Docs For Ring Management

Added high level documentation and guidance for the though process surrounding
rings and the implementation for them in Bedrock/SPK

Author: evanlouie

guides/auth-private-helm-repos.md

@@ -9,7 +9,7 @@ Helm chart repository, we can piggy back off the ability for
 
 ## Utilizing The Default PAT (ACCESS_TOKEN_SECRET)
 
-By default, all services created via `spk service create` with the the
+By default, all services created via `spk service create` with the
 `--helm-config-*` family of options will be setup to consume the environment
 variable `ACCESS_TOKEN_SECRET` -- The PAT used to clone the application
 repository in the HLD-to-Materialized pipeline. So if the PAT used to setup your
@@ -45,7 +45,7 @@ spk service create my-service \
 
 **Note**: it is important that the git URI you pass is an `https` URI and does
 NOT contain a username in it. By default, the clone URIs that the Azure DevOps
-creates presents in the UI contain your username in them (eg.
+creates presents in the UI contain your username in them (e.g.
 `https://<my-username>@dev.azure.com/my-org/my-project/_git/my-repo`). Fabrikate
 will not inject the PAT if the username is there as the value contained in place
 of the username can be a PAT itself.
@@ -76,7 +76,7 @@ variableGroups:
 
 ### Updating/Changing The Environment Variable
 
-If you want to change the the environment variable used after creating your
-service, simply change the value of `accessTokenVariable` in your `bedrock.yaml`
-to the target environment variable (and ensure that the environment variable
-exists in your HLD-to-Materialized pipeline).
+If you want to change the environment variable used after creating your service,
+simply change the value of `accessTokenVariable` in your `bedrock.yaml` to the
+target environment variable (and ensure that the environment variable exists in
+your HLD-to-Materialized pipeline).

guides/rings-101.md

@@ -0,0 +1,169 @@
+# Rings
+
+## What are Deployment Rings?
+
+The concept of _Deployment Rings_ is an encapsulation of a production-first
+DevOps strategy to group your users into cohorts based on the features of your
+application your wish to expose to them -- think A/B or canary testing but in a
+more formalized matter in which you rollout changes from a smaller ring into a
+larger encompassing ring.
+
+Rings formalize around a the idea of having a single of production users and
+smaller rings targeting cohorts of the larger ring and potentially even smaller
+rings targeting cohorts of those cohorts. This enables the ability to measure
+the impact or _Blast Radius_ of the deployed version of the application.
+
+## When Should I Use a Ring?
+
+Rings are useful when you want:
+
+- To be able to test in production.
+- Have flexibility in the number of environments/rings available to your system
+  at any given time.
+- Have a standardized means to promote environments/rings to larger cohorts.
+
+## Bedrock -- Applying Rings To Microservices
+
+Generally speaking, rings are more traditionally applied to monolithic
+applications -- Delivering specific versions of a single application to specific
+cohorts as needed. When in the context of Kubernetes and microservices, this
+becomes a much larger problem to tackle as you need to be able to extend the
+concept and deployment of rings to not only a single application, but _sets_ of
+applications within your cluster.
+
+### Conceptual mapping to Git branches
+
+Bedrock maps rings to branches in your application git repository. As branches
+represent a divergence from your main production code (i.e; `master`), they map
+to the idea or rings cleanly.
+
+### How its implemented in Bedrock
+
+Due to the limitations of the `Service` type in Kubernetes, Bedrock adopts the
+usage of edge routers (Traefik2) with header-based routing capabilities to
+identify your Ring via a provided header at ingress time. Instead of only
+routing to vanilla Kubernetes `Service`s, for every Bedrock `Ring` and `Service`
+defined in your cluster, a Kubernetes `Service` is created to expose it (the
+Kubernetes service will be called `<service-name>-<ring-name>`). This _Ringed
+Service_ is then exposed via a Traefik2 IngressRoute which routes to it when a
+request is made to the router for `/<major-version>/<service-name>/` with a
+Header of `Ring: <ring-name>`
+
+To recap, lets imagine you have a Traefik2 ingress service in our cluster with
+the name `traefik` and we had an _Ringed Service_ to expose called
+`foobar-prod`. Instead of making requests to
+`foobar-prod.my-namespace.svc.cluster.local` in your cluster, you would instead
+make requests to `traefik.my-namespace.svc.cluster.local/<major-version>/foobar`
+with an HTTP header containing `Ring: prod`. The request would be routed via
+Traefik2 to the correct _Ringed Service_ based on the service requested and the
+`Ring` header -- routing the request to
+`foobar-prod.my-namespace.svc.cluster.local` for you.
+
+## Rings & SPK
+
+### Perquisites
+
+[SPK](https://github.com/CatalystCode/spk) is command line tool meant to ease
+the adoption of [Bedrock](https://github.com/microsoft/bedrock/) methodologies
+and patterns. With SPK, rings are first class citizens and are managed/tracked
+alongside your services, enabling quick scaffolding and deployment of your
+services to your rings.
+
+### Creating/Adding a Ring
+
+Creating/adding a Ring is based around a single command:
+`spk ring create <ring-name>`.
+
+This command adds a new ring to your spk project and tracks it in projects
+`bedrock.yaml` file. Subsequently, the command walks through every service in
+your project and updates their pipeline YAML to monitor the git branch the ring
+corresponds to. Making every merge into the ring branch trigger a new
+build/deployment of your ring.
+
+### Deleting/Removing a Ring
+
+Deleting/removing a ring does the inverse of [creating](#creatingadding-a-ring):
+`spk ring delete <ring-name>`.
+
+This command removes the ring from your `bedrock.yaml` file and walks through
+all the services in your project and removing the ring branch from the service
+pipeline YAML.
+
+### What Services Have What Rings?
+
+For each ring defined in your `bedrock.yaml` file, every services
+build-update-hld pipeline will be configured to trigger off the said
+rings/branches and build a _ringed_ version of it.
+
+Take for example the following `bedrock.yaml`:
+
+```yaml
+rings:
+  master:
+    isDefault: true
+  develop:
+    isDefault: false
+services:
+  ./foo:
+    displayName: ""
+    helm:
+      chart:
+        accessTokenVariable: MY_ENV_VAR
+        branch: master
+        git: https://dev.azure.com/my-org/my-project/_git/my-repo
+        path: foo-helm-chart
+    k8sBackend: foo
+    k8sBackendPort: 80
+    middlewares: []
+    pathPrefix: ""
+    pathPrefixMajorVersion: ""
+  ./bar:
+    displayName: ""
+    helm:
+      chart:
+        accessTokenVariable: MY_ENV_VAR
+        branch: master
+        git: https://dev.azure.com/my-org/my-project/_git/my-repo
+        path: bar-helm-chart
+    k8sBackend: bar
+    k8sBackendPort: 80
+    middlewares: []
+    pathPrefix: ""
+    pathPrefixMajorVersion: ""
+variableGroups:
+  - core
+```
+
+In this example we have defined 2 rings (`master` and `develop`) and 2 services
+(`foo` and `bar`) within our `bedrock.yaml`.
+
+The corresponding `build-update-hld.yaml` files for services `foo` and `bar`
+will contain:
+
+```yaml
+trigger:
+  branches:
+    include:
+      - master
+      - develop
+```
+
+Making the Azure DevOp pipeline trigger off those corresponding branches/rings.
+
+### Validating the Deployment of My Ringed Service
+
+After your services have been deployed, the next step is to validate that they
+are being correctly routed. Remember that route to rings based off a the header
+`Ring`.
+
+Imagine our Traefik2 Ingress has been given the IP address `88.88.88.88` we can
+ping our services now via a curl command containing the header
+`Ring: <target-ring>` where `<target-ring>` corresponds to the ring we wish to
+ping:
+
+```sh
+curl -H "Ring: master" 88.88.88.88/foo/
+curl -H "Ring: master" 88.88.88.88/bar/
+curl -H "Ring: develop" 88.88.88.88/foo/
+curl -H "Ring: develop" 88.88.88.88/bar/
+```

src/commands/service/create.md

@@ -4,26 +4,27 @@ Add a new service into this initialized spk project repository.
 
 ## Example
 
-  ```bash
-  spk service create . \ 
-    --display-name $app_name \
-    --helm-config-path $path_to_chart_in_repo \
-    --helm-config-git $helm_repo_url \ # Needs to start with https and not contain user name 
-    --helm-config-branch master \
-    --helm-chart-access-token-variable $ENV_VAR_NAME
-  ```
- 
+```bash
+spk service create . \
+  --display-name $app_name \
+  --helm-config-path $path_to_chart_in_repo \
+  --helm-config-git $helm_repo_url \ # Needs to start with https and not contain user name
+  --helm-config-branch master \
+  --helm-chart-access-token-variable $ENV_VAR_NAME
+```
+
 ## Note
 
-- `--helm-chart-*` and `--helm-config-*` settings are exclusive. **You may only
-  use one.**
+- `--helm-chart-*` and `--helm-config-*` settings are mutually-exclusive. **You
+  may only use one.**
   - If the git repository referenced in `--helm-config-git` is a private
     repository, you can specify an environment variable in your
     HLD-to-Materialized pipeline containing your a PAT to authenticate with via
     the `--helm-chart-access-token-variable` option.
 - `--middlewares`, `--k8s-backend-port`, `--path-prefix`,
   `--path-prefix-major-version`, and `--k8s-backend` are all used to configure
-  the generated Traefik2 IngressRoutes. ie.
+  the generated Traefik2 IngressRoutes. i.e.
+
   ```sh
   spk service create my-example-documents-service \
     --middlewares middleware \
@@ -32,7 +33,9 @@ Add a new service into this initialized spk project repository.
     --path-prefix documents \
     --path-prefix-major-version v2
   ```
+
   will result in an IngressRoute that looks like:
+
   ```yaml
   apiVersion: traefik.containo.us/v1alpha1
   kind: IngressRoute