Several simple but useful recipes for practicing cubes
- , , @#$ ... , , . , . - , , , , . ClusterSSH, .
, "workload", "" Kubernetes, 3/4 production .
Kubernetes - kubectl apply
" , - , !".
, , , " ", - " , ".
Helm - Kubernetes, , kubectl apply -f ...
, Helm kubectl apply
, . , , , , . - .
, , Helm :
charts -
, , .
Helm :
, Helm :
,
.yaml
.yaml , , ,
.yaml , Kubernetes.
Secrets ConfigMaps, .
kubectl, ( ) Helm. Helm - Secret, - .
Helm , , , - hello world:
, . Test Production, . : , , , .
, , ( Production - ). , .
Production- , production, . , , : , "" , . production , SaaS.
12
, 12 - "" , Kubernetes . 3 , .
12 - , . , , . , ? Helm, chart.
, - . , ! - , ( build) , , - .
(immutable) () , Helm chart, - docker-desktop production AWS.
, - Helm chart, , , . , - () , . - , , ().
, , , .
:
, -
... , - , (conf properties)
- , , -
/ ,
, ,
- : yaml-!
Helm chart.
, (+).
/env // (+)
/<chart-name> // chart
/files // (+)
/templates // Helm
Chart.yaml // chart
values.yaml //
.
, TEST PROD , . TEST -STABLE -PR ( , ), PROD , EU US.
/env ( ) /files ( ):
/env
TEST.yaml //
TEST-PR.yaml // PR/
TEST-STABLE.yaml //
PROD.yaml //
PROD-EU.yaml // EU
PROD-US.yaml // US
/files /TEST //
/TEST-PR // ...
/TEST-STABLE // ... /PROD //
/PROD-EU // ...
/PROD-US // ...
/shared //
values.yaml //
/files - .
...
/PROD /binary /text
/PROD-EU /binary /text
...
/shared /binary /text /secret-text
- / , .
, , .
1. . ? . ( .p12 ) , ( 120+ ) - , () . SOPS, Ansible Vault . - , - . , , - - .
Disclaimer: , , , service identity JKS java keystore: JKS , 120+ . , . , vault , Kubernetes Secret , base64 . , !
2. , , (shared) . - ( ), , . .
, , - yaml, , :
- (TEST-STABLE.yaml)
- (TEST.yaml)
(values.yaml)
Helm , --values
:
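# Deploy with the environment layered over the chart defaults. Later --values
# files take precedence, so env/<env>-<flavour>.yaml (e.g. TEST-STABLE) wins
# over env/<env>.yaml (e.g. TEST), and both win over the chart's values.yaml.
#
# `--strict` was dropped from this command: it is a flag of `helm lint` and
# `helm template`, not of `helm upgrade` (which rejects it as an unknown flag).
# Run lint/template with --strict before this step instead.
helm upgrade --install <chart> path/to/<chart> \
  --values env/<env>.yaml --values env/<env>-<flavour>.yaml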
.yaml- , TEST-STABLE.yaml :
# Flavour half of the <class>-<flavour> directory name (files/TEST-STABLE);
# set by env/TEST-STABLE.yaml and absent for the plain env/TEST.yaml layer.
envFlavour: STABLE
TEST.yaml
# Environment class (TEST or PROD); selects the files/<class> directory and is
# the first half of the <class>-<flavour> directory name (files/TEST-STABLE).
envClass: TEST
, , , , /files.
ConfigMap Secret
- , ConfigMap Secret, . ConfigMap, Secret.
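{{- /*
Build one ConfigMap and one Secret from the files under files/<source>/.
Sources are layered: "shared" first, then the environment class (e.g. TEST),
then the class-flavour directory (e.g. TEST-STABLE). A later source overrides
an earlier one when it ships a file of the same name. Collecting the entries
into dicts (instead of emitting every match) keeps duplicate keys out of the
rendered YAML, whose handling differs between parsers (last-wins vs. error).

Fixes against the earlier version of this template:
  - the `list ...` call was missing its closing parenthesis;
  - the flavour directory was built as <flavour>-<class> (STABLE-TEST), but
    the directories are named <class>-<flavour> (files/TEST-STABLE);
  - the ConfigMap and Secret were not separated by `---`;
  - `type: Opaque` sat under `labels:` instead of at the Secret's top level.
*/ -}}
{{- $sources := list "shared" .Values.envClass -}}
{{- /* Only add the flavour layer when a flavour is set; otherwise the glob
       would look for files/TEST-/... and silently match nothing. */ -}}
{{- if .Values.envFlavour -}}
{{- $sources = append $sources (printf "%s-%s" .Values.envClass .Values.envFlavour) -}}
{{- end -}}
{{- $text := dict -}}
{{- $binary := dict -}}
{{- $secret := dict -}}
{{- range $env := $sources }}
{{- /* Text files are rendered with tpl, so they may reference .Values,
       including any secrets injected into values.yaml at deploy time. */}}
{{- range $path, $bytes := $.Files.Glob (printf "files/%s/text/*" $env) }}
{{- $_ := set $text (base $path) (tpl ($.Files.Get $path) $) }}
{{- end }}
{{- /* Binary files are copied verbatim (no tpl) and base64-encoded. */}}
{{- range $path, $bytes := $.Files.Glob (printf "files/%s/binary/*" $env) }}
{{- $_ := set $binary (base $path) ($.Files.Get $path | b64enc) }}
{{- end }}
{{- /* secret-text files are rendered like text files but land in the Secret.
       b64enc is encoding, not encryption: anything committed under
       secret-text/ is plaintext in the chart repository. */}}
{{- range $path, $bytes := $.Files.Glob (printf "files/%s/secret-text/*" $env) }}
{{- $_ := set $secret (base $path) (tpl ($.Files.Get $path) $ | b64enc) }}
{{- end }}
{{- end }}
apiVersion: v1
kind: ConfigMap
metadata:
  name: myapp
# Rendered text files, keyed by file name.
data:
{{- range $k, $v := $text }}
  {{ $k | quote }}: {{ $v | quote }}
{{- end }}
# Binary files, keyed by file name, base64-encoded.
binaryData:
{{- range $k, $v := $binary }}
  {{ $k | quote }}: {{ $v | quote }}
{{- end }}
---
apiVersion: v1
kind: Secret
metadata:
  name: myapp
type: Opaque
# Rendered secret-text files, keyed by file name, base64-encoded.
data:
{{- range $k, $v := $secret }}
  {{ $k | quote }}: {{ $v | quote }}
{{- end }}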
! , . , , .
Helm, , , , Helm ConfigMaps Secrets?
. tpl, ? , , - {{ .Values.myValue }} .
, .properties, yaml, HOCON, :
akka {
persistence {
cassandra {
keyspace = {{ .Values.cassandra.keyspace | quote }}
table = "{{ .Values.cassandra.tablePrefix }}messages"
</code></pre>
<h3> </h3>
<p> , , .</p>
<p>- , , , , :</p>
<pre><code>databasePassword: {{ .Values.databasePassword | quote }}</code></pre>
<p> , .properties, , , :</p>
<pre><code>param/username={{ .Values.username | trimAll "\"" }}</code></pre>
<h3> (projected volumes)</h3>
<p> , : , . , - , , - . </p>
<p> Kubernetes projected volumes - , <em>ConfigMaps</em> <em>Secrets</em>.</p>
<pre><code>volumes:
  - name: properties
    projected:
      # 0640: files readable by the container's user and group only; the
      # volume carries Secret contents, so do not widen this.
      defaultMode: 0640
      sources:
        - configMap:
            name: myapp
        - secret:
            name: myapp</code></pre>
name: myapp</code></pre><p> "" <em>/conf </em> .</p><h3> </h3><p> chart , , .</p><p> Helm lint template:</p><pre><code>helm lint --debug path/to/<chart> --strict --values env/<env>.yaml \
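--values env/<env>-<flavour>.yaml
# Render locally with the same layered values and inspect the result. The
# rendered manifest contains the Secret data (base64 only), so keep this
# output out of shared logs. (Both continuation lines previously used a
# single-dash `-values`, which helm rejects.)
helm template <chart> path/to/<chart> --strict --values env/<env>.yaml \
  --values env/<env>-<flavour>.yaml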
chart .
() - yamllint yaml-. , - , PROD PROD-EU, ConfigMap, .
, - API, TLS-, , .
, Heroku Vault, Azure Vault, Google Cloud KMS . Helm , , , , production.
, . (Gitlab, Circle, Azure, ...) , - .
values.yaml
# secrets
# ${...} placeholders are replaced from CI variables by envsubst right before
# deploy (see below). The rewritten file holds plaintext credentials and
# must never be committed or archived as a build artifact.
database_username: "${UserNameSecret}"
database_password: "${DatabasePasswordSecret}"
envsubst :
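# Fail fast if a CI-provided secret is missing: envsubst would otherwise
# substitute an empty string and the deploy would proceed with a blank
# credential.
: "${UserNameSecret:?not set}" "${DatabasePasswordSecret:?not set}"
# Substitute only the variables values.yaml is meant to take (list every one
# the file uses) so unrelated ${...} text is left untouched, then swap the
# result into place.
envsubst '${UserNameSecret} ${DatabasePasswordSecret}' \
  < <chart>/values.yaml > <chart>/values-injected.yaml
mv <chart>/values-injected.yaml <chart>/values.yaml
# The resolved values.yaml now contains plaintext secrets: never commit or
# archive it, and remove it when the pipeline finishes. Note that Helm also
# stores the supplied values in the release Secret in the cluster.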
{{ .Values.xxx }} , .
, , .
, XXXSecret, - :
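# Guard against a secret-bearing template landing in the ConfigMap: every
# reference to a value named *Secret must live under a secret-text/ directory.
# The earlier check ran grep on the files/ directory without -r (grep prints
# "Is a directory", matches nothing, and the count was always 0), and it
# excluded "secret-files", which is not the directory name used by the chart
# (files/*/secret-text). Note the check only catches references whose name
# contains "Secret"; keys like database_password must follow that convention
# or be added to the pattern.
EXPOSED_SECRETS=$(grep -rl 'Secret' <chart>/files | grep -v '/secret-text/' | wc -l)
if [ "${EXPOSED_SECRETS:-0}" -gt 0 ]; then fail "Secrets are exposed"; fi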
.
- Helm hooks , .
, . , -? , , - - , , : « 5xx?».
- , kubectl apply -f ...
, , Helm " ".
--atomic
--atomic
, :
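# --atomic rolls the release back automatically when the upgrade fails or the
# pods do not become ready within --timeout.
# --debug was removed: with Helm 3 it prints the computed values and the
# rendered manifest (Secret data included) into the CI log, and values.yaml
# carries injected credentials here. Re-add it only while diagnosing a
# failure, and scrub the log afterwards.
helm upgrade --install my-chart some/path/to/my-chart --atomic --timeout 300s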
Helm , health/readiness . , .
Hooks
, , Kubernetes Job , " " . , , , - , , - .
, Helm , .
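apiVersion: batch/v1
kind: Job
metadata:
  name: myapp
  # The label set was lost from this listing; restore the chart's standard
  # labels here so the hook Job is tracked like the rest of the release.
  labels: {}
  annotations:
    # Run the smoke test after every install and upgrade. Combined with
    # --atomic, a failed hook fails the release and triggers the rollback.
    "helm.sh/hook": post-install,post-upgrade
    # Delete a previous run before creating a new one and delete a successful
    # run; a failed Job is deliberately kept so its logs can be inspected.
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
spec:
  # A failing test should fail the release once, not be retried (the Job
  # default is backoffLimit 6), and a hung test should not hold the release
  # open until Helm's --timeout expires; keep this deadline aligned with it.
  backoffLimit: 0
  activeDeadlineSeconds: 300
  template:
    metadata:
      name: myapp-smoke-test
    spec:
      restartPolicy: Never
      containers:
        - name: tests
          # The image tag was lost from this listing; pin an explicit tag
          # (or digest) so the test image cannot change underneath a release.
          image: test-image:<tag>
          command: ['/bin/sh', '-c', '/test/run-test.sh']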
--atomic
post-upgrade/post-install hook , . "" , , , .
- - Helm , , .
!
Helm Kubernetes’.
hooks, , continuous delivery , .
***
Please do not invite me to publish on your blogs.