Merge pull request #16 from flavienbwk/f/k8s-deployment

Production and K8S deployment

Author: flavienbwk

.env.example

@@ -0,0 +1,19 @@
+FLASK_API_VERSION="1.1"
+FLASK_SERVER_NAME="My API Project"
+FLASK_SERVER_DESCRIPTION="Dockerized Flask API boilerplate using an LDAP and token-based authentication"
+FLASK_SECRET_KEY="Some secret key"
+
+LDAP_ORGANISATION="My Company"
+LDAP_DOMAIN="mycompany.com"
+LDAP_HOST="ldap"
+LDAP_SCHEME="ldap" # "ldaps" if using secure LDAP, "ldap" else
+LDAP_PORT=389
+LDAP_USERS_DN="dc=mycompany,dc=com"
+LDAP_ADMIN_DN="cn=admin,dc=mycompany,dc=com"
+LDAP_ADMIN_PASSWORD="adminpwd"
+
+POSTGRES_HOST="database"
+POSTGRES_PORT=5432
+POSTGRES_USER="myproject"
+POSTGRES_PASSWORD="myprojectpwd"
+POSTGRES_DB="myproject"

.gitignore

@@ -1,8 +1,8 @@
 .vscode/
 
+.env
+
 web/app/node_modules/
-ldap/
 logs/
-migrations/
 
 api/database.mwb.bak

.travis.yml

@@ -11,3 +11,4 @@ before_install:
 
 script:
     - docker-compose build
+    - docker-compose -f prod.docker-compose.yml build

README.md

@@ -1,12 +1,12 @@
-# Dockerized ReactJS, Flask, LDAP-auth boilerplate
+# Dockerized ReactJS, Flask, LDAP boilerplate
 
 <p align="center">
     <a href="https://travis-ci.org/flavienbwk/reactjs-flask-ldap-boilerplate.svg?branch=master" target="_blank">
         <img src="https://travis-ci.org/flavienbwk/reactjs-flask-ldap-boilerplate.svg?branch=master"/>
     </a>
     <a href="https://codebeat.co/projects/github-com-flavienbwk-reactjs-flask-ldap-boilerplate-master"><img alt="codebeat badge" src="https://codebeat.co/badges/940a0bd0-5aa5-4f96-b6fc-39b6e1b7e14b" /></a>
 </p>
-<p align="center">ReactJS + Flask + Docker<br/>boilerplate using a token-based LDAP authentication</p>
+<p align="center">ReactJS + Flask + Docker (+ K8S)<br/>boilerplate using a token-based LDAP authentication</p>
 
 > :smiley: Suggestions and feedbacks are [highly appreciated](https://github.com/flavienbwk/reactjs-flask-ldap-boilerplate/issues/new)
 
@@ -15,17 +15,18 @@
 - Docker architecture
 - LDAP authentication
 - Token-based API authentication
-- Automatic [token renewal](./api/app/service/auth_service.py#L44) with [a Flask middleware](./api/app/service/auth_service.py#L31)
+- Automatic [token renewal](./api/app/service/auth_service.py#L45) with [a Flask middleware](./api/app/service/auth_service.py#L32)
 - Swagger documentation
 - Flask-Migrate
 - Flask-SQLAlchemy (PostgreSQL was chosen)
-- [Logging and logs rotation](./api/app/utils/Logger.py#L12)
-- [Choose](./app/app/src/App.js#L64) between sidebar and navbar (or use both !)
+- [Logging and logs rotation](./api/app/utils/Logger.py#L11)
+- [Choose](./app/app/src/App.js#L65) between sidebar and navbar (or use both !)
 - Responsive design
+- [Production](./prod.docker-compose.yml) and [development](./docker-compose.yml) builds
 
 ## API documentation
 
-I chose to use Swagger to document the API. Just run the API following the steps below and browse to [`http://localhost:5000`](http://localhost:5000)
+We've chosen Swagger to document the API. Run the API following the steps below and go to [`http://localhost:5000`](http://localhost:5000).
 
 Here you can take a look at the database architecture scheme :
 
@@ -35,76 +36,144 @@ Here you can take a look at the database architecture scheme :
 
 > Reminder : there is no `password` field because we use LDAP for authentication.
 
-## Setting up the API
+## Why using LDAP authentication ?
 
-The API is made to run with an LDAP server for managing users. Whether use the provided Docker LDAP server or remove the conf. in [`docker-compose.yml`](./docker-compose.yml) and use your own LDAP server.
+LDAP services are used in a lot of companies and institutions around the world to manage their user accounts and rights in a central place.
 
-This section will explain to you how to run this project and set-up the LDAP server with one user.
+With this boilerplate, you will be able to develop corporate-ready services AND avoid yourself the troubles of developing registration / password forgotten / change password / profile update code.
 
-### Starting services
+## Getting started (development)
 
-First, please change the database/LDAP passwords and keys in `docker-compose.yml`
+This section will explain how to properly run this project and set-up the LDAP server with one user.
 
-Then, run :
+1. Copy the `.env.example` file to `.env`
 
-```bash
-docker-compose up ldap phpldapadmin database adminer -d
-```
+    ```bash
+    cp .env.example .env
+    ```
 
-> **adminer** (PostgreSQL management) will be available through `http://localhost:8082`  
-> **phpLDAPAdmin** (LDAP management) will be available through `https://localhost:8081`
+    > This is a good practice so your `.env` can't be committed along with your modifications (is in `.gitignore`)
 
-### Creating the first user in the LDAP
+2. Start the authentication services
 
-Access phpLDAPAdmin with : `https://localhost:8081`
+    ```bash
+    docker-compose up ldap phpldapadmin database adminer -d
+    ```
 
-If you are not familiar with LDAP, [read my LDAP user creation guide](./CREATE_LDAP_USER.md) to add your first user
+   - **phpLDAPAdmin** (LDAP management) will be available at `https://localhost:8081`
+   - **adminer** (PostgreSQL management) will be available at `http://localhost:8082`
 
-### Run the API
+    **Create** your first user by accessing phpLDAPAdmin at `https://localhost:8081` and [following the LDAP user creation guide](./CREATE_LDAP_USER.md).
 
-The database will be automatically set-up thanks to Flask Migrate and any future modification brought to [models](./api/app/model) will be automatically applied to the database when the API is **restarted**.
+3. NGINX reverse-proxy
 
-```bash
-docker-compose up api
-```
+    This boilerplate includes NGINX as a reverse proxy so we can have a unique endpoint for our app and API. Else, we would have to open two endpoints : one for the app, the other for the API.
 
-Access the API and its documentation browsing [`http://localhost:5000`](http://localhost:5000)
+    ```bash
+    docker-compose up --build -d nginx
+    ```
 
-## Setting up the web application
+    > NGINX will auto restart until you have started the app and API below.
 
-:clock9: This step may take quite a lot of time due to npm's initial modules download
+4. Run the API
 
-Just run :
+    The database will be automatically set-up thanks to Flask Migrate and any future modification brought to [models](./api/app/model) will be automatically applied when the API is **restarted**.
 
-```bash
-# Build is quick, **first** launch is long (expect at least 5 min.)
-docker-compose up app
-```
+    You might wait some time before the database get updated after starting the API :
 
-You can now enjoy the app on [`http://localhost:8080`](http://localhost:8080)
+    ```bash
+    docker-compose up --build -d api
+    ```
 
-> :information_source: If you want to add a dependency, just stop & re-launch a `docker-compose up app`. You won't have to wait as for first launch.
+    > For development, go to [`http://localhost:5000`](http://localhost:5000) to access the API documentation
 
-## Why using LDAP authentication ?
+5. Run the web app
 
-LDAP services are used in a lot of companies and institutions around the world to manage their user accounts and rights in a central place.
+    ```bash
+    # Expect several minutes for first launch (npm install)
+    docker-compose up --build -d app
+    ```
 
-With this boilerplate, you will be able to develop corporate-ready services AND avoid yourself the troubles of developing registration / password forgotten / change password / profile update code.
+    > :information_source: If you want to add a NPM package, just stop & re-launch `docker-compose up app`.
+
+    Enjoy the app on [`http://localhost:8080`](http://localhost:8080)
+
+## Deploy to production
+
+1. Prepare environment configuration
+
+    Copy `.env.example` to `.env` and **edit** the passwords, keys and credentials
+
+    Use the provided Docker LDAP server or edit the config to use your own.
+
+    ```bash
+    cp .env.example .env
+    ```
+
+2. Build the application for production
+
+    ```bash
+    docker-compose -f prod.docker-compose.yml build
+    ```
+
+3. Start the authentication services
+
+    ```bash
+    docker-compose up ldap phpldapadmin database adminer -d
+    ```
+
+    **Create** your first user by accessing phpLDAPAdmin at `https://localhost:8081` and [following the LDAP user creation guide](./CREATE_LDAP_USER.md).
+
+    :information_source: We recommend you to hide this service behind a firewall
+
+4. Run the application
+
+    ```bash
+    docker-compose -f prod.docker-compose.yml up nginx api app -d
+    ```
+
+    Access the UI at `https://localhost:8080`
+
+### Deploy to K8S
+
+I pretend you have here your K8S instance configured to be accessed by your `kubectl` CLI.
+
+I've used [Scaleway Kapsule](https://www.scaleway.com/en/kubernetes-kapsule) to perform my tests. This is an easy way to have a Kubernetes cluster quickly ready.
+
+1. Building production images (optional)
+
+    Images are tagged `flavienb/reactjs-flask-ldap-boilerplate-{api,web,nginx}:latest` by default. Edit it in `prod.docker-compose.yml` before building.
+
+    :information_source: You might be interested in pushing your images in a private registry (e.g: [Scaleway's Container Registry service](https://www.scaleway.com/en/container-registry/)).
+
+    ```bash
+    docker-compose -f prod.docker-compose.yml build
+    ```
+
+    Finally, `docker push` the 3 images and edit K8S' configurations :
+
+    - [k8s/app.yaml, line 31](k8s/app.yaml#L31)
+    - [k8s/api.yaml, line 21](k8s/api.yaml#L21)
+    - [k8s/nginx.yaml, line 21](k8s/nginx.yaml#L21)
+
+2. Add a new `reactjs-flask-ldap-boilerplate` namespace
 
-## Left TODOs
+    ```bash
+    kubectl create namespace my-app
+    ```
 
-API :
+3. Configure your Ingress app endpoint
 
-_Completed_
+    - **Edit** the env variables in [k8s/env-configmap.yaml](./k8s/env-configmap.yaml)
+    - **Edit** the app and phpldapadmin endpoints in [k8s/ingress.yaml, line 10 and 35](./k8s/ingress.yaml#L10)
+    - **Check** the PersistentVolumeClaim if you're not using Scaleway in all `*-pvc.yaml` files
 
-App :
+    Deploy with :
 
-_Completed_
+    ```bash
+    kubectl apply -f ./k8s
+    ```
 
-Architecture :
+4. Configure the first user
 
-- [P3] Add "Deploy to prod" guide in README
-- [P3] Create a `prod.docker-compose.yml` file that :
-  - Uses NGINX with SSL
-  - Builds & serves the front-end
-  - Disables Swagger UI
+    **Create** your first user by accessing phpLDAPAdmin at [endpoint defined](./k8s/ingress.yaml#L35) and [following the LDAP user creation guide](./CREATE_LDAP_USER.md).

api/Dockerfile

@@ -1,7 +1,7 @@
 FROM python:3.7-alpine
 
 # python-ldap requirements
-RUN apk add openldap-dev libc-dev gcc
+RUN apk update && apk add openldap-dev libc-dev gcc g++
 
 # psycopg2 requirements
 RUN apk add libpq python3-dev musl-dev postgresql-dev

api/app/app.py

@@ -21,5 +21,6 @@ def create_app():
     app = Flask(__name__)
     app.register_error_handler(404, page_not_found)
     app.config.from_object(config_by_name[FLASK_LEVEL])
+    os.environ["FLASK_ENV"] = config_by_name[FLASK_LEVEL].FLASK_ENV
     database.initDatabase(app)
     return app

api/app/config.py

@@ -20,18 +20,21 @@ class Config:
 
 class DevelopmentConfig(Config):
     DEBUG = True
-    SQLALCHEMY_TRACK_MODIFICATIONS = False
+    SQLALCHEMY_TRACK_MODIFICATIONS = True
+    FLASK_ENV = "development"
 
 
 class TestingConfig(Config):
     DEBUG = True
     TESTING = True
     PRESERVE_CONTEXT_ON_EXCEPTION = False
     SQLALCHEMY_TRACK_MODIFICATIONS = False
+    FLASK_ENV = "development"
 
 
 class ProductionConfig(Config):
     DEBUG = False
+    FLASK_ENV = "production"
 
 
 config_by_name = dict(

api/app/manager.py

@@ -16,7 +16,7 @@
 app.app_context().push()
 
 manager = Manager(app)
-migrate = Migrate(app, database.getDatabase())
+migrate = Migrate(app, database.getDatabase(), "/migrations")
 manager.add_command('db', MigrateCommand)
 
 # Commands

api/app/service/auth_service.py

@@ -67,10 +67,12 @@ def authLDAPUser(username: str, password: str):
                 # from users's LDAP details
                 sql_datetime = datetime.datetime.utcnow()
                 last_id = (UserService.getLastUserID() + 1)
+                first_name = user_details[0][1]["givenName"][0].decode('utf-8')\
+                    if "givenName" in user_details[0][1] else "" # givenName is optional in LDAP
                 UserService.createUser({
                     "ids": sha256(hash_id(last_id) + str(time.time())),
                     "username": username,
-                    "first_name": user_details[0][1]["givenName"][0].decode('utf-8'),
+                    "first_name": first_name,
                     "last_name": user_details[0][1]["sn"][0].decode('utf-8'),
                     "created_at": sql_datetime,
                     "updated_at": sql_datetime

api/app/service/user_service.py

@@ -68,7 +68,8 @@ def updateLDAPUser(user: User):
             ldap_user = connection.search_s(LDAP_USERS_DN, ldap.SCOPE_SUBTREE, search_filter)
             if len(ldap_user):
                 ldap_user_details = {
-                    "first_name": ldap_user[0][1]["givenName"][0].decode('utf-8'),
+                    "first_name": ldap_user[0][1]["givenName"][0].decode('utf-8')\
+                        if "givenName" in ldap_user[0][1] else "", # givenName is optional in LDAP
                     "last_name": ldap_user[0][1]["sn"][0].decode('utf-8')
                 }
                 user_details = {

api/entrypoint.sh

@@ -1,4 +1,5 @@
 #!/bin/sh
+# These commands are here because they must be run at runtime
 
 python /app/manager.py db init
 

api/prod.Dockerfile

@@ -0,0 +1,20 @@
+FROM python:3.7-alpine
+
+# python-ldap requirements
+RUN apk update && apk add openldap-dev libc-dev gcc g++
+
+# psycopg2 requirements
+RUN apk add libpq python3-dev musl-dev postgresql-dev
+
+COPY ./requirements.txt .
+RUN pip install -r requirements.txt
+
+# Install WSGI server
+RUN pip install gunicorn==20.1.0
+
+WORKDIR /app
+COPY ./app /app
+
+# Run migrations and WSGI server
+COPY ./prod.entrypoint.sh /entrypoint.sh
+ENTRYPOINT [ "/entrypoint.sh" ]

api/prod.entrypoint.sh

@@ -0,0 +1,9 @@
+#!/bin/sh
+# These commands are here because they must be run at runtime
+
+python /app/manager.py db init
+
+python /app/manager.py db migrate --message 'initial database migration'
+python /app/manager.py db upgrade
+
+gunicorn manager:app -b 0.0.0.0:5000