docs: craft a gitops focused installation #18
Aside from comments above, there is a bunch of things that did not fully converge on my installation:
```
❯ k -n argocd get applications.argoproj.io
NAME                          SYNC STATUS   HEALTH STATUS
app-of-apps                   Synced        Healthy
argo-events                   Unknown       Healthy
argo-workflows                Synced        Degraded
cert-manager                  Synced        Healthy
dexidp                        Synced        Degraded
ironic                        OutOfSync     Degraded
keystone                      OutOfSync     Degraded
mariadb                       Synced        Healthy
mariadb-operator              Synced        Healthy
memcached                     Synced        Healthy
messaging-topology-operator   Synced        Healthy
nautobot                      Synced        Progressing
postgres-db                   Synced        Healthy
postgres-operator             Synced        Healthy
rabbitmq-cluster              Synced        Healthy
rabbitmq-operator             Synced        Healthy
```
- The ironic/keystone is most likely because of missing node labelling.
- dex is because of missing azure secret
- for `argo-events` the `sso` file is missing in `/components/12-argo-events/sso`, so kustomize fails:

```
Message: Failed to load target state: failed to generate manifest for source 1 of 1: rpc error: code = Unknown desc = Manifest generation error (cached): `kustomize build <path to cached source>/components/12-argo-events --enable-helm` failed exit status 1: Error: loading KV pairs: file sources: [sso]: evalsymlink failure on '<path to cached source>/components/12-argo-events/sso' : lstat <path to cached source>/components/12-argo-events/sso: no such file or directory
```
scripts/gitops-secrets-gen.sh (outdated)

```
  labels:
    argocd.argoproj.io/secret-type: repo-creds
data:
  sshPrivateKey: $(cat "${UC_DEPLOY_SSH_FILE}" | base64)
```
Suggested change (replacing the `sshPrivateKey` line above):

```
  sshPrivateKey: $(openssl rsa -in "${UC_DEPLOY_SSH_FILE}" | base64 | tr -d '\n')
```
So `openssl rsa -in` doesn't work on my SSH key.
Interesting - can you post the header of your SSH key? Is it text or binary?
```
-----BEGIN OPENSSH PRIVATE KEY-----
```
oh okay, mine starts with:

```
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,5BD
```

which is PKCS#1, yours seems to be OpenSSH's standard. There are 4-5 formats out there, so it looks like we probably should use `ssh-keygen` for the conversion and decryption instead.

The command to remove the passphrase would be:

```
ssh-keygen -p -N "" -f /tmp/testkey
```

Unfortunately it modifies the keyfile in-place, so we need to operate on a copy that we have to remove from the disk after it's used.
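The approach the thread settles on, written out as an added example (this is not the project's `scripts/gitops-secrets-gen.sh`): classify the key by its PEM header, decide whether it carries a passphrase, strip the passphrase with `ssh-keygen -p` on a private copy rather than the original, base64-encode the result on a single line so it can be interpolated into the `sshPrivateKey` field of an Argo CD `repo-creds` Secret, and delete the copy on exit. The function names, the `UC_DEPLOY_SSH_PASSPHRASE` variable and the Secret name are assumptions; the key headers used by the test are constructed, not real keys.

```shell
#!/bin/sh
# Added example, not the project's gitops-secrets-gen.sh. Function and
# variable names (UC_DEPLOY_SSH_PASSPHRASE, understack-repo-creds) are assumed.
set -eu

# Classify a private key by its PEM header. ssh-keygen writes the OpenSSH
# container by default; older keys (or `ssh-keygen -m PEM`) are PKCS#1, which
# is the only format `openssl rsa -in` reads directly.
detect_key_format() {
  case "$(head -n 1 "$1")" in
    "-----BEGIN OPENSSH PRIVATE KEY-----") echo openssh ;;
    "-----BEGIN RSA PRIVATE KEY-----"|"-----BEGIN EC PRIVATE KEY-----") echo pkcs1 ;;
    "-----BEGIN PRIVATE KEY-----"|"-----BEGIN ENCRYPTED PRIVATE KEY-----") echo pkcs8 ;;
    *) echo unknown ;;
  esac
}

# PKCS#1 announces encryption with a "Proc-Type: 4,ENCRYPTED" line and PKCS#8
# with its header; the OpenSSH container keeps it inside the binary blob, so
# there the only reliable check is asking ssh-keygen to open the key with an
# empty passphrase. Returns 0 when a passphrase is needed.
key_is_encrypted() {
  case "$(detect_key_format "$1")" in
    pkcs1) grep -q '^Proc-Type: 4,ENCRYPTED' "$1" ;;
    pkcs8) grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$1" ;;
    *) ! ssh-keygen -y -P '' -f "$1" >/dev/null 2>&1 ;;
  esac
}

# Single-line base64: GNU `base64` wraps at 76 columns, and a wrapped value
# corrupts the YAML line it is substituted into.
b64_oneline() {
  base64 < "$1" | tr -d '\n'
}

# Emit the repo-creds Secret for $2 (git SSH URL) using the key at $1.
# ssh-keygen -p rewrites the file it is given, so it runs on a 0600 copy that
# the trap removes on any exit path; the original key is never modified.
render_repo_creds_secret() {
  keyfile=$1
  url=$2
  tmp=$(mktemp)
  trap 'rm -f "$tmp"' EXIT INT TERM
  cp "$keyfile" "$tmp"
  chmod 600 "$tmp"
  if key_is_encrypted "$tmp"; then
    if [ -n "${UC_DEPLOY_SSH_PASSPHRASE:-}" ]; then
      ssh-keygen -q -p -P "$UC_DEPLOY_SSH_PASSPHRASE" -N '' -f "$tmp"
    else
      ssh-keygen -q -p -N '' -f "$tmp"   # interactive: prompts for the old passphrase
    fi
  fi
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: understack-repo-creds
  namespace: argocd
  labels:
    argocd.argoproj.io/secret-type: repo-creds
data:
  url: $(printf '%s' "$url" | base64 | tr -d '\n')
  sshPrivateKey: $(b64_oneline "$tmp")
EOF
  rm -f "$tmp"
}

# Usage: sh gen-repo-creds.sh ~/.ssh/deploy_key git@github.com:org/deploy.git > repo-creds.yaml
if [ $# -eq 2 ]; then
  render_repo_creds_secret "$1" "$2"
fi
```

The output is meant to be piped through `kubeseal` (or whatever the deploy repo uses) before it is committed; the plaintext Secret should not land in git. Note that `ssh-keygen -p` on a PKCS#1 key rewrites the copy in the OpenSSH container format, which Argo CD accepts.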
So to reply to your top-level comments since I can't reply inline...
edit: did a clean test run and found the problem - #28 should fix it.
Agreed. Logged as PUC-224
Each component and operator includes some bits to create the namespace it lives in. For ArgoCD, we don't need a component to create the namespace but instead use its functionality to create the namespaces.
Create the nautobot pieces in one application.
Allow the understack project to deploy into the dex namespace.
This secret is actually in a different format and managed by jobs and cronjobs that rotate out the value in keystone. The fact that we create this is wrong and the value is wrong. This will result in jobs failing to rotate values.
We don't want to enable OpenStack Helm's helm.sh/hooks because they set them as post-install,post-upgrade, which in ArgoCD maps to PostSync. However, the deployments and statefulsets in OpenStack Helm depend on the jobs completing, which they can't if they are set to deploy in PostSync.
We're not using the ingress controller that OpenStack Helm has for their deployment so we need to set the "use_external_ingress_controller" flag.
Add parameters to component deployments to pull secrets and values from a deployment repo that customizes the configuration of these components.
I think I've addressed all your feedback.
just realised I forgot to mention the missing `argo-sso` secret, which causes the `secret-argo-sso-*` files to be generated in the wrong folder and as a result not included in the deploy repo.

also, this does not deploy the ingress anymore - which is a requirement for the argo-workflows and Nautobot to work. Do you plan to take care of this in a separate PR?
Added the ability to write out the data into a target directory. Added the generation of the OpenStack Helm values file by the script. Allowed skipping of the usage of kubeseal when generating the secrets.
Write up a GitOps focused installation of Understack along with some helper scripts to assist the user with crafting their secrets and their initial layout of their data.
Approving with an understanding that:
- ingress controller is not being deployed with this. It results in Dex not being reachable for authentication, so `argo-workflows` and `nautobot` cannot be used - this will be tracked as a separate story

Absolutely agree.
Craft a GitOps focused installation process which users can use to easily stand up a dev environment.