* setting up a generic Kubernetes system
* deploying Laravel onto it using Helm charts (versionable infrastructure description), with Postgres, Redis and workers
* employing a Gitlab repository for CI/CD for building container images
* managing per-deployment configuration and environment variables
* process health, logging and scaling
* using the artisan CLI tool for scheduled and one-off jobs on the cluster (as time permits)

In [None]:
cd ~/kubernetes-scotlandphp
./setup_account.sh
export USER=$GIT_COMMITTER

# Kubernetes Workshop

With Phil Weir
(the Belfast guy who is somewhere near this projector, hopefully)

* Structure of course
* Next steps

Initial set-up: _15min_ (-> 0:15)

### Why Kubernetes?

_10 min_ (-> 0:25)

* How is this relevant to PHP?
  * Scalable
  * Systematic
  * Within control

* Why Kubernetes over alternatives?
  * Other container orchestrators
    * Popularity and backing
    * Good balance of simplicity and complexity
  * IaaS/PaaS
    * Doesn't tie you to a single provider
    * Can be run off-cloud
    * Can be run on a dev machine
    * Abstracts and automates the provider-specific bits (mostly)
    * Separates out hardware from application infrastructure (containers vs 

* Brief (re)introduction to Docker
  * If you aren't already familiar with it, you can think of a docker _container_ as a VM that shares a kernel with the host
    * ...but don't as that loses key important differences
  * Recommended practice is to have one process per container
    * containers are very memory light compared to VMs, so this is much less wasteful than it may sound
    * this provides encapsulation and makes scaling easier
  * `docker-compose` is an _extremely_ handy tool that takes a short, app-specific _docker-compose.yml_ file as input and spins up a multi-container environment with all the expected dependencies and links
    * you can keep the `docker-compose.yml` file in the repo with your app
    * between docker and docker-compose, you can provide a rough alternative to VirtualBox and Vagrant developer flow (although those do not map directly)

### Setting up a system

_5 min_ (-> 0:30)

* Cloud
  * GKE: gcloud
  * AWS: EKS
  * Azure: AKS

* Manually (kubeadm / Kubernetes the Hard Way --->)
  * kops
  * kubeadm
  * [Kubernetes the Hard Way](https://github.com/kelseyhightower/kubernetes-the-hard-way)
  * For more information, see https://kubernetes.io/docs/setup/scratch/

* Minikube

_15 min_ (-> 0:45)

[GETTING STARTED - kubectl, minikube, git, docker-compose and docker]

In [None]:
git version

In [None]:
kubectl version

To begin with, I will talk a little bit about basic Kubernetes tools and concepts, then we can start building up practical steps...

The language of Kubernetes communication is JSON, under the hood, but generally the tooling lets you talk to it in YAML, which is actually a (much more readable) superset. Instead of

```json
{
    "apiVersion": "v1",
    "type": "Pod",
    "metadata": {
        "name": "hi-pod"
    }
    ...
}
```

we can write

```yaml
apiVersion: v1
type: Pod
metadata:
    name: "hi-pod"
```

We can build up all our Kubernetes objects on the cluster by sending declarative YAML files.

# Step 1: Just nginx

The easiest way to interact with a Kubernetes cluster is the `kubectl` tool. It's preinstalled here, but you can download it yourself locally. The configuration files are called `kubeconfig` files, and the default one lives at `~/.kube/config` on Mac/*nix.

In [None]:
kubectl run mynginx --image=nginx

This `run` command is not so common day-to-day, but is an opinionated shortcut, bundling a couple of more common steps, to get a Docker image running on a cluster as a standalone application or "deployment".

A _deployment_ is essentially a single application (perhaps running many times). It is normally one or more replicas of a specific process (in this case nginx), maybe with some helper process or some start-up/shutdown actions.

In [None]:
kubectl get deployments

We can run two identical instances of nginx, by scaling it

In [None]:
kubectl scale deployment mynginx --replicas=2
kubectl get deployments

However, for us to interact with nginx we have to encounter another concept: _services_ . Traditionally in the PHP ecosystem, we often think of a process and the service it provides as essentially equivalent - however, modern orchestration tools help decouple the idea of an advertised service (_services_) and the processes backing them up (_deployments_).

This means that we can link up different tools with them only knowing each others' services - Kubernetes will route requests through to the deployed processes behind the scenes, with simple load balancing. For example, there could be 100 nginx processes spread over a dozen VMs and any internal or external request just asks for the nginx service and magically gets a reply.

We still need to create a service though... as with `run` for deployments, there is a command to bundle a couple of steps: `expose`

In [None]:
kubectl expose deployment mynginx --port=80
kubectl get services

There are certain service types that involve Kubernetes creating and attaching an external load balancer on the cloud platform - so, for instance, you can tell an AWS-based Kubernetes cluster that you want an external load balancer to point to nginx, and it will tell AWS to fire one up and show the `EXTERNAL IP` in this list, without you having to plumb it in. Your nginx processes will then be available publicly (by default).

This is a short workshop to cover a lot of concepts, but lets take a brief break to check that works:

In [None]:
IP=$(kubectl get service mynginx --output=jsonpath="{.spec.clusterIP}")
curl http://$IP

[In another notebook](/user/philtweir/notebooks/kubernetes-scotlandphp/visual-notebook.ipynb), there is a bit of Python for showing a snippet view of the rendered page. We will use this further later also, so do open it in a new tab and check it works.

To keep things simple and consistent, we will use private IPs - so we can't navigate to the public URL in a browser, and instead show the output in a notebook - but the jump to public on a cloud provider is also pretty straightforward.

One final bit of machinery we should see before we move on:

In [None]:
kubectl get pods

_Pods_ are the individual processes running on a machine somewhere. Each of those is an nginx process. They are the basic unit of Kubernetes execution - here, two Pods were created as part of our Deployment (remember, we scaled it to 2 processes)

Strictly, pods _can_ be more than one process. They are usually, but not always one Docker container (which is _generally_ one OS process) - however, in some cases a "sidecar" container is useful. For instance, a postgres metric-exporter process running alongside the postgres database process, that sends resource usage stats. You see the `1/1` appearing under `READY` above - this means that all 1 of the 1 containers in the Pod are good to go.

In any case, conceptually, a Pod still represents one instance of one tool. They are created and destroyed as part of Deployments, Jobs, and many other Kubernetes objects.

Finally, we tidy up:

In [None]:
kubectl delete deployment mynginx
kubectl delete service mynginx

In [None]:
kubectl get deployment

In [None]:
kubectl get pods

All gone! (you might need to try a couple of times, while you wait for it to terminate) As the Deployment was deleted, the pods that made it up, went away too.

These are only a few of the Kubernetes concepts and objects, and the above is an intentionally hand-wavey introduction, to give you a feel for some key components. For the moment, we'll steer back to PHP.

### Local Development

_20 min_ (-> 1:05)

* docker-compose
  * like orchestration-lite
  * ties in closely with docker-swarm, but equally useful standalone
  * allows your process and connections to be described in one file
  * helps you manage variables, linking and persistance
  * great test-bed

* Buckram
  * an evolving set of git-based configuration templates
  * one of many options, helping to go from source repo to dockerized, deployable app

[Go through key points]

# Step 2: Bare LAMP

_25 min_ (-> 1:30)

* Setting up Helm
  * Helm describes itself as a Kubernetes package manager
  * What this means is that a whole set of interlinking components, secrets, services can be described under one banner and jointly deployed as a "Chart"
  * This could be a full app, or a self-backing-up database, or monitoring service

When setting Helm up on a new cluster, you should run `helm init`

In [None]:
export TILLER_NAMESPACE=$GIT_COMMITTER_NAME
helm init --service-account jupyter-user

This sets up a daemon on the cluster, called `tiller` (you can sea the theme...), which manages the actual deployment. The local `helm` binary mostly communicates with this daemon.

Helm can tell us what charts are installed already:

In [None]:
helm list

(you may need to re-run periodically until it no longer says "could not find a ready tiller pod")

The expected output is blank - this is because we haven't installed any charts (i.e. packages) so far.

Without getting too much into all the `helm` functionality, let's start by seeing how we can deploy an nginx server to our Kubernetes cluster. Helm uses Kubernetes libraries under the hood, so your default authentication configuration (from ~/.kube/config) will get used.

In [None]:
helm repo update
helm search php

In [None]:
helm install stable/lamp --name mylamp

You can see from the lines starting with `==>` that a whole series of objects have been created, including a Deployment and a Service. As we learned above, a Deployment will create one or more Pods - you can see the Pod starts with the same name and is marked "related".

In [None]:
kubectl get services
kubectl get pods

(the above may need re-run a few times until it stops showing "Init:0/2")

In [None]:
IP=$(kubectl get service mylamp-lamp --output=jsonpath="{.spec.clusterIP}")
curl http://$IP

Well, this does makes sense - our LAMP server has no particular PHP app set up on it, so there's nothing to serve - rather than giving a meaningless default page when the app is missing, it gives access denied.

In this case, the contributors of the `stable/lamp` Chart expect us to provide custom configuration when deploying, for instance, for a Wordpress or custom app deployment. There's no reason we _have_ to use this chart to do that (there's also a separate Wordpress chart above, for instance). We will show a more complete app, while we explore more of helm.

In [None]:
helm delete --purge mylamp

* Concepts of charts and Docker images

So what actually _is_ a Chart?

It is a filetree of, mostly, template [YAML](https://en.wikipedia.org/wiki/YAML) files. Each of these defines a Kubernetes object, such as a Deployment, Service or Secret. This way you can have all the boilerplate in a single git-versioned Chart, dynamically dropping in per-deployment settings using a handful of templated variables at deployment time - such the public URL for nginx, or the back-up retention period for postgres.

In [None]:
rm -rf ~/helm-charts
git clone https://github.com/helm/charts ~/helm-charts

In [None]:
cd ~/helm-charts/stable
ls

There are various chart repositories available (check out bitnami's as well the helm ones), but this is the git repo used to build the default stable repository. You can see the variety of charts currently there. Lets look inside the `lamp` one.

In [None]:
cd ~/helm-charts/stable/lamp
find .

The `./templates` directory is the set of templated YAML files that are used to build the core LAMP setup. To highlight a couple: deployment.yaml set up an Apache server as a Deployment, pvc.yaml requests persistent storage (for the DB to use, called a PersistentVolumeClaim), configmap-init.yaml sets up a config file mounted into the server.

In [None]:
cd ~/helm-charts/stable/lamp
helm install . --values ./examples/wordpress.yaml --name mywordpress

We just added some custom values in from `./examples/wordpress.yaml` to drop into the LAMP template. We could take a copy of this, fill in our own values and use it as a short per-deployment customization file.

In [None]:
cat ~/helm-charts/stable/lamp/examples/wordpress.yaml

In [None]:
kubectl get services

In [None]:
echo "Internal: " $(kubectl get service mywordpress-lamp --output=jsonpath="{.spec.clusterIP}")
echo "External: http://$(kubectl get service mywordpress-lamp --output=jsonpath="{.status.loadBalancer.ingress[0].ip}")"

(re-run the above until an external IP address appears - may take a few moments)

In [None]:
helm delete --purge mywordpress

* Theory of PHP on K8s

A simple app deployed on Kubernetes may look like the following:

[DIAGRAM of SIMPLE APP]

In the PHP case, there are a few caveats...

[DIAGRAM of a PHP APP]

We need the second nginx container to provide HTTP access to PHP-FPM.

# Step 3: Example Laravel App

In [None]:
rm -rf ~/buckram; cd ~
git clone https://gitlab.com/flaxandteal/buckram-starter ~/buckram

In [None]:
cd ~/buckram/kubernetes
ls

Here we have a few tools for Kubernetes, in particular an example file for setting deployment-specific values.

In [None]:
cd ~/buckram/kubernetes
cat values.yaml.example

As a quickstart, there is a basic Python tool in the `buckram` repository to autogenerate some values for these (`bookcloth`) - a sample output of this is in `dummy-values.yaml`. We will use this to demonstrate.

We go into the the Buckram Helm chart itself...

In [None]:
cd ~/buckram/kubernetes/buckram
helm dependencies update
helm install . --name=buckram --values=../dummy-values.yaml

In [None]:
cd ~/buckram/kubernetes
git status

As in every type of deployment, we need to have specific custom settings for our own deployment. This answers several questions:

In this approach:

* **Where is our app code stored?**: In the final built images. During continuous integration (or manual building, for smaller scale), pre-prepared base images have the code added in. The built images are then tagged for that code version and pushed to a Docker image registry that the Kubernetes cluster can access.
* **How do we keep our code secure?**: In this example, for simplicity we use the default base images, without custom app code - as such, they are pulled down from the public Docker Hub registry. However, there are private image registries within each cloud platform, e.g. AWS ECR, which Kubernetes can authenticate with to pull down images.
* **What about secrets?**: In this particular approach, we use Kubernetes Secrets, which is simple but only a minimum bar (although, the default implementation is improving). Better practice is to use something like the Kubernetes Vault Operator, but this takes more care to set up.

_None of these are hard and fast_. There are various approaches, with benefits and drawbacks.

In [None]:
kubectl get pods

Re-run the above until it quietens down and they all say "Running" or "Completed"^^^

In [None]:
IP=$(kubectl get service buckram-laravel-nginx --output=jsonpath="{.spec.clusterIP}")
curl http://$IP | head

([click here](/user/philtweir/notebooks/kubernetes-scotlandphp/visual-notebook.ipynb#Laravel) to get the rendered version)

* Work through the charts

Lets take a look at what just started up:

In [None]:
kubectl get pods

As above the list of pods is, roughly, the list of processes. There should be some familiar faces there: several PHP-FPM pods, nginx, PostgreSQL and redis.

Alongside them, you can see fluent-bit - it will forward logs from the processes to a single aggregated destination. Between this and redis (queueing, caching, sessions), the PHP-FPM pod does not need to have any state, easing scalability.

By telling PHP to send to stdout by default, we find that the logs from this Pod are indeed the PHP logs:

In [None]:
PHP_POD=$(kubectl get pods --selector=tier=middle -o=name)
kubectl logs $PHP_POD

This approach also simplified life for log aggregation, where logs can be gathered from the stdout/stderr of the various Pods.

### Gitlab CI

_20 min_ (-> 1:50)

* What is Gitlab CI?

Gitlab continuous integration (CI) provides us with an easy way to go from local development to built images. To follow along, you will need to have [your own Gitlab account or sign up](https://gitlab.com/users/sign_in), or can look through the [details of the pipeline](https://gitlab.com/flaxandteal/buckram-demo/pipelines) of the existing demo.

If you wish to use your own account, then you [should fork](https://gitlab.com/flaxandteal/buckram-demo/forks/new) a copy. You can clone it down here, or on your own machine/VM to make it easier to experiment. If you want to use your fork in this notebook, change the Gitlab URL below to your fork's.

In [None]:
cd ~
rm -rf buckram-demo
git clone https://gitlab.com/phil.weir/buckram-demo

This repository has only a couple of minor differences from the usual `composer create-project laravel` output, namely, running composer (after adding behat), a `.gitlab-ci.yml` file and a submodule containing the buckram content, which is in an `infrastructure` subfolder.

In [None]:
cd ~/buckram-demo
git submodule update --init

Note that our Buckram repository is not necessary for any of this, but is simply a way of bringing together common features, such as CI templates, Helm charts and config generation, which you could do independently. They are useful, accessible examples for a smallish context, but once familiar, you will find a number of features you will wish to add.

In [None]:
cd ~/buckram-demo
git diff $(git rev-list --max-parents=0 HEAD)..HEAD --summary

First off, we can take a look at the `.gitlab-ci.yml` file:

In [None]:
cat .gitlab-ci.yml

In this particular approach, for simplicity, both the nginx and PHP containers end up with the build code - a nicer tactic would be to have any static assets deployed separately, so that nginx only needs to proxy requests to PHP-FPM.

The first few sections are configuration, essentially preparing the environment. The following, `composer`, `build` and `release` steps are the sequence the CI will follow. The first runs composer (it does this inside the official composer Docker image), the second combines these with our pre-prepared base images. For more detail on the PHP-FPM setup used, have a look at `./infrastructure/containers/phpfpm` (while it starts from the official base it has, for instance, ext-redis added in).

In the Buckram repository, there is a template `gitlab-ci.yml` - while it isn't useful for our demo, you will see this has an additional `deploy-dev` section for deploying directly to a Kubernetes cluster. Over the last year or two, Gitlab's direct deployment integration for Kubernetes on Google has come on, so you may want to look at this option too. However, it may be illustrative:

In [None]:
grep -A 100 'deploy_dev:' ~/buckram/gitlab-ci/gitlab-ci.yml

Modern Kubernetes has Role Based Authorization Control (RBAC), so we can create a user with deployment credentials and Gitlab will ensure our CI user receives them. We use a Docker image with `kubectl` to run these commands. It would be possible do this via `curl` calls also, to the Kubernetes API. A particular benefit of Gitlab-CI is that it can be run internally, or even _on_ Kubernetes, while being usable as a free hosted service to experiment.

It is not the only option, however - Bitbucket now has a similar set-up. Jenkins, CircleCI and others can provide these types of pipeline also.

The rest of the CI steps show some of the Docker commands that could be run locally, if you wanted to get the hang of Docker in a manual way, building images and pushing them.

The test step lets us run `behat` and `phptest`, by default, when any branch is pushed. Gitlab will notify you of any errors, and can trigger a merge based on its outcome, for instance. Code coverage and linting could similarly be added here.

The magic of Gitlab-CI is that it will start working as soon as receives a commit with a valid `.gitlab-ci.yml` file in the root directory (note the first dot).

In [None]:
grep -C 5 ' Laravel' resources/views/welcome.blade.php

If you have taken a fork, then you can try the following (otherwise, keep an eye on my fork's [pipeline's page](https://gitlab.com/flaxandteal/buckram-demo/pipelines)):

https://gitlab.com/USERNAME/buckram-demo/blob/master/resources/views/welcome.blade.php

(change the USERNAME to your own). Edit the page (Edit button on upper right), perhaps changing the word Laravel on line 82 to something else. This is equivalent to making a manual change and pushing.

On the Pipelines page (under CI/CD on the left-hand menu), you will see the progress of the building through the stages. Gitlab uses its own container registry to manage the images back and forward, and some handy free CI runners. Running your own CI runner is easy, and generally much faster per run, not to mention allowing you to control the process. Another key benefit is that you can also cache composer downloads and Docker images between steps and runs - although many prefer to take the extra time to pull fresh from the package repository on each build anyway.

A note on frontend: if using little frontend code or a tightly-integrated frontend framework in the Laravel codebase, then this may be sufficient. Most of our work is with API-based backends and self-contained VueJS single-page applications. Our approach is to run the necessary CI steps on the frontend repository, producing a JS/CSS tarball that is released to S3, and trigger a new backend pipeline run from the final frontend step, to pull down and build a fresh final set of Docker images.

The following command manually updates the PHP-FPM image to point to the newly build Gitlab one (NB: only the web-serving one, not the queue worker or cronjob). You should swap the `phil.weir` and number at the end for your username and pipeline number, respectively.

_Make sure you don't confuse the pipeline and job numbers_, the pipeline number will be shown on the Pipelines page, usually starting with a hash.

In [None]:
kubectl set image deployment/buckram-laravel-phpfpm laravel-phpfpm=registry.gitlab.com/phil.weir/buckram-demo:phpfpm-31946481

In [None]:
kubectl get pods --selector=app=buckram-laravel-phpfpm

When the above command shows "Status: running", then try the Laravel call in the [other notebook](/user/philtweir/notebooks/kubernetes-scotlandphp/visual-notebook.ipynb#Laravel) again - you should see the altered welcome page from your newly built image!

Finally, we will see how to make changes to a Helm chart. Have a look at the nginx service template:

In [None]:
cat ~/buckram/kubernetes/buckram/subcharts/laravel-nginx/templates/service.yaml

There is a templated value, called `.Values.service.type` - as this is within the `laravel-nginx` subchart, we can refresh the Buckram Helm chart like so, and override its default value:

In [None]:
cd ~/buckram/kubernetes/buckram
helm upgrade buckram . --values=../dummy-values.yaml --set="laravel-nginx.service.type=LoadBalancer"

You might need to run the below code a few times, until the Load Balancer is no longer pending.

In [None]:
kubectl get services

In [None]:
echo "Internal: " $(kubectl get service buckram-laravel-nginx --output=jsonpath="{.spec.clusterIP}")
echo "External: http://$(kubectl get service buckram-laravel-nginx --output=jsonpath="{.status.loadBalancer.ingress[0].ip}")"

This change could have been made in `values.yaml` file as well or, more sensibly, if you are forking your own Buckram Helm chart app structure, within the (git versioned) chart defaults themselves.

### Debugging

Kubernetes debugging, as a system that has many levels, is a bigger topic than an introduction. However, to help you see where to start - try the following:

In [None]:
kubectl set image deployment/buckram-laravel-phpfpm laravel-phpfpm=nonexistant/image

You will notice that, having set it to run from a non-existant Docker image, the Laravel server no longer exists...

In [None]:
kubectl get pods

Trying the endpoint above will now likely timeout. To find out more, we can use the `kubectl describe` command:

In [None]:
kubectl describe pods --selector=app=buckram-laravel-phpfpm,tier=middle

Under the events section (near the end), you will see a whole set of recurring errors and their frequencies. These are being sent by the `kubelet` daemon, which manages the running of actual containers on VMs (nodes) - it has noticed that it cannot pull the node.

This can happen quite a bit if you have, for example, private container registry credentials that are expiring too fast, are missing or are incorrect. If you want to find out more about private registry credentials, have a look at the `imagePullSecrets` setting for Pods/Deployments.

### Rollout

Kubernetes provides some useful tools for managing roll-out. For instance:

In [None]:
kubectl rollout history deployments

Here you can see how many revisions have been made to your deployments - you should see 3, one for each of fluentd, nginx and phpfpm-worker, all with 1 revision, and a fourth for phpfpm, with an additional revision (assuming you correctly deleted the earlier experiments!). This additional revision represents the action of changing the Docker image used, above.

You can roll back deployments, you can require a certain minimum number of live pods at any time during the rolling update, or even decide where new Pods are scheduled on the underlying VMs/systems (termed Nodes). Kubernetes has concepts of liveness and readiness probes, so for some types of deployment, it can spot when Pods are functional or not. In addition, this allows it to undertake one of the most fundamental aspects of orchestration, replacing Pods when they become unresponsive or die.

### Artisan and Jobs
(moved from end?)

_20 min_ (-> 2:10)

We will address a few of the key features of Laravel, and PHP frameworks in general, here.

* Worker process & Redis

It's already been pointed out that there is an artisan Pod running - phpfpm-worker. For those unfamiliar, `artisan` is Laravel's command-line tool, providing console control for one-off tasks, but also entrypoints for worker processes and the task scheduler.

In normal usage, getting an artisan queue worker process running involves:

    php artisan queue:work

You may wish to use this to, for instance, submit emails to a sending service or call batch services.

In this context, it becomes part of the `development-artisan.yaml` Chart file (see the arrays around line 25):

In [None]:
cat ~/buckram/kubernetes/buckram/subcharts/laravel-phpfpm/templates/deployment-artisan.yaml | nl

You can contrast the in situ version, by pulling down the definition of the live pod, created from this template.

In [None]:
WORKER_POD=$(kubectl get pods --selector=tier=backend -o=name)
kubectl get $WORKER_POD -o=yaml

As running Redis in the cluster is an easy starting point, we use it to handle the queues (Laravel has Redis as an in-built option):

In [None]:
kubectl logs $(kubectl get pods --selector=app=buckram-redis -o=name)

### One-off Jobs

* Cronjobs

To make scheduled tasks work, we use the Kubernetes concept of Cronjobs.

In [None]:
kubectl get cronjobs

You will see this uses a similar format to traditional cron schedules. As with the normal Laravel approach, we set this to run an artisan job every minute (`php artisan schedule:run`), and Laravel's scheduler will decide whether any of the PHP-defined tasks are due to get kicked off.

This is quite configurable - we can say how many completed Pods we want to keep, for diagnostics, and how many failed ones, how long we give them to start up, and how many attempts each will get.

* Running artisan

This is part of a broader concept of Jobs. These are requests to schedule a one-off Pod to do some task or other. Kubernetes' Cronjobs are really just creating a "Job" each minute from a template. Jobs in general provide a reasonable way to run one-off artisan tasks also.

At present, we use a barebones script to simplify this process - running it creates a fresh new Job (from the template as the Cronjob, as it happens), and sets the internal artisan arguments to whichever command line flags we pass.

In [None]:
cd ~/buckram/kubernetes
./artisan.sh route:list


You will get a few Errors as it starts up (ending "ContainerCreating"), but it should follow the Pod's logs once the Pod has started. Note that this approach is non-interactive (in fact, asynchronous).

In [None]:
kubectl get jobs

Above you should see a range of Jobs that have been run, including your manual one as "laravel-job" and a timestamp.

### Managing Environments

_20 min_ (-> 2:30)

As in any other setting, you will want to have more than one app platform running at once: usually for development, staging and production; or perhaps blue/green deployments.

Gitlab provide tools to help manage separate environments, along with Kubernetes - some of that is quite tied to Google Kubernetes Engine, but some is platform agnostic.

Taking a separate Helm `values.yaml` file may be sufficient to give, e.g. a dev and staging cluster. You may be happy enough to have these both on the same Kubernetes cluster, treating it as an infrastructure provider, as long as they are namespaced.

Kubernetes does provide namespacing - the divisions are being hardened at each version, and it is possible to apply resource usage policies, user role policies and network segmentation.

In [None]:
kubectl get pods -n kube-system

You can see here that there are a number of Pods doing more fundamental things than nginx - providing internal DNS, managing Helm's requests, handling Kubernetes API calls, running controller loops. These are all in the `kube-system` namespace by default.

### Exercise

Explore everything in your own namespace - what does it all do?

In [None]:
kubectl get all

# Contexts

Kubectl works on a concept of users, contexts and clusters. You might not have spotted yet, but Kubernetes does not have a concept of user accounts, per se. It does have a concept of authentication, which can be by certificates, tokens, OpenID Connect, for example, and authorization Roles, which are bound to a username matching a RoleBinding rule when it successfully authenticates. However, no separate "User" object exists.

Contexts allow you to specify a user, a namespace and a cluster to work with by default. Switching contexts allows you to easily manage multiple clusters and namespaces.

In [None]:
kubectl config get-contexts

In the `~/buckram/docs` folder is a script, `update_cluster_to_ci_build_ref.sh`, to update one context from another - this can be very handy for manual promotion, where you want to have specific controls in place to control access to the update workflow.

## Ingresses

Ingresses allow you to add rules for redirecting traffic on a domain to a certain service. `kubectl` has a handy describe mode (with most objects) - for the Jupyterhub ingress, for example, it looks like

```
$ kubectl get ingress --namespace jupyterhub jupyterhub-internal
Name:             jupyterhub-internal
Namespace:        jupyterhub
Address:          35.239.24.66
Default backend:  default-http-backend:80 (10.8.0.4:8080)
TLS:
  kubelego-tls-proxy-jupyterhub terminates scotphp.flaxandteal.co.uk
Rules:
  Host                       Path  Backends
  ----                       ----  --------
  scotphp.flaxandteal.co.uk  
                             /   proxy-http:8000 (<none>)
Annotations:
Events:
  Type    Reason  Age   From                      Message
  ----    ------  ----  ----                      -------
  Normal  CREATE  57m   nginx-ingress-controller  Ingress jupyterhub/jupyterhub-internal
  Normal  UPDATE  56m   nginx-ingress-controller  Ingress jupyterhub/jupyterhub-internal
```

The corresponding YAML looks something like:

```
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: jupyterhub-internal
  namespace: jupyterhub
spec:
  rules:
  - host: scotphp.flaxandteal.co.uk
    http:
      paths:
      - backend:
          serviceName: proxy-http
          servicePort: 8000
        path: /
  tls:
  - hosts:
    - scotphp.flaxandteal.co.uk
    secretName: TLSSECRET
```

In particular, you will notice that there is a Kubernetes Secret required. This represents the SSL certificate. One option to manage these, which is an evolution of `kube-lego` amongst other tools is `cert-manager` - it can be installed as a Helm chart and will watch for Ingresses to work out which certificates to request (and from where). For more information, see [http://docs.cert-manager.io/en/latest/](http://docs.cert-manager.io/en/latest/)

(note for minikube users: if using this with minikube, you will need to run `minikube addons enable ingress` on the host. When an ingress is created, you should also add a rule to `/etc/hosts` to direct traffic for that domain to the output of `minikube ip`)

## Health, Logging and Scaling

_30 min_ (-> 3:00)

* Monitoring

There are a number of monitoring solutions available. CoreOS, one of the driver organizations behind containerization, have provided a [Kubernetes Operator for Prometheus](https://github.com/coreos/prometheus-operator) - Operators are a relative recent, powerful tool for making Kubernetes more extensible, and allowing automated control loops, for example, to take care of dynamically-defined types of object.

Installing this operator, which can be done with `helm`, adds in several new types of Kubernetes object: PrometheusRule and AlertingRule being two examples. The operator can then keep a cluster-hosted Prometheus server dynamically changing its configuration as those are defined.

An additional Helm chart, [kube-prometheus](https://github.com/coreos/prometheus-operator/tree/master/helm/kube-prometheus) builds on this to provide live feeds of Pod, Service, Node resource usage, and alerting based off that. We have implemented a basic monitoring chart that adds support for Laravel failed job and exception tracking and alerts. While some of this can be done through the framework, this ensures that metrics and alerting can be managed centrally, and that individual, scaled out web-serving or queue processes are not responsible for contacting external APIs - rather they feed it back internally to be grouped, rate-managed, etc. in a standard way with the rest of the infrastructure.

* Log aggregation (fluentbit, fluentd)

As part of the deployment, we create fluent-bit DaemonSets - these are essentially Deployments that run one Pod on each Node (VM). Gathering logs is a perfect application for them. Fluent-bit is a reimplementation in C of a lot of Fluentd's functionality. Fluent-bit can gather logs from the containers' stdout/stderr and send these to Fluentd, or to a number of other aggregators, such as Elasticsearch.

In [None]:
kubectl get pods

In [None]:
helm list

In [None]:
kubectl logs $(kubectl get pods --selector=app=buckram-fluentd -o=name)

* Autoscaling

It is possible to scale the number of deployed Pods automatically, using a HorizontalPodAutoscaler object, which responds to [predefined or custom metrics](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/). This is simplest to set up for CPU requests, but can work off, for example, [Prometheus metrics](https://github.com/directxman12/k8s-prometheus-adapter).

On the other hand, [Cluster Autoscaling](https://github.com/kubernetes/autoscaler) (where the number of Nodes changes) is cloud provider dependent. This is well-established especially for GKE, but also available for other Kubernetes providers.

# Minikube

(time permitting)

```
minikube start
[wait]
kubectl get nodes
```

This will show you one node - the VM that is running Kubernetes, and all that is on it. In normal usage, you would have a larger set of nodes - many setups will have a pool of nodes for masters, usually high in CPU resources, and a pool of nodes, perhaps smaller and more plentiful for granular horizontal scaling.

You can see the VM itself, once it has settled down, by running `minikube ssh`. Even more, you can see where Kubernetes rubber hits the road - if you run `docker ps`, you will see all the containers that make up Kubernetes and its apps.

### Exercise

Run an nginx deployment on minikube - check the output of `minikube ip` to see where it will be visible.

When you are finished, you can stop minikube with `minikube stop`, or delete it with `minikube delete`

# Docker-Compose

If you have `docker-compose` installed, clone down the https://gitlab.com/flaxandteal/buckram-demo-with-sample-docker Gitlab repository locally (your fork if you have it).

```
docker run -v $(pwd):/app composer install # or any other means of running composer, if you have it locally
cp .env.example .env
chmod -R ugo+rwX storage/logs bootstrap/cache   
./dartisan key:generate
./dartisan migrate
```

You should now be able to see a blank Laravel app at `localhost:8000` in your browser.

### Exercise

Run `make:auth` to scaffold login functionality. Can you get this running in Gitlab-CI and update it on the cluster here? In general, don't forget any migration and seeding that needs done on the live tool with `./artisan.sh`

### Exercise (includes some Python)

Start from a blank Laravel app. Run:
```
git init
git submodule add https://gitlab.com/flaxandteal/buckram-starter infrastructure
```

Install the Python script (if you are comfortable to do so) from ./infrastructure/python - this can be done with `pip3 install --user .` for instance and run `bookcloth local:initialize` in that directory. This should create a default docker-compose setup.

Push this to a new public Gitlab repo, and check it runs the CI. Update the images as above to run it in this cluster.

# Next steps

I hope you enjoyed this workshop and am looking forward to feedback!

* Follow-up course

# Notes

### Cloud Shell Setup

Local Development:
```
export PATH=~/.local/bin:$PATH
git clone https://gitlab.com/flaxandteal/buckram-demo-with-sample-docker
cd buckram-demo                                                                                                                                  
docker run -v $(pwd):/app composer install
git submodule init
git submodule update
(cd infrastructure; git pull origin master; git checkout master)
cp .env.example .env
./dartisan key:generate
./dartisan migrate
lynx localhost:8000
```

Helm Setup:
```
wget https://storage.googleapis.com/kubernetes-helm/helm-v2.11.0-linux-amd64.tar.gz 
tar -xzf helm-v2.11.0-linux-amd64.tar.gz
mv linux-amd64/helm ~/.local/bin
```