This repo has all the steps you need to create a modern GitOps style workflow with Kubernetes.
- A vanilla Kubernetes cluster
- A default `StorageClass` resource installed in the cluster
- `helm` to install the Helm operator
- `bash` to run all the install scripts
- `kubectl` to create Namespaces and Secrets
- `mkcert` for all TLS certs
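The prerequisites listed above can be verified before any install script runs. The script below is an added example, not part of this repo; its function names are hypothetical, `kapp` is included because the install steps call it, and treating more than one default StorageClass as a failure is this example's assumption.

```shell
#!/bin/sh
# Added example: preflight check for the prerequisites this README lists.

# CLI tools named on the page: the prerequisites plus kapp from the install steps.
REQUIRED_TOOLS="helm bash kubectl mkcert kapp"

# Print every argument that is not an executable on PATH, one per line.
missing_tools() {
  for tool in "$@"; do
    command -v "$tool" >/dev/null 2>&1 || printf '%s\n' "$tool"
  done
}

# Emit "name<TAB>value" per StorageClass, where value is the
# storageclass.kubernetes.io/is-default-class annotation (empty if unset).
list_storageclasses() {
  kubectl get storageclass -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.metadata.annotations.storageclass\.kubernetes\.io/is-default-class}{"\n"}{end}'
}

# Read list_storageclasses output on stdin; print names marked as default.
default_storageclasses() {
  awk -F '\t' '$2 == "true" { print $1 }'
}

# Return 0 only when all tools exist and exactly one default StorageClass is set
# (rejecting multiple defaults is an assumption of this example).
preflight() {
  missing=$(missing_tools $REQUIRED_TOOLS)
  if [ -n "$missing" ]; then
    echo "missing tools:" $missing >&2
    return 1
  fi
  defaults=$(list_storageclasses | default_storageclasses)
  case $(printf '%s\n' "$defaults" | grep -c . || true) in
    1) echo "default StorageClass: $defaults" ;;
    0) echo "no default StorageClass found" >&2; return 1 ;;
    *) echo "multiple default StorageClasses:" $defaults >&2; return 1 ;;
  esac
}

# Run the check only when asked, so sourcing this file has no side effects.
if [ "${1:-}" = "--run" ]; then preflight; fi
```

Run it with `--run` against the cluster your current `kubectl` context points at.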
- Starting with a new cluster with a default StorageClass
- `helm-operator/install.sh`
- `kapp deploy -a sealed-secrets -f manifests/sealed-secrets`
- `./setup-secrets.sh`
- `kapp deploy -a ingress-nginx -f manifests/ingress-nginx`
- `kapp deploy -a harbor -f manifests/harbor`
- Install TBS
- `kapp deploy -a concourse -f manifests/concourse`
- Build and push Concourse Helper with `cd concourse/Helper && ./concourse/Helper/build.sh 1`
- `setup-pipeline-secrets.sh`
- `kapp deploy -a concourse-secrets -f manifests/concourse-main`
- `cd concourse/pipeline`
- `./fly.sh`
- `cd ..`
- Unpause the pipeline
Ingress controllers are easier to manage than NodePorts for every app. Use the Kubernetes in-tree nginx Ingress controller. It works fine for a lab environment. This implementation uses `hostNetwork: true` to bind port 443 for convenience.
Harbor is an OCI image registry with lots of great security features. Harbor uses the nginx Ingress controller for convenience.
Concourse is a container-native automation tool commonly used as a "CI/CD" tool. Concourse uses the nginx Ingress controller for convenience.
Tanzu Build Service (TBS) uses Cloud Native Buildpacks to turn source code into OCI images. TBS has no UI and does not use the Ingress controller.
Use TBS to build Spring PetClinic
Your app is defined entirely in Kubernetes manifests. `kapp` is used to deploy those manifests as part of a Concourse pipeline.
PetClinic is a good example of a Spring Boot app. Use Flux to monitor the PetClinic K8s manifests and deploy them.
- I used Ubuntu instead of Alpine for the Concourse Helper image. musl behaves strangely sometimes. I was unable to run a particular Golang binary in Alpine.
- Need to deploy MySQL for PetClinic
- Write Wavefront Concourse task
- How to install everything at once
- How do you provide a username and password to `pks get-credentials` for use with Concourse? Otherwise I get a password prompt when using OIDC
- Switch from nginx to Contour using the Bitnami chart
- Switch to Bitnami for Harbor