- Root cause: live Application kept spec.source; Argo ignored observability chart
- Add jsonpatch-multisource.json + argocd/README.md migration steps
- Grafana: disable subchart ingress; add templates/ingress-grafana-onelab.yaml

Made-with: Cursor
Bootstrap OneLab on this cluster
1. Private registry (hub.andrewalliance.com)
By default, gitops/values/k3s-example.yaml matches the Swarm installer (app/playbooks/tasks/manage-images.yml): user public, password Andrew01..Release, and the chart creates Secret hub-andrewalliance when registry.createPullSecret: true.
To use other credentials, override registry.username / registry.password or create the secret manually:
kubectl create secret docker-registry hub-andrewalliance -n onelab \
  --docker-server=hub.andrewalliance.com \
  --docker-username='YOUR_USER' \
  --docker-password='YOUR_PASSWORD'
…and set registry.createPullSecret: false plus imagePullSecrets: [{ name: hub-andrewalliance }].
StatefulSet pods still get 401 Unauthorized / ImagePullBackOff after enabling registry auth
If db-0 / rabbitmq-0 were created before imagePullSecrets existed, their Pod spec can still use anonymous pulls until they are recreated:
kubectl delete pod -n onelab db-0 rabbitmq-0
The chart adds a pod-template checksum so a helm upgrade after changing registry credentials normally rolls these pods; a one-time delete is enough if you toggled pull secrets outside that path.
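To find pods that still need the one-time delete, the following added example (not part of this repository) reads `kubectl get pods -n onelab -o json` output and lists pods that pull from hub.andrewalliance.com without referencing hub-andrewalliance in their Pod spec. The function name, script name, sample image paths and the sample `api` pod are assumptions made for illustration.

```python
"""Audit pods that pull from the private registry without the pull secret.

Usage against a live cluster (script name is hypothetical):
    kubectl get pods -n onelab -o json | python3 check_pull_secrets.py
"""
import json
import sys

REGISTRY = "hub.andrewalliance.com"  # registry host named on this page
PULL_SECRET = "hub-andrewalliance"   # Secret name named on this page


def pods_missing_pull_secret(pod_list, registry=REGISTRY, secret=PULL_SECRET):
    """Return sorted names of pods that use an image from `registry` but do
    not list `secret` under spec.imagePullSecrets."""
    missing = []
    for pod in pod_list.get("items", []):
        spec = pod.get("spec", {})
        containers = spec.get("initContainers", []) + spec.get("containers", [])
        # The registry host is the part of the image reference before the first "/".
        uses_registry = any(
            c.get("image", "").split("/", 1)[0] == registry for c in containers
        )
        # imagePullSecrets may be absent, null, or an empty list.
        secrets = {s.get("name") for s in spec.get("imagePullSecrets") or []}
        if uses_registry and secret not in secrets:
            missing.append(pod["metadata"]["name"])
    return sorted(missing)


def _pod(name, image, secrets=None):
    """Build a minimal Pod object for the constructed sample below."""
    spec = {"containers": [{"name": "main", "image": image}]}
    if secrets is not None:
        spec["imagePullSecrets"] = [{"name": s} for s in secrets]
    return {"metadata": {"name": name}, "spec": spec}


# Constructed sample (image paths and the "api" pod are made up for illustration).
SAMPLE = {"items": [
    _pod("db-0", REGISTRY + "/onelab/db:1.0"),                      # key absent
    _pod("rabbitmq-0", REGISTRY + "/onelab/rabbitmq:1.0", []),      # empty list
    _pod("api-7c9f", REGISTRY + "/onelab/api:1.0", [PULL_SECRET]),  # correct
    _pod("busybox", "docker.io/library/busybox:1.36"),              # other registry
]}

if __name__ == "__main__":
    pods = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for name in pods_missing_pull_secret(pods):
        print(f"missing {PULL_SECRET}: {name}")
```

Run without piped input, it evaluates the constructed sample; pods it reports are the ones to recreate with kubectl delete pod.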
2. Argo CD + private Git (git.luneski.fr)
If the Application shows authentication required: Unauthorized, register the repo in Argo CD (CLI or UI):
# Example; use a deploy token or PAT with repo read access
argocd repo add https://git.luneski.fr/luneski/onelab-k8s.git \
  --username git \
  --password YOUR_TOKEN
Then apply the Application:
kubectl apply -f gitops/argocd/application.yaml
Helm vs Argo: If you already installed with helm upgrade --install onelab ..., either delete that Helm release before letting Argo manage the same resources, or keep Helm-only and do not apply the Application until you choose one controller.
3. RabbitMQ TLS
Secret onelab-rabbit-tls must exist before RabbitMQ starts (created once from app/rabbit/ssl/ or your own PEMs).
4. Argo CD version + observability stack
gitops/argocd/application.yaml uses spec.sources (two Helm charts in one Application). Use Argo CD 2.6 or newer.
If the onelab Application was created earlier with spec.source only, Argo will not show the observability resources until you remove spec.source and set spec.sources (a plain kubectl apply often leaves the old field in place). Use gitops/argocd/jsonpatch-multisource.json as documented in gitops/argocd/README.md.
The second source installs Loki/Promtail/Grafana from gitops/observability/ (releaseName: onelab-obs). Set a strong grafana.adminPassword in gitops/observability/values.yaml before production. Details: OBSERVABILITY.md.