Note to devops: preparing Helm correctly

Several simple but useful recipes for working with Kubernetes

(photo source - https://unsplash.com/photos/XWNbUhUINB8yle)

- ,  , @#$ ... , , . , . - , , , , .  ClusterSSH, .





, "workload", "" Kubernetes, 3/4 production .





Kubernetes - kubectl apply



  " , - , !".





, , , " ", - " , ".





Helm - Kubernetes, , kubectl apply -f ...







, Helm kubectl apply



, . , , , , . - .





, , Helm :













  • charts -





, , .





Helm :





, Helm :





  • ,





  • .yaml





  • .yaml , , ,





.yaml , Kubernetes.





Secrets ConfigMaps, .





kubectl, ( ) Helm. Helm - Secret, - .





Helm , , , - hello world:

















, . Test Production, . : , , , .





, , ( Production - ). , .





Production- , production, . , , : , "" , . production , SaaS.





12

, 12 - "" , Kubernetes . 3 , .





12 - , . , , . , ? Helm, chart.





Configuration and code - like meat and milk, never to be mixed?
- ?

, , , .





, - . , ! - , ( build) , , - .





(immutable) () , Helm chart, - docker-desktop production AWS.





, - Helm chart, , , . , - () , . - , , ().





, , , .





:





  • , -





  • ... , - , (conf properties)





  • - , , -





    • / ,





    • , ,





    • - : yaml-!





Helm chart.





, (+).





/env             // (+)    
/<chart-name>    // chart  
  /files         // (+)        
  /templates     //  Helm 
  Chart.yaml     //   chart
  values.yaml    //   
      
      



.





, TEST PROD , . TEST -STABLE -PR ( , ), PROD , EU US.





/env ( ) /files ( ):





/env                
  TEST.yaml            //      
  TEST-PR.yaml         //   PR/
  TEST-STABLE.yaml     //      
  PROD.yaml            //      
  PROD-EU.yaml         //  EU   
  PROD-US.yaml         //  US 

/files
  /TEST                //
  /TEST-PR             // ...
  /TEST-STABLE         // ...
  /PROD                //
  /PROD-EU             // ...
  /PROD-US             // ...
  /shared              //
values.yaml             //
      
      



/files - .





...
/PROD
  /binary
  /text
/PROD-EU
  /binary
  /text
 ...
/shared
  /binary
  /text
  /secret-text
      
      



- / , .





, , .





1. . ? . ( .p12 ) , ( 120+ ) - , () . SOPS, Ansible Vault . - , - . , , - - .





Disclaimer: , , , service identity JKS java keystore: JKS , 120+ . , . , vault , Kubernetes Secret , base64 . , !





2. , , (shared) . - ( ), , . .





, , - yaml, , :





  • - (TEST-STABLE.yaml)





  • - (TEST.yaml)





  • (values.yaml)





Helm ,  --values



:





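# Install or upgrade the chart with two layered value files: env/<env>.yaml
# (environment class) first, env/<env>-<flavour>.yaml second; a key present
# in both takes the value from the later --values file.
# Original line ended in '\ ' (backslash, space): the backslash escaped the
# space, not the newline, so the second line was not part of the command.
# --strict is a 'helm lint' / 'helm template' flag; 'helm upgrade' rejects
# unknown flags, so it is not passed here.
helm upgrade --install <chart> path/to/<chart> \
    --values env/<env>.yaml --values env/<env>-<flavour>.yaml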



.yaml- , TEST-STABLE.yaml :





# Environment flavour (STABLE or PR for TEST, EU or US for PROD), read by the
# templates as .Values.envFlavour and combined with envClass to select the
# files/<class>-<flavour> directory.
envFlavour: STABLE
      
      



TEST.yaml





# Environment class (TEST or PROD), read by the templates as .Values.envClass;
# it also names the files/<class> directory.
envClass: TEST
      
      



, , , , /files.





ConfigMap Secret

- , ConfigMap Secret, . ConfigMap, Secret.





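{{- /*
  ConfigMap and Secret for the application, assembled from the chart's
  files/<source>/{text,binary,secret-text}/ directories. $sources lists the
  directories in lookup order: "shared", then the environment class (TEST,
  PROD), then the class-flavour directory (TEST-STABLE, PROD-EU, ...).
  NOTE(review): a file name present in more than one source is emitted twice
  and yields a duplicate key in the rendered manifest - keep names distinct.
*/ -}}
{{- $self := . -}}
{{- /* Directory names on the page are <class>-<flavour> (TEST-STABLE, PROD-EU),
       so envClass goes first in the printf. The original also lacked the
       closing parenthesis of the list call. */ -}}
{{- $sources := (list "shared" .Values.envClass (printf "%s-%s" .Values.envClass .Values.envFlavour)) -}}
apiVersion: v1
kind: ConfigMap
metadata:
  name: myapp
# Plain-text files: rendered with tpl, so they may reference .Values.
data:
{{- range $env := $sources }}
{{- range $path, $bytes := $self.Files.Glob (printf "files/%s/text/*" $env) }}
  {{ base $path }}: {{ tpl ($self.Files.Get $path) $ | quote }}
{{- end }}
{{- end }}
# Binary files: stored base64-encoded, no templating.
binaryData:
{{- range $env := $sources }}
{{- range $path, $bytes := $self.Files.Glob (printf "files/%s/binary/*" $env) }}
  {{ base $path }}: {{ $self.Files.Get $path | b64enc | quote }}
{{- end }}
{{- end }}
---
# Document separator: both objects live in one template file (they share
# $sources); without it the second apiVersion/kind would duplicate the
# ConfigMap's keys and the manifest would not parse.
apiVersion: v1
kind: Secret
metadata:
  name: myapp
type: Opaque
# Secret text files: templated like the ConfigMap entries, then base64-encoded
# as Secret data requires.
data:
{{- range $env := $sources }}
{{- range $path, $bytes := $self.Files.Glob (printf "files/%s/secret-text/*" $env) }}
  {{ base $path }}: {{ tpl ($self.Files.Get $path) $ | b64enc | quote }}
{{- end }}
{{- end }}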



! , . , , .





Helm, , , , Helm   ConfigMaps Secrets?





. tpl, ? , , - {{ .Values.myValue }}  .





, .properties, yaml, HOCON, :





akka {
  persistence {
cassandra {

    keyspace = {{ .Values.cassandra.keyspace | quote }}
    table = "{{ .Values.cassandra.tablePrefix }}messages"

      ,   ,     .

- ,  ,   ,     ,     :

databasePassword: {{ .Values.databasePassword | quote }}

  ,    .properties,  , ,      :

param/username={{ .Values.username | trimAll "\"" }}

  (projected volumes)

      ,      :              ,         .      ,     - , ,      -    .

   Kubernetes   projected volumes -  ,      ConfigMaps  Secrets.

volumes:
- name: properties
  projected:
    defaultMode: 0640
    sources:
    - configMap:
        name: myapp
    - secret:
        name: myapp

    ""   /conf .

       chart  ,         ,   .

 Helm     lint  template:

helm lint --debug path/to/<chart> --strict --values env/<env>.yaml \
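--values env/<env>-<flavour>.yaml
# Render the chart locally (no cluster needed) with the same layered value
# files, so the final manifests can be inspected before any deploy.
# The original wrote '-values' (one dash), which helm rejects as an unknown
# shorthand flag.
helm template <chart> path/to/<chart> --strict --values env/<env>.yaml \
    --values env/<env>-<flavour>.yaml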



chart .





() - yamllint yaml-. , - , PROD PROD-EU, ConfigMap, .





, - API, TLS-, , .





  , Heroku Vault, Azure Vault, Google Cloud KMS . Helm ,  , , , production.





, . (Gitlab, Circle, Azure, ...) , - .





values.yaml





# secrets
# The ${...} placeholders are replaced from CI environment variables by
# envsubst before Helm runs. envsubst replaces an unset variable with an
# empty string, so a missing variable silently produces an empty credential
# unless the surrounding script checks for it.
database_username: "${UserNameSecret}"
database_password: "${DatabasePasswordSecret}"
      
      



 envsubst  :





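# Inject secrets from the CI environment into values.yaml.
# Fail early if a required variable is unset or empty; envsubst would
# otherwise substitute "" and the deploy would proceed with a blank credential.
: "${UserNameSecret:?UserNameSecret is not set}"
: "${DatabasePasswordSecret:?DatabasePasswordSecret is not set}"
# Restrict substitution to the named placeholders: a bare envsubst rewrites
# every ${VAR} reference in the file, including ones meant for the application.
# The mv only runs if envsubst succeeded, so a failed run never replaces the
# original values.yaml with a partial file.
cat <chart>/values.yaml \
  | envsubst '${UserNameSecret} ${DatabasePasswordSecret}' > <chart>/values-injected.yaml \
  && mv <chart>/values-injected.yaml <chart>/values.yaml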



{{ .Values.xxx }}  , .





, , .





, XXXSecret, - :





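# Guard: placeholders whose name ends in "Secret" may appear only under the
# secret-text directories (which feed the Secret, not the ConfigMap).
# -r is required: grep on a directory without it reports "Is a directory",
# matches nothing and the check could never fail. The excluded directory is
# secret-text, as used by the Secret template; the original filtered on
# "secret-files", which does not exist in the layout.
EXPOSED_SECRETS=$(grep -rl Secret <chart>/files | grep -v '/secret-text/' | wc -l)
if [ "$EXPOSED_SECRETS" -gt 0 ]; then fail "Secrets are exposed"; fi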



.





- Helm hooks , .





, . , -? , , - - , ​​ , : « 5xx?».





- , kubectl apply -f ...



, , Helm " ".





--atomic

 --atomic



  , :





# --atomic: Helm waits for the release's resources (and its hooks) to become
# ready and rolls the release back if that does not happen within --timeout.
# NOTE(review): --debug raises log verbosity; since values.yaml has secrets
# injected into it, confirm the CI log does not capture rendered values.
helm upgrade --install my-chart some/path/to/my-chart  --atomic --debug --timeout 300s
      
      



Helm , health/readiness . , .





Hooks

, , Kubernetes Job  , " " . , , , - , , - .





, Helm , .





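# Smoke test run as a Helm hook after every install and upgrade. If the Job
# fails, the release fails, and with --atomic Helm rolls it back.
# The original listing had its nesting lost (metadata/spec keys at column 0,
# the container item outside containers) and an empty image tag, which makes
# "image: test-image:" unparsable YAML.
apiVersion: batch/v1
kind: Job
metadata:
  name: myapp
  annotations:
    "helm.sh/hook": post-install,post-upgrade
    # Delete a Job left from a previous run before creating a new one, and
    # delete it on success; a failed Job is kept so its logs can be read.
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
spec:
  # NOTE(review): with the Job default backoffLimit a failing test is retried
  # several times before the hook is reported failed; set backoffLimit: 0 if
  # one failed attempt should fail the release immediately.
  template:
    metadata:
      name: myapp-smoke-test
    spec:
      restartPolicy: Never
      containers:
        - name: tests
          image: test-image:<tag>   # <tag> is a placeholder; the page omits it
          command: ['/bin/sh', '-c', '/test/run-test.sh']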



 --atomic 



 post-upgrade/post-install  hook , . "" , , , .





- - Helm , , .





!





Helm Kubernetes’.





hooks, , continuous delivery , .





***





,




