This repo stores configurations to install ArgoCD and Applications

frenoid/argocd-configs


ArgoCD and Application configurations

Want GitOps and Kubernetes on a single machine? Look no further!

This repo stores configurations to install

  1. A kind cluster
  2. Nginx Ingress controller
  3. ArgoCD
  4. Sealed Secrets
  5. Other applications in hobby-cluster

Bootstrapping

First, create a Kubernetes cluster using kind.

Create a kind cluster

docker and kind must be installed.

Next, create a kind cluster using the kind CLI and the cluster config file:
kind create cluster --config ./kind-cluster/cluster-config.yaml

One master node and two worker nodes are created as docker containers.
Note that one of the worker nodes has ports 30080 and 30443 exposed on the host machine for ingress.
Observe this by running
docker ps
(Screenshot: Kind cluster running in Docker)

Install the Nginx Ingress Controller

Create a namespace for the nginx ingress controller
kubectl create ns ingress-nginx

Install nginx-ingress controller
kubectl -n ingress-nginx apply -f ./kind-cluster/ingress-nginx.yaml

Check that the ingress pod is running on worker 1
kubectl -n ingress-nginx get pod -owide
(Screenshot: Ingress pods are running)

Test that the http ingress port is working
curl http://localhost:30080

Test that the https ingress port is working
curl https://localhost:30443 --insecure
(Screenshot: Ingress ports are working)

Install ArgoCD

Create an argocd namespace
kubectl create ns argocd

Install the ArgoCD resources
kubectl -nargocd apply -f argocd/install.yaml

Install the ArgoCD ingress
kubectl -nargocd apply -f argocd/ingress.yaml

Get the ArgoCD admin password
kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d

Log into ArgoCD at http://argocd.mlnow.frenoid.com:30080/ using the admin password retrieved above
Username: admin
Password: argoCDAdminPassword

Install the repository secret

Install the repo-secret for hobby-cluster

In ./argocd/repo-secret.yaml, you will see:

apiVersion: v1
kind: Secret
metadata:
  annotations:
    managed-by: argocd.argoproj.io
  labels:
    argocd.argoproj.io/secret-type: repository
  name: repo-secret-hobby-cluster
  namespace: argocd
type: Opaque
stringData:
  name: "kind-configs"
  project: "default"
  type: "git"
  url: "git@github.com:frenoid/hobby-cluster.git"
  sshPrivateKey: |
    <replaceMe>

Replace <replaceMe> with the private key used to access the GitHub repo, then apply the secret
kubectl -nargocd apply -f argocd/repo-secret.yaml
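Editing repo-secret.yaml in place leaves the private key in the working tree, one git add away from the repository. The script below is an added example, not part of frenoid/argocd-configs: it renders the manifest from the template plus a key file to stdout only, so it can be piped straight into kubectl apply -f - and the template stays untouched. It assumes the template keeps the <replaceMe> placeholder on its own line under sshPrivateKey: | (as above); the key file path and the function names render_repo_secret and demo_render are the example's own.

```shell
#!/bin/sh
# Added example (not from the frenoid/argocd-configs repo): render the ArgoCD
# repository Secret from the template and a private-key file without ever
# writing the key into the checked-in YAML.
# Assumption: the template has a line containing only "<replaceMe>" under
# "sshPrivateKey: |", exactly as argocd/repo-secret.yaml does.

# render_repo_secret TEMPLATE KEYFILE -> rendered manifest on stdout
# The key is re-indented to the placeholder's own indentation, so a multi-line
# key stays a valid YAML block scalar (a plain sed substitution breaks this).
render_repo_secret() {
    template="$1"
    keyfile="$2"
    [ -r "$template" ] || { echo "template not readable: $template" >&2; return 2; }
    [ -r "$keyfile" ]  || { echo "key file not readable: $keyfile" >&2; return 2; }
    grep -q '<replaceMe>' "$template" \
        || { echo "no <replaceMe> placeholder in $template" >&2; return 3; }
    awk -v keyfile="$keyfile" '
        /<replaceMe>/ {
            # keep the indentation of the placeholder line
            match($0, /^[ \t]*/)
            indent = substr($0, RSTART, RLENGTH)
            while ((getline line < keyfile) > 0) {
                print indent line
            }
            close(keyfile)
            next
        }
        { print }
    ' "$template"
}

# Self-contained demonstration with a constructed template and a constructed
# stand-in for a key file (not real key material).
demo_render() {
    tmp=$(mktemp -d)
    cat > "$tmp/repo-secret.yaml" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  labels:
    argocd.argoproj.io/secret-type: repository
  name: repo-secret-hobby-cluster
  namespace: argocd
type: Opaque
stringData:
  type: "git"
  url: "git@github.com:frenoid/hobby-cluster.git"
  sshPrivateKey: |
    <replaceMe>
EOF
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'constructedLine1' \
        'constructedLine2' '-----END OPENSSH PRIVATE KEY-----' > "$tmp/deploy_key"
    render_repo_secret "$tmp/repo-secret.yaml" "$tmp/deploy_key"
    rm -rf "$tmp"
}

# Real usage (key path is an assumption; adjust to where your deploy key lives):
#   render_repo_secret argocd/repo-secret.yaml ~/.ssh/hobby-cluster-deploy-key \
#       | kubectl -n argocd apply -f -
[ "${1:-}" = "--demo" ] && demo_render
```

Because the rendered manifest only exists on the pipe, nothing under the repo directory changes and git status stays clean after applying the secret.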

Install the sealed-secrets application

The sealed-secrets application is needed to decrypt secrets and is a prerequisite for installing the other applications

Install the ArgoCD application

kubectl apply -f applications/sealed-secrets.yaml

Go to ArgoCD UI and you will see that the sealed-secrets application has been installed
(Screenshot: Installed Sealed Secrets)

Install the kubeseal binary

The kubeseal binary lets you encrypt/decrypt SealedSecrets. It obtains the public certificate from a secret in the Kubernetes cluster's sealed-secrets namespace

Download and install the kubeseal binary.

wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.26.2/kubeseal-0.26.2-linux-amd64.tar.gz
tar -xvzf kubeseal-0.26.2-linux-amd64.tar.gz kubeseal
sudo install -m 755 kubeseal /usr/local/bin/kubeseal

Fetch the controller's public certificate (tls.crt) and write it to a file

kubeseal \
  --controller-namespace=sealed-secrets \
  --controller-name=sealed-secrets \
  --fetch-cert > ~/.ssh/kubeseal.crt

Test you are able to encrypt secrets using kubeseal
kubectl -n default \
  create secret generic test-secret \
  --from-literal=username=username \
  --from-literal=password=password \
  -oyaml \
  --dry-run=client | kubeseal \
  --controller-namespace=sealed-secrets \
  --controller-name=sealed-secrets

(Screenshot: Example Sealed Secret)

Replace the repo-secret-hobby-cluster with a Sealed Secret

Now, we will replace the previously created repo-secret-hobby-cluster secret with a Sealed Secret

First, we patch the existing secret with an annotation that allows it to be overwritten when a Sealed Secret with the same name and namespace is unsealed

kubectl -n argocd \
  patch secret repo-secret-hobby-cluster \
  -p '{"metadata": {"annotations": {"sealedsecrets.bitnami.com/managed": "true"}}}'

Next, we create a Sealed Secret from the existing repo secret

kubectl -n argocd \
  get secret repo-secret-hobby-cluster -oyaml \
  | kubeseal --controller-namespace=sealed-secrets \
  --controller-name=sealed-secrets \
  --name repo-secret-hobby-cluster \
  --format yaml \
  -w sealed-secret-repo-secret-hobby-cluster.yaml

We can now create the Sealed Secret
kubectl apply -f sealed-secret-repo-secret-hobby-cluster.yaml

Check that the Sealed Secret was created successfully
kubectl -n argocd get sealedsecret
(Screenshot: Sealed Secret created)

The secret repo-secret-hobby-cluster is now being managed by the Sealed Secrets controller and will be synced if the associated Sealed Secret changes

You can see this by deleting the secret repo-secret-hobby-cluster
kubectl -n argocd delete secret repo-secret-hobby-cluster

Now see that the secret is re-created almost instantaneously.
kubectl -n argocd get secret
(Screenshot: Secret is re-created)

Sealed Secrets are protected by asymmetric encryption. The public key can be used to encrypt the secret, but only the private key, controlled by the Sealed Secrets controller in the cluster, can decrypt it

It is safe to commit both the Sealed Secret and the public key to the code repository

However the private key used by the Sealed Secrets controller must remain a secret.
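To make that rule enforceable rather than just remembered, here is an added example of a pre-commit guard (it is not part of this repo): it scans a directory of manifests and rejects plaintext Secret manifests and any Secret carrying a tls.key field (which is what the controller's own key looks like when exported), while accepting SealedSecret manifests and the unfilled repo-secret template. The one-document-per-file assumption and the function names check_manifest, check_tree, precommit_guard and demo_guard are the example's own.

```shell
#!/bin/sh
# Added example, not from frenoid/argocd-configs: a pre-commit guard for a
# GitOps repo that relies on Sealed Secrets. Safe to commit: kind: SealedSecret
# files (ciphertext only) and the repo-secret template that still holds the
# <replaceMe> placeholder. Must not be committed: plaintext kind: Secret files
# with data/stringData, and any Secret holding tls.key (private key material).
# Assumption: one YAML document per file, as in this repo's manifests.

# check_manifest FILE -> 0 if the file may be committed, 1 if it must not be
check_manifest() {
    f="$1"
    # Ciphertext only; the controller's private key is needed to read it.
    if grep -q '^kind: SealedSecret' "$f"; then
        return 0
    fi
    # The unfilled template still carries the placeholder, so no key is in it.
    if grep -q '<replaceMe>' "$f"; then
        return 0
    fi
    if grep -Eq '^kind: Secret[[:space:]]*$' "$f"; then
        # A TLS private key inside a Secret (e.g. the sealed-secrets controller
        # key, tls.key) must never leave the cluster.
        if grep -Eq '^[[:space:]]*tls\.key:' "$f"; then
            echo "$f: Secret contains tls.key (private key material)" >&2
            return 1
        fi
        # Any other Secret with a payload is plaintext; seal it first.
        if grep -Eq '^(data|stringData):' "$f"; then
            echo "$f: plaintext Secret; run it through kubeseal first" >&2
            return 1
        fi
    fi
    return 0
}

# check_tree DIR -> prints the number of files that failed check_manifest
check_tree() {
    find "$1" -type f \( -name '*.yaml' -o -name '*.yml' \) -print |
        while IFS= read -r f; do
            check_manifest "$f" || echo "$f"
        done | wc -l | tr -d ' '
}

# precommit_guard DIR -> non-zero exit when anything must not be committed;
# call it from .git/hooks/pre-commit as: precommit_guard . || exit 1
precommit_guard() {
    [ "$(check_tree "$1")" -eq 0 ]
}

# Self-contained demonstration over four constructed manifests: two that are
# safe (sealed ciphertext, unfilled template) and two that are not (plaintext
# Secret, controller key). All values below are constructed, not real.
demo_guard() {
    tmp=$(mktemp -d)
    printf 'apiVersion: bitnami.com/v1alpha1\nkind: SealedSecret\nmetadata:\n  name: repo-secret-hobby-cluster\n  namespace: argocd\nspec:\n  encryptedData:\n    sshPrivateKey: AgBconstructedCiphertext==\n' > "$tmp/sealed.yaml"
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: repo-secret-hobby-cluster\nstringData:\n  sshPrivateKey: |\n    <replaceMe>\n' > "$tmp/template.yaml"
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: test-secret\nstringData:\n  password: constructed-plaintext\n' > "$tmp/plain.yaml"
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: sealed-secrets-key\ntype: kubernetes.io/tls\ndata:\n  tls.crt: Y29uc3RydWN0ZWQ=\n  tls.key: Y29uc3RydWN0ZWQ=\n' > "$tmp/controller-key.yaml"
    check_tree "$tmp" 2>/dev/null
    rm -rf "$tmp"
}

[ "${1:-}" = "--demo" ] && demo_guard
```

The controller's public certificate (tls.crt) is deliberately not flagged: committing it is fine, as stated above, and it is what kubeseal needs when run offline.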

What's next?

Install even more applications by going here!
