Docker cloud

.gitignore

@@ -49,4 +49,7 @@ dependency-reduced-pom.xml
 buildNumber.properties
 .mvn/timing.properties
 
-
+# Eclipse
+.classpath
+.settings
+.project

Dockerfile.example

@@ -9,11 +9,11 @@ RUN yum install -y openssl
 RUN mkdir -p /srv/app/config
 
 COPY target/grand-central-1.0-SNAPSHOT.jar /srv/app/
-COPY config/configuration.yaml /srv/app/config/
-COPY config/pod.yaml /srv/app/config/
+COPY config/configuration.yml /srv/app/config/
+COPY config/pod.yml /srv/app/config/
 
 RUN echo -n | openssl s_client -connect <KUBERNETES_MASTER_IP>:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /srv/app/config/k8s.pem
 RUN keytool -importkeystore -srckeystore /usr/java/latest/lib/security/cacerts -destkeystore /srv/app/config/grandcentral.jks -srcstorepass changeit -deststorepass changeit
 RUN echo "yes" | keytool -import -v -trustcacerts -alias local_k8s -file /srv/app/config/k8s.pem -keystore /srv/app/config/grandcentral.jks -keypass changeit -storepass changeit
 
-CMD cd /srv/app && /usr/bin/java -jar /srv/app/grand-central-1.0-SNAPSHOT.jar server /srv/app/config/configuration.yaml
+CMD cd /srv/app && /usr/bin/java -jar /srv/app/grand-central-1.0-SNAPSHOT.jar server /srv/app/config/configuration.yml

README.md

@@ -60,21 +60,34 @@ sudo route add -net 10.2.47 172.17.4.99
 ## Local K8S Certificate
 The K8S cluster has a self-signed SSL certificate. It must be added to a keystore as a trusted certificate before requests are permitted.
 
+To retrieve K8S master ip, assuming using GCP, you need to first get your username/password via:
+
+```
+gcloud container clusters describe hello-zeppelin --zone us-central1-f
+```
+
+Then you can look up the IP of the K8S dashboard via
+
+```
+kubectl cluster-info | grep kubernetes-dashboard
+```
+
+
 **OS X**
 
 ```
 brew install openssl
-echo -n | /usr/local/Cellar/openssl/1.0.2e/bin/openssl s_client -connect <kubernetes master ip>:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > config/local.pem
+echo -n | /usr/local/Cellar/openssl/1.0.2g/bin/openssl s_client -connect <kubernetes master ip>:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > config/local.pem
 keytool -importkeystore -srckeystore $JAVA_HOME/jre/lib/security/cacerts -destkeystore config/grandcentral.jks -srcstorepass changeit -deststorepass changeit
-ho "yes" | keytool -import -v -trustcacerts -alias local_k8s -file k8s/local.pem -keystore config/grandcentral.jks -keypass changeit -storepass changeit
+echo "yes" | keytool -import -v -trustcacerts -alias local_k8s -file config/local.pem -keystore config/grandcentral.jks -keypass changeit -storepass changeit
 ```
 
 **Linux**
 
 ```
 echo -n | openssl s_client -connect 172.17.4.99:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > config/local.pem
 keytool -importkeystore -srckeystore $JAVA_HOME/jre/lib/security/cacerts -destkeystore config/grandcentral.jks -srcstorepass changeit -deststorepass changeit
-echo "yes" | keytool -import -v -trustcacerts -alias local_k8s -file k8s/local.pem -keystore config/grandcentral.jks -keypass changeit -storepass changeit
+echo "yes" | keytool -import -v -trustcacerts -alias local_k8s -file config/local.pem -keystore config/grandcentral.jks -keypass changeit -storepass changeit
 ```
 
 ### Logging in to GCR.io

README_dockercloud.md

@@ -0,0 +1,88 @@
+# Grand Central
+*Quepid's automated review deployment tool. Gut-check in the cloud*
+
+Grand Central is a tool for automated deployment and cleanup of developer review environments / containers. Requests are parsed and routed based on their URL structure. If the target container exists the request is proxied along. If not Grand Central will spin up a container and forward the request once it comes online.
+
+## URL Structure
+The appropriate container is determined by parsing the first part of the domain name. `*.review.quepid.com` in DNS is directed at the Grand Central service. The application parses the domain name to retrieve the appropriate Git version to deploy. `http://db139cf.review.quepid.com/secure` would route to a container running version `db139cf` if it exists.
+
+## Request Flow
+When a request is received by the system the following processing takes place.
+
+1. Validate the git version supplied in the `Host` header. *Does it match a valid short hash signature?*
+1. Verify if the version is currently running
+   * If so, proxy the request
+   * If not, continue
+1. Verify version exists in Container Registry. *We can't deploy a version which doesn't exist.
+   * If so, continue
+   * If not, 404
+1. Create DockerCloud Stack (?) containing app version, database, and loader
+1. Create Service for Stack (routes requests internally within the cluster)
+1. Proxy the original request
+
+*Note* that all requests will have some metrics stored to determine activity for a give stack. This is useful when reaping old stacks.
+
+**BUT WAIT!** *What happens when two requests come in for the same version?*
+
+Easy, state is maintained within an Atomically accessed Map. As soon as a version is detected to not be running we instantiate it before releasing the lock. If a version exists, but isn't running we pause the request until the creation process is complete on another thread.
+
+## Stack Creation
+Should a container not be running in the DockerCloud cluster when the request is performed the following process starts.
+
+1. Create a Stack with the following components (ERIC: IS THIS AT ALL RIGHT?)
+   * Rails Application
+   * MySQL Instance
+   * Data dump loader (golden review image stored block store)
+1. Create a service referencing that stack
+
+## Stack Clean-up
+Every hour a janitorial task runs which cleans up stacks / services that have not received a request in the past *x* seconds. This keeps cluster resources available. Since stacks are trivial to create they can be re-instantiated easily.
+
+## Resource Constraints
+There is a hard limit to the number of simultaneous stacks running on the cluster. To prevent Denial of Service by our own team the maximum number of review environments is capped at *y*. Should a new stack be requested when the currently running count is already maxed the stack with the oldest most recent request will be removed.
+
+## Future Features
+* Persistent hashes - the ability to mark a version as persistent. This prevents the janitor from reaping the pod.
+* Admin interface - allow a RESTful interface to manage stacks. List all stacks, create a new one, delete an old one out of the janitorial process etc.
+* Security?!
+
+
+## Curling
+
+curl --user username:apikey "https://cloud.docker.com/api/app/v1/stack/"
+
+curl --user username:apikey "https://cloud.docker.com/api/app/v1/stack/"
+
+## Development/Testing
+There are a lot of moving pieces to GrandCentral, you need GC itself, plus the configuration to work with either Kubernetes or DockerCloud.   This is how I set up my local environment:
+
+1. Set up your /etc/hosts with a couple of fake DNS entries that map to two released versions of Apache.   You can see these tags at https://hub.docker.com/r/eboraas/apache/tags/.
+
+```
+127.0.0.1 latest.apache.grandcentral.com
+127.0.0.1 stretch.apache.grandcentral.com
+```
+
+1. I like to run the core GrandCentral application in Eclipse in debug mode.  Fortunately that is very easy.  Just setup a _Java Application_ run/debug configuration.   In the _Arguments_ tab tell Dropwizard to run in _server_ mode and pass in the configuration file: `server src/test/resources/local-dockercloud.yml`.  Then in the _Enrivonment_ tab, add an entry for `DOCKERCLOUD_APIKEY` and `DOCKERCLOUD_USERNAME`.
+
+1. Fire up the application, and you'll see some startup checks that verify access to DockerCloud.
+
+1. Browse to http://latest.apache.grandcentral.com:8080 and in about 10 seconds you should see a default Debian Apache install page load up!  Check your DockerCloud dashboard, you'll see the service fired up and running on an internal port.   Then, pull up http://stretch.apache.grandcentral.com:8080 and you'll see the new pod started, and the old pod deleted due to the _maximum_stack_count=1_.
+
+
+## /etc/hosts
+
+Add to make testing your local set up easier this to your `/etc/hosts` file:
+
+```
+127.0.0.1 v1.datastart.grandcentral.com
+127.0.0.1 v2.datastart.grandcentral.com
+```
+
+
+## Dockerizing GrandCentral
+
+
+## Implementation
+
+All logic for checking / creation of pods may be performed in a [`javax.servlet.Filter`](http://docs.oracle.com/javaee/7/api/javax/servlet/Filter.html?is-external=true). Requests may then be passed along to a [`org.eclipse.jetty.proxy.ProxyServlet`](http://download.eclipse.org/jetty/stable-9/apidocs/org/eclipse/jetty/proxy/ProxyServlet.html) after stack management is complete.

config/configuration.yml.example

@@ -21,4 +21,10 @@ gcloud:
   project: quepid-1051
   container_name: quails
 
-
+dockercloud:
+  protocol: https
+  hostname: cloud.docker.com
+  namespace: datastart
+  stack_json_path: src/test/resources/docker-cloud.json
+  username: ${DOCKERCLOUD_USERNAME}
+  apikey: ${DOCKERCLOUD_APIKEY}

config/docker-cloud.json.example

@@ -0,0 +1,11 @@
+{
+  "name": "echostack",
+  "services": [
+      {
+        "name":"echoheaders",
+        "please_note": "Grand Central replaces __DOCKER_TAG__ in the image with the version",
+        "image": "gcr.io/google_containers/echoserver:__DOCKER_TAG__",
+        "ports": ["8080:8080"]
+      }
+  ]
+}

pom.xml

@@ -7,11 +7,12 @@
   <name>Grand Central</name>
   <groupId>com.o19s</groupId>
   <artifactId>grand-central</artifactId>
-  <version>1.0-SNAPSHOT</version>
+  <version>1.1-SNAPSHOT</version>
 
   <properties>
-    <dropwizard.version>0.9.1</dropwizard.version>
-    <jetty.version>9.2.13.v20150730</jetty.version>
+    <dropwizard.version>1.0.2</dropwizard.version>
+    <jetty.version>9.3.9.v20160517</jetty.version>
+    <junit.version>4.12</junit.version>
   </properties>
 
   <dependencies>
@@ -30,6 +31,53 @@
       <artifactId>jetty-proxy</artifactId>
       <version>${jetty.version}</version>
     </dependency>
+    <dependency>
+      <groupId>junit</groupId>
+      <artifactId>junit</artifactId>
+      <version>${junit.version}</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>com.github.tomakehurst</groupId>
+      <artifactId>wiremock</artifactId>
+      <version>2.1.11</version>
+      <scope>test</scope>
+      <exclusions>
+        <exclusion> <!-- brings in older version of Jackson... -->
+          <groupId>com.fasterxml.jackson.core</groupId>
+          <artifactId>jackson-core</artifactId>
+        </exclusion>
+        <exclusion> <!-- brings in older version of Jackson... -->
+          <groupId>com.fasterxml.jackson.core</groupId>
+          <artifactId>jackson-annotations</artifactId>
+        </exclusion>
+        <exclusion> <!-- brings in older version of Jackson... -->
+          <groupId>com.fasterxml.jackson.core</groupId>
+          <artifactId>jackson-databind</artifactId>
+        </exclusion>
+        <exclusion> <!-- brings in older version of Jetty... -->
+          <groupId>org.eclipse.jetty</groupId>
+          <artifactId>jetty-server</artifactId>
+        </exclusion>
+        <exclusion> <!-- brings in older version of Jetty... -->
+          <groupId>org.eclipse.jetty</groupId>
+          <artifactId>jetty-security</artifactId>
+        </exclusion>
+        <exclusion> <!-- brings in older version of Jetty... -->
+          <groupId>org.eclipse.jetty</groupId>
+          <artifactId>jetty-webapp</artifactId>
+        </exclusion>
+        <exclusion> <!-- brings in older version of Jetty... -->
+          <groupId>org.eclipse.jetty</groupId>
+          <artifactId>jetty-servlet</artifactId>
+        </exclusion>
+        <exclusion> <!-- brings in older version of Jetty... -->
+          <groupId>org.eclipse.jetty</groupId>
+          <artifactId>jetty-servlets</artifactId>
+        </exclusion>
+      </exclusions>
+
+    </dependency>
   </dependencies>
 
   <build>
@@ -70,7 +118,7 @@
               <transformers>
                 <transformer implementation="org.apache.maven.plugins.shade.resource.ServicesResourceTransformer"/>
                 <transformer implementation="org.apache.maven.plugins.shade.resource.ManifestResourceTransformer">
-                  <mainClass>com.o19s.grandcentral.GrandCentralApplication</mainClass>
+                  <mainClass>com.o19s.grandcentral.GrandCentralApplication2</mainClass>
                 </transformer>
               </transformers>
             </configuration>
@@ -79,4 +127,4 @@
       </plugin>
     </plugins>
   </build>
-</project>
+</project>

src/main/java/com/o19s/grandcentral/GrandCentralApplication.java

@@ -1,17 +1,19 @@
 package com.o19s.grandcentral;
 
+import io.dropwizard.Application;
+import io.dropwizard.setup.Bootstrap;
+import io.dropwizard.setup.Environment;
+
+import java.util.EnumSet;
+
+import javax.servlet.DispatcherType;
+
 import com.o19s.grandcentral.gcloud.GCloudRegistry;
 import com.o19s.grandcentral.healthchecks.ContainerRegistryHealthCheck;
 import com.o19s.grandcentral.healthchecks.KubernetesMasterHealthCheck;
 import com.o19s.grandcentral.kubernetes.PodManager;
 import com.o19s.grandcentral.servlets.PodProxyServlet;
 import com.o19s.grandcentral.servlets.PodServletFilter;
-import io.dropwizard.Application;
-import io.dropwizard.setup.Bootstrap;
-import io.dropwizard.setup.Environment;
-
-import javax.servlet.DispatcherType;
-import java.util.EnumSet;
 
 public class GrandCentralApplication extends Application<GrandCentralConfiguration> {
   public static void main(String[] args) throws Exception {
@@ -44,15 +46,15 @@ public void run(GrandCentralConfiguration config, Environment environment) throw
         config.getKubernetesConfiguration().getNamespace()));
 
     // Build the PodManager
-    PodManager podManager = new PodManager(
+    LinkedContainerManager podManager = new PodManager(
         config.getKubernetesConfiguration(),
         config.getKeystorePath(),
         config.getRefreshIntervalInMs(),
         config.getMaximumPodCount(),
         config.getPodYamlPath()
     );
 
-    GCloudRegistry gCloudRegistry = new GCloudRegistry(config.getGCloudConfiguration(), config.getKeystorePath());
+    ImageRegistry gCloudRegistry = new GCloudRegistry(config.getGCloudConfiguration(), config.getKeystorePath());
 
     // Define the filter and proxy
     final PodServletFilter psv = new PodServletFilter(config.getGrandcentralDomain(), podManager, gCloudRegistry);

src/main/java/com/o19s/grandcentral/GrandCentralApplication2.java

@@ -0,0 +1,87 @@
+package com.o19s.grandcentral;
+
+import io.dropwizard.Application;
+import io.dropwizard.configuration.EnvironmentVariableSubstitutor;
+import io.dropwizard.configuration.SubstitutingSourceProvider;
+import io.dropwizard.setup.Bootstrap;
+import io.dropwizard.setup.Environment;
+
+import java.util.EnumSet;
+
+import javax.servlet.DispatcherType;
+
+import com.o19s.grandcentral.dockercloud.DockercloudRegistry;
+import com.o19s.grandcentral.dockercloud.StackManager;
+import com.o19s.grandcentral.servlets.PodProxyServlet;
+import com.o19s.grandcentral.servlets.PodServletFilter;
+//import com.o19s.grandcentral.healthchecks.ContainerRegistryHealthCheck;
+//import com.o19s.grandcentral.healthchecks.KubernetesMasterHealthCheck;
+
+public class GrandCentralApplication2 extends Application<GrandCentralConfiguration2> {
+  public static void main(String[] args) throws Exception {
+    new GrandCentralApplication2().run(args);
+  }
+
+  @Override
+  public String getName() {
+    return "Grand Central";
+  }
+
+  @Override
+  public void initialize(Bootstrap<GrandCentralConfiguration2> bootstrap) {
+	// Enable variable substitution with environment variables
+      bootstrap.setConfigurationSourceProvider(
+              new SubstitutingSourceProvider(bootstrap.getConfigurationSourceProvider(),
+                                                 new EnvironmentVariableSubstitutor(false)
+              )
+      );
+
+  }
+
+  @Override
+  public void run(GrandCentralConfiguration2 config, Environment environment) throws Exception {
+
+	 // FIXME: Should be a healthcheck that confirms access to DockerCloud.
+	 System.out.println("Username:" + config.getDockercloudConfiguration().getUsername());
+    // Add health checks
+	  /*
+    environment.healthChecks().register("container_registry", new ContainerRegistryHealthCheck(
+        config.getKeystorePath(),
+        config.getGCloudConfiguration().getRegistryDomain(),
+        config.getGCloudConfiguration().getProject(),
+        config.getGCloudConfiguration().getContainerName(),
+        config.getGCloudConfiguration().getRegistryUsername(),
+        config.getGCloudConfiguration().getRegistryPassword()));
+    environment.healthChecks().register("kubernetes_master", new KubernetesMasterHealthCheck(
+        config.getKubernetesConfiguration().getMasterIp(),
+        config.getKeystorePath(),
+        config.getKubernetesConfiguration().getUsername(),
+        config.getKubernetesConfiguration().getPassword(),
+        config.getKubernetesConfiguration().getNamespace()));
+        */
+
+    // Build the StackManager
+	LinkedContainerManager linkedContainerManager = new StackManager(
+        config.getDockercloudConfiguration(),
+        config.getRefreshIntervalInMs(),
+        config.getMaximumStackCount()
+        );
+
+
+    ImageRegistry imageRegistry = new DockercloudRegistry(config.getDockercloudConfiguration());
+
+
+    // Define the filter and proxy
+    final PodServletFilter psv = new PodServletFilter(config.getGrandcentralDomain(), linkedContainerManager, imageRegistry);
+    final PodProxyServlet pps = new PodProxyServlet(config.getPodPort());
+
+    // Disable Jersey in the proxy environment
+    environment.jersey().disable();
+
+    // Setup Servlet filters and proxies
+    environment.servlets().addFilter("Pod Servlet Filter", psv)
+        .addMappingForUrlPatterns(EnumSet.of(DispatcherType.REQUEST), true, "/*");
+    environment.servlets().addServlet("Pod Proxy Servlet", pps)
+        .addMapping("/*");
+  }
+}