Terraform provisioning for Jupiter into Azure Cloud #2733
Conversation
Generated by 🚫 Danger |
| @@ -10,16 +9,13 @@ SAML_CERTIFICATE= | |||
| ROLLBAR_TOKEN= | |||
| GOOGLE_ANALYTICS_TOKEN= | |||
| RAILS_LOG_TO_STDOUT=true | |||
| # Comma delimited string of rack attack safelisted IPs | |||
There was a problem hiding this comment.
Rack attack gem was removed long time ago
| @@ -1,7 +1,6 @@ | |||
| #Rails application env variables | |||
| RAILS_ENV=uat | |||
| DATABASE_URL=postgresql://jupiter:mysecretpassword@postgres:5432/ | |||
| FCREPO_URL=http://fcrepo:8080/fcrepo/rest | |||
There was a problem hiding this comment.
Fedora was removed long time ago...updated all references I could find here
| @@ -39,14 +39,5 @@ | |||
| # | |||
| # preload_app! | |||
|
|
|||
| if ENV['RAILS_ENV'] == 'uat' | |||
There was a problem hiding this comment.
No need to fork puma workers
| } | ||
|
|
||
|
|
||
| resource "kubernetes_config_map" "solr-config" { |
There was a problem hiding this comment.
Solr helm charts were mostly around the idea of creating a cluster (multiple solrcloud instances and zookeeper/operator instances etc) which is probably overkill for us. Created a simple solr pod myself which mirrors the work we did in docker compose with old UAT.
For production, perhaps looking into these helm charts would be worth it.
(If Jupiter wasn't on the cutting block, I would suggest moving to ElasticSearch. The time it will take someone (maybe on Unix team) to figure out and rollout a game plan for a Solr Cluster, and then the time and effort to maintain this Solr Cluster would be a big undertaking. Never mind the fact that Jupiter requires an End of Life version of Solr (v6.6) and upgrading this would also be quite a bit of work. So for all this time and effort, you could easily rip out the functionality of Solr in Jupiter and transition to Elasticsearch instead. Then just use Azure's Elasticsearch service. This would be a far cheaper path to go down then keeping with an EOL Solr Cluster. Jupiter itself would also be in a far better place going forward into the future)
| } | ||
|
|
||
| data = { | ||
| "schema.xml" = "${file("${path.module}/../solr/config/schema.xml")}" |
There was a problem hiding this comment.
I think solrconfig.xml is required but not sure about schema.xml? Also we have a ton of junk in the solr/config and solr directory in Jupiter that we should delete if we not using it...as its just adds confusion.
In Docker compose we would mount this entire solr/config directory into the image, but honestly think we just need these 1 or 2 files.
In Kubernetes world, you create a ConfigMap with the file data, then mount this as a volume to do a similar thing
| } | ||
| } | ||
| } | ||
| volume { |
There was a problem hiding this comment.
TODO: We have no persistence layer here. So this be a good improvement where we want to look into storing the solr data in a persistent storage so things like recreating this solr pod doesn't delete all the data it currently has
| } | ||
| } | ||
|
|
||
| resource "kubernetes_service" "solr-service" { |
There was a problem hiding this comment.
We need to expose solr pod to rest of the pods, so that Rails can talk to it.
This allows traffic from Rails to Solr via "http://jupiter-solr:8983/solr/jupiter-uat" to work
| RAILS_LOG_TO_STDOUT = "true" | ||
| RAILS_SERVE_STATIC_FILES = "true" | ||
| DATABASE_URL = "postgresql://${urlencode("${var.postgresql-admin-login}@${azurerm_postgresql_server.db.name}")}:${urlencode(var.postgresql-admin-password)}@${azurerm_postgresql_server.db.fqdn}:5432/${azurerm_postgresql_database.postgresql-db.name}" | ||
| SOLR_URL = "http://${var.app-name}-solr:8983/solr/jupiter-uat" |
There was a problem hiding this comment.
Just noticed this name could be better, should be driven off the solr pod name instead:
"http://${kubernetes_deployment.solr.name}:8983/solr/jupiter-uat"
| } | ||
| spec { | ||
| rule { | ||
| # TODO: Figure out how we will use DNS/etc |
There was a problem hiding this comment.
As TODO states this is left as a manual task. Where either someone has to manually create an A Record in the DNS after we provisioned UAT environment... or for self local testing you can set your /etc/hosts to the correct ip mapping.
But this should get automated! Terraform can do this for us in a very trivial manner.
Same goes for SSL certificates and getting that configured.
| name = "${var.app-name}-ingress" | ||
| annotations = { | ||
| "kubernetes.io/ingress.class" = "nginx" | ||
| "nginx.ingress.kubernetes.io/proxy-body-size" = "16m" |
There was a problem hiding this comment.
This is an example of how you can configure NGINX via annotations. For example by default you can only upload images to nginx that I believe less then 1 MB in size, this makes it 16 MBs. Obviously we want to increase this and this is how you can do this.
There is a ton of other options you can configure NGINX to your liking. Could look into adding SSL certs, having nginx serve assets instead of Rails, etc.
More info: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/
| collation = "English_United States.1252" | ||
| } | ||
|
|
||
| # TODO: Fix this, Currently we allow everything for now |
There was a problem hiding this comment.
This and the firewall rules for Redis needs to be played with and tightened.
At the end of the day we only want internal private traffic for our pods (flow from Rails/Sidekiq to Redis/Postgres). We ourselves have no business needing access to these resources.
Perhaps we can change to only allow private ip addresses or a virtual private network?
start_ip_address = "10.0.0.0"
end_ip_address = "10.255.255.255"
But this needs some investigation
| family = "C" | ||
| sku_name = "Standard" | ||
|
|
||
| # TODO: It possible to use SSL here? |
There was a problem hiding this comment.
For Postgres and Redis they provide SSL options but this is probably overkill especially if we keep this traffic to just inside our pods. But something that might be worth looking into
| account_tier = "Standard" | ||
| account_replication_type = "LRS" | ||
|
|
||
| # TODO: Probably not needed for Jupiter? |
There was a problem hiding this comment.
This can probably be removed. We only do file uploads from Rails server so we have no need for CORS. But I suppose if we ever do something with ActionText or using ActiveStorage direct upload then this might be useful
| @@ -0,0 +1,24 @@ | |||
| #################### | |||
There was a problem hiding this comment.
Sample file for terraform.tfvars This is an easy way to set the variables in variables.tf for terraform without having to pass them on the command line. The variables in terraform.tfvars should be kept secret as they will contain sensitive information (DB password, etc) and as a result are gitignored
|
|
||
| /public/packs | ||
| /public/packs-test | ||
| /node_modules |
There was a problem hiding this comment.
Probably shouldn't check all this stuff into our docker images 😆. This saves a good 100 MB or so from my images I was building
| @@ -80,6 +80,10 @@ gem 'google-api-client', | |||
| gem 'builder_deferred_tagging', github: 'ualbertalib/builder_deferred_tagging', tag: 'v0.01' | |||
| gem 'oaisys', github: 'ualbertalib/oaisys', tag: 'v1.0.3' | |||
|
|
|||
| group :uat do | |||
| gem 'azure-storage-blob', require: false | |||
There was a problem hiding this comment.
Required for Activestorage to use Azure blob storage as a bucket
| data = { | ||
| RAILS_ENV = "uat" | ||
| RAILS_LOG_TO_STDOUT = "true" | ||
| RAILS_SERVE_STATIC_FILES = "true" |
There was a problem hiding this comment.
Having Rails serve our assets currently. Nginx could easily do this instead. Could be nice improvement here to investigate this in the future.
| name = "${var.app-name}-config" | ||
| } | ||
| } | ||
| # TODO: Figure healthcheck out, seems to be failing on HTTP/HTTPS issue |
There was a problem hiding this comment.
Not sure why this is failing. Needs more investigation.
We need to white list host I believe via:
config.hosts << IPAddr.new('10.0.0.0/8') (maybe we need to do localhost too?)
Apparently you could also whitelist this route instead (but couldn't get this working locally 🤔) via
# Exclude requests for the /healthcheck/ path from host checking
Rails.application.config.host_configuration = {
exclude: ->(request) { request.path =~ /healthcheck/ }
}More info: https://guides.rubyonrails.org/configuring.html#actiondispatch-hostauthorization
But even after this I am seeing the following error:
2022-01-30 20:01:43 +0000 HTTP parse error, malformed request: #<Puma::HttpParserError: Invalid HTTP format, parsing fails. Are you trying to open an SSL connection to a non-SSL Puma?
Apparently this can happen when the site keep redirecting http to https when attempting to hit localhost (puma/puma#1128 (comment)).
So I set the scheme = "HTTPS" so the probe should happen with HTTPS instead but still no luck.
So anyways needs some playing around to figure out how we can get this to pass without issues.
Everything works without the healthcheck, but healthchecks are important for kubernetes as it helps the control plane when deploying/monitoring pods/etc
| spec { | ||
| container { | ||
| name = "${var.app-name}-workers" | ||
| image = "murny/jupiter:latest" |
There was a problem hiding this comment.
Using my own image I build instead of overwriting the ualberta stuff. So this will just need to updated to point to the correct one.
My own image does nothing special...just docker build -f Dockerfile.deployment and docker push
This PR adds the ability to provision and setup Jupiter in Azure Cloud via Kubernetes.
How to start
terraform.tfvars.sampletoterraform.tfvars. Add Azure login information and other information you needterraform init(need to be inside terraform directory to run this and following commands)terraform planand make sure no issuesterraform apply(warning: this takes about 30 minutes to finish)kubectl describe ing jupiter-ingress -n jupiter --kubeconfig kubeconfigand look for the "Address" in the output, this is the external IP.*.uat.library.ualberta.ca*.uat.library.ualberta.cadomain to this IP Address. But for testing we can just create some entries in our computer's/etc/hostslike so:https://era.uat.library.ualberta.ca! However first time we go here since we haven't configured SSL with real certificates you will get the following error:kubectl get pods -n jupiter --kubeconfig kubeconfigkubectl exec --stdin --tty jupiter-app-<REPLACE WITH POD ID FROM ABOVE> -n jupiter --kubeconfig kubeconfig -- bin/rails db:seedSidekiq running correctly:
Database seeds ran without issue:
Solr is working correctly, can search records with no problems:
Depositing and updatinga new item all works. Downloading files works. Everything works.
SAML could easily be configured and setup just like how we do for staging if we wanted too
terraform destroy(rarely but sometimes you need to do this twice because of ordering issues where postgres tries to be taken down before cluster, etc. Rerunning it again resolves everything) Destroying everything takes about 10 minutes.Next steps: