Improving the Developer Experience of Infrastructure as Code and GitOps

Video in TIB AV-Portal: Improving the Developer Experience of Infrastructure as Code and GitOps

Formal Metadata

Title: Improving the Developer Experience of Infrastructure as Code and GitOps
License: CC Attribution 2.0 Belgium: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract: Kubernetes, GitOps and Infrastructure as Code are as powerful as they are popular, and seem like a perfect match. Consequently, using Terraform to maintain Kubernetes clusters and resources is a very common use case, and it requires careful integration of many moving parts, from Terraform providers and modules to CI/CD pipelines and triggers. Despite this being such a popular use case, teams previously had no alternative to writing everything from scratch. On the software development side we use frameworks to avoid reinventing the wheel for similarly common use cases, but in the less mature infrastructure as code ecosystem, use-case specific frameworks are a new concept. This talk introduces Kubestack, an open-source framework for Terraform that brings the developer experience of application development frameworks to infrastructure as code. Get an overview of how you can use the framework as a foundation to build even advanced multi-cloud and multi-cluster Kubernetes automation, and how Kubestack's GitOps workflow allows teams to reliably suggest, review, validate and apply changes to their infrastructure environments.
Hello and welcome to my talk today about improving the developer experience of infrastructure as code and GitOps using the Kubestack framework. The agenda for the talk: first I'll talk a little bit about what this developer experience gap is that I see, and we will discuss how frameworks solve this developer experience gap already on the application development side. Then I'll give a quick demo so you can see the Kubestack framework in action, and see how Kubestack brings the same developer experience from application development to infrastructure as code. And then we will come to the main part of the talk, where we will look at the code of the framework, the features and the reusable components it provides, and we will discuss how things are implemented and why they are implemented this way.

Before we go there I want to give you a little bit of background on myself. I started my career when I dropped out of law school and started working with cloud infrastructure in 2009, and so for the last ten years I've done a lot of public cloud and containers, and for the last five years I've done a lot of Kubernetes. I think it's very clear, if you look at the developments in the cloud native community, that a lot of effort went into improving the developer experience of every aspect of building, testing and deploying applications on top of Kubernetes. Meanwhile, I think the developer experience of infrastructure as code lags very far behind. I think this is a problem for two reasons. Number one, it is such a high barrier to entry that a lot of teams are prevented from benefiting from infrastructure as code, and obviously the benefits are real. And the other aspect is, I don't really see the point of all those advanced deployment automations if the cluster they sit on is maintained manually; you are only ever as strong as the weakest link.
So to get started, let me explain what I mean when I say developer experience gap in the context of Terraform and Kubernetes. Overall there are three main issues. The first one is the upfront effort. If you are new, there's a very steep learning curve to both Terraform and Kubernetes, of course. But even if you're not new, you constantly reinvent the wheel every time you start a new project: for example having to figure out the repository layout, set up remote state, configure service accounts and IAM, write a pipeline, set up triggers for CI/CD, all these kinds of things. And it doesn't stop there. You also have a lot of long-term maintenance effort. A production-grade Kubernetes infrastructure as code code base can easily become thousands of lines of code. This covers the Terraform configuration, but also Kubernetes manifests and CI/CD pipeline files, and all of this is not a static code base. Kubernetes is moving fast, so you may remember that with 1.16 the API versions of NetworkPolicies, Deployments, StatefulSets and a number of others had to be updated, and there's a similar change upcoming for Ingress with 1.22, if I remember correctly. The cloud providers are moving very fast too; sometimes they deprecate features or services, which forces you to make changes to your code base. Terraform itself is also evolving, so both 0.12 and 0.13 have added long-awaited and very useful features, but they both also came with migration effort. And then finally there's the slow feedback loop when working with infrastructure as code as a team, because the remote state forces you to always fall back to committing, pushing and running Terraform through the CI/CD pipeline. If you don't, you risk the code base and the state being out of sync when multiple users try to do this, and you will definitely see weird Terraform plans as a result of this, which can be quite confusing.

So if you look at these problems, they're not necessarily unique to infrastructure as code. They also exist in application development languages, but there we have a solution for these in the form of use-case specific frameworks. So if you need a full-stack web framework, because you are building a CRUD app, you would probably go with something like Django if you're a Python shop or Rails if you're a Ruby shop. If you're building a Java application, using Spring Boot will get you there much faster. Or if you're building one of those new JAMstack websites, using a framework like Gatsby also has tremendous value. And so these frameworks, by being use-case specific, reduce the upfront effort simply by providing reusable components for all those common requirements that the use case has. They also reduce the maintenance effort, because under the hood they have a lot of moving parts, but if you're a user of the framework you can just follow the updated versions of the framework; you don't have to care about the underlying individual components. And finally, because they're so use-case specific, frameworks can also provide a much faster feedback loop. Usually they do this by providing these auto-updating local development environments, where your application is automatically rebuilt or restarted as you make changes to the code base. On the infrastructure as code side, using Terraform to automate Kubernetes is, in my opinion, a very similar, very specific and very popular use case. So the idea behind Kubestack is: if we're building a framework that's use-case specific for this infrastructure as code use case, we can provide the same benefits and developer experience as the frameworks on the application development side do.

Of course this begs the question why people did not do this earlier, and I think the reason is that it didn't really make sense to have a framework like this before the paradigm shift to containers and Kubernetes, simply because the stack was very different and you didn't have those common requirements. If you look at operating systems, they are a fairly weak abstraction, and they were also traditionally owned by ops teams or infrastructure teams. But because applications leak requirements, in the form of dependencies and many configuration details, into the operating system, the teams that managed the platform layer oftentimes had to build automation specific to that application, and this left very little room for the common requirements where a framework with reusable components could offer value. Now this changed with containers and Kubernetes, for two reasons. First, we have another instance of an operating system inside the container, and this one is the one we can configure application-specifically and independently, and this can now also be part of the responsibility of the application team. Additionally, we have the Kubernetes API with its declarative building blocks that describe what an application needs to keep running. That is a very powerful abstraction at the boundary between platform layer and application layer, and it means the platform layer is now much more easily kept entirely free from application-specific requirements. And this means there are now common requirements for the platform layer, and a framework with reusable components can provide value. Additionally, I think if you look at where the cloud native community is heading, this abstraction of the platform layer is only getting stronger, and this will further increase the value that infrastructure as code frameworks can provide on the platform layer.
Now let me jump into learning more about how the Kubestack framework implements these features. Let's start with a quick demo of how this looks. I have an empty directory currently. The first thing the framework offers is a way to scaffold a new repository. You do this with the Kubestack CLI: you run it, and then you would select a starter, GKE for this example. After I execute this I now get this new directory, and this includes everything I need to both provision the Kubernetes infrastructure as well as configure those components, cluster-wide ones in terms of namespaces and RBAC, but also cluster services that I need on the cluster before I can deploy application workloads. All of this is integrated into this one repository, and you also have, for example, the Dockerfile that helps you with bootstrapping locally, also for emergency recovery if the automation isn't working, and which is also used to provide a unified environment every time the CI/CD pipeline runs. So the first thing you do when you're in the repository and you want to work on a change is to start the local environment, and what you do is kubestack local apply. While this is coming up, let me explain real quick how this works. If you take a look at the clusters file, you see that we load a module for the Google cluster, and for all these cloud providers Kubestack maintains a set of modules: there is the real cloud cluster module and the cluster-local variant. Both accept the same input variables, but when the local development environment starts it reads your Terraform configuration, detects one of these cloud modules, and then transparently replaces the source with the cluster-local variant. Instead of talking to the cloud provider, it will provision containers locally that simulate these clusters and their nodes. This is done using kind, Kubernetes in Docker, and a Terraform provider for kind. The other thing you see here is the configuration file, and we'll talk a little more about this later, but here is where you have the configuration for each one of the clusters you specified and their respective apps and ops environments. You can see at the bottom that the local development environment is now up and running.

What we can do now is, it's watching for changes. So when we start working on either RBAC or namespaces, or we install a cluster service like the Prometheus Operator so that we can add monitoring to our cluster, or we change the number of nodes, or we add additional clusters to the clusters.tf, because you could also have more GKE clusters in here, either in the same region or in different regions, or you could also add clusters of another cloud provider: you can simulate a lot of these clusters in the local development environment and drastically shorten the feedback loop. And once we are happy with our changes locally, we can commit them to a branch and push the branch to start the review process with our team. Now that we had a sneak peek at Kubestack in action, I want to talk about a number of the common requirements Kubestack solves, how they are implemented and why they are implemented this way.
The first one is the ability to have multiple environments. Teams need multiple environments to be able to work on and test the infrastructure automation before they promote it to a mission critical environment; otherwise you're constantly performing open heart surgery on a mission critical environment, which is not a good idea. Terraform has a feature called workspaces, and workspaces are very useful to implement these separate environments. Basically you can think of every workspace as its own individual Terraform state. This way you can apply a code base against one workspace, and then change the workspace to apply the exact same configuration against the second workspace. This is how you can first validate your changes in a test environment and then promote them to the mission critical one without making code changes in between. To do this, however, you have to write your modules and Terraform configuration in a specific way. I have a simplified example here which tries to create two GKE clusters. The first one simply uses a variable for the cluster name, and the second one concatenates this variable with the variable that Terraform provides for the current workspace. Now what would happen if I apply this to a test workspace is that both clusters would get created. If I now try to promote the same code also to my mission critical environment, I change the workspace, I run terraform apply, and the second cluster would work, because it provides a unique name for the cluster, but the first one would fail because the cluster name was already taken. So this is an example of what you need to do in your Terraform code base to work reliably with these workspaces. Kubestack takes this concept a step further and uses a dedicated module called the metadata module. The metadata module, based on the name prefix and the base domain that you provide as part of the configuration, and additionally the provider name and cloud region that you selected for the new infrastructure, generates names that are not only unique across environments but are also unique for multiple clusters in the same environment. These clusters can be in the same region or in different cloud provider regions; they can even be in different cloud providers. Beyond the name it also provides a few other metadata entries, like a fully qualified domain name, the workspace and some others. It provides these as both tags and labels, and then the framework will automatically use that metadata whenever it creates Kubernetes resources or cloud resources where labels or tags are applicable.
Another example of a common requirement for infrastructure as code is the ability to have configuration that differs per environment. Once again we're going to look at a simple example first. A naive approach to implement this could be that you have hash maps, like you see on top here, in your configuration or variables file, for example, and use the workspace name as the key of the outer hash map. In this case we have workspace one and workspace two as examples, and then when you try to access these attributes, in for example a module like the example you see here at the bottom, in your Terraform files you can use the terraform.workspace variable to select the correct key from the outer hash map and then access the individual attributes. However, there are two problems with this approach. The first one is that, as you do this, you duplicate all your settings in all your environments. Here it's only two, and in our example we only have two attributes, but a real configuration would have significantly more, and as you add or remove attributes you have to remember to do this in all the environments, and this gets out of hand very quickly in my experience. The other thing is that you also have to keep those values in sync, and you need to know that some values should be the same between environments and other values should be different between environments, and this may also change during the lifetime of the code base. As you and your team make changes over time it gets harder and harder to keep this correct. Also for this, Kubestack has another module it includes, called the inheritance module, and this module solves this problem using inheritance, very similar to how application frameworks oftentimes do this. So by default Kubestack has these two environments called apps and ops: apps is the mission critical one where your applications run, and the ops environment only exists to validate changes before they are promoted to the apps environment. Now, to prevent configuration drift between those two environments, ops inherits everything from apps, and then you have the ability to explicitly override certain values in ops that you want to have different from apps.

This does not prevent configuration drift entirely; you can override, so there can still be drift, but it makes any difference explicit, and it makes it much easier: if you make a change to something that's only configured in apps, you can rely on the inheritance to make sure this is also inherited by all the other environments. We have an example here where the ops environment overrides the cluster min node count and cluster node locations on top of the settings it inherits from the apps environment. It does so because the ops environment doesn't run any workloads, and it doesn't make sense to have the ops environment use the exact same scaling number of nodes as the apps environment, which here scales between three and thirty nodes, for example. So instead what we do is reduce node locations and min node count, and the ops environment would have a cluster that is still multi-availability-zone and has multiple nodes, two in this case, but it does not scale up; it doesn't need to have ten empty nodes or something like this. So you can keep costs down but still keep the benefit of having an environment that you can validate your configuration against, and that you can trust to be similar enough that the configuration you verified in ops doesn't suddenly fail when you apply it to apps. Now we have had a look at how the Kubestack framework implements environments and how it does inheritance for the configuration of those environments.
The next step is to take a look at how the Kubestack framework provides a GitOps workflow for teams. As I said already, Kubestack has two default environments called apps and ops, and the diagram you see here shows an example of how you go through this workflow. The workflow always has four steps: first you make a change, then the change gets reviewed, then the change gets validated, and if everything is fine the change can be promoted. So the way this works is, you have your Git repository, you branch off of the current commit and you start working on a change, most likely by working in the local development environment that we saw in the demo earlier. Once you are happy with your change, you commit it to your branch, push the branch and ask your co-workers for review, and if there's any feedback from your review you can just follow up with additional commits. Every commit automatically triggers a Terraform plan of the changes you're proposing against the ops environment. The benefit of this is that you and your team can reason about the proposed change and discuss feedback for the review; you have both the change to the code as well as the Terraform plan output that tells you what changes it would make to the ops environment if you were to merge this change into the main branch. Now, if at some point you and your team are happy with the changes, you merge the pull request, and this triggers a Terraform apply against the ops environment to validate that those changes actually work against the real cloud environment. Additionally, after the Terraform apply the pipeline will change into the apps workspace and then run a Terraform plan against the apps environment, to give you a preview of what changes it will make to the apps environment if you now promote this change. Right, so you've just validated against the ops environment, and the plan will help you understand what changes it would also do against the apps environment, which should hopefully mirror the same kind of changes that were just done against the ops environment. And if you are happy with this, you go ahead and tag this specific commit that you've just validated, and the tag triggers the pipeline again; this time it triggers the pipeline to apply the changes to the apps environment.

So now you have a workflow where every engineer can independently use their local development environment to work on their changes. At some point they share those changes with the team, and they can run through a peer review to make sure everybody is on board with the changes, nothing was forgotten, this is actually what's supposed to be happening, you can agree on code quality, all these kinds of things. Eventually, after a few iterations, everybody will be happy and you can merge and validate this, and then there is the ability to control exactly which change now gets promoted into the mission critical apps environment. As I mentioned already, these are the default environments: you have ops and apps, with ops being the one that only exists to validate and is most likely scaled down, and apps being the one that runs all your applications and all your application environments. If you have the requirement to have those environments named differently, or maybe you'd like them to be called test and prod for example, then you can do this; this is something you can control through configuration. But by default they are called apps and ops, because I'm trying to make clear that these should be separate infrastructure environments; they don't necessarily have to overlap with the environments you have for your applications. If you have this kind of a pipeline and you run it through CI/CD, then there are two things that I think are crucially important: first, the pipeline run time needs to be fast, and it also needs to be resilient.
There are a couple of things I do inside the framework to improve this. On one hand there is a set of images that I build specifically for each framework release, and those bundle the cloud provider CLIs, a Terraform version and a number of other things. To make sure that you have the most efficient image possible, I make very heavy use of multi-stage builds to get a low number of layers for the final images, and I also provide variants of those images. There's the multi-cloud variant, which includes the CLIs for all three cloud providers and everything else they depend on, and then there's an AKS, an EKS and a GKE specific version, and there's also the kind version that's used for the local development environment we saw earlier. This keeps the pipeline run time low by only downloading what it really needs every time, because these images are smaller, for example AKS-only versus multi-cloud. You may remember also from the demo that there's a Dockerfile in your repository, and the Dockerfile has just this one single FROM line, and the pipeline starts off by building this local Dockerfile every time. It doesn't use the upstream Kubestack framework image from Docker Hub directly, but instead just inherits from it in its own Dockerfile. The benefit of this is that it allows you to extend the image with certain requirements you may have on top of the Kubestack framework, so you can install additional CLIs, or maybe Python, or something specific to your use case. So you get the benefits of a shared and maintained upstream image, but you can add additional requirements on top. Another thing the images do is that they vendor the Terraform providers. This is a feature Terraform added recently, and the idea is that you already have to download the Docker image, so bundling those Go binaries, which is basically what the Terraform providers are, inside the Docker image means you don't additionally have to reach out to the Terraform registry and start downloading those Go binaries during the terraform init that's going to be part of the pipeline run. This has two benefits. First, of course, it further decreases the run time it takes for this pipeline to run, but it also improves resilience by making sure you don't additionally depend on the registry being up and running at run time; the idea is that the only thing you depend on during your CI/CD pipeline run is the container registry. There is one exception, however: the Terraform modules of the Kubestack framework, as you may remember from the source we saw earlier, are specified with a GitHub URL, and so they are currently being downloaded from GitHub every time the pipeline runs. The reason for this is that I haven't found a really good way, similar to how the new Terraform providers work, to bundle these inside the image, and also because I think it makes it very intuitive for users to understand that if they want to try something different, or maybe contribute back to the framework, they can simply fork the repository on GitHub, point the source to their fork, work on their changes, and eventually hopefully send the pull request to contribute this change back upstream, and then point their repository back to using the next upstream release, which hopefully includes their changes.

Let's take a moment and talk about the scope. So Kubestack distinguishes between committed, desired and current state. Kubestack's responsibility in this is to provide a workflow for teams to reason about proposed changes to the committed state, and to validate and apply that to one of the environments, so that you can have the validation and promotion workflow that we discussed earlier. But its responsibility is entirely syncing committed and desired state. Once the desired state has been given to the cloud provider for cloud resources, it's the responsibility of the cloud provider to keep desired and current state in sync, to make sure the nodes are configured correctly and the cluster control plane and API are running. Or, in the case of Kubernetes resources, Kubestack will sync committed state into the desired state inside the Kubernetes API, and it's then the responsibility of the Kubernetes control plane and controllers to ensure that the resources' desired and current state are in sync. So it's important to understand that Terraform is not running in some sort of continuous control loop; it doesn't have to, because it is triggered by changes to Git and then syncs committed into desired state. One edge case: imagine somebody manually, through the CLI or web UI, changes resources inside the cloud provider, changing the desired state there, or does the same for the desired state of Kubernetes resources. Kubestack doesn't currently solve that edge case, but the idea how to do this is basically to run a Terraform plan very regularly to detect such a change, for example every five minutes, and then make it configurable to either notify the team that there is such a change between committed and desired state, or to re-apply the last committed state to force overwrite the desired state. This could be an area where, if somebody is interested, they could get involved and contribute. Questions would be: should this run in CI/CD, or should it be run as some sort of cron job or long-running process inside the Kubernetes clusters themselves? I think that's a rather interesting question. Last but not least, let's talk about cluster services.
So if you remember from the demo we saw earlier, there's a manifests folder, and the manifests folder allows you to include any Kubernetes manifests into the Terraform plan and apply. This is useful for two main reasons. Updates to certain cluster services, like ingress or service mesh, are typically hard to test on the same clusters as the workloads that rely on them. By including them in the same GitOps workflow, these updates, like service mesh updates, are validated in the ops environment just like infrastructure changes, before they are promoted to the apps environment as well. The second benefit is that if you run a multi-cluster or even multi-cloud setup, including these cluster services in the infrastructure repository allows you to unify the environments across clusters or even cloud providers, so that applications always find the exact same application runtime environment.

To summarize: Kubestack is a use-case specific framework for Terraform that brings the awesome developer experience of frameworks from application development to infrastructure as code, and it provides everything teams need to build rock-solid Kubernetes automation. Thank you so much for your attention today.

I'd also like to thank all the users who already tried the framework and gave feedback, and an especially big thank you to all the current contributors. To try the framework yourself, go to kubestack.com, click on Get Started and follow the tutorial. You can also find the code on GitHub at github.com/kbst/terraform-kubestack, and if you want to support our mission to improve the developer experience of infrastructure as code, please leave a star on our repository. Finally, the Kubestack channel on the Kubernetes Slack is the best way to join the conversation with the rest of the community. Thank you very much.
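The following is an added Terraform example, written for this page and not code from the talk or from the Kubestack project, that illustrates the two patterns the speaker describes: deriving cluster names from terraform.workspace so the same commit applies to an ops and an apps workspace without a name collision, and expressing the ops environment as explicit overrides on top of the apps configuration with merge() instead of duplicating every attribute per environment. The variable names (name_prefix, base_domain, region), the label keys and the GKE resource arguments used here are assumptions for illustration, not Kubestack's metadata or inheritance modules.

```hcl
# Added example (not Kubestack's own code): workspace-derived unique names
# plus apps -> ops configuration inheritance. Variable names, label keys
# and the GKE resource arguments are assumptions for illustration.

variable "name_prefix" {
  type    = string
  default = "kbst" # assumed: short prefix shared by all clusters in this repo
}

variable "base_domain" {
  type    = string
  default = "example.com" # assumed
}

variable "region" {
  type    = string
  default = "europe-west1" # assumed
}

locals {
  # The environment is decided by the selected workspace, not by a code
  # change: `terraform workspace select ops` versus `... select apps`.
  environment = terraform.workspace

  # Provider and region are part of the name, so two clusters in the same
  # workspace (second region, second cloud) cannot collide, and applying the
  # same code to the other workspace yields a different name.
  cluster_name = "${var.name_prefix}-${local.environment}-gke-${var.region}"
  cluster_fqdn = "${local.cluster_name}.${var.base_domain}"

  # Single source of truth: the mission-critical apps environment.
  apps = {
    min_node_count = 3
    max_node_count = 30
    node_locations = ["europe-west1-b", "europe-west1-c", "europe-west1-d"]
    machine_type   = "e2-standard-4"
  }

  # ops inherits every key from apps and states only what differs: fewer
  # zones and nodes, because no workloads run there. A key added to apps
  # automatically reaches ops; there is no second map to forget.
  ops = merge(local.apps, {
    min_node_count = 1
    max_node_count = 2
    node_locations = ["europe-west1-b", "europe-west1-c"]
  })

  environments = { apps = local.apps, ops = local.ops }

  # Index lookup fails the plan for an unknown workspace (e.g. "default")
  # instead of silently applying a half-configured cluster.
  config = local.environments[local.environment]

  # Metadata carried as labels by every resource created here.
  labels = {
    cluster_name = local.cluster_name
    environment  = local.environment
  }
}

resource "google_container_cluster" "this" {
  name            = local.cluster_name
  location        = var.region
  node_locations  = local.config.node_locations
  resource_labels = local.labels

  # The node pool is managed separately so it can autoscale per environment.
  remove_default_node_pool = true
  initial_node_count       = 1
}

resource "google_container_node_pool" "this" {
  name     = "${local.cluster_name}-default"
  location = var.region
  cluster  = google_container_cluster.this.name

  autoscaling {
    min_node_count = local.config.min_node_count
    max_node_count = local.config.max_node_count
  }

  node_config {
    machine_type = local.config.machine_type
    labels       = local.labels
  }
}

output "cluster_name" {
  value = local.cluster_name
}

output "cluster_fqdn" {
  value = local.cluster_fqdn
}

output "effective_config" {
  value = local.config
}
```

With terraform workspace select ops followed by terraform plan, this yields a cluster named kbst-ops-gke-europe-west1 with two zones and a 1 to 2 node pool; selecting the apps workspace yields kbst-apps-gke-europe-west1 with three zones and a 3 to 30 node pool, from the same code and the same commit, which is what lets a pipeline validate in ops and then promote to apps by only changing the workspace. Selecting any other workspace, including Terraform's default one, fails at plan time on the environments index rather than creating a cluster with missing settings.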