2.0 KiB
Bootstrap OneLab on this cluster
1. Private registry (hub.andrewalliance.com)
By default, gitops/values/k3s-example.yaml matches the Swarm installer (app/playbooks/tasks/manage-images.yml): user public, password Andrew01..Release, and the chart creates Secret hub-andrewalliance when registry.createPullSecret: true.
To use other credentials, override registry.username / registry.password or create the secret manually:
kubectl create secret docker-registry hub-andrewalliance -n onelab \
--docker-server=hub.andrewalliance.com \
--docker-username='YOUR_USER' \
--docker-password='YOUR_PASSWORD'
…and set registry.createPullSecret: false plus imagePullSecrets: [{ name: hub-andrewalliance }].
StatefulSet pods still get 401 Unauthorized / ImagePullBackOff after enabling registry auth
If db-0 / rabbitmq-0 were created before imagePullSecrets existed, their Pod spec can still use anonymous pulls until they are recreated:
kubectl delete pod -n onelab db-0 rabbitmq-0
The chart adds a pod-template checksum so a helm upgrade after changing registry credentials normally rolls these pods; a one-time delete is enough if you toggled pull secrets outside that path.
2. Argo CD + private Git (git.luneski.fr)
If the Application shows authentication required: Unauthorized, register the repo in Argo CD (CLI or UI):
# Example; use a deploy token or PAT with repo read access
argocd repo add https://git.luneski.fr/luneski/onelab-k8s.git \
--username git \
--password YOUR_TOKEN
Then apply the Application:
kubectl apply -f gitops/argocd/application.yaml
Helm vs Argo: If you already installed with helm upgrade --install onelab ..., either delete that Helm release before letting Argo manage the same resources, or keep Helm-only and do not apply the Application until you choose one controller.
3. RabbitMQ TLS
Secret onelab-rabbit-tls must exist before RabbitMQ starts (created once from app/rabbit/ssl/ or your own PEMs).