Page MenuHomePhabricator

Create the MPIC Kubernetes chart
Closed, ResolvedPublic

Description

Goal

Starting from the chart template that the SRE team has created, we have to customize it with the specific details of this project

This is something that should be tackled by the Metrics Platform team, with help from the Data Platform SREs, as a way to share knowledge and experience.

AC

  • The SRE Team has created a chart template (merged)
  • The chart has been customized according to the project details

Notes

  • See below comments

Event Timeline

Change #1017034 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/deployment-charts@master] mpic: scaffold chart

https://gerrit.wikimedia.org/r/1017034

https://gerrit.wikimedia.org/r/1017034 introduces a lot of YAML, but bear in mind that this is fully automatically generated, via the following command:

~/wmf/deployment-charts mpic-chart *17 ?3 ❯ ./create_new_service.sh
What will be the name of your chart? mpic
INFO:sextant:Loading available components
INFO:sextant:Creating the chart from /Users/brouberol/wmf/deployment-charts/_scaffold/service
===> Available components:

* generic-application
  Basic component for generic (non-LAMP) applications

* LAMP
  Basic LAMP application component.

* ingress
  Kubernetes ingress setup with istio.

* service-mesh
  Sets up the service mesh and the TLS termination (if needed)

* prometheus-statsd
  sets up prometheus-statsd-exporter

* mcrouter
  sets up mcrouter
==> Please select a component by name (q to quit)
> generic-application
INFO:wmflib.interactive:User input is: "generic-application"
===> Available components:

* ingress
  Kubernetes ingress setup with istio.

* service-mesh
  Sets up the service mesh and the TLS termination (if needed)

* prometheus-statsd
  sets up prometheus-statsd-exporter

* mcrouter
  sets up mcrouter
Already selected: generic-application
==> Please select a component by name (q to quit)
> ingress
INFO:wmflib.interactive:User input is: "ingress"
===> Available components:

* service-mesh
  Sets up the service mesh and the TLS termination (if needed)

* prometheus-statsd
  sets up prometheus-statsd-exporter

* mcrouter
  sets up mcrouter
Already selected: generic-application,ingress
==> Please select a component by name (q to quit)
> service-mesh
INFO:wmflib.interactive:User input is: "service-mesh"
===> Available components:

* prometheus-statsd
  sets up prometheus-statsd-exporter

* mcrouter
  sets up mcrouter
Already selected: generic-application,ingress,service-mesh
==> Please select a component by name (q to quit)
> q
INFO:wmflib.interactive:User input is: "q"
Selected components: generic-application,ingress,service-mesh


===> Please answer the following questions:

* Please input the complete name of the image (without the registry)

> repos/data-engineering/mpic
* Please input the port that this service will live on. If this service
  is not behind an ingress (i.e. you didn't select the "ingress"
  component), please reserve a port at
  https://wikitech.wikimedia.org/wiki/Kubernetes/Service_ports
> 8000
Chart mpic created, now vendoring dependencies.
INFO:sextant:Copied modules/app/generic_1.0.1.tpl => charts/mpic/templates/vendor/app/generic_1.0.1.tpl
INFO:sextant:Copied modules/base/helper_1.1.1.tpl => charts/mpic/templates/vendor/base/helper_1.1.1.tpl
INFO:sextant:Copied modules/base/meta_2.0.0.tpl => charts/mpic/templates/vendor/base/meta_2.0.0.tpl
INFO:sextant:Copied modules/base/name_1.0.0.tpl => charts/mpic/templates/vendor/base/name_1.0.0.tpl
INFO:sextant:Copied modules/app/job_1.0.0.tpl => charts/mpic/templates/vendor/app/job_1.0.0.tpl
INFO:sextant:Copied modules/base/external-services-networkpolicy_1.0.1.tpl => charts/mpic/templates/vendor/base/external-services-networkpolicy_1.0.1.tpl
INFO:sextant:Copied modules/base/networkpolicy_1.2.0.tpl => charts/mpic/templates/vendor/base/networkpolicy_1.2.0.tpl
INFO:sextant:Copied modules/ingress/istio_1.0.3.tpl => charts/mpic/templates/vendor/ingress/istio_1.0.3.tpl
INFO:sextant:Copied modules/mesh/configuration_1.7.0.tpl => charts/mpic/templates/vendor/mesh/configuration_1.7.0.tpl
INFO:sextant:Copied modules/mesh/certificate_1.1.0.tpl => charts/mpic/templates/vendor/mesh/certificate_1.1.0.tpl
INFO:sextant:Copied modules/mesh/name_1.1.0.tpl => charts/mpic/templates/vendor/mesh/name_1.1.0.tpl
INFO:sextant:Copied modules/mesh/deployment_1.3.0.tpl => charts/mpic/templates/vendor/mesh/deployment_1.3.0.tpl
INFO:sextant:Copied modules/mesh/networkpolicy_1.2.0.tpl => charts/mpic/templates/vendor/mesh/networkpolicy_1.2.0.tpl
INFO:sextant:Copied modules/mesh/service_1.1.0.tpl => charts/mpic/templates/vendor/mesh/service_1.1.0.tpl

This is how we bootstrap a new chart: we scaffold it with ./create_new_service.sh (which uses sextant to manage modules), and 💥 we get a good starting point.

I chose:

  • generic-application because this is our starting point
  • ingress because the traffic intended to the mpic application will be routed via the DSE K8s cluster ingress
  • service-mesh because I found out by experience that I needed to have both ingress and service-mesh to get things working

(I'm happy to get into more gory details, but these are the general main ideas.)

The next steps are:

  • building the image (that I provisionally named repos/data-engineering/mpic)
  • defining on which port does the application listen to (currently set to 8000)
  • having a look at an example of a configuration file used by the application, to start defining default values and per-release-overrides

The philosophy of the scaffolding tools is that is most cases, you should mostly need to tweak things in values.yaml (the chart default values).

By default, the chart generates a couple of Kubernetes resources, a couple of which are of interest to us:

  • Deployment (from templates/deployment.yaml): (doc) Manages stateless applications in Kubernetes
  • Configmap (from templates/configmap.yaml): (doc) Stores non-confidential data in key-value pairs. Pods can consume ConfigMaps as environment variables, command-line arguments, or as configuration files in a volume.
  • NetworkPolicy (from templates/networkpolicy.yaml): Kubernetes firewalls. Determines what services/IP-ports you can talk (egress) to.

Note: we will need to create a custom Configmap resource to generate the application config.yml file from YAML configuration values

The way the chart is rendered by injecting the values into the templates is by running (when located in ~/path/to/deployment-charts)

$ helm template test charts/mpic | head
---
# Source: mpic/templates/networkpolicy.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: mpic-test
  labels:
    app: mpic
    chart: mpic-0.0.1
    release: test
...

This requires the helm binary to be locally installed (brew install helm for macOS, or follow https://helm.sh/docs/intro/install/).

helm is a "package manager for kubernetes", meaning that it is in charge of rendering charts with templates, installing the rendered YAML to kubernetes, creating releases so you can rollback, etc.

One thing to be aware of is that you can overlay YAML variables with precedence. Say I create a values-overrides.yaml file containing

app:
  image: repos/data-engineering/OVERRIDE

I can then run

$ helm template test charts/mpic -f charts/mpic/values-overrides.yaml | grep -C 3 image:                                                                                                     
      containers:
        # The main application container
        - name: mpic-test
          image: "docker-registry.wikimedia.org/repos/data-engineering/OVERRIDE:latest"
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 8000

Note: when I specify charts/mpic to helm, it implicitly knows it needs to use charts/mpic/values.yaml as the lowest-precedence values.

If we now create a new values file values-overrides-highest.yaml containing

app:
  image: repos/data-engineering/OVERRIDE-THE-OVERRIDE

and run

$ helm template test charts/mpic -f charts/mpic/values-overrides.yaml -f charts/mpic/values-overrides-highest.yaml | grep -C 3 image:
      containers:
        # The main application container
        - name: mpic-test
          image: "docker-registry.wikimedia.org/repos/data-engineering/OVERRIDE-THE-OVERRIDE:latest"
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 8000

we see that the overrides are evaluated left to right: values.yaml < values-overrides.yaml < values-overrides-highest.yaml

Change #1017034 merged by Brouberol:

[operations/deployment-charts@master] mpic: scaffold chart

https://gerrit.wikimedia.org/r/1017034

Change #1021494 had a related patch set uploaded (by Santiago Faci; author: Santiago Faci):

[operations/deployment-charts@master] Create the MPIC Kubernetes chart

https://gerrit.wikimedia.org/r/1021494

Just pausing this ticket because it seems that, so far, the current change is ok but we need to make some progress in related tasks to be sure which other parameters/configuration we need to add to the MPIC chart. For example:

  • At this time we are using some secrets to log to SAL but there is an open discussion about if it's the right way to do that
  • We'd need to add some config fields related to the login feature
  • We need to explore more about how monitoring works to be sure which parameters we need to parameterize here about it

Change #1024610 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/puppet@production] global_config: add analytics mariadb/postgresql instances

https://gerrit.wikimedia.org/r/1024610

Change #1021494 merged by jenkins-bot:

[operations/deployment-charts@master] Create the MPIC Kubernetes chart

https://gerrit.wikimedia.org/r/1021494

At this time we have a first approach for the mpic chart to try to deploy a first draft version of this webapp as soon as possible. The gitlab pipeline is now ready to publish docker images (T361345: Create the MPIC docker image build pipeline), the database is ready (T361955: Create an `mpic` MariaDB database), we have a first approach about the login (T361341: Add the MPIC idp client configuration) and we are already working on helmfiles (T361344: Create MPIC helmfiles). So our efforts right now are focused on deploying something to staging environment as soon as possible to see how/if everything is working fine there.

Monitoring configuration will be added later because it's completely done yet so, let's move this ticket to pause.

Change #1024610 merged by Brouberol:

[operations/puppet@production] global_config: add analytics mariadb/postgresql instances

https://gerrit.wikimedia.org/r/1024610

Change #1025694 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/deployment-charts@master] mpic: specify extra TLS SAN for each release

https://gerrit.wikimedia.org/r/1025694

Change #1025694 merged by Brouberol:

[operations/deployment-charts@master] mpic: specify extra TLS SAN for each release

https://gerrit.wikimedia.org/r/1025694

Change #1025696 had a related patch set uploaded (by Santiago Faci; author: Santiago Faci):

[operations/deployment-charts@master] MPIC chart and helmfiles: Some fixes

https://gerrit.wikimedia.org/r/1025696

Change #1025696 merged by jenkins-bot:

[operations/deployment-charts@master] MPIC chart and helmfiles: Some fixes

https://gerrit.wikimedia.org/r/1025696

Change #1025768 had a related patch set uploaded (by Santiago Faci; author: Santiago Faci):

[operations/deployment-charts@master] MPIC Chart: Fixing single quotes and bumping the version

https://gerrit.wikimedia.org/r/1025768

Change #1025768 merged by jenkins-bot:

[operations/deployment-charts@master] MPIC Chart: Fixing single quotes and bumping the version

https://gerrit.wikimedia.org/r/1025768

Chart and helmfiles are already working and we have already deployed a first version of the webapp. Monitoring setup is still pending but we decided to close this task as done because the tool is already deployed to staging environment. Monitoring mechanism has its own task and chart/helmfile setup has been included there so we can address it: T361346: Setup monitoring for the MPIC applications.