09/14: cdn: Add a basic deployment plan to the README.org
From: Chris Marusich
Subject: 09/14: cdn: Add a basic deployment plan to the README.org
Date: Sat, 29 Dec 2018 02:04:55 -0500 (EST)
marusich pushed a commit to branch master
in repository maintenance.
commit b4eee7c69bf25c8bac722ae98d58de740ba6ef1e
Author: Chris Marusich <address@hidden>
Date: Fri Dec 28 17:38:37 2018 -0800
cdn: Add a basic deployment plan to the README.org
* cdn/README.org: Discuss the deployment plan.
---
cdn/README.org | 128 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 127 insertions(+), 1 deletion(-)
diff --git a/cdn/README.org b/cdn/README.org
index e030202..da5a438 100644
--- a/cdn/README.org
+++ b/cdn/README.org
@@ -966,7 +966,7 @@ signatures.
Currently, we have all the IAM configuration in Terraform config. That's
great!
- Integrate the CloudFront distribution with ACM.
-- Figure out how to share the state. Maybe use the S3 backend?
+- Set up locking with the S3 backend.
- Package Terraform
- Package the AWS Provider plugin for Terraform
- Simplify variable definitions by using .tfvars file?
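Review bot: the rewritten TODO item "Set up locking with the S3 backend." should name the locking mechanism, because the S3 backend does not lock state by itself: Terraform's s3 backend takes a `dynamodb_table` argument and needs a DynamoDB table whose hash key is a string attribute named `LockID`. Suggest making the item concrete, e.g. "- Set up state locking for the S3 backend (DynamoDB lock table).", so whoever picks it up knows a second AWS resource must be created alongside the state bucket.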
@@ -1208,3 +1208,129 @@ See the following for details:
https://docs.aws.amazon.com/cli/latest/reference/cloudfront/create-invalidation.html
https://docs.aws.amazon.com/cli/latest/reference/cloudfront/get-invalidation.html
+* Deployment Plan
+** DNS
+For information about how Guix has configured its DNS, please contact
+one of the system administrators or address@hidden
+
+For now, we plan to use ci.guix.info as the entrypoint into the CDN.
+Currently, ci.guix.info points to the berlin build farm. To integrate
+ci.guix.info with the CDN, we must change ci.guix.info to be a CNAME
+that points to the CloudFront distribution.
+
+** HTTPS (TLS)
+Because ci.guix.info and berlin.guixsd.org currently allow both HTTP
+and HTTPS (i.e., HTTP over TLS), we will do the same for the
+CloudFront distribution. However, in the future, to protect the
+confidentiality of connections between clients and our build farm (or
+the CDN), we should stop serving requests over HTTP.
+
+In addition, because we want to support HTTPS, we will need to arrange
+for a TLS certificate for ci.guix.info to be used with the CloudFront
+distribution. For details on how this is done with CloudFront, see:
+
+https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-alternate-domain-names.html
+
+Currently, the server behind berlin.guixsd.org (which currently, like
+ci.guix.info, is a single A record pointing to 141.80.181.40) returns
+a Let's Encrypt certificate with the following two Subject Alternative
+Names:
+
+- berlin.guixsd.org
+- ci.guix.info
+
+You can see this by running:
+
+ echo -n | openssl s_client ci.guix.info:443 | openssl x509 -text
+
+We are not going to re-use this certificate. Instead, we are going to
+provision a new certificate using Amazon Certificate Manager (ACM).
+We will do this because if we use an ACM certificate, we gain the
+following benefits:
+
+- ACM will automatically rotate our certificate.
+- The ACM CA, like many CAs, is already trusted by Guix's client
+ software and so requires no additional action for clients to use.
+- By using ACM, we do not have to trust Amazon with the
+ berlin.guixsd.org server's private key.
+- Using ACM is a purely additive operation, so rollback is easy.
+- This use of ACM incurs zero additional cost.
+
+On the contrary, if we re-use berlin.guixsd.org's certificate, we must
+accept the following downsides:
+
+- Certificate rotation must be done manually, or via a cron job of
+ some kind that we would have to implement and maintain. Even if
+ Let's Encrypt makes it easy to rotate the certificate, importing
+ that certificate into AWS and using it with the CloudFront
+ distribution will require additional steps.
+- We must share the berlin.guixsd.org server's private key with AWS.
+ If rolling back also means eliminating the risk introduced by
+ sharing the private key, then rollback will also become more
+ complicated.
+
+We could provision a new Let's Encrypt certificate to make rollback
+easier, but we would still have to import it into Amazon ourselves and
+rotate it manually. It just makes more sense to use Amazon
+Certificate Manger for this test. Perhaps in the future, if we decide
+to stick with CloudFront for a long time, we will implement our own
+automatic rotation mechanism so that we can provision and manage our
+own certificate.
+
+Finally, note that to provision a certificate with ACM will require
+access to both the AWS account and also the DNS provider account.
+This is because, as part of the certificate provisioning process, ACM
+requires us to demonstrate domain ownership. This can be done via
+email verification (in which ACM emails a bunch of admin emails
+associated with the domain) or DNS record verification (in which we
+create a nonce DNS record, specified by ACM, to demonstrate
+ownership).
+
+** Deployment, Validation, and Rollback
+
+Summary of deployment, validation, and rollback plan.
+
+*** Pre-Deployment
+
+Before deploying, make sure the following has been done:
+
+- Fully prepare a working CloudFront distribution using Terraform.
+
+*** Deployment
+
+Deploy as follows:
+
+- Send an email to address@hidden and address@hidden, and notify the
+ #guix chat room on Freenode, to let people know you are beginning.
+- Update DNS so ci.guix.info is a CNAME pointing to the CloudFront
+ distribution's DNS name.
+
+*** Validation
+
+Validate ci.guix.info as follows:
+
+- Using "guix download", download a substitute. Confirm it succeeds.
+- Using "guix weather", check the weather of ci.guix.info. Confirm it
+ succeeds and has more than 0% substitutes available.
+- Using "guix build", build something using substitutes. Confirm that
+ Guix successfully updates substitute information and downloads
+ substitutes.
+- Using IceCat, view the Cuirass web interface. Confirm it loads and
+ behaves as expected.
+- After 24 hours, check the cache hit rate using the AWS Management
+ Console and confirm that it is greater than 0%.
+
+*** Rollback
+
+Rollback as follows:
+
+- Restore the original DNS record for ci.guix.info.
+- Disable the CloudFront distribution when the sooner of the following
+ two conditions occurs:
+ - Time passes equal to 2x the TTL of ci.guix.info.
+ - Request rate to the CloudFront distribution decreases by at
+ least 90% compared to before the rollback.
+- Repeat validation activities for ci.guix.info.
+- Send an email to address@hidden and address@hidden, and notify the
+ #guix chat room on Freenode, to let people know you have rolled
+ back.
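Review bot: the Pre-Deployment list has a single item, yet the Rollback section depends on two things that are never prepared: the TTL of the ci.guix.info record should be lowered well before the cutover so that "2x the TTL" is a short wait, and the current record (the single A record to 141.80.181.40 mentioned under HTTPS) should be written down so that "Restore the original DNS record for ci.guix.info" is unambiguous; both belong as Pre-Deployment items. The Validation list also never checks the certificate that the distribution actually serves after the CNAME switch; the `openssl s_client` one-liner from the HTTPS section should be repeated post-cutover and confirmed to show the ACM-issued certificate with ci.guix.info as a SAN. That one-liner should read `echo -n | openssl s_client -connect ci.guix.info:443 -servername ci.guix.info | openssl x509 -noout -text`: without `-connect`, OpenSSL releases that lack the positional host:port form fall back to localhost:4433, and `-servername` matters once CloudFront is in front, since it selects the certificate by SNI. Minor: "Amazon Certificate Manger" should be "Amazon Certificate Manager".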