One-click Bootstrap Deployment of ArgoCD
This is the second post in our series about Managing Complex Kubernetes Clusters. We describe how to create a bootstrap script that automates key prerequisites: deployment of ArgoCD and pointing it at the repo and cluster that it needs to use for deployments.
by Fong Han Ken and Brian Claus
Building a multi-cluster/multi-tenant solution requires automation to set up a complete tenancy, either in a namespace or in a separate cluster, depending on the needs of the tenant. Our goal is a fully automated ‘1-click’ solution. GitOps and ArgoCD can automate the deployment of a tenancy and ensure the platform remains in the target state defined in the repo. This eliminates the problem of imperative pipelines having to manage complex dependencies (see related article).
To achieve full ‘1-click’ automation, ArgoCD itself still has to be bootstrapped, since it is the tool that manages the automation for all further deployments. This creates a “chicken and egg” dilemma: the tool that deploys everything must first be deployed by something else. Our solution was a bootstrap script that automates the key prerequisites: deploying ArgoCD and pointing it at the repo and cluster it needs to use for deployments.
This is managed via a ‘bootstrap.sh’ script which handles the bootstrapping of ArgoCD. There are four prerequisites for the bootstrap process:
1. The cluster must exist.
a) Automation of cluster creation is handled separately.
b) The choice of tooling depends heavily on where and how the cluster is being run.
2. The sealed-secrets key pair (the cert and private key the sealed-secrets controller uses to decrypt SealedSecrets) must be available.
a) Our dev environments use AWS Secrets Manager.
b) For on-prem staging they sit in an S3 bucket, but will eventually be moved into the client's secrets manager.
3. Because this is GitOps, all of the bootstrapping specifications must be stored in our repo (and images in our registry).
4. The repo must be cloned, and git, kubectl and, for cloud deployments, the appropriate cloud CLI must be installed on the machine used to bootstrap.
The Script
The ‘bootstrap.sh’ is a simple script. Whatever the environment, it executes only the prerequisite steps below; all configuration is taken from the repo cloned onto the bootstrapping machine, and everything after step 6 is driven by ArgoCD from that repo. The instructions below describe an AWS deployment.
1. Pull the sealed-secrets cert and private key from Secrets Manager and put them somewhere accessible. For development we put them in a temporary bootstrap directory. Note that this is the key that decrypts every SealedSecret in the repo, so the file should be owner-readable only and deleted once the bootstrap has finished.
aws secretsmanager get-secret-value --secret-id dbs-ada/controller/sealedsecret-key --output text --query 'SecretString' > bootstrapdirectory/secrets/sealedsecret-key.json
2. Deploy the Bitnami sealed-secrets controller; it is needed to unseal the SealedSecrets applied in step 4. The restored key pair must be present in the controller's namespace before the controller pod starts, otherwise the controller generates a fresh key and nothing sealed against the stored key can be decrypted.
kubectl apply -f bootstrapdirectory/cluster-config/sealedsecrets/base/sealedsecret-controller.yaml
kubectl wait -n kube-system --for=condition=ready pod -l name=sealed-secrets-controller
3. Create the ArgoCD namespace
kubectl apply -f bootstrapdirectory/cluster-config/argocd/base/namespace.yaml
4. Deploy the SealedSecret holding the git SSH credentials to the ArgoCD namespace; the Bitnami sealed-secrets controller unseals it into a regular Secret there.
kubectl apply -f bootstrapdirectory/cluster-config/sealedsecrets/overlays/stage/gitcred-ssh-dbs-ada-sealed.yaml
5. Deploy ArgoCD itself from its kustomize overlay
kubectl apply -k bootstrapdirectory/cluster-config/argocd/overlays/argocd
6. Deploy the ArgoCD ‘default’ Application; this kicks off the deployment of the rest of the platform
kubectl apply -k bootstrapdirectory/argocd-config/overlays/default
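The six steps assembled into one script, as an added example rather than the authors' own bootstrap.sh. It keeps the repo paths and secret id from the listing above and adds the checks a practitioner would want: all tools present before anything runs, the key file owner-readable only and removed on exit, the key pair restored into kube-system before the controller starts, and a poll before kubectl wait (which fails immediately if the pod has not been created yet). The assumption is that the value stored in Secrets Manager is the controller's key Secret as exported with `kubectl get secret -o json`, so it can be applied directly; the `run` argument and the `REPO_DIR`/`SECRET_ID` overrides are this example's, not the original's.

```shell
#!/usr/bin/env bash
# bootstrap.sh (added example): bootstrap ArgoCD on an AWS-hosted cluster.
# Assumes the current kubectl context points at the new cluster and that the
# Secrets Manager value is the sealed-secrets key Secret in kube-system,
# exported with `kubectl get secret -o json` (assumption, see lead-in).
set -eu

REPO_DIR="${REPO_DIR:-bootstrapdirectory}"                   # the cloned repo
SECRET_ID="${SECRET_ID:-dbs-ada/controller/sealedsecret-key}"
KEY_FILE="$REPO_DIR/secrets/sealedsecret-key.json"

# Report every missing tool at once instead of failing half-way through.
require_tools() {
  local missing=""
  for tool in "$@"; do
    command -v "$tool" >/dev/null 2>&1 || missing="$missing $tool"
  done
  [ -z "$missing" ] || { echo "missing tools:$missing" >&2; return 1; }
}

# The fetched key must exist, be non-empty and be readable only by its owner.
key_file_ok() {
  local f="$1" mode
  [ -s "$f" ] || return 1
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  [ "$mode" = "600" ]
}

# `kubectl wait` errors with "no matching resources found" if the pod does not
# exist yet, so poll for the pod first, then wait for it to become ready.
wait_for_pod() {
  local ns="$1" selector="$2" tries=30
  until [ -n "$(kubectl get pods -n "$ns" -l "$selector" -o name)" ]; do
    tries=$((tries - 1))
    [ "$tries" -gt 0 ] || return 1
    sleep 5
  done
  kubectl wait -n "$ns" --for=condition=ready pod -l "$selector" --timeout=300s
}

main() {
  require_tools aws kubectl git
  umask 077                     # anything created from here on is owner-only
  mkdir -p "$(dirname "$KEY_FILE")"

  # 1. Pull the sealed-secrets key pair from Secrets Manager.
  aws secretsmanager get-secret-value --secret-id "$SECRET_ID" \
    --output text --query 'SecretString' > "$KEY_FILE"
  key_file_ok "$KEY_FILE" || { echo "key file missing, empty or too open" >&2; exit 1; }
  trap 'rm -f "$KEY_FILE"' EXIT   # never leave the decryption key on disk

  # Restore the key BEFORE the controller starts; otherwise it mints a new
  # one and the SealedSecrets in the repo can no longer be decrypted.
  kubectl apply -f "$KEY_FILE"

  # 2. Deploy the controller and wait until it is ready.
  kubectl apply -f "$REPO_DIR/cluster-config/sealedsecrets/base/sealedsecret-controller.yaml"
  wait_for_pod kube-system name=sealed-secrets-controller

  # 3. ArgoCD namespace.
  kubectl apply -f "$REPO_DIR/cluster-config/argocd/base/namespace.yaml"

  # 4. Git SSH credentials as a SealedSecret; the controller unseals them into argocd.
  kubectl apply -f "$REPO_DIR/cluster-config/sealedsecrets/overlays/stage/gitcred-ssh-dbs-ada-sealed.yaml"

  # 5. ArgoCD itself.
  kubectl apply -k "$REPO_DIR/cluster-config/argocd/overlays/argocd"

  # 6. The 'default' Application, which deploys the rest of the platform.
  kubectl apply -k "$REPO_DIR/argocd-config/overlays/default"
}

# Only act when invoked as `./bootstrap.sh run`; otherwise the file just
# defines its functions and can be sourced for testing.
if [ "${1:-}" = "run" ]; then
  main
fi
```

The order of the key restore and the controller deploy is the part that is easy to get wrong: if the controller ever comes up without the stored key, it will happily serve a new one, and the failure only shows up later as SealedSecrets that never turn into Secrets.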