0b7819bda3
Bump almalinux9 image tags to 20260606 Reviewed-on: #188 Co-authored-by: Ben Vincent <ben@unkin.net> Co-committed-by: Ben Vincent <ben@unkin.net>
4.6 KiB
4.6 KiB
Migration Guide: Terragrunt to ArgoCD
Prerequisites
- Examine existing Terraform configuration in
sources/terraform-k8s/config/<app-name>/ - Identify Helm charts, values, storage classes, secrets, and other resources
Migration Steps
1. Branch Creation
- Change back to main branch:
git checkout main - Create new branch:
git checkout -b benvin/<app-name>
2. Create Base Application Structure
- Create directory:
apps/base/<app-name>/ - Create
apps/base/<app-name>/kustomization.yamlwith resources:namespace.yamlvaultauth.yaml(if needed)vaultstaticsecret.yaml(if needed)- Additional resources as required (storageclass.yaml, etc.)
3. Create Namespace
- Create
apps/base/<app-name>/namespace.yamlwith app namespace
4. Create Vault Integration (if needed)
- Create
apps/base/<app-name>/vaultauth.yamlfrom Terraformvault_auth.yaml- Convert snake_case to camelCase for Kubernetes
- Map Terraform fields to VaultAuth spec
- Create
apps/base/<app-name>/vaultstaticsecret.yamlfromvault_static_secret.yaml- Convert to VaultStaticSecret spec format
5. Create Additional Resources
- Create any additional resources (StorageClass, etc.) from Terraform config
- Maintain exact parameter parity with Terraform
6. Create Overlay Structure
- Create directory:
apps/overlays/au-syd1/<app-name>/ - Create
apps/overlays/au-syd1/<app-name>/kustomization.yaml:- Reference base:
../../../base/<app-name> - Add helmCharts section with repo, version, valuesFile
- Reference base:
- Create
apps/overlays/au-syd1/<app-name>/values.yamlfrom Terraform helm_release values
7. Update Project Configuration
- Add Helm repository to appropriate project in
argocd/projects/ - Add namespace to project destinations (if needed)
- Add required cluster resource permissions
8. Update ApplicationSet
- Add directory pattern to appropriate ApplicationSet in
argocd/applicationsets/ - Use existing patterns like
apps/overlays/*/csi-*orapps/overlays/*/<app-name>
9. Validation
- Run
kustomize build --enable-helm apps/overlays/au-syd1/<app-name>to generate all resources - Check resource types:
kustomize build --enable-helm apps/overlays/au-syd1/<app-name> | grep "^kind:" | sort | uniq -c - Verify all resource types are permitted in the target project's
clusterResourceWhitelistandnamespaceResourceWhitelist - Run
make kubeconformto validate all resources - Fix any validation errors
10. Git Workflow
- Add only created/modified files:
git add apps/base/<app-name>/ apps/overlays/au-syd1/<app-name>/ argocd/projects/<project>.yaml argocd/applicationsets/<project>.yaml - Never use
git add . - Create commit with descriptive message following existing patterns
- Push branch:
git push -u origin benvin/<app-name>
Project Organization
Platform Project
- Core infrastructure and system components
- Examples: cert-manager, external-dns, cnpg-system, reflector-system, etc.
Storage Project
- Storage-related components
- Pattern:
csi-*applications - Examples: csi-cephfs, csi-cephrbd
Application-Specific Projects
- Create new projects for logical groupings as needed
Common Patterns
Helm Chart Integration
helmCharts:
- name: <chart-name>
repo: <helm-repo-url>
version: "<version>"
releaseName: <release-name>
namespace: <namespace>
valuesFile: values.yaml
VaultAuth Template
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: <auth-name>
namespace: <namespace>
spec:
method: kubernetes
mount: k8s/au/syd1
vaultConnectionRef: vso-system/default
allowedNamespaces:
- <namespace>
kubernetes:
role: <role>
serviceAccount: <service-account>
audiences:
- vault
tokenExpirationSeconds: 600
VaultStaticSecret Template
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: <secret-name>
namespace: <namespace>
spec:
vaultAuthRef: <auth-ref>
mount: kv
type: kv-v2
path: <vault-path>
refreshAfter: 5m
destination:
name: <k8s-secret-name>
create: true
Troubleshooting
Pre-commit Hook Issues
- If hooks modify files, add changes:
git add -u - Amend commit if safe:
git commit --amend --no-edit - Use
git push --force-with-leasefor amended commits
Validation Failures
- Check Helm chart compatibility with Kubernetes version
- Verify all required fields are present in resources
- Ensure proper YAML formatting
Missing Permissions
- Add required cluster resources to project clusterResourceWhitelist
- Add namespaces to project destinations
- Verify Helm repository is in project sourceRepos