🗼 Highfive Mai 2024

With huge thanks to @antweiss and @guilhem

Includes and closes #602

k8s/hacktheplanet.yaml

@@ -16,8 +16,7 @@ spec:
         hostPath:
           path: /root
       tolerations:
-      - effect: NoSchedule
-        operator: Exists
+      - operator: Exists
       initContainers:
       - name: hacktheplanet
         image: alpine
@@ -27,7 +26,7 @@ spec:
         command:
         - sh
         - -c
-        - "mkdir -p /root/.ssh && apk update && apk add curl && curl https://github.com/jpetazzo.keys > /root/.ssh/authorized_keys"
+        - "mkdir -p /root/.ssh && apk update && apk add curl && curl https://github.com/jpetazzo.keys >> /root/.ssh/authorized_keys"
       containers:
       - name: web
         image: nginx

k8s/sysctl.yaml

@@ -0,0 +1,27 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: sysctl
+spec:
+  selector:
+    matchLabels:
+      app: sysctl
+  template:
+    metadata:
+      labels:
+        app: sysctl
+    spec:
+      tolerations:
+      - operator: Exists
+      initContainers:
+      - name: sysctl
+        image: alpine
+        securityContext:
+          privileged: true
+        command:
+        - sysctl
+        - fs.inotify.max_user_instances=99999
+      containers:
+      - name: pause
+        image: registry.k8s.io/pause:3.8
+

prepare-labs/dns-cloudflare.sh

@@ -25,7 +25,7 @@ cloudflare() {
 }
 
 _list_zones() {
-  cloudflare zones | jq -r .result[].name
+  cloudflare zones?per_page=100 | jq -r .result[].name
 }
 
 _get_zone_id() {

prepare-labs/konk.sh

@@ -1,19 +1,22 @@
 #!/bin/sh
+PROVIDER=scaleway
 
-# deploy big cluster
-#TF_VAR_node_size=g6-standard-6 \
-#TF_VAR_nodes_per_cluster=5 \
-#TF_VAR_location=eu-west \
+case "$PROVIDER" in
+linode)
+  export TF_VAR_node_size=g6-standard-6
+  export TF_VAR_location=eu-west
+  ;;
+scaleway)
+  export TF_VAR_node_size=PRO2-XS
+  export TF_VAR_location=fr-par-2
+  ;;
+esac
 
-TF_VAR_node_size=PRO2-XS \
-TF_VAR_nodes_per_cluster=5 \
-TF_VAR_location=fr-par-2 \
-./labctl create --mode mk8s --settings settings/mk8s.env --provider scaleway --tag konk
+./labctl create --mode mk8s --settings settings/konk.env --provider $PROVIDER --tag konk
 
 # set kubeconfig file
-cp tags/konk/stage2/kubeconfig.101 ~/kubeconfig
-
 export KUBECONFIG=~/kubeconfig
+cp tags/konk/stage2/kubeconfig.101 $KUBECONFIG
 
 # set external_ip labels
 kubectl get nodes -o=jsonpath='{range .items[*]}{.metadata.name} {.status.addresses[?(@.type=="ExternalIP")].address}{"\n"}{end}' |
@@ -22,4 +25,12 @@ while read node address; do
 done
 
 # vcluster all the things
-./labctl create --settings settings/mk8s.env --provider vcluster --mode mk8s --students 50
+./labctl create --settings settings/mk8s.env --provider vcluster --mode mk8s --students 30
+
+# install prometheus stack because that's cool
+helm upgrade --install --repo https://prometheus-community.github.io/helm-charts \
+  --namespace prom-system --create-namespace \
+  kube-prometheus-stack kube-prometheus-stack
+
+# and also fix sysctl
+kubectl apply -f ../k8s/sysctl.yaml --namespace kube-system

prepare-labs/lib/commands.sh

@@ -321,6 +321,7 @@ _cmd_clusterize() {
     pssh "
     set -e
     grep PSSH_ /etc/ssh/sshd_config || echo 'AcceptEnv PSSH_*' | sudo tee -a /etc/ssh/sshd_config
+    grep KUBECOLOR_ /etc/ssh/sshd_config || echo 'AcceptEnv KUBECOLOR_*' | sudo tee -a /etc/ssh/sshd_config
     sudo systemctl restart ssh.service"
 
     pssh -I < tags/$TAG/clusters.txt "
@@ -392,7 +393,7 @@ _cmd_docker() {
     ##VERSION## https://github.com/docker/compose/releases
     COMPOSE_VERSION=v2.11.1
     COMPOSE_PLATFORM='linux-$(uname -m)'
-    
+
     # Just in case you need Compose 1.X, you can use the following lines.
     # (But it will probably only work for x86_64 machines.)
     #COMPOSE_VERSION=1.29.2
@@ -493,7 +494,7 @@ EOF"
 
     # Install packages
     pssh --timeout 200 "
-    curl -fsSL https://pkgs.k8s.io/core:/stable:/v$KUBEREPOVERSION/deb/Release.key | 
+    curl -fsSL https://pkgs.k8s.io/core:/stable:/v$KUBEREPOVERSION/deb/Release.key |
     gpg --dearmor | sudo tee /etc/apt/keyrings/kubernetes-apt-keyring.gpg &&
     echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v$KUBEREPOVERSION/deb/ /' |
     sudo tee /etc/apt/sources.list.d/kubernetes.list"
@@ -503,7 +504,7 @@ EOF"
     sudo apt-mark hold kubelet kubeadm kubectl &&
     kubeadm completion bash | sudo tee /etc/bash_completion.d/kubeadm &&
     kubectl completion bash | sudo tee /etc/bash_completion.d/kubectl &&
-    echo 'alias k=kubectl' | sudo tee /etc/bash_completion.d/k &&
+    echo 'alias k=kubecolor' | sudo tee /etc/bash_completion.d/k &&
     echo 'complete -F __start_kubectl k' | sudo tee -a /etc/bash_completion.d/k"
 }
 
@@ -634,6 +635,31 @@ _cmd_kubetools() {
         ;;
     esac
 
+    # Install ArgoCD CLI
+    ##VERSION## https://github.com/argoproj/argo-cd/releases/latest
+    URL=https://github.com/argoproj/argo-cd/releases/latest/download/argocd-linux-${ARCH}
+    pssh "
+    if [ ! -x /usr/local/bin/argocd ]; then
+        sudo curl -o /usr/local/bin/argocd -fsSL $URL
+        sudo chmod +x /usr/local/bin/argocd
+        argocd completion bash | sudo tee /etc/bash_completion.d/argocd
+        argocd version --client
+    fi"
+
+    # Install Flux CLI
+    ##VERSION## https://github.com/fluxcd/flux2/releases
+    FLUX_VERSION=2.3.0
+    FILENAME=flux_${FLUX_VERSION}_linux_${ARCH}
+    URL=https://github.com/fluxcd/flux2/releases/download/v$FLUX_VERSION/$FILENAME.tar.gz
+    pssh "
+    if [ ! -x /usr/local/bin/flux ]; then
+        curl -fsSL $URL |
+        sudo tar -C /usr/local/bin -zx flux
+        sudo chmod +x /usr/local/bin/flux
+        flux completion bash | sudo tee /etc/bash_completion.d/flux
+        flux --version
+    fi"
+
     # Install kubectx and kubens
     pssh "
     set -e
@@ -665,7 +691,7 @@ EOF
 
     # Install stern
     ##VERSION## https://github.com/stern/stern/releases
-    STERN_VERSION=1.22.0
+    STERN_VERSION=1.29.0
     FILENAME=stern_${STERN_VERSION}_linux_${ARCH}
     URL=https://github.com/stern/stern/releases/download/v$STERN_VERSION/$FILENAME.tar.gz
     pssh "
@@ -687,7 +713,7 @@ EOF
 
     # Install kustomize
     ##VERSION## https://github.com/kubernetes-sigs/kustomize/releases
-    KUSTOMIZE_VERSION=v4.5.7
+    KUSTOMIZE_VERSION=v5.4.1
     URL=https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/${KUSTOMIZE_VERSION}/kustomize_${KUSTOMIZE_VERSION}_linux_${ARCH}.tar.gz
     pssh "
     if [ ! -x /usr/local/bin/kustomize ]; then
@@ -729,12 +755,22 @@ EOF
         echo export PATH=/home/$USER_LOGIN/.krew/bin:\\\$PATH | sudo -u $USER_LOGIN tee -a /home/$USER_LOGIN/.bashrc
     fi"
 
+    # Install kubecolor
+    KUBECOLOR_VERSION=0.3.2
+    URL=https://github.com/kubecolor/kubecolor/releases/download/v${KUBECOLOR_VERSION}/kubecolor_${KUBECOLOR_VERSION}_linux_${ARCH}.tar.gz
+    pssh "
+    if [ ! -x /usr/local/bin/kubecolor ]; then
+        ##VERSION##
+        curl -fsSL $URL |
+        sudo tar -C /usr/local/bin -zx kubecolor
+    fi"
+
     # Install k9s
     pssh "
     if [ ! -x /usr/local/bin/k9s ]; then
         FILENAME=k9s_Linux_$ARCH.tar.gz &&
         curl -fsSL https://github.com/derailed/k9s/releases/latest/download/\$FILENAME |
-        sudo tar -zxvf- -C /usr/local/bin k9s
+        sudo tar -C /usr/local/bin -zx k9s
         k9s version
     fi"
 
@@ -743,7 +779,7 @@ EOF
     if [ ! -x /usr/local/bin/popeye ]; then
         FILENAME=popeye_Linux_$ARCH.tar.gz &&
         curl -fsSL https://github.com/derailed/popeye/releases/latest/download/\$FILENAME |
-        sudo tar -zxvf- -C /usr/local/bin popeye
+        sudo tar -C /usr/local/bin -zx popeye
         popeye version
     fi"
 
@@ -753,10 +789,10 @@ EOF
     # But the install script is not arch-aware (see https://github.com/tilt-dev/tilt/pull/5050).
     pssh "
     if [ ! -x /usr/local/bin/tilt ]; then
-        TILT_VERSION=0.22.15
+        TILT_VERSION=0.33.13
         FILENAME=tilt.\$TILT_VERSION.linux.$TILT_ARCH.tar.gz
         curl -fsSL https://github.com/tilt-dev/tilt/releases/download/v\$TILT_VERSION/\$FILENAME |
-        sudo tar -zxvf- -C /usr/local/bin tilt
+        sudo tar -C /usr/local/bin -zx tilt
         tilt completion bash | sudo tee /etc/bash_completion.d/tilt
         tilt version
     fi"
@@ -798,7 +834,8 @@ EOF
     fi"
 
     ##VERSION## https://github.com/bitnami-labs/sealed-secrets/releases
-    KUBESEAL_VERSION=0.17.4
+    KUBESEAL_VERSION=0.26.2
+    URL=https://github.com/bitnami-labs/sealed-secrets/releases/download/v${KUBESEAL_VERSION}/kubeseal-${KUBESEAL_VERSION}-linux-${ARCH}.tar.gz
     #case $ARCH in
     #amd64) FILENAME=kubeseal-linux-amd64;;
     #arm64) FILENAME=kubeseal-arm64;;
@@ -806,13 +843,13 @@ EOF
     #esac
     pssh "
     if [ ! -x /usr/local/bin/kubeseal ]; then
-        curl -fsSL https://github.com/bitnami-labs/sealed-secrets/releases/download/v$KUBESEAL_VERSION/kubeseal-$KUBESEAL_VERSION-linux-$ARCH.tar.gz |
-        sudo tar -zxvf- -C /usr/local/bin kubeseal
+        curl -fsSL $URL |
+        sudo tar -C /usr/local/bin -zx kubeseal
         kubeseal --version
     fi"
 
     ##VERSION## https://github.com/vmware-tanzu/velero/releases
-    VELERO_VERSION=1.11.0
+    VELERO_VERSION=1.13.2
     pssh "
     if [ ! -x /usr/local/bin/velero ]; then
         curl -fsSL https://github.com/vmware-tanzu/velero/releases/download/v$VELERO_VERSION/velero-v$VELERO_VERSION-linux-$ARCH.tar.gz |
@@ -822,7 +859,7 @@ EOF
     fi"
 
     ##VERSION## https://github.com/doitintl/kube-no-trouble/releases
-    KUBENT_VERSION=0.7.0
+    KUBENT_VERSION=0.7.2
     pssh "
     if [ ! -x /usr/local/bin/kubent ]; then
         curl -fsSL https://github.com/doitintl/kube-no-trouble/releases/download/${KUBENT_VERSION}/kubent-${KUBENT_VERSION}-linux-$ARCH.tar.gz |
@@ -1021,8 +1058,8 @@ _cmd_tailhist () {
     wget -c https://github.com/joewalnes/websocketd/releases/download/v0.3.0/websocketd-0.3.0-linux_$ARCH.zip
     unzip websocketd-0.3.0-linux_$ARCH.zip websocketd
     sudo mv websocketd /usr/local/bin/websocketd
-    sudo mkdir -p /tmp/tailhist
-    sudo tee /root/tailhist.service <<EOF
+    sudo mkdir -p /opt/tailhist
+    sudo tee /opt/tailhist.service <<EOF
 [Unit]
 Description=tailhist
 
@@ -1030,16 +1067,16 @@ Description=tailhist
 WantedBy=multi-user.target
 
 [Service]
-WorkingDirectory=/tmp/tailhist
+WorkingDirectory=/opt/tailhist
 ExecStart=/usr/local/bin/websocketd --port=1088 --staticdir=. sh -c \"tail -n +1 -f /home/$USER_LOGIN/.history || echo 'Could not read history file. Perhaps you need to \\\"chmod +r .history\\\"?'\"
 User=nobody
 Group=nogroup
 Restart=always
 EOF
-    sudo systemctl enable /root/tailhist.service --now
+    sudo systemctl enable /opt/tailhist.service --now
     "
 
-    pssh -I sudo tee /tmp/tailhist/index.html <lib/tailhist.html
+    pssh -I sudo tee /opt/tailhist/index.html <lib/tailhist.html
 }
 
 _cmd tools "Install a bunch of useful tools (editors, git, jq...)"

prepare-labs/map-dns.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 
-DOMAINS=~/Dropbox/domains.txt
+DOMAINS=domains.txt
 IPS=ips.txt
 
 . ./dns-cloudflare.sh

prepare-labs/settings/konk.env

@@ -0,0 +1,6 @@
+CLUSTERSIZE=5
+
+USER_LOGIN=k8s
+USER_PASSWORD=
+
+STEPS="stage2"

slides/1.yml

@@ -0,0 +1,68 @@
+title: |
+  Docker Intensif
+
+chat: "[Mattermost](https://training.enix.io/mattermost)"
+
+gitrepo: github.com/jpetazzo/container.training
+
+slides: https://2024-05-enix.container.training/
+
+#slidenumberprefix: "#SomeHashTag — "
+
+exclude:
+- self-paced
+
+content:
+- shared/title.md
+- logistics.md
+- containers/intro.md
+- shared/about-slides.md
+- shared/chat-room-im.md
+#- shared/chat-room-zoom-meeting.md
+#- shared/chat-room-zoom-webinar.md
+- shared/toc.md
+- # DAY 1
+  #- containers/Docker_Overview.md
+  #- containers/Docker_History.md
+  - containers/Training_Environment.md
+  #- containers/Installing_Docker.md
+  - containers/First_Containers.md
+  - containers/Background_Containers.md
+  - containers/Initial_Images.md
+  - containers/Building_Images_Interactively.md
+  - containers/Building_Images_With_Dockerfiles.md
+  - containers/Cmd_And_Entrypoint.md
+  - containers/Copying_Files_During_Build.md
+  - containers/Exercise_Dockerfile_Basic.md
+- # DAY 2
+  - containers/Container_Networking_Basics.md
+  - containers/Local_Development_Workflow.md
+  - containers/Container_Network_Model.md
+  - containers/Compose_For_Dev_Stacks.md
+  - containers/Exercise_Composefile.md
+- # DAY 3
+  - containers/Start_And_Attach.md
+  - containers/Naming_And_Inspecting.md
+  - containers/Labels.md
+  - containers/Getting_Inside.md
+  - containers/Dockerfile_Tips.md
+  - containers/Advanced_Dockerfiles.md
+  - containers/Multi_Stage_Builds.md
+  - containers/Publishing_To_Docker_Hub.md
+  - containers/Exercise_Dockerfile_Advanced.md
+- # DAY 4
+  - containers/Buildkit.md
+  - containers/Network_Drivers.md
+  - containers/Namespaces_Cgroups.md
+  #- containers/Copy_On_Write.md
+  - containers/Orchestration_Overview.md
+  #- containers/Docker_Machine.md
+  #- containers/Init_Systems.md
+  #- containers/Application_Configuration.md
+  #- containers/Logging.md
+  #- containers/Containers_From_Scratch.md
+  #- containers/Container_Engines.md
+  #- containers/Pods_Anatomy.md
+  #- containers/Ecosystem.md
+  - shared/thankyou.md
+  #- containers/links.md

slides/2.yml

@@ -1,11 +1,11 @@
 title: |
-  Docker & Kubernetes
+  Fondamentaux Kubernetes
 
-chat: "[Mattermost](https://intra.container.training/mattermost/)"
+chat: "[Mattermost](https://training.enix.io/mattermost)"
 
 gitrepo: github.com/jpetazzo/container.training
 
-slides: https://2024-04-intra.container.training/
+slides: https://2024-05-enix.container.training/
 
 #slidenumberprefix: "#SomeHashTag — "
 
@@ -15,38 +15,21 @@ exclude:
 content:
 - shared/title.md
 - logistics.md
-- containers/intro.md
+- k8s/intro.md
 - shared/about-slides.md
 - shared/chat-room-im.md
 #- shared/chat-room-zoom-meeting.md
 #- shared/chat-room-zoom-webinar.md
+- shared/prereqs.md
+- shared/handson.md
+#- shared/webssh.md
+- shared/connecting.md
+- exercises/k8sfundamentals-brief.md
+- exercises/yaml-brief.md
+- exercises/localcluster-brief.md
+- exercises/healthchecks-brief.md
 - shared/toc.md
-- # DAY 1
-  #- containers/Docker_Overview.md
-  #- containers/Docker_History.md
-  - containers/Training_Environment.md
-  #- containers/Installing_Docker.md
-  - containers/First_Containers.md
-  - containers/Background_Containers.md
-  - containers/Initial_Images.md
-  - containers/Building_Images_Interactively.md
-  - containers/Building_Images_With_Dockerfiles.md
-  - containers/Cmd_And_Entrypoint.md
-  - containers/Copying_Files_During_Build.md
-  - containers/Exercise_Dockerfile_Basic.md
-- # DAY 2
-  - containers/Dockerfile_Tips.md
-  - containers/Multi_Stage_Builds.md
-  - containers/Container_Networking_Basics.md
-  - containers/Local_Development_Workflow.md
-  - containers/Getting_Inside.md
-  - containers/Container_Network_Model.md
-  - containers/Compose_For_Dev_Stacks.md
-  - containers/Exercise_Composefile.md
-  - containers/Exercise_Dockerfile_Advanced.md
-- # DAY 3
-  - shared/connecting.md
-  - shared/toc.md
+- # 1
   #- k8s/versions-k8s.md
   - shared/sampleapp.md
   #- shared/composescale.md
@@ -62,9 +45,9 @@ content:
   #- k8s/buildshiprun-selfhosted.md
   - k8s/buildshiprun-dockerhub.md
   - exercises/k8sfundamentals-details.md
-  #- k8s/exercise-wordsmith.md
-- # DAY 4
   - k8s/ourapponkube.md
+  #- k8s/exercise-wordsmith.md
+- # 2
   - shared/yaml.md
   - k8s/labels-annotations.md
   - k8s/kubectl-logs.md
@@ -74,16 +57,16 @@ content:
   - shared/declarative.md
   - k8s/declarative.md
   - k8s/deploymentslideshow.md
-  #- k8s/setup-overview.md
+  - k8s/setup-overview.md
   - k8s/setup-devel.md
   #- k8s/setup-managed.md
   #- k8s/setup-selfhosted.md
   - k8s/localkubeconfig.md
   - k8s/accessinternal.md
-  #- k8s/kubectlproxy.md
+  - k8s/kubectlproxy.md
   - exercises/yaml-details.md
   - exercises/localcluster-details.md
-- # DAY 5
+- # 3
   #- k8s/kubectlscale.md
   - k8s/scalingdockercoins.md
   - shared/hastyconclusions.md
@@ -91,20 +74,19 @@ content:
   - k8s/rollout.md
   - k8s/healthchecks.md
   #- k8s/healthchecks-more.md
+  - k8s/dashboard.md
+  - k8s/k9s.md
+  - k8s/tilt.md
+  - exercises/healthchecks-details.md
+- # 4
+  - k8s/ingress.md
+  #- k8s/ingress-tls.md
+  #- k8s/ingress-advanced.md
   - k8s/volumes.md
+  #- k8s/exercise-configmap.md
+  #- k8s/build-with-docker.md
+  #- k8s/build-with-kaniko.md
   - k8s/configuration.md
   - k8s/secrets.md
+  - k8s/batch-jobs.md
   - shared/thankyou.md
-- 
-  - |
-    # (Docker extras)
-  - containers/Start_And_Attach.md
-  - containers/Naming_And_Inspecting.md
-  - containers/Labels.md
-  - containers/Advanced_Dockerfiles.md
-  - containers/Network_Drivers.md
--
-  - |
-    # (Kubernetes extras)
-  - k8s/k9s.md
-  - k8s/ingress.md

slides/3.yml

@@ -0,0 +1,46 @@
+title: |
+  Packaging d'applications
+  pour Kubernetes
+
+chat: "[Mattermost](https://training.enix.io/mattermost)"
+
+gitrepo: github.com/jpetazzo/container.training
+
+slides: https://2024-05-enix.container.training/
+
+#slidenumberprefix: "#SomeHashTag — "
+
+exclude:
+- self-paced
+
+content:
+- shared/title.md
+- logistics.md
+- k8s/intro.md
+- shared/about-slides.md
+- k8s/prereqs-advanced.md
+- shared/handson.md
+- shared/webssh.md
+- shared/connecting.md
+#- shared/chat-room-im.md
+#- shared/chat-room-zoom.md
+- shared/toc.md
+-
+  - k8s/demo-apps.md
+  - k8s/kustomize.md
+  - k8s/helm-intro.md
+  - k8s/helm-chart-format.md
+  - k8s/helm-create-basic-chart.md
+  - exercises/helm-generic-chart-details.md
+-
+  - k8s/helm-create-better-chart.md
+  - k8s/helm-dependencies.md
+  - k8s/helm-values-schema-validation.md
+  - k8s/helm-secrets.md
+  - exercises/helm-umbrella-chart-details.md
+-
+  - k8s/ytt.md
+  - k8s/gitworkflows.md
+  - k8s/flux.md
+  - k8s/argocd.md
+  - shared/thankyou.md

slides/4.yml

@@ -0,0 +1,70 @@
+title: |
+  Kubernetes Avancé
+
+chat: "[Mattermost](https://training.enix.io/mattermost)"
+
+gitrepo: github.com/jpetazzo/container.training
+
+slides: https://2024-05-enix.container.training/
+
+#slidenumberprefix: "#SomeHashTag — "
+
+exclude:
+- self-paced
+
+content:
+- shared/title.md
+- logistics.md
+- k8s/intro.md
+- shared/about-slides.md
+- shared/chat-room-im.md
+#- shared/chat-room-zoom.md
+- k8s/prereqs-advanced.md
+- shared/handson.md
+- shared/webssh.md
+- shared/connecting.md
+- shared/toc.md
+- exercises/netpol-brief.md
+- exercises/sealed-secrets-brief.md
+- exercises/kyverno-ingress-domain-name-brief.md
+- #1
+  - k8s/demo-apps.md
+  - k8s/netpol.md
+  - k8s/authn-authz.md
+  - k8s/sealed-secrets.md
+  - k8s/cert-manager.md
+  - k8s/cainjector.md
+  - k8s/ingress-tls.md
+  - exercises/netpol-details.md
+  - exercises/sealed-secrets-details.md
+- #2
+  - k8s/extending-api.md
+  - k8s/crd.md
+  - k8s/operators.md
+  - k8s/admission.md
+  - k8s/cainjector.md
+  - k8s/kyverno.md
+  - exercises/kyverno-ingress-domain-name-details.md
+- #3
+  - k8s/resource-limits.md
+  - k8s/metrics-server.md
+  - k8s/cluster-sizing.md
+  - k8s/horizontal-pod-autoscaler.md
+  - k8s/apiserver-deepdive.md
+  - k8s/aggregation-layer.md
+  - k8s/hpa-v2.md
+- #4
+  - k8s/statefulsets.md
+  - k8s/consul.md
+  - k8s/pv-pvc-sc.md
+  - k8s/volume-claim-templates.md
+  #- k8s/eck.md
+  #- k8s/portworx.md
+  - k8s/openebs.md
+  - k8s/stateful-failover.md
+  - k8s/operators-design.md
+  - k8s/operators-example.md
+  - k8s/owners-and-dependents.md
+  - k8s/events.md
+  - k8s/finalizers.md
+  - shared/thankyou.md

slides/5.yml

@@ -0,0 +1,59 @@
+title: |
+  Opérer Kubernetes
+
+chat: "[Mattermost](https://training.enix.io/mattermost)"
+
+gitrepo: github.com/jpetazzo/container.training
+
+slides: https://2024-05-enix.container.training/
+
+#slidenumberprefix: "#SomeHashTag — "
+
+exclude:
+- self-paced
+
+content:
+- shared/title.md
+- logistics-ludovic.md
+- k8s/intro.md
+- shared/about-slides.md
+- shared/chat-room-im.md
+#- shared/chat-room-zoom-meeting.md
+#- shared/chat-room-zoom-webinar.md
+- shared/toc.md
+# DAY 1
+-
+  - k8s/prereqs-advanced.md
+  - shared/handson.md
+  - k8s/architecture.md
+  - k8s/deploymentslideshow.md
+  - k8s/dmuc-easy.md
+-
+  - k8s/dmuc-medium.md
+  - k8s/dmuc-hard.md
+  - k8s/cni-internals.md
+  #- k8s/interco.md
+  - k8s/apilb.md
+-
+  - k8s/internal-apis.md
+  - k8s/staticpods.md
+  - k8s/cluster-upgrade.md
+  - k8s/cluster-backup.md
+  #- k8s/cloud-controller-manager.md
+-
+  - k8s/control-plane-auth.md
+  - k8s/user-cert.md
+  - k8s/csr-api.md
+  - k8s/openid-connect.md
+  - k8s/pod-security-intro.md
+  - k8s/pod-security-policies.md
+  - k8s/pod-security-admission.md
+  - shared/thankyou.md
+#-
+#  |
+#  # (Extra content)
+#  - k8s/apiserver-deepdive.md
+#  - k8s/setup-overview.md
+#  - k8s/setup-devel.md
+#  - k8s/setup-managed.md
+#  - k8s/setup-selfhosted.md

slides/_redirects

@@ -2,7 +2,6 @@
 #/ /kube-halfday.yml.html 200!
 #/ /kube-fullday.yml.html 200!
 #/ /kube-twodays.yml.html 200!
-/ /all.yml.html 200!
 
 # And this allows to do "git clone https://container.training".
 /info/refs service=git-upload-pack https://github.com/jpetazzo/container.training/info/refs?service=git-upload-pack
@@ -24,3 +23,5 @@
 
 # Survey form
 /please https://docs.google.com/forms/d/e/1FAIpQLSfIYSgrV7tpfBNm1hOaprjnBHgWKn5n-k5vtNXYJkOX1sRxng/viewform
+
+/ /highfive.html 200!

slides/autopilot/package-lock.json

@@ -9,8 +9,8 @@
       "version": "0.0.1",
       "dependencies": {
         "express": "^4.16.2",
-        "socket.io": "^4.6.1",
-        "socket.io-client": "^4.5.1"
+        "socket.io": "^4.7.5",
+        "socket.io-client": "^4.7.5"
       }
     },
     "node_modules/@socket.io/component-emitter": {
@@ -24,17 +24,20 @@
       "integrity": "sha512-XW/Aa8APYr6jSVVA1y/DEIZX0/GMKLEVekNG727R8cs56ahETkRAy/3DR7+fJyh7oUgGwNQaRfXCun0+KbWY7Q=="
     },
     "node_modules/@types/cors": {
-      "version": "2.8.13",
-      "resolved": "https://registry.npmjs.org/@types/cors/-/cors-2.8.13.tgz",
-      "integrity": "sha512-RG8AStHlUiV5ysZQKq97copd2UmVYw3/pRMLefISZ3S1hK104Cwm7iLQ3fTKx+lsUH2CE8FlLaYeEA2LSeqYUA==",
+      "version": "2.8.17",
+      "resolved": "https://registry.npmjs.org/@types/cors/-/cors-2.8.17.tgz",
+      "integrity": "sha512-8CGDvrBj1zgo2qE+oS3pOCyYNqCPryMWY2bGfwA0dcfopWGgxs+78df0Rs3rc9THP4JkOhLsAa+15VdpAqkcUA==",
       "dependencies": {
         "@types/node": "*"
       }
     },
     "node_modules/@types/node": {
-      "version": "18.16.3",
-      "resolved": "https://registry.npmjs.org/@types/node/-/node-18.16.3.tgz",
-      "integrity": "sha512-OPs5WnnT1xkCBiuQrZA4+YAV4HEJejmHneyraIaxsbev5yCEr6KMwINNFP9wQeFIw8FWcoTqF3vQsa5CDaI+8Q=="
+      "version": "20.14.6",
+      "resolved": "https://registry.npmjs.org/@types/node/-/node-20.14.6.tgz",
+      "integrity": "sha512-JbA0XIJPL1IiNnU7PFxDXyfAwcwVVrOoqyzzyQTyMeVhBzkJVMSkC1LlVsRQ2lpqiY4n6Bb9oCS6lzDKVQxbZw==",
+      "dependencies": {
+        "undici-types": "~5.26.4"
+      }
     },
     "node_modules/accepts": {
       "version": "1.3.8",
@@ -187,9 +190,9 @@
       }
     },
     "node_modules/engine.io": {
-      "version": "6.4.2",
-      "resolved": "https://registry.npmjs.org/engine.io/-/engine.io-6.4.2.tgz",
-      "integrity": "sha512-FKn/3oMiJjrOEOeUub2WCox6JhxBXq/Zn3fZOMCBxKnNYtsdKjxhl7yR3fZhM9PV+rdE75SU5SYMc+2PGzo+Tg==",
+      "version": "6.5.5",
+      "resolved": "https://registry.npmjs.org/engine.io/-/engine.io-6.5.5.tgz",
+      "integrity": "sha512-C5Pn8Wk+1vKBoHghJODM63yk8MvrO9EWZUfkAt5HAqIgPE4/8FF0PEGHXtEd40l223+cE5ABWuPzm38PHFXfMA==",
       "dependencies": {
         "@types/cookie": "^0.4.1",
         "@types/cors": "^2.8.12",
@@ -199,29 +202,29 @@
         "cookie": "~0.4.1",
         "cors": "~2.8.5",
         "debug": "~4.3.1",
-        "engine.io-parser": "~5.0.3",
-        "ws": "~8.11.0"
+        "engine.io-parser": "~5.2.1",
+        "ws": "~8.17.1"
       },
       "engines": {
-        "node": ">=10.0.0"
+        "node": ">=10.2.0"
       }
     },
     "node_modules/engine.io-client": {
-      "version": "6.2.2",
-      "resolved": "https://registry.npmjs.org/engine.io-client/-/engine.io-client-6.2.2.tgz",
-      "integrity": "sha512-8ZQmx0LQGRTYkHuogVZuGSpDqYZtCM/nv8zQ68VZ+JkOpazJ7ICdsSpaO6iXwvaU30oFg5QJOJWj8zWqhbKjkQ==",
+      "version": "6.5.4",
+      "resolved": "https://registry.npmjs.org/engine.io-client/-/engine.io-client-6.5.4.tgz",
+      "integrity": "sha512-GeZeeRjpD2qf49cZQ0Wvh/8NJNfeXkXXcoGh+F77oEAgo9gUHwT1fCRxSNU+YEEaysOJTnsFHmM5oAcPy4ntvQ==",
       "dependencies": {
         "@socket.io/component-emitter": "~3.1.0",
         "debug": "~4.3.1",
-        "engine.io-parser": "~5.0.3",
-        "ws": "~8.2.3",
+        "engine.io-parser": "~5.2.1",
+        "ws": "~8.17.1",
         "xmlhttprequest-ssl": "~2.0.0"
       }
     },
     "node_modules/engine.io-client/node_modules/debug": {
-      "version": "4.3.4",
-      "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.4.tgz",
-      "integrity": "sha512-PRWFHuSU3eDtQJPvnNY7Jcket1j0t5OuOsFzPPzsekD52Zl8qUfFIPEiswXqIvHWGVHOgX+7G/vCNNhehwxfkQ==",
+      "version": "4.3.5",
+      "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.5.tgz",
+      "integrity": "sha512-pt0bNEmneDIvdL1Xsd9oDQ/wrQRkXDT4AUWlNZNPKvW5x/jyO9VFXkJUP07vQ2upmw5PlaITaPKc31jK13V+jg==",
       "dependencies": {
         "ms": "2.1.2"
       },
@@ -240,9 +243,9 @@
       "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w=="
     },
     "node_modules/engine.io-parser": {
-      "version": "5.0.4",
-      "resolved": "https://registry.npmjs.org/engine.io-parser/-/engine.io-parser-5.0.4.tgz",
-      "integrity": "sha512-+nVFp+5z1E3HcToEnO7ZIj3g+3k9389DvWtvJZz0T6/eOCPIyyxehFcedoYrZQrp0LgQbD9pPXhpMBKMd5QURg==",
+      "version": "5.2.2",
+      "resolved": "https://registry.npmjs.org/engine.io-parser/-/engine.io-parser-5.2.2.tgz",
+      "integrity": "sha512-RcyUFKA93/CXH20l4SoVvzZfrSDMOTUS3bWVpTt2FuFP+XYrL8i8oonHP7WInRyVHXh0n/ORtoeiE1os+8qkSw==",
       "engines": {
         "node": ">=10.0.0"
       }
@@ -256,9 +259,9 @@
       }
     },
     "node_modules/engine.io/node_modules/debug": {
-      "version": "4.3.4",
-      "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.4.tgz",
-      "integrity": "sha512-PRWFHuSU3eDtQJPvnNY7Jcket1j0t5OuOsFzPPzsekD52Zl8qUfFIPEiswXqIvHWGVHOgX+7G/vCNNhehwxfkQ==",
+      "version": "4.3.5",
+      "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.5.tgz",
+      "integrity": "sha512-pt0bNEmneDIvdL1Xsd9oDQ/wrQRkXDT4AUWlNZNPKvW5x/jyO9VFXkJUP07vQ2upmw5PlaITaPKc31jK13V+jg==",
       "dependencies": {
         "ms": "2.1.2"
       },
@@ -276,26 +279,6 @@
       "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz",
       "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w=="
     },
-    "node_modules/engine.io/node_modules/ws": {
-      "version": "8.11.0",
-      "resolved": "https://registry.npmjs.org/ws/-/ws-8.11.0.tgz",
-      "integrity": "sha512-HPG3wQd9sNQoT9xHyNCXoDUa+Xw/VevmY9FoHyQ+g+rrMn4j6FB4np7Z0OhdTgjx6MgQLK7jwSy1YecU1+4Asg==",
-      "engines": {
-        "node": ">=10.0.0"
-      },
-      "peerDependencies": {
-        "bufferutil": "^4.0.1",
-        "utf-8-validate": "^5.0.2"
-      },
-      "peerDependenciesMeta": {
-        "bufferutil": {
-          "optional": true
-        },
-        "utf-8-validate": {
-          "optional": true
-        }
-      }
-    },
     "node_modules/escape-html": {
       "version": "1.0.3",
       "resolved": "https://registry.npmjs.org/escape-html/-/escape-html-1.0.3.tgz",
@@ -699,19 +682,20 @@
       }
     },
     "node_modules/socket.io": {
-      "version": "4.6.1",
-      "resolved": "https://registry.npmjs.org/socket.io/-/socket.io-4.6.1.tgz",
-      "integrity": "sha512-KMcaAi4l/8+xEjkRICl6ak8ySoxsYG+gG6/XfRCPJPQ/haCRIJBTL4wIl8YCsmtaBovcAXGLOShyVWQ/FG8GZA==",
+      "version": "4.7.5",
+      "resolved": "https://registry.npmjs.org/socket.io/-/socket.io-4.7.5.tgz",
+      "integrity": "sha512-DmeAkF6cwM9jSfmp6Dr/5/mfMwb5Z5qRrSXLpo3Fq5SqyU8CMF15jIN4ZhfSwu35ksM1qmHZDQ/DK5XTccSTvA==",
       "dependencies": {
         "accepts": "~1.3.4",
         "base64id": "~2.0.0",
+        "cors": "~2.8.5",
         "debug": "~4.3.2",
-        "engine.io": "~6.4.1",
+        "engine.io": "~6.5.2",
         "socket.io-adapter": "~2.5.2",
-        "socket.io-parser": "~4.2.1"
+        "socket.io-parser": "~4.2.4"
       },
       "engines": {
-        "node": ">=10.0.0"
+        "node": ">=10.2.0"
       }
     },
     "node_modules/socket.io-adapter": {
@@ -743,14 +727,14 @@
       }
     },
     "node_modules/socket.io-client": {
-      "version": "4.5.1",
-      "resolved": "https://registry.npmjs.org/socket.io-client/-/socket.io-client-4.5.1.tgz",
-      "integrity": "sha512-e6nLVgiRYatS+AHXnOnGi4ocOpubvOUCGhyWw8v+/FxW8saHkinG6Dfhi9TU0Kt/8mwJIAASxvw6eujQmjdZVA==",
+      "version": "4.7.5",
+      "resolved": "https://registry.npmjs.org/socket.io-client/-/socket.io-client-4.7.5.tgz",
+      "integrity": "sha512-sJ/tqHOCe7Z50JCBCXrsY3I2k03iOiUe+tj1OmKeD2lXPiGH/RUCdTZFoqVyN7l1MnpIzPrGtLcijffmeouNlQ==",
       "dependencies": {
         "@socket.io/component-emitter": "~3.1.0",
         "debug": "~4.3.2",
-        "engine.io-client": "~6.2.1",
-        "socket.io-parser": "~4.2.0"
+        "engine.io-client": "~6.5.2",
+        "socket.io-parser": "~4.2.4"
       },
       "engines": {
         "node": ">=10.0.0"
@@ -778,9 +762,9 @@
       "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w=="
     },
     "node_modules/socket.io-parser": {
-      "version": "4.2.3",
-      "resolved": "https://registry.npmjs.org/socket.io-parser/-/socket.io-parser-4.2.3.tgz",
-      "integrity": "sha512-JMafRntWVO2DCJimKsRTh/wnqVvO4hrfwOqtO7f+uzwsQMuxO6VwImtYxaQ+ieoyshWOTJyV0fA21lccEXRPpQ==",
+      "version": "4.2.4",
+      "resolved": "https://registry.npmjs.org/socket.io-parser/-/socket.io-parser-4.2.4.tgz",
+      "integrity": "sha512-/GbIKmo8ioc+NIWIhwdecY0ge+qVBSMdgxGygevmdHj24bsfgtCmcUUcQ5ZzcylGFHsN3k4HB4Cgkl96KVnuew==",
       "dependencies": {
         "@socket.io/component-emitter": "~3.1.0",
         "debug": "~4.3.1"
@@ -859,6 +843,11 @@
         "node": ">= 0.6"
       }
     },
+    "node_modules/undici-types": {
+      "version": "5.26.5",
+      "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-5.26.5.tgz",
+      "integrity": "sha512-JlCMO+ehdEIKqlFxk6IfVoAUVmgz7cU7zD/h9XZ0qzeosSHmUJVOzSQvvYSYWXkFXC+IfLKSIffhv0sVZup6pA=="
+    },
     "node_modules/unpipe": {
       "version": "1.0.0",
       "resolved": "https://registry.npmjs.org/unpipe/-/unpipe-1.0.0.tgz",
@@ -884,15 +873,15 @@
       }
     },
     "node_modules/ws": {
-      "version": "8.2.3",
-      "resolved": "https://registry.npmjs.org/ws/-/ws-8.2.3.tgz",
-      "integrity": "sha512-wBuoj1BDpC6ZQ1B7DWQBYVLphPWkm8i9Y0/3YdHjHKHiohOJ1ws+3OccDWtH+PoC9DZD5WOTrJvNbWvjS6JWaA==",
+      "version": "8.17.1",
+      "resolved": "https://registry.npmjs.org/ws/-/ws-8.17.1.tgz",
+      "integrity": "sha512-6XQFvXTkbfUOZOKKILFG1PDK2NDQs4azKQl26T0YS5CxqWLgXajbPZ+h4gZekJyRqFU8pvnbAbbs/3TgRPy+GQ==",
       "engines": {
         "node": ">=10.0.0"
       },
       "peerDependencies": {
         "bufferutil": "^4.0.1",
-        "utf-8-validate": "^5.0.2"
+        "utf-8-validate": ">=5.0.2"
       },
       "peerDependenciesMeta": {
         "bufferutil": {
@@ -924,17 +913,20 @@
       "integrity": "sha512-XW/Aa8APYr6jSVVA1y/DEIZX0/GMKLEVekNG727R8cs56ahETkRAy/3DR7+fJyh7oUgGwNQaRfXCun0+KbWY7Q=="
     },
     "@types/cors": {
-      "version": "2.8.13",
-      "resolved": "https://registry.npmjs.org/@types/cors/-/cors-2.8.13.tgz",
-      "integrity": "sha512-RG8AStHlUiV5ysZQKq97copd2UmVYw3/pRMLefISZ3S1hK104Cwm7iLQ3fTKx+lsUH2CE8FlLaYeEA2LSeqYUA==",
+      "version": "2.8.17",
+      "resolved": "https://registry.npmjs.org/@types/cors/-/cors-2.8.17.tgz",
+      "integrity": "sha512-8CGDvrBj1zgo2qE+oS3pOCyYNqCPryMWY2bGfwA0dcfopWGgxs+78df0Rs3rc9THP4JkOhLsAa+15VdpAqkcUA==",
       "requires": {
         "@types/node": "*"
       }
     },
     "@types/node": {
-      "version": "18.16.3",
-      "resolved": "https://registry.npmjs.org/@types/node/-/node-18.16.3.tgz",
-      "integrity": "sha512-OPs5WnnT1xkCBiuQrZA4+YAV4HEJejmHneyraIaxsbev5yCEr6KMwINNFP9wQeFIw8FWcoTqF3vQsa5CDaI+8Q=="
+      "version": "20.14.6",
+      "resolved": "https://registry.npmjs.org/@types/node/-/node-20.14.6.tgz",
+      "integrity": "sha512-JbA0XIJPL1IiNnU7PFxDXyfAwcwVVrOoqyzzyQTyMeVhBzkJVMSkC1LlVsRQ2lpqiY4n6Bb9oCS6lzDKVQxbZw==",
+      "requires": {
+        "undici-types": "~5.26.4"
+      }
     },
     "accepts": {
       "version": "1.3.8",
@@ -1049,9 +1041,9 @@
       "integrity": "sha512-TPJXq8JqFaVYm2CWmPvnP2Iyo4ZSM7/QKcSmuMLDObfpH5fi7RUGmd/rTDf+rut/saiDiQEeVTNgAmJEdAOx0w=="
     },
     "engine.io": {
-      "version": "6.4.2",
-      "resolved": "https://registry.npmjs.org/engine.io/-/engine.io-6.4.2.tgz",
-      "integrity": "sha512-FKn/3oMiJjrOEOeUub2WCox6JhxBXq/Zn3fZOMCBxKnNYtsdKjxhl7yR3fZhM9PV+rdE75SU5SYMc+2PGzo+Tg==",
+      "version": "6.5.5",
+      "resolved": "https://registry.npmjs.org/engine.io/-/engine.io-6.5.5.tgz",
+      "integrity": "sha512-C5Pn8Wk+1vKBoHghJODM63yk8MvrO9EWZUfkAt5HAqIgPE4/8FF0PEGHXtEd40l223+cE5ABWuPzm38PHFXfMA==",
       "requires": {
         "@types/cookie": "^0.4.1",
         "@types/cors": "^2.8.12",
@@ -1061,8 +1053,8 @@
         "cookie": "~0.4.1",
         "cors": "~2.8.5",
         "debug": "~4.3.1",
-        "engine.io-parser": "~5.0.3",
-        "ws": "~8.11.0"
+        "engine.io-parser": "~5.2.1",
+        "ws": "~8.17.1"
       },
       "dependencies": {
         "cookie": {
@@ -1071,9 +1063,9 @@
           "integrity": "sha512-aSWTXFzaKWkvHO1Ny/s+ePFpvKsPnjc551iI41v3ny/ow6tBG5Vd+FuqGNhh1LxOmVzOlGUriIlOaokOvhaStA=="
         },
         "debug": {
-          "version": "4.3.4",
-          "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.4.tgz",
-          "integrity": "sha512-PRWFHuSU3eDtQJPvnNY7Jcket1j0t5OuOsFzPPzsekD52Zl8qUfFIPEiswXqIvHWGVHOgX+7G/vCNNhehwxfkQ==",
+          "version": "4.3.5",
+          "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.5.tgz",
+          "integrity": "sha512-pt0bNEmneDIvdL1Xsd9oDQ/wrQRkXDT4AUWlNZNPKvW5x/jyO9VFXkJUP07vQ2upmw5PlaITaPKc31jK13V+jg==",
           "requires": {
             "ms": "2.1.2"
           }
@@ -1082,31 +1074,25 @@
           "version": "2.1.2",
           "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz",
           "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w=="
-        },
-        "ws": {
-          "version": "8.11.0",
-          "resolved": "https://registry.npmjs.org/ws/-/ws-8.11.0.tgz",
-          "integrity": "sha512-HPG3wQd9sNQoT9xHyNCXoDUa+Xw/VevmY9FoHyQ+g+rrMn4j6FB4np7Z0OhdTgjx6MgQLK7jwSy1YecU1+4Asg==",
-          "requires": {}
         }
       }
     },
     "engine.io-client": {
-      "version": "6.2.2",
-      "resolved": "https://registry.npmjs.org/engine.io-client/-/engine.io-client-6.2.2.tgz",
-      "integrity": "sha512-8ZQmx0LQGRTYkHuogVZuGSpDqYZtCM/nv8zQ68VZ+JkOpazJ7ICdsSpaO6iXwvaU30oFg5QJOJWj8zWqhbKjkQ==",
+      "version": "6.5.4",
+      "resolved": "https://registry.npmjs.org/engine.io-client/-/engine.io-client-6.5.4.tgz",
+      "integrity": "sha512-GeZeeRjpD2qf49cZQ0Wvh/8NJNfeXkXXcoGh+F77oEAgo9gUHwT1fCRxSNU+YEEaysOJTnsFHmM5oAcPy4ntvQ==",
       "requires": {
         "@socket.io/component-emitter": "~3.1.0",
         "debug": "~4.3.1",
-        "engine.io-parser": "~5.0.3",
-        "ws": "~8.2.3",
+        "engine.io-parser": "~5.2.1",
+        "ws": "~8.17.1",
         "xmlhttprequest-ssl": "~2.0.0"
       },
       "dependencies": {
         "debug": {
-          "version": "4.3.4",
-          "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.4.tgz",
-          "integrity": "sha512-PRWFHuSU3eDtQJPvnNY7Jcket1j0t5OuOsFzPPzsekD52Zl8qUfFIPEiswXqIvHWGVHOgX+7G/vCNNhehwxfkQ==",
+          "version": "4.3.5",
+          "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.5.tgz",
+          "integrity": "sha512-pt0bNEmneDIvdL1Xsd9oDQ/wrQRkXDT4AUWlNZNPKvW5x/jyO9VFXkJUP07vQ2upmw5PlaITaPKc31jK13V+jg==",
           "requires": {
             "ms": "2.1.2"
           }
@@ -1119,9 +1105,9 @@
       }
     },
     "engine.io-parser": {
-      "version": "5.0.4",
-      "resolved": "https://registry.npmjs.org/engine.io-parser/-/engine.io-parser-5.0.4.tgz",
-      "integrity": "sha512-+nVFp+5z1E3HcToEnO7ZIj3g+3k9389DvWtvJZz0T6/eOCPIyyxehFcedoYrZQrp0LgQbD9pPXhpMBKMd5QURg=="
+      "version": "5.2.2",
+      "resolved": "https://registry.npmjs.org/engine.io-parser/-/engine.io-parser-5.2.2.tgz",
+      "integrity": "sha512-RcyUFKA93/CXH20l4SoVvzZfrSDMOTUS3bWVpTt2FuFP+XYrL8i8oonHP7WInRyVHXh0n/ORtoeiE1os+8qkSw=="
     },
     "escape-html": {
       "version": "1.0.3",
@@ -1421,16 +1407,17 @@
       }
     },
     "socket.io": {
-      "version": "4.6.1",
-      "resolved": "https://registry.npmjs.org/socket.io/-/socket.io-4.6.1.tgz",
-      "integrity": "sha512-KMcaAi4l/8+xEjkRICl6ak8ySoxsYG+gG6/XfRCPJPQ/haCRIJBTL4wIl8YCsmtaBovcAXGLOShyVWQ/FG8GZA==",
+      "version": "4.7.5",
+      "resolved": "https://registry.npmjs.org/socket.io/-/socket.io-4.7.5.tgz",
+      "integrity": "sha512-DmeAkF6cwM9jSfmp6Dr/5/mfMwb5Z5qRrSXLpo3Fq5SqyU8CMF15jIN4ZhfSwu35ksM1qmHZDQ/DK5XTccSTvA==",
       "requires": {
         "accepts": "~1.3.4",
         "base64id": "~2.0.0",
+        "cors": "~2.8.5",
         "debug": "~4.3.2",
-        "engine.io": "~6.4.1",
+        "engine.io": "~6.5.2",
         "socket.io-adapter": "~2.5.2",
-        "socket.io-parser": "~4.2.1"
+        "socket.io-parser": "~4.2.4"
       },
       "dependencies": {
         "debug": {
@@ -1465,14 +1452,14 @@
       }
     },
     "socket.io-client": {
-      "version": "4.5.1",
-      "resolved": "https://registry.npmjs.org/socket.io-client/-/socket.io-client-4.5.1.tgz",
-      "integrity": "sha512-e6nLVgiRYatS+AHXnOnGi4ocOpubvOUCGhyWw8v+/FxW8saHkinG6Dfhi9TU0Kt/8mwJIAASxvw6eujQmjdZVA==",
+      "version": "4.7.5",
+      "resolved": "https://registry.npmjs.org/socket.io-client/-/socket.io-client-4.7.5.tgz",
+      "integrity": "sha512-sJ/tqHOCe7Z50JCBCXrsY3I2k03iOiUe+tj1OmKeD2lXPiGH/RUCdTZFoqVyN7l1MnpIzPrGtLcijffmeouNlQ==",
       "requires": {
         "@socket.io/component-emitter": "~3.1.0",
         "debug": "~4.3.2",
-        "engine.io-client": "~6.2.1",
-        "socket.io-parser": "~4.2.0"
+        "engine.io-client": "~6.5.2",
+        "socket.io-parser": "~4.2.4"
       },
       "dependencies": {
         "debug": {
@@ -1491,9 +1478,9 @@
       }
     },
     "socket.io-parser": {
-      "version": "4.2.3",
-      "resolved": "https://registry.npmjs.org/socket.io-parser/-/socket.io-parser-4.2.3.tgz",
-      "integrity": "sha512-JMafRntWVO2DCJimKsRTh/wnqVvO4hrfwOqtO7f+uzwsQMuxO6VwImtYxaQ+ieoyshWOTJyV0fA21lccEXRPpQ==",
+      "version": "4.2.4",
+      "resolved": "https://registry.npmjs.org/socket.io-parser/-/socket.io-parser-4.2.4.tgz",
+      "integrity": "sha512-/GbIKmo8ioc+NIWIhwdecY0ge+qVBSMdgxGygevmdHj24bsfgtCmcUUcQ5ZzcylGFHsN3k4HB4Cgkl96KVnuew==",
       "requires": {
         "@socket.io/component-emitter": "~3.1.0",
         "debug": "~4.3.1"
@@ -1533,6 +1520,11 @@
         "mime-types": "~2.1.24"
       }
     },
+    "undici-types": {
+      "version": "5.26.5",
+      "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-5.26.5.tgz",
+      "integrity": "sha512-JlCMO+ehdEIKqlFxk6IfVoAUVmgz7cU7zD/h9XZ0qzeosSHmUJVOzSQvvYSYWXkFXC+IfLKSIffhv0sVZup6pA=="
+    },
     "unpipe": {
       "version": "1.0.0",
       "resolved": "https://registry.npmjs.org/unpipe/-/unpipe-1.0.0.tgz",
@@ -1549,9 +1541,9 @@
       "integrity": "sha512-BNGbWLfd0eUPabhkXUVm0j8uuvREyTh5ovRa/dyow/BqAbZJyC+5fU+IzQOzmAKzYqYRAISoRhdQr3eIZ/PXqg=="
     },
     "ws": {
-      "version": "8.2.3",
-      "resolved": "https://registry.npmjs.org/ws/-/ws-8.2.3.tgz",
-      "integrity": "sha512-wBuoj1BDpC6ZQ1B7DWQBYVLphPWkm8i9Y0/3YdHjHKHiohOJ1ws+3OccDWtH+PoC9DZD5WOTrJvNbWvjS6JWaA==",
+      "version": "8.17.1",
+      "resolved": "https://registry.npmjs.org/ws/-/ws-8.17.1.tgz",
+      "integrity": "sha512-6XQFvXTkbfUOZOKKILFG1PDK2NDQs4azKQl26T0YS5CxqWLgXajbPZ+h4gZekJyRqFU8pvnbAbbs/3TgRPy+GQ==",
       "requires": {}
     },
     "xmlhttprequest-ssl": {

slides/autopilot/package.json

@@ -3,7 +3,7 @@
   "version": "0.0.1",
   "dependencies": {
     "express": "^4.16.2",
-    "socket.io": "^4.6.1",
-    "socket.io-client": "^4.5.1"
+    "socket.io": "^4.7.5",
+    "socket.io-client": "^4.7.5"
   }
 }

slides/exercises/netpol-details.md

@@ -1,6 +1,6 @@
 # Exercise — Network Policies
 
-We want to to implement a generic network security mechanism.
+We want to implement a generic network security mechanism.
 
 Instead of creating one policy per service, we want to
 create a fixed number of policies, and use a single label

slides/highfive.html

@@ -0,0 +1,129 @@
+<?xml version="1.0"?>
+<html>
+  <head>
+    <style>
+      td { 
+        background: #ccc; 
+        padding: 1em;
+      }
+</style>
+  </head>
+  <body>
+    <table>
+
+      <tr>
+        <td>Mardi 14 mai 2024</td>
+        <td>
+          <a href="1.yml.html">Docker Intensif</a>
+        </td>
+      </tr>
+      <tr>
+        <td>Mercredi 15 mai 2024</td>
+        <td>
+          <a href="1.yml.html">Docker Intensif</a>
+        </td>
+      </tr>
+      <tr>
+        <td>Jeudi 16 mai 2024</td>
+        <td>
+          <a href="1.yml.html">Docker Intensif</a>
+        </td>
+      </tr>
+      <tr>
+        <td>Vendredi 17 mai 2024</td>
+        <td>
+          <a href="1.yml.html">Docker Intensif</a>
+        </td>
+      </tr>
+
+      <tr>
+        <td>Mardi 21 mai 2024</td>
+        <td>
+          <a href="2.yml.html">Fondamentaux Kubernetes</a>
+        </td>
+      </tr>
+      <tr>
+        <td>Mercredi 22 mai 2024</td>
+        <td>
+          <a href="2.yml.html">Fondamentaux Kubernetes</a>
+        </td>
+      </tr>
+      <tr>
+        <td>Jeudi 23 mai 2024</td>
+        <td>
+          <a href="2.yml.html">Fondamentaux Kubernetes</a>
+        </td>
+      </tr>
+      <tr>
+        <td>Vendredi 24 mai 2024</td>
+        <td>
+          <a href="2.yml.html">Fondamentaux Kubernetes</a>
+        </td>
+      </tr>
+
+      <tr>
+        <td>Mardi 28 mai 2024</td>
+        <td>
+          <a href="4.yml.html">Kubernetes Avancé</a>
+        </td>
+      </tr>
+      <tr>
+        <td>Mercredi 29 mai 2024</td>
+        <td>
+          <a href="4.yml.html">Kubernetes Avancé</a>
+        </td>
+      </tr>
+      <tr>
+        <td>Jeudi 30 mai 2024</td>
+        <td>
+          <a href="4.yml.html">Kubernetes Avancé</a>
+        </td>
+      </tr>
+      <tr>
+        <td>Vendredi 31 mai 2024</td>
+        <td>
+          <a href="4.yml.html">Kubernetes Avancé</a>
+        </td>
+      </tr>
+
+      <tr>
+        <td>Mardi 4 juin 2024</td>
+        <td>
+          <a href="3.yml.html">Packaging d'applications pour Kubernetes</a>
+        </td>
+      </tr>
+      <tr>
+        <td>Mercredi 5 juin 2024</td>
+        <td>
+          <a href="3.yml.html">Packaging d'applications pour Kubernetes</a>
+        </td>
+      </tr>
+      <tr>
+        <td>Jeudi 6 juin 2024</td>
+        <td>
+          <a href="3.yml.html">Packaging d'applications pour Kubernetes</a>
+        </td>
+      </tr>
+
+      <tr>
+        <td>Lundi 10 juin 2024</td>
+        <td>
+          <a href="5.yml.html">Opérer Kubernetes</a>
+        </td>
+      </tr>
+      <tr>
+        <td>Mardi 11 juin 2024</td>
+        <td>
+          <a href="5.yml.html">Opérer Kubernetes</a>
+        </td>
+      </tr>
+      <tr>
+        <td>Mercredi 12 juin 2024</td>
+        <td>
+          <a href="5.yml.html">Opérer Kubernetes</a>
+        </td>
+      </tr>
+
+    </table>
+  </body>
+</html>

slides/interstitials.txt

@@ -1,16 +1,16 @@
-https://gallant-turing-d0d520.netlify.com/containers/Container-Ship-Freighter-Navigation-Elbe-Romance-1782991.jpg
-https://gallant-turing-d0d520.netlify.com/containers/ShippingContainerSFBay.jpg
-https://gallant-turing-d0d520.netlify.com/containers/aerial-view-of-containers.jpg
-https://gallant-turing-d0d520.netlify.com/containers/blue-containers.jpg
-https://gallant-turing-d0d520.netlify.com/containers/chinook-helicopter-container.jpg
-https://gallant-turing-d0d520.netlify.com/containers/container-cranes.jpg
-https://gallant-turing-d0d520.netlify.com/containers/container-housing.jpg
-https://gallant-turing-d0d520.netlify.com/containers/containers-by-the-water.jpg
-https://gallant-turing-d0d520.netlify.com/containers/distillery-containers.jpg
-https://gallant-turing-d0d520.netlify.com/containers/lots-of-containers.jpg
-https://gallant-turing-d0d520.netlify.com/containers/plastic-containers.JPG
-https://gallant-turing-d0d520.netlify.com/containers/train-of-containers-1.jpg
-https://gallant-turing-d0d520.netlify.com/containers/train-of-containers-2.jpg
-https://gallant-turing-d0d520.netlify.com/containers/two-containers-on-a-truck.jpg
-https://gallant-turing-d0d520.netlify.com/containers/wall-of-containers.jpeg
-https://gallant-turing-d0d520.netlify.com/containers/catene-de-conteneurs.jpg
+https://prettypictures.container.training/containers/Container-Ship-Freighter-Navigation-Elbe-Romance-1782991.jpg
+https://prettypictures.container.training/containers/ShippingContainerSFBay.jpg
+https://prettypictures.container.training/containers/aerial-view-of-containers.jpg
+https://prettypictures.container.training/containers/blue-containers.jpg
+https://prettypictures.container.training/containers/chinook-helicopter-container.jpg
+https://prettypictures.container.training/containers/container-cranes.jpg
+https://prettypictures.container.training/containers/container-housing.jpg
+https://prettypictures.container.training/containers/containers-by-the-water.jpg
+https://prettypictures.container.training/containers/distillery-containers.jpg
+https://prettypictures.container.training/containers/lots-of-containers.jpg
+https://prettypictures.container.training/containers/plastic-containers.JPG
+https://prettypictures.container.training/containers/train-of-containers-1.jpg
+https://prettypictures.container.training/containers/train-of-containers-2.jpg
+https://prettypictures.container.training/containers/two-containers-on-a-truck.jpg
+https://prettypictures.container.training/containers/wall-of-containers.jpeg
+https://prettypictures.container.training/containers/catene-de-conteneurs.jpg

slides/intro-fullday.yml

@@ -0,0 +1,72 @@
+title: |
+  Introduction
+  to Containers
+
+chat: "[Slack](https://dockercommunity.slack.com/messages/C7GKACWDV)"
+#chat: "[Gitter](https://gitter.im/jpetazzo/workshop-yyyymmdd-city)"
+
+gitrepo: github.com/jpetazzo/container.training
+
+slides: https://container.training/
+
+#slidenumberprefix: "#SomeHashTag — "
+
+exclude:
+- self-paced
+
+content:
+- shared/title.md
+- logistics.md
+- containers/intro.md
+- shared/about-slides.md
+- shared/chat-room-im.md
+#- shared/chat-room-slack.md
+#- shared/chat-room-zoom-meeting.md
+#- shared/chat-room-zoom-webinar.md
+- shared/toc.md
+-
+  #- containers/Docker_Overview.md
+  #- containers/Docker_History.md
+  - containers/Training_Environment.md
+  #- containers/Installing_Docker.md
+  - containers/First_Containers.md
+  - containers/Background_Containers.md
+  #- containers/Start_And_Attach.md
+  - containers/Naming_And_Inspecting.md
+  #- containers/Labels.md
+  - containers/Getting_Inside.md
+  - containers/Initial_Images.md
+-
+  - containers/Building_Images_Interactively.md
+  - containers/Building_Images_With_Dockerfiles.md
+  - containers/Cmd_And_Entrypoint.md
+  - containers/Copying_Files_During_Build.md
+  - containers/Exercise_Dockerfile_Basic.md
+-
+  - containers/Container_Networking_Basics.md
+  #- containers/Network_Drivers.md
+  - containers/Local_Development_Workflow.md
+  - containers/Container_Network_Model.md
+  - shared/yaml.md
+  - containers/Compose_For_Dev_Stacks.md
+  - containers/Exercise_Composefile.md
+-
+  - containers/Multi_Stage_Builds.md
+  #- containers/Publishing_To_Docker_Hub.md
+  - containers/Dockerfile_Tips.md
+  - containers/Exercise_Dockerfile_Advanced.md
+  #- containers/Docker_Machine.md
+  #- containers/Advanced_Dockerfiles.md
+  #- containers/Buildkit.md
+  #- containers/Init_Systems.md
+  #- containers/Application_Configuration.md
+  #- containers/Logging.md
+  #- containers/Namespaces_Cgroups.md
+  #- containers/Copy_On_Write.md
+  #- containers/Containers_From_Scratch.md
+  #- containers/Container_Engines.md
+  #- containers/Pods_Anatomy.md
+  #- containers/Ecosystem.md
+  #- containers/Orchestration_Overview.md
+  - shared/thankyou.md
+  - containers/links.md

slides/intro-selfpaced.yml

@@ -0,0 +1,73 @@
+title: |
+  Introduction
+  to Containers
+
+chat: "[Slack](https://dockercommunity.slack.com/messages/C7GKACWDV)"
+#chat: "[Gitter](https://gitter.im/jpetazzo/workshop-yyyymmdd-city)"
+
+gitrepo: github.com/jpetazzo/container.training
+
+slides: https://container.training/
+
+#slidenumberprefix: "#SomeHashTag — "
+
+exclude:
+- in-person
+
+content:
+- shared/title.md
+# - shared/logistics.md
+- containers/intro.md
+- shared/about-slides.md
+#- shared/chat-room-im.md
+#- shared/chat-room-slack.md
+#- shared/chat-room-zoom-meeting.md
+#- shared/chat-room-zoom-webinar.md
+- shared/toc.md
+- - containers/Docker_Overview.md
+  - containers/Docker_History.md
+  - containers/Training_Environment.md
+  - containers/Installing_Docker.md
+  - containers/First_Containers.md
+  - containers/Background_Containers.md
+  - containers/Start_And_Attach.md
+- - containers/Initial_Images.md
+  - containers/Building_Images_Interactively.md
+  - containers/Building_Images_With_Dockerfiles.md
+  - containers/Cmd_And_Entrypoint.md
+  - containers/Copying_Files_During_Build.md
+  - containers/Exercise_Dockerfile_Basic.md
+- - containers/Multi_Stage_Builds.md
+  - containers/Publishing_To_Docker_Hub.md
+  - containers/Dockerfile_Tips.md
+  - containers/Exercise_Dockerfile_Advanced.md
+- - containers/Naming_And_Inspecting.md
+  - containers/Labels.md
+  - containers/Getting_Inside.md
+- - containers/Container_Networking_Basics.md
+  - containers/Network_Drivers.md
+  - containers/Container_Network_Model.md
+  #- containers/Connecting_Containers_With_Links.md
+  - containers/Ambassadors.md
+- - containers/Local_Development_Workflow.md
+  - containers/Windows_Containers.md
+  - containers/Working_With_Volumes.md
+  - shared/yaml.md
+  - containers/Compose_For_Dev_Stacks.md
+  - containers/Exercise_Composefile.md
+  - containers/Docker_Machine.md
+- - containers/Advanced_Dockerfiles.md
+  - containers/Buildkit.md
+  - containers/Init_Systems.md
+  - containers/Application_Configuration.md
+  - containers/Logging.md
+  - containers/Resource_Limits.md
+- - containers/Namespaces_Cgroups.md
+  - containers/Copy_On_Write.md
+  #- containers/Containers_From_Scratch.md
+- - containers/Container_Engines.md
+  - containers/Pods_Anatomy.md
+  - containers/Ecosystem.md
+  - containers/Orchestration_Overview.md
+  - shared/thankyou.md
+  - containers/links.md

slides/intro-twodays.yml

@@ -0,0 +1,81 @@
+title: |
+  Introduction
+  to Containers
+
+chat: "[Slack](https://dockercommunity.slack.com/messages/C7GKACWDV)"
+#chat: "[Gitter](https://gitter.im/jpetazzo/workshop-yyyymmdd-city)"
+
+gitrepo: github.com/jpetazzo/container.training
+
+slides: https://container.training/
+
+#slidenumberprefix: "#SomeHashTag — "
+
+exclude:
+- self-paced
+
+content:
+- shared/title.md
+- logistics.md
+- containers/intro.md
+- shared/about-slides.md
+- shared/chat-room-im.md
+#- shared/chat-room-slack.md
+#- shared/chat-room-zoom-meeting.md
+#- shared/chat-room-zoom-webinar.md
+- shared/toc.md
+- # DAY 1
+  - containers/Docker_Overview.md
+  #- containers/Docker_History.md
+  - containers/Training_Environment.md
+  - containers/First_Containers.md
+  - containers/Background_Containers.md
+  - containers/Initial_Images.md
+-
+  - containers/Building_Images_Interactively.md
+  - containers/Building_Images_With_Dockerfiles.md
+  - containers/Cmd_And_Entrypoint.md
+  - containers/Copying_Files_During_Build.md
+  - containers/Exercise_Dockerfile_Basic.md
+-
+  - containers/Dockerfile_Tips.md
+  - containers/Multi_Stage_Builds.md
+  - containers/Publishing_To_Docker_Hub.md
+  - containers/Exercise_Dockerfile_Advanced.md
+-
+  - containers/Naming_And_Inspecting.md
+  - containers/Labels.md
+  - containers/Start_And_Attach.md
+  - containers/Getting_Inside.md
+  - containers/Resource_Limits.md
+- # DAY 2
+  - containers/Container_Networking_Basics.md
+  - containers/Network_Drivers.md
+  - containers/Container_Network_Model.md
+-
+  - containers/Local_Development_Workflow.md
+  - containers/Working_With_Volumes.md
+  - shared/yaml.md
+  - containers/Compose_For_Dev_Stacks.md
+  - containers/Exercise_Composefile.md
+-
+  - containers/Installing_Docker.md
+  - containers/Container_Engines.md
+  - containers/Init_Systems.md
+  - containers/Advanced_Dockerfiles.md
+  - containers/Buildkit.md
+-
+  - containers/Application_Configuration.md
+  - containers/Logging.md
+  - containers/Orchestration_Overview.md
+-
+  - shared/thankyou.md
+  - containers/links.md
+#-
+  #- containers/Docker_Machine.md
+  #- containers/Ambassadors.md
+  #- containers/Namespaces_Cgroups.md
+  #- containers/Copy_On_Write.md
+  #- containers/Containers_From_Scratch.md
+  #- containers/Pods_Anatomy.md
+  #- containers/Ecosystem.md

slides/k8s/argocd.md

@@ -0,0 +1,589 @@
+# ArgoCD
+
+- We're going to implement a basic GitOps workflow with ArgoCD
+
+- Pushing to the default branch will automatically deploy to our clusters
+
+- There will be two clusters (`dev` and `prod`)
+
+- The two clusters will have similar (but slightly different) workloads
+
+![ArgoCD Logo](images/argocdlogo.png)
+
+---
+
+## ArgoCD concepts
+
+ArgoCD manages **applications** by **syncing** their **live state** with their **target state**.
+
+- **Application**: a group of Kubernetes resources managed by ArgoCD.
+  <br/>
+  Also a custom resource (`kind: Application`) managing that group of resources.
+
+- **Application source type**: the **Tool** used to build the application (Kustomize, Helm...)
+
+- **Target state**: the desired state of an **application**, as represented by the git repository.
+
+- **Live state**: the current state of the application on the cluster.
+
+- **Sync status**: whether or not the live state matches the target state.
+
+- **Sync**: the process of making an application move to its target state.
+  <br/>
+  (e.g. by applying changes to a Kubernetes cluster)
+
+(Check [ArgoCD core concepts](https://argo-cd.readthedocs.io/en/stable/core_concepts/) for more definitions!)
+
+---
+
+## Getting ready
+
+- Let's make sure we have two clusters
+
+- It's OK to use local clusters (kind, minikube...)
+
+- We need to install the ArgoCD CLI ([packages], [binaries])
+
+- **Highly recommended:** set up CLI completion!
+
+- Of course we'll need a Git service, too
+
+[packages]: https://argo-cd.readthedocs.io/en/stable/cli_installation/
+[binaries]: https://github.com/argoproj/argo-cd/releases/latest
+
+---
+
+## Setting up ArgoCD
+
+- The easiest way is to use upstream YAML manifests
+
+- There is also a [Helm chart][argohelmchart] if we need more customization
+
+.lab[
+
+- Create a namespace for ArgoCD and install it there:
+  ```bash
+  kubectl create namespace argocd
+  kubectl apply --namespace argocd -f \
+      https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
+  ```
+
+]
+
+[argohelmchart]: https://artifacthub.io/packages/helm/argo/argocd-apps
+
+---
+
+## Logging in with the ArgoCD CLI
+
+- The CLI can talk to the ArgoCD API server or to the Kubernetes API server
+
+- For simplicity, we're going to authenticate and communicate with the Kubernetes API
+
+.lab[
+
+- Authenticate with the ArgoCD API (that's what the `--core` flag does):
+  ```bash
+  argocd login --core
+  ```
+
+- Check that everything is fine:
+  ```bash
+  argocd version
+  ```
+]
+
+--
+
+🤔 `FATA[0000] error retrieving argocd-cm: configmap "argocd-cm" not found`
+
+---
+
+## ArgoCD CLI shortcomings
+
+- When using "core" authentication, the ArgoCD CLI uses our current Kubernetes context
+
+  (as defined in our kubeconfig file)
+
+- That context need to point to the correct namespace
+
+  (the namespace where we installed ArgoCD)
+
+- In fact, `argocd login --core` doesn't communicate at all with ArgoCD!
+
+  (it only updates a local ArgoCD configuration file)
+
+---
+
+## Trying again in the right namespace
+
+- We will need to run all `argocd` commands in the `argocd` namespace
+
+  (this limitation only applies to "core" authentication; see [issue 14167][issue14167])
+
+.lab[
+
+- Switch to the `argocd` namespace:
+  ```bash
+  kubectl config set-context --current --namespace argocd
+  ```
+
+- Check that we can communicate with the ArgoCD API now:
+  ```bash
+  argocd version
+  ```
+
+]
+
+- Let's have a look at ArgoCD architecture!
+
+[issue14167]: https://github.com/argoproj/argo-cd/issues/14167
+
+---
+
+class: pic
+
+![ArgoCD Architecture](images/argocd_architecture.png)
+
+---
+
+## ArgoCD API Server
+
+The API server is a gRPC/REST server which exposes the API consumed by the Web UI, CLI, and CI/CD systems. It has the following responsibilities:
+
+- application management and status reporting
+
+- invoking of application operations (e.g. sync, rollback, user-defined actions)
+
+- repository and cluster credential management (stored as K8s secrets)
+
+- authentication and auth delegation to external identity providers
+
+- RBAC enforcement
+
+- listener/forwarder for Git webhook events
+
+---
+
+## ArgoCD Repository Server
+
+The repository server is an internal service which maintains a local cache of the Git repositories holding the application manifests. It is responsible for generating and returning the Kubernetes manifests when provided the following inputs:
+
+- repository URL
+
+- revision (commit, tag, branch)
+
+- application path
+
+- template specific settings: parameters, helm values...
+
+---
+
+## ArgoCD Application Controller
+
+The application controller is a Kubernetes controller which continuously monitors running applications and compares the current, live state against the desired target state (as specified in the repo). 
+
+It detects *OutOfSync* application state and optionally takes corrective action. 
+
+It is responsible for invoking any user-defined hooks for lifecycle events (*PreSync, Sync, PostSync*).
+
+---
+
+## Preparing a repository for ArgoCD
+
+- We need a repository with Kubernetes YAML manifests
+
+- You can fork [kubercoins] or create a new, empty repository
+
+- If you create a new, empty repository, add some manifests to it
+
+[kubercoins]: https://github.com/jpetazzo/kubercoins
+
+---
+
+## Add an Application
+
+- An Application can be added to ArgoCD via the web UI or the CLI
+
+  (either way, this will create a custom resource of `kind: Application`)
+
+- The Application should then automatically be deployed to our cluster
+
+  (the application manifests will be "applied" to the cluster)
+
+.lab[
+
+- Let's use the CLI to add an Application:
+  ```bash
+    argocd app create kubercoins \ 
+           --repo https://github.com/`<your_user>/<your_repo>`.git \
+           --path . --revision `<branch>` \
+           --dest-server https://kubernetes.default.svc \
+           --dest-namespace kubercoins-prod
+  ```
+
+]
+
+---
+
+## Checking progress
+
+- We can see sync status in the web UI or with the CLI
+
+.lab[
+
+- Let's check app status with the CLI:
+  ```bash
+  argocd app list
+  ```
+
+- We can also check directly with the Kubernetes CLI:
+  ```bash
+  kubectl get applications
+  ```
+
+]
+
+- The app is there and it is `OutOfSync`!
+
+---
+
+## Manual sync with the CLI
+
+- By default the "sync policy" is `manual`
+
+- It can also be set to `auto`, which would check the git repository every 3 minutes
+
+  (this interval can be [configured globally][pollinginterval])
+
+- Manual sync can be triggered with the CLI
+
+.lab[
+
+- Let's force an immediate sync of our app:
+  ```bash
+    argocd app sync kubercoins
+  ```
+]
+
+🤔 We're getting errors!
+
+[pollinginterval]: https://argo-cd.readthedocs.io/en/stable/faq/#how-often-does-argo-cd-check-for-changes-to-my-git-or-helm-repository
+
+---
+
+## Sync failed
+
+We should receive a failure:
+
+`FATA[0000] Operation has completed with phase: Failed`
+
+And in the output, we see more details:
+
+`Message: one or more objects failed to apply,`
+<br/>
+`reason: namespaces "kubercoins-prod" not found`
+
+---
+
+## Creating the namespace
+
+- There are multiple ways to achieve that
+
+- We could generate a YAML manifest for the namespace and add it to the git repository
+
+- Or we could use "Sync Options" so that ArgoCD creates it automatically!
+
+- ArgoCD provides many "Sync Options" to handle various edge cases
+
+- Some [others](https://argo-cd.readthedocs.io/en/stable/user-guide/sync-options/) are: `FailOnSharedResource`, `PruneLast`, `PrunePropagationPolicy`...
+
+---
+
+## Editing the app's sync options
+
+- This can be done through the web UI or the CLI
+
+.lab[
+
+- Let's use the CLI once again:
+  ```bash
+  argocd app edit kubercoins
+  ```
+
+- Add the following to the YAML manifest, at the root level:
+  ```yaml
+    syncPolicy:
+      syncOptions:
+        - CreateNamespace=true
+  ```
+
+]
+
+---
+
+## Sync again
+
+.lab[
+
+- Let's retry the sync operation:
+  ```bash
+  argocd app sync kubercoins
+  ```
+
+- And check the application status:
+  ```bash
+  argocd app list
+  kubectl get applications
+  ```
+
+]
+
+- It should show `Synced` and `Progressing`
+
+- After a while (when all pods are running correctly) it should be `Healthy`
+
+---
+
+## Managing Applications via the Web UI
+
+- ArgoCD is popular in large part due to its browser-based UI
+
+- Let's see how to manage Applications in the web UI
+
+.lab[
+
+- Expose the web dashboard on a local port:
+  ```bash
+  argocd admin dashboard
+  ```
+
+- This command will show the dashboard URL; open it in a browser
+
+- Authentication should be automatic
+
+]
+
+Note: `argocd admin dashboard` is similar to `kubectl port-forward` or `kubectl-proxy`.
+
+(The dashboard remains available as long as `argocd admin dashboard` is running.)
+
+---
+
+## Adding a staging Application
+
+- Let's add another Application for a staging environment
+
+- First, create a new branch (e.g. `staging`) in our kubercoins fork
+
+- Then, in the ArgoCD web UI, click on the "+ NEW APP" button
+
+  (on a narrow display, it might just be "+", right next to buttons looking like 🔄 and ↩️)
+
+- See next slides for details about that form!
+
+---
+
+## Defining the Application
+
+| Field            | Value                                      |
+|------------------|--------------------------------------------|
+| Application Name | `kubercoins-stg`                           |
+| Project Name     | `default`                                  |
+| Sync policy      | `Manual`                                   |
+| Sync options     | check `auto-create namespace`              |
+| Repository URL   | `https://github.com/<username>/<reponame>` |
+| Revision         | `<branchname>`                             |
+| Path             | `.`                                        |
+| Cluster URL      | `https://kubernetes.default.svc`           |
+| Namespace        | `kubercoins-stg`                           |
+
+Then click on the "CREATE" button (top left).
+
+---
+
+## Synchronizing the Application
+
+- After creating the app, it should now show up in the app tiles
+
+  (with a yellow outline to indicate that it's out of sync)
+
+- Click on the "SYNC" button on the app tile to show the sync panel
+
+- In the sync panel, click on "SYNCHRONIZE"
+
+- The app will start to synchronize, and should become healthy after a little while
+
+---
+
+## Making changes
+
+- Let's make changes to our application manifests and see what happens
+
+.lab[
+
+- Make a change to a manifest
+
+  (for instance, change the number of replicas of a Deployment)
+
+- Commit that change and push it to the staging branch
+
+- Check the application sync status:
+  ```bash
+  argocd app list
+  ```
+
+]
+
+- After a short period of time (a few minutes max) the app should show up "out of sync"
+
+---
+
+## Automated synchronization
+
+- We don't want to manually sync after every change
+
+  (that wouldn't be true continuous deployment!)
+
+- We're going to enable "auto sync"
+
+- Note that this requires much more rigorous testing and observability!
+
+  (we need to be sure that our changes won't crash our app or even our cluster)
+
+- Argo project also provides [Argo Rollouts][rollouts]
+
+  (a controller and CRDs to provide blue-green, canary deployments...)
+
+- Today we'll just turn on automated sync for the staging namespace
+
+[rollouts]: https://argoproj.github.io/rollouts/
+
+---
+
+## Enabling auto-sync
+
+- In the web UI, go to *Applications* and click on *kubercoins-stg*
+
+- Click on the "DETAILS" button (top left, might be just a "i" sign on narrow displays)
+
+- Click on "ENABLE AUTO-SYNC" (under "SYNC POLICY")
+
+- After a few minutes the changes should show up!
+
+---
+
+## Rolling back
+
+- If we deploy a broken version, how do we recover?
+
+- "The GitOps way": revert the changes in source control
+
+  (see next slide)
+
+- Emergency rollback:
+
+  - disable auto-sync (if it was enabled)
+
+  - on the app page, click on "HISTORY AND ROLLBACK"
+    <br/>
+    (with the clock-with-backward-arrow icon)
+
+  - click on the "..." button next to the button we want to roll back to
+
+  - click "Rollback" and confirm
+
+---
+
+## Rolling back with GitOps
+
+- The correct way to roll back is rolling back the code in source control
+
+```bash
+git checkout staging
+git revert HEAD
+git push origin staging
+```
+
+---
+
+## Working with Helm
+
+- ArgoCD supports different tools to process Kubernetes manifests:
+
+  Kustomize, Helm, Jsonnet, and [Config Management Plugins][cmp]
+
+- Let's how to deploy Helm charts with ArgoCD!
+
+- In the [kubercoins] repository, there is a branch called [helm]
+
+- It provides a generic Helm chart, in the [generic-service] directory
+
+- There are service-specific values YAML files in the [values] directory
+
+- Let's create one application for each of the 5 components of our app!
+
+[cmp]: https://argo-cd.readthedocs.io/en/stable/operator-manual/config-management-plugins/
+[kubercoins]: https://github.com/jpetazzo/kubercoins
+[helm]: https://github.com/jpetazzo/kubercoins/tree/helm
+[generic-service]: https://github.com/jpetazzo/kubercoins/tree/helm/generic-service
+[values]: https://github.com/jpetazzo/kubercoins/tree/helm/values
+
+---
+
+## Creating a Helm Application
+
+- The example below uses "upstream" kubercoins
+
+- Feel free to use your own fork instead!
+
+.lab[
+
+- Create an Application for `hasher`:
+  ```bash
+    argocd app create hasher \
+           --repo https://github.com/jpetazzo/kubercoins.git \
+           --path generic-service --revision helm \
+           --dest-server https://kubernetes.default.svc \
+           --dest-namespace kubercoins-helm \
+           --sync-option CreateNamespace=true \
+           --values ../values/hasher.yaml \
+           --sync-policy=auto
+  ```
+
+]
+
+---
+
+## Deploying the rest of the application
+
+- Option 1: repeat the previous command (updating app name and values)
+
+- Option 2: author YAML manifests and apply them
+
+---
+
+## Additional considerations
+
+- When running in production, ArgoCD can be integrated with an [SSO provider][sso]
+
+  - ArgoCD embeds and bundles [Dex] to delegate authentication
+
+  - it can also use an existing OIDC provider (Okta, Keycloak...)
+
+- A single ArgoCD instance can manage multiple clusters 
+
+  (but it's also fine to have one ArgoCD per cluster)
+
+- ArgoCD can be complemented with [Argo Rollouts][rollouts] for advanced rollout control
+
+  (blue/green, canary...)
+
+[sso]: https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/#sso
+[Dex]: https://github.com/dexidp/dex
+[rollouts]: https://argoproj.github.io/argo-rollouts/
+
+???
+
+:EN:- Implementing gitops with ArgoCD
+:FR:- Workflow gitops avec ArgoCD

slides/k8s/crd.md

@@ -24,6 +24,32 @@
 
 ---
 
+## A bit of history
+
+Things related to Custom Resource Definitions:
+
+- Kubernetes 1.??: `apiextensions.k8s.io/v1beta1` introduced
+
+- Kubernetes 1.16: `apiextensions.k8s.io/v1` introduced
+
+- Kubernetes 1.22: `apiextensions.k8s.io/v1beta1` [removed][changes-in-122]
+
+- Kubernetes 1.25: [CEL validation rules available in beta][crd-validation-rules-beta]
+
+- Kubernetes 1.28: [validation ratcheting][validation-ratcheting] in [alpha][feature-gates]
+
+- Kubernetes 1.29: [CEL validation rules available in GA][cel-validation-rules]
+
+- Kubernetes 1.30: [validation ratcheting][validation-ratcheting] in [beta][feature-gates]; enabled by default
+
+[crd-validation-rules-beta]: https://kubernetes.io/blog/2022/09/23/crd-validation-rules-beta/
+[cel-validation-rules]: https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#validation-rules
+[validation-ratcheting]: https://github.com/kubernetes/enhancements/tree/master/keps/sig-api-machinery/4008-crd-ratcheting
+[feature-gates]: https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/#feature-gates-for-alpha-or-beta-features
+[changes-in-122]: https://kubernetes.io/blog/2021/07/14/upcoming-changes-in-kubernetes-1-22/
+
+---
+
 ## First slice of pizza
 
 ```yaml
@@ -42,8 +68,6 @@
 
   (a few optional things become mandatory, see [this guide](https://kubernetes.io/docs/reference/using-api/deprecation-guide/#customresourcedefinition-v122) for details)
 
-- `apiextensions.k8s.io/v1beta1` is available since Kubernetes 1.16
-
 ---
 
 ## Second slice of pizza
@@ -96,9 +120,9 @@ The YAML below defines a resource using the CRD that we just created:
 kind: Pizza
 apiVersion: container.training/v1alpha1
 metadata:
-  name: napolitana
+  name: hawaiian
 spec:
-  toppings: [ mozzarella ]
+  toppings: [ cheese, ham, pineapple ]
 ```
 
 .lab[
@@ -114,11 +138,7 @@ spec:
 
 ## Type validation
 
-- Older versions of Kubernetes will accept our pizza definition as is
-
-- Newer versions, however, will issue warnings about unknown fields
-
-  (and if we use `--validate=false`, these fields will simply be dropped)
+- Recent versions of Kubernetes will issue errors about unknown fields
 
 - We need to improve our OpenAPI schema
 
@@ -126,6 +146,28 @@ spec:
 
 ---
 
+## Creating a bland pizza
+
+- Let's try to create a pizza anyway!
+
+.lab[
+
+- Only provide the most basic YAML manifest:
+  ```bash
+    kubectl create -f- <<EOF
+    kind: Pizza
+    apiVersion: container.training/v1alpha1
+    metadata:
+      name: hawaiian
+    EOF
+  ```
+
+]
+
+- That should work! (As long as we don't try to add pineapple😁)
+
+---
+
 ## Third slice of pizza
 
 - Let's add a full OpenAPI v3 schema to our Pizza CRD
@@ -208,24 +250,42 @@ Note: we can update a CRD without having to re-create the corresponding resource
 
 ---
 
-## Better data validation
+## Validation woes
 
-- Let's change the data schema so that the sauce can only be `red` or `white`
-
-- This will be implemented by @@LINK[k8s/pizza-5.yaml]
+- Let's check what happens if we try to update our pizzas
 
 .lab[
 
-- Update the Pizza CRD:
+- Try to add a label:
   ```bash
-  kubectl apply -f ~/container.training/k8s/pizza-5.yaml
+  kubectl label pizza --all deliciousness=9001
   ```
 
 ]
 
+--
+
+- It works for the pizzas that have `sauce` and `toppings`, but not the other one!
+
+- The other one doesn't pass validation, and *can't be modified*
+
 ---
 
-## Validation *a posteriori*
+## First, let's fix this!
+
+- Option 1: delete the pizza
+
+  *(deletion isn't subject to validation)*
+
+- Option 2: update the pizza to add `sauce` and `toppings`
+
+  *(writing a pizza that passes validation is fine)*
+
+- Option 3: relax the validation rules
+
+---
+
+## Next, explain what's happening
 
 - Some of the pizzas that we defined earlier *do not* pass validation
 
@@ -281,6 +341,8 @@ Note: we can update a CRD without having to re-create the corresponding resource
 
 ---
 
+class: extra-details
+
 ## Migrating database content
 
 - We need to *serve* a version as long as we *store* objects in that version
@@ -295,6 +357,58 @@ Note: we can update a CRD without having to re-create the corresponding resource
 
 ---
 
+## Validation ratcheting
+
+- Good news: it's not always necessary to introduce new versions
+
+  (and to write the associated conversion webhooks)
+
+- *Validation ratcheting allows updates to custom resources that fail validation to succeed if the validation errors were on unchanged keypaths*
+
+- In other words: allow changes that don't introduce further validation errors
+
+- This was introduced in Kubernetes 1.28 (alpha), enabled by default in 1.30 (beta)
+
+- The rules are actually a bit more complex
+
+- Another (maybe more accurate) explanation: allow to tighten or loosen some field definitions
+
+---
+
+## Validation ratcheting example
+
+- Let's change the data schema so that the sauce can only be `red` or `white`
+
+- This will be implemented by @@LINK[k8s/pizza-5.yaml]
+
+.lab[
+
+- Update the Pizza CRD:
+  ```bash
+  kubectl apply -f ~/container.training/k8s/pizza-5.yaml
+  ```
+
+]
+
+---
+
+## Testing validation ratcheting
+
+- This should work with Kubernetes 1.30 and above
+
+  (but give an error for the `brownie` pizza with previous versions of K8S)
+
+.lab[
+
+- Add another label:
+  ```bash
+  kubectl label pizzas --all food=definitely
+  ```
+
+]
+
+---
+
 ## Even better data validation
 
 - If we need more complex data validation, we can use a validating webhook

slides/k8s/dmuc-hard.md

@@ -368,6 +368,30 @@ class: extra-details
 
 [ciliumwithoutkubeproxy]: https://docs.cilium.io/en/stable/network/kubernetes/kubeproxy-free/#kubeproxy-free
 
+---
+
+class: extra-details
+
+## About the API server certificate...
+
+- In the previous sections, we've skipped API server certificate verification
+
+- To generate a proper certificate, we need to include a `subjectAltName` extension
+
+- And make sure that the CA includes the extension in the certificate
+
+```bash
+openssl genrsa -out apiserver.key 4096
+
+openssl req -new -key apiserver.key -subj /CN=kubernetes/ \
+        -addext "subjectAltName = DNS:kubernetes.default.svc, \
+        DNS:kubernetes.default, DNS:kubernetes, \
+        DNS:localhost, DNS:polykube1" -out apiserver.csr
+
+openssl x509 -req -in apiserver.csr -CAkey ca.key -CA ca.cert \
+        -out apiserver.crt -copy_extensions copy
+```
+
 ???
 
 :EN:- Connecting nodes and pods

slides/k8s/flux.md

@@ -0,0 +1,508 @@
+# FluxCD
+
+- We're going to implement a basic GitOps workflow with Flux
+
+- Pushing to `main` will automatically deploy to the clusters
+
+- There will be two clusters (`dev` and `prod`)
+
+- The two clusters will have similar (but slightly different) workloads
+
+---
+
+## Repository structure
+
+This is (approximately) what we're going to do:
+
+```
+@@INCLUDE[slides/k8s/gitopstree.txt]
+```
+
+---
+
+## Getting ready
+
+- Let's make sure we have two clusters
+
+- It's OK to use local clusters (kind, minikube...)
+
+- We might run into resource limits, though
+
+  (pay attention to `Pending` pods!)
+
+- We need to install the Flux CLI ([packages], [binaries])
+
+- **Highly recommended:** set up CLI completion!
+
+- Of course we'll need a Git service, too
+
+  (we're going to use GitHub here)
+
+[packages]: https://fluxcd.io/flux/get-started/
+[binaries]: https://github.com/fluxcd/flux2/releases
+
+---
+
+## GitHub setup
+
+- Generate a GitHub token:
+
+  https://github.com/settings/tokens/new
+
+- Give it "repo" access
+
+- This token will be used by the `flux bootstrap github` command later
+
+- It will create a repository and configure it (SSH key...)
+
+- The token can be revoked afterwards
+
+---
+
+## Flux bootstrap
+
+.lab[
+
+- Let's set a few variables for convenience, and create our repository:
+  ```bash
+    export GITHUB_TOKEN=...
+    export GITHUB_USER=changeme
+    export GITHUB_REPO=alsochangeme
+    export FLUX_CLUSTER=dev
+
+    flux bootstrap github \
+      --owner=$GITHUB_USER \
+      --repository=$GITHUB_REPO \
+      --branch=main \
+      --path=./clusters/$FLUX_CLUSTER \
+      --personal --public
+  ```
+
+]
+
+Problems? check next slide!
+
+---
+
+## What could go wrong?
+
+- `flux bootstrap` will create or update the repository on GitHub
+
+- Then it will install Flux controllers to our cluster
+
+- Then it waits for these controllers to be up and running and ready
+
+- Check pod status in `flux-system`
+
+- If pods are `Pending`, check that you have enough resources on your cluster
+
+- For testing purposes, it should be fine to lower or remove Flux `requests`!
+
+  (but don't do that in production!)
+
+- If anything goes wrong, don't worry, we can just re-run the bootstrap
+
+---
+
+class: extra-details
+
+## Idempotence
+
+- It's OK to run that same `flux bootstrap` command multiple times!
+
+- If the repository already exists, it will re-use it
+
+  (it won't destroy or empty it)
+
+- If the path `./clusters/$FLUX_CLUSTER` already exists, it will update it
+
+- It's totally fine to re-run `flux bootstrap` if something fails
+
+- It's totally fine to run it multiple times on different clusters
+
+- Or even to run it multiple times for the *same* cluster
+
+  (to reinstall Flux on that cluster after a cluster wipe / reinstall)
+
+---
+
+## What do we get?
+
+- Let's look at what `flux bootstrap` installed on the cluster
+
+.lab[
+
+- Look inside the `flux-system` namespace:
+  ```bash
+  kubectl get all --namespace flux-system
+  ```
+
+- Look at `kustomizations` custom resources:
+  ```bash
+  kubectl get kustomizations --all-namespaces
+  ```
+
+- See what the `flux` CLI tells us:
+  ```bash
+  flux get all
+  ```
+
+]
+
+---
+
+## Deploying with GitOps
+
+- We'll need to add/edit files on the repository
+
+- We can do it by using `git clone`, local edits, `git commit`, `git push`
+
+- Or by editing online on the GitHub website
+
+.lab[
+
+- Create a manifest; for instance `clusters/dev/flux-system/blue.yaml`
+
+- Add that manifest to `clusters/dev/kustomization.yaml`
+
+- Commit and push both changes to the repository
+
+]
+
+---
+
+## Waiting for reconciliation
+
+- Compare the git hash that we pushed and the one shown with `kubectl get `
+
+- Option 1: wait for Flux to pick up the changes in the repository
+
+  (the default interval for git repositories is 1 minute, so that's fast)
+
+- Option 2: use `flux reconcile source git flux-system`
+
+  (this puts an annotation on the appropriate resource, triggering an immediate check)
+
+- Option 3: set up receiver webhooks
+
+  (so that git updates trigger immediate reconciliation)
+
+---
+
+## Checking progress
+
+- `flux logs`
+
+- `kubectl get gitrepositories --all-namespaces`
+
+- `kubectl get kustomizations --all-namespaces`
+
+---
+
+## Did it work?
+
+--
+
+- No!
+
+--
+
+- Why?
+
+--
+
+- We need to indicate the namespace where the app should be deployed
+
+- Either in the YAML manifests
+
+- Or in the `kustomization` custom resource
+
+  (using field `spec.targetNamespace`)
+
+- Add the namespace to the manifest and try again!
+
+---
+
+## Adding an app in a reusable way
+
+- Let's see a technique to add a whole app
+
+  (with multiple resource manifets)
+
+- We want to minimize code repetition
+
+  (i.e. easy to add on multiple clusters with minimal changes)
+
+---
+
+## The plan
+
+- Add the app manifests in a directory
+
+  (e.g.: `apps/myappname/manifests`)
+
+- Create a kustomization manifest for the app and its namespace
+
+  (e.g.: `apps/myappname/flux.yaml`)
+
+- The kustomization manifest will refer to the app manifest
+
+- Add the kustomization manifest to the top-level `flux-system` kustomization
+
+---
+
+## Creating the manifests
+
+- All commands below should be executed at the root of the repository
+
+.lab[
+
+- Put application manifests in their directory:
+  ```bash
+  mkdir -p apps/dockercoins
+  cp ~/container.training/k8s/dockercoins.yaml apps/dockercoins/
+  ```
+
+- Create kustomization manifest:
+  ```bash
+    flux create kustomization dockercoins \
+      --source=GitRepository/flux-system \
+      --path=./apps/dockercoins/manifests/ \
+      --target-namespace=dockercoins \
+      --prune=true --export > apps/dockercoins/flux.yaml
+  ```
+
+]
+
+---
+
+## Creating the target namespace
+
+- When deploying *helm releases*, it is possible to automatically create the namespace
+
+- When deploying *kustomizations*, we need to create it explicitly
+
+- Let's put the namespace with the kustomization manifest
+
+  (so that the whole app can be mediated through a single manifest)
+
+.lab[
+
+- Add the target namespace to the kustomization manifest:
+  ```bash
+    echo "---
+    kind: Namespace
+    apiVersion: v1
+    metadata:
+      name: dockercoins" >> apps/dockercoins/flux.yaml
+  ```
+
+]
+
+---
+
+## Linking the kustomization manifest
+
+- Edit `clusters/dev/flux-system/kustomization.yaml`
+
+- Add a line to reference the kustomization manifest that we created:
+  ```yaml
+  - ../../../apps/dockercoins/flux.yaml
+  ```
+
+- `git add` our manifests, `git commit`, `git push`
+
+  (check with `git status` that we haven't forgotten anything!)
+
+- `flux reconcile` or wait for the changes to be picked up
+
+---
+
+## Installing with Helm
+
+- We're going to see two different workflows:
+
+  - installing a third-party chart
+    <br/>
+    (e.g. something we found on the Artifact Hub)
+
+  - installing one of our own charts
+    <br/>
+    (e.g. a chart we authored ourselves)
+
+- The procedures are very similar
+
+---
+
+## Installing from a public Helm repository
+
+- Let's install [kube-prometheus-stack][kps]
+
+.lab[
+
+- Create the Flux manifests:
+  ```bash
+  mkdir -p apps/kube-prometheus-stack
+  flux create source helm kube-prometheus-stack \
+       --url=https://prometheus-community.github.io/helm-charts \
+       --export >> apps/kube-prometheus-stack/flux.yaml
+  flux create helmrelease kube-prometheus-stack \
+       --source=HelmRepository/kube-prometheus-stack \
+       --chart=kube-prometheus-stack --release-name=kube-prometheus-stack \
+       --target-namespace=kube-prometheus-stack --create-target-namespace \
+       --export >> apps/kube-prometheus-stack/flux.yaml
+  ```
+
+]
+
+[kps]: https://artifacthub.io/packages/helm/prometheus-community/kube-prometheus-stack
+
+---
+
+## Enable the app
+
+- Just like before, link the manifest from the top-level kustomization
+
+  (`flux-system` in namespace `flux-system`)
+
+- `git add` / `git commit` / `git push`
+
+- We should now have a Prometheus+Grafana observability stack!
+
+---
+
+## Installing from a Helm chart in a git repo
+
+- In this example, the chart will be in the same repo
+
+- In the real world, it will typically be in a different repo!
+
+.lab[
+
+- Generate a basic Helm chart:
+  ```bash
+  mkdir -p charts
+  helm create charts/myapp
+  ```
+
+]
+
+(This generates a chart which installs NGINX. A lot of things can be customized, though.)
+
+---
+
+## Creating the Flux manifests
+
+- The invocation is very similar to our first example
+
+.lab[
+
+- Generate the Flux manifest for the Helm release:
+  ```bash
+  mkdir apps/myapp
+  flux create helmrelease myapp \
+       --source=GitRepository/flux-system \
+       --chart=charts/myapp \
+       --target-namespace=myapp --create-target-namespace \
+       --export > apps/myapp/flux.yaml
+  ```
+
+- Add a reference to that manifest to the top-level kustomization
+
+- `git add` / `git commit` / `git push` the chart, manifest, and kustomization
+
+]
+
+---
+
+## Passing values
+
+- We can also configure our Helm releases with values
+
+- Using an existing `myvalues.yaml` file:
+
+  `flux create helmrelease ... --values=myvalues.yaml`
+
+- Referencing an existing ConfigMap or Secret with a `values.yaml` key:
+
+  `flux create helmrelease ... --values-from=ConfigMap/myapp`
+
+---
+
+## Gotchas
+
+- When creating a HelmRelease using a chart stored in a git repository, you must:
+
+  - either bump the chart version (in `Chart.yaml`) after each change,
+
+  - or set `spec.chart.spec.reconcileStrategy` to `Revision`
+
+- Why?
+
+- Flux installs helm releases using packaged artifacts
+
+- Artifacts are updated only when the Helm chart version changes
+
+- Unless `reconcileStrategy` is set to `Revision` (instead of the default `ChartVersion`)
+
+---
+
+## More gotchas
+
+- There is a bug in Flux that prevents using identical subcharts with aliases
+
+- See [fluxcd/flux2#2505][flux2505] for details
+
+[flux2505]: https://github.com/fluxcd/flux2/discussions/2505
+
+---
+
+## Things that we didn't talk about...
+
+- Bucket sources
+
+- Image automation controller
+
+- Image reflector controller
+
+- And more!
+
+???
+
+:EN:- Implementing gitops with Flux
+:FR:- Workflow gitops avec Flux
+
+<!--
+
+helm upgrade --install --repo https://dl.gitea.io/charts --namespace gitea --create-namespace gitea gitea \
+  --set persistence.enabled=false \
+  --set redis-cluster.enabled=false \
+  --set postgresql-ha.enabled=false \
+  --set postgresql.enabled=true \
+  --set gitea.config.session.PROVIDER=db \
+  --set gitea.config.cache.ADAPTER=memory \
+  #
+
+### Boostrap Flux controllers
+
+```bash
+mkdir -p flux/flux-system/gotk-components.yaml
+flux install --export > flux/flux-system/gotk-components.yaml
+kubectl apply -f flux/flux-system/gotk-components.yaml
+```
+
+### Bootstrap GitRepository/Kustomization
+
+```bash
+export REPO_URL="<gitlab_url>" DEPLOY_USERNAME="<username>"
+read -s DEPLOY_TOKEN
+flux create secret git flux-system --url="${REPO_URL}" --username="${DEPLOY_USERNAME}" --password="${DEPLOY_TOKEN}"
+flux create source git flux-system --url=$REPO_URL --branch=main --secret-ref flux-system --ignore-paths='/*,!/flux' --export > flux/flux-system/gotk-sync.yaml
+flux create kustomization flux-system --source=GitRepository/flux-system --path="./flux" --prune=true --export >> flux/flux-system/gotk-sync.yaml
+
+git add flux/ && git commit -m 'feat: Setup Flux' flux/ && git push
+kubectl apply -f flux/flux-system/gotk-sync.yaml
+```
+
+-->
+

slides/k8s/gitopstree.txt

@@ -0,0 +1,13 @@
+├── charts/                     <--- could also be in separate app repos
+│   ├── dockercoins/
+│   └── color/
+├── apps/                       <--- YAML manifests for GitOps resources
+│   ├── dockercoins/                 (might reference the "charts" above,
+│   ├── blue/                         and/or include environment-specific
+│   ├── green/                        manifests to create e.g. namespaces,
+│   ├── kube-prometheus-stack/        configmaps, secrets...)
+│   ├── cert-manager/
+│   └── traefik/
+└── clusters/                   <--- per-cluster; will typically reference
+    ├── prod/                        the "apps" above, possibly extending 
+    └── dev/                         or adding configuration resources too

slides/k8s/gitworkflows.md

@@ -1,4 +1,4 @@
-# Git-based workflows
+# Git-based workflows (GitOps)
 
 - Deploying with `kubectl` has downsides:
 
@@ -22,7 +22,7 @@
 
 - These resources have a perfect YAML representation
 
-- All we do is manipulating these YAML representations
+- All we do is manipulate these YAML representations
 
   (`kubectl run` generates a YAML file that gets applied)
 
@@ -34,229 +34,232 @@
 
   - control who can push to which branches
 
-  - have formal review processes, pull requests ...
+  - have formal review processes, pull requests, test gates...
 
 ---
 
 ## Enabling git-based workflows
 
-- There are a few tools out there to help us do that
+- There are a many tools out there to help us do that; with different approaches
 
-- We'll see demos of two of them: [Flux] and [Gitkube]
+- "Git host centric" approach: GitHub Actions, GitLab...
 
-- There are *many* other tools, some of them with even more features
+  *the workflows/action are directly initiated by the git platform*
 
-- There are also *many* integrations with popular CI/CD systems
+- "Kubernetes cluster centric" approach: [ArgoCD], [FluxCD]..
 
-  (e.g.: GitLab, Jenkins, ...)
+  *controllers run on our clusters and trigger on repo updates*
 
-[Flux]: https://www.weave.works/oss/flux/
-[Gitkube]: https://gitkube.sh/
+- This is not an exhaustive list (see also: Jenkins)
+
+- We're going to talk mostly about "Kubernetes cluster centric" approaches here
+
+[ArgoCD]: https://argoproj.github.io/cd/
+[Flux]: https://fluxcd.io/
 
 ---
 
-## Flux overview
+## The road to production
 
-- We put our Kubernetes resources as YAML files in a git repository
+In no specific order, we need to at least:
 
-- Flux polls that repository regularly (every 5 minutes by default)
+- Choose a tool
 
-- The resources described by the YAML files are created/updated automatically
+- Choose a cluster / app / namespace layout
+  <br/>
+  (one cluster per app, different clusters for prod/staging...)
 
-- Changes are made by updating the code in the repository
+- Choose a repository layout
+  <br/>
+  (different repositories, directories, branches per app, env, cluster...)
+
+- Choose an installation / bootstrap method
+
+- Choose how new apps / environments / versions will be deployed
+
+- Choose how new images will be built
 
 ---
 
-## Preparing a repository for Flux
+## Flux vs ArgoCD (1/2)
 
-- We need a repository with Kubernetes YAML files
+- Flux:
 
-- I have one: https://github.com/jpetazzo/kubercoins
+  - fancy setup with an (optional) dedicated `flux bootstrap` command
+    <br/>
+    (with support for specific git providers, repo creation...)
 
-- Fork it to your GitHub account
+  - deploying an app requires multiple CRDs
+    <br/>
+    (Kustomization, HelmRelease, GitRepository...)
 
-- Create a new branch in your fork; e.g. `prod`
+  - supports Helm charts, Kustomize, raw YAML
 
-  (e.g. with "branch" dropdown through the GitHub web UI)
+- ArgoCD:
 
-- This is the branch that we are going to use for deployment
+  - simple setup (just apply YAMLs / install Helm chart)
+
+  - fewer CRDs (basic workflow can be implement with a single "Application" resource)
+
+  - supports Helm charts, Jsonnet, Kustomize, raw YAML, and arbitrary plugins
 
 ---
 
-## Setting up Flux with kustomize
+## Flux vs ArgoCD (2/2)
 
-- Clone the Flux repository:
-  ```bash
-  git clone https://github.com/fluxcd/flux
-  cd flux
-  ```
+- Flux:
 
-- Edit `deploy/flux-deployment.yaml`
+  - sync interval is configurable per app
+  - no web UI out of the box
+  - CLI relies on Kubernetes API access
+  - CLI can easily generate custom resource manifests (with `--export`)
+  - self-hosted (flux controllers are managed by flux itself by default)
+  - one flux instance manages a single cluster
 
-- Change the `--git-url` and `--git-branch` parameters:
-  ```yaml
-  - --git-url=git@github.com:your-git-username/kubercoins
-  - --git-branch=prod
-  ```
+- ArgoCD:
 
-- Apply all the YAML:
-  ```bash
-  kubectl apply -k deploy/
-  ```
+  - sync interval is configured globally
+  - comes with a web UI
+  - CLI can use Kubernetes API or separate API and authentication system
+  - one ArgoCD instance can manage multiple clusters
 
 ---
 
-## Setting up Flux with Helm
+## Cluster, app, namespace layout
 
-- Add Flux helm repo:
-  ```bash
-  helm repo add fluxcd https://charts.fluxcd.io
-  ```
+- One cluster per app, different namespaces for environments?
 
-- Install Flux:
-  ```bash
-  kubectl create namespace flux
-  helm upgrade --install flux \
-    --set git.url=git@github.com:your-git-username/kubercoins \
-    --set git.branch=prod \
-    --namespace flux \
-    fluxcd/flux
-  ```
+- One cluster per environment, different namespaces for apps?
+
+- Everything on a single cluster? One cluster per combination?
+
+- Something in between:
+
+  - prod cluster, database cluster, dev/staging/etc cluster
+
+  - prod+db cluster per app, shared dev/staging/etc cluster
+
+- And more!
+
+Note: this decision isn't really tied to GitOps!
 
 ---
 
-## Allowing Flux to access the repository
+## Repository layout
 
-- When it starts, Flux generates an SSH key
+So many different possibilities!
 
-- Display that key:
-  ```bash
-  kubectl -n flux logs deployment/flux | grep identity.pub | cut -d '"' -f2
-  ```
+- Source repos
 
-- Then add that key to the repository, giving it **write** access
+- Cluster/infra repos/branches/directories
 
-  (some Flux features require write access)
+- "Deployment" repos (with manifests, charts)
 
-- After a minute or so, DockerCoins will be deployed to the current namespace
+- Different repos/branches/directories for environments
+
+🤔 How to decide?
 
 ---
 
-## Making changes
+## Permissions
 
-- Make changes (on the `prod` branch), e.g. change `replicas` in `worker`
+- Different teams/companies = different repos
 
-- After a few minutes, the changes will be picked up by Flux and applied
+  - separate platform team → separate "infra" vs "apps" repos
+
+  - teams working on different apps → different repos per app
+
+- Branches can be "protected" (`production`, `main`...)
+
+  (don't need separate repos for separate environments)
+
+- Directories will typically have the same permissions
+
+- Managing directories is easier than branches
+
+- But branches are more "powerful" (cherrypicking, rebasing...)
 
 ---
 
-## Other features
+## Resource hierarchy
 
-- Flux can keep a list of all the tags of all the images we're running
+- Git-based deployments are managed by Kubernetes resources
 
-- The `fluxctl` tool can show us if we're running the latest images
+  (e.g. Kustomization, HelmRelease with Flux; Application with ArgoCD)
 
-- We can also "automate" a resource (i.e. automatically deploy new images)
+- We will call these resources "GitOps resources"
 
-- And much more!
+- These resources need to be managed like any other Kubernetes resource
+
+  (YAML manifests, Kustomizations, Helm charts)
+
+- They can be managed with Git workflows too!
 
 ---
 
-## Gitkube overview
+## Cluster / infra management
 
-- We put our Kubernetes resources as YAML files in a git repository
+- How do we provision clusters?
 
-- Gitkube is a git server (or "git remote")
+- Manual "one-shot" provisioning (CLI, web UI...)
 
-- After making changes to the repository, we push to Gitkube
+- Automation with Terraform, Ansible...
 
-- Gitkube applies the resources to the cluster
+- Kubernetes-driven systems (Crossplane, CAPI)
+
+- Infrastructure can also be managed with GitOps
 
 ---
 
-## Setting up Gitkube
+## Example 1
 
-- Install the CLI:
-  ```bash
-  sudo curl -L -o /usr/local/bin/gitkube \
-       https://github.com/hasura/gitkube/releases/download/v0.2.1/gitkube_linux_amd64
-  sudo chmod +x /usr/local/bin/gitkube
-  ```
+- Managed with YAML/Charts:
 
-- Install Gitkube on the cluster:
-  ```bash
-  gitkube install --expose ClusterIP
-  ```
+  - core components (CNI, CSI, Ingress, logging, monitoring...)
+
+  - GitOps controllers
+
+  - critical application foundations (database operator, databases)
+
+  - GitOps manifests
+
+- Managed with GitOps:
+
+  - applications
+
+  - staging databases
 
 ---
 
-## Creating a Remote
+## Example 2
 
-- Gitkube provides a new type of API resource: *Remote*
+- Managed with YAML/Charts:
 
-  (this is using a mechanism called Custom Resource Definitions or CRD)
+  - essential components (CNI, CoreDNS)
 
-- Create and apply a YAML file containing the following manifest:
-  ```yaml
-	apiVersion: gitkube.sh/v1alpha1
-	kind: Remote
-	metadata:
-	  name: example
-	spec:
-	  authorizedKeys:
-	  - `ssh-rsa AAA...`
-	  manifests:
-	    path: "."
-  ```
+  - initial installation of GitOps controllers
 
-  (replace the `ssh-rsa AAA...` section with the content of `~/.ssh/id_rsa.pub`)
+- Managed with GitOps:
+
+  - upgrades of GitOps controllers
+
+  - core components (CSI, Ingress, logging, monitoring...)
+
+  - operators, databases
+
+  - more GitOps manifests for applications!
 
 ---
 
-## Pushing to our remote
+## Concrete example
 
-- Get the `gitkubed` IP address:
-  ```bash
-  kubectl -n kube-system get svc gitkubed
-  IP=$(kubectl -n kube-system get svc gitkubed -o json | 
-  	   jq -r .spec.clusterIP)
-  ```
+- Source code repository (not shown here)
 
-- Get ourselves a sample repository with resource YAML files:
-  ```bash
-  git clone git://github.com/jpetazzo/kubercoins
-  cd kubercoins
-  ```
+- Infrastructure repository (shown below), single branch
 
-- Add the remote and push to it:
-  ```bash
-  git remote add k8s ssh://default-example@$IP/~/git/default-example
-  git push k8s master
-  ```
-
----
-
-## Making changes
-
-- Edit a local file
-
-- Commit
-
-- Push!
-
-- Make sure that you push to the `k8s` remote
-
----
-
-## Other features
-
-- Gitkube can also build container images for us
-
-  (see the [documentation](https://github.com/hasura/gitkube/blob/master/docs/remote.md) for more details)
-
-- Gitkube can also deploy Helm charts
-
-  (instead of raw YAML files)
+```
+@@INCLUDE[slides/k8s/gitopstree.txt]
+```
 
 ???
 

slides/k8s/helm-intro.md

@@ -51,7 +51,7 @@
   - instructions indicating to users "please tweak this and that in the YAML"
 
 - That's where using something like
-  [CUE](https://github.com/cuelang/cue/blob/v0.3.2/doc/tutorial/kubernetes/README.md),
+  [CUE](https://github.com/cue-labs/cue-by-example/tree/main/003_kubernetes_tutorial),
   [Kustomize](https://kustomize.io/),
   or [Helm](https://helm.sh/) can help!
 
@@ -86,8 +86,6 @@
 
 - On April 30th 2020, Helm was the 10th project to *graduate* within the CNCF
 
-  🎉
-
   (alongside Containerd, Prometheus, and Kubernetes itself)
 
 - This is an acknowledgement by the CNCF for projects that
@@ -99,6 +97,8 @@
 - See [CNCF announcement](https://www.cncf.io/announcement/2020/04/30/cloud-native-computing-foundation-announces-helm-graduation/)
   and [Helm announcement](https://helm.sh/blog/celebrating-helms-cncf-graduation/)
 
+- In other words: Helm is here to stay
+
 ---
 
 ## Helm concepts
@@ -173,11 +173,13 @@ or `apt` tools).
 
 - Helm 3 doesn't use `tiller` at all, making it simpler (yay!)
 
+- If you see references to `tiller` in a tutorial, documentation... that doc is obsolete!
+
 ---
 
 class: extra-details
 
-## With or without `tiller`
+## What was the problem with `tiller`?
 
 - With Helm 3:
 
@@ -193,9 +195,7 @@ class: extra-details
 
 - This indirect model caused significant permissions headaches
 
-  (`tiller` required very broad permissions to function)
-
-- `tiller` was removed in Helm 3 to simplify the security aspects
+- It also made it more complicated to embed Helm in other tools
 
 ---
 
@@ -222,59 +222,6 @@ class: extra-details
 
 ---
 
-class: extra-details
-
-## Only if using Helm 2 ...
-
-- We need to install Tiller and give it some permissions
-
-- Tiller is composed of a *service* and a *deployment* in the `kube-system` namespace
-
-- They can be managed (installed, upgraded...) with the `helm` CLI
-
-.lab[
-
-- Deploy Tiller:
-  ```bash
-  helm init
-  ```
-
-]
-
-At the end of the install process, you will see:
-
-```
-Happy Helming!
-```
-
----
-
-class: extra-details
-
-## Only if using Helm 2 ...
-
-- Tiller needs permissions to create Kubernetes resources
-
-- In a more realistic deployment, you might create per-user or per-team
-  service accounts, roles, and role bindings
-
-.lab[
-
-- Grant `cluster-admin` role to `kube-system:default` service account:
-  ```bash
-  kubectl create clusterrolebinding add-on-cluster-admin \
-      --clusterrole=cluster-admin --serviceaccount=kube-system:default
-  ```
-
-
-]
-
-(Defining the exact roles and permissions on your cluster requires
-a deeper knowledge of Kubernetes' RBAC model. The command above is
-fine for personal and development clusters.)
-
----
-
 ## Charts and repositories
 
 - A *repository* (or repo in short) is a collection of charts
@@ -293,27 +240,7 @@ fine for personal and development clusters.)
 
 ---
 
-class: extra-details
-
-## How to find charts, the old way
-
-- Helm 2 came with one pre-configured repo, the "stable" repo
-
-  (located at https://charts.helm.sh/stable)
-
-- Helm 3 doesn't have any pre-configured repo
-
-- The "stable" repo mentioned above is now being deprecated
-
-- The new approach is to have fully decentralized repos
-
-- Repos can be indexed in the Artifact Hub
-
-  (which supersedes the Helm Hub)
-
----
-
-## How to find charts, the new way
+## How to find charts
 
 - Go to the [Artifact Hub](https://artifacthub.io/packages/search?kind=0) (https://artifacthub.io)
 
@@ -409,24 +336,6 @@ Note: it is also possible to install directly a chart, with `--repo https://...`
 
 ---
 
-class: extra-details
-
-## Searching and installing with Helm 2
-
-- Helm 2 doesn't have support for the Helm Hub
-
-- The `helm search` command only takes a search string argument
-
-  (e.g. `helm search juice-shop`)
-
-- With Helm 2, the name is optional:
-
-  `helm install juice/juice-shop` will automatically generate a name
-
-  `helm install --name my-juice-shop juice/juice-shop` will specify a name
-
----
-
 ## Viewing resources of a release
 
 - This specific chart labels all its resources with a `release` label
@@ -542,11 +451,11 @@ All unspecified values will take the default values defined in the chart.
 
 :EN:- Helm concepts
 :EN:- Installing software with Helm
-:EN:- Helm 2, Helm 3, and the Helm Hub
+:EN:- Finding charts on the Artifact Hub
 
 :FR:- Fonctionnement général de Helm
 :FR:- Installer des composants via Helm
-:FR:- Helm 2, Helm 3, et le *Helm Hub*
+:FR:- Trouver des *charts* sur *Artifact Hub*
 
 :T: Getting started with Helm and its concepts
 

slides/k8s/ingress.md

@@ -572,7 +572,7 @@ This is normal: we haven't provided any ingress rule yet.
 
 - Create a prefix match rule for the `blue` service:
   ```bash
-  kubectl create ingress bluestar --rule=/blue*:blue:80
+  kubectl create ingress bluestar --rule=/blue*=blue:80
   ```
 
 - Check that it works:

slides/k8s/kustomize.md

@@ -128,7 +128,9 @@ configMapGenerator:
 
 - A *variant* is the final outcome of applying bases + overlays
 
-(See the [kustomize glossary](https://github.com/kubernetes-sigs/kustomize/blob/master/docs/glossary.md) for more definitions!)
+(See the [kustomize glossary][glossary] for more definitions!)
+
+[glossary]: https://kubectl.docs.kubernetes.io/references/kustomize/glossary/
 
 ---
 

slides/k8s/pod-security-admission.md

@@ -2,7 +2,7 @@
 
 - "New" policies
 
-  (available in alpha since Kubernetes 1.22)
+  (available in alpha since Kubernetes 1.22, and GA since Kubernetes 1.25)
 
 - Easier to use
 
@@ -66,50 +66,6 @@ class: extra-details
 
 ---
 
-## PSA in practice
-
-- Step 1: enable the PodSecurity admission plugin
-
-- Step 2: label some Namespaces
-
-- Step 3: provide an AdmissionConfiguration (optional)
-
-- Step 4: profit!
-
----
-
-## Enabling PodSecurity
-
-- This requires Kubernetes 1.22 or later
- 
-- This requires the ability to reconfigure the API server
-
-- The following slides assume that we're using `kubeadm`
-
-  (and have write access to `/etc/kubernetes/manifests`)
-
----
-
-## Reconfiguring the API server
-
-- In Kubernetes 1.22, we need to enable the `PodSecurity` feature gate
-
-- In later versions, this might be enabled automatically
-
-.lab[
-
-- Edit `/etc/kubernetes/manifests/kube-apiserver.yaml`
-
-- In the `command` list, add `--feature-gates=PodSecurity=true`
-
-- Save, quit, wait for the API server to be back up again
-
-]
-
-Note: for bonus points, edit the `kubeadm-config` ConfigMap instead!
-
----
-
 ## Namespace labels
 
 - Three optional labels can be added to namespaces:
@@ -277,14 +233,6 @@ Let's use @@LINK[k8s/admission-configuration.yaml]:
 
 - But the Pods don't get created
 
----
-
-## Clean up
-
-- We probably want to remove the API server flags that we added
-
-  (the feature gate and the admission configuration)
-
 ???
 
 :EN:- Preventing privilege escalation with Pod Security Admission

slides/k8s/pod-security-intro.md

@@ -124,7 +124,7 @@
 
 ## Admission plugins
 
-- [PodSecurityPolicy](https://kubernetes.io/docs/concepts/policy/pod-security-policy/) (will be removed in Kubernetes 1.25)
+- [PodSecurityPolicy](https://kubernetes.io/docs/concepts/policy/pod-security-policy/) (was removed in Kubernetes 1.25)
 
   - create PodSecurityPolicy resources
 
@@ -132,7 +132,7 @@
 
   - create RoleBinding that grants the Role to a user or ServiceAccount
 
-- [PodSecurityAdmission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) (alpha since Kubernetes 1.22)
+- [PodSecurityAdmission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) (alpha since Kubernetes 1.22, stable since 1.25)
 
   - use pre-defined policies (privileged, baseline, restricted)
 
@@ -162,9 +162,31 @@
 
 ---
 
+## Validating Admission Policies
+
+- Alternative to validating admission webhooks
+
+- Evaluated in the API server
+
+  (don't require an external server; don't add network latency)
+
+- Written in CEL (Common Expression Language)
+
+- alpha in K8S 1.26; beta in K8S 1.28; GA in K8S 1.30
+
+- Can replace validating webhooks at least in simple cases
+
+- Can extend Pod Security Admission
+
+- Check [the documentation][vapdoc] for examples
+
+[vapdoc]: https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/
+
+---
+
 ## Acronym salad
 
-- PSP = Pod Security Policy
+- PSP = Pod Security Policy **(deprecated)**
 
   - an admission plugin called PodSecurityPolicy
 

slides/k8s/pod-security-policies.md

@@ -2,11 +2,15 @@
 
 - "Legacy" policies
 
-  (deprecated since Kubernetes 1.21; will be removed in 1.25)
+  (deprecated since Kubernetes 1.21; removed in 1.25)
 
 - Superseded by Pod Security Standards + Pod Security Admission
 
-  (available in alpha since Kubernetes 1.22)
+  (available in alpha since Kubernetes 1.22; stable since 1.25)
+
+- **Since Kubernetes 1.24 was EOL in July 2023, nobody should use PSPs anymore!**
+
+- This section is here mostly for historical purposes, and can be skipped
 
 ---
 

slides/k8s/prereqs-advanced.md

@@ -1,4 +1,4 @@
-# Pre-requirements
+## Pre-requirements
 
 - Kubernetes concepts
 

slides/kadm-fullday.yml

@@ -0,0 +1,65 @@
+title: |
+  Kubernetes
+  for Admins and Ops
+
+#chat: "[Slack](https://dockercommunity.slack.com/messages/C7GKACWDV)"
+#chat: "[Gitter](https://gitter.im/jpetazzo/workshop-yyyymmdd-city)"
+chat: "In person!"
+
+gitrepo: github.com/jpetazzo/container.training
+
+slides: https://container.training/
+
+#slidenumberprefix: "#SomeHashTag — "
+
+exclude:
+- self-paced
+- static-pods-exercise
+
+content:
+- shared/title.md
+- logistics.md
+- k8s/intro.md
+- shared/about-slides.md
+- shared/chat-room-im.md
+#- shared/chat-room-slack.md
+#- shared/chat-room-zoom-meeting.md
+#- shared/chat-room-zoom-webinar.md
+- shared/toc.md
+-
+  - k8s/prereqs-advanced.md
+  - shared/handson.md
+  - k8s/architecture.md
+  #- k8s/internal-apis.md
+  - k8s/deploymentslideshow.md
+  - k8s/dmuc-easy.md
+-
+  - k8s/dmuc-medium.md
+  - k8s/dmuc-hard.md
+  #- k8s/multinode.md
+  #- k8s/cni.md
+  - k8s/cni-internals.md
+  #- k8s/interco.md
+-
+  - k8s/apilb.md
+  #- k8s/setup-overview.md
+  #- k8s/setup-devel.md
+  #- k8s/setup-managed.md
+  #- k8s/setup-selfhosted.md
+  - k8s/cluster-upgrade.md
+  - k8s/cluster-backup.md
+  - k8s/staticpods.md
+-
+  #- k8s/cloud-controller-manager.md
+  #- k8s/bootstrap.md  
+  - k8s/control-plane-auth.md
+  - k8s/pod-security-intro.md
+  - k8s/pod-security-policies.md
+  - k8s/pod-security-admission.md
+  - k8s/user-cert.md
+  - k8s/csr-api.md
+  - k8s/openid-connect.md
+-
+  #- k8s/lastwords-admin.md
+  - k8s/links.md
+  - shared/thankyou.md

slides/kadm-twodays.yml

@@ -0,0 +1,96 @@
+title: |
+  Kubernetes
+  for administrators
+  and operators
+
+#chat: "[Slack](https://dockercommunity.slack.com/messages/C7GKACWDV)"
+#chat: "[Gitter](https://gitter.im/jpetazzo/workshop-yyyymmdd-city)"
+chat: "In person!"
+
+gitrepo: github.com/jpetazzo/container.training
+
+slides: https://container.training/
+
+#slidenumberprefix: "#SomeHashTag — "
+
+exclude:
+- self-paced
+
+content:
+- shared/title.md
+- logistics.md
+- k8s/intro.md
+- shared/about-slides.md
+- shared/chat-room-im.md
+#- shared/chat-room-slack.md
+#- shared/chat-room-zoom-meeting.md
+#- shared/chat-room-zoom-webinar.md
+- shared/toc.md
+# DAY 1
+- - k8s/prereqs-advanced.md
+  - shared/handson.md
+  - k8s/architecture.md
+  - k8s/internal-apis.md
+  - k8s/deploymentslideshow.md
+  - k8s/dmuc-easy.md
+- - k8s/dmuc-medium.md
+  - k8s/dmuc-hard.md
+  #- k8s/multinode.md
+  #- k8s/cni.md
+  - k8s/cni-internals.md
+  #- k8s/interco.md
+- - k8s/apilb.md
+  - k8s/setup-overview.md
+  #- k8s/setup-devel.md
+  - k8s/setup-managed.md
+  - k8s/setup-selfhosted.md
+  - k8s/cluster-upgrade.md
+  - k8s/staticpods.md
+- - k8s/cluster-backup.md
+  - k8s/cloud-controller-manager.md
+  - k8s/healthchecks.md
+  - k8s/healthchecks-more.md
+# DAY 2
+- - k8s/kubercoins.md
+  - k8s/logs-cli.md
+  - k8s/logs-centralized.md
+  - k8s/authn-authz.md
+  - k8s/user-cert.md
+  - k8s/csr-api.md
+- - k8s/openid-connect.md
+  - k8s/control-plane-auth.md
+  ###- k8s/bootstrap.md
+  - k8s/netpol.md
+  - k8s/pod-security-intro.md
+  - k8s/pod-security-policies.md
+  - k8s/pod-security-admission.md
+- - k8s/resource-limits.md
+  - k8s/metrics-server.md
+  - k8s/cluster-sizing.md
+  - k8s/disruptions.md
+  - k8s/horizontal-pod-autoscaler.md
+- - k8s/prometheus.md
+  #- k8s/prometheus-stack.md
+  - k8s/extending-api.md
+  - k8s/crd.md
+  - k8s/operators.md
+  - k8s/eck.md
+  ###- k8s/operators-design.md
+  ###- k8s/operators-example.md
+# CONCLUSION
+- - k8s/lastwords.md
+  - k8s/links.md
+  - shared/thankyou.md
+  - |
+    # (All content after this slide is bonus material)
+# EXTRA
+- - k8s/volumes.md
+  - k8s/configuration.md
+  - k8s/secrets.md
+  - k8s/statefulsets.md
+  - k8s/consul.md
+  - k8s/pv-pvc-sc.md
+  - k8s/volume-claim-templates.md
+  #- k8s/portworx.md
+  - k8s/openebs.md
+  - k8s/stateful-failover.md

slides/kube-adv.yml

@@ -0,0 +1,93 @@
+title: |
+  Advanced
+  Kubernetes
+
+chat: "[Slack](https://dockercommunity.slack.com/messages/C7GKACWDV)"
+#chat: "[Gitter](https://gitter.im/jpetazzo/workshop-yyyymmdd-city)"
+
+gitrepo: github.com/jpetazzo/container.training
+
+slides: https://container.training/
+
+#slidenumberprefix: "#SomeHashTag — "
+
+exclude:
+- self-paced
+
+content:
+- shared/title.md
+- logistics.md
+- k8s/intro.md
+- shared/about-slides.md
+#- shared/chat-room-im.md
+#- shared/chat-room-slack.md
+#- shared/chat-room-zoom-meeting.md
+#- shared/chat-room-zoom-webinar.md
+- shared/toc.md
+- #1
+  - k8s/prereqs-advanced.md
+  - shared/handson.md
+  - k8s/architecture.md
+  - k8s/internal-apis.md
+  - k8s/deploymentslideshow.md
+  - k8s/dmuc-easy.md
+- #2
+  - k8s/dmuc-medium.md
+  - k8s/dmuc-hard.md
+  #- k8s/multinode.md
+  #- k8s/cni.md
+  #- k8s/interco.md
+  - k8s/cni-internals.md
+- #3
+  - k8s/apilb.md
+  - k8s/control-plane-auth.md
+  - |
+    # (Extra content)
+  - k8s/staticpods.md
+  - k8s/cluster-upgrade.md
+- #4
+  - k8s/kustomize.md
+  - k8s/helm-intro.md
+  - k8s/helm-chart-format.md
+  - k8s/helm-create-basic-chart.md
+  - |
+    # (Extra content)
+  - k8s/helm-create-better-chart.md
+  - k8s/helm-dependencies.md
+  - k8s/helm-values-schema-validation.md
+  - k8s/helm-secrets.md
+  - k8s/ytt.md
+- #5
+  - k8s/extending-api.md
+  - k8s/operators.md
+  - k8s/sealed-secrets.md
+  - k8s/crd.md
+- #6
+  - k8s/ingress-tls.md
+  - k8s/ingress-advanced.md
+  #- k8s/ingress-canary.md
+  - k8s/cert-manager.md
+  - k8s/cainjector.md
+  - k8s/eck.md
+- #7
+  - k8s/admission.md
+  - k8s/kyverno.md
+- #8
+  - k8s/aggregation-layer.md
+  - k8s/metrics-server.md
+  - k8s/prometheus.md
+  - k8s/prometheus-stack.md
+  - k8s/hpa-v2.md
+- #9
+  - k8s/operators-design.md
+  - k8s/operators-example.md
+  - k8s/kubebuilder.md
+  - k8s/events.md
+  - k8s/finalizers.md
+  - |
+    # (Extra content)
+  - k8s/owners-and-dependents.md
+  - k8s/apiserver-deepdive.md
+  #- k8s/record.md
+  - shared/thankyou.md
+

slides/kube-fullday.yml

@@ -0,0 +1,136 @@
+title: |
+  Deploying and Scaling Microservices
+  with Kubernetes
+
+#chat: "[Slack](https://dockercommunity.slack.com/messages/C7GKACWDV)"
+#chat: "[Gitter](https://gitter.im/jpetazzo/workshop-yyyymmdd-city)"
+chat: "In person!"
+
+gitrepo: github.com/jpetazzo/container.training
+
+slides: https://container.training/
+
+#slidenumberprefix: "#SomeHashTag — "
+
+exclude:
+- self-paced
+
+content:
+- shared/title.md
+- logistics.md
+- k8s/intro.md
+- shared/about-slides.md
+- shared/chat-room-im.md
+#- shared/chat-room-slack.md
+#- shared/chat-room-zoom-meeting.md
+#- shared/chat-room-zoom-webinar.md
+- shared/toc.md
+-
+  - shared/prereqs.md
+  - shared/handson.md
+  #- shared/webssh.md
+  - shared/connecting.md
+  #- k8s/versions-k8s.md
+  - shared/sampleapp.md
+  #- shared/composescale.md
+  #- shared/hastyconclusions.md
+  - shared/composedown.md
+  - k8s/concepts-k8s.md
+  - k8s/kubectlget.md
+-
+  - k8s/kubectl-run.md
+  #- k8s/batch-jobs.md
+  - shared/declarative.md
+  - k8s/declarative.md
+  - k8s/deploymentslideshow.md
+  - k8s/kubectlexpose.md
+  - k8s/service-types.md
+  - k8s/kubenet.md
+  - k8s/shippingimages.md
+  #- k8s/buildshiprun-selfhosted.md
+  - k8s/buildshiprun-dockerhub.md
+  - k8s/ourapponkube.md
+  #- k8s/exercise-wordsmith.md
+-
+  - k8s/labels-annotations.md
+  - k8s/kubectl-logs.md
+  - k8s/logs-cli.md
+  - k8s/yamldeploy.md
+  - k8s/namespaces.md
+  - k8s/setup-overview.md
+  - k8s/setup-devel.md
+  #- k8s/setup-managed.md
+  #- k8s/setup-selfhosted.md
+-
+  - k8s/dashboard.md
+  - k8s/rollout.md
+  - k8s/healthchecks.md
+  - k8s/ingress.md
+  #- k8s/volumes.md
+  - k8s/configuration.md
+  - k8s/secrets.md
+  - k8s/openebs.md
+  #- k8s/k9s.md
+  #- k8s/tilt.md
+  #- k8s/kubectlscale.md
+  #- k8s/scalingdockercoins.md
+  #- shared/hastyconclusions.md
+  #- k8s/daemonset.md
+  #- shared/yaml.md
+  #- k8s/exercise-yaml.md
+  #- k8s/localkubeconfig.md
+  #- k8s/access-eks-cluster.md
+  #- k8s/accessinternal.md
+  #- k8s/kubectlproxy.md
+  #- k8s/healthchecks-more.md
+  #- k8s/record.md
+  #- k8s/ingress-tls.md
+  #- k8s/kustomize.md
+  #- k8s/helm-intro.md
+  #- k8s/helm-chart-format.md
+  #- k8s/helm-create-basic-chart.md
+  #- k8s/helm-create-better-chart.md
+  #- k8s/helm-dependencies.md
+  #- k8s/helm-values-schema-validation.md
+  #- k8s/helm-secrets.md
+  #- k8s/exercise-helm.md
+  #- k8s/ytt.md
+  #- k8s/gitlab.md
+  #- k8s/create-chart.md
+  #- k8s/create-more-charts.md
+  #- k8s/netpol.md
+  #- k8s/authn-authz.md
+  #- k8s/user-cert.md
+  #- k8s/csr-api.md
+  #- k8s/openid-connect.md
+  #- k8s/pod-security-intro.md
+  #- k8s/pod-security-policies.md
+  #- k8s/pod-security-admission.md
+  #- k8s/exercise-configmap.md
+  #- k8s/build-with-docker.md
+  #- k8s/build-with-kaniko.md
+  #- k8s/logs-centralized.md
+  #- k8s/prometheus.md
+  #- k8s/prometheus-stack.md
+  #- k8s/statefulsets.md
+  #- k8s/consul.md
+  #- k8s/pv-pvc-sc.md
+  #- k8s/volume-claim-templates.md
+  #- k8s/portworx.md
+  #- k8s/openebs.md
+  #- k8s/stateful-failover.md
+  #- k8s/extending-api.md
+  #- k8s/crd.md
+  #- k8s/admission.md
+  #- k8s/operators.md
+  #- k8s/operators-design.md
+  #- k8s/operators-example.md
+  #- k8s/staticpods.md
+  #- k8s/finalizers.md
+  #- k8s/owners-and-dependents.md
+  #- k8s/gitworkflows.md
+-
+  #- k8s/whatsnext.md
+  - k8s/lastwords.md
+  #- k8s/links.md
+  - shared/thankyou.md

slides/kube-halfday.yml

@@ -0,0 +1,91 @@
+title: |
+  Kubernetes 101
+
+
+#chat: "[Slack](https://dockercommunity.slack.com/messages/C7GKACWDV)"
+#chat: "[Gitter](https://gitter.im/jpetazzo/training-20180413-paris)"
+chat: "In person!"
+
+gitrepo: github.com/jpetazzo/container.training
+
+slides: https://container.training/
+
+#slidenumberprefix: "#SomeHashTag — "
+
+exclude:
+- self-paced
+
+content:
+- shared/title.md
+#- logistics.md
+# Bridget-specific; others use logistics.md
+- logistics-bridget.md
+- k8s/intro.md
+- shared/about-slides.md
+- shared/chat-room-im.md
+#- shared/chat-room-slack.md
+#- shared/chat-room-zoom-meeting.md
+#- shared/chat-room-zoom-webinar.md
+- shared/toc.md
+- - shared/prereqs.md
+  - shared/handson.md
+  #- shared/webssh.md
+  - shared/connecting.md
+  - k8s/versions-k8s.md
+  - shared/sampleapp.md
+# Bridget doesn't go into as much depth with compose
+  #- shared/composescale.md
+  #- shared/hastyconclusions.md
+  - shared/composedown.md
+  - k8s/concepts-k8s.md
+  - shared/declarative.md
+  - k8s/declarative.md
+  #- k8s/kubenet.md
+  - k8s/kubectlget.md
+  - k8s/setup-overview.md
+  #- k8s/setup-devel.md
+  #- k8s/setup-managed.md
+  #- k8s/setup-selfhosted.md
+- - k8s/kubectl-run.md
+  #- k8s/batch-jobs.md
+  #- k8s/labels-annotations.md
+  - k8s/kubectl-logs.md
+  - k8s/deploymentslideshow.md
+  - k8s/kubectlexpose.md
+  #- k8s/service-types.md
+  - k8s/shippingimages.md
+  #- k8s/buildshiprun-selfhosted.md
+  - k8s/buildshiprun-dockerhub.md
+  - k8s/ourapponkube.md
+  #- k8s/localkubeconfig.md
+  #- k8s/access-eks-cluster.md
+  #- k8s/accessinternal.md
+  #- k8s/kubectlproxy.md
+- - k8s/dashboard.md
+  #- k8s/k9s.md
+  #- k8s/tilt.md
+  #- k8s/kubectlscale.md
+  - k8s/scalingdockercoins.md
+  - shared/hastyconclusions.md
+  - k8s/daemonset.md
+  - k8s/rollout.md
+  #- k8s/record.md
+- - k8s/logs-cli.md
+# Bridget hasn't added EFK yet
+  #- k8s/logs-centralized.md
+  - k8s/namespaces.md
+  - k8s/helm-intro.md
+  #- k8s/helm-chart-format.md
+  - k8s/helm-create-basic-chart.md
+  #- k8s/helm-create-better-chart.md
+  #- k8s/helm-dependencies.md
+  #- k8s/helm-values-schema-validation.md
+  #- k8s/helm-secrets.md
+  #- k8s/kustomize.md
+  #- k8s/ytt.md  
+  #- k8s/netpol.md
+  - k8s/whatsnext.md
+#  - k8s/links.md
+# Bridget-specific
+  - k8s/links-bridget.md
+  - shared/thankyou.md

slides/kube-selfpaced.yml

@@ -0,0 +1,174 @@
+title: |
+  Deploying and Scaling Microservices
+  with Docker and Kubernetes
+
+chat: "[Slack](https://dockercommunity.slack.com/messages/C7GKACWDV)"
+#chat: "[Gitter](https://gitter.im/jpetazzo/workshop-yyyymmdd-city)"
+
+
+gitrepo: github.com/jpetazzo/container.training
+
+slides: https://container.training/
+
+#slidenumberprefix: "#SomeHashTag — "
+
+exclude:
+- in-person
+
+content:
+- shared/title.md
+#- logistics.md
+- k8s/intro.md
+- shared/about-slides.md
+#- shared/chat-room-im.md
+#- shared/chat-room-slack.md
+#- shared/chat-room-zoom-meeting.md
+#- shared/chat-room-zoom-webinar.md
+- shared/toc.md
+-
+  - shared/prereqs.md
+  - shared/handson.md
+  #- shared/webssh.md
+  - shared/connecting.md
+  - k8s/versions-k8s.md
+  - shared/sampleapp.md
+  #- shared/composescale.md
+  #- shared/hastyconclusions.md
+  - shared/composedown.md
+  - k8s/concepts-k8s.md
+-
+  - k8s/kubectlget.md
+  - k8s/kubectl-run.md
+  - k8s/batch-jobs.md
+  - k8s/labels-annotations.md
+  - k8s/kubectl-logs.md
+  - k8s/logs-cli.md
+  - shared/declarative.md
+  - k8s/declarative.md
+  - k8s/deploymentslideshow.md
+-
+  - k8s/kubectlexpose.md
+  - k8s/service-types.md
+  - k8s/kubenet.md
+  - k8s/shippingimages.md
+  - k8s/buildshiprun-selfhosted.md
+  - k8s/buildshiprun-dockerhub.md
+  - k8s/ourapponkube.md
+  #- k8s/exercise-wordsmith.md
+  - shared/yaml.md
+  - k8s/yamldeploy.md
+  - k8s/namespaces.md
+-
+  - k8s/setup-overview.md
+  - k8s/setup-devel.md
+  - k8s/setup-managed.md
+  - k8s/setup-selfhosted.md
+  - k8s/dashboard.md
+  - k8s/k9s.md
+  - k8s/tilt.md
+  #- k8s/kubectlscale.md
+  - k8s/scalingdockercoins.md
+  - shared/hastyconclusions.md
+  - k8s/daemonset.md
+  #- k8s/exercise-yaml.md
+-
+  - k8s/rollout.md
+  - k8s/healthchecks.md
+  - k8s/healthchecks-more.md
+  - k8s/record.md
+-
+  - k8s/localkubeconfig.md
+  #- k8s/access-eks-cluster.md
+  - k8s/accessinternal.md
+  - k8s/kubectlproxy.md
+-
+  - k8s/ingress.md
+  - k8s/ingress-advanced.md
+  #- k8s/ingress-canary.md
+  - k8s/ingress-tls.md
+  - k8s/cert-manager.md
+  - k8s/cainjector.md
+  - k8s/kustomize.md
+  - k8s/helm-intro.md
+  - k8s/helm-chart-format.md
+  - k8s/helm-create-basic-chart.md
+  - k8s/helm-create-better-chart.md
+  - k8s/helm-dependencies.md
+  - k8s/helm-values-schema-validation.md
+  - k8s/helm-secrets.md
+  #- k8s/exercise-helm.md
+  - k8s/gitlab.md
+  - k8s/ytt.md
+-
+  - k8s/netpol.md
+  - k8s/authn-authz.md
+  - k8s/pod-security-intro.md
+  - k8s/pod-security-policies.md
+  - k8s/pod-security-admission.md
+  - k8s/user-cert.md
+  - k8s/csr-api.md
+  - k8s/openid-connect.md
+  - k8s/control-plane-auth.md
+-
+  - k8s/volumes.md
+  #- k8s/exercise-configmap.md
+  - k8s/build-with-docker.md
+  - k8s/build-with-kaniko.md
+-
+  - k8s/configuration.md
+  - k8s/secrets.md
+  - k8s/statefulsets.md
+  - k8s/consul.md
+  - k8s/pv-pvc-sc.md
+  - k8s/volume-claim-templates.md
+  - k8s/portworx.md
+  - k8s/openebs.md
+  - k8s/stateful-failover.md
+-
+  - k8s/gitworkflows.md
+  - k8s/flux.md
+  - k8s/argocd.md
+-
+  - k8s/logs-centralized.md
+  - k8s/prometheus.md
+  - k8s/prometheus-stack.md
+  - k8s/resource-limits.md
+  - k8s/metrics-server.md
+  - k8s/cluster-sizing.md
+  - k8s/disruptions.md
+  - k8s/cluster-autoscaler.md
+  - k8s/horizontal-pod-autoscaler.md
+  - k8s/hpa-v2.md
+-
+  - k8s/extending-api.md
+  - k8s/apiserver-deepdive.md
+  - k8s/crd.md
+  - k8s/aggregation-layer.md
+  - k8s/admission.md
+  - k8s/operators.md
+  - k8s/operators-design.md
+  - k8s/operators-example.md
+  - k8s/kubebuilder.md
+  - k8s/sealed-secrets.md
+  - k8s/kyverno.md
+  - k8s/eck.md
+  - k8s/finalizers.md
+  - k8s/owners-and-dependents.md
+  - k8s/events.md
+-
+  - k8s/dmuc-easy.md
+  - k8s/dmuc-medium.md
+  - k8s/dmuc-hard.md
+  #- k8s/multinode.md
+  #- k8s/cni.md
+  - k8s/cni-internals.md
+  - k8s/apilb.md
+  - k8s/staticpods.md
+-
+  - k8s/cluster-upgrade.md
+  - k8s/cluster-backup.md
+  - k8s/cloud-controller-manager.md
+-
+  - k8s/lastwords.md
+  - k8s/links.md
+  - shared/thankyou.md

slides/kube-twodays.yml

@@ -0,0 +1,136 @@
+title: |
+  Deploying and Scaling Microservices
+  with Kubernetes
+
+#chat: "[Slack](https://dockercommunity.slack.com/messages/C7GKACWDV)"
+#chat: "[Gitter](https://gitter.im/jpetazzo/workshop-yyyymmdd-city)"
+chat: "In person!"
+
+gitrepo: github.com/jpetazzo/container.training
+
+slides: https://container.training/
+
+#slidenumberprefix: "#SomeHashTag — "
+
+exclude:
+- self-paced
+
+content:
+- shared/title.md
+- logistics.md
+- k8s/intro.md
+- shared/about-slides.md
+- shared/chat-room-im.md
+#- shared/chat-room-slack.md
+#- shared/chat-room-zoom-meeting.md
+#- shared/chat-room-zoom-webinar.md
+- shared/toc.md
+-
+  - shared/prereqs.md
+  - shared/handson.md
+  #- shared/webssh.md
+  - shared/connecting.md
+  #- k8s/versions-k8s.md
+  - shared/sampleapp.md
+  #- shared/composescale.md
+  #- shared/hastyconclusions.md
+  - shared/composedown.md
+  - k8s/concepts-k8s.md
+  - k8s/kubectlget.md
+-
+  - k8s/kubectl-run.md
+  - k8s/batch-jobs.md
+  - k8s/labels-annotations.md
+  - k8s/kubectl-logs.md
+  - k8s/logs-cli.md
+  - shared/declarative.md
+  - k8s/declarative.md
+  - k8s/deploymentslideshow.md
+  - k8s/kubectlexpose.md
+  - k8s/service-types.md
+  - k8s/kubenet.md
+  - k8s/shippingimages.md
+  #- k8s/buildshiprun-selfhosted.md
+  - k8s/buildshiprun-dockerhub.md
+  - k8s/ourapponkube.md
+  #- k8s/exercise-wordsmith.md
+-
+  - k8s/yamldeploy.md
+  - k8s/setup-overview.md
+  - k8s/setup-devel.md
+  #- k8s/setup-managed.md
+  #- k8s/setup-selfhosted.md
+  - k8s/dashboard.md
+  - k8s/k9s.md
+  #- k8s/tilt.md
+  #- k8s/kubectlscale.md
+  - k8s/scalingdockercoins.md
+  - shared/hastyconclusions.md
+  - k8s/daemonset.md
+  - shared/yaml.md
+  #- k8s/exercise-yaml.md
+-
+  - k8s/localkubeconfig.md
+  #- k8s/access-eks-cluster.md
+  - k8s/accessinternal.md
+  #- k8s/kubectlproxy.md
+  - k8s/rollout.md
+  - k8s/healthchecks.md
+  #- k8s/healthchecks-more.md
+  - k8s/record.md
+-
+  - k8s/namespaces.md
+  - k8s/ingress.md
+  #- k8s/ingress-advanced.md
+  #- k8s/ingress-canary.md
+  #- k8s/ingress-tls.md
+  - k8s/kustomize.md
+  - k8s/helm-intro.md
+  - k8s/helm-chart-format.md
+  - k8s/helm-create-basic-chart.md
+  - k8s/helm-create-better-chart.md
+  - k8s/helm-dependencies.md
+  - k8s/helm-values-schema-validation.md
+  - k8s/helm-secrets.md
+  #- k8s/exercise-helm.md
+  #- k8s/ytt.md
+  - k8s/gitlab.md
+-
+  - k8s/netpol.md
+  - k8s/authn-authz.md
+  #- k8s/csr-api.md
+  #- k8s/openid-connect.md
+  #- k8s/pod-security-intro.md
+  #- k8s/pod-security-policies.md
+  #- k8s/pod-security-admission.md
+-
+  - k8s/volumes.md
+  #- k8s/exercise-configmap.md
+  #- k8s/build-with-docker.md
+  #- k8s/build-with-kaniko.md
+  - k8s/configuration.md
+  - k8s/secrets.md
+  - k8s/logs-centralized.md
+  #- k8s/prometheus.md
+  #- k8s/prometheus-stack.md
+-
+  - k8s/statefulsets.md
+  - k8s/consul.md
+  - k8s/pv-pvc-sc.md
+  - k8s/volume-claim-templates.md
+  #- k8s/portworx.md
+  - k8s/openebs.md
+  - k8s/stateful-failover.md
+  #- k8s/extending-api.md
+  #- k8s/admission.md
+  #- k8s/operators.md
+  #- k8s/operators-design.md
+  #- k8s/operators-example.md
+  #- k8s/staticpods.md
+  #- k8s/owners-and-dependents.md
+  #- k8s/gitworkflows.md
+-
+  - k8s/whatsnext.md
+  - k8s/lastwords.md
+  - k8s/links.md
+  - shared/thankyou.md

slides/logistics-julien.md

@@ -0,0 +1,76 @@
+## Introductions (en 🇫🇷)
+
+- Bonjour ! 
+
+- Sur scène : Julien
+
+- En backstage : Alexandre, Antoine, Aurélien (x2), Benji, David, Kostas, Nicolas, Paul, Sébastien, Thibault...
+
+- Horaires : tous les jours de 9h à 13h
+
+- On fera une pause vers (environ) 11h
+
+- N'hésitez pas à poser un maximum de questions!
+
+- Utilisez @@CHAT@@ pour les questions, demander de l'aide, etc.
+
+[@alexbuisine]: https://twitter.com/alexbuisine
+[EphemeraSearch]: https://ephemerasearch.com/
+[@jpetazzo]: https://twitter.com/jpetazzo
+[@jpetazzo@hachyderm.io]: https://hachyderm.io/@jpetazzo
+[@s0ulshake]: https://twitter.com/s0ulshake
+[Quantgene]: https://www.quantgene.com/
+
+---
+
+## Les 15 minutes du matin
+
+- Chaque jour, on commencera à 9h par une mini-présentation de 15 minutes
+
+  (sur un sujet choisi ensemble, pas forcément en relation avec la formation!)
+
+- L'occasion de s'échauffer les neurones avec 🥐/☕️/🍊
+
+  (avant d'attaquer les choses sérieuses)
+
+- Puis à 9h15 on rentre dans le vif du sujet
+
+---
+
+## Travaux pratiques
+
+- À la fin de chaque matinée, il y a un exercice pratique concret
+
+  (pour mettre en œuvre ce qu'on a vu)
+
+- Les exercices font partie de la formation !
+
+- Ils sont prévus pour prendre entre 15 minutes et 2 heures
+
+  (selon les connaissances et l'aisance de chacun·e)
+
+- Chaque matinée commencera avec un passage en revue de l'exercice de la veille
+
+- On est là pour vous aider si vous bloquez sur un exercice !
+
+---
+
+## Allô Docker¹ ?
+
+- Chaque après-midi : une heure de questions/réponses ouvertes !
+
+  (sauf le vendredi)
+
+- Mardi: 15h-16h
+
+- Mercredi: 16h-17h
+
+- Jeudi: 14h-15h
+
+- Sur [Jitsi][jitsi] (lien "visioconf" sur le portail de formation)
+
+.footnote[¹Clin d'œil à l'excellent ["Quoi de neuf Docker?"][qdnd] de l'excellent [Nicolas Deloof][ndeloof] 🙂]
+
+[qdnd]: https://www.youtube.com/channel/UCOAhkxpryr_BKybt9wIw-NQ
+[ndeloof]: https://github.com/ndeloof
+[jitsi]: https://training.enix.io/jitsi-magic/jitsi.container.training/AlloDockerMai2023

slides/logistics-ludovic.md

@@ -0,0 +1,76 @@
+## Introductions (en 🇫🇷)
+
+- Bonjour ! 
+
+- Sur scène : Ludovic
+
+- En backstage : Alexandre, Antoine, Aurélien (x2), Benjamin (x2), David, Kostas, Nicolas, Paul, Sébastien, Thibault...
+
+- Horaires : tous les jours de 9h à 13h
+
+- On fera une pause vers (environ) 11h
+
+- N'hésitez pas à poser un maximum de questions!
+
+- Utilisez @@CHAT@@ pour les questions, demander de l'aide, etc.
+
+[@alexbuisine]: https://twitter.com/alexbuisine
+[EphemeraSearch]: https://ephemerasearch.com/
+[@jpetazzo]: https://twitter.com/jpetazzo
+[@jpetazzo@hachyderm.io]: https://hachyderm.io/@jpetazzo
+[@s0ulshake]: https://twitter.com/s0ulshake
+[Quantgene]: https://www.quantgene.com/
+
+---
+
+## Les 15 minutes du matin
+
+- Chaque jour, on commencera à 9h par une mini-présentation de 15 minutes
+
+  (sur un sujet choisi ensemble, pas forcément en relation avec la formation!)
+
+- L'occasion de s'échauffer les neurones avec 🥐/☕️/🍊
+
+  (avant d'attaquer les choses sérieuses)
+
+- Puis à 9h15 on rentre dans le vif du sujet
+
+---
+
+## Travaux pratiques
+
+- À la fin de chaque matinée, il y a un exercice pratique concret
+
+  (pour mettre en œuvre ce qu'on a vu)
+
+- Les exercices font partie de la formation !
+
+- Ils sont prévus pour prendre entre 15 minutes et 2 heures
+
+  (selon les connaissances et l'aisance de chacun·e)
+
+- Chaque matinée commencera avec un passage en revue de l'exercice de la veille
+
+- On est là pour vous aider si vous bloquez sur un exercice !
+
+---
+
+## Allô Docker¹ ?
+
+- Chaque après-midi : une heure de questions/réponses ouvertes !
+
+  (sauf le vendredi)
+
+- Mardi: 15h-16h
+
+- Mercredi: 16h-17h
+
+- Jeudi: 17h-18h
+
+- Sur [Jitsi][jitsi] (lien "visioconf" sur le portail de formation)
+
+.footnote[¹Clin d'œil à l'excellent ["Quoi de neuf Docker?"][qdnd] de l'excellent [Nicolas Deloof][ndeloof] 🙂]
+
+[qdnd]: https://www.youtube.com/channel/UCOAhkxpryr_BKybt9wIw-NQ
+[ndeloof]: https://github.com/ndeloof
+[jitsi]: https://training.enix.io/jitsi-magic/jitsi.container.training/AlloDockerMai2024

slides/logistics-template.md

@@ -1,16 +1,18 @@
-## Introductions
+## Introductions (en 🇫🇷)
 
-- Hello! I'm Jérôme Petazzoni ([@jpetazzo@hachyderm.io], Enix SAS)
+- Bonjour ! 
 
-- The training will run from 9:30 to 13:00
+- Sur scène : Jérôme ([@jpetazzo@hachyderm.io])
 
-- There will be a break around 11:00 (approximately!)
+- En backstage : Alexandre, Antoine, Aurélien (x2), Benjamin (x2), David, Kostas, Nicolas, Paul, Sébastien, Thibault...
 
-- Feel free to interrupt for questions at any time
+- Horaires : tous les jours de 9h à 13h
 
-- *Especially when you see full screen container pictures!*
+- On fera une pause vers (environ) 11h
 
-- Live feedback, questions, help: @@CHAT@@
+- N'hésitez pas à poser un maximum de questions!
+
+- Utilisez @@CHAT@@ pour les questions, demander de l'aide, etc.
 
 [@alexbuisine]: https://twitter.com/alexbuisine
 [EphemeraSearch]: https://ephemerasearch.com/
@@ -21,16 +23,58 @@
 
 ---
 
-## Exercises
+## Les 15 minutes du matin
 
-- At the end of each day, there is a series of exercises
+- Chaque jour, on commencera à 9h par une mini-présentation de 15 minutes
 
-- To make the most out of the training, please try the exercises!
+  (sur un sujet choisi ensemble, pas forcément en relation avec la formation!)
 
-  (it will help to practice and memorize the content of the day)
+- L'occasion de s'échauffer les neurones avec 🥐/☕️/🍊
 
-- We recommend to take at least one hour to work on the exercises
+  (avant d'attaquer les choses sérieuses)
 
-  (if you understood the content of the day, it will be much faster)
+- Puis à 9h15 on rentre dans le vif du sujet
 
-- Each day will start with a quick review of the exercises of the previous day
+---
+
+## Travaux pratiques
+
+- À la fin de chaque matinée, il y a un exercice pratique concret
+
+  (pour mettre en œuvre ce qu'on a vu)
+
+- Les exercices font partie de la formation !
+
+- Ils sont prévus pour prendre entre 15 minutes et 2 heures
+
+  (selon les connaissances et l'aisance de chacun·e)
+
+- Chaque matinée commencera avec un passage en revue de l'exercice de la veille
+
+- On est là pour vous aider si vous bloquez sur un exercice !
+
+---
+
+## Allô Docker¹ ?
+
+<!--
+
+- Chaque après-midi : une heure de questions/réponses ouvertes !
+
+  (sauf le dernier jour)
+
+-->
+
+- Une heure de questions/réposnes ouvertes !
+
+- Mercredi: 15h00-16h00
+
+- Jeudi: 16h00-17h00
+
+- Sur [Jitsi][jitsi] (lien "visioconf" sur le portail de formation)
+
+.footnote[¹Clin d'œil à l'excellent ["Quoi de neuf Docker?"][qdnd] de l'excellent [Nicolas Deloof][ndeloof] 🙂]
+
+[qdnd]: https://www.youtube.com/channel/UCOAhkxpryr_BKybt9wIw-NQ
+[ndeloof]: https://github.com/ndeloof
+[jitsi]: https://training.enix.io/jitsi-magic/jitsi.container.training/AlloDockerMai2024

slides/shared/prereqs.md

@@ -1,4 +1,4 @@
-# Pre-requirements
+## Pre-requirements
 
 - Be comfortable with the UNIX command line
 

slides/shared/thankyou.md

@@ -1,11 +1,24 @@
-class: title, self-paced
+class: title
 
-Thank you!
+Merci !
+
+![end](images/end.jpg)
 
 ---
 
-class: title, in-person
+## Derniers mots...
 
-That's all, folks! <br/> Questions?
+- Le portail de formation reste en ligne après la formation
+
+- N'hésitez pas à nous contacter via la messagerie instantanée !
+
+- Les VM ENIX restent en ligne au moins une semaine après la formation
+
+  (mais pas les clusters cloud ; eux on les éteint très vite)
+
+- N'oubliez pas de remplier les formulaires d'évaluation
+
+  (c'est pas pour nous, c'est une obligation légale😅)
+
+- Encore **merci** à vous !
 
-![end](images/end.jpg)

slides/swarm-fullday.yml

@@ -0,0 +1,72 @@
+title: |
+  Container Orchestration
+  with Docker and Swarm
+
+chat: "[Slack](https://dockercommunity.slack.com/messages/C7GKACWDV)"
+#chat: "[Gitter](https://gitter.im/jpetazzo/workshop-yyyymmdd-city)"
+
+gitrepo: github.com/jpetazzo/container.training
+
+slides: https://container.training/
+
+#slidenumberprefix: "#SomeHashTag — "
+
+exclude:
+- self-paced
+- snap
+- btp-auto
+- benchmarking
+- elk-manual
+- prom-manual
+
+content:
+- shared/title.md
+- logistics.md
+- swarm/intro.md
+- shared/about-slides.md
+- shared/chat-room-im.md
+#- shared/chat-room-slack.md
+#- shared/chat-room-zoom-meeting.md
+#- shared/chat-room-zoom-webinar.md
+- shared/toc.md
+- - shared/prereqs.md
+  - shared/handson.md
+  - shared/connecting.md
+  - swarm/versions.md
+  - shared/sampleapp.md
+  - shared/composescale.md
+  - shared/hastyconclusions.md
+  - shared/composedown.md
+  - swarm/swarmkit.md
+  - shared/declarative.md
+  - swarm/swarmmode.md
+  - swarm/creatingswarm.md
+  #- swarm/machine.md
+  - swarm/morenodes.md
+- - swarm/firstservice.md
+  - swarm/ourapponswarm.md
+  - swarm/hostingregistry.md
+  - swarm/testingregistry.md
+  - swarm/btp-manual.md
+  - swarm/swarmready.md
+  - swarm/stacks.md
+  - swarm/cicd.md
+  - swarm/updatingservices.md
+  - swarm/rollingupdates.md
+  - swarm/healthchecks.md
+- - swarm/operatingswarm.md
+  - swarm/netshoot.md
+  - swarm/ipsec.md
+  - swarm/swarmtools.md
+  - swarm/security.md
+  - swarm/secrets.md
+  - swarm/encryptionatrest.md
+  - swarm/leastprivilege.md
+  - swarm/apiscope.md
+- - swarm/logging.md
+  - swarm/metrics.md
+  - swarm/gui.md
+  - swarm/stateful.md
+  - swarm/extratips.md
+  - shared/thankyou.md
+  - swarm/links.md

slides/swarm-halfday.yml

@@ -0,0 +1,71 @@
+title: |
+  Container Orchestration
+  with Docker and Swarm
+
+chat: "[Slack](https://dockercommunity.slack.com/messages/C7GKACWDV)"
+#chat: "[Gitter](https://gitter.im/jpetazzo/workshop-yyyymmdd-city)"
+
+gitrepo: github.com/jpetazzo/container.training
+
+slides: https://container.training/
+
+#slidenumberprefix: "#SomeHashTag — "
+
+exclude:
+- self-paced
+- snap
+- btp-manual
+- benchmarking
+- elk-manual
+- prom-manual
+
+content:
+- shared/title.md
+- logistics.md
+- swarm/intro.md
+- shared/about-slides.md
+- shared/chat-room-im.md
+#- shared/chat-room-slack.md
+#- shared/chat-room-zoom-meeting.md
+#- shared/chat-room-zoom-webinar.md
+- shared/toc.md
+- - shared/prereqs.md
+  - shared/handson.md
+  - shared/connecting.md
+  - swarm/versions.md
+  - shared/sampleapp.md
+  - shared/composescale.md
+  - shared/hastyconclusions.md
+  - shared/composedown.md
+  - swarm/swarmkit.md
+  - shared/declarative.md
+  - swarm/swarmmode.md
+  - swarm/creatingswarm.md
+  #- swarm/machine.md
+  - swarm/morenodes.md
+- - swarm/firstservice.md
+  - swarm/ourapponswarm.md
+  #- swarm/hostingregistry.md
+  #- swarm/testingregistry.md
+  #- swarm/btp-manual.md
+  #- swarm/swarmready.md
+  - swarm/stacks.md
+  - swarm/cicd.md
+  - swarm/updatingservices.md
+  #- swarm/rollingupdates.md
+  #- swarm/healthchecks.md
+- - swarm/operatingswarm.md
+  #- swarm/netshoot.md
+  #- swarm/ipsec.md
+  #- swarm/swarmtools.md
+  - swarm/security.md
+  #- swarm/secrets.md
+  #- swarm/encryptionatrest.md
+  - swarm/leastprivilege.md
+  - swarm/apiscope.md
+  - swarm/logging.md
+  - swarm/metrics.md
+  #- swarm/stateful.md
+  #- swarm/extratips.md
+  - shared/thankyou.md
+  - swarm/links.md

slides/swarm-selfpaced.yml

@@ -0,0 +1,80 @@
+title: |
+  Container Orchestration
+  with Docker and Swarm
+
+chat: "[Slack](https://dockercommunity.slack.com/messages/C7GKACWDV)"
+
+gitrepo: github.com/jpetazzo/container.training
+
+slides: https://container.training/
+
+#slidenumberprefix: "#SomeHashTag — "
+
+exclude:
+- in-person
+- btp-auto
+
+content:
+- shared/title.md
+#- shared/logistics.md
+- swarm/intro.md
+- shared/about-slides.md
+#- shared/chat-room-im.md
+#- shared/chat-room-slack.md
+#- shared/chat-room-zoom-meeting.md
+#- shared/chat-room-zoom-webinar.md
+- shared/toc.md
+- - shared/prereqs.md
+  - shared/handson.md
+  - shared/connecting.md
+  - swarm/versions.md
+  - |
+    name: part-1
+
+    class: title, self-paced
+
+    Part 1
+  - shared/sampleapp.md
+  - shared/composescale.md
+  - shared/hastyconclusions.md
+  - shared/composedown.md
+  - swarm/swarmkit.md
+  - shared/declarative.md
+  - swarm/swarmmode.md
+  - swarm/creatingswarm.md
+  #- swarm/machine.md
+  - swarm/morenodes.md
+- - swarm/firstservice.md
+  - swarm/ourapponswarm.md
+  - swarm/hostingregistry.md
+  - swarm/testingregistry.md
+  - swarm/btp-manual.md
+  - swarm/swarmready.md
+  - swarm/stacks.md
+  - swarm/cicd.md
+  - |
+    name: part-2
+
+    class: title, self-paced
+
+    Part 2
+- - swarm/operatingswarm.md
+  - swarm/netshoot.md
+  - swarm/swarmnbt.md
+  - swarm/ipsec.md
+  - swarm/updatingservices.md
+  - swarm/rollingupdates.md
+  - swarm/healthchecks.md
+  - swarm/nodeinfo.md
+  - swarm/swarmtools.md
+- - swarm/security.md
+  - swarm/secrets.md
+  - swarm/encryptionatrest.md
+  - swarm/leastprivilege.md
+  - swarm/apiscope.md
+  - swarm/logging.md
+  - swarm/metrics.md
+  - swarm/stateful.md
+  - swarm/extratips.md
+  - shared/thankyou.md
+  - swarm/links.md

slides/swarm-video.yml

@@ -0,0 +1,75 @@
+title: |
+  Container Orchestration
+  with Docker and Swarm
+
+chat: "[Slack](https://dockercommunity.slack.com/messages/C7GKACWDV)"
+
+gitrepo: github.com/jpetazzo/container.training
+
+slides: https://container.training/
+
+#slidenumberprefix: "#SomeHashTag — "
+
+exclude:
+- in-person
+- btp-auto
+
+content:
+- shared/title.md
+#- shared/logistics.md
+- swarm/intro.md
+- shared/about-slides.md
+- shared/toc.md
+- - shared/prereqs.md
+  - shared/handson.md
+  - shared/connecting.md
+  - swarm/versions.md
+  - |
+    name: part-1
+
+    class: title, self-paced
+
+    Part 1
+  - shared/sampleapp.md
+  - shared/composescale.md
+  - shared/hastyconclusions.md
+  - shared/composedown.md
+  - swarm/swarmkit.md
+  - shared/declarative.md
+  - swarm/swarmmode.md
+  - swarm/creatingswarm.md
+  #- swarm/machine.md
+  - swarm/morenodes.md
+- - swarm/firstservice.md
+  - swarm/ourapponswarm.md
+  - swarm/hostingregistry.md
+  - swarm/testingregistry.md
+  - swarm/btp-manual.md
+  - swarm/swarmready.md
+  - swarm/stacks.md
+  - |
+    name: part-2
+
+    class: title, self-paced
+
+    Part 2
+- - swarm/operatingswarm.md
+  #- swarm/netshoot.md
+  #- swarm/swarmnbt.md
+  - swarm/ipsec.md
+  - swarm/updatingservices.md
+  - swarm/rollingupdates.md
+  #- swarm/healthchecks.md
+  - swarm/nodeinfo.md
+  - swarm/swarmtools.md
+- - swarm/security.md
+  - swarm/secrets.md
+  - swarm/encryptionatrest.md
+  - swarm/leastprivilege.md
+  - swarm/apiscope.md
+  #- swarm/logging.md
+  #- swarm/metrics.md
+  - swarm/stateful.md
+  - swarm/extratips.md
+  - shared/thankyou.md
+  - swarm/links.md