Deployment for production

This document is meant to help the deployment of the collectives application on an host provider for production.

However, don’t hesitate to adapt scripts and definitions to your own needs. These indications are merely hints on how to install it. Especially, it might not be updated and become obsolete in the future.

Warning

Please note that you have to keep an informed eye while performing thoses indications. CAF Annecy or the collectives project cannot and will not be held accountable for any dommages or costs that may occurs from this how to.

Three solutions are suggested:

• The fancy and expensive Kubernetes installation

• The effective and cheap Microk8s installation

• The robust and hard to maintain Bare metal installation

Kubernetes installation

Managed Kubernetes is the method of choice, but might be more expensive than microk8s or bare metal. However, it should be more resilient and more scalable.

For this How To, we will explain an OVH installation. But you can deploy the app on other providers.

Installation

Requirements : kubectl and helm

1. Go to OVH and purchase a Public Cloud Managed Kubernetes. The cheapest with one node is OK.

2. Setup collectives.yaml by copy deployment/k8s/collectives.exemple.yaml with your hostnames and secrets: look for the 4 --to-be-replaced--

3. Download the kubeconfig.yml file, and set it up for kubectl and helm

4. Install cert-manager and nginx ingress :

   helm repo add jetstack https://charts.jetstack.io
   helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
   helm repo update
   helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --set installCRDs=true
   helm -n ingress-nginx install ingress-nginx ingress-nginx/ingress-nginx --create-namespace
   

5. Get the external IP with kubectl get svc -n ingress-nginx ingress-nginx-controller and setup your DNS record

6. Apply collectives.yaml : kubectl apply -f collectives.yaml

7. After a while, the website should be available on https://your-hostname.com

Warning

The file collectives.yaml contains secrets and it should not be shared publicly!!

Microk8s installation

Less expensive than a managed Kubernetes, it still leverages Kubernetes flexibility. It can be installed on any VPS with Ubuntu.

Installation

Requirement : an ssh client to connect to the VPS

1. Purchase a VPS at any host provider. Install it with latest Ubuntu version.

2. Update your DNS record with the VPS IP.

3. Setup collectives.yaml by copy deployment/k8s/collectives.example.yaml with your hostnames and secrets: look for the 4 --to-be-replaced--. Your file will be referred as collectives.yaml

4. Remove from collectives.yaml the lines with storageClassName

5. Install microk8s:

   sudo snap install microk8s --classic
   sudo microk8s enable ingress
   sudo microk8s enable cert-manager
   sudo microk8s enable hostpath-storage
   

6. Apply collectives.yaml sudo microk8s kubectl apply -f collectives.yaml

7. After a while, the website should be available on https://your-hostname.com

Warning

The file collectives.yaml contains secrets and it should not be shared publicly!!

Note on Kubernetes deployment structure

nginx is used as an ingress.

It automatically loads a Let’s Encrypt free certificate for TLS.

It works with the collectives docker published by the CAF Annecy on DockerHub.

Data persistence is achieved by :

• block storages for files

• a pod of MariaDB for database, itself using block storage.

No auto-scaling, replication, or load balancing is configured.

For more resilience, a managed mariadb/mysql is the way to go.

Bare metal installation

This deployment works, but is less modern than a Kubernetes and is the same costs as a microk8s.

Installation

For development, you can run FLASK_APP=collectives:create_app flask run. However, it is not the recommended method for production environment.

You can choose any production method you like, however, you can use waitress behind an nginx for SSL offloading. Waitress can be install with a pip pip install waitress, and a systemd service be created easily by adding deployment/systemd/collectives.service into /etc/systemd/system. In this case, please edit the file to update user and directory.

Configuration

See configuration

Flask and DB related configuration should be in instance/config.py. Since it might contains secrets, this file should be readable only by flask user (chmod 600).

Database

For production, a more robust database than the default sqlite is recommended. pymysql is recommended for its full python compatibility.

SQLALCHEMY_DATABASE_URI = 'mysql+pymysql://username:password@localhost/db_name'