Both Docker and Kubernetes had interesting releases, while a free workshop for Go tooling was made available.
Docker 17.06 CE
Using the new naming scheme of year.month, Docker released version 17.06 CE(Community Edition). This version contains most of the things announced at DockerCon and which I highlighted at the time. Still, it’s worth going over a couple of these again.
From an organization perspective it’s important to mention that this is the first build based entirely on Moby, the renamed and open sourced base of Docker. This means that after the initial struggles1, that move has been completed.
In my opinion though, the single most important part of this release is that we now have multi-stage builds in a stable released version of Docker. One that can be run in production. In case you want a refresher, multi-stage builds mean that you can have multiple
FROM statements in a single Dockerfile. This leads the way of first having a container for compiling and/or packaging your software and then a smaller, leaner, one for running it.
The obvious use cases for this are with compiled languages such as Java or Go, but you can also use it to simplify your web applications CI/CD chain if you’re using something like SASS2 for compiling your front end assets. After all, the less code and applications you have in your container, the smaller any possible attack vector is. Aside from the usual benefits that a smaller image would bring for a deployment.
There are plenty of other improvements to this release, but for that I’ll refer you again to the release notes. I’d recommend to at least watch the 8 minute video embedded in there that gives a good summary.
Kubernetes also had a new release, version 1.7, but for this I’ll focus on a single aspect of the new release: secret encryption. This is still in alpha, but a useful and important addition to Kubernetes. Be aware that the way it works may change for 1.8 and therefore may not be upgradable or backwards compatible.
I haven’t used it myself yet, but the way I understand it3 is as follows. You provide an
EncryptionConfig yaml file where you set the encryption/decryption providers. The first provider in this ordered list is then used to encrypt, while for decryption the others may be used in order as well. Per provider you can also provide multiple keys that are used similarly in order.
The secrets are stored in etcd, like before, but now in an encrypted manner. The config key containing the secrets is stored on the master nodes, so obviously you’ll need to ensure access to that is limited.
Following up from a talk on this subject, Francesc Campoy created a GitHub repo for a workshop on tooling and generally how to start with Go. I’ve mentioned before that I like it when useful tools are released to help people get started with something and this is just another of those.
There isn’t a lot I can say about it, but I recommend to check it out regardless of your skill level in Go. And if it turns out that you know it all already, you can contribute instead and that way make it easier for someone else to learn something.