To Helm Or Not To Helm

Alex Khaerov

January 17, 2019

Transcript

  1. To Helm Or Not To Helm? by Alex Khaerov (@hayorov)
  8. About me: I'm Alex Khaerov, Development Lead at Chainstack. Blockchains, cloud providers. We ❤ Helm and K8s.
  9. Agenda: • Functions of Helm • Helm hidden gems • Securing Helm • Future of Helm and alternatives • Q&A
  13. HELM is a package manager (~1k⭐)

  22. Helm addresses several needs: • Packaging (application metadata, repositories, package dependencies) • Complexity management (parametrization, templating) • Application lifecycle (deploy/config revisions, rollbacks, hooks, application probes) • "Batteries included" (command plugins)
  27. Where to browse charts? github.com/helm/charts: ~270 charts in the stable and incubator repos
  33. Helm Hub (hub.helm.sh): 469+ charts from 15+ outside repos, listed in repo-values.yml
  47. Open Service Broker API integration. What are Service Brokers? (diagram) Instead of provisioning a managed MySQL at the cloud provider manually, my cluster asks for it (tier: Basic) through a Service Broker (OSBA) and receives the DB credentials back. Helm glues the Service Broker and the charts that consume OSB resources.
  48. Repositories on GCS. ChartMuseum is the de-facto standard; helm-gcs is a plugin that manages private repos on GCS. Authentication using: • application default credentials • service account (via the global flag)

  50. Helm architecture (diagram): the Helm client fetches charts from the chart repo over HTTPS; using the kubeconfig it talks gRPC to the tiller-deploy svc/pod in the kube-system ns; Tiller calls the kube-apiserver REST API with its Service Account, keeps release state in release configmaps, and creates the release deployment, svc, configmap and microservice pods in the release namespace(s).
  53. Kubernetes RBAC: • Turn RBAC on • Tiller uses the default service account in a namespace • helm init does not create the associated ServiceAccount/Roles/RoleBindings ☝ (diagram: tiller-deploy pod → Service Account → Role, RoleBinding → RBAC → REST API)
  55. Kubernetes RBAC (diagram: the cluster admin's Helm client talks to a Tiller in the kube-system ns, team X's Helm client to its own Tiller in the team X ns, each with its own Service Account and RBAC): • No multi-tenancy support • Solution: multi-Tiller installations • Per developer, per team, per environment
  57. Release information: • By default Tiller stores release information in ConfigMaps (diagram: release configmap replaced by release secrets, guarded by the Service Account, Role, RoleBinding and RBAC) • Secrets are still limited to 1MB in size
  59. Chart repos: • Use HTTPS always • Publish signed charts • Helm client supports repo certs • ChartMuseum supports basic auth • helm-gcs plugin with GCP auth (diagram: the Helm client fetches signed charts from the chart repo over HTTPS with mTLS or basic auth)
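The chart-repo side of the "Securing Helm" section (slides 48 and 59) as one added example. This is my script, not the speaker's or the helm-gcs project's code: it refuses non-HTTPS repos, adds a repo with pinned CA plus client cert or basic auth, packages signed charts, re-implements the two checks `helm verify` performs (tarball digest recorded in the .prov file, then the PGP signature), and publishes to GCS with helm-gcs. Assumed: a Helm 2.x client, gpg keyrings under ~/.gnupg, placeholder repo URLs, key name, bucket and file names, and the helm-gcs `--service-account` flag name (check `helm gcs --help`). DRY_RUN=1, the default, prints the commands that need a cluster, repo or key instead of running them; the digest check runs for real.

```shell
#!/bin/sh
# Added example, not code from the talk or the helm-gcs project.
#   1. add chart repos only over HTTPS, pinning the repo CA and presenting a
#      client cert (mTLS) or basic-auth credentials (e.g. against ChartMuseum);
#   2. package signed charts and verify provenance (digest + PGP signature)
#      before installing, which is what `helm verify` / `--verify` do;
#   3. publish private charts to a GCS bucket with the helm-gcs plugin.
# Assumptions: Helm 2.x client, gpg keyrings in ~/.gnupg; repo URLs, key name,
# bucket and file names are placeholders. DRY_RUN=1 (default) prints the
# commands that need a cluster, repo or key instead of running them.
set -eu

DRY_RUN="${DRY_RUN:-1}"
run() { if [ "$DRY_RUN" = "1" ]; then echo "+ $*"; else eval "$*"; fi; }

# 1. Repository access. Refuse anything that is not https://.
repo_add_cmd() {   # repo_add_cmd <name> <url> mtls|basic
  case "$2" in
    https://*) ;;
    *) echo "refusing non-HTTPS repo URL: $2" >&2; return 1 ;;
  esac
  case "$3" in
    mtls)  echo "helm repo add $1 $2 --ca-file ./repo-ca.pem" \
                "--cert-file ./client.cert.pem --key-file ./client.key.pem" ;;
    basic) echo "helm repo add $1 $2 --ca-file ./repo-ca.pem" \
                "--username \"\$REPO_USER\" --password \"\$REPO_PASS\"" ;;
    *)     echo "unknown auth mode: $3" >&2; return 1 ;;
  esac
}

# 2. Signing. `helm package --sign` writes <chart>.tgz.prov: a clear-signed
#    PGP message holding Chart.yaml plus the sha256 of the tarball.
sign_chart_cmd() { echo "helm package --sign --key '$1' --keyring ~/.gnupg/secring.gpg $2"; }

sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# Digest half of provenance verification: the .prov must record exactly the
# sha256 of the tarball about to be installed. Exit 0 only on a match.
prov_digest_matches() {   # prov_digest_matches <chart.tgz> <chart.tgz.prov>
  name="$(basename "$1")"
  recorded="$(grep -F "$name: sha256:" "$2" 2>/dev/null | sed 's/.*sha256://' | tr -d ' ')"
  [ -n "$recorded" ] && [ "$recorded" = "$(sha256_of "$1")" ]
}

# Full check: digest first, then the PGP signature against a trusted public
# keyring. Equivalent to `helm verify --keyring <pubring> <chart.tgz>`.
verify_chart() {          # verify_chart <chart.tgz> <pubring.gpg>
  prov="$1.prov"
  [ -f "$prov" ] || { echo "missing provenance file $prov" >&2; return 1; }
  prov_digest_matches "$1" "$prov" || { echo "digest mismatch for $1" >&2; return 1; }
  run "gpg --no-default-keyring --keyring $2 --verify $prov"
}

# 3. Private repo on GCS with helm-gcs. Auth is Application Default Credentials
#    (gcloud auth application-default login / GOOGLE_APPLICATION_CREDENTIALS)
#    unless a service-account key file is passed; the flag name is my assumption.
gcs_publish_cmds() {      # gcs_publish_cmds <gs://bucket/path> <chart.tgz> [sa.json]
  echo "helm plugin install https://github.com/hayorov/helm-gcs.git"
  echo "helm gcs init $1"
  echo "helm repo add private $1"
  if [ -n "${3:-}" ]; then echo "helm gcs push $2 private --service-account $3"
  else echo "helm gcs push $2 private"; fi
}

main() {
  run "$(repo_add_cmd internal https://charts.example.internal mtls)"
  run "$(sign_chart_cmd 'Release Engineering' ./mychart)"
  run "helm install --verify --keyring ~/.gnupg/pubring.gpg internal/mychart"
  gcs_publish_cmds gs://example-charts/stable mychart-0.1.0.tgz | while read -r c; do run "$c"; done
}
main
```

Run it as-is to see the command sequence; set DRY_RUN=0 once the keyring, CA and bucket exist. The digest check is deliberately separate from the signature check so a tampered tarball is rejected before gpg is even consulted, and a missing .prov file fails closed rather than silently installing an unverified chart.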
  61. gRPC: • Tiller supports TLS on gRPC (diagram: Helm client → tiller-deploy svc over gRPC with TLS; Tiller → REST API under its Service Account, Role, RoleBinding and RBAC)
  62. Secured Helm (diagram): the Helm client fetches charts from the chart repo over HTTPS with TLS or basic auth; it talks to tiller-deploy over gRPC with mTLS; Tiller, under its own Service Account restricted by RBAC, calls the kube-apiserver REST API; release state lives in a release secret in the kube-system ns; the release deployment, svc, configmap and microservice pods land in the release namespace(s).
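The Tiller side of that picture (slides 53 to 62: RBAC, per-namespace Tiller, Secret-backed release storage, TLS on gRPC) as one added example. This is my script, not the speaker's: it generates a namespace-scoped ServiceAccount/Role/RoleBinding, a private CA with a Tiller server cert and a helm client cert, and the `helm init` / client command lines that tie them together. Assumed: a Helm 2.x client, RBAC enabled, a kubectl context already pointing at the cluster, openssl on PATH; the namespace `team-x`, the cert directory and file names are placeholders. DRY_RUN=1, the default, prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from the talk: install a namespace-scoped Tiller
# that (1) runs under its own ServiceAccount bound to a Role rather than the
# namespace's default SA or cluster-admin, (2) keeps release state in Secrets
# instead of ConfigMaps, and (3) accepts gRPC only over mutual TLS.
# Assumptions: Helm 2.x client, RBAC enabled, kubectl context already set,
# openssl on PATH. "team-x", the cert directory and file names are
# placeholders. DRY_RUN=1 (default) prints the commands; DRY_RUN=0 runs them.
set -eu

TEAM_NS="${TEAM_NS:-team-x}"
TILLER_SA="tiller"
CERT_DIR="${CERT_DIR:-./tiller-tls}"
RBAC_FILE="${RBAC_FILE:-./tiller-rbac.yaml}"
DRY_RUN="${DRY_RUN:-1}"

run() { if [ "$DRY_RUN" = "1" ]; then echo "+ $*"; else eval "$*"; fi; }

# ServiceAccount + Role + RoleBinding confined to one namespace. Tiller may
# manage workloads there and nothing elsewhere: no ClusterRole, no cluster-admin.
tiller_rbac_manifest() {   # tiller_rbac_manifest <namespace>
  ns="$1"
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${TILLER_SA}
  namespace: ${ns}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tiller-manager
  namespace: ${ns}
rules:
- apiGroups: ["", "batch", "extensions", "apps"]
  resources: ["*"]
  verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tiller-binding
  namespace: ${ns}
subjects:
- kind: ServiceAccount
  name: ${TILLER_SA}
  namespace: ${ns}
roleRef:
  kind: Role
  name: tiller-manager
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Private CA plus one server cert for Tiller and one client cert for helm.
make_tls_material() {      # make_tls_material <dir>
  dir="$1"
  mkdir -p "$dir"
  openssl genrsa -out "$dir/ca.key.pem" 4096
  openssl req -key "$dir/ca.key.pem" -new -x509 -days 3650 -sha256 \
    -subj "/CN=tiller-ca" -out "$dir/ca.cert.pem"
  for who in tiller helm; do
    openssl genrsa -out "$dir/$who.key.pem" 4096
    openssl req -key "$dir/$who.key.pem" -new -sha256 -subj "/CN=$who" \
      -out "$dir/$who.csr.pem"
    openssl x509 -req -CA "$dir/ca.cert.pem" -CAkey "$dir/ca.key.pem" \
      -CAcreateserial -days 365 -sha256 -in "$dir/$who.csr.pem" \
      -out "$dir/$who.cert.pem"
  done
}

# helm init with: the SA above, Secret-backed release storage (the --override
# rewrites Tiller's command line), and TLS with client-certificate verification.
tiller_init_cmd() {        # tiller_init_cmd <namespace> <cert-dir>
  ns="$1"; dir="$2"
  echo "helm init --tiller-namespace $ns --service-account $TILLER_SA" \
    "--override 'spec.template.spec.containers[0].command'='{/tiller,--storage=secret}'" \
    "--tiller-tls --tiller-tls-verify --tls-ca-cert $dir/ca.cert.pem" \
    "--tiller-tls-cert $dir/tiller.cert.pem --tiller-tls-key $dir/tiller.key.pem"
}

# Every client call names the team's Tiller and presents the client cert;
# --tls-verify additionally checks Tiller's certificate against the CA.
helm_client_cmd() {        # helm_client_cmd <namespace> <cert-dir>
  ns="$1"; dir="$2"
  echo "helm ls --tiller-namespace $ns --tls --tls-verify --tls-ca-cert $dir/ca.cert.pem" \
    "--tls-cert $dir/helm.cert.pem --tls-key $dir/helm.key.pem"
}

main() {
  run "kubectl get namespace $TEAM_NS >/dev/null 2>&1 || kubectl create namespace $TEAM_NS"
  tiller_rbac_manifest "$TEAM_NS" > "$RBAC_FILE"
  run "kubectl apply -f $RBAC_FILE"
  run "make_tls_material $CERT_DIR"
  run "$(tiller_init_cmd "$TEAM_NS" "$CERT_DIR")"
  run "$(helm_client_cmd "$TEAM_NS" "$CERT_DIR")"
}
main
```

Repeat the script per team namespace to get the multi-Tiller layout from slide 55; each Tiller then only sees its own namespace, its release Secrets are readable only by whoever RBAC lets read Secrets there, and a client without the CA-issued cert cannot reach it at all. Keep the helm client key material out of CI images and shared kubeconfigs, since whoever holds it can drive that Tiller.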
  63. Future of Helm and alternatives: Helm 3 is the next big thing • Single-server architecture (no more Tiller) • State storage based on a Release object (CRD) • Embedded Lua engine for scripting • Schematized values files (values.schema.yaml) • Single event-driven model. Current status: a design proposal document.
  71. Any alternatives? • Ksonnet, Metaparticle • Your configuration management system (ansible, terraform, chef …) • CoreOS Operator Framework (1k+ ⭐) Helm add-ons: • Draft, Skaffold (diagram: the options plotted on an axis from "more control" to "more k8s native", with Helm v2 and v3 among them)
  72. Thank you, questions… Alex Khaerov @hayorov