Application Developer Overview¶
We know software developers are busy people who want to get up and running as soon as possible!
Use the navigational bar to the side to jump to the section that interests you the most.
Orientation: The DevSecOps Loop¶
As an application platform, the main job of Welkin is to reduce your cognitive load. The picture above helps you get a good grasp of how Welkin can support your everyday work. It consists of a DevSecOps loop. As you can see, Welkin integrates open-source projects, which help you do application Ops (operations) and application Sec (security).
Specifically:
- Harbor: Is a container registry. You can use it to store container images produced by your Continuous Integration (CI) solution. Welkin does not require a particular CI solution. It facilitates security by having fine-grained access control and built-in container image vulnerability scanning.
- Argo CD (Additional Managed Service): Is a Continuous Delivery (CD) solution. It helps you deploy your application -- usually represented by a Helm Chart -- into a Welkin environment. Argo CD pulls changes from a Git repository, hence it allows you to practice GitOps, which improves security by reducing the number of people who need Kubernetes access.
- Kubernetes: Is the "engine" of the platform, the "spider in the net" if you will. Welkin security-hardens Kubernetes, e.g., with restrictive access control, Pod Security Standards and OpenID authentication.
- Grafana: Allows you to observe application metrics. It also hosts several dashboards which allow you to demonstrate compliance with common security controls.
- OpenSearch: Allows you to observe application and platform logs. It is also home to platform audit logs, which allow you to determine who did what and when. This improves security both by reducing incentives to act carelessly and by facilitating after-the-fact investigations.
- Jaeger (Additional Managed Service): Allows you to observe application traces. Jaeger can further simplify incident and performance management.
- Falco: Observes your application and alerts in case of behavior which is suspicious security-wise. This improves security by watching for "unknown unknowns".
- cert-manager: Automates provisioning of TLS certificates. This makes it easy for you to implement encryption-in-transit over untrusted networks.
- Velero: Handles backups and disaster recovery. This enables the platform administrator to help you recover even from the worst incident.
- Open Policy Agent: Enforces guardrails to avoid trivial security mistakes, which may lead to compromising information confidentiality, integrity or availability. Guardrails instill a culture of security by making it easier to use Welkin the right way.
- Dex: Integrates Welkin with your Identity Provider (IdP). This improves security by making sure that each application developer accesses the platform with an individual account. Said individual account makes its way into platform audit logs, which store who did what and when.
- Trivy: Scans containers for known security vulnerabilities. This helps you deliver code which is free from known vulnerabilities, which is an essential security requirement.
- Rclone: Copies the primary backup to a secondary backup infrastructure provider. This improves resilience against ransomware attacks by making it harder for an attacker to compromise backups.
- Kured: Automates application of kernel and base Operating System (OS) patches. Essentially, it does automated vulnerability management "below" the container runtime.
Getting started quickly¶
Welkin is a Kubernetes distribution that consists of the best (community-driven) open source components in the cloud native space, configured for security and platform stability. It does not contain any proprietary technology, and no vendor-specific tooling, such as command-line tools or abstractions that only work in this distribution. To the greatest extent possible, all technology contained within the distribution is community-driven open source, as in, not under a single vendor's control or governance. The distribution is itself open source, and is also designed and developed in a transparent manner (see our Architectural Decision Records).
Your administrator has already set up the platform for you. You will therefore have received:
- URLs for the Service Endpoints: OpenSearch Dashboards, Grafana, and Harbor;
- a kubeconfig file for configuring kubectl or Lens access to the Workload Cluster; and
- (optionally and rarely) a static username and password. Note that normally, you should log in with a username and password from your organization's Identity Provider, such as LDAP, Azure Active Directory, or Google Identity.
Install Prerequisite Software¶
Required software:
- oidc-login, which helps you log into your Kubernetes cluster via OpenID Connect integration with your Identity Provider of choice
Your cluster management software of choice, of which you can choose either or both:
- kubectl, a command-line tool to help manage your Kubernetes resources
- OpenLens, a graphical user interface to help manage your Kubernetes resources (see also our dedicated page on Lens integration)
Optional, but very useful, tools for developers and DevOps engineers:
- docker, if you want to build (Docker) container images locally
- Helm, if you want to manage your application with the Helm package manager
You can verify that your configuration is correct by issuing the following simple commands. First, make sure you have configured your tools properly:
export KUBECONFIG=path/of/kubeconfig.yaml # leave empty if you use the default of ~/.kube/config
export DOMAIN= # the domain you received from the administrator
To verify if the required tools are installed and work as expected, type:
docker version
kubectl version --client
helm version
# You should see the version number of installed tools and no errors.
To verify the received KUBECONFIG, type:
# Notice that you will be asked to complete browser-based single sign-on
kubectl get nodes
# You should see the Nodes of your Kubernetes cluster
To verify the received URLs, type:
curl --head https://dex.$DOMAIN/healthz
curl --head https://harbor.$DOMAIN/healthz
curl --head https://grafana.$DOMAIN/healthz
curl --head https://opensearch.$DOMAIN/api/status
curl --insecure --head https://app.$DOMAIN/healthz # Ingress Controller
# All commands above should return 'HTTP/2 200'
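The checks above can be collected into one script that reports a pass/fail verdict per item. This is an added example, not part of the Welkin documentation; it assumes the DOMAIN and KUBECONFIG variables exported above, and the domain names used in the comments are hypothetical.

```shell
#!/bin/sh
# Verify the access artifacts handed over by the Welkin administrator:
# required tools on PATH, a readable kubeconfig, and the platform endpoints.
# Usage: . ./verify_welkin.sh && verify_welkin_access   (hypothetical file name)

# List the endpoints to probe for a domain, one "URL [insecure]" pair per line.
# The Ingress Controller probe on app.$DOMAIN is marked insecure because the
# catch-all ingress may not serve a certificate valid for that hostname.
welkin_endpoints() {
    domain=$1
    printf '%s\n' \
        "https://dex.$domain/healthz" \
        "https://harbor.$domain/healthz" \
        "https://grafana.$domain/healthz" \
        "https://opensearch.$domain/api/status" \
        "https://app.$domain/healthz insecure"
}

# Classify an HTTP status code: 200 is healthy, 000 means curl never connected.
status_verdict() {
    case $1 in
        200) echo ok ;;
        000) echo unreachable ;;
        *)   echo "unexpected($1)" ;;
    esac
}

# Probe one URL with a HEAD request and print only its status code.
probe() {
    flag=
    [ "${2:-}" = insecure ] && flag=--insecure
    code=$(curl $flag --silent --head --output /dev/null --write-out '%{http_code}' \
                --max-time 10 "$1" 2>/dev/null) || code=000
    echo "$code"
}

# Run every check; returns non-zero if any of them failed.
verify_welkin_access() {
    failed=0
    for tool in kubectl helm docker; do
        command -v "$tool" >/dev/null 2>&1 || { echo "MISSING tool: $tool"; failed=1; }
    done
    [ -r "${KUBECONFIG:-$HOME/.kube/config}" ] || { echo "MISSING kubeconfig"; failed=1; }
    [ -n "${DOMAIN:-}" ] || { echo "DOMAIN is not set"; return 1; }
    # Expect a browser-based single sign-on prompt the first time this runs.
    kubectl get nodes >/dev/null 2>&1 || { echo "FAILED kubectl get nodes"; failed=1; }
    while read -r url mode; do
        verdict=$(status_verdict "$(probe "$url" "$mode")")
        echo "$verdict $url"
        [ "$verdict" = ok ] || failed=1
    done <<EOF
$(welkin_endpoints "$DOMAIN")
EOF
    return $failed
}
```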
Endpoint access¶
The URLs that your Welkin administrator gave you all share a $DOMAIN, which will typically include your company name and perhaps the environment name.
Your web portals are available at:
- harbor.$DOMAIN -- the Harbor container image registry, which will be the home to all your container images
- opensearch.$DOMAIN -- the OpenSearch Dashboards portal, where you will view your application and audit logs
- grafana.$DOMAIN -- the Grafana portal, where you will view your monitoring metrics, both for the platform as such and for your application
Additional endpoints are also available, depending on whether your platform has these additional managed services (AMS) or not:
- jaeger.$DOMAIN -- the Jaeger distributed tracing observability tool
- argocd.$DOMAIN -- the Argo CD continuous deployment GitOps tool
Finding more information¶
If you are not already familiar with Kubernetes, following our three-step process is a good idea. It includes a demo application for you to deploy, so that you understand the entire process of containerizing an application and deploying it.
- The first step is about making necessary preparations such as installing prerequisite software on your laptop.
- The second step is about deploying your software.
- The third step is about how you continuously operate the software.
It may be a good idea to follow along in all of these, even if you have worked with similar systems before.
If you are familiar with similar systems, a common next step for Application Developers who are already used to Kubernetes is to read up on the guardrails that Welkin ships with. You may also wish to use the "Go Deeper" link in the site's navigational bar to find more information about specific topics, such as:
- how to set up log-based or metric-based alerts,
- how to configure long-term retention of logs, or
- how to use a user-friendly Kubernetes UI as an alternative or complement to the kubectl command line tool.