STRAP
Last updated: 2025-11-03
Dates: Ongoing
The Simplified Technologies for Research Applications Platform (STRAP) project aims to provide common components for web-based research applications so that researchers are able to concentrate on developing their research software, lowering the barrier to deliver data and analysis portals while leveraging enterprise-grade computing and storage infrastructure, identity providers, database services, and other important supporting components.
Using a simple web application itself hosted by the Platform, and following a few basic conventions, researchers are able to deploy their container-based applications with storage, a Postgres database, logging and backups, and authentication via UVic and/or social identity providers such as GitHub, GitLab and Google.
STRAP is based on tried and tested open-source technologies such as Keycloak and Kubernetes and runs on an OpenStack cloud.
Goals and benefits
STRAP was designed to make web application deployment more accessible to researchers who don’t want to become experts in modern computing delivery systems, identity management, or database administration, so they can concentrate instead on their research software.
Plays to everybody’s strengths
The primary goal of STRAP can be expressed in two distinct yet equally important ways that basically mean the same thing:
Application developers (researchers, for our target audience) can focus on developing software supporting their research, rather than the plumbing and wiring that every application deployed in the wild must have, like databases and authentication systems. At the same time, those supporting the applications (systems administrators, database administrators) don’t need to know anything about the application or the research.
Put more simply, everybody involved in a deployed application is focused on their strengths, and every aspect of the application is managed by a specialist in that area.
All components other than external identity providers (IdPs) are hosted at UVic, and operated by subject-matter experts: the IdP is operated by the Identity team, and the Postgres and MySQL stacks are operated by the DBA team. Velum is managed by the same team that runs the Arbutus system for the Digital Research Alliance federation (formerly Compute Canada Federation). Ubernetes is an opinionated Kubernetes cluster managed by that same team who operate multiple such clusters in a consistent and predictable way.
The one exception is the object store component, currently maintained by the ARCsoft team but expected to be replaced by a more robust solution as part of the Velum cloud in the near future.
Low(er) barrier to entry
Kubernetes is fantastic and advanced but quite complex and involves many concepts such as deployments, pods, services, replica sets, and so on. STRAP simplifies this as much as possible.
Similarly, database and identity systems are at the same time difficult to manage properly, and critical to manage properly. STRAP handles that so the developer doesn’t have to.
Less duplication
Users don’t need yet another password to remember, and the world doesn’t need another thrown-together authentication system. Instead, STRAP provides integration with existing identity systems, with benefits such as single sign-on across other applications served by the same providers, and multi-factor authentication.
Instead of every project deploying their own database server, databases are provisioned for applications from database stacks with full service support including backups. Among the benefits this provides is more effective use of compute and storage resources.
Security and integrity
Since everybody is concentrating on their strengths, it is less likely that a poorly designed authentication system will allow weak passwords or leak secret information, or that a database won’t be backed up.
STRAP enforces best practices where it can, such as restricting application deployments to be from images stored in its own image registry, where it can scan the image for vulnerabilities tracked in community-supported databases.
Architecture
Key components and communication paths are as follows:
Most of the platform is hosted on an OpenStack cloud at UVic named Velum. The database services (Postgres is available, with MySQL planned for the future) are external and managed by another group, as is the identity provider (IdP). The external IdPs are the only components not hosted at UVic.
The Velum OpenStack cloud is an infrastructure-as-a-service cloud offering virtual machines, built the same way and by the same experts as the Arbutus Cloud, a major national ARC system.
Ubernetes is an opinionated Kubernetes deployment based on Kubespray and developed, maintained and managed by Kubernetes experts in RCS.
Postgres and MySQL are database services managed by the database team in UVic’s central information systems department. (MySQL is not currently available on STRAP but support is planned.)
The UVic IdP is a central identity provider supporting single sign-on (SSO) for university applications and serving faculty, staff and students. STRAP also optionally supports authentication via third-party identity providers such as Google and GitHub.
The object store is currently a virtual machine running Minio, an open-source alternative to S3, operated by the ARCsoft team. This will be replaced by the Velum object storage service once available.
The following components are container-based services hosted on the Ubernetes cluster:
Keycloak provides an authentication proxy to identity providers configured for the application.
An image registry (STRAP currently uses Harbor) is where projects store their application images. They are scanned for known vulnerabilities before deployment.
RabbitMQ provides a message queuing service for communication within multi-container applications with more complex needs.
Inside Ubernetes we have the following middleware services:
- Ingress and TLS termination and certificate management
- Routing
- Authentication forwarding
Finally, hosted by STRAP among the other applications is Strapper, the self-serve management application where platform users define, configure and deploy their applications.
Deploying an application with Strapper
Strapper is a web application hosted on STRAP where users define their application configurations and manage deployment. Members of the UVic community may request access from the portal and once granted will be able to define and deploy their first application.
A typical application may be defined and deployed as follows:
- The developer chooses a short and a longer name for the application, for example “myapp” and “My Application”. Once deployed, the application will be available at https://myapp.rs-dev.uvic.ca.
- They choose a database to be provisioned for the application. This is optional.
- Next they choose what authentication to use (UVic, or UVic + Social to include external identity providers), and then which routes should be authenticated. For example, the landing page (route: /) may be unauthenticated, while a login page (route: /login) is authenticated.
- A container is defined, which may include environment variables, the command to pass, and necessary information such as the listening port. The developer is then provided login information for the registry and can push their image.
- Once the image is scanned and is clear of any major vulnerabilities, deployment may be initiated. The developer may observe this in real time and will be advised of the status on completion.
- If the deployment was successful, the application will be immediately available on the web.
Strapper offers both a guided mode for defining applications, often referred to as a “wizard”, as well as an expert mode for those who don’t need to be led through the process step by step.
How does it work?
Deployment
When an application is defined and is ready to deploy, a JSON document is created from the parameters defined in the management application, such as the image, the application name and title, and what type of authentication is desired. This configuration is passed to a Terraform module which provisions the database, identity resources, and populates a Helm chart to publish the application to the Ubernetes cluster. Deployment status is provided to the user along with some necessary information such as the newly created database’s initial password.
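The Strapper steps above and the JSON document they produce, as an added example that is not STRAP's own code: it assembles the document from the wizard's parameters and runs the checks a platform should apply before handing it to Terraform, in particular that the image really lives in the platform registry (the page's own rule) and is pinned to a tag or digest. The document schema, the registry hostname and the check set are assumptions.

```python
import json
import re

# Assumed hostname for the platform's own image registry; the real one is not given on the page.
STRAP_REGISTRY = "registry.strap.invalid"
AUTH_MODES = {"uvic", "uvic+social"}             # the two modes Strapper offers
NAME_RE = re.compile(r"^[a-z][a-z0-9-]{0,30}$")  # short name becomes a DNS label (myapp.rs-dev.uvic.ca)


def build_app_config(short_name, title, image, auth, routes, database=False, port=8080, env=None):
    """Assemble the deployment document from Strapper-style parameters (hypothetical schema)."""
    return {
        "name": short_name, "title": title, "image": image, "auth": auth,
        "routes": routes, "database": database, "port": port, "env": dict(env or {}),
    }


def image_in_strap_registry(image):
    """Deployments are restricted to images held in the STRAP registry; this check also
    requires an explicit tag or digest so the image that was scanned is the one that ships."""
    if "/" not in image:
        return False                      # bare names resolve to a public registry
    host, _, rest = image.partition("/")
    pinned = "@sha256:" in rest or ":" in rest.rsplit("/", 1)[-1]
    return host == STRAP_REGISTRY and pinned


def validate_app_config(cfg):
    """Return a list of problems; an empty list means the document can go to Terraform."""
    errors = []
    if not NAME_RE.match(cfg.get("name", "")):
        errors.append("name must be a short DNS-style label")
    if not image_in_strap_registry(cfg.get("image", "")):
        errors.append("image must be a tagged or digest-pinned reference in the STRAP registry")
    if cfg.get("auth") not in AUTH_MODES:
        errors.append("auth must be one of %s" % sorted(AUTH_MODES))
    for route in cfg.get("routes", []):
        if not str(route.get("path", "")).startswith("/"):
            errors.append("route path must be absolute: %r" % route.get("path"))
    if not 1 <= int(cfg.get("port", 0)) <= 65535:
        errors.append("port must be between 1 and 65535")
    return errors


def to_json(cfg):
    """Serialize deterministically; this is the document handed to the Terraform module."""
    return json.dumps(cfg, sort_keys=True, indent=2)
```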
Authentication
When a visitor accesses an application hosted on STRAP, the route is checked against the application’s route definitions to determine whether it is an authenticated route or not. If not, the visitor’s browser is sent directly to the application container. If it is an authenticated route, the visitor’s browser is instead directed to Keycloak.
If the authentication chosen for the app is UVic, the visitor is directed to a UVic sign-on page and goes through standard UVic authentication including MFA. If the authentication is UVic+Social, the visitor is given a choice and then directed to the chosen IdP. The visitor then authenticates to that provider, and an authentication token is passed back to Keycloak, which verifies the token and, if it is valid, passes the browser on to the app with an added HTTP header containing the visitor’s identifier and a token describing some details. (If the user failed authentication, the provider will tell them so, and on redirection back to STRAP this header will not be present.)
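The route check described above, as an added example rather than STRAP's own routing code: it canonicalizes the request path before matching so alternative spellings of a protected path cannot bypass the rule, picks the longest matching prefix so the landing page can stay open while /login is protected, and decides whether the browser goes to the app or to Keycloak. The route table is constructed from the page's example; the fail-closed default for unmatched paths is an assumption, not a documented STRAP behaviour.

```python
from posixpath import normpath
from urllib.parse import unquote

# Route definitions in the form Strapper collects them: a path prefix and whether it needs
# authentication. Constructed from the page's example: landing page open, login page protected.
ROUTES = [
    {"path": "/", "authenticated": False},
    {"path": "/login", "authenticated": True},
]


def canonical_path(raw_path):
    """Reduce a request path to one canonical form before matching, so spellings such as
    '/login/', '//login', '/./login' or '/%6cogin' all hit the same rule as '/login'."""
    path = raw_path.split("?", 1)[0].split("#", 1)[0]   # drop query string and fragment
    path = unquote(path)                                 # decode percent-encoding once
    return normpath("/" + path.lstrip("/"))              # collapse '.', '..' and repeated '/'


def _prefix_matches(prefix, path):
    """Match on whole path segments: '/login' covers '/login' and '/login/x', not '/loginx'."""
    return prefix == "/" or path == prefix or path.startswith(prefix + "/")


def route_requires_auth(raw_path, routes=ROUTES):
    """Longest matching prefix decides, so '/' can stay open while '/login' is protected.
    A path that no rule covers requires authentication (fail closed; an assumption here)."""
    path = canonical_path(raw_path)
    best = None
    for rule in routes:
        if _prefix_matches(rule["path"], path):
            if best is None or len(rule["path"]) > len(best["path"]):
                best = rule
    return True if best is None else bool(best["authenticated"])


def route_target(raw_path, routes=ROUTES):
    """Where the ingress sends the browser: straight to the app container, or to Keycloak
    first for routes that need authentication."""
    return "keycloak" if route_requires_auth(raw_path, routes) else "app"
```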
Features and functionality
STRAP and Strapper provide the following features:
- Postgres database if needed
- Automatic domain name, DNS entry, TLS certificate
- Image registry and vulnerability scanning
- UVic and (limited) social identity providers
- Authentication-exempt routing for when authentication isn’t required or desired
- IP allow-listing to limit access to pre-defined and/or arbitrary IP sets
- Multiple-container application support
- Message queuing service
Planned functionality
| What | When | Details |
|---|---|---|
| MySQL | Within a few months of a project requesting it | Fairly simple to implement, but will need the DBA team to stand up an instance |
| Custom domains | Mostly developed | Requires upgrades on Ubernetes cluster, dependency on Infrastructure team |
| Custom resources by request | Implementation in progress | Supports Kubernetes resources STRAP doesn’t natively provide |
| Filesystem-based storage | 2026 | |
| Object storage for applications | 2026… | Haven’t had a need yet |
| Further external IdPs | As needed | Based on feasibility, need, and provider policies. X, Meta: No, never. |
User guide
A STRAP user guide is available!
External resources
News and updates
If you’re interested in following our progress, please subscribe to our RSS feed or come back and visit our development blogs.