roundtable app deployment guide
Deployment | |
Edit on GitHub | /deployments/roundtable |
Type | Kustomize |
Parent app | None |
Overview
The roundtable app is responsible for deploying the core infrastructure of Roundtable.
It follows the app of apps pattern.
It deploys:
- Namespaces for core infrastructure apps.
- The faster (SSD) StorageClass.
- The core infrastructure apps:
  - argo-cd for continuous delivery of Roundtable apps with Argo CD.
  - vault-secrets-operator to retrieve secrets from Vault and store them as Kubernetes secrets.
This app depends on the security app, which provides secret management facilities and ingress.
Bootstrapping the application
Since roundtable is a parent app, its Application resource was not created automatically and is not managed by GitOps.
Before bootstrapping the roundtable app, the security app needs to be bootstrapped so that Vault is running.
See its documentation for more information.
Then, a Vault access token for the Vault Secrets Operator must be created in Vault and stored as the vault-secrets-operator Kubernetes secret.
Here is the template for that secret:
apiVersion: v1
kind: Secret
metadata:
  name: vault-secrets-operator
  namespace: vault-secrets-operator
type: Opaque
stringData:
  VAULT_TOKEN: <token>
  # stringData values must be strings, so the number is quoted
  VAULT_TOKEN_LEASE_DURATION: "86400"
Replace <token> with the read Vault token for the path secret/k8s_operator/roundtable in Vault (see DMTN-112 for more information).
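An added example, not part of the Roundtable documentation: a bash helper (the name render_vso_secret is hypothetical) that fills in the template above from a token read on stdin, so the token never lands in shell history or a file, and that rejects an unfilled <token> placeholder or a non-numeric lease. It assumes the token contains only letters, digits, ".", "_" and "-".

```shell
#!/usr/bin/env bash
# Added example (not from the Roundtable repo): render the
# vault-secrets-operator Secret from a token supplied on stdin.
#
# Intended use (requires cluster access, so it is not run here):
#   read -rs -p 'Vault read token: ' VSO_TOKEN     # no echo, no history entry
#   printf '%s\n' "$VSO_TOKEN" | render_vso_secret | kubectl create -f -
#   unset VSO_TOKEN
# "kubectl create" is used rather than "kubectl apply" so the token is not
# also copied into the last-applied-configuration annotation.

# render_vso_secret [lease_seconds]
# Reads the token from stdin, validates it, prints the manifest on stdout.
render_vso_secret() {
  local lease="${1:-86400}" token
  token="$(cat)"   # command substitution strips the trailing newline

  case "$token" in
    ''|*'<token>'*)
      echo "error: token is empty or still the <token> placeholder" >&2
      return 1 ;;
    *[!A-Za-z0-9._-]*)
      # Assumed token alphabet; also keeps the YAML quoting below safe.
      echo "error: unexpected character in token" >&2
      return 1 ;;
  esac

  case "$lease" in
    ''|*[!0-9]*)
      echo "error: lease duration must be whole seconds" >&2
      return 1 ;;
  esac

  # Both values are quoted: stringData only accepts strings, and an
  # unquoted 86400 would be parsed as a YAML integer.
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: vault-secrets-operator
  namespace: vault-secrets-operator
type: Opaque
stringData:
  VAULT_TOKEN: "$token"
  VAULT_TOKEN_LEASE_DURATION: "$lease"
EOF
}

# Constructed token for demonstration only, not a real credential.
printf '%s\n' 'hvs.CONSTRUCTEDexample0000' | render_vso_secret
```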
Finally, create the roundtable Application from the argocd CLI:
argocd app create roundtable \
  --dest-namespace argocd \
  --dest-server https://kubernetes.default.svc \
  --repo https://github.com/lsst-sqre/roundtable.git \
  --path deployments/roundtable \
  --sync-policy automated \
  --project default
Consequently, the roundtable Application’s properties (such as the sync policy) should be managed entirely through the Argo CD dashboard or CLI.
Of course, the roundtable manifest in Git can be modified to manage the applications that are created by the roundtable parent application.