How we run GraphQL APIs in production on our (own) Kubernetes - - PowerPoint PPT Presentation

▶

Nov 27, 2022 434 likes •900 views

How we run GraphQL APIs in production on our (own) Kubernetes cluster @ @ultrabug Gentoo Linux developer PSF contributing member CTO at Numberly Couldnt you have more buzz words in your talk title? Previous workflow and its limitations

SLIDE 1

SLIDE 2

How we run GraphQL APIs in production on

ur (own) Kubernetes cluster

@

SLIDE 3

@ultrabug

Gentoo Linux developer PSF contributing member CTO at Numberly

SLIDE 4

Couldn’t you have more buzz words in your talk title?

SLIDE 5

Previous workflow and its limitations

SLIDE 6

Code repositories Configuration repositories Continuous Integration Code reviews

SLIDE 7

Code repositories Configuration repositories Continuous Integration Code reviews YAML configuration file

SLIDE 8

Code repositories Configuration repositories Continuous Integration Code reviews YAML configuration file

SLIDE 9

Code repositories Configuration repositories Continuous Integration Code reviews YAML configuration file

SLIDE 10

Code repositories Configuration repositories Continuous Integration Code reviews YAML configuration file ansible

SLIDE 11

Code repositories Configuration repositories Continuous Integration Code reviews YAML configuration file ansible SSL offloading

SLIDE 12

Code repositories Configuration repositories Continuous Integration Code reviews YAML configuration file ansible SSL offloading

SLIDE 13

Why Kubernetes?

SLIDE 14

ur own bare-metal Kubernetes cluster

SLIDE 15

5 4 3 2 1 3 4 5

Methodology

B u i l d a b a r e c l u s t e r D e c i d e

t h e t

i n g W r i t e d

u m e n t a t i

t e r a n d s u p p

t a d

t i

D i s t r i b u t e e x p e r t i s e

SLIDE 16

A bare-metal Kubernetes cluster?

Package it to deeply know what’s it’s made of and how it works
Automate installation, configuration, provisioning… everything!

SLIDE 17

Developer-driven

SLIDE 18

OpenID authentication

Developer goes to internal kubeconfig URL
Login using usual Google Suite account (openID) + free MFA (Yubikey)
Download Kubeconfig
Welcome to Kubernetes!

SLIDE 19

Gitlab based authorization

Gitlab based RBAC + Pod Security Policy since day 1
1 namespace = 1 team
Open sourced gitlab2rbac: https://github.com/numberly/gitlab2rbac

SLIDE 20

Cluster capabilities and choices

Gitlab registry for our Docker containers
Ensure only whitelisted images can be deployed
runAsNonRoot + strict Network Policies enforced
Ingress using nginx-ingress with fully automated LetsEncrypt certificate lifecycle
Multi-tenant cluster supporting all environments (production, staging, development)
Special “sandbox” namespace to test things:
No distributed persistent storage yet

SLIDE 21

A workflow-oriented documentation

SLIDE 22

Foster and scale Kubernetes adoption

We created an internal Kubernetes Certification

To make sure that in every team someone can help with Kubernetes
To help everyone identify who can support them when they need a Kubernetes expert
To value the expertise of members of our teams

SLIDE 23

T ke Away

SLIDE 24

T ke Away

Gitlab for RBAC and image registry + Kubernetes = gitlab2rbac
Balance security vs freedom: not opposed all the time!
Enforce security and QA rules from the start

○ TODO: work on admission controller to enforce whitelisted images only

Ops concentrate on features that are immediately available to all devs

○ TODO: automate F5 ingress SSL setup for public services

Practical and useful docs are key
Spread expertise to foster and scale adoption

○ TODO: create more certification levels

SLIDE 25

Our Kubernetized workflow

SLIDE 26

Code repositories Configuration repositories Continuous Integration Code reviews Users roles = k8s RBAC Groups = k8s namespaces Docker image registry YAML kubernetes deployment SSL offloading ingress-

Moved to k8s secrets Needs Dockerfile

SLIDE 27

Let’s build a GraphQL app on Kubernetes!

SLIDE 28

Demo app: Trello REST API to GraphQL

GraphQL REST

SLIDE 29

Demo app: Trello REST API to GraphQL

GraphQL REST

+ = ?

SLIDE 30

SLIDE 31

Demo app: Trello REST API to GraphQL

GraphQL REST

SLIDE 32

Tartiflette main features

Python 3.6+
Schema First (SDL)
Built on AsyncIO
aiohttp integration
Embedded GraphiQL development web interface
Tastes even better than it smells (AKA developer friendly)

SLIDE 33

Schema Definition Language

SLIDE 34

1 GraphQL request = x REST requests

These edges will resolve in multiple REST API calls 1 GraphQL call = multiple REST calls

SLIDE 35

'idBoards': ['5d1f33e746ea0a8020560465', '5d1f341e82d5a37d0efb97b1']

1x 2x resolved edge with full objects

SLIDE 36

Show me some code: aiohttp app definition

Generic SDL Resolver functions

SLIDE 37

Show me some code: GraphQL resolvers

Edge resolver Root query resolver

SLIDE 38

#shipit

SLIDE 39

Dockerfile: multi-stage build

Slim python3.7 run image Full python3.7 build image

SLIDE 40

Build + Image tag = git branch + Upload to Gitlab registry

Git branch workflow

development
staging
master + git tag = production

SLIDE 41

To Kubernetes!

Security Automated Let’s Encrypt SSL

SLIDE 42

Quick demo

SLIDE 43

SLIDE 44

T ke Away

SLIDE 45

T ke Away

GraphQL removes friction by normalizing how data is addressed between teams
Schema Definition Language lets you concentrate on the data, not the code
Tartiflette is a modern, fast and efficient way of doing Python + GraphQL
Workflow for environment deployment based on git branches

○ TODO: challenge environment multi-tenancy of the cluster later

Kubernetes secrets + environment variables to store and access secrets

○ TODO: generalize vault

Kubectl is powerful: give that power to developers!

○ TODO: allow some abstraction tools when adoption is higher if needed

SLIDE 46

Thanks!

https://github.com/ultrabug/ep2019 @ultrabug