Saltside recently migrated production applications to Kubernetes using Helm to deploy the application. This post describes how we built our chart to fit Saltside’s unique business requirements.
Saltside makes classifieds (user posted ads, not secret information) sites. We operate in multiple markets: Tonaton.com, Bikroy.com, Efritin.com, and Ikman.lk. I’ll refer to this as MARKET going forward. I suggest you checkout the sites. You’ll notice they look and feel the same. That’s by design!
Market infrastructure is deployed, scaled, and operated separately from the others. This ensures each market’s infrastructure scales correctly for load and other requirements while guarding against failures propagating to others. Deploying separately requires different configuration for each MARKET. Configurations must be tested in different stages in the deployment pipeline. Example stages are production or uat. I’ll refer to this as STAGE going forward.
Naturally this propagates down to individual codebases. Each code base must support different MARKET and STAGE values. Our product is composed of ~20 independent code bases that may themselves be composed of multiple deployed processes (such as a thrift server, web server, or working off messages in queue). I’ll use COMPONENT to refer to components or code bases and PROCESS to refer processes inside each COMPONENT.
You may be thinking “this sounds like a lot of stuff!” You’re right. It is. The total possible configuration is MARKET * STAGE * COMPONENT * PROCESS. You can learn more about our previous setup in my talk at DevOps Days India 2016. This the jumping off point for discussing our Kubernetes solution.
Requirements
The big idea is that we’ll move from independently configured and deployed COMPONENT to centrally configured and deployed mono-repo. The implementation is no surprise from the title. The entire product (all configuration for MARKET, STAGE, COMPONENT, and PROCESS) are wrapped up in a single repo that builds Helm charts. I’m not going into the reasons why we chose Helm. There are plenty of articles, talks, and presentations on what Helm is and what it can do. Let’s move onto specifics we need from our Helm chart.
Market, Stage, Component and Process Configuration
MARKET, STAGE, COMPONENT, and PROCESS specific environment variables and secrets. There is a hierarchy between those 4 values. MARKET is the most general and PROCESS is the most specific. A specific COMPONENT may need different environment variables depending on MARKET or STAGE. PROCESS may need the same. Here’s a concrete example. The same BUGSNAG_API_KEY may apply to all PROCESS inside a given COMPONENT. However something like EXTERNAL_REDIRECT_URL may need different values depending on MARKET or STAGE.
A Single Values File
No separate values files or requirements to pass -f or --set on helm install or helm upgrade. There are too many possible configurations. That also forces engineers to mange these files or pass in command line flags is simply unmanageable in our problem domain.
Encrypted Secrets Values
Our current solution is subpar in this area so we’d like to, at a minimum, encrypt sensitive data that’s committed to SCM.
Preconfigured Charts for MARKET and STAGE
This is somewhat a follow up to the previous point. The idea here is that anyone can run a command like helm install $MARKET and everything will work as expected. Preconfigured versions for different STAGE values are communicated through different semantic versions. This requirement opens up many use cases such as automatic environment creation from topic branches or allowing any engineer to stand up test environments against arbitrary configurations.
Easier or Better than our Current Solution
Different COMPONENT and PROCESS configurations should be as easy as current solution or easier. This one is subjective so here’s some background. Different COMPONENT have roughly the same shape. All COMPONENT values share the same Docker image. Different PROCESSS run as different containers using that Docker image. This may require a different command, ports, environment variables, or other things. This generally boils down to expressing configuration at our abstraction level rather than Helm’s.
Deployable to any Kubernetes Cluster
The chart should be deployable on any Kubernetes cluster. This means it should be self contained, specifically it should contain an image pull secret for access to private Docker images.
Those are the high level requirements around chart. Let’s see how this requirements drive the implementation.
Implementation at 10,000ft
The requirements dictate a single values.yaml file and a build process that can spit out preconfigured charts for different M and S values. Here’s what this looks like for us:
- Everything declared in values.yaml with a ton of YAML anchors (more on that later)
script/lint-valuestestsvalues.yamlfor correct semantics. Example: each combination of M, S, C, and P have declared environment variables (so range in chart templates works as expected).- Secret values kept in a
secrets.yamlmanaged with git-crypt. We initially tried using Ansible vault but aborted that effort. More on that later as well. - A parameterized build script that injects the correct values for
MARKETandSTAGEintovalues.yamlbefore building the final chart. The productionSTAGEproduces a chart namedMARKET-VERSION. The sandboxSTAGEproduces a chart namedMARKET-VERSION.betaN. AnySTAGEis supported through different version modifiers. The versioning information is determined by the commit and git branch. - Chart templates expect a specific structure in
$.Valuesto generate each Service, Deployment, and Pod etc. This allows defining everything aboutCOMPONENTandPROCESSinvalues.yamlwithout creating new templates.
In short, our mono repo is a template for producing MARKET * STAGE Helm charts. Let’s dive into implementation specifics.
Templates & Values
The chart templates are straight forward. There is one template for Service, Deployment, and Secret. Each template produces multiple resources (separated by ---) in YAML from range functions over various $.Values. The charts essentially loop over $.Values.applications[].containers[] (where application refers to COMPONENT and containers is PROCESS). One Deployment is created for each COMPONENT and PROCESS combination because this is how our system scales. One Service is generated for each COMPONENT with ports for each PROCESS. “Our” is emphasized on purpose. Your application may be different.
Our values.yaml and secrets.yaml rely on YAML anchors. This is especially useful for “overriding” the MARKET/STAGE/COMPONENT/PROCESS hierarchy. Initially this started out in in the templates (one loop for each). It was easier to move everything into values using YAML anchors.
The values.yaml defines images for each COMPONENT value; as well as common things like MARKET and STAGE values. There are many shared environment variables (like MARKET, STAGE, RACK_ENV, or NODE_ENV) that are defined as anchors and appended to. Let’s look at the main anchors. Anchors are prefixed with _ to prevent accidental clashes with real variables. They are also annotated with comments so readers know that these are not intended for direct use, but only referenced later in the file. Here is an example:
_anchors:
common_env: &COMMON_ENV
APP_VERSION: "${CHART_ID}"
APP_ENV: "${CHART_STAGE}"
NODE_ENV: "${CHART_STAGE}"
RACK_ENV: "${CHART_STAGE}"
RAILS_ENV: "${CHART_STAGE}"
MARKET: "${CHART_MARKET}"
STATSD_URL: "udp://localhost:8125"
LOG_LEVEL: info
# TODO: AWS variablesThe ${VARIABLE} is special. That’s inserted by the build process with envsubst. I’ll cover that later on. This anchor is reused in each STAGE and COMPONENT declaration as shown below:
env:
admin_service:
production: &ADMIN_SERVICE_PRODUCTION_ENV_VARS
<<: *COMMON_ENV
sandbox: &ADMIN_SERVICE_SANDBOX_ENV_VARS
<<: *COMMON_ENV
# FIXME: This is wrong!
APP_ENV: development
AWS_ACCESS_KEY_ID: foo
AWS_SECRET_ACCESS_KEY: fooInjecting COMMON_ENV anchor into the COMPONENT * STAGE context is easy as well as adding new values (in the sandbox STAGE in this example). That COMPONENT * STAGE configuration is assigned a new anchor name which can be customized by MARKET or PROCESS later on. Here’s an MARKET example:
env:
admin_service:
production:
bikroy:
<<: *ADMIN_SERVICE_PRODUCTION_ENV_VARS
ikman:
<<: *ADMIN_SERVICE_PRODUCTION_ENV_VARS
tonaton:
<<: *ADMIN_SERVICE_PRODUCTION_ENV_VARS
efritin:
<<: *ADMIN_SERVICE_PRODUCTION_ENV_VARS
sandbox:
bikroy:
<<: *ADMIN_SERVICE_SANDBOX_ENV_VARS
ikman:
<<: *ADMIN_SERVICE_SANDBOX_ENV_VARS
tonaton:
<<: *ADMIN_SERVICE_SANDBOX_ENV_VARS
efritin:
<<: *ADMIN_SERVICE_SANDBOX_ENV_VARSIt’s not the prettiest but it works. It removes effort for shared configuration and makes it easy override all levels in the hierarchy. This same structure applies to secrets.yaml.
Here’s an example COMPONENT and PROCESS configuration from values.yaml:
- name: image_service
tier: thrift
service_type: ClusterIP
containers:
- name: thrift
command:
- "thrift-server"
ports:
container: 9090
service: 9090
livenessProbe:
initialDelaySeconds: 5
tcpSocket:
port: 9090
resources:
sandbox:
requests:
memory: 128Mi
production:
requests:
memory: 128Mi
cpu: 50m
limits:
memory: 128Mi
cpu: 100mWe mix custom structures and existing Kubernetes ones (like livenessProbeor inside resources). This works well because data may directly dumped into the manifest.
This gist is our complete deployment template. That there are things that I’m not going to describe in this post. Note the use of index in combination with $.Values.market, $.Values.stage, and $.Values.topology.pods. Also note that generating JSON init containers is quite strange inside YAML since YAML is white space sensitive but JSON requires delimiters.
Kubernetes Services are declared through a combination of custom data structures and previously shown COMPONENT and PROCESS configuration.
Repo Organization & Building
I find this section the most interesting personally since it demonstrates what you can do with Helm when you throw some Bash into the mix. It requires a bit of funkiness to get everything to work. I’ll touch on those the most because they highlight curious choices in Helm chart packaging.
Here’s the tree:
.
├── Makefile
├── README.md
├── VERSION
├── chart
│ ├── charts
│ └── templates
│ ├── _helpers.tpl
│ ├── app_deployments.yaml
│ ├── app_services.yaml
│ ├── sandbox.yaml
│ ├── secrets.yaml
│ └── smoke_test.yaml
├── config
│ ├── Chart.yaml
│ └── values.yaml
├── script
│ ├── await-release
│ ├── build
│ ├── ci
│ │ └── test
│ ├── clean-releases
│ ├── lint-manifest
│ ├── lint-values
│ ├── package
│ ├── publish
│ ├── test-chart
│ ├── test-release
│ └── yaml2json
├── secrets.yamlBuilding
make coordinates the entire process. /chart and /config are the most relevant directories for this section. /chart contains files that are not parameterized and may be copied directly into the final output directory. /config contains files that are parameterized so each must pass through envsubst before coping into the final output directory. This is where ${MARKET} etc is inserted into the final values.yaml file.
script/build coordinates the process. It determines the correct VERSION along all other template variables, creates a specifically named directory for the chart, copies over everything in /templates, templates everything in /config and dumps that into the output directory. It’s shared in its entirety:
You’ll also notice chart our versioning semantics coded into that file. Astute readers will notice that this script does not package or publish the chart. This script only prepares the directory. That is enough to install the chart for testing. Other scripts produce the final .tgz archive and upload to our internal chart repository. There is nothing interesting in those script. They accept a directory as an argument and call the various helm commands.
This approach seems is working well enough for our production continuous delivery pipeline. The CD pipeline is a entire post in itself. Check back in the future for all the details once all the kinks are sorted out. I want to close out this post by discussing things we tried that didn’t work out.
What Didn’t Work
- Ansible vault for secrets. Internally we use Ansible to automate processes and glue various workflows together. We did not want to commit secrets in plain text to source control, but we could accept encrypting them in source control. Ansible vault was a natural fit for us. It worked in the beginning then we hit increased friction levels beyond the dev stage. We generated a Kubernetes Secret using Ansible templates and variables. The chart required a
$.Values.secret_name. This meant secret must exist in the cluster(s) where the chart would be installed on. This became more problematic as we have multiple Kubernetes clusters for different stages (namely production & non-production). This also opened up a question of what to do if the chart itself failed tests? The secret would need to be deleted from the clusters. That is possible but it’s an avoidable problem. Everything became much easier when switched to git-crypt which made the chart self-contained. I advise teams adopting Helm start and continue with git-crypt until it becomes a pain point. - Duplicating configuration in templates. Notice the Deployment template (naturally) defines the template pods and their init containers. The init containers use the same Docker image as
COMPONENTto run initPROCESS. EachPROCESSgenerally requires the same set of configuration values (such asCOMPONENTspecific values likeMYSQL_URLorMARKETorSTAGEglobal values). Previous versions duplicated generation in different parts of the templates. Things became much easier by moving things into values.yaml through YAML anchors. I doubt other teams will encounter problems of this scope. Regardless it’s an interesting approach to keep in your back pocket. - This is tangentially related to the chart but I think it’s important to discuss since it impact the chart’s usability. Initially we wanted to pre-authenticate all cluster nodes to our Docker registry. We did this through updated the default ServiceAccount to also use a custom image pull secret. This seemed like a good idea in the beginning, but turned out to be a bad one when it came down to it. All this did was introduce more pre-reqs to where the chart could be installed. In the end it was easier to create an image pull secret as part of chart (also not an issue since git-crypt manages our plain text secrets) and use that in all the templates. This was another step in making the chart more self contained.
- The chart’s flexibility correlates with the internal application’s (
COMPONENTandPROCESS). Our process currently has two stages: production and sandbox. Unfortunately our code bases are in various stages of being completely configured by environment variables and/or command line options. We cannot easily introduce a new stage because many code bases hard coded logic on something likeNODE_ENVorRACK_ENV. This is reminder that hard coding conditional is an anti pattern and should be avoided.
What’s Next?
We plan for future posts documenting our test strategy, workflow around the chart, and continuous delivery (and hopefully deployment!) processes. Stay tuned for more information. Also don’t hesitate to leave a comment or ask a question. You can also find the SRE team on the Kubernetes slack in #helm-users, #helm-dev, #in-users, and #kops if you want to chat with us.
Good luck out there and happy shipping!
