Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Terraform管理下のマネージドリソースとk8sリソースを一元的にGitOpsするまでの試行錯誤
Search
uya116
February 28, 2023
Technology
1
760
Terraform管理下のマネージドリソースとk8sリソースを一元的にGitOpsするまでの試行錯誤
2023/2/27 CI/CD Conference 2023 前夜祭で登壇した資料です。
https://cloudnativedays.connpass.com/event/274402/
uya116
February 28, 2023
Tweet
Share
More Decks by uya116
See All by uya116
競プロのすすめ
uya116
1
1k
Other Decks in Technology
See All in Technology
「全社導入」は結果。1人の熱狂が組織に伝播したmikanのn8n活用
sota_mikami
0
400
AI開発の落とし穴 〜馬には乗ってみよAIには添うてみよ〜
sansantech
PRO
4
1k
人はいかにして 確率的な挙動を 受け入れていくのか
vaaaaanquish
4
2.4k
純粋なイミュータブルモデルを設計してからイベントソーシングと組み合わせるDeciderの実践方法の紹介 /Introducing Decider Pattern with Event Sourcing
tomohisa
1
1.3k
かわいい身体と声を持つ そういうものに私はなりたい
yoshimura_datam
0
350
AI に「学ばせ、調べさせ、作らせる」。Auth0 開発を加速させる7つの実践的アプローチ
scova0731
0
360
GitHub Copilot CLI 現状確認会議
torumakabe
12
4.1k
フルカイテン株式会社 エンジニア向け採用資料
fullkaiten
0
10k
re:Inventで出たインフラエンジニアが嬉しかったアップデート
nagisa53
4
190
Riverpod3.xで実現する実践的UI実装
fumiyasac0921
1
320
Security Hub と出会ってから 1年半が過ぎました
rch850
0
180
SwiftDataを覗き見る
akidon0000
0
300
Featured
See All Featured
Have SEOs Ruined the Internet? - User Awareness of SEO in 2025
akashhashmi
0
260
Introduction to Domain-Driven Design and Collaborative software design
baasie
1
560
The Organizational Zoo: Understanding Human Behavior Agility Through Metaphoric Constructive Conversations (based on the works of Arthur Shelley, Ph.D)
kimpetersen
PRO
0
220
How to Ace a Technical Interview
jacobian
281
24k
The Language of Interfaces
destraynor
162
26k
Why Our Code Smells
bkeepers
PRO
340
58k
Keith and Marios Guide to Fast Websites
keithpitt
413
23k
The Power of CSS Pseudo Elements
geoffreycrofte
80
6.1k
Code Reviewing Like a Champion
maltzj
527
40k
Exploring anti-patterns in Rails
aemeredith
2
230
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
141
34k
Six Lessons from altMBA
skipperchong
29
4.1k
Transcript
Terraform ཧԼͷϚωʔδυϦιʔεͱ k8s ϦιʔεΛҰݩతʹ GitOps ͢Δ·Ͱͷ ࢼߦࡨޡ 2023/02/27 ιϑτόϯΫגࣜձࣾ ΫϥυΤϯδχΞϦϯάຊ෦
Cloud Native Days CI/CD Conference 2023 લࡇ ࡾվ ༟
ࡾվ ༟ (Mizorogi Yuya) 2 ࣗݾհ ॴଐ ιϑτόϯΫגࣜձࣾ ๏ਓࣄۀ౷ׅ
ΫϥυΤϯδχΞϦϯάຊ෦ ɾ2021ʹத్ೖࣾ ɾ๏ਓ͚ͷΞϓϦέʔγϣϯج൫ͷ։ൃΛ୲ ɾझຯย͚ͱڝϓϩ @_uya116
• ΞϓϦέʔγϣϯΤϯδχΞ͕ Kubernetes Λҙࣝ͠ͳͯ͘ྑ͍Έ 3 ιϑτόϯΫͰ͜ΜͳαʔϏεΛ࡞͍ͬͯ·͢ ϖʔδͪ͜Β
• Ϛωʔδυ Kubernetes ڥʹࣄલఆٛࡁͷ Helm ύοέʔδΛద༻ 4 ιϑτόϯΫͰ͜ΜͳαʔϏεΛ࡞͍ͬͯ·͢ DEPLOYMENT STORAGE
RDB VAULT MONITORING IAM ࣄલఆٛࡁύοέʔδ MESSAGING ͳͲ
• ϚωʔδυϦιʔεͱ Kubernetes Ϧιʔεͷํͷཧ͕ඞཁ ◦ ύϒϦοΫΫϥυͷϚωʔδυ Kubernetes Λ͏ͱͳ͓͞Β 5 എܠ
• IaC ܗࣜͱͦΕʹ͏ CD αʔϏε͕ҟͳΓύΠϓϥΠϯ͕͔Εͯ͠·͏ ◦ ͜ΕʹΑͬͯཧ͕ࡶʹͳΔ 6 ೋछྨͷϦιʔεΛཧ͢Δ͜ͱʹΑΔGitOpsͷ՝ Github
Actions Jenkins AWS Code γϦʔζ Ϧιʔε CD αʔϏε Git Terraform CloudFormation Kubernetes ϚχϑΣετ ͳͲ ͳͲ ͳͲ IaC ܗࣜ ϚωʔδυϦιʔε Kubernetes Ϧιʔε
• IaC ܗࣜ or CD αʔϏεΛἧ͑Δ͜ͱʹΑΓҰݩԽͰ͖ͳ͍͔ݕ౼ 7 ݕ౼ Github Actions
Jenkins AWS CodePipeline ͳͲ ͳͲ ͳͲ Ϧιʔε CD αʔϏε Git IaC ܗࣜ ϚωʔδυϦιʔε Kubernetes Ϧιʔε Terraform CloudFormation Kubernetes ϚχϑΣετ
• IaC ܗࣜΛἧ͑Δ߹ ◦ Terraform k8s provider ͔֤ϕϯμʔͷఏڙ͢Δ k8s controller
͕ީิ ◦ ύΠϓϥΠϯ͕؆ܿʹͳΔ͕ରԠϦιʔε͕ݶఆ͞Ε͍ͯΔ 8 ݕ౼ ʙIaC ܗࣜΛἧ͑Δʙ Github Actions Jenkins AWS CodePipeline ͳͲ ͳͲ ͳͲ Ϛωʔδυ Ϧιʔε ʹدͤΔ ᶃ Terraform k8s provider Kubernetes Ϧιʔε ʹدͤΔ ᶄ ConfigConnector / ASO / ACK controller ϚωʔδυϦιʔε Kubernetes Ϧιʔε IaC ܗࣜ Terraform CloudFormation Kubernetes ϚχϑΣετ
• CD αʔϏεΛἧ͑ͨ߹ ◦ ύΠϓϥΠϯద༻ڥͰίϚϯυΛ࣮ߦ͠ڧҾʹϦιʔεΛσϓϩΠ͢Δ ◦ ίϚϯυ࣮ߦͷͨΊࣗ༝ߴ͍͕ύΠϓϥΠϯ͕ෳࡶʹͳΔ 9 ݕ౼ ʙCD
αʔϏεΛἧ͑Δʙ Github Actions Jenkins AWS CodePipeline ͳͲ ͳͲ Ϛωʔδυ Ϧιʔε ʹدͤΔ ᶅ k8s ίϯςΩετΛऔಘͯ͠ apply Kubernetes Ϧιʔε ʹدͤΔ ᶆ k8s Ͱ Ϛωʔδυ༻ͷ IaC Λద༻ apply ϚωʔδυϦιʔε Kubernetes Ϧιʔε CD αʔϏε
10 ݕ౼ ʙ֤ํ๏ͷൺֱʙ IaC ܗࣜΛἧ͑Δ CD αʔϏεΛἧ͑Δ Ϛωʔδυ Ϧιʔε ʹدͤΔ
ᶃ Terraform k8s provider ᶅ k8s ίϯςΩετΛऔಘͯ͠ apply Kubernetes Ϧιʔε ʹدͤΔ ᶄ ConfigConnector / ASO / ACK ᶆ k8s Ͱ Ϛωʔδυ༻ͷ IaC Λద༻ controller apply ෳࡶʹͳΔ͕ ࣗ༝͕ߴ͍ Ϧιʔε੍ݶ͕ ͋Δ͕؆ܿ ͲͪΒ͕ ϝΠϯ͔
• ฐαʔϏε Kubernetes Ϧιʔεத৺ͷͨΊᶄᶆΛ࠾༻ ◦ ֤ϕϯμͷ k8s controller ʹରԠ͍ͯ͠ΔϚωʔδυϦιʔε →
ᶄͰ࡞ ◦ ະରԠ͘͠ k8s controller Ͱͷಈ࡞͕ෆ҆ఆͳϦιʔε → ᶆͰ࡞ 11 ݕ౼݁Ռ IaC ܗࣜΛἧ͑Δ CD αʔϏεΛἧ͑Δ Kubernetes Ϧιʔε ʹدͤΔ ᶄ ConfigConnector / ASO / ACK ᶆ k8s Ͱ Ϛωʔδυ༻ͷ IaC Λద༻ controller
• ݕ౼݁Ռʹैͬͯ GitOps ύΠϓϥΠϯΛߏங • Job Ͱ terraform ίϚϯυΛ࣮ߦ͢Δ͕࣮ͷෛՙ͕ߴ͍ ◦
Helm আ࣌ʹ Job Λ࣮ߦ͢Δ͕ terraform destroy ʹࣦഊ͢Δͱ Job ͕ࣦഊ͠ Helm ͕ফͤͳ͘ͳΔ → ঢ়ଶʹԠͨ͡ίϚϯυͷ੍ޚ͕ඞཁ ◦ drift ൃੜ࣌ͷ੍ޚ ࢪࡦ ʙฐαʔϏεͷ GitOps ύΠϓϥΠϯʙ vender controller 12 ϕϯμͷ k8s controller ࣗ࡞ Job Ͱ terraform ࣮ߦ ※ ฐαʔϏεͷ্ཱ͚ͯ Helm Ͱύοέʔδϯά͍ͯ͠Δ
• Terraform ϦιʔεΛཧ͢Δ Kubernetes Controller ◦ Flux ͱ࿈ܞͯ͠ Terraform ͷ
GitOps Λ࣮ݱ͢Δ ◦ TF state ϑΝΠϧͷΫϥυετϨʔδཧɺOIDC ࿈ܞͳͲඞཁͳػೳ͕ἧ͍ͬͯΔ 13 Weave GitOps Terraform Controller https://weaveworks.github.io/tf-controller/ Terraform Controller kind: Terraform ᶃݕ ᶅ࡞ ᶄ TF ϑΝΠϧऔಘ
Weave GitOps Terraform Controller “ࣗͷϖʔε”Ͱ GitOps ͱ͍͏ίϯηϓτΛܝ͓͛ͯΓ ϚχϑΣετʹ߹Θͤͨ Terraform
apply / destroy ͷࣗಈద༻͚ͩͰͳ͘ drift ͷݕग़ͷΈߦ͏͜ͱՄೳ TF ϑΝΠϧͷ֨ೲݩɻflux ͷ GitRepository / OCIRepository Λࢦఆ TF ϑΝΠϧʹΘͨ͢ڥมͷઃఆ terraform ίϚϯυΛ࣮ߦ͢Δ ServiceAccount Terraform CR Λআͨ͠ͱ͖ʹΫϥυ্ͷϦιʔεফ͔͢ backend ͷઃఆ
σϞ
• Weave GitOps Terraform Controller Λ༻͍Δ͜ͱͰҰݩ GitOps Λ࣮ݱ 16 ࢪࡦ
ʙฐαʔϏεͷ GitOps ύΠϓϥΠϯʢAfterʣʙ vender controller ϕϯμͷ k8s controller ͰϦιʔε࡞ Terraform Controller Ͱ terraform ࣮ߦ terraform controller
• Flux v0.32.0 ͰରԠͨ͠ OCI ϦϙδτϦ ʹ TF ϑΝΠϧΛ֨ೲ͍ͯ͠Δ ◦
͜ΕʹΑΓ Docker image, Helm Chart, TF ϑΝΠϧΛಉҰαʔϏεͰཧ͢Δ͜ͱ͕Մೳ ◦ ೝূํ๏ڞ௨ԽͰ͖Δ Weave GitOps Terraform Controller Ͱͷ 17 AKS ฐαʔϏεͷ୲ൣғ OCI ϦϙδτϦ (Artifact Registry) GKE EKS
• Artifact Registry ʹ֤ k8s ͔ΒΞΫηε͢Δඞཁ͕͋Δ ◦ ظݶ͕͍ΫϨσϯγϟϧใ࣋ͪͨ͘ͳ͍ͨΊ OIDC ࿈ܞ͍ͨ͠
◦ ͔͠͠ݱঢ় OCI ϦϙδτϦʹର͢Δ Flux source-controller Ͱ GC ͱͷ OIDC ࿈ܞ͕ະରԠ 18 Weave GitOps Terraform Controller Ͱͷ ✕ AWSͰݖݶҕ͞ΕͨτʔΫϯΛ༻͍ͯ GC ͱ࿈ܞ͍͕ͨ͠ɾɾɾ Flux
• OIDC ࿈ܞͨ͠ CronJob Ͱ imagePullSecret Λ࡞͢Δ ◦ imagePullSecret ͷߋ৽Λ
OIDC ࿈ܞͨ͠ CronJob Ͱఆظతʹ࣮ࢪ͢Δ͜ͱͰ՝Λճආ ◦ ֤Ϛωʔδυ k8s ͔Β Artifact Registry ͷΞΫηε͕Մೳͱͳͬͨ 19 Weave GitOps Terraform Controller Ͱͷ ˕ Flux ✕ Flux Before After
• GitOps Λڞ௨Խ͢Δͱ࣍ςετڞ௨Խͨ͘͠ͳΔɾɾɾ 20 ςετʹ͍ͭͯ ςετର vender controller terraform controller
• νʔϜϝϯόʔ͕ CI/CD ΧϯϑΝϨϯεຊฤͰ͠·͢ʂ 21 ςετʹ͍ͭͯ
22 ·ͱΊ 1. Weave GitOps Terraform Controller Λ༻͍Δ͜ͱͰ GitOps ͷҰݩԽΛ࣮ݱ
2. TF ϑΝΠϧ OCI ϦϙδτϦͰཧ͠ imagePullSecret ൃߦʹΑΓΞΫηε 3. ςετͷڞ௨Խʹ͍ͭͯຊฤΛָ͓͠Έʹ vender controller terraform controller OCI ϦϙδτϦ
uya116
sota_mikami
sansantech
vaaaaanquish
tomohisa
yoshimura_datam
scova0731
torumakabe
fullkaiten
nagisa53
fumiyasac0921
rch850
akidon0000
akashhashmi
baasie
kimpetersen
jacobian
destraynor
bkeepers
keithpitt
geoffreycrofte
maltzj
aemeredith
eileencodes
skipperchong
