HelmとService Brokerで始める検証環境自動構築 / Helm and Service Broker

by Teppei Fukuda

Slide 1

Slide 1 text

HelmͱService BrokerͰ ࢝ΊΔݕূ؀ڥࣗಈߏங ୈ39ճ PaaSษڧձ Teppei Fukuda (@knqyf263)

Slide 2

Slide 2 text

ࣗݾ঺հ • Teppei Fukuda (@knqyf263) • ߪಡອըࡶࢽ • δϟϯϓ • αϯσʔ • ϚΨδϯ • Ϡϯάδϟϯϓ • ϠϯάϚΨδϯ • δϟϯϓSQ • ผ࡭গ೥ϚΨδϯ • ίϛοΫDAYSɾεϚϗΞϓϦଟ਺

Slide 3

Slide 3 text

ຊ೔ͷྲྀΕ • ݕূ؀ڥࣗಈߏஙͷఆٛ • HelmʹΑΔݕূ؀ڥࣗಈߏங • Service BrokerʹΑΔ֎෦αʔϏεϓϩϏδϣχϯά • Helm + Service Broker • Service Brokerͷݱঢ়ͷ໰୊఺

Slide 4

Slide 4 text

஫ҙࣄ߲ • ର৅ऀ͸KubernetesΛ࢖͑ΔਓʹͳΓ·͢ • Kubernetesʹؔ͢Δઆ໌͸͠·ͤΜ • Կ͕ग़དྷΔ͔ɺΛ఻͑Δ͜ͱΛॏࢹ͍ͯ͠·͢ • ඞཁͳઃఆΛҰ෦লུͨ͠Γ͍ͯ͠·͢ • ਤʹॻ͖੾Εͳ͔ͬͨࡉ͔͍࿩͸ޱ಄Ͱิ͍·͢ • ηΩϡϦςΟ෦ͷΤϯδχΞͳͷͰৄ͍͜͠ͱ͸Α͘෼͔Γ·ͤΜ

Slide 5

Slide 5 text

ݕূ؀ڥ ࠓݕূ؀ڥ σϓϩΠ͍͍ͯ͠ʁ ͜͜Ͱ͸։ൃதʹ࢖ΘΕΔݕূ༻ͷڞ༗؀ڥͱఆٛ͠·͢ ࠓ࢖ͬͯΔ͔Βμϝ ݕূ؀ڥ

Slide 6

Slide 6 text

ݕূ؀ڥ ·ͩʔʁ ͜Μͳͱ͖ʹࣗ෼༻ͷݕূ؀ڥ͕͋Ε͹... ·ͩμϝʔ ݕূ؀ڥ

Slide 7

Slide 7 text

ઐ༻ͷݕূ؀ڥ ࣗ෼༻ͷ؀ڥͰ ͙͢ςετͰ͖Δ ଴ͪ࣌ؒͳ͠ʂ ݕূ؀ڥ ݕূ؀ڥ ͔͠͠༧Ί؀ڥΛ༻ҙ͓ͯ͘͠ͷ͸େม ʢ͍ͭ͘ඞཁ͔΋෼͔Βͳ͍ʣ

Slide 8

Slide 8 text

ݕূ؀ڥࣗಈߏங ݕূ؀ڥ ݕূ؀ڥ ݕূ؀ڥ QVTI͞ΕͨΒ ࣗಈͰ࡞Δ

Slide 9

Slide 9 text

ίϯςφͳΒ؆୯ͳ͸ͣ...!!

Slide 10

Slide 10 text

• KubernetesͷύοέʔδϚωʔδϟʔ • apt/yum/homebrewͷΑ͏ͳ΋ͷ • deb, rpmʹ૬౰͢Δ΋ͷ͸Chartͱ ݺ͹ΕΔ • ༗໊ͳΞϓϦέʔγϣϯͷChart͸ ഑෍͞Ε͍ͯΔ • helm install͢Δ͚ͩͰk8s্ʹల։ • e.g. helm install jenkins https://github.com/helm/charts/tree/master/stable/ Helmͱ͸ʁ https://helm.sh/

Slide 11

Slide 11 text

Chartͱ͸ʁ $ tree wordpress wordpress !"" Chart.yaml … !"" templates # !"" NOTES.txt # !"" _helpers.tpl # !"" deployment.yaml # !"" externaldb-secrets.yaml # !"" ingress.yaml # !"" pvc.yaml # !"" secrets.yaml # !"" svc.yaml … # %"" tls-secrets.yaml !"" values-production.yaml %"" values.yaml • Kubernetestͷ  Ϧιʔεͷू߹ • ࡶʹݴ͑͹ςϯϓϨʔ τͱม਺ͷू߹ ςϯϓϨʔτ ʢ%FQMPZNFOUͱ͔ *OHSFTTͱ͔ʣ ม਺ఆٛ

Slide 12

Slide 12 text

ςϯϓϨʔτ apiVersion: extensions/v1beta1 kind: Ingress metadata: ... spec: rules: - host: {{ .Values.ingress.hostname }} http: paths: - path: / backend: serviceName: {{ template "fullname" . }} servicePort: {{ .Values.service.port }} ීஈॻ͍ͯΔYAMLΛςϯϓϨʔτԽ͢Δ͚ͩ ม਺ ม਺

Slide 13

Slide 13 text

ී௨ͷYAML apiVersion: extensions/v1beta1 kind: Ingress metadata: ... spec: rules: - host: www.example.com http: paths: - path: / backend: serviceName: test-svc servicePort: 80 ͜Ε͕

Slide 14

Slide 14 text

ςϯϓϨʔτԽͨ͠YAML apiVersion: extensions/v1beta1 kind: Ingress metadata: ... spec: rules: - host: {{ .Values.ingress.hostname }} http: paths: - path: / backend: serviceName: {{ template "fullname" . }} servicePort: {{ .Values.service.port }} ͜͏

Slide 15

Slide 15 text

ม਺ఆٛ $ cat values.yaml service: port: 80 ingress: hostname: www.example.com ͋ͱ͸ values.yaml ʹม਺Λఆٛ͢Δ͚ͩ γϯϓϧ Πϯσϯτ͸υοτͰܨ͙ ʢJOHSFTTIPTUOBNF

Slide 16

Slide 16 text

helm install $ helm install --set ingress.hostname=test.example.com test-chart CLIͰΠϯετʔϧ࣌ʹม਺ͷ্ॻ͖΋Մೳ

Slide 17

Slide 17 text

ෳ਺ͷϦιʔεΛ·ͱΊΒΕΔ $ tree wordpress wordpress !"" Chart.yaml … !"" templates # !"" NOTES.txt # !"" _helpers.tpl # !"" deployment.yaml # !"" externaldb-secrets.yaml # !"" ingress.yaml # !"" pvc.yaml # !"" secrets.yaml # !"" svc.yaml … # %"" tls-secrets.yaml !"" values-production.yaml %"" values.yaml Service༻ͷYAML Deployment༻ͷYAML Ingress༻ͷYAML helm installͰશͯk8s্ʹల։͞ΕΔ

Slide 18

Slide 18 text

ґଘؔ܎΋هड़Մೳ $ cat sentry/requirements.yaml dependencies: - name: postgresql version: 0.18.0 repository: https://kubernetes-charts.storage.googleapis.com/ - name: redis version: 3.8.1 repository: https://kubernetes-charts.storage.googleapis.com/ sentryͷChartʹ͸PostgreSQLͱRedis͕ඞཁ

Slide 19

Slide 19 text

ChartΛࣗ࡞͢Δ $ tree test-chart test-chart !"" Chart.yaml !"" charts !"" requirements.lock !"" requirements.yaml !"" templates # !"" NOTES.txt # !"" _helpers.tpl # !"" api # # !"" deployment.yaml # # !"" ingress.yaml # # %"" svc.yaml # %"" ui # !"" deployment.yaml # !"" ingress.yaml # %"" svc.yaml %"" values.yaml • ྫɿDBͱΩϟογϡαʔόΛ  ඞཁͱ͢ΔγϯάϧϖʔδΞ ϓϦέʔγϣϯ • UI: ੩తϑΝΠϧΛ഑෍͢Δίϯςφ    ʢຊ൪͸CDNʹஔ͘ͷͰݕূ؀ڥͷΈʣ • API: APIαʔόΛ࣮૷ͨ͠ίϯςφ • DB: PostgresQLʢطଘͷChartΛར༻ʣ • ΩϟογϡɿRedisʢطଘͷChartΛར༻ʣ 3FEJTͱ1PTUHSF42-Λهड़ ʢલड़ʣ "1*ؔ࿈ 6*ؔ࿈ ม਺

Slide 20

Slide 20 text

APIαʔό apiVersion: extensions/v1beta1 kind: Deployment ... spec: template: spec: ... containers: - name: {{ .Chart.Name }}-api image: "{{ .Values.api.image.repository }}:{{ .Values.api.image.tag }}" ... env: - name: POSTGRES_HOST value: {{ template "postgresql.fullname" . }} - name: REDIS_HOST value: {{ template "redis.fullname" . }} DB৘ใ౳͸؀ڥม਺Ͱ౉ͤΔΑ͏ʹ͓ͯ͘͠ (౉͠ํ͸ConﬁgMap/Secretܦ༝Ͱ΋ԿͰ΋ྑ͍ʣ %#αʔό৘ใ Ωϟογϡαʔό৘ใ

Slide 21

Slide 21 text

UIαʔό apiVersion: extensions/v1beta1 kind: Deployment ... spec: template: spec: ... containers: - name: {{ .Chart.Name }}-ui ... env: - name: API_HOST value: {{ .Values.api.ingress.hostname }} APIαʔόͷϗετ໊͸؀ڥม਺Ͱ౉͢ "1*αʔό৘ใ

Slide 22

Slide 22 text

UIαʔό {{- if .Values.test.enabled -}} apiVersion: extensions/v1beta1 kind: Deployment ... spec: template: spec: ... containers: - name: {{ .Chart.Name }}-ui image: "{{ .Values.ui.image.repository }}:{{ .Values.ui.image.tag }}" ... env: - name: API_HOST value: {{ .Values.api.ingress.hostname }} {{- end -}} ςετ࣌ͷΈ༗ޮʹ͢Δ ৚݅෼ذ༻ͷม਺Λ ࣗ෼Ͱఆ͓ٛͯ͘͠

Slide 23

Slide 23 text

ม਺ఆٛ $ cat values.yaml test enabled: true api image: tag: latest ingress: hostname: api.example.com ui: image: tag: latest ingress: Hostname: ui.example.com Ϧιʔεؒͷܨ͗໨Λશͯม਺Խ͢Δ ʢͦͯ͠؀ڥม਺౳Ͱ౉ͤΔΑ͏ʹ͢Δʣ

Slide 24

Slide 24 text

ॏཁͳ͜ͱͳͷͰ੔ཧ • Ϧιʔεؒͷܨ͗໨Λશͯม਺Խ͢Δ • UIαʔό <=> APIαʔό • APIαʔό <=> DBαʔό • APIαʔό <=> Ωϟογϡαʔό, etc. • ม਺Խ͢Δ͜ͱͰಉ͡Chart͔Βෳ਺ੜ੒͠΍͘͢ͳΔ • ݕূ࣌ͷΈඞཁͳϦιʔε͸৚݅෼ذ͢Δ

Slide 25

Slide 25 text

׬੒ܗ 6* Kubernetes "1* 1PTUHSF42- 3FEJT ui.example.com api.example.com ᶃ ᶄ ᶅ

Slide 26

Slide 26 text

helm installͰશͯల։͞ΕΔ 6* "1* 1PTUHSF42- 3FEJT 6* "1* 1PTUHSF42- 3FEJT test-chart helm install test-chart

Slide 27

Slide 27 text

ϦϦʔε໊ • Helmʹ͸ϦϦʔεͷ֓೦͕͋Δ • ϦϦʔε໊͕ҟͳΕ͹ಉ͡ύοέʔδΛෳ਺ల։Մೳ Kubernetes 8PSEQSFTT chart XPSEQSFTT XPSEQSFTT helm install --name wordpress1 wordpress helm install --name wordpress2 wordpress

Slide 28

Slide 28 text

test-chart΋ෳ਺ల։Մೳ 6* "1* 1PTUHSF42- 3FEJT test-chart 6* "1* 1PTUHSF42- 3FEJT 6* "1* 1PTUHSF42- 3FEJT test2 test1 helm install --name test1 test-chart helm install --name test2 test-chart

Slide 29

Slide 29 text

test-chart΋ෳ਺ల։Մೳ test-chart 6* "1* 1PTUHSF42- 3FEJT helm install --set api.ingress.hostname=test1-api.example.com --set ui.ingress.hostname=test1-ui.example.com --name test1 test-chart 6* "1* 1PTUHSF42- 3FEJT test1-ui.example.com test1-api.example.com 6* "1* 1PTUHSF42- 3FEJT helm install --set api.ingress.hostname=test2-api.example.com --set ui.ingress.hostname=test2-ui.example.com --name test2 test-chart test2-ui.example.com test2-api.example.com %/4Ϩίʔυ΋ࣗಈੜ੒ ʢ؀ڥʹΑͬͯ͸ࣄલઃఆ͕ඞཁʣ

Slide 30

Slide 30 text

͜ΕΛCIͰ࣮ߦ͢Ε͹...ʁ

Slide 31

Slide 31 text

6* "1* 1PTUHSF42- 3FEJT pr1-api.example.com helm install --set api.ingress.hostname=pr1-api.example.com --set ui.ingress.hostname=pr1-ui.example.com --name pr1 test-chart pr1-ui.example.com PR࡞੒ʢ#1ʣ Job࣮ߦ Kubernetes PR୯ҐͰͷݕূ؀ڥͷࣗಈߏங͕Մೳʂ

Slide 32

Slide 32 text

6* "1* 1PTUHSF42- 3FEJT pr1-api.example.com helm delete --purge pr1 pr1-ui.example.com PRΫϩʔζʢ#1ʣ Job࣮ߦ Kubernetes ࡟আ΋؆୯

Slide 33

Slide 33 text

શͯղܾ

Slide 34

Slide 34 text

ͱ͸ͳΒͳ͍

Slide 35

Slide 35 text

Ϋϥ΢υαʔϏεͷ Ϧιʔε͕ࣗಈߏஙͰ͖ͳ͍

Slide 36

Slide 36 text

AWSͷ৔߹ 6* Kubernetes "1* 3%4 &MBTUJ$BDIF ui.example.com api.example.com 424 AWS ϚωʔδυαʔϏεͱ૊Έ߹Θͤͯ࢖͏͜ͱ΋ଟ͍

Slide 37

Slide 37 text

RDSΛ࢖͏৔߹ 6* "1* 3%4 ᶃઌʹϓϩϏδϣχϯά AWS Kubernetes ᶄ%#৘ใΛίϯςφʹ౉͢ ϗετ໊*%18ʣ

Slide 38

Slide 38 text

͠ΜͲ͍ ʢࣗಈߏங΋೉͍͠ʣ

Slide 39

Slide 39 text

ͦ͜ͰService Broker ※ ྫͱͯ͠AWSΛ༻͍·͕͢GCP౳Ͱ΋جຊ͸ಉ͡Ͱ͢

Slide 40

Slide 40 text

Service Brokerͱ͸ʁ ༷ʑͳαʔϏεΛϓϩϏδϣχϯά͢Δͷ͸ํ๏΋ҧ͏ͨΊେม

Slide 41

Slide 41 text

Service Brokerͱ͸ʁ ஥հਓΛڬΉ͜ͱͰΠϯλϑΣʔεΛ౷Ұ͠ૄ݁߹ʹ ϒϩʔΧʔʹґཔ Service Broker ϒϩʔΧʔ͕ ϓϩϏδϣχϯά ݩʑ͸Cloud Foundryͷ࢓૊Έ

Slide 42

Slide 42 text

Kubernetesͷ৔߹͸ʁ YAMLͰ֎෦αʔϏε͕ѻ͑ΔΑ͏ʹͳΔ :".-Λ౤͛Δ Service Broker ϒϩʔΧʔ͕ ϓϩϏδϣχϯά

Slide 43

Slide 43 text

Service Broker಺Ͱ΋෼୲ Service Broker AWS Service Broker GCP Service Broker ͦΕͧΕͷϦιʔεΛ୲౰ ࢦࣔΛड͚ ద੾ͳ૬खʹґཔ

Slide 44

Slide 44 text

αʔϏε͕૿͑ͯ΋ରԠ͕༰қ AWS Service Broker GCP Service Broker Azure Service Broker ৽͘͠௥Ճ

Slide 45

Slide 45 text

Service Catalog Kubernetes AWS Service Broker GCP Service Broker ,VCFSOFUFTͰ4FSWJDF#SPLFSΛ ར༻͢ΔͨΊͷ࢓૊Έ Service Catalog

Slide 46

Slide 46 text

Service Catalog Kubernetes AWS Service Broker GCP Service Broker Service Catalog :".-Λ౤͛Δ ґཔ ϓϩϏδϣχϯά

Slide 47

Slide 47 text

SQSΛ࡞Γ͍ͨ৔߹ apiVersion: servicecatalog.k8s.io/v1beta1 kind: ServiceInstance metadata: name: sqs-test spec: clusterServiceClassExternalName: sqs clusterServicePlanExternalName: standard ୹͍YAMLΛॻ͚ͩ͘ Ϧιʔεͷ͜ͱΛ4FSWJDF*OTUBODFͱݺͿ 424Λࢦఆ

Slide 48

Slide 48 text

Kubernetes LVCFDUM Service Catalog AWS Service Broker ґཔ ϓϩϏδϣχϯά ServiceInstance ࣗಈͰߏங͞ΕΔ

Slide 49

Slide 49 text

RDSΛ࢖͏৔߹ 6* "1* 3%4 ઌʹϓϩϏδϣχϯά͢Δ AWS Kubernetes %#৘ใΛίϯςφʹ౉͢ ͜Ε͸ղܾ ͜Ε͸ղܾ ͍ͯ͠ͳ͍

Slide 50

Slide 50 text

ServiceBinding • ServiceInstanceͷ৘ใΛSecretͱͯ͠࡞੒͢Δ࢓૊Έ • YAMLΛॻ͚ͩ͘ͰࣗಈͰSecret͕ੜ੒͞ΕΔ apiVersion: servicecatalog.k8s.io/v1beta1 kind: ServiceBinding metadata: name: sqs-test-binding spec: instanceRef: name: sqs-test ৘ใΛऔಘ͍ͨ͠ 4FSWJDF*OTUBODF໊Λࢦఆ ʢ͖ͬ͞࡞ͬͨ΍ͭʣ

Slide 51

Slide 51 text

Secret $ kubectl get secret sqs-test-binding -o yaml apiVersion: v1 data: DEAD_LETTER_QUEUE_ARN: "" DEAD_LETTER_QUEUE_NAME: "" DEAD_LETTER_QUEUE_URL: "" QUEUE_ARN: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX QUEUE_NAME: YYYYYYYYYYYYYYYYYYYYYYYYYYYYYY QUEUE_URL: ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ ... kind: Secret type: Opaque ੜ੒͞ΕͨSQSʹؔ͢Δ৘ใ͕อଘ͞Ε͍ͯΔ

Slide 52

Slide 52 text

Kubernetes LVCFDUM Service Catalog AWS Service Broker ৘ใऔಘ ServiceBinding Secret ࡞੒

Slide 53

Slide 53 text

Status • Status͸CLIͰ֬ೝ͢Δ͜ͱ͕ग़དྷΔ • Provisining, Ready, Deprovisioning, etc. $ kubectl plugin svcat get instances NAME NAMESPACE CLASS PLAN STATUS +----------+-----------+-------+------------+--------------+ sqs-test default s3 custom Ready $ kubectl plugin svcat get binding NAME NAMESPACE INSTANCE STATUS +------------------+-----------+-----------+------------+ sqs-test-binding default sqs-test Provisining

Slide 54

Slide 54 text

શମ૾ https://aws.amazon.com/jp/partners/servicebroker/

Slide 55

Slide 55 text

Kubernetes LVCFDUM Service Catalog AWS Service Broker ৘ใऔಘ ServiceInstance/ServiceBinding Secret ࡞੒ ґཔ ϓϩϏδϣχϯά

Slide 56

Slide 56 text

SecretΛPodʹ౉ͤ͹ HelmͰChartԽͰ͖ͦ͏

Slide 57

Slide 57 text

APIαʔό apiVersion: apps/v1beta2 kind: Deployment metadata: name: api template: spec: containers: ... env: - name: RDS_HOSTNAME valueFrom: secretKeyRef: name: rds-binding key: ENDPOINT_ADDRESS - name: QUEUE_NAME valueFrom: secretKeyRef: name: sqs-binding key: QUEUE_NAME Secretܦ༝ͰDB৘ใ౳Λ౉͢ ※Πϝʔδ

Slide 58

Slide 58 text

HelmͰAWSϦιʔε΋ల։ 6* "1* 6* "1* 3%4 4FSWJDF*OTUBODF    4FSWJDF#JOEJOH test-chart 424 4FSWJDF*OTUBODF    4FSWJDF#JOEJOH 3%4 424 AWS Secret Secret Kubernetes

Slide 59

Slide 59 text

6* "1* pr1-api.example.com pr1-ui.example.com PR࡞੒ʢ#1ʣ Job࣮ߦ Kubernetes PR୯ҐͰAWSϦιʔεΛ࡞Δ͜ͱ΋Մೳʂ 3%4 424 AWS pr1-rds pr1-sqs Secret 13ઐ༻ͷ 3%4΍Ωϡʔ helm install

Slide 60

Slide 60 text

શͯղܾ

Slide 61

Slide 61 text

ͱ͸ͳΒͳ͍

Slide 62

Slide 62 text

࣮ࡍʹӡ༻͢Δͱ ೉͍͠఺͕ଟ਺ ʢࣄྫϕʔεͰ۪௚ʹ঺հʣ

Slide 63

Slide 63 text

1. S3ͷόέοτ͕ফ͑ͳ͍ $ aws s3 ls 2018-10-12 20:44:25 aws-service-broker-s3-AAAAA-AAA-s3bucket-AAAAA 2018-10-15 17:58:44 aws-service-broker-s3-BBBBB-BBB-s3bucket-BBBBB 2018-10-15 17:59:12 aws-service-broker-s3-CCCCC-CCC-s3bucket-CCCCC 2018-10-15 18:12:53 aws-service-broker-s3-DDDDD-DDD-s3bucket-DDDDD 2018-10-16 17:58:39 aws-service-broker-s3-EEEEE-EEE-s3bucket-EEEEE S3ͷServiceInstanceΛফͯ͠΋όέοτ͕࢒Δ aws-servicebrokerͷ໰୊

Slide 64

Slide 64 text

௚ͨ͠ ʢDeletionPolicy͕RetainݻఆͩͬͨͷͰม਺Խͨ͠ʣ ※όέοτ͕ۭ͡Όͳ͍ͱফ͑ͳ͍ͷͰ·ͩվળͷ༨஍͋Γ

Slide 65

Slide 65 text

2. SNSͷ࠶ૹϙϦγʔ͕ઃఆͰ͖ͳ͍ $ aws sns list-subscriptions { "Subscriptions": [ { "SubscriptionArn": "PendingConfirmation", "Owner": "XXXXXXXXXXXX", "Protocol": "https", "Endpoint": "https://test.example.com", "TopicArn": "arn:aws:sns:ap-northeast-1:XXXXXXXXXX:aws-service-broker-sns" } ] } ͏·͘࠶ૹ͞ΕͣPeindingConﬁrmationʹͳͬͯ͠·͏ aws-servicebrokerͷ໰୊

Slide 66

Slide 66 text

௚ͨ͠ ʢ࠶ૹϙϦγʔΛઃఆͰ͖ΔΑ͏ʹͨ͠ʣ

Slide 67

Slide 67 text

3. ද͕ࣔͣΕͯΔ $ kubectl plugin svcat get classes NAME NAMESPACE DESCRIPTION +------------------+-----------+----------------------------------------------+ dh-emr AWS Service Broker - Amazon EMR dh-dynamodb AWS Service Broker - Amazon DynamoDB dh-rdsmariadb AWS Service Broker - Amazon RDS for MariaDB dh-rekognition AWS Service Broker - Amazon Rekognition dh-athena AWS Service Broker - Amazon Athena. dh-sqs AWS Servicebroker - Amazon SQS dh-kms AWS Service Broker - KMS Key dh-rdspostgresql AWS Service Broker - Amazon RDS for ... SQS͚͓͔͍ͩ͠ aws-servicebrokerͷ໰୊

Slide 68

Slide 68 text

௚ͨ͠

Slide 69

Slide 69 text

4. Service Brokerʹ༩͑Δݖݶ͕ڧ͍ { "Sid": "ServiceClassPermissions", "Action": [ "athena:*", "dynamodb:*", "kms:*", "elasticache:*", "elasticmapreduce:*", "kinesis:*", "rds:*", "redshift:*", "route53:*", "s3:*", "sns:*", "sns:*", "sqs:*", "ec2:*", "iam:*", "lambda:*" ], "Resource": [ "*" ], "Effect": "Allow" } IAMΠϯελϯεϩʔϧͰ༩͑ΔͱଞͷPod΋ڧ͍ݖݶΛ࣋ͬͯ͠·͏ AWSݻ༗ͷ࿩

Slide 70

Slide 70 text

$ kubectl get pods -n aws-sb -o yaml apiVersion: v1 items: - apiVersion: v1 kind: Pod metadata: annotations: iam.amazonaws.com/role: awssb_role kiamΛ࢖͏ Pod୯ҐͰIAMϩʔϧΛׂΓ౰ͯΔ 1PEઐ༻ͷ *".ϩʔϧ https://github.com/uswitch/kiam

Slide 71

Slide 71 text

͔͠͠kiamʹ΋೉఺͕... ※ ͕࣌ؒͳ͍ͷͰলུ

Slide 72

Slide 72 text

5. annotation͕ઃఆͰ͖ͳ͍ $ cat values.yaml image: awsservicebroker/aws-servicebroker:beta imagePullPolicy: Always authenticate: true tls: cert: key: deployClusterServiceBroker: true aws: region: us-east-1 bucket: awsservicebroker key: templates/latest s3region: us-east-1 tablename: awssb accesskeyid: "" secretkey: "" targetaccountid: "" targetrolename: "" vpcid: "" brokerconfig: verbosity: 10 brokerid: awsservicebroker prescribeoverrides: true aws-servicebrokerͷ໰୊ kiam͸annotationͰIAMϩʔϧΛ੍ޚ͍ͯ͠Δ

Slide 73

Slide 73 text

௚ͨ͠

Slide 74

Slide 74 text

6. λΠϛϯά໰୊ʢॏཁʣ Secret ·ͩ࡞੒ ͞Ε͍ͯͳ͍ ͨΊΤϥʔ ͕͔͔࣌ؒΔ "1* test-chart 6* "1* 3%4 424 helm install

Slide 75

Slide 75 text

initContainers: - name: init-s3-binding image: k8s-kubectl command: ['sh', '-c', 'until kubectl get secrets s3-binding; do echo waiting for s3-binding; sleep 5; done;'] initContainersΛ࢖͏ Secret͕ੜ੒͞ΕΔ·ͰPodͷੜ੒Λ଴ػ  ʢղܾ͢Δͱ͸ݴ͑ਏ͍ʣ https://kubernetes.io/docs/concepts/workloads/pods/init-containers/

Slide 76

Slide 76 text

7. ServiceCatalogෆ҆ఆ໰୊ kubectl get pods -n catalog NAME READY STATUS RESTARTS AGE catalog-catalog-apiserver-86d695b7dc-d78xf 0/2 CrashLoopBackOff 359 11d catalog-catalog-controller-manager-64f69dd964-lzs7c 0/1 CrashLoopBackOff 206 11d test-chart 6* "1* 3%4 424 Service Catalog 4FSWJDF$BUBMPH͕ ࢮ͵ͱԿ΋Ͱ͖ͳ͘ͳΔ

Slide 77

Slide 77 text

ະղܾ ʢଟ෼ϝϞϦपΓʣ Service Catalog࠶ΠϯετʔϧͰҰԠ௚Δ HelmͰσϑΥϧτઃఆͩͱզʑͷ؀ڥͰ͸ࢮ͵

Slide 78

Slide 78 text

Service CatalogΛ࠶Πϯετʔϧͨ͠৔߹ͷฐ֐ $ kubectl plugin svcat get brokers NAME NAMESPACE URL STATUS +-------------------+-----------+----------------------------------------------------+--------+ test-chart 6* "1* 3%4 424 Service Catalog 4FSWJDF$BUBMPHʹొ࿥͍ͯͨ͠ 4FSWJDF#SPLFS΋ফ͑Δ 4FSWJDF#JOEJOH΋ফ͑Δ େࢂࣄ

Slide 79

Slide 79 text

ྑ͍ײ͡ʹ௚͢ํ๏͕͋Ε͹ Ͳͳ͔ͨڭ͑ͯԼ͍͞ ʢetcdͷόοΫΞοϓͱ͔...ʁʣ

Slide 80

Slide 80 text

8. Deprovisionʹࣦഊͨ͋͠ͱServiceInstance͕࢒Γଓ͚Δ $ kubectl plugin svcat get instances NAME NAMESPACE CLASS PLAN STATUS +---------------------+-----------+--------+--------------+----------------------+ test-s3 default dh-s3 custom DeprovisionCallFailed test-chart Service Catalog %FQSPWJTJPOGBJMFE IFMNEFMFUF ґཔ YAMLࣗମ͸΋͏ফ͍͑ͯΔͷͰग़དྷΔ͜ͱ͕ͳ͍ 6* "1* 3%4 424

Slide 81

Slide 81 text

ະղܾ --forceͷΑ͏ͳΦϓγϣϯ͸ݱࡏະ࣮૷ͬΆ͍ https://github.com/kubernetes-incubator/service-catalog/issues/2268

Slide 82

Slide 82 text

ڍ͛ͨͷ͸Ұྫ ·ͩ·ͩଟ਺͋Δ

Slide 83

Slide 83 text

ServiceBroker·ͱΊ • ServiceBrokerΛ࢖͏͜ͱͰଞͷϦιʔεͱಉ༷ʹΫϥ΢υαʔϏ ε΋؅ཧͰ͖ͯඇৗʹศར • Helm + ServiceBrokerͰ؀ڥߏஙͷࣗಈԽ͕େ෯ʹਪ͠ਐΊΒΕΔ • ҰํͰ·ͩ໰୊΋ଟ͘ൃల్্ͳײ͡ • ಛʹaws-servicebroker͸·ͩ·ͩʢAzure΍GCP͸҆ఆͯͦ͠͏ʣ • ࣗ෼ͰίʔυΛ௚͢ؾ͕֓͋ΔਓͳΒΦεεϝ • ࠓ͙҆͢ఆͯ͠࢖͍͍ͨਓʹ͸Φεεϝ͠ͳ͍

Slide 84

Slide 84 text

Appendix

Slide 85

Slide 85 text

Open Service Broker API Kubernetes Service Catalog AWS Service Broker GCP Service Broker 0QFO4FSWJDF#SPLFS"1* ͱͯ͠ఆٛ͞Ε͍ͯΔ

Slide 86

Slide 86 text

Open Service Broker API γϯϓϧͳHTTPαʔόͳͷͰ؆୯ʹࣗ࡞Մೳ https://github.com/openservicebrokerapi/servicebroker/blob/v2.14/spec.md

Slide 87

Slide 87 text

Open Service Broker for PostgreSQL • PostgreSQLΛϓϩϏδϣχϯά͢ΔService Broker • ษڧͷͨΊʹࣗ࡞ͯ͠Έͨ • https://github.com/knqyf263/osbpsql • ڵຯ͕͋Δਓ͕͍Ε͹͍͔ͭͦͷ࿩΋ • ຊ౰͸͜ͷลΓͷ࿩΋͔ͨͬͨ͠

Slide 88

Slide 88 text

ࢀߟαΠτ • k8s͕ಋೖ͢ΔService Brokerͷ࢓૊Έͱ͸ • http://jaco.udcp.info/entry/k8s-service-broker • CFͷศརػೳΛଞͷ؀ڥͰ΋ɻOpen Service Broker • https://www.slideshare.net/jacopen/cfopen-service-broker • Open Service Broker for ͘͞ΒͷΫϥ΢υͰKubernetes + Service Catalogग़དྷΔΑ͏ʹ ͳΓ·ͨ͠ • http://febc-yamamoto.hatenablog.jp/entry/2018/03/10/090229 • Open Service Broker APIΛ࢖ͬͯCloud FoundryͱKubernetesͰService BrokerΛ૬ޓ ӡ༻͢Δ • https://blog.ik.am/entries/497

Slide 89

Slide 89 text

Thank you for your attention