Istio
This role helps in installing and configuring Argocd on the Kubernetes cluster.
Requirements¶
Access to a Kubernetes cluster. For demo purposes you can create a minikube cluster locally, as shown in the following example playbook:
- name: "Create minikube Clusters"
  hosts: all
  vars:
    # the demo work directory
    work_dir: "{{ playbook_dir }}/work"
    # the kubeconfig directory
    kubeconfig_dir: "{{ work_dir }}/.kube"
    # the kubernetes version to use with minikube
    minikube_kubernetes_version: v1.21.6
    # the minikube home directory
    minikube_home_dir: "{{ work_dir }}/.minikube"
    # minikube profiles
    minikube_profiles:
      mgmt: # profile name and Kubernetes context name
        create: yes
        destroy: no
        addons:
          - metallb
        lbStartIP: 192.168.64.80
        lbEndIP: 192.168.64.90
  roles:
    - role: kameshsampath.minikube
  # Some extra configurations
  tasks:
    - name: "Configure metallb"
      ansible.builtin.expect:
        command: "{{ minikube_binary }} -p {{ item.key }} addons configure metallb"
        responses:
          "-- Enter Load Balancer Start IP:": "{{ item.value.lbStartIP }}"
          "-- Enter Load Balancer End IP:": "{{ item.value.lbEndIP }}"
      loop: "{{ minikube_profiles | dict2items }}"
      loop_control:
        label: "{{ item.key }}"
      register: lb_setup_result
      when: item.value.create and not item.value.destroy
    - name: "Metallb result"
      debug:
        var: lb_setup_result
    - name: "Ensure we are in mgmt context"
      ansible.builtin.command:
        argv:
          - kubectl
          - config
          - use-context
          - "mgmt"
      environment:
        KUBECONFIG: "{{ work_dir }}/.kube/config"
    - name: "Ensure right permissions to kubeconfig directory"
      ansible.builtin.file:
        state: directory
        recurse: yes
        path: "{{ work_dir }}/.kube"
        mode: "0700"
Variables¶
Name | Description | Default |
---|---|---|
kubernetes_spices_argocd_k8s_context | The Kubernetes context where Argocd will be installed. The playbook will fail if this is not set. | |
kubernetes_spices_argocd_namespace | The namespace to install Argocd | argocd |
kubernetes_spices_argocd_version | The argocd version to be used | 2.1.6 |
kubernetes_spices_argocd_helm_secerts_plugin | Use helm secrets plugin with argocd applications | false |
Example Playbook¶
- name: "Setup Argocd"
  hosts: localhost
  vars:
    kubernetes_spices_argocd_k8s_context: 'mgmt'
  roles:
    - { role: kameshsampath.kubernetes_spices.argocd }
Important
- Based on the above example, kubernetes_spices_argocd_k8s_context should be set to mgmt, the context which is created by minikube.
- The default credentials to access Argocd will be admin/password; change the password before using the instance for anything beyond a demo.
Using helm secrets plugin¶
To use the helm secrets plugin with Argocd applications, enable the plugin configuration by setting the flag kubernetes_spices_argocd_helm_secerts_plugin to true.
Let's take an example using sops and age.
Create age key¶
age-keygen -o key.txt
Move the key.txt to a secure place, preferably $HOME/.ssh. Assuming you moved it to $HOME/.ssh, let's set that as a local environment variable for convenience:
export SOPS_AGE_KEY_FILE="$HOME/.ssh/key.txt"
Also note the public key in the $SOPS_AGE_KEY_FILE and export it as $SOPS_AGE_RECIPIENTS:
export SOPS_AGE_RECIPIENTS=$(awk 'NR==2{ print $4 }' "$SOPS_AGE_KEY_FILE")
Ensure the sops configuration .sops.yml is updated with your age public key (the -i flag writes the change back to the file):
yq eval -i '.creation_rules[0].age |= strenv(SOPS_AGE_RECIPIENTS)' .sops.yml
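A pre-flight check for the key steps above, as an added example that is not part of the role or its documentation: it confirms that the age key file is private to its owner and that .sops.yml names the matching public key before the key is loaded into the cluster. The function names are hypothetical and the sample key file and config are constructed placeholders.

```shell
#!/bin/sh
# Pre-flight checks for the age key before it is loaded into the cluster secret.

# Print the public key recorded in an age-keygen key file.
# Matches the "# public key:" comment itself rather than assuming it is line 2.
age_public_key() {
    awk '/^# public key: /{ print $4; exit }' "$1"
}

# Succeed only if the key file has no group/other permission bits set.
key_file_is_private() {
    case "$(ls -ld -- "$1")" in
        ????------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed only if the sops config names the public key of this key file
# (plain text match; assumes the recipient is written literally in the file).
sops_config_has_recipient() {
    pub="$(age_public_key "$1")"
    case "$pub" in age1*) ;; *) return 1 ;; esac
    grep -qF -- "$pub" "$2"
}

# Run all checks; prints the first failure and returns non-zero.
preflight() {
    key_file_is_private "$1" || { echo "key file is readable by group/other: $1"; return 1; }
    sops_config_has_recipient "$1" "$2" || { echo "recipient in $2 does not match $1"; return 2; }
    echo "ok: $(age_public_key "$1")"
}

# Constructed sample files (placeholder key material, not real keys).
make_sample() {
    dir="$(mktemp -d)"
    printf '%s\n' '# created: 2021-01-01T00:00:00Z' \
        '# public key: age1constructedexamplepublickey' \
        'AGE-SECRET-KEY-1CONSTRUCTEDEXAMPLE' > "$dir/key.txt"
    chmod 600 "$dir/key.txt"
    printf 'creation_rules:\n  - age: age1constructedexamplepublickey\n' > "$dir/.sops.yml"
    echo "$dir"
}

d="$(make_sample)"
preflight "$d/key.txt" "$d/.sops.yml"
```

Against real files the call would be preflight "$SOPS_AGE_KEY_FILE" .sops.yml.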
We need to make the age key available to the Argocd repo server so that it can decrypt the secrets:
kubectl create ns argocd
kubectl create secret generic helm-secrets-private-keys \
--namespace=argocd \
--from-file=key.txt="$SOPS_AGE_KEY_FILE"
Now you can use the same play to deploy Argocd with helm secrets enabled:
- name: "Setup Argocd"
  hosts: localhost
  vars:
    kubernetes_spices_argocd_k8s_context: 'mgmt'
    # enable the helm secrets plugin (defaults to false)
    kubernetes_spices_argocd_helm_secerts_plugin: true
  roles:
    - { role: kameshsampath.kubernetes_spices.argocd }
You can check the example project, which deploys Keycloak with the helm secrets plugin enabled in Argocd.