Want GitOps and Kubernetes on a single machine? Look no further!

This repo stores configurations to install:

- A kind cluster
- Nginx Ingress controller
- ArgoCD
- Sealed Secrets
- Other applications in hobby-cluster
## Create a kind cluster

First, create a Kubernetes cluster using kind. `docker` and `kind` must be installed.

Next, create a kind cluster using the kind CLI and the cluster config file:

```bash
kind create cluster --config ./kind-cluster/cluster-config.yaml
```

1 master node and 2 worker nodes are created as docker containers. Note that 1 of the worker nodes has ports 30080 and 30443 exposed on the host machine for ingress. Observe this by running:

```bash
docker ps
```
## Install the Nginx ingress controller

Create a namespace for the nginx ingress controller:

```bash
kubectl create ns ingress-nginx
```

Install the nginx-ingress controller:

```bash
kubectl -n ingress-nginx apply -f ./kind-cluster/ingress-nginx.yaml
```

Check that the ingress pod is running on worker 1:

```bash
kubectl -n ingress-nginx get pod -owide
```

Test that the HTTP ingress port is working:

```bash
curl http://localhost:30080
```

Test that the HTTPS ingress port is working (the controller's default certificate is self-signed, hence `--insecure`):

```bash
curl https://localhost:30443 --insecure
```
## Install ArgoCD

Create an argocd namespace:

```bash
kubectl create ns argocd
```

Install the ArgoCD resources:

```bash
kubectl -n argocd apply -f argocd/install.yaml
```

Install the ArgoCD ingress:

```bash
kubectl -n argocd apply -f argocd/ingress.yaml
```

Get the ArgoCD admin password:

```bash
kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d
```

Log into ArgoCD at http://argocd.mlnow.frenoid.com:30080/

- Username: `admin`
- Password: `argoCDAdminPassword` (the value decoded by the command above)
## Install the repo secret for hobby-cluster

In `./argocd/repo-secret.yaml` you will see:

```yaml
apiVersion: v1
kind: Secret
metadata:
  annotations:
    managed-by: argocd.argoproj.io
  labels:
    argocd.argoproj.io/secret-type: repository
  name: repo-secret-hobby-cluster
  namespace: argocd
type: Opaque
stringData:
  name: "kind-configs"
  project: "default"
  type: "git"
  url: "git@github.com:frenoid/hobby-cluster.git"
  sshPrivateKey: |
    <replaceMe>
```

Replace `<replaceMe>` with the private key used to access the GitHub repo and apply the secret. Do not commit the file with the real key in it; the Sealed Secrets steps below replace this plaintext secret with one that is safe to commit.

```bash
kubectl -n argocd apply -f argocd/repo-secret.yaml
```
## Install Sealed Secrets

The sealed-secrets application is needed to decrypt secrets and is a prerequisite for installing the other applications:

```bash
kubectl apply -f applications/sealed-secrets.yaml
```

Go to the ArgoCD UI and you will see that the sealed-secrets application has been installed.
## Install kubeseal

The `kubeseal` binary allows you to encrypt/decrypt SealedSecrets. It obtains the public certificate from a secret in the Kubernetes cluster's `sealed-secrets` namespace.

Download and install the kubeseal binary:

```bash
wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.26.2/kubeseal-0.26.2-linux-amd64.tar.gz
tar -xvzf kubeseal-0.26.2-linux-amd64.tar.gz kubeseal
sudo install -m 755 kubeseal /usr/local/bin/kubeseal
```

Retrieve the controller's `tls.crt` and write it to a file:

```bash
kubeseal \
  --controller-namespace=sealed-secrets \
  --controller-name=sealed-secrets \
  --fetch-cert > ~/.ssh/kubeseal.crt
```

Test that you are able to encrypt secrets using kubeseal:

```bash
kubectl -n default \
  create secret generic test-secret \
  --from-literal=username=username \
  --from-literal=password=password \
  -oyaml \
  --dry-run=client | kubeseal \
  --controller-namespace=sealed-secrets \
  --controller-name=sealed-secrets
```
## Replace the repo secret with a Sealed Secret

Now we will replace the previously created `repo-secret-hobby-cluster` secret with a Sealed Secret.

First, patch the existing secret with an annotation that allows it to be overwritten when a Sealed Secret with the same name and namespace is unsealed:

```bash
kubectl -n argocd \
  patch secret repo-secret-hobby-cluster \
  -p '{"metadata": {"annotations": {"sealedsecrets.bitnami.com/managed": "true"}}}'
```

Next, create a Sealed Secret from the existing repo secret:

```bash
kubectl -n argocd \
  get secret repo-secret-hobby-cluster -oyaml \
  | kubeseal --controller-namespace=sealed-secrets \
  --controller-name=sealed-secrets \
  --name repo-secret-hobby-cluster \
  --format yaml \
  -w sealed-secret-repo-secret-hobby-cluster.yaml
```

We can now create the Sealed Secret:

```bash
kubectl apply -f sealed-secret-repo-secret-hobby-cluster.yaml
```

Check that the Sealed Secret was created successfully:

```bash
kubectl -n argocd get sealedsecret
```

The secret `repo-secret-hobby-cluster` is now managed by the Sealed Secrets controller and will be re-synced whenever the associated Sealed Secret changes. You can see this by deleting the secret:

```bash
kubectl -n argocd delete secret repo-secret-hobby-cluster
```

Now see that the secret is re-created almost instantaneously:

```bash
kubectl -n argocd get secret
```
## How Sealed Secrets are protected

Sealed Secrets are protected by asymmetric encryption: the public key can be used to encrypt a secret, but only the private key, held by the Sealed Secrets controller in the cluster, can decrypt it.

It is safe to commit both the Sealed Secret and the public key to the code repository. However, the private key used by the Sealed Secrets controller must remain secret: anyone who obtains it can decrypt every Sealed Secret committed to the repo.
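To keep plaintext Secrets and private key material out of the repo, a pre-commit style check can be run over the manifests before committing. The script below is an added example, not part of this repo: it accepts SealedSecret manifests and rejects any `kind: Secret` or PEM private key, and the two manifests it scans in the demo are constructed inline.

```shell
#!/usr/bin/env sh
# Added example (not part of this repo): refuse to commit plaintext Secret
# material, accept SealedSecret manifests. Grep-based so it needs no YAML tooling.

# Returns 0 if the manifest is safe to commit, 1 if it must be rejected.
check_manifest() {
  f="$1"
  # 1. Any plaintext Secret document, including '- kind: Secret' items inside a
  #    kind: List. 'kind: SealedSecret' does not match because the value is anchored.
  if grep -Eq '^[[:space:]-]*kind:[[:space:]]*Secret[[:space:]]*$' "$f"; then
    echo "REJECT $f: plaintext 'kind: Secret'" >&2; return 1
  fi
  # 2. PEM private key blocks, e.g. the sshPrivateKey from repo-secret.yaml or a
  #    backup of the controller's own sealing key (tls.key).
  if grep -Eq 'BEGIN [A-Z ]*PRIVATE KEY' "$f"; then
    echo "REJECT $f: PEM private key material" >&2; return 1
  fi
  return 0
}

# Checks every file given; the exit status is the number of rejected files.
check_all() {
  bad=0
  for f in "$@"; do
    check_manifest "$f" || bad=$((bad + 1))
  done
  return "$bad"
}

# Stand-alone demo on two constructed manifests (not files from this repo):
# the plaintext repo secret shape from this README and its sealed counterpart.
demo() {
  d=$(mktemp -d)
  printf '%s\n' 'apiVersion: v1' 'kind: Secret' 'metadata:' '  name: repo-secret-hobby-cluster' \
    'stringData:' '  sshPrivateKey: |' '    -----BEGIN OPENSSH PRIVATE KEY-----' \
    '    AAAAexample' '    -----END OPENSSH PRIVATE KEY-----' > "$d/plain.yaml"
  printf '%s\n' 'apiVersion: bitnami.com/v1alpha1' 'kind: SealedSecret' 'metadata:' \
    '  name: repo-secret-hobby-cluster' 'spec:' '  encryptedData:' \
    '    sshPrivateKey: AgBexampleciphertext' '  template:' '    type: Opaque' > "$d/sealed.yaml"
  rc=0
  check_all "$d/plain.yaml" "$d/sealed.yaml" || rc=$?
  echo "rejected $rc of 2 files"   # prints: rejected 1 of 2 files
  rm -rf "$d"
}
demo
```

Wire `check_all` into a pre-commit hook over the staged `*.yaml` files so a plaintext repo secret or a sealing-key backup never reaches the remote.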
## More applications

Install even more applications by going here!