Chef's Operations Workflow

Transcript

1. Chef's Operations Workflow Joshua Timberman <[email protected]> @jtimberman

2. https://commons.wikimedia.org/wiki/File:BalticServers_data_center.jpg % whoami

3. Why are we here? https://www.flickr.com/photos/10785432@N03/6570725517

4. None

5. Cloud Native

6. Many applications

7. Applications, sample set • Hosted Chef (api.chef.io) • Downloads (downloads.chef.io)

   • Omnitruck (omnitruck.chef.io) • Learn Chef (learn.chef.io) • Chef Community Cookbooks (supermarket.chef.io) • Internal and External utilities • "Gateway" and "glue" services • Kubernetes ;) • etc...

8. Platform Consistency

9. Cohesion

10. Industry awareness

11. Components

12. No Live Demo Today! https://flic.kr/p/RJ5xEs

13. Code Repository

14. GitHub

15. None
16. None
17. None
18. None

19. CI / CD

20. Buildkite + Chat Bot

21. == CI SaaS...

22. Expeditor, our chatbot ==

23. YAML

24. slack: notify_channel: ops-notify github: delete_branch_on_merge: true # These are our

    Buildkite pipelines where deploys take place pipelines: - verify: description: Pull Request validation tests - deploy/acceptance: description: Deploy changes to kubernetes.chef.co pods definition: .expeditor/deploy.pipeline.yml env: - ENVIRONMENT: acceptance - APP: chef-web-util - deploy/production: description: Deploy changes to kubernetes.chef.co pods definition: .expeditor/deploy.pipeline.yml env: - ENVIRONMENT: production - APP: chef-web-util # These actions are taken when `/expeditor promote` is run from Slack promote: action: - bash:.expeditor/promote.sh - trigger_pipeline:deploy/production: only_if_conditions: - value_one: "{{target_channel}}" operator: equals value_two: stable - bash:.expeditor/purge-cdn.sh: post_commit: true channels: - acceptance - stable merge_actions: - built_in:trigger_habitat_package_build: post_commit: true ignore_labels: - "Habitat: Skip Build" - "Expeditor: Skip All" habitat_packages: - chef-web-util: origin: chefops export: - docker subscriptions: - workload: docker_image_published:chefops/chef-web-util:acceptance actions: .expeditor/config.yml

25. Expeditor listens to webhooks and takes actions

26. Expeditor Integrations • Buildkite • Docker/Docker Hub • GitHub •

    Habitat/Habitat Builder • Slack

27. Slack notification

28. Delete merged branches

29. Artifact promotion

30. Trigger Habitat package builds

31. Publish Docker Images

32. pipelines: - verify: description: Pull Request validation tests - deploy/acceptance:

    description: Deploy changes to kubernetes definition: .expeditor/deploy.pipeline.yml env: - ENVIRONMENT: acceptance - APP: APPNAME - deploy/production: description: Deploy changes to kubernetes definition: .expeditor/deploy.pipeline.yml env: - ENVIRONMENT: production - APP: APPNAME .expeditor/config.yml: pipelines

33. pipelines: - verify: description: Pull Request validation tests - deploy/acceptance:

    description: Deploy changes to kubernetes definition: .expeditor/deploy.pipeline.yml env: - ENVIRONMENT: acceptance - APP: APPNAME - deploy/production: description: Deploy changes to kubernetes definition: .expeditor/deploy.pipeline.yml env: - ENVIRONMENT: production - APP: APPNAME .expeditor/config.yml: pipelines .expeditor/verify.pipeline.yml

34. pipelines: - verify: description: Pull Request validation tests - deploy/acceptance:

    description: Deploy changes to kubernetes definition: .expeditor/deploy.pipeline.yml env: - ENVIRONMENT: acceptance - APP: APPNAME - deploy/production: description: Deploy changes to kubernetes definition: .expeditor/deploy.pipeline.yml env: - ENVIRONMENT: production - APP: APPNAME .expeditor/config.yml: pipelines

35. steps: - label: static command: | static syntax and lint

    checking commands (shellcheck, rubocop, etc) plugins: docker#v1.1.1: image: "chefes/buildkite" - label: unit #... unit testing commands, rspec, etc - label: audit #... for auditing bundles in ruby apps for example .expeditor/verify.pipeline.yml

36. New PRs will run Verify pipeline

37. Verify Pipeline - Success!

38. steps: - command: .expeditor/buildkite/kubernetes.sh label: "Kubernetes" concurrency: 1 concurrency_group: chef-nginx-demo-master/deploy/$ENVIRONMENT

    plugins: docker#v1.1.1: always-pull: true image: "chefes/buildkite" environment: - CHEF_CD_AWS_ACCESS_KEY_ID - CHEF_CD_AWS_SECRET_ACCESS_KEY - AWS_SSL_ARN - ENVIRONMENT - CI - APP - HAB_AUTH_TOKEN deploy.pipeline.yml

39. View the new pipelines

40. None

41. Applications!

42. Habitat https:/ /www.habitat.sh

43. Build, Deploy, Manage

44. Service Lifecycle Management

45. Packaging

46. pkg_name="chef-web-util" pkg_origin="chefops" pkg_version="1.0.0" pkg_maintainer="Chef Operations <[email protected]>" pkg_license=("Proprietary") pkg_scaffolding="core/scaffolding-ruby" scaffolding_ruby_pkg="core/ruby/$(cat ${PLAN_CONTEXT}/../.ruby-version)"

    pkg_deps=(core/curl) plan.sh

47. chef-web-util: Source Path: /src chef-web-util: Installed Path: /hab/pkgs/chefops/chef-web-util/ 1.0.0/20181010192533 chef-web-util:

    Artifact: /src/results/chefops-chef-web- util-1.0.0-20181010192533-x86_64-linux.hart chef-web-util: Build Report: /src/results/last_build.env chef-web-util: SHA256 Checksum: a11540fb7908d4d1e67c56165b9a4388a0c10858aa729b029cc4aa9bf9770feb chef-web-util: Blake2b Checksum: 7a987da5536703ac1301d3c5ed17fe510dabf04d84b02ee052df1a1da7d6c467 chef-web-util: chef-web-util: I love it when a plan.sh comes together. chef-web-util: chef-web-util: Build time: 1m36s hab studio enter > build

48. Habitat packages: • Are timestamp-based artifacts • Declare all their

    dependencies • Are "self contained" • https://habitat.sh

49. Build Service

50. None
51. None

52. hab pkg export docker

53. Push Image to Docker Hub

54. Orchestration / Choreography

55. None

56. https://flic.kr/p/bFe9Bs

57. Kubernetes is a portable, extensible open-source platform for managing containerized

    workloads and services, that facilitates both declarative configuration and automation.

58. Tl;dr: Docker as a Service https://libreshot.com/container-ship-freighter/

59. https://flic.kr/p/4wWPEB

60. steps: - command: .expeditor/buildkite/kubernetes.sh label: "Kubernetes" concurrency: 1 concurrency_group: chef-nginx-demo-master/deploy/$ENVIRONMENT

    plugins: docker#v1.1.1: always-pull: true image: "chefes/buildkite" environment: - CHEF_CD_AWS_ACCESS_KEY_ID - CHEF_CD_AWS_SECRET_ACCESS_KEY - AWS_SSL_ARN - ENVIRONMENT - CI - APP - HAB_AUTH_TOKEN deploy.pipeline.yml

61. #!/bin/bash set -euo pipefail if [[ ! -z ${CI+x} ]];

    then aws-configure chef-cd mkdir -p ~/.kube aws --profile chef-cd s3 cp s3://chef-cd-citadel/kubernetes.chef.co.config ~/.kube/config else echo "WARN: Not running in Buildkite, assuming local manual deployment" echo "WARN: This requires that ~/.kube/config exists with the proper content" fi export ENVIRONMENT=${ENVIRONMENT:-dev} export APP=${APP} DEBUG=${DEBUG:-false} # This block translates the "environment" into the appropriate Habitat # channel from which to deploy the packages if [ "$ENVIRONMENT" == "acceptance" ]; then export CHANNEL=acceptance elif [ "$ENVIRONMENT" == "production" ]; then export CHANNEL=stable elif [ "$ENVIRONMENT" == "dev" ] || [ "$ENVIRONMENT" == "test" ]; then export CHANNEL=unstable else echo "We do not currently support deploying to $ENVIRONMENT" exit 1 fi # We need the HAB_AUTH_TOKEN set (via Buildkite pipeline) for private packages get_image_tag() { results=$(curl --silent -H "Authorization: Bearer $HAB_AUTH_TOKEN" https://willem.habitat.sh/v1/depot/channels/chefops/${CHANNEL}/pkgs/${APP}/latest | jq '.ident') pkg_version=$(echo "$results" | jq -r .version) pkg_release=$(echo "$results" | jq -r .release) echo "${pkg_version}-${pkg_release}" } # Retrieves the ELB's public DNS name get_elb_hostname() { kubectl get services ${APP}-${ENVIRONMENT} --namespace=${APP} -o json 2>/dev/null | \ jq '.status.loadBalancer.ingress[].hostname' -r } # The ELB isn't ready until the hostname is set, so wait until it's ready wait_for_elb() { attempts=0 max_attempts=10 elb_host="" while [[ $attempts -lt $max_attempts ]]; do elb_host=$(get_elb_hostname || echo) if [[ ! -n $elb_host ]]; then echo "Did not find ELB yet... sleeping 5s" attempts=$[$attempts + 1] sleep 5 else echo "Found ELB: $elb_host" break fi done } # Used for debugging on a local workstation if [[ $DEBUG == "true" ]]; then echo "--- DEBUG: Environment" echo "Application: ${APP}" echo "Channel: ${CHANNEL}" echo "Environment: ${ENVIRONMENT}" fi echo "--- Applying kubernetes configuration for ${ENVIRONMENT} to cluster" IMAGE_TAG=$(get_image_tag) erb -T- kubernetes/deployment.yml | kubectl apply -f - if [[ `grep -c "^kind: Service$" kubernetes/deployment.yml` -gt 0 ]]; then echo "+++ Waiting for Load Balancer..." wait_for_elb fi kubernetes.sh

62. .expeditor/buildkite/kubernetes.sh • Deploy pipeline in Buildkite runs the script •

    Copies credentials used for kubectl • Retrieves the Habitat package information from Builder • Applies the kubernetes/deployment.yml manifest • Waits until the ELB is available (if there is one) • Success!

63. Habitat package data • Version • Release • Channel(s)

64. export IMAGE_TAG=$(get_image_tag) erb -T- kubernetes/deployment.yml | kubectl apply -f -

    kubernetes.sh

65. Kubernetes Resources • Pods • StatefulSets & Deployments • Services

    • Namespaces • Custom Resource Definitions (CRDs)

66. --- apiVersion: v1 kind: Namespace metadata: name: nginx-demo --- apiVersion:

    habitat.sh/v1beta1 kind: Habitat metadata: name: nginx-demo-<%= ENV['ENVIRONMENT'] %> namespace: nginx-demo labels: app: nginx-demo-<%= ENV['ENVIRONMENT'] %> customVersion: v1beta2 spec: v1beta2: image: chefops/nginx-demo:<%= ENV['IMAGE_TAG'] %> count: 2 service: name: nginx-demo-<%= ENV['ENVIRONMENT'] %> topology: standalone --- apiVersion: v1 kind: Service metadata: name: nginx-demo-<%= ENV['ENVIRONMENT'] %> namespace: nginx-demo spec: selector: habitat-name: nginx-demo-<%= ENV['ENVIRONMENT'] %> ports: - name: http port: 80 targetPort: 80 protocol: TCP type: LoadBalancer Kubernetes: A Primer via Configuration

67. --- apiVersion: v1 kind: Namespace metadata: name: nginx-demo kubernetes/deployment.yml -

    Namespace • Namespaces isolate resources in "virtual clusters" • Each application gets a namespace

68. apiVersion: habitat.sh/v1beta1 kind: Habitat metadata: name: nginx-demo-<%= ENV['ENVIRONMENT'] %> namespace:

    nginx-demo labels: app: nginx-demo-<%= ENV['ENVIRONMENT'] %> customVersion: v1beta2 spec: v1beta2: image: chefops/nginx-demo:<%= ENV['IMAGE_TAG'] %> count: 2 service: name: nginx-demo-<%= ENV['ENVIRONMENT'] %> topology: standalone kubernetes/deployment.yml - Habitat • Applications are deployed using the Habitat Operator • This creates a StatefulSet with two pods • The pods will use the Docker image specified

69. Habitat Operator https:/ /www.habitat.sh/get-started/kubernetes/

70. apiVersion: v1 kind: Service metadata: name: nginx-demo-<%= ENV['ENVIRONMENT'] %> namespace:

    nginx-demo spec: selector: habitat-name: nginx-demo-<%= ENV['ENVIRONMENT'] %> ports: - name: http port: 80 targetPort: 80 protocol: TCP type: LoadBalancer kubernetes/deployment.yml - Service

71. % kubectl get all -n nginx-demo NAME READY STATUS RESTARTS

    AGE pod/nginx-demo-acceptance-0 1/1 Running 0 4m pod/nginx-demo-acceptance-1 1/1 Running 0 4m NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE service/nginx-demo-acceptance LoadBalancer 100.64.186.238 ac1532ae98ed5... 80:31027/TCP 4m NAME DESIRED CURRENT AGE statefulset.apps/nginx-demo-acceptance 2 2 4m Kubernetes resources are created

72. Infrastructure Automation

73. Kops - "Kubernetes Operations"

74. apiVersion: kops/v1alpha2 kind: InstanceGroup metadata: labels: kops.k8s.io/cluster: kubernetes.chef-internal name: nodes

    spec: additionalUserData: - content: | #!/bin/sh - installs, configures, and runs chef name: chefbootstrap.sh type: text/x-shellscript cloudLabels: X-Application: kubernetes X-Contact: jtimberman X-Dept: Operations X-Environment: production image: kope.io/k8s-1.8-debian-jessie-amd64-hvm-ebs-2018-02-08 machineType: m4.xlarge maxSize: 6 minSize: 4 nodeLabels: kops.k8s.io/instancegroup: nodes role: Node subnets: - us-west-2a Kops nodes and masters configuration
75. None

76. additionalUserData: - content: | #!/bin/sh apt-get -y update apt-get -y

    install python-pip pip install awscli mkdir -p /etc/chef /usr/local/bin/aws --region us-east-1 s3 cp s3://citadel-bucket/validation.pem /etc/chef/validation.pem INSTANCE_ID=$(curl -s 169.254.169.254/1.0/meta-data/instance-id) cat >/etc/chef/client.rb <<EOF node_name "$INSTANCE_ID" log_location "/var/log/chef/client.log" chef_server_url "https://api.chef.io/organizations/chef-utility" validation_client_name "chef-utility-validator" verify_api_cert true use_policyfile true policy_group "prod" policy_name "k8s-node" EOF curl -L https://omnitruck.chef.io/install.sh | sudo bash -s -- -v 14.4.56 mkdir /var/log/chef chef-client name: chefbootstrap.sh type: text/x-shellscript Additional User Data - chef bootstrap script

77. cat >/etc/chef/client.rb <<EOF node_name "$INSTANCE_ID" log_location "/var/log/chef/client.log" chef_server_url "https://api.chef.io/organizations/chef-utility" validation_client_name

    "chef-utility-validator" verify_api_cert true use_policyfile true policy_group "prod" policy_name "k8s-node" EOF curl -L https://omnitruck.chef.io/install.sh | sudo bash -s chef-client Kops - chefbootstrap.sh

78. k8s-node Chef Policyfile recipes • User management (LDAP, SSH Keys)

    • Centralized Logging • Send Inspec profile data to Chef Automate • Keep Chef package updated • Ensure Chef is running on a schedule

79. Verification and Monitoring

80. None

81. Acceptance and Stakeholders https://en.wikipedia.org/wiki/Acceptance_testing#/media/File:James_Webb_Primary_Mirror.jpg

82. Monitoring

83. Monitoring Observability

84. Prometheus + Grafana

85. https://github.com/coreos/prometheus-operator

86. None

87. SECRETS??!!

88. Secrets Management • SSL certificates • API tokens • SSH

    keys • Configuration files • Repositories • AWS Accounts • Kubernetes
89. None

90. Walkthrough

91. Procedure 1.Make changes to the Repository, open a pull request

    2.Wait for Buildkite verification, peer approval, then merge 3.Wait for Expeditor to complete merge actions 4.Verify acceptance with stakeholders 5.Promote to Production

92. Previous Procedure • Let's just say... • It was more

    than 5 steps • And most of them were manual • Unfortunate, really • For an Automation Company

93. Make changes to the repository, open a pull request git

    checkout -b $USERNAME/my-branch # make some changes with your favorite editor git add . git commit -m 'updating the site with new features or fixes' git push origin $USERNAME/my-branch

94. Wait for Expeditor to complete merge actions

95. Verify Acceptance with stakeholders

96. Promote to Production

97. Coworker: "Wait... that's all?"

98. Conclusion

99. Procedure 1.Make changes to the Repository, open a pull request

    2.Wait for Buildkite verification, peer approval, then merge 3.Wait for Expeditor to complete merge actions 4.Verify acceptance with stakeholders 5.Promote to Production

100. Automation has shifted

101. Workflow > Infrastructure

102. Business benefit

103. Questions? Joshua Timberman <[email protected]> @jtimberman Resources and Links https://www.habitat.sh https://www.lita.io/

     https://buildkite.com https://github.com/habitat-sh/habitat-operator https://github.com/coreos/prometheus-operator