Infrastructure-as-code upstart boosts Kubernetes deployment

Pulumi has expanded its integrations with Kubernetes deployment tools including OPA, Helm v3 and Kustomize, offering a central collaboration point for DevOps container management.

An emerging infrastructure-as-code vendor broadened its tie-ins with Kubernetes deployment and policy enforcement utilities this week, in an appeal to DevOps shops that want a consistent interface for both app developers and infrastructure managers.

Pulumi Corp. first launched an infrastructure-as-code, or IaC, tool in 2018 that supports higher-level programming languages (e.g., JavaScript, Go and .NET), as opposed to scripting languages (e.g., YAML) used natively in Kubernetes or domain-specific languages employed by IaC products (e.g., HashiCorp Terraform).

Along the way, it also created integrations with popular cloud-native infrastructure tools and frameworks, from Kubernetes to Helm charts, and sought to poach customers directly from Terraform.

This week, Pulumi expanded its Kubernetes tie-ins with support in both its open source and paid versions for Helm v3 and Kustomize application deployment tools, a Kubernetes Operator and integration with Open Policy Agent (OPA). The Kubernetes Operator and new OPA integration mean that Pulumi's code can be deployed within Kubernetes clusters using the same role-based access controls as the Kubernetes infrastructure, rather than requiring separate configuration via an outside command-line interface (CLI).

"Their policy as code capabilities, including support for OPA, are potentially quite attractive," said Gregg Siegfried, a research director at Gartner. By contrast, "HashiCorp's Sentinel is a great start, but needs a little more polish and fleshing out, including figuring out whether there is to be any OPA integration."

This week's Pulumi update may also help ease Kubernetes deployments for application developers, with additions such as a YAML Converter tool that translates between higher-level languages and YAML scripts.

It also adds support for strongly typed Kubernetes CustomResourceDefinitions (CRDs), which brings dev-friendly features such as error reporting and failure notifications on Kubernetes infrastructure as code into existing integrated development environments.

Pulumi appeals as DevOps inflection point

Pinpoint Software Inc., an Agile workflow toolmaker in Austin, Texas, rolled out Pulumi last year. Two Pinpoint engineers hired after that purchase came in more familiar with Terraform but now prefer Pulumi's flexibility.

"The great thing about being able to do all this in a higher-level language such as TypeScript or Go is you have the ability to use all of the other clients and APIs out there right next to your infrastructure code," said Andrew Kunzel, software engineer at Pinpoint. "For example, we're able to use the AWS API to get the Spot price for a certain instance type right next to our code defining the node groups, and we didn't need to go to a different system or make a CLI call."

Pulumi will provide a common language for developers and ops to communicate as infrastructure management "shifts left" along the DevOps timeline.

"[Terraform] makes it easy to stand up infrastructure, but you end up working yourself into this hole where … you need to learn the language or you need to work with teams that are well-versed in it," said Michael Goode, platform operations engineer at Pinpoint. "Those teams tend to become siloed, [but] Pulumi fills the gap so you don't have to learn specific declarative type languages, or even YAML, for that matter."

This week's addition of support for strongly typed CRDs will be key to helping developers learn about Kubernetes deployments and, potentially, prevent mistakes from reaching production.

"Monitoring Kubernetes is a challenge, so being able to tell right away at deploy time, 'Hey, this is not going to work,' is a lot better than someone trying to figure out why things aren't working, and it turns out, it's because someone used an integer instead of a string," Kunzel said. "That's really hard to diagnose."

Pulumi offers a consistent interface between Helm and Kustomize, which simplifies Kubernetes deployments between test and production environments to a matter of updating an image tag and changing a few configuration values, Kunzel said.

Pulumi CrossGuard and its new OPA-compatible access controller are on the to-do list for Pinpoint to evaluate as the company grows, Goode said. For now, Pulumi is most commonly used by the company's ops-focused engineers, but as Pinpoint's engineering team of 15 expands in the next year or so, the company will need to take a more systematized approach to DevOps collaboration and Kubernetes deployments.

"Where we are now works for 15 people, but if we get to 50 or more developers, what we have right now won't work," Kunzel said. "Pulumi is a more scalable [approach], and as we grow as a company, our reliance on Pulumi will expand."

Pulumi, the underdog, vs. HashiCorp, the heavyweight

Pulumi has gained a couple hundred customers since it first launched in 2018, according to its CEO, Joe Duffy, but the company still faces a rigorous battle against IaC incumbents -- mainly, Terraform -- and the perception that Pulumi's appeal is limited to niches within the market so far.

"From what I've seen, Pulumi has an interesting dichotomy of appeal," Gartner's Siegfried said. "Either larger organizations and service providers where a specific 'cloud engineering' function exists that's able to treat collections of cloud resources just like software products … [or] smaller organizations that are running single-team DevOps where it may be attractive to use the same programming languages."

As IT ops pros take on a site reliability engineering (SRE) role, they may form an audience for Pulumi that fits in between those two extremes, Siegfried said. But HashiCorp has its own strong appeal to that audience, as well as with the other cloud-native infrastructure management tools in its portfolio such as Consul and Vault.

"SREs also have an eye on the entire ecosystem, and the HashiCorp stack presents such a productive toolkit as a whole, that there may be some favorable momentum toward Terraform in that instance as well," Siegfried said.
