1. PKS Automation Station...All
Aboard: Enabling Team
Access to PKS with a
Concourse Pipeline
SpringOne Platform
October 8, 2019

2. 2
Vaseeharan Seevaratnam
Platform Engineer
svasee
John Paice
Senior Platform Engineer
@johnny_platform
INTRODUCTIONS

3. 3
• DSG’s Container Journey
• Challenges
• PKS Workloads
• Onboarding Prerequisites
• Demo!
AGENDA

4. 4
• Monolith application to microservices
• Teams were were working in silos more collaborative
• Buy vs. Build
• Cloud Native
• Twelve Factor Apps
CONTAINER JOURNEY

5. 5
Application Archaeology: Accelerating App Modernization at DICK’S
Sporting Goods
Today 4:20pm–5:30pm 16AB
Pivotal Vanguard Customer Deep Dive Expedition: Pearls of Wisdom
Wednesday 4:20pm–5:30pm. 17AB
Multi-cloud Deployments
Thursday. 9:15am Main Stage
#DSGTECH

6. 6
• Team onboarding challenges
• Short SLAs
• Consistent results
• Snowflake effects
• Peer code review
• PKS Challenges
PLATFORM CHALLENGES

7. 7
PKS WORKLOADS
• Not all applications fit the same mold
– Applications with custom containers
– Not twelve factor
– Applications that need persistent storage
• Kafka
• ELK
• RabbitMQ

8. 8
• Infrastructure as a code
• Easy auditing
• Predefined access control
• Build repeatable PKS clusters
• No snowflakes of servers, all the configurations are version
controlled
• Minimal administration of the cluster
• Delegated access control
REQUIREMENTS

9. 9
• Cloud Provider - vSphere, Azure, GCP, AWS
• Active Directory LDAP Integration for user access control
• Git as a source code repository
• Concourse pipeline
• PKS
SOLUTION

10. 10
ACCESS WORKFLOW
Create and
configure
LDAP groups
Configure
UAA > LDAP
in the PKS tile
Map LDAP
group to UAA
scope using
UAAC
Create a
service user
account in
UAA
Log in to the PKS CLI
as a Cluster Admin
Run pks get-
credentials to
generate kubeconfig
Use kubectl to
create a Admin
ClusterRoleBinding
Run pks get-
kubeconfig
targeting the cluster
PKS CLI generates
kubeconfig
Use kubectl to
access the cluster
Operator
Concourse
PipelineDeveloper
PKS
INSTALL
PKS
CLUSTER
CREATION
PKSCLUSTER
DAYTODAY
ACTIVITY

11. 11
ACCESS WORKFLOW
Create and
configure
LDAP groups
Configure
UAA > LDAP
in the PKS tile
Map LDAP
group to UAA
scope using
UAAC
Create a
service user
account in
UAA
Log in to the PKS CLI
as a Cluster Admin
Run pks get-
credentials to
generate kubeconfig
Use kubectl to
create a Admin
ClusterRoleBinding
Run pks get-
kubeconfig
targeting the cluster
PKS CLI generates
kubeconfig
Use kubectl to
access the cluster
Operator
Concourse
PipelineDeveloper
PKS
INSTALL
PKS
CLUSTER
CREATION
PKSCLUSTER
DAYTODAY
ACTIVITY

12. 12
LDAP STRUCTURE
LDAP Groups and Uses structure for PKS
integration:
pks-managerpks-cluster-admin pks-cluster-ro
pksadmin@dsgtech.co pksreader@dsgtech.copksdeveloper@dsgtech.co
K8s
Operator
K8s
Developer
K8s
Viewer

13. 13
ACCESS WORKFLOW
Create and
configure
LDAP groups
Configure
UAA > LDAP
in the PKS tile
Map LDAP
group to UAA
scope using
UAAC
Create a
service user
account in
UAA
Log in to the PKS CLI
as a Cluster Admin
Run pks get-
credentials to
generate kubeconfig
Use kubectl to
create a Admin
ClusterRoleBinding
Run pks get-
kubeconfig
targeting the cluster
PKS CLI generates
kubeconfig
Use kubectl to
access the cluster
Operator
Concourse
PipelineDeveloper
PKS
INSTALL
PKS
CLUSTER
CREATION
PKSCLUSTER
DAYTODAY
ACTIVITY

14. 14
UAA CONFIGURATION
• Enable created clusters to use
UAA as the OIDC provider.
Login to Ops Manager and perform following
configurations on PKS UAA:
• Configure PKS UAA to use LDAP
Server as external authentication
mechanisms.

15. 15
ACCESS WORKFLOW
Create and
configure
LDAP groups
Configure
UAA > LDAP
in the PKS tile
Map LDAP
group to UAA
scope using
UAAC
Create a
service user
account in
UAA
Log in to the PKS CLI
as a Cluster Admin
Run pks get-
credentials to
generate kubeconfig
Use kubectl to
create a Admin
ClusterRoleBinding
Run pks get-
kubeconfig
targeting the cluster
PKS CLI generates
kubeconfig
Use kubectl to
access the cluster
Operator
Concourse
PipelineDeveloper
PKS
INSTALL
PKS
CLUSTER
CREATION
PKSCLUSTER
DAYTODAY
ACTIVITY

16. 16
MAP LDAP GROUP
• Grant pks.clusters.admin scope to PKS Operators team by
Log In as a UAA .
uaac group map --name pks.clusters.admin
CN=pks-cluster-admin,OU=Groups,DC=dsgtech,DC=co

17. 17
ACCESS WORKFLOW
Create and
configure
LDAP groups
Configure
UAA > LDAP
in the PKS tile
Map LDAP
group to UAA
scope using
UAAC
Create a
service user
account in
UAA
Log in to the PKS CLI
as a Cluster Admin
Run pks get-
credentials to
generate kubeconfig
Use kubectl to
create a Admin
ClusterRoleBinding
Run pks get-
kubeconfig
targeting the cluster
PKS CLI generates
kubeconfig
Use kubectl to
access the cluster
Operator
Concourse
PipelineDeveloper
PKS
INSTALL
PKS
CLUSTER
CREATION
PKSCLUSTER
DAYTODAY
ACTIVITY

18. 18
AUTOMATION SERVICE
ACCOUNT
• Grant Enterprise PKS Access to a user by Log In as a UAA
Admin.
uaac user add srv-pksadmin --email
srv-pksadmin@dsgtech.com -p <password>
uaac member add pks.clusters.admin srv-pksadmin

19. 19
Add-Ons for tiller service account part of cluster provisioning.
PKS ADD-ONS
apiVersion: v1
kind: ServiceAccount
metadata:
name: tiller
namespace: kube-system
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: tiller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: tiller
namespace: kube-system

20. 20
Add-Ons for Storage Class
PKS ADD-ONS
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: default
annotations:
storageclass.kubernetes.io/is-default-class: "true"
parameters:
cachingmode: ReadOnly
kind: Managed
storageaccounttype: Standard_LRS
provisioner: kubernetes.io/azure-disk
reclaimPolicy: Delete
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: managed-premium
parameters:
kind: Managed
storageaccounttype: Premium_LRS
provisioner: kubernetes.io/azure-disk
reclaimPolicy: Delete

21. 21
Add-Ons for subdomain nameserver
PKS ADD-ONS
apiVersion: v1
kind: ConfigMap
metadata:
name: kube-dns
namespace: kube-system
data:
stubDomains: |
{"dsgtech.co": ["10.0.8.5"]}

22. 22
ACCESS WORKFLOW
Create and
configure
LDAP groups
Configure
UAA > LDAP
in the PKS tile
Map LDAP
group to UAA
scope using
UAAC
Create a
service user
account in
UAA
Log in to the PKS CLI
as a Cluster Admin
Run pks get-
credentials to
generate kubeconfig
Use kubectl to
create a Admin
ClusterRoleBinding
Run pks get-
kubeconfig
targeting the cluster
PKS CLI generates
kubeconfig
Use kubectl to
access the cluster
Operator
Concourse
PipelineDeveloper
PKS
INSTALL
PKS
CLUSTER
CREATION
PKSCLUSTER
DAYTODAY
ACTIVITY

23. 23
• Concourse Pipeline
• Parameter variable values:
Git:
– git_repo_uri
– git_branch
– git_private_key
PKS:
– pks_api
– pks_cli_username
– pks_cli_password
– pks_env
CONCOURSE PARAMETERS

24. 24
DEMO

25. 25
LINKS
References
https://docs.pivotal.io/pks/1-3/manage-users.html
https://github.com/pivotalservices/concourse-pipeline-
samples/tree/master/pipelines/pcf/pks
GitHub
https://github.com/dsg-tech/pks-onboarding
Careers
https://www.dickssportinggoods.jobs/

26. Q&A