External Services

Introduction

In this context, External Services refers to those services, provisioned on the WAN from the perspective of the cluster LAN, that the solution is dependent on, either at build or run-time. While the intention is to reduce external dependencies where possible, some need to be external (such as domain hosting) and some are currently not supported internally (such as repo and artefact hosting).

Existing public services

  • DynDns for domain hosting
  • iCloud for off-site storage
  • LetsEncrypt for https certificates
  • GitHub for source code repository

Additional public services

  • Cloudsmith for helm chart repository

Implementation details

Requirements

Non-functional service requirements are as follows:

  1. Storage
  2. Internet ingress
  3. Application container
  4. Database
  5. Internet name service (DNS)
  6. Certificate for https

As-is implementation

The non-functional requirements are currently provisioned as follows:

  1. Storage is supplied to the network using an NFS server, sigiriya
  2. Internet ingress is implemented using fibre router port forwarding to multiple internal network IP:Port listeners
  3. The application container is Zope, running in a VirtualBox VM on the Mac host bukit
  4. The database is Postgres, running in a VirtualBox VM on the Mac host bukit
  5. Updating of the DynDns host-to-IP mappings is managed by the fibre router
  6. The https certificate is managed using certbot on bukit

Several of these services are implemented in a way that makes them a single point of failure. This is not avoidable for the functionality provided by the fibre router. All other services can be made highly available.

To-be solution

The following changes are required:

  1. Migrate from NFS to distributed storage. Ceph has been selected
  2. Internet ingress fan-out will be handled by the k8s cluster. The router will only forward ports 80 and 443 to the cluster lbr (ovoo)
  3. Zope to be packaged and managed using k8s
  4. Postgres packaging for k8s
  5. Since multiple host-to-IP mappings are required and the fibre router is limited to updating one host, this function moves out of the router. Ideally it is packaged for k8s.
  6. Kubernetes Certificate Manager to be used to update https certificates
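One way items 2 and 6 of the to-be solution fit together, as an added example that is not part of the original page: the router forwards only ports 80 and 443 to the cluster, a single Ingress fans the three public hostnames from the refactored diagram out to in-cluster Services, and the certificate manager issues and renews the LetsEncrypt certificate over HTTP-01 on that same forwarded port 80. It assumes "Kubernetes Certificate Manager" means the cert-manager project, an ingress-nginx controller behind the cluster load balancer, and Service names zope, apache1 and apache2 (all assumptions, as is the host-to-service mapping).

```yaml
# Added example, not the page's own manifests. Assumed: cert-manager (cert-manager.io),
# ingress-nginx, and Services zope:8080, apache1:80, apache2:80 backing the hosts
# listed in the refactored diagram.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.org        # placeholder contact address
    privateKeySecretRef:
      name: letsencrypt-account-key # ACME account key, stored as a Secret
    solvers:
      - http01:
          ingress:
            class: nginx            # challenge is served on the forwarded port 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: public-sites
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt         # request and auto-renew the cert
    nginx.ingress.kubernetes.io/ssl-redirect: "true"    # plain http is redirected to https
spec:
  ingressClassName: nginx
  tls:
    - hosts: [qsolutions.endoftheinternet.org, musings.thruhere.net, southern.podzone.net]
      secretName: public-sites-tls  # cert-manager writes the issued certificate here
  rules:
    - host: qsolutions.endoftheinternet.org
      http:
        paths:
          - path: /
            pathType: Prefix
            backend: { service: { name: zope, port: { number: 8080 } } }
    - host: musings.thruhere.net
      http:
        paths:
          - path: /
            pathType: Prefix
            backend: { service: { name: apache1, port: { number: 80 } } }
    - host: southern.podzone.net
      http:
        paths:
          - path: /
            pathType: Prefix
            backend: { service: { name: apache2, port: { number: 80 } } }
```

Because every hostname terminates TLS at the one Ingress, the DynDns updater only needs to keep all three names pointing at the router's WAN address, and nothing but the load balancer (ovoo) is reachable from the WAN.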
Original application services (Mermaid diagram source, reconstructed from the flattened page):

  ---
  title: Original application services
  ---
  graph TD
    subgraph Q Solutions
      subgraph Mac: bukit
        subgraph VirtualBox: ularu
          subgraph Zope Server
            QApps
          end
          subgraph Postgres
            qappsDB
          end
        end
        subgraph Apache
          WebSites
        end
        subgraph certbot
          qsolutions.endoftheinternet.org
        end
      end
      subgraph Fibre router
        subgraph DynDns Updater
          qsolutions.endoftheinternet.org
        end
        subgraph WAN to LAN port forwarding
          :80-bukit:443
        end
      end
      subgraph Mac: sigiriya
        subgraph Network Storage
          nfs-service[(/srv/nfs/)]
        end
      end
    end
Refactored application services (Mermaid diagram source, reconstructed from the flattened page):

  ---
  title: Refactored application services
  ---
  graph LR
    subgraph Q Solutions
      subgraph Fibre router
        subgraph WAN to LAN port forwarding
          :80-ovoo:443
        end
      end
      subgraph Ceph storage cluster
        subgraph sigiriya
          /dev/hdb
        end
        subgraph bukit
          /dev/loop1
        end
        subgraph james
          /dev/hdc
        end
      end
      subgraph Prometheus
        sigiriya:9090
      end
      subgraph kubernetes cluster
        subgraph Zope Server
          QApps
        end
        subgraph Postgres
          qappsDB
        end
        subgraph Apache1
          musings
        end
        subgraph Apache2
          PodzoneDocs
        end
        subgraph DynDns Updater
          direction LR
          southern.podzone.net
          musings.thruhere.net,
          qsolutions.endoftheinternet.org
        end
        subgraph Certificate Manager
          direction LR
          https://southern.podzone.net
          https://musings.thruhere.net,
          https://qsolutions.endoftheinternet.org
        end
      end
    end