Update.

GitLab setup/GitLab runner.md

@@ -96,10 +96,8 @@ GitLab runner can be installed into Kubernetes using Helm chart[^helm]. You can
 7. Deploy gitlab-runner using helm: Deployment takes the values from `values.yaml` file, and uses `gitlab/gitlab-runner` chart to install service we named `gitlab-runner` into `gitlab-runner` namespace.
 
     ```sh
-    helm install -f "values.yaml" --namespace gitlab-runner gitlab-runner gitlab/gitlab-runner
+    helm upgrade --install -f "values.yaml" --namespace gitlab-runner gitlab-runner gitlab/gitlab-runner
     ```
-    !!! note
-        If you need to update config, replace `install` with `upgrade`.
 
 ![Gitlab runner installed using helm](./gitlab-runner-installed.png)
 

GitLab setup/Gitlab project fork.md

 # Create project fork
 
+The course provides a template for teams to implement their solution. If your team elects to use a different technology/approach and doesn't fork the repository, please provide your repository address (keep it public!) to mentors.
+
 ## JYU Gitlab project group
 
 1. In [JYU Gitlab](https://gitlab.jyu.fi), create new group by selecting from hamburger menu **[☰ Menu]** → **Groups** → [**Create group**](https://gitlab.jyu.fi/groups/new#create-group-pane). 

GitLab setup/Pipeline setup.md

 # Pipeline setup
 
+GitLab pipeline refers to the series of tasks that are executed automatically when certain events occur in a GitLab repository. These tasks are defined in a file called `.gitlab-ci.yml`, which is located in the root of the repository. The tasks can include building and testing code, deploying to different environments, and performing other actions.
+
+[GitLab runner](../GitLab%20setup/GitLab%20runner.md) executes this file, and "pushes" changes to targets, such as [container registry](../Infrastructure%20setup/Azure%20container%20registry.md) and [Kubernetes cluster](../Infrastructure%20setup/Kubernetes%20service.md).
+
 ## GitLab access to a container registry
 
-GitLab pipeline needs to access Docker registry, and for that it needs so [way of accessing credentials](https://docs.gitlab.com/ee/ci/docker/using_docker_images.html#access-an-image-from-a-private-container-registry).
+GitLab pipeline needs to access Docker registry, and for that, it needs so [way of accessing credentials](https://docs.gitlab.com/ee/ci/docker/using_docker_images.html#access-an-image-from-a-private-container-registry). For that retrieve "admin" account from ACR. It's also possible to use a service account for [more fine granular access control](https://learn.microsoft.com/en-gb/azure/container-registry/container-registry-roles).
 
 1. Retrieve credentials from azure:
     * In [Azure portal](https://portal.azure.com) go to team "**Container registry**" (ACR).
@@ -28,19 +32,13 @@ GitLab pipeline needs to access Docker registry, and for that it needs so [way o
 5. From GitLab left menu, select "**Settings**" ➜ "**CI/CD**", and from "**Variables**" ➜ **[ Expand ]**
 
 6. In the **Variables**, add two variables with **[ Add Variable ]**:
-      One to point towars correct docker registry:
+      One to point towards correct docker registry:
       * Key: `DOCKER_REGISTRY`
-      * Value: `<login-server>`
+      * Value: Address of container registry `<login-server>`
       * Type: `Variable`
 
       And another value for authentication:
       * Key: `DOCKER_AUTH_CONFIG`
       * Value: Contents of `.docker/config.json`
       * Type: `File`
-
-      Be careful not to add extra spaces.
-
-      ![Docker credentials on GitLab variables page.](./docker-credentials.png)
-
-## Configure deployment target
-
+            ![Docker credentials on GitLab variables page.](./docker-credentials.png)

GitLab setup/values.yaml

@@ -19,15 +19,52 @@ gitlabUrl: "https://gitlab.jyu.fi"
 ##
 unregisterRunners: true
 
+## Configure the maximum number of concurrent jobs
+## - Documentation: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section
+## - Default value: 10
+concurrent: 3
+
 ## For RBAC support:
 rbac:
   create: true
+  clusterWideAccess: false
+  rules:
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "create", "delete"]
+  - apiGroups: [""]
+    resources: ["pods/exec"]
+    verbs: ["get", "create"]
+  - apiGroups: [""]
+    resources: ["pods/attach"]
+    verbs: ["create"]
+  - apiGroups: [""]
+    resources: ["secrets", "configmaps"]
+    verbs: ["create", "update", "delete"]
+  - apiGroups: [""]
+    resources: ["services"]
+    verbs: ["create"]
 
 
 ## Configuration for the Pods that the runner launches for each new job
 ##
 runners:
 
+  image: ubuntu:20.04
+  builds: {}
+  services: {}
+  helpers: {}
+
+  name: "Kubernetes runner on Azure for TJTS5901"
+
+  ## Tags associated with the runner. Comma-separated list of tags.
+  ## - Documentation: https://docs.gitlab.com/ce/ci/runners/#using-tags
+  tags: kubernetes, cluster
+
+  ## Determine whether the runner should also run jobs without tags.
+  ## - Documentation: https://docs.gitlab.com/ee/ci/runners/configure_runners.html#set-a-runner-to-run-untagged-jobs
+  runUntagged: true
+
   # runner configuration, where the multi line strings is evaluated as
   # template so you can specify helm values inside of it.
   #
@@ -35,19 +72,22 @@ runners:
   # runner configuration: https://docs.gitlab.com/runner/configuration/advanced-configuration.html
   config: |
     [[runners]]
+      environment = ["DOCKER_DRIVER=overlay2"]
       [runners.kubernetes]
         namespace = "{{.Release.Namespace}}"
-        image = "docker:stable"
-        privileged = true
-
-      [[runners.kubernetes.volumes.empty_dir]]
-        name = "docker-certs"
-        mount_path = "/certs/client"
-        medium = "Memory"
+  #      privileged = true
 
-  ## Specify the name for the runner.
-  ##
-  name: "Kubernetes runner on Azure for TJTS5901"
+  #    [[runners.kubernetes.volumes.empty_dir]]
+  #      name = "docker-certs"
+  #      mount_path = "/certs/client"
+  #      medium = "Memory"
 
   ## The name of the secret containing runner-token and runner-registration-token
   secret: runner-registration-token
+
+  
+  ## Run all containers with the privileged flag enabled
+  ## This will allow the docker:dind image to run if you need to run Docker
+  ## commands. Please read the docs before turning this on:
+  ## - Documentation: https://docs.gitlab.com/runner/executors/kubernetes.html#using-docker-dind
+  #privileged: true

Infrastructure setup/Kubernetes service.md

@@ -97,8 +97,25 @@ If you have installed Azure Kubernetes extension into VS Code, you can use it to
 ![Merge Kubeconfig](./vscode-aks-cred.png)
 
 
+### Kubernetes context
+
+A Kubernetes context is a set of access and configuration information that defines which cluster you are communicating with and how you are authenticated to it. When you run commands using the `kubectl` command-line tool, you can switch between different contexts to target different clusters or namespaces within a cluster. The context is stored in the `.kube/config` file, and you can view and modify your current context using the `kubectl` config commands.
+
+```sh-session
+$ kubectl config get-contexts
+CURRENT   NAME             CLUSTER          AUTHINFO         NAMESPACE
+*         docker-desktop   docker-desktop   docker-desktop
+```
+
+
+If you have enabled Kubernetes in Docker desktop, or installed minikube, you need to select which context to use.
+
+
+
 ## Deploy app to Kubernetes
 
+https://kubernetes.io/blog/2019/07/23/get-started-with-kubernetes-using-python/
+
 There are a few different ways to deploy a containerized application to Kubernetes, depending on your specific needs and requirements. Here are the main steps involved in deploying an application to a Kubernetes cluster:
 
 - Build your container image: You'll need to create a container image for your application, which can be done using a tool like Docker.

Supplementary/Docs in blob storage.md

+# Docs in static storage
+
+These docs are static pages, and compiled from markdown to html using `mkdocs`. Template contains a section for compiling docs, and uploading them into storage. In Amazon static file storage is called "S3", Azure refers it as "blob storage", and Google simply "Cloud Storage".
+
+## Create a bucket for storing files
+
+Links:
+- [Static website hosting in Azure Storage](https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blob-static-website).
+
+1. In [Azure portal](https://portal.azure.com), find the ["Storage accounts" service](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Storage%2FStorageAccounts).
+2. Select **[ Create ]**
+

Supplementary/Owasp.md

+# OWASP security considerations
+
+[The Open Web Application Security Project (OWASP)](https://owasp.org/) is a non-profit organization that aims to improve the security of software. OWASP provides a variety of resources, including documentation, tools, and training materials, to help developers create more secure applications. OWASP also maintains a [list of the top 10 most critical web application security risks](https://owasp.org/Top10/), which is updated regularly to reflect the current state of web security. The goal of OWASP is to make it easier for developers to create secure applications and for organizations to identify and mitigate security risks.
+
+## Common security consideration examples:
+
+- **Input validation**: Ensure that all input data is properly validated and sanitized before processing to prevent injection attacks (e.g. SQL injection, command injection).
+
+- **Authentication and access controls**: Use appropriate authentication mechanisms (e.g. OAuth, JWT) to ensure only authorized users can access the application and its resources. Use role-based access controls to restrict access to sensitive data and functionality.
+
+- **Secrets management**: Use Kubernetes secrets to securely manage sensitive information such as passwords, API keys, and certificates.
+
+- **Network segmentation**: Use Kubernetes network policies to segment the application's network and restrict communication between pods to only necessary traffic.
+
+- **Logging and monitoring**: Use centralized logging and monitoring tools to track and analyze application activity, and to quickly detect and respond to security incidents.
+
+- **Container hardening**: Use best practices for securing the underlying container environment, such as minimizing the attack surface by using minimal base images and running containers with the least privilege necessary.
+
+- **Secure communication**: Use secure protocols (e.g. HTTPS) for communication between the application and external systems and encrypt sensitive data at rest.
+
+- **Vulnerabilities management**: Use automated tools to regularly scan the application for known vulnerabilities and apply patches or upgrades as needed.
+
+- **Regular backups**: regularly backup your application data to prevent data loss or data breaches.
+
+- **Least privilege**: Ensure that your application runs with the least privilege necessary and that it only has access to the resources it needs to function.
+
+- **Pipeline security**: Use security best practices in the CI/CD pipeline, such as automated security testing, to ensure that vulnerabilities are identified and fixed before deployment. This can include using security scanning tools to check for known vulnerabilities in libraries and dependencies, and using static analysis tools to identify potential security issues in the application's code. Additionally, ensure that the pipeline is configured to deploy only code that has been reviewed and approved by the appropriate parties.

Supplementary/Service Pricipal.md

-# Service Principal Object (SP)
+# Service Principal Object (SP) / Service account
 
 A service principal is a security identity that is used to represent an application or service in Azure Active Directory (AAD). It is used to authenticate an application or service with Azure resources, and to authorize the application or service to access specific resources or perform specific actions, separating them from personal accounts. In Google Cloud Platform (GCP), the equivalent of an Azure service principal is a service account.
 
@@ -6,9 +6,9 @@ A service principal is a security identity that is used to represent an applicat
 
 ## Creating a Service Principal
 
-<https://docs.microsoft.com/en-us/cli/azure/create-an-azure-service-principal-azure-cli>
-
-<https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal>
+Resources:
+ - <https://docs.microsoft.com/en-us/cli/azure/create-an-azure-service-principal-azure-cli>
+ - <https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal>
 
 
 1. Add `*.pem` line into `.gitignore` file to prevent accidentally adding secrets to git
@@ -33,7 +33,7 @@ A service principal is a security identity that is used to represent an applicat
 5. Copy created `.pem` file somewhere safe for now. If you ran command in devcontainer, files in container __will__ be lost when container is rebuild or restarted.
 6. Attempt login with service principal account:
     ```sh
-    $ az login --service-principal -u "<sp-generated-name-or-id>" -p "<path-to-pem>" --tenant "jyu.onmicrosoft.com"
+    az login --service-principal -u "<sp-generated-name-or-id>" -p "<path-to-pem>" --tenant "jyu.onmicrosoft.com"
     ```
 
 ### Add service principal account into app service roles
@@ -41,15 +41,16 @@ A service principal is a security identity that is used to represent an applicat
 For service principal account to be able to do something, it needs to be added into IAM. You can add it into resource group, or use more restricted approach and add it only on individual services.
 
 1. In Azure portal find your **App Service**, and select **Access control (IAM)** ➜ **➕ Add** ➜ **Add role assignment**
-2. For **Role**, unless you wan't to be more specific, select "**Contributor**".
-3. From **Members** page add created service provider account by selecting **➕ Select members** and find `<your-team>.jyu.onmicrosoft.com`. Confirm with **[ Select ]**
+2. For **Role**, unless you want to be more specific, select "**Contributor**".
+3. (_Optional_) Instead of using "Contributor" role, create a more defined service account, and select the individual roles you need.
+4. From **Members** page add created service provider account by selecting **➕ Select members** and find `<your-team>.jyu.onmicrosoft.com`. Confirm with **[ Select ]**
     ![Role assignment](role-assignment.png)
-4. Select **[ Review + assign ]** ➜ **[ Review + assign ]**
-5. Test for access:
+5. Select **[ Review + assign ]** ➜ **[ Review + assign ]**
+6. Test for access:
     - Login if necessary as detailed in "Create azure service principal"
     - Stream logs from web service:
-        ```
-        $ az webapp log tail --name <app-service-name> --resource-group <resource-group>
+        ```sh
+        az webapp log tail --name <app-service-name> --resource-group <resource-group>
         ```
 
     If you see bunch of logs, you're good to go.

getting started/Local dev environment.md

@@ -35,7 +35,7 @@ Some popular options for devops projects include:
 
 - **Visual Studio Code**: This is a (relatively) lightweight, fast editor with strong support for a wide range of programming languages, including Python, Go, and Terraform. It also has a built-in debugger, a large number of extensions available, and works well with containers.
 
-I would recommend not to use editors such as **Vim**, as it lacks lot of automation and does not have a built-in debugger, which may make it less suitable for certain types of DevOps projects. And just 'cause punch cards had 80 character limit, we should not be adhered to such arbitrary limitations and legacy solutions[^80chars].
+I would recommend not to use editors such as **Vim**, as it lacks lot of automation and does not have a built-in debugger, which may make it less suitable for certain types of DevOps projects. And just 'cause punch cards had 80 character limit, we should not be adhered to such arbitrary limitations and legacy solutions[^80chars]. If you still absolutely prefer vim, check out the [neovim extension for vscode](https://github.com/vscode-neovim/vscode-neovim).
 
 ### Installing Visual Studio Code
 

getting started/Template structure.md

-# Template file structure
+# Project file structure
 
 ```title="/app -folder on container" 
 🗀app
@@ -44,7 +44,7 @@
 - :material-kubernetes:       `deployment.yaml`: [Kubernetes configuration file](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/) that is used to deploy application(s) to a Kubernetes cluster, specifying details such as the number of replicas, the container image to use, and other deployment-related information.
 - :material-file-document-multiple: `docs/`: Course and project documentation.
 - :material-book-cog:         `docs/mkdocs.yml`: Configuration information for the [MkDocs documentation generator tool](https://www.mkdocs.org/), which is used to create and maintain project documentation written in the Markdown format.
-- :material-git:              `docs/tjts5901`: A [git submodule](https://git-scm.com/book/en/v2/Git-Tools-Submodules) for course documentation, allowing to keep documentation in a sub-repository separate and independently versioned.
+- :material-git:              `docs/tjts5901`: A [git submodule](https://git-scm.com/book/en/v2/Git-Tools-Submodules) for course documentation, allowing to keep documentation in a sub-repository separate and independently versioned. Run `git submodule init` to fetch it into local dev.
 - :material-git:              `.gitmodules`: Specifies the URLs of the submodule repositories, as well as the local path at which each submodule should be cloned and checked out.
 - :material-git:              `.gitignore`: A configuration file that specifies patterns for files and directories that Git should ignore, meaning they will not be tracked or included in commits.
 - :material-git:              `.pre-commit-hooks.yaml`: List of [commit hooks that are run by Git] before a commit is made](https://pre-commit.com/), allowing to automate tasks such as linting, testing, and formatting.