Skip to content

Latest commit

 

History

History
201 lines (144 loc) · 10.2 KB

ENVIRONMENT.md

File metadata and controls

201 lines (144 loc) · 10.2 KB
Raw

Cloud Environment setup

The ChatBot application is working in the cloud environment on the Google Cloud Platform (GCP) and this document provides an overview of the currently configured environment.

Cloud Run

The Cloud Run is used as the main compute platform for the ChatBot application. Cloud Run is a managed serverless solution that works with Docker images and is able to scale upon the load when needed.

The chat-bot-server service is configured in Cloud Run with the gcr.io/<projectName>/chat-bot-server container image. The image is built automatically using jib Gradle plugin and deployed to the Container Registry as part of the build process.

Upon pushes to the master branch, the Cloud Build performs the automatic deployment of the new Cloud Run revision (see Cloud Build section for details).

Cloud Build

The Cloud Build CI/CD solution is used to continuously build and deploy the application.

The Cloud Build configuration is available as cloudbuild.yaml and does the following:

  1. Starts Gradle build for the project.
  2. Deploys a new revision of the Cloud Run service.

In addition to the configuration, the Cloud Build trigger is configured to automatically start build and deploy process upon commits to the master branch. In order to allow Cloud Build to fetch code from the GitHub, the Cloud Build GitHub application is configured for the organization.

The Cloud Build itself uses GCP service accounts in order to access the APIs and should be configured to allow the Cloud Run deployment (see the IAM section for details).

Hangouts Chat API

The bot uses Hangout Chat API and is linked to the GCP project. It is only possible to have a single bot per GCP project.

The bot configuration is only available via the web UI console. The bot is published in accordance to the publishing guide where the essential configurations are:

  1. FunctionalityBot works in rooms is checked. The bot is not expected to work in direct messages.
  2. Connection settingsCloud Pub/Sub is choosen and a Pub/Sub topic name that is used to deliver messages from users to the bot is configured (for the Pub/Sub details see Pub/Sub section).
  3. Permissions — a list of individuals in the domain who are able to install the bot is configured in the Specific people and groups in your domain field.

Pub/Sub

The application is built with resilience in mind and even though it exposes some REST APIs, it is not intended to handle to load directly due to the security and performance considerations. Instead, it relies on the Google Pub/Sub async messaging service to receive the incoming messages and then stream them into the app. The Pub/Sub uses dedicated IAM configuration and is able to handle ultimate load at any pace.

The bot requires the following Pub/Sub topics to be configured:

  1. incoming-bot-messages — the topic that is used in the Connection settings of the bot configuration. The Hangouts Chat system takes care of propagating user messages to this topic.

    For the topic the incoming-bot-messages-cloud-run push subscription is created with a backoff retry policy and the acknowledgement deadline of 600 seconds. The subscription delivers messages to the /chat/incoming/event endpoint of the Cloud Run service.

    Also, the dead lettering is configured for the subscription, so all the undelivered messages are sent to the dead-incoming-bot-messages topic.

    The subscription uses cloud-run-pubsub-invoker service account to implement service2service authentication (see IAM section for details).

  2. dead-incoming-bot-messages — the topic that holds undelivered incoming messages.

    For the topic, the dead-incoming-bot-messages pull subscription that never expires is configured. In case of an undelivered message, it can be pulled from the subscription for the further analysis and investigation.

  3. repository-checks — the topic that delivers scheduled tasks to check the build state of the watched resources (see Cloud Scheduler section for details).

    The repository-checks-cloud-run subscription is configured for the topic. The subscription delivers messages to the /repositories/builds/check endpoint of the Cloud Run service. The subscription uses the same cloud-run-pubsub-invoker service account as the incoming-bot-messages-cloud-run (see IAM section for details).

Cloud Scheduler

The Cloud Scheduler service allows configuring multiple scheduled tasks that deliver the payload to a particular target (HTTP endpoint, Pub/Sub topic or AppEngine endpoint).

The CRON task repositories-check-trigger is configured for the bot. The task emits a Pub/Sub message with an empty payload to the repository-checks topic and is configured to run every hour using the following unix-cron format expression: 0 * * * *.

Secret Manager

The Secret Manager service is used to supply application secrets like API tokens and service accounts securely.

The secrets are managed in the Secret Manager Web UI, but in order to be able to read the secrets, developers and service accounts should have the roles/secretmanager.viewer role that is not configured by default (see IAM section for details).

The following secrets are configured for the bot:

  1. ChatServiceAccount — the private key of the chatbot actor that is used by the Hangouts Chat API.

    The key is stored in JSON format as string value.

  2. TravisApiToken — the Travis CI API token.

    The API token is used to authenticate calls to the Travis CI v3 API.

IAM

The Cloud Identity and Access Management (IAM) service is used to fine-tune the authorization and access management for the application.

In order to run the application, the following service accounts, and their respective roles are configured:

  1. [email protected] — a special Chat API service account used by the Chat to publish messages to the Pub/Sub topic.

    The Pub/Sub Publisher role must be assigned to the service account in order to grant the Chat permission to publish user messages to the defined topic.

  2. spine-chat-bot-actor@<projectName>.iam.gserviceaccount.com — a custom service account that is used as the credentials for the Chat API.

    The Hangouts Chat API works only with dedicated service account keys and could not be used with default credentials. The API itself does not require any specific AIM role, but during the authentication the chat.bot scope should be set.

  3. <projectId>[email protected] — default service account used by Cloud Run.

    It is not required to set a custom service account for the Cloud Run, but in order to use the Secret Manager API the service account should have the Secret Manager Viewer role applied.

  4. <projectId>@cloudbuild.gserviceaccount.comCloud Build service account used by the Cloud Build service to build and deploy the application.

    The Cloud Build service account is configured to act as a Service Account User and should have the Cloud Run Admin role in order to be able to deploy the application.

  5. cloud-run-pubsub-invoker@<projectName>.iam.gserviceaccount.com — a custom service account used to call the Cloud Run service from the Pub/Sub subscriptions.

    The Cloud Run is not accepting unauthenticated calls by default and is not exposed to the internet. In order to be able to call the service, the caller
    must have the Cloud Run Invoker role.