Integrated notes from 20241112

Author: nicholasdille

.editorconfig

@@ -0,0 +1,16 @@
+# EditorConfig is awesome: https://editorconfig.org
+
+# top-most EditorConfig file
+root = true
+
+[*]
+end_of_line = lf
+insert_final_newline = true
+indent_style = space
+indent_size = 4
+
+[*.yaml,*.yml,*.json]
+indent_size = 2
+
+[Makefile]
+indent_style = tab

120_kubernetes/identity/slides.md

@@ -0,0 +1,23 @@
+## Workload Identity
+
+IAM Roles for Service Accounts (IRSA) https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html
+
+https://azure.github.io/azure-workload-identity/docs/
+
+https://cloud.google.com/config-connector/docs/overview?hl=de
+
+
+### Token Review
+
+```shell
+#kubectl create sa bar
+TOKEN="$(kubectl create token bar)"
+cat <<EOF | kubectl apply -f - -o yaml
+kind: TokenReview
+apiVersion: authentication.k8s.io/v1
+metadata:
+  name: test
+spec:
+  token: ${TOKEN}
+EOF
+```

120_kubernetes/rbac/service_account_api.runme.md

@@ -86,11 +86,14 @@ Configure and test kubectl
 ```sh
 kubectl exec -i foo-test -- apk update
 kubectl exec -i foo-test -- apk add kubectl --repository=https://dl-cdn.alpinelinux.org/alpine/edge/testing
+kubectl exec -i foo-test -- apk add curl
 clear
+kubectl exec -i foo-test -- kubectl version
 kubectl exec -i foo-test -- sh <<"EOF"
-    kubectl version \
-        --server=https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT_HTTPS} \
-        --certificate-authority=/run/secrets/kubernetes.io/serviceaccount/ca.crt \
-        --token="$(cat /run/secrets/kubernetes.io/serviceaccount/token)"
+    curl \
+        --silent \
+        --url https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT_HTTPS}/api \
+        --cacert /run/secrets/kubernetes.io/serviceaccount/ca.crt \
+        --header "Authorization: Bearer $(cat /run/secrets/kubernetes.io/serviceaccount/token)"
 EOF
 ```

120_kubernetes/rbac/service_account_pod_token.runme.md

@@ -0,0 +1,25 @@
+# Explore token mounted in a pod
+
+https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection
+
+Check projected volume with token, CA and namespace
+
+```sh
+cat <<EOF | kubectl apply -f -
+apiVersion: v1
+kind: Pod
+metadata:
+  name: foo-test
+spec:
+  containers:
+  - name: foo
+    image: alpine
+    command:
+    - sh
+    args:
+    - -c
+    - sleep 3600
+EOF
+sleep 5
+kubectl get pod foo-test --output yaml
+```

160_gitlab_ci.yml

@@ -112,7 +112,7 @@ nav:
   - IDE: 000_rollout/exercise_ide.md
   - Project: 000_rollout/exercise_project.md
   - You are ready: you_are_ready.md
-- Basics:
+- Fundamentals:
   - Jobs and Stages: 010_jobs_and_stages/exercise.md
   - Variables: 020_variables/exercise.md
   - Scriptblocks: 030_script_blocks/exercise.md
@@ -139,5 +139,6 @@ nav:
   - Security: 280_security/exercise.md
   - CI/CD Components: 300_components/exercise.md
   - CI/CD Steps: 310_steps/exercise.md
+  - Secure Files: 320_secure_files/exercise.md
 - Wrap Up:
   - You are done: you_are_done.md

160_gitlab_ci/000_rollout/generate.sh

@@ -85,6 +85,6 @@ fi
 cat seats.json \
 | jq --raw-output '
         .seats[] |
-        "\nHost seat\(.index).vscode.inmylab.de\nUser seat\(.index)\nCode \(.code)\nPassword \(.password)"
+        "\nHost code.inmylab.de\nUser seat\(.index)\nCode \(.code)"
     ' \
 >seats.txt

160_gitlab_ci/000_rollout/server/nginx/code.html

@@ -12,5 +12,11 @@ <h1>Auth</h1>
         <p>WebDAV dev: ${SEAT_WEBDAV_DEV}</p>
 
         <p>WebDAV live: ${SEAT_WEBDAV_LIVE}</p>
+
+        <h1>Services</h1>
+
+        <p><a href="https://gitlab.inmylab.de" target="_blank">GitLab</a> (login using user seat${SEAT_INDEX} and your password)</p>
+
+        <p><a href="https://seat${SEAT_INDEX}.vscode.inmylab.de" target="_blank">seat${SEAT_INDEX}</a></p>
     </body>
 </html>

160_gitlab_ci/000_rollout/slides.md

@@ -12,6 +12,6 @@ Containerized service stack for this workshop
 
 ![](160_gitlab_ci/000_rollout/stack.drawio.svg) <!-- .element: style="width: 90%; margin-top: 1em;" -->
 
-Available from 2024-11-12 at 9:00 until 2024-11-12 at 18:00
+Available from 2024-11-21 at 9:00 until 2024-11-28 at 18:00
 
-See [introduction](/hands-on/2024-11-12/)
+Meet your demo environment by following the [introduction](/hands-on/2024-11-21/)

160_gitlab_ci/000_rollout/vscode/vscode/Dockerfile

@@ -3,12 +3,6 @@
 FROM codercom/code-server:4.93.1
 USER root
 
-RUN <<EOF
-code-server --install-extension redhat.vscode-yaml
-code-server --install-extension golang.go
-code-server --install-extension gitlab.gitlab-workflow
-EOF
-
 RUN <<EOF
 apt-get update
 apt-get -y install --no-install-recommends \
@@ -34,15 +28,19 @@ uniget install \
     glab
 EOF
 
-# See https://github.com/coder/code-server/issues/5177
-ENV ENTRYPOINTD=/opt/entrypoint.d
-RUN <<EOF
-mkdir -p "${ENTRYPOINTD}"
-EOF
-COPY --chmod=0755 git.sh ${ENTRYPOINTD}
+COPY --chmod=0755 git.sh /opt/entrypoint.d/
 
 RUN <<EOF
 useradd --user-group --create-home --shell /bin/bash seat
 EOF
 USER seat
-WORKDIR /home/seat
+WORKDIR /home/seat/demo
+
+# https://open-vsx.org/
+# code-server --install-extension <publisher>.<extension-name>
+RUN <<EOF
+code-server --install-extension redhat.vscode-yaml
+code-server --install-extension golang.go
+code-server --install-extension gitlab.gitlab-workflow
+code-server --install-extension editorConfig.editorConfig
+EOF

160_gitlab_ci/000_rollout/vscode/vscode/git.sh

@@ -19,3 +19,8 @@ git remote add origin https://gitlab.inmylab.de/${GIT_USER}/demo
 git remote add upstream https://github.com/nicholasdille/container-slides
 
 git pull origin main || true
+
+touch README.md
+git add README.md
+git commit -m "Initial commit"
+git push --set-upstream origin main

160_gitlab_ci/040_image/exercise.md

@@ -10,13 +10,13 @@
 
 In the previous exampes, we called `apk` at the beginning of every job to install Go. This had to be repeated for every job because Go was not present. Choosing an image for a job using the `image` directive, time is saved by avoiding commands to install required tools. See the [official documentation](https://docs.gitlab.com/ee/ci/yaml/#image).
 
-Replace the calls to `apk` with the container image `golang:1.19.2`.
+Replace the calls to `apk` with the container image `golang:1.23.2`.
 
 Afterwards check the pipeline in the GitLab UI. You should see a successful pipeline run.
 
 ??? info "Hint (Click if you are stuck)"
     - Remove `before_script`
-    - Add `image: golang:1.19.2` instead
+    - Add `image: golang:1.23.2` instead
 
 ??? example "Solution (Click if you are stuck)"
     `.gitlab-ci.yml`:
@@ -28,19 +28,19 @@ Afterwards check the pipeline in the GitLab UI. You should see a successful pipe
 
     lint:
       stage: check
-      image: golang:1.19.2
+      image: golang:1.23.2
       script:
       - go fmt .
 
     audit:
       stage: check
-      image: golang:1.19.2
+      image: golang:1.23.2
       script:
       - go vet .
 
     build:
       stage: build
-      image: golang:1.19.2
+      image: golang:1.23.2
       script:
       - |
         go build \

160_gitlab_ci/050_defaults/exercise.md

@@ -27,7 +27,7 @@ Afterwards check the pipeline in the GitLab UI. You should see a successful pipe
     - build
 
     default:
-      image: golang:1.19.2
+      image: golang:1.23.2
 
     lint:
       stage: check

160_gitlab_ci/050_defaults/slides.md

@@ -8,14 +8,12 @@
 
 ## Defaults
 
-Apply settings to all jobs using `default` [](https://docs.gitlab.com/ee/ci/yaml/#default)
-
-`default` can contain...
+Apply settings to all jobs using `default` [](https://docs.gitlab.com/ee/ci/yaml/#default), e.g.
 
 - `image`
-- `before_script`
-- `after_script`
-- and some more we will explore later <i class="fa-duotone fa-face-smile-halo fa-duotone-colors"></i>
+- `before_script`, `after_script`
+
+...and some more we will explore later <i class="fa-duotone fa-face-smile-halo fa-duotone-colors"></i>
 
 ### Example
 

160_gitlab_ci/060_artifacts/exercise.md

@@ -40,7 +40,7 @@ Afterwards check the pipeline in the GitLab UI. You should see a successful pipe
     - test
 
     default:
-      image: golang:1.19.2
+      image: golang:1.23.2
 
     lint:
       stage: check
@@ -93,7 +93,7 @@ Modify the job `test` to consume artifacts only from the job `build`.
     - test
 
     default:
-      image: golang:1.19.2
+      image: golang:1.23.2
 
     lint:
       stage: check
@@ -156,7 +156,7 @@ The following hint and solution are a working example.
     - test
 
     default:
-      image: golang:1.19.2
+      image: golang:1.23.2
 
     lint:
       stage: check

160_gitlab_ci/065_job_dependencies/exercise.md

@@ -22,7 +22,7 @@ Afterwards check the pipeline in the GitLab UI. You should see a successful pipe
     - test
 
     default:
-      image: golang:1.19.2
+      image: golang:1.23.2
 
     lint:
       stage: check
@@ -73,7 +73,7 @@ Afterwards check the pipeline in the GitLab UI. You should see a successful pipe
     - test
 
     default:
-      image: golang:1.19.2
+      image: golang:1.23.2
 
     lint:
       stage: check

160_gitlab_ci/065_job_dependencies/slides.md

@@ -54,12 +54,18 @@ Consume artifacts from parent (upstream) pipeline [](https://docs.gitlab.com/ee/
 job_name:
   script: cat artifact.txt
   needs:
-    - pipeline: $PARENT_PIPELINE_ID
-      job: create-artifact
+  - pipeline: $PARENT_PIPELINE_ID
+    job: create-artifact
 ```
 
 ---
 
 ## Hands-On
 
-See chapter [Job dependencies](/hands-on/2024-11-12/065_job_dependencies/exercise/)
+See chapter [Job dependencies](/hands-on/2024-11-12/065_job_dependencies/exercise/)
+
+---
+
+## Pro tip: XXX
+
+One stage with two jobs and `needs` -> artifacts work

160_gitlab_ci/090_unit_tests/exercise.md

@@ -54,7 +54,7 @@ Afterwards check the pipeline in the GitLab UI. You should see a successful pipe
     - test
 
     default:
-      image: golang:1.19.2
+      image: golang:1.23.2
 
     lint:
       stage: check

160_gitlab_ci/100_environments/exercise.md

@@ -26,7 +26,7 @@ curl https://seat${SEAT_INDEX}.dev.webdav.inmylab.de/ \
     --user seat${SEAT_INDEX}:${PASS}
 ```
 
-Mind that `curl` is not available in the default image `golang:1.19.2` but must be installed using the following commands. Apply what you learned about script blocks as well as separating commands into preparation, core steps and cleanup.
+Mind that `curl` is not available in the default image `golang:1.23.2` but must be installed using the following commands. Apply what you learned about script blocks as well as separating commands into preparation, core steps and cleanup.
 
 ```bash
 apt-get update
@@ -58,7 +58,7 @@ Afterwards check the pipeline in the GitLab UI. You should see a successful pipe
     - deploy
 
     default:
-      image: golang:1.19.2
+      image: golang:1.23.2
 
     lint:
       stage: check
@@ -135,7 +135,7 @@ Afterwards check the pipeline in the GitLab UI. You should see a successful pipe
     - deploy
 
     default:
-      image: golang:1.19.2
+      image: golang:1.23.2
 
     lint:
       stage: check

160_gitlab_ci/110_triggers/exercise.md

@@ -56,7 +56,7 @@ Afterwards check the pipeline in both projects in the GitLab UI. You should see
     - trigger
 
     default:
-      image: golang:1.19.2
+      image: golang:1.23.2
 
     lint:
       stage: check
@@ -151,7 +151,7 @@ Afterwards check the pipeline in the GitLab UI. You should see a successful pipe
     - trigger
 
     default:
-      image: golang:1.19.2
+      image: golang:1.23.2
 
     lint:
       stage: check
@@ -250,7 +250,7 @@ Afterwards check the pipeline in the GitLab UI. You should see a successful pipe
     - trigger
 
     default:
-      image: golang:1.19.2
+      image: golang:1.23.2
 
     lint:
       stage: check