- Kubernetes: Orchestrates the deployment, scaling, and operations of containerized applications.
- Flux CD: GitOps continuous delivery solution for Kubernetes.
- Istio: A service mesh that provides advanced networking capabilities such as traffic management, security, and observability.
- Cert-Manager: Manages the issuance and renewal of TLS certificates.
- External Secrets: Integrates external secret stores (AWS Secrets Manager, HashiCorp Vault, etc.) with Kubernetes.
- External DNS: Dynamically updates DNS records based on Kubernetes resources.
- Renovatebot: Keeps the dependency versions referenced in the manifests up to date.
This repository is structured to follow GitOps principles, with Kubernetes manifests for different environments (e.g., development, staging, production) stored here and managed via Flux CD.
├── apps/
│   ├── app1/
│   ├── app2/
│   └── app3/
├── clusters/
│   ├── cluster-1/
│   ├── cluster-2/
│   ├── cluster-.../
│   └── cluster-n/
├── contrib/
│   ├── flux/
│   ├── istio/
│   └── terraform/
└── infra/
    ├── app1/
    └── app2/
- apps/: Application manifests for various services.
- clusters/: Environment-specific configurations for different Kubernetes clusters.
- contrib/: Tools that help with bootstrapping clusters.
- infra/: Low-level platform apps and configurations.
Navigate to contrib/flux/$CLUSTER_NAME and run:
bash ../flux2/new-deploy-key.sh
kubectl apply -k .
Navigate to contrib/terraform/envs/$CLUSTER_NAME.
Terraform creates a new (sub) hosted zone and the IAM credentials and policies for cert-manager and external-dns.
sh contrib/istio/install.sh $CLUSTER_NAME
kubectl apply -k clusters/$CLUSTER_NAME/infra/vault-auth
Retrieve the token reviewer JWT and the cluster CA certificate from the vault-auth secret. Handle the JWT value with care!
kubectl get secrets -n vault-auth vault-kubernetes-auth-secret -o=jsonpath='{.data.token}' | base64 -d
kubectl get secrets -n vault-auth vault-kubernetes-auth-secret -o=jsonpath="{.data['ca\.crt']}" | base64 -d
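Before these two values are handed to Vault's Kubernetes auth method, it is worth checking that the JWT really belongs to the vault-auth service account and that the CA value is a PEM certificate. The script below is an added example, not part of this repository; it assumes the service account is named vault-auth and relies on the standard system:serviceaccount:NAMESPACE:NAME form of a Kubernetes service-account token's sub claim.

```shell
#!/bin/sh
# Added example, not code from this repository: sanity-check the values pulled
# from the vault-auth secret before they reach Vault. Secret and namespace names
# are the README's; the service-account name "vault-auth" is an assumption.
set -eu

# base64url-encode a string (used only to build the constructed samples below).
b64url() { printf '%s' "$1" | base64 | tr -d '=\n' | sed 'y|+/|-_|'; }

# Decode one base64url JWT segment, re-adding the padding that JWTs strip.
jwt_segment() {
  seg=$(printf '%s' "$1" | sed 'y|-_|+/|')
  while [ $(( ${#seg} % 4 )) -ne 0 ]; do seg="${seg}="; done
  printf '%s' "$seg" | base64 -d
}

# Succeed only if $1 is a three-part JWT whose "sub" claim names the expected
# service account. The token itself is never printed or written to disk.
check_reviewer_jwt() {
  jwt=$1; ns=${2:-vault-auth}; sa=${3:-vault-auth}
  dots=$(printf '%s' "$jwt" | tr -cd '.')
  [ "${#dots}" -eq 2 ] || return 1
  body=${jwt#*.}; body=${body%%.*}
  payload=$(jwt_segment "$body" 2>/dev/null) || return 1
  sub=$(printf '%s' "$payload" | sed -n 's/.*"sub"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
  [ "$sub" = "system:serviceaccount:${ns}:${sa}" ]
}

# Vault expects kubernetes_ca_cert as PEM; refuse anything else.
check_ca_cert() {
  printf '%s' "$1" | grep -q -- '-----BEGIN CERTIFICATE-----' &&
    printf '%s' "$1" | grep -q -- '-----END CERTIFICATE-----'
}

# Live path (needs kubectl and cluster access; not exercised offline).
fetch_and_check() {
  jwt=$(kubectl get secrets -n vault-auth vault-kubernetes-auth-secret -o=jsonpath='{.data.token}' | base64 -d)
  ca=$(kubectl get secrets -n vault-auth vault-kubernetes-auth-secret -o=jsonpath="{.data['ca\.crt']}" | base64 -d)
  check_reviewer_jwt "$jwt" && check_ca_cert "$ca" && echo "vault-auth secret: OK"
}

# Constructed, unsigned sample tokens for offline use (not real cluster output).
SAMPLE_OK="$(b64url '{"alg":"RS256"}').$(b64url '{"sub":"system:serviceaccount:vault-auth:vault-auth"}').sig"
SAMPLE_WRONG_NS="$(b64url '{"alg":"RS256"}').$(b64url '{"sub":"system:serviceaccount:default:vault-auth"}').sig"
```

Run `fetch_and_check` against the cluster once the vault-auth manifests are applied; a non-zero exit means the secret is not what Vault should be configured with.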