Skip to content

💄 Improve Attack of the Pipelines section💄 #347

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Nov 10, 2025
Merged

💄 Improve Attack of the Pipelines section💄 #347

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 6 additions & 6 deletions docs/2-attack-of-the-pipelines/1-sealed-secrets.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,10 +2,10 @@

When we say GitOps, we say _"if it's not in Git, it's NOT REAL"_. But how are we going to store our sensitive data like credentials in Git repositories, where many people can access?! Sure, Kubernetes provides a way to manage secrets, but the problem is that it stores the sensitive information as a base64 string - anyone can decode the base64 string! Therefore, we cannot store `Secret` manifest files openly. We use an open-source tool called Sealed Secrets to address this problem.

Sealed Secrets allows us to _seal_ Kubernetes secrets by using a utility called `kubeseal`. The `SealedSecrets` are Kubernetes resources that contain encrypted `Secret` object that only the controller can decrypt. Therefore, a `SealedSecret` is safe to store even in a public repository.
Sealed Secrets allows us to _seal_ Kubernetes secrets by using a utility called `kubeseal`. The `SealedSecrets` are Kubernetes resources that contain an encrypted `Secret` object that only the controller can decrypt. Therefore, a `SealedSecret` is safe to store even in a public repository.

<p class="warn">
⛷️ <b>NOTE</b> ⛷️ - If you switch to a different Dev Spaces Workspaces environment, please run below commands before going forward.
⛷️ <b>NOTE</b> ⛷️ - If you switch to a different Dev Spaces Workspace environment, please run below commands before going forward.
</p>

```bash
Expand All @@ -16,7 +16,7 @@ git pull

### Sealed Secrets in action

1. The observant among you will have noticed that in the previous exercise we created a secret for git and added it to the cluster WITHOUT putting it in git...😳 Let's start by fixing this and sealing our Git credentials so they can be safely checked in to the code. First, we'll create the secret in a tmp directory. Make sure you have your gitlab user and PAT from the previous exercise set in your environment
1. The observant among you will have noticed that in the previous exercise we created a secret for git and added it to the cluster WITHOUT putting it in git...😳 Let's start by fixing this and sealing our Git credentials so they can be safely checked into the code. First, we'll create the secret in a tmp directory. Make sure you have your gitlab user and PAT from the previous exercise set in your environment

```bash
echo ${GITLAB_USER}
Expand Down Expand Up @@ -67,7 +67,7 @@ EOF
cat /tmp/sealed-git-auth.yaml
```

We should now see the secret is sealed, so it is safe for us to store in our repository. It should look something a bit like this, but with longer password and username output.
We should now see the secret is sealed, so it is safe for us to store in our repository. It should look something like this, but with longer password and username output.

<div class="highlight" style="background: #f7f7f7">
<pre><code class="language-yaml">
Expand Down Expand Up @@ -107,7 +107,7 @@ EOF
source_ref: "1.0.3"
values:
secrets:
# Additional secrets will be added to this list along the exercises.
# Additional secrets will be added to this list throughout the exercises.
- name: git-auth
type: kubernetes.io/basic-auth
annotations:
Expand Down Expand Up @@ -148,7 +148,7 @@ EOF

![argocd-git-auth-synced.png](images/argocd-git-auth-synced.png)

9. You can also verify it's been synced to Jenkins now by opening `Jenkins -> Manage Jenkins -> Manage Credentials` to view the `<TEAM_NAME>-ci-cd-git-auth` credential
9. You can also verify it's been synced to Jenkins now by opening `Jenkins -> Manage Jenkins -> Credentials` to view the `<TEAM_NAME>-ci-cd-git-auth` credential

```bash#test
echo https://$(oc get route jenkins --template='{{ .spec.host }}' -n ${TEAM_NAME}-ci-cd)
Expand Down
49 changes: 24 additions & 25 deletions docs/2-attack-of-the-pipelines/2-app-of-apps.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,15 +2,15 @@

We need a way to bundle up all of our applications and deploy them into each environment. Each PetBattle application has its own Git repository and Helm chart, making it easier to code and deploy independently from other apps.

A developer can get the same experience and end result installing an application chart using `helm install` as our fully automated pipeline. This is important from a useability perspective. Argo CD has great support for all sorts of packaging formats that suit Kubernetes deployments, `Kustomize`, `Helm`, as well as just raw YAML files. Because Helm is a template language, we can mutate the Helm chart templates and their generated Kubernetes objects with various values allowing us to configure them with a custom configuration per environment.
A developer can get the same experience and end result installing an application chart using `helm install` as our fully automated pipeline. This is important from a usability perspective. Argo CD has great support for all sorts of packaging formats that suit Kubernetes deployments, `Kustomize`, `Helm`, as well as just raw YAML files. Because Helm is a template language, we can mutate the Helm chart templates and their generated Kubernetes objects with various values allowing us to configure them with a custom configuration per environment.

We deploy each of our applications using an Argo CD `application` definition. We use one Argo CD `application` definition for every environment in which we wish to deploy the application. We make use of Argo CD `app of apps pattern` to bundle all of these all up; some might call this an application suite or a system! In PetBattle we generate the app-of-apps definitions using a Helm chart.
We deploy each of our applications using an Argo CD `application` definition. We use one Argo CD `application` definition for every environment in which we wish to deploy the application. We make use of Argo CD `app-of-apps pattern` to bundle all of these up; some might call this an application suite or a system! In Pet Battle we generate the app-of-apps definitions using a Helm chart.

### Deploying Pet Battle - Keycloak

> In this exercise we'll deploy PetBattle and a supporting piece of tech it uses (Keycloak) using the same pattern. We'll deploy PetBattle to two environments - `test` and `stage` by configuring the values files in `pet-battle/stage/values.yaml` && `pet-battle/test/values.yaml`

1. In your IDE - open `tech-exercises/values.yaml` file at the root of this project and **swap** `enabled: false` to `enabled: true` as shown below for each of the app-of-pb definitions:
1. In your IDE - open `tech-exercise/values.yaml` file at the root of this project and **swap** `enabled: false` to `enabled: true` as shown below for each of the app-of-pb definitions:

<div class="highlight" style="background: #f7f7f7">
<pre><code class="language-yaml">
Expand Down Expand Up @@ -102,6 +102,7 @@ We deploy each of our applications using an Argo CD `application` definition. We
image_version: latest # container image version
hpa:
enabled: false
servicemonitor: false

pet-battle:
name: pet-battle
Expand All @@ -118,7 +119,7 @@ We deploy each of our applications using an Argo CD `application` definition. We
```bash#test
# test
if [[ $(yq e '.applications[] | select(.name=="pet-battle-api") | length' /projects/tech-exercise/pet-battle/test/values.yaml) < 1 ]]; then
yq e '.applications.pet-battle-api = {"name": "pet-battle-api","enabled": true,"source": "https://petbattle.github.io/helm-charts","chart_name": "pet-battle-api","source_ref": "1.5.0","values": {"image_name": "pet-battle-api","image_version": "latest", "hpa": {"enabled": false}}}' -i /projects/tech-exercise/pet-battle/test/values.yaml
yq e '.applications.pet-battle-api = {"name": "pet-battle-api","enabled": true,"source": "https://petbattle.github.io/helm-charts","chart_name": "pet-battle-api","source_ref": "1.5.0","values": {"image_name": "pet-battle-api","image_version": "latest", "hpa": {"enabled": false}}, "servicemonitor": false }' -i /projects/tech-exercise/pet-battle/test/values.yaml
fi
if [[ $(yq e '.applications[] | select(.name=="pet-battle") | length' /projects/tech-exercise/pet-battle/test/values.yaml) < 1 ]]; then
yq e '.applications.pet-battle = {"name": "pet-battle","enabled": true,"source": "https://petbattle.github.io/helm-charts","chart_name": "pet-battle","source_ref": "1.0.6","values": {"image_version": "latest"}}' -i /projects/tech-exercise/pet-battle/test/values.yaml
Expand All @@ -128,7 +129,7 @@ We deploy each of our applications using an Argo CD `application` definition. We
sed -i '/^# Pet Battle Apps/d' /projects/tech-exercise/pet-battle/test/values.yaml
# stage
if [[ $(yq e '.applications[] | select(.name=="pet-battle-api") | length' /projects/tech-exercise/pet-battle/stage/values.yaml) < 1 ]]; then
yq e '.applications.pet-battle-api = {"name": "pet-battle-api","enabled": true,"source": "https://petbattle.github.io/helm-charts","chart_name": "pet-battle-api","source_ref": "1.5.0","values": {"image_name": "pet-battle-api","image_version": "latest", "hpa": {"enabled": false}}}' -i /projects/tech-exercise/pet-battle/stage/values.yaml
yq e '.applications.pet-battle-api = {"name": "pet-battle-api","enabled": true,"source": "https://petbattle.github.io/helm-charts","chart_name": "pet-battle-api","source_ref": "1.5.0","values": {"image_name": "pet-battle-api","image_version": "latest", "hpa": {"enabled": false}}, "servicemonitor": false }' -i /projects/tech-exercise/pet-battle/stage/values.yaml
fi
if [[ $(yq e '.applications[] | select(.name=="pet-battle") | length' /projects/tech-exercise/pet-battle/stage/values.yaml) < 1 ]]; then
yq e '.applications.pet-battle = {"name": "pet-battle","enabled": true,"source": "https://petbattle.github.io/helm-charts","chart_name": "pet-battle","source_ref": "1.0.6","values": {"image_version": "latest"}}' -i /projects/tech-exercise/pet-battle/stage/values.yaml
Expand All @@ -138,7 +139,7 @@ We deploy each of our applications using an Argo CD `application` definition. We
sed -i '/^# Pet Battle Apps/d' /projects/tech-exercise/pet-battle/stage/values.yaml
```

2. The frontend needs to have some configuration applied to it. This could be packaged up in the helm chart or baked into the image - BUT we should really apply configuration as *code*. We should build our apps once so they can be initialized in many environments with configuration supplied at runtime. For the frontend, this means supplying the information about where the API live. We use ArgoCD to manage our application deployments, hence we should update the values supplied to this chart as such.
2. The frontend needs to have some configuration applied to it. This could be packaged up in the helm chart or baked into the image - BUT we should really apply configuration as *code*. We should build our apps once so they can be initialized in many environments with configuration supplied at runtime. For the frontend, this means supplying the information about where the API lives. We use ArgoCD to manage our application deployments, hence we should update the values supplied to this chart as such.

```bash#test
export JSON="'"'{
Expand Down Expand Up @@ -239,30 +240,28 @@ We deploy each of our applications using an Argo CD `application` definition. We

![test-pet-battle-apps-topology.png](images/test-pet-battle-apps-topology.png)

</br>
🔐🔐 If you have not seen the Keycloak Test or Stage dashboard, visit the following URL to test the access and accept the respective SSL certificate 🔐🔐
### Accessing the Pet Battle Application

```bash#test
https://keycloak-<TEAM_NAME>-test.<CLUSTER_DOMAIN>/auth
https://keycloak-<TEAM_NAME>-stage.<CLUSTER_DOMAIN>/auth
```
As we saw when configuring the `pet-battle` application in the `values.yaml` file, it consists of three components:

![test-pet-battle-apps-first.png](images/keycloak.png)
* **Pet Battle API**: API that serves the Pet Battle application.
* **Pet Battle**: Frontend application.
* **Keycloak**: Serves the authentication and authorization for the Pet Battle application.

</br>
🔐🔐 If you have not seen the Pet Battle API service, visit the following URL to test the access and accept the respective SSL certificate 🔐🔐
Let's see how to access each of these components:

```bash#test
https://pet-battle-api-<TEAM_NAME>-test.<CLUSTER_DOMAIN>
https://pet-battle-api-<TEAM_NAME>-stage.<CLUSTER_DOMAIN>
```
1. 🔐🔐 **Keycloak** 🔐🔐
* https://keycloak-<TEAM_NAME>-test.<CLUSTER_DOMAIN>/auth
* https://keycloak-<TEAM_NAME>-stage.<CLUSTER_DOMAIN>/auth

![test-pet-battle-apps-first.png](images/keycloak.png)

</br>
😻😻 Finally, select the Pet Battle URL link highlighted above and you should see ... 😻😻
2. 🔗🔗 **Pet Battle API** 🔗🔗
* https://pet-battle-api-<TEAM_NAME>-test.<CLUSTER_DOMAIN>
* https://pet-battle-api-<TEAM_NAME>-stage.<CLUSTER_DOMAIN>

```bash#test
https://pet-battle-<TEAM_NAME>-test.<CLUSTER_DOMAIN>
https://pet-battle-<TEAM_NAME>-stage.<CLUSTER_DOMAIN>
```
3. 😻😻 **Pet Battle** 😻😻
* https://pet-battle-<TEAM_NAME>-test.<CLUSTER_DOMAIN>
* https://pet-battle-<TEAM_NAME>-stage.<CLUSTER_DOMAIN>

![test-pet-battle-apps-first.png](images/test-pet-battle-apps-first.png)
4 changes: 2 additions & 2 deletions docs/2-attack-of-the-pipelines/3-the-pipelines.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
## Pipelines

Why creating pipelines:
Why create pipelines:

* Assurance - drive up code quality and remove the need for dedicated deployment / release management teams
* Freedom - allow developers to take ownership of how and when code gets built and shipped
Expand Down Expand Up @@ -33,7 +33,7 @@ Choose your own adventure! Each group will get to perform similar tasks:
| * We need to fork PetBattle (clone from GitHub and push to GitLab) | * We need to fork PetBattle API (clone from GitHub and push to GitLab) |
| * Update `Jenkinsfile` task to leave out some stuff for participants | * Update Tekton task to leave out some stuff for participants |
| * Add a webhook into GitLab repositories for triggering jobs | * Add webhook into GitLab repositories for triggering jobs |
| * Update `pet-battle/stage/values.yaml` && `pet-battle/test/values.yaml` with services information. (That's where two teams integrate their work.) | * Update `pet-battle/stage/values.yaml` && `pet-battle/test/values.yaml` with services information. (That's where two teams integrate their work.)
| * Update `pet-battle/stage/values.yaml` && `pet-battle/test/values.yaml` with services information. (That's where two groups integrate their work.) | * Update `pet-battle/stage/values.yaml` && `pet-battle/test/values.yaml` with services information. (That's where two groups integrate their work.)
| * By updating version files (pom.xml etc), kick off the pipelines | * By updating version files (pom.xml etc), kick off the pipelines |
| <span style="color:blue;">[jenkins](2-attack-of-the-pipelines/3a-jenkins.md)</span> | <span style="color:blue;">[tekton](2-attack-of-the-pipelines/3b-tekton.md)</span> |

Expand Down
Loading