with Terraform
We used Cloudflare as the DNS provider and EC2 for the Kubernetes (k3s) nodes.
- vpc terraform: https://github.com/Hot-Spicy-Buffalo-Wing/check-out-infra/blob/main/vpc.tf
- ec2 terraform: https://github.com/Hot-Spicy-Buffalo-Wing/check-out-infra/blob/main/ec2.tf
- dns terraform: https://github.com/Hot-Spicy-Buffalo-Wing/check-out-infra/blob/main/dns.tf
All DNS A records point to the control plane node.
It also provides a key pair for connecting to the instances.
- key-pairs terraform: https://github.com/Hot-Spicy-Buffalo-Wing/check-out-infra/blob/main/key-pairs.tf
The EC2 Terraform has outputs, so the public IPs of the instances can be read with terraform output.
Connect to the EC2 instance and install K3s
If you want to access the cluster with kubectl from outside, there is a TLS certificate issue (the hostname does not match the certificate's SANs), so the TLS configuration has to be changed after installation.
curl -sfL https://get.k3s.io | sh -

Then change /etc/systemd/system/k3s.service so that the server starts with a node name and the public IP (x.x.x.x) as an extra TLS SAN:

ExecStart=/usr/local/bin/k3s \
    server \
    '--node-name=k3s-node-a' \
    '--tls-san=x.x.x.x' \

Delete the existing serving certificate secret and the dynamic certificate cache so k3s regenerates the certificate with the new SAN, then restart:

sudo kubectl -n kube-system delete secrets/k3s-serving
sudo mv /var/lib/rancher/k3s/server/tls/dynamic-cert.json /tmp/dynamic-cert.json
sudo systemctl daemon-reload
sudo systemctl restart k3s

Other nodes can be set up as agents with K3S_TOKEN. On the control plane, the token is in /var/lib/rancher/k3s/server/node-token.

curl -sfL https://get.k3s.io | K3S_URL="https://myserver:6443" K3S_TOKEN=mynodetoken sh -s -

The kubeconfig is in /etc/rancher/k3s/k3s.yaml.
ArgoCD can be deployed conveniently with its Helm chart.
It is configured through values.yaml.
We can extract the default values.yaml from the Helm repository:
brew install helm # in macOS
helm repo add argo https://argoproj.github.io/argo-helm
helm repo update
helm show values argo/argo-cd > argocd/values.yaml

ArgoCD values.yaml file: https://github.com/Hot-Spicy-Buffalo-Wing/check-out-gitops/blob/main/argocd/values.yaml
In the values.yaml file, set up RBAC (role-based access control) and Dex (SSO) with GitHub.
Then install ArgoCD:
kubectl create namespace argocd
helm install argo -n argocd argo/argo-cd -f argocd/values.yaml

The very simple way to reach the UI is a port-forward:

kubectl port-forward service/argo-argocd-server -n argocd 8080:443

To expose it through an ingress instead:
- set server.ingress.enabled to true
- set SSL passthrough
- set configs.params."server.insecure" to true (argocd-server then serves plain HTTP, so TLS must be terminated in front of it)
- set the name and path of server.ingress.extraHosts

After changing values.yaml, run the command below:

helm upgrade argo -n argocd argo/argo-cd -f argocd/values.yaml

To log in, we need the initial admin credential:

kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d
In the ArgoCD UI: Settings -> Repositories -> Connect Repo
A webhook speeds up deployment, because ArgoCD is notified of pushes immediately instead of waiting for its next poll of the repository.
In the gitops repository: Settings -> Webhooks
URL: $ARGO_URL/api/webhook
Content type: application/json
Events: just the push event
Set a webhook secret on GitHub and store the same value as webhook.github.secret in the argocd-secret, so ArgoCD verifies the payload signature before acting on it.
From ArgoCD 2.6, multi-source applications are supported, so a Helm chart and other resources can be combined in one Application.
Cert Manager Application File:
First, add the cert-manager Application manifest and apply it to create the application:
kubectl apply -f argocd/cert-manager.yaml -n argocd

After the application is created, ArgoCD tracks changes in the gitops repository (but when the Application manifest itself changes, the manifest file has to be re-applied).
We use Cloudflare as the DNS provider, so it can also be used by the cert-manager issuers.
issuers.yaml: https://github.com/Hot-Spicy-Buffalo-Wing/check-out-gitops/blob/main/cert-manager/clusterissuer.yaml
With Sealed Secrets, secret files can be stored safely in the gitops repository: only the sealed (encrypted) form is committed, and only the in-cluster controller can decrypt it.

helm repo add sealed-secrets https://bitnami-labs.github.io/sealed-secrets
helm install sealed-secrets -n kube-system --set-string fullnameOverride=sealed-secrets-controller sealed-secrets/sealed-secrets

(fullnameOverride is set to sealed-secrets-controller so the controller name matches the one kubeseal looks for by default.)

brew install kubeseal # in macOS

Create the Cloudflare API token secret locally with a client-side dry run (printf instead of echo, so no trailing newline ends up in the token), then seal it:

printf '%s' "API KEY" | kubectl create secret generic cloudflare-api-token-secret --from-file=api-token=/dev/stdin --dry-run=client --output=yaml > cert-manager/cloudflare-secret.yaml
kubeseal -f cert-manager/cloudflare-secret.yaml -w cert-manager/cloudflare-secret.sealed.yaml

Only the sealed file is committed; the plaintext cloudflare-secret.yaml must stay out of the repository.

ArgoCD certificate: https://github.com/Hot-Spicy-Buffalo-Wing/check-out-gitops/blob/main/cert-manager/certs/argocd.yaml
In the example above, Reflector (installable with Helm) is used to mirror the certificate secret into the target namespace.
helm repo add emberstack https://emberstack.github.io/helm-charts
helm repo update
helm upgrade --install reflector emberstack/reflector
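As an added example (not the check-out-gitops repository's own manifests), here is a ClusterIssuer that solves DNS-01 challenges with the Cloudflare API token secret sealed above, and a Certificate whose issued Secret Reflector mirrors into the argocd namespace. The issuer name, contact e-mail, hostname argocd.example.com and the cert-manager namespace are assumed placeholders.

```yaml
# Added example, not the check-out-gitops repository's own manifests.
# Assumptions: issuer name letsencrypt-prod, contact e-mail, hostname
# argocd.example.com, and that cert-manager runs in the cert-manager namespace.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com   # placeholder
    privateKeySecretRef:
      name: letsencrypt-prod-account-key
    solvers:
    - dns01:
        cloudflare:
          # The sealed secret created above; for a ClusterIssuer the
          # unsealed Secret has to live in the cert-manager namespace.
          apiTokenSecretRef:
            name: cloudflare-api-token-secret
            key: api-token
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: argocd-tls
  namespace: cert-manager
spec:
  secretName: argocd-tls
  dnsNames:
  - argocd.example.com        # placeholder hostname
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  # These annotations are copied onto the issued Secret, so Reflector
  # mirrors it into the argocd namespace where the ingress consumes it.
  secretTemplate:
    annotations:
      reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
      reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "argocd"
      reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
      reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "argocd"
```

Restricting reflection-allowed-namespaces to argocd keeps the private key from being mirrored into every namespace in the cluster.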