Openshift Container Platform Technical Overview

OPENSHIFT CONTAINER PLATFORM TECHNICAL OVERVIEW

Presenter Presenter’s title Date Self-Service Standards-based

Multi-language Web-scale

Automation Open Source

Collaboration Enterprise Grade

Multi-tenant Secure

2 OPENSHIFT TECHNICAL OVERVIEW OPENSHIFT ARCHITECTURE

3 OPENSHIFT TECHNICAL OVERVIEW LINUX CONTAINERS WHAT ARE CONTAINERS? It Depends Who You Ask

INFRASTRUCTURE APPLICATIONS

● Application processes on a shared kernel ● Package apps with all dependencies ● Simpler, lighter, and denser than VMs ● Deploy to any environment in seconds ● Portable across different environments ● Easily accessed and shared

5 OPENSHIFT TECHNICAL OVERVIEW VIRTUAL MACHINES AND CONTAINERS

VIRTUAL MACHINES CONTAINERS

VM Container Container Container Container

App App App App App App App App

OS Dependencies OS deps OS deps OS deps OS deps

Kernel Container Host (Kernel)

Hypervisor Hardware Hardware

virtual machines are isolated containers are isolated apps are not so are the apps

6 OPENSHIFT TECHNICAL OVERVIEW VIRTUAL MACHINES AND CONTAINERS

Virtual Machine Container

Application Application

OS dependencies OS dependencies

Operating System Container Host

VM Isolation Container Isolation Complete OS Shared Kernel Static Compute Burstable Compute Static Memory Burstable Memory High Resource Usage Low Resource Usage

7 OPENSHIFT TECHNICAL OVERVIEW VIRTUAL MACHINES AND CONTAINERS

Virtual Machine Container

Application Clear ownership boundary Application Dev IT Ops OS dependencies between Dev and IT Ops OS dependencies (and Dev, sort of) drives DevOps adoption Operating System and fosters agility Container Host IT Ops Infrastructure Infrastructure

Optimized for stability Optimized for agility

8 OPENSHIFT TECHNICAL OVERVIEW APPLICATION PORTABILITY WITH VM

Virtual machines are NOT portable across hypervisor and do NOT provide portable packaging for applications

Guest VM VM Type X VM Type Y VM Type Z

Application Application Application Application Application OS dependencies OS dependencies OS dependencies OS dependencies OS dependencies

Operating System Operating System Operating System Operating System Operating System

LAPTOP BARE METAL VIRTUALIZATION PRIVATE CLOUD PUBLIC CLOUD

9 OPENSHIFT TECHNICAL OVERVIEW APPLICATION PORTABILITY WITH CONTAINERS

RHEL Containers + RHEL Host = Guaranteed Portability Across Any Infrastructure

Container Container Container Container Container

Application Application Application Application Application

OS dependencies OS dependencies OS dependencies OS dependencies OS dependencies

RHEL RHEL RHEL RHEL RHEL Guest VM Virtual Machine Virtual Machine Virtual Machine

LAPTOP BARE METAL VIRTUALIZATION PRIVATE CLOUD PUBLIC CLOUD

10 OPENSHIFT TECHNICAL OVERVIEW RAPID SECURITY PATCHING USING CONTAINER IMAGE LAYERING

Image Layer 3 Application Layer

Image Layer 2 Java Runtime Layer

Image Layer 1 OS Update Layer

Base Image Base RHEL

Container Image Layers Example Container Image

11 OPENSHIFT TECHNICAL OVERVIEW A lightweight, OCI-compliant container runtime

Any OCI-compliant Optimized for container from any Improve Security and Kubernetes OCI registry Performance at scale (including docker)

Available in OpenShift Online (soon) Tech Preview in OCP 3.7, GA in OCP 3.8

12 OPENSHIFT TECHNICAL OVERVIEW OPENSHIFT ARCHITECTURE YOUR CHOICE OF INFRASTRUCTURE

14 OPENSHIFT TECHNICAL OVERVIEW NODES RHEL INSTANCES WHERE APPS RUN

15 OPENSHIFT TECHNICAL OVERVIEW APPS RUN IN CONTAINERS

16 OPENSHIFT TECHNICAL OVERVIEW PODS ARE THE UNIT OF ORCHESTRATION

17 OPENSHIFT TECHNICAL OVERVIEW MASTERS ARE THE CONTROL PLANE

18 OPENSHIFT TECHNICAL OVERVIEW API AND AUTHENTICATION

19 OPENSHIFT TECHNICAL OVERVIEW DESIRED AND CURRENT STATE

20 OPENSHIFT TECHNICAL OVERVIEW INTEGRATED CONTAINER REGISTRY

21 OPENSHIFT TECHNICAL OVERVIEW ORCHESTRATION AND SCHEDULING

22 OPENSHIFT TECHNICAL OVERVIEW PLACEMENT BY POLICY

23 OPENSHIFT TECHNICAL OVERVIEW AUTOSCALING PODS

24 OPENSHIFT TECHNICAL OVERVIEW SERVICE DISCOVERY

25 OPENSHIFT TECHNICAL OVERVIEW PERSISTENT DATA IN CONTAINERS

26 OPENSHIFT TECHNICAL OVERVIEW ROUTING AND LOAD-BALANCING

27 OPENSHIFT TECHNICAL OVERVIEW ACCESS VIA WEB, CLI, IDE AND API

28 OPENSHIFT TECHNICAL OVERVIEW TECHNICAL DEEP DIVE MONITORING APPLICATION HEALTH AUTO-HEALING FAILED PODS

31 OPENSHIFT TECHNICAL OVERVIEW AUTO-HEALING FAILED CONTAINERS

32 OPENSHIFT TECHNICAL OVERVIEW AUTO-HEALING FAILED CONTAINERS

33 OPENSHIFT TECHNICAL OVERVIEW AUTO-HEALING FAILED CONTAINERS

34 OPENSHIFT TECHNICAL OVERVIEW AUTO-HEALING FAILED CONTAINERS

c c

35 OPENSHIFT TECHNICAL OVERVIEW NETWORKING BUILT-IN SERVICE DISCOVERY INTERNAL LOAD-BALANCING

37 OPENSHIFT TECHNICAL OVERVIEW BUILT-IN SERVICE DISCOVERY INTERNAL LOAD-BALANCING

38 OPENSHIFT TECHNICAL OVERVIEW ROUTE EXPOSES SERVICES EXTERNALLY

39 OPENSHIFT TECHNICAL OVERVIEW ROUTING AND EXTERNAL LOAD-BALANCING

● Pluggable routing architecture ○ HAProxy Router ○ F5 Router

● Multiple-routers with traffic sharding ● Router supported protocols ○ HTTP/HTTPS ○ WebSockets ○ TLS with SNI

● Non-standard ports via cloud load-balancers, external IP, and NodePort

40 OPENSHIFT TECHNICAL OVERVIEW ROUTE SPLIT TRAFFIC

Split Traffic Between Multiple Services For A/B Testing, Blue/Green and Canary Deployments

41 OPENSHIFT TECHNICAL OVERVIEW EXTERNAL TRAFFIC TO A SERVICE ON A RANDOM PORT WITH NODEPORT

● NodePort binds a service to a unique port on all the nodes

● Traffic received on any node redirects to a node with the running service

● Ports in 30K-60K range which usually differs from the service

● Firewall rules must allow traffic to all nodes on the specific port

42 OPENSHIFT TECHNICAL OVERVIEW EXTERNAL TRAFFIC TO A SERVICE ON ANY PORT WITH INGRESS

● Access a service with an external IP on any TCP/UDP port, such as ○ Databases ○ Message Brokers

● Automatic IP allocation from a predefined pool using Ingress IP Self-Service

● IP failover pods provide high availability for the IP pool

43 OPENSHIFT TECHNICAL OVERVIEW CONTROL OUTGOING TRAFFIC SOURCE IP WITH EGRESS ROUTER

44 OPENSHIFT TECHNICAL OVERVIEW OPENSHIFT NETWORKING

● Built-in internal DNS to reach services by name

● Split DNS is supported via SkyDNS ○ Master answers DNS queries for internal services ○ Other nameservers serve the rest of the queries

● Software Defined Networking (SDN) for a unified cluster network to enable pod-to-pod communication

● OpenShift follows the Kubernetes Container Networking Interface (CNI) plug-in model

45 OPENSHIFT TECHNICAL OVERVIEW OPENSHIFT NETWORK PLUGINS

* Flannel is minimally verified and is supported only and exactly as deployed in the OpenShift on OpenStack reference architecture

46 OPENSHIFT TECHNICAL OVERVIEW OPENSHIFT NETWORKING

47 OPENSHIFT TECHNICAL OVERVIEW OPENSHIFT SDN

FLAT NETWORK (Default)

● All pods can communicate with each other across projects

MULTI-TENANT NETWORK NODE NODE

● Project-level network isolation POD POD POD POD ● Multicast support

● Egress network policies POD POD POD POD

NETWORK POLICY (Tech Preview)

● Granular policy-based isolation

48 OPENSHIFT TECHNICAL OVERVIEW OPENSHIFT SDN - NETWORK POLICY

Example Policies ● Allow all traffic inside the project ● Allow traffic from green to gray ● Allow traffic to purple on 8080

apiVersion: extensions/v1beta1 kind: NetworkPolicy metadata: name: allow-to-purple-on-8080 spec: podSelector: matchLabels: color: purple ingress: - ports: - protocol: tcp port: 8080

49 OPENSHIFT TECHNICAL OVERVIEW OPENSHIFT SDN - OVS PACKET FLOW

Container to Container on the Same Host

50 OPENSHIFT TECHNICAL OVERVIEW OPENSHIFT SDN - OVS PACKET FLOW

Container to Container on the Different Hosts

51 OPENSHIFT TECHNICAL OVERVIEW OPENSHIFT SDN - OVS PACKET FLOW

Container Connects to External Host

52 OPENSHIFT TECHNICAL OVERVIEW OPENSHIFT SDN WITH FLANNEL FOR OPENSTACK

Flannel is minimally verified and is supported only and exactly as deployed in the OpenShift on OpenStack reference architecture https://access.redhat.com/articles/2743631

53 OPENSHIFT TECHNICAL OVERVIEW LOGGING & METRICS CENTRAL LOG MANAGEMENT WITH EFK

● EFK stack to aggregate logs for hosts and applications

○ Elasticsearch: an object store to store all logs

○ Fluentd: gathers logs and sends to Elasticsearch.

○ Kibana: A web UI for Elasticsearch.

● Access control

○ Cluster administrators can view all logs

○ Users can only view logs for their projects

● Ability to send logs elsewhere

○ External elasticsearch, Splunk, etc

55 OPENSHIFT TECHNICAL OVERVIEW CENTRAL LOG MANAGEMENT WITH EFK

NODE

POD POD NODE ELASTIC ELASTIC POD POD FLUENTD ELASTIC ELASTIC

POD POD RHELNODE

POD POD FLUENTD

POD POD ELASTIC ELASTIC RHEL ELASTIC ELASTIC

POD POD FLUENTD

RHEL

56 OPENSHIFT TECHNICAL OVERVIEW CONTAINER METRICS

57 OPENSHIFT TECHNICAL OVERVIEW CONTAINER METRICS

NODE

POD POD NODE

POD POD FLUENTD

POD POD RHELNODE

POD POD FLUENTD

POD POD ELASTIC ELASTIC RHEL

POD POD CADVISOR

RHEL

58 OPENSHIFT TECHNICAL OVERVIEW SECURITY TEN LAYERS OF CONTAINER SECURITY

Container Host & Multi-tenancy Federated Clusters

Container Platform API Management

Network Isolation Deploying Container

Container Registry Container Content

Storage Building Containers

60 OPENSHIFT TECHNICAL OVERVIEW SECRET MANAGEMENT

● Secure mechanism for holding sensitive data e.g. ○ Passwords and credentials ○ SSH Keys ○ Certificates

● Secrets are made available as ○ Environment variables ○ Volume mounts ○ Interaction with external systems

● Encrypted in transit

● Never rest on the nodes

61 OPENSHIFT TECHNICAL OVERVIEW PERSISTENT STORAGE PERSISTENT STORAGE

● Persistent Volume (PV) is tied to a piece of network storage ● Provisioned by an administrator (static or dynamically) ● Allows admins to describe storage and users to request storage ● Assigned to pods based on the requested size, access mode, labels and type

OpenStack NFS iSCSI Azure Disk AWS EBS FlexVolume Cinder

GCE Persistent VMWare GlusterFS Ceph RBD Fiber Channel Azure File Disk vSphere VMDK

63 OPENSHIFT TECHNICAL OVERVIEW PERSISTENT STORAGE

64 OPENSHIFT TECHNICAL OVERVIEW DYNAMIC VOLUME PROVISIONING

65 OPENSHIFT TECHNICAL OVERVIEW CONTAINER-NATIVE STORAGE

● Containerized Red Hat Gluster Storage

● Native integration with OpenShift

● Unified Orchestration using Kubernetes for applications and storage

● Greater control & ease of use for developers

● Lower TCO through convergence

● Single vendor Support

66 OPENSHIFT TECHNICAL OVERVIEW CONTAINER-NATIVE STORAGE

MASTER

NODE NODE NODE NODE

POD POD POD POD POD POD POD

POD POD POD

67 OPENSHIFT TECHNICAL OVERVIEW SERVICE BROKER WHY A SERVICE BROKER?

Manual, Time-consuming and Inconsistent

69 OPENSHIFT TECHNICAL OVERVIEW A multi-vendor project to standardize how services are consumed on cloud-native platforms across service providers

70 OPENSHIFT TECHNICAL OVERVIEW WHAT IS A SERVICE BROKER?

Automated, Standard and Consistent

71 OPENSHIFT TECHNICAL OVERVIEW OPENSHIFT SERVICE CATALOG

72 OPENSHIFT TECHNICAL OVERVIEW SERVICE BROKER CONCEPTS

SERVICE: an offering that can be used by an app e.g. database

PLAN: a specific flavor of a service e.g. Gold Tier

SERVICE INSTANCE: an instance of the offering

SERVICE SERVICE SERVICE SERVICE PROVISION: creating a service instance CONSUMER CATALOG BROKER PROVIDER

BIND: associate a service instance and its credentials to an app

73 OPENSHIFT TECHNICAL OVERVIEW HOW TO ADD A SERVICE BROKER

● Deploy service broker on or off OpenShift

● Register the broker referring to the deployed broker

apiVersion: servicecatalog.k8s.io/v1alpha1 kind: Broker metadata: name: asb-broker spec: url: https://asb-1338-ansible-service-broker.10.2.2.15.nip.io

● Register the broker services by creating ServiceClass resources (the service broker might automatically perform this step)

74 OPENSHIFT TECHNICAL OVERVIEW TEMPLATE SERVICE BROKER

● Exposes Templates and Instant Apps in the Service Catalog

● Pulled from openshift namespace by default

● Multiple namespaces can be configured for template discovery

75 OPENSHIFT TECHNICAL OVERVIEW TEMPLATE SERVER BROKER PROVISIONING

openshift Service Broker creates a namespace the objects from the nodejs-template template OpenShift Service Catalog

Template Service Node.js Broker Container

76 OPENSHIFT TECHNICAL OVERVIEW TEMPLATE SERVICE BROKER BINDING

Service Broker creates a binding and secret for openshift namespace any credentials (config nodejs-template map, secret, etc) created

OpenShift by the template Service Catalog

Template Service Node.js Broker Container

create binding

77 OPENSHIFT TECHNICAL OVERVIEW OPENSHIFT ANSIBLE BROKER

● Use Ansible on OpenShift

○ Deploy containerized applications ○ Provision external services (e.g. Oracle database) ○ Provision cloud services (e.g. AWS RDS) ○ Orchestrate multi-service solutions ○ Conditional logic for control on deployments (e.g. database is initialized)

● Leverage existing Ansible playbooks

● Anything you can do with Ansible, you can do with OAB

78 OPENSHIFT TECHNICAL OVERVIEW ANSIBLE PLAYBOOK BUNDLES (APB)

● Lightweight application definition

● Packaged as a container image ├─ roles ├─ playbooks │ ├─ provision.yaml ● Embedded Ansible runtime │ ├─ unprovision.yaml │ ├─ bind.yaml ● Metadata for parameters │ └─ unbind.yaml └─ apb.yaml ● Named playbooks for actions Ansible Runtime ● Leverage existing Ansible playbooks Ansible Playbook Bundle ● Registry is queried to discover APBs (Container Image)

79 OPENSHIFT TECHNICAL OVERVIEW OPENSHIFT ANSIBLE BROKER PROVISIONING OpenShift Registry Docker Hub Red Hat Container Catalog

mediawiki-apb

postgresql-apb Discover and list APBs from the OpenShift Service Catalog configured image registries OpenShift

Ansible Broker

80 OPENSHIFT TECHNICAL OVERVIEW OPENSHIFT ANSIBLE BROKER PROVISIONING OpenShift Registry Docker Hub Red Hat Pull APB image and Container Catalog run it with the broker

mediawiki-apb action as a parameter postgresql-apb

OpenShift Service Catalog

OpenShift APB Container Ansible Broker (postgresql)

oc run postgresql-apb provision $vars

81 OPENSHIFT TECHNICAL OVERVIEW OPENSHIFT ANSIBLE BROKER PROVISIONING OpenShift Registry Docker Hub Red Hat APB container runs Container Catalog provision.yaml

mediawiki-apb playbook to create a

postgresql-apb PostgreSQL container OpenShift Service Catalog

Postgre AnsibleOpenShift APB Container SQL ServiceAnsible Broker (postgresql) Container

oc run postgresql-apb provision $vars ansible-playbook provision.yaml $vars

82 OPENSHIFT TECHNICAL OVERVIEW OPENSHIFT ANSIBLE BROKER BINDING OpenShift Registry Docker Hub Red Hat APB container runs Container Catalog bind.yaml

mediawiki-apb playbook to create

postgresql-apb database user OpenShift Service Catalog

Postgre OpenShift APB Container SQL Ansible Broker (postgresql) Container

oc run postgresql-apb bind $vars ansible-playbook bind.yaml $vars

MediaWiki Container

83 OPENSHIFT TECHNICAL OVERVIEW OPENSHIFT ANSIBLE BROKER BINDING OpenShift Registry Docker Hub Red Hat APB container goes Container Catalog

away and Service Broker mediawiki-apb creates a binding for

postgresql-apb the PostgreSQL service OpenShift Service Catalog

Postgre OpenShift SQL Ansible Broker Container

MediaWiki create binding Container

84 OPENSHIFT TECHNICAL OVERVIEW OPENSHIFT ANSIBLE BROKER BINDING OpenShift Registry Docker Hub Red Hat Service Catalog creates Container Catalog

a secret for the binding, mediawiki-apb containing the database

postgresql-apb credentials OpenShift Service Catalog

Postgre OpenShift SQL Ansible Broker Container

MediaWiki mount binding secret Container

85 OPENSHIFT TECHNICAL OVERVIEW OPENSHIFT ANSIBLE BROKER BINDING OpenShift Registry Docker Hub Red Hat MediaWiki container Container Catalog

uses the credentials in mediawiki-apb the secret to connect

postgresql-apb to the PostgreSQL OpenShift Service Catalog database

Postgre OpenShift SQL Ansible Broker Container

MediaWiki mount binding secret Container

86 OPENSHIFT TECHNICAL OVERVIEW AWS SERVICE BROKER

● Targets Top 10 AWS Services

● Uses Ansible Playbook Bundles

● Available in OpenShift 3.7

SQS SNS DynamoDB Redshift SES S3

RDS EMR AWS Batch ElastiCache Route 53

87 OPENSHIFT TECHNICAL OVERVIEW AWS PROVISIONING Registries Compatible Docker AWS ECR APB container runs

provision.yaml playbook s3-apb to interact with CFN and rds-apb create RDS instance OpenShift Service Catalog

AWS OpenShift APB AWS Container Cloud RDS Ansible Broker (rds) Formation

oc run rds-apb provision $vars ansible-playbook provision.yaml $vars

88 OPENSHIFT TECHNICAL OVERVIEW OPERATIONAL MANAGEMENT

TOP CHALLENGES OF RUNNING CONTAINERS AT SCALE

OPERATIONAL SERVICE SECURITY FINANCIAL EFFICIENCY HEALTH & COMPLIANCE MANAGEMENT

90 OPENSHIFT TECHNICAL OVERVIEW ● ● ● ● ● ● ● ●

91 OPENSHIFT TECHNICAL OVERVIEW OPERATIONAL EFFICIENCY

● CloudForms continuously discovers your infrastructure in near real time. ● CloudForms discovers and visualizes relationships between infra components

● CloudForms cross references inventory across technologies.

● CloudForms offers custom automation via control policy or UI extensions

92 OPENSHIFT TECHNICAL OVERVIEW OPERATIONAL EFFICIENCY

93 OPENSHIFT TECHNICAL OVERVIEW SERVICE HEALTH

● CloudForms monitors resource consumption and shows trends ● CloudForms alerts on performance thresholds or other events ● CloudForms offers right-sizing recommendations ● CloudForms enforces configuration and tracks it over time.

94 OPENSHIFT TECHNICAL OVERVIEW SERVICE HEALTH

95 OPENSHIFT TECHNICAL OVERVIEW SECURITY & COMPLIANCE

● CloudForms finds and marks nodes non-compliant with policy. ● CloudForms allows reporting on container provenance. ● CloudForms scans container images using OpenSCAP. ● CloudForms tracks genealogy between images and containers.

96 OPENSHIFT TECHNICAL OVERVIEW SECURITY & COMPLIANCE

97 OPENSHIFT TECHNICAL OVERVIEW FINANCIAL MANAGEMENT

● Define cost models for infrastructure and understand your cost. ● Rate schedules per platform and per tenant with multi-tiered and multi-currency support

● CloudForms shows top users for CPU, memory, as well as cost. ● Chargeback/showback to projects based on container utilization.

98 OPENSHIFT TECHNICAL OVERVIEW FINANCIAL MANAGEMENT

99 OPENSHIFT TECHNICAL OVERVIEW REFERENCE ARCHITECTURES REFERENCE ARCHITECTURES

OpenShift on VMware vCenter Application Release Strategies with OpenShift

OpenShift on Red Hat OpenStack Platform Building Polyglot Microservices on OpenShift

OpenShift on Amazon Web Services Building JBoss EAP 6 Microservices on OpenShift

OpenShift on Google Cloud Platform Building JBoss EAP 7 Microservices on OpenShift

OpenShift on Microsoft Azure Business Process Management with JBoss BPMS on OpenShift

OpenShift on Red Hat Virtualization Build and Deployment of Java Applications on OpenShift

OpenShift on HPE Servers with Ansible Tower Building Microservices on OpenShift with Fuse Integration...

OpenShift on VMware vCenter 6 with Gluster JFrog Artifactory on OpenShift Container Platform

Deploying an OpenShift Distributed Architecture Spring Boot Microservices on Red Hat OpenShift

OpenShift Architecture and Deployment Guide API Management with Red Hat 3scale on OpenShift

OpenShift Scaling, Performance, and Capacity Planning

101 OPENSHIFT TECHNICAL OVERVIEW BUILD AND DEPLOY CONTAINER IMAGES BUILD AND DEPLOY CONTAINER IMAGES

DEPLOY YOUR DEPLOY YOUR DEPLOY YOUR SOURCE CODE APP BINARY CONTAINER IMAGE

103 OPENSHIFT TECHNICAL OVERVIEW DEPLOY SOURCE CODE WITH SOURCE-TO-IMAGE (S2I)

User/Tool Does OpenShift Does

104 OPENSHIFT TECHNICAL OVERVIEW DEPLOY APP BINARY WITH SOURCE-TO-IMAGE (S2I)

User/Tool Does OpenShift Does

105 OPENSHIFT TECHNICAL OVERVIEW DEPLOY DOCKER IMAGE

User/Tool Does OpenShift Does

106 OPENSHIFT TECHNICAL OVERVIEW BUILD IMAGES IN MULTIPLE STAGES

107 OPENSHIFT TECHNICAL OVERVIEW EXAMPLE: USE ANY RUNTIME IMAGE WITH SOURCE-TO-IMAGE BUILDS

Use Source-to-Image to build app binaries and deploy on lean vanilla runtimes

read more on https://blog.openshift.com/chaining-builds/

108 OPENSHIFT TECHNICAL OVERVIEW EXAMPLE: USE ANY BUILD TOOL WITH OFFICIAL RUNTIME IMAGES

Use your choice of build tool like Gradle and deploy to official images like the JDK image

read more on https://blog.openshift.com/chaining-builds/

109 OPENSHIFT TECHNICAL OVERVIEW EXAMPLE: SMALL LEAN RUNTIMES

Build the app binary and deploy on small scratch images

read more on https://blog.openshift.com/chaining-builds/

110 OPENSHIFT TECHNICAL OVERVIEW CONTINUOUS INTEGRATION (CI) CONTINUOUS DELIVERY (CD) CI/CD WITH BUILD AND DEPLOYMENTS

BUILDS

● Webhook triggers: build the app image whenever the code changes ● Image trigger: build the app image whenever the base language or app runtime changes ● Build hooks: test the app image before pushing it to an image registry

DEPLOYMENTS

● Deployment triggers: redeploy app containers whenever configuration changes or the image changes in the OpenShift integrated registry or upstream registries

112 OPENSHIFT TECHNICAL OVERVIEW CONTINUOUS DELIVERY WITH CONTAINERS

113 OPENSHIFT TECHNICAL OVERVIEW OPENSHIFT LOVES CI/CD

JENKINS-AS-A SERVICE HYBRID JENKINS INFRA EXISTING CI/CD ON OPENSHIFT WITH OPENSHIFT DEPLOY TO OPENSHIFT

114 OPENSHIFT TECHNICAL OVERVIEW JENKINS-AS-A-SERVICE ON OPENSHIFT

● Certified Jenkins images with pre-configured plugins ○ Provided out-of-the-box ○ Follows Jenkins 1.x and 2.x LTS versions

● Jenkins S2I Builder for customizing the image ○ Install Plugins ○ Configure Jenkins ○ Configure Build Jobs

● OpenShift plugins to integrate authentication with OpenShift and also CI/CD pipelines

● Dynamically deploys Jenkins slave containers

115 OPENSHIFT TECHNICAL OVERVIEW HYBRID JENKINS INFRA WITH OPENSHIFT

● Scale existing Jenkins infrastructure by dynamically provisioning Jenkins slaves on OpenShift

● Use Kubernetes plug-in on existing Jenkin servers

116 OPENSHIFT TECHNICAL OVERVIEW EXISTING CI/CD DEPLOY TO OPENSHIFT

● Existing CI/CD infrastructure outside OpenShift performs operations against OpenShift ○ OpenShift Pipeline Jenkins Plugin for Jenkins ○ OpenShift CLI for integrating other CI Engines with OpenShift

● Without disrupting existing processes, can be combined with previous alternative

117 OPENSHIFT TECHNICAL OVERVIEW OPENSHIFT PIPELINES

● OpenShift Pipelines allow defining a apiVersion: v1 CI/CD workflow via a Jenkins pipeline kind: BuildConfig metadata: which can be started, monitored, and name: app-pipeline spec: managed similar to other builds strategy: type: JenkinsPipeline jenkinsPipelineStrategy: ● Dynamic provisioning of Jenkins slaves jenkinsfile: |- node('maven') { stage('build app') { ● Auto-provisioning of Jenkins server git url: 'https://git/app.git' sh "mvn package" ● OpenShift Pipeline strategies } stage('build image') { ○ Embedded Jenkinsfile sh "oc start-build app --from-file=target/app.jar } ○ Jenkinsfile from a Git repository stage('deploy') { openshiftDeploy deploymentConfig: 'app' } }

118 OPENSHIFT TECHNICAL OVERVIEW 119 OPENSHIFT TECHNICAL OVERVIEW CONTINUOUS DELIVERY PIPELINE

● ● ●

120 OPENSHIFT TECHNICAL OVERVIEW CONTINUOUS DELIVERY PIPELINE

121 OPENSHIFT TECHNICAL OVERVIEW CONTINUOUS DELIVERY PIPELINE

122 OPENSHIFT TECHNICAL OVERVIEW CONTINUOUS DELIVERY PIPELINE

123 OPENSHIFT TECHNICAL OVERVIEW CONTINUOUS DELIVERY PIPELINE

ServiceNow JIRA Service Desk Zendeks BMC Remedy

☒ ☑

124 OPENSHIFT TECHNICAL OVERVIEW CONTINUOUS DELIVERY PIPELINE

☒ ☑

125 OPENSHIFT TECHNICAL OVERVIEW DEVELOPER WORKFLOW LOCAL DEVELOPMENT WORKFLOW

127 OPENSHIFT TECHNICAL OVERVIEW LOCAL DEVELOPMENT WORKFLOW

BOOTSTRAP

● Pick your programming language and application runtime of choice ● Create the project skeleton from scratch or use a generator such as ○ Maven archetypes ○ Quickstarts and Templates ○ OpenShift Generator ○ Spring Initializr

128 OPENSHIFT TECHNICAL OVERVIEW LOCAL DEVELOPMENT WORKFLOW

DEVELOP

● Pick your framework of choice such as Java EE, Spring, Ruby on Rails, Django, Express, ... ● Develop your application code using your editor or IDE of choice ● Build and test your application code locally using your build tools ● Create or generate OpenShift templates or Kubernetes objects

129 OPENSHIFT TECHNICAL OVERVIEW LOCAL DEVELOPMENT WORKFLOW

LOCAL DEPLOY

● Deploy your code on a local OpenShift cluster ○ Red Hat Container Development Kit (CDK), minishift and oc cluster ● Red Hat CDK provides a standard RHEL-based development environment ● Use binary deploy, maven or CLI rsync to push code or app binary directly into containers

130 OPENSHIFT TECHNICAL OVERVIEW LOCAL DEVELOPMENT WORKFLOW

VERIFY

● Verify your code is working as expected ● Run any type of tests that are required with or without other components (database, etc) ● Based on the test results, change code, deploy, verify and repeat

131 OPENSHIFT TECHNICAL OVERVIEW LOCAL DEVELOPMENT WORKFLOW

GIT PUSH

● Push the code and configuration to the Git repository ● If using Fork & Pull Request workflow, create a Pull Request ● If using code review workflow, participate in code review discussions

132 OPENSHIFT TECHNICAL OVERVIEW LOCAL DEVELOPMENT WORKFLOW

PIPELINE

● Pushing code to the Git repository triggers one or multiple deployment pipelines ● Design your pipelines based on your development workflow e.g. test the pull request ● Failure in the pipeline? Go back to the code and start again

133 OPENSHIFT TECHNICAL OVERVIEW APPLICATION SERVICES A PLATFORM THAT GROWS WITH YOUR BUSINESS

Web Data Intelligent Micro Application Virtualization Process services

API Single Java EE Mobile Management Sign-On Application

Real Time Integration Messaging Data Grid Decision

135 OPENSHIFT TECHNICAL OVERVIEW TRUE POLYGLOT PLATFORM

LANGUAGES

DATABASES CrunchyData GitLab Iron.io

WEB SERVERS Couchbase Sonatype EnterpriseDB NuoDB Fujitsu

MIDDLEWARE and many more

136 OPENSHIFT TECHNICAL OVERVIEW TESTED AND VERIFIED MICROSERVICES FRAMEWORKS

LAUNCH

Spring Boot Netflix Hystrix Netflix Ribbon

SUPPORTED MICROSERVICES RUNTIMES

Reactive MicroProfile Server-side JS Java EE Java EE Web Eclipse Vert.x WildFly Swarm Node.js JBoss EAP Embedded Tomcat

Modern, Cloud-Native Application Runtimes and an Opinionated Developer Experience

137 OPENSHIFT TECHNICAL OVERVIEW MICROSERVICES INFRASTRUCTURE: ISTIO SERVICE MESH WHAT YOU NEED FOR MICROSERVICES?

Visibility & Reporting

Resilience & Fault Tolerance

Routing & Traffic Control

Identity & Security

Policy Enforcement

139 OPENSHIFT TECHNICAL OVERVIEW WHAT YOU NEED FOR MICROSERVICES?

Visibility & Reporting

Resilience & Fault Tolerance Routing & Traffic Control Istio Identity & Security

Policy Enforcement

140 OPENSHIFT TECHNICAL OVERVIEW WHAT IS ISTIO?

a service mesh to connect, manage, and secure microservices

Control Pilot Mixer Auth Plane

Envoy Envoy Envoy Envoy

Data Plane App App App App

Pod Pod Pod Pod

141 OPENSHIFT TECHNICAL OVERVIEW