Package and launch trusted apps on Kubernetes with Stacksmith and Kubeapps. Part 1: Creating a Trusted Set of Applications

Published on November 28, 2018
Wojciech Kocjan

Wojciech Kocjan

Share this article

Companies with large IT infrastructures need an end-to-end way to manage what is running in their environment. At Bitnami, we understand this challenge very well. In this article, we will show how creating a set of trusted applications simplifies managing compliance and governance in your environment. And we’ll show you how this can be applied to your Kubernetes clusters.

The process starts by ensuring everything that gets run in your Kubernetes cluster has been packaged according to your company’s best practices. This means the solution does not contain known security issues and hardening policies have been applied, along with anything else that policies and regulations require. You can achieve this by defining a set of trusted deployable assets that you and others can safely use in your environment.

It is very important that those assets are kept fresh and up to date. This means that whenever any component of your application needs updating or the solution includes packages with known security issues, the application should be re-packaged with latest versions and fixes for all security issues. Bitnami Stacksmith helps you automate and optimize the packaging of your applications for deployment to cloud and container platforms, and continuously monitors your applications for updates and patches, allowing you to keep them up to date and secure.

The next thing to consider is the way in which your IT users can launch applications, and making sure that they are restricted to only the trusted applications you’ve just provided them with.

This means that anyone wanting to run workloads in your Kubernetes cluster or clusters should only choose from applications that your IT department has selected and packaged, and that they should use the latest version by default. The system should also provide a path for updating an existing deployment—so once an updated version of an application with security fixes or bug fixes is available, users can update their existing deployments. Kubeapps springs into action here to provide you an easy and consistent way to manage deployment of your applications in a Kubernetes cluster from a web-based UI.

Let's take a look at how Stacksmith and Kubeapps can be used to enable this flow inside your Kubernetes cluster:

Stacksmith Kubeapps workflow

As you can see, using Kubeapps along with Stacksmith allows your organization to create and maintain a catalog of trusted applications and services that can be launched in your clusters. This reduces the risk of users launching applications that are not compliant with your corporate standards and/or requirements.

This post consists of two parts. This first part goes through the process of setting up the suite of tools so they work together, allowing packaging custom applications, and launching them in a cluster. In this article, we will run an AKS (Azure Kubernetes Service) cluster on the Microsoft Azure Cloud. The process of setting up other clouds or on-premise Kubernetes clusters will be almost exactly the same—the only difference is how you onboard onto Stacksmith and how the Kubernetes cluster itself can be set up using cloud-native services.

In the second part of this post, Setting Up and Using Service Catalog in Kubernetes Cluster, we will go through the process of configuring all of the tools described previously and look at how the combination of Kubeapps, Stacksmith, and a Helm chart repository provides a complete solution for having a service catalog of trusted applications in your Kubernetes cluster.

Packaging your applications with Stacksmith

Stacksmith is a tool provided by Bitnami that can be used to package applications. It is currently offered as a SaaS solution and provides both a public tier that is free as well as team and enterprise paid tiers.

  • Stacksmith can be used for off-the-shelf applications as well as in-house developed solutions. It provides a way to package these applications for Kubernetes, doing this in a consistent and reproducible way. It can be integrated with your hardening scripts as well as any other tools that are part of your corporate standards.

  • Stacksmith also monitors your applications after they have been built—monitoring them for security vulnerabilities as well as checking for package updates. This can be used to decide when a fresh build of your application should be made, fixing security issues that it may be vulnerable to today.

The second part of this blog post includes more details on how Stacksmith handles and presents the results of continuous monitoring.

Launching applications with Kubeapps

Kubeapps is an open-source project for deploying and managing applications in Kubernetes clusters. It can be run inside your Kubernetes cluster to provide your users with a web-based UI for launching and managing applications.

  • Kubeapps provides a single place where people in your organization can start new applications, see what has been provisioned and manage their deployments inside the cluster.

  • Kubeapps allows you to manage available IT services and helps you achieve governance. It also helps you ensure that you meet your compliance requirements, while allowing users to deploy only the approved IT services they need.

By default, Kubeapps uses several sources for retrieving applications that can be deployed in your cluster, including stable and incubator Helm chart repositories. Many IT organizations replace the built-in catalog with a catalog of trusted deployable assets. This can be a subset of the default applications that have been verified to work properly in your environment and meeting your corporate standards. It can also be limited to applications that are relevant to your line of business. This last option is the one we will be setting up in this blog post.

Creating your service catalog

In this section, you will learn how to define a service catalog for your Kubernetes cluster. This is the point where integration between Stacksmith and Kubeapps will happen.

Stacksmith outputs different deployable artifacts depending on the target platform. For Kubernetes, Stacksmith outputs Helm charts, which are the de facto standard way of running applications in a cluster. Helm charts can be stored in a place called a Helm chart repository.

A sample of the different Stacksmith outputs is shown in the second part of this blog post: Part 2: Setting Up and Using Service Catalog in Kubernetes Cluster.

A Helm chart repository provides a way to list all available charts along with their versions, and download any chart and any version listed. There are a number of tools that provide this functionality—JFrog Artifactory or ChartMuseum, for example. The first is a commercial artifact repository that has the option of serving a Helm chart repository. The latter is an open-source project that is part of Helm, and provides the basic functionality of a repository. Both can be used with Stacksmith and Kubeapps.

Kubeapps can be configured to use the charts from such a repository, allowing your users to launch applications that have been packaged by Stacksmith, and ensuring that the applications are always up to date and maintained.

Check this video to see how Stacksmith can populate your service catalog and make it available from Kubeapps:

The second part of this blog post describes the setup of Stacksmith, Kubeapps, and a Helm chart repository in more details. Check it out!