Package and launch trusted apps on Kubernetes with Stacksmith and Kubeapps. Part 2: Setting Up and Using Service Catalog in Kubernetes Cluster

This is the second of two blog posts which cover the whole process of defining a set of trusted applications and providing tools for your users to deploy said applications in a Kubernetes cluster using both Stacksmith and Kubeapps.

The first part of this blog post, Part 1: Creating a Trusted Set of Applications, introduces the concept of having a trusted set of applications and how it can help your organization manage compliance and governance of your IT infrastructure. Check it out if you’d like to better understand the underlying concepts.

This article assumes that you already have an account in one of the public clouds that Stacksmith supports, as well as a Kubernetes cluster. You can set up an Azure account by following the Getting Started with Azure guide as well as Introduction to Azure Kubernetes Service (AKS) guides.

In this article, we will go through the process of setting up Kubeapps, Stacksmith, and a Helm chart repository to provide a service catalog inside an AKS cluster on the Microsoft Azure Cloud.

Installing Kubeapps in your cluster

Kubeapps is an application, installed inside your cluster using Helm. Once installed, it acts as a service catalog for Kubernetes.

Kubeapps provides a user interface (UI) to deploy applications inside your cluster from configured repositories, and apply updates and configuration changes. This example shows how to do that with a catalog of trusted applications.

  • In order to set up Kubeapps, you will first need to install Helm in your cluster. Once Helm is installed, Kubeapps can be installed by simply adding the Bitnami chart repository and installing the Kubeapps chart from it—for example, by calling the Helm client and entering:

    $ helm repo add bitnami
    $ helm install --name kubeapps --namespace kubeapps bitnami/kubeapps

    This will set up Kubeapps in your cluster. To sign in to Kubeapps, we need a service account token. For production services, your SRE team would provide you with tokens with the appropriate rights.

  • For testing purposes, the simplest way is to create a service account and get the token for it:

    $ kubectl create serviceaccount kubeapps-operator
    $ kubectl create clusterrolebinding kubeapps-operator --clusterrole=cluster-admin --serviceaccount=default:kubeapps-operator
    $ kubectl get secret $(kubectl get serviceaccount kubeapps-operator -o jsonpath='{.secrets[].name}') -o jsonpath='{.data.token}' | base64 --decode ; echo ""

    The first command creates a service account. The second assigns a cluster-admin role binding, effectively making it an administrator of the entire cluster.

    The last command gets the service account token that should be passed to Kubeapps when logging in. Keep this safe, as you’ll need it to log in to Kubeapps in a moment.

  • The next step is to connect to Kubeapps. For production systems, the SRE team would expose it over internal or public IP addresses, using HTTPS protocol. For the purposes of this article, the simplest way to connect to it is to use port forwarding:

    $ kubectl port-forward --namespace kubeapps svc/kubeapps 8080:80

    This will forward any connections to http://localhost:8080 to be forwarded to Kubeapps. Go to that URL and pass the token you retrieved earlier to log in to Kubeapps:

    Kubeapps Login

    After that, you’re ready to use Kubeapps and deploy the standard applications that Helm charts provide.

  • After logging in, you will be prompted by list of applications, or if the Kubernetes cluster is not running any app yet, an empty list. Navigate to the “Catalog” section to see all of the applications available by default.

    Kubeapps Catalog

    Kubeapps takes all of its applications from repositories. It contains multiple repositories, but this list can be customized—removing all repositories and providing only the trusted set of applications packaged by your IT department, for example.

    Learn more about Kubeapps and how it can be used, in the following documentation: GitHub project, Get Started with Kubeapps and Using the Dashboard.

Setting up a Helm chart repository

Now, we need to create our own Helm chart repository. It’s a service that allows you to provide charts of applications—such as those built by Stacksmith—and provides a URL to allow clients such as Kubeapps or Helm CLI to download Helm charts.

Both Stacksmith and Kubeapps support multiple Helm chart repositories. JFrog Artifactory is one such supported solution. It’s a commercial repository manager that offers the ability to serve Helm charts. More details on configuring Artifactory can be found in the official documentation.

Another option is to use ChartMuseum—an open-source Helm chart repository that’s part of the Helm project. ChartMuseum can be created externally or inside your cluster, and can even be launched directly from Kubeapps.

Pushing Helm charts to both Artifactory and ChartMuseum is as simple as uploading the Helm chart tarball to a specific URL. After that, the repository updates its index file and the new chart is available to all clients, including Kubeapps.

  • Making Kubeapps use the Helm chart repository is also an easy process. All that is needed is to go to the Kubeapps dashboard, and go to the "Configuration -> App Repositories" settings:

    Kubeapps App Repositories

  • Next, add a new repository, specifying the URL of the Helm chart repository and anything you like for the name, such as:

    Adding a Repository in Kubeapps

    After this, Kubeapps will show all of the applications that have been uploaded to our Helm chart repository.

Packaging applications using Stacksmith

The final part of the process is to set up a way to package applications using Stacksmith. Stacksmith is a SaaS solution provided by Bitnami for the automation and streamlining of application packaging and continuous maintenance.

While this article focuses on Kubernetes and only uses that subset of functionality, Stacksmith supports packaging applications for multiple clouds.

To get started with Stacksmith, you need to sign up and create an account.

Stacksmith carries out builds for you on the public cloud of your choice. The process of onboarding onto Stacksmith requires you to perform a few steps to give Stacksmith access to your cloud account.

For this example we are using Azure cloud, which stores build outputs in Azure Container Registry (ACR) and Azure Blob Storage. This will also make it easier to configure a cluster running in the AKS where Kubeapps is running to have access to the container images stored in ACR. The process of onboarding onto the Azure cloud is described in more detail in the Connect your Stacksmith account with your Azure account section of the Stacksmith documentation.

After setting up the account, all you need to do is configure it to push the applications to the Helm chart repository. At the time of writing this article, setting up a custom repository requires you to contact Stacksmith support, as this option is not yet available in the Stacksmith GUI. This only has to be done once, and will be applied to all applications that will be built from that point on.

Now that everything is set up, let’s define the application. We’ll use a sample Java Tomcat application that uses a database. Its code is available from the following GitHub repository:

  • First up, sign in to Stacksmith and choose the "Package an application" option to define a new application. This will open a form to define the application and how it should be built.

    In the next screen, fill in the form as follows:

    1. Provide an "Application name" and "Application version" - such as CustomerApp for Kubeapps and version 1.0.
    2. In "Stack Template", choose the "Java Tomcat application with DB (MySQL)" option.
    3. For "Targets", deselect Microsoft Azure as target and ensure Kubernetes is selected - this is as we are only going to build the application for Kubernetes and do not need a VM image.
    4. For Application files, upload the customerapp-1.0.0.war file that can be downloaded from GitHub.
    5. In the "Script Location" field for application scripts choose the "Git repository" option
    6. In the "Repository URL" field, specify the following GitHub repository:
    7. In the "Repository Reference" field, specify the value master
    8. Click on the "Create" button.

    The resulting data should look like this:

    Packaging Application in Stacksmith

This application was chosen from Bitnami’s example applications, which are available on GitHub in the Bitnami-labs repository.

Once the build finishes and the output Helm chart is uploaded to the Helm chart repository, Stacksmith will show you the results, along with a log of everything that happened during the build.

Application Packaged in Stacksmith

It also provides information about all of the outputs and where they can be found:

Outputs from Application Packaged in Stacksmith

After it has been built, Stacksmith continuously monitors your applications for updates and patches. It can monitor system packages as well as your upstream application. Here’s an example of Stacksmith reporting that updates are available for the system packages:

System Packages Included in Packaged Application

The details also include information on whether any of the updates are fixing security issues. This information can be used to determine whether an application could be vulnerable and whether it should be rebuilt to mitigate the risks.

Your application will also be available inside Kubeapps:

Packaged Application Available in Kubeapps

And it can be launched directly from Kubeapps, customizing any of the available values that can be passed to the application, directly from the web user interface:

Deploying Application in Kubeapps

After clicking on "Submit", the application will be launched. Once the deployment finishes, you and your users will be able to access the application. Kubeapps will also allow you to manage the application, update it, or change its configuration at any time.

Providing Kubernetes users with a service catalog for your applications

As this article has demonstrated, Kubeapps and Stacksmith can be used to provide your IT organization and its users with a service catalog for a trusted set of applications.

Stacksmith can provide your IT organization with the tools to package applications in a consistent and reproducible way. Kubeapps will provide your users with a user interface for launching and managing applications in your Kubernetes cluster in an easy and convenient way.

This way, your users can deploy the applications that your organization has packaged according to your company’s best practices, and conveniently manage the applications after they have been launched.

Learn more about Kubeapps from the GitHub project.

Package, deploy, and maintain your own application today. Sign up for Stacksmith Public and find out how easy it is!

Do you have questions about how Stacksmith and Kubeapps can provide compliance and governance for your IT? Or want a personalized demo? Contact us at