Helm

What is Helm, how it can help you deploy containers in Kubernetes.
Changes in Helm 3.

Christophe Vanlancker

September 27, 2019

Transcript

  1. What is Helm?
    Package manager for Kubernetes
    – Manage Complexity
    – Easy updates
    – Simple Sharing
    – Rollbacks
  2. A bit of history...
    • Deis Hackathon OCT 2015
    • Helm 1.x NOV 2015
    • Helm 2.x = Helm 1.x + Google Deployment Manager, NOV 2016
    • Helm 3.x ~ NOV 2019 (?)
  3. Helm 2
    • Client – Server: Helm + Tiller
    • Templated YAML + Metadata
    • Charts
  4. Charts
        ➜ crowd git:(master) tree
        ├── Chart.yaml
        ├── templates
        │   ├── deployment.yaml
        │   ├── _helpers.tpl
        │   ├── NOTES.txt
        │   ├── service.yaml
        │   └── tests
        │       └── test-connection.yaml
        └── values.yaml
  5. Charts
        ➜ crowd git:(master) cat Chart.yaml
        apiVersion: v1
        appVersion: "1.0"
        description: A Helm chart for Kubernetes
        name: crowd
        version: 0.1.0
  6. Charts
        ➜ crowd git:(master) cat values.yaml
        replicaCount: 1
        image:
          repository: crowd
          tag: latest
          pullPolicy: IfNotPresent
        # Hostname of the mysql server crowd will connect to
        mysql_server: localhost
        # Port of the mysql server, standard 3306
        mysql_port: 3306
  7. Charts
        ➜ ipa git:(master) cat templates/deployment.yaml
        apiVersion: apps/v1
        kind: Deployment
        metadata:
          name: {{ include "ipa.fullname" . }}
          labels:
        {{ include "ipa.labels" . | indent 4 }}
        spec:
          replicas: {{ .Values.replicaCount }}
          selector:
            matchLabels:
              app.kubernetes.io/name: {{ include "ipa.name" . }}
              app.kubernetes.io/instance: {{ .Release.Name }}
          template:
            metadata:
              labels:
                app.kubernetes.io/name: {{ include "ipa.name" . }}
                app.kubernetes.io/instance: {{ .Release.Name }}
  8. Charts
        # dnsPolicy is a pod-level field; it is not valid inside a container entry
        dnsPolicy: "ClusterFirst"
        initContainers:
          - name: wait-for-mysql
            image: "{{ .Values.validationCheck.image.repository }}:{{ .Values.validationCheck.image.tag }}"
            imagePullPolicy: {{ .Values.validationCheck.image.pullPolicy }}
            # Block until the MySQL port accepts connections
            command: ['sh', '-c', 'until nc -zv "{{ .Values.mysql_server }}" "{{ .Values.mysql_port }}"; do echo waiting for {{ .Values.mysql_server }}; sleep 2; done;']
        containers:
          - name: {{ .Chart.Name }}
            image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
            imagePullPolicy: {{ .Values.image.pullPolicy }}
            ports:
              - name: http
                containerPort: 8095
                protocol: TCP
            env:
              - name: MYSQL_SERVER
                value: "{{ .Values.mysql_server }}"
              - name: MYSQL_PORT
                value: "{{ .Values.mysql_port }}"
  9. SubCharts
        ➜ cms git:(master) tree -L 2
        ├── charts
        │   ├── ipa
        │   ├── ipa-mysql
        │   ├── webapp
        │   ├── backend
        │   ├── doc
        │   ├── mysql
        │   ├── webapp2
        │   └── proxy
        ├── Chart.yaml
        ├── templates
        └── values.yaml
  10. SubCharts
        ➜ cms git:(master) cat values.yaml
        ipa:
          image:
            repository: localhost:5000/ipa
            pullPolicy: Always
          mysql_server: "cms-ipa-mysql.default.svc.cluster.local"
          mysql_port: 3306
  11. To Repo or Not To Repo?
    • ~ helm repo list
        NAME    URL
        stable  https://kubernetes-charts.storage.googleapis.com
        local   http://127.0.0.1:8879/charts
    • Chartmuseum
    • Git + GitSubmodules
  12. Workflow
        $ helm init --history-max 200
        $ helm repo update
        $ helm install stable/mysql
        NAME: wintering-rodent
        LAST DEPLOYED: Thu Sep 25 19:20:18 2019
        NAMESPACE: default
        STATUS: DEPLOYED
        $ helm upgrade --set pwd=3jk$o2,z=f\30.e wintering-rodent stable/mysql
        $ helm delete wintering-rodent
  13. Workflow
        ➜ CMS-Release helm list
        NAME  REVISION  UPDATED                   STATUS    CHART      APP VERSION  NAMESPACE
        cms   1         Thu Sep 26 19:48:52 2019  DEPLOYED  cms-0.1.0  1.0          default
  14. Testing
    • Syntax
        ➜ helm template ipa
        ---
        # Source: ipa/templates/service.yaml
        apiVersion: v1
        kind: Service
        metadata:
          name: release-name-ipa
      – helm plugin install https://github.com/instrumenta/helm-kubeval
    • Test config against Kube schemas
  15. Testing
    • Unit testing
      – helm test <chart>
        • hooks: test-success, test-failure
        • Container definition which must exit 0
      – Conftest: Open Policy Agent
        • Broader than kubeval
        • Rego Policy Language
  16. Helmfile
    Declarative spec for deploying helm charts.
    • Keep a directory of chart value files and maintain changes in version control.
    • Apply CI/CD to configuration changes.
    • Periodically sync to avoid skew in environments.
  17. Helm v3
    • Re-architecture
      – Based on community best practices
      – Dramatic simplification
      – Security
    • Bye bye Tiller
      * and the crowd goes nuts *
    • Talks directly to Kube API
    • Security Security Security
      – Helm capabilities limited to user context/permissions
  18. Helm v3
    • Command-line changes
      – helm delete → helm uninstall
      – helm inspect → helm show
      – helm fetch → helm pull
      – --purge default (override: helm uninstall --keep-history)
    • Default to single namespace for single release
    • Chart dependency management
    • Required to specify release name (unless --generate-name)
    • Pluggable auth
    • Optional Lua templating
    • Validation if Release will be successful before applying
    • Library Charts
    • Personal Repos instead of stable upstream repo
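
An added example, not taken from the deck: a Conftest policy in Rego for the testing step on slides 14 and 15, evaluated against the manifests printed by `helm template`. The rule and helper names are illustrative; it assumes the file is saved under Conftest's default `policy/` directory and run as `helm template ipa | conftest test -`.

```rego
# Added example: policy/images.rego (file name is an assumption)
package main

import rego.v1

# Containers and init containers of a rendered Deployment's pod template.
pod_containers contains c if {
	input.kind == "Deployment"
	some c in input.spec.template.spec.containers
}

pod_containers contains c if {
	input.kind == "Deployment"
	some c in input.spec.template.spec.initContainers
}

# The name[:tag] part after the last "/", so a registry port such as
# localhost:5000 is not mistaken for a tag.
image_name(image) := parts[count(parts) - 1] if {
	parts := split(image, "/")
}

# Fails for values such as image.tag: latest.
deny contains msg if {
	some c in pod_containers
	endswith(image_name(c.image), ":latest")
	msg := sprintf("%s: container %q uses the mutable tag in %q", [input.metadata.name, c.name, c.image])
}

# Fails when the chart renders an image reference with no tag at all.
deny contains msg if {
	some c in pod_containers
	not contains(image_name(c.image), ":")
	msg := sprintf("%s: container %q image %q has no tag, so it resolves to latest", [input.metadata.name, c.name, c.image])
}
```

Conftest evaluates each YAML document in the rendered stream separately, so the rules see one Deployment at a time and skip other kinds such as the Service.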