diff --git a/LAB10.md b/LAB10.md deleted file mode 100644 index 12bde5264..000000000 --- a/LAB10.md +++ /dev/null 
@@ -1,44 +0,0 @@ -# 10 - -## Helm - -In this lab you need to get familiar with `Helm`. Setup local development environment and prepare a few manifests for your application. - -### 10 points - -1. Read about `Helm`: - * [Helm Architecture](https://helm.sh/docs/topics/architecture/) - * [Charts](https://helm.sh/docs/topics/charts/) - -2. Install helm: - * [Installing Helm](https://helm.sh/docs/intro/install/) - * [Chart repository](https://helm.sh/docs/intro/quickstart/#initialize-a-helm-chart-repository) - -3. Create your own chart: - * [Example](https://helm.sh/docs/intro/using_helm/#creating-your-own-charts) - * Inside the `k8s` folder use `helm create your-app` to create a template. - * To use your own application repository instead of the default repository provided, replace the default repository and tag inside the `values.yaml` with your repository name. - * Don't forget to change `containerPort` in the `deployment.yml`. - * If you can't troubleshoot `livenessProbe` and `readinessProbe` - comment it. - - > Use `minikube dashboard` command for troubleshooting. - -4. Install your helm chart and make sure that all services are healthy. Check `Workloads` page in the `minikube` dashboard. - -5. Check it with the `minikube service your_service_name` command. Also provide the output of the `kubectl get pods,svc` command in the report. - -6. Create a PR to the forked repo lab9 branch, ask your teammates to review it and review PRs of your teammates. - -7. Create a PR in your own repository from the lab10 branch to the lab9 one. It will help us with grading. - -### List of requirements - -* Helm Chart -* Output of `kubectl get pods,svc` command in `README.md` in `k8s` folder - -## Bonus - -### 1 point - -1. Prepare a helm chart for your extra app. -2. Read about `Library Charts` and `Umbrella charts`, provide the explanation in a nutshell, as you understand it. No copy paste. diff --git a/LAB11.md b/LAB11.md new file mode 100644 index 000000000..6274f1f42 --- /dev/null 
+++ b/LAB11.md 
@@ -0,0 +1,54 @@ +# 11 + +## K8s secrets and resources + +### 10 points + +In this lab you will figure out how to manage sensitive data such as a password, a token, or a key in kubernetes. Then you will set up CPU and memory limits for your app. + +1. Create a secret in your cluster using `kubctl`. + + * [Secrets](https://kubernetes.io/docs/concepts/configuration/secret/) + * [Managing secrets](https://kubernetes.io/docs/tasks/configmap-secret/managing-secret-using-kubectl/#decoding-secret) + +2. Verify and decode your secret, then create 11.md in the k8s folder and provide the output of the commands inside. + +3. So we'll skip configuration file for secret, let's use helm. + + * You need to create `secrets.yaml` file in `templates` folder. + * Create a `secret` object inside. + * Add `env` field to your `Deployment`. Path that you will need: `spec.template.spec.containers.env.` + + > [Helm secrets](https://www.youtube.com/watch?v=hRSlKRvYe1A) + + * Update your helm deployment (instructions are present in the video). Get pods: `kubectl get po.` Use the name of the pod to provide a proof of your success. Check your secret inside pod, example: `kubectl exec demo- 5f898f5f4c-2gpnd -- printenv | grep MY_PASS.` + +4. Read about Resources management: + + * [Resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) + +5. Set up requests and limits for CPU and memory for your application and test that it works. + +6. Create a PR to the forked repo lab11 branch, ask your teammates to review it and review PRs of your teammates. + +7. Create a PR in your own repository from the lab11 branch to the lab10 one. It will help us with grading. + +### List of requirements + +* proof of work with a secret in 11.md for the step 2 +* secrets.yaml +* proof of work with a secret in 11.md for the step 3 +* resource requests and limits for cpu and memory + +## Bonus + +### 2 points + +1. 
Add environment variables for your containers: + + * Read about it: + + * [K8s env vars](https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) + + * Update your helm chart with several environment variables, but use named templates, move them to `_helpers.tpl` file: + * [Helm named templates](https://helm.sh/docs/chart_template_guide/named_templates/) diff --git a/k8s/.gitignore b/k8s/.gitignore new file mode 100644 index 000000000..231da07d3 --- /dev/null +++ b/k8s/.gitignore @@ -0,0 +1 @@ +*.dec diff --git a/k8s/11.md b/k8s/11.md new file mode 100644 index 000000000..6214ec05c --- /dev/null +++ b/k8s/11.md @@ -0,0 +1,21 @@ +# k8s secrets + +* Verify secret + +![](https://i.ibb.co/djxg1VT/1.png) + +* Decode secret + +![](https://i.ibb.co/yVVDR3b/2.png) + +* Created secrets and install the app + +![](https://i.ibb.co/MnMbWNW/3.png) + +* Check that the secret is in envs + +![](https://i.ibb.co/VJjHJGz/4.png) + +* Apply resources requests and limits + +![](https://i.ibb.co/JCBhHz4/5.png) diff --git a/k8s/secrets.yaml b/k8s/secrets.yaml new file mode 100644 index 000000000..e24a2848c --- /dev/null +++ b/k8s/secrets.yaml 
@@ -0,0 +1,27 @@ +mysupersecret: ENC[AES256_GCM,data:qmYMOKMUORFnsYo=,iv:fvO12q/kusb01PDqFhFLgu0k3oEOrMEupTV6GeAEPGc=,tag:1wF56n5IjjarD8hXutS7UA==,type:str] +sops: + kms: [] + gcp_kms: [] + lastmodified: '2022-11-14T12:57:47Z' + mac: ENC[AES256_GCM,data:2JrHoYXalnru+oZpz+d+7lzYP6SDGFN/Qo9WZCNDYTxG1eSyWwM5h4HJHT1WwL0BJXbiCDMh36I83THPhNlPEGQ8MRSObpgmcBc+/vGXOxCbAB/EVu8NFh9sp2JRoBqH4x3hVVqBf0ME/0BNaNI2qKO+Wq1t659qkjDLcM0M1ts=,iv:Zrivs0x2RnKE01TaW+T4MPTqd19Xn2oHp7wm9fKbkfg=,tag:bUgeTEe6Wx7Uj27N5oyCdw==,type:str] + pgp: + - created_at: '2022-11-14T12:57:34Z' + enc: | + -----BEGIN PGP MESSAGE----- + + hQGMA/6XL2lOyjutAQv/dH4ZxyPYpTm/LbSs2BrCeIb73Wtya5meghYFh2UqKlze + 5SBZu86Zv0sDNXTqDGLfi4316PuanBeq/85WN3LuTSvg2Ht3YE67/AGRYTzH/XDJ + gl/UxcXj/ylOanwBCv/HpmL6e+Br0zxTw+16LWcgPP2ai6I7ual7q/C+f2lNuY3p + z9ZRLikQXjAwCJoTylsVvsmzRUqo2aZ+MRm2MPvDHViAYCylIzfUUw398Biw/HDz + 2Ed1FkLsXzvRVmvu9xkh+h3yRbY35cZxlAvMill0gGfKDcj5gpKy9rWMFQaI4asc + NxYPg16sx/m/Era6NzYf/tNslVt9w2hL5KdbNtVfXPmFd14QamT0jMAJ9AvdVeCg + AFjNAq5yRzdTvdLfRNJPdSeDCpdlMq8y5RI64yCu3YAvECg0o8vHgSqgxjnX78Ub + tuvMT1NzTQiejZnYnc+ElKxzAus/fMNjpMTQTduki3hxnV3dsK5qdMz7jRWNFBsZ + gvAGQ6Ic4+LlSzMG8txF0l4BiBgK7szPUede1knySwwN475LtM1lUv2jz7NJCoEJ + JlU2UYTJhHizflO981o8r+ZUQBmi9vKftQKM4dzBLdv8IUbuQlGPXpBiV0A30wcL + AluAaS4c5JkcX05RhOlD + =6R08 + -----END PGP MESSAGE----- + fp: 8963F045E474951F9FAB08801DBBA7A58A0FC87A + unencrypted_suffix: _unencrypted + version: 3.0.3 diff --git a/k8s/timeweb/templates/deployment.yaml b/k8s/timeweb/templates/deployment.yaml index 0e126a6b2..dca3136a6 100644 --- a/k8s/timeweb/templates/deployment.yaml +++ b/k8s/timeweb/templates/deployment.yaml @@ -33,6 +33,12 @@ spec: {{- toYaml .Values.securityContext | nindent 12 }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} + env: + - name: TEST_SECRET + valueFrom: + secretKeyRef: + name: secrets + key: mysupersecret ports: - name: http containerPort: 50000 
diff --git a/k8s/timeweb/templates/secrets.yaml b/k8s/timeweb/templates/secrets.yaml new file mode 100644 index 000000000..a040d95d6 --- /dev/null +++ b/k8s/timeweb/templates/secrets.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Secret +metadata: + name: secrets + labels: + {{- include "timeweb.labels" . | nindent 4 }} +data: + mysupersecret: {{ .Values.mysupersecret | b64enc | quote }} diff --git a/k8s/timeweb/values.yaml b/k8s/timeweb/values.yaml index 3271d0d85..3a5ec4ed3 100644 --- a/k8s/timeweb/values.yaml +++ b/k8s/timeweb/values.yaml @@ -57,7 +57,14 @@ ingress: # hosts: # - chart-example.local -resources: {} +resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" + # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little # resources, such as Minikube. If you do want to specify resources, uncomment the following
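Review bot: In LAB11.md the commands cannot be copied as written: step 1 spells the tool `kubctl`, and in step 3 the example `kubectl exec demo- 5f898f5f4c-2gpnd -- printenv | grep MY_PASS.` has a space inside the pod name and the sentence's full stop inside the backticks. The same trailing full stop sits inside `kubectl get po.` and `spec.template.spec.containers.env.`. Suggest `kubectl`, a pod name without the space, and moving the punctuation outside the code spans. Since `containers` is a list, the path would also read better as `spec.template.spec.containers[].env`.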
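Review bot: k8s/11.md gives every proof as an image hosted on i.ibb.co with empty alt text, while LAB11.md step 2 asks for the output of the commands inside the file. Externally hosted screenshots can disappear and cannot be searched or diffed, and the "Decode secret" capture lives outside the repository's access control. Suggest pasting the command output as text in the file, with the decoded value masked.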
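Review bot: k8s/secrets.yaml is encrypted to a single PGP recipient (`fp: 8963F045E474951F9FAB08801DBBA7A58A0FC87A`, with `kms: []` and `gcp_kms: []`), so only the holder of that private key can decrypt it and the teammates asked to review this PR cannot install the chart. If the key is lost, the value is unrecoverable. Suggest adding a second recipient or a shared key. The file also sits outside the `timeweb` chart, and nothing in 11.md says how it is passed to `helm install`, so a sentence naming the decryption step and the values-file argument would help. The `*.dec` entry in k8s/.gitignore only protects decrypted copies that keep that suffix.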
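Review bot: In k8s/timeweb/templates/deployment.yaml the new `secretKeyRef` hardcodes `name: secrets`, which is not scoped to the release. A second release of this chart in the same namespace, or any other chart that also creates a Secret called `secrets`, will collide with it. Suggest deriving the name from the release in both this reference and the Secret template (for example through the chart's fullname helper, if the chart kept the one `helm create` generates) so the two always match.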
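Review bot: In k8s/timeweb/templates/secrets.yaml the line `mysupersecret: {{ .Values.mysupersecret | b64enc | quote }}` has no guard for the value being absent, and the values.yaml change in this patch does not define a `mysupersecret` key. An install that forgets the decrypted values file then either fails with an unhelpful template error or produces a Secret that does not hold the intended value. Suggest wrapping the value in Helm's `required` function with a message naming the missing key, for example `{{ required "mysupersecret must be set" .Values.mysupersecret | b64enc | quote }}`. The metadata name `secrets` is also fixed here and should change together with the reference in deployment.yaml.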
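Review bot: In k8s/timeweb/values.yaml the comment that follows the new `resources:` block still says "We usually recommend not to specify default resources" and ends with "uncomment the following", which now contradicts the requests and limits set just above it. Suggest deleting the comment or rewriting it to explain why these defaults were chosen (`64Mi`/`250m` requests, `128Mi`/`500m` limits), and removing any commented-out sample block that may follow it so the file shows one set of values.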