Production Deis Workflow on Google Container Engine, Part One
Deis Workflow has been in GA for a while. But what's it like to work with? Particularly, how do we set it up for production use?
In this two-part miniseries, I'll walk you through a full production setup of Deis Workflow.
This will include:
- How to set up off-cluster object storage, Docker registry, and Postgres database
- How to install Workflow on a Kubernetes cluster
- How to secure it with SSL and set up DNS for your Workflow domain
- How to upgrade Workflow to the latest release
Let's jump right in.
This walkthrough uses Google Container Engine (GKE), so you will need to have a Google Cloud account and a GKE Kubernetes cluster. For help with the latter, check out my previous tutorial that shows you how to spin up your first Kubernetes cluster on GKE.
You will also need a trial Compose account, because we are going to set up a Deis Workflow Postgres database and we can't do that with Google Cloud yet.
When we get to part two, you will need a CloudFlare account so we can set up SSL and secure our deployment.
Google Cloud Service Account
A Google Cloud service account is a special type of account that your applications can use to authenticate against Google Cloud Platform APIs.
In our case, we need to give Deis Workflow access to Google Cloud Storage.
To do this, open the Cloud Platform Console Credentials page. And if it's not already selected, select the project that you're creating credentials for.
To set up a new service account, select Create credentials and then select Service account key. Select the New service account option, set
deis-workflow as the Service account name, and then select Project and then Editor for the Role field.
That should look something like this:
Next, choose to download the key as a JSON file.
Finally, select Create and the service key file will be created and downloaded.
Our service account is set up and ready to use. Let's move on.
Once your Compose dashboard is open, select Deployments:
On the right, select Create Deployment:
You will get to a New Deployment window:
Select PostgreSQL from the left menu and you should see a screen like this:
Set the following:
- Deployment Name:
- Location: EU West 1 (Belgium)
- Database Version: 9.5.4
Leave the deployment resources at the default setting.
Now click on Create Deployment and wait for the deployment to be created:
Then you should see:
Click on the Browser on the left column and you should see this:
Click on Create Database and fill in
deis as the database name:
Then select Run and the
deis database will be created for you.
Go back to the Overview screen (from the left menu) and scroll down to Connection Info:
Click on Show:
That will show the password and fill in the Connection string. We don't need the connection string, but we will need the username and password later on.
Good job. Let's leave it there for now.
Set Up Workflow
Helm Classic CLI Installation
Install Deis Workflow using Helm Classic, which is a tool for installing and managing software in a Kubernetes cluster.
Install the latest
helmc CLI for Linux or Mac OS X with:
The installer places the
helmc binary in your current directory, but you should move it to somewhere in your
Next, install the Deis Workflow CLI.
Install the latest
deis CLI for Linux or Mac OS X with:
The installer places the
deis binary in your current directory, but you should move it to somewhere in your
Check Your Setup
Check that the
helmc command is available and the version is 0.8.1 or newer:
kubectl client is installed and can connect to your Kubernetes cluster.
kubectl to interact with your Kubernetes cluster.
You can test that
kubectl are working properly like so:
If you see a list of targets like the one above,
helmc can communicate with the Kubernetes master. Double check that the Kubernetes master returned by
helmc target matches the expected cluster.
Fetch the Deis Workflow Chart
The Deis Chart Repository contains everything you need to install Deis Workflow onto your Kubernetes cluster with a single
helmc install command.
Add the repository to Helm Classic:
Search for Workflow charts:
We see that the latest Workflow chart version is v2.5.0. But we are going to learn how to do Workflow updates in the next post, so let's fetch the v2.4.2 chart:
This copies the Workflow chart to our
Configuring an Off-Cluster Docker Registry and Object Storage
The Helm Classic chart for Deis Workflow can be easily configured to connect Workflow components to an off-cluster Docker registry, object storage, and PostgresSQL database. This means they are running outside of the Workflow cluster and hosted, for example, by Google Cloud or Compose.
Helm Classic lets you embed and run generators that can perform arbitrary modifications on charts before they are deployed and run. The Deis Workflow chart comes with a
generated_params.toml file, which is the main configuration file for Workflow.
You can find it in this directory:
The values in this file are passed into the appropriate services so they can configure themselves as needed.
Specifically, for us, we can use this file to specify off-cluster locations for:
- The Docker Registry
- Object storage (Minio, S3, Azure, GCS, Swift)
- The Workflow PostgresSQL Database (used to persist platform state)
By default, the
generated_params.toml file configures all of these to be on-cluster, which results in a stateless setup and is not recommended for a production setup.
To read more about Helm Classic generators, see the docs.
To continue, we must make some edits to the
generated_params.toml file that corresponds with the chart we fetched, which is here:
Set Up an Off-Cluster Registry
Deis Workflow currently supports these external Docker registries:
- Google Container Registry (GCR)
- EC2 Container Registry (ECR)
- Docker Hub, Quay, self-hosted registries, and so on
We are using GKE, so set
registry_location to to
Next, in the
gcr section of this file, we need to configure a few things.
key_json to the content of the Google Cloud service account JSON key file we saved before. And
hostname can be empty, but needs to be set if the hostname is different from
The resulting section should look something like this:
To read more about off-cluster registry setup, see the docs.
Set Up Off-Cluster Object Storage
Deis Workflow currently supports these off-cluster object stores:
- Google Cloud Storage (GCS)
- Amazon S3
- Azure Blob Storage
- OpenStack Swift Storage
We're using GCS, so set
Then, in the
gcs section, set
kew_json to the content of the Google Cloud service account JSON key file.
You also need to specify which bucket to use for the Workflow builder by editing
builder_bucket. The Workflow GCS integration also lets us use GCS for our registry and database but we're using GCR and a hosted PostgreSQL instance, so we can leave the
database_bucket values as they are.
If you configure a GCS bucket that does not exist, Workflow will create it for you in US region. If you do not want this, you can create the bucket for yourself in the region and zone prefered.
Also note that GCS bucket names must be unique across all Google Cloud projects.
When you're done, the
gcs section should look something like this:
To read more about off-cluster object storage, see the docs.
Configure an Off-Cluster Postgres Database
Because we have an off-cluster PostgreSQL database set up, we can configure
Now, grab those connection settings from before and fill in the connection config:
That's it. We're done.
To read more about off-cluster Postgres, see the docs.
Now, let's move on to Workflow installation.
generated_params.toml file has been configured. All that's left to do now is generate a customized Workflow chart by running:
This will generate Deis Workflow configuration files for Kubernetes namespaces, service accounts, services, secrets, deployments, and daemon sets.
Now, install Workflow like so:
Workflow is installed. Awesome.
In this post we learnt how to configure and install Deis Workflow on Google Container Engine with off-cluster persistent object storage, container registry, and platform database.
In the next post we will learn how to secure Workflow with SSL, set the platform domain, register a user, and perform a Workflow platform upgrade.