Service deployment
HeartAI deploys services to the Kubernetes-based Red Hat OpenShift container orchestration platform. This allows services to be packaged and deployed with a cloud-native approach, allowing for highly distributed, concurrent, and available systems.
The following examples from the HeartAI production environment HelloWorldService
show how Lagom developed services may be deployed to Red Hat OpenShift. These declaration files are specified with the YAML serialisation language and correspond to OpenShift / Kubernetes resources.
Further information about HeartAI service architecture may be found with the following documentation:
Red Hat OpenShift implementation
Red Hat OpenShift is an enterprise-grade implementation of Kubernetes, providing a modern and secure platform for the orchestration of container-based solutions. OpenShift provides general platform-level capabilities, including:
- Abstractions for container-level deployments.
- Software orchestration that is natively cloud-based and distributable.
- Secure implementations of software-defined networking.
- Real-time and aggregated logging, monitoring, and observability.
- Frameworks for eventing and alerting.
- Controls for resource management.
- Access-level controls based around service accounts, roles, groups, and role bindings.
- Graphical user interfaces for both administrators and developers.
HeartAI deploys OpenShift with Microsoft Azure Red Hat OpenShift (ARO), a fully-managed implementation of OpenShift within Microsoft Azure. ARO is deployed to instances of Microsoft Azure cloud resources, which are fully-managed by Microsoft Azure, including operational lifecycle management, patching and updating, logging, monitoring, and security hardening.
HeartAI orchestrates system services with the Kubernetes-based Red Hat OpenShift container platform. Further information about the HeartAI implementation of Red Hat OpenShift may be found with the following documentation:
OpenShift Namespaces
OpenShift Namespaces provides cluster scoping that logical separates individual namespaces within corresponding overlay VXLAN networks. Through this approach distinct namespaces are effectively compartmentalised from each other.
The following example shows an OpenShift Namespace declaration file for the HeartAI HelloWorldService
production environment:
apiVersion: v1
kind: Namespace
metadata:
name: heartai-hello-world-prod
OpenShift Roles
OpenShift Roles provide specifications to configure access control at the cluster- or namespace-level.
The following example shows a Role declaration from the HeartAI HelloWorldService
production environment. This particular Role declaration provides the permission required for the HelloWorldService
service Deployment to be able to locate corresponding Pods of the service, fulfilling the ability of individual Pod resources to provide location transparent service discovery to other Pod resources.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: heartai-pod-reader
namespace: heartai-hello-world-prod
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "watch", "list"]
OpenShift RoleBindings
OpenShift Role Bindings allow the association of Roles to corresponding ServiceAccounts.
The following example shows a Role Binding declaration from the HeartAI HelloWorldService
production environment.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: read-pods
namespace: heartai-hello-world-prod
subjects:
- kind: ServiceAccount
name: default
roleRef:
kind: Role
name: heartai-pod-reader
apiGroup: rbac.authorization.k8s.io
OpenShift Deployments
OpenShift Deployments allow the declaration of Pod deployments and higher-level configuration for how these Pods should be orchestrated and managed within the OpenShift environment. The OpenShift Deployment Controller synchronises the actual state of the cluster to the declared state with configurable controls for how this synchronisation operates.
The following example shows an OpenShift Deployment declaration file for the HeartAI HelloWorldService
production environment namespace:
apiVersion: "apps/v1"
kind: Deployment
metadata:
name: heartai-service-hello-world-prod
namespace: heartai-hello-world-prod
labels:
app: heartai-service-hello-world-prod
spec:
replicas: 1
selector:
matchLabels:
app: heartai-service-hello-world-prod
strategy:
rollingUpdate:
maxSurge: 3
maxUnavailable: 0
template:
metadata:
labels:
app: heartai-service-hello-world-prod
version: v0.33.44
actorSystemName: heartai-service-hello-world-prod
annotations:
sidecar.istio.io/inject: "true"
traffic.sidecar.istio.io/includeInboundPorts: "2552,8558,14000,14020"
traffic.sidecar.istio.io/excludeOutboundPorts: "2552,8558"
spec:
containers:
- name: heartai-service-hello-world-prod
image: "quay.io/heartai/heartai-hello-world:0.33.44"
imagePullPolicy: Always
livenessProbe:
httpGet:
path: /alive
port: management
initialDelaySeconds: 20
periodSeconds: 10
readinessProbe:
httpGet:
path: /ready
port: management
initialDelaySeconds: 20
periodSeconds: 10
ports:
- name: remoting
containerPort: 2552
protocol: TCP
- name: management
containerPort: 8558
protocol: TCP
- name: http
containerPort: 14000
protocol: TCP
- name: https
containerPort: 14020
protocol: TCP
env:
- name: OS_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: JAVA_OPTS
value: "-Xms1024m -Xmx1024m -Dconfig.resource=production.conf"
- name: APPLICATION_SECRET
valueFrom:
secretKeyRef:
name: heartai-play-secret
key: secret
- name: AKKA_DISCOVERY_SERVICE_NAME
value: "heartai-service-hello-world-prod"
- name: AKKA_CLUSTER_BOOTSTRAP_SERVICE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: "metadata.labels['app']"
- name: REQUIRED_CONTACT_POINT_NR
value: "1"
# - name: AKKA_REMOTING_HOST
# value: "heartai-service-hello-world-prod.heartai-hello-world-prod.svc.cluster.local"
- name: AKKA_REMOTING_PORT
value: "2552"
- name: AKKA_MANAGEMENT_PORT
value: "8558"
- name: HTTP_BIND_ADDRESS
value: "0.0.0.0"
- name: HTTP_PORT
value: "14000"
- name: HTTPS_PORT
value: "14020"
- name: KAFKA_SERVICE_NAME
value: "strimzi-kafka-kafka-brokers.heartai-strimzi.svc.cluster.local:9092"
- name: KAFKA_BROKERS_SERVICE_URL
value: "strimzi-kafka-kafka-bootstrap.heartai-strimzi.svc.cluster.local:9092"
- name: POSTGRESQL_CONTACT_POINT
valueFrom:
secretKeyRef:
name: postgres-url
key: secret
- name: POSTGRESQL_USERNAME
valueFrom:
secretKeyRef:
name: postgres-id
key: secret
- name: POSTGRESQL_PASSWORD
valueFrom:
secretKeyRef:
name: postgres-key
key: secret
resources:
limits:
cpu: 1000m
memory: 2048Mi
requests:
cpu: 200m
memory: 1048Mi
OpenShift Services
OpenShift Services provide a cluster-internal access point to corresponding overlay network address spaces. For network routing to OpenShift Pods, Services allow consistent resolution to the virtual IP address space of one-or-more Pods, noting that such Pods may generally be transient. Access to deployment Pods through a Service is location transparent, scalable, and tolerant to Pod failure. Services may also be configured with load balancing, port-forwarding capability, and session affinity.
HeartAI services provide approaches for location transparent service discovery within corresponding HeartAI Red Hat OpenShift container platform instances. Further information about HeartAI service discovery may be found with the following documentation:
The following example shows an OpenShift Service declaration file for the HeartAI HelloWorldService
production environment namespace:
apiVersion: v1
kind: Service
metadata:
name: heartai-service-hello-world-prod
namespace: heartai-hello-world-prod
spec:
ports:
- name: http
port: 80
targetPort: 14000
selector:
app: heartai-service-hello-world-prod
type: LoadBalancer
Istio implementation
Within the HeartAI OpenShift implementation, an instance of OpenShift Service Mesh provides advanced mechanisms for communication across system services. Integrated into this framework is the cloud-native service-mesh software Istio that extends the OpenShift software-defined networking (SDN) with programmable and application-aware declarative network implementations. A core feature of Istio is the Envoy service proxy that is injectable as a sidecar into virtual IP hosts of the OpenShift SDN. Istio provides general approaches for network deployments, routing, traffic management, telemetry, and security.
Further information about the HeartAI implementation of Istio may be found with the following documentation:
Istio is also natively integrated into the OpenShift Service Mesh implementation of Kiali, an Istio management console that provides capabilities for configuration, eventing, metrics, visualisation, and validation
Further information about the HeartAI implementation of Kiali may be found with the following documentation:
Istio VirtualService
The following example shows an Istio VirtualService declaration file for the HeartAI HelloWorldService
production environment:
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: heartai-service-hello-world-vs-prod
namespace: heartai-hello-world-prod
spec:
hosts:
- heartai-service-hello-world-prod.heartai-hello-world-prod.svc.cluster.local
gateways:
- mesh
# - heartai-service-hello-world-gw
http:
- match:
- uri:
prefix: "/"
route:
- destination:
host: heartai-service-hello-world-prod
Istio DestinationRule
The following example shows an Istio DestinationRule declaration file for the HeartAI HelloWorldService
production environment:
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: heartai-service-hello-world-rule-prod
namespace: heartai-hello-world-prod
spec:
host: heartai-service-hello-world-prod
subsets:
- name: stable
labels:
version: v0.33.44
Istio ServiceEntry
Istio ServiceEntry Kafka bootstrap
The following example shows an Istio ServiceEntry declaration file for the HeartAI HelloWorldService
development environment. This ServiceEntry provides the SDN declaration to integrate the Kafka bootstrap provider as a backing service:
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: kafka-bootstrap
namespace: heartai-hello-world-prod
spec:
hosts:
- strimzi-kafka-kafka-bootstrap.heartai-strimzi.svc.cluster.local
ports:
- number: 9092
name: kafka-bootstrap
protocol: tcp
resolution: DNS
location: MESH_EXTERNAL
Istio ServiceEntry Kafka brokers
The following example shows an Istio ServiceEntry declaration file for the HeartAI HelloWorldService
development environment. This ServiceEntry provides the SDN declaration to integrate the Kafka brokers provider as a backing service:
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: kafka-brokers
namespace: heartai-hello-world-prod
spec:
hosts:
- strimzi-kafka-kafka-brokers.heartai-strimzi.svc.cluster.local
ports:
- number: 9092
name: kafka-brokers
protocol: tcp
resolution: DNS
location: MESH_EXTERNAL
Istio ServiceEntry PostgreSQL
The following example shows an Istio ServiceEntry declaration file for the HeartAI HelloWorldServiceService
development environment. This ServiceEntry provides the SDN declaration to integrate PostgreSQL as a backing service:
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: postgresql
namespace: heartai-hello-world-prod
spec:
hosts:
- sah-heartai-psql-prod-aue-001.postgres.database.azure.com
ports:
- number: 5432
name: postgresql
protocol: tcp
resolution: DNS
location: MESH_EXTERNAL
Istio Gateway
The following example shows an Istio Gateway declaration file for the HeartAI HelloWorldService
production environment:
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: heartai-hello-gw
namespace: heartai-hello-world-prod
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 80
name: http
protocol: HTTP
tls:
httpsRedirect: true
hosts:
- hello.prod.apps.aro.sah.heartai.net
- port:
number: 443
name: https
protocol: HTTPS
tls:
mode: SIMPLE
credentialName: heartai-hello-world-prod-gw-cert
hosts:
- hello.prod.apps.aro.sah.heartai.net