Build and Deploy Locally
For local development, we recommend using Tilt and KinD . Tilt is a tool that watches the local repository for changes, and when changes are detected, executes builds and updates Kubernetes resources. KinD (Kubernetes-in-Docker) allows the creation of multi-node Kubernetes clusters on a local machine by using Docker containers as nodes.
The repository contains Tiltfiles for a EuroDaT Trustee-platform cluster
together with a client cluster
containing simulated clients which can be used fort testing purposes. Our provided Makefile simplifies the
setup and maintenance.
Our architecture allows for rapid iteration of builds, image pushes and re-deployment of resources as we use jib in combination with local Docker registries. Image builds and pushes should be a matter of seconds (depending on your local machine).
A caveat of this setup is that builds often trigger base image pulls from Docker Hub. You may run into rate caps if you frequently re-build images. (At the time of writing, Docker Hub limited daily image pulls to 100 per day for anonymous users.)
System requirements
For optimal performance during local building and deployment, it is highly recommended to use a system with a minimum of 32GB RAM.
Local repository setup
Clone the Git repository:
Environment setup
On Windows 10
- Prerequisites:
- Install Git-Bash . Some scripts may not work otherwise.
- Install Chocolatey and Scoop.
- Install make (using Chocolatey).
- Install Docker Desktop .
- Install kubectl and Helm.
- Install Temurin Java 17
- Install Maven
- Install python3
- Install WSL2 Ubuntu 22.04 LTS and install GO language in it using
sudo apt install golang
- Install in the wsl shell jq with
sudo apt install jq
- Optional
- Docker Access Token
Change the WSL distribution
It might happen that the WSL default distribution is set to one docker installs. In this case Windows won't be able
to find the WSL command which leads to issues with Tilt. To fix this, change the default distribution with this
command: wsl -s <distro>
. If you have Ubuntu-22.04 installed the command would be wsl -s Ubuntu-22.04
. You can
check the available distributions with wsl -l
.
Install Tilt and Tilt dependencies (run with admin privileges)
Optional: Create access token and log in to Docker
It is possible that you'll run into pull-rate limits if you're restarting Tilt resources frequently within a short amount
of time. You can increase this limit by creating an access token for the Docker Hub.
For this, open Docker Desktop and click on your user and Account Settings. This will guide you to the Docker Hub page
with your profile. Go to Security
and click on new access token
. Then copy the generated password and open
a powershell. Run the command but replace your own Docker name and enter your copied password.
On Ubuntu Linux
All the necessary installations can be made using the Makefile from the repository. For this follow the steps below, else jump to the next step (make prep).
- Install "make":
- Install prerequisites (some helpers (Maven, jq, curl, ca-certificates, gnupg) and OpenAPI Generator, Docker, kubectl, Helm, Temurin-17-jdk on Ubuntu:
If you’re running Linux in a virtual machine, it may be necessary to restart the virtual machine for changes to take effect (see Docker for Linux )
- Install Tilt and the necessary dependencies (KinD, kubectx and ctlptl) and setup local Maven repository with:
- To avoid networking problems, add the following entry to /etc/hosts:
172.17.0.1 <FQDN>
Set up the local Maven repository
On Windows, you need to run this script using Git Bash:
Additional, useful tools
Use k9s
- We recommend k9s for Kubernetes debugging. Among its numerous features, note:
- painless access to logs, descriptions, and manifests.
- rapid switching between Kubernetes contexts,
- decryption of secrets,
- easily executing a shell in containers,
- easily managing port forwards.
Sysctl
In case you retrieve the warning "too many open files failed to create fsnotify watcher..." change sysctl limits to:
sysctl -n -w fs.inotify.max_user_watches=10485677 && sysctl -n -w fs.inotify.max_user_instances=512 && sysctl fs.inotify
You need to adapt this command for Windows, for example so:
wsl -d docker-desktop sh -c "sysctl -n -w fs.inotify.max_user_watches=10485677 && sysctl -n -w fs.inotify.max_user_instances=512 && sysctl fs.inotify"
Install the pre-commit hook
We use three pre-commit hooks to check our code:
- ktlint : kotlin files
- markdownlint-cli2 : markdown files
- Talisman : scans for possibly sensitive data
The script cluster/scripts/install-pre-commit-hook.sh
installs Talisman and ktlint only for the repository the file
was executed from and creates the .git/hooks/pre-commit
file. markdownlint-cli2
needs to be installed manually
(it requires node.js ).
Make sure to run the script from inside the repository you want the hooks to be installed in. If you run Git from a
different OS than you ran the installation script from, please rerun the script in that OS.
You must do commits through a command line to see Talisman warnings. However, Talisman errors are shown even by other tools, e.g., IntelliJ interface.
You must correct confidential information caught by Talisman right after it was shown to you by Talisman. It is needed because Talisman checks only git diff, and it will not catch your secrets or passwords again later if you will not do any changes in them. If you push then, that sensitive information will be caught by the Talisman job in a pipeline, but all the history with this information will leak.
For more information refer to this instruction.
Configure the SMTP Server
For Keycloak to be able to send an email to the user for verification, appropriate settings on the SMTP server must be configured.
These settings are defined within the values.yaml file of the eurodat-chart
, including smtpApiKey
, smtpApiSecretKey
, and smtpMailFrom
.
smtpMailFrom
specifies the email address from which the verification email is sent.
smtpApiKey
and smtpApiSecretKey
, your SMTP server's credentials, are locally overwritten by the get_smtp_keys.py
script.
To execute this, you have to first complete the env_template
and then relocate it to the main directory of the trustee-platform.
In addition, the connection settings such as Host, SSL, and the associated Port are configured within the kc_do
script. This completes the setting up of your SMTP server for Keycloak to perform email verification of users.
Tilt environment setup
The two clusters in the local setup are defined in ./Tiltfile
and ./Tiltfile_ext
. Most components are rolled out
by installing the Helm Charts defined in our repository, with values customised for the local settings, thereby acquired
as much dev-prod parity as possible.
The startup and teardown of a local setup is automated with a Makefile. To see all the make targets, you may invoke
make
or make help
.
Create KinD clusters and local Docker registries
Internal cluster
Start EuroDaT Tilt session (internal cluster):
Start without updating the Helm Charts:
It is possible to exclude (xcl) services or pre-specified groups of services from the Tilt session to speed-up builds and decrease resource consumption:
The groups of service currently available to disable in the internal cluster are:
Group | Services |
---|---|
argo-workflows | argo-workflows-controller, argo-workflows-server, argo-workflows-config |
broker | eurodat-controller, eurodat-postgresql, broker-config, broker-ingress, controller-argo |
config | cert-manager, eurodat-cluster-reflector, eurodat-cluster-reloader, restart-reflector, cluster-config, cert-management, restart-reflector-config, eurodat-certificates, eurodat-network-policies, trust-manager |
credential-service | eurodat-credential-service, credential-service-config, credential-service-ingress |
database-service | eurodat-database-service, database-service-config, database-service-ingress |
data-plane | eurodat-data-plane |
ingress | ingress-nginx |
keycloak | keycloak, keycloak-config-job |
kubernetes-secret-generator | eurodat-cluster-kubernetes-secret-generator |
monitoring | grafana, grafana-config, opentelemetry-collector, opentelemetry-collector-config, tempo, tempo-config, loki, loki-config |
postgres | eurodat-postgresql, postgresql-config |
rabbitmq | eurodat-rabbitmq, eurodat-rabbitmq-config |
transaction-service | eurodat-transaction-service, transaction-service-config |
transaction-vault | eurodat-transaction-vault, eurodat-transaction-vault-config |
Note that a service can not be disabled, if an enabled service depends on it. In this case, Tilt overrules the exclusion. For an overview of all internal services and their dependencies refer to the following image (click to enlarge):
In case Tilt does not display the option to start the web GUI, open localhost:10350
in your browser.
External cluster
Once the EuroDat Tilt session has fully started up, start the EuroDaT client Tilt session (external cluster) from a separate shell
Start without updating the Helm Charts:
The exclusion of services from the Tilt session is also available for the external cluster:
The groups of service currently available to disable in the external cluster are:
Group | Services |
---|---|
config | cert-manager, eurodat-ext-cluster-reflector, eurodat-ext-cluster-reloader, restart-reflector, cluster-config, cert-management, eurodat-ext-certificates,eurodat-ext-network-policies, restart-reflector-config |
consumer | eurodat-ext-consumer, consumer-config |
consumer-ingress | consumer-ingress-nginx, eurodat-ext-cluster-consumer-nginx-admission-create, eurodat-ext-cluster-consumer-nginx-admission-patch |
provider | eurodat-ext-provider, provider-config |
provider-ingress | provider-ingress-nginx, eurodat-ext-cluster-provider-nginx-admission-create, eurodat-ext-cluster-provider-nginx-admission-patch |
Note that a service can not be disabled, if an enabled service depends on it. In this case, Tilt overrules the exclusion. For an overview of all external services and their dependencies refer to the following image (click to enlarge):
The web GUI of the client Tilt session can be accessed by opening localhost:10351
in your browser.
- To update all the Helm dependencies, use
make update
. - To delete the local clusters, execute
make teardown
. Note: This should not be necessary between Tilt sessions. - The internal and external clusters can be setup and torndown separately with
make setup-int
/make teardown-int
andmake setup-ext
/make teardown-ext
. The teardown commands will only remove the KinD cluster but not the registry. make update-controller
updates thecontroller
Helm Chart and the charts that depend on it. The command is automatically executed by the internal Tiltfile if any file in thecontroller
Helm Chart changes.
Running the trustee locally
Scope of the local setup
The local setup described above is relatively complete. It contains the following resources:
- In both clusters:
- cert-manager for certificate management
- ingress-nginx as ingress controller/load balancer. The local Kubernetes clusters are reachable under the DNS name
<machine name>.local
and certificates are issued to this DNS name. The ingress controller is mapped to port443
for the trustee cluster and9443
/9444
for the provider/consumer in the external cluster, respectively. The Kubernetes API instances are mapped to the ports50000
and50001
, respectively.
- In the trustee cluster:
- Keycloak for client auth management
- The following Trustee platform components:
control plane
, consisting of thecontroller
data-plane
flash vaults
:ice-cream-app
- In the client (or external) cluster:
- One
controller
each for consumer and provider:
- One
A limitation of the current setup is that it is based on the KinD CNI which does not enforce NetworkPolicy. Thus, ingress and egress rules as defined by these are not respected.
Swagger UI
Once all necessary components are up and running you can use Swagger-UI (available at https://<machine name>.local/control-plane/api/v1/controller/swagger-ui/)
to test/try out the system.
Common Issues
- When running Tilt, some resources do not start correctly.
This can happen due to race conditions. Please restart all failed resources starting from ingresses (you can do several attempts).
Otherwise, it can happen due to errors. Please check them using Tilt logs for failed jobs and reviewing Kubernetes resources (e.g., in k9s).
-
In case you retrieve the warning "too many open files failed to create fsnotify watcher...":
Change sysctl limits for Linux systems:
sysctl -n -w fs.inotify.max_user_watches=10485677 && sysctl -n -w fs.inotify.max_user_instances=512 && sysctl fs.inotify
You need to adapt this command for Windows with wsl2, for example so: