trevex/dogcat

dogcat

Note

I recently talked about Platform Engineering at a conference, you can find the slides here.

Dogcat is a complex demo that illustrates an application delivery process involving both the development team and a platform team providing an internal developer platform (IDP).

This demo covers a lot of ground, so some familiarity with the technology used by the demo is preferable. Check out the section below!

Overview

In chapter01 the development team leverages serverless technology to quickly execute their POC and make it available. However, the decision is then made to migrate the application to the existing Kubernetes platform.

From the perspective of the platform team, chapter02a goes into how the platform is assembled and how functionality is provided to development teams by leveraging the Kubernetes Resource Model (KRM).

Finally, chapter02b migrates and deploys the application to the platform and illustrates how the team adopts the established workflows.

NOTE: Keep in mind that the platform created by this demo might not fit your needs; it was tailored to the (fictional) needs of the (fictional) teams. You can find some background about the development team in chapter01, and chapter02a gives an outline of the platform team.

Technology

A rough overview of the technology involved can be seen in the following diagram, which does not cover all cloud services (check the section below for more details):

[Diagram: Dogcat platform architecture, overview of components]

Open source software

As seen in the diagram above, the platform leverages several OSS projects, most of which are under the Cloud Native Computing Foundation (CNCF, sub-organization of the Linux Foundation) umbrella.

To quickly get an idea about the purpose and scope of this demo, see the list below with comments regarding how each project is used:

  • terraform: Used by the platform team to provision the cloud resources for the IDP and indirectly used by Crossplane Compositions to expose functionality to development teams.
  • Crossplane: Platform team provides Crossplane Compositions to development teams for extended capabilities in Kubernetes, such as WorkloadIdentity, IAP and CloudSQL.
  • ArgoCD: Used for continuous declarative deployments following GitOps paradigm.
  • Tekton: Primary CI system of the IDP. The platform team provides task templates that can be leveraged by development teams; Tekton Chains automatically attests and signs the process and its artifacts.
  • cert-manager: Automatically provides TLS certificates using DNS01 challenges for Ingress resources.
  • external-dns: Automatically creates DNS records for Ingress resources.
  • Kyverno: Policies and constraints for the GKE clusters, e.g. only allow signed images, enforce labels, ...
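As an added illustration of the two Kyverno checks named above (this is not a policy from the dogcat repository), the ClusterPolicy below rejects Pods whose images from the platform registry do not carry a cosign signature verifiable with the platform's Cloud KMS key, and rejects workloads that lack a team label. The registry path, project id, key ring and key names are placeholders; the Kyverno service account is assumed to reach Cloud KMS via WorkloadIdentity.

```yaml
# Added example, not part of the dogcat repo. Placeholders: PROJECT_ID,
# the Artifact Registry path, KEYRING and KEY must match your platform.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: dogcat-platform-constraints
spec:
  validationFailureAction: Enforce   # reject, do not merely audit
  background: false
  failurePolicy: Fail                # a verification outage blocks admission
  webhookTimeoutSeconds: 30          # KMS round-trips take longer than defaults
  rules:
    # Rule 1: only allow images signed with the platform's KMS key.
    - name: require-kms-signed-images
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "europe-west1-docker.pkg.dev/PROJECT_ID/dogcat/*"
          required: true         # unsigned matching images are rejected
          mutateDigest: true     # tag references are pinned to the verified digest
          verifyDigest: true
          attestors:
            - count: 1
              entries:
                # Public key is fetched from Cloud KMS; Kyverno's service
                # account needs cloudkms.cryptoKeyVersions.viewPublicKey
                # on this key (granted via WorkloadIdentity).
                - keys:
                    kms: "gcpkms://projects/PROJECT_ID/locations/europe/keyRings/KEYRING/cryptoKeys/KEY/cryptoKeyVersions/1"
    # Rule 2: enforce an ownership label on workload resources.
    - name: require-team-label
      match:
        any:
          - resources:
              kinds:
                - Deployment
                - StatefulSet
                - Job
      validate:
        message: "workloads must carry the label app.kubernetes.io/part-of"
        pattern:
          metadata:
            labels:
              app.kubernetes.io/part-of: "?*"   # any non-empty value
```

Apply it with kubectl and confirm that an unsigned image from the same registry path is refused at admission before relying on it in a cluster.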

Cloud Services

While chapter01 mainly leverages:

This is extended in chapter02a, which also touches the following Google Cloud resources:

  • VPC provides the underlying network for the platform.
  • Cloud DNS is used for dedicated zones for each project.
  • Artifact Registry is the Docker container registry and also stores the image signatures.
  • Cloud Key Management is used to sign images and attest the CI process.
  • Google Kubernetes Engine (GKE) provides the Kubernetes cluster and some related functionality such as WorkloadIdentity and an Ingress controller that creates load balancers.
  • Identity-Aware Proxy is used to protect internal services so that only particular users or domains are allowed access.