GitLab Ops

印章

2021/03/13

Play with Kubernetes (Maybe?)

Introducing GitOps in a healthcare environment

Agenda

  • What's GitOps?

  • Play GitLab CI

  • Play with docker

  • Play with Kubernetes

After GitLab 13.0

The tagline on the login page

Who Am I ?

  • 印章 (seal.tw): the stamp kind of seal, not the animal

  • Real name: 吳易璋

  • "Former" odd-jobs person at a medical center

  • Also serving as on-premise cloud architect

  • Also serving as infra operations

  • Also serving as SRE

The God of Gamblers never takes photos

Who Am I ?

  • 印章 (seal.tw): the stamp kind of seal, not the animal

  • Real name: 吳易璋

Community odd jobs:

  • Gitlab Taiwan

  • Cloud Native Taiwan User Group

What's GitOps?

GitOps = ArgoCD ?

https://argoproj.github.io/argo-cd/

What's GitOps?

  1. An operating model for Kubernetes to manage containerized applications.
     
  2. A DevOps experience for end-to-end CI/CD pipelines and Git workflows.

https://www.weave.works/technologies/gitops/

Proposed by Weave Net in 2017:

What's GitOps?

  1. The entire system described declaratively.

  2. The canonical desired system state versioned in Git.

  3. Approved changes that can be automatically applied to the system.

  4. Software agents to ensure correctness and alert on divergence.

https://www.weave.works/technologies/gitops/

Proposed by Weave Net in 2017:

What's GitOps?

  1. GitOps is an operational framework that takes DevOps best practices
     
  2. GitOps = IaC + MRs + CI/CD
                   (Automatic + SCM + Pipeline)

https://about.gitlab.com/topics/gitops/

GitLab-flavored GitOps
(GitLabOps):

I pronounce it "ikea"

Why do I use DevOps?

Common development situations

  • It runs on my machine, so why doesn't it run on yours?

  • I don't know what I just changed, but the program broke

  • Re.quire.ments change => di.sas.ter

Common operations situations

  • Why does it run on your machine but not on mine?

  • No idea how to install it, or it comes with a pile of security issues

  • This was installed last month and I have already forgotten how

Common situations of every kind

  • Afraid to reboot, afraid to upgrade

  • No tests, so bugs fly everywhere

https://commons.wikimedia.org/wiki/File:Agile-vs-iterative-flow.jpg

http://www.globalnerdy.com/2007/11/28/dilbert-on-extreme-and-agile-programming/

GitLabOps =

IaC + MRs + CI/CD

https://about.gitlab.com/topics/gitops/

Infrastructure as Code

  • Automated deployment

  • Repeatable, so Dev / Test / Production environments stay identical

  • Stateful management, so rollback is fast

  • Written as code, so it can go under Git management

  • The code is the documentation, cutting repetitive work

Common IaC solutions

Traditional environments (VM / Bare Metal):

Containerized (Container):

  • Docker compose

  • Kubernetes

Merge Request
(MR aka PR)

  • aka Pull Request

  • GitLab Flow

  • GitLab EE provides advanced project management features
    (similar to Jira, Redmine)

  • GUI integration with GitLab CI and DevSecOps

What's CI/CD?

  • Continuous Integration

  • Continuous Delivery

Unit Test

  1. Find problems early

  2. TDD / BDD

  3. Test Coverage

  4. Test for failure

Other Method

  1. e2e testing

  2. A / B Test

  3. Canary release

  4. Blue / Green Release

  5. Nightly Build

Final Target
(Auto DevOps)

  1. Auto Test

  2. Auto Deploy

  3. Faster Coding, Less Bug

  4. CaaS (Code as a Service)

  5. Rolling Update / Rollback

  6. High Availability / Auto Healing

Gitlab CI

https://about.gitlab.com/2016/08/26/ci-deployment-and-environments/

Gitlab CI Pipeline

https://about.gitlab.com/2016/08/26/ci-deployment-and-environments/

todo: runner, running dashboard

Gitlab CI Pipeline

Gitlab CI Pipeline (Stages)

Gitlab CI Pipeline (Jobs)

build:
  image: node:14-alpine
  stage: build
  script:
    - apk update
    - yarn install --production=false
    - npx ng build       \
        --env=prod       \
        --base-href ./   \
        --progress=false \
        --verbose
  artifacts:
    paths:
      - dist
      - package.json
    expire_in: 1 hour

Dockerfile

# base stage: the runtime image, nothing but node and the working dir
FROM node:alpine AS base
WORKDIR /webapi

# build stage: dependencies are installed here, so apk and yarn caches
# never reach the runtime image
FROM node:alpine AS build

WORKDIR /webapi
RUN apk update

COPY . /webapi
RUN yarn install

# final image: only the prepared tree is copied out of the build stage
FROM base
COPY --from=build /webapi /webapi
CMD /usr/local/bin/node dist/main.js 3000

todo: pipeline

Gitlab CI Pipeline

Play GitLab Runner
with Docker

Install GitLab Runner

$ docker run -d                                  \
    --name=gitlab-runner                         \
    --restart=always                             \
    -v $PWD/config:/etc/gitlab-runner            \
    -v /var/run/docker.sock:/var/run/docker.sock \
    gitlab/gitlab-runner:alpine-v13.9.0
# --rm cannot be combined with --restart=always, so it is dropped;
# the runner reads /etc/gitlab-runner/config.toml, and mounting the
# directory rather than the single file lets "register" write into it.
# Anything that can reach the mounted docker socket controls the host's
# docker daemon, so only trusted projects should use this runner.

$ docker exec -it gitlab-runner gitlab-runner register
# docker exec bypasses the image entrypoint, so the binary must be named


# podman? I don't know, how to?

Docker Build

docker_build:
  image: docker:19.03-dind
  stage: docker_build
  variables:
    # keep the reference on one line: YAML folds a wrapped plain scalar
    # with a space, which breaks the image name
    IMAGE: registry.example.io/${CI_PROJECT_NAME}:${CI_COMMIT_SHORT_SHA}
    #example:  quay.io/example-image:v1.0
  script:
    # REGISTRY_USER / REGISTRY_PASSWORD are names chosen here: define them
    # as masked CI/CD variables instead of writing credentials into the
    # repository; --password-stdin keeps the secret out of the job log and
    # the registry host must be given, or the login goes to Docker Hub
    - echo "$REGISTRY_PASSWORD" | docker login registry.example.io -u "$REGISTRY_USER" --password-stdin
    - docker build . -t "$IMAGE"
    - docker push       "$IMAGE"
  dependencies:
    - build

Docker Run

review_docker:
  image: docker:19.03-dind
  stage: review
  variables:
    IMAGE: registry.example.io/${CI_PROJECT_NAME}:${CI_COMMIT_SHORT_SHA}
    #example:  quay.io/example-image:v1.0
  script:
    # "|| true": docker rm fails when no previous container exists, which
    # would fail the first review job
    - docker rm -f ${CI_PROJECT_NAME} || true
    # --rm is dropped because it cannot be combined with --restart=always
    - docker run -d                   \
        --name=${CI_PROJECT_NAME}     \
        --restart=always              \
        ${IMAGE}
  tags:
    - testing

Docker Compose

deploy_compose:
  image: rockwyc992/docker-compose:latest
  stage: deploy
  variables:
    IMAGE: registry.example.io/${CI_PROJECT_NAME}:${CI_COMMIT_SHORT_SHA}
    #example:  quay.io/example-image:v1.0
  script:
    # the SHELL-FORMAT argument limits envsubst to ${IMAGE}; every other
    # $ in the template (shell snippets, compose variables) stays literal
    - envsubst '${IMAGE}'             \
        < docker-compose.template.yml \
        > docker-compose.yml
    - docker-compose up -d
  only:
    - master
  tags:
    - production

Why Kubernetes?

Kubernetes is an open source system
for managing containers across multiple hosts.

  • Multi-host

  • Self-healing

  • Rolling Update

  • Open Source (Apache 2.0)

  • Rich ecosystem

  • Standardized architecture (CNI / CSI / Operator)

Why Kubernetes?

  • Concurrent Jobs

  • Role-Based Access Control (RBAC)

  • Namespace (Dev / Test / Production)

  • NodeSelector (Linux / Windows)


deployment.yaml for
Kubernetes
 

apiVersion: apps/v1
kind: Deployment
metadata:
  name: gitlab-runner
  namespace: gitlab
spec:
  replicas: 1
  # apps/v1 requires a selector that matches the pod template labels
  selector:
    matchLabels:
      app: gitlab-runner
  template:
    metadata:
      labels:
        app: gitlab-runner
    spec:
      # the service account from rbac.yaml; the runner uses it to create
      # job pods in the gitlab namespace
      serviceAccountName: runner
      # containers is a list, and each entry needs a name
      containers:
      - name: runner
        image: gitlab/gitlab-runner:alpine-v13.9.0
        volumeMounts:
        - mountPath: /etc/gitlab-runner
          name: config
      volumes:
      - name: config
        configMap:
          name: gitlab-runner

config.toml for Kubernetes

concurrent = 10

[[runners]]
  name = "Kubernetes Runner"
  url = "https://gitlab.example.com"
  token = "__REDACTED__"
  executor = "kubernetes"
  [runners.kubernetes]
    #host = "http://localhost:9876/"
    # default job image; job pods are created in this namespace with the
    # service account bound in rbac.yaml
    image = "alpine:3.12"
    namespace = "gitlab"
    privileged = false
    service_account_overwrite_allowed = "runner"
    [runners.kubernetes.volumes]
      # the node's docker socket is mounted into every job pod so docker
      # builds work without privileged = true; a job that can talk to the
      # socket controls the node's docker daemon, which is why the talk
      # lists kaniko and buildah as replacements
      [[runners.kubernetes.volumes.host_path]]
        name = "docker"
        mount_path = "/var/run/docker.sock"

rbac.yaml for Kubernetes

apiVersion: v1
kind: ServiceAccount
metadata:
  name: runner
  namespace: gitlab
---
kind: RoleBinding
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; v1 has
# been available since 1.8
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: runner
  namespace: gitlab
subjects:
  - kind: ServiceAccount
    name: runner
    namespace: gitlab
roleRef:
  # the built-in "admin" ClusterRole, scoped by this RoleBinding to the
  # gitlab namespace only; still broader than the executor needs
  kind: ClusterRole
  name: admin
  apiGroup: rbac.authorization.k8s.io

rbac.yaml for Kubernetes

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: gitlab-runner
  # one binding like this per namespace that CI deploys into
  namespace: mynamespace
subjects:
  - kind: ServiceAccount
    name: runner
    namespace: gitlab
roleRef:
  kind: ClusterRole
  name: admin
  apiGroup: rbac.authorization.k8s.io
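Both bindings above hand the runner's service account the built-in "admin" ClusterRole in a namespace, which is far more than the kubernetes executor uses: it only has to create, watch and attach to job pods plus the secrets and configmaps it generates for them. The manifest below is an added example, not from the talk: a namespace-scoped Role carrying just those resources and verbs, bound to the same "runner" service account. The rule list follows my reading of the GitLab Runner documentation for the 13.x kubernetes executor, so check it against the docs for your runner version before relying on it. The deployment namespaces (mynamespace in the second binding) would get a Role of the same shape limited to the kinds your manifests create, such as deployments and services.

```yaml
# Added example, not part of the talk's rbac.yaml: least-privilege Role
# for the kubernetes executor in the gitlab namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: gitlab-runner-executor
  namespace: gitlab
rules:
  # resources the executor touches while running a job pod; verify against
  # the runner docs for your version (assumed list, 13.x era)
  - apiGroups: [""]
    resources: ["pods", "pods/exec", "pods/attach", "pods/log", "secrets", "configmaps"]
    verbs: ["get", "list", "watch", "create", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: gitlab-runner-executor
  namespace: gitlab
subjects:
  - kind: ServiceAccount
    name: runner
    namespace: gitlab
roleRef:
  # a Role, not the admin ClusterRole: nothing outside this list is granted
  kind: Role
  name: gitlab-runner-executor
  apiGroup: rbac.authorization.k8s.io
```

Apply it in place of the first RoleBinding and keep the ServiceAccount as it is; if a job then fails with a "forbidden" error from the API server, the message names the missing resource and verb, which is the signal to extend the rule rather than fall back to admin.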

Play GitLab Runner
with Kubernetes

kubectl with GitLab CI

.kubectl_template:
  image: lachlanevenson/k8s-kubectl:v1.19.8
  stage: deploy
  variables:
    NAMESPACE: default
  script:
    - envsubst                     \
        < deployment.template.yaml \
        > deployment.yaml
    - envsubst                     \
        < service.template.yaml    \
        > service.yaml
    - kubectl -n $NAMESPACE apply -f deployment.yaml
    - kubectl -n $NAMESPACE apply -f service.yaml
  tags:
    - kubernetes
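The envsubst step used in deploy_compose and in .kubectl_template rewrites every dollar-variable in the template, and an unset name silently becomes an empty string, so a job where IMAGE was never set still applies a manifest with an empty image tag. The script below is an added example, not part of the talk or of GitLab: a strict stand-in for envsubst that substitutes only the ${NAME} placeholders named on its command line and exits non-zero when one of them is unset, so the pipeline stops before kubectl runs. The template text in the usage comment is constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the talk: a strict replacement for
#   envsubst < deployment.template.yaml > deployment.yaml
# Plain envsubst rewrites every $VAR in the file and turns unset names into
# empty strings, so a job that forgot to set IMAGE still applies a manifest
# with "image: registry.example.io/:" in it. This function substitutes only
# the ${NAME} placeholders listed on its command line and fails when one of
# them is unset or empty; everything else in the template stays literal.

# render_template TEMPLATE_FILE NAME...   -> rendered text on stdout
render_template() {
  tpl=$1; shift
  [ -r "$tpl" ] || { echo "render_template: cannot read $tpl" >&2; return 2; }
  script=''
  for name in "$@"; do
    # only plain identifiers are accepted, so the eval below can never do
    # anything except look up a variable
    case $name in
      ''|*[!A-Za-z0-9_]*) echo "render_template: bad name '$name'" >&2; return 2 ;;
    esac
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      echo "render_template: \$$name is unset or empty" >&2
      return 1
    fi
    # escape the characters that are special in a sed replacement
    esc=$(printf '%s' "$value" | sed 's#[/&\\]#\\&#g')
    # one substitution per name; "\$" keeps sed from reading $ as an anchor
    script="${script}s/\\\${${name}}/${esc}/g
"
  done
  tmp=$(mktemp) || return 2
  printf '%s' "$script" > "$tmp"
  sed -f "$tmp" "$tpl"
  status=$?
  rm -f "$tmp"
  return $status
}

# Usage in a GitLab job, replacing the two envsubst lines of .kubectl_template
# (constructed template: "image: ${IMAGE}" and "namespace: ${NAMESPACE}"):
#   render_template deployment.template.yaml IMAGE NAMESPACE > deployment.yaml
#   render_template service.template.yaml    NAMESPACE       > service.yaml
```

GNU envsubst can be restricted to a list of names in the same way with envsubst '${IMAGE} ${NAMESPACE}', which is the fix applied in the deploy_compose job, but it still renders an unset name as an empty string; the explicit check here is what turns that into a failed job.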

kubectl with GitLab CI

review_kubectl:
  extends: .kubectl_template
  stage: review
  variables:
    NAMESPACE: gitlabops-review

staging_kubectl:
  extends: .kubectl_template
  stage: staging
  variables:
    NAMESPACE: gitlabops-staging
  only:
    - master

deploy_kubectl:
  extends: .kubectl_template
  stage: deploy
  variables:
    NAMESPACE: gitlabops-production
  when: manual
  only:
    - master

New Problems

  • Kubernetes 1.20 deprecated Docker
    (How to build images now?)

  • Template support? (envsubst)

  • Did kubectl really succeed?
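The third problem, whether kubectl really succeeded, comes from kubectl apply exiting 0 as soon as the API server accepts the manifest; the job passes even if the new pods never become Ready. The helpers below are an added example, not code from the talk. They assume kubectl is on PATH with credentials already pointing at the target cluster, as in the .kubectl_template job, and that the caller passes the Deployment name. apply_and_wait fails the job when the rollout does not complete within the timeout and undoes it, and check_drift turns the exit code of kubectl diff into the fourth GitOps principle from the Weave list, an alert whenever the live cluster diverges from what is in Git.

```shell
#!/bin/sh
# Added example, not from the talk. "kubectl apply" only confirms that the
# API server accepted the manifest; these helpers make a GitLab job fail
# when the deployment does not actually roll out, and report drift between
# the cluster and the manifests kept in Git. Assumes kubectl on PATH with
# a kubeconfig or in-cluster service account for the target cluster.

# apply_and_wait NAMESPACE MANIFEST DEPLOYMENT [TIMEOUT]
# Applies the manifest, then blocks until the rollout completes or the
# timeout expires. A failed or stuck rollout is undone so the environment
# is not left half-deployed, and the non-zero return fails the CI job.
apply_and_wait() {
  ns=$1 manifest=$2 deploy=$3 timeout=${4:-120s}
  kubectl -n "$ns" apply -f "$manifest" || return 1
  if ! kubectl -n "$ns" rollout status "deployment/$deploy" --timeout="$timeout"; then
    echo "rollout of $deploy in $ns did not complete; rolling back" >&2
    kubectl -n "$ns" rollout undo "deployment/$deploy"
    return 1
  fi
  return 0
}

# check_drift NAMESPACE MANIFEST
# kubectl diff exits 0 when the live objects match the manifest, 1 when
# they differ and >1 on error, so the exit code alone is the divergence
# alert that GitOps principle 4 asks for.
check_drift() {
  ns=$1 manifest=$2
  if kubectl -n "$ns" diff -f "$manifest"; then rc=0; else rc=$?; fi
  case $rc in
    0) echo "no drift in $ns"; return 0 ;;
    1) echo "DRIFT: live state in $ns differs from $manifest" >&2; return 1 ;;
    *) echo "kubectl diff failed (exit $rc)" >&2; return 2 ;;
  esac
}

# In .kubectl_template the two apply lines would become, for example:
#   apply_and_wait "$NAMESPACE" deployment.yaml "$CI_PROJECT_NAME"
# and a scheduled pipeline can run check_drift over the same manifests.
```

Run check_drift from a scheduled pipeline against the rendered manifests of the master branch; a non-zero exit there means someone changed the cluster by hand, which is exactly the situation GitOps is meant to surface.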

New Problems

Build Image

  • Another Docker Machine Runner

  • GoogleContainerTools / kaniko

  • OpenShift Build Service

  • Podman / Buildah

Q&A

Thanks

for your attention!

GitLab Taipei Users Group

Code of Conduct

Please see https://about.gitlab.com/company/culture/contribute/coc/