🍂 Highfive Sep-Oct-Nov 2025

Hyperkube isn't available anymore, so the previous version of
the script would constantly redownload the tarball over and over

.devcontainer/devcontainer.json

@@ -0,0 +1,26 @@
+{
+        "name": "container.training environment to get started with Docker and/or Kubernetes",
+        "image": "ghcr.io/jpetazzo/shpod",
+        "features": {
+                //"ghcr.io/devcontainers/features/common-utils:2": {}
+        },
+
+        // Use 'forwardPorts' to make a list of ports inside the container available locally.
+        "forwardPorts": [],
+
+        //"postCreateCommand": "... install extra packages...",
+        "postStartCommand": "dind.sh ; kind.sh",
+
+        // This lets us use "docker-outside-docker".
+        // Unfortunately, minikube, kind, etc. don't work very well that way;
+        // so for now, we'll likely use "docker-in-docker" instead (with a 
+        // privilege dcontainer). But we're still exposing that socket in case
+        // someone wants to do something interesting with it.
+        "mounts": ["source=/var/run/docker.sock,target=/var/run/docker-host.sock,type=bind"],
+
+        // This is for docker-in-docker.
+        "privileged": true,
+
+        // Uncomment to connect as root instead. More info: https://aka.ms/dev-containers-non-root.
+        "remoteUser": "k8s"
+}

.gitignore

@@ -9,6 +9,7 @@ prepare-labs/terraform/many-kubernetes/one-kubernetes-config/config.tf
 prepare-labs/terraform/many-kubernetes/one-kubernetes-module/*.tf
 prepare-labs/terraform/tags
 prepare-labs/terraform/virtual-machines/openstack/*.tfvars
+prepare-labs/terraform/virtual-machines/proxmox/*.tfvars
 prepare-labs/www
 
 slides/*.yml.html
@@ -16,6 +17,7 @@ slides/autopilot/state.yaml
 slides/index.html
 slides/past.html
 slides/slides.zip
+slides/_academy_*
 node_modules
 
 ### macOS ###

dockercoins/hasher/Dockerfile

@@ -1,7 +1,7 @@
 FROM ruby:alpine
 RUN apk add --update build-base curl
 RUN gem install sinatra --version '~> 3'
-RUN gem install thin
+RUN gem install thin --version '~> 1'
 ADD hasher.rb /
 CMD ["ruby", "hasher.rb"]
 EXPOSE 80

dockercoins/webui/Dockerfile

@@ -1,5 +1,5 @@
 FROM node:4-slim
-RUN npm install express
+RUN npm install express@4
 RUN npm install redis@3
 COPY files/ /files/
 COPY webui.js /

k8s/M6-ingress-nginx-cm-patch.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+data:
+  use-forwarded-headers: true
+  compute-full-forwarded-for: true
+  use-proxy-protocol: true

k8s/M6-ingress-nginx-components.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app.kubernetes.io/instance: flux-system
+    app.kubernetes.io/part-of: flux
+    app.kubernetes.io/version: v2.5.1
+    pod-security.kubernetes.io/warn: restricted
+    pod-security.kubernetes.io/warn-version: latest
+  name: ingress-nginx

k8s/M6-ingress-nginx-kustomization.yaml

@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- M6-ingress-nginx-components.yaml
+- sync.yaml
+patches:
+  - path: M6-ingress-nginx-cm-patch.yaml 
+    target:
+      kind: ConfigMap
+  - path: M6-ingress-nginx-svc-patch.yaml 
+    target:
+      kind: Service

k8s/M6-ingress-nginx-svc-patch.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+  annotations:
+    service.beta.kubernetes.io/scw-loadbalancer-proxy-protocol-v2: true
+    service.beta.kubernetes.io/scw-loadbalancer-use-hostname: true

k8s/M6-kyverno-components.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app.kubernetes.io/instance: flux-system
+    app.kubernetes.io/part-of: flux
+    app.kubernetes.io/version: v2.5.1
+    pod-security.kubernetes.io/warn: restricted
+    pod-security.kubernetes.io/warn-version: latest
+  name: kyverno

k8s/M6-kyverno-enforce-service-account.yaml

@@ -0,0 +1,72 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: flux-multi-tenancy
+spec:
+  validationFailureAction: enforce
+  rules:
+    - name: serviceAccountName
+      exclude:
+        resources:
+          namespaces:
+            - flux-system
+      match:
+        resources:
+          kinds:
+            - Kustomization
+            - HelmRelease
+      validate:
+        message: ".spec.serviceAccountName is required"
+        pattern:
+          spec:
+            serviceAccountName: "?*"
+    - name: kustomizationSourceRefNamespace
+      exclude:
+        resources:
+          namespaces:
+            - flux-system
+            - ingress-nginx
+            - kyverno
+            - monitoring
+            - openebs
+      match:
+        resources:
+          kinds:
+            - Kustomization
+      preconditions:
+        any:
+          - key: "{{request.object.spec.sourceRef.namespace}}"
+            operator: NotEquals
+            value: ""
+      validate:
+        message: "spec.sourceRef.namespace must be the same as metadata.namespace"
+        deny:
+          conditions:
+            - key: "{{request.object.spec.sourceRef.namespace}}"
+              operator: NotEquals
+              value:  "{{request.object.metadata.namespace}}"
+    - name: helmReleaseSourceRefNamespace
+      exclude:
+        resources:
+          namespaces:
+            - flux-system
+            - ingress-nginx
+            - kyverno
+            - monitoring
+            - openebs
+      match:
+        resources:
+          kinds:
+            - HelmRelease
+      preconditions:
+        any:
+          - key: "{{request.object.spec.chart.spec.sourceRef.namespace}}"
+            operator: NotEquals
+            value: ""
+      validate:
+        message: "spec.chart.spec.sourceRef.namespace must be the same as metadata.namespace"
+        deny:
+          conditions:
+            - key: "{{request.object.spec.chart.spec.sourceRef.namespace}}"
+              operator: NotEquals
+              value:  "{{request.object.metadata.namespace}}"

k8s/M6-monitoring-components.yaml

@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app.kubernetes.io/instance: flux-system
+    app.kubernetes.io/part-of: flux
+    app.kubernetes.io/version: v2.5.1
+    pod-security.kubernetes.io/warn: restricted
+    pod-security.kubernetes.io/warn-version: latest
+  name: monitoring
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: grafana
+  namespace: monitoring
+spec:
+  ingressClassName: nginx
+  rules:
+    - host: grafana.test.metal.mybestdomain.com
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: kube-prometheus-stack-grafana
+                port:
+                  number: 80

k8s/M6-network-policies.yaml

@@ -0,0 +1,35 @@
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: deny-from-other-namespaces
+spec:
+  podSelector: {}
+  ingress:
+  - from:
+    - podSelector: {}
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: allow-webui
+spec:
+  podSelector:
+    matchLabels:
+      app: web
+  ingress:
+  - from: []
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: allow-db
+spec:
+  podSelector:
+    matchLabels:
+      app: db
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          app: web

k8s/M6-openebs-components.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app.kubernetes.io/instance: flux-system
+    app.kubernetes.io/part-of: flux
+    app.kubernetes.io/version: v2.5.1
+    pod-security.kubernetes.io/warn: restricted
+    pod-security.kubernetes.io/warn-version: latest
+  name: openebs

k8s/M6-openebs-kustomization.yaml

@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: openebs
+resources:
+  - M6-openebs-components.yaml
+  - sync.yaml
+configMapGenerator:
+  - name: openebs-values
+    files:
+      - values.yaml=M6-openebs-values.yaml
+configurations:
+  - M6-openebs-kustomizeconfig.yaml

k8s/M6-openebs-kustomizeconfig.yaml

@@ -0,0 +1,6 @@
+nameReference:
+- kind: ConfigMap
+  version: v1
+  fieldSpecs:
+  - path: spec/valuesFrom/name
+    kind: HelmRelease

k8s/M6-openebs-values.yaml

@@ -0,0 +1,15 @@
+# helm install openebs --namespace openebs openebs/openebs
+#                      --set engines.replicated.mayastor.enabled=false
+#                      --set lvm-localpv.lvmNode.kubeletDir=/var/lib/k0s/kubelet/
+#                      --create-namespace
+engines:
+  replicated:
+    mayastor:
+      enabled: false
+# Needed for k0s install since kubelet install is slightly divergent from vanilla install >:-(
+lvm-localpv:
+  lvmNode:
+    kubeletDir: /var/lib/k0s/kubelet/
+localprovisioner:
+  hostpathClass:
+    isDefaultClass: true

k8s/M6-rocky-cluster-role.yaml

@@ -0,0 +1,38 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  namespace: rocky-test
+  name: rocky-full-access
+rules:
+- apiGroups: ["", extensions, apps]
+  resources: [deployments, replicasets, pods, services, ingresses, statefulsets]
+  verbs: [get, list, watch, create, update, patch, delete] # You can also use [*]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: rocky-pv-access
+rules:
+- apiGroups: [""]
+  resources: [persistentvolumes]
+  verbs: [get, list, watch, create, patch]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    toolkit.fluxcd.io/tenant: rocky
+  name: rocky-reconciler2
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: rocky-pv-access
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: gotk:rocky-test:reconciler
+- kind: ServiceAccount
+  name: rocky
+  namespace: rocky-test
+  

k8s/M6-rocky-ingress.yaml

@@ -0,0 +1,19 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: rocky
+  namespace: rocky-test
+spec:
+  ingressClassName: nginx
+  rules:
+    - host: rocky.test.mybestdomain.com
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: web
+                port:
+                  number: 80
+

k8s/M6-rocky-test-kustomization.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../../base/rocky
+patches:
+  - path: M6-rocky-test-patch.yaml
+    target:
+      kind: Kustomization

k8s/M6-rocky-test-patch.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta1
+kind: Kustomization
+metadata:
+  name: rocky
+  namespace: rocky-test
+spec:
+  path: ./k8s/plain

k8s/blue.yaml

@@ -0,0 +1,33 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: blue
+  name: blue
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: blue
+  template:
+    metadata:
+      labels:
+        app: blue
+    spec:
+      containers:
+      - image: jpetazzo/color
+        name: color
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: blue
+  name: blue
+spec:
+  ports:
+  - name: "80"
+    port: 80
+  selector:
+    app: blue

k8s/kustomize-examples/ollama-with-sidecar/add-haproxy-sidecar/cleanup/kustomization.yaml

@@ -0,0 +1,12 @@
+# This removes the haproxy Deployment.
+
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+patches:
+- patch: |-
+    $patch: delete
+    kind: Deployment
+    apiVersion: apps/v1
+    metadata:
+      name: haproxy

k8s/kustomize-examples/ollama-with-sidecar/add-haproxy-sidecar/kustomization.yaml

@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+# Within a Kustomization, it is not possible to specify in which
+# order transformations (patches, replacements, etc) should be
+# executed. If we want to execute transformations in a specific
+# order, one possibility is to put them in individual components,
+# and then invoke these components in the order we want.
+# It works, but it creates an extra level of indirection, which
+# reduces readability and complicates maintenance.
+
+components:
+- setup
+- cleanup

k8s/kustomize-examples/ollama-with-sidecar/add-haproxy-sidecar/setup/haproxy.cfg

@@ -0,0 +1,20 @@
+global
+  #log stdout format raw local0
+  #daemon
+  maxconn 32
+defaults
+  #log global
+  timeout client 1h
+  timeout connect 1h
+  timeout server 1h
+  mode http
+  option abortonclose
+frontend metrics
+  bind :9000
+  http-request use-service prometheus-exporter
+frontend ollama_frontend
+  bind :8000
+  default_backend ollama_backend
+  maxconn 16
+backend ollama_backend
+  server ollama_server localhost:11434 check

k8s/kustomize-examples/ollama-with-sidecar/add-haproxy-sidecar/setup/haproxy.yaml

@@ -0,0 +1,39 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: haproxy
+  name: haproxy
+spec:
+  selector:
+    matchLabels:
+      app: haproxy
+  template:
+    metadata:
+      labels:
+        app: haproxy
+    spec:
+      volumes:
+      - name: haproxy
+        configMap:
+          name: haproxy
+      containers:
+      - image: haproxy:3.0
+        name: haproxy
+        volumeMounts:
+        - name: haproxy
+          mountPath: /usr/local/etc/haproxy
+        readinessProbe:
+          httpGet:
+            port: 9000
+        ports:
+        - name: haproxy
+          containerPort: 8000
+        - name: metrics
+          containerPort: 9000
+        resources:
+          requests:
+            cpu: 0.05
+          limits:
+            cpu: 1

k8s/kustomize-examples/ollama-with-sidecar/add-haproxy-sidecar/setup/kustomization.yaml

@@ -0,0 +1,75 @@
+# This adds a sidecar to the ollama Deployment, by taking
+# the pod template and volumes from the haproxy Deployment.
+# The idea is to allow to run ollama+haproxy in two modes:
+# - separately (each with their own Deployment),
+# - together in the same Pod, sidecar-style.
+# The YAML files define how to run them separetely, and this
+# "replacements" directive fetches a specific volume and
+# a specific container from the haproxy Deployment, to add
+# them to the ollama Deployment.
+#
+# This would be simpler if kustomize allowed to append or
+# merge lists in "replacements"; but it doesn't seem to be
+# possible at the moment.
+#
+# It would be even better if kustomize allowed to perform
+# a strategic merge using a fieldPath as the source, because
+# we could merge both the containers and the volumes in a
+# single operation.
+#
+# Note that technically, it might be possible to layer
+# multiple kustomizations so that one generates the patch
+# to be used in another; but it wouldn't be very readable
+# or maintainable so we decided to not do that right now.
+#
+# However, the current approach (fetching fields one by one)
+# has an advantage: it could let us transform the haproxy
+# container into a real sidecar (i.e. an initContainer with
+# a restartPolicy=Always).
+
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+resources:
+- haproxy.yaml
+
+configMapGenerator:
+- name: haproxy
+  files:
+  - haproxy.cfg
+
+replacements:
+- source:
+    kind: Deployment
+    name: haproxy
+    fieldPath: spec.template.spec.volumes.[name=haproxy]
+  targets:
+  - select:
+      kind: Deployment
+      name: ollama
+    fieldPaths:
+    - spec.template.spec.volumes.[name=haproxy]
+    options:
+      create: true
+- source:
+    kind: Deployment
+    name: haproxy
+    fieldPath: spec.template.spec.containers.[name=haproxy]
+  targets:
+  - select:
+      kind: Deployment
+      name: ollama
+    fieldPaths:
+    - spec.template.spec.containers.[name=haproxy]
+    options:
+      create: true
+- source:
+    kind: Deployment
+    name: haproxy
+    fieldPath: spec.template.spec.containers.[name=haproxy].ports.[name=haproxy].containerPort
+  targets:
+  - select:
+      kind: Service
+      name: ollama
+    fieldPaths:
+    - spec.ports.[name=11434].targetPort

k8s/kustomize-examples/ollama-with-sidecar/blue.yaml

@@ -0,0 +1,34 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: blue
+  name: blue
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: blue
+  template:
+    metadata:
+      labels:
+        app: blue
+    spec:
+      containers:
+      - image: jpetazzo/color
+        name: color
+        ports:
+        - containerPort: 80
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: blue
+  name: blue
+spec:
+  ports:
+  - port: 80
+  selector:
+    app: blue

k8s/kustomize-examples/ollama-with-sidecar/kustomization.yaml

@@ -0,0 +1,94 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+# Each of these YAML files contains a Deployment and a Service.
+# The blue.yaml file is here just to demonstrate that the rest
+# of this Kustomization can be precisely scoped to the ollama
+# Deployment (and Service): the blue Deployment and Service
+# shouldn't be affected by our kustomize transformers.
+resources:
+- ollama.yaml
+- blue.yaml
+
+buildMetadata:
+
+# Add a label app.kubernetes.io/managed-by=kustomize-vX.Y.Z
+- managedByLabel
+
+# Add an annotation config.kubernetes.io/origin, indicating:
+# - which file defined that resource;
+# - if it comes from a git repository, which one, and which
+#   ref (tag, branch...) it was.
+- originAnnotations
+
+# Add an annotation alpha.config.kubernetes.io/transformations
+# indicating which patches and other transformers have changed
+# each resource.
+- transformerAnnotations
+
+# Let's generate a ConfigMap with literal values.
+# Note that this will actually add a suffix to the name of the
+# ConfigMaps (e.g.: ollama-8bk8bd8m76) and it will update all
+# references to the ConfigMap (e.g. in Deployment manifests)
+# accordingly. The suffix is a hash of the ConfigMap contents,
+# so that basically, if the ConfigMap is edited, any workload
+# using that ConfigMap will automatically do a rolling update.
+configMapGenerator:
+- name: ollama
+  literals:
+  - "model=gemma3:270m"
+  - "prompt=If you visit Paris, I suggest that you"
+  - "queue=4"
+  name: ollama
+
+patches:
+# The Deployment manifest in ollama.yaml doesn't specify
+# resource requests and limits, so that it can run on any
+# cluster (including resource-constrained local clusters
+# like KiND or minikube). The example belows add CPU
+# requests and limits using a strategic merge patch.
+# The patch is inlined here, but it could also be put
+# in a file and referenced with "path: xxxxxx.yaml".
+- patch: |
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      name: ollama
+    spec:
+      template:
+        spec:
+          containers:
+          - name: ollama
+            resources:
+              requests:
+                cpu: 1
+              limits:
+                cpu: 2
+# This will have the same effect, with one little detail:
+# JSON patches cannot specify containers by name, so this
+# assumes that the ollama container is the first one in
+# the pod template (whereas the strategic merge patch can
+# use "merge keys" and identify containers by their name).
+#- target:
+#    kind: Deployment
+#    name: ollama
+#  patch: |
+#    - op: add
+#      path: /spec/template/spec/containers/0/resources
+#      value:
+#        requests:
+#          cpu: 1
+#        limits:
+#          cpu: 2
+
+# A "component" is a bit like a "base", in the sense that
+# it lets us define some reusable resources and behaviors.
+# There is a key different, though:
+# - a "base" will be evaluated in isolation: it will
+#   generate+transform some resources, then these resources
+#   will be included in the main Kustomization;
+# - a "component" has access to all the resources that
+#   have been generated by the main Kustomization, which
+#   means that it can transform them (with patches etc).
+components:
+- add-haproxy-sidecar

k8s/kustomize-examples/ollama-with-sidecar/ollama.yaml

@@ -0,0 +1,73 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: ollama
+  name: ollama
+spec:
+  selector:
+    matchLabels:
+      app: ollama
+  template:
+    metadata:
+      labels:
+        app: ollama
+    spec:
+      volumes:
+      - name: ollama
+        hostPath:
+          path: /opt/ollama
+          type: DirectoryOrCreate
+      containers:
+      - image: ollama/ollama
+        name: ollama
+        env:
+        - name: OLLAMA_MAX_QUEUE
+          valueFrom:
+            configMapKeyRef:
+              name: ollama
+              key: queue
+        - name: MODEL
+          valueFrom:
+            configMapKeyRef:
+              name: ollama
+              key: model
+        volumeMounts:
+        - name: ollama
+          mountPath: /root/.ollama
+        lifecycle:
+          postStart:
+            exec:
+              command:
+                - /bin/sh
+                - -c
+                - ollama pull $MODEL
+        livenessProbe:
+          httpGet:
+            port: 11434
+        readinessProbe:
+          exec:
+            command:
+              - /bin/sh
+              - -c
+              - ollama show $MODEL
+        ports:
+        - name: ollama
+          containerPort: 11434
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: ollama
+  name: ollama
+spec:
+  ports:
+  - name: "11434"
+    port: 11434
+    protocol: TCP
+    targetPort: 11434
+  selector:
+    app: ollama
+  type: ClusterIP

k8s/kustomize-examples/registry-with-prefix-transformer/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- microservices
+- redis

k8s/kustomize-examples/registry-with-prefix-transformer/microservices/kustomization.yaml

@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- microservices.yaml
+transformers:
+- |
+  apiVersion: builtin
+  kind: PrefixSuffixTransformer
+  metadata:
+    name: use-ghcr-io
+  prefix: ghcr.io/
+  fieldSpecs:
+  - path: spec/template/spec/containers/image

k8s/kustomize-examples/registry-with-prefix-transformer/microservices/microservices.yaml

@@ -0,0 +1,125 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: hasher
+  name: hasher
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: hasher
+  template:
+    metadata:
+      labels:
+        app: hasher
+    spec:
+      containers:
+      - image: dockercoins/hasher:v0.1
+        name: hasher
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: hasher
+  name: hasher
+spec:
+  ports:
+  - port: 80
+    protocol: TCP
+    targetPort: 80
+  selector:
+    app: hasher
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: rng
+  name: rng
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: rng
+  template:
+    metadata:
+      labels:
+        app: rng
+    spec:
+      containers:
+      - image: dockercoins/rng:v0.1
+        name: rng
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: rng
+  name: rng
+spec:
+  ports:
+  - port: 80
+    protocol: TCP
+    targetPort: 80
+  selector:
+    app: rng
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: webui
+  name: webui
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: webui
+  template:
+    metadata:
+      labels:
+        app: webui
+    spec:
+      containers:
+      - image: dockercoins/webui:v0.1
+        name: webui
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: webui
+  name: webui
+spec:
+  ports:
+  - port: 80
+    protocol: TCP
+    targetPort: 80
+  selector:
+    app: webui
+  type: NodePort
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: worker
+  name: worker
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: worker
+  template:
+    metadata:
+      labels:
+        app: worker
+    spec:
+      containers:
+      - image: dockercoins/worker:v0.1
+        name: worker

k8s/kustomize-examples/registry-with-prefix-transformer/redis/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- redis.yaml

k8s/kustomize-examples/registry-with-prefix-transformer/redis/redis.yaml

@@ -0,0 +1,35 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: redis
+  name: redis
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: redis
+  template:
+    metadata:
+      labels:
+        app: redis
+    spec:
+      containers:
+      - image: redis
+        name: redis
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: redis
+  name: redis
+spec:
+  ports:
+  - port: 6379
+    protocol: TCP
+    targetPort: 6379
+  selector:
+    app: redis
+  type: ClusterIP

k8s/kustomize-examples/registry-with-replacements/dockercoins.yaml

@@ -0,0 +1,160 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: hasher
+  name: hasher
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: hasher
+  template:
+    metadata:
+      labels:
+        app: hasher
+    spec:
+      containers:
+      - image: dockercoins/hasher:v0.1
+        name: hasher
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: hasher
+  name: hasher
+spec:
+  ports:
+  - port: 80
+    protocol: TCP
+    targetPort: 80
+  selector:
+    app: hasher
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: redis
+  name: redis
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: redis
+  template:
+    metadata:
+      labels:
+        app: redis
+    spec:
+      containers:
+      - image: redis
+        name: redis
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: redis
+  name: redis
+spec:
+  ports:
+  - port: 6379
+    protocol: TCP
+    targetPort: 6379
+  selector:
+    app: redis
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: rng
+  name: rng
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: rng
+  template:
+    metadata:
+      labels:
+        app: rng
+    spec:
+      containers:
+      - image: dockercoins/rng:v0.1
+        name: rng
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: rng
+  name: rng
+spec:
+  ports:
+  - port: 80
+    protocol: TCP
+    targetPort: 80
+  selector:
+    app: rng
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: webui
+  name: webui
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: webui
+  template:
+    metadata:
+      labels:
+        app: webui
+    spec:
+      containers:
+      - image: dockercoins/webui:v0.1
+        name: webui
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: webui
+  name: webui
+spec:
+  ports:
+  - port: 80
+    protocol: TCP
+    targetPort: 80
+  selector:
+    app: webui
+  type: NodePort
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: worker
+  name: worker
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: worker
+  template:
+    metadata:
+      labels:
+        app: worker
+    spec:
+      containers:
+      - image: dockercoins/worker:v0.1
+        name: worker

k8s/kustomize-examples/registry-with-replacements/kustomization.yaml

@@ -0,0 +1,30 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- dockercoins.yaml
+replacements:
+- sourceValue: ghcr.io/dockercoins
+  targets:
+  - select:
+      kind: Deployment
+      labelSelector: "app in (hasher,rng,webui,worker)"
+      # It will soon be possible to use regexes in replacement selectors,
+      # meaning that the "labelSelector:" above can be replaced with the
+      # following "name:" selector which is a tiny bit simpler:
+      #name: hasher|rng|webui|worker
+      # Regex support in replacement selectors was added by this PR:
+      # https://github.com/kubernetes-sigs/kustomize/pull/5863
+      # This PR was merged in August 2025, but as of October 2025, the
+      # latest release of Kustomize is 5.7.1, which was released in July.
+      # Hopefully the feature will be available in the next release :)
+    # Another possibility would be to select all Deployments, and then
+    # reject the one(s) for which we don't want to update the registry;
+    # for instance:
+    #reject:
+    #  kind: Deployment
+    #  name: redis
+    fieldPaths:
+    - spec.template.spec.containers.*.image
+    options:
+      delimiter: "/"
+      index: 0

k8s/kyverno-pod-color-1.yaml

@@ -3,7 +3,6 @@ kind: ClusterPolicy
 metadata:
   name: pod-color-policy-1
 spec:
-  validationFailureAction: enforce
   rules:
   - name: ensure-pod-color-is-valid
     match:
@@ -18,5 +17,6 @@ spec:
             operator: NotIn
             values: [ red, green, blue ]
     validate:
+      failureAction: Enforce
       message: "If it exists, the label color must be red, green, or blue."
       deny: {}

k8s/kyverno-pod-color-2.yaml

@@ -3,7 +3,6 @@ kind: ClusterPolicy
 metadata:
   name: pod-color-policy-2
 spec:
-  validationFailureAction: enforce
   background: false
   rules:
   - name: prevent-color-change
@@ -22,6 +21,7 @@ spec:
       operator: NotEquals
       value: ""
     validate:
+      failureAction: Enforce
       message: "Once label color has been added, it cannot be changed."
       deny:
         conditions:

k8s/kyverno-pod-color-3.yaml

@@ -3,7 +3,6 @@ kind: ClusterPolicy
 metadata:
   name: pod-color-policy-3
 spec:
-  validationFailureAction: enforce
   background: false
   rules:
   - name: prevent-color-change
@@ -22,7 +21,6 @@ spec:
       operator: Equals
       value: ""
     validate:
+      failureAction: Enforce
       message: "Once label color has been added, it cannot be removed."
-      deny:
-        conditions:
-
+      deny: {}

prepare-labs/README.md

@@ -66,7 +66,7 @@ Here is where we look for credentials for each provider:
 - Civo: CLI configuration file (`~/.civo.json`)
 - Digital Ocean: CLI configuration file (`~/.config/doctl/config.yaml`)
 - Exoscale: CLI configuration file (`~/.config/exoscale/exoscale.toml`)
-- Google Cloud: FIXME, note that the project name is currently hard-coded to `prepare-tf`
+- Google Cloud: we're using "Application Default Credentials (ADC)"; run `gcloud auth application-default login`; note that we'll use the default "project" set in `gcloud` unless you set the `GOOGLE_PROJECT` environment variable
 - Hetzner: CLI configuration file (`~/.config/hcloud/cli.toml`)
 - Linode: CLI configuration file (`~/.config/linode-cli`)
 - OpenStack: you will need to write a tfvars file (check [that exemple](terraform/virtual-machines/openstack/tfvars.example))

prepare-labs/konk.sh

@@ -5,34 +5,53 @@
 # 10% CPU
 # (See https://docs.google.com/document/d/1n0lwp6rQKQUIuo_A5LQ1dgCzrmjkDjmDtNj1Jn92UrI)
 # PRO2-XS = 4 core, 16 gb
+#
+# With vspod:
+# 800 MB RAM
+# 33% CPU
+#
 
-PROVIDER=scaleway
+set -e
+
+KONKTAG=konk
+PROVIDER=linode
+STUDENTS=5
 
 case "$PROVIDER" in
 linode)
   export TF_VAR_node_size=g6-standard-6
-  export TF_VAR_location=eu-west
+  export TF_VAR_location=fr-par
   ;;
 scaleway)
   export TF_VAR_node_size=PRO2-XS
+  # For tiny testing purposes, these are okay too:
+  #export TF_VAR_node_size=PLAY2-NANO
   export TF_VAR_location=fr-par-2
   ;;
 esac
 
-./labctl create --mode mk8s --settings settings/konk.env --provider $PROVIDER --tag konk
-
 # set kubeconfig file
 export KUBECONFIG=~/kubeconfig
-cp tags/konk/stage2/kubeconfig.101 $KUBECONFIG
+
+if [ "$PROVIDER" = "kind" ]; then
+  kind create cluster --name $KONKTAG
+  ADDRTYPE=InternalIP
+else
+  if ! [ -f tags/$KONKTAG/stage2/kubeconfig.101 ]; then
+    ./labctl create --mode mk8s --settings settings/konk.env --provider $PROVIDER --tag $KONKTAG
+  fi
+  cp tags/$KONKTAG/stage2/kubeconfig.101 $KUBECONFIG
+  ADDRTYPE=ExternalIP
+fi
 
 # set external_ip labels
-kubectl get nodes -o=jsonpath='{range .items[*]}{.metadata.name} {.status.addresses[?(@.type=="ExternalIP")].address}{"\n"}{end}' |
-while read node address; do
+kubectl get nodes -o=jsonpath='{range .items[*]}{.metadata.name} {.status.addresses[?(@.type=="'$ADDRTYPE'")].address}{"\n"}{end}' |
+while read node address ignoredaddresses; do
   kubectl label node $node external_ip=$address
 done
 
 # vcluster all the things
-./labctl create --settings settings/mk8s.env --provider vcluster --mode mk8s --students 50
+./labctl create --settings settings/mk8s.env --provider vcluster --mode mk8s --students $STUDENTS
 
 # install prometheus stack because that's cool
 helm upgrade --install --repo https://prometheus-community.github.io/helm-charts \

prepare-labs/lib/commands.sh

@@ -49,6 +49,41 @@ _cmd_clean() {
 	done	
 }
 
+_cmd codeserver "Install code-server on the clusters"
+_cmd_codeserver() {
+    TAG=$1
+    need_tag
+
+    ARCH=${ARCHITECTURE-amd64}
+    CODESERVER_VERSION=4.96.4
+    CODESERVER_URL=https://github.com/coder/code-server/releases/download/v${CODESERVER_VERSION}/code-server-${CODESERVER_VERSION}-linux-${ARCH}.tar.gz
+    pssh "
+    set -e
+    i_am_first_node || exit 0
+    if ! [ -x /usr/local/bin/code-server ]; then
+        curl -fsSL $CODESERVER_URL | sudo tar zx -C /opt
+        sudo ln -s /opt/code-server-${CODESERVER_VERSION}-linux-${ARCH}/bin/code-server /usr/local/bin/code-server
+        sudo -u $USER_LOGIN -H code-server --install-extension ms-azuretools.vscode-docker
+        sudo -u $USER_LOGIN -H code-server --install-extension ms-kubernetes-tools.vscode-kubernetes-tools
+        sudo -u $USER_LOGIN -H mkdir -p /home/$USER_LOGIN/.local/share/code-server/User
+        echo '{\"workbench.startupEditor\": \"terminal\"}' | sudo -u $USER_LOGIN tee /home/$USER_LOGIN/.local/share/code-server/User/settings.json
+        sudo -u $USER_LOGIN mkdir -p /home/$USER_LOGIN/.config/systemd/user
+        sudo -u $USER_LOGIN tee /home/$USER_LOGIN/.config/systemd/user/code-server.service <<EOF
+[Unit]
+Description=code-server
+
+[Install]
+WantedBy=default.target
+
+[Service]
+ExecStart=/usr/local/bin/code-server --bind-addr [::]:1789
+Restart=always
+EOF
+        sudo systemctl --user -M $USER_LOGIN@ enable code-server.service --now
+        sudo loginctl enable-linger $USER_LOGIN
+    fi"
+}
+
 _cmd createuser "Create the user that students will use"
 _cmd_createuser() {
     TAG=$1
@@ -235,7 +270,27 @@ _cmd_create() {
 
     ln -s ../../$SETTINGS tags/$TAG/settings.env.orig
     cp $SETTINGS tags/$TAG/settings.env
-    . $SETTINGS
+
+    # For Google Cloud, it is necessary to specify which "project" to use.
+    # Unfortunately, the Terraform provider doesn't seem to have a way
+    # to detect which Google Cloud project you want to use; it has to be
+    # specified one way or another. Let's decide that it should be set with
+    # the GOOGLE_PROJECT env var; and if that var is not set, we'll try to
+    # figure it out from gcloud.
+    # (See https://github.com/hashicorp/terraform-provider-google/issues/10907#issuecomment-1015721600)
+    # Since we need that variable to be set each time we'll call Terraform
+    # (e.g. when destroying the environment), let's save it to the settings.env
+    # file.
+    if [ "$PROVIDER" = "googlecloud" ]; then
+        if ! [ "$GOOGLE_PROJECT" ]; then
+            info "PROVIDER=googlecloud but GOOGLE_PROJECT is not set. Detecting it."
+            GOOGLE_PROJECT=$(gcloud config get project)
+            info "GOOGLE_PROJECT will be set to '$GOOGLE_PROJECT'."
+        fi
+        echo "export GOOGLE_PROJECT=$GOOGLE_PROJECT" >> tags/$TAG/settings.env
+    fi
+
+    . tags/$TAG/settings.env
 
     echo $MODE > tags/$TAG/mode
     echo $PROVIDER > tags/$TAG/provider
@@ -262,20 +317,9 @@ _cmd_create() {
         if [ "$CLUSTERSIZE" ]; then
             echo nodes_per_cluster = $CLUSTERSIZE >> terraform.tfvars
         fi
-        for RETRY in 1 2 3; do
-            if terraform apply -auto-approve; then
-                touch terraform.ok
-                break
-            fi
-        done
-        if ! [ -f terraform.ok ]; then
-            die "Terraform failed."
-        fi
     )
 
     sep
-    info "Successfully created $COUNT instances with tag $TAG"
-    echo create_ok > tags/$TAG/status
 
     # If the settings.env file has a "STEPS" field,
     # automatically execute all the actions listed in that field.
@@ -350,9 +394,13 @@ _cmd_clusterize() {
     done < /tmp/cluster
     "
 
-    while read line; do
-        printf '{"login": "%s", "password": "%s", "ipaddrs": "%s"}\n' "$USER_LOGIN" "$USER_PASSWORD" "$line"
-    done < tags/$TAG/clusters.tsv > tags/$TAG/logins.jsonl
+    jq --raw-input --compact-output \
+       --arg USER_LOGIN "$USER_LOGIN" --arg USER_PASSWORD "$USER_PASSWORD" '
+    {
+      "login": $USER_LOGIN,
+      "password": $USER_PASSWORD,
+      "ipaddrs": .
+    }' < tags/$TAG/clusters.tsv > tags/$TAG/logins.jsonl
 
     echo cluster_ok > tags/$TAG/status
 }
@@ -455,7 +503,7 @@ _cmd_kubebins() {
         curl -L https://github.com/etcd-io/etcd/releases/download/$ETCD_VERSION/etcd-$ETCD_VERSION-linux-$ARCH.tar.gz \
         | sudo tar --strip-components=1 --wildcards -zx '*/etcd' '*/etcdctl'
     fi
-    if ! [ -x hyperkube ]; then
+    if ! [ -x kube-apiserver ]; then
         ##VERSION##
         curl -L https://dl.k8s.io/$K8SBIN_VERSION/kubernetes-server-linux-$ARCH.tar.gz \
         | sudo tar --strip-components=3 -zx \
@@ -592,7 +640,9 @@ EOF
     # Install weave as the pod network
     pssh "
     if i_am_first_node; then
-        kubectl apply -f https://github.com/weaveworks/weave/releases/download/v2.8.1/weave-daemonset-k8s-1.11.yaml
+        curl -fsSL https://github.com/weaveworks/weave/releases/download/v2.8.1/weave-daemonset-k8s-1.11.yaml |
+        sed s,weaveworks/weave,quay.io/rackspace/weave, |
+        kubectl apply -f-
     fi"
 
     # FIXME this is a gross hack to add the deployment key to our SSH agent,
@@ -948,7 +998,7 @@ _cmd_logins() {
     need_tag $TAG
 
     cat tags/$TAG/logins.jsonl \
-    | jq -r '"\(.password)\tssh -l \(.login)\(if .port then " -p \(.port)" else "" end)\t\(.ipaddrs)"'
+    | jq -r '"\(if .codeServerPort then "\(.codeServerPort)\t" else "" end )\(.password)\tssh -l \(.login)\(if .port then " -p \(.port)" else "" end)\t\(.ipaddrs)"'
 }
 
 _cmd maketag "Generate a quasi-unique tag for a group of instances"
@@ -1090,7 +1140,7 @@ _cmd_tailhist () {
     set -e
     sudo apt-get install unzip -y
     wget -c https://github.com/joewalnes/websocketd/releases/download/v0.3.0/websocketd-0.3.0-linux_$ARCH.zip
-    unzip websocketd-0.3.0-linux_$ARCH.zip websocketd
+    unzip -o websocketd-0.3.0-linux_$ARCH.zip websocketd
     sudo mv websocketd /usr/local/bin/websocketd
     sudo mkdir -p /opt/tailhist
     sudo tee /opt/tailhist.service <<EOF
@@ -1113,14 +1163,35 @@ EOF
     pssh -I sudo tee /opt/tailhist/index.html <lib/tailhist.html
 }
 
+_cmd terraform "Apply Terraform configuration to provision resources."
+_cmd_terraform() {
+    TAG=$1
+    need_tag
+    echo terraforming > tags/$TAG/status
+    (
+        cd tags/$TAG
+        terraform apply -auto-approve
+        # The Terraform provider for Proxmox has a bug; sometimes it fails
+        # to obtain VM address from the QEMU agent. In that case, we put
+        # ERROR in the ips.txt file (instead of the VM IP address). Detect
+        # that so that we run Terraform again (this typically solves the issue).
+        if grep -q ERROR ips.txt; then
+          die "Couldn't obtain IP address of some machines. Try to re-run terraform."
+        fi
+    )
+    echo terraformed > tags/$TAG/status
+
+}
+
 _cmd tools "Install a bunch of useful tools (editors, git, jq...)"
 _cmd_tools() {
     TAG=$1
     need_tag
 
     pssh "
+    set -e
     sudo apt-get -q update
-    sudo apt-get -qy install apache2-utils emacs-nox git httping htop jid joe jq mosh python-setuptools tree unzip
+    sudo apt-get -qy install apache2-utils argon2 emacs-nox git httping htop jid joe jq mosh tree unzip
     # This is for VMs with broken PRNG (symptom: running docker-compose randomly hangs)
     sudo apt-get -qy install haveged
     "
@@ -1167,14 +1238,17 @@ fi
     "
 }
 
-_cmd ssh "Open an SSH session to the first node of a tag"
+_cmd ssh "Open an SSH session to a node (first one by default)"
 _cmd_ssh() {
     TAG=$1
     need_tag
-    IP=$(head -1 tags/$TAG/ips.txt)
-    info "Logging into $IP (default password: $USER_PASSWORD)"
-    ssh $SSHOPTS $USER_LOGIN@$IP
-
+    if [ "$2" ]; then
+        ssh -l ubuntu -i tags/$TAG/id_rsa $2
+    else
+        IP=$(head -1 tags/$TAG/ips.txt)
+        info "Logging into $IP (default password: $USER_PASSWORD)"
+        ssh $SSHOPTS $USER_LOGIN@$IP
+    fi
 }
 
 _cmd tags "List groups of VMs known locally"
@@ -1260,7 +1334,13 @@ _cmd_passwords() {
     $0 ips "$TAG" | paste "$PASSWORDS_FILE" - | while read password nodes; do
         info "Setting password for $nodes..."
         for node in $nodes; do
-            echo $USER_LOGIN:$password | ssh $SSHOPTS -i tags/$TAG/id_rsa ubuntu@$node sudo chpasswd
+            echo $USER_LOGIN $password | ssh $SSHOPTS -i tags/$TAG/id_rsa ubuntu@$node '
+                read login password
+                echo $login:$password | sudo chpasswd
+                hashedpassword=$(echo -n $password | argon2 saltysalt$RANDOM -e)
+                sudo -u $login mkdir -p /home/$login/.config/code-server
+                echo "hashed-password: \"$hashedpassword\"" | sudo -u $login tee /home/$login/.config/code-server/config.yaml >/dev/null
+                '
         done
     done
     info "Done."
@@ -1292,6 +1372,11 @@ _cmd_wait() {
     pssh -l $SSH_USER "
     if [ -d /var/lib/cloud ]; then
         cloud-init status --wait
+        case $? in
+        0) exit 0;; # all is good
+        2) exit 0;; # recoverable error (happens with proxmox deprecated cloud-init payloads)
+        *) exit 1;; # all other problems
+        esac
     fi"
 }
 
@@ -1334,7 +1419,7 @@ WantedBy=multi-user.target
 
 [Service]
 WorkingDirectory=/opt/webssh
-ExecStart=/usr/bin/env python run.py --fbidhttp=false --port=1080 --policy=reject
+ExecStart=/usr/bin/env python3 run.py --fbidhttp=false --port=1080 --policy=reject
 User=nobody
 Group=nogroup
 Restart=always

prepare-labs/lib/pssh.sh

@@ -23,6 +23,14 @@ pssh() {
     # necessary - or down to zero, too.
     sleep ${PSSH_DELAY_PRE-1}
 
+    # When things go wrong, it's convenient to ask pssh to show the output
+    # of the failed command. Let's make that easy with a DEBUG env var.
+    if [ "$DEBUG" ]; then
+        PSSH_I=-i
+    else
+        PSSH_I=""
+    fi
+
     $(which pssh || which parallel-ssh) -h $HOSTFILE -l ubuntu \
         --par ${PSSH_PARALLEL_CONNECTIONS-100} \
         --timeout 300 \
@@ -31,5 +39,6 @@ pssh() {
         -O UserKnownHostsFile=/dev/null \
         -O StrictHostKeyChecking=no \
         -O ForwardAgent=yes \
+        $PSSH_I \
         "$@"
 }

prepare-labs/settings/admin-kubenet.env

@@ -7,6 +7,7 @@ USER_LOGIN=k8s
 USER_PASSWORD=training
 
 STEPS="
+  terraform
   wait
   standardize
   clusterize

prepare-labs/settings/admin-kuberouter.env

@@ -7,6 +7,7 @@ USER_LOGIN=k8s
 USER_PASSWORD=training
 
 STEPS="
+  terraform
   wait
   standardize
   clusterize

prepare-labs/settings/admin-monokube.env

@@ -11,6 +11,7 @@ USER_LOGIN=k8s
 USER_PASSWORD=training
 
 STEPS="
+  terraform
   wait
   standardize
   clusterize

prepare-labs/settings/admin-oldversion.env

@@ -10,6 +10,7 @@ USER_PASSWORD=training
 KUBEVERSION=1.28.9
 
 STEPS="
+  terraform
   wait
   standardize
   clusterize

prepare-labs/settings/admin-polykube.env

@@ -6,6 +6,7 @@ USER_LOGIN=k8s
 USER_PASSWORD=training
 
 STEPS="
+  terraform
   wait
   standardize
   clusterize

prepare-labs/settings/admin-test.env

@@ -6,6 +6,7 @@ USER_LOGIN=k8s
 USER_PASSWORD=training
 
 STEPS="
+  terraform
   wait
   standardize
   clusterize

prepare-labs/settings/docker.env

@@ -6,6 +6,7 @@ USER_LOGIN=docker
 USER_PASSWORD=training
 
 STEPS="
+  terraform
   wait
   standardize
   clusterize
@@ -14,6 +15,5 @@ STEPS="
   createuser
   webssh
   tailhist
-  cards
   ips
-"
+"

prepare-labs/settings/konk.env

@@ -3,4 +3,4 @@ CLUSTERSIZE=5
 USER_LOGIN=k8s
 USER_PASSWORD=
 
-STEPS="stage2"
+STEPS="terraform stage2"

prepare-labs/settings/kubernetes.env

@@ -6,6 +6,7 @@ USER_LOGIN=k8s
 USER_PASSWORD=training
 
 STEPS="
+  terraform
   wait
   standardize
   clusterize

prepare-labs/settings/largekube.env

@@ -7,6 +7,7 @@ USER_LOGIN=k8s
 USER_PASSWORD=training
 
 STEPS="
+  terraform
   wait
   standardize
   clusterize

prepare-labs/settings/mk8s.env

@@ -1,4 +1,4 @@
 USER_LOGIN=k8s
 USER_PASSWORD=
 
-STEPS="stage2"
+STEPS="terraform stage2"

prepare-labs/settings/portal.env

@@ -1,4 +1,4 @@
-#export TF_VAR_node_size=GP2.4
+#export TF_VAR_node_size=GP4.4
 #export TF_VAR_node_size=g6-standard-6
 #export TF_VAR_node_size=m7i.xlarge
 
@@ -11,6 +11,7 @@ USER_LOGIN=portal
 USER_PASSWORD=CHANGEME
 
 STEPS="
+  terraform
   wait
   standardize
   clusterize

prepare-labs/templates/cards.html

@@ -69,7 +69,7 @@ body {
 body {
     width: 6.75in; /* two cards wide */
     margin-left: 0.875in; /* (8.5in - 6.75in)/2 */
-    margin-top: 0; /* NOTE: we have to manually specify a top margin of e.g. 0.1875in when printing */
+    margin-top: 0.1875in; /* (11in - 5 cards)/2 */
 }
 {% endif %}
 

prepare-labs/templates/cards.yaml

@@ -8,11 +8,12 @@ backside: |
     Thanks for attending the Asynchronous Architecture Patterns workshop at QCON!
   </p>
   <p>
-    If you'd like me to send you a copy of the recording of the workshop
-    and of the training materials,
-    please scan that QR code to leave me your
-    contact information. Thank you!
+    <b>This QR code will give you my contact info</b> as well as a link to a feedback form.
   </p>
-qrcode: https://2024-11-qconsf.container.training/q
+  <p>
+    If you liked this workshop, I can train your team, in person or online, with custom
+    courses of any length and any level, on Docker, Kubernetes, and MLops.
+  </p>
+qrcode: https://2024-11-qconsf.container.training/#contact
 thing: Kubernetes cluster
-image: logo-bento.svg
+image: logo-kubernetes.png

prepare-labs/terraform/many-kubernetes/stage2.tmpl

@@ -2,7 +2,11 @@ terraform {
   required_providers {
     kubernetes = {
       source  = "hashicorp/kubernetes"
-      version = "2.16.1"
+      version = "~> 2.38.0"
+    }
+    helm = {
+      source = "hashicorp/helm"
+      version = "~> 3.0"
     }
   }
 }
@@ -14,6 +18,20 @@ provider "kubernetes" {
   config_path = "./kubeconfig.${index}"
 }
 
+provider "helm" {
+  alias = "cluster_${index}"
+  kubernetes = {
+    config_path = "./kubeconfig.${index}"
+  }
+}
+
+# Password used for SSH and code-server access
+resource "random_string" "shpod_${index}" {
+  length  = 6
+  special = false
+  upper   = false
+}
+
 resource "kubernetes_namespace" "shpod_${index}" {
   provider = kubernetes.cluster_${index}
   metadata {
@@ -21,121 +39,53 @@ resource "kubernetes_namespace" "shpod_${index}" {
   }
 }
 
-resource "kubernetes_deployment" "shpod_${index}" {
+data "kubernetes_service" "shpod_${index}" {
+  depends_on = [ helm_release.shpod_${index} ]
   provider = kubernetes.cluster_${index}
   metadata {
     name = "shpod"
-    namespace = kubernetes_namespace.shpod_${index}.metadata.0.name
-  }
-  spec {
-    selector {
-      match_labels = {
-        app = "shpod"
-      }
-    }
-    template {
-      metadata {
-        labels = {
-          app = "shpod"
-        }
-      }
-      spec {
-        service_account_name = "shpod"
-        container {
-          image = "jpetazzo/shpod"
-          name = "shpod"
-          env {
-            name = "PASSWORD"
-            value = random_string.shpod_${index}.result
-          }
-          lifecycle {
-            post_start {
-              exec {
-                command = [ "sh", "-c", "curl http://myip.enix.org/REMOTE_ADDR > /etc/HOSTIP || true" ]
-              }
-            }
-          }
-          resources {
-            limits = {
-              cpu    = "2"
-              memory = "500M"
-            }
-            requests = {
-              cpu    = "100m"
-              memory = "250M"
-            }
-          }
-        }
-      }
-    }
-  }
-}
-
-resource "kubernetes_service" "shpod_${index}" {
-  provider = kubernetes.cluster_${index}
-  lifecycle {
-    # Folks might alter their shpod Service to expose extra ports.
-    # Don't reset their changes.
-    ignore_changes = [ spec ]
-  }
-  metadata {
-    name = "shpod"
-    namespace = kubernetes_namespace.shpod_${index}.metadata.0.name
-  }
-  spec {
-    selector = {
-      app = "shpod"
-    }
-    port {
-      name = "ssh"
-      port = 22
-      target_port = 22
-    }
-    type = "NodePort"
-  }
-}
-
-resource "kubernetes_service_account" "shpod_${index}" {
-  provider = kubernetes.cluster_${index}
-  metadata {
-    name = "shpod"
-    namespace = kubernetes_namespace.shpod_${index}.metadata.0.name
-  }
-}
-
-resource "kubernetes_cluster_role_binding" "shpod_${index}" {
-  provider = kubernetes.cluster_${index}
-  metadata {
-    name = "shpod"
-  }
-  role_ref {
-    api_group = "rbac.authorization.k8s.io"
-    kind      = "ClusterRole"
-    name      = "cluster-admin"
-  }
-  subject {
-    kind      = "ServiceAccount"
-    name      = "shpod"
     namespace = "shpod"
   }
-  subject {
-    api_group = "rbac.authorization.k8s.io"
-    kind      = "Group"
-    name      = "shpod-cluster-admins"
-  }
 }
 
-resource "random_string" "shpod_${index}" {
-  length  = 6
-  special = false
-  upper   = false
-}
-
-provider "helm" {
-  alias = "cluster_${index}"
-  kubernetes {
-    config_path = "./kubeconfig.${index}"
-  }
+resource "helm_release" "shpod_${index}" {
+  provider = helm.cluster_${index}
+  repository = "https://shpod.in"
+  chart = "shpod"
+  name = "shpod"
+  namespace = "shpod"
+  create_namespace = false
+  values = [
+    yamlencode({
+      service = {
+        type = "NodePort"
+      }
+      resources = {
+        requests = {
+          cpu = "100m"
+          memory = "500M"
+        }
+        limits = {
+          cpu = "1"
+          memory = "1000M"
+        }
+      }
+      persistentVolume = {
+        enabled = true
+      }
+      ssh = {
+        password = random_string.shpod_${index}.result
+      }
+      rbac = {
+        cluster = {
+          clusterRoles = [ "cluster-admin" ]
+        }
+      }
+      codeServer = {
+        enabled = true
+      }
+    })
+  ]
 }
 
 resource "helm_release" "metrics_server_${index}" {
@@ -150,13 +100,75 @@ resource "helm_release" "metrics_server_${index}" {
   name = "metrics-server"
   namespace = "metrics-server"
   create_namespace = true
-  set {
-    name = "args"
-    value = "{--kubelet-insecure-tls}"
-  }
+  values = [
+    yamlencode({
+      args = [ "--kubelet-insecure-tls" ]
+    })
+  ]
 }
 
+# As of October 2025, the ebs-csi-driver addon (which is used on EKS
+# to provision persistent volumes) doesn't automatically create a
+# StorageClass. Here, we're trying to detect the DaemonSet created
+# by the ebs-csi-driver; and if we find it, we create the corresponding
+# StorageClass.
+data "kubernetes_resources" "ebs_csi_node_${index}" {
+  provider = kubernetes.cluster_${index}
+  api_version = "apps/v1"
+  kind = "DaemonSet"
+  label_selector = "app.kubernetes.io/name=aws-ebs-csi-driver"
+  namespace = "kube-system"
+}
+
+resource "kubernetes_storage_class" "ebs_csi_${index}" {
+  count =  (length(data.kubernetes_resources.ebs_csi_node_${index}.objects) > 0) ? 1 : 0
+  provider = kubernetes.cluster_${index}
+  metadata {
+    name = "ebs-csi"
+    annotations = {
+      "storageclass.kubernetes.io/is-default-class" = "true"
+    }
+  }
+  storage_provisioner = "ebs.csi.aws.com"
+}
+
+# This section here deserves a little explanation.
+#
+# When we access a cluster with shpod (either through SSH or code-server)
+# there is no kubeconfig file - we simply use "in-cluster" authentication
+# with a ServiceAccount token. This is a bit unusual, and ideally, I would
+# prefer to have a "normal" kubeconfig file in the students' shell.
+#
+# So what we're doing here, is that we're populating a ConfigMap with
+# a kubeconfig file; and in the initialization scripts (e.g. bashrc) we
+# automatically download the kubeconfig file from the ConfigMap and place
+# it in ~/.kube/kubeconfig.
+#
+# But, which kubeconfig file should we use? We could use the "normal"
+# kubeconfig file that was generated by the provider; but in some cases,
+# that kubeconfig file might use a token instead of a certificate for
+# user authentication - and ideally, I would like to have a certificate
+# so that in the section about auth and RBAC, we can dissect that TLS
+# certificate and explain where our permissions come from.
+#
+# So we're creating a TLS key pair; using the CSR API to issue a user
+# certificate belongong to a special group; and grant the cluster-admin
+# role to that group; then we use the kubeconfig file generated by the
+# provider but override the user with that TLS key pair.
+#
+# This is not strictly necessary but it streamlines the lesson on auth.
+#
+# Lastly - in the ConfigMap we actually put both the original kubeconfig,
+# and the one where we injected our new user (just in case we want to
+# use or look at the original for any reason).
+#
+# One more thing: the kubernetes.io/kube-apiserver-client signer is
+# disabled on EKS, so... we don't generate that ConfigMap on EKS.
+# To detect if we're on EKS, we're looking for the ebs-csi-node DaemonSet.
+# (Which means that the detection will break if the ebs-csi addon is missing.)
+
 resource "kubernetes_config_map" "kubeconfig_${index}" {
+  count =  (length(data.kubernetes_resources.ebs_csi_node_${index}.objects) > 0) ? 0 : 1
   provider = kubernetes.cluster_${index}
   metadata {
     name = "kubeconfig"
@@ -182,7 +194,7 @@ resource "kubernetes_config_map" "kubeconfig_${index}" {
       - name: cluster-admin
         user:
           client-key-data: $${base64encode(tls_private_key.cluster_admin_${index}.private_key_pem)}
-          client-certificate-data: $${base64encode(kubernetes_certificate_signing_request_v1.cluster_admin_${index}.certificate)}
+          client-certificate-data: $${base64encode(kubernetes_certificate_signing_request_v1.cluster_admin_${index}[0].certificate)}
     EOT
   }
 }
@@ -202,7 +214,25 @@ resource "tls_cert_request" "cluster_admin_${index}" {
   }
 }
 
+resource "kubernetes_cluster_role_binding" "shpod_cluster_admin_${index}" {
+  provider = kubernetes.cluster_${index}
+  metadata {
+    name = "shpod-cluster-admin"
+  }
+  role_ref {
+    api_group = "rbac.authorization.k8s.io"
+    kind = "ClusterRole"
+    name = "cluster-admin"
+  }
+  subject {
+    api_group = "rbac.authorization.k8s.io"
+    kind = "Group"
+    name = "shpod-cluster-admins"
+  }
+}
+
 resource "kubernetes_certificate_signing_request_v1" "cluster_admin_${index}" {
+  count =  (length(data.kubernetes_resources.ebs_csi_node_${index}.objects) > 0) ? 0 : 1
   provider = kubernetes.cluster_${index}
   metadata {
     name = "cluster-admin"
@@ -234,7 +264,8 @@ output "logins_jsonl" {
     jsonencode({
       login = "k8s",
       password = random_string.shpod_${index}.result,
-      port = kubernetes_service.shpod_${index}.spec[0].port[0].node_port,
+      port = data.kubernetes_service.shpod_${index}.spec[0].port[0].node_port,
+      codeServerPort = data.kubernetes_service.shpod_${index}.spec[0].port[1].node_port,
       ipaddrs = replace(file("./externalips.${index}"), " ", "\t"),
     }),
   %{ endfor ~}

prepare-labs/terraform/many-kubernetes/variables.tf

@@ -23,7 +23,7 @@ variable "node_size" {
 }
 
 variable "location" {
-  type = string
+  type    = string
   default = null
 }
 

prepare-labs/terraform/one-kubernetes/aws/main.tf

@@ -1,60 +1,45 @@
-# Taken from:
-# https://github.com/hashicorp/learn-terraform-provision-eks-cluster/blob/main/main.tf
-
-data "aws_availability_zones" "available" {}
-
-module "vpc" {
-  source  = "terraform-aws-modules/vpc/aws"
-  version = "3.19.0"
-
-  name = var.cluster_name
-
-  cidr = "10.0.0.0/16"
-  azs  = slice(data.aws_availability_zones.available.names, 0, 3)
-
-  private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
-  public_subnets  = ["10.0.4.0/24", "10.0.5.0/24", "10.0.6.0/24"]
-
-  enable_nat_gateway   = true
-  single_nat_gateway   = true
-  enable_dns_hostnames = true
-
-  public_subnet_tags = {
-    "kubernetes.io/cluster/${var.cluster_name}" = "shared"
-    "kubernetes.io/role/elb"                    = 1
-  }
-
-  private_subnet_tags = {
-    "kubernetes.io/cluster/${var.cluster_name}" = "shared"
-    "kubernetes.io/role/internal-elb"           = 1
-  }
+data "aws_eks_cluster_versions" "_" {
+  default_only = true
 }
 
 module "eks" {
-  source  = "terraform-aws-modules/eks/aws"
-  version = "19.5.1"
-
-  cluster_name    = var.cluster_name
-  cluster_version = "1.24"
-
-  vpc_id                         = module.vpc.vpc_id
-  subnet_ids                     = module.vpc.private_subnets
-  cluster_endpoint_public_access = true
-
-  eks_managed_node_group_defaults = {
-    ami_type = "AL2_x86_64"
+  source                                   = "terraform-aws-modules/eks/aws"
+  version                                  = "~> 21.0"
+  name                                     = var.cluster_name
+  kubernetes_version                       = data.aws_eks_cluster_versions._.cluster_versions[0].cluster_version
+  vpc_id                                   = local.vpc_id
+  subnet_ids                               = local.subnet_ids
+  endpoint_public_access                   = true
+  enable_cluster_creator_admin_permissions = true
+  upgrade_policy = {
+    # The default policy is EXTENDED, which incurs additional costs
+    # when running an old control plane. We don't advise to run old
+    # control planes, but we also don't want to incur costs if an
+    # old version is chosen accidentally.
+    support_type = "STANDARD"
+  }
 
+  addons = {
+    coredns = {}
+    eks-pod-identity-agent = {
+      before_compute = true
+    }
+    kube-proxy = {}
+    vpc-cni = {
+      before_compute = true
+    }
+    aws-ebs-csi-driver = {
+      service_account_role_arn = module.irsa-ebs-csi.iam_role_arn
+    }
   }
 
   eks_managed_node_groups = {
-    one = {
-      name = "node-group-one"
-
+    x86 = {
+      name           = "x86"
       instance_types = [local.node_size]
-
-      min_size     = var.min_nodes_per_pool
-      max_size     = var.max_nodes_per_pool
-      desired_size = var.min_nodes_per_pool
+      min_size       = var.min_nodes_per_pool
+      max_size       = var.max_nodes_per_pool
+      desired_size   = var.min_nodes_per_pool
     }
   }
 }
@@ -66,7 +51,7 @@ data "aws_iam_policy" "ebs_csi_policy" {
 
 module "irsa-ebs-csi" {
   source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
-  version = "4.7.0"
+  version = "~> 5.39.0"
 
   create_role                   = true
   role_name                     = "AmazonEKSTFEBSCSIRole-${module.eks.cluster_name}"
@@ -75,13 +60,9 @@ module "irsa-ebs-csi" {
   oidc_fully_qualified_subjects = ["system:serviceaccount:kube-system:ebs-csi-controller-sa"]
 }
 
-resource "aws_eks_addon" "ebs-csi" {
-  cluster_name             = module.eks.cluster_name
-  addon_name               = "aws-ebs-csi-driver"
-  addon_version            = "v1.5.2-eksbuild.1"
-  service_account_role_arn = module.irsa-ebs-csi.iam_role_arn
-  tags = {
-    "eks_addon" = "ebs-csi"
-    "terraform" = "true"
-  }
+resource "aws_vpc_security_group_ingress_rule" "_" {
+  security_group_id = module.eks.node_security_group_id
+  cidr_ipv4         = "0.0.0.0/0"
+  ip_protocol       = -1
+  description       = "Allow all traffic to Kubernetes nodes (so that we can use NodePorts, hostPorts, etc.)"
 }

prepare-labs/terraform/one-kubernetes/aws/provider.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 4.47.0"
+      version = "~> 6.17.0"
     }
   }
 }

prepare-labs/terraform/one-kubernetes/aws/vpc.tf

@@ -0,0 +1,61 @@
+# OK, we have two options here.
+# 1. Create our own VPC
+#    - Pros: provides good isolation from other stuff deployed in the
+#            AWS account; makes sure that we don't interact with
+#            existing security groups, subnets, etc.
+#    - Cons: by default, there is a quota of 5 VPC per region, so
+#            we can only deploy 5 clusters
+# 2. Use the default VPC
+#    - Pros/cons: the opposite :)
+
+variable "use_default_vpc" {
+  type    = bool
+  default = true
+}
+
+data "aws_vpc" "default" {
+  default = true
+}
+
+data "aws_subnets" "default" {
+  filter {
+    name   = "vpc-id"
+    values = [data.aws_vpc.default.id]
+  }
+}
+
+data "aws_availability_zones" "available" {}
+
+module "vpc" {
+  count   = var.use_default_vpc ? 0 : 1
+  source  = "terraform-aws-modules/vpc/aws"
+  version = "~> 6.0"
+
+  name = var.cluster_name
+
+  cidr = "10.0.0.0/16"
+  azs  = slice(data.aws_availability_zones.available.names, 0, 3)
+
+  private_subnets = ["10.0.11.0/24", "10.0.12.0/24", "10.0.13.0/24"]
+  public_subnets  = ["10.0.21.0/24", "10.0.22.0/24", "10.0.23.0/24"]
+
+  enable_nat_gateway      = true
+  single_nat_gateway      = true
+  enable_dns_hostnames    = true
+  map_public_ip_on_launch = true
+
+  public_subnet_tags = {
+    "kubernetes.io/cluster/${var.cluster_name}" = "shared"
+    "kubernetes.io/role/elb"                    = 1
+  }
+
+  private_subnet_tags = {
+    "kubernetes.io/cluster/${var.cluster_name}" = "shared"
+    "kubernetes.io/role/internal-elb"           = 1
+  }
+}
+
+locals {
+  vpc_id     = var.use_default_vpc ? data.aws_vpc.default.id : module.vpc[0].vpc_id
+  subnet_ids = var.use_default_vpc ? data.aws_subnets.default.ids : module.vpc[0].public_subnets
+}

prepare-labs/terraform/one-kubernetes/googlecloud/locals.tf

@@ -1,12 +0,0 @@
-locals {
-  location = var.location != null ? var.location : "europe-north1-a"
-  region   = replace(local.location, "/-[a-z]$/", "")
-  # Unfortunately, the following line doesn't work
-  # (that attribute just returns an empty string)
-  # so we have to hard-code the project name.
-  #project = data.google_client_config._.project
-  project = "prepare-tf"
-}
-
-data "google_client_config" "_" {}
-

prepare-labs/terraform/one-kubernetes/googlecloud/main.tf

@@ -1,7 +1,7 @@
 resource "google_container_cluster" "_" {
-  name     = var.cluster_name
-  project  = local.project
-  location = local.location
+  name                = var.cluster_name
+  location            = local.location
+  deletion_protection = false
   #min_master_version = var.k8s_version
 
   # To deploy private clusters, uncomment the section below,
@@ -42,7 +42,7 @@ resource "google_container_cluster" "_" {
   node_pool {
     name = "x86"
     node_config {
-      tags         = var.common_tags
+      tags         = ["lab-${var.cluster_name}"]
       machine_type = local.node_size
     }
     initial_node_count = var.min_nodes_per_pool
@@ -62,3 +62,25 @@ resource "google_container_cluster" "_" {
     }
   }
 }
+
+resource "google_compute_firewall" "_" {
+  name    = "lab-${var.cluster_name}"
+  network = "default"
+
+  allow {
+    protocol = "tcp"
+    ports    = ["0-65535"]
+  }
+
+  allow {
+    protocol = "udp"
+    ports    = ["0-65535"]
+  }
+
+  allow {
+    protocol = "icmp"
+  }
+
+  source_ranges = ["0.0.0.0/0"]
+  target_tags   = ["lab-${var.cluster_name}"]
+}

prepare-labs/terraform/one-kubernetes/googlecloud/outputs.tf

@@ -6,6 +6,8 @@ output "has_metrics_server" {
   value = true
 }
 
+data "google_client_config" "_" {}
+
 output "kubeconfig" {
   sensitive = true
   value     = <<-EOT

prepare-labs/terraform/one-kubernetes/googlecloud/provider.tf

@@ -1,8 +0,0 @@
-terraform {
-  required_providers {
-    google = {
-      source  = "hashicorp/google"
-      version = "4.5.0"
-    }
-  }
-}

prepare-labs/terraform/one-kubernetes/googlecloud/provider.tf

@@ -0,0 +1 @@
+../../providers/googlecloud/provider.tf

prepare-labs/terraform/one-kubernetes/scaleway/main.tf

@@ -30,7 +30,7 @@ resource "scaleway_k8s_pool" "_" {
   max_size    = var.max_nodes_per_pool
   autoscaling = var.max_nodes_per_pool > var.min_nodes_per_pool
   autohealing = true
-  depends_on = [ scaleway_instance_security_group._ ]
+  depends_on  = [scaleway_instance_security_group._]
 }
 
 data "scaleway_k8s_version" "_" {

prepare-labs/terraform/one-kubernetes/vcluster/main.tf

@@ -4,25 +4,36 @@ resource "helm_release" "_" {
   create_namespace = true
   repository       = "https://charts.loft.sh"
   chart            = "vcluster"
-  version          = "0.19.7"
-  set {
-    name  = "service.type"
-    value = "NodePort"
-  }
-  set {
-    name  = "storage.persistence"
-    value = "false"
-  }
-  set {
-    name  = "sync.nodes.enabled"
-    value = "true"
-  }
-  set {
-    name  = "sync.nodes.syncAllNodes"
-    value = "true"
-  }
-  set {
-    name  = "syncer.extraArgs"
-    value = "{--tls-san=${local.guest_api_server_host}}"
-  }
+  version          = "0.27.1"
+  values = [
+    yamlencode({
+      controlPlane = {
+        proxy = {
+          extraSANs = [ local.guest_api_server_host ]
+        }
+        service = {
+          spec = {
+            type = "NodePort"
+          }
+        }
+        statefulSet = {
+          persistence = {
+            volumeClaim = {
+              enabled = true
+            }
+          }
+        }
+      }
+      sync = {
+        fromHost = {
+          nodes = {
+            enabled = true
+            selector = {
+              all = true
+            }
+          }
+        }
+      }
+    })
+  ]
 }

prepare-labs/terraform/one-kubernetes/vcluster/provider.tf

@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    helm = {
+      source  = "hashicorp/helm"
+      version = "~> 3.0"
+    }
+  }
+}

prepare-labs/terraform/providers/googlecloud/provider.tf

@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = "~> 7.0"
+    }
+  }
+}

prepare-labs/terraform/providers/googlecloud/variables.tf

@@ -9,5 +9,9 @@ variable "node_sizes" {
 
 variable "location" {
   type    = string
-  default = null
+  default = "europe-north1-a"
 }
+
+locals {
+  location = (var.location != "" && var.location != null) ? var.location : "europe-north1-a"
+}

prepare-labs/terraform/providers/proxmox/config.tf

@@ -0,0 +1,30 @@
+variable "proxmox_endpoint" {
+  type    = string
+  default = "https://localhost:8006/"
+}
+
+variable "proxmox_username" {
+  type    = string
+  default = null
+}
+
+variable "proxmox_password" {
+  type    = string
+  default = null
+}
+
+variable "proxmox_storage" {
+  type    = string
+  default = "local"
+}
+
+variable "proxmox_template_node_name" {
+  type    = string
+  default = null
+}
+
+variable "proxmox_template_vm_id" {
+  type    = number
+  default = null
+}
+

prepare-labs/terraform/providers/proxmox/variables.tf

@@ -0,0 +1,11 @@
+# Since node size needs to be a string...
+# To indicate number of CPUs + RAM, just pass it as a string with a space between them.
+# RAM is in megabytes.
+variable "node_sizes" {
+  type = map(any)
+  default = {
+    S = "1 2048"
+    M = "2 4096"
+    L = "3 8192"
+  }
+}

prepare-labs/terraform/providers/vcluster/config.tf

@@ -1,5 +1,5 @@
 provider "helm" {
-  kubernetes {
+  kubernetes = {
     config_path = "~/kubeconfig"
   }
 }

prepare-labs/terraform/virtual-machines/common.tf

@@ -56,6 +56,7 @@ locals {
       cluster_name = format("%s-%03d", var.tag, cn[0])
       node_name    = format("%s-%03d-%03d", var.tag, cn[0], cn[1])
       node_size    = lookup(var.node_sizes, var.node_size, var.node_size)
+      node_index   = cn[0] * var.nodes_per_cluster + cn[1]
     }
   }
 }

prepare-labs/terraform/virtual-machines/googlecloud/common.tf

@@ -0,0 +1 @@
+../common.tf

prepare-labs/terraform/virtual-machines/googlecloud/config.tf

@@ -0,0 +1 @@
+../../providers/googlecloud/config.tf

prepare-labs/terraform/virtual-machines/googlecloud/main.tf

@@ -0,0 +1,54 @@
+# Note: names and tags on GCP have to match a specific regex:
+# (?:[a-z](?:[-a-z0-9]{0,61}[a-z0-9])?)
+# In other words, they must start with a letter; and generally,
+# we make them start with a number (year-month-day-etc, so 2025-...)
+# so we prefix names and tags with "lab-" in this configuration.
+
+resource "google_compute_instance" "_" {
+  for_each     = local.nodes
+  zone         = var.location
+  name         = "lab-${each.value.node_name}"
+  tags         = ["lab-${var.tag}"]
+  machine_type = each.value.node_size
+  boot_disk {
+    initialize_params {
+      image = "ubuntu-os-cloud/ubuntu-2404-lts-amd64"
+    }
+  }
+  network_interface {
+    network = "default"
+    access_config {}
+  }
+  metadata = {
+    "ssh-keys" = "ubuntu:${tls_private_key.ssh.public_key_openssh}"
+  }
+}
+
+locals {
+  ip_addresses = {
+    for key, value in local.nodes :
+    key => google_compute_instance._[key].network_interface[0].access_config[0].nat_ip
+  }
+}
+
+resource "google_compute_firewall" "_" {
+  name    = "lab-${var.tag}"
+  network = "default"
+
+  allow {
+    protocol = "tcp"
+    ports    = ["0-65535"]
+  }
+
+  allow {
+    protocol = "udp"
+    ports    = ["0-65535"]
+  }
+
+  allow {
+    protocol = "icmp"
+  }
+
+  source_ranges = ["0.0.0.0/0"]
+  target_tags   = ["lab-${var.tag}"]
+}

prepare-labs/terraform/virtual-machines/googlecloud/provider.tf

@@ -0,0 +1 @@
+../../providers/googlecloud/provider.tf

prepare-labs/terraform/virtual-machines/googlecloud/variables.tf

@@ -0,0 +1 @@
+../../providers/googlecloud/variables.tf

prepare-labs/terraform/virtual-machines/proxmox/common.tf

@@ -0,0 +1 @@
+../common.tf

prepare-labs/terraform/virtual-machines/proxmox/config.tf

@@ -0,0 +1 @@
+../../providers/proxmox/config.tf

prepare-labs/terraform/virtual-machines/proxmox/main.tf

@@ -0,0 +1,79 @@
+data "proxmox_virtual_environment_nodes" "_" {}
+
+locals {
+  pve_nodes = data.proxmox_virtual_environment_nodes._.names
+}
+
+resource "proxmox_virtual_environment_vm" "_" {
+  node_name       = local.pve_nodes[each.value.node_index % length(local.pve_nodes)]
+  for_each        = local.nodes
+  name            = each.value.node_name
+  tags            = ["container.training", var.tag]
+  stop_on_destroy = true
+  cpu {
+    cores = split(" ", each.value.node_size)[0]
+    type  = "x86-64-v2-AES" # recommended for modern CPUs
+  }
+  memory {
+    dedicated = split(" ", each.value.node_size)[1]
+  }
+  #disk {
+  #  datastore_id = var.proxmox_storage
+  #  file_id = proxmox_virtual_environment_file._.id
+  #  interface = "scsi0"
+  #  size = 30
+  #  discard = "on"
+  #}
+  clone {
+    vm_id     = var.proxmox_template_vm_id
+    node_name = var.proxmox_template_node_name
+    full      = false
+  }
+  agent {
+    enabled = true
+  }
+  initialization {
+    datastore_id = var.proxmox_storage
+    user_account {
+      username = "ubuntu"
+      keys     = [trimspace(tls_private_key.ssh.public_key_openssh)]
+    }
+    ip_config {
+      ipv4 {
+        address = "dhcp"
+        #gateway =
+      }
+    }
+  }
+  network_device {
+    bridge = "vmbr0"
+  }
+  operating_system {
+    type = "l26"
+  }
+}
+
+#resource "proxmox_virtual_environment_download_file" "ubuntu_2404_20250115" {
+#  content_type = "iso"
+#  datastore_id = "cephfs"
+#  node_name    = "pve-lsd-1"
+#  url          = "https://cloud-images.ubuntu.com/releases/24.04/release-20250115/ubuntu-24.04-server-cloudimg-amd64.img"
+#  file_name    = "ubuntu_2404_20250115.img"
+#}
+#
+#resource "proxmox_virtual_environment_file" "_" {
+#  datastore_id = "cephfs"
+#  node_name = "pve-lsd-1"
+#  source_file {
+#    path = "/root/noble-server-cloudimg-amd64.img"
+#  }
+#}
+
+locals {
+  ip_addresses = {
+    for key, value in local.nodes :
+    key => [for addr in flatten(concat(proxmox_virtual_environment_vm._[key].ipv4_addresses, ["ERROR"])) :
+    addr if addr != "127.0.0.1"][0]
+  }
+}
+

prepare-labs/terraform/virtual-machines/proxmox/provider.tf

@@ -0,0 +1,15 @@
+terraform {
+  required_providers {
+    proxmox = {
+      source  = "bpg/proxmox"
+      version = "~> 0.70.1"
+    }
+  }
+}
+
+provider "proxmox" {
+  endpoint = var.proxmox_endpoint
+  username = var.proxmox_username
+  password = var.proxmox_password
+  insecure = true
+}

prepare-labs/terraform/virtual-machines/proxmox/tfvars.example

@@ -0,0 +1,17 @@
+# If you want to deploy to Proxmox, you need to:
+# 1) copy that file to e.g. myproxmoxcluster.tfvars
+# 2) make sure you have a VM template with QEMU agent pre-installed
+# 3) customize the copy (you need to replace all the CHANGEME values)
+# 4) deploy with "labctl create --provider proxmox/myproxmoxcluster  ..."
+
+proxmox_endpoint = "https://localhost:8006/"
+proxmox_username = "terraform@pve"
+proxmox_password = "CHANGEME"
+
+# Which storage to use for VM disks. Defaults to "local".
+#proxmox_storage = "ceph"
+
+proxmox_template_node_name = "CHANGEME"
+proxmox_template_vm_id = CHANGEME
+
+

prepare-labs/terraform/virtual-machines/proxmox/variables.tf

@@ -0,0 +1 @@
+../../providers/proxmox/variables.tf

slides/1.yml

@@ -0,0 +1,68 @@
+title: |
+  Docker Intensif
+
+chat: "[Mattermost](https://training.enix.io/mattermost)"
+
+gitrepo: github.com/jpetazzo/container.training
+
+slides: https://2025-10-enix.container.training/
+
+#slidenumberprefix: "#SomeHashTag — "
+
+exclude:
+- self-paced
+
+content:
+- shared/title.md
+- logistics.md
+- containers/intro.md
+- shared/about-slides.md
+- shared/chat-room-im.md
+#- shared/chat-room-zoom-meeting.md
+#- shared/chat-room-zoom-webinar.md
+- shared/toc.md
+- # DAY 1
+  #- containers/Docker_Overview.md
+  #- containers/Docker_History.md
+  - containers/Training_Environment.md
+  #- containers/Installing_Docker.md
+  - containers/First_Containers.md
+  - containers/Background_Containers.md
+  - containers/Initial_Images.md
+  - containers/Building_Images_Interactively.md
+  - containers/Building_Images_With_Dockerfiles.md
+  - containers/Cmd_And_Entrypoint.md
+  - containers/Copying_Files_During_Build.md
+  - containers/Exercise_Dockerfile_Basic.md
+- # DAY 2
+  - containers/Container_Networking_Basics.md
+  - containers/Local_Development_Workflow.md
+  - containers/Container_Network_Model.md
+  - containers/Compose_For_Dev_Stacks.md
+  - containers/Exercise_Composefile.md
+- # DAY 3
+  - containers/Start_And_Attach.md
+  - containers/Naming_And_Inspecting.md
+  - containers/Labels.md
+  - containers/Getting_Inside.md
+  - containers/Dockerfile_Tips.md
+  - containers/Advanced_Dockerfiles.md
+  - containers/Multi_Stage_Builds.md
+  - containers/Publishing_To_Docker_Hub.md
+  - containers/Exercise_Dockerfile_Multistage.md
+- # DAY 4
+  - containers/Buildkit.md
+  - containers/Network_Drivers.md
+  - containers/Namespaces_Cgroups.md
+  #- containers/Copy_On_Write.md
+  - containers/Orchestration_Overview.md
+  #- containers/Docker_Machine.md
+  #- containers/Init_Systems.md
+  #- containers/Application_Configuration.md
+  #- containers/Logging.md
+  #- containers/Containers_From_Scratch.md
+  #- containers/Container_Engines.md
+  #- containers/Pods_Anatomy.md
+  #- containers/Ecosystem.md
+  - shared/thankyou.md
+  #- containers/links.md

slides/2.yml

@@ -0,0 +1,92 @@
+title: |
+  Fondamentaux Kubernetes
+
+chat: "[Mattermost](https://training.enix.io/mattermost)"
+
+gitrepo: github.com/jpetazzo/container.training
+
+slides: https://2025-10-enix.container.training/
+
+#slidenumberprefix: "#SomeHashTag — "
+
+exclude:
+- self-paced
+
+content:
+- shared/title.md
+- logistics.md
+- k8s/intro.md
+- shared/about-slides.md
+- shared/chat-room-im.md
+#- shared/chat-room-zoom-meeting.md
+#- shared/chat-room-zoom-webinar.md
+- shared/prereqs.md
+- shared/handson.md
+#- shared/webssh.md
+- shared/connecting.md
+- exercises/k8sfundamentals-brief.md
+- exercises/yaml-dockercoins-brief.md
+- exercises/localcluster-brief.md
+- exercises/healthchecks-brief.md
+- shared/toc.md
+- # 1
+  #- k8s/versions-k8s.md
+  - shared/sampleapp.md
+  #- shared/composescale.md
+  #- shared/hastyconclusions.md
+  - shared/composedown.md
+  - k8s/concepts-k8s.md
+  - k8s/kubectlget.md
+  - k8s/kubectl-run.md
+  - k8s/kubectlexpose.md
+  - k8s/service-types.md
+  - k8s/kubenet.md
+  - k8s/shippingimages.md
+  #- k8s/buildshiprun-selfhosted.md
+  - k8s/buildshiprun-dockerhub.md
+  - exercises/k8sfundamentals-details.md
+  - k8s/ourapponkube.md
+  #- k8s/exercise-wordsmith.md
+- # 2
+  - shared/yaml.md
+  - k8s/labels-annotations.md
+  - k8s/kubectl-logs.md
+  - k8s/logs-cli.md
+  - k8s/yamldeploy.md
+  - k8s/namespaces.md
+  - shared/declarative.md
+  - k8s/declarative.md
+  - k8s/deploymentslideshow.md
+  - k8s/setup-overview.md
+  - k8s/setup-devel.md
+  #- k8s/setup-managed.md
+  #- k8s/setup-selfhosted.md
+  - k8s/localkubeconfig.md
+  - k8s/accessinternal.md
+  - k8s/kubectlproxy.md
+  - exercises/yaml-dockercoins-details.md
+  - exercises/localcluster-details.md
+- # 3
+  #- k8s/kubectlscale.md
+  - k8s/scalingdockercoins.md
+  - shared/hastyconclusions.md
+  - k8s/daemonset.md
+  - k8s/rollout.md
+  - k8s/healthchecks.md
+  #- k8s/healthchecks-more.md
+  - k8s/dashboard.md
+  - k8s/k9s.md
+  - k8s/tilt.md
+  - exercises/healthchecks-details.md
+- # 4
+  - k8s/ingress.md
+  #- k8s/ingress-tls.md
+  #- k8s/ingress-advanced.md
+  - k8s/volumes.md
+  #- k8s/exercise-configmap.md
+  #- k8s/build-with-docker.md
+  #- k8s/build-with-kaniko.md
+  - k8s/configuration.md
+  - k8s/secrets.md
+  - k8s/batch-jobs.md
+  - shared/thankyou.md

slides/3.yml

@@ -0,0 +1,47 @@
+title: |
+  Packaging d'applications
+  pour Kubernetes
+
+chat: "[Mattermost](https://training.enix.io/mattermost)"
+
+gitrepo: github.com/jpetazzo/container.training
+
+slides: https://2025-10-enix.container.training/
+
+#slidenumberprefix: "#SomeHashTag — "
+
+exclude:
+- self-paced
+
+content:
+- shared/title.md
+- logistics.md
+- k8s/intro.md
+- shared/about-slides.md
+- k8s/prereqs-advanced.md
+- shared/handson.md
+- shared/webssh.md
+- shared/connecting.md
+#- shared/chat-room-im.md
+#- shared/chat-room-zoom.md
+- shared/toc.md
+-
+  - k8s/demo-apps.md
+  - k8s/kustomize.md
+  - k8s/helm-intro.md
+  - k8s/helm-chart-format.md
+  - k8s/helm-create-basic-chart.md
+  - exercises/helm-generic-chart-details.md
+-
+  - k8s/helm-create-better-chart.md
+  - k8s/helm-dependencies.md
+  - k8s/helm-values-schema-validation.md
+  - k8s/helm-secrets.md
+  - exercises/helm-umbrella-chart-details.md
+-
+  - k8s/helmfile.md
+  - k8s/ytt.md
+  - k8s/gitworkflows.md
+  - k8s/flux.md
+  - k8s/argocd.md
+  - shared/thankyou.md

slides/4.yml

@@ -0,0 +1,74 @@
+title: |
+  Kubernetes Avancé
+
+chat: "[Mattermost](https://training.enix.io/mattermost)"
+
+gitrepo: github.com/jpetazzo/container.training
+
+slides: https://2025-10-enix.container.training/
+
+#slidenumberprefix: "#SomeHashTag — "
+
+exclude:
+- self-paced
+
+content:
+- shared/title.md
+- logistics.md
+- k8s/intro.md
+- shared/about-slides.md
+- shared/chat-room-im.md
+#- shared/chat-room-zoom.md
+- k8s/prereqs-advanced.md
+- shared/handson.md
+- shared/webssh.md
+- shared/connecting.md
+- shared/toc.md
+- exercises/netpol-brief.md
+- exercises/sealed-secrets-brief.md
+- exercises/rbac-brief.md
+- exercises/kyverno-ingress-domain-name-brief.md
+- exercises/reqlim-brief.md
+- #1
+  - k8s/demo-apps.md
+  - k8s/netpol.md
+  - k8s/authn-authz.md
+  - k8s/sealed-secrets.md
+  - k8s/cert-manager.md
+  - k8s/cainjector.md
+  - k8s/ingress-tls.md
+  - exercises/netpol-details.md
+  - exercises/sealed-secrets-details.md
+  - exercises/rbac-details.md
+- #2
+  - k8s/extending-api.md
+  - k8s/crd.md
+  - k8s/operators.md
+  - k8s/admission.md
+  - k8s/cainjector.md
+  - k8s/kyverno.md
+  - exercises/kyverno-ingress-domain-name-details.md
+- #3
+  - k8s/resource-limits.md
+  - k8s/metrics-server.md
+  - k8s/cluster-sizing.md
+  - k8s/horizontal-pod-autoscaler.md
+  - k8s/apiserver-deepdive.md
+  - k8s/aggregation-layer.md
+  - k8s/hpa-v2.md
+  - exercises/reqlim-details.md
+- #4
+  - k8s/statefulsets.md
+  - k8s/consul.md
+  - k8s/pv-pvc-sc.md
+  - k8s/volume-claim-templates.md
+  #- k8s/eck.md
+  #- k8s/portworx.md
+  - k8s/openebs.md
+  - k8s/stateful-failover.md
+  - k8s/operators-design.md
+  - k8s/operators-example.md
+  - k8s/owners-and-dependents.md
+  - k8s/events.md
+  - k8s/finalizers.md
+  - shared/thankyou.md

slides/5.yml

@@ -0,0 +1,63 @@
+title: |
+  Opérer Kubernetes
+
+chat: "[Mattermost](https://training.enix.io/mattermost)"
+
+gitrepo: github.com/jpetazzo/container.training
+
+slides: https://2025-10-enix.container.training/
+
+#slidenumberprefix: "#SomeHashTag — "
+
+exclude:
+- self-paced
+
+content:
+- shared/title.md
+- logistics-m5.md
+- k8s/intro.md
+- shared/about-slides.md
+- shared/chat-room-im.md
+#- shared/chat-room-zoom-meeting.md
+#- shared/chat-room-zoom-webinar.md
+- shared/toc.md
+-
+  - k8s/prereqs-advanced.md
+  - shared/handson.md
+  - k8s/architecture.md
+  - k8s/deploymentslideshow.md
+  - k8s/dmuc-easy.md
+  - k8s/dmuc-medium.md
+  - k8s/user-cert.md
+  - k8s/control-plane-auth.md
+  - k8s/staticpods.md
+  - exercises/dmuc-auth-details.md
+  - exercises/dmuc-networking-details.md
+  - exercises/dmuc-staticpods-details.md
+-
+  - k8s/dmuc-hard.md
+  - k8s/apilb.md
+  - k8s/cni-internals.md
+  - k8s/csr-api.md
+  - k8s/openid-connect.md
+  - k8s/pod-security-intro.md
+  - k8s/pod-security-policies.md
+  - k8s/pod-security-admission.md
+  #- k8s/interco.md
+  #- k8s/internal-apis.md
+  - k8s/cluster-upgrade.md
+  - k8s/cluster-backup.md
+  #- k8s/cloud-controller-manager.md
+-
+  - flux/scenario.md
+  - flux/bootstrap.md
+  - flux/tenants.md
+  - flux/app1-rocky-test.md
+  - flux/ingress.md
+  - flux/app2-movy-test.md
+  - k8s/k0s.md
+  - flux/add-cluster.md
+  - flux/openebs.md
+  - flux/observability.md
+  - flux/kyverno.md
+  - shared/thankyou.md

slides/_redirects

@@ -2,7 +2,6 @@
 #/ /kube-halfday.yml.html 200!
 #/ /kube-fullday.yml.html 200!
 #/ /kube-twodays.yml.html 200!
-/ /mlops.yml.html 200!
 
 # And this allows to do "git clone https://container.training".
 /info/refs service=git-upload-pack https://github.com/jpetazzo/container.training/info/refs?service=git-upload-pack
@@ -13,7 +12,7 @@
 #/kubernetesmastery https://www.udemy.com/course/kubernetesmastery/?couponCode=DOCKERALLDAY
 
 # Shortlink for the QRCode
-/q https://docs.google.com/forms/d/e/1FAIpQLScYloWur4uVhKgVNIdUrfHZ8pk_mBmPcQwmbhjK2FlR9KWDCA/viewform
+/q /qrcode.html 200
 
 # Shortlinks for next training in English and French
 #/next https://www.eventbrite.com/e/livestream-intensive-kubernetes-bootcamp-tickets-103262336428
@@ -22,3 +21,7 @@
 /us https://www.ardanlabs.com/live-training-events/deploying-microservices-and-traditional-applications-with-kubernetes-march-28-2022.html
 /uk https://skillsmatter.com/workshops/827-deploying-microservices-and-traditional-applications-with-kubernetes-with-jerome-petazzoni
 
+# Survey form
+/please https://docs.google.com/forms/d/e/1FAIpQLSfIYSgrV7tpfBNm1hOaprjnBHgWKn5n-k5vtNXYJkOX1sRxng/viewform
+
+/ /highfive.html 200!

slides/academy-build.py

@@ -0,0 +1,31 @@
+#!/usr/bin/env python
+
+import os
+import re
+import sys
+
+html_file = sys.argv[1]
+output_file_template = "_academy_{}.html"
+title_regex = "name: toc-(.*)"
+redirects = open("_redirects", "w")
+
+sections = re.split(title_regex, open(html_file).read())[1:]
+
+while sections:
+    link, markdown = sections[0], sections[1]
+    sections = sections[2:]
+    output_file_name = output_file_template.format(link)
+    with open(output_file_name, "w") as f:
+        html = open("workshop.html").read()
+        html = html.replace("@@MARKDOWN@@", markdown)
+        titles = re.findall("# (.*)", markdown) + [""]
+        html = html.replace("@@TITLE@@", "{} — Kubernetes Academy".format(titles[0]))
+        html = html.replace("@@SLIDENUMBERPREFIX@@", "")
+        html = html.replace("@@EXCLUDE@@", "")
+        html = html.replace(".nav[", ".hide[")
+        f.write(html)
+    redirects.write("/{} /{} 200!\n".format(link, output_file_name))
+
+html = open(html_file).read()
+html = re.sub("#toc-([^)]*)", "_academy_\\1.html", html)
+sys.stdout.write(html)

slides/compose.yaml

@@ -1,5 +1,3 @@
-version: "2"
-
 services:
   www:
     image: nginx

slides/containers/Compose_For_Dev_Stacks.md

@@ -32,7 +32,7 @@ Compose enables a simple, powerful onboarding workflow:
 
 1. Checkout our code.
 
-2. Run `docker-compose up`.
+2. Run `docker compose up`.
 
 3. Our app is up and running!
 
@@ -66,19 +66,19 @@ class: pic
 
 1. Write Dockerfiles
 
-2. Describe our stack of containers in a YAML file called `docker-compose.yml`
+2. Describe our stack of containers in a YAML file (the "Compose file")
 
-3. `docker-compose up` (or `docker-compose up -d` to run in the background)
+3. `docker compose up` (or `docker compose up -d` to run in the background)
 
 4. Compose pulls and builds the required images, and starts the containers
 
 5. Compose shows the combined logs of all the containers
 
-   (if running in the background, use `docker-compose logs`)
+   (if running in the background, use `docker compose logs`)
 
 6. Hit Ctrl-C to stop the whole stack
 
-   (if running in the background, use `docker-compose stop`)
+   (if running in the background, use `docker compose stop`)
 
 ---
 
@@ -86,11 +86,11 @@ class: pic
 
 After making changes to our source code, we can:
 
-1. `docker-compose build` to rebuild container images
+1. `docker compose build` to rebuild container images
 
-2. `docker-compose up` to restart the stack with the new images
+2. `docker compose up` to restart the stack with the new images
 
-We can also combine both with `docker-compose up --build`
+We can also combine both with `docker compose up --build`
 
 Compose will be smart, and only recreate the containers that have changed.
 
@@ -114,7 +114,7 @@ cd trainingwheels
 Second step: start the app.
 
 ```bash
-docker-compose up
+docker compose up
 ```
 
 Watch Compose build and run the app.
@@ -141,7 +141,17 @@ After ten seconds (or if we press `^C` again) it will forcibly kill them.
 
 ---
 
-## The `docker-compose.yml` file
+## The Compose file
+
+* Historically: docker-compose.yml or .yaml
+
+* Recently (kind of): can also be named compose.yml or .yaml
+
+(Since [version 1.28.6, March 2021](https://docs.docker.com/compose/releases/release-notes/#1286))
+
+---
+
+## Example
 
 Here is the file used in the demo:
 
@@ -172,10 +182,10 @@ services:
 
 A Compose file has multiple sections:
 
-* `version` is mandatory. (Typically use "3".)
-
 * `services` is mandatory. Each service corresponds to a container.
 
+* `version` is optional (it used to be mandatory). It can be ignored.
+
 * `networks` is optional and indicates to which networks containers should be connected.
   <br/>(By default, containers will be connected on a private, per-compose-file network.)
 
@@ -183,24 +193,24 @@ A Compose file has multiple sections:
 
 ---
 
+class: extra-details
+
 ## Compose file versions
 
 * Version 1 is legacy and shouldn't be used.
 
-  (If you see a Compose file without `version` and `services`, it's a legacy v1 file.)
+  (If you see a Compose file without a `services` block, it's a legacy v1 file.)
 
 * Version 2 added support for networks and volumes.
 
 * Version 3 added support for deployment options (scaling, rolling updates, etc).
 
-* Typically use `version: "3"`.
-
 The [Docker documentation](https://docs.docker.com/compose/compose-file/)
 has excellent information about the Compose file format if you need to know more about versions.
 
 ---
 
-## Containers in `docker-compose.yml`
+## Containers in Compose file
 
 Each service in the YAML file must contain either `build`, or `image`.
 
@@ -278,7 +288,7 @@ For the full list, check: https://docs.docker.com/compose/compose-file/
 
   `frontcopy_www`, `frontcopy_www_1`, `frontcopy_db_1`
 
-- Alternatively, use `docker-compose -p frontcopy` 
+- Alternatively, use `docker compose -p frontcopy` 
 
   (to set the `--project-name` of a stack, which default to the dir name)
 
@@ -288,10 +298,10 @@ For the full list, check: https://docs.docker.com/compose/compose-file/
 
 ## Checking stack status
 
-We have `ps`, `docker ps`, and similarly, `docker-compose ps`:
+We have `ps`, `docker ps`, and similarly, `docker compose ps`:
 
 ```bash
-$ docker-compose ps
+$ docker compose ps
 Name                      Command             State           Ports          
 ----------------------------------------------------------------------------
 trainingwheels_redis_1   /entrypoint.sh red   Up      6379/tcp               
@@ -310,13 +320,13 @@ If you have started your application in the background with Compose and
 want to stop it easily, you can use the `kill` command:
 
 ```bash
-$ docker-compose kill
+$ docker compose kill
 ```
 
-Likewise, `docker-compose rm` will let you remove containers (after confirmation):
+Likewise, `docker compose rm` will let you remove containers (after confirmation):
 
 ```bash
-$ docker-compose rm
+$ docker compose rm
 Going to remove trainingwheels_redis_1, trainingwheels_www_1
 Are you sure? [yN] y
 Removing trainingwheels_redis_1...
@@ -327,19 +337,19 @@ Removing trainingwheels_www_1...
 
 ## Cleaning up (2)
 
-Alternatively, `docker-compose down` will stop and remove containers.
+Alternatively, `docker compose down` will stop and remove containers.
 
 It will also remove other resources, like networks that were created for the application.
 
 ```bash
-$ docker-compose down
+$ docker compose down
 Stopping trainingwheels_www_1 ... done
 Stopping trainingwheels_redis_1 ... done
 Removing trainingwheels_www_1 ... done
 Removing trainingwheels_redis_1 ... done
 ```
 
-Use `docker-compose down -v` to remove everything including volumes.
+Use `docker compose down -v` to remove everything including volumes.
 
 ---
 
@@ -369,15 +379,15 @@ Use `docker-compose down -v` to remove everything including volumes.
 
 - If the container is deleted, the volume gets orphaned
 
-- Example: `docker-compose down && docker-compose up`
+- Example: `docker compose down && docker compose up`
 
   - the old volume still exists, detached from its container
 
   - a new volume gets created
 
-- `docker-compose down -v`/`--volumes` deletes volumes
+- `docker compose down -v`/`--volumes` deletes volumes
 
-  (but **not** `docker-compose down && docker-compose down -v`!)
+  (but **not** `docker compose down && docker compose down -v`!)
  
 ---
 
@@ -396,9 +406,9 @@ volumes:
 
 - Volume will be named `<project>_data`
 
-- It won't be orphaned with `docker-compose down`
+- It won't be orphaned with `docker compose down`
 
-- It will correctly be removed with `docker-compose down -v`
+- It will correctly be removed with `docker compose down -v`
 
 ---
 
@@ -417,7 +427,7 @@ services:
 
   (for migration, backups, disk usage accounting...)
 
-- Won't be removed by `docker-compose down -v`
+- Won't be removed by `docker compose down -v`
 
 ---
 
@@ -451,7 +461,7 @@ services:
 
 - This is used when bringing up individual services
 
-  (e.g. `docker-compose up blah` or `docker-compose run foo`)
+  (e.g. `docker compose up blah` or `docker compose run foo`)
 
 ⚠️ It doesn't make a service "wait" for another one to be up!
 
@@ -471,7 +481,9 @@ class: extra-details
 
   - `docker compose` command to deploy Compose stacks to some clouds
 
-  - progressively getting feature parity with `docker-compose`
+  - in Go instead of Python
+
+  - progressively getting feature parity with `docker compose`
 
   - also provides numerous improvements (e.g. leverages BuildKit by default)
 

slides/containers/Container_Engines.md

@@ -84,9 +84,9 @@ like Windows, macOS, Solaris, FreeBSD ...
 
 * Each `lxc-start` process exposes a custom API over a local UNIX socket, allowing to interact with the container.
 
-* No notion of image (container filesystems have to be managed manually).
+* No notion of image (container filesystems had be managed manually).
 
-* Networking has to be set up manually.
+* Networking had to be set up manually.
 
 ---
 
@@ -98,10 +98,22 @@ like Windows, macOS, Solaris, FreeBSD ...
 
 * Daemon exposing a REST API.
 
+* Can run containers and virtual machines.
+
 * Can manage images, snapshots, migrations, networking, storage.
 
 * "offers a user experience similar to virtual machines but using Linux containers instead."
 
+* Driven by Canonical.
+
+---
+
+## Incus
+
+* Community-driven fork of LXD.
+
+* Relatively recent [announced in August 2023](https://linuxcontainers.org/incus/announcement/) so time will tell what the notable differences will be.
+
 ---
 
 ## CRI-O
@@ -140,7 +152,7 @@ We're not aware of anyone using it directly (i.e. outside of Kubernetes).
 
 ---
 
-## Kata containers
+## [Kata containers](https://katacontainers.io/)
 
 * OCI-compliant runtime.
 
@@ -152,7 +164,7 @@ We're not aware of anyone using it directly (i.e. outside of Kubernetes).
 
 ---
 
-## gVisor
+## [gVisor](https://gvisor.dev/)
 
 * OCI-compliant runtime.
 
@@ -170,7 +182,17 @@ We're not aware of anyone using it directly (i.e. outside of Kubernetes).
 
 ---
 
-## Overall ...
+## Others
+
+- Micro VMs: Firecracker, Edera...
+
+- [crun](https://github.com/containers/crun) (runc rewritten in C)
+
+- [youki](https://youki-dev.github.io/youki/) (runc rewritten in Rust)
+
+---
+
+## To Docker Or Not To Docker
 
 * The Docker Engine is very developer-centric:
 
@@ -184,8 +206,26 @@ We're not aware of anyone using it directly (i.e. outside of Kubernetes).
 
 * As a result, it is a fantastic tool in development environments.
 
-* On servers:
+* On Kubernetes clusters, containerd or CRI-O are better choices.
 
-  - Docker is a good default choice
+* On Kubernetes clusters, the container engine is an implementation detail.
 
-  - If you use Kubernetes, the engine doesn't matter
+---
+
+## Different levels
+
+- Directly use namespaces, cgroups, capabilities with custom code or scripts
+
+  *useful for troubleshooting/debugging and for educative purposes; e.g. pipework*
+
+- Use low-level engines like runc, crun, youki
+
+  *useful when building custom architectures; e.g. a brand new orchestrator*
+
+- Use low-level APIs like CRI or containerd grpc API
+
+  *useful to achieve high-level features like Docker, but without Docker; e.g. ctr, nerdctl*
+
+- Use high-level APIs like Docker and Kubernetes
+
+  *that's what most people will do*

slides/containers/Copy_On_Write.md

@@ -327,9 +327,7 @@ class: extra-details
 
 ## Which one is the best?
 
-- Eventually, overlay2 should be the best option.
-
-- It is available on all modern systems.
+- In modern (2015+) systems, overlay2 should be the best option.
 
 - Its memory usage is better than Device Mapper, BTRFS, or ZFS.
 

slides/containers/Docker_History.md

@@ -141,3 +141,13 @@ class: pic
   * etc.
 
 * Docker Inc. launches commercial offers.
+
+---
+
+## Standardization of container runtimes
+
+- Docker 1.11 (2016) introduces containerd and runc
+
+- [Kubernetes 1.5 (2016)](https://kubernetes.io/blog/2016/12/kubernetes-1-5-supporting-production-workloads/) introduces the CRI
+
+- First releases of CRI-O (2017), kata containers...