Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitLab / Distribution Team Demos / 10 Dec 2020
GitLab / Distribution Team Demos / 10 Dec 2020
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Distribution Team Demo - Dec 10, 2020

Description

The Distribution team demos using gitlab pages with a in-progress MR deployed within the gitlab-helm chart. With self-signed certificates.

A

Welcome everyone to the demonstration for this uh approximately thursday december 10 2020, basically on your time zone and today we're going to be demonstrating the new gitlab charts feature, which is a merge request that has been submitted by balu. It is if you're wanting to follow along at home.

A

It is in the charge, repository merge, request, one six, seven, seven and uh just for giggles paulo- and I decided I just do it live here for the first time is the best way to do a demo to see if something is straightforward is to just see how bad it, how bad you trip trying to look at it for the very first time, so I'm gonna go ahead and share my screen all right.

A

So here is the merge request in question.

A

Now I did cheat a little bit. This is the testing values that value said. I should have break bring with me, so here's this and.

A

Over it build here's my pages demo, so for this it's going to be pages.cloud.

A

Now, for this it says external ip, don't know what that is yet so we'll have to reapply that after the fact so we'll get that from our ingress and then the secret will be pages tls.

A

So the way I'm going to start. This is just go ahead and deploy.

A

So this is my basic self sign and we're going to install this without pages support, and while that runs so, let's just say, I'm a customer and what I'm gonna assume is. I have no idea, I'm using the charts, because someone said kubernetes kind of like the uh the good old cartoon right, the dilbert cartoon, so once they're too ready, so I'm gonna try it. So, according to this documentation, I need to bring a wildcard certificate and I saw that in.

A

My scripps thing: I have a generated certificate, so I'm going to try and use the script that the project provided to generate my wildcard certificate, because I look at this and I see hey, I can get a wild card right here.

A

So with that in mind, let me look at what we got so we have a service name and according to this documentation, I need a star dot pages dot, kate's domain. Okay,.

A

Star dot, server's name is a pages dot kate's domain.

A

So all right.

A

So let us do. Let's see.

A

Build this down.

A

Okay, so service name, let's page these.

A

Pages.

A

Name, space, look at name, space I'll, think, that's an awfully weird name, because I'm a new person. So I have no idea what namespace means in the writing sense. So namespace. uh I guess I'll call that cloud native.

A

And then my dns.

A

Suffix, there's no thing there, so dot win. Okay, so that should give me what I think or expect.

A

And again for those who may have just joined us, I'm literally doing this as if someone who just checked this out for the first time, so I'm kind of role playing what maybe one persona that comes into our repositories.

A

So I'm going to source my cert environment.

B

And then I'm going to.

A

Generation, let me just go back to this and check this.

A

Out.

C

My working directory.

A

Okay, so let me.

D

Interesting.

E

Yeah, you didn't have your environment sourced.

A

I source it in the other window.

A

Wow.

A

Certain name, so I missed.

A

One.

B

Again,.

A

All right: well, I'm going to go with that because I don't know how long I want to sit here and spin, but I watch it one more time.

A

So certain name.

A

All.

A

Right.

E

If you look closely at the script, the documentation explicitly states to pass it as argument one. This is because cert name is taken from the value of argument, one and, if not present, is set to.

B

Giddily.

A

So.

A

Interesting that wrote that that quickly perceived the time worked in an extra second or so so we have that in place.

A

Now I need to.

A

Pages tls.

A

So let me very quickly remind myself on my on screen here what the methodology for saving a kubernetes.

A

So.

A

Okay, so I'm gonna go.

A

With.

D

Equals.

A

Okay, so looking at this here, we go are not live broadcasting to youtube. As far as I know so it is okay to show that in the.

D

Video.

B

Okay- and this is what I expect.

A

Because we are not using a validity, we're using a self-signed cert and I'm going to turn that off. I will ask this: I've noticed this. Lately we get this warning. Should we just not like turn this off by default, because default deployment being an open hole feels like a bad idea.

E

We can't see your screen, so you.

A

Don't.

F

Know what.

A

You're talking.

E

About yeah.

A

Did my screen shirt done? Okay, sorry,.

A

Is it do you see visibility, access and controls.

E

Yes, we can see your screen. We've discussed that warning at the top a bunch of times we're not touching it.

A

Okay,.

A

So I have turned that off all right.

A

So here's this so I'm going to come up over here, I'm going to go to my ingress.

A

This is my ip address.

A

Awesome.

A

So with that said, my external ip is going to be set to that. I have created my kubernetes secret and we'll just verify that here.

A

Pages tls right here with that all said: that's all ready and let's go back here, hit helm upgrade, and this is what we have deployed and have shown working. So now we're going to go ahead and.

A

Add this one all right before I hit that I'm going to look at the pods here we go so just to recap.

D

You need a second attack.

E

F.

A

Yes, I do, I did it the first time I typed it in the wrong path, ah brains, all right, so that running you now see the pods are running so just to recap, where we're at we have modified and adapted the generate certificates, uh wild card service from what uh I know to be from the getaway service, but what someone would use to uh if they were just coming into this new. We have built our wild card, self-signed secret and added it to kubernetes, and now we are trying to install pages.

A

And here come the page spots.

A

In the migrations pod.

A

So we got a migrations, tuber.

A

Seriously doubt there are any uh actual migration training, but yep.

E

They're in process it'll just be quick. If there's nothing to do, can you do me a favor and check the ingresses sure.

E

Okay, just so, we know what the the subdomain is provided.

A

Yep, what I found interesting is that when I relaunched this.

A

It was unhappy.

E

So to be clear, you're going to gitlab.pages.cloudnay.

E

So you're not going to where your ingress is.

E

Your ingress is gitlab.pages.cloudnative.com.

A

uh I'm trying to go just back to the main page. I haven't even set up a page of repo or checkout, yet I understand you sent.

E

Global hosts domain, which sets the primary domain when you set that value to pages dot, it created all of the hosts as subhosts on star.pages.gitlab or star.pages.cloudnative.

B

So do you ew.

A

Fix.

A

That.

A

Okay,.

B

Okay, yep.

D

Okay,.

B

Let's remove this.

B

Sure I've done that same full on the ingresses in history.

E

You may have to re. You may have to wait for the dns to repopulate, because when you change the base domain, external dns, if in use, would have flipped all of the addresses in the dns and removed the old ones.

E

Yep.

A

All right well for now, I'm going to grab.

B

The ip address.

A

And go back because why.

E

Not well, engine x is.

A

There.

A

Yep, those are still tronating and starting.

E

If one of them is up, you should be able to get an answer.

E

As soon as your dns resolves.

A

That is a deep should. I saw something similar the other night that I noted when testing the um upgraded engine and ingress going from version 0.20 to 0.41.2, where, if there's a deep, if there's enough of the change, all the pause for the web service will just stop responding as opposed to rolling over like I would have expected.

A

I did not go back and dig into that more because I was trying to just.

D

Test the.

E

So what I'm saying here is you did not reload nginx. So, therefore, as soon as nginx is capable of receiving traffic at the host header, as defined by the request, it should at least give you a 502 as opposed to 404 default backend, which you were always going to get when you hit it by ip.

E

Address.

E

Try doing a curl.

E

Okay iv capitalized lowercase, v, yep pretty straightforward, for whatever reason it doesn't know about this domain, can you double check? Dns is healthy.

E

Do you mean dns on the cluster? uh No, the clusters, dns doesn't matter.

F

I'm looking up at the uh google dashboard, it does show that the dns got updated. So it's looking good on the google side. Okay,.

E

Do you have dig or ns lookup.

B

Should.

G

It loads for me put it within the browser.

E

Okay, so four giggles do dig at 1.1.1.1 and then the.

E

Hostname.

E

Okay, so yeah it's somewhere in your local dns chain, because the the other dns servers see.

E

It.

A

Ever done this, while on a zoom stream before I'm assuming the dns, is already pre-established. So here we already established connections, you won't break them.

D

By flushing dns yep.

D

All.

A

Right.

A

Aha,.

A

So flushing the caches when in doubt flush your cash all right.

A

Let's create from a template somewhere in here we have the pages hugo, so our pages html, let's do a simple one.

A

This one yeah.

B

All right.

A

Beyond is gonna, be a public project we're going to create the.

E

Project: okay,.

A

Now I have to go back and find the pages documentation.

A

I've only done it like twice.

A

Let's forgive that.com I'll just pull this up. I just googled.

A

It.

A

Pages: okay,.

A

Work project template.

E

So really you just need to trigger the pipeline.

B

Okay, go to pipelines pipeline.

B

Goes, do I have runners.

B

That I.

D

Do.

A

Okay, you'll get my runners.

A

All right, so the runner is not attached.

G

uh That pod is the task runner, not the gateway burner. Did you turn off the runners in your yammel things, your value's.

G

Fine.

B

Yes, actually so.

A

See alacrity does not let me do the whole thing where I can show both, but I'm kind of interested to see if this job picks up once that owner comes online. So, let's see here.

A

So it's job stuck waiting for a.

A

Runner.

A

Here comes the.

A

Runner.

B

I just tried to run straight.

G

This might be because it doesn't like your self-signed cert.

E

Yeah, if you press w to turn on rap, we might be able to see more.

A

Yep yep unknown authority.

E

There's a trick to that. Isn't there.

G

And if you look at my kind values under examples, if you look at my kind values based ammo, I think it is there's a way to specify what secret to use for the runner. I believe.

G

Kind and then try values based, I am, should be near. The bottom.

G

Try values, ssl diamond.

G

Yeah, so if you pass that, I think you should just be able to pass the name of your actually. I think I believe it creates that wild card tls chain by default now. So, if you go to your kubernetes secrets, there should be a secret. Basically with that exact name.

E

Depending on how he configured the tls.

E

Yep, okay, there it is.

G

So you basically just.

E

Copy.

B

Paste that.

G

Yep from the values.

E

And what that does is basically injects the certificate contents in to be trusted, so the runner won't have this complaint.

A

So I will ask this question as a curiosity thing for quality of life improvement. Should we just make that a thing that's default if we're using that self-signed cert.

E

That may be something that we can get to or an improvement. I don't know that it's a directly automatable item.

A

Yet I'm only talking about adding it as an issue to schedule for when we can get to it, but that sounds like it is so.

E

We can investigate it. The fact is that you are able to pass one secret name. So if a customer overrides that and they're using self sign- and they try to add a self sign from somewhere else, they'll end up with a problem so documentation in the very least needs to be added.

E

To be fair, the likelihood that you're, using like a half dozen self-signed certificates throughout the broader chart is low in production.

E

Most of the time when you're doing this you'd be using a custom ca and you just load the ca and everybody's good.

G

And for what it's worth, when you're, deploying with kind, this does happen automatically. So as long as you use that values file, runner will come up and automatically attach.

A

That hey nice.

A

All right so now I remember right the way you get to this is you come over to your settings pages and it will give you that yeah that.

A

Link.

A

I'm just gonna ask cause I've seen this and I haven't got to dig up. Why does this say 30 minutes for the site to deploy.

E

Because this depends on where you are how your configuration is on gitlab.com, it could take up to 30 minutes for the background job to repopulate the objects from the artifacts cache into the file system distributed throughout the pages fleet.

E

That's changing.

B

Okay,.

G

Is it supposed to be http or is it supposed to be over tls.

E

So the first thing we should be doing is checking to see if the pages are actually up and running.

E

Now they don't issue a lot of logs. Unfortunately, can you double check the configuration for that pod.

E

Sure.

E

Okay, um my apologies. We need to check the configuration inside the pod.

E

So pop it into a shell.

E

Let's see, according to the mr, the configuration should be mounted to approximately etc.

E

Here.

E

Finger this in its config map, so we're looking for config.erb.

B

Right here.

E

Right so just do a find for config dot.

C

Erb, okay, just go ahead and cat it. It's not that long.

E

So the domain is indeed configured, as we said, the route for pages is etc. Gitlab pages.

E

Okay uh should be on port 8090. Http 2 is yes. I do not see the configuration that explicitly sets https because pages isn't serving https itself um and it is trying to hit the external api which is good.

E

Web server. Is the external url okay domain config is where it says gitlab. This is good. This is expected, okay, so now that we know that pages is actually up and running as a container with some possibly questionable config.

E

Let's go ahead and exit out of the container and check the engine x logs on the controllers, see where it is sending the traffic or where it is attempting to send the traffic. I should say.

H

Another thing to check might be the deploy job. I know we had checked out the page's job, but there should have been another job that launched after that, just to see if it actually passed or.

H

Not.

H

That looks.

E

Good yeah there's pages deploy, gets like no logs. You just see that it passed or did not.

F

Hey robert, when you get a moment, try to dig that uh host name, you tried to go to I'm showing in the google's dns dashboard that the uh ip is still something bizarre. Like previous installation.

A

That actually.

A

That actually might make sense.

A

So let me pull that up over here uh is showing this on the light on the screen share. Is that going to be a.

B

Thing see here.

A

So because I use uh our cloud native domain for pretty much every demo and every test will be.

F

Yup go under network, keep going down.

A

Yep, I always forget where they store this network.

F

Services.

A

Cloud dns, I'm almost positive that I set this manually at some point.

A

This right here is manually set a record.

A

So this is the thing where, if I remove that record and then rerun the job, will it create it.

C

Are you using external dns to automate your dns config.

F

Yes looks like he is giving his text records there right.

F

Yeah, I think you want that. First, one gone to the star pages.

E

That one yeah that's the primary one. You want going.

A

And then it'll just recreate itself.

E

External dns should do a configuration cycle which should regenerate that. um However, this ui does not auto update okay.

A

No way to force this to.

E

You could manually restart the external dns pod and it would correct itself, but it's more than likely in a different name.

E

Space.

B

So this one.

A

Leave the pod and it should come back.

F

All right, let's see uh it, did get updated, has a text record so externally and that's created correctly. It looks like.

A

All right, so that's good.

F

You're, probably gonna have to kill your cash again you're correct.

A

So.

A

There's there anything.

B

Boy logs.

B

There.

A

Another.

B

One.

E

Okay, I apologize. I looked away. What did you get in the web browser when you tried it.

E

Okay, so that's a dns problem. That's.

E

Not.

H

uh It's coming up over on my.

A

Side destroy my cash down. Let me go here and go back to the same thing.

E

Okay, so the probe is failing. Let's go manually, query your dns.

B

Moment yeah.

A

So here's my local heroes digging off of.

E

You probably want to not use the url.

A

For the record, whoever thought that copy pasting should automatically append stuff out of browsers mistakes were made.

A

All right, so we got. This is sticking off 111.

A

So yeah.

A

My answer section is.

E

This is the joy of dns due to hierarchy. It's entirely possible that it's not your local system at this point, but rather your router or your isp.

E

That has got an old cache and they're in the process of pulling down new record as you try, but due to the nature of dns and ttl's ttl's being time to lives if it gets removed here, and they need to update it here, your cache can be clean, but now I can't resolve it now. It's waiting.

F

Yay.

A

All right, so someone says that they can see it. That's dj right.

F

Yeah.

A

I I also have it up here too: I'm gonna stop my screen share and let somebody screen share. First, I could just uh prove to the posterity of the video that, yes, we can see this.

H

Okay, I'm gonna share my screen.

A

Yay there we have it yup so off by one errors in dns. So is the answer.

A

Okay,.

A

So I think that overall I'll declare this in working most of the issues encountered were just typical, systematic uh I'll think on whether or not that would be something that we could translate to think about, whether to translate back to things that we can document. That would be a follower to this, not part of this uh overall, though quite successful stuff went in. Is there anything else you want to kick the tires on?

A

We are at 11 17, so about 15 minutes past.

E

The demo at hour, I would like to know about an application feature flag um previously, now it's possible that recent versions of pages and even master on rails have changed this, but for the last month you actually had to set one or even two application feature flags for pages to serve directly from artifact storage.

E

um Did you at any point need to set that anything like it.

A

I said nothing. What you saw is what we did.

E

Okay,.

A

Can we.

E

Can we pop into the task manager and, let's just see which application flags are actually.

A

On.

A

Task runner right.

E

Yes, okay,.

A

My ears heard task manager which confused me for a second, so just making sure.

A

And what do you want to look at.

E

uh Pop a rails.

E

Console sorry, I'm looking for the command that you will need to be able to actually run.

A

No.

A

Worries.

A

Hopefully, by the time you find it rails console.

E

Will look fully loaded right? This is the this. Is the joy of rails, no matter what we do, we can only make it so fast.

A

I am curious, is this rails general or is this the fact that we have like a couple hundred gems loaded it's a little bit of.

A

Both.

C

What command did you run.

E

Oh yeah, so you need git lab. uh No, no, no! No.

E

Space.

C

Yep.

E

Well, that fired up nice and quick this time around. uh I am not actually seeing a nice way to get all of the feature flags.

E

I only see how to get them one by one all right, let me go see what the current documentation on what those feature flags are.

A

Well, how do you get the one by one.

E

Yeah you get them one by one using uh feature: capital f, feature, dot, enabled question mark and then the string which I will have to fetch. You said.

E

String.

A

Why do you do that? Hey.

E

That kind of not really what we get.

A

No, but while you're looking, I can see no argument.

H

Hey? What does that all do.

E

There there is one present and turned on.

E

That's enough, actually, um interestingly, it looks like they may have automatically flipped this.

E

Finally, okay: well, apparently, the feature flag may no longer be.

E

Needed.

E

Well, that uh for giggles, let's increase the scale of the gitlab page's deployment, does it have an hpa?

E

I.

A

Think I remember seeing one here.

E

Yes, okay, so what we'll do is to not have to redeploy with helm, we'll just go edit. The hpa directly.

E

You need colon hpa.

E

Please hit escape now call an hba.

E

Okay, so edit that one go down to set the min replicas to three.

E

uh No, not three hundred watch the cluster die. Okay,.

E

Right so now, just.

E

Wq.

E

Should see more pages come up.

E

Go back to the hpas.

A

Just as we left.

E

Of course,.

E

Lesson in.

A

Patience: okay, it's a long walk between the cube api server and back okay.

E

Everybody ready your browsers, we're going to generate some load.

F

And robert, the uh ttl on those records are 300 seconds. So by now you should be able to get there. I would.

E

Think yeah uh pro tip for developers, we should probably document how to set the ttls with external dns, so that they're, not five minutes.

E

Yeah all right, so everybody who has a browser window available and can join in there's our url root.pages.cloud. Can you go ahead and just copy the url to the the chat we can all click on it.

A

I can find the chat, that's the grid. That's come on zoom. I got.

F

It for you thank.

E

You thank you gerard.

F

ah We'll paste it.

A

Fun with zoom ui.

A

So I I just have a question: if we're trying to generate load so couldn't we just also do this with like.

E

We could, but I'm looking for parallel multi-origin load, I'm literally just looking for everybody to go ready, f5.

E

Yes, we could use apache bench, but let's like we, don't need to go that far. It's a simple demonstration.

E

Okay, what I would like you to do robert yep is to go back to k9s, okay, okay, so what I want to see is that actual work is being done by more than one gitlab pages instance and that everybody's getting successful returns on the objects.

E

That's what I'm looking for. I get a chance to say that, okay, so whenever anybody is ready, just mash f5 a couple of times.

A

It's all linux in there and that one's getting stuff.

A

So let me look at this one.

E

Okay, so we're definitely seeing nginx passing load. Let's just look at the cpu loads that we're actually seeing here.

E

Cpu yeah just sit on the pods, don't go into a log, just sit on the pods. There's a cpu percentage right. There.

A

Oh okay,.

E

Okay, so what what I'm seeing here is the important thing because we're seeing cpu loads north of 10 when it's sitting idle it's around three or four, so it's distributing load and I'm not hearing anybody saying that their requests are failing.

E

Why does this matter? You might ask architecturally speaking. The way pages used to work is that you would actually write this into the file system somewhere and then pages would serve from the file system. Hence pages couldn't work in cloud native due to the nfs requirement when they moved to doing this through artifact storage, they initially took it and instead of literally taking the output, bundle sticking in artifacts and then sidekicks comes along. It pulls the artifact down, extracts it and writes it to the file system.

E

Now they simply skip the sidekick job and they make sure that it's deployed into the correct location pages asks gitlab for the configuration instead of expecting it to be written on the file system with the files and then actually serves directly from chunks in object, storage by ensuring that multiple pods can be handling traffic.

E

At the same time, by the method that we all collectively just did, what we're doing is confirming that we're not having a problem with individual pods, having a specific cache work, having access to state we're proving that pages actually is able to operate in an entirely stateless fashion.

G

So there's no copy of the artifacts in these containers. Nope, it's cool.

A

And then I guess, at the end of the day, object storage is handling how fast it can serve out from its side. Essentially.

E

Yes, so, for example, if you look at the mini, I o, which is handily right, smackdown between the two gray lines, if we start doing the refresh again you'll see a small spike minnow has crap logs. Please do not look at the logs you'll see a very small spike in the load on that pod, when it.

E

Refreshes very small but you're like it's, not even showing me the load from from mine, of course, but essentially what we're limited at that point by the amount of time it takes for pages to go and go you're asking for this component off of this page, go: ask it lab gitlab says: oh, that's over here goes to the object, reads the chunk index and then reach the chunk out of it.

E

And then that serves back to you because we don't do we're not doing object. Storage, redirection, we're actually reading the chunk out, expanding it and then serving you. The.

D

Content yeah so I'd say that works.

A

Yep, do we have any other questions.

G

The only small thing was that the gitlab ui offered you an http link. I was curious if it always says http or if it should have. Given you an https thing.

E

um You actually have to tell gitlab that you're expecting to run pages over https, the reason being that gitlab pages has the ability to serve custom domain ssl certificates.

E

So the current implementation of the chart uses an ingress as opposed to directly exposing itself to the internet. As a result, it can actually use ssl through nginx for the base pages domain.

E

In the event that you wanted to use a custom one, like you know, pages dot, nip or pages dot ip address of external nip.io and serve ssl over that the nginx doesn't know about whatever those custom ones are on a per project basis.

E

It doesn't, we don't have a way to load extra tls certificates into it and it would actually turn around and go. I can't serve https on this because I don't have a certificate for it and it would go back to its default one and then you'd get a complaint like self-signed, nginx, ingress or kubernetes ingress doesn't match the hostname, so we actually have to do that in the next stages to actually make it possible to serve https.

E

So the ui is saying: http is actually correct. It's the browser, that's going, let me try https and if it's not there I'll go back to http, it's an automatic upgrade behavior in most modern browsers.

E

So unless you specifically say https, it will try that first.

A

And I believe balu called that out and tested notes as well somewhere, okay hold on.

C

Right there here.

E

Note that this is this is not a limitation when pages actually runs external to the charts, because we're running pages as its own damon. So it already has all of that stuff.

A

So I'm fairly convinced that it works so I'll. Take a look. I guess the next step for me is the reviewers to see if there's any naming style, other things from our decision uh records that I would quibble with and then yeah.

A

It looks good to me from a functional standpoint right now, so unless there are more questions that concludes today's demo, so I'll leave it open for crickets one cricket's, two all right. Well, thank you. Thank you all for coming to this week's demo and we'll see you next.

A

Week.