SLAC Kubernetes (K8s) app deployment template
This repo is intended to provide examples and best practices for deploying various workloads on SLAC Kubernetes clusters.
The example manifests provided in this repo can be customized by developers to get their application running on SLAC Kubernetes infrastructure. These examples will be updated as new best practices and technologies are introduced (e.g., new operators).
Below is an overview of a typical workload deployment on SLAC K8s infrastructure.
Generation and updating of manifests and K8s resources (Secrets, ConfigMaps, etc.) from external project repos, helm charts, or secrets databases are managed via Makefile targets. This is done to normalize our deployments and bring all Kubernetes configuration management under Kustomize control. Make targets are also defined to consolidate and simplify updating and applying changes to deployments.
Configuration management is handled by the Kubernetes-native Kustomize tool. Using this tool allows all aspects of a K8s deployment to be configured in a declarative, self-documenting manner, including off-the-shelf components like operators and helm charts (see below) via kustomization manifests. We also utilize the Kustomize base/overlay model for hierarchical/inherited deployments, which enables easier management of multiple deployments with common configurations, e.g.:
<application_root>
\__ kubernetes
    |__ overlays
        \__ dev/kustomization.yaml    # (May inherit and override configurations from ../../base/kustomization.yaml)
        |__ stage/kustomization.yaml  # "
        |__ prod/kustomization.yaml   # "
We utilize the Kubernetes operator pattern when possible to automate tasks and streamline deployments. Several examples of off-the-shelf operators for common applications are provided: database administration (Postgres, MySQL, MongoDB), event/message streaming (Kafka). These operators are deployed by downloading/extracting their manifests via curl or helm and managed by Kustomize.
Kubernetes Secrets are stored in a HashiCorp Vault instance and passed via make to Kustomize's secretGenerator, which creates the appropriate Kubernetes Secret objects when applied. The secrets are then available to be consumed by other Kubernetes objects.
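
The Vault-to-secretGenerator flow described above, sketched as a Makefile. This is an added example, not the repo's own targets; the Vault path, overlay layout, field names and the secret name `myapp-db` are hypothetical placeholders.

```makefile
# Added example, not taken from the SLAC repo. VAULT_PATH, SECRET_DIR, FIELDS
# and the secret name "myapp-db" are assumptions made for illustration.
#
# $(OVERLAY)/kustomization.yaml is assumed to contain:
#
#   secretGenerator:
#     - name: myapp-db
#       files:
#         - etc/.secrets/username
#         - etc/.secrets/password
#
# and etc/.secrets/ is assumed to be listed in .gitignore so the plaintext
# copies fetched from Vault can never be committed.

SHELL      := /bin/sh
OVERLAY    ?= overlays/dev
VAULT_PATH ?= secret/myapp/dev
SECRET_DIR := $(OVERLAY)/etc/.secrets
FIELDS     := username password

.PHONY: get-secrets clean-secrets dump apply

# Fetch each field into its own file. umask 077 makes the directory and files
# owner-only; a failed read removes whatever was already written.
get-secrets:
	@umask 077; mkdir -p $(SECRET_DIR); \
	for f in $(FIELDS); do \
	  vault kv get -field=$$f $(VAULT_PATH) > $(SECRET_DIR)/$$f \
	    || { rm -rf $(SECRET_DIR); exit 1; }; \
	done

# Remove the plaintext copies from the working tree.
clean-secrets:
	@rm -rf $(SECRET_DIR)

# Render the manifests for review. The output contains base64-encoded
# (not encrypted) Secret data, so do not paste it into tickets or logs.
dump: get-secrets
	@kubectl kustomize $(OVERLAY); rc=$$?; $(MAKE) -s clean-secrets; exit $$rc

# Build and apply the overlay, then clean up whether or not the apply succeeded.
apply: get-secrets
	@kubectl apply -k $(OVERLAY); rc=$$?; $(MAKE) -s clean-secrets; exit $$rc
```

Running `make apply OVERLAY=overlays/stage VAULT_PATH=...` selects a different overlay and Vault path; the caller needs an authenticated Vault session for the reads to succeed.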