The A-Z Stack
Let's say you wanted to write your own application platform from scratch in the modern workflow.
Not too long ago Kelsey Hightower posted a tweet about what you may require to run an application platform. While his list may look large, it's not all-encompassing. It's just an example of how ridiculous our abstractions have gotten. Even taking one or two services from each category on the landscape.cncf.io page would not give the full list of dependencies. So I started thinking: what would a fully encompassing list of the 'recommended stack' look like?
I've been running a few posts now on striking a balance in what you do to run your software in a sustainable and manageable way. This post is not that. The design here is the A-Z stack: a platform of everything I could think of, off the top of my head, that you may need for a modern application platform. Please don't try to implement the stack here at work. If you already have, I'm sorry and I know your pain. There's counseling we can probably get for our insanity.
First, you need a cloud provider. If we want to be realistic, this would certainly be AWS. There's a high chance you and your team are already AWS architects with decades of experience collectively.
Next, you need infrastructure as code software. The list of implementations can get quite large here. For the purpose of the A-Z stack list, let's just say you use HashiCorp's Terraform. With a team of N > 1, you most certainly will be working on the Terraform code together. In other words, you need two parts to make Terraform work properly here. One, you must be using version control. The obvious options are git and GitHub. Two, you need a backend for your Terraform state that is not local. Since we're using AWS, we might as well use S3 for the state file with DynamoDB for state locking.
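The S3 plus DynamoDB arrangement described above, written out as an added example (this is not code from the original post). Bucket and table names are placeholders; the bucket is versioned, encrypted at rest, and blocked from public access so the state file, which commonly contains secrets, is not exposed, and the DynamoDB table uses the `LockID` hash key that the S3 backend expects.

```hcl
# Added example, not from the original post. Names are placeholders.

# 1. Backend configuration used by every team member's `terraform init`.
terraform {
  backend "s3" {
    bucket         = "example-org-terraform-state"   # assumed bucket name
    key            = "platform/terraform.tfstate"    # path of this root module's state
    region         = "us-east-1"
    dynamodb_table = "example-org-terraform-locks"   # assumed lock table name
    encrypt        = true                            # SSE for the state object
  }
}

# 2. The resources behind that backend. Bootstrap these once with local
#    state, then migrate with `terraform init -migrate-state`.
resource "aws_s3_bucket" "state" {
  bucket = "example-org-terraform-state"
}

# Versioning lets you recover a state file after a bad apply or corruption.
resource "aws_s3_bucket_versioning" "state" {
  bucket = aws_s3_bucket.state.id
  versioning_configuration {
    status = "Enabled"
  }
}

# Encrypt every object by default; state regularly contains credentials.
resource "aws_s3_bucket_server_side_encryption_configuration" "state" {
  bucket = aws_s3_bucket.state.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

# A state bucket must never be publicly readable.
resource "aws_s3_bucket_public_access_block" "state" {
  bucket                  = aws_s3_bucket.state.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Lock table: the S3 backend writes one item keyed by LockID per state file,
# so two concurrent `terraform apply` runs cannot both modify the same state.
resource "aws_dynamodb_table" "locks" {
  name         = "example-org-terraform-locks"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID"

  attribute {
    name = "LockID"
    type = "S"
  }
}
```

Keep the IAM policy for the role that runs Terraform scoped to `s3:GetObject`/`s3:PutObject` on the state key and `dynamodb:GetItem`/`PutItem`/`DeleteItem` on the lock table; read access to the state bucket is effectively read access to every secret Terraform has ever managed.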
With your cloud provider and IaC ready, the next section is the OS. You should be running Linux, let's say CentOS. Make sure you have SELinux enabled and actually enforcing here. While the trend is to disable it, don't. There are too many reasons to count why not. If you're doing it to be fast, you are hurting yourself and your company far more later down the road. Beyond OS security, you need something to actually provision the Linux of choice. Let's stay with Red Hat and go with Ansible. The provisioning alone can be its own series of lists of things you need, but we'll just keep it as is.
Ok, here we go with the container orchestrator. Sticking to the norm, and the standard being Red Hat, let's say OpenShift. OpenShift comes with a lot of batteries included, so the list would be much larger with what isn't set by default. However, for peace of mind, let's bring up CRI-O for CRI, Flannel for CNI, and CoreDNS for service discovery. For CSI this probably means Ceph with Rook. Secret management is a must and should be Vault.
Now comes networking. I already gave Flannel for CNI and CoreDNS, but you still need an ingress controller. The popular one here would probably be Ambassador. Don't forget your services in this platform need to be able to communicate with one another. That means a service mesh is necessary. Here I'm going to cheat and use Linkerd. By cheat, I mean it covers both the service proxy sidecar and the controller. Otherwise, we most certainly would have to add Envoy. However, if your service does have proxy requirements not covered by the Linkerd sidecar, then Envoy is still required.
Here comes the home stretch! The actual application requirements. First is the container registry, Harbor. With it come Notary and Clair for build image security. Next, you need to deploy to Kubernetes using something structured like Helm. If not already brought up before, you need a key-value store like etcd. You also need a CI/CD solution for your applications. Staying with the trends, Argo would suffice. Don't forget to monitor your application and platform. That most likely means Prometheus for metrics, Loki for logs, and Jaeger for tracing.
Now you can finally begin to write your application. Just so the point is made clear, here's the list of everything you must know, as well as the creators of the software themselves, to get this type of modern-day application platform working:
- Cloud Provider: AWS
- IaC: Terraform
- Version Control: Git
- Version Control Host: GitHub
- Terraform State Backend: S3 with DynamoDB for state locking
- Linux Distribution: CentOS
- SELinux enabled and enforcing
- Linux Provisioner: Ansible
- Container Orchestrator: Kubernetes (OpenShift)
- CRI: CRI-O
- CNI: Flannel
- Service Discovery: CoreDNS
- CSI: Ceph with Rook
- Secret Management: Vault
- Ingress Controller: Ambassador
- Service Mesh: Linkerd
- Service Proxy: Envoy
- Container Registry: Harbor
- Image Signing and Trust: Notary
- Container Image Vulnerability Scanning: Clair
- Kubernetes deployment: Helm
- Key-Value Store: etcd
- Continuous Integration and Delivery: Argo
- Metrics Observability: Prometheus
- Logs Observability: Loki
- Tracing Observability: Jaeger