Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/mylesagray/home-cluster-gitops
Repo for ArgoCD GitOps of raspberry pi K8s cluster
Last synced: about 1 month ago
- Host: GitHub
- URL: https://github.com/mylesagray/home-cluster-gitops
- Owner: mylesagray
- Created: 2021-02-12T19:21:42.000Z (almost 4 years ago)
- Default Branch: master
- Last Pushed: 2024-10-29T11:27:03.000Z (2 months ago)
- Last Synced: 2024-10-29T13:22:27.688Z (2 months ago)
- Language: Makefile
- Size: 1.75 MB
- Stars: 10
- Watchers: 2
- Forks: 0
- Open Issues: 10
Metadata Files:
- Readme: README.md
README
# K8s cluster bootstrap and app install
[![ArgoCD Status](https://argocd.apps.blah.cloud/api/badge?name=bootstrap&revision=true)](https://argocd.apps.blah.cloud/applications/bootstrap)
## K8s cluster installed via Ansible
Following on from cluster install, install apps as below.
## TL;DR

```sh
make fresh
```

## Manual Install

### Install Prometheus CRDs

```sh
kubectl apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.49.0/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagerconfigs.yaml
kubectl apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.49.0/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagers.yaml
kubectl apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.49.0/example/prometheus-operator-crd/monitoring.coreos.com_podmonitors.yaml
kubectl apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.49.0/example/prometheus-operator-crd/monitoring.coreos.com_probes.yaml
kubectl apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.49.0/example/prometheus-operator-crd/monitoring.coreos.com_prometheuses.yaml
kubectl apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.49.0/example/prometheus-operator-crd/monitoring.coreos.com_prometheusrules.yaml
kubectl apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.49.0/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml
kubectl apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.49.0/example/prometheus-operator-crd/monitoring.coreos.com_thanosrulers.yaml
```

### Bitnami Sealed Secrets

#### Install Sealed Secrets

```sh
helm upgrade --install sealed-secrets -n kube-system ./manifests/sealed-secrets -f manifests/sealed-secrets/values.yaml
```

#### Seal secrets

```sh
kubeseal --format=yaml < ~/Desktop/ArgoCD-Secrets/docker-creds.yaml > manifests/registry-creds/docker-creds-sealed.yaml
kubeseal --format=yaml < ~/Desktop/ArgoCD-Secrets/home/argocd-secret.yaml > manifests/argocd/templates/argocd-sealed-secret.yaml
kubeseal --format=yaml < ~/Desktop/ArgoCD-Secrets/argocd-github-secret.yaml > manifests/argocd/templates/argocd-github-sealed-secret.yaml
kubeseal --format=yaml < ~/Desktop/ArgoCD-Secrets/home/argocd-rak8s-cluster-secret.yaml > manifests/argocd/templates/argocd-rak8s-cluster-sealed-secret.yaml
kubeseal --format=yaml < ~/Desktop/ArgoCD-Secrets/argocd-notifications-secret.yaml > manifests/argocd-notifications/templates/argocd-notifications-secret-sealed.yaml
kubeseal --format=yaml < ~/Desktop/ArgoCD-Secrets/renovate-secret.yaml > manifests/renovate/templates/renovate-sealed-secret.yaml
kubeseal --format=yaml < ~/Desktop/ArgoCD-Secrets/home/external-dns-secret.yaml > manifests/external-dns/templates/external-dns-secret-sealed.yaml
kubeseal --format=yaml < ~/Desktop/ArgoCD-Secrets/keycloak-secret.yaml > manifests/keycloak/templates/keycloak-secret-sealed.yaml
kubeseal --format=yaml < ~/Desktop/ArgoCD-Secrets/keycloak-postgres-secret.yaml > manifests/keycloak/templates/keycloak-postgres-secret-sealed.yaml
kubeseal --format=yaml < ~/Desktop/ArgoCD-Secrets/argo-workflows-sso.yaml > manifests/argocd-workflows/templates/argo-workflows-sso-sealed.yaml
kubeseal --format=yaml < ~/Desktop/ArgoCD-Secrets/argo-workflows-minio.yaml > manifests/argocd-workflows/templates/argo-workflows-minio-sealed.yaml
kubeseal --format=yaml < ~/Desktop/ArgoCD-Secrets/argo-workflows-minio-minio.yaml > manifests/minio-operator/templates/argo-workflows-minio-minio-sealed.yaml
kubeseal --format=yaml < ~/Desktop/ArgoCD-Secrets/minio-tenant-secret.yaml > manifests/minio-operator/templates/minio-tenant-secret-sealed.yaml
kubeseal --format=yaml < ~/Desktop/ArgoCD-Secrets/cert-secret.yaml > manifests/kube-prometheus-stack/templates/cert-secret-sealed.yaml
kubeseal --format=yaml < ~/Desktop/ArgoCD-Secrets/cloudflare-api-token.yaml > manifests/cert-manager/templates/cloudflare-api-token-sealed.yaml
kubeseal --format=yaml < ~/Desktop/ArgoCD-Secrets/boilerjuice-creds.yaml > manifests/oil-monitor/boilerjuice-creds-sealed.yaml
kubeseal --format=yaml < ~/Desktop/ArgoCD-Secrets/influxdb-auth.yaml > manifests/influxdb/templates/influxdb-auth-sealed.yaml
```

#### Backup seal key

```sh
kubectl get secret -n kube-system -l sealedsecrets.bitnami.com/sealed-secrets-key -o yaml > ~/Desktop/ArgoCD-Secrets/sealed-secrets-master.key
```

### (Optional) Restore Bitnami Sealed Secrets from backup - if bad things happened...

```sh
helm upgrade --install sealed-secrets -n kube-system ./manifests/sealed-secrets -f manifests/sealed-secrets/values.yaml
kubectl delete secret -n kube-system -l sealedsecrets.bitnami.com/sealed-secrets-key=active
kubectl apply -n kube-system -f ~/Desktop/ArgoCD-Secrets/sealed-secrets-master.key
kubectl delete pod -n kube-system -l app.kubernetes.io/name=sealed-secrets
```

### Initialise secrets needed for bootstrap

```sh
kubectl create ns argocd
kubectl apply -f manifests/argocd-notifications/templates/
kubectl apply -f manifests/argocd-workflows/templates/
```

### Install Argo and bootstrap cluster

```sh
make install-argocd
make get-argocd-password
```

## Use

```sh
argocd login argocd.apps.blah.cloud --sso --grpc-web
# login with GitHub account or admin password from above
argocd account update-password
argocd app list
```

## Cleanup

```sh
make cleanup
```

## Todo

### Apps

* Add ArgoCD Image Updater
* ~~Add Oil Monitor app~~
* ~~Move from traefik to traefik + cert-manager for ingress and TLS~~
* ~~Traefik ~HA mode?~~
* ~~Use cert-manager for TLS with DNS-01 challenges~~
* ~~Use IngressClass for Traefik rather than making it a default IngressClass~~
* Update all Ingress objects to use IngressClass explicitly
* Migrate Ingress objects to v1
* Investigate reloading Traefik when Cert-Manager changes a cert
* Move to kube-vip from metallb
  * For control plane:
  * For svc type LB:
* Add OIDC provider
  * Pinniped?
* Add Argo Events
* Add Argo Rollouts
* Investigate Argo Operator
* ARM Builds of complex tools
  * Add Istio (needs ARM builds - )
  * Add Tekton (needs ARM builds - )
  * Add KNative (needs ARM builds - )
  * All above rely on ko builds for ARM:
* ~~Build L4T base image for Jetson testing~~
* Add Nvidia K8s Device Plugin (with custom ARM patches)
* Add default DB to InfluxDB
* Add consistent password to InfluxDB
* Add some extra game modes to Quake
* Add ingress for Traefik Dashboard

#### Availability

* Make Prom stack HA
* Ensure anti-affinity across all HA apps

#### Ongoing

* Build ARM versions of containers I depend on
  * Do it scalably and open upstream PRs

### Monitoring

* Add cert-manager mixin
* Add grafana dashboards from
* Figure out how to reload grafana dashboards that are updated
* ~~Add carlosedp Cluster Dashboard to Grafana~~

### Organisational

* Refactor namespaces
* Refactor Apps into Projects
* Deploy from tags/branches rather than master
* Merge [tanzu-cluster-gitops](https://github.com/mylesagray/tanzu-cluster-gitops) with this repo and use Kustomized Helm to deploy to different clusters as Phase 1
* Phase 2: Explore using `ApplicationSet` controller to supercede Kustomized Helm:
  * Requires building ApplicationSet Controller for ARM64

### Security

* Remove all internal un/passwords and keys and turn into sealed secrets
* Remove as many static passwords as possible and rely on auto-generated secrets
  * Keycloak tokens
  * Grafana tokens
* Make ArgoCD GitHub webhook authenticated
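
The seal-secrets step above writes only `kubeseal` output into `manifests/`, and the first Security item aims to get every remaining plaintext credential onto that path. As an added check (example code, not part of this repository), the shell function below scans a manifests tree and reports any YAML still carrying a bare `kind: Secret`, which also catches a misplaced copy of the sealed-secrets master key backup; the sample tree it builds is constructed for the demo and mirrors the repo's layout.

```shell
# Added example, not part of the home-cluster-gitops repository: a pre-commit style
# check that no Kubernetes Secret was committed in plaintext. Everything under the
# manifests tree should be "kind: SealedSecret"; a bare "kind: Secret" means a file
# skipped kubeseal (or the sealed-secrets master key backup landed in the repo).
set -e

# find_plain_secrets DIR: prints each YAML file holding a plaintext Secret,
# returns 1 if any were found and 0 when the tree is clean.
find_plain_secrets() {
  # Anchor on the whole line so "kind: SealedSecret" does not match; grep exits 1
  # on "no match", which is the clean case here, hence the "|| true".
  matches=$(grep -rlE --include='*.yaml' --include='*.yml' \
    '^[[:space:]]*kind:[[:space:]]*"?Secret"?[[:space:]]*$' "$1" || true)
  if [ -n "$matches" ]; then
    printf '%s\n' "$matches"
    return 1
  fi
  return 0
}

# make_sample_tree: constructed manifests tree mirroring the repo layout, with one
# sealed secret, one plaintext Secret to be flagged and an unrelated Deployment.
make_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/argocd/templates" "$d/registry-creds"
  cat >"$d/argocd/templates/argocd-sealed-secret.yaml" <<'EOF'
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: argocd-secret
spec:
  encryptedData:
    admin.password: AgBy-constructed-ciphertext-placeholder
EOF
  cat >"$d/registry-creds/docker-creds.yaml" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: docker-creds
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: e30=
EOF
  printf 'apiVersion: apps/v1\nkind: Deployment\n' >"$d/argocd/deploy.yaml"
  echo "$d"
}

# Demo: the plaintext docker-creds.yaml is reported; the sealed file is not.
demo_tree=$(make_sample_tree)
find_plain_secrets "$demo_tree" || echo "plaintext Secret(s) listed above: run them through kubeseal before committing"
```

Run it against `manifests/` from a git pre-commit hook so a forgotten `kubeseal` step fails the commit instead of landing on `master`.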