpd/conf.d/dist-git/lookaside-copr.conf && \

@nikromen (Member, Author):

/packit test

@praiskup (Member):

/packit test

@nikromen (Member, Author):

/packit test

1 similar comment
@nikromen (Member, Author):

/packit test

@nikromen (Member, Author):

/packit test


praiskup commented May 26, 2026

Can we have a better name for the directory rather than deployment? I'm sure people would confuse it with some real deployment of Copr. edit: kube-deploy?

@nikromen (Member, Author):

could be, eventually I would want to merge this with openshift deployment and see whether and when we could possibly migrate to it, but that is big if... it could be renamed later then

@nikromen (Member, Author):

/packit test


FrostyX commented May 26, 2026

I am not -1 on the PR because it is a self-contained change that doesn't affect anything else. But the fact that we cannot call it kubernetes because we have one already, is IMHO a clear sign that we are not doing things correctly.

I hope that one day we will be able to refactor all of our deployment methods and share as much between them as possible. Now that I think about it, I think I had the same rant about the single machine testing-farm deployment.

@nikromen (Member, Author):

I want this one day to swallow kubernetes and openshift. But since it is not yet ready I can't.

But I think we probably can delete the kubernetes - it was once created by someone who maintained his own copr stack and used it for their purposes - not by us. I think it is deprecated though and it can be deleted? Perhaps I should ask them

Comment thread beaker-tests/DockerTestEnv/setup-local-copr.sh Outdated
username = $USERNAME
token = $API_TOKEN
copr_url = $COPR_URL
encrypted = $ENCRYPTED
Member:

I scratched my head, and opened #4328 :-)

Member Author:

ack, let's handle this separately in #4328.

Comment thread beaker-tests/Sanity/copr-cli-basic-operations/helpers Outdated
Comment thread testing-farm/all-on-single-host.sh

nikromen commented Jun 1, 2026

I am going to run tests (also locally against kube) to investigate whether anything is broken by my latest change

/packit test


nikromen commented Jun 1, 2026

both tests seem to work, @praiskup PTAL
