imp: add postgrest job in perf ns

johnalotoski · johnalotoski · commit 4b405106532c · 2022-12-16T18:01:00.000-06:00
diff --git a/flake.lock b/flake.lock
diff --git a/flake.nix b/flake.nix
@@ -24,6 +24,7 @@
       inputs.bitte.follows = "bitte";
     };
     nix-inclusive.url = "github:input-output-hk/nix-inclusive";
+    nixpkgs-postgrest.url = "github:NixOS/nixpkgs/haskell-updates";
     nixpkgs-vector.url = "github:NixOS/nixpkgs/30d3d79b7d3607d56546dd2a6b49e156ba0ec634";
     nomad-driver-nix.url = "github:input-output-hk/nomad-driver-nix";
     spongix.url = "github:input-output-hk/spongix/extract-gc";
@@ -56,7 +57,7 @@
         (data "dashboards")
         (runnables "entrypoints")
         (functions "bitteProfile")
-        (functions "oci-images")
+        (containers "oci-images")
         (functions "library")
         (installables "packages")
         (functions "hydrationProfile")
@@ -86,6 +87,7 @@
     )
     {
       prod = bitte.lib.mkNomadJobs "prod" nomadEnvs;
+      perf = bitte.lib.mkNomadJobs "perf" nomadEnvs;
     }
     (inputs.tullia.fromStd {
       actions = inputs.std.harvest inputs.self ["cloud" "actions"];
diff --git a/nix/cloud/hydrationProfile.nix b/nix/cloud/hydrationProfile.nix
@@ -2,7 +2,7 @@
   inputs,
   cell,
 }: let
-  inherit (inputs) bitte-cells;
+  inherit (inputs) bitte-cells cells;
 in {
   # Bitte Hydrate Module
   # -----------------------------------------------------------------------
@@ -15,6 +15,7 @@ in {
     imports = [
       (bitte-cells.patroni.hydrationProfiles.hydrate-cluster ["prod"])
       (bitte-cells.tempo.hydrationProfiles.hydrate-cluster ["prod"])
+      (cells.perf.hydrationProfile.workload-policies-postgrest)
     ];
 
     # NixOS-level hydration
@@ -37,6 +38,7 @@ in {
       nomad.namespaces = {
         prod = {description = "CI Prod";};
         baremetal = {description = "CI Baremetal Builders";};
+        perf = {description = "CI Performance Benchmarking";};
       };
     };
 
@@ -55,6 +57,12 @@ in {
         policies = ["cicero"];
       };
 
+      resource.vault_github_team.performance-tracing = {
+        backend = "\${vault_github_auth_backend.employee.path}";
+        team = "performance-tracing";
+        policies = ["perf"];
+      };
+
       locals.policies = {
         consul.developer.servicePrefix."marlowe-" = {
           policy = "write";
@@ -119,6 +127,20 @@ in {
             "pki/roles/client" = [r];
             "sys/capabilities-self" = [u];
           };
+
+          perf.path = caps {
+            "auth/token/lookup" = [u];
+            "auth/token/lookup-self" = [r];
+            "auth/token/renew-self" = [u];
+            "sys/capabilities-self" = [u];
+            "kv/data/perf/*" = [r l];
+            "kv/metadata/perf/*" = [r l];
+            "nomad/creds/perf" = [r u];
+            "consul/creds/developer" = [r u];
+            "sops/keys/dev" = [r l];
+            "sops/decrypt/dev" = [r u l];
+            "sops/encrypt/dev" = [r u l];
+          };
         };
 
         nomad = {
@@ -204,6 +226,31 @@ in {
             };
             host_volume."marlowe".policy = "write";
           };
+
+          perf = {
+            description = "Performance tracing and benchmarking policies";
+
+            namespace."*".policy = "deny";
+
+            namespace."perf" = {
+              policy = "write";
+              capabilities = [
+                "alloc-exec"
+                "alloc-lifecycle"
+                "dispatch-job"
+                "list-jobs"
+                "list-scaling-policies"
+                "read-fs"
+                "read-job"
+                "read-job-scaling"
+                "read-logs"
+                "read-scaling-policy"
+                "scale-job"
+                "submit-job"
+              ];
+            };
+            node.policy = "read";
+          };
         };
       };
     };
diff --git a/nix/cloud/kv/vault/.sops.yaml b/nix/cloud/kv/vault/.sops.yaml
@@ -3,3 +3,5 @@ creation_rules:
     hc_vault_transit_uri: "https://vault.ci.iog.io/v1/sops/keys/ops"
   - path_regex: patroni/prod*
     hc_vault_transit_uri: "https://vault.ci.iog.io/v1/sops/keys/ops"
+  - path_regex: postgrest/*
+    hc_vault_transit_uri: "https://vault.ci.iog.io/v1/sops/keys/dev"
diff --git a/nix/cloud/kv/vault/postgrest/perf.enc.yaml b/nix/cloud/kv/vault/postgrest/perf.enc.yaml
@@ -0,0 +1,21 @@
+#ENC[AES256_GCM,data:WEjMvMIDqX1Jg92hCgva,iv:/sjGqs654JqWI/3vhVyrrAJRakuAd70t4YfKfr8Y628=,tag:4MLQGlbNZ/v7vAYoQjAgoQ==,type:comment]
+#ENC[AES256_GCM,data:WB+AqjTDkX90Xw5XywAiHfpJrRwNZrM8em8bEUNS54GAbQOTwz27dWY1HQ78KU0=,iv:83KYwq8C1PtkhQS30+b+SiARvBJLPe7zt5WVkD4uFAo=,tag:i26bNOjnfjulcfBoGcm6Aw==,type:comment]
+postgrestDbUser: ENC[AES256_GCM,data:csX7Xg==,iv:mipRz6MZmAAtOHtnQpgRyg40i2eXPK9m8DdddJSdM1o=,tag:fHt8gUz36M+DNvJGl6irDQ==,type:str]
+postgrestDbPass: ENC[AES256_GCM,data:CNFO2xcWmsrj0oIw3JXH3XO1rsNGfq3ZEgfopetFWeE=,iv:tdO+Udiz10NARYrLmd8AOiu3LMdZQPXset9vRTZiUn8=,tag:uxClRN3xqIPOsCJAd1u2qQ==,type:str]
+jwtSecret: ENC[AES256_GCM,data:21V7Vvcuv517K2oIoqwxApp3riZOCKVePWoyCyN4X1Y=,iv:eIp0vD+8WXnsBnPf8OKlvUsSHaFwB19ev0UQrLNjfPw=,tag:acS2HFFqesh/Yw0fah2Mww==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault:
+        - vault_address: https://vault.ci.iog.io
+          engine_path: sops
+          key_name: dev
+          created_at: "2022-12-16T19:26:21Z"
+          enc: vault:v1:0LluEnlsU4wV7x9VdY+rfGlu//vo5ryHki7sCg3dUVsxVEU6WQlrtAxDlhjZtP98bTjSzRl68jW9y+jF
+    age: []
+    lastmodified: "2022-12-16T22:34:13Z"
+    mac: ENC[AES256_GCM,data:idB9gqRKoFOAakkKHXMDp7gKPf1E+O90l3cibBJGpreiB9FBu0fcBw/Vz6hPIMN020gfToASziGrAIal6rUQHWSf5s5+uJ3LAsKS+S68m0NLDhu622AoJjExeHFIZJ/WV+XHUjy1E2Iyqxfpx7vsCoeDXx9jN3SNmbYq/d/GBrA=,iv:tjumEcugyoADxXbZGnA+fyVORoxgltSY/TA0FjDr9ZA=,tag:LoafwGKNEjvbn9TCpuVU+A==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3
diff --git a/nix/cloud/nomadEnvs/default.nix b/nix/cloud/nomadEnvs/default.nix
@@ -62,5 +62,20 @@ in {
       inherit inputs cell;
       inherit (constants.args.prod) domain namespace;
     };
+
+    postgrest = inputs.cells.perf.jobs.default;
+  };
+
+  perf = let
+    # inherit
+    #   (constants.perf)
+    #   # App constants
+    #   WALG_S3_PREFIX
+    #   # Job mod constants
+    #   patroniMods
+    #   tempoMods
+    #   ;
+  in {
+    postgrest = inputs.cells.perf.jobs.default inputs.cells.perf.constants.args.perf;
   };
 }
diff --git a/nix/metal/bitteProfile/default.nix b/nix/metal/bitteProfile/default.nix
@@ -110,6 +110,7 @@ in {
             (mkAsgs "eu-central-1" 10 "m5.8xlarge" 500 "prod" "prod" {withPatroni = true;} {})
             (mkAsgs "eu-central-1" 0 "m5.metal" 1000 "baremetal" "baremetal" {} {primaryInterface = "enp125s0";})
             (mkAsgs "eu-central-1" 1 "t3a.medium" 100 "test" "test" {} {})
+            (mkAsgs "eu-central-1" 1 "t3a.medium" 100 "perf" "perf" {} {})
           ]
           (args: let
             attrs =
diff --git a/nix/perf/constants.nix b/nix/perf/constants.nix
@@ -0,0 +1,27 @@
+{
+  inputs,
+  cell,
+}: let
+  # Metadata
+  # -----------------------------------------------------------------------
+  baseDomain = "ci.iog.io";
+in rec {
+  # App Component Import Parameterization
+  # -----------------------------------------------------------------------
+  args = {
+    perf = {
+      namespace = "perf";
+      domain = "${baseDomain}";
+      nodeClass = "perf";
+      datacenters = ["eu-central-1"];
+    };
+  };
+
+  perf = let
+    inherit (args.perf) namespace;
+  in rec {
+    # App constants
+
+    # Job mod constants
+  };
+}
diff --git a/nix/perf/entrypoints.nix b/nix/perf/entrypoints.nix
@@ -0,0 +1,17 @@
+{
+  inputs,
+  cell,
+}: let
+  inherit (inputs) nixpkgs;
+  inherit (inputs.bitte-cells._writers.library) writeShellApplication;
+  inherit (cell) packages;
+in {
+  postgrest = writeShellApplication {
+    debugInputs = with nixpkgs; [postgresql_12];
+    runtimeInputs = [packages.postgrest];
+    name = "entrypoint";
+    text = ''
+      exec postgrest /secrets/postgrest.conf
+    '';
+  };
+}
diff --git a/nix/perf/hydrationProfile.nix b/nix/perf/hydrationProfile.nix
@@ -0,0 +1,21 @@
+{
+  inputs,
+  cell,
+}: {
+  # Postgrest
+  workload-policies-postgrest = {
+    tf.hydrate-cluster.configuration.locals.policies = {
+      vault.postgrest = {
+        path."kv/data/postgrest/*".capabilities = ["read" "list"];
+        path."kv/metadata/postgrest/*".capabilities = ["read" "list"];
+      };
+    };
+
+    # FIXME: consolidate policy reconciliation loop with TF
+    # PROBLEM: requires bootstrapper reconciliation loop
+    # clients need the capability to impersonate the `postgrest` role
+    services.vault.policies.client = {
+      path."auth/token/roles/postgrest".capabilities = ["read"];
+    };
+  };
+}
diff --git a/nix/perf/jobs.nix b/nix/perf/jobs.nix
diff --git a/nix/perf/oci-images.nix b/nix/perf/oci-images.nix
diff --git a/nix/perf/packages/default.nix b/nix/perf/packages/default.nix

Original file line number	Diff line number	Diff line change
`@@ -110,6 +110,7 @@ in {`
`110`	`110`	`(mkAsgs "eu-central-1" 10 "m5.8xlarge" 500 "prod" "prod" {withPatroni = true;} {})`
`111`	`111`	`(mkAsgs "eu-central-1" 0 "m5.metal" 1000 "baremetal" "baremetal" {} {primaryInterface = "enp125s0";})`
`112`	`112`	`(mkAsgs "eu-central-1" 1 "t3a.medium" 100 "test" "test" {} {})`
	`113`	`+ (mkAsgs "eu-central-1" 1 "t3a.medium" 100 "perf" "perf" {} {})`
`113`	`114`	`]`
`114`	`115`	`(args: let`
`115`	`116`	`attrs =`