In a joint webinar with Traefik Labs, we show how Traefik Hub, a SaaS-based cloud native networking platform, helps you publish your containers securely in seconds with tunnels, OIDC authentication and automated TLS certificate management. We also show how to combine it with Weave GitOps to achieve continuous application delivery using progressive delivery strategies for low-risk, reliable deployments.
Security is key, so we showcase multi-tenancy with full RBAC across the different deployment stages, and trusted-delivery best practices that bake continuous security and compliance into the pipeline.
Learn:
- How to use canary deployments for reliable, low-risk application deployments.
- How GitOps lets you automate and secure the publishing of containers at the edge consistently.
- How easy it is to deploy, update and manage your application workloads on Kubernetes.
- How to publish containers securely using tunnels, OIDC authentication and TLS certificate management.
Securing Your App Deployments with Tunnels, OIDC, RBAC, and Progressive Delivery with Weave GitOps & Traefik Labs
1. Securing your App Deployments with tunnels, OIDC, RBAC, and progressive delivery with Weave GitOps and Traefik Labs
In partnership with:
3. Speaker introductions
Manuel Zapf, Product Manager, Traefik
Manuel creates and helps enact the vision for Traefik Labs products and roadmaps. With nearly a decade in product development and management, Manuel understands what will help make the jobs of engineers a little bit easier.
Steve Fraser, Consulting Reliability Engineer, Weaveworks
Steve is passionate about delivering quality, resilient software with as little friction as possible. He likes to spend his time thinking about how to deliver flawless deployments, allowing his customers to increase their application and infrastructure deployment velocity. Steve has extensive experience supporting, maintaining and architecting containerization technologies.
4. Weaveworks: the GitOps company
● Backed by solid investors
● A key partner with all the major infrastructure and Kubernetes vendors
● Deeply committed to the open source community
5. Traefik Labs, an OSS Leader
● 3 Billion+ downloads
● 35K+ stars on GitHub
● 600+ contributors
● 100,000s of nodes in production
Trusted by leading enterprises worldwide
7. GitOps - The Operating Model for Cloud Native
Git as the single source of truth for desired state:
● ALL intended operations are committed by pull request
● ALL diffs between intended and observed state are reconciled automatically and continuously
● ALL changes are observable, verifiable and auditable
Unifies deployment, monitoring and management.
[Diagram: IDE → Test → Build (Continuous Integration) → Git, the “Immutability Firewall” → GitOps → Kubernetes: Deployment (clusters, apps), Monitoring and Logging (Observability), Management (operations)]
8. GitOps - The Operating Model for Cloud Native
● Provides separation of concerns between the development process and the deployment process
● Transparency and auditability at all levels is automatic
● Authentication and authorization are isolated between concerns
● Risk reduction: complete application rollback and logging
● Security policy: enforced through code
[Diagram: the same IDE → Test → Build → Git (“Immutability Firewall”) → GitOps → Kubernetes flow as on slide 7]
10. Confidential do not distribute
Flux
● Implements a control loop that continuously applies the desired state from Git to your cluster. This protects against harmful actions such as deleting deployments or altering network policies, because any drift from the declared state is reverted on the next reconciliation.
● Provides declarative APIs for your preferred installation types (for example Kustomize overlays and Helm releases).
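As an added example (not from the slides and not Flux's own documentation), here is the pair of Flux v2 objects that implements the control loop described above for one tenant namespace: a GitRepository source that only accepts signed commits, and a Kustomization that keeps re-applying the rendered manifests and prunes what was removed from Git. The repository URL, path, namespace, ServiceAccount and Secret names are assumptions; the API versions are the `v1` ones of current Flux (older releases used `v1beta2`, where the verify mode was spelled `head`).

```yaml
# Added example: Flux v2 source + Kustomization for a tenant namespace.
# Repository URL, path, namespace, ServiceAccount and Secret names are assumed.
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
  name: my-app
  namespace: my-app
spec:
  interval: 1m                                   # how often to poll Git for new commits
  url: https://github.com/example/my-app-config  # assumed repository
  ref:
    branch: main
  verify:                                        # supply-chain gate: unsigned or wrongly signed
    mode: HEAD                                   # HEAD commits fail the source, nothing is applied
    secretRef:
      name: my-app-signing-keys                  # Secret holding the trusted PGP public keys
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: my-app
  namespace: my-app
spec:
  interval: 10m                        # re-apply even if Git is unchanged: undoes manual drift
  sourceRef:
    kind: GitRepository
    name: my-app
  path: ./deploy/staging               # assumed path inside the repository
  prune: true                          # objects deleted from Git are deleted from the cluster
  wait: true                           # reconciliation fails if the rollout never becomes ready
  timeout: 2m
  serviceAccountName: my-app-deployer  # apply as a least-privilege SA in this namespace,
                                       # not as the cluster-admin identity of flux-system
```

With these in place, deleting the Deployment with `kubectl` by hand is undone within `interval`, because the Kustomization re-applies the rendered manifests whether or not Git changed; with `prune: true`, the only way to remove a resource is to delete it from Git through a reviewed pull request. The `serviceAccountName` field is what makes the multi-tenancy RBAC story real: the tenant's Kustomization can only create what `my-app-deployer` is allowed to create, and the ServiceAccount must exist in the same namespace as the Kustomization.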
11. Flagger
● Shifts and routes traffic between app versions using a service mesh (such as Traefik Mesh) or an ingress controller (such as Traefik)
● Reduces the risk of introducing a bad software change by continuously measuring performance and reverting based on user-defined gates
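As an added example (not from the slides and not Flagger's own documentation), here is a Flagger Canary that uses the Traefik provider to shift traffic in 10% steps behind two metric gates, together with the IngressRoute that must point at the weighted TraefikService Flagger generates rather than at the plain Service. The application name, namespace, ports, hostname and load-tester address are assumptions; the Traefik CRD group is the `traefik.containo.us` one of the Traefik 2.x era (newer releases use `traefik.io/v1alpha1`).

```yaml
# Added example: Flagger canary for a Deployment published through Traefik.
# Names, namespace, ports, hostname and the load-tester address are assumed.
---
apiVersion: flagger.app/v1beta1
kind: Canary
metadata:
  name: my-app
  namespace: my-app
spec:
  provider: traefik
  targetRef:                        # the Deployment whose new versions are rolled out gradually
    apiVersion: apps/v1
    kind: Deployment
    name: my-app
  progressDeadlineSeconds: 600      # a canary stalled longer than this is failed and rolled back
  service:
    port: 80                        # port of the generated TraefikService and ClusterIP Services
    targetPort: 8080                # container port (assumed)
  analysis:
    interval: 1m                    # how often the gates are evaluated
    threshold: 5                    # failed checks before automatic rollback
    maxWeight: 50                   # canary never receives more than 50% before promotion
    stepWeight: 10                  # traffic shifted to the canary after each successful check
    metrics:
      - name: request-success-rate  # built-in check over Traefik's Prometheus metrics
        interval: 1m
        thresholdRange:
          min: 99                   # gate: at least 99% non-5xx responses
      - name: request-duration
        interval: 1m
        thresholdRange:
          max: 500                  # gate: p99 latency below 500 ms
    webhooks:
      - name: load-test             # generate traffic so the gates see real numbers
        type: rollout
        url: http://flagger-loadtester.my-app/   # assumed Flagger load-tester address
        timeout: 5s
        metadata:
          cmd: "hey -z 1m -q 10 -c 2 http://my-app-canary.my-app/"
---
# Traffic enters through Traefik and is split by the TraefikService Flagger maintains.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: my-app
  namespace: my-app
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`my-app.example.com`)   # assumed hostname
      kind: Rule
      services:
        - name: my-app
          kind: TraefikService            # the weighted service Flagger creates, not the plain Service
          port: 80
  tls: {}                                 # TLS with whatever certificate Traefik has for this host
```

Flagger only ever changes the weights on the TraefikService; if either gate fails `threshold` times the canary is scaled down, the primary keeps 100% of the traffic and the Deployment is marked failed, which is the "reverting with user-defined gates" behaviour from the slide. The two built-in metrics require Traefik's Prometheus metrics to be scraped by the Prometheus instance Flagger is configured to query; without that, every check errors and the rollout never progresses, which is the safe direction to fail.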
13. Today’s emerging new challenges
● Creating prototypes quickly in an isolated environment
● Promoting applications across multiple clusters
● Configuration sprawl
● The need for real-time deployment feedback, at scale
● Lack of time for developing features
15. Weave GitOps
● Provides a single workflow for rapid prototypes and production environments
● Provides modern promotion across multi-region clusters with canary deployments
● Ensures development occurs under organizational security policies
● Self-service, pull-based infrastructure and application deployment
16. Weave GitOps Services
Battle-tested Weaveworks approach
Technical support: Customer Reliability Engineering (CRE)
● Weaveworks-approved expertise in GitOps, Kubernetes and cloud native
● “Virtual” SRE
● Traditionally embeds in the customer’s team
● Long-term technical resourcing (6 or 12 months)
Weave GitOps Enterprise
● Curated platform: clusters on demand and application deployment
● Runs anywhere, on any Kubernetes platform
● Integrated security, policy and governance
● 24/7 support
Consulting, Professional Services, Training
● Workshops: design, build, operate and optimize
● POC delivery
● Training: skills development
● Time and materials: day rate
CAPABILITIES
● Reconciliation loop: monitor specific events in Git (repos, branches and/or folders)
● Simple profile bootstrap: set up, provision and operate a custom, production-ready cluster
● Application management UI: immediately detect drift between states as well as cluster health problems
● Cluster fleet management: reuse cluster templates easily from Git
● Team management & governance: segment responsibilities and enforce change-control policies
● Advanced security: RBAC, single sign-on (SSO)
17. Demo
Use case:
- Create a sandbox environment
- Install Traefik Hub and Proxy
- Create a GitOps pipeline
- Install my new prototype application
- Share my prototype application with a colleague
- Promote to production with a canary
19. How to publish services traditionally
● Deploy the service on a cluster
● For local development: port-forward
● For external access: install / configure an ingress controller
● Set up networking, TLS et al.
kubectl apply -f my-app/
kubectl port-forward svc/my-app 8000:80
20. Introducing Traefik Hub
Publish and secure containers at the edge instantly. Traefik Hub provides a gateway to your services running on Kubernetes or other orchestrators.
21. What about security?
● Security is crucial when publishing services
● It consists of multiple pillars:
○ Encryption of the connection
○ State-of-the-art, battle-proven access control
○ Minimal attack surface
● Ideally handled in one central place rather than distributed across many
22. Secure tunnels and encryption
● Foundation for a minimal attack footprint
● Encrypted connection between the cluster and the edge
● Automated TLS certificate management to encrypt HTTP traffic
23. Battle-proven access control
● Access control: manage who can access a given application
● Should be flexible and simple / quick to add
● The most common ones these days:
○ OpenID Connect
○ JWT
● Dream case: leverage access control without having to redeploy an entire stack / architecture
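As an added example covering both slide 22 (automated TLS) and slide 23 (OIDC access control added without redeploying the application), here is how the same two pillars look when expressed with plain Traefik Proxy CRDs rather than Traefik Hub: an ACME certificate resolver supplies the certificate, an HTTP route only redirects to HTTPS, and a ForwardAuth middleware delegates every request to an OIDC proxy before it reaches the workload. This is not the slides' or Traefik's own example; the hostname, namespaces, the `le` resolver name, and an oauth2-proxy deployment reachable at the address shown are assumptions, and the CRD group is the Traefik 2.x `traefik.containo.us` one (newer releases use `traefik.io/v1alpha1`).

```yaml
# Added example: TLS + OIDC access control attached at the edge with Traefik Proxy CRDs.
# Hostname, namespaces, resolver name and the oauth2-proxy address are assumed.
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: https-redirect
  namespace: my-app
spec:
  redirectScheme:              # plaintext requests never reach the app, only a 301 to https
    scheme: https
    permanent: true
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: oidc-auth
  namespace: my-app
spec:
  forwardAuth:                 # Traefik asks the OIDC proxy before forwarding each request
    address: http://oauth2-proxy.auth.svc.cluster.local:4180/oauth2/auth  # assumed deployment
    trustForwardHeader: true   # pass the original X-Forwarded-* headers to the auth check
    authResponseHeaders:       # identity headers copied from the 2xx auth response to the app
      - X-Auth-Request-User
      - X-Auth-Request-Email
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: my-app
  namespace: my-app
spec:
  entryPoints:
    - websecure                # :443 entrypoint
  routes:
    - match: Host(`my-app.example.com`)   # assumed hostname
      kind: Rule
      middlewares:
        - name: oidc-auth      # access control is a one-line change here, not an app redeploy
      services:
        - name: my-app
          port: 80
  tls:
    certResolver: le           # ACME resolver from Traefik's static configuration, e.g.
                               #   --certificatesresolvers.le.acme.email=ops@example.com
                               #   --certificatesresolvers.le.acme.storage=/data/acme.json
                               #   --certificatesresolvers.le.acme.tlschallenge=true
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: my-app-http
  namespace: my-app
spec:
  entryPoints:
    - web                      # :80 entrypoint, redirect only
  routes:
    - match: Host(`my-app.example.com`)
      kind: Rule
      middlewares:
        - name: https-redirect
      services:
        - name: my-app         # never reached: the middleware answers before the service is called
          port: 80
```

Two caveats a practitioner should check before relying on this. First, ForwardAuth passes the proxy's response through unchanged when it is not 2xx, so an unauthenticated browser gets oauth2-proxy's 401 rather than a login page; for an interactive sign-in flow the `/oauth2/` paths of the proxy also have to be routed, or an errors middleware has to turn the 401 into a redirect to its sign-in endpoint. Second, the `X-Auth-Request-*` headers are only trustworthy if the application is reachable solely through Traefik: a NetworkPolicy that restricts ingress to the `my-app` pods to Traefik's namespace is what stops an in-cluster caller from forging them.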