Rodrigo Reis describes Zalando's Kubernetes deployments using their self-made CDP (Continuous Delivery Platform), a CI/CD solution that automates the whole build-and-deploy path, so developers can focus more on the software they are building and less on how to build and deploy it.
Slide 2
ZALANDO IN NUMBERS
> 4.5 billion EUR (2017)
> 200 million visits per month
> 14,000 employees in Europe
> 70% of visits via mobile devices
> 22 million active customers
> 250,000 product choices
~ 2,000 brands
15 countries
Slide 3
WE BRING FASHION TO PEOPLE IN 15 COUNTRIES
(map of market launches by year: 2008-2009, 2010, 2011, 2012-2013)
Slide 4
OUR FOOTPRINT AROUND EUROPE
as of November 2017
(map with numbered locations)
BERLIN HEADQUARTERS AND OUTLET
BRIESELANG FULFILLMENT CENTER
ERFURT FULFILLMENT CENTER AND TECH OFFICE
MÖNCHENGLADBACH FULFILLMENT CENTER AND TECH OFFICE
LAHR FULFILLMENT CENTER
DORTMUND TECH HUB
FRANKFURT OUTLET
DUBLIN TECH HUB
HELSINKI TECH HUB
MILAN (STRADELLA) FULFILLMENT CENTER
KÖLN OUTLET
PARIS (MOISSY-CRAMAYEL) FULFILLMENT CENTER
SZCZECIN (GRYFINO) FULFILLMENT CENTER
HAMBURG ADTECH LAB
STOCKHOLM (BRUNNA) FULFILLMENT CENTER (start winter 2017)
Slide 5
OUR FOOTPRINT AROUND EUROPE: TECH
as of November 2017
(same map and location list as slide 4, highlighting the tech locations)
Slide 6
WE ARE CONSTANTLY INNOVATING TECHNOLOGY
HOME-BREWED, CUTTING-EDGE & SCALABLE technology solutions
~ 1,900 employees from 77 nations at 7 tech locations (HQ in Berlin) help our brand to WIN ONLINE
Slide 18
BUT FIRST...
Motivation for Kubernetes
● Resource Efficiency
● Cost Efficiency
● Velocity
● Cloud Independence
THIS IS AN OPPORTUNITY FOR CHANGE
Slide 19
CHALLENGES
COMPLIANCE
Some Of Our Compliance Rules
● Applications must run on certified (or whitelisted) AMIs
● All images must:
○ Come from an authorized Docker repository
○ Contain an SCM Source file
○ Be versioned
● Code changes must be peer reviewed and approved (4 eyes principle)
Slide 20
CHALLENGES
HOW TO DEPLOY
Options for CI/CD
● Jenkins
● GoCD
● Concourse
● Spinnaker
● Travis Enterprise
● AWS CodeBuild, CodePipeline
Problems
● Non-reproducible builds
● Not cloud ready
● No automatic setup
● Difficult to scale up/down
● 2 Configuration Steps
● Manual credential configuration
● Lack of Kubernetes support
Slide 22
QUESTION
What if the developer didn't have to worry about those steps?*
*coding not included
Slide 23
● Hands Off
● Compliant By Default
● Secure By Default
A DIFFERENT APPROACH
Slide 24
A DIFFERENT APPROACH
● Hands Off
● Compliant By Default
● Secure By Default
➢ No Manual Access to Live*
➢ Automate Setup/Deployment Steps
➢ Separate Test and Live Environments
*Some exceptions apply
Slide 25
● Hands Off
● Compliant By Default
● Secure By Default
A DIFFERENT APPROACH
Slide 26
A DIFFERENT APPROACH
HANDS OFF
Back to our Options for CI/CD...
● Jenkins
● GoCD
● Concourse
● Spinnaker
● Travis Enterprise
● AWS CodeBuild, CodePipeline
Slide 27
A DIFFERENT APPROACH
HANDS OFF
Back to our Options for CI/CD...
● Jenkins
● GoCD
● Concourse
● Spinnaker
● Travis Enterprise
● AWS CodeBuild, CodePipeline
● In-house developed (CDP)
Slide 28
A DIFFERENT APPROACH
HANDS OFF
CDP
● Fully Integrated With Kubernetes
● No Need To Manage CI Infrastructure
● Triggered By Code Changes
● More To Come...
Slide 33
● Hands Off
● Compliant By Default
● Secure By Default
A DIFFERENT APPROACH
Slide 34
A DIFFERENT APPROACH
COMPLIANT BY DEFAULT
Kubernetes AMIs
● Developers don’t have to choose instance type or AMI
○ Deployments result in Pods running in existing Worker Nodes
● All Kubernetes Nodes are based on compliant, whitelisted AMIs
Docker Repository
● CDP only pulls images from authorized repositories
● When pushing images, CDP automatically includes:
○ SCM Source information
○ Version tagging
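The three image rules on this slide (authorized repository, SCM source file, version tag) are the kind of check a pipeline can enforce mechanically before it ever pulls or pushes an image. The following is an added example written for this page, not Zalando's CDP code: it parses a Docker image reference the way the Docker CLI does, rejects images that do not come from an allow-listed registry, rejects floating tags such as `latest` in favour of semver or commit-SHA tags (or a digest), and requires an accompanying scm-source record. The registry allow-list, the required scm-source fields and the sample inputs are assumptions constructed for the example.

```python
"""Image compliance checks mirroring the slide's three image rules.

Added example for this page, not Zalando's CDP code. The registry allow-list,
the scm-source field names and all sample values are constructed assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed allow-list of authorized registries (hypothetical hostnames).
AUTHORIZED_REGISTRIES = frozenset({"registry.example.internal"})

# Tags accepted as "versioned": semver (optional pre-release suffix) or a git
# commit SHA. Floating tags such as "latest" cannot be traced to a revision.
VERSION_TAG_RE = re.compile(r"^(?:v?\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?|[0-9a-f]{7,40})$")
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
COMMIT_SHA_RE = re.compile(r"^[0-9a-f]{7,40}$")

# Fields the scm-source record is assumed to carry (constructed for the example).
REQUIRED_SCM_FIELDS = ("url", "revision", "author", "status")


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image_ref(ref: str) -> ImageRef:
    """Split an image reference into registry, repository, tag and digest.

    Follows the Docker CLI rule: the first path component is a registry only if
    it contains '.' or ':' or is 'localhost'; otherwise the image is on Docker Hub.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    head, _, last = ref.rpartition("/")
    tag = None
    if ":" in last:                      # only the last component can carry a tag
        last, tag = last.split(":", 1)
    path = f"{head}/{last}" if head else last
    first, _, rest = path.partition("/")
    if rest and ("." in first or ":" in first or first == "localhost"):
        return ImageRef(first, rest, tag, digest)
    return ImageRef("docker.io", path, tag, digest)


def check_image(ref: str, scm_source: Optional[dict]) -> List[str]:
    """Return all compliance violations for an image; an empty list means compliant."""
    violations: List[str] = []
    img = parse_image_ref(ref)

    # Rule 1: authorized repository.
    if img.registry not in AUTHORIZED_REGISTRIES:
        violations.append(f"registry {img.registry!r} is not authorized")

    # Rule 2: versioned. A digest pins the image exactly; otherwise the tag must be a version.
    if img.digest is not None and not DIGEST_RE.match(img.digest):
        violations.append(f"malformed digest {img.digest!r}")
    if img.tag is None and img.digest is None:
        violations.append("image is not versioned (no tag or digest)")
    elif img.tag is not None and not VERSION_TAG_RE.match(img.tag):
        violations.append(f"tag {img.tag!r} is not a version tag")

    # Rule 3: scm-source record present and pointing at a concrete revision.
    if scm_source is None:
        violations.append("scm-source file is missing")
    else:
        missing = [f for f in REQUIRED_SCM_FIELDS if f not in scm_source]
        if missing:
            violations.append("scm-source is missing fields: " + ", ".join(missing))
        elif not COMMIT_SHA_RE.match(str(scm_source["revision"])):
            violations.append("scm-source revision is not a git commit SHA")
    return violations


# Constructed sample scm-source record (shape is an assumption, not a real artifact).
SAMPLE_SCM_SOURCE = {
    "url": "git:git@github.example.internal:team/app.git",
    "revision": "0123456789abcdef0123456789abcdef01234567",
    "author": "jane",
    "status": "",
}

if __name__ == "__main__":
    for candidate in ("registry.example.internal/team/app:1.4.2", "nginx:latest"):
        print(candidate, "->", check_image(candidate, SAMPLE_SCM_SOURCE) or "compliant")
```

`check_image` collects every violation instead of stopping at the first one, so a developer sees the whole list in one pipeline run. Keeping the parser separate from the policy also makes it easy to run the same checks at admission time on the cluster, where the image reference is all you have.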
Slide 38
DEVELOPER CONSOLE
CREATING A NEW REPOSITORY
When a repository is created through the console:
● A hook is configured for triggering CDP
● Zappr is configured, enforcing Pull Request approvals before merge
○ Zappr is a GitHub extension developed at Zalando
OPEN SOURCE ☺
https://zappr.opensource.zalan.do
Slide 39
A DIFFERENT APPROACH
COMPLIANT BY DEFAULT
Our Compliance Rules
● Applications must run on certified (or whitelisted) AMIs ✓
● All images must: ✓
○ Come from an authorized Docker repository ✓
○ Contain an SCM Source file ✓
○ Be versioned ✓
● Code changes must be peer reviewed and approved (4 eyes principle) ✓
Slide 40
● Hands Off
● Compliant By Default
● Secure By Default
A DIFFERENT APPROACH
Slide 41
A DIFFERENT APPROACH
SECURE BY DEFAULT
● Test and Production environments are completely isolated
● A Kubernetes Test Cluster is also provisioned
○ Manual access is permitted
● IAM Credentials are isolated between test and live environments
○ Different OAuth Provider in test environment
Slide 44
PUTTING IT ALL TOGETHER
(diagram: GHE triggers CDP; a PR leads to a Test Deploy in the "xpto-test" account, a merge to master leads to a Prod Deploy in the "xpto" account)
1. A user creates a Pull Request (PR) in GitHub Enterprise (GHE)
2. The PR triggers CDP
➢ CDP deploys the PR to the Test Kubernetes Cluster
3. Another user approves the PR and merges it to master
4. The merge to master triggers CDP again
➢ CDP deploys master to the Production Kubernetes Cluster
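The flow above has two trigger paths and two isolated accounts, and the security property is that a pull request can only ever reach the test cluster while the live cluster only takes master. The following is an added example written for this page, not Zalando's CDP code: it routes a GitHub Enterprise webhook (event name plus JSON body) to a deploy target and hands out credentials only from the target account's own store, failing closed if environment and account ever disagree. The account names `xpto` and `xpto-test` come from the slide; the cluster names, token placeholders and webhook bodies are constructed assumptions.

```python
"""Route GHE webhook events to the test or live cluster with isolated credentials.

Added example for this page, not Zalando's CDP code. Account names are from the
slide; cluster names, tokens and webhook bodies are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Optional

# One credential store per account. In a real pipeline each token would be read
# from that account's own secret backend; placeholders are used here.
ENVIRONMENTS = {
    "test": {"account": "xpto-test", "cluster": "kube-xpto-test", "token": "TEST-TOKEN-placeholder"},
    "live": {"account": "xpto", "cluster": "kube-xpto", "token": "LIVE-TOKEN-placeholder"},
}

# Pull-request actions that should (re)deploy the PR head to the test cluster.
PR_TRIGGER_ACTIONS = {"opened", "synchronize", "reopened"}


@dataclass(frozen=True)
class DeployTarget:
    environment: str   # "test" or "live"
    account: str
    cluster: str
    revision: str      # commit SHA that will be built and deployed


def route_event(event_type: str, payload: dict) -> Optional[DeployTarget]:
    """Map a webhook (X-GitHub-Event name + body) to a deploy target, or None.

    A pull_request event can only produce a test target; only a push to
    refs/heads/master produces a live target. Pushes to other branches and PR
    actions such as "closed" are not triggers. Master itself can only change
    through an approved PR, which Zappr enforces on the repository.
    """
    if event_type == "pull_request" and payload.get("action") in PR_TRIGGER_ACTIONS:
        env = ENVIRONMENTS["test"]
        sha = payload["pull_request"]["head"]["sha"]
        return DeployTarget("test", env["account"], env["cluster"], sha)
    if event_type == "push" and payload.get("ref") == "refs/heads/master":
        env = ENVIRONMENTS["live"]
        return DeployTarget("live", env["account"], env["cluster"], payload["after"])
    return None


def credentials_for(target: DeployTarget) -> str:
    """Return the token of the target's own account and nothing else.

    The consistency check is deliberately redundant with route_event: should a
    bug ever produce a target whose account or cluster does not belong to its
    environment, the deploy fails closed rather than running with the wrong
    account's credentials.
    """
    env = ENVIRONMENTS[target.environment]
    if env["account"] != target.account or env["cluster"] != target.cluster:
        raise PermissionError(f"{target} does not belong to environment {target.environment!r}")
    return env["token"]


# Constructed webhook bodies, reduced to the fields the router reads.
PR_EVENT = {"action": "opened",
            "pull_request": {"head": {"sha": "a1b2c3d4e5f6a7b8c9d0a1b2c3d4e5f6a7b8c9d0"}}}
MASTER_PUSH = {"ref": "refs/heads/master", "after": "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c"}
BRANCH_PUSH = {"ref": "refs/heads/feature-x", "after": "deadbeefdeadbeefdeadbeefdeadbeefdeadbeef"}

if __name__ == "__main__":
    samples = {"pr": ("pull_request", PR_EVENT),
               "master push": ("push", MASTER_PUSH),
               "branch push": ("push", BRANCH_PUSH)}
    for name, (event_type, body) in samples.items():
        target = route_event(event_type, body)
        print(f"{name}: {target}" + (f" -> token from {target.account}" if target else " (ignored)"))
```

The two functions are kept apart on purpose: `route_event` decides the environment from the event alone, and `credentials_for` never consults the event, so neither a crafted payload nor a later refactor of the routing can hand a PR build the live account's token.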
Slide 45
CONCLUSION
● CDP enables hands off deployments to Kubernetes
● Compliance is automatically handled by CDP and Developer Console
● Test and Production are guaranteed to be separated through credential isolation
Automation saves time
New features go live faster
Isolation secures environments
Developers focus on business specific features