# GitOps for tbrnt k3s hosting

## Repo structure

* Each subdirectory is a namespace
* `_apps` is the meta directory for Argo CD apps
* Another, private repo (`gitops-tbrnt-private`) holds the same material in a more approachable format, e.g. the plain secrets used when updating sealed secrets

## Usage

### Argo CD

#### Access

Either `sudo -E kubefwd svc -n argocd` and then https://argocd-server/

or `kubectl port-forward svc/argocd-server -n argocd 8080:443` and then https://localhost:8080/

#### CLI

* `argocd login argocd-server`
* `argocd app list`
* `argocd app sync APPNAME` (APPNAME is a placeholder for the app to sync)

### Kubeseal (Sealed Secrets)

See the README of the respective apps. Basically:

```
kubeseal --controller-namespace sealed-secrets -o yaml -n MYNS \
  < ../../gitops-tbrnt-private/MYNS/MYSECRET.yaml > MYSECRET-secret.yaml
```

Only the sealed output (`MYSECRET-secret.yaml`) goes into this repo; the plain `MYSECRET.yaml` stays in the private repo.

## Bootstrap GitOps

After installing k3s, do:

```
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
```

The `argocd` namespace has to exist before this apply (`kubectl create namespace argocd`).

TODO:

* private key restore
* initial app provisioning
* ...

## k3s on Alpine

* Install k3s: `apk add k3s cni-plugins iptables wireguard-virt wireguard-tools-wg`
* Enable cgroups: `rc-update add cgroups default`
* Adapt the service file `/etc/init.d/k3s`:

```
#!/sbin/openrc-run

# k3s looks for the CNI plugin binaries on its PATH
export PATH=/usr/share/cni-plugins/bin:$PATH

name="k3s"
command="/usr/bin/k3s"
# The k3s subcommand and flags belong in command_args; K3S_OPTS comes from
# /etc/conf.d/k3s and defaults to "server" here. (start_stop_daemon_args are
# options for start-stop-daemon itself and are not passed to k3s.)
command_args="${K3S_OPTS:-server}"
command_background="yes"
output_log="/var/log/k3s.log"
error_log="/var/log/k3s.err"
pidfile="/run/k3s.pid"

depend() {
	need net
	after firewall
}
```

Helpful links:

* https://rancher.com/docs/k3s/latest/en/advanced/#additional-preparation-for-alpine-linux-setup
* https://github.com/rancher/k3s/issues/660

## Configure Wireguard

`/etc/network/interfaces`:

```
auto wg0
iface wg0 inet static
	address 10.42.42.16
	netmask 255.255.255.0
	pre-up ip link add dev wg0 type wireguard
	pre-up wg setconf wg0 /etc/wireguard/wg0.conf
	post-up ip route add 10.42.42.0/24 dev wg0
	post-down ip link delete dev wg0
```

`/etc/wireguard/wg0.conf` contains the interface's private key: keep it root-only (`chmod 600`) and out of this repo.

* https://wiki.alpinelinux.org/wiki/Configure_a_Wireguard_interface_(wg)
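## Guard against unsealed secrets

Since only kubeseal output belongs in this repo and the plain Secrets live in `gitops-tbrnt-private`, a pre-commit check that rejects any manifest with a plain `kind: Secret` catches an accidental leak before it is pushed. The script below is an added example, not part of this repo; the sample manifests and the hook file name `check_secrets.py` are constructed for illustration.

```python
import re
import sys

# Sample manifests, constructed for this example: one properly sealed file and
# one multi-document file that smuggles in a plain Secret next to a ConfigMap.
SEALED_OK = """\
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: db-creds
spec:
  encryptedData:
    password: AgBy3i4OJSWK+PiTySYZZA9rO43cGDEq
"""
PLAIN_LEAK = """\
kind: ConfigMap
metadata:
  name: app-config
---
apiVersion: v1
kind: Secret
metadata:
  name: db-creds
stringData:
  password: hunter2
"""

KIND_RE = re.compile(r"^kind:\s*(\S+)\s*$", re.M)
NAME_RE = re.compile(r"^metadata:[ \t]*\n(?:[ \t]+.*\n)*?[ \t]+name:[ \t]*(\S+)", re.M)

def plain_secrets(manifest: str) -> list:
    """Names of documents whose kind is exactly Secret; SealedSecret is fine."""
    hits = []
    for doc in re.split(r"^---[ \t]*$", manifest, flags=re.M):
        kind = KIND_RE.search(doc)
        if kind and kind.group(1) == "Secret":
            name = NAME_RE.search(doc)
            hits.append(name.group(1) if name else "<unnamed>")
    return hits

def check_files(paths) -> dict:
    """Map each offending file path to the plain Secret names found in it."""
    return {str(p): h for p in paths if (h := plain_secrets(open(p).read()))}

if __name__ == "__main__":
    # Hook usage: git diff --cached --name-only | xargs python3 check_secrets.py
    bad = check_files(a for a in sys.argv[1:] if a.endswith((".yaml", ".yml")))
    for path, names in bad.items():
        print(f"{path}: plain Secret {', '.join(names)}; run kubeseal first")
    sys.exit(1 if bad else 0)
```

A non-zero exit aborts the commit, so the plain manifest never leaves the working tree.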