Helm

What is Helm, how it can help you deploy containers in Kubernetes.
Changes in Helm 3.

Christophe Vanlancker

September 27, 2019

Transcript

  1. Helm

  2. What is Helm?
    Package manager for Kubernetes
    – Manage Complexity
    – Easy updates
    – Simple Sharing
    – Rollbacks

  3. A bit of history...

    Deis Hackathon OCT 2015

    Helm 1.x NOV 2015

    Helm 2.x = Helm 1.x + Google Deployment Manager, NOV 2016

    Helm 3.x ~ NOV 2019 (?)

  4. Helm 2

    Client – Server: Helm + Tiller

    Templated YAML + Metadata

    Charts

  5. Charts
    ➜ crowd git:(master) tree
    ├── Chart.yaml
    ├── templates
    │   ├── deployment.yaml
    │   ├── _helpers.tpl
    │   ├── NOTES.txt
    │   ├── service.yaml
    │   └── tests
    │       └── test-connection.yaml
    └── values.yaml

  6. Charts
    ➜ crowd git:(master) cat Chart.yaml
    apiVersion: v1
    appVersion: "1.0"
    description: A Helm chart for Kubernetes
    name: crowd
    version: 0.1.0

  7. Charts
    ➜ crowd git:(master) cat values.yaml
    replicaCount: 1
    image:
      repository: crowd
      tag: latest
      pullPolicy: IfNotPresent
    # Hostname of the mysql server crowd will connect to
    mysql_server: localhost
    # Port of the mysql server, standard 3306
    mysql_port: 3306

  8. Charts
    ➜ ipa git:(master) cat templates/deployment.yaml
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: {{ include "ipa.fullname" . }}
      labels:
    {{ include "ipa.labels" . | indent 4 }}
    spec:
      replicas: {{ .Values.replicaCount }}
      selector:
        matchLabels:
          app.kubernetes.io/name: {{ include "ipa.name" . }}
          app.kubernetes.io/instance: {{ .Release.Name }}
      template:
        metadata:
          labels:
            app.kubernetes.io/name: {{ include "ipa.name" . }}
            app.kubernetes.io/instance: {{ .Release.Name }}

  9. Charts
          # (continued: pod spec of the Deployment template)
          # dnsPolicy is a pod-level field, so it sits beside initContainers/containers
          dnsPolicy: "ClusterFirst"
          initContainers:
            - name: wait-for-mysql
              image: "{{ .Values.validationCheck.image.repository }}:{{ .Values.validationCheck.image.tag }}"
              imagePullPolicy: {{ .Values.validationCheck.image.pullPolicy }}
              command: ['sh', '-c', 'until nc -zv "{{ .Values.mysql_server }}" "{{ .Values.mysql_port }}"; do echo waiting for {{ .Values.mysql_server }}; sleep 2; done;']
          containers:
            - name: {{ .Chart.Name }}
              image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
              imagePullPolicy: {{ .Values.image.pullPolicy }}
              ports:
                - name: http
                  containerPort: 8095
                  protocol: TCP
              env:
                - name: MYSQL_SERVER
                  value: "{{ .Values.mysql_server }}"
                - name: MYSQL_PORT
                  value: "{{ .Values.mysql_port }}"

  10. SubCharts
    ➜ cms git:(master) tree -L 2
    ├── charts
    │   ├── ipa
    │   ├── ipa-mysql
    │   ├── webapp
    │   ├── backend
    │   ├── doc
    │   ├── mysql
    │   ├── webapp2
    │   └── proxy
    ├── Chart.yaml
    ├── templates
    └── values.yaml

  11. SubCharts
    ➜ cms git:(master) cat values.yaml
    ipa:
      image:
        repository: localhost:5000/ipa
        pullPolicy: Always
      mysql_server: "cms-ipa-mysql.default.svc.cluster.local"
      mysql_port: 3306

  12. To Repo or Not To Repo?

    ~ helm repo list
    NAME    URL
    stable  https://kubernetes-charts.storage.googleapis.com
    local   http://127.0.0.1:8879/charts

    Chartmuseum

    Git + GitSubmodules

  13. Workflow
    $ helm init --history-max 200
    $ helm repo update
    $ helm install stable/mysql
    NAME: wintering-rodent
    LAST DEPLOYED: Thu Sep 25 19:20:18 2019
    NAMESPACE: default
    STATUS: DEPLOYED
    $ helm upgrade --set pwd=3jk$o2,z=f\30.e wintering-rodent stable/mysql
    $ helm delete wintering-rodent

  14. Workflow
    ➜ CMS-Release helm list
    NAME  REVISION  UPDATED                   STATUS    CHART      APP VERSION  NAMESPACE
    cms   1         Thu Sep 26 19:48:52 2019  DEPLOYED  cms-0.1.0  1.0          default

  15. Testing

    Syntax
    ➜ helm template ipa
    ---
    # Source: ipa/templates/service.yaml
    apiVersion: v1
    kind: Service
    metadata:
      name: release-name-ipa
    – helm plugin install https://github.com/instrumenta/helm-kubeval

    Test config against Kube schemas

  16. Testing

    Unit testing
    – helm test

    hooks: test-success, test-failure

    Container definition which must exit 0
    – Conftest: Open Policy Agent

    Broader than kubeval

    Rego Policy Language

  17. Helmfile
    Declarative spec for deploying helm charts.

    Keep a directory of chart value files and maintain
    changes in version control.

    Apply CI/CD to configuration changes.

    Periodically sync to avoid skew in environments.

  18. Helm v3

    Re-architecture
    – Based on community best practices
    – Dramatic simplification
    – Security

    Bye bye Tiller * and the crowd goes nuts *

    Talks directly to Kube API

    Security Security Security
    – Helm capabilities limited to user context/permissions
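
Added example (not from the original deck): what "limited to user context/permissions" means in RBAC terms, contrasting a common Helm 2 Tiller binding with a namespaced Role for a Helm 3 user. The namespace `cms`, the Role name `helm-deployer` and the user `ci-deployer` are hypothetical; the resource list assumes a chart that renders only a Deployment and a Service, like the ones shown earlier.

```yaml
# Helm 2: a common Tiller setup. Tiller's service account is bound to
# cluster-admin, so any client that can reach Tiller acts cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tiller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: tiller
    namespace: kube-system
---
# Helm 3: no Tiller. Helm calls the Kube API as the kubeconfig user,
# so a namespaced Role bounds what an install or upgrade can touch.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: helm-deployer          # hypothetical
  namespace: cms               # hypothetical release namespace
rules:
  # Helm 3 keeps release records as Secrets in the release namespace.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "create", "update", "delete"]
  # Only the kinds the chart's templates render.
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["get", "list", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: helm-deployer
  namespace: cms
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: helm-deployer
subjects:
  - kind: User
    name: ci-deployer          # hypothetical kubeconfig user
    apiGroup: rbac.authorization.k8s.io
```

With the second binding, a chart that tries to render a ClusterRole or a resource in another namespace is rejected by the API server instead of being applied by a privileged in-cluster component.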

  19. Helm v3

    Command-line changes
    – helm delete → helm uninstall
    – helm inspect → helm show
    – helm fetch → helm pull
    – --purge default (override: helm uninstall --keep-history)

    Default to single namespace for single release

    Chart dependency management

    Required to specify release name (unless --generate-name)

    Pluggable auth

    Optional Lua templating

    Validation if Release will be successful before applying

    Library Charts

    Personal Repos instead of stable upstream repo
