Hello everybody, welcome again to another OpenShift Commons briefing, this time with another new member of Bitnami who's been around for a long time, but they've just joined the OpenShift Commons recently. And Adnan did a wonderful blog post on Monocular on OpenShift about probably two months ago or so, and I read it with keen interest because anything OpenShift always pops up on my radar, and it was very well done. And I thought that it was timely too, because he talked about Helm and using Helm and Monocular, and on OpenShift we get a lot of questions about that. So I'm gonna let Adnan talk about using both of those things on OpenShift and introduce himself. And there'll be some Q&A in the chat that I'll try and answer, but we'll save most of the Q&A for the very end and won't go live then at the end. So without any further ado, Adnan, thank you for joining us, and take it away.

Thank you for having me, Diane. So everyone, I'm here to talk about Helm and Monocular on OpenShift, and if you haven't heard of Helm, briefly, it's a package manager for Kubernetes, and Monocular is kind of a counterpart in that way, in that it's a web UI for kind of browsing Helm chart repositories.

So before we kind of get into that, just a quick kind of background on who Bitnami are. So if you haven't heard of us, our kind of main kind of mission is to make applications very easy to use on any platform. So if you're, you know, we have a long history of making applications easy to install in VMs, in the cloud, and recently we've been doing a lot in the container ecosystem and Kubernetes, and we've been developing some solutions.
We have a range of containers now for the different applications in our catalog, and we've also been working on some pretty awesome tooling to make applications easier to run on Kubernetes. So if you've heard of things like Kubeless, which is the serverless framework for Kubernetes. We've also been doing some great stuff with ksonnet and kubecfg, and we're also pretty heavily involved in what's going on with Helm and in particular in Monocular as well.

So who am I? I started out at Bitnami almost three years ago now, and initially doing mostly web development stuff, Rails kind of stuff, and I kind of shifted over to DevOps stuff. So I think for about two years now I've been working on containers and Kubernetes, and along the way I've become a core maintainer of Helm and Kubernetes charts, and I've also recently joined the SIG Apps group, the special interest groups for applications with Kubernetes, and become a co-lead there. So if you're looking for me, I'll probably be somewhere around those communities, so you can probably find me there.

So, Kubernetes resources are hard to manage. I think anyone who's used Kubernetes and has had to manage a bunch of YAML probably knows this. So when we started out with Helm, we wanted an easier way to manage and share these manifests, make it really easy for other people in my team, or, you know, even outside my team externally, to pick up something and just use that. But also you kind of need to tweak the definitions a bit and change a port here or change a secret or a password for different environments.
So that was something that wasn't very easy. You'd have to do a nasty sed script in Kubernetes to do that. And you also can't easily manage a lifecycle of your application. So you can manage the state of each Kubernetes resource, deployment, service, but you can't manage these things as a whole. So that was also kind of a missing feature of Kubernetes.

So that's kind of what brought on this idea of Helm, which is a way of logically grouping applications, packages, and kind of giving a package manager interface over that, so something like apt-get or yum that you may be familiar with.

So packages in Helm are called charts, and these are again just application definitions. So they consist of metadata about the chart, your Kubernetes definitions and resources, and there's also some configuration by the values.yaml file, which we'll see. And you can also document your chart through a README and through the NOTES.txt, which is a bit of useful information that gets printed out after you install a chart. And these charts live in chart repositories, which are very simple HTTP servers that just have an index and serve packaged up charts.

So in this slide here, I have a diagram of what a chart package actually looks like. So you can kind of see there's this templates directory where I think most of the stuff is going on. You have your Kubernetes resources, your YAML files, and then there's some other metadata and things about that.

So the way Helm works is it has an in-cluster component called Tiller, and Tiller is the thing that tracks the state of these applications.
So it's kind of an additional component on top of the Kubernetes API that holds the state of applications and renders your charts and creates and updates resources in Kubernetes. So the Helm client on your computer will connect to Tiller via gRPC, and then Tiller will make requests to the Kubernetes API, as you can see in this diagram.

So for Tiller to be able to go and install and update resources, it needs cluster-admin access, cluster-admin privileges. So there's a little bit of fun that you need to deal with with RBAC permissions here to get that to work. There is a question of whether Tiller really needs cluster-admin privileges. So for those of you who are probably more interested in the security requirements for this, you might want to figure out a way to run it with less privileges. But it really comes down to how you end up using Helm and Tiller. If you're using Helm to create namespaces or doing other stuff that generally needs cluster-admin privileges, then you're gonna have to bump up the privileges, but if you're able to just stick to a specific namespace and just create very few resources, then you don't necessarily need all those privileges. So it really depends on what charts you're building and what charts you're trying to install.

So Helm is really easy to grab. You can just grab it on GitHub or install it with Homebrew, so if you're on a Mac you can just do that. So there's the link here for the Helm releases page where you can go and grab it, and to get started all you do is run the helm init command. So I'll go ahead and show this.

Hopefully you can all see my terminal here, and I have an OpenShift cluster running using Minishift. So if I run minishift status, see that's running there. And so now if I run helm, uh, so the first thing I need to do is create a service account.
So I'm creating a service account in the kube-system namespace and calling it tiller, and then I'm gonna go and give this cluster-admin access. Okay. Well, I'm just adding the cluster role cluster-admin to the service account tiller. Yeah, now that I have this I can go ahead and run, sorry, helm init and pass it the service account tiller. And this will get installed in the kube-system namespace. So if I take a look at what's running there... let's wait for... let's get them running, and now I can run helm version and I'm successfully able to connect to Tiller. So that's awesome.

So now I can go and install a chart from the repository. So if I run helm search here, I can see what charts I have available to me, in a kind of jarring way. But you can see here I have the stable repository, which is what comes baked out by default with Helm. I've also added a few other repositories. I've added the incubator repository here, I've added the monocular repository, which we'll see in a moment, and I've also got this to-do app that I've been working on. So I'm gonna go ahead and install my to-do app, and you see that Helm has created a release for my application and it's called, this release, jumpy peacock.

So, similar to Docker and all the other cool things nowadays, Helm comes up with a kind of fun name to give my release if I don't give it a name myself. It also prints out what resources are available, what resources it's going to install. So my to-do application here has a service and a deployment, and that's gone and configured an external IP for that, and then there's this notes section, which I kind of briefly mentioned. It's kind of like a way to document your chart and have a way to just provide your users some next steps to get them running.
So I can actually just copy these commands here, and then I can go and access this in my browser, and I should be able to access my to-do app. Right, so I can add a to-do, this item here... I mean, Monocular.

Well, so that's Helm really. You can see if I run helm list here, and there's a couple of commands which give me some information about the state of my application. So I can see that it's again this jumpy peacock, it's revision one, this is when it was last updated, and this is the version of the chart it's on, and which namespace it's installed in. If I want to get back this information at any time, I can simply run helm status on jumpy peacock. I get all that information back, so I can always get back to that.

So going back to my slides here. So we've seen that Helm makes managing and deploying Kubernetes apps a lot easier. There is kind of still something missing. It's difficult to discover what's available. If you saw, I did that helm search command and there was this wall of text of things. It wasn't really easy to see what was actually available. So this is where Monocular comes in, and actually what you're seeing here is the public version, kubeapps.com, and let's go ahead and take a look at this.

So kubeapps.com is, you can kind of see it as a RubyGems or npmjs or Docker Hub, but for Kubernetes. So all of these things, you know, RubyGems, npm, they all have command line tools that allow you to manage the packages that are installed on your system, and Helm was kind of the equivalent of that. So there needed to be an equivalent of npmjs.org or RubyGems or Docker Hub, and I think this is where Monocular kind of really shines. So on kubeapps.com you can go there.
It's live. You can see a list of all the charts that are available, and these are pulling out of the stable and incubator repositories from the official Kubernetes charts repository, which you can see the source of if you go to github.com/kubernetes/charts. There we go. So you see here you have the stable and incubator repositories here.

So I can go to any one of these charts, I can even search for stuff. So I guess if I search for WordPress, for example, or if I search for blog, there are different blogging platforms. If I go to WordPress I can see here there's the README and other documentation about the chart. Monocular also shows me the command that I can use to install the chart, and I can see all the old versions, what the application version is. I have links here to the homepage of the project, where the sources are, which is, this is a chart source, who the maintainers are, and any related repositories or links for this chart.

Down here in the README I can see some configurations. So Helm allows you to provide a configuration by the command line, and I can configure any of these values if I want, or I can just leave them at the default when I go and install WordPress. There's also a note here about persistence and ingress, and this is all just pulling from the chart repository. So if I click on here and go to the source here, you'll find the exact same README.
I can go back here through different versions and I can kind of see what changes were made. You know, if there's anything of note in the README I can kind of see that there. I can go back all the way to the first version at 0.3.0 and see how much things have changed.

So the version on kubeapps is kind of like a read-only version. You can't really do much else apart from copying that helm install command and run that in your terminal. But you can also run Monocular in-cluster, and that gives you a much more interesting experience.

So I'll just quickly go through the next few slides here. So I mentioned that the goals of the project are mainly to facilitate the discovery of Kubernetes applications. You can also, you know, as I showed you, the two different repositories, there was the incubator repository and a stable repository, but you may also have an internal chart repository for your company that you may also want to add to Monocular, and if you're running this in-cluster, you can aggregate all your different chart repositories from different teams and have that all in one single UI. As I showed, you can easily drop changes across chart versions. And the other thing you can do if you're running in-cluster is install applications with one click. So we'll see a demo of this in a second.

So the way to install Monocular in your cluster, it's via a chart.
You saw that I had the monocular repo when I did helm search, and the monocular chart was in there, so I can go ahead and run helm install monocular/monocular. If I go ahead and do this, and I'm also going to pass in some configuration specific to my environment on OpenShift here, and I'm also going to call this monocular so that I can refer back to it. So again, Monocular has gone in and installed it for me, and this time, because I specifically gave it a name, monocular, it's gone and chosen that name instead for the release, and I can see what resources and deployments and other resources it's going to create for me. And then I have my notes here, which mentions I can access it by monocular.local.

So while that's starting up, I'm going to show you the configuration that I used for this. So I said Helm charts allow you to configure various aspects of the application, and that's actually defined in the chart itself. So the Monocular chart defines these different configuration options for Monocular itself. So the first one is the UI backend hostname, which is basically just telling Monocular, the UI component of Monocular, where the API is. And I have kind of a similar thing with the API here, where I've configured it to allow requests from the monocular.local domain. So this is just setting up the two domain names I'm going to use.

But kind of more interestingly here, I have set up some repos that I'm using with Monocular. So here by default you get the stable and incubator repositories, but I've gone and added an extra one here, which is my to-do app, that's the to-do application that I was working on, and the repository for that is hosted here using GitHub Pages. So you'll see this looks a lot like the output that you see from helm repo list as well.
So you can see the stable and incubator repositories here are pulling from Google Cloud Storage, but I have the monocular and the to-do repositories here pulling from my GitHub Pages as well. So we'll just wait for this to start up. Okay, so the UI and the prerender service are running, but the API is starting up.

So while that's doing that, I'll talk just briefly about the architecture of Monocular. So Monocular has a backend that's written in Go, and this is responsible for indexing chart repositories. So each of the repositories that you define, it'll go and spin off a job every 15 minutes to go and fetch the index and fetch all charts, and then it'll go and process all that metadata and store that in Monocular, and it then exposes this via a JSON API that is used by the frontend. So the frontend will talk to the API by this JSON, by this RESTful JSON API, and consume data that way, and then when you go and install a chart, Monocular will directly talk to Tiller for the chart deployment. So the frontend is written in Angular 2, and it basically just talks to the backend to grab all the data.

Hopefully I'm just running now. Okay, so the API at the start has to go and fetch your chart repos and grab all the data, so it takes a couple minutes to start up. But it looks like... it does not look good. Beauty of a live demo. Yeah, I've clearly offended the demo gods here. Well, hopefully that'll pick up. In the meantime, does anyone have any questions?

There's a couple of questions in the chat, and I think you've answered them, but I'm just going to repeat them. What kind of repository do you need for an internal chart repository? And is that what Monocular is, the actual repository, or is Monocular just the web UI on top of a registry?

So Monocular is just the web UI on top of the repository, and the repositories, they can be very simple.
I can actually show you the one that I'm using for Monocular, actually. So it basically is any HTTP server that can host an index.yaml file and then the actual packages of charts themselves. So if I look at the index.yaml file here, you can see it's just got metadata about the chart and where the package for the chart is. So both the Helm client and Monocular will read this metadata and index the chart from there.

I think that answered Jonathan's question. Let's see if the demo gods are smiling yet.

Ah, we have something running. If we can access this... Yeah, it's awesome. Clearly answering a question was the correct sacrifice to the demo gods.

Okay, so we have this, you've kind of seen this before on kubeapps.com, and you have pretty much the same thing running in-cluster, but there's an extra tab here, Deployments, so this is where the in-cluster experience gets a bit interesting. So if I go over here to Deployments, you can see what I've already installed in my cluster. And I have my monocular chart, which I just deployed, and also my to-do application, my jumpy peacock is here as well, and I can go into this and I can see, again similar to running helm status, I can see what resources have actually been installed. So there's a service here and it shows me the external IP, and also the deployment as well. And I can go... right now
I can only delete this deployment, but the plan is to add further actions, such as scaling out a deployment, and becoming more of a management over charts.

So if I go back here, I can search for my to-do chart, and I can also filter here by the repository, so I can see just what's in the stable repository or just the incubator repository or just what's in the to-do repository if I wanted to.

If I go back to the to-do chart here, you can see I have my README, which explains how to go and install it. But over here on the left, instead of just seeing a helm install command, I actually get a button here where I can actually go and deploy this chart just from the UI. So if I go ahead and click this, I get a new deployment this time, sorry, a new release this time, called innocent sparrow. Eventually I get the same information about resources. So this time I'll go to this one. Once this is up and running, I should be able to access it. But if I run a helm list here, you also see that I have the new innocent sparrow chart installed as well.

So that's actually one of the nice things about Helm, is that because the state of your applications is stored in the cluster, no matter who goes and installs a chart, whether it's me running the helm install command here, or I do it on Monocular, or a co-worker does it, you can all get the same state just by querying the server, in the same way that you can do with the Kubernetes API.

So this still doesn't look like it's tied up. Or maybe my DNS is not working correctly. So it is running, and so Monocular by default will go and install things into the default namespace. But again, another extension to that would be to be able to pick the namespace that you want to go and install it in.

So going back to my slides here. What's next for Monocular?
I think the biggest thing that we're starting to think about now is authentication and authorization. So right now basically anyone who has access to my Monocular instance could go and install any chart they wish to. So it'd be great to have a way to authenticate them, either against the Kubernetes API or just within Monocular itself, and have them have the right authorization to be able to install a chart.

There's also some catalog features which are particularly nice, I think, for the public version, kubeapps.com. So things like being able to rank charts and rate them and categorize them in different categories, so people can find things easier.

For Helm deployment management, I did mention that, you know, there's some things that we can improve there in terms of being able to customize the deployment and upgrade options. So when I installed the chart by the command line, I passed in some options by this config.yaml file. So it'd be great if the UI could also allow you to enter some values before you go and install the chart. It'll also be good to improve the releases information. I kind of had to copy out the external IP there, but it would be great if there was a link that just let me access my application.

There's also some kind of cool things we could do with third-party integrations, such as checking for CVE checks. So this would tell you if the containers you're running have any CVE issues and if there's an upgrade available for that. Also possibly integrating with something like Kubeless, so you can install functions as well as charts. I think some things go well together, like the Minio chart, which is kind of like an S3 bucket store, has events that you can trigger, and Kubeless can listen to those events and do particular things. So there can be some interesting integrations between the two.

So a little bit on the Helm community.
We have over a hundred and seventy contributors, which is awesome. It's almost two years old now, and if you want to get involved, we have a Slack channel in the Kubernetes Slack, which is called helm. Actually, it's now called helm-users and helm-dev. And we have public dev meetings Thursdays at 9:30 PT. So what happens there is each maintainer, sorry, the core maintainers go through a stand-up of things that have been happening during the week, and then we open the floor to anyone who has any questions or wants to discuss anything regarding Helm. And then we also have weekly updates and demos at the SIG Apps meetings, which are Mondays at 9 a.m. So Helm is under the SIG Apps umbrella, like charts and Monocular as well. So we often give updates during those meetings on what's been going on. And finally, we are looking for contributors for Monocular and helping us take it to the next level. So if you're interested, you know, it's all open source at kubernetes-helm/monocular. Please check it out and help us out. Thank you very much.

Cool. Well, thanks, and there's a couple of questions. Jonathan's been asking quite a few, and so he asked the original one about the repository questions. Would you just clarify: would you install Helm on your host PC or in the VM running Minishift? And I think the beginning of the demo clarified that, but if you could just reiterate.

Yeah, so you could install Helm in your Minishift VM if you wanted to, but I think typically people just install it on their home PC, and the way Helm communicates with Tiller is through the kubeconfig. So it'll read your kubeconfig, set up a port forward to the Tiller pod, and then communicate over gRPC from there.

And then there's another follow-up to that around security. Is there a security roles concern about using Helm on a shared cluster? Does it provide the role-based access control on individual users, or is maybe that something you're looking on?
So yeah, that's actually something that we're definitely looking at in the Helm community as a whole. So I think one of the blaring issues when it comes to security right now is that Tiller has, again, cluster-admin access, and everything goes through Tiller right now. So there is no... Tiller doesn't really abide by role-based access control per user. So there's no way right now for you to install a chart as your user. It will always be installed as Tiller's global access. So we're definitely looking at figuring out how we can get Tiller to install things as the user in kubeconfig. I think that's kind of the way that we're looking at going about it, either via impersonating the user or passing on the token for that user and setting up a Helm client and installing it. There's actually a great issue with lots of kind of back-and-forth comments on that in the Helm issue queue. I think it's called... well, probably find it here.

We've also actually discussed it in the last dev meeting. So if you are interested in asking about this, that's probably the best place to come on and ask about it and also share your ideas, because I think we still haven't figured out exactly how we want to get this working. So this is the issue I was talking about, it's one nine one eight, and there's a great proposal here from tomorrow, but it goes on and there's a lot of back-and-forth discussions. But hopefully we'll reach some conclusions soon.

And there's another question coming in on the to-do list. There was also a point about configuring deployments. There seems to be a lot of configuration in the demo deployments as shown. How do people change these config values now, before you're able to prompt the values? So was it a question about installing via Monocular or installing via the Helm command line? You see, if I could, I'm going to try and unmute Jonathan and ask him to ask the question directly. But Jonathan, can you jump in?
Hey, can you hear me now?

Absolutely.

Yeah. Hey, thanks guys. This is really exciting. I was just curious because you kept showing, when you demoed Monocular itself and also the to-do app, there was a big list of configurations, which I'm used to with OpenShift templates, about, you know, essentially things that turn into environment variables in the Docker containers. And so it sounded like on your to-do list was a way for you to allow users to configure those values before they deploy something, and I'm wondering how you're doing that now. Are you like changing them after the deployment, or how are you changing those config values if you don't have a way to prompt users to do that, either in Monocular or in Helm?

Yeah, so right now in Monocular we basically install a chart without any values. So generally that means that they pick up, oh well, always that means they pick up the default values. So if I go to something like WordPress here again and take a look at the configuration here.
Usually all charts will have good defaults, so that a simple, you know, helm install stable/wordpress will work out of the box. It's only sometimes, some more complex scenarios or where you're trying to do something more interesting, where you actually want to go and change things. But for example, you know, the password here is a random 10 character string, so that's an example of a good secure default. Other things here like the email or the first name, these are all things that you can change within the application itself afterwards as well. But so if I was to install this with Monocular, it would just go and install it with all the defaults. In the command line I can obviously, using... I just... this here. So you see there's this --set flag, and this allows me to set each of these configuration variables. There's also the values file, which is what I use with Monocular, which just allows me to provide a YAML file instead of having each one on the command line. But if I wanted to, for example, change the WordPress password, I could do something like helm install stable/wordpress --set wordpressPassword equals...

Hopefully that answered your question.

That's great. Thanks.

Anyone else have questions? Give it a few seconds here. I think it was a great introduction both to Helm and to the Monocular project, and I'd encourage everybody to take a look at both of those things and maybe attend one of the SIG meetings and listen in. It sounds like there's a lot of good work going on and great ideas floating about in that space, so if you have the time, they definitely need the feedback and your input.
So thanks, Adnan, for coming today and telling us about this, and then look forward to another follow-up or two on other Helm-related and package-management-related topics as well. So it'll be interesting to see where all this goes in terms of the service catalog work and templates on OpenShift and, you know, this, and so really kind of interesting to see this as this whole space evolves.

Thank you, Diane. It was great to come on and show Helm and Monocular.

All right, so this video, for those of you who are looking, and the slides, hopefully we'll get Adnan to share them with me, and they'll all be up on blog.openshift.com in the day or so. So again, thank you for taking the time, Adnan, and we'll be looking forward to more from Bitnami and work on the Helm folks in the future.

Sounds good. Thanks a lot.