2018-05-14 Frontend Deployments Kickoff

Adam Stankiewicz, Greg Sham (Deactivated), Brittney Exline (Deactivated), Robert Raposa, Douglas Hall (Deactivated), Nimisha Asthagiri (Deactivated), Ari Rizzitano (Deactivated), George Babey, Zachary Rockwell (Deactivated)

Portal Status

• "POC++"
• Static frontend, no webserver dependencies, can be deployed anywhere
• Working entirely locally right now
• Sandbox deployment (nginx + static serving)

Portal Needs – First Cut

• Application code deployed to some location
• Application code accessible by anyone on the internet
• Enterprise will make use of subdomains
• Enterprise customers may upload custom assets (logo, stylesheet, etc) as well which will be served from a separate location
• Logging and monitoring

Hosting

• Options:
  • Deploy to S3 bucket
  • Host assets from a dedicated server
• S3
  • Access logs: where are assets pulled from?
    • May be pulled into Splunk
  • NR browser monitoring – React agent
    • Pricing is usage-based
    • NR agent enables custom events
  • Caching?
    • S3 can set cache headers (TTL) to be monitored by a CDN
    • API endpoints should be thoughtful about caching behavior
    • Blue-green?
      • CDN API enables this, but we have no prior art
      • Will this incur cost?
      • Retention policy?
    • Versioned individual files
    • How to bust the client cache between deployments?
  • Terraform
    • Define bucket, lifecycle, etc.
  • Environments
    • Each env (stage, prod, edge, sandbox?) should have its own bucket
  • Permissions
    • Be smart about this
  • Downside: sandboxes will be different
    • nginx can "play" CDN
    • Dump application static assets on the sandbox, use nginx to specify application static assets location
• Hosting assets from dedicated server?Heading 3

Permissions

• CORS
  • Hitting endpoints across different services is a potential pain point
  • If enterprise will be using subdomains, *.edx.org rules should work
  • Trial balloon:
    • What level of CORS wildcarding can we get away with? How will CORS interact with org-specific subdomains?
  • Do we have any restrictions on other static assets that will be served via this frontend?
    • Images - we're probably OK
    • Fonts, JS, styles – probably OK
    • Should we deploy images to a different domain (to set page-specific rules?)
• Iframe security policy on LMS?
  • Probably fine. Very permissive

Configuration

• Baked into individual application asset builds
• "Stage assets", "prod assets", etc.

Build MVP

• Set up build environment
  • npm, repos cloned, etc.
• Jenkins vs. GoCD
  • Jenkins flexibility: deploy any branch
  • GoCD: deploy specific branch, must edit pipeline itself to change. Rigorous!!
  • Maybe talk to Platform team also
• Set up buckets
  • Terraform
• Test suite
  • e2e/smoke tests
  • Contract based testing?
  • Potential areas of exploration around JS-based e2e tests
  • Tests should live alongside portal code
• CDN configuration
  • Start with Cloudflare defaults, evolve as necessary
• Subdomain setup
  • Follow-up about this

Next Steps

• Ari Rizzitano (Deactivated): create tickets for the above action items
• Ari Rizzitano (Deactivated): schedule technical detail followup meeting
• Nimisha Asthagiri (Deactivated): schedule contract-based-testing followup meeting next week
• George Babey & Ari Rizzitano (Deactivated): follow up about JS-based e2e tests