An Infrastructure-as-Code (IaC) deployment wrapper that spelunks repository slugs, spins up Dockerized services with mTLS, and executes Python applications in a secure service mesh.
Install build dependencies to avoid cryptography compilation issues:
# Install system dependencies
sudo apt-get update
sudo apt-get install -y build-essential libssl-dev libffi-dev python3-dev# One-command setup and deployment
cp env.example .env
make bootstrap
source venv/bin/activate
make plan && make apply
iac deploy --file repos.yamlKarstKit supports multiple repository formats:
gh:owner/repo- GitHub repositorygh:owner/repo#branch- Specific branch or taggl:owner/repo- GitLab repositorybb:owner/repo- Bitbucket repository
The system automatically detects the repository type and fetches the source code using the most efficient method (tarball download preferred, shallow clone fallback).
KarstKit intelligently detects Python entrypoints in this order:
- Console Scripts: Checks
pyproject.tomlfor[project.scripts]and uses the first one - Package Main: Looks for
{package}/__main__.py - Root Main: Searches for
main.pyor__main__.pyat repository root - App Structure: Detects
app.py,app/__main__.py, orsrc/{package}/__main__.py - Function Detection: Scans Python files for
def main(orif __name__ == "__main__"
You can override the detected entrypoint using Docker labels:
# In your Dockerfile
LABEL ENTRYPOINT="custom.module:main_function"Or via environment variable:
export ENTRYPOINT="myapp.cli:start"View Envoy metrics and statistics:
# Access Envoy admin interface (per service)
curl http://localhost:9901/stats
# View service-specific metrics
curl http://localhost:9901/stats?filter=service_nameStream logs from deployed services:
# Stream all service logs
iac logs
# Stream specific service logs
iac logs --service my-service
# Follow logs in real-time
iac logs --followSet custom OTLP endpoint for distributed tracing:
export OTEL_EXPORTER_OTLP_ENDPOINT="https://your-otel-collector:4317"
export OTEL_SERVICE_NAME="karstkit-service"View traces in your OpenTelemetry-compatible backend (Jaeger, Zipkin, etc.).
KarstKit generates a development CA automatically:
- CA certificate:
./secrets/ca.pem - CA private key:
./secrets/ca.key - Service certificates:
./secrets/{service-name}.{crt,key}
To replace the self-signed CA with a production PKI:
-
Replace CA files:
# Copy your CA certificate and key cp /path/to/prod-ca.pem ./secrets/ca.pem cp /path/to/prod-ca.key ./secrets/ca.key -
Update certificate generation in
iac_wrapper/envoy.py:# Modify the certificate generation logic to use your PKI # instead of the self-signed CA generation
-
Configure service certificates:
- Ensure each service has a valid certificate from your PKI
- Update the certificate paths in Envoy configuration
- Verify certificate chain and trust relationships
- Single Docker Network: All services run on the
iacnetnetwork - Development CA: Default self-signed certificates for development only
- Local Storage: Repository cache and certificates stored locally
- No High Availability: Single control plane instance
- Python Focus: Optimized for Python applications (other languages supported via
/app/main)
KarstKit is built with a modular, test-driven architecture:
- Python CLI + Flask API: Thin control plane for orchestration
- Terraform: Declarative infrastructure using Docker provider
- Envoy Sidecars: mTLS service mesh for secure inter-service communication
- gRPC + Protobuf: Type-safe communication between services
- OpenTelemetry: Built-in observability and distributed tracing
.
βββ Makefile # Development workflow automation
βββ README.md # This file
βββ CLAUDE.md # Development guide for Claude Code
βββ .env.example # Environment template
βββ pyproject.toml # Python project configuration
βββ requirements.txt # Python dependencies
βββ .pre-commit-config.yaml # Code quality hooks
βββ repos.yaml # Example repository configuration
βββ proto/
β βββ controlplane.proto # gRPC service definitions
βββ infra/
β βββ main.tf # Terraform Docker resources
β βββ variables.tf # Terraform variables
β βββ outputs.tf # Terraform outputs
β βββ templates/
β βββ envoy.yaml.tmpl # Envoy sidecar configuration
β βββ app.Dockerfile.tmpl # Application container template
βββ iac_wrapper/
β βββ config.py # Configuration and environment handling
β βββ auth.py # Supabase JWT authentication
β βββ slug.py # Repository slug parsing
β βββ gitops.py # Git operations and entrypoint detection
β βββ dockerize.py # Docker image building and management
β βββ envoy.py # Envoy configuration and certificate management
β βββ grpc_pb/ # Generated protobuf code
β βββ controlplane.py # gRPC client for service communication
β βββ api.py # Flask admin API
β βββ cli.py # Command-line interface
βββ tests/
βββ conftest.py # Pytest fixtures and configuration
βββ test_*.py # Comprehensive test suite (131+ tests)
βββ test_integration_deploy.py # End-to-end deployment tests
βββ test_e2e_deployment_pipeline.py # Complete E2E pipeline validation
βββ E2E_DEPLOYMENT_TEST.md # E2E test documentation
- Docker Network: Single
iacnetbridge network (172.20.0.0/16) - Service Communication: gRPC on port 50051 per service
- Envoy Ports: 15000 (inbound), 15001 (outbound), 9901 (metrics)
- mTLS Certificates: Self-signed CA with per-service leaf certificates
- Admin API: HTTP on 127.0.0.1:8080 + Unix domain socket at
/run/iac_wrapper.sock
KarstKit includes a comprehensive test suite ensuring reliability and maintainability:
- 131+ Tests across all components
- Unit Tests: Slug parsing, Git operations, Docker management, authentication
- Integration Tests: Full deployment workflows with health checks
- Mocking: Comprehensive external dependency mocking
- Coverage Target: 80% minimum coverage requirement
# Run all tests
make test
# Run tests with coverage
make test-cov
# Run specific test categories
pytest -m "not slow" # Skip slow tests
pytest -m integration # Integration tests only
pytest tests/test_slug.py -v # Specific component tests
# Run end-to-end deployment pipeline test
make e2e-test # Complete deployment validation- Black: Code formatting (88 character line length)
- Pre-commit: Automated code quality checks
- MyPy: Static type checking
- Pytest: Testing framework with coverage reporting
# Setup development environment
make bootstrap
# Generate protobuf files
make proto
# Format code
make fmt
# Run linting
make lint
# Run tests
make test
# Run end-to-end deployment test
make e2e-test
# Infrastructure commands
make plan # Show Terraform plan
make apply # Apply infrastructure changes
make destroy # Destroy all resources- Create the module in
iac_wrapper/ - Write tests first in
tests/test_<component>.py - Implement functionality following existing patterns
- Update documentation as needed
- Run quality checks with
make fmt lint test
Required in .env file:
SUPABASE_URL=https://your-project.supabase.co
SUPABASE_SERVICE_ROLE_KEY=your-service-role-key
OTEL_EXPORTER_OTLP_ENDPOINT=http://localhost:4317 # Optional- gRPC Services: 50051
- Envoy Inbound: 15000
- Envoy Outbound: 15001
- Envoy Metrics: 9901
- Admin API: 8080
KarstKit includes automated testing and deployment validation:
- End-to-End Deployment Test: Validates complete deployment pipeline
- Runs on pushes to main/develop branches
- Daily scheduled runs to catch regressions
- Tests full deployment workflow for
gh:talosaether/dshbrd - Validates service mesh, health checks, and cleanup
# Run the same E2E test that runs in CI
make e2e-test
# Run with CI-friendly output
make e2e-test-ciCLAUDE.md: Comprehensive development guide for AI code assistantsREADME.md: This overview and usage guidetests/E2E_DEPLOYMENT_TEST.md: Complete E2E testing documentation- Inline Documentation: Extensive docstrings and type hints throughout codebase
- Test Examples: Tests serve as living documentation of component behavior