Skip to main content
Version: v1alpha4

Technical Overview

Overview

Holos makes it easier for platform teams to integrate software into their platform. Existing tools in the Kubernetes ecosystem are narrowly focused on application management. Holos takes a holistic approach, focusing on the broad integration layer where applications are joined into the platform. Holos improves cross team collaboration through well defined, typed structures at the integration layer. These definitions provide golden paths for other teams to easily integrate their own services into the platform.

The Problem

Platform teams need to develop and maintain significant glue code to integrate Helm charts and YAML manifests into a platform built on Kubernetes. This glue code is often implemented with home grown umbrella charts and scripts. Maintaining these charts and scripts takes time and effort that could otherwise be spent improving the platform. The need for each organization to develop and maintain this glue code indicates a gap in the Kubernetes ecosystem. Holos is a Go command line tool leveraging CUE to fill this gap.

Key Features

  1. Holos enables teams to provide simple definitions for other teams to use as golden paths.
  2. Define integrations in CUE with strong type checking. No more text templates or bash scripts.
  3. Simplify complex integration. Order does not matter. Validation is early and quick.
  4. Reuse your existing Helm charts and Kustomize bases.
  5. Implement the rendered manifests pattern. Changes are clearly visible platform-wide.
  6. Fully render manifests to plain files. Use your existing GitOps tools and processes.
  7. Post-process with Kustomize from CUE instead of plain text files. Customize your Kustomizations.
  8. Mix in resources to Helm charts and Kustomize bases, for example ExternalSecrets.
  9. Render all of Helm, Kustomize, CUE, JSON, and YAML consistently with the same process.

Rendering Pipeline

Use Case

One of the development teams at the fictional Bank of Holos wants to deploy a simple web app for an experimental project they're working on.

The platform team at the bank wants to build a simple golden path for teams to provision projects consistently and easily in compliance with the bank's policies.

Platform Team

The platform team builds a golden path for development teams to register their project with the platform. In compliance with bank policy, the platform team needs to manage important security resources for each new project. All of these resources can be derived from only 3 pieces of information.

  1. The name of the project the dev team is working on.
  2. The name of the team who currently owns the project.
  3. The services, if any, the project is exposing.

The platform team defines a structure for the dev team to register this information. This structure provides the golden path for the dev team.

The development team registers their experimental project, creatively named "experiment" by submitting a pull request that contains this information.

package holos

// The development team registers a project name.
_Projects: experiment: {
// The project owner must be named.
Owner: Name: "dev-team"
// Expose Service podinfo at https://podinfo.example.com
Hostnames: podinfo: Port: 9898
}

The platform team uses these three pieces of information to derive all of the platform resources necessary to support the development team.

  1. Namespace for the project resources.
  2. RoleBinding to grant the dev team access to the project namespace.
  3. SecretStore which implements the secret management policy for the bank.
  4. ReferenceGrant to expose the project services through the Gateway API.
  5. HTTPRoutes to expose the project services, if any.
  6. AppProject to deploy and manage the project Applications with ArgoCD.
  7. Common Labels to ensure every resource is labeled for resource accounting.

Rendering the platform generates fully rendered manifests for all of these resources. These manifests are derived from the three pieces of information the dev team provided.

Note the platform team must manage these resources across multiple namespaces. The first four reside in the project namespace owned by the dev team. The HTTPRoute and AppProject go into two namespaces managed by the platform team. Holos makes it easier for the platform team to organize these resources into different components with different owners.

important

Holos supports CODEOWNERS by clearly defining the teams responsible for each platform component.

holos render platform ./platform

The fully rendered manifests are written into the deploy/ directory organized by cluster and component for GitOps.

cat deploy/clusters/local/components/namespaces/namespaces.gen.yaml
apiVersion: v1
kind: Namespace
metadata:
labels:
argocd.argoproj.io/instance: namespaces
example.com/owner.email: sg-dev-[email protected]
example.com/owner.name: dev-team
example.com/project.name: experiment
holos.run/component.name: namespaces
kubernetes.io/metadata.name: experiment
name: experiment

The rendered manifests are derived from the project registration information by definitions implemented by the platform team. The Author API provides a Project schema, but does not define an implementation. The platform team implements the Project schema by adding a _Projects struct to manage resources according to bank policies.

important

The Author API is intended as a convenient, ergonomic reference for component authors. Definitions are not confined to the Author API.

The following example shows how the platform team wrote the _Projects definition to derive the Namespace from the project registration provided by the dev team.

projects/platform/components/namespaces/namespaces.cue
package holos

_Kubernetes: #Kubernetes & {
Name: "namespaces"
Resources: Namespace: _Namespaces
}

// Produce a kubernetes objects build plan.
_Kubernetes.BuildPlan
  1. This is the namespaces component which manages a collection of Namespace resources derived from the project registration data shown in the second tab.
  2. Line 5 manages a Namespace for each value of the #Namespaces struct. See the second tab for how the platform team defines this structure.

The RoleBinding, SecretScore, and ReferenceGrant are managed in the projects component, similar to the previous namespaces example. The HTTPRoute is managed separately in the httproutes component.

All components are registered with the platform in the platform directory.

important

Multiple components, potentially owned by different teams, derive fully rendered resources from the same three project values. The dev team added these three values to the _Projects struct. The platform team wrote the definition to integrate software according to bank policies. CUE powers this unified platform configuration model.

tip

Components map 1:1 to ArgoCD Applications or Flux Kustomizations.

Development Team

The development team has the platform resources they need, but they still need to deploy their container. The development team submits a pull request adding the following two files to deploy their existing Helm chart.

projects/experiment/components/podinfo/podinfo.cue
package holos

// Produce a helm chart build plan.
_HelmChart.BuildPlan

_HelmChart: #Helm & {
Name: "podinfo"
Chart: {
version: "6.6.2"
repository: {
name: "podinfo"
url: "https://stefanprodan.github.io/podinfo"
}
}
}

This file represents a Helm chart component to add to the platform. The second tab registers this component with the platform.

The project tag links the component to the same field of the _Projects struct.

important

You can add your own key=value tags in your platform specification to inject values into components. This feature is useful to reuse one component path for several environments or customers.

Once the dev team's component is registered, rendering the platform will render their component.

holos render platform ./platform
cat deploy/clusters/local/components/podinfo/podinfo.gen.yaml

Note the rendered Helm chart resources have consistent project labels. The platform team added a constraint to the project so all Helm charts are post processed with Kustomize to add these common labels. The platform team accomplishes this by adding a constraint in the project directory. This can be seen in schema.cue where the platform team configures all component kinds for the platform.

We've covered how the platform team provides a golden path for development teams to register their projects by defining a Projects structure. We've also covered how the development team deploys their existing Helm chart onto the platform.

Support & Resources

  1. See our Quickstart guide to get started with Holos.
  2. Check out our other Guides which cover specific topics.
  3. Refer to the Author API when writing components.
  4. Consider the Core API if you need to do something more advanced than the Author API supports.
  5. Community and commercial Support is available.
  6. Discussions Forum