Merge pull request #14 from nsidc/scott-work

Initial work to update docker stack and reverse proxy

Author: scott-lewis-nsidc

.github/workflows/ci.yml

@@ -49,6 +49,6 @@ jobs:
           --durations=20
 
       - name: Upload coverage report
-        uses: codecov/codecov-action@v4.5.0
+        uses: codecov/codecov-action@v5.1.2
         with:
           token: ${{ secrets.CODECOV_TOKEN }}

Dockerfile

@@ -2,7 +2,7 @@ FROM python:3.12-alpine
 
 # git: for vcs-awareness during install
 # build-base, etc.: for building jupyterlab deps
-RUN apk add git build-base musl-dev linux-headers
+RUN apk add git build-base musl-dev linux-headers gdal-dev
 
 WORKDIR /app
 ADD . .

README.md

@@ -37,7 +37,7 @@ for more details!**
 Set up the development compose configuration to be automatically loaded:
 
 ```bash
-ln -s compose.dev.yml compose.override.dev.yml
+ln -s compose.dev.yml compose.override.yml
 ```
 
 
@@ -116,6 +116,10 @@ The stack is configured within `compose.yml` and includes containers:
 * `aross-stations-admin`: An [Adminer](https://www.adminer.org/) container for
   inspecting the database in the browser.
 * `aross-stations-api`: An HTTP API for accessing data in the database.
+* `aross-stations-ui` : The front-end with map and user interactivity for accessing data
+
+The UI and API containers are served behind a traefik reverse proxy, allowing for SSL,
+as well as having them to use the same port and path structure.
 
 ```bash
 docker compose --profile ui up --pull=always --detach
@@ -215,7 +219,15 @@ services.
 
 ### View UI
 
-Navigate to `http://localhost:80`.
+Navigate to `https://localhost/apps/aross-stations`. (Uses port 443)
+
+### Access API
+
+Use `https://localhost/api/aross-stations/v1/...`
+
+The API itself runs on port 8000 of its container, but with the `traefik` reverse proxy
+you can just use the same port (but with the `/api/aross-stations` path prefix) and it
+will direct the traffic there.
 
 
 ### Experiment in JupyterLab
@@ -224,6 +236,8 @@ This repository provides a demo notebook to experiment with the API. In your bro
 navigate to `http://localhost:8888`. The password is the same as the database password
 you set earlier.
 
+Note: This container is NOT handled by the traefix reverse proxy; you can just access it
+using the non-secure port shown here.
 
 ## Cleanup
 

compose.dev.yml

@@ -10,6 +10,8 @@ services:
   api:
     <<: *dev-common
     command: ["dev", "--host", "0.0.0.0", "./src/aross_stations_db/api"]
+    # ports:
+    #   - "8000:8000"
     # NOTE: In place of the above command, which uses the image's default
     # `fastapi` entrypoint, you can run the container with no server (using
     # "sleep" instead):
@@ -24,6 +26,6 @@ services:
 
   cli:
     <<: *dev-common
-
+  
   jupyterlab:
     <<: *dev-common

compose.integration.yml

@@ -0,0 +1,46 @@
+
+x-dev-common: &dev-common
+  image: "nsidc/aross-stations-db:dev"
+  build: "."
+  volumes:
+    - "${PWD}:/app"
+
+
+services:
+  ui:
+    labels:
+      - "traefik.enable=true"
+
+      - "traefik.http.routers.aross-ui.rule=(Host(`integration.aross-stations.apps.int.nsidc.org`) || Host(`integration.nsidc.org`)) && PathPrefix(`/apps/aross-stations`)"
+      - "traefik.http.routers.aross-ui.entrypoints=websecure"
+      - "traefik.http.routers.aross-ui.tls=true"
+      - "traefik.http.routers.aross-ui.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.aross-ui.middlewares=aross-ui"
+      - "traefik.http.routers.aross-ui.service=aross-ui"
+      - "traefik.http.middlewares.aross-ui.stripprefix.prefixes=/apps/aross-stations"
+      - "traefik.http.services.aross-ui.loadbalancer.server.port=80"
+
+
+  api:
+    <<: *dev-common
+    command: ["dev", "--host", "0.0.0.0", "./src/aross_stations_db/api"]
+
+    labels:
+      - "traefik.enable=true"
+
+      # local
+      - "traefik.http.routers.aross-api.rule=(Host(`integration.aross-stations.apps.int.nsidc.org`) || Host(`integration.nsidc.org`)) && PathPrefix(`/api/aross-stations`)"
+      - "traefik.http.routers.aross-api.entrypoints=websecure"
+      - "traefik.http.routers.aross-api.tls=true"
+      - "traefik.http.routers.aross-api.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.aross-api.middlewares=aross-api"
+      - "traefik.http.routers.aross-api.service=aross-api"
+      - "traefik.http.middlewares.aross-api.stripprefix.prefixes=/api/aross-stations"
+      - "traefik.http.services.aross-api.loadbalancer.server.port=8000"
+    
+
+  cli:
+    <<: *dev-common
+  
+  jupyterlab:
+    <<: *dev-common

compose.qa.yml

@@ -0,0 +1,46 @@
+
+x-dev-common: &dev-common
+  image: "nsidc/aross-stations-db:dev"
+  build: "."
+  volumes:
+    - "${PWD}:/app"
+
+
+services:
+  ui:
+    labels:
+      - "traefik.enable=true"
+
+      - "traefik.http.routers.aross-ui.rule=(Host(`qa.aross-stations.apps.int.nsidc.org`) || Host(`qa.nsidc.org`)) && PathPrefix(`/apps/aross-stations`)"
+      - "traefik.http.routers.aross-ui.entrypoints=websecure"
+      - "traefik.http.routers.aross-ui.tls=true"
+      - "traefik.http.routers.aross-ui.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.aross-ui.middlewares=aross-ui"
+      - "traefik.http.routers.aross-ui.service=aross-ui"
+      - "traefik.http.middlewares.aross-ui.stripprefix.prefixes=/apps/aross-stations"
+      - "traefik.http.services.aross-ui.loadbalancer.server.port=80"
+
+
+  api:
+    <<: *dev-common
+    command: ["dev", "--host", "0.0.0.0", "./src/aross_stations_db/api"]
+
+    labels:
+      - "traefik.enable=true"
+
+      # local
+      - "traefik.http.routers.aross-api.rule=(Host(`qa.aross-stations.apps.int.nsidc.org`) || Host(`qa.nsidc.org`)) && PathPrefix(`/api/aross-stations`)"
+      - "traefik.http.routers.aross-api.entrypoints=websecure"
+      - "traefik.http.routers.aross-api.tls=true"
+      - "traefik.http.routers.aross-api.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.aross-api.middlewares=aross-api"
+      - "traefik.http.routers.aross-api.service=aross-api"
+      - "traefik.http.middlewares.aross-api.stripprefix.prefixes=/api/aross-stations"
+      - "traefik.http.services.aross-api.loadbalancer.server.port=8000"
+    
+
+  cli:
+    <<: *dev-common
+  
+  jupyterlab:
+    <<: *dev-common

compose.staging.yml

@@ -0,0 +1,46 @@
+
+x-dev-common: &dev-common
+  image: "nsidc/aross-stations-db:dev"
+  build: "."
+  volumes:
+    - "${PWD}:/app"
+
+
+services:
+  ui:
+    labels:
+      - "traefik.enable=true"
+
+      - "traefik.http.routers.aross-ui.rule=(Host(`staging.aross-stations.apps.int.nsidc.org`) || Host(`staging.nsidc.org`)) && PathPrefix(`/apps/aross-stations`)"
+      - "traefik.http.routers.aross-ui.entrypoints=websecure"
+      - "traefik.http.routers.aross-ui.tls=true"
+      - "traefik.http.routers.aross-ui.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.aross-ui.middlewares=aross-ui"
+      - "traefik.http.routers.aross-ui.service=aross-ui"
+      - "traefik.http.middlewares.aross-ui.stripprefix.prefixes=/apps/aross-stations"
+      - "traefik.http.services.aross-ui.loadbalancer.server.port=80"
+
+
+  api:
+    <<: *dev-common
+    command: ["dev", "--host", "0.0.0.0", "./src/aross_stations_db/api"]
+
+    labels:
+      - "traefik.enable=true"
+
+      # local
+      - "traefik.http.routers.aross-api.rule=(Host(`staging.aross-stations.apps.int.nsidc.org`) || Host(`staging.nsidc.org`)) && PathPrefix(`/api/aross-stations`)"
+      - "traefik.http.routers.aross-api.entrypoints=websecure"
+      - "traefik.http.routers.aross-api.tls=true"
+      - "traefik.http.routers.aross-api.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.aross-api.middlewares=aross-api"
+      - "traefik.http.routers.aross-api.service=aross-api"
+      - "traefik.http.middlewares.aross-api.stripprefix.prefixes=/api/aross-stations"
+      - "traefik.http.services.aross-api.loadbalancer.server.port=8000"
+    
+
+  cli:
+    <<: *dev-common
+  
+  jupyterlab:
+    <<: *dev-common

compose.yml

@@ -8,12 +8,54 @@ x-common: &common
 x-image: &image "nsidc/aross-stations-db"
 
 services:
+  traefik:
+    image: traefik:v3.0
+    container_name: traefik
+    command:
+      - --entrypoints.web.address=:80
+      - --entrypoints.web.http.redirections.entryPoint.to=websecure
+      - --entrypoints.web.http.redirections.entryPoint.scheme=https
+      - --entrypoints.websecure.address=:443
+      - --entrypoints.api.address=:8000
+      - --certificatesresolvers.letsencrypt.acme.tlschallenge=true
+      - --certificatesresolvers.letsencrypt.acme.email=scott.lewis@colorado.edu
+      - --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
+      - --providers.docker=true
+      - --log.level=INFO
+    ports:
+      - "8000:8000"
+      - "80:80"
+      - "443:443"
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - ./config:/letsencrypt
+    labels:
+      - "traefik.enable=true"
+    restart: unless-stopped
+
   ui:
     container_name: "aross-stations-ui"
     depends_on: ["api"]
     image: "nsidc/aross-stations-ui:latest"
-    ports:
-      - "80:80"
+    labels:
+      - "traefik.enable=true"
+
+      - "traefik.http.routers.aross-ui.rule=Host(`localhost`) && PathPrefix(`/apps/aross-stations`)"
+      - "traefik.http.routers.aross-ui.entrypoints=websecure"
+      - "traefik.http.routers.aross-ui.tls=true"
+      - "traefik.http.routers.aross-ui.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.aross-ui.middlewares=aross-ui"
+      - "traefik.http.routers.aross-ui.service=aross-ui"
+      - "traefik.http.middlewares.aross-ui.stripprefix.prefixes=/apps/aross-stations"
+      - "traefik.http.services.aross-ui.loadbalancer.server.port=80"
+
+      # Production domain (nsidc.org)
+      # - "traefik.http.routers.aross-prod.rule=Host(`nsidc.org`) && PathPrefix(`/apps/aross`)"
+      # - "traefik.http.routers.aross-prod.entrypoints=websecure"
+      # - "traefik.http.routers.aross-prod.tls.certresolver=letsencrypt"
+      # - "traefik.http.routers.aross-prod.middlewares=strip-aross-path"
+
+    restart: unless-stopped
     profiles: ["ui"]
 
 
@@ -25,8 +67,20 @@ services:
 
     entrypoint: "fastapi"
     command: ["run", "--host", "0.0.0.0", "./src/aross_stations_db/api"]
-    ports:
-      - "8000:8000"
+
+    labels:
+      - "traefik.enable=true"
+
+      # local
+      - "traefik.http.routers.aross-api.rule=Host(`localhost`) && PathPrefix(`/api/aross-stations`)"
+      - "traefik.http.routers.aross-api.entrypoints=websecure"
+      - "traefik.http.routers.aross-api.tls=true"
+      - "traefik.http.routers.aross-api.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.aross-api.middlewares=aross-api"
+      - "traefik.http.routers.aross-api.service=aross-api"
+      - "traefik.http.middlewares.aross-api.stripprefix.prefixes=/api/aross-stations"
+      - "traefik.http.services.aross-api.loadbalancer.server.port=8000"
+
     environment:
       AROSS_DB_CONNSTR: null
 
@@ -40,6 +94,8 @@ services:
       POSTGRES_DB: "aross"
       POSTGRES_USER: "aross"
       POSTGRES_PASSWORD: null
+    ports:
+      - "5432:5432"
     volumes:
       - "./_data:/var/lib/postgresql/data"
 

src/aross_stations_db/api/__init__.py

@@ -8,6 +8,7 @@
         "Rain on snow events detected by"
         " Automated Surface Observing System (ASOS) stations"
     ),
+    openapi_url="/api/aross-stations/openapi.json"
 )
 api.include_router(v1_router, prefix="/v1", tags=["v1"])
 api.add_middleware(
@@ -20,7 +21,7 @@
 
 
 @api.get("/")
-def get() -> dict[str, str]:
+def get_root() -> dict[str, str]:
     return {
-        "Hello": "The root of this API doesn't do anything. Please check out '/docs'!"
+        "Hello": "The root of this API doesn't do anything. Please check out '/docs' or something!"
     }

src/aross_stations_db/config.py

@@ -16,7 +16,7 @@ class Settings(BaseSettings):
 
     DB_CONNSTR: PostgresDsn
 
-    @computed_field  # type:ignore[misc]
+    @computed_field  # type: ignore[prop-decorator]
     @cached_property
     def db_engine(self) -> Engine:
         return create_engine(str(self.DB_CONNSTR))
@@ -33,12 +33,12 @@ class CliLoadSettings(Settings):
     # TODO: Specifically ignore this type of error instead of using type-ignore; but
     # mypy doesn't yet categorize this error in its own type, so we need to wait for a
     # release, likely 1.11:  https://github.com/python/mypy/pull/16571/files
-    @computed_field  # type:ignore[misc]
+    @computed_field  # type: ignore[prop-decorator]
     @cached_property
     def events_dir(self) -> DirectoryPath:
         return self.DATA_BASEDIR / "events"
 
-    @computed_field  # type:ignore[misc]
+    @computed_field  # type: ignore[prop-decorator]
     @cached_property
     def stations_metadata_filepath(self) -> FilePath:
         return self.DATA_BASEDIR / "metadata" / "aross.asos_stations.metadata.csv"