sighupio · AndreaDellaValle · Apr 7, 2023 · Apr 7, 2023 · Apr 7, 2023 · Apr 13, 2023
diff --git a/.tool-versions b/.tool-versions
@@ -7,7 +7,7 @@ kind 0.17.0
 kubectl 1.26.0
 make 4.1
 mkcert 1.4.4
-nodejs 18.0.0
+nodejs 16.20.0
 shellcheck 0.9.0
 tilt 0.31.1
 yq 4.30.8

diff --git a/Dockerfile b/Dockerfile
@@ -1,13 +1,3 @@
-## UI ##
-FROM node:18-alpine3.17 as ui-builder
-RUN mkdir /app
-COPY web-client /app
-
-ENV NODE_OPTIONS=--openssl-legacy-provider
-
-WORKDIR /app
-RUN yarn install && yarn build
-
 ## BACKEND ##
 FROM golang:1.19.5-alpine3.17 as go-base
 
@@ -39,15 +29,12 @@ RUN go mod download
 
 COPY cmd cmd
 COPY internal internal
-COPY static static
 
 FROM go-base as development
-COPY --from=ui-builder /app/build /app/static/build
 
 ENTRYPOINT ["go", "run", "cmd/run-server.go"]
 
 FROM go-base as builder
-COPY --from=ui-builder /app/build /app/static/build
 RUN go build --tags=release -o permission-manager cmd/run-server.go
 
 FROM scratch as release

diff --git a/Dockerfile-ui b/Dockerfile-ui
@@ -0,0 +1,25 @@
+## PERMISSION MANAGER UI ##
+
+# DEVELOPMENT
+FROM node:18-alpine3.17 as ui-development
+RUN mkdir /app
+COPY web-client /app
+
+ENV NODE_OPTIONS=--openssl-legacy-provider
+
+WORKDIR /app
+RUN yarn install && yarn build
+
+ENTRYPOINT ["yarn", "start"]
+
+# RELEASE
+# TODO test this draft and convert it for production
+FROM nginx:latest as release
+
+COPY --from=ui-development /app/build /usr/share/nginx/html
+
+COPY --from=ui-development /app/nginx.conf etc/nginx/nginx.conf
+
+EXPOSE 4001
+
+CMD ["nginx", "-g", "daemon off;"]
diff --git a/Tiltfile b/Tiltfile
@@ -13,7 +13,6 @@ docker_build_with_restart(
     sync("./internal", "/app/internal"),
     sync("./go.mod", "/app/go.mod"),
     sync("./go.sum", "/app/go.sum"),
-    sync("./web-client", "/app/web-client"),
   ],
   build_args={
     "CLUSTER_NAME": os.getenv("CLUSTER_NAME"),
@@ -25,14 +24,32 @@ docker_build_with_restart(
   entrypoint=["go", "run", "cmd/run-server.go"]
 )
 
+docker_build(
+  "permission-manager-ui-image:local-dev",
+  ".",
+  dockerfile="Dockerfile-ui",
+  target="ui-development",
+  live_update=[
+    sync("./web-client", "/app/web-client"),
+  ],
+  build_args={
+    "CLUSTER_NAME": os.getenv("CLUSTER_NAME"),
+    "CONTROL_PLANE_ADDRESS": os.getenv("CONTROL_PLANE_ADDRESS"),
+    "BASIC_AUTH_PASSWORD": os.getenv("BASIC_AUTH_PASSWORD"),
+    "NAMESPACE": os.getenv("NAMESPACE"),
+    "PORT": os.getenv("PORT"),
+  }
+)
+
 k8s_yaml(
   helm(
     './helm_chart',
     name='permission-manager',
     namespace='permission-manager',
     values='development/helm/values.yaml',
     set=['config.controlPlaneAddress=' + os.getenv("CONTROL_PLANE_ADDRESS")]
-  ))
+  )
+)
 
 k8s_resource(
   workload="permission-manager",
@@ -42,3 +59,12 @@ k8s_resource(
   # objects=[] + cms,
   labels="control-plane"
 )
+
+k8s_resource(
+  workload="permission-manager-ui",
+  links=[
+    link("https://permission-manager.dev/", "permission-manager-ui"),
+  ],
+  # objects=[] + cms,
+  labels="front-end"
+)
diff --git a/development/helm/values.yaml b/development/helm/values.yaml
@@ -60,7 +60,7 @@ ingress:
   hosts:
     - host: permission-manager.dev
       paths:
-        - path: /
+        - path: /api/
           pathType: ImplementationSpecific
   tls:
     - secretName: permission-manager.dev-tls
@@ -105,6 +105,8 @@ config:
   # Password for basic auth to access the UI
   basicAuthPassword: "admin"
 
+  initialDelaySeconds: 60
+
   templates:
     - name: operation
       rules:

diff --git a/development/utils.sh b/development/utils.sh
@@ -43,5 +43,5 @@ function setup_certs {
 # This function will start the ctlptl registry (which is local registry used by Tilt) and the kind cluster.
 function start {
   echo "Starting cluster and local registry..."
-  docker start permission-manager-kind-registry permission-manager-kind-control-plane
+  docker start permission-manager-kind-registry permission-manager-kind-control-plane permission-manager-ui
 }
diff --git a/helm_chart/templates/deployment-ui.yaml b/helm_chart/templates/deployment-ui.yaml
@@ -0,0 +1,69 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "permission-manager.fullname" . }}-ui
+  labels:
+    {{- include "permission-manager.labels" . | nindent 4 }}
+spec:
+{{- if not .Values.autoscaling.enabled }}
+  replicas: {{ .Values.replicaCount }}
+{{- end }}
+  selector:
+    matchLabels:
+      {{- include "permission-manager.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+    {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+      labels:
+        {{- include "permission-manager.selectorLabels" . | nindent 8 }}
+        permission-manager: ui
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "permission-manager.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+        - name: {{ .Chart.Name }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: permission-manager-ui-image:local-dev
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          env:
+            - name: NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+          envFrom:
+            - secretRef:
+                name: {{ include "permission-manager.fullname" . }}
+          ports:
+            - name: http
+              containerPort: 4001
+              protocol: TCP
+          livenessProbe:
+            initialDelaySeconds: {{ .Values.config.initialDelaySeconds }}
+            tcpSocket:
+              port: 4001
+          readinessProbe:
+            tcpSocket:
+              port: 4001
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
diff --git a/helm_chart/templates/deployment.yaml b/helm_chart/templates/deployment.yaml
@@ -19,6 +19,7 @@ spec:
     {{- end }}
       labels:
         {{- include "permission-manager.selectorLabels" . | nindent 8 }}
+        permission-manager: api
     spec:
       {{- with .Values.imagePullSecrets }}
       imagePullSecrets:
@@ -46,6 +47,7 @@ spec:
               containerPort: 4000
               protocol: TCP
           livenessProbe:
+            initialDelaySeconds: {{ .Values.config.initialDelaySeconds }}
             tcpSocket:
               port: 4000
           readinessProbe:

diff --git a/helm_chart/templates/ingress.yaml b/helm_chart/templates/ingress.yaml
@@ -57,5 +57,12 @@ spec:
               servicePort: {{ $svcPort }}
               {{- end }}
           {{- end }}
+          - path: /
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: permission-manager-ui
+                port:
+                  number: 80
     {{- end }}
 {{- end }}
diff --git a/helm_chart/templates/service-ui.yaml b/helm_chart/templates/service-ui.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: permission-manager-ui
+  labels:
+    {{- include "permission-manager.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ .Values.service.port }}
+      targetPort: 4001
+      protocol: TCP
+      name: http
+      {{- if .Values.service.nodePort }}
+      nodePort: {{ .Values.service.nodePort }}
+      {{- else }}
+      nodePort: null
+      {{- end }}
+  selector:
+    {{- include "permission-manager.selectorLabels" . | nindent 4 }}
+    permission-manager: ui
diff --git a/helm_chart/templates/service.yaml b/helm_chart/templates/service.yaml
@@ -18,3 +18,4 @@ spec:
       {{- end }}
   selector:
     {{- include "permission-manager.selectorLabels" . | nindent 4 }}
+    permission-manager: api
diff --git a/helm_chart/values.yaml b/helm_chart/values.yaml
@@ -56,8 +56,10 @@ ingress:
   hosts:
     - host: permission-manager.domain.com
       paths:
-        - path: /
+        - path: /api/
           pathType: ImplementationSpecific
+        # - path: /
+        #   pathType: ImplementationSpecific
   # tls:
   #   - secretName: permission-manager-tls
   #     hosts:
@@ -101,6 +103,8 @@ config:
   # Password for basic auth to access the UI
   basicAuthPassword: ""
 
+  initialDelaySeconds: 0
+
   templates:
     - name: operation
       rules:

diff --git a/internal/server/clusterrole.go b/internal/server/clusterrole.go
@@ -1,6 +1,8 @@
 package server
 
 import (
+	"fmt"
+
 	"github.com/labstack/echo/v4"
 	rbacv1 "k8s.io/api/rbac/v1"
 )
@@ -17,19 +19,20 @@ func createClusterRole(c echo.Context) error {
 	err := ac.validateAndBindRequest(r)
 
 	if err != nil {
-		return err
+		validateAndBindErr := fmt.Sprintf("Validate Cluster Role: %s", err)
+		return ac.errorResponse(validateAndBindErr)
 	}
 
 	_, err = ac.ResourceManager.ClusterRoleCreate(r.RoleName, r.Rules)
 
 	if err != nil {
-		return err
+		clusterRoleErr := fmt.Sprintf("Cluster Role creation: %s", err)
+		return ac.errorResponse(clusterRoleErr)
 	}
 
 	return ac.okResponse()
 }
 
-
 func deleteClusterRole(c echo.Context) error {
 	ac := c.(*AppContext)
 	type Request struct {

diff --git a/internal/server/clusterrolebinding.go b/internal/server/clusterrolebinding.go
@@ -1,6 +1,8 @@
 package server
 
 import (
+	"fmt"
+
 	"github.com/labstack/echo/v4"
 	rbacv1 "k8s.io/api/rbac/v1"
 )
@@ -19,7 +21,8 @@ func createClusterRolebinding(c echo.Context) error {
 	err := ac.validateAndBindRequest(r)
 
 	if err != nil {
-		return err
+		validateAndBindErr := fmt.Sprintf("Validate Cluster Role Binding: %s", err)
+		return ac.errorResponse(validateAndBindErr)
 	}
 
 	// This is only a workaround: https://github.com/sighupio/permission-manager/issues/140
@@ -32,7 +35,8 @@ func createClusterRolebinding(c echo.Context) error {
 	_, err = ac.ResourceManager.ClusterRoleBindingCreate(r.ClusterRolebindingName, r.Username, r.RoleName, subjs)
 
 	if err != nil {
-		return err
+		clusterRoleBindingErr := fmt.Sprintf("ClusterRoleBinding creation: %s", err)
+		return ac.errorResponse(clusterRoleBindingErr)
 	}
 
 	return ac.okResponse()

diff --git a/internal/server/role.go b/internal/server/role.go
@@ -1,6 +1,7 @@
 package server
 
 import (
+	"fmt"
 	"sighupio/permission-manager/internal/resources"
 
 	"github.com/labstack/echo/v4"
@@ -73,7 +74,8 @@ func createRoleBinding(c echo.Context) error {
 	err := ac.validateAndBindRequest(r)
 
 	if err != nil {
-		return err
+		validateAndBindErr := fmt.Sprintf("Validate Role: %s", err)
+		return ac.errorResponse(validateAndBindErr)
 	}
 
 	// This is only a workaround: https://github.com/sighupio/permission-manager/issues/140
@@ -91,7 +93,8 @@ func createRoleBinding(c echo.Context) error {
 	})
 
 	if err != nil {
-		return err
+		RoleErr := fmt.Sprintf("Role creation: %s", err)
+		return ac.errorResponse(RoleErr)
 	}
 
 	return ac.okResponse()