Helm

Transcript

1. Helm
   

   View Slide

2. What is Helm?
   Package manager for Kubernetes
   – Manage Complexity
   – Easy updates
   – Simple Sharing
   – Rollbacks
   

   View Slide

3. A bit of history...
   ●
   Deis Hackathon OCT 2015
   ●
   Helm 1.x NOV 2015
   ●
   Helm 2.x = Helm 1.x + Google Deployment Manager, NOV 2016
   ●
   Helm 3.x ~ NOV 2019 (?)
   

   View Slide

4. Helm 2
   ●
   Client – Server: Helm + Tiller
   ●
   Templated YAML + Metadata
   ●
   Charts
   

   View Slide

5. Charts
   ➜ crowd git:(master) tree
   ├── Chart.yaml
   ├── templates
   │ ├── deployment.yaml
   │ ├── _helpers.tpl
   │ ├── NOTES.txt
   │ ├── service.yaml
   │ └── tests
   │ └── test-connection.yaml
   └── values.yaml
   

   View Slide

6. Charts
   ➜ crowd git:(master) cat Chart.yaml
   apiVersion: v1
   appVersion: "1.0"
   description: A Helm chart for Kubernetes
   name: crowd
   version: 0.1.0
   

   View Slide

7. Charts
   ➜ crowd git:(master) cat values.yaml
   replicaCount: 1
   image:
   repository: crowd
   tag: latest
   pullPolicy: IfNotPresent
   # Hostname of the mysql server crowd will connect to
   mysql_server: localhost
   # Port of the mysql server, standard 3306
   mysql_port: 3306
   

   View Slide

8. Charts
   ➜ ipa git:(master) cat templates/deployment.yaml
   apiVersion: apps/v1
   kind: Deployment
   metadata:
   name: {{ include "ipa.fullname" . }}
   labels:
   {{ include "ipa.labels" . | indent 4 }}
   spec:
   replicas: {{ .Values.replicaCount }}
   selector:
   matchLabels:
   app.kubernetes.io/name: {{ include "ipa.name" . }}
   app.kubernetes.io/instance: {{ .Release.Name }}
   template:
   metadata:
   labels:
   app.kubernetes.io/name: {{ include "ipa.name" . }}
   app.kubernetes.io/instance: {{ .Release.Name }}
   

   View Slide

9. Charts
   initContainers:
   - name: wait-for-mysql
   image: "{{ .Values.validationCheck.image.repository }}:{{ .Values.validationCheck.image.tag }}"
   imagePullPolicy: {{ .Values.validationCheck.image.pullPolicy }}
   dnsPolicy: "ClusterFirst"
   command: ['sh', '-c', 'until nc -zv "{{ .Values.mysql_server }}" "{{ .Values.mysql_port }}"; do echo waiting for {{ .Values.mysql_server }};
   sleep 2; done;']
   containers:
   - name: {{ .Chart.Name }}
   image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
   imagePullPolicy: {{ .Values.image.pullPolicy }}
   dnsPolicy: "ClusterFirst"
   ports:
   - name: http
   containerPort: 8095
   protocol: TCP
   env:
   - name: MYSQL_SERVER
   value: "{{ .Values.mysql_server }}"
   - name: MYSQL_PORT
   value: "{{ .Values.mysql_port }}"
   

   View Slide

10. SubCharts
    ➜ cms git:(master) tree -L 2
    ├── charts
    │ ├── ipa
    │ ├── ipa-mysql
    │ ├── webapp
    │ ├── backend
    │ ├── doc
    │ ├── mysql
    │ ├── webapp2
    │ └── proxy
    ├── Chart.yaml
    ├── templates
    └── values.yaml
    

    View Slide

11. SubCharts
    ➜ cms git:(master) cat values.yaml
    ipa:
    image:
    repository: localhost:5000/ipa
    pullPolicy: Always
    mysql_server: "cms-ipa-mysql.default.svc.cluster.local"
    mysql_port: 3306
    

    View Slide

12. To Repo or Not To Repo?
    ●
    ~ helm repo list
    NAME URL
    stable https://
    kubernetescharts.storage.googleapis.com
    local http://127.0.0.1:8879/charts
    ●
    Chartmuseum
    ●
    Git + GitSubmodules
    

    View Slide

13. Workflow
    $ helm init --history-max 200
    $ helm repo update
    $ helm install stable/mysql
    NAME: wintering-rodent
    LAST DEPLOYED: Thu Sep 25 19:20:18 2019
    NAMESPACE: default
    STATUS: DEPLOYED
    $ helm upgrade --set pwd=3jk$o2,z=f\30.e wintering-rodent stable/mysql
    $ helm delete wintering-rodent
    

    View Slide

14. Workflow
    ➜ CMS-Release helm list
    NAME REVISION UPDATED STATUS CHART APP VERSION NAMESPACE
    cms 1 Thu Sep 26 19:48:52 2019 DEPLOYED cms-0.1.0 1.0 default
    

    View Slide

15. Testing
    ●
    Syntax
    ➜ helm template ipa
    ---
    # Source: ipa/templates/service.yaml
    apiVersion: v1
    kind: Service
    metadata:
    name: release-name-ipa
    – helm plugin install https://github.com/instrumenta/helm-kubeval
    ●
    Test config against Kube schemas
    

    View Slide

16. Testing
    ●
    Unit testing
    – helm test
    ●
    hooks: test-success, test-failure
    ●
    Container definition which must exit 0
    – Conftest: Open Policy Agent
    ●
    More broader than kubeval
    ●
    Rego Policy Language
    

    View Slide

17. Helmfile
    Declarative spec for deploying helm charts.
    ●
    Keep a directory of chart value files and maintain
    changes in version control.
    ●
    Apply CI/CD to configuration changes.
    ●
    Periodically sync to avoid skew in environments.
    

    View Slide

18. Helm v3
    ●
    Re-architecture
    – Based on community best practices
    – Dramatic simplification
    – Security
    ●
    Bye bye Tiller * and the crowd goes nuts *
    ●
    Talks directly to Kube API
    ●
    Security Security Security
    – Helm capabilities limited to user context/permissions
    

    View Slide

19. Helm v3
    ●
    Command-line changes
    – helm delete → helm uninstall
    – helm inspect → helm show
    – helm fetch → helm pull
    – --purge default (override: helm uninstall –-keep history)
    ●
    Default to single namespace for single release
    ●
    Chart dependency management
    ●
    Required to specify release name (unless –generate-name)
    ●
    Pluggable auth
    ●
    Optional Lua templating
    ●
    Validation if Release will be successful before applying
    ●
    Library Charts
    ●
    Personal Repos instead of stable upstream repo
    

    View Slide

20. View Slide