1 of 29

2 of 29

How to run a Cloud Native ...

Cloud Native Meetup Bern 19.01.21

3 of 29

Agenda

  • About CAOS
  • ZITADEL
  • How do we run it
  • What did we learn
  • The future

4 of 29

About CAOS

  • Founded early 2019
  • 11 Employees specialized in IAM and DevOps / GitOps
  • 100% Partner Owned
  • Open Source Company
  • Swiss Made Software
  • OpenID Foundation Sponsor

5 of 29

People

Fabienne Gerschwiler

Software Engineer

Jürg Rinaldi

UI/UX Designer

Livio Amstutz

Software Engineer

Elio Bischof

Automation Advocate

Maximilian Panne

Chief Operating Officer

Silvan Reusser

Software Engineer

Stefan Benz

Software Engineer

Christian Jakob

DevOps Enthusiast

Florian Forster

Head of CAOS

Maximilian Peintner

Software Engineer

Michael Wäger

Software Engineer

6 of 29

What we do

  1. Develop two open-source projects
    • ZITADEL: Cloud-native Identity & Access Management (IAM)
    • ORBOS: Container Runtime Platform (CRP) based on GitOps
  2. Offer Europe’s only cloud-based IAM-as-a-Service -> zitadel.ch
  3. Operate or provide support service for clients
  4. Provide consulting and engineering regarding IAM and DevOps

7 of 29

ZITADEL

8 of 29

9 of 29

What makes ZITADEL special

  • Cloud Native Architecture
  • Low Footprint written in Go and Angular
  • API First
  • Scales from One Server to Multiple Datacenters
  • Supports modern Identity & Access Standards (OpenID Connect & OAuth 2.0)
  • Security features are always included (Passwordless, 2FA)

10 of 29

Our Challenges & Goals

  • Cloud Provider Agnostic / Multi Cloud
  • Control as much as feasible
  • Reproducible / Idempotent
  • Treat clusters as cattle ...
  • Start a ZITADEL cluster in < 15 min from scratch
  • Keep everything auditable
  • No tooling hell

11 of 29

12 of 29

13 of 29

How we run ZITADEL

14 of 29

15 of 29

GitOps

  • Declarative approach
  • Git as single source of truth
  • Separation of build Software (Github Actions) and run Software (ORBOS)
  • More secure and auditable than CIOps
    • No access from pipeline (CD) to the clusters
    • Full change track of all operational changes in Git

16 of 29

[Diagram slide: GitOps flow. Development / Continuous Integration side (Dev.): Git (Source), Github Actions, GHCR (Registry). Operations / Continuous Delivery side (Ops.): Git (Config), Release Decision, Operator, Kubernetes Cluster (API Server), IaaS Provider (API).]

17 of 29

What is ORBOS

  • Manages Infrastructure, Orchestration and Tools
  • Is a reconciler that continuously ensures a given state
  • Enables us to deliver hyperconverged IAM
  • Highly reproducible through GitOps pattern
    • Self Driving - No management server needed

18 of 29

19 of 29

Which Resources we manage with GitOps

  • Infrastructure
  • Platform
  • Domain Names / Cloud LB / CDN / Certificates
  • ZITADEL
  • Database (CockroachDB)

20 of 29

21 of 29

Start of a cluster

  1. Generate a repository with desired state files
  2. Generate Orb file
  3. Execute orbctl takeoff
  4. Watch and wait ;-)

22 of 29

What will happen

  • The local orbctl reads the Git Repository and starts ORBOS
  • ORBOS then ensures ...
    1. Infrastructure (nodes, lb, firewall, ...)
    2. Kubernetes
    3. Deploys itself to the cluster
    4. Platform tools (ingress, metrics, logs, ...)
  • Cluster is ready for ZITADEL
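The reconcile loop described on the "What is ORBOS" and "What will happen" slides (a reconciler that continuously ensures the state declared in Git, in the order infrastructure, Kubernetes, self-deployment, platform tools) as an added example in Go. This is illustrative code written for this page, not ORBOS's or ZITADEL's own; the Resource schema, the layer names and the in-memory Cluster are assumptions standing in for the desired-state files and the real cluster.

```go
package main

import (
	"fmt"
	"sort"
)

// Resource is one entry of desired state as it might be read from the
// desired-state files in the Git repository. The schema is an assumption
// for this example, not the ORBOS format.
type Resource struct {
	Layer string // which reconcile phase this belongs to
	Name  string
	Spec  string // opaque configuration, compared for drift
}

// layerOrder encodes the order the slides give: infrastructure first,
// then Kubernetes, then the operator itself, then platform tools.
var layerOrder = map[string]int{
	"infrastructure": 0,
	"kubernetes":     1,
	"operator":       2,
	"platform":       3,
}

// Cluster is an in-memory stand-in for the actual state of nodes, the
// Kubernetes API and deployed tools (constructed for this example).
type Cluster struct {
	Actual map[string]Resource // keyed by "layer/name"
}

func key(r Resource) string { return r.Layer + "/" + r.Name }

// Reconcile drives Actual towards desired, layer by layer, and returns the
// actions it took. It rejects unknown layers instead of guessing an order,
// prunes anything not declared in Git (Git is the single source of truth),
// and a second run with unchanged desired state returns no actions.
func Reconcile(desired []Resource, c *Cluster) ([]string, error) {
	for _, d := range desired {
		if _, ok := layerOrder[d.Layer]; !ok {
			return nil, fmt.Errorf("resource %q: unknown layer %q", d.Name, d.Layer)
		}
	}
	ordered := append([]Resource(nil), desired...)
	sort.SliceStable(ordered, func(i, j int) bool {
		return layerOrder[ordered[i].Layer] < layerOrder[ordered[j].Layer]
	})

	var actions []string
	declared := map[string]bool{}
	for _, d := range ordered {
		k := key(d)
		declared[k] = true
		cur, exists := c.Actual[k]
		switch {
		case !exists:
			c.Actual[k] = d
			actions = append(actions, "create "+k)
		case cur.Spec != d.Spec: // drift: actual state no longer matches Git
			c.Actual[k] = d
			actions = append(actions, "update "+k)
		}
	}

	var stale []string
	for k := range c.Actual {
		if !declared[k] {
			stale = append(stale, k)
		}
	}
	sort.Strings(stale) // deterministic output for the same input
	for _, k := range stale {
		delete(c.Actual, k)
		actions = append(actions, "delete "+k)
	}
	return actions, nil
}

// SampleDesired is a constructed desired state, deliberately listed out of
// order to show that the reconciler, not the file order, decides the sequence.
func SampleDesired() []Resource {
	return []Resource{
		{Layer: "platform", Name: "ingress", Spec: "nginx-ingress v1"},
		{Layer: "kubernetes", Name: "control-plane", Spec: "3 masters"},
		{Layer: "infrastructure", Name: "nodes", Spec: "3 nodes, firewall on"},
		{Layer: "operator", Name: "orbos", Spec: "self-deployed reconciler"},
	}
}

func main() {
	c := &Cluster{Actual: map[string]Resource{}}
	first, _ := Reconcile(SampleDesired(), c)
	fmt.Println("takeoff:", first)
	second, _ := Reconcile(SampleDesired(), c)
	fmt.Println("second run (should be empty):", second)
	// Simulate out-of-band drift on the cluster; the next run repairs it.
	c.Actual["platform/ingress"] = Resource{Layer: "platform", Name: "ingress", Spec: "edited by hand"}
	third, _ := Reconcile(SampleDesired(), c)
	fmt.Println("after drift:", third)
}
```

The two properties worth checking in any reconciler of this shape are the ones the slides claim: the run is idempotent (a second pass over the same Git state does nothing), and changes made by hand on the cluster are detected and reverted to what Git declares, which is what makes the Git history a complete audit trail of operational change.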

23 of 29

24 of 29

Learnings

25 of 29

Learnings

  • Let users choose between Git and K8s as storage option for ZITADEL
  • Provide easy UX to install
  • Merged ORBITER and BOOM into ORBOS
  • Split ZITADEL Operator from ORBOS
  • Google Local SSDs need some tweaking (high IOwait) ;-)
    • Disable write cache flushing
  • East-West connections across providers are no easy task

26 of 29

Future

27 of 29

28 of 29

Questions?

29 of 29

Links