hasura / hasura-k8s-stack

A feature-complete Hasura stack on Kubernetes
MIT License
138 stars 26 forks source link

hasura-k8s-stack

A feature-complete Hasura stack on Kubernetes.

Components

Architecture

architecture

Setting up

This guide is written with the assumption that the user is well versed with Kubernetes and the user has a Kubernetes cluster with enough resources ready for consumption.

Postgres

Postgres is the primary datastore and is created as a Kubernetes Deployment backed by a Persistent Volume. This is only intended for a development setup and should not be used in a production scenario. If there is no first-class storage support, Postgres should be outside the Kubernetes cluster.

A Kubernetes Service object is created to direct traffic to Postgres pod in this Deployment.

Kubernetes Secrets are used to store the Postgres username, password etc. Actual secret files should never be committed to the repo.

Installation

cd postgres

# copy the secret.yaml file
cp secret.yaml secret.prod.yaml

# edit secret.prof.yaml and change username, password, dbname
vim secret.prod.yaml

# create the secret
kubectl apply -f secret.prod.yaml

# create the PVC
kubectl apply -f pvc.yaml

# create deployment and service
kubectl apply -f deployment-service.yaml

Once these components are successfully created, Postgres will be available at postgres://postgres:5432 on the Kubernetes cluster in the default namespace.

Hasura GraphQL Engine

Hasura GraphQL Engine is deployed as a Kubernetes Deployment along with a Service object to load balance traffic to multiple pods. The default deployment launches one instance of GraphQL Engine connected to the Postgres DB provisioned earlier.

Installation

cd hasura

# copy secret.yaml
cp secret.yaml secret.prod.yaml

# edit secret.prod.yaml and add an admin secret (access key) and db url
vim secret.prod.yaml

# create the secret
kubectl apply -f secret.prod.yaml

# create the deployment and service
kubectl apply -f deployment-service.yaml

Hasura should be available as http://hasura:80 inside the cluster. This service can be publicly exposed with an ingress rule and we'll explore it in the ingress section.

Scaling

Hasura can be horizontally scaled without any side-effects. Just increase the number of replicas for the Kubernetes deployment. Make sure that there is enough CPU/RAM available for the new replicas.

kubectl scale deployment/hasura --replicas 3

Migrations

Hasura can keep track of the database and metadata changes and store them as declarative files so that it can be version controlled. It is a flexible system that let's you write migrations by hand or it can auto-generate migrations when you use the console.

To use migrations, install the Hasura CLI - instructions are in the docs.

Once CLI is installed, open the console using CLI.

cd hasura

# open console
hasura console --endpoint <hasura-endpoint> --access-key <hasura-access-key>

As and when you use the console to make changes, CLI will write migration files (yaml) to the migrations directory.

Read more about migrations.

The same migrations can then be applied on another Hasura instance:

cd hasura

# apply migrations on another instance
hasura migrate apply --endpoint <another-hasura-endpoint> --access-key <access-key>

Until PR#1574 is merged, it is recommended to scale the replicas back to one to apply migrations and then scale them back up again.

Nginx Ingress

Nginx Ingress Controller let's us define ingress rules and expose services running in the cluster on an external domain. Behind the scenes, it is an Nginx container which can be configured using Ingress objects to add specific routing rules. It can also do SSL termination which we will be using along with cert manager.

Installation

cd nginx-ingress

# create namespace, configmaps and deployment
kubectl apply -f mandatory.yaml

# create the loadbalancer
kubectl apply -f cloud-generic.yaml

Ingress resource for Hasura

Now that the Ingress controller is created, we can create an Ingress object to route external traffic to our Hasura container.

Before that, we need to configure a domain and add the load balancer's IP address to the domain's DNS records.

# get load balancer ip
kubectl -n ingress-nginx get service

NAME            TYPE           CLUSTER-IP     EXTERNAL-IP    PORT(S)                      AGE
ingress-nginx   LoadBalancer   10.0.162.204   52.172.9.111   80:31186/TCP,443:30609/TCP   30h

# copy the EXTERNAL-IP

Once you have the EXTERNAL-IP from the output above, add an A record for your domain from the DNS dashboard.

We'll use the same domain in our ingress configuration.

You can check the status by checking if the address is assigned. Once it is available you can go to the domain and it should load the Hasura console.

Cert Manager

Cert Manager is a Kubernetes add-on to automate the management and issuance of TLS certificates from various issuing sources. We'll use it to provision certificates automatically from Let's Encrypt.

This step is optional if you have already bought certificates from another vendor as it can be configured directly with the Ingress controller.

Installation

cd cert-manager

# create the namespace
kubectl apply -f namespace.yaml

# create crds
kubectl apply -f 00-crds.yaml

# create the cert manager resources
kubectl apply -f cert-manager.yaml

# create letsencrypt staging and prod issuers
kubectl apply -f le-staging-issuer.yaml
kubectl apply -f le-prod-issuer.yaml

Once the manager starts running, it will contact the Let's Encrypt staging server and issues a fake certificate. This is to make sure that misconfigurations will not lead to hitting rate limits on the prod server.

For this to happen, let's create the Ingress resource.

cd hasura

# edit ingress.yaml and replace k8s-stack.hasura.app with your domain
vim ingress.yaml

# create the ingress resource
kubectl apply -f ingress.yaml

Depending on the load balancer and the networking plugin, it will take couple of minutes for the configuration to be active.

# check the status of ingress
kubectl get ingress

NAME     HOSTS                  ADDRESS        PORTS     AGE
hasura   k8s-stack.hasura.app   52.172.9.111   80, 443   30h

Once the Ingress resource is created, cert-manager should be triggered and it will start the certificate issuance process. You can check the status using the following command:

kubectl get certificate

Checkout of you're getting a SSL certificate for the domain (it will be invalid as it is a fake CA). If everything is alright, edit the ingress resource to use the prod issuer.

# open the ingress object in an editor
kubectl edit ingress hasura

# replace letsencrypt-statging to letsencrypt-prod
#    certmanager.k8s.io/issuer: letsencrypt-prod

# save and exit

# delete the certificate that is already issue to trigger a cert issuance 
# from prod server
kubectl delete certificate <cert-name-from-get-command-above>

The domain should have a proper SSL certificate once the issuance is completed.

Event Triggers

Event triggers can be used to trigger webhooks on database events like insert, update and delete. This is typically useful for executing asynchronous business logic, like sending emails, updating a search index etc. In this stack we are using a Node.js microservice written using Express.js which exposes our webhooks. Many community contributed boilerplates are available which includes serverless functions also.

Installation

cd event-tiggers

# create kubernetes deployment and service
kubectl apply -f k8s.yaml

Once the container has started, the triggers will be available at http://event-triggers from within the cluster, there is an echo trigger that is already setup at http://event-triggers/echo.

Remote Schema

To custom business logic that is synchronous in nature, you can write a dedicated GraphQL server in any preferred language and expose the queries and mutations from that server through Hasura's GraphQL API using Remote schema feature. The stack here includes a GraphQL server written in Node.js using Express.js and GraphQL.js with a sample Hello World schema.

Installation

cd remote-schema

# create kubernetes deployment and service
kubectl apply -f k8s.yaml

The GraphQL server should be available at http://remote-schema/graphql from within the cluster.

TODO


A big shoutout to the folks at appsintegra for collaborating with Hasura on this repo.