nicholasdille
diff --git a/‎120_kubernetes/ci_cd/hpa.demo
+25 b/‎120_kubernetes/ci_cd/hpa.demo
+25
diff --git a/‎120_kubernetes/ci_cd/inside.drawio.svg
+11-12 b/‎120_kubernetes/ci_cd/inside.drawio.svg
+11-12
diff --git a/‎120_kubernetes/ci_cd/side-by-side.drawio.svg
+9-9 b/‎120_kubernetes/ci_cd/side-by-side.drawio.svg
+9-9
diff --git a/‎120_kubernetes/ci_cd/slides.md
+82-39 b/‎120_kubernetes/ci_cd/slides.md
+82-39
diff --git a/‎120_kubernetes/helm/chart.demo
+22 b/‎120_kubernetes/helm/chart.demo
+22
diff --git a/‎120_kubernetes/helm/helm.demo
+35-2 b/‎120_kubernetes/helm/helm.demo
+35-2
@@ -0,0 +1,25 @@
+# Horizontal Pod Autoscaler (HPA)
+
+# Deploy metrics-server
+helm repo add metrics-server https://kubernetes-sigs.github.io/metrics-server/
+helm upgrade --install --namespace=kube-system metrics-server metrics-server/metrics-server \
+    --set args[0]=--kubelet-insecure-tls
+
+# Deploy nginx
+helm upgrade --install my-nginx bitnami/nginx \
+    --set service.type=ClusterIP \
+    --set resources.requests.cpu=50m \
+    --set autoscaling.enabled=true \
+    --set autoscaling.minReplicas=2 \
+    --set autoscaling.maxReplicas=10 \
+    --set autoscaling.targetCPU=20
+
+# Monitor replicas
+watch kubectl get pods
+
+# Monitor HPA
+watch kubectl get hpa
+
+# Create load
+kubectl run -it --rm --image=cmd.cat/bash/curl --command -- bash
+while true; do curl -so /dev/null http://my-nginx; done
@@ -2,51 +2,76 @@
 
 ![](images/automate_all_the_things.webp) <!-- .element: style="float: right; width: 40%;" -->
 
-XXX version control because YAML is text
+Handle Ops stuff like a developer would
 
-XXX separate instance for testing
+Everything in version control...
 
-XXX PR/MR for Ops changes
+...because YAML is text
 
-XXX automated tests
+Use branches for stages (e.g. dev, qa, live)
+
+Pipeline to deploy to stages
+
+Integrate changes using pull/merge requests
+
+Add automated tests to pipeline
+
+Changes are pushed into Kubernetes cluster
 
 ---
 
 ## Cluster access 1/
 
 Different approches to access the cluster from a pipeline
 
+![](120_kubernetes/ci_cd/inside.drawio.svg) <!-- .element: style="float: right; width: 20%; margin-top: 1em;" -->
+
 ### Inside cluster
 
 Pipeline runs inside the target cluster
 
-![](120_kubernetes/ci_cd/inside.drawio.svg) <!-- .element: style="width: 50%;" -->
-
 Direct API access with RBAC
 
-### Demo
+![](120_kubernetes/ci_cd/side-by-side.drawio.svg) <!-- .element: style="float: right; width: 20%; margin-top: 1em;" -->
 
-XXX
+### Next to cluster
 
----
+Pipeline runs somewhere else...
 
-## Cluster access 2/2
+...or does not have direct access to Kubernetes API
 
-Different approches to access the cluster from a pipeline
+Pipeline fetches (encrypted) kubeconfig
 
-### Next to cluster
+---
 
-Pipeline runs somewhere else...
+## Useful tools
 
-...or does not have direct access to Kubernetes API
+Validate YAML using `yamllint` [](https://github.com/adrienverge/yamllint)
 
-![](120_kubernetes/ci_cd/side-by-side.drawio.svg) <!-- .element: style="width: 50%;" -->
+```bash
+helm template my-ntpd ../helm/ntpd/ >ntpd.yaml
+yamllint ntpd.yaml
+cat <<EOF >.yamllint
+rules:
+  indentation:
+    indent-sequences: consistent
+EOF
+yamllint ntpd.yaml
+```
 
-Pipeline fetches (encrypted) kubeconfig
+Validate against official schemas using `kubeval` [](https://github.com/instrumenta/kubeval):
 
-### Demo
+```bash
+kubeval ntpd.yaml
+```
 
-XXX
+Static analysis using `kube-linter` [](https://github.com/stackrox/kube-linter)
+
+```bash
+kube-linter lint ntpd.yaml
+kube-linter lint ../helm/ntpd/
+kube-linter checks list
+```
 
 ---
 
@@ -121,8 +146,6 @@ Resource requests are important for scheduling
 
 Limits are important for eviction
 
-XXX usage
-
 ### You want `(requests == limits)`
 
 Pods will not be evicted...
@@ -162,7 +185,10 @@ Next pipeline run will fail because resource already exists
 Instead create resource definition on-the-fly:
 
 ```bash
-kubectl create secret --dry-run=client \
+kubectl create secret generic foo \
+    --from-literal=bar=baz \
+    --dry-run=client \
+    --output=yaml \
 | kubectl apply -f -
 ```
 
@@ -179,8 +205,17 @@ Do not use sleep after apply, scale, delete
 Let `kubectl` do the waiting:
 
 ```bash
-kubectl wait --for=condition=ready pod/foo
-kubectl rollout status deployment bar --timeout=15m
+helm upgrade --install my-nginx bitnami/nginx \
+    --set service.type=ClusterIP
+kubectl rollout status deployment my-nginx --timeout=15m
+kubectl wait pods \
+    --for=condition=ready \
+    --selector app.kubernetes.io/instance=my-nginx
+```
+
+Works for jobs as well:
+
+```bash
 kubectl wait --for=condition=complete job/baz
 ```
 
@@ -195,13 +230,22 @@ Finding the pod name is error prone
 Filter by label:
 
 ```bash
-kubectl delete pod --selector app=foo,component=db
+helm upgrade --install my-nginx bitnami/nginx \
+    --set service.type=ClusterIP \
+    --set replicaCount=2
+kubectl delete pod --selector app.kubernetes.io/instance=my-nginx
+```
+
+Show logs of the first pod of a deployment:
+
+```bash
+kubectl logs deployment/my-nginx
 ```
 
-Show logs of a deployment with a single pod:
+Show logs of multiple pods at once with stern [](https://github.com/stern/stern):
 
 ```bash
-kubectl logs deployment/foo
+stern --selector app.kubernetes.io/instance=my-nginx
 ```
 
 ---
@@ -215,15 +259,24 @@ When a pod is broken, it can be investigated
 Remove a label to exclude it from `ReplicaSet`, `Deployment`, `Service`
 
 ```bash
-kubectl label pod foo-12345 app-
+helm upgrade --install my-nginx bitnami/nginx \
+    --set service.type=ClusterIP \
+    --set replicaCount=2
+kubectl get pods -l app.kubernetes.io/instance=my-nginx -o name \
+| head -n 1 \
+| xargs -I{} kubectl label {} app.kubernetes.io/instance-
 ```
 
 `ReplicaSet` replaces missing pod
 
-Pod `foo-12345` can be investigated
-
 Remove after troubleshooting
 
+```bash
+kubectl logs --selector '!app.kubernetes.io/instance'
+kubectl delete pod \
+    -l 'app.kubernetes.io/name=nginx,!app.kubernetes.io/instance'
+```
+
 ---
 
 ## Lessons Learnt 5/
@@ -267,13 +320,3 @@ Doing updates regularly is easier
 Automerge for patches can help stay on top of things
 
 Automated tests help decide whether an update is safe
-
----
-
-## Lessons Learnt 7/7
-
-### Image tags
-
-XXX immutable tags
-
-XXX version pinning
 
@@ -0,0 +1,22 @@
+# Create chart
+
+# Check files
+cat Chart.yaml
+cat templates/daemonset.yaml
+cat templates/_helpers.tpl
+
+# Lint chart
+helm lint .
+
+# Create resources
+helm template my-ntpd .
+
+# Check resources
+helm template my-ntpd . \
+| kubectl apply --dry-run=server -f -
+
+# Package chart (upload to repository is manual)
+helm package .
+
+# Push to OCI registry
+helm push ntpd-1.0.0.tgz oci://nicholasdille/ntpd
@@ -1,4 +1,37 @@
 # Helm
 
-## XXX
-echo
+# Add repository
+helm repo add bitnami https://charts.bitnami.com/bitnami
+
+# Search for chart
+helm search repo bitnami/nginx
+
+# Search for chart versions
+helm search repo bitnami/nginx --versions
+
+# Install chart
+helm install my-nginx bitnami/nginx
+
+# Check release
+helm list
+
+# Check resources
+kubectl get all
+
+# Fix service
+helm upgrade my-nginx bitnami/nginx --set service.type=ClusterIP
+
+# Check service
+kubectl get service my-nginx -o yaml
+
+# Downgrade nginx to stable
+helm upgrade my-nginx bitnami/nginx --reuse-values --set image.tag=1.24.0
+
+# Check image tag
+kubectl get deployments.apps my-nginx -o yaml | grep image:
+
+# Read values from release
+helm get values my-nginx
+
+# Display release history
+helm history my-nginx