Add cloudbuild deployment script (#7)

* Remove cap drop * Add cloudbuild.yml and deploy.sh * Rename cloudbuild.yml * Add --zone flag * Add probability flag, move some parameters to env vars * Add \n * Address PR comments * Only remove keys that were created >10m ago
m-lab · Aug 20, 2024 · 22d7bc6 · 22d7bc6
1 parent 7e9a831
commit 22d7bc6
Show file tree

Hide file tree

Showing 3 changed files with 82 additions and 9 deletions.
diff --git a/cloudbuild.yaml b/cloudbuild.yaml
@@ -0,0 +1,8 @@
+steps:
+# Run the deployment script. NOTE: the IATA depends on the region where the
+# VM is deployed. Our testing VM is always in us-central1, which is CBF.
+- name: gcr.io/$PROJECT_ID/gcloud-jsonnet-cbif
+  dir: '/workspace/'
+  args: [
+    '/workspace/deploy.sh $PROJECT_ID mlab ${_API_KEY}'
+  ]
diff --git a/deploy.sh b/deploy.sh
@@ -0,0 +1,69 @@
+#!/bin/bash
+set -euxo pipefail
+
+USAGE="$0 <project> <organization> <iata> <api-key>"
+PROJECT=${1:?Please provide the GCP project (e.g., mlab-sandbox): ${USAGE}}
+ORG=${2:?Please provide the organization (e.g., mlab): ${USAGE}}
+API_KEY=${3:?Please provide the API key: ${USAGE}}
+
+IATA="cbf"
+VM_ZONE="us-central1-a"
+VM_NAME="autonode"
+DOCKER_COMPOSE_FILE_PATH="examples/ndt-fullstack.yml"
+LOCATE_URL="locate-dot-${PROJECT}.appspot.com"
+PROBABILITY="1.0"
+INTERFACE_NAME="ens4"
+INTERFACE_MAXRATE="150000000"
+SA_ACCOUNT="autonode@${PROJECT}.iam.gserviceaccount.com"
+
+# NOTE: We don't use the VM's default credentials because we want to simulate
+# how a non-GCP user would set up an autonode. Instead, we generate a temporary
+# key for the autonode service account that will only exist until the next
+# deployment.
+
+# Delete any existing keys for the autonode SA. Ignore failures due to
+# system-managed keys that cannot be deleted.
+for key in $(gcloud iam service-accounts keys list \
+    --iam-account=${SA_ACCOUNT} \
+    --created-before=$(date --iso-8601=seconds -d "10 mins ago") | \
+    cut -f1 -d " " | tail -n +2)
+do
+    gcloud iam service-accounts keys delete --iam-account=${SA_ACCOUNT} ${key} -q || true
+done
+
+# Create a new key.
+gcloud iam service-accounts keys create key.json \
+    --iam-account=${SA_ACCOUNT}
+SA_KEY=$(<key.json)
+
+# Copy the docker compose file to the VM.
+gcloud --project ${PROJECT} compute scp --zone ${VM_ZONE} ${DOCKER_COMPOSE_FILE_PATH} ${VM_NAME}:~/docker-compose.yml --tunnel-through-iap
+
+# Setup script. This stops docker compose, creates the required folders, writes
+# the SA key, re-creates the .env file and restarts docker compose.
+gcloud --project ${PROJECT} compute ssh --zone ${VM_ZONE} ${VM_NAME} --tunnel-through-iap <<EOF
+    set -euxo pipefail
+    # Create volume folders if not present.
+    mkdir -p autocert autonode certs html schemas resultsdir
+
+    # Stop the docker compose if it's running.
+    docker compose -f docker-compose.yml down
+
+    # Create .env file
+    rm .env || true
+    echo "API_KEY=${API_KEY}" >> .env
+    echo "ORGANIZATION=${ORG}" >> .env
+    echo "PROJECT=${PROJECT}" >> .env
+    echo "IATA=${IATA}" >> .env
+    echo "LOCATE_URL=${LOCATE_URL}" >> .env
+    echo "PROBABILITY=${PROBABILITY}" >> .env
+    echo "INTERFACE_NAME=${INTERFACE_NAME}" >> .env
+    echo "INTERFACE_MAXRATE=${INTERFACE_MAXRATE}" >> .env
+
+    # Write service account key to the expected file.
+    echo "${SA_KEY}" > certs/service-account-autojoin.json
+
+    # Start the docker compose again.
+    docker compose -f docker-compose.yml up -d
+EOF
+
diff --git a/examples/ndt-fullstack.yml b/examples/ndt-fullstack.yml
@@ -15,6 +15,7 @@ services:
       - -output=/autonode
       - -healthcheck-addr=:8001
       - -ports=9990,9991,9992,9993
+      - -probability=${PROBABILITY}
     healthcheck:
       test: ["CMD", "curl", "-f", "http://localhost:8001/ready"]
       interval: 3s
@@ -24,17 +25,15 @@ services:
   ndt-server:
     image: measurementlab/ndt-server:v0.22.0
     network_mode: host
+    cap_add:
+      - NET_BIND_SERVICE
     volumes:
       - ./certs:/certs
       - ./html:/html
       - ./schemas:/schemas
       - ./resultsdir:/resultsdir
       - ./autonode:/autonode
       - ./autocert:/autocert
-    cap_drop:
-      - ALL
-    cap_add:
-      - NET_BIND_SERVICE
     depends_on:
       generate-schemas-ndt7:
         condition: service_completed_successfully
@@ -76,15 +75,13 @@ services:
       # Allow ndt7 data to be autoloaded.
       - -compress-results=false
       # TODO(host): confirm device name.
-      - -txcontroller.device=eth0
-      - -txcontroller.max-rate=150000000
+      - -txcontroller.device=${INTERFACE_NAME}
+      - -txcontroller.max-rate=${INTERFACE_MAXRATE}
       - -prometheusx.listen-address=:9990
       # Add server metadata.
       - -label=type=virtual
       - -label=deployment=byos
       - -label=managed=none
-      # TODO(host): add helpful server location metadata labels.
-      #- -label=region=TODO
       # Effectively disable ndt5.
       - -ndt5_addr=127.0.0.1:3002
       - -ndt5_ws_addr=127.0.0.1:3001
@@ -115,7 +112,6 @@ services:
     volumes:
       - ./resultsdir:/resultsdir
       - ./schemas:/schemas
-      - ./testdata:/testdata
       - ./certs:/certs
       - ./autonode:/autonode
     depends_on: