Add traefik placeholder service and fallback routers

Traefik placeholder will be used to define low priority traeifk
configuration that will kick in once main docker serviec is not heathy
(its configuration is removed)

Author: YuryHrytsuk

services/simcore/configs/fallback-service-nginx/api/default.conf

@@ -109,9 +109,7 @@ services:
         - traefik.tcp.services.${SWARM_STACK_NAME}_postgresRoute.loadbalancer.server.port=5432
         - "traefik.tcp.routers.${SWARM_STACK_NAME}_postgresRoute.rule=ClientIP(`195.176.8.0/24`) || ClientIP(`10.0.0.0/8`) || ClientIP(`172.16.0.0/12`) || ClientIP(`192.168.0.0/16`)"
       replicas: 1
-  traefik_api:
-    deploy:
-      replicas: 1
+
   webserver:
     deploy:
       replicas: 1

services/simcore/configs/fallback-service-nginx/web/default.conf

@@ -186,6 +186,7 @@ services:
         # internal traefik
         - traefik.enable=true
         - io.simcore.zone=${TRAEFIK_SIMCORE_ZONE}
+        # NOTE: keep in sync with fallback router (rule and entrypoint)
         - traefik.http.routers.${SWARM_STACK_NAME}_invitations.rule=(${DEPLOYMENT_FQDNS_CAPTURE_INVITATIONS})
         - traefik.http.routers.${SWARM_STACK_NAME}_invitations.entrypoints=http
         - traefik.http.services.${SWARM_STACK_NAME}_invitations.loadbalancer.server.port=8000
@@ -769,9 +770,11 @@ services:
         - traefik.http.routers.${SWARM_STACK_NAME}_simcore_http.tls=true
         - traefik.http.routers.${SWARM_STACK_NAME}_simcore_http.middlewares=ops_gzip@swarm, ops_sslheader@swarm, ops_ratelimit@swarm
         - traefik.http.routers.${SWARM_STACK_NAME}_simcore_http.service=${SWARM_STACK_NAME}_simcore_http
+        # Note: keep in sync with fallback router (rule and entrypoint)
         - traefik.http.routers.${SWARM_STACK_NAME}_simcore_http.rule=((${DEPLOYMENT_FQDNS_CAPTURE_TRAEFIK_RULE_CATCHALL}) && PathPrefix(`/`)) || ( (PathPrefix(`/dashboard`) || PathPrefix(`/api`) || PathPrefix(`/doc`) ) && Host(`traefikdashboard.${MACHINE_FQDN}`))
         - traefik.http.routers.${SWARM_STACK_NAME}_simcore_http.priority=3
         # oSparc publicAPI
+        # Note: keep in sync with fallback router (rule and entrypoint)
         - traefik.http.routers.${SWARM_STACK_NAME}_simcore_api.rule=(${DEPLOYMENT_API_DOMAIN_CAPTURE_TRAEFIK_RULE}) && PathPrefix(`/`)
         - traefik.http.routers.${SWARM_STACK_NAME}_simcore_api.entrypoints=https
         - traefik.http.services.${SWARM_STACK_NAME}_simcore_api.loadbalancer.server.port=10081
@@ -813,31 +816,96 @@ services:
           memory: 128M
           cpus: '0.1'
 
-  traefik_api:
-    # NOTE: this is a trick to allow to access the internal traefik REST API
-    # A comment
-    # list router like so: curl https://domain/api/http/routers | jq
+  # use to define fallback routes for simcore traefik
+  # if docker healthcheck fails, simcore traefik configurarion is
+  # removed from ops traeifik https://github.com/traefik/traefik/issues/7842
+  #
+  # use fallback routes to return proper 503 (instead of 404)
+  # this service must be running at all times
+  ops-traefik-configuration-placeholder: # TODO reuse same skeleton
     image: busybox:1.35.0
-    command: sleep 900000d
+    command: sleep infinity
+    networks:
+      - public
+    deploy:
+      placement:
+        constraints:
+          - node.labels.traefik==true
+      resources:
+        limits:
+          memory: 16M
+          cpus: '0.1'
+        reservations:
+          memory: 8M
+          cpus: '0.1'
+
+      labels:
+        # external traefik
+        - traefik.enable=true
+
+        ### oSparc web (fallback low priority rule)
+        # TODO: remove copy / paste
+        - traefik.http.routers.${SWARM_STACK_NAME}_simcore_http_fallback.entrypoints=https
+        - traefik.http.routers.${SWARM_STACK_NAME}_simcore_http_fallback.tls=true
+        - traefik.http.routers.${SWARM_STACK_NAME}_simcore_http_fallback.middlewares=ops_gzip@swarm, ops_sslheader@swarm, ops_ratelimit@swarm
+        - traefik.http.routers.${SWARM_STACK_NAME}_simcore_http_fallback.service=${SWARM_STACK_NAME}_simcore_http_fallback
+        - traefik.http.routers.${SWARM_STACK_NAME}_simcore_http_fallback.rule=((${DEPLOYMENT_FQDNS_CAPTURE_TRAEFIK_RULE_CATCHALL}) && PathPrefix(`/`)) || ( (PathPrefix(`/dashboard`) || PathPrefix(`/api`) || PathPrefix(`/doc`) ) && Host(`traefikdashboard.${MACHINE_FQDN}`))
+        - traefik.http.routers.${SWARM_STACK_NAME}_simcore_http_fallback.priority=1
+        # always return 503
+        - traefik.http.services.${SWARM_STACK_NAME}_simcore_http_fallback.loadbalancer.server.port=0
+        - traefik.http.services.${SWARM_STACK_NAME}_simcore_http_fallback.loadbalancer.healthcheck.path=/some/invalid/path/to/generate/a/503
+        - traefik.http.services.${SWARM_STACK_NAME}_simcore_http_fallback.loadbalancer.healthcheck.interval=10s
+        - traefik.http.services.${SWARM_STACK_NAME}_simcore_http_fallback.loadbalancer.healthcheck.timeout=1ms
+
+        ### oSparc publicAPI (fallback low priority rule)
+        # TODO: remove copy / paste
+        - traefik.http.routers.${SWARM_STACK_NAME}_simcore_api_fallback.rule=(${DEPLOYMENT_API_DOMAIN_CAPTURE_TRAEFIK_RULE}) && PathPrefix(`/`)
+        - traefik.http.routers.${SWARM_STACK_NAME}_simcore_api_fallback.priority=1
+        - traefik.http.routers.${SWARM_STACK_NAME}_simcore_api_fallback.entrypoints=https
+        - traefik.http.routers.${SWARM_STACK_NAME}_simcore_api_fallback.tls=true
+        - traefik.http.routers.${SWARM_STACK_NAME}_simcore_api_fallback.middlewares=ops_gzip@swarm, ops_ratelimit@swarm
+        - traefik.http.routers.${SWARM_STACK_NAME}_simcore_api_fallback.service=${SWARM_STACK_NAME}_simcore_api_fallback
+        # always return 503
+        - traefik.http.services.${SWARM_STACK_NAME}_simcore_api_fallback.loadbalancer.server.port=0
+        - traefik.http.services.${SWARM_STACK_NAME}_simcore_api_fallback.loadbalancer.healthcheck.path=/some/invalid/path/to/generate/a/503
+        - traefik.http.services.${SWARM_STACK_NAME}_simcore_api_fallback.loadbalancer.healthcheck.interval=10s
+        - traefik.http.services.${SWARM_STACK_NAME}_simcore_api_fallback.loadbalancer.healthcheck.timeout=1ms
+
+  traefik-configuration-placeholder: # simcore traefik with `io.simcore.zone=${TRAEFIK_SIMCORE_ZONE}` label
+    image: busybox:1.35.0
+    command: sleep infinity
     networks:
       - default
     deploy:
       labels:
         # route to internal traefik
+        - traefik.enable=true
         - io.simcore.zone=${TRAEFIK_SIMCORE_ZONE}
+
         # traefik UI
-        - traefik.enable=true
         - traefik.http.routers.${SWARM_STACK_NAME}_traefik_api.service=api@internal
         - traefik.http.routers.${SWARM_STACK_NAME}_traefik_api.rule=(PathPrefix(`/dashboard`) || PathPrefix(`/api`) ) && Host(`traefikdashboard.${MACHINE_FQDN}`)
         - traefik.http.routers.${SWARM_STACK_NAME}_traefik_api.entrypoints=http
-        - traefik.http.routers.${SWARM_STACK_NAME}_traefik_api.priority=6
         - traefik.http.routers.${SWARM_STACK_NAME}_traefik_api.middlewares=${SWARM_STACK_NAME}_auth@swarm, ${SWARM_STACK_NAME}_whitelist_ips@swarm
         - traefik.http.services.${SWARM_STACK_NAME}_traefik_api.loadbalancer.server.port=8080
+
         # Middlewares
         # basic authentication
         - traefik.http.middlewares.${SWARM_STACK_NAME}_auth.basicauth.users=${TRAEFIK_USER}:${TRAEFIK_PASSWORD}
         # OPS IP Whitelist
         - traefik.http.middlewares.${SWARM_STACK_NAME}_whitelist_ips.ipallowlist.sourcerange=${TRAEFIK_IPWHITELIST_SOURCERANGE}
+
+        ### Fallback for invitations
+        - traefik.http.routers.${SWARM_STACK_NAME}_invitations_fallback.rule=${DEPLOYMENT_FQDNS_CAPTURE_INVITATIONS}
+        - traefik.http.routers.${SWARM_STACK_NAME}_invitations_fallback.service=${SWARM_STACK_NAME}_invitations_fallback
+        - traefik.http.routers.${SWARM_STACK_NAME}_invitations_fallback.entrypoints=http
+        - traefik.http.routers.${SWARM_STACK_NAME}_invitations_fallback.priority=1
+        # always fail and return 503 via unhealthy loadbalancer healthcheck
+        - traefik.http.services.${SWARM_STACK_NAME}_invitations_fallback.loadbalancer.server.port=0
+        - traefik.http.services.${SWARM_STACK_NAME}_invitations_fallback.loadbalancer.healthcheck.path=/some/invalid/path/to/generate/a/503
+        - traefik.http.services.${SWARM_STACK_NAME}_invitations_fallback.loadbalancer.healthcheck.interval=10s
+        - traefik.http.services.${SWARM_STACK_NAME}_invitations_fallback.loadbalancer.healthcheck.timeout=1ms
+
       update_config:
         parallelism: 2
         order: start-first
@@ -992,78 +1060,6 @@ services:
           cpus: "0.5"
           memory: "512M"
 
-  fallback-service-web:
-    image: nginx:1.25.1
-    configs:
-      - source: {{ SWARM_STACK_NAME }}_web_html
-        target: /usr/share/nginx/html/503.html
-      - source: {{ SWARM_STACK_NAME }}_web_nginx_config
-        target: /etc/nginx/conf.d/default.conf
-    networks:
-      - public
-      - monitored
-    deploy:
-      placement:
-        constraints:
-          - node.labels.simcore==true
-      update_config:
-        order: start-first
-      labels:
-          - io.simcore.zone=${TRAEFIK_SIMCORE_ZONE}
-          - traefik.enable=true
-
-          # webserver
-          - traefik.http.routers.${PREFIX_STACK_NAME}_fallback_html.priority=1
-          - traefik.http.routers.${PREFIX_STACK_NAME}_fallback_html.rule=(Path(`/`) || Path(`/v0`) || Path(`/socket.io/`) || Path(`/static-frontend-data.json`) || PathRegexp(`^/study/(?P<study_uuid>\b[0-9a-f]{8}\b-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-\b[0-9a-f]{12}\b)`) || Path(`/view`) || Path(`/#/view`) || Path(`/#/error`) || PathPrefix(`/v0/`))
-          - traefik.http.services.${PREFIX_STACK_NAME}_fallback_html.loadbalancer.server.port=80
-          - traefik.http.routers.${PREFIX_STACK_NAME}_fallback_html.entrypoints=http
-
-  fallback-service-api:
-    image: nginx:1.25.1
-    configs:
-      - source: {{ SWARM_STACK_NAME }}_api_json
-        target: /usr/share/nginx/api/503.json
-      - source: {{ SWARM_STACK_NAME }}_api_nginx_config
-        target: /etc/nginx/conf.d/default.conf
-    networks:
-      - public
-      - monitored
-    deploy:
-      placement:
-        constraints:
-          - node.labels.simcore==true
-      update_config:
-        order: start-first
-      labels:
-          - io.simcore.zone=${TRAEFIK_SIMCORE_ZONE}
-          - traefik.enable=true
-          # api-server
-          - traefik.http.routers.${PREFIX_STACK_NAME}_fallback_api.priority=1
-          - traefik.http.routers.${PREFIX_STACK_NAME}_fallback_api.rule=Path(`/`) || Path(`/v0`) ||  PathPrefix(`/v0/`) || Path(`/api/v0/openapi.json`)
-          - traefik.http.services.${PREFIX_STACK_NAME}_fallback_api.loadbalancer.server.port=80
-          - traefik.http.routers.${PREFIX_STACK_NAME}_fallback_api.entrypoints=simcore_api
-          - traefik.http.routers.${PREFIX_STACK_NAME}_fallback_api.service=${PREFIX_STACK_NAME}_fallback_api
-          # invitations
-          - traefik.http.routers.${PREFIX_STACK_NAME}_fallback_invitations_api.priority=1
-          - traefik.http.routers.${PREFIX_STACK_NAME}_fallback_invitations_api.rule=(${DEPLOYMENT_FQDNS_CAPTURE_INVITATIONS})
-          - traefik.http.routers.${PREFIX_STACK_NAME}_fallback_invitations_api.entrypoints=http
-          - traefik.http.services.${PREFIX_STACK_NAME}_fallback_invitations_api.loadbalancer.server.port=80
-          - traefik.http.routers.${PREFIX_STACK_NAME}_fallback_invitations_api.service=${PREFIX_STACK_NAME}_fallback_invitations_api
-
-configs:
-  {{ SWARM_STACK_NAME }}_web_html:
-    file: ./configs/fallback-service-nginx/web/503.html
-    name: {{ SWARM_STACK_NAME }}_web_html_{{ "./configs/fallback-service-nginx/web/503.html" | sha256file | substring(0,10) }}
-  {{ SWARM_STACK_NAME }}_api_json:
-    file: ./configs/fallback-service-nginx/api/503.json
-    name: {{ SWARM_STACK_NAME }}_api_json_{{ "./configs/fallback-service-nginx/api/503.json" | sha256file | substring(0,10) }}
-  {{ SWARM_STACK_NAME }}_web_nginx_config:
-    file: ./configs/fallback-service-nginx/web/default.conf
-    name: {{ SWARM_STACK_NAME }}_web_nginx_config_{{ "./configs/fallback-service-nginx/web/default.conf" | sha256file | substring(0,10) }}
-  {{ SWARM_STACK_NAME }}_api_nginx_config:
-    file: ./configs/fallback-service-nginx/api/default.conf
-    name: {{ SWARM_STACK_NAME }}_api_nginx_config_{{ "./configs/fallback-service-nginx/api/default.conf" | sha256file | substring(0,10) }}
-
 volumes:
   rabbit_data:
     name: ${SWARM_STACK_NAME}_rabbit_data

services/simcore/docker-compose.deploy.local.yml

@@ -0,0 +1,43 @@
+# api (json) fallback
+# once simcore needs special error pages different from OPS services,
+# it can be customized via url: /simcore/503.html /simcore/503.json
+server {
+    listen       8000;
+    listen  [::]:8000;
+    server_name  localhost;
+
+    error_page 503 /503.json;
+
+    location / {
+        return 503;
+    }
+
+    location = /503.json {
+        default_type application/json;
+
+        add_header Retry-After "10" always;  # https://serverfault.com/a/647552
+
+        root /usr/share/nginx/api;
+    }
+}
+
+# web (html) fallback
+server {
+    listen       80;
+    listen  [::]:80;
+    server_name  localhost;
+
+    error_page 503 /503.html;
+
+    location / {
+        return 503;
+    }
+
+    location = /503.html {
+        default_type text/html;
+
+        add_header Retry-After "10" always;
+
+        root /usr/share/nginx/html;
+    }
+}

services/simcore/docker-compose.yml.j2

@@ -194,6 +194,7 @@ services:
     networks:
       public: null
       monitored: null
+
   whoami:
     image: "containous/whoami"
     deploy:
@@ -220,15 +221,68 @@ services:
     networks:
       - public
 
+  error-pages-static-webserver:
+    image: nginx:1.25.1
+    networks:
+      - public
+    configs:
+      - source: ${STACK_NAME}_503_api_json
+        target: /usr/share/nginx/api/503.json
+      - source: ${STACK_NAME}_503_web_html
+        target: /usr/share/nginx/html/503.html
+      - source: ${STACK_NAME}_nginx_error_pages_config
+        target: /etc/nginx/conf.d/default.conf
+    deploy:
+      labels:
+        # defining labels as list has advantage in interpolation
+        # https://docs.docker.com/reference/compose-file/interpolation/
+        # disadvantage: we cannot reuse values with yaml `& and *` syntax
+        - traefik.enable=true
+
+        # middleware for ops traefik. Use for custom 503 (json) api response
+        - traefik.http.middlewares.custom-50x-json-errors.errors.status=500,501,503,505-599
+        - traefik.http.middlewares.custom-50x-json-errors.errors.service=traefik_error_page_json
+        - traefik.http.middlewares.custom-50x-json-errors.errors.query=/503.json
+
+        # middleware for ops traefik. Use for custom 503 html response
+        - traefik.http.middlewares.custom-50x-html-errors.errors.status=500,501,503,505-599
+        - traefik.http.middlewares.custom-50x-html-errors.errors.service=traefik_error_page_html
+        - traefik.http.middlewares.custom-50x-html-errors.errors.query=/503.json
+
+        # rule to serve custom 503 error html page
+        - traefik.http.routers.traefik_error_page_html.entrypoints=http
+        - traefik.http.routers.traefik_error_page_html.priority=1
+        - traefik.http.routers.traefik_error_page_html.rule=Path(`/503.html`)
+        - traefik.http.routers.traefik_error_page_html.tls=false
+        - traefik.http.routers.traefik_error_page_html.service=traefik_error_page_html
+        - traefik.http.services.traefik_error_page_html.loadbalancer.server.port=80 # nginx port for (non-api) http
+
+        # rule to serve custom 503 error json page
+        - traefik.http.routers.traefik_error_page_json.entrypoints=http
+        - traefik.http.routers.traefik_error_page_json.priority=1
+        - traefik.http.routers.traefik_error_page_json.rule=Path(`/503.json`)
+        - traefik.http.routers.traefik_error_page_json.tls=false
+        - traefik.http.routers.traefik_error_page_json.service=traefik_error_page_json
+        - traefik.http.services.traefik_error_page_json.loadbalancer.server.port=8000 # nginx port for (non-api) http
+
+configs:
+  traefik_dynamic_config.yml:
+    name: {{ STACK_NAME }}_traefik_dynamic_config_{{ "./traefik_dynamic_config.yml" | sha256file | substring(0,10) }}
+    file: ./traefik_dynamic_config.yml
+  {{ STACK_NAME }}_503_web_html:
+    file: ./config/error_pages/503.html
+    name: {{ STACK_NAME }}_web_html_{{ "./config/error_pages/503.html" | sha256file | substring(0,10) }}
+  {{ STACK_NAME }}_503_api_json:
+    file: ./config/error_pages/503.json
+    name: {{ STACK_NAME }}_api_json_{{ "./config/error_pages/503.json" | sha256file | substring(0,10) }}
+  {{ STACK_NAME }}_nginx_error_pages_config:
+    file: ./config/error_pages/default.conf
+    name: {{ STACK_NAME }}_web_nginx_config_{{ "./config/error_pages/default.conf" | sha256file | substring(0,10) }}
+
 networks:
   public:
     external: true
     name: ${PUBLIC_NETWORK}
   monitored:
     name: ${MONITORED_NETWORK}
     external: true
-
-configs:
-  traefik_dynamic_config.yml:
-    name: ${STACK_NAME}_traefik_dynamic_config_{{ "./traefik_dynamic_config.yml" | sha256file | substring(0,10) }}
-    file: ./traefik_dynamic_config.yml