synapse-docker-registry

CDK-based template for deploying the Synapse Docker registry

Configuration

We use the AWS Secrets Manager

In dev the secret is named registry-dev-DockerFargateStack/dev/ecs and in the prod stack, registry-prod-DockerFargateStack/prod/ecs

A secret is a collection of key-value pairs. For this application there are two pairs. The key for the first should be notification_auth and the value is the Base64-encoded "Basic auth" credentials, which are a shared secret with Synapse as the event notification recipient. The key for the second should be http_secret and the value is a cryptographically generated string for use by the server as described here.

Registry container

We use the open source Docker registry, available on DockerHub. This container requires several configuration files to be mounted. To achieve this cleanly, we embed the files into our own copy of the registry, created on the fly at synth time.

To build the container image manually during development:

openssl req -x509 -days 3650 -newkey rsa:2048 -sha256 \
-nodes -keyout privatekey.pem -out certificate.pem \
-subj "/C=US/ST=WA/L=Seattle/O=SageBionetworks/OU=IT/CN=www.synapse.org"

docker build --build-arg stack=dev .

Note that when deployed, the container is behind a load balancer which uses its own certificate. The self-signed cert only serves to encrypt data in transit between the load balancer and the container, which is a HIPAA security requirement.

Missing Secrets

Each new environment (dev/staging/prod/etc.) requires adding secrets in AWS Secrets Manager. If a secret is not created for the environment, you may get an error with the following stack trace:

Resource handler returned message: "Error occurred during operation 'ECS Deployment Circuit Breaker was triggered'." (RequestToken: d180e115-ba94-d8a2-acf9-abe17a3aaed9, HandlerErrorCode: GeneralServiceException)
    new BaseService (/private/var/folders/qr/ztb40vmn2pncyh8jpsgfnrt40000gp/T/jsii-kernel-4PEWmj/node_modules/aws-cdk-lib/aws-ecs/lib/base/base-service.js:1:3583)
    \_ new FargateService (/private/var/folders/qr/ztb40vmn2pncyh8jpsgfnrt40000gp/T/jsii-kernel-4PEWmj/node_modules/aws-cdk-lib/aws-ecs/lib/fargate/fargate-service.js:1:967)
    \_ new ApplicationLoadBalancedFargateService (/private/var/folders/qr/ztb40vmn2pncyh8jpsgfnrt40000gp/T/jsii-kernel-4PEWmj/node_modules/aws-cdk-lib/aws-ecs-patterns/lib/fargate/application-load-balanced-fargate-service.js:1:2300)
    \_ Kernel._create (/private/var/folders/qr/ztb40vmn2pncyh8jpsgfnrt40000gp/T/tmpqkmckdm2/lib/program.js:9964:29)
    \_ Kernel.create (/private/var/folders/qr/ztb40vmn2pncyh8jpsgfnrt40000gp/T/tmpqkmckdm2/lib/program.js:9693:29)
    \_ KernelHost.processRequest (/private/var/folders/qr/ztb40vmn2pncyh8jpsgfnrt40000gp/T/tmpqkmckdm2/lib/program.js:11544:36)
    \_ KernelHost.run (/private/var/folders/qr/ztb40vmn2pncyh8jpsgfnrt40000gp/T/tmpqkmckdm2/lib/program.js:11504:22)
    \_ Immediate._onImmediate (/private/var/folders/qr/ztb40vmn2pncyh8jpsgfnrt40000gp/T/tmpqkmckdm2/lib/program.js:11505:46)
    \_ processImmediate (node:internal/timers:464:21)
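As an added example (not code from this repository), a small Python check that builds the two key/value pairs described under Configuration and validates an existing SecretString before deployment, so a missing or malformed secret is reported by name rather than surfacing as the circuit-breaker error above. The minimum http_secret length is an assumption; the README only says the value is cryptographically generated.

```python
import base64
import binascii
import json
import secrets

# The two key/value pairs the README requires in the Secrets Manager secret.
REQUIRED_KEYS = ("notification_auth", "http_secret")
MIN_HTTP_SECRET_LEN = 32  # assumed minimum; not stated in the README


def build_registry_secret(username: str, password: str) -> dict:
    """Build the secret's pairs: a Basic-auth token plus a fresh random http_secret."""
    if ":" in username:
        raise ValueError("a Basic auth user name must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"notification_auth": token, "http_secret": secrets.token_hex(32)}


def decode_basic_auth(token: str) -> tuple:
    """Decode a Base64 'user:password' token; raise ValueError if it is malformed."""
    try:
        decoded = base64.b64decode(token, validate=True).decode()
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("not valid Base64 text") from exc
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("does not decode to 'user:password'")
    return user, password


def validate_registry_secret(secret) -> list:
    """Return the problems found in a secret (dict or SecretString JSON); [] means usable."""
    if isinstance(secret, str):
        try:
            secret = json.loads(secret)
        except json.JSONDecodeError:
            return ["SecretString is not valid JSON"]
    if not isinstance(secret, dict):
        return ["secret is not a JSON object of key/value pairs"]
    problems = [f"missing or empty key: {k}" for k in REQUIRED_KEYS if not secret.get(k)]
    if secret.get("notification_auth"):
        try:
            decode_basic_auth(str(secret["notification_auth"]))
        except ValueError as exc:
            problems.append(f"notification_auth {exc}")
    if secret.get("http_secret") and len(str(secret["http_secret"])) < MIN_HTTP_SECRET_LEN:
        problems.append(f"http_secret shorter than {MIN_HTTP_SECRET_LEN} characters")
    return problems
```

To check a deployed stack, pass the SecretString returned by boto3's get_secret_value(SecretId=...) for the secret name listed under Configuration.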

Testing

Static Analysis

As a pre-deployment step we syntactically validate the CDK JSON, YAML and Python files with pre-commit.

Please install pre-commit; once installed, the file validations will run automatically on every commit. Alternatively, you can manually execute the validations by running pre-commit run --all-files.

Python Tests

Tests are available in the tests folder. Execute the following to run tests:

python -m pytest tests/ -s -v