2024-04-26 Sys Ops & Management SIG Agenda and Meeting notes

Date and time

10 EDT = 16 CET

https://openlibraryfoundation.zoom.us/j/591934220?pwd=dXhuVFZoSllHU09qamZoZzZiTWhmQT09

Topics


Attendees

Time | Item | Who | Notes
5 | Welcome | Ingolf | Welcome Josh Greben from Stanford! Jeremy to sign off from SysOps SIG in favor of Josh. Take care, Jeremy! It was an honor to have you.
30 | FOLIO Architectural PoC Review Feedback | All |

Posted April 10 by Craig:

Architectural PoC Preview Feedback

The FOLIO Architectural PoC Review Feedback will serve as a mechanism to provide feedback and questions.

Looking at architectural proof-of-concept:

Meeting Notes 26.04.

TC Meeting Notes 24.04.


  • driving force for the change was authorisation and authentication
  • want to have end-to-end encryption to fulfil legal requirements. Currently, encryption ends at Okapi, i.e. modules interact with each other insecurely, via HTTP. This will be replaced by encrypted communication via the sidecars.
  • Many libraries use SAML/Shibboleth and/or OpenID Connect (OIDC) for authentication. Keycloak can do both.
  • Question about upgrades. Currently handled by Okapi's install endpoint. In Eureka, since mgr-applications handles module enablements, upgrades (= database migrations from release to release) must also be handled there.
  • Sidecars interact with Keycloak and do the authorisation. Then they pass requests to the module and return the response to the Kong gateway.
  • Interaction with Kafka is also handled by sidecar
  • Kong only knows the sidecar's route, not the module's (this is handled by the sidecar).
  • Keycloak interacts with mod-login and gets a token for Stripes.
  • Keycloak supports multiple identity providers for a single tenant
  • Hard to manage without Kubernetes on a single server. Twice as many containers + administrative overhead.
  • Tying FOLIO even closer to Kubernetes appears of doubtful use for Sys Ops (=this audience).
  • Kong Enterprise is not needed, and Kong would have been rejected if it had been needed.
  • Unlikely scenario that a hosting provider would both offer Okapi and Eureka installations to their clients. No reason to offer both.


  • Tenants Manager brings up a tenant, manages tenants.
  • Manager Applications github README
    • Registers an application.
    • Many environment variables, partially for Kong
    • many environment variables Keycloak specific
    • Replaces some Okapi functionalities:
      • Dependency Checks
      • Registration of modules
      • Enabling/Disabling of Applications
      • (Un)Deployment of an Application (optional) → means deployment is handed over to K8s or similar?
      • Optional integration with Kong gateway
    • Kong routes registration
    • Kafka integration
  • Tenant Entitlement Manager github README
    • Bring Tenants Manager and Manager Applications together.
    • Does a lot of the dependency checks
    • Very similar to Manager Applications, seemingly the same set of env vars


  • FOLIO folio-module-sidecar
    • This project uses Quarkus
    • module independent, uses Okapi Module Descriptors for self-configuration
    • Ingress request routing for underlying module (specified using environment variables)
    • can build with docker or GraalVM, its docker image's size is 102.56 MB
    • Question: how much RAM will a sidecar occupy?
    • many environment variables




  • FOLIO already focuses on Kubernetes and will focus on it even more in a Eureka environment. Question whether single-server deployment is still practical with Eureka. A MiniKube environment might replace the Vagrant setup for development purposes.
  • Kubernetes Sidecar Containers: In k8s, sidecar containers are special cases of "init containers".




--
20 | WolfCon Planning | All |

A few exciting updates to share for WOLFcon 2024:

Call for Proposals Now Open:

 Got ideas about open-source to share? Talk about it at WOLFcon.

 Submit a presentation, panel, short talk, or pre-conference workshop. The deadline for submissions is March 31, 2024.

 Submit a session here.

  Early Bird Registration Now Open: Join us at Senate House, University of London. September 24-26, 2024. 

 Register now through July 31, 2024 for an early bird discounted rate.

 Learn more about WOLFcon 2024: Want to learn more about the Open Library Foundation and WOLFcon? Be sure to visit our website where you can learn more about the foundation, member projects, communities, and the annual conference.


Submissions for SysOps presentation, panel, short talk or pre-conference workshop? Have a SysOps session or talk, could be hybrid.

Notes 2024/03/22

  • Jeremy, Florian Kreft, Jason and Tod expect to attend in person. Josh might also.
  • A session on data migration could be of interest. New folks may know how to deploy, but data migration is still an issue.
  • Maybe a hands-on demo of deployment; could be with Ansible

Notes 2024/04/12

The submittal deadline has been extended until the end of this month.

Jeremy is bound with a day-long pre-conference workshop on AI which he leads.

Notes 2024/04/26

A SysOps session on Self-Hosting on a new platform is highly desired. We will meet on Tuesday, April 30th, 10-10:30 EST to submit a session together. Josh, Jason or Florian might chair.



5 | Topics for next meetings | |



Action items
