Service deployment

HeartAI deploys services to the Kubernetes-based Red Hat OpenShift container orchestration platform. This allows services to be packaged and deployed with a cloud-native approach, allowing for highly distributed, concurrent, and available systems.

The following examples from the HeartAI production environment HelloWorldService show how Lagom developed services may be deployed to Red Hat OpenShift. These declaration files are specified with the YAML serialisation language and correspond to OpenShift / Kubernetes resources.

Service architecture

Further information about HeartAI service architecture may be found with the following documentation:

Red Hat OpenShift implementation

Red Hat OpenShift is an enterprise-grade implementation of Kubernetes, providing a modern and secure platform for the orchestration of container-based solutions. OpenShift provides general platform-level capabilities, including:

  • Abstractions for container-level deployments.
  • Software orchestration that is natively cloud-based and distributable.
  • Secure implementations of software-defined networking.
  • Real-time and aggregated logging, monitoring, and observability.
  • Frameworks for eventing and alerting.
  • Controls for resource management.
  • Access-level controls based around service accounts, roles, groups, and role bindings.
  • Graphical user interfaces for both administrators and developers.

HeartAI deploys OpenShift with Microsoft Azure Red Hat OpenShift (ARO), a fully-managed implementation of OpenShift within Microsoft Azure. ARO is deployed to instances of Microsoft Azure cloud resources, which are fully-managed by Microsoft Azure, including operational lifecycle management, patching and updating, logging, monitoring, and security hardening.

Software: Red Hat OpenShift implementation

HeartAI orchestrates system services with the Kubernetes-based Red Hat OpenShift container platform. Further information about the HeartAI implementation of Red Hat OpenShift may be found with the following documentation:

OpenShift Namespaces

OpenShift Namespaces provides cluster scoping that logical separates individual namespaces within corresponding overlay VXLAN networks. Through this approach distinct namespaces are effectively compartmentalised from each other.

The following example shows an OpenShift Namespace declaration file for the HeartAI HelloWorldService production environment:

apiVersion: v1
kind: Namespace
metadata:
  name: heartai-hello-world-prod

OpenShift Roles

OpenShift Roles provide specifications to configure access control at the cluster- or namespace-level.

The following example shows a Role declaration from the HeartAI HelloWorldService production environment. This particular Role declaration provides the permission required for the HelloWorldService service Deployment to be able to locate corresponding Pods of the service, fulfilling the ability of individual Pod resources to provide location transparent service discovery to other Pod resources.

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: heartai-pod-reader
  namespace: heartai-hello-world-prod
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "watch", "list"]

OpenShift RoleBindings

OpenShift Role Bindings allow the association of Roles to corresponding ServiceAccounts.

The following example shows a Role Binding declaration from the HeartAI HelloWorldService production environment.

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: heartai-hello-world-prod
subjects:
  - kind: ServiceAccount
    name: default
roleRef:
  kind: Role
  name: heartai-pod-reader
  apiGroup: rbac.authorization.k8s.io

OpenShift Deployments

OpenShift Deployments allow the declaration of Pod deployments and higher-level configuration for how these Pods should be orchestrated and managed within the OpenShift environment. The OpenShift Deployment Controller synchronises the actual state of the cluster to the declared state with configurable controls for how this synchronisation operates.

The following example shows an OpenShift Deployment declaration file for the HeartAI HelloWorldService production environment namespace:

apiVersion: "apps/v1"
kind: Deployment
metadata:
  name: heartai-hello-world
  namespace: heartai-hello-world-prod
  labels:
    app: heartai-hello-world
spec:
  replicas: 1
  selector:
    matchLabels:
      app: heartai-hello-world
  strategy:
    rollingUpdate:
      maxSurge: 3
      maxUnavailable: 1
  template:
    metadata:
      labels:
        app: heartai-hello-world
        version: v0.31.106
        actorSystemName: heartai-hello-world
      annotations:
        sidecar.istio.io/inject: "true"
        traffic.sidecar.istio.io/includeInboundPorts: "2552,8558,14000,14020"
        traffic.sidecar.istio.io/excludeOutboundPorts: "2552,8558"
    spec:
      containers:
        - name: heartai-hello-world
          image: "quay.io/heartai/heartai-hello-world:0.31.106"
          imagePullPolicy: Always
          livenessProbe:
            httpGet:
              path: /alive
              port: management
            initialDelaySeconds: 20
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /ready
              port: management
            initialDelaySeconds: 20
            periodSeconds: 10
          ports:
            - name: remoting
              containerPort: 2552
              protocol: TCP
            - name: management
              containerPort: 8558
              protocol: TCP
            - name: http
              containerPort: 14000
              protocol: TCP
            - name: https
              containerPort: 14020
              protocol: TCP
          env:
            - name: OS_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: JAVA_OPTS
              value: "-Xms1024m -Xmx1024m -Dconfig.resource=production.conf"
            - name: APPLICATION_SECRET
              valueFrom:
                secretKeyRef:
                  name: heartai-play-secret
                  key: secret
            - name: AKKA_CLUSTER_BOOTSTRAP_SERVICE_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: "metadata.labels['app']"
            - name: REQUIRED_CONTACT_POINT_NR
              value: "1"
            - name: AKKA_REMOTING_PORT
              value: "2552"
            - name: AKKA_MANAGEMENT_PORT
              value: "8558"
            - name: HTTP_BIND_ADDRESS
              value: "0.0.0.0"
            - name: HTTP_PORT
              value: "14000"
            - name: HTTPS_PORT
              value: "14020"
            - name: KAFKA_BROKERS_SERVICE
              value: "strimzi-kafka-kafka-brokers.heartai-strimzi.svc.cluster.local:9092"
            - name: KAFKA_BOOTSTRAP_SERVICE
              value: "strimzi-kafka-kafka-bootstrap.heartai-strimzi.svc.cluster.local:9092"
            - name: POSTGRESQL_CONTACT_POINT
              valueFrom:
                secretKeyRef:
                  name: postgres-url
                  key: secret
            - name: POSTGRESQL_USERNAME
              valueFrom:
                secretKeyRef:
                  name: postgres-id
                  key: secret
            - name: POSTGRESQL_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: postgres-key
                  key: secret
            - name: SERVICE_TOPIC_GREETING_MESSAGES_CHANGED
              value: "hello_world_greeting_messages_changed_prod"
          resources:
            limits:
              cpu: 500m
              memory: 2048Mi
            requests:
              cpu: 100m
              memory: 1024Mi

OpenShift Services

OpenShift Services provide a cluster-internal access point to corresponding overlay network address spaces. For network routing to OpenShift Pods, Services allow consistent resolution to the virtual IP address space of one-or-more Pods, noting that such Pods may generally be transient. Access to deployment Pods through a Service is location transparent, scalable, and tolerant to Pod failure. Services may also be configured with load balancing, port-forwarding capability, and session affinity.

Service discovery

HeartAI services provide approaches for location transparent service discovery within corresponding HeartAI Red Hat OpenShift container platform instances. Further information about HeartAI service discovery may be found with the following documentation:

The following example shows an OpenShift Service declaration file for the HeartAI HelloWorldService production environment namespace:

apiVersion: v1
kind: Service
metadata:
  name: heartai-hello-world
  namespace: heartai-hello-world-prod
spec:
  ports:
    - name: http
      port: 80
      targetPort: 14000
  selector:
    app: heartai-hello-world
  type: LoadBalancer

Istio implementation

Within the HeartAI OpenShift implementation, an instance of OpenShift Service Mesh provides advanced mechanisms for communication across system services. Integrated into this framework is the cloud-native service-mesh software Istio that extends the OpenShift software-defined networking (SDN) with programmable and application-aware declarative network implementations. A core feature of Istio is the Envoy service proxy that is injectable as a sidecar into virtual IP hosts of the OpenShift SDN. Istio provides general approaches for network deployments, routing, traffic management, telemetry, and security.

Software: Istio implementation

Further information about the HeartAI implementation of Istio may be found with the following documentation:

Istio is also natively integrated into the OpenShift Service Mesh implementation of Kiali, an Istio management console that provides capabilities for configuration, eventing, metrics, visualisation, and validation

Software: Kiali implementation

Further information about the HeartAI implementation of Kiali may be found with the following documentation:

Istio VirtualService

The following example shows an Istio VirtualService declaration file for the HeartAI HelloWorldService production environment:

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: heartai-hello-world-vs
  namespace: heartai-hello-world-prod
spec:
  hosts:
    - hello.prod.apps.aro.sah.heartai.net
  gateways:
    - heartai-hello-world-prod-gw
  http:
    - match:
        - uri:
            prefix: "/"
      route:
        - destination:
            host: heartai-hello-world

Istio DestinationRule

The following example shows an Istio DestinationRule declaration file for the HeartAI HelloWorldService production environment:

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: heartai-hello-world-nw-rule
  namespace: heartai-hello-world-prod
spec:
  host: heartai-hello-world
  subsets:
    - name: stable
      labels:
        version: v0.31.106

Istio ServiceEntry

Istio ServiceEntry Kafka bootstrap

The following example shows an Istio ServiceEntry declaration file for the HeartAI HelloWorldService development environment. This ServiceEntry provides the SDN declaration to integrate the Kafka bootstrap provider as a backing service:

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: kafka-bootstrap
  namespace: heartai-hello-world-prod
spec:
  hosts:
    - strimzi-kafka-kafka-bootstrap.heartai-strimzi.svc.cluster.local
  ports:
    - number: 9092
      name: kafka-bootstrap
      protocol: tcp
  resolution: DNS
  location: MESH_EXTERNAL

Istio ServiceEntry Kafka brokers

The following example shows an Istio ServiceEntry declaration file for the HeartAI HelloWorldService development environment. This ServiceEntry provides the SDN declaration to integrate the Kafka brokers provider as a backing service:

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: kafka-brokers
  namespace: heartai-hello-world-prod
spec:
  hosts:
    - strimzi-kafka-kafka-brokers.heartai-strimzi.svc.cluster.local
  ports:
    - number: 9092
      name: kafka-brokers
      protocol: tcp
  resolution: DNS
  location: MESH_EXTERNAL

Istio ServiceEntry PostgreSQL

The following example shows an Istio ServiceEntry declaration file for the HeartAI HelloWorldServiceService development environment. This ServiceEntry provides the SDN declaration to integrate PostgreSQL as a backing service:

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: postgresql
  namespace: heartai-hello-world-prod
spec:
  hosts:
    - sah-heartai-psql-prod-aue-001.postgres.database.azure.com
  ports:
    - number: 5432
      name: postgresql
      protocol: tcp
  resolution: DNS
  location: MESH_EXTERNAL

Istio Gateway

The following example shows an Istio Gateway declaration file for the HeartAI HelloWorldService production environment:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: heartai-hello-world-prod-gw
  namespace: heartai-hello-world-prod
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      tls:
        httpsRedirect: true
      hosts:
        - hello.prod.apps.aro.sah.heartai.net
    - port:
        number: 443
        name: https
        protocol: HTTPS
      tls:
        mode: SIMPLE
        credentialName: heartai-hello-world-prod-gw-cert
      hosts:
        - hello.prod.apps.aro.sah.heartai.net