Backend deployment tools and processes

This document describes the deployment. Development information is in the GitHub README of the Loono Backend repository.

Used tools

  • AWS and Kubernetes services

  • Docker

  • Terraform

Deployment process

The backend server is an application running on JVM written in Kotlin and built by Gradle.

Versions:

  • Kotlin 1.5.20

  • JVM 11+ (compatibility with 11)

  • Gradle 7.1

The server uses PostgreSQL as its data storage.

We deploy a new version of the Loono Backend on commit in this way:

  1. Docker image creation with Dockerfile

    1. Building the application by Gradle build to create a bootable JAR file

    2. Creation of the final Docker image with the application JAR

  2. Upload the Docker image to the Docker repository (ECR)

  3. Deployment of the new server version to AWS

    1. Startup of the new version

    2. If the startup succeeds then the new version replaces the old one

Pipelines and configurations

  • The AWS configuration and deployment are managed by Terraform. The definitions are located in the GitHub repository.

    • The infrastructure definitions are owned by @Martin Wenisch and any changes have to be reviewed by him.

  • The deployment pipelines (GitHub Actions)

GitHub Secrets

We use GitHub Secrets to keep access keys and passwords hidden in our public repository. The secrets are used in the Actions, where they provide secret values for the deployment process (access to AWS) or secrets needed by a pod.

Flow: GitHub Actions Secret → GitHub Actions → Terraform environment variable → Pod template with predefined system environment variables

AWS connection and deployment secrets

AWS_ACCESS_KEY_ID

AWS_REGION

AWS_REPOSITORY

AWS_SECRET_ACCESS_KEY

CERTIFICATE_ARN

Application secrets

DATABASE_PASSWORD

The password to the PostgreSQL database.

GOOGLE_APPLICATION_CREDENTIALS

The Firebase credentials for the Firebase Admin SDK. The secret contains the content of the JSON file downloaded from the Admin console.
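A pre-flight check the deployment job could run before Terraform, shown as an added example that is not taken from the Loono repository: it confirms every secret named above is set and that GOOGLE_APPLICATION_CREDENTIALS holds the JSON content rather than a file path, and it reports only secret names, never values. The function names and the `TF_VAR_` mapping with lowercased variable names are assumptions.

```python
import json
import os
import sys

# Secret names as listed on this page.
DEPLOY_SECRETS = ["AWS_ACCESS_KEY_ID", "AWS_REGION", "AWS_REPOSITORY",
                  "AWS_SECRET_ACCESS_KEY", "CERTIFICATE_ARN"]
APP_SECRETS = ["DATABASE_PASSWORD", "GOOGLE_APPLICATION_CREDENTIALS"]


def preflight(env):
    """Return a list of problems; each names the secret, never its value."""
    problems = []
    for name in DEPLOY_SECRETS + APP_SECRETS:
        # GitHub Actions expands an undefined secret to an empty string.
        if not env.get(name, "").strip():
            problems.append(f"{name}: missing or empty")
    arn = env.get("CERTIFICATE_ARN", "").strip()
    if arn and not arn.startswith("arn:"):
        problems.append("CERTIFICATE_ARN: not an ARN")
    creds = env.get("GOOGLE_APPLICATION_CREDENTIALS", "").strip()
    if creds:
        try:
            doc = json.loads(creds)
        except ValueError:
            # Common mistake: the secret holds a file path, not the JSON content.
            problems.append("GOOGLE_APPLICATION_CREDENTIALS: not JSON content")
        else:
            if not isinstance(doc, dict) or doc.get("type") != "service_account":
                problems.append("GOOGLE_APPLICATION_CREDENTIALS: not a service account key")
            elif not doc.get("private_key"):
                problems.append("GOOGLE_APPLICATION_CREDENTIALS: private_key missing")
    return problems


def terraform_env(env):
    """Application secrets as TF_VAR_* variables (lowercased names are assumed)."""
    return {f"TF_VAR_{name.lower()}": env[name] for name in APP_SECRETS}


if __name__ == "__main__":
    found = preflight(os.environ)
    for problem in found:
        print(f"::error::{problem}")  # GitHub Actions error annotation
    sys.exit(1 if found else 0)
```

Run as a job step with the secrets exported into the step's environment; a non-zero exit stops the deployment before any value reaches Terraform.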

Access to logs

We can get read-only access to AWS CloudWatch. If you need access, please ask @Martin Wenisch.

Logs

We can access the logs in AWS CloudWatch:

https://eu-west-3.console.aws.amazon.com/cloudwatch/home?region=eu-west-3#logsV2:log-groups/log-group/$252Fecs$252Fbackend

 

Pod parameters

Hardware configuration:

  • Memory: 512 (0.5 GB)

  • CPU: 256 (.25 vCPU)

Application configuration:

  • Instances: 1

DB configuration:

  • Allocated space: 20 GB

  • Maximum space: 100 GB

  • Type and engine: PostgreSQL 12.5

  • Backup retention period: 7 days

Testing and CI/CD

There are several testing levels to ensure quality.

  1. The build: we cover the main functionality with unit tests (code coverage is available via the JaCoCo plugin in the project)

    1. We have a CI pipeline in GitHub Actions that executes the project build on each commit.

    2. The tests are also part of the Docker image build.

  2. The deployment

    1. The deployment succeeds if the health check passes 3 times.

    2. We have post-deploy tests which validate the health check and the API documentation after the deployment itself.