The Devil is in the Deployments

Carolyn Van Slyck


Principal Software Engineer at Microsoft
Maintainer of the CNAB Specification
Co-creator of Porter

Overview

  • What is CNAB
  • What problems it solves
  • When bundles may help
  • When they probably won't

Cloud Native Application Bundle Specification (CNAB)

cnab.io

What Problems Do Bundles Solve?

  • Package deployments into a versioned distributable artifact
  • Reduce complexity of deployments for the people running them
  • Provide tools and workflows for secure, tamper-proof deployments

What is Porter?

porter.sh

Package your application, deployment tools, configuration and deployment logic together as a versioned bundle that you can distribute, and then install with a single command! 🎩✨

Why I use bundles

Image by IronM17

Bundles contain everything they need to deploy

Example: Create and configure a new team cluster

  1. Create a cluster with kubeadm, aws, az, gcloud...
  2. Create a team secret store with vault, aws, az, gcloud...
  3. Install Kubernetes Secrets Store CSI with helm

Bundles encapsulate the deployment logic

Example: Create and configure a new team cluster

  1. Clone a repository? The app's or a devops one?
  2. Set environment variables, and save config files to specific locations?
  3. Call multiple helm and terraform commands?
  4. Or a custom script?
  5. Or a utility docker container with a bunch of flags?

Every deployment is a snowflake ❄️


$ porter install staging-app --tag myorg/myapp:v1.17.1 --cred staging
  • I only need the bundle tag
  • I don't need to be familiar with the app or tooling
  • This is much less intimidating to learn 😅

Distributed via OCI Registries

  • No new infra to support
  • Easy to find
  • Familiar 🐳

Bundle! Explain yourself


$ porter explain --tag myorg/myapp:v1.17.1
Name: myapp
Description: A really good application
Version: v1.17.1

Credentials:
Name         Description                       Required
kubeconfig   A kubeconfig with cluster admin   true

No parameters defined

No outputs defined

Actions:
Name               Description                              Modifies Installation   Stateless
maintenance-mode   Pauses the app and puts up a cute sign   true                    false

Secret management that I can manage

Example: Create and configure a new team cluster

  • Read docs to know what credentials are required
  • Use local environment variables, files or if lucky a remote secret store
  • Specify credentials differently based on tools used
  • Cleanup local machine after deployment

  1. porter credentials generate walks you through where to find credentials
  2. porter install injects credentials just-in-time into the running bundle
  3. Credentials are destroyed with the bundle when it is done

Focus on the deployment, not the bash

  • Declarative syntax with built-in helpers
  • Error checking
  • Capture outputs with regex, json
  • Consume state, outputs, parameters, credentials
  • Connect unrelated tools like Lego™️

Why companies like bundles

  • Deploy across an airgap
  • Repeatable deployments
  • Supply chain security
  • Metadata for analysis and enforcement
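
An added example, not from the original slides or from Porter: a small check over the metadata a bundle carries in its CNAB bundle.json, the kind of analysis and enforcement the last bullet refers to. The field names (invocationImages, images, contentDigest, credentials, actions, modifies) come from the CNAB specification; the three policy rules, the image names and the digest value are assumptions constructed for illustration.

```python
import re

DIGEST = re.compile(r"^sha256:[0-9a-f]{64}$")

# Constructed sample of a parsed bundle.json for the "myapp" bundle; the image
# names and the digest value are made up for this example.
SAMPLE_BUNDLE = {
    "name": "myapp",
    "invocationImages": [{"imageType": "docker",
                          "image": "myorg/myapp-installer:v1.17.1",
                          "contentDigest": "sha256:" + "ab" * 32}],
    "images": {"web": {"imageType": "docker", "image": "myorg/myapp-web:latest"}},
    "credentials": {"kubeconfig": {"path": "/root/.kube/config", "required": True}},
    "actions": {"maintenance-mode": {"modifies": True, "stateless": False}},
}


def audit_bundle(bundle, allowed_credentials):
    """Return findings for a parsed bundle.json under a hypothetical policy."""
    findings = []
    # Rule 1: every image the bundle runs or deploys carries a content digest,
    # so what gets pulled can be checked against what the author published.
    images = [(f"invocationImages[{i}]", img)
              for i, img in enumerate(bundle.get("invocationImages", []))]
    images += [(f"images.{name}", img)
               for name, img in sorted(bundle.get("images", {}).items())]
    for where, img in images:
        if not DIGEST.match(img.get("contentDigest") or ""):
            findings.append(f"{where}: {img.get('image')} has no sha256 contentDigest")
    # Rule 2: the bundle may only ask for credentials the operator approved.
    for name in sorted(bundle.get("credentials", {})):
        if name not in allowed_credentials:
            findings.append(f"credentials.{name}: not approved for this bundle")
    # Rule 3: custom actions that modify the installation are flagged for review.
    for name, action in sorted(bundle.get("actions", {}).items()):
        if action.get("modifies", False):
            findings.append(f"actions.{name}: modifies the installation")
    return findings


if __name__ == "__main__":
    for finding in audit_bundle(SAMPLE_BUNDLE, allowed_credentials={"kubeconfig"}):
        print(finding)
```

Run against the sample, the check reports the unpinned web image and the maintenance-mode action, and stays silent about the kubeconfig credential because it is on the allow-list.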

When would you skip bundles?

Image by dropletx1

Single Stack and Satisfied

  • Aren't creating your cluster or infrastructure
  • Aren't making multiple helm calls or using other tools
  • Aren't collecting outputs and using it as input to another command
  • Don't need that enterprisy stuff

$ helm install staging-app myorg/myapp -f vars.yaml

🤷‍♀️


$ porter install staging-app -t myorg/myapp:v1.17.1 -p myapp -c staging

Windows is Complicated Right Now

👍 Bundles can run on Windows

👎 Bundles currently only support Linux containers

🚗 Windows container support is on our roadmap

Bundles In Review

  • Contain everything you need to deploy: artifacts, tools, logic
  • Distributed over OCI registries
  • Manage credentials securely
  • Flexible authoring experience
  • Tamper-proof, repeatable deployments

Resources

Thank you!

My Little Pony™️ belongs to Hasbro.