Deploy the app to staging

[humphd]

I had a good meeting with ITS today, and we have an initial plan for deploying. I'll try to capture what we discussed here.

We're going to try using Docker Swarm mode to host staging and production. I've written a walkthrough showing how it will work.

The basic idea is that we'll run 2 Linux VMs. We'll have Docker running on both, and one will be a manager node and the other a worker node in a swarm cluster. Because our app is so small, we won't need more than this, but we can easily add more nodes if we have to.

We'll run multiple copies (2?) of the Starchart container in production, which will let us have some fault-tolerance, load-balancing, and zero-downtime updates. For staging, we probably only need a single instance of the container.

We can run both staging and production on the same swarm cluster. ITS uses an F5 hardware-based load balancer, and they are going to configure it so that our apps get SSL certificates and handles routing to the appropriate ports.

Both staging and production will work like this:

Route	Port	App
/hooks/deploy	9000	webhook
/	3000	Starchart app

When we push to GitHub, we'll run a GitHub Action to build our Docker image and push it to Docker Hub. We'll then trigger an HTTP POST to a webhook that we have running on the manager node. It will send the new Docker image tag that we want to use and will trigger a script to update the service on the swarm cluster.

Our URLs are likely going to be:

Environment	URL
production	https://mycustomdomain.senecacollege.ca
staging	https://mycustomdomain-dev.senecacollege.ca

So the F5 load balancer will route https://mycustomdomain-dev.senecacollege.ca/ to the staging Remix server running on port 3000 on the swarm cluster, and https://mycustomdomain-dev.senecacollege.ca/hooks/deploy to the webhook server running on port 9000. Production will do do something similar, but with 2 different ports.

We'll use Docker Swarm Secrets to manage things like our AWS credentials, secret keys, certificates, passwords, etc. Our Remix app will be able to access those secrets by reading files at /run/secrets/<secret_name>. We can us something like https:/hwkd/docker-secret for the secrets loading in development.

I'm targeting this issue to staging, but the process for production will be very similar.

[humphd]

One issue we'll have to deal with: Prisma needs the database connection string to be available via an environment variable. However, since we'll use Secrets, it will be mounted as a file. A lot of database containers solve this problem by reading that file and re-exporting it into the container's environment. Here is what postgres does as an example, which is called via the container's ENTRYPOINT.

[humphd]

Here's an update on where this stands:

• Staging and Production clusters are created, and I have access
• docker and webhook have been installed on both
• F5 Load-Balancer has been configured to allow traffic
• MySQL databases have been created and firewall rules setup to the clusters, I have acounts
• SMTP accounts have been created to send email from staging and production, I have accounts
• AWS IAM Roles have been created with SDK access to the staging and production Hosted Zones, I have credentials

We are still waiting on SAML2 config, which depends on us knowing our URL layout.

I have the Docker container setup complete, and we need to add image build and deploy in CI/CD. We also need to finish the work on the webhook and secure it.

During 0.3/0.4, I'd like to get this moving, so we can start deploying on every commit to main before 0.5.

[humphd]

Filed #196 as part of this.

[humphd]

I think I'm only blocked on #291 now. Once that's in place, we can get this on staging.