Deploy check in to prod

ansible/deploy-clickhouse-proxy.yml

@@ -13,7 +13,7 @@
         tls_cert_dir: /var/lib/dehydrated/certs
     - role: clickhouse_proxy
       vars:
-        clickhouse_url: "clickhouse3.prod.ooni.io"
+        # clikchouse_url configured from host vars
         clickhouse_port: 9000
         clickhouse_proxy_public_fqdn: "{{ inventory_hostname }}"
     - role: prometheus_node_exporter

ansible/group_vars/clickhouse/vars.yml

@@ -15,6 +15,8 @@ nftables_clickhouse_allow:
     ip: 5.9.112.244
   - fqdn: clickhouseproxy.dev.ooni.io
     ip: "{{ lookup('dig', 'clickhouseproxy.dev.ooni.io/A') }}"
+  - fqdn: clickhouseproxy.prod.ooni.io
+    ip: "{{ lookup('dig', 'clickhouseproxy.prod.ooni.io/A') }}"
 
 nftables_zookeeper_allow:
   - fqdn: data1.htz-fsn.prod.ooni.nu

ansible/host_vars/clickhouseproxy.dev.ooni.io/vars.yml

@@ -0,0 +1 @@
+clickhouse_url: "clickhouse3.prod.ooni.io"

ansible/host_vars/clickhouseproxy.prod.ooni.io/vars.yml

@@ -0,0 +1 @@
+clickhouse_url: "clickhouse1.prod.ooni.io"

ansible/roles/fastpath/tasks/main.yml

@@ -0,0 +1,86 @@
+---
+# For prometheus scrape requests
+- name: Flush all handlers 
+  meta: flush_handlers
+
+- name: Allow traffic on port 9100
+  become: true
+  tags: prometheus-proxy
+  blockinfile:
+    path: /etc/ooni/nftables/tcp/9100.nft
+    create: yes
+    block: |
+      add rule inet filter input tcp dport 9100 counter accept comment "node exporter"
+  notify:
+   - reload nftables  
+
+# For incoming fastpath traffic
+- name: Allow traffic on port 8472
+  become: true
+  tags: fastpath
+  blockinfile:
+    path: /etc/ooni/nftables/tcp/8472.nft
+    create: yes
+    block: |
+      add rule inet filter input tcp dport 8472 counter accept comment "fastpath"
+  notify:
+   - reload nftables  
+
+# Docker seems to have problems with nftables, so this command will translate all iptables
+# commands to nftables commands
+- name: Update alternatives for iptables 
+  tags: docker
+  become: yes
+  ansible.builtin.command: "update-alternatives --set iptables /usr/sbin/iptables-nft"
+  notify: 
+   - restart docker
+
+- name: Update alternatives for iptables 
+  tags: docker
+  become: yes
+  ansible.builtin.command: "update-alternatives --set ip6tables /usr/sbin/ip6tables-nft"
+  notify: 
+   - restart docker
+
+- name: Flush all handlers # Required to apply iptables settings before docker runs
+  meta: flush_handlers
+
+### Create fastpath user 
+- name: Ensure the fastpath group exists
+  ansible.builtin.group:
+    name: "{{ fastpath_user }}"
+    state: present
+  become: yes
+- name: Create the fastpath user
+  ansible.builtin.user:
+    name: "{{ fastpath_user }}"
+    home: "{{ fastpath_home }}"
+    shell: "/bin/bash"
+    group: "{{ fastpath_user }}"
+    create_home: yes
+    system: yes
+  become: yes
+- name: Set ownership of the fastpath directory
+  ansible.builtin.file:
+    path: "{{ fastpath_home }}"
+    owner: "{{ fastpath_user }}"
+    group: "{{ fastpath_user }}"
+    state: directory
+    mode: '0755'
+  become: yes
+
+- name: Create configuration file
+  tags: fastpath
+  template:
+    src: templates/fastpath.conf
+    dest: "/opt/{{fastpath_user}}/backend/fastpath/fastpath.conf"
+    mode: 0444
+    owner: "{{fastpath_user}}"
+  become: yes
+
+- name: Run docker container
+  tags: fastpath
+  ansible.builtin.command: "make docker-all" # TODO Change to `make docker` when clickhouse is migrated
+  args:
+    chdir: "/opt/{{fastpath_user}}/backend/fastpath"
+

tf/environments/prod/main.tf

@@ -163,7 +163,7 @@ module "oonipg" {
   db_instance_class        = "db.t3.micro"
   db_storage_type          = "gp3"
   db_allocated_storage     = "50"
-  db_engine_version        = "16.4"
+  db_engine_version        = "16.8"
   db_max_allocated_storage = null
 
   # TODO: fix this to further restrict to only our subnets
@@ -219,6 +219,10 @@ data "aws_ssm_parameter" "oonipg_url" {
   name = "/oonidevops/secrets/ooni-tier0-postgres/postgresql_write_url"
 }
 
+data "aws_ssm_parameter" "clickhouse_readonly_url" {
+  name = "/oonidevops/secrets/clickhouse_readonly_url"
+}
+
 # Manually managed with the AWS console
 data "aws_ssm_parameter" "prometheus_metrics_password" {
   name = "/oonidevops/ooni_services/prometheus_metrics_password"
@@ -380,7 +384,7 @@ module "ooni_clickhouse_proxy" {
     from_port   = 9000,
     to_port     = 9000,
     protocol    = "tcp",
-    cidr_blocks = module.network.vpc_subnet_private[*].cidr_block,
+    cidr_blocks = module.network.vpc_subnet_public[*].cidr_block,
     }, {
     // For the prometheus proxy:
     from_port   = 9200,
@@ -563,6 +567,7 @@ module "ooniapi_ooniprobe" {
     POSTGRESQL_URL              = data.aws_ssm_parameter.oonipg_url.arn
     JWT_ENCRYPTION_KEY          = data.aws_ssm_parameter.jwt_secret.arn
     PROMETHEUS_METRICS_PASSWORD = data.aws_ssm_parameter.prometheus_metrics_password.arn
+    CLICKHOUSE_URL              = data.aws_ssm_parameter.clickhouse_readonly_url.arn
   }
 
   ooniapi_service_security_groups = [

tf/modules/ooniapi_frontend/main.tf

@@ -155,13 +155,13 @@ resource "aws_lb_listener_rule" "ooniapi_ooniprobe_rule" {
         "/api/v1/register",
         "/api/v1/update/*",
         # Activate this when the DB is connected in prod
-        # "/api/v1/check-in*" 
+        "/api/v1/check-in*",
       ]
     }
   }
 }
 
-resource "aws_lb_listener_rule" "ooniapi_ooniprobe_rule_host" {
+resource "aws_lb_listener_rule" "ooniapi_ooniprobe_rule_2" {
   listener_arn = aws_alb_listener.ooniapi_listener_https.arn
   priority     = 121
 
@@ -170,6 +170,24 @@ resource "aws_lb_listener_rule" "ooniapi_ooniprobe_rule_host" {
     target_group_arn = var.ooniapi_ooniprobe_target_group_arn
   }
 
+  condition {
+    path_pattern {
+      values = [
+        "/api/v1/test-helpers*"
+      ]
+    }
+  }
+}
+
+resource "aws_lb_listener_rule" "ooniapi_ooniprobe_rule_host" {
+  listener_arn = aws_alb_listener.ooniapi_listener_https.arn
+  priority     = 125
+
+  action {
+    type             = "forward"
+    target_group_arn = var.ooniapi_ooniprobe_target_group_arn
+  }
+
 
   condition {
     host_header {

tf/modules/postgresql/variables.tf

@@ -48,7 +48,7 @@ variable "db_max_allocated_storage" {
 }
 
 variable "db_engine_version" {
-  default = "16.4"
+  default = "16.8"
 }
 
 variable "db_parameter_group" {