Participants: NCSA staff who use Kubernetes in their work

Location: Zoom

Date: 2021/08/26

Overview

  • NCSA KubeShop is a workshop designed to
    1. foster a collaborative spirit among the growing number of NCSA staff working with Kubernetes and to
    2. facilitate an exchange of knowledge and ideas related to the Kubernetes ecosystem.
  • Presentations by speakers with time for questions and discussion
  • Topical discussions with some guidance by conversation leaders
  • Meeting will not be recorded
  • The discussions should generate some kind of tangible output in the form of action items: plans for coordination/collaboration, documentation, implementing some concept.

Workshop action items and standing questions

  • Research storage options and generate a recommendation document

  • Where do we want to be along the spectrum between decentralized and centralized Kubernetes resources?

    • Perhaps use a Terraform system to have de facto centralization for most projects even though the clusters generated are independent
    • Detail the concept of the shared ArgoCD instance for bootstrapping base services like ingress controller, ArgoCD, Longhorn, MetalLB
  • Construct a pattern for Keycloak deployment for NCSA services. Perhaps a Helm chart with declarative Keycloak configuration illustrating

    • CILogon IdP
    • NCSA LDAP IdP
    • group and role mapping to auth token scope
    • Consider how we could run an NCSA Keycloak server managed by dedicated staff
  • Build a repo of Helm charts for common services in the context of the Terraform-provisioned Radiant Kubernetes cluster.

Agenda

Presentations

Format: Presentations will be 20 min talks with 10 min for questions and discussion, typically during the talk in context instead of at the end.

Topical discussions

Topical discussions allow us to share information on topics in a less formal way than presentations yet with some focus provided by the discussion leaders. The duration of these discussions is flexible.

Topics

Checked topics were discussed at some point during the workshop.

  • Infrastructure
    • [x] Radiant
    • [x] Terraform
    • [x] Rancher
  • GitOps
    • [x] ArgoCD
    • [x] Vault
    • [x] Sealed Secrets
    • [x] Helm
    • [x] GitHub/GitLab CI/CD
    • [ ] Keel
  • Applications
    • [x] databases
    • [x] web services
    • [ ] JupyterHub
    • [x] Matrix
    • [x] Nextcloud
  • Production
    • [ ] Resource management
    • [ ] Scalability
    • [x] High availability
    • [x] Monitoring and alerts
  • Authentication and Authorization
    • [x] OAuth2/OpenID Connect
    • [x] CILogon
    • [x] GitHub/GitLab
    • [x] LDAP
  • Collaboration
    • [ ] Communication channels (Slack, email list, etc.)
    • [ ] Shared documentation
    • [x] Common methodologies and structures
  • Security
  • Kubernetes updates