HelmとService Brokerで始める検証環境自動構築 / Helm and Service Broker

HelmͱService BrokerͰ
࢝ΊΔݕূ؀ڥࣗಈߏங
ୈ39ճ PaaSษڧձ
Teppei Fukuda (@knqyf263)

View Slide

ࣗݾ঺հ
• Teppei Fukuda (@knqyf263)
• ߪಡອըࡶࢽ
• δϟϯϓ
• αϯσʔ
• ϚΨδϯ
• Ϡϯάδϟϯϓ
• ϠϯάϚΨδϯ
• δϟϯϓSQ
• ผ࡭গ೥ϚΨδϯ
• ίϛοΫDAYSɾεϚϗΞϓϦଟ਺

View Slide

ຊ೔ͷྲྀΕ
• ݕূ؀ڥࣗಈߏஙͷఆٛ
• HelmʹΑΔݕূ؀ڥࣗಈߏங
• Service BrokerʹΑΔ֎෦αʔϏεϓϩϏδϣχϯά
• Helm + Service Broker
• Service Brokerͷݱঢ়ͷ໰୊఺

View Slide

஫ҙࣄ߲
• ର৅ऀ͸KubernetesΛ࢖͑ΔਓʹͳΓ·͢
• Kubernetesʹؔ͢Δઆ໌͸͠·ͤΜ
• Կ͕ग़དྷΔ͔ɺΛ఻͑Δ͜ͱΛॏࢹ͍ͯ͠·͢
• ඞཁͳઃఆΛҰ෦লུͨ͠Γ͍ͯ͠·͢
• ਤʹॻ͖੾Εͳ͔ͬͨࡉ͔͍࿩͸ޱ಄Ͱิ͍·͢
• ηΩϡϦςΟ෦ͷΤϯδχΞͳͷͰৄ͍͜͠ͱ͸Α͘෼͔Γ·ͤΜ

View Slide

ݕূ؀ڥ
ࠓݕূ؀ڥ
σϓϩΠ͍͍ͯ͠ʁ
͜͜Ͱ͸։ൃதʹ࢖ΘΕΔݕূ༻ͷڞ༗؀ڥͱఆٛ͠·͢
ࠓ࢖ͬͯΔ͔Βμϝ
ݕূ؀ڥ

View Slide

ݕূ؀ڥ
·ͩʔʁ
͜Μͳͱ͖ʹࣗ෼༻ͷݕূ؀ڥ͕͋Ε͹...
·ͩμϝʔ
ݕূ؀ڥ

View Slide

ઐ༻ͷݕূ؀ڥ
ࣗ෼༻ͷ؀ڥͰ
͙͢ςετͰ͖Δ
଴ͪ࣌ؒͳ͠ʂ
ݕূ؀ڥ
ݕূ؀ڥ
͔͠͠༧Ί؀ڥΛ༻ҙ͓ͯ͘͠ͷ͸େม
ʢ͍ͭ͘ඞཁ͔΋෼͔Βͳ͍ʣ

View Slide

ݕূ؀ڥࣗಈߏங
ݕূ؀ڥ ݕূ؀ڥ ݕূ؀ڥ
QVTI͞ΕͨΒ
ࣗಈͰ࡞Δ

View Slide

ίϯςφͳΒ؆୯ͳ͸ͣ...!!

View Slide

• KubernetesͷύοέʔδϚωʔδϟʔ
• apt/yum/homebrewͷΑ͏ͳ΋ͷ
• deb, rpmʹ૬౰͢Δ΋ͷ͸Chartͱ
ݺ͹ΕΔ
• ༗໊ͳΞϓϦέʔγϣϯͷChart͸
഑෍͞Ε͍ͯΔ
• helm install͢Δ͚ͩͰk8s্ʹల։
• e.g. helm install jenkins
https://github.com/helm/charts/tree/master/stable/
Helmͱ͸ʁ
https://helm.sh/

View Slide

Chartͱ͸ʁ
$ tree wordpress
wordpress
!"" Chart.yaml
…
!"" templates
# !"" NOTES.txt
# !"" _helpers.tpl
# !"" deployment.yaml
# !"" externaldb-secrets.yaml
# !"" ingress.yaml
# !"" pvc.yaml
# !"" secrets.yaml
# !"" svc.yaml
…
# %"" tls-secrets.yaml
!"" values-production.yaml
%"" values.yaml
• Kubernetestͷ 
Ϧιʔεͷू߹
• ࡶʹݴ͑͹ςϯϓϨʔ
τͱม਺ͷू߹
ςϯϓϨʔτ
ʢ%FQMPZNFOUͱ͔
*OHSFTTͱ͔ʣ
ม਺ఆٛ

View Slide

ςϯϓϨʔτ
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
...
spec:
rules:
- host: {{ .Values.ingress.hostname }}
http:
paths:
- path: /
backend:
serviceName: {{ template "fullname" . }}
servicePort: {{ .Values.service.port }}
ීஈॻ͍ͯΔYAMLΛςϯϓϨʔτԽ͢Δ͚ͩ
ม਺
ม਺

View Slide

ී௨ͷYAML
kind: Ingress
metadata:
...
spec:
rules:
- host: www.example.com
http:
paths:
- path: /
backend:
serviceName: test-svc
servicePort: 80
͜Ε͕

View Slide

ςϯϓϨʔτԽͨ͠YAML
kind: Ingress
metadata:
...
spec:
rules:
- host: {{ .Values.ingress.hostname }}
http:
paths:
- path: /
backend:
serviceName: {{ template "fullname" . }}
servicePort: {{ .Values.service.port }}
͜͏

View Slide

ม਺ఆٛ
$ cat values.yaml
service:
port: 80
ingress:
hostname: www.example.com
͋ͱ͸ values.yaml ʹม਺Λఆٛ͢Δ͚ͩ
γϯϓϧ
Πϯσϯτ͸υοτͰܨ͙
ʢJOHSFTTIPTUOBNF

View Slide

helm install
$ helm install --set ingress.hostname=test.example.com test-chart
CLIͰΠϯετʔϧ࣌ʹม਺ͷ্ॻ͖΋Մೳ

View Slide

ෳ਺ͷϦιʔεΛ·ͱΊΒΕΔ
$ tree wordpress
wordpress
!"" Chart.yaml
…
!"" templates
# !"" NOTES.txt
# !"" _helpers.tpl
# !"" externaldb-secrets.yaml
# !"" ingress.yaml
# !"" pvc.yaml
# !"" secrets.yaml
# !"" svc.yaml
…
# %"" tls-secrets.yaml
!"" values-production.yaml
%"" values.yaml
Service༻ͷYAML
Deployment༻ͷYAML
Ingress༻ͷYAML
helm installͰશͯk8s্ʹల։͞ΕΔ

View Slide

ґଘؔ܎΋هड़Մೳ
$ cat sentry/requirements.yaml
dependencies:
- name: postgresql
version: 0.18.0
repository: https://kubernetes-charts.storage.googleapis.com/
- name: redis
version: 3.8.1
repository: https://kubernetes-charts.storage.googleapis.com/
sentryͷChartʹ͸PostgreSQLͱRedis͕ඞཁ

View Slide

ChartΛࣗ࡞͢Δ
$ tree test-chart
test-chart
!"" Chart.yaml
!"" charts
!"" requirements.lock
!"" requirements.yaml
!"" templates
# !"" NOTES.txt
# !"" _helpers.tpl
# !"" api
# # !"" deployment.yaml
# # !"" ingress.yaml
# # %"" svc.yaml
# %"" ui
# !"" ingress.yaml
# %"" svc.yaml
%"" values.yaml
• ྫɿDBͱΩϟογϡαʔόΛ 
ඞཁͱ͢ΔγϯάϧϖʔδΞ
ϓϦέʔγϣϯ
• UI: ੩తϑΝΠϧΛ഑෍͢Δίϯςφ 
 
ʢຊ൪͸CDNʹஔ͘ͷͰݕূ؀ڥͷΈʣ
• API: APIαʔόΛ࣮૷ͨ͠ίϯςφ
• DB: PostgresQLʢطଘͷChartΛར༻ʣ
• ΩϟογϡɿRedisʢطଘͷChartΛར༻ʣ
3FEJTͱ1PTUHSF42-Λهड़
ʢલड़ʣ
"1*ؔ࿈
6*ؔ࿈
ม਺

View Slide

APIαʔό
kind: Deployment
...
spec:
template:
spec:
...
containers:
- name: {{ .Chart.Name }}-api
image: "{{ .Values.api.image.repository }}:{{ .Values.api.image.tag }}"
...
env:
- name: POSTGRES_HOST
value: {{ template "postgresql.fullname" . }}
- name: REDIS_HOST
value: {{ template "redis.fullname" . }}
DB৘ใ౳͸؀ڥม਺Ͱ౉ͤΔΑ͏ʹ͓ͯ͘͠
(౉͠ํ͸ConﬁgMap/Secretܦ༝Ͱ΋ԿͰ΋ྑ͍ʣ
%#αʔό৘ใ
Ωϟογϡαʔό৘ใ

View Slide

UIαʔό
kind: Deployment
...
spec:
template:
spec:
...
containers:
- name: {{ .Chart.Name }}-ui
...
env:
- name: API_HOST
value: {{ .Values.api.ingress.hostname }}
APIαʔόͷϗετ໊͸؀ڥม਺Ͱ౉͢
"1*αʔό৘ใ

View Slide

UIαʔό
{{- if .Values.test.enabled -}}
kind: Deployment
...
spec:
template:
spec:
...
containers:
- name: {{ .Chart.Name }}-ui
image: "{{ .Values.ui.image.repository }}:{{ .Values.ui.image.tag }}"
...
env:
- name: API_HOST
value: {{ .Values.api.ingress.hostname }}
{{- end -}}
ςετ࣌ͷΈ༗ޮʹ͢Δ
৚݅෼ذ༻ͷม਺Λ
ࣗ෼Ͱఆ͓ٛͯ͘͠

View Slide

ม਺ఆٛ
$ cat values.yaml
test
enabled: true
api
image:
tag: latest
ingress:
hostname: api.example.com
ui:
image:
tag: latest
ingress:
Hostname: ui.example.com
Ϧιʔεؒͷܨ͗໨Λશͯม਺Խ͢Δ
ʢͦͯ͠؀ڥม਺౳Ͱ౉ͤΔΑ͏ʹ͢Δʣ

View Slide

ॏཁͳ͜ͱͳͷͰ੔ཧ
• Ϧιʔεؒͷܨ͗໨Λશͯม਺Խ͢Δ
• UIαʔό <=> APIαʔό
• APIαʔό <=> DBαʔό
• APIαʔό <=> Ωϟογϡαʔό, etc.
• ม਺Խ͢Δ͜ͱͰಉ͡Chart͔Βෳ਺ੜ੒͠΍͘͢ͳΔ
• ݕূ࣌ͷΈඞཁͳϦιʔε͸৚݅෼ذ͢Δ

View Slide

׬੒ܗ
6*
Kubernetes
"1* 1PTUHSF42-
3FEJT
ui.example.com
api.example.com
ᶃ
ᶄ ᶅ

View Slide

helm installͰશͯల։͞ΕΔ
6*
"1* 1PTUHSF42-
3FEJT
6*
"1* 1PTUHSF42-
3FEJT
test-chart
helm install test-chart

View Slide

ϦϦʔε໊
• Helmʹ͸ϦϦʔεͷ֓೦͕͋Δ
• ϦϦʔε໊͕ҟͳΕ͹ಉ͡ύοέʔδΛෳ਺ల։Մೳ
Kubernetes
8PSEQSFTT
chart
XPSEQSFTT
XPSEQSFTT
helm install --name wordpress1 wordpress
helm install --name wordpress2 wordpress

View Slide

test-chart΋ෳ਺ల։Մೳ
6*
"1* 1PTUHSF42-
3FEJT
test-chart
6*
"1* 1PTUHSF42-
3FEJT
6*
"1* 1PTUHSF42-
3FEJT
test2
test1
helm install --name test1 test-chart
helm install --name test2 test-chart

View Slide

test-chart΋ෳ਺ల։Մೳ
test-chart
6*
"1* 1PTUHSF42-
3FEJT
helm install
--set api.ingress.hostname=test1-api.example.com
--set ui.ingress.hostname=test1-ui.example.com
--name test1 test-chart
6*
"1* 1PTUHSF42-
3FEJT
test1-ui.example.com
test1-api.example.com
6*
"1* 1PTUHSF42-
3FEJT
helm install
--set api.ingress.hostname=test2-api.example.com
--set ui.ingress.hostname=test2-ui.example.com
--name test2 test-chart
test2-ui.example.com
test2-api.example.com
%/4Ϩίʔυ΋ࣗಈੜ੒
ʢ؀ڥʹΑͬͯ͸ࣄલઃఆ͕ඞཁʣ

View Slide

͜ΕΛCIͰ࣮ߦ͢Ε͹...ʁ

View Slide

6*
"1* 1PTUHSF42-
3FEJT
pr1-api.example.com
helm install
--set api.ingress.hostname=pr1-api.example.com
--set ui.ingress.hostname=pr1-ui.example.com
--name pr1 test-chart
pr1-ui.example.com
PR࡞੒ʢ#1ʣ
Job࣮ߦ
Kubernetes
PR୯ҐͰͷݕূ؀ڥͷࣗಈߏங͕Մೳʂ

View Slide

6*
"1* 1PTUHSF42-
3FEJT
pr1-api.example.com
helm delete --purge pr1
pr1-ui.example.com
PRΫϩʔζʢ#1ʣ
Job࣮ߦ
Kubernetes
࡟আ΋؆୯

View Slide

શͯղܾ

View Slide

ͱ͸ͳΒͳ͍

View Slide

Ϋϥ΢υαʔϏεͷ
Ϧιʔε͕ࣗಈߏஙͰ͖ͳ͍

View Slide

AWSͷ৔߹
6*
Kubernetes
"1*
3%4
&MBTUJ$BDIF
ui.example.com
api.example.com
424
AWS
ϚωʔδυαʔϏεͱ૊Έ߹Θͤͯ࢖͏͜ͱ΋ଟ͍

View Slide

RDSΛ࢖͏৔߹
6*
"1*
3%4
ᶃઌʹϓϩϏδϣχϯά
AWS
Kubernetes
ᶄ%#৘ใΛίϯςφʹ౉͢
ϗετ໊*%18ʣ

View Slide

͠ΜͲ͍
ʢࣗಈߏங΋೉͍͠ʣ

View Slide

ͦ͜ͰService Broker
※ ྫͱͯ͠AWSΛ༻͍·͕͢GCP౳Ͱ΋جຊ͸ಉ͡Ͱ͢

View Slide

Service Brokerͱ͸ʁ
༷ʑͳαʔϏεΛϓϩϏδϣχϯά͢Δͷ͸ํ๏΋ҧ͏ͨΊେม

View Slide

Service Brokerͱ͸ʁ
஥հਓΛڬΉ͜ͱͰΠϯλϑΣʔεΛ౷Ұ͠ૄ݁߹ʹ
ϒϩʔΧʔʹґཔ
Service Broker
ϒϩʔΧʔ͕
ϓϩϏδϣχϯά
ݩʑ͸Cloud Foundryͷ࢓૊Έ

View Slide

Kubernetesͷ৔߹͸ʁ
YAMLͰ֎෦αʔϏε͕ѻ͑ΔΑ͏ʹͳΔ
:".-Λ౤͛Δ
Service Broker
ϒϩʔΧʔ͕
ϓϩϏδϣχϯά

View Slide

Service Broker಺Ͱ΋෼୲
Service Broker
AWS Service Broker
GCP Service Broker
ͦΕͧΕͷϦιʔεΛ୲౰
ࢦࣔΛड͚
ద੾ͳ૬खʹґཔ

View Slide

αʔϏε͕૿͑ͯ΋ରԠ͕༰қ
AWS Service Broker
GCP Service Broker
Azure Service Broker
৽͘͠௥Ճ

View Slide

Service Catalog
Kubernetes
AWS Service Broker
GCP Service Broker
,VCFSOFUFTͰ4FSWJDF#SPLFSΛ
ར༻͢ΔͨΊͷ࢓૊Έ
Service Catalog

View Slide

Service Catalog
Kubernetes
AWS Service Broker
GCP Service Broker
Service Catalog
:".-Λ౤͛Δ
ґཔ
ϓϩϏδϣχϯά

View Slide

SQSΛ࡞Γ͍ͨ৔߹
apiVersion: servicecatalog.k8s.io/v1beta1
kind: ServiceInstance
metadata:
name: sqs-test
spec:
clusterServiceClassExternalName: sqs
clusterServicePlanExternalName: standard
୹͍YAMLΛॻ͚ͩ͘
Ϧιʔεͷ͜ͱΛ4FSWJDF*OTUBODFͱݺͿ
424Λࢦఆ

View Slide

Kubernetes
LVCFDUM
Service Catalog AWS Service Broker
ґཔ
ϓϩϏδϣχϯά
ServiceInstance
ࣗಈͰߏங͞ΕΔ

View Slide

RDSΛ࢖͏৔߹
6*
"1*
3%4
ઌʹϓϩϏδϣχϯά͢Δ
AWS
Kubernetes
%#৘ใΛίϯςφʹ౉͢
͜Ε͸ղܾ
͜Ε͸ղܾ
͍ͯ͠ͳ͍

View Slide

ServiceBinding
• ServiceInstanceͷ৘ใΛSecretͱͯ͠࡞੒͢Δ࢓૊Έ
• YAMLΛॻ͚ͩ͘ͰࣗಈͰSecret͕ੜ੒͞ΕΔ
apiVersion: servicecatalog.k8s.io/v1beta1
kind: ServiceBinding
metadata:
name: sqs-test-binding
spec:
instanceRef:
name: sqs-test
৘ใΛऔಘ͍ͨ͠
4FSWJDF*OTUBODF໊Λࢦఆ
ʢ͖ͬ͞࡞ͬͨ΍ͭʣ

View Slide

Secret
$ kubectl get secret sqs-test-binding -o yaml
apiVersion: v1
data:
DEAD_LETTER_QUEUE_ARN: ""
DEAD_LETTER_QUEUE_NAME: ""
DEAD_LETTER_QUEUE_URL: ""
QUEUE_ARN: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
QUEUE_NAME: YYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
QUEUE_URL: ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
...
kind: Secret
type: Opaque
ੜ੒͞ΕͨSQSʹؔ͢Δ৘ใ͕อଘ͞Ε͍ͯΔ

View Slide

Kubernetes
LVCFDUM
৘ใऔಘ
ServiceBinding
Secret
࡞੒

View Slide

Status
• Status͸CLIͰ֬ೝ͢Δ͜ͱ͕ग़དྷΔ
• Provisining, Ready, Deprovisioning, etc.
$ kubectl plugin svcat get instances
NAME NAMESPACE CLASS PLAN STATUS
+----------+-----------+-------+------------+--------------+
sqs-test default s3 custom Ready
$ kubectl plugin svcat get binding
NAME NAMESPACE INSTANCE STATUS
+------------------+-----------+-----------+------------+
sqs-test-binding default sqs-test Provisining

View Slide

શମ૾
https://aws.amazon.com/jp/partners/servicebroker/

View Slide

Kubernetes
LVCFDUM
৘ใऔಘ
ServiceInstance/ServiceBinding
Secret
࡞੒
ґཔ ϓϩϏδϣχϯά

View Slide

SecretΛPodʹ౉ͤ͹
HelmͰChartԽͰ͖ͦ͏

View Slide

APIαʔό
apiVersion: apps/v1beta2
kind: Deployment
metadata:
name: api
template:
spec:
containers:
...
env:
- name: RDS_HOSTNAME
valueFrom:
secretKeyRef:
name: rds-binding
key: ENDPOINT_ADDRESS
- name: QUEUE_NAME
valueFrom:
secretKeyRef:
name: sqs-binding
key: QUEUE_NAME
Secretܦ༝ͰDB৘ใ౳Λ౉͢
※Πϝʔδ

View Slide

HelmͰAWSϦιʔε΋ల։
6*
"1*
6*
"1*
3%4
4FSWJDF*OTUBODF 
 
4FSWJDF#JOEJOH
test-chart
424
4FSWJDF*OTUBODF 
 
4FSWJDF#JOEJOH
3%4
424
AWS
Secret
Secret
Kubernetes

View Slide

6*
"1*
pr1-api.example.com
pr1-ui.example.com
PR࡞੒ʢ#1ʣ
Job࣮ߦ
Kubernetes
PR୯ҐͰAWSϦιʔεΛ࡞Δ͜ͱ΋Մೳʂ
3%4
424
AWS
pr1-rds
pr1-sqs
Secret
13ઐ༻ͷ
3%4΍Ωϡʔ
helm install

View Slide

શͯղܾ

View Slide

ͱ͸ͳΒͳ͍

View Slide

࣮ࡍʹӡ༻͢Δͱ
೉͍͠఺͕ଟ਺
ʢࣄྫϕʔεͰ۪௚ʹ঺հʣ

View Slide

1. S3ͷόέοτ͕ফ͑ͳ͍
$ aws s3 ls
2018-10-12 20:44:25 aws-service-broker-s3-AAAAA-AAA-s3bucket-AAAAA
2018-10-15 17:58:44 aws-service-broker-s3-BBBBB-BBB-s3bucket-BBBBB
2018-10-15 17:59:12 aws-service-broker-s3-CCCCC-CCC-s3bucket-CCCCC
2018-10-15 18:12:53 aws-service-broker-s3-DDDDD-DDD-s3bucket-DDDDD
2018-10-16 17:58:39 aws-service-broker-s3-EEEEE-EEE-s3bucket-EEEEE
S3ͷServiceInstanceΛফͯ͠΋όέοτ͕࢒Δ
aws-servicebrokerͷ໰୊

View Slide

௚ͨ͠
ʢDeletionPolicy͕RetainݻఆͩͬͨͷͰม਺Խͨ͠ʣ
※όέοτ͕ۭ͡Όͳ͍ͱফ͑ͳ͍ͷͰ·ͩվળͷ༨஍͋Γ

View Slide

2. SNSͷ࠶ૹϙϦγʔ͕ઃఆͰ͖ͳ͍
$ aws sns list-subscriptions
{
"Subscriptions": [
{
"SubscriptionArn": "PendingConfirmation",
"Owner": "XXXXXXXXXXXX",
"Protocol": "https",
"Endpoint": "https://test.example.com",
"TopicArn": "arn:aws:sns:ap-northeast-1:XXXXXXXXXX:aws-service-broker-sns"
}
]
}
͏·͘࠶ૹ͞ΕͣPeindingConﬁrmationʹͳͬͯ͠·͏

View Slide

௚ͨ͠
ʢ࠶ૹϙϦγʔΛઃఆͰ͖ΔΑ͏ʹͨ͠ʣ

View Slide

3. ද͕ࣔͣΕͯΔ
$ kubectl plugin svcat get classes
NAME NAMESPACE DESCRIPTION
+------------------+-----------+----------------------------------------------+
dh-emr AWS Service Broker - Amazon EMR
dh-dynamodb AWS Service Broker - Amazon DynamoDB
dh-rdsmariadb AWS Service Broker - Amazon RDS for MariaDB
dh-rekognition AWS Service Broker - Amazon Rekognition
dh-athena AWS Service Broker - Amazon Athena.
dh-sqs AWS Servicebroker - Amazon SQS
dh-kms AWS Service Broker - KMS Key
dh-rdspostgresql AWS Service Broker - Amazon RDS for
...
SQS͚͓͔͍ͩ͠

View Slide

௚ͨ͠

View Slide

4. Service Brokerʹ༩͑Δݖݶ͕ڧ͍
{
"Sid": "ServiceClassPermissions",
"Action": [
"athena:*",
"dynamodb:*",
"kms:*",
"elasticache:*",
"elasticmapreduce:*",
"kinesis:*",
"rds:*",
"redshift:*",
"route53:*",
"s3:*",
"sns:*",
"sns:*",
"sqs:*",
"ec2:*",
"iam:*",
"lambda:*"
],
"Resource": [
"*"
],
"Effect": "Allow"
}
IAMΠϯελϯεϩʔϧͰ༩͑ΔͱଞͷPod΋ڧ͍ݖݶΛ࣋ͬͯ͠·͏
AWSݻ༗ͷ࿩

View Slide

$ kubectl get pods -n aws-sb -o yaml
apiVersion: v1
items:
- apiVersion: v1
kind: Pod
metadata:
annotations:
iam.amazonaws.com/role: awssb_role
kiamΛ࢖͏
Pod୯ҐͰIAMϩʔϧΛׂΓ౰ͯΔ
1PEઐ༻ͷ
*".ϩʔϧ
https://github.com/uswitch/kiam

View Slide

͔͠͠kiamʹ΋೉఺͕...
※ ͕࣌ؒͳ͍ͷͰলུ

View Slide

5. annotation͕ઃఆͰ͖ͳ͍
$ cat values.yaml
image: awsservicebroker/aws-servicebroker:beta
imagePullPolicy: Always
authenticate: true
tls:
cert:
key:
deployClusterServiceBroker: true
aws:
region: us-east-1
bucket: awsservicebroker
key: templates/latest
s3region: us-east-1
tablename: awssb
accesskeyid: ""
secretkey: ""
targetaccountid: ""
targetrolename: ""
vpcid: ""
brokerconfig:
verbosity: 10
brokerid: awsservicebroker
prescribeoverrides: true
kiam͸annotationͰIAMϩʔϧΛ੍ޚ͍ͯ͠Δ

View Slide

௚ͨ͠

View Slide

6. λΠϛϯά໰୊ʢॏཁʣ
Secret
·ͩ࡞੒
͞Ε͍ͯͳ͍
ͨΊΤϥʔ
͕͔͔࣌ؒΔ
"1*
test-chart
6*
"1*
3%4
424
helm install

View Slide

initContainers:
- name: init-s3-binding
image: k8s-kubectl
command: ['sh', '-c', 'until kubectl get secrets s3-binding; do
echo waiting for s3-binding; sleep 5; done;']
initContainersΛ࢖͏
Secret͕ੜ੒͞ΕΔ·ͰPodͷੜ੒Λ଴ػ 
ʢղܾ͢Δͱ͸ݴ͑ਏ͍ʣ
https://kubernetes.io/docs/concepts/workloads/pods/init-containers/

View Slide

7. ServiceCatalogෆ҆ఆ໰୊
kubectl get pods -n catalog
NAME READY STATUS RESTARTS AGE
catalog-catalog-apiserver-86d695b7dc-d78xf 0/2 CrashLoopBackOff 359 11d
catalog-catalog-controller-manager-64f69dd964-lzs7c 0/1 CrashLoopBackOff 206 11d
test-chart
6*
"1*
3%4
424
Service Catalog
4FSWJDF$BUBMPH͕
ࢮ͵ͱԿ΋Ͱ͖ͳ͘ͳΔ

View Slide

ະղܾ
ʢଟ෼ϝϞϦपΓʣ
Service Catalog࠶ΠϯετʔϧͰҰԠ௚Δ
HelmͰσϑΥϧτઃఆͩͱզʑͷ؀ڥͰ͸ࢮ͵

View Slide

Service CatalogΛ࠶Πϯετʔϧͨ͠৔߹ͷฐ֐
$ kubectl plugin svcat get brokers
NAME NAMESPACE URL STATUS
+-------------------+-----------+----------------------------------------------------+--------+
test-chart
6*
"1*
3%4
424
Service Catalog
4FSWJDF$BUBMPHʹొ࿥͍ͯͨ͠
4FSWJDF#SPLFS΋ফ͑Δ
4FSWJDF#JOEJOH΋ফ͑Δ
େࢂࣄ

View Slide

ྑ͍ײ͡ʹ௚͢ํ๏͕͋Ε͹
Ͳͳ͔ͨڭ͑ͯԼ͍͞
ʢetcdͷόοΫΞοϓͱ͔...ʁʣ

View Slide

8. Deprovisionʹࣦഊͨ͋͠ͱServiceInstance͕࢒Γଓ͚Δ
$ kubectl plugin svcat get instances
NAME NAMESPACE CLASS PLAN STATUS
+---------------------+-----------+--------+--------------+----------------------+
test-s3 default dh-s3 custom DeprovisionCallFailed
test-chart Service Catalog %FQSPWJTJPOGBJMFE
IFMNEFMFUF
ґཔ
YAMLࣗମ͸΋͏ফ͍͑ͯΔͷͰग़དྷΔ͜ͱ͕ͳ͍
6*
"1*
3%4
424

View Slide

ະղܾ
--forceͷΑ͏ͳΦϓγϣϯ͸ݱࡏະ࣮૷ͬΆ͍
https://github.com/kubernetes-incubator/service-catalog/issues/2268

View Slide

ڍ͛ͨͷ͸Ұྫ
·ͩ·ͩଟ਺͋Δ

View Slide

ServiceBroker·ͱΊ
• ServiceBrokerΛ࢖͏͜ͱͰଞͷϦιʔεͱಉ༷ʹΫϥ΢υαʔϏ
ε΋؅ཧͰ͖ͯඇৗʹศར
• Helm + ServiceBrokerͰ؀ڥߏஙͷࣗಈԽ͕େ෯ʹਪ͠ਐΊΒΕΔ
• ҰํͰ·ͩ໰୊΋ଟ͘ൃల్্ͳײ͡
• ಛʹaws-servicebroker͸·ͩ·ͩʢAzure΍GCP͸҆ఆͯͦ͠͏ʣ
• ࣗ෼ͰίʔυΛ௚͢ؾ͕֓͋ΔਓͳΒΦεεϝ
• ࠓ͙҆͢ఆͯ͠࢖͍͍ͨਓʹ͸Φεεϝ͠ͳ͍

View Slide

Appendix

View Slide

Open Service Broker API
Kubernetes
GCP Service Broker
0QFO4FSWJDF#SPLFS"1*
ͱͯ͠ఆٛ͞Ε͍ͯΔ

View Slide

Open Service Broker API
γϯϓϧͳHTTPαʔόͳͷͰ؆୯ʹࣗ࡞Մೳ
https://github.com/openservicebrokerapi/servicebroker/blob/v2.14/spec.md

View Slide

Open Service Broker for PostgreSQL
• PostgreSQLΛϓϩϏδϣχϯά͢ΔService Broker
• ษڧͷͨΊʹࣗ࡞ͯ͠Έͨ
• https://github.com/knqyf263/osbpsql
• ڵຯ͕͋Δਓ͕͍Ε͹͍͔ͭͦͷ࿩΋
• ຊ౰͸͜ͷลΓͷ࿩΋͔ͨͬͨ͠

View Slide

ࢀߟαΠτ
• k8s͕ಋೖ͢ΔService Brokerͷ࢓૊Έͱ͸
• http://jaco.udcp.info/entry/k8s-service-broker
• CFͷศརػೳΛଞͷ؀ڥͰ΋ɻOpen Service Broker
• https://www.slideshare.net/jacopen/cfopen-service-broker
• Open Service Broker for ͘͞ΒͷΫϥ΢υͰKubernetes + Service Catalogग़དྷΔΑ͏ʹ
ͳΓ·ͨ͠
• http://febc-yamamoto.hatenablog.jp/entry/2018/03/10/090229
• Open Service Broker APIΛ࢖ͬͯCloud FoundryͱKubernetesͰService BrokerΛ૬ޓ
ӡ༻͢Δ
• https://blog.ik.am/entries/497

View Slide

Thank you for your attention

View Slide

HelmとService Brokerで始める検証環境自動構築 / Helm and Service Broker

HelmとService Brokerで始める検証環境自動構築 / Helm and Service Broker

Teppei Fukuda

More Decks by Teppei Fukuda

Other Decks in Technology

Featured

Transcript