init

.gitignore

@@ -0,0 +1,5 @@
+k8s-secrets.yaml
+charts
+credentials-velero
+secrets.json
+aws-secret.yaml

README.md

@@ -0,0 +1,78 @@
+# k8s-gitops
+
+Project to configure a kubernetes cluster using Gitops. ArgoCD is used to deploy components. 
+
+Currently has been tested only for minikube, testing on EKS is planned.
+
+For the application containers the following repos are used:
+
+- https://github.com/konkerama/rust-crud-api
+- https://github.com/konkerama/python-crud-api
+
+The following technologies are used:
+
+- Python & Rust custom application containers
+- MongoDB and PostgresDB as databases using their respective helm charts
+- MongoExpress and PGAdmin for db management
+- ArgoCD for deployment
+- Prometheus for monitoring of metrics
+- Loki & Promtail for logging
+- Opentelemetry & Jaeger for tracing
+- External Secrets using AWS Systems Manager Parameter Store as a secret management solution
+
+## Setup
+
+## minikube config
+
+Before starting ensure minikube has at least the following allocated resources to avoid potential performance issues.
+
+``` bash
+minikube config set memory 4096
+minikube config set cpus 4
+```
+
+Configure secret management solution
+Create files for AWS Credentials and AWS Systems Manager Parameter store value
+
+1. Create yaml for aws credentials
+
+``` bash
+cp init/aws-secret.yaml.template init/aws-secret.yaml
+```
+
+modify the fields of `access-key` & `secret-access-key` values using the equivalent base64 encoded values of the aws credentials.
+
+2. Create json for db passwords
+
+``` bash
+cp init/secrets.json.template init/secrets.json
+```
+
+modify all the values according to your preferred database password.
+
+For more information see the [secrets management](#secret-management) section.
+
+Run the following script to perform the initial set up of the k8s envrionment
+
+``` bash
+
+./init/setup.sh
+
+```
+
+The script will create the necessary initial configuration of ArgoCD and then deploys all the components via ArgoCD.
+
+ArgoCD then monitors all the files in this repository in case there are changes and modifies all the resources accordingly.
+
+## Secret Management
+
+This implementation utilizes Kubernetes External Secrets for management of sensitive values.
+
+Initially an encrypted parameter in AWS Systems Manager Parameter Store is created. Later, Kubernetes External Secrets will point to this parameter and create "local" Kubernetes secrets based on those values. Those local secrets are then references by all the K8s components. K8s External Secrets is responsible for keeping the local secrets in sync based the source parameter in AWS Systems Manager Parameter Store.
+
+In order for Kubernetes to have the necessary permissions to communicate to AWS a secret is create in Kubernetes in the `init/setup.sh`
+
+## TODO:
+
+- test on EKS
+- add istio service mesh

argocd/db-mgmt.yaml

@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: db-mgmt
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "3"
+spec:
+  project: default
+  sources:
+  - repoURL: https://github.com/konkerama/k8s-project.git
+    targetRevision: HEAD
+    path: db-mgmt
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: orders
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true

argocd/monitoring-jaeger.yaml

@@ -0,0 +1,22 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: system
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "1"
+spec:
+  project: default
+  sources:
+  - repoURL: https://github.com/konkerama/k8s-project.git
+    targetRevision: HEAD
+    path: mon
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: monitoring
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

argocd/monitoring-loki.yaml

@@ -0,0 +1,30 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: loki
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "1"
+spec:
+  project: default
+  sources:
+  - repoURL: https://grafana.github.io/helm-charts
+    chart: loki
+    targetRevision: 5.8.9
+    # path: k8s
+    helm:
+      valueFiles:
+        - $values/helm-values/monitoring-loki.yaml
+  - repoURL: 'https://github.com/konkerama/k8s-project.git'
+    targetRevision: HEAD
+    ref: values
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: monitoring
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+      - ServerSideApply=true

argocd/monitoring-opentelemetry.yaml

@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: otel
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "1"
+spec:
+  project: default
+  sources:
+  - repoURL: https://open-telemetry.github.io/opentelemetry-helm-charts
+    chart: opentelemetry-collector
+    targetRevision: 0.62.2
+    helm:
+      valueFiles:
+        - $values/helm-values/monitoring-opentelemetry.yaml
+  - repoURL: 'https://github.com/konkerama/k8s-project.git'
+    targetRevision: HEAD
+    ref: values
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: monitoring
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

argocd/monitoring-prometheus.yaml

@@ -0,0 +1,31 @@
+# https://blog.ediri.io/kube-prometheus-stack-and-argocd-25-server-side-apply-to-the-rescue
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: prom
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "1"
+spec:
+  project: default
+  sources:
+  - repoURL: https://prometheus-community.github.io/helm-charts
+    chart: kube-prometheus-stack
+    targetRevision: 48.1.1
+    # path: k8s
+    helm:
+      valueFiles:
+        - $values/helm-values/monitoring-prometheus.yaml
+  - repoURL: 'https://github.com/konkerama/k8s-project.git'
+    targetRevision: HEAD
+    ref: values
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: monitoring
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+      - ServerSideApply=true

argocd/monitoring-promtail.yaml

@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: promtail
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "1"
+spec:
+  project: default
+  sources:
+  - repoURL: https://grafana.github.io/helm-charts
+    chart: promtail
+    targetRevision: 6.11.6
+    helm:
+      valueFiles:
+        - $values/helm-values/loki.yaml
+  - repoURL: 'https://github.com/konkerama/k8s-project.git'
+    targetRevision: HEAD
+    ref: values
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: monitoring
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

argocd/orders-mongo.yaml

@@ -0,0 +1,29 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: mongodb
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "2"
+spec:
+  project: default
+  sources:
+  - repoURL: https://charts.bitnami.com/bitnami
+    chart: mongodb
+    path: k8s
+    targetRevision: 13.15.5
+    helm:
+      valueFiles:
+        - $values/helm-values/orders-mongo.yaml
+  - repoURL: 'https://github.com/konkerama/k8s-project.git'
+    targetRevision: HEAD
+    ref: values
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: orders
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

argocd/orders-postgres.yaml

@@ -0,0 +1,29 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: postgresql
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "2"
+spec:
+  project: default
+  sources:
+  - repoURL: https://charts.bitnami.com/bitnami
+    chart: postgresql
+    path: k8s
+    targetRevision: 12.6.6
+    helm:
+      valueFiles:
+        - $values/helm-values/orders-postgres.yaml
+  - repoURL: 'https://github.com/konkerama/k8s-project.git'
+    targetRevision: HEAD
+    ref: values
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: orders
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

argocd/orders-secrets.yaml

@@ -0,0 +1,22 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: secrets
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "2"
+spec:
+  project: default
+  sources:
+  - repoURL: https://github.com/konkerama/k8s-project.git
+    targetRevision: HEAD
+    path: secrets
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: orders
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

argocd/python-app.yaml

@@ -0,0 +1,22 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: python-application
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "3"
+spec:
+  project: default
+  sources:
+  - repoURL: https://github.com/konkerama/k8s-project.git
+    targetRevision: HEAD
+    path: python-app/overlays/dev
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: orders
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

argocd/rust-app.yaml

@@ -0,0 +1,22 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: rust-application
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "3"
+spec:
+  project: default
+  sources:
+  - repoURL: https://github.com/konkerama/k8s-project.git
+    targetRevision: HEAD
+    path: rust-app/overlays/dev
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: orders
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true