gitops-tbrnt/README.md

# GitOps for tbrnt k3s hosting

## Repo structure

* Each subdirectory is a namespace
* `_apps` is the meta directory for Argo CD apps
* Another private repo contains stuff in a more
  approachable format, f.e. for dealing with
  updating sealed-secrets: `gitops-tbrnt-private`

## Usage

### Argo CD

#### Access

Either

`sudo -E kubefwd svc -n argocd` and then https://argocd-server/

or

`kubectl port-forward svc/argocd-server -n argocd 8080:443` and
then https://localhost:8080/

#### CLI

* `argocd login argocd-server`
* `argocd app list`
* `argocd app sync <name>`

### Kubeseal (Sealed Secrets)

See README of apps. Basically:

```
kubeseal --controller-namespace sealed-secrets -o yaml -n MYNS < ../../gitops-tbrnt-private/MYNS/MYSECRET.yaml > MYSECRET-secret.yaml
```

## Bootstrap GitOps

After installing k3s, do:

```
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
```

TODO:
* private key restore
* initial app provisioning
* ...

## k3s on Alpine

* Install k3s: `apk add k3s cni-plugins iptables wireguard-virt wireguard-tools-wg`
* Enable cgroups: `rc-update add cgroups default`
* Adapt service file `/etc/init.d/k3s`:

```
#!/sbin/openrc-run

export PATH=/usr/share/cni-plugins/bin:$PATH

name="k3s"
command="/usr/bin/k3s"
command_args="$K3S_OPTS"
command_background="yes"
output_log="/var/log/k3s.log"
error_log="/var/log/k3s.err"

start_stop_daemon_args="server"
pidfile="/run/k3s.pid"

depend() {
	need net
	after firewall
}
```

Helpful links:

* https://rancher.com/docs/k3s/latest/en/advanced/#additional-preparation-for-alpine-linux-setup
* https://github.com/rancher/k3s/issues/660

## Configure Wireguard

`/etc/network/interfaces`

```
auto wg0
iface wg0 inet static
    address 10.42.42.16
    netmask 255.255.255.0
    pre-up ip link add dev wg0 type wireguard
    pre-up wg setconf wg0 /etc/wireguard/wg0.conf
    post-up ip route add 10.42.42.0/24 dev wg0
    post-down ip link delete dev wg0
```

* https://wiki.alpinelinux.org/wiki/Configure_a_Wireguard_interface_(wg)
initial commit 2020-01-25 19:01:21 +00:00			`# GitOps for tbrnt k3s hosting`

update README 2020-01-26 18:57:32 +00:00			`## Repo structure`

			`* Each subdirectory is a namespace`
			* `_apps` is the meta directory for Argo CD apps
			`* Another private repo contains stuff in a more`
			`approachable format, f.e. for dealing with`
			updating sealed-secrets: `gitops-tbrnt-private`
initial commit 2020-01-25 19:01:21 +00:00
adapt README 2020-01-28 20:15:57 +00:00			`## Usage`

			`### Argo CD`

			`#### Access`

			`Either`

			`sudo -E kubefwd svc -n argocd` and then https://argocd-server/

			`or`

			`kubectl port-forward svc/argocd-server -n argocd 8080:443` and
			`then https://localhost:8080/`

			`#### CLI`

			* `argocd login argocd-server`
			* `argocd app list`
			* `argocd app sync <name>`

			`### Kubeseal (Sealed Secrets)`

add hint how to use kubeseal 2020-02-08 14:24:09 +00:00			`See README of apps. Basically:`

			```
			`kubeseal --controller-namespace sealed-secrets -o yaml -n MYNS < ../../gitops-tbrnt-private/MYNS/MYSECRET.yaml > MYSECRET-secret.yaml`
			```
adapt README 2020-01-28 20:15:57 +00:00
			`## Bootstrap GitOps`

			`After installing k3s, do:`

			```
			`kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml`
			```

			`TODO:`
			`* private key restore`
			`* initial app provisioning`
			`* ...`

initial commit 2020-01-25 19:01:21 +00:00			`## k3s on Alpine`

wireguard hints 2020-02-07 20:36:38 +00:00			* Install k3s: `apk add k3s cni-plugins iptables wireguard-virt wireguard-tools-wg`
initial commit 2020-01-25 19:01:21 +00:00			* Enable cgroups: `rc-update add cgroups default`
			* Adapt service file `/etc/init.d/k3s`:
adapt README 2020-01-28 20:15:57 +00:00
update README 2020-01-26 18:57:32 +00:00			```
initial commit 2020-01-25 19:01:21 +00:00			`#!/sbin/openrc-run`

			`export PATH=/usr/share/cni-plugins/bin:$PATH`

			`name="k3s"`
			`command="/usr/bin/k3s"`
			`command_args="$K3S_OPTS"`
			`command_background="yes"`
			`output_log="/var/log/k3s.log"`
			`error_log="/var/log/k3s.err"`

			`start_stop_daemon_args="server"`
			`pidfile="/run/k3s.pid"`

			`depend() {`
			`need net`
			`after firewall`
			`}`
			```

			`Helpful links:`

			`* https://rancher.com/docs/k3s/latest/en/advanced/#additional-preparation-for-alpine-linux-setup`
			`* https://github.com/rancher/k3s/issues/660`
wireguard hints 2020-02-07 20:36:38 +00:00
			`## Configure Wireguard`

			`/etc/network/interfaces`

			```
			`auto wg0`
			`iface wg0 inet static`
			`address 10.42.42.16`
			`netmask 255.255.255.0`
			`pre-up ip link add dev wg0 type wireguard`
			`pre-up wg setconf wg0 /etc/wireguard/wg0.conf`
			`post-up ip route add 10.42.42.0/24 dev wg0`
			`post-down ip link delete dev wg0`
			```

			`* https://wiki.alpinelinux.org/wiki/Configure_a_Wireguard_interface_(wg)`