Reviving service deployment docs

[BernardZhao]

Decided to put some work on trying to update and bring back the work @keur made in #508, especially since @pxhanus could use some documentation as to how to deploy the discordbridge. These are some preliminary changes, and I still need a lot of help describing parts of the process I don't understand as well.

• How should I go about formatting the Markdown? I found the existing file to be well spaced, but make lint didn't seem to do the trick.
• Are there some parts of Keur's original documentation that aren't true anymore? I tried to not cut stuff that I didn't 100% know was not relevant anymore, but I really ended up cutting nothing.

[BernardZhao]

This part is a little confusing to me, as in I described my understanding of it, but in other projects an empty upstreamProjects array also seemed to work fine. Perhaps @jvperrin could chime in on this?

[jvperrin]

Yeah, that's a great question! The only thing this does is mean that a service build pipeline gets kicked off if the upstream one listed here succeeds. The reason why you see ocf/dockers/master in a number of services is when they are both (1) built off the OCF base docker images and (2) redeploying them can be done smoothly. These redeploys are mainly done so that security updates are pulled into service containers in a timely manner, so it doesn't have to be a daily thing but could probably be weekly or something instead.

For instance, ocfweb has both ocflib and dockers as upstreams because it depends on the latest versions of both of those repos, and because redeploying after either one finishes building successfully can be done smoothly. slackbridge on the other hand doesn't have any upstream projects listed despite being built off the OCF base image because every time it rebuilt it causes large join/quit spam on IRC that wasn't a pleasant experience.

Essentially, to figure out what's listed here for a new service, you only need to know what base image the service is using, and how disruptive a deploy would be.

[BernardZhao]

This isn't relevant with Jenkins right? I thought this might be nice to include as example commands if someone was planning to deploy to dev-kubernetes.

[jvperrin]

I don't believe it's necessary because Jenkins will create the app namespace and all that when deploying, and I think it also does the service/deployment creation parts too but I'm not too familiar with that side of things.

Maybe just mention before this that it's something you can do with your dev namespace to test out running the service somewhere?

[BernardZhao]

We have a lot more services now - this many not be that accurate. What are the best examples at the OCF today?

[jvperrin]

templates is still a really good simple example, and I think mastodon is a good complex example, but I'm not sure about the others. I do know kanboard isn't running any more (gives a 503), and I don't really know the state of kafka.

[Baisang]

Thanks for restartingthis, OCF has really needed this for a while. It made sense to me as someone who has deployed services on OCF k8s before.

Only big change I think you should make is regarding the persistent volumes. I would try to direct people toward using the nfs-provisioner when possible. Ideally we should have people use ceph but I don't know if that is fully operational yet.

[Baisang]

"Docker repository" is the word you're looking for

[Baisang]

transfer

[Baisang]

It would be better for people who want to deploy services to just clone or copy these files somehow. They're just going to copy paste from this doc anyway. I would wager that the vast majority of people who want to deploy services on kubernetes don't need to know how this works, it just has to "work." (of course, we should provide docs somewhere that explain how it works anyway)

You could have them run some script that takes in their proposed service name and it could even generate a basic template for those kubernetes yaml files too.

Probably out of scope for this PR, but something to consider for the future.

[encadyma]

Github has template repositories that can help solve the issue of copying files, so we can create one for Kubernetes deployments.

[Baisang]

Docker repository

[Baisang]

Please have people try to use the https://github.com/ocf/nfs-provisioner instead. We set it up so you no longer need to make puppet changes to create PVs.

[Baisang]

It's a lot easier. All you need to do is make a PVC like in the README with the correct storageClassName.

[Baisang]

Technically you can include the yaml to create this within the .yaml file

[Baisang]

Eventually you'll want to add a section for adding keycloak auth and handling secrets, but that's out of scope.

[Baisang]

Does adding the name to https://github.com/ocf/puppet/blob/master/modules/ocf_kubernetes/manifests/master/loadbalancer.pp still apply? If so we need to include that step.

[jvperrin]

For what it's worth, this + 1 is to space out ports so you can run multiple services under one user without them colliding. I think we should probably come up with a better port allocation strategy, or just use the same port for the same user each time and forego this method as it's pretty confusing if you don't understand it.

[jvperrin]

make test is also a good one to mention, it's automatically run if it exists as part of the service pipeline so that's a great place to put any tests that a service may have.

[jvperrin]

Thanks for reviving this, I think this is really great to have and certainly something there should be docs on!

[jvperrin]

nit: I'd link to the root of the repo instead of just the kubernetes config

[jvperrin]

I'd assume that people reading this guide are less experienced at creating services and likely don't have these permissions. Instead, I'd probably suggest to ask in #rebuild or somewhere similar for creating a repo (or do so if you have the permissions already).

As a tangent to this, I am aiming to have this be done through https://github.com/ocf/terraform at some point in the future, as it has a GitHub provider and that would be a nice way to not rely on individual permissions but instead define the state of the ocf org in version-controlled code. I think that would make this part nicer, as creating a new repo would then involve creating and merging a PR and essentially nothing else.

[jvperrin]

For this, you might want to link to https://github.com/ocf/shared-pipeline/blob/4537c1ce537a6beffa1075c719e015cd60cc54eb/vars/servicePipeline.groovy if anyone is curious what the service pipeline actually does. It's not incredibly complicated, but I could also see not wanting to bog this down too much with implementation details like this. I think it could be useful for someone wanting to know what commands are run as part of the build or what runs in parallel though (tests and cooking the docker image for instance).

[jvperrin]

To do this in particular, it's not a build of any one job, but rather going to https://jenkins.ocf.berkeley.edu/job/ocf/, signing in, and clicking "Scan Organization Now" in the left sidebar. I think it would be good to recommend pushing a new commit to master after transferring the repo, and I believe that should trigger a pipeline creation (needs testing though to be sure).

[jvperrin]

Might be good to briefly mention here that the ports are not the same between the two (80 on both for instance) because stuff running within the container typically can't bind on anything 1024 or below. It's usually not running as root or a privileged user, as per security best practices.

Not sure that'll be clear to someone setting up a service for the first time otherwise.

[jvperrin]

Is this <myapp> instead of <app-name>?

[jvperrin]

++ this is quite good to specify, as is the warning below about being stuck in a pending state

[jvperrin]

I'd probably mention the term "search domain" somewhere in here as that's the keyword that can help to find more information on the internet about this behavior.

[jvperrin]

nit: For these 3 links that are referred to earlier on in the doc, I'd put them closer to their respective paragraphs just so that it's easier to see what is actually being linked to closer to the text that's doing the linking. (That or using the []() link syntax instead)

[jvperrin]

This'll also need a kinit $USER/admin before the ldapvi (either as a separate command or just put as a prefix to the command) to actually be able to edit and submit changes to ldap.

I think these editing DNS instructions should actually almost be their own docs. I looked and there's https://www.ocf.berkeley.edu/docs/staff/procedures/new-host/#h3_step-11-add-the-ldap-entry in the docs for adding a new host and DNS, but this is a bit different as it's just editing the existing lb-kubernetes pseudo-host instead. Anyway, something to think about, but this might be useful as a separate docs page that multiple places can link to.

[jvperrin]

Actually, lb-kubernetes no longer exists since there's no non-kubernetes version, it's just a cn=lb now (this is something that changed since the previous pull request).

[nikhiljha]

The funny thing is we might actually obsolete these docs before they're merged.

[BernardZhao]

The funny thing is we might actually obsolete these docs before they're merged.

Thats why I paused on updating this

[nikhiljha]

https://notes.ocf.berkeley.edu/jCl7t_M7RYGzcqQpbzWrOQ#