Helm

What Helm is and how it can help you deploy containers in Kubernetes.
Changes in Helm 3.

Christophe Vanlancker

September 27, 2019

Transcript

  1. Helm

  2. What is Helm?
     Package manager for Kubernetes
     – Manage Complexity
     – Easy updates
     – Simple Sharing
     – Rollbacks
  3. A bit of history...
     • Deis Hackathon OCT 2015
     • Helm 1.x NOV 2015
     • Helm 2.x = Helm 1.x + Google Deployment Manager, NOV 2016
     • Helm 3.x ~ NOV 2019 (?)
  4. Helm 2
     • Client – Server: Helm + Tiller
     • Templated YAML + Metadata
     • Charts
  5. Charts
         ➜ crowd git:(master) tree
         ├── Chart.yaml
         ├── templates
         │   ├── deployment.yaml
         │   ├── _helpers.tpl
         │   ├── NOTES.txt
         │   ├── service.yaml
         │   └── tests
         │       └── test-connection.yaml
         └── values.yaml
  6. Charts
         ➜ crowd git:(master) cat Chart.yaml
         apiVersion: v1
         appVersion: "1.0"
         description: A Helm chart for Kubernetes
         name: crowd
         version: 0.1.0
  7. Charts
         ➜ crowd git:(master) cat values.yaml
         replicaCount: 1
         image:
           repository: crowd
           tag: latest
           pullPolicy: IfNotPresent
         # Hostname of the mysql server crowd will connect to
         mysql_server: localhost
         # Port of the mysql server, standard 3306
         mysql_port: 3306
  8. Charts
         ➜ ipa git:(master) cat templates/deployment.yaml
         apiVersion: apps/v1
         kind: Deployment
         metadata:
           name: {{ include "ipa.fullname" . }}
           labels:
         {{ include "ipa.labels" . | indent 4 }}
         spec:
           replicas: {{ .Values.replicaCount }}
           selector:
             matchLabels:
               app.kubernetes.io/name: {{ include "ipa.name" . }}
               app.kubernetes.io/instance: {{ .Release.Name }}
           template:
             metadata:
               labels:
                 app.kubernetes.io/name: {{ include "ipa.name" . }}
                 app.kubernetes.io/instance: {{ .Release.Name }}
  9. Charts
         # dnsPolicy is a pod-level field, so it is set once beside
         # initContainers/containers instead of inside each container.
         dnsPolicy: "ClusterFirst"
         initContainers:
           - name: wait-for-mysql
             image: "{{ .Values.validationCheck.image.repository }}:{{ .Values.validationCheck.image.tag }}"
             imagePullPolicy: {{ .Values.validationCheck.image.pullPolicy }}
             command: ['sh', '-c', 'until nc -zv "{{ .Values.mysql_server }}" "{{ .Values.mysql_port }}"; do echo waiting for {{ .Values.mysql_server }}; sleep 2; done;']
         containers:
           - name: {{ .Chart.Name }}
             image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
             imagePullPolicy: {{ .Values.image.pullPolicy }}
             ports:
               - name: http
                 containerPort: 8095
                 protocol: TCP
             env:
               - name: MYSQL_SERVER
                 value: "{{ .Values.mysql_server }}"
               - name: MYSQL_PORT
                 value: "{{ .Values.mysql_port }}"
  10. SubCharts
          ➜ cms git:(master) tree -L 2
          ├── charts
          │   ├── ipa
          │   ├── ipa-mysql
          │   ├── webapp
          │   ├── backend
          │   ├── doc
          │   ├── mysql
          │   ├── webapp2
          │   └── proxy
          ├── Chart.yaml
          ├── templates
          └── values.yaml
  11. SubCharts
          ➜ cms git:(master) cat values.yaml
          ipa:
            image:
              repository: localhost:5000/ipa
              pullPolicy: Always
            mysql_server: "cms-ipa-mysql.default.svc.cluster.local"
            mysql_port: 3306
  12. To Repo or Not To Repo?
      • ~ helm repo list
            NAME    URL
            stable  https://kubernetes-charts.storage.googleapis.com
            local   http://127.0.0.1:8879/charts
      • Chartmuseum
      • Git + GitSubmodules
  13. Workflow
          $ helm init --history-max 200
          $ helm repo update
          $ helm install stable/mysql
          NAME: wintering-rodent
          LAST DEPLOYED: Thu Sep 25 19:20:18 2019
          NAMESPACE: default
          STATUS: DEPLOYED
          $ helm upgrade --set pwd=3jk$o2,z=f\30.e wintering-rodent stable/mysql
          $ helm delete wintering-rodent
  14. Workflow
          ➜ CMS-Release helm list
          NAME  REVISION  UPDATED                   STATUS    CHART      APP VERSION  NAMESPACE
          cms   1         Thu Sep 26 19:48:52 2019  DEPLOYED  cms-0.1.0  1.0          default
  15. Testing
      • Syntax
            ➜ helm template ipa
            ---
            # Source: ipa/templates/service.yaml
            apiVersion: v1
            kind: Service
            metadata:
              name: release-name-ipa
        – helm plugin install https://github.com/instrumenta/helm-kubeval
      • Test config against Kube schemas
  16. Testing
      • Unit testing
        – helm test <chart>
          • hooks: test-success, test-failure
          • Container definition which must exit 0
        – Conftest: Open Policy Agent
          • Broader than kubeval
          • Rego Policy Language
  17. Helmfile
      Declarative spec for deploying helm charts.
      • Keep a directory of chart value files and maintain changes in version control.
      • Apply CI/CD to configuration changes.
      • Periodically sync to avoid skew in environments.
  18. Helm v3
      • Re-architecture
        – Based on community best practices
        – Dramatic simplification
        – Security
      • Bye bye Tiller * and the crowd goes nuts *
      • Talks directly to Kube API
      • Security Security Security
        – Helm capabilities limited to user context/permissions
  19. Helm v3
      • Command-line changes
        – helm delete → helm uninstall
        – helm inspect → helm show
        – helm fetch → helm pull
        – --purge default (override: helm uninstall --keep-history)
      • Default to single namespace for single release
      • Chart dependency management
      • Required to specify release name (unless --generate-name)
      • Pluggable auth
      • Optional Lua templating
      • Validation if Release will be successful before applying
      • Library Charts
      • Personal Repos instead of stable upstream repo
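
Slide 13 passes a password to `helm upgrade` with `--set` on the command line. As an added example (not part of the original deck), this shell sketch shows what the shell actually hands to Helm for that argument and writes the value to an owner-only values file for `-f` instead; the function names and the temp-file name are assumptions, and `helm` itself is never invoked.

```shell
#!/bin/sh
# Added demo built around slide 13's argument: pwd=3jk$o2,z=f\30.e
# helm is never invoked; the functions only show what it would be handed.

# The argument exactly as typed on the slide (unquoted). o2 is normally
# unset in a session; the empty assignment models that. The shell expands
# $o2 to nothing and drops the backslash before helm starts.
arg_as_typed() {
    o2=''
    printf '%s' pwd=3jk$o2,z=f\30.e
}

# Safer path: write the value to an owner-only values file and pass it with
# -f, so it is not in argv (visible in ps) or in shell history.
# $1 = values key, $2 = secret. Prints the path of the file created.
write_secret_values() {
    key=$1
    secret=$2
    old_umask=$(umask)
    umask 077
    file=$(mktemp "${TMPDIR:-/tmp}/helm-values.XXXXXX")
    umask "$old_umask"
    # YAML single-quoted scalar: the only escape is '' for a literal quote,
    # so $, commas and backslashes are stored unchanged.
    escaped=$(printf '%s' "$secret" | sed "s/'/''/g")
    printf "%s: '%s'\n" "$key" "$escaped" > "$file"
    printf '%s\n' "$file"
}

printf 'helm receives: --set %s\n' "$(arg_as_typed)"
# Helm then splits --set on the comma: two keys (pwd, z), not one password.

# Constructed run: in practice read the secret from a prompt or a secret
# store rather than typing it as an argument as done here.
values=$(write_secret_values pwd '3jk$o2,z=f\30.e')
printf 'values file: %s\n' "$(cat "$values")"
printf 'next: helm upgrade -f %s wintering-rodent stable/mysql\n' "$values"
rm -f "$values"   # demo cleanup only
```

Keep the values file out of version control and delete it once the release has been upgraded.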