- Add gitops/observability umbrella chart with vendored Helm deps
- Grafana Ingress: Traefik, letsencrypt-prod, grafana.k8s.selair.it + root_url
- Argo Application: spec.sources (onelab + onelab-obs)
- OneLab: configuration secret override, compliance/LDAP values, logs.path /logs
- Docs: OBSERVABILITY, BOOTSTRAP, README, instance-overrides example

Made-with: Cursor
Bootstrap OneLab on this cluster
1. Private registry (hub.andrewalliance.com)
By default gitops/values/k3s-example.yaml uses the same registry credentials as the Swarm installer (app/playbooks/tasks/manage-images.yml): username public, password Andrew01..Release. With registry.createPullSecret: true the chart creates the Secret hub-andrewalliance from those values. Note that these defaults are committed to Git and shared by every install, so anyone with read access to the repo has them; use your own credentials on any cluster that is not a throwaway.
To use other credentials, either override registry.username / registry.password in your values, or create the secret yourself:
kubectl create secret docker-registry hub-andrewalliance -n onelab \
--docker-server=hub.andrewalliance.com \
--docker-username='YOUR_USER' \
--docker-password='YOUR_PASSWORD'
…then set registry.createPullSecret: false and imagePullSecrets: [{ name: hub-andrewalliance }] in your values, so the chart references the secret you created instead of rendering its own.
StatefulSet pods still get 401 Unauthorized / ImagePullBackOff after enabling registry auth
If db-0 / rabbitmq-0 were created before imagePullSecrets was set, their Pod spec still carries no pull secret, so the kubelet keeps pulling anonymously (and keeps getting 401) until the pods are recreated from the updated StatefulSet template:
kubectl delete pod -n onelab db-0 rabbitmq-0
The chart puts a checksum of the pod template into the StatefulSet, so a helm upgrade after changing registry credentials normally rolls these pods on its own; the one-time delete above is only needed if you changed the pull secret outside that path (for example by creating or replacing the Secret by hand). Before deleting, confirm with kubectl get pod -n onelab db-0 -o yaml that spec.imagePullSecrets is really missing; a pod that already references the secret and still fails to pull has a credentials problem, not a stale spec.
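The check described above, as an added example that is not part of the OneLab chart or its docs: it reads a pod listing produced by the kubectl jsonpath query shown in the comment, reports the pods that are stuck pulling and do not reference the pull secret (the stale-spec case), and prints the one-shot delete command. Pods that already reference the secret but still fail are deliberately left alone, since deleting them would not help. The pod names, image names and the reasons in the sample are constructed; only db-0 and rabbitmq-0 come from the page.

```shell
#!/bin/sh
# Added example (not part of the OneLab chart or docs).
# Input: one pod per line, tab-separated, as produced by
#   kubectl get pods -n onelab -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.imagePullSecrets[*].name}{"\t"}{.status.containerStatuses[*].state.waiting.reason}{"\n"}{end}'
# Fields: 1 = pod name, 2 = imagePullSecrets names (space-separated, may be empty),
#         3 = waiting reasons of its containers (space-separated, may be empty).
# Usage: pods_missing_pull_secret SECRET_NAME < pods.tsv
pods_missing_pull_secret() {
    awk -F'\t' -v secret="$1" '
        {
            has_secret = 0
            n = split($2, names, " ")
            for (i = 1; i <= n; i++) if (names[i] == secret) has_secret = 1
            # Only image-pull failures matter here; other waiting reasons are unrelated.
            stuck = ($3 ~ /ImagePullBackOff|ErrImagePull/)
            if (!has_secret && stuck) print $1
        }'
}

# Constructed sample of what the query above might return after pull secrets
# were enabled: db-0 and rabbitmq-0 still carry the pre-auth pod spec,
# onelab-api-7d9f was rolled by helm upgrade and pulls fine, and onelab-web-5c1a
# references the secret yet still fails (wrong credentials, not a stale spec).
SAMPLE_PODS="$(printf 'db-0\t\tImagePullBackOff\nrabbitmq-0\t\tErrImagePull\nonelab-api-7d9f\thub-andrewalliance\t\nonelab-web-5c1a\thub-andrewalliance\tImagePullBackOff\n')"

# Build the fix from the docs (kubectl delete pod ...) for the stale pods.
# Printed rather than executed so it can be reviewed first.
delete_command() {
    names="$(printf '%s\n' "$SAMPLE_PODS" | pods_missing_pull_secret "$1" | tr '\n' ' ')"
    if [ -n "$names" ]; then
        printf 'kubectl delete pod -n onelab %s\n' "${names% }"
    fi
}

delete_command hub-andrewalliance
```

In real use replace SAMPLE_PODS with the live kubectl output and pass the name of the pull secret your values actually reference; a pod listed here with the secret present but still in ImagePullBackOff means the secret contents are wrong, so check them with kubectl get secret -n onelab hub-andrewalliance -o yaml instead of deleting pods.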
2. Argo CD + private Git (git.luneski.fr)
If the Application shows authentication required: Unauthorized, Argo CD has no credentials for the repository; register the repo in Argo CD (CLI or UI):
# Example; use a deploy token or PAT with read-only access to the repo, not a personal account password
argocd repo add https://git.luneski.fr/luneski/onelab-k8s.git \
--username git \
--password YOUR_TOKEN
Then apply the Application:
kubectl apply -f gitops/argocd/application.yaml
Helm vs Argo: If you already installed with helm upgrade --install onelab ..., pick one controller. Either delete that Helm release before letting Argo CD manage the same resources, or stay Helm-only and do not apply the Application. Leaving both in place means two controllers reconciling the same objects, and each will keep undoing the other's changes.
3. RabbitMQ TLS
Secret onelab-rabbit-tls must exist before RabbitMQ starts (created once from app/rabbit/ssl/ or your own PEMs). If it is missing, rabbitmq-0 stays in ContainerCreating because the secret volume cannot be mounted; kubectl describe pod -n onelab rabbitmq-0 shows the missing-secret event.
4. Argo CD version + observability stack
gitops/argocd/application.yaml uses spec.sources (two Helm charts in one Application). Multiple sources per Application require Argo CD 2.6 or newer; older versions reject the manifest.
The second source installs Loki/Promtail/Grafana from gitops/observability/ (releaseName: onelab-obs). Set a strong grafana.adminPassword in gitops/observability/values.yaml before production, and keep in mind that a value committed there is readable by everyone with access to the Git repo, so prefer supplying it from a Secret if your setup allows. Details: OBSERVABILITY.md.