Service Deployment
Goal:
Demonstrate packaging, hosting and deployment of interacting services.
Overview:
We extend the existing ecosystem of Docker, Kubernetes and Helm with code that lets us configure relationships between services and link them together.
Users will be able to configure their sandbox with services from the catalog and define their settings; the sandbox is then deployed as a working system.
Current services are:
- ApacheDS service
- MITREid Connect server with LDAP overlay
Below we show:
- How to configure the service for the repository
- How to add the services to the install configuration of the sandbox
- How to define settings for instances of services in the sandbox
- How to spin up a running environment
Configure Service For Repository
Preconditions:
- Existing Docker image or set of images implementing the service
- Kubernetes deployment files for pods, replication controllers, etc.
Steps:
- Create a helm package (chart) for the service following the instructions at https://github.com/kubernetes/helm/blob/master/docs/charts.md. As part of this process, a values.yaml file will be created.
- Extend the helm package with a service description (see examples in rialto/helm/repo/charts); the schema is still to come. Add this description as hspc.json to the chart.
- Parametrize values.yaml using Go templating. Values are accessed with the following patterns:
.Environment.ExternalIPs
.ServiceInstance.DependsOn.<serviceName>.Properties.<propertyName>
.ServiceInstance.Exposes.<serviceName>.Properties.<propertyName>
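As an added example (not rialto's own code) of what the three patterns above mean in Go text/template terms, the following renders a constructed values template for the MITREid Connect instance against a context built from the types shown. The struct layout, the property names (port, baseDn, contextPath) and the template text are assumptions; only the access patterns come from the page. Two details matter in practice: service names containing "-" (as in apacheDS-svc) are not valid template identifiers, so they must be fetched with index rather than the dotted form, and rendering with missingkey=error turns a mistyped service or property name into a hard failure instead of an empty value in the generated values.yaml.

```go
package main

import (
	"bytes"
	"fmt"
	"net"
	"text/template"
)

// Environment holds cluster-wide facts a chart template reads as
// .Environment.<field>. Only ExternalIPs is named on the page.
type Environment struct {
	ExternalIPs []string
}

// ServiceRef is one dependency or exposed service with its settable
// properties. The shape is an assumption of this example; the hspc.json
// schema is not published yet.
type ServiceRef struct {
	Properties map[string]string
}

// ServiceInstance backs .ServiceInstance.DependsOn.<svc>.Properties.<p>
// and .ServiceInstance.Exposes.<svc>.Properties.<p>.
type ServiceInstance struct {
	Name      string
	DependsOn map[string]ServiceRef
	Exposes   map[string]ServiceRef
}

// TemplateContext is the root object handed to the template.
type TemplateContext struct {
	Environment     Environment
	ServiceInstance ServiceInstance
}

// RenderValues renders a values template against ctx. Every external IP
// must parse as an IP address, and missingkey=error makes a mistyped
// service or property name fail the render instead of quietly writing an
// empty value into the generated values.yaml.
func RenderValues(tmpl string, ctx TemplateContext) (string, error) {
	for _, ip := range ctx.Environment.ExternalIPs {
		if net.ParseIP(ip) == nil {
			return "", fmt.Errorf("external IP %q is not an IP address", ip)
		}
	}
	t, err := template.New("values").Option("missingkey=error").Parse(tmpl)
	if err != nil {
		return "", fmt.Errorf("parse values template: %w", err)
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, ctx); err != nil {
		return "", fmt.Errorf("render values template: %w", err)
	}
	return buf.String(), nil
}

// ValuesTemplate is a constructed values template for the MITREid Connect
// instance. Service names containing '-' are not valid template
// identifiers, so they are fetched with index rather than the dotted
// .DependsOn.<name> form.
const ValuesTemplate = `ldapHost: {{ index .Environment.ExternalIPs 0 }}
ldapPort: {{ (index .ServiceInstance.DependsOn "apacheDS-svc").Properties.port }}
ldapBaseDn: {{ (index .ServiceInstance.DependsOn "apacheDS-svc").Properties.baseDn }}
issuer: http://{{ index .Environment.ExternalIPs 0 }}/{{ (index .ServiceInstance.Exposes "mitre-openid-connect-svc").Properties.contextPath }}/
`

// ExampleContext is constructed sample data using the service names from
// install.json; the IPs and property names are assumptions.
func ExampleContext() TemplateContext {
	return TemplateContext{
		Environment: Environment{ExternalIPs: []string{"10.0.1.5", "10.0.1.6"}},
		ServiceInstance: ServiceInstance{
			Name: "openid-connect-instance",
			DependsOn: map[string]ServiceRef{
				"apacheDS-svc": {Properties: map[string]string{"port": "389", "baseDn": "dc=example,dc=com"}},
			},
			Exposes: map[string]ServiceRef{
				"mitre-openid-connect-svc": {Properties: map[string]string{"contextPath": "ldap-openid-connect-server"}},
			},
		},
	}
}

func main() {
	out, err := RenderValues(ValuesTemplate, ExampleContext())
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Print(out)
}
```

Running it prints the four rendered lines; swapping "apacheDS-svc" for a misspelled name, or putting a hostname instead of an address in ExternalIPs, returns an error rather than a half-filled values file.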
To test:
- Run the chart repository server locally using helm commands or rialto/helm/repo/run-helm-server.sh
- Install to your local cluster using helm commands
To publish:
- Send a pull request
Deployment
The input to the deployment is a definition of the services in the environment: install.json.
install.json defines the instances of services in the environment and their connections to each other. Right now it defines only the instances; it is up to the user to define the connections by matching settings appropriately. In future iterations, settings will be inferred by examining service dependencies.
{
"instances": [
{
"name": "apache-ds-instance",
"serviceName": "apacheDS-svc",
"chartSource": {
"helmRepo":"hspc-helm",
"chartName":"ldap.ApacheDS",
"url": "http://hspc-helm.preparedmind.net"
}
},
{
"name": "openid-connect-instance",
"serviceName": "mitre-openid-connect-svc",
"chartSource": {
"helmRepo":"hspc-helm",
"chartName":"openid-connect-ldap-mitre",
"url": "http://hspc-helm.preparedmind.net"
}
}]
}
Configure values.yaml files:
The output of the configuration process is:
- a set of values.yaml files, one to set up each chart
- a deploy.sh script that runs all of the helm commands
To generate them, execute:
go run rialto/src/rialto.go --install-file install.json
This examines install.json, pulls the service config (hspc.json and value.template.yaml) from each service and prompts the user for the service values.
Set up the environment:
Execute deploy.sh
Example: LDAP with MitreID Connect
This example defines an environment with an Apache Directory Server and MITREid Connect Server.
Preconditions:
- AWS; the client is an Amazon Linux instance
- The following tools are installed on your client machine. I usually spin up an instance in EC2, but this can be any machine.
- Kubernetes (http://kubernetes.io/docs/getting-started-guides/aws/)
- Helm (https://github.com/kubernetes/helm/blob/master/docs/install.md)
- Go
- git (sudo yum install -y git)
- The examples and code (git clone --depth=1 https://github.com/polyakov/rialto)
Steps:
- Spin up kubernetes cluster (kube-up.sh) - see http://kubernetes.io/docs/getting-started-guides/aws/
- Add security groups to allow port 389 (ldap) and port 80 (http) access to the kubernetes-minion nodes. Restrict the rules' source to your client's address rather than 0.0.0.0/0: both ports carry plaintext (LDAP simple binds and HTTP logins), and the test below loads a well-known test account.
- Install helm in kubernetes (helm init)
- Add the hspc repo to helm (helm repo add hspc-helm http://hspc-helm.preparedmind.net). Once we have DNS, we'll move this to an HSPC URL.
- Optionally, remove the preconfigured "local" and "stable" repos with helm repo remove stable and helm repo remove local.
- Find the node IPs that we'll enter as the External IPs during service configuration. These are the addresses Kubernetes reports for each node; on AWS this is the instance's private IP, shown as "Private IP" in the EC2 console. Using kubectl:
kubectl get nodes -o jsonpath='{.items[*].status.addresses[?(@.type=="LegacyHostIP")].address}'
- From rialto directory
- execute: go run src/rialto.go --install-file test/examples/ldap-mitreidconnect/install.json
- Enter the IPs one at a time and accept the defaults
- execute deploy.sh
- Test by adding a user and authenticating
- Using one of your minions' public IP addresses, connect an LDAP client (e.g. Apache Directory Studio)
- Import the test user (username: test, password: test). The ldif file is rialto/test/examples/ldap-mitreidconnect/test-user.ldif
- Using a web browser, navigate to http://<minion-ip>/ldap-openid-connect-server/ and log in with test/test. Remove the test account (or tear down the sandbox) when you are done; it is reachable by anyone the security group admits.
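An added example (not part of rialto) for the "find the node IPs" step above. Instead of the jsonpath one-liner it reads the JSON form of the same command (kubectl get nodes -o json), skips nodes whose Ready condition is not True, and falls back from LegacyHostIP to InternalIP for clusters that no longer report the legacy type, so a node is never silently left out of the IP list. The node list below is constructed sample data, not real cluster output.

```go
package main

import (
	"encoding/json"
	"fmt"
)

type nodeAddress struct {
	Type    string `json:"type"`
	Address string `json:"address"`
}

type nodeCondition struct {
	Type   string `json:"type"`
	Status string `json:"status"`
}

// nodeList is the part of `kubectl get nodes -o json` this example reads.
type nodeList struct {
	Items []struct {
		Metadata struct {
			Name string `json:"name"`
		} `json:"metadata"`
		Status struct {
			Addresses  []nodeAddress   `json:"addresses"`
			Conditions []nodeCondition `json:"conditions"`
		} `json:"status"`
	} `json:"items"`
}

// AddressPreference is the order of address types to try. LegacyHostIP is
// what the jsonpath in the steps above selects; on clusters that no longer
// report it, InternalIP carries the same private address on AWS.
var AddressPreference = []string{"LegacyHostIP", "InternalIP"}

func isReady(conds []nodeCondition) bool {
	for _, c := range conds {
		if c.Type == "Ready" {
			return c.Status == "True"
		}
	}
	return false
}

func pickAddress(addrs []nodeAddress, prefer []string) (string, bool) {
	for _, want := range prefer {
		for _, a := range addrs {
			if a.Type == want && a.Address != "" {
				return a.Address, true
			}
		}
	}
	return "", false
}

// NodeIPs maps each Ready node's name to its chosen address. A Ready node
// with none of the preferred address types is an error, so the caller never
// proceeds with a partial list of External IPs.
func NodeIPs(kubectlJSON []byte, prefer []string) (map[string]string, error) {
	var nl nodeList
	if err := json.Unmarshal(kubectlJSON, &nl); err != nil {
		return nil, fmt.Errorf("decode node list: %w", err)
	}
	ips := make(map[string]string)
	for _, n := range nl.Items {
		if !isReady(n.Status.Conditions) {
			continue
		}
		addr, ok := pickAddress(n.Status.Addresses, prefer)
		if !ok {
			return nil, fmt.Errorf("node %s: no address of type %v", n.Metadata.Name, prefer)
		}
		ips[n.Metadata.Name] = addr
	}
	if len(ips) == 0 {
		return nil, fmt.Errorf("no Ready nodes in node list")
	}
	return ips, nil
}

// SampleNodes is constructed sample output: two Ready minions, one of which
// reports only the newer address types, and one node that is not Ready.
const SampleNodes = `{"items":[
 {"metadata":{"name":"ip-10-0-1-5"},"status":{
   "addresses":[{"type":"LegacyHostIP","address":"10.0.1.5"},{"type":"ExternalIP","address":"54.0.0.5"}],
   "conditions":[{"type":"Ready","status":"True"}]}},
 {"metadata":{"name":"ip-10-0-1-6"},"status":{
   "addresses":[{"type":"InternalIP","address":"10.0.1.6"},{"type":"ExternalIP","address":"54.0.0.6"}],
   "conditions":[{"type":"Ready","status":"True"}]}},
 {"metadata":{"name":"ip-10-0-1-7"},"status":{
   "addresses":[{"type":"InternalIP","address":"10.0.1.7"}],
   "conditions":[{"type":"Ready","status":"False"}]}}
]}`

func main() {
	ips, err := NodeIPs([]byte(SampleNodes), AddressPreference)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for name, ip := range ips {
		fmt.Printf("%s %s\n", name, ip)
	}
}
```

The addresses this returns are the ones to type in at the rialto.go prompts; the ExternalIP entries in the sample are the public addresses used later for the LDAP client and the browser, not for service configuration.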