
GitOps deployment configuration


Deployments repo

This repo contains all the manifests for resources running under Kubernetes (with Istio) at MHRA. It declares our intent, and then we use GitOps to realise this deployment configuration using ArgoCD. Note that all secrets in this repo are encrypted using Bitnami's Sealed Secrets.

  1. An engineer pushes a change to the Products monorepo
  2. A GitHub Action runs a workflow
  3. The workflow builds a Docker image, which also runs analysis and tests
  4. The workflow pushes the image to the relevant registry
  5. The workflow clones this repository (shallow clone), uses Kustomize to edit the relevant configuration with the new image's tag (which is the image's content digest [SHA]), commits and pushes back to this repository
  6. Argo CD running in the cluster pulls the changed configuration
  7. Argo CD synchronises the configuration of the cluster with the configuration specified in this repository
  8. If required, new images are pulled (by Kubernetes) from the relevant registry and new pods started
  9. Production deployments can be manually synced (although the aim is to have these automatically synchronised as well)
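Step 5 can be sketched as the shell functions below. This is an added example, not the workflow from the Products repo: the function names, repository URL, overlay path and image name are hypothetical. It refuses anything that is not a sha256 content digest, so a mutable tag such as `latest` never reaches the configuration that Argo CD synchronises.

```shell
#!/bin/sh
# Added example: step 5 of the flow above. Function names are hypothetical.

# Succeeds only for an immutable content digest: "sha256:" + 64 lowercase hex chars.
is_sha256_digest() (
  case $1 in sha256:*) hex=${1#sha256:} ;; *) exit 1 ;; esac
  [ "${#hex}" -eq 64 ] || exit 1
  case $hex in *[!0-9a-f]*) exit 1 ;; esac
)

# Prints IMAGE@DIGEST, refusing mutable tags such as "latest" or "v1.2.3".
pinned_image_ref() (
  if ! is_sha256_digest "$2"; then
    echo "refusing to deploy $1: '$2' is not a sha256 digest" >&2
    exit 1
  fi
  printf '%s@%s\n' "$1" "$2"
)

# update_deployment REPO_URL OVERLAY_DIR IMAGE DIGEST
# Assumes git identity and push credentials are already configured in the runner.
update_deployment() (
  ref=$(pinned_image_ref "$3" "$4") || exit 1
  workdir=$(mktemp -d) || exit 1
  trap 'rm -rf "$workdir"' EXIT
  git clone --quiet --depth 1 "$1" "$workdir" || exit 1
  # Rewrites the images: entry in the overlay's kustomization.yaml.
  (cd "$workdir/$2" && kustomize edit set image "$ref") || exit 1
  if git -C "$workdir" diff --quiet; then
    echo "overlay already pinned to $ref"
    exit 0
  fi
  git -C "$workdir" commit --quiet -am "Deploy $ref" || exit 1
  git -C "$workdir" push --quiet
)

# Example call (constructed values):
# update_deployment "git@example.com:org/deployments.git" "web/overlays/non-prod" \
#   "example.azurecr.io/products/web" "sha256:<64 hex chars>"
```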

Creating a cluster from scratch

  1. Follow the steps in the products repo to set up a Kubernetes cluster on Azure using Terraform.

  2. Install Istio, Sealed Secrets and ArgoCD. Once installed, ArgoCD will deploy the rest of the configuration (using GitOps). The overlay argument specifies the environment you are deploying to (the default is non-prod):

    cd cluster-init
    
    make overlay=non-prod

Deleting the cluster

  1. If you only want to delete Istio, Sealed Secrets, Argo CD:

    cd cluster-init
    
    make delete overlay=non-prod

  2. If you want to delete the cluster infrastructure for your environment you can do this from the products repo.


Useful tools for working with this repo

  1. kubectl - The official client for the Kubernetes API

    https://kubernetes.io/docs/reference/kubectl/overview/

    brew install kubernetes-cli

    It may be useful to alias this to something easier to type (and maybe add to your shell rc, e.g. ~/.zshrc).

    alias k=kubectl

    There's also a zsh plugin for kubectl for your ~/.zshrc, e.g.:

    plugins=(git kubectl zsh-syntax-highlighting)

  2. kustomize - create a set of manifests for Kubernetes

    https://kustomize.io/

    brew install kustomize

  3. kubectx - tools for switching K8s contexts (clusters) and namespaces

    https://kubectx.dev/

    brew install kubectx

    It may be useful to alias these tools to something easier to type (and maybe add to your shell rc, e.g. ~/.zshrc).

    alias kctx=kubectx
    alias kns=kubens

    You should be able to use Tab autocompletion with kctx on contexts from your ~/.kube/config, and with kns on namespaces from the current context. Really useful for quickly changing clusters/namespaces.

  4. kube-ps1 - customize your command prompt to display the current context and namespace

    https://github.com/jonmosco/kube-ps1

    brew install kube-ps1

    And for your ~/.zshrc ...

    source "/usr/local/opt/kube-ps1/share/kube-ps1.sh"
    PS1='$(kube_ps1)'$PS1

  5. stern - easily tail container logs

    https://github.com/wercker/stern

    brew install stern

    Aggregates logs from all containers whose names match the pattern, e.g. tailing logs from istio-ingressgateway:

    kns istio-system && stern ingress

  6. istioctl - official client for the Istio API

    https://istio.io/docs/reference/commands/istioctl/

    brew install istioctl

  7. kubeseal - Bitnami Sealed Secrets CLI

    https://github.com/bitnami-labs/sealed-secrets

    brew install kubeseal

    This is used by some of the scripts/Makefiles in this repo to encrypt secrets so that they can be committed to this repo.

  8. kind - Kubernetes In Docker

    https://kind.sigs.k8s.io/

    brew install kind

    Useful for creating a local multi-node cluster for testing configurations.

  9. argocd - official CLI for working with ArgoCD

    brew install argocd

    Your mileage may vary, and you may need to use port-forwarding (or grpc-web) for this to be useful, because we use the Istio ingress gateway. It's probably easier to use the web GUI.