GitOps is a way to automatically manage and deliver Kubernetes infrastructure and applications using Git as a single fact source. It typically leverages software agents to detect and coordinate any discrepancies between version-controlled artifacts in Git and those running in a cluster.
This guide will show you how to set up the Argo CD to manage Linkerd installation and upgrade using the GitOps workflow.
Specifically, this guide provides instructions on how to securely generate and manage Linkerd’s mTLS private keys and certificates using Sealed Secrets and cert-Manager. It will also show you how to integrate the Auto Proxy Injection function into your workflow. Finally, this guide summarizes the steps to follow the GitOps workflow to upgrade Linkerd to a newer version.
The software and tools used in this guide are for demonstration purposes only. Feel free to choose other products that best suit your requirements.
You need to follow the steps defined in the next section to clone this Example Repository to your local machine and copy it to your Kubernetes cluster.
Setting up the repository
Clone the sample repository to the local machine:
git clone https://github.com/linkerd/linkerd-examples.git
Copy the codeThis repository will be used to demonstrate Git operations such as Add, Commit, and push later in this guide.
Add a new remote endpoint to the repository to point to an in-cluster Git server, which will be set up in the next section:
cd linkerd-examples
git remote add git-server git://localhost/linkerd-examples.git
Copy the codeTo simplify the steps in this guide, we will interact with Git servers in the cluster through port forwarding. Therefore, the remote endpoint we just created targets your Localhost.
Deploy Git server to SCM namespace in cluster:
kubectl apply -f gitops/resources/git-server.yaml
Copy the codeLater in this tutorial, the Argo CD will be configured to monitor the repository hosted by this Git server.
The Git server is configured to run as a daemon through the Git protocol for unauthenticated access to Git data. This setting is not recommended for production use.
Check Git server health:
kubectl -n scm rollout status deploy/git-server
Copy the codeClone the sample repository to an in-cluster Git server:
git_server=`kubectl -n scm get po -l app=git-server -oname | awk -F/ '{ print $2 }'`
kubectl -n scm exec "${git_server}" -- \
git clone --bare https://github.com/linkerd/linkerd-examples.git
Copy the codeConfirm the clone of the remote warehouse successfully:
kubectl -n scm exec "${git_server}" -- ls -al /git/linkerd-examples.git
Copy the codeConfirm that you can push from a local repository to a remote repository via port forwarding:
kubectl -n scm port-forward "${git_server}" 9418 &
git push git-server master
Copy the codeThe deployment of Argo CD
Install Argo CD:
kubectl create ns argocd
kubectl -n argocd apply -f \
https://raw.githubusercontent.com/argoproj/argo-cd/v1.6.1/manifests/install.yaml
Copy the codeVerify that all pods are ready:
for deploy in "application-controller" "dex-server" "redis" "repo-server" "server"; \
do kubectl -n argocd rollout status deploy/argocd-${deploy}; \
done
Copy the codeUse port-forward to access the Argo CD dashboard:
kubectl -n argocd port-forward svc/argocd-server 8080:443 \
> /dev/null 2>&1 &
Copy the codeThe Argo CD dashboard can now be accessed using the default admin username and password at https://localhost:8080.
The default administrator password is the automatically generated Argo CD API server POD name. You can change it using the argocd account update-password command.
Verify Argo CD CLI:
argocd_server=`kubectl -n argocd get pods -l app.kubernetes.io/name=argocd-server -o name | cut -d'/' -f 2`
argocd login 127.0.0.1:8080 \
--username=admin \
--password="${argocd_server}" \
--insecure
Copy the codeConfigure project access and permissions
Set up demo Project to group our applications:
kubectl apply -f gitops/project.yaml
Copy the codeThis project defines a list of permitted resource types and target clusters that our application can use.
Verify that the project is correctly deployed:
argocd proj get demo
Copy the codeOn the dashboard:
Deploying the application
Deploy the main application as the “parent” application to all other applications:
kubectl apply -f gitops/main.yaml
Copy the codeThe “app of Apps “mode is typically used for Argo CD workflows to boot applications. See the Argo CD documentation for more information.
Verify the successful deployment of the main application:
argocd app get main
Copy the codeSynchronize the main application:
argocd app sync main
Copy the code
Note that only the main application is synchronized.
Next, we will synchronize the rest of the applications individually.
Deploy cert – manager
Synchronizing the cert-Manager application:
argocd app sync cert-manager
Copy the codeThis guide uses Cert-Manager 0.15.0 due to problems with Cert-Manager 0.16.0 and Kubectl <1.19, as well as Helm 3.2 used by Argo CD. See upgrade instructions here.
Confirm that cert-Manager is running:
for deploy in "cert-manager" "cert-manager-cainjector" "cert-manager-webhook"; \
do kubectl -n cert-manager rollout status deploy/${deploy}; \
done
Copy the code
The deployment of Sealed Secrets
Syncs sealed-secrets application:
argocd app sync sealed-secrets
Copy the codeMake sure sealed-secrets is running:
kubectl -n kube-system rollout status deploy/sealed-secrets
Copy the code
Create mTLS Trust Anchor
Before we can continue to deploy Linkerd, we need to create an mTLS trust anchor. Then we will also set up the Linkerd-Bootstrap application to manage the trust anchor certificates.
Create a new mTLS trust anchor private key and certificate:
step certificate create root.linkerd.cluster.local sample-trust.crt sample-trust.key \ --profile root-ca \ --no-password \ --not-after 43800h \ --insecureCopy the codeConfirm details of the new trust anchor (encryption algorithm, expiration date, SAN, etc.) :
step certificate inspect sample-trust.crt
Copy the codeCreate a SealedSecret resource to store encrypted trust anchors:
kubectl -n linkerd create secret tls linkerd-trust-anchor \
--cert sample-trust.crt \
--key sample-trust.key \
--dry-run=client -oyaml | \
kubeseal --controller-name=sealed-secrets -oyaml - | \
kubectl patch -f - \
-p '{"spec": {"template": {"type":"kubernetes.io/tls", "metadata": {"labels": {"linkerd.io/control-plane-component":"identity", "linkerd.io/control-plane-ns":"linkerd"}, "annotations": {" linkerd. IO/created - by ":" linkerd/cli stable - 2.8.1 ", "linkerd. IO/identity - the issuer - expiry" : "the 2021-07-19 T20:51:01 Z"}}}}} ' \
--dry-run=client \
--type=merge \
--local -oyaml > gitops/resources/linkerd/trust-anchor.yaml
Copy the codeThis will cover local gitops/resources/linkerd/trust – anchor. Existing SealedSecret resources in yaml files. We will push this change to Git servers in the cluster.
Verify that only spec.encryptedData has changed:
git diff gitops/resources/linkerd/trust-anchor.yaml
Copy the codeCommit and push the new trust anchor secret to your in-cluster Git server:
git add gitops/resources/linkerd/trust-anchor.yaml
git commit -m "update encrypted trust anchor"
git push git-server master
Copy the codeConfirm successful submission push:
kubectl -n scm exec "${git_server}" -- git --git-dir linkerd-examples.git log- 1Copy the codeDeploy linkerd – the bootstrap
Synchronizing the Linkerd-Bootstrap application:
argocd app sync linkerd-bootstrap
Copy the codeSealedSecrets controller may not be able to decrypt Sealed’s Linkerd-Trust-Anchor Secret if the issuer and certificate resource are degraded. Check the SealedSecrets controller for an error log.
For debugging purposes, you can use the kubectl -n linkerd get Sealedsecrets linkerd-trust-anchor -oyaml command to retrieve sealed Resource. To ensure that this resource with you before delivery to Git server within the cluster gitops/resources/linkerd/trust – anchor. Yaml files match.
SealedSecrets should have created a secret containing a decryption trust anchor. Retrieve the decrypted trust anchor from secret:
trust_anchor=`kubectl -n linkerd get secret linkerd-trust-anchor -ojsonpath="{.data['tls\.crt']}" | base64 -d -w 0 -`
Copy the codeVerify that it matches the decrypted trust anchor certificate you created in the local sample-trust. CRT file:
diff -b \
<(echo "${trust_anchor}" | step certificate inspect -) \
<(step certificate inspect sample-trust.crt)
Copy the codeDeploy Linkerd
Now we are ready to install Linkerd. The decrypted trust anchor we just retrieved will be passed to the installation process using the identityTrustAnchorsPEM parameter.
Before installing the Linkerd note gloval. IdentityTrustAnchorsPEM parameter is set to “empty” certificate of string:
argocd app get linkerd -ojson | \
jq -r '.spec.source.helm.parameters[] | select(.name == "identityTrustAnchorsPEM") | .value'
Copy the code
We will override this parameter in our Linkerd application with the value of ${trust_anchor}.
Find the identityTrustAnchorsPEM variable in your local gitops/argo-apps/linkerd.yaml file and set its value to the value of ${trust_anchor}.
Ensure that multi-line strings are indented correctly. For example. .
source:
chart: linkerd2
repoURL: https://helm.linkerd.io/stable
targetRevision: 2.8. 0
helm:
parameters:
- name: identityTrustAnchorsPEM
value: | -----BEGIN CERTIFICATE----- MIIBlTCCATygAwIBAgIRAKQr9ASqULvXDeyWpY1LJUQwCgYIKoZIzj0EAwIwKTEn MCUGA1UEAxMeaWRlbnRpdHkubGlua2VyZC5jbHVzdGVyLmxvY2FsMB4XDTIwMDkx ODIwMTAxMFoXDTI1MDkxNzIwMTAxMFowKTEnMCUGA1UEAxMeaWRlbnRpdHkubGlu a2VyZC5jbHVzdGVyLmxvY2FsMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE+PUp IR74PsU+geheoyseycyquYyes5eeksIb5FDm8ptOXQ2xPcBpvesZkj6uIyS3k4qV E0S9VtMmHNeycL7446NFMEMwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB Af8CAQEwHQYDVR0OBBYEFHypCh7hiSLNxsKhMylQgqD9t7NNMAoGCCqGSM49BAMC A0cAMEQCIEWhI86bXWEd4wKTnG07hBfBuVCT0bxopaYnn3wRFx7UAiAwXyh5uaVg MwCC5xL+PM+bm3PRqtrmI6TocWH07GbMxg== -----END CERTIFICATE-----Copy the codeConfirm only change a spec. Source. Helm. The parameters. The value field:
git diff gitops/argo-apps/linkerd.yaml
Copy the codeCommit and push changes to Git server:
git add gitops/argo-apps/linkerd.yaml
git commit -m "set identityTrustAnchorsPEM parameter"
git push git-server master
Copy the codeSynchronize the main application:
argocd app sync main
Copy the codeVerify that the new trust anchor is selected by the Linkerd application:
argocd app get linkerd -ojson | \
jq -r '.spec.source.helm.parameters[] | select(.name == "identityTrustAnchorsPEM") | .value'
Copy the code
Synchronizing linkerd applications:
argocd app sync linkerd
Copy the codeCheck if Linkerd is ready:
linkerd check
Copy the code
Use emojivoto test
Deploy Emojivoto to test automatic proxy injection:
argocd app sync emojivoto
Copy the codeCheck if the application is healthy:
for deploy in "emoji" "vote-bot" "voting" "web" ; \
do kubectl -n emojivoto rollout status deploy/${deploy}; \
done
Copy the code
Upgrade Linkerd to 2.8.1
Using your editor will gitops/Argo – apps/linkerd yaml file spec. Source. TargetRevision 2.8.1 field changes to:
Confirm that only the targetRevision field has changed:
git diff gitops/argo-apps/linkerd.yaml
Copy the codeCommit and push this change to Git server:
git add gitops/argo-apps/linkerd.yaml
git commit -m "upgrade Linkerd to 2.8.1"
git push git-server master
Copy the codeSynchronize the main application:
argocd app sync main
Copy the codeSynchronizing linkerd applications:
argocd app sync linkerd
Copy the codeConfirm that the upgrade is successful:
linkerd check
Copy the codeConfirm the new version of the control plane:
linkerd version
Copy the codeClean up the
All applications can be removed by deleting the main application:
argocd app delete main --cascade=true
Copy the codeLinkerd 2.10 series
- Linkerd v2.10 Service Mesh
- Tencent Cloud K8S deployment Service Mesh — Linkerd2 & Traefik2 deployment emojivoto application
- Learn about the basic features of Linkerd 2.10 and step into the era of Service Mesh
- Linkerd 2.10 – Add your service to Linkerd
- Linkerd 2.10 — Automated Canary release
- Linkerd 2.10 — Automatic rotation controls plane TLS and Webhook TLS credentials
- Linkerd 2.10 — How do I configure external Prometheus instances
- Linkerd 2.10 – Configure proxy concurrency
- Linkerd 2.10 – Configure retry
- Linkerd 2.10 — Configure timeout
- Linkerd 2.10 – Controls the plane debug endpoint
- Linkerd 2.10 – Use Kustomize to customize Linkerd configuration
- Linkerd 2.10 — Use Linkerd for distributed tracing
- Linkerd 2.10 — Debug 502S
- Linkerd 2.10 – Debug HTTP applications using each routing metric
- Linkerd 2.10 – Debug gRPC applications using request tracing
- Linkerd 2.10 — Export metrics
- Linkerd 2.10 — Expose Dashboard
- Linkerd 2.10 – Generate your own mTLS root certificate
- Linkerd 2.10 – Gets metrics for each route
- Linkerd 2.10 — Injection failures for chaos engineering
- Linkerd 2.10 — Elegant Pod shutdown
- 2.10 – Linkerd Ingress traffic
- Linkerd 2.10 – Install multiple cluster components
- Linkerd 2.10 — Install Linkerd
- Linkerd 2.10 — Install Linkerd using Helm
- Linkerd 2.10 — Linkerd and Pod Security Policy (PSP)
- Linkerd 2.10 — Manually rotate control plane TLS credentials
- Linkerd 2.10 – Changes the agent log level
- Linkerd 2.10 — Multi-cluster communication
Linkerd 2.10 中文 版
- linkerd.hacker-linner.com