Welcome to the tenth and final installment of That App You Love, a blog series in which I show you how to you can make almost any app into a first-class cloud citizen. If you want to start from the beginning, jump back and check out Part 1: Making a Connection. Youāll need the docker service and the oc utility to follow along in this post; for instructions check out Part 5: Upping Our (Cloud) Game.
Wow, weāve come a long way! Back in Part 1, we were struck with this crazy idea - letās take an app we love, containerize it, and then kick it up to the cloud in a way that is secure, robust, and stateful. Along the way, we explored:
- The idea of a Config-and-Run container image
- A mini-cloud that we can run on a single machine, with a single command
- A cast of objects that turned our app into a fully-fledged cloud citizen
And in this final installment, weāll hit on a few last items that will really put that minty fresh scent on That App You Love.
Taking a Pulse
Kubernetes and OpenShift Container Platform can do basic pod health tracking by checking if the container within it is still running. However, we can improve the granularity of this health checking by adding a Readiness probe to check if the pod is ready for business, and a Liveness probe to check if the pod is still able to serve requests.
- If you are just tuning in, or donāt have your mini-cluster running, jump back and replay Part 9, and leave your cluster running when you are done. If you donāt want to go through all of that, make sure youāve got the basic cloud setup from Part 5 and then hereās a three-command shortcut. Just be aware that this shortcut does not correctly mount persistent storage:
wget https://raw.githubusercontent.com/nhr/znc-cluster-app/master/znc-template-with-pvc.yaml oc process -f znc-template-with-pvc.yaml | oc create -f - oc deploy dc/znc-cluster-app --latest
- Weāll use a super-simple set of Readiness and Liveness checks for znc-cluster-app; in fact, weāll use the same test for both:
oc set probe dc/znc-cluster-app --readiness --liveness -- pgrep znc
The magic ātest commandā here is āpgrep zncā. This program gets run inside the container to this basic effect: āif you find a process with this name in the executable, weāve got a pulseā. Because weāre using a Config-and-Deploy inside of our container, this is pretty helpful in determining if the process we really care about is running, because the initial process in the container will be our config-and-run script rather than our actual app executable.
Also note that as with our environment variables and PVCās, weāre applying these probe rules to our Deployment object (dc/znc-cluster-app), so that they get set up in every Pod that gets spun up on our behalf.
A Few More Comments on Security
The sample app that I chose for this series is not a highly sensitive piece of software, but we made two basic improvements to it. In Part 4 we made a container that does not run as root, and in Part 8 we made a template that randomly generates a different starting password for each deployment. If we wanted to get more sophisticated, we could make two bigger improvements:
Secrets
A Secret is an object in OpenShift that references a sensitive piece of data, like a password. To populate the object, the system can look at a filesystem, or pull an image, or clone a repository to read the sensitive data. Then, to apply the secret, the Secret object is bound to a Pod at runtime (similar to a Persistent Volume Claim) and then the running pod has access to the sensitive information. If you are interested, you can read more about secrets in the docs.
A Trusted SSL Certificate Chain
Our sample app generates a self-signed .pem file. Conveniently, this .pem file is stored in the configuration directories that we learned how to expose using persistent storage in Part 9. This gives us a few avenues to choose from for providing our own, trusted certificate chain. As with the password, we could use a Secret object to inject a known-good .pem file into our app pods; alternately we could just replace the generated .pem file in our persistent storage with the trusted one.
A Final Accounting
If you youād like to continue to experiment with the templates and container image that Iāve created, all of the source code for these items lives on GitHub. You will also find a ācompleteā template there, along with information on how to deploy that complete template onto a running OpenShift Container Platform starting from scratch.
As I said in the beginning, of course, this series wasnāt just about ZNC - many applications can be prepared for the cloud following similar patterns, very likely including That App You Love. And to take it one step further, if it works for That App You Love, the same strategies will also set you in the right direction for That App You Wrote.
...But thatās another series of articles entirely!
Thanks for reading!
About the Author
Hi there! My name is N. Harrison Ripps, and I am an engineer and people manager on the Containers team at Red Hat. Together with the greater open source community, our team has taken the combination of the docker container format and Googleās Kubernetes orchestration system, and then extended this framework with a number of administrator- and developer-friendly features that we call the OpenShift Container Platform.
Last updated: March 17, 2023