Make developers self serving when using Kubernetes
Sander Rodenhuis
Posted on November 11, 2021
There's a lot of talk lately about developer self service for Kubernetes. It looks like every vendor in the Kubernetes space now claims they offer some kind of developer self service.
Some might disagree, but the overall opinion is that Kubernetes is not really developer friendly. Kubernetes has over 50 object types, complex RBAC, and to get anything deployed you'll need to write YAML manifests. You also need to learn how to handle horizontal scaling, networking, secrets, ingress, and a whole lot more. The question is: why would a developer care about all this? Developers don't care about Kubernetes internals; they just want an HTTP(S) endpoint for their running application.
Operations and SRE, on the other hand, have a hard time guaranteeing application security and availability at all stages of the development lifecycle when using Kubernetes. Kubernetes is only the orchestrator, and building a custom platform on top of it (the DIY way) can be a daunting endeavor. Think of all the add-ons and applications required for observability, policy enforcement, network policies, tracing, vulnerability management, SSO, certificates, secrets management, and GitOps. Building developer self-service features and automatic team onboarding on top of that would take even more time, and many companies don't have the resources or money to do so.
So what if there was an easy and open source solution for this? Would you then try it out?
Introducing Otomi
Otomi is an open source project (see the GitHub project here) and is a single deployable package that offers a complete platform experience on top of any Kubernetes cluster. After installing Otomi on Kubernetes, you can create an account, sign in, create a team and add members to the team. Team members get access to a project in Harbor (to push images to), all container logs of the team, a shared space in Vault, and self-service features to publicly expose services or even deploy images using user-friendly forms. By default, Otomi is configured in permissive security mode, which means security policies are enabled but non-blocking: violations are logged rather than rejected. This lets developers learn Kubernetes security as they go.
Get started
To get started with Otomi, just spin up a Kubernetes cluster (or use the Quickstart) and deploy the chart.
First, create a values.yaml file with the following values:
cluster:
  owner: myself
  k8sVersion: '1.20'
  name: my-cluster
  provider: # use azure|aws|google
Then deploy the chart:
helm repo add otomi https://otomi.io/otomi-core
helm repo update
helm install -f values.yaml otomi otomi/otomi
The installer job will now install Otomi on your cluster. You can follow the progress of the installer by looking at the logs of the installer job:
kubectl logs jobs/otomi -n default -f
When the installer has finished (which can take around 20 to 30 minutes), copy the URL and the generated password from the bottom of the logs.
Now the first thing you need to do is create a new user in Keycloak and add the user to the otomi-admin group. Go to https://keycloak.your-ip.nip.io and sign in with the user admin and the generated password provided in the logs. Check here for complete instructions on how to create users in Keycloak.
Now you can sign in to the Otomi console. Go to https://otomi.your-ip.nip.io and sign in with your newly created user.
As you will have noticed, the browser reports that the connection to this site is not secure. Because we did not use DNS with Let's Encrypt and did not provide our own CA, Otomi has automatically generated a CA for you. No worries: you can add the generated CA to your keychain. Keep in mind that trusting it as a root means your machine will accept any certificate signed by that CA, so only do this for a cluster you control. In the left pane of the console, click on Download CA and then add the CA to your keychain (the command below is for macOS):
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ~/Downloads/ca.crt
To start using Otomi, you’ll first need to activate Drone.
To enable Drone, open the Drone app (using the shortcut in the Otomi Console) and sign in with OpenID Connect using the newly created user. In Drone you'll see the otomi/values repository created by Otomi. Click on Activate, then Activate Repository, and then Save. Now you're ready to use Otomi. On otomi.io you can find the full post-installation steps.
Recap
Otomi offers a full platform experience on top of Kubernetes. It integrates and pre-configures a complete suite of open-source projects like Harbor, Knative, Istio, Prometheus, Keycloak, Gatekeeper, and many more. By installing Otomi on Kubernetes, you can use all of these projects out of the box with sane defaults. So instead of installing, configuring, and integrating all of these projects yourself, the only thing you'll need to do is install Otomi.
Otomi is ideal to use as a (Kubernetes-based) Developer Platform. By default Otomi runs in permissive mode, meaning all actions contrary to the security policies are only logged. Teams can directly access all the security logs and improve the security posture. This offers a learn-as-you-go experience.
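To make concrete what the permissive mode described above (and in the introduction) means for the Gatekeeper policies Otomi ships, here is an added illustration that is not Otomi's own policy configuration: a constraint template that flags containers not declared as non-root, followed by the same constraint in permissive (dryrun) form and in blocking (deny) form. The template and constraint names are assumptions chosen for this example.

```yaml
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8srequirednonroot   # example name, not an Otomi policy
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredNonRoot
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequirednonroot

        # A container violates the policy when runAsNonRoot is absent or false.
        violation[{"msg": msg}] {
          container := input.review.object.spec.containers[_]
          not container.securityContext.runAsNonRoot
          msg := sprintf("container %v must set securityContext.runAsNonRoot: true", [container.name])
        }
---
# Permissive mode: violations are recorded in the constraint's status and
# in the audit logs, but the Pod is still admitted. Teams can review the
# findings and fix their manifests at their own pace.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredNonRoot
metadata:
  name: require-non-root-permissive
spec:
  enforcementAction: dryrun
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
---
# Blocking mode: the same policy, but the admission webhook now rejects
# any Pod that violates it. Switch to this once the findings are clean.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredNonRoot
metadata:
  name: require-non-root-enforced
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
```

With the dryrun constraint applied, the Gatekeeper audit controller lists offending Pods under the constraint's status.violations (visible with kubectl get k8srequirednonroot -o yaml), which is the kind of finding a team would review before flipping the action to deny.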
Running Otomi without dependencies now makes it very easy to get started with Otomi and explore all of its features.
And if you run into any issues, please report them here.