VSHN – The DevOps Company Aarno Aukia, CTO Adrian Kosmaczewski, Developer Relations Kubernetes Configuration Management Swiss Re TEC Conference – Tuesday, October 5th, 2021 Hello, my name is Aarno Aukia, CTO and co-founder of VSHN and with me today is Adrian Kosmaczewski, Developer Relations, to talk about Kubernetes Configuration Management. Speaker notes 1

VSHN – The DevOps Company VSHN - The DevOps Company Challenges of managing Kubernetes on different cloud providers Project Syn Demo Agenda First, a few words about VSHN the company Then, the challenges we faced in 2019 when managing hundreds of clusters with hundreds of applications each Then, introducing Project syn, our open source tool to solve these challenges And lastly, a live demo by Adrian Speaker notes 2

VSHN – The DevOps Company Pronounced ˈvɪʒn – like "vision" The DevOps Company Founded 2014, 47 VSHNeers located in Zürich Switzerland’s leading DevOps, Docker & Kubernetes partner 24x7 support ISO 27001 certified ISAE 3402 Type 1 & 2 audited First Swiss Kubernetes Certified Service Provider Just a few words about VSHN; that’s how you pronounce the name, and we’re "The DevOps Company". We’ve been in Zurich since 2014, we’re 47 VSHNeers and we’re Switzerland’s leading DevOps, Docker & Kubernetes partner, offering 24/7 support to our customers. We’ve got a few certifications, and most importantly, we were the First Swiss Kubernetes Certified Service Provider by the CNCF. Speaker notes 3

VSHN – The DevOps Company We provide Kubernetes as a Service under the APPUiO brand name, with Red Hat OpenShift and SUSE Rancher Kubernetes. Today we’re going to tell you more about Project Syn, the kubernetes configuration management tool And K8up, our Kubernetes backup operator that we launched already at Kubecon 2019 All of our products are 100% open source, we have about 350 repositories in total on GitHub. Speaker notes 4

VSHN – The DevOps Company We’re partners with many companies very active in the Cloud Native space, you might recognize some of the logos on this slide. Speaker notes 5

VSHN – The DevOps Company Using Kubernetes on AWS, Azure, GCP, Exoscale, and on-premises - all different distributions Terraform ok for creating clusters, operators for long-term cluster management Provisioning native CSP services outside of the cluster Abstracting CSP & Kubernetes differences Uniform insights, secrets, maintenance-updates, policies, GitOps Challenges The main challenge we faced in 2019 was to manage hundreds of Kubernetes clusters of different distribution type on different infrastructures: hyperscalers, regional service providers customers' on- premises private clouds. There was no tooling at the time to manage EKS, AKS, GKE, SKS, OpenShift and Rancher Kubernetes at the same time. We were used to provision infrastructure using Terraform, but Terraforms approach to manage "the whole infrastructure" and the fast-paced change of contents in the Kubernetes cluster led us to want to use Kubernetes Operators instead We also saw the need to provision services outside of the Kubernetes cluster, for example databases as a service or object storage buckets. And we wanted to abstract a minimal set, a greatest common denominator, of common services across all these cloud providers, so that users can for example declaratively specify the need for a mysql-compatible database without having to know if their application will be deployed on AWS or Azure or on-premises. Many hyperscalers provide proprietary monitoring or secrets management services, to be able to have one unified solution that also works on-premises was yet another challenge to overcome. Speaker notes 6

VSHN – The DevOps Company Integrating: ArgoCD for GitOps Vault for secrets management Crossplane for service provisioning Kapitan for Kubernetes configuration templates Renovate for Maintenance/Updates GitLab for SCM K8up for backups OPA for security policies Prometheus, Grafana, Loki for insights Integrating a lot of existing open source tools Speaker notes 7

VSHN – The DevOps Company Contributing Steward: in-cluster agent Lieutenant: CMDB REST API Commodore: hierarchical configuration generator using Kapitan Enterprise Support including 24x7 Also available as managed service We contribute these three projects plus, optionally, provide 24x7 support and operations services Speaker notes 8

VSHN – The DevOps Company Open source syn.tools github.com/projectsyn No notes on this slide. Speaker notes 9

VSHN – The DevOps Company Prod infrastructure Steward ArgoCD Services Crossplane Backup K8up Insights Vault CSP services S3, RDS, etc Applications Persistent Volumes Corp infrastructure Git repositories for company/tenant/cluster/project level configurations Renovate Lieutenant Inventory Component templates Commodore & Kapitan Git repository for compiled cluster configuration Vault Insights Git VSHN CNCF Let me show you how the different parts work together. On the left is the cluster to be managed, on the right is the management infrastructure - the "headquarter" so to speak. To bootstrap the management of a new cluster, you install the Steward agent on it and provide it a secret to be able to authenticate at the Lieutenant inventory service. The Lieutenant verifies the request, and creates a set of Git repositories if they don’t exist yet. It also saves the cluster metadata like cloud provider, region, Kubernetes type and version in the inventory. Then it kicks off the Commodore service. The Commodore service looks up the configuration for this specific cluster based on a company-wide, a tenant-wide and a cluster specific configuration Git repo. This enables the administrator to set sensible defaults and/or to enforce certain configurations for all tenants and clusters. The configuration references templates, e.g. for a cloud provider or service, that are called "commodore components", which can then reference helm charts, operators, containers, etc. Renovate makes sure to detect and inform about new versions of upstream elements using Git pull requests. Commodore assembles all component templates according to the configuration and inventory, and saves it as actual Kubernetes config in a separate Git repository. Steward gets this repo, and deploys and configures ArgoCD, which can then pull the clusters configuration Speaker notes 10

VSHN – The DevOps Company One of the things we’re working on is a Components Hub, showcasing the 64+ components already available for Commodore! Speaker notes 11

VSHN – The DevOps Company …for Dev …for Ops …for Sec ⇒ for DevSecOps Benefits To answer this question, we are going to show advantages for each of the components of DevSecOps Speaker notes 12

VSHN – The DevOps Company Automated service deployment with Backup of data with , using GitOps with Secrets management with Service monitoring, alerting, metrics, and logs with , , , , Benefits for Developers Crossplane K8up Restic Argo CD Vault Prometheus Alertmanager Signalilo Grafana Loki The main benefit for users of the clusters is the "batteries included" approach to being able to declaratively configure not only the application itself but also all dependencies like services to have a single source of truth in Git: GitOps Speaker notes 13

VSHN – The DevOps Company Configuration management with , and with a hierarchical store in Git Central cluster registry and inventory (including GitOps Git repository management) provided by , and Automated component maintenance with Policy control through Benefits for Operations Commodore Kapitan Jsonnet Lieutenant API Lieutenant Operator Steward Renovate Open Policy Agent The automation of operations procedures supports visibility, reproducibility, and manageability. Speaker notes 14

VSHN – The DevOps Company GitOps: auditability, rollback Container Registry: vulnerability scanning & management Maintenance: immutability through hash verification Logging: traceability Policy Management: enforceability Benefits for DevSecOps No notes on this slide. Speaker notes 15

VSHN – The DevOps Company See it in live action! Demo No notes on this slide. Speaker notes 16

VSHN – The DevOps Company Call to Action vshn.ch/syn syn.tools github.com/projectsyn You can participate too! The development of Project Syn is 100% open source, including the design documents and decision processes. Speaker notes 17

VSHN – The DevOps Company Aarno Aukia, CTO & Adrian Kosmaczewski, Developer Relations VSHN AG – Neugasse 10 – CH-8005 Zürich – +41 44 545 53 00 – – Thanks! vshn.ch [email protected] No notes on this slide. Speaker notes 18