The platform provides the tools to increase productivity it should abstract away the operations tasks to get fast feedback loops but it also should design for change as we should be prepared that we have to change in the future:
Serverless (great speed and plattform) vs Istio (great portability) or Flask on Serverless for speed and platform but migratable?
SaaS Components for
Reliability aaS - Logging
... but don't forget ports and adapters
Architecture Decisions
Containers or serverless
Serverless increases the efficiency of your implementation. But at the same time you bind yourself very tightly to a special vendor like Amazon with AWS Lambda. Another Option is to use a multi cloud apporach and use Containers as your abstraction layer - Lambdas also use containers themselves. Downside you don't have the you pay only what you use and you miss the non functional features the platform provides like monitoring, routing ... This is where service meshs like Istio come into play.
Can you integrate serverless with a service mesh and when to do it?
Containers
Infrastructure Automation with - Terraform
Setup Docker Environment
Create Dockerfile
docker build -t products:1.0.0 .
Setup Kubernetes
Local Development Environment
minikube start --memory 4096
#find the locally configure cluster where tiller will be installed by helm
kubectl config current-context
#install helm on client / ci/cd pipeline
brew install kubernetes-helm
#https://github.com/istio/istio/tree/master/install/kubernetes/helm/istio
git clone https://github.com/istio/istio.git
cd istio
kubectl create -f install/kubernetes/helm/helm-service-account.yaml
# for production secure helm https://docs.helm.sh/using_helm/#securing-your-helm-installation
helm init \
--tiller-tls \
--tiller-tls-verify \
--tiller-tls-ca-cert=ca.pem \
--tiller-tls-cert=cert.pem \
--tiller-tls-key=key.pem \
--service-account=tiller
helm install install/kubernetes/helm/istio --name istio
To build images directly in minishift use minikube's built-in docker daemon:
In my experience maintaining and setting up a kuebrnetes cluster is hard - there are now many great fully manged offerings: Openshift, AWS EKS, IBM,
Microsoft, Google GKE, Joyent Kubernetes
TODO
Setup Service Mesh
What is Istio?
Source:
Istio Introduction:
Improve development time (library vs sidecar)
improve plattform (tracing, a/b testing, dashboarding, service graph)
... without changing the code!
Tutorial
Setup a kubernetes cluster (see chapter above) then install Istio:
#Retrieve your credentials for kubectl (replace <cluster-name> with the name of the cluster you want to use, and <zone> with the zone where that cluster is located):
gcloud container clusters get-credentials <cluster-name> --zone <zone> --project <project-name>
Grant cluster admin permissions to the current user (admin permissions are required to create the necessary RBAC rules for Istio):
kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin --user=$(gcloud config get-value core/account)
#download istio
curl -L https://git.io/getLatestIstio | sh -
# go to folder
cd istio-0.5.0
# add istiocrl
export PATH=$PWD/bin:$PATH
#Install Istio and enable mutual TLS authentication between sidecars.:
kubectl apply -f install/kubernetes/istio-auth.yaml
# Optional: If your cluster has Kubernetes version 1.9 or greater, and you wish to enable automatic proxy injection, install the sidecar injector webhook using the instructions at (/docs/setup/kubernetes/sidecar-injection.html#automatic-sidecar-injection).
#Verify
kubectl get svc -n istio-system
kubectl get pods -n istio-system
#create/update the namespace for my application with istio enabled
kubectl label namespace <namespace> istio-injection=enabled
# isnstall BookInfo Sample https://istio.io/docs/guides/bookinfo.html
kubectl create -n <namspace> -f <your-app-spec>.yaml
Access the non exposed components:
#login first
gcloud container clusters get-credentials marketplace-istio \
--zone us-east1-b --project trusty-acre-156607
kubectl -n istio-system port-forward \
$(kubectl -n istio-system get pod -l app=zipkin -o jsonpath='{.items[0].metadata.name}') \
9411:9411 &
kubectl -n istio-system port-forward \
$(kubectl -n istio-system get pod -l app=grafana -o jsonpath='{.items[0].metadata.name}') \
3000:3000 &
kubectl -n istio-system port-forward \
$(kubectl -n istio-system get pod -l app=servicegraph -o jsonpath='{.items[0].metadata.name}') \
8088:8088 &
kubectl -n istio-system port-forward \
$(kubectl -n istio-system get pod -l app=prometheus -o jsonpath='{.items[0].metadata.name}') \
9090:9090 &
kubectl proxy (8080/ui -> management ui)
Encryption - how to use the public cloud securly? N26?
Other Serverless Assets:
Containers on AWS:
Build the dockerfile ().
When you want to bring your docker containers into production - you need to orchestrate those containers. This is where helps getting a reliable and reporducable, production read ( scalable ...), "simple" (routes, services, ...), vendor independent (compared to serverless) and multi cloud ready solution.
Start minikube []
Setup and tiller [] and Istio [] / helm install currently not working check back in a few weeks.
Create Env variables:
Create secrets:
(Udemy Course Istio)
Set it up (you should do this with in Mind (Automation is everything!):
?
Register with
Install Istio:
To enable TLS create certficate and deploy it as a secret and add the following to the ingress config (
Add your own domain to the static ip address of the cluster:
Setup your DNS (with Route53)
Remove untagged images and stopped containers
Small images
testing with postman and different environments:
Egress Rules currently don't work well with HTTPS so better enable direct connection:
