Skip to content

Containerised distribution of Guardian main branch #11

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
tonytw1 wants to merge 27 commits into
base: main
Choose a base branch
from
Draft

Containerised distribution of Guardian main branch #11

tonytw1 wants to merge 27 commits into from

Conversation

@tonytw1
Copy link
Member

@tonytw1 tonytw1 commented Jul 29, 2024
edited
Loading

What does this change?

Produces container images for a generalised Grid install based on the Guardian's main branch.

Reasonably opinionated towards "we use AWS services but we don't necessarily run the application on AWS".

  • Disables AWS CloudWatch and Kineses metrics to simplify the AWS dependencies.
  • Switches to ENV variable access tokens for AWS access
  • Alters the service URL scheme to present the Grid microservices under a single hostname (which makes local development and deployment behind a single load balancer simpler)
  • Removes the InnerServiceStatusCheckController as this is less relevant if deployed with a container orchastator.
  • Simplifies Reaper configuration to not need an additional S3 bucket.
  • Removes Guardian specific Composer usage stream consumer and Guardian Content API integration. The Usage API remains intact.
  • Migrates to imgproxy for image previews. Does not build imgops.

How should a reviewer test this change?

How can success be measured?

Who should look at this?

Tested? Documented?

  • locally by committer
  • locally by Guardian reviewer
  • on the Guardian's TEST environment
  • relevant documentation added or amended (if needed)

@tonytw1 tonytw1 force-pushed the containerised branch 2 times, most recently from b0942e9 to 887a0ca Compare August 6, 2024 17:35
@tonytw1 tonytw1 force-pushed the containerised branch 2 times, most recently from 5b3abf6 to 5df2f75 Compare August 30, 2024 19:54
@tonytw1 tonytw1 force-pushed the containerised branch 6 times, most recently from db06496 to 8f64bac Compare September 8, 2024 21:01
@tonytw1 tonytw1 force-pushed the containerised branch 7 times, most recently from e8ad009 to 3ce864b Compare September 25, 2024 11:37
@tonytw1 tonytw1 force-pushed the containerised branch 3 times, most recently from 4810e23 to 779c5c4 Compare October 11, 2024 20:39
@tonytw1 tonytw1 force-pushed the containerised branch 2 times, most recently from 766edbf to 8dadbde Compare November 22, 2025 20:25
tonytw1 added 27 commits January 18, 2026 10:50
@tonytw1
Fixes FileMetadataReaderTest fails locally during British summer by r…
6a8c92c 
…emoving non time zoned date formatter which was shadowing the long standing time zoned date formatter.

Add a British summer time YYYY-MM-dd example to show that this formatter is locale dependant.

DateTimeFormat.forPattern("yyyy-MM-dd") matches the same pattern as ISODateTimeFormat.date.withZoneUTC but removes the withZoneUTC behaviour.

I do not know if that was intentional but FileMetadataReaderTest was a long standing test so this could be considered a regression.

Additionally, that entire block of date formatters probably have an indeterminate outcome.
@tonytw1
CropController uses GridClient for it's get source image call to Medi…
2ac26b6 
…a API.

This call was probably the only service to service call circa 2021. GridClient appears to be how more recent service to service calls are done. Moving this call to GridClient helps to enclosure all the service to service url concerns in one place.
Get SourceImage requests additional fields via media-api query parameters.

Extract the media api uri to image id extraction to a function for testing.
@tonytw1
Neuter CloudWatchMetrics; TODO push to config.
d9d7f1c
@tonytw1
Want to disable Kinises client's noisey CloudWatch emissions.
b764c69
@tonytw1
Switch to EnvironmentVariableCredentialsProvider to defer having to w…
c5326ad 
…ork out AWS roles in containers for now.

Use only ENV AWS creds; should stop AWS auth endpoint timeouts on first hit.
@tonytw1
Play secret from ENV; need to explicitly resolve placeholders.
c75bd5c 
com.typesafe.config.ConfigException$NotResolved: need to Config#resolve() each config before using it, see the API docs for Config#resolve()
@tonytw1
Initial docker image builds
86aa4a3 
sbt universal, then straight to sbt docker may be the correct path now.

Play framework assembly docs do not help with Caused by: java.lang.ClassNotFoundException: play.core.server.ProdServerStart

Attempt to build thrall as a fat jar using assembly.

Reminder of what Thrall does.
@tonytw1
Fork image loader specific play project.
7e4c91d 
cmyk.icc is required for ingesting CMKY colour space JPEGs.
@tonytw1
Cropper asks for 'gm' so give it the same Debian packages as image-up…
05a8e16 
…loader.
@tonytw1
build.sbt drop Debian package related config which is not needed for …
572831c 
…image builds.

Remove redundant debianPackageDependencies options.
@tonytw1
Only log to stdout in the containerised world.
1aa7118
@tonytw1
Alter Syndication access check to use URIs not raw host name; allows …
3b8455a 
…all api host name to be internalised. Interface only talks about base URIs.
@tonytw1
Introduce an interface to document the exposed service uris.
b2b90ee 
Split url Services into a trait and a Guaridan specific implementation; exposes a few 4th wall breaking direct init's in services.
@tonytw1
Everyone using GuardianUrlSchemeServices directly should take Service…
130a781 
…s supplied by common config; no need to trouble yourselves with the details of how those urls are defined.
@tonytw1
Drop GuardianUrlSchemeServices val constructor fields; these allow un…
190c464 
…documented access to the private url building concerns.
@tonytw1
Add a Service URL implementation which map services to port numbers o…
bb051d4 
…n the single hostname.

Will work because HTTPS auth is not active.

CORS for single host urls.

Projection end points are on the image-loader service but have seperate config to permit reingession workloads to be on different instances.
@tonytw1
Drop Guardian services URL scheme.
22d904f 
We have used it to shape the Service interface. It can be dropped now.
@tonytw1
Move all public facing service urls to sub paths under single hostname.
a20c764 
Config single.host.url is exclusively for our single host setup.
@tonytw1
Disable CSRF with is no longer bypassed on a single origin CORS check.
8daf277 
No longer gets bypassed thanks to preceding CORS check; CORS filter does not appear to tag the request if it passes for same origin.
@tonytw1
Delete InnerServiceStatusCheckController
60e2a19 
"checks connectivity to all other internal services..." which sounds like something we can let the container orchestrator handle.
InnerServiceStatusCheckController was the only user of Services.allInternalUris
@tonytw1
Simplify reaper paused control to set by config only.
cc48711 
Removes a bucket dependency.
@tonytw1
Drop more usages composer references; drops composer url config requi…
9482487 
…rement.

Remove usages UsageGroups from Guardian Content methods.

Remove usages CAPI client and it's config.

Delete usages streaming mode Crier steam listening and CAPI specific reindexForContent end point.

Container consumers are never going to be Guardian internal. External users would integrate their streams by having a microapp or Lambda ping the instance specific usages API. We can drop this Guardian specific code and config.
@tonytw1
Use imgproxy rather than nginx imgops for optimised image previews.
acad460 
Faster and lighter. Better colour profile support.

Generate an imgproxy style preview URL. Move service name from imgops to imgproxy.

Disable EXIF autorotation and explicitly correct rotation.
imgproxy does not accept negative rotations.

Be explicit about stripping colour profile to force sRGB.
@tonytw1
Play base project heap size set to 50%; more heap for given container…
ce75077 
… size than default ergonomics.

60% was running close to the OOM kill limit on Java 11 and Java 22 has nudged it into OOM kill.
@tonytw1
image loader prints java memory settings.
3178f8d
@tonytw1
Cloudbuild all artifacts as 1 build.
ae93f7a 
x86 images only. Multi arch is too slow (14 mins) as buildx repeats the apt-get steps.
Cloudbuild uses node 24 for Kahuna build.

Explicit jdk 11 build in Cloudbuild build.
@tonytw1
Cloudbuild runs Kahuna tests.
b1d31d3
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@tonytw1