GitLab Ops
印章
2021/03/13
Play with Kubernetes (Maybe?)
醫療環境導入 GitOps
Agenda
-
What's GitOps?
-
Play GitLab CI
-
Play with docker
-
Play with Kubernetes
GitLab 13.0 之後
Login 頁面的標語
Who Am I ?
-
印章 (seal.tw ),
不是海豹 -
本名 吳易璋
-
「前」某醫學中心打雜
-
兼任 On-Permise Cloud 架構師
-
兼任 Infra 維運
-
兼任 SRE
賭神從來不拍照
Who Am I ?
-
印章 (seal.tw ),
不是海豹 -
本名 吳易璋
社群打雜:
-
Gitlab Taiwan
-
Cloud Native Taiwan User Group
What's GitOps?
GitOps = ArgoCD ?
https://argoproj.github.io/argo-cd/
What's GitOps?
- An operating model for Kubernetes to manage containerized applications.
- A DevOps experience for end-to-end CI/CD pipelines and Git workflows.
https://www.weave.works/technologies/gitops/
由 Weave Net 於 2017年提出:
What's GitOps?
-
The entire system described declaratively(聲明式).
-
The canonical desired system state versioned in Git.
-
Approved changes that can be automatically applied to the system.
-
Software agents to ensure correctness and alert on divergence.
https://www.weave.works/technologies/gitops/
由 Weave Net 於 2017年提出:
What's GitOps?
- GitOps is an operational framework that takes DevOps best practices
- GitOps = IaC + MRs + CI/CD
(Automatic + SCM + Pipeline)
https://about.gitlab.com/topics/gitops/
GitLab flavor GitOps:
(GitLabOps) :
我都念作ikea
Why do I use DevOps?
常見的開發情況
-
我的電腦可以跑,為什麼你的不行?
-
不知道剛剛改了什麼,程式就壞掉了
-
需.求.變.更 => 大.災.難
常見的維運情況
-
為什麼你的電腦可以跑,我的卻不行?
-
不知道怎麼安裝,或是安全性問題一大堆
-
這是上個月安裝的,我已經忘記怎麼安裝了
常見的各種情況
-
不敢重開機、不敢升級
-
缺乏測試,Bug 滿天飛
https://commons.wikimedia.org/wiki/File:Agile-vs-iterative-flow.jpg
http://www.globalnerdy.com/2007/11/28/dilbert-on-extreme-and-agile-programming/
GitLabOps =
IaC + MRs + CI/CD
https://about.gitlab.com/topics/gitops/
Infrastructure as Code
- 自動化佈署
- 可重複執行,實現 Dev / Test / Production 環境一致
- 狀態化管理,可快速 rollback
- 撰寫為Code,可納入Git管理
- Code 即為文件,減少重複性的工作
常見的 IaC 解決方案
傳統環境 (VM/Bare Metal):
-
Ansible
http://note.drx.tw/2017/08/continuous-delivery-with-ansible-x-gitlab-ci.html -
Chef (GitLab Omnibus)
-
Puppet
-
Terraform
容器化 (Container) :
-
Docker compose
-
Kubernetes
Merge Request
(MR aka PR)
- aka Pull Request
- GitLab Flow
- GitLab EE 提供進階的專案管理功能
(類似 Jira、Redmine)
- GUI 整合 GitLab CI 、 DevSecOps
What's CI/CD?
-
Continuous Integration
-
Continuous Delivery
Unit Test
-
Find problems early
-
TDD / BDD
-
Test Coverage
-
Test for failure
Other Method
-
e2e testing
-
A / B Test
-
Canary release
-
Blue / Green Release
-
Nightly Build
Final Target
(Auto DevOps)
-
Auto Test
-
Auto Deploy
-
Faster Coding, Less Bug
-
CaaS (Code as a Service)
-
Rolling Update / Rollback
-
High Avilible / Auto Healing
Gitlab CI
https://about.gitlab.com/2016/08/26/ci-deployment-and-environments/
Gitlab CI Pipeline
https://about.gitlab.com/2016/08/26/ci-deployment-and-environments/
Gitlab CI Pipeline
https://about.gitlab.com/2016/08/26/ci-deployment-and-environments/
Gitlab CI Pipeline
https://about.gitlab.com/2016/08/26/ci-deployment-and-environments/
Gitlab CI Pipeline
https://about.gitlab.com/2016/08/26/ci-deployment-and-environments/
Gitlab CI Pipeline
https://about.gitlab.com/2016/08/26/ci-deployment-and-environments/
todo: runner、running dashboard
Gitlab CI Pipeline
Gitlab CI Pipeline (Stages)
Gitlab CI Pipeline (Jobs)
build:
image: node:14-alpine
stage: build
script:
- apk update
- yarn install --production=false
- npx ng build \
--env=prod \
--base-href ./ \
--progress=false \
--verbose
artifacts:
paths:
- dist
- package.json
expire_in: 1 hourDockerfile
FROM node:alpine AS base
WORKDIR /webapi
FROM node:alpine AS build
WORKDIR /webapi
RUN apk update
COPY . /webapi
RUN yarn install
FROM base
COPY --from=build /webapi /webapi
CMD /usr/local/bin/node dist/main.js 3000
todo: pipeline
Gitlab CI Pipeline
Play GitLab Runner
with Docker
Install GitLab Runner
$ docker run -d --rm \
--name=gitlab-runner \
--restart=always \
-v $PWD/config.toml:/etc/gitlab/config.toml \
-v /var/run/docker.sock:/var/run/docker.sock \
gitlab/gitlab-runner:alpine-v13.9.0
$ docker exec -it gitlab-runner register
# podman? I don't know, how to?Docker Build
docker_build:
image: docker:1903-dind
stage: docker_build
variables:
IMAGE: registry.example.io/
${CI_PROJECT_NAME}:${CI_COMMIT_SHORT_SHA}
#example: quay.io/example-image:v1.0
script:
- docker login -u myusername -p mypassword
- docker build . -t $IMAGE
- docker push $IMAGE
dependencies:
- buildDocker Run
review_docker:
image: docker:1903-dind
stage: review
variables:
IMAGE: registry.example.io/
${CI_PROJECT_NAME}:${CI_COMMIT_SHORT_SHA}
#example: quay.io/example-image:v1.0
script:
- docker rm -f ${CI_PROJECT_NAME}
- docker run -d --rm \
--name=${CI_PROJECT_NAME} \
--restart=always \
${IMAGE}
tags:
- testingDocker Compose
deploy_compose:
image: rockwyc992/docker-compose:latest
stage: deploy
variables:
IMAGE: registry.example.io/
${CI_PROJECT_NAME}:${CI_COMMIT_SHORT_SHA}
#example: quay.io/example-image:v1.0
script:
- envsubst \
< docker-compose.template.yml \
> docker-compose.yml
- docker-compose up -d
only:
- master
tags:
- productionWhy Kubernetes?
Kubernetes is an open source system for managing Container across multiple hosts.
-
Multi-host
-
Self-healing
-
Rolling Update
-
Open Source (Apache 2.0)
-
豐富的生態圈
-
標準化的架構 (CNI / CSI / Operator)
Why Kubernetes?
-
Concurrent Jobs
-
Role Base Access Control (RBAC)
-
Namespace (Dev / Test / Production)
-
NodeSelector (Linux / Windows)
Kubernetes is an open source system for managing Container across multiple hosts.
deployment.yaml for
Kubernetes
apiVersion: apps/v1
kind: Deployment
metadata:
name: gitlab-runner
namespace: gitlab
spec:
template:
spec:
containers:
image: gitlab/gitlab-runner:alpine-v13.9.0
volumeMounts:
- mountPath: /etc/gitlab-runner
name: config
serviceAccountName: runner
volumes:
- configMap:
name: gitlab-runner
name: config
replicas: 1config.toml for Kubernetes
concurrent = 10
[[runners]]
name = "Kubernetes Runner"
url = "https://gitlab.example.com"
token = "__REDACTED__"
executor = "kubernetes"
[runners.kubernetes]
#host = "http://localhost:9876/"
image = "alpine:3.12"
namespace = "gitlab"
privileged = false
service_account_overwrite_allowed = "runner"
[runners.kubernetes.volumes]
[[runners.kubernetes.volumes.host_path]]
name = "docker"
mount_path = "/var/run/docker.sock"rbac.yaml for Kubernetes
apiVersion: v1
kind: ServiceAccount
metadata:
name: runner
namespace: gitlab
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: runner
namespace: gitlab
subjects:
- kind: ServiceAccount
name: runner
namespace: gitlab
roleRef:
kind: ClusterRole
name: admin
apiGroup: rbac.authorization.k8s.iorbac.yaml for Kubernetes
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: gitlab-runner
namespace: mynamespace
subjects:
- kind: ServiceAccount
name: runner
namespace: gitlab
roleRef:
kind: ClusterRole
name: admin
apiGroup: rbac.authorization.k8s.ioPlay GitLab Runner
with Kubernetes
kubectl with GitLab CI
.kubectl_template:
image: lachlanevenson/k8s-kubectl:v1.19.8
stage: deploy
variables:
NAMESPACE: default
script:
- envsubst \
< deployment.template.yaml \
> deployment.yaml
- envsubst \
< service.template.yaml \
> service.yaml
- kubectl -n $NAMESPACE apply -f deployment.yaml
- kubectl -n $NAMESPACE apply -f service.yaml
tags:
- kuberneteskubectl with GitLab CI
review_kubectl:
extends: .kubectl_template
stage: review
variables:
NAMESPACE: gitlabops-review
staging_kubectl:
extends: .kubectl_template
stage: staging
variables:
NAMESPACE: gitlabops-staging
only:
- master
deploy_kubectl:
extends: .kubectl_template
stage: deploy
variables:
NAMESPACE: gitlabops-production
when: manual
only:
- masterNew Problems
-
Kubernetes 1.20 deprecated Docker
(How to build image now?)
-
Template support ? (envsubst)
-
kubectl really successful?
New Problems
Cache? Arctifact?
GitLab Cloud Native Chart
https://docs.gitlab.com/charts/GitLab Kubernetes Agent
https://docs.gitlab.com/ee/user/clusters/agent/
Build Image
-
Another Docker Machine Runner
-
GoogleContainerTools /kaniko
-
OpenShift Build Service
-
Podman / Buildah
Q&A
Thanks
for your attention!
GitLab Taipei Users Group
- FB 粉絲團: https://www.facebook.com/groups/GitLabTaipei
- Telegram 聊天群組: https://t.me/GitLabTaiwan
- Meetup: https://www.meetup.com/GitLab-Meetup-Taipei
Code of Conduct 行爲準則
請參考 https://about.gitlab.com/company/culture/contribute/coc/
