Kelsey Hightower HashiConf 2017 Keynote

Captions
This is gonna be a very irresponsible talk. Some of the things I'm going to do today are irresponsible. Don't go back to work and say "Kelsey said it's okay." It's gonna be irresponsible, but we're gonna have fun. We're going to push the boundaries of a few things, so if you see something odd, straighten back up, smile, okay? That's what we're doing today. All right, I'll record that. Maybe I go back to the bullet points; I have some PowerPoint. Do you want PowerPoint? Someone's like, hell yeah, bullet points. No.

So today we're going to talk about two of my favorite communities: Kubernetes and this whole HashiCorp community, the whole Hashi stack thing. I use a lot of these tools, sometimes together, sometimes in some weird unapproved ways. It's my computer though, I do whatever I want. But today we're gonna make a new term, you guys ready? The new term is called Hashinetes. Now you can't buy it. I will totally take your money, but this is not a new HashiCorp product, so do not look at the product page, there will be no press release, okay?

So Hashinetes. Does this sound silly? What is this Hashinetes business? Well, it starts off pretty simple. Kubernetes, or my first experience with Kubernetes, was it felt like this cloud operating system. If you've used Terraform, you feel that Terraform abstracts away all the cloud providers and you express yourself in Terraform and it makes things happen. Kubernetes is like that for me, but at a much higher level. If my app needs a load balancer, Kubernetes hides the whole implementation detail and reconciles it and keeps it in place, actively. I can't remember the last time I actually used the native tools to spin up infrastructure at all, because I usually start with Kubernetes.

But Kubernetes doesn't solve all problems. What happens when you have multiple Kubernetes clusters? Anyone ever try to do service discovery across two or three Kubernetes clusters? You can't. It's not designed for that. It's designed for intra-cluster service discovery, and it does a fantastic job, but if you add something like Consul, you can configure it in the way Consul works natively to kind of bridge that world. And I'm not talking about the IPs of each container; if you try to bridge the IPs of your containers you're going to run out of IP space, and it's going to be embarrassing as you attempt to re-IP production. Doesn't work out well; I've tried it before.

Then secrets. Kubernetes has a very basic secrets implementation. It's great for bootstrapping things; we use it to bootstrap Kubernetes itself. We've added features around encryption at rest, we added features around limiting what nodes can see, but it doesn't do everything. And for a lot of people in the Kubernetes world, they're asking, why is all of this attention on Vault? Why did Vault on Kubernetes make it to the front page of Hacker News? We already have secrets. Thou shalt not bring in another secret implementation. It gets real tribal, and you know, people have product tattoos. That was a thing in the 90s: you'd meet people with FreeBSD tattoos, like, you're gonna not use that at some point, you know, and it's like, that ain't coming off. Shout out to all the Solaris tattoos in the audience. Yeah, there's some Solaris tattoos, all the people in long sleeves. It's hot as hell, but you've got long sleeves on, you're hot. Because this is a great stack. This is Hashinetes.

But the other day I was experimenting. If you're a manager in the office, in the audience, if your people aren't experimenting, it's probably your fault. You don't have to clap if you report to your manager. Just kind of do this for me: let them play a little. So I was experimenting, I was like, hey, I have all this compute, and sometimes I write these little statically linked binaries, and having to put it in a container, which is the price of admission for Kubernetes, even I get pissed off sometimes. I can do it in a single step, but sometimes I want to avoid it, and I cheat: I reach for Nomad. So in my world I have a little bit of this going on. People are like, dude, is that... and people say you're crazy, this seems pretty odd, but you do it all the time. Most people have some hypervisor underneath. You use some cloud provider, and when you click to create that VM, or make an API call, or use Terraform, there's a scheduler placing your VM somewhere in the infrastructure, and you're totally okay with this. And then you do it, you install yet another one on top and do the same thing, but you think you're sane. So in this world I want people to say, hey, these are just interfaces to give us compute in the way we want to consume it. Some schedulers give us a raw machine that we want to SSH into. Some of these schedulers are like PaaSes that just take our app and just find the right place to run it, and we don't care about the machine abstraction. But there are some cases, and I think CircleCI recently put out a really good blog post about why they use both. I'm not telling you to use both. I'm just saying, be irresponsible sometimes, okay? You're an adult, you get to do that.

So I want to take us through this. All right, ready for some terminal? They told me it was okay to use the command line. All you PowerPoint people, I'll get back to you with some slides. Okay, so we're gonna start with this cluster. Look at the name of it: hashinetes. So we have these seven nodes in this cluster, and I have a few things running there. Okay, so in this cluster I have Consul and Vault. Now, these are two stateful services, and most people say you shouldn't run stateful stuff in containers. I'm like, wow, containers themselves aren't the problem for stateful; it's usually the underlying platform that may not be able to pair up your storage. So how does Kubernetes make that any different? I mean, some databases, you will probably lose your data, okay, so don't go and run everything in there. But some things do make it easier, Consul being one of them. The fact that Consul does replication and has the ability to heal under certain conditions, it does its part to make Kubernetes' life much easier.

So if I come here and I say kubectl get pods, we'll see if Wi-Fi actually works. You guys should clap because Wi-Fi works. The rules are, the more you clap, the more favor I get from the demo gods, okay, because they want to see how this goes. Okay, so we have this three-node Consul cluster, and, like one does, you have to run the release that they did yesterday. Okay, that's what we got going on, so that means if anything breaks it's not my fault. If you work on Consul, I will look at you; that means I need help.

All right, so we have this three-node Consul thing, but the other thing that we get is this thing called a persistent volume claim. So this is where all I do in my manifest is say, hey, I need storage of this kind. Based on where I'm running, on-prem it could be iSCSI or NFS, on Amazon it would be their Elastic Block Store, and on Google Cloud it would be their persistent disks. Don't need to think about that. Kubernetes' job is to actually provision the storage, give it an ID, and make sure that the storage can be mounted in the zone where the workload needs to live, and give me stable names to make sure they're always paired back together. So all the stuff that you used to do around orchestrating stateful things, Kubernetes will meet you probably more than halfway. So given that, I can actually rely on Kubernetes to do the right thing: if these apps die, they will ensure they're paired with the right storage even once they move to a different machine. Great.

Again, I'm gonna skip one of the use cases, but if I had a VM off to the side, you can actually delegate DNS to Consul for the Consul domains. So what that looks like is we have this thing called kube-dns, and what I can do is go to kube-dns and say, hey, Kubernetes is responsible for all the service discovery that happens in the cluster, but if I'm running Consul side by side, I can also do something like this with this config and tell kube-dns that if anyone looks up that consul domain, delegate that to the Consul service running in the cluster. So that allows me to actually go over a broader landscape than what I currently do. Kubernetes is sweet.

The next thing is Vault. All my Kubernetes people are like, why are you using Vault? What's the use case? The first thing that got me hooked on Vault was the dynamic provisioning of secrets. But I want people to be clear on what we're doing with Vault. It took me a long time to understand: why do we have all of these systems? Why do we even need Vault? Never thought about that, why does Vault even exist. Now some people say, you just need it, we've got all these secrets, it's burying them, putting them on disk. And the more you think about it, and I talked to colleagues, and they say, you know what, if you think about it, Vault is an identity translator. You have something that you know and trust, so say a certificate, a JWT token, and the problem is your database or Redis or some other system has no idea how to use that identity or trust the thing that gave it to you. But it does understand things like usernames and passwords. So you trade with Vault for one of those things that it trusts, and you go back to it. So you could imagine a world where everything understood X.509 certificates, but that's not where we are, so Vault is required.

So here's the magic sauce. If you're a DBA... I've seen DBAs do this before. It's like, hey, I need a username and password for my app. "Hey, I got you covered." Then they do this. What are you doing? They're like, hold on, I got you covered, and they keep on clicking. "Your mouse battery is running low," probably from all of that clicking. There's better ways of doing this. "No, no, I have the GUI." So this isn't a modern thing for some people. You can click into here, it's like, how many usernames do you need? I need three. They're like, no problem, got you covered. Have you ever seen their database? Anyone know what a pivot table is? Yeah, in their databases you can build pivot tables; it's like a real programming language. So here we have users, and then what you see people do is click in there and say, what tables do you want to access? I'm like, hello, stop, stop, you're supposed to do this, just give me credentials.

So the magic I show my friends is, I slow all the way down. I'm gonna show you magic. And it's like, okay, we're gonna bring in Vault. So Vault installs, I unseal it. Are you guys like me, do you do this? How many people... just make noise if this is you. Just be honest though, don't be trying to be fake, be real honest, is that you? Hell yeah. Defeat the whole security mechanism. I do. I have all the keys. It's like, you are just not using it correctly. Okay, so we're all on the same page at least.

So Vault is ready. So let's do a vault status here. All right, great, we're unsealed. So this is what I do: I have all these configs in place that say, hey, Vault's going to dynamically create secrets for you. But yesterday they announced the ability to use service accounts in Kubernetes to skip one of these bootstrapping steps, right? It's like, how do you automate giving out secrets end to end? Super hard if it's not built into the platform. So in Kubernetes we have what we call service accounts. So service accounts are a way for us to give identity to these tokens and give them a set of permissions. We have rich RBAC inside of Kubernetes. So if you have this you can actually assign... and listen to me here: do not give Vault the default service account. Do not give Vault the admin service account. Give it a service account that can do nothing but log into Vault. I don't want you to be on the news. This is serious. Right, back to being irresponsible.

So you've got service accounts, and what you do in Kubernetes is you tell your workloads what service accounts they should use. So one of the workloads I have is this very simple job. So this job is a lot of config here, skip most of it, but I am doing things very secure; that's one thing I won't compromise on. So I'm using TLS, and if you look here I'm saying, I want this app to use this particular service account. The nice thing is this is built into Kubernetes. Kubernetes will inject the service account at runtime. Vault only has to trust Kubernetes and the holder of that service account to identify who you are, okay? And in Vault you have to attach all these to policies and so forth.

So here's the trick. So we run this now, okay, so kubectl get pods, we have our control plane, and now we want to run this thing and observe what happens. It's going to go faster. So here we're gonna run it, kubectl get pods. It's a job that goes so fast that it finished. I'm still gonna do it in slow mo. Maybe if I type a little slower, is this going to change anything? But it won't. So we'll just look at the exit. Worker. I'd like that. What did you do? You just ran a job. What do you do? So we do kubectl logs, and then what we want to do is see what actually happened here. So this particular app grabs that service account, reads it, presents it to Vault to log in, Vault trades it for a real token that it can use, and it goes out and says, hey, give me database credentials. And you see here that it got this username. They're like, isn't your spreadsheet gonna get big? If you're doing that... I was like, there's a better way. So we come over here and we look, and they're like, where's the user? Let's do it... I slip down. So one more time, we're going to delete the worker, so kubectl delete jobs worker. All right, now we're gonna run it again really fast, and then I'm gonna switch really quick. You saw that, tab, just keyboard shortcuts. The username's there... I'm deleting all these spreadsheets. So now it's there, and they're like, whose job is it to clean that up? So you look at it and you scratch your head. We could put a search engine on the spreadsheet; there's APIs for spreadsheets these days. And you look at the workload and it's not there anymore, stopped running. So what we really want this to do is see, tick-tock-tick, their minds are blown, who took it away? Magic. You wait three days before you tell them it's Vault.

So Vault and Kubernetes to me make a really good pairing, because I think this kind of capability really matches this idea of these dynamic workloads. So we have this nice stack, Consul, Vault, what else? And I'm saying, well, sometimes I want to run things in Nomad. Ah, man, managing two schedulers, these big tools, you need to think about them, how do you deploy them, you need Terraform, you need all of these things. I'm like, I can just use the Kubernetes API, I can represent it. So the beta came out yesterday. I was like, yeah, that's like production-ready, right? Like, beta is slightly less support, but it's still production-ready. That's the way I think about it. So say I'm gonna run it in my cluster. And how many people think it's hard to run two schedulers, or even one scheduler by itself? Badasses. You're lying. Pretty badass.

Okay, so one way I thought about experimenting with this is like, what if you could just say, give me a Nomad cluster? All right, just try it and see. So if someone calls me, just ignore it. All right, so I'm going to see if I can make this work. Let's see, Wi-Fi is not on my phone, so this is when you do like LTE for the win. Just go, talk to... what is this thing called again? Anyone remind me of the name? You guys all know: Hashinetes. I worked really hard on that name. "OK Google, talk to Hashinetes." "Sure, getting the test version of Hashinetes. Hello Kelsey. I see you're tempting the demo gods again over conference Wi-Fi. That's extra bold. How can I be of service?" All right, so we need Nomad. We're just gonna watch and see what this thing can do. Hey, where's... okay, bring my screen. Just have a simple question. "Deploy Nomad." "Creating a 3-node Nomad cluster. Awesome. Yo dawg, I heard you like schedulers, so I deployed Nomad using Kubernetes, so you can have a scheduler in your scheduler." [Applause] Irresponsible.

So we're going to allow this to bootstrap, and what's happening underneath the covers is we're using the same mechanism. This is a stateful application; it's also clustered. We need to do them in a specific order. We need to mint the storage and make sure the storage is ready, mounted to the machine, configure Consul, or have it join the larger Consul cluster so we can do the service discovery. To fully bootstrap this thing there's an entire config. So as we're bringing this up, we want to see the cluster form, and then once the cluster forms, we're gonna see if that fancy dashboard's any good. Have you seen the dashboard yet? I showed my wife this thing. She's like, why are you showing me this? What am I supposed to get out of this? All right, so we have three nodes here. So is this actually a working cluster? Truth be told, this didn't work this morning, okay. So one thing we can do is, I'm going to source this Nomad environment variable, because we're doing this over the web, and we're gonna run the nomad server command, like I know what I'm doing. You gotta do it with confidence; you just type harder. Oh, we have a... yeah, okay. But let's see if there's dashboards available. Do you know how long it took me to figure out how to do client TLS auth with a browser? Anyone ever got that to work? Well, it doesn't work easy, but I got it to work and I'm very proud of myself. So what we're gonna do now is try to hit that fancy dashboard. Let's see here. So we grab this, and it's on 4646. If you don't think I'm using TLS mutual auth, go ahead and try it, and I will laugh at you on the inside. So click this, and all right, we got some servers. Now you can drill around in here, and this is pretty nice. I'm like, okay, we're good.

Now you ask, where do the workers go? If you were thinking that I will deploy the workers inside the same cluster, run them on Docker on top, that's ridiculous, okay? I'm irresponsible; that's ridiculous. You should run them in their own node pool, right? In the cloud, or even in your own environments, you usually have the ability to have some elastic pools. Use them to your advantage. We can say we have a certain set of jobs that are optimized for what Nomad wants to do; just create another node pool. I'm gonna come over here like a badass with the mouse, and we're gonna click on, you already know, instance groups. Click, grab one of these, and we'll add a few. How many should we do? Throw out a number. A thousand divided by a hundred, cut in half, that's five. All right, I mean, you're calling the shots. All right, so we're going to spin up these nodes, and I'm not trying to promote a cloud provider right now. This is my on-prem, okay? I work at Google; this is just my normal infrastructure. All right, legit. You see how fast it came up? Hmm, marketing, I've done my part.

All right, so we have nodes. Now the nodes are doing a bunch of stuff, right? So this is what happens when a speaker's trying to buy time for things to boot up in the background. This is what we do: we wave our hands, and then you may do this and say, did you see that? No, you didn't see anything. But we have these five nodes, okay? Now we'll go with these five nodes. If it works, they will show up here at some point. I'm gonna hit this hard refresh. So you ask yourself, like, did you push it too far? Because there's a limit to this thing. We got five nodes. I'm feeling good about myself. So you click around; the GUI is actually really nice, by the way. Like, maybe you shouldn't see some of my secrets. Yeah, I'm gonna worry about this one... it's good. This is why I turned on TLS auth, because I don't want you guys to do weird things to my... I think so. All the clients are now fully bootstrapped, joined the cluster. I didn't even do cross-cluster service discovery. They both have Vault integration. So what's next? Let's run some jobs.

So I go to jobs. So the jobs integration is actually super nice. So let's see what we can do with that. Maybe we can talk to Nomad now; we talked to Kubernetes. See, we can talk to them. "Run the..." I don't even know the name. Good job. "Run the ping Nomad job." "Here are some results from the web." "Run the ping Nomad job." "Here are the top search results." It's trolling me. "Run the ping Nomad job." "These are the top results." I'm not abandoning ship. I'm gonna go through this one. "OK Google, talk to Hashinetes." "All right, let's get the test version of Hashinetes. Hello Kelsey." "Run the ping Nomad job." "How many?" "Twelve." "Creating twelve ping tasks in the Nomad cluster." Thank you. When Seth said pick a scheduler, I'm not sure this is what he had in mind, but I gotta admit, this is extra dope. [Applause] Funny. [Applause]
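The service-account-to-database-credential flow the talk walks through (log in with the pod's Kubernetes service account JWT, then ask Vault for leased database credentials that vanish when the lease expires), as an added example that is not code from the talk or from HashiCorp. The two request/response shapes follow Vault's HTTP API (`POST /v1/auth/kubernetes/login`, `GET /v1/database/creds/<role>`); the Vault address, the role names, the sample JWT and the `FakeVault` class are constructed for this example so it runs offline (a real pod would read the JWT from `/var/run/secrets/kubernetes.io/serviceaccount/token`).

```python
import json
import secrets
import urllib.request

def http_json(method, url, body=None, token=None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    if token:
        req.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def vault_login_kubernetes(vault_addr, role, jwt, transport=http_json):
    """Trade the pod's service account JWT for a Vault client token."""
    resp = transport("POST", f"{vault_addr}/v1/auth/kubernetes/login",
                     body={"role": role, "jwt": jwt})
    return resp["auth"]["client_token"]

def fetch_db_creds(vault_addr, token, db_role, transport=http_json):
    """Ask the database secrets engine for a leased username/password."""
    resp = transport("GET", f"{vault_addr}/v1/database/creds/{db_role}", token=token)
    return {"username": resp["data"]["username"], "password": resp["data"]["password"],
            "lease_id": resp["lease_id"], "ttl": resp["lease_duration"]}

class FakeVault:
    """Constructed stand-in for the two endpoints above, plus lease expiry."""
    TTL = 3600  # seconds; a real role's default_ttl

    def __init__(self, jwt_roles):
        self.jwt_roles = jwt_roles  # jwt -> role; real Vault asks the TokenReview API
        self.tokens = {}            # client_token -> role
        self.db_users = {}          # username -> expiry; stands in for the database
        self.now = 0

    def __call__(self, method, url, body=None, token=None):
        path = url.split("/v1/", 1)[1]
        if method == "POST" and path == "auth/kubernetes/login":
            role = self.jwt_roles.get(body.get("jwt"))
            if role is None or role != body.get("role"):
                raise PermissionError("service account is not bound to that role")
            tok = "s." + secrets.token_hex(8)
            self.tokens[tok] = role
            return {"auth": {"client_token": tok, "policies": [role]}}
        if method == "GET" and path.startswith("database/creds/"):
            if token not in self.tokens:
                raise PermissionError("missing or invalid X-Vault-Token")
            user = "v-k8s-" + secrets.token_hex(4)
            self.db_users[user] = self.now + self.TTL
            return {"lease_id": f"{path}/{secrets.token_hex(4)}", "lease_duration": self.TTL,
                    "data": {"username": user, "password": secrets.token_urlsafe(12)}}
        raise ValueError(f"unsupported request: {method} {path}")

    def advance(self, seconds):
        # Lease TTL ran out: Vault revokes the user (the "who took it away?" moment).
        self.now += seconds
        self.db_users = {u: t for u, t in self.db_users.items() if t > self.now}

def demo(vault=None):
    vault = vault or FakeVault({"sa-jwt-for-worker": "worker"})  # constructed sample JWT
    tok = vault_login_kubernetes("https://vault:8200", "worker", "sa-jwt-for-worker", vault)
    creds = fetch_db_creds("https://vault:8200", tok, "readonly", vault)
    present = creds["username"] in vault.db_users
    vault.advance(creds["ttl"] + 1)
    return present, creds["username"] in vault.db_users  # (True, False)
```

`http_json` is the transport you would pass against a live Vault; the `FakeVault` instance is callable with the same signature, which is how the demo stays offline.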
Info
Channel: HashiCorp
Views: 25,150
Rating: 4.9659576 out of 5
Id: v77FFbQwC6E
Length: 26min 45sec (1605 seconds)
Published: Fri Oct 13 2017