Merge branch 'main' into gls-edit-non-funct-map

Author: eformat

docs/1-the-manual-menace/1-the-basics.md

@@ -49,7 +49,7 @@ oc new-project ${TEAM_NAME}-ci-cd
 ![new-project](./images/new-project.png)
 
 ### Helm 101
-> Helm is the package manager for Kubernetes. It provides a way to templatise the Kubernetes YAML that make up our application. The Kubernetes resources such as `DeploymentConfig`, `Route` & `Service` can be processed by supplying `values` to the templates. In Helm land, there are a few ways to do this. A package containing the templates and their default values is called a `chart`. 
+> Helm is the package manager for Kubernetes. It provides a way to create templates for the Kubernetes YAML that defines our application. The Kubernetes resources such as `DeploymentConfig`, `Route` & `Service` can be processed by supplying `values` to the templates. In Helm land, there are a few ways to do this. A package containing the templates and their default values is called a `chart`. 
 
 Let's deploy a simple application using Helm.
 

docs/1-the-manual-menace/4-extend-uj.md

@@ -21,7 +21,7 @@ git pull
         enabled: true
         source: https://redhat-cop.github.io/helm-charts
         chart_name: sonatype-nexus
-        source_ref: "1.1.2"
+        source_ref: "1.1.3"
         values:
           service:
             name: nexus

docs/3-revenge-of-the-automated-testing/5b-tekton.md

@@ -167,7 +167,7 @@ Let's run through a scenario where we break/fix the build with **kube-linter**.
 8. We can check the **kube-linter** command again and check these changes in:
 
     ```bash
-    cd /project/pet-battle-api
+    cd /projects/pet-battle-api
     git add .
     git commit -m  "🐊 ADD - kube-linter owner labels 🐊"
     git push

docs/3-revenge-of-the-automated-testing/8-image-signing.md

@@ -27,6 +27,11 @@
 
     You just generated two keys (one private key, one public key). Private key is used to sign the images and it is automatically saved as a secret in your `ci-cd` namespace alongside the password you choose. Public key is used to verify the signed images. You can share your public key for people to verify your images but private one should not be shared or at least sealed before storing publicly.
 
+    <p class="tip">
+    🐌 THIS IS NOT GITOPS - The generated private key is stored in a Kubernetes secret in you <TEAM_NAME>-ci-cd project. We'll leave it as an exercise to the reader to extract and store this as a SealedSecret instead! 🐎
+    </p>
+
+
 Now let's proceed to extend the pipelines with image signing step.
 
 _This step makes more sense when you use an external image registry and share images across clusters or publicly._

docs/3-revenge-of-the-automated-testing/8b-tekton.md

@@ -92,19 +92,19 @@
 
     ![cosign-image-signing](images/cosign-image-signing.png)
 
-5. Let's verify the signed image with the public key. Make sure you use the right `APP VERSION` for the image. (`1.3.1` in this case)
+5. Let's verify the signed image with the public key. Make sure you use the right `APP VERSION` for the image. (`1.2.0` in this case)
 
     ```bash
     cd /projects/pet-battle-api
     oc registry login $(oc registry info) --insecure=true
-    cosign verify --key k8s://<TEAM_NAME>-ci-cd/<TEAM_NAME>-cosign default-route-openshift-image-registry.<CLUSTER_DOMAIN>/<TEAM_NAME>-test/pet-battle-api:1.3.1
+    cosign verify --key k8s://<TEAM_NAME>-ci-cd/<TEAM_NAME>-cosign default-route-openshift-image-registry.<CLUSTER_DOMAIN>/<TEAM_NAME>-test/pet-battle-api:1.2.0
     ```
 
     The output should be like:
 
     <div class="highlight" style="background: #f7f7f7">
     <pre><code class="language-bash">
-    Verification for default-route-openshift-image-registry.<CLUSTER_DOMAIN>/<TEAM_NAME>-test/pet-battle-api:1.3.1 --
+    Verification for default-route-openshift-image-registry.<CLUSTER_DOMAIN>/<TEAM_NAME>-test/pet-battle-api:1.2.0 --
     The following checks were performed on each of these signatures:
       - The cosign claims were validated
       - The signatures were verified against the specified public key

docs/99-the-rise-of-the-cluster/666-here-be-dragons.md

@@ -0,0 +1,219 @@
+## Here be dragons!
+
+![oh-look-a-dragon](../images/oh-look-dragons.png)
+
+### Moving from one cluster to another!
+
+Because all of our code and configuration is in git, we can easily move our whole continuous delivery stack to another OpenShift cluster. This is useful if you wanted to try out all the exercises at a later stage using the code from this run.
+
+As a prerequisite - you will need to have setup TL500 using the previous section [Tooling Installation](99-the-rise-of-the-cluster/1-tooling-installation). Lets cover the steps once you have a cluster and tooling installed to get going with your code.
+
+Lets take our code from `cluster-a` to `cluster-b`.
+
+#### Guided Steps
+
+> Here are the short series of steps to make this work.
+
+1. You will need to git clone the `tech-exercise`, `pet-battle`, `pet-battle-api` repositories to your laptop for safe-keeping after taking this course.
+
+2. Use `vscode` IDE or similar to replace all the occurrances of `apps.cluster-a.com -> apps.cluster-b.com` in the code.
+
+3. Login to `gitlab` and create your ${TEAM_NAME}
+
+4. Let's push our code into the hosted `gitlab` instance in our new cluster:
+
+    ```bash
+    export GIT_SERVER=gitlab-ce.apps.cluster-b.com
+    export TEAM_NAME=ateam
+    ```
+
+    I'm assuming the code is in this folder locally on my laptop, adjust to suit. For each of the repos:
+
+    `Pet-Battle`
+
+    ```bash
+    cd ~/git/tl500/pet-battle
+    git remote set-url origin https://${GIT_SERVER}/${TEAM_NAME}/pet-battle.git
+    git push -u origin main
+    ```
+
+    `Pet-Battle-API`
+
+    ```bash
+    cd ~/git/tl500/pet-battle-api
+    git remote set-url origin https://${GIT_SERVER}/${TEAM_NAME}/pet-battle-api.git
+    git push -u origin main
+    ```
+
+    `Tech-Exercise`
+
+    ```bash
+    cd ~/git/tl500/tech-exercise
+    git remote set-url origin https://${GIT_SERVER}/${TEAM_NAME}/tech-exercise.git
+    git push -u origin main
+    ```
+
+5. Login to `gitlab` and make sure your newly created projects are set to **public** (they will be private by default).
+
+6. Regenerate the `sealed-secrets` for this new cluster. This assumes we did _not_ migrate the secret master key to the new cluster when setting up (obviously skip this step if you did migrate it!).
+
+    Set `git-auth`
+
+    ```bash
+    export GITLAB_USER=<user>
+    export GITLAB_PASSWORD=<password>
+
+    cat << EOF > /tmp/git-auth.yaml
+    kind: Secret
+    apiVersion: v1
+    data:
+      username: "$(echo -n ${GITLAB_USER} | base64 -w0)"
+      password: "$(echo -n ${GITLAB_PASSWORD} | base64 -w0)"
+    metadata:
+      annotations:
+        tekton.dev/git-0: https://${GIT_SERVER}
+      labels:
+        credential.sync.jenkins.openshift.io: "true"
+      name: git-auth
+    EOF
+
+    kubeseal < /tmp/git-auth.yaml > /tmp/sealed-git-auth.yaml \
+        -n ${TEAM_NAME}-ci-cd \
+        --controller-namespace tl500-shared \
+        --controller-name sealed-secrets \
+        -o yaml
+    ```
+
+    Set `sonarqube-auth`
+
+    ```bash
+    cat << EOF > /tmp/sonarqube-auth.yaml
+    apiVersion: v1
+    data:
+      username: "$(echo -n admin | base64 -w0)"
+      password: "$(echo -n admin123 | base64 -w0)"
+      currentAdminPassword: "$(echo -n admin | base64 -w0)"
+    kind: Secret
+    metadata:
+      labels:
+        credential.sync.jenkins.openshift.io: "true"
+      name: sonarqube-auth
+    EOF
+
+    kubeseal < /tmp/sonarqube-auth.yaml > /tmp/sealed-sonarqube-auth.yaml \
+        -n ${TEAM_NAME}-ci-cd \
+        --controller-namespace tl500-shared \
+        --controller-name sealed-secrets \
+        -o yaml
+
+    cat /tmp/sealed-sonarqube-auth.yaml| grep -E 'username|password|currentAdminPassword'
+    ```
+
+    Set `allure-auth`
+
+    ```bash
+    cat << EOF > /tmp/allure-auth.yaml
+    apiVersion: v1
+    data:
+      password: "$(echo -n password | base64 -w0)"
+      username: "$(echo -n admin | base64 -w0)"
+    kind: Secret
+    metadata:
+      name: allure-auth
+    EOF
+
+    kubeseal < /tmp/allure-auth.yaml > /tmp/sealed-allure-auth.yaml \
+        -n ${TEAM_NAME}-ci-cd \
+        --controller-namespace tl500-shared \
+        --controller-name sealed-secrets \
+        -o yaml
+
+    cat /tmp/sealed-allure-auth.yaml| grep -E 'username|password'
+    ```
+
+    Set `rox-auth`
+
+    ```bash
+    export ROX_API_TOKEN=$(oc -n stackrox get secret rox-api-token-tl500 -o go-template='{{index .data "token" | base64decode}}')
+    export ROX_ENDPOINT=central-stackrox.apps.cluster-b.com
+
+    cat << EOF > /tmp/rox-auth.yaml
+    apiVersion: v1
+    data:
+      password: "$(echo -n ${ROX_API_TOKEN} | base64 -w0)"
+      username: "$(echo -n ${ROX_ENDPOINT} | base64 -w0)"
+    kind: Secret
+    metadata:
+      labels:
+        credential.sync.jenkins.openshift.io: "true"
+      name: rox-auth
+    EOF
+
+    kubeseal < /tmp/rox-auth.yaml > /tmp/sealed-rox-auth.yaml \
+        -n ${TEAM_NAME}-ci-cd \
+        --controller-namespace tl500-shared \
+        --controller-name sealed-secrets \
+        -o yaml
+
+    cat /tmp/sealed-rox-auth.yaml | grep -E 'username|password'
+    ```
+
+7. Run the basics
+
+    ```bash
+    export TEAM_NAME="ateam"
+    export CLUSTER_DOMAIN="apps.cluster-b.com"
+    export GIT_SERVER="gitlab-ce.apps.cluster-b.com"
+
+    oc login --server=https://api.${CLUSTER_DOMAIN##apps.}:6443 -u mike
+    ```
+
+8. Install ArgoCD
+
+    Add our namespace to the operator env.var:
+
+    ```bash
+    run()
+    {
+      NS=$(oc get subscription/openshift-gitops-operator -n openshift-operators \
+        -o jsonpath='{.spec.config.env[?(@.name=="ARGOCD_CLUSTER_CONFIG_NAMESPACES")].value}')
+      if [ -z $NS ]; then
+        NS="${TEAM_NAME}-ci-cd"
+      elif [[ "$NS" =~ .*"${TEAM_NAME}-ci-cd".* ]]; then
+        echo "${TEAM_NAME}-ci-cd already added."
+        return
+      else
+        NS="${TEAM_NAME}-ci-cd,${NS}"
+      fi
+      oc -n openshift-operators patch subscription/openshift-gitops-operator --type=json \
+        -p '[{"op":"replace","path":"/spec/config/env/1","value":{"name": "ARGOCD_CLUSTER_CONFIG_NAMESPACES", "value":"'${NS}'"}}]'
+      echo "EnvVar set to: $(oc get subscription/openshift-gitops-operator -n openshift-operators \
+        -o jsonpath='{.spec.config.env[?(@.name=="ARGOCD_CLUSTER_CONFIG_NAMESPACES")].value}')"
+    }
+    run
+    ```
+
+    Deploy helm chart
+
+    ```bash
+    oc new-project ${TEAM_NAME}-ci-cd
+    helm repo add redhat-cop https://redhat-cop.github.io/helm-charts
+
+    helm upgrade --install argocd \
+    --namespace ${TEAM_NAME}-ci-cd \
+    -f tech-exercises/argocd-values.yaml \
+    redhat-cop/gitops-operator
+    ```
+
+9. Install UJ
+
+    ```bash
+    cd tech-exercises
+    helm upgrade --install uj --namespace ${TEAM_NAME}-ci-cd .
+    ```
+
+10. Add the integrations and web hooks to gitlab for `tech-exercise`, `pet-battle`, `pet-battle-api` git repos
+
+11. Kick off builds, make sure they work, fix up and helm chart version mismatches etc.
+
+12. 🎉🎉🎉 Celebrate a successful migration to a new cluster 🎉🎉🎉

docs/_sidebar.md

@@ -53,4 +53,5 @@
   * [🪄 A/B Deployments](5-the-deployments-strike-back/3-a-b-deployments.md)
   * [🐉 Here Be Dragons!](5-the-deployments-strike-back/666-here-be-dragons.md)
 * [99. Rise of the Cluster](99-the-rise-of-the-cluster/README.md)
-  * [🐼 Tooling Installation](99-the-rise-of-the-cluster/1-tooling-installation.md)
+  * [🐼 Tooling Installation](99-the-rise-of-the-cluster/1-tooling-installation.md)
+  * [🐉 Here Be Dragons!](99-the-rise-of-the-cluster/666-here-be-dragons.md)