Howard: Cloud infrastructure of the Canadian Food Inspection Agency (CFIA) ACIA-CFIA ai-Lab

About the project

The Howard project is named after Luke Howard, FRS, a notable British manufacturing chemist and amateur meteorologist known as "The Godfather of Clouds". His work laid foundational concepts in meteorology, including a nomenclature system for clouds introduced in 1802. Inspired by his innovation and legacy in categorizing the elements, our project aims to effectively manage and orchestrate the cloud-based infrastructure for the Canadian Food Inspection Agency (CFIA) ai-lab.

Howard is essentially the backbone that supports CFIA's ai-lab Kubernetes environment, where key applications such as Nachet, Finesse, and Louis are deployed and managed dynamically. This infrastructure emphasizes robustness, security, and efficiency to handle the critical workload involved in food inspection and safety.

Technology stack and tools

The Howard infrastructure leverages a comprehensive suite of tools designed to provide a resilient, secure, and scalable environment:

Cloud providers

• Initially hosted on Google Cloud, the infrastructure has transitioned to Azure.

Container orchestration

• Kubernetes: Orchestrates container deployment, scaling, and management.

GitOps

• ArgoCD: Used for continuous delivery, managing Kubernetes resources in a declarative way through Git repositories.

Monitoring and security

• Grafana: Visualization and analytics software.
• Kube-Prometheus-Stack: Comprehensive Kubernetes cluster monitoring with Prometheus.
• Grafana Tempo Distributed tracing of our applications.
• Grafana Loki: Logging and aggregation system.
• Grafana Alloy: Allows the collection and transmission of OpenTelemetry data from our applications.
• Falco: Open-source runtime security tool.
• Trivy: Vulnerability scanner for containers.
• Oneuptime: Monitoring tool for real-time performance and security insights.

Networking

• Vouch-Proxy: Authentication proxy.
• Nginx Ingress: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer.
• Istio: Service mesh that provides a secure interface for inter-service communication.

Secrets management

• HashiCorp Vault: Secures, stores, and tightly controls access to tokens, passwords, certificates, and other secrets.

Cloud infrastructure management

• Terraform: Open-source infrastructure as code software tool that allows managing service life cycle in cloud providers declaratively.
• Ansible: Automation tool for configuring and managing computers.

Installation

Terraform deployment

Current configuration is hosting a kubernetes cluster on Azure (AKS). We have an Azure Devops pipeline apply-terraform.yml that applies terraform's resources that are created on our Azure's subscription. The state is then saved to a blob storage in Azure.

Kubectl configuration

Assuming you have Azure's CLI and kubelogin plugin installed, here is how you can locally fetch the kube config :

az login
az account set --subscription xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
az aks get-credentials --resource-group resource-group-name --name aks-name --overwrite-existing
kubelogin convert-kubeconfig -l azurecli

Documentation

https://ai-cfia.github.io/howard/en/