Kubernetes Comprehensive 2-Day Videos

                WEBVTT

00:00:00.750 --> 00:00:08.550
All right. So we already worked with config maps while enabling the mini-cubata on metal LB.

00:00:09.010 --> 00:00:11.450
If you remember, we viewed that.

00:00:13.310 --> 00:00:19.430
Config maps are API objects used to store non-competential data in key value pairs.

00:00:21.110 --> 00:00:25.410
Pods consume config maps is environment variables.

00:00:25.830 --> 00:00:30.230
Config maps do not provide secrecy or encryption.

00:00:30.230 --> 00:00:35.670
If you want to store data that is confidential, use a secret rather than a config.

00:00:35.670 --> 00:00:38.990
The maximum size for config maps is one mega.

00:00:38.990 --> 00:00:44.470
ConfigMax have both data and binary data fields.

00:00:44.470 --> 00:00:56.470
The data field contains UTF8 strings, while the binary data field is designed to contain binary data as base 64 encoded strings.

00:00:56.470 --> 00:01:00.470
Secrets are objects that contain sensitive data.

00:01:00.470 --> 00:01:05.470
Secrets keep our confidential data out of the application code.

00:01:05.470 --> 00:01:12.470
Secrets are similar to config maps that are intended to hold confidential data.

00:01:12.470 --> 00:01:17.470
Just like a config map, the maximum file size is one megabyte.

00:01:17.470 --> 00:01:21.470
Secrets can also be used to provide environment various.

00:01:21.470 --> 00:01:25.470
Secrets by default store binary data under the data key.

00:01:25.470 --> 00:01:30.470
Again, binary data is base 64 encoded.

00:01:30.470 --> 00:01:36.470
However, secrets can also store stream data under the stream data key.

00:01:36.470 --> 00:01:43.470
So occasionally you have a workload that cannot read base 64 encoded data.

00:01:43.470 --> 00:01:48.470
So in that case, if you're using the secret, you would store it under a string data key.

00:01:48.470 --> 00:01:50.470
And that does happen in case.

00:01:50.470 --> 00:01:54.470
Secrets are stored unencrypted by default.

00:01:54.470 --> 00:02:00.770
So when you have a default deployment or this mini-cube cluster, for example, our secrets are not encrypted.

00:02:00.770 --> 00:02:06.470
Secrets are distorted in the EtsyD clusters, key value pairs.

00:02:06.470 --> 00:02:12.170
Encryption at rest should be enabled in production on Etsy and for secrets.

00:02:12.170 --> 00:02:18.570
Kubernetes distributions such as RKE2 encrypt, Etsy, and secret.

00:02:18.570 --> 00:02:23.870
And secrets enable Kublet to pull container images from private registries.

00:02:23.870 --> 00:02:26.030
So you can also create a secret.

00:02:26.030 --> 00:02:28.490
There are multiple types of secrets.

00:02:28.490 --> 00:02:32.030
As we just mentioned, pulling from a container registry,

00:02:32.030 --> 00:02:34.550
the old legacy method is Docker config.

00:02:34.550 --> 00:02:39.570
The replacement method is a secret with Docker config JSON.

00:02:39.570 --> 00:02:44.870
Not all repositories will work with Docker config JSON yet.

00:02:44.870 --> 00:02:48.630
Some of them still need the old Docker config.

00:02:48.630 --> 00:02:52.030
So both are still available in Kubernetes.

00:02:52.030 --> 00:02:54.030
So it has basic off.

00:02:54.030 --> 00:02:57.790
So if you are using IngenX Ingress with Basic Off,

00:02:57.790 --> 00:03:01.410
you would use a Basic Off secret.

00:03:01.410 --> 00:03:05.630
SSH off, if you need to store your SSH keys.

00:03:05.630 --> 00:03:11.790
TLS off, if you are embedding a TLS cert

00:03:11.790 --> 00:03:16.870
and a TLS key into a secret, you use the TLS.

00:03:16.870 --> 00:03:18.610
And there are additional types available

00:03:18.610 --> 00:03:22.010
that you won't run into this often, or maybe not

00:03:22.030 --> 00:03:23.790
All right, any questions so far about secrets?

00:03:23.790 --> 00:03:26.390
All right, container storage interface.

00:03:26.390 --> 00:03:28.950
So part of persistent volumes.

00:03:30.910 --> 00:03:33.670
Container storage interface or CSI

00:03:33.670 --> 00:03:37.390
is the Kubernetes standard method for accessing block stores.

00:03:37.390 --> 00:03:41.330
And it is used for enabling container A's workloads

00:03:41.330 --> 00:03:44.870
to specifically access block and file storage resources.

00:03:45.910 --> 00:03:47.010
In a production cluster,

00:03:47.010 --> 00:03:49.030
there are options for full featured CIS.

00:03:49.030 --> 00:03:51.230
One of the better CSI options is

00:03:51.230 --> 00:03:55.570
a product called Longhorn, which is also free open source.

00:03:57.670 --> 00:04:04.490
And Longhorn CSI enables important features such as high availability, snapshots,

00:04:05.210 --> 00:04:14.490
encryption at rest using Lux encryption, trim discard, logging, and minicube enables volume snapshots.

00:04:16.010 --> 00:04:20.890
And it uses a basic implementation of a CSI spec known as the

00:04:20.890 --> 00:04:30.850
CSI HostPath driver. So they do have a CSI that they now get to persistent volumes to utilize the CSI.

00:04:30.990 --> 00:04:37.670
A persistent volume or PV is a volume that is provisioned in cluster. It can be provisioned manually

00:04:37.670 --> 00:04:46.350
or dynamically. It is a resource, just like a node or pod, is a resource. PVs have a life cycle

00:04:46.350 --> 00:04:50.610
that is independent of the resource requesting it, such as a pod.

00:04:51.830 --> 00:04:57.570
So this is a similar concept to creating an external volume in Docker.

00:04:58.290 --> 00:05:00.950
So when you Docker Compose up, for example,

00:05:02.310 --> 00:05:07.430
and so you're installing a MariaDB database,

00:05:07.430 --> 00:05:12.010
and it will create a volume that's managed by Docker Compose,

00:05:12.110 --> 00:05:12.710
the state.

00:05:13.670 --> 00:05:15.270
And then when you Docker Compose down,

00:05:15.330 --> 00:05:16.330
it deletes that volume.

00:05:16.350 --> 00:05:20.350
With Docker, you can do an external volume,

00:05:20.350 --> 00:05:24.350
and then Docker Composed does not manage the state of that volume.

00:05:24.350 --> 00:05:26.350
It simply reads it or writes to it.

00:05:26.350 --> 00:05:31.350
A persistent volume claim or PVC is a request for storage.

00:05:31.350 --> 00:05:38.350
PVCs consume PV resources or persistent volume resources.

00:05:38.350 --> 00:05:44.350
PVCs can request specific size and access modes.

00:05:44.350 --> 00:05:53.070
modes. It can request two gig and a specific access mode. Access modes can be read write once,

00:05:53.950 --> 00:06:02.190
read only many, read write many, or read write once. All right, any questions about c

00:06:02.190 --> 00:06:14.190
and i's or cc's or pvs. Okay. All right, make sure you have a fresh mincube profile and we're just

00:06:14.190 --> 00:06:16.990
just going to spin up a basic cluster.

00:06:16.990 --> 00:06:19.810
All right, I'm going to create a config map at me.

00:06:19.810 --> 00:06:21.690
Made this file easy for you.

00:06:21.690 --> 00:06:25.570
I think this is the simplest one yet.

00:06:25.570 --> 00:06:38.080
These can get complex, but generally.

00:06:38.080 --> 00:06:39.840
Sticky slide here.

00:06:39.840 --> 00:06:42.520
Verify the config map does apply.

00:06:42.520 --> 00:06:46.400
And we can describe the config map.

00:06:46.400 --> 00:06:47.520
There we go.

00:06:47.520 --> 00:06:50.420
We've got two data points shown.

00:06:50.420 --> 00:06:53.120
K8's admin for the username.

00:06:53.120 --> 00:06:54.520
No binary data.

00:06:54.520 --> 00:06:55.340
Now we're going to create it.

00:06:55.340 --> 00:07:10.720
job to access the config back. Okay, I think ENV from, let's see. So under command, look at

00:07:10.720 --> 00:07:16.160
everything under command. Look at the first item under command. That looks good to me. YAML formatting,

00:07:16.160 --> 00:07:23.480
man. Fortunately, Coup control gives you some great feedback. But in the helm chart, not so much.

00:07:23.480 --> 00:07:44.790
All right, so we got to create the namespace, right? Let's do that real quick. We're going to view the

00:07:44.790 --> 00:07:55.700
pod events. What do you think that might be? That's correct. So you cannot read a config map

00:07:55.700 --> 00:08:01.860
from another namespace. Interesting. And delete the original config map and verify that it's been

00:08:01.860 --> 00:08:06.440
deleted. I think so. Yeah, I believe that is correct. And now we're going to describe the

00:08:06.440 --> 00:08:11.960
config map just to make sure it's correct. And you see something there. You see it says data

00:08:11.960 --> 00:08:18.840
to so that tells you have two fields. If you're expecting five and you see two, that's a good

00:08:18.860 --> 00:08:19.700
Let's find it.

00:08:19.700 --> 00:08:22.040
It's another troubleshooting technique.

00:08:22.040 --> 00:08:24.380
Okay, there's a namespace.

00:08:25.580 --> 00:08:29.040
Now we need to delete the config net job

00:08:29.040 --> 00:08:30.360
and then reapply it.

00:08:31.680 --> 00:08:33.320
Verify the pod status.

00:08:33.320 --> 00:08:35.180
Okay, because, yep,

00:08:35.180 --> 00:08:39.690
that's when we've designed a lot.

00:08:39.690 --> 00:08:44.170
So we're gonna view the logs for the desired output.

00:08:45.290 --> 00:08:46.290
All right.

00:08:46.290 --> 00:08:52.190
So what did we put in there for our Envy bars?

00:08:52.250 --> 00:08:55.250
We had two bars we put it in there, right?

00:08:55.250 --> 00:09:00.250
So we had an access level.

00:09:00.250 --> 00:09:02.250
Yep, both of them are in there.

00:09:02.250 --> 00:09:03.250
All right.

00:09:03.250 --> 00:09:06.250
It was the fastest way to remove all resources for this practice.

00:09:06.250 --> 00:09:08.250
And so we eat the namespace, that's right.

00:09:08.250 --> 00:09:12.250
It gives you minutes when you're testing.

00:09:12.250 --> 00:09:14.250
Minutes that up, right.

00:09:14.250 --> 00:09:22.250
Practice to create a base 64 encoded string of

00:09:22.250 --> 00:09:30.090
password. Okay, now we're going to decode it. Now, so you can see, encoding doesn't

00:09:30.090 --> 00:09:40.600
encrypt it. Anyone can decode what is in the stream. All right, let's read a fresh

00:09:40.600 --> 00:09:47.720
mini-cube profile, create a single node mini-cube cluster. So weird, it says minicube 1.36.0

00:09:47.720 --> 00:09:53.080
on Ubuntu 2404, but when you query it, it tells you're using Ubuntu 22.

00:09:53.080 --> 00:10:01.400
Yep. All right. We are going to create a local, self-signed search for an ingress secret.

00:10:02.200 --> 00:10:09.320
We're going to create a secret for ingress. All right, I'm guessing I did it. So it looks like normal output to me.

00:10:10.920 --> 00:10:21.380
So now we're going to take that, which we created at tls.ckey, a tls.sert. We are going to turn it into a secret.

00:10:21.380 --> 00:10:23.000
Now we're going to check that it was created.

00:10:26.290 --> 00:10:27.030
All right.

00:10:27.150 --> 00:10:28.590
Ingress PLS.

00:10:28.690 --> 00:10:29.830
Now we're going to give you the secret.

00:10:29.950 --> 00:10:30.550
All right.

00:10:30.670 --> 00:10:32.770
Tell me what you think about that.

00:10:32.890 --> 00:10:34.090
What are we looking at here?

00:10:34.190 --> 00:10:34.410
Yep.

00:10:34.530 --> 00:10:36.390
And they are base 64 encoded.

00:10:37.090 --> 00:10:42.770
And so what happened is when we told it to create a secret, TLS.

00:10:42.770 --> 00:10:45.710
If you remember back to that Kubernetes.io,

00:10:46.010 --> 00:10:47.230
forward slash TLS.

00:10:47.950 --> 00:10:51.550
So we told it to create the type of secret TLS.

00:10:51.870 --> 00:10:53.570
And it automatically knows to that.

00:10:53.590 --> 00:10:58.230
and take and throw that as base 64 and code a data

00:10:58.230 --> 00:11:04.810
into the TLS cert and TLS key fields that we can't read it.

00:11:04.810 --> 00:11:07.830
So to read them, we need to base 64 decode them.

00:11:07.830 --> 00:11:10.850
It's great, it shows us we have a TLS certain TLS key,

00:11:10.850 --> 00:11:16.620
but we need to see what is actually in our secret.

00:11:16.620 --> 00:11:22.040
Okay, so you can see that got us one step further.

00:11:22.040 --> 00:11:25.620
We have, you can see that they're in certificate format now.

00:11:25.640 --> 00:11:35.980
So we take it from base 64 encoded to certificate, but it's not in the open SSL X 509 format.

00:11:35.980 --> 00:11:38.980
So now we're going to base 64 decode and output.

00:11:38.980 --> 00:11:41.980
The first step is we're going to read the TLS.

00:11:41.980 --> 00:11:49.980
We'll find JQ is used quite frequently in reading data in Kubernetes clusters,

00:11:49.980 --> 00:11:50.980
parsing data.

00:11:50.980 --> 00:11:52.980
All right.

00:11:52.980 --> 00:11:54.980
What is the not after date?

00:11:54.980 --> 00:11:55.980
Yeah.

00:11:55.980 --> 00:11:57.980
And what is the issuer?

00:11:57.980 --> 00:11:58.980
Yeah.

00:11:58.980 --> 00:12:01.980
Does that sound familiar?

00:12:01.980 --> 00:12:05.930
Alright, do the same thing.

00:12:05.930 --> 00:12:07.930
Credit key.

00:12:07.930 --> 00:12:09.930
Slightly different.

00:12:09.930 --> 00:12:13.930
I'm going to use P-key instead of X-519.

00:12:13.930 --> 00:12:16.930
No, it's slightly different.

00:12:16.930 --> 00:12:18.930
We're using TLS.

00:12:18.930 --> 00:12:20.930
And then P-key.

00:12:20.930 --> 00:12:25.930
Change X-509 to P-key.

00:12:25.930 --> 00:12:26.930
Okay, how many bits in this?

00:12:26.930 --> 00:12:33.310
how many bits in the private key? All right. And now that we've just demonstrated that both

00:12:33.310 --> 00:12:38.170
the certain key are valid, we can use them in our cluster ingress. All right, so we have a base

00:12:38.170 --> 00:12:42.530
mini-cube cluster. Make sure it's up at running. There we go. We're going to configure

00:12:42.530 --> 00:12:50.790
ingress. We're going to do the add-on for configure ingress. The, yeah, poop system,

00:12:50.790 --> 00:12:56.910
and then we named it Ingress TLS, the name of the sequence. Now we need to

00:12:56.930 --> 00:13:04.130
enable the ingress. Okay, now we can get the ingress and there's no ingress bound, right?

00:13:04.130 --> 00:13:13.330
And that's because we need to create an ingress, a kind ingress that will communicate with the

00:13:13.330 --> 00:13:19.810
ingress API. So we have an ingress in place, but we don't have an ingress in the ingress

00:13:19.810 --> 00:13:26.530
controller, right? So now we're going to create a TLS as ingress.

00:13:26.530 --> 00:13:35.570
file and you'll notice some differences here and what we've done before when you get

00:13:35.570 --> 00:13:49.890
this up go ahead and deploy it I'll be right back so let's see let's try it again

00:13:49.890 --> 00:13:58.690
here the ingress okay all right now let's open a browser and test try htttps

00:13:58.690 --> 00:14:05.310
engine x dot example all right now let's describe the ingress you have

00:14:05.330 --> 00:14:10.990
an ingress and see we obtained our TLS search. All right, so let's go ahead and describe the

00:14:10.990 --> 00:14:20.970
ingress. Ingress. And then, there you go. Yeah. Yeah. All right. Okay, let's take a look

00:14:20.970 --> 00:14:28.010
at our services. Yeah, we don't have a service, do we? Yeah. Yeah. So we need to deploy our

00:14:28.010 --> 00:14:35.310
node port service, which is going to be node port dash service. Yeah. So it should still be there.

00:14:35.330 --> 00:14:43.650
in your tour every day now check your services all right we've got engine X service up and it's got a

00:14:43.650 --> 00:14:50.450
cluster it's got a node port okay so now let's check let's describe our TLS ingress again

00:14:50.450 --> 00:14:56.530
still says not found let's describe our well let's describe our service let's see what our service

00:14:56.530 --> 00:15:05.010
looks like now all right if you notice anything different anything else yeah so the ingress is

00:15:05.330 --> 00:15:34.530
for a for a service that's in the coop system namespace right and so what we need to do is we need to change the service to be in the gillus ingress namespace right so we're going to bring that service down so we're going to delete it and then we're going to modify that file and add the coop system namespace if I believe that's node port service

00:15:35.330 --> 00:15:40.330
I think that's what we just deployed minus us.

00:15:40.330 --> 00:15:42.330
All right.

00:15:42.330 --> 00:15:44.330
We'll modify it and...

00:15:44.330 --> 00:15:48.330
Yeah, and we'll add the kube system for the namespace.

00:15:48.330 --> 00:15:53.330
We've used other namespaces before, but this time we're sticking with kube system.

00:15:53.330 --> 00:15:56.330
Now, in a production cluster, you would not want your developers

00:15:56.330 --> 00:16:00.330
if they're deploying applications to work within the kube system namespace.

00:16:00.330 --> 00:16:04.330
But in our case, we're having fun today.

00:16:04.330 --> 00:16:11.370
today right now let's check our ingress again describe our ingress now we're going to describe

00:16:13.050 --> 00:16:21.210
there we good all right what do we have we have an endpoint okay so notice that we have an endpoint

00:16:21.850 --> 00:16:29.770
right engine X service 8080 nothing else beyond that okay so now let's go describe the service

00:16:29.770 --> 00:16:34.170
well what else is missing only thing there without a value well let's

00:16:34.330 --> 00:16:37.310
The only thing they're, yeah, there's no endpoints, right?

00:16:37.850 --> 00:16:43.130
And so in this case, the ingress terminates the TLS at the ingress,

00:16:43.470 --> 00:16:49.450
and then we go through the ingress, unencrypted to the service in the pods.

00:16:50.650 --> 00:16:54.950
So we would still be using 80 for our target report.

00:16:55.570 --> 00:17:00.590
We're using 80, and then we're targeting 80, but we're targeting 80 on what,

00:17:01.330 --> 00:17:03.050
targeting targeting 80 on it.

00:17:04.330 --> 00:17:11.010
an app with a selector, and so we're looking for an app named EngineX, and we don't have

00:17:11.010 --> 00:17:18.210
one, so there's no Ingrams, right? So now we need to deploy the IngenX app. So I take you through

00:17:18.210 --> 00:17:23.430
this a little bit backwards than I did on a previous lesson. Right, but in this case, we're

00:17:23.430 --> 00:17:27.150
actually doing a little bit of troubleshooting. So we're starting with our ingress, and then we're

00:17:27.150 --> 00:17:33.970
going backwards. That way it kind of tweaks the muscle memory a little bit. So my slides will be on

00:17:33.970 --> 00:17:35.970
up sync here and match up.

00:17:35.970 --> 00:17:38.970
Put it up on you a little bit.

00:17:38.970 --> 00:17:44.570
All right, so we need to add a namespace to this.

00:17:44.570 --> 00:17:46.570
So what namespace do we need to add?

00:17:46.570 --> 00:17:47.570
Where do we need to add it?

00:17:47.570 --> 00:17:49.570
Yep, that's correct.

00:17:49.570 --> 00:17:50.570
And we'll deploy that.

00:17:50.570 --> 00:17:52.570
Let's make sure it's deployed.

00:17:52.570 --> 00:17:54.570
Yep, it's running.

00:17:54.570 --> 00:17:56.570
Let's see, no.

00:17:56.570 --> 00:17:57.570
Where is it? There we go.

00:17:57.570 --> 00:17:59.570
Okay, so now let's check the service.

00:17:59.570 --> 00:18:01.570
Take a look at the service.

00:18:01.570 --> 00:18:02.570
What do we see?

00:18:02.570 --> 00:18:04.570
All right, now let's go look at the Ingress.

00:18:04.570 --> 00:18:11.450
ingress. Notice how the endpoints populated over. And why is that? Because the ingress

00:18:11.450 --> 00:18:17.370
controls the load balance, right? So it needs to be able to provide that information. So we're hitting

00:18:17.370 --> 00:18:25.770
the internet service on the 8080 and then the service is hitting the individual odds on our IP address

00:18:25.770 --> 00:18:32.250
on 48. So for troubleshooting when you're troubleshooting ingress, if you start at the ingress

00:18:32.250 --> 00:18:34.130
and work your way backwards.

00:18:35.790 --> 00:18:40.050
Sometimes that will help you with figuring out what is missing,

00:18:40.430 --> 00:18:42.750
what isn't connecting, what isn't working the way.

00:18:43.930 --> 00:18:46.250
Okay, so that put all my slides out of wax.

00:18:46.370 --> 00:18:47.410
Let me get them caught up here.

00:18:48.410 --> 00:18:50.370
I just wanted to switch it up on you

00:18:50.370 --> 00:18:53.250
because you were starting to figure out my technique.

00:18:53.250 --> 00:18:55.650
So I said, I didn't let's switch this up a little bit.

00:18:55.810 --> 00:19:02.090
Okay, and so now go to the browser and let's just see if we're all right.

00:19:02.250 --> 00:19:10.700
skip product here on the slides there we go welcome all right so how do you feel about about encrypted

00:19:10.700 --> 00:19:16.740
ingress and the way that worked out yeah and so just remember you can know all right so now we're

00:19:16.740 --> 00:19:23.060
going to create a docker config secret and you will use this for pulling containers from your

00:19:23.060 --> 00:19:29.120
own registry so if you have your own private containers so kubernetes will pull it in

00:19:29.120 --> 00:19:33.580
private registry if you're using the newer system something

00:19:33.600 --> 00:19:35.260
I'm not teaching you the older system.

00:19:35.260 --> 00:19:36.800
I'm teaching you the newer system,

00:19:36.800 --> 00:19:38.840
which is more slides or grows up here.

00:19:40.660 --> 00:19:44.000
And so instead of having this with the black background,

00:19:45.200 --> 00:19:47.840
it didn't show up, so I did it a little differently

00:19:47.840 --> 00:19:49.920
this time, so easier to read.

00:19:49.920 --> 00:19:52.420
Okay, let's check the secret was created.

00:19:54.560 --> 00:19:58.240
All right, okay, let's describe the secret.

00:19:59.240 --> 00:20:00.600
Well, it's not really helpful.

00:20:00.600 --> 00:20:02.600
All that tells us is that there's a dot,

00:20:02.600 --> 00:20:05.280
Docker could take JSON in there.

00:20:05.280 --> 00:20:07.200
They have 145 bytes.

00:20:07.200 --> 00:20:09.440
What's in there, right?

00:20:09.440 --> 00:20:11.280
We'd like to know.

00:20:11.280 --> 00:20:13.220
Inquiring minds, it won't connect.

00:20:13.220 --> 00:20:15.540
I have an image poll there.

00:20:15.540 --> 00:20:16.840
Improper credentials.

00:20:16.840 --> 00:20:17.840
What's in that?

00:20:17.840 --> 00:20:18.840
All right, take a look.

00:20:18.840 --> 00:20:21.660
It's not real helpful either, is it?

00:20:21.660 --> 00:20:22.920
It's all encoded.

00:20:22.920 --> 00:20:26.040
So we can see what's in Doctor can take JSON,

00:20:26.040 --> 00:20:27.840
but it's all still encoded.

00:20:27.840 --> 00:20:28.960
So what do we do?

00:20:30.160 --> 00:20:32.120
Right?

00:20:32.120 --> 00:20:32.480
Yeah.

00:20:32.480 --> 00:20:38.480
You encoded secret data, and you can hit enter to get a clean line if you want.

00:20:38.480 --> 00:20:40.480
Yeah, right?

00:20:40.480 --> 00:20:42.480
It decoded everything except the off.

00:20:42.480 --> 00:20:44.480
Well, that's not helpful.

00:20:44.480 --> 00:20:49.480
Now we need to base 64 decode the off, right?

00:20:49.480 --> 00:20:51.480
How do we do that?

00:20:51.480 --> 00:20:57.480
Well, remember when we went through the previous exercise and we encoded a string and decoded a stream called password?

00:20:57.480 --> 00:21:00.480
Let's do the same thing.

00:21:00.480 --> 00:21:01.480
Remember how to do that?

00:21:01.480 --> 00:21:11.360
do that? All right. Well, that was anti-comatic. It's just the username and password. That's how

00:21:11.360 --> 00:21:20.840
it stores it. So now you know how to create and read a credential secret to access a private

00:21:20.840 --> 00:21:25.600
repo. So if you have your own images that you're pulling into Kubernetes and you're using your

00:21:25.600 --> 00:21:31.160
own private repo, this is how you would connect with a modern system or if your system is still

00:21:31.160 --> 00:21:37.400
using Legacy, and instead of using a Docker config JSON, you just use a Docker config.

00:21:39.080 --> 00:21:45.320
All right. Next one, we're going to ensure a fresh mini-cube environment and create a persistent

00:21:45.320 --> 00:21:46.520
volume clean.

00:21:48.680 --> 00:21:54.600
You're right. As soon as you do delete, it disconnects. And that's because it's resetting the Docker

00:21:54.600 --> 00:21:59.880
network, I think. So Docker is gaining control over.

00:22:01.160 --> 00:22:03.320
the host network, which is what it does.

00:22:03.320 --> 00:22:04.580
It has root access.

00:22:04.580 --> 00:22:08.400
Docker, yes, Docker does that because Docker is a development environment,

00:22:08.400 --> 00:22:10.760
it's not a production environment.

00:22:10.760 --> 00:22:14.400
So it gains control, root control overall process

00:22:14.400 --> 00:22:17.320
as related to the network so that you don't have any issues

00:22:17.320 --> 00:22:19.240
when you're spinning something up.

00:22:19.240 --> 00:22:21.600
Because they don't want to listen to developers all day.

00:22:21.600 --> 00:22:26.740
They say, hey, my Docker for Mac or my Docker environment

00:22:26.740 --> 00:22:29.800
won't let me do this, so they just enable fruit access

00:22:29.800 --> 00:22:31.140
and it takes control over every day.

00:22:31.160 --> 00:22:34.160
When it just works, like Dockermann.

00:22:34.160 --> 00:22:39.160
Definitely don't want to run that in production though because it overrides firewalls and everything.

00:22:39.160 --> 00:22:45.160
Okay, now we need to enable our storage add-ons for the snapshot.

00:22:45.160 --> 00:22:48.160
All right, what do we have going different here?

00:22:48.160 --> 00:22:51.160
Snapshot controller. Let's take a look at that.

00:22:51.160 --> 00:22:52.160
Looks like it.

00:22:52.160 --> 00:22:56.160
So it's a replica set or we'll find out?

00:22:56.160 --> 00:22:59.160
Let's scroll up to the top there.

00:22:59.160 --> 00:23:00.160
Let's see, it's a replica set.

00:23:00.160 --> 00:23:07.680
replica set yeah okay so it's got two now it's got a leader election so it's high

00:23:07.680 --> 00:23:19.680
availability nice ensures it has one always running okay right now we're going to

00:23:19.680 --> 00:23:26.940
enable a storage add-on for CSI which is our container storage interface so

00:23:26.940 --> 00:23:31.540
that was our snapshot controller which is important

00:23:31.560 --> 00:23:38.280
have and now we're going to install the container storage interface. This is a simplified

00:23:38.280 --> 00:23:46.920
CSI. If we were doing complex, we'd be here through the middle of next week. We're going to keep it

00:23:46.920 --> 00:23:52.280
simple. Yes, like if we were doing long more setting it up the first time,

00:23:52.280 --> 00:23:59.640
ooh boy getting everything done right, it's about two weeks of times. Oh, what's going on? A lot going on,

00:23:59.640 --> 00:24:01.640
Uh-huh.

00:24:01.640 --> 00:24:04.640
All right, is everything else?

00:24:04.640 --> 00:24:05.640
Yep.

00:24:05.640 --> 00:24:07.640
Let's look at the node.

00:24:07.640 --> 00:24:10.640
Let's do what's going on in the node.

00:24:10.640 --> 00:24:14.640
Correct six containers in that pod.

00:24:14.640 --> 00:24:19.640
We can come back and look at that one in just a second time and see what all is involved in that.

00:24:19.640 --> 00:24:24.640
No requests or limits for anything.

00:24:24.640 --> 00:24:28.640
Well, that's kind of lazy as developers.

00:24:28.640 --> 00:24:30.640
Why not, right?

00:24:30.640 --> 00:24:32.640
All right, we'll look at that.

00:24:32.640 --> 00:24:36.640
We'll take a look at that one with six containers in the bottom.

00:24:36.640 --> 00:24:37.640
What do you see?

00:24:37.640 --> 00:24:38.640
Yeah.

00:24:38.640 --> 00:24:44.640
Every time I do that online, I have proxmox, and it does something really inconvenient that I think it out of.

00:24:44.640 --> 00:24:47.640
Well, we had to pull six images at least, right?

00:24:47.640 --> 00:24:49.640
Mm-hmm, mm-hmm.

00:24:49.640 --> 00:24:53.640
We've got live-ness probes, so let's scroll up to the top.

00:24:53.640 --> 00:24:55.640
It's going to be a long one.

00:24:55.640 --> 00:24:57.640
Here we go.

00:24:57.640 --> 00:24:59.640
See what we got in here.

00:24:59.640 --> 00:25:01.640
It's a demon set.

00:25:01.640 --> 00:25:03.640
Interesting.

00:25:03.640 --> 00:25:05.640
What does that tell us?

00:25:05.640 --> 00:25:06.640
Mm-hmm.

00:25:06.640 --> 00:25:09.640
Why might we not want that to take place?

00:25:09.640 --> 00:25:10.640
Yeah.

00:25:10.640 --> 00:25:11.640
Right.

00:25:11.640 --> 00:25:13.640
If we're actually doing a production cluster,

00:25:13.640 --> 00:25:16.640
we would definitely not want this

00:25:16.640 --> 00:25:18.640
to be on a control plane node.

00:25:18.640 --> 00:25:21.640
And ideally, we would not want this on a worker node.

00:25:21.640 --> 00:25:24.640
We would want this on its storage node.

00:25:24.640 --> 00:25:27.620
So we would force this to a node

00:25:27.640 --> 00:25:36.440
role of storage in high availability and that way it stays off the control plane it stays off the

00:25:36.440 --> 00:25:43.320
worker node we would taint the storage node and then we would tolerate it so it would select storage

00:25:43.320 --> 00:25:50.280
storage at a node role to storage select storage node we would taint the storage node and then we

00:25:50.280 --> 00:25:57.560
inside each of the pods we would tolerate that taint so that it forces

00:25:57.640 --> 00:26:02.200
it onto the storage node but doesn't let the workloads that you're running the

00:26:02.200 --> 00:26:08.760
stateless workloads deploy on the story. Yeah, a little complicated, but that keeps your

00:26:08.760 --> 00:26:15.560
storage separate from your status. Good. Let's get the class storage name. Stories

00:26:15.560 --> 00:26:19.240
class. Mm-hmm. Yeah. Yeah. Where's our storage class?

00:26:19.240 --> 00:26:27.480
Now I'm going to create a persistent volume claim. And remember, a persistent volume claim

00:26:27.480 --> 00:26:34.480
claim makes a reservation, which then creates the persistent ball.

00:26:34.480 --> 00:26:40.050
As soon as you get it done, I'll have you deployed it.

00:26:40.050 --> 00:26:47.050
You can see this is not the default class, so we have to tell it which storage class name.

00:26:47.050 --> 00:26:54.050
If you set it up as the default class, then you would not have to give it this storage class name.

00:26:54.050 --> 00:26:55.050
It would just use the default.

00:26:55.050 --> 00:26:57.050
So in my clip, I think you're missing an S.

00:26:57.050 --> 00:26:58.050
Yep, we'll give it a minute here.

00:26:58.050 --> 00:27:00.870
Give it a minute here.

00:27:00.870 --> 00:27:03.390
There we go.

00:27:03.390 --> 00:27:06.410
So it's storing it on the node,

00:27:06.410 --> 00:27:11.390
and the storage class determines how it's stored, okay,

00:27:11.390 --> 00:27:13.450
and how it's controlled.

00:27:13.450 --> 00:27:15.250
So I'll use Longhorn as an example.

00:27:15.250 --> 00:27:19.210
Again, we're using a, even though it installed a lot of images,

00:27:19.210 --> 00:27:22.610
we're using a very abbreviated version of a CSI

00:27:22.610 --> 00:27:24.390
or container storage interface.

00:27:24.390 --> 00:27:27.250
So with Longhorn, we would have two classes.

00:27:27.250 --> 00:27:31.970
So we would have a standard class and we would have an encrypted class.

00:27:32.770 --> 00:27:34.910
And so we would set the encrypted to default.

00:27:34.910 --> 00:27:44.690
So anything new that's deployed with that storage class controller would deploy on the default storage class controller, which is encrypted.

00:27:45.630 --> 00:27:52.610
So everything that would get in deployed automatically, so you're deploying a database, you wouldn't have to put that in there.

00:27:52.670 --> 00:27:57.170
It would automatically deploy it in the encrypted class.

00:27:57.250 --> 00:28:01.930
which would set your PVC to encrypted.

00:28:01.930 --> 00:28:05.770
So it controls the settings of how you're creating,

00:28:05.770 --> 00:28:09.190
how you're implementing the persistent volume claim.

00:28:09.190 --> 00:28:12.970
And then we would tie those to a specific namespace.

00:28:12.970 --> 00:28:16.130
So now we're going to check, what's that?

00:28:16.130 --> 00:28:19.850
Let's see, the storage class is CSI HostPath SC.

00:28:19.850 --> 00:28:23.810
So we did in our persistent volume claim.

00:28:23.810 --> 00:28:27.230
So that is pvc.e our storage

00:28:27.250 --> 00:28:33.190
class name. Yep. And so if if we had a default, say we were using Longhorn and we hadn't

00:28:33.190 --> 00:28:37.710
encrypted, we wouldn't need the storage class name because it would automatically assign

00:28:37.710 --> 00:28:42.750
you. And in that case, if we wanted unencrypted, we would assign it Longhorn unencrypted

00:28:42.750 --> 00:28:55.650
CSI. Otherwise, it would install it encrypted. So yeah, we use PVCs and a lot of the database applications

00:28:55.650 --> 00:29:04.030
will automatically provision a PVC, or you can provision it yourself and tell it what the

00:29:04.030 --> 00:29:09.170
PVC is, or what the persistent volume is. So you can provision your own persistent volume claim

00:29:09.170 --> 00:29:17.430
and then feed that into the database. And feed that into the configuration file. All right, so if you do

00:29:17.430 --> 00:29:22.590
both of them together now, KC, get PVC. Notice you don't need a namespace for the volume,

00:29:22.710 --> 00:29:25.270
but you need a namespace for the persistent volume.

00:29:25.650 --> 00:29:28.650
All right, let's see.

00:29:28.650 --> 00:29:32.650
So now I'm going to get a volume snapshot class.

00:29:32.650 --> 00:29:34.650
Let's see what that looks.

00:29:34.650 --> 00:29:38.650
So we have a CSI HostPath snap class for that.

00:29:38.650 --> 00:29:40.650
All right, so now that we have that,

00:29:40.650 --> 00:29:44.650
we know we can create a snapshot.

00:29:44.650 --> 00:29:47.650
So let's create a snapshot.

00:29:47.650 --> 00:29:49.650
So we have a persistent volume claim.

00:29:49.650 --> 00:29:52.650
We have a persistent volume created by that claim.

00:29:52.650 --> 00:29:54.650
And now we are going to create a snapshot of a

00:29:54.650 --> 00:29:58.650
snapshot of that volume.

00:29:58.650 --> 00:30:04.650
Well, that's why we go to the exercises of typing out the M, because this will save it a lot of time later on.

00:30:04.650 --> 00:30:07.650
All right, the volume snapshot.

00:30:07.650 --> 00:30:09.650
All right, it's the volume one there.

00:30:09.650 --> 00:30:10.650
There's our snapshot.

00:30:10.650 --> 00:30:16.650
We've snapshoted it, and now it's backed up in a way.

00:30:16.650 --> 00:30:19.650
It's not quite the same to the backup, but...

00:30:19.650 --> 00:30:23.650
All right, we're going to restore a snapshot of the volume.

00:30:23.650 --> 00:30:25.650
This could be fun.

00:30:25.650 --> 00:30:29.650
All right, we're going to create a CSI-dhistore.

00:30:29.650 --> 00:30:30.650
YAML file.

00:30:30.650 --> 00:30:32.650
What are we doing here?

00:30:32.650 --> 00:30:36.650
We're using a persistent volume claim of PVC.

00:30:36.650 --> 00:30:39.650
We're creating a persistent volume,

00:30:39.650 --> 00:30:44.650
but we're using a data source of Snapshot Volume 1

00:30:44.650 --> 00:30:47.650
to turn that into a new volume.

00:30:47.650 --> 00:30:51.650
All right, so now let's apply it.

00:30:51.650 --> 00:30:55.250
Okay, let's check the PVC for the restored snapshot.

00:30:55.250 --> 00:30:56.450
Okay, what happened?

00:30:56.450 --> 00:30:59.650
There's our original PVC.

00:30:59.650 --> 00:31:02.050
Well, we don't have a new one in there.

00:31:02.050 --> 00:31:02.850
Why is that?

00:31:02.850 --> 00:31:05.650
Check persistent volume claims for all.

00:31:05.650 --> 00:31:08.450
And let's get pvc minus a.

00:31:09.250 --> 00:31:11.250
Mm-hmm, give us a second here.

00:31:11.250 --> 00:31:14.050
Getting a fictitious gigabyte.

00:31:14.050 --> 00:31:16.850
It's got to go through all of the events and reporting

00:31:16.850 --> 00:31:21.250
and then give it back to us through the Kubernetes API server.

00:31:21.650 --> 00:31:23.710
A lot of stuff behind the scenes go on.

00:31:23.710 --> 00:31:27.150
We'll give it another second or two here

00:31:27.150 --> 00:31:29.110
and see if it can get itself out.

00:31:29.110 --> 00:31:29.990
Answer that as no.

00:31:29.990 --> 00:31:31.650
You're going to delete the failed restore.

00:31:31.650 --> 00:31:34.810
I'm going to change the name space.

00:31:34.810 --> 00:31:37.410
Now, to match the existing PV,

00:31:37.410 --> 00:31:39.270
and apply the modified restore file.

00:31:39.270 --> 00:31:42.530
So we're going to edit that restore file.

00:31:42.530 --> 00:31:44.150
It's already done.

00:31:44.150 --> 00:31:48.470
How do you feel about persistent volumes,

00:31:48.470 --> 00:31:50.210
persistent volume claims,

00:31:50.210 --> 00:32:01.570
of container storage interface works oh right right yeah yeah so that's the original way

00:32:01.570 --> 00:32:06.210
NFS is the original way with Kubernetes because we didn't have a CSI and now with

00:32:06.210 --> 00:32:13.730
modern Kubernetes we use CSIs to manage our claims whether it's a simple CSI which is what

00:32:13.730 --> 00:32:19.170
we've just demonstrated which is far simpler than what longhorn would involve or it's a

00:32:19.170 --> 00:32:27.170
longhorn which handles all of this for you with a GUI and encrypts everything and manages backups

00:32:27.170 --> 00:32:36.210
automated manages snapshots automated um yeah so we have a simple and longhorn will be complex on that

00:32:36.210 --> 00:32:45.010
and that's the modern way for but you can still use NFS and you can obviously still have a hybrid

00:32:45.010 --> 00:32:53.090
cluster where you run your stateless workloads on your cluster and then connect to a managed

00:32:53.090 --> 00:33:00.370
database or an external database for sure all right so in lesson eight we learned about

00:33:00.370 --> 00:33:09.010
config maps secrets and persistent volumes you know went a little beyond persistent volume

00:33:09.010 --> 00:33:16.730
config maps or API objects used to store non-confidential data in key values.

00:33:18.410 --> 00:33:21.850
Ogs consume config maps as the environment variables.

00:33:23.490 --> 00:33:26.910
Maximum config map size is one meg.

00:33:27.810 --> 00:33:30.970
Config maps do not provide secrecy or encryption.

00:33:31.770 --> 00:33:35.450
If you have confidential data, use a secret for that.

00:33:36.970 --> 00:33:38.810
Config maps have both data,

00:33:39.010 --> 00:33:44.010
and binary data fields, data fields contain UTF8 strings,

00:33:44.010 --> 00:33:49.010
binary data fields contain base 64 encoded stream.

00:33:49.010 --> 00:33:54.010
We learned how to base 64 encode and decode strings.

00:33:54.010 --> 00:33:57.010
We learned how to create a secret.

00:33:57.010 --> 00:34:01.010
The maximum secret size is one meg, one megabyte,

00:34:01.010 --> 00:34:03.010
just like a config map.

00:34:03.010 --> 00:34:08.990
We learned how to base 64 encode both a TLS cert and a TLS

00:34:09.010 --> 00:34:18.290
key. We learned how to read a secret that is base 64 encoded. We learned how to read an x509

00:34:18.290 --> 00:34:28.530
cert and key and a secret, both in certificate and x509 format, which is very useful. And we learn

00:34:28.530 --> 00:34:35.330
how to create a Docker config config secret. We learned how Docker config JSON secrets are used

00:34:35.330 --> 00:34:41.970
to access private registries and how to read and decode a docker config jason secret how to create a persistent

00:34:41.970 --> 00:34:51.490
volume claim with its thought persistent volume how to create a snapshot of a persistent volume claim

00:34:52.770 --> 00:35:00.770
and how to restore a persistent volume claim from a snapshot all right any questions on less than

00:35:00.770 --> 00:35:11.170
right we need to go ahead and take our lunch for 30 minutes we'll be back at 1.45 approximately

00:35:11.170 --> 00:35:13.890
would be a minute before all right see at 145.