Cloud Ops Chronicleshttps://www.ops-chronicles.cloud/fr/2026-05-14T00:00:00+02:00Le Workflow "AI-First" : Quand votre IDE ne démarre que pour valider l'IA2026-05-14T00:00:00+02:002026-05-14T00:00:00+02:00Mathieu GOULINtag:www.ops-chronicles.cloud,2026-05-14:/fr/workstation-cloudrun.html<p>Une Workstation VS Code reproductible sur Cloud Run, propulsée par Nix, conçue pour les boucles de collaboration Humain-IA — avec un coût de 0,00 $ au repos.</p><div class="toc">
<ul>
<li><a href="#lere-du-developpeur-validateur">L’ère du développeur-validateur</a></li>
<li><a href="#le-nouveau-cycle-de-vie-de-la-feature-a-la-release">Le nouveau cycle de vie : de la Feature à la Release</a></li>
<li><a href="#pourquoi-nix-larme-secrete-du-determinisme">Pourquoi Nix ? L’arme secrète du déterminisme</a></li>
<li><a href="#les-dessous-de-larchitecture-abattre-les-murs-pour-les-workstations-serverless">Les dessous de l’architecture : abattre les murs pour les workstations Serverless</a><ul>
<li><a href="#mur-n1-le-terminal-qui-refuse-de-souvrir">Mur n°1 — Le terminal qui refuse de s’ouvrir</a></li>
<li><a href="#mur-n2-les-websockets-vs-la-couche-proxy">Mur n°2 — Les WebSockets vs. la couche proxy</a></li>
<li><a href="#mur-n3-le-stockage-partage-humain-ia">Mur n°3 — Le stockage partagé Humain / IA</a></li>
<li><a href="#mur-n4-tourner-en-non-root-avec-nix-securite">Mur n°4 — Tourner en non-root avec Nix (Sécurité)</a></li>
</ul>
</li>
<li><a href="#le-nerf-de-la-guerre-pourquoi-le-scale-to-zero-change-tout-pour-le-budget">Le nerf de la guerre : Pourquoi le Scale-to-Zero change tout pour le budget</a></li>
<li><a href="#architecture-du-projet-et-pipeline-de-build">Architecture du projet et pipeline de build</a><ul>
<li><a href="#le-conteneur-de-base">Le conteneur de base</a></li>
<li><a href="#la-forge-lagent-ia-en-action">La forge : L’Agent IA en action</a></li>
</ul>
</li>
<li><a href="#pour-demarrer">Pour démarrer</a></li>
</ul>
</div>
<p><strong>Une Workstation VS Code reproductible sur Cloud Run, propulsée par Nix, conçue pour les boucles de collaboration Humain-IA — avec un coût de 0,00 $ au repos.</strong></p>
<p>🔗 <em>Source du projet : <a href="https://gitlab.com/matgou/workstation-nix">gitlab.com/matgou/workstation-nix</a></em></p>
<hr />
<h2 id="lere-du-developpeur-validateur">L’ère du développeur-validateur<a class="headerlink" href="#lere-du-developpeur-validateur" title="Permanent link">¶</a></h2>
<p>Il y a encore peu de temps, nos environnements de développement vivaient sur nos machines, lourds et personnalisés à l’excès. Puis sont arrivés les IDE Cloud (GitHub Codespaces, Google Cloud Workstations), pensés pour une ère bien précise : celle de développeurs humains codant activement 8 heures par jour en utilisant la puissance de serveurs déportés.</p>
<p>Mais l’émergence de l’IA générative bouleverse aussi cette donne. Aujourd’hui, face à la génération de code, on a besoin de GPU : locaux (pas chers), distants (chers) et, en plus, deux visions s’affrontent et on verra bien laquelle perdurera :</p>
<ol>
<li><strong>L’école du “les IA seront bientôt 100% autonomes”</strong> : Le développeur ne maintient plus que des spécifications en Markdown, l’IA fait tout le reste, de bout en bout.</li>
<li><strong>L’école du “L’IA prépare, l’humain valide”</strong> : L’IA abat le gros du travail, mais le développeur aura toujours un rôle de garant du code produit. Il sera amené à “mettre les mains dedans” pour tester, valider et ajuster.</li>
</ol>
<p>Soyons pragmatiques : la première école relève encore (pour l’instant) de la science-fiction pour la majorité des projets complexes ou critiques en entreprise. Et je suis d’avis que nous avons pour l’instant toujours besoin de mettre les mains dans le cambouis pour auditer et valider le code généré. Cependant, je constate que nos outils n’ont pas suivi, l’adoption des EDI déportés est encore trop anecdotique. Et payer un environnement permanent alors que l’humain n’intervient plus qu’en pointillé n’a aucun sens économique — et même écologique.</p>
<p>Je vous propose ici une réflexion autour des nouveaux EDI déportés et souhaite montrer qu’ils sont accessibles à tous avec, comme exemple, la mise en place d’une <strong>Workstation-CloudRun</strong>. Ces derniers, bien que n’ayant pas été construits précisément pour ce monde de symbiose entre le développeur et l’agent IA, s’y adaptent pourtant parfaitement. Aujourd’hui chacun peut disposer d’un EDI surpuissant, avec des GPUs, sur mesure, disponible instantanément, qui ne vit que le temps exact où nous avons besoin de réviser le code (et pas pendant que l’IA travaille).</p>
<hr />
<h2 id="le-nouveau-cycle-de-vie-de-la-feature-a-la-release">Le nouveau cycle de vie : de la Feature à la Release<a class="headerlink" href="#le-nouveau-cycle-de-vie-de-la-feature-a-la-release" title="Permanent link">¶</a></h2>
<p>Pour bien comprendre la nouvelle dynamique du développement piloté par les agents IA, il faut repenser notre pipeline de livraison. L’humain n’est plus à l’origine du code, il en devient le validateur final.</p>
<p>Voici une vision d’un workflow moderne :</p>
<ol>
<li><strong>Les spécifications</strong> d’un ticket ou d’une modification sont communiquées. (Je ne vais pas détailler ici comment écrire et faire valider de bonnes spécifications pour que l’IA puisse les traiter.)</li>
<li><strong>L’IA travaille dans l’ombre</strong> : Un agent IA (Gemini, Claude, ou un pipeline CI autonome) échafaude un projet, écrit une feature ou résout un bug.</li>
<li><strong>Le point de convergence</strong> : L’agent dépose tout ce code directement dans un <strong>grove</strong> — un bucket Google Cloud Storage (GCS) servant d’espace de travail partagé. J’ai emprunté le terme “grove” au framework <a href="https://googlecloudplatform.github.io/scion/concepts/#grove">Google Scion</a>. <em>(Coût : 0 $, le stockage objet étant quasi gratuit).</em></li>
<li><strong>Le passage de relais (Hand-off)</strong> : L’IA vous notifie que le code est prêt à être validé ou complété par l’humain.</li>
<li><strong>L’Humain prend la main</strong> : Vous cliquez sur une URL Cloud Run. En quelques secondes, une instance VS Code démarre dans la Workstation Nix. Le code généré par l’IA est déjà là, monté instantanément. Dans cette workstation, vous pouvez modifier, lancer, déboguer le code, ou même le vibecoder.</li>
<li><strong>Scale to Zero</strong> : Une fois la PR validée, vous fermez l’onglet. L’instance Cloud Run s’éteint. Vous ne payez plus.</li>
</ol>
<p>Voici comment se matérialise ce cycle, de la requête initiale jusqu’à la release :</p>
<div class="highlight"><pre><span></span><code><span class="n">flowchart</span><span class="w"> </span><span class="n">LR</span>
<span class="w"> </span><span class="n">A</span><span class="p">[</span><span class="s">"🎯 Feature Request"</span><span class="p">]</span><span class="w"> </span><span class="o">--></span><span class="w"> </span><span class="n">B</span><span class="p">{</span><span class="s">"🤖 Agent IA"</span><span class="p">}</span>
<span class="w"> </span><span class="n">B</span><span class="w"> </span><span class="o">==>|</span><span class="s">"git clone + code"</span><span class="o">|</span><span class="w"> </span><span class="n">C</span><span class="p">[(</span><span class="s">"☁️ Grove (GCS)"</span><span class="p">)]</span>
<span class="w"> </span><span class="n">D</span><span class="p">[</span><span class="s">"💻 Workstation Nix"</span><span class="p">]</span><span class="w"> </span><span class="o">-->|</span><span class="s">"GCS FUSE mount"</span><span class="o">|</span><span class="w"> </span><span class="n">C</span>
<span class="w"> </span><span class="n">B</span><span class="w"> </span><span class="o">--></span><span class="w"> </span><span class="o">|</span><span class="s">"spawn"</span><span class="o">|</span><span class="w"> </span><span class="n">D</span>
<span class="w"> </span><span class="n">E</span><span class="p">{</span><span class="s">"👨💻 Humain"</span><span class="p">}</span><span class="w"> </span><span class="o">--></span><span class="w"> </span><span class="o">|</span><span class="s">"review, test, fix"</span><span class="o">|</span><span class="w"> </span><span class="n">D</span>
<span class="w"> </span><span class="n">E</span><span class="w"> </span><span class="o">-->|</span><span class="s">"git merge"</span><span class="o">|</span><span class="w"> </span><span class="n">F</span><span class="p">[(</span><span class="s">"🚀 Git Release"</span><span class="p">)]</span>
<span class="w"> </span><span class="n">style</span><span class="w"> </span><span class="n">A</span><span class="w"> </span><span class="n">fill</span><span class="o">:</span><span class="err">#</span><span class="mf">4285f</span><span class="mi">4</span><span class="p">,</span><span class="n">color</span><span class="o">:</span><span class="err">#</span><span class="n">fff</span><span class="p">,</span><span class="n">stroke</span><span class="o">:</span><span class="n">none</span>
<span class="w"> </span><span class="n">style</span><span class="w"> </span><span class="n">B</span><span class="w"> </span><span class="n">fill</span><span class="o">:</span><span class="err">#</span><span class="n">ea4335</span><span class="p">,</span><span class="n">color</span><span class="o">:</span><span class="err">#</span><span class="n">fff</span><span class="p">,</span><span class="n">stroke</span><span class="o">:</span><span class="n">none</span>
<span class="w"> </span><span class="n">style</span><span class="w"> </span><span class="n">C</span><span class="w"> </span><span class="n">fill</span><span class="o">:</span><span class="err">#</span><span class="n">fbbc04</span><span class="p">,</span><span class="n">color</span><span class="o">:</span><span class="err">#</span><span class="mi">333</span><span class="p">,</span><span class="n">stroke</span><span class="o">:</span><span class="n">none</span>
<span class="w"> </span><span class="n">style</span><span class="w"> </span><span class="n">D</span><span class="w"> </span><span class="n">fill</span><span class="o">:</span><span class="err">#</span><span class="mi">34</span><span class="n">a853</span><span class="p">,</span><span class="n">color</span><span class="o">:</span><span class="err">#</span><span class="n">fff</span><span class="p">,</span><span class="n">stroke</span><span class="o">:</span><span class="n">none</span>
<span class="w"> </span><span class="n">style</span><span class="w"> </span><span class="n">E</span><span class="w"> </span><span class="n">fill</span><span class="o">:</span><span class="err">#</span><span class="n">ea4335</span><span class="p">,</span><span class="n">color</span><span class="o">:</span><span class="err">#</span><span class="n">fff</span><span class="p">,</span><span class="n">stroke</span><span class="o">:</span><span class="n">none</span>
<span class="w"> </span><span class="n">style</span><span class="w"> </span><span class="n">F</span><span class="w"> </span><span class="n">fill</span><span class="o">:</span><span class="err">#</span><span class="mf">4285f</span><span class="mi">4</span><span class="p">,</span><span class="n">color</span><span class="o">:</span><span class="err">#</span><span class="n">fff</span><span class="p">,</span><span class="n">stroke</span><span class="o">:</span><span class="n">none</span>
</code></pre></div>
<blockquote>
<p>Le gros avantage d’un workflow comme celui-ci est entre autres le principe du <strong>Scale to Zero</strong> : c’est-à-dire que le <strong>coût total au repos : 0,00 $</strong> — En effet, le grove (GCS) ne coûte que quelques centimes de stockage. La Workstation ne consomme des ressources <em>que</em> pendant la validation humaine.</p>
</blockquote>
<p>Des IA qui manipulent du code, ça semble maintenant classique, mais VS Code dans Cloud Run, c’est un concept. Pour le rendre fonctionnel et reproductible, il faut parfois contourner certaines limites. Ce projet est un bon exemple de comment repousser les limites de cette technologie.</p>
<p><img alt="Workstation Nix en action sur Cloud Run - Exécution de Nix en direct" src="/images/2026-Workstation-Cloudrun/CaptureEDI.png" /></p>
<hr />
<h2 id="pourquoi-nix-larme-secrete-du-determinisme">Pourquoi Nix ? L’arme secrète du déterminisme<a class="headerlink" href="#pourquoi-nix-larme-secrete-du-determinisme" title="Permanent link">¶</a></h2>
<p>Dans ce projet, il faut garantir que l’environnement dans lequel s’exécute le code est reproductible et qu’il disposera de tous les outils nécessaires aux suites de tests et au développement.</p>
<p>Un des défis est donc que l’environnement soit reproductible mais non figé (par exemple, si on compile un conteneur Docker, on embarque toutes les dépendances de manière statique mais aussi les failles de sécurité).</p>
<p>C’est ici que <strong>Nix</strong> entre en jeu en remplaçant l’approche impérative par une approche purement fonctionnelle. Chaque dépendance est managée as code et embarque son arbre de dépendances complet. “Le package.json/package-lock de la workstation” en quelque sorte.</p>
<p>Voici pourquoi Nix est devenu indispensable pour cette architecture :
- <strong>Reproductibilité bit-à-bit</strong> : Le même fichier <code>flake.lock</code> (généré par l’IA ou le template) produit toujours exactement la même image.
- <strong>Composition atomique</strong> : Ajouter un outil se résume à une ligne.</p>
<div class="highlight"><pre><span></span><code><span class="ss">coreTools</span> <span class="o">=</span> <span class="k">with</span> pkgs<span class="p">;</span> <span class="p">[</span>
bashInteractive coreutils curl git jq neovim nix ripgrep
<span class="p">];</span>
</code></pre></div>
<p>Chaque binaire — de <code>bash</code> à <code>code-server</code> — est tiré du Nix Store avec sa version exacte. Nix génère ensuite l’image Docker finale pour nous via <code>pkgs.dockerTools.buildLayeredImage</code>, sans même avoir besoin d’un daemon Docker complexe.
- <strong>Pas d’artefacts à stocker</strong> : Seul le fichier de code <code>flake.nix</code> est à stocker. La beauté de la chose, c’est que si l’on change de machine, on repart avec la même configuration.</p>
<p>C’est exactement le choix qui a été fait par <a href="https://devenv.sh/">devenv.sh</a>, un projet open source de <a href="https://github.com/cachix/devenv">Cachix</a> qui standardise la définition d’environnements de développement au-dessus de Nix. Son principe : décrire son environnement dans un simple fichier <code>devenv.nix</code> avec une syntaxe déclarative — langages, paquets, services, scripts — et laisser Nix matérialiser le tout de façon reproductible. Activating Python, Rust ou PostgreSQL se résume à une ligne (<code>languages.python.enable = true;</code>), l’activation d’un environnement se fait en moins de 100 ms grâce au cache, et le tout reste décorable via des profils et des imports.</p>
<p>Notre Workstation-CloudRun <strong>s’intègre naturellement avec le standard devenv</strong>. Une fois connecté à l’IDE, le développeur peut simplement lancer <code>devenv shell</code> dans le terminal VS Code pour activer l’environnement déclaré dans le dépôt du projet hébergé sur le grove. Les outils, les versions, les services — tout est déjà défini <em>as code</em> par l’équipe ou par l’IA. Le développeur n’a rien à installer manuellement : l’environnement de développement est aussi éphémère et reproductible que la workstation elle-même.</p>
<hr />
<h2 id="les-dessous-de-larchitecture-abattre-les-murs-pour-les-workstations-serverless">Les dessous de l’architecture : abattre les murs pour les workstations Serverless<a class="headerlink" href="#les-dessous-de-larchitecture-abattre-les-murs-pour-les-workstations-serverless" title="Permanent link">¶</a></h2>
<p>Sur le papier, faire tourner un IDE web comme VS Code sur Cloud Run semble facile. Nix propose un système de build permettant de créer des conteneurs. Mais dans la pratique (et particulièrement d’un point de vue DevSecOps), les plateformes Serverless ne sont <strong>pas du tout</strong> conçues pour héberger des environnements stateful avec des accès terminaux complexes.</p>
<p>Pour transformer cette vision en réalité, j’ai dû affronter et contourner quelques limites techniques majeures de l’écosystème cloud actuel. Je vous propose un petit retour d’expérience sur les problèmes rencontrés :</p>
<h3 id="mur-n1-le-terminal-qui-refuse-de-souvrir">Mur n°1 — Le terminal qui refuse de s’ouvrir<a class="headerlink" href="#mur-n1-le-terminal-qui-refuse-de-souvrir" title="Permanent link">¶</a></h3>
<p>Nous allons utiliser le terminal de VS Code pour interagir avec l’environnement. Mais manipuler un terminal oblige à interagir avec le noyau du système.</p>
<p>Le noyau gVisor par défaut (Gen1) de Cloud Run ne supporte pas les pseudo-terminaux (<code>/dev/ptmx</code>).</p>
<p><strong>La solution</strong> : Passer au moteur d’exécution Cloud Run de seconde génération (<code>--execution-environment gen2</code>). Cela exécute le conteneur dans une véritable micro-VM Linux. Nous montons ensuite <code>devpts</code> manuellement au démarrage pour débloquer les terminaux VS Code.</p>
<h3 id="mur-n2-les-websockets-vs-la-couche-proxy">Mur n°2 — Les WebSockets vs. la couche proxy<a class="headerlink" href="#mur-n2-les-websockets-vs-la-couche-proxy" title="Permanent link">¶</a></h3>
<p>La commande <code>gcloud run services proxy</code>, qui permet d’accéder à un service Cloud Run via un tunnel local, <strong>ne supporte pas les connexions WebSocket</strong>. Or, VS Code (code-server) repose massivement sur les WebSockets pour le terminal et l’édition en temps réel. Résultat : des freezes aléatoires du terminal et des déconnexions en pleine session. Ce problème bloque de facto l’utilisation d’IAP (Identity-Aware Proxy) comme couche d’authentification, puisque le proxy en est le point d’entrée.</p>
<p>Une alternative aurait été de placer un <strong>Load Balancer</strong> avec IAP devant Cloud Run — solution propre mais qui introduit un coût fixe permanent (~18 $/mois pour la règle de forwarding), ce qui va à l’encontre de notre philosophie <strong>Scale-to-Zero à coût nul au repos</strong>.</p>
<p><strong>La solution pragmatique</strong> : Exposer Cloud Run directement (avec son URL HTTPS native) et déléguer la sécurité au mécanisme natif <code>--auth password</code> de <code>code-server</code>, qui est pleinement compatible WebSocket. Le timeout de l’instance Cloud Run est également poussé à son <strong>maximum légal (3600 secondes)</strong> pour garantir une session ininterrompue, et le nombre maximum d’instances est verrouillé à <strong>1</strong> (<code>--max-instances 1</code>) pour garantir une session unique et maîtriser les coûts.</p>
<h3 id="mur-n3-le-stockage-partage-humain-ia">Mur n°3 — Le stockage partagé Humain / IA<a class="headerlink" href="#mur-n3-le-stockage-partage-humain-ia" title="Permanent link">¶</a></h3>
<p>À chaque scale-to-zero, le conteneur disparaît. Il nous fallait un espace persistant où l’IA peut déposer le code et où la workstation peut modifier et le récupérer. Puis le reprendre en cas de stop/start du conteneur. Le but étant de pouvoir travailler sur un projet, de l’abandonner et de le reprendre plus tard sans perdre son travail. Idéal pour les périodes d’essai.</p>
<p><strong>La solution : GCS FUSE et le mirage des permissions POSIX :</strong>
Un bucket Cloud Storage monté via GCS FUSE semblait la solution évidente. Cependant, un nouveau mur est apparu : GCS n’est pas un système de fichiers POSIX et ne gère pas nativement les changements de permissions (les fameux <code>chmod</code> et <code>chown</code>).
Conséquence ? Des outils modernes comme <code>devenv</code>, <code>npm</code> ou <code>git</code>, qui tentent de sécuriser leurs fichiers temporaires ou environnements virtuels, plantaient lamentablement avec une erreur fatale : <code>Operation not permitted</code>.</p>
<p>Pour contourner cette limitation stricte sans sacrifier la persistance temps réel, nous avons “trompé” l’outil de montage FUSE en forçant une simulation totale des permissions pour notre utilisateur exclusif. Voici la configuration de montage Cloud Run optimisée pour l’IDE (quelques options de performances ont aussi été ajoutées) :</p>
<div class="highlight"><pre><span></span><code>implicit-dirs
stat-cache-max-size-mb=32 # Alloue 32 Mo en RAM pour le cache des métadonnées
metadata-cache-ttl-secs=300 # Garde les métadonnées en cache pendant 5 minutes
enable-streaming-writes=true # Écritures en streaming direct
client-protocol=http1 # (Performance) Forcer HTTP/1.1 pour éviter le Head-of-Line blocking HTTP/2
max-conns-per-host=100 # (Performance) Massifier les I/O parallèles
cache-dir=cr-volume:cache # Indique à Cloud Run d'utiliser notre volume in-memory nommé "cache"
file-cache-max-size-mb=2048 # Alloue 2Go de RAM pour ce cache
uid=1000 # Force l'appartenance à l'utilisateur VS Code
gid=1000
file-mode=0777 # Simule une permissivité totale
dir-mode=0777
</code></pre></div>
<p><strong>L’Asynchronisme et la gestion des petits fichiers :</strong>
Créer un environnement virtuel (ex: <code>python -m venv</code>) implique la création de milliers de petits fichiers. Avec un montage réseau classique et le protocole HTTP/2 par défaut de GCS FUSE, toutes ces requêtes s’empilent de manière synchrone sur une seule connexion TCP.
Nous forçons donc le protocole HTTP/1.1 (<code>client-protocol=http1</code>), ouvrons un pool de 100 connexions simultanées pour paralléliser massivement les écritures. De plus, nous conservons un cache local en RAM (<code>cache-dir=cr-volume:cache</code>) de 2 Go pour accélérer considérablement la lecture du code source existant.</p>
<p>Cependant, il faut être conscient des limites du Serverless : même avec cette parallélisation et ces caches agressifs, la latence réseau synchrone incompressible de Google Cloud Storage reste un goulot d’étranglement pour la création pure d’arborescences massives. Voici l’évolution des performances mesurées pour la création d’un environnement Python (<code>devenv shell</code>) sur notre architecture Cloud Run :</p>
<table>
<thead>
<tr>
<th style="text-align: left;">Configuration GCS FUSE</th>
<th style="text-align: left;">Temps de création du <code>venv</code></th>
<th style="text-align: left;">Bilan</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: left;">Standard (HTTP/2 par défaut)</td>
<td style="text-align: left;"><strong>~ 9 min 42 s</strong></td>
<td style="text-align: left;">Inutilisable au quotidien</td>
</tr>
<tr>
<td style="text-align: left;">Optimisé (HTTP/1.1 + max-conns=100 + Caches RAM)</td>
<td style="text-align: left;"><strong>~ 8 min 44 s</strong></td>
<td style="text-align: left;">Mieux, mais la latence synchrone bride le réseau</td>
</tr>
<tr>
<td style="text-align: left;"><strong>Optimisé + Déport <code>.devenv</code> en RAM (Symlink)</strong></td>
<td style="text-align: left;"><strong>~ 45 secondes</strong></td>
<td style="text-align: left;"><strong>Performances quasi locales !</strong></td>
</tr>
</tbody>
</table>
<p>L’ultime parade (implémentée via un wrapper transparent au sein même de l’image Nix) consiste à <strong>déporter le dossier d’état local <code>.devenv</code> dans la RAM (<code>tmpfs</code>)</strong> à l’aide d’un lien symbolique dynamique. Puisque le <code>/nix/store</code> est recréé à chaque démarrage de l’instance, le dossier d’état de l’environnement est par essence éphémère. En le générant en RAM, la création de milliers de fichiers devient atomique et immédiate.
Le développeur conserve ainsi un environnement persistant pour son code via GCS FUSE (bénéficiant des options de cache pour la réactivité de lecture), tout en esquivant totalement la latence GCS pour la création de l’outillage lourd.</p>
<p>Grâce aux drapeaux <code>uid</code>, <code>gid</code> et <code>mode</code>, GCS FUSE considère de plus que l’utilisateur possède déjà tous les droits. Lorsqu’un outil demande un <code>chmod</code>, GCS FUSE renvoie un code de succès factice au lieu de crasher. Le développeur obtient ainsi un environnement de développement persistant, tout en évitant les crashs liés aux exigences POSIX.</p>
<h3 id="mur-n4-tourner-en-non-root-avec-nix-securite">Mur n°4 — Tourner en non-root avec Nix (Sécurité)<a class="headerlink" href="#mur-n4-tourner-en-non-root-avec-nix-securite" title="Permanent link">¶</a></h3>
<p>Faire tourner un IDE en <code>root</code> complet est une hérésie de sécurité. Mais Nix a besoin d’écrire dans <code>/nix/store</code> pour installer des paquets. La solution naïve — donner l’ownership du store entier à l’utilisateur <code>coder</code> (mode single-user) — est un anti-pattern de sécurité : l’utilisateur pourrait alors modifier n’importe quel binaire du système.</p>
<p><strong>La solution</strong> : Utiliser le <strong>mode multi-user de Nix</strong> avec <code>nix-daemon</code>. Le conteneur démarre en root, lance le daemon Nix en arrière-plan (qui reste root et gère exclusivement le store), puis <strong>abandonne irrévocablement ses privilèges</strong> via <code>gosu</code> avant de lancer l’IDE sous l’UID 1000. Ainsi, le <code>/nix/store</code> reste en <strong>lecture seule</strong> pour l’utilisateur <code>coder</code> — il peut installer de nouveaux paquets via le daemon (qui vérifie et écrit pour lui), mais ne peut jamais altérer les binaires existants. C’est la même architecture que celle utilisée sur les machines NixOS de production.</p>
<p><strong>Quelques petites optimisations supplémentaires qui concernent Nix :</strong>
- <strong>Bypass du disque réseau :</strong> Nous forçons <code>export TMPDIR=/tmp/cache</code> pour orienter les builds vers notre volume <em>in-memory</em> ultra-rapide (RAM-disk de 4 Go monté spécialement pour l’occasion).
- <strong>Mise au pas de Nix :</strong> Nous bloquons la parallélisation sauvage en forçant <code>max-jobs = 4</code> et <code>cores = 2</code> dans la configuration de Nix pour respecter les vCPU réellement alloués au conteneur.</p>
<hr />
<h2 id="le-nerf-de-la-guerre-pourquoi-le-scale-to-zero-change-tout-pour-le-budget">Le nerf de la guerre : Pourquoi le Scale-to-Zero change tout pour le budget<a class="headerlink" href="#le-nerf-de-la-guerre-pourquoi-le-scale-to-zero-change-tout-pour-le-budget" title="Permanent link">¶</a></h2>
<p>Maintenant que nous avons réussi à packager Nix et VS Code dans un conteneur, nous pouvons l’utiliser avec une approche Cloud Run. Voici ce que ça change en termes de coûts.</p>
<p>L’approche Serverless brille particulièrement dans ce workflow hybride, car il permet de ne payer que ce qu’on consomme. Pour illustrer cela, prenons un scénario réaliste d’entreprise : un mois de travail standard (environ 160 heures) pour un développeur alternant entre validation IA et code manuel.</p>
<p>Dans un modèle cloud classique, votre environnement tourne (et vous facture) pendant ces 160 heures, que vous soyez en train de taper du code, en réunion, ou d’attendre qu’une IA finisse son travail. Regardons l’impact financier de notre approche face aux ténors du marché :</p>
<table>
<thead>
<tr>
<th></th>
<th>Google Cloud Workstations</th>
<th>GitHub Codespaces (4-core)</th>
<th>Notre Cloud Run Workstation</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>Coût mensuel (160h)</strong></td>
<td><strong>~192 $</strong></td>
<td><strong>~61 $</strong></td>
<td><strong>~28 $</strong></td>
</tr>
<tr>
<td><strong>Coût d’attente (idle)</strong></td>
<td><strong>~171 $</strong> (Control plane 24/7)</td>
<td><strong>~3,50 $</strong> (Stockage persistant)</td>
<td><strong>0 $</strong></td>
</tr>
<tr>
<td><strong>Pénalité Asynchrone</strong></td>
<td>L’instance tourne à vide</td>
<td>Le stockage est facturé</td>
<td>Seul le bucket GCS est facturé (< 1$)</td>
</tr>
</tbody>
</table>
<p><strong>Comment lire ce tableau ?</strong> La différence radicale (28$ contre 192$) s’explique par la suppression pure et simple du <strong>coût d’attente</strong>. Si l’IA prépare une grosse feature le lundi, mais que vous ne trouvez le temps de la réviser que le jeudi pendant 2 heures, <strong>Cloud Run ne vous aura coûté que 0,40 $</strong> sur toute la semaine. Les autres solutions vous facturent des frais fixes en continu.</p>
<hr />
<h2 id="architecture-du-projet-et-pipeline-de-build">Architecture du projet et pipeline de build<a class="headerlink" href="#architecture-du-projet-et-pipeline-de-build" title="Permanent link">¶</a></h2>
<p>Une des étapes du projet est la création d’un conteneur de base qui sera utilisé par Cloud Run et l’autre partie du projet consiste en la création d’un catalogue GitLab permettant de préparer le code pour la reprise par la workstation.</p>
<h3 id="le-conteneur-de-base">Le conteneur de base<a class="headerlink" href="#le-conteneur-de-base" title="Permanent link">¶</a></h3>
<p>Le projet est volontairement minimaliste — trois dossiers, zéro framework superflu :</p>
<div class="highlight"><pre><span></span><code><span class="n">workstation</span><span class="o">-</span><span class="n">nix</span><span class="o">/</span>
<span class="err">├──</span><span class="w"> </span><span class="n">base</span><span class="o">-</span><span class="n">oss</span><span class="o">/</span><span class="w"> </span><span class="c1"># 🏗️ Golden Image Nix</span>
<span class="err">│</span><span class="w"> </span><span class="err">├──</span><span class="w"> </span><span class="n">flake</span><span class="o">.</span><span class="n">nix</span><span class="w"> </span><span class="c1"># Définition déclarative de l'image Docker</span>
<span class="err">│</span><span class="w"> </span><span class="err">├──</span><span class="w"> </span><span class="n">flake</span><span class="o">.</span><span class="n">lock</span><span class="w"> </span><span class="c1"># Verrouillage des dépendances (reproductibilité)</span>
<span class="err">│</span><span class="w"> </span><span class="err">└──</span><span class="w"> </span><span class="o">.</span><span class="n">trivyignore</span><span class="w"> </span><span class="c1"># CVE acceptées (revue mensuelle)</span>
<span class="err">├──</span><span class="w"> </span><span class="n">terraform</span><span class="o">/</span><span class="w"> </span><span class="c1"># ☁️ Infrastructure as Code</span>
<span class="err">│</span><span class="w"> </span><span class="err">├──</span><span class="w"> </span><span class="n">main</span><span class="o">.</span><span class="n">tf</span><span class="w"> </span><span class="c1"># APIs GCP, Artifact Registry, Secret Manager</span>
<span class="err">│</span><span class="w"> </span><span class="err">├──</span><span class="w"> </span><span class="n">iam</span><span class="o">.</span><span class="n">tf</span><span class="w"> </span><span class="c1"># Service Account & rôles (moindre privilège)</span>
<span class="err">│</span><span class="w"> </span><span class="err">├──</span><span class="w"> </span><span class="n">variables</span><span class="o">.</span><span class="n">tf</span><span class="w"> </span><span class="c1"># Variables du projet</span>
<span class="err">│</span><span class="w"> </span><span class="err">└──</span><span class="w"> </span><span class="n">provider</span><span class="o">.</span><span class="n">tf</span><span class="w"> </span><span class="c1"># Configuration du provider GCP</span>
<span class="err">├──</span><span class="w"> </span><span class="n">cloudbuild</span><span class="o">.</span><span class="n">yaml</span><span class="w"> </span><span class="c1"># 🔄 Pipeline CI/CD (Cloud Build)</span>
<span class="err">└──</span><span class="w"> </span><span class="n">Makefile</span><span class="w"> </span><span class="c1"># 🎯 Point d'entrée développeur (init/build/deploy)</span>
</code></pre></div>
<p><strong><code>base-oss/flake.nix</code></strong> est le cœur du projet : il définit de manière purement déclarative tous les outils embarqués dans la Golden Image (bash, git, code-server, nix…) et génère l’image Docker via <code>pkgs.dockerTools.buildLayeredImage</code> — sans Dockerfile, sans daemon Docker.</p>
<p><strong><code>terraform/</code></strong> provisionne l’infrastructure GCP nécessaire : activation des APIs, création de l’Artifact Registry pour stocker les images, du Secret Manager pour le mot de passe IDE, et du Service Account avec le principe du moindre privilège.</p>
<p><strong><code>cloudbuild.yaml</code></strong> orchestre le pipeline CI/CD complet. Voici le flux de bout en bout, du <code>git push</code> à l’image déployable :</p>
<div class="highlight"><pre><span></span><code><span class="n">flowchart</span><span class="w"> </span><span class="n">LR</span>
<span class="w"> </span><span class="n">A</span><span class="p">[</span><span class="s">"📦 git push"</span><span class="p">]</span><span class="w"> </span><span class="o">--></span><span class="w"> </span><span class="n">B</span><span class="p">[</span><span class="s">"🔨 Nix Build\n(nixos/nix)"</span><span class="p">]</span>
<span class="w"> </span><span class="n">B</span><span class="w"> </span><span class="o">-->|</span><span class="s">"image.tar.gz"</span><span class="o">|</span><span class="w"> </span><span class="n">C</span><span class="p">[</span><span class="s">"🐳 Docker Load\n& Tag"</span><span class="p">]</span>
<span class="w"> </span><span class="n">C</span><span class="w"> </span><span class="o">--></span><span class="w"> </span><span class="n">D</span><span class="p">[</span><span class="s">"🔍 Trivy Scan\n(CRITICAL/HIGH)"</span><span class="p">]</span>
<span class="w"> </span><span class="n">D</span><span class="w"> </span><span class="o">-->|</span><span class="s">"✅ Pass"</span><span class="o">|</span><span class="w"> </span><span class="n">E</span><span class="p">[</span><span class="s">"📤 Push\nArtifact Registry"</span><span class="p">]</span>
<span class="w"> </span><span class="n">D</span><span class="w"> </span><span class="o">-->|</span><span class="s">"❌ Fail"</span><span class="o">|</span><span class="w"> </span><span class="n">F</span><span class="p">[</span><span class="s">"🚫 Build\nBloqué"</span><span class="p">]</span>
<span class="w"> </span><span class="n">style</span><span class="w"> </span><span class="n">A</span><span class="w"> </span><span class="n">fill</span><span class="o">:</span><span class="err">#</span><span class="mf">4285f</span><span class="mi">4</span><span class="p">,</span><span class="n">color</span><span class="o">:</span><span class="err">#</span><span class="n">fff</span><span class="p">,</span><span class="n">stroke</span><span class="o">:</span><span class="n">none</span>
<span class="w"> </span><span class="n">style</span><span class="w"> </span><span class="n">B</span><span class="w"> </span><span class="n">fill</span><span class="o">:</span><span class="err">#</span><span class="mi">34</span><span class="n">a853</span><span class="p">,</span><span class="n">color</span><span class="o">:</span><span class="err">#</span><span class="n">fff</span><span class="p">,</span><span class="n">stroke</span><span class="o">:</span><span class="n">none</span>
<span class="w"> </span><span class="n">style</span><span class="w"> </span><span class="n">C</span><span class="w"> </span><span class="n">fill</span><span class="o">:</span><span class="err">#</span><span class="mf">4285f</span><span class="mi">4</span><span class="p">,</span><span class="n">color</span><span class="o">:</span><span class="err">#</span><span class="n">fff</span><span class="p">,</span><span class="n">stroke</span><span class="o">:</span><span class="n">none</span>
<span class="w"> </span><span class="n">style</span><span class="w"> </span><span class="n">D</span><span class="w"> </span><span class="n">fill</span><span class="o">:</span><span class="err">#</span><span class="n">fbbc04</span><span class="p">,</span><span class="n">color</span><span class="o">:</span><span class="err">#</span><span class="mi">333</span><span class="p">,</span><span class="n">stroke</span><span class="o">:</span><span class="n">none</span>
<span class="w"> </span><span class="n">style</span><span class="w"> </span><span class="n">E</span><span class="w"> </span><span class="n">fill</span><span class="o">:</span><span class="err">#</span><span class="mi">34</span><span class="n">a853</span><span class="p">,</span><span class="n">color</span><span class="o">:</span><span class="err">#</span><span class="n">fff</span><span class="p">,</span><span class="n">stroke</span><span class="o">:</span><span class="n">none</span>
<span class="w"> </span><span class="n">style</span><span class="w"> </span><span class="n">F</span><span class="w"> </span><span class="n">fill</span><span class="o">:</span><span class="err">#</span><span class="n">ea4335</span><span class="p">,</span><span class="n">color</span><span class="o">:</span><span class="err">#</span><span class="n">fff</span><span class="p">,</span><span class="n">stroke</span><span class="o">:</span><span class="n">none</span>
</code></pre></div>
<p>Le pipeline se décompose en <strong>4 étapes</strong> :
1. <strong>Nix Build</strong> — Le conteneur <code>nixos/nix</code> évalue <code>flake.nix</code> et produit une archive Docker layered (<code>image.tar.gz</code>). Aucune dépendance implicite : tout est dans le lockfile.
2. <strong>Docker Tag</strong> — L’image est chargée puis taguée avec <code>latest</code> et le short SHA du commit pour la traçabilité.
3. <strong>Trivy Scan</strong> — Scan de sécurité automatique. Si des CVE critiques non acceptées sont détectées, <strong>le build est bloqué</strong> (exit code 1). Seules les CVE documentées dans <code>.trivyignore</code> sont autorisées.
4. <strong>Push</strong> — L’image validée est poussée vers Artifact Registry, prête à être déployée sur Cloud Run.</p>
<p>Le tout s’exécute via un simple <code>make build</code> côté développeur — Cloud Build s’occupe du reste.</p>
<h3 id="la-forge-lagent-ia-en-action">La forge : L’Agent IA en action<a class="headerlink" href="#la-forge-lagent-ia-en-action" title="Permanent link">¶</a></h3>
<p>Une workstation à la demande prend tout son sens lorsque le travail préparatoire a été mâché par une intelligence artificielle. Pour faire le pont entre une “Issue” métier (le besoin) et l’environnement Cloud Run (la validation), nous avons besoin d’une <strong>forge automatisée</strong>.</p>
<p>Plutôt que d’exécuter un agent IA en local sur la machine du développeur, nous déléguons cette tâche à la CI/CD (ici GitLab CI), via un composant réutilisable (CI/CD Catalog). Voici comment fonctionne ce pipeline asynchrone :</p>
<ol>
<li><strong>Déclenchement (Trigger) :</strong> Ce job CI est conçu pour scruter les issues portant un label spécifique (ex: <code>agent::run</code>). Il peut être déclenché <strong>manuellement</strong> par un développeur (via l’interface GitLab) ou planifié de manière régulière via un <strong>CRON job</strong> (Scheduled Pipeline) qui va parcourir la liste d’attente de façon autonome (par exemple, toutes les nuits).</li>
<li><strong>Exécution du Gemini CLI :</strong> Le job CI instancie un environnement léger contenant un outil en ligne de commande (<code>gemini-cli</code>) connecté à l’API Google Gemini. Ce CLI dispose d’outils (Function Calling / Tools) lui permettant de lire l’arborescence du projet, examiner le code existant et écrire de nouveaux fichiers.</li>
<li><strong>Pre-coding de la feature :</strong> L’agent IA analyse la demande contenue dans le ticket. Il crée une nouvelle branche depuis <code>main</code>, échafaude le code (scaffolding), écrit les tests de base et implémente la fonctionnalité demandée.</li>
<li><strong>Injection de l’environnement (<code>devenv.nix</code>) :</strong> C’est ici que la magie opère. L’IA sait de quels outils elle a besoin pour la feature (une nouvelle base Redis, l’ajout d’un compilateur Rust, un package Python spécifique, etc.). Elle va <strong>générer ou mettre à jour statiquement le fichier <code>devenv.nix</code></strong> à la racine du projet.</li>
<li><strong>Merge Request et Hand-off :</strong> Le code généré est poussé sur GitLab et une Merge Request est automatiquement ouverte. Le développeur reçoit une notification : le terrain est préparé.</li>
</ol>
<p><strong>Le passage de relais :</strong>
Lorsque le développeur humain clique sur le lien pour démarrer sa Workstation Nix (Cloud Run), il bascule directement sur la branche de l’agent. La Workstation détecte automatiquement le fichier <code>.vscode/extensions.json</code> généré par l’IA et installe silencieusement les extensions recommandées en arrière-plan pendant le démarrage. Grâce au fichier <code>devenv.nix</code> fraîchement injecté, il lui suffit de taper <code>devenv shell</code> dans le terminal. Instantanément, toutes les dépendances requises par la nouvelle feature sont téléchargées et configurées via Nix, de manière parfaitement isolée et reproductible.</p>
<p>Le développeur n’a plus qu’à relire le code généré par l’IA, l’exécuter dans l’environnement préparé pour lui, ajuster les détails métier complexes et valider la Merge Request. Le cycle est bouclé.</p>
<p>Je ne vais pas détailler toute l’intégration de l’IA dans le projet, ce billet se concentrant plutôt sur l’idée de Workstation dans Cloud Run. Cependant, voici quelques indications sur le workflow que j’imagine.</p>
<hr />
<p><strong>Exemple d’intégration dans <code>.gitlab-ci.yml</code> :</strong></p>
<p>Pour activer ce workflow dans n’importe quel projet, il suffit d’inclure le composant d’agent IA depuis le catalogue CI/CD GitLab :</p>
<div class="highlight"><pre><span></span><code><span class="nt">include</span><span class="p">:</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">component</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">{{</span><span class="nv">CI_SERVER_HOST</span><span class="p p-Indicator">}}</span><span class="l l-Scalar l-Scalar-Plain">/mon-orga/catalog/gemini-agent@1.0.0</span>
<span class="w"> </span><span class="nt">inputs</span><span class="p">:</span>
<span class="w"> </span><span class="nt">trigger_label</span><span class="p">:</span><span class="w"> </span><span class="s">"agent::run"</span>
<span class="w"> </span><span class="nt">gemini_model</span><span class="p">:</span><span class="w"> </span><span class="s">"gemini-2.5-pro"</span>
</code></pre></div>
<p>Ce simple composant suffit à transformer votre GitLab CI en une véritable équipe de développement asynchrone, prête à préparer le terrain pour vos Workstations Nix.</p>
<p><strong>Sous le capot : Le System Prompt de l’Agent</strong></p>
<p>Pour que cet agent soit réellement autonome, voici un exemple de prompt système. Il définit clairement le rôle de l’agent, le concept de “Grove”, et insiste fortement sur la reproductibilité.</p>
<details>
<summary>Voir le System Prompt de l'Agent Gemini</summary>
<div class="highlight"><pre><span></span><code>Tu es un Agent IA de Développement Autonome intégré dans une pipeline GitLab CI/CD.
Ton rôle est de préparer le terrain pour les développeurs humains en pré-codant des fonctionnalités et en provisionnant des environnements de développement (Workstations) entièrement prêts à l'emploi.
Voici ta mission. Tu dois exécuter ces étapes de manière séquentielle et autonome :
1. RECHERCHE DES ISSUES :
- Utilise l'API GitLab pour lister toutes les issues ouvertes du dépôt courant portant le label "{{trigger_label}}".
- Si aucune issue n'est trouvée, termine ton exécution avec succès.
2. POUR CHAQUE ISSUE TROUVÉE, exécute le workflow suivant :
A. ANALYSE ET PRÉPARATION :
- Lis attentivement la description de l'issue pour comprendre le besoin technique.
- Crée une nouvelle branche Git au nom explicite (ex: `feature/issue-<ID>-<nom-court>`).
B. CRÉATION DU GROVE (ESPACE DE TRAVAIL) :
- Provisionne un nouvel espace persistant (un "Grove") sur Google Cloud Storage (GCS) dédié à cette issue.
- Initialise ce grove en y clonant le code source de la branche nouvellement créée.
C. PRE-CODING & DEPENDANCES :
- Implémente la fonctionnalité demandée ou corrige le bug.
- Ajoute des tests unitaires basiques pour prouver le fonctionnement de ton code.
- CRITIQUE : Analyse les dépendances nécessaires à ton code (Node.js, Python, PostgreSQL, etc.). Tu DOIS générer ou mettre à jour le fichier `devenv.nix` à la racine du projet pour y déclarer ces dépendances, afin que l'environnement soit reproductible pour l'humain.
- CONFIGURATION IDE : Si le projet utilise Python, génère un fichier `.vscode/extensions.json` recommandant les extensions "ms-python.python" et "ms-python.vscode-pylance", ainsi qu'un fichier `.vscode/settings.json` configurant `python.defaultInterpreterPath` vers l'exécutable du virtualenv géré par devenv (c'est-à-dire `.devenv/state/venv/bin/python`).
- Commite tes changements et pousse la branche sur GitLab. Ouvre une Merge Request (WIP/Draft).
D. DEPLOIEMENT DE LA WORKSTATION :
- Utilise les scripts du dépôt (ex: `make deploy`) pour déployer une instance Cloud Run Workstation éphémère.
- Configure cette Workstation pour qu'elle monte le Grove GCS que tu as créé à l'étape B.
- Récupère l'URL d'accès HTTPS générée par Cloud Run et le mot de passe.
E. HAND-OFF (PASSAGE DE RELAIS) :
- Publie un commentaire détaillé sur l'Issue GitLab initiale contenant :
1. Le résumé de tes choix techniques.
2. Le lien vers la Merge Request.
3. Le lien d'accès direct vers la Workstation Cloud Run (avec la commande `devenv shell` suggérée).
4. Les instructions de connexion.
- Retire le label "{{trigger_label}}" et ajoute "ready-for-review".
RÈGLES STRICTES :
- Ne demande pas d'assistance humaine en cours de processus. Si tu rencontres une erreur, documente-la et passe à l'issue suivante.
- Le fichier `devenv.nix` est la source de vérité de l'infrastructure logicielle.
</code></pre></div>
</details>
<hr />
<h2 id="pour-demarrer">Pour démarrer<a class="headerlink" href="#pour-demarrer" title="Permanent link">¶</a></h2>
<p>L’ensemble de ce socle d’infrastructure est <strong>open source</strong>. Trois commandes suffisent pour déployer votre propre environnement de révision “Scale-to-Zero” :</p>
<p>Une fois déployée, ouvrez l’URL affichée, entrez votre mot de passe, et vous voilà dans l’environnement de révision idéal — prêt à collaborer avec votre agent IA. Quand c’est fini, fermez simplement l’onglet. <strong>Zéro gaspillage, sécurité maximale.</strong></p>
<p>🔗 <em>Source du projet : <a href="https://gitlab.com/matgou/workstation-nix">gitlab.com/matgou/workstation-nix</a></em></p>The "AI-First" Workflow: When Your IDE Only Starts to Validate AI2026-05-14T00:00:00+02:002026-05-14T00:00:00+02:00Mathieu GOULINtag:www.ops-chronicles.cloud,2026-05-14:/workstation-cloudrun.html<p>A reproducible VS Code Workstation on Cloud Run, powered by Nix, designed for Human-AI collaboration loops — with a $0.00 idle cost.</p><div class="toc">
<ul>
<li><a href="#the-developer-validator-era">The Developer-Validator Era</a></li>
<li><a href="#the-new-lifecycle-from-feature-to-release">The New Lifecycle: From Feature to Release</a></li>
<li><a href="#why-nix-the-secret-weapon-of-determinism">Why Nix? The Secret Weapon of Determinism</a></li>
<li><a href="#under-the-hood-breaking-down-walls-for-serverless-workstations">Under the Hood: Breaking Down Walls for Serverless Workstations</a><ul>
<li><a href="#wall-1-the-terminal-that-refuses-to-open">Wall #1 — The Terminal that Refuses to Open</a></li>
<li><a href="#wall-2-websockets-vs-the-proxy-layer">Wall #2 — WebSockets vs. the Proxy Layer</a></li>
<li><a href="#wall-3-shared-human-ai-storage">Wall #3 — Shared Human / AI Storage</a></li>
<li><a href="#wall-4-running-non-root-with-nix-security">Wall #4 — Running Non-Root with Nix (Security)</a></li>
</ul>
</li>
<li><a href="#the-sinews-of-war-why-scale-to-zero-changes-everything-for-the-budget">The Sinews of War: Why Scale-to-Zero Changes Everything for the Budget</a></li>
<li><a href="#project-architecture-and-build-pipeline">Project Architecture and Build Pipeline</a><ul>
<li><a href="#the-base-container">The Base Container</a></li>
<li><a href="#the-forge-the-ai-agent-in-action">The Forge: The AI Agent in Action</a></li>
</ul>
</li>
<li><a href="#to-get-started">To Get Started</a></li>
</ul>
</div>
<p>🔗 <em>Project source: <a href="https://gitlab.com/matgou/workstation-nix">gitlab.com/matgou/workstation-nix</a></em></p>
<p><strong>A reproducible VS Code Workstation on Cloud Run, powered by Nix, designed for Human-AI collaboration loops — with a $0.00 idle cost.</strong></p>
<hr />
<h2 id="the-developer-validator-era">The Developer-Validator Era<a class="headerlink" href="#the-developer-validator-era" title="Permanent link">¶</a></h2>
<p>Not long ago, our development environments lived on our machines, heavy and overly customized. Then came Cloud IDEs (GitHub Codespaces, Google Cloud Workstations), designed for a very specific era: one where human developers code actively for 8 hours a day using the power of remote servers.</p>
<p>But the emergence of generative AI is also disrupting this paradigm. Today, for code generation, we need GPUs: local (cheap), remote (expensive) and, moreover, two visions clash and we will see which one prevails:</p>
<ol>
<li><strong>The “AIs will soon be 100% autonomous” school</strong>: The developer only maintains specifications in Markdown, the AI does the rest, end-to-end.</li>
<li><strong>The “AI prepares, human validates” school</strong>: The AI does the bulk of the work, but the developer will always have a role as the guarantor of the produced code. They will have to “get their hands dirty” to test, validate, and adjust.</li>
</ol>
<p>Let’s be pragmatic: the first school is still (for now) science fiction for the majority of complex or critical enterprise projects. And I am of the opinion that for now, we still need to get our hands dirty to audit and validate the generated code. However, I notice that our tools have not kept up; the adoption of remote IDEs is still too anecdotal. And paying for a permanent environment when the human only intervenes intermittently makes no economic sense — or even ecological sense.</p>
<p>I propose here a reflection on new remote IDEs and want to show that they are accessible to all with, as an example, the implementation of a <strong>CloudRun-Workstation</strong>. These, although not built precisely for this world of symbiosis between the developer and the AI agent, adapt perfectly to it. Today everyone can have a super-powerful IDE, with GPUs, custom-made, available instantly, which only lives the exact time we need to review the code (and not while the AI is working).</p>
<hr />
<h2 id="the-new-lifecycle-from-feature-to-release">The New Lifecycle: From Feature to Release<a class="headerlink" href="#the-new-lifecycle-from-feature-to-release" title="Permanent link">¶</a></h2>
<p>To fully understand the new dynamic of AI-agent-driven development, we must rethink our delivery pipeline. The human is no longer the originator of the code, they become the final validator.</p>
<p>Here is a vision of a modern workflow:</p>
<ol>
<li><strong>The specifications</strong> of a ticket or a modification are communicated. (I won’t detail here how to write and validate good specifications for the AI to process.)</li>
<li><strong>The AI works in the shadows</strong>: An AI agent (Gemini, Claude, or an autonomous CI pipeline) scaffolds a project, writes a feature, or fixes a bug.</li>
<li><strong>The convergence point</strong>: The agent deposits all this code directly into a <strong>grove</strong> — a Google Cloud Storage (GCS) bucket serving as a shared workspace. I borrowed the term “grove” from the <a href="https://googlecloudplatform.github.io/scion/concepts/#grove">Google Scion</a> framework. <em>(Cost: $0, object storage being almost free).</em></li>
<li><strong>The hand-off</strong>: The AI notifies you that the code is ready to be validated or completed by the human.</li>
<li><strong>The Human takes over</strong>: You click on a Cloud Run URL. In seconds, a VS Code instance starts in the Nix Workstation. The AI-generated code is already there, mounted instantly. In this workstation, you can modify, run, debug the code, or even vibe-code it.</li>
<li><strong>Scale to Zero</strong>: Once the PR is validated, you close the tab. The Cloud Run instance shuts down. You stop paying.</li>
</ol>
<p>Here is how this cycle materializes, from the initial request to the release:</p>
<div class="highlight"><pre><span></span><code><span class="n">flowchart</span><span class="w"> </span><span class="n">LR</span>
<span class="w"> </span><span class="n">A</span><span class="p">[</span><span class="s">"🎯 Feature Request"</span><span class="p">]</span><span class="w"> </span><span class="o">--></span><span class="w"> </span><span class="n">B</span><span class="p">{</span><span class="s">"🤖 AI Agent"</span><span class="p">}</span>
<span class="w"> </span><span class="n">B</span><span class="w"> </span><span class="o">==>|</span><span class="s">"git clone + code"</span><span class="o">|</span><span class="w"> </span><span class="n">C</span><span class="p">[(</span><span class="s">"☁️ Grove (GCS)"</span><span class="p">)]</span>
<span class="w"> </span><span class="n">D</span><span class="p">[</span><span class="s">"💻 Nix Workstation"</span><span class="p">]</span><span class="w"> </span><span class="o">-->|</span><span class="s">"GCS FUSE mount"</span><span class="o">|</span><span class="w"> </span><span class="n">C</span>
<span class="w"> </span><span class="n">B</span><span class="w"> </span><span class="o">--></span><span class="w"> </span><span class="o">|</span><span class="s">"spawn"</span><span class="o">|</span><span class="w"> </span><span class="n">D</span>
<span class="w"> </span><span class="n">E</span><span class="p">{</span><span class="s">"👨💻 Human"</span><span class="p">}</span><span class="w"> </span><span class="o">--></span><span class="w"> </span><span class="o">|</span><span class="s">"review, test, fix"</span><span class="o">|</span><span class="w"> </span><span class="n">D</span>
<span class="w"> </span><span class="n">E</span><span class="w"> </span><span class="o">-->|</span><span class="s">"git merge"</span><span class="o">|</span><span class="w"> </span><span class="n">F</span><span class="p">[(</span><span class="s">"🚀 Git Release"</span><span class="p">)]</span>
<span class="w"> </span><span class="n">style</span><span class="w"> </span><span class="n">A</span><span class="w"> </span><span class="n">fill</span><span class="o">:</span><span class="err">#</span><span class="mf">4285f</span><span class="mi">4</span><span class="p">,</span><span class="n">color</span><span class="o">:</span><span class="err">#</span><span class="n">fff</span><span class="p">,</span><span class="n">stroke</span><span class="o">:</span><span class="n">none</span>
<span class="w"> </span><span class="n">style</span><span class="w"> </span><span class="n">B</span><span class="w"> </span><span class="n">fill</span><span class="o">:</span><span class="err">#</span><span class="n">ea4335</span><span class="p">,</span><span class="n">color</span><span class="o">:</span><span class="err">#</span><span class="n">fff</span><span class="p">,</span><span class="n">stroke</span><span class="o">:</span><span class="n">none</span>
<span class="w"> </span><span class="n">style</span><span class="w"> </span><span class="n">C</span><span class="w"> </span><span class="n">fill</span><span class="o">:</span><span class="err">#</span><span class="n">fbbc04</span><span class="p">,</span><span class="n">color</span><span class="o">:</span><span class="err">#</span><span class="mi">333</span><span class="p">,</span><span class="n">stroke</span><span class="o">:</span><span class="n">none</span>
<span class="w"> </span><span class="n">style</span><span class="w"> </span><span class="n">D</span><span class="w"> </span><span class="n">fill</span><span class="o">:</span><span class="err">#</span><span class="mi">34</span><span class="n">a853</span><span class="p">,</span><span class="n">color</span><span class="o">:</span><span class="err">#</span><span class="n">fff</span><span class="p">,</span><span class="n">stroke</span><span class="o">:</span><span class="n">none</span>
<span class="w"> </span><span class="n">style</span><span class="w"> </span><span class="n">E</span><span class="w"> </span><span class="n">fill</span><span class="o">:</span><span class="err">#</span><span class="n">ea4335</span><span class="p">,</span><span class="n">color</span><span class="o">:</span><span class="err">#</span><span class="n">fff</span><span class="p">,</span><span class="n">stroke</span><span class="o">:</span><span class="n">none</span>
<span class="w"> </span><span class="n">style</span><span class="w"> </span><span class="n">F</span><span class="w"> </span><span class="n">fill</span><span class="o">:</span><span class="err">#</span><span class="mf">4285f</span><span class="mi">4</span><span class="p">,</span><span class="n">color</span><span class="o">:</span><span class="err">#</span><span class="n">fff</span><span class="p">,</span><span class="n">stroke</span><span class="o">:</span><span class="n">none</span>
</code></pre></div>
<blockquote>
<p>The big advantage of a workflow like this is, among other things, the <strong>Scale to Zero</strong> principle: that is to say, the <strong>total idle cost: $0.00</strong> — Indeed, the grove (GCS) only costs a few cents in storage. The Workstation consumes resources <em>only</em> during human validation.</p>
</blockquote>
<p>AIs manipulating code seems standard now, but VS Code in Cloud Run is a concept. To make it functional and reproducible, we sometimes have to bypass certain limits. This project is a good example of how to push the boundaries of this technology.</p>
<p><img alt="Nix Workstation in action on Cloud Run - Live execution of Nix" src="/images/2026-Workstation-Cloudrun/CaptureEDI.png" /></p>
<hr />
<h2 id="why-nix-the-secret-weapon-of-determinism">Why Nix? The Secret Weapon of Determinism<a class="headerlink" href="#why-nix-the-secret-weapon-of-determinism" title="Permanent link">¶</a></h2>
<p>In this project, we must ensure that the environment in which the code runs is reproducible and that it will have all the tools necessary for test suites and development.</p>
<p>One of the challenges is therefore that the environment is reproducible but not frozen (for example, if we compile a Docker container, we embed all the dependencies statically but also the security flaws).</p>
<p>This is where <strong>Nix</strong> comes in by replacing the imperative approach with a purely functional approach. Each dependency is managed as code and embeds its complete dependency tree. “The package.json/package-lock of the workstation” in a way.</p>
<p>Here is why Nix has become indispensable for this architecture:
- <strong>Bit-for-bit reproducibility</strong>: The exact same <code>flake.lock</code> file (generated by the AI or the template) always produces exactly the same image.
- <strong>Atomic composition</strong>: Adding a tool comes down to one line.</p>
<div class="highlight"><pre><span></span><code><span class="ss">coreTools</span> <span class="o">=</span> <span class="k">with</span> pkgs<span class="p">;</span> <span class="p">[</span>
bashInteractive coreutils curl git jq neovim nix ripgrep
<span class="p">];</span>
</code></pre></div>
<p>Every binary — from <code>bash</code> to <code>code-server</code> — is pulled from the Nix Store with its exact version. Nix then generates the final Docker image for us via <code>pkgs.dockerTools.buildLayeredImage</code>, without even needing a complex Docker daemon.
- <strong>No artifacts to store</strong>: Only the <code>flake.nix</code> code file needs to be stored. The beauty of it is that if you change machines, you start again with the same configuration.</p>
<p>This is exactly the choice made by <a href="https://devenv.sh/">devenv.sh</a>, an open source project by <a href="https://github.com/cachix/devenv">Cachix</a> that standardizes the definition of development environments on top of Nix. Its principle: describe your environment in a simple <code>devenv.nix</code> file with declarative syntax — languages, packages, services, scripts — and let Nix materialize everything reproducibly. Activating Python, Rust or PostgreSQL comes down to one line (<code>languages.python.enable = true;</code>), activating an environment takes less than 100 ms thanks to the cache, and everything remains decoratable via profiles and imports.</p>
<p>Our CloudRun-Workstation <strong>integrates naturally with the devenv standard</strong>. Once connected to the IDE, the developer can simply launch <code>devenv shell</code> in the VS Code terminal to activate the environment declared in the project repository hosted on the grove. The tools, versions, services — everything is already defined <em>as code</em> by the team or by the AI. The developer has nothing to install manually: the development environment is as ephemeral and reproducible as the workstation itself.</p>
<hr />
<h2 id="under-the-hood-breaking-down-walls-for-serverless-workstations">Under the Hood: Breaking Down Walls for Serverless Workstations<a class="headerlink" href="#under-the-hood-breaking-down-walls-for-serverless-workstations" title="Permanent link">¶</a></h2>
<p>On paper, running a web IDE like VS Code on Cloud Run seems easy. Nix offers a build system to create containers. But in practice (and particularly from a DevSecOps point of view), Serverless platforms are <strong>not at all</strong> designed to host stateful environments with complex terminal accesses.</p>
<p>To turn this vision into reality, I had to confront and bypass some major technical limits of the current cloud ecosystem. Here is a quick retrospective on the problems encountered:</p>
<h3 id="wall-1-the-terminal-that-refuses-to-open">Wall #1 — The Terminal that Refuses to Open<a class="headerlink" href="#wall-1-the-terminal-that-refuses-to-open" title="Permanent link">¶</a></h3>
<p>We will use the VS Code terminal to interact with the environment. But manipulating a terminal requires interacting with the system kernel.</p>
<p>Cloud Run’s default gVisor kernel (Gen1) does not support pseudo-terminals (<code>/dev/ptmx</code>).</p>
<p><strong>The Solution</strong>: Switch to the second-generation Cloud Run execution engine (<code>--execution-environment gen2</code>). This runs the container in a real Linux micro-VM. We then manually mount <code>devpts</code> at startup to unblock the VS Code terminals.</p>
<h3 id="wall-2-websockets-vs-the-proxy-layer">Wall #2 — WebSockets vs. the Proxy Layer<a class="headerlink" href="#wall-2-websockets-vs-the-proxy-layer" title="Permanent link">¶</a></h3>
<p>The <code>gcloud run services proxy</code> command, which allows accessing a Cloud Run service via a local tunnel, <strong>does not support WebSocket connections</strong>. However, VS Code (code-server) relies heavily on WebSockets for the terminal and real-time editing. Result: random terminal freezes and disconnections mid-session. This problem de facto blocks the use of IAP (Identity-Aware Proxy) as an authentication layer, since the proxy is the entry point.</p>
<p>An alternative would have been to place a <strong>Load Balancer</strong> with IAP in front of Cloud Run — a clean solution but one that introduces a permanent fixed cost (~$18/month for the forwarding rule), which goes against our <strong>Scale-to-Zero philosophy with zero idle cost</strong>.</p>
<p><strong>The Pragmatic Solution</strong>: Expose Cloud Run directly (with its native HTTPS URL) and delegate security to <code>code-server</code>’s native <code>--auth password</code> mechanism, which is fully WebSocket compatible. The Cloud Run instance timeout is also pushed to its <strong>legal maximum (3600 seconds)</strong> to guarantee an uninterrupted session, and the maximum number of instances is locked to <strong>1</strong> (<code>--max-instances 1</code>) to guarantee a single session and control costs.</p>
<h3 id="wall-3-shared-human-ai-storage">Wall #3 — Shared Human / AI Storage<a class="headerlink" href="#wall-3-shared-human-ai-storage" title="Permanent link">¶</a></h3>
<p>At each scale-to-zero, the container disappears. We needed a persistent space where the AI can deposit the code and where the workstation can retrieve and modify it. Then pick it up in case of a stop/start of the container. The goal being to be able to work on a project, abandon it, and pick it up later without losing work. Ideal for testing periods.</p>
<p><strong>The Solution: GCS FUSE and the Mirage of POSIX Permissions:</strong>
A Cloud Storage bucket mounted via GCS FUSE seemed the obvious solution. However, a new wall appeared: GCS is not a POSIX file system and does not natively handle permission changes (the famous <code>chmod</code> and <code>chown</code>).
Consequence? Modern tools like <code>devenv</code>, <code>npm</code> or <code>git</code>, which try to secure their temporary files or virtual environments, crashed miserably with a fatal error: <code>Operation not permitted</code>.</p>
<p>To bypass this strict limitation without sacrificing real-time persistence, we “tricked” the FUSE mounting tool by forcing a total simulation of permissions for our exclusive user. Here is the Cloud Run mount configuration optimized for the IDE (some performance options were also added):</p>
<div class="highlight"><pre><span></span><code>implicit-dirs
stat-cache-max-size-mb=32 # Allocates 32 MB in RAM for metadata cache
metadata-cache-ttl-secs=300 # Keeps metadata in cache for 5 minutes
enable-streaming-writes=true # Direct streaming writes
client-protocol=http1 # (Performance) Force HTTP/1.1 to avoid HTTP/2 Head-of-Line blocking
max-conns-per-host=100 # (Performance) Massify parallel I/O
cache-dir=cr-volume:cache # Tells Cloud Run to use our in-memory volume named "cache"
file-cache-max-size-mb=2048 # Allocates 2GB of RAM for this cache
uid=1000 # Forces ownership to the VS Code user
gid=1000
file-mode=0777 # Simulates total permissiveness
dir-mode=0777
</code></pre></div>
<p><strong>Asynchrony and the Management of Small Files:</strong>
Creating a virtual environment (e.g., <code>python -m venv</code>) involves the creation of thousands of small files. With a classic network mount and the default HTTP/2 protocol of GCS FUSE, all these requests pile up synchronously on a single TCP connection.
We therefore force the HTTP/1.1 protocol (<code>client-protocol=http1</code>), open a pool of 100 simultaneous connections to massively parallelize the writes. Moreover, we keep a local RAM cache (<code>cache-dir=cr-volume:cache</code>) of 2 GB to considerably accelerate the reading of the existing source code.</p>
<p>However, one must be aware of the limits of Serverless: even with this parallelization and these aggressive caches, the incompressible synchronous network latency of Google Cloud Storage remains a bottleneck for the pure creation of massive tree structures. Here is the evolution of the performances measured for the creation of a Python environment (<code>devenv shell</code>) on our Cloud Run architecture:</p>
<table>
<thead>
<tr>
<th style="text-align: left;">GCS FUSE Configuration</th>
<th style="text-align: left;"><code>venv</code> Creation Time</th>
<th style="text-align: left;">Assessment</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: left;">Standard (Default HTTP/2)</td>
<td style="text-align: left;"><strong>~ 9 min 42 s</strong></td>
<td style="text-align: left;">Unusable on a daily basis</td>
</tr>
<tr>
<td style="text-align: left;">Optimized (HTTP/1.1 + max-conns=100 + RAM Caches)</td>
<td style="text-align: left;"><strong>~ 8 min 44 s</strong></td>
<td style="text-align: left;">Better, but synchronous latency throttles the network</td>
</tr>
<tr>
<td style="text-align: left;"><strong>Optimized + <code>.devenv</code> Relocation to RAM (Symlink)</strong></td>
<td style="text-align: left;"><strong>~ 45 seconds</strong></td>
<td style="text-align: left;"><strong>Near-local performance!</strong></td>
</tr>
</tbody>
</table>
<p>The ultimate workaround (implemented via a transparent wrapper within the Nix image itself) consists of <strong>relocating the local <code>.devenv</code> state folder into RAM (<code>tmpfs</code>)</strong> using a dynamic symbolic link. Since the <code>/nix/store</code> is recreated at each startup of the instance, the environment’s state folder is by essence ephemeral. By generating it in RAM, the creation of thousands of files becomes atomic and immediate.
The developer thus keeps a persistent environment for their code via GCS FUSE (benefiting from the cache options for reading responsiveness), while totally avoiding GCS latency for the creation of heavy tooling.</p>
<p>Thanks to the <code>uid</code>, <code>gid</code> and <code>mode</code> flags, GCS FUSE also considers that the user already has all rights. When a tool requests a <code>chmod</code>, GCS FUSE returns a dummy success code instead of crashing. The developer thus obtains a persistent development environment, while avoiding crashes related to POSIX requirements.</p>
<h3 id="wall-4-running-non-root-with-nix-security">Wall #4 — Running Non-Root with Nix (Security)<a class="headerlink" href="#wall-4-running-non-root-with-nix-security" title="Permanent link">¶</a></h3>
<p>Running an IDE as full <code>root</code> is a security heresy. But Nix needs to write to <code>/nix/store</code> to install packages. The naive solution — giving ownership of the entire store to the <code>coder</code> user (single-user mode) — is an anti-pattern of security: the user could then modify any system binary.</p>
<p><strong>The Solution</strong>: Use the <strong>Nix multi-user mode</strong> with <code>nix-daemon</code>. The container starts as root, launches the Nix daemon in the background (which remains root and exclusively manages the store), then <strong>irrevocably drops its privileges</strong> via <code>gosu</code> before launching the IDE under UID 1000. Thus, the <code>/nix/store</code> remains <strong>read-only</strong> for the <code>coder</code> user — they can install new packages via the daemon (which verifies and writes for them), but can never alter existing binaries. This is the same architecture used on production NixOS machines.</p>
<p><strong>Some additional minor optimizations concerning Nix:</strong>
- <strong>Network disk bypass:</strong> We force <code>export TMPDIR=/tmp/cache</code> to direct builds to our ultra-fast <em>in-memory</em> volume (4 GB RAM-disk mounted specially for the occasion).
- <strong>Bringing Nix into line:</strong> We block wild parallelization by forcing <code>max-jobs = 4</code> and <code>cores = 2</code> in the Nix configuration to respect the vCPUs actually allocated to the container.</p>
<hr />
<h2 id="the-sinews-of-war-why-scale-to-zero-changes-everything-for-the-budget">The Sinews of War: Why Scale-to-Zero Changes Everything for the Budget<a class="headerlink" href="#the-sinews-of-war-why-scale-to-zero-changes-everything-for-the-budget" title="Permanent link">¶</a></h2>
<p>Now that we have managed to package Nix and VS Code in a container, we can use it with a Cloud Run approach. Here is what changes in terms of costs.</p>
<p>The Serverless approach shines particularly in this hybrid workflow, because it allows paying only for what is consumed. To illustrate this, let’s take a realistic corporate scenario: a standard working month (about 160 hours) for a developer alternating between AI validation and manual coding.</p>
<p>In a classic cloud model, your environment runs (and bills you) during these 160 hours, whether you are typing code, in a meeting, or waiting for an AI to finish its work. Let’s look at the financial impact of our approach against the market leaders:</p>
<table>
<thead>
<tr>
<th></th>
<th>Google Cloud Workstations</th>
<th>GitHub Codespaces (4-core)</th>
<th>Our Cloud Run Workstation</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>Monthly Cost (160h)</strong></td>
<td><strong>~$192</strong></td>
<td><strong>~$61</strong></td>
<td><strong>~$28</strong></td>
</tr>
<tr>
<td><strong>Idle Cost</strong></td>
<td><strong>~$171</strong> (Control plane 24/7)</td>
<td><strong>~$3.50</strong> (Persistent storage)</td>
<td><strong>$0</strong></td>
</tr>
<tr>
<td><strong>Asynchronous Penalty</strong></td>
<td>The instance runs idle</td>
<td>Storage is billed</td>
<td>Only the GCS bucket is billed (< $1)</td>
</tr>
</tbody>
</table>
<p><strong>How to read this table?</strong> The radical difference ($28 vs $192) is explained by the pure and simple elimination of the <strong>idle cost</strong>. If the AI prepares a large feature on Monday, but you only find time to review it on Thursday for 2 hours, <strong>Cloud Run will have only cost you $0.40</strong> over the whole week. The other solutions bill you fixed fees continuously.</p>
<hr />
<h2 id="project-architecture-and-build-pipeline">Project Architecture and Build Pipeline<a class="headerlink" href="#project-architecture-and-build-pipeline" title="Permanent link">¶</a></h2>
<p>One of the project steps is the creation of a base container that will be used by Cloud Run and the other part of the project consists of creating a GitLab catalog allowing the code to be prepared for resumption by the workstation.</p>
<h3 id="the-base-container">The Base Container<a class="headerlink" href="#the-base-container" title="Permanent link">¶</a></h3>
<p>The project is intentionally minimalist — three folders, zero superfluous frameworks:</p>
<div class="highlight"><pre><span></span><code><span class="n">workstation</span><span class="o">-</span><span class="n">nix</span><span class="o">/</span>
<span class="err">├──</span><span class="w"> </span><span class="n">base</span><span class="o">-</span><span class="n">oss</span><span class="o">/</span><span class="w"> </span><span class="c1"># 🏗️ Golden Image Nix</span>
<span class="err">│</span><span class="w"> </span><span class="err">├──</span><span class="w"> </span><span class="n">flake</span><span class="o">.</span><span class="n">nix</span><span class="w"> </span><span class="c1"># Declarative definition of the Docker image</span>
<span class="err">│</span><span class="w"> </span><span class="err">├──</span><span class="w"> </span><span class="n">flake</span><span class="o">.</span><span class="n">lock</span><span class="w"> </span><span class="c1"># Dependency locking (reproducibility)</span>
<span class="err">│</span><span class="w"> </span><span class="err">└──</span><span class="w"> </span><span class="o">.</span><span class="n">trivyignore</span><span class="w"> </span><span class="c1"># Accepted CVEs (monthly review)</span>
<span class="err">├──</span><span class="w"> </span><span class="n">terraform</span><span class="o">/</span><span class="w"> </span><span class="c1"># ☁️ Infrastructure as Code</span>
<span class="err">│</span><span class="w"> </span><span class="err">├──</span><span class="w"> </span><span class="n">main</span><span class="o">.</span><span class="n">tf</span><span class="w"> </span><span class="c1"># GCP APIs, Artifact Registry, Secret Manager</span>
<span class="err">│</span><span class="w"> </span><span class="err">├──</span><span class="w"> </span><span class="n">iam</span><span class="o">.</span><span class="n">tf</span><span class="w"> </span><span class="c1"># Service Account & roles (least privilege)</span>
<span class="err">│</span><span class="w"> </span><span class="err">├──</span><span class="w"> </span><span class="n">variables</span><span class="o">.</span><span class="n">tf</span><span class="w"> </span><span class="c1"># Project variables</span>
<span class="err">│</span><span class="w"> </span><span class="err">└──</span><span class="w"> </span><span class="n">provider</span><span class="o">.</span><span class="n">tf</span><span class="w"> </span><span class="c1"># GCP provider configuration</span>
<span class="err">├──</span><span class="w"> </span><span class="n">cloudbuild</span><span class="o">.</span><span class="n">yaml</span><span class="w"> </span><span class="c1"># 🔄 CI/CD Pipeline (Cloud Build)</span>
<span class="err">└──</span><span class="w"> </span><span class="n">Makefile</span><span class="w"> </span><span class="c1"># 🎯 Developer entry point (init/build/deploy)</span>
</code></pre></div>
<p><strong><code>base-oss/flake.nix</code></strong> is the heart of the project: it declaratively defines all the tools embedded in the Golden Image (bash, git, code-server, nix…) and generates the Docker image via <code>pkgs.dockerTools.buildLayeredImage</code> — without Dockerfile, without Docker daemon.</p>
<p><strong><code>terraform/</code></strong> provisions the necessary GCP infrastructure: API activation, creation of the Artifact Registry to store images, the Secret Manager for the IDE password, and the Service Account with the principle of least privilege.</p>
<p><strong><code>cloudbuild.yaml</code></strong> orchestrates the complete CI/CD pipeline. Here is the end-to-end flow, from <code>git push</code> to the deployable image:</p>
<div class="highlight"><pre><span></span><code><span class="n">flowchart</span><span class="w"> </span><span class="n">LR</span>
<span class="w"> </span><span class="n">A</span><span class="p">[</span><span class="s">"📦 git push"</span><span class="p">]</span><span class="w"> </span><span class="o">--></span><span class="w"> </span><span class="n">B</span><span class="p">[</span><span class="s">"🔨 Nix Build\n(nixos/nix)"</span><span class="p">]</span>
<span class="w"> </span><span class="n">B</span><span class="w"> </span><span class="o">-->|</span><span class="s">"image.tar.gz"</span><span class="o">|</span><span class="w"> </span><span class="n">C</span><span class="p">[</span><span class="s">"🐳 Docker Load\n& Tag"</span><span class="p">]</span>
<span class="w"> </span><span class="n">C</span><span class="w"> </span><span class="o">--></span><span class="w"> </span><span class="n">D</span><span class="p">[</span><span class="s">"🔍 Trivy Scan\n(CRITICAL/HIGH)"</span><span class="p">]</span>
<span class="w"> </span><span class="n">D</span><span class="w"> </span><span class="o">-->|</span><span class="s">"✅ Pass"</span><span class="o">|</span><span class="w"> </span><span class="n">E</span><span class="p">[</span><span class="s">"📤 Push\nArtifact Registry"</span><span class="p">]</span>
<span class="w"> </span><span class="n">D</span><span class="w"> </span><span class="o">-->|</span><span class="s">"❌ Fail"</span><span class="o">|</span><span class="w"> </span><span class="n">F</span><span class="p">[</span><span class="s">"🚫 Build\nBlocked"</span><span class="p">]</span>
<span class="w"> </span><span class="n">style</span><span class="w"> </span><span class="n">A</span><span class="w"> </span><span class="n">fill</span><span class="o">:</span><span class="err">#</span><span class="mf">4285f</span><span class="mi">4</span><span class="p">,</span><span class="n">color</span><span class="o">:</span><span class="err">#</span><span class="n">fff</span><span class="p">,</span><span class="n">stroke</span><span class="o">:</span><span class="n">none</span>
<span class="w"> </span><span class="n">style</span><span class="w"> </span><span class="n">B</span><span class="w"> </span><span class="n">fill</span><span class="o">:</span><span class="err">#</span><span class="mi">34</span><span class="n">a853</span><span class="p">,</span><span class="n">color</span><span class="o">:</span><span class="err">#</span><span class="n">fff</span><span class="p">,</span><span class="n">stroke</span><span class="o">:</span><span class="n">none</span>
<span class="w"> </span><span class="n">style</span><span class="w"> </span><span class="n">C</span><span class="w"> </span><span class="n">fill</span><span class="o">:</span><span class="err">#</span><span class="mf">4285f</span><span class="mi">4</span><span class="p">,</span><span class="n">color</span><span class="o">:</span><span class="err">#</span><span class="n">fff</span><span class="p">,</span><span class="n">stroke</span><span class="o">:</span><span class="n">none</span>
<span class="w"> </span><span class="n">style</span><span class="w"> </span><span class="n">D</span><span class="w"> </span><span class="n">fill</span><span class="o">:</span><span class="err">#</span><span class="n">fbbc04</span><span class="p">,</span><span class="n">color</span><span class="o">:</span><span class="err">#</span><span class="mi">333</span><span class="p">,</span><span class="n">stroke</span><span class="o">:</span><span class="n">none</span>
<span class="w"> </span><span class="n">style</span><span class="w"> </span><span class="n">E</span><span class="w"> </span><span class="n">fill</span><span class="o">:</span><span class="err">#</span><span class="mi">34</span><span class="n">a853</span><span class="p">,</span><span class="n">color</span><span class="o">:</span><span class="err">#</span><span class="n">fff</span><span class="p">,</span><span class="n">stroke</span><span class="o">:</span><span class="n">none</span>
<span class="w"> </span><span class="n">style</span><span class="w"> </span><span class="n">F</span><span class="w"> </span><span class="n">fill</span><span class="o">:</span><span class="err">#</span><span class="n">ea4335</span><span class="p">,</span><span class="n">color</span><span class="o">:</span><span class="err">#</span><span class="n">fff</span><span class="p">,</span><span class="n">stroke</span><span class="o">:</span><span class="n">none</span>
</code></pre></div>
<p>The pipeline breaks down into <strong>4 steps</strong>:
1. <strong>Nix Build</strong> — The <code>nixos/nix</code> container evaluates <code>flake.nix</code> and produces a layered Docker archive (<code>image.tar.gz</code>). No implicit dependencies: everything is in the lockfile.
2. <strong>Docker Tag</strong> — The image is loaded then tagged with <code>latest</code> and the short commit SHA for traceability.
3. <strong>Trivy Scan</strong> — Automatic security scan. If unaccepted critical CVEs are detected, <strong>the build is blocked</strong> (exit code 1). Only CVEs documented in <code>.trivyignore</code> are allowed.
4. <strong>Push</strong> — The validated image is pushed to Artifact Registry, ready to be deployed on Cloud Run.</p>
<p>Everything is executed via a simple <code>make build</code> on the developer side — Cloud Build takes care of the rest.</p>
<h3 id="the-forge-the-ai-agent-in-action">The Forge: The AI Agent in Action<a class="headerlink" href="#the-forge-the-ai-agent-in-action" title="Permanent link">¶</a></h3>
<p>An on-demand workstation takes on its full meaning when the preparatory work has been chewed up by an artificial intelligence. To bridge the gap between a business “Issue” (the need) and the Cloud Run environment (the validation), we need an <strong>automated forge</strong>.</p>
<p>Rather than running an AI agent locally on the developer’s machine, we delegate this task to the CI/CD (here GitLab CI), via a reusable component (CI/CD Catalog). Here is how this asynchronous pipeline works:</p>
<ol>
<li><strong>Trigger:</strong> This CI job is designed to scan for issues bearing a specific label (e.g., <code>agent::run</code>). It can be triggered <strong>manually</strong> by a developer (via the GitLab interface) or scheduled regularly via a <strong>CRON job</strong> (Scheduled Pipeline) that will autonomously go through the waiting list (for example, every night).</li>
<li><strong>Gemini CLI Execution:</strong> The CI job instantiates a lightweight environment containing a command-line tool (<code>gemini-cli</code>) connected to the Google Gemini API. This CLI has tools (Function Calling / Tools) allowing it to read the project tree, examine existing code, and write new files.</li>
<li><strong>Feature Pre-coding:</strong> The AI agent analyzes the request contained in the ticket. It creates a new branch from <code>main</code>, scaffolds the code, writes basic tests, and implements the requested functionality.</li>
<li><strong>Environment Injection (<code>devenv.nix</code>):</strong> This is where the magic happens. The AI knows what tools it needs for the feature (a new Redis database, the addition of a Rust compiler, a specific Python package, etc.). It will <strong>generate or statically update the <code>devenv.nix</code> file</strong> at the root of the project to declare these dependencies, so that the environment is reproducible for the human.</li>
<li><strong>Merge Request and Hand-off:</strong> The generated code is pushed to GitLab and a Merge Request is automatically opened. The developer receives a notification: the groundwork is laid.</li>
</ol>
<p><strong>The Hand-off:</strong>
When the human developer clicks the link to start their Nix Workstation (Cloud Run), they switch directly to the agent’s branch. The Workstation automatically detects the <code>.vscode/extensions.json</code> file generated by the AI and silently installs the recommended extensions in the background during startup. Thanks to the freshly injected <code>devenv.nix</code> file, they just need to type <code>devenv shell</code> in the terminal. Instantly, all dependencies required by the new feature are downloaded and configured via Nix, in a perfectly isolated and reproducible manner.</p>
<p>The developer only has to read the code generated by the AI, execute it in the environment prepared for them, adjust complex business details, and validate the Merge Request. The cycle is complete.</p>
<p>I will not detail the entire integration of AI in the project, this post focusing more on the idea of Workstation in Cloud Run. However, here are some indications on the workflow I imagine.</p>
<hr />
<p><strong>Example Integration in <code>.gitlab-ci.yml</code>:</strong></p>
<p>To activate this workflow in any project, simply include the AI agent component from the GitLab CI/CD catalog:</p>
<div class="highlight"><pre><span></span><code><span class="nt">include</span><span class="p">:</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">component</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">{{</span><span class="nv">CI_SERVER_HOST</span><span class="p p-Indicator">}}</span><span class="l l-Scalar l-Scalar-Plain">/my-org/catalog/gemini-agent@1.0.0</span>
<span class="w"> </span><span class="nt">inputs</span><span class="p">:</span>
<span class="w"> </span><span class="nt">trigger_label</span><span class="p">:</span><span class="w"> </span><span class="s">"agent::run"</span>
<span class="w"> </span><span class="nt">gemini_model</span><span class="p">:</span><span class="w"> </span><span class="s">"gemini-2.5-pro"</span>
</code></pre></div>
<p>This simple component is enough to transform your GitLab CI into a true asynchronous development team, ready to lay the groundwork for your Nix Workstations.</p>
<p><strong>Under the Hood: The Agent’s System Prompt</strong></p>
<p>For this agent to be truly autonomous, here is an example of a system prompt. It clearly defines the role of the agent, the concept of “Grove”, and strongly insists on reproducibility.</p>
<details>
<summary>View the Gemini Agent System Prompt</summary>
<div class="highlight"><pre><span></span><code>You are an Autonomous Development AI Agent integrated into a GitLab CI/CD pipeline.
Your role is to lay the groundwork for human developers by pre-coding features and provisioning fully ready-to-use development environments (Workstations).
Here is your mission. You must execute these steps sequentially and autonomously:
1. ISSUE SEARCH:
- Use the GitLab API to list all open issues in the current repository bearing the label "{{trigger_label}}".
- If no issues are found, successfully terminate your execution.
2. FOR EACH ISSUE FOUND, execute the following workflow:
A. ANALYSIS AND PREPARATION:
- Carefully read the issue description to understand the technical need.
- Create a new Git branch with an explicit name (e.g., `feature/issue-<ID>-<short-name>`).
B. GROVE CREATION (WORKSPACE):
- Provision a new persistent space (a "Grove") on Google Cloud Storage (GCS) dedicated to this issue.
- Initialize this grove by cloning the source code of the newly created branch into it.
C. PRE-CODING & DEPENDENCIES:
- Implement the requested functionality or fix the bug.
- Add basic unit tests to prove the functioning of your code.
- CRITICAL: Analyze the dependencies needed for your code (Node.js, Python, PostgreSQL, etc.). You MUST generate or update the `devenv.nix` file at the project root to declare these dependencies there, so that the environment is reproducible for the human.
- IDE CONFIGURATION: If the project uses Python, generate a `.vscode/extensions.json` file recommending the "ms-python.python" and "ms-python.vscode-pylance" extensions, as well as a `.vscode/settings.json` file configuring `python.defaultInterpreterPath` to the executable of the virtualenv managed by devenv (i.e., `.devenv/state/venv/bin/python`).
- Commit your changes and push the branch to GitLab. Open a Merge Request (WIP/Draft).
D. WORKSTATION DEPLOYMENT:
- Use the repository scripts (e.g., `make deploy`) to deploy an ephemeral Cloud Run Workstation instance.
- Configure this Workstation to mount the GCS Grove you created in step B.
- Retrieve the generated HTTPS access URL by Cloud Run and the password.
E. HAND-OFF:
- Post a detailed comment on the initial GitLab Issue containing:
1. The summary of your technical choices.
2. The link to the Merge Request.
3. The direct access link to the Cloud Run Workstation (with the suggested `devenv shell` command).
4. Connection instructions.
- Remove the "{{trigger_label}}" label and add "ready-for-review".
STRICT RULES:
- Do not request human assistance during the process. If you encounter an error, document it and move on to the next issue.
- The `devenv.nix` file is the source of truth for the software infrastructure.
</code></pre></div>
</details>
<hr />
<h2 id="to-get-started">To Get Started<a class="headerlink" href="#to-get-started" title="Permanent link">¶</a></h2>
<p>This entire infrastructure base is <strong>open source</strong>. Three commands are enough to deploy your own “Scale-to-Zero” review environment:</p>
<p>Once deployed, open the displayed URL, enter your password, and there you are in the ideal review environment — ready to collaborate with your AI agent. When it’s finished, simply close the tab. <strong>Zero waste, maximum security.</strong></p>
<p>🔗 <em>Project source: <a href="https://gitlab.com/matgou/workstation-nix">gitlab.com/matgou/workstation-nix</a></em></p>J'ai automatisé ma veille technologique avec un Podcast généré par IA (Gemini & Cloud Run)2026-01-27T00:00:00+01:002026-01-27T00:00:00+01:00Mathieu GOULINtag:www.ops-chronicles.cloud,2026-01-27:/fr/gcp-podcast-generator.html<p>Comment j’ai utilisé Gemini 3, Vertex AI et Cloud Run pour transformer les release notes de Google Cloud en un podcast hebdomadaire engageant. Architecture et code détaillés.</p><div class="toc">
<ul>
<li><a href="#larchitecture-serverless">L’Architecture “Serverless”</a><ul>
<li><a href="#le-code-open-source">Le Code (Open Source)</a></li>
</ul>
</li>
<li><a href="#etape-1-la-source-de-donnees-bigquery">Étape 1 : La Source de Données (BigQuery)</a></li>
<li><a href="#etape-2-le-scenariste-gemini-3-pro">Étape 2 : Le Scénariste (Gemini 3 Pro)</a></li>
<li><a href="#etape-3-le-studio-audio-gemini-25-flash-tts">Étape 3 : Le Studio Audio (Gemini 2.5 Flash TTS)</a></li>
<li><a href="#etape-4-le-graphiste-imagen-3">Étape 4 : Le Graphiste (Imagen 3)</a></li>
<li><a href="#etape-5-la-diffusion-fastapi-rss">Étape 5 : La Diffusion (FastAPI & RSS)</a><ul>
<li><a href="#le-flux-rss-dynamique">Le Flux RSS Dynamique</a></li>
</ul>
</li>
<li><a href="#etape-6-linfrastructure-as-code-terraform">Étape 6 : L’Infrastructure as Code (Terraform)</a></li>
<li><a href="#etape-7-le-pipeline-cicd-gitlab-ci-cloud-deploy">Étape 7 : Le Pipeline CI/CD (GitLab CI & Cloud Deploy)</a></li>
<li><a href="#le-cout-finops">Le Coût (FinOps)</a></li>
</ul>
</div>
<p>Vous n’avez pas le temps de lire les centaines de release notes publiées par Google Cloud chaque semaine ? Moi non plus. C’est pour cela que j’ai créé le <strong>GCP News Podcast</strong>.</p>
<p>🎙️ <strong><a href="https://podcast.kapable.info/">Écoutez le résultat final ici : podcast.kapable.info</a></strong></p>
<p>Ce projet n’est pas juste une démo, c’est un pipeline de production entièrement automatisé “Serverless” qui :</p>
<ol>
<li><strong>Récupère</strong> l’actualité technique brute.</li>
<li><strong>Scénarise</strong> un dialogue entre deux experts virtuels (Marc et Sophie).</li>
<li><strong>Génère</strong> l’audio avec un réalisme bluffant (intonations, rires, pauses).</li>
<li><strong>Crée</strong> une couverture d’album unique pour chaque épisode.</li>
<li><strong>Publie</strong> le tout sur le web et les plateformes de podcast (Spotify, etc.).</li>
</ol>
<p>Voici comment j’ai construit ce système.</p>
<h2 id="larchitecture-serverless">L’Architecture “Serverless”<a class="headerlink" href="#larchitecture-serverless" title="Permanent link">¶</a></h2>
<p>Le système est conçu pour coûter près de zéro lorsqu’il ne tourne pas. Il s’appuie sur une architecture événementielle et des services managés.</p>
<p><img alt="Architecture du Podcast Generator" src="/images/2026-GCP-Podcast-Generator/architecture.png" /></p>
<h3 id="le-code-open-source">Le Code (Open Source)<a class="headerlink" href="#le-code-open-source" title="Permanent link">¶</a></h3>
<p>Tout le code est disponible sur GitLab : <a href="https://gitlab.com/matgou/podcast-generator"><strong>matgou/podcast-generator</strong></a>.
Il est divisé en deux parties :
* <code>generator/</code> : Le script Python batch qui crée l’épisode.
* <code>frontend/</code> : L’interface web FastAPI pour écouter les épisodes.</p>
<hr />
<h2 id="etape-1-la-source-de-donnees-bigquery">Étape 1 : La Source de Données (BigQuery)<a class="headerlink" href="#etape-1-la-source-de-donnees-bigquery" title="Permanent link">¶</a></h2>
<p>Contrairement à beaucoup de projets qui font du “scraping”, ici nous utilisons une source de vérité propre : le dataset public BigQuery de Google.</p>
<p>Le script exécute une simple requête SQL pour récupérer tout ce qui a changé depuis 7 jours.</p>
<div class="highlight"><pre><span></span><code><span class="n">QUERY</span> <span class="o">=</span> <span class="s2">"""</span>
<span class="s2"> SELECT description, published_at, product_name</span>
<span class="s2"> FROM `bigquery-public-data.google_cloud_release_notes.release_notes`</span>
<span class="s2"> WHERE published_at > DATE_SUB(CURRENT_DATE(), INTERVAL 7 DAY)</span>
<span class="s2"> ORDER BY published_at DESC</span>
<span class="s2">"""</span>
</code></pre></div>
<p>Cela nous donne une liste brute de texte, souvent très aride et technique. C’est là que l’IA entre en jeu.</p>
<h2 id="etape-2-le-scenariste-gemini-3-pro">Étape 2 : Le Scénariste (Gemini 3 Pro)<a class="headerlink" href="#etape-2-le-scenariste-gemini-3-pro" title="Permanent link">¶</a></h2>
<p>Nous injectons ces notes brutes dans <strong>Gemini 3 Pro</strong> avec un prompt système très spécifique (le <code>prompt_template.txt</code>).</p>
<p>Le but n’est pas de résumer, mais de <strong>scénariser</strong>.
* <strong>Marc</strong> est l’expert technique, précis et factuel.
* <strong>Sophie</strong> est l’animatrice curieuse, qui pose les questions que l’auditeur se poserait.</p>
<p>L’une des fonctionnalités clés utilisées ici est le <strong>Grounding</strong> avec Google Search. Cela permet à Gemini de vérifier les faits et d’ajouter des liens vers la documentation officielle dans les métadonnées de l’épisode.</p>
<div class="highlight"><pre><span></span><code><span class="c1">// Exemple de sortie structurée JSON attendue de Gemini</span>
<span class="p">{</span>
<span class="w"> </span><span class="nt">"title"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Cloud Run s'accélère et BigQuery se sécurise"</span><span class="p">,</span>
<span class="w"> </span><span class="nt">"summary"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Cette semaine, Marc et Sophie discutent des nouvelles instances..."</span><span class="p">,</span>
<span class="w"> </span><span class="nt">"script"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Sophie: Bonjour à tous ! ... Marc: Exactement, et c'est majeur..."</span><span class="p">,</span>
<span class="w"> </span><span class="nt">"image_prompt"</span><span class="p">:</span><span class="w"> </span><span class="s2">"An abstract representation of a fast server race in a neon city..."</span>
<span class="p">}</span>
</code></pre></div>
<h2 id="etape-3-le-studio-audio-gemini-25-flash-tts">Étape 3 : Le Studio Audio (Gemini 2.5 Flash TTS)<a class="headerlink" href="#etape-3-le-studio-audio-gemini-25-flash-tts" title="Permanent link">¶</a></h2>
<p>C’est la partie la plus impressionnante. Nous n’utilisons pas l’ancien “Text-to-Speech” robotique. Nous utilisons le modèle <strong>Gemini 2.5 Flash TTS</strong> (encore en preview), capable de générer plusieurs locuteurs dans le même flux audio.</p>
<p>Le prompt définit les personnalités vocales :
* Marc utilise la voix <code>Fenrir</code>.
* Sophie utilise la voix <code>Laomedeia</code>.</p>
<p>Le script Python appelle directement l’API REST de Vertex AI pour générer l’audio.</p>
<div class="highlight"><pre><span></span><code><span class="c1"># Extrait simplifié de l'appel API</span>
<span class="n">payload</span> <span class="o">=</span> <span class="p">{</span>
<span class="s2">"contents"</span><span class="p">:</span> <span class="p">[{</span><span class="s2">"parts"</span><span class="p">:</span> <span class="p">[{</span><span class="s2">"text"</span><span class="p">:</span> <span class="n">script_text</span><span class="p">}]}],</span>
<span class="s2">"generationConfig"</span><span class="p">:</span> <span class="p">{</span>
<span class="s2">"speechConfig"</span><span class="p">:</span> <span class="p">{</span>
<span class="s2">"multiSpeakerVoiceConfig"</span><span class="p">:</span> <span class="p">{</span>
<span class="s2">"speakerVoiceConfigs"</span><span class="p">:</span> <span class="p">[</span>
<span class="p">{</span><span class="s2">"speaker"</span><span class="p">:</span> <span class="s2">"Marc"</span><span class="p">,</span> <span class="s2">"voiceConfig"</span><span class="p">:</span> <span class="p">{</span><span class="s2">"prebuiltVoiceConfig"</span><span class="p">:</span> <span class="p">{</span> <span class="s2">"voiceName"</span><span class="p">:</span> <span class="s2">"Fenrir"</span> <span class="p">}}},</span>
<span class="p">{</span><span class="s2">"speaker"</span><span class="p">:</span> <span class="s2">"Sophie"</span><span class="p">,</span> <span class="s2">"voiceConfig"</span><span class="p">:</span> <span class="p">{</span><span class="s2">"prebuiltVoiceConfig"</span><span class="p">:</span> <span class="p">{</span> <span class="s2">"voiceName"</span><span class="p">:</span> <span class="s2">"Laomedeia"</span> <span class="p">}}}</span>
<span class="p">]</span>
<span class="p">}</span>
<span class="p">}</span>
<span class="p">}</span>
<span class="p">}</span>
</code></pre></div>
<h2 id="etape-4-le-graphiste-imagen-3">Étape 4 : Le Graphiste (Imagen 3)<a class="headerlink" href="#etape-4-le-graphiste-imagen-3" title="Permanent link">¶</a></h2>
<p>Pour rendre le podcast visuel sur les plateformes, il nous faut une couverture. Gemini (le scénariste) a déjà généré un <code>image_prompt</code> basé sur le contenu de l’épisode.</p>
<p>Nous passons ce prompt à <strong>Imagen 3</strong> via Vertex AI pour générer une image carrée (1:1), que nous redimensionnons et compressons pour respecter les standards d’Apple Podcasts (1400x1400, <512KB).</p>
<h2 id="etape-5-la-diffusion-fastapi-rss">Étape 5 : La Diffusion (FastAPI & RSS)<a class="headerlink" href="#etape-5-la-diffusion-fastapi-rss" title="Permanent link">¶</a></h2>
<p>Une fois tous les fichiers générés (MP3, JSON, JPG, YAML), ils sont stockés sur <strong>Google Cloud Storage</strong>.</p>
<p>Le Frontend (une app <strong>FastAPI</strong> sur <strong>Cloud Run</strong>) ne stocke rien. Il agit comme une interface de lecture sur le Bucket GCS.</p>
<h3 id="le-flux-rss-dynamique">Le Flux RSS Dynamique<a class="headerlink" href="#le-flux-rss-dynamique" title="Permanent link">¶</a></h3>
<p>Pour s’abonner sur Apple Podcast ou Spotify, il faut un flux RSS XML conforme. L’application génère ce flux à la volée (<code>/feed.xml</code>) en lisant les manifestes des épisodes présents dans le bucket.</p>
<p>Elle gère aussi :
* La signature d’URL (Signed URLs) pour sécuriser l’accès aux fichiers audio.
* Les headers HTTP <code>HEAD</code> nécessaires pour la validation par les agrégateurs de podcasts.</p>
<h2 id="etape-6-linfrastructure-as-code-terraform">Étape 6 : L’Infrastructure as Code (Terraform)<a class="headerlink" href="#etape-6-linfrastructure-as-code-terraform" title="Permanent link">¶</a></h2>
<p>Pour éviter de cliquer partout dans la console Google Cloud, toute l’infrastructure est définie en <strong>Terraform</strong>.</p>
<p>Cela permet de créer des environnements reproductibles (Preprod, Prod) et de gérer les permissions finement.</p>
<div class="highlight"><pre><span></span><code><span class="c1"># Extrait de infra/production/main.tf</span>
<span class="kr">module</span><span class="w"> </span><span class="nv">"podcast_generator"</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="na">source</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"../modules/podcast-generator"</span>
<span class="w"> </span><span class="na">project_id</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nv">var.project_id</span>
<span class="w"> </span><span class="na">region</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nv">var.region</span>
<span class="w"> </span><span class="na">bucket_name</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"${var.project_id}-podcast-output"</span>
<span class="c1"> # Configuration du Job et du Service</span>
<span class="w"> </span><span class="na">podcast_model</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"gemini-3.0-pro-preview"</span>
<span class="w"> </span><span class="na">schedule_cron</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"0 9 * * 1"</span><span class="c1"> # Tous les lundis à 9h</span>
<span class="p">}</span>
</code></pre></div>
<h2 id="etape-7-le-pipeline-cicd-gitlab-ci-cloud-deploy">Étape 7 : Le Pipeline CI/CD (GitLab CI & Cloud Deploy)<a class="headerlink" href="#etape-7-le-pipeline-cicd-gitlab-ci-cloud-deploy" title="Permanent link">¶</a></h2>
<p>Le déploiement est entièrement automatisé via <strong>GitLab CI</strong> et <strong>Google Cloud Deploy</strong>.</p>
<ol>
<li><strong>GitLab CI</strong> : Construit les images Docker (Generator & Frontend) et les pousse sur Artifact Registry.</li>
<li><strong>Cloud Deploy</strong> : Récupère ces images, génère les manifestes Kubernetes (YAML) via un script et déploie le tout sur Cloud Run.</li>
</ol>
<p>Le pipeline gère la promotion du code de la pré-production vers la production sans intervention manuelle risquée.</p>
<h2 id="le-cout-finops">Le Coût (FinOps)<a class="headerlink" href="#le-cout-finops" title="Permanent link">¶</a></h2>
<p>C’est la meilleure partie. Comme l’architecture est “Scale to Zero”, je ne paie que lorsque le podcast est généré ou écouté.</p>
<p><strong>Coût mensuel réel : ~0,20 €</strong></p>
<ul>
<li><strong>Cloud Run (Job)</strong> : Quelques centimes pour les 2-3 minutes de génération par semaine.</li>
<li><strong>Cloud Run (Service)</strong> : Gratuit (dans le Free Tier) car peu de trafic.</li>
<li><strong>Vertex AI</strong> : Le plus gros poste, mais reste très faible pour une utilisation hebdomadaire.</li>
<li><strong>Cloud Storage</strong> : Négligeable pour quelques fichiers MP3.</li>
</ul>
<p>C’est une solution extrêmement économique pour un média entièrement automatisé.</p>
<p>Ce projet démontre la puissance de la <strong>GenAI Multimodale</strong>. En moins de 500 lignes de code Python, nous avons remplacé toute une chaîne de production médiatique (recherche, écriture, enregistrement, graphisme).</p>
<p>Le résultat est une veille technologique agréable à écouter, toujours à jour, et qui tourne toute seule chaque lundi matin pendant que je prends mon café. ☕</p>
<p><strong>Liens utiles :</strong>
* 🎧 <a href="https://podcast.kapable.info/">Le Podcast</a>
* 🛠️ <a href="https://gitlab.com/matgou/podcast-generator">Code Source (GitLab)</a></p>I Automated My Tech Watch with an AI-Generated Podcast (Gemini & Cloud Run)2026-01-27T00:00:00+01:002026-01-27T00:00:00+01:00Mathieu GOULINtag:www.ops-chronicles.cloud,2026-01-27:/gcp-podcast-generator.html<p>How I used Gemini 3, Vertex AI, and Cloud Run to transform Google Cloud release notes into an engaging weekly podcast. Detailed architecture and code.</p><div class="toc">
<ul>
<li><a href="#the-serverless-architecture">The “Serverless” Architecture</a><ul>
<li><a href="#the-code-open-source">The Code (Open Source)</a></li>
</ul>
</li>
<li><a href="#step-1-the-data-source-bigquery">Step 1: The Data Source (BigQuery)</a></li>
<li><a href="#step-2-the-screenwriter-gemini-3-pro">Step 2: The Screenwriter (Gemini 3 Pro)</a></li>
<li><a href="#step-3-the-audio-studio-gemini-25-flash-tts">Step 3: The Audio Studio (Gemini 2.5 Flash TTS)</a></li>
<li><a href="#step-4-the-graphic-designer-imagen-3">Step 4: The Graphic Designer (Imagen 3)</a></li>
<li><a href="#step-5-distribution-fastapi-rss">Step 5: Distribution (FastAPI & RSS)</a><ul>
<li><a href="#the-dynamic-rss-feed">The Dynamic RSS Feed</a></li>
</ul>
</li>
<li><a href="#step-6-infrastructure-as-code-terraform">Step 6: Infrastructure as Code (Terraform)</a></li>
<li><a href="#step-7-the-cicd-pipeline-gitlab-ci-cloud-deploy">Step 7: The CI/CD Pipeline (GitLab CI & Cloud Deploy)</a></li>
<li><a href="#the-cost-finops">The Cost (FinOps)</a></li>
<li><a href="#conclusion">Conclusion</a></li>
</ul>
</div>
<p>Don’t have time to read the hundreds of release notes published by Google Cloud every week? Neither do I. That’s why I created the <strong>GCP News Podcast</strong>.</p>
<p>🎙️ <strong><a href="https://podcast.kapable.info/">Listen to the final result here: podcast.kapable.info</a></strong></p>
<p>This project isn’t just a demo, it’s a fully automated “Serverless” production pipeline that:</p>
<ol>
<li><strong>Retrieves</strong> raw technical news.</li>
<li><strong>Scripts</strong> a dialogue between two virtual experts (Marc and Sophie).</li>
<li><strong>Generates</strong> audio with stunning realism (intonations, laughter, pauses).</li>
<li><strong>Creates</strong> unique album art for each episode.</li>
<li><strong>Publishes</strong> everything to the web and podcast platforms (Spotify, etc.).</li>
</ol>
<p>Here is how I built this system.</p>
<h2 id="the-serverless-architecture">The “Serverless” Architecture<a class="headerlink" href="#the-serverless-architecture" title="Permanent link">¶</a></h2>
<p>The system is designed to cost almost zero when it’s not running. It relies on an event-driven architecture and managed services.</p>
<p><img alt="Podcast Generator Architecture" src="/images/2026-GCP-Podcast-Generator/architecture.png" /></p>
<h3 id="the-code-open-source">The Code (Open Source)<a class="headerlink" href="#the-code-open-source" title="Permanent link">¶</a></h3>
<p>All the code is available on GitLab: <a href="https://gitlab.com/matgou/podcast-generator"><strong>matgou/podcast-generator</strong></a>.
It is divided into two parts:
* <code>generator/</code>: The Python batch script that creates the episode.
* <code>frontend/</code>: The FastAPI web interface to listen to episodes.</p>
<hr />
<h2 id="step-1-the-data-source-bigquery">Step 1: The Data Source (BigQuery)<a class="headerlink" href="#step-1-the-data-source-bigquery" title="Permanent link">¶</a></h2>
<p>Unlike many projects that do “scraping”, here we use a clean source of truth: Google’s public BigQuery dataset.</p>
<p>The script executes a simple SQL query to retrieve everything that has changed in the last 7 days.</p>
<div class="highlight"><pre><span></span><code><span class="n">QUERY</span> <span class="o">=</span> <span class="s2">"""</span>
<span class="s2"> SELECT description, published_at, product_name</span>
<span class="s2"> FROM `bigquery-public-data.google_cloud_release_notes.release_notes`</span>
<span class="s2"> WHERE published_at > DATE_SUB(CURRENT_DATE(), INTERVAL 7 DAY)</span>
<span class="s2"> ORDER BY published_at DESC</span>
<span class="s2">"""</span>
</code></pre></div>
<p>This gives us a raw list of text, often very dry and technical. That’s where AI comes in.</p>
<h2 id="step-2-the-screenwriter-gemini-3-pro">Step 2: The Screenwriter (Gemini 3 Pro)<a class="headerlink" href="#step-2-the-screenwriter-gemini-3-pro" title="Permanent link">¶</a></h2>
<p>We inject these raw notes into <strong>Gemini 3 Pro</strong> with a very specific system prompt (<code>prompt_template.txt</code>).</p>
<p>The goal is not to summarize, but to <strong>script</strong>.
* <strong>Marc</strong> is the technical expert, precise and factual.
* <strong>Sophie</strong> is the curious host, asking the questions the listener would ask.</p>
<p>One of the key features used here is <strong>Grounding</strong> with Google Search. This allows Gemini to verify facts and add links to official documentation in the episode metadata.</p>
<div class="highlight"><pre><span></span><code><span class="c1">// Example of expected structured JSON output from Gemini</span>
<span class="p">{</span>
<span class="w"> </span><span class="nt">"title"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Cloud Run speeds up and BigQuery gets safer"</span><span class="p">,</span>
<span class="w"> </span><span class="nt">"summary"</span><span class="p">:</span><span class="w"> </span><span class="s2">"This week, Marc and Sophie discuss the new instances..."</span><span class="p">,</span>
<span class="w"> </span><span class="nt">"script"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Sophie: Hello everyone! ... Marc: Exactly, and it's major..."</span><span class="p">,</span>
<span class="w"> </span><span class="nt">"image_prompt"</span><span class="p">:</span><span class="w"> </span><span class="s2">"An abstract representation of a fast server race in a neon city..."</span>
<span class="p">}</span>
</code></pre></div>
<h2 id="step-3-the-audio-studio-gemini-25-flash-tts">Step 3: The Audio Studio (Gemini 2.5 Flash TTS)<a class="headerlink" href="#step-3-the-audio-studio-gemini-25-flash-tts" title="Permanent link">¶</a></h2>
<p>This is the most impressive part. We don’t use the old robotic “Text-to-Speech”. We use the <strong>Gemini 2.5 Flash TTS</strong> model (still in preview), capable of generating multiple speakers in the same audio stream.</p>
<p>The prompt defines the voice personalities:
* Marc uses the <code>Fenrir</code> voice.
* Sophie uses the <code>Laomedeia</code> voice.</p>
<p>The Python script directly calls the Vertex AI REST API to generate the audio.</p>
<div class="highlight"><pre><span></span><code><span class="c1"># Simplified API call extract</span>
<span class="n">payload</span> <span class="o">=</span> <span class="p">{</span>
<span class="s2">"contents"</span><span class="p">:</span> <span class="p">[{</span><span class="s2">"parts"</span><span class="p">:</span> <span class="p">[{</span><span class="s2">"text"</span><span class="p">:</span> <span class="n">script_text</span><span class="p">}]}],</span>
<span class="s2">"generationConfig"</span><span class="p">:</span> <span class="p">{</span>
<span class="s2">"speechConfig"</span><span class="p">:</span> <span class="p">{</span>
<span class="s2">"multiSpeakerVoiceConfig"</span><span class="p">:</span> <span class="p">{</span>
<span class="s2">"speakerVoiceConfigs"</span><span class="p">:</span> <span class="p">[</span>
<span class="p">{</span><span class="s2">"speaker"</span><span class="p">:</span> <span class="s2">"Marc"</span><span class="p">,</span> <span class="s2">"voiceConfig"</span><span class="p">:</span> <span class="p">{</span><span class="s2">"prebuiltVoiceConfig"</span><span class="p">:</span> <span class="p">{</span> <span class="s2">"voiceName"</span><span class="p">:</span> <span class="s2">"Fenrir"</span> <span class="p">}}},</span>
<span class="p">{</span><span class="s2">"speaker"</span><span class="p">:</span> <span class="s2">"Sophie"</span><span class="p">,</span> <span class="s2">"voiceConfig"</span><span class="p">:</span> <span class="p">{</span><span class="s2">"prebuiltVoiceConfig"</span><span class="p">:</span> <span class="p">{</span> <span class="s2">"voiceName"</span><span class="p">:</span> <span class="s2">"Laomedeia"</span> <span class="p">}}}</span>
<span class="p">]</span>
<span class="p">}</span>
<span class="p">}</span>
<span class="p">}</span>
<span class="p">}</span>
</code></pre></div>
<h2 id="step-4-the-graphic-designer-imagen-3">Step 4: The Graphic Designer (Imagen 3)<a class="headerlink" href="#step-4-the-graphic-designer-imagen-3" title="Permanent link">¶</a></h2>
<p>To make the podcast visual on platforms, we need a cover. Gemini (the screenwriter) has already generated an <code>image_prompt</code> based on the episode content.</p>
<p>We pass this prompt to <strong>Imagen 3</strong> via Vertex AI to generate a square image (1:1), which we resize and compress to respect Apple Podcasts standards (1400x1400, <512KB).</p>
<h2 id="step-5-distribution-fastapi-rss">Step 5: Distribution (FastAPI & RSS)<a class="headerlink" href="#step-5-distribution-fastapi-rss" title="Permanent link">¶</a></h2>
<p>Once all files are generated (MP3, JSON, JPG, YAML), they are stored on <strong>Google Cloud Storage</strong>.</p>
<p>The Frontend (a <strong>FastAPI</strong> app on <strong>Cloud Run</strong>) stores nothing. It acts as a playback interface on the GCS Bucket.</p>
<h3 id="the-dynamic-rss-feed">The Dynamic RSS Feed<a class="headerlink" href="#the-dynamic-rss-feed" title="Permanent link">¶</a></h3>
<p>To subscribe on Apple Podcast or Spotify, a compliant XML RSS feed is required. The application generates this feed on the fly (<code>/feed.xml</code>) by reading the manifests of episodes present in the bucket.</p>
<p>It also handles:
* URL signing (Signed URLs) to secure access to audio files.
* <code>HEAD</code> HTTP headers necessary for validation by podcast aggregators.</p>
<h2 id="step-6-infrastructure-as-code-terraform">Step 6: Infrastructure as Code (Terraform)<a class="headerlink" href="#step-6-infrastructure-as-code-terraform" title="Permanent link">¶</a></h2>
<p>To avoid clicking everywhere in the Google Cloud console, the entire infrastructure is defined in <strong>Terraform</strong>.</p>
<p>This allows creating reproducible environments (Preprod, Prod) and managing permissions finely.</p>
<div class="highlight"><pre><span></span><code><span class="c1"># Extract from infra/production/main.tf</span>
<span class="kr">module</span><span class="w"> </span><span class="nv">"podcast_generator"</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="na">source</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"../modules/podcast-generator"</span>
<span class="w"> </span><span class="na">project_id</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nv">var.project_id</span>
<span class="w"> </span><span class="na">region</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nv">var.region</span>
<span class="w"> </span><span class="na">bucket_name</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"${var.project_id}-podcast-output"</span>
<span class="c1"> # Job and Service Configuration</span>
<span class="w"> </span><span class="na">podcast_model</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"gemini-3.0-pro-preview"</span>
<span class="w"> </span><span class="na">schedule_cron</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"0 9 * * 1"</span><span class="c1"> # Every Monday at 9am</span>
<span class="p">}</span>
</code></pre></div>
<h2 id="step-7-the-cicd-pipeline-gitlab-ci-cloud-deploy">Step 7: The CI/CD Pipeline (GitLab CI & Cloud Deploy)<a class="headerlink" href="#step-7-the-cicd-pipeline-gitlab-ci-cloud-deploy" title="Permanent link">¶</a></h2>
<p>Deployment is fully automated via <strong>GitLab CI</strong> and <strong>Google Cloud Deploy</strong>.</p>
<ol>
<li><strong>GitLab CI</strong>: Builds Docker images (Generator & Frontend) and pushes them to Artifact Registry.</li>
<li><strong>Cloud Deploy</strong>: Retrieves these images, generates Kubernetes manifests (YAML) via a script, and deploys everything to Cloud Run.</li>
</ol>
<p>The pipeline handles code promotion from pre-production to production without risky manual intervention.</p>
<h2 id="the-cost-finops">The Cost (FinOps)<a class="headerlink" href="#the-cost-finops" title="Permanent link">¶</a></h2>
<p>This is the best part. Since the architecture is “Scale to Zero”, I only pay when the podcast is generated or listened to.</p>
<p><strong>Actual monthly cost: ~€0.20</strong></p>
<ul>
<li><strong>Cloud Run (Job)</strong>: A few cents for the 2-3 minutes of generation per week.</li>
<li><strong>Cloud Run (Service)</strong>: Free (in the Free Tier) because low traffic.</li>
<li><strong>Vertex AI</strong>: The biggest item, but remains very low for weekly use.</li>
<li><strong>Cloud Storage</strong>: Negligible for a few MP3 files.</li>
</ul>
<p>It’s an extremely economical solution for fully automated media.</p>
<h2 id="conclusion">Conclusion<a class="headerlink" href="#conclusion" title="Permanent link">¶</a></h2>
<p>This project demonstrates the power of <strong>Multimodal GenAI</strong>. In less than 500 lines of Python code, we replaced an entire media production chain (research, writing, recording, graphic design).</p>
<p>The result is a tech watch that is pleasant to listen to, always up to date, and runs by itself every Monday morning while I have my coffee. ☕</p>
<p><strong>Useful links:</strong>
* 🎧 <a href="https://podcast.kapable.info/">The Podcast</a>
* 🛠️ <a href="https://gitlab.com/matgou/podcast-generator">Source Code (GitLab)</a></p>InkFlowAI : De la note manuscrite au compte-rendu structuré (Grâce à l'IA)2026-01-20T00:00:00+01:002026-01-20T00:00:00+01:00Mathieu GOULINtag:www.ops-chronicles.cloud,2026-01-20:/fr/inkflowai-architecture.html<p>InkFlowAI : De la note manuscrite au compte-rendu structuré (Grâce à l’IA)</p><div class="toc">
<ul>
<li><a href="#le-probleme">Le Problème</a></li>
<li><a href="#la-solution-inkflowai">La Solution : InkFlowAI</a><ul>
<li><a href="#workflow-utilisateur">Workflow Utilisateur</a></li>
</ul>
</li>
<li><a href="#architecture-technique-sous-le-capot">Architecture Technique (Sous le capot)</a><ul>
<li><a href="#diagramme-de-flux-de-donnees">Diagramme de Flux de Données</a></li>
<li><a href="#etapes-cles">Étapes Clés</a></li>
</ul>
</li>
<li><a href="#conclusion">Conclusion</a></li>
</ul>
</div>
<p>Vous prenez des notes sur votre <strong>Kindle Scribe</strong> (ou toute autre tablette e-ink) et vous vous retrouvez avec des PDFs manuscrits difficiles à exploiter ? Voici comment <strong>InkFlowAI</strong> automatise la transformation de vos gribouillages en comptes-rendus professionnels, diagrammes inclus.</p>
<h2 id="le-probleme">Le Problème<a class="headerlink" href="#le-probleme" title="Permanent link">¶</a></h2>
<p>La prise de note manuscrite est fluide et naturelle, mais le partage et l’archivage sont pénibles. Retaper ses notes prend du temps. Rédiger des schémas sur ordinateur est laborieux.</p>
<h2 id="la-solution-inkflowai">La Solution : InkFlowAI<a class="headerlink" href="#la-solution-inkflowai" title="Permanent link">¶</a></h2>
<p>Un système <strong>Serverless</strong> et <strong>Réactif</strong> hébergé sur Google Cloud, qui agit comme un assistant personnel.</p>
<h3 id="workflow-utilisateur">Workflow Utilisateur<a class="headerlink" href="#workflow-utilisateur" title="Permanent link">¶</a></h3>
<ol>
<li>Vous terminez votre réunion.</li>
<li>Vous cliquez sur “Partager par email” sur votre Kindle.</li>
<li>30 secondes plus tard, vous recevez un email en réponse contenant :<ul>
<li>Un <strong>résumé structuré</strong> (Markdown) de la réunion.</li>
<li>La liste des <strong>actions</strong> et décisions.</li>
<li>Vos <strong>schémas manuscrits convertis</strong> en diagrammes propres (Mermaid/PNG).</li>
</ul>
</li>
</ol>
<hr />
<h2 id="architecture-technique-sous-le-capot">Architecture Technique (Sous le capot)<a class="headerlink" href="#architecture-technique-sous-le-capot" title="Permanent link">¶</a></h2>
<p>Nous avons récemment migré d’une architecture de <em>polling</em> (vérification périodique) vers une architecture <strong>événementielle</strong> (Push) pour une réactivité temps réel.</p>
<h3 id="diagramme-de-flux-de-donnees">Diagramme de Flux de Données<a class="headerlink" href="#diagramme-de-flux-de-donnees" title="Permanent link">¶</a></h3>
<p><img alt="image" src="/images/2026-InkflowAI-Architecture/2026-InkflowAI-Architecture.jpg" /></p>
<h3 id="etapes-cles">Étapes Clés<a class="headerlink" href="#etapes-cles" title="Permanent link">¶</a></h3>
<ol>
<li>
<p><strong>Réception Réactive (Gmail + Pub/Sub)</strong> :
Au lieu de demander toutes les minutes “J’ai du courrier ?”, notre service dort. Dès qu’un email arrive, Gmail notifie <strong>Cloud Pub/Sub</strong>, qui réveille instantanément notre container sur <strong>Cloud Run</strong>. Cela réduit les coûts et la latence.</p>
</li>
<li>
<p><strong>Analyse Multimodale (Gemini Pro Generation)</strong> :
Le cœur du système. Nous envoyons le PDF (images des pages manuscrites) directement à <strong>Gemini 3 Pro</strong> via Vertex AI.
Le prompt système est conçu pour :</p>
<ul>
<li>Déchiffrer l’écriture manuscrite (OCR avancé).</li>
<li>Comprendre le contexte (brainstorming, décision, TOD).</li>
<li><strong>Détecter les dessins</strong> et générer le code <code>Mermaid.js</code> correspondant.</li>
</ul>
</li>
<li>
<p><strong>Rendu de Diagrammes (“NanoBanana”)</strong> :
Si vous avez dessiné un carré fléché vers un cercle, Gemini le traduit en code. InkFlowAI compile ce code en une image PNG nette, prête à être insérée dans le rapport final.</p>
</li>
<li>
<p><strong>Stockage & Notification</strong> :
Tout est archivé sur <strong>Cloud Storage</strong> (S3-compatible) pour la pérennité. Un email formaté est renvoyé à l’expéditeur.</p>
</li>
</ol>
<h2 id="conclusion">Conclusion<a class="headerlink" href="#conclusion" title="Permanent link">¶</a></h2>
<p>InkFlowAI montre comment l’IA générative (multimodale) peut combler le fossé entre le monde analogique (papier/stylo) et le monde numérique (Jira/Wiki/Docs), en automatisant la partie la plus ennuyeuse du travail : la mise au propre.</p>
<p><em>Le code est Open Source et déployable sur votre propre projet GCP : <a href="https://gitlab.com/matgou/inkflowai">https://gitlab.com/matgou/inkflowai</a></em></p>InkFlowAI: From Handwritten Notes to Structured Reports (Powered by AI)2026-01-20T00:00:00+01:002026-01-20T00:00:00+01:00Mathieu GOULINtag:www.ops-chronicles.cloud,2026-01-20:/inkflowai-architecture.html<p>InkFlowAI: From Handwritten Notes to Structured Reports (Powered by AI)</p><div class="toc">
<ul>
<li><a href="#the-problem">The Problem</a></li>
<li><a href="#the-solution-inkflowai">The Solution: InkFlowAI</a><ul>
<li><a href="#user-workflow">User Workflow</a></li>
</ul>
</li>
<li><a href="#technical-architecture-under-the-hood">Technical Architecture (Under the Hood)</a><ul>
<li><a href="#data-flow-diagram">Data Flow Diagram</a></li>
<li><a href="#key-components">Key Components</a></li>
</ul>
</li>
<li><a href="#conclusion">Conclusion</a></li>
</ul>
</div>
<p>Do you take notes on your <strong>Kindle Scribe</strong> (or any e-ink tablet) only to end up with handwritten PDFs that sit in a digital graveyard? Here is how <strong>InkFlowAI</strong> automates the transformation of your scribbles into professional meeting minutes, diagrams included.</p>
<h2 id="the-problem">The Problem<a class="headerlink" href="#the-problem" title="Permanent link">¶</a></h2>
<p>Handwriting is fluid and natural for thinking, but terrible for sharing and archiving. Typing up notes takes time. Redrawing whiteboard sketches on a computer is tedious.</p>
<h2 id="the-solution-inkflowai">The Solution: InkFlowAI<a class="headerlink" href="#the-solution-inkflowai" title="Permanent link">¶</a></h2>
<p>A <strong>Serverless</strong> and <strong>Reactive</strong> system hosted on Google Cloud that acts as your personal secretary.</p>
<h3 id="user-workflow">User Workflow<a class="headerlink" href="#user-workflow" title="Permanent link">¶</a></h3>
<ol>
<li>You finish your meeting.</li>
<li>You click “Share via Email” on your Kindle.</li>
<li>30 seconds later, you receive a reply email containing:<ul>
<li>A <strong>structured summary</strong> (Markdown) of the meeting.</li>
<li>A list of <strong>action items</strong> and decisions.</li>
<li>Your <strong>handdrawn sketches converted</strong> into clean technical diagrams (Mermaid/PNG).</li>
</ul>
</li>
</ol>
<hr />
<h2 id="technical-architecture-under-the-hood">Technical Architecture (Under the Hood)<a class="headerlink" href="#technical-architecture-under-the-hood" title="Permanent link">¶</a></h2>
<p>We recently migrated from a <em>polling</em> architecture to an <strong>event-driven</strong> (Push) architecture for real-time responsiveness.</p>
<h3 id="data-flow-diagram">Data Flow Diagram<a class="headerlink" href="#data-flow-diagram" title="Permanent link">¶</a></h3>
<p><img alt="image" src="/images/2026-InkflowAI-Architecture/2026-InkflowAI-Architecture.jpg" /></p>
<h3 id="key-components">Key Components<a class="headerlink" href="#key-components" title="Permanent link">¶</a></h3>
<ol>
<li>
<p><strong>Reactive Ingestion (Gmail + Pub/Sub)</strong>:
Instead of asking “Do I have mail?” every minute, our service sleeps. As soon as an email arrives, Gmail notifies <strong>Cloud Pub/Sub</strong>, which instantly wakes up our container on <strong>Cloud Run</strong>. This minimizes cost and latency.</p>
</li>
<li>
<p><strong>Multimodal Analysis (Gemini Pro Generative AI)</strong>:
The core of the system. We send the raw PDF (images of handwritten pages) directly to <strong>Gemini 3 Pro</strong> via Vertex AI.
The system prompt is engineered to:</p>
<ul>
<li>Decipher handwriting (Advanced OCR).</li>
<li>Understand context (brainstorming, decisions, TODOs).</li>
<li><strong>Detect drawings</strong> and generate corresponding <code>Mermaid.js</code> code.</li>
</ul>
</li>
<li>
<p><strong>Diagram Rendering (“NanoBanana”)</strong>:
If you drew a box pointing to a circle, Gemini translates it into code. InkFlowAI compiles this code into a sharp PNG image, ready to be embedded in the final report.</p>
</li>
<li>
<p><strong>Storage & Notification</strong>:
Everything is archived on <strong>Cloud Storage</strong> (S3-compatible) for longevity. A formatted email is sent back to the sender.</p>
</li>
</ol>
<h2 id="conclusion">Conclusion<a class="headerlink" href="#conclusion" title="Permanent link">¶</a></h2>
<p>InkFlowAI demonstrates how Generative AI (multimodal) can bridge the gap between the analog world (pen/paper) and the digital world (Jira/Wiki/Docs), automating the most boring part of work: cleaning up notes.</p>
<p><em>The code is Open Source and deployable on your own GCP project: <a href="https://gitlab.com/matgou/inkflowai">https://gitlab.com/matgou/inkflowai</a></em></p>Votre propre Agent DevOps : L'avenir de l'observabilité2025-05-28T00:00:00+02:002025-05-28T00:00:00+02:00Mathieu GOULINtag:www.ops-chronicles.cloud,2025-05-28:/fr/own-devops-agents.html<p>Comment construire et utiliser un agent Kubernetes basé sur l’ADK (Python).</p><div class="toc">
<ul>
<li><a href="#introduction">Introduction</a></li>
<li><a href="#demarrage-rapide-du-developpement-dagent-adk">Démarrage rapide du développement d’agent ADK</a><ul>
<li><a href="#prerequis">Prérequis</a></li>
<li><a href="#structure-de-base">Structure de base</a></li>
<li><a href="#donner-des-instructions-a-lagent">Donner des instructions à l’agent</a></li>
<li><a href="#tester-lagent">Tester l’agent</a></li>
</ul>
</li>
<li><a href="#donner-des-outils-a-mon-agent">Donner des outils à mon agent</a><ul>
<li><a href="#et-maintenant-un-vrai-test">Et maintenant un vrai test</a></li>
</ul>
</li>
<li><a href="#integration-kubernetes">Intégration Kubernetes</a><ul>
<li><a href="#construire-un-conteneur-docker">Construire un conteneur docker :</a></li>
</ul>
</li>
<li><a href="#dans-kubernetes_admindockerfile">Dans kubernetes_admin/Dockerfile</a><ul>
<li><a href="#ajouter-rbac">Ajouter RBAC</a></li>
<li><a href="#ajouter-un-secret-pour-les-identifiants-google">Ajouter un secret pour les identifiants google</a></li>
<li><a href="#deployer-le-service">Déployer le service</a></li>
<li><a href="#tests-et-experimentations">Tests et expérimentations</a><ul>
<li><a href="#diagnostiquer-oomkill">Diagnostiquer OOMKill</a></li>
</ul>
</li>
<li><a href="#conclusion-et-prospective">Conclusion et prospective</a></li>
</ul>
</li>
</ul>
</div>
<h2 id="introduction">Introduction<a class="headerlink" href="#introduction" title="Permanent link">¶</a></h2>
<p>Google a récemment publié l’Agent Development Kit (ADK), un framework conçu pour simplifier le développement et le déploiement d’agents pilotés par l’IA. Ce framework est remarquablement convivial. Dans ce contexte, un agent est une API interactive qui exploite un grand modèle de langage (LLM), comme Gemini, et qui est renforcée par vos scripts personnalisés pour générer des réponses basées sur leur sortie.</p>
<p>Dans le monde DevSecOps, nous sommes déjà équipés d’une multitude d’outils et de scripts (CLI, API, et plus). Maintenant, imaginez équiper une IA de toutes ces capacités.</p>
<p>En tant qu’ingénieurs DevOps, nous nous retrouvons souvent à lire manuellement des journaux, à décrire des ressources pour trouver des statuts et à surveiller des événements. Et si chacun de nous avait un assistant dédié pour effectuer ces étapes de diagnostic initiales pour vous, en pointant directement vers les informations pertinentes ?</p>
<p>Cet article explore comment construire et utiliser un agent Kubernetes ADK (basé sur Python). Cet agent agira comme un outil de diagnostic, appelable via chat ou une API, pour rassembler rapidement des informations cruciales sur notre cluster et fournir des aperçus de diagnostic initiaux.</p>
<p>Testez-le ; personnellement, je suis convaincu : c’est l’avenir de l’observabilité.</p>
<h2 id="demarrage-rapide-du-developpement-dagent-adk">Démarrage rapide du développement d’agent ADK<a class="headerlink" href="#demarrage-rapide-du-developpement-dagent-adk" title="Permanent link">¶</a></h2>
<p>Commencer avec l’Agent Development Kit (ADK) est simple. Cette section vous guidera sur la façon de configurer et de créer un agent (très) basique.</p>
<h3 id="prerequis">Prérequis<a class="headerlink" href="#prerequis" title="Permanent link">¶</a></h3>
<ul>
<li>Avant de commencer, assurez-vous d’avoir <strong>Python</strong> (y compris <code>venv</code> pour les environnements virtuels et <code>pip</code> pour l’installation de paquets) installé.</li>
<li>Vous aurez également besoin d’un projet Google Cloud Platform (GCP) configuré pour utiliser Vertex AI afin d’appeler le modèle Gemini.</li>
<li>Créez un dossier pour votre projet :
<code>bash
mkdir kubernetes-admin && cd kubernetes-admin</code></li>
<li>Initialisez un environnement virtuel :
<code>bash
python -m venv venv</code></li>
<li>Activez l’environnement virtuel :<ul>
<li>Sur macOS et Linux :
<code>bash
source venv/bin/activate</code></li>
<li>Sur Windows :
<code>bash
.\venv\Scripts\activate</code></li>
</ul>
</li>
<li>Installez poetry : <code>pip install poetry</code></li>
</ul>
<h3 id="structure-de-base">Structure de base<a class="headerlink" href="#structure-de-base" title="Permanent link">¶</a></h3>
<ul>
<li>Créez les fichiers et répertoires suivants dans le répertoire <code>kubernetes-admin</code> que vous avez créé plus tôt :</li>
</ul>
<div class="highlight"><pre><span></span><code><span class="o">-</span><span class="w"> </span><span class="n">kubernetes_admin</span><span class="o">/</span>
<span class="w"> </span><span class="o">|-</span><span class="w"> </span><span class="n">agent</span><span class="o">.</span><span class="n">py</span><span class="w"> </span><span class="c1"># Contenant les instructions de l'agent : prompt initial et paramètres</span>
<span class="w"> </span><span class="o">|-</span><span class="w"> </span><span class="n">__init__</span><span class="o">.</span><span class="n">py</span><span class="w"> </span><span class="c1"># Un fichier init par défaut</span>
<span class="w"> </span><span class="o">|-</span><span class="w"> </span><span class="o">.</span><span class="n">env</span>
<span class="w"> </span><span class="o">|-</span><span class="w"> </span><span class="n">tools</span><span class="o">/</span><span class="w"> </span><span class="c1"># Pour héberger les futures interfaces d'outils</span>
<span class="w"> </span><span class="o">|-</span><span class="w"> </span><span class="n">__init__</span><span class="o">.</span><span class="n">py</span><span class="w"> </span><span class="c1"># Un fichier init par défaut pour le paquet tools</span>
</code></pre></div>
<ul>
<li>Naviguez dans le répertoire interne <code>kubernetes_admin</code> (c’est là que résidera votre paquet Python) :</li>
</ul>
<div class="highlight"><pre><span></span><code><span class="nb">cd</span><span class="w"> </span>kubernetes_admin
</code></pre></div>
<ul>
<li>Initialisez le projet Poetry dans ce répertoire <code>kubernetes_admin</code> :</li>
</ul>
<div class="highlight"><pre><span></span><code>poetry<span class="w"> </span>init
</code></pre></div>
<div class="highlight"><pre><span></span><code><span class="n">Suivez</span><span class="w"> </span><span class="n">les</span><span class="w"> </span><span class="n">invites</span><span class="p">.</span><span class="w"> </span><span class="n">Vous</span><span class="w"> </span><span class="n">pouvez</span><span class="w"> </span><span class="n">accepter</span><span class="w"> </span><span class="n">les</span><span class="w"> </span><span class="n">valeurs</span><span class="w"> </span><span class="n">par</span><span class="w"> </span><span class="n">défaut</span><span class="w"> </span><span class="n">pour</span><span class="w"> </span><span class="n">la</span><span class="w"> </span><span class="n">plupart</span><span class="p">,</span><span class="w"> </span><span class="n">mais</span><span class="w"> </span><span class="n">assurez</span><span class="o">-</span><span class="n">vous</span><span class="w"> </span><span class="n">que</span><span class="w"> </span><span class="n">le</span><span class="w"> </span><span class="n">nom</span><span class="w"> </span><span class="n">du</span><span class="w"> </span><span class="n">paquet</span><span class="w"> </span><span class="n">est</span><span class="w"> </span><span class="n n-Quoted">`kubernetes_admin`</span><span class="p">.</span>
</code></pre></div>
<ul>
<li>Ajoutez la dépendance ADK à votre projet :</li>
</ul>
<div class="highlight"><pre><span></span><code>poetry<span class="w"> </span>add<span class="w"> </span>google-ai-agent
</code></pre></div>
<div class="highlight"><pre><span></span><code>*(Note : Le nom du paquet est <span class="sb">`google-ai-agent`</span>, pas <span class="sb">`google-adk`</span>)*
</code></pre></div>
<ul>
<li>Remplissez le fichier <code>kubernetes_admin/__init__.py</code>. Cela rend le module <code>agent</code> accessible.</li>
</ul>
<div class="highlight"><pre><span></span><code><span class="c1"># Dans kubernetes_admin/kubernetes_admin/__init__.py</span>
<span class="kn">from</span><span class="w"> </span><span class="nn">.</span><span class="w"> </span><span class="kn">import</span> <span class="n">agent</span>
</code></pre></div>
<ul>
<li>Le fichier <code>kubernetes_admin/tools/__init__.py</code> peut rester vide pour le moment.</li>
</ul>
<div class="highlight"><pre><span></span><code><span class="c1"># Dans kubernetes_admin/kubernetes_admin/tools/</span>
touch<span class="w"> </span>__init__.py
</code></pre></div>
<ul>
<li>Créez un fichier <code>.env</code> vide dans le répertoire <code>kubernetes_admin/kubernetes_admin/</code>. Cela pourra être utilisé plus tard pour les configurations spécifiques à l’environnement si nécessaire.</li>
</ul>
<div class="highlight"><pre><span></span><code><span class="c1"># Dans kubernetes_admin/kubernetes_admin/</span>
touch<span class="w"> </span>.env
</code></pre></div>
<p>Naviguez vers le répertoire racine du projet <code>kubernetes-admin</code> :</p>
<div class="highlight"><pre><span></span><code><span class="nb">cd</span><span class="w"> </span>..
</code></pre></div>
<h3 id="donner-des-instructions-a-lagent">Donner des instructions à l’agent<a class="headerlink" href="#donner-des-instructions-a-lagent" title="Permanent link">¶</a></h3>
<p>Le fichier <code>agent.py</code> (situé dans <code>kubernetes-admin/kubernetes_admin/agent.py</code>) est crucial dans l’Agent Development Kit (ADK). Il définit le prompt initial et les instructions de base pour l’agent IA. Plus tard, il sera étendu pour inclure les outils spécifiques que l’agent peut utiliser et la logique sur la façon dont il doit les utiliser.</p>
<p>Vous pouvez utiliser l’IA pour aider à générer le prompt initial et les instructions, ou les écrire vous-même.</p>
<p>Créez/éditez <code>kubernetes-admin/kubernetes_admin/agent.py</code> avec le contenu suivant :</p>
<div class="highlight"><pre><span></span><code><span class="c1"># Dans kubernetes_admin/kubernetes_admin/agent.py</span>
<span class="sd">"""Kubernetes_Admin: Agent pour interagir avec et gérer un cluster Kubernetes."""</span>
<span class="kn">from</span><span class="w"> </span><span class="nn">google.adk.agents</span><span class="w"> </span><span class="kn">import</span> <span class="n">LlmAgent</span>
<span class="n">MODEL</span> <span class="o">=</span> <span class="s2">"gemini-2.5-pro-preview-05-06"</span>
<span class="n">KUBERNETES_ADMIN_INSTRUCTION</span> <span class="o">=</span> <span class="s2">"""</span>
<span class="s2">You are Kubernetes Admin, an AI assistant designed to help users manage and understand their Kubernetes (K8s) clusters.</span>
<span class="s2">Your primary goal is to help users by:</span>
<span class="s2">- Answering questions about their Kubernetes cluster.</span>
<span class="s2">- Retrieving information about resources like pods, nodes, services, deployments, namespaces, etc. using the available tools.</span>
<span class="s2">- Explaining Kubernetes concepts relevant to their queries.</span>
<span class="s2">- Assisting in understanding resource status and configurations.</span>
<span class="s2">Always strive to be clear, concise, and helpful in your responses.</span>
<span class="s2">Example interactions:</span>
<span class="s2">- User: "How many pods are running in the 'default' namespace?"</span>
<span class="s2">- You: (After using a tool to get pod count) "There are X pods currently running in the 'default' namespace."</span>
<span class="s2">- User: "What's the status of the pod named 'my-app-pod-123'?"</span>
<span class="s2">- You: (After using a tool to get pod status) "The pod 'my-app-pod-123' is currently in a 'Running' state."</span>
<span class="s2">"""</span>
<span class="n">kubernetes_admin_agent</span> <span class="o">=</span> <span class="n">LlmAgent</span><span class="p">(</span>
<span class="n">name</span><span class="o">=</span><span class="s2">"kubernetes_admin_agent"</span><span class="p">,</span>
<span class="n">model</span><span class="o">=</span><span class="n">MODEL</span><span class="p">,</span>
<span class="n">description</span><span class="o">=</span><span class="p">(</span>
<span class="s2">"An AI agent that helps users explore and understand their Kubernetes cluster by answering questions and retrieving information about resources."</span>
<span class="p">),</span>
<span class="n">instruction</span><span class="o">=</span><span class="n">KUBERNETES_ADMIN_INSTRUCTION</span><span class="p">,</span>
<span class="n">tools</span><span class="o">=</span><span class="p">[],</span> <span class="c1"># Passer l'instance FunctionTool</span>
<span class="p">)</span>
<span class="n">root_agent</span> <span class="o">=</span> <span class="n">kubernetes_admin_agent</span>
</code></pre></div>
<h3 id="tester-lagent">Tester l’agent<a class="headerlink" href="#tester-lagent" title="Permanent link">¶</a></h3>
<p>Avant de lancer le test, vous devez configurer un environnement cloud :</p>
<div class="highlight"><pre><span></span><code><span class="k">export</span><span class="w"> </span><span class="n">GOOGLE_GENAI_USE_VERTEXAI</span><span class="o">=</span><span class="bp">true</span>
<span class="k">export</span><span class="w"> </span><span class="n">GOOGLE_CLOUD_PROJECT</span><span class="o">=<</span><span class="n">Complétez</span><span class="w"> </span><span class="n">avec</span><span class="w"> </span><span class="n">votre</span><span class="w"> </span><span class="n">ID</span><span class="w"> </span><span class="n">de</span><span class="w"> </span><span class="n">projet</span><span class="w"> </span><span class="n">GCP</span><span class="o">></span>
<span class="k">export</span><span class="w"> </span><span class="n">GOOGLE_CLOUD_LOCATION</span><span class="o">=</span><span class="n">us</span><span class="o">-</span><span class="n">central1</span>
<span class="k">export</span><span class="w"> </span><span class="n">GOOGLE_CLOUD_STORAGE_BUCKET</span><span class="o">=$</span><span class="p">{</span><span class="n">GOOGLE_CLOUD_PROJECT</span><span class="p">}</span><span class="o">-</span><span class="n">adk</span><span class="o">-</span><span class="n">bucket</span><span class="o">-$</span><span class="p">(</span><span class="n">openssl</span><span class="w"> </span><span class="n">rand</span><span class="w"> </span><span class="o">-</span><span class="n">hex</span><span class="w"> </span><span class="mi">4</span><span class="p">)</span><span class="w"> </span><span class="c1"># générer un nom de bucket unique</span>
<span class="n">gcloud</span><span class="w"> </span><span class="n">auth</span><span class="w"> </span><span class="n">application</span><span class="o">-</span><span class="n">default</span><span class="w"> </span><span class="n">login</span>
<span class="n">gcloud</span><span class="w"> </span><span class="n">storage</span><span class="w"> </span><span class="n">buckets</span><span class="w"> </span><span class="n">create</span><span class="w"> </span><span class="n">gs</span><span class="p">:</span><span class="o">//$</span><span class="n">GOOGLE_CLOUD_STORAGE_BUCKET</span>
</code></pre></div>
<p>Maintenant vous pouvez lancer le test avec la commande suivante :</p>
<div class="highlight"><pre><span></span><code>adk run .
</code></pre></div>
<p>Si tout est ok, vous verrez l’invite suivante :</p>
<div class="highlight"><pre><span></span><code><span class="nf">Log</span><span class="w"> </span><span class="n">setup</span><span class="w"> </span><span class="nl">complete</span><span class="p">:</span><span class="w"> </span><span class="o">/</span><span class="n">tmp</span><span class="o">/</span><span class="n">agents_log</span><span class="o">/</span><span class="n">agent</span><span class="mf">.20250528</span><span class="n">_200909</span><span class="p">.</span><span class="nf">log</span>
<span class="k">To</span><span class="w"> </span><span class="n">access</span><span class="w"> </span><span class="n">latest</span><span class="w"> </span><span class="nf">log</span><span class="err">:</span><span class="w"> </span><span class="n">tail</span><span class="w"> </span><span class="o">-</span><span class="n">F</span><span class="w"> </span><span class="o">/</span><span class="n">tmp</span><span class="o">/</span><span class="n">agents_log</span><span class="o">/</span><span class="n">agent</span><span class="p">.</span><span class="n">latest</span><span class="p">.</span><span class="nf">log</span>
<span class="n">Running</span><span class="w"> </span><span class="n">agent</span><span class="w"> </span><span class="n">kubernetes_admin_agent</span><span class="p">,</span><span class="w"> </span><span class="n">type</span><span class="w"> </span><span class="k">exit</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="k">exit</span><span class="p">.</span>
<span class="o">[</span><span class="n">user</span><span class="o">]</span><span class="err">:</span><span class="w"> </span><span class="n">hello</span>
<span class="o">[</span><span class="n">kubernetes_admin_agent</span><span class="o">]</span><span class="err">:</span><span class="w"> </span><span class="n">Hello</span><span class="err">!</span><span class="w"> </span><span class="n">I</span><span class="err">'</span><span class="n">m</span><span class="w"> </span><span class="n">Kubernetes</span><span class="w"> </span><span class="k">Admin</span><span class="p">,</span><span class="w"> </span><span class="n">your</span><span class="w"> </span><span class="n">AI</span><span class="w"> </span><span class="n">assistant</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">managing</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">understanding</span><span class="w"> </span><span class="n">your</span><span class="w"> </span><span class="n">Kubernetes</span><span class="w"> </span><span class="n">cluster</span><span class="p">.</span>
<span class="n">How</span><span class="w"> </span><span class="n">can</span><span class="w"> </span><span class="n">I</span><span class="w"> </span><span class="n">help</span><span class="w"> </span><span class="n">you</span><span class="w"> </span><span class="n">today</span><span class="vm">?</span><span class="w"> </span><span class="k">For</span><span class="w"> </span><span class="n">example</span><span class="p">,</span><span class="w"> </span><span class="n">you</span><span class="w"> </span><span class="n">can</span><span class="w"> </span><span class="n">ask</span><span class="w"> </span><span class="n">me</span><span class="w"> </span><span class="n">about</span><span class="w"> </span><span class="n">pods</span><span class="p">,</span><span class="w"> </span><span class="n">nodes</span><span class="p">,</span><span class="w"> </span><span class="n">services</span><span class="p">,</span><span class="w"> </span><span class="ow">or</span><span class="w"> </span><span class="ow">any</span><span class="w"> </span><span class="n">other</span><span class="w"> </span><span class="n">Kubernetes</span><span class="w"> </span><span class="n">resources</span><span class="p">.</span>
<span class="o">[</span><span class="n">user</span><span class="o">]</span><span class="err">:</span><span class="w"> </span><span class="n">how</span><span class="w"> </span><span class="n">many</span><span class="w"> </span><span class="n">pod</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">my</span><span class="w"> </span><span class="n">kubernetes</span><span class="w"> </span><span class="n">clusters</span><span class="w"> </span>
<span class="o">[</span><span class="n">kubernetes_admin_agent</span><span class="o">]</span><span class="err">:</span><span class="w"> </span><span class="n">I</span><span class="w"> </span><span class="n">can</span><span class="w"> </span><span class="n">help</span><span class="w"> </span><span class="n">you</span><span class="w"> </span><span class="k">with</span><span class="w"> </span><span class="n">that</span><span class="err">!</span><span class="w"> </span><span class="k">To</span><span class="w"> </span><span class="n">tell</span><span class="w"> </span><span class="n">you</span><span class="w"> </span><span class="n">how</span><span class="w"> </span><span class="n">many</span><span class="w"> </span><span class="n">pods</span><span class="w"> </span><span class="k">are</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">your</span><span class="w"> </span><span class="n">cluster</span><span class="p">,</span><span class="w"> </span><span class="n">I</span><span class="w"> </span><span class="n">need</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="k">check</span><span class="w"> </span><span class="ow">all</span><span class="w"> </span><span class="n">namespaces</span><span class="p">.</span>
<span class="n">Should</span><span class="w"> </span><span class="n">I</span><span class="w"> </span><span class="n">proceed</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="k">get</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">list</span><span class="w"> </span><span class="k">of</span><span class="w"> </span><span class="ow">all</span><span class="w"> </span><span class="n">pods</span><span class="w"> </span><span class="n">across</span><span class="w"> </span><span class="ow">all</span><span class="w"> </span><span class="n">namespaces</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">your</span><span class="w"> </span><span class="n">cluster</span><span class="vm">?</span>
</code></pre></div>
<h2 id="donner-des-outils-a-mon-agent">Donner des outils à mon agent<a class="headerlink" href="#donner-des-outils-a-mon-agent" title="Permanent link">¶</a></h2>
<p>D’abord, écrivons une fonction Python pour interagir avec <code>kubectl</code> et l’envelopper comme un outil ADK.</p>
<ul>
<li>Créez/éditez <code>kubernetes-admin/kubernetes_admin/tools/kubectl_tool.py</code> avec le contenu suivant :</li>
</ul>
<div class="highlight"><pre><span></span><code><span class="c1"># Dans kubernetes_admin/kubernetes_admin/tools/kubectl_tool.py<<EOF</span>
<span class="sd">"""Tool for executing kubectl get commands."""</span>
<span class="kn">import</span><span class="w"> </span><span class="nn">subprocess</span> <span class="c1"># For actual kubectl calls</span>
<span class="kn">from</span><span class="w"> </span><span class="nn">google.adk.tools</span><span class="w"> </span><span class="kn">import</span> <span class="n">FunctionTool</span>
<span class="k">def</span><span class="w"> </span><span class="nf">run_kubectl</span><span class="p">(</span><span class="n">verbs</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="s2">"get"</span><span class="p">,</span> <span class="n">resource_type</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="s2">"pods"</span><span class="p">,</span> <span class="n">resource_name</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="s2">""</span><span class="p">,</span> <span class="n">namespace</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="s2">"default"</span><span class="p">)</span> <span class="o">-></span> <span class="nb">str</span><span class="p">:</span>
<span class="w"> </span><span class="sd">"""</span>
<span class="sd"> Runs a kubectl command with the specified verb, resource type, optional resource name, and namespace.</span>
<span class="sd"> Exemples:</span>
<span class="sd"> To get configuration of a specific pod use verbs: "describe", namespace: "all", resource_type: "pods", resource_name: "<custom pod name>"</span>
<span class="sd"> To get logs of a specific pod use verbs: "logs", namespace: "<namespace>", resource_type: "", resource_name: "<custom pod name>"</span>
<span class="sd"> To list pods in all namespace use verbs: "get", namespace: "all", resource_type: "pods", resource_name: ""</span>
<span class="sd"> Args:</span>
<span class="sd"> verbs: The kubectl verb to use (e.g., 'get', 'describe', 'logs', 'top').</span>
<span class="sd"> resource_type: The type of Kubernetes resource (e.g., 'pods', 'nodes', 'services', 'deployments').</span>
<span class="sd"> resource_name: Optional. The specific name of the resource. If None, lists all resources of the type.</span>
<span class="sd"> namespace: Optional. The Kubernetes namespace. Defaults to 'default'.</span>
<span class="sd"> Returns:</span>
<span class="sd"> A string containing the output of the kubectl command or an error message.</span>
<span class="sd"> """</span>
<span class="k">try</span><span class="p">:</span>
<span class="n">command</span> <span class="o">=</span> <span class="p">[</span><span class="s2">"kubectl"</span><span class="p">,</span> <span class="n">verbs</span><span class="p">]</span>
<span class="k">if</span> <span class="n">resource_name</span> <span class="o">!=</span> <span class="s2">""</span><span class="p">:</span>
<span class="n">command</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="sa">f</span><span class="s1">'</span><span class="si">{</span><span class="n">resource_type</span><span class="si">}</span><span class="s1">/</span><span class="si">{</span><span class="n">resource_name</span><span class="si">}</span><span class="s1">'</span><span class="p">)</span>
<span class="k">else</span><span class="p">:</span>
<span class="n">command</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="sa">f</span><span class="s1">'</span><span class="si">{</span><span class="n">resource_type</span><span class="si">}</span><span class="s1">'</span><span class="p">)</span>
<span class="k">if</span> <span class="n">namespace</span> <span class="o">!=</span> <span class="s2">"all"</span><span class="p">:</span>
<span class="n">command</span><span class="o">.</span><span class="n">extend</span><span class="p">([</span><span class="s2">"-n"</span><span class="p">,</span> <span class="n">namespace</span><span class="p">])</span>
<span class="k">else</span><span class="p">:</span>
<span class="n">command</span><span class="o">.</span><span class="n">extend</span><span class="p">([</span><span class="s2">"--all-namespaces"</span><span class="p">])</span>
<span class="n">result</span> <span class="o">=</span> <span class="n">subprocess</span><span class="o">.</span><span class="n">run</span><span class="p">(</span><span class="n">command</span><span class="p">,</span> <span class="n">capture_output</span><span class="o">=</span><span class="kc">True</span><span class="p">,</span> <span class="n">text</span><span class="o">=</span><span class="kc">True</span><span class="p">,</span> <span class="n">check</span><span class="o">=</span><span class="kc">True</span><span class="p">,</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">30</span><span class="p">)</span>
<span class="k">return</span> <span class="n">result</span><span class="o">.</span><span class="n">stdout</span>
<span class="k">except</span> <span class="ne">FileNotFoundError</span><span class="p">:</span>
<span class="k">return</span> <span class="s2">"Error: kubectl command not found. Please ensure kubectl is installed and in your PATH."</span>
<span class="k">except</span> <span class="n">subprocess</span><span class="o">.</span><span class="n">CalledProcessError</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span>
<span class="k">return</span> <span class="sa">f</span><span class="s2">"Error executing kubectl command: </span><span class="si">{</span><span class="n">e</span><span class="o">.</span><span class="n">stderr</span><span class="si">}</span><span class="s2">"</span>
<span class="k">except</span> <span class="n">subprocess</span><span class="o">.</span><span class="n">TimeoutExpired</span><span class="p">:</span>
<span class="k">return</span> <span class="s2">"Error: kubectl command timed out."</span>
<span class="k">except</span> <span class="ne">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span>
<span class="k">return</span> <span class="sa">f</span><span class="s2">"An unexpected error occurred: </span><span class="si">{</span><span class="nb">str</span><span class="p">(</span><span class="n">e</span><span class="p">)</span><span class="si">}</span><span class="s2">"</span>
<span class="n">kubectl_tool</span> <span class="o">=</span> <span class="n">FunctionTool</span><span class="p">(</span>
<span class="n">func</span><span class="o">=</span><span class="n">run_kubectl</span><span class="p">)</span>
</code></pre></div>
<ul>
<li>Maintenant, mettons à jour kubernetes-admin/kubernetes_admin/agent.py pour inclure ce nouvel outil.
Importez l’outil :</li>
</ul>
<div class="highlight"><pre><span></span><code><span class="kn">from</span><span class="w"> </span><span class="nn">.tools.kubectl_tool</span><span class="w"> </span><span class="kn">import</span> <span class="n">kubectl_tool</span> <span class="c1"># Import the FunctionTool instance</span>
<span class="o">...</span>
<span class="o">...</span>
<span class="n">kubernetes_admin_agent</span> <span class="o">=</span> <span class="n">LlmAgent</span><span class="p">(</span>
<span class="n">name</span><span class="o">=</span><span class="s2">"kubernetes_admin_agent"</span><span class="p">,</span>
<span class="n">model</span><span class="o">=</span><span class="n">MODEL</span><span class="p">,</span>
<span class="n">description</span><span class="o">=</span><span class="p">(</span>
<span class="s2">"An AI agent that helps users explore and understand their Kubernetes cluster by answering questions and retrieving information about resources."</span>
<span class="p">),</span>
<span class="n">instruction</span><span class="o">=</span><span class="n">KUBERNETES_ADMIN_INSTRUCTION</span><span class="p">,</span>
<span class="n">tools</span><span class="o">=</span><span class="p">[</span><span class="n">kubectl_tool</span><span class="p">],</span> <span class="c1"># Pass the FunctionTool instance</span>
<span class="p">)</span>
</code></pre></div>
<ul>
<li>Mettez à jour les instructions de l’agent dans KUBERNETES_ADMIN_INSTRUCTION dans kubernetes-admin/kubernetes_admin/agent.py pour informer le LLM du nouvel outil et comment l’utiliser :</li>
</ul>
<div class="highlight"><pre><span></span><code><span class="n">KUBERNETES_ADMIN_INSTRUCTION</span> <span class="o">=</span> <span class="s2">"""</span>
<span class="s2">...</span>
<span class="s2">...</span>
<span class="s2">You have a tool named 'run_kubectl_command' to fetch information from the Kubernetes cluster by executing kubectl commands.</span>
<span class="s2">Tool 'run_kubectl_command' arguments:</span>
<span class="s2">- 'verbs': (string, required) The kubectl verb to use (e.g., 'get', 'describe', 'logs', 'top').</span>
<span class="s2">- 'resource_type': (string, required) The type of Kubernetes resource (e.g., 'pods', 'nodes', 'services', 'deployments', 'namespaces').</span>
<span class="s2">- 'resource_name': (string, optional) The specific name of the resource. If not provided, all resources of the given type in the namespace will be listed.</span>
<span class="s2">- 'namespace': (string, optional, defaults to 'default') The Kubernetes namespace to query.</span>
<span class="s2">When a user asks for information that requires querying the cluster (e.g., "list pods", "get node status", "describe service my-service", "get logs for pod xyz"), you MUST use the 'run_kubectl_command' tool.</span>
<span class="s2">Clearly state that you are using the tool, what you are querying for, and then present the information returned by the tool.</span>
<span class="s2">Determine the correct 'verbs' argument based on the user's request (e.g., "list" or "how many" implies 'get', "what's the status" implies 'get', "describe" implies 'describe', "show logs" implies 'logs').</span>
<span class="s2">"""</span>
</code></pre></div>
<h3 id="et-maintenant-un-vrai-test">Et maintenant un vrai test<a class="headerlink" href="#et-maintenant-un-vrai-test" title="Permanent link">¶</a></h3>
<p>Maintenant, effectuons un vrai test pour voir si notre agent utilise <code>kubectl</code> comme prévu. (Assurez-vous d’avoir un fichier <code>kubeconfig</code> valide et d’être connecté à un cluster Kubernetes pour ce test.)</p>
<div class="highlight"><pre><span></span><code>$<span class="w"> </span>adk<span class="w"> </span>run<span class="w"> </span>.
...
<span class="o">[</span>user<span class="o">]</span>:<span class="w"> </span>how<span class="w"> </span>many<span class="w"> </span>pod<span class="w"> </span><span class="k">in</span><span class="w"> </span>my<span class="w"> </span>cluster<span class="w"> </span>all<span class="w"> </span>namespaces
<span class="o">[</span>kubernetes_admin_agent<span class="o">]</span>:<span class="w"> </span>Okay,<span class="w"> </span>I<span class="w"> </span>can<span class="w"> </span><span class="nb">help</span><span class="w"> </span>you<span class="w"> </span>with<span class="w"> </span>that.<span class="w"> </span>I<span class="w"> </span>will<span class="w"> </span>use<span class="w"> </span>the<span class="w"> </span><span class="sb">`</span>run_kubectl<span class="sb">`</span><span class="w"> </span>tool<span class="w"> </span>to<span class="w"> </span>list<span class="w"> </span>all<span class="w"> </span>pods<span class="w"> </span><span class="k">in</span><span class="w"> </span>all<span class="w"> </span>namespaces<span class="w"> </span>and<span class="w"> </span><span class="k">then</span><span class="w"> </span>count<span class="w"> </span>them<span class="w"> </span><span class="k">for</span><span class="w"> </span>you.
<span class="o">[</span>kubernetes_admin_agent<span class="o">]</span>:<span class="w"> </span>I<span class="w"> </span>have<span class="w"> </span>retrieved<span class="w"> </span>the<span class="w"> </span>list<span class="w"> </span>of<span class="w"> </span>all<span class="w"> </span>pods<span class="w"> </span>across<span class="w"> </span>all<span class="w"> </span>namespaces.<span class="w"> </span>There<span class="w"> </span>are<span class="w"> </span>a<span class="w"> </span>lot<span class="w"> </span>of<span class="w"> </span>them!
Based<span class="w"> </span>on<span class="w"> </span>the<span class="w"> </span>output,<span class="w"> </span>there<span class="w"> </span>are<span class="w"> </span><span class="m">119</span><span class="w"> </span>pods<span class="w"> </span><span class="k">in</span><span class="w"> </span>your<span class="w"> </span>cluster<span class="w"> </span>across<span class="w"> </span>all<span class="w"> </span>namespaces.
</code></pre></div>
<h2 id="integration-kubernetes">Intégration Kubernetes<a class="headerlink" href="#integration-kubernetes" title="Permanent link">¶</a></h2>
<p>Nous allons maintenant déployer notre agent dans un cluster Kubernetes, pour donner la possibilité à d’autres utilisateurs de l’utiliser.</p>
<h3 id="construire-un-conteneur-docker">Construire un conteneur docker :<a class="headerlink" href="#construire-un-conteneur-docker" title="Permanent link">¶</a></h3>
<ol>
<li>
<p>Voici un Dockerfile pour construire une image de conteneur pour votre agent Python. Ce Dockerfile :</p>
<ul>
<li>
<p>Utilise une image de base Python slim.</p>
</li>
<li>
<p>Installe <code>kubectl</code> (car l’outil de votre agent l’utilise) et Poetry.</p>
</li>
<li>
<p>Configure un utilisateur non-root pour une meilleure sécurité.</p>
</li>
<li>
<p>Installe les dépendances de votre projet en utilisant Poetry.</p>
</li>
<li>
<p>Définit la commande par défaut pour exécuter votre agent ADK en utilisant son serveur HTTP intégré.</p>
</li>
</ul>
<p>```Dockerfile</p>
<h1 id="dans-kubernetes_admindockerfile">Dans kubernetes_admin/Dockerfile<a class="headerlink" href="#dans-kubernetes_admindockerfile" title="Permanent link">¶</a></h1>
<p>FROM python:3.13-slim
WORKDIR /app</p>
<p>RUN pip install poetry
ENV PORT=8080
RUN apt update && apt install -y kubernetes-client/stable prometheus/stable && apt clean
COPY . .</p>
<p>RUN adduser –disabled-password –gecos “” myuser && \
chown -R myuser:myuser /app</p>
<p>USER myuser</p>
<p>RUN poetry install</p>
<p>ENV PATH=”/home/myuser/.local/bin:$PATH”
CMD poetry run uvicorn main:app –host 0.0.0.0 –port $PORT
```</p>
</li>
<li>
<p>(Configuration unique) Créez un dépôt Artifact Registry si vous ne l’avez pas déjà fait.
<code>bash
# Remplacez REGION et GOOGLE_CLOUD_PROJECT avec vos détails.
gcloud artifacts repositories create adk-repo --repository-format=docker \
--location=YOUR_REGION \
--description="ADK agent repository" \
--project=YOUR_GOOGLE_CLOUD_PROJECT</code></p>
</li>
<li>Construisez l’image Docker et poussez-la vers Artifact Registry.
<code>bash
# Remplacez REGION et GOOGLE_CLOUD_PROJECT avec vos détails.
gcloud builds submit --tag YOUR_REGION-docker.pkg.dev/YOUR_GOOGLE_CLOUD_PROJECT/adk-repo/k8s-admin-agent:latest \</code></li>
</ol>
<h3 id="ajouter-rbac">Ajouter RBAC<a class="headerlink" href="#ajouter-rbac" title="Permanent link">¶</a></h3>
<p>Le manifeste suivant crée un <code>ServiceAccount</code> Kubernetes dans l’espace de noms <code>kubernetes-admin-agent</code>. Il définit également un <code>ClusterRole</code> avec des permissions en lecture seule (get, list, watch) sur tous les groupes d’API et ressources, puis utilise un <code>ClusterRoleBinding</code> pour accorder ces permissions au <code>ServiceAccount</code> créé.</p>
<div class="highlight"><pre><span></span><code>kubectl<span class="w"> </span>apply<span class="w"> </span>-f<span class="w"> </span>-<span class="w"> </span><span class="s"><<EOF</span>
<span class="s">apiVersion: v1</span>
<span class="s">kind: ServiceAccount</span>
<span class="s">metadata:</span>
<span class="s"> name: kubernetes-admin-agent</span>
<span class="s">---</span>
<span class="s">apiVersion: rbac.authorization.k8s.io/v1</span>
<span class="s">kind: ClusterRole</span>
<span class="s">metadata:</span>
<span class="s"> name: kubernetes-admin-agent</span>
<span class="s">rules:</span>
<span class="s">- apiGroups:</span>
<span class="s"> - "*"</span>
<span class="s"> resources:</span>
<span class="s"> - "*"</span>
<span class="s"> verbs:</span>
<span class="s"> - get</span>
<span class="s"> - list</span>
<span class="s"> - watch</span>
<span class="s">---</span>
<span class="s">apiVersion: rbac.authorization.k8s.io/v1</span>
<span class="s"># This cluster role binding allows the kubernetes-admin-agent ServiceAccount to read all resources in any namespace.</span>
<span class="s">kind: ClusterRoleBinding</span>
<span class="s">metadata:</span>
<span class="s"> name: kubernetes-admin-agent-global</span>
<span class="s">subjects:</span>
<span class="s">- kind: ServiceAccount</span>
<span class="s"> name: kubernetes-admin-agent</span>
<span class="s"> namespace: kubernetes-admin-agent</span>
<span class="s">roleRef:</span>
<span class="s"> kind: ClusterRole</span>
<span class="s"> name: kubernetes-admin-agent</span>
<span class="s"> apiGroup: rbac.authorization.k8s.io</span>
<span class="s">EOF</span>
</code></pre></div>
<h3 id="ajouter-un-secret-pour-les-identifiants-google">Ajouter un secret pour les identifiants google<a class="headerlink" href="#ajouter-un-secret-pour-les-identifiants-google" title="Permanent link">¶</a></h3>
<p>Pour permettre à votre agent fonctionnant dans Kubernetes de s’authentifier auprès des services Google Cloud (spécifiquement Vertex AI pour Gemini), vous devez créer un compte de service GCP, lui accorder les permissions nécessaires, générer une clé pour celui-ci, et stocker cette clé comme un secret Kubernetes.</p>
<p>Assurez-vous que votre variable d’environnement <code>GOOGLE_CLOUD_PROJECT</code> est correctement définie avant d’exécuter ces commandes.</p>
<div class="highlight"><pre><span></span><code><span class="c1"># 1. Créer le compte de service</span>
gcloud<span class="w"> </span>iam<span class="w"> </span>service-accounts<span class="w"> </span>create<span class="w"> </span>kubernetes-admin-agent
<span class="c1"># 2. Accorder au compte de service le rôle "Vertex AI User" sur votre projet</span>
gcloud<span class="w"> </span>projects<span class="w"> </span>add-iam-policy-binding<span class="w"> </span><span class="si">${</span><span class="nv">GOOGLE_CLOUD_PROJECT</span><span class="si">}</span><span class="w"> </span><span class="se">\</span>
<span class="w"> </span>--member<span class="o">=</span><span class="s2">"serviceAccount:kubernetes-admin-agent@</span><span class="si">${</span><span class="nv">GOOGLE_CLOUD_PROJECT</span><span class="si">}</span><span class="s2">.iam.gserviceaccount.com"</span><span class="w"> </span><span class="se">\</span>
<span class="w"> </span>--role<span class="o">=</span><span class="s2">"roles/aiplatform.user"</span>
<span class="c1"># 3. Créer et télécharger une clé pour le compte de service</span>
gcloud<span class="w"> </span>iam<span class="w"> </span>service-accounts<span class="w"> </span>keys<span class="w"> </span>create<span class="w"> </span>key.json<span class="w"> </span><span class="se">\</span>
<span class="w"> </span>--iam-account<span class="o">=</span><span class="s2">"kubernetes-admin-agent@</span><span class="si">${</span><span class="nv">GOOGLE_CLOUD_PROJECT</span><span class="si">}</span><span class="s2">.iam.gserviceaccount.com"</span>
<span class="c1"># 4. Créer un espace de noms Kubernetes pour l'agent (si pas déjà créé)</span>
kubectl<span class="w"> </span>create<span class="w"> </span>ns<span class="w"> </span>kubernetes-admin-agent
<span class="c1"># 5. Créer un secret Kubernetes à partir du fichier de clé téléchargé</span>
kubectl<span class="w"> </span>create<span class="w"> </span>secret<span class="w"> </span>generic<span class="w"> </span>google-cloud-key<span class="w"> </span>-n<span class="w"> </span>kubernetes-admin-agent<span class="w"> </span>--from-file<span class="o">=</span>key.json<span class="o">=</span>key.json
</code></pre></div>
<h3 id="deployer-le-service">Déployer le service<a class="headerlink" href="#deployer-le-service" title="Permanent link">¶</a></h3>
<h2 id="tests-et-experimentations">Tests et expérimentations<a class="headerlink" href="#tests-et-experimentations" title="Permanent link">¶</a></h2>
<h3 id="diagnostiquer-oomkill">Diagnostiquer OOMKill<a class="headerlink" href="#diagnostiquer-oomkill" title="Permanent link">¶</a></h3>
<h2 id="conclusion-et-prospective">Conclusion et prospective<a class="headerlink" href="#conclusion-et-prospective" title="Permanent link">¶</a></h2>Your Own Devops Agent: The future of observability2025-05-28T00:00:00+02:002025-05-28T00:00:00+02:00Mathieu GOULINtag:www.ops-chronicles.cloud,2025-05-28:/own-devops-agents.html<p>How to build and utilize an ADK (Python-based) Kubernetes agent.</p><div class="toc">
<ul>
<li><a href="#introduction">Introduction</a></li>
<li><a href="#adk-agent-developpement-quick-start">ADK agent developpement quick start</a><ul>
<li><a href="#prerequisites">Prerequisites</a></li>
<li><a href="#basic-structure">Basic structure</a></li>
<li><a href="#giving-agent-instructions">Giving Agent Instructions</a></li>
<li><a href="#testing-agent">Testing agent</a></li>
</ul>
</li>
<li><a href="#giving-tools-to-my-agent">Giving tools to my agent</a><ul>
<li><a href="#and-now-real-testing">And now real testing</a></li>
</ul>
</li>
<li><a href="#kubernetes-integration">Kubernetes integration</a><ul>
<li><a href="#build-a-docker-container">Build a docker container :</a></li>
</ul>
</li>
<li><a href="#in-kubernetes_admindockerfile">In kubernetes_admin/Dockerfile</a><ul>
<li><a href="#add-rbac">Add RBAC</a></li>
<li><a href="#add-secret-for-google-credentials">Add secret for google credentials</a></li>
<li><a href="#deploy-service">Deploy service</a></li>
<li><a href="#testing-and-experimentings">Testing and experimentings</a><ul>
<li><a href="#diagnose-oomkill">Diagnose OOMKill</a></li>
</ul>
</li>
<li><a href="#conclusion-and-prospective">Conclusion and prospective</a></li>
</ul>
</li>
</ul>
</div>
<h2 id="introduction">Introduction<a class="headerlink" href="#introduction" title="Permanent link">¶</a></h2>
<p>Google has recently released the Agent Development Kit (ADK), a framework designed to simplify the development and deployment of AI-driven agents. This framework is remarkably user-friendly. In this context, an agent is an interactive API that leverages a Large Language Model (LLM), like Gemini, and is further empowered by your custom scripts to generate responses based on their output.</p>
<p>In the DevSecOps world, we’re already equipped with a multitude of tools and scripts (CLI, API, and more). Now, imagine equipping an AI with all of these capabilities. </p>
<p>As DevOps engineers, we often find ourselves manually reading logs, describing resources to find statuses, and watching events. What if each of us had a dedicated assistant to perform these initial diagnostic steps for you, directly pointing to relevant information?</p>
<p>This article explores how to build and utilize an ADK (Python-based) Kubernetes agent. This agent will act as a diagnostic tool, callable via chat or an API, to quickly gather crucial information about our cluster and provide initial diagnostic insights.</p>
<p>Test it; personally, I am convinced: this is the future of observability.</p>
<h2 id="adk-agent-developpement-quick-start">ADK agent developpement quick start<a class="headerlink" href="#adk-agent-developpement-quick-start" title="Permanent link">¶</a></h2>
<p>Getting started with the Agent Development Kit (ADK) is straightforward. This section will guide you through how to set up and create a (very) basic agent.</p>
<h3 id="prerequisites">Prerequisites<a class="headerlink" href="#prerequisites" title="Permanent link">¶</a></h3>
<ul>
<li>Before you begin, ensure you have <strong>Python</strong> (including <code>venv</code> for virtual environments and <code>pip</code> for package installation) installed.</li>
<li>You will also need a Google Cloud Platform (GCP) project set up to use Vertex AI for calling the Gemini model.</li>
<li>Create a folder for your project:
<code>bash
mkdir kubernetes-admin && cd kubernetes-admin</code></li>
<li>Initialize a virtual environment:
<code>bash
python -m venv venv</code></li>
<li>Activate the virtual environment:<ul>
<li>On macOS and Linux:
<code>bash
source venv/bin/activate</code></li>
<li>On Windows:
<code>bash
.\venv\Scripts\activate</code></li>
</ul>
</li>
<li>Install poetry: <code>pip install poetry</code></li>
</ul>
<h3 id="basic-structure">Basic structure<a class="headerlink" href="#basic-structure" title="Permanent link">¶</a></h3>
<ul>
<li>Create the following files and directories within the <code>kubernetes-admin</code> directory you created earlier:</li>
</ul>
<div class="highlight"><pre><span></span><code><span class="o">-</span><span class="w"> </span><span class="n">kubernetes_admin</span><span class="o">/</span>
<span class="w"> </span><span class="o">|-</span><span class="w"> </span><span class="n">agent</span><span class="o">.</span><span class="n">py</span><span class="w"> </span><span class="c1"># Containing agent instructions : initial prompt and parameters</span>
<span class="w"> </span><span class="o">|-</span><span class="w"> </span><span class="n">__init__</span><span class="o">.</span><span class="n">py</span><span class="w"> </span><span class="c1"># A default init file</span>
<span class="w"> </span><span class="o">|-</span><span class="w"> </span><span class="o">.</span><span class="n">env</span>
<span class="w"> </span><span class="o">|-</span><span class="w"> </span><span class="n">tools</span><span class="o">/</span><span class="w"> </span><span class="c1"># To hosting futurer tools interfaces</span>
<span class="w"> </span><span class="o">|-</span><span class="w"> </span><span class="n">__init__</span><span class="o">.</span><span class="n">py</span><span class="w"> </span><span class="c1"># A default init file for the tools package</span>
</code></pre></div>
<ul>
<li>Navigate into the inner <code>kubernetes_admin</code> directory (this is where your Python package will reside):</li>
</ul>
<div class="highlight"><pre><span></span><code><span class="nb">cd</span><span class="w"> </span>kubernetes_admin
</code></pre></div>
<ul>
<li>Initialize the Poetry project within this <code>kubernetes_admin</code> directory:</li>
</ul>
<div class="highlight"><pre><span></span><code>poetry<span class="w"> </span>init
</code></pre></div>
<div class="highlight"><pre><span></span><code><span class="n">Follow</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">prompts</span><span class="p">.</span><span class="w"> </span><span class="n">You</span><span class="w"> </span><span class="n">can</span><span class="w"> </span><span class="n">accept</span><span class="w"> </span><span class="n">defaults</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">most</span><span class="p">,</span><span class="w"> </span><span class="n">but</span><span class="w"> </span><span class="n">ensure</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">package</span><span class="w"> </span><span class="k">name</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="n n-Quoted">`kubernetes_admin`</span><span class="p">.</span>
</code></pre></div>
<ul>
<li>Add the ADK dependency to your project:</li>
</ul>
<div class="highlight"><pre><span></span><code>poetry<span class="w"> </span>add<span class="w"> </span>google-ai-agent
</code></pre></div>
<div class="highlight"><pre><span></span><code><span class="o">*</span><span class="p">(</span><span class="nx">Note</span><span class="p">:</span><span class="w"> </span><span class="nx">The</span><span class="w"> </span><span class="kn">package</span><span class="w"> </span><span class="nx">name</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="err">`</span><span class="nx">google</span><span class="o">-</span><span class="nx">ai</span><span class="o">-</span><span class="nx">agent</span><span class="err">`</span><span class="p">,</span><span class="w"> </span><span class="k">not</span><span class="w"> </span><span class="err">`</span><span class="nx">google</span><span class="o">-</span><span class="nx">adk</span><span class="err">`</span><span class="p">)</span><span class="o">*</span>
</code></pre></div>
<ul>
<li>Populate the <code>kubernetes_admin/__init__.py</code> file. This makes the <code>agent</code> module accessible.</li>
</ul>
<div class="highlight"><pre><span></span><code><span class="c1"># In kubernetes_admin/kubernetes_admin/__init__.py</span>
<span class="kn">from</span><span class="w"> </span><span class="nn">.</span><span class="w"> </span><span class="kn">import</span> <span class="n">agent</span><span class="s2">" > __init__.py</span>
</code></pre></div>
<ul>
<li>The <code>kubernetes_admin/tools/__init__.py</code> file can remain empty for now.</li>
</ul>
<div class="highlight"><pre><span></span><code><span class="c1"># In kubernetes_admin/kubernetes_admin/tools/</span>
touch<span class="w"> </span>__init__.py
</code></pre></div>
<ul>
<li>Create an empty <code>.env</code> file in the <code>kubernetes_admin/kubernetes_admin/</code> directory. This can be used later for environment-specific configurations if needed.</li>
</ul>
<div class="highlight"><pre><span></span><code><span class="c1"># In kubernetes_admin/kubernetes_admin/</span>
touch<span class="w"> </span>.env
</code></pre></div>
<p>Navigate back to the root <code>kubernetes-admin</code> project directory:</p>
<div class="highlight"><pre><span></span><code><span class="nb">cd</span><span class="w"> </span>..
</code></pre></div>
<h3 id="giving-agent-instructions">Giving Agent Instructions<a class="headerlink" href="#giving-agent-instructions" title="Permanent link">¶</a></h3>
<p>The <code>agent.py</code> file (located at <code>kubernetes-admin/kubernetes_admin/agent.py</code>) is crucial in the Agent Development Kit (ADK). It defines the initial prompt and core instructions for the AI agent. Later, it will be expanded to include the specific tools the agent can use and the logic for how it should utilize them.</p>
<p>You can use AI to help generate the initial prompt and instructions, or write them yourself.</p>
<p>Create/edit <code>kubernetes-admin/kubernetes_admin/agent.py</code> with the following content:</p>
<div class="highlight"><pre><span></span><code><span class="c1"># In kubernetes_admin/kubernetes_admin/agent.py</span>
<span class="sd">"""Kubernetes_Admin: Agent for interacting with and managing a Kubernetes cluster."""</span>
<span class="kn">from</span><span class="w"> </span><span class="nn">google.adk.agents</span><span class="w"> </span><span class="kn">import</span> <span class="n">LlmAgent</span>
<span class="n">MODEL</span> <span class="o">=</span> <span class="s2">"gemini-2.5-pro-preview-05-06"</span>
<span class="n">KUBERNETES_ADMIN_INSTRUCTION</span> <span class="o">=</span> <span class="s2">"""</span>
<span class="s2">You are Kubernetes Admin, an AI assistant designed to help users manage and understand their Kubernetes (K8s) clusters.</span>
<span class="s2">Your primary goal is to help users by:</span>
<span class="s2">- Answering questions about their Kubernetes cluster.</span>
<span class="s2">- Retrieving information about resources like pods, nodes, services, deployments, namespaces, etc. using the available tools.</span>
<span class="s2">- Explaining Kubernetes concepts relevant to their queries.</span>
<span class="s2">- Assisting in understanding resource status and configurations.</span>
<span class="s2">Always strive to be clear, concise, and helpful in your responses.</span>
<span class="s2">Example interactions:</span>
<span class="s2">- User: "How many pods are running in the 'default' namespace?"</span>
<span class="s2">- You: (After using a tool to get pod count) "There are X pods currently running in the 'default' namespace."</span>
<span class="s2">- User: "What's the status of the pod named 'my-app-pod-123'?"</span>
<span class="s2">- You: (After using a tool to get pod status) "The pod 'my-app-pod-123' is currently in a 'Running' state."</span>
<span class="s2">"""</span>
<span class="n">kubernetes_admin_agent</span> <span class="o">=</span> <span class="n">LlmAgent</span><span class="p">(</span>
<span class="n">name</span><span class="o">=</span><span class="s2">"kubernetes_admin_agent"</span><span class="p">,</span>
<span class="n">model</span><span class="o">=</span><span class="n">MODEL</span><span class="p">,</span>
<span class="n">description</span><span class="o">=</span><span class="p">(</span>
<span class="s2">"An AI agent that helps users explore and understand their Kubernetes cluster by answering questions and retrieving information about resources."</span>
<span class="p">),</span>
<span class="n">instruction</span><span class="o">=</span><span class="n">KUBERNETES_ADMIN_INSTRUCTION</span><span class="p">,</span>
<span class="n">tools</span><span class="o">=</span><span class="p">[],</span> <span class="c1"># Pass the FunctionTool instance</span>
<span class="p">)</span>
<span class="n">root_agent</span> <span class="o">=</span> <span class="n">kubernetes_admin_agent</span>
</code></pre></div>
<h3 id="testing-agent">Testing agent<a class="headerlink" href="#testing-agent" title="Permanent link">¶</a></h3>
<p>Before running test, you must configure a cloud-environement :</p>
<div class="highlight"><pre><span></span><code><span class="k">export</span><span class="w"> </span><span class="n">GOOGLE_GENAI_USE_VERTEXAI</span><span class="o">=</span><span class="bp">true</span>
<span class="k">export</span><span class="w"> </span><span class="n">GOOGLE_CLOUD_PROJECT</span><span class="o">=<</span><span class="n">Complete</span><span class="w"> </span><span class="n">with</span><span class="w"> </span><span class="n">your</span><span class="w"> </span><span class="n">GCP</span><span class="w"> </span><span class="n">project</span><span class="w"> </span><span class="n">ID</span><span class="o">></span>
<span class="k">export</span><span class="w"> </span><span class="n">GOOGLE_CLOUD_LOCATION</span><span class="o">=</span><span class="n">us</span><span class="o">-</span><span class="n">central1</span>
<span class="k">export</span><span class="w"> </span><span class="n">GOOGLE_CLOUD_STORAGE_BUCKET</span><span class="o">=$</span><span class="p">{</span><span class="n">GOOGLE_CLOUD_PROJECT</span><span class="p">}</span><span class="o">-</span><span class="n">adk</span><span class="o">-</span><span class="n">bucket</span><span class="o">-$</span><span class="p">(</span><span class="n">openssl</span><span class="w"> </span><span class="n">rand</span><span class="w"> </span><span class="o">-</span><span class="n">hex</span><span class="w"> </span><span class="mi">4</span><span class="p">)</span><span class="w"> </span><span class="c1"># generate a unique bucket name</span>
<span class="n">gcloud</span><span class="w"> </span><span class="n">auth</span><span class="w"> </span><span class="n">application</span><span class="o">-</span><span class="n">default</span><span class="w"> </span><span class="n">login</span>
<span class="n">gcloud</span><span class="w"> </span><span class="n">storage</span><span class="w"> </span><span class="n">buckets</span><span class="w"> </span><span class="n">create</span><span class="w"> </span><span class="n">gs</span><span class="p">:</span><span class="o">//$</span><span class="n">GOOGLE_CLOUD_STORAGE_BUCKET</span>
</code></pre></div>
<p>Now you can run test with the following command :</p>
<div class="highlight"><pre><span></span><code>adk run .
</code></pre></div>
<p>If everything is ok, you will see the following prompt:</p>
<div class="highlight"><pre><span></span><code><span class="nf">Log</span><span class="w"> </span><span class="n">setup</span><span class="w"> </span><span class="nl">complete</span><span class="p">:</span><span class="w"> </span><span class="o">/</span><span class="n">tmp</span><span class="o">/</span><span class="n">agents_log</span><span class="o">/</span><span class="n">agent</span><span class="mf">.20250528</span><span class="n">_200909</span><span class="p">.</span><span class="nf">log</span>
<span class="k">To</span><span class="w"> </span><span class="n">access</span><span class="w"> </span><span class="n">latest</span><span class="w"> </span><span class="nf">log</span><span class="err">:</span><span class="w"> </span><span class="n">tail</span><span class="w"> </span><span class="o">-</span><span class="n">F</span><span class="w"> </span><span class="o">/</span><span class="n">tmp</span><span class="o">/</span><span class="n">agents_log</span><span class="o">/</span><span class="n">agent</span><span class="p">.</span><span class="n">latest</span><span class="p">.</span><span class="nf">log</span>
<span class="n">Running</span><span class="w"> </span><span class="n">agent</span><span class="w"> </span><span class="n">kubernetes_admin_agent</span><span class="p">,</span><span class="w"> </span><span class="n">type</span><span class="w"> </span><span class="k">exit</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="k">exit</span><span class="p">.</span>
<span class="o">[</span><span class="n">user</span><span class="o">]</span><span class="err">:</span><span class="w"> </span><span class="n">hello</span>
<span class="o">[</span><span class="n">kubernetes_admin_agent</span><span class="o">]</span><span class="err">:</span><span class="w"> </span><span class="n">Hello</span><span class="err">!</span><span class="w"> </span><span class="n">I</span><span class="err">'</span><span class="n">m</span><span class="w"> </span><span class="n">Kubernetes</span><span class="w"> </span><span class="k">Admin</span><span class="p">,</span><span class="w"> </span><span class="n">your</span><span class="w"> </span><span class="n">AI</span><span class="w"> </span><span class="n">assistant</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">managing</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">understanding</span><span class="w"> </span><span class="n">your</span><span class="w"> </span><span class="n">Kubernetes</span><span class="w"> </span><span class="n">cluster</span><span class="p">.</span>
<span class="n">How</span><span class="w"> </span><span class="n">can</span><span class="w"> </span><span class="n">I</span><span class="w"> </span><span class="n">help</span><span class="w"> </span><span class="n">you</span><span class="w"> </span><span class="n">today</span><span class="vm">?</span><span class="w"> </span><span class="k">For</span><span class="w"> </span><span class="n">example</span><span class="p">,</span><span class="w"> </span><span class="n">you</span><span class="w"> </span><span class="n">can</span><span class="w"> </span><span class="n">ask</span><span class="w"> </span><span class="n">me</span><span class="w"> </span><span class="n">about</span><span class="w"> </span><span class="n">pods</span><span class="p">,</span><span class="w"> </span><span class="n">nodes</span><span class="p">,</span><span class="w"> </span><span class="n">services</span><span class="p">,</span><span class="w"> </span><span class="ow">or</span><span class="w"> </span><span class="ow">any</span><span class="w"> </span><span class="n">other</span><span class="w"> </span><span class="n">Kubernetes</span><span class="w"> </span><span class="n">resources</span><span class="p">.</span>
<span class="o">[</span><span class="n">user</span><span class="o">]</span><span class="err">:</span><span class="w"> </span><span class="n">how</span><span class="w"> </span><span class="n">many</span><span class="w"> </span><span class="n">pod</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">my</span><span class="w"> </span><span class="n">kubernetes</span><span class="w"> </span><span class="n">clusters</span><span class="w"> </span>
<span class="o">[</span><span class="n">kubernetes_admin_agent</span><span class="o">]</span><span class="err">:</span><span class="w"> </span><span class="n">I</span><span class="w"> </span><span class="n">can</span><span class="w"> </span><span class="n">help</span><span class="w"> </span><span class="n">you</span><span class="w"> </span><span class="k">with</span><span class="w"> </span><span class="n">that</span><span class="err">!</span><span class="w"> </span><span class="k">To</span><span class="w"> </span><span class="n">tell</span><span class="w"> </span><span class="n">you</span><span class="w"> </span><span class="n">how</span><span class="w"> </span><span class="n">many</span><span class="w"> </span><span class="n">pods</span><span class="w"> </span><span class="k">are</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">your</span><span class="w"> </span><span class="n">cluster</span><span class="p">,</span><span class="w"> </span><span class="n">I</span><span class="w"> </span><span class="n">need</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="k">check</span><span class="w"> </span><span class="ow">all</span><span class="w"> </span><span class="n">namespaces</span><span class="p">.</span>
<span class="n">Should</span><span class="w"> </span><span class="n">I</span><span class="w"> </span><span class="n">proceed</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="k">get</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">list</span><span class="w"> </span><span class="k">of</span><span class="w"> </span><span class="ow">all</span><span class="w"> </span><span class="n">pods</span><span class="w"> </span><span class="n">across</span><span class="w"> </span><span class="ow">all</span><span class="w"> </span><span class="n">namespaces</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">your</span><span class="w"> </span><span class="n">cluster</span><span class="vm">?</span>
</code></pre></div>
<h2 id="giving-tools-to-my-agent">Giving tools to my agent<a class="headerlink" href="#giving-tools-to-my-agent" title="Permanent link">¶</a></h2>
<p>First, let’s write a Python function to interact with <code>kubectl</code> and wrap it as an ADK tool.</p>
<ul>
<li>Create/edit <code>kubernetes-admin/kubernetes_admin/tools/kubectl_tool.py</code> with the following content:</li>
</ul>
<div class="highlight"><pre><span></span><code><span class="c1"># In kubernetes_admin/kubernetes_admin/tools/kubectl_tool.py<<EOF</span>
<span class="sd">"""Tool for executing kubectl get commands."""</span>
<span class="kn">import</span><span class="w"> </span><span class="nn">subprocess</span> <span class="c1"># For actual kubectl calls</span>
<span class="kn">from</span><span class="w"> </span><span class="nn">google.adk.tools</span><span class="w"> </span><span class="kn">import</span> <span class="n">FunctionTool</span>
<span class="k">def</span><span class="w"> </span><span class="nf">run_kubectl</span><span class="p">(</span><span class="n">verbs</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="s2">"get"</span><span class="p">,</span> <span class="n">resource_type</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="s2">"pods"</span><span class="p">,</span> <span class="n">resource_name</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="s2">""</span><span class="p">,</span> <span class="n">namespace</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="s2">"default"</span><span class="p">)</span> <span class="o">-></span> <span class="nb">str</span><span class="p">:</span>
<span class="w"> </span><span class="sd">"""</span>
<span class="sd"> Runs a kubectl command with the specified verb, resource type, optional resource name, and namespace.</span>
<span class="sd"> Exemples:</span>
<span class="sd"> To get configuration of a specific pod use verbs: "describe", namespace: "all", resource_type: "pods", resource_name: "<custom pod name>"</span>
<span class="sd"> To get logs of a specific pod use verbs: "logs", namespace: "<namespace>", resource_type: "", resource_name: "<custom pod name>"</span>
<span class="sd"> To list pods in all namespace use verbs: "get", namespace: "all", resource_type: "pods", resource_name: ""</span>
<span class="sd"> Args:</span>
<span class="sd"> verbs: The kubectl verb to use (e.g., 'get', 'describe', 'logs', 'top').</span>
<span class="sd"> resource_type: The type of Kubernetes resource (e.g., 'pods', 'nodes', 'services', 'deployments').</span>
<span class="sd"> resource_name: Optional. The specific name of the resource. If None, lists all resources of the type.</span>
<span class="sd"> namespace: Optional. The Kubernetes namespace. Defaults to 'default'.</span>
<span class="sd"> Returns:</span>
<span class="sd"> A string containing the output of the kubectl command or an error message.</span>
<span class="sd"> """</span>
<span class="k">try</span><span class="p">:</span>
<span class="n">command</span> <span class="o">=</span> <span class="p">[</span><span class="s2">"kubectl"</span><span class="p">,</span> <span class="n">verbs</span><span class="p">]</span>
<span class="k">if</span> <span class="n">resource_name</span> <span class="o">!=</span> <span class="s2">""</span><span class="p">:</span>
<span class="n">command</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="sa">f</span><span class="s1">'</span><span class="si">{</span><span class="n">resource_type</span><span class="si">}</span><span class="s1">/</span><span class="si">{</span><span class="n">resource_name</span><span class="si">}</span><span class="s1">'</span><span class="p">)</span>
<span class="k">else</span><span class="p">:</span>
<span class="n">command</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="sa">f</span><span class="s1">'</span><span class="si">{</span><span class="n">resource_type</span><span class="si">}</span><span class="s1">'</span><span class="p">)</span>
<span class="k">if</span> <span class="n">namespace</span> <span class="o">!=</span> <span class="s2">"all"</span><span class="p">:</span>
<span class="n">command</span><span class="o">.</span><span class="n">extend</span><span class="p">([</span><span class="s2">"-n"</span><span class="p">,</span> <span class="n">namespace</span><span class="p">])</span>
<span class="k">else</span><span class="p">:</span>
<span class="n">command</span><span class="o">.</span><span class="n">extend</span><span class="p">([</span><span class="s2">"--all-namespaces"</span><span class="p">])</span>
<span class="n">result</span> <span class="o">=</span> <span class="n">subprocess</span><span class="o">.</span><span class="n">run</span><span class="p">(</span><span class="n">command</span><span class="p">,</span> <span class="n">capture_output</span><span class="o">=</span><span class="kc">True</span><span class="p">,</span> <span class="n">text</span><span class="o">=</span><span class="kc">True</span><span class="p">,</span> <span class="n">check</span><span class="o">=</span><span class="kc">True</span><span class="p">,</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">30</span><span class="p">)</span>
<span class="k">return</span> <span class="n">result</span><span class="o">.</span><span class="n">stdout</span>
<span class="k">except</span> <span class="ne">FileNotFoundError</span><span class="p">:</span>
<span class="k">return</span> <span class="s2">"Error: kubectl command not found. Please ensure kubectl is installed and in your PATH."</span>
<span class="k">except</span> <span class="n">subprocess</span><span class="o">.</span><span class="n">CalledProcessError</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span>
<span class="k">return</span> <span class="sa">f</span><span class="s2">"Error executing kubectl command: </span><span class="si">{</span><span class="n">e</span><span class="o">.</span><span class="n">stderr</span><span class="si">}</span><span class="s2">"</span>
<span class="k">except</span> <span class="n">subprocess</span><span class="o">.</span><span class="n">TimeoutExpired</span><span class="p">:</span>
<span class="k">return</span> <span class="s2">"Error: kubectl command timed out."</span>
<span class="k">except</span> <span class="ne">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span>
<span class="k">return</span> <span class="sa">f</span><span class="s2">"An unexpected error occurred: </span><span class="si">{</span><span class="nb">str</span><span class="p">(</span><span class="n">e</span><span class="p">)</span><span class="si">}</span><span class="s2">"</span>
<span class="n">kubectl_tool</span> <span class="o">=</span> <span class="n">FunctionTool</span><span class="p">(</span>
<span class="n">func</span><span class="o">=</span><span class="n">run_kubectl</span><span class="p">)</span>
</code></pre></div>
<ul>
<li>Now, let’s update kubernetes-admin/kubernetes_admin/agent.py to include this new tool.
Import the tool:</li>
</ul>
<div class="highlight"><pre><span></span><code><span class="kn">from</span><span class="w"> </span><span class="nn">.tools.kubectl_tool</span><span class="w"> </span><span class="kn">import</span> <span class="n">kubectl_tool</span> <span class="c1"># Import the FunctionTool instance</span>
<span class="o">...</span>
<span class="o">...</span>
<span class="n">kubernetes_admin_agent</span> <span class="o">=</span> <span class="n">LlmAgent</span><span class="p">(</span>
<span class="n">name</span><span class="o">=</span><span class="s2">"kubernetes_admin_agent"</span><span class="p">,</span>
<span class="n">model</span><span class="o">=</span><span class="n">MODEL</span><span class="p">,</span>
<span class="n">description</span><span class="o">=</span><span class="p">(</span>
<span class="s2">"An AI agent that helps users explore and understand their Kubernetes cluster by answering questions and retrieving information about resources."</span>
<span class="p">),</span>
<span class="n">instruction</span><span class="o">=</span><span class="n">KUBERNETES_ADMIN_INSTRUCTION</span><span class="p">,</span>
<span class="n">tools</span><span class="o">=</span><span class="p">[</span><span class="n">kubectl_tool</span><span class="p">],</span> <span class="c1"># Pass the FunctionTool instance</span>
<span class="p">)</span>
</code></pre></div>
<ul>
<li>Update the agent’s instructions within KUBERNETES_ADMIN_INSTRUCTION in kubernetes-admin/kubernetes_admin/agent.py to inform the LLM about the new tool and how to use it:</li>
</ul>
<div class="highlight"><pre><span></span><code><span class="n">KUBERNETES_ADMIN_INSTRUCTION</span> <span class="o">=</span> <span class="s2">"""</span>
<span class="s2">...</span>
<span class="s2">...</span>
<span class="s2">You have a tool named 'run_kubectl_command' to fetch information from the Kubernetes cluster by executing kubectl commands.</span>
<span class="s2">Tool 'run_kubectl_command' arguments:</span>
<span class="s2">- 'verbs': (string, required) The kubectl verb to use (e.g., 'get', 'describe', 'logs', 'top').</span>
<span class="s2">- 'resource_type': (string, required) The type of Kubernetes resource (e.g., 'pods', 'nodes', 'services', 'deployments', 'namespaces').</span>
<span class="s2">- 'resource_name': (string, optional) The specific name of the resource. If not provided, all resources of the given type in the namespace will be listed.</span>
<span class="s2">- 'namespace': (string, optional, defaults to 'default') The Kubernetes namespace to query.</span>
<span class="s2">When a user asks for information that requires querying the cluster (e.g., "list pods", "get node status", "describe service my-service", "get logs for pod xyz"), you MUST use the 'run_kubectl_command' tool.</span>
<span class="s2">Clearly state that you are using the tool, what you are querying for, and then present the information returned by the tool.</span>
<span class="s2">Determine the correct 'verbs' argument based on the user's request (e.g., "list" or "how many" implies 'get', "what's the status" implies 'get', "describe" implies 'describe', "show logs" implies 'logs').</span>
<span class="s2">"""</span>
</code></pre></div>
<h3 id="and-now-real-testing">And now real testing<a class="headerlink" href="#and-now-real-testing" title="Permanent link">¶</a></h3>
<p>Now, let’s perform a real test to see if our agent uses <code>kubectl</code> as expected. (Ensure you have a valid <code>kubeconfig</code> file and are connected to a Kubernetes cluster for this test.)</p>
<div class="highlight"><pre><span></span><code>$<span class="w"> </span>adk<span class="w"> </span>run<span class="w"> </span>.
...
<span class="o">[</span>user<span class="o">]</span>:<span class="w"> </span>how<span class="w"> </span>many<span class="w"> </span>pod<span class="w"> </span><span class="k">in</span><span class="w"> </span>my<span class="w"> </span>cluster<span class="w"> </span>all<span class="w"> </span>namespaces
<span class="o">[</span>kubernetes_admin_agent<span class="o">]</span>:<span class="w"> </span>Okay,<span class="w"> </span>I<span class="w"> </span>can<span class="w"> </span><span class="nb">help</span><span class="w"> </span>you<span class="w"> </span>with<span class="w"> </span>that.<span class="w"> </span>I<span class="w"> </span>will<span class="w"> </span>use<span class="w"> </span>the<span class="w"> </span><span class="sb">`</span>run_kubectl<span class="sb">`</span><span class="w"> </span>tool<span class="w"> </span>to<span class="w"> </span>list<span class="w"> </span>all<span class="w"> </span>pods<span class="w"> </span><span class="k">in</span><span class="w"> </span>all<span class="w"> </span>namespaces<span class="w"> </span>and<span class="w"> </span><span class="k">then</span><span class="w"> </span>count<span class="w"> </span>them<span class="w"> </span><span class="k">for</span><span class="w"> </span>you.
<span class="o">[</span>kubernetes_admin_agent<span class="o">]</span>:<span class="w"> </span>I<span class="w"> </span>have<span class="w"> </span>retrieved<span class="w"> </span>the<span class="w"> </span>list<span class="w"> </span>of<span class="w"> </span>all<span class="w"> </span>pods<span class="w"> </span>across<span class="w"> </span>all<span class="w"> </span>namespaces.<span class="w"> </span>There<span class="w"> </span>are<span class="w"> </span>a<span class="w"> </span>lot<span class="w"> </span>of<span class="w"> </span>them!
Based<span class="w"> </span>on<span class="w"> </span>the<span class="w"> </span>output,<span class="w"> </span>there<span class="w"> </span>are<span class="w"> </span><span class="m">119</span><span class="w"> </span>pods<span class="w"> </span><span class="k">in</span><span class="w"> </span>your<span class="w"> </span>cluster<span class="w"> </span>across<span class="w"> </span>all<span class="w"> </span>namespaces.
</code></pre></div>
<h2 id="kubernetes-integration">Kubernetes integration<a class="headerlink" href="#kubernetes-integration" title="Permanent link">¶</a></h2>
<p>We will now deploy our agent into a kubernetes cluster, to give possibility to other user to use it.</p>
<h3 id="build-a-docker-container">Build a docker container :<a class="headerlink" href="#build-a-docker-container" title="Permanent link">¶</a></h3>
<ol>
<li>
<p>Here’s a Dockerfile to build a container image for your Python agent. This Dockerfile:</p>
<ul>
<li>
<p>Uses a slim Python base image.</p>
</li>
<li>
<p>Installs <code>kubectl</code> (as your agent’s tool uses it) and Poetry.</p>
</li>
<li>
<p>Sets up a non-root user for better security.</p>
</li>
<li>
<p>Installs your project dependencies using Poetry.</p>
</li>
<li>
<p>Sets the default command to run your ADK agent using its built-in HTTP server.</p>
</li>
</ul>
<p>```Dockerfile</p>
<h1 id="in-kubernetes_admindockerfile">In kubernetes_admin/Dockerfile<a class="headerlink" href="#in-kubernetes_admindockerfile" title="Permanent link">¶</a></h1>
<p>FROM python:3.13-slim
WORKDIR /app</p>
<p>RUN pip install poetry
ENV PORT=8080
RUN apt update && apt install -y kubernetes-client/stable prometheus/stable && apt clean
COPY . .</p>
<p>RUN adduser –disabled-password –gecos “” myuser && \
chown -R myuser:myuser /app</p>
<p>USER myuser</p>
<p>RUN poetry install</p>
<p>ENV PATH=”/home/myuser/.local/bin:$PATH”
CMD poetry run uvicorn main:app –host 0.0.0.0 –port $PORT
```</p>
</li>
<li>
<p>(One-time setup) Create an Artifact Registry repository if you haven’t already.
<code>bash
# Replace REGION and GOOGLE_CLOUD_PROJECT with your details.
gcloud artifacts repositories create adk-repo --repository-format=docker \
--location=YOUR_REGION \
--description="ADK agent repository" \
--project=YOUR_GOOGLE_CLOUD_PROJECT</code></p>
</li>
<li>Build the Docker image and push it to Artifact Registry.
<code>bash
# Replace REGION and GOOGLE_CLOUD_PROJECT with your details.
gcloud builds submit --tag YOUR_REGION-docker.pkg.dev/YOUR_GOOGLE_CLOUD_PROJECT/adk-repo/k8s-admin-agent:latest \</code></li>
</ol>
<h3 id="add-rbac">Add RBAC<a class="headerlink" href="#add-rbac" title="Permanent link">¶</a></h3>
<p>The following manifest creates a Kubernetes <code>ServiceAccount</code> in the <code>kubernetes-admin-agent</code> namespace. It also defines a <code>ClusterRole</code> with read-only permissions (get, list, watch) across all API groups and resources, and then uses a <code>ClusterRoleBinding</code> to grant these permissions to the created <code>ServiceAccount</code>.</p>
<div class="highlight"><pre><span></span><code>kubectl<span class="w"> </span>apply<span class="w"> </span>-f<span class="w"> </span>-<span class="w"> </span><span class="s"><<EOF</span>
<span class="s">apiVersion: v1</span>
<span class="s">kind: ServiceAccount</span>
<span class="s">metadata:</span>
<span class="s"> name: kubernetes-admin-agent</span>
<span class="s">---</span>
<span class="s">apiVersion: rbac.authorization.k8s.io/v1</span>
<span class="s">kind: ClusterRole</span>
<span class="s">metadata:</span>
<span class="s"> name: kubernetes-admin-agent</span>
<span class="s">rules:</span>
<span class="s">- apiGroups:</span>
<span class="s"> - "*"</span>
<span class="s"> resources:</span>
<span class="s"> - "*"</span>
<span class="s"> verbs:</span>
<span class="s"> - get</span>
<span class="s"> - list</span>
<span class="s"> - watch</span>
<span class="s">---</span>
<span class="s">apiVersion: rbac.authorization.k8s.io/v1</span>
<span class="s"># This cluster role binding allows the kubernetes-admin-agent ServiceAccount to read all resources in any namespace.</span>
<span class="s">kind: ClusterRoleBinding</span>
<span class="s">metadata:</span>
<span class="s"> name: kubernetes-admin-agent-global</span>
<span class="s">subjects:</span>
<span class="s">- kind: ServiceAccount</span>
<span class="s"> name: kubernetes-admin-agent</span>
<span class="s"> namespace: kubernetes-admin-agent</span>
<span class="s">roleRef:</span>
<span class="s"> kind: ClusterRole</span>
<span class="s"> name: kubernetes-admin-agent</span>
<span class="s"> apiGroup: rbac.authorization.k8s.io</span>
<span class="s">EOF</span>
</code></pre></div>
<h3 id="add-secret-for-google-credentials">Add secret for google credentials<a class="headerlink" href="#add-secret-for-google-credentials" title="Permanent link">¶</a></h3>
<p>To allow your agent running in Kubernetes to authenticate with Google Cloud services (specifically Vertex AI for Gemini), you need to create a GCP service account, grant it the necessary permissions, generate a key for it, and store this key as a Kubernetes secret.</p>
<p>Make sure your <code>GOOGLE_CLOUD_PROJECT</code> environment variable is set correctly before running these commands.</p>
<div class="highlight"><pre><span></span><code><span class="c1"># 1. Create the service account</span>
gcloud<span class="w"> </span>iam<span class="w"> </span>service-accounts<span class="w"> </span>create<span class="w"> </span>kubernetes-admin-agent
<span class="c1"># 2. Grant the service account the "Vertex AI User" role on your project</span>
gcloud<span class="w"> </span>projects<span class="w"> </span>add-iam-policy-binding<span class="w"> </span><span class="si">${</span><span class="nv">GOOGLE_CLOUD_PROJECT</span><span class="si">}</span><span class="w"> </span><span class="se">\</span>
<span class="w"> </span>--member<span class="o">=</span><span class="s2">"serviceAccount:kubernetes-admin-agent@</span><span class="si">${</span><span class="nv">GOOGLE_CLOUD_PROJECT</span><span class="si">}</span><span class="s2">.iam.gserviceaccount.com"</span><span class="w"> </span><span class="se">\</span>
<span class="w"> </span>--role<span class="o">=</span><span class="s2">"roles/aiplatform.user"</span>
<span class="c1"># 3. Create and download a key for the service account</span>
gcloud<span class="w"> </span>iam<span class="w"> </span>service-accounts<span class="w"> </span>keys<span class="w"> </span>create<span class="w"> </span>key.json<span class="w"> </span><span class="se">\</span>
<span class="w"> </span>--iam-account<span class="o">=</span><span class="s2">"kubernetes-admin-agent@</span><span class="si">${</span><span class="nv">GOOGLE_CLOUD_PROJECT</span><span class="si">}</span><span class="s2">.iam.gserviceaccount.com"</span>
<span class="c1"># 4. Create a Kubernetes namespace for the agent (if not already created)</span>
kubectl<span class="w"> </span>create<span class="w"> </span>ns<span class="w"> </span>kubernetes-admin-agent
<span class="c1"># 5. Create a Kubernetes secret from the downloaded key file</span>
kubectl<span class="w"> </span>create<span class="w"> </span>secret<span class="w"> </span>generic<span class="w"> </span>google-cloud-key<span class="w"> </span>-n<span class="w"> </span>kubernetes-admin-agent<span class="w"> </span>--from-file<span class="o">=</span>key.json<span class="o">=</span>key.json
</code></pre></div>
<h3 id="deploy-service">Deploy service<a class="headerlink" href="#deploy-service" title="Permanent link">¶</a></h3>
<h2 id="testing-and-experimentings">Testing and experimentings<a class="headerlink" href="#testing-and-experimentings" title="Permanent link">¶</a></h2>
<h3 id="diagnose-oomkill">Diagnose OOMKill<a class="headerlink" href="#diagnose-oomkill" title="Permanent link">¶</a></h3>
<h2 id="conclusion-and-prospective">Conclusion and prospective<a class="headerlink" href="#conclusion-and-prospective" title="Permanent link">¶</a></h2>Pourquoi vous avez besoin de certificats dans SSH ?2024-07-25T00:00:00+02:002024-07-25T00:00:00+02:00Mathieu GOULINtag:www.ops-chronicles.cloud,2024-07-25:/fr/why-you-need-SSH-certificates.html<p>Les certificats SSH offrent une alternative plus sécurisée et plus gérable aux clés SSH traditionnelles en tirant parti d’une autorité de certification centralisée comme Hashicorp Vault.</p><div class="toc">
<ul>
<li><a href="#introduction">Introduction</a></li>
<li><a href="#les-perils-des-cles-privees-pourquoi-le-partage-ou-une-mauvaise-gestion-est-risque">Les périls des clés privées : pourquoi le partage ou une mauvaise gestion est risqué</a></li>
<li><a href="#cas-dutilisation-acces-sre-et-developpeur-ssh-avec-hashicorp-vault">Cas d’utilisation : accès SRE et développeur SSH avec Hashicorp Vault</a></li>
<li><a href="#generer-et-distribuer-un-certificat-ssh">Générer et distribuer un certificat SSH</a><ul>
<li><a href="#prerequis">Prérequis:</a></li>
<li><a href="#activez-le-ssh-secrets-engine">Activez le “SSH Secrets Engine”:</a></li>
<li><a href="#creer-une-autorite-de-certification-pour-le-coffre-fort-hashicorp">Créer une autorité de certification pour le coffre-fort hashicorp</a></li>
<li><a href="#ajout-dune-autorisation-de-roles-pour-les-developpeurs-dans-hashicorp-vault">Ajout d’une autorisation de rôles pour les développeurs dans Hashicorp Vault</a></li>
<li><a href="#etape-0-injection-de-lautorite-de-certification-dans-les-serveurs-aws-azure-et-gcp">Étape 0 : Injection de l’autorité de certification dans les serveurs AWS, Azure et GCP</a><ul>
<li><a href="#aws">AWS</a></li>
<li><a href="#gcp">GCP</a></li>
<li><a href="#azure">Azure</a></li>
<li><a href="#custom-onprem-instances">Custom OnPrem Instances</a></li>
</ul>
</li>
</ul>
</li>
<li><a href="#comment-les-developpeurs-peuvent-se-connecter-avec-des-certificats-signes-ssh">Comment les développeurs peuvent se connecter avec des certificats signés SSH</a><ul>
<li><a href="#etape-1-demander-un-certificat-en-tant-que-developpeur-je-souhaite-signer-mes-cles-ssh">Étape 1 : Demander un certificat : En tant que développeur, je souhaite signer mes clés ssh</a></li>
<li><a href="#etape-2-connexion-ssh-en-tant-que-developpeur-je-souhaite-me-connecter-sur-mes-instances-via-ssh">Étape 2 : Connexion SSH : En tant que développeur, je souhaite me connecter sur mes instances via ssh</a></li>
</ul>
</li>
<li><a href="#conclusion">Conclusion</a></li>
<li><a href="#liens">Liens :</a></li>
</ul>
</div>
<h2 id="introduction">Introduction<a class="headerlink" href="#introduction" title="Permanent link">¶</a></h2>
<p>Lorsque vous travaillez dans le cloud, sécuriser l’accès aux serveurs Linux de production est essentiel car votre charge de travail est confrontée à Internet. Les grandes entreprises jonglent avec les besoins critiques : maintenir un contrôle strict, appliquer un accès granulaire et garantir le plus haut niveau de sécurité.</p>
<p>Les clés SSH traditionnelles, bien qu’elles constituent la pierre angulaire de l’accès à distance, peuvent présenter des défis dans ces domaines.
Cet article de blog explique pourquoi les certificats SSH, en combinant la puissance de Vault, offrent une alternative intéressante aux clés SSH traditionnelles. </p>
<p>Nous aborderons les aspects cruciaux de la gestion de l’accès aux environnements de production :</p>
<ul>
<li><strong>Contrôle centralisé et informations d’identification expirantes</strong> : les certificats SSH, émis et gérés par une autorité de certification (CA) centrale, fournissent un point de contrôle unique pour l’accès. Contrairement aux clés SSH statiques, les certificats peuvent avoir une durée de vie définie, garantissant que les informations d’identification compromises sont automatiquement révoquées après expiration.</li>
<li><strong>Banishing Root Login</strong> : Les dangers inhérents à la connexion root sont déjà bien documentés. Les certificats SSH vous permettent d’appliquer un accès non root, en promouvant un principe de moindre privilège et en minimisant les dommages potentiels.</li>
<li><strong>Visibilité granulaire et contrôle d’accès</strong> : les certificats offrent un niveau granulaire de contrôle d’accès. Vous pouvez définir non seulement qui peut accéder à un serveur, mais aussi quelles commandes ils peuvent exécuter et dans quelles conditions (permit-pty, port-forwarding, …). Ce niveau de détail fournit une piste d’audit claire et minimise la surface d’attaque.</li>
</ul>
<p>En mettant en œuvre des certificats SSH, les entreprises peuvent gagner un avantage significatif dans la sécurisation de leurs environnements de production.</p>
<h2 id="les-perils-des-cles-privees-pourquoi-le-partage-ou-une-mauvaise-gestion-est-risque">Les périls des clés privées : pourquoi le partage ou une mauvaise gestion est risqué<a class="headerlink" href="#les-perils-des-cles-privees-pourquoi-le-partage-ou-une-mauvaise-gestion-est-risque" title="Permanent link">¶</a></h2>
<p>Il existe plusieurs raisons pour lesquelles les utilisateurs/Administrateurs peuvent conserver leurs clés privées SSH sur leur ordinateur.</p>
<ul>
<li>C’est indéniablement pratique. Avoir votre clé privée à portée de main permet un accès rapide et facile aux serveurs sans avoir besoin de saisir un mot de passe à chaque fois. Cela peut représenter un gain de temps considérable, en particulier pour ceux qui se connectent fréquemment à plusieurs serveurs.</li>
<li>Certains utilisateurs comprennent mal les implications en matière de sécurité. Ils pourraient croire que tant que leur ordinateur est sécurisé (mots de passe forts, pare-feu, etc.), la clé privée qui y est stockée est également sécurisée.</li>
</ul>
<p><strong>Mais</strong>:</p>
<ul>
<li>Si votre clé privée tombe entre de mauvaises mains, les attaquants obtiennent un accès complet à n’importe quel serveur auquel vous pouvez accéder avec cette clé. Cela pourrait leur permettre de voler des données, d’installer des logiciels malveillants ou de perturber des opérations critiques.</li>
<li>si vous perdez votre clé privée, vous serez exclu des serveurs auxquels vous devez accéder. Cela peut entraîner des temps d’arrêt et des perturbations importants.</li>
</ul>
<p>La mise en œuvre et la gestion des certificats SSH, en particulier pour ceux qui ne les connaissent pas, peuvent sembler une étape supplémentaire complexe par rapport à la simplicité d’utilisation d’une clé privée. Cependant, l’utilisation d’outils de fournisseurs cloud tels que <a href="https://docs.aws.amazon.com/fr_fr/systems-manager/latest/userguide/session-manager-working-with-sessions-start.html">AWS SSM Connect</a> ou <a href="https://cloud.google.com/compute/docs/oslogin?hl=fr">GCP oslogin</a> peut être une solution. Mais l’utilisation de certificats SSH offre l’avantage d’être nativement compatible multi-cloud, offrant une approche unifiée dans différents environnements cloud.</p>
<blockquote>
<p>💡💡💡 ** Nous avons donc besoin d’un outil pour nous aider ** 💡💡💡</p>
</blockquote>
<h2 id="cas-dutilisation-acces-sre-et-developpeur-ssh-avec-hashicorp-vault">Cas d’utilisation : accès SRE et développeur SSH avec Hashicorp Vault<a class="headerlink" href="#cas-dutilisation-acces-sre-et-developpeur-ssh-avec-hashicorp-vault" title="Permanent link">¶</a></h2>
<blockquote>
<p>Une équipe de développement a besoin d’accéder à un serveur de production à des fins de dépannage et de débogage. L’équipe SRE est responsable de la gestion de l’accès et de la sécurité du serveur.</p>
</blockquote>
<p><img alt="image" src="/images/2024-why-you-need-SSH-certificates/use-case.png" /></p>
<h2 id="generer-et-distribuer-un-certificat-ssh">Générer et distribuer un certificat SSH<a class="headerlink" href="#generer-et-distribuer-un-certificat-ssh" title="Permanent link">¶</a></h2>
<h3 id="prerequis">Prérequis:<a class="headerlink" href="#prerequis" title="Permanent link">¶</a></h3>
<ul>
<li><a href="https://www.ops-chronicles.cloud/fr/hosting-hashicorpvault-on-cloudrun.html">Une instance Vault</a></li>
<li>Une compréhension de base des concepts de Vault tels que les “secrets engines”, “policies”, et “roles”.</li>
</ul>
<h3 id="activez-le-ssh-secrets-engine">Activez le “SSH Secrets Engine”:<a class="headerlink" href="#activez-le-ssh-secrets-engine" title="Permanent link">¶</a></h3>
<p>Avant de plonger dans la configuration, il est essentiel de comprendre ce que fait le moteur de secrets SSH. Il fournit un moyen sécurisé de gérer les informations d’identification SSH, offrant des fonctionnalités telles que :</p>
<ul>
<li>Génération d’informations d’identification SSH dynamiques</li>
<li>Authentification basée sur un certificat</li>
<li>Contrôle d’accès basé sur les rôles</li>
<li>Intégration avec d’autres fonctionnalités de Vault</li>
</ul>
<p>Pour activer le moteur de secrets SSH, vous utiliserez la CLI Vault. Voici la commande :</p>
<div class="highlight"><pre><span></span><code>vault<span class="w"> </span>secrets<span class="w"> </span><span class="nb">enable</span><span class="w"> </span>-path<span class="o">=</span>ssh<span class="w"> </span>ssh
</code></pre></div>
<p>Cette commande monte le moteur de secrets SSH sur le chemin /ssh. Vous pouvez personnaliser le chemin si nécessaire.</p>
<h3 id="creer-une-autorite-de-certification-pour-le-coffre-fort-hashicorp">Créer une autorité de certification pour le coffre-fort hashicorp<a class="headerlink" href="#creer-une-autorite-de-certification-pour-le-coffre-fort-hashicorp" title="Permanent link">¶</a></h3>
<p>Nous disposons de deux méthodes pour établir une autorité de certification (CA) : l’<strong>interface de ligne de commande (CLI)</strong> et <strong>Terraform</strong>.</p>
<ul>
<li>Pour générer une CA via bash :</li>
</ul>
<div class="highlight"><pre><span></span><code>vault write ssh/config/ca generate_signing_key=true
</code></pre></div>
<ul>
<li>Soit pour générer une CA via terraform :</li>
</ul>
<div class="highlight"><pre><span></span><code><span class="nx">resource</span><span class="w"> </span><span class="s">"vault_mount"</span><span class="w"> </span><span class="s">"ssh_signer"</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nx">path</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="s">"ssh-client-signer"</span>
<span class="w"> </span><span class="k">type</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="s">"ssh"</span>
<span class="w"> </span><span class="nx">description</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="s">"Sign ssh public keys"</span>
<span class="p">}</span>
<span class="nx">resource</span><span class="w"> </span><span class="s">"vault_ssh_secret_backend_ca"</span><span class="w"> </span><span class="s">"user"</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nx">backend</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="nx">vault_mount</span><span class="p">.</span><span class="nx">ssh_signer</span><span class="p">.</span><span class="nx">path</span>
<span class="w"> </span><span class="nx">generate_signing_key</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="kc">true</span>
<span class="p">}</span>
<span class="nx">output</span><span class="w"> </span><span class="s">"pub_key"</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nx">value</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="nx">vault_ssh_secret_backend_ca</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">public_key</span>
<span class="p">}</span>
</code></pre></div>
<h3 id="ajout-dune-autorisation-de-roles-pour-les-developpeurs-dans-hashicorp-vault">Ajout d’une autorisation de rôles pour les développeurs dans Hashicorp Vault<a class="headerlink" href="#ajout-dune-autorisation-de-roles-pour-les-developpeurs-dans-hashicorp-vault" title="Permanent link">¶</a></h3>
<p>Pour gérer efficacement l’accès des développeurs aux certificats SSH dans Hashicorp Vault, nous devons configurer les autorisations SSH pour signer les demandes des développeurs.</p>
<ul>
<li>Avec terraform</li>
</ul>
<div class="highlight"><pre><span></span><code><span class="nx">resource</span><span class="w"> </span><span class="s">"vault_ssh_secret_backend_role"</span><span class="w"> </span><span class="s">"user"</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nx">name</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="s">"mgoulin"</span>
<span class="w"> </span><span class="nx">backend</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="nx">vault_mount</span><span class="p">.</span><span class="nx">ssh_signer</span><span class="p">.</span><span class="nx">path</span>
<span class="w"> </span><span class="nx">key_type</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="s">"ca"</span>
<span class="w"> </span><span class="nx">allow_user_certificates</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="kc">true</span>
<span class="w"> </span><span class="nx">default_extensions</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="s">"permit-agent-forwarding"</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="s">""</span>
<span class="w"> </span><span class="s">"permit-pty"</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="s">""</span>
<span class="w"> </span><span class="s">"permit-port-forwarding"</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="s">""</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="nx">ttl</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="s">"1h"</span>
<span class="p">}</span>
</code></pre></div>
<h3 id="etape-0-injection-de-lautorite-de-certification-dans-les-serveurs-aws-azure-et-gcp">Étape 0 : Injection de l’autorité de certification dans les serveurs AWS, Azure et GCP<a class="headerlink" href="#etape-0-injection-de-lautorite-de-certification-dans-les-serveurs-aws-azure-et-gcp" title="Permanent link">¶</a></h3>
<p>L’injection de clés publiques SSH dans des instances cloud est une pratique courante pour permettre un accès SSH sécurisé. Voici comment procéder en tant que SRE sur AWS, Azure et GCP.</p>
<h4 id="aws">AWS<a class="headerlink" href="#aws" title="Permanent link">¶</a></h4>
<p>Ajoutez la clé publique à un objet paire de clés dans le service EC2 à l’aide de la commande <code>aws ec2 import-key-pair</code>.</p>
<div class="highlight"><pre><span></span><code>echo "cert-authority $(vault read -field public_key ssh-client-signer/config/ca)" > /tmp/authorized_keys.txt
aws ec2 import-key-pair --key-name "dev-key" --public-key-material fileb:///tmp/authorized_keys.txt
</code></pre></div>
<h4 id="gcp">GCP<a class="headerlink" href="#gcp" title="Permanent link">¶</a></h4>
<p>Ajoutez la clé publique aux métadonnées de l’instance à l’aide de la commande <code>gcloud compute project-info add-metadata</code>.</p>
<div class="highlight"><pre><span></span><code><span class="k">export</span><span class="w"> </span><span class="n">USERNAME</span><span class="o">=</span><span class="n">dev</span>
<span class="n">echo</span><span class="w"> </span><span class="s2">"$USERNAME:cert-authority $(terraform output -r pub_key)"</span><span class="w"> </span><span class="o">></span><span class="w"> </span><span class="o">/</span><span class="n">tmp</span><span class="o">/</span><span class="n">authorized_keys</span><span class="o">.</span><span class="n">txt</span>
<span class="n">cloud</span><span class="w"> </span><span class="n">compute</span><span class="w"> </span><span class="n">project</span><span class="o">-</span><span class="n">info</span><span class="w"> </span><span class="n">add</span><span class="o">-</span><span class="n">metadata</span><span class="w"> </span><span class="o">--</span><span class="n">metadata</span><span class="o">-</span><span class="n">from</span><span class="o">-</span><span class="n">file</span><span class="o">=</span><span class="n">ssh</span><span class="o">-</span><span class="n">keys</span><span class="o">=</span><span class="n">authorized_keys</span><span class="o">.</span><span class="n">txt</span>
</code></pre></div>
<h4 id="azure">Azure<a class="headerlink" href="#azure" title="Permanent link">¶</a></h4>
<p>Ajoutez la clé publique aux métadonnées de l’instance à l’aide de la commande <code>az sshkey</code>.</p>
<div class="highlight"><pre><span></span><code>echo "cert-authority $(vault read -field public_key ssh-client-signer/config/ca)" > /tmp/authorized_keys.txt
az sshkey create --name "dev-key" --public-key "@/tmp/authorized_keys.txt" --resource-group "myResourceGroup"
</code></pre></div>
<h4 id="custom-onprem-instances">Custom OnPrem Instances<a class="headerlink" href="#custom-onprem-instances" title="Permanent link">¶</a></h4>
<p>Ajoutez la clé publique à l’instance en tant que root en ajoutant la ligne suivante au fichier <code>/home/$USERNAME/authorized_keys</code>.</p>
<div class="highlight"><pre><span></span><code><span class="k">export</span><span class="w"> </span><span class="n">USERNAME</span><span class="o">=</span><span class="n">dev</span>
<span class="n">echo</span><span class="w"> </span><span class="s2">"cert-authority $(vault read -field public_key ssh-client-signer/config/ca)"</span><span class="w"> </span><span class="o">>></span><span class="w"> </span><span class="o">/</span><span class="n">home</span><span class="o">/$</span><span class="n">USERNAME</span><span class="o">/</span><span class="n">authorized_keys</span>
</code></pre></div>
<h2 id="comment-les-developpeurs-peuvent-se-connecter-avec-des-certificats-signes-ssh">Comment les développeurs peuvent se connecter avec des certificats signés SSH<a class="headerlink" href="#comment-les-developpeurs-peuvent-se-connecter-avec-des-certificats-signes-ssh" title="Permanent link">¶</a></h2>
<p>Traditionnellement, les connexions SSH reposaient sur des paires de clés publiques et privées pour l’authentification. Bien qu’efficace, cette méthode présente des défis en termes de gestion des clés, de révocation et de contrôle d’accès.
Avec Certificate-Authority et HashicorpVautl, les certificats lient l’identité d’un utilisateur à sa clé publique, permettant une authentification plus forte et un contrôle d’accès granulaire.</p>
<p>Avec les certificats SSH, les développeurs peuvent se connecter en toute sécurité aux serveurs distants sans avoir besoin de gérer directement les clés privées. Le processus implique :</p>
<h3 id="etape-1-demander-un-certificat-en-tant-que-developpeur-je-souhaite-signer-mes-cles-ssh">Étape 1 : Demander un certificat : En tant que développeur, je souhaite signer mes clés ssh<a class="headerlink" href="#etape-1-demander-un-certificat-en-tant-que-developpeur-je-souhaite-signer-mes-cles-ssh" title="Permanent link">¶</a></h3>
<p>Les développeurs demandent un certificat SSH à une autorité centralisée, souvent via un portail en libre-service ou en appelant l’API Vault.</p>
<p>Cela peut être fait avec la commande <code>vault</code> suivante. Lors de la requête, les développeurs fournissent leur clé publique, généralement stockée sous <code>id_rsa.pub</code>.</p>
<div class="highlight"><pre><span></span><code>vault write -field=signed_key ssh/sign/dev \
public_key=@$HOME/.ssh/id_rsa.pub > signed-cert.pub
</code></pre></div>
<h3 id="etape-2-connexion-ssh-en-tant-que-developpeur-je-souhaite-me-connecter-sur-mes-instances-via-ssh">Étape 2 : Connexion SSH : En tant que développeur, je souhaite me connecter sur mes instances via ssh<a class="headerlink" href="#etape-2-connexion-ssh-en-tant-que-developpeur-je-souhaite-me-connecter-sur-mes-instances-via-ssh" title="Permanent link">¶</a></h3>
<p>Les développeurs utilisent le certificat signé précédemment émis : <code>signed-cert.pub</code>, souvent appelé certificat client, pour s’authentifier auprès du serveur cible. Ce certificat, généralement au format PEM, contient la clé publique du développeur signée par l’autorité de certification (CA) de confiance, qui dans ce cas est Vault.</p>
<p>Lors de la connexion au serveur, le client SSH présente le certificat signé. Le serveur vérifie ensuite l’authenticité et la validité du certificat par rapport à la clé publique de l’autorité de certification. En cas de succès, la connexion est établie et le développeur accède au serveur.</p>
<div class="highlight"><pre><span></span><code>ssh -i ./signed-cert.pub -v -i ~/.ssh/id_rsa dev@<target_server>
</code></pre></div>
<h2 id="conclusion">Conclusion<a class="headerlink" href="#conclusion" title="Permanent link">¶</a></h2>
<p>En adoptant les certificats SSH et en tirant parti d’un outil de gestion de l’autorité de certification centralisée tel que Hashicorp Vault, les organisations peuvent améliorer considérablement leur posture de sécurité SSH. Cette approche offre une solution robuste aux défis posés par la gestion traditionnelle des clés SSH, offrant un contrôle granulaire, une auditabilité améliorée et une gestion rationalisée des accès.</p>
<p>En passant aux certificats SSH, les organisations peuvent atténuer les risques associés aux clés compromises, faciliter la rotation des clés et appliquer des politiques d’accès strictes. Cela conduit finalement à une infrastructure SSH plus sécurisée et efficace.</p>
<p>Même si la mise en œuvre de certificats SSH nécessite une planification et une configuration minutieuses, les avantages à long terme en termes de sécurité et de facilité de gestion dépassent de loin l’investissement initial.</p>
<p>En suivant les directives décrites dans cet article, les organisations peuvent déployer avec succès des certificats SSH et récolter les fruits d’un environnement SSH plus sécurisé et contrôlé.</p>
<h2 id="liens">Liens :<a class="headerlink" href="#liens" title="Permanent link">¶</a></h2>
<ul>
<li><a href="https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/deployment_guide/sec-creating_ssh_ca_certificate_signing-keys">RedHat documentation about ssh-certificate</a></li>
<li><a href="https://developer.hashicorp.com/vault/docs/secrets/ssh/signed-ssh-certificates">Hashicorp Vault documentation about SSH</a></li>
</ul>Why You Need SSH Certificates2024-07-25T00:00:00+02:002024-07-25T00:00:00+02:00Mathieu GOULINtag:www.ops-chronicles.cloud,2024-07-25:/why-you-need-SSH-certificates.html<p>SSH certificates offer a more secure and manageable alternative to traditional SSH keys by leveraging a centralized Certificate Authority like Hashicorp Vault.</p><div class="toc">
<ul>
<li><a href="#introduction">Introduction</a></li>
<li><a href="#the-perils-of-private-keys-why-sharing-or-poor-management-is-risky">The Perils of Private Keys: Why Sharing or Poor Management is Risky</a></li>
<li><a href="#use-case-sre-and-developer-ssh-access-with-hashicorp-vault">Use Case: SRE and Developer SSH Access with Hashicorp Vault</a></li>
<li><a href="#generating-and-distributing-ssh-certificate">Generating and distributing SSH Certificate</a><ul>
<li><a href="#prerequisites">Prerequisites:</a></li>
<li><a href="#enable-the-ssh-secrets-engine">Enable the SSH Secrets Engine:</a></li>
<li><a href="#create-certificate-authority-for-hashicorp-vault">Create Certificate-Authority for hashicorp vault</a></li>
<li><a href="#adding-roles-authorization-for-developers-in-hashicorp-vault">Adding Roles Authorization for Developers in Hashicorp Vault</a></li>
<li><a href="#step-0-injecting-certificate-authority-into-aws-azure-and-gcp-servers">Step 0: Injecting Certificate Authority into AWS, Azure, and GCP Servers</a><ul>
<li><a href="#aws">AWS</a></li>
<li><a href="#gcp">GCP</a></li>
<li><a href="#azure">Azure</a></li>
<li><a href="#custom-onprem-instances">Custom OnPrem Instances</a></li>
</ul>
</li>
</ul>
</li>
<li><a href="#how-developers-can-connect-with-ssh-signed-certificates">How developers can connect with ssh signed certificates</a><ul>
<li><a href="#step-1-requesting-a-certificate-as-a-developper-i-want-to-sign-my-ssh-keys">Step 1: Requesting a Certificate: As a developper I want to sign my ssh keys</a></li>
<li><a href="#step-2-ssh-connection-as-a-developper-i-want-to-connect-on-my-instances-via-ssh">Step 2: SSH Connection: As a developper I want to connect on my instances via ssh</a></li>
</ul>
</li>
<li><a href="#conclusion">Conclusion</a></li>
<li><a href="#links">Links :</a></li>
</ul>
</div>
<h2 id="introduction">Introduction<a class="headerlink" href="#introduction" title="Permanent link">¶</a></h2>
<p>When you work in the cloud, securing access to production Linux servers is essential as your workload are internet faced. Large companies juggle the critical needs of maintaining tight control, enforcing granular access, and ensuring the highest level of security.</p>
<p>Traditional SSH keys, while a cornerstone of remote access, can introduce challenges in these areas.
This blog post explores why, SSH certificates in combining the power of Vault offer a compelling alternative to traditional SSH keys. </p>
<p>We’ll delve into the crucial aspects of managing access to production environments:</p>
<ul>
<li><strong>Centralized Control and Expiring Credentials</strong>: SSH certificates, issued and managed by a central Certificate Authority (CA), provide a single point of control for access. Unlike static SSH keys, certificates can have defined lifespans, ensuring compromised credentials are automatically revoked after expiration.</li>
<li><strong>Banishing Root Login</strong>: The inherent dangers of root login are well documented. SSH certificates empower you to enforce non-root access, promoting a principle of least privilege and minimizing potential damage.</li>
<li><strong>Granular Visibility and Access Control</strong>: Certificates offer a granular level of access control. You can define not only who can access a server, but also what commands they can execute and under what conditions (permit-pty, port-forwarding, …). This level of detail provides a clear audit trail and minimizes the attack surface.</li>
</ul>
<p>By implementing SSH certificates, Compagnies can gain a significant edge in securing their production environments.</p>
<h2 id="the-perils-of-private-keys-why-sharing-or-poor-management-is-risky">The Perils of Private Keys: Why Sharing or Poor Management is Risky<a class="headerlink" href="#the-perils-of-private-keys-why-sharing-or-poor-management-is-risky" title="Permanent link">¶</a></h2>
<p>There are a few reasons why people or administrators might keep their SSH private keys on their computers. </p>
<ul>
<li>It’s undeniably convenient. Having your private key readily available allows for quick and easy access to servers without needing to enter a password every time. This can be a major time-saver, especially for those who connect to multiple servers frequently.</li>
<li>Some users misunderstand the security implications. They might believe that as long as their computer is secure (strong passwords, firewalls etc.) then the private key stored on it is safe as well.</li>
</ul>
<p><strong>But</strong>:</p>
<ul>
<li>If your private key falls into the wrong hands, attackers gain full access to any server you can access with that key. This could allow them to steal data, install malware, or disrupt critical operations.</li>
<li>if you lose your private key, you’ll be locked out of the servers you need to access. This can cause significant downtime and disruption.</li>
</ul>
<p>Implementing and managing SSH certificates, especially for those unfamiliar with them, might seem like a complex additional step compared to the simplicity of using a private key. However, while using cloud provider tools like <a href="https://docs.aws.amazon.com/fr_fr/systems-manager/latest/userguide/session-manager-working-with-sessions-start.html">AWS SSM Connect</a> or <a href="https://cloud.google.com/compute/docs/oslogin?hl=fr">GCP oslogin</a> can be a solution. But using SSH certificates offer the advantage of being natively multi-cloud compatible, providing a unified approach across different cloud environments.</p>
<blockquote>
<p>💡💡💡 ** So we need a tools to help us ** 💡💡💡</p>
</blockquote>
<h2 id="use-case-sre-and-developer-ssh-access-with-hashicorp-vault">Use Case: SRE and Developer SSH Access with Hashicorp Vault<a class="headerlink" href="#use-case-sre-and-developer-ssh-access-with-hashicorp-vault" title="Permanent link">¶</a></h2>
<blockquote>
<p>A development team needs access to a production server for troubleshooting and debugging purposes. The SRE team is responsible for managing server access and security.</p>
</blockquote>
<p><img alt="image" src="/images/2024-why-you-need-SSH-certificates/use-case.png" /></p>
<h2 id="generating-and-distributing-ssh-certificate">Generating and distributing SSH Certificate<a class="headerlink" href="#generating-and-distributing-ssh-certificate" title="Permanent link">¶</a></h2>
<h3 id="prerequisites">Prerequisites:<a class="headerlink" href="#prerequisites" title="Permanent link">¶</a></h3>
<ul>
<li><a href="https://www.ops-chronicles.cloud/hosting-hashicorpvault-on-cloudrun.html">A running Vault instance </a></li>
<li>A basic understanding of Vault concepts like secrets engines, policies, and roles.</li>
</ul>
<h3 id="enable-the-ssh-secrets-engine">Enable the SSH Secrets Engine:<a class="headerlink" href="#enable-the-ssh-secrets-engine" title="Permanent link">¶</a></h3>
<p>Before diving into the configuration, it’s essential to understand what the SSH secrets engine does. It provides a secure way to manage SSH credentials, offering features like:</p>
<ul>
<li>Dynamic SSH credentials generation</li>
<li>Certificate-based authentication</li>
<li>Role-based access control</li>
<li>Integration with other Vault features</li>
</ul>
<p>To enable the SSH secrets engine, you’ll use the Vault CLI. Here’s the command:</p>
<div class="highlight"><pre><span></span><code>vault<span class="w"> </span>secrets<span class="w"> </span><span class="nb">enable</span><span class="w"> </span>-path<span class="o">=</span>ssh<span class="w"> </span>ssh
</code></pre></div>
<p>This command mounts the SSH secrets engine at the path /ssh. You can customize the path if needed.</p>
<h3 id="create-certificate-authority-for-hashicorp-vault">Create Certificate-Authority for hashicorp vault<a class="headerlink" href="#create-certificate-authority-for-hashicorp-vault" title="Permanent link">¶</a></h3>
<p>We have two methods for establishing a Certificate Authority (CA): the <strong>Command-Line Interface (CLI)</strong> and <strong>Terraform</strong>.</p>
<ul>
<li>To generate a CA via bash : </li>
</ul>
<div class="highlight"><pre><span></span><code>vault write ssh/config/ca generate_signing_key=true
</code></pre></div>
<ul>
<li>Or to generate a CA via terraform : </li>
</ul>
<div class="highlight"><pre><span></span><code><span class="nx">resource</span><span class="w"> </span><span class="s">"vault_mount"</span><span class="w"> </span><span class="s">"ssh_signer"</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nx">path</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="s">"ssh-client-signer"</span>
<span class="w"> </span><span class="k">type</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="s">"ssh"</span>
<span class="w"> </span><span class="nx">description</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="s">"Sign ssh public keys"</span>
<span class="p">}</span>
<span class="nx">resource</span><span class="w"> </span><span class="s">"vault_ssh_secret_backend_ca"</span><span class="w"> </span><span class="s">"user"</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nx">backend</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="nx">vault_mount</span><span class="p">.</span><span class="nx">ssh_signer</span><span class="p">.</span><span class="nx">path</span>
<span class="w"> </span><span class="nx">generate_signing_key</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="kc">true</span>
<span class="p">}</span>
<span class="nx">output</span><span class="w"> </span><span class="s">"pub_key"</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nx">value</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="nx">vault_ssh_secret_backend_ca</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">public_key</span>
<span class="p">}</span>
</code></pre></div>
<h3 id="adding-roles-authorization-for-developers-in-hashicorp-vault">Adding Roles Authorization for Developers in Hashicorp Vault<a class="headerlink" href="#adding-roles-authorization-for-developers-in-hashicorp-vault" title="Permanent link">¶</a></h3>
<p>To effectively manage developer access to SSH certificates within Hashicorp Vault, we need to configure SSH authorizations for signing developper requests.</p>
<ul>
<li>With terraform</li>
</ul>
<div class="highlight"><pre><span></span><code><span class="nx">resource</span><span class="w"> </span><span class="s">"vault_ssh_secret_backend_role"</span><span class="w"> </span><span class="s">"user"</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nx">name</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="s">"mgoulin"</span>
<span class="w"> </span><span class="nx">backend</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="nx">vault_mount</span><span class="p">.</span><span class="nx">ssh_signer</span><span class="p">.</span><span class="nx">path</span>
<span class="w"> </span><span class="nx">key_type</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="s">"ca"</span>
<span class="w"> </span><span class="nx">allow_user_certificates</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="kc">true</span>
<span class="w"> </span><span class="nx">default_extensions</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="s">"permit-agent-forwarding"</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="s">""</span>
<span class="w"> </span><span class="s">"permit-pty"</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="s">""</span>
<span class="w"> </span><span class="s">"permit-port-forwarding"</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="s">""</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="nx">ttl</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="s">"1h"</span>
<span class="p">}</span>
</code></pre></div>
<h3 id="step-0-injecting-certificate-authority-into-aws-azure-and-gcp-servers">Step 0: Injecting Certificate Authority into AWS, Azure, and GCP Servers<a class="headerlink" href="#step-0-injecting-certificate-authority-into-aws-azure-and-gcp-servers" title="Permanent link">¶</a></h3>
<p>Injecting SSH public keys into cloud instances is a common practice to enable secure SSH access. Here’s how to do as SRE it on AWS, Azure, and GCP.</p>
<h4 id="aws">AWS<a class="headerlink" href="#aws" title="Permanent link">¶</a></h4>
<p>Add the public key to a key-pair object in EC2 service using the <code>aws ec2 import-key-pair</code> command.</p>
<div class="highlight"><pre><span></span><code>echo "cert-authority $(vault read -field public_key ssh-client-signer/config/ca)" > /tmp/authorized_keys.txt
aws ec2 import-key-pair --key-name "dev-key" --public-key-material fileb:///tmp/authorized_keys.txt
</code></pre></div>
<h4 id="gcp">GCP<a class="headerlink" href="#gcp" title="Permanent link">¶</a></h4>
<p>Add the public key to the instance metadata using the <code>gcloud compute project-info add-metadata</code> command.</p>
<div class="highlight"><pre><span></span><code><span class="k">export</span><span class="w"> </span><span class="n">USERNAME</span><span class="o">=</span><span class="n">dev</span>
<span class="n">echo</span><span class="w"> </span><span class="s2">"$USERNAME:cert-authority $(terraform output -r pub_key)"</span><span class="w"> </span><span class="o">></span><span class="w"> </span><span class="o">/</span><span class="n">tmp</span><span class="o">/</span><span class="n">authorized_keys</span><span class="o">.</span><span class="n">txt</span>
<span class="n">cloud</span><span class="w"> </span><span class="n">compute</span><span class="w"> </span><span class="n">project</span><span class="o">-</span><span class="n">info</span><span class="w"> </span><span class="n">add</span><span class="o">-</span><span class="n">metadata</span><span class="w"> </span><span class="o">--</span><span class="n">metadata</span><span class="o">-</span><span class="n">from</span><span class="o">-</span><span class="n">file</span><span class="o">=</span><span class="n">ssh</span><span class="o">-</span><span class="n">keys</span><span class="o">=</span><span class="n">authorized_keys</span><span class="o">.</span><span class="n">txt</span>
</code></pre></div>
<h4 id="azure">Azure<a class="headerlink" href="#azure" title="Permanent link">¶</a></h4>
<p>Add the public key to the instance metadata using the <code>az sshkey</code> command.</p>
<div class="highlight"><pre><span></span><code>echo "cert-authority $(vault read -field public_key ssh-client-signer/config/ca)" > /tmp/authorized_keys.txt
az sshkey create --name "dev-key" --public-key "@/tmp/authorized_keys.txt" --resource-group "myResourceGroup"
</code></pre></div>
<h4 id="custom-onprem-instances">Custom OnPrem Instances<a class="headerlink" href="#custom-onprem-instances" title="Permanent link">¶</a></h4>
<p>Add the public key to the instance as root by adding the following line to <code>/home/$USERNAME/authorized_keys</code> file.</p>
<div class="highlight"><pre><span></span><code><span class="k">export</span><span class="w"> </span><span class="n">USERNAME</span><span class="o">=</span><span class="n">dev</span>
<span class="n">echo</span><span class="w"> </span><span class="s2">"cert-authority $(vault read -field public_key ssh-client-signer/config/ca)"</span><span class="w"> </span><span class="o">>></span><span class="w"> </span><span class="o">/</span><span class="n">home</span><span class="o">/$</span><span class="n">USERNAME</span><span class="o">/</span><span class="n">authorized_keys</span>
</code></pre></div>
<h2 id="how-developers-can-connect-with-ssh-signed-certificates">How developers can connect with ssh signed certificates<a class="headerlink" href="#how-developers-can-connect-with-ssh-signed-certificates" title="Permanent link">¶</a></h2>
<p>Traditionally, SSH connections relied on public and private key pairs for authentication. While effective, this method presents challenges in terms of key management, revocation, and access control.
With Certificate-Authority and HashicorpVautl, certificates bind a user’s identity to their public key, enabling stronger authentication and granular access control.</p>
<p>With SSH certificates, developers can connect to remote servers securely without the need to manage private keys directly. The process involves:</p>
<h3 id="step-1-requesting-a-certificate-as-a-developper-i-want-to-sign-my-ssh-keys">Step 1: Requesting a Certificate: As a developper I want to sign my ssh keys<a class="headerlink" href="#step-1-requesting-a-certificate-as-a-developper-i-want-to-sign-my-ssh-keys" title="Permanent link">¶</a></h3>
<p>Developers request an SSH certificate from a centralized authority, often through a self-service portal or calling Vault API.</p>
<p>It can be done with the following <code>vault</code> command. During the request, developers provide their public key, typically stored as <code>id_rsa.pub</code>.</p>
<div class="highlight"><pre><span></span><code>vault write -field=signed_key ssh/sign/dev \
public_key=@$HOME/.ssh/id_rsa.pub > signed-cert.pub
</code></pre></div>
<h3 id="step-2-ssh-connection-as-a-developper-i-want-to-connect-on-my-instances-via-ssh">Step 2: SSH Connection: As a developper I want to connect on my instances via ssh<a class="headerlink" href="#step-2-ssh-connection-as-a-developper-i-want-to-connect-on-my-instances-via-ssh" title="Permanent link">¶</a></h3>
<p>Developers utilize the previously issued signed certificate : <code>signed-cert.pub</code>, often referred to as a client certificate, to authenticate with the target server. This certificate, typically in PEM format, contains the developer’s public key signed by the trusted Certificate Authority (CA), which in this case is Vault.</p>
<p>When connecting to the server, the SSH client presents the signed certificate. The server then verifies the certificate’s authenticity and validity against the CA’s public key. If successful, the connection is established, and the developer gains access to the server.</p>
<div class="highlight"><pre><span></span><code>ssh -i ./signed-cert.pub -v -i ~/.ssh/id_rsa dev@<target_server>
</code></pre></div>
<h2 id="conclusion">Conclusion<a class="headerlink" href="#conclusion" title="Permanent link">¶</a></h2>
<p>By adopting SSH certificates and leveraging a centralized certificate authority management tool such as Hashicorp Vault, organizations can significantly enhance their SSH security posture. This approach offers a robust solution to the challenges posed by traditional SSH key management, providing granular control, improved auditability, and streamlined access management.</p>
<p>By transitioning to SSH certificates, organizations can mitigate risks associated with compromised keys, facilitate key rotation, and enforce strong access policies. This ultimately leads to a more secure and efficient SSH infrastructure.</p>
<p>While implementing SSH certificates requires careful planning and configuration, the long-term benefits in terms of security and manageability far outweigh the initial investment.</p>
<p>By following the guidelines outlined in this article, organizations can successfully deploy SSH certificates and reap the rewards of a more secure and controlled SSH environment.</p>
<h2 id="links">Links :<a class="headerlink" href="#links" title="Permanent link">¶</a></h2>
<ul>
<li><a href="https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/deployment_guide/sec-creating_ssh_ca_certificate_signing-keys">RedHat documentation about ssh-certificate</a></li>
<li><a href="https://developer.hashicorp.com/vault/docs/secrets/ssh/signed-ssh-certificates">Hashicorp Vault documentation about SSH</a></li>
</ul>Sécurisez vos secret avec HashiCorp Vault : avec le PaaS GCP2024-07-22T00:00:00+02:002024-07-22T00:00:00+02:00Mathieu GOULINtag:www.ops-chronicles.cloud,2024-07-22:/fr/hosting-hashicorpvault-on-cloudrun.html<p>Heberger votre instance Vault en PaaS sur GCP : pour une gestion simple, évolutive et sécurisée des secrets de vos applications.</p><div class="toc">
<ul>
<li><a href="#introduction">Introduction</a></li>
<li><a href="#prerequis">Prérequis</a></li>
<li><a href="#etape-1-creer-un-service-de-compte">Étape 1 : Créer un service de compte</a></li>
<li><a href="#etape-2-confirgurer-une-cle-kms">Étape 2 : Confirgurer une Clé KMS</a></li>
<li><a href="#etape-3-configurer-un-bucket-de-stockage">Étape 3 : Configurer un bucket de stockage</a></li>
<li><a href="#etape-4-generer-un-fichier-de-configuration-pour-le-container">Étape 4 : Générer un fichier de configuration pour le container</a></li>
<li><a href="#etape-5-configurer-le-lancement-de-notre-container">Étape 5 : Configurer le lancement de notre container</a></li>
<li><a href="#etape-6-initialiser-le-vault">Étape 6 : Initialiser le Vault</a></li>
<li><a href="#conclusion">Conclusion</a></li>
</ul>
</div>
<h2 id="introduction">Introduction<a class="headerlink" href="#introduction" title="Permanent link">¶</a></h2>
<p><a href="https://www.vaultproject.io/">HashiCorp Vault</a> est un outil de gestion des secrets populaire qui permet de centraliser et de sécuriser les secrets sensibles tels que les mots de passe, les jetons d’API, les certificats et toute sorte de données confidentielles.
C’est donc un outil d’exploitation qui devient très rapidement indispensable. À titre personnel, j’en ai en particulier besoin pour mon article sur la gestion des clés SSH.</p>
<p>Cependant même si l’éditeur de la solution le conseil de l’installer sur une plateforme IaaS (un cluster de machine), pour des raisons de coût je pense qu’on peut obtenir un très bon compromis sur une installation de type PaaS.
* IaaS apporterait la possibilité d’isoler au maximum les secrets du reste de l’infrastructure et comme beaucoup d’autres infrastructures sont dépendantes de ce service, cela permet aussi de la relancer en premier en cas de gros crash.
* PaaS lui évite les contraintes de gestion des mises à jour des serveurs, les pannes matérielles et offre une tarification à l’utilisation qui est très intéressante pour de petites infrastructures.</p>
<p>Il n’y a cependant pas beaucoup de documentation selon moi sur l’utilisation de Hashicorp Vault sur du PaaS. Voici ici une aide sur comment déployer la solution Hashicorp sur une infrastructure PaaS :</p>
<ul>
<li><strong>CloudRun</strong> pour l’hébergement du compute et le lancement de container à la demande. Vous êtes facturé en fonction du temps d’exécution de vos conteneurs, de la mémoire qu’ils utilisent et du nombre de requêtes qu’ils traitent. Lorsqu’il n’y a pas de requêtes vers vos containers, ceux-ci sont coupés et vous n’êtes pas facturé.</li>
<li><strong>GCS</strong> pour le stockage des secrets et la base de données. Vous êtes facturé en fonction de la quantité de données stockées dans vos buckets (négligeable, ici, car nous n’allons pas avoir des secrets de plusieurs Go) et le trafic entrant et sortant de vos buckets, y compris les requêtes API, les téléchargements et les téléchargements. Il existe des frais distincts pour le trafic standard et le trafic par API.</li>
<li><strong>KMS</strong> pour le chiffrement des données sur le bucket (ce qu’on appelle “Seal” dans le language Vault). Vous êtes facturé pour chaque opération de chiffrement ou de déchiffrement effectuée à l’aide d’une clé KMS. Il existe différents tarifs pour les opérations de chiffrement symétrique et asymétrique.</li>
</ul>
<p>En résumé, utiliser ces services permet de n’être facturé qu’as l’utilisation. Lectures de mot de passe au gestionnaire de secrets, décodage de flux, entraînera une facturation, mais si l’infrastructure “dort” elle ne coûtera rien.</p>
<p>Le schéma ci-dessous resume comment le service peut fonctionner sur du PaaS :
<img alt="image" src="/images/2024-Hosting-HashicorpVault-on-cloudrun/architecture.png" /></p>
<p>Voici maintenant comment installer HashiCorp Vault sur Cloud Run en utilisant un backend de stockage Cloud Storage (GCS) et un chiffrement Cloud Key Management Service (KMS) sur GCP.</p>
<h2 id="prerequis">Prérequis<a class="headerlink" href="#prerequis" title="Permanent link">¶</a></h2>
<p>Avant de commencer, vous devez avoir les éléments suivants :</p>
<ul>
<li>Un compte GCP avec les permissions appropriées</li>
<li>Gcloud SDK installé et configuré (inclus dans la CLI de la cloud-console GCP)</li>
<li>Terraform (inclus dans la CLI de la cloud-console GCP)</li>
</ul>
<h2 id="etape-1-creer-un-service-de-compte">Étape 1 : Créer un service de compte<a class="headerlink" href="#etape-1-creer-un-service-de-compte" title="Permanent link">¶</a></h2>
<p>Pour que notre application puisse interagir avec les APIs dans GCP (accès aux objets du bucket, KMS, …). Il sera utilisé par notre service CloudRUN et nous lui donnerons les droits en respectant scrupuleusement le principe des moindres-privilèges.</p>
<div class="highlight"><pre><span></span><code><span class="c1"># service_account.tf</span>
<span class="c1"># Create a new service account</span>
<span class="n">resource</span><span class="w"> </span><span class="s2">"google_service_account"</span><span class="w"> </span><span class="s2">"vault_sa"</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">account_id</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"vault-${var.environment}-kapable-info-sa"</span>
<span class="p">}</span>
</code></pre></div>
<h2 id="etape-2-confirgurer-une-cle-kms">Étape 2 : Confirgurer une Clé KMS<a class="headerlink" href="#etape-2-confirgurer-une-cle-kms" title="Permanent link">¶</a></h2>
<p>On initialise maintenant une clé KMS qui sera elle utilisé par hashicorp pour chiffrer les secrets avant de les déposer dans le bucket. Cette clé appelé “seal”, dans le verbiage Vault est une sécurité permettant de ne pas avoir “en clair” les données dans le bucket.</p>
<p>L’utilisation d’un service comme KMS pour ce chiffrement permet de ne pas avoir a “imprimer”/”stocker” des “unseal-key”, ces chaines de caractères demandés au lancement de Vault pour décoder les données présente dans Vault.</p>
<p>Voici le code terraform permettant de générer une tel clé dans GCP et de la rendre accessible a notre service-account préalablement généré.</p>
<div class="highlight"><pre><span></span><code><span class="c1"># kms.tf</span>
<span class="c1"># Generate random string for each ressource name</span>
<span class="n">resource</span><span class="w"> </span><span class="s2">"random_id"</span><span class="w"> </span><span class="s2">"vault_kms"</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">byte_length</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">8</span>
<span class="p">}</span>
<span class="c1"># A keyring to store our keys</span>
<span class="n">resource</span><span class="w"> </span><span class="s2">"google_kms_key_ring"</span><span class="w"> </span><span class="s2">"vault"</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"${var.environment}-vault-${random_id.vault_kms.hex}"</span>
<span class="w"> </span><span class="n">location</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"europe-west1"</span>
<span class="w"> </span><span class="n">project</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">var</span><span class="o">.</span><span class="n">project</span>
<span class="p">}</span>
<span class="c1"># The crypto-key ressources</span>
<span class="n">resource</span><span class="w"> </span><span class="s2">"google_kms_crypto_key"</span><span class="w"> </span><span class="s2">"vault-key"</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"${var.environment}-vault-${random_id.vault_kms.hex}"</span>
<span class="w"> </span><span class="n">key_ring</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">google_kms_key_ring</span><span class="o">.</span><span class="n">vault</span><span class="o">.</span><span class="n">id</span>
<span class="w"> </span><span class="n">version_template</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">algorithm</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"GOOGLE_SYMMETRIC_ENCRYPTION"</span>
<span class="w"> </span><span class="n">protection_level</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"SOFTWARE"</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="c1"># If we lost this key, then we won't be able to read our data</span>
<span class="w"> </span><span class="n">lifecycle</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">prevent_destroy</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="bp">true</span>
<span class="w"> </span><span class="p">}</span>
<span class="p">}</span>
<span class="c1"># Allow our application service account to use this key</span>
<span class="n">data</span><span class="w"> </span><span class="s2">"google_iam_policy"</span><span class="w"> </span><span class="s2">"seal"</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">binding</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">role</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"roles/cloudkms.cryptoKeyEncrypterDecrypter"</span>
<span class="w"> </span><span class="n">members</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">[</span>
<span class="w"> </span><span class="s2">"serviceAccount:${google_service_account.vault_sa.email}"</span><span class="p">,</span>
<span class="w"> </span><span class="p">]</span>
<span class="w"> </span><span class="p">}</span>
<span class="p">}</span>
<span class="c1"># Atach policy to our key</span>
<span class="n">resource</span><span class="w"> </span><span class="s2">"google_kms_key_ring_iam_policy"</span><span class="w"> </span><span class="s2">"seal"</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">key_ring_id</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">google_kms_key_ring</span><span class="o">.</span><span class="n">vault</span><span class="o">.</span><span class="n">id</span>
<span class="w"> </span><span class="n">policy_data</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">data</span><span class="o">.</span><span class="n">google_iam_policy</span><span class="o">.</span><span class="n">seal</span><span class="o">.</span><span class="n">policy_data</span>
<span class="p">}</span>
</code></pre></div>
<h2 id="etape-3-configurer-un-bucket-de-stockage">Étape 3 : Configurer un bucket de stockage<a class="headerlink" href="#etape-3-configurer-un-bucket-de-stockage" title="Permanent link">¶</a></h2>
<p>Voici mon code standard pour la création d’un bucket de stockage</p>
<div class="highlight"><pre><span></span><code><span class="c1"># bucket.tf</span>
<span class="c1"># Define vars</span>
<span class="n">locals</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">buckets</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">vault</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"vault"</span><span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="p">}</span>
<span class="p">}</span>
<span class="c1"># Generate random string for each ressource name</span>
<span class="n">resource</span><span class="w"> </span><span class="s2">"random_id"</span><span class="w"> </span><span class="s2">"vault_bucket"</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">byte_length</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">8</span>
<span class="p">}</span>
<span class="c1"># Create buckets</span>
<span class="n">resource</span><span class="w"> </span><span class="s2">"google_storage_bucket"</span><span class="w"> </span><span class="s2">"buckets"</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">for_each</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">local</span><span class="o">.</span><span class="n">buckets</span>
<span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"${var.environment}-data-${each.key}-${random_id.vault_bucket.hex}"</span>
<span class="w"> </span><span class="n">location</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"europe-west1"</span>
<span class="w"> </span><span class="n">force_destroy</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="bp">true</span>
<span class="w"> </span><span class="n">public_access_prevention</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"enforced"</span>
<span class="p">}</span>
<span class="c1"># Allow our application service account to use this bucket</span>
<span class="n">data</span><span class="w"> </span><span class="s2">"google_iam_policy"</span><span class="w"> </span><span class="s2">"data"</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">binding</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">role</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"roles/storage.admin"</span>
<span class="w"> </span><span class="n">members</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">[</span>
<span class="w"> </span><span class="s2">"serviceAccount:${google_service_account.vault_sa.email}"</span><span class="p">,</span>
<span class="w"> </span><span class="p">]</span>
<span class="w"> </span><span class="p">}</span>
<span class="p">}</span>
<span class="c1"># Atach policy to our key</span>
<span class="n">resource</span><span class="w"> </span><span class="s2">"google_storage_bucket_iam_policy"</span><span class="w"> </span><span class="s2">"policy"</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">for_each</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">local</span><span class="o">.</span><span class="n">buckets</span>
<span class="w"> </span><span class="n">bucket</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">google_storage_bucket</span><span class="o">.</span><span class="n">buckets</span><span class="p">[</span><span class="n">each</span><span class="o">.</span><span class="n">key</span><span class="p">]</span><span class="o">.</span><span class="n">name</span>
<span class="w"> </span><span class="n">policy_data</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">data</span><span class="o">.</span><span class="n">google_iam_policy</span><span class="o">.</span><span class="n">data</span><span class="o">.</span><span class="n">policy_data</span>
<span class="p">}</span>
</code></pre></div>
<h2 id="etape-4-generer-un-fichier-de-configuration-pour-le-container">Étape 4 : Générer un fichier de configuration pour le container<a class="headerlink" href="#etape-4-generer-un-fichier-de-configuration-pour-le-container" title="Permanent link">¶</a></h2>
<p>Voici le fichier de configuration qui sera utilisé par le service Vault :</p>
<div class="highlight"><pre><span></span><code>#<span class="w"> </span>vault-server.hcl
default_max_request_duration<span class="w"> </span>=<span class="w"> </span>"90s"
disable_clustering<span class="w"> </span>=<span class="w"> </span>false
disable_mlock<span class="w"> </span>=<span class="w"> </span>true
ui<span class="w"> </span>=<span class="w"> </span>true
log_file<span class="w"> </span>=<span class="w"> </span>"/dev/stdout"
listener<span class="w"> </span>"tcp"<span class="w"> </span>{
<span class="w"> </span>address<span class="w"> </span>=<span class="w"> </span>"[::]:8200"
<span class="w"> </span>cluster_address<span class="w"> </span>=<span class="w"> </span>"[::]:8201"
<span class="w"> </span>tls_disable<span class="w"> </span>=<span class="w"> </span>"true"
}
#<span class="w"> </span>Utilisation<span class="w"> </span>du<span class="w"> </span>KMS<span class="w"> </span>Vault
seal<span class="w"> </span>"gcpckms"<span class="w"> </span>{
<span class="w"> </span>key_ring<span class="w"> </span>=<span class="w"> </span>"<span class="cp">${</span><span class="n">key_ring</span><span class="cp">}</span>"
<span class="w"> </span>crypto_key<span class="w"> </span>=<span class="w"> </span>"<span class="cp">${</span><span class="n">crypto_key</span><span class="cp">}</span>"
<span class="w"> </span>region<span class="w"> </span>=<span class="w"> </span>"<span class="cp">${</span><span class="n">region</span><span class="cp">}</span>"
}
#<span class="w"> </span>Utilisation<span class="w"> </span>du<span class="w"> </span>stockage<span class="w"> </span>GCS
storage<span class="w"> </span>"gcs"<span class="w"> </span>{
<span class="w"> </span>ha_enabled<span class="w"> </span>=<span class="w"> </span>"true"
}
</code></pre></div>
<p>On injecte ensuite le fichier ci-dessus dans le service GCP Secret Manager :</p>
<div class="highlight"><pre><span></span><code><span class="c1"># config.tf</span>
<span class="c1"># Generate random string for each ressource name</span>
<span class="n">resource</span><span class="w"> </span><span class="s2">"random_id"</span><span class="w"> </span><span class="s2">"config"</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">byte_length</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">8</span>
<span class="p">}</span>
<span class="c1"># Secret to store config file</span>
<span class="n">resource</span><span class="w"> </span><span class="s2">"google_secret_manager_secret"</span><span class="w"> </span><span class="s2">"vault_config"</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">secret_id</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"${var.environment}-vault-config-${random_id.vault-config.hex}"</span>
<span class="w"> </span><span class="n">labels</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">app</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"vault"</span>
<span class="w"> </span><span class="n">environment</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">var</span><span class="o">.</span><span class="n">environment</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="n">replication</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">user_managed</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">replicas</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">location</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"europe-west1"</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="p">}</span>
<span class="p">}</span>
<span class="c1"># Inject config into our secret and complete config-file with KMS values</span>
<span class="n">resource</span><span class="w"> </span><span class="s2">"google_secret_manager_secret_version"</span><span class="w"> </span><span class="s2">"vault_config"</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">secret</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">google_secret_manager_secret</span><span class="o">.</span><span class="n">vault_config</span><span class="o">.</span><span class="n">id</span>
<span class="w"> </span><span class="n">secret_data</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">templatefile</span><span class="p">(</span><span class="s2">"${path.module}/vault-server.hcl"</span><span class="p">,</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">key_ring</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">google_kms_key_ring</span><span class="o">.</span><span class="n">vault</span><span class="o">.</span><span class="n">name</span>
<span class="w"> </span><span class="n">crypto_key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">google_kms_crypto_key</span><span class="o">.</span><span class="n">vault</span><span class="o">-</span><span class="n">key</span><span class="o">.</span><span class="n">name</span>
<span class="w"> </span><span class="n">region</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">google_kms_key_ring</span><span class="o">.</span><span class="n">vault</span><span class="o">.</span><span class="n">location</span>
<span class="w"> </span><span class="p">})</span>
<span class="p">}</span>
<span class="c1"># Atach policy to our secret</span>
<span class="n">data</span><span class="w"> </span><span class="s2">"google_iam_policy"</span><span class="w"> </span><span class="s2">"vault_config"</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">binding</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">role</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"roles/secretmanager.secretAccessor"</span>
<span class="w"> </span><span class="n">members</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">[</span>
<span class="w"> </span><span class="s2">"serviceAccount:${google_service_account.vault_sa.email}"</span><span class="p">,</span>
<span class="w"> </span><span class="p">]</span>
<span class="w"> </span><span class="p">}</span>
<span class="p">}</span>
<span class="n">resource</span><span class="w"> </span><span class="s2">"google_secret_manager_secret_iam_policy"</span><span class="w"> </span><span class="s2">"vault_config"</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">project</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">var</span><span class="o">.</span><span class="n">project</span>
<span class="w"> </span><span class="n">secret_id</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">google_secret_manager_secret</span><span class="o">.</span><span class="n">vault_config</span><span class="o">.</span><span class="n">id</span>
<span class="w"> </span><span class="n">policy_data</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">data</span><span class="o">.</span><span class="n">google_iam_policy</span><span class="o">.</span><span class="n">vault_config</span><span class="o">.</span><span class="n">policy_data</span>
<span class="p">}</span>
</code></pre></div>
<h2 id="etape-5-configurer-le-lancement-de-notre-container">Étape 5 : Configurer le lancement de notre container<a class="headerlink" href="#etape-5-configurer-le-lancement-de-notre-container" title="Permanent link">¶</a></h2>
<p>Maintenant il est possible d’enfin lancer notre container pour cela on utilise un module perso et on prend soin de surcharger l’entrypoint du container. En effet par défaut le container utilise un mode “dev” pour se lancer.</p>
<div class="highlight"><pre><span></span><code><span class="n">module</span><span class="w"> </span><span class="s2">"vault_service"</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">source</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"../modules/http-container"</span>
<span class="w"> </span><span class="n">project</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">var</span><span class="o">.</span><span class="n">project</span>
<span class="w"> </span><span class="n">fqdn</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">var</span><span class="o">.</span><span class="n">environment</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="s2">"prod"</span><span class="w"> </span><span class="err">?</span><span class="w"> </span><span class="s2">"vault-${var.environment}.kapable.info"</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="s2">"vault.kapable.info"</span>
<span class="w"> </span><span class="n">docker_image</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"hashicorp/vault"</span>
<span class="w"> </span><span class="n">allways_on</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="bp">false</span>
<span class="w"> </span><span class="n">container_port</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">8200</span>
<span class="w"> </span><span class="n">cpus</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">2</span>
<span class="w"> </span><span class="n">memory</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">2000</span>
<span class="w"> </span><span class="n">command</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">[</span><span class="s2">"/bin/vault"</span><span class="p">]</span>
<span class="w"> </span><span class="n">args</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">[</span><span class="s2">"server"</span><span class="p">,</span><span class="w"> </span><span class="s2">"-config"</span><span class="p">,</span><span class="w"> </span><span class="s2">"/etc/vault/config.hcl"</span><span class="p">]</span>
<span class="w"> </span><span class="n">container_env</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">SKIP_SETCAP</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">1</span>
<span class="w"> </span><span class="n">GOOGLE_PROJECT</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">var</span><span class="o">.</span><span class="n">project</span>
<span class="w"> </span><span class="n">GOOGLE_STORAGE_BUCKET</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">google_storage_bucket</span><span class="o">.</span><span class="n">buckets</span><span class="p">[</span><span class="s2">"vault"</span><span class="p">]</span><span class="o">.</span><span class="n">name</span>
<span class="w"> </span><span class="n">VAULT_LOG_LEVEL</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"info"</span>
<span class="w"> </span><span class="n">SKIP_CHOWN</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">1</span>
<span class="w"> </span><span class="n">VAULT_ADDR</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"http://127.0.0.1"</span>
<span class="w"> </span><span class="n">VAULT_API_ADDR</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"http://127.0.0.1"</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="n">volumes</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">config</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">secret_id</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">google_secret_manager_secret</span><span class="o">.</span><span class="n">vault_config</span><span class="o">.</span><span class="n">id</span>
<span class="w"> </span><span class="n">secret_version</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">google_secret_manager_secret_version</span><span class="o">.</span><span class="n">vault_config</span><span class="o">.</span><span class="n">version</span>
<span class="w"> </span><span class="n">secret_file</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"config.hcl"</span>
<span class="w"> </span><span class="n">mount_path</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"/etc/vault"</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="n">depends_on</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">[</span><span class="n">google_kms_key_ring_iam_policy</span><span class="o">.</span><span class="n">seal</span><span class="p">]</span>
<span class="p">}</span>
</code></pre></div>
<h2 id="etape-6-initialiser-le-vault">Étape 6 : Initialiser le Vault<a class="headerlink" href="#etape-6-initialiser-le-vault" title="Permanent link">¶</a></h2>
<ul>
<li>Créez un répertoire pour stocker vos fichiers de configuration Vault.</li>
<li>Téléchargez le binaire Vault depuis https://developer.hashicorp.com/vault/install.</li>
<li>Déplacez le binaire Vault dans le répertoire que vous avez créé à l’étape 1.</li>
<li>Initialisez Vault en exécutant la commande suivante :
̀``
vault operator init -key-shares=1 -key-threshold=1
```
Suivez les instructions à l’écran pour enregistrer les clés de déverrouillage et le jeton racine.</li>
</ul>
<h2 id="conclusion">Conclusion<a class="headerlink" href="#conclusion" title="Permanent link">¶</a></h2>
<p>Ce guide vous a montré comment déployer et configurer Hashicorp Vault sur Cloud Run en utilisant un backend de stockage Cloud Storage (GCS) et un chiffrement Cloud Key Management Service (KMS) sur GCP.</p>
<p><strong>Avantages de cette approche :</strong></p>
<ul>
<li><strong>Simplicité</strong>: Déploiement et gestion simplifiés via Cloud Run et Terraform.</li>
<li><strong>Évolution</strong>: Échelle automatique en fonction de la demande.</li>
<li><strong>Sécurité</strong>: Chiffrement des secrets avec KMS et isolation des conteneurs.</li>
<li><strong>Coût</strong>: Paiement à la consommation pour une optimisation des coûts.</li>
</ul>
<p><strong>Points importants à retenir:</strong></p>
<ul>
<li>Assurez-vous de suivre scrupuleusement les instructions de sécurité pour protéger vos secrets.</li>
<li>Utilisez des politiques IAM strictes pour limiter l’accès à vos ressources GCP.</li>
<li>Surveillez l’utilisation de vos ressources et ajustez la configuration de votre infrastructure en fonction de vos besoins.</li>
</ul>
<p>En conclusion, l’hébergement de Hashicorp Vault sur Cloud Run avec un backend de stockage GCS et un chiffrement KMS sur GCP offre une solution simple, évolutive et sécurisée pour la gestion des secrets de vos applications.</p>Securely Manage Secrets with HashiCorp Vault on Cloud Run: A GCP Guide2024-07-22T00:00:00+02:002024-07-22T00:00:00+02:00Mathieu GOULINtag:www.ops-chronicles.cloud,2024-07-22:/hosting-hashicorpvault-on-cloudrun.html<p>Leveraging Google Cloud Platform’s Platform-as-a-Service (PaaS) capabilities, you can effortlessly deploy and manage your HashiCorp Vault instance</p><div class="toc">
<ul>
<li><a href="#introduction">Introduction</a></li>
<li><a href="#architecture">Architecture</a></li>
<li><a href="#prerequisites">Prerequisites</a></li>
<li><a href="#step-1-create-a-service-account">Step 1: Create a Service Account</a></li>
<li><a href="#step-2-configure-kms-key-management-service">Step 2: Configure KMS (Key Management Service)</a></li>
<li><a href="#step-3-configure-a-storage-backend">Step 3: Configure a Storage Backend</a></li>
<li><a href="#step-4-generate-a-configuration-file-for-the-container">Step 4: Generate a Configuration File for the Container</a></li>
<li><a href="#step-5-configure-container-deployment">Step 5: Configure Container Deployment</a></li>
<li><a href="#step-6-initialize-vault">Step 6: Initialize Vault</a></li>
<li><a href="#conclusion">Conclusion</a></li>
</ul>
</div>
<h2 id="introduction">Introduction<a class="headerlink" href="#introduction" title="Permanent link">¶</a></h2>
<p><a href="https://www.vaultproject.io/">HashiCorp Vault</a> is a powerful tool for managing application secrets, providing a centralized platform to store, control, and secure sensitive information. It offers a comprehensive suite of features to safeguard your critical secrets, including:</p>
<ul>
<li><strong>Secret Storage and Management</strong>: Vault securely stores a wide range of secrets, including passwords, API keys, certificates, and authentication tokens.</li>
<li><strong>Granular Access Control</strong>: Implement fine-grained access controls to manage who can access specific secrets, ensuring that only authorized users and applications have access.</li>
<li><strong>Robust Encryption</strong>: Vault encrypts secrets using strong encryption algorithms and utilizes system-managed encryption keys to guarantee data security.</li>
<li><strong>Auditing and Logging</strong>: Vault maintains a comprehensive audit log of all secret access and modifications, enabling you to monitor and audit activities effectively.</li>
</ul>
<p><strong>Vault: A Pillar for Enhanced Security and Control</strong></p>
<p>Vault has become an indispensable tool for organizations seeking to strengthen their security posture and protect sensitive data. Its centralized approach to secrets management simplifies the process of securing and controlling access to critical information, mitigating the risk of unauthorized access and data breaches.</p>
<p><strong>Simplifying Vault Deployment and Management with GCP</strong></p>
<p>While Vault offers immense value, deploying and managing a Vault instance can be a complex and time-consuming endeavor. This is where GCP PaaS simplify the process.</p>
<p>By leveraging the power of Google Cloud Platform (GCP), you can further enhance the security and scalability of your Vault deployment. GCP’s robust cloud infrastructure and suite of security services provide an ideal foundation for hosting and managing Vault:</p>
<ul>
<li><strong>Cloud Run</strong> is a fully managed serverless platform for deploying and running containerized applications. It provides an ideal environment for hosting Vault.</li>
<li><strong>Google Cloud Storage (GCS)</strong>: Utilize GCS as a secure and scalable backend storage solution for Vault data. GCS’s durability and high availability ensure that your secrets remain protected and accessible.</li>
<li><strong>Cloud Key Management Service (KMS)</strong>: Employ KMS to manage and control cryptographic keys used for encrypting Vault data. KMS’s centralized key management capabilities safeguard your encryption keys and simplify key rotation processes.</li>
</ul>
<p><strong>Leveraging Cloud Run for a Secure and Scalable Vault Solution</strong></p>
<p>By combining the strengths of HashiCorp Vault and Cloud Run, organizations can achieve a powerful and scalable solution for managing application secrets. Cloud Run eliminates the complexities of infrastructure management, allowing you to focus on the core functionalities of Vault.</p>
<p>With Cloud Run, you can:</p>
<ul>
<li><strong>Deploy Vault quickly and easily</strong>: Utilize Cloud Run’s simplified deployment process to get Vault up and running in no time.</li>
<li><strong>Scale Vault automatically</strong>: Cloud Run automatically scales Vault instances based on demand, ensuring it can handle fluctuating workloads efficiently.</li>
<li><strong>Optimize costs</strong>: Benefit from Cloud Run’s pay-per-use model, paying only for the resources consumed by Vault.</li>
</ul>
<p><strong>A Comprehensive Solution for Secure Secrets Management</strong></p>
<p>By combining the strengths of HashiCorp Vault, GCS, KMS, and Cloud Run on GCP, organizations can achieve a comprehensive and secure solution for managing application secrets:</p>
<ul>
<li><strong>Centralized Secret Storage</strong>: Vault provides a centralized repository for storing and managing all types of secrets.</li>
<li><strong>Robust Encryption</strong>: KMS ensures that secrets are encrypted with strong encryption keys and stored securely in GCS.</li>
<li><strong>Fine-grained Access Control</strong>: Vault enforces granular access controls to restrict access to secrets based on user identities and application permissions.</li>
</ul>
<p><strong>Embrace a Secure and Streamlined Approach to Secrets Management</strong></p>
<p>By adopting HashiCorp Vault on Cloud Run, you can streamline secrets management, enhance application security, and gain peace of mind knowing that your sensitive data is protected. Cloud Run’s serverless architecture and pay-per-use model further simplify the process, making it an ideal choice for organizations seeking a cost-effective and scalable solution.</p>
<h2 id="architecture">Architecture<a class="headerlink" href="#architecture" title="Permanent link">¶</a></h2>
<p><img alt="image" src="/images/2024-Hosting-HashicorpVault-on-cloudrun/architecture.png" /></p>
<h2 id="prerequisites">Prerequisites<a class="headerlink" href="#prerequisites" title="Permanent link">¶</a></h2>
<p>To embark on this journey of securing your application secrets with HashiCorp Vault on Cloud Run, ensure you have the following prerequisites in place:</p>
<ul>
<li><strong>Google Cloud Platform (GCP) Account</strong>: A GCP account is essential to access and utilize GCP’s services, including Cloud Run, GCS, and KMS.</li>
<li><strong>GCP Project</strong>: A GCP project serves as the container for your GCP resources, including the Vault deployment. Ensure you have a designated project for this purpose.</li>
<li><strong>gcloud Command-Line Tool</strong>: The gcloud command-line tool is a powerful interface for interacting with GCP services from your local machine. Install and configure gcloud to proceed.</li>
<li><strong>vault Command-Line Tool</strong>: The vault command-line tool is the primary interface for interacting with HashiCorp Vault. Install and configure vault to manage your Vault instance.</li>
</ul>
<h2 id="step-1-create-a-service-account">Step 1: Create a Service Account<a class="headerlink" href="#step-1-create-a-service-account" title="Permanent link">¶</a></h2>
<p>To enable Vault to interact with GCP APIs, we’ll create a <strong>service account</strong>. A <strong>service account</strong> is a special type of account used by applications or compute workloads, rather than a person. It allows applications to perform authorized actions on GCP resources, such as creating or deleting instances, or accessing Cloud Storage buckets.</p>
<div class="highlight"><pre><span></span><code><span class="c1"># service_account.tf</span>
<span class="n">resource</span><span class="w"> </span><span class="s2">"google_service_account"</span><span class="w"> </span><span class="s2">"vault_sa"</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">account_id</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"vault-${var.environment}-kpabl-info-sa"</span>
<span class="p">}</span>
</code></pre></div>
<h2 id="step-2-configure-kms-key-management-service">Step 2: Configure KMS (Key Management Service)<a class="headerlink" href="#step-2-configure-kms-key-management-service" title="Permanent link">¶</a></h2>
<p>In this step, we’ll set up a Key Management Service (KMS) to encrypt our secrets. KMS is a crucial component for ensuring the security of your secrets. It provides a centralized and secure way to manage cryptographic keys. Vault will encrypt and decrypting secrets and confidential information before it’s stored in GCS.</p>
<p>Also we need to create a :
* KMS key ring
* KMS cryptographic key </p>
<p>Refer to the official documentation for detailed instructions.</p>
<div class="highlight"><pre><span></span><code><span class="c1"># kms.tf</span>
<span class="c1"># Create a KMS</span>
<span class="n">resource</span><span class="w"> </span><span class="s2">"google_kms_crypto_key"</span><span class="w"> </span><span class="s2">"vault_kms"</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">crypto_key_id</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"vault-${var.environment}-kpabl-info-key"</span>
<span class="w"> </span><span class="n">purpose</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"ENCRYPT_DECRYPT"</span>
<span class="w"> </span><span class="n">version_template</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">algorithm</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"GOOGLE_SYMMETRIC_ENCRYPTION"</span>
<span class="w"> </span><span class="n">protection_level</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"SOFTWARE"</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="c1"># If we lose this key, then we won't be able to read our data</span>
<span class="w"> </span><span class="n">lifecycle</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">prevent_destroy</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="bp">true</span>
<span class="w"> </span><span class="p">}</span>
<span class="p">}</span>
<span class="c1"># Create a Keyring</span>
<span class="n">resource</span><span class="w"> </span><span class="s2">"google_kms_key_ring"</span><span class="w"> </span><span class="s2">"vault_keyring"</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">location</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"europe-west1"</span>
<span class="w"> </span><span class="n">project</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">var</span><span class="o">.</span><span class="n">project</span>
<span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"vault-${var.environment}-kpabl-info-keyring"</span>
<span class="p">}</span>
<span class="c1"># Associate the Keyring with a KMS</span>
<span class="n">resource</span><span class="w"> </span><span class="s2">"google_kms_crypto_key"</span><span class="w"> </span><span class="s2">"vault_kms_keyring"</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">crypto_key_id</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">google_kms_crypto_key</span><span class="o">.</span><span class="n">vault_kms</span><span class="o">.</span><span class="n">crypto_key_id</span>
<span class="w"> </span><span class="n">key_ring_id</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">google_kms_key_ring</span><span class="o">.</span><span class="n">vault_keyring</span><span class="o">.</span><span class="n">key_ring_id</span>
<span class="p">}</span>
</code></pre></div>
<h2 id="step-3-configure-a-storage-backend">Step 3: Configure a Storage Backend<a class="headerlink" href="#step-3-configure-a-storage-backend" title="Permanent link">¶</a></h2>
<p>In this step, we’ll configure a storage backend using Google Cloud Storage (GCS) to securely store your Vault secrets. GCS provides a scalable, durable, and highly available object storage solution, making it an ideal choice for storing sensitive information like secrets.</p>
<div class="highlight"><pre><span></span><code><span class="c1"># backend.tf</span>
<span class="c1"># Create a Bucket</span>
<span class="n">resource</span><span class="w"> </span><span class="s2">"google_storage_bucket"</span><span class="w"> </span><span class="s2">"vault_bucket"</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"vault-${var.environment}-kpabl-info-bucket"</span>
<span class="w"> </span><span class="n">location</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"europe-west1"</span>
<span class="w"> </span><span class="n">force_destroy</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="bp">true</span>
<span class="w"> </span><span class="n">project</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">var</span><span class="o">.</span><span class="n">project</span>
<span class="w"> </span><span class="n">storage_class</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"STANDARD"</span>
<span class="p">}</span>
<span class="c1"># Give the service account access to the bucket</span>
<span class="n">resource</span><span class="w"> </span><span class="s2">"google_storage_bucket_iam_member"</span><span class="w"> </span><span class="s2">"vault_bucket_sa"</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">bucket</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">google_storage_bucket</span><span class="o">.</span><span class="n">vault_bucket</span><span class="o">.</span><span class="n">name</span>
<span class="w"> </span><span class="n">role</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"roles/storage.admin"</span>
<span class="w"> </span><span class="n">member</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"serviceAccount:${google_service_account.vault_sa.email}"</span>
<span class="p">}</span>
</code></pre></div>
<p>Once you’ve created a GCS bucket, we’ll need to configure Vault to use it as the storage backend. This will involve setting up the necessary Vault configuration and policies to enable secure storage of secrets in your GCS bucket.</p>
<h2 id="step-4-generate-a-configuration-file-for-the-container">Step 4: Generate a Configuration File for the Container<a class="headerlink" href="#step-4-generate-a-configuration-file-for-the-container" title="Permanent link">¶</a></h2>
<p>With all the essential components in place, we’ll now generate a configuration file that will guide the containerized Vault application. This file will define the parameters and settings required for Vault to operate effectively within our GCP environment.</p>
<div class="highlight"><pre><span></span><code>#<span class="w"> </span>vault-server.hcl
default_max_request_duration<span class="w"> </span>=<span class="w"> </span>"90s"
disable_clustering<span class="w"> </span>=<span class="w"> </span>false
disable_mlock<span class="w"> </span>=<span class="w"> </span>true
ui<span class="w"> </span>=<span class="w"> </span>true
log_file<span class="w"> </span>=<span class="w"> </span>"/dev/stdout"
listener<span class="w"> </span>"tcp"<span class="w"> </span>{
<span class="w"> </span>address<span class="w"> </span>=<span class="w"> </span>"[::]:8200"
<span class="w"> </span>cluster_address<span class="w"> </span>=<span class="w"> </span>"[::]:8201"
<span class="w"> </span>tls_disable<span class="w"> </span>=<span class="w"> </span>"true"
}
seal<span class="w"> </span>"gcpckms"<span class="w"> </span>{
<span class="w"> </span>key_ring<span class="w"> </span>=<span class="w"> </span>"<span class="cp">${</span><span class="n">key_ring</span><span class="cp">}</span>"
<span class="w"> </span>crypto_key<span class="w"> </span>=<span class="w"> </span>"<span class="cp">${</span><span class="n">crypto_key</span><span class="cp">}</span>"
<span class="w"> </span>region<span class="w"> </span>=<span class="w"> </span>"<span class="cp">${</span><span class="n">region</span><span class="cp">}</span>"
}
storage<span class="w"> </span>"gcs"<span class="w"> </span>{
<span class="w"> </span>ha_enabled<span class="w"> </span>=<span class="w"> </span>"true"
}
</code></pre></div>
<p>To further enhance security, we’ll leverage Google Cloud Secret Manager (SM) to store and manage the sensitive Vault configuration file. SM provides a centralized and secure vault for storing sensitive information like configuration data, ensuring that your Vault configuration remains protected and accessible only to authorized entities.</p>
<div class="highlight"><pre><span></span><code><span class="c1"># config.tf</span>
<span class="c1"># Generate random string for each ressource name</span>
<span class="n">resource</span><span class="w"> </span><span class="s2">"random_id"</span><span class="w"> </span><span class="s2">"config"</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">byte_length</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">8</span>
<span class="p">}</span>
<span class="c1"># Secret to store config file</span>
<span class="n">resource</span><span class="w"> </span><span class="s2">"google_secret_manager_secret"</span><span class="w"> </span><span class="s2">"vault_config"</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">secret_id</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"${var.environment}-vault-config-${random_id.vault-config.hex}"</span>
<span class="w"> </span><span class="n">labels</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">app</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"vault"</span>
<span class="w"> </span><span class="n">environment</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">var</span><span class="o">.</span><span class="n">environment</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="n">replication</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">user_managed</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">replicas</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">location</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"europe-west1"</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="p">}</span>
<span class="p">}</span>
<span class="c1"># Inject config into our secret and complete config-file with KMS values</span>
<span class="n">resource</span><span class="w"> </span><span class="s2">"google_secret_manager_secret_version"</span><span class="w"> </span><span class="s2">"vault_config"</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">secret</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">google_secret_manager_secret</span><span class="o">.</span><span class="n">vault_config</span><span class="o">.</span><span class="n">id</span>
<span class="w"> </span><span class="n">secret_data</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">templatefile</span><span class="p">(</span><span class="s2">"${path.module}/vault-server.hcl"</span><span class="p">,</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">key_ring</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">google_kms_key_ring</span><span class="o">.</span><span class="n">vault</span><span class="o">.</span><span class="n">name</span>
<span class="w"> </span><span class="n">crypto_key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">google_kms_crypto_key</span><span class="o">.</span><span class="n">vault</span><span class="o">-</span><span class="n">key</span><span class="o">.</span><span class="n">name</span>
<span class="w"> </span><span class="n">region</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">google_kms_key_ring</span><span class="o">.</span><span class="n">vault</span><span class="o">.</span><span class="n">location</span>
<span class="w"> </span><span class="p">})</span>
<span class="p">}</span>
<span class="c1"># Atach policy to our secret</span>
<span class="n">data</span><span class="w"> </span><span class="s2">"google_iam_policy"</span><span class="w"> </span><span class="s2">"vault_config"</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">binding</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">role</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"roles/secretmanager.secretAccessor"</span>
<span class="w"> </span><span class="n">members</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">[</span>
<span class="w"> </span><span class="s2">"serviceAccount:${google_service_account.vault_sa.email}"</span><span class="p">,</span>
<span class="w"> </span><span class="p">]</span>
<span class="w"> </span><span class="p">}</span>
<span class="p">}</span>
<span class="n">resource</span><span class="w"> </span><span class="s2">"google_secret_manager_secret_iam_policy"</span><span class="w"> </span><span class="s2">"vault_config"</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">project</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">var</span><span class="o">.</span><span class="n">project</span>
<span class="w"> </span><span class="n">secret_id</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">google_secret_manager_secret</span><span class="o">.</span><span class="n">vault_config</span><span class="o">.</span><span class="n">id</span>
<span class="w"> </span><span class="n">policy_data</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">data</span><span class="o">.</span><span class="n">google_iam_policy</span><span class="o">.</span><span class="n">vault_config</span><span class="o">.</span><span class="n">policy_data</span>
<span class="p">}</span>
</code></pre></div>
<h2 id="step-5-configure-container-deployment">Step 5: Configure Container Deployment<a class="headerlink" href="#step-5-configure-container-deployment" title="Permanent link">¶</a></h2>
<p>Now that we have all the components in place, it’s time to deploy the containerized Vault application using Cloud Run. However, we’ll make some adjustments to ensure Vault runs in a secure mode rather than the default “dev” mode.
By default, the official Vault Docker image runs in “dev” mode, which is not suitable for production environments. To operate Vault in a secure manner, we need to override the default entrypoint.</p>
<div class="highlight"><pre><span></span><code><span class="n">module</span><span class="w"> </span><span class="s2">"vault_service"</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">source</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"../modules/http-container"</span>
<span class="w"> </span><span class="n">project</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">var</span><span class="o">.</span><span class="n">project</span>
<span class="w"> </span><span class="n">fqdn</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">var</span><span class="o">.</span><span class="n">environment</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="s2">"prod"</span><span class="w"> </span><span class="err">?</span><span class="w"> </span><span class="s2">"vault-${var.environment}.kapable.info"</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="s2">"vault.kapable.info"</span>
<span class="w"> </span><span class="n">docker_image</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"hashicorp/vault"</span>
<span class="w"> </span><span class="n">allways_on</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="bp">false</span>
<span class="w"> </span><span class="n">container_port</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">8200</span>
<span class="w"> </span><span class="n">cpus</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">2</span>
<span class="w"> </span><span class="n">memory</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">2000</span>
<span class="w"> </span><span class="n">command</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">[</span><span class="s2">"/bin/vault"</span><span class="p">]</span>
<span class="w"> </span><span class="n">args</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">[</span><span class="s2">"server"</span><span class="p">,</span><span class="w"> </span><span class="s2">"-config"</span><span class="p">,</span><span class="w"> </span><span class="s2">"/etc/vault/config.hcl"</span><span class="p">]</span>
<span class="w"> </span><span class="n">container_env</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">SKIP_SETCAP</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">1</span>
<span class="w"> </span><span class="n">GOOGLE_PROJECT</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">var</span><span class="o">.</span><span class="n">project</span>
<span class="w"> </span><span class="n">GOOGLE_STORAGE_BUCKET</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">google_storage_bucket</span><span class="o">.</span><span class="n">buckets</span><span class="p">[</span><span class="s2">"vault"</span><span class="p">]</span><span class="o">.</span><span class="n">name</span>
<span class="w"> </span><span class="n">VAULT_LOG_LEVEL</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"info"</span>
<span class="w"> </span><span class="n">SKIP_CHOWN</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">1</span>
<span class="w"> </span><span class="n">VAULT_ADDR</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"http://127.0.0.1"</span>
<span class="w"> </span><span class="n">VAULT_API_ADDR</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"http://127.0.0.1"</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="n">volumes</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">config</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="n">secret_id</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">google_secret_manager_secret</span><span class="o">.</span><span class="n">vault_config</span><span class="o">.</span><span class="n">id</span>
<span class="w"> </span><span class="n">secret_version</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">google_secret_manager_secret_version</span><span class="o">.</span><span class="n">vault_config</span><span class="o">.</span><span class="n">version</span>
<span class="w"> </span><span class="n">secret_file</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"config.hcl"</span>
<span class="w"> </span><span class="n">mount_path</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"/etc/vault"</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="n">depends_on</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">[</span><span class="n">google_kms_key_ring_iam_policy</span><span class="o">.</span><span class="n">seal</span><span class="p">]</span>
<span class="p">}</span>
</code></pre></div>
<h2 id="step-6-initialize-vault">Step 6: Initialize Vault<a class="headerlink" href="#step-6-initialize-vault" title="Permanent link">¶</a></h2>
<p>With Vault successfully deployed and configured, it’s time to initialize it to enable secret management capabilities. This involves creating a storage directory, downloading the Vault binary, and executing the initialization command.</p>
<ul>
<li><strong>Create a Storage Directory</strong>: Create a directory to store your Vault configuration files. For example, create a directory named vault-config in your home directory:</li>
<li><strong>Initialize Vault</strong>: Navigate to the directory containing the Vault binary and execute the initialization command:</li>
<li><strong>Follow On-screen Instructions</strong>: The initialization process will generate five key shares and a root token. Carefully record and store these key shares and the root token in a secure location. You will need these to unseal and recover Vault if necessary.</li>
</ul>
<div class="highlight"><pre><span></span><code>vault operator init
</code></pre></div>
<h2 id="conclusion">Conclusion<a class="headerlink" href="#conclusion" title="Permanent link">¶</a></h2>
<p>This comprehensive guide has walked you through the process of deploying and configuring Hashicorp Vault on Cloud Run, leveraging a Cloud Storage (GCS) storage backend and Cloud Key Management Service (KMS) encryption on GCP. By following these steps, you have successfully established a secure and scalable solution for managing your secrets in the GCP environment.</p>
<p><strong>Key Benefits of this Approach:</strong></p>
<ul>
<li><strong>Simplicity</strong>: Streamlined deployment and management through Cloud Run and Terraform.</li>
<li><strong>Scalability</strong>: Automatic scaling based on demand, ensuring your infrastructure can handle fluctuating workloads.</li>
<li><strong>Security</strong>: Robust security measures, including encryption of secrets with KMS and container isolation, safeguard your sensitive data.</li>
<li><strong>Cost-Effectiveness</strong>: Pay-as-you-go model optimizes resource utilization and minimizes unnecessary expenses.</li>
</ul>
<p><strong>Essential Considerations:</strong></p>
<ul>
<li><strong>Adhere to Security Guidelines</strong>: Strictly follow security best practices to protect your secrets from unauthorized access and potential breaches.</li>
<li><strong>Implement IAM Policies</strong>: Enforce stringent IAM policies to restrict access to your GCP resources, ensuring only authorized users can manage your infrastructure.</li>
<li><strong>Monitor Resource Usage</strong>: Continuously monitor resource utilization and adjust your infrastructure configuration as needed to meet evolving demands.</li>
</ul>
<p>By hosting Hashicorp Vault on Cloud Run with a GCS storage backend and KMS encryption on GCP, you have gained a robust, scalable, and secure solution for managing your application secrets. This approach offers a streamlined deployment process, cost-effective operation, and enhanced security, making it an ideal choice for organizations seeking efficient and reliable secret management in the cloud.</p>
<p><strong>Trust in GCP’s KMS Service and Confidentiality:</strong></p>
<p>It is important to note that this model relies on trust in GCP’s KMS service and its commitment to confidentiality. By choosing to encrypt your secrets with KMS, you are entrusting GCP with the protection of your sensitive data. Therefore, it is crucial to carefully evaluate GCP’s security practices and ensure that they align with your organization’s risk tolerance and compliance requirements.</p>
<p>This model is suitable for organizations that have a high level of trust in GCP’s security practices and are comfortable with entrusting their secrets to a third-party service.</p>La quête du Graal Devops : Concilier scaling à zéro et disponibilité immédiate2024-06-02T00:00:00+02:002024-06-02T00:00:00+02:00Mathieu GOULINtag:www.ops-chronicles.cloud,2024-06-02:/fr/scaleto0-with-event-driven-ansible-and-istio.html<p>Dans le monde impitoyable du cloud, chaque ressource inutilisée représente un coût inutile. Que ce soit les environnements de recette le weekend ou les applications utilisés que ponctuelement, il y a autant de couts a optimiser. La solution : le scaling à zéro des deploiements Kubernetes, bien que séduisant pour optimiser les coûts, il se traduira souvent par une expérience utilisateur dégradée avec des applications indisponibles. Alors, comment concilier économies et réactivité ?</p><div class="toc">
<ul>
<li><a href="#comprendre-le-probleme">Comprendre le Problème</a></li>
<li><a href="#la-solution-autoscaling-pilote-par-les-evenements">La Solution : Autoscaling piloté par les Événements</a><ul>
<li><a href="#fonctionnement-du-systeme">Fonctionnement du Système</a></li>
</ul>
</li>
<li><a href="#mise-en-place-de-la-plateforme">Mise en place de la plateforme</a><ul>
<li><a href="#installation-de-kubernetesistio">Installation de kubernetes+istio</a></li>
<li><a href="#installation-du-monitoring-prometheus-alertmanager">Installation du monitoring : Prometheus / Alertmanager</a></li>
<li><a href="#installation-dune-application">Installation d’une application</a></li>
</ul>
</li>
<li><a href="#event-drivent-ansible">Event drivent Ansible</a></li>
<li><a href="#mise-en-oeuvre-de-eda-dans-le-cluster">Mise en oeuvre de EDA dans le cluster</a><ul>
<li><a href="#construction-dun-playbook-pour-le-scaling">Construction d’un playbook pour le scaling</a></li>
<li><a href="#integration-avec-la-supervision">Intégration avec la supervision</a></li>
<li><a href="#creation-de-lalerte-de-supervision">Création de l’alerte de supervision</a></li>
</ul>
</li>
<li><a href="#test-du-scaling-a-zero">Test du scaling à zéro</a></li>
<li><a href="#conclusion">Conclusion</a><ul>
<li><a href="#principaux-avantages-de-cette-approche">Principaux avantages de cette approche</a></li>
<li><a href="#questions-pour-reflexion">Questions pour réflexion</a></li>
<li><a href="#ressources-supplementaires">Ressources supplémentaires</a></li>
</ul>
</li>
</ul>
</div>
<p>Dans le monde impitoyable du cloud, chaque ressource inutilisée représente un coût inutile. Le scaling à zéro des pods Kubernetes, bien que séduisant pour optimiser les coûts, se traduit souvent par une expérience utilisateur dégradée avec des applications indisponibles. Comment alors concilier économies et réactivité ?</p>
<p>Oubliez les compromis, et adoptez une approche <strong>pilotée par les événements</strong>, en combinant la puissance d’<strong>Event Driven Ansible</strong> à la finesse d’outils tels qu’<strong>Istio, Prometheus et Alertmanager</strong>. Imaginez un système capable de :</p>
<ul>
<li><strong>Détecter instantanément</strong> les premiers appels HTTP vers vos applications.</li>
<li><strong>Déclencher automatiquement</strong> le lancement de vos pods Kubernetes pour répondre à la demande.</li>
<li><strong>Orchestrer la mise à l’échelle</strong> de vos ressources de manière dynamique et transparente.</li>
<li><strong>Réduire vos coûts d’infrastructure</strong> en stoppant les pods inactifs.</li>
</ul>
<p>Plus besoin d’attendre le redémarrage de vos applications, la disponibilité est quasi-immédiate, et vos utilisateurs ne se rendent compte de rien !</p>
<p><strong>Dans cet article, nous allons explorer en détail comment mettre en place cette solution élégante et efficace. Vous découvrirez :</strong></p>
<ul>
<li>Les mécanismes de détection d’événements basés sur le trafic HTTP.</li>
<li>La configuration d’alertes intelligentes pour déclencher l’autoscaling.</li>
<li>La mise en œuvre de playbooks Ansible pour automatiser le scaling de vos déploiements.</li>
</ul>
<p><strong>Préparez-vous à dire adieu aux compromis et à entrer dans l’ère du scaling à zéro intelligent !</strong></p>
<h3 id="comprendre-le-probleme">Comprendre le Problème<a class="headerlink" href="#comprendre-le-probleme" title="Permanent link">¶</a></h3>
<p>Considérons un environnement de développement ou de test. Un “opérateur” pourrait allumer l’environnement avant son utilisation et l’éteindre (scaling à zéro) après. Cependant, l’approche DevOps vise à automatiser ces processus pour éliminer les interventions manuelles.</p>
<p>Le défi réside dans la recherche d’une solution automatique pour gérer le scaling de manière dynamique, en s’adaptant aux fluctuations de la demande. Nous voulons que l’environnement soit disponible immédiatement lorsqu’il est nécessaire, sans que les utilisateurs ne subissent de délai d’attente.</p>
<h3 id="la-solution-autoscaling-pilote-par-les-evenements">La Solution : Autoscaling piloté par les Événements<a class="headerlink" href="#la-solution-autoscaling-pilote-par-les-evenements" title="Permanent link">¶</a></h3>
<p>L’autoscaling basé sur les événements est la clé pour concilier économies de ressources et disponibilité immédiate. L’idée est de surveiller le trafic HTTP vers les pods Kubernetes et de déclencher automatiquement le scaling (augmenter le nombre de pods) lorsque les demandes ne trouvent pas de destinations.</p>
<h4 id="fonctionnement-du-systeme">Fonctionnement du Système<a class="headerlink" href="#fonctionnement-du-systeme" title="Permanent link">¶</a></h4>
<ol>
<li><strong>Détection des Événements:</strong> Istio, un outil de gestion de trafic, surveille le trafic HTTP vers vos pods Kubernetes.</li>
<li><strong>Collecte de Données:</strong> Prometheus, un système de monitoring, collecte les données de trafic provenant d’Istio.</li>
<li><strong>Génération d’Alertes:</strong> Alertmanager analyse les données de Prometheus et déclenche des alertes lorsque le trafic HTTP dépasse un seuil défini.</li>
<li><strong>Action Automatique:</strong> Les alertes d’Alertmanager déclenchent des playbooks Ansible via Event Driven Ansible, qui lancent automatiquement les pods Kubernetes.</li>
<li><strong>Arrêt Automatique:</strong> Lorsqu’il n’y a plus de trafic HTTP pendant une période définie, Alertmanager déclenche un autre playbook Ansible qui arrête les pods.</li>
</ol>
<p><img alt="Architecture" src="/images/2024-scaleto0-with-event-driven-ansible/2024-scaleto0-with-event-driven-ansible_archi0.drawio.png" /></p>
<p><img alt="Sequences" src="/images/2024-scaleto0-with-event-driven-ansible/2024-scaleto0-with-event-driven-ansible_sequences.png" /></p>
<h2 id="mise-en-place-de-la-plateforme">Mise en place de la plateforme<a class="headerlink" href="#mise-en-place-de-la-plateforme" title="Permanent link">¶</a></h2>
<h3 id="installation-de-kubernetesistio">Installation de kubernetes+istio<a class="headerlink" href="#installation-de-kubernetesistio" title="Permanent link">¶</a></h3>
<p>Nous utiliserons Google Kubernetes Engine (GKE) avec Node-Autoscaling, qui s’occupe automatiquement de la mise à l’échelle des nœuds. Cela permet d’optimiser les ressources facturables en fonction du nombre de pods en cours d’exécution.</p>
<div class="highlight"><pre><span></span><code>gcloud<span class="w"> </span>compute<span class="w"> </span>networks<span class="w"> </span>create<span class="w"> </span>scaleto0-vpc<span class="w"> </span>--project<span class="w"> </span><span class="nv">$PROJECT_ID</span>
gcloud<span class="w"> </span>container<span class="w"> </span>clusters<span class="w"> </span>create<span class="w"> </span>scaleto0-demo<span class="w"> </span><span class="se">\</span>
<span class="w"> </span>--enable-autoscaling<span class="w"> </span><span class="se">\</span>
<span class="w"> </span>--num-nodes<span class="w"> </span><span class="m">1</span><span class="w"> </span><span class="se">\</span>
<span class="w"> </span>--min-nodes<span class="w"> </span><span class="m">1</span><span class="w"> </span><span class="se">\</span>
<span class="w"> </span>--max-nodes<span class="w"> </span><span class="m">3</span><span class="w"> </span><span class="se">\</span>
<span class="w"> </span>--network<span class="w"> </span>scaleto0-vpc<span class="w"> </span><span class="se">\</span>
<span class="w"> </span>--project<span class="w"> </span><span class="nv">$PROJECT_ID</span><span class="w"> </span><span class="se">\</span>
<span class="w"> </span>--release-channel<span class="o">=</span>regular<span class="w"> </span><span class="se">\</span>
<span class="w"> </span>--zone<span class="o">=</span><span class="si">${</span><span class="nv">REGION</span><span class="si">}</span>-b
gcloud<span class="w"> </span>container<span class="w"> </span>clusters<span class="w"> </span>get-credentials<span class="w"> </span>scaleto0-demo<span class="w"> </span><span class="se">\</span>
<span class="w"> </span>--zone<span class="o">=</span><span class="si">${</span><span class="nv">REGION</span><span class="si">}</span>-b<span class="w"> </span><span class="se">\</span>
<span class="w"> </span>--project<span class="o">=</span><span class="nv">$PROJECT_ID</span>
</code></pre></div>
<p>Ensuite, nous installerons Istio pour la gestion du trafic :</p>
<div class="highlight"><pre><span></span><code>curl<span class="w"> </span>-L<span class="w"> </span>https://istio.io/downloadIstio<span class="w"> </span><span class="p">|</span><span class="w"> </span>sh<span class="w"> </span>-
<span class="nb">cd</span><span class="w"> </span>istio-<<VERSION>>
./bin/istioctl<span class="w"> </span>install<span class="w"> </span>--set<span class="w"> </span><span class="nv">profile</span><span class="o">=</span>demo<span class="w"> </span>-y
</code></pre></div>
<p>Vérifiez l’installation d’Istio :</p>
<div class="highlight"><pre><span></span><code><span class="c1"># Vérifier l'état des pods</span>
kubectl<span class="w"> </span>get<span class="w"> </span>pods<span class="w"> </span>-n<span class="w"> </span>istio-system
<span class="c1"># Vérifier l'état des services et s'assurer qu'un LB externe est créé pour istio-ingressgateway</span>
kubectl<span class="w"> </span>get<span class="w"> </span>svc<span class="w"> </span>-n<span class="w"> </span>istio-system
</code></pre></div>
<h3 id="installation-du-monitoring-prometheus-alertmanager">Installation du monitoring : Prometheus / Alertmanager<a class="headerlink" href="#installation-du-monitoring-prometheus-alertmanager" title="Permanent link">¶</a></h3>
<p>Dans cet article nous réaliserons l’installation d’un système de surveillance minimaliste pour Istio, en se concentrant uniquement sur la surveillance d’Istio lui-même, sans surveiller les serveurs, les CPU ou la RAM. Nous utiliserons un chart Helm pour une installation simplifiée et maintiendrons la cohérence avec le reste de l’article en utilisant l’espace de noms <code>istio-system</code>.</p>
<div class="highlight"><pre><span></span><code>helm<span class="w"> </span>upgrade<span class="w"> </span>-i<span class="w"> </span>-n<span class="w"> </span>istio-system<span class="w"> </span>prometheus<span class="w"> </span>prometheus-community/prometheus<span class="w"> </span>-f<span class="w"> </span>-<span class="w"> </span><span class="s"><< EOF</span>
<span class="s">---</span>
<span class="s"># prometheus_values.yaml</span>
<span class="s">rbac:</span>
<span class="s"> create: true</span>
<span class="s">configmapReload:</span>
<span class="s"> prometheus:</span>
<span class="s"> enabled: false</span>
<span class="s">server:</span>
<span class="s"> namespaces:</span>
<span class="s"> - istio-system</span>
<span class="s"> resources:</span>
<span class="s"> limits:</span>
<span class="s"> cpu: 100m</span>
<span class="s"> memory: 512Mi</span>
<span class="s"> requests:</span>
<span class="s"> cpu: 100m</span>
<span class="s"> memory: 512Mi</span>
<span class="s"> global:</span>
<span class="s"> scrape_interval: 1s</span>
<span class="s"> scrape_timeout: 1s</span>
<span class="s"> evaluation_interval: 2s</span>
<span class="s">serverFiles:</span>
<span class="s"> prometheus.yml:</span>
<span class="s"> rule_files:</span>
<span class="s"> - /etc/config/recording_rules.yml</span>
<span class="s"> - /etc/config/alerting_rules.yml</span>
<span class="s"> scrape_configs:</span>
<span class="s"> - job_name: 'istiod'</span>
<span class="s"> kubernetes_sd_configs:</span>
<span class="s"> - role: pod</span>
<span class="s"> relabel_configs:</span>
<span class="s"> - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]</span>
<span class="s"> action: keep</span>
<span class="s"> regex: true</span>
<span class="s"> - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape_slow]</span>
<span class="s"> action: drop</span>
<span class="s"> regex: true</span>
<span class="s"> - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scheme]</span>
<span class="s"> action: replace</span>
<span class="s"> regex: (https?)</span>
<span class="s"> target_label: __scheme__</span>
<span class="s"> - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]</span>
<span class="s"> action: replace</span>
<span class="s"> target_label: __metrics_path__</span>
<span class="s"> regex: (.+)</span>
<span class="s"> - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_port, __meta_kubernetes_pod_ip]</span>
<span class="s"> action: replace</span>
<span class="s"> regex: (\\d+);(([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4})</span>
<span class="s"> replacement: '[\$2]:\$1'</span>
<span class="s"> target_label: __address__</span>
<span class="s"> - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_port, __meta_kubernetes_pod_ip]</span>
<span class="s"> action: replace</span>
<span class="s"> regex: (\\d+);((([0-9]+?)(\\.|$)){4})</span>
<span class="s"> replacement: \$2:\$1</span>
<span class="s"> target_label: __address__</span>
<span class="s"> - action: labelmap</span>
<span class="s"> regex: __meta_kubernetes_pod_annotation_prometheus_io_param_(.+)</span>
<span class="s"> replacement: __param_$1</span>
<span class="s"> - action: labelmap</span>
<span class="s"> regex: __meta_kubernetes_pod_label_(.+)</span>
<span class="s"> - source_labels: [__meta_kubernetes_namespace]</span>
<span class="s"> action: replace</span>
<span class="s"> target_label: namespace</span>
<span class="s"> - source_labels: [__meta_kubernetes_pod_name]</span>
<span class="s"> action: replace</span>
<span class="s"> target_label: pod</span>
<span class="s"> - source_labels: [__meta_kubernetes_pod_phase]</span>
<span class="s"> regex: Pending|Succeeded|Failed|Completed</span>
<span class="s"> action: drop</span>
<span class="s"> - source_labels: [__meta_kubernetes_pod_node_name]</span>
<span class="s"> action: replace</span>
<span class="s"> target_label: node</span>
<span class="s">alertmanager:</span>
<span class="s"> enabled: true</span>
<span class="s">kube-state-metrics:</span>
<span class="s"> enabled: false</span>
<span class="s">prometheus-node-exporter:</span>
<span class="s"> enabled: false</span>
<span class="s">prometheus-pushgateway:</span>
<span class="s"> enabled: false</span>
<span class="s">EOF</span>
</code></pre></div>
<div class="highlight"><pre><span></span><code>kubectl<span class="w"> </span>create<span class="w"> </span>clusterrole<span class="w"> </span>prometheus-server<span class="w"> </span>--verb<span class="o">=</span>get,list,watch<span class="w"> </span>--resource<span class="o">=</span>pods,endpoints,services,nodes,namespaces<span class="w"> </span>
kubectl<span class="w"> </span>create<span class="w"> </span>clusterrolebinding<span class="w"> </span>prometheus-server<span class="w"> </span>--clusterrole<span class="o">=</span>prometheus-server<span class="w"> </span>--serviceaccount<span class="o">=</span>istio-system:prometheus-server
</code></pre></div>
<p>Pour tester le système de monitoring, nous pouvons utiliser la commande suivante afin de rediriger http://localhost:9090 vers le pod Prometheus :</p>
<div class="highlight"><pre><span></span><code>kubectl --namespace istio-system port-forward $(kubectl get pods --namespace istio-system -l "app.kubernetes.io/name=prometheus,app.kubernetes.io/instance=prometheus" -o jsonpath="{.items[0].metadata.name}") 9090
</code></pre></div>
<p>Ouvrez ensuite un navigateur web à l’adresse : http://localhost:9090</p>
<p><img alt="Prometheus" src="/images/2024-scaleto0-with-event-driven-ansible/2024-scaleto0-with-event-driven-ansible_prometheus0.png" /></p>
<h3 id="installation-dune-application">Installation d’une application<a class="headerlink" href="#installation-dune-application" title="Permanent link">¶</a></h3>
<p>Pour simuler une application dans notre démo, nous allons utiliser “whoami” qui se contente de renvoyer la requête HTTP qu’il reçoit.
Si cela fonctionne avec “whoami”, on pourra appliquer le meme principe sur tous les déploiements du cluster Kubernetes.</p>
<p>Créons un fichier YAML pour le déploiement, comme suit :</p>
<p>Ce code YAML décrit la configuration d’un déploiement Kubernetes pour une application nommée “whoami”.</p>
<ul>
<li><strong>Déploiement “whoami”</strong>: Définit un déploiement avec le nom “whoami” qui utilise l’image Docker “traefik/whoami:latest”. Il indique que le déploiement devrait avoir 1 “replica” (scaling à 1).</li>
<li><strong>Service “whoami”</strong>: Définit un service Kubernetes nommé “whoami” qui se connecte à des pods avec l’étiquette “app: whoami”. Expose le port 80 du service, qui se redirige vers le port 80 du conteneur.</li>
</ul>
<div class="highlight"><pre><span></span><code><span class="l l-Scalar l-Scalar-Plain">kubectl create ns whoami</span>
<span class="l l-Scalar l-Scalar-Plain">kubectl label namespace whoami istio-injection=enabled</span>
<span class="l l-Scalar l-Scalar-Plain">kubectl apply -n whoami -f - <<EOF</span>
<span class="l l-Scalar l-Scalar-Plain"># whoami_deployment.yaml</span>
<span class="nn">---</span>
<span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">apps/v1</span>
<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Deployment</span>
<span class="nt">metadata</span><span class="p">:</span>
<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">whoami</span>
<span class="w"> </span><span class="nt">annotations</span><span class="p">:</span>
<span class="w"> </span><span class="s">"sidecar.istio.io/proxyCPU"</span><span class="p p-Indicator">:</span><span class="w"> </span><span class="s">"500m"</span>
<span class="w"> </span><span class="s">"sidecar.istio.io/proxyMemory"</span><span class="p p-Indicator">:</span><span class="w"> </span><span class="s">"512Mi"</span>
<span class="nt">spec</span><span class="p">:</span>
<span class="w"> </span><span class="nt">selector</span><span class="p">:</span>
<span class="w"> </span><span class="nt">matchLabels</span><span class="p">:</span>
<span class="w"> </span><span class="nt">app</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">whoami</span>
<span class="w"> </span><span class="nt">replicas</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">1</span>
<span class="w"> </span><span class="nt">template</span><span class="p">:</span>
<span class="w"> </span><span class="nt">metadata</span><span class="p">:</span>
<span class="w"> </span><span class="nt">labels</span><span class="p">:</span>
<span class="w"> </span><span class="nt">app</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">whoami</span>
<span class="w"> </span><span class="nt">spec</span><span class="p">:</span>
<span class="w"> </span><span class="nt">containers</span><span class="p">:</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">master</span>
<span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">traefik/whoami:latest</span>
<span class="w"> </span><span class="nt">resources</span><span class="p">:</span>
<span class="w"> </span><span class="nt">requests</span><span class="p">:</span>
<span class="w"> </span><span class="nt">cpu</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">500m</span>
<span class="w"> </span><span class="nt">memory</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">512Mi</span>
<span class="w"> </span><span class="nt">limits</span><span class="p">:</span>
<span class="w"> </span><span class="nt">cpu</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">500m</span>
<span class="w"> </span><span class="nt">memory</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">512Mi</span>
<span class="w"> </span><span class="nt">ports</span><span class="p">:</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">containerPort</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">80</span>
<span class="nn">---</span>
<span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span>
<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Service</span>
<span class="nt">metadata</span><span class="p">:</span>
<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">whoami</span>
<span class="w"> </span><span class="nt">labels</span><span class="p">:</span>
<span class="w"> </span><span class="nt">app</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">whoami</span>
<span class="nt">spec</span><span class="p">:</span>
<span class="w"> </span><span class="nt">ports</span><span class="p">:</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">port</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">80</span>
<span class="w"> </span><span class="nt">targetPort</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">80</span>
<span class="w"> </span><span class="nt">selector</span><span class="p">:</span>
<span class="w"> </span><span class="nt">app</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">whoami</span>
<span class="l l-Scalar l-Scalar-Plain">EOF</span>
</code></pre></div>
<p>Et exposons ce service via Istio :</p>
<div class="highlight"><pre><span></span><code><span class="l l-Scalar l-Scalar-Plain">kubectl apply -n whoami -f - <<EOF</span>
<span class="l l-Scalar l-Scalar-Plain">apiVersion</span><span class="p p-Indicator">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">networking.istio.io/v1alpha3</span>
<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Gateway</span>
<span class="nt">metadata</span><span class="p">:</span>
<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">whoami-gateway</span>
<span class="nt">spec</span><span class="p">:</span>
<span class="w"> </span><span class="c1"># The selector matches the ingress gateway pod labels.</span>
<span class="w"> </span><span class="c1"># If you installed Istio using Helm following the standard documentation, this would be "istio=ingress"</span>
<span class="w"> </span><span class="nt">selector</span><span class="p">:</span>
<span class="w"> </span><span class="nt">istio</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ingressgateway</span>
<span class="w"> </span><span class="nt">servers</span><span class="p">:</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">port</span><span class="p">:</span>
<span class="w"> </span><span class="nt">number</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">80</span>
<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">http</span>
<span class="w"> </span><span class="nt">protocol</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">HTTP</span>
<span class="w"> </span><span class="nt">hosts</span><span class="p">:</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="s">"*"</span>
<span class="nn">---</span>
<span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">networking.istio.io/v1alpha3</span>
<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">VirtualService</span>
<span class="nt">metadata</span><span class="p">:</span>
<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">whoami</span>
<span class="nt">spec</span><span class="p">:</span>
<span class="w"> </span><span class="nt">hosts</span><span class="p">:</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="s">"*"</span>
<span class="w"> </span><span class="nt">gateways</span><span class="p">:</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">whoami-gateway</span>
<span class="w"> </span><span class="nt">http</span><span class="p">:</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">match</span><span class="p">:</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">uri</span><span class="p">:</span>
<span class="w"> </span><span class="nt">prefix</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/</span>
<span class="w"> </span><span class="nt">route</span><span class="p">:</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">destination</span><span class="p">:</span>
<span class="w"> </span><span class="nt">port</span><span class="p">:</span>
<span class="w"> </span><span class="nt">number</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">80</span>
<span class="w"> </span><span class="nt">host</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">whoami</span>
<span class="w"> </span><span class="nt">retries</span><span class="p">:</span>
<span class="w"> </span><span class="nt">attempts</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">15</span>
<span class="w"> </span><span class="nt">perTryTimeout</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">2s</span>
<span class="l l-Scalar l-Scalar-Plain">EOF</span>
</code></pre></div>
<p>Test de l’application</p>
<div class="highlight"><pre><span></span><code><span class="n">INGRESS_HOST</span><span class="o">=$</span><span class="p">(</span><span class="n">kubectl</span><span class="w"> </span><span class="n">get</span><span class="w"> </span><span class="n">svc</span><span class="w"> </span><span class="o">-</span><span class="n">n</span><span class="w"> </span><span class="n">istio</span><span class="o">-</span><span class="n">system</span><span class="w"> </span><span class="n">istio</span><span class="o">-</span><span class="n">ingressgateway</span><span class="w"> </span><span class="o">-</span><span class="n">o</span><span class="w"> </span><span class="n">jsonpath</span><span class="o">=</span><span class="s2">"{.status.loadBalancer.ingress[0].ip}"</span><span class="w"> </span><span class="p">)</span>
<span class="n">curl</span><span class="w"> </span><span class="o">-</span><span class="n">s</span><span class="w"> </span><span class="o">-</span><span class="n">I</span><span class="w"> </span><span class="o">-</span><span class="n">HHost</span><span class="p">:</span><span class="n">whoami</span><span class="o">.</span><span class="n">scaleto0</span><span class="o">.</span><span class="n">demo</span><span class="w"> </span><span class="s2">"http://$INGRESS_HOST/"</span>
<span class="n">HTTP</span><span class="o">/</span><span class="mf">1.1</span><span class="w"> </span><span class="mi">200</span><span class="w"> </span><span class="n">OK</span>
<span class="n">date</span><span class="p">:</span><span class="w"> </span><span class="n">Thu</span><span class="p">,</span><span class="w"> </span><span class="mi">30</span><span class="w"> </span><span class="n">May</span><span class="w"> </span><span class="mi">2024</span><span class="w"> </span><span class="mi">20</span><span class="p">:</span><span class="mi">21</span><span class="p">:</span><span class="mi">32</span><span class="w"> </span><span class="n">GMT</span>
<span class="n">content</span><span class="o">-</span><span class="n">length</span><span class="p">:</span><span class="w"> </span><span class="mi">570</span>
<span class="n">content</span><span class="o">-</span><span class="n">type</span><span class="p">:</span><span class="w"> </span><span class="n">text</span><span class="o">/</span><span class="n">plain</span><span class="p">;</span><span class="w"> </span><span class="n">charset</span><span class="o">=</span><span class="n">utf</span><span class="o">-</span><span class="mi">8</span>
<span class="n">x</span><span class="o">-</span><span class="n">envoy</span><span class="o">-</span><span class="n">upstream</span><span class="o">-</span><span class="n">service</span><span class="o">-</span><span class="n">time</span><span class="p">:</span><span class="w"> </span><span class="mi">1073</span>
<span class="n">server</span><span class="p">:</span><span class="w"> </span><span class="n">istio</span><span class="o">-</span><span class="n">envoy</span>
</code></pre></div>
<p>Downscaling de l’application</p>
<div class="highlight"><pre><span></span><code>kubectl<span class="w"> </span>-n<span class="w"> </span>whoami<span class="w"> </span>scale<span class="w"> </span>deployment<span class="w"> </span>whoami<span class="w"> </span>--replicas<span class="o">=</span><span class="m">0</span>
</code></pre></div>
<p>L’appliation une fois coupé (down) ne devrait plus fonctionner : Indisponnibilité de l’application</p>
<div class="highlight"><pre><span></span><code><span class="nx">curl</span><span class="w"> </span><span class="o">-</span><span class="nx">s</span><span class="w"> </span><span class="o">-</span><span class="nx">I</span><span class="w"> </span><span class="o">-</span><span class="nx">HHost</span><span class="p">:</span><span class="nx">whoami</span><span class="p">.</span><span class="nx">scaleto0</span><span class="p">.</span><span class="nx">demo</span><span class="w"> </span><span class="s">"http://$INGRESS_HOST:$INGRESS_PORT/"</span>
<span class="nx">HTTP</span><span class="o">/</span><span class="m m-Double">1.1</span><span class="w"> </span><span class="mi">503</span><span class="w"> </span><span class="nx">Service</span><span class="w"> </span><span class="nx">Unavailable</span>
<span class="nx">content</span><span class="o">-</span><span class="nx">length</span><span class="p">:</span><span class="w"> </span><span class="mi">19</span>
<span class="nx">content</span><span class="o">-</span><span class="k">type</span><span class="p">:</span><span class="w"> </span><span class="nx">text</span><span class="o">/</span><span class="nx">plain</span>
<span class="nx">date</span><span class="p">:</span><span class="w"> </span><span class="nx">Thu</span><span class="p">,</span><span class="w"> </span><span class="mi">30</span><span class="w"> </span><span class="nx">May</span><span class="w"> </span><span class="mi">2024</span><span class="w"> </span><span class="mi">20</span><span class="p">:</span><span class="mi">22</span><span class="p">:</span><span class="mi">56</span><span class="w"> </span><span class="nx">GMT</span>
<span class="nx">server</span><span class="p">:</span><span class="w"> </span><span class="nx">istio</span><span class="o">-</span><span class="nx">envoy</span>
</code></pre></div>
<p><img alt="Prometheus" src="/images/2024-scaleto0-with-event-driven-ansible/2024-scaleto0-with-event-driven-ansible_app503.png" /></p>
<h2 id="event-drivent-ansible">Event drivent Ansible<a class="headerlink" href="#event-drivent-ansible" title="Permanent link">¶</a></h2>
<p>En suivant la documentation de Redhat, nous allons construire une image de conteneur pour servir notre rulebook. Voici le fichier Dockerfile qui crée un conteneur pour lancer la commande “ansible-rulebook”.</p>
<div class="highlight"><pre><span></span><code>cat<span class="w"> </span>><span class="w"> </span>Dockerfile<span class="w"> </span><span class="s"><< EOF</span>
<span class="s">FROM debian:latest</span>
<span class="s">RUN apt-get update && \</span>
<span class="s"> apt-get --assume-yes install openjdk-17-jdk python3-pip python3-psycopg && \</span>
<span class="s"> pip3 install ansible ansible-rulebook ansible-runner kubernetes --break-system-packages</span>
<span class="s">RUN mkdir /app && \</span>
<span class="s"> useradd -u 1001 -ms /bin/bash ansible && \</span>
<span class="s"> chown ansible:root /app</span>
<span class="s">WORKDIR /app</span>
<span class="s">USER ansible</span>
<span class="s">RUN ansible-galaxy collection install ansible.eda</span>
<span class="s">ENTRYPOINT ["ansible-rulebook", "-r", "/app/rules.yaml", "-i", "/app/inventory.yml", "-S", "/app"]</span>
<span class="s">EOF</span>
</code></pre></div>
<p>Nous pouvons construire et enregistrer notre image dans artifact-registry de Google :</p>
<div class="highlight"><pre><span></span><code><span class="c1"># Creation du repository</span>
gcloud<span class="w"> </span>artifacts<span class="w"> </span>repositories<span class="w"> </span>create<span class="w"> </span>scaleto0-demo-repo<span class="w"> </span>--repository-format<span class="o">=</span>docker<span class="w"> </span><span class="se">\</span>
<span class="w"> </span>--location<span class="o">=</span><span class="nv">$REGION</span><span class="w"> </span>--description<span class="o">=</span><span class="s2">"Docker scaleto0 Demo repository"</span>
<span class="c1"># Creation de l'image</span>
gcloud<span class="w"> </span>builds<span class="w"> </span>submit<span class="w"> </span>--region<span class="o">=</span><span class="nv">$REGION</span><span class="w"> </span>--tag<span class="w"> </span><span class="nv">$REGION</span>-docker.pkg.dev/<span class="nv">$PROJECT_ID</span>/scaleto0-demo-repo/rulebook-scaleto0-demo:v1
</code></pre></div>
<p>Ce conteneur sera déployé dans Kubernetes. Nous allons surcharger le fichier <code>/app/rules.yaml</code> pour y inclure nos règles et playbooks, notamment pour le scaling.</p>
<h2 id="mise-en-oeuvre-de-eda-dans-le-cluster">Mise en oeuvre de EDA dans le cluster<a class="headerlink" href="#mise-en-oeuvre-de-eda-dans-le-cluster" title="Permanent link">¶</a></h2>
<h3 id="construction-dun-playbook-pour-le-scaling">Construction d’un playbook pour le scaling<a class="headerlink" href="#construction-dun-playbook-pour-le-scaling" title="Permanent link">¶</a></h3>
<p>Ansible, un langage puissant pour la manipulation de composants d’infrastructure, nous permetant de créer un “playbook” qui permettra de scaller le déploiement Kubernetes.</p>
<div class="highlight"><pre><span></span><code>cat<span class="w"> </span>><span class="w"> </span>scale-deployment.yaml<span class="w"> </span><span class="s"><< EOF</span>
<span class="s">---</span>
<span class="s">- hosts: localhost</span>
<span class="s"> connection: local</span>
<span class="s"> gather_facts: false</span>
<span class="s"> tasks:</span>
<span class="s"> - name: Scale deployment up</span>
<span class="s"> kubernetes.core.k8s_scale:</span>
<span class="s"> api_version: v1</span>
<span class="s"> kind: Deployment</span>
<span class="s"> name: "{{ deployment_name }}"</span>
<span class="s"> namespace: "{{ namespace }}"</span>
<span class="s"> replicas: "{{ num_replicas }}"</span>
<span class="s"> wait_timeout: 60</span>
<span class="s">EOF</span>
</code></pre></div>
<p>Nous pouvons tester le playbook avec la commande ci-dessous :</p>
<div class="highlight"><pre><span></span><code>ansible-playbook<span class="w"> </span>-e<span class="w"> </span><span class="s1">'{"deployment_name":"whoami", "namespace":"whoami", "num_replicas": "1"}'</span><span class="w"> </span>scale-deployment.yaml
</code></pre></div>
<p>Ensuite, créons un fichier <code>rules.yaml</code> pour définir l’interface entre le monitoring et le playbook de scaling.</p>
<div class="highlight"><pre><span></span><code><span class="n">cat</span><span class="w"> </span><span class="o">></span><span class="w"> </span><span class="n">rules</span><span class="o">.</span><span class="n">yaml</span><span class="w"> </span><span class="o"><<</span><span class="w"> </span><span class="n">EOF</span>
<span class="o">-</span><span class="w"> </span><span class="n">name</span><span class="p">:</span><span class="w"> </span><span class="n">Scale</span><span class="w"> </span><span class="n">deployment</span><span class="w"> </span><span class="n">up</span>
<span class="w"> </span><span class="n">hosts</span><span class="p">:</span><span class="w"> </span><span class="n">localhost</span>
<span class="w"> </span><span class="n">gather_facts</span><span class="p">:</span><span class="w"> </span><span class="bp">false</span>
<span class="w"> </span><span class="n">sources</span><span class="p">:</span>
<span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">name</span><span class="p">:</span><span class="w"> </span><span class="n">webhook</span>
<span class="w"> </span><span class="n">ansible</span><span class="o">.</span><span class="n">eda</span><span class="o">.</span><span class="n">webhook</span><span class="p">:</span>
<span class="w"> </span><span class="n">port</span><span class="p">:</span><span class="w"> </span><span class="mi">5000</span>
<span class="w"> </span><span class="n">rules</span><span class="p">:</span>
<span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">name</span><span class="p">:</span><span class="w"> </span><span class="n">whoami</span>
<span class="w"> </span><span class="n">condition</span><span class="p">:</span><span class="w"> </span><span class="bp">true</span>
<span class="w"> </span><span class="n">actions</span><span class="p">:</span>
<span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="n">run_playbook</span><span class="p">:</span>
<span class="w"> </span><span class="n">name</span><span class="p">:</span><span class="w"> </span><span class="n">scale</span><span class="o">-</span><span class="n">deployment</span><span class="o">.</span><span class="n">yaml</span>
<span class="w"> </span><span class="n">extra_vars</span><span class="p">:</span>
<span class="w"> </span><span class="n">deployment_name</span><span class="p">:</span><span class="w"> </span><span class="n">whoami</span>
<span class="w"> </span><span class="n">namespace</span><span class="p">:</span><span class="w"> </span><span class="n">whoami</span>
<span class="w"> </span><span class="n">num_replicas</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span>
<span class="n">EOF</span>
<span class="n">cat</span><span class="w"> </span><span class="o">></span><span class="w"> </span><span class="n">inventory</span><span class="o">.</span><span class="n">yml</span><span class="w"> </span><span class="o"><<</span><span class="w"> </span><span class="n">EOF</span>
<span class="n">ungrouped</span><span class="p">:</span>
<span class="w"> </span><span class="n">hosts</span><span class="p">:</span>
<span class="w"> </span><span class="n">localhost</span><span class="p">:</span>
<span class="w"> </span><span class="n">ansible_connection</span><span class="p">:</span><span class="w"> </span><span class="n">local</span>
<span class="n">EOF</span>
</code></pre></div>
<p>Injecter le playbook dans Kubernetes :</p>
<div class="highlight"><pre><span></span><code>kubectl<span class="w"> </span>create<span class="w"> </span>ns<span class="w"> </span>ansible-rulebook
kubectl<span class="w"> </span>create<span class="w"> </span>-n<span class="w"> </span>ansible-rulebook<span class="w"> </span>configmap<span class="w"> </span>ansible-rulebook-config<span class="w"> </span>--from-file<span class="o">=</span>.
</code></pre></div>
<p>Démarrer le conteneur:</p>
<div class="highlight"><pre><span></span><code>kubectl<span class="w"> </span>-n<span class="w"> </span>ansible-rulebook<span class="w"> </span>apply<span class="w"> </span>-f<span class="w"> </span>-<span class="w"> </span><span class="s"><< EOF</span>
<span class="s"># ansible-rulebook_deployment.yaml</span>
<span class="s">---</span>
<span class="s">apiVersion: apps/v1</span>
<span class="s">kind: Deployment</span>
<span class="s">metadata:</span>
<span class="s"> name: ansible-rulebook</span>
<span class="s">spec:</span>
<span class="s"> selector:</span>
<span class="s"> matchLabels:</span>
<span class="s"> app: ansible-rulebook</span>
<span class="s"> replicas: 1</span>
<span class="s"> template:</span>
<span class="s"> metadata:</span>
<span class="s"> labels:</span>
<span class="s"> app: ansible-rulebook</span>
<span class="s"> spec:</span>
<span class="s"> containers:</span>
<span class="s"> - name: master</span>
<span class="s"> image: $REGION-docker.pkg.dev/$PROJECT_ID/scaleto0-demo-repo/rulebook-scaleto0-demo:v1</span>
<span class="s"> resources:</span>
<span class="s"> requests:</span>
<span class="s"> cpu: 100m</span>
<span class="s"> memory: 128Mi</span>
<span class="s"> limits:</span>
<span class="s"> cpu: 500m</span>
<span class="s"> memory: 512Mi</span>
<span class="s"> ports:</span>
<span class="s"> - containerPort: 5000</span>
<span class="s"> volumeMounts:</span>
<span class="s"> - name: config</span>
<span class="s"> mountPath: /app</span>
<span class="s"> volumes:</span>
<span class="s"> - name: config</span>
<span class="s"> configMap:</span>
<span class="s"> name: ansible-rulebook-config</span>
<span class="s">---</span>
<span class="s">apiVersion: v1</span>
<span class="s">kind: Service</span>
<span class="s">metadata:</span>
<span class="s"> name: ansible-rulebook</span>
<span class="s"> labels:</span>
<span class="s"> app: ansible-rulebook</span>
<span class="s">spec:</span>
<span class="s"> ports:</span>
<span class="s"> - port: 5000</span>
<span class="s"> targetPort: 5000</span>
<span class="s"> selector:</span>
<span class="s"> app: ansible-rulebook</span>
<span class="s">EOF</span>
</code></pre></div>
<p>Accorder des droits à <code>ansible-rulebook</code> pour interagir avec Kubernetes :</p>
<div class="highlight"><pre><span></span><code>kubectl<span class="w"> </span>apply<span class="w"> </span>-f<span class="w"> </span>-<span class="w"> </span><span class="s"><< EOF</span>
<span class="s"># ansible-rulebook_clusterrole.yaml</span>
<span class="s">---</span>
<span class="s">apiVersion: rbac.authorization.k8s.io/v1</span>
<span class="s">kind: ClusterRole</span>
<span class="s">metadata:</span>
<span class="s"> creationTimestamp: "2024-05-31T19:01:36Z"</span>
<span class="s"> name: deployment-scaler</span>
<span class="s">rules:</span>
<span class="s">- apiGroups:</span>
<span class="s"> - apps</span>
<span class="s"> resources:</span>
<span class="s"> - deployments/scale</span>
<span class="s"> - deployments</span>
<span class="s"> verbs:</span>
<span class="s"> - get</span>
<span class="s"> - list</span>
<span class="s"> - patch</span>
<span class="s"> - update</span>
<span class="s">EOF</span>
</code></pre></div>
<p>Enfin, mapper le rôle ansible-rulebook au déploiement :</p>
<div class="highlight"><pre><span></span><code>kubectl<span class="w"> </span>create<span class="w"> </span>clusterrolebinding<span class="w"> </span>deployment-scaler<span class="w"> </span>--clusterrole<span class="o">=</span>deployment-scaler<span class="w"> </span>--serviceaccount<span class="o">=</span>ansible-rulebook:default
</code></pre></div>
<h3 id="integration-avec-la-supervision">Intégration avec la supervision<a class="headerlink" href="#integration-avec-la-supervision" title="Permanent link">¶</a></h3>
<p>Il faut connecter Alertmanager à Ansible rulebook. Pour ce faire, mettons à jour la configuration d’Alertmanager pour qu’elle envoie ses alertes vers le rulebook.</p>
<div class="highlight"><pre><span></span><code>kubectl<span class="w"> </span>patch<span class="w"> </span>-n<span class="w"> </span>istio-system<span class="w"> </span>configmap<span class="w"> </span>prometheus-alertmanager<span class="w"> </span>--type<span class="w"> </span>merge<span class="w"> </span>-p<span class="w"> </span><span class="s2">"</span>
<span class="s2">data:</span>
<span class="s2"> alertmanager.yml: |</span>
<span class="s2"> global: {}</span>
<span class="s2"> receivers:</span>
<span class="s2"> - name: default-receiver</span>
<span class="s2"> webhook_configs:</span>
<span class="s2"> - url: http://ansible-rulebook.ansible-rulebook.svc.cluster.local:5000/endpoint</span>
<span class="s2"> route:</span>
<span class="s2"> group_interval: 5s</span>
<span class="s2"> group_wait: 10s</span>
<span class="s2"> receiver: default-receiver</span>
<span class="s2"> repeat_interval: 5m</span>
<span class="s2"> templates:</span>
<span class="s2"> - /etc/alertmanager/*.tmpl</span>
<span class="s2">"</span>
</code></pre></div>
<p>Relancer les pods de monitoring pour prendre en compte le nouveau configmap :</p>
<div class="highlight"><pre><span></span><code>kubectl -n istio-system rollout restart statefulset/prometheus-alertmanager
</code></pre></div>
<h3 id="creation-de-lalerte-de-supervision">Création de l’alerte de supervision<a class="headerlink" href="#creation-de-lalerte-de-supervision" title="Permanent link">¶</a></h3>
<p>Créons une alerte de supervision qui détectera les erreurs 503 dans Prometheus et déclenchera le “rulebook” Ansible.</p>
<p>Étant donné que Prometheus est installé avec Helm, nous mettrons à jour la configuration statique pour injecter l’alerte. Dans un environnement de production, les alertes seraient injectées via l’opérateur et les CRD “PrometheusRules”.</p>
<div class="highlight"><pre><span></span><code>kubectl<span class="w"> </span>patch<span class="w"> </span>-n<span class="w"> </span>istio-system<span class="w"> </span>configmap<span class="w"> </span>prometheus-server<span class="w"> </span>--type<span class="w"> </span>merge<span class="w"> </span>-p<span class="w"> </span><span class="s2">"</span>
<span class="s2">data:</span>
<span class="s2"> alerting_rules.yml: |</span>
<span class="s2"> groups:</span>
<span class="s2"> - name: DeploymentDown</span>
<span class="s2"> rules:</span>
<span class="s2"> - alert: DeploymentDown</span>
<span class="s2"> expr: sum by (destination_service_name) (rate(istio_requests_total{response_code=\"503\"}[3s])) > 0</span>
<span class="s2"> for: 2s</span>
<span class="s2"> labels:</span>
<span class="s2"> severity: page</span>
<span class="s2"> annotations:</span>
<span class="s2"> description: 'No upstream on {{ \$labels.destination_service_name }}'</span>
<span class="s2"> summary: '{{ \$labels.destination_service_name }} down'</span>
<span class="s2">"</span>
</code></pre></div>
<p>Relancer les pods de monitoring pour prendre en compte le nouveau configmap :</p>
<div class="highlight"><pre><span></span><code>kubectl -n istio-system rollout restart deployment/prometheus-server
</code></pre></div>
<p>Après avoir généré quelques appels vers l’application sans pods, nous devrions retrouver l’alerte dans Prometheus :</p>
<p><img alt="Architecture" src="/images/2024-scaleto0-with-event-driven-ansible/2024-scaleto0-with-event-driven-ansible_alert0.png" /></p>
<h2 id="test-du-scaling-a-zero">Test du scaling à zéro<a class="headerlink" href="#test-du-scaling-a-zero" title="Permanent link">¶</a></h2>
<p><strong>1. Test de base:</strong></p>
<ul>
<li>
<p><strong>Scénario:</strong> Démarrez l’application “whoami” avec un seul pod et observez que l’application est accessible.</p>
</li>
<li>
<p>Accédez au service “whoami” via un navigateur ou curl : Verifier que le résultat est correct et garder la fenetre ouverte pour visualiser le status de l’application.</p>
</li>
</ul>
<div class="highlight"><pre><span></span><code><span class="nv">INGRESS_HOST</span><span class="o">=</span><span class="k">$(</span>kubectl<span class="w"> </span>get<span class="w"> </span>svc<span class="w"> </span>-n<span class="w"> </span>istio-system<span class="w"> </span>istio-ingressgateway<span class="w"> </span>-o<span class="w"> </span><span class="nv">jsonpath</span><span class="o">=</span><span class="s2">"{.status.loadBalancer.ingress[0].ip}"</span><span class="w"> </span><span class="k">)</span>
watch<span class="w"> </span>curl<span class="w"> </span>-s<span class="w"> </span>-I<span class="w"> </span>-HHost:whoami.scaleto0.demo<span class="w"> </span><span class="s2">"http://</span><span class="nv">$INGRESS_HOST</span><span class="s2">/"</span>
</code></pre></div>
<p><img alt="Watch App" src="/images/2024-scaleto0-with-event-driven-ansible/2024-scaleto0-with-event-driven-ansible_watch_app.png" />
* Assurez-vous que vous obtenez une réponse HTTP 200 et que le contenu renvoyé correspond à l’application “whoami”.
* Vérifiez que le pod “whoami” est en cours d’exécution dans le cluster Kubernetes.</p>
<div class="highlight"><pre><span></span><code>$<span class="w"> </span>kubectl<span class="w"> </span>-n<span class="w"> </span>whoami<span class="w"> </span>get<span class="w"> </span>pod
NAME<span class="w"> </span>READY<span class="w"> </span>STATUS<span class="w"> </span>RESTARTS<span class="w"> </span>AGE
whoami-5d696b585d-twv98<span class="w"> </span><span class="m">2</span>/2<span class="w"> </span>Running<span class="w"> </span><span class="m">0</span><span class="w"> </span>4m58s
</code></pre></div>
<p><strong>2. Test du scaling à zéro:</strong></p>
<ul>
<li><strong>Scénario:</strong> Mettez l’application “whoami” à zéro pods et déclenchez des requêtes HTTP vers l’application.</li>
<li><strong>Validation:</strong></li>
<li>Utilisez la commande <code>kubectl -n whoami scale deployment whoami --replicas=0</code> pour réduire le nombre de pods à zéro.</li>
<li>Effectuez plusieurs requêtes HTTP vers l’application “whoami” (via un navigateur ou curl).</li>
<li>Assurez-vous que les requêtes retournent une réponse HTTP 503 (service indisponible).</li>
<li>Vérifiez que le monitoring Prometheus détecte l’absence de pod et génère une alerte.</li>
<li>Vérifiez que l’alerte “DeploymentDown” est générée par Alertmanager et envoyée au webhook d’Ansible.</li>
<li>Vérifiez que le playbook Ansible “scale-deployment.yaml” est exécuté et qu’un nouveau pod “whoami” est crée</li>
</ul>
<div class="highlight"><pre><span></span><code>kubectl -n ansible-rulebook logs deployment/ansible-rulebook
</code></pre></div>
<p>De mon côté j’ai observé que le service répond en 25seconde après une coupure.</p>
<h2 id="conclusion">Conclusion<a class="headerlink" href="#conclusion" title="Permanent link">¶</a></h2>
<p>L’autoscaling basé sur les événements offre un équilibre parfait entre l’optimisation des ressources et la disponibilité immédiate des applications. En combinant Event Driven Ansible et des outils tels qu’Istio, Prometheus et Alertmanager, vous pouvez mettre en place un système robuste et efficace pour garantir une performance optimale et des coûts réduits.</p>
<h3 id="principaux-avantages-de-cette-approche">Principaux avantages de cette approche<a class="headerlink" href="#principaux-avantages-de-cette-approche" title="Permanent link">¶</a></h3>
<ul>
<li><strong>Disponibilité immédiate :</strong> Les pods sont lancés automatiquement lors des premiers appels HTTP, garantissant une réponse rapide aux demandes.</li>
<li><strong>Optimisation des ressources :</strong> Les pods sont arrêtés automatiquement lorsqu’ils ne sont plus utilisés, ce qui réduit les coûts de ressources.</li>
<li><strong>Efficacité et fiabilité :</strong> Le système fonctionne de manière automatique et fiable, sans intervention humaine.</li>
<li><strong>Évolutivité :</strong> La solution peut être facilement adaptée aux besoins évolutifs des applications.</li>
</ul>
<h3 id="questions-pour-reflexion">Questions pour réflexion<a class="headerlink" href="#questions-pour-reflexion" title="Permanent link">¶</a></h3>
<ul>
<li>Avez-vous déjà mis en place des solutions similaires pour le scaling à zéro dans vos environnements Kubernetes ?</li>
<li>Comment pouvez-vous adapter cette solution à vos besoins spécifiques et l’intégrer dans votre pipeline DevOps ?</li>
</ul>
<h3 id="ressources-supplementaires">Ressources supplémentaires<a class="headerlink" href="#ressources-supplementaires" title="Permanent link">¶</a></h3>
<ul>
<li>https://chimbu.medium.com/installing-istio-not-anthos-service-mesh-on-gke-autopilot-2b78f1bbe90a</li>
<li>https://developers.redhat.com/articles/2024/04/12/event-driven-ansible-rulebook-automation#ansible_rulebook_cli_setup</li>
<li>https://github.com/istio/istio/issues/10543#issuecomment-921179277</li>
<li>https://medium.com/@letsretry/retry-between-region-using-ingress-controller-ingress-level-retry-e8c000580bfe</li>
</ul>The Quest for the Devops Grail: Reconciling Zero Scaling and Immediate Availability2024-06-02T00:00:00+02:002024-06-02T00:00:00+02:00Mathieu GOULINtag:www.ops-chronicles.cloud,2024-06-02:/scaleto0-with-event-driven-ansible-and-istio.html<p>In the ruthless world of the cloud, every unused resource represents an unnecessary cost. Whether it’s test environments on weekends or applications used only intermittently, there are costs to optimize. The solution: zero scaling of Kubernetes deployments, while attractive for optimizing costs, often results in a degraded user experience with unavailable applications. So how do you reconcile savings and responsiveness?</p><div class="toc">
<ul>
<li><a href="#understanding-the-problem">Understanding the Problem</a></li>
<li><a href="#the-solution-event-driven-autoscaling">The Solution: Event-Driven Autoscaling</a><ul>
<li><a href="#how-the-system-works">How the System Works</a></li>
</ul>
</li>
<li><a href="#setting-up-the-platform">Setting up the Platform</a><ul>
<li><a href="#installing-kubernetesistio">Installing kubernetes+istio</a></li>
<li><a href="#installing-monitoring-prometheus-alertmanager">Installing monitoring: Prometheus / Alertmanager</a></li>
<li><a href="#installing-an-application">Installing an Application</a></li>
</ul>
</li>
<li><a href="#event-driven-ansible">Event Driven Ansible</a></li>
<li><a href="#implementing-eda-in-the-cluster">Implementing EDA in the Cluster</a><ul>
<li><a href="#building-a-playbook-for-scaling">Building a playbook for scaling</a></li>
<li><a href="#integration-with-supervision">Integration with Supervision</a></li>
<li><a href="#creating-the-supervision-alert">Creating the Supervision Alert</a></li>
</ul>
</li>
<li><a href="#testing-zero-scaling">Testing Zero Scaling</a></li>
<li><a href="#conclusion">Conclusion</a><ul>
<li><a href="#key-benefits-of-this-approach">Key Benefits of This Approach</a></li>
<li><a href="#questions-for-reflection">Questions for Reflection</a></li>
<li><a href="#additional-resources">Additional Resources</a></li>
</ul>
</li>
</ul>
</div>
<p>In the ruthless world of the cloud, every unused resource represents an unnecessary cost. Zero scaling of Kubernetes pods, while attractive for optimizing costs, often results in a degraded user experience with unavailable applications. How then can you reconcile savings and responsiveness?</p>
<p>Forget about compromises, and adopt an <strong>event-driven</strong> approach, combining the power of <strong>Event Driven Ansible</strong> with the finesse of tools like <strong>Istio, Prometheus, and Alertmanager</strong>. Imagine a system capable of:</p>
<ul>
<li><strong>Instantly detecting</strong> the first HTTP calls to your applications.</li>
<li><strong>Automatically triggering</strong> the launch of your Kubernetes pods to meet demand.</li>
<li><strong>Orchestrating the scaling</strong> of your resources dynamically and transparently.</li>
<li><strong>Reducing your infrastructure costs</strong> by stopping inactive pods.</li>
</ul>
<p>No more waiting for your applications to restart, availability is almost immediate, and your users don’t notice a thing!</p>
<p><strong>In this article, we will explore in detail how to implement this elegant and efficient solution. You will discover:</strong></p>
<ul>
<li>The mechanisms of event detection based on HTTP traffic.</li>
<li>The configuration of intelligent alerts to trigger autoscaling.</li>
<li>The implementation of Ansible playbooks to automate the scaling of your deployments.</li>
</ul>
<p><strong>Get ready to say goodbye to compromises and enter the era of intelligent zero scaling!</strong></p>
<h3 id="understanding-the-problem">Understanding the Problem<a class="headerlink" href="#understanding-the-problem" title="Permanent link">¶</a></h3>
<p>Consider a development or test environment. An “operator” could turn on the environment before using it and turn it off (zero scaling) afterwards. However, the DevOps approach aims to automate these processes to eliminate manual interventions.</p>
<p>The challenge lies in finding an automatic solution to manage scaling dynamically, adapting to fluctuations in demand. We want the environment to be immediately available when needed, without users experiencing any wait time.</p>
<h3 id="the-solution-event-driven-autoscaling">The Solution: Event-Driven Autoscaling<a class="headerlink" href="#the-solution-event-driven-autoscaling" title="Permanent link">¶</a></h3>
<p>Event-based autoscaling is the key to reconciling resource savings and immediate availability. The idea is to monitor HTTP traffic to Kubernetes pods and automatically trigger scaling (increase the number of pods) when requests do not find destinations.</p>
<h4 id="how-the-system-works">How the System Works<a class="headerlink" href="#how-the-system-works" title="Permanent link">¶</a></h4>
<ol>
<li><strong>Event Detection:</strong> Istio, a traffic management tool, monitors HTTP traffic to your Kubernetes pods.</li>
<li><strong>Data Collection:</strong> Prometheus, a monitoring system, collects traffic data from Istio.</li>
<li><strong>Alert Generation:</strong> Alertmanager analyzes Prometheus data and triggers alerts when HTTP traffic exceeds a defined threshold.</li>
<li><strong>Automatic Action:</strong> Alertmanager alerts trigger Ansible playbooks via Event Driven Ansible, which automatically launch Kubernetes pods.</li>
<li><strong>Automatic Shutdown:</strong> When there is no more HTTP traffic for a defined period, Alertmanager triggers another Ansible playbook that stops the pods.</li>
</ol>
<p><img alt="Architecture" src="/images/2024-scaleto0-with-event-driven-ansible/2024-scaleto0-with-event-driven-ansible_archi0.drawio.png" /></p>
<p><img alt="Sequences" src="/images/2024-scaleto0-with-event-driven-ansible/2024-scaleto0-with-event-driven-ansible_sequences.png" /></p>
<h2 id="setting-up-the-platform">Setting up the Platform<a class="headerlink" href="#setting-up-the-platform" title="Permanent link">¶</a></h2>
<h3 id="installing-kubernetesistio">Installing kubernetes+istio<a class="headerlink" href="#installing-kubernetesistio" title="Permanent link">¶</a></h3>
<p>We will use Google Kubernetes Engine (GKE) with Node-Autoscaling, which automatically handles node scaling. This helps optimize billable resources based on the number of pods running.</p>
<div class="highlight"><pre><span></span><code>gcloud<span class="w"> </span>compute<span class="w"> </span>networks<span class="w"> </span>create<span class="w"> </span>scaleto0-vpc<span class="w"> </span>--project<span class="w"> </span><span class="nv">$PROJECT_ID</span>
gcloud<span class="w"> </span>container<span class="w"> </span>clusters<span class="w"> </span>create<span class="w"> </span>scaleto0-demo<span class="w"> </span><span class="se">\</span>
--enable-autoscaling<span class="w"> </span><span class="se">\</span>
--num-nodes<span class="w"> </span><span class="m">1</span><span class="w"> </span><span class="se">\</span>
--min-nodes<span class="w"> </span><span class="m">1</span><span class="w"> </span><span class="se">\</span>
--max-nodes<span class="w"> </span><span class="m">3</span><span class="w"> </span><span class="se">\</span>
--network<span class="w"> </span>scaleto0-vpc<span class="w"> </span><span class="se">\</span>
--project<span class="w"> </span><span class="nv">$PROJECT_ID</span><span class="w"> </span><span class="se">\</span>
--release-channel<span class="o">=</span>regular<span class="w"> </span><span class="se">\</span>
--zone<span class="o">=</span><span class="si">${</span><span class="nv">REGION</span><span class="si">}</span>-b
gcloud<span class="w"> </span>container<span class="w"> </span>clusters<span class="w"> </span>get-credentials<span class="w"> </span>scaleto0-demo<span class="w"> </span><span class="se">\</span>
--zone<span class="o">=</span><span class="si">${</span><span class="nv">REGION</span><span class="si">}</span>-b<span class="w"> </span><span class="se">\</span>
--project<span class="o">=</span><span class="nv">$PROJECT_ID</span>
</code></pre></div>
<p>Next, we will install Istio for traffic management:</p>
<div class="highlight"><pre><span></span><code>curl<span class="w"> </span>-L<span class="w"> </span>https://istio.io/downloadIstio<span class="w"> </span><span class="p">|</span><span class="w"> </span>sh<span class="w"> </span>-
<span class="nb">cd</span><span class="w"> </span>istio-<<VERSION>>
./bin/istioctl<span class="w"> </span>install<span class="w"> </span>--set<span class="w"> </span><span class="nv">profile</span><span class="o">=</span>demo<span class="w"> </span>-y
</code></pre></div>
<p>Verify the Istio installation:</p>
<div class="highlight"><pre><span></span><code><span class="c1"># Check the status of pods</span>
kubectl<span class="w"> </span>get<span class="w"> </span>pods<span class="w"> </span>-n<span class="w"> </span>istio-system
<span class="c1"># Check the status of services and make sure an external LB is created for istio-ingressgateway</span>
kubectl<span class="w"> </span>get<span class="w"> </span>svc<span class="w"> </span>-n<span class="w"> </span>istio-system
</code></pre></div>
<h3 id="installing-monitoring-prometheus-alertmanager">Installing monitoring: Prometheus / Alertmanager<a class="headerlink" href="#installing-monitoring-prometheus-alertmanager" title="Permanent link">¶</a></h3>
<p>In this article we will perform the installation of a minimalist monitoring system for Istio, focusing only on monitoring Istio itself, without monitoring servers, CPU or RAM. We will use a Helm chart for simplified installation and maintain consistency with the rest of the article by using the <code>istio-system</code> namespace.</p>
<div class="highlight"><pre><span></span><code>helm<span class="w"> </span>upgrade<span class="w"> </span>-i<span class="w"> </span>-n<span class="w"> </span>istio-system<span class="w"> </span>prometheus<span class="w"> </span>prometheus-community/prometheus<span class="w"> </span>-f<span class="w"> </span>-<span class="w"> </span><span class="s"><< EOF</span>
<span class="s">---</span>
<span class="s"># prometheus_values.yaml</span>
<span class="s">rbac:</span>
<span class="s">create: true</span>
<span class="s">configmapReload:</span>
<span class="s">prometheus:</span>
<span class="s">enabled: false</span>
<span class="s">server:</span>
<span class="s">namespaces:</span>
<span class="s">- istio-system</span>
<span class="s">resources:</span>
<span class="s">limits:</span>
<span class="s">cpu: 100m</span>
<span class="s">memory: 512Mi</span>
<span class="s">requests:</span>
<span class="s">cpu: 100m</span>
<span class="s">memory: 512Mi</span>
<span class="s">global:</span>
<span class="s">scrape_interval: 1s</span>
<span class="s">scrape_timeout: 1s</span>
<span class="s">evaluation_interval: 2s</span>
<span class="s">serverFiles:</span>
<span class="s">prometheus.yml:</span>
<span class="s">rule_files:</span>
<span class="s">- /etc/config/recording_rules.yml</span>
<span class="s">- /etc/config/alerting_rules.yml</span>
<span class="s">scrape_configs:</span>
<span class="s">- job_name: 'istiod'</span>
<span class="s">kubernetes_sd_configs:</span>
<span class="s">- role: pod</span>
<span class="s">relabel_configs:</span>
<span class="s">- source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]</span>
<span class="s">action: keep</span>
<span class="s">regex: true</span>
<span class="s">- source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape_slow]</span>
<span class="s">action: drop</span>
<span class="s">regex: true</span>
<span class="s">- source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scheme]</span>
<span class="s">action: replace</span>
<span class="s">regex: (https?)</span>
<span class="s">target_label: __scheme__</span>
<span class="s">- source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]</span>
<span class="s">action: replace</span>
<span class="s">target_label: __metrics_path__</span>
<span class="s">regex: (.+)</span>
<span class="s">- source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_port, __meta_kubernetes_pod_ip]</span>
<span class="s">action: replace</span>
<span class="s">regex: (\\d+);(([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4})</span>
<span class="s">replacement: '[\$2]:\$1'</span>
<span class="s">target_label: __address__</span>
<span class="s">- source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_port, __meta_kubernetes_pod_ip]</span>
<span class="s">action: replace</span>
<span class="s">regex: (\\d+);((([0-9]+?)(\\.|$)){4})</span>
<span class="s">replacement: \$2:\$1</span>
<span class="s">target_label: __address__</span>
<span class="s">- action: labelmap</span>
<span class="s">regex: __meta_kubernetes_pod_annotation_prometheus_io_param_(.+)</span>
<span class="s">replacement: __param_$1</span>
<span class="s">- action: labelmap</span>
<span class="s">regex: __meta_kubernetes_pod_label_(.+)</span>
<span class="s">- source_labels: [__meta_kubernetes_namespace]</span>
<span class="s">action: replace</span>
<span class="s">target_label: namespace</span>
<span class="s">- source_labels: [__meta_kubernetes_pod_name]</span>
<span class="s">action: replace</span>
<span class="s">target_label: pod</span>
<span class="s">- source_labels: [__meta_kubernetes_pod_phase]</span>
<span class="s">regex: Pending|Succeeded|Failed|Completed</span>
<span class="s">action: drop</span>
<span class="s">- source_labels: [__meta_kubernetes_pod_node_name]</span>
<span class="s">action: replace</span>
<span class="s">target_label: node</span>
<span class="s">alertmanager:</span>
<span class="s">enabled: true</span>
<span class="s">kube-state-metrics:</span>
<span class="s">enabled: false</span>
<span class="s">prometheus-node-exporter:</span>
<span class="s">enabled: false</span>
<span class="s">prometheus-pushgateway:</span>
<span class="s">enabled: false</span>
<span class="s">EOF</span>
</code></pre></div>
<div class="highlight"><pre><span></span><code>kubectl<span class="w"> </span>create<span class="w"> </span>clusterrole<span class="w"> </span>prometheus-server<span class="w"> </span>--verb<span class="o">=</span>get,list,watch<span class="w"> </span>--resource<span class="o">=</span>pods,endpoints,services,nodes,namespaces
kubectl<span class="w"> </span>create<span class="w"> </span>clusterrolebinding<span class="w"> </span>prometheus-server<span class="w"> </span>--clusterrole<span class="o">=</span>prometheus-server<span class="w"> </span>--serviceaccount<span class="o">=</span>istio-system:prometheus-server
</code></pre></div>
<p>To test the monitoring system, we can use the following command to redirect http://localhost:9090 to the Prometheus pod:</p>
<div class="highlight"><pre><span></span><code>kubectl --namespace istio-system port-forward $(kubectl get pods --namespace istio-system -l "app.kubernetes.io/name=prometheus,app.kubernetes.io/instance=prometheus" -o jsonpath="{.items[0].metadata.name}") 9090
</code></pre></div>
<p>Then open a web browser at the address: http://localhost:9090</p>
<p><img alt="Prometheus" src="/images/2024-scaleto0-with-event-driven-ansible/2024-scaleto0-with-event-driven-ansible_prometheus0.png" /></p>
<h3 id="installing-an-application">Installing an Application<a class="headerlink" href="#installing-an-application" title="Permanent link">¶</a></h3>
<p>To simulate an application in our demo, we will use “whoami” which simply returns the HTTP request it receives.
If it works with “whoami”, we can apply the same principle to all deployments on the Kubernetes cluster.</p>
<p>Let’s create a YAML file for the deployment, as follows:</p>
<p>This YAML code describes the configuration of a Kubernetes deployment for an application named “whoami”.</p>
<ul>
<li><strong>Deployment “whoami”</strong>: Defines a deployment with the name “whoami” that uses the Docker image “traefik/whoami:latest”. It indicates that the deployment should have 1 “replica” (scaling to 1).</li>
<li><strong>Service “whoami”</strong>: Defines a Kubernetes service named “whoami” that connects to pods with the label “app: whoami”. Exposes port 80 of the service, which redirects to port 80 of the container.</li>
</ul>
<div class="highlight"><pre><span></span><code><span class="l l-Scalar l-Scalar-Plain">kubectl create ns whoami</span>
<span class="l l-Scalar l-Scalar-Plain">kubectl label namespace whoami istio-injection=enabled</span>
<span class="l l-Scalar l-Scalar-Plain">kubectl apply -n whoami -f - <<EOF</span>
<span class="l l-Scalar l-Scalar-Plain"># whoami_deployment.yaml</span>
<span class="nn">---</span>
<span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">apps/v1</span>
<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Deployment</span>
<span class="nt">metadata</span><span class="p">:</span>
<span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">whoami</span>
<span class="nt">annotations</span><span class="p">:</span>
<span class="s">"sidecar.istio.io/proxyCPU"</span><span class="p p-Indicator">:</span><span class="w"> </span><span class="s">"500m"</span>
<span class="s">"sidecar.istio.io/proxyMemory"</span><span class="p p-Indicator">:</span><span class="w"> </span><span class="s">"512Mi"</span>
<span class="nt">spec</span><span class="p">:</span>
<span class="nt">selector</span><span class="p">:</span>
<span class="nt">matchLabels</span><span class="p">:</span>
<span class="nt">app</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">whoami</span>
<span class="nt">replicas</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">1</span>
<span class="nt">template</span><span class="p">:</span>
<span class="nt">metadata</span><span class="p">:</span>
<span class="nt">labels</span><span class="p">:</span>
<span class="nt">app</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">whoami</span>
<span class="nt">spec</span><span class="p">:</span>
<span class="nt">containers</span><span class="p">:</span>
<span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">master</span>
<span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">traefik/whoami:latest</span>
<span class="nt">resources</span><span class="p">:</span>
<span class="nt">requests</span><span class="p">:</span>
<span class="nt">cpu</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">500m</span>
<span class="nt">memory</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">512Mi</span>
<span class="nt">limits</span><span class="p">:</span>
<span class="nt">cpu</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">500m</span>
<span class="nt">memory</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">512Mi</span>
<span class="nt">ports</span><span class="p">:</span>
<span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">containerPort</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">80</span>
<span class="nn">---</span>
<span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span>
<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Service</span>
<span class="nt">metadata</span><span class="p">:</span>
<span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">whoami</span>
<span class="nt">labels</span><span class="p">:</span>
<span class="nt">app</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">whoami</span>
<span class="nt">spec</span><span class="p">:</span>
<span class="nt">ports</span><span class="p">:</span>
<span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">port</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">80</span>
<span class="nt">targetPort</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">80</span>
<span class="nt">selector</span><span class="p">:</span>
<span class="nt">app</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">whoami</span>
<span class="l l-Scalar l-Scalar-Plain">EOF</span>
</code></pre></div>
<p>And expose this service via Istio:</p>
<div class="highlight"><pre><span></span><code><span class="l l-Scalar l-Scalar-Plain">kubectl apply -n whoami -f - <<EOF</span>
<span class="l l-Scalar l-Scalar-Plain">apiVersion</span><span class="p p-Indicator">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">networking.istio.io/v1alpha3</span>
<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Gateway</span>
<span class="nt">metadata</span><span class="p">:</span>
<span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">whoami-gateway</span>
<span class="nt">spec</span><span class="p">:</span>
<span class="c1"># The selector matches the ingress gateway pod labels.</span>
<span class="c1"># If you installed Istio using Helm following the standard documentation, this would be "istio=ingress"</span>
<span class="nt">selector</span><span class="p">:</span>
<span class="nt">istio</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ingressgateway</span>
<span class="nt">servers</span><span class="p">:</span>
<span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">port</span><span class="p">:</span>
<span class="nt">number</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">80</span>
<span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">http</span>
<span class="nt">protocol</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">HTTP</span>
<span class="nt">hosts</span><span class="p">:</span>
<span class="p p-Indicator">-</span><span class="w"> </span><span class="s">"*"</span>
<span class="nn">---</span>
<span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">networking.istio.io/v1alpha3</span>
<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">VirtualService</span>
<span class="nt">metadata</span><span class="p">:</span>
<span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">whoami</span>
<span class="nt">spec</span><span class="p">:</span>
<span class="nt">hosts</span><span class="p">:</span>
<span class="p p-Indicator">-</span><span class="w"> </span><span class="s">"*"</span>
<span class="nt">gateways</span><span class="p">:</span>
<span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">whoami-gateway</span>
<span class="nt">http</span><span class="p">:</span>
<span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">match</span><span class="p">:</span>
<span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">uri</span><span class="p">:</span>
<span class="nt">prefix</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/</span>
<span class="nt">route</span><span class="p">:</span>
<span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">destination</span><span class="p">:</span>
<span class="nt">port</span><span class="p">:</span>
<span class="nt">number</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">80</span>
<span class="nt">host</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">whoami</span>
<span class="nt">retries</span><span class="p">:</span>
<span class="nt">attempts</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">15</span>
<span class="nt">perTryTimeout</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">2s</span>
<span class="l l-Scalar l-Scalar-Plain">EOF</span>
</code></pre></div>
<p>Testing the application</p>
<div class="highlight"><pre><span></span><code><span class="n">INGRESS_HOST</span><span class="o">=$</span><span class="p">(</span><span class="n">kubectl</span><span class="w"> </span><span class="n">get</span><span class="w"> </span><span class="n">svc</span><span class="w"> </span><span class="o">-</span><span class="n">n</span><span class="w"> </span><span class="n">istio</span><span class="o">-</span><span class="n">system</span><span class="w"> </span><span class="n">istio</span><span class="o">-</span><span class="n">ingressgateway</span><span class="w"> </span><span class="o">-</span><span class="n">o</span><span class="w"> </span><span class="n">jsonpath</span><span class="o">=</span><span class="s2">"{.status.loadBalancer.ingress[0].ip}"</span><span class="w"> </span><span class="p">)</span>
<span class="n">curl</span><span class="w"> </span><span class="o">-</span><span class="n">s</span><span class="w"> </span><span class="o">-</span><span class="n">I</span><span class="w"> </span><span class="o">-</span><span class="n">HHost</span><span class="p">:</span><span class="n">whoami</span><span class="o">.</span><span class="n">scaleto0</span><span class="o">.</span><span class="n">demo</span><span class="w"> </span><span class="s2">"http://$INGRESS_HOST/"</span>
<span class="n">HTTP</span><span class="o">/</span><span class="mf">1.1</span><span class="w"> </span><span class="mi">200</span><span class="w"> </span><span class="n">OK</span>
<span class="n">date</span><span class="p">:</span><span class="w"> </span><span class="n">Thu</span><span class="p">,</span><span class="w"> </span><span class="mi">30</span><span class="w"> </span><span class="n">May</span><span class="w"> </span><span class="mi">2024</span><span class="w"> </span><span class="mi">20</span><span class="p">:</span><span class="mi">21</span><span class="p">:</span><span class="mi">32</span><span class="w"> </span><span class="n">GMT</span>
<span class="n">content</span><span class="o">-</span><span class="n">length</span><span class="p">:</span><span class="w"> </span><span class="mi">570</span>
<span class="n">content</span><span class="o">-</span><span class="n">type</span><span class="p">:</span><span class="w"> </span><span class="n">text</span><span class="o">/</span><span class="n">plain</span><span class="p">;</span><span class="w"> </span><span class="n">charset</span><span class="o">=</span><span class="n">utf</span><span class="o">-</span><span class="mi">8</span>
<span class="n">x</span><span class="o">-</span><span class="n">envoy</span><span class="o">-</span><span class="n">upstream</span><span class="o">-</span><span class="n">service</span><span class="o">-</span><span class="n">time</span><span class="p">:</span><span class="w"> </span><span class="mi">1073</span>
<span class="n">server</span><span class="p">:</span><span class="w"> </span><span class="n">istio</span><span class="o">-</span><span class="n">envoy</span>
</code></pre></div>
<p>Downscaling the application</p>
<div class="highlight"><pre><span></span><code>kubectl<span class="w"> </span>-n<span class="w"> </span>whoami<span class="w"> </span>scale<span class="w"> </span>deployment<span class="w"> </span>whoami<span class="w"> </span>--replicas<span class="o">=</span><span class="m">0</span>
</code></pre></div>
<p>Once the application is cut off (down), it should no longer work: Application unavailability</p>
<div class="highlight"><pre><span></span><code><span class="nx">curl</span><span class="w"> </span><span class="o">-</span><span class="nx">s</span><span class="w"> </span><span class="o">-</span><span class="nx">I</span><span class="w"> </span><span class="o">-</span><span class="nx">HHost</span><span class="p">:</span><span class="nx">whoami</span><span class="p">.</span><span class="nx">scaleto0</span><span class="p">.</span><span class="nx">demo</span><span class="w"> </span><span class="s">"http://$INGRESS_HOST:$INGRESS_PORT/"</span>
<span class="nx">HTTP</span><span class="o">/</span><span class="m m-Double">1.1</span><span class="w"> </span><span class="mi">503</span><span class="w"> </span><span class="nx">Service</span><span class="w"> </span><span class="nx">Unavailable</span>
<span class="nx">content</span><span class="o">-</span><span class="nx">length</span><span class="p">:</span><span class="w"> </span><span class="mi">19</span>
<span class="nx">content</span><span class="o">-</span><span class="k">type</span><span class="p">:</span><span class="w"> </span><span class="nx">text</span><span class="o">/</span><span class="nx">plain</span>
<span class="nx">date</span><span class="p">:</span><span class="w"> </span><span class="nx">Thu</span><span class="p">,</span><span class="w"> </span><span class="mi">30</span><span class="w"> </span><span class="nx">May</span><span class="w"> </span><span class="mi">2024</span><span class="w"> </span><span class="mi">20</span><span class="p">:</span><span class="mi">22</span><span class="p">:</span><span class="mi">56</span><span class="w"> </span><span class="nx">GMT</span>
<span class="nx">server</span><span class="p">:</span><span class="w"> </span><span class="nx">istio</span><span class="o">-</span><span class="nx">envoy</span>
</code></pre></div>
<p><img alt="Prometheus" src="/images/2024-scaleto0-with-event-driven-ansible/2024-scaleto0-with-event-driven-ansible_app503.png" /></p>
<h2 id="event-driven-ansible">Event Driven Ansible<a class="headerlink" href="#event-driven-ansible" title="Permanent link">¶</a></h2>
<p>Following Redhat documentation, we will build a container image to serve our rulebook. Here is the Dockerfile that creates a container to run the “ansible-rulebook” command.</p>
<div class="highlight"><pre><span></span><code>cat<span class="w"> </span>><span class="w"> </span>Dockerfile<span class="w"> </span><span class="s"><< EOF</span>
<span class="s">FROM debian:latest</span>
<span class="s">RUN apt-get update && \</span>
<span class="s">apt-get --assume-yes install openjdk-17-jdk python3-pip python3-psycopg && \</span>
<span class="s">pip3 install ansible ansible-rulebook ansible-runner kubernetes --break-system-packages</span>
<span class="s">RUN mkdir /app && \</span>
<span class="s">useradd -u 1001 -ms /bin/bash ansible && \</span>
<span class="s">chown ansible:root /app</span>
<span class="s">WORKDIR /app</span>
<span class="s">USER ansible</span>
<span class="s">RUN ansible-galaxy collection install ansible.eda</span>
<span class="s">ENTRYPOINT ["ansible-rulebook", "-r", "/app/rules.yaml", "-i", "/app/inventory.yml", "-S", "/app"]</span>
<span class="s">EOF</span>
</code></pre></div>
<p>We can build and save our image in Google’s artifact-registry:</p>
<div class="highlight"><pre><span></span><code><span class="c1"># Creating the repository</span>
gcloud<span class="w"> </span>artifacts<span class="w"> </span>repositories<span class="w"> </span>create<span class="w"> </span>scaleto0-demo-repo<span class="w"> </span>--repository-format<span class="o">=</span>docker<span class="w"> </span><span class="se">\</span>
--location<span class="o">=</span><span class="nv">$REGION</span><span class="w"> </span>--description<span class="o">=</span><span class="s2">"Docker scaleto0 Demo repository"</span>
<span class="c1"># Creating the image</span>
gcloud<span class="w"> </span>builds<span class="w"> </span>submit<span class="w"> </span>--region<span class="o">=</span><span class="nv">$REGION</span><span class="w"> </span>--tag<span class="w"> </span><span class="nv">$REGION</span>-docker.pkg.dev/<span class="nv">$PROJECT_ID</span>/scaleto0-demo-repo/rulebook-scaleto0-demo:v1
</code></pre></div>
<p>This container will be deployed in Kubernetes. We will overload the <code>/app/rules.yaml</code> file to include our rules and playbooks, including those for scaling.</p>
<h2 id="implementing-eda-in-the-cluster">Implementing EDA in the Cluster<a class="headerlink" href="#implementing-eda-in-the-cluster" title="Permanent link">¶</a></h2>
<h3 id="building-a-playbook-for-scaling">Building a playbook for scaling<a class="headerlink" href="#building-a-playbook-for-scaling" title="Permanent link">¶</a></h3>
<p>Ansible, a powerful language for manipulating infrastructure components, allows us to create a “playbook” that will allow us to scale the Kubernetes deployment.</p>
<div class="highlight"><pre><span></span><code>cat<span class="w"> </span>><span class="w"> </span>scale-deployment.yaml<span class="w"> </span><span class="s"><< EOF</span>
<span class="s">---</span>
<span class="s">- hosts: localhost</span>
<span class="s">connection: local</span>
<span class="s">gather_facts: false</span>
<span class="s">tasks:</span>
<span class="s">- name: Scale deployment up</span>
<span class="s">kubernetes.core.k8s_scale:</span>
<span class="s">api_version: v1</span>
<span class="s">kind: Deployment</span>
<span class="s">name: "{{ deployment_name }}"</span>
<span class="s">namespace: "{{ namespace }}"</span>
<span class="s">replicas: "{{ num_replicas }}"</span>
<span class="s">wait_timeout: 60</span>
<span class="s">EOF</span>
</code></pre></div>
<p>We can test the playbook with the command below:</p>
<div class="highlight"><pre><span></span><code>ansible-playbook<span class="w"> </span>-e<span class="w"> </span><span class="s1">'{"deployment_name":"whoami", "namespace":"whoami", "num_replicas": "1"}'</span><span class="w"> </span>scale-deployment.yaml
</code></pre></div>
<p>Next, let’s create a <code>rules.yaml</code> file to define the interface between monitoring and the scaling playbook.</p>
<div class="highlight"><pre><span></span><code><span class="n">cat</span><span class="w"> </span><span class="o">></span><span class="w"> </span><span class="n">rules</span><span class="o">.</span><span class="n">yaml</span><span class="w"> </span><span class="o"><<</span><span class="w"> </span><span class="n">EOF</span>
<span class="o">-</span><span class="w"> </span><span class="n">name</span><span class="p">:</span><span class="w"> </span><span class="n">Scale</span><span class="w"> </span><span class="n">deployment</span><span class="w"> </span><span class="n">up</span>
<span class="n">hosts</span><span class="p">:</span><span class="w"> </span><span class="n">localhost</span>
<span class="n">gather_facts</span><span class="p">:</span><span class="w"> </span><span class="bp">false</span>
<span class="n">sources</span><span class="p">:</span>
<span class="o">-</span><span class="w"> </span><span class="n">name</span><span class="p">:</span><span class="w"> </span><span class="n">webhook</span>
<span class="n">ansible</span><span class="o">.</span><span class="n">eda</span><span class="o">.</span><span class="n">webhook</span><span class="p">:</span>
<span class="n">port</span><span class="p">:</span><span class="w"> </span><span class="mi">5000</span>
<span class="n">rules</span><span class="p">:</span>
<span class="o">-</span><span class="w"> </span><span class="n">name</span><span class="p">:</span><span class="w"> </span><span class="n">whoami</span>
<span class="n">condition</span><span class="p">:</span><span class="w"> </span><span class="bp">true</span>
<span class="n">actions</span><span class="p">:</span>
<span class="o">-</span><span class="w"> </span><span class="n">run_playbook</span><span class="p">:</span>
<span class="n">name</span><span class="p">:</span><span class="w"> </span><span class="n">scale</span><span class="o">-</span><span class="n">deployment</span><span class="o">.</span><span class="n">yaml</span>
<span class="n">extra_vars</span><span class="p">:</span>
<span class="n">deployment_name</span><span class="p">:</span><span class="w"> </span><span class="n">whoami</span>
<span class="n">namespace</span><span class="p">:</span><span class="w"> </span><span class="n">whoami</span>
<span class="n">num_replicas</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span>
<span class="n">EOF</span>
<span class="n">cat</span><span class="w"> </span><span class="o">></span><span class="w"> </span><span class="n">inventory</span><span class="o">.</span><span class="n">yml</span><span class="w"> </span><span class="o"><<</span><span class="w"> </span><span class="n">EOF</span>
<span class="n">ungrouped</span><span class="p">:</span>
<span class="n">hosts</span><span class="p">:</span>
<span class="n">localhost</span><span class="p">:</span>
<span class="n">ansible_connection</span><span class="p">:</span><span class="w"> </span><span class="n">local</span>
<span class="n">EOF</span>
</code></pre></div>
<p>Injecting the playbook into Kubernetes:</p>
<div class="highlight"><pre><span></span><code>kubectl<span class="w"> </span>create<span class="w"> </span>ns<span class="w"> </span>ansible-rulebook
kubectl<span class="w"> </span>create<span class="w"> </span>-n<span class="w"> </span>ansible-rulebook<span class="w"> </span>configmap<span class="w"> </span>ansible-rulebook-config<span class="w"> </span>--from-file<span class="o">=</span>.
</code></pre></div>
<p>Starting the container:</p>
<div class="highlight"><pre><span></span><code>kubectl<span class="w"> </span>-n<span class="w"> </span>ansible-rulebook<span class="w"> </span>apply<span class="w"> </span>-f<span class="w"> </span>-<span class="w"> </span><span class="s"><< EOF</span>
<span class="s"># ansible-rulebook_deployment.yaml</span>
<span class="s">---</span>
<span class="s">apiVersion: apps/v1</span>
<span class="s">kind: Deployment</span>
<span class="s">metadata:</span>
<span class="s">name: ansible-rulebook</span>
<span class="s">spec:</span>
<span class="s">selector:</span>
<span class="s">matchLabels:</span>
<span class="s">app: ansible-rulebook</span>
<span class="s">replicas: 1</span>
<span class="s">template:</span>
<span class="s">metadata:</span>
<span class="s">labels:</span>
<span class="s">app: ansible-rulebook</span>
<span class="s">spec:</span>
<span class="s">containers:</span>
<span class="s">- name: master</span>
<span class="s">image: $REGION-docker.pkg.dev/$PROJECT_ID/scaleto0-demo-repo/rulebook-scaleto0-demo:v1</span>
<span class="s">resources:</span>
<span class="s">requests:</span>
<span class="s">cpu: 100m</span>
<span class="s">memory: 128Mi</span>
<span class="s">limits:</span>
<span class="s">cpu: 500m</span>
<span class="s">memory: 512Mi</span>
<span class="s">ports:</span>
<span class="s">- containerPort: 5000</span>
<span class="s">volumeMounts:</span>
<span class="s">- name: config</span>
<span class="s">mountPath: /app</span>
<span class="s">volumes:</span>
<span class="s">- name: config</span>
<span class="s">configMap:</span>
<span class="s">name: ansible-rulebook-config</span>
<span class="s">---</span>
<span class="s">apiVersion: v1</span>
<span class="s">kind: Service</span>
<span class="s">metadata:</span>
<span class="s">name: ansible-rulebook</span>
<span class="s">labels:</span>
<span class="s">app: ansible-rulebook</span>
<span class="s">spec:</span>
<span class="s">ports:</span>
<span class="s">- port: 5000</span>
<span class="s">targetPort: 5000</span>
<span class="s">selector:</span>
<span class="s">app: ansible-rulebook</span>
<span class="s">EOF</span>
</code></pre></div>
<p>Granting rights to <code>ansible-rulebook</code> to interact with Kubernetes:</p>
<div class="highlight"><pre><span></span><code>kubectl<span class="w"> </span>apply<span class="w"> </span>-f<span class="w"> </span>-<span class="w"> </span><span class="s"><< EOF</span>
<span class="s"># ansible-rulebook_clusterrole.yaml</span>
<span class="s">---</span>
<span class="s">apiVersion: rbac.authorization.k8s.io/v1</span>
<span class="s">kind: ClusterRole</span>
<span class="s">metadata:</span>
<span class="s">creationTimestamp: "2024-05-31T19:01:36Z"</span>
<span class="s">name: deployment-scaler</span>
<span class="s">rules:</span>
<span class="s">- apiGroups:</span>
<span class="s">- apps</span>
<span class="s">resources:</span>
<span class="s">- deployments/scale</span>
<span class="s">- deployments</span>
<span class="s">verbs:</span>
<span class="s">- get</span>
<span class="s">- list</span>
<span class="s">- patch</span>
<span class="s">- update</span>
<span class="s">EOF</span>
</code></pre></div>
<p>Finally, mapping the ansible-rulebook role to the deployment:</p>
<div class="highlight"><pre><span></span><code>kubectl<span class="w"> </span>create<span class="w"> </span>clusterrolebinding<span class="w"> </span>deployment-scaler<span class="w"> </span>--clusterrole<span class="o">=</span>deployment-scaler<span class="w"> </span>--serviceaccount<span class="o">=</span>ansible-rulebook:default
</code></pre></div>
<h3 id="integration-with-supervision">Integration with Supervision<a class="headerlink" href="#integration-with-supervision" title="Permanent link">¶</a></h3>
<p>Alertmanager needs to be connected to Ansible rulebook. To do this, let’s update the Alertmanager configuration to have it send its alerts to the rulebook.</p>
<div class="highlight"><pre><span></span><code>kubectl<span class="w"> </span>patch<span class="w"> </span>-n<span class="w"> </span>istio-system<span class="w"> </span>configmap<span class="w"> </span>prometheus-alertmanager<span class="w"> </span>--type<span class="w"> </span>merge<span class="w"> </span>-p<span class="w"> </span><span class="s2">"</span>
<span class="s2">data:</span>
<span class="s2">alertmanager.yml: |</span>
<span class="s2">global: {}</span>
<span class="s2">receivers:</span>
<span class="s2">- name: default-receiver</span>
<span class="s2">webhook_configs:</span>
<span class="s2">- url: http://ansible-rulebook.ansible-rulebook.svc.cluster.local:5000/endpoint</span>
<span class="s2">route:</span>
<span class="s2">group_interval: 5s</span>
<span class="s2">group_wait: 10s</span>
<span class="s2">receiver: default-receiver</span>
<span class="s2">repeat_interval: 5m</span>
<span class="s2">templates:</span>
<span class="s2">- /etc/alertmanager/*.tmpl</span>
<span class="s2">"</span>
</code></pre></div>
<p>Restart the monitoring pods to take into account the new configmap:</p>
<div class="highlight"><pre><span></span><code>kubectl -n istio-system rollout restart statefulset/prometheus-alertmanager
</code></pre></div>
<h3 id="creating-the-supervision-alert">Creating the Supervision Alert<a class="headerlink" href="#creating-the-supervision-alert" title="Permanent link">¶</a></h3>
<p>Let’s create a supervision alert that will detect 503 errors in Prometheus and trigger the Ansible “rulebook”.</p>
<p>Since Prometheus is installed with Helm, we will update the static configuration to inject the alert. In a production environment, alerts would be injected via the operator and “PrometheusRules” CRDs.</p>
<div class="highlight"><pre><span></span><code>kubectl<span class="w"> </span>patch<span class="w"> </span>-n<span class="w"> </span>istio-system<span class="w"> </span>configmap<span class="w"> </span>prometheus-server<span class="w"> </span>--type<span class="w"> </span>merge<span class="w"> </span>-p<span class="w"> </span><span class="s2">"</span>
<span class="s2">data:</span>
<span class="s2">alerting_rules.yml: |</span>
<span class="s2">groups:</span>
<span class="s2">- name: DeploymentDown</span>
<span class="s2">rules:</span>
<span class="s2">- alert: DeploymentDown</span>
<span class="s2">expr: sum by (destination_service_name) (rate(istio_requests_total{response_code=\"503\"}[3s])) > 0</span>
<span class="s2">for: 2s</span>
<span class="s2">labels:</span>
<span class="s2">severity: page</span>
<span class="s2">annotations:</span>
<span class="s2">description: 'No upstream on {{ \$labels.destination_service_name }}'</span>
<span class="s2">summary: '{{ \$labels.destination_service_name }} down'</span>
<span class="s2">"</span>
</code></pre></div>
<p>Restart the monitoring pods to take into account the new configmap:</p>
<div class="highlight"><pre><span></span><code>kubectl -n istio-system rollout restart deployment/prometheus-server
</code></pre></div>
<p>After generating a few calls to the application without pods, we should find the alert in Prometheus:</p>
<p><img alt="Architecture" src="/images/2024-scaleto0-with-event-driven-ansible/2024-scaleto0-with-event-driven-ansible_alert0.png" /></p>
<h2 id="testing-zero-scaling">Testing Zero Scaling<a class="headerlink" href="#testing-zero-scaling" title="Permanent link">¶</a></h2>
<p><strong>1. Basic test:</strong></p>
<ul>
<li>
<p><strong>Scenario:</strong> Start the “whoami” application with a single pod and observe that the application is accessible.</p>
</li>
<li>
<p>Access the “whoami” service via a browser or curl: Verify that the result is correct and keep the window open to view the status of the application.</p>
</li>
</ul>
<div class="highlight"><pre><span></span><code><span class="nv">INGRESS_HOST</span><span class="o">=</span><span class="k">$(</span>kubectl<span class="w"> </span>get<span class="w"> </span>svc<span class="w"> </span>-n<span class="w"> </span>istio-system<span class="w"> </span>istio-ingressgateway<span class="w"> </span>-o<span class="w"> </span><span class="nv">jsonpath</span><span class="o">=</span><span class="s2">"{.status.loadBalancer.ingress[0].ip}"</span><span class="w"> </span><span class="k">)</span>
watch<span class="w"> </span>curl<span class="w"> </span>-s<span class="w"> </span>-I<span class="w"> </span>-HHost:whoami.scaleto0.demo<span class="w"> </span><span class="s2">"http://</span><span class="nv">$INGRESS_HOST</span><span class="s2">/"</span>
</code></pre></div>
<p><img alt="Watch App" src="/images/2024-scaleto0-with-event-driven-ansible/2024-scaleto0-with-event-driven-ansible_watch_app.png" />
* Make sure you get an HTTP 200 response and that the content returned corresponds to the “whoami” application.
* Verify that the “whoami” pod is running in the Kubernetes cluster.</p>
<div class="highlight"><pre><span></span><code>$<span class="w"> </span>kubectl<span class="w"> </span>-n<span class="w"> </span>whoami<span class="w"> </span>get<span class="w"> </span>pod
NAME<span class="w"> </span>READY<span class="w"> </span>STATUS<span class="w"> </span>RESTARTS<span class="w"> </span>AGE
whoami-5d696b585d-twv98<span class="w"> </span><span class="m">2</span>/2<span class="w"> </span>Running<span class="w"> </span><span class="m">0</span><span class="w"> </span>4m58s
</code></pre></div>
<p><strong>2. Testing zero scaling:</strong></p>
<ul>
<li><strong>Scenario:</strong> Set the “whoami” application to zero pods and trigger HTTP requests to the application.</li>
<li><strong>Validation:</strong></li>
<li>Use the <code>kubectl -n whoami scale deployment whoami --replicas=0</code> command to reduce the number of pods to zero.</li>
<li>Make several HTTP requests to the “whoami” application (via a browser or curl).</li>
<li>Make sure the requests return an HTTP 503 (service unavailable) response.</li>
<li>Verify that Prometheus monitoring detects the absence of a pod and generates an alert.</li>
<li>Verify that the “DeploymentDown” alert is generated by Alertmanager and sent to the Ansible webhook.</li>
<li>Verify that the Ansible playbook “scale-deployment.yaml” is executed and a new “whoami” pod is created</li>
</ul>
<div class="highlight"><pre><span></span><code>kubectl -n ansible-rulebook logs deployment/ansible-rulebook
</code></pre></div>
<p>From my side I observed that the service responds in 25 seconds after a cut-off.</p>
<h2 id="conclusion">Conclusion<a class="headerlink" href="#conclusion" title="Permanent link">¶</a></h2>
<p>Event-based autoscaling provides a perfect balance between resource optimization and the immediate availability of applications. By combining Event Driven Ansible with tools like Istio, Prometheus, and Alertmanager, you can implement a robust and efficient system to ensure optimal performance and reduced costs.</p>
<h3 id="key-benefits-of-this-approach">Key Benefits of This Approach<a class="headerlink" href="#key-benefits-of-this-approach" title="Permanent link">¶</a></h3>
<ul>
<li><strong>Immediate availability:</strong> Pods are launched automatically on the first HTTP calls, ensuring a quick response to requests.</li>
<li><strong>Resource optimization:</strong> Pods are automatically shut down when they are no longer in use, reducing resource costs.</li>
<li><strong>Efficiency and reliability:</strong> The system works automatically and reliably, without human intervention.</li>
<li><strong>Scalability:</strong> The solution can be easily adapted to the evolving needs of applications.</li>
</ul>
<h3 id="questions-for-reflection">Questions for Reflection<a class="headerlink" href="#questions-for-reflection" title="Permanent link">¶</a></h3>
<ul>
<li>Have you already implemented similar solutions for zero scaling in your Kubernetes environments?</li>
<li>How can you adapt this solution to your specific needs and integrate it into your DevOps pipeline?</li>
</ul>
<h3 id="additional-resources">Additional Resources<a class="headerlink" href="#additional-resources" title="Permanent link">¶</a></h3>
<ul>
<li>https://chimbu.medium.com/installing-istio-not-anthos-service-mesh-on-gke-autopilot-2b78f1bbe90a</li>
<li>https://developers.redhat.com/articles/2024/04/12/event-driven-ansible-rulebook-automation#ansible_rulebook_cli_setup</li>
<li>https://github.com/istio/istio/issues/10543#issuecomment-921179277</li>
<li>https://medium.com/@letsretry/retry-between-region-using-ingress-controller-ingress-level-retry-e8c000580bfe</li>
</ul>Génération de texte pour les Merges-Requests automatique avec un LLM2024-05-29T00:00:00+02:002024-05-29T00:00:00+02:00Mathieu GOULINtag:www.ops-chronicles.cloud,2024-05-29:/fr/generate-mr-text.html<p>Générer automatiquement le texte des merges-request Gitlab à partir du git-diff</p><div class="toc">
<ul>
<li><a href="#1-configuration-de-vertex-ai">1. Configuration de Vertex AI</a></li>
<li><a href="#2-construction-dun-script-et-integration-dans-une-image-docker">2. Construction d’un script et intégration dans une image docker</a></li>
<li><a href="#3-integration-dans-gitlab-ci">3. Intégration dans GitLab CI</a></li>
<li><a href="#conclusion">Conclusion</a></li>
</ul>
</div>
<p>Notre métier consiste à installer des applications en respéctant l’état de l’art. Lorsque l’installation de l’application se fait via la mise à jour de code Gitlab, la documentation de ce code est primordiale. Toute mise à jour du code d’infrastructure est documenté dans une demande Gitlab de merge-request.</p>
<p>Aujourd’hui, je vous propose d’automatiser une des tâches de documentation: la rédaction de descriptions pour les merge-requests.
J’ai pu remarquer qu’au début des projets, on se force à écrire de la documentation et des descriptions de changements clair et complet. Cependant, avec la pression ou les changements qui sont à effectuer rapidement, avec le temps, il arrive qu’on se retrouve à rédiger des notes trop brèves, non-exhaustives, ou ne reflétant pas l’intégralité des changements effectués dans le code.</p>
<p>Du coup, nos MR ressemblent à ça et c’est assez vide.</p>
<p><img alt="GitlabCustomDomain" src="/images/2024-Generate-MR-text/2024-Generate-MR-text_1.png" /></p>
<p>Alors que la documentation et ces descriptions sont très importantes pour :</p>
<ul>
<li>les échanges avec l’équipe (Review, double checks, …)</li>
<li>l’audibilité des changements (savoir qui a changé quoi)</li>
<li>La gestion de la documentation du projet</li>
</ul>
<p>Heureusement, avec Vertex AI et GitLab CI, on peut automatiser cette tâche !</p>
<p>Dans cet article, nous allons explorer comment utiliser Vertex AI pour générer automatiquement du texte de merge-request à partir des changements effectués dans une branche GitLab.</p>
<h2 id="1-configuration-de-vertex-ai">1. Configuration de Vertex AI<a class="headerlink" href="#1-configuration-de-vertex-ai" title="Permanent link">¶</a></h2>
<p>Tout d’abord, il faut configurer l’API Vertex AI capable de générer du texte à partir de données textuelles. Dans cet article, j’ai utilisé le modèle “gemini-1.5-flash-001”.</p>
<p>Il faut bien sûr activer l’api Vertex AI en suivant la documentation.
On peut ensuite utiliser VertexAI via la console Google Cloud pour construire le meilleur prompt
Après quelques textes voici le prompt que j’ai mis en place :</p>
<div class="highlight"><pre><span></span><code><span class="nx">As</span><span class="w"> </span><span class="nx">a</span><span class="w"> </span><span class="nx">senior</span><span class="w"> </span><span class="nx">DevOps</span><span class="w"> </span><span class="nx">engineer</span><span class="w"> </span><span class="nx">reviewing</span><span class="w"> </span><span class="nx">a</span><span class="w"> </span><span class="nx">merge</span><span class="w"> </span><span class="nx">request</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="nx">a</span><span class="w"> </span><span class="nx">Terraform</span><span class="w"> </span><span class="nx">module</span><span class="p">.</span><span class="w"> </span><span class="nx">Please</span><span class="w"> </span><span class="nx">provide</span><span class="w"> </span><span class="nx">a</span><span class="w"> </span><span class="nx">comprehensive</span><span class="w"> </span><span class="nx">description</span><span class="w"> </span><span class="nx">of</span><span class="w"> </span><span class="nx">the</span><span class="w"> </span><span class="nx">changes</span><span class="w"> </span><span class="k">in</span><span class="w"> </span><span class="nx">french</span><span class="p">,</span><span class="w"> </span><span class="nx">focusing</span><span class="w"> </span><span class="nx">on</span><span class="w"> </span><span class="nx">the</span><span class="w"> </span><span class="nx">following</span><span class="p">:</span>
<span class="o">*</span><span class="w"> </span><span class="o">**</span><span class="nx">What</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="nx">the</span><span class="w"> </span><span class="nx">overall</span><span class="w"> </span><span class="nx">purpose</span><span class="w"> </span><span class="nx">of</span><span class="w"> </span><span class="nx">the</span><span class="w"> </span><span class="nx">changes</span><span class="p">?</span><span class="o">**</span>
<span class="o">*</span><span class="w"> </span><span class="o">**</span><span class="nx">What</span><span class="w"> </span><span class="nx">specific</span><span class="w"> </span><span class="nx">resources</span><span class="w"> </span><span class="nx">are</span><span class="w"> </span><span class="nx">affected</span><span class="p">?</span><span class="o">**</span>
<span class="o">*</span><span class="w"> </span><span class="o">**</span><span class="nx">What</span><span class="w"> </span><span class="nx">are</span><span class="w"> </span><span class="nx">the</span><span class="w"> </span><span class="nx">main</span><span class="w"> </span><span class="nx">changes</span><span class="w"> </span><span class="nx">made</span><span class="w"> </span><span class="nx">to</span><span class="w"> </span><span class="nx">those</span><span class="w"> </span><span class="nx">resources</span><span class="p">?</span><span class="o">**</span>
<span class="o">*</span><span class="w"> </span><span class="o">**</span><span class="nx">Are</span><span class="w"> </span><span class="nx">there</span><span class="w"> </span><span class="nx">any</span><span class="w"> </span><span class="nx">security</span><span class="w"> </span><span class="k">or</span><span class="w"> </span><span class="nx">performance</span><span class="w"> </span><span class="nx">implications</span><span class="w"> </span><span class="nx">of</span><span class="w"> </span><span class="nx">the</span><span class="w"> </span><span class="nx">changes</span><span class="p">?</span><span class="o">**</span>
<span class="o">*</span><span class="w"> </span><span class="o">**</span><span class="nx">Are</span><span class="w"> </span><span class="nx">there</span><span class="w"> </span><span class="nx">any</span><span class="w"> </span><span class="nx">potential</span><span class="w"> </span><span class="nx">risks</span><span class="w"> </span><span class="k">or</span><span class="w"> </span><span class="nx">considerations</span><span class="p">?</span><span class="w"> </span>
</code></pre></div>
<p>On peut tester le prompt dans VertexAI, comme ci-dessous en glissant-déposser un fichier “git-diff”.</p>
<p><img alt="GitlabCustomDomain" src="/images/2024-Generate-MR-text/2024-Generate-MR-text_2.png" /></p>
<h2 id="2-construction-dun-script-et-integration-dans-une-image-docker">2. Construction d’un script et intégration dans une image docker<a class="headerlink" href="#2-construction-dun-script-et-integration-dans-une-image-docker" title="Permanent link">¶</a></h2>
<p>Pour commencer, on va créer un script python capable :</p>
<p>Interroger Gitlab pour obtenir le “gitdiff” changement
Le soumettre à VertexAI
Mettre a jour la MR Gitlab avec le résultat de VertexAI
Voici le script : generate-mr-text.py</p>
<div class="highlight"><pre><span></span><code><span class="kn">import</span><span class="w"> </span><span class="nn">base64</span>
<span class="kn">import</span><span class="w"> </span><span class="nn">vertexai</span>
<span class="kn">from</span><span class="w"> </span><span class="nn">vertexai.generative_models</span><span class="w"> </span><span class="kn">import</span> <span class="n">GenerativeModel</span><span class="p">,</span> <span class="n">Part</span><span class="p">,</span> <span class="n">FinishReason</span>
<span class="kn">import</span><span class="w"> </span><span class="nn">vertexai.preview.generative_models</span><span class="w"> </span><span class="k">as</span><span class="w"> </span><span class="nn">generative_models</span>
<span class="kn">import</span><span class="w"> </span><span class="nn">gitlab</span>
<span class="kn">import</span><span class="w"> </span><span class="nn">os</span><span class="o">,</span><span class="w"> </span><span class="nn">json</span>
<span class="kn">import</span><span class="w"> </span><span class="nn">argparse</span><span class="p">;</span>
<span class="n">GCP_PROJECT_ID</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">getenv</span><span class="p">(</span><span class="s2">"GCP_PROJECT_ID"</span><span class="p">,</span> <span class="s2">"sandbox-mgoulin"</span><span class="p">)</span>
<span class="n">GCP_LOCATION</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">getenv</span><span class="p">(</span><span class="s2">"GCP_LOCATION"</span><span class="p">,</span> <span class="s2">"us-central1"</span><span class="p">)</span>
<span class="n">GCP_MODEL</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">getenv</span><span class="p">(</span><span class="s2">"GCP_MODEL"</span><span class="p">,</span> <span class="s2">"gemini-1.5-flash-preview-0514"</span><span class="p">)</span>
<span class="n">GITLAB_HOST</span><span class="o">=</span><span class="n">os</span><span class="o">.</span><span class="n">getenv</span><span class="p">(</span><span class="s2">"GITLAB_HOST"</span><span class="p">,</span><span class="s2">"https://gitlab.com"</span><span class="p">)</span>
<span class="n">GITLAB_TOKEN</span><span class="o">=</span><span class="n">os</span><span class="o">.</span><span class="n">getenv</span><span class="p">(</span><span class="s2">"GITLAB_TOKEN"</span><span class="p">,</span> <span class="kc">False</span><span class="p">)</span>
<span class="n">GITLAB_SSL_SKIP_VERIFY</span><span class="o">=</span><span class="n">os</span><span class="o">.</span><span class="n">getenv</span><span class="p">(</span><span class="s2">"GITLAB_SSL_SKIP_VERIFY"</span><span class="p">,</span><span class="kc">False</span><span class="p">)</span>
<span class="n">LLM_PROMPT</span> <span class="o">=</span> <span class="s2">"""As a senior DevOps engineer reviewing a merge request for a Terraform module. Please provide a comprehensive description of the changes in french, focusing on the following:</span>
<span class="s2">* **What is the overall purpose of the changes?**</span>
<span class="s2">* **What specific resources are affected?**</span>
<span class="s2">* **What are the main changes made to those resources?**</span>
<span class="s2">* **Are there any security or performance implications of the changes?**</span>
<span class="s2">* **Are there any potential risks or considerations?**"""</span>
<span class="k">def</span><span class="w"> </span><span class="nf">generate</span><span class="p">(</span><span class="n">diff</span><span class="p">):</span>
<span class="n">vertexai</span><span class="o">.</span><span class="n">init</span><span class="p">(</span><span class="n">project</span><span class="o">=</span><span class="n">GCP_PROJECT_ID</span><span class="p">,</span> <span class="n">location</span><span class="o">=</span><span class="n">GCP_LOCATION</span><span class="p">)</span>
<span class="n">model</span> <span class="o">=</span> <span class="n">GenerativeModel</span><span class="p">(</span>
<span class="n">GCP_MODEL</span><span class="p">,</span>
<span class="p">)</span>
<span class="n">responses</span> <span class="o">=</span> <span class="n">model</span><span class="o">.</span><span class="n">generate_content</span><span class="p">(</span>
<span class="p">[</span><span class="n">LLM_PROMPT</span><span class="p">,</span> <span class="n">diff</span><span class="p">],</span>
<span class="n">generation_config</span><span class="o">=</span><span class="n">generation_config</span><span class="p">,</span>
<span class="n">safety_settings</span><span class="o">=</span><span class="n">safety_settings</span><span class="p">,</span>
<span class="n">stream</span><span class="o">=</span><span class="kc">True</span><span class="p">,</span>
<span class="p">)</span>
<span class="n">rep</span> <span class="o">=</span> <span class="s2">""</span>
<span class="k">for</span> <span class="n">response</span> <span class="ow">in</span> <span class="n">responses</span><span class="p">:</span>
<span class="n">rep</span> <span class="o">+=</span> <span class="n">response</span><span class="o">.</span><span class="n">text</span>
<span class="k">return</span> <span class="n">rep</span>
<span class="n">generation_config</span> <span class="o">=</span> <span class="p">{</span>
<span class="s2">"max_output_tokens"</span><span class="p">:</span> <span class="mi">8192</span><span class="p">,</span>
<span class="s2">"temperature"</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span>
<span class="s2">"top_p"</span><span class="p">:</span> <span class="mf">0.95</span><span class="p">,</span>
<span class="p">}</span>
<span class="n">safety_settings</span> <span class="o">=</span> <span class="p">{</span>
<span class="n">generative_models</span><span class="o">.</span><span class="n">HarmCategory</span><span class="o">.</span><span class="n">HARM_CATEGORY_HATE_SPEECH</span><span class="p">:</span> <span class="n">generative_models</span><span class="o">.</span><span class="n">HarmBlockThreshold</span><span class="o">.</span><span class="n">BLOCK_MEDIUM_AND_ABOVE</span><span class="p">,</span>
<span class="n">generative_models</span><span class="o">.</span><span class="n">HarmCategory</span><span class="o">.</span><span class="n">HARM_CATEGORY_DANGEROUS_CONTENT</span><span class="p">:</span> <span class="n">generative_models</span><span class="o">.</span><span class="n">HarmBlockThreshold</span><span class="o">.</span><span class="n">BLOCK_MEDIUM_AND_ABOVE</span><span class="p">,</span>
<span class="n">generative_models</span><span class="o">.</span><span class="n">HarmCategory</span><span class="o">.</span><span class="n">HARM_CATEGORY_SEXUALLY_EXPLICIT</span><span class="p">:</span> <span class="n">generative_models</span><span class="o">.</span><span class="n">HarmBlockThreshold</span><span class="o">.</span><span class="n">BLOCK_MEDIUM_AND_ABOVE</span><span class="p">,</span>
<span class="n">generative_models</span><span class="o">.</span><span class="n">HarmCategory</span><span class="o">.</span><span class="n">HARM_CATEGORY_HARASSMENT</span><span class="p">:</span> <span class="n">generative_models</span><span class="o">.</span><span class="n">HarmBlockThreshold</span><span class="o">.</span><span class="n">BLOCK_MEDIUM_AND_ABOVE</span><span class="p">,</span>
<span class="p">}</span>
<span class="k">def</span><span class="w"> </span><span class="nf">find_mr</span><span class="p">(</span><span class="n">project</span><span class="p">,</span> <span class="n">mr_id</span><span class="p">):</span>
<span class="n">gl</span> <span class="o">=</span> <span class="n">gitlab</span><span class="o">.</span><span class="n">Gitlab</span><span class="p">(</span><span class="n">url</span><span class="o">=</span><span class="n">GITLAB_HOST</span><span class="p">,</span> <span class="n">private_token</span><span class="o">=</span><span class="n">GITLAB_TOKEN</span><span class="p">,</span> <span class="n">ssl_verify</span><span class="o">=</span><span class="ow">not</span><span class="p">(</span><span class="n">GITLAB_SSL_SKIP_VERIFY</span><span class="p">))</span>
<span class="n">prj</span> <span class="o">=</span> <span class="n">gl</span><span class="o">.</span><span class="n">projects</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="n">project</span><span class="p">)</span>
<span class="k">return</span> <span class="n">prj</span><span class="o">.</span><span class="n">mergerequests</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="n">mr_id</span><span class="p">)</span>
<span class="n">parser</span> <span class="o">=</span> <span class="n">argparse</span><span class="o">.</span><span class="n">ArgumentParser</span><span class="p">(</span>
<span class="n">prog</span><span class="o">=</span><span class="s1">'generate-mr-text.py'</span><span class="p">,</span>
<span class="n">description</span><span class="o">=</span><span class="s1">'Use Gemini to update a merge request with a description'</span><span class="p">,</span>
<span class="p">)</span>
<span class="n">parser</span><span class="o">.</span><span class="n">add_argument</span><span class="p">(</span><span class="s1">'-p'</span><span class="p">,</span> <span class="s1">'--gitlab_project'</span><span class="p">,</span> <span class="n">required</span><span class="o">=</span><span class="kc">True</span><span class="p">)</span>
<span class="n">parser</span><span class="o">.</span><span class="n">add_argument</span><span class="p">(</span><span class="s1">'-m'</span><span class="p">,</span> <span class="s1">'--gitlab_mr_id'</span><span class="p">,</span> <span class="n">required</span><span class="o">=</span><span class="kc">True</span><span class="p">,</span> <span class="nb">type</span><span class="o">=</span><span class="nb">int</span><span class="p">)</span>
<span class="n">project</span> <span class="o">=</span> <span class="n">parser</span><span class="o">.</span><span class="n">parse_args</span><span class="p">()</span><span class="o">.</span><span class="n">gitlab_project</span>
<span class="n">mr_id</span> <span class="o">=</span> <span class="n">parser</span><span class="o">.</span><span class="n">parse_args</span><span class="p">()</span><span class="o">.</span><span class="n">gitlab_mr_id</span>
<span class="n">mr</span> <span class="o">=</span> <span class="n">find_mr</span><span class="p">(</span><span class="n">project</span><span class="p">,</span> <span class="n">mr_id</span><span class="p">)</span>
<span class="n">changes</span> <span class="o">=</span> <span class="n">mr</span><span class="o">.</span><span class="n">changes</span><span class="p">()</span>
<span class="c1">#print(json.dumps(changes, indent=4))</span>
<span class="c1">#diff=find_diff()</span>
<span class="n">text</span><span class="o">=</span><span class="n">generate</span><span class="p">(</span><span class="n">json</span><span class="o">.</span><span class="n">dumps</span><span class="p">(</span><span class="n">changes</span><span class="p">,</span> <span class="n">indent</span><span class="o">=</span><span class="mi">4</span><span class="p">))</span>
<span class="n">mr</span><span class="o">.</span><span class="n">description</span><span class="o">=</span><span class="n">mr</span><span class="o">.</span><span class="n">description</span><span class="o">.</span><span class="n">split</span><span class="p">(</span><span class="s2">"=== Start block generated by generate-mr-text.py ==="</span><span class="p">)[</span><span class="mi">0</span><span class="p">]</span><span class="o">+</span><span class="s2">"""</span>
<span class="s2">=== Start block generated by generate-mr-text.py ===</span>
<span class="s2">"""</span><span class="o">+</span><span class="n">text</span>
<span class="n">mr</span><span class="o">.</span><span class="n">save</span><span class="p">()</span>
</code></pre></div>
<p>On peut intégrer rapidement ce script via Dockerfile et pip, pour cela, on a besoin de créer deux fichiers permettant d’installer le script dans un container docker. </p>
<p>Fichier requirements.txt</p>
<div class="highlight"><pre><span></span><code>python-gitlab
google-cloud-aiplatform
</code></pre></div>
<p>Fichier : Dockerfile</p>
<div class="highlight"><pre><span></span><code><span class="n">FROM</span><span class="w"> </span><span class="n">registry</span><span class="p">.</span><span class="n">access</span><span class="p">.</span><span class="n">redhat</span><span class="p">.</span><span class="n">com</span><span class="o">/</span><span class="n">ubi8</span><span class="o">/</span><span class="n">python</span><span class="o">-</span><span class="mh">38</span>
<span class="p">#</span><span class="w"> </span><span class="n">Add</span><span class="w"> </span><span class="n">application</span><span class="w"> </span><span class="n">sources</span><span class="w"> </span><span class="n">with</span><span class="w"> </span><span class="n">correct</span><span class="w"> </span><span class="n">permissions</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">OpenShift</span>
<span class="n">USER</span><span class="w"> </span><span class="mh">0</span>
<span class="n">ADD</span><span class="w"> </span><span class="p">.</span><span class="w"> </span><span class="p">.</span>
<span class="n">RUN</span><span class="w"> </span><span class="n">chown</span><span class="w"> </span><span class="o">-</span><span class="n">R</span><span class="w"> </span><span class="mh">1001</span><span class="o">:</span><span class="mh">0</span><span class="w"> </span><span class="p">.</span><span class="o">/</span>
<span class="n">USER</span><span class="w"> </span><span class="mh">1001</span>
<span class="p">#</span><span class="w"> </span><span class="n">Install</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">dependencies</span>
<span class="n">RUN</span><span class="w"> </span><span class="n">pip</span><span class="w"> </span><span class="n">install</span><span class="w"> </span><span class="o">-</span><span class="n">U</span><span class="w"> </span><span class="s">"pip>=19.3.1"</span><span class="w"> </span><span class="o">&&</span><span class="w"> </span><span class="se">\</span>
<span class="w"> </span><span class="n">pip</span><span class="w"> </span><span class="n">install</span><span class="w"> </span><span class="o">-</span><span class="n">r</span><span class="w"> </span><span class="n">requirements</span><span class="p">.</span><span class="n">txt</span><span class="w"> </span>
</code></pre></div>
<p>La commande <code>docker build .</code> permettra de construire le container et pour rester cohérent dans nos outils et rester dans le monde GCP, je propose de l’héberger dans <code>Artifact registry</code></p>
<p>Pour résumé voici les commandes :</p>
<div class="highlight"><pre><span></span><code>cloud artifacts repositories create --project sandbox-mgoulin --repository-format=DOCKER --location europe-west9 generate-mr-text
docker build . -t europe-west9-docker.pkg.dev/sandbox-mgoulin/generate-mr-text/generate-mr-text:latest
docker push europe-west9-docker.pkg.dev/sandbox-mgoulin/generate-mr-text/generate-mr-text:latest
</code></pre></div>
<p>Le container s’utilisera donc simplement de la façon suivante (d’autre variable d’environnement peuvent être ajouté dans le script).</p>
<div class="highlight"><pre><span></span><code>docker run \
-e GCP_PROJECT_ID=... \
-e GITLAB_TOKEN=... \
-e GOOGLE_APPLICATION_CREDENTIALS=... \
europe-west9-docker.pkg.dev/sandbox-mgoulin/generate-mr-text/generate-mr-text:latest \
python generate-mr-text.py -p -m
</code></pre></div>
<h2 id="3-integration-dans-gitlab-ci">3. Intégration dans GitLab CI<a class="headerlink" href="#3-integration-dans-gitlab-ci" title="Permanent link">¶</a></h2>
<p>Une fois le modèle Vertex AI configuré, le script crée, il faut l’intégrer dans le pipeline GitLab CI. Cela se fait en ajoutant une nouvelle étape dans le fichier : gitlab-ci.yml.</p>
<p>Voici un exemple de code :</p>
<div class="highlight"><pre><span></span><code><span class="n">merge_request_text</span><span class="o">:</span>
<span class="n">stage</span><span class="o">:</span><span class="w"> </span><span class="n">generate</span>
<span class="n">image</span><span class="o">:</span><span class="w"> </span><span class="n">europe</span><span class="o">-</span><span class="n">west9</span><span class="o">-</span><span class="n">docker</span><span class="o">.</span><span class="na">pkg</span><span class="o">.</span><span class="na">dev</span><span class="sr">/sandbox-mgoulin/generate-mr-text/g</span><span class="n">enerate</span><span class="o">-</span><span class="n">mr</span><span class="o">-</span><span class="n">text</span><span class="o">:</span><span class="n">latest</span><span class="w"> </span>
<span class="n">script</span><span class="o">:</span>
<span class="o">-</span><span class="w"> </span><span class="o">|</span>
<span class="n">python</span><span class="w"> </span><span class="n">generate</span><span class="o">-</span><span class="n">mr</span><span class="o">-</span><span class="n">text</span><span class="o">.</span><span class="na">py</span><span class="w"> </span><span class="o">-</span><span class="n">p</span><span class="w"> </span><span class="n">$CI_PROJECT_ID</span><span class="w"> </span><span class="o">-</span><span class="n">m</span><span class="w"> </span><span class="n">$vCI_MERGE_REQUEST_IID</span>
</code></pre></div>
<p>Fonctionnement du pipeline :</p>
<ul>
<li>Lorsque vous ouvrez une merge-request, le pipeline GitLab CI s’exécute.</li>
<li>L’étape merge_request_text lance le script écrit à l’étape 2.</li>
<li>Le modèle génère un texte de merge-request, qui peut ensuite être utilisé pour créer la description de la merge-request.</li>
</ul>
<h2 id="conclusion">Conclusion<a class="headerlink" href="#conclusion" title="Permanent link">¶</a></h2>
<p>Après la mise en place de ce job en pipeline nos Merge-Requests ont clairement changés. Voici un exemple pour illustrer la monté de version de nextcloud.</p>
<p><img alt="GitlabCustomDomain" src="/images/2024-Generate-MR-text/2024-Generate-MR-text_cover.png" /></p>
<div class="highlight"><pre><span></span><code><span class="err">##</span><span class="w"> </span><span class="nx">Revue</span><span class="w"> </span><span class="nx">de</span><span class="w"> </span><span class="nx">la</span><span class="w"> </span><span class="nx">demande</span><span class="w"> </span><span class="nx">de</span><span class="w"> </span><span class="nx">fusion</span><span class="w"> </span><span class="nx">du</span><span class="w"> </span><span class="nx">module</span><span class="w"> </span><span class="nx">Terraform</span><span class="w"> </span><span class="nx">Nextcloud</span>
<span class="o">**</span><span class="nx">Objet</span><span class="w"> </span><span class="nx">des</span><span class="w"> </span><span class="nx">changements</span><span class="p">:</span><span class="o">**</span>
<span class="nx">Cette</span><span class="w"> </span><span class="nx">demande</span><span class="w"> </span><span class="nx">de</span><span class="w"> </span><span class="nx">fusion</span><span class="w"> </span><span class="nx">vise</span><span class="w"> </span><span class="nx">à</span><span class="w"> </span><span class="nx">mettre</span><span class="w"> </span><span class="nx">à</span><span class="w"> </span><span class="nx">niveau</span><span class="w"> </span><span class="nx">le</span><span class="w"> </span><span class="nx">module</span><span class="w"> </span><span class="nx">Terraform</span><span class="w"> </span><span class="nx">pour</span><span class="w"> </span><span class="nx">Nextcloud</span><span class="w"> </span><span class="nx">vers</span><span class="w"> </span><span class="nx">la</span><span class="w"> </span><span class="nx">version</span><span class="w"> </span><span class="mi">28</span><span class="p">.</span><span class="w"> </span><span class="nx">Cela</span><span class="w"> </span><span class="nx">implique</span><span class="w"> </span><span class="nx">une</span><span class="w"> </span><span class="nx">série</span><span class="w"> </span><span class="nx">de</span><span class="w"> </span><span class="nx">modifications</span><span class="w"> </span><span class="nx">pour</span><span class="w"> </span><span class="nx">assurer</span><span class="w"> </span><span class="nx">la</span><span class="w"> </span><span class="nx">compatibilité</span><span class="w"> </span><span class="nx">et</span><span class="w"> </span><span class="nx">la</span><span class="w"> </span><span class="nx">stabilité</span><span class="w"> </span><span class="nx">du</span><span class="w"> </span><span class="nx">service</span><span class="w"> </span><span class="nx">Nextcloud</span><span class="p">.</span>
<span class="o">**</span><span class="nx">Ressources</span><span class="w"> </span><span class="nx">affectées</span><span class="p">:</span><span class="o">**</span>
<span class="nx">Les</span><span class="w"> </span><span class="nx">changements</span><span class="w"> </span><span class="nx">affectent</span><span class="w"> </span><span class="nx">principalement</span><span class="w"> </span><span class="nx">les</span><span class="w"> </span><span class="nx">ressources</span><span class="w"> </span><span class="nx">suivantes</span><span class="w"> </span><span class="p">:</span>
<span class="o">*</span><span class="w"> </span><span class="o">**</span><span class="nx">Dockerfile</span><span class="p">:</span><span class="o">**</span><span class="w"> </span><span class="nx">La</span><span class="w"> </span><span class="kd">base</span><span class="w"> </span><span class="nx">de</span><span class="w"> </span><span class="nx">l</span><span class="err">'</span><span class="nx">image</span><span class="w"> </span><span class="nx">Docker</span><span class="w"> </span><span class="nx">est</span><span class="w"> </span><span class="nx">mise</span><span class="w"> </span><span class="nx">à</span><span class="w"> </span><span class="nx">jour</span><span class="w"> </span><span class="nx">vers</span><span class="w"> </span><span class="nx">PHP</span><span class="w"> </span><span class="m m-Double">8.2</span><span class="w"> </span><span class="nx">et</span><span class="w"> </span><span class="nx">la</span><span class="w"> </span><span class="nx">version</span><span class="w"> </span><span class="nx">de</span><span class="w"> </span><span class="nx">Nextcloud</span><span class="w"> </span><span class="nx">est</span><span class="w"> </span><span class="nx">modifiée</span><span class="w"> </span><span class="nx">en</span><span class="w"> </span><span class="mi">28</span><span class="p">.</span>
<span class="o">*</span><span class="w"> </span><span class="o">**</span><span class="nx">Fichier</span><span class="w"> </span><span class="nx">htaccess</span><span class="p">:</span><span class="o">**</span><span class="w"> </span><span class="nx">Un</span><span class="w"> </span><span class="nx">nouveau</span><span class="w"> </span><span class="nx">fichier</span><span class="w"> </span><span class="err">`</span><span class="p">.</span><span class="nx">htaccess</span><span class="err">`</span><span class="w"> </span><span class="nx">est</span><span class="w"> </span><span class="nx">ajouté</span><span class="p">,</span><span class="w"> </span><span class="nx">contenant</span><span class="w"> </span><span class="nx">des</span><span class="w"> </span><span class="nx">directives</span><span class="w"> </span><span class="nx">de</span><span class="w"> </span><span class="nx">configuration</span><span class="w"> </span><span class="nx">spécifiques</span><span class="w"> </span><span class="nx">à</span><span class="w"> </span><span class="nx">Nextcloud</span><span class="p">,</span><span class="w"> </span><span class="nx">notamment</span><span class="w"> </span><span class="nx">la</span><span class="w"> </span><span class="nx">gestion</span><span class="w"> </span><span class="nx">des</span><span class="w"> </span><span class="nx">en</span><span class="o">-</span><span class="nx">têtes</span><span class="w"> </span><span class="nx">de</span><span class="w"> </span><span class="nx">sécurité</span><span class="p">,</span><span class="w"> </span><span class="nx">des</span><span class="w"> </span><span class="nx">directives</span><span class="w"> </span><span class="nx">de</span><span class="w"> </span><span class="nx">cache</span><span class="w"> </span><span class="nx">pour</span><span class="w"> </span><span class="nx">les</span><span class="w"> </span><span class="nx">ressources</span><span class="w"> </span><span class="nx">statiques</span><span class="w"> </span><span class="nx">et</span><span class="w"> </span><span class="nx">des</span><span class="w"> </span><span class="nx">règles</span><span class="w"> </span><span class="nx">de</span><span class="w"> </span><span class="nx">réécriture</span><span class="w"> </span><span class="nx">d</span><span class="err">'</span><span class="nx">URL</span><span class="w"> </span><span class="nx">pour</span><span class="w"> </span><span class="nx">le</span><span class="w"> </span><span class="nx">bon</span><span class="w"> </span><span class="nx">fonctionnement</span><span class="w"> </span><span class="nx">de</span><span class="w"> </span><span class="nx">Nextcloud</span><span class="p">.</span><span class="w"> </span>
<span class="o">*</span><span class="w"> </span><span class="o">**</span><span class="nx">Fichier</span><span class="w"> </span><span class="nx">nextcloud</span><span class="p">.</span><span class="nx">tf</span><span class="p">:</span><span class="o">**</span><span class="w"> </span><span class="nx">L</span><span class="err">'</span><span class="nx">image</span><span class="w"> </span><span class="nx">Docker</span><span class="w"> </span><span class="nx">utilisée</span><span class="w"> </span><span class="nx">pour</span><span class="w"> </span><span class="nx">le</span><span class="w"> </span><span class="nx">conteneur</span><span class="w"> </span><span class="nx">Nextcloud</span><span class="w"> </span><span class="nx">est</span><span class="w"> </span><span class="nx">mise</span><span class="w"> </span><span class="nx">à</span><span class="w"> </span><span class="nx">jour</span><span class="w"> </span><span class="nx">pour</span><span class="w"> </span><span class="nx">refléter</span><span class="w"> </span><span class="nx">la</span><span class="w"> </span><span class="nx">nouvelle</span><span class="w"> </span><span class="nx">version</span><span class="p">.</span>
<span class="o">**</span><span class="nx">Principales</span><span class="w"> </span><span class="nx">modifications</span><span class="p">:</span><span class="o">**</span>
<span class="o">*</span><span class="w"> </span><span class="o">**</span><span class="nx">Mise</span><span class="w"> </span><span class="nx">à</span><span class="w"> </span><span class="nx">niveau</span><span class="w"> </span><span class="nx">de</span><span class="w"> </span><span class="nx">la</span><span class="w"> </span><span class="nx">version</span><span class="w"> </span><span class="nx">de</span><span class="w"> </span><span class="nx">Nextcloud</span><span class="p">:</span><span class="o">**</span><span class="w"> </span><span class="nx">L</span><span class="err">'</span><span class="nx">image</span><span class="w"> </span><span class="nx">Docker</span><span class="w"> </span><span class="nx">est</span><span class="w"> </span><span class="nx">mise</span><span class="w"> </span><span class="nx">à</span><span class="w"> </span><span class="nx">jour</span><span class="w"> </span><span class="nx">vers</span><span class="w"> </span><span class="nx">la</span><span class="w"> </span><span class="nx">version</span><span class="w"> </span><span class="mi">28</span><span class="p">,</span><span class="w"> </span><span class="nx">incluant</span><span class="w"> </span><span class="nx">les</span><span class="w"> </span><span class="nx">dernières</span><span class="w"> </span><span class="nx">fonctionnalités</span><span class="w"> </span><span class="nx">et</span><span class="w"> </span><span class="nx">corrections</span><span class="w"> </span><span class="nx">de</span><span class="w"> </span><span class="nx">sécurité</span><span class="p">.</span><span class="w"> </span>
<span class="o">*</span><span class="w"> </span><span class="o">**</span><span class="nx">Configuration</span><span class="w"> </span><span class="nx">du</span><span class="w"> </span><span class="nx">fichier</span><span class="w"> </span><span class="err">`</span><span class="p">.</span><span class="nx">htaccess</span><span class="err">`</span><span class="p">:</span><span class="o">**</span><span class="w"> </span><span class="nx">Un</span><span class="w"> </span><span class="nx">nouveau</span><span class="w"> </span><span class="nx">fichier</span><span class="w"> </span><span class="err">`</span><span class="p">.</span><span class="nx">htaccess</span><span class="err">`</span><span class="w"> </span><span class="nx">est</span><span class="w"> </span><span class="nx">ajouté</span><span class="w"> </span><span class="nx">pour</span><span class="w"> </span><span class="nx">garantir</span><span class="w"> </span><span class="nx">la</span><span class="w"> </span><span class="nx">configuration</span><span class="w"> </span><span class="nx">optimale</span><span class="w"> </span><span class="nx">de</span><span class="w"> </span><span class="nx">Nextcloud</span><span class="w"> </span><span class="nx">et</span><span class="w"> </span><span class="nx">l</span><span class="err">'</span><span class="nx">application</span><span class="w"> </span><span class="nx">des</span><span class="w"> </span><span class="nx">meilleures</span><span class="w"> </span><span class="nx">pratiques</span><span class="w"> </span><span class="nx">de</span><span class="w"> </span><span class="nx">sécurité</span><span class="p">.</span><span class="w"> </span>
<span class="o">**</span><span class="nx">Implications</span><span class="w"> </span><span class="nx">en</span><span class="w"> </span><span class="nx">matière</span><span class="w"> </span><span class="nx">de</span><span class="w"> </span><span class="nx">sécurité</span><span class="w"> </span><span class="nx">et</span><span class="w"> </span><span class="nx">de</span><span class="w"> </span><span class="nx">performance</span><span class="p">:</span><span class="o">**</span>
<span class="o">*</span><span class="w"> </span><span class="o">**</span><span class="nx">Sécurité</span><span class="p">:</span><span class="o">**</span><span class="w"> </span><span class="nx">La</span><span class="w"> </span><span class="nx">mise</span><span class="w"> </span><span class="nx">à</span><span class="w"> </span><span class="nx">jour</span><span class="w"> </span><span class="nx">de</span><span class="w"> </span><span class="nx">Nextcloud</span><span class="w"> </span><span class="nx">vers</span><span class="w"> </span><span class="nx">la</span><span class="w"> </span><span class="nx">version</span><span class="w"> </span><span class="mi">28</span><span class="w"> </span><span class="nx">inclut</span><span class="w"> </span><span class="nx">des</span><span class="w"> </span><span class="nx">correctifs</span><span class="w"> </span><span class="nx">de</span><span class="w"> </span><span class="nx">sécurité</span><span class="w"> </span><span class="nx">importants</span><span class="p">.</span><span class="w"> </span><span class="nx">La</span><span class="w"> </span><span class="nx">configuration</span><span class="w"> </span><span class="nx">du</span><span class="w"> </span><span class="nx">fichier</span><span class="w"> </span><span class="err">`</span><span class="p">.</span><span class="nx">htaccess</span><span class="err">`</span><span class="w"> </span><span class="nx">contribue</span><span class="w"> </span><span class="nx">également</span><span class="w"> </span><span class="nx">à</span><span class="w"> </span><span class="nx">améliorer</span><span class="w"> </span><span class="nx">la</span><span class="w"> </span><span class="nx">sécurité</span><span class="w"> </span><span class="nx">en</span><span class="w"> </span><span class="nx">appliquant</span><span class="w"> </span><span class="nx">des</span><span class="w"> </span><span class="nx">en</span><span class="o">-</span><span class="nx">têtes</span><span class="w"> </span><span class="nx">de</span><span class="w"> </span><span class="nx">sécurité</span><span class="w"> </span><span class="nx">essentiels</span><span class="p">.</span><span class="w"> </span>
<span class="o">*</span><span class="w"> </span><span class="o">**</span><span class="nx">Performance</span><span class="p">:</span><span class="o">**</span><span class="w"> </span><span class="nx">La</span><span class="w"> </span><span class="nx">nouvelle</span><span class="w"> </span><span class="nx">image</span><span class="w"> </span><span class="nx">Docker</span><span class="w"> </span><span class="nx">basée</span><span class="w"> </span><span class="nx">sur</span><span class="w"> </span><span class="nx">PHP</span><span class="w"> </span><span class="m m-Double">8.2</span><span class="w"> </span><span class="nx">pourrait</span><span class="w"> </span><span class="nx">entraîner</span><span class="w"> </span><span class="nx">des</span><span class="w"> </span><span class="nx">améliorations</span><span class="w"> </span><span class="nx">de</span><span class="w"> </span><span class="nx">performance</span><span class="p">,</span><span class="w"> </span><span class="nx">en</span><span class="w"> </span><span class="nx">particulier</span><span class="w"> </span><span class="nx">pour</span><span class="w"> </span><span class="nx">les</span><span class="w"> </span><span class="nx">applications</span><span class="w"> </span><span class="nx">gourmandes</span><span class="w"> </span><span class="nx">en</span><span class="w"> </span><span class="nx">ressources</span><span class="p">.</span>
<span class="o">**</span><span class="nx">Risques</span><span class="w"> </span><span class="nx">et</span><span class="w"> </span><span class="nx">considérations</span><span class="p">:</span><span class="o">**</span>
<span class="o">*</span><span class="w"> </span><span class="o">**</span><span class="nx">Compatibilité</span><span class="p">:</span><span class="o">**</span><span class="w"> </span><span class="nx">Il</span><span class="w"> </span><span class="nx">est</span><span class="w"> </span><span class="nx">important</span><span class="w"> </span><span class="nx">de</span><span class="w"> </span><span class="nx">tester</span><span class="w"> </span><span class="nx">minutieusement</span><span class="w"> </span><span class="nx">la</span><span class="w"> </span><span class="nx">mise</span><span class="w"> </span><span class="nx">à</span><span class="w"> </span><span class="nx">jour</span><span class="w"> </span><span class="nx">pour</span><span class="w"> </span><span class="nx">s</span><span class="err">'</span><span class="nx">assurer</span><span class="w"> </span><span class="nx">que</span><span class="w"> </span><span class="nx">toutes</span><span class="w"> </span><span class="nx">les</span><span class="w"> </span><span class="nx">applications</span><span class="w"> </span><span class="nx">et</span><span class="w"> </span><span class="nx">les</span><span class="w"> </span><span class="nx">configurations</span><span class="w"> </span><span class="nx">existantes</span><span class="w"> </span><span class="nx">sont</span><span class="w"> </span><span class="nx">compatibles</span><span class="w"> </span><span class="nx">avec</span><span class="w"> </span><span class="nx">la</span><span class="w"> </span><span class="nx">version</span><span class="w"> </span><span class="mi">28</span><span class="w"> </span><span class="nx">de</span><span class="w"> </span><span class="nx">Nextcloud</span><span class="p">.</span>
<span class="o">*</span><span class="w"> </span><span class="o">**</span><span class="nx">Configurations</span><span class="w"> </span><span class="nx">spécifiques</span><span class="p">:</span><span class="o">**</span><span class="w"> </span><span class="nx">Des</span><span class="w"> </span><span class="nx">configurations</span><span class="w"> </span><span class="nx">spécifiques</span><span class="w"> </span><span class="nx">ou</span><span class="w"> </span><span class="nx">des</span><span class="w"> </span><span class="nx">extensions</span><span class="w"> </span><span class="nx">personnalisées</span><span class="w"> </span><span class="nx">pourraient</span><span class="w"> </span><span class="nx">nécessiter</span><span class="w"> </span><span class="nx">des</span><span class="w"> </span><span class="nx">ajustements</span><span class="w"> </span><span class="nx">supplémentaires</span><span class="p">.</span>
<span class="o">*</span><span class="w"> </span><span class="o">**</span><span class="nx">Intégration</span><span class="p">:</span><span class="o">**</span><span class="w"> </span><span class="nx">Assurez</span><span class="o">-</span><span class="nx">vous</span><span class="w"> </span><span class="nx">que</span><span class="w"> </span><span class="nx">la</span><span class="w"> </span><span class="nx">mise</span><span class="w"> </span><span class="nx">à</span><span class="w"> </span><span class="nx">jour</span><span class="w"> </span><span class="nx">de</span><span class="w"> </span><span class="nx">Nextcloud</span><span class="w"> </span><span class="nx">n</span><span class="err">'</span><span class="nx">impacte</span><span class="w"> </span><span class="nx">pas</span><span class="w"> </span><span class="nx">négativement</span><span class="w"> </span><span class="nx">d</span><span class="err">'</span><span class="nx">autres</span><span class="w"> </span><span class="nx">services</span><span class="w"> </span><span class="nx">ou</span><span class="w"> </span><span class="nx">composants</span><span class="w"> </span><span class="nx">du</span><span class="w"> </span><span class="nx">système</span><span class="p">.</span><span class="w"> </span>
<span class="o">*</span><span class="w"> </span><span class="o">**</span><span class="nx">Sauvegardes</span><span class="p">:</span><span class="o">**</span><span class="w"> </span><span class="nx">Il</span><span class="w"> </span><span class="nx">est</span><span class="w"> </span><span class="nx">crucial</span><span class="w"> </span><span class="nx">de</span><span class="w"> </span><span class="nx">créer</span><span class="w"> </span><span class="nx">des</span><span class="w"> </span><span class="nx">sauvegardes</span><span class="w"> </span><span class="nx">complètes</span><span class="w"> </span><span class="nx">de</span><span class="w"> </span><span class="nx">la</span><span class="w"> </span><span class="kd">base</span><span class="w"> </span><span class="nx">de</span><span class="w"> </span><span class="nx">données</span><span class="w"> </span><span class="nx">Nextcloud</span><span class="w"> </span><span class="nx">et</span><span class="w"> </span><span class="nx">des</span><span class="w"> </span><span class="nx">fichiers</span><span class="w"> </span><span class="nx">de</span><span class="w"> </span><span class="nx">données</span><span class="w"> </span><span class="nx">avant</span><span class="w"> </span><span class="nx">d</span><span class="err">'</span><span class="nx">effectuer</span><span class="w"> </span><span class="nx">la</span><span class="w"> </span><span class="nx">mise</span><span class="w"> </span><span class="nx">à</span><span class="w"> </span><span class="nx">jour</span><span class="p">.</span>
<span class="o">**</span><span class="nx">Conclusion</span><span class="p">:</span><span class="o">**</span>
<span class="nx">Cette</span><span class="w"> </span><span class="nx">demande</span><span class="w"> </span><span class="nx">de</span><span class="w"> </span><span class="nx">fusion</span><span class="w"> </span><span class="nx">vise</span><span class="w"> </span><span class="nx">à</span><span class="w"> </span><span class="nx">améliorer</span><span class="w"> </span><span class="nx">la</span><span class="w"> </span><span class="nx">sécurité</span><span class="w"> </span><span class="nx">et</span><span class="w"> </span><span class="nx">la</span><span class="w"> </span><span class="nx">stabilité</span><span class="w"> </span><span class="nx">du</span><span class="w"> </span><span class="nx">service</span><span class="w"> </span><span class="nx">Nextcloud</span><span class="w"> </span><span class="nx">en</span><span class="w"> </span><span class="nx">effectuant</span><span class="w"> </span><span class="nx">une</span><span class="w"> </span><span class="nx">mise</span><span class="w"> </span><span class="nx">à</span><span class="w"> </span><span class="nx">niveau</span><span class="w"> </span><span class="nx">vers</span><span class="w"> </span><span class="nx">la</span><span class="w"> </span><span class="nx">version</span><span class="w"> </span><span class="mi">28</span><span class="p">.</span><span class="w"> </span><span class="nx">Il</span><span class="w"> </span><span class="nx">est</span><span class="w"> </span><span class="nx">essentiel</span><span class="w"> </span><span class="nx">de</span><span class="w"> </span><span class="nx">procéder</span><span class="w"> </span><span class="nx">à</span><span class="w"> </span><span class="nx">des</span><span class="w"> </span><span class="nx">tests</span><span class="w"> </span><span class="nx">complets</span><span class="w"> </span><span class="nx">avant</span><span class="w"> </span><span class="nx">de</span><span class="w"> </span><span class="nx">la</span><span class="w"> </span><span class="nx">valider</span><span class="w"> </span><span class="nx">en</span><span class="w"> </span><span class="nx">production</span><span class="w"> </span><span class="nx">pour</span><span class="w"> </span><span class="nx">garantir</span><span class="w"> </span><span class="nx">une</span><span class="w"> </span><span class="nx">transition</span><span class="w"> </span><span class="nx">en</span><span class="w"> </span><span class="nx">douceur</span><span class="w"> </span><span class="nx">et</span><span class="w"> </span><span class="nx">minimiser</span><span class="w"> </span><span class="nx">les</span><span class="w"> </span><span class="nx">risques</span><span class="p">.</span>
</code></pre></div>
<p>Avantages de l’automatisation:</p>
<ul>
<li>Gain de temps: Plus besoin de rédiger manuellement les descriptions de merge-request.</li>
<li>Cohérence: Le texte généré est toujours cohérent et suit un format standard.</li>
<li>Précision: Le modèle Vertex AI peut identifier des informations importantes qui pourraient être oubliées.</li>
<li>Meilleure communication: Des descriptions claires et précises facilitent la communication entre les membres de l’équipe.</li>
</ul>
<p>En utilisant Vertex AI et GitLab CI, vous pouvez automatiser la génération de texte de merge-request et améliorer votre workflow de développement. Ce gain de temps et d’efficacité vous permettra de vous concentrer sur des tâches plus stratégiques.</p>
<p>N’hésitez pas à tester cette solution et à l’adapter à vos besoins !</p>Generation of text from Merge-Requests automatically in LLM2024-05-29T00:00:00+02:002024-05-29T00:00:00+02:00Mathieu GOULINtag:www.ops-chronicles.cloud,2024-05-29:/generate-mr-text.html<p>A simple automation to generate text from Merge-Requests Gitlab to add some description</p><div class="toc">
<ul>
<li><a href="#add-application-sources-with-correct-permissions-for-openshift">Add application sources with correct permissions for OpenShift</a></li>
<li><a href="#install-the-dependencies">Install the dependencies</a></li>
<li><a href="#run-the-dockerfile">Run the dockerfile</a></li>
<li><a href="#build-the-dockerfile">Build the dockerfile</a></li>
<li><a href="#the-command-docker-build-t-generate-mr-text-will-generate-the-docker-image-then-you-can-run-the-docker-image-and-specify-the-project-and-the-merge-request-id-as-follows">The command docker build -t generate-mr-text . will generate the docker image. Then, you can run the docker image and specify the project and the merge request id as follows:</a></li>
<li><a href="#the-command-docker-build-t-generate-mr-text-will-generate-the-docker-image-then-you-can-run-the-docker-image-and-specify-the-project-and-the-merge-request-id-as-follows_1">The command docker build -t generate-mr-text . will generate the docker image. Then, you can run the docker image and specify the project and the merge request id as follows:</a></li>
<li><a href="#the-command-docker-build-t-generate-mr-text-will-generate-the-docker-image-then-you-can-run-the-docker-image-and-specify-the-project-and-the-merge-request-id-as-follows_2">The command docker build -t generate-mr-text . will generate the docker image. Then, you can run the docker image and specify the project and the merge request id as follows:</a></li>
<li><a href="#the-command-docker-build-t-generate-mr-text-will-generate-the-docker-image-then-you-can-run-the-docker-image-and-specify-the-project-and-the-merge-request-id-as-follows_3">The command docker build -t generate-mr-text . will generate the docker image. Then, you can run the docker image and specify the project and the merge request id as follows:</a></li>
<li><a href="#the-command-docker-build-t-generate-mr-text-will-generate-the-docker-image-then-you-can-run-the-docker-image-and-specify-the-project-and-the-merge-request-id-as-follows_4">The command docker build -t generate-mr-text . will generate the docker image. Then, you can run the docker image and specify the project and the merge request id as follows:</a></li>
<li><a href="#the-command-docker-build-t-generate-mr-text-will-generate-the-docker-image-then-you-can-run-the-docker-image-and-specify-the-project-and-the-merge-request-id-as-follows_5">The command docker build -t generate-mr-text . will generate the docker image. Then, you can run the docker image and specify the project and the merge request id as follows:</a></li>
<li><a href="#the-command-docker-build-t-generate-mr-text-will-generate-the-docker-image-then-you-can-run-the-docker-image-and-specify-the-project-and-the-merge-request-id-as-follows_6">The command docker build -t generate-mr-text . will generate the docker image. Then, you can run the docker image and specify the project and the merge request id as follows:</a></li>
<li><a href="#the-command-docker-build-t-generate-mr-text-will-generate-the-docker-image-then-you-can-run-the-docker-image-and-specify-the-project-and-the-merge-request-id-as-follows_7">The command docker build -t generate-mr-text . will generate the docker image. Then, you can run the docker image and specify the project and the merge request id as follows:</a></li>
<li><a href="#the-command-docker-build-t-generate-mr-text-will-generate-the-docker-image-then-you-can-run-the-docker-image-and-specify-the-project-and-the-merge-request-id-as-follows_8">The command docker build -t generate-mr-text . will generate the docker image. Then, you can run the docker image and specify the project and the merge request id as follows:</a></li>
<li><a href="#the-command-docker-build-t-generate-mr-text-will-generate-the-docker-image-then-you-can-run-the-docker-image-and-specify-the-project-and-the-merge-request-id-as-follows_9">The command docker build -t generate-mr-text . will generate the docker image. Then, you can run the docker image and specify the project and the merge request id as follows:</a></li>
<li><a href="#the-command-docker-build-t-generate-mr-text-will-generate-the-docker-image-then-you-can-run-the-docker-image-and-specify-the-project-and-the-merge-request-id-as-follows_10">The command docker build -t generate-mr-text . will generate the docker image. Then, you can run the docker image and specify the project and the merge request id as follows:</a></li>
<li><a href="#the-command-docker-build-t-generate-mr-text-will-generate-the-docker-image-then-you-can-run-the-docker-image-and-specify-the-project-and-the-merge-request-id-as-follows_11">The command docker build -t generate-mr-text . will generate the docker image. Then, you can run the docker image and specify the project and the merge request id as follows:</a></li>
<li><a href="#the-command-docker-build-t-generate-mr-text-will-generate-the-docker-image-then-you-can-run-the-docker-image-and-specify-the-project-and-the-merge-request-id-as-follows_12">The command docker build -t generate-mr-text . will generate the docker image. Then, you can run the docker image and specify the project and the merge request id as follows:</a></li>
<li><a href="#the-command-docker-build-t-generate-mr-text-will-generate-the-docker-image-then-you-can-run-the-docker-image-and-specify-the-project-and-the-merge-request-id-as-follows_13">The command docker build -t generate-mr-text . will generate the docker image. Then, you can run the docker image and specify the project and the merge request id as follows:</a></li>
<li><a href="#the-command-docker-build-t-generate-mr-text-will-generate-the-docker-image-then-you-can-run-the-docker-image-and-specify-the-project-and-the-merge-request-id-as-follows_14">The command docker build -t generate-mr-text . will generate the docker image. Then, you can run the docker image and specify the project and the merge request id as follows:</a></li>
<li><a href="#the-command-docker-build-t-generate-mr-text-will-generate-the-docker-image-then-you-can-run-the-docker-image-and-specify-the-project-and-the-merge-request-id-as-follows_15">The command docker build -t generate-mr-text . will generate the docker image. Then, you can run the docker image and specify the project and the merge request id as follows:</a></li>
<li><a href="#the-command-docker-build-t-generate-mr-text-will-generate-the-docker-image-then-you-can-run-the-docker-image-and-specify-the-project-and-the-merge-request-id-as-follows_16">The command docker build -t generate-mr-text . will generate the docker image. Then, you can run the docker image and specify the project and the merge request id as follows:</a></li>
<li><a href="#_1"></a></li>
</ul>
</div>
<p><strong>Note:</strong> This is an example, the implementation of the application may not be completely accurate. The purpose is to show you the general approach and the code may need to be adjusted to your specific needs. </p>
<p><strong>Foreword:</strong></p>
<p>The following guide aims to provide a comprehensive understanding of the process and code for generating a descriptive text from a Merge-Request. The objective is to automate this task, relieving developers from the need to manually write lengthy descriptions. </p>
<p><strong>Prerequisites:</strong></p>
<p>Before embarking on this endeavor, ensure you have the following prerequisites:</p>
<ul>
<li>A good understanding of the basic concept of merge-requests and its role in GitLab.</li>
<li>A working knowledge of Python.</li>
<li>A solid foundation in using GitLab’s API.</li>
</ul>
<p><strong>Context:</strong></p>
<p>In the world of software development, merge-requests are crucial for integrating code changes into a main branch. However, composing comprehensive descriptions for each merge-request can be time-consuming and sometimes tedious. </p>
<p><strong>Objective:</strong></p>
<p>The objective is to create a Python script that automatically generates a descriptive text for each merge-request based on the changes included. This text can include:</p>
<ul>
<li>A summary of the changes introduced.</li>
<li>A link to the relevant commit.</li>
<li>Any relevant context or background information.</li>
</ul>
<p><strong>Implementation:</strong></p>
<p>The script utilizes the GitLab API to retrieve information about the merge-request and its associated commits. This information is then processed and formatted into a comprehensive description.</p>
<p>The Python code is presented below, along with explanations of each section.</p>
<div class="highlight"><pre><span></span><code><span class="kn">import</span><span class="w"> </span><span class="nn">base64</span>
<span class="kn">import</span><span class="w"> </span><span class="nn">vertexai</span>
<span class="kn">from</span><span class="w"> </span><span class="nn">vertexai.generative_models</span><span class="w"> </span><span class="kn">import</span> <span class="n">GenerativeModel</span><span class="p">,</span> <span class="n">Part</span><span class="p">,</span> <span class="n">FinishReason</span>
<span class="kn">from</span><span class="w"> </span><span class="nn">vertexai.preview.generative_models</span><span class="w"> </span><span class="kn">import</span> <span class="n">generative_models</span> <span class="k">as</span> <span class="n">generative_models</span>
<span class="kn">import</span><span class="w"> </span><span class="nn">gitlab</span>
<span class="kn">import</span><span class="w"> </span><span class="nn">os</span><span class="o">,</span><span class="w"> </span><span class="nn">json</span>
<span class="kn">import</span><span class="w"> </span><span class="nn">argparse</span><span class="p">;</span>
<span class="n">GCP_PROJECT_ID</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">getenv</span><span class="p">(</span><span class="s2">"GCP_PROJECT_ID"</span><span class="p">,</span> <span class="s2">"sandbox-mgoulin"</span><span class="p">)</span>
<span class="n">GCP_LOCATION</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">getenv</span><span class="p">(</span><span class="s2">"GCP_LOCATION"</span><span class="p">,</span> <span class="s2">"us-central1"</span><span class="p">)</span>
<span class="n">GCP_MODEL</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">getenv</span><span class="p">(</span><span class="s2">"GCP_MODEL"</span><span class="p">,</span> <span class="s2">"gemin-1.5-flash-preview-0514"</span><span class="p">)</span>
<span class="n">GITLAB_HOST</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">getenv</span><span class="p">(</span><span class="s2">"GITLAB_HOST"</span><span class="p">,</span> <span class="s2">"https://gitlab.com"</span><span class="p">)</span>
<span class="n">GITLAB_TOKEN</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">getenv</span><span class="p">(</span><span class="s2">"GITLAB_TOKEN"</span><span class="p">,</span> <span class="kc">False</span><span class="p">)</span>
<span class="n">GITLAB_SSL_VERIFY</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">getenv</span><span class="p">(</span><span class="s2">"GITLAB_SSL_VERIFY"</span><span class="p">,</span> <span class="kc">False</span><span class="p">)</span>
<span class="n">LLM_PROMPT</span> <span class="o">=</span> <span class="s2">"""As a senior Devops engineer reviewing a merge request for a Terraform module. Please provide a comprehensive description of the changes in french, focusing on the following:</span>
<span class="s2">* **What is the overall purpose of the changes?**</span>
<span class="s2">* **What specific resources are affected?**</span>
<span class="s2">* **What are the main changes made to those resources?**</span>
<span class="s2">* **Are there any security or performance implications of the changes?**</span>
<span class="s2">* **Are there any potential risks or considerations?**</span>
<span class="s2">"""</span>
<span class="k">def</span><span class="w"> </span><span class="nf">generate</span><span class="p">(</span><span class="n">diff</span><span class="p">):</span>
<span class="n">vertexai</span><span class="o">.</span><span class="n">init</span><span class="p">(</span><span class="n">project</span><span class="o">=</span><span class="n">GCP_PROJECT_ID</span><span class="p">,</span> <span class="n">location</span><span class="o">=</span><span class="n">GCP_LOCATION</span><span class="p">)</span>
<span class="n">model</span> <span class="o">=</span> <span class="n">GenerativeModel</span><span class="p">(</span>
<span class="n">GCP_MODEL</span><span class="p">,</span>
<span class="p">)</span>
<span class="n">responses</span> <span class="o">=</span> <span class="n">model</span><span class="o">.</span><span class="n">generate_content</span><span class="p">(</span>
<span class="p">[</span><span class="n">LLM_PROMPT</span><span class="p">,</span> <span class="n">diff</span><span class="p">],</span>
<span class="n">generation_config</span><span class="o">=</span><span class="n">generation_config</span><span class="p">,</span>
<span class="n">safety_settings</span><span class="o">=</span><span class="n">safety_settings</span><span class="p">,</span>
<span class="n">stream</span><span class="o">=</span><span class="kc">True</span><span class="p">,</span>
<span class="p">)</span>
<span class="n">resp</span> <span class="o">=</span> <span class="s2">""</span>
<span class="k">for</span> <span class="n">response</span> <span class="ow">in</span> <span class="n">responses</span><span class="p">:</span>
<span class="n">resp</span> <span class="o">+=</span> <span class="n">response</span><span class="o">.</span><span class="n">text</span>
<span class="k">return</span> <span class="n">resp</span>
<span class="n">generation_config</span> <span class="o">=</span> <span class="p">{</span>
<span class="s2">"max_output_tokens"</span><span class="p">:</span> <span class="mi">8192</span><span class="p">,</span>
<span class="s2">"temperature"</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span>
<span class="s2">"top_p"</span><span class="p">:</span> <span class="mf">0.95</span><span class="p">,</span>
<span class="p">}</span>
<span class="n">safety_settings</span> <span class="o">=</span> <span class="p">{</span>
<span class="n">generative_models</span><span class="o">.</span><span class="n">HarmCategory</span><span class="o">.</span><span class="n">HARM_CATEGORY_HATE_SPEECH</span><span class="p">:</span> <span class="n">generative_models</span><span class="o">.</span><span class="n">HarmBlockThreshold</span><span class="o">.</span><span class="n">BLOCK_MEDIUM_AND_ABOVE</span><span class="p">,</span>
<span class="n">generative_models</span><span class="o">.</span><span class="n">HarmCategory</span><span class="o">.</span><span class="n">HARM_CATEGORY_DANGER_OR_VIOLENCE</span><span class="p">:</span> <span class="n">generative_models</span><span class="o">.</span><span class="n">HarmBlockThreshold</span><span class="o">.</span><span class="n">BLOCK_MEDIUM_AND_ABOVE</span><span class="p">,</span>
<span class="n">generative_models</span><span class="o">.</span><span class="n">HarmCategory</span><span class="o">.</span><span class="n">HARM_CATEGORY_SEXUAL_CONTENT</span><span class="p">:</span> <span class="n">generative_models</span><span class="o">.</span><span class="n">HarmBlockThreshold</span><span class="o">.</span><span class="n">BLOCK_MEDIUM_AND_ABOVE</span><span class="p">,</span>
<span class="n">generative_models</span><span class="o">.</span><span class="n">HarmCategory</span><span class="o">.</span><span class="n">HARM_CATEGORY_HARASSMENT</span><span class="p">:</span> <span class="n">generative_models</span><span class="o">.</span><span class="n">HarmBlockThreshold</span><span class="o">.</span><span class="n">BLOCK_MEDIUM_AND_ABOVE</span><span class="p">,</span>
<span class="p">}</span>
<span class="k">def</span><span class="w"> </span><span class="nf">find_mr</span><span class="p">(</span><span class="n">project</span><span class="p">,</span> <span class="n">mr_id</span><span class="p">):</span>
<span class="n">gl</span> <span class="o">=</span> <span class="n">gitlab</span><span class="o">.</span><span class="n">Gitlab</span><span class="p">(</span><span class="n">url</span><span class="o">=</span><span class="n">GITLAB_HOST</span><span class="p">,</span> <span class="n">private_token</span><span class="o">=</span><span class="n">GITLAB_TOKEN</span><span class="p">,</span> <span class="n">ssl_verify</span><span class="o">=</span><span class="n">GITLAB_SSL_VERIFY</span><span class="p">)</span>
<span class="n">proj</span> <span class="o">=</span> <span class="n">gl</span><span class="o">.</span><span class="n">projects</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="n">project</span><span class="p">)</span>
<span class="k">return</span> <span class="n">proj</span><span class="o">.</span><span class="n">mergerequests</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="n">mr_id</span><span class="p">)</span>
<span class="n">parser</span> <span class="o">=</span> <span class="n">argparse</span><span class="o">.</span><span class="n">ArgumentParser</span><span class="p">(</span>
<span class="n">prog</span><span class="o">=</span><span class="s1">'generate-mr-text.py'</span><span class="p">,</span>
<span class="n">description</span><span class="o">=</span><span class="s1">'Use Gemini to update a merge request with a description'</span><span class="p">,</span>
<span class="p">)</span>
<span class="n">parser</span><span class="o">.</span><span class="n">add_argument</span><span class="p">(</span><span class="s1">'-p'</span><span class="p">,</span> <span class="s1">'--gitlab_project'</span><span class="p">,</span> <span class="n">required</span><span class="o">=</span><span class="kc">True</span><span class="p">)</span>
<span class="n">parser</span><span class="o">.</span><span class="n">add_argument</span><span class="p">(</span><span class="s1">'-m'</span><span class="p">,</span> <span class="s1">'--gitlab_mr_id'</span><span class="p">,</span> <span class="n">required</span><span class="o">=</span><span class="kc">True</span><span class="p">,</span> <span class="nb">type</span><span class="o">=</span><span class="nb">int</span><span class="p">)</span>
<span class="n">project</span> <span class="o">=</span> <span class="n">parser</span><span class="o">.</span><span class="n">parse_args</span><span class="p">()</span><span class="o">.</span><span class="n">gitlab_project</span>
<span class="n">mr_id</span> <span class="o">=</span> <span class="n">parser</span><span class="o">.</span><span class="n">parse_args</span><span class="p">()</span><span class="o">.</span><span class="n">gitlab_mr_id</span>
<span class="n">mr</span> <span class="o">=</span> <span class="n">find_mr</span><span class="p">(</span><span class="n">project</span><span class="p">,</span> <span class="n">mr_id</span><span class="p">)</span>
<span class="n">changes</span> <span class="o">=</span> <span class="n">mr</span><span class="o">.</span><span class="n">changes</span><span class="p">()</span>
<span class="c1">#print(json.dumps(changes, indent=4))</span>
<span class="c1">#diff = find_diff()</span>
<span class="n">text</span> <span class="o">=</span> <span class="n">generate</span><span class="p">(</span><span class="n">json</span><span class="o">.</span><span class="n">dumps</span><span class="p">(</span><span class="n">changes</span><span class="p">,</span> <span class="n">indent</span><span class="o">=</span><span class="mi">4</span><span class="p">))</span>
<span class="n">mr</span><span class="o">.</span><span class="n">description</span> <span class="o">=</span> <span class="n">mr</span><span class="o">.</span><span class="n">description</span><span class="o">.</span><span class="n">split</span><span class="p">(</span><span class="s2">"=== START BLOCK GENERATED BY generate-mr-text.py ==="</span><span class="p">)</span> <span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">+</span> <span class="s2">"=== START BLOCK GENERATED BY generate-mr-text.py ===</span><span class="se">\n</span><span class="s2">"</span> <span class="o">+</span> <span class="n">text</span> <span class="o">+</span> <span class="s2">"</span><span class="se">\n</span><span class="s2">=== END BLOCK GENERATED BY generate-mr-text.py ==="</span>
<span class="n">mr</span><span class="o">.</span><span class="n">save</span><span class="p">()</span>
</code></pre></div>
<p><strong>In this script:</strong></p>
<ol>
<li><strong>Import necessary modules</strong></li>
<li><strong>Get Environment variables:</strong> this step retrieves the necessary information for connecting to GitLab and Vertex AI</li>
<li><strong>Define the prompt:</strong> This sets up the instructions for the language model.</li>
<li><strong>Define the <code>generate</code> function:</strong> This function uses the Vertex AI client library to connect to the Gemini model and generate text based on the provided input.</li>
<li><strong>Define the <code>find_mr</code> function:</strong> This function retrieves the Merge-Request from GitLab using the specified project and merge-request ID.</li>
<li><strong>Define the argument parser:</strong> This section creates a user-friendly interface for passing project and merge-request ID as arguments.</li>
<li><strong>Retrieve the Merge-Request:</strong> The script uses the argument parser to get the project and merge-request ID and retrieves the relevant Merge-Request from GitLab.</li>
<li><strong>Generate the description:</strong> The changes are fetched, processed, and used to generate a description.</li>
<li><strong>Update the Merge-Request:</strong> The generated description is then added to the merge-request description field in GitLab.</li>
</ol>
<p><strong>How to use the script:</strong></p>
<ol>
<li><strong>Set up the environment variables:</strong> Replace the placeholders in the script with your actual values.</li>
<li><strong>Install the required libraries:</strong> Ensure that you have installed all the necessary libraries using <code>pip install -r requirements.txt</code>.</li>
<li><strong>Run the script:</strong> Execute the script using a command similar to <code>python generate-mr-text.py -p <gitlab_project> -m <gitlab_mr_id></code>. </li>
</ol>
<p><strong>Next Steps:</strong></p>
<p>This is just a basic example of what can be achieved with this approach. There are many other ways to enhance this script, such as:</p>
<ul>
<li>Integrating the script into a CI/CD pipeline to automate the description generation process completely.</li>
<li>Customizing the prompt to generate more detailed descriptions.</li>
<li>Adding error handling to make the script more robust.</li>
</ul>
<p><strong>Conclusion:</strong></p>
<p>By leveraging the power of the Vertex AI Gemini model, this script simplifies the process of generating descriptive text for merge-requests. This automation streamlines the development workflow and ensures that all merge-requests are well-documented.</p>
<h2 id="add-application-sources-with-correct-permissions-for-openshift">Add application sources with correct permissions for OpenShift<a class="headerlink" href="#add-application-sources-with-correct-permissions-for-openshift" title="Permanent link">¶</a></h2>
<p>USER 0
ADD . .
RUN chown -R 1001:0 ./*
USER 1001</p>
<h2 id="install-the-dependencies">Install the dependencies<a class="headerlink" href="#install-the-dependencies" title="Permanent link">¶</a></h2>
<p>RUN pip install -r requirements.txt && \
pip install -r requirements-dev.txt </p>
<h2 id="run-the-dockerfile">Run the dockerfile<a class="headerlink" href="#run-the-dockerfile" title="Permanent link">¶</a></h2>
<p>RUN pip install –upgrade pip && \
pip install -r requirements.txt && \
pip install -r requirements-dev.txt </p>
<h2 id="build-the-dockerfile">Build the dockerfile<a class="headerlink" href="#build-the-dockerfile" title="Permanent link">¶</a></h2>
<p>RUN pip install –upgrade pip && \
pip install -r requirements.txt && \
pip install -r requirements-dev.txt </p>
<div class="highlight"><pre><span></span><code>**The command <span class="sb">`docker build -t generate-mr-text .`</span> will generate the docker image. Then, you can run the docker image and specify the project and the merge request id as follows:**
```bash
docker run -it generate-mr-text -p <gitlab_project> -m <gitlab_mr_id>
</code></pre></div>
<p>**The command <code>docker run -it generate-mr-text -p <gitlab_project> -m <gitlab_mr_id></code> will run the container and generate a description for the specified merge-request. **</p>
<p><strong>Note:</strong> You need to replace <code><gitlab_project></code> and <code><gitlab_mr_id></code> with your project and merge-request id.</p>
<p><strong>The docker image will be built with the following steps:</strong></p>
<ol>
<li><strong>ADD . .</strong>: Copy all files from the current directory to the Docker image.</li>
<li><strong>RUN chown -R 1001:0 ./</strong>*: Change the ownership of all files in the image to user 1001.</li>
<li><strong>USER 1001</strong>: Switch to user 1001.</li>
<li><strong>RUN pip install -r requirements.txt && pip install -r requirements-dev.txt</strong>: Install the Python dependencies.</li>
<li><strong>RUN pip install –upgrade pip && pip install -r requirements.txt && pip install -r requirements-dev.txt</strong>: Update pip and install the Python dependencies.</li>
</ol>
<p>The docker image will be built and tagged with the name <code>generate-mr-text</code>. You can then run the container using the <code>docker run</code> command.</p>
<h2 id="the-command-docker-build-t-generate-mr-text-will-generate-the-docker-image-then-you-can-run-the-docker-image-and-specify-the-project-and-the-merge-request-id-as-follows">The command <code>docker build -t generate-mr-text .</code> will generate the docker image. Then, you can run the docker image and specify the project and the merge request id as follows:<a class="headerlink" href="#the-command-docker-build-t-generate-mr-text-will-generate-the-docker-image-then-you-can-run-the-docker-image-and-specify-the-project-and-the-merge-request-id-as-follows" title="Permanent link">¶</a></h2>
<div class="highlight"><pre><span></span><code>docker<span class="w"> </span>run<span class="w"> </span>-it<span class="w"> </span>generate-mr-text<span class="w"> </span>-p<span class="w"> </span><gitlab_project><span class="w"> </span>-m<span class="w"> </span><gitlab_mr_id><span class="w"> </span>
</code></pre></div>
<p>**The command <code>docker run -it generate-mr-text -p <gitlab_project> -m <gitlab_mr_id></code> will run the container and generate a description for the specified merge-request. **</p>
<p><strong>Note:</strong> You need to replace <code><gitlab_project></code> and <code><gitlab_mr_id></code> with your project and merge-request id.</p>
<p><strong>The docker image will be built with the following steps:</strong></p>
<ol>
<li><strong>ADD . .</strong>: Copy all files from the current directory to the Docker image.</li>
<li><strong>RUN chown -R 1001:0 ./</strong>*: Change the ownership of all files in the image to user 1001.</li>
<li><strong>USER 1001</strong>: Switch to user 1001.</li>
<li><strong>RUN pip install -r requirements.txt && pip install -r requirements-dev.txt</strong>: Install the Python dependencies.</li>
<li><strong>RUN pip install –upgrade pip && pip install -r requirements.txt && pip install -r requirements-dev.txt</strong>: Update pip and install the Python dependencies.</li>
</ol>
<p>The docker image will be built and tagged with the name <code>generate-mr-text</code>. You can then run the container using the <code>docker run</code> command.</p>
<h2 id="the-command-docker-build-t-generate-mr-text-will-generate-the-docker-image-then-you-can-run-the-docker-image-and-specify-the-project-and-the-merge-request-id-as-follows_1">The command <code>docker build -t generate-mr-text .</code> will generate the docker image. Then, you can run the docker image and specify the project and the merge request id as follows:<a class="headerlink" href="#the-command-docker-build-t-generate-mr-text-will-generate-the-docker-image-then-you-can-run-the-docker-image-and-specify-the-project-and-the-merge-request-id-as-follows_1" title="Permanent link">¶</a></h2>
<div class="highlight"><pre><span></span><code>docker<span class="w"> </span>run<span class="w"> </span>-it<span class="w"> </span>generate-mr-text<span class="w"> </span>-p<span class="w"> </span><gitlab_project><span class="w"> </span>-m<span class="w"> </span><gitlab_mr_id><span class="w"> </span>
</code></pre></div>
<p>**The command <code>docker run -it generate-mr-text -p <gitlab_project> -m <gitlab_mr_id></code> will run the container and generate a description for the specified merge-request. **</p>
<p><strong>Note:</strong> You need to replace <code><gitlab_project></code> and <code><gitlab_mr_id></code> with your project and merge-request id.</p>
<p><strong>The docker image will be built with the following steps:</strong></p>
<ol>
<li><strong>ADD . .</strong>: Copy all files from the current directory to the Docker image.</li>
<li><strong>RUN chown -R 1001:0 ./</strong>*: Change the ownership of all files in the image to user 1001.</li>
<li><strong>USER 1001</strong>: Switch to user 1001.</li>
<li><strong>RUN pip install -r requirements.txt && pip install -r requirements-dev.txt</strong>: Install the Python dependencies.</li>
<li><strong>RUN pip install –upgrade pip && pip install -r requirements.txt && pip install -r requirements-dev.txt</strong>: Update pip and install the Python dependencies.</li>
</ol>
<p>The docker image will be built and tagged with the name <code>generate-mr-text</code>. You can then run the container using the <code>docker run</code> command.</p>
<h2 id="the-command-docker-build-t-generate-mr-text-will-generate-the-docker-image-then-you-can-run-the-docker-image-and-specify-the-project-and-the-merge-request-id-as-follows_2">The command <code>docker build -t generate-mr-text .</code> will generate the docker image. Then, you can run the docker image and specify the project and the merge request id as follows:<a class="headerlink" href="#the-command-docker-build-t-generate-mr-text-will-generate-the-docker-image-then-you-can-run-the-docker-image-and-specify-the-project-and-the-merge-request-id-as-follows_2" title="Permanent link">¶</a></h2>
<div class="highlight"><pre><span></span><code>docker<span class="w"> </span>run<span class="w"> </span>-it<span class="w"> </span>generate-mr-text<span class="w"> </span>-p<span class="w"> </span><gitlab_project><span class="w"> </span>-m<span class="w"> </span><gitlab_mr_id><span class="w"> </span>
</code></pre></div>
<p>**The command <code>docker run -it generate-mr-text -p <gitlab_project> -m <gitlab_mr_id></code> will run the container and generate a description for the specified merge-request. **</p>
<p><strong>Note:</strong> You need to replace <code><gitlab_project></code> and <code><gitlab_mr_id></code> with your project and merge-request id.</p>
<p><strong>The docker image will be built with the following steps:</strong></p>
<ol>
<li><strong>ADD . .</strong>: Copy all files from the current directory to the Docker image.</li>
<li><strong>RUN chown -R 1001:0 ./</strong>*: Change the ownership of all files in the image to user 1001.</li>
<li><strong>USER 1001</strong>: Switch to user 1001.</li>
<li><strong>RUN pip install -r requirements.txt && pip install -r requirements-dev.txt</strong>: Install the Python dependencies.</li>
<li><strong>RUN pip install –upgrade pip && pip install -r requirements.txt && pip install -r requirements-dev.txt</strong>: Update pip and install the Python dependencies.</li>
</ol>
<p>The docker image will be built and tagged with the name <code>generate-mr-text</code>. You can then run the container using the <code>docker run</code> command.</p>
<h2 id="the-command-docker-build-t-generate-mr-text-will-generate-the-docker-image-then-you-can-run-the-docker-image-and-specify-the-project-and-the-merge-request-id-as-follows_3">The command <code>docker build -t generate-mr-text .</code> will generate the docker image. Then, you can run the docker image and specify the project and the merge request id as follows:<a class="headerlink" href="#the-command-docker-build-t-generate-mr-text-will-generate-the-docker-image-then-you-can-run-the-docker-image-and-specify-the-project-and-the-merge-request-id-as-follows_3" title="Permanent link">¶</a></h2>
<div class="highlight"><pre><span></span><code>docker<span class="w"> </span>run<span class="w"> </span>-it<span class="w"> </span>generate-mr-text<span class="w"> </span>-p<span class="w"> </span><gitlab_project><span class="w"> </span>-m<span class="w"> </span><gitlab_mr_id><span class="w"> </span>
</code></pre></div>
<p>**The command <code>docker run -it generate-mr-text -p <gitlab_project> -m <gitlab_mr_id></code> will run the container and generate a description for the specified merge-request. **</p>
<p><strong>Note:</strong> You need to replace <code><gitlab_project></code> and <code><gitlab_mr_id></code> with your project and merge-request id.</p>
<p><strong>The docker image will be built with the following steps:</strong></p>
<ol>
<li><strong>ADD . .</strong>: Copy all files from the current directory to the Docker image.</li>
<li><strong>RUN chown -R 1001:0 ./</strong>*: Change the ownership of all files in the image to user 1001.</li>
<li><strong>USER 1001</strong>: Switch to user 1001.</li>
<li><strong>RUN pip install -r requirements.txt && pip install -r requirements-dev.txt</strong>: Install the Python dependencies.</li>
<li><strong>RUN pip install –upgrade pip && pip install -r requirements.txt && pip install -r requirements-dev.txt</strong>: Update pip and install the Python dependencies.</li>
</ol>
<p>The docker image will be built and tagged with the name <code>generate-mr-text</code>. You can then run the container using the <code>docker run</code> command.</p>
<h2 id="the-command-docker-build-t-generate-mr-text-will-generate-the-docker-image-then-you-can-run-the-docker-image-and-specify-the-project-and-the-merge-request-id-as-follows_4">The command <code>docker build -t generate-mr-text .</code> will generate the docker image. Then, you can run the docker image and specify the project and the merge request id as follows:<a class="headerlink" href="#the-command-docker-build-t-generate-mr-text-will-generate-the-docker-image-then-you-can-run-the-docker-image-and-specify-the-project-and-the-merge-request-id-as-follows_4" title="Permanent link">¶</a></h2>
<div class="highlight"><pre><span></span><code>docker<span class="w"> </span>run<span class="w"> </span>-it<span class="w"> </span>generate-mr-text<span class="w"> </span>-p<span class="w"> </span><gitlab_project><span class="w"> </span>-m<span class="w"> </span><gitlab_mr_id><span class="w"> </span>
</code></pre></div>
<p>**The command <code>docker run -it generate-mr-text -p <gitlab_project> -m <gitlab_mr_id></code> will run the container and generate a description for the specified merge-request. **</p>
<p><strong>Note:</strong> You need to replace <code><gitlab_project></code> and <code><gitlab_mr_id></code> with your project and merge-request id.</p>
<p><strong>The docker image will be built with the following steps:</strong></p>
<ol>
<li><strong>ADD . .</strong>: Copy all files from the current directory to the Docker image.</li>
<li><strong>RUN chown -R 1001:0 ./</strong>*: Change the ownership of all files in the image to user 1001.</li>
<li><strong>USER 1001</strong>: Switch to user 1001.</li>
<li><strong>RUN pip install -r requirements.txt && pip install -r requirements-dev.txt</strong>: Install the Python dependencies.</li>
<li><strong>RUN pip install –upgrade pip && pip install -r requirements.txt && pip install -r requirements-dev.txt</strong>: Update pip and install the Python dependencies.</li>
</ol>
<p>The docker image will be built and tagged with the name <code>generate-mr-text</code>. You can then run the container using the <code>docker run</code> command.</p>
<h2 id="the-command-docker-build-t-generate-mr-text-will-generate-the-docker-image-then-you-can-run-the-docker-image-and-specify-the-project-and-the-merge-request-id-as-follows_5">The command <code>docker build -t generate-mr-text .</code> will generate the docker image. Then, you can run the docker image and specify the project and the merge request id as follows:<a class="headerlink" href="#the-command-docker-build-t-generate-mr-text-will-generate-the-docker-image-then-you-can-run-the-docker-image-and-specify-the-project-and-the-merge-request-id-as-follows_5" title="Permanent link">¶</a></h2>
<div class="highlight"><pre><span></span><code>docker<span class="w"> </span>run<span class="w"> </span>-it<span class="w"> </span>generate-mr-text<span class="w"> </span>-p<span class="w"> </span><gitlab_project><span class="w"> </span>-m<span class="w"> </span><gitlab_mr_id><span class="w"> </span>
</code></pre></div>
<p>**The command <code>docker run -it generate-mr-text -p <gitlab_project> -m <gitlab_mr_id></code> will run the container and generate a description for the specified merge-request. **</p>
<p><strong>Note:</strong> You need to replace <code><gitlab_project></code> and <code><gitlab_mr_id></code> with your project and merge-request id.</p>
<p><strong>The docker image will be built with the following steps:</strong></p>
<ol>
<li><strong>ADD . .</strong>: Copy all files from the current directory to the Docker image.</li>
<li><strong>RUN chown -R 1001:0 ./</strong>*: Change the ownership of all files in the image to user 1001.</li>
<li><strong>USER 1001</strong>: Switch to user 1001.</li>
<li><strong>RUN pip install -r requirements.txt && pip install -r requirements-dev.txt</strong>: Install the Python dependencies.</li>
<li><strong>RUN pip install –upgrade pip && pip install -r requirements.txt && pip install -r requirements-dev.txt</strong>: Update pip and install the Python dependencies.</li>
</ol>
<p>The docker image will be built and tagged with the name <code>generate-mr-text</code>. You can then run the container using the <code>docker run</code> command.</p>
<h2 id="the-command-docker-build-t-generate-mr-text-will-generate-the-docker-image-then-you-can-run-the-docker-image-and-specify-the-project-and-the-merge-request-id-as-follows_6">The command <code>docker build -t generate-mr-text .</code> will generate the docker image. Then, you can run the docker image and specify the project and the merge request id as follows:<a class="headerlink" href="#the-command-docker-build-t-generate-mr-text-will-generate-the-docker-image-then-you-can-run-the-docker-image-and-specify-the-project-and-the-merge-request-id-as-follows_6" title="Permanent link">¶</a></h2>
<div class="highlight"><pre><span></span><code>docker<span class="w"> </span>run<span class="w"> </span>-it<span class="w"> </span>generate-mr-text<span class="w"> </span>-p<span class="w"> </span><gitlab_project><span class="w"> </span>-m<span class="w"> </span><gitlab_mr_id><span class="w"> </span>
</code></pre></div>
<p>**The command <code>docker run -it generate-mr-text -p <gitlab_project> -m <gitlab_mr_id></code> will run the container and generate a description for the specified merge-request. **</p>
<p><strong>Note:</strong> You need to replace <code><gitlab_project></code> and <code><gitlab_mr_id></code> with your project and merge-request id.</p>
<p><strong>The docker image will be built with the following steps:</strong></p>
<ol>
<li><strong>ADD . .</strong>: Copy all files from the current directory to the Docker image.</li>
<li><strong>RUN chown -R 1001:0 ./</strong>*: Change the ownership of all files in the image to user 1001.</li>
<li><strong>USER 1001</strong>: Switch to user 1001.</li>
<li><strong>RUN pip install -r requirements.txt && pip install -r requirements-dev.txt</strong>: Install the Python dependencies.</li>
<li><strong>RUN pip install –upgrade pip && pip install -r requirements.txt && pip install -r requirements-dev.txt</strong>: Update pip and install the Python dependencies.</li>
</ol>
<p>The docker image will be built and tagged with the name <code>generate-mr-text</code>. You can then run the container using the <code>docker run</code> command.</p>
<h2 id="the-command-docker-build-t-generate-mr-text-will-generate-the-docker-image-then-you-can-run-the-docker-image-and-specify-the-project-and-the-merge-request-id-as-follows_7">The command <code>docker build -t generate-mr-text .</code> will generate the docker image. Then, you can run the docker image and specify the project and the merge request id as follows:<a class="headerlink" href="#the-command-docker-build-t-generate-mr-text-will-generate-the-docker-image-then-you-can-run-the-docker-image-and-specify-the-project-and-the-merge-request-id-as-follows_7" title="Permanent link">¶</a></h2>
<div class="highlight"><pre><span></span><code>docker<span class="w"> </span>run<span class="w"> </span>-it<span class="w"> </span>generate-mr-text<span class="w"> </span>-p<span class="w"> </span><gitlab_project><span class="w"> </span>-m<span class="w"> </span><gitlab_mr_id><span class="w"> </span>
</code></pre></div>
<p>**The command <code>docker run -it generate-mr-text -p <gitlab_project> -m <gitlab_mr_id></code> will run the container and generate a description for the specified merge-request. **</p>
<p><strong>Note:</strong> You need to replace <code><gitlab_project></code> and <code><gitlab_mr_id></code> with your project and merge-request id.</p>
<p><strong>The docker image will be built with the following steps:</strong></p>
<ol>
<li><strong>ADD . .</strong>: Copy all files from the current directory to the Docker image.</li>
<li><strong>RUN chown -R 1001:0 ./</strong>*: Change the ownership of all files in the image to user 1001.</li>
<li><strong>USER 1001</strong>: Switch to user 1001.</li>
<li><strong>RUN pip install -r requirements.txt && pip install -r requirements-dev.txt</strong>: Install the Python dependencies.</li>
<li><strong>RUN pip install –upgrade pip && pip install -r requirements.txt && pip install -r requirements-dev.txt</strong>: Update pip and install the Python dependencies.</li>
</ol>
<p>The docker image will be built and tagged with the name <code>generate-mr-text</code>. You can then run the container using the <code>docker run</code> command.</p>
<h2 id="the-command-docker-build-t-generate-mr-text-will-generate-the-docker-image-then-you-can-run-the-docker-image-and-specify-the-project-and-the-merge-request-id-as-follows_8">The command <code>docker build -t generate-mr-text .</code> will generate the docker image. Then, you can run the docker image and specify the project and the merge request id as follows:<a class="headerlink" href="#the-command-docker-build-t-generate-mr-text-will-generate-the-docker-image-then-you-can-run-the-docker-image-and-specify-the-project-and-the-merge-request-id-as-follows_8" title="Permanent link">¶</a></h2>
<div class="highlight"><pre><span></span><code>docker<span class="w"> </span>run<span class="w"> </span>-it<span class="w"> </span>generate-mr-text<span class="w"> </span>-p<span class="w"> </span><gitlab_project><span class="w"> </span>-m<span class="w"> </span><gitlab_mr_id><span class="w"> </span>
</code></pre></div>
<p>**The command <code>docker run -it generate-mr-text -p <gitlab_project> -m <gitlab_mr_id></code> will run the container and generate a description for the specified merge-request. **</p>
<p><strong>Note:</strong> You need to replace <code><gitlab_project></code> and <code><gitlab_mr_id></code> with your project and merge-request id.</p>
<p><strong>The docker image will be built with the following steps:</strong></p>
<ol>
<li><strong>ADD . .</strong>: Copy all files from the current directory to the Docker image.</li>
<li><strong>RUN chown -R 1001:0 ./</strong>*: Change the ownership of all files in the image to user 1001.</li>
<li><strong>USER 1001</strong>: Switch to user 1001.</li>
<li><strong>RUN pip install -r requirements.txt && pip install -r requirements-dev.txt</strong>: Install the Python dependencies.</li>
<li><strong>RUN pip install –upgrade pip && pip install -r requirements.txt && pip install -r requirements-dev.txt</strong>: Update pip and install the Python dependencies.</li>
</ol>
<p>The docker image will be built and tagged with the name <code>generate-mr-text</code>. You can then run the container using the <code>docker run</code> command.</p>
<h2 id="the-command-docker-build-t-generate-mr-text-will-generate-the-docker-image-then-you-can-run-the-docker-image-and-specify-the-project-and-the-merge-request-id-as-follows_9">The command <code>docker build -t generate-mr-text .</code> will generate the docker image. Then, you can run the docker image and specify the project and the merge request id as follows:<a class="headerlink" href="#the-command-docker-build-t-generate-mr-text-will-generate-the-docker-image-then-you-can-run-the-docker-image-and-specify-the-project-and-the-merge-request-id-as-follows_9" title="Permanent link">¶</a></h2>
<div class="highlight"><pre><span></span><code>docker<span class="w"> </span>run<span class="w"> </span>-it<span class="w"> </span>generate-mr-text<span class="w"> </span>-p<span class="w"> </span><gitlab_project><span class="w"> </span>-m<span class="w"> </span><gitlab_mr_id><span class="w"> </span>
</code></pre></div>
<p>**The command <code>docker run -it generate-mr-text -p <gitlab_project> -m <gitlab_mr_id></code> will run the container and generate a description for the specified merge-request. **</p>
<p><strong>Note:</strong> You need to replace <code><gitlab_project></code> and <code><gitlab_mr_id></code> with your project and merge-request id.</p>
<p><strong>The docker image will be built with the following steps:</strong></p>
<ol>
<li><strong>ADD . .</strong>: Copy all files from the current directory to the Docker image.</li>
<li><strong>RUN chown -R 1001:0 ./</strong>*: Change the ownership of all files in the image to user 1001.</li>
<li><strong>USER 1001</strong>: Switch to user 1001.</li>
<li><strong>RUN pip install -r requirements.txt && pip install -r requirements-dev.txt</strong>: Install the Python dependencies.</li>
<li><strong>RUN pip install –upgrade pip && pip install -r requirements.txt && pip install -r requirements-dev.txt</strong>: Update pip and install the Python dependencies.</li>
</ol>
<p>The docker image will be built and tagged with the name <code>generate-mr-text</code>. You can then run the container using the <code>docker run</code> command.</p>
<h2 id="the-command-docker-build-t-generate-mr-text-will-generate-the-docker-image-then-you-can-run-the-docker-image-and-specify-the-project-and-the-merge-request-id-as-follows_10">The command <code>docker build -t generate-mr-text .</code> will generate the docker image. Then, you can run the docker image and specify the project and the merge request id as follows:<a class="headerlink" href="#the-command-docker-build-t-generate-mr-text-will-generate-the-docker-image-then-you-can-run-the-docker-image-and-specify-the-project-and-the-merge-request-id-as-follows_10" title="Permanent link">¶</a></h2>
<div class="highlight"><pre><span></span><code>docker<span class="w"> </span>run<span class="w"> </span>-it<span class="w"> </span>generate-mr-text<span class="w"> </span>-p<span class="w"> </span><gitlab_project><span class="w"> </span>-m<span class="w"> </span><gitlab_mr_id><span class="w"> </span>
</code></pre></div>
<p>**The command <code>docker run -it generate-mr-text -p <gitlab_project> -m <gitlab_mr_id></code> will run the container and generate a description for the specified merge-request. **</p>
<p><strong>Note:</strong> You need to replace <code><gitlab_project></code> and <code><gitlab_mr_id></code> with your project and merge-request id.</p>
<p><strong>The docker image will be built with the following steps:</strong></p>
<ol>
<li><strong>ADD . .</strong>: Copy all files from the current directory to the Docker image.</li>
<li><strong>RUN chown -R 1001:0 ./</strong>*: Change the ownership of all files in the image to user 1001.</li>
<li><strong>USER 1001</strong>: Switch to user 1001.</li>
<li><strong>RUN pip install -r requirements.txt && pip install -r requirements-dev.txt</strong>: Install the Python dependencies.</li>
<li><strong>RUN pip install –upgrade pip && pip install -r requirements.txt && pip install -r requirements-dev.txt</strong>: Update pip and install the Python dependencies.</li>
</ol>
<p>The docker image will be built and tagged with the name <code>generate-mr-text</code>. You can then run the container using the <code>docker run</code> command.</p>
<h2 id="the-command-docker-build-t-generate-mr-text-will-generate-the-docker-image-then-you-can-run-the-docker-image-and-specify-the-project-and-the-merge-request-id-as-follows_11">The command <code>docker build -t generate-mr-text .</code> will generate the docker image. Then, you can run the docker image and specify the project and the merge request id as follows:<a class="headerlink" href="#the-command-docker-build-t-generate-mr-text-will-generate-the-docker-image-then-you-can-run-the-docker-image-and-specify-the-project-and-the-merge-request-id-as-follows_11" title="Permanent link">¶</a></h2>
<div class="highlight"><pre><span></span><code>docker<span class="w"> </span>run<span class="w"> </span>-it<span class="w"> </span>generate-mr-text<span class="w"> </span>-p<span class="w"> </span><gitlab_project><span class="w"> </span>-m<span class="w"> </span><gitlab_mr_id><span class="w"> </span>
</code></pre></div>
<p>**The command <code>docker run -it generate-mr-text -p <gitlab_project> -m <gitlab_mr_id></code> will run the container and generate a description for the specified merge-request. **</p>
<p><strong>Note:</strong> You need to replace <code><gitlab_project></code> and <code><gitlab_mr_id></code> with your project and merge-request id.</p>
<p><strong>The docker image will be built with the following steps:</strong></p>
<ol>
<li><strong>ADD . .</strong>: Copy all files from the current directory to the Docker image.</li>
<li><strong>RUN chown -R 1001:0 ./</strong>*: Change the ownership of all files in the image to user 1001.</li>
<li><strong>USER 1001</strong>: Switch to user 1001.</li>
<li><strong>RUN pip install -r requirements.txt && pip install -r requirements-dev.txt</strong>: Install the Python dependencies.</li>
<li><strong>RUN pip install –upgrade pip && pip install -r requirements.txt && pip install -r requirements-dev.txt</strong>: Update pip and install the Python dependencies.</li>
</ol>
<p>The docker image will be built and tagged with the name <code>generate-mr-text</code>. You can then run the container using the <code>docker run</code> command.</p>
<h2 id="the-command-docker-build-t-generate-mr-text-will-generate-the-docker-image-then-you-can-run-the-docker-image-and-specify-the-project-and-the-merge-request-id-as-follows_12">The command <code>docker build -t generate-mr-text .</code> will generate the docker image. Then, you can run the docker image and specify the project and the merge request id as follows:<a class="headerlink" href="#the-command-docker-build-t-generate-mr-text-will-generate-the-docker-image-then-you-can-run-the-docker-image-and-specify-the-project-and-the-merge-request-id-as-follows_12" title="Permanent link">¶</a></h2>
<div class="highlight"><pre><span></span><code>docker<span class="w"> </span>run<span class="w"> </span>-it<span class="w"> </span>generate-mr-text<span class="w"> </span>-p<span class="w"> </span><gitlab_project><span class="w"> </span>-m<span class="w"> </span><gitlab_mr_id><span class="w"> </span>
</code></pre></div>
<p>**The command <code>docker run -it generate-mr-text -p <gitlab_project> -m <gitlab_mr_id></code> will run the container and generate a description for the specified merge-request. **</p>
<p><strong>Note:</strong> You need to replace <code><gitlab_project></code> and <code><gitlab_mr_id></code> with your project and merge-request id.</p>
<p><strong>The docker image will be built with the following steps:</strong></p>
<ol>
<li><strong>ADD . .</strong>: Copy all files from the current directory to the Docker image.</li>
<li><strong>RUN chown -R 1001:0 ./</strong>*: Change the ownership of all files in the image to user 1001.</li>
<li><strong>USER 1001</strong>: Switch to user 1001.</li>
<li><strong>RUN pip install -r requirements.txt && pip install -r requirements-dev.txt</strong>: Install the Python dependencies.</li>
<li><strong>RUN pip install –upgrade pip && pip install -r requirements.txt && pip install -r requirements-dev.txt</strong>: Update pip and install the Python dependencies.</li>
</ol>
<p>The docker image will be built and tagged with the name <code>generate-mr-text</code>. You can then run the container using the <code>docker run</code> command.</p>
<h2 id="the-command-docker-build-t-generate-mr-text-will-generate-the-docker-image-then-you-can-run-the-docker-image-and-specify-the-project-and-the-merge-request-id-as-follows_13">The command <code>docker build -t generate-mr-text .</code> will generate the docker image. Then, you can run the docker image and specify the project and the merge request id as follows:<a class="headerlink" href="#the-command-docker-build-t-generate-mr-text-will-generate-the-docker-image-then-you-can-run-the-docker-image-and-specify-the-project-and-the-merge-request-id-as-follows_13" title="Permanent link">¶</a></h2>
<div class="highlight"><pre><span></span><code>docker<span class="w"> </span>run<span class="w"> </span>-it<span class="w"> </span>generate-mr-text<span class="w"> </span>-p<span class="w"> </span><gitlab_project><span class="w"> </span>-m<span class="w"> </span><gitlab_mr_id><span class="w"> </span>
</code></pre></div>
<p>**The command <code>docker run -it generate-mr-text -p <gitlab_project> -m <gitlab_mr_id></code> will run the container and generate a description for the specified merge-request. **</p>
<p><strong>Note:</strong> You need to replace <code><gitlab_project></code> and <code><gitlab_mr_id></code> with your project and merge-request id.</p>
<p><strong>The docker image will be built with the following steps:</strong></p>
<ol>
<li><strong>ADD . .</strong>: Copy all files from the current directory to the Docker image.</li>
<li><strong>RUN chown -R 1001:0 ./</strong>*: Change the ownership of all files in the image to user 1001.</li>
<li><strong>USER 1001</strong>: Switch to user 1001.</li>
<li><strong>RUN pip install -r requirements.txt && pip install -r requirements-dev.txt</strong>: Install the Python dependencies.</li>
<li><strong>RUN pip install –upgrade pip && pip install -r requirements.txt && pip install -r requirements-dev.txt</strong>: Update pip and install the Python dependencies.</li>
</ol>
<p>The docker image will be built and tagged with the name <code>generate-mr-text</code>. You can then run the container using the <code>docker run</code> command.</p>
<h2 id="the-command-docker-build-t-generate-mr-text-will-generate-the-docker-image-then-you-can-run-the-docker-image-and-specify-the-project-and-the-merge-request-id-as-follows_14">The command <code>docker build -t generate-mr-text .</code> will generate the docker image. Then, you can run the docker image and specify the project and the merge request id as follows:<a class="headerlink" href="#the-command-docker-build-t-generate-mr-text-will-generate-the-docker-image-then-you-can-run-the-docker-image-and-specify-the-project-and-the-merge-request-id-as-follows_14" title="Permanent link">¶</a></h2>
<div class="highlight"><pre><span></span><code>docker<span class="w"> </span>run<span class="w"> </span>-it<span class="w"> </span>generate-mr-text<span class="w"> </span>-p<span class="w"> </span><gitlab_project><span class="w"> </span>-m<span class="w"> </span><gitlab_mr_id><span class="w"> </span>
</code></pre></div>
<p>**The command <code>docker run -it generate-mr-text -p <gitlab_project> -m <gitlab_mr_id></code> will run the container and generate a description for the specified merge-request. **</p>
<p><strong>Note:</strong> You need to replace <code><gitlab_project></code> and <code><gitlab_mr_id></code> with your project and merge-request id.</p>
<p><strong>The docker image will be built with the following steps:</strong></p>
<ol>
<li><strong>ADD . .</strong>: Copy all files from the current directory to the Docker image.</li>
<li><strong>RUN chown -R 1001:0 ./</strong>*: Change the ownership of all files in the image to user 1001.</li>
<li><strong>USER 1001</strong>: Switch to user 1001.</li>
<li><strong>RUN pip install -r requirements.txt && pip install -r requirements-dev.txt</strong>: Install the Python dependencies.</li>
<li><strong>RUN pip install –upgrade pip && pip install -r requirements.txt && pip install -r requirements-dev.txt</strong>: Update pip and install the Python dependencies.</li>
</ol>
<p>The docker image will be built and tagged with the name <code>generate-mr-text</code>. You can then run the container using the <code>docker run</code> command.</p>
<h2 id="the-command-docker-build-t-generate-mr-text-will-generate-the-docker-image-then-you-can-run-the-docker-image-and-specify-the-project-and-the-merge-request-id-as-follows_15">The command <code>docker build -t generate-mr-text .</code> will generate the docker image. Then, you can run the docker image and specify the project and the merge request id as follows:<a class="headerlink" href="#the-command-docker-build-t-generate-mr-text-will-generate-the-docker-image-then-you-can-run-the-docker-image-and-specify-the-project-and-the-merge-request-id-as-follows_15" title="Permanent link">¶</a></h2>
<div class="highlight"><pre><span></span><code>docker<span class="w"> </span>run<span class="w"> </span>-it<span class="w"> </span>generate-mr-text<span class="w"> </span>-p<span class="w"> </span><gitlab_project><span class="w"> </span>-m<span class="w"> </span><gitlab_mr_id><span class="w"> </span>
</code></pre></div>
<p>**The command <code>docker run -it generate-mr-text -p <gitlab_project> -m <gitlab_mr_id></code> will run the container and generate a description for the specified merge-request. **</p>
<p><strong>Note:</strong> You need to replace <code><gitlab_project></code> and <code><gitlab_mr_id></code> with your project and merge-request id.</p>
<p><strong>The docker image will be built with the following steps:</strong></p>
<ol>
<li><strong>ADD . .</strong>: Copy all files from the current directory to the Docker image.</li>
<li><strong>RUN chown -R 1001:0 ./</strong>*: Change the ownership of all files in the image to user 1001.</li>
<li><strong>USER 1001</strong>: Switch to user 1001.</li>
<li><strong>RUN pip install -r requirements.txt && pip install -r requirements-dev.txt</strong>: Install the Python dependencies.</li>
<li><strong>RUN pip install –upgrade pip && pip install -r requirements.txt && pip install -r requirements-dev.txt</strong>: Update pip and install the Python dependencies.</li>
</ol>
<p>The docker image will be built and tagged with the name <code>generate-mr-text</code>. You can then run the container using the <code>docker run</code> command.</p>
<h2 id="the-command-docker-build-t-generate-mr-text-will-generate-the-docker-image-then-you-can-run-the-docker-image-and-specify-the-project-and-the-merge-request-id-as-follows_16">The command <code>docker build -t generate-mr-text .</code> will generate the docker image. Then, you can run the docker image and specify the project and the merge request id as follows:<a class="headerlink" href="#the-command-docker-build-t-generate-mr-text-will-generate-the-docker-image-then-you-can-run-the-docker-image-and-specify-the-project-and-the-merge-request-id-as-follows_16" title="Permanent link">¶</a></h2>
<div class="highlight"><pre><span></span><code>docker<span class="w"> </span>run<span class="w"> </span>-it<span class="w"> </span>generate-mr-text<span class="w"> </span>-p<span class="w"> </span><gitlab_project><span class="w"> </span>-m<span class="w"> </span><gitlab_mr_id><span class="w"> </span>
</code></pre></div>
<p>**The command <code>docker run -it generate-mr-text -p <gitlab_project> -m <gitlab_mr_id></code> will run the container and generate a description for the specified merge-request. **</p>
<p><strong>Note:</strong> You need to replace <code><gitlab_project></code> and <code><gitlab_mr_id></code> with your project and merge-request id.</p>
<p><strong>The docker image will be built with the following steps:</strong></p>
<ol>
<li><strong>ADD . .</strong>: Copy all files from the current directory to the Docker image.</li>
<li><strong>RUN chown -R 1001:0 ./</strong>*: Change the ownership of all files in the image to user 1001.</li>
<li><strong>USER 1001</strong>: Switch to user 1001.</li>
<li><strong>RUN pip install -r requirements.txt && pip install -r requirements-dev.txt</strong>: Install the Python dependencies.</li>
<li><strong>RUN pip install –upgrade pip && pip install -r requirements.txt && pip install -r requirements-dev.txt</strong>: Update pip and install the Python dependencies.</li>
</ol>
<p>The docker image will be built and tagged with the name <code>generate-mr-text</code>. You can then run the container using the <code>docker run</code> command.</p>
<h2 id="_1"><a class="headerlink" href="#_1" title="Permanent link">¶</a></h2>Initialisation d'un blog avec Pelican sur GitLab Pages!2024-05-28T00:00:00+02:002024-05-28T00:00:00+02:00Mathieu GOULINtag:www.ops-chronicles.cloud,2024-05-28:/fr/blog-on-gitlab-pages.html<p>Comment creer un blog avec Gitlab Pages et Pelican</p><div class="toc">
<ul>
<li><a href="#introduction">Introduction</a></li>
<li><a href="#un-blog-as-code">Un blog as Code</a></li>
<li><a href="#creation-du-depot-git">Création du dépôt Git</a><ul>
<li><a href="#les-fichiers">Les fichiers</a></li>
<li><a href="#ajout-dun-themes">Ajout d’un themes</a></li>
</ul>
</li>
<li><a href="#ajout-de-domaines-pour-les-pages">Ajout de domaines pour les pages</a></li>
<li><a href="#contribuer">Contribuer</a></li>
</ul>
</div>
<h2 id="introduction">Introduction<a class="headerlink" href="#introduction" title="Permanent link">¶</a></h2>
<p>Un des défis quand on cherche à partager du contenu, c’est de le faire simplement et avec efficience. </p>
<p>Je suis à la recherche d’un moyen d’écrire des articles autour du Devops et de publier ces articles sur un blog. L’idée est simplement de décrire comment on pratique l’installation d’applications et l’automatisation des tâches dans une DSI.</p>
<p>J’ai donc essayé diverses méthodes pour créer un blog :</p>
<ul>
<li><a href="https://www.blogger.com">Blogger</a> de Google en SaaS, mais la mise en forme du code et du texte n’est pas simple</li>
<li><a href="https://wordpress.org">Wordpress</a> dans des containers, mais il y a beaucoup de paramètres à configurer avant l’utilisation.</li>
<li>Et enfin <a href="https://getpelican.com">Pelican</a> sur GitLab Pages, a découvrir</li>
</ul>
<p>Voici un petit exemple de ce que ça peut donner sur blogger. Mais j’ai eu beaucoup de mal à réaliser la mise en forme :</p>
<p><img alt="Blogger" src="/images/2024-static-blog-with-gitlab-pages/2024-static-blog-with-gitlab-pages_1.png" /></p>
<p>Dans cet article, je vous propose de décrire l’installation de <a href="https://getpelican.com">Pelican</a> et l’utilisation pour développer.</p>
<h2 id="un-blog-as-code">Un blog as Code<a class="headerlink" href="#un-blog-as-code" title="Permanent link">¶</a></h2>
<p>Gérer le contenu de mon blog comme du code permettra de fusionner la puissance d’un gestionnaire de version comme Git (et les pipelines qui compileront le contenu) avec l’efficience d’un site web statique (html).</p>
<ul>
<li>Workflow efficace : Git permet de gérer les modifications du contenu du blog et de les partager avec d’autres contributeurs, tandis que Pelican génère automatiquement les pages web statiques à partir du contenu.</li>
<li>Développement agile : Les branches Git permettent de tester de nouvelles fonctionnalités ou de corriger des bugs sans affecter le contenu principal du blog.</li>
<li>Hébergement flexible : Git permet d’héberger le blog sur des plateformes comme Gitlab Pages, tandis que Pelican génère des pages web statiques compatibles avec ces plateformes.</li>
</ul>
<h2 id="creation-du-depot-git">Création du dépôt Git<a class="headerlink" href="#creation-du-depot-git" title="Permanent link">¶</a></h2>
<p>Gitlab propose des modèles de projet déjà prévu pour Pelican. Il suffit de créer un nouveau projet Gitlab et de sélectionner le modèle : Pages/Pelican. </p>
<p>Ce template va initialiser le dépôt git et tout le code nécessaire pour utiliser <a href="https://getpelican.com">Pelican</a>.</p>
<p><img alt="GitlabTemplate" src="/images/2024-static-blog-with-gitlab-pages/2024-static-blog-with-gitlab-pages_2.png" /></p>
<p>Cette action a créé l’arborescence du dépôt comme décrite ci-dessous, il faudra maintenant cloner sur la station de travail le code pour l’éditer en local.</p>
<div class="highlight"><pre><span></span><code>git<span class="w"> </span>clone<span class="w"> </span>https://gitlab.com/<USERNAME>/<REPO_NAME>.git
</code></pre></div>
<h3 id="les-fichiers">Les fichiers<a class="headerlink" href="#les-fichiers" title="Permanent link">¶</a></h3>
<p>Voici un petit descritifs des fichiers initialisés :</p>
<div class="highlight"><pre><span></span><code>/
- content/ # Fichier de contenu du site web: articles markdown, images, ...
- pelicanconf.py # Fichier de configuration de pelican
...
</code></pre></div>
<p>Sous gitlab voici ce que ca donne :</p>
<p><img alt="GitlabTemplate" src="/images/2024-static-blog-with-gitlab-pages/2024-static-blog-with-gitlab-pages_3.png" /></p>
<h3 id="ajout-dun-themes">Ajout d’un themes<a class="headerlink" href="#ajout-dun-themes" title="Permanent link">¶</a></h3>
<p>Après quelques recherches, j’ai choisi d’utiliser le thème <a href="https://github.com/jvanz/pelican-hyde">pelican-hyde</a> suffisamment épuré et élégant pour mon besoin.</p>
<p>Pour l’installer, on télécharge le thème, on l’ajoute au dépôt git :</p>
<div class="highlight"><pre><span></span><code>curl -L -O https://github.com/jvanz/pelican-hyde/archive/refs/heads/master.zip
unzip master.zip
git add pelican-hyde-master
rm -r master.zip
echo "THEME = 'themes-hyde'" >> pelicanconf.py
git add pelicanconf.py
git commit -m "Add pelican-hyde-master themes"
git push origin master:feat/add-pelican-hyde-master
</code></pre></div>
<p>On ira ensuite sur Git pour créer la merge-request et la merger sur la branche master</p>
<h2 id="ajout-de-domaines-pour-les-pages">Ajout de domaines pour les pages<a class="headerlink" href="#ajout-de-domaines-pour-les-pages" title="Permanent link">¶</a></h2>
<p>On peut ajouter dans gitlab-pages des mapping de domaines. Cela permet de servir nos pages statiques sur nos domaines sans utiliser une URL trop compliqué.</p>
<p>De mon côté, j’ai configuré le domaine comme ci-dessous :
<img alt="GitlabCustomDomain" src="/images/2024-static-blog-with-gitlab-pages/2024-static-blog-with-gitlab-pages_4.png" /></p>
<h2 id="contribuer">Contribuer<a class="headerlink" href="#contribuer" title="Permanent link">¶</a></h2>
<p>Et voilà, il suffit maintenant de rédiger des articles au format markdown et de les pousser dans Git. On peut très bien utiliser les relectures et contributions (PullRequest) pour bénéficier de toute la puissance de Git.</p>Initialization of a Blog Using Pelican and GitLab Pages!2024-05-28T00:00:00+02:002024-05-28T00:00:00+02:00Mathieu GOULINtag:www.ops-chronicles.cloud,2024-05-28:/blog-on-gitlab-pages.html<p>How to create a blog using GitLab Pages and Pelican</p><div class="toc">
<ul>
<li><a href="#introduction">Introduction</a></li>
<li><a href="#using-code">Using code</a></li>
<li><a href="#contribution-to-the-gitlab-git">Contribution to the GitLab Git</a></li>
<li><a href="#list-of-features">List of features</a></li>
<li><a href="#add-content-to-git">Add Content to Git</a></li>
<li><a href="#theming">Theming</a></li>
<li><a href="#adding-themes">Adding themes</a></li>
<li><a href="#adding-features">Adding features</a></li>
<li><a href="#automation">Automation</a></li>
<li><a href="#adding-domains">Adding domains</a></li>
<li><a href="#adding-custom-content">Adding custom content</a></li>
<li><a href="#conclusion">Conclusion</a></li>
</ul>
</div>
<h2 id="introduction">Introduction<a class="headerlink" href="#introduction" title="Permanent link">¶</a></h2>
<p>We will see in this quick guide how to create a blog using Pelican, which will be hosted on GitLab Pages, offering free hosting and a simple way to deploy a static site.</p>
<p>First, we will need to choose a place to store the blog:</p>
<ul>
<li><strong><a href="https://www.blogger.com">Blogger</a></strong> from Google is free, with a simple interface, and easy to use. You will be able to store content in the form of text and code.</li>
<li><strong><a href="https://wordpress.org">Wordpress</a></strong> offers more options for content creators. This option is also very easy to configure. It is free for personal use.</li>
<li>And finally, <strong><a href="https://getpelican.com">Pelican</a></strong> for GitLab Pages, a more advanced option.</li>
</ul>
<p>We will opt for Pelican for GitLab Pages, a more comprehensive solution.</p>
<h2 id="using-code">Using code<a class="headerlink" href="#using-code" title="Permanent link">¶</a></h2>
<p>Let’s start by creating the blog, we will need to install Pelican and create a blog using it.</p>
<div class="highlight"><pre><span></span><code>pip<span class="w"> </span>install<span class="w"> </span>pelican
pelican-quickstart
</code></pre></div>
<p>This will ask you several questions, like the title, author, description, etc. We will answer them to customize the initial blog setup.</p>
<p>Once this is done, we will be able to generate the site using Pelican:</p>
<div class="highlight"><pre><span></span><code>make<span class="w"> </span>html
</code></pre></div>
<p>This will generate the HTML files of the blog in the output folder.</p>
<h2 id="contribution-to-the-gitlab-git">Contribution to the GitLab Git<a class="headerlink" href="#contribution-to-the-gitlab-git" title="Permanent link">¶</a></h2>
<p>GitLab Pages lets you host a static site from a repository. To do this, we will need to create a GitLab repository and upload the content.</p>
<p>The easiest way is to add the output folder as a new branch of the repository.</p>
<div class="highlight"><pre><span></span><code>git<span class="w"> </span>init
git<span class="w"> </span>add<span class="w"> </span>.
git<span class="w"> </span>commit<span class="w"> </span>-m<span class="w"> </span><span class="s2">"Initial commit"</span>
git<span class="w"> </span>branch<span class="w"> </span>-M<span class="w"> </span>main
git<span class="w"> </span>remote<span class="w"> </span>add<span class="w"> </span>origin<span class="w"> </span>git@gitlab.com:<USERNAME>/<REPO_NAME>.git
git<span class="w"> </span>push<span class="w"> </span>-u<span class="w"> </span>origin<span class="w"> </span>main
</code></pre></div>
<p>You can then go to the GitLab repository and configure GitLab Pages. It will automatically detect the presence of the index.html file and serve your website.</p>
<h2 id="list-of-features">List of features<a class="headerlink" href="#list-of-features" title="Permanent link">¶</a></h2>
<p>We will find different features in Pelican:</p>
<div class="highlight"><pre><span></span><code><span class="o">-</span><span class="w"> </span><span class="nv">content</span><span class="o">/</span><span class="w"> </span>#<span class="w"> </span><span class="nv">The</span><span class="w"> </span><span class="nv">directory</span><span class="w"> </span><span class="nv">where</span><span class="w"> </span><span class="nv">your</span><span class="w"> </span><span class="nv">content</span><span class="w"> </span><span class="nv">lives</span>
<span class="o">-</span><span class="w"> </span><span class="nv">pelicanconf</span>.<span class="nv">py</span><span class="w"> </span>#<span class="w"> </span><span class="nv">Configuration</span><span class="w"> </span><span class="nv">file</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="nv">Pelican</span>
<span class="o">-</span><span class="w"> </span><span class="nv">publishconf</span>.<span class="nv">py</span><span class="w"> </span>#<span class="w"> </span><span class="nv">Configuration</span><span class="w"> </span><span class="nv">file</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="nv">Pelican</span><span class="w"> </span><span class="ss">(</span><span class="nv">publication</span><span class="w"> </span><span class="nv">settings</span><span class="ss">)</span>
<span class="o">-</span><span class="w"> </span><span class="nv">makefile</span><span class="w"> </span>#<span class="w"> </span><span class="nv">Makefile</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="nv">generating</span><span class="w"> </span><span class="nv">output</span>
<span class="o">-</span><span class="w"> </span><span class="nv">themes</span><span class="o">/</span><span class="w"> </span>#<span class="w"> </span><span class="nv">Directory</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="nv">themes</span>
<span class="o">-</span><span class="w"> </span><span class="nv">output</span><span class="o">/</span><span class="w"> </span>#<span class="w"> </span><span class="nv">Directory</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="nv">the</span><span class="w"> </span><span class="nv">output</span><span class="w"> </span><span class="nv">HTML</span>
<span class="o">-</span><span class="w"> </span><span class="nv">content</span><span class="o">/</span><span class="w"> </span>#<span class="w"> </span><span class="nv">The</span><span class="w"> </span><span class="nv">directory</span><span class="w"> </span><span class="nv">where</span><span class="w"> </span><span class="nv">your</span><span class="w"> </span><span class="nv">content</span><span class="w"> </span><span class="nv">lives</span>
</code></pre></div>
<p>The most important files are:</p>
<ul>
<li><code>pelicanconf.py</code> for configuring the blog’s settings, including the theme, title, author, and more.</li>
<li><code>publishconf.py</code> for configuring the blog’s settings for publication on GitLab Pages.</li>
</ul>
<h2 id="add-content-to-git">Add Content to Git<a class="headerlink" href="#add-content-to-git" title="Permanent link">¶</a></h2>
<p>GitLab Pages allows you to easily host a static site from a repository. You can use any branch in your repository to host a site. For example, the content of the <code>main</code> branch is used for the <code>https://<USERNAME>.gitlab.io/<REPO_NAME></code> URL. If you want to create a site on the <code>gh-pages</code> branch, its content will be used for the <code>https://<USERNAME>.gitlab.io/<REPO_NAME>/gh-pages</code> URL.</p>
<h2 id="theming">Theming<a class="headerlink" href="#theming" title="Permanent link">¶</a></h2>
<p>Pelican is an easy way to host a static site on GitLab Pages. It’s a popular solution for a variety of blog configurations, but it’s not limited to these. You can even install a new theme:</p>
<div class="highlight"><pre><span></span><code>pelican-themes
</code></pre></div>
<p>This command will list all available themes. To use one of them, you simply need to copy the theme folder to the <code>themes</code> directory and modify the <code>pelicanconf.py</code> file to point to the theme.</p>
<h2 id="adding-themes">Adding themes<a class="headerlink" href="#adding-themes" title="Permanent link">¶</a></h2>
<p>Once you’ve set up the basic Pelican configuration, you can start adding content to your blog. This content is stored in the <code>content/</code> directory in Markdown files. For example, you can create a new file named <code>content/posts/my-first-post.md</code>.</p>
<p>The structure of the file is quite simple, it just includes the post’s title and the content, which can be formatted using Markdown. You can use this structure for all of your posts.</p>
<h2 id="adding-features">Adding features<a class="headerlink" href="#adding-features" title="Permanent link">¶</a></h2>
<p>You can add many features to your blog, such as:</p>
<ul>
<li>Comments: You can use a comment system like Disqus to add comments to your blog posts.</li>
<li>Analytics: You can use Google Analytics to track traffic to your blog.</li>
<li>Social media: You can add social media buttons to your blog to allow readers to share your content.</li>
</ul>
<p>Once you have added all the features you need, you can generate the site and deploy it to GitLab Pages.</p>
<h2 id="automation">Automation<a class="headerlink" href="#automation" title="Permanent link">¶</a></h2>
<p>It can be repetitive to generate and deploy the site. This can be done automatically with <code>make</code>. There are many automation solutions to do this, like Github actions or Gitlab CI/CD.</p>
<h2 id="adding-domains">Adding domains<a class="headerlink" href="#adding-domains" title="Permanent link">¶</a></h2>
<p>You can use a custom domain name to host your blog. This can be done by modifying the GitLab Pages settings.</p>
<h2 id="adding-custom-content">Adding custom content<a class="headerlink" href="#adding-custom-content" title="Permanent link">¶</a></h2>
<p>You can add custom content to your blog, such as a portfolio section, a contact page, or an about page. Pelican makes it easy to create new pages.</p>
<h2 id="conclusion">Conclusion<a class="headerlink" href="#conclusion" title="Permanent link">¶</a></h2>
<p>Pelican is a powerful tool for creating static blogs. GitLab Pages provides a simple and free way to host them. By combining these two tools, you can create a beautiful and functional blog in a few hours. You can easily customize it using themes and features.</p>