Introduction
Kubernetes is getting adopted rapidly across the software industry and is becoming the most preferred option for deploying and managing containerized applications. Once we have a fully functional Kubernetes cluster we need to have an automated process to deploy our applications on it. In this blog post, we will create a fully automated “commit to deploy” pipeline for Kubernetes. We will use CircleCI & helm for it.
What is CircleCI?
CircleCI is a fully managed saas offering which allows us to build, test or deploy our code on every check in. For getting started with circle we need to log into their web console with our GitHub or bitbucket credentials then add a project for the repository we want to build and then add the CircleCI config file to our repository. The CircleCI config file is a yaml file which lists the steps we want to execute on every time code is pushed to that repository.
Some salient features of CircleCI is:
- Little or no operational overhead as the infrastructure is managed completely by CircleCI.
- User authentication is done via GitHub or bitbucket so user management is quite simple.
- It automatically notifies the build status on the github/bitbucket email ids of the users who are following the project on CircleCI.
- The UI is quite simple and gives a holistic view of builds.
- Can be integrated with Slack, hipchat, jira, etc.
What is Helm?
Helm is chart manager where chart refers to package of Kubernetes resources. Helm allows us to bundle related Kubernetes objects into charts and treat them as a single unit of deployment referred to as release. For example, you have an application app1 which you want to run on Kubernetes. For this app1 you create multiple Kubernetes resources like deployment, service, ingress, horizontal pod scaler, etc. Now while deploying the application you need to create all the Kubernetes resources separately by applying their manifest files. What helm does is it allows us to group all those files into one chart (Helm chart) and then we just need to deploy the chart. This also makes deleting and upgrading the resources quite simple.
Some other benefits of Helm is:
- It makes the deployment highly configurable. Thus just by changing the parameters, we can use the same chart for deploying on multiple environments like stag/prod or multiple cloud providers.
- We can rollback to a previous release with a single helm command.
- It makes managing and sharing Kubernetes specific application much simpler.
Note: Helm is composed of two components one is helm client and the other one is tiller server. Tiller is the component which runs inside the cluster as deployment and serves the requests made by helm client. Tiller has potential security vulnerabilities thus we will use tillerless helm in our pipeline which runs tiller only when we need it.
Building the Pipeline
Overview:
We will create the pipeline for a Golang application. The pipeline will first build the binary, create a docker image from it, push the image to ECR, then deploy it on the Kubernetes cluster using its helm chart.
We will use a simple app which just exposes a `hello` endpoint and returns the hello world message:
package main
import (
"encoding/json"
"net/http"
"log"
"github.com/gorilla/mux"
)
type Message struct {
Msg string
}
func helloWorldJSON(w http.ResponseWriter, r *http.Request) {
m := Message{"Hello World"}
response, _ := json.Marshal(m)
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(http.StatusOK)
w.Write(response)
}
func main() {
r := mux.NewRouter()
r.HandleFunc("/hello", helloWorldJSON).Methods("GET")
if err := http.ListenAndServe(":8080", r); err != nil {
log.Fatal(err)
}
}We will create a docker image for hello app using the following Dockerfile:
FROM centos/systemd MAINTAINER "Akash Gautam" <akash.gautam@velotio.com> COPY hello-app / ENTRYPOINT ["/hello-app"]
Creating Helm Chart:
Now we need to create the helm chart for hello app.
First, we create the Kubernetes manifest files. We will create a deployment and a service file:
apiVersion: apps/v1beta1
kind: Deployment
metadata:
name: helloapp
spec:
replicas: 1
strategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 1
maxUnavailable: 1
template:
metadata:
labels:
app: helloapp
env: {{ .Values.labels.env }}
cluster: {{ .Values.labels.cluster }}
spec:
containers:
- name: helloapp
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
imagePullPolicy: {{ .Values.image.imagePullPolicy }}
readinessProbe:
httpGet:
path: /hello
port: 8080
initialDelaySeconds: 5
periodSeconds: 5
successThreshold: 1apiVersion: v1
kind: Service
metadata:
name: helloapp
spec:
type: {{ .Values.service.type }}
ports:
- name: helloapp
port: {{ .Values.service.port }}
protocol: TCP
targetPort: {{ .Values.service.targetPort }}
selector:
app: helloappIn the above file, you must have noticed that we have used .Values object. All the values that we specify in the values.yaml file in our helm chart can be accessed using the .Values object inside the template.
Let’s create the helm chart now:
helm create helloappAbove command will create a chart helm chart folder structure for us.
helloapp/
|
|- .helmignore # Contains patterns to ignore when packaging Helm charts.
|
|- Chart.yaml # Information about your chart
|
|- values.yaml # The default values for your templates
|
|- charts/ # Charts that this chart depends on
|
|- templates/ # The template filesWe can remove the charts/ folder inside our helloapp chart as our chart won’t have any sub-charts. Now we need to move our Kubernetes manifest files to the template folder and update our values.yaml and Chart.yaml
Our values.yaml looks like:
image:
tag: 0.0.1
repository: 123456789870.dkr.ecr.us-east-1.amazonaws.com/helloapp
imagePullPolicy: Always
labels:
env: "staging"
cluster: "eks-cluster-blog"
service:
port: 80
targetPort: 8080
type: LoadBalancerThis allows us to make our deployment more configurable. For example, here we have set our service type as LoadBalancer in values.yaml but if we want to change it to nodePort we just need to set is as NodePort while installing the chart (–set service.type=NodePort). Similarly, we have set the image pull policy as Always which is fine for development/staging environment but when we deploy to production we may want to set is as ifNotPresent. In our chart, we need to identify the parameters/values which may change from one environment to another and make them configurable. This allows us to be flexible with our deployment and reuse the same chart
Finally, we need to update Chart.yaml file. This file mostly contains metadata about the chart like the name, version, maintainer, etc, where name & version are two mandatory fields for Chart.yaml.
version: 1.0.0
appVersion: 0.0.1
name: helloapp
description: Helm chart for helloapp
source:
- https://github.com/akash-gautam/helloappNow our Helm chart is ready we can start with the pipeline. We need to create a folder named .circleci in the root folder of our repository and create a file named config.yml in it. In our config.yml we have defined two jobs one is build&pushImage and deploy.
Configure the pipeline:
build&pushImage:
working_directory: /go/src/hello-app (1)
docker:
- image: circleci/golang:1.10 (2)
steps:
- checkout (3)
- run: (4)
name: build the binary
command: go build -o hello-app
- setup_remote_docker: (5)
docker_layer_caching: true
- run: (6)
name: Set the tag for the image, we will concatenate the app verson and circle build number with a `-` char in between
command: echo 'export TAG=$(cat VERSION)-$CIRCLE_BUILD_NUM' >> $BASH_ENV
- run: (7)
name: Build the docker image
command: docker build . -t ${CIRCLE_PROJECT_REPONAME}:$TAG
- run: (8)
name: Install AWS cli
command: export TZ=Europe/Minsk && sudo ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > sudo /etc/timezone && sudo apt-get update && sudo apt-get install -y awscli
- run: (9)
name: Login to ECR
command: $(aws ecr get-login --region $AWS_REGION | sed -e 's/-e none//g')
- run: (10)
name: Tag the image with ECR repo name
command: docker tag ${CIRCLE_PROJECT_REPONAME}:$TAG ${HELLOAPP_ECR_REPO}:$TAG
- run: (11)
name: Push the image the ECR repo
command: docker push ${HELLOAPP_ECR_REPO}:$TAG- We set the working directory for our job, we are setting it on the gopath so that we don’t need to do anything additional.
- We set the docker image inside which we want the job to run, as our app is built using golang we are using the image which already has golang installed in it.
- This step checks out our repository in the working directory
- In this step, we build the binary
- Here we setup docker with the help of setup_remote_docker key provided by CircleCI.
- In this step we create the tag we will be using while building the image, we use the app version available in the VERSION file and append the $CIRCLE_BUILD_NUM value to it, separated by a dash (`-`).
- Here we build the image and tag.
- Installing AWS CLI to interact with the ECR later.
- Here we log into ECR
- We tag the image build in step 7 with the ECR repository name.
- Finally, we push the image to ECR.
Now we will deploy our helm charts. For this, we have a separate job deploy.
deploy:
docker: (1)
- image: circleci/golang:1.10
steps: (2)
- checkout
- run: (3)
name: Install AWS cli
command: export TZ=Europe/Minsk && sudo ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > sudo /etc/timezone && sudo apt-get update && sudo apt-get install -y awscli
- run: (4)
name: Set the tag for the image, we will concatenate the app verson and circle build number with a `-` char in between
command: echo 'export TAG=$(cat VERSION)-$CIRCLE_PREVIOUS_BUILD_NUM' >> $BASH_ENV
- run: (5)
name: Install and confgure kubectl
command: sudo curl -L https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl -o /usr/local/bin/kubectl && sudo chmod +x /usr/local/bin/kubectl
- run: (6)
name: Install and confgure kubectl aws-iam-authenticator
command: curl -o aws-iam-authenticator https://amazon-eks.s3-us-west-2.amazonaws.com/1.10.3/2018-07-26/bin/linux/amd64/aws-iam-authenticator && sudo chmod +x ./aws-iam-authenticator && sudo cp ./aws-iam-authenticator /bin/aws-iam-authenticator
- run: (7)
name: Install latest awscli version
command: sudo apt install unzip && curl "https://s3.amazonaws.com/aws-cli/awscli-bundle.zip" -o "awscli-bundle.zip" && unzip awscli-bundle.zip &&./awscli-bundle/install -b ~/bin/aws
- run: (8)
name: Get the kubeconfig file
command: export KUBECONFIG=$HOME/.kube/kubeconfig && /home/circleci/bin/aws eks --region $AWS_REGION update-kubeconfig --name $EKS_CLUSTER_NAME
- run: (9)
name: Install and configuire helm
command: sudo curl -L https://storage.googleapis.com/kubernetes-helm/helm-v2.11.0-linux-amd64.tar.gz | tar xz && sudo mv linux-amd64/helm /bin/helm && sudo rm -rf linux-amd64
- run: (10)
name: Initialize helm
command: helm init --client-only --kubeconfig=$HOME/.kube/kubeconfig
- run: (11)
name: Install tiller plugin
command: helm plugin install https://github.com/rimusz/helm-tiller --kubeconfig=$HOME/.kube/kubeconfig
- run: (12)
name: Release helloapp using helm chart
command: bash scripts/release-helloapp.sh $TAG- Set the docker image inside which we want to execute the job.
- Check out the code using `checkout` key
- Install AWS CLI.
- Setting the value of tag just like we did in case of build&pushImage job. Note that here we are using CIRCLE_PREVIOUS_BUILD_NUM variable which gives us the build number of build&pushImage job and ensures that the tag values are the same.
- Download kubectl and making it executable.
- Installing aws-iam-authenticator this is required because my k8s cluster is on EKS.
- Here we install the latest version of AWS CLI, EKS is a relatively newer service from AWS and older versions of AWS CLI doesn’t have it.
- Here we fetch the kubeconfig file. This step will vary depending upon where the k8s cluster has been set up. As my cluster is on EKS am getting the kubeconfig file via. AWS CLI similarly if your cluster in on GKE then you need to configure gcloud and use the command `gcloud container clusters get-credentials <cluster-name> –zone=<zone-name>`. We can also have the kubeconfig file on some other secure storage system and fetch it from there.</zone-name></cluster-name>
- Download Helm and make it executable
- Initializing helm, note that we are initializing helm in client only mode so that it doesn’t start the tiller server.
- Download the tillerless helm plugin
- Execute the release-helloapp.sh shell script and pass it TAG value from step 4.
In the release-helloapp.sh script we first start tiller, after this, we check if the release is already present or not if it is present then we upgrade otherwise we make a new release. Here we override the value of tag for the image present in the chart by setting it to the tag of the newly built image, finally, we stop the tiller server.
#!/bin/bash
TAG=$1
echo "start tiller"
export KUBECONFIG=$HOME/.kube/kubeconfig
helm tiller start-ci
export HELM_HOST=127.0.0.1:44134
result=$(eval helm ls | grep helloapp)
if [ $? -ne "0" ]; then
helm install --timeout 180 --name helloapp --set image.tag=$TAG charts/helloapp
else
helm upgrade --timeout 180 helloapp --set image.tag=$TAG charts/helloapp
fi
echo "stop tiller"
helm tiller stop The complete CircleCI config.yml file looks like:
version: 2
jobs:
build&pushImage:
working_directory: /go/src/hello-app
docker:
- image: circleci/golang:1.10
steps:
- checkout
- run:
name: build the binary
command: go build -o hello-app
- setup_remote_docker:
docker_layer_caching: true
- run:
name: Set the tag for the image, we will concatenate the app verson and circle build number with a `-` char in between
command: echo 'export TAG=$(cat VERSION)-$CIRCLE_BUILD_NUM' >> $BASH_ENV
- run:
name: Build the docker image
command: docker build . -t ${CIRCLE_PROJECT_REPONAME}:$TAG
- run:
name: Install AWS cli
command: export TZ=Europe/Minsk && sudo ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > sudo /etc/timezone && sudo apt-get update && sudo apt-get install -y awscli
- run:
name: Login to ECR
command: $(aws ecr get-login --region $AWS_REGION | sed -e 's/-e none//g')
- run:
name: Tag the image with ECR repo name
command: docker tag ${CIRCLE_PROJECT_REPONAME}:$TAG ${HELLOAPP_ECR_REPO}:$TAG
- run:
name: Push the image the ECR repo
command: docker push ${HELLOAPP_ECR_REPO}:$TAG
deploy:
docker:
- image: circleci/golang:1.10
steps:
- attach_workspace:
at: /tmp/workspace
- checkout
- run:
name: Install AWS cli
command: export TZ=Europe/Minsk && sudo ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > sudo /etc/timezone && sudo apt-get update && sudo apt-get install -y awscli
- run:
name: Set the tag for the image, we will concatenate the app verson and circle build number with a `-` char in between
command: echo 'export TAG=$(cat VERSION)-$CIRCLE_PREVIOUS_BUILD_NUM' >> $BASH_ENV
- run:
name: Install and confgure kubectl
command: sudo curl -L https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl -o /usr/local/bin/kubectl && sudo chmod +x /usr/local/bin/kubectl
- run:
name: Install and confgure kubectl aws-iam-authenticator
command: curl -o aws-iam-authenticator https://amazon-eks.s3-us-west-2.amazonaws.com/1.10.3/2018-07-26/bin/linux/amd64/aws-iam-authenticator && sudo chmod +x ./aws-iam-authenticator && sudo cp ./aws-iam-authenticator /bin/aws-iam-authenticator
- run:
name: Install latest awscli version
command: sudo apt install unzip && curl "https://s3.amazonaws.com/aws-cli/awscli-bundle.zip" -o "awscli-bundle.zip" && unzip awscli-bundle.zip &&./awscli-bundle/install -b ~/bin/aws
- run:
name: Get the kubeconfig file
command: export KUBECONFIG=$HOME/.kube/kubeconfig && /home/circleci/bin/aws eks --region $AWS_REGION update-kubeconfig --name $EKS_CLUSTER_NAME
- run:
name: Install and configuire helm
command: sudo curl -L https://storage.googleapis.com/kubernetes-helm/helm-v2.11.0-linux-amd64.tar.gz | tar xz && sudo mv linux-amd64/helm /bin/helm && sudo rm -rf linux-amd64
- run:
name: Initialize helm
command: helm init --client-only --kubeconfig=$HOME/.kube/kubeconfig
- run:
name: Install tiller plugin
command: helm plugin install https://github.com/rimusz/helm-tiller --kubeconfig=$HOME/.kube/kubeconfig
- run:
name: Release helloapp using helm chart
command: bash scripts/release-helloapp.sh $TAG
workflows:
version: 2
primary:
jobs:
- build&pushImage
- deploy:
requires:
- build&pushImageAt the end of the file, we see the workflows, workflows control the order in which the jobs specified in the file are executed and establishes dependencies and conditions for the job. For example, we may want our deploy job trigger only after my build job is complete so we added a dependency between them. Similarly, we may want to exclude the jobs from running on some particular branch then we can specify those type of conditions as well.
We have used a few environment variables in our pipeline configuration some of them were created by us and some were made available by CircleCI. We created AWS_REGION, HELLOAPP_ECR_REPO, EKS_CLUSTER_NAME, AWS_ACCESS_KEY_ID & AWS_SECRET_ACCESS_KEY variables. These variables are set via. CircleCI web console by going to the projects settings. Other variables that we have used are made available by CircleCI as a part of its environment setup process. Complete list of environment variables set by CircleCI can be found here.
Verify the working of the pipeline:
Once everything is set up properly then our application will get deployed on the k8s cluster and should be available for access. Get the external IP of the helloapp service and make a curl request to the hello endpoint
$ curl http://a31e25e7553af11e994620aebe144c51-242977608.us-west-2.elb.amazonaws.com/hello && printf "n"
{"Msg":"Hello World"}Now update the code and change the message “Hello World” to “Hello World Returns” and push your code. It will take a few minutes for the pipeline to complete execution and once it is complete make the curl request again to see the changes getting reflected.
$ curl http://a31e25e7553af11e994620aebe144c51-242977608.us-west-2.elb.amazonaws.com/hello && printf "n"
{"Msg":"Hello World Returns"}Also, verify that a new tag is also created for the helloapp docker image on ECR.
Conclusion
In this blog post, we explored how we can set up a CI/CD pipeline for kubernetes and got basic exposure to CircleCI and Helm. Although helm is not absolutely necessary for building a pipeline, it has lots of benefits and is widely used across the industry. We can extend the pipeline to consider the cases where we have multiple environments like dev, staging & production and make the pipeline deploy the application to any of them depending upon some conditions. We can also add more jobs like integration tests. All the codes used in the blog post are available here.
Related Reads:
