luneski/onelab-k8s-1.27
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3802418582cee9c37b08e6ad04d3705d3772913c
onelab-k8s-1.27/gitops/docs/BOOTSTRAP.md
timotheereausanofi 3802418582 fix(argocd): multisource patch doc, Ingress grafana-onelab 
- Root cause: live Application kept spec.source; Argo ignored observability chart
- Add jsonpatch-multisource.json + argocd/README.md migration steps
- Grafana: disable subchart ingress; add templates/ingress-grafana-onelab.yaml

Made-with: Cursor
2026-03-20 11:13:55 +01:00

58 lines
2.8 KiB
Markdown
Raw Blame History

# Bootstrap OneLab on this cluster
## 1. Private registry (`hub.andrewalliance.com`)
By default, `gitops/values/k3s-example.yaml` matches the Swarm installer (`app/playbooks/tasks/manage-images.yml`): user **`public`**, password **`Andrew01..Release`**, and the chart creates Secret **`hub-andrewalliance`** when `registry.createPullSecret: true`.
To use other credentials, override `registry.username` / `registry.password` or create the secret manually:
```bash
kubectl create secret docker-registry hub-andrewalliance -n onelab \
--docker-server=hub.andrewalliance.com \
--docker-username='YOUR_USER' \
--docker-password='YOUR_PASSWORD'
```
…and set `registry.createPullSecret: false` plus `imagePullSecrets: [{ name: hub-andrewalliance }]`.
### StatefulSet pods still get `401 Unauthorized` / `ImagePullBackOff` after enabling registry auth
If `db-0` / `rabbitmq-0` were created **before** `imagePullSecrets` existed, their **Pod** spec can still use anonymous pulls until they are recreated:
```bash
kubectl delete pod -n onelab db-0 rabbitmq-0
```
The chart adds a pod-template checksum so a `helm upgrade` after changing registry credentials normally rolls these pods; a one-time delete is enough if you toggled pull secrets outside that path.
## 2. Argo CD + private Git (`git.luneski.fr`)
If the Application shows `authentication required: Unauthorized`, register the repo in Argo CD (CLI or UI):
```bash
# Example; use a deploy token or PAT with repo read access
argocd repo add https://git.luneski.fr/luneski/onelab-k8s.git \
--username git \
--password YOUR_TOKEN
```
Then apply the Application:
```bash
kubectl apply -f gitops/argocd/application.yaml
```
**Helm vs Argo:** If you already installed with `helm upgrade --install onelab ...`, either delete that Helm release before letting Argo manage the same resources, or keep Helm-only and do not apply the Application until you choose one controller.
## 3. RabbitMQ TLS
Secret `onelab-rabbit-tls` must exist before RabbitMQ starts (created once from `app/rabbit/ssl/` or your own PEMs).
## 4. Argo CD version + observability stack
`gitops/argocd/application.yaml` uses **`spec.sources`** (two Helm charts in one Application). Use **Argo CD 2.6 or newer**.
If the `onelab` Application was created earlier with **`spec.source` only**, Argo will **not** show the observability resources until you remove `source` and set `sources` (a plain `kubectl apply` often leaves the old field). Use [`gitops/argocd/jsonpatch-multisource.json`](../argocd/jsonpatch-multisource.json) as documented in [`gitops/argocd/README.md`](../argocd/README.md).
The second source installs Loki/Promtail/Grafana from `gitops/observability/` (`releaseName: onelab-obs`). Set a strong **`grafana.adminPassword`** in `gitops/observability/values.yaml` before production. Details: [OBSERVABILITY.md](OBSERVABILITY.md).
Reference in New Issue View Git Blame Copy Permalink