This repo contains all the manifests for resources running under Kubernetes (with Istio) at MHRA. It declares our intent, and then we use GitOps to realise this deployment configuration using ArgoCD. Note that all secrets in this repo are encrypted using Bitnami's Sealed Secrets.
All app-specific configurations (e.g. for the Document Index Updater and Medicines API) live in the Products repository so that they can be updated and applied alongside any changes to the applications.
- An engineer pushes a change to the Products monorepo
- A GitHub Action runs a workflow
- The workflow builds a Docker image, which also runs analysis and tests
- The workflow pushes the image to the relevant registry
- The workflow clones this repository (shallow clone), uses Kustomize to edit the relevant configuration with the new image's tag (which is the image's content digest [SHA]), commits and pushes back to this repository
- The workflow also builds any application-specific manifest changes in the Products monorepo and outputs the result into the relevant application and environment directory within this repository, compiling them into a single `manifests.yaml` file
- Argo CD running in the cluster pulls the changed configuration
- Argo CD synchronises the configuration of the cluster with the configuration specified in this repository
- If required, new images are pulled (by Kubernetes) from the relevant registry and new pods started
- Production deployments can be manually synced (although the aim is to have these automatically synchronised as well)
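The step where the workflow rewrites the image reference is where a mutable tag could slip into the manifests in place of the content digest. As an added example (not the repo's own workflow code), this POSIX sh script wraps `kustomize edit set image` so the override is only written when the reference is digest-pinned; it assumes `kustomize` is on PATH, a placeholder registry name, and an overlay directory containing a `kustomization.yaml`.

```shell
#!/usr/bin/env sh
# Added example: refuse to pin anything other than a sha256 content digest
# when updating a Kustomize overlay from CI. Registry name is a placeholder.

# Return 0 if $1 is an image reference pinned by content digest
# (name@sha256:<64 hex chars>), 1 otherwise. Tags alone are rejected.
is_digest_pinned() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9._/:-]+@sha256:[0-9a-f]{64}$'
}

# Print the kustomize override "name=name@sha256:..." for image name $1
# and digest $2. Prints nothing and returns 1 when $2 is not a digest.
image_override() {
  name="$1"
  digest="$2"
  ref="${name}@${digest}"
  is_digest_pinned "$ref" || return 1
  printf '%s=%s\n' "$name" "$ref"
}

# Pin image $2 to digest $3 in overlay directory $1, mirroring the
# "kustomize edit ... commit and push" step; fails closed on a bad digest.
pin_image() {
  overlay_dir="$1"
  name="$2"
  digest="$3"
  command -v kustomize >/dev/null 2>&1 || {
    echo "kustomize not found on PATH" >&2
    return 1
  }
  override=$(image_override "$name" "$digest") || {
    echo "refusing to pin $name: '$digest' is not a sha256 digest" >&2
    return 1
  }
  (cd "$overlay_dir" && kustomize edit set image "$override")
}
```

Call `pin_image deployments/medicines-api/non-prod registry.example/medicines-api "$DIGEST"` from the workflow; the hypothetical paths shown are placeholders, not this repo's layout.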
- Follow the steps in the products repo to set up a Kubernetes cluster on Azure using terraform.
- Install Istio, Sealed Secrets and ArgoCD. Once installed, ArgoCD will deploy the rest of the configuration (using GitOps). The `overlay` argument specifies the environment you are deploying to (the default is `non-prod`):

  ```sh
  cd cluster-init
  make overlay=non-prod
  ```

- If you only want to delete Istio, Sealed Secrets and Argo CD:

  ```sh
  cd cluster-init
  make delete overlay=non-prod
  ```

- If you want to delete the cluster infrastructure for your environment, you can do this from the products repo.
- `kubectl` - the official client for the Kubernetes API: https://kubernetes.io/docs/reference/kubectl/overview/

  ```sh
  brew install kubernetes-cli
  ```

  It may be useful to alias this to something easier to type (and maybe add it to your shell rc, e.g. `~/.zshrc`):

  ```sh
  alias k=kubectl
  ```

  There's also a `zsh` plugin for `kubectl` for your `~/.zshrc`, e.g.:

  ```sh
  plugins=(git kubectl zsh-syntax-highlighting)
  ```

- `kustomize` - create a set of manifests for Kubernetes

  ```sh
  brew install kustomize
  ```

- `kubectx` - tools for switching K8s contexts (clusters) and namespaces

  ```sh
  brew install kubectx
  ```

  It may be useful to alias these tools to something easier to type (and maybe add them to your shell rc, e.g. `~/.zshrc`):

  ```sh
  alias kctx=kubectx
  alias kns=kubens
  ```

  You should be able to use Tab autocompletion with `kctx` on contexts from your `~/.kube/config`, and with `kns` on namespaces from the current context. Really useful for quickly changing clusters/namespaces.

- `kube-ps1` - customize your command prompt to display the current context and namespace: https://github.com/jonmosco/kube-ps1

  ```sh
  brew install kube-ps1
  ```

  And for your `~/.zshrc`:

  ```sh
  source "/usr/local/opt/kube-ps1/share/kube-ps1.sh"
  PS1='$(kube_ps1)'$PS1
  ```

- `stern` - easily tail container logs: https://github.com/wercker/stern

  ```sh
  brew install stern
  ```

  Aggregates logs from all containers whose names match the pattern, e.g. tailing logs from `istio-ingressgateway`:

  ```sh
  kns istio-system && stern ingress
  ```

- `istioctl` - official client for the Istio API: https://istio.io/docs/reference/commands/istioctl/

  ```sh
  brew install istioctl
  ```

- `kubeseal` - Bitnami Sealed Secrets CLI: https://github.com/bitnami-labs/sealed-secrets

  ```sh
  brew install kubeseal
  ```

  This is used by some of the scripts/Makefiles in this repo to encrypt secrets so that they can be committed to this repo.

- `kind` - Kubernetes In Docker

  ```sh
  brew install kind
  ```

  Useful for creating a local multi-node cluster for testing configurations.

- `argocd` - official CLI for working with ArgoCD

  ```sh
  brew install argocd
  ```

  Your mileage may vary, and you may need to use port-forwarding (or gRPC-web) for this to be useful, because we use the Istio ingress gateway. It's probably easier to use the web GUI.

- `helm` - manage templating and installation of Helm charts

  ```sh
  brew install helm
  ```

  Currently used to configure cert-manager.