8. Services API
8.1. Introduction
Without backing services, the running applications would not have a way to persist their state. The services API is responsible for the provisioning, deprovisioning, backup, and restore of backing services such as databases, message queues, and object storage.
8.2. Initial Configuration
Before being able to provision a new Services API virtual machine, we need to perform some initial configuration. Start by adding (or requesting) a new OneLogin application as done for the appctl:
ddt create-onelogin-saml-app \
    --allow-devs \
    services.hackathon-XX.aldryn.net \
    'Services API (Hackathon XX)'
Add the resulting app and entity IDs to your defaults file along with the
following entries:
services_api_rabbitmq_user: "divio-hackathon-XX-services"
services_api_rabbitmq_vhost: "divio-hackathon-XX-services"
services_api_color: Hackathon XX,#ffffff,#606060 # You can pick your own colors
services_api_saml_idp_app_id: "<OneLogin app ID>"
services_api_saml_idp_entity_id: "<OneLogin SAML entity UUID>"
Next up, provision an Elastic IP for the Services API as done for the bastion host and app controller already (remember to also add the DNS record to DNSimple):
aws --profile divio-hackathon ec2 allocate-address \
    --domain vpc \
    --tag-specification 'ResourceType=elastic-ip,Tags=[{Key=Name,Value=services.hackathon-XX.aldryn.net}]'
Generate four generic secrets…:
generate-secrets 64 4
…one Fernet encryption key by spinning up a new Python interpreter session and executing…:
>>> from cryptography.fernet import Fernet
>>> print(Fernet.generate_key().decode())
sIgFc0gtyFlvQIq3NsW66tMrq-io01X4WMtssTyEJPY=
…and add everything to your vault:
vault_services_api_secrets_encryption_keys: "<fernet key>"
vault_services_api_db_password: <generated secret 1>
vault_services_api_rabbitmq_password: <generated secret 2>
vault_services_api_redis_password: <generated secret 3>
vault_services_api_secret_key: <generated secret 4>
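A pre-provisioning check for these vault entries, as an added example that is not part of the original documentation or the project's tooling: it flags the sample Fernet key printed above, malformed keys, leftover placeholders and secrets reused across entries. The function names are hypothetical, the 64-character minimum assumes `generate-secrets 64 4` emits 64-character secrets, and the encryption-keys entry is treated as a single key, as shown on this page.

```python
import base64
import secrets

# Sample key printed in the interpreter session above; it is public, never deploy it.
DOC_SAMPLE_KEY = "sIgFc0gtyFlvQIq3NsW66tMrq-io01X4WMtssTyEJPY="
KEY_VAR = "vault_services_api_secrets_encryption_keys"
SECRET_VARS = (
    "vault_services_api_db_password",
    "vault_services_api_rabbitmq_password",
    "vault_services_api_redis_password",
    "vault_services_api_secret_key",
)


def new_fernet_key() -> str:
    # Same construction as Fernet.generate_key(): 32 random bytes, URL-safe base64.
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).decode()


def check_vault(entries: dict, min_len: int = 64) -> list:
    """Return problems found in the vault entries (empty list means OK); min_len is an assumption."""
    problems = []
    key = entries.get(KEY_VAR, "")
    if key == DOC_SAMPLE_KEY:
        problems.append(f"{KEY_VAR}: sample key copied from the documentation")
    try:
        raw = base64.urlsafe_b64decode(key.encode())
    except (ValueError, TypeError):  # binascii.Error is a ValueError subclass
        raw = b""
    if len(raw) != 32:
        problems.append(f"{KEY_VAR}: not a valid Fernet key (needs 32 decoded bytes)")
    values = [entries.get(name, "") for name in SECRET_VARS]
    for name, value in zip(SECRET_VARS, values):
        if value.startswith("<") or len(value) < min_len:
            problems.append(f"{name}: placeholder or shorter than {min_len} characters")
    if len(set(values)) != len(values):
        problems.append("generated secrets are reused across entries")
    return problems


def constructed_vault() -> dict:
    # Constructed sample input: fresh random values, not real credentials.
    vault = {name: secrets.token_urlsafe(48) for name in SECRET_VARS}  # 64 characters each
    vault[KEY_VAR] = new_fernet_key()
    return vault
```
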
Finally, add a user and a vhost to the RabbitMQ cluster as we did for the app
controller already. Use divio-hackathon-XX-services as name and the secret
generated above for the password.
8.3. Provisioning the services API
You are now ready to provision the services API. By now you should know the command:
ddt provision --deploy divio-hackathon services
8.4. Base Configuration
Log into the services API and solve the redirect issue as already done for the app controller by SSH’ing into the VM and granting the necessary permissions to your user.
Create a new user for the control panel and give it an API token.
Create an AWS bucket and an IAM user as done for the app controller, using
divio-hackathon-XX-backups as name.
You now need a second bucket for uploads; to do so, open the
platform/roles/aws-bucket-uploads/tasks/main.yml tasks file and manually
apply the described actions to your AWS account.
Todo
Add to storage configs (DSN format?)
8.5. Object Storage Configuration
Todo
New user on same account, note about shards, Incl. billing, no CF integration
8.6. PostgreSQL Configuration
Todo
New cluster (?), Note about rabbitmq, mysql, elasticsearch
8.7. Control Panel Integration
Todo
Backing services endpoints setup
8.8. Deploy a Stateful Application
Todo
Django CMS
Todo
Shut down everything