The following article describes the steps to install the Deepfactor portal using Argo CD with Azure Load Balancer and Vault for storing secrets.
1. Create secrets for TLS certificate and root CA
In this document, we will use a Let's Encrypt certificate with dns01 challenge.
In order to verify using the dns01 challenge, you will need to create a DNS zone for your preferred domain in Azure. You can verify that Azure is resolving the domain by executing the following command.
nslookup -type=SOA your-preferred-domain-name # output will be of the form origin = ns1-34.azure-dns.com
# azure cli should be installed to run the following commands
az ad sp create-for-rbac --name deepfactor.acme.org
# Replace appid from the output of the above command
az role assignment delete --assignee appid --role Contributor
# Retrieve dns-zone-name and resource-group from azure portal and replace in the command below
az network dns zone show --name dns-zone-name --resource-group resource-group --query "id" --output tsv
# Replace appid from first command & dns-zone-id from the output of the previous command
az role assignment create --assignee appid --role "DNS Zone Contributor" --scope dns-zone-id
# Replace password from the output of the first command
kubectl -n deepfactor create secret generic azuredns-config --from-literal=client-secret=password
where
deepfactor.acme.org is the hostname for the Deepfactor portal
2. Enable vault plugin in Argo CD installation
Please follow steps mentioned in the following section to enable vault plugin in Argo CD
Enable vault plugin in Argo CD installation
3. Install vault in your kubernetes cluster
Please follow steps mentioned in the following section to install vault
4. Configure vault and add Deepfactor portal secrets
Please follow steps mentioned in the following section to configure vault and add Deepfactor secrets
Configure vault and add Deepfactor portal secrets
5. Install cert manager
Please follow steps mentioned in the following section to install cert manager in your K8s cluster
After you have installed cert manager, please create an issuer for Let's Encrypt using the following commands.
Create a yaml file (le-issuer.yaml) with the following contents
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: le-cert-issuer
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: EMAIL_ID
    privateKeySecretRef:
      name: letsencrypt-issuer
    solvers:
    - dns01:
        azureDNS:
          clientID: AZURE_CERT_MANAGER_SP_APP_ID # retrieve from output of az ad sp create-for-rbac.. command
          clientSecretSecretRef:
            name: azuredns-config # secret created in previous step
            key: client-secret
          subscriptionID: AZURE_SUBSCRIPTION_ID
          tenantID: AZURE_TENANT_ID # retrieve from output of az ad sp create-for-rbac.. command
          resourceGroupName: AZURE_DNS_ZONE_RESOURCE_GROUP
          hostedZoneName: AZURE_DNS_ZONE
          environment: AzurePublicCloud
Run the following command to create the issuer
kubectl apply -n deepfactor -f ./le-issuer.yaml
Create a secret for the Let's Encrypt root CA. This will be used in the next step when we install the Deepfactor portal.
wget https://letsencrypt.org/certs/isrgrootx1.pem
kubectl -n deepfactor create secret generic letsencrypt-ca-secret --from-file=ca.crt=isrgrootx1.pem
6. Install Deepfactor Portal
Create a yaml file (deepfactor-portal.yaml) with the following contents
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: df-stable
  namespace: argocd
spec:
  destination:
    namespace: deepfactor
    server: https://kubernetes.default.svc
  project: default
  source:
    repoURL: https://static.deepfactor.io/helm-charts
    chart: deepfactor
    targetRevision: 2.4.60
    plugin:
      name: argocd-vault-helm
      env:
        # These are the arguments we pass to "helm template"
        - name: helm_args
          value: |
            --dependency-update
            --set dfstartup.config.emailID=portal_admin_email_address
            --set dfstartup.config.firstName=portal_admin_first_name
            --set dfstartup.config.lastName=portal_admin_last_name
            --set dfstartup.config.password=<path:internal/data/database/config/deepfactor/portal#portalpassword>
            --set dfstartup.config.portalToken=<path:internal/data/database/config/deepfactor/portal#portaltoken>
            --set clickhouse.password=<path:internal/data/database/config/deepfactor/portal#clickhousepassword>
            --set postgres.password=<path:internal/data/database/config/deepfactor/portal#postgrespassword>
            --set appsettings.jwt=<path:internal/data/database/config/deepfactor/portal#jwtkey>
            --set ingress-nginx.enablemodule=false
            --set ingress.hostName=your_preferred_portal_hostname
            --set nginx.ingress.enabled=false
            --set nginx.service.type=LoadBalancer
            --set ingress.caSecretName=letsencrypt-ca-secret
            --set ingress.certManager.enabled=true
            --set ingress.certManager.issuerRef.name=le-cert-issuer
            --set ingress.certManager.issuerRef.kind=Issuer
  syncPolicy:
    automated: {}
    syncOptions:
    - CreateNamespace=true
Note: Deepfactor portal pods will be installed in the 'deepfactor' namespace.
Please enter appropriate values for the following in the above yaml file
portal_admin_email_address: This is the email address you will use to login to the portal once it is installed
portal_admin_first_name: First name of the admin user
portal_admin_last_name: Last name of the admin user
your_preferred_portal_hostname: The hostname you would like the Deepfactor portal to use. Please note, you will need to create a DNS entry for this hostname to ensure applications running with Deepfactor can reach the portal.
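Because the Application manifest above is committed to a Git repository, it is worth checking before each commit that every secret-bearing --set still points at a Vault reference (the argocd-vault-plugin <path:...#key> form) and that none of the placeholders listed above were left unreplaced. The lint below is an added example, not part of the Deepfactor article; it works on the text of the helm_args block and the sample input is constructed, with two defects planted on purpose.

```python
import re

# Keys whose values must come from Vault via the argocd-vault-plugin
# placeholder syntax <path:...#key>, never as a literal in the manifest.
SECRET_KEYS = {
    "dfstartup.config.password",
    "dfstartup.config.portalToken",
    "clickhouse.password",
    "postgres.password",
    "appsettings.jwt",
}
# Placeholders the article asks the reader to replace by hand.
MANUAL_PLACEHOLDERS = {
    "portal_admin_email_address",
    "portal_admin_first_name",
    "portal_admin_last_name",
    "your_preferred_portal_hostname",
}
VAULT_REF = re.compile(r"^<path:[^#>]+#[^>]+>$")
SET_FLAG = re.compile(r"--set\s+([^=\s]+)=(\S+)")


def lint_helm_args(helm_args: str) -> list:
    """Return findings for the helm_args block of the Deepfactor
    Argo CD Application; an empty list means the block passes."""
    findings = []
    seen = set()
    for key, value in SET_FLAG.findall(helm_args):
        seen.add(key)
        if key in SECRET_KEYS and not VAULT_REF.match(value):
            findings.append(f"{key}: literal value, expected a Vault <path:...#key> reference")
        if value in MANUAL_PLACEHOLDERS:
            findings.append(f"{key}: placeholder '{value}' not replaced")
    for key in sorted(SECRET_KEYS - seen):
        findings.append(f"{key}: no --set present for a secret-bearing key")
    return findings


# Constructed sample (not from the article): a literal postgres password
# and an unfilled hostname placeholder are planted to show the findings.
SAMPLE_BAD = """\
--dependency-update
--set dfstartup.config.emailID=admin@example.com
--set dfstartup.config.password=<path:internal/data/database/config/deepfactor/portal#portalpassword>
--set dfstartup.config.portalToken=<path:internal/data/database/config/deepfactor/portal#portaltoken>
--set clickhouse.password=<path:internal/data/database/config/deepfactor/portal#clickhousepassword>
--set postgres.password=hunter2
--set appsettings.jwt=<path:internal/data/database/config/deepfactor/portal#jwtkey>
--set ingress.hostName=your_preferred_portal_hostname
"""

if __name__ == "__main__":
    for finding in lint_helm_args(SAMPLE_BAD):
        print("FAIL:", finding)
```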
Run the following command to create the Argo CD application for Deepfactor portal
kubectl apply -f ./deepfactor-portal.yaml
Verify that the Deepfactor portal pods are up by running the following command
kubectl get pods -n deepfactor