devedmonton / heyburrito

MIT License

Serve karma board over HTTPS #6

Open MarkBennett opened 5 years ago

MarkBennett commented 5 years ago

HTTPS is the new normal on the web, so we should move our server over.

It looks like if we set up our domain with Digital Ocean, then we can configure their load balancer to create and manage a cert with Let's Encrypt for us automatically:

https://www.digitalocean.com/docs/networking/load-balancers/how-to/ssl-termination/

TODO

MarkBennett commented 5 years ago

@j-rewerts heads up. I'll take care of changing the name servers. This is a good way to share them anyway.

j-rewerts commented 5 years ago

One more todo:

I think that one is the real blocking issue.

MarkBennett commented 5 years ago

Just a heads up that I was able to get a site running using Rio (https://rio.io) to serve a dockerized app on top of DO Kubernetes and deploying using GitHub Actions. It was pretty fast to set up and get running so we might want to try something like this for Hey Burrito?

This is the site:

https://alphabeta-staging.burmis.ca/

The repo is private but I can pull out the bits that are important and put them up in a Gist.

j-rewerts commented 5 years ago

That is a very pretty site. Nicely done!

Any ideas on the impact of having Rio inside a cluster with non-Rio workloads? I know it uses Istio as a service mesh.

MarkBennett commented 5 years ago

Since it just adds a couple of CRDs on top of Kubernetes the only issue is the overhead it adds with Istio, Prometheus (for monitoring), and cert-manager. My setup is using the Service Load Balancer from Digital Ocean, but I'm not sure how cert-manager actually applies the certs in front of the services.

In general, running WS behind a load balancer isn't something I've done before so I'm not sure if the Digital Ocean load balancer will be able to do the WSS and our service can just do the WS in node, or if we need to extract the certificate and key from cert-manager and then expose those to the node instance so it can handle the WSS side. If we need to do it on the node side it could be quite a bit more complicated.

I'm thinking that @awg might have some suggestions here. We should follow up with him to see if he knows about WSS on Kubernetes.
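
Added example (not from the thread or the heyburrito code base): the first option raised above, where the load balancer terminates TLS and Node only speaks plain WS, written with Node's built-in modules. It assumes the balancer forwards the Upgrade request and sets `X-Forwarded-Proto`, and that the backend port is reachable only from the balancer; `checkUpgrade`, `textFrame`, `createServer` and `KARMA_WS_PORT` are hypothetical names.

```javascript
const http = require("http");
const crypto = require("crypto");

// Fixed GUID from RFC 6455, used to derive Sec-WebSocket-Accept.
const WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11";

function acceptKey(key) {
  return crypto.createHash("sha1").update(key + WS_GUID).digest("base64");
}

// Unmasked server-to-client text frame; payloads under 126 bytes only.
function textFrame(text) {
  const payload = Buffer.from(text, "utf8");
  if (payload.length > 125) throw new RangeError("payload too long for this example");
  return Buffer.concat([Buffer.from([0x81, payload.length]), payload]);
}

// Decide how to answer an upgrade request that reached Node as plain HTTP.
// Assumption: X-Forwarded-Proto is set by the balancer and cannot be spoofed,
// because clients cannot reach this port directly.
function checkUpgrade(headers) {
  if ((headers["upgrade"] || "").toLowerCase() !== "websocket")
    return { status: 400, reason: "not a websocket upgrade" };
  if (headers["sec-websocket-version"] !== "13" || !headers["sec-websocket-key"])
    return { status: 400, reason: "bad handshake" };
  if (headers["x-forwarded-proto"] !== "https")
    return { status: 403, reason: "client did not use wss://" };
  return { status: 101, accept: acceptKey(headers["sec-websocket-key"]) };
}

function createServer() {
  const server = http.createServer((req, res) => res.end("karma board\n"));
  server.on("upgrade", (req, socket) => {
    socket.on("error", () => socket.destroy());
    const d = checkUpgrade(req.headers);
    if (d.status !== 101) {
      socket.end(`HTTP/1.1 ${d.status} ${d.reason}\r\nConnection: close\r\n\r\n`);
      return;
    }
    socket.write("HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n" +
      `Connection: Upgrade\r\nSec-WebSocket-Accept: ${d.accept}\r\n\r\n`);
    socket.write(textFrame("karma board connected"));
  });
  return server;
}

// Only listens when the (hypothetical) KARMA_WS_PORT variable is set.
if (process.env.KARMA_WS_PORT) createServer().listen(Number(process.env.KARMA_WS_PORT));
```

With this split the certificate and key stay on the balancer and never need to be mounted into the Node container; the hop between balancer and pod is cleartext, so it should stay on a private network.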