This module is responsible for bootstrapping a Kubernetes cluster for the Explorer projects.
Clusters can be bootstrapped using the init.sh script. See the next paragraph for the init script's requirements.
The init script deploys both ArgoCD and the Main App. Once installed, ArgoCD follows the GitOps approach and ensures that the Kubernetes cluster deployment(s) stay in sync with the definitions contained in the relevant git projects.
In order for ArgoCD to access GitHub, a number of secrets need to be created.
- Deployment keys for all the GitHub projects involved
- The Sealed Secrets main key, required to decrypt the deployment keys above
In order to work, ArgoCD needs access to several GitHub repositories. At a minimum it requires access to the main app repository: the one that bootstraps the cluster.
GitHub Deployment Keys can be set up to grant ArgoCD the required permissions.
Configuring the deployment key secrets is done in two steps:
- deploying the relevant secrets via the init.sh script
- associating each secret with its repository in values.yaml
Kubernetes Secrets are not encrypted, but rather just base64 encoded, so it is recommended NOT to version control them.
Sealed Secrets is the simplest solution for safely dealing with secrets and allows developers to version control them.
From their own documentation:
Problem: "I can manage all my K8s config in git, except Secrets."
Solution: Encrypt your Secret into a SealedSecret, which is safe to store - even inside a public repository. The SealedSecret can be decrypted only by the controller running in the target cluster and nobody else (not even the original author) is able to obtain the original Secret from the SealedSecret.
Creating a Sealed Secrets key pair is simple and can be done via openssl req -new -newkey rsa:4096 -x509 -sha256 -days 365 -nodes -out tls.crt -keyout tls.key
This key needs to:
- be used to encrypt all the secrets
- be deployed on the cluster as per the init.sh script
The key should ideally be secured in AWS KMS.
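The following script is an added example of the whole procedure described above; it is not the project's init.sh. It generates the key pair with the openssl command from this page (adding -subj so the command runs non-interactively), renders the Secret that the Sealed Secrets controller adopts as its active key, renders a plaintext ArgoCD repository credential for one GitHub deploy key, and seals it with kubeseal using only the public certificate. The namespaces (kube-system, argocd), secret names and repository URL are assumptions, not values taken from the project.

```shell
#!/usr/bin/env sh
# Added example (not the project's init.sh): generate a Sealed Secrets key pair,
# render the Secret the controller picks up as its active key, and seal a GitHub
# deploy key as an ArgoCD repository credential. Namespaces, secret names and the
# repository URL are assumptions, not values from the project.
set -eu

# Step 1: the key pair from the page's openssl command (self-signed X.509 + RSA-4096).
# -subj is added here so openssl does not prompt for the certificate subject.
generate_sealing_key() {
  cert="$1"; key="$2"
  openssl req -new -newkey rsa:4096 -x509 -sha256 -days 365 -nodes \
    -subj "/CN=sealed-secret/O=sealed-secret" \
    -out "$cert" -keyout "$key" 2>/dev/null
}

# Portable base64 without line wrapping (GNU base64 -w0 is not available on macOS).
b64() { base64 < "$1" | tr -d '\n'; }

# Step 2: render the Secret holding the key pair. The controller adopts any
# kubernetes.io/tls Secret in its namespace carrying the label
# sealedsecrets.bitnami.com/sealed-secrets-key=active, so applying this
# manifest is what "deploy the key on the cluster" means in practice.
render_key_secret() {
  cert="$1"; key="$2"; name="${3:-sealed-secrets-key}"; ns="${4:-kube-system}"
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
  namespace: ${ns}
  labels:
    sealedsecrets.bitnami.com/sealed-secrets-key: active
type: kubernetes.io/tls
data:
  tls.crt: $(b64 "$cert")
  tls.key: $(b64 "$key")
EOF
}

# Step 3: the plaintext ArgoCD repository credential for one GitHub deploy key.
# This output must never be committed; only the sealed form from step 4 is.
render_repo_secret() {
  name="$1"; repo_url="$2"; deploy_key_file="$3"
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
  namespace: argocd
  labels:
    argocd.argoproj.io/secret-type: repository
stringData:
  type: git
  url: ${repo_url}
  sshPrivateKey: |
$(sed 's/^/    /' "$deploy_key_file")
EOF
}

# Step 4: seal with the public half only, so sealing works offline and without
# cluster access. --scope strict (the default) binds the SealedSecret to its
# name and namespace, so it cannot be re-used under another name elsewhere.
seal() {
  cert="$1"; plaintext="$2"; out="$3"
  kubeseal --cert "$cert" --format yaml --scope strict < "$plaintext" > "$out"
}

# Usage (requires openssl and kubeseal; kubectl only for the apply):
#   generate_sealing_key tls.crt tls.key
#   render_key_secret tls.crt tls.key | kubectl apply -f -
#   render_repo_secret main-app-repo git@github.com:ORG/main-app.git ./deploy_key > repo-secret.yaml
#   seal tls.crt repo-secret.yaml repo-secret.sealed.yaml   # commit only this file
```

Note that tls.key is the only piece that must stay off git: with it, anyone can decrypt every SealedSecret in the repository, which is why the page recommends securing it in AWS KMS. tls.crt can be handed to every developer who needs to seal new secrets.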