Erich Blume
32d5927838
- Add argocd CLI to Brewfile - Create argocd.yaml for ArgoCD self-management (manual sync) - Create apps.yaml app-of-apps root (auto-sync for Application resources) - Convert tailscale-operator to kustomize - Update READMEs with bootstrap steps and ArgoCD CLI commands - Change all workload Applications to manual sync policy App-of-apps auto-syncs to pick up new Application manifests, but child apps require manual sync for actual workload deployments. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| argocd-cmd-params-cm.yaml | ||
| kustomization.yaml | ||
| README.md | ||
| repo-forge-secret.yaml.tpl | ||
| service-tailscale.yaml | ||
ArgoCD
GitOps continuous delivery for Kubernetes, with self-management via ArgoCD.
Prerequisites
- Tailscale operator deployed (see
argocd/manifests/tailscale-operator/README.md) - Deploy key added to forge for SSH access to blumeops repo
Manual Bootstrap
Bootstrap is required when setting up a new cluster. After bootstrap, ArgoCD manages itself.
# 1. Create namespace
kubectl create namespace argocd
# 2. Apply ArgoCD manifests via kustomize
kubectl apply -k argocd/manifests/argocd/
# 3. Wait for ArgoCD to be ready
kubectl wait --for=condition=available deployment/argocd-server -n argocd --timeout=300s
# 4. Get initial admin password
kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d && echo
# 5. Login and change password
argocd login argocd.tail8d86e.ts.net --username admin --grpc-web
argocd account update-password
# 6. Apply repo-forge secret for SSH access to forge
PRIV_KEY=$(op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/csjncynh6htjvnh2l2da65y32q/private key?ssh-format=openssh")$'\n' && \
kubectl create secret generic repo-forge -n argocd \
--from-literal=type=git \
--from-literal=url='ssh://forgejo@indri.tail8d86e.ts.net:2200/eblume/blumeops.git' \
--from-literal=insecure=true \
--from-literal=sshPrivateKey="$PRIV_KEY" && \
kubectl label secret repo-forge -n argocd argocd.argoproj.io/secret-type=repository
# 7. Apply ArgoCD Applications (self-management + app-of-apps)
kubectl apply -f argocd/apps/argocd.yaml
kubectl apply -f argocd/apps/apps.yaml
After step 7, ArgoCD manages itself and all applications defined in argocd/apps/.
Access
- URL: https://argocd.tail8d86e.ts.net
- Username:
admin - Password: Stored in 1Password after initial setup
ArgoCD CLI Commands
# Check all applications
argocd app list
# Sync a specific application
argocd app sync <app-name>
# Check application status
argocd app get <app-name>
# Hard refresh (clear git cache)
argocd app get <app-name> --hard-refresh
Adding New Applications
- Create an Application manifest in
argocd/apps/<app-name>.yaml - Commit and push to forge
- ArgoCD (via app-of-apps) automatically picks it up
Example Application:
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: my-app
namespace: argocd
spec:
project: default
source:
repoURL: ssh://forgejo@indri.tail8d86e.ts.net:2200/eblume/blumeops.git
targetRevision: main
path: argocd/manifests/my-app
destination:
server: https://kubernetes.default.svc
namespace: my-app
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
Files
| File | Description |
|---|---|
kustomization.yaml |
References upstream install.yaml + local customizations |
service-tailscale.yaml |
Tailscale Ingress for external access with Let's Encrypt TLS |
argocd-cmd-params-cm.yaml |
Patch to disable HTTPS redirect (TLS terminates at Ingress) |
repo-forge-secret.yaml.tpl |
Template documenting the forge SSH secret (manual) |
README.md |
This file |
Notes
- TODO: Secrets (
repo-forge) are not managed by ArgoCD and must be applied manually. Future improvement: integrate with a secrets operator (e.g., External Secrets). - ArgoCD uses Tailscale Ingress with Let's Encrypt for TLS termination.
- The
--grpc-webflag is required for CLI access through the Tailscale ingress.