Use SeaweedFS with Apache jclouds

 Prior to this, there was very sparse documentation linking these two software. It might be common sense to some, but there was hardly any mention for setting up both to be used in tandem. So let's cut to the chase.

The main draw for Apache jclouds is support for S3 API in Java, across many platforms. The main concern for us in particular, was their BlobStore API.

Addition to pom.xml

<jclouds.version>2.6.0</jclouds.version>

<dependency>

        <groupId>org.apache.jclouds</groupId>

        <artifactId>jclouds-all</artifactId>

        <version>${jclouds.version}</version>

</dependency>

Code snippet

//Initialise connectivity 

BlobStoreContext context = ContextBuilder.newBuilder("s3")

    .credentials(identity, credential)

    .endpoint(weedMasterUrl)

        .buildView(BlobStoreContext.class);

// Access the BlobStore

BlobStore blobStore = context.getBlobStore(); 

ByteSource payload = ByteSource.wrap(payloadStr.getBytes("UTF-8"));

Blob blob = blobStore.blobBuilder(uuid)

    .payload(payload)

    .contentLength(payload.size())

    .build();

// Upload the Blob

blobStore.putBlob(containerName, blob);

// Don't forget to close the context when you're done!

context.close();

The above was practically lifted off the jclouds page. The specific point of attention would be the newBuilder("s3") that is used as a generic version of the "aws-s3" stated in their original sample.

"But SeaweedFS already has a large number of client libraries provided by the community!", you exclaimed. 

And you'd be correct. Yet they'd only be used specifically for SeaweedFS however. I'd neglected to elaborate earlier, that the S3 API offerd by jclouds is generically usable with any other (enterprise-grade) product besides SeaweedFS. By integrating the two, our development can adopt a lightweight alternative like SeaweedFS, while the main production deployment takes on a heftier software, all while using the same library, which is offered by Apache no less.

This was still largely unexplored territory for some of us, so setting up SeaweedFS was more nuanced than we expected. 

This is what it took:

1. Start the master server: sudo ./weed master &
2. Start a volume server: sudo ./weed volume -dir=”/data/seaweed/data1” -max=5 -mserver=”localhost:9333” -port=8080 &
3. Start filer and S3 service: sudo ./weed filer -s3 &

There was a gotcha in there that I had to figure out on my own. The Getting Started page only mentioned starting the master and volume. You could even interact with the service using cURL once it's started. But the Java codes still couldn't talk to seaweed.

The wiki even had a section describing how to use s3cmd to communicate with seaweed. I just didn't get it. Until I found this article that vaguely mentioning that the server needed to be started up specifically with s3 as an option.

I had to return to the ./weed --help to get more clues. On hindsight, none of this would have been an issue had I ran the server option instead of running the master and volume processes separately. But I felt it necessary to adopt a structure we might expect eventually. 

And with the filer -s3 started, the s3cmd could be made at last. I reckon I'd have been still scratching my head, had I not adopted s3cmd for verifying the setup outside of the codes. I could make my bucket and be on my way at last (because I think that our actual codes probably shouldn't be creating buckets on its own that easily).

Kubernetes Dashboard Secret

The short gist

 Running the Windows Command Prompt, load the local proxy:

kubectl proxy

Then execute cURL like so:

curl -H "Content-Type: application/json" -d "{}" http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/serviceaccounts/admin-user/token

The TokenResponse JSON object should appear in the reply that ends with

"status": {

"token": "eyJhb...",

"expirationTimestamp": "2022-09-30T10:01:13Z"

}

The long story

There used to be a time when the Kubernetes Dashboard came out of the box with a command for retrieving the default token using the command line. Until it didn't.

Scouring many forums and discussion threads, it seems to have been removed.

Secret token not generating - General Discussions - Discuss Kubernetes

Not able to login to Kubernetes dashboard using token with service account - Stack Overflow

Even the official documentation was nary a help.

dashboard/creating-sample-user.md at master · kubernetes/dashboard · GitHub

dashboard/README.md at master · kubernetes/dashboard · GitHub

Some people suggested overriding with the --enable-skip-login flag, which didn't work for me either.

Running Kubernetes and the dashboard with Docker Desktop (andrewlock.net)

The trail eventually lead me to the suggestion of calling the K8s API to get what I want.

TokenRequest | Kubernetes

Which in turn allowed me to locate this post that gave some useful headway.

A Look at How to Use TokenRequest Api | jpweber blog

This has troubled me for over a month as I had to repeatedly get interrupted with other tasks. I'm at least satisfied that this has arrived at a conclusion before the weekend.

Carving the Rosetta into an ink stone

Turning what was into what will be

If technology ages like people, then according to this, the system we worked on was old enough in human years to vote. The enterprise web application had served the team of users for a good many years, with a long-deserved refresh. Care and time was taken to assess the changes needed. This was all the more important given that there was practically zero code freeze period available, as the old system had to roll out new changes very close to the go-live of the new version. Things tend to be hectic when similar tasks have to run in parallel. Here were some of the key considerations that we had planning everything out. 

Replacing an important desktop feature

One of the major technology that had to be benched, were the Java applets. The industry had gradually shifted away from its use over the years, but it remained typical of intranet applications to continue in its use due to a variety of factors. 

In order to throw applets out the door, one substitute was the use of local services. Many consumer product manufacturers had been providing these desktop software already. These were small programs sitting in the system tray, that are responsible for minute tasks on the client operating system. 

An application running from a web browser can only do so much, when interacting with the user desktop. Installing such a software caters for flexibility that typical web apps cannot afford, like initiating the printer spool to the hardware device without launching a separate window. We had an two implementations, using REST-based asynchronous calls for basic functionality, and more tightly coupled integrations that required WebSockets for payment terminal communications. Separating the modules this way helps delineate separation of tasks. 

Certain pitfalls we encountered, were surrounding the XSS and CSRF protections. We had to factor in the SSL certificate as part of the package as well, ultimately culminating in an installer which was able to bundle a JRE of our choice. 

API-ing the monolith

Ye olde web app was built as a monolith. Like a good coming-of-age story, this concept also required a paradigm shift. Due to the many limitations, it was impossible for the upgrade to be completely rewired into microservices. It was also impractical for this application to be totally disassembled for our many use cases. I decided we should take the middle ground, and went with a hybrid approach; it was not quite a monolith, but not yet a microservice architecture. 

An authentication service was first built from the ground up. This was a module that could run on its own, within our traditional application server environment. By ensuring that it was mostly self-contained, there is an element of future-proofing by requiring APIs to be accessed via REST-based calls. I use "REST-based", because our environment discourages fully RESTful APIs due to security concerns. This was as close to a zero-trust API flow as I could build in our case. The use case for this service was mainly for M2M (machine-to-machine) communications. Products offering OAuth solutions in the wild typically expect three-point flows, meaning that it was not immediately available for an off-the-shelf framework that provides the M2M flow which I was looking for. 

Following this construction pattern, we'd also built another module for exposing APIs to external interfaces. More of the lean REST-based request/response pairs are applied here, to avoid encumbering the consumer with legacy fields. This API service was a companion to the authentication service, as the caller is forced to provide a token with each query. A token which can only be requested from the authentication service. This API service will then make an internal API call to the authentication service for validating the provided token. 

Speaking of internal APIs, we had further expanded on that in the existing monolith. There were further offsite modules that had data transmission requirements with the central application. Applets were used to address this, but without it, the gap had to be fulfilled by the more readily usable REST-based options instead. Endpoints were added to replace what used to be Java RMI objects. 

Modernising the team processes

The suite of development tools used to be CVS with Mantis. The new direction was with Gitlab and Jira. Getting the team onboard certainly took getting used to. The development workflow had to be adjusted as we got used to the different behaviour of Git, where the source code was committed locally first, and had to be "pushed" to the remote repository subsequently. 

The old issues in Mantis were boxed and shelved entirely, as we embraced a new leaf with Jira. Certain flexibilities we were used to in Mantis were no longer available with Jira. The team had to be regularly reminded to ensure that issue status and resolutions were kept updated. The web based interface definitely helped in maintaining oversight of the outstanding issues, with priorities and progress.

Code review remained manual. This was a necessary evil, due to the immense code base, containing a multitude of legacy codes, intermingled with business logic and potentially outdated or deprecated codes. It was pertinent that all new changes were annotated clearly with start/end comment blocks. The best practices I had for software development had to be reinforced and reminded regularly to the team.

The eventual go-live of the new system was no mean feat. Part of the effort was shaved considerably and efficiently. A colleague had taken up the heavy task of preparing a installer for the event. Packaging an installer helped to streamline the deployment process, as we had various software that had to be installed into more than 100 workstations on the network. It didn't help that the desktop engineers were operated by a different vendor. We were able to take advantage of the PowerShell script, further enabled by the PSADT framework. The ten plus different installers we needed to run, could then be consolidated into this single installation. It was not perfect, and still as yet can be improved further. But it is another step in the direction to be taken.

Getting here

Happy new year! Each step that was taken, had its own story. As we build into the future, we should always keep sight of what is on the horizon. In spite of the limitations of our time, certain concessions can be made to ensure that progress in made in the correct direction. Baby steps are better than no progress at all. 

A shout out and major thanks to the team that I'd worked with. Our work is just getting started on the new version of the system, but kudos to everybody for getting this far!