Ingress
1
Anthony Macey
TOGAF certified architect with over 20 years of experience across public sector,
finance, health, oil, and telecoms. Keen pursuer of CPD and professional
member of the British Computer Society (BCS).
I have special interests in data science, data integration, containers,
Kubernetes and cloud infrastructure.
2
Synopsis
I don't work for Oracle; any opinions expressed are my own and not those of Oracle or UKOUG. The content of this
talk is intended for information purposes only and is not a substitute for professional services. For all licensing
options I would refer you to your Oracle representative.
3
Background
4
Open Container Initiative
5
Cloud Native Computing Foundation
6
Docker
“Docker containers wrap a piece of software in a complete filesystem that contains everything needed to run: code,
runtime, system tools, system libraries – anything that can be installed on a server. This guarantees that the software
will always run the same, regardless of its environment.” http://www.docker.com
[Diagram: virtual machines (each app with its own libs on a guest OS above a hypervisor) versus containers (each app with its own libs sharing one Linux OS kernel), both on a host]
http://domino.research.ibm.com/library/cyberdig.nsf/papers/0929052195DD819C85257D2300681E7B/$File/rc25482.pdf
https://coreos.com/, https://www.projectatomic.io/
7
Orchestration
8
Adoption Statistics
https://www.datadoghq.com/docker-adoption/
https://www.cncf.io/blog/2017/06/28/survey-shows-kubernetes-leading-orchestration-platform/
9
De Facto Standard
https://sysdig.com/blog/2018-docker-usage-report/
https://www.theregister.co.uk/2017/10/17/docker_ee_kubernetes_support/
https://www.theregister.co.uk/2018/04/17/docker_enterprise_kubernetes/
10
Case Study
https://www.finextra.com/newsarticle/30789/monzo-pays-a-high-price-for-popularity-as-losses-widen-to-79-million
https://www.youtube.com/watch?v=YkOY7DgXKyw
https://monzo.com/blog/2016/09/19/building-a-modern-bank-backend/
https://techcrunch.com/2018/02/14/monzo-ireland/
11
Kubernetes
Building Blocks
12
Docker + Kubernetes
Kubernetes is an open-source system for automating deployment, scaling, and management of containerized
applications. It groups containers that make up an application into logical units for easy management and discovery.
Kubernetes builds upon 15 years of experience of running production workloads at Google, combined with best-of-
breed ideas and practices from the community.
13
Kubernetes // Namespaces
14
Kubernetes // Pods, Labels, Selectors, Services
apiVersion: v1
kind: Pod
metadata:
  name: test-pod
  labels:
    app: website
spec:
  containers:
  - name: private-reg-container
    image: tmdrg.azurecr.io/php71:v1
  imagePullSecrets:
  - name: tmdrg.azurecr.io
---
apiVersion: v1
kind: Service
metadata:
  name: website-service
spec:
  ports:
  - port: 80
    protocol: TCP
  selector:
    app: website        # matches the Pod label above
  type: NodePort
15
Kubernetes // Pods, Labels, Selectors & Services
amacey@builder:~/demo$ kubectl create -f shell-demo.yaml -n website
pod "shell-demo" created
16
Kubernetes // Pods, Labels, Selectors & Services
[Diagram: kube-dns, kube-apiserver and etcd]
17
Kubernetes // Secret Management
Objects of type Secret are intended to hold sensitive information such as passwords, OAuth tokens
and SSH keys. Putting this information in a Secret is safer and more flexible than putting it verbatim in
a Pod definition or in a Docker image: it lets you change passwords and redeploy without
rebuilding the entire pipeline. Note that a Secret is only base64-encoded, not encrypted, in etcd
unless encryption at rest is enabled, and anyone with RBAC permission to get Secrets in the
namespace can recover the plaintext, so Secrets need RBAC and etcd protection as well.
[Diagram: application code reads the Secret that Kubernetes injects into the Pod]
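As an added example (not from the slides), here is a Secret consumed as a read-only file mount rather than an environment variable, together with a Role that limits which principals may read it. The names (db-credentials, the website namespace, the reader Role) and the credential values are assumptions for illustration; the image is the one used on the Pod slide.

```yaml
# Added example, not the talk's own manifests. Names and values are assumed.
apiVersion: v1
kind: Secret
metadata:
  name: db-credentials
  namespace: website
type: Opaque
stringData:                      # plain text on input; stored base64-encoded, NOT encrypted
  username: webapp
  password: change-me-at-deploy-time
---
apiVersion: v1
kind: Pod
metadata:
  name: test-pod
  namespace: website
  labels:
    app: website
spec:
  containers:
  - name: private-reg-container
    image: tmdrg.azurecr.io/php71:v1
    volumeMounts:
    - name: creds
      mountPath: /run/secrets/db   # files appear as /run/secrets/db/username and /password
      readOnly: true
  volumes:
  - name: creds
    secret:
      secretName: db-credentials
      defaultMode: 0440            # readable by root and the Pod's fsGroup only
  imagePullSecrets:
  - name: tmdrg.azurecr.io
---
# Least privilege: only subjects bound to this Role can read the Secret object.
# Without such scoping, any subject with 'get secrets' in the namespace can run
#   kubectl -n website get secret db-credentials -o jsonpath='{.data.password}' | base64 -d
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: db-credentials-reader
  namespace: website
rules:
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["db-credentials"]
  verbs: ["get"]
```

A file mount is preferred over `env.valueFrom.secretKeyRef` because environment variables leak through `kubectl describe`, crash dumps and child processes, and a mounted Secret is updated in place when the object changes, whereas an environment variable is fixed for the life of the container.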
18
Kubernetes // Volumes & State
[Diagram: Pods A and B for each of labels X, Y and Z, running images A, B and C respectively, each mounting /var/volume/pod from a shared NFS server]
19
Kubernetes // Volumes
# Pod with an NFS volume (apiVersion/kind were cut from the top of the slide)
apiVersion: v1
kind: Pod
metadata:
  name: private-reg
spec:
  containers:
  - name: storageex
    image: nginx
    ports:
    - name: web
      containerPort: 80
    volumeMounts:
    - name: nfs
      mountPath: "/var/www/html"
  volumes:
  - name: nfs
    nfs:
      server: <HOSTNAME>
      path: "/web_content"
---
# PersistentVolumeClaim against the OCI storage class
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: nginx-volume
spec:
  storageClassName: "oci"
  selector:
    matchLabels:
      oci-availability-domain: "PHX-AD-1"
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 50Gi
---
# Pod-side volume that binds the claim above
volumes:
- name: nginx-storage
  persistentVolumeClaim:
    claimName: nginx-volume
20
Kubernetes // ConfigMap
$ kubectl create configmap hostcfg --from-file=/etc/hosts
configmap "hostcfg" created

$ kubectl describe configmap hostcfg
Name:         hostcfg
Namespace:    default
Labels:       <none>
Annotations:  <none>

Data
====
hosts:
----
127.0.0.1 localhost
10.1.0.25 builder.dk0.uk builder

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

# Pod spec fragment consuming the ConfigMap as a file
    volumeMounts:
    - mountPath: /some_data
      name: data
    - mountPath: /etc/hosts     # the slide mounted at /etc, which hides the image's whole /etc
      subPath: hosts            # subPath injects the single file instead
      name: config
  volumes:
  - name: data
    emptyDir: {}
  - name: config
    configMap:
      name: hostcfg
      items:
      - key: hosts              # the key is the source file name, as shown by describe above
        path: hosts
21
Kubernetes // Services & Ingress
Service type   Reachable via
ClusterIP      internal IP only
NodePort       external port on every node / mesh network
LoadBalancer   external LB

NodePort exposes the Service on the same port of every node (allocated from 30000-32767 by default).
Unless you pin it with spec.ports[].nodePort the port is chosen at random, so if you destroy and recreate
the Service the port changes. A NodePort also bypasses the ingress layer: anything that can reach a node
can reach the Service directly, so the node port range should be firewalled.
22
Kubernetes // Services & Ingress
An Ingress is another way to expose an internal Service externally: think virtual hosts and path routing to backend
Services. An ingress controller watches Ingress resources and configures a proxy; NGINX is the typical choice. An Ingress rule
contains the information required to expose your Service, for example the external DNS name, the backend Service
and the TLS certificate (referenced as a Secret).
[Diagram: Ingress rule = hostname + Kubernetes Service + certificates]
23
Kubernetes // Deployments
apiVersion: apps/v1
kind: Deployment
metadata:
  name: webapp-deployment
  labels:
    app: webapp
spec:
  replicas: 3
  selector:
    matchLabels:
      app: webapp
  template:
    metadata:
      labels:
        app: webapp
    spec:
      containers:
      - name: webapp
        image: tmdrg.azurecr.io/webapp:1
        ports:
        - containerPort: 8001
        livenessProbe:
          httpGet:
            path: /
            port: 8001
          initialDelaySeconds: 15
          timeoutSeconds: 30
      imagePullSecrets:
      - name: regsecret
24
Kubernetes // Deployments
25
Kubernetes // Types of Deployment
Deployment: You describe a desired state in a Deployment object, and the Deployment controller changes the
actual state to the desired state at a controlled rate. You can define Deployments to create new
ReplicaSets, or to remove existing Deployments and adopt all their resources with new
Deployments.
StatefulSet: Like a Deployment, a StatefulSet manages Pods that are based on an identical container spec.
Unlike a Deployment, a StatefulSet maintains a sticky identity for each of its Pods.
CronJob: One CronJob object is like one line of a crontab (cron table) file. It runs a Job periodically on a
given schedule, written in Cron format.
26
CI/CD
Monitoring // Operations // Deployments
27
Kubernetes // Oracle Cloud Infrastructure
https://cloud.oracle.com/containers/kubernetes-engine
https://blogs.oracle.com/cloud-infrastructure/kubernetes-a-cloud-and-data-center-operating-system
https://app.wercker.com/
28
Kubernetes // Kubernetes as a Service
https://cloud.oracle.com/containers
https://www.youtube.com/watch?v=GFANezgZqCY
https://thenewstack.io/openworld-oracle-sets-sites-aws-new-serverless-cloud-offerings/
29
Kubernetes // DevOps Tooling
30
Kubernetes // JIRA Driven Pipeline
31
Kubernetes // JIRA Driven Pipeline
https://www.datadoghq.com/docker-adoption/
32
NGINX Ingress
NGINX // cert-manager // Kubernetes
33
Kubernetes // Services & Ingress
https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-controllers
34
Ingress // NGINX Install
helm init
(Helm 2: this installs the Tiller component into kube-system. Tiller has no authentication of its own and is
commonly bound to cluster-admin, so give it a dedicated service account with scoped RBAC and enable TLS
rather than accepting the defaults.)
35
Ingress // NGINX
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: tls-service
spec:
  secretName: tls-service        # cert-manager writes the issued key pair here
  dnsNames:
  - service.internal
  issuerRef:
    name: vault-issuer
    kind: ClusterIssuer
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: service.internal
  annotations:
    kubernetes.io/ingress.class: nginx
    certmanager.k8s.io/cluster-issuer: vault-issuer   # ingress-shim can create the Certificate from this
spec:
  tls:
  - hosts:
    - service.internal
    secretName: tls-service      # must match the Certificate's secretName
  rules:
  - host: service.internal
    http:
      paths:
      - path: /api/v1/
        backend:
          serviceName: service.v1
          servicePort: 80
https://docs.cert-manager.io/en/venafi/tutorials/vault/creating-vault-issuers.html
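As an added example (not from the slides), the same Ingress in a permissive form beside the form I would actually deploy with ingress-nginx. The annotations are documented ones from the ingress-nginx annotation guide linked later in this deck; the source CIDR 10.1.0.0/24 and the body-size limit are assumptions chosen for illustration, and the tls-service Secret is the one issued by the Certificate above.

```yaml
# Added example, not the talk's own manifests. CIDR and body size are assumed.
# 1) Permissive: no tls block, so the controller serves plain HTTP and falls back
#    to its self-signed default certificate for HTTPS; path / exposes every route
#    of the backend, and any source the load balancer admits can reach it.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: service-internal-open
  annotations:
    kubernetes.io/ingress.class: nginx
spec:
  rules:
  - host: service.internal
    http:
      paths:
      - path: /
        backend:
          serviceName: service.v1
          servicePort: 80
---
# 2) Hardened: TLS from cert-manager, HTTP forced to HTTPS, only the API path
#    published, client sources restricted, request bodies capped.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: service-internal
  annotations:
    kubernetes.io/ingress.class: nginx
    certmanager.k8s.io/cluster-issuer: vault-issuer
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/whitelist-source-range: "10.1.0.0/24"   # assumed office range
    nginx.ingress.kubernetes.io/proxy-body-size: "1m"                    # assumed limit
spec:
  tls:
  - hosts:
    - service.internal
    secretName: tls-service
  rules:
  - host: service.internal
    http:
      paths:
      - path: /api/v1/
        backend:
          serviceName: service.v1
          servicePort: 80
```

The source-range whitelist only works if the controller sees real client addresses: behind a cloud load balancer that means `externalTrafficPolicy: Local` on the controller's Service or enabling proxy protocol, otherwise every request appears to come from the load balancer and the check is meaningless.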
36
Ingress // NGINX
[Diagram: a request to https://service.internal/api/v1/p1?value passes the security controls (firewall) and the load balancer to the nginx-ingress-controller in kube-system, which maps it to the frontend application Service in the application namespace; unmatched requests go to nginx-default-backend; cert-manager updates the TLS Secret that the ingress controller serves]
https://github.com/jetstack/cert-manager
https://kubernetes.github.io/ingress-nginx/
https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/
37
Istio Ingress
Istio // Kubernetes
38
Ingress // Istio Install
helm init
39
Ingress // Istio Install
40
Kubernetes // Istio Deployments
apiVersion: apps/v1
kind: Deployment
metadata:
  name: service-deployment
  labels:
    app: service-v1
spec:
  replicas: 3
  selector:
    matchLabels:
      app: service-v1
  template:
    metadata:
      labels:
        app: service-v1
    spec:
      containers:
      - name: service-v1
        image: tmdrg.azurecr.io/service:1
        ports:
        - containerPort: 8001
      imagePullSecrets:
      - name: regsecret
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: service-deployment
spec:
  hosts:
  - service.internal
  gateways:
  - service-gateway
  http:
  - match:
    - uri:
        prefix: /service1
    route:
    - destination:
        host: service1.default.svc.cluster.local
  - match:
    - uri:
        prefix: /service2
    route:
    - destination:
        host: service2.default.svc.cluster.local
  # further match/route entries were cut off at the bottom of the slide
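As an added example (not from the slides), the two objects the VirtualService above depends on but the slide does not show: the `service-gateway` it binds to, terminating TLS at the Istio ingress gateway and refusing clear-text HTTP, and a Kubernetes Service named `service1` that gives the Deployment's Pods the `service1.default.svc.cluster.local` address the route targets. Assumed: Istio 1.1 or later with SDS enabled on the istio-ingressgateway (so that `credentialName` is honoured), a Secret named tls-service in istio-system holding the certificate, and that the Pods listen on 8001 as on the Deployment slide.

```yaml
# Added example, not the talk's own manifests. Assumes Istio >= 1.1 with SDS and a
# tls-service Secret in istio-system; the Service/port mapping is assumed.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: service-gateway
  namespace: default
spec:
  selector:
    istio: ingressgateway          # the istio-ingressgateway Pods in istio-system
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE                 # gateway terminates TLS
      credentialName: tls-service  # served from the Secret via SDS, no volume mount needed
    hosts:
    - service.internal
  - port:
      number: 80
      name: http
      protocol: HTTP
    tls:
      httpsRedirect: true          # 301 to https instead of serving in clear
    hosts:
    - service.internal
---
apiVersion: v1
kind: Service
metadata:
  name: service1
  namespace: default
spec:
  selector:
    app: service-v1                # label from the Deployment on the slide
  ports:
  - name: http
    port: 80                       # VirtualService routes to port 80 of this host
    targetPort: 8001               # containerPort from the Deployment
```

Restricting `hosts` on each server block matters: a Gateway with `hosts: ["*"]` will accept any SNI/Host value, and a VirtualService bound to it can then publish a Service under a name you did not intend to expose.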
41
Ingress // Istio
https://www.envoyproxy.io/
https://istio.io/docs/
https://istio.io/docs/tasks/
42
Questions?
43
Scratch
44