roundtable app deployment guide

Deployment Roundtable app status
Edit on GitHub /deployments/roundtable
Type Kustomize
Parent app None

Overview

The roundtable app is responsible for deploying the core infrastructure of Roundtable. It follows the app of apps pattern. It deploys:

  • Namespaces for core infrastructure apps.
  • The faster (SSD) StorageClass.
  • The core infrastructure apps:
    • argo-cd for continuous delivery of Roundtable apps with Argo CD.
    • kube-prometheus-stack for the Kubernetes-native monitoring stack (Prometheus Operator, Prometheus, and Grafana).
    • vault-secrets-operator to retrieve secrets from Vault and store them as Kubernetes secrets.

This app depends on the security app, which provides secret management facilities and ingress.

Bootstrapping the application

Since roundtable is a parent app, its Application resource was not created automatically and is not managed by GitOps.

Before bootstrapping the roundtable app, the security app needs to be bootstrapped so that Vault is running. See its documentation for more information. Then, a Vault access token for the Vault Secrets Operator must be created in Vault and stored as the vault-secrets-operator Kubernetes secret. Here is the template for that secret:

apiVersion: v1
kind: Secret
metadata:
  name: vault-secrets-operator
  namespace: vault-secrets-operator
type: Opaque
stringData:
  VAULT_TOKEN: <token>
  # stringData values must be strings, so the lease duration (in seconds) is quoted.
  VAULT_TOKEN_LEASE_DURATION: "86400"

Replace <token> with the read Vault token for the path secret/k8s_operator/roundtable in Vault (see DMTN-112 for more information).

Finally, create the roundtable Application from the argocd CLI:

argocd app create roundtable \
  --dest-namespace argocd \
  --dest-server https://kubernetes.default.svc \
  --repo https://github.com/lsst-sqre/roundtable.git \
  --path deployments/roundtable \
  --sync-policy automated \
  --project default

Because the roundtable Application is created from the CLI rather than from a manifest in Git, its properties (such as the sync policy) should be managed entirely through the Argo CD dashboard or CLI. The roundtable manifest in Git can still be modified to manage the applications that are created by the roundtable parent application.
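For the Secret step of the bootstrap above, one way to fill in the template without writing the token to a file, shell history, or a command line is to render the manifest in memory and pass it to kubectl on stdin. This is an added example, not code from the Roundtable repository; the function names render_vso_secret and bootstrap_vso_secret are hypothetical, and it assumes bash, a kubectl context pointing at the cluster, an existing vault-secrets-operator namespace, and tokens made up only of letters, digits, '.', '_' and '-'.

```shell
#!/usr/bin/env bash
# Added example: render the vault-secrets-operator bootstrap Secret from the
# template in this guide. Function names are hypothetical.

# render_vso_secret TOKEN [LEASE_SECONDS]
# Prints the Secret manifest on stdout. Rejects an empty token, the unreplaced
# <token> placeholder, and characters outside the assumed token alphabet
# (which would also break the quoted YAML value).
render_vso_secret() {
  local token="$1" lease="${2:-86400}"
  case "$token" in
    ''|'<token>')
      echo "error: no Vault token supplied" >&2; return 1 ;;
    *[!A-Za-z0-9._-]*)
      echo "error: token contains unexpected characters" >&2; return 1 ;;
  esac
  case "$lease" in
    ''|*[!0-9]*)
      echo "error: lease duration must be whole seconds" >&2; return 1 ;;
  esac
  # Both values are quoted: stringData only accepts strings.
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: vault-secrets-operator
  namespace: vault-secrets-operator
type: Opaque
stringData:
  VAULT_TOKEN: "${token}"
  VAULT_TOKEN_LEASE_DURATION: "${lease}"
EOF
}

# bootstrap_vso_secret
# Prompts for the token without echoing it, then applies the manifest over
# stdin so the token never appears in argv or on disk.
bootstrap_vso_secret() {
  local token manifest
  printf 'Vault read token: ' >&2
  read -r -s token; echo >&2
  manifest=$(render_vso_secret "$token") || return 1
  printf '%s\n' "$manifest" | kubectl apply -f -
}
```

Source the file and run bootstrap_vso_secret before the argocd app create step.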