next-hat / nanocl Goto Github PK

Is your feature request related to a problem? Please describe.
We should remove the need of mustache in favor of liquid that will unlock more feature in the future
We should also make the option -f optional and try to look for a StateFile.yml or StateFile.yaml in the current directory !

Describe the bug
Nanocl doesn't compile with the latest version of Tabled see #221

To Reproduce
Upgrade Tabled and try to build

Expected behavior
We expect to build with last version

Additional context
It's basically a refactor of the print_table in bin/nanocl/src/utils/print.rs

Is your feature request related to a problem? Please describe.
We should add utoipa to the project and generate the openapi specification when the dev feature is enabled

Describe the bug
I'm unable to use self generated certificate to connect to the database

To Reproduce
Following this tutorial
I generate certificate for the node and the client, but after copying client.root.crt and client.root.key to ~/.postgresql folder i have an connection ssl error

Expected behavior
I expect a connection between my client and my server using a ssl/tls connection

Additional context
You can find the function to connect to the store and the config can be found at:
./bin/nanocld/src/utils/store
./bin/nanocld/specs/store.yml
To generate the ssl certificate you can do it using docker:

docker -v /var/lib/nanocl/store/certs:/certs -v /var/lib/nanocl/store/ca:/ca -it --rm cockroachdb/cockroach:v22.2.6 cockroach cert [...] --certs-dir=/certs --ca-key=/ca/ca.key

Is your feature request related to a problem? Please describe.
I'm change how nanocl is setup, right now the daemon start the required services with different configuration depending on if we are in development, test or release. This is now done with a docker compose for development and tests.
For production the nanocl setup command will start required services with the ability to override settings before starting the daemon.

After this change. Even in development, docker compose will have to be used.

Like @zhiburt show in #92
We should use build-time information to get version git hash and architecture instead of contantes in bin/nanocld/src/version.rs

We should build all man page and have automatic update into the documentation.

I just found out nanocl and I'm still speechless. Thanks for your work!

Since I'm not very experienced I ask you:

• is it conceivable today to use nanocl instead of kubernetes? (I'm referring to a very simple use of kubernetes: nginx as a reverse-proxy and a few pods (deployments) of simple web applications);

• are there any dashboards that can be used (even very simple ones)?

• are there online tutorials/guides?

Is your feature request related to a problem? Please describe.
This is wrong we should have two different structure StateApplyOpts and StateRevertOpts or StateDestroyOpts.

You can already generate an SSL Cert from Certbot using this command :

nanocl exec system-nano-proxy -- certbot --nginx --email [email protected] --agree-tos -d your-domain.com

But it maybe nice to be able to generate self signed certificate for authentication.

Is your feature request related to a problem? Please describe.
Error handling with IoError and HttpError on nanocld_client and nanocl

Could be nice to brainstorm about how the resource ProxyRule should be defined.

We should be able to :

• enable a hostname to target a cargo at specific location using http and https
• redirect domain to another eg: www.domain.com -> domain.com
• enable tcp / udp to target a specific cargo at specific port
• pass extra http header ?

What else should we have ?

This is for now how look look like http and https to target a cargo at specific location:

• Http

  Resources:
    - Name: resource-example
      Kind: ProxyRule
      Config:
        # List of cargo to watch updates
        Watch:
          - get-started@global
        Http:
          Domain: get-started.com
          Network: Public
          # Optional SSL config
          Ssl:
            Certificate: /path/to/cert
            CertificateKey: /path/to/cert
            DhParam: /path/to/dhparam
          # Http location
          Locations:
            - Path: /
              Target:
                # The cargo to target for the location
                Key: get-started@global
                Port: 9000

• Stream

  Resources:
      - Name: resource-example
        Kind: ProxyRule
        Config:
          # List of cargo to watch updates
          Watch:
            - get-started@global
          Stream:
            Network: Public
            # The protocol to use Tcp | Udp
            Protocol: Tcp
            Port: 8888
            # Optional SSL config
            Ssl:
              Certificate: /path/to/cert
              CertificateKey: /path/to/cert
              DhParam: /path/to/dhparam
            # Http location
            Target:
              # The cargo to target for the location
              Key: get-started@global
              Port: 9000

Is your feature request related to a problem? Please describe.
The ncdproxy log everything, even if you send credentials for example a login form.
If you don't disable loggin for this specific path the credentials of the user aka login and password, will be in clear text inside the logs.
I want to have loggin enable by default as zero trust policy, but we should give the ability to disable it.

A configuration like this should be considered:

Kind: Deployment
ApiVersion: v0.7

Namespace: global

Resources:
  - Name: deploy-example.com
    Kind: ProxyRule
    Version: v0.4
    Config:
      Watch:
        - deploy-example.global
        - deploy-example2.global
      Rules:
        - Domain: deploy-example.com
          Network: Public
          Locations:
            - Path: /
              Target:
                CargoKey: deploy-example.global
                CargoPort: 9000
            - Path: /users/login
              Target:
                CargoKey: deploy-example.global
                CargoPort: 9000
                Path: /users/login
                DisableLoggin: true

Cargoes:
  - Name: deploy-example
    Container:
      Image: nexthat/nanocl-get-started:latest
      Env:
        - APP=GET_STARTED1

Where Path and DisableLoggin are optinal values.
You have to take a look at nginx.

Is your feature request related to a problem? Please describe.
Like for cargoes we should be able to create set a virtual machine from a state file

Describe the solution you'd like
Create a new VirtualMachineState model with a new type and accept it inside our state service to create, patch and delete them. The model should be added inside crates/nanocl_stubs/src/state.rs the function to create, patch and delete a virtual machine already exists inside bin/nanocld/src/utils/vm.rs

Describe the solution you'd like
Add a new query parameter to filter cargoes on GET /cargoes :

• Name: to perform a like on the name
• Limit: to add a limit
• Offset: to add an offset

This will be usefull on the dashboard for example to enable data on scroll.

You can see an example on GET /namespaces.

We could also add filter parameters to the cli

We should be able to create cargoes and resources directly from configuration file see examples.
A command on the CLI should be created something like:

nanocl state apply -f examples/resource_example.yml

On the Daemon side the route should directly accept configuration file from examples folder.
We should have an extra parameter to know if we want delete them for example a query paramater.
If the delete parameter is not set we create or update our data based on the configuration file received.

We should be able to import image from tarball.
Something like:

nanocl cargo image import my-image.tar

That require to add a route in the Daemon and the command in the CLI

Is your feature request related to a problem? Please describe.

Since the refactor of the cargo logs endpoint nanocl state apply -a don't follow logs anymore and it's should.
We need to add the parameters follow to our request.

Is your feature request related to a problem? Please describe.
To make it less confusing we should considere renaming nanocl state revert into nanocl state remove

Is your feature request related to a problem? Please describe.
To make it more matching with docker i we should rename nanocl cargo image create into nanocl cargo image pull.

Is your feature request related to a problem? Please describe.
On docker we can do a command like this docker rm -f $(docker ps -aq) to delete everything.
It could be nice to be able to do the same thing using for example:

nanocl cargo rm -f $(nanocl cargo ls -q)

I'll need to update the developer documentation with better description in case of docker installed using docker desktop

Is your feature request related to a problem? Please describe.
When creating a namespace, we should take extra optionnal parameters to be abble to setup some network options.

Options to add are relation to options for create a network that can be found there

This is a DAEMON and CLI change.

A command like this should be considered:

nanocl namespace create my-namespace --attachable --gateway 172.25.0.1

Is your feature request related to a problem? Please describe.
A command to list and follow http logs should exists.

I am opening this issue to decide or set a goal of which license to use for our project.
A license determines how our code can be used, modified, and distributed by others. We need to consider factors such as the goals of the project, the level of openness we want to provide, and any legal requirements that may apply.

Describe the solution you'd like
Use a new query parameter for cargo logs to enable these features:

• since: number as unix tmestamp
• until: number as unix timestamp
• tail: "all" or number (see bollard types)
• timestamps: boolean Add timestamps to every log line
• follow: boolean return a stream or not (optional)

These options should be passed to bollard docker logs function.

We should also add CLI options to use them for example:

nanocl cargo logs my-cargo -f -t 100 --timestamps

Is your feature request related to a problem? Please describe.
We should save nginx logs inside the database with a TTL of 4 months ?
The logs have to be well save so we can sort them and be able to generate some statistics

Describe the solution you'd like
We should spawn a thread and watch for logs of our proxy container to save them in the database, we should also change nginx config in order to logs tcp/udp request, right now only http request are logged.

Describe the bug
The namespace global and system can be deleted but it shouldn't be allowed.

To Reproduce
Run:

nanocl namespace rm global

When no cargoes are created in the global namespace.

Expected behavior
This should return an error maybe a 401 because if both of this namespace doesn't exist it can cause unexpected behavior.

This is just a daemon/api change.

We should have a command to run command inside containers.

Something like:

nanocl cargo exec my-container -- my-command

or

nanocl exec my-container -- my-command

This feature include to create a method in the daemon

Is your feature request related to a problem? Please describe.
We should be able to create, patch and delete virtual machine from a state file

Describe the solution you'd like
Add and Vector of VmConfigPartial inside the DeploymentState model and update the state service to create, patch or delete them the DeploymentState model exists inside crates/nanocl_stubs/src/state.rs the VmConfigPartial models is inside crates/nanocl_stubs/src/vm_config.rs

Is your feature request related to a problem? Please describe.
It's already done for http request, we should do it aswell for tcp and udp stream.

This is a daemon change you can see how i did it for inside bin/nanocld/src/utils/proxy.rs
You basically have to create a database model with diesel then create the data when you receive it.
The receive process is already done. The ncdproxy should print a line starting with #STREAM when a tcp / udp request is fired.

An options should be added to force remove a cargo,

Something like

nanocl cargo rm -f my-cargo

These change include stubs, client, cli and daemon update

Is your feature request related to a problem? Please describe.
When deleting a namespace we should add a force option in the query to delete all cargoes and virtual machine existing in the namespace.

Additional context
The command should look like this:

nanocl namespace rm -f my-namespace

We should be able to browser history of Cargoes and Resources

A method GET /cargoes/{id}/histories and GET /resources/{id}/histories should be implemented to be able to browse them in the CLI
using those commands :

nanocl cargo history id
nanocl resource history id

Then a method to reset them you be implemented PATCH /cargoes/{cargo_id}/reset/{history_id}} and PATCH /resources/{cargo_id}/reset/{history_id}
That will create a new config from the history id it's basically like a patch but with a config from our history

Then add command like this:

nanocl cargo reset id history_id
nanocl cargo reset id history_id

Is your feature request related to a problem? Please describe.
Create a workflow to release the proxy, ctrl-proxy, dns and ctrl-dns

We should configure cockroachdb to be ready for multinode.
Remove his unsecure mode with a generated SSL certificat.
We should generate the certificate in the nanocl setup command or in nanocld boot.

Is your feature request related to a problem? Please describe.
When creating a namespace we also are creating a network.
The created network should have ipv6 enabled and actually maybe we should only support ipv6
That will allow us to manage more cargo/container inside a single network

Is your feature request related to a problem? Please describe.
It could be nice to try to improve the code coverage as much as possible.
Arround 75% would be really nice !
You should be able to go on this website to see what is covered or not !

I'll keep this issue open till the goal of 75% is reached.

Trying to execute both command just produce no output and never end :

nanocl cargo --namespace system exec proxy -- cat /var/log/nginx/error.log
docker exec system-proxy cat /var/log/nginx/error.log

Is your feature request related to a problem? Please describe.
Workflow start to take time since we moved to monorepo and are building a lot of stuff.
The image for the proxy and the dns could be build and cached using buildx so speed up the process

By default when creating a namespace it will create an associated network and all cargo created will use this network.
End-User may want to create other custom network ?

A command like :

nanocl namespace global network create my-network

or

nanocl network create --namespace global my-network

could be implemented. With associated list remove and inspect methods.

This can improove container network isolation.

Could be nice to brainstorm about how we can define a cargo replication.

We should be able to :

• run only one instance on all nodes
• run only one instance on targeted nodes
• run one instance in one node
• run x defined instances in all node
• run x defined instances in targeted nodes
• run x defined instances in one node
• autoscale on all nodes
• autoscale on targeted nodes
• autoscale on one node

What else we should be able to do ?
And how we define the data ?

Example of the enum that came in my mind:

/// Auto is used to automatically define that the number of replicas in the cluster
/// Number is used to manually set the number of replicas
/// Note: auto will ensure at least 1 replica exists in the cluster
#[derive(Debug, Clone)]
#[cfg_attr(feature = "serde", derive(Serialize, Deserialize))]
#[cfg_attr(feature = "serde", serde(rename_all = "PascalCase"))]
#[cfg_attr(feature = "dev", derive(ToSchema))]
pub enum ReplicationMode {
  /// Auto is used to automatically define that the number of replicas in the cluster
  /// This will ensure at least 1 replica exists in the cluster
  /// And automatically add more replicas in the cluster if needed for redundancy
  Auto,
  /// Unique is used to ensure that only one replica exists in the cluster
  Unique,
  /// UniqueByNode is used to ensure one replica is running on each node
  UniqueByNode,
  /// UniqueByNodeGroups is used to ensure one replica is running on each node group
  UniqueByNodeGroups { groups: Vec<String> },
  /// UniqueByNodeNames is used to ensure one replica is running on each node name
  UniqueByNodeNames { names: Vec<String> },
  /// Number is used to manually set the number of replicas in one node
  Number(i64),
  /// NumberByNodes is used to manually set the number of replicas in each node
  NumberByNodes(i64),
  /// NumberByNodeGroups is used to manually set the number of replicas in each node group
  NumberByNodeGroups { groups: Vec<String>, number: i64 },
  /// NumberByNodeNames is used to manually set the number of replicas in each node name
  NumberByNodeNames { names: Vec<String>, number: i64 },
}

Is your feature request related to a problem? Please describe.
To fully unlock the control of the network, we need to think about a spec for the dns controller.
By default we use DNSMASQ

First the data type :

Type: Resource
ApiVersion: v0.5

Resources:
- Name: resource-example
  Kind: DnsRule
  Version: v0.1
  Config:
    Network: "Public" | "Private" | "Nsp.{namespace_name}" # To bind to specific namespace ip address
    Entries:
    - Name: test.com
      IpAddress: "127.0.0.1" | "Nsp.{namespace_name}" # To redirect to specific namespace ip address

We should handle two methods:

• PUT /rules to create new / update a DnsRule
• DELETE /rules/{Name} to delete the DnsRule

Creating a rule mean creating a file in this case, nothing have to be stored in database.
That mean we have to create specific dnsmasq config for given resource.

The service should generate an openapi spec aswell.

Feel free to share any though about the config spec for the DnsRule

Is your feature request related to a problem? Please describe.
We have to refactor the way Custom Resource can be created.

Currently we can create custom resource using this method:

Type: Resource
ApiVersion: v0.6

Resources:
  - Name: VpnUser
    Kind: Custom
    Version: v0.1
    Config:
      title: VpnUser
      description: Create a new vpn user
      type: object
      required:
        - Username
      properties:
        Username:
          description: Cargo to watch for changes
          type: string

I want to refactor it so we can add an extra url along the custom schema.
Note: the schema use json schema to be defined.

The refactor i want should access this configuration:

Type: Resource
ApiVersion: v0.6

Resources:
  - Name: VpnUser
    Kind: Kind
    Version: v0.1
    Config:
      Url: my-custom-url.com
      Schema:
        title: VpnUser
        description: Create a new vpn user
        type: object
        required:
          - Username
        properties:
          Username:
            description: Cargo to watch for changes
            type: string

By changing this configuration, ProxyRule and DnsRule should now be defined as Resources and we should ensure they exist during boot time of the daemon. By default they just have and Url property pointing to the url already existing in the project starting with unix://

Note that both Url and Schema property can be optional but if both are unset on the creation of the new Ressource Kind we should return an error.

We should create a custom structure for example ResourceKind.

pub struct ResourceKind {
  pub  url: Option<String>,
  pub schema: Option<serde_json::Value>,
}

Is your feature request related to a problem? Please describe.
I should definitely work on a good developer documentation so people will contribute more easily

Is your feature request related to a problem? Please describe.
Considering docker have a restart endpoint, we should implement it aswell for our cargoes,

This is an api / cli change