Helm is a package manager for Kubernetes
which helps users create templated packages called Helm Charts to
include all Kubernetes resources that are required to deploy a
particular application. Helm then assists with installing the Helm Chart
on Kubernetes, and afterwards it can upgrade or rollback the installed
package when new versions are available. Helm Charts are particularly
useful for installation and upgrade of stateless applications given that
the Kubernetes resources and the application image can simply be
updated to newer versions.
Helm 2 was based on a server-side
component named Tiller which was responsible for performing Helm
operations on Kubernetes clusters. Tiller was designed prior to
Kubernetes role-based access control (RBAC) and although useful for
single-tenant clusters, its permissive configuration could grant users a
wide array of unintended permissions. Therefore it was recognised as a
major security concern on multi-tenant clusters, which prevented many
enterprise users from using Helm in production environments. OpenShift
is an enterprise Kubernetes platform, and therefore we didn’t recommend
the use of Helm 2 in production, even though it was possible to disable
OpenShift security features in order for Helm 2 to be used on OpenShift.
Helm 3 was recently released as GA in
the Helm community. Its major change is the removal of Tiller and a
pivot to a client-side architecture, which addresses the aforementioned
security concerns and removes the barrier to using Helm in enterprise
environments.
Starting from OpenShift 4.3 you can download Helm 3 via the OpenShift Web Console or directly from our mirror, as per the documentation.
Nevertheless, if you are using an earlier version of OpenShift or would like to try the latest Helm 3 version, you can do it easily.
$ #Download latest Helm 3 from https://github.com/helm/helm/releases
$ tar -xvf helm-v3*.tar.gz
$ #The archive unpacks into an <os>-<arch> directory, e.g. linux-amd64
$ mv linux-amd64/helm /usr/local/bin
$ helm version
$ helm repo add stable https://kubernetes-charts.storage.googleapis.com
Once Helm 3 is up and running on your workstation, let's deploy a sample tomcat Chart to OpenShift.
The easiest way would be to install it directly to OpenShift using the helm install command, but this will fail due to the OpenShift Security Context Constraints configuration, which prohibits deployment of pods exposing host ports. Of course we can disable this configuration, but I don't want to introduce an unnecessary security vulnerability to my OpenShift cluster. Hence we first need to pull and modify the tomcat Chart locally:
$ helm pull stable/tomcat --untar
$ sed -i "s/hostPort/#hostPort/g" ./tomcat/values.yaml
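The sed above edits values.yaml blindly, so it is worth confirming that the rendered manifests really no longer request a host port before installing. The following is an added example, not part of the original post: scc_precheck and sample_manifest are hypothetical helper names, the manifest is constructed sample input, and the checks beyond hostPort (host namespaces, privileged containers) generalize to other settings the restricted SCC rejects.

```shell
#!/bin/sh
# Added example. Reads rendered manifests on stdin and reports settings that
# the "restricted" SCC rejects; exits non-zero if any are found.
# Usage: helm template ./tomcat | scc_precheck && helm install ./tomcat --generate-name
scc_precheck() {
  awk '
    BEGIN        { kind = "?"; name = "?" }
    /^---/       { kind = "?"; name = "?"; in_meta = 0; next }  # new YAML document
    /^ *#/       { next }                                       # commented-out line
    /^kind:/     { kind = $2 }
    /^metadata:/ { in_meta = 1; next }
    /^[^ ]/      { in_meta = 0 }                                # any other top-level key
    in_meta && /^  name:/ { name = $2 }
    /^[ -]*hostPort: *[0-9]/ ||
    /^[ -]*(hostNetwork|hostPID|hostIPC|privileged): *true/ {
      setting = $0
      sub(/^[ -]*/, "", setting)                                # drop indentation and list dash
      print kind "/" name ": " setting
      found++
    }
    END { exit (found > 0) }                                    # non-zero if anything was flagged
  '
}

# Constructed sample of rendered output (not the real chart's manifests).
sample_manifest() {
  cat <<'EOF'
---
apiVersion: v1
kind: Service
metadata:
  name: tomcat
spec:
  ports:
    - port: 80
      targetPort: 8080
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomcat
spec:
  template:
    spec:
      containers:
        - name: tomcat
          ports:
            - containerPort: 8080
              hostPort: 8009
EOF
}
```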
Now we can install the tomcat chart to OpenShift:
$ oc new-project helm-tomcat-demo
$ helm install ./tomcat --generate-name
After a while you should see the tomcat pod up and running. Since this chart doesn't define an ingress, you can easily create an OpenShift Route to access the tomcat sample application from outside of the cluster:
$ oc expose svc $(oc get svc --no-headers | awk '{print $1}')
$ curl $(oc get route --no-headers | awk '{print $2}')/sample/
Finally you can also use Helm to uninstall your tomcat Chart deployment:
$ helm uninstall $(helm ls | grep tomcat | awk '{print $1}')
$ oc delete project helm-tomcat-demo
Learn more about OpenShift 4.3 and Helm 3 integration here.