* setting up a generic Kubernetes system
* deploying Laravel onto it using Helm charts (versionable infrastructure description), with Postgres, Redis and workers
* employing a Gitlab repository for CI/CD for building container images
* managing per-deployment configuration and environment variables
* process health, logging and scaling
* using the artisan CLI tool for scheduled and one-off jobs on the cluster (as time permits)

In [3]:
cd ~/kubernetes-scotlandphp
./setup_account.sh
export USER=$GIT_COMMITTER
export TILLER_NAMESPACE=$GIT_COMMITTER_NAME

eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJzY290bGFuZHBocC1tMjNvbCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJqdXB5dGVyLXVzZXItdG9rZW4tbGt3aDIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoianVweXRlci11c2VyIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiODZmNDAwYjktYzg2OC0xMWU4LTliMzgtNDIwMTBhODQwMDRjIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OnNjb3RsYW5kcGhwLW0yM29sOmp1cHl0ZXItdXNlciJ9.WwnwVVdpRyY_4dlz4lxazPKIH7F_4gbTfvsRgS7B8-5k22K3Symyaj8u4di9ttTJhso8dvNIsYf-2z19KHgXMiuyL1Ey55ZQN45MVJDToSI8HEySg6CdlAExRgZo7pDPZ_mnWg5UdXoaDNMsO7dx19hKv9OVEMFbCbf50WqgJ9TiHyCqjRbmwPzWmXTydgGKfNBFuEaKx3cmPMZuE7a2UScTeXJIHidRjGZJNdhfnUWw6UNyoh8ahokTXZKhHoQ1gmmNvkLbekmWoVTEd5fP3b6o_tpwTm3UWMTtgd93p4Dvp_3A7TBcVFWJGvLdcWF1QkgzDXMwrPzGtp-l6vQ-BA


# Kubernetes Workshop

With Phil Weir
(the Belfast guy who is somewhere near this projector, hopefully)

* Structure of course
* Next steps

### Basic notebook instructions

* Use Shift+Enter or Ctrl+Enter to execute a "cell" (each one of these rows)
* Those with [ ] in the left gutter are executable - the others are informational
* Up/Down arrows keys are the easiest way to navigate the notebook
* If you select a cell (click to the left, outside the text area), the 'b' key will give you a new executable box below
* If you accidentally edit an informational cell - it will switch to markdown - Ctrl+Enter will exit edit-mode
* If a step hangs, with a [ * ] on the left, you may need to click the recycle button in the toolbar (if you have any other issues afterwards, re-run the cell at the top, to set environment variables)

### Why Kubernetes?

* How is this relevant to PHP?
  * Scalable
  * Systematic
  * Within control

* Why Kubernetes over alternatives?
  * Other container orchestrators
    * Popularity and backing
    * Good balance of simplicity and complexity
  * IaaS/PaaS
    * Doesn't tie you to a single provider
    * Can be run off-cloud
    * Can be run on a dev machine
    * Abstracts and automates the provider-specific bits (mostly)
    * Separates out hardware from application infrastructure (containers vs 

* Brief (re)introduction to Docker
  * If you aren't already familiar with it, you can think of a docker _container_ as a VM that shares a kernel with the host
    * ...but don't as that loses key important differences
  * Recommended practice is to have one process per container
    * containers are very memory light compared to VMs, so this is much less wasteful than it may sound
    * this provides encapsulation and makes scaling easier
  * `docker-compose` is an _extremely_ handy tool that takes a short, app-specific _docker-compose.yml_ file as input and spins up a multi-container environment with all the expected dependencies and links
    * you can keep the `docker-compose.yml` file in the repo with your app
    * between docker and docker-compose, you can provide a rough alternative to VirtualBox and Vagrant developer flow (although those do not map directly)

### Setting up a system

* Cloud
  * GKE: gcloud
  * AWS: EKS
  * Azure: AKS

* Manually (kubeadm / Kubernetes the Hard Way --->)
  * kops
  * kubeadm
  * [Kubernetes the Hard Way](https://github.com/kelseyhightower/kubernetes-the-hard-way)
  * For more information, see https://kubernetes.io/docs/setup/scratch/

* Minikube

### Sanity checks

In [2]:
git version

git version 2.17.1


In [3]:
kubectl version

Client Version: version.Info{Major:"1", Minor:"11", GitVersion:"v1.11.2", GitCommit:"bb9ffb1654d4a729bb4cec18ff088eacc153c239", GitTreeState:"clean", BuildDate:"2018-08-07T23:17:28Z", GoVersion:"go1.10.3", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"10+", GitVersion:"v1.10.7-gke.2", GitCommit:"8d9503f982872112eb283f78cefc6944af640427", GitTreeState:"clean", BuildDate:"2018-09-13T22:19:55Z", GoVersion:"go1.9.3b4", Compiler:"gc", Platform:"linux/amd64"}


To begin with, I will talk a little bit about basic Kubernetes tools and concepts, then we can start building up practical steps...

The language of Kubernetes communication is JSON, under the hood, but generally the tooling lets you talk to it in YAML, which is actually a (much more readable) superset. Instead of

```json
{
    "apiVersion": "v1",
    "type": "Pod",
    "metadata": {
        "name": "hi-pod"
    }
    ...
}
```

we can write

```yaml
apiVersion: v1
type: Pod
metadata:
    name: "hi-pod"
```

We can build up all our Kubernetes objects on the cluster by sending declarative YAML files.

# Step 1: Just nginx

The easiest way to interact with a Kubernetes cluster is the `kubectl` tool. It's preinstalled here, but you can download it yourself locally. The configuration files are called `kubeconfig` files, and the default one lives at `~/.kube/config` on Mac/*nix.

In [4]:
kubectl run mynginx --image=nginx --limits='cpu=200m,memory=512Mi' --requests='cpu=100m,memory=128Mi'

deployment.apps/mynginx created


This `run` command is not so common day-to-day, but is an opinionated shortcut, bundling a couple of more common steps, to get a Docker image running on a cluster as a standalone application or "deployment".

A _deployment_ is essentially a single application (perhaps running many times). It is normally one or more replicas of a specific process (in this case nginx), maybe with some helper process or some start-up/shutdown actions.

In [5]:
kubectl get deployments

NAME      DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
mynginx   1         1         1            0           4s


We can run two identical instances of nginx, by scaling it

In [6]:
kubectl scale deployment mynginx --replicas=2
kubectl get deployments

deployment.extensions/mynginx scaled
NAME      DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
mynginx   2         2         2            1           7s


However, for us to interact with nginx we have to encounter another concept: _services_ . Traditionally in the PHP ecosystem, we often think of a process and the service it provides as essentially equivalent - however, modern orchestration tools help decouple the idea of an advertised service (_services_) and the processes backing them up (_deployments_).

This means that we can link up different tools with them only knowing each others' services - Kubernetes will route requests through to the deployed processes behind the scenes, with simple load balancing. For example, there could be 100 nginx processes spread over a dozen VMs and any internal or external request just asks for the nginx service and magically gets a reply.

We still need to create a service though... as with `run` for deployments, there is a command to bundle a couple of steps: `expose`

In [7]:
kubectl expose deployment mynginx --port=80
kubectl get services

service/mynginx exposed
NAME      TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)   AGE
mynginx   ClusterIP   10.55.249.24   <none>        80/TCP    0s


There are certain service types that involve Kubernetes creating and attaching an external load balancer on the cloud platform - so, for instance, you can tell an AWS-based Kubernetes cluster that you want an external load balancer to point to nginx, and it will tell AWS to fire one up and show the `EXTERNAL IP` in this list, without you having to plumb it in. Your nginx processes will then be available publicly (by default).

This is a short workshop to cover a lot of concepts, but lets take a brief break to check that works:

In [8]:
IP=$(kubectl get service mynginx --output=jsonpath="{.spec.clusterIP}")
curl http://$IP

<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>


(if a step hangs, click the recycle button in the toolbar to restart bash, and re-run it)

[In another notebook](/user/philtweir/notebooks/kubernetes-scotlandphp/visual-notebook.ipynb), there is a bit of Python for showing a snippet view of the rendered page. We will use this further later also, so do open it in a new tab and check it works.

To keep things simple and consistent, we will use private IPs - so we can't navigate to the public URL in a browser, and instead show the output in a notebook - but the jump to public on a cloud provider is also pretty straightforward.

One final bit of machinery we should see before we move on:

In [9]:
kubectl get pods

NAME                      READY     STATUS    RESTARTS   AGE
mynginx-c6f6f5ccf-k2rxk   1/1       Running   0          15s
mynginx-c6f6f5ccf-v2l9v   1/1       Running   0          22s


_Pods_ are the individual processes running on a machine somewhere. Each of those is an nginx process. They are the basic unit of Kubernetes execution - here, two Pods were created as part of our Deployment (remember, we scaled it to 2 processes)

Strictly, pods _can_ be more than one process. They are usually, but not always one Docker container (which is _generally_ one OS process) - however, in some cases a "sidecar" container is useful. For instance, a postgres metric-exporter process running alongside the postgres database process, that sends resource usage stats. You see the `1/1` appearing under `READY` above - this means that all 1 of the 1 containers in the Pod are good to go.

In any case, conceptually, a Pod still represents one instance of one tool. They are created and destroyed as part of Deployments, Jobs, and many other Kubernetes objects.

Finally, we tidy up:

In [10]:
kubectl delete deployment mynginx
kubectl delete service mynginx

deployment.extensions "mynginx" deleted
service "mynginx" deleted


In [11]:
kubectl get deployment

No resources found.


In [12]:
kubectl get pods

NAME                      READY     STATUS        RESTARTS   AGE
mynginx-c6f6f5ccf-k2rxk   0/1       Terminating   0          23s
mynginx-c6f6f5ccf-v2l9v   0/1       Terminating   0          30s


All gone! (you might need to try a couple of times, while you wait for it to terminate) As the Deployment was deleted, the pods that made it up, went away too.

These are only a few of the Kubernetes concepts and objects, and the above is an intentionally hand-wavey introduction, to give you a feel for some key components. For the moment, we'll steer back to PHP.

### Local Development

* docker-compose
  * like orchestration-lite
  * ties in closely with docker-swarm, but equally useful standalone
  * allows your process and connections to be described in one file
  * helps you manage variables, linking and persistance
  * great test-bed

* Buckram
  * an evolving set of git-based configuration templates
  * one of many options, helping to go from source repo to dockerized, deployable app

# Step 2: Bare LAMP

* Setting up Helm
  * Helm describes itself as a Kubernetes package manager
  * What this means is that a whole set of interlinking components, secrets, services can be described under one banner and jointly deployed as a "Chart"
  * This could be a full app, or a self-backing-up database, or monitoring service

When setting Helm up on a new cluster, you should run `helm init`

In [13]:
export TILLER_NAMESPACE=$GIT_COMMITTER_NAME
helm init --service-account jupyter-user

Creating /home/jovyan/.helm 
Creating /home/jovyan/.helm/repository 
Creating /home/jovyan/.helm/repository/cache 
Creating /home/jovyan/.helm/repository/local 
Creating /home/jovyan/.helm/plugins 
Creating /home/jovyan/.helm/starters 
Creating /home/jovyan/.helm/cache/archive 
Creating /home/jovyan/.helm/repository/repositories.yaml 
Adding stable repo with URL: https://kubernetes-charts.storage.googleapis.com 
Adding local repo with URL: http://127.0.0.1:8879/charts 
$HELM_HOME has been configured at /home/jovyan/.helm.

Tiller (the Helm server-side component) has been installed into your Kubernetes Cluster.

Please note: by default, Tiller is deployed with an insecure 'allow unauthenticated users' policy.
For more information on securing your installation see: https://docs.helm.sh/using_helm/#securing-your-helm-installation
Happy Helming!


This sets up a daemon on the cluster, called `tiller` (you can sea the theme...), which manages the actual deployment. The local `helm` binary mostly communicates with this daemon.

Helm can tell us what charts are installed already:

In [14]:
helm list

(you may need to re-run periodically until it no longer says "could not find a ready tiller pod")

The expected output is blank - this is because we haven't installed any charts (i.e. packages) so far.

Without getting too much into all the `helm` functionality, let's start by seeing how we can deploy an nginx server to our Kubernetes cluster. Helm uses Kubernetes libraries under the hood, so your default authentication configuration (from ~/.kube/config) will get used.

In [15]:
helm repo update
helm search php

Hang tight while we grab the latest from your chart repositories...
...Skip local chart repository
...Successfully got an update from the "stable" chart repository
Update Complete. ⎈ Happy Helming!⎈ 
NAME             	CHART VERSION	APP VERSION            	DESCRIPTION                                       
stable/phpbb     	3.0.2        	3.2.3                  	Community forum that supports the notion of use...
stable/phpmyadmin	1.1.1        	4.8.2                  	phpMyAdmin is an mysql administration frontend    
stable/joomla    	3.0.2        	3.8.12                 	PHP content management system (CMS) for publish...
stable/lamp      	0.1.5        	5.7                    	Modular and transparent LAMP stack chart suppor...
stable/mediawiki 	4.0.3        	1.31.1                 	Extremely powerful, scalable software and a fea...
stable/osclass   	3.0.2        	3.7.4                  	Osclass is a php script that allows you to quic...
stable/dokuwiki  	3.0.2        	0.20180422.20180503

In [16]:
helm install stable/lamp --name mylamp

NAME:   mylamp
LAST DEPLOYED: Fri Oct  5 08:23:28 2018
NAMESPACE: scotlandphp-m23ol
STATUS: DEPLOYED

RESOURCES:
==> v1/Service
NAME         TYPE          CLUSTER-IP     EXTERNAL-IP  PORT(S)       AGE
mylamp-lamp  LoadBalancer  10.55.244.168  <pending>    80:31655/TCP  0s

==> v1beta1/Deployment
NAME         DESIRED  CURRENT  UP-TO-DATE  AVAILABLE  AGE
mylamp-lamp  1        1        1           0          0s

==> v1/Pod(related)
NAME                         READY  STATUS   RESTARTS  AGE
mylamp-lamp-ff75d949d-xg49m  0/2    Pending  0         0s

==> v1/Secret
NAME         TYPE    DATA  AGE
mylamp-lamp  Opaque  0     0s

==> v1/ConfigMap
NAME               DATA  AGE
mylamp-lamp-httpd  3     0s
mylamp-lamp-php    2     0s

==> v1/PersistentVolumeClaim
NAME         STATUS   VOLUME    CAPACITY  ACCESS MODES  STORAGECLASS  AGE
mylamp-lamp  Pending  standard  0s


NOTES:
INIT:
      Please wait for all init containers to finish before connecting to
      the charts services. This might take a

You can see from the lines starting with `==>` that a whole series of objects have been created, including a Deployment and a Service. As we learned above, a Deployment will create one or more Pods - you can see the Pod starts with the same name and is marked "related".

In [17]:
kubectl get services
kubectl get pods

NAME            TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)        AGE
mylamp-lamp     LoadBalancer   10.55.244.168   <pending>     80:31655/TCP   4s
tiller-deploy   ClusterIP      10.55.253.99    <none>        44134/TCP      20s
NAME                             READY     STATUS    RESTARTS   AGE
mylamp-lamp-ff75d949d-xg49m      0/2       Pending   0          4s
tiller-deploy-55dd45bc65-2998f   1/1       Running   0          20s


(the above may need re-run a few times until it stops showing "Init:0/2")

In [1]:
IP=$(kubectl get service mylamp-lamp --output=jsonpath="{.spec.clusterIP}")
curl http://$IP

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /
on this server.<br />
</p>
</body></html>


Well, this does makes sense - our LAMP server has no particular PHP app set up on it, so there's nothing to serve - rather than giving a meaningless default page when the app is missing, it gives access denied.

In this case, the contributors of the `stable/lamp` Chart expect us to provide custom configuration when deploying, for instance, for a Wordpress or custom app deployment. There's no reason we _have_ to use this chart to do that (there's also a separate Wordpress chart above, for instance). We will show a more complete app, while we explore more of helm.

In [4]:
helm delete --purge mylamp

release "mylamp" deleted


* Concepts of charts and Docker images

So what actually _is_ a Chart?

It is a filetree of, mostly, template [YAML](https://en.wikipedia.org/wiki/YAML) files. Each of these defines a Kubernetes object, such as a Deployment, Service or Secret. This way you can have all the boilerplate in a single git-versioned Chart, dynamically dropping in per-deployment settings using a handful of templated variables at deployment time - such the public URL for nginx, or the back-up retention period for postgres.

In [5]:
rm -rf ~/helm-charts
git clone https://github.com/helm/charts ~/helm-charts

Cloning into '/home/jovyan/helm-charts'...
remote: Enumerating objects: 3, done.        
remote: Counting objects: 100% (3/3), done.        
remote: Compressing objects: 100% (3/3), done.        
remote: Total 41061 (delta 0), reused 3 (delta 0), pack-reused 41058        
Receiving objects: 100% (41061/41061), 12.21 MiB | 21.40 MiB/s, done.
Resolving deltas: 100% (27289/27289), done.


In [6]:
cd ~/helm-charts/stable
ls

acs-engine-autoscaler	inbucket		 parse
aerospike		influxdb		 percona
anchore-engine		ipfs			 percona-xtradb-cluster
apm-server		janusgraph		 phabricator
ark			jasperreports		 phpbb
artifactory		jenkins			 phpmyadmin
artifactory-ha		joomla			 postgresql
auditbeat		k8s-spot-rescheduler	 prestashop
aws-cluster-autoscaler	kanister-operator	 presto
bitcoind		kapacitor		 prometheus
bookstack		karma			 prometheus-adapter
buildkite		katafygio		 prometheus-blackbox-exporter
burrow			keel			 prometheus-cloudwatch-exporter
centrifugo		keycloak		 prometheus-couchdb-exporter
cerebro			kiam			 prometheus-mysql-exporter
cert-manager		kibana			 prometheus-node-exporter
chaoskube		kong			 prometheus-postgres-exporter
chartmuseum		kube2iam		 prometheus-pushgateway
chronograf		kubed			 prometheus-rabbitmq-exporter
cluster-autoscaler	kubedb			 prometheus-redis-exporter
cockroachdb		kube-lego		 prometheus-to-sd
concourse		kube-ops-view		 quassel
consul			kubernetes-dashboard	 rabbitmq
coredns			kuberos			 

There are various chart repositories available (check out bitnami's as well the helm ones), but this is the git repo used to build the default stable repository. You can see the variety of charts currently there. Lets look inside the `lamp` one.

In [7]:
cd ~/helm-charts/stable/lamp
find .

.
./values.yaml
./examples
./examples/nextcloud.yaml
./examples/owncloud.yaml
./examples/grav.yaml
./examples/wordpress.yaml
./examples/wordpress-php-ini.yaml
./examples/wordpress-ingress-ssl.yaml
./examples/joomla.yaml
./examples/drupal.yaml
./README.md
./.helmignore
./templates
./templates/pvc.yaml
./templates/ingress-www.yaml
./templates/configmap-php.yaml
./templates/NOTES.txt
./templates/configmap-init.yaml
./templates/ingress.yaml
./templates/deployment.yaml
./templates/ingress-services.yaml
./templates/service.yaml
./templates/_helpers.tpl
./templates/service-sftp.yaml
./templates/configmap-httpd.yaml
./templates/secret.yaml
./Chart.yaml
./files
./files/httpd
./files/httpd/httpd-vhosts-socket.conf
./files/httpd/httpd-vhosts.conf
./files/httpd/httpd.conf
./files/init
./files/init/init_db_clone.sh
./files/init/init_wp.sh
./files/init/init_clone.sh
./files/init/init_wp_db.sh


The `./templates` directory is the set of templated YAML files that are used to build the core LAMP setup. To highlight a couple: deployment.yaml set up an Apache server as a Deployment, pvc.yaml requests persistent storage (for the DB to use, called a PersistentVolumeClaim), configmap-init.yaml sets up a config file mounted into the server.

In [8]:
cd ~/helm-charts/stable/lamp
helm install . --values ./examples/wordpress.yaml --name mywordpress

NAME:   mywordpress
LAST DEPLOYED: Fri Oct  5 08:25:04 2018
NAMESPACE: scotlandphp-m23ol
STATUS: DEPLOYED

RESOURCES:
==> v1/ConfigMap
NAME                    DATA  AGE
mywordpress-lamp-httpd  3     0s
mywordpress-lamp-php    2     0s

==> v1/PersistentVolumeClaim
NAME              STATUS   VOLUME    CAPACITY  ACCESS MODES  STORAGECLASS  AGE
mywordpress-lamp  Pending  standard  0s

==> v1/Service
NAME              TYPE          CLUSTER-IP     EXTERNAL-IP  PORT(S)                      AGE
mywordpress-lamp  LoadBalancer  10.55.249.249  <pending>    80:30666/TCP,3306:30753/TCP  0s

==> v1beta1/Deployment
NAME              DESIRED  CURRENT  UP-TO-DATE  AVAILABLE  AGE
mywordpress-lamp  1        1        1           0          0s

==> v1/Pod(related)
NAME                               READY  STATUS   RESTARTS  AGE
mywordpress-lamp-7b68d9d676-sv5rf  0/3    Pending  0         0s

==> v1/Secret
NAME              TYPE    DATA  AGE
mywordpress-lamp  Opaque  4     0s


NOTES:
INIT:
      Please wa

We just added some custom values in from `./examples/wordpress.yaml` to drop into the LAMP template. We could take a copy of this, fill in our own values and use it as a short per-deployment customization file.

In [9]:
cat ~/helm-charts/stable/lamp/examples/wordpress.yaml

mysql:
  rootPassword: "Root Password here..."
  user: wordpress
  password: "User Password here..."
  database: wordpress

php:
  repository: "wordpress"
  tag: "php7.1-fpm"
  envVars:
  - name: WORDPRESS_DB_HOST
    value: localhost
  - name: WORDPRESS_DB_USER
    value: wordpress
  - name: WORDPRESS_DB_PASSWORD
    value: "User Password here..."
  - name: WORDPRESS_DB_DATABASE
    value: wordpress


In [28]:
kubectl get services
kubectl get pods

NAME               TYPE           CLUSTER-IP      EXTERNAL-IP     PORT(S)                       AGE
mywordpress-lamp   LoadBalancer   10.55.249.249   35.195.95.170   80:30666/TCP,3306:30753/TCP   1m
tiller-deploy      ClusterIP      10.55.253.99    <none>          44134/TCP                     2m
NAME                                READY     STATUS    RESTARTS   AGE
mywordpress-lamp-7b68d9d676-sv5rf   3/3       Running   0          1m
tiller-deploy-55dd45bc65-2998f      1/1       Running   0          2m


In [29]:
echo "Internal: " $(kubectl get service mywordpress-lamp --output=jsonpath="{.spec.clusterIP}")
echo "External: http://$(kubectl get service mywordpress-lamp --output=jsonpath="{.status.loadBalancer.ingress[0].ip}")"

Internal:  10.55.249.249
External: http://35.195.95.170


(re-run the above until an external IP address appears - may take a few moments - if you continue having difficulty with the external IP, try to request it internally in the [other notebook](/user/philtweir/notebooks/kubernetes-scotlandphp/visual-notebook.ipynb#Wordpress))

In [30]:
helm delete --purge mywordpress

release "mywordpress" deleted


While there are multiple ways to deploy PHP, one option is:

![PHP diagram](https://s3.us-west-2.amazonaws.com/public.flaxandteal.co.uk/larakube-1-things.svg)

We need use the nginx pod to provide HTTP access to PHP-FPM.

# Step 3: Example Laravel App

In [31]:
rm -rf ~/buckram; cd ~
git clone https://gitlab.com/flaxandteal/buckram-starter ~/buckram

Cloning into '/home/jovyan/buckram'...
remote: Enumerating objects: 28788, done.        
remote: Counting objects: 100% (28788/28788), done.        
remote: Compressing objects: 100% (10800/10800), done.        
remote: Total 28788 (delta 17412), reused 28742 (delta 17378)        
Receiving objects: 100% (28788/28788), 8.04 MiB | 9.34 MiB/s, done.
Resolving deltas: 100% (17412/17412), done.


In [32]:
cd ~/buckram/kubernetes
ls

artisan.sh  dummy-values.yaml  sundry	  values.yaml.example
buckram     README.md	       templates


Here we have a few tools for Kubernetes, in particular an example file for setting deployment-specific values.

In [33]:
cd ~/buckram/kubernetes
cat values.yaml.example

# This is a template for the Kubernetes production secrets.
# It is strongly recommended that you create and complete the
# production.yaml file outside of the file tree
laravel-nginx:
  image:
    repository: flaxandteal/buckram-nginx
    tag: stable
  ingress:
    hostname: DNS.DOMAIN
    annotations:
      certmanager.k8s.io/cluster-issuer: letsencrypt-staging
      kubernetes.io/ingress.class: nginx
  laravel:
    serverName: DNS.DOMAIN
laravel-phpfpm:
  image:
    repository: flaxandteal/buckram-phpfpm
    tag: stable
  workerImage:
    repository: flaxandteal/buckram-phpfpm
    tag: stable
  laravel:
    app:
      appKey: base64:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
      appUrl: "https://DNS.DOMAIN"
      oauthPublicKey: OAUTH_PUBLIC_KEY_B64
      oauthPrivateKey: OAUTH_PRIVATE_KEY_B64
    mail:
      username: "mailuser"
      password: "mailpass"
      host: "smtp.host"
      port: "25"
      fromAddress: "from@example.com"
      fromName: "From Name"
postgresql:
  post

As a quickstart, there is a basic Python tool in the `buckram` repository to autogenerate some values for these (`bookcloth`) - a sample output of this is in `dummy-values.yaml`. We will use this to demonstrate.

We go into the the Buckram Helm chart itself...

In [34]:
cd ~/buckram/kubernetes/buckram
helm dependencies update
helm install . --name=buckram --values=../dummy-values.yaml

Hang tight while we grab the latest from your chart repositories...
...Unable to get an update from the "local" chart repository (http://127.0.0.1:8879/charts):
	Get http://127.0.0.1:8879/charts/index.yaml: dial tcp 127.0.0.1:8879: connect: connection refused
...Successfully got an update from the "stable" chart repository
Update Complete. ⎈Happy Helming!⎈
Saving 6 charts
Deleting outdated charts
NAME:   buckram
LAST DEPLOYED: Fri Oct  5 08:26:42 2018
NAMESPACE: scotlandphp-m23ol
STATUS: DEPLOYED

RESOURCES:
==> v1/PersistentVolumeClaim
NAME           STATUS   VOLUME    CAPACITY  ACCESS MODES  STORAGECLASS  AGE
buckram-redis  Pending  standard  1s

==> v1/ServiceAccount
NAME                              SECRETS  AGE
buckram-fluent-bit-filter-kube    1        1s
buckram-postgresql-database-user  1        1s

==> v1beta1/RoleBinding
NAME                                  AGE
buckram-fluent-bit-filter-kube        1s
buckram-postgresql-database-accessor  1s
buckram-buckram-deploy           

As in every type of deployment, we need to have specific custom settings for our own deployment. This answers several questions:

In this approach:

* **Where is our app code stored?**: In the final built images. During continuous integration (or manual building, for smaller scale), pre-prepared base images have the code added in. The built images are then tagged for that code version and pushed to a Docker image registry that the Kubernetes cluster can access.
* **How do we keep our code secure?**: In this example, for simplicity we use the default base images, without custom app code - as such, they are pulled down from the public Docker Hub registry. However, there are private image registries within each cloud platform, e.g. AWS ECR, which Kubernetes can authenticate with to pull down images.
* **What about secrets?**: In this particular approach, we use Kubernetes Secrets, which is simple but only a minimum bar (although, the default implementation is improving). Better practice is to use something like the Kubernetes Vault Operator, but this takes more care to set up.

_None of these are hard and fast_. There are various approaches, with benefits and drawbacks.

In [40]:
kubectl get pods

NAME                                             READY     STATUS      RESTARTS   AGE
buckram-fluentd-79b748589f-psz7q                 1/1       Running     0          2m
buckram-laravel-nginx-6ddb575b85-s885l           1/1       Running     0          2m
buckram-laravel-phpfpm-1538728020-d82vq          0/1       Completed   0          2m
buckram-laravel-phpfpm-1538728080-dghxn          0/1       Completed   0          1m
buckram-laravel-phpfpm-1538728140-jwsp9          0/1       Completed   0          30s
buckram-laravel-phpfpm-577747c64b-pcd6h          1/1       Running     0          2m
buckram-laravel-phpfpm-worker-85dc7df75b-q6x2m   1/1       Running     3          2m
buckram-postgresql-0                             1/1       Running     0          2m
buckram-redis-0                                  1/1       Running     0          2m
fluent-bit-7jx7t                                 1/1       Running     0          2m
fluent-bit-8s9rm                                 1/1       Runn

Re-run the above until it quietens down and they all say "Running" or "Completed"^^^

In [41]:
IP=$(kubectl get service buckram-laravel-nginx --output=jsonpath="{.spec.clusterIP}")
curl http://$IP | head

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2383    0  2383    0     0   3035      0 --:--:-- --:--:-- --:--:--  3039
<!doctype html>
<html lang="en">
    <head>
        <meta charset="utf-8">
        <meta http-equiv="X-UA-Compatible" content="IE=edge">
        <meta name="viewport" content="width=device-width, initial-scale=1">

        <title>Laravel</title>

        <!-- Fonts -->


([click here](/user/philtweir/notebooks/kubernetes-scotlandphp/visual-notebook.ipynb#Laravel) to get the rendered version)

* Work through the charts

Lets take a look at what just started up:

In [42]:
kubectl get pods

NAME                                             READY     STATUS      RESTARTS   AGE
buckram-fluentd-79b748589f-psz7q                 1/1       Running     0          3m
buckram-laravel-nginx-6ddb575b85-s885l           1/1       Running     0          3m
buckram-laravel-phpfpm-1538728020-d82vq          0/1       Completed   0          2m
buckram-laravel-phpfpm-1538728080-dghxn          0/1       Completed   0          1m
buckram-laravel-phpfpm-1538728140-jwsp9          0/1       Completed   0          38s
buckram-laravel-phpfpm-577747c64b-pcd6h          1/1       Running     0          3m
buckram-laravel-phpfpm-worker-85dc7df75b-q6x2m   1/1       Running     3          3m
buckram-postgresql-0                             1/1       Running     0          3m
buckram-redis-0                                  1/1       Running     0          3m
fluent-bit-7jx7t                                 1/1       Running     0          3m
fluent-bit-8s9rm                                 1/1       Runn

As above the list of pods is, roughly, the list of processes. There should be some familiar faces there: several PHP-FPM pods, nginx, PostgreSQL and redis.

Alongside them, you can see fluent-bit - it will forward logs from the processes to a single aggregated destination. Between this and redis (queueing, caching, sessions), the PHP-FPM pod does not need to have any state, easing scalability.

By telling PHP to send to stdout by default, we find that the logs from this Pod are indeed the PHP logs:

In [43]:
PHP_POD=$(kubectl get pods --selector=tier=middle -o=name)
kubectl logs $PHP_POD

[05-Oct-2018 08:26:46] NOTICE: fpm is running, pid 1
[05-Oct-2018 08:26:46] NOTICE: ready to handle connections
10.52.5.37 -  05/Oct/2018:08:29:39 +0000 "GET /index.php" 200


This approach also simplified life for log aggregation, where logs can be gathered from the stdout/stderr of the various Pods.

### Gitlab CI

_20 min_ (-> 1:50)

* What is Gitlab CI?

Gitlab continuous integration (CI) provides us with an easy way to go from local development to built images. To follow along, you will need to have [your own Gitlab account or sign up](https://gitlab.com/users/sign_in), or can look through the [details of the pipeline](https://gitlab.com/flaxandteal/buckram-demo/pipelines) of the existing demo.

If you wish to use your own account, then you [should fork](https://gitlab.com/flaxandteal/buckram-demo/forks/new) a copy. You can clone it down here, or on your own machine/VM to make it easier to experiment. If you want to use your fork in this notebook, change the Gitlab URL below to your fork's.

In [44]:
cd ~
rm -rf buckram-demo
git clone https://gitlab.com/phil.weir/buckram-demo

Cloning into 'buckram-demo'...
remote: Enumerating objects: 146, done.        
remote: Counting objects: 100% (146/146), done.        
remote: Compressing objects: 100% (107/107), done.        
remote: Total 146 (delta 23), reused 139 (delta 19)        
Receiving objects: 100% (146/146), 198.09 KiB | 716.00 KiB/s, done.
Resolving deltas: 100% (23/23), done.


This repository has only a couple of minor differences from the usual `composer create-project laravel` output, namely, running composer (after adding behat), a `.gitlab-ci.yml` file and a submodule containing the buckram content, which is in an `infrastructure` subfolder.

In [45]:
cd ~/buckram-demo
git submodule update --init

Submodule 'infrastructure' (https://gitlab.com/flaxandteal/buckram) registered for path 'infrastructure'
Cloning into '/home/jovyan/buckram-demo/infrastructure'...
Submodule path 'infrastructure': checked out '53ab820046e457061b6401c6e1e3ef6bec2e55b5'


Note that our Buckram repository is not necessary for any of this, but is simply a way of bringing together common features, such as CI templates, Helm charts and config generation, which you could do independently. They are useful, accessible examples for a smallish context, but once familiar, you will find a number of features you will wish to add.

In [46]:
cd ~/buckram-demo
git diff $(git rev-list --max-parents=0 HEAD)..HEAD --summary

 create mode 100644 .gitmodules
 create mode 100644 features/bootstrap/FeatureContext.php
 create mode 160000 infrastructure
 delete mode 100644 tests/Feature/ExampleTest.php


First off, we can take a look at the `.gitlab-ci.yml` file:

In [47]:
cat .gitlab-ci.yml

image: docker:latest

variables:
  CONTAINER_NGINX_IMAGE: $CI_REGISTRY_IMAGE:nginx-$CI_PIPELINE_ID
  CONTAINER_NGINX_RELEASE_IMAGE: $CI_REGISTRY_IMAGE:nginx-latest
  CONTAINER_PHPFPM_IMAGE: $CI_REGISTRY_IMAGE:phpfpm-$CI_PIPELINE_ID
  CONTAINER_PHPFPM_RELEASE_IMAGE: $CI_REGISTRY_IMAGE:phpfpm-latest
  COMPOSER_CACHE_DIR: /cache
  DOCKER_DRIVER: overlay

stages:
- composer
- build
- test
- release
- deploy

services:
- docker:dind

before_script:
  - docker login -u gitlab-ci-token -p $CI_BUILD_TOKEN registry.gitlab.com

composer:
  stage: composer
  before_script:
  - echo "Building PHP dependencies"
  image: composer
  script:
  - composer install
  artifacts:
    paths:
    - vendor
    - bootstrap/cache
    - bootstrap/autoload.php
    - composer.lock

build:
  stage: build
  variables:
    GIT_SUBMODULE_STRATEGY: recursive
  script:
  - chown -R 33 storage/logs bootstrap/cache
  - docker build -f infrastructure/containers/nginx/Dockerfile -t $CONTAINER_NGINX_IMAGE .
  - docker build 

In this particular approach, for simplicity, both the nginx and PHP containers end up with the build code - a nicer tactic would be to have any static assets deployed separately, so that nginx only needs to proxy requests to PHP-FPM.

The first few sections are configuration, essentially preparing the environment. The following, `composer`, `build` and `release` steps are the sequence the CI will follow. The first runs composer (it does this inside the official composer Docker image), the second combines these with our pre-prepared base images. For more detail on the PHP-FPM setup used, have a look at `./infrastructure/containers/phpfpm` (while it starts from the official base it has, for instance, ext-redis added in).

In the Buckram repository, there is a template `gitlab-ci.yml` - while it isn't useful for our demo, you will see this has an additional `deploy-dev` section for deploying directly to a Kubernetes cluster. Over the last year or two, Gitlab's direct deployment integration for Kubernetes on Google has come on, so you may want to look at this option too. However, it may be illustrative:

In [48]:
grep -A 100 'deploy_dev:' ~/buckram/gitlab-ci/gitlab-ci.yml

deploy_dev:
  image: google/cloud-sdk:162.0.0
  before_script:
  - kubectl config set-cluster "$CI_PROJECT_ID" --server="$KUBE_URL" --certificate-authority="$KUBE_CA_PEM_FILE"
  - kubectl config set-credentials "$CI_PROJECT_ID" --token="$KUBE_TOKEN"
  - kubectl config set-context "$CI_PROJECT_ID" --cluster="$CI_PROJECT_ID" --user="$CI_PROJECT_ID" --namespace="$KUBE_NAMESPACE"
  - kubectl config use-context "$CI_PROJECT_ID"
  stage: deploy
  script:
  - >-
    kubectl patch cronjob.v2alpha1.batch $CI_ENVIRONMENT_SLUG-laravel-artisan
      -p "{
        \"spec\": {
          \"jobTemplate\": {
            \"spec\": {
              \"template\": {
                \"spec\": {
                  \"containers\": [
                    {
                      \"name\": \"$CI_ENVIRONMENT_SLUG-laravel-scheduler\",
                      \"image\": \"$AWS_ECR_URI:phpfpm-$CI_PIPELINE_ID\"
                    }
                  ]
                }
              }
            }
          }
        }


Modern Kubernetes has Role Based Authorization Control (RBAC), so we can create a user with deployment credentials and Gitlab will ensure our CI user receives them. We use a Docker image with `kubectl` to run these commands. It would be possible do this via `curl` calls also, to the Kubernetes API. A particular benefit of Gitlab-CI is that it can be run internally, or even _on_ Kubernetes, while being usable as a free hosted service to experiment.

It is not the only option, however - Bitbucket now has a similar set-up. Jenkins, CircleCI and others can provide these types of pipeline also.

The rest of the CI steps show some of the Docker commands that could be run locally, if you wanted to get the hang of Docker in a manual way, building images and pushing them.

The test step lets us run `behat` and `phptest`, by default, when any branch is pushed. Gitlab will notify you of any errors, and can trigger a merge based on its outcome, for instance. Code coverage and linting could similarly be added here.

The magic of Gitlab-CI is that it will start working as soon as receives a commit with a valid `.gitlab-ci.yml` file in the root directory (note the first dot).

In [49]:
grep -C 5 ' Laravel' resources/views/welcome.blade.php

                </div>
            @endif

            <div class="content">
                <div class="title m-b-md">
                    Laravel
                </div>

                <div class="links">
                    <a href="https://laravel.com/docs">Documentation</a>
                    <a href="https://laracasts.com">Laracasts</a>


If you have taken a fork, then you can try the following (otherwise, keep an eye on my fork's [pipeline's page](https://gitlab.com/flaxandteal/buckram-demo/pipelines)):

https://gitlab.com/USERNAME/buckram-demo/blob/master/resources/views/welcome.blade.php

(change the USERNAME to your own). Edit the page (Edit button on upper right), perhaps changing the word Laravel on line 82 to something else. This is equivalent to making a manual change and pushing.

On the Pipelines page (under CI/CD on the left-hand menu), you will see the progress of the building through the stages. Gitlab uses its own container registry to manage the images back and forward, and some handy free CI runners. Running your own CI runner is easy, and generally much faster per run, not to mention allowing you to control the process. Another key benefit is that you can also cache composer downloads and Docker images between steps and runs - although many prefer to take the extra time to pull fresh from the package repository on each build anyway.

A note on frontend: if using little frontend code or a tightly-integrated frontend framework in the Laravel codebase, then this may be sufficient. Most of our work is with API-based backends and self-contained VueJS single-page applications. Our approach is to run the necessary CI steps on the frontend repository, producing a JS/CSS tarball that is released to S3, and trigger a new backend pipeline run from the final frontend step, to pull down and build a fresh final set of Docker images.

The following command manually updates the PHP-FPM image to point to the newly build Gitlab one (NB: only the web-serving one, not the queue worker or cronjob). You should swap the `phil.weir` and number at the end for your username and pipeline number, respectively.

_Make sure you don't confuse the pipeline and job numbers_, the pipeline number will be shown on the Pipelines page, usually starting with a hash.

In [50]:
kubectl set image deployment/buckram-laravel-phpfpm laravel-phpfpm=registry.gitlab.com/flaxandteal/buckram-demo:phpfpm-32036782

deployment.extensions/buckram-laravel-phpfpm image updated


In [51]:
kubectl get pods --selector=app=buckram-laravel-phpfpm

NAME                                             READY     STATUS              RESTARTS   AGE
buckram-laravel-phpfpm-577747c64b-pcd6h          0/1       Terminating         0          3m
buckram-laravel-phpfpm-6f8ff6b9bd-lszsj          0/1       ContainerCreating   0          1s
buckram-laravel-phpfpm-worker-85dc7df75b-q6x2m   1/1       Running             3          3m


When the above command shows "Status: running", then try the Laravel call in the [other notebook](/user/philtweir/notebooks/kubernetes-scotlandphp/visual-notebook.ipynb#Laravel) again - you should see the altered welcome page from your newly built image!

Finally, we will see how to make changes to a Helm chart. Have a look at the nginx service template:

In [52]:
cat ~/buckram/kubernetes/buckram/subcharts/laravel-nginx/templates/service.yaml

apiVersion: v1
kind: Service
metadata:
  name: {{ template "fullname" . }}
  labels:
    app: {{ template "fullname" . }}
    service: {{ template "fullname" . }}
    chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
spec:
  type: {{ .Values.service.type }}
  ports:
  - port: {{ .Values.service.externalPort }}
    targetPort: {{ .Values.service.internalPort }}
    protocol: TCP
    name: {{ .Values.service.name }}
  selector:
    app: {{ template "fullname" . }}
    service: {{ template "fullname" . }}


There is a templated value, called `.Values.service.type` - as this is within the `laravel-nginx` subchart, we can refresh the Buckram Helm chart like so, and override its default value:

In [53]:
cd ~/buckram/kubernetes/buckram
helm upgrade buckram . --values=../dummy-values.yaml --set="laravel-nginx.service.type=LoadBalancer"

Release "buckram" has been upgraded. Happy Helming!
LAST DEPLOYED: Fri Oct  5 08:31:02 2018
NAMESPACE: scotlandphp-m23ol
STATUS: DEPLOYED

RESOURCES:
==> v1beta1/Ingress
NAME                   HOSTS                  ADDRESS  PORTS  AGE
buckram-laravel-nginx  buckram-laravel-nginx  80, 443  4m

==> v1/PersistentVolumeClaim
NAME           STATUS  VOLUME                                    CAPACITY  ACCESS MODES  STORAGECLASS  AGE
buckram-redis  Bound   pvc-6374a8db-c878-11e8-9b38-42010a84004c  8Gi       RWO           standard      4m

==> v1/ServiceAccount
NAME                              SECRETS  AGE
buckram-fluent-bit-filter-kube    1        4m
buckram-postgresql-database-user  1        4m

==> v1beta1/Role
NAME                                AGE
buckram-fluent-bit-filter-kube      4m
buckram-postgresql-database-access  4m
buckram-buckram-deploy              4m

==> v1beta1/CronJob
NAME                    SCHEDULE   SUSPEND  ACTIVE  LAST SCHEDULE  AGE
buckram-laravel-phpfpm  * * * * * 

You might need to run the below code a few times, until the Load Balancer is no longer pending.

In [64]:
kubectl get services

NAME                     TYPE           CLUSTER-IP      EXTERNAL-IP      PORT(S)        AGE
buckram-fluentd          ClusterIP      10.55.249.161   <none>           24284/TCP      5m
buckram-laravel-nginx    LoadBalancer   10.55.240.136   35.241.165.239   80:30735/TCP   5m
buckram-laravel-phpfpm   ClusterIP      10.55.245.189   <none>           9000/TCP       5m
buckram-postgresql       ClusterIP      None            <none>           5432/TCP       5m
buckram-redis            ClusterIP      10.55.243.56    <none>           6379/TCP       5m
tiller-deploy            ClusterIP      10.55.253.99    <none>           44134/TCP      8m


In [65]:
echo "Internal: " $(kubectl get service buckram-laravel-nginx --output=jsonpath="{.spec.clusterIP}")
echo "External: http://$(kubectl get service buckram-laravel-nginx --output=jsonpath="{.status.loadBalancer.ingress[0].ip}")"

Internal:  10.55.240.136
External: http://35.241.165.239


This change could have been made in `values.yaml` file as well or, more sensibly, if you are forking your own Buckram Helm chart app structure, within the (git versioned) chart defaults themselves.

### Debugging

Kubernetes debugging, as a system that has many levels, is a bigger topic than an introduction. However, to help you see where to start - try the following:

In [66]:
kubectl set image deployment/buckram-laravel-phpfpm laravel-phpfpm=nonexistant/image

deployment.extensions/buckram-laravel-phpfpm image updated


You will notice that, having set it to run from a non-existant Docker image, the Laravel server no longer exists...

In [69]:
kubectl get pods

NAME                                             READY     STATUS         RESTARTS   AGE
buckram-fluentd-79b748589f-psz7q                 1/1       Running        0          5m
buckram-laravel-nginx-6ddb575b85-s885l           1/1       Running        0          5m
buckram-laravel-phpfpm-1538728200-m9qdg          0/1       Completed      0          2m
buckram-laravel-phpfpm-1538728260-5nfnn          0/1       Completed      0          1m
buckram-laravel-phpfpm-1538728320-x5s2f          0/1       Completed      0          11s
buckram-laravel-phpfpm-64c8854bb4-62gxz          0/1       ErrImagePull   0          10s
buckram-laravel-phpfpm-6f8ff6b9bd-lszsj          0/1       Terminating    0          1m
buckram-laravel-phpfpm-worker-85dc7df75b-q6x2m   1/1       Running        3          5m
buckram-postgresql-0                             1/1       Running        0          5m
buckram-redis-0                                  1/1       Running        0          5m
fluent-bit-7jx7t             

Trying the endpoint above will now likely timeout. To find out more, we can use the `kubectl describe` command:

In [None]:
kubectl describe pods --selector=app=buckram-laravel-phpfpm,tier=middle

Under the events section (near the end), you will see a whole set of recurring errors and their frequencies. These are being sent by the `kubelet` daemon, which manages the running of actual containers on VMs (nodes) - it has noticed that it cannot pull the node.

This can happen quite a bit if you have, for example, private container registry credentials that are expiring too fast, are missing or are incorrect. If you want to find out more about private registry credentials, have a look at the `imagePullSecrets` setting for Pods/Deployments.

You can restore the image, like so (or with a `helm upgrade ...`)

In [None]:
kubectl set image deployment/buckram-laravel-phpfpm laravel-phpfpm=registry.gitlab.com/flaxandteal/buckram-demo:phpfpm-32036782

### Rollout

Kubernetes provides some useful tools for managing roll-out. For instance:

In [None]:
kubectl rollout history deployments

Here you can see how many revisions have been made to your deployments - you should see 3, one for each of fluentd, nginx and phpfpm-worker, all with 1 revision, and a fourth for phpfpm, with an additional revision (assuming you correctly deleted the earlier experiments!). This additional revision represents the action of changing the Docker image used, above.

You can roll back deployments, you can require a certain minimum number of live pods at any time during the rolling update, or even decide where new Pods are scheduled on the underlying VMs/systems (termed Nodes). Kubernetes has concepts of liveness and readiness probes, so for some types of deployment, it can spot when Pods are functional or not. In addition, this allows it to undertake one of the most fundamental aspects of orchestration, replacing Pods when they become unresponsive or die.

### Artisan and Jobs
(moved from end?)

We will address a few of the key features of Laravel, and PHP frameworks in general, here.

* Worker process & Redis

It's already been pointed out that there is an artisan Pod running - phpfpm-worker. For those unfamiliar, `artisan` is Laravel's command-line tool, providing console control for one-off tasks, but also entrypoints for worker processes and the task scheduler.

In normal usage, getting an artisan queue worker process running involves:

    php artisan queue:work

You may wish to use this to, for instance, submit emails to a sending service or call batch services.

In this context, it becomes part of the `development-artisan.yaml` Chart file (see the arrays around line 25):

In [70]:
cat ~/buckram/kubernetes/buckram/subcharts/laravel-phpfpm/templates/deployment-artisan.yaml | nl

     1	apiVersion: extensions/v1beta1
     2	kind: Deployment
     3	metadata:
     4	  name: {{ template "fullname" . }}-worker
     5	  labels:
     6	    chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
     7	    release: "{{ .Release.Name }}"
     8	    heritage: "{{ .Release.Service }}"
     9	spec:
    10	  replicas: {{ .Values.replicaCount }}
    11	  template:
    12	    metadata:
    13	      labels:
    14	        app: {{ template "fullname" . }}
    15	        tier: "backend"
    16	    spec:
    17	{{- if .Values.workerImage.secrets }}
    18	      imagePullSecrets:
    19	      - name: {{ .Values.workerImage.secrets }}
    20	{{- end }}
    21	      containers:
    22	      - name: {{ .Chart.Name }}-worker
    23	        command:
    24	        - php
    25	        - /var/www/app/artisan
    26	        args:
    27	        - queue:work
    28	{{- if .Values.laravel.queue.tries }}
    29	        - --tries={{ .Values.laravel.queue.tries }}
    30	{{- end }}

You can contrast the in situ version, by pulling down the definition of the live pod, created from this template.

In [71]:
WORKER_POD=$(kubectl get pods --selector=tier=backend -o=name)
kubectl get $WORKER_POD -o=yaml

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: 2018-10-05T08:26:42Z
  generateName: buckram-laravel-phpfpm-worker-85dc7df75b-
  labels:
    app: buckram-laravel-phpfpm
    pod-template-hash: "4187389316"
    tier: backend
  name: buckram-laravel-phpfpm-worker-85dc7df75b-q6x2m
  namespace: scotlandphp-m23ol
  ownerReferences:
  - apiVersion: extensions/v1beta1
    blockOwnerDeletion: true
    controller: true
    kind: ReplicaSet
    name: buckram-laravel-phpfpm-worker-85dc7df75b
    uid: 63949396-c878-11e8-9b38-42010a84004c
  resourceVersion: "27238"
  selfLink: /api/v1/namespaces/scotlandphp-m23ol/pods/buckram-laravel-phpfpm-worker-85dc7df75b-q6x2m
  uid: 63a617f1-c878-11e8-9b38-42010a84004c
spec:
  containers:
  - args:
    - queue:work
    - --tries=3
    command:
    - php
    - /var/www/app/artisan
    env:
    - name: APP_KEY
      valueFrom:
        secretKeyRef:
          key: app-key
          name: buckram-laravel-phpfpm-env
    - name: MAIL_PASSWORD
      valueFrom:

As running Redis in the cluster is an easy starting point, we use it to handle the queues (Laravel has Redis as an in-built option):

In [72]:
kubectl logs $(kubectl get pods --selector=app=buckram-redis -o=name)

nami    INFO  Initializing redis
redis   INFO 
redis   INFO  ########################################################################
redis   INFO   Installation parameters for redis:
redis   INFO     Password: **********
redis   INFO   (Passwords are not shown for security reasons)
redis   INFO  ########################################################################
redis   INFO 
nami    INFO  redis successfully initialized
Starting application ...

  *** Welcome to the redis image ***
  *** Brought to you by Bitnami ***
  *** More information: https://github.com/bitnami/bitnami-docker-redis ***
  *** Issues: https://github.com/bitnami/bitnami-docker-redis/issues ***

 |    `-._`-._        _.-'_.-'    |                                  
  `-._    `-._`-.__.-'_.-'    _.-'                                   
      `-._    `-.__.-'    _.-'                                       
          `-._        _.-'                                           
              `-.__.-'                   

### One-off Jobs

* Cronjobs

To make scheduled tasks work, we use the Kubernetes concept of Cronjobs.

In [73]:
kubectl get cronjobs

NAME                     SCHEDULE    SUSPEND   ACTIVE    LAST SCHEDULE   AGE
buckram-laravel-phpfpm   * * * * *   False     0         1m              6m


You will see this uses a similar format to traditional cron schedules. As with the normal Laravel approach, we set this to run an artisan job every minute (`php artisan schedule:run`), and Laravel's scheduler will decide whether any of the PHP-defined tasks are due to get kicked off.

This is quite configurable - we can say how many completed Pods we want to keep, for diagnostics, and how many failed ones, how long we give them to start up, and how many attempts each will get.

* Running artisan

This is part of a broader concept of Jobs. These are requests to schedule a one-off Pod to do some task or other. Kubernetes' Cronjobs are really just creating a "Job" each minute from a template. Jobs in general provide a reasonable way to run one-off artisan tasks also.

At present, we use a barebones script to simplify this process - running it creates a fresh new Job (from the template as the Cronjob, as it happens), and sets the internal artisan arguments to whichever command line flags we pass.

In [74]:
cd ~/buckram/kubernetes
./artisan.sh route:list


job.batch/laravel-job-1538728385 created
Flag --show-all has been deprecated, will be removed in an upcoming release
Found pod: laravel-job-1538728385-rmv24
Error from server (BadRequest): container "laravel-phpfpm-scheduler" in pod "laravel-job-1538728385-rmv24" is waiting to start: ContainerCreating
Error from server (BadRequest): container "laravel-phpfpm-scheduler" in pod "laravel-job-1538728385-rmv24" is waiting to start: ContainerCreating
+--------+----------+----------+------+---------+--------------+
| Domain | Method   | URI      | Name | Action  | Middleware   |
+--------+----------+----------+------+---------+--------------+
|        | GET|HEAD | /        |      | Closure | web          |
|        | GET|HEAD | api/user |      | Closure | api,auth:api |
+--------+----------+----------+------+---------+--------------+


You will get a few Errors as it starts up (ending "ContainerCreating"), but it should follow the Pod's logs once the Pod has started. Note that this approach is non-interactive (in fact, asynchronous).

In [75]:
kubectl get jobs

NAME                                DESIRED   SUCCESSFUL   AGE
buckram-laravel-phpfpm-1538728200   1         1            3m
buckram-laravel-phpfpm-1538728260   1         1            2m
buckram-laravel-phpfpm-1538728320   1         1            1m
buckram-laravel-phpfpm-1538728380   1         1            9s
laravel-job-1538728385              1         1            8s


Above you should see a range of Jobs that have been run, including your manual one as "laravel-job" and a timestamp.

### Managing Environments

As in any other setting, you will want to have more than one app platform running at once: usually for development, staging and production; or perhaps blue/green deployments.

Gitlab provide tools to help manage separate environments, along with Kubernetes - some of that is quite tied to Google Kubernetes Engine, but some is platform agnostic.

Taking a separate Helm `values.yaml` file may be sufficient to give, e.g. a dev and staging cluster. You may be happy enough to have these both on the same Kubernetes cluster, treating it as an infrastructure provider, as long as they are namespaced.

Kubernetes does provide namespacing - the divisions are being hardened at each version, and it is possible to apply resource usage policies, user role policies and network segmentation.

In [76]:
kubectl get pods -n kube-system

NAME                                                      READY     STATUS    RESTARTS   AGE
event-exporter-v0.2.1-5f5b89fcc8-x6fjt                    2/2       Running   0          2h
fluentd-gcp-scaler-7c5db745fc-6qn5v                       1/1       Running   0          2h
fluentd-gcp-v3.1.0-6nrwk                                  2/2       Running   0          7m
fluentd-gcp-v3.1.0-7wlxf                                  2/2       Running   0          2h
fluentd-gcp-v3.1.0-f2trp                                  2/2       Running   0          2h
fluentd-gcp-v3.1.0-fkssb                                  2/2       Running   0          2h
fluentd-gcp-v3.1.0-gs2wv                                  2/2       Running   0          2h
fluentd-gcp-v3.1.0-llxz6                                  2/2       Running   0          2h
fluentd-gcp-v3.1.0-rpqwb                                  2/2       Running   0          2h
fluentd-gcp-v3.1.0-s87h7                                  2/2       Running   0

You can see here that there are a number of Pods doing more fundamental things than nginx - providing internal DNS, managing Helm's requests, handling Kubernetes API calls, running controller loops. These are all in the `kube-system` namespace by default.

### Exercise

Explore everything in your own namespace - what does it all do?

In [77]:
kubectl get all

NAME                                                 READY     STATUS             RESTARTS   AGE
pod/buckram-fluentd-79b748589f-psz7q                 1/1       Running            0          6m
pod/buckram-laravel-nginx-6ddb575b85-s885l           1/1       Running            0          6m
pod/buckram-laravel-phpfpm-1538728260-5nfnn          0/1       Completed          0          2m
pod/buckram-laravel-phpfpm-1538728320-x5s2f          0/1       Completed          0          1m
pod/buckram-laravel-phpfpm-1538728380-txfvv          0/1       Completed          0          14s
pod/buckram-laravel-phpfpm-64c8854bb4-62gxz          0/1       ImagePullBackOff   0          1m
pod/buckram-laravel-phpfpm-worker-85dc7df75b-q6x2m   1/1       Running            3          6m
pod/buckram-postgresql-0                             1/1       Running            0          6m
pod/buckram-redis-0                                  1/1       Running            0          6m
pod/fluent-bit-7jx7t                  

# Contexts

Kubectl works on a concept of users, contexts and clusters. You might not have spotted yet, but Kubernetes does not have a concept of user accounts, per se. It does have a concept of authentication, which can be by certificates, tokens, OpenID Connect, for example, and authorization Roles, which are bound to a username matching a RoleBinding rule when it successfully authenticates. However, no separate "User" object exists.

Contexts allow you to specify a user, a namespace and a cluster to work with by default. Switching contexts allows you to easily manage multiple clusters and namespaces.

In [78]:
kubectl config get-contexts

CURRENT   NAME              CLUSTER           AUTHINFO       NAMESPACE
*         jupyter-cluster   jupyter-cluster   jupyter-user   scotlandphp-m23ol


In the `~/buckram/docs` folder is a script, `update_cluster_to_ci_build_ref.sh`, to update one context from another - this can be very handy for manual promotion, where you want to have specific controls in place to control access to the update workflow.

## Ingresses

Ingresses allow you to add rules for redirecting traffic on a domain to a certain service. `kubectl` has a handy describe mode (with most objects) - for the Jupyterhub ingress, for example, it looks like

```
$ kubectl get ingress --namespace jupyterhub jupyterhub-internal
Name:             jupyterhub-internal
Namespace:        jupyterhub
Address:          35.239.24.66
Default backend:  default-http-backend:80 (10.8.0.4:8080)
TLS:
  kubelego-tls-proxy-jupyterhub terminates scotphp.flaxandteal.co.uk
Rules:
  Host                       Path  Backends
  ----                       ----  --------
  scotphp.flaxandteal.co.uk  
                             /   proxy-http:8000 (<none>)
Annotations:
Events:
  Type    Reason  Age   From                      Message
  ----    ------  ----  ----                      -------
  Normal  CREATE  57m   nginx-ingress-controller  Ingress jupyterhub/jupyterhub-internal
  Normal  UPDATE  56m   nginx-ingress-controller  Ingress jupyterhub/jupyterhub-internal
```

The corresponding YAML looks something like:

```
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: jupyterhub-internal
  namespace: jupyterhub
spec:
  rules:
  - host: scotphp.flaxandteal.co.uk
    http:
      paths:
      - backend:
          serviceName: proxy-http
          servicePort: 8000
        path: /
  tls:
  - hosts:
    - scotphp.flaxandteal.co.uk
    secretName: TLSSECRET
```

In particular, you will notice that there is a Kubernetes Secret required. This represents the SSL certificate. One option to manage these, which is an evolution of `kube-lego` amongst other tools is `cert-manager` - it can be installed as a Helm chart and will watch for Ingresses to work out which certificates to request (and from where). For more information, see [http://docs.cert-manager.io/en/latest/](http://docs.cert-manager.io/en/latest/)

(note for minikube users: if using this with minikube, you will need to run `minikube addons enable ingress` on the host. When an ingress is created, you should also add a rule to `/etc/hosts` to direct traffic for that domain to the output of `minikube ip`)

## Health, Logging and Scaling

* Monitoring

There are a number of monitoring solutions available. CoreOS, one of the driver organizations behind containerization, have provided a [Kubernetes Operator for Prometheus](https://github.com/coreos/prometheus-operator) - Operators are a relative recent, powerful tool for making Kubernetes more extensible, and allowing automated control loops, for example, to take care of dynamically-defined types of object.

Installing this operator, which can be done with `helm`, adds in several new types of Kubernetes object: PrometheusRule and AlertingRule being two examples. The operator can then keep a cluster-hosted Prometheus server dynamically changing its configuration as those are defined.

An additional Helm chart, [kube-prometheus](https://github.com/coreos/prometheus-operator/tree/master/helm/kube-prometheus) builds on this to provide live feeds of Pod, Service, Node resource usage, and alerting based off that. We have implemented a basic monitoring chart that adds support for Laravel failed job and exception tracking and alerts. While some of this can be done through the framework, this ensures that metrics and alerting can be managed centrally, and that individual, scaled out web-serving or queue processes are not responsible for contacting external APIs - rather they feed it back internally to be grouped, rate-managed, etc. in a standard way with the rest of the infrastructure.

* Log aggregation (fluentbit, fluentd)

As part of the deployment, we create fluent-bit DaemonSets - these are essentially Deployments that run one Pod on each Node (VM). Gathering logs is a perfect application for them. Fluent-bit is a reimplementation in C of a lot of Fluentd's functionality. Fluent-bit can gather logs from the containers' stdout/stderr and send these to Fluentd, or to a number of other aggregators, such as Elasticsearch.

In [79]:
kubectl get pods

NAME                                             READY     STATUS             RESTARTS   AGE
buckram-fluentd-79b748589f-psz7q                 1/1       Running            0          6m
buckram-laravel-nginx-6ddb575b85-s885l           1/1       Running            0          6m
buckram-laravel-phpfpm-1538728260-5nfnn          0/1       Completed          0          2m
buckram-laravel-phpfpm-1538728320-x5s2f          0/1       Completed          0          1m
buckram-laravel-phpfpm-1538728380-txfvv          0/1       Completed          0          24s
buckram-laravel-phpfpm-64c8854bb4-62gxz          0/1       ImagePullBackOff   0          1m
buckram-laravel-phpfpm-worker-85dc7df75b-q6x2m   1/1       Running            3          6m
buckram-postgresql-0                             1/1       Running            0          6m
buckram-redis-0                                  1/1       Running            0          6m
fluent-bit-7jx7t                                 1/1       Running            

In [80]:
helm list

NAME   	REVISION	UPDATED                 	STATUS  	CHART        	NAMESPACE        
buckram	2       	Fri Oct  5 08:31:02 2018	DEPLOYED	buckram-0.0.2	scotlandphp-m23ol


In [81]:
kubectl logs $(kubectl get pods --selector=app=buckram-fluentd -o=name)

chown: /fluentd/etc/fluent.conf: Read-only file system
2018-10-05 08:28:18 +0000 [info]: reading config file path="/fluentd/etc/fluent.conf"
2018-10-05 08:28:18 +0000 [info]: starting fluentd-0.12.42
2018-10-05 08:28:18 +0000 [info]: gem 'fluent-mixin-config-placeholders' version '0.4.0'
2018-10-05 08:28:18 +0000 [info]: gem 'fluent-plugin-cloudwatch-logs' version '0.4.4'
2018-10-05 08:28:18 +0000 [info]: gem 'fluent-plugin-secure-forward' version '0.4.5'
2018-10-05 08:28:18 +0000 [info]: gem 'fluentd' version '0.12.42'
2018-10-05 08:28:18 +0000 [info]: adding match in @mainstream pattern="kube.var.log.containers.**_kube-system_**" type="null"
2018-10-05 08:28:18 +0000 [info]: adding match in @mainstream pattern="**" type="file"
2018-10-05 08:28:18 +0000 [info]: adding source type="forward"
2018-10-05 08:28:18 +0000 [info]: using configuration file: <ROOT>
  <source>
    @type forward
    @id input1
    @label @mainstream
    port 24284
  </source>
  <label @mainstream>
    <match kube

* Autoscaling

It is possible to scale the number of deployed Pods automatically, using a HorizontalPodAutoscaler object, which responds to [predefined or custom metrics](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/). This is simplest to set up for CPU requests, but can work off, for example, [Prometheus metrics](https://github.com/directxman12/k8s-prometheus-adapter).

On the other hand, [Cluster Autoscaling](https://github.com/kubernetes/autoscaler) (where the number of Nodes changes) is cloud provider dependent. This is well-established especially for GKE, but also available for other Kubernetes providers.

# Minikube

(time permitting)

```
minikube start
[wait]
kubectl get nodes
```

This will show you one node - the VM that is running Kubernetes, and all that is on it. In normal usage, you would have a larger set of nodes - many setups will have a pool of nodes for masters, usually high in CPU resources, and a pool of nodes, perhaps smaller and more plentiful for granular horizontal scaling.

You can see the VM itself, once it has settled down, by running `minikube ssh`. Even more, you can see where Kubernetes rubber hits the road - if you run `docker ps`, you will see all the containers that make up Kubernetes and its apps.

### Exercise

Run an nginx deployment on minikube - check the output of `minikube ip` to see where it will be visible.

When you are finished, you can stop minikube with `minikube stop`, or delete it with `minikube delete`

# Docker-Compose

If you have `docker-compose` installed, clone down the https://gitlab.com/flaxandteal/buckram-demo-with-sample-docker Gitlab repository locally (your fork if you have it).

```
docker run -v $(pwd):/app composer install # or any other means of running composer, if you have it locally
cp .env.example .env
chmod -R ugo+rwX storage/logs bootstrap/cache   
./dartisan key:generate
./dartisan migrate
```

You should now be able to see a blank Laravel app at `localhost:8000` in your browser.

### Exercise

Run `make:auth` to scaffold login functionality. Can you get this running in Gitlab-CI and update it on the cluster here? In general, don't forget any migration and seeding that needs done on the live tool with `./artisan.sh`

### Exercise (includes some Python)

Start from a blank Laravel app. Run:
```
git init
git submodule add https://gitlab.com/flaxandteal/buckram-starter infrastructure
```

Install the Python script (if you are comfortable to do so) from ./infrastructure/python - this can be done with `pip3 install --user .` for instance and run `bookcloth local:initialize` in that directory. This should create a default docker-compose setup.

Push this to a new public Gitlab repo, and check it runs the CI. Update the images as above to run it in this cluster.

# Next steps

I hope you enjoyed this workshop and am looking forward to feedback!

* Follow-up course

# Notes

### Cloud Shell Setup

Local Development:
```
export PATH=~/.local/bin:$PATH
git clone https://gitlab.com/flaxandteal/buckram-demo-with-sample-docker
cd buckram-demo                                                                                                                                  
docker run -v $(pwd):/app composer install
git submodule init
git submodule update
(cd infrastructure; git pull origin master; git checkout master)
cp .env.example .env
./dartisan key:generate
./dartisan migrate
lynx localhost:8000
```

Helm Setup:
```
wget https://storage.googleapis.com/kubernetes-helm/helm-v2.11.0-linux-amd64.tar.gz 
tar -xzf helm-v2.11.0-linux-amd64.tar.gz
mv linux-amd64/helm ~/.local/bin
```