External Services
Introduction
In this context, External Services are those services, provisioned on the WAN from the perspective of the cluster LAN, that the solution depends on at build time or run time. While the intention is to reduce external dependencies where possible, some must be external (such as domain hosting) and some are not currently supported internally (such as repo and artefact hosting).
Existing public services
- DynDns for domain hosting
- iCloud for off-site storage
- LetsEncrypt for https certificates
- GitHub for source code repository
Additional public services
- Cloudsmith for helm chart repository
Implementation details
Requirements
Non-functional service requirements are as follows:
- Storage
- Internet ingress
- Application container
- Database
- Internet name service (DNS)
- Certificate for https
As-is implementation
The non-functional requirements are currently provisioned as follows:
- Storage is supplied to the network by an NFS server, sigiriya
- Internet ingress is implemented by port forwarding on the fibre router to multiple internal IP:port listeners
- The application container is Zope, running in a VirtualBox VM on the Mac host bukit
- The database is Postgres, running in a VirtualBox VM on the Mac host bukit
- Updating of the DynDns host-to-IP mapping is managed by the fibre router
- The https certificate is managed with certbot on bukit
Several of these services are implemented in a way that makes them a single point of failure. This is unavoidable for the functionality provided by the fibre router; all other services can be made highly available.
To-be solution
The following changes are required:
- Migrate from NFS to distributed storage; Ceph has been selected
- Internet ingress fan-out will be handled by the k8s cluster. The router will forward only ports 80 and 443, to the cluster load balancer (ovoo), so a single listener is exposed instead of one per service
- Zope to be packaged and managed with k8s
- Postgres to be packaged for k8s
- Since mappings for multiple hosts are required and the fibre router can update only one host, this function moves out of the router, ideally packaged for k8s
- cert-manager (the Kubernetes certificate manager) to be used to issue and renew the https certificates; its HTTP-01 challenge needs port 80 reaching the cluster, which the router change above provides
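The multi-host DynDns update is the one piece of the to-be solution that has to be written rather than installed. The following is an added example, not the project's own code, of what that cluster CronJob could look like. It assumes the provider speaks the dyndns2 update protocol (GET /nic/update?hostname=a,b&myip=x with HTTP Basic auth and a mandatory User-Agent), that credentials arrive in the DDNS_USER and DDNS_PASSWORD environment variables (populated from a Kubernetes Secret, never from the manifest), that the public address is discovered from the usual "Current IP Address: x.x.x.x" checkip page, and that an error code such as badauth comes back as a single line covering the whole request. The endpoint names, variable names and the constructed responses in the comments are assumptions to verify against the provider's documentation.

```python
"""Multi-host dynamic DNS updater using the dyndns2 update protocol.

Added example for the to-be design (not part of the project). The fibre router
can update only one DynDns host, so this moves the job into the cluster.
Assumptions: dyndns2-compatible provider, credentials in DDNS_USER/DDNS_PASSWORD
(from a Kubernetes Secret), checkip page in the "Current IP Address: x" form.
"""
import base64
import ipaddress
import os
import re
import urllib.parse
import urllib.request

UPDATE_URL = "https://members.dyndns.org/nic/update"   # assumption: dyndns2 endpoint
CHECKIP_URL = "https://checkip.dyndns.org/"            # assumption: checkip page
# dyndns2 rejects anonymous clients with "badagent", so identify ourselves.
USER_AGENT = "homelab-ddns/1.0 (example)"

# Status codes after which retrying is pointless or harmful: providers block
# accounts that keep hammering the API after one of these.
FATAL_CODES = {"badauth", "badagent", "abuse", "nohost", "notfqdn", "numhost", "911"}


def parse_checkip(body: str) -> str:
    """Extract and validate the public IPv4 address from the checkip page."""
    m = re.search(r"Current IP Address:\s*([0-9.]+)", body)
    if not m:
        raise ValueError("checkip response not understood")
    # ipaddress rejects garbage, so a tampered page cannot inject an arbitrary
    # string into the update query.
    return str(ipaddress.IPv4Address(m.group(1)))


def should_update(last_ip, current_ip) -> bool:
    """Only call the update API when the address changed; repeated no-change
    updates are exactly what providers rate-limit as abuse."""
    return last_ip != current_ip


def build_update_request(user, password, hostnames, ip):
    """Return (url, headers) for one dyndns2 update covering several hosts."""
    if not hostnames:
        raise ValueError("no hostnames to update")
    query = urllib.parse.urlencode({"hostname": ",".join(hostnames), "myip": ip})
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Authorization": f"Basic {token}", "User-Agent": USER_AGENT}
    return f"{UPDATE_URL}?{query}", headers


def parse_update_response(body, hostnames):
    """Map each requested hostname to its status code ("good", "nochg", ...).

    dyndns2 answers one line per host in request order. Assumption: an error
    such as "badauth" arrives as a single line that applies to every host.
    """
    lines = [ln.strip() for ln in body.strip().splitlines() if ln.strip()]
    if len(lines) == 1 and len(hostnames) > 1:
        lines = lines * len(hostnames)
    if len(lines) != len(hostnames):
        raise ValueError(f"expected {len(hostnames)} status lines, got {len(lines)}")
    return {host: line.split()[0] for host, line in zip(hostnames, lines)}


def http_get(url, headers):
    """Plain HTTPS GET; urllib verifies the server certificate by default."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=20) as resp:
        return resp.read().decode("utf-8", "replace")


def update_hosts(user, password, hostnames, ip, fetch=http_get):
    """Push one address to all hosts; raise on a fatal code so the CronJob
    fails loudly instead of retrying into an account lock."""
    url, headers = build_update_request(user, password, hostnames, ip)
    statuses = parse_update_response(fetch(url, headers), hostnames)
    fatal = {h: c for h, c in statuses.items() if c in FATAL_CODES}
    if fatal:
        raise RuntimeError(f"fatal dyndns2 status, stop retrying: {fatal}")
    return statuses


def run_once(hostnames, last_ip=None, fetch=http_get):
    """One CronJob iteration: discover the IP, update only if it changed,
    return (ip, statuses) so the caller can persist the last-seen IP."""
    ip = parse_checkip(fetch(CHECKIP_URL, {"User-Agent": USER_AGENT}))
    if not should_update(last_ip, ip):
        return ip, {}
    user, password = os.environ["DDNS_USER"], os.environ["DDNS_PASSWORD"]
    return ip, update_hosts(user, password, hostnames, ip, fetch)


if __name__ == "__main__":
    hosts = [h for h in os.environ.get("DDNS_HOSTS", "").split(",") if h]
    print(run_once(hosts, last_ip=os.environ.get("DDNS_LAST_IP")))
```

Run as a CronJob with DDNS_HOSTS set to the comma-separated hostnames and the credentials mounted from a Secret; the fetch parameter exists so the protocol handling can be tested offline with constructed responses, and the last-seen IP should be persisted (a ConfigMap or a small PVC) between runs so that the update endpoint is only touched when the address really changes.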