No description

Find a file

Sebastian Mark 17675f31d1 fix(argocd): add baseline project and application - Add `argocd-apps` HelmChart to deploy baseline project and application - Define `baseline` project with source repos, destinations, and cluster resource whitelist - Define `baseline` application with source, destination, and sync policy ArgoCD v5.0 removes support for the parameters server.additionalApplications and server.additionalProjects. Parameters are moved to argocd-apps. See: https://github.com/argoproj/argo-helm/tree/main/charts/argo-cd#500		2023-06-26 10:37:28 +02:00
_templates	REFACTOR: merge templates into one	2022-04-17 19:00:24 +02:00
bin	FEAT(bin): add get_applications.sh	2022-04-18 23:32:07 +02:00
k8s-manifests	FEAT: bump nginx to v4.3.*	2022-10-17 10:36:43 +02:00
.gitignore	FEAT: get kubeconfig after k3s installation	2022-05-01 20:04:05 +02:00
argocd-init.yml	fix(argocd): add baseline project and application	2023-06-26 10:37:28 +02:00
logo.png	FEAT: add logo	2021-11-30 14:49:29 +01:00
pb_install.yml	refactor(pb_install.yml): add tags to playbook tasks	2023-06-26 10:37:09 +02:00
README.md	FEAT: add LetsEncrypt issuers	2022-05-01 20:04:05 +02:00

README.md

Kubernetes Baseline

ArgoCD
- NGINX Ingress Controller
- cert-manager
  - selfsigned issuer
  - LetsEncrypt issuers (Prod and Staging)
- prometheus and grafana
- loki
- keel
- reloader

Installation (k3s + baseline)

ansible-playbook -i <host|ip>, pb_install.yml

Installation (baseline only)

make sure kubectl is configure to reach the destination cluster, then:

kubectl apply -f argocd-init.yml

Notes

Linode

PROXY protocol needs to be enabled for ingress-nginx to see the clients IP in ingress log.

Add the PROXY protocol annotation to the ingress-nginx service:

annotations:
    service.beta.kubernetes.io/linode-loadbalancer-proxy-protocol: v2

Update the ingress-nginx ConfigMap to make nginx expect PROXY protocol data:

data:
  use-proxy-protocol: "true"

cert-manager

However, when you have the PROXY protocol enabled, the external load balancer does modify the traffic, prepending the PROXY line before each TCP connection. If you connect directly to the web server internally, bypassing the external load balancer, then it will receive traffic without the PROXY line.

This is particularly a problem when using cert-manager for provisioning SSL certificates.

After enabling the PROXY protocol cert-manager is unable to perform a self check ("propagation check failed", "failed to perform self check GET request").

hairpin-proxy adds PROXY protocol support for internal-to-LoadBalancer traffic for Kubernetes Ingress users, specifically for cert-manager self-checks (no further configuration needed).