Automated branch deployments to subdomains

[drewvolz]

We want a simplified setup of testing different ccc branches in-app without booting a local server to test PRs of ccc-server before they merge. Essentially, we want heroku-like deploys of branches for the app to use in dev.

Rather than bundle the code as an artifact (in #749), we could set up a system where a Caddy server listens for authenticated requests, pulls a matching tag from Docker Hub, boots the image, then exits. We need to integrate several components.

Thoughts and proposal below.

Step 1: Set Up the Wildcard DNS Record

Create a wildcard DNS record for *.branch.stolaf.api.frogpond.tech. Point it to the IP address of the server where Caddy will be running.

Step 2: Install and Configure Caddy

Follow the official instructions to install Caddy on our server.

{
    on_demand_tls {
        ask http://localhost:3000/validate
    }
}

*.branch.stolaf.api.frogpond.tech {
    reverse_proxy stolaf:3000
}

Step 3: Create a Validation Endpoint

Set up a service that Caddy can query to validate incoming requests for TLS certificates. This service should run on our server at http://localhost:3000/validate.

import Koa from 'koa'
import Router from 'koa-router'

const app = new Koa()
const router = new Router()

const allowedHostnames = ['*.branch.stolaf.api.frogpond.tech']
const apiKey = 'OUR_API_KEY' // todo

router.get('/validate', async ctx => {
    const hostname = ctx.query.hostname
    const providedApiKey = ctx.headers['x-api-key']

    if (providedApiKey !== apiKey) {
        ctx.status = 403
        ctx.body = 'Invalid Request'
        return
    }

    if (!hostname || !allowedHostnames.includes(hostname)) {
        ctx.status = 400
        ctx.body = 'Invalid or unauthorized hostname'
        return
    }

    ctx.body = 'ok'
})

app .use(router.routes()) .use(router.allowedMethods())

app.listen(3000, () => {
    console.log('Validation service running on port 3000')
})

Step 4: Docker Management

Use Docker's api to manage containers.

 import express from 'express'
 import Docker from 'dockerode'

 const app = express()
 const docker = new Docker()

 app.post('/deploy/:branch', async (req, res) => {
     const branch = req.params.branch
     const imageName = `dockerhubusername/imagename:${branch}`
     try {
         const stream = await docker.pull(imageName)
         docker.modem.followProgress(stream, async (err, output) => {
             if (err) return res.status(500).send(err)

             try {
                 const container = await docker.createContainer({
                     Image: imageName,
                     name: `container-${branch}`,
                     ExposedPorts: { "80/tcp": {} },
                     HostConfig: { PortBindings: { "80/tcp": [{ HostPort: "9000" }] } }
                 })

                 await container.start()
                 res.send(`Container for ${branch} started.`)
             } catch (err) {
                 res.status(500).send(err.toString())
             }
         }, event => {
             console.log(event)
         })
     } catch (error) {
         res.status(500).send(error.toString())
     }
 })

 app.listen(9001, () => {
     console.log('Deployment service running on port 9001')
 })

Step 5: Automate Stopping Containers

Stop and remove containers when they are no longer needed.

Step 6: Authentication

Ensure that only authorized requests can deploy new containers. We can use basic auth, JWT, or another method.

1. Install the jsonwebtoken and express-jwt packages.

npm install jsonwebtoken express-jwt

2. Generate JWT Tokens

import jwt from 'jsonwebtoken'

const secret = 'secret-key'
const payload = { user: 'authorizedUser' }

const token = jwt.sign(payload, secret, { expiresIn: '1h' })
console.log('Generated JWT Token:', token)

3. Modify the deployment service to use JWT for authentication.

import express from 'express'
import Docker from 'dockerode'
import jwt from 'jsonwebtoken'
import expressJwt from 'express-jwt'

const app = express()
const docker = new Docker()
const secret = 'secret-key'

app.use(expressJwt({ secret, algorithms: ['HS256'] }).unless({ path: ['/'] }))

app.post('/deploy/:branch', async (req, res) => {
    const branch = req.params.branch
    const imageName = `dockerhubusername/ourimagename:${branch}`

    try {
        await new Promise((resolve, reject) => {
            docker.pull(imageName, (err, stream) => {
                if (err) return reject(err)
                docker.modem.followProgress(stream, onFinished, onProgress)

                function onFinished(err, output) {
                    if (err) return reject(err)

                    docker.createContainer({
                        Image: imageName,
                        name: `container-${branch}`,
                        ExposedPorts: { '80/tcp': {} },
                        HostConfig: { PortBindings: { '80/tcp': [{ HostPort: '9000' }] } }
                    }).then(container => {
                        container.start()
                        res.send(`Container for ${branch} started.`)
                        resolve()
                    }).catch(reject)
                }

                function onProgress(event) {
                    console.log(event)
                }
            })
        })
    } catch (error) {
        res.status(500).send(error.toString())
    }
})

app.listen(9001, () => {
    console.log('Deployment service running on port 9001')
})

4. Test the Authentication

curl -X POST http://frogpond:9001/deploy/branch \
-H "Authorization: Bearer JWT_TOKEN"

Step 7: Integration

Ensure that the Caddy server, validation service, and Docker deployment service are running and correctly configured.