I've recently asked a question about how to structure multiple applications which should be bundled together and am thinking of going down a route of having each separate application have it's own Helm chart and own ingress controller. This would allow for CI/CD to update each component easily without affecting the rest.
I was also thinking about using a "Umbrella" chart to specify versions of the other charts when it comes to actual releases and keep that in another repo.
However, when using multiple Helm charts with an ingress controller for each, how would I handle some objects which are shared between them? Such as secrets, TLS issuers and volumes shared between these? I could put them in the umbrella chart but then I'd lose the benefit of being able to use this in CI/CD. I could duplicate them inside each individual chart but that seems wrong to me. I'm thinking that I'd need another Helm chart to manage these resources alone.
Is there a suggested standard for doing this or what way would you reccomend?
You can create one helm chart and inside of it your subcharts for app A, app B, and Shared chart, and you can define global Values for shared objects, and use this names in templates of main subcharts of app A & B.
For more information about subchart and global values, check this
Related
I've got a cluster with a number of already existing namespaces, and an automatization process that creates (and manages) new namespaces using Terraform.
The service account used for TF got the roles with permission to all namespaces - as I believe this is the only possible solution (TF needs them to manage namespaces).
But due to that, it is also able to modify (& delete) the namespaces that were created before, outside the Terraform processing - and this is something I'd like to prevent/block.
So here's my question - is it possible to restrict this automatization process from modifying already existing namespaces?
The idea to distinguish between old and new namespace is to simply add labels to the new ones created by TF, but I am not aware of any mechanism that could then prohibit modifications based on such labels...
*Admission controllers seem remotely suitable, but I'm completely new to that topic and not sure if those can be used for such purposes.
I'm fairly new to Kubernetes and only got started with an example project to learn everything. I'm currently running one .NET microservice which needs a MongoDB as a database. The microservice is packed into a Docker Image and I've created a single Helm chart to properly deploy my microservice and the required MongoDB.
Now I've thought about versioning and discovered one big problem with this approach: I can't just install multiple versions of that helm chart to support running multiple versions of the same microservice because that way each microservice gets its own database which is obviously not what I want.
Does this mean I have to create two helm charts for my microservice? So one api chart containing my .NET service and one db chart containing the MongoDB? That way I can deploy the MongoDB once and have multiple versions of my .NET service pointing to this single instance. However, that way I don't have a single Helm chart per microservice but multiple ones, which increases deployment overhead I'm guessing.
Is this how it's been done? Or is there something I'm missing? All clues that point me in the right direction are very welcome!
I would recommend one chart per service. The place where helm dependencies work well is where you have a service that embeds/hides specific single other parts. And as #christopher said if your .NET service and MongoDB have different lifecycles, they shouldn't be packaged together in the same helm chart.
The most basic way to use Helm is by having a single chart that holds a single application. The single chart will contain all the resources needed by your application such as deployments, services etc.
Chart versions and appVersions
The version of the chart itself (version field in Chart.yaml). The
version of the application contained in the chart (appVersion field in
Chart.yaml). These are unrelated and can be bumped up in any manner
that you see fit. You can sync them together or have them increase
independently. There is no right or wrong practice here as long as you
stick into one.
An important point here is that you need to adopt a policy in your team on what a “chart change” means.
Helm does not enforce chart version changes. You can deploy a different chart with the same version as the previous one. So, if this is something that you want to do, you need to make sure that all teams are on the same page for versioning practices.
On the plus side, this workflow allows you to individually version charts and applications and is very flexible for companies with teams that manage separately the charts from the application source code.
Umbrella charts
However, you can also create a chart with dependencies to other charts called umbrella chart.
They are completely external using the requirements.yaml file. Using this strategy is optional and can
work well in several organizations. Again, there is no definitive
answer on right and wrong here, it depends on your team process.
Take a look: umrella-charts-example.
In other words, a collection of software elements that each have their
own individual charts but, for whatever reason (e.g. design choices,
ease of deployability, versioning complexities), must be installed or
upgraded as a since atomic unit
An umbrella chart references the version of the Helm chart itself and
not the underlying version of the container image. This means that any
change to the image version will result in chart modifications to the
individual component charts.
What to take into account when deciding on an option
There are two dimensions to take into account:
Team structure: You have to ask yourself questions like: do you have small autonomous teams that are responsible for each service? Do you have developers who have
knowledge of DevOps?
Dependencies and reproducibility: You have to ask yourself questions like: How different are the dependencies for each service? What is the risk that a change to one
service will break another? How do you reproduce the conditions of a
specific development?
Read more in useful article: helm-managing-microservices.
Speaking about versioning of microservices for backward compatibility, see Product Versioning Microservices, in general Semantic Versioning is generaly adviced.
In the broader sense - there should be an agreed phase-out roadmap for major versions, that is communicated to API consumers (together with SLAs). This is why tracking who uses your APIs is important. Take a look on this useful article about versioning management.
See example tool for tracking microservice versions- DeployHub.
I am looking for keeping some kind of baseline for everything applied to kubernetes(or just a namespace).
Like versioning microservices in a list and then check that in to github, in case of the need to roll something back.
Check out Velero, it is a backup tool for kubernetes. I don’t think it can use git as a backend, but you could add that (or use s3 or similar).
You can write and deploy an application that Watch the resources you are interested in, e.g. all Deployment, Service and Ingress... including all changes, and then store the changes as you want. I can recommend client-go for this kind of service.
However
Like versioning microservices in a list and then check that in to github, in case of the need to roll something back.
It is more common, and recommended to work the other way around, first save your intended desired state in Git, have an CICD service to apply your changes in the cluster or clusters. This way of working is called Infrastructure as Code. The new edition of the book Kubernetes Up&Running have a new chapter (18) that describes how to work in this way.
I created charts in MongoDB Charts, but do not know how to use those charts in my web application. Are there ways to publish MongoDB charts to a link where everyone can access without logging in?
Many thanks
Are there ways to publish MongoDB charts to a link where everyone can access without logging in?
In MongoDB Charts version 0.10 , there is no way to publish charts into external web site/application.
In regards to permissions, that would include setting read role on the chart's data sources for everyone too. See also Charts Dashboard Permissions
UPDATE:
Now you can use the Embedding feature to render the charts in an external web application. When you embed a chart, you can choose whether you want it to be Unauthenticated (meaning anyone who has the embed code can view the chart), or to use Verified Signature authentication (which checks the integrity of a signature in the URL before the chart will render). See Charts Embedding Examples for more information.
We are currently serving around 140 webapps created by a bunch of different web agencies. The setup is the usual LEMP stack.
A 1.2 k8s cluster has been installed to migrate them as micro-services.
The problem we are facing is about serving static and dynamic content.
For this purpose we use, of course, two different containers (nginx and php-fpm) but we can't find an adequate solution to share data on both of them.
We hoped to be able to use versioned data containers but it is apparently not in the scope of k8s. Too bad.
gitRepo is not an option as we don't want to be dependent of a working git infra to instance pods. If it doesn't work we want to be autonomous and be able to serve traffic.
The other options (flocker, etc.) look heavy and complex in comparison to a simple data container. We also would like to be independent of data storage.
Is there an option I am not aware of? Does anyone have an advise on this?
Let me emphasise that we want to be able to version things in order to roll forward / backward easily.
Thank you for your time