Software requirements
To continue with this guide you need to install some open-source software:
- docker: https://docs.docker.com/engine/install/
- minikube: https://minikube.sigs.k8s.io/docs/start/
- kubectl: https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/
- helm3: https://helm.sh/docs/intro/install/
- helm diff plugin: https://github.com/databus23/helm-diff#install (Workaround for Windows if there are problems with installation )
- helmfile: https://helmfile.readthedocs.io/en/latest/#installation
All software can be installed on any popular operating systems, such as Windows, macOS or Linux. The following examples were tested on Ubuntu 22.04.
You may use following bash scripts to install the all necessary utilities
Introduction to Kubernetes
Resources listed below will help you understand how Kubernetes works.
- Kubernetes concepts - Kubernetes official page. It will allow you to learn about pods, deployments, services and more.
- Very simple introduction - short overview of how Kubernetes works and what its benefits are.
- A Kubernetes quick start for people who know just enough about Docker - quick guide that can come in handy when you already understand Docker a little and want to master Kubernetes.
Prepare environment
For our task, we will use a minimalist local Kubernetes cluster with one node - a minikube. In order for it to work, you need an installed container or virtual machine manager, like Docker, QEMU, KVM, VMWare Workstation or VirtualBox
To start minikube cluster, run the following command from a terminal with administrator access (but not logged in as root):
minikube start
If minikube fails to start, сheck out the official guide by link
Make sure that minikube is running and check availability of necessary tools:
$ minikube status
minikube
type: Control Plane
host: Running
kubelet: Running
apiserver: Running
kubeconfig: Configured
# check the helm version (it should be v3 or higher)
$ helm version
version.BuildInfo{Version:"v3.13.0", GitCommit:"825e86f6a7a38cef1112bfa606e4127a706749b1", GitTreeState:"clean", GoVersion:"go1.20.8"}
# check if "helm diff" plugin was installed successfully
helm plugin list
NAME VERSION DESCRIPTION
diff 3.6.0 Preview helm upgrade changes as a diff
# check if "helmfile" was installed successfully
$ helmfile version
▓▓▓ helmfile
Version 0.154.0
Git Commit c498af3
Build Date 24 May 23 02:31 EEST (4 months ago)
Commit Date 24 May 23 02:29 EEST (4 months ago)
Dirty Build no
Go version 1.20.4
Compiler gc
Platform linux/amd64
Application development
Docker image requirements
- The application should not store SSL certificates and keys inside the container. TLS processing is provided by Kubernetes tools. Your application should work with HTTP
If you already have a ready-made docker image, you can skip this point
Start helming
To check whether everything is ready to work, you can create a basic helm chart at link and deploy it to a Kubernetes cluster.
You can also read a detailed guide on creating a helm chart. All basic steps are described there, after reading it you will understand the structure of a helm chart and learn how to deploy and roll back changes.
Creating helm chart for your application
Helm chart requirements
- We use Oracle cloud provider. If you are creating some specific applications, you should read the Oracle documentation (use cases such as using load balancers, etc.)
- Traefik is used as an ingress controller. You should use such resources as IngressRoutes, etc. (default "Ingress" resources will not work).
- You cannot use Services with the NodePort type (our nodes are in a private network).
- You should retain the ability to add common annotations or labels to all helm chart resources (this may be necessary to identify applications).
How to install traefik in minikube
It can be deployed in two ways.
1 Method.
Create helmfile-traefik.yaml file with the following configuration
repositories:
- name: traefik
url: https://helm.traefik.io/traefik
releases:
- name: traefik
namespace: default
chart: traefik/traefik
version: 24.0.0 #remove the version to automatically install the latest version
values:
- providers:
kubernetesCRD:
allowCrossNamespace: true # Allows IngressRoute to reference resources in namespace other than theirs
- ingressRoute:
dashboard:
entryPoints: ["web", "traefik"] # Allows to access the dashboard on the "web" entrypoint
Deploy traefik to minikube cluster with the following command:
~/api-project$ helmfile -f helmfile-traefik.yaml apply
2 Method.
Deploy using the helm command
In order to check whether the traffic is working, you can open its dashboard
In a separate console, run the command (and leave this command running, it should be running all the time)
minikube tunnel
The command requires the user to enter a password a few seconds after it is launched
See External-IP
$ kubectl get service traefik NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE traefik LoadBalancer 10.97.210.197 10.97.210.197 80:31977/TCP,443:31863/TCP 62s
Open traefik dashboard in browser at the url: http://10.97.210.197/dashboard/ . The dashboard looks like this in the figure below
Development of the chart
We have created a basic chart that meets our requirements and you can use it as an example to create your own personal chart.
Let's extract files from archive with the following command
#create separate directory ~/api-chart$ mkdir chart && cd chart #extract archive ~/api-chart/chart$ tar -xvzf basic-chart-1.0.0.tgz basic-chart/Chart.yaml basic-chart/values.yaml basic-chart/templates/_helpers.tpl basic-chart/templates/configmap-app-config.yaml basic-chart/templates/configmap-app-envs.yaml basic-chart/templates/deployment.yaml basic-chart/templates/ingressroute.yaml basic-chart/templates/secret-app-config.yaml basic-chart/templates/secret-app-envs.yaml basic-chart/templates/service.yaml basic-chart/templates/tls-secret.yaml basic-chart/.helmignore
Adjust the helm chart to the configuration you need
Helm syntax explanation
Open directory basic-chart in any text editor and make the following changes. Usually, the repository and port of your application do not change, so it is worth changing it to the default values so that it is not specified every time the application is deployed.
app:
....
image:
repository: "" #please specify the repository (like docker.io/mongo)
pullPolicy: IfNotPresent
tag: "" # please specify a default tag
....
service:
type: ClusterIP
port: 8081 # Specify the port that is exposed in your docker container
Change the name of the chart to match the name of your application
- Modify file
basic-chart/Chart.yamlChart.yamlapiVersion: v2 name: basic-chart # Set an appropriate <chart-name> here description: A Helm chart for Kubernetes version: 1.0.0
Version
Please pay attention to the "version" field.
We recommend setting the same version as the version of the docker image (if your helm chart describes a single container deployment). If your chart describes more than one deployment, we recommend using a version of one of the main docker images. It is also not recommended to change the version of an existing chart. That is, if the configuration changes, then you should release a new version of the chart with corrections. - Change directory name
~/api-project/chart$ mv basic-chart/ <chart-name>/
- Change templates
~/api-project/chart$ sed -i 's/basic-chart/<chart-name>/g' <chart-name>/templates/*
Application configuration methods
To begin, let's create our custom configuration file in which we will store our settings for the application
~/api-project$ touch custom-values.yaml
Via environment variables
For non-sensitive variables, you should use Configmap. Please open the file templates/configmap-app-envs.yaml and specify the variables which are required for your application. For example, we want to pass two environment variables and the file should be like this.
{{- if .Values.app.confEnvs }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ .Release.Name }}-app-envs
labels:
{{ include "basic-chart.labels" . | indent 4 }}
data:
ENV1: {{ .Values.app.confEnvs.env1 | quote }} # where ENV1 is the name of the variable
ENV2: {{ .Values.app.confEnvs.env2 | quote }}
{{- end }}
Then in file custom-values.yaml you should specify values. For example
app:
confEnvs:
env1: "value 1"
env2: "value 2"
For sensitive variables, you should use Secret. Please open the file templates/secret-app-envs.yaml and specify the variables which are required for your application.
{{- if .Values.app.confSecretEnvs }}
apiVersion: v1
kind: Secret
metadata:
name: {{ .Release.Name }}-app-secret-envs
labels:
{{- include "basic-chart.labels" . | nindent 4 }}
type: Opaque
stringData:
ENV1: {{ .Values.app.confSecretEnvs.env1 | quote }}
ENV2: {{ .Values.app.confSecretEnvs.env2 | quote }}
{{- end }}
Then in file custom-values.yaml you should specify secret values. For example
app:
confSecretEnvs:
env1: "secret value 1"
env2: "secret value 2"
If you want two specify both sensitive and non-sensitive variables you can combain it in your custom-values.yaml.
app:
confEnvs:
env1: "value 1"
env2: "value 2"
confSecretEnvs:
env1: "secret value 1"
env2: "secret value 2"
Via configuration file
If your file doesn't contain sensitive data you should use Configmap. The file can have any extension. For example, you have some config.xml file. Then your Configmap will look like this
{{- if .Values.app.confFileParams }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ .Release.Name }}-xml-config
labels:
{{ include "basic-chart.labels" . | indent 4 }}
data:
config.xml: |-
<?xml version="1.0"?>
<catalog>
<book id="book1">
<author>{{ .Values.app.confFileParams.book1.author }}</author>
<title>{{ .Values.app.confFileParams.book1.title }}</title>
</book>
<book id="book2">
<author>{{ .Values.app.confFileParams.book2.author }}</author>
<title>{{ .Values.app.confFileParams.book2.title }}</title>
</book>
</catalog>
{{- end }}
Then in file custom-values.yaml you should specify values which will be substituted to config.xml . For example
app:
confFileParams:
book1:
author: "Harry Potter"
title: "J.K. Rowling"
book2:
author: "J.R.R. Tolkien"
title: "The Lord of the Rings"
If your file contains sensitive data you should use Secret. The file can have any extension. For example, we have some config.ini file. Then your Secret will look like this
{{- if .Values.app.confFileSecretParams }}
apiVersion: v1
kind: Secret
metadata:
name: {{ .Release.Name }}-ini-secret-config
labels:
{{- include "basic-chart.labels" . | nindent 4 }}
type: Opaque
stringData:
config.ini: |-
[server]
port = {{ .Values.app.confFileSecretParams.server.port }}
host = {{ .Values.app.confFileSecretParams.server.host }}
[database]
host = {{ .Values.app.confFileSecretParams.database.host }}
port = {{ .Values.app.confFileSecretParams.database.port }}
login = {{ .Values.app.confFileSecretParams.database.login }}
password = {{ .Values.app.confFileSecretParams.database.password }}
{{- end }}
Then in file custom-values.yaml you should specify values which will be substituted to config.ini . For example
app:
confFileSecretParams:
server:
port: "8080"
host: "localhost"
database:
host: "localhost"
port: "27017"
login: "user"
password: "password123"
If your file contains even one sensitive parameter, you must fully describe it in Secret. It is not possible to describe part of the file in the Configmap and part in the Secret, as this could be done with environment variables
Configuration notes
After you have decided how your application is configured, you should update the templates.
Possible cases:
- If you don't use configuration files at all you should:
a) Delete filestemplates/configmap-app-config.yamlandtemplates/secret-app-config.yaml
b) Delete this section from the filetemplates/deployment.yaml{{- if or .Values.app.confFileParams .Values.app.confFileSecretParams }} volumeMounts: {{- if .Values.app.confFileSecretParams }} - name: config-from-secret mountPath: /app/config.ini subPath: config.ini {{- end }} {{- if .Values.app.confFileParams }} - name: config-from-configmap mountPath: /app/config.xml subPath: config.xml {{- end }} volumes: {{- if .Values.app.confFileSecretParams }} - name: config-from-secret secret: secretName: {{ .Release.Name }}-ini-secret-config # {{- end }} {{- if .Values.app.confFileParams }} - name: config-from-configmap configMap: name: {{ .Release.Name }}-xml-config {{- end }} {{- end }} - If you use configuration files, you should pay attention to the following points
a) You must specify the correct names for the configuration files indeployment.yamlb) Specify the correct file names in Secret or Configmap{{- if or .Values.app.confFileParams .Values.app.confFileSecretParams }} volumeMounts: {{- if .Values.app.confFileSecretParams }} - name: config-from-secret # mount by local name, which is described below mountPath: /app/config.ini # path where your file will be mounted subPath: config.ini # name of the file you specified in Secret {{- end }} {{- if .Values.app.confFileParams }} - name: config-from-configmap mountPath: /app/config.xml # path where your file will be mounted subPath: config.xml # name of the file you specified in Configmap {{- end }} volumes: {{- if .Values.app.confFileSecretParams }} - name: config-from-secret # local name for the volume within this deployment secret: secretName: {{ .Release.Name }}-ini-secret-config # the name of the secret that the file contains {{- end }} {{- if .Values.app.confFileParams }} - name: config-from-configmap configMap: name: {{ .Release.Name }}-xml-config {{- end }} {{- end }}apiVersion: v1 kind: ConfigMap metadata: name: {{ .Release.Name }}-xml-config labels: {{ include "basic-chart.labels" . | indent 4 }} data: # config.xml is the file name that will be specified during mounting as subPath config.xml: |- <?xml version="1.0"?> ...... - Pay attention to the
ingresroute.yamlfile
a) Our infrastructure can provide self-signed Let's Encrypt certificates. You can read more about it on your own here. Please do not delete this section from the configuration file.b) IngressRoute - provides an opportunity to make your service available from the Internet. For example, an ingressroute without tls is given - you can use it for local testing. You only need to configure DNS for that domain on the IP of the load balancer that creates the traefik (see the section "How to deploy traefik"){{- if .Values.app.ingress.tls.secretAutoCreate }} #The Certificate resource allows you to use self-signed Let's Encrypt certificates #In order to use it, you need to install a cert-manager #Installation guide: https://cert-manager.io/docs/installation/helm/ apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: {{ .Values.app.ingress.host.name }} spec: secretName: {{ .Values.app.ingress.tls.secretName }} secretTemplate: annotations: meta.helm.sh/release-name: {{ .Release.Name }} meta.helm.sh/release-namespace: {{ .Release.Namespace }} app.kubernetes.io/managed-by: Helm labels: app.kubernetes.io/managed-by: Helm issuerRef: name: {{ .Values.app.ingress.tls.issuerName }} kind: Issuer commonName: {{ .Values.app.ingress.host.name }} dnsNames: - {{ .Values.app.ingress.host.name }} {{- end }}--- apiVersion: traefik.io/v1alpha1 kind: IngressRoute metadata: name: {{ .Release.Name }}-http annotations: kubernetes.io/ingress.class: {{ .Values.app.ingress.class }} {{- include "basic-chart.ingressRouteAnnotations" . | nindent 4 }} spec: entryPoints: - web routes: - match: Host(`{{ .Values.app.ingress.host.name }}`) && PathPrefix(`{{ .Values.app.ingress.host.path }}`) kind: Rule services: - name: {{ .Release.Name }} namespace: {{ .Release.Namespace }} port: {{ .Values.app.service.port }} middlewares: - name: {{ .Release.Name }}-strip-prefix - The configuration should be stored in a separate file (in our case, it is custom-values.yaml)
For example:#the application is configured using environment variables app: confEnvs: # non-sensitive env1: env1 image: repository: "docker.io/vovan4/example" pullPolicy: IfNotPresent tag: "1.0.0" ingress: enabled: true host: path: "/app" name: "my-domain.com"
Push new/updated helm chart to the remote helm repository
In order for the chart to be used not only locally, it needs to be uploaded to a remote helm chart repository.
Login to the helm registry.
$ helm registry login <repository> --username <username> --password ******
$ helm registry login registry.portaone.com --username <username> --password ******
Create a helm package
$ helm package <path-to-local-chart-directory>
~/api-project/chart$ helm package ./basic-chart Successfully packaged chart and saved it to: /home/<username>/api-project/chart/basic-chart-1.0.0.tgz
Push your chart to the remote registry.
$ helm push <path-to-local-chart-archive>.tgz oci://<registry>/<project>/charts
~/api-project/chart$ helm push ./basic-chart.tgz oci://<registry>/<project>/charts
In this way, you can push both new charts and release new versions of already existing charts.
Please, if you update the chart, release it with the new version. It is not recommended to change a chart version that is already in use.
And to check, you can pull the chart from the remote registry using the command
$ helm pull oci://<registry>/<project>/charts/basic-chart --version 1.0.0
Deploy to Kubernetes using helm
Specify created secret with credentials in custom-values.yaml to ensure pulling the image from the registry.
... # add this line (specify the name of the secret that contains credentials) imagePullSecrets: - name: dockercred ...
Now you can deploy your API to Kubernetes cluster using helm install command.
$ helm install -f <custom-values-file> <name-of-release> <path-to-chart>
~/api-project$ helm install -f ./custom-values.yaml api ./chart/basic-chart
This method is complicated, because the more settings, the longer the command. Therefore, for ease of understanding, we recommend using the helmfile utility, which is described below
Uninstall helm release from Kubernetes using helm
In order to remove the release from the cluster, you need to execute the "helm uninstall" command
$ helm uninstall <release-name> -n <optional-namespace> #example $ helm uninstall api
Create helmfile
It is sufficient to use helm chart to deploy and destroy application in the cluster. However if you work with many helm charts you might want to consider deploying with help of "helmfile"
Helmfile is a declarative spec for deploying helm charts. It lets you…
- Keep a directory of chart value files and maintain changes in version control.
- Apply CI/CD to configuration changes.
- Periodically sync to avoid skew in environments.
Create file api-project/helmfile.yaml and add the following content to it.
~/api-project$ touch helmfile.yaml
#helmfile.yaml
releases:
- name: api
chart: ./chart/basic-chart
installed: true
values:
- custom-values.yaml
Deploy to Kubernetes using helmfile
Let's run the command to check if everything is correct(from the directory where helmfile.yaml is located)
~/api-project$ helmfile diff
If the diff plugin worked without errors, you can run the command bellow to deploy our API in the cluster
~/api-project$ helmfile apply
Uninstall helm release from Kubernetes using helmfile
If you are using a helmfile, then to uninstall the release you need to perform the following actions:
- change the release option "installed" to false
#helmfile.yaml releases: - name: api chart: ./chart/basic-chart installed: false values: - custom-values.yaml- apply configuration
~/api-project$ helmfile apply Listing releases matching ^api$ api default 1 2023-10-09 10:46:59.500783363 +0300 EEST deployed basic-chart-1.0.0 Deleting api release "api" uninstalled DELETED RELEASES: NAME DURATION api 0s
Checking result
Initially, our pod will be in ContainerCreating status. It will take some time until our application image is downloaded from the repository
$ kubectl get pods NAME READY STATUS RESTARTS AGE api-7cc7fb489d-c88k8 1/1 ContainerCreating 0 26s traefik-5c7ff68df4-xmnq9 1/1 Running 2 (7m55s ago) 4d
After the image is downloaded, the pod will start and have a status of Running
$ kubectl get pods NAME READY STATUS RESTARTS AGE api-7cc7fb489d-c88k8 1/1 Running 0 92s traefik-5c7ff68df4-xmnq9 1/1 Running 2 (9m1s ago) 4d
Also, let's check that the service has been created
$ kubectl get services NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE api ClusterIP 10.109.171.59 <none> 8081/TCP 7m3s kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 9d traefik LoadBalancer 10.97.210.197 10.97.210.197 80:31977/TCP,443:31863/TCP 4d
Let's check our ingressroute
$ kubectl get ingressroutes.traefik.io NAME AGE api-http 8m traefik-dashboard 4dh
Find out the IP address of the traefik load balancer (Don't forget to run minikube tunnel command in a separate console)
$ kubectl get service traefik NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE traefik LoadBalancer 10.97.210.197 10.97.210.197 80:31977/TCP,443:31863/TCP 4d
Copy the value of the External-Ip address and add to the file /etc/hosts using command or manually.
$ sudo sh -c "echo '10.97.210.197 my-domain.com' >> /etc/hosts"
#/etc/hosts 10.97.210.197 my-domain.com
Make requests to our API
$ curl http://my-domain.com/app/env1
{"env1":"env1"}
$ curl http://my-domain.com/app/env2
{"env2":"Default value of env2"}
As a result, we can see that our API is working correctly. As you can see that one query returns the env1 value that we passed to the container via custom-values.yaml . And the another query returns the default value since we didn't pass any value.
How to update the application and helm chart to a new version?
Updating the logic of the application
For example you want to update your API and for that you need to add a new environment variable. First, you need to update the logic of the application. So, change the code of the server.js file as follows
Updating the docker image
Build a new image with a new tag of 2.0.0 (Sometimes it is possible to update a docker image with the same tag of 1.0.0, that is, to roll out a hotfix, but then this requires more skill from the developer).
Updating the helm chart
If your application has changes that require additional environment variables or configs, you need to modify the helm chart. In our case, we only add one new environment variable. Therefore, first you need to change the deployment.yaml file.