Merge pull request #131 from SwissOpenEM/130-add-ssl-certificate-to-s…

…copem-openemethzch Deployment: add https endpoints and routing in traefik
SwissOpenEM · Jan 13, 2025 · 1997769 · 1997769
2 parents b4ab6f6 + 3f970a3
commit 1997769
Show file tree

Hide file tree

Showing 20 changed files with 300 additions and 285 deletions.
diff --git a/.github/workflows/build-docker-images.yml b/.github/workflows/build-docker-images.yml
@@ -191,11 +191,14 @@ jobs:
         images: ${{ env.REGISTRY }}/${{ env.OPENEM_BACKEND_IMAGE_NAME }}
 
     - name: Build and push
-      uses: docker/bake-action@v5
+      uses: docker/bake-action@v6
       id: build-and-push
       with:
         workdir: ./
         targets: archiver-backend
         push: ${{ github.event_name != 'pull_request' }}
         set: |
             *.tags=${{ steps.meta.outputs.tags }}
+      env:
+        OPENEM_IMAGE_TAG: ${{ steps.meta.outputs.tags }}
+
diff --git a/.gitignore b/.gitignore
@@ -31,3 +31,4 @@ data/prefect/**
 data/uppy-server-data/**
 .site/**
 .secrets/**
+.certs/**
diff --git a/.prod.env b/.prod.env
@@ -1,13 +1,17 @@
 ### Global
 # Host where this instance is hosted
 HOST=scopem-openem.ethz.ch 
+# Certificate
+CERTIFICATE_FILE=.certs/cert_bundle.pem
+# Private Key
+CERTIFICATE_KEY_FILE=./certs/cert.key
 
 ### Backend
 # Image used for backend service
 OPENEM_BACKEND_IMAGE_NAME=ghcr.io/swissopenem/scopemarchiver-openem-backend
 OPENEM_IMAGE_TAG="latest"
 # Backend server api root path
-API_ROOT_PATH=/api/v1
+API_ROOT_PATH=/archiver/api/v1
 
 #### Minio
 MINIO_REGION="eu-west-1"
@@ -16,6 +20,7 @@ MINIO_LANDINGZONE_BUCKET="landingzone"
 MINIO_STAGING_BUCKET="staging"
 MINIO_ENDPOINT="scopem-openemdata.ethz.ch:9090"
 MINIO_EXTERNAL_ENDPOINT="scopem-openemdata.ethz.ch:9090"
+
 #### PREFECT
 # Prefect version used in all images
 PREFECT_VERSION=3.1.11-python3.11
@@ -36,5 +41,5 @@ PREFECT_RETRIEVAL_WORKPOOL_NAME=retrieval-docker-workpool
 # Root folder where Docker volume of LTS share is mounted, i.e. root folder of the LTS share
 LTS_ROOT_FOLDER = /tmp/LTS
 
-SCICAT_ENDPOINT=http://scopem-openem.ethz.ch:89
+SCICAT_ENDPOINT=https://scopem-openem.ethz.ch/scicat/backend
 
diff --git a/README.md b/README.md
@@ -12,13 +12,13 @@ Refer to the [Github pages](#github-pages) for more details.
 Build all the services:
 
 ```bash
-docker compose --env-file .env --env-file .development.env build
+docker compose --env-file .prod.env --env-file .development.env build
 ```
 
 Starting up all services for development:
 
 ```bash
-docker compose --env-file .env --env-file .development.env up -d
+docker compose --env-file .prod.env --env-file .development.env up -d
 ```
 
 ## Deploy Local Flows

diff --git a/archiver-service.docker-compose.yml b/archiver-service.docker-compose.yml
@@ -0,0 +1,205 @@
+services:
+  archiver-backend:
+    image: ${OPENEM_BACKEND_IMAGE_NAME}:${OPENEM_IMAGE_TAG}
+    container_name: archiver-backend
+    build:
+      context: ./backend/api
+      dockerfile: ./Dockerfile
+    environment:
+      - PREFECT_LOGGING_LEVEL=${PREFECT_LOGGING_LEVEL}
+      - PREFECT_API_URL=http://prefect-server:4200/api
+      - UVICORN_ROOT_PATH=/archiver/api/v1
+      - UVICORN_PORT=8000
+      - UVICORN_LOG_LEVEL=info
+      - UVICORN_RELOAD=False
+      - MINIO_ENDPOINT=${MINIO_EXTERNAL_ENDPOINT}
+    secrets:
+      - minio_user
+      - minio_password
+    expose:
+      - 8000
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.backend.rule=Host(`${HOST}`) && PathPrefix(`/archiver/api/v1`)"
+      - "traefik.http.middlewares.backend-stripprefix.stripprefix.prefixes=/archiver/api/v1"
+      - "traefik.http.routers.backend.entrypoints=websecure"
+      - "traefik.http.routers.backend.tls"
+      - "traefik.http.routers.backend.middlewares=backend-stripprefix"
+      - "traefik.http.services.backend.loadbalancer.server.port=8000"
+    networks:
+      - scopemarchiver_network
+  prefect-server:
+    image: prefecthq/prefect:${PREFECT_VERSION}
+    container_name: prefect-server
+    restart: always
+    volumes:
+      - prefect-volume-new:/root/.prefect
+    entrypoint:
+      - /bin/sh
+      - -c
+      - |
+        export PREFECT_API_DATABASE_PASSWORD=$$(cat /var/run/secrets/postgres_pass)
+        export PREFECT_API_DATABASE_USER=$$(cat /var/run/secrets/postgres_user)
+        export PREFECT_API_DATABASE_CONNECTION_URL=postgresql+asyncpg://$$PREFECT_API_DATABASE_USER:$$PREFECT_API_DATABASE_PASSWORD@postgres:5432/prefect
+        /opt/prefect/entrypoint.sh prefect server start
+
+    secrets:
+      - postgres_pass
+      - postgres_user
+    healthcheck:
+      test: [ "CMD", "prefect", "version" ]
+      interval: 5s
+      timeout: 15s
+      retries: 5
+      start_period: 5s
+    environment:
+      - PREFECT_LOGGING_LEVEL=${PREFECT_LOGGING_LEVEL}
+      - PREFECT_HOME=/opt/prefect
+      - PREFECT_API_DATABASE_ECHO=False
+      - PREFECT_API_DATABASE_MIGRATE_ON_START=True
+      - PREFECT_TASK_DEFAULT_RETRIES=2
+      - PREFECT_TASK_DEFAULT_RETRY_DELAY_SECONDS=[1,10,100]
+      # working; PREFECT has some issues with api prefixes...
+      - PREFECT_UI_SERVE_BASE=/archiver/prefect/ui
+      - PREFECT_UI_URL=http://prefect-server:4200/api
+      - PREFECT_API_URL=https://${HOST}/archiver/prefect/api
+      - PREFECT_SERVER_API_HOST=0.0.0.0
+    expose:
+      - 4200
+    depends_on:
+      - postgres
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.services.prefect-server.loadbalancer.server.port=4200"
+      # UI
+      - "traefik.http.routers.prefect-server.rule=Host(`${HOST}`) && PathPrefix(`/archiver/prefect/ui`)"
+      - "traefik.http.routers.prefect-server.entrypoints=websecure"
+      - "traefik.http.routers.prefect-server.tls"
+      - "traefik.http.services.prefect-server.loadbalancer.server.port=4200"
+
+      - "traefik.http.routers.prefect-api-server.rule=Host(`${HOST}`) && PathPrefix(`/archiver/prefect/api`)"
+      - "traefik.http.routers.prefect-api-server.entrypoints=websecure"
+      - "traefik.http.routers.prefect-api-server.tls"
+      - "traefik.http.middlewares.prefect-api-strip.stripprefix.prefixes=/archiver/prefect"
+      - "traefik.http.routers.prefect-api-server.middlewares=prefect-api-strip"
+    networks:
+      - scopemarchiver_network
+  postgres:
+    image: postgres:15.2-alpine
+    restart: always
+    environment:
+      - POSTGRES_USER_FILE=/run/secrets/postgres_user
+      - POSTGRES_PASSWORD_FILE=/run/secrets/postgres_pass
+      - POSTGRES_DB=prefect
+    secrets:
+      - postgres_user
+      - postgres_pass
+    expose:
+      - 5432
+    volumes:
+      - postgres-volume-new:/var/lib/postgresql/data
+    networks:
+      - scopemarchiver_network
+
+  prefect-config:
+    image: ${PREFECT_CONFIG_IMAGE_NAME}:${OPENEM_IMAGE_TAG:-latest}
+    container_name: prefect-config
+    build:
+      context: ./backend/
+      dockerfile: ./prefect-config.Dockerfile
+      args:
+        PREFECT_VERSION: ${PREFECT_VERSION}
+      tags:
+        - ${OPENEM_IMAGE_TAG}
+    networks:
+      - scopemarchiver_network
+    environment:
+      - PREFECT_LOGGING_LEVEL=${PREFECT_LOGGING_LEVEL}
+      - PREFECT_API_URL=http://prefect-server:4200/api
+      - SCICAT_ENDPOINT=${SCICAT_ENDPOINT}
+      - MINIO_EXTERNAL_ENDPOINT=${MINIO_EXTERNAL_ENDPOINT}
+      - MINIO_ENDPOINT=${MINIO_ENDPOINT}
+      # Secrets are stored as blocks, removing _FILE suffix
+      - MINIO_USER_FILE=/run/secrets/minio_user
+      - MINIO_PASSWORD_FILE=/run/secrets/minio_password
+      - GITHUB_USER_FILE=/run/secrets/github_user
+      - GITHUB_PASSWORD_FILE=/run/secrets/github_pass
+      - SCICAT_USER_FILE=/run/secrets/scicat_user
+      - SCICAT_PASSWORD_FILE=/run/secrets/scicat_pass
+    volumes:
+      - type: bind
+        source: ./backend/prefect-vars.toml
+        target: /var/local/prefect-vars.toml
+      - type: bind
+        source: ./backend/concurrency-limits.toml
+        target: /var/local/concurrency-limits.toml
+    command: "-v /var/local/prefect-vars.toml -s MINIO_USER_FILE MINIO_PASSWORD_FILE GITHUB_USER_FILE GITHUB_PASSWORD_FILE SCICAT_USER_FILE SCICAT_PASSWORD_FILE -l /var/local/concurrency-limits.toml"
+    depends_on:
+      prefect-server:
+        condition: service_healthy
+    secrets:
+      - minio_user
+      - minio_password
+      - github_user
+      - github_pass
+      - scicat_user
+      - scicat_pass
+  prefect-flows-deployment:
+    image: prefecthq/prefect:${PREFECT_VERSION}
+    container_name: prefect-flows-deployment
+    networks:
+      - scopemarchiver_network
+    environment:
+      ### Prefect specific values
+      - PREFECT_LOGGING_LEVEL=${PREFECT_LOGGING_LEVEL}
+      - PREFECT_API_URL=http://prefect-server:4200/api
+      - EXTRA_PIP_PACKAGES=prefect-docker==0.6.1
+      ### Deployment values for interpolation in prefect.yaml
+      - PREFECT_VERSION=${PREFECT_VERSION}
+      - PREFECT_WORKER_LTS_VOLUME_NAME=scopemarchiver_${PREFECT_WORKER_LTS_VOLUME_NAME}
+      - LTS_ROOT_FOLDER=${LTS_ROOT_FOLDER}
+      - PREFECT_NETWORK=scopemarchiver_network
+    command: prefect --no-prompt deploy --all --prefect-file /home/dev/backend/prefect.yaml
+    working_dir: /home/dev/
+    volumes:
+      - type: bind
+        source: ./
+        target: /home/dev/
+        read_only: true
+      - /usr/bin/docker:/usr/bin/docker
+      - /var/run/docker.sock:/var/run/docker.sock
+    depends_on:
+      prefect-server:
+        condition: service_healthy
+    labels:
+      - "traefik.enable=false"
+volumes:
+  lts-mock-volume:
+    driver: local
+  nfs-lts-share:
+    driver_opts:
+      type: "nfs"
+      o: "nfsvers=3,addr=lts22,nolock"
+      device: ":/scopem_lts_nfs_test_lts22"
+  postgres-volume-new:
+    driver: local
+  prefect-volume-new:
+    driver: local
+
+secrets:
+  postgres_user:
+    file: ./.secrets/postgresuser.txt
+  postgres_pass:
+    file: ./.secrets/postgrespass.txt
+  github_user:
+    file: ./.secrets/githubuser.txt
+  github_pass:
+    file: ./.secrets/githubpass.txt
+  scicat_user:
+    file: ./.secrets/scicatuser.txt
+  scicat_pass:
+    file: ./.secrets/scicatpass.txt
+  minio_user:
+    file: ./.secrets/miniouser.txt
+  minio_password:
+    file: ./.secrets/miniopass.txt
diff --git a/backend/.vscode/launch.json b/backend/.vscode/launch.json
@@ -14,7 +14,6 @@
         "PREFECT_LOGGING_LEVEL": "DEBUG",
         "MINIO_ENDPOINT": "scopem-openemdata.ethz.ch:9090",
         "MINIO_EXTERNAL_ENDPOINT": "scopem-openemdata.ethz.ch:9090",
-        "AWS_CA_BUNDLE": "/etc/ssl/certs/ca-certificates.crt",
         "LTS_STORAGE_ROOT": "/tmp/data/LTS/",
         "LTS_FREE_SPACE_PERCENTAGE": "0.2",
         "ARCHIVER_SCRATCH_FOLDER": "/tmp/data/scratch/",

diff --git a/backend/api/.vscode/launch.json b/backend/api/.vscode/launch.json
@@ -12,7 +12,6 @@
         "PREFECT_API_URL": "http://localhost:4200/api",
         "PREFECT_LOGGING_LEVEL": "DEBUG",
         "MINIO_ENDPOINT": "scopem-openemdata.ethz.ch:9090",
-        "AWS_CA_BUNDLE": "/etc/ssl/certs/ca-certificates.crt",
         "SECRETS_DIR": "${workspaceFolder}/../../.secrets",
         "UVICORN_ROOT_PATH": "",
         "UVICORN_RELOAD": "true",

diff --git a/backend/api/Dockerfile b/backend/api/Dockerfile
@@ -32,10 +32,4 @@ WORKDIR /root/app/site-packages
 COPY --from=builder /venv /venv
 ENV PATH=/venv/bin:$PATH
 
-RUN wget https://cacerts.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crt.pem -O DigiCertGlobalG2TLSRSASHA2562020CA1-1.crt
-RUN cp DigiCertGlobalG2TLSRSASHA2562020CA1-1.crt /usr/local/share/ca-certificates/
-RUN update-ca-certificates
-
-ENV AWS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
-
 ENTRYPOINT [ "python", "-m", "openapi_server" ]
diff --git a/backend/api/openapi.yaml b/backend/api/openapi.yaml
@@ -6,7 +6,7 @@ info:
 servers:
 - url: /
 paths:
-  /archiver/new_dataset/:
+  /archiver/new_dataset:
     post:
       operationId: create_new_dataset
       requestBody:
@@ -37,7 +37,7 @@ paths:
       summary: Create New Dataset
       tags:
       - archiving
-  /archiver/jobs/:
+  /archiver/jobs:
     post:
       operationId: create_job
       requestBody:

diff --git a/backend/api/src/openapi_server/apis/archiving_api.py b/backend/api/src/openapi_server/apis/archiving_api.py
@@ -39,7 +39,7 @@
 
 
 @router.post(
-    "/archiver/jobs/",
+    "/archiver/jobs",
     responses={
         200: {"model": CreateJobResp, "description": "Successful Response"},
         422: {"model": HTTPValidationError, "description": "Validation Error"},
@@ -58,7 +58,7 @@ async def create_job(
 
 
 @router.post(
-    "/archiver/new_dataset/",
+    "/archiver/new_dataset",
     responses={
         200: {"model": CreateDatasetResp, "description": "Successful Response"},
         422: {"model": HTTPValidationError, "description": "Validation Error"},

diff --git a/backend/archiver/tests/pytest.ini b/backend/archiver/tests/pytest.ini
@@ -1,2 +1,2 @@
 [pytest]
-asyncio_mode = function
+asyncio_mode = auto