adebaumann/vgui-cicd
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
137ed9d1a0acc0cc79fdf75f69e9d27647561b48
vgui-cicd/Documentation/ArgoCD.md

11 KiB
Raw Blame History

ArgoCD Configuration Documentation

Overview

This directory contains the ArgoCD application manifests for deploying the VorgabenUI application and its dependencies to Kubernetes.

Files

Application Manifests

001_pvc.yaml

  • Purpose: PersistentVolumeClaim for Django application data
  • Storage: 2Gi storage with ReadWriteMany access mode
  • Storage Class: Uses NFS storage class for shared storage across multiple pods
  • Namespace: vorgabenui

configmap.yaml

  • Purpose: Django application configuration
  • Contains: Environment variables, application settings, version information
  • Namespace: vorgabenui
  • Version: 0.990

deployment.yaml

  • Purpose: Main application deployment configuration
  • Contains: Django application container, environment variables, resource limits
  • Replicas: Configurable replica count for high availability
  • Version: 0.990

ingress.yaml

  • Purpose: External access configuration
  • Host: Configurable hostname for the application
  • TLS: SSL/TLS termination configuration
  • Backend: Routes traffic to the Django application service
  • Ingress Class: traefik

nfs-pv.yaml

  • Purpose: PersistentVolume definition for NFS storage
  • Server: 192.168.17.199
  • Path: /mnt/user/kubernetesdata/vorgabenui
  • Access: ReadWriteMany for multi-pod access
  • Reclaim Policy: Retain (data preserved after PVC deletion)

nfs-storageclass.yaml

  • Purpose: StorageClass definition for NFS volumes
  • Provisioner: kubernetes.io/no-provisioner (static provisioning)
  • Volume Expansion: Enabled for growing storage capacity
  • Binding Mode: Immediate (binds PV to PVC as soon as possible)

diagrammer.yaml

  • Purpose: Deployment configuration for the diagram generation service
  • Function: Handles diagram creation and caching for the application
  • Version: 0.026

secret.yaml (Template)

  • Purpose: Template for Django SECRET_KEY secret
  • Contains: Secret key configuration for cryptographic operations
  • Namespace: vorgabenui
  • Generated by: deploy-argocd-secret.sh script
  • Version: 0.026

secret.yaml (Template)

  • Purpose: Template for Django SECRET_KEY secret
  • Contains: Secret key configuration for cryptographic operations
  • Namespace: vorgabenui
  • Generated by: deploy-argocd-secret.sh script
  • Version: 0.026

MicroK8s Addons Required

Required Addons

Enable the following MicroK8s addons before deployment:

# Enable storage and NFS support
sudo microk8s enable storage
sudo microk8s enable nfs

# Enable ingress for external access
sudo microk8s enable ingress

# Enable DNS for service discovery
sudo microk8s enable dns

# Optional: Enable metrics for monitoring
sudo microk8s enable metrics-server

Addon Descriptions

storage

  • Purpose: Provides default storage class for persistent volumes
  • Required for: Basic PVC functionality
  • Note: Works alongside our custom NFS storage class

nfs

  • Purpose: Installs NFS client utilities on all MicroK8s nodes
  • Required for: Mounting NFS volumes in pods
  • Components: Installs nfs-common package with mount helpers

ingress

  • Purpose: Provides Ingress controller for external HTTP/HTTPS access
  • Required for: ingress.yaml to function properly
  • Implementation: Uses NGINX Ingress Controller

dns

  • Purpose: Provides DNS service for service discovery within cluster
  • Required for: Inter-service communication
  • Note: Usually enabled by default in MicroK8s

metrics-server (Optional)

  • Purpose: Enables resource usage monitoring
  • Required for: kubectl top commands and HPA (Horizontal Pod Autoscaling)
  • Recommended for: Production monitoring

Addon Verification

After enabling addons, verify they are running:

# Check addon status
microk8s status

# Check pods in kube-system namespace
microk8s kubectl get pods -n kube-system

# Check storage classes
microk8s kubectl get storageclass

# Check ingress controller
microk8s kubectl get pods -n ingress

Troubleshooting Addons

NFS Addon Issues

# Check if NFS utilities are installed
which mount.nfs

# Manually install if addon fails
sudo apt update && sudo apt install nfs-common

# Restart MicroK8s after manual installation
sudo microk8s restart

Ingress Issues

# Check ingress controller pods
microk8s kubectl get pods -n ingress

# Check ingress services
microk8s kubectl get svc -n ingress

# Test ingress connectivity
curl -k https://vorgabenportal.knowyoursecurity.com

Storage Issues

# List available storage classes
microk8s kubectl get storageclass

# Check default storage class
microk8s kubectl get storageclass -o yaml

Storage Architecture

  • Storage Class: nfs - Static provisioning for NFS shares
  • Persistent Volume: Pre-provisioned PV pointing to NFS server
  • Persistent Volume Claim: Claims the NFS storage for application use
  • Access Mode: ReadWriteMany allows multiple pods to access the same data

NFS Server Setup

On the NFS server (192.168.17.199), ensure the following:

# Create the shared directory
sudo mkdir -p /mnt/user/kubernetesdata/vorgabenui
sudo chmod 755 /mnt/user/kubernetesdata/vorgabenui

# Add to /etc/exports
echo "/mnt/user/kubernetesdata/vorgabenui *(rw,sync,no_subtree_check,no_root_squash)" | sudo tee -a /etc/exports

# Export the directory
sudo exportfs -a
sudo systemctl restart nfs-kernel-server

Configuration Management

ConfigMap Deployment

The Django application uses a ConfigMap for application configuration. The ConfigMap contains environment variables and settings for the Django application.

ConfigMap File

  • File: configmap.yaml
  • Name: django-config
  • Namespace: vorgabenui
  • Version: 0.990

Configuration Contents

apiVersion: v1
kind: ConfigMap
metadata:
  name: django-config
  namespace: vorgabenui
data:
  # Django Configuration
  DEBUG: "false"
  DJANGO_ALLOWED_HOSTS: "vorgabenportal.knowyoursecurity.com,localhost,127.0.0.1,*"
  DJANGO_SETTINGS_MODULE: "VorgabenUI.settings"
  
  # Application Configuration
  LANGUAGE_CODE: "de-ch"
  TIME_ZONE: "UTC"
  
  # Static and Media Configuration
  STATIC_URL: "/static/"
  MEDIA_URL: "/media/"
  
  # Application Version
  VERSION: "0.990"
  
  # Database Configuration (for future use)
  # DATABASE_ENGINE: "django.db.backends.sqlite3"
  # DATABASE_NAME: "/app/data/db.sqlite3"
  
  # Security Configuration
  # CSRF_TRUSTED_ORIGINS: "https://vorgabenportal.knowyoursecurity.com"

Deployment Script

The ConfigMap is deployed using the deploy-argocd-configmap.sh script located in the scripts/ directory.

Script Usage:

# Deploy ConfigMap
./scripts/deploy-argocd-configmap.sh

# Verify ConfigMap only (no deployment)
./scripts/deploy-argocd-configmap.sh --verify-only

# Dry-run (show what would be deployed)
./scripts/deploy-argocd-configmap.sh --dry-run

Script Features:

  • Validates kubectl availability
  • Checks if ConfigMap file exists
  • Creates namespace if it doesn't exist
  • Applies ConfigMap configuration
  • Verifies successful deployment
  • Provides detailed logging and error handling

Secret Deployment

The Django application requires a secure SECRET_KEY for cryptographic signing. This is managed through a Kubernetes Secret.

Secret Configuration

  • Secret Name: vorgabenui-secrets
  • Secret Key: vorgabenui_secret
  • Namespace: vorgabenui

Secret Generation

The secret is automatically generated using the deploy-argocd-secret.sh script, which creates a secure Django-style SECRET_KEY.

Script Usage:

# Generate and deploy new secret
./scripts/deploy-argocd-secret.sh

# Verify existing secret only (no new generation)
./scripts/deploy-argocd-secret.sh --verify-only

# Dry-run (show what would be done)
./scripts/deploy-argocd-secret.sh --dry-run

Secret Generation Features:

  • Generates secure 50-character SECRET_KEY using Python
  • Uses Django-style character set (letters, digits, special characters)
  • Creates or updates the secret in the vorgabenui namespace
  • Verifies secret deployment and accessibility
  • Tests secret accessibility in Django pods

Environment Variable Reference

The deployment.yaml references the secret through environment variables:

env:
  # Secret configuration
  - name: VORGABENUI_SECRET
    valueFrom:
      secretKeyRef:
        name: vorgabenui-secrets
        key: vorgabenui_secret

Security Notes

  • The SECRET_KEY is never logged or displayed in full
  • Only the first 10 characters are shown during generation for verification
  • The secret is stored securely in Kubernetes and only accessible to authorized pods
  • Regular secret rotation is recommended for production environments

Deployment Order

  1. StorageClass (nfs-storageclass.yaml) - Defines NFS storage class
  2. PersistentVolume (nfs-pv.yaml) - Creates the NFS volume
  3. PersistentVolumeClaim (001_pvc.yaml) - Claims storage for application
  4. ConfigMap (configmap.yaml) - Deploy Django configuration
  5. Secret (secret.yaml) - Generate and deploy Django SECRET_KEY
  6. Application Deployments (deployment.yaml, diagrammer.yaml) - Deploy application services
  7. Ingress (ingress.yaml) - Configure external access

Configuration Notes

Namespace

All resources are deployed to the vorgabenui namespace.

Storage Sizing

  • Current allocation: 2Gi
  • Volume expansion is enabled through the StorageClass
  • Monitor usage and adjust PVC size as needed

Access Control

  • NFS export uses no_root_squash for container root access
  • Ensure proper network security between Kubernetes nodes and NFS server
  • Consider implementing network policies for additional security

Troubleshooting

Common Issues

Mount Failures

  • Error: "bad option; for several filesystems you might need a /sbin/mount. helper program"
  • Solution: Install NFS client utilities or enable NFS addon in MicroK8s

Permission Issues

  • Error: Permission denied when accessing mounted volume
  • Solution: Check NFS export permissions and ensure no_root_squash is set

Network Connectivity

  • Error: Connection timeout to NFS server
  • Solution: Verify network connectivity and firewall rules between nodes and NFS server

Debug Commands

# Check PVC status
kubectl get pvc -n vorgabenui

# Check PV status
kubectl get pv

# Describe PVC for detailed information
kubectl describe pvc django-data-pvc -n vorgabenui

# Check pod mount status
kubectl describe pod <pod-name> -n vorgabenui

Maintenance

Backup Strategy

  • The NFS server should have regular backups of /mnt/user/kubernetesdata/vorgabenui
  • Consider snapshot capabilities if using enterprise NFS solutions

Monitoring

  • Monitor NFS server performance and connectivity
  • Track storage usage and plan capacity upgrades
  • Monitor pod restarts related to storage issues

Updates

  • When updating storage configuration, update PV first, then PVC
  • Test changes in non-production environment first
  • Ensure backward compatibility when modifying NFS exports