Is1304/add internal traefik instance for reverse proxy

[sanderegg]

What do these changes do?

Adds an internal Traefik instance in the simcore stack to replace the webserver failing reverse-proxy. All calls to /x/{node_uuid} are redirected through Traefik to the corresponding dynamic service.
This has the following consequences:
traefik:

• all traffic going that needs to be reverse-proxied by the internal traefik instance must be labelled with io.simcore.zone: ${TRAEFIK_SIMCORE_ZONE} or it will be picked up by the external Traefik instance.
• the traefik dashboard when running the stack in devel mode (traefik does not handle 2 dashboards at the moment) - in devel mode, the traefik UI is accessible through http://127.0.0.1:8080

director:

• the director now sets the dedicated traefik labels on the spawned services so they are available through the reverse proxy at /x/{node_uuid} as before
• depending on the service reverse-proxy special settings, the director will set the traefik strip_regex middleware on the service if the strip_path:true is set on the service (currently used for the 3d-viewer).

frontend:

• since the internal traefik instance now takes care of the reverse-proxy the frontend needs to poll the service to wait till the reverse-proxy is setup.

additional configurations:

• TRAEFIK_SIMCORE_ZONE: defines the name of the internal traefik zone (it acts as a constraint that traefik recognize to filter services that need reverse-proxy service)
• DIRECTOR_SELF_SIGNED_SSL_SECRET_ID, DIRECTOR_SELF_SIGNED_SSL_SECRET_NAME, DIRECTOR_SELF_SIGNED_SSL_FILENAME are used when deploying simcore in a osparc-ops environment where self-signed certificates are used. these certificates are passed down to the spawned services.

IMPORTANT: the 3D-viewer 3.x must be used from now on. version 2.x will fail.
IMPORTANT: a corresponding PR in osparc-ops shall be used to make the clusters compatible

Bonus:

• adds Hadolint in launch.json for linting Dockerfiles
• adds director in launch.json the list of remote python debugged services
• verbosifies some scripts

Related issue number

closes #1304

How to test

make build
make up
# then open http://localhost:9081

Checklist

• Did you change any service's API? Then make sure to bundle document and upgrade version (make openapi-specs, git commit ... and then make version-*)
• Unit tests for the changes exist
• Runs in the swarm
• Documentation reflects the changes
• New module? Add your github username to .github/CODEOWNERS

[codecov]

Codecov Report

Merging #1313 into master will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master    #1313   +/-   ##
=======================================
  Coverage   60.66%   60.66%           
=======================================
  Files         241      241           
  Lines        9574     9574           
  Branches     1056     1056           
=======================================
  Hits         5808     5808           
  Misses       3489     3489           
  Partials      277      277           

Flag	Coverage Δ
#integrationtests	58.85% <0.00%> (ø)
#unittests	54.92% <0.00%> (ø)

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update c2d57c1...c2d57c1. Read the comment docs.

[odeimaiz]

Frontend part looks good to me 👍

[pcrespov]

So, if I understand it well, in devel mode:

• All calls to http://127.0.0.1:8080 are routed into the traefik dashboard
• All calls to http://127.0.0.1:8082 exposes promethous metrics of traefik
• All http traffik to 9081 is forwarded either to the webserver or any of the backend services spawned by the director with the appropriate labels.

I have the following questions:

1. http://172.0.0.1:8080/ or http://172.0.0.1:8080/dashboard or http://172.0.0.1:8080/api returns 404 in devel-mode
2. are rules for webserver (hostregexp(`{host:.+}`)) and services spawned by the director (PathPrefix(`/x/{node_Uuid}`)) overlapping? e.g. http://172.0.0.1:9081/x/123 fulfill both rules? how is this resolved?

[sanderegg]

• All calls to http://127.0.0.1:8080 are routed into the traefik dashboard
• All calls to http://127.0.0.1:8082 exposes promethous metrics of traefik

So in general you got that right:

• All calls to http://127.0.0.1:9081 are re-directed to the webserver
• All calls to http://127.0.0.1:9081/x/{uuid} are re-directed to the relevant dynamic service
• All calls to http://127.0.0.1:8082 exposes promethous metrics of traefik
  in devel mode:
• All calls to http://127.0.0.1:8080/dashboard/ (note the last / it's important) are re-directed to the traefik dashboard
• For the api, look at the its definition https://docs.traefik.io/operations/api/. For example, http://127.0.0.1:8080/api/http/routers should give the list of routers.

1. http://172.0.0.1:8080/ or http://172.0.0.1:8080/dashboard or http://172.0.0.1:8080/api returns 404 in devel-mode

You need to add / after dashboard

2. are rules for webserver (hostregexp(`{host:.+}`)) and services spawned by the director (PathPrefix(`/x/{node_Uuid}`)) overlapping? e.g. http://172.0.0.1:9081/x/123 fulfill both rules? how is this resolved?

Yes that is correct.
Traefik handles a priority rule by default that is a bit weird to understand see https://docs.traefik.io/routing/routers/#priority
otherwise, which I find clearer is to set a priority to the router. the lowest number 1 being the lowest priority. see that the director sets a priority of 10 to ensure the /x/uuid rule is tested first.

Anyway I discovered some things while playing with the osparc-ops that I will try to add in here to make things clearer (especially with the dashboard and api). The problem is that the dashboard has issues with multiple traefik instances but I'll try to have a way to see both of them.

[pcrespov]

Traefik logs in devel mode show some warnings and one error:

time="2020-04-16T18:00:51Z" level=info msg="Configuration loaded from flags.",
time="2020-04-16T18:00:51Z" level=warning msg="Could not initialize jaeger tracer: lookup jaeger on 127.0.0.11:53: no such host",
time="2020-04-16T18:00:51Z" level=warning msg="Unable to create tracer: lookup jaeger on 127.0.0.11:53: no such host",
time="2020-04-16T18:01:06Z" level=error msg="middleware \"gzip@docker\" does not exist" routerName=api_internal@docker entryPointName=traefik_dashboard,

[pcrespov]

• All calls to http://127.0.0.1:8080/dashboard/ (note the last / it's important) are re-directed to the traefik dashboard

~/devp/osparc-simcore$ wget http://127.0.0.1:8080/dashboard/
--2020-04-16 20:04:59--  http://127.0.0.1:8080/dashboard/
Connecting to 127.0.0.1:8080... connected.
HTTP request sent, awaiting response... 404 Not Found
2020-04-16 20:04:59 ERROR 404: Not Found.

[sanderegg]

will check it out.

[sanderegg]

so my guess is that you were actually using make up-prod and not make up-devel which is what I meant by devel mode.

anyway this is fixed now by moving these labels in docker-compose.local.yml so it will now work in both cases.

so now you will find the following:

• http://127.0.0.1:9081 goes to the webserver
• http://127.0.0.1:9081/x/{node_uuid} goes to the dynamic service uuid
• http://127.0.0.1:8080/dashboard/ goes to the traefik dashboard
• http://127.0.0.1:8080/api/http/routers returns the list of routers (also visible in the dashboard)
• http://127.0.0.1:8080/whoami is a helper service that shows how the client is forwarded to a server by traefik

[pcrespov]

Excellent. Now it works fine !

[pcrespov]

much better

[pcrespov]

shouldn't we have also replicas of traefik ?