WIP: this is a full cleanup of my fork with all product specific stuff pulled out

prepare-pks/README.md

@@ -0,0 +1,36 @@
+# Instructions for preparing a PKS Kubernetes Cluster
+
+## pre-reqs
+
+* ingress controller (nginx or nsxt)
+* gangway (or similar for kubeconfig files)
+
+## Create users
+
+This example will create 50 random users in UAAC and corresponding Kubernetes users and rbac.
+
+```bash
+$ cd users
+$ ./random-users.sh 50
+...
+...
+$ ./create.sh
+...
+...
+```
+
+This will install helm tiller for each:
+
+```bash
+$ ./helm.sh
+...
+...
+```
+
+This will clean up:
+
+```bash
+$ ./delete.sh
+...
+...
+```

prepare-pks/users/create.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+while IFS=, read -r col1 col2
+do
+ echo "--> Adding user $col1 with password $col2"
+ echo "====> UAAC"
+ uaac user add $col1 --emails $col1@pks -p $col2
+ echo "====> Kubernetes"
+ cat user-role-etc.yaml | sed "s/__username__/$col1/" | kubectl apply -f -
+done < users.txt

prepare-pks/users/delete.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+while IFS=, read -r col1 col2
+do
+ echo "--> Deleting user $col1 with password $col2"
+ echo "====> UAAC"
+ uaac user delete $col1
+ echo "====> Kubernetes"
+ cat user-role-etc.yaml | sed "s/__username__/$col1/" | kubectl delete -f -
+done < users.txt

prepare-pks/users/helm.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+
+while IFS=, read -r col1 col2
+do
+
+kubectl -n $col1 create serviceaccount tiller
+
+kubectl -n $col1 create role tiller --verb '*' --resource '*'
+
+kubectl -n $col1 create rolebinding tiller --role tiller --serviceaccount ${col1}:tiller
+
+kubectl create clusterrole ns-tiller --verb 'get,list' --resource namespaces
+
+kubectl create clusterrolebinding tiller --clusterrole ns-tiller --serviceaccount ${col1}:tiller
+
+helm init --service-account=tiller --tiller-namespace=$col1
+
+kubectl -n $col1 delete service tiller-deploy
+
+kubectl -n $col1 patch deployment tiller-deploy --patch '
+spec:
+ template:
+ spec:
+ containers:
+ - name: tiller
+ ports: []
+ command: ["/tiller"]
+ args: ["--listen=localhost:44134"]
+'
+
+done < users.txt

prepare-pks/users/random-users.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+if [[ -z $1 ]]; then
+ echo "Usage: ./random-names.sh 55"
+ exit 1
+fi
+
+for i in {1..50}; do
+ PW=`cat /dev/urandom | tr -dc 'a-zA-Z1-9' | fold -w 10 | head -n 1`
+ echo "user$i,$PW"
+done

prepare-pks/users/user-role-etc.yaml

@@ -0,0 +1,57 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: __username__
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: rbac-user-namespace
+rules:
+- apiGroups: ["", "extensions", "apps", "batch", "autoscaling","networking.k8s.io"]
+ resources: ["*"]
+ verbs: ["*"]
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: rbac-user-cluster
+rules:
+- apiGroups: ["", "extensions", "apps"]
+ resources: ["*"]
+ verbs: ["list"]
+- apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["list","get"]
+- apiGroups: ["rbac.authorization.k8s.io"]
+ resources: ["*"]
+ verbs: ["list"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: __username__
+ namespace: __username__
+subjects:
+- kind: User
+ name: __username__
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: ClusterRole
+ name: rbac-user-namespace
+ apiGroup: rbac.authorization.k8s.io
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: __username__
+ namespace: __username__
+subjects:
+- kind: User
+ name: __username__
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: ClusterRole
+ name: rbac-user-cluster
+ apiGroup: rbac.authorization.k8s.io

prepare-pks/users/users.txt

@@ -0,0 +1,2 @@
+user1,user1-password
+user2,user2-password

slides/k8s/kubectlexpose.md

@@ -221,6 +221,8 @@
 
 - We will now send a few HTTP requests to our pods
 
+- But first, we need to do it from *inside* the cluster. We'll explain why later.
+
 .exercise[
 
 - Let's obtain the IP address that was allocated for our service, *programmatically:*
@@ -234,24 +236,50 @@
 ```key ^C```
 -->
 
+- Run a Pod that we can connect to and run shell commands:
+ ```bash
+ kubectl run shpod --image=jpetazzo/shpod --restart=Never -- -c "sleep 2400"
+ ```
+]
+
+--
+
+This Pod will live for 2400 seconds (4 hours) before exiting. Which means we can re-use it throughout the workshop.
+
+---
+
+## Testing our service
+
+- *Now* we can send a few HTTP requests to our Pods
+
+.exercise[
+
 - Send a few requests:
  ```bash
- curl http://$IP:8888/
+ kubectl exec shpod -- curl -s http://$IP:8888/
  ```
 
 - Too much output? Filter it with `jq`:
  ```bash
- curl -s http://$IP:8888/ | jq .HOSTNAME
+ kubectl exec shpod -- curl -s http://$IP:8888/ | jq -r .HOSTNAME
+ ```
+
+- Loop it 5 times:
+ ```bash
+ for i in {1..5}; do
+ kubectl exec shpod -- curl -s http://$IP:8888/ | jq -r .HOSTNAME;
+ done
  ```
 
 ]
 
 --
 
-Try it a few times! Our requests are load balanced across multiple pods.
+Our requests are load balanced across multiple pods.
 
 ---
 
+
 class: extra-details
 
 ## `ExternalName`
@@ -407,7 +435,7 @@ class: extra-details
 
 - This is the internal DNS server that can resolve service names
 
-- The default domain name for the service we created is `default.svc.cluster.local`
+- The default domain name for the service we created is `default.svc.cluster.local` (unless you deployed to a namespace other than default)
 
 .exercise[
 
@@ -418,11 +446,34 @@ class: extra-details
 
 - Resolve the cluster IP for the `httpenv` service:
  ```bash
- host httpenv.default.svc.cluster.local $IP
+ kubectl exec shpod -- nslookup httpenv $IP
  ```
 
 ]
 
+---
+
+## Accessing services via DNS
+
+
+* When accessing `httpenv` from another Pod you can use DNS: `httpenv`, `httpenv.<namespace>` or `httpenv.<namespace>.svc.cluster.local`.
+
+.exercise[
+- curl the service from its name:
+ ```bash
+ kubectl exec shpod -- curl -s http://httpenv:8888/ | jq -r .HOSTNAME
+ ```
+
+- curl the service from its fqdn:
+ ```bash
+ NS=$(kubectl get svc httpenv -o go-template --template '{{ .metadata.namespace }}')
+
+ kubectl exec shpod -- curl -s http://httpenv.$NS.svc.cluster.local:8888/ | \
+ jq -r .HOSTNAME
+ ```
+]
+
+
 ---
 
 class: extra-details

slides/k8s/kubectlget.md

@@ -214,10 +214,14 @@ class: extra-details
 
 .exercise[
 
-- Look at the information available for `node1` with one of the following commands:
+- Look at the information available for all nodes with one of the following commands:
  ```bash
- kubectl describe node/node1
- kubectl describe node node1
+ kubectl describe nodes
+ ```
+
+- Look at just the first node using a node name from the previous `kubectl get nodes` command:
+ ```
+ kubectl describe node <node1>
  ```
 
 ]
@@ -358,6 +362,8 @@ class: extra-details
 
 ## What about `kube-public`?
 
+> _Not all clusters have a `kube-public`, you can skip these steps if your cluster does not have this namespace._
+
 .exercise[
 
 - List the pods in the `kube-public` namespace:
@@ -377,6 +383,8 @@ class: extra-details
 
 ## Exploring `kube-public`
 
+> _Not all clusters have a `kube-public`, you can skip these steps if your cluster does not have this namespace._
+
 - The only interesting object in `kube-public` is a ConfigMap named `cluster-info`
 
 .exercise[
@@ -403,6 +411,8 @@ class: extra-details
 
 ## Accessing `cluster-info`
 
+> _Not all clusters have a `kube-public`, you can skip these steps if your cluster does not have this namespace._
+
 - Earlier, when trying to access the API server, we got a `Forbidden` message
 
 - But `cluster-info` is readable by everyone (even without authentication)
@@ -426,6 +436,8 @@ class: extra-details
 
 ## Retrieving `kubeconfig`
 
+> _Not all clusters have a `kube-public`, you can skip these steps if your cluster does not have this namespace._
+
 - We can easily extract the `kubeconfig` file from this ConfigMap
 
 .exercise[
@@ -475,10 +487,10 @@ class: extra-details
 
 .exercise[
 
-- List the services on our cluster with one of these commands:
+- List the services in our default namespace with one of these commands:
  ```bash
- kubectl get services
- kubectl get svc
+ kubectl -n default get services
+ kubectl -n default get svc
  ```
 
 ]