Add files via upload

deployment/default

@@ -0,0 +1,179 @@
+# This nginx config should be deployed to server
+
+
+limit_req_zone $binary_remote_addr zone=mylimit:20m rate=10r/s;
+
+##
+# You should look at the following URL's in order to grasp a solid understanding
+# of Nginx configuration files in order to fully unleash the power of Nginx.
+# https://www.nginx.com/resources/wiki/start/
+# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
+# https://wiki.debian.org/Nginx/DirectoryStructure
+#
+# In most cases, administrators will remove this file from sites-enabled/ and
+# leave it as reference inside of sites-available where it will continue to be
+# updated by the nginx packaging team.
+#
+# This file will automatically load configuration files provided by other
+# applications, such as Drupal or Wordpress. These applications will be made
+# available underneath a path with that package name, such as /drupal8.
+#
+# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
+##
+
+# Default server configuration
+#
+server {
+	listen 80 default_server;
+	listen [::]:80 default_server;
+    proxy_read_timeout 600;
+    proxy_connect_timeout 600;
+    proxy_send_timeout 600;
+    send_timeout 600;
+
+
+
+	# SSL configuration
+	#
+	# listen 443 ssl default_server;
+	# listen [::]:443 ssl default_server;
+	#
+	# Note: You should disable gzip for SSL traffic.
+	# See: https://bugs.debian.org/773332
+	#
+	# Read up on ssl_ciphers to ensure a secure configuration.
+	# See: https://bugs.debian.org/765782
+	#
+	# Self signed certs generated by the ssl-cert package
+	# Don't use them in a production server!
+	#
+	# include snippets/snakeoil.conf;
+
+	server_name _;
+
+	location / {
+		# First attempt to serve request as file, then
+		# as directory, then fall back to displaying a 404.
+		limit_req zone=mylimit;
+
+		proxy_pass http://127.0.0.1:3000/;
+	}
+
+	# pass PHP scripts to FastCGI server
+	#
+	#location ~ \.php$ {
+	#	include snippets/fastcgi-php.conf;
+	#
+	#	# With php-fpm (or other unix sockets):
+	#	fastcgi_pass unix:/run/php/php7.4-fpm.sock;
+	#	# With php-cgi (or other tcp sockets):
+	#	fastcgi_pass 127.0.0.1:9000;
+	#}
+
+	# deny access to .htaccess files, if Apache's document root
+	# concurs with nginx's one
+	#
+	#location ~ /\.ht {
+	#	deny all;
+	#}
+}
+
+
+# Virtual Host configuration for example.com
+#
+# You can move that to a different file under sites-available/ and symlink that
+# to sites-enabled/ to enable it.
+#
+#server {
+#	listen 80;
+#	listen [::]:80;
+#
+#	server_name example.com;
+#
+#	root /var/www/example.com;
+#	index index.html;
+#
+#	location / {
+#		try_files $uri $uri/ =404;
+#	}
+#}
+
+server {
+
+	# SSL configuration
+	#
+	# listen 443 ssl default_server;
+	# listen [::]:443 ssl default_server;
+	#
+	# Note: You should disable gzip for SSL traffic.
+	# See: https://bugs.debian.org/773332
+	#
+	# Read up on ssl_ciphers to ensure a secure configuration.
+	# See: https://bugs.debian.org/765782
+	#
+	# Self signed certs generated by the ssl-cert package
+	# Don't use them in a production server!
+	#
+	# include snippets/snakeoil.conf;
+
+    server_name guardai.io www.guardai.io; # managed by Certbot
+    proxy_read_timeout 600;
+    proxy_connect_timeout 600;
+    proxy_send_timeout 600;
+    send_timeout 600;
+
+
+
+	location / {
+		# First attempt to serve request as file, then
+		# as directory, then fall back to displaying a 404.
+		limit_req zone=mylimit;
+		
+		proxy_pass http://127.0.0.1:3000/;
+	}
+
+	# pass PHP scripts to FastCGI server
+	#
+	#location ~ \.php$ {
+	#	include snippets/fastcgi-php.conf;
+	#
+	#	# With php-fpm (or other unix sockets):
+	#	fastcgi_pass unix:/run/php/php7.4-fpm.sock;
+	#	# With php-cgi (or other tcp sockets):
+	#	fastcgi_pass 127.0.0.1:9000;
+	#}
+
+	# deny access to .htaccess files, if Apache's document root
+	# concurs with nginx's one
+	#
+	#location ~ /\.ht {
+	#	deny all;
+	#}
+
+
+    listen [::]:443 ssl ipv6only=on; # managed by Certbot
+    listen 443 ssl; # managed by Certbot
+    ssl_certificate /etc/letsencrypt/live/guardai.io/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/guardai.io/privkey.pem; # managed by Certbot
+    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+
+
+}
+server {
+    if ($host = www.guardai.io) {
+        return 301 https://$host$request_uri;
+    } # managed by Certbot
+
+
+    if ($host = guardai.io) {
+        return 301 https://$host$request_uri;
+    } # managed by Certbot
+
+
+	listen 80 ;
+	listen [::]:80 ;
+    server_name guardai.io www.guardai.io;
+    return 404; # managed by Certbot
+}

deployment/docker/nginx.conf

@@ -0,0 +1,21 @@
+server {
+    listen              80 default_server;
+    server_name         guardai.io www.guardai.io;
+
+    root /usr/share/nginx/html;
+    client_max_body_size 100M;
+    proxy_read_timeout 600;
+    proxy_connect_timeout 600;
+    proxy_send_timeout 600;
+    send_timeout 600;
+
+    # proxy api requests to flask server
+    location /api/ {
+        proxy_pass http://127.0.0.1:5000/;
+    }
+
+    location / {
+        try_files $uri /index.html;
+    }
+}
+

deployment/docker/serve.sh

@@ -0,0 +1,2 @@
+#!/bin/bash
+nohup nginx -g "daemon off;" & cd backend && gunicorn -b 0.0.0.0:5000 --workers=3 -t 600 "app:app" "$1"

deployment/eks-cluster/README.md

@@ -0,0 +1,36 @@
+# Provision
+
+Create EKS cluster
+```
+eksctl create cluster -f cluster.yaml
+```
+
+Install LB Controller dependencies
+```
+https://docs.aws.amazon.com/eks/latest/userguide/aws-load-balancer-controller.html
+```
+
+Provision Ingress service
+```
+kubectl create -f manifest/ingress.yaml
+```
+
+Provide docker registry secret
+```
+kubectl create secret docker-registry guardai-registry-key \
+--docker-server=DOCKER_REGISTRY_SERVER \
+--docker-username=DOCKER_USER \
+--docker-password=DOCKER_PASSWORD \
+--docker-email=DOCKER_EMAIL
+```
+
+Update Docker image in deployment chart if needed, then
+```
+helm install guardai ./helm/guardai/
+```
+
+
+Clean up
+```
+eksctl delete cluster --name cluster.k8s.local
+```

deployment/eks-cluster/cluster.yaml

@@ -0,0 +1,32 @@
+apiVersion: eksctl.io/v1alpha5
+kind: ClusterConfig
+
+metadata:
+  name: cluster.k8s.local
+  region: us-east-2
+  version: "1.29"
+  tags:
+    guardai: eks-cluster
+vpc:
+  id: "vpc-99d8b3f2"
+  cidr: "172.31.0.0/16"
+  nat:
+    gateway: Disable
+  subnets:
+    private:
+      us-east-2a:
+        id: "subnet-64d6440f" 
+      us-east-2b:
+        id: "subnet-d9ca02a4" 
+managedNodeGroups:
+  - name: ng-1
+    instanceType: c5.large
+    desiredCapacity: 5
+    volumeSize: 10
+    minSize: 5
+    maxSize: 5
+    availabilityZones:
+      - us-east-2a
+    privateNetworking: true # Set to true if you want the node group to use private subnets only
+    tags:
+      guardai: eks-cluster

deployment/eks-cluster/helm/guardai/Chart.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+appVersion: "1.0"
+description: A Helm chart for Kubernetes
+name: guardai
+version: 0.1.0

deployment/eks-cluster/helm/guardai/templates/_helpers.tpl

@@ -0,0 +1,32 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "login.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "login.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "login.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}

deployment/eks-cluster/helm/guardai/templates/configMap.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: guardai-config

deployment/eks-cluster/helm/guardai/templates/deployment.yaml

@@ -0,0 +1,46 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: guardai-deployment
+  labels:
+    app: guardai
+spec:
+  replicas: 12       # specify number of replicated Pods
+  selector:
+    matchLabels:
+      app: guardai
+
+  template:
+    metadata:
+      labels:
+        app: guardai
+
+    spec:
+      containers:
+      - name: guardai-container
+        image: paulcccccch/trustworthy-ai:latest
+        ports:
+        - containerPort: 8300
+        envFrom:
+        - configMapRef:
+            name: guardai-config
+        resources:
+          requests:
+            cpu: 500m
+      imagePullSecrets:
+      - name: guardai-registry-key
+
+---
+apiVersion: autoscaling/v1
+kind: HorizontalPodAutoscaler
+metadata:
+  name: guardai-autoscaling
+  namespace: default
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: guardai-deployment
+  minReplicas: 12
+  maxReplicas: 18
+  targetCPUUtilizationPercentage: 50

deployment/eks-cluster/helm/guardai/templates/service.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: guardai-service
+  annotations:
+    service.beta.kubernetes.io/aws-load-balancer-type: nlb
+spec:
+  type: LoadBalancer
+  selector:
+    app: guardai
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 80

deployment/eks-cluster/manifest/ingress.yaml

@@ -0,0 +1,28 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: guardai-ingress
+  annotations:
+    alb.ingress.kubernetes.io/scheme: internet-facing
+    alb.ingress.kubernetes.io/target-type: ip
+    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}, {"HTTP":80}]'
+    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-2:172265936747:certificate/2f7081c3-b900-4aff-a321-a578e789655b
+    alb.ingress.kubernetes.io/ssl-redirect: "443"
+spec:
+  ingressClassName: alb
+  defaultBackend:
+    service:
+      name: cloud
+      port: guardai-service
+        number: 80
+
+  # rules:
+  # - http:
+  #     paths:
+  #     - path: /
+  #       pathType: Prefix
+  #       backend:
+  #         service:
+  #           name: guardai-service
+  #           port:
+  #             number: 80

deployment/single-instance/README.md

@@ -0,0 +1,2 @@
+# Provision
+Run `terraform apply`

deployment/single-instance/main.tf

@@ -0,0 +1,117 @@
+# Provides a resource to manage EC2 Fleets.
+#
+# Usage:
+# Configure the credentials first with `aws configure`
+# Create a file named `terraform.tfvars` and set the values of the variables defined in `variables.tf`
+#
+# terraform init      Initialize a Terraform working directory
+# terraform validate  Validates the Terraform files
+# terraform fmt       Rewrites config files to canonical format
+# terraform plan      Generate and show an execution plan
+# terraform apply     Builds or changes infrastructure
+# terraform destroy   Destroy Terraform-managed infrastructure
+
+provider "aws" {
+  region = var.region
+}
+
+locals {
+  common_tags = {
+    Name    = "guardai"
+    project = var.project_tag
+  }
+}
+
+resource "aws_security_group" "guardai_ami_sg" {
+  ingress {
+    from_port = 22
+    to_port   = 22
+    protocol  = "tcp"
+
+    cidr_blocks = [
+      "0.0.0.0/0",
+    ]
+  }
+
+  ingress {
+    from_port = 80
+    to_port   = 80
+    protocol  = "tcp"
+
+    cidr_blocks = [
+      "0.0.0.0/0",
+    ]
+  }
+
+  ingress {
+    from_port = 443
+    to_port   = 443
+    protocol  = "tcp"
+
+    cidr_blocks = [
+      "0.0.0.0/0",
+    ]
+  }
+
+
+  # outbound internet access
+  # allowed: any egress traffic to anywhere
+  egress {
+    from_port = 0
+    to_port   = 0
+    protocol  = "-1"
+
+    cidr_blocks = [
+      "0.0.0.0/0",
+    ]
+  }
+
+  tags = local.common_tags
+}
+
+# Provides an EC2 launch template resource.
+# Can be used to create EC2 instances or auto scaling groups.
+resource "aws_launch_template" "guardai_ami_lt" {
+  name_prefix = "guard_ai_launch_template"
+  image_id    = var.ami_id
+  key_name    = var.key_name
+
+  vpc_security_group_ids = [
+    aws_security_group.guardai_ami_sg.id,
+  ]
+
+  instance_type = var.instance_type
+
+  tag_specifications {
+    # Tags of EC2 instances
+    resource_type = "instance"
+    tags = local.common_tags
+  }
+
+  tag_specifications {
+    # Tags of EBS volumes
+    resource_type = "volume"
+    tags = local.common_tags
+  }
+}
+
+
+# Assign elastic IP to the instance
+resource "aws_eip_association" "eip_assoc" {
+  instance_id   = aws_instance.main_instance.id
+  allocation_id  = var.eip_id
+}
+
+
+# Launch an EC2 instance
+resource "aws_instance" "main_instance" {
+  launch_template {
+    id      = aws_launch_template.guardai_ami_lt.id
+    version = "$Latest"
+  }
+
+  # The tags of the Fleet resource itself.
+  # To tag instances at launch, specify the tags in the Launch Template.
+  tags = local.common_tags
+  availability_zone = var.zone
+}

deployment/single-instance/variables.tf

@@ -0,0 +1,42 @@
+
+variable "region" {
+  default = "us-east-2"
+}
+
+variable "zone" {
+  default = "us-east-2a"
+}
+
+# instance type
+variable "instance_type" {
+  default = "t3.medium"
+}
+
+variable "bid_price" {
+  default = "0.013"
+}
+
+variable "target_capacity_type" {
+  default = "on-demand"
+}
+
+# Update "project_tag" to match the tagging requirement of the ongoing project
+variable "project_tag" {
+  default = "single-instance"
+}
+
+# Update "ami_id"
+variable "ami_id" {
+  default = "ami-05fb0b8c1424f266b"
+}
+
+# Update "key_name" with the key pair name for SSH connection
+# Note: it is NOT the path of the pem file
+# you can find it in https://console.aws.amazon.com/ec2/v2/home?region=us-east-1#KeyPairs:sort=keyName
+variable "key_name" {
+  default = "aws-key1"
+}
+
+variable "eip_id" {
+  default = "eipalloc-02216567b103be40a"
+}