Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Terraform管理下のマネージドリソースとk8sリソースを一元的にGitOpsするまでの試行錯誤

Avatar for uya116 uya116
February 28, 2023
Technology
770
1

 Terraform管理下のマネージドリソースとk8sリソースを一元的にGitOpsするまでの試行錯誤

2023/2/27 CI/CD Conference 2023 前夜祭で登壇した資料です。
https://cloudnativedays.connpass.com/event/274402/

Avatar for uya116

uya116

February 28, 2023

More Decks by uya116

See All by uya116
競プロのすすめ
Avatar for uya116 uya116
1
1k

Other Decks in Technology

See All in Technology
AI時代のガードレールとしてのAPIガバナンス
Avatar for 草薙昭彦 nagix
0
210
生成AI時代のエンジニア育成 変わる時代と変わらないコト
Avatar for starfish719 starfish719
0
9.5k
小説執筆のハーネスエンジニアリング
Avatar for osushi_cr yoshitetsu
0
320
Standards et agents IA : un tour d’horizon de MCP, A2A, ADK et plus encore
Avatar for Guillaume Laforge glaforge
0
130
The Journey of Box Building
Avatar for Satoshi Tagomori tagomoris
4
380
AIを共同作業者にして書籍を執筆する方法 / How to Write a Book with AI as a Co-Creator
Avatar for ama-ch ama_ch
2
130
EBS暗号化に失敗してEC2が動かなくなった話
Avatar for Moe Hamaguchi hamaguchimmm
2
180
Claude Code を安全に使おう勉強会 / Claude Code Security Basics
Avatar for MasahiroKawahara masahirokawahara
2
21k
AzureのIaC管理からログ調査まで、​随所に役立つ​SkillsとCustom-Instructions​ / Boosting IaC and Log Analysis with Skills
Avatar for AEON aeonpeople
0
190
弁護士ドットコム株式会社 エンジニア職向け 会社紹介資料
Avatar for 弁護士ドットコム bengo4com
1
120
自分のハンドルは自分で握れ! ― 自分のケイパビリティを増やし、メンバーのケイパビリティ獲得を支援する ― / Take the wheel yourself
Avatar for TAKAKING22 takaking22
1
840
Oracle AI Database@AWS:サービス概要のご紹介
Avatar for oracle4engineer oracle4engineer
PRO
4
2.3k

Featured

See All Featured
The AI Revolution Will Not Be Monopolized: How open-source beats economies of scale, even for LLMs
Avatar for Ines Montani inesmontani
PRO
3
3.3k
A Soul's Torment
Avatar for Nat Ma seathinner
6
2.7k
The Invisible Side of Design
Avatar for Vitaly Friedman smashingmag
302
51k
It's Worth the Effort
Avatar for 3n 3n
188
29k
Ten Tips & Tricks for a 🌱 transition
Avatar for Manu Carrasco Molina stuffmc
0
98
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
Avatar for mongodb mongodb
49
9.9k
The State of eCommerce SEO: How to Win in Today's Products SERPs - #SEOweek
Avatar for Aleyda Solis aleyda
2
10k
A better future with KSS
Avatar for Kyle Neath kneath
240
18k
RailsConf 2023
Avatar for Aaron Patterson tenderlove
30
1.4k
The Power of CSS Pseudo Elements
Avatar for Geoffrey Crofte geoffreycrofte
82
6.2k
Chasing Engaging Ingredients in Design
Avatar for Sebastian Deterding codingconduct
0
170
Building Applications with DynamoDB
Avatar for Matt Wood mza
96
7k

Transcript

  1. Terraform ؅ཧԼͷϚωʔδυϦιʔεͱ k8s ϦιʔεΛҰݩతʹ GitOps ͢Δ·Ͱͷ ࢼߦࡨޡ 2023/02/27 ιϑτόϯΫגࣜձࣾ Ϋϥ΢υΤϯδχΞϦϯάຊ෦

    Cloud Native Days CI/CD Conference 2023 લ໷ࡇ ࡾվ໦ ༟໼

  2. ࡾվ໦ ༟໼ (Mizorogi Yuya) 2 ࣗݾ঺հ ॴଐ ιϑτόϯΫגࣜձࣾ 
 ๏ਓࣄۀ౷ׅ

    Ϋϥ΢υΤϯδχΞϦϯάຊ෦ ɾ2021೥ʹத్ೖࣾ ɾ๏ਓ޲͚ͷΞϓϦέʔγϣϯج൫ͷ։ൃΛ୲౰ ɾझຯ͸ย෇͚ͱڝϓϩ 
 @_uya116

  3. • ΞϓϦέʔγϣϯΤϯδχΞ͕ Kubernetes Λҙࣝ͠ͳͯ͘ྑ͍࢓૊Έ 3 ιϑτόϯΫͰ͸͜ΜͳαʔϏεΛ࡞͍ͬͯ·͢ ੡඼ϖʔδ͸ͪ͜Β

  4. • Ϛωʔδυ Kubernetes ؀ڥʹࣄલఆٛࡁͷ Helm ύοέʔδΛద༻ 4 ιϑτόϯΫͰ͸͜ΜͳαʔϏεΛ࡞͍ͬͯ·͢ DEPLOYMENT STORAGE

    RDB VAULT MONITORING IAM ࣄલఆٛࡁύοέʔδ MESSAGING ͳͲ

  5. • ϚωʔδυϦιʔεͱ Kubernetes Ϧιʔεͷ૒ํͷ؅ཧ͕ඞཁ ◦ ύϒϦοΫΫϥ΢υͷϚωʔδυ Kubernetes Λ࢖͏ͱͳ͓͞Β 5 എܠ

  6. • IaC ܗࣜͱͦΕʹ൐͏ CD αʔϏε͕ҟͳΓύΠϓϥΠϯ͕෼͔Εͯ͠·͏ ◦ ͜ΕʹΑͬͯ؅ཧ͕൥ࡶʹͳΔ 6 ೋछྨͷϦιʔεΛ؅ཧ͢Δ͜ͱʹΑΔGitOpsͷ՝୊ Github

    Actions Jenkins AWS Code γϦʔζ Ϧιʔε CD αʔϏε Git Terraform CloudFormation Kubernetes ϚχϑΣετ ͳͲ ͳͲ ͳͲ IaC ܗࣜ ϚωʔδυϦιʔε Kubernetes Ϧιʔε

  7. • IaC ܗࣜ or CD αʔϏεΛἧ͑Δ͜ͱʹΑΓҰݩԽͰ͖ͳ͍͔ݕ౼ 7 ݕ౼ Github Actions

    Jenkins AWS CodePipeline ͳͲ ͳͲ ͳͲ Ϧιʔε CD αʔϏε Git IaC ܗࣜ ϚωʔδυϦιʔε Kubernetes Ϧιʔε Terraform CloudFormation Kubernetes ϚχϑΣετ

  8. • IaC ܗࣜΛἧ͑Δ৔߹ ◦ Terraform k8s provider ͔֤ϕϯμʔͷఏڙ͢Δ k8s controller

    ͕ީิ ◦ ύΠϓϥΠϯ͕؆ܿʹͳΔ͕ରԠϦιʔε͕ݶఆ͞Ε͍ͯΔ 8 ݕ౼ ʙIaC ܗࣜΛἧ͑Δʙ Github Actions Jenkins AWS CodePipeline ͳͲ ͳͲ ͳͲ Ϛωʔδυ Ϧιʔε ʹدͤΔ ᶃ Terraform k8s provider Kubernetes Ϧιʔε ʹدͤΔ ᶄ ConfigConnector / ASO / ACK controller ϚωʔδυϦιʔε Kubernetes Ϧιʔε IaC ܗࣜ Terraform CloudFormation Kubernetes ϚχϑΣετ

  9. • CD αʔϏεΛἧ͑ͨ৔߹ ◦ ύΠϓϥΠϯ಺΍ద༻؀ڥͰίϚϯυΛ࣮ߦ͠ڧҾʹϦιʔεΛσϓϩΠ͢Δ ◦ ίϚϯυ࣮ߦͷͨΊࣗ༝౓͸ߴ͍͕ύΠϓϥΠϯ͕ෳࡶʹͳΔ 9 ݕ౼ ʙCD

    αʔϏεΛἧ͑Δʙ Github Actions Jenkins AWS CodePipeline ͳͲ ͳͲ Ϛωʔδυ Ϧιʔε ʹدͤΔ ᶅ k8s ίϯςΩετΛऔಘͯ͠ apply Kubernetes Ϧιʔε ʹدͤΔ ᶆ k8s ಺Ͱ Ϛωʔδυ༻ͷ IaC Λద༻ apply ϚωʔδυϦιʔε Kubernetes Ϧιʔε CD αʔϏε

  10. 10 ݕ౼ ʙ֤ํ๏ͷൺֱʙ IaC ܗࣜΛἧ͑Δ CD αʔϏεΛἧ͑Δ Ϛωʔδυ Ϧιʔε ʹدͤΔ

    ᶃ Terraform k8s provider ᶅ k8s ίϯςΩετΛऔಘͯ͠ apply Kubernetes Ϧιʔε ʹدͤΔ ᶄ ConfigConnector / ASO / ACK ᶆ k8s ಺Ͱ Ϛωʔδυ༻ͷ IaC Λద༻ controller apply ෳࡶʹͳΔ͕ ࣗ༝౓͕ߴ͍ Ϧιʔε੍ݶ͕ ͋Δ͕؆ܿ ͲͪΒ͕ ϝΠϯ͔

  11. • ฐαʔϏε͸ Kubernetes Ϧιʔεத৺ͷͨΊᶄᶆΛ࠾༻ ◦ ֤ϕϯμͷ k8s controller ʹରԠ͍ͯ͠ΔϚωʔδυϦιʔε →

    ᶄͰ࡞੒ ◦ ະରԠ΋͘͠͸ k8s controller Ͱͷಈ࡞͕ෆ҆ఆͳϦιʔε → ᶆͰ࡞੒ 11 ݕ౼݁Ռ IaC ܗࣜΛἧ͑Δ CD αʔϏεΛἧ͑Δ Kubernetes Ϧιʔε ʹدͤΔ ᶄ ConfigConnector / ASO / ACK ᶆ k8s ಺Ͱ Ϛωʔδυ༻ͷ IaC Λద༻ controller

  12. • ݕ౼݁Ռʹैͬͯ GitOps ύΠϓϥΠϯΛߏங • Job Ͱ terraform ίϚϯυΛ࣮ߦ͢Δ͕࣮૷ͷෛՙ͕ߴ͍ ◦

    Helm ࡟আ࣌ʹ Job Λ࣮ߦ͢Δ͕ terraform destroy ʹࣦഊ͢Δͱ Job ͕ࣦഊ͠ 
 Helm ͕ফͤͳ͘ͳΔ → ঢ়ଶʹԠͨ͡ίϚϯυͷ੍ޚ͕ඞཁ ◦ drift ൃੜ࣌ͷ੍ޚ ࢪࡦ ʙฐαʔϏεͷ GitOps ύΠϓϥΠϯʙ vender controller 12 ϕϯμͷ k8s controller ࣗ࡞ Job Ͱ terraform ࣮ߦ ※ ฐαʔϏεͷཱͯ෇্͚ Helm Ͱύοέʔδϯά͍ͯ͠Δ

  13. • Terraform ϦιʔεΛ؅ཧ͢Δ Kubernetes Controller ◦ Flux ͱ࿈ܞͯ͠ Terraform ͷ

    GitOps Λ࣮ݱ͢Δ ◦ TF state ϑΝΠϧͷΫϥ΢υετϨʔδ؅ཧɺOIDC ࿈ܞͳͲඞཁͳػೳ͕ἧ͍ͬͯΔ 13 Weave GitOps Terraform Controller https://weaveworks.github.io/tf-controller/ Terraform Controller kind: Terraform ᶃݕ஌ ᶅ࡞੒ ᶄ TF ϑΝΠϧऔಘ

  14. Weave GitOps Terraform Controller “ࣗ෼ͷϖʔε”Ͱ GitOps ͱ͍͏ίϯηϓτΛܝ͓͛ͯΓ 
 ϚχϑΣετʹ߹Θͤͨ Terraform

    apply / destroy ͷࣗಈద༻͚ͩͰͳ͘ 
 drift ͷݕग़ͷΈߦ͏͜ͱ΋Մೳ TF ϑΝΠϧͷ֨ೲݩɻflux ͷ GitRepository / OCIRepository Λࢦఆ TF ϑΝΠϧʹΘͨ͢؀ڥม਺ͷઃఆ terraform ίϚϯυΛ࣮ߦ͢Δ ServiceAccount Terraform CR Λ࡟আͨ͠ͱ͖ʹΫϥ΢υ্ͷϦιʔε΋ফ͔͢ backend ͷઃఆ

  15. σϞ

  16. • Weave GitOps Terraform Controller Λ༻͍Δ͜ͱͰҰݩ GitOps Λ࣮ݱ 16 ࢪࡦ

    ʙฐαʔϏεͷ GitOps ύΠϓϥΠϯʢAfterʣʙ vender controller ϕϯμͷ k8s controller ͰϦιʔε࡞੒ Terraform Controller Ͱ terraform ࣮ߦ terraform controller

  17. • Flux v0.32.0 ͰରԠͨ͠ OCI ϦϙδτϦ ʹ TF ϑΝΠϧΛ֨ೲ͍ͯ͠Δ ◦

    ͜ΕʹΑΓ Docker image, Helm Chart, TF ϑΝΠϧΛಉҰαʔϏεͰ؅ཧ͢Δ͜ͱ͕Մೳ ◦ ೝূํ๏΋ڞ௨ԽͰ͖Δ Weave GitOps Terraform Controller Ͱͷ޻෉ 17 AKS ฐαʔϏεͷ୲౰ൣғ OCI ϦϙδτϦ (Artifact Registry) GKE EKS

  18. • Artifact Registry ʹ֤ k8s ͔ΒΞΫηε͢Δඞཁ͕͋Δ ◦ ظݶ͕௕͍ΫϨσϯγϟϧ৘ใ͸࣋ͪͨ͘ͳ͍ͨΊ OIDC ࿈ܞ͍ͨ͠

    ◦ ͔͠͠ݱঢ় OCI ϦϙδτϦʹର͢Δ Flux source-controller Ͱ͸ GC ͱͷ OIDC ࿈ܞ͕ະରԠ 18 Weave GitOps Terraform Controller Ͱͷ޻෉ ✕ AWSͰݖݶҕ೚͞ΕͨτʔΫϯΛ༻͍ͯ GC ͱ࿈ܞ͍͕ͨ͠ɾɾɾ Flux

  19. • OIDC ࿈ܞͨ͠ CronJob Ͱ imagePullSecret Λ࡞੒͢Δ ◦ imagePullSecret ͷߋ৽Λ

    OIDC ࿈ܞͨ͠ CronJob Ͱఆظతʹ࣮ࢪ͢Δ͜ͱͰ՝୊Λճආ ◦ ֤Ϛωʔδυ k8s ͔Β Artifact Registry ΁ͷΞΫηε͕Մೳͱͳͬͨ 19 Weave GitOps Terraform Controller Ͱͷ޻෉ ˕ Flux ✕ Flux Before After

  20. • GitOps Λڞ௨Խ͢Δͱ࣍͸ςετ΋ڞ௨Խͨ͘͠ͳΔɾɾɾ 20 ςετʹ͍ͭͯ ςετର৅ vender controller terraform controller

  21. • νʔϜϝϯόʔ͕ CI/CD ΧϯϑΝϨϯεຊฤͰ࿩͠·͢ʂ 21 ςετʹ͍ͭͯ

  22. 22 ·ͱΊ 1. Weave GitOps Terraform Controller Λ༻͍Δ͜ͱͰ GitOps ͷҰݩԽΛ࣮ݱ

    2. TF ϑΝΠϧ͸ OCI ϦϙδτϦͰ؅ཧ͠ imagePullSecret ൃߦʹΑΓΞΫηε 3. ςετͷڞ௨Խʹ͍ͭͯ͸ຊฤΛָ͓͠Έʹ vender controller terraform controller OCI ϦϙδτϦ