To Helm Or Not To Helm

@hayorov by Alex Khaerov To Helm Not To Helm Or

@hayorov by Alex Khaerov To Helm Not To Helm Or
?

@hayorov I’m Alex Khaerov $ Development Lead at Chainstack About
Me

Me ∞ blockchains

Me ∞ blockchains ∞ cloud providers

Me ∞ blockchains We ❤ Helm and K8s ∞ cloud providers

@hayorov Functions of Helm Helm hidden gems Securing Helm Future
of Helm and alternatives Q&A Agenda

@hayorov HELM

@hayorov is a package manager HELM

@hayorov is a package manager HELM ~1k⭐

@hayorov Helm addresses several needs

@hayorov Packaging Helm addresses several needs

@hayorov Complexity mngt Packaging Helm addresses several needs

@hayorov Complexity mngt Packaging Application lifecycle Helm addresses several needs

@hayorov “Batteries included” Complexity mngt Packaging Application lifecycle Helm addresses
several needs

@hayorov “Batteries included” Complexity mngt Packaging Application lifecycle Application metadata
Repositories Package dependancies Helm addresses several needs

Repositories Package dependancies Helm addresses several needs Parametrization Templating

Repositories Package dependancies Helm addresses several needs Parametrization Templating Deploy/conﬁg revisions Rollbacks Hooks Application probes

Repositories Package dependancies Helm addresses several needs Parametrization Templating Deploy/conﬁg revisions Rollbacks Hooks Application probes Command plugins

@hayorov Where to browse charts? github.com/helm/charts

@hayorov Where to browse charts? github.com/helm/charts ~270 charts

@hayorov Where to browse charts? github.com/helm/charts ~270 charts stable  incubator

@hayorov Helm Hub

@hayorov Helm Hub hub.helm.sh

@hayorov Helm Hub 469+ charts hub.helm.sh

@hayorov Helm Hub 469+ charts 15+ outside   repos hub.helm.sh

@hayorov Helm Hub 469+ charts 15+ outside   repos repo-values.yml
hub.helm.sh

@hayorov Open Service Broker API integration What are Service Brokers?

@hayorov My Cluster Open Service Broker API integration What are
Service Brokers?

@hayorov My Cluster Cloud Provider Open Service Broker API integration
What are Service Brokers?

What are Service Brokers? Managed MySQL

What are Service Brokers? Managed MySQL manually

What are Service Brokers? Managed MySQL

What are Service Brokers? Managed MySQL Service Broker

What are Service Brokers? Managed MySQL Service Broker OSBA

What are Service Brokers? Managed MySQL Tier: Basic Service Broker OSBA

What are Service Brokers? Managed MySQL Tier: Basic Service Broker OSBA DB credentials

What are Service Brokers? Managed MySQL Tier: Basic Service Broker OSBA DB credentials Helm glues Service Broker and charts that consume OSB resources

@hayorov Repositories on GCS ChartMuseum de-facto is a standard helm-gcs
is a plugin that allows to manage private repos on GCS Authentiﬁcation using: • application default credentials • service account   (via the global ﬂag) 

@hayorov Helm architecture Helm client Chart Repo K8s cluster kube-system
ns microservice ns Kube-api  server Tiller-deploy svc Release configmap Microservice pod release ns(s) Release deployment Tiller-deploy pod Service Account Release svc Release configmap fetch Kubeconfig HTTPS gRPC gRPC RestAPI

@hayorov • Turn RBAC on • Tiller uses the default
service account   in a namespace Kubernetes RBAC • helm init does not create the associated  ServiceAccount/Roles/RoleBindings ☝ Tiller-deploy svc Tiller-deploy pod Service Account Release conﬁgmap RBAC Default Service Account RestAPI

@hayorov • Turn RBAC on • Tiller uses the default
service account   in a namespace Kubernetes RBAC • helm init does not create the associated  ServiceAccount/Roles/RoleBindings ☝ Tiller-deploy svc Tiller-deploy pod Service Account Release conﬁgmap RBAC RestAPI

@hayorov Role RoleBinding • Turn RBAC on • Tiller uses
the default service account   in a namespace Kubernetes RBAC • helm init does not create the associated  ServiceAccount/Roles/RoleBindings ☝ Tiller-deploy svc Tiller-deploy pod Service Account Release conﬁgmap RBAC RestAPI

@hayorov Kubernetes RBAC Helm client Kubeconfig gRPC K8s cluster kube-system
ns Kube-api  server Tiller-deploy svc Release configmap Tiller-deploy pod Service Account Helm client Kubeconfig Cluster Admin X Team Kube-api  server Tiller-deploy svc Release configmap Tiller-deploy pod Service Account Release deployment Release svc Release configmap RestAPI RBAC gRPC RestAPI RBAC • No multi-tenancy support • Solution - Multi-Tiller installations • Per developer, per team, per environment X Team ns ?

@hayorov Kubernetes RBAC Helm client Kubeconfig gRPC K8s cluster kube-system
ns Kube-api  server Tiller-deploy svc Release configmap Tiller-deploy pod Service Account Helm client Kubeconfig Cluster Admin X Team Kube-api  server Tiller-deploy svc Release configmap Tiller-deploy pod Service Account Release deployment Release svc Release configmap RestAPI RBAC gRPC RestAPI RBAC • No multi-tenancy support • Solution - Multi-Tiller installations • Per developer, per team, per environment X Team ns

@hayorov • By default Tiller stores releases  information in ConﬁgMaps
Release information Tiller-deploy svc Tiller-deploy pod Service Account Role RoleBinding Release  secrets RBAC Release  secrets Release  conﬁgmap • Secrets are still limited to 1MB in size

@hayorov • By default Tiller stores releases  information in ConﬁgMaps
Release information Tiller-deploy svc Tiller-deploy pod Service Account Role RoleBinding Release  secrets RBAC Release  secrets • Secrets are still limited to 1MB in size

@hayorov • Use HTTPS always • Publish signed charts •
Helm client supports repo certs • Chartmuseum supports basic auth • helm-gcs plugin with GCP auth Chart Repos Helm client Signed Chart Repo fetch Chart Repo

@hayorov • Use HTTPS always • Publish signed charts •
Helm client supports repo certs • Chartmuseum supports basic auth • helm-gcs plugin with GCP auth Chart Repos Helm client Signed Chart Repo fetch HTTPS mTLS or basic auth

@hayorov gRPC Helm client Kubeconﬁg gRPC • Tiller supports TLS
on gRPC Tiller-deploy svc Tiller-deploy pod Service Account Role RoleBinding Release conﬁgmap RBAC Tiller-deploy svc

@hayorov gRPC Helm client Kubeconﬁg gRPC • Tiller supports TLS
on gRPC Tiller-deploy svc Tiller-deploy pod Service Account Role RoleBinding Release conﬁgmap RBAC TLS

@hayorov Secured Helm Helm client Chart Repo K8s cluster kube-system
ns microservice ns Kube-api  server Tiller-deploy svc Release secret Microservice pod release ns(s) Release deployment Release svc Release conﬁgmap fetch Kubeconﬁg HTTPS gRPC gRPC Service Account HTTPS TLS or basic auth mTLS RBAC mTLS Tiller-deploy pod

@hayorov Helm 3 is the next big thing • Single-server
architecture (no more Tiller) • State storage based of Release object (CRD) • Embedded Lua engine for scripting • Schematized values ﬁles (values.schema.yaml) • Single event-driven model Current status: a design proposal document Future of Helm and alternatives 3

@hayorov Any alternatives? • Ksonnet, Metaparticle • Your conﬁguration mngt
system   (ansible, terraform, chef …) • CoreOS Operator Framework  (1k+ ⭐) Helm add-ons: • Draft, Scaffold Future of Helm and alternatives

system   (ansible, terraform, chef …) • CoreOS Operator Framework  (1k+ ⭐) Helm add-ons: • Draft, Scaffold Future of Helm and alternatives more control more k8s native

system   (ansible, terraform, chef …) • CoreOS Operator Framework  (1k+ ⭐) Helm add-ons: • Draft, Scaffold Future of Helm and alternatives more control more k8s native v2

system   (ansible, terraform, chef …) • CoreOS Operator Framework  (1k+ ⭐) Helm add-ons: • Draft, Scaffold Future of Helm and alternatives more control more k8s native v3 v2

system   (ansible, terraform, chef …) • CoreOS Operator Framework  (1k+ ⭐) Helm add-ons: • Draft, Scaffold Future of Helm and alternatives more control more k8s native v3 v2 K Ksonnet, Metaparticle

system   (ansible, terraform, chef …) • CoreOS Operator Framework  (1k+ ⭐) Helm add-ons: • Draft, Scaffold Future of Helm and alternatives more control more k8s native v3 Y Your Cfg  management v2 K Ksonnet, Metaparticle

system   (ansible, terraform, chef …) • CoreOS Operator Framework  (1k+ ⭐) Helm add-ons: • Draft, Scaffold Future of Helm and alternatives more control more k8s native v3 Operator Framework Y Your Cfg  management v2 K Ksonnet, Metaparticle

system   (ansible, terraform, chef …) • CoreOS Operator Framework  (1k+ ⭐) Helm add-ons: • Draft, Scaffold Future of Helm and alternatives more control more k8s native v3 Operator Framework Y Your Cfg  management v2 A Draft, Skaffold K Ksonnet, Metaparticle

Thank You questions… Alex Khaerov  @hayorov

To Helm Or Not To Helm

To Helm Or Not To Helm

More Decks by Alex Khaerov

Other Decks in Technology

Featured

Transcript