Unverified Commit d2ed6350 authored by Marco Emilio "sphakka" Poleggi
parent cd8e4a1d
# Project: web SSO service with K8s/KinD # Project: web SSO service with K8s/KinD
A pseudo web single-sing-on (SSO) service deployed on a Kubernets cluster A pseudo web single-sing-on (SSO) service deployed on a Kubernetes cluster
provisioned with KinD. This is mostly an integration project with some provisioned with KinD. This is mostly an integration project with some
application development. application development.
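Review bot: the typo "single-sing-on" in the description line survives on both sides of this hunk; since the line is already being edited to fix "Kubernets", correct it to "single-sign-on" in the same change.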
...@@ -73,7 +73,7 @@ The following files in directory `views/` handle the client-side workflow. ...@@ -73,7 +73,7 @@ The following files in directory `views/` handle the client-side workflow.
The file `main.py` handles the REST logic by conveying all requests to the The file `main.py` handles the REST logic by conveying all requests to the
back-end. back-end.
:bulb: **This part does not requires adaptations.** :bulb: **This part requires adaptations only for the [bonuses](bonuses).**
### Back-end ### Back-end
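Review bot: the new link `[bonuses](bonuses)` targets a relative path rather than the in-page heading; the rest of the README uses anchor links such as `[Development](#development)`, so this should read `[bonuses](#bonuses)` to land on the `### Bonuses` section.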
...@@ -287,6 +287,7 @@ The infrastructure (computing instance + S3 storage) shall be provisioned via ...@@ -287,6 +287,7 @@ The infrastructure (computing instance + S3 storage) shall be provisioned via
**Terraform**. **Terraform**.
:bulb: References: :bulb: References:
* Terraform: https://registry.terraform.io/providers/hashicorp/aws/latest/docs * Terraform: https://registry.terraform.io/providers/hashicorp/aws/latest/docs
...@@ -336,12 +337,14 @@ map: ...@@ -336,12 +337,14 @@ map:
:hammer_and_wrench: You shall: :hammer_and_wrench: You shall:
1. Fork this repository. 1. Fork this repository. **N.B. Your fork must be a new, private GitEdu
project. Please, invite the instructors as "reporters". Do not change the
files' layout or names!**
2. Complete the Python back-end file `Application/backend/main.py`. See the 2. Complete the Python back-end file `Application/backend/main.py`. See the
section [Development](#development) below. Test locally the application as section [Development](#development) below. Test locally the application as
explained in section [Local installation](#local-installation). explained in section [Local installation](#local-installation).
3. Rebuild the application's Docker images, then: 3. Rebuild the application's Docker images, then:
- test [locally the deployment](#local-docker-deployment), then - test [locally the deployment](#local-docker-deployment),
- push the images to your public Docker Hub repository. This task shall - push the images to your public Docker Hub repository. This task shall
be automated via Ansible -- see below. be automated via Ansible -- see below.
4. Complete your Terraform files from the version you developed in 4. Complete your Terraform files from the version you developed in
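Review bot: step 3 tells students to push the rebuilt images to a public Docker Hub repository, but nothing here says that `s3_credentials.env` must stay out of the image; a credentials file copied into a public image is as exposed as one committed to Git. Suggest adding a sentence to step 3 that the file must be excluded from the build context (e.g. via `.dockerignore`) and only injected at run time, which is also what the later Docker/Kubernetes sections assume.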
...@@ -350,7 +353,8 @@ map: ...@@ -350,7 +353,8 @@ map:
plus an S3 storage bucket -- no KinD/Kubectl package installation. Commit plus an S3 storage bucket -- no KinD/Kubectl package installation. Commit
your recipe files and in directory `Terraform/` -- Cloud-init files are your recipe files and in directory `Terraform/` -- Cloud-init files are
already in sub-folder `conf/`. already in sub-folder `conf/`.
5. Complete your Ansible playbook, starting from the version you developed in 5. Complete your Ansible playbook `lb-deployment.yaml`, starting from the
version you developed in
[Lab-Ansible](https://gitedu.hesge.ch/lsds/teaching/bachelor/cloud-and-deployment/lab-ansible) [Lab-Ansible](https://gitedu.hesge.ch/lsds/teaching/bachelor/cloud-and-deployment/lab-ansible)
Task #10, to (commit all related files in directory `Ansible/`): Task #10, to (commit all related files in directory `Ansible/`):
- expose the application portal's IP (i.e, the load-balancer's) to the - expose the application portal's IP (i.e, the load-balancer's) to the
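Review bot: step 5 now names the Ansible playbook `lb-deployment.yaml`, but the deliverables list added further down in this commit names the Ansible playbook `kind-metallb.yml` and uses `lb-deployment.yaml` for the K8s service manifest, and states that any other playbook will be ignored. One of the two needs to change, otherwise students following step 5 literally will submit a file that is not graded; suggest step 5 read "Complete your Ansible playbook `kind-metallb.yml`".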
...@@ -359,16 +363,29 @@ map: ...@@ -359,16 +363,29 @@ map:
repository. These shall be [`local_action` repository. These shall be [`local_action`
tasks.](https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_delegation.html) tasks.](https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_delegation.html)
Your **deliverables** are the following files:
* Python: `backend/main.py` (+ any other front-end files for the bonuses)
* Terraform: a single `main.tf` recipe (vars and outputs files are also OK)
* Ansible: a single `kind-metallb.yml` playbook. **N.B. Any other playbook
will be ignored!**
* K8s: the `lb-deployment.yaml` service manifest. The remaining files
shouldn't need to be modified.
:bulb: References: :bulb: References:
* Build and push Docker images: https://docs.docker.com/get-started/introduction/build-and-push-first-image/
* Ansible playbook delegation: - Build and push Docker images: https://docs.docker.com/get-started/introduction/build-and-push-first-image/
- Ansible playbook delegation:
https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_delegation.html https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_delegation.html
### Bonuses ### Bonuses
You will get bonus points for any of the following improvements. :star: You will get bonus points for any of the following improvements.
* Use [Kubernetes
secrets](https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#define-container-environment-variables-using-secret-data)
instead of a plain ConfigMap. +0.1 points.
* Ask for the password when removing an account (unenroll) -- extra * Ask for the password when removing an account (unenroll) -- extra
safety. +0.2 points. safety. +0.2 points.
* Use password hashing in the back-end -- extra security. +0.1 points. * Use password hashing in the back-end -- extra security. +0.1 points.
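Review bot: the deliverables list gives the Python file as `backend/main.py` while step 2 above refers to `Application/backend/main.py`; use the full repository path in both places so the "do not change the files' layout or names" rule is unambiguous. Minor style point in the same hunk: the References bullets switch from `*` to `-` while every other list in the README uses `*`.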
...@@ -413,8 +430,9 @@ Otherwise, plain install -- you might need to install python dependencies ...@@ -413,8 +430,9 @@ Otherwise, plain install -- you might need to install python dependencies
$ make install $ make install
``` ```
Put your SwitchEngines EC2 credentials in file Put your SwitchEngines S3 credentials in file
`<sandbox>/Application/s3_credentials.env`, which should be already there. `<sandbox>/Application/s3_credentials.env`, which should be already
there. :warning: **Do not commit this file in your Git repo!**
Finally, run the application in the current console: Finally, run the application in the current console:
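Review bot: the warning not to commit `s3_credentials.env` is good, but it conflicts with "which should be already there" unless the file is generated locally; clarify whether `make install` creates it or the student must create it, and back the warning with a `.gitignore` entry for `Application/s3_credentials.env` so the protection does not depend on students reading the note.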
...@@ -427,12 +445,18 @@ Or, run it in its own terminal: ...@@ -427,12 +445,18 @@ Or, run it in its own terminal:
$ make trun $ make trun
``` ```
:bulb: The two images are quite compact, nevertheless, to reduce disk space
waste, please, **do frequent cleanups** with the command:
``` shell
$ docker system prune
```
#### Local Docker deployment #### Local Docker deployment
:hammer_and_wrench: **Install the following Docker packages on your workstation according :hammer_and_wrench: **Install the following Docker packages on your
to your distribution's instructions: docker(.io), docker-cli, workstation according to your distribution's instructions: docker(.io),
(docker-)buildx** docker-cli, (docker-)buildx**
:bulb: Please, peruse the `Makefile` to learn the real Docker commands. :bulb: Please, peruse the `Makefile` to learn the real Docker commands.
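Review bot: `docker system prune` also deletes all stopped containers, so a student who ran `make dstop` (listed below as a way to manage the app containers) and then follows this cleanup tip will lose those containers and have to recreate them; either mention this next to the tip or suggest running the prune only after `make drm`.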
...@@ -466,6 +490,39 @@ You can manage your containers with the other make commands: dstop, dstart, ...@@ -466,6 +490,39 @@ You can manage your containers with the other make commands: dstop, dstart,
drm, etc. drm, etc.
#### Kubernetes
The local deployment uses an `.env` file to pass S3 credentials and other
variables to Docker. This shall be converted into a [Kubernetes
CofigMap](https://kubernetes.io/docs/concepts/configuration/configmap/). Even
though it is not safe for production use, it is enough for our purposes.
:hammer_and_wrench: You shall
1. write a ConfigMap file `s3_credentials.yaml` based on the
`s3_credentials.env` used for Docker;
2. extend your K8s deployment YAML file with
* support for the two app containers -- the front-end shall be
load-balanced;
* a `configMapRef` for the back-end using the above ConfigMap file.
Of course, once all files are ready, any related operations shall be handled
by Ansible. Specifically, a change in the ConfigMap shall trigger a back-end
service redeployment.
:bulb: For better security, you may use K8s secrets. This would be a
**bonus**.
:bulb: References:
* K8s ConfigMaps:
https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/
* K8s Secrets:
https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure
* ConfigMap/Secretes tutorial:
https://www.baeldung.com/ops/kubernetes-equivalent-of-env-file-docker
#### Test workflow #### Test workflow
The following tests shall be passed by your implementation: The following tests shall be passed by your implementation:
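Review bot: the new Kubernetes section says the ConfigMap approach "is not safe for production use" but not why; one sentence that ConfigMap values are stored in plaintext and readable by anyone with read access to the namespace (`kubectl get configmap -o yaml`) would make the Secrets bonus meaningful, ideally with the caveat that a Secret is only base64-encoded and still needs RBAC and encryption at rest to actually protect the S3 credentials. Two typos in the same hunk: "CofigMap" (should be "ConfigMap") and "ConfigMap/Secretes tutorial" (should be "Secrets"); also ":hammer_and_wrench: You shall" is missing the trailing colon used by the other task headers.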
...@@ -475,7 +532,10 @@ The following tests shall be passed by your implementation: ...@@ -475,7 +532,10 @@ The following tests shall be passed by your implementation:
2. Ansible-playbook shall install KinD/Kubectl and deploy your 2. Ansible-playbook shall install KinD/Kubectl and deploy your
load-balanced application load-balanced application
3. Your application shall be reachable on port 80 (or another of your 3. Your application shall be reachable on port 80 (or another of your
choice) from any host outside the Cloud network. choice) **from any host outside the Cloud network.**
4. Your K8s deployment shall be reachable via an [SSH tunnel started
from your
workstation.](https://gitedu.hesge.ch/lsds/teaching/bachelor/cloud-and-deployment/lab-k8s#controlling-your-cluster-from-a-remote-console)
* Once your application is installed, you shall exercise all the branch * Once your application is installed, you shall exercise all the branch
conditions described by the above workflows: conditions described by the above workflows:
1. Enroll a new user: shall succeed 1. Enroll a new user: shall succeed
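Review bot: test 3 bolds "from any host outside the Cloud network" and test 4 adds the SSH tunnel requirement, but the tests do not say which ports may be opened; since the infrastructure is provisioned with Terraform, state that only the application port (80 or the chosen one) and SSH for the tunnel should be exposed in the security group, so students do not open the KinD API port to the Internet to pass test 4. Style nit in the same hunk: "Ansible-playbook" in test 2 should be "Ansible playbook" as elsewhere in the README.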