The complete source code and configuration files along with setup instructions for our project can be found in GitLab<\/a>.<\/p>\n In this post we will dive into Kubernetes and Helm<\/a> \u2014 the<\/em> package manager for Kubernetes \u2014 and how we went from a basic microservice deployment with Docker Compose to a fully working and production-ready Kubernetes cluster with K3s<\/em> and k3sup<\/em>.<\/p>\n Initially, while we were developing our various microservice components (see our previous blog post<\/a>), we decided to package each service to a Docker container. This went quite smooth as we already had some experience in working with Docker. We ended up with 11 Dockerfiles, one for every of our microservices: auth manager<\/a>, conversion manager<\/a>, the two converters (converter-deepdream<\/a> and converter-basic<\/a>), job manager<\/a>, the image storage<\/a> and storage service<\/a>, web frontend<\/a>, the TLS terminating proxy<\/a>, the request annotation proxy<\/a> and the API gateway<\/a>.<\/p>\n A Dockerfile describes the steps required to build and package one or multiple apps into a Docker image. Docker images can be instantiated to a Docker container which then runs the application(s).<\/p>\n (Exemplary illustration of a To orchestrate our various Docker containers we decided to use Docker Compose, a tool which amongst other features helps in making some capabilities of Docker available to configure via a simple (Exemplary illustration of a This was great for our development setup which allowed our developers to work independently of each other by running the entire application on their local development machine without any external dependencies.<\/p>\n Once the backend of our application became usable with a web frontend, we decided it was time to make the app available on a public server so it could be used by our testers \u2014 finally it was time to explore Kubernetes!<\/p>\n At first, Kubernetes was quite intimidating to us when we only knew a bare minimum of what it can be used for. It was a beast we needed to tear apart and explore the parts each on their own. To deploy our application on Kubernetes, we first needed to move from our Docker Compose files to the equivalent Kubernetes Resources<\/a>.<\/p>\n While exploring the repos of the Kubernetes GitHub organization<\/a>, we found a tool which helps in migrating existing Docker Compose files to Kubernetes: Kompose<\/a>. The procedure was quite straightforward:<\/p>\n We ran this command for each of our 11 Unfortunately, some changes to the resource files as produced by Kompose were still required. The version of Kompose we were using wasn’t completely compatible with the then-recent release of Kubernetes which we used inside Minikube. We also dropped<\/a> all references to We needed to add a (Excerpt of (Configuring the Once the resource files were adjusted, it was time to test them \u2014 we needed a Kubernetes development cluster.<\/p>\n Minikube probably is the<\/i> most widely used one-node Kubernetes cluster solution for development. And it became quite clear why: it was super easy to set up; With only a single command and a bit of time for the bootstrapping process we had a Kubernetes development cluster up and running on our local machines.<\/p>\n Minikube even automatically merged its As a first step, to check whether our Kubernetes resource files were producing the desired state in our cluster, we We could see all our microservices spin up inside the cluster using To access the inside of the cluster from outside (our host machine), we needed to enable the Minikube It was time to extend the resource files with more awesome features.<\/p>\n 0<\/sup>: all services without additional dependencies such as a database<\/i><\/p>\n While skimming through the whole Kubernetes documentation<\/a>, we compiled a list of interesting directives we wanted to implement for our resource files. Amongst them were the By default, when the most basic unit of Kubernetes \u2014 a pod \u2014 has launched, Kubernetes will instantly begin to route traffic to it, even if the application running inside the pod is not ready to handle any traffic yet. This would make requests reaching such an “unhealthly” pod return a That’s where (Exemplary configuration of a Similarly, Next, it was time to configure minimum and maximum hardware resource limits for our deployments. Setting those limits was super easy, too:<\/p>\n (Exemplary configuration of a The memory limit can be expressed in various units (megabyte, gigabyte, etc., see here<\/a>), while the definition of the Quoting the documentation<\/a>, one “cpu”, in Kubernetes, is equivalent to: We played around a bit with various numbers and ended up configuring 0.1 \u2013 0.8 units of A scary discovery was that Kubernetes pods \u2014 just like Docker containers \u2014 are run with root privileges by default. We reconfigured our deployments accordingly to run the pods as non-root:<\/p>\n (Excerpt of As a last step, to make the number of pod replicas of a service scale up or down automatically based on their current load, we created a HorizontalPodAutoscaler<\/a> resource for every microservice:<\/p>\n (Exemplary illustration of a This basic file defines a minimum and maximum number of running replicas of a pod, and a CPU threshold ( Now that the Kubernetes development cluster was running fine on a single node with Minikube, we needed a staging \/ production cluster with more than just one node.<\/p>\n There are a number of solutions available to obtain access to a production-grade Kubernetes cluster. Probably the<\/em> most basic way is to simply get a Managed Kubernetes cluster from Google Cloud’s Kubernetes Engine (GKE<\/a>), Amazon AWS’ Elastic Kubernetes Service (EKS<\/a>), Microsoft Azure’s Kubernetes Service (AKS<\/a>), IBM Cloud<\/a>, DigitalOcean<\/a> or one of the other countless providers<\/a>.<\/p>\n Other solutions encompass:<\/p>\n \u2026 all of which, unfortunately, were not of an option to us. Installation of custom OS images (for In need of another solution we stumbled upon K3s<\/a>, a lightweight, certified and API-compliant Kubernetes distribution. K3s is actively developed by Rancher<\/a>, a company dedicated to making Kubernetes easier to use. Other software from Rancher was introduced on this blog before (click)<\/a>.<\/p>\n K3s<\/a> promises to spin up a production-ready Kubernetes cluster in around 30 seconds. This looked really promising, given that setting up, maintaining and grasping the inner workings of a cluster created by If this wasn’t already great enough, we found a wrapper around K3s aptly named We wrote a small shell script and had a 3-node Kubernetes cluster up and running \u2014 on our own machines \u2014 in just 20 lines!<\/p>\n To distribute load across the three cluster nodes ( The Just as before with Minikube, we applied all resources files as a quick check to see whether the cluster was handling the resource files as expected. It was0<\/sup> and autoscaling was working perfectly fine too after producing some load on the cluster.<\/p>\n 0<\/sup>: after deploying an We now each had a Minikube development cluster running on our local machines and a single, public production cluster running on the three This is where Helm<\/a> \u2014 the<\/em> package manager for Kubernetes comes in handy. It extends Kubernetes resource files by the Go template syntax<\/a>: hardcoded values in those resource files can be replaced by a placeholder value in double-curly-brace<\/a> syntax. This placeholder will eventually be replaced by Helm’s template renderer with the appropriate values as specified in a Helm makes it easy to upgrade or downgrade a specific service (= package = chart) to a different software release. The (Exemplary illustration of a Helm Chart, taken from Once the values of the resource files which we wanted to be configurable were templated, installing the entire application on our cluster became a no-brainer:<\/p>\n A lot of software packages are already available as a Helm chart. The Helm Hub<\/a> lists just a few of them. Now that we had a supposedly production-grade cluster running (which we didn’t really believe), we tried to break it by manually and automatically injecting faults.<\/p>\n The first attempt (which already made the cluster go kaput<\/em>) was to simply shutdown \/ reboot one of the three Crashing entire
\nFROM golang:alpine AS builder\n\nWORKDIR \/auth\n\nRUN apk add --no-cache make\n\nCOPY .\/config\/ .\/config\/\nCOPY .\/server\/ .\/server\/\nCOPY .\/vendor\/ .\/vendor\/\nCOPY .\/go.mod .\/go.mod\nCOPY .\/go.sum .\/go.sum\nCOPY .\/main.go .\/main.go\nCOPY .\/Makefile .\/Makefile\n\nRUN make\n\n# ---\n\nFROM alpine:latest\n\nWORKDIR \/auth\n\nRUN addgroup -g 1000 -S auth && \n adduser -u 1000 -S auth -G auth\n\nCOPY --from=builder \/auth\/bin\/server .\n\nUSER auth\n\nCMD [ "\/auth\/server" ]<\/code><\/pre>\nDockerfile<\/code> leveraging multi-stage builds<\/a>, taken from auth\/Dockerfile<\/a>)<\/i><\/p>\ndocker-compose.yml<\/code> file, for example to launch containers in a specified order, define their service dependencies, manage port mappings and implement a restart policy.<\/p>\nversion: "3"\n\nservices:\n auth:\n build:\n context: ${AUTH:-.}\n dockerfile: Dockerfile\n image: waa.edu.rndsh.it:5000\/auth:latest\n restart: unless-stopped\n ports:\n - "8443:8080\/tcp"\n env_file:\n - ${AUTH_ENV:-.env}\n cap_drop:\n - ALL<\/code><\/pre>\ndocker-compose.yml<\/code> file, taken from auth\/docker-compose.yml<\/a>)<\/i><\/p>\nDiving into Kubernetes<\/h1>\n
The official Kubernetes documentation<\/a> and tutorials<\/a> already gave a good introduction to what Kubernetes does and doesn’t try to achieve.<\/p>\n
\nIntroducing Kompose, the official Docker Compose to Kubernetes converter<\/h2>\n
$ kompose convert --chart --controller=deployment -f docker-compose.yml<\/code><\/pre>\ndocker-compose.yml<\/code> files. Out came a total of around 30 Kubernetes resource files. Kompose did its job impressively well! The tool not only reliably converted the well-known Docker Compose directives image<\/code><\/a>, ports<\/code><\/a> and restart<\/code><\/a>, but also converted less frequently used directives such as env_file<\/code><\/a>, cap_drop<\/code><\/a> \/ cap_add<\/code><\/a> and even volumes<\/code><\/a> to the equivalent Kubernetes syntax \/ resource type counterpart. It was super helpful and gave a headstart into becoming familiar with resource files \u2014 the first step into mastering the Kubernetes-Fu.<\/p>\nio.kompose<\/code> \u2014 they were no longer of any to us since we were already experienced enough to manage the files on our own.<\/p>\nimagePullSecrets<\/code> policy to every Deployment<\/code> resource and configure the referenced Docker Registry secret as we are pulling the Docker images from our own login-protected registry:<\/p>\nimagePullSecrets:\n- name: regcred<\/code><\/pre>\nauth\/kubernetes\/auth\/templates\/deployment.yaml<\/code><\/a>. The two lines instruct Kubernetes to use the regcred<\/code> secret to authenticate to the Docker Registry before pulling the image.)<\/i><\/p>\n$ kubectl create secret docker-registry regcred \n --docker-server=waa.edu.rndsh.it:5000 \n --docker-username=$REGISTRY_USERNAME --docker-password=$REGISTRY_PASSWORD<\/code><\/pre>\nregcred<\/code> secret via command line)<\/i><\/p>\nSetting up a private Kubernetes development cluster with Minikube<\/h2>\n
# Create and launch Minikube VM\n$ minikube start --memory='10240mb' --cpus=8\n\ud83d\ude04 minikube v1.7.3 on Darwin\n\u2728 Automatically selected the virtualbox driver\n\ud83d\udcbf Downloading VM boot image ...\n\ud83d\udd25 Creating virtualbox VM (CPUs=8, Memory=10240MB, Disk=20000MB) ...\n\ud83d\udc33 Preparing Kubernetes v1.17.3 on Docker 19.03.6 ...\n\ud83d\udcbe Downloading kubeadm v1.17.3\n\ud83d\udcbe Downloading kubelet v1.17.3\n\ud83d\udcbe Downloading kubectl v1.17.3\n\ud83d\ude80 Launching Kubernetes ...\n\ud83c\udf1f Enabling addons: default-storageclass, storage-provisioner\n\u231b Waiting for cluster to come online ...\n\ud83c\udfc4 Done! kubectl is now configured to use "minikube"<\/code><\/pre>\nkubeconfig<\/code> to ~\/.kube\/config<\/code> and switched the kubectl<\/code> context accordingly \u2014 we were ready to get started!<\/p>\n# Check cluster version\n$ kubectl version --short\nClient Version: v1.17.3\nServer Version: v1.17.3\n\n# \u2026 success!<\/code><\/pre>\nkubectl apply<\/code>‘ed all of them as follows:<\/p>\n$ find . -name '*.yaml' -not -name 'Chart.yaml' -not -name 'values*.yaml' \n -exec cat {} ; -exec echo '---' ; | kubectl apply -f -\nconfigmap\/auth-env created\ndeployment.apps\/auth created\nservice\/auth created\ndeployment.apps\/conversion-manager created\nservice\/conversion-manager created\ndeployment.apps\/converter-basic created\nservice\/converter-basic created\nconfigmap\/converter-deepdream-env created\ndeployment.apps\/converter-deepdream created\nservice\/converter-deepdream created\ndeployment.apps\/frontend created\nservice\/frontend created\nconfigmap\/imagestorage-env created\ndeployment.apps\/imagestorage created\nservice\/imagestorage created\ndeployment.apps\/ingress-backend created\nservice\/ingress-backend created\ningress.networking.k8s.io\/ingress-frontend created\nconfigmap\/ingress-middleware-env created\ndeployment.apps\/ingress-middleware created\nservice\/ingress-middleware created\nconfigmap\/jobmanager-env created\ndeployment.apps\/jobmanager created\nservice\/jobmanager created\nconfigmap\/storageservice-env created\ndeployment.apps\/storageservice created\nservice\/storageservice created<\/code><\/pre>\nkubectl get events --all-namespaces -w<\/code> \u2014 in real-time!
After a while, all deployments were READY<\/code> (verified with kubectl get all -o wide --all-namespaces<\/code>).<\/p>\ningress<\/code> addon via minikube addons enable ingress<\/code>. Minikube then made our application available to the world outside of the cluster.<\/p>\nminikube ip<\/code> shows the IP of the Minikube cluster, and curl<\/code>ing it returned our web frontend (\ud83c\udf89). To our surprise, the app0<\/sup> was already working fine \u2014 just as on our Docker Compose-managed cluster:<\/p>\n$ curl -Is $(minikube ip) | head -n1\nHTTP\/1.1 200 OK<\/code><\/pre>\nMaking the Kubernetes application highly-available<\/h2>\n
readinessProbe<\/code><\/a> and livenessProbe<\/code><\/a> directives for Deployment<\/code> resources.<\/p>\n502 Bad Gateway<\/code> response.<\/p>\nreadinessProbe<\/code> comes into play. It defines a check which needs to complete successfully before Kubernetes routes any traffic to the pod. For each of our deployments we created such a directive to instruct Kubernetes to either wait for a TCP port to become available or for a HTTP server to return a 2xx<\/code> response at a specified path:<\/p>\nreadinessProbe:\n httpGet:\n path: \/\n port: 8080\n periodSeconds: 2<\/code><\/pre>\nreadinessProbe<\/code> directive commanding Kubernetes to wait for a HTTP server on port 8080 of the pod to become available and answer a request to \/<\/code> with a 2xx<\/code> response before beginning to route traffic to the pod. Taken from frontend\/kubernetes\/frontend\/templates\/deployment.yaml<\/a>)<\/i><\/p>\nlivenessProbe<\/code>s are used to check if a pod is still<\/em> running correctly. Once a liveness check fails for a specific number of times (the failureThreshold<\/code>, default: 3, source<\/a>), Kubernetes automatically deletes (“restarts”) the pod and removes it from its internal service Load Balancer so traffic doesn’t reach it any longer.
Those two directives are configured in no more than 10 lines<\/a> \u2014 Kubernetes handles the rest of all the magic!<\/p>\nresources:\n requests:\n memory: "256Mi"\n cpu: "0.4"\n limits:\n memory: "512Mi"\n cpu: "0.8"<\/code><\/pre>\nresources<\/code> directive, taken from converter-deepdream\/kubernetes\/converter-deepdream\/templates\/deployment.yaml<\/a>)<\/i><\/p>\nrequests<\/code> specifies the minimum hardware resources required to run a pod, while limits<\/code> configures the maximum amount of hardware resources available to a pod. The values were initially either chosen arbitrarily or by looking at the output of kubectl top pods<\/code> which gave a rough estimate of how the values needed to be configured.<\/p>\ncpu<\/code> unit is a bit more complex:<\/p>\n
– 1 AWS vCPU
– 1 GCP Core
– 1 Azure vCore
– 1 IBM vCPU
– 1 Hyperthread on a bare-metal Intel processor with Hyperthreading<\/p>\ncpu<\/code> for our services.<\/p>\nsecurityContext:\n capabilities:\n drop:\n - ALL\n allowPrivilegeEscalation: false\n runAsUser: 18443<\/code><\/pre>\nauth\/kubernetes\/auth\/templates\/deployment.yaml<\/code><\/a>, allowPrivilegeEscalation: false<\/code> and runAsUser: 18443<\/code> prevent running the pod with root privileges)<\/i><\/p>\napiVersion: autoscaling\/v1\nkind: HorizontalPodAutoscaler\nmetadata:\n name: conversion-manager\nspec:\n scaleTargetRef:\n apiVersion: apps\/v1\n kind: Deployment\n name: conversion-manager\n minReplicas: 2\n maxReplicas: 8\n targetCPUUtilizationPercentage: 50<\/code><\/pre>\nHorizontalPodAutoscaler<\/code> resource, taken from conversion-manager\/kubernetes\/conversion-manager\/templates\/hpa.yaml<\/code><\/a>)<\/i><\/p>\ntargetCPUUtilizationPercentage<\/code>) which tells Kubernetes when to launch a new, or terminate an existing pod instance.<\/p>\nEntering bare-metal Kubernetes cluster solutions<\/h2>\n
\n
Talos<\/code> and k3OS<\/code>) were not allowed on the three machines we were given access to by our university, kubeadm<\/code> was too complex as we’d need to explore Kubernetes in a depth more than desired, and managed Kubernetes cluster solutions either required a credit card, or the student accounts were too constrained for our application in regards to hardware resources. We tried hosting our cluster in an AKS \u2014 just to see how easy it would be. It was indeed quite straightforward to deploy our cluster there (using a mix of both Azure’s web UI and the official az<\/code> CLI tool), but the hardware limitation of just four Azure vCores<\/em> (limit for student accounts) quickly spoiled any fun; We couldn’t even create replicas of all our services.<\/p>\nK3s and k3sup<\/h2>\n
kubeadm<\/code> would probably take us countless of hours or even days.
K3s is packaged as a single, static binary with no more than 40MB in size which can even be run on SoCs like the Raspberry Pi.<\/p>\nk3sup<\/code><\/a> which made installing K3s to multiple nodes even<\/em> simpler.<\/p>\n#!\/usr\/bin\/env bash\n\nset -eufo pipefail\n\nMASTER=$(dig +short -t a sem01.mi.hdm-stuttgart.de)\nSLAVES=(\n $(dig +short -t a sem02.mi.hdm-stuttgart.de)\n $(dig +short -t a sem03.mi.hdm-stuttgart.de)\n)\n\n# Set up \u201cMaster\u201d node\nk3sup install --ip $MASTER --sudo=false --cluster \n --context k3s-sem --local-path ~\/.kube\/config --merge \n --k3s-extra-args '--no-deploy traefik'\n# Configure firewall to allow access with kubectl\nssh root@$MASTER -- ufw allow 6443\/tcp\n\n# Set up \u201cSlave\u201d nodes\nfor SLAVE in ${SLAVES[*]}; do\n k3sup join --ip $SLAVE --server-ip $MASTER --sudo=false\ndone\n<\/code><\/pre>\nsem01<\/code>, sem02<\/code>, sem03<\/code>), we installed sem00<\/code> \u2014 a load balancer running nginx as a reverse proxy \u2014 in front of them:<\/p>\n![](\"\/wp-content\/uploads\/2020\/02\/image-editor-k3s-cluster.png\")
<\/a><\/p>\nk3sup install<\/code> command run above created a new context in ~\/.kube\/config<\/code> which we switched to with kubectl config use-context k3s-sem<\/code>.
A kubectl version --short<\/code> confirmed that the cluster was running:<\/p>\n$ kubectl version --short\nClient Version: v1.17.3\nServer Version: v1.17.2+k3s1<\/code><\/pre>\nnginx<\/code> ingress controller using helm install nginx stable\/nginx-ingress --namespace kube-system --set rbac.create=true --set serviceAccount.create=true --set podSecurityPolicy.enabled=true --set controller.replicaCount=3 --set controller.autoscaling.enabled=true --set controller.autoscaling.minReplicas=3 --set controller.autoscaling.maxReplicas=9<\/code>. We decided against using traefik<\/code> as the default ingress controller installed by K3s<\/em>.<\/i><\/p>\n$ curl -Is sem0{0,1,2,3}.mi.hdm-stuttgart.de 2>\/dev\/null | grep HTTP\/\nHTTP\/1.1 200 OK\nHTTP\/1.1 200 OK\nHTTP\/1.1 200 OK\nHTTP\/1.1 200 OK\n\n# All nodes and the load balancer are working fine! \ud83d\udc33<\/code><\/pre>\nHelm: Managing multiple application deployments the easy way<\/h2>\n
sem0x<\/code> servers.
Maintenance tasks such as microservice upgrades would always need to be performed on both clusters the same way, so that the development and production clusters would match. After a while this became cumbersome, especially as both clusters had slightly different configurations applied \u2014 different ConfigMaps<\/code>, different autoscaling parameters and different hardware resource constraints.<\/p>\nvalues.yaml<\/code><\/a> configuration file. Upon rendering, Helm also installs the rendered resource file to the Kubernetes cluster.<\/p>\n![](\"\/wp-content\/uploads\/2020\/02\/image-editor-helm-template.png\")
<\/a><\/p>\n
And the best: most of the work was already done for us by Kompose (see above), which created a Chart.yaml<\/code> file (as required for every Helm package \/ chart) and set up the correct directory structure<\/a> for it.<\/p>\nChart.yaml<\/code> file, amongst other directives<\/a>, must contain the name of the package name, the version of the packaged software, the version of the package itself, an optional package description and the package’s dependencies:<\/p>\napiVersion: v2\nname: storageservice\ndescription: Storage Service\nversion: 0.0.1\nappVersion: 0.0.1\ndependencies:\n- name: mongodb\n version: ">= 7.7.0"\n repository: "https:\/\/kubernetes-charts.storage.googleapis.com\/"\n- name: imagestorage\n version: "*"\n repository: "file:\/\/..\/..\/..\/image-storage\/kubernetes\/imagestorage"<\/code><\/pre>\nstorageservice\/kubernetes\/storageservice\/Chart.yaml<\/code><\/a>)<\/i><\/p>\n# Build Helm Charts (dependencies)\n$ helm dep build\n\n# View Helm's rendered resource files\n$ helm install --dry-run -f values.yaml waa .\/\n\n# Install Helm Charts\n$ helm install -f values.yaml waa .\/\n<\/code><\/pre>\nNoteworthy Helm packages<\/h3>\n
We played around with some packages, all of them deployable to the cluster with a simple helm install<\/code>:<\/p>\n\n
Fault injection<\/h2>\n
sem0x<\/code> nodes; the cluster stopped responding to some request for more than half a minute. A complete node failure is probably the worst of what could happen since it makes all pods on the node unavailable. It turned out that K3s set timeouts too generous for our use case (for example here<\/a>).
Drastically reducing the timeouts as explained here<\/a>, here<\/a> and here<\/a> \u2014 in some cases from 60 seconds (!) to only 4 \u2014 was enough to reduce the request stall in case of a complete node failure; Requests would no longer hang for more than 30 seconds but only a mere few which was tolerable.<\/p>\nCrashing all pod instances of a service<\/h3>\n