The Kubernetes-native platform (v2).
The Package manager for Kubernetes.
The Kubernetes-native Service Broker.
When readying a Workflow deployment for production workloads, there are some additional recommendations.
Workflow makes use of Minio to provide storage for the Registry, Database, and Logger components. Minio is provided out of the box as a central storage compartment, but it is not resilient to cluster outages. If Minio is shut down, all data is lost.
In production, persistent storage can be achieved by running an external object store. For users on AWS, GCE/GKE or Azure, the convenience of Amazon S3, Google GCS or Microsoft Azure Storage makes the prospect of running a Minio-less Workflow cluster quite reasonable. For users who have restriction on using external object storage using swift object storage can be an option.
Running a Workflow cluster without Minio provides several advantages:
See Configuring Object Storage for details on removing this operational complexity.
There are some additional security-related considerations when running Workflow in production. See Security Considerations for details.
By default, registration with the Workflow controller is in "admin_only" mode. The first user
to run a
deis register command becomes the initial "admin" user, and registrations after that
are disallowed unless requested by an admin.
Please see the following documentation to learn about changing registration mode:
It is also recommended to disable signups for the Grafana dashboards.
Please see the following documentation to learn about disabling Grafana signups:
Using TLS to encrypt traffic (including Workflow client traffic, such as login credentials) is crucial. See Platform SSL for the platform.
If all router pods in your cluster become unavailable then you will be unable to access the workflow API or
any deployed applications. To reduce the potential of this happening it is recommended that you scale the
deis-router Deployment to run more than one router pod. This can be accomplished by running
kubectl --namespace=deis scale --replicas=2 deployment/deis-router
If you are using CNI for managing container network, you cannot use
hostPort notation due to this issue.
In this case you could enable CNI for
deis-registry-proxy by setting
use_cni variable to
values.yaml or by adding
--set global.use_cni=true to