新增learn-kubernetes（https://github.com/yyong-brs/learn-kubernetes）相关文件

learn/learn-kubernetes-master/kiamol/ch15/add-to-hosts.ps1

@@ -0,0 +1,13 @@
+param (
+	[string] $domain,
+	[string] $ingress
+)
+
+$controller="$ingress-controller"
+$ns="kiamol-$ingress"
+$ip=$(kubectl get svc $controller -o jsonpath='{.status.loadBalancer.ingress[0].*}' -n $ns)
+if ($ip -eq 'localhost') {
+	$ip='127.0.0.1'
+}
+
+Add-Content -Value "$ip  $domain" -Path C:/windows/system32/drivers/etc/hosts

learn/learn-kubernetes-master/kiamol/ch15/add-to-hosts.sh

@@ -0,0 +1,10 @@
+#!/bin/sh
+
+CONTROLLER="$2-controller"
+NS="kiamol-$2"
+IP=$(kubectl get svc $CONTROLLER -o jsonpath='{.status.loadBalancer.ingress[0].*}' -n $NS)
+if [ "$IP" = "localhost" ]; then 
+    IP='127.0.0.1'
+fi
+
+echo "$IP  $1" | sudo tee -a /etc/hosts

learn/learn-kubernetes-master/kiamol/ch15/cert-generator.yaml

@@ -0,0 +1,18 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: cert-generator
+  labels:
+    kiamol: ch15
+spec:
+  selector:
+    matchLabels:
+      app: cert-generator
+  template:
+    metadata:
+      labels:
+        app: cert-generator
+    spec:
+      containers:
+        - name: cert-generator
+          image: kiamol/ch15-cert-generator

learn/learn-kubernetes-master/kiamol/ch15/docker-images/amd64.yml

@@ -0,0 +1,5 @@
+version: "3.7"
+
+services:
+  ch15-cert-generator:
+    image: kiamol/ch15-cert-generator:latest-linux-amd64

learn/learn-kubernetes-master/kiamol/ch15/docker-images/arm64.yml

@@ -0,0 +1,5 @@
+version: "3.7"
+
+services:
+  ch15-cert-generator:
+    image: kiamol/ch15-cert-generator:latest-linux-arm64

learn/learn-kubernetes-master/kiamol/ch15/docker-images/cert-generator/Dockerfile

@@ -0,0 +1,15 @@
+FROM alpine:3.12
+
+RUN apk add --no-cache openssl
+RUN apk add --no-cache --repository http://dl-cdn.alpinelinux.org/alpine/edge/testing kubectl
+
+COPY start.sh /
+RUN chmod +x /start.sh
+
+ENV HOST_NAME="kiamol.local" \
+    HOST_IP="127.0.0.1" \
+    SAN="DNS:hello.kiamol.local,DNS:vweb.kiamol.local,DNS:todo.kiamol.local,DNS:todo2.kiamol.local,DNS:pi.kiamol.local" \
+    EXPIRY_DAYS=730
+
+WORKDIR /certs
+CMD /start.sh ${HOST_NAME} ${HOST_IP} ${SAN} ${EXPIRY_DAYS}

learn/learn-kubernetes-master/kiamol/ch15/docker-images/cert-generator/start.sh

@@ -0,0 +1,47 @@
+#!/bin/sh
+
+echo ----------------
+echo "Generating certs - hostname: $HOST_NAME; IP: $HOST_IP; SAN: $SAN, expiry days: $EXPIRY_DAYS"
+echo ----------------
+
+openssl rand -base64 32 > ca.password
+
+openssl genrsa -aes256 -passout file:ca.password -out ca-key.pem 4096
+openssl req -subj "/C=UK/ST=LONDON/L=London/O=KIAMOL/OU=elton" -new -x509 -days $EXPIRY_DAYS -passin file:ca.password -key ca-key.pem -sha256 -out ca.pem
+
+openssl genrsa -out server-key.pem 4096
+openssl req -subj "/CN=$HOST_NAME" -sha256 -new -key server-key.pem -out server.csr
+
+echo "subjectAltName = $SAN" >> extfile.cnf
+echo extendedKeyUsage = serverAuth >> extfile.cnf
+openssl x509 -req -days $EXPIRY_DAYS -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf -passin file:ca.password
+
+rm *.cnf
+rm *.csr
+rm *.srl
+
+echo ----------------
+echo Certs generated. 
+echo ----------------
+
+if [ -n "$CREATE_SECRET" ]; then
+    # set up access to Kube API
+    kubectl config set-cluster default --server=https://kubernetes.default.svc.cluster.local --certificate-authority=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+    kubectl config set-context default --cluster=default
+    kubectl config set-credentials user --token=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
+    kubectl config set-context default --user=user
+    kubectl config use-context default
+
+    mv server-cert.pem tls.crt
+    mv server-key.pem tls.key
+    kubectl create secret tls $CREATE_SECRET --key=tls.key --cert=tls.crt
+    kubectl label secret $CREATE_SECRET kiamol=$SECRET_LABEL
+
+    echo ---------------
+    echo Created secret.
+    echo ---------------
+
+    openssl base64 -A <"ca.pem" > ca.base64
+fi
+
+trap : TERM INT; (while true; do sleep 1000; done) & wait

learn/learn-kubernetes-master/kiamol/ch15/docker-images/docker-compose.yml

@@ -0,0 +1,7 @@
+version: "3.7"
+
+services:
+  ch15-cert-generator:
+    image: kiamol/ch15-cert-generator:latest
+    build:
+      context: ./cert-generator

learn/learn-kubernetes-master/kiamol/ch15/docker-images/push-manifests.ps1

@@ -0,0 +1,10 @@
+$images=$(yq e '.services.[].image' docker-compose.yml)
+
+foreach ($image in $images)
+{    
+    docker manifest create --amend $image `
+      "$($image)-linux-arm64" `
+      "$($image)-linux-amd64"
+    
+    docker manifest push $image
+}

learn/learn-kubernetes-master/kiamol/ch15/hello-kiamol/deployment.yaml

@@ -0,0 +1,21 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: hello-kiamol
+  labels:
+    kiamol: ch15
+spec:
+  selector:
+    matchLabels:
+      app: hello-kiamol
+  template:
+    metadata:
+      labels:
+        app: hello-kiamol
+    spec:
+      containers:
+        - name: web
+          image: kiamol/ch02-hello-kiamol
+          ports:
+            - containerPort: 80
+              name: http

learn/learn-kubernetes-master/kiamol/ch15/hello-kiamol/ingress/hello.kiamol.local.yaml

@@ -0,0 +1,15 @@
+apiVersion: networking.k8s.io/v1beta1 
+kind: Ingress
+metadata:
+  name: hello-kiamol
+  labels:
+    kiamol: ch15
+spec:
+  rules:
+  - host: hello.kiamol.local
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: hello-kiamol
+          servicePort: 80

learn/learn-kubernetes-master/kiamol/ch15/hello-kiamol/ingress/localhost.yaml

@@ -0,0 +1,14 @@
+apiVersion: networking.k8s.io/v1beta1 
+kind: Ingress
+metadata:
+  name: hello-kiamol
+  labels:
+    kiamol: ch15
+spec:
+  rules:
+  - http:
+      paths:
+      - path: /
+        backend:
+          serviceName: hello-kiamol
+          servicePort: 80

learn/learn-kubernetes-master/kiamol/ch15/hello-kiamol/service.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: hello-kiamol
+  labels:
+    kiamol: ch15
+spec:
+  ports:
+    - port: 80
+      targetPort: http
+  selector:
+    app: hello-kiamol
+  type: ClusterIP

learn/learn-kubernetes-master/kiamol/ch15/ingress-nginx/nginx-ingress-controller.yaml

@@ -0,0 +1,271 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: kiamol-ingress-nginx
+  labels:
+    kiamol: ch15
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: ingress-nginx-controller
+  namespace: kiamol-ingress-nginx
+data:
+  http-snippet: |
+    proxy_cache_path /tmp/nginx-cache levels=1:2 keys_zone=static-cache:2m max_size=100m inactive=7d use_temp_path=off;
+    proxy_cache_key $scheme$proxy_host$request_uri;
+    proxy_cache_lock on;
+    proxy_cache_use_stale updating;
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: ingress-nginx-controller
+  namespace: kiamol-ingress-nginx
+spec:
+  type: LoadBalancer
+  ports:
+    - name: http
+      port: 80
+      targetPort: http
+    - name: https
+      port: 443
+      targetPort: https
+  selector:
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/component: controller
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ingress-nginx-controller
+  namespace: kiamol-ingress-nginx
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: ingress-nginx
+      app.kubernetes.io/instance: ingress-nginx
+      app.kubernetes.io/component: controller
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/component: controller
+    spec:
+      containers:
+        - name: controller
+          image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.33.0
+          args:
+            - /nginx-ingress-controller
+            - --publish-service=kiamol-ingress-nginx/ingress-nginx-controller
+            - --election-id=ingress-controller-leader
+            - --ingress-class=nginx
+            - --configmap=kiamol-ingress-nginx/ingress-nginx-controller
+          securityContext:
+            runAsUser: 101
+            allowPrivilegeEscalation: true
+          env:
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+          ports:
+            - name: http
+              containerPort: 80
+              protocol: TCP
+            - name: https
+              containerPort: 443
+              protocol: TCP
+      serviceAccountName: ingress-nginx
+---
+# RBAC configuration
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: ingress-nginx
+  namespace: kiamol-ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ingress-nginx
+  namespace: kiamol-ingress-nginx
+rules:
+  - apiGroups:
+      - ''
+    resources:
+      - configmaps
+      - endpoints
+      - nodes
+      - pods
+      - secrets
+    verbs:
+      - list
+      - watch
+  - apiGroups:
+      - ''
+    resources:
+      - nodes
+    verbs:
+      - get
+  - apiGroups:
+      - ''
+    resources:
+      - services
+    verbs:
+      - get
+      - list
+      - update
+      - watch
+  - apiGroups:
+      - extensions
+      - networking.k8s.io   # k8s 1.14+
+    resources:
+      - ingresses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ''
+    resources:
+      - events
+    verbs:
+      - create
+      - patch
+  - apiGroups:
+      - extensions
+      - networking.k8s.io   # k8s 1.14+
+    resources:
+      - ingresses/status
+    verbs:
+      - update
+  - apiGroups:
+      - networking.k8s.io   # k8s 1.14+
+    resources:
+      - ingressclasses
+    verbs:
+      - get
+      - list
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: ingress-nginx
+  namespace: kiamol-ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx
+subjects:
+  - kind: ServiceAccount
+    name: ingress-nginx
+    namespace: kiamol-ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: ingress-nginx
+  namespace: kiamol-ingress-nginx
+rules:
+  - apiGroups:
+      - ''
+    resources:
+      - namespaces
+    verbs:
+      - get
+  - apiGroups:
+      - ''
+    resources:
+      - configmaps
+      - pods
+      - secrets
+      - endpoints
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ''
+    resources:
+      - services
+    verbs:
+      - get
+      - list
+      - update
+      - watch
+  - apiGroups:
+      - extensions
+      - networking.k8s.io   # k8s 1.14+
+    resources:
+      - ingresses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+      - networking.k8s.io   # k8s 1.14+
+    resources:
+      - ingresses/status
+    verbs:
+      - update
+  - apiGroups:
+      - networking.k8s.io   # k8s 1.14+
+    resources:
+      - ingressclasses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ''
+    resources:
+      - configmaps
+    resourceNames:
+      - ingress-controller-leader-nginx
+    verbs:
+      - get
+      - update
+  - apiGroups:
+      - ''
+    resources:
+      - configmaps
+    verbs:
+      - create
+  - apiGroups:
+      - ''
+    resources:
+      - endpoints
+    verbs:
+      - create
+      - get
+      - update
+  - apiGroups:
+      - ''
+    resources:
+      - events
+    verbs:
+      - create
+      - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: ingress-nginx
+  namespace: kiamol-ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx
+subjects:
+  - kind: ServiceAccount
+    name: ingress-nginx
+    namespace: kiamol-ingress-nginx

learn/learn-kubernetes-master/kiamol/ch15/ingress-traefik/traefik-ingress-controller.yaml

@@ -0,0 +1,115 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: kiamol-ingress-traefik
+  labels:
+    kiamol: ch15
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: ingress-traefik-controller
+  namespace: kiamol-ingress-traefik
+spec:
+  selector:
+    k8s-app: traefik-ingress-lb
+  ports:
+    - name: http
+      port: 8015      
+      targetPort: http
+    - name: https
+      port: 9443      
+      targetPort: https
+    - name: admin
+      port: 8080
+      targetPort: admin
+  type: LoadBalancer
+---
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name: ingress-traefik-controller
+  namespace: kiamol-ingress-traefik
+  labels:
+    k8s-app: traefik-ingress-lb
+spec:
+  selector:
+    matchLabels:
+      k8s-app: traefik-ingress-lb
+  template:
+    metadata:
+      labels:
+        k8s-app: traefik-ingress-lb
+        name: traefik-ingress-lb
+    spec:
+      containers:
+      - image: traefik:v2.2.1
+        name: traefik-ingress-lb
+        ports:
+        - name: http
+          containerPort: 80
+        - name: https
+          containerPort: 443
+        - name: admin
+          containerPort: 8080
+        args:
+        - --api.insecure
+        - --api.dashboard
+        - --providers.kubernetesingress
+        - --providers.kubernetesingress.ingressClass=traefik
+        - --entryPoints.web.address=:80
+        - --entryPoints.websecure.address=:443
+        - --log.level=debug
+      serviceAccountName: ingress-traefik
+---
+# RBAC configuration
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: ingress-traefik
+  namespace: kiamol-ingress-traefik
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: ingress-traefik-controller
+  namespace: kiamol-ingress-traefik
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - services
+      - endpoints
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+    resources:
+      - ingresses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+    - extensions
+    resources:
+    - ingresses/status
+    verbs:
+    - update
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: ingress-traefik-controller
+  namespace: kiamol-ingress-traefik
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-traefik-controller
+subjects:
+- kind: ServiceAccount
+  name: ingress-traefik
+  namespace: kiamol-ingress-traefik

learn/learn-kubernetes-master/kiamol/ch15/lab/README.md

@@ -0,0 +1,51 @@
+# Ch15 lab
+
+## Setup
+
+Deploy the ingress controller:
+
+```
+kubectl apply -f lab/ingress-nginx/
+```
+
+## Sample Solution
+
+The background info is in the [Nginx ingress controller spec](./ingress-nginx/nginx-ingress-controller.yaml)
+
+- it's set to monitor one namespace with the argument:  `--watch-namespace=kiamol-ch15-lab`
+
+- it uses a custom ingress class name: `--ingress-class=nginx-lab`          
+
+Deploy the app to the correct namespace:
+
+```
+kubectl apply -f lab/apod/ -n kiamol-ch15-lab
+```
+
+My Ingress specs for the [API](./solution/ingress-api.yaml) and the [website](./solution/ingress-web.yaml) specify the ingress class and the rate limit in annotations:
+
+```
+kubectl apply -f lab/solution/ -n kiamol-ch15-lab
+```
+
+Add the domain to your hosts file (use .sh script file on Linux/macOS):
+
+```
+./add-to-hosts.ps1 api.apod.local ingress-lab
+
+./add-to-hosts.ps1 web.apod.local ingress-lab
+```
+
+> Browse to http://www.apod.local/ and http://api.apod.local/image and you'll get responses
+
+> Refresh a lot and you'll get a 503 error:
+
+![503 from a rate-limiting ingress controller](./docs/503.png)
+
+## Teardown
+
+Remove the lab namespaces:
+
+```
+kubectl delete ns -l kiamol=ch15-lab
+```

learn/learn-kubernetes-master/kiamol/ch15/lab/apod/api.yaml

@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: apod-api
+spec:
+  ports:
+    - port: 80
+      targetPort: api
+  selector:
+    app: apod-api
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: apod-api
+spec:
+  selector:
+    matchLabels:
+      app: apod-api
+  template:
+    metadata:
+      labels:
+        app: apod-api
+    spec:
+      containers:
+        - name: api
+          image: kiamol/ch14-image-of-the-day
+          ports:
+            - containerPort: 80
+              name: api
+

learn/learn-kubernetes-master/kiamol/ch15/lab/apod/log.yaml

@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: apod-log
+spec:
+  ports:
+    - port: 80
+      targetPort: api
+  selector:
+    app: apod-log
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: apod-log
+spec:
+  selector:
+    matchLabels:
+      app: apod-log
+  template:
+    metadata:
+      labels:
+        app: apod-log
+    spec:
+      containers:
+        - name: api
+          image: kiamol/ch14-access-log
+          ports:
+            - containerPort: 80
+              name: api
+

learn/learn-kubernetes-master/kiamol/ch15/lab/apod/web.yaml

@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: apod-web
+spec:
+  ports:
+    - port: 80
+      targetPort: web
+  selector:
+    app: apod-web
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: apod-web
+spec:
+  selector:
+    matchLabels:
+      app: apod-web
+  template:
+    metadata:
+      labels:
+        app: apod-web
+    spec:
+      containers:
+        - name: web
+          image: kiamol/ch14-image-gallery
+          ports:
+            - containerPort: 80
+              name: web

learn/learn-kubernetes-master/kiamol/ch15/lab/ingress-nginx/nginx-ingress-controller.yaml

@@ -0,0 +1,268 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: kiamol-ch15-lab
+  labels:
+    kiamol: ch15-lab
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: kiamol-ingress-lab
+  labels:
+    kiamol: ch15-lab
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: ingress-lab-controller
+  namespace: kiamol-ingress-lab
+data:
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: ingress-lab-controller
+  namespace: kiamol-ingress-lab
+spec:
+  type: LoadBalancer
+  ports:
+    - name: http
+      port: 80
+      targetPort: http
+  selector:
+    app.kubernetes.io/name: ingress-lab
+    app.kubernetes.io/instance: ingress-lab
+    app.kubernetes.io/component: controller
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ingress-lab-controller
+  namespace: kiamol-ingress-lab
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: ingress-lab
+      app.kubernetes.io/instance: ingress-lab
+      app.kubernetes.io/component: controller
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: ingress-lab
+        app.kubernetes.io/instance: ingress-lab
+        app.kubernetes.io/component: controller
+    spec:
+      containers:
+        - name: controller
+          image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.33.0
+          args:
+            - /nginx-ingress-controller
+            - --election-id=ingress-controller-leader-lab
+            - --publish-service=kiamol-ingress-lab/ingress-lab-controller
+            - --configmap=kiamol-ingress-lab/ingress-lab-controller
+            - --ingress-class=nginx-lab            
+            - --watch-namespace=kiamol-ch15-lab
+          securityContext:
+            runAsUser: 101
+            allowPrivilegeEscalation: true
+          env:
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+          ports:
+            - name: http
+              containerPort: 80
+              protocol: TCP
+      serviceAccountName: ingress-lab
+---
+# RBAC configuration
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: ingress-lab
+  namespace: kiamol-ingress-lab
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ingress-lab
+  namespace: kiamol-ingress-lab
+rules:
+  - apiGroups:
+      - ''
+    resources:
+      - configmaps
+      - endpoints
+      - nodes
+      - pods
+      - secrets
+    verbs:
+      - list
+      - watch
+  - apiGroups:
+      - ''
+    resources:
+      - nodes
+    verbs:
+      - get
+  - apiGroups:
+      - ''
+    resources:
+      - services
+    verbs:
+      - get
+      - list
+      - update
+      - watch
+  - apiGroups:
+      - extensions
+      - networking.k8s.io   # k8s 1.14+
+    resources:
+      - ingresses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ''
+    resources:
+      - events
+    verbs:
+      - create
+      - patch
+  - apiGroups:
+      - extensions
+      - networking.k8s.io   # k8s 1.14+
+    resources:
+      - ingresses/status
+    verbs:
+      - update
+  - apiGroups:
+      - networking.k8s.io   # k8s 1.14+
+    resources:
+      - ingressclasses
+    verbs:
+      - get
+      - list
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: ingress-lab
+  namespace: kiamol-ingress-lab
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-lab
+subjects:
+  - kind: ServiceAccount
+    name: ingress-lab
+    namespace: kiamol-ingress-lab
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: ingress-lab
+  namespace: kiamol-ingress-lab
+rules:
+  - apiGroups:
+      - ''
+    resources:
+      - namespaces
+    verbs:
+      - get
+  - apiGroups:
+      - ''
+    resources:
+      - configmaps
+      - pods
+      - secrets
+      - endpoints
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ''
+    resources:
+      - services
+    verbs:
+      - get
+      - list
+      - update
+      - watch
+  - apiGroups:
+      - extensions
+      - networking.k8s.io   # k8s 1.14+
+    resources:
+      - ingresses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+      - networking.k8s.io   # k8s 1.14+
+    resources:
+      - ingresses/status
+    verbs:
+      - update
+  - apiGroups:
+      - networking.k8s.io   # k8s 1.14+
+    resources:
+      - ingressclasses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ''
+    resources:
+      - configmaps
+    resourceNames:
+      - ingress-controller-leader-lab
+    verbs:
+      - get
+      - update
+  - apiGroups:
+      - ''
+    resources:
+      - configmaps
+    verbs:
+      - create
+  - apiGroups:
+      - ''
+    resources:
+      - endpoints
+    verbs:
+      - create
+      - get
+      - update
+  - apiGroups:
+      - ''
+    resources:
+      - events
+    verbs:
+      - create
+      - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: ingress-lab
+  namespace: kiamol-ingress-lab
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-lab
+subjects:
+  - kind: ServiceAccount
+    name: ingress-lab
+    namespace: kiamol-ingress-lab

learn/learn-kubernetes-master/kiamol/ch15/lab/solution/ingress-api.yaml

@@ -0,0 +1,19 @@
+apiVersion: networking.k8s.io/v1beta1 
+kind: Ingress
+metadata:
+  name: apod-api
+  labels:
+    kiamol: ch15-lab
+  annotations:
+    kubernetes.io/ingress.class: nginx-lab
+    nginx.ingress.kubernetes.io/limit-rpm: "2"
+spec:
+  rules:
+  - host: api.apod.local
+    http:
+      paths:
+      - pathType: Exact
+        path: /image
+        backend:
+          serviceName: apod-api
+          servicePort: 80

learn/learn-kubernetes-master/kiamol/ch15/lab/solution/ingress-web.yaml

@@ -0,0 +1,19 @@
+apiVersion: networking.k8s.io/v1beta1 
+kind: Ingress
+metadata:
+  name: apod-web
+  labels:
+    kiamol: ch15-lab
+  annotations:
+    kubernetes.io/ingress.class: nginx-lab
+    nginx.ingress.kubernetes.io/limit-rpm: "10"
+spec:
+  rules:
+  - host: www.apod.local
+    http:
+      paths:
+      - pathType: Exact
+        path: /
+        backend:
+          serviceName: apod-web
+          servicePort: 80

learn/learn-kubernetes-master/kiamol/ch15/pi/ingress.yaml

@@ -0,0 +1,15 @@
+apiVersion: networking.k8s.io/v1beta1 
+kind: Ingress
+metadata:
+  name: pi
+  labels:
+    kiamol: ch15
+spec:
+  rules:
+  - host: pi.kiamol.local
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: pi-web
+          servicePort: 80

learn/learn-kubernetes-master/kiamol/ch15/pi/update/ingress-with-cache.yaml

@@ -0,0 +1,20 @@
+apiVersion: networking.k8s.io/v1beta1 
+kind: Ingress
+metadata:
+  name: pi
+  labels:
+    kiamol: ch15
+  annotations:
+    nginx.ingress.kubernetes.io/proxy-buffering: "on" 
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      proxy_cache static-cache;
+      proxy_cache_valid 10m;
+spec:
+  rules:
+  - host: pi.kiamol.local
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: pi-web
+          servicePort: 80

learn/learn-kubernetes-master/kiamol/ch15/pi/web.yaml

@@ -0,0 +1,35 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: pi-web
+  labels:
+    kiamol: ch15
+spec:
+  ports:
+    - port: 80
+      targetPort: 80
+  selector:
+    app: pi-web
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: pi-web
+  labels:
+    kiamol: ch15
+spec:
+  selector:
+    matchLabels:
+      app: pi-web
+  template:
+    metadata:
+      labels:
+        app: pi-web
+    spec:
+      containers:
+        - image: kiamol/ch05-pi
+          command: ["dotnet", "Pi.Web.dll", "-m", "web"]
+          name: web
+          ports:
+            - containerPort: 80
+              name: http

learn/learn-kubernetes-master/kiamol/ch15/todo-list/db.yaml

@@ -0,0 +1,59 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: todo-db
+  labels:
+    kiamol: ch15
+spec:
+  ports:
+    - port: 5432
+      targetPort: 5432
+  selector:
+    app: todo-db
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: todo-db-secret
+  labels:
+    kiamol: ch15
+type: Opaque
+stringData:
+  POSTGRES_PASSWORD: "kiamol-2*2*"
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: todo-db
+  labels:
+    kiamol: ch15
+spec:
+  selector:
+    matchLabels:
+      app: todo-db
+  template:
+    metadata:
+      labels:
+        app: todo-db
+    spec:
+      containers:
+        - name: db
+          image: postgres:11.6-alpine
+          env:
+          - name: POSTGRES_PASSWORD_FILE
+            value: /secrets/postgres_password
+          volumeMounts:
+            - name: secret
+              mountPath: "/secrets"
+            - name: data
+              mountPath: /var/lib/postgresql/data
+      volumes:
+        - name: secret
+          secret:
+            secretName: todo-db-secret
+            defaultMode: 0400
+            items:
+            - key: POSTGRES_PASSWORD
+              path: postgres_password
+        - name: data
+          emptyDir: {}

learn/learn-kubernetes-master/kiamol/ch15/todo-list/ingress.yaml

@@ -0,0 +1,15 @@
+apiVersion: networking.k8s.io/v1beta1 
+kind: Ingress
+metadata:
+  name: todo
+  labels:
+    kiamol: ch15
+spec:
+  rules:
+  - host: todo.kiamol.local
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: todo-web
+          servicePort: 80

learn/learn-kubernetes-master/kiamol/ch15/todo-list/update/ingress-exact.yaml

@@ -0,0 +1,31 @@
+apiVersion: networking.k8s.io/v1beta1 
+kind: Ingress
+metadata:
+  name: todo
+  labels:
+    kiamol: ch15
+spec:
+  rules:
+  - host: todo.kiamol.local
+    http:
+      paths:
+      - pathType: Exact
+        path: /
+        backend:
+          serviceName: todo-web
+          servicePort: 80 
+      - pathType: Exact
+        path: /list
+        backend:
+          serviceName: todo-web
+          servicePort: 80
+      - pathType: Exact
+        path: /new
+        backend:
+          serviceName: todo-web
+          servicePort: 80
+      - pathType: Prefix
+        path: /static
+        backend:
+          serviceName: todo-web
+          servicePort: 80

learn/learn-kubernetes-master/kiamol/ch15/todo-list/update/ingress-https.yaml

@@ -0,0 +1,69 @@
+apiVersion: networking.k8s.io/v1beta1 
+kind: Ingress
+metadata:
+  name: todo-new
+  labels:
+    kiamol: ch15
+  annotations:
+    nginx.ingress.kubernetes.io/affinity: cookie
+spec:
+  rules:
+  - host: todo.kiamol.local
+    http:
+      paths:
+      - pathType: Exact
+        path: /new
+        backend:
+          serviceName: todo-web
+          servicePort: 80
+  tls:
+   - secretName: kiamol-cert
+---
+apiVersion: networking.k8s.io/v1beta1 
+kind: Ingress
+metadata:
+  name: todo-static
+  labels:
+    kiamol: ch15
+  annotations:
+    nginx.ingress.kubernetes.io/proxy-buffering: "on" 
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      proxy_cache static-cache;
+      proxy_cache_valid 60m;
+      add_header X-Cache $upstream_cache_status;
+spec:
+  rules:
+  - host: todo.kiamol.local
+    http:
+      paths:
+      - pathType: Prefix
+        path: /static
+        backend:
+          serviceName: todo-web
+          servicePort: 80
+  tls:
+   - secretName: kiamol-cert
+---
+apiVersion: networking.k8s.io/v1beta1 
+kind: Ingress
+metadata:
+  name: todo
+  labels:
+    kiamol: ch15
+spec:
+  rules:
+  - host: todo.kiamol.local
+    http:
+      paths:
+      - pathType: Exact
+        path: /
+        backend:
+          serviceName: todo-web
+          servicePort: 80 
+      - pathType: Exact
+        path: /list
+        backend:
+          serviceName: todo-web
+          servicePort: 80
+  tls:
+   - secretName: kiamol-cert

learn/learn-kubernetes-master/kiamol/ch15/todo-list/update/ingress-sticky.yaml

@@ -0,0 +1,57 @@
+apiVersion: networking.k8s.io/v1beta1 
+kind: Ingress
+metadata:
+  name: todo-new
+  annotations:
+    nginx.ingress.kubernetes.io/affinity: cookie
+spec:
+  rules:
+  - host: todo.kiamol.local
+    http:
+      paths:
+      - pathType: Exact
+        path: /new
+        backend:
+          serviceName: todo-web
+          servicePort: 80
+---
+apiVersion: networking.k8s.io/v1beta1 
+kind: Ingress
+metadata:
+  name: todo-static
+  annotations:
+    nginx.ingress.kubernetes.io/proxy-buffering: "on" 
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      proxy_cache static-cache;
+      proxy_cache_valid 60m;
+      add_header X-Cache $upstream_cache_status;
+spec:
+  rules:
+  - host: todo.kiamol.local
+    http:
+      paths:
+      - pathType: Prefix
+        path: /static
+        backend:
+          serviceName: todo-web
+          servicePort: 80
+---
+apiVersion: networking.k8s.io/v1beta1 
+kind: Ingress
+metadata:
+  name: todo
+spec:
+  rules:
+  - host: todo.kiamol.local
+    http:
+      paths:
+      - pathType: Exact
+        path: /
+        backend:
+          serviceName: todo-web
+          servicePort: 80 
+      - pathType: Exact
+        path: /list
+        backend:
+          serviceName: todo-web
+          servicePort: 80

learn/learn-kubernetes-master/kiamol/ch15/todo-list/update/ingress-traefik-certResolver.yaml

@@ -0,0 +1,66 @@
+apiVersion: networking.k8s.io/v1beta1 
+kind: Ingress
+metadata:
+  name: todo2-new
+  labels:
+    kiamol: ch15
+  annotations:
+    kubernetes.io/ingress.class: traefik
+    traefik.ingress.kubernetes.io/router.pathmatcher: Path
+    traefik.ingress.kubernetes.io/router.tls: "true"    
+    traefik.ingress.kubernetes.io/router.tls.certresolver: default
+spec:
+  rules:
+  - host: todo2.kiamol.local
+    http:
+      paths:
+      - path: /new
+        backend:
+          serviceName: todo-web-sticky
+          servicePort: 80
+---
+apiVersion: networking.k8s.io/v1beta1 
+kind: Ingress
+metadata:
+  name: todo2-static
+  labels:
+    kiamol: ch15
+  annotations:
+    kubernetes.io/ingress.class: traefik
+    traefik.ingress.kubernetes.io/router.pathmatcher: PathPrefix
+    traefik.ingress.kubernetes.io/router.tls: "true"    
+    traefik.ingress.kubernetes.io/router.tls.certresolver: default
+spec:
+  rules:
+  - host: todo2.kiamol.local
+    http:
+      paths:
+      - path: /static
+        backend:
+          serviceName: todo-web
+          servicePort: 80
+---
+apiVersion: networking.k8s.io/v1beta1 
+kind: Ingress
+metadata:
+  name: todo2
+  labels:
+    kiamol: ch15
+  annotations:
+    kubernetes.io/ingress.class: traefik
+    traefik.ingress.kubernetes.io/router.pathmatcher: Path
+    traefik.ingress.kubernetes.io/router.tls: "true"
+    traefik.ingress.kubernetes.io/router.tls.certresolver: default
+spec:
+  rules:
+  - host: todo2.kiamol.local
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: todo-web
+          servicePort: 80
+      - path: /list
+        backend:
+          serviceName: todo-web
+          servicePort: 80

learn/learn-kubernetes-master/kiamol/ch15/todo-list/update/ingress-traefik-https.yaml

@@ -0,0 +1,69 @@
+apiVersion: networking.k8s.io/v1beta1 
+kind: Ingress
+metadata:
+  name: todo2-new
+  labels:
+    kiamol: ch15
+  annotations:
+    kubernetes.io/ingress.class: traefik
+    traefik.ingress.kubernetes.io/router.pathmatcher: Path
+    traefik.ingress.kubernetes.io/router.tls: "true"
+spec:
+  rules:
+  - host: todo2.kiamol.local
+    http:
+      paths:
+      - path: /new
+        backend:
+          serviceName: todo-web-sticky
+          servicePort: 80
+  tls:
+   - secretName: kiamol-cert
+---
+apiVersion: networking.k8s.io/v1beta1 
+kind: Ingress
+metadata:
+  name: todo2-static
+  labels:
+    kiamol: ch15
+  annotations:
+    kubernetes.io/ingress.class: traefik
+    traefik.ingress.kubernetes.io/router.pathmatcher: PathPrefix
+    traefik.ingress.kubernetes.io/router.tls: "true"
+spec:
+  rules:
+  - host: todo2.kiamol.local
+    http:
+      paths:
+      - path: /static
+        backend:
+          serviceName: todo-web
+          servicePort: 80
+  tls:
+   - secretName: kiamol-cert
+---
+apiVersion: networking.k8s.io/v1beta1 
+kind: Ingress
+metadata:
+  name: todo2
+  labels:
+    kiamol: ch15
+  annotations:
+    kubernetes.io/ingress.class: traefik
+    traefik.ingress.kubernetes.io/router.pathmatcher: Path
+    traefik.ingress.kubernetes.io/router.tls: "true"
+spec:
+  rules:
+  - host: todo2.kiamol.local
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: todo-web
+          servicePort: 80
+      - path: /list
+        backend:
+          serviceName: todo-web
+          servicePort: 80
+  tls:
+   - secretName: kiamol-cert

learn/learn-kubernetes-master/kiamol/ch15/todo-list/update/ingress-traefik.yaml

@@ -0,0 +1,76 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: todo-web-sticky
+  labels:
+    kiamol: ch15
+  annotations:
+    kubernetes.io/ingress.class: traefik
+    traefik.ingress.kubernetes.io/service.sticky.cookie: "true"
+spec:
+  ports:
+    - port: 80
+      targetPort: 80
+  selector:
+    app: todo-web
+---
+apiVersion: networking.k8s.io/v1beta1 
+kind: Ingress
+metadata:
+  name: todo2-new
+  labels:
+    kiamol: ch15
+  annotations:
+    kubernetes.io/ingress.class: traefik
+    traefik.ingress.kubernetes.io/router.pathmatcher: Path
+spec:
+  rules:
+  - host: todo2.kiamol.local
+    http:
+      paths:
+      - path: /new
+        backend:
+          serviceName: todo-web-sticky
+          servicePort: 80
+---
+apiVersion: networking.k8s.io/v1beta1 
+kind: Ingress
+metadata:
+  name: todo2-static
+  labels:
+    kiamol: ch15
+  annotations:
+    kubernetes.io/ingress.class: traefik
+    traefik.ingress.kubernetes.io/router.pathmatcher: PathPrefix
+spec:
+  rules:
+  - host: todo2.kiamol.local
+    http:
+      paths:
+      - path: /static
+        backend:
+          serviceName: todo-web
+          servicePort: 80
+---
+apiVersion: networking.k8s.io/v1beta1 
+kind: Ingress
+metadata:
+  name: todo2
+  labels:
+    kiamol: ch15
+  annotations:
+    kubernetes.io/ingress.class: traefik
+    traefik.ingress.kubernetes.io/router.pathmatcher: Path
+spec:
+  rules:
+  - host: todo2.kiamol.local
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: todo-web
+          servicePort: 80
+      - path: /list
+        backend:
+          serviceName: todo-web
+          servicePort: 80

learn/learn-kubernetes-master/kiamol/ch15/todo-list/web.yaml

@@ -0,0 +1,81 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: todo-web
+  labels:
+    kiamol: ch15
+spec:
+  ports:
+    - port: 80
+      targetPort: 80
+  selector:
+    app: todo-web
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: todo-web-config
+  labels:
+    kiamol: ch15
+data:
+  config.json: |-
+    {
+      "ConfigController": {
+        "Enabled" : true
+      },
+      "Database" : {
+        "Provider" : "Postgres"
+      },
+      "Metrics" : {
+        "Enabled" : true
+      }
+    }
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: todo-web-secret
+  labels:
+    kiamol: ch15
+type: Opaque
+stringData:
+  secrets.json: |-
+    {
+      "ConnectionStrings": {
+        "ToDoDb": "Server=todo-db;Database=todo;User Id=postgres;Password=kiamol-2*2*;"
+      }
+    }
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: todo-web
+  labels:
+    kiamol: ch15
+spec:
+  selector:
+    matchLabels:
+      app: todo-web
+  template:
+    metadata:
+      labels:
+        app: todo-web
+    spec:
+      containers:
+        - name: web
+          image: kiamol/ch04-todo-list
+          volumeMounts:
+            - name: config
+              mountPath: "/app/config"
+              readOnly: true
+            - name: secret
+              mountPath: "/app/secrets"
+              readOnly: true
+      volumes:
+        - name: config
+          configMap:
+            name: todo-web-config
+        - name: secret
+          secret:
+            secretName: todo-web-secret
+            defaultMode: 0400

learn/learn-kubernetes-master/kiamol/ch15/vweb/ingress.yaml

@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1beta1 
+kind: Ingress
+metadata:
+  name: vweb
+  labels:
+    kiamol: ch15
+  annotations:
+    nginx.ingress.kubernetes.io/rewrite-target: /
+spec:
+  rules:
+  - host: vweb.kiamol.local
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: vweb-v2
+          servicePort: 80
+      - path: /v1
+        backend:
+          serviceName: vweb-v1
+          servicePort: 80
+      - path: /v2
+        backend:
+          serviceName: vweb-v2
+          servicePort: 80

learn/learn-kubernetes-master/kiamol/ch15/vweb/v1.yaml

@@ -0,0 +1,35 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: vweb-v1
+  labels:
+    kiamol: ch15
+spec:
+  ports:
+    - port: 80
+      targetPort: http
+  selector:
+    app: vweb-v1
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name:  vweb-v1
+  labels:
+    kiamol: ch15
+spec:
+  selector:
+    matchLabels:
+      app: vweb-v1
+  template:
+    metadata:
+      labels:
+        app: vweb-v1
+    spec:
+      containers:
+        - name: web
+          image: kiamol/ch09-vweb:v1
+          ports:
+            - name: http
+              containerPort: 80
+

learn/learn-kubernetes-master/kiamol/ch15/vweb/v2.yaml

@@ -0,0 +1,35 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: vweb-v2
+  labels:
+    kiamol: ch15
+spec:
+  ports:
+    - port: 80
+      targetPort: http
+  selector:
+    app: vweb-v2
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name:  vweb-v2
+  labels:
+    kiamol: ch15
+spec:
+  selector:
+    matchLabels:
+      app: vweb-v2
+  template:
+    metadata:
+      labels:
+        app: vweb-v2
+    spec:
+      containers:
+        - name: web
+          image: kiamol/ch09-vweb:v2
+          ports:
+            - name: http
+              containerPort: 80
+