Confidential do not distribute
Deploying Stateful Applications Securely and Confidently with Ondat & Weave GitOps
In partnership with:
Webinar Platform - FAQs
Using Zoom
• You are in listen only mode
• This webinar is being recorded
• Q&A session will follow the presentation, please use the Q&A panel to
submit questions
• Hit escape to exit full screen
• Slides and recording will be shared after the webinar
Technical Issues - please visit Zoom Help
https://support.zoom.us/hc/en-us/articles/206175806-Top-Questions
Speaker introductions

Lewis Edginton, Product Reliability Engineer, Ondat
A versatile engineer who has worked at a number of UK startups including Starling Bank, Lewis has years of experience in the cloud, software development and delivery industry.

Darryl Weaver, Solutions Architect, Weaveworks
Darryl has worked on Open Source technologies for over 25 years, as a consultant to small businesses and at Canonical dealing with large businesses and household names. He has specialised in infrastructure and platform engineering, including products such as OpenStack and Kubernetes. Now working on GitOps practices, he works with industry leaders to evangelise GitOps and deliver robust and reliable platforms that increase the velocity of development teams.
Introduction - Implementing App Developer Guardrails

Application Developer pain points:
● Possibly no experience of configuring storage for their Kubernetes application
● Not interested in Kubernetes storage interfaces or implementation details
● They want to be guided into the right way to configure their storage

Today we are going to show you a solution where Platform teams can:
● Deploy clusters with all the platform components needed for the app development teams to use
● Deploy Ondat Storage as part of any Kubernetes cluster across public cloud and on-premise
● Deploy policies that guide app devs to attach the right label and storage class for redundant storage
● Enforce those policies on the cluster and in CI tests to make sure no app gets deployed without the required redundant storage
Weaveworks: the GitOps company
● Weaveworks is backed by solid investors
● Weaveworks is a key partner with all the major infrastructure and Kubernetes vendors
● Weaveworks is deeply committed to the Open Source Community
Battle Tested Weaveworks Approach Process

Technical support - Customer Reliability Engineering (CRE)
● Weaveworks approved expertise in GitOps, Kubernetes & cloud native
● “Virtual” SRE
● Traditionally embeds in the customer's team
● Long term technical resourcing (6 months or 12 months)

Weave GitOps Services - Weave GitOps Enterprise
● Curated platform: clusters on-demand & application deployment
● Run anywhere, on any Kubernetes platform
● Integrated security, policy & governance
● 24/7 Support

Consulting, Professional Services, Training
● Workshops
  ○ Design, build, operate and optimize
● POC Delivery
● Training
  ○ Skills development
● Time and materials
  ○ Day rate

CAPABILITIES
● Reconciliation loop: monitor specific events in Git (repos, branches and/or folders)
● Simple profile bootstrap: set up, provision and operate a custom, production-ready cluster
● Application management UI: immediately detect drift between desired and observed state, as well as cluster health problems
● Cluster fleet management: reuse cluster templates easily from Git
● Team management & governance: segment responsibilities and enforce change control policies
● Advanced security: RBAC, Single Sign On (SSO)
Weave GitOps - Use Cases
1. Continuous Application Delivery - use GitOps to deploy and operate applications. Automation increases deployment velocity and developer productivity.
2. Kubernetes Everywhere - in the cloud or the datacenter, Kubernetes is a universal platform that’s easy to manage with GitOps.
3. DevOps Automation - lifecycle management of the entire platform: all clusters and services, using automation and policy.
4. Self-Service Platforms - a complete platform giving developers autonomy while ensuring consistency and manageability.
5. Trusted Delivery - shift policy and security left; governance, risk, and compliance are non-negotiable.
6. Progressive Delivery - deploy services across many environments and regions reliably using GitOps.
Weave GitOps Experience

DEVELOPER EXPERIENCE
• Continuous Delivery, observability, and monitoring
• Consistent developer workflows across multiple deployments
• Team workspaces for multi-tenanted usage

OPERATOR EXPERIENCE
• Extend Kubernetes to a managed platform using the GitOps model
• An Open Source Kubernetes platform for on-premise deployment
• Additive to managed Kubernetes (e.g., EKS, AKS or GKE)
• Upgrades to new versions
• Extensible controls to implement security and policy controls
GitOps – An Operating Model for Cloud Native
Unifying deployment, monitoring and management.
● Git as the single source of truth of a system’s desired state
● ALL intended operations are committed by pull request
● ALL diffs between intended and observed state trigger automatic convergence
● ALL changes are observable, verifiable and auditable

[Diagram: IDE → Build → Test (Continuous Integration) → Git, which acts as an “Immutability Firewall” in front of Kubernetes; GitOps then drives Deployment (clusters, apps), Monitoring and Logging (Observability), and Management (operations).]
Weave GitOps Enterprise with Ondat demo

Weave GitOps Enterprise
● Deploys clusters to AWS, GCP, Azure and on-premise environments
● Bootstraps Weave GitOps into the clusters and sources all cluster components from Git repos and Helm repos
● Installs all cluster platform components for a production ready environment

Ondat
● Provides Persistent Volumes for Kubernetes stateful applications
● Replicated storage with additional support for compression and encryption
● Intelligent placement of volumes
● Support for volume snapshots & Kasten integration
[Diagram: Weave GitOps Enterprise runs on a Kubernetes Management Cluster with a Cluster Management UI, Profile and Policy management, and a Multi Cluster Installer (CAPI) that provisions Leaf Clusters; applications are deployed into Team workspaces on the leaf clusters.]
Intro to Platform Components (Profiles)
What are Profiles?
● Helm chart
● Layer annotation for dependency ordering
● Default Values set for the organisation
● Profiles repo is a local Helm repository
● Platform Teams manage the repository and releases of Helm charts
Platform Components (Profiles) Examples
Typical profiles for platform components:
● Secrets Management, e.g. external-secrets-operator
● Certificate Management, e.g. cert-manager
● Authentication, e.g. Dex
● Monitoring and Dashboards, e.g. kube-prometheus-stack
● Logging, e.g. ELK Stack
● Ingress, e.g. ingress-nginx
● Service Mesh, e.g. Linkerd2
● Storage, e.g. Ondat
● Persistent Volume Backups, e.g. Kasten
Ondat: container-native storage for enterprise workloads, on-premises, hybrid or cloud
Ondat in a Nutshell
● Highly Available: cross-node volume replication
● Performant: deterministic low latency
● Scalable: disaggregated consensus
● Secure: encryption of data in-transit & at rest
● Agnostic: runs on any platform
● Integrated: integrated with all leading Kubernetes distributions and services
● Declarative self-service storage for Kubernetes: cost, performance and ops
Where do we fit?
How Ondat works
End-to-End Data Service Platform
Dynamic Provisioning in K8s: How it Works

StorageClass (created by the platform team; its parameters set the Ondat defaults for every volume provisioned from it):

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: ondat
  labels:
    app: storageos
provisioner: csi.storageos.com
parameters:
  fsType: ext4
  adminSecretNamespace: default
  adminSecretName: storageos-api
  # StorageClass parameter values and label values are strings, so the number must be quoted
  storageos.com/replicas: "1"

PersistentVolumeClaim (created by the app developer; a storageos.com/replicas label on the claim overrides the StorageClass default, and an unquoted number here is rejected by the API server because label values must be strings):

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: pvc-1
  labels:
    storageos.com/replicas: "1"
spec:
  storageClassName: ondat
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 5Gi
Policy-as-Code

Weave GitOps PaC
● Built on the OPA standard: policies are written in Rego
● Curated library of 100+ policies
● SOC 2, PCI-DSS, GDPR, HIPAA and MITRE ATT&CK standards compliance
● Security, resilience and coding standards
● Validation throughout the SDLC
  ○ Commit, Pull Request
  ○ Runtime
● Automatic remediation via pull request
● YAML configuration of policies whose rules are written in Rego policy code
Demo
● Build a Kubernetes cluster
  ○ Use Weave GitOps Enterprise to deploy a MicroVM Kubernetes cluster
  ○ Use a local Helm repository to deploy platform components including:
    ■ Weave Policy Agent
    ■ Ondat Storage Provider
● Add an application to the deployed cluster for a PostgreSQL database
● Add the deployment manifest to the PostgreSQL database repository
  ○ A PR is created and runs the Weave Policy Validator
    ■ The PR is blocked from merge because the manifest violates the policy: the required Ondat StorageClass is not matched
● Fix the policy infringements by setting the correct StorageClass and replicas
● PostgreSQL gets deployed complete with Ondat storage
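The guardrail the demo relies on (the PVC must land on the Ondat StorageClass and carry enough replicas, checked at pull-request time before anything reaches the cluster) can be tried outside the Weave Policy Agent. The block below is an added example, not code from the webinar, from Ondat or from Weaveworks: it re-implements that rule in plain Python over the StorageClass and PVC manifests shown on the dynamic-provisioning slide, so it doubles as a worked example for both that slide and the policy-as-code slide. Manifests are passed as the dicts yaml.safe_load would return. The minimum of 2 replicas, the second `standard` StorageClass backed by `ebs.csi.aws.com`, the claim names `pg-data`/`pg-data-fixed` and the violation dict layout are assumptions made for this example, not settings from the demo.

```python
"""CI guardrail for Ondat-backed PersistentVolumeClaims (added example, not
code from the webinar, Ondat or Weaveworks). It re-implements in plain Python
the rule the demo's Weave Policy Agent enforces in Rego: every PVC must use the
Ondat StorageClass and must resolve to enough replicas for redundancy."""
from __future__ import annotations

ONDAT_PROVISIONER = "csi.storageos.com"   # CSI driver named in the page's StorageClass
REPLICAS_LABEL = "storageos.com/replicas"  # Ondat feature label / StorageClass parameter
MIN_REPLICAS = 2                           # assumed organisation default for "redundant"


def _labels(manifest: dict) -> dict:
    return manifest.get("metadata", {}).get("labels") or {}


def _violation(pvc: str, key: str, msg: str, recommended: str) -> dict:
    # Field names loosely follow a policy-agent style result; the exact shape is ours.
    return {"pvc": pvc, "violating_key": key, "msg": msg, "recommended_value": recommended}


def effective_replicas(pvc: dict, storage_classes: dict[str, dict]) -> int | None:
    """Replica count Ondat would apply: the PVC label wins over the StorageClass
    parameter. Missing or non-integer values give None so callers can flag them."""
    value = _labels(pvc).get(REPLICAS_LABEL)
    if value is None:
        sc = storage_classes.get(pvc.get("spec", {}).get("storageClassName"), {})
        value = (sc.get("parameters") or {}).get(REPLICAS_LABEL)
    if not isinstance(value, str):  # Kubernetes label/parameter values must be strings
        return None
    return int(value) if value.isdigit() else None


def check_pvc(pvc: dict, storage_classes: dict[str, dict]) -> list[dict]:
    """Return one dict per policy violation for a single PVC; [] means compliant."""
    name = pvc.get("metadata", {}).get("name", "<unnamed>")
    sc_name = pvc.get("spec", {}).get("storageClassName")
    key = f"metadata.labels.{REPLICAS_LABEL}"
    found = []
    sc = storage_classes.get(sc_name)
    if sc is None or sc.get("provisioner") != ONDAT_PROVISIONER:
        found.append(_violation(name, "spec.storageClassName",
                                f"must use a StorageClass provisioned by {ONDAT_PROVISIONER}, got {sc_name!r}",
                                "ondat"))
    raw = _labels(pvc).get(REPLICAS_LABEL)
    if raw is not None and not isinstance(raw, str):
        # An unquoted YAML number here is rejected by the API server: label values are strings.
        found.append(_violation(name, key, f"label value must be a quoted string, got {raw!r}",
                                str(MIN_REPLICAS)))
    replicas = effective_replicas(pvc, storage_classes)
    if replicas is None or replicas < MIN_REPLICAS:
        found.append(_violation(name, key, f"resolves to {replicas} replica(s); at least {MIN_REPLICAS} required",
                                str(MIN_REPLICAS)))
    return found


def check_manifests(manifests: list[dict]) -> list[dict]:
    """Check every PVC in a manifest set against the StorageClasses in the same set."""
    classes = {m["metadata"]["name"]: m for m in manifests if m.get("kind") == "StorageClass"}
    return [v for m in manifests if m.get("kind") == "PersistentVolumeClaim"
            for v in check_pvc(m, classes)]


def _pvc(name: str, storage_class: str, size: str, replicas=None) -> dict:
    """Build a PVC dict shaped like the page's manifest (constructed sample input)."""
    labels = {} if replicas is None else {REPLICAS_LABEL: replicas}
    return {"apiVersion": "v1", "kind": "PersistentVolumeClaim",
            "metadata": {"name": name, "labels": labels},
            "spec": {"storageClassName": storage_class, "accessModes": ["ReadWriteOnce"],
                     "resources": {"requests": {"storage": size}}}}


# Constructed sample input: the page's StorageClass and pvc-1, an assumed non-Ondat
# class, and the claims the demo starts and ends with (names and sizes are invented).
SAMPLE_MANIFESTS = [
    {"apiVersion": "storage.k8s.io/v1", "kind": "StorageClass",
     "metadata": {"name": "ondat", "labels": {"app": "storageos"}},
     "provisioner": ONDAT_PROVISIONER,
     "parameters": {"fsType": "ext4", "adminSecretNamespace": "default",
                    "adminSecretName": "storageos-api", REPLICAS_LABEL: "1"}},
    {"apiVersion": "storage.k8s.io/v1", "kind": "StorageClass",
     "metadata": {"name": "standard"}, "provisioner": "ebs.csi.aws.com"},
    _pvc("pvc-1", "ondat", "5Gi", "1"),          # as on the page: only one copy
    _pvc("pg-data", "standard", "20Gi"),          # wrong class, no replicas label
    _pvc("pg-data-fixed", "ondat", "20Gi", "2"),  # what the demo's fix looks like
]


def main(manifests: list[dict] = SAMPLE_MANIFESTS) -> int:
    """Print violations like a CI step would; a non-zero exit code blocks the merge."""
    found = check_manifests(manifests)
    for v in found:
        print(f"[{v['pvc']}] {v['violating_key']}: {v['msg']} (recommended: {v['recommended_value']})")
    return 1 if found else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run as-is it reports three violations (pvc-1 has only one replica; pg-data is on the wrong class and so has no Ondat replica count at all) and exits 1, while pg-data-fixed passes. Resolving the replica count through the StorageClass default matters: a claim with no label at all is still judged by what Ondat would actually do with it, and the string-type check catches the unquoted `1` that the YAML on the slide would otherwise send to the API server.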
Demo Architecture
[Diagram, Create Cluster: CAPI templates and bootstrap configuration are submitted as a pull request to the Management Repo; the resulting cluster is built with the Profiles Ondat Storage, Grafana, Prometheus and Weave Policy Agent.]
[Diagram, Create App: the PostgreSQL application is submitted as a pull request to the Application Repo and checked against Policy before it reaches the cluster.]
Summary
● Cluster lifecycle management with Cluster API
● Platform Profiles in a Helm repository
● Defining clusters, Profiles and values for cluster components
● Deploying the Ondat storage provisioner
● Creating an application Git repository definition
● Adding a database requiring storage to the application Git repository
● Preventing a bad configuration using policy controls
● Fixing the problem
● Deploying the database with storage provided by Ondat’s storage provisioner, with the required replicas
Q&A
Whitepaper: Shifting Security Left with GitOps and Trusted Delivery
https://bit.ly/3MvzXgQ
Learn more about Weave GitOps
www.weave.works/enterprise
Request a personal demo
www.weave.works/contact
Thank You
Get started for free
https://portal.ondat.io/signup
Thank you
https://weave.works