Thursday, December 26, 2019

Continuous Deployment (CD) with Jenkins and Kubernetes on Google Cloud

Jenkins on Kubernetes Engine

https://cloud.google.com/solutions/jenkins-on-kubernetes-engine

https://cloud.google.com/solutions/jenkins-on-kubernetes-engine-tutorial

Provision a Jenkins environment on a Kubernetes Engine Cluster, using the Helm Package Manager.
Google Kubernetes Engine (GKE) is the hosted version of Kubernetes on Google Cloud Platform (GCP).

Create k8s cluster

gcloud container clusters create jenkins-cd \
  --num-nodes 2 \
  --machine-type n1-standard-2 \
  --cluster-version 1.13 \
  --service-account "jenkins-sa@$GOOGLE_CLOUD_PROJECT.iam.gserviceaccount.com"


Jenkins Kubernetes plugin
https://wiki.jenkins-ci.org/display/JENKINS/Kubernetes+Plugin

Scale

kubectl --namespace=production scale deployment gceme-frontend-production --replicas=4


Port forward

export DEV_POD_NAME=$(kubectl get pods -n new-feature -l "app=gceme,env=dev,role=frontend" -o jsonpath="{.items[0].metadata.name}")

kubectl port-forward -n new-feature $DEV_POD_NAME 8001:80 >> /dev/null &




export FRONTEND_SERVICE_IP=$(kubectl get -o jsonpath="{.status.loadBalancer.ingress[0].ip}" --namespace=production services gceme-frontend)


while true; do curl http://$FRONTEND_SERVICE_IP/version; sleep 1; done






Application deployment into Google Kubernetes Engine on Google Cloud

Kubernetes https://kubernetes.io/

Google Kubernetes Engine  https://cloud.google.com/container-engine

Sample app https://github.com/kelseyhightower/app
 It's a 12-Factor application with the following Docker images:
  • Monolith: includes auth and hello services.
  • Auth microservice: generates JWT tokens for authenticated users.
  • Hello microservice: greets authenticated users.
  • nginx: frontend to the auth and hello services.
 

Tools

The gcloud command-line interface is a tool that provides the primary CLI to Google Cloud Platform.
https://cloud.google.com/sdk/gcloud/

Access the Kubernetes pods


By default, pods are allocated a private IP address that cannot be reached from outside the cluster. Use the kubectl port-forward command to map a local port to a port inside the monolith pod.

kubectl port-forward myapp 9999:80

TOKEN=$(curl http://127.0.0.1:9999/login -u user | jq -r '.token')

curl -H "Authorization: Bearer $TOKEN" http://127.0.0.1:9999/secure
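
Added example, not part of the original post or the sample app: a local inspection of the JWT held in $TOKEN above, decoding its header and payload and rejecting a token that is malformed, unsigned (alg "none") or expired. It does not verify the signature; the helper names and the sample token are constructed for illustration, and the claim parser assumes compact single-line JSON.

```shell
#!/bin/sh
# Inspect a JWT such as $TOKEN from /login. Decoding only: no signature check.

# Decode one base64url segment (JWTs use '-' and '_' and drop '=' padding).
b64url_decode() {
  seg=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
    1) return 1 ;;                      # impossible base64 length
  esac
  printf '%s' "$seg" | base64 -d 2>/dev/null
}

# Print the decoded header ($2 = 1) or payload ($2 = 2) of token $1.
jwt_part() {
  case "$1" in
    *.*.*.*) return 1 ;;                # more than three segments
    *.*.*)   ;;                         # header.payload.signature
    *)       return 1 ;;
  esac
  b64url_decode "$(printf '%s' "$1" | cut -d. -f"$2")"
}

# Extract a string or numeric claim from compact, flat JSON (no jq required).
json_get() {
  printf '%s' "$1" |
    sed -n 's/.*"'"$2"'"[[:space:]]*:[[:space:]]*"\{0,1\}\([^",}]*\).*/\1/p'
}

# Succeeds only for a well-formed token with a signing alg and a future exp.
# $2 is the current time in epoch seconds (defaults to now).
jwt_check() {
  hdr=$(jwt_part "$1" 1) || { echo "malformed"; return 1; }
  pay=$(jwt_part "$1" 2) || { echo "malformed"; return 1; }
  alg=$(json_get "$hdr" alg); exp=$(json_get "$pay" exp)
  now=${2:-$(date +%s)}
  case "$alg" in ''|none|None|NONE) echo "unsigned (alg=$alg)"; return 1 ;; esac
  case "$exp" in ''|*[!0-9]*) echo "no usable exp claim"; return 1 ;; esac
  [ "$exp" -gt "$now" ] || { echo "expired at $exp"; return 1; }
  echo "ok alg=$alg exp=$exp"
}

# Constructed sample token (not from the page); its signature is a dummy value.
b64url_encode() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }
SAMPLE_TOKEN="$(b64url_encode '{"alg":"HS256","typ":"JWT"}').$(b64url_encode \
  '{"sub":"user","exp":1577318400}').c2ln"
jwt_check "$SAMPLE_TOKEN" 1577318000
```

With the port-forward running, `jwt_check "$TOKEN"` applies the same checks to the token returned by /login.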


Run shell inside pod

kubectl exec myapp --stdin --tty -c myapp -- /bin/sh


This uploads cert files from the local directory tls/ and stores them in a secret called tls-certs.

kubectl create secret generic tls-certs --from-file tls/

kubectl create configmap nginx-proxy-conf --from-file nginx/proxy.conf


more nginx/proxy.conf

server {
  listen 443;
  ssl    on;

  ssl_certificate     /etc/tls/cert.pem;
  ssl_certificate_key /etc/tls/key.pem;

  location / {
    proxy_pass http://127.0.0.1:80;
  }
}


Set up firewall

gcloud compute firewall-rules create allow-myapp-nodeport --allow=tcp:31000

NAME                  NETWORK  DIRECTION  PRIORITY  ALLOW      DENY  DISABLED
allow-myapp-nodeport  default  INGRESS    1000      tcp:31000        False


Get pods with secure=enabled

kubectl get pods -l "app=myapp,secure=enabled"


Get endpoints

kubectl get endpoints monolith