
Getting Started

The following guide outlines the bare-minimum configuration required to stand up the Traefik, Cert-Manager, and ArgoCD modules. Please see each module's documentation for detailed implementation and feature information.


Prerequisites


Workspace Setup

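These values might be stored in a terraform.tfvars file. Because that file then holds the Let's Encrypt account key and the OIDC client secret, keep it out of version control and restrict who can read it.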


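# Workspace input values. Two of them are credentials:
# letsencrypt_secret_base64_key and argocd_oidc_client_secret.
# Declare the matching variables with `sensitive = true` so plan output
# redacts them, and prefer TF_VAR_<name> environment variables or a secrets
# manager over a file that could be committed.

# The Let's Encrypt account key encoded in Base64.
# The value shown is a placeholder, not a usable key.
letsencrypt_secret_base64_key = "aGFoLCBuaWNlIHRyeSA6LVA="

# The OIDC provider parameters needed by ArgoCD to authenticate and authorize users.
argocd_oidc_name      = "Auth0"
argocd_oidc_issuer    = "https://homestead.us.auth0.com/"
argocd_oidc_client_id = "r20485SomHEXRp8jF0RTvymSbrrT622l"

# Placeholder as well: it decodes to a note that the real client secret is
# supplied as issued by the provider, not Base64-encoded.
argocd_oidc_client_secret = "dGhpcyBvbmUgaXNuJ3Qgc3VwcG9zZWQgdG8gYmUgYmFzZTY0IGVuY29kZWQ="

# Scopes requested at login. HCL list elements need a comma between them;
# without the commas this file does not parse.
argocd_oidc_requested_scopes = [
  "openid",
  "profile",
  "email",
  "https://turnbros.app/claims/groups",
]

# Requests the "groups" claim as essential in the ID token.
# NOTE(review): authorization depends on the group claim ArgoCD reads, so
# confirm the claim name the provider emits matches the RBAC configuration.
argocd_oidc_requested_id_token_claims = {
  "groups" = {
    "essential" = true
  }
}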

Configure Traefik

# Traefik ingress controller, installed from the project-octal registry module.
module "traefik" {
  source  = "project-octal/traefik/kubernetes"
  version = "0.0.1" # exact pin, so a module upgrade is always an explicit change

  namespace = "kube-traefik"
  log_level = "INFO"

  # Image version to run; check it against current Traefik releases before
  # deploying, since the ingress controller is the cluster's exposed edge.
  image_tag = "2.4.8"

  # Replica count and rolling-update limits.
  replicas                       = 2
  rolling_update_max_surge       = 1
  rolling_update_max_unavailable = 1

  # NOTE(review): one second leaves little time for in-flight requests to
  # drain when a pod stops; confirm this is intended outside a demo.
  pod_termination_grace_period_seconds = 1

  # Presumably passed through as the Kubernetes Service type. "LoadBalancer"
  # normally yields an externally reachable address, so confirm that this
  # exposure is wanted and restrict source ranges where the platform allows.
  service_type = "LoadBalancer"

  preferred_node_selector = []
}

Configure Cert-Manager

# cert-manager with one Let's Encrypt cluster issuer bound to the Traefik
# ingress class.
module "cert_manager" {
  source  = "project-octal/cert-manager/kubernetes"
  version = "0.0.3"

  # Keyed by issuer name; add more entries here to define further cluster issuers.
  certificate_issuers = {
    letsencrypt = {
      name           = "letsencrypt-prod"
      default_issuer = true
      ingress_class  = module.traefik.ingress_class

      # Production ACME directory. It is rate limited, so trial runs are
      # better pointed at Let's Encrypt's staging directory first.
      server = "https://acme-v02.api.letsencrypt.org/directory"

      # ACME account contact address; replace with a monitored address you control.
      email = "dylanturn@gmail.com"

      # ACME account private key. Declare the variable with `sensitive = true`;
      # the value is still written to Terraform state, so protect the state
      # backend accordingly.
      secret_base64_key = var.letsencrypt_secret_base64_key
    }
  }
}

Configure ArgoCD

# ArgoCD, wired to the Traefik ingress class and the cert-manager issuer
# defined by the other two modules, with sign-in through an external OIDC provider.
module "argocd" {
  source  = "project-octal/argocd/kubernetes"
  version = "0.0.4"

  namespace  = "kube-argocd"
  argocd_url = "argocd.turnbros.app"

  # Replica counts for the server and repo components.
  argocd_server_replicas = 2
  argocd_repo_replicas   = 2
  enable_ha_redis        = false

  # Dex is switched off; presumably login goes straight to the provider
  # described in oidc_config. Confirm against the module documentation.
  enable_dex = false

  ingress_class       = module.traefik.ingress_class
  cluster_cert_issuer = module.cert_manager.cert_issuer

  # OIDC settings ArgoCD uses for authentication and authorization.
  # client_secret is a credential: declare its variable with `sensitive = true`
  # and restrict access to the Terraform state, where the value is stored.
  oidc_config = {
    name                      = var.argocd_oidc_name
    issuer                    = var.argocd_oidc_issuer
    client_id                 = var.argocd_oidc_client_id
    client_secret             = var.argocd_oidc_client_secret
    requested_scopes          = var.argocd_oidc_requested_scopes
    requested_id_token_claims = var.argocd_oidc_requested_id_token_claims
  }
}