Lab11

LAB11.md

@@ -0,0 +1,54 @@
+# 11
+
+## K8s secrets and resources
+
+### 10 points
+
+In this lab you will figure out how to manage sensitive data such as a password, a token, or a key in kubernetes. Then you will set up CPU and memory limits for your app.
+
+1. Create a secret in your cluster using `kubctl`.
+
+    * [Secrets](https://kubernetes.io/docs/concepts/configuration/secret/)
+    * [Managing secrets](https://kubernetes.io/docs/tasks/configmap-secret/managing-secret-using-kubectl/#decoding-secret)
+
+2. Verify and decode your secret, then create 11.md in the k8s folder and provide the output of the commands inside.
+
+3. So we'll skip configuration file for secret, let's use helm.
+
+    * You need to create `secrets.yaml` file in `templates` folder.
+    * Create a `secret` object inside.
+    * Add `env` field to your `Deployment`. Path that you will need: `spec.template.spec.containers.env.`
+
+        > [Helm secrets](https://www.youtube.com/watch?v=hRSlKRvYe1A)
+
+    * Update your helm deployment (instructions are present in the video). Get pods: `kubectl get po.` Use the name of the pod to provide a proof of your success. Check your secret inside pod, example: `kubectl exec demo- 5f898f5f4c-2gpnd -- printenv | grep MY_PASS.`
+
+4. Read about Resources management:
+
+    * [Resource management](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/)
+
+5. Set up requests and limits for CPU and memory for your application and test that it works.
+
+6. Create a PR to the forked repo lab11 branch, ask your teammates to review it and review PRs of your teammates.
+
+7. Create a PR in your own repository from the lab11 branch to the lab10 one. It will help us with grading.
+
+### List of requirements
+
+* proof of work with a secret in 11.md for the step 2
+* secrets.yaml
+* proof of work with  a secret in 11.md for the step 3
+* resource requests and limits for cpu and memory
+
+## Bonus
+
+### 2 points
+
+1. Add environment variables for your containers:
+
+   * Read about it:
+
+       * [K8s env vars](https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/)
+
+   * Update your helm chart with several environment variables, but use named templates, move them to `_helpers.tpl` file:
+       * [Helm named templates](https://helm.sh/docs/chart_template_guide/named_templates/)

k8s/.gitignore

@@ -0,0 +1 @@
+*.dec

k8s/11.md

@@ -0,0 +1,21 @@
+# k8s secrets
+
+* Verify secret
+
+![](https://i.ibb.co/djxg1VT/1.png)
+
+* Decode secret
+
+![](https://i.ibb.co/yVVDR3b/2.png)
+
+* Created secrets and install the app
+
+![](https://i.ibb.co/MnMbWNW/3.png)
+
+* Check that the secret is in envs
+
+![](https://i.ibb.co/VJjHJGz/4.png)
+
+* Apply resources requests and limits
+
+![](https://i.ibb.co/JCBhHz4/5.png)

k8s/secrets.yaml

@@ -0,0 +1,27 @@
+mysupersecret: ENC[AES256_GCM,data:qmYMOKMUORFnsYo=,iv:fvO12q/kusb01PDqFhFLgu0k3oEOrMEupTV6GeAEPGc=,tag:1wF56n5IjjarD8hXutS7UA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    lastmodified: '2022-11-14T12:57:47Z'
+    mac: ENC[AES256_GCM,data:2JrHoYXalnru+oZpz+d+7lzYP6SDGFN/Qo9WZCNDYTxG1eSyWwM5h4HJHT1WwL0BJXbiCDMh36I83THPhNlPEGQ8MRSObpgmcBc+/vGXOxCbAB/EVu8NFh9sp2JRoBqH4x3hVVqBf0ME/0BNaNI2qKO+Wq1t659qkjDLcM0M1ts=,iv:Zrivs0x2RnKE01TaW+T4MPTqd19Xn2oHp7wm9fKbkfg=,tag:bUgeTEe6Wx7Uj27N5oyCdw==,type:str]
+    pgp:
+    -   created_at: '2022-11-14T12:57:34Z'
+        enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQGMA/6XL2lOyjutAQv/dH4ZxyPYpTm/LbSs2BrCeIb73Wtya5meghYFh2UqKlze
+            5SBZu86Zv0sDNXTqDGLfi4316PuanBeq/85WN3LuTSvg2Ht3YE67/AGRYTzH/XDJ
+            gl/UxcXj/ylOanwBCv/HpmL6e+Br0zxTw+16LWcgPP2ai6I7ual7q/C+f2lNuY3p
+            z9ZRLikQXjAwCJoTylsVvsmzRUqo2aZ+MRm2MPvDHViAYCylIzfUUw398Biw/HDz
+            2Ed1FkLsXzvRVmvu9xkh+h3yRbY35cZxlAvMill0gGfKDcj5gpKy9rWMFQaI4asc
+            NxYPg16sx/m/Era6NzYf/tNslVt9w2hL5KdbNtVfXPmFd14QamT0jMAJ9AvdVeCg
+            AFjNAq5yRzdTvdLfRNJPdSeDCpdlMq8y5RI64yCu3YAvECg0o8vHgSqgxjnX78Ub
+            tuvMT1NzTQiejZnYnc+ElKxzAus/fMNjpMTQTduki3hxnV3dsK5qdMz7jRWNFBsZ
+            gvAGQ6Ic4+LlSzMG8txF0l4BiBgK7szPUede1knySwwN475LtM1lUv2jz7NJCoEJ
+            JlU2UYTJhHizflO981o8r+ZUQBmi9vKftQKM4dzBLdv8IUbuQlGPXpBiV0A30wcL
+            AluAaS4c5JkcX05RhOlD
+            =6R08
+            -----END PGP MESSAGE-----
+        fp: 8963F045E474951F9FAB08801DBBA7A58A0FC87A
+    unencrypted_suffix: _unencrypted
+    version: 3.0.3

k8s/timeweb/templates/deployment.yaml

@@ -33,6 +33,12 @@ spec:
             {{- toYaml .Values.securityContext | nindent 12 }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          env:
+            - name: TEST_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: secrets
+                  key: mysupersecret
           ports:
             - name: http
               containerPort: 50000

k8s/timeweb/templates/secrets.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: secrets
+  labels:
+    {{- include "timeweb.labels" . | nindent 4 }}
+data:
+  mysupersecret: {{ .Values.mysupersecret | b64enc | quote }}

k8s/timeweb/values.yaml

@@ -57,7 +57,14 @@ ingress:
   #    hosts:
   #      - chart-example.local
 
-resources: {}
+resources:
+  requests:
+    memory: "64Mi"
+    cpu: "250m"
+  limits:
+    memory: "128Mi"
+    cpu: "500m"
+
   # We usually recommend not to specify default resources and to leave this as a conscious
   # choice for the user. This also increases chances charts run on environments with little
   # resources, such as Minikube. If you do want to specify resources, uncomment the following