Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Managing Helm Deployments with GitOPS at CERN

Ricardo Rocha
November 19, 2019
Technology
0
170

Managing Helm Deployments with GitOPS at CERN

Tuesday, November 19 • 2:25pm - 3:00pm
Managing Helm Deployments with Gitops at CERN - Ricardo Rocha, CERN
Click here to remove from My Sched.
https://sched.co/UabD
TweetShare
WHAT DID YOU THINK?

Please share details here.
Kubernetes has taken a key role at CERN both for physics analysis and core IT services, simplifying and accelerating deployments and allowing a much higher rate of updates and upgrades.

This session will describe how helm is used for managing the description and configuration of the services. How CERN uses chartmuseum to maintain its private chart repositories, and how a custom plugin is used to manage secrets in the configuration, safely pushing encrypted payloads into git repositories. How a well defined structure of umbrella charts (sometimes referred to as meta charts) is used to define high level applications with complex dependencies, and how the notion of service variants and environments is exposed.

A demo will show the full gitops lifecycle for both production and canary deployments, relying on weave flux to quickly propagate changes to clusters.

Ricardo Rocha

November 19, 2019
Tweet

More Decks by Ricardo Rocha

See All by Ricardo Rocha
Building Bridges: Cloud Native and High Performance Computing
rochaporto
0
62
Kubernetes no CERN
rochaporto
0
37
Kubernetes, Ingress and Traefik Usage at CERN
rochaporto
0
210
Kubernetes no CERN
rochaporto
1
60
Infrastructure at CERN Scale - DevOps Porto
rochaporto
0
91
Reperforming a Nobel Prize Discovery on Kubernetes
rochaporto
1
120
Kubernetes at CERN: Use Cases, Integration and Challenges
rochaporto
12
11k

Other Decks in Technology

See All in Technology
LLM開発・活用の舞台裏@2024.04.25
yushin_n
1
360
データベース02: データベースの概念
trycycle
0
160
MapLibreとAmazon Location Service
dayjournal
1
160
【NW X Security JAWS#3】L3-4:AWS環境のIPv6移行に向けて知っておきたいこと
shotashiratori
0
360
一生覚えておきたい「システム開発=コミュニケーション」〜初めての実務案件振り返りLT〜
maimyyym
1
160
ChatGPT for IT Service Management (IT Pro)
dahatake
7
1.6k
VS CodeでAWSを操作しよう
smt7174
8
1.7k
いつか使うかも貯金してたらめちゃめちゃ機能が増えてた話
riyaamemiya
0
320
20240418_Google ColabにLLMが搭載されたようなのでPython x データ分析の勉強方法を考えてみる
doradora09
0
140
JAWS-UG Bedrock Claude Night
yamahiro
3
610
Delivering Millions of Messages within seconds @ Duolingo
pelelgrino
0
350
元インフラエンジニアに成る / Human Resources to Human Relations
bobtani
4
930

Featured

See All Featured
The Art of Programming - Codeland 2020
erikaheidi
42
12k
Web Components: a chance to create the future
zenorocha
305
41k
How To Stay Up To Date on Web Technology
chriscoyier
782
250k
Six Lessons from altMBA
skipperchong
21
3k
10 Git Anti Patterns You Should be Aware of
lemiorhan
648
58k
GraphQLとの向き合い方2022年版
quramy
32
12k
Agile that works and the tools we love
rasmusluckow
325
20k
Debugging Ruby Performance
tmm1
70
11k
jQuery: Nuts, Bolts and Bling
dougneiner
59
7.1k
Fireside Chat
paigeccino
21
2.6k
Gamification - CAS2011
davidbonilla
76
4.6k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
17
1.4k

Transcript

  1. Managing Helm Deployments with GitOPS at CERN Ricardo Rocha @ahcorporto

    [email protected]
  2. None
  3. None
  4. None
  5. None
  6. None

  7. Computing at CERN Increased numbers, increased automation 1970s 2007

  8. Computing at CERN Increased numbers, increased automation 1970 2007

  9. Computing at CERN Increased numbers, increased automation 1970 2007

  10. Computing at CERN Increased numbers, increased automation 1970 2007

  11. Automation and Efficiency

  12. Provisioning Deployment Update Physical Infrastructure Days or Weeks Minutes or

    Hours Minutes or Hours Utilization Poor Maintenance Highly Intrusive

  13. Provisioning Deployment Update Physical Infrastructure Days or Weeks Minutes or

    Hours Minutes or Hours Utilization Poor Maintenance Highly Intrusive Cloud API Virtualization Minutes Minutes or Hours Minutes or Hours Good Potentially Less Intrusive

  14. Provisioning Deployment Update Physical Infrastructure Days or Weeks Minutes or

    Hours Minutes or Hours Utilization Poor Maintenance Highly Intrusive Cloud API Virtualization Minutes Minutes or Hours Minutes or Hours Good Potentially Less Intrusive Containers Seconds Seconds Seconds Very Good Less Intrusive

  15. “ Where is my machine hosted? “ “ What is

    the state of the hypervisor? “ “ Could you check for noisy neighbors? “ But similar automation tools, ssh, systemd, syslog, etc Physical to Virtualization and Cloud

  16. “ How do i retrieve my application’s logs? And how

    to log rotate? “ “ How do i access the node running container X ? “ “ How do i install package X on the nodes? “ “ Seems like one of the cluster node’s filesystem went read-only... “ “ Docker, Kubernetes, Ingress … now Helm … this is a lot of new stuff! “ Significant change in mindset and a steeper learning curve And then to containers ...

  17. Container Use Cases Experiment Trigger farms Spark as a Service,

    on demand Spark clusters on Kubernetes KubeFlow and distributed ML training Batch on Kubernetes, Native and HTCondor WebLogic and other internal services

  18. Making it easier... Container Trainings, Workshops, Office Hours One thing

    is similar … what is now called GitOps We’ve used git for years to store and manage configuration Maybe that can help onboarding more service managers Puppet to Helm Manifests vs Golang, YAML config for both Much faster turn-around
  19. None

  20. Charts Repository Initially package charts stored in plain S3 Moved

    to chartmuseum to have a management API, with S3 as backend Mirrored and home grown chart repositories All triggered by GitLab CI Versions include commit hash (x.y.z-cern-x.y.z) CERN STABLE INCUB. OPENST ACK TUNGST EN ... git push helm lint helm test helm package git tag helm lint helm test helm package helm push

  21. Umbrella Charts Meta charts wrapping the different charts required per

    application Units of deployment with all dependencies and any additional manifests Stored separately as they manage cluster state ( permissions and visibility ) First go relied on branches for environments and a custom structure $ cat requirements.yaml dependencies: - name: binderhub version: 0.2.0-575fb2a repository: https://charts.cern.ch/jupyterhub $ ls templates ds-gpu.yaml psp.yaml $ ls Chart.yaml requirements.yaml secrets.yaml templates/ values.yaml

  22. Managing Secrets Option 1: Building on Kubernetes Secrets or similar

    CRDs No easy or obvious way to plug external secrets Bitnami SealedSecrets: works well, but hard with existing charts Vault an option to fully delegate secret management Option 2: Take (part of) the helm values as secret data, not the resources Versioning of secrets along the rest of the configuration Futuresimple helm-secrets (existing plugin) with sops

  23. A Barbican Secret Plugin for Helm Similar interface to futuresimple

    helm-secrets Builds on existing identity scheme to access and manage encryption keys $ helm --name <release> secrets view secrets.yaml edit secrets.yaml install stable/nginx --values secrets.yaml upgrade stable/nginx --values secrets.yaml lint --values secrets.yaml Similar wrapper for kubectl https://github.com/cernops/helm-barbican

  24. Our end goal from the start Relying on chart updates

    only Flux and GitOps Meta Chart Registry git push docker push FluxCD git pull Helm Release CRD $ helm install fluxcd/flux \ --namespace flux --name flux --values flux-values.yaml --set git.pollInterval=1m --set git.url=https://gitlab.cern.ch/.../hub $ cat flux-values.yaml rbac: create: true helmOperator: create: true chartsSyncInterval: 5m configureRepositories: enable: true repositories: - name: jupyterhub url: https://charts.cern.ch/jupyterhub ... Helm Operator

  25. Flux and GitOps What’s in a Helm Release? apiVersion: flux.weave.works/v1beta1

    kind: HelmRelease metadata: name: hub namespace: prod spec: releaseName: hub chart: git: https://gitlab.cern.ch/.../hub.git path: charts/hub ref: master valuesFrom: - secretKeyRef: name: hub-secrets key: values.yaml values: binderhub: ... This is how we plug our encrypted values data |-- charts |-- hub Chart.yaml requirements.yaml values.yaml |-- templates custom-manifest.yaml |-- namespaces prod.yaml stg.yaml |-- releases |-- prod hub.yaml |-- stg hub.yaml |-- secrets |-- prod secrets.yaml |-- stg secrets.yaml

  26. Use Case: JupyterHub + BinderHub Demo time

  27. Ongoing: GitOps for Cluster Lifecycle Currently validating this solution to

    centrally manage upgrades Reduce the scope of the cluster orchestration tool to base components Let a single Flux HelmRelease manage all add-ons (staging, prod) dependencies: - name: eosxd version: 0.3.1-cern-0.1.0-7+ba5e81 repository: http://charts.cern.ch/cern - name: fluentd version: 2.2.1-cern-0.1.0-3+1c551a1 repository: http://charts.cern.ch/ stable - name: prometheus version: 9.3.1-cern-0.1.0-3+1c551a1 repository: http://charts.cern.ch/stable - name: traefik version: 1.79.0-cern-0.1.0-3+1c551a1 repository: http://charts.cern.ch/stable ...

  28. Conclusion & Next Steps Helm and (Argo) Flux give us

    a familiar toolset for containerized applications Git as the source of truth Helm v3 and goodbye Tiller Helm Hub, Signed Helm Charts (re) Consider automation of charts and container image updates Cattle clusters, Blue / Green, Canary with Service Mesh

  29. Next Steps Helm v3 , goodbye Tiller Signed charts

  30. Questions? LHC is in a long shutdown for the next

    year, underground visits possible https://visit.cern Follow our tech blog https://techblog.web.cern.ch @ahcorporto , [email protected]