From 580a6b3f4845819daab12965a630e602c3bb87f2 Mon Sep 17 00:00:00 2001 From: Lachlan Evenson Date: Mon, 29 Jan 2024 20:16:09 -0800 Subject: [PATCH 01/10] Chapter 5 & 8 Signed-off-by: Lachlan Evenson --- 5-1-kuard-pod.yaml | 12 ++++++------ 5-2-kuard-pod-health.yaml | 2 +- 5-3-kaurd-pod-resreq.yaml | 2 +- 8-1-kuard-rs.yaml | 25 ------------------------- 8-1-simple-ingress.yaml | 10 ++++++++++ 8-2-host-ingress.yaml | 21 +++++++++++++++++++++ 8-3-path-ingress.yaml | 23 +++++++++++++++++++++++ 8-4-tls-secret.yaml | 9 +++++++++ 8-5-tls-ingress.yaml | 20 ++++++++++++++++++++ 9 files changed, 91 insertions(+), 33 deletions(-) delete mode 100644 8-1-kuard-rs.yaml create mode 100644 8-1-simple-ingress.yaml create mode 100644 8-2-host-ingress.yaml create mode 100644 8-3-path-ingress.yaml create mode 100644 8-4-tls-secret.yaml create mode 100644 8-5-tls-ingress.yaml diff --git a/5-1-kuard-pod.yaml b/5-1-kuard-pod.yaml index b1dc580..f7795da 100644 --- a/5-1-kuard-pod.yaml +++ b/5-1-kuard-pod.yaml @@ -4,9 +4,9 @@ metadata: name: kuard spec: containers: - - image: gcr.io/kuar-demo/kuard-amd64:1 - name: kuard - ports: - - containerPort: 8080 - name: http - protocol: TCP + - image: gcr.io/kuar-demo/kuard-amd64:blue + name: kuard + ports: + - containerPort: 8080 + name: http + protocol: TCP diff --git a/5-2-kuard-pod-health.yaml b/5-2-kuard-pod-health.yaml index f85c949..59efb02 100644 --- a/5-2-kuard-pod-health.yaml +++ b/5-2-kuard-pod-health.yaml @@ -4,7 +4,7 @@ metadata: name: kuard spec: containers: - - image: gcr.io/kuar-demo/kuard-amd64:1 + - image: gcr.io/kuar-demo/kuard-amd64:blue name: kuard livenessProbe: httpGet: diff --git a/5-3-kaurd-pod-resreq.yaml b/5-3-kaurd-pod-resreq.yaml index 8f7e5b3..efb95d7 100644 --- a/5-3-kaurd-pod-resreq.yaml +++ b/5-3-kaurd-pod-resreq.yaml @@ -4,7 +4,7 @@ metadata: name: kuard spec: containers: - - image: gcr.io/kuar-demo/kuard-amd64:1 + - image: gcr.io/kuar-demo/kuard-amd64:blue name: kuard resources: requests: 
diff --git a/8-1-kuard-rs.yaml b/8-1-kuard-rs.yaml deleted file mode 100644 index 0cad32d..0000000 --- a/8-1-kuard-rs.yaml +++ /dev/null @@ -1,25 +0,0 @@ -apiVersion: apps/v1 -kind: ReplicaSet -metadata: - labels: - app: kuard - version: "2" - name: kuard - labels: - app: kuard - version: "2" -spec: - replicas: 1 - selector: - matchLabels: - app: kuard - version: "2" - template: - metadata: - labels: - app: kuard - version: "2" - spec: - containers: - - name: kuard - image: "gcr.io/kuar-demo/kuard-amd64:2" diff --git a/8-1-simple-ingress.yaml b/8-1-simple-ingress.yaml new file mode 100644 index 0000000..23464f8 --- /dev/null +++ b/8-1-simple-ingress.yaml @@ -0,0 +1,10 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: simple-ingress +spec: + defaultBackend: + service: + name: alpaca + port: + number: 8080 diff --git a/8-2-host-ingress.yaml b/8-2-host-ingress.yaml new file mode 100644 index 0000000..fb6120a --- /dev/null +++ b/8-2-host-ingress.yaml @@ -0,0 +1,21 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: host-ingress +spec: + defaultBackend: + service: + name: be-default + port: + number: 8080 + rules: + - host: alpaca.example.com + http: + paths: + - pathType: Prefix + path: / + backend: + service: + name: alpaca + port: + number: 8080 diff --git a/8-3-path-ingress.yaml b/8-3-path-ingress.yaml new file mode 100644 index 0000000..8a41a44 --- /dev/null +++ b/8-3-path-ingress.yaml @@ -0,0 +1,23 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: path-ingress +spec: + rules: + - host: bandicoot.example.com + http: + paths: + - pathType: Prefix + path: "/" + backend: + service: + name: bandicoot + port: + number: 8080 + - pathType: Prefix + path: "/a/" + backend: + service: + name: alpaca + port: + number: 8080 diff --git a/8-4-tls-secret.yaml b/8-4-tls-secret.yaml new file mode 100644 index 0000000..684fc34 --- /dev/null +++ b/8-4-tls-secret.yaml 
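Review bot: None of the new Ingress objects sets `spec.ingressClassName` — 8-1-simple-ingress.yaml in this hunk, and 8-2-host-ingress.yaml, 8-3-path-ingress.yaml and 8-5-tls-ingress.yaml in the following ones — so on a cluster with no IngressClass marked as default they are accepted by the API server but never picked up by any controller, which is a confusing failure mode for a tutorial manifest. Adding `  ingressClassName: <INGRESS-CLASS-PLACEHOLDER>` under `spec:` (the placeholder standing for the class installed in the reader's cluster) makes the intended controller explicit. A minor style point: 8-2-host-ingress.yaml writes `path: /` while 8-3 and 8-5 quote it as `path: "/"`; using one form throughout makes the files easier to compare.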
@@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + name: tls-secret-name +type: kubernetes.io/tls +data: + tls.crt: + tls.key: diff --git a/8-5-tls-ingress.yaml b/8-5-tls-ingress.yaml new file mode 100644 index 0000000..4573092 --- /dev/null +++ b/8-5-tls-ingress.yaml @@ -0,0 +1,20 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: tls-ingress +spec: + tls: + - hosts: + - alpaca.example.com + secretName: tls-secret-name + rules: + - host: alpaca.example.com + http: + paths: + - pathType: Prefix + path: "/" + backend: + service: + name: alpaca + port: + number: 8080 From 99be61b40fbf633547eab52ce36dc5dce53d7679 Mon Sep 17 00:00:00 2001 From: Lachlan Evenson Date: Mon, 29 Jan 2024 20:19:04 -0800 Subject: [PATCH 02/10] Fixed 5-1-kuard-pod.yaml formatting Signed-off-by: Lachlan Evenson --- 5-1-kuard-pod.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/5-1-kuard-pod.yaml b/5-1-kuard-pod.yaml index f7795da..1e15dd8 100644 --- a/5-1-kuard-pod.yaml +++ b/5-1-kuard-pod.yaml @@ -4,9 +4,9 @@ metadata: name: kuard spec: containers: - - image: gcr.io/kuar-demo/kuard-amd64:blue - name: kuard - ports: - - containerPort: 8080 - name: http - protocol: TCP + - image: gcr.io/kuar-demo/kuard-amd64:blue + name: kuard + ports: + - containerPort: 8080 + name: http + protocol: TCP From 7656b6a734af24b1f54a72d53bea855d31762d32 Mon Sep 17 00:00:00 2001 From: Lachlan Evenson Date: Mon, 29 Jan 2024 20:24:13 -0800 Subject: [PATCH 03/10] Chapter 9 updates Signed-off-by: Lachlan Evenson --- 9-1-fluentd.yaml | 38 ------------------------------------- 9-1-kuard-rs.yaml | 26 +++++++++++++++++++++++++ 9-2-nginx-fast-storage.yaml | 23 ---------------------- 3 files changed, 26 insertions(+), 61 deletions(-) delete mode 100644 9-1-fluentd.yaml create mode 100644 9-1-kuard-rs.yaml delete mode 100644 9-2-nginx-fast-storage.yaml 
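Review bot: `tls.crt:` and `tls.key:` in 8-4-tls-secret.yaml are left with empty values and nothing in the file says they must hold base64-encoded PEM, so applying it as-is creates a `kubernetes.io/tls` Secret that 8-5-tls-ingress.yaml references via `secretName: tls-secret-name` but that cannot yield a usable certificate. A comment above `data:` such as `# base64-encoded PEM certificate chain and private key; generate with kubectl create secret tls --dry-run=client -o yaml rather than pasting key material into this file` would make the intent clear and steer readers away from committing private keys to the repository. `creationTimestamp: null` looks like a leftover of exactly that generated output and can be dropped.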
diff --git a/9-1-fluentd.yaml b/9-1-fluentd.yaml deleted file mode 100644 index ca46c0a..0000000 --- a/9-1-fluentd.yaml +++ /dev/null @@ -1,38 +0,0 @@ -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: fluentd - labels: - app: fluentd -spec: - selector: - matchLabels: - app: fluentd - template: - metadata: - labels: - app: fluentd - spec: - containers: - - name: fluentd - image: fluent/fluentd:v0.14.10 - resources: - limits: - memory: 200Mi - requests: - cpu: 100m - memory: 200Mi - volumeMounts: - - name: varlog - mountPath: /var/log - - name: varlibdockercontainers - mountPath: /var/lib/docker/containers - readOnly: true - terminationGracePeriodSeconds: 30 - volumes: - - name: varlog - hostPath: - path: /var/log - - name: varlibdockercontainers - hostPath: - path: /var/lib/docker/containers diff --git a/9-1-kuard-rs.yaml b/9-1-kuard-rs.yaml new file mode 100644 index 0000000..c9d8474 --- /dev/null +++ b/9-1-kuard-rs.yaml @@ -0,0 +1,26 @@ +apiVersion: apps/v1 +kind: ReplicaSet +metadata: + labels: + app: kuard + version: "2" + name: kuard +spec: + replicas: 1 + selector: + matchLabels: + app: kuard + version: "2" + template: + metadata: + labels: + app: kuard + version: "2" + spec: + containers: + - name: kuard + image: "gcr.io/kuar-demo/kuard-amd64:green" + resources: + requests: + cpu: "500m" + memory: "128Mi" diff --git a/9-2-nginx-fast-storage.yaml b/9-2-nginx-fast-storage.yaml deleted file mode 100644 index 8e66746..0000000 --- a/9-2-nginx-fast-storage.yaml +++ /dev/null @@ -1,23 +0,0 @@ -apiVersion: apps/v1 -kind: "DaemonSet" -metadata: - labels: - app: nginx - ssd: "true" - name: nginx-fast-storage -spec: - selector: - matchLabels: - app: nginx - ssd: "true" - template: - metadata: - labels: - app: nginx - ssd: "true" - spec: - nodeSelector: - ssd: "true" - containers: - - name: nginx - image: nginx:1.10.0 From 793b4f897d39d00eecd2ecdfaa90ccb813730532 Mon Sep 17 00:00:00 2001 
From: Lachlan Evenson Date: Mon, 29 Jan 2024 20:28:43 -0800 Subject: [PATCH 04/10] Chapter 10 updates Signed-off-by: Lachlan Evenson --- 10-1-job-oneshot.yaml | 21 --------------------- 10-1-kuard-deployment.yaml | 19 +++++++++++++++++++ 10-2-job-oneshot-failure1.yaml | 22 ---------------------- 10-3-job-parallel.yaml | 23 ----------------------- 10-4-rs-queue.yaml | 26 -------------------------- 10-5-service-queue.yaml | 16 ---------------- 10-6-load-queue.sh | 9 --------- 10-7-job-consumers.yaml | 27 --------------------------- 8 files changed, 19 insertions(+), 144 deletions(-) delete mode 100644 10-1-job-oneshot.yaml create mode 100644 10-1-kuard-deployment.yaml delete mode 100644 10-2-job-oneshot-failure1.yaml delete mode 100644 10-3-job-parallel.yaml delete mode 100644 10-4-rs-queue.yaml delete mode 100644 10-5-service-queue.yaml delete mode 100644 10-6-load-queue.sh delete mode 100644 10-7-job-consumers.yaml diff --git a/10-1-job-oneshot.yaml b/10-1-job-oneshot.yaml deleted file mode 100644 index 063ba65..0000000 --- a/10-1-job-oneshot.yaml +++ /dev/null @@ -1,21 +0,0 @@ -apiVersion: batch/v1 -kind: Job -metadata: - name: oneshot - labels: - chapter: jobs -spec: - template: - metadata: - labels: - chapter: jobs - spec: - containers: - - name: kuard - image: gcr.io/kuar-demo/kuard-amd64:1 - imagePullPolicy: Always - args: - - "--keygen-enable" - - "--keygen-exit-on-complete" - - "--keygen-num-to-gen=10" - restartPolicy: OnFailure diff --git a/10-1-kuard-deployment.yaml b/10-1-kuard-deployment.yaml new file mode 100644 index 0000000..701f695 --- /dev/null +++ b/10-1-kuard-deployment.yaml @@ -0,0 +1,19 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: kuard + labels: + run: kuard +spec: + selector: + matchLabels: + run: kuard + replicas: 1 + template: + metadata: + labels: + run: kuard + spec: + containers: + - name: kuard + image: gcr.io/kuar-demo/kuard-amd64:blue 
diff --git a/10-2-job-oneshot-failure1.yaml b/10-2-job-oneshot-failure1.yaml deleted file mode 100644 index 88af786..0000000 --- a/10-2-job-oneshot-failure1.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: batch/v1 -kind: Job -metadata: - name: oneshot - labels: - chapter: jobs -spec: - template: - metadata: - labels: - chapter: jobs - spec: - containers: - - name: kuard - image: gcr.io/kuar-demo/kuard-amd64:1 - imagePullPolicy: Always - args: - - "--keygen-enable" - - "--keygen-exit-on-complete" - - "--keygen-exit-code=1" - - "--keygen-num-to-gen=3" - restartPolicy: OnFailure diff --git a/10-3-job-parallel.yaml b/10-3-job-parallel.yaml deleted file mode 100644 index c8ef106..0000000 --- a/10-3-job-parallel.yaml +++ /dev/null @@ -1,23 +0,0 @@ -apiVersion: batch/v1 -kind: Job -metadata: - name: parallel - labels: - chapter: jobs -spec: - parallelism: 5 - completions: 10 - template: - metadata: - labels: - chapter: jobs - spec: - containers: - - name: kuard - image: gcr.io/kuar-demo/kuard-amd64:1 - imagePullPolicy: Always - args: - - "--keygen-enable" - - "--keygen-exit-on-complete" - - "--keygen-num-to-gen=10" - restartPolicy: OnFailure diff --git a/10-4-rs-queue.yaml b/10-4-rs-queue.yaml deleted file mode 100644 index 28c9363..0000000 --- a/10-4-rs-queue.yaml +++ /dev/null @@ -1,26 +0,0 @@ -apiVersion: apps/v1 -kind: ReplicaSet -metadata: - labels: - app: work-queue - component: queue - chapter: jobs - name: queue -spec: - replicas: 1 - selector: - matchLabels: - app: work-queue - component: queue - chapter: jobs - template: - metadata: - labels: - app: work-queue - component: queue - chapter: jobs - spec: - containers: - - name: queue - image: "gcr.io/kuar-demo/kuard-amd64:1" - imagePullPolicy: Always diff --git a/10-5-service-queue.yaml b/10-5-service-queue.yaml deleted file mode 100644 index 883cbc4..0000000 --- a/10-5-service-queue.yaml +++ /dev/null 
@@ -1,16 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - labels: - app: work-queue - component: queue - chapter: jobs - name: queue -spec: - ports: - - port: 8080 - protocol: TCP - targetPort: 8080 - selector: - app: work-queue - component: queue diff --git a/10-6-load-queue.sh b/10-6-load-queue.sh deleted file mode 100644 index facad66..0000000 --- a/10-6-load-queue.sh +++ /dev/null @@ -1,9 +0,0 @@ - -# Create a work queue called 'keygen' -curl -X PUT localhost:8080/memq/server/queues/keygen - -# Create 100 work items and load up the queue. -for i in work-item-{0..99}; do - curl -X POST localhost:8080/memq/server/queues/keygen/enqueue \ - -d "$i" -done diff --git a/10-7-job-consumers.yaml b/10-7-job-consumers.yaml deleted file mode 100644 index 9832fb5..0000000 --- a/10-7-job-consumers.yaml +++ /dev/null @@ -1,27 +0,0 @@ -apiVersion: batch/v1 -kind: Job -metadata: - labels: - app: message-queue - component: consumer - chapter: jobs - name: consumers -spec: - parallelism: 5 - template: - metadata: - labels: - app: message-queue - component: consumer - chapter: jobs - spec: - containers: - - name: worker - image: "gcr.io/kuar-demo/kuard-amd64:1" - imagePullPolicy: Always - args: - - "--keygen-enable" - - "--keygen-exit-on-complete" - - "--keygen-memq-server=http://queue:8080/memq/server" - - "--keygen-memq-queue=keygen" - restartPolicy: OnFailure From 617d608be4a7f6311285f03f4beb417fc6e54d66 Mon Sep 17 00:00:00 2001 From: Lachlan Evenson Date: Mon, 29 Jan 2024 20:53:29 -0800 Subject: [PATCH 05/10] Chapter 11 & 12 updates 
Signed-off-by: Lachlan Evenson --- 11-1-fluentd.yaml | 38 ++++++++++++++++++++++++++++++++++ 11-1-simple-config.txt | 3 --- 11-2-kuard-config.yaml | 31 --------------------------- 11-2-nginx-fast-storage.yaml | 23 ++++++++++++++++++++ 11-3-kuard-secret.yaml | 17 --------------- 11-4-kuard-secret-ips.yaml | 19 ----------------- 12-1-job-oneshot.yaml | 18 ++++++++++++++++ 12-2-job-oneshot-failure1.yaml | 24 +++++++++++++++++++++ 12-3-job-parallel.yaml | 25 ++++++++++++++++++++++ 12-4-rs-queue.yaml | 26 +++++++++++++++++++++++ 12-5-service-queue.yaml | 16 ++++++++++++++ 12-6-load-queue.sh | 9 ++++++++ 12-7-job-consumers.yaml | 29 ++++++++++++++++++++++++++ 13 files changed, 208 insertions(+), 70 deletions(-) create mode 100644 11-1-fluentd.yaml delete mode 100644 11-1-simple-config.txt delete mode 100644 11-2-kuard-config.yaml create mode 100644 11-2-nginx-fast-storage.yaml delete mode 100644 11-3-kuard-secret.yaml delete mode 100644 11-4-kuard-secret-ips.yaml create mode 100644 12-1-job-oneshot.yaml create mode 100644 12-2-job-oneshot-failure1.yaml create mode 100644 12-3-job-parallel.yaml create mode 100644 12-4-rs-queue.yaml create mode 100644 12-5-service-queue.yaml create mode 100755 12-6-load-queue.sh create mode 100644 12-7-job-consumers.yaml diff --git a/11-1-fluentd.yaml b/11-1-fluentd.yaml new file mode 100644 index 0000000..ca46c0a --- /dev/null +++ b/11-1-fluentd.yaml 
@@ -0,0 +1,38 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: fluentd + labels: + app: fluentd +spec: + selector: + matchLabels: + app: fluentd + template: + metadata: + labels: + app: fluentd + spec: + containers: + - name: fluentd + image: fluent/fluentd:v0.14.10 + resources: + limits: + memory: 200Mi + requests: + cpu: 100m + memory: 200Mi + volumeMounts: + - name: varlog + mountPath: /var/log + - name: varlibdockercontainers + mountPath: /var/lib/docker/containers + readOnly: true + terminationGracePeriodSeconds: 30 + volumes: + - name: varlog + hostPath: + path: /var/log + - name: varlibdockercontainers + hostPath: + path: /var/lib/docker/containers diff --git a/11-1-simple-config.txt b/11-1-simple-config.txt deleted file mode 100644 index 5398066..0000000 --- a/11-1-simple-config.txt +++ /dev/null @@ -1,3 +0,0 @@ -# This is a sample config file that I might use to configure an application -parameter1 = value1 -parameter2 = value2 diff --git a/11-2-kuard-config.yaml b/11-2-kuard-config.yaml deleted file mode 100644 index efeb6be..0000000 --- a/11-2-kuard-config.yaml +++ /dev/null @@ -1,31 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: kuard-config -spec: - containers: - - name: test-container - image: gcr.io/kuar-demo/kuard-amd64:1 - imagePullPolicy: Always - command: - - "/kuard" - - "$(EXTRA_PARAM)" - env: - - name: ANOTHER_PARAM - valueFrom: - configMapKeyRef: - name: my-config - key: another-param - - name: EXTRA_PARAM - valueFrom: - configMapKeyRef: - name: my-config - key: extra-param - volumeMounts: - - name: config-volume - mountPath: /config - volumes: - - name: config-volume - configMap: - name: my-config - restartPolicy: Never diff --git a/11-2-nginx-fast-storage.yaml b/11-2-nginx-fast-storage.yaml new file mode 100644 index 0000000..90ab57a --- /dev/null +++ b/11-2-nginx-fast-storage.yaml 
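Review bot: The `varlog` hostPath mount in 11-1-fluentd.yaml (`mountPath: /var/log`) has no `readOnly: true`, unlike the `varlibdockercontainers` mount directly below it, so the fluentd container can write into the node's log directory although shipping logs only needs to read it; adding `readOnly: true` to that volumeMount brings it in line with the other one. The file is carried over unchanged from the deleted 9-1-fluentd.yaml (same blob ca46c0a), so the point applies to the earlier copy as well. Both hostPath volumes also require the namespace to allow the privileged Pod Security level, and `/var/lib/docker/containers` presumes a Docker runtime, so a short comment stating those assumptions would help readers on current clusters.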
@@ -0,0 +1,23 @@ +apiVersion: apps/v1 +kind: 1DaemonSet +metadata: + labels: + app: nginx + ssd: "true" + name: nginx-fast-storage +spec: + selector: + matchLabels: + app: nginx + ssd: "true" + template: + metadata: + labels: + app: nginx + ssd: "true" + spec: + nodeSelector: + ssd: "true" + containers: + - name: nginx + image: nginx:1.10.0 diff --git a/11-3-kuard-secret.yaml b/11-3-kuard-secret.yaml deleted file mode 100644 index 3b1e41d..0000000 --- a/11-3-kuard-secret.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: kuard-tls -spec: - containers: - - name: kuard-tls - image: gcr.io/kuar-demo/kuard-amd64:1 - imagePullPolicy: Always - volumeMounts: - - name: tls-certs - mountPath: "/tls" - readOnly: true - volumes: - - name: tls-certs - secret: - secretName: kuard-tls diff --git a/11-4-kuard-secret-ips.yaml b/11-4-kuard-secret-ips.yaml deleted file mode 100644 index ae4c6da..0000000 --- a/11-4-kuard-secret-ips.yaml +++ /dev/null @@ -1,19 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: kuard-tls -spec: - containers: - - name: kuard-tls - image: gcr.io/kuar-demo/kuard-amd64:1 - imagePullPolicy: Always - volumeMounts: - - name: tls-certs - mountPath: "/tls" - readOnly: true - imagePullSecrets: - - name: my-image-pull-secret - volumes: - - name: tls-certs - secret: - secretName: kuard-tls diff --git a/12-1-job-oneshot.yaml b/12-1-job-oneshot.yaml new file mode 100644 index 0000000..3e62b73 --- /dev/null +++ b/12-1-job-oneshot.yaml @@ -0,0 +1,18 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: oneshot +spec: + template: + spec: + containers: + - name: kuard + image: gcr.io/kuar-demo/kuard-amd64:blue + imagePullPolicy: Always + command: + - "/kuard" + args: + - "--keygen-enable" + - "--keygen-exit-on-complete" + - "--keygen-num-to-gen=10" + restartPolicy: OnFailure diff --git a/12-2-job-oneshot-failure1.yaml b/12-2-job-oneshot-failure1.yaml new file mode 100644 index 0000000..48b428a --- /dev/null 
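Review bot: `kind: 1DaemonSet` on the second line of 11-2-nginx-fast-storage.yaml is not a Kubernetes kind; the deleted 9-2-nginx-fast-storage.yaml had `kind: "DaemonSet"`, so the stray `1` looks like a keystroke introduced while moving the file, and `kubectl apply` will reject the manifest with a no-matches-for-kind error. The line should read `kind: DaemonSet`. Running `kubectl apply --dry-run=server` or a schema linter over the manifests in CI would catch this class of typo before it is published.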
+++ b/12-2-job-oneshot-failure1.yaml @@ -0,0 +1,24 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: oneshot + labels: + chapter: jobs +spec: + template: + metadata: + labels: + chapter: jobs + spec: + containers: + - name: kuard + image: gcr.io/kuar-demo/kuard-amd64:blue + imagePullPolicy: Always + command: + - "/kuard" + args: + - "--keygen-enable" + - "--keygen-exit-on-complete" + - "--keygen-exit-code=1" + - "--keygen-num-to-gen=3" + restartPolicy: OnFailure diff --git a/12-3-job-parallel.yaml b/12-3-job-parallel.yaml new file mode 100644 index 0000000..1e78fe8 --- /dev/null +++ b/12-3-job-parallel.yaml @@ -0,0 +1,25 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: parallel + labels: + chapter: jobs +spec: + parallelism: 5 + completions: 10 + template: + metadata: + labels: + chapter: jobs + spec: + containers: + - name: kuard + image: gcr.io/kuar-demo/kuard-amd64:blue + imagePullPolicy: Always + command: + - "/kuard" + args: + - "--keygen-enable" + - "--keygen-exit-on-complete" + - "--keygen-num-to-gen=10" + restartPolicy: OnFailure diff --git a/12-4-rs-queue.yaml b/12-4-rs-queue.yaml new file mode 100644 index 0000000..6e6bc94 --- /dev/null +++ b/12-4-rs-queue.yaml @@ -0,0 +1,26 @@ +apiVersion: apps/v1 +kind: ReplicaSet +metadata: + labels: + app: work-queue + component: queue + chapter: jobs + name: queue +spec: + replicas: 1 + selector: + matchLabels: + app: work-queue + component: queue + chapter: jobs + template: + metadata: + labels: + app: work-queue + component: queue + chapter: jobs + spec: + containers: + - name: queue + image: "gcr.io/kuar-demo/kuard-amd64:blue" + imagePullPolicy: Always diff --git a/12-5-service-queue.yaml b/12-5-service-queue.yaml new file mode 100644 index 0000000..883cbc4 --- /dev/null +++ b/12-5-service-queue.yaml 
@@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app: work-queue + component: queue + chapter: jobs + name: queue +spec: + ports: + - port: 8080 + protocol: TCP + targetPort: 8080 + selector: + app: work-queue + component: queue diff --git a/12-6-load-queue.sh b/12-6-load-queue.sh new file mode 100755 index 0000000..facad66 --- /dev/null +++ b/12-6-load-queue.sh @@ -0,0 +1,9 @@ + +# Create a work queue called 'keygen' +curl -X PUT localhost:8080/memq/server/queues/keygen + +# Create 100 work items and load up the queue. +for i in work-item-{0..99}; do + curl -X POST localhost:8080/memq/server/queues/keygen/enqueue \ + -d "$i" +done diff --git a/12-7-job-consumers.yaml b/12-7-job-consumers.yaml new file mode 100644 index 0000000..00865bf --- /dev/null +++ b/12-7-job-consumers.yaml @@ -0,0 +1,29 @@ +apiVersion: batch/v1 +kind: Job +metadata: + labels: + app: message-queue + component: consumer + chapter: jobs + name: consumers +spec: + parallelism: 5 + template: + metadata: + labels: + app: message-queue + component: consumer + chapter: jobs + spec: + containers: + - name: worker + image: "gcr.io/kuar-demo/kuard-amd64:blue" + imagePullPolicy: Always + command: + - "/kuard" + args: + - "--keygen-enable" + - "--keygen-exit-on-complete" + - "--keygen-memq-server=http://queue:8080/memq/server" + - "--keygen-memq-queue=keygen" + restartPolicy: OnFailure From 538e70a3277bbf0cd6d28bfb62cab50bc6b1bb68 Mon Sep 17 00:00:00 2001 From: Lachlan Evenson Date: Mon, 29 Jan 2024 21:08:40 -0800 Subject: [PATCH 06/10] Chapter 13 updates 
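Review bot: 12-6-load-queue.sh is created with mode 100755 but its first line is blank and there is no shebang, so how it runs when executed directly depends on the caller: bash re-runs it itself, while an execve from another program fails with ENOEXEC or falls back to `/bin/sh`, where the bash-only brace expansion `work-item-{0..99}` is not expanded and a single literal item is enqueued. Replacing the blank first line with `#!/usr/bin/env bash` and adding `set -euo pipefail` pins the interpreter and stops the loop from silently continuing after a failed `curl`. The script also presumes the queue is reachable on `localhost:8080`, presumably through a port-forward; a one-line comment saying so would help readers.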
Signed-off-by: Lachlan Evenson --- 13-1-dns-service.yaml | 7 ----- 13-1-my-config.txt | 3 ++ 13-10-mongo-simple.yaml | 25 ---------------- 13-11-mongo-service.yaml | 11 ------- 13-12-mongo-configmap.yaml | 51 --------------------------------- 13-13-mongo.yaml | 37 ------------------------ 13-2-external-ip-service.yaml | 7 ----- 13-2-kuard-config.yaml | 35 ++++++++++++++++++++++ 13-3-external-ip-endpoints.yaml | 9 ------ 13-3-kuard-secret.yaml | 17 +++++++++++ 13-4-kuard-secret-ips.yaml | 19 ++++++++++++ 13-4-nfs-volume.yaml | 14 --------- 13-5-nfs-volume-claim.yaml | 13 --------- 13-6-mysql-replicaset.yaml | 43 --------------------------- 13-7-mysql-service.yaml | 10 ------- 13-8-storageclass.yaml | 9 ------ 13-9-dynamic-volume-claim.yaml | 12 -------- 14-1-parse.yaml | 26 ----------------- 14-10-redis.yaml | 40 -------------------------- 14-2-parse-service.yaml | 12 -------- 14-3-ghost-config.js | 25 ---------------- 14-4-ghost.yaml | 30 ------------------- 14-4-master.conf | 4 --- 14-5-slave.conf | 6 ---- 14-6-sentinel.conf | 7 ----- 14-7-init.sh | 6 ---- 14-8-sentinel.sh | 8 ------ 14-9-redis-service.yaml | 11 ------- 28 files changed, 74 insertions(+), 423 deletions(-) delete mode 100644 13-1-dns-service.yaml create mode 100644 13-1-my-config.txt delete mode 100644 13-10-mongo-simple.yaml delete mode 100644 13-11-mongo-service.yaml delete mode 100644 13-12-mongo-configmap.yaml delete mode 100644 13-13-mongo.yaml delete mode 100644 13-2-external-ip-service.yaml create mode 100644 13-2-kuard-config.yaml delete mode 100644 13-3-external-ip-endpoints.yaml create mode 100644 13-3-kuard-secret.yaml create mode 100644 13-4-kuard-secret-ips.yaml delete mode 100644 13-4-nfs-volume.yaml delete mode 100644 13-5-nfs-volume-claim.yaml delete mode 100644 13-6-mysql-replicaset.yaml delete mode 100644 13-7-mysql-service.yaml delete mode 100644 13-8-storageclass.yaml delete mode 100644 13-9-dynamic-volume-claim.yaml delete mode 100644 14-1-parse.yaml delete mode 100644 
14-10-redis.yaml delete mode 100644 14-2-parse-service.yaml delete mode 100644 14-3-ghost-config.js delete mode 100644 14-4-ghost.yaml delete mode 100644 14-4-master.conf delete mode 100644 14-5-slave.conf delete mode 100644 14-6-sentinel.conf delete mode 100644 14-7-init.sh delete mode 100644 14-8-sentinel.sh delete mode 100644 14-9-redis-service.yaml diff --git a/13-1-dns-service.yaml b/13-1-dns-service.yaml deleted file mode 100644 index 23a7cd0..0000000 --- a/13-1-dns-service.yaml +++ /dev/null @@ -1,7 +0,0 @@ -kind: Service -apiVersion: v1 -metadata: - name: external-database -spec: - type: ExternalName - externalName: database.company.com diff --git a/13-1-my-config.txt b/13-1-my-config.txt new file mode 100644 index 0000000..5398066 --- /dev/null +++ b/13-1-my-config.txt @@ -0,0 +1,3 @@ +# This is a sample config file that I might use to configure an application +parameter1 = value1 +parameter2 = value2 diff --git a/13-10-mongo-simple.yaml b/13-10-mongo-simple.yaml deleted file mode 100644 index 9ef719f..0000000 --- a/13-10-mongo-simple.yaml +++ /dev/null @@ -1,25 +0,0 @@ -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: mongo -spec: - serviceName: "mongo" - replicas: 3 - selector: - matchLabels: - app: mongo - template: - metadata: - labels: - app: mongo - spec: - containers: - - name: mongodb - image: mongo:3.4.24 - command: - - mongod - - --replSet - - rs0 - ports: - - containerPort: 27017 - name: peer diff --git a/13-11-mongo-service.yaml b/13-11-mongo-service.yaml deleted file mode 100644 index 25a2cf4..0000000 --- a/13-11-mongo-service.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: mongo -spec: - ports: - - port: 27017 - name: peer - clusterIP: None - selector: - app: mongo diff --git a/13-12-mongo-configmap.yaml b/13-12-mongo-configmap.yaml deleted file mode 100644 index caa80bf..0000000 --- a/13-12-mongo-configmap.yaml +++ /dev/null 
@@ -1,51 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: mongo-init -data: - init.sh: | - #!/bin/bash - - # Need to wait for the readiness health check to pass so that the - # mongo names resolve. This is kind of wonky. - until ping -c 1 ${HOSTNAME}.mongo; do - echo "waiting for DNS (${HOSTNAME}.mongo)..." - sleep 2 - done - - until /usr/bin/mongo --eval 'printjson(db.serverStatus())'; do - echo "connecting to local mongo..." - sleep 2 - done - echo "connected to local." - - HOST=mongo-0.mongo:27017 - - until /usr/bin/mongo --host=${HOST} --eval 'printjson(db.serverStatus())'; do - echo "connecting to remote mongo..." - sleep 2 - done - echo "connected to remote." - - if [[ "${HOSTNAME}" != 'mongo-0' ]]; then - until /usr/bin/mongo --host=${HOST} --eval="printjson(rs.status())" \ - | grep -v "no replset config has been received"; do - echo "waiting for replication set initialization" - sleep 2 - done - echo "adding self to mongo-0" - /usr/bin/mongo --host=${HOST} \ - --eval="printjson(rs.add('${HOSTNAME}.mongo'))" - fi - - if [[ "${HOSTNAME}" == 'mongo-0' ]]; then - echo "initializing replica set" - /usr/bin/mongo --eval="printjson(rs.initiate(\ - {'_id': 'rs0', 'members': [{'_id': 0, \ - 'host': 'mongo-0.mongo:27017'}]}))" - fi - echo "initialized" - - while true; do - sleep 3600 - done diff --git a/13-13-mongo.yaml b/13-13-mongo.yaml deleted file mode 100644 index 75f21ed..0000000 --- a/13-13-mongo.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: mongo -spec: - serviceName: "mongo" - replicas: 3 - selector: - matchLabels: - app: mongo - template: - metadata: - labels: - app: mongo - spec: - containers: - - name: mongodb - image: mongo:3.4.1 - command: - - mongod - - --replSet - - rs0 - ports: - - containerPort: 27017 - name: web - - name: init-mongo - image: mongo:3.4.1 - command: - - bash - - /config/init.sh - volumeMounts: - - name: config - mountPath: /config - volumes: - - name: config - configMap: - name: "mongo-init" diff --git a/13-2-external-ip-service.yaml b/13-2-external-ip-service.yaml deleted file mode 100644 index eef45ee..0000000 --- a/13-2-external-ip-service.yaml +++ /dev/null @@ -1,7 +0,0 @@ -kind: Service -apiVersion: v1 -metadata: - name: external-ip-database -spec: - ports: - - port: 3306 diff --git a/13-2-kuard-config.yaml b/13-2-kuard-config.yaml new file mode 100644 index 0000000..5edb44b --- /dev/null +++ b/13-2-kuard-config.yaml @@ -0,0 +1,35 @@ +apiVersion: v1 +kind: Pod +metadata: + name: kuard-config +spec: + containers: + - name: test-container + image: gcr.io/kuar-demo/kuard-amd64:blue + imagePullPolicy: Always + command: + - "/kuard" + - "$(EXTRA_PARAM)" + env: + # An example of an environment variable used inside the container + - name: ANOTHER_PARAM + valueFrom: + configMapKeyRef: + name: my-config + key: another-param + # An example of an environment variable passed to the command to start + # the container (above). + - name: EXTRA_PARAM + valueFrom: + configMapKeyRef: + name: my-config + key: extra-param + volumeMounts: + # Mounting the ConfigMap as a set of files + - name: config-volume + mountPath: /config + volumes: + - name: config-volume + configMap: + name: my-config + restartPolicy: Never diff --git a/13-3-external-ip-endpoints.yaml b/13-3-external-ip-endpoints.yaml deleted file mode 100644 index 208f732..0000000 --- a/13-3-external-ip-endpoints.yaml +++ /dev/null 
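Review bot: The comment above `EXTRA_PARAM` in 13-2-kuard-config.yaml says the variable is "passed to the command" but not how: `$(EXTRA_PARAM)` in `command:` is substituted by the kubelet, not by a shell, and the ConfigMap value becomes exactly one argv element, so it is neither word-split nor subject to shell metacharacter interpretation. Worth stating explicitly, e.g. `# $(EXTRA_PARAM) is substituted by Kubernetes at container start (no shell involved); the whole value becomes a single argument`. Since neither configMapKeyRef sets `optional: true`, a missing `my-config` ConfigMap or key leaves the pod in CreateContainerConfigError rather than starting with an empty value, which is also worth a comment in teaching material.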
@@ -1,9 +0,0 @@ -kind: Endpoints -apiVersion: v1 -metadata: - name: external-ip-database -subsets: - - addresses: - - ip: 192.168.0.1 - ports: - - port: 3306 diff --git a/13-3-kuard-secret.yaml b/13-3-kuard-secret.yaml new file mode 100644 index 0000000..bf064d6 --- /dev/null +++ b/13-3-kuard-secret.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: kuard-tls +spec: + containers: + - name: kuard-tls + image: gcr.io/kuar-demo/kuard-amd64:blue + imagePullPolicy: Always + volumeMounts: + - name: tls-certs + mountPath: "/tls" + readOnly: true + volumes: + - name: tls-certs + secret: + secretName: kuard-tls diff --git a/13-4-kuard-secret-ips.yaml b/13-4-kuard-secret-ips.yaml new file mode 100644 index 0000000..ed1aff2 --- /dev/null +++ b/13-4-kuard-secret-ips.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: kuard-tls +spec: + containers: + - name: kuard-tls + image: gcr.io/kuar-demo/kuard-amd64:blue + imagePullPolicy: Always + volumeMounts: + - name: tls-certs + mountPath: "/tls" + readOnly: true + imagePullSecrets: + - name: my-image-pull-secret + volumes: + - name: tls-certs + secret: + secretName: kuard-tls diff --git a/13-4-nfs-volume.yaml b/13-4-nfs-volume.yaml deleted file mode 100644 index f3ff6cb..0000000 --- a/13-4-nfs-volume.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: v1 -kind: PersistentVolume -metadata: - name: database - labels: - volume: my-volume -spec: - accessModes: - - ReadWriteMany - capacity: - storage: 1Gi - nfs: - server: 192.168.0.1 - path: "/exports" diff --git a/13-5-nfs-volume-claim.yaml b/13-5-nfs-volume-claim.yaml deleted file mode 100644 index 05e76af..0000000 --- a/13-5-nfs-volume-claim.yaml +++ /dev/null @@ -1,13 +0,0 @@ -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: database -spec: - accessModes: - - ReadWriteMany - resources: - requests: - storage: 1Gi - selector: - matchLabels: - volume: my-volume 
diff --git a/13-6-mysql-replicaset.yaml b/13-6-mysql-replicaset.yaml deleted file mode 100644 index 041ef76..0000000 --- a/13-6-mysql-replicaset.yaml +++ /dev/null @@ -1,43 +0,0 @@ -apiVersion: apps/v1 -kind: ReplicaSet -metadata: - name: mysql - # labels so that we can bind a Service to this Pod - labels: - app: mysql -spec: - replicas: 1 - selector: - matchLabels: - app: mysql - template: - metadata: - labels: - app: mysql - spec: - containers: - - name: database - image: mysql - resources: - requests: - cpu: 1 - memory: 2Gi - env: - # Environment variables are not a best practice for security, - # but we're using them here for brevity in the example. - # See Chapter 11 for better options. - - name: MYSQL_ROOT_PASSWORD - value: some-password-here - livenessProbe: - tcpSocket: - port: 3306 - ports: - - containerPort: 3306 - volumeMounts: - - name: database - # /var/lib/mysql is where MySQL stores its databases - mountPath: "/var/lib/mysql" - volumes: - - name: database - persistentVolumeClaim: - claimName: database diff --git a/13-7-mysql-service.yaml b/13-7-mysql-service.yaml deleted file mode 100644 index 521cde2..0000000 --- a/13-7-mysql-service.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: mysql -spec: - ports: - - port: 3306 - protocol: TCP - selector: - app: mysql diff --git a/13-8-storageclass.yaml b/13-8-storageclass.yaml deleted file mode 100644 index 09c93fd..0000000 --- a/13-8-storageclass.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: storage.k8s.io/v1 -kind: StorageClass -metadata: - name: default - annotations: - storageclass.beta.kubernetes.io/is-default-class: "true" - labels: - kubernetes.io/cluster-service: "true" -provisioner: kubernetes.io/azure-disk diff --git a/13-9-dynamic-volume-claim.yaml b/13-9-dynamic-volume-claim.yaml deleted file mode 100644 index ab1637c..0000000 --- a/13-9-dynamic-volume-claim.yaml +++ /dev/null 
@@ -1,12 +0,0 @@ -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: my-claim - annotations: - volume.beta.kubernetes.io/storage-class: default -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 10Gi diff --git a/14-1-parse.yaml b/14-1-parse.yaml deleted file mode 100644 index ceec9c1..0000000 --- a/14-1-parse.yaml +++ /dev/null @@ -1,26 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: parse-server -spec: - replicas: 1 - selector: - matchLabels: - run: parse-server - template: - metadata: - labels: - run: parse-server - spec: - containers: - - name: parse-server - image: ${DOCKER_USER}/parse-server - env: - - name: PARSE_SERVER_DATABASE_URI - value: "mongodb://mongo-0.mongo:27017,\ - mongo-1.mongo:27017,mongo-2.mongo\ - :27017/dev?replicaSet=rs0" - - name: PARSE_SERVER_APP_ID - value: "my-app-id" - - name: PARSE_SERVER_MASTER_KEY - value: "my-master-key" diff --git a/14-10-redis.yaml b/14-10-redis.yaml deleted file mode 100644 index 1a17b3e..0000000 --- a/14-10-redis.yaml +++ /dev/null @@ -1,40 +0,0 @@ -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: redis -spec: - replicas: 3 - serviceName: redis - selector: - matchLabels: - app: redis - template: - metadata: - labels: - app: redis - spec: - containers: - - command: [sh, -c, source /redis-config/init.sh ] - image: redis:3.2.7-alpine - name: redis - ports: - - containerPort: 6379 - name: redis - volumeMounts: - - mountPath: /redis-config - name: config - - mountPath: /redis-data - name: data - - command: [sh, -c, source /redis-config/sentinel.sh] - image: redis:3.2.7-alpine - name: sentinel - volumeMounts: - - mountPath: /redis-config - name: config - volumes: - - configMap: - defaultMode: 420 - name: redis-config - name: config - - emptyDir: - name: data diff --git a/14-2-parse-service.yaml b/14-2-parse-service.yaml deleted file mode 100644 index 2a6a29d..0000000 --- a/14-2-parse-service.yaml +++ /dev/null 
@@ -1,12 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: parse-server - namespace: default -spec: - ports: - - port: 1337 - protocol: TCP - targetPort: 1337 - selector: - run: parse-server diff --git a/14-3-ghost-config.js b/14-3-ghost-config.js deleted file mode 100644 index 71675ba..0000000 --- a/14-3-ghost-config.js +++ /dev/null @@ -1,25 +0,0 @@ -var path = require('path'), - config; - -config = { - development: { - url: 'http://localhost:2368', - database: { - client: 'sqlite3', - connection: { - filename: path.join(process.env.GHOST_CONTENT, - '/data/ghost-dev.db') - }, - debug: false - }, - server: { - host: '0.0.0.0', - port: '2368' - }, - paths: { - contentPath: path.join(process.env.GHOST_CONTENT, '/') - } - } -}; - -module.exports = config; diff --git a/14-4-ghost.yaml b/14-4-ghost.yaml deleted file mode 100644 index 02b9596..0000000 --- a/14-4-ghost.yaml +++ /dev/null @@ -1,30 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: ghost -spec: - replicas: 1 - selector: - matchLabels: - run: ghost - template: - metadata: - labels: - run: ghost - spec: - containers: - - image: ghost - name: ghost - command: - - sh - - -c - - cp /ghost-config/ghost-config.js /var/lib/ghost/config.js - && docker-entrypoint.sh node current/index.js - volumeMounts: - - mountPath: /ghost-config - name: config - volumes: - - name: config - configMap: - defaultMode: 420 - name: ghost-config diff --git a/14-4-master.conf b/14-4-master.conf deleted file mode 100644 index 1924460..0000000 --- a/14-4-master.conf +++ /dev/null @@ -1,4 +0,0 @@ -bind 0.0.0.0 -port 6379 - -dir /redis-data diff --git a/14-5-slave.conf b/14-5-slave.conf deleted file mode 100644 index 87e300d..0000000 --- a/14-5-slave.conf +++ /dev/null @@ -1,6 +0,0 @@ -bind 0.0.0.0 -port 6379 - -dir . - -slaveof redis-0.redis 6379 diff --git a/14-6-sentinel.conf b/14-6-sentinel.conf deleted file mode 100644 index 10e4598..0000000 --- a/14-6-sentinel.conf +++ /dev/null 
@@ -1,7 +0,0 @@ -bind 0.0.0.0 -port 26379 - -sentinel monitor redis redis-0.redis 6379 2 -sentinel parallel-syncs redis 1 -sentinel down-after-milliseconds redis 10000 -sentinel failover-timeout redis 20000 diff --git a/14-7-init.sh b/14-7-init.sh deleted file mode 100644 index 738071a..0000000 --- a/14-7-init.sh +++ /dev/null @@ -1,6 +0,0 @@ -#!/bin/bash -if [[ ${HOSTNAME} == 'redis-0' ]]; then - redis-server /redis-config/master.conf -else - redis-server /redis-config/slave.conf -fi diff --git a/14-8-sentinel.sh b/14-8-sentinel.sh deleted file mode 100644 index 026f6e9..0000000 --- a/14-8-sentinel.sh +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/bash -while ! ping -c 1 redis-0.redis; do - echo 'Waiting for server' - sleep 1 -done - -redis-sentinel /redis-config/sentinel.conf - diff --git a/14-9-redis-service.yaml b/14-9-redis-service.yaml deleted file mode 100644 index 9f24a8c..0000000 --- a/14-9-redis-service.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: redis -spec: - ports: - - port: 6379 - name: peer - clusterIP: None - selector: - app: redis From a35d445fd1238e5d24501cd5febd2998c44502e9 Mon Sep 17 00:00:00 2001 From: Lachlan Evenson Date: Mon, 29 Jan 2024 21:19:02 -0800 Subject: [PATCH 07/10] Chapter 16 updates 
Signed-off-by: Lachlan Evenson --- 16-1-dns-service.yaml | 7 +++++ 16-10-mongo-simple.yaml | 25 ++++++++++++++++ 16-11-mongo-service.yaml | 11 +++++++ 16-12-mongo-configmap.yaml | 51 +++++++++++++++++++++++++++++++++ 16-13-mongo.yaml | 37 ++++++++++++++++++++++++ 16-2-external-ip-service.yaml | 7 +++++ 16-3-external-ip-endpoints.yaml | 9 ++++++ 16-4-nfs-volume.yaml | 14 +++++++++ 16-5-nfs-volume-claim.yaml | 13 +++++++++ 16-6-mysql-replicaset.yaml | 43 +++++++++++++++++++++++++++ 16-7-mysql-service.yaml | 10 +++++++ 16-8-storageclass.yaml | 9 ++++++ 16-9-dynamic-volume-claim.yaml | 12 ++++++++ 13 files changed, 248 insertions(+) create mode 100644 16-1-dns-service.yaml create mode 100644 16-10-mongo-simple.yaml create mode 100644 16-11-mongo-service.yaml create mode 100644 16-12-mongo-configmap.yaml create mode 100644 16-13-mongo.yaml create mode 100644 16-2-external-ip-service.yaml create mode 100644 16-3-external-ip-endpoints.yaml create mode 100644 16-4-nfs-volume.yaml create mode 100644 16-5-nfs-volume-claim.yaml create mode 100644 16-6-mysql-replicaset.yaml create mode 100644 16-7-mysql-service.yaml create mode 100644 16-8-storageclass.yaml create mode 100644 16-9-dynamic-volume-claim.yaml diff --git a/16-1-dns-service.yaml b/16-1-dns-service.yaml new file mode 100644 index 0000000..23a7cd0 --- /dev/null +++ b/16-1-dns-service.yaml @@ -0,0 +1,7 @@ +kind: Service +apiVersion: v1 +metadata: + name: external-database +spec: + type: ExternalName + externalName: database.company.com diff --git a/16-10-mongo-simple.yaml b/16-10-mongo-simple.yaml new file mode 100644 index 0000000..9ef719f --- /dev/null +++ b/16-10-mongo-simple.yaml 
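Review bot: `externalName: database.company.com` in 16-1-dns-service.yaml points at a real registered domain (company.com); the reserved example names (`database.example.com`, RFC 2606) avoid sending a reader's traffic to a third party when the manifest is applied verbatim. It is also worth a comment that an ExternalName Service is only a CNAME: it gives the client no authentication of the target, and a client doing TLS must validate the certificate against the real hostname rather than `external-database`, e.g. `# CNAME only: clients must validate TLS/hostname against database.example.com themselves` on the externalName line.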
@@ -0,0 +1,25 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: mongo +spec: + serviceName: "mongo" + replicas: 3 + selector: + matchLabels: + app: mongo + template: + metadata: + labels: + app: mongo + spec: + containers: + - name: mongodb + image: mongo:3.4.24 + command: + - mongod + - --replSet + - rs0 + ports: + - containerPort: 27017 + name: peer diff --git a/16-11-mongo-service.yaml b/16-11-mongo-service.yaml new file mode 100644 index 0000000..25a2cf4 --- /dev/null +++ b/16-11-mongo-service.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Service +metadata: + name: mongo +spec: + ports: + - port: 27017 + name: peer + clusterIP: None + selector: + app: mongo diff --git a/16-12-mongo-configmap.yaml b/16-12-mongo-configmap.yaml new file mode 100644 index 0000000..caa80bf --- /dev/null +++ b/16-12-mongo-configmap.yaml 
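Review bot: The mongod in 16-10-mongo-simple.yaml is started with `--replSet rs0` but no `--auth` and no `--keyFile`, so any pod that can reach port 27017 can read and write the data set and can be added to the replica set. For a demo that is acceptable only when it is paired with a default-deny NetworkPolicy (19-9 in this series) and called out in the manifest, e.g. `# no authentication: demo only, restrict with NetworkPolicy` next to the command. `mongo:3.4.24` is an end-of-life line as well; if it is pinned because the init script relies on the legacy `mongo` shell, that reason deserves a comment.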
@@ -0,0 +1,51 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: mongo-init +data: + init.sh: | + #!/bin/bash + + # Need to wait for the readiness health check to pass so that the + # mongo names resolve. This is kind of wonky. + until ping -c 1 ${HOSTNAME}.mongo; do + echo "waiting for DNS (${HOSTNAME}.mongo)..." + sleep 2 + done + + until /usr/bin/mongo --eval 'printjson(db.serverStatus())'; do + echo "connecting to local mongo..." + sleep 2 + done + echo "connected to local." + + HOST=mongo-0.mongo:27017 + + until /usr/bin/mongo --host=${HOST} --eval 'printjson(db.serverStatus())'; do + echo "connecting to remote mongo..." + sleep 2 + done + echo "connected to remote." + + if [[ "${HOSTNAME}" != 'mongo-0' ]]; then + until /usr/bin/mongo --host=${HOST} --eval="printjson(rs.status())" \ + | grep -v "no replset config has been received"; do + echo "waiting for replication set initialization" + sleep 2 + done + echo "adding self to mongo-0" + /usr/bin/mongo --host=${HOST} \ + --eval="printjson(rs.add('${HOSTNAME}.mongo'))" + fi + + if [[ "${HOSTNAME}" == 'mongo-0' ]]; then + echo "initializing replica set" + /usr/bin/mongo --eval="printjson(rs.initiate(\ + {'_id': 'rs0', 'members': [{'_id': 0, \ + 'host': 'mongo-0.mongo:27017'}]}))" + fi + echo "initialized" + + while true; do + sleep 3600 + done diff --git a/16-13-mongo.yaml b/16-13-mongo.yaml new file mode 100644 index 0000000..75f21ed --- /dev/null +++ b/16-13-mongo.yaml 
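Review bot: `until ping -c 1 ${HOSTNAME}.mongo` in init.sh (16-12-mongo-configmap.yaml) depends on ICMP from inside the container, which normally needs CAP_NET_RAW or a setuid ping; under the hardened securityContext this series recommends in chapter 19 (non-root, capabilities dropped) the loop would spin forever. A name lookup is all the script is actually waiting for: `until getent hosts "${HOSTNAME}.mongo"; do`. The `mongo --host` calls also run unauthenticated, consistent with 16-10, and `${HOSTNAME}` is interpolated unquoted into the JavaScript handed to `--eval`; the value is pod-controlled here, but quoting it (`"${HOSTNAME}"`) keeps the script from becoming an injection surface if it is reused with a caller-supplied name.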
@@ -0,0 +1,37 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: mongo +spec: + serviceName: "mongo" + replicas: 3 + selector: + matchLabels: + app: mongo + template: + metadata: + labels: + app: mongo + spec: + containers: + - name: mongodb + image: mongo:3.4.1 + command: + - mongod + - --replSet + - rs0 + ports: + - containerPort: 27017 + name: web + - name: init-mongo + image: mongo:3.4.1 + command: + - bash + - /config/init.sh + volumeMounts: + - name: config + mountPath: /config + volumes: + - name: config + configMap: + name: "mongo-init" diff --git a/16-2-external-ip-service.yaml b/16-2-external-ip-service.yaml new file mode 100644 index 0000000..eef45ee --- /dev/null +++ b/16-2-external-ip-service.yaml @@ -0,0 +1,7 @@ +kind: Service +apiVersion: v1 +metadata: + name: external-ip-database +spec: + ports: + - port: 3306 diff --git a/16-3-external-ip-endpoints.yaml b/16-3-external-ip-endpoints.yaml new file mode 100644 index 0000000..208f732 --- /dev/null +++ b/16-3-external-ip-endpoints.yaml @@ -0,0 +1,9 @@ +kind: Endpoints +apiVersion: v1 +metadata: + name: external-ip-database +subsets: + - addresses: + - ip: 192.168.0.1 + ports: + - port: 3306 diff --git a/16-4-nfs-volume.yaml b/16-4-nfs-volume.yaml new file mode 100644 index 0000000..f3ff6cb --- /dev/null +++ b/16-4-nfs-volume.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: PersistentVolume +metadata: + name: database + labels: + volume: my-volume +spec: + accessModes: + - ReadWriteMany + capacity: + storage: 1Gi + nfs: + server: 192.168.0.1 + path: "/exports" diff --git a/16-5-nfs-volume-claim.yaml b/16-5-nfs-volume-claim.yaml new file mode 100644 index 0000000..05e76af --- /dev/null +++ b/16-5-nfs-volume-claim.yaml @@ -0,0 +1,13 @@ +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: database +spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 1Gi + selector: + matchLabels: + volume: my-volume 
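Review bot: 16-13-mongo.yaml pins `mongo:3.4.1` for both containers while 16-10-mongo-simple.yaml in the same patch pins `mongo:3.4.24`; the older tag lacks fixes the newer one received and the two manifests describe the same database, so they should agree: `image: mongo:3.4.1` → `image: mongo:3.4.24` on both lines. The container port is named `web` here and `peer` in 16-10/16-11; the Service selects by number so it works, but the mismatch reads like an oversight. As in 16-10, mongod runs without `--auth`/`--keyFile`, so the init sidecar's `rs.add` calls would be accepted from anyone who can reach the pod, not just the sidecar.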
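Review bot: The hand-written Endpoints object in 16-3-external-ip-endpoints.yaml is what makes `external-ip-database` resolve, so whoever can write `endpoints` (or `endpointslices`) in this namespace can silently repoint database traffic to an address they control. That is a known sharp edge of selector-less Services and worth a comment on the manifest, e.g. `# anyone with write on endpoints in this namespace can repoint this Service; restrict via RBAC`. Current clusters route from EndpointSlices (the control plane mirrors Endpoints into them), so the example still works, but an EndpointSlice with `addressType: IPv4` is the current form to show.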
diff --git a/16-6-mysql-replicaset.yaml b/16-6-mysql-replicaset.yaml new file mode 100644 index 0000000..041ef76 --- /dev/null +++ b/16-6-mysql-replicaset.yaml @@ -0,0 +1,43 @@ +apiVersion: apps/v1 +kind: ReplicaSet +metadata: + name: mysql + # labels so that we can bind a Service to this Pod + labels: + app: mysql +spec: + replicas: 1 + selector: + matchLabels: + app: mysql + template: + metadata: + labels: + app: mysql + spec: + containers: + - name: database + image: mysql + resources: + requests: + cpu: 1 + memory: 2Gi + env: + # Environment variables are not a best practice for security, + # but we're using them here for brevity in the example. + # See Chapter 11 for better options. + - name: MYSQL_ROOT_PASSWORD + value: some-password-here + livenessProbe: + tcpSocket: + port: 3306 + ports: + - containerPort: 3306 + volumeMounts: + - name: database + # /var/lib/mysql is where MySQL stores its databases + mountPath: "/var/lib/mysql" + volumes: + - name: database + persistentVolumeClaim: + claimName: database diff --git a/16-7-mysql-service.yaml b/16-7-mysql-service.yaml new file mode 100644 index 0000000..521cde2 --- /dev/null +++ b/16-7-mysql-service.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Service +metadata: + name: mysql +spec: + ports: + - port: 3306 + protocol: TCP + selector: + app: mysql diff --git a/16-8-storageclass.yaml b/16-8-storageclass.yaml new file mode 100644 index 0000000..09c93fd --- /dev/null +++ b/16-8-storageclass.yaml @@ -0,0 +1,9 @@ +apiVersion: storage.k8s.io/v1 +kind: StorageClass +metadata: + name: default + annotations: + storageclass.beta.kubernetes.io/is-default-class: "true" + labels: + kubernetes.io/cluster-service: "true" +provisioner: kubernetes.io/azure-disk diff --git a/16-9-dynamic-volume-claim.yaml b/16-9-dynamic-volume-claim.yaml new file mode 100644 index 0000000..ab1637c --- /dev/null +++ b/16-9-dynamic-volume-claim.yaml 
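Review bot: `MYSQL_ROOT_PASSWORD` in 16-6-mysql-replicaset.yaml is a literal in the manifest, so the root credential ends up in git and in `kubectl get rs -o yaml` for anyone with read access on the namespace. The inline comment points readers at Chapter 11 for the better option, but in this series the Secret examples live under 13-* (13-3-kuard-secret.yaml), so the reference looks stale. Replace the literal with `valueFrom: {secretKeyRef: {name: mysql-root, key: password}}` and point the comment at the chapter that introduces Secrets. `image: mysql` with no tag also floats to whatever `latest` is at deploy time; pin a version as the mongo manifests do.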
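Review bot: 16-8-storageclass.yaml still marks the default class with the beta annotation `storageclass.beta.kubernetes.io/is-default-class`; the GA form is `storageclass.kubernetes.io/is-default-class: "true"`. The provisioner `kubernetes.io/azure-disk` names the in-tree plugin, which has been migrated to the `disk.csi.azure.com` CSI driver; on a recent cluster the in-tree name only works through the migration shim, if at all, so `provisioner: disk.csi.azure.com` is the safer example. Naming the class `default` and also marking it default is easy to misread; a descriptive name plus the annotation is clearer.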
@@ -0,0 +1,12 @@ +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: my-claim + annotations: + volume.beta.kubernetes.io/storage-class: default +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 10Gi From 2d09842027d44af1b4d492f7d6c65d4e01fbfae5 Mon Sep 17 00:00:00 2001 From: Lachlan Evenson Date: Mon, 29 Jan 2024 21:49:09 -0800 Subject: [PATCH 08/10] Chapter 19 updates Signed-off-by: Lachlan Evenson --- 19-1-kuard-pod-securitycontext.yaml | 21 +++++++++++++++ 19-10-kuard-pod.yaml | 14 ++++++++++ 19-11-networkpolicy-default-deny.yaml | 8 ++++++ ...networkpolicy-kuard-allow-test-source.yaml | 13 ++++++++++ 19-2-amicontained-pod.yaml | 10 +++++++ 19-3-amicontained-pod-securitycontext.yaml | 26 +++++++++++++++++++ 19-4-baseline-ns.yaml | 11 ++++++++ 19-5-baseline-ns.yaml | 11 ++++++++ 19-6-kuard-pod.yaml | 14 ++++++++++ 19-7-service-account.yaml | 5 ++++ 19-8-kuard-pod-runtimeclass.yaml | 15 +++++++++++ 19-9-networkpolicy-default-deny.yaml | 8 ++++++ 12 files changed, 156 insertions(+) create mode 100644 19-1-kuard-pod-securitycontext.yaml create mode 100644 19-10-kuard-pod.yaml create mode 100644 19-11-networkpolicy-default-deny.yaml create mode 100644 19-12-networkpolicy-kuard-allow-test-source.yaml create mode 100644 19-2-amicontained-pod.yaml create mode 100644 19-3-amicontained-pod-securitycontext.yaml create mode 100644 19-4-baseline-ns.yaml create mode 100644 19-5-baseline-ns.yaml create mode 100644 19-6-kuard-pod.yaml create mode 100644 19-7-service-account.yaml create mode 100644 19-8-kuard-pod-runtimeclass.yaml create mode 100644 19-9-networkpolicy-default-deny.yaml diff --git a/19-1-kuard-pod-securitycontext.yaml b/19-1-kuard-pod-securitycontext.yaml new file mode 100644 index 0000000..fce9adb --- /dev/null +++ b/19-1-kuard-pod-securitycontext.yaml 
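Review bot: 16-9-dynamic-volume-claim.yaml selects its class through the beta annotation `volume.beta.kubernetes.io/storage-class`; the field `spec.storageClassName` has been the supported form since Kubernetes 1.6 and is what readers will find in current documentation. Replace the annotation with `storageClassName: default` under `spec` (and drop the now-empty `annotations:` block).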
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: kuard +spec: + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 3000 + fsGroup: 2000 + containers: + - image: gcr.io/kuar-demo/kuard-amd64:blue + name: kuard + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + privileged: false + ports: + - containerPort: 8080 + name: http + protocol: TCP diff --git a/19-10-kuard-pod.yaml b/19-10-kuard-pod.yaml new file mode 100644 index 0000000..77f5ae9 --- /dev/null +++ b/19-10-kuard-pod.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Pod +metadata: + name: kuard + labels: + app: kuard +spec: + containers: + - image: gcr.io/kuar-demo/kuard-amd64:blue + name: kuard + ports: + - containerPort: 8080 + name: http + protocol: TCP diff --git a/19-11-networkpolicy-default-deny.yaml b/19-11-networkpolicy-default-deny.yaml new file mode 100644 index 0000000..1a97947 --- /dev/null +++ b/19-11-networkpolicy-default-deny.yaml @@ -0,0 +1,8 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: default-deny-ingress +spec: + podSelector: {} + policyTypes: + - Ingress diff --git a/19-12-networkpolicy-kuard-allow-test-source.yaml b/19-12-networkpolicy-kuard-allow-test-source.yaml new file mode 100644 index 0000000..8930a13 --- /dev/null +++ b/19-12-networkpolicy-kuard-allow-test-source.yaml @@ -0,0 +1,13 @@ +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: access-kuard +spec: + podSelector: + matchLabels: + app: kuard + ingress: + - from: + - podSelector: + matchLabels: + run: test-source diff --git a/19-2-amicontained-pod.yaml b/19-2-amicontained-pod.yaml new file mode 100644 index 0000000..0535dc5 --- /dev/null +++ b/19-2-amicontained-pod.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Pod +metadata: + name: amicontained +spec: + containers: + - image: jess/amicontained:v0.4.9 + name: amicontained + command: [ "/bin/sh", "-c", "--" ] + args: [ "amicontained" ] 
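Review bot: The pod in 19-1-kuard-pod-securitycontext.yaml is presented as the hardened example but would still be rejected by the Pod Security `restricted` profile: that profile requires `capabilities.drop: ["ALL"]` and a `seccompProfile.type` of `RuntimeDefault` (or `Localhost`), and neither is set here. Add `seccompProfile: {type: RuntimeDefault}` to the pod-level securityContext and `capabilities: {drop: ["ALL"]}` to the container securityContext; 19-3 in this series already sets the seccomp profile, so the two examples would then agree. `readOnlyRootFilesystem: true` also leaves kuard with no writable scratch space, which is fine for kuard but worth a comment so readers know to add an `emptyDir` for applications that write.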
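Review bot: The default-deny in 19-11-networkpolicy-default-deny.yaml lists only `Ingress` in policyTypes, so pod egress stays wide open and a compromised pod can still reach the API server, cloud metadata endpoints and the internet. If a true default deny is intended, use `policyTypes: [Ingress, Egress]` (remembering that DNS egress to kube-dns must then be allowed explicitly); if ingress-only is deliberate, the name already says so but a comment on `policyTypes` would keep readers from assuming egress is covered. 19-9 in the same patch carries the identical content (blob 1a97947), so whichever wording is chosen should be applied to both.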
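Review bot: 19-12-networkpolicy-kuard-allow-test-source.yaml grants the `run: test-source` pods access to every port on the kuard pods because the ingress rule carries no `ports` list. Restrict it to the one port kuard exposes: `ports: [{protocol: TCP, port: 8080}]` alongside `from` in the same rule. Readers should also be told that a bare `podSelector` under `from` only matches pods in the policy's own namespace (cross-namespace access needs a `namespaceSelector` too) and that `policyTypes` is omitted, so the policy defaults to Ingress only.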
diff --git a/19-3-amicontained-pod-securitycontext.yaml b/19-3-amicontained-pod-securitycontext.yaml new file mode 100644 index 0000000..18a8276 --- /dev/null +++ b/19-3-amicontained-pod-securitycontext.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: amicontained + annotations: + container.apparmor.security.beta.kubernetes.io/amicontained: "runtime/default" +spec: + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 3000 + fsGroup: 2000 + seccompProfile: + type: RuntimeDefault + containers: + - image: jess/amicontained:v0.4.9 + name: amicontained + command: [ "/bin/sh", "-c", "--" ] + args: [ "amicontained" ] + securityContext: + capabilities: + add: ["SYS_TIME"] + drop: ["NET_BIND_SERVICE"] + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + privileged: false diff --git a/19-4-baseline-ns.yaml b/19-4-baseline-ns.yaml new file mode 100644 index 0000000..6767d14 --- /dev/null +++ b/19-4-baseline-ns.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: baseline-ns + labels: + pod-security.kubernetes.io/enforce: baseline + pod-security.kubernetes.io/enforce-version: v1.22 + pod-security.kubernetes.io/audit: restricted + pod-security.kubernetes.io/audit-version: v1.22 + pod-security.kubernetes.io/warn: restricted + pod-security.kubernetes.io/warn-version: v1.22 diff --git a/19-5-baseline-ns.yaml b/19-5-baseline-ns.yaml new file mode 100644 index 0000000..6767d14 --- /dev/null +++ b/19-5-baseline-ns.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: baseline-ns + labels: + pod-security.kubernetes.io/enforce: baseline + pod-security.kubernetes.io/enforce-version: v1.22 + pod-security.kubernetes.io/audit: restricted + pod-security.kubernetes.io/audit-version: v1.22 + pod-security.kubernetes.io/warn: restricted + pod-security.kubernetes.io/warn-version: v1.22 diff --git a/19-6-kuard-pod.yaml b/19-6-kuard-pod.yaml new file mode 100644 index 0000000..77f5ae9 --- /dev/null 
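Review bot: `capabilities: add: ["SYS_TIME"]` in 19-3-amicontained-pod-securitycontext.yaml is not on the Pod Security `baseline` allow-list of capabilities that may be added, so if this pod is applied in the baseline-enforcing namespace from 19-4 it would be rejected rather than demonstrate a hardened pod. Dropping a single capability (`NET_BIND_SERVICE`) instead of everything also leaves the runtime's default set in place; `capabilities: {drop: ["ALL"]}` is what the restricted profile expects. With `runAsUser: 1000` the added SYS_TIME would, as far as I can tell, not land in the process's effective set anyway unless the binary carries file capabilities, so a comment explaining what the `add` is meant to show would help. The `container.apparmor.security.beta.kubernetes.io/...` annotation has a field-based replacement (`securityContext.appArmorProfile`) in recent releases, which is worth mentioning next to it.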
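Review bot: 19-5-baseline-ns.yaml is byte-identical to 19-4-baseline-ns.yaml (both file headers show blob 6767d14), so the second example adds nothing; if the chapter intends 19-5 to show the next step, e.g. `pod-security.kubernetes.io/enforce: restricted`, that change is missing. Independently, pinning every mode to `v1.22` freezes the policy at that release's checks, so restrictions added in later Kubernetes versions are never applied; `latest` (or the cluster's current version) is the safer pin unless the book is deliberately illustrating version pinning, in which case a comment saying so would help.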
+++ b/19-6-kuard-pod.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Pod +metadata: + name: kuard + labels: + app: kuard +spec: + containers: + - image: gcr.io/kuar-demo/kuard-amd64:blue + name: kuard + ports: + - containerPort: 8080 + name: http + protocol: TCP diff --git a/19-7-service-account.yaml b/19-7-service-account.yaml new file mode 100644 index 0000000..fdf7895 --- /dev/null +++ b/19-7-service-account.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: default +automountServiceAccountToken: false diff --git a/19-8-kuard-pod-runtimeclass.yaml b/19-8-kuard-pod-runtimeclass.yaml new file mode 100644 index 0000000..78b4933 --- /dev/null +++ b/19-8-kuard-pod-runtimeclass.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: kuard + labels: + app: kuard +spec: + runtimeClassName: firecracker + containers: + - image: gcr.io/kuar-demo/kuard-amd64:blue + name: kuard + ports: + - containerPort: 8080 + name: http + protocol: TCP diff --git a/19-9-networkpolicy-default-deny.yaml b/19-9-networkpolicy-default-deny.yaml new file mode 100644 index 0000000..1a97947 --- /dev/null +++ b/19-9-networkpolicy-default-deny.yaml @@ -0,0 +1,8 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: default-deny-ingress +spec: + podSelector: {} + policyTypes: + - Ingress From b9567e3248ee1e483fa95c697b6c8e0ddded1fc8 Mon Sep 17 00:00:00 2001 From: Lachlan Evenson Date: Tue, 30 Jan 2024 20:58:00 -0800 Subject: [PATCH 09/10] Chapter 20 updates 
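Review bot: `automountServiceAccountToken: false` on the `default` ServiceAccount in 19-7-service-account.yaml is a good default but not enforcement: a Pod spec that sets `automountServiceAccountToken: true` takes precedence over the ServiceAccount setting, so readers should not treat this as a guarantee that no pod gets a token. A comment on the manifest, e.g. `# pods can still opt back in via spec.automountServiceAccountToken; enforce with admission policy if needed`, would make that explicit. It also only affects this namespace's `default` ServiceAccount; every other namespace keeps its own.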
Signed-off-by: Lachlan Evenson --- 20-1-allowedrepos-constraint-template.yaml | 42 +++++++++++++++++++ 20-2-allowedrepos-constraint.yaml | 15 +++++++ 20-3-compliant-pod.yaml | 12 ++++++ 20-4-noncompliant-pod.yaml | 8 ++++ 20-5-allowedrepos-constraint-dryrun.yaml | 15 +++++++ 20-6-imagepullpolicyalways-mutation.yaml | 19 +++++++++ 20-7-config-sync.yaml | 14 +++++++ ...uniqueingresshost-constraint-template.yaml | 31 ++++++++++++++ 8 files changed, 156 insertions(+) create mode 100644 20-1-allowedrepos-constraint-template.yaml create mode 100644 20-2-allowedrepos-constraint.yaml create mode 100644 20-3-compliant-pod.yaml create mode 100644 20-4-noncompliant-pod.yaml create mode 100644 20-5-allowedrepos-constraint-dryrun.yaml create mode 100644 20-6-imagepullpolicyalways-mutation.yaml create mode 100644 20-7-config-sync.yaml create mode 100644 20-8-uniqueingresshost-constraint-template.yaml diff --git a/20-1-allowedrepos-constraint-template.yaml b/20-1-allowedrepos-constraint-template.yaml new file mode 100644 index 0000000..aecff62 --- /dev/null +++ b/20-1-allowedrepos-constraint-template.yaml 
@@ -0,0 +1,42 @@ +apiVersion: templates.gatekeeper.sh/v1beta1 +kind: ConstraintTemplate +metadata: + name: k8sallowedrepos + annotations: + description: Requires container images to begin with a repo string from a + specified list. +spec: + crd: + spec: + names: + kind: K8sAllowedRepos + validation: + # Schema for the `parameters` field + openAPIV3Schema: + properties: + repos: + type: array + items: + type: string + targets: + - target: admission.k8s.gatekeeper.sh + rego: | + package k8sallowedrepos + + violation[{"msg": msg}] { + container := input.review.object.spec.containers[_] + not strings.any_prefix_match(container.image, input.parameters.repos) + msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos]) + } + + violation[{"msg": msg}] { + container := input.review.object.spec.initContainers[_] + not strings.any_prefix_match(container.image, input.parameters.repos) + msg := sprintf("initContainer <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos]) + } + + violation[{"msg": msg}] { + container := input.review.object.spec.ephemeralContainers[_] + not strings.any_prefix_match(container.image, input.parameters.repos) + msg := sprintf("ephemeralContainer <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos]) + } diff --git a/20-2-allowedrepos-constraint.yaml b/20-2-allowedrepos-constraint.yaml new file mode 100644 index 0000000..0d89d94 --- /dev/null +++ b/20-2-allowedrepos-constraint.yaml @@ -0,0 +1,15 @@ +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: K8sAllowedRepos +metadata: + name: repo-is-kuar-demo +spec: + enforcementAction: deny + match: + kinds: + - apiGroups: [""] + kinds: ["Pod"] + namespaces: + - "default" + parameters: + repos: + - "gcr.io/kuar-demo/" 
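Review bot: The check in 20-1-allowedrepos-constraint-template.yaml is a plain prefix match (`strings.any_prefix_match`), so a parameter written without a trailing slash such as `gcr.io/kuar-demo` would also admit `gcr.io/kuar-demo-evil/...`; the constraint in 20-2 does include the slash, but nothing in the template enforces it. Say so in the description annotation, e.g. `description: Requires container images to begin with a repo string from a specified list; entries should end with '/' so the prefix cannot be extended.` A repository prefix also says nothing about tags or digests, so this allowlists the source rather than the content; digest pinning or signature verification is a separate control worth a sentence. `strings.any_prefix_match` is a comparatively recent OPA builtin, so the Gatekeeper version the chapter targets needs to ship it.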
diff --git a/20-3-compliant-pod.yaml b/20-3-compliant-pod.yaml new file mode 100644 index 0000000..f7795da --- /dev/null +++ b/20-3-compliant-pod.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Pod +metadata: + name: kuard +spec: + containers: + - image: gcr.io/kuar-demo/kuard-amd64:blue + name: kuard + ports: + - containerPort: 8080 + name: http + protocol: TCP diff --git a/20-4-noncompliant-pod.yaml b/20-4-noncompliant-pod.yaml new file mode 100644 index 0000000..c6712cc --- /dev/null +++ b/20-4-noncompliant-pod.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx-noncompliant +spec: + containers: + - name: nginx + image: nginx diff --git a/20-5-allowedrepos-constraint-dryrun.yaml b/20-5-allowedrepos-constraint-dryrun.yaml new file mode 100644 index 0000000..3e13d2b --- /dev/null +++ b/20-5-allowedrepos-constraint-dryrun.yaml @@ -0,0 +1,15 @@ +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: K8sAllowedRepos +metadata: + name: repo-is-kuar-demo +spec: + enforcementAction: dryrun + match: + kinds: + - apiGroups: [""] + kinds: ["Pod"] + namespaces: + - "default" + parameters: + repos: + - "gcr.io/kuar-demo/" diff --git a/20-6-imagepullpolicyalways-mutation.yaml b/20-6-imagepullpolicyalways-mutation.yaml new file mode 100644 index 0000000..5cfbe6b --- /dev/null +++ b/20-6-imagepullpolicyalways-mutation.yaml @@ -0,0 +1,19 @@ +apiVersion: mutations.gatekeeper.sh/v1alpha1 +kind: Assign +metadata: + name: demo-image-pull-policy +spec: + applyTo: + - groups: [""] + kinds: ["Pod"] + versions: ["v1"] + match: + scope: Namespaced + kinds: + - apiGroups: ["*"] + kinds: ["Pod"] + excludedNamespaces: ["system"] + location: "spec.containers[name:*].imagePullPolicy" + parameters: + assign: + value: Always diff --git a/20-7-config-sync.yaml b/20-7-config-sync.yaml new file mode 100644 index 0000000..ff2c7ed --- /dev/null +++ b/20-7-config-sync.yaml 
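Review bot: The Assign mutation in 20-6-imagepullpolicyalways-mutation.yaml only targets `spec.containers[name:*].imagePullPolicy`, so initContainers and ephemeralContainers keep whatever policy they declare, while the companion validation template in 20-1 deliberately covers all three lists. A second Assign with `location: "spec.initContainers[name:*].imagePullPolicy"` (and a third for `spec.ephemeralContainers`) would close that gap. `excludedNamespaces: ["system"]` also names a namespace that does not exist by default; if `kube-system` was meant the exclusion currently does nothing, and if it is a placeholder a comment should say so.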
@@ -0,0 +1,14 @@ +apiVersion: config.gatekeeper.sh/v1alpha1 +kind: Config +metadata: + name: config + namespace: "gatekeeper-system" +spec: + sync: + syncOnly: + - group: "" + version: "v1" + kind: "Namespace" + - group: "" + version: "v1" + kind: "Pod" diff --git a/20-8-uniqueingresshost-constraint-template.yaml b/20-8-uniqueingresshost-constraint-template.yaml new file mode 100644 index 0000000..a724faf --- /dev/null +++ b/20-8-uniqueingresshost-constraint-template.yaml @@ -0,0 +1,31 @@ +apiVersion: templates.gatekeeper.sh/v1beta1 +kind: ConstraintTemplate +metadata: + name: k8suniqueingresshost + annotations: + description: Requires all Ingress hosts to be unique. +spec: + crd: + spec: + names: + kind: K8sUniqueIngressHost + targets: + - target: admission.k8s.gatekeeper.sh + rego: | + package k8suniqueingresshost + + identical(obj, review) { + obj.metadata.namespace == review.object.metadata.namespace + obj.metadata.name == review.object.metadata.name + } + + violation[{"msg": msg}] { + input.review.kind.kind == "Ingress" + regex.match("^(extensions|networking.k8s.io)$", input.review.kind.group) + host := input.review.object.spec.rules[_].host + other := data.inventory.namespace[_][otherapiversion]["Ingress"][name] + regex.match("^(extensions|networking.k8s.io)/.+$", otherapiversion) + other.spec.rules[_].host == host + not identical(other, input.review) + msg := sprintf("ingress host conflicts with an existing ingress <%v>", [host]) + } From fb7cd71936d0b0eeb2e0a8469e1e0af158cbe299 Mon Sep 17 00:00:00 2001 From: Lachlan Evenson Date: Mon, 5 Feb 2024 11:10:12 -0800 Subject: [PATCH 10/10] Fix typo Signed-off-by: Lachlan Evenson --- 11-2-nginx-fast-storage.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/11-2-nginx-fast-storage.yaml b/11-2-nginx-fast-storage.yaml index 90ab57a..6f58b63 100644 --- a/11-2-nginx-fast-storage.yaml +++ b/11-2-nginx-fast-storage.yaml 
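Review bot: The template in 20-8-uniqueingresshost-constraint-template.yaml looks up existing objects through `data.inventory.namespace[_][otherapiversion]["Ingress"]`, but the Config in 20-7-config-sync.yaml from the same patch syncs only `Namespace` and `Pod`, so the inventory never contains Ingresses and the uniqueness check would admit every host. Add `- group: "networking.k8s.io"` / `version: "v1"` / `kind: "Ingress"` to `syncOnly` in 20-7 (and the legacy `extensions` group if such Ingresses are expected, since the rego matches both). Referential checks of this kind are also best-effort: two Ingresses admitted before the cache catches up can both pass, so audit mode is still needed to catch the race, which deserves a comment in the template description.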
@@ -1,5 +1,5 @@ apiVersion: apps/v1 -kind: 1DaemonSet +kind: DaemonSet metadata: labels: app: nginx