Skip to content

Commit

Permalink
Merge branch 'aws-ecr' into otel-qa
Browse files Browse the repository at this point in the history
  • Loading branch information
imnasnainaec committed Oct 21, 2024
2 parents 4fc9c86 + 3fae27e commit 1ce1b0a
Show file tree
Hide file tree
Showing 12 changed files with 46 additions and 80 deletions.
3 changes: 3 additions & 0 deletions .github/workflows/deploy_qa.yml
Original file line number Diff line number Diff line change
Expand Up @@ -86,6 +86,9 @@ jobs:
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
- name: Remove old AWS ECR images
# Remove all images for previous version numbers.
# Example: for tag beginning with v1.2.5-, remove all images with tag v1.2.4-*
# Example: for tag beginning with v2.4.0-, remove all images with tag v2.3.*
run: |
TAG=${{ needs.build.outputs.image_tag }}
if [[ $TAG =~ ^v([0-9]+)\.([0-9]+)\.([0-9]+)-.* ]]; then
Expand Down
2 changes: 1 addition & 1 deletion .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@ scripts/*.js
!scripts/createBackendLicenses.js
!scripts/printVersion.js
!scripts/setRelease.js

setup_cluster.log
npm-debug.log*
yarn-debug.log*
yarn-error.log*
Expand Down
44 changes: 32 additions & 12 deletions docs/deploy/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -62,6 +62,7 @@ separate organization. The characteristics of these systems are:
- the namespace `thecombine` is created
- the TLS certificate for the server is installed in `thecombine` namespace as a `kubernetes.io/tls` secret with the
name `thecombine-app-tls`
- PersistentVolumeClaims for `backend-data`, `database-data`, and `font-data`

- The QA server has services to login to a private AWS Elastic Container Registry to run private images for _The
Combine_. In contrast, the Production server only runs public images.
Expand Down Expand Up @@ -284,10 +285,25 @@ setup automatically by the Ansible playbook run in the previous section.

For the Production or QA server,

1. login to the Rancher Dashboard for the Production (or QA) server. You need to have an account on the server that was
1. Login to the Rancher Dashboard for the Production (or QA) server. You need to have an account on the server that was
created by the operations group.
2. Copy your `kubectl` configuration to the clipboard and paste it into a file on your host machine, e.g.
`${HOME}/.kube/prod/config` for the production server.
3. Check that the PVCs are annotated and labeled:
- Get the full list of `<pvc>`s with `kubectl [--context <context>] -n thecombine get pvc`
- Check the content of a `<pvc>` with `kubectl [--context <context>] -n thecombine get pvc <pvc> -o yaml`
- For all of them, make sure that `metadata:` includes the following lines:
```
annotations:
meta.helm.sh/release-name: thecombine
meta.helm.sh/release-namespace: thecombine
```
and
```
labels:
app.kubernetes.io/managed-by: Helm
```
- You can edit a `<pvc>` with `kubectl [--context <context>] -n thecombine edit pvc <pvc>`
### Setup Environment
Expand All @@ -308,6 +324,7 @@ deployments (NUC):
- COMBINE_CAPTCHA_SECRET_KEY
- COMBINE_SMTP_USERNAME
- COMBINE_SMTP_PASSWORD
- HONEYCOMB_API_KEY
You may also set the KUBECONFIG environment variable to the location of the `kubectl` configuration file. This is not
necessary if the configuration file is at `${HOME}/.kube/config`.
Expand Down Expand Up @@ -343,7 +360,8 @@ If using the Docker image,

## Install Helm Charts Required by _The Combine_

This step sets up the NGINX Ingress Controller and the Certificate Manager, [cert-manager.io](https://cert-manager.io/).
This step sets up the NGINX Ingress Controller, the Certificate Manager ([cert-manager.io](https://cert-manager.io/)),
and the OpenTelemetry analytics collector.

If using the Docker image, [open the Docker image terminal](#open-docker-image-terminal) and run:

Expand All @@ -358,6 +376,10 @@ cd <COMBINE>/deploy/scripts
./setup_cluster.py
```

Note: This script is not used for the QA/Production deployments. If you need to do a completely fresh install for either
of those, you can see all the cluster setup steps by executing `setup_cluster.py` with
`--type development --debug 2> setup_cluster.log`.

## Install _The Combine_

This step installs _The Combine_ application itself.
Expand Down Expand Up @@ -397,19 +419,13 @@ Notes:

### Maintenance Scripts for Kubernetes

There are several maintenance scripts that can be run in the kubernetes cluster:

- `combine-backup-job.sh` - performs a backup of _The Combine_ database and backend files, pushes the backup to AWS S3
storage and then removes old backups keeping the latest 3 backups.
- `combine_backup.py` - just performs the backup and pushes the result to AWS S3 storage.
- `combine-clean-aws.py` - removes the oldest backups, keeping up to `max_backups`. The default for `max_backups` is 3.
- `combine_restore.py` - restores _The Combine_ database and backend files from one of the backups in AWS S3 storage.
There are several maintenance scripts that can be run in the kubernetes cluster; they are listed in
[./kubernetes_design/README.md#combine_maint-image](./kubernetes_design/README.md#combine_maint-image).

The `combine-backup-job.sh` is currently being run daily on _The Combine_ QA and Production servers as a Kubernetes
CronJob.

In addition to the daily backup, any of the scripts can be run on-demand using the `kubectl` command. Using the
`kubectl` command takes the form:
In addition to the daily backup, any of the scripts can be run on-demand using the `kubectl` command as follows:

```bash
kubectl [--kubeconfig=<path-to-kubernetes-file>] [-n thecombine] exec -it deployment/maintenance -- <maintenance script> <script options>
Expand All @@ -429,7 +445,7 @@ Notes:
kubectl [--kubeconfig=<path-to-kubernetes-file>] [-n thecombine] exec -it deployment/maintenance -- <maintenance scripts> --help
```

The only exception is `combine-backup-job.sh` which does not have any script options.
The exception is `combine-backup-job.sh` which does not have any script options.

- The `-n thecombine` option is not required if you set `thecombine` as the default namespace for your kubeconfig file
by running:
Expand All @@ -438,6 +454,10 @@ Notes:
kubectl config set-context --current --namespace=thecombine
```

- The `maintenance/scripts/*.py` scripts begin with `#!/usr/bin/env python3` so that they can be run directly in the
`maintenance` deployment. If you need to execute one of them in a Python virtual environment `(venv)`, precede the
script name with `python`.

### Checking Certificate Expiration

The `check_cert.py` will print the expiration timestamp for _The Combine's_ TLS certificate.
Expand Down
4 changes: 3 additions & 1 deletion docs/deploy/kubernetes_design/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -89,13 +89,15 @@ features:
`sillsdev/aws-kubectl`)
- _Python 3_ - the maintenance scripts included in `combine_maint` are written in _Python_
- A collection of Maintenance Scripts:
- `add_user_to_proj.py` - add specified user to specified project (as harvester if role not specified)
- `combine_backup.py` - create a compressed tarball of the backend files and database contents and push it to AWS S3
storage
- `combine_restore.py` - pull a backup from AWS S3 storage and replace the database and backend files with the
contents of the backup
- `combine-clean-aws.sh` - a `bash` script to cleanup old backups from AWS S3 storage
- `combine-backup-job.sh` - a `bash` script to run the backup and then cleanup the S3 storage
- `combine-clean-aws.sh` - a `bash` script to cleanup old backups from AWS S3 storage
- `monitor.py` - monitor a set of TLS secrets for updates; when a secret is updated, it is pushed to AWS S3 storage
- `rm_project.py` - remove specified project(s) from database and all associated entries and files
- `update_cert.py` - a script to be used by the cert proxy clients on the NUCs. `update_cert.py` will update a TLS
certificate if the NUC is connected to the internet and if the certificate is ready for renewal. If these conditions
are met, it will update the certificate from AWS S3 storage.
Expand Down
2 changes: 1 addition & 1 deletion maintenance/scripts/add_user_to_proj.py
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
#!/usr/bin/env python
#!/usr/bin/env python3
"""
Add user to a project.
Expand Down
2 changes: 1 addition & 1 deletion maintenance/scripts/combine_backup.py
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
#!/usr/bin/env python
#!/usr/bin/env python3
"""Create a backup of TheCombine and push the file to AWS S3 service."""

import argparse
Expand Down
2 changes: 1 addition & 1 deletion maintenance/scripts/combine_restore.py
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
#!/usr/bin/env python
#!/usr/bin/env python3
"""
Restore The Combine from a backup stored in the AWS S3 service.
Expand Down
59 changes: 0 additions & 59 deletions maintenance/scripts/db_update_audio_type.py

This file was deleted.

2 changes: 1 addition & 1 deletion maintenance/scripts/get_fonts.py
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
#!/usr/bin/env python
#!/usr/bin/env python3
"""
Generates font support for all SIL fonts used in Mui-Language-Picker.
Expand Down
2 changes: 1 addition & 1 deletion maintenance/scripts/monitor.py
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
#!/usr/bin/env python
#!/usr/bin/env python3
"""
Monitor TLS secrets for changes and push changes to AWS S3.
Expand Down
2 changes: 1 addition & 1 deletion maintenance/scripts/rm_project.py
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
#!/usr/bin/env python
#!/usr/bin/env python3
"""
Remove a project and its associated data from TheCombine.
Expand Down
2 changes: 1 addition & 1 deletion maintenance/scripts/update_cert.py
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
#!/usr/bin/env python
#!/usr/bin/env python3
"""
Check the expiration time of the TLS secret and update if needed.
Expand Down

0 comments on commit 1ce1b0a

Please sign in to comment.