Skip to content
This repository has been archived by the owner on Jul 21, 2023. It is now read-only.

Migrate all ISRG owned storage to GCP cloud storage #68

Closed
tgeoghegan opened this issue Oct 20, 2020 · 4 comments
Closed

Migrate all ISRG owned storage to GCP cloud storage #68

tgeoghegan opened this issue Oct 20, 2020 · 4 comments
Labels
p1 Must be fixed for the corresponding milestone to be reached. schema-protocol issues with encoding formats or protocol between servers requiring coordination outside ISRG
Milestone
Production readiness

Comments

@tgeoghegan
Copy link
Contributor

We need to move our entire deployment, including all the buckets we use as mailboxes, to GCP for budget reasons. This will entail some protocol changes because we will have to figure out how Apple will authenticate, and what parameters we need to discover from them to be able to configure the ingestion buckets (probably a GCP service account).
@tgeoghegan tgeoghegan added schema-protocol issues with encoding formats or protocol between servers requiring coordination outside ISRG p1 Must be fixed for the corresponding milestone to be reached. labels Oct 20, 2020
@tgeoghegan tgeoghegan added this to the Production readiness milestone Oct 20, 2020
@tgeoghegan tgeoghegan mentioned this issue Oct 22, 2020
Closed
@winstrom
Copy link
Contributor

winstrom commented Oct 22, 2020
edited by tgeoghegan
Loading

Apple can provide a GCP account on its global manifest.

Our ingestor global manifest will have both an AWS account and a GCP account.

Maybe we can make it generic if we add to the data share processor specific manifests to include fields that details the protocol to use (AWS or GCP) to access the bucket and the account to use (AWS or GCP)

For Example:

{
	"format": 0,
	"ingestion-bucket": "us-west-1/prio-demo-gcp-test-pha-1-ingestor-1-ingestion",
	"ingestion-account":"aws-iam-entity" or "google-service-account",
	"ingestion-protocol":"AWS_S3" or "GCP_Cloud_Storage",
	"peer-validation-bucket": "us-west-1/prio-demo-gcp-test-pha-1-ingestor-1-peer-validation",
	"batch-signing-public-keys": {
    		"demo-gcp-test-pha-1-ingestor-1-batch-signing-key": {
        		"public-key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEAlTcegCjPeFj4S1jHTDqHf8Zk56/\nWGVRHpx4wp6h/cRDq9JO+CTjuot/Z1S1bgcmpeB2ab6OKfiQpuFIcz/aqA==\n-----END PUBLIC KEY-----\n",
        	"expiration": "2021-01-15T18:53:20Z"
    		}
	},
	"packet-encryption-certificates": {
    		"demo-gcp-test-pha-1-ingestion-packet-decryption-key": {
        		"certificate": "TODO get certificate"
    		}
	}
}

Copied from https://docs.google.com/document/d/1MdfM3QT63ISU70l63bwzTrxr93Z7Tv7EDjLfammzo6Q/edit?ts=5f90e408#heading=h.f7uu5u7i5wfc with two extra keys: {"ingestion-account","ingestion-protocol"}

@tgeoghegan
Copy link
Contributor Author

I agree that the data share processor needs to advertise what kind of storage it uses. I might nest the structure a little. I don't think we need ingestion-account on the data share processor side, because the way the ingestion server authenticates will be implied by ingestion-protocol. If an ingestor sees that a data share processor manifest advertises an AWS_S3 bucket, Apple knows it needs to use its AWS credential, and Google knows it needs to use the service account that has been allowed to federate. If the manifest advertises GCP_Cloud_Storage, Apple needs to use its GCP credential and Google still uses its service account.

Correspondingly, we need to amend the schema for the ingestion server global manifest so its server-identity structure can contain google-service-account-email, alongside aws-iam-entity (in the Apple case where you use your AWS account to write to NCI's S3 buckets) or alongside google-service-account (in the Google case where they use OIDC Web Identity to write to NCI's S3 buckets). It seems silly but I'm pretty sure the Google ingestor manifest needs both the GCP SA email (google-service-account-email) and the numeric account ID (google-service-account), even though both refer to the same entity.

tgeoghegan added a commit that referenced this issue Oct 26, 2020
@tgeoghegan
Terraform: move storage to GCP
ac32613 
Per discussion in #68, ISRG is moving its storage to GCP Cloud Storage
buckets. This commit removes all the AWS resource management from
Terraform, and makes guesses as to how we will exchange the necessary
parameters with peers.
@tgeoghegan tgeoghegan mentioned this issue Nov 2, 2020
Closed
tgeoghegan added a commit that referenced this issue Nov 10, 2020
@tgeoghegan
Move storage to Google Cloud Storage
1bd8cd7 
This commit moves ISRG's storage from S3 to GCP, and sets up the peer
test env so that one has its ingestion and peer validation buckets in S3
and the other has all its storage in GCS. To that end, this adds new
modules cloud_storage_aws and cloud_storage_gcp which are responsible
for creating storage buckets and policies for the respective platforms.

This also includes bumps to the format versions of various manifests,
though they will change some more before we can finalize format = 1 of
various documents. Finally, facilitator and workflow-manager now accept
the argument "default" for their various identity parameters,
indicating that no special role assumption or service account
impersonation should take place.

Addresses #68 and #160.
tgeoghegan added a commit that referenced this issue Nov 23, 2020
@tgeoghegan
Move storage to Google Cloud Storage
7e33116 
This commit moves ISRG's storage from S3 to GCP, and sets up the peer
test env so that one has its ingestion and peer validation buckets in S3
and the other has all its storage in GCS. To that end, this adds new
modules cloud_storage_aws and cloud_storage_gcp which are responsible
for creating storage buckets and policies for the respective platforms.

This also includes bumps to the format versions of various manifests,
though they will change some more before we can finalize format = 1 of
various documents. Finally, facilitator and workflow-manager now accept
the argument "default" for their various identity parameters,
indicating that no special role assumption or service account
impersonation should take place.

Addresses #68 and #160.
tgeoghegan added a commit that referenced this issue Nov 24, 2020
@tgeoghegan
Move storage to Google Cloud Storage
986d2e9 
This commit moves ISRG's storage from S3 to GCP, and sets up the peer
test env so that one has its ingestion and peer validation buckets in S3
and the other has all its storage in GCS. To that end, this adds new
modules cloud_storage_aws and cloud_storage_gcp which are responsible
for creating storage buckets and policies for the respective platforms.

This also includes bumps to the format versions of various manifests,
though they will change some more before we can finalize format = 1 of
various documents. Finally, facilitator and workflow-manager now accept
the argument "default" for their various identity parameters,
indicating that no special role assumption or service account
impersonation should take place.

Addresses #68 and #160.
@tgeoghegan
Copy link
Contributor Author

#181 mostly addresses this, but we need to make sure the manifest format changes that PR implemented are OK with everyone. I will drive that discussion when everyone is back from Thanksgiving break next week.

@tgeoghegan
Copy link
Contributor Author

We did a successful integration test today and Apple signed off on the format changes. This is donezo.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
p1 Must be fixed for the corresponding milestone to be reached. schema-protocol issues with encoding formats or protocol between servers requiring coordination outside ISRG
Projects
None yet
Milestone
Production readiness
Development

No branches or pull requests
2 participants
@winstrom @tgeoghegan