Isolated Deployment

I’m trying to understand the best way to do this in Rancher, if possible. I may be getting my terms wrong, so please bear with me. I have developed an application that has to be deployed to multiple clients. Right now, I have ti manually update them via ssh. In one case, the application is hosted in-house. A pain to say the least. What I’d like to be able to do is to have a single environment on Rancher called ‘Application’. In the Application environment, I want to have a stack for each client. Finally, I want my CI/CD to be able to run a single command that tells rancher to update each stack in the environment appropriately.

As an additional desire, I’d like this to be scalable/HA. So stack A may run one copy of the application, Stack B runs two that get load balanced, etc. Initially I thought I could do this with Docker Swarm, but Docker Swarm does not allow you to isolate the clients that I can tell.

It depends on what you mean by isolated; You can deploy the Network Manager catalog item and configure it so that containers in stack A cannot talk to containers in stack B. But if your clients have direct access to the management server, or the hosts, or a host is compromised, they’re going to see all the containers (no matter what product you’re using).

There is no built in orchestration of upgrading multiple stacks but you could script that with the API or CLI.

If I have to script it I can, or so I would think.

Allow me to describe what I’m after in a slightly different manner. Imagine that you created an in-house software comparable to WordPress called pressWord. The stack for this would have PW/DB/NGINX. You sell pressWord to 4 clients. We’ll say to Bob’s Car Wash, Jane’s Power Perfumes, John’s Smith, and Joes Pool Bar. When it comes time to update the software, for each of these, you’d have to first SSH into the server for Bob’s Car Wash, run the updates, then exit. You’d have repeat this process for the Jane, John, and Joe as well. When I say isolated, I mean in the sense that when I run an update in my CI, the CI contacts rancher saying to update the pressWord Environment. When it does this, it manages connecting out to the individual nodes and running the update. I want each to be isolated in that they all share the same code container, but the DBs are not the same.

During one dive into this, someone mentioned ‘Federated Clusters’ I believe. I’m not sure if this is the correct name or not, but it looks similar. Bob, Jane, John, and Joe would each be their own isolated cluster of containers and running the update would update each cluster without any additional involvement on my part. Each cluster is isolated from the sister clusters, and each cluster can be expanded or contracted based on the overall demand of the software.

I think you mean “code image” and not “code container”…

In order of increasing isolation there’s:

  • one service(cattle)/deployment (k8s) that dynamically selects a database based on host header. i.e. shared hosting
  • one svc/dep per customer in one environment (so separate containers on the same pool of hosts)
  • one environment per customer (so separate hosts for each customer but shared control plane)
  • k8s federation: entirely separate clusters and control panel

Only the first one has an easy “upgrade all the customers at once” story (in cattle, k8s, or any other product I know of). For the rest you need to call upgrade on each customer independently.

This is not necessarily a bad thing though. It may sound undesirable if you have 4 customers, but if you have 400 or 400,000 you’re not really going to want to update them all simultaneously. For one your hosts physically can’t, and you’ll have a really really bad day when you push a bad build and break all your customers simultaneously.