# kubectl completions
kubectl completion -h
export do="-o yaml --dry-run=client"

# Creating Resources/Objects
======================================================================================================
# IMPERATIVE Paradigm - no embedded history
kubectl create -f (from FILE or STDIN) # if the resource exists it will error

# DECLARATIVE Paradigm
kubectl apply -f (from FILE or STDIN)

# kubectl run - create and run a particular image in a pod. creates deployment or jobs
# kubectl expose - creates services
# kubectl set,edit,patch - top dog
# kubectl replace -f deployment.yaml --save-config

# Creates a deployment
kubectl create deployment nginx --image=nginx
kubectl create deployment webapp --image=nginx:1.17.8 --replicas=2

# Create a pod with a shell
kubectl run -i --tty busybox --image=busybox --restart=Never -- sh
kubectl run -i --tty mykube --image=dejanualex/kubectl:1.0 --restart=Never -- sh

# naked broken 
kubectl run broken --image=dejanualex/kubectl:99 --restart=Never
kubectl run ephemeral-demo --image=registry.k8s.io/pause:3.1 --restart=Never

# Create a pod (the minimum needed flag is --image)
kubectl run nginx --image=nginx
# Create a pod named basic with port 80 open to TCP
kubectl run basic --image=nginx:stable-alpine-perl --restart=OnFailure --port=80
# Create a pod using  dry-run, e.g. the --image option is required
kubectl -run --image=nginx:stable-alpine-perl basic --dry-run=client -o yaml

# commmand vs arg: command coresponds to ENTRYPOINT and args corresponds to CMD instruction: 
# give cmd
kubectl run borg1 --image=busybox --restart=Always --command -- /bin/sh -c "echo working... && sleep 3600"

# gives args
kubectl run borg2 --image=busybox --restart=Always -- /bin/sh -c "echo working... && sleep 3600"

# what doc: https://jamesdefabia.github.io/docs/user-guide/kubectl/kubectl_run/

# ping from 
kubectl -n sec1 exec -it pod2 -- ping $pod1IP

# Labels
======================================================================================================
# overwrite po label
kubectl label po <pod_name> sidecar.istio.io/inject=false --overwrite

# create po label on the fly
kubectl run am-i-ready --image=nginx:1.16.1-alpine  --labels="id=cross-server-ready" 

# labels at runtime --show-labels
kubectl run <pod_name> --image=ngnix --labels='environment=dev','cluster=1' --overwrite

# start po with label e.g. set sidecar.istio.io/inject to false
kubectl run istiomssql -i --tty --labels=sidecar.istio.io/inject="false" --image=mcr.microsoft.com/mssql-tools:latest
# attach tty
kubectl attach istiomssql -c istiomssql -i -t

# use the kubectl debug node command to deploy a Pod to a Node that you want to troubleshoot
kubectl debug pods/mssql --image nicolaka/netshoot -it --target mssql -- bash

# Creating SERVICEs
======================================================================================================
# Service discovery via DNS: svc_name.namespace.svc.cluster.local

# creates proxy server or application-level gateway between localhost and the Kubernetes API server.
kubectl proxy -p 5555 # Default: 8001

# tunnel traffic: forward connection to a local port:8080 to a port on a pod:80
# forwards connections from LOCAL_PORT:to a POD_PORT
# is more generic as it can forward TCP traffic while kubectl proxy can only forward HTTP traffic
kubectl port-forward pod/<pod_name> 8080:80 

# create service
kubectl -n red expose po basic --name=cloudacademy-svc --type="ClusterIP" --port=8080 --target-port=80

# patch service, from ClusterIP to LoadBalancer
kubectl -n red patch svc cloudacademy-svc -p '{"spec":{"type":"LoadBalancer"}}

# Expose a Pod in the red Namespace with the following configuration: The Service name is cloudacademy, the Service port is8080, the Target port is80, the Service type isClusterIP
kubectl expose pod basic -n red --name=cloudacademy-svc --port=8080 --target-port=80

# create service NodePort on port 32080: expose deployment for an app that runs on port 80 Service 
# The command will assign a random port >= 30000. So use the Patch command to assign the port to a known, unused and desired port >= 30000

kubectl -n ca1 expose deployment cloudforce --name=cloudforce-svc --type="NodePort" --port=80

# get the port exposed by the service
kubectl -n ca1 get svc cloudforce-scv -ojsonpath="{.spec.ports[0].nodePort}"
# patch the service to a known port
kubectl -n ca1 patch service cloudforce-svc --type='json' --patch='[{"op": "replace", "path": "/spec/ports/0/nodePort", "value":32080}]'

# all the above in one command
kubectl -n ca1 expose --type=NodePort deployment cloudforce --port 80 --name cloudforce-svc --overrides '{ "apiVersion": "v1","spec":{"ports": [{"port":80,"protocol":"TCP","targetPort":
80,"nodePort":32080}]}}'

# create a nodeport service
kubectl -n accounting expose deployment nginx-one --type=NodePort --name=service-lab

# spin up pod that run curl to a service
kubectl run client -n skynet --image=appropriate/curl -it --rm --restart=Never -- curl http://t2-svc:8080 > /home/ubuntu/svc-output.txt

## Deployments
======================================================================================================

# create deployment webserver yaml file based on ngnix image
kubectl create deploy webserver --image nginx:1.22.1 --replicas=2 --dry-run=client -o yaml | tee dep.yaml

# get the deployment strategy
kubectl get deploy <deployment> -o yaml | grep -A 4 strategy

# a Deployment's revision is created when a Deployment's rollout is triggered 
# check previous rollout revision
kubectl rollout history deployment <deployment_name>

# restart deployment
kubectl rollout restart deployment <deployment_name>

# change the base image for the deployment aka trigger deployment rollout
kubectl set image deploy webserver nginx=nginx:1.23.1-alpine
kubectl set image deployment.v1.apps/cloudforce nginx=nginx:1.19.0-perl

# To manage the deployment history, use the annotate command to create a message.
kubectl annotate deployment cloudforce kubernetes.io/change-cause="set image to nginx:1.19.0-perl" --overwrite=true

# Deployment strategies / Update strategies: RollingUpdate vs. Recreate
# are defined under spec.strategy in the manifests

# rolling deployment is the default deployment strategy 
kubectl rollout status deloy/<deployment_name>

# view object revisions
kubectl rollout history deploy <deployment>

# rollback to a previous version or to a specific revision
kubectl rollout undo
kubectl rollout undo deploy <deployment> --to-revision=1

# create deployment named rtro
kubectl -n cal create deployment rtro --image=busybox:1.31.1

# autoscale deployments: Autoscaling creates a HorizontalPodAutoscaler
# horizontalpodautoscaler.autoscaling: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/
# this deployment to autoscale based on CPU utilisation. The autoscaling should be set for a minimum of 2, maximum of 4, and CPU usage of 65%.
kubectl autoscale deployment <deployment> --cpu-percent=65 --min=2 --max=4

## Secrets
======================================================================================================
# Secret = key/value pairs of sensitive data that can be accessed by pods (encoded in base64) so describe will show opaque data 

# create secret
kubectl create secret generic mysql --from-literal=password=root
kubectl create secret generic password-secret --from-file=./pass.txt

# describe secret
kubectl -n istio-system describe secret ingress-cert-cacert

# take the ca.crt from secret
kubectl get secrets -n istio-system ingress-cert-cacert -o json | jq -r '.data."ca.crt"' | base64 -d > ca.crt

# create ingress-cert-cacert
kubectl -n istio-system create secret generic ingress-cert-cacert --from-file=ca.crt --from-file=Publiccert.cer

# SECRETS example scenario
kubectl create secret generic <secret_name> --from-literal=MYSQL_ROOT_PASSWORD=test
kubectl get secrets <secret_name> -o yaml > sqlsecret.yml

# service accounts have token as a secret
kubectl -n test1 get sa <sa_name> -ojson | jq -r '.secrets[].name'

# getting the  service account token that is used for authentication: kubernetes.io/service-account-token
kubectl -n kube-system get secret default-token-gfnmr -oyaml
kubectl -n kube-system get secret default-token-gfnmr -o jsonpath={.data.token} | base64 -d
TOKEN=$(kubectl  get secret default-token-zc7s7 -o json |  jq -r '.data."token"' | base64 -d )

# configmap can be created from literal values, or individual files


## Scheduling and Nodes
======================================================================================================
# check node labels
kubectl describe nodes|grep -A5 -i label

# label node
kubectl label node <node> <label>=<label_values>

# view nodes labels
kubect get nodes --show-labels

# check node taints
kubectl describe nodes|grep -A5 -i taint

# check the maximum number of pods supported by a node
kubectl describe no <node> |  grep -i capacity -A10

# check running pods on a specific node
kubectl describe node <node> | grep -A10 "Non-terminated Pods"

# labels 101 for pods
kubectl get po --show-labels
# check all values for pods with label env
kubectl get po -L env
# get pod with label env=demo
kubectl get po -l env=demo

# get po with label colour in (orange,red,yellow) values and sort by column
kubectl -n rep get po -l "colour in (orange,red,yellow)" -owide | sort -k 5 |  awk '{ print $1 }'

## Get and sort field container/images from pod
======================================================================================================

# get all pods images from a namespace
for i in $(kubectl po -oname);do echo -e "\n${i}";kubectl get $i -ojsonpath="{.spec.containers[*].image}";done

# look at the specs kubectl explain <resource>.<key>
kubectl explain po --recursive 
kubectl explain pod.spec.containers
# explain requests and limits
kubectl explain pod.spec.containers.resources
# check the resources of a pod (limits and requests)
kubectl get po <pod_name> -o jsonpath='{.spec.containers[*].resources}'
kubectl get po <pod_name> -o jsonpath='{.spec.containers[*].resources.limits}'
kubectl get po <pod_name> -o jsonpath='{.spec.containers[*].resources.requests}'

# check request and limits for containers in pod
kubectl get po <pod_name> -o jsonpath='{.spec.containers[*].resources}'
kubectl get pod <pod_name> -o jsonpath='{.spec.containers[*].resources.limits}'
kubectl get pod <pod_name> -o jsonpath='{.spec.containers[*].resources.requests}'
# get QoS class of a pod
kubectl get pod <pod-name> -o jsonpath='{.status.qosClass}'

# sort like a pro

# discover the IP of ALL pods in test namespace
kubectl -n test get po -ojsonpath='{.items[*].status.podIP}'

# discover the IP of pod named testpo in test namespace
kubectl -n test get pod testpo -o jsonpath='{.status.podIP}'
# sort pods by IPs in test namespace
kubectl -n test get po -o wide --sort-by=.status.podIP

kubect -n <namespace> get po --sort-by=metadata.creationTimestamp

# get container running in a SINGLE POD
kubectl -n <namespace> get po <pod_name>  -o jsonpath="{.spec.containers[*].name}"

# get container running in a NAMESPACE
kubectl -n <namespace>  get po -o jsonpath="{.items[*].spec.containers[*].name}"

# get containers in a certain pod 
kubectl get pods <pod_name> -o jsonpath='{.spec.containers[*].name}'
# get containers in namespace
kubectl get pods -o=custom-columns=NAME:.metadata.name,CONTAINERS:.spec.containers[*].name 


## Storage
======================================================================================================

# get persistent volumes aka storage abstraction
kubectl get pv

# get  persistent volume claims 
kubectl get pvc

# get storage capacity and name
kubectl get pv -A -o=custom-columns="Storage:.spec.capacity.storage, NAME:.metadata.name"

## Cron
======================================================================================================
# Create a cronjob named matrix in the saas namespace. Use the radial/busyboxplus:curl image and set the schedule to */10 * * * *. The job should run the following command: curl www.google.com
kubectl -n saas create cronjob --image=radial/busyboxplus:curl --schedule='*/10 * * * *' matrix -- curl www.google.com


## Object intro
======================================================================================================

kubectl explain hr.status.phase
kubectl -n prod get hr -ojsonpath={.items[*].status.phase}

# https://kubernetes.io/docs/concepts/overview/working-with-objects/field-selectors/


kubectl get po -A -o jsonpath='{.items[*].status}' | jq . | grep -i phase
kubectl get po -A  --field-selector status.phase=Running

kubectl get hr -A -o jsonpath="{range.items[?(@.status.phase)]}{.metadata.name}:{end}"| tr ":" "\n"

# field type
kubectl get events --field-selector type=Warning -A
# events at the node level
kubectl get events --field-selector involvedObject.kind=Node -A

## API and control plane
======================================================================================================
# check available API resources: cm,deployments,ds,ingress,ns,pods,rc,rs,secrets,svc
kubectl api-resources

# check api services in the cluster: v1.certificates.k8s.io, v1.networking.io
kubectl get apiservices

# API endpoints for health checks without formatting
kubectl get --raw '/livez?verbose'
kubectl get --raw '/readyz?verbose'
kubectl get --raw "/healthz?verbose"    

# kubectl top nodes GET /apis/apiregistration.k8s.io/v1/apiservices/{name}/status
kubectl get --raw "/apis/metrics.k8s.io/v1beta1/nodes"
kubectl get --raw /apis/metrics.k8s.io/v1beta1/nodes | jq .items[].usage

# kubect top pods
kubectl get --raw /apis/metrics.k8s.io/v1beta1/pods | jq .items[].containers[].usage

# ingress endpoint
kubectl get --raw "/apis/networking.k8s.io/v1/ingresses/"

## Kubeconfig
======================================================================================================

# client-certificate-data contains PEM-encoded data from a client cert file for TLS. Overrides ClientCertificate

kubectl config view - raw -o jsonpath="{.clusters[?(@.name == 'INSERT_CLUSTER_NAME')].cluster.certificate-authority-data}" | b
ase64 -d | openssl x509 -text | grep -A2 Validity

kubectl config view --raw -o jsonpath="{.clusters[?(@.name == 'INSERT_CLUSTER_NAME')].cluster.certificate-authority-data}" | base64 -d | openssl x509 -text | grep -A2 Validity