
Kubernetes at the Home Office (PHPUK 16)


At the Home Office we had a problem: hundreds of lines of infrastructure, everyone doing their own thing, and reinventing the wheel. During this talk I'll tell you how we are attempting to resolve that using Docker, Kubernetes and a change in developer culture. This talk consists of 3 parts. In the first I will introduce you to Docker and talk about how to use it to create reusable infrastructure components; then I will talk about how to deploy and manage those components with the open source PaaS Kubernetes; and finally I'll talk about changing our culture using tools and techniques to ensure we keep reusing into the future.

Billie Thompson

February 19, 2016


Transcript

  1. –Docker: “Docker is an open platform for developing, shipping, and running applications. Docker is designed to deliver your applications faster.”
  2. –Docker: “Docker […] makes use of another technology called cgroups or control groups. A key to running applications in isolation is to have them only use the resources you want.”
  3. How do you run a container?
     $ docker run \
         --name="flappy" \
         -p "80:80" \
         quay.io/purplebooth/flappy-endpoint
  4. Continuous Integration • Your artefact is now a container • Online build servers • https://hub.docker.com/ • https://quay.io/repository/
  5. 12 Factor • http://12factor.net/ • Key changes to your app: • Log to STDOUT • Configure using Environment variables
  6. Flappy Endpoint (architecture diagram; labels only): PHP Pod, PHP Pod, Flappy Service, Flappy RC; SSL Terminator Pod, SSL Terminator Pod, SSL Terminator Service, SSL RC
  7. ---
     apiVersion: v1
     kind: ReplicationController
     metadata:
       labels:
         facing: front
         service: flappy
         type: silex
       name: flappy-silex-v1
     spec:
       replicas: 2
       selector:
         service: flappy
         type: silex
         version: v1
       template:
         metadata:
           labels:
             service: flappy
             type: silex
             version: v1
         spec:
           containers:
             -
               image: quay.io/purplebooth/flappy-endpoint
               imagePullPolicy: Always
               livenessProbe:
                 httpGet:
                   path: /
                   port: 80
                 initialDelaySeconds: 15
                 timeoutSeconds: 1
               name: flappy-silex
               ports:
                 -
                   containerPort: 80
                   name: http
                   protocol: TCP
           restartPolicy: Always

  8. image: quay.io/purplebooth/flappy-endpoint
     imagePullPolicy: Always
     livenessProbe:
       httpGet:
         path: /
         port: 80
       initialDelaySeconds: 15
       timeoutSeconds: 1
     name: flappy-silex
     ports:
       -
         containerPort: 80
         name: http
         protocol: TCP

  9. ---
     apiVersion: v1
     kind: ReplicationController
     metadata:
       labels:
         facing: front
         service: flappy
         type: silex
       name: flappy-silex-v1
     spec:
       replicas: 2
       selector:
         service: flappy
         type: silex
         version: v1
       template:
         metadata:
           labels:
             service: flappy
             type: silex
             version: v1
         spec:
           containers:
             - …
           restartPolicy: Always

  10. Can you keep a secret?
      ---
      kind: Secret
      apiVersion: v1
      metadata:
        name: ssh-key-secret
      data:
        "id-rsa": "dmFsdWUtMg0KDQo="
        "id-rsa.pub": "dmFsdWUtMQ0K"
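As an added example (not code from the talk or from the flappy-endpoint project), the Python below shows what the `data` map of a Secret like the one on this slide actually holds and how to build one: the values are base64-encoded bytes, not ciphertext, so the slide's two values decode straight back to their plaintext and the real protection is whatever access control sits in front of the API server. The placeholder certificate contents, the `KEY_PATTERN` check for valid key names and the function names are my own assumptions.

```python
import base64
import json
import re
from typing import Dict

# Kubernetes Secret keys must look like file names: alphanumerics, '-', '_' and '.'.
KEY_PATTERN = re.compile(r"^[-._a-zA-Z0-9]+$")

# The two values from the slide's ssh-key-secret manifest, copied as-is.
SLIDE_SECRET_DATA: Dict[str, str] = {
    "id-rsa": "dmFsdWUtMg0KDQo=",
    "id-rsa.pub": "dmFsdWUtMQ0K",
}


def decode_secret_data(data: Dict[str, str]) -> Dict[str, bytes]:
    """Recover the raw bytes of every entry.

    base64 is an encoding, not encryption: anyone who can read the Secret object
    can do this, so the manifest itself protects nothing.
    """
    return {key: base64.b64decode(value, validate=True) for key, value in data.items()}


def encode_secret_data(files: Dict[str, bytes]) -> Dict[str, str]:
    """Build the `data` map the API server expects: padded standard base64 on one line."""
    for key in files:
        if not KEY_PATTERN.match(key):
            raise ValueError(f"invalid Secret key {key!r}")
    return {key: base64.b64encode(content).decode("ascii") for key, content in files.items()}


def build_secret(name: str, files: Dict[str, bytes]) -> dict:
    """Assemble a v1 Secret object in the layout the slide shows."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "data": encode_secret_data(files),
    }


def secret_manifest_json(name: str, files: Dict[str, bytes]) -> str:
    """Serialise the Secret as JSON, which kubectl accepts as readily as YAML."""
    return json.dumps(build_secret(name, files), indent=2, sort_keys=True)


if __name__ == "__main__":
    # Constructed placeholder contents for the ssl-certs Secret mounted on a later
    # slide; these are not real certificates or keys.
    certs = {
        "purplebooth-co-uk.crt": b"-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n",
        "purplebooth-co-uk.key": b"-----BEGIN PRIVATE KEY-----\nplaceholder\n-----END PRIVATE KEY-----\n",
    }
    print(secret_manifest_json("ssl-certs", certs))
    # Decoding the slide's own values shows how little base64 hides.
    for key, raw in decode_secret_data(SLIDE_SECRET_DATA).items():
        print(key, "->", raw)
```

Running it prints a JSON Secret manifest for the constructed certificate files and then the decoded slide values; `decode_secret_data` returns `b"value-2\r\n\r\n"` for `id-rsa`, which is exactly why who can read Secrets matters more than how they are encoded.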
  11. Can you keep a secret?
      ---
      apiVersion: v1
      kind: ReplicationController
      metadata:
        labels:
          facing: front
          service: flappy
          type: nginx
        name: flappy-nginx-v0
      spec:
        replicas: 2
        selector:
          service: flappy
          type: nginx
          version: v0
        template:
          metadata:
            labels:
              service: flappy
              type: nginx
              version: v0
          spec:
            containers:
              -
                env:
                  -
                    name: SSL_CRT_PATH
                    value: /certs/purplebooth-co-uk.crt
                  -
                    name: SSL_KEY_PATH
                    value: /certs/purplebooth-co-uk.key
                  -
                    name: UPSTREAM
                    value: "flappy-silex:80"
                image: quay.io/purplebooth/nginx-ssl-terminator
                imagePullPolicy: Always
                livenessProbe:
                  httpGet:
                    path: /
                    port: 80
                  initialDelaySeconds: 15
                  timeoutSeconds: 1
                name: flappy-nginx
                ports:
                  -
                    containerPort: 80
                    name: http
                    protocol: TCP
                  -
                    containerPort: 443
                    name: https
                    protocol: TCP
                volumeMounts:
                  -
                    mountPath: /certs
                    name: ssl-certs
            restartPolicy: Always
            volumes:
              -
                name: ssl-certs
                secret:
                  secretName: ssl-certs

  12. Can you keep a secret?
      env:
        -
          name: SSL_CRT_PATH
          value: /certs/purplebooth-co-uk.crt
        -
          name: SSL_KEY_PATH
          value: /certs/purplebooth-co-uk.key
      …
      volumeMounts:
        -
          mountPath: /certs
          name: ssl-certs
      …
      volumes:
        -
          name: ssl-certs
          secret:
            secretName: ssl-certs

  13. Load Balancer
      ---
      apiVersion: v1
      kind: Service
      metadata:
        labels:
          facing: front
          service: flappy
          type: nginx
        name: flappy-nginx
      spec:
        ports:
          -
            name: http
            port: 80
            protocol: TCP
            targetPort: http
          -
            name: https
            port: 443
            protocol: TCP
            targetPort: https
        selector:
          service: flappy
          type: nginx
        type: LoadBalancer

  14. Solving the Management Puzzle • No Ansible/Puppet/Chef/Hideous bash scripts • Rolling Updates • Health Checks • Services • Resource Limits
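An added example, not the talk's or the Home Office's code: a small Python linter over the slide 11 ReplicationController and the slide 13 Service (transcribed here as dicts so it runs without a YAML parser) that checks the points this slide lists. It confirms the selector actually matches the pod template, that every container has a health check and resource limits, that the upstream image is pinned to a tag rather than an implicit `:latest`, that key material reaches the container through the Secret volume rather than a literal env value, and that the Service's named `targetPort`s exist on the pods. The `SENSITIVE_HINTS` list, the function names and the finding wording are my own assumptions; the manifests themselves are the slides' values.

```python
from typing import List

# The flappy-nginx ReplicationController and Service from the slides, transcribed as dicts.
FLAPPY_NGINX_RC: dict = {
    "apiVersion": "v1", "kind": "ReplicationController",
    "metadata": {"name": "flappy-nginx-v0",
                 "labels": {"facing": "front", "service": "flappy", "type": "nginx"}},
    "spec": {
        "replicas": 2,
        "selector": {"service": "flappy", "type": "nginx", "version": "v0"},
        "template": {
            "metadata": {"labels": {"service": "flappy", "type": "nginx", "version": "v0"}},
            "spec": {
                "containers": [{
                    "name": "flappy-nginx",
                    "image": "quay.io/purplebooth/nginx-ssl-terminator",
                    "imagePullPolicy": "Always",
                    "env": [{"name": "SSL_CRT_PATH", "value": "/certs/purplebooth-co-uk.crt"},
                            {"name": "SSL_KEY_PATH", "value": "/certs/purplebooth-co-uk.key"},
                            {"name": "UPSTREAM", "value": "flappy-silex:80"}],
                    "livenessProbe": {"httpGet": {"path": "/", "port": 80},
                                      "initialDelaySeconds": 15, "timeoutSeconds": 1},
                    "ports": [{"containerPort": 80, "name": "http", "protocol": "TCP"},
                              {"containerPort": 443, "name": "https", "protocol": "TCP"}],
                    "volumeMounts": [{"mountPath": "/certs", "name": "ssl-certs"}],
                }],
                "restartPolicy": "Always",
                "volumes": [{"name": "ssl-certs", "secret": {"secretName": "ssl-certs"}}],
            },
        },
    },
}
FLAPPY_NGINX_SVC: dict = {
    "apiVersion": "v1", "kind": "Service", "metadata": {"name": "flappy-nginx"},
    "spec": {"type": "LoadBalancer",
             "selector": {"service": "flappy", "type": "nginx"},
             "ports": [{"name": "http", "port": 80, "protocol": "TCP", "targetPort": "http"},
                       {"name": "https", "port": 443, "protocol": "TCP", "targetPort": "https"}]},
}

# Env var names that usually carry credentials or key material (my own heuristic list).
SENSITIVE_HINTS = ("KEY", "CRT", "CERT", "PEM", "SECRET", "PASSWORD", "TOKEN")


def lint_controller(manifest: dict) -> List[str]:
    """Return findings for a controller manifest; an empty list means every check passed."""
    findings: List[str] = []
    spec = manifest.get("spec", {})
    template = spec.get("template", {})
    pod = template.get("spec", {})
    labels = template.get("metadata", {}).get("labels", {})
    # 1. Every selector key must appear on the pod template, or the controller adopts nothing.
    for key, value in spec.get("selector", {}).items():
        if labels.get(key) != value:
            findings.append(f"selector {key}={value} is not matched by the pod template labels")
    volumes = {v["name"]: v for v in pod.get("volumes", [])}
    for c in pod.get("containers", []):
        cname = c.get("name", "<unnamed>")
        # 2. Health checks: the kubelet can only restart a wedged container if it can detect it.
        if "livenessProbe" not in c:
            findings.append(f"{cname}: no livenessProbe")
        # 3. Resource limits: without them one runaway container can starve the whole node.
        if "limits" not in (c.get("resources") or {}):
            findings.append(f"{cname}: no resources.limits")
        # 4. Control your upstream containers: an untagged image is an implicit :latest, and
        #    with imagePullPolicy Always every restart may pull something different.
        image = c.get("image", "")
        if ":" not in image.rsplit("/", 1)[-1]:
            findings.append(f"{cname}: image {image!r} is untagged (implicit :latest)")
        # 5. Key material should arrive through a Secret volume: a *_PATH env var pointing
        #    under a secret-backed mount is fine, a literal credential in env is not.
        mounts = c.get("volumeMounts", [])
        for env in c.get("env", []):
            name, value = env.get("name", ""), env.get("value")
            if value is None or not any(h in name.upper() for h in SENSITIVE_HINTS):
                continue
            backing = [volumes.get(m["name"], {}) for m in mounts
                       if value.startswith(m["mountPath"].rstrip("/") + "/")]
            if not value.startswith("/"):
                findings.append(f"{cname}: env {name} holds a literal value; mount a Secret instead")
            elif not any("secret" in v for v in backing):
                findings.append(f"{cname}: env {name} path {value} is not under a Secret volume mount")
    return findings


def lint_service(service: dict, controller: dict) -> List[str]:
    """Check that a Service can reach the controller's pods: selector and named target ports."""
    findings: List[str] = []
    template = controller["spec"]["template"]
    labels = template["metadata"]["labels"]
    for key, value in service["spec"].get("selector", {}).items():
        if labels.get(key) != value:
            findings.append(f"service selector {key}={value} matches no pod template label")
    port_names = {p["name"] for c in template["spec"]["containers"] for p in c.get("ports", [])}
    for p in service["spec"].get("ports", []):
        target = p.get("targetPort", p["port"])
        if isinstance(target, str) and target not in port_names:
            findings.append(f"service port {p['port']} targets unknown named port {target!r}")
    return findings
```

On the slide's own manifests `lint_controller(FLAPPY_NGINX_RC)` reports exactly two things, no `resources.limits` and an untagged image, while `lint_service(FLAPPY_NGINX_SVC, FLAPPY_NGINX_RC)` is clean: the Secret is mounted as a volume and only the paths travel through env, which is the pattern the "Can you keep a secret?" slides show.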
  15. Work like us • What and how we reuse things • Think like a platform • Work Securely
  16. Being a good person (inside and out) • Version stuff (SemVer) • Write Beautiful Documentation • License • Code of Conduct
  17. Thinking like a PaaS • AWS + Kubernetes • CoreOS on AWS (with Kubernetes) • Google Container Engine (Kubernetes) • Vagrant + Kubernetes • KUBERNETES!
  18. Work Securely • Use WAF Containers • Control your upstream containers! • Physical separation (sometimes)
  19. Come be cool • Still pretty early days • Management is easy • Hosting Agnostic • Reuse • You can play with it today
  20. Any Questions! @purplebooth • https://billie.codes/1MXEtRc - Kubernetes on Vagrant • https://github.com/PurpleBooth/flappy-endpoint • https://github.com/ukhomeoffice • https://joind.in/talk/d436e