# → https://bit.ly/fat-k8s-workshop

![Workshop Loading QR Code](bit.ly_fat-k8s-workshop.png)

* setting up a generic Kubernetes system
* deploying Laravel onto it using Helm charts (versionable infrastructure description), with Postgres, Redis and workers
* employing a Gitlab repository for CI/CD for building container images
* managing per-deployment configuration and environment variables
* process health, logging and scaling
* using the artisan CLI tool for scheduled and one-off jobs on the cluster (as time permits)

In [None]:
export GIT_COMMITTER_NAME=$JUPYTERHUB_USER

In [None]:
cd ~/kubernetes-workshop
./setup_account.sh
chmod go-r ~/.kube/config
export USER=$GIT_COMMITTER

# Kubernetes Workshop

With Phil Weir
(the guy who is somewhere near this projector, hopefully)

* Structure of course
* Next steps

### Basic notebook instructions

* Use Shift+Enter or Ctrl+Enter to execute a "cell" (each one of these rows)
* Those with [ ] in the left gutter are executable - the others are informational
* Up/Down arrows keys are the easiest way to navigate the notebook
* If you select a cell (click to the left, outside the text area), the 'b' key will give you a new executable box below
* If you accidentally edit an informational cell - it will switch to markdown - Ctrl+Enter will exit edit-mode
* If a step hangs, with a [ * ] on the left, you may need to click the recycle button in the toolbar (if you have any other issues afterwards, re-run the cell at the top, to set environment variables)

### Why Kubernetes?

* What is Kuernetes
    * Back in the day, if you wanted to run programs on a bunch of servers you had to log in and out of them all manually

* How is this relevant to Python?
  * Scalable
  * Systematic
  * Within control

* Why Kubernetes over alternatives?
  * Other container orchestrators
    * Popularity and backing
    * Good balance of simplicity and complexity
  * IaaS/PaaS
    * Doesn't tie you to a single provider
    * Can be run off-cloud
    * Can be run on a dev machine
    * Abstracts and automates the provider-specific bits (mostly)
    * Separates out hardware from application infrastructure (containers vs servers)

* Brief (re)introduction to Docker
  * If you aren't already familiar with it, you can think of a docker _container_ as a VM that shares a kernel with the host
    * ...but don't as that loses key important differences
  * Recommended practice is to have one process per container
    * containers are very memory light compared to VMs, so this is much less wasteful than it may sound
    * this provides encapsulation and makes scaling easier
  * `docker-compose` is an _extremely_ handy tool that takes a short, app-specific _docker-compose.yml_ file as input and spins up a multi-container environment with all the expected dependencies and links
    * you can keep the `docker-compose.yml` file in the repo with your app
    * between docker and docker-compose, you can provide a rough alternative to VirtualBox and Vagrant developer flow (although those do not map directly)

### Setting up a system

* Cloud
  * GKE: gcloud
  * AWS: EKS
  * Azure: AKS
  * IBM: IKS

* Manually (kubeadm / Kubernetes the Hard Way --->)
  * kops
  * kubeadm
  * [Kubernetes the Hard Way](https://github.com/kelseyhightower/kubernetes-the-hard-way)
  * For more information, see https://kubernetes.io/docs/setup/scratch/

* Minikube

### Sanity checks

In [None]:
git version

In [None]:
kubectl version

To begin with, I will talk a little bit about basic Kubernetes tools and concepts, then we can start building up practical steps...

The language of Kubernetes communication is JSON, under the hood, but generally the tooling lets you talk to it in YAML, which is actually a (much more readable) superset. Instead of

```json
{
    "apiVersion": "v1",
    "type": "Pod",
    "metadata": {
        "name": "hi-pod"
    }
    ...
}
```

we can write

```yaml
apiVersion: v1
type: Pod
metadata:
    name: "hi-pod"
```

We can build up all our Kubernetes objects on the cluster by sending declarative YAML files.

# Step 1: Just a webserver

The easiest way to interact with a Kubernetes cluster is the `kubectl` tool. It's preinstalled here, but you can download it yourself locally. The configuration files are called `kubeconfig` files, and the default one lives at `~/.kube/config` on Mac/*nix.

*nginx* is an extremely popular webserver. We can run it on Kubernetes with no further information -- this is the equivalent of logging into a Linux server and setting up Apache (or, indeed, nginx), but in one handy line:

In [None]:
kubectl create deployment mynginx --image=nginx

A _deployment_ is essentially a single application (perhaps running many times). It is normally one or more replicas of a specific process (in this case nginx), maybe with some helper process or some start-up/shutdown actions.

In [None]:
kubectl get deployments

We can run two identical instances of nginx, by scaling it

In [None]:
kubectl scale deployment mynginx --replicas=2
kubectl get deployments

However, for us to interact with nginx we have to encounter another concept: _services_ . Commonly, we often think of a process and the service it provides as essentially equivalent - however, modern "orchestration" tools help decouple the idea of an advertised service (_services_) and the processes backing them up (_deployments_).

This means that we can link up different tools with them only knowing each others' *services* - Kubernetes will route requests through to the deployed processes behind the scenes. If we have multiple processes running, it applies simple load balancing ("Round Robin" by default, passing one task/request to each processes in turn as they come in). For example, there could be 100 nginx processes spread over a dozen VMs and any internal or external request just asks for the nginx service and magically gets a reply.

We created a deployment, but we still need to create that service... as with `create` for deployments, there is a command to attach a service: `expose`

In [None]:
kubectl expose deployment mynginx --port=80
kubectl get services

There are certain service types that involve Kubernetes creating and attaching an external load balancer on the cloud platform - so, for instance, you can tell an AWS-based Kubernetes cluster that you want an external load balancer to point to nginx, and it will tell AWS to fire one up and show the `EXTERNAL IP` in this list, without you having to plumb it in. Your nginx processes will then be available publicly (by default).

This is a short workshop to cover a lot of concepts, but lets take a brief break to check that works:

---

In [None]:
IP=$(kubectl get service mynginx --output=jsonpath="{.spec.clusterIP}")
curl http://$IP | displayHTML

---

If a step hangs, click the stop (⏹) button in the toolbar to restart bash, and re-run it

To keep things simple and consistent, we will use mostly private IPs - so we can't navigate to the public URL in a browser, and instead show the output in a notebook - but the jump to public on a cloud provider is also pretty straightforward.

One final bit of machinery we should see before we move on:

In [None]:
kubectl get pods

_Pods_ are the individual processes running on a machine somewhere. Each of those is an nginx process. They are the basic unit of Kubernetes execution - here, two Pods were created as part of our Deployment (remember, we scaled it to 2 processes)

Strictly, pods _can_ be more than one process. They are usually, but not always, one Docker container (which is _generally_ one OS process) - however, in some cases a "sidecar" container is useful. For instance, a metric-exporter process running alongside your Python app, might send regular resource usage (CPU/memory/IO) statistics to a database so you can graph performance over time. Once you see the `1/1` appearing under `READY` above, this means that all 1 of the 1 containers in the Pod are good to go.

In any case, conceptually, a Pod still represents one instance of one tool/process. They are created and destroyed as part of Deployments, Jobs, and many other Kubernetes objects.

Finally, we tidy up:

In [None]:
kubectl delete deployment mynginx
kubectl delete service mynginx

In [None]:
kubectl get deployment

In [None]:
kubectl get pods

All gone! (you might need to try a couple of times, while you wait for it to terminate) As the Deployment was deleted, the pods that made it up, went away too.

These are only a few of the Kubernetes concepts and objects, and the above is an intentionally hand-wavey introduction, to give you a feel for some key components. For the moment, we'll steer back to PHP.

### Local Development

* docker-compose
  * like orchestration-lite
  * ties in closely with docker-swarm, but equally useful standalone
  * allows your process and connections to be described in one file
  * helps you manage variables, linking and persistance
  * great test-bed

* Minikube
  * a virtual machine for using Kubernetes on your own laptop
  * avoids running cloud servers for development/testing

# Step 2: Helm

* Setting up Helm
  * Helm describes itself as a Kubernetes package manager
  * What this means is that a whole set of interlinking components, secrets, services can be described under one banner and jointly deployed as a "Chart"
  * This could be a full app, or a self-backing-up database, or Thingsboard

Helm can tell us what charts are installed already:

In [None]:
helm list

The expected output is blank - this is because we haven't installed any charts (i.e. packages) so far.

Without getting too much into all the `helm` functionality, let's start by seeing how we can deploy an nginx server to our Kubernetes cluster. Helm uses Kubernetes libraries under the hood, so your default authentication configuration (from ~/.kube/config) will get used.

In [None]:
helm repo update
helm search hub python

We register a Helm repo (repository) to pull these charts (apps) from - for many more, see https://artifacthub.io

In [None]:
helm repo add python-fastapi-postgres https://archish27.github.io/python-fastapi-postgres-helm/

Now we can install from that repo - in this case, a trivially simply Python API that responds `{"Hello": "World"}` to requests

In [None]:
helm install my-python-fastapi-postgres python-fastapi-postgres/python-fastapi-postgres --version 0.1.0

You can see from the below that a whole series of objects have been created, including a Deployment and a Service. As we learned above, a Deployment will create one or more Pods - you can see the Pod starts with the same name and is marked "related".

In [None]:
kubectl get all

(the above may need re-run a few times until it stops showing "Init:0/2")

In [None]:
IP=$(kubectl get service my-python-fastapi-postgres --output=jsonpath="{.spec.clusterIP}")
curl http://$IP

We will see how this type of tool is built up from Python and Dockerfiles soon, but for now, the key takeaway is that you can take a Python app, dockerize it, and run it in a process on Kubernetes (here, a deployment, consisting of one pod, consisting of one container, which runs one Python process)

helm also gives us a neat way of cleaning up all the different related pieces for this app in one go -- deployments, services, etc.

In [None]:
helm delete my-python-fastapi-postgres

and sure enough (perhaps after a few seconds)...

In [None]:
kubectl get all

* Concepts of charts and Docker images

**Extension**: So what actually _is_ a Chart?

It is a filetree of, mostly, template [YAML](https://en.wikipedia.org/wiki/YAML) files. Each of these defines a Kubernetes object, such as a Deployment, Service or Secret. This way you can have all the boilerplate in a single git-versioned Chart, dynamically dropping in per-deployment settings using a handful of templated variables at deployment time - such the public URL for nginx, or the back-up retention period for postgres.

In [None]:
helm repo add bitnami https://charts.bitnami.com/bitnami
helm install wordpress bitnami/wordpress

In [None]:
kubectl get services
kubectl get pods

(re-run the above until an external IP address appears and the pods say `1/1` - may take a few moments.

In [None]:
echo "Internal: " $(kubectl get service wordpress --output=jsonpath="{.spec.clusterIP}")
echo "External: http://$(kubectl get service wordpress --output=jsonpath="{.status.loadBalancer.ingress[0].ip}")"
echo "Administration: http://$(kubectl get service wordpress --output=jsonpath="{.status.loadBalancer.ingress[0].ip}")/wp-admin"
  echo Username: user
  echo Password: $(kubectl get secret --namespace administrator wordpress -o jsonpath="{.data.wordpress-password}" | base64 -d)

In [None]:
helm delete wordpress

### Structure

How can we visualize this? F&T often works with PHP applications - these have a webserver (nginx), which sends data to a PHP process (phpfpm), which gets data from a database (mariadb)

![PHP diagram](https://s3.us-west-2.amazonaws.com/public.flaxandteal.co.uk/larakube-1-things.svg)

Now, let's try a similar idea in Python...

# Step 3: Example App

In [None]:
rm -rf ~/kubernetes-workshop-flask-example; cd ~
git clone https://github.com/flaxandteal/kubernetes-workshop-flask-example ~/kubernetes-workshop-flask-example

In [None]:
cd ~/kubernetes-workshop-flask-example
ls

Here we have a few tools for Kubernetes, in particular an example file for setting deployment-specific values.

In [None]:
cat values.yaml

Let us try installing this Helm chart:

In [None]:
cd ~/kubernetes-workshop-flask-example
helm install python-course-021cc .

As in every type of deployment, we need to have specific custom settings for our own deployment. This answers several questions:

In this approach:

* **Where is our app code stored?**: In the final built images. During continuous integration (or manual building, for smaller scale), pre-prepared base images have the code added in. The built images are then tagged for that code version and pushed to a Docker image registry that the Kubernetes cluster can access.
* **How do we keep our code secure?**: In this example, for simplicity we use the default base images, without custom app code - as such, they are pulled down from the public Docker Hub registry. However, there are private image registries within each cloud platform, e.g. AWS ECR, which Kubernetes can authenticate with to pull down images.
* **What about secrets?**: In this particular approach, we use Kubernetes Secrets, which is simple but only a minimum bar (although, the default implementation is improving). Better practice is to use something like the Kubernetes Vault Operator, but this takes more care to set up.

_None of these are hard and fast_. There are various approaches, with benefits and drawbacks.

In [None]:
kubectl get pods

Re-run the above until it quietens down and they all say "Running" or "Completed"^^^

In [None]:
IP=$(kubectl get service python-course-021cc-kubernetes-workshop-flask-example --output=jsonpath="{.spec.clusterIP}")
curl http://$IP:5000/alembic_instruction

If the above returns `null` this is working correctly.

* Work through the charts

Lets take a look at what just started up:

In [None]:
kubectl get pods

Here we have only one service, it contains our code: https://github.com/flaxandteal/kubernetes-workshop-flask-example-app/

We send our output to stdout by default (i.e. simply `print()` and `logging`), we find that the logs from this Pod are the logs of a `Flask`/`gunicorn` webserver:

In [None]:
FLASK_POD=$(kubectl get pods -o=name  --selector=app.kubernetes.io/name=kubernetes-workshop-flask-example)
kubectl logs $FLASK_POD

This approach also simplified life for log aggregation, where logs can be gathered from the stdout/stderr of the various Pods.

### Github Actions

* What is CI?

Github provides free basic continuous integration (CI) - when done well, this is an easy, reproducible and consistent way to go from local development to built images. To follow along, you will need to have [your own Github account or sign up](https://github.com), or can look through the [details of the pipeline](https://github.com/flaxandteal/kubernetes-workshop-flask-example-app/actions/) of the existing demo.

If you wish to use your own account, then you [should fork](https://github.com/flaxandteal/kubernetes-workshop-flask-example-app/fork) a copy. You can clone it down here, or on your own machine/VM to make it easier to experiment. If you want to use your fork in this notebook, then set your Github username here:

In [None]:
export GITHUB_USERNAME=philtweir

Our example app is a microservice for doing Alchemy with SQL (the result of a bad pun that I couldn't let go) - we can create the Philosopher's Stone (Magnum Opus) by requiring several Substances (Mercury, Salt and Sulphur) through web requests, mixing them to get Gloop, and then cooking, washing, pickling and fermenting them in that order, to obtain the Philosopher's Stone of legend.

(for anyone wondering, while vastly over-simplified, this does reflect the basic structure of the alchemical technique)

As well as the [app itself](https://github.com/philtweir/kubernetes-workshop-flask-example-app), we have a repository for the infrastructure code (the Helm chart) used to run it: https://github.com/philtweir/kubernetes-workshop-flask-example

### Docker

Finally, we get down to our lowest level for today. The Python code has to be wrapped up into a `container` - this is what it sounds like, a ringfenced set of files and resources that cannot see the outside world, except as explicitly permitted. They are similar, but different to, light virtual machines (side-note: but all share one operating system kernel when running on a laptop/server) - they may be as small as tens of megabytes, or very large, but they have their own filesystem. Two key objectives are that they can be reproducibly built - through a Dockerfile, which states the recipe - and are isolated enough to run anywhere without needing to know much about their environment (we will mention the "12 factor app" later that codifies this philosophy)

First off, we can take a look at the `Dockerfile`:

In [None]:
cd ~
git clone https://github.com/philtweir/kubernetes-workshop-flask-example-app
cd ~/kubernetes-workshop-flask-example-app; git pull

In [None]:
ls

In [None]:
cat Dockerfile

This starts from a well-known base - an official Python Docker image, with a very cut-down operating system (Alpine), and builds on top. Alpine is great for very light, small containers (which is important if you want to run 100s or 1000s in parallel on a few servers, to serve web requests in high volume) but has some optimisations that can make it difficult to use with the whole Python ecosystem -- there are also Debian and Ubuntu based images, that have the same commands and behaviour to your Linux servers/laptops but might be a little bulkier (e.g. `python:3.8-slim`)

Our next commands build on top. As we are starting from a nearly empty operating system, we start by adding a user, and then copy our files from the repo into the container. We tell the container that it will be running as a user called `user` and will expose a port `5000` where the Python webserver (gunicorn) will expect to see web requests. Have a look at `gunicorn_config.py` for a bit more info. Finally, we copy the app itself in.

You can build this locally with `docker build .` but the next question is, how does the container image (the output of this build) get moved onto Kubernetes to run as a new app? In short, we use Continuous Integration - handy short-lived servers that see changes comining into a git repository and re-run any commands like docker build, pushing container images to a *container (image) registry* that Kubernetes can see.

*Pro-tip: Modern Kubernetes has Role Based Authorization Control (RBAC), so we can create deployment users with special privileges that can ensure changes go directly from Github to our Kubernetes cluster without our intervention. Historically, it was common use `kubectl` to run these commands, but now tools like AgroCD or FluxCD automate the process more robustly. It would be possible do this via `curl` calls also, to the Kubernetes API. A particular benefit of Github Actions and, for example, Gitlab-CI, is that they can run for free on the code-hoster's platform, but can also be run internally, or even _on_ Kubernetes, if you need more speed or resources when building Docker images.*

These are not the only options, however - Bitbucket now has a similar set-up. Jenkins, CircleCI, Concourse and others can provide these types of pipeline also.

NB: the CI steps show some of the Docker commands that could be run locally, if you wanted to get the hang of Docker in a manual way, building images and pushing them.

#### CI on a fork

Verbal instructions will walk you through forking the repository and creating your own version (and CI). Once that is working, try the below:

In [None]:
GITHUB_USERNAME=philtweir
kubectl set image deployment/python-course-021cc-kubernetes-workshop-flask-example kubernetes-workshop-flask-example=ghcr.io/${GITHUB_USERNAME}/kubernetes-workshop-flask-example-app

In [None]:
kubectl get pods --selector=app.kubernetes.io/name=kubernetes-workshop-flask-example

So, now that it is running, what have we got? First, let us see the services:

In [None]:
kubectl get services

As we showed above with Wordpress, we can use IP addresses, but within the cluster, it manages its own DNS

In [None]:
echo "Internal: "http://$(kubectl get service python-course-021cc-kubernetes-workshop-flask-example --output=jsonpath="{.spec.clusterIP}")/alembic_instruction
echo "Equivalent alternative: http://python-course-021cc-kubernetes-workshop-flask-example.${JUPYTERHUB_USER}:5000/alembic_instruction"
curl http://python-course-021cc-kubernetes-workshop-flask-example.${JUPYTERHUB_USER}:5000/alembic_instruction

The format is `SERVICENAME.NAMESPACE` or, equivalently, `SERVICENAME.NAMESPACE.cluster.svc.local`

The namespace is a grouping mechanism, like multitenancy, where each of you can have your own resources, like services and pods, that do not interfere with each other. For convenience, I have chosen to give everybody a namespace name that is simply their username.

### Trying out the app

Now that we have an app, we still need to do something with it. Remember I said it's a fancy kitchen mixer for the Philosopher's Stone? Let us do a little bash scripting to make it easier to poke at:

In [None]:
get () {
    curl python-course-021cc-kubernetes-workshop-flask-example.$JUPYTERHUB_USER:5000$1
}
post () {
    curl    -H 'Content-Type: application/json' -X POST python-course-021cc-kubernetes-workshop-flask-example.$JUPYTERHUB_USER:5000$1 --data "$2"
}
delete () {
    curl    -H 'Content-Type: application/json' -X DELETE python-course-021cc-kubernetes-workshop-flask-example.$JUPYTERHUB_USER:5000$1 --data "$2"
}

The above is nothing to do with Kubernetes - in fact, it is bash scripting that lets us call curl without typing the same parameters every time.

In [None]:
echo Empty the Pantry \(forget any Substances that were already stored\)
delete /substance

echo Create some Substances, so we can mix them
post /substance '{"nature": "Mercury"}'
post /substance '{"nature": "Salt"}'
post /substance '{"nature": "Sulphur"}'

echo Mix the Substances to get Gloop in our Alembic \(old-school mixing pot\)
post /alembic_instruction '{"instruction_type": "mix", "natures": "Mercury,Salt,Sulphur"}'

echo Play with the Gloop until we have the Philosopher\'s Stone
post /alembic_instruction '{"instruction_type": "process", "natures": "Gloop", "action": "cook"}'
post /alembic_instruction '{"instruction_type": "process", "natures": "Gloop", "action": "wash"}'
post /alembic_instruction '{"instruction_type": "process", "natures": "Gloop", "action": "pickle"}'
post /alembic_instruction '{"instruction_type": "process", "natures": "Gloop", "action": "ferment"}'

Uh-oh, that does not look good. How do we find out where all the errors came from?

### Debugging

Kubernetes debugging, as a system that has many levels, is a bigger topic than an introduction. However, to help you see where to start - try the following:

In [None]:
FLASK_POD=$(kubectl get pods -o=name  --selector=app.kubernetes.io/name=kubernetes-workshop-flask-example)
kubectl logs $FLASK_POD | tail -n 100

That's a lot of logs. However, we should recognise that we are looking at Python exceptions - that is our first clue. Our second is that it tells us a database table is missing... if we have a database (which our app does), then we should initialize it! To do this, we can use the handy `kubectl exec` to execute a pre-defined initialization routine:

In [None]:
kubectl exec -ti deploy/python-course-021cc-kubernetes-workshop-flask-example -- python -m magnumopus.initialize

Now, try again!

In [None]:
echo Empty the Pantry \(forget any Substances that were already stored\)
delete /substance

echo Create some Substances, so we can mix them
post /substance '{"nature": "Mercury"}'
post /substance '{"nature": "Salt"}'
post /substance '{"nature": "Sulphur"}'

echo Mix the Substances to get Gloop in our Alembic \(old-school mixing pot\)
post /alembic_instruction '{"instruction_type": "mix", "natures": "Mercury,Salt,Sulphur"}'

echo Play with the Gloop until we have the Philosopher\'s Stone
post /alembic_instruction '{"instruction_type": "process", "natures": "Gloop", "action": "cook"}'
post /alembic_instruction '{"instruction_type": "process", "natures": "Gloop", "action": "wash"}'
post /alembic_instruction '{"instruction_type": "process", "natures": "Gloop", "action": "pickle"}'
post /alembic_instruction '{"instruction_type": "process", "natures": "Gloop", "action": "ferment"}'

Debugging doesn't just stop here though, we can also examine more configuration-type issues, outside the container:

In [None]:
kubectl set image deployment/python-course-021cc-kubernetes-workshop-flask-example kubernetes-workshop-flask-example=nonexistant/image

You will notice that, having set it to run from a non-existant Docker image, the Python server no longer exists...

In [None]:
kubectl get pods

Kubernetes is quite clever - as you have tried to update a deployment, but the resulting pod has not been successful, Kubernetes keeps the old one running until the problem is resolved, so your running service does not break (if it can be avoided).

To find out more, we can use the `kubectl describe` command:

In [None]:
kubectl describe pods --selector=app.kubernetes.io/name=kubernetes-workshop-flask-example

Under the events section (near the end), you will see a whole set of recurring errors and their frequencies. These are being sent by the `kubelet` daemon, which manages the running of actual containers on VMs (nodes) - it has noticed that it cannot pull the node.

This can happen quite a bit if you have, for example, private container registry credentials that are expiring too fast, are missing or are incorrect. If you want to find out more about private registry credentials, have a look at the `imagePullSecrets` setting for Pods/Deployments.

You can restore the image, like so (or with a `helm upgrade ...`)

In [None]:
kubectl set image deployment/python-course-021cc-kubernetes-workshop-flask-example kubernetes-workshop-flask-example=ghcr.io/$GITHUB_USERNAME/kubernetes-workshop-flask-example-app

### Rollout

Kubernetes provides some useful tools for managing roll-out. For instance:

In [None]:
kubectl rollout history deployments

We can give a bit more info by adding a certain annotation:

In [None]:
kubectl annotate deployment/python-course-021cc-kubernetes-workshop-flask-example kubernetes.io/change-cause='fix version'
kubectl set image deployment/python-course-021cc-kubernetes-workshop-flask-example kubernetes-workshop-flask-example=ghcr.io/${GITHUB_USERNAME}/kubernetes-workshop-flask-example-app
kubectl rollout history deployments

Kubernetes manages lots of its decisions by forms of "tagging", where `annotations` and/or `labels` are used to mark a deployment/service/pod for specific behaviour or treatment.

In [None]:
kubectl get deployment python-course-021cc-kubernetes-workshop-flask-example -o yaml | head -n 20

Labels, for instance, can be used as a handy filter:

In [None]:
kubectl get deployments --selector=app.kubernetes.io/name=kubernetes-workshop-flask-example

In [None]:
kubectl get pods --selector=app.kubernetes.io/name=kubernetes-workshop-flask-example

You can roll back deployments, you can require a certain minimum number of live pods at any time during the rolling update, or even decide where new Pods are scheduled on the underlying VMs/systems (termed Nodes). Kubernetes has concepts of liveness and readiness probes, so for some types of deployment, it can spot when Pods are functional or not. In addition, this allows it to undertake one of the most fundamental aspects of orchestration, replacing Pods when they become unresponsive or die.

### State

Now, what happens if we restart the pod? (because pods are "stateless", this is equivalent to deleting it)

In [None]:
kubectl delete pods --selector=app.kubernetes.io/name=kubernetes-workshop-flask-example

In [None]:
kubectl get pods

In [None]:
post /substance '{"nature": "Mercury"}'

Hmm, looks like our database disappeared. We have no concept of state right now, so nothing is saved when a pod/container restarts. We won't get into the details of `volumes` (except verbally) but suffice it to say, having an in-memory database lasts only as long as the memory. Let's try adding a real database. Helm makes this as easy as one command for most major (open source) databases!

Here we can take a [12 factor](https://12factor.net/) approach to override aspects of the app. Firstly, we can add a postgres server...

In [None]:
helm repo add bitnami https://charts.bitnami.com/bitnami
helm upgrade --install db bitnami/postgresql #  --set primary.resources.requests.cpu=100m --set primary.resources.requests.memory=100Mi --set primary.resources.limits.cpu=100m --set primary.resources.limits.memory=100Mi

Now we get a password (in production systems there is much more to secret management)

In [None]:
POSTGRES_PASSWORD=$(kubectl get secret db-postgresql -o jsonpath="{.data.postgres-password}" | base64 -d)
echo $POSTGRES_PASSWORD

Now, we upgrade our chart to apply some new values - we override an environment variable (one that the Python app knows about) to give Postgres credentials, and this time, rather than passing the image as a separate setting with `set image` or `--set`, we put it all together in a single `values` file. Think of this like per-environment configuration that gets rolled into your Chart or app when it is deployed.

In [None]:
cd ~/kubernetes-workshop-flask-example
git pull
echo '
env:
    DATABASE_URI: "postgresql://postgres:'${POSTGRES_PASSWORD}'@db-postgresql:5432/postgres"
image:
    repository: "ghcr.io/'${GITHUB_USERNAME}'/kubernetes-workshop-flask-example-app"
' > local.yaml
helm upgrade python-course-021cc . --values local.yaml

In [None]:
kubectl get pods

In [None]:
post /alembic_instruction '{"instruction_type": "mix", "natures": "Mercury,Salt,Sulphur"}'

We have a new DB, so we need to run our initialization again:

In [None]:
# kubectl exec -ti deploy/python-course-021cc-kubernetes-workshop-flask-example -- python -m magnumopus.initialize

but let's do it a slightly neater way - rather than hacking in to an existing pod, Kubernetes lets us create a `job` which is a single-execution task, that gets its own container:

In [None]:
kubectl create job python-course-initialize-db --image=ghcr.io/${GITHUB_USERNAME}/kubernetes-workshop-flask-example-app -- /bin/sh -c "export DATABASE_URI='postgresql://postgres:${POSTGRES_PASSWORD}@db-postgresql:5432/postgres'
    python -m magnumopus.initialize"

In [None]:
kubectl get jobs
kubectl get pods

When a pod successfully finishes, you can see it is `Completed`. Many charts provide post-installation jobs like this automatically, to avoid the need for manual steps, but sometimes it can cause confusion if actions are taken out of sequence, or before a database is ready, so don't assume too much when writing your Chart...

In [None]:
kubectl delete job python-course-initialize-db

Let's poke at the DB a little. Some bash scripting again will help:

In [None]:
run_sql_on_pg () {
  kubectl exec -ti db-postgresql-0 -- /bin/sh -c "PGPASSWORD=$POSTGRES_PASSWORD psql -U postgres -c '$1'"
}

In [None]:
run_sql_on_pg "\dt"

In [None]:
post /substance '{"nature": "Mercury"}'

In [None]:
run_sql_on_pg "SELECT * from substances"

Now does state stay?

In [None]:
kubectl delete pods --all

In [None]:
post /substance '{"nature": "Sulphur"}'

(it may take a few seconds)

In [None]:
run_sql_on_pg "SELECT * from substances"

Yes!

We won't spend time on volumes, but just to note that `persistent volumes` are the Kubernetes term for things like "disks" or cloud-based storage.

In [None]:
kubectl get pvc

This corresponds to a (snapshotable) storage disk in GCP/AWS/Azure/IBM, and usually survives after the pods using it (in this case db-postgresql-0) die - the association is called being `Bound`.

#### Exercise

Try deleting the postgres helm installation with `helm delete`. Create it again. Did the data survive? (use run_sql_on_pg to check)

Now try deleting both the postgres helm installation and, after, delete the pvc (persistent volume claim). Now reinstall postgres with helm. Has the PV come back? Is it the same? Is the data still there?

# Supplementary

### Cronjobs

* Cronjobs

To make scheduled tasks work, we use the Kubernetes concept of Cronjobs.

In [None]:
kubectl get cronjobs

You will see this uses a similar format to traditional cron schedules. As with the normal Laravel approach, we set this to run an artisan job every minute (`php artisan schedule:run`), and Laravel's scheduler will decide whether any of the PHP-defined tasks are due to get kicked off.

This is quite configurable - we can say how many completed Pods we want to keep, for diagnostics, and how many failed ones, how long we give them to start up, and how many attempts each will get.

* Running artisan

This is part of a broader concept of Jobs. These are requests to schedule a one-off Pod to do some task or other. Kubernetes' Cronjobs are really just creating a "Job" each minute from a template. Jobs in general provide a reasonable way to run one-off artisan tasks also.

At present, we use a barebones script to simplify this process - running it creates a fresh new Job (from the template as the Cronjob, as it happens), and sets the internal artisan arguments to whichever command line flags we pass.

In [None]:
cd ~/buckram/kubernetes
./artisan.sh route:list


You will get a few Errors as it starts up (ending "ContainerCreating"), but it should follow the Pod's logs once the Pod has started. Note that this approach is non-interactive (in fact, asynchronous).

In [None]:
kubectl get jobs

Above you should see a range of Jobs that have been run, including your manual one as "laravel-job" and a timestamp.

### Managing Environments

As in any other setting, you will want to have more than one app platform running at once: usually for development, staging and production; or perhaps blue/green deployments.

Gitlab provide tools to help manage separate environments, along with Kubernetes - some of that is quite tied to Google Kubernetes Engine, but some is platform agnostic.

Taking a separate Helm `values.yaml` file may be sufficient to give, e.g. a dev and staging cluster. You may be happy enough to have these both on the same Kubernetes cluster, treating it as an infrastructure provider, as long as they are namespaced.

Kubernetes does provide namespacing - the divisions are being hardened at each version, and it is possible to apply resource usage policies, user role policies and network segmentation.

In [None]:
kubectl get pods -n kube-system

You can see here that there are a number of Pods doing more fundamental things than nginx - providing internal DNS, managing Helm's requests, handling Kubernetes API calls, running controller loops. These are all in the `kube-system` namespace by default.

### Exercise

Explore everything in your own namespace - what does it all do?

In [None]:
kubectl get all

# Contexts

Kubectl works on a concept of users, contexts and clusters. You might not have spotted yet, but Kubernetes does not have a concept of user accounts, per se. It does have a concept of authentication, which can be by certificates, tokens, OpenID Connect, for example, and authorization Roles, which are bound to a username matching a RoleBinding rule when it successfully authenticates. However, no separate "User" object exists.

Contexts allow you to specify a user, a namespace and a cluster to work with by default. Switching contexts allows you to easily manage multiple clusters and namespaces.

In [None]:
kubectl config get-contexts

In the `~/buckram/docs` folder is a script, `update_cluster_to_ci_build_ref.sh`, to update one context from another - this can be very handy for manual promotion, where you want to have specific controls in place to control access to the update workflow.

## Ingresses

Ingresses allow you to add rules for redirecting traffic on a domain to a certain service. `kubectl` has a handy describe mode (with most objects) - for the Jupyterhub ingress, for example, it looks like

```
$ kubectl get ingress --namespace jupyterhub jupyterhub-internal
Name:             jupyterhub-internal
Namespace:        jupyterhub
Address:          35.239.24.66
Default backend:  default-http-backend:80 (10.8.0.4:8080)
TLS:
  kubelego-tls-proxy-jupyterhub terminates scotphp.flaxandteal.co.uk
Rules:
  Host                       Path  Backends
  ----                       ----  --------
  scotphp.flaxandteal.co.uk  
                             /   proxy-http:8000 (<none>)
Annotations:
Events:
  Type    Reason  Age   From                      Message
  ----    ------  ----  ----                      -------
  Normal  CREATE  57m   nginx-ingress-controller  Ingress jupyterhub/jupyterhub-internal
  Normal  UPDATE  56m   nginx-ingress-controller  Ingress jupyterhub/jupyterhub-internal
```

The corresponding YAML looks something like:

```
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: jupyterhub-internal
  namespace: jupyterhub
spec:
  rules:
  - host: scotphp.flaxandteal.co.uk
    http:
      paths:
      - backend:
          serviceName: proxy-http
          servicePort: 8000
        path: /
  tls:
  - hosts:
    - scotphp.flaxandteal.co.uk
    secretName: TLSSECRET
```

In particular, you will notice that there is a Kubernetes Secret required. This represents the SSL certificate. One option to manage these, which is an evolution of `kube-lego` amongst other tools is `cert-manager` - it can be installed as a Helm chart and will watch for Ingresses to work out which certificates to request (and from where). For more information, see [http://docs.cert-manager.io/en/latest/](http://docs.cert-manager.io/en/latest/)

(note for minikube users: if using this with minikube, you will need to run `minikube addons enable ingress` on the host. When an ingress is created, you should also add a rule to `/etc/hosts` to direct traffic for that domain to the output of `minikube ip`)

## Health, Logging and Scaling

* Monitoring

There are a number of monitoring solutions available. CoreOS, one of the driver organizations behind containerization, have provided a [Kubernetes Operator for Prometheus](https://github.com/coreos/prometheus-operator) - Operators are a relative recent, powerful tool for making Kubernetes more extensible, and allowing automated control loops, for example, to take care of dynamically-defined types of object.

Installing this operator, which can be done with `helm`, adds in several new types of Kubernetes object: PrometheusRule and AlertingRule being two examples. The operator can then keep a cluster-hosted Prometheus server dynamically changing its configuration as those are defined.

An additional Helm chart, [kube-prometheus](https://github.com/coreos/prometheus-operator/tree/master/helm/kube-prometheus) builds on this to provide live feeds of Pod, Service, Node resource usage, and alerting based off that. We have implemented a basic monitoring chart that adds support for Laravel failed job and exception tracking and alerts. While some of this can be done through the framework, this ensures that metrics and alerting can be managed centrally, and that individual, scaled out web-serving or queue processes are not responsible for contacting external APIs - rather they feed it back internally to be grouped, rate-managed, etc. in a standard way with the rest of the infrastructure.

* Log aggregation (fluentbit, fluentd)

As part of the deployment, we create fluent-bit DaemonSets - these are essentially Deployments that run one Pod on each Node (VM). Gathering logs is a perfect application for them. Fluent-bit is a reimplementation in C of a lot of Fluentd's functionality. Fluent-bit can gather logs from the containers' stdout/stderr and send these to Fluentd, or to a number of other aggregators, such as Elasticsearch.

In [None]:
kubectl get pods

In [None]:
helm list

In [None]:
kubectl logs $(kubectl get pods --selector=app=buckram-fluentd -o=name)

* Autoscaling

It is possible to scale the number of deployed Pods automatically, using a HorizontalPodAutoscaler object, which responds to [predefined or custom metrics](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/). This is simplest to set up for CPU requests, but can work off, for example, [Prometheus metrics](https://github.com/directxman12/k8s-prometheus-adapter).

On the other hand, [Cluster Autoscaling](https://github.com/kubernetes/autoscaler) (where the number of Nodes changes) is cloud provider dependent. This is well-established especially for GKE, but also available for other Kubernetes providers.

# Minikube

(time permitting)

```
minikube start
[wait]
kubectl get nodes
```

This will show you one node - the VM that is running Kubernetes, and all that is on it. In normal usage, you would have a larger set of nodes - many setups will have a pool of nodes for masters, usually high in CPU resources, and a pool of nodes, perhaps smaller and more plentiful for granular horizontal scaling.

You can see the VM itself, once it has settled down, by running `minikube ssh`. Even more, you can see where Kubernetes rubber hits the road - if you run `docker ps`, you will see all the containers that make up Kubernetes and its apps.

### Exercise

Run an nginx deployment on minikube - check the output of `minikube ip` to see where it will be visible.

When you are finished, you can stop minikube with `minikube stop`, or delete it with `minikube delete`

# Docker-Compose

If you have `docker-compose` installed, clone down the https://gitlab.com/flaxandteal/buckram-demo-with-sample-docker Gitlab repository locally (your fork if you have it).

```
docker run -v $(pwd):/app composer install # or any other means of running composer, if you have it locally
cp .env.example .env
chmod -R ugo+rwX storage/logs bootstrap/cache   
./dartisan key:generate
./dartisan migrate
```

You should now be able to see a blank Laravel app at `localhost:8000` in your browser.

### Exercise

Run `make:auth` to scaffold login functionality. Can you get this running in Gitlab-CI and update it on the cluster here? In general, don't forget any migration and seeding that needs done on the live tool with `./artisan.sh`

### Exercise (includes some Python)

Start from a blank Laravel app. Run:
```
git init
git submodule add https://gitlab.com/flaxandteal/buckram-starter infrastructure
```

Install the Python script (if you are comfortable to do so) from ./infrastructure/python - this can be done with `pip3 install --user .` for instance and run `bookcloth local:initialize` in that directory. This should create a default docker-compose setup.

Push this to a new public Gitlab repo, and check it runs the CI. Update the images as above to run it in this cluster.

# Next steps

I hope you enjoyed this workshop and am looking forward to feedback!

* Follow-up course

# Notes

### Cloud Shell Setup

Local Development:
```
export PATH=~/.local/bin:$PATH
git clone https://gitlab.com/flaxandteal/buckram-demo-with-sample-docker
cd buckram-demo                                                                                                                                  
docker run -v $(pwd):/app composer install
git submodule init
git submodule update
(cd infrastructure; git pull origin master; git checkout master)
cp .env.example .env
./dartisan key:generate
./dartisan migrate
lynx localhost:8000
```

Helm Setup:
```
wget https://storage.googleapis.com/kubernetes-helm/helm-v2.11.0-linux-amd64.tar.gz 
tar -xzf helm-v2.11.0-linux-amd64.tar.gz
mv linux-amd64/helm ~/.local/bin
```