Reclaim the Stack in 15 minutes using this get-started stack

Reclaim the Stack: Get Started

Before proceeding, fork and clone this repository. Then search and replace https://github.com/<your-github-user>/<your-repo-name>.git with the URL of your fork, and commit and push the change.

The following script does the search and replace for you, provided that you cloned your fork via the https protocol:

ORIGINAL_URL="git@git.whyservices.net:wellhost/rts-sandbox.git"
NEW_URL="$(git remote get-url origin)"
# NOTE: sed -i '' (with a space) is required on MacOS but breaks on Linux; on Linux use -i'' without the space instead
# -F matches the URL literally (it contains dots), --exclude-dir=.git keeps grep out of the object store
grep -rlF --exclude-dir=.git "$ORIGINAL_URL" . | grep -v README.md | xargs sed -i'' "s|$ORIGINAL_URL|$NEW_URL|g"
git add .
git commit -m "Switch repository to $NEW_URL"
git push

You're now ready to follow this README step by step and start reclaiming that stack! 💪

Bootstrap a Local Cluster

If you already have an empty Kubernetes cluster ready you can skip this part. If you don't, here is a way to get a local Talos Linux based Kubernetes cluster going on top of Docker. When you're done experimenting you can follow the Tear-down instructions at the end of the README.

Prerequisites

Now bootstrap a local Docker based Talos cluster with:

rts_talosctl cluster create \
  --name reclaim-the-stack \
  --image ghcr.io/siderolabs/talos:v1.6.7 \
  --kubernetes-version 1.29.2 \
  --workers 1 \
  --cpus "2.0" \
  --cpus-workers "4.0" \
  --memory 2048 \
  --memory-workers 4096 \
  --config-patch-worker @platform/talos-worker-patch.yaml

When your cluster is up and running you can configure kubectl and talosctl to use it by:

rts_kubectl config use-context admin@reclaim-the-stack
rts_talosctl config context reclaim-the-stack
rts_talosctl config node $(rts_kubectl get node reclaim-the-stack-controlplane-1 -o yaml | yq .status.addresses.0.address)

You should now be able to list the nodes of your cluster via:

rts_kubectl get nodes -o wide
rts_talosctl get members

Before proceeding to the Installation section, make sure you label the worker node with both the worker and database roles so that all types of workloads can be scheduled on it (NOTE: on a real production cluster you might want to keep worker and database nodes separate):

rts_kubectl label nodes reclaim-the-stack-worker-1 node-role.kubernetes.io/worker=
rts_kubectl label nodes reclaim-the-stack-worker-1 node-role.kubernetes.io/database=

Installation

Prerequisites

The following assumes you have cloned this repository and changed current working directory into the git repository.

First we install the GitOps tool ArgoCD:

rts_kubectl create -k platform/argocd

Give it a few seconds to come up, after which you should be able to log in to the ArgoCD UI. Get the admin password and start a port-forward to be able to access it:

# Copy the admin password
rts_kubectl -n argocd get secret argocd-initial-admin-secret -o yaml | yq '.data.password | @base64d'

# Port forward the argocd web server
rts_kubectl port-forward services/argocd-server -n argocd 8080:443

Now navigate to https://localhost:8080 in your web browser, proceed through the self-signed certificate warning and log in with username admin and the password you exposed using the above command.

You can now relax Pod Security Admission on the default namespace to privileged (required for linkerd injection) and apply our argocd-root manifest to get the platform installed via ArgoCD:

rts_kubectl label namespace default pod-security.kubernetes.io/enforce=privileged
rts_kubectl label namespace default pod-security.kubernetes.io/warn=privileged

rts_kubectl create -f argocd-root.yaml

Cloudflared Ingress Configuration

The following assumes that you have admin access to a domain managed by Cloudflare.

Enable the cloudflared component of the stack:

mv platform-applications/disabled/cloudflared.yaml platform-applications/

Create the Cloudflare tunnel:

cloudflared tunnel login
cloudflared tunnel --credentials-file tunnel-credentials.json create reclaim-the-stack
rts_kubectl create secret generic tunnel-credentials --dry-run=client \
  --from-file=credentials.json=tunnel-credentials.json \
  -o yaml | kubeseal -o yaml > platform/cloudflared/templates/tunnel-credentials.yaml

echo "" &&
echo "Check out your tunnel at https://one.dash.cloudflare.com/$(yq .AccountTag tunnel-credentials.json -oy)/access/tunnels" &&
echo "Add DNS entries at https://dash.cloudflare.com/$(yq .AccountTag tunnel-credentials.json -oy)" &&
echo "Configure DNS entries with CNAME target $(yq .TunnelID tunnel-credentials.json -oy).cfargotunnel.com"
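The kubeseal step above redirects straight into the repo tree. The following guard is an added example (not part of this repository; it calls plain kubectl rather than the rts_kubectl alias, since aliases are not available inside scripts) that only keeps the output when it is a SealedSecret free of the plaintext credentials, and keeps tunnel-credentials.json out of git:

```shell
#!/bin/sh
# Added example: guard the kubeseal step so the raw Cloudflare tunnel
# credentials never land in the git tree (neither as plaintext nor as an
# unsealed Secret when kubeseal fails and the redirect leaves a bad file).
set -eu

# Return 0 only if SEALED is a SealedSecret that does not carry the base64
# of PLAIN (the tunnel-credentials.json that kubeseal was fed).
verify_sealed_credentials() {
  sealed="$1"; plain="$2"
  [ -s "$sealed" ] || { echo "empty or missing: $sealed" >&2; return 1; }
  grep -q '^kind: SealedSecret$' "$sealed" \
    || { echo "$sealed is not a SealedSecret (did kubeseal fail?)" >&2; return 1; }
  # An unsealed Secret would carry credentials.json as plain base64 under data:
  enc="$(base64 < "$plain" | tr -d '\n')"
  if grep -qF "$enc" "$sealed"; then
    echo "$sealed still contains the plaintext credentials" >&2; return 1
  fi
  return 0
}

# Append PATH to .gitignore once (idempotent).
ignore_plaintext() {
  grep -qxF "$1" .gitignore 2>/dev/null || echo "$1" >> .gitignore
}

# Seal PLAIN into OUT, keeping OUT only if it passes the check above.
# Assumes kubectl and kubeseal are on PATH and the controller is reachable.
seal_tunnel_credentials() {
  plain="$1"; out="$2"; tmp="$(mktemp)"
  kubectl create secret generic tunnel-credentials --dry-run=client \
    --from-file=credentials.json="$plain" -o yaml | kubeseal -o yaml > "$tmp"
  verify_sealed_credentials "$tmp" "$plain" || { rm -f "$tmp"; return 1; }
  mv "$tmp" "$out" && ignore_plaintext "$plain"
}
```

Call it as seal_tunnel_credentials tunnel-credentials.json platform/cloudflared/templates/tunnel-credentials.yaml in place of the raw pipeline.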

For DNS entries you either have to manually configure a subdomain entry for each ingress you want to expose, or use a wildcard entry. A wildcard entry is strongly recommended as it significantly simplifies configuration, e.g. *.example.com -> <tunnel-id>.cfargotunnel.com.

If you have Total TLS enabled on your Cloudflare domain you also have the option to put the ingress on a subdomain wildcard, e.g. *.reclaim-the-stack.example.com -> <tunnel-id>.cfargotunnel.com.

Open platform/cloudflared/config.yaml and search + replace example.com with your own Cloudflare domain.

After pushing the changes and refreshing the platform application in ArgoCD cloudflared will start deploying. When everything is green, provided you have set up your DNS entries correctly, you should now be able to access ArgoCD and Grafana via your domain on their respective subdomains.

ArgoCD webhook

Once you have ingress working and can reach ArgoCD via your domain, you can add a webhook to this repository (via Settings -> Webhooks -> Add webhook) to let ArgoCD sync changes immediately after every git push.

The webhook URL has the form https://argocd.<your-domain.com>/api/webhook. The content type should be application/json. For events you need "just the push event".

Tear-down

Wipe the local cluster, its related config, and the cloudflared tunnel:

rts_talosctl cluster destroy --name reclaim-the-stack
rts_kubectl config unset contexts.admin@reclaim-the-stack
rts_kubectl config unset users.admin@reclaim-the-stack
rts_kubectl config unset clusters.reclaim-the-stack
yq eval -i 'del(.contexts."reclaim-the-stack")' ~/.talos/config
cloudflared tunnel cleanup reclaim-the-stack
cloudflared tunnel delete reclaim-the-stack

If you set up any DNS records you'll have to delete those manually.