From 7baa6ed91ea788f1c476506ae3e5020ea2ba9b3d Mon Sep 17 00:00:00 2001 From: Timur Usmanov Date: Wed, 8 Apr 2026 14:53:07 +0300 Subject: [PATCH 1/4] Lab10 Complete --- k8s/HELM.md | 428 +++++++++++++++++ k8s/LAB10.md | 447 ++++++++++++++++++ k8s/deployment.yml | 43 -- k8s/dinfochart/.gitignore | 1 + k8s/dinfochart/.helmignore | 23 + k8s/dinfochart/Chart.yaml | 24 + k8s/dinfochart/templates/NOTES.txt | 0 k8s/dinfochart/templates/_helpers.tpl | 62 +++ k8s/dinfochart/templates/deployment.yaml | 41 ++ .../templates/hooks/post-install-job.yaml | 20 + .../templates/hooks/pre-install-job.yaml | 20 + k8s/dinfochart/templates/service.yaml | 14 + k8s/dinfochart/values-dev.yaml | 19 + k8s/dinfochart/values-prod.yaml | 23 + k8s/dinfochart/values.yaml | 32 ++ k8s/service.yml | 13 - 16 files changed, 1154 insertions(+), 56 deletions(-) create mode 100644 k8s/HELM.md create mode 100644 k8s/LAB10.md delete mode 100644 k8s/deployment.yml create mode 100644 k8s/dinfochart/.gitignore create mode 100644 k8s/dinfochart/.helmignore create mode 100644 k8s/dinfochart/Chart.yaml create mode 100644 k8s/dinfochart/templates/NOTES.txt create mode 100644 k8s/dinfochart/templates/_helpers.tpl create mode 100644 k8s/dinfochart/templates/deployment.yaml create mode 100644 k8s/dinfochart/templates/hooks/post-install-job.yaml create mode 100644 k8s/dinfochart/templates/hooks/pre-install-job.yaml create mode 100644 k8s/dinfochart/templates/service.yaml create mode 100644 k8s/dinfochart/values-dev.yaml create mode 100644 k8s/dinfochart/values-prod.yaml create mode 100644 k8s/dinfochart/values.yaml delete mode 100644 k8s/service.yml diff --git a/k8s/HELM.md b/k8s/HELM.md new file mode 100644 index 0000000000..726e0ca50a --- /dev/null +++ b/k8s/HELM.md @@ -0,0 +1,428 @@ +# Chart Overview +### Chart structure explanation +Here is the file tree structure: + +``` +dinfochart/ +├── charts +├── Chart.yaml +├── templates +│   ├── deployment.yaml +│   ├── _helpers.tpl +│   ├── hooks +│   │   ├── post-install-job.yaml +│   │   └── pre-install-job.yaml +│   ├── NOTES.txt +│   └── service.yaml +├── values-dev.yaml +├── values-prod.yaml +└── values.yaml +``` + +### Key template files and their purpose +- `_helpers.tpl`: defines helpful values for templates +- `deployment.yaml`: defines the structure for the k8s deployment +- `service.yaml`: defines the structure for the k8s service + +### Values organization strategy +We extract the values or blocks that we would like to be configurable from the `.yaml` files into `values.yaml`, +preserving the original names for clarity. + +# Configuration Guide +### Important values and their purpose + +- `replicaCount`: number of pods that will be run. +- `image`: the information about which image to pull (name, tag) +- `service`: configuration for the reverse proxy +- `resources`: limits and reservations for memory and CPU time +- `livenessProbe`: command for checking the responsiveness of a container +- `readinessProbe`: command for checking the health of a container + +### How to customize for different environments +We define another value file with overrides and later supply it in the command: + +```bash +helm install myapp-dev k8s/mychart -f k8s/mychart/values-dev.yaml +``` + +Or specify overrides right in the command line: +```bash +helm install myapp k8s/mychart --set replicaCount=10 +``` + +### Example installations with different configurations +As shown in the lab material: +```bash +# Development +helm install myapp-dev k8s/mychart -f k8s/mychart/values-dev.yaml + +# Production +helm install myapp-prod k8s/mychart -f k8s/mychart/values-prod.yaml + +# Override specific value +helm install myapp k8s/mychart --set replicaCount=10 +``` + +# Hook Implementation +### What hooks you implemented and why +I implemented the pre-install hook and the post-install one. I did that because it was prescribed by the lab. + +### Hook execution order and weights +Hook | Order | Weight +------------------------------ +Pre-install | Before | -5 +Post-install | After | 5 + +### Deletion policies explanation +It allows to set a rule that dictates when the executed hook jobs will be deleted. `before-hook-creation` means right +before the hook is run, its previous invokation will be deleted. `hook-succeeded` and `hook-failed` delete the hook +immediately after it succeeds or fails (respectively). + +# Installation Evidence +### `helm list` output +```text +NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION +myrelease default 1 2026-04-02 18:01:48.36966193 +0300 MSK deployed dinfochart-0.1.0 1.1.1 +``` + +### `kubectl get all` showing deployed resources +```text +NAME READY STATUS RESTARTS AGE +pod/myrelease-dinfochart-5b67fb98d9-2jk9d 1/1 Running 0 22m +pod/myrelease-dinfochart-5b67fb98d9-8c448 1/1 Running 0 22m +pod/myrelease-dinfochart-5b67fb98d9-fq5mz 1/1 Running 0 22m +pod/myrelease-dinfochart-5b67fb98d9-v5zjk 1/1 Running 0 22m +pod/myrelease-dinfochart-5b67fb98d9-wtx52 1/1 Running 0 22m + +NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE +service/kubernetes ClusterIP 10.96.0.1 443/TCP 9d +service/myrelease-dinfochart NodePort 10.102.118.72 80:30952/TCP 22m + +NAME READY UP-TO-DATE AVAILABLE AGE +deployment.apps/myrelease-dinfochart 5/5 5 5 22m + +NAME DESIRED CURRENT READY AGE +replicaset.apps/myrelease-dinfochart-5b67fb98d9 5 5 5 22m +``` +### Hook execution output (`kubectl get jobs`, `kubectl describe job`) +As per the deletion policy, the hook jobs get deleted after they run and succeed, which is my case. These commands +report errors because there are no jobs to inspect. + +### Different environment deployments (dev vs prod) +`dev` is for testing the latest changes (with the `latest` tag, plenty of resources). + +`prod` is for deployment on a real cluster (with a fixed version and limited resources). + +# Operations +### Installation commands used +```text +helm install [-f ] +``` + +### How to upgrade a release +```bash +helm upgrade myrelease ./mychart +``` + +### How to rollback +```bash +helm rollback myrelease 1 +``` + +### How to uninstall +```bash +helm uninstall myrelease +``` + +# Testing & Validation +### `helm lint` output +```text +==> Linting dinfochart/ +[INFO] Chart.yaml: icon is recommended + +1 chart(s) linted, 0 chart(s) failed +``` + +### `helm template` verification +```yaml +--- +# Source: dinfochart/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: release-name-dinfochart + labels: + helm.sh/chart: dinfochart-0.1.0 + app.kubernetes.io/name: dinfochart + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "1.1.1" + app.kubernetes.io/managed-by: Helm +spec: + type: NodePort + selector: + app.kubernetes.io/name: dinfochart + app.kubernetes.io/instance: release-name + ports: + - protocol: TCP + port: 80 + targetPort: 5000 +--- +# Source: dinfochart/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: release-name-dinfochart + labels: + helm.sh/chart: dinfochart-0.1.0 + app.kubernetes.io/name: dinfochart + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "1.1.1" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 5 + selector: + matchLabels: + app.kubernetes.io/name: dinfochart + app.kubernetes.io/instance: release-name + strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 # Extra pods during update + maxUnavailable: 0 # Ensure availability + template: + metadata: + labels: + helm.sh/chart: dinfochart-0.1.0 + app.kubernetes.io/name: dinfochart + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "1.1.1" + app.kubernetes.io/managed-by: Helm + spec: + containers: + - name: dinfochart + image: "timurusmanov/devops-infoservice:1.1.1" + ports: + - containerPort: 80 + resources: + limits: + cpu: 200m + memory: 256Mi + requests: + cpu: 100m + memory: 128Mi + livenessProbe: + httpGet: + path: /health + port: 5000 + initialDelaySeconds: 10 + periodSeconds: 5 + readinessProbe: + httpGet: + path: /health + port: 5000 + initialDelaySeconds: 5 + periodSeconds: 3 +--- +# Source: dinfochart/templates/hooks/post-install-job.yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: 'release-name-dinfochart-post-install' + labels: + helm.sh/chart: dinfochart-0.1.0 + app.kubernetes.io/name: dinfochart + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "1.1.1" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-weight": "5" + "helm.sh/hook-delete-policy": hook-succeeded +spec: + template: + metadata: + name: 'release-name-dinfochart-post-install' + spec: + restartPolicy: Never + containers: + - name: post-install-job + image: busybox + command: ['sh', '-c', 'echo Post-install validation && sleep 1 && echo Validation passed'] +--- +# Source: dinfochart/templates/hooks/pre-install-job.yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: 'release-name-dinfochart-pre-install' + labels: + helm.sh/chart: dinfochart-0.1.0 + app.kubernetes.io/name: dinfochart + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "1.1.1" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded +spec: + template: + metadata: + name: 'release-name-dinfochart-pre-install' + spec: + restartPolicy: Never + containers: + - name: pre-install-job + image: busybox + command: ['sh', '-c', 'echo Pre-install task running && sleep 1 && echo Pre-install completed'] +``` + +### Dry-run output +```yaml +NAME: test-release +LAST DEPLOYED: Thu Apr 2 18:29:57 2026 +NAMESPACE: default +STATUS: pending-install +REVISION: 1 +DESCRIPTION: Dry run complete +TEST SUITE: None +HOOKS: +--- +# Source: dinfochart/templates/hooks/post-install-job.yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: 'test-release-dinfochart-post-install' + labels: + helm.sh/chart: dinfochart-0.1.0 + app.kubernetes.io/name: dinfochart + app.kubernetes.io/instance: test-release + app.kubernetes.io/version: "1.1.1" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-weight": "5" + "helm.sh/hook-delete-policy": hook-succeeded +spec: + template: + metadata: + name: 'test-release-dinfochart-post-install' + spec: + restartPolicy: Never + containers: + - name: post-install-job + image: busybox + command: ['sh', '-c', 'echo Post-install validation && sleep 1 && echo Validation passed'] +--- +# Source: dinfochart/templates/hooks/pre-install-job.yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: 'test-release-dinfochart-pre-install' + labels: + helm.sh/chart: dinfochart-0.1.0 + app.kubernetes.io/name: dinfochart + app.kubernetes.io/instance: test-release + app.kubernetes.io/version: "1.1.1" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded +spec: + template: + metadata: + name: 'test-release-dinfochart-pre-install' + spec: + restartPolicy: Never + containers: + - name: pre-install-job + image: busybox + command: ['sh', '-c', 'echo Pre-install task running && sleep 1 && echo Pre-install completed'] +MANIFEST: +--- +# Source: dinfochart/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: test-release-dinfochart + labels: + helm.sh/chart: dinfochart-0.1.0 + app.kubernetes.io/name: dinfochart + app.kubernetes.io/instance: test-release + app.kubernetes.io/version: "1.1.1" + app.kubernetes.io/managed-by: Helm +spec: + type: NodePort + selector: + app.kubernetes.io/name: dinfochart + app.kubernetes.io/instance: test-release + ports: + - protocol: TCP + port: 80 + targetPort: 5000 +--- +# Source: dinfochart/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: test-release-dinfochart + labels: + helm.sh/chart: dinfochart-0.1.0 + app.kubernetes.io/name: dinfochart + app.kubernetes.io/instance: test-release + app.kubernetes.io/version: "1.1.1" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 5 + selector: + matchLabels: + app.kubernetes.io/name: dinfochart + app.kubernetes.io/instance: test-release + strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 # Extra pods during update + maxUnavailable: 0 # Ensure availability + template: + metadata: + labels: + helm.sh/chart: dinfochart-0.1.0 + app.kubernetes.io/name: dinfochart + app.kubernetes.io/instance: test-release + app.kubernetes.io/version: "1.1.1" + app.kubernetes.io/managed-by: Helm + spec: + containers: + - name: dinfochart + image: "timurusmanov/devops-infoservice:1.1.1" + ports: + - containerPort: 80 + resources: + limits: + cpu: 200m + memory: 256Mi + requests: + cpu: 100m + memory: 128Mi + livenessProbe: + httpGet: + path: /health + port: 5000 + initialDelaySeconds: 10 + periodSeconds: 5 + readinessProbe: + httpGet: + path: /health + port: 5000 + initialDelaySeconds: 5 + periodSeconds: 3 +``` + +### Application accessibility verification +```bash +kubectl port-forward service/myrelease-dinfochart 8080:80 & +curl localhost:8080/health +``` +```json +{"status":"healthy","timestamp":"2026-04-02T15:35:47.354190+00:00","uptime_seconds":2010} +``` diff --git a/k8s/LAB10.md b/k8s/LAB10.md new file mode 100644 index 0000000000..02f6061fef --- /dev/null +++ b/k8s/LAB10.md @@ -0,0 +1,447 @@ +# Task 1 + +### Installation +```sh +sudo pacman -S --needed helm +``` +```text +warning: helm-4.1.3-1 is up to date -- skipping + there is nothing to do +``` + +### Version +```sh +helm version +``` +```text +version.BuildInfo{Version:"v4.1.3", GitCommit:"c94d381b03be117e7e57908edbf642104e00eb8f", GitTreeState:"", GoVersion:"go1.26.1-X:nodwarf5", KubeClientVersion:"v1.35"} +``` + +### Output of exploring a public chart + +```sh +helm show chart prometheus-community/prometheus +``` +```yaml +annotations: + artifacthub.io/license: Apache-2.0 + artifacthub.io/links: | + - name: Chart Source + url: https://github.com/prometheus-community/helm-charts + - name: Upstream Project + url: https://github.com/prometheus/prometheus +apiVersion: v2 +appVersion: v3.10.0 +dependencies: +- condition: alertmanager.enabled + name: alertmanager + repository: https://prometheus-community.github.io/helm-charts + version: 1.34.* +- condition: kube-state-metrics.enabled + name: kube-state-metrics + repository: https://prometheus-community.github.io/helm-charts + version: 7.2.* +- condition: prometheus-node-exporter.enabled + name: prometheus-node-exporter + repository: https://prometheus-community.github.io/helm-charts + version: 4.52.* +- condition: prometheus-pushgateway.enabled + name: prometheus-pushgateway + repository: https://prometheus-community.github.io/helm-charts + version: 3.6.* +description: Prometheus is a monitoring system and time series database. +home: https://prometheus.io/ +icon: https://raw.githubusercontent.com/prometheus/prometheus.github.io/master/assets/prometheus_logo-cb55bb5c346.png +keywords: +- monitoring +- prometheus +kubeVersion: '>=1.19.0-0' +maintainers: +- email: gianrubio@gmail.com + name: gianrubio + url: https://github.com/gianrubio +- email: zanhsieh@gmail.com + name: zanhsieh + url: https://github.com/zanhsieh +- email: miroslav.hadzhiev@gmail.com + name: Xtigyro + url: https://github.com/Xtigyro +- email: naseem@transit.app + name: naseemkullah + url: https://github.com/naseemkullah +- email: rootsandtrees@posteo.de + name: zeritti + url: https://github.com/zeritti +name: prometheus +sources: +- https://github.com/prometheus/alertmanager +- https://github.com/prometheus/prometheus +- https://github.com/prometheus/pushgateway +- https://github.com/prometheus/node_exporter +- https://github.com/kubernetes/kube-state-metrics +type: application +version: 28.14.1 +``` + +# Task 2 + +```sh +helm lint dinfochart +``` +```text +==> Linting dinfochart +[INFO] Chart.yaml: icon is recommended + +1 chart(s) linted, 0 chart(s) failed +``` + +```sh +helm template dinfochart dinfochart/ +``` +```yaml +--- +# Source: dinfochart/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: dinfochart + labels: + helm.sh/chart: dinfochart-0.1.0 + app.kubernetes.io/name: dinfochart + app.kubernetes.io/instance: dinfochart + app.kubernetes.io/version: "1.1.1" + app.kubernetes.io/managed-by: Helm +spec: + type: NodePort + selector: + app.kubernetes.io/name: dinfochart + app.kubernetes.io/instance: dinfochart + ports: + - protocol: TCP + port: 80 + targetPort: 5000 +--- +# Source: dinfochart/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: dinfochart + labels: + helm.sh/chart: dinfochart-0.1.0 + app.kubernetes.io/name: dinfochart + app.kubernetes.io/instance: dinfochart + app.kubernetes.io/version: "1.1.1" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 5 + selector: + matchLabels: + app.kubernetes.io/name: dinfochart + app.kubernetes.io/instance: dinfochart + strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 # Extra pods during update + maxUnavailable: 0 # Ensure availability + template: + metadata: + labels: + helm.sh/chart: dinfochart-0.1.0 + app.kubernetes.io/name: dinfochart + app.kubernetes.io/instance: dinfochart + app.kubernetes.io/version: "1.1.1" + app.kubernetes.io/managed-by: Helm + spec: + containers: + - name: dinfochart + image: "timurusmanov/devops-infoservice:1.1.1" + ports: + - containerPort: 80 + resources: + limits: + cpu: 200m + memory: 256Mi + requests: + cpu: 100m + memory: 128Mi + livenessProbe: + httpGet: + path: /health + port: 5000 + initialDelaySeconds: 10 + periodSeconds: 5 + readinessProbe: + httpGet: + path: /health + port: 5000 + initialDelaySeconds: 5 + periodSeconds: 3 +``` + +```sh +helm install --dry-run --debug test-release dinfochart/ +``` +```text +level=WARN msg="--dry-run is deprecated and should be replaced with '--dry-run=client'" +level=DEBUG msg="Original chart version" version="" +level=DEBUG msg="Chart path" path=/home/timur/proj/DevOps-Core-Course/k8s/dinfochart +level=DEBUG msg="number of dependencies in the chart" chart=dinfochart dependencies=0 +NAME: test-release +LAST DEPLOYED: Thu Apr 2 17:17:49 2026 +NAMESPACE: default +STATUS: pending-install +REVISION: 1 +DESCRIPTION: Dry run complete +TEST SUITE: None +USER-SUPPLIED VALUES: +{} + +COMPUTED VALUES: +image: + pullPolicy: IfNotPresent + repository: timurusmanov/devops-infoservice + tag: 1.1.1 +livenessProbe: + httpGet: + path: /health + port: 5000 + initialDelaySeconds: 10 + periodSeconds: 5 +readinessProbe: + httpGet: + path: /health + port: 5000 + initialDelaySeconds: 5 + periodSeconds: 3 +replicaCount: 5 +resources: + limits: + cpu: 200m + memory: 256Mi + requests: + cpu: 100m + memory: 128Mi +service: + port: 80 + targetPort: 5000 + type: NodePort + +HOOKS: +MANIFEST: +--- +# Source: dinfochart/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: test-release-dinfochart + labels: + helm.sh/chart: dinfochart-0.1.0 + app.kubernetes.io/name: dinfochart + app.kubernetes.io/instance: test-release + app.kubernetes.io/version: "1.1.1" + app.kubernetes.io/managed-by: Helm +spec: + type: NodePort + selector: + app.kubernetes.io/name: dinfochart + app.kubernetes.io/instance: test-release + ports: + - protocol: TCP + port: 80 + targetPort: 5000 +--- +# Source: dinfochart/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: test-release-dinfochart + labels: + helm.sh/chart: dinfochart-0.1.0 + app.kubernetes.io/name: dinfochart + app.kubernetes.io/instance: test-release + app.kubernetes.io/version: "1.1.1" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 5 + selector: + matchLabels: + app.kubernetes.io/name: dinfochart + app.kubernetes.io/instance: test-release + strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 # Extra pods during update + maxUnavailable: 0 # Ensure availability + template: + metadata: + labels: + helm.sh/chart: dinfochart-0.1.0 + app.kubernetes.io/name: dinfochart + app.kubernetes.io/instance: test-release + app.kubernetes.io/version: "1.1.1" + app.kubernetes.io/managed-by: Helm + spec: + containers: + - name: dinfochart + image: "timurusmanov/devops-infoservice:1.1.1" + ports: + - containerPort: 80 + resources: + limits: + cpu: 200m + memory: 256Mi + requests: + cpu: 100m + memory: 128Mi + livenessProbe: + httpGet: + path: /health + port: 5000 + initialDelaySeconds: 10 + periodSeconds: 5 + readinessProbe: + httpGet: + path: /health + port: 5000 + initialDelaySeconds: 5 + periodSeconds: 3 + +``` + +```sh +helm install myrelease dinfochart/ +``` +```text +NAME: myrelease +LAST DEPLOYED: Thu Apr 2 17:18:20 2026 +NAMESPACE: default +STATUS: deployed +REVISION: 1 +DESCRIPTION: Install complete +TEST SUITE: None +``` + +# Task 4 + +```sh +# Lint chart +helm lint k8s/dinfochart +``` +```text +==> Linting k8s/dinfochart +[INFO] Chart.yaml: icon is recommended + +1 chart(s) linted, 0 chart(s) failed +``` + +```sh +# Dry run to see hooks +helm install --dry-run=client --debug test-release k8s/dinfochart | grep -A 20 "HOOK\|hook" +``` +```text +level=DEBUG msg="Original chart version" version="" +level=DEBUG msg="Chart path" path=/home/timur/proj/DevOps-Core-Course/k8s/dinfochart +level=DEBUG msg="number of dependencies in the chart" chart=dinfochart dependencies=0 +HOOKS: +--- +# Source: dinfochart/templates/hooks/post-install-job.yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: 'test-release-dinfochart-post-install' + labels: + helm.sh/chart: dinfochart-0.1.0 + app.kubernetes.io/name: dinfochart + app.kubernetes.io/instance: test-release + app.kubernetes.io/version: "1.1.1" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-weight": "5" + "helm.sh/hook-delete-policy": hook-succeeded +spec: + template: + metadata: + name: 'test-release-dinfochart-post-install' + spec: + restartPolicy: Never + containers: + - name: post-install-job + image: busybox + command: ['sh', '-c', 'echo Post-install validation && sleep 1 && echo Validation passed'] +--- +# Source: dinfochart/templates/hooks/pre-install-job.yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: 'test-release-dinfochart-pre-install' + labels: + helm.sh/chart: dinfochart-0.1.0 + app.kubernetes.io/name: dinfochart + app.kubernetes.io/instance: test-release + app.kubernetes.io/version: "1.1.1" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded +spec: + template: + metadata: + name: 'test-release-dinfochart-pre-install' + spec: + restartPolicy: Never + containers: + - name: pre-install-job + image: busybox + command: ['sh', '-c', 'echo Pre-install task running && sleep 1 && echo Pre-install completed'] +MANIFEST: +--- +# Source: dinfochart/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: test-release-dinfochart + labels: + helm.sh/chart: dinfochart-0.1.0 + app.kubernetes.io/name: dinfochart +``` + +```sh +# Install and watch hooks +helm install myrelease k8s/dinfochart +kubectl get jobs -w +kubectl get pods -w +``` +```text +NAME: myrelease +LAST DEPLOYED: Thu Apr 2 18:01:48 2026 +NAMESPACE: default +STATUS: deployed +REVISION: 1 +DESCRIPTION: Install complete +TEST SUITE: None +``` +```text +No resources found in default namespace. +``` +```text +NAME READY STATUS RESTARTS AGE +myrelease-dinfochart-5b67fb98d9-2jk9d 1/1 Running 0 39s +myrelease-dinfochart-5b67fb98d9-8c448 1/1 Running 0 39s +myrelease-dinfochart-5b67fb98d9-fq5mz 1/1 Running 0 39s +myrelease-dinfochart-5b67fb98d9-v5zjk 1/1 Running 0 39s +myrelease-dinfochart-5b67fb98d9-wtx52 1/1 Running 0 39s +``` + +```sh +# Verify deletion policy worked +kubectl get jobs +``` +```text +No resources found in default namespace. +``` + +# Task 5 + +Refer to `k8s/HELM.md`. diff --git a/k8s/deployment.yml b/k8s/deployment.yml deleted file mode 100644 index 5b57351844..0000000000 --- a/k8s/deployment.yml +++ /dev/null @@ -1,43 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: devops-infoservice - labels: - app: devops-infoservice -spec: - replicas: 5 - selector: - matchLabels: - app: devops-infoservice - strategy: - type: RollingUpdate - rollingUpdate: - maxSurge: 1 # Extra pods during update - maxUnavailable: 0 # Ensure availability - template: - metadata: - labels: - app: devops-infoservice - spec: - containers: - - name: devops-infoservice - image: 127.0.0.1:5000/timurusmanov/devops-infoservice:latest - ports: - - containerPort: 5000 - resources: - requests: - memory: "128Mi" - cpu: "100m" - limits: - memory: "256Mi" - cpu: "200m" - livenessProbe: - httpGet: - path: /health - port: 5000 - initialDelaySeconds: 10 - readinessProbe: - httpGet: - path: /health - port: 5000 - initialDelaySeconds: 5 diff --git a/k8s/dinfochart/.gitignore b/k8s/dinfochart/.gitignore new file mode 100644 index 0000000000..721e9b3ae7 --- /dev/null +++ b/k8s/dinfochart/.gitignore @@ -0,0 +1 @@ +/charts/ diff --git a/k8s/dinfochart/.helmignore b/k8s/dinfochart/.helmignore new file mode 100644 index 0000000000..0e8a0eb36f --- /dev/null +++ b/k8s/dinfochart/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/k8s/dinfochart/Chart.yaml b/k8s/dinfochart/Chart.yaml new file mode 100644 index 0000000000..9f61b15d84 --- /dev/null +++ b/k8s/dinfochart/Chart.yaml @@ -0,0 +1,24 @@ +apiVersion: v2 +name: dinfochart +description: A Helm chart for devops-infoservice + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.1.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. +appVersion: "1.1.1" diff --git a/k8s/dinfochart/templates/NOTES.txt b/k8s/dinfochart/templates/NOTES.txt new file mode 100644 index 0000000000..e69de29bb2 diff --git a/k8s/dinfochart/templates/_helpers.tpl b/k8s/dinfochart/templates/_helpers.tpl new file mode 100644 index 0000000000..4c45c4b07d --- /dev/null +++ b/k8s/dinfochart/templates/_helpers.tpl @@ -0,0 +1,62 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "dinfochart.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "dinfochart.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "dinfochart.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "dinfochart.labels" -}} +helm.sh/chart: {{ include "dinfochart.chart" . }} +{{ include "dinfochart.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "dinfochart.selectorLabels" -}} +app.kubernetes.io/name: {{ include "dinfochart.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "dinfochart.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "dinfochart.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} diff --git a/k8s/dinfochart/templates/deployment.yaml b/k8s/dinfochart/templates/deployment.yaml new file mode 100644 index 0000000000..0cc9082554 --- /dev/null +++ b/k8s/dinfochart/templates/deployment.yaml @@ -0,0 +1,41 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "dinfochart.fullname" . }} + labels: + {{- include "dinfochart.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + {{- include "dinfochart.selectorLabels" . | nindent 6 }} + strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 # Extra pods during update + maxUnavailable: 0 # Ensure availability + template: + metadata: + labels: + {{- include "dinfochart.labels" . | nindent 8 }} + {{- with .Values.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + containers: + - name: {{ .Chart.Name }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + ports: + - containerPort: {{ .Values.service.port }} + {{- with .Values.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.livenessProbe }} + livenessProbe: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.readinessProbe }} + readinessProbe: + {{- toYaml . | nindent 12 }} + {{- end }} diff --git a/k8s/dinfochart/templates/hooks/post-install-job.yaml b/k8s/dinfochart/templates/hooks/post-install-job.yaml new file mode 100644 index 0000000000..fa5018c191 --- /dev/null +++ b/k8s/dinfochart/templates/hooks/post-install-job.yaml @@ -0,0 +1,20 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: '{{ include "dinfochart.fullname" . }}-post-install' + labels: + {{- include "dinfochart.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-weight": "5" + "helm.sh/hook-delete-policy": hook-succeeded +spec: + template: + metadata: + name: '{{ include "dinfochart.fullname" . }}-post-install' + spec: + restartPolicy: Never + containers: + - name: post-install-job + image: busybox + command: ['sh', '-c', 'echo Post-install validation && sleep 1 && echo Validation passed'] diff --git a/k8s/dinfochart/templates/hooks/pre-install-job.yaml b/k8s/dinfochart/templates/hooks/pre-install-job.yaml new file mode 100644 index 0000000000..2afe4aef29 --- /dev/null +++ b/k8s/dinfochart/templates/hooks/pre-install-job.yaml @@ -0,0 +1,20 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: '{{ include "dinfochart.fullname" . }}-pre-install' + labels: + {{- include "dinfochart.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": pre-install + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded +spec: + template: + metadata: + name: '{{ include "dinfochart.fullname" . }}-pre-install' + spec: + restartPolicy: Never + containers: + - name: pre-install-job + image: busybox + command: ['sh', '-c', 'echo Pre-install task running && sleep 1 && echo Pre-install completed'] diff --git a/k8s/dinfochart/templates/service.yaml b/k8s/dinfochart/templates/service.yaml new file mode 100644 index 0000000000..ba11f6feea --- /dev/null +++ b/k8s/dinfochart/templates/service.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "dinfochart.fullname" . }} + labels: + {{- include "dinfochart.labels" . | nindent 4 }} +spec: + type: NodePort + selector: + {{- include "dinfochart.selectorLabels" . | nindent 4 }} + ports: + - protocol: TCP + port: {{ .Values.service.port }} + targetPort: {{ .Values.service.targetPort }} diff --git a/k8s/dinfochart/values-dev.yaml b/k8s/dinfochart/values-dev.yaml new file mode 100644 index 0000000000..5995b940e4 --- /dev/null +++ b/k8s/dinfochart/values-dev.yaml @@ -0,0 +1,19 @@ +replicaCount: 1 + +image: + tag: "latest" + +resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 50m + memory: 64Mi + +service: + type: NodePort + +livenessProbe: + initialDelaySeconds: 5 + periodSeconds: 10 diff --git a/k8s/dinfochart/values-prod.yaml b/k8s/dinfochart/values-prod.yaml new file mode 100644 index 0000000000..17836a184e --- /dev/null +++ b/k8s/dinfochart/values-prod.yaml @@ -0,0 +1,23 @@ +replicaCount: 5 + +image: + tag: "1.0.0" # Specific version + +resources: + limits: + cpu: 500m + memory: 512Mi + requests: + cpu: 200m + memory: 256Mi + +service: + type: LoadBalancer + +livenessProbe: + initialDelaySeconds: 30 + periodSeconds: 5 + +readinessProbe: + initialDelaySeconds: 10 + periodSeconds: 3 diff --git a/k8s/dinfochart/values.yaml b/k8s/dinfochart/values.yaml new file mode 100644 index 0000000000..ddbdd5a6df --- /dev/null +++ b/k8s/dinfochart/values.yaml @@ -0,0 +1,32 @@ +replicaCount: 5 +image: + repository: timurusmanov/devops-infoservice + tag: "1.1.1" + pullPolicy: IfNotPresent + +service: + type: NodePort + port: 80 + targetPort: 5000 + +resources: + limits: + cpu: 200m + memory: 256Mi + requests: + cpu: 100m + memory: 128Mi + +livenessProbe: + httpGet: + path: /health + port: 5000 + initialDelaySeconds: 10 + periodSeconds: 5 + +readinessProbe: + httpGet: + path: /health + port: 5000 + initialDelaySeconds: 5 + periodSeconds: 3 diff --git a/k8s/service.yml b/k8s/service.yml deleted file mode 100644 index 853cd0860f..0000000000 --- a/k8s/service.yml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: devops-infoservice-service -spec: - type: NodePort - selector: - app: devops-infoservice # Must match Deployment labels - ports: - - protocol: TCP - port: 80 # Service port - targetPort: 5000 # Container port - nodePort: 30080 # Optional: specific node port (30000-32767) From 2b65f8dbda5d2c7157ab8fb7f4b2a3d517198105 Mon Sep 17 00:00:00 2001 From: Timur Usmanov Date: Wed, 8 Apr 2026 17:43:12 +0300 Subject: [PATCH 2/4] Add secrets --- k8s/dinfochart/templates/secrets.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 k8s/dinfochart/templates/secrets.yaml diff --git a/k8s/dinfochart/templates/secrets.yaml b/k8s/dinfochart/templates/secrets.yaml new file mode 100644 index 0000000000..e53ee82943 --- /dev/null +++ b/k8s/dinfochart/templates/secrets.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-secret +type: Opaque +stringData: + username: {{ .Values.secret.username | quote }} + password: {{ .Values.secret.password | quote }} From 8f19f5810f50e7dfdd0234e3f676ce081f00a560 Mon Sep 17 00:00:00 2001 From: Timur Usmanov Date: Wed, 8 Apr 2026 18:34:28 +0300 Subject: [PATCH 3/4] Task2 done --- k8s/SECRETS.md | 112 +++++++++++++++++++++++ k8s/dinfochart/templates/deployment.yaml | 11 +++ k8s/dinfochart/templates/secrets.yaml | 2 +- k8s/dinfochart/values-dev.yaml | 4 + k8s/dinfochart/values-prod.yaml | 4 + k8s/dinfochart/values.yaml | 4 + 6 files changed, 136 insertions(+), 1 deletion(-) create mode 100644 k8s/SECRETS.md diff --git a/k8s/SECRETS.md b/k8s/SECRETS.md new file mode 100644 index 0000000000..bc39e14774 --- /dev/null +++ b/k8s/SECRETS.md @@ -0,0 +1,112 @@ +# Kubernetes Secrets +### Output of creating and viewing your secret +```sh +kubectl get secret app-credentials -o yaml +``` +```text +apiVersion: v1 +data: + password: YWRtaW4xMjM= + username: dGltdXI= +kind: Secret +metadata: + creationTimestamp: "2026-04-08T14:10:34Z" + name: app-credentials + namespace: default + resourceVersion: "7121" + uid: cde19220-e95a-4b61-9386-b6b8f4b37f45 +type: Opaque +``` + +### Decoded secret values demonstration +```sh +base64 -d <<<"dGltdXI=" +``` +```text +timur +``` +```sh +base64 -d <<<"YWRtaW4xMjM=" +``` +```text +admin123 +``` + +### Explanation of base64 encoding vs encryption +`base64`-encoding is is still plaintext: it obfuscates the information to a human reader, but the data is decodeable +with one command. + +Real encryption requires the attacker to guess a key, which should be difficult to do. + +# Helm Secret Integration +### Chart structure showing secrets.yaml +```yaml +apiVersion: v1 +kind: Secret +metadata: + name: app-credentials +type: Opaque +stringData: + username: {{ .Values.secret.username | quote }} + password: {{ .Values.secret.password | quote }} +``` + +### How secrets are consumed in deployment +Secrets are consumed through environment variables. + +### Verification output (env vars in pod, excluding actual values) +```sh +kubectl exec dinfoserv-dinfochart-575476d846-4424h -- env +``` +```text +PATH=/venv/bin:/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +HOSTNAME=dinfoserv-dinfochart-575476d846-4424h +username=placeholder +password=placeholder +DINFOSERV_DINFOCHART_PORT_80_TCP=tcp://10.100.233.185:80 +DINFOSERV_DINFOCHART_PORT_80_TCP_PROTO=tcp +KUBERNETES_PORT=tcp://10.96.0.1:443 +KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443 +DINFOSERV_DINFOCHART_PORT_80_TCP_PORT=80 +KUBERNETES_SERVICE_HOST=10.96.0.1 +KUBERNETES_SERVICE_PORT_HTTPS=443 +KUBERNETES_PORT_443_TCP_PORT=443 +KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1 +DINFOSERV_DINFOCHART_SERVICE_HOST=10.100.233.185 +DINFOSERV_DINFOCHART_SERVICE_PORT=80 +DINFOSERV_DINFOCHART_PORT=tcp://10.100.233.185:80 +DINFOSERV_DINFOCHART_PORT_80_TCP_ADDR=10.100.233.185 +KUBERNETES_SERVICE_PORT=443 +KUBERNETES_PORT_443_TCP_PROTO=tcp +GPG_KEY=7169605F62C751356D054A26A821E680E5FA6305 +PYTHON_VERSION=3.13.12 +PYTHON_SHA256=2a84cd31dd8d8ea8aaff75de66fc1b4b0127dd5799aa50a64ae9a313885b4593 +VIRTUAL_ENV=/venv +HOME=/home/infoservice +``` + +Note the "username" and "password" env variables. + +# Resource Management +### Resource limits configuration +Resource limits are configured with the `values` files. + +### Explanation of requests vs limits +Requests = how much is guaranteed. +Limits = how much is the hard maximum. + +### How to choose appropriate values +In the development environment, give more resources to debug and test. +In production, look at the cluster and see how much is available. Then assign that much as the limit. Requests are the +minimal requirements for the containers to function at all. + +# Vault Integration +### Vault installation verification (`kubectl get pods`) +### Policy and role configuration (sanitized) +### Proof of secret injection (show file exists, path structure) +### Explanation of the sidecar injection pattern + +# Security Analysis +### Comparison: K8s Secrets vs Vault +### When to use each approach +### Production recommendations diff --git a/k8s/dinfochart/templates/deployment.yaml b/k8s/dinfochart/templates/deployment.yaml index 0cc9082554..11d8f9720d 100644 --- a/k8s/dinfochart/templates/deployment.yaml +++ b/k8s/dinfochart/templates/deployment.yaml @@ -39,3 +39,14 @@ spec: readinessProbe: {{- toYaml . | nindent 12 }} {{- end }} + env: + - name: username + valueFrom: + secretKeyRef: + name: app-credentials + key: username + - name: password + valueFrom: + secretKeyRef: + name: app-credentials + key: password diff --git a/k8s/dinfochart/templates/secrets.yaml b/k8s/dinfochart/templates/secrets.yaml index e53ee82943..baf570432f 100644 --- a/k8s/dinfochart/templates/secrets.yaml +++ b/k8s/dinfochart/templates/secrets.yaml @@ -1,7 +1,7 @@ apiVersion: v1 kind: Secret metadata: - name: {{ .Release.Name }}-secret + name: app-credentials type: Opaque stringData: username: {{ .Values.secret.username | quote }} diff --git a/k8s/dinfochart/values-dev.yaml b/k8s/dinfochart/values-dev.yaml index 5995b940e4..3967731b96 100644 --- a/k8s/dinfochart/values-dev.yaml +++ b/k8s/dinfochart/values-dev.yaml @@ -17,3 +17,7 @@ service: livenessProbe: initialDelaySeconds: 5 periodSeconds: 10 + +secret: + username: "placeholder" + password: "placeholder" diff --git a/k8s/dinfochart/values-prod.yaml b/k8s/dinfochart/values-prod.yaml index 17836a184e..ebcfebdc55 100644 --- a/k8s/dinfochart/values-prod.yaml +++ b/k8s/dinfochart/values-prod.yaml @@ -21,3 +21,7 @@ livenessProbe: readinessProbe: initialDelaySeconds: 10 periodSeconds: 3 + +secrets: + username: "placeholder" + password: "placeholder" diff --git a/k8s/dinfochart/values.yaml b/k8s/dinfochart/values.yaml index ddbdd5a6df..220111925d 100644 --- a/k8s/dinfochart/values.yaml +++ b/k8s/dinfochart/values.yaml @@ -30,3 +30,7 @@ readinessProbe: port: 5000 initialDelaySeconds: 5 periodSeconds: 3 + +secrets: + username: "placeholder" + password: "placeholder" From fa134bff82e040fc42392babc9c3ebb5e8126d3e Mon Sep 17 00:00:00 2001 From: Timur Usmanov Date: Thu, 9 Apr 2026 10:05:09 +0300 Subject: [PATCH 4/4] Finish lab11 --- k8s/SECRETS.md | 47 +++++++++++++++++++++++- k8s/dinfochart/templates/deployment.yaml | 12 ++++++ k8s/dinfochart/values-prod.yaml | 2 +- k8s/dinfochart/values.yaml | 2 +- 4 files changed, 59 insertions(+), 4 deletions(-) diff --git a/k8s/SECRETS.md b/k8s/SECRETS.md index bc39e14774..79a74ca774 100644 --- a/k8s/SECRETS.md +++ b/k8s/SECRETS.md @@ -102,11 +102,54 @@ minimal requirements for the containers to function at all. # Vault Integration ### Vault installation verification (`kubectl get pods`) +```text +NAME READY STATUS RESTARTS AGE +dinfoserv-dinfochart-b9cc59fdf-2dv4n 2/2 Running 0 4m4s +dinfoserv-dinfochart-b9cc59fdf-6chxr 2/2 Running 0 4m4s +dinfoserv-dinfochart-b9cc59fdf-b6cqg 2/2 Running 0 4m4s +dinfoserv-dinfochart-b9cc59fdf-fkfwn 2/2 Running 0 4m4s +dinfoserv-dinfochart-b9cc59fdf-nh9r2 2/2 Running 0 4m4s +vault-0 1/1 Running 0 15h +vault-agent-injector-848dd747d7-b2pt4 1/1 Running 0 15h +``` + ### Policy and role configuration (sanitized) +Policy: +```sh +cat >dinfoservice-secret-access.hcl <