devops with openshift - anz openshift meetup series - 2017

Post on 12-Apr-2017


DevOps with OpenShift

Stefano Picozzi & Mike Hepburn

1.  Concerned with value delivery

2.  Professional empathy formed via shared sensibilities

3.  Automation as actionable intervention

DevOps – The Talent Dividend

Herzberg's OpenShift

SERVICE CATALOG (LANGUAGE RUNTIMES, MIDDLEWARE, DATABASES ..)

SELF-SERVICE

APPLICATION LIFECYCLE MANAGEMENT (CI / CD)

BUILD AUTOMATION DEPLOYMENT AUTOMATION

CONTAINER

NETWORKING SECURITY STORAGE REGISTRY LOGS & METRICS

CONTAINER ORCHESTRATION & CLUSTER MANAGEMENT (KUBERNETES)

RED HAT ENTERPRISE LINUX

CONTAINER RUNTIME & PACKAGING (DOCKER)

ATOMIC HOST

INFRASTRUCTURE AUTOMATION & COCKPIT


Motivators

Hygiene Factors

DevOps Design Dilemmas

Automation Concern

Infrastructure Application

Low

High

Infrastructure as code

Containers as code

Container primitives

Enterprise Management

Operational Convenience Opportunistic Productivity

Operational Efficiency

Organizational Innovation

Where should infrastructure automation end and application automation begin?

What is the right level of abstraction?

Separation of Concerns: Projects; Namespaces; Registry, ImageStreams; Multitenancy plugin SDN; Quotas; Roles; Playbooks; ...

Self-Service for All: Source to Image; Templates; Storage Classes; Console, CLI, REST; Pipelines; A/B, Canary; Software Catalog; Log aggregation; ...

Interface Abstraction

Scale Invariance

•  oc cluster up, oc-cluster-wrapper, PowerShift

•  Minishift

•  OpenShift Online/Dedicated

•  OpenStack, BareMetal/RHEL, Red Hat Atomic, VMWare, RHEV

•  Red Hat CCSPs, AWS, Azure, Google, ...

oc cluster up [ not using the Docker Machine method ]

1.  Install native Docker

2.  Download oc client tools

3.  Verify docker and xip.io resolution

4.  Start with named profile

# Double quotes so that $HOME and $PROFILE are expanded by the shell
$ oc cluster up \
    --public-hostname='127.0.0.1' \
    --host-data-dir="$HOME/oc/profiles/$PROFILE/data" \
    --host-config-dir="$HOME/oc/profiles/$PROFILE/config" \
    --use-existing-config

$ oc new-app https://github.com/StefanoPicozzi/cotd.git

S2I: Source To Image

Application Artifacts

BuildConfig

...
source:
  type: Git
  git:
    uri: 'https://github.com/StefanoPicozzi/cotd.git'
strategy:
  type: Source
  sourceStrategy:
    from:
      kind: ImageStreamTag
      namespace: openshift
      name: 'php:5.6'
...

DeploymentConfig

...
strategy:
  type: Rolling
  rollingParams:
triggers:
  - type: ConfigChange
  - type: ImageChange
    imageChangeParams:
      automatic: true
      containerNames:
        - cotd
      from:
        kind: ImageStreamTag
        namespace: myproject
        name: 'cotd:latest'
...

Route

...
host: cotd-myproject.127.0.0.1.xip.io
to:
  kind: Service
  name: cotd
  weight: 100
port:
  targetPort: 8080-tcp
...

Service

...
ports:
  - name: 8080-tcp
    protocol: TCP
    port: 8080
    targetPort: 8080
selector:
  app: cotd
  deploymentconfig: cotd
clusterIP: 172.30.96.232
type: ClusterIP
sessionAffinity: None
...

ImageStream

...
dockerImageRepository: '172.30.188.253:5000/myproject/cotd'
tags:
  - tag: latest
    items:
      - created: '2017-01-16T01:52:25Z'
        dockerImageReference: '172.30.188.253:5000/myproject/cotd@sha256:756140766ea2484110724b3ca00de159b5eb8142484b97fed639f1c63b93d53a'
        image: 'sha256:756140766ea2484110724b3ca00de159b5eb8142484b97fed639f1c63b93d53a'
        generation: 1
...

Working with Storage

1.  Create Persistent Volume

$ oc login -u system:admin
$ oc create -f - << EOF!
apiVersion: v1
kind: PersistentVolume
metadata:
  name: cotdvolume
spec:
  capacity:
    storage: 1Gi
  accessModes:
    - ReadWriteOnce
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Recycle
  hostPath:
    path: /home/johndoe/volumes
EOF!

2.  Set up the Persistent Volume Claim *

$ oc login -u developer -p developer
$ oc project meetup
$ oc set volume dc/pets --add \
    --overwrite \
    --name=images \
    --type=persistentVolumeClaim \
    --mount-path=/opt/app-root/src/data/images \
    --claim-size=100Mi \
    --claim-name=petsclaim --containers=pets

* Also using Console

A/B Deployments

1.  Create A Application

$ oc new-app --name='cats' \
    php~https://github.com/StefanoPicozzi/cotd.git \
    -e SELECTOR=cats
$ oc expose service cats --name=cats

2.  Create B Application

$ oc new-app --name='cities' \
    php~https://github.com/StefanoPicozzi/cotd.git \
    -e SELECTOR=cities
$ oc expose service cities --name=cities

3.  Create the AB Route

$ oc expose service cats --name='cotd'
$ oc annotate route/cotd \
    haproxy.router.openshift.io/balance=roundrobin
$ oc set route-backends cotd cats=50 cities=50

Blue Green Deployments

1.  Create Blue Application

$ oc new-app --name=blue \
    https://github.com/devops-with-openshift/bluegreen#master
$ oc expose service blue --name=bluegreen

2.  Create Green Application

$ oc new-app --name=green \
    https://github.com/devops-with-openshift/bluegreen#green

3.  Switch Routes Green/Blue

$ oc patch route/bluegreen -p '{"spec":{"to":{"name":"green"}}}'
$ oc patch route/bluegreen -p '{"spec":{"to":{"name":"blue"}}}'

Rollbacks

1.  Create cats Application

$ oc new-app --name='cats' \
    php~https://github.com/StefanoPicozzi/cotd.git \
    -e SELECTOR=cats
$ oc expose service cotd --name=cotd

2.  Create cities Application

$ oc env dc/cotd SELECTOR=cities
$ oc describe dc cotd

3.  Rollback & Rollforward

$ oc rollback cotd --to-version=1 --dry-run
SELECTOR: cats
$ oc rollback cotd --to-version=1
$ oc rollback cotd --to-version=2
$ oc set triggers dc/cotd --auto

Canary Deployment Strategies

HAProxy Router Template Configuration

$ oc edit dc router

frontend public
  # Custom acl
  # block users not in 192.168.137.0/24 network
  # from accessing cities host
  acl network_allowed src 192.168.137.0/24
  acl host_city hdr(host) -i cities-cotd.192.168.137.3.xip.io
  acl restricted_page path_beg /
  http-request deny if restricted_page host_city \
    !network_allowed

Users randomly directed to new version (A/B)

Users directed via route to canary application

Users directed to canary project for testing

Users directed to canary instance based on profile

Why Pipelines ?

“The Job of the deployment pipeline is to prove that the release candidate is unreleasable” - Jez Humble

What Should You Put in Your Pipeline ?

source code version control

optimum git branching strategies

static code analysis

>80% code coverage

vulnerability scanning

artifact version control

automated unit, int, performance testing

manual testing

build, deploy, test - for every commit

automated merge control

zero downtime releases

automated rollback

feature toggles

manage build and test environments on demand

Preparing your environment

1.  Import Jenkins image streams

$ oc import-image --all --insecure=true --confirm -n openshift docker.io/openshift/jenkins-2-centos7
$ oc import-image --all --insecure=true --confirm -n openshift registry.access.redhat.com/openshift3/jenkins-2-rhel7

2.  Import Jenkins Templates

$ BASEURL="https://raw.githubusercontent.com/openshift/openshift-ansible/master/roles/openshift_examples/files/examples/v1.4"
$ oc create -f $BASEURL/jenkins-ephemeral-template.json -n openshift
$ oc create -f $BASEURL/jenkins-persistent-template.json -n openshift

Jenkins - Auto Provisioning

3.  Cluster configuration - master-config.yaml

jenkinsPipelineConfig:
  autoProvisionEnabled: true
  parameters:
    JENKINS_IMAGE_STREAM_TAG: jenkins-2-rhel7:latest
    ENABLE_OAUTH: "true"
  serviceName: jenkins
  templateName: jenkins-persistent
  templateNamespace: openshift

A First Example

1.  A Simple pipeline example

$ oc new-project samplepipeline
$ oc new-app jenkins-pipeline-example
$ oc start-build sample-pipeline

Blue Green Pipeline

2.  This example showcases a blue green deployment using a Jenkins pipeline that pauses for approval and rollback.

$ oc patch route/bluegreen -p '{"spec":{"to":{"name":"green"}}}'
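One way to write the pipeline this slide describes, as an added example rather than the presenters' own Jenkinsfile. It assumes the blue and green applications and the bluegreen route created earlier, plus a Jenkins agent with a logged-in oc client; the helper names routeTarget and switchRoute are hypothetical.

```groovy
// Added example (scripted pipeline); not taken from the bluegreen repository.
// Assumes: services/builds named blue and green, route named bluegreen, oc on the agent.

def routeTarget() {
    // Read which service the route currently points at
    return sh(returnStdout: true,
              script: "oc get route bluegreen -o jsonpath='{.spec.to.name}'").trim()
}

def switchRoute(String target) {
    // Only the two known service names may reach the shell command
    if (!(target in ['blue', 'green'])) {
        error "unexpected route target: ${target}"
    }
    sh "oc patch route/bluegreen -p '{\"spec\":{\"to\":{\"name\":\"${target}\"}}}'"
}

node {
    def live = routeTarget()
    if (!(live in ['blue', 'green'])) {
        error "route bluegreen points at unknown service: ${live}"
    }
    def idle = (live == 'blue') ? 'green' : 'blue'

    stage('Build idle side') {
        sh "oc start-build ${idle} --follow --wait"
        sh "oc rollout status dc/${idle}"
    }
    stage('Approve switch') {
        // Pipeline pauses here until someone approves or aborts
        input message: "Route bluegreen from ${live} to ${idle}?"
    }
    stage('Switch') {
        switchRoute(idle)
    }
    stage('Verify or roll back') {
        try {
            input message: "Keep ${idle} live?"
        } catch (err) {
            // Abort on the second prompt points the route back at the old side
            switchRoute(live)
            throw err
        }
    }
}
```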

A/B Pipeline

3.  Easily turn our bluegreen into A/B

$ oc annotate route/bluegreen haproxy.router.openshift.io/balance=roundrobin
$ oc set route-backends routes/bluegreen blue=50 green=50

Multi-Project Pipeline

4.  Use projects per environment

$ oc policy add-role-to-group system:image-puller system:serviceaccounts:testing -n development
$ oc create dc myapp --image=172.30.18.201:5000/development/myapp:promotePRD

Resources

https://www.openshift.com/promotions/kubernetes.html

https://www.openshift.com/promotions/docker-security.html

https://t.co/4KH6iSZZ2H

https://www.openshift.com/promotions/for-developers.html

•  https://blog.openshift.com/

•  https://developers.redhat.com/

•  https://www.openshift.com

•  https://access.redhat.com/documentation/en/openshift-enterprise

•  https://aws.amazon.com/testdrive/redhat/

•  https://www.redhat.com/en/resources

•  https://openshift.katacoda.com/

•  https://StefanoPicozzi.blog

•  https://stefanopicozzi.blog/2016/06/21/openshift/

•  https://github.com/eformat
