From shipping rpms to helm charts - Lessons learned and best practices

www.jfrog.comCopyright © 2018 JFrog. All Rights Reserved
Lessons learned and best practices
From shipping rpms to containerized
microservices to run on k8s
Ankush Chadha – Senior Solution Developer
Sept 15th 2018

Copyright @ 2018 JFrog - All rights reserved. @ankushchadha111
Who’s Speaking?
ANKUSH CHADHA
Senior Solution Developer
@ankushchadha111

From app to k8s
3
app
docker-app:1.0
Manifest
sha256:252564
..
OS: SHA2
Layer n: SHA2
app: SHA2
docker-app:1.0
Manifest
sha256:252564
..
OS: SHA2
Layer n: SHA2
app: SHA2
helper-a:1.0
Manifest
OS
Layer n
helper-b:1.0
Manifest
OS
Layer n
1 2

From app to k8s
4
app
docker-app:1.0
Manifest
sha256:252564
..
OS: SHA2
Layer n: SHA2
app: SHA2
docker-app:1.0
Manifest
sha256:252564
..
OS: SHA2
Layer n: SHA2
app: SHA2
helper-a:1.0
Manifest
OS
Layer n
helper-b:1.0
Manifest
OS
Layer n
1 2
config compute

Let’s talk about app: Lessons learned
5
app
docker-app:1.0
Manifest
sha256:252564
..
OS: SHA2
Layer n: SHA2
app: SHA2
config
tools
OS
1
● Can we ship all tools? What about
license?
● What about configurations? Is it fine
tuned for staging?
● What’s the best way to containerize
the app?
● How do we patch security updates?

Best Practices: Containerize an app
● Build once and promote
6

Build Once and Promote
Manifest
sha256:252564..
OS: SHA2
Framework: SHA2
L
a
y
e
r
s
T
a
g
s
Application: SHA2:
3
ac-image:1.0-dev ac-image:1.0-qa
ac-image:1.0-
release

● Build once and promote
● Double tagging (for traceability)
8

Copyright @ 2018 JFrog - All rights reserved. @ankushchadha111 9
BUILD SCAN TEST PROMOTE
● 3 different and independent release cycles
base layer  known good version
containerized app
app

CI/CD
10
1
OS: SHA2
Layer n: SHA2
2
base-image:1.0 ac-app:1.0
Manifest
sha256:252564
Manifest
sha256:462564.
.
app: SHA2: 4
3 4
https://github.com/jfrogtraining/kubernetes_example

Approaches to build docker image
● Dockerfile approach
● Dockerfile-less approach
● Docker daemon less approach
11

Dockerfile
Dockerfile should be carefully
constructed
○ Number of layers
○ Size of layers
○ Changes in layers
○ Security

Copyright © 2018 JFrog. All Rights Reserved | www.swampup.jfrog.com
I am a developer, do I need to know docker to test a
containerized app?

Building Docker images without Dockerfile

s2i – source to image
s2i build https://github.com/$src cpp-conan-builder:0.1 timer-app:0.1
docker run -it timer-app:0.1
source builder image Docker image+ =

Behind the scenes ….

Takeaways
● https://github.com/JFrogDev/project-examples/tree/master/openshift-s2i-
examples/cpp-conan
● https://blog.openshift.com/conan-accelerates-your-c-c-applications-in-
openshift/

How can I build docker images in a secure
environment?

Building images in secure environments i.e. without
using Docker Daemon.

Challenges with existing approach (dind, dood)
● Docker Daemon is monolith
● Interactive access to a
docker daemon required to
build images
● Security Issues – requires
privilege access, root access.
https://robinsystems.com/blog/containers-deep-dive-lxc-vs-docker-comparison/

Kaniko
https://github.com/GoogleContainerTools/kaniko
Build images without having access to docker daemon

Is this really a microservice?
22
app
base-image:1.0
Manifest
sha256:252564
..
OS: SHA2
Layer n: SHA2
app: SHA2
config
tools
OS
● What’s the core responsibility of this
microservice?
● What else is this microservice doing
○ Bootstrapping database?
○ Pinging database to make sure that it’s up?
○ Include tools that are not required during runtime
○ Logging to third party services

How do we start?
23
● Identify common feature-set
● Identify ways to run the main microservice with reduced privileges
● Solution that k8s provides -
○ Init-Containers
○ Sidecar pattern -
https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/45406.pdf
○ Readiness and liveness probes

This is what it looks like after 1st iteration
24

Best practices
25
● Resource consumption
● Modularize configuration (dev, staging, prod). Enable staging by default.
● Networking
● Persistence
○ Enabled/disabled
○ Storage Class (dynamic provisioning)
● Chaos Testing is mandatory
○ Scale up / down
○ Move services to another node

Source to Kubernetes
26
M I C R O S E R V I C E S
Deployment
Statefulsets
Job
DaemonSets
Secrets
Service
A
B

Challenges without helm
27
● Wrapper script (Context, Application lifecycle management)
● Lack of dependency management
● Lack of conventions (filename, folder name)
● Can’t add logic to templates

With Helm?
28
● Wrapper script (Application lifecycle management) - helm cli
● Lack of context - Release
● Lack of dependency management – sub charts
● Lack of conventions (filename, foldername) - helm create, starters
● Can’t add logic to templates - Go Templating

What’s helm?
29
● Easy way to get started on Kubernetes.
● Package manager for Kubernetes
● Application lifecycle management

Helm Chart Structure
30

Helm Tips and Tricks
31
● Go Templating ‘{{-’ vs ‘{{‘ or ‘-}}’ vs ‘}}’ or ‘.’
● Storage
○ persistence.enabled
 Dynamic Provisioning
● Default Storage Class
● Custom Storage Class (persistence.storageClass)
 Static Provisioning
● persistence.existingClaim

Helm Tips and Tricks
32
● How to avoid maintaining a third-party templates/chart?
#helm-users

Takeaways
33
● Chaos Testing, configuration & resource consumption
● Helm Tips and Tricks
○ Go Templating
○ Hooks
○ Storage
○ Network
● helm lint
● helm install --dry-run --debug

Q/A?

From shipping rpms to helm charts - Lessons learned and best practices

More Related Content

What's hot (20)

Similar to From shipping rpms to helm charts - Lessons learned and best practices (20)

Recently uploaded (20)

From shipping rpms to helm charts - Lessons learned and best practices