===============================================================================
GitOps repository for kubernetes cluster
===============================================================================

Applications & Projects
===============================================================================

+-------------------------------------------------------------------------------------------------------------------------+
| Project                                                                                                                 |
+------------------------------+----------------------------------------------------------------+-------------------------+
| Application                  | Description                                                    | Status                  |
+==============================+================================================================+=========================+
| `Default Project`_, **umbrella app-of-apps applications**                                                               |
+------------------------------+----------------------------------------------------------------+-------------------------+
| System_                      | System app of apps                                             | |system_status|         |
+------------------------------+----------------------------------------------------------------+-------------------------+
| Apps_                        | Main app of apps                                               | |apps_status|           |
+------------------------------+----------------------------------------------------------------+-------------------------+
| `System Project`_, **cluster system applications**                                                                      |
+------------------------------+----------------------------------------------------------------+-------------------------+
| ArgoCD_                      | `GitOps tool for Kubernetes`_                                  | |argocd_status|         |
+------------------------------+----------------------------------------------------------------+-------------------------+
| Cert-Manager_                | `Certificate Management`_                                      | |cert-manager_status|   |
+------------------------------+----------------------------------------------------------------+-------------------------+
| Cilium_                      | `Cluster CNI plugin`_                                          | |cilium_status|         |
+------------------------------+----------------------------------------------------------------+-------------------------+
| Grafana-Operator_            | `Grafana Operator`_                                            | |grafana-op_status|     |
+------------------------------+----------------------------------------------------------------+-------------------------+
| Grafana_                     | Grafana                                                        | |grafana_status|        |
+------------------------------+----------------------------------------------------------------+-------------------------+
| Ingress-Nginx_               | `Ingress Controller`_                                          | |ingress-nginx_status|  |
+------------------------------+----------------------------------------------------------------+-------------------------+
| Kube-Api_                    | Kube API exposed via ingress                                   | |kube-api_status|       |
+------------------------------+----------------------------------------------------------------+-------------------------+
| Kube-State-Metrics_          | `Kubernetes Metrics`_                                          | |ksm_status|            |
+------------------------------+----------------------------------------------------------------+-------------------------+
| Local-Path-Provisioner_      | `Rancher Local-Path`_                                          | |local-path_status|     |
+------------------------------+----------------------------------------------------------------+-------------------------+
| Loki_                        |                                                                | |loki_status|           |
+------------------------------+----------------------------------------------------------------+-------------------------+
| Promtail_                    |                                                                | |promtail_status|       |
+------------------------------+----------------------------------------------------------------+-------------------------+
| Prometheus-node-exporter_    | `Node exporter`_                                               | |pne_status|            |
+------------------------------+----------------------------------------------------------------+-------------------------+
| Victoria-Metrics-Operator_   | `Victoria Metrics Operator`_                                   | |vm-op_status|          |
+------------------------------+----------------------------------------------------------------+-------------------------+
| Victoria-Metrics_            | `Victoria Metrics`_                                            | |vm_status|             |
+------------------------------+----------------------------------------------------------------+-------------------------+
| victoria-metrics-k8s-stack_  | `Kubernetes Monitoring Stack`_                                 | |vmks_status|           |
+------------------------------+----------------------------------------------------------------+-------------------------+
| `Apps Project`_, **user level applications**                                                                            |
+------------------------------+----------------------------------------------------------------+-------------------------+
| Oauth2-proxy_                | `Oauth2 Proxy`_                                                | |oauth2-proxy_status|   |
+------------------------------+----------------------------------------------------------------+-------------------------+
| SSHCT_                       | `Personal container with ssh`_                                 | |sshct_status|          |
+------------------------------+----------------------------------------------------------------+-------------------------+
| Websites_                    | * https://a.ioot.xyz                                           | |websites_status|       |
|                              | * https://router.ioot.xyz                                      |                         |
+------------------------------+----------------------------------------------------------------+-------------------------+

.. _`Default Project`: https://argocd.ioot.xyz/applications?proj=default

.. _System: https://argocd.ioot.xyz/applications/argocd/system
.. |system_status| image:: https://argocd.ioot.xyz/api/badge?name=system&revision=true

.. _Apps: https://argocd.ioot.xyz/applications/argocd/apps
.. |apps_status| image:: https://argocd.ioot.xyz/api/badge?name=apps&revision=true

.. _`System Project`: https://argocd.ioot.xyz/applications?proj=system

.. _ArgoCD: https://argocd.ioot.xyz/applications/argocd/argocd
.. _GitOps tool for Kubernetes: https://argo-cd.readthedocs.io
.. |argocd_status| image:: https://argocd.ioot.xyz/api/badge?name=argocd&revision=true

.. _Cert-Manager: https://argocd.ioot.xyz/applications/argocd/cert-manager
.. _Certificate Management: https://cert-manager.io/
.. |cert-manager_status| image:: https://argocd.ioot.xyz/api/badge?name=cert-manager&revision=true

.. _Cilium: https://argocd.ioot.xyz/applications/argocd/cilium
.. _Cluster CNI plugin: https://github.com/cilium/cilium
.. |cilium_status| image:: https://argocd.ioot.xyz/api/badge?name=cilium&revision=true

.. _Ingress-Nginx: https://argocd.ioot.xyz/applications/argocd/ingress-nginx
.. _Ingress Controller: https://github.com/kubernetes/ingress-nginx
.. |ingress-nginx_status| image:: https://argocd.ioot.xyz/api/badge?name=ingress-nginx&revision=true

.. _Kube-State-Metrics: https://argocd.ioot.xyz/applications/argocd/kube-state-metrics
.. _Kubernetes Metrics: https://github.com/kubernetes/kube-state-metrics
.. |ksm_status| image:: https://argocd.ioot.xyz/api/badge?name=kube-state-metrics&revision=true

.. _Kube-Api: https://argocd.ioot.xyz/applications/argocd/kube-api
.. |kube-api_status| image:: https://argocd.ioot.xyz/api/badge?name=kube-api&revision=true

.. _Grafana-Operator: https://argocd.ioot.xyz/applications/argocd/grafana-operator
.. _Grafana Operator: https://github.com/grafana-operator/grafana-operator
.. |grafana-op_status| image:: https://argocd.ioot.xyz/api/badge?name=grafana-operator&revision=true

.. _Grafana: https://argocd.ioot.xyz/applications/argocd/grafana
.. |grafana_status| image:: https://argocd.ioot.xyz/api/badge?name=grafana&revision=true

.. _Local-Path-Provisioner: https://argocd.ioot.xyz/applications/argocd/local-path-provisioner
.. _Rancher Local-Path: https://github.com/rancher/local-path-provisioner
.. |local-path_status| image:: https://argocd.ioot.xyz/api/badge?name=local-path-provisioner&revision=true

.. _Loki: https://argocd.ioot.xyz/applications/argocd/loki
.. |loki_status| image:: https://argocd.ioot.xyz/api/badge?name=loki&revision=true

.. _Promtail: https://argocd.ioot.xyz/applications/argocd/promtail
.. |promtail_status| image:: https://argocd.ioot.xyz/api/badge?name=promtail&revision=true

.. _Prometheus-node-exporter: https://argocd.ioot.xyz/applications/argocd/prometheus-node-exporter
.. _Node exporter: https://github.com/prometheus/node_exporter
.. |pne_status| image:: https://argocd.ioot.xyz/api/badge?name=prometheus-node-exporter&revision=true

.. _Victoria-Metrics-Operator: https://argocd.ioot.xyz/applications/argocd/victoria-metrics-operator
.. _Victoria Metrics Operator: https://github.com/VictoriaMetrics/operator
.. |vm-op_status| image:: https://argocd.ioot.xyz/api/badge?name=victoria-metrics-operator&revision=true

.. _Victoria-Metrics: https://argocd.ioot.xyz/applications/argocd/victoria-metrics
.. _Victoria Metrics: https://victoriametrics.com/
.. |vm_status| image:: https://argocd.ioot.xyz/api/badge?name=victoria-metrics&revision=true

.. _victoria-metrics-k8s-stack: https://argocd.ioot.xyz/applications/argocd/victoria-metrics-k8s-stack
.. _Kubernetes Monitoring Stack: https://github.com/VictoriaMetrics/helm-charts/blob/master/charts/victoria-metrics-k8s-stack/
.. |vmks_status| image:: https://argocd.ioot.xyz/api/badge?name=victoria-metrics-k8s-stack&revision=true

.. _`Apps Project`: https://argocd.ioot.xyz/applications?proj=apps

.. _Oauth2-proxy: https://argocd.ioot.xyz/applications/argocd/oauth2-proxy
.. _Oauth2 Proxy: https://github.com/oauth2-proxy/oauth2-proxy
.. |oauth2-proxy_status| image:: https://argocd.ioot.xyz/api/badge?name=oauth2-proxy&revision=true

.. _SSHCT: https://argocd.ioot.xyz/applications/argocd/sshct
.. _Personal container with ssh: https://github.com/amkartashov/dockerfiles/tree/master/sshct
.. |sshct_status| image:: https://argocd.ioot.xyz/api/badge?name=sshct&revision=true

.. _Websites: https://argocd.ioot.xyz/applications/argocd/websites
.. |websites_status| image:: https://argocd.ioot.xyz/api/badge?name=websites&revision=true


Cluster initialization
===============================================================================

Single-node cluster.

OS: Debian 11

The cluster was created with kubeadm: https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/

ArgoCD bootstrap
-------------------------------------------------------------------------------

* Create an SSH key for ArgoCD, e.g. ``ssh-keygen -f .ssh/argocd.ioot.xyz``

* Add the public key ``.ssh/argocd.ioot.xyz.pub`` as a deploy key at https://github.com/amkartashov/gf-k8s/settings/keys/new

* Run the bootstrap script: ``scripts/bootstrap.sh -k gullfaxi -e gullfaxi``

* Add the git repository to ArgoCD:

  .. code-block:: bash

    argocd login --grpc-web argocd.ioot.xyz --sso
    argocd repo add git@github.com:amkartashov/gf-k8s --ssh-private-key-path ~/.ssh/argocd.ioot.xyz


* Create a new GitHub OAuth application at https://github.com/settings/applications/new:

  * Application name: oauth2.ioot.xyz
  * Homepage URL: https://oauth2.ioot.xyz
  * Authorization callback URL: https://oauth2.ioot.xyz/oauth2/callback
  * Update the oauth2-proxy client id, client secret and cookie secret (``--parameter`` takes ``name=value``):

    .. code-block:: bash

      argocd app set argocd/oauth2-proxy --parameter config.clientID=REPLACE
      argocd app set argocd/oauth2-proxy --parameter config.clientSecret=REPLACE
      argocd app set argocd/oauth2-proxy --parameter config.cookieSecret=$(pwgen -1 32)

* Create a new GitHub OAuth application at https://github.com/settings/applications/new:

  * Application name: argocd.ioot.xyz
  * Homepage URL: https://argocd.ioot.xyz/
  * Authorization callback URL: https://argocd.ioot.xyz/api/dex/callback
  * Update the dex client id and secret:

    .. code-block:: bash

      kubectl --context gullfaxi -n argocd patch secret argocd-secret \
      --patch='{"stringData": {
        "dex.github.clientId": "REPLACE",
        "dex.github.clientSecret": "REPLACE"
      }}'

* Create a new GitHub OAuth application at https://github.com/settings/applications/new:

  * Application name: grafana.ioot.xyz
  * Homepage URL: https://grafana.ioot.xyz/
  * Authorization callback URL: https://grafana.ioot.xyz/login/github
  * Update the client secret and admin password:

    .. code-block:: bash

      argocd app set argocd/grafana --parameter githubClientSecret=REPLACE
      argocd app set argocd/grafana --parameter adminPassword=`pwgen -1 12`

* Create a new GitHub OAuth application at https://github.com/settings/applications/new:

  * Application name: git.ioot.xyz
  * Homepage URL: https://git.ioot.xyz/
  * Authorization callback URL: https://git.ioot.xyz/user/oauth2/GitHub/callback
  * Update the client key, client secret, admin password and database password:

    .. code-block:: bash

      argocd app set argocd/forgejo --parameter 'gitea.oauth[0].key=REPLACE'
      argocd app set argocd/forgejo --parameter 'gitea.oauth[0].secret=REPLACE'
      argocd app set argocd/forgejo --parameter gitea.admin.password=`pwgen -1 12`
      argocd app set argocd/forgejo --parameter gitea.config.database.PASSWD=$(\
        kubectl --context gullfaxi -n forgejo get secret \
        postgresql-app -o jsonpath='{.data.password}' \
        | base64 -d \
      )


* Remove the initial admin secret: ``kubectl --context gullfaxi -n argocd delete secret argocd-initial-admin-secret``.

Passing Sensitive Parameters in ArgoCD apps
===============================================================================

Methods in use:

* manually creating K8s secrets

  E.g. this is how the repository secret in ArgoCD is configured.

* manually updating K8s secrets

  E.g. this is how the GitHub OAuth App client secret for dex is configured.

* modifying helm parameters of an application

  E.g. this is done for the Oauth2 Proxy application.
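The helper below is an added example, not one of this repository's scripts. It wraps the OAuth steps of the bootstrap section above using the second and third methods from this list: it reads each client id and secret from the terminal without echo (instead of pasting it on the command line), validates the value, generates a cookie secret of a length oauth2-proxy accepts, and applies it via ``argocd app set`` and ``kubectl patch``. The app names, the ``gullfaxi`` context and the ``dex.github.*`` keys are taken from the bootstrap steps; the function names are the example's own.

```bash
#!/usr/bin/env bash
# Added helper, not one of the repository's own scripts. Assumes the app
# names, kube context and secret keys used in the bootstrap steps
# (argocd/oauth2-proxy, context gullfaxi, argocd-secret in namespace argocd).
set -eu
# oauth2-proxy requires a cookie secret of exactly 16, 24 or 32 bytes;
# 24 random bytes base64-encode to 32 characters without padding.
gen_cookie_secret() {
  head -c 24 /dev/urandom | base64 | tr -d '\n'
}
valid_cookie_secret() {
  [ "${#1}" -eq 16 ] || [ "${#1}" -eq 24 ] || [ "${#1}" -eq 32 ]
}
# Reject values that would break the JSON patch or the name=value syntax
# of "argocd app set --parameter".
valid_secret_value() {
  [ -n "$1" ] && case "$1" in *[\"\\\'=]*|*[[:space:]]*) return 1 ;; esac
}
# Body for "kubectl patch secret argocd-secret --patch=..." carrying the
# dex GitHub client id and secret.
dex_patch() {
  printf '{"stringData":{"dex.github.clientId":"%s","dex.github.clientSecret":"%s"}}' "$1" "$2"
}
# Read a secret from the terminal without echo, so it is neither passed as a
# command-line argument (visible in process listings) nor kept in shell history.
read_secret() {
  local v
  printf '%s: ' "$1" >&2
  read -rs v </dev/tty
  echo >&2
  valid_secret_value "$v" || { echo "invalid value for $1" >&2; return 1; }
  printf '%s' "$v"
}
bootstrap_oauth_secrets() {
  local id secret
  id=$(read_secret "oauth2-proxy client id")
  secret=$(read_secret "oauth2-proxy client secret")
  argocd app set argocd/oauth2-proxy -p "config.clientID=$id" \
    -p "config.clientSecret=$secret" -p "config.cookieSecret=$(gen_cookie_secret)"
  id=$(read_secret "dex client id")
  secret=$(read_secret "dex client secret")
  kubectl --context gullfaxi -n argocd patch secret argocd-secret \
    --patch="$(dex_patch "$id" "$secret")"
}
# Only act when invoked with "run"; sourcing the file just defines the functions.
if [ "${1:-}" = "run" ]; then bootstrap_oauth_secrets; fi
```

Values set with ``argocd app set --parameter`` are stored in clear text in the Application resource, so read access to Applications in the ``argocd`` namespace grants access to these secrets.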

ArgoCD application types that can be used
===============================================================================

Directory Application
-------------------------------------------------------------------------------

Helm Applications
-------------------------------------------------------------------------------

Helm Application with Embedded Values
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Helm Application with Values from Git
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Helm Application with Additional Manifests from Git
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~