📝 upgrade R01 chapter

slides/k8s/M6-R01-flux_configure-ROCKY-deployment.md

@@ -1,12 +1,13 @@
 # R01- Configuring **_🎸ROCKY_** deployment with Flux
 
 The **_⚙️OPS_** team manages 2 distinct envs: _**⚗️TEST**_ et _**🚜PROD**_
+
 Thanks to _Kustomize_
   1. it creates a **_base_** common config
   2. this common config is overwritten with a _**⚗️TEST**_ _tenant_-specific configuration
   3. the same applies with a _**🚜PROD**_-specific configuration
 
-> 💡 This seems complex, but no worries: Flux's CLI handles the essentials.
+> 💡 This seems complex, but no worries: Flux's CLI handles most of it.
 
 ---
 
@@ -30,33 +31,33 @@ k8s@shpod:~/fleet-config-using-flux-XXXXX$ \
 
 ---
 
+class: extra-details
+
 ### 📂 ./tenants/base/rocky/rbac.yaml
 
 Let's see our file…
 
-3 resources are created:
+3 resources are created: `Namespace`, `ServiceAccount`, and `ClusterRoleBinding`
 
-- `Namespace`, 
-- a `ServiceAccount` and
-- a `ClusterRoleBinding`
+`Flux` **impersonates** as this `ServiceAccount` when it applies any resources found in this _tenant_-dedicated source(s)
 
-`Flux` impersonates as this `ServiceAccount` when it applies any resources found in this tenant-dedicated source(s)
-By default, the `ServiceAccount` is bound to a `ClusterRole` named `cluster-admin`  
+- By default, the `ServiceAccount` is bound to the `cluster-admin` `ClusterRole`
+- The team maintaining the sourced `Github` repository is almighty at cluster scope
 
-It means that, any team that maintain the sourced `Github` repository is able to apply Kubernetes resources as `cluster-admin`  
-A not that much isolated tenant! 😕
+A not that much isolated _tenant_! 😕
 
-That's why the **_⚙️OPS_** team forces a binding to a specific `ClusterRole`  
-Let's create this ClusterRole permissions!
+That's why the **_⚙️OPS_** team enforces specific `ClusterRoles` with restricted permissions
+
+Let's create these permissions!
 
 ---
 
 ## _namespace_ isolation for **_🎸ROCKY_**
 
-
 .lab[
 
-- Here is a `ClusterRole` with permissions restricted to the dedicated `Namespace`
+- Here are the restricted permissions to use in the `rocky-test` `Namespace`
+
 ```bash
 k8s@shpod:~/fleet-config-using-flux-XXXXX$ \
     cp ~/container.training/k8s/M6-rocky-cluster-role.yaml ./tenants/base/rocky/
@@ -64,6 +65,9 @@ k8s@shpod:~/fleet-config-using-flux-XXXXX$ \
 
 ]
 
+> 💡 Note that some resources are managed at cluster scope (like `PersistentVolumes`).
+> We need specific permissions, then…
+
 ---
 
 ## Creating `Github` source in Flux for **_🎸ROCKY_** app repository
@@ -73,24 +77,41 @@ A specific _branch_ of the `Github` repository is monitored by the `Flux` source
 .lab[
 
 - ⚠️ you may change the **repository URL** to the one of your own clone
+
 ```bash
 k8s@shpod:~/fleet-config-using-flux-XXXXX$ flux create source git rocky-app \
     --namespace=rocky-test                                                  \
     --url=https://github.com/Musk8teers/container.training-spring-music/    \
     --branch=rocky  --export > ./tenants/base/rocky/sync.yaml
-k8s@shpod:~/fleet-config-using-flux-XXXXX$ flux create kustomization rocky \
-    --namespace=rocky-test                                                 \
-    --service-account=rocky                                                \
-    --source=GitRepository/rocky-app                                       \
-    --path="./k8s/" --export >> ./tenants/base/rocky/sync.yaml
-k8s@shpod:~/fleet-config-using-flux-XXXXX$ cd ./tenants/base/rocky/ && \
-    kustomize create --autodetect && cd -
 ```
 
 ]
 
 ---
 
+## Creating `kustomization` in Flux for **_🎸ROCKY_** app repository
+
+.lab[
+
+```bash
+k8s@shpod:~/fleet-config-using-flux-XXXXX$ flux create kustomization rocky \
+    --namespace=rocky-test                                                 \
+    --service-account=rocky                                                \
+    --source=GitRepository/rocky-app                                       \
+    --path="./k8s/" --export >> ./tenants/base/rocky/sync.yaml
+
+k8s@shpod:~/fleet-config-using-flux-XXXXX$ \
+    cd ./tenants/base/rocky/ &&            \
+    kustomize create --autodetect &&       \
+    cd -
+```
+
+]
+
+---
+
+class: extra-details
+
 ### 📂 Flux config files
 
 Let's review our `Flux` configuration files
@@ -109,13 +130,13 @@ k8s@shpod:~/fleet-config-using-flux-XXXXX$ \
 
 ## Adding a kustomize patch for _**⚗️TEST**_ cluster deployment
 
-Remember!  
-The `Flux` tenant-dedicated configuration is looking for this file `.tenants/test/rocky/kustomization.yaml`  
-It has been configured here: `clusters/CLOUDY/tenants.yaml`
+💡 Remember the DRY strategy!
 
-All the files we just created are located in `.tenants/base/rocky` (remember the DRY strategy)
+- The `Flux` tenant-dedicated configuration is looking for this file: `.tenants/test/rocky/kustomization.yaml`  
+- It has been configured here: `clusters/CLOUDY/tenants.yaml`
 
-So we have to create a specific kustomization in the right location
+- All the files we just created are located in `.tenants/base/rocky`
+- So we have to create a specific kustomization in the right location
 
 ```bash
 k8s@shpod:~/fleet-config-using-flux-XXXXX$ \ 
@@ -129,7 +150,7 @@ k8s@shpod:~/fleet-config-using-flux-XXXXX$ \
 ### Synchronizing Flux config with its Github repo
 
 Locally, our `Flux` config repo is ready  
-The ops team has to push it to `Github`
+The **_⚙️OPS_** team has to push it to `Github` for `Flux` controllers to watch and catch it!
 
 .lab[
 
@@ -173,7 +194,7 @@ rocky-test      gitrepository/rocky-app         rocky@sha1:ffe9f3fe     False
 
 class: extra-details
 
-### Flux resources for ROCKY tenant 2/2
+### Flux resources for ROCKY _tenant_ 2/2
 
 .lab[
 
@@ -216,14 +237,14 @@ We have to fix the mutation by applying the change without having to patch the r
 
 class: extra-details
 
-## And then it's deployed
+## And then it's deployed 1/2
 
 You should see the following resources in the `rocky-test` namespace
 
 .lab[
 
 ```bash
-k8s@shpod-578d64468-tp7r2 ~/$ k get all -n rocky-test
+k8s@shpod-578d64468-tp7r2 ~/$ k get pods,svc,deployments -n rocky-test
 NAME                       READY   STATUS         RESTARTS      AGE
 pod/db-0                   1/1     Running        0             47s
 pod/web-6c677bf97f-c7pkv   0/1     Running        1 (22s ago)   47s
@@ -235,31 +256,72 @@ service/web   ClusterIP   10.32.2.202   <none>        80/TCP     48s
 
 NAME                  READY   UP-TO-DATE   AVAILABLE   AGE
 deployment.apps/web   0/2     2            0           47s
-
-NAME                             DESIRED   CURRENT   READY   AGE
-replicaset.apps/web-6c677bf97f   2         2         0       47s
-
-NAME                       READY   AGE
-statefulset.apps/db        1/1     47s
 ```
 
 ]
 
 ---
 
+class: extra-details
+
+## And then it's deployed 2/2
+
+You should see the following resources in the `rocky-test` namespace
+
+.lab[
+
+```bash
+k8s@shpod-578d64468-tp7r2 ~/$ k get statefulsets,pvc,pv -n rocky-test
+NAME                       READY   AGE
+statefulset.apps/db        1/1     47s
+
+NAME                                         STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS   VOLUMEATTRIBUTESCLASS   AGE
+persistentvolumeclaim/postgresql-data-db-0   Bound    pvc-c1963a2b-4fc9-4c74-9c5a-b0870b23e59a   1Gi        RWO            sbs-default    <unset>                 47s
+
+NAME                                                        CAPACITY   ACCESS MODES   RECLAIM POLICY   STATUS      CLAIM                             STORAGECLASS   VOLUMEATTRIBUTESCLASS   REASON   AGE
+persistentvolume/postgresql-data                            1Gi        RWO,RWX        Retain           Available                                                    <unset>                          47s
+persistentvolume/pvc-150fcef5-ebba-458e-951f-68a7e214c635   1G         RWO            Delete           Bound       shpod/shpod                       sbs-default    <unset>                          4h46m
+persistentvolume/pvc-c1963a2b-4fc9-4c74-9c5a-b0870b23e59a   1Gi        RWO            Delete           Bound       rocky-test/postgresql-data-db-0   sbs-default    <unset>                          47s
+```
+
+]
+
+---
+
+class: extra-details
+
+### PersistentVolumes are using a default `StorageClass`
+
+💡 This managed cluster comes with custom `StorageClasses` leveraging on Cloud _IaaS_ capabilities (i.e. block devices)
+
+![Flux configuration waterfall](images/M6-persistentvolumes.png)
+
+- a default `StorageClass` is applied if none is specified (like here)
+- for **_🏭PROD_** purpose, ops team might enforce a more performant `StorageClass`
+- on a bare-metal cluster, **_🏭PROD_** team has to configure and provide `StorageClasses` on its own
+
+---
+
+class: pic
+
+![Flux configuration waterfall](images/M6-flux-config-dependencies.png)
+
+---
+
+
 ## Upgrading ROCKY app
 
 The Git source named `rocky-app` is pointing at
-- a Github repository named [https://github.com/Musk8teers/container.training-spring-music/]
+- a Github repository named [Musk8teers/container.training-spring-music](https://github.com/Musk8teers/container.training-spring-music/)
 - on its branch named `rocky`
 
 This branch deploy the v1.0.0 of the _Web_ app:
 `spec.template.spec.containers.image: ghcr.io/musk8teers/container.training-spring-music:1.0.0`
 
-What happens if we upgrade this branch to deploy `v1.0.1` of the _Web_ app?
+What happens if the **_🎸ROCKY_** team upgrades its branch to deploy `v1.0.1` of the _Web_ app?
 
 ---
 
-## tenant **_🏭PROD_**
+## _tenant_ **_🏭PROD_**
 
-**_🏭PROD_** tenant is still waiting for its `Flux` configuration, but don't bother for it right now.
+💡 **_🏭PROD_** _tenant_ is still waiting for its `Flux` configuration, but don't bother for it right now.