commit 8812b024583c611262bbce8d4e4f330aeac64f5b Author: gitea-actions Date: Sat Apr 18 18:39:51 2026 +0000 Deploy docs diff --git a/404.html b/404.html new file mode 100644 index 0000000..a5df2cc --- /dev/null +++ b/404.html @@ -0,0 +1,460 @@ + + + + + + + + + + + + + + + + + + + + + + + + K8s Launchpad + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

+ +

+ + + + + + +

+ + + + + + + + + + +

+ + K8s Launchpad + +

+ + + + + +

+ + + + + + + + + + + + + + + + + + + + +

+ +

+ + +

+ Forte/launchpad +

+ +

+ + + + + + +

+ + + + + + + + + + + +

+ +

404 - Not found

+ +

+ + + +

+ + + + + + + + + + + + + \ No newline at end of file diff --git a/DEVELOPER-GUIDE/index.html b/DEVELOPER-GUIDE/index.html new file mode 100644 index 0000000..b923dea --- /dev/null +++ b/DEVELOPER-GUIDE/index.html @@ -0,0 +1,4914 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + Developer Guide - K8s Launchpad + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

+ + + + Skip to content + + +

+ +

+ + + + + + +

+ + + + + + + + + + +

+ + K8s Launchpad + +

+ + + Developer Guide + + +

+ + + + + + + + + + + + + + + + + + + + +

+ +

+ + +

+ Forte/launchpad +

+ +

+ + + + + + +

+ + + + + + + + + + + +

+ +

+ + + + + +

Developer Onboarding Guide¶

Getting Started¶

Welcome! This guide will help you understand how to develop and deploy applications on our Kubernetes cluster using GitOps principles powered by ArgoCD.

What You'll Learn¶

How our GitOps architecture works
How to deploy a new application
How to update existing applications
How to manage secrets securely
Common troubleshooting techniques

Who This Guide Is For¶

Developers deploying new applications
Developers maintaining existing applications
Team members who need to understand the deployment process

Prerequisites¶

Required Knowledge¶

✅ Basic Git workflow (clone, commit, push, pull)
✅ Docker basics (Dockerfile, building images)
✅ YAML syntax
✅ Basic understanding of Kubernetes concepts (pods, deployments, services)
⚠️ Helm knowledge (helpful but not required - templates are provided)

Required Tools¶

Most developers do NOT need kubectl access to the cluster. You'll primarily work with Git repositories.

If you do need cluster access, install:

kubectl - Kubernetes CLI +

# macOS
+brew install kubectl
+
+# Windows
+choco install kubernetes-cli
+
+# Linux
+curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
+

kubeseal - For sealing secrets +

# macOS
+brew install kubeseal
+
+# Windows
+choco install kubeseal
+
+# Linux
+wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.0/kubeseal-0.24.0-linux-amd64.tar.gz
+tar -xvzf kubeseal-0.24.0-linux-amd64.tar.gz
+sudo mv kubeseal /usr/local/bin/
+

Git - Version control +

git --version  # Should already be installed
+

Docker - For local development +

# macOS/Windows: Install Docker Desktop
+# Linux: Install Docker Engine
+docker --version
+

Repository Access¶

You'll need read/write access to these repositories:

launchpad (Config repo) +

git clone https://git.forteapps.net/Forte/launchpad.git
+cd launchpad
+

helm-values (Values repo) +

git clone https://git.forteapps.net/Forte/helm-prod-values.git
+cd helm-values
+

forte-helm (Chart repo - read-only for most developers) +

git clone https://git.forteapps.net/Forte/forte-helm.git
+cd forte-helm
+

Cluster Access (If Needed)¶

If you need kubectl access, ask the platform team for: +- Kubeconfig file +- Cluster context setup instructions

Save to ~/.kube/config and verify: +

kubectl cluster-info
+kubectl get nodes
+

Local Development Setup¶

1. Clone the Repositories¶

Set up a consistent folder structure:

mkdir -p ~/dev/k8s
+cd ~/dev/k8s
+
+# Clone repositories
+git clone https://git.forteapps.net/Forte/launchpad.git launchpad
+git clone https://git.forteapps.net/Forte/helm-prod-values helm-prod-values
+git clone https://git.forteapps.net/Forte/forte-helm forte-helm
+
+# Your folder structure:
+# ~/dev/k8s/
+# ├── launchpad/           (Config repo)
+# ├── helm-prod-values/    (Values repo)
+# └── forte-helm/          (Chart repo)
+

2. Local Development Environment¶

Most applications use Docker Compose for local development:

# In your application repository
+docker-compose up
+
+# Or for frontend applications
+npm install
+npm run dev
+

You DO NOT run applications locally on Kubernetes. Use Docker Compose or native tooling (npm, python, etc.).

3. Understanding the Deployment Flow¶

┌─────────────────────────────────────────────────────────────────┐
+│  Step 1: Develop Locally                                        │
+│  - Write code in your application repository                    │
+│  - Test with Docker Compose or npm/python/etc.                  │
+│  - Build Docker image                                            │
+└─────────────────────────────────────────────────────────────────┘
+                            │
+                            ▼
+┌─────────────────────────────────────────────────────────────────┐
+│  Step 2: CI/CD Pipeline (Automated)                             │
+│  - GitHub Actions builds image                                  │
+│  - Pushes to container registry (GHCR, Docker Hub)              │
+│  - Tags with version (e.g., v2.0.4)                             │
+│  - Updates helm-values repository with new tag                  │
+└─────────────────────────────────────────────────────────────────┘
+                            │
+                            ▼
+┌─────────────────────────────────────────────────────────────────┐
+│  Step 3: GitOps Sync (Automated)                                │
+│  - ArgoCD detects change in helm-values                         │
+│  - Pulls updated configuration                                  │
+│  - Syncs to Kubernetes cluster                                  │
+│  - Sends Slack notification on success/failure                  │
+└─────────────────────────────────────────────────────────────────┘
+

Key Insight: You don't deploy directly. You push code, CI/CD builds it, and ArgoCD deploys it.

Understanding the Workflow¶

Three-Repository Pattern¶

Our setup uses three repositories:

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Repository	Purpose	Who Edits	How Often
forte-helm	Helm chart templates (generic, reusable)	Platform engineers	❌ Rarely
helm-values	Application configuration (image tag, env vars)	Developers / CI pipelines	✅ Sometimes
launchpad	ArgoCD Applications (what gets deployed)	Platform / DevOps engineers	✅ Per new app

Example: Deploying "myapp"¶

Repository: `forte-helm` (Chart Templates)¶

# forteapp/templates/deployment.yaml
+# Generic template used by ALL apps
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .Values.app.name }}
+spec:
+  containers:
+  - name: app
+    image: "{{ .Values.app.image.repository }}:{{ .Values.app.image.tag }}"
+    env:
+    - name: PORT
+      value: {{ .Values.app.port }}
+

Repository: `helm-values` (Your App Config)¶

# myapp/values.yaml
+# Your app's specific configuration
+app:
+  image:
+    repository: ghcr.io/fortedigital/myapp
+    tag: v1.0.0                    # CI/CD updates this
+  port: 3000
+  extraEnv:
+  - name: API_URL
+    value: https://api.example.com
+

Repository: `launchpad` (ArgoCD Application)¶

# apps/myapp.yaml
+# Tells ArgoCD to deploy your app
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: myapp
+  namespace: argocd
+spec:
+  sources:
+  - repoURL: https://github.com/fortedigital/forte-helm
+    path: forteapp
+    helm:
+      valueFiles:
+      - $values/myapp/values.yaml
+
+  - repoURL: git@github.com:fortedigital/helm-values.git
+    ref: values
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: myapp
+
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+    - CreateNamespace=true
+

Deploying Your First Application¶

Scenario: You've Built a New Application¶

Let's deploy a new Node.js application called "hello-world".

Step 1: Prepare Your Application Repository¶

Ensure your app repository has:

Dockerfile +

FROM node:18-alpine
+WORKDIR /app
+COPY package*.json ./
+RUN npm ci --only=production
+COPY . .
+EXPOSE 3000
+CMD ["node", "server.js"]
+

+
GitHub Actions Workflow (.github/workflows/deploy.yml) +
```
 +on + + +jo + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
```
href="#__codelineno-15-1">name: Build and Deploy class="p">: push: branches: [ main ] bs: build: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - name: Set version id: version run: echo "VERSION=v$(date +%Y%m%d-%H%M%S)" >> $GITHUB_OUTPUT - name: Build and push Docker image run: | echo ${{ secrets.GITHUB_TOKEN }} | docker login ghcr.io -u ${{ github.actor }} --password-stdin docker build -t ghcr.io/fortedigital/hello-world:${{ steps.version.outputs.VERSION }} . docker push ghcr.io/fortedigital/hello-world:${{ steps.version.outputs.VERSION }} - name: Update helm-values run: | git clone git@github.com:fortedigital/helm-values.git cd helm-values mkdir -p hello-world cat > hello-world/values.yaml <<EOF app: image: repository: ghcr.io/fortedigital/hello-world tag: ${{ steps.version.outputs.VERSION }} EOF git add hello-world/values.yaml git commit -m "Update hello-world to ${{ steps.version.outputs.VERSION }}" git push
+

Step 2: Create Helm Values¶

Create a folder in helm-values repository:

cd ~/dev/k8s/helm-prod-values
+mkdir -p hello-world
+

Create hello-world/values.yaml: +

app:
+  image:
+    repository: ghcr.io/fortedigital/hello-world
+    tag: v1.0.0                    # Will be updated by CI/CD
+    containerPort: 3000
+
+  replicaCount: 1
+
+  resources:
+    requests:
+      cpu: 100m
+      memory: 128Mi
+    limits:
+      cpu: 500m
+      memory: 512Mi
+
+  extraEnv:
+  - name: PORT
+    value: "3000"
+  - name: NODE_ENV
+    value: "production"
+
+  envSecretName: ""                # Optional: reference to secrets
+
+service:
+  port: 3000
+
+ingress:
+  enabled: true
+  host: hello-world.forteapps.net  # Your subdomain
+
+db:
+  enabled: false                   # Set to true if you need PostgreSQL
+

Commit and push: +

git add hello-world/values.yaml
+git commit -m "Add hello-world application values"
+git push
+

Step 3: Create ArgoCD Application Manifest¶

In the launchpad repository, create apps/hello-world.yaml:

apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: hello-world
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "1"
+    notifications.argoproj.io/subscribe.on-sync-succeeded.slack: ""
+    notifications.argoproj.io/subscribe.on-sync-failed.slack: ""
+    notifications.argoproj.io/subscribe.on-degraded.slack: ""
+  labels:
+    app.kubernetes.io/name: hello-world
+    app.kubernetes.io/part-of: apps
+    app.kubernetes.io/managed-by: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+
+spec:
+  project: default
+
+  sources:
+  # Source 1: Helm chart templates
+  - repoURL: https://github.com/fortedigital/forte-helm
+    path: forteapp
+    targetRevision: HEAD
+    helm:
+      valueFiles:
+      - $values/hello-world/values.yaml
+
+  # Source 2: Helm values
+  - repoURL: git@github.com:fortedigital/helm-values.git
+    targetRevision: HEAD
+    ref: values
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: hello-world
+
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+      allowEmpty: false
+
+    syncOptions:
+    - CreateNamespace=true
+    - Validate=true
+    - ServerSideApply=true
+
+    retry:
+      limit: 5
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m
+
+  ignoreDifferences:
+  - group: apps
+    kind: Deployment
+    jsonPointers:
+    - /spec/replicas
+

Commit and push: +

cd ~/dev/k8s/launchpad
+git add apps/hello-world.yaml
+git commit -m "Add hello-world application"
+git push
+

Step 4: Verify Deployment¶

ArgoCD will automatically detect the new application within 60 seconds.

Option 1: Check Slack +- Watch for sync notifications in your Slack channel +- ✅ "Application hello-world sync succeeded"

Option 2: Check ArgoCD UI (if you have access) +

# Port forward to ArgoCD UI
+kubectl port-forward svc/argocd-server -n argocd 8080:443
+
+# Open browser: https://localhost:8080
+# Look for "hello-world" application
+

Option 3: Check with kubectl (if you have access) +

# List ArgoCD applications
+kubectl get applications -n argocd
+
+# Check application status
+kubectl get application hello-world -n argocd
+
+# Verify pods are running
+kubectl get pods -n hello-world
+

Step 5: Access Your Application¶

Once deployed, access via the configured domain:

# Check if ingress is created
+kubectl get ingressroute -n hello-world
+
+# Access application
+curl https://hello-world.forteapps.net
+

⚠️ Note: DNS must be manually configured for new subdomains. Contact the platform team to add DNS records.

Updating an Existing Application¶

Scenario: Deploying a Code Change¶

You've made changes to your application code and want to deploy them.

Method 1: Automatic (Recommended)¶

Just push to main branch - CI/CD handles everything:

# In your application repository
+git add .
+git commit -m "Fix bug in user login"
+git push origin main
+

What Happens Next: +1. ✅ GitHub Actions triggers +2. ✅ Builds new Docker image +3. ✅ Tags with new version (e.g., v20260316-143022) +4. ✅ Pushes to container registry +5. ✅ Updates helm-values/myapp/values.yaml with new tag +6. ✅ ArgoCD detects change +7. ✅ Syncs new version to cluster +8. ✅ Sends Slack notification

Timeline: ~5-10 minutes from push to deployment

Method 2: Manual Image Tag Update¶

If CI/CD is not set up, manually update the image tag:

cd ~/dev/k8s/helm-prod-values
+
+# Edit your app's values.yaml
+vim myapp/values.yaml
+
+# Change:
+app:
+  image:
+    tag: v1.0.0  # Old version
+# To:
+app:
+  image:
+    tag: v1.0.1  # New version
+
+# Commit and push
+git add myapp/values.yaml
+git commit -m "Update myapp to v1.0.1"
+git push
+

ArgoCD will sync within 60 seconds.

Method 3: Configuration Changes¶

To update environment variables, resources, or other config:

cd ~/dev/k8s/helm-prod-values
+vim myapp/values.yaml
+

Example changes:

app:
+  # Increase resources
+  resources:
+    requests:
+      cpu: 200m      # Was 100m
+      memory: 256Mi  # Was 128Mi
+
+  # Add new environment variable
+  extraEnv:
+  - name: API_URL
+    value: https://api.example.com
+  - name: DEBUG          # NEW
+    value: "true"        # NEW
+
+  # Enable HPA
+  hpa:
+    enabled: true        # Was false
+    minReplicas: 2
+    maxReplicas: 10
+

Commit and push: +

git add myapp/values.yaml
+git commit -m "Increase myapp resources and enable HPA"
+git push
+

Method 4: Application Manifest Changes¶

To change ArgoCD sync behavior, namespace, or other meta-config:

cd ~/dev/k8s/launchpad
+vim apps/myapp.yaml
+

Example changes:

spec:
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: false    # Disable self-healing temporarily
+

Commit and push: +

git add apps/myapp.yaml
+git commit -m "Disable self-healing for myapp"
+git push
+

Working with Secrets¶

Understanding Secret Management¶

NEVER commit plain secrets to Git. We use Sealed Secrets to encrypt secrets before committing.

Creating a New Secret¶

Step 1: Create Plain Secret Locally¶

cd ~/dev/k8s/launchpad
+
+# Create secret in private/ folder (Git-ignored)
+kubectl create secret generic myapp-credentials \
+  --from-literal=API_KEY=your-secret-key-here \
+  --from-literal=DB_PASSWORD=super-secret-password \
+  --dry-run=client -o yaml > private/myapp-credentials.yaml
+

DO NOT commit this file! It's in private/ which is Git-ignored.

Step 2: Seal the Secret¶

Get the public certificate (one-time setup):

# Fetch public cert from cluster
+kubeseal --fetch-cert \
+  --controller-name=sealed-secrets-controller \
+  --controller-namespace=kube-system \
+  > pub-cert.pem
+

Seal your secret:

kubeseal --format=yaml \
+  --cert=pub-cert.pem \
+  < private/myapp-credentials.yaml \
+  > secrets/myapp-credentials-sealed.yaml
+

Step 3: Commit Sealed Secret¶

git add secrets/myapp-credentials-sealed.yaml
+git commit -m "Add myapp credentials (sealed)"
+git push
+

Step 4: Reference Secret in Application¶

Update your helm-values/myapp/values.yaml:

app:
+  envSecretName: "myapp-credentials"  # References the SealedSecret
+

Commit and push: +

cd ~/dev/k8s/helm-prod-values
+git add myapp/values.yaml
+git commit -m "Reference myapp credentials"
+git push
+

Updating a Secret¶

To update an existing secret:

# 1. Create new version of secret
+kubectl create secret generic myapp-credentials \
+  --from-literal=API_KEY=new-key-here \
+  --from-literal=DB_PASSWORD=new-password \
+  --dry-run=client -o yaml > private/myapp-credentials.yaml
+
+# 2. Seal it
+kubeseal --format=yaml \
+  --cert=pub-cert.pem \
+  < private/myapp-credentials.yaml \
+  > secrets/myapp-credentials-sealed.yaml
+
+# 3. Commit sealed version
+git add secrets/myapp-credentials-sealed.yaml
+git commit -m "Update myapp credentials"
+git push
+
+# 4. Restart pods to pick up new secret
+kubectl rollout restart deployment myapp -n myapp
+

Secret Best Practices¶

✅ DO: +- Store secrets in private/ folder locally +- Always seal secrets before committing +- Delete plain secrets after sealing +- Use meaningful secret names +- Document what each secret contains

❌ DON'T: +- Commit plain secrets to Git +- Share secrets via Slack/email +- Hard-code secrets in code +- Use the same secret across multiple environments +- Store secrets in Docker images

Where Secrets Are Stored¶

┌─────────────────────────────────────────────────────────────┐
+│  Location                │  Content           │  Committed?│
+├──────────────────────────┼────────────────────┼────────────┤
+│  private/                │  Plain secrets     │  ❌ NO      │
+│  secrets/                │  Sealed secrets    │  ✅ YES     │
+│  Kubernetes cluster      │  Unsealed secrets  │  N/A       │
+└─────────────────────────────────────────────────────────────┘
+

Sealed Secrets Controller in the cluster decrypts sealed secrets automatically.

Enabling Authentication for Applications¶

The cluster supports automatic authentication sidecar injection for applications via Kyverno policies. This allows you to add authentication to your applications without modifying application code.

How It Works¶

When you enable authentication in your Helm values, the Kyverno policy automatically: +1. ✅ Injects an authentication sidecar container into your pod +2. ✅ Routes all incoming traffic through the auth sidecar (port 8080) +3. ✅ Validates credentials before forwarding requests to your application +4. ✅ Creates necessary secrets (if they don't exist) +5. ✅ Adds a NetworkPolicy to restrict ingress

Architecture: +

Internet → Traefik → Service:8080 → Auth Sidecar:8080 → localhost → Your App:3000
+                                         │
+                                         ├─ Validates credentials
+                                         └─ Forwards if valid
+

Authentication Modes¶

Three authentication modes are supported: +1. Token-based: Static tokens (simple, good for service-to-service or internal apps) +2. OIDC: OpenID Connect (full SSO, good for user-facing apps) +3. MCP: OAuth 2.0 for MCP servers via RFC 9728 / RFC 7591 (good for MCP tool servers requiring OAuth-based access control)

Token-Based Authentication¶

Step 1: Configure Helm Values¶

# In helm-values/myapp/values.yaml
+auth:
+  enabled: true
+  type: token                    # Token mode (default)
+  tokens:
+  - d4f88f6d9292c10cc3e21c4aad56d2be485db532b54fe961d738e1137d247823
+  - 8803f621acc3898df1d7a8f514bc3602551a0681a8f747bd4e43c3c5849d57a7
+

Step 2: Generate Token (if needed)¶

# Generate a secure random token
+openssl rand -hex 32
+
+# Or using Python
+python3 -c "import secrets; print(secrets.token_hex(32))"
+
+# Example output:
+# d4f88f6d9292c10cc3e21c4aad56d2be485db532b54fe961d738e1137d247823
+

Step 3: Deploy Application¶

Commit and push your changes: +

cd ~/dev/k8s/helm-prod-values
+git add myapp/values.yaml
+git commit -m "Enable token auth for myapp"
+git push
+

ArgoCD will sync, and the Kyverno policy will: +- Inject the auth sidecar container +- Create an auth-tokens Secret with your tokens +- Configure the sidecar to validate against these tokens

Step 4: Access Application¶

Use your token in the Authorization header:

# Access application with token
+curl -H "Authorization: Bearer d4f88f6d9292c10cc3e21c4aad56d2be485db532b54fe961d738e1137d247823" \
+  https://myapp.forteapps.net/api/data
+
+# Without token (will be rejected)
+curl https://myapp.forteapps.net/api/data
+# Response: 401 Unauthorized
+

Advanced: Custom Secret Name¶

To use a different secret for tokens:

# In Helm values
+auth:
+  enabled: true
+  type: token
+  tokens: []                     # Empty - using external secret
+
+# Tokens will be read from custom secret
+

Then reference it via annotation (configured by Helm chart automatically): +

# Helm chart sets this annotation:
+policies.forteapps.io/auth-token-secret-name: "myapp-auth-tokens"
+

Create the secret manually: +

kubectl create secret generic myapp-auth-tokens \
+  --from-file=tokens=tokens.txt \
+  --namespace=myapp
+

OIDC Authentication¶

OIDC mode integrates with identity providers like Keycloak, Okta, Auth0, Azure AD, etc.

Step 1: Configure Identity Provider¶

In your identity provider (e.g., Keycloak): +1. Create a new client (e.g., myapp) +2. Set redirect URI: https://myapp.forteapps.net/auth/callback +3. Note the Client ID and Client Secret +4. Note the Authority URL (e.g., https://keycloak.forteapps.net/realms/master)

Step 2: Create OIDC Secret¶

# Create plain secret
+kubectl create secret generic auth-oidc \
+  --from-literal=client-secret=your-oidc-client-secret \
+  --from-literal=cookie-secret=$(openssl rand -hex 32) \
+  --namespace=myapp \
+  --dry-run=client -o yaml > private/myapp-auth-oidc.yaml
+
+# Seal it
+kubeseal --format=yaml \
+  --cert=pub-cert.pem \
+  --namespace=myapp \
+  < private/myapp-auth-oidc.yaml \
+  > secrets/myapp-auth-oidc-sealed.yaml
+
+# Commit sealed secret
+cd ~/dev/k8s/launchpad
+git add secrets/myapp-auth-oidc-sealed.yaml
+git commit -m "Add OIDC secrets for myapp"
+git push
+
+# Clean up
+rm private/myapp-auth-oidc.yaml
+

Step 3: Configure Helm Values¶

# In helm-values/myapp/values.yaml
+auth:
+  enabled: true
+  type: oidc                     # OIDC mode
+  oidc:
+    authority: https://keycloak.forteapps.net/realms/master
+    clientId: myapp
+    scopes: "openid,profile,email"
+    callbackPath: /auth/callback
+

Step 4: Deploy Application¶

cd ~/dev/k8s/helm-prod-values
+git add myapp/values.yaml
+git commit -m "Enable OIDC auth for myapp"
+git push
+

Step 5: Access Application¶

When users access https://myapp.forteapps.net: +1. They're redirected to the identity provider login page +2. After successful login, redirected back to /auth/callback +3. Session cookie is set +4. Subsequent requests are authenticated via cookie

User flow: +

User → https://myapp.forteapps.net
+  ↓
+Redirect → https://keycloak.forteapps.net/login
+  ↓
+Login successful → Redirect with auth code
+  ↓
+https://myapp.forteapps.net/auth/callback?code=xyz
+  ↓
+Auth sidecar exchanges code for tokens
+  ↓
+Sets session cookie
+  ↓
+Redirects to application → https://myapp.forteapps.net
+  ↓
+User sees application (authenticated)
+

Authentication Configuration Reference¶

Helm Values Schema¶

auth:
+  enabled: false                 # Enable/disable authentication
+  type: token                    # "token", "oidc", or "mcp"
+
+  # Token mode configuration
+  tokens: []                     # List of valid bearer tokens
+  # - token1
+  # - token2
+
+  # OIDC mode configuration
+  oidc:
+    authority: ""                # OIDC provider URL (required for OIDC)
+    clientId: ""                 # OIDC client ID (required for OIDC)
+    scopes: "openid,profile,email"  # OIDC scopes (optional)
+    callbackPath: /auth/callback    # OAuth callback path (optional)
+
+  # MCP mode configuration (RFC 9728 / RFC 7591)
+  mcp:
+    resource: ""                 # Protected resource URL (required for MCP)
+    authority: ""                # Authorization server URL (required for MCP)
+    scopes: "read,write"         # Supported scopes (optional)
+

Annotations Set by Helm Chart¶

When auth.enabled: true, the Helm chart sets these pod annotations:

Token mode: +

policies.forteapps.io/auth: "true"
+policies.forteapps.io/auth-type: "token"
+policies.forteapps.io/auth-token-secret-name: "auth-tokens"
+policies.forteapps.io/auth-upstream-url: "http://localhost:3000"
+

OIDC mode: +

policies.forteapps.io/auth: "true"
+policies.forteapps.io/auth-type: "oidc"
+policies.forteapps.io/auth-oidc-authority: "https://keycloak.forteapps.net/realms/master"
+policies.forteapps.io/auth-oidc-client-id: "myapp"
+policies.forteapps.io/auth-oidc-scopes: "openid,profile,email"
+policies.forteapps.io/auth-oidc-callback-path: "/auth/callback"
+policies.forteapps.io/auth-upstream-url: "http://localhost:3000"
+

MCP mode (OAuth 2.0 for MCP servers): +

policies.forteapps.io/auth: "true"
+policies.forteapps.io/auth-type: "mcp"
+policies.forteapps.io/auth-mcp-resource: "https://mcp.forteapps.net"
+policies.forteapps.io/auth-mcp-authority: "https://keycloak.forteapps.net/realms/master"
+policies.forteapps.io/auth-mcp-scopes: "read,write"
+policies.forteapps.io/auth-upstream-url: "http://localhost:3000"
+

Sidecar Configuration¶

The auth sidecar container: +- Image: ghcr.io/fortedigital/auth-sidecar:latest +- Port: 8080 +- Resources: 10m CPU / 32Mi memory (requests), 50m CPU / 64Mi memory (limits) +- Health checks: /healthz endpoint +- Security: Read-only root filesystem, no privilege escalation

Advanced: Custom Sidecar Image¶

To use a different auth sidecar image:

# These annotations can be set in the Helm chart template if needed
+policies.forteapps.io/auth-image: "your-registry/your-auth-proxy"
+policies.forteapps.io/auth-image-version: "v1.2.3"
+

Authentication Examples¶

Example 1: Internal API with Token Auth¶

# helm-values/internal-api/values.yaml
+app:
+  image:
+    repository: ghcr.io/company/internal-api
+    tag: v1.0.0
+
+auth:
+  enabled: true
+  type: token
+  tokens:
+  - d4f88f6d9292c10cc3e21c4aad56d2be485db532b54fe961d738e1137d247823  # Service A
+  - 8803f621acc3898df1d7a8f514bc3602551a0681a8f747bd4e43c3c5849d57a7  # Service B
+
+ingress:
+  enabled: true
+  host: internal-api.forteapps.net
+

Usage: +

# Service A calls API
+curl -H "Authorization: Bearer d4f88f..." \
+  https://internal-api.forteapps.net/api/endpoint
+

Example 2: User-Facing App with OIDC¶

# helm-values/web-app/values.yaml
+app:
+  image:
+    repository: ghcr.io/company/web-app
+    tag: v2.1.0
+
+auth:
+  enabled: true
+  type: oidc
+  oidc:
+    authority: https://auth.company.com/realms/employees
+    clientId: web-app-prod
+    scopes: "openid,profile,email,groups"
+    callbackPath: /auth/callback
+
+ingress:
+  enabled: true
+  host: web-app.forteapps.net
+

With sealed OIDC secret: +

# Create and seal secret
+kubectl create secret generic auth-oidc \
+  --from-literal=client-secret=super-secret-value \
+  --from-literal=cookie-secret=$(openssl rand -hex 32) \
+  --namespace=web-app \
+  --dry-run=client -o yaml | \
+  kubeseal --format=yaml --cert=pub-cert.pem --namespace=web-app \
+  > secrets/web-app-auth-oidc-sealed.yaml
+

Example 3: MCP Server with OAuth 2.0¶

# helm-values/mcp-server/values.yaml
+app:
+  image:
+    repository: ghcr.io/company/mcp-server
+    tag: v1.0.0
+
+auth:
+  enabled: true
+  type: mcp
+  mcp:
+    resource: https://mcp-server.forteapps.net
+    authority: https://auth.company.com/realms/mcp
+    scopes: "read,write,admin"
+
+ingress:
+  enabled: true
+  host: mcp-server.forteapps.net
+

The MCP auth mode implements RFC 9728 (OAuth 2.0 Protected Resource Metadata) for authorization server discovery and RFC 7591 (OAuth 2.0 Dynamic Client Registration) for automatic client registration. MCP clients discover the authorization server and scopes from the /.well-known/oauth-protected-resource endpoint served by the sidecar.

Example 4: Disabling Authentication¶

# helm-values/public-api/values.yaml
+auth:
+  enabled: false                 # No authentication
+
+ingress:
+  enabled: true
+  host: public-api.forteapps.net
+

Troubleshooting Authentication¶

Issue: 401 Unauthorized (Token Mode)¶

Check token validity: +

# Get auth-tokens secret
+kubectl get secret auth-tokens -n myapp -o yaml
+
+# Decode tokens
+kubectl get secret auth-tokens -n myapp \
+  -o jsonpath='{.data.tokens}' | base64 -d
+
+# Verify your token is in the list
+

Test with different token: +

curl -v -H "Authorization: Bearer YOUR-TOKEN-HERE" \
+  https://myapp.forteapps.net/
+

+ +

Check OIDC configuration: +

# Verify auth-oidc secret exists
+kubectl get secret auth-oidc -n myapp
+
+# Check sidecar logs
+kubectl logs -n myapp <pod-name> -c authn
+
+# Common issues:
+# - Wrong authority URL
+# - Wrong client ID
+# - Missing client-secret in auth-oidc Secret
+# - Redirect URI not configured in identity provider
+

Verify redirect URI in your identity provider matches: +

https://<your-app-domain>/auth/callback
+

Issue: Auth Sidecar Not Injected¶

Check pod annotations: +

kubectl get pod -n myapp <pod-name> -o yaml | grep policies.forteapps.io
+
+# Should show:
+# policies.forteapps.io/auth: "true"
+

Check Kyverno policy: +

kubectl get clusterpolicy inject-auth-sidecar
+kubectl describe clusterpolicy inject-auth-sidecar
+

Check Kyverno logs: +

kubectl logs -n kyverno deployment/kyverno | grep inject-auth
+

Issue: Auth Sidecar Crashes¶

Check sidecar logs: +

kubectl logs -n myapp <pod-name> -c authn
+

Common causes: +- Missing secret (auth-tokens or auth-oidc) +- Invalid OIDC configuration +- Can't reach OIDC authority URL +- Network policy blocking outbound OIDC requests

Authentication Best Practices¶

✅ DO: +- Use OIDC for user-facing applications +- Use token auth for service-to-service communication +- Rotate tokens and secrets regularly +- Use strong random tokens (32+ bytes) +- Store client secrets in SealedSecrets +- Test authentication before deploying to production +- Document which tokens/users have access

❌ DON'T: +- Share tokens between environments +- Commit tokens to application code +- Use predictable tokens +- Reuse tokens across multiple applications +- Disable authentication on sensitive APIs +- Log tokens or secrets

Adding a New Keycloak Client¶

There are two ways to add an OIDC client, depending on your use case:

+ + + + + + + + + + + + + + + + + + + + +

Method	Best for	Who edits the infra repo?
Self-service (recommended)	New apps that deploy their own resources	App developer — no infra changes needed
Legacy (realm JSON)	Existing clients already defined in forte-realm.json (e.g., Gitea)	Platform engineer

Both methods are served by the Keycloak Client Registrar CronJob, which runs every 2 minutes.

Self-Service OIDC Client Registration¶

This is the recommended flow for new applications. Your app deploys a labeled config Secret in its own namespace; the platform handles everything else.

How It Works¶

You deploy a Secret with label keycloak.forteapps.net/client-config: "true" containing a client.json definition
A Kyverno ClusterPolicy (keycloak-client-config-cloner) clones it to the keycloak namespace
The Client Registrar CronJob picks it up within 2 minutes:
Registers (or updates) the client in Keycloak
Fetches the auto-generated client secret
Creates a credential Secret in your app's namespace
Annotates the config Secret with sync status

Step 1: Create the Config Secret¶

Deploy this Secret in your application's namespace (e.g., as part of your Helm chart or Kustomize overlay):

apiVersion: v1
+kind: Secret
+metadata:
+  name: keycloak-client-myapp
+  namespace: myapp
+  labels:
+    keycloak.forteapps.net/client-config: "true"
+stringData:
+  client.json: |
+    {
+      "clientId": "myapp",
+      "name": "My Application",
+      "redirectUris": ["https://myapp.forteapps.net/*"],
+      "webOrigins": ["https://myapp.forteapps.net"],
+      "defaultClientScopes": ["openid", "email", "profile"],
+      "protocolMappers": [],
+      "secret": {
+        "namespace": "myapp",
+        "name": "myapp-oidc-credentials",
+        "keys": { "clientId": "client-id", "clientSecret": "client-secret" }
+      }
+    }
+

client.json fields:

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Field	Required	Description
`clientId`	Yes	Keycloak client ID
`name`	Yes	Display name in Keycloak
`redirectUris`	Yes	Allowed redirect URIs
`webOrigins`	Yes	Allowed web origins (CORS)
`defaultClientScopes`	No	Scopes (default: `["openid", "email", "profile"]`)
`protocolMappers`	No	Custom claim mappers (default: `[]`)
`secret.namespace`	No	Namespace for the credential Secret (default: source namespace)
`secret.name`	No	Name of the credential Secret (default: `<clientId>-oidc-credentials`)
`secret.keys.clientId`	No	Key name for client ID in credential Secret (default: `client-id`)
`secret.keys.clientSecret`	No	Key name for client secret in credential Secret (default: `client-secret`)

Step 2: Reference the Credential Secret¶

In your application's deployment config, reference the credential Secret that the registrar creates:

env:
+- name: OIDC_CLIENT_ID
+  valueFrom:
+    secretKeyRef:
+      name: myapp-oidc-credentials
+      key: client-id
+- name: OIDC_CLIENT_SECRET
+  valueFrom:
+    secretKeyRef:
+      name: myapp-oidc-credentials
+      key: client-secret
+

Step 3: Deploy and Wait¶

Commit and push your changes. The credential Secret will appear within 2 minutes:

# Watch for the credential Secret to be created
+kubectl get secret myapp-oidc-credentials -n myapp -w
+
+# Check registrar logs
+kubectl logs -n keycloak job/$(kubectl get jobs -n keycloak --sort-by=.metadata.creationTimestamp -o jsonpath='{.items[-1].metadata.name}')
+
+# Check sync status on the config Secret
+kubectl get secret keycloak-client-myapp -n keycloak -o jsonpath='{.metadata.annotations}'
+

Change Detection¶

The registrar computes a SHA-256 hash of client.json and stores it as an annotation. On subsequent runs, it skips processing if: +- The hash hasn't changed, AND +- The credential Secret already exists in the target namespace

To force a re-sync, update any field in client.json (e.g., add a trailing space to name).

Legacy Method: Realm JSON¶

Existing clients (like Gitea) are defined directly in forte-realm.json inside keycloak-values.yaml. The registrar syncs their secrets via client attributes.

Step 1: Add Client to Realm Config¶

In infra/values/base/keycloak-values.yaml, add a new entry to the clients array in forte-realm.json:

{
+  "clientId": "myapp",
+  "name": "My Application",
+  "enabled": true,
+  "protocol": "openid-connect",
+  "clientAuthenticatorType": "client-secret",
+  "standardFlowEnabled": true,
+  "directAccessGrantsEnabled": false,
+  "publicClient": false,
+  "redirectUris": ["https://myapp.forteapps.net/*"],
+  "webOrigins": ["https://myapp.forteapps.net"],
+  "defaultClientScopes": ["openid", "email", "profile"],
+  "attributes": {
+    "k8s.secret.sync": "true",
+    "k8s.secret.namespace": "myapp",
+    "k8s.secret.name": "myapp-oidc-credentials",
+    "k8s.secret.client-id-key": "key",
+    "k8s.secret.client-secret-key": "secret"
+  }
+}
+

Important: +- Do NOT include a "secret" field — Keycloak generates one automatically +- The attributes block tells the registrar where to create the K8s Secret +- Set client-id-key / client-secret-key to match what the consuming app expects (defaults: client-id / client-secret)

Step 2: Reference the Secret in Your Application¶

existingSecret: myapp-oidc-credentials
+

Step 3: Commit and Push¶

cd ~/dev/k8s/launchpad
+git add infra/values/base/keycloak-values.yaml
+git commit -m "Add myapp Keycloak client with auto-sync"
+git push
+

ArgoCD will sync the Keycloak config, and the registrar CronJob will pick up the new client within 2 minutes.

Legacy Sync Attribute Reference¶

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Attribute	Required	Default	Description
`k8s.secret.sync`	Yes	—	Set to `"true"` to enable syncing
`k8s.secret.namespace`	Yes	—	Target K8s namespace for the secret
`k8s.secret.name`	Yes	—	Name of the K8s Secret to create
`k8s.secret.client-id-key`	No	`client-id`	Field name for the client ID in the K8s Secret
`k8s.secret.client-secret-key`	No	`client-secret`	Field name for the client secret in the K8s Secret

Retrieving Secrets for External Deployments¶

The registrar always writes a central copy of every synced secret to the secrets namespace, in addition to the target namespace. This allows operators to retrieve client credentials for applications deployed outside this cluster:

# View the central copy
+kubectl get secret gitea-oidc-credentials -n secrets -o yaml
+
+# Extract the client secret for use elsewhere
+kubectl get secret myapp-oidc-credentials -n secrets \
+  -o jsonpath='{.data.client-secret}' | base64 -d
+

Registrar Behavior Notes¶

The registrar runs as a CronJob every 2 minutes (concurrencyPolicy: Forbid)
If the target namespace doesn't exist, the target write is skipped with a warning (the central copy still happens)
A central copy is always written to the secrets namespace for every synced client
The registrar uses the keycloak-credentials secret for admin authentication
Created secrets have the label app.kubernetes.io/managed-by: keycloak-client-registrar

Troubleshooting¶

Application Not Deploying¶

Problem: Application stuck in "Syncing" state¶

Check ArgoCD status: +

kubectl get application myapp -n argocd -o yaml
+

Look for errors in status.conditions.

Common causes: +- ❌ Image doesn't exist or is not accessible +- ❌ Invalid YAML syntax +- ❌ Resource quota exceeded +- ❌ Namespace conflicts +- ❌ Invalid Helm values

Solutions: +

# Check image exists
+docker pull ghcr.io/fortedigital/myapp:v1.0.0
+
+# Validate YAML syntax
+kubectl apply --dry-run=client -f apps/myapp.yaml
+
+# Check ArgoCD logs
+kubectl logs -n argocd deployment/argocd-application-controller | grep myapp
+

Problem: Pods crashing (CrashLoopBackOff)¶

Check pod logs: +

kubectl get pods -n myapp
+kubectl logs -n myapp <pod-name>
+kubectl describe pod -n myapp <pod-name>
+

Common causes: +- ❌ Application error (check logs) +- ❌ Missing environment variables +- ❌ Incorrect port configuration +- ❌ Missing secrets +- ❌ Insufficient resources

Solutions: +

# Check environment variables
+kubectl exec -n myapp <pod-name> -- env
+
+# Check if secrets exist
+kubectl get secrets -n myapp
+
+# Increase resources in helm-values
+vim ~/dev/k8s/helm-prod-values/myapp/values.yaml
+

Problem: Application not accessible via domain¶

Check ingress: +

kubectl get ingressroute -n myapp
+kubectl describe ingressroute myapp -n myapp
+

Common causes: +- ❌ DNS not configured +- ❌ TLS certificate not issued +- ❌ Incorrect domain in values.yaml +- ❌ Traefik not routing correctly

Solutions: +

# Check certificate
+kubectl get certificate -n myapp
+
+# Check cert-manager logs
+kubectl logs -n cert-manager deployment/cert-manager
+
+# Verify domain configuration
+cat ~/dev/k8s/helm-prod-values/myapp/values.yaml | grep host
+
+# Test with port-forward
+kubectl port-forward -n myapp service/myapp 8080:3000
+curl http://localhost:8080
+

Secret Issues¶

Problem: Secret not found¶

Check if SealedSecret exists: +

kubectl get sealedsecret -n myapp
+kubectl get secret -n myapp
+

Solutions: +

# Check if secret is in Git
+ls -l secrets/myapp-credentials-sealed.yaml
+
+# Re-apply sealed secret
+kubectl apply -f secrets/myapp-credentials-sealed.yaml
+
+# Check sealed-secrets-controller logs
+kubectl logs -n kube-system deployment/sealed-secrets-controller
+

Problem: Secret exists but pods can't access it¶

Check pod events: +

kubectl describe pod -n myapp <pod-name>
+

Look for: Error: secret "myapp-credentials" not found

Solutions: +

# Verify secret name in values.yaml matches actual secret
+cat ~/dev/k8s/helm-prod-values/myapp/values.yaml | grep envSecretName
+kubectl get secrets -n myapp
+
+# Restart pods
+kubectl rollout restart deployment myapp -n myapp
+

Sync Failures¶

Problem: ArgoCD shows "Out of Sync"¶

Manual sync: +

# Using kubectl
+kubectl patch application myapp -n argocd --type merge -p '{"operation":{"initiatedBy":{"username":"admin"},"sync":{"syncStrategy":{"hook":{}}}}}'
+
+# Or via ArgoCD UI
+# Click "Sync" button in UI
+

Check what's different: +

kubectl get application myapp -n argocd -o yaml
+

Look at status.sync.comparedTo vs desired state.

Problem: Sync succeeds but application is "Degraded"¶

Check resource health: +

kubectl get application myapp -n argocd -o jsonpath='{.status.resources[*].health}'
+

Common causes: +- ❌ Pods not ready +- ❌ Deployments not at desired replica count +- ❌ Jobs failed

Solutions: +

# Check all resources in namespace
+kubectl get all -n myapp
+
+# Check pod events
+kubectl get events -n myapp --sort-by='.lastTimestamp'
+

Getting Help¶

If you're stuck:

Check Slack notifications - Error details are often in sync failure messages
Check ArgoCD UI - Visual representation of what's wrong
Ask platform team - They have full cluster access and can debug further
Check documentation - Operations Runbook has more troubleshooting

Documentation¶

This repository's documentation is built with MkDocs using the Material theme and published automatically to Gitea Pages.

Viewing the Docs¶

The live documentation site is available at:

https://git.forteapps.net/Forte/launchpad/pages/

Editing Documentation¶

All documentation source files live in the docs/ directory as Markdown. To make changes:

Edit the relevant .md file in docs/
Commit and push to main
The Gitea Actions workflow automatically rebuilds and deploys the site

Local Preview¶

To preview documentation changes locally before pushing:

# Install dependencies (one-time)
+pip install mkdocs mkdocs-material
+
+# Start the local dev server
+mkdocs serve
+

Then open http://127.0.0.1:8000 in your browser. The server live-reloads on file changes.

How It Works¶

Workflow: .gitea/workflows/docs.yaml triggers on pushes to main that change docs/**, mkdocs.yml, Dockerfile.docs, or nginx.conf
Build: Installs MkDocs + Material theme, runs mkdocs build
Deploy: Force-pushes the built site/ directory to the gitea-pages branch
Serve: Gitea Pages serves the static site from the gitea-pages branch

Best Practices¶

Development Workflow¶

✅ DO: +- Develop and test locally with Docker Compose +- Use semantic versioning for releases +- Write descriptive commit messages +- Test changes in a separate namespace first (if possible) +- Monitor Slack for deployment notifications +- Document environment variables and configuration

❌ DON'T: +- Push directly to production without testing +- Use latest tag for Docker images +- Bypass CI/CD for "quick fixes" +- Hard-code configuration values +- Ignore deployment failures

Configuration Management¶

✅ DO: +- Keep configuration in helm-values repository +- Use environment variables for config +- Document what each value does +- Use reasonable resource limits +- Enable ingress and TLS for public services

❌ DON'T: +- Hard-code config in application code +- Over-allocate resources (wastes money) +- Under-allocate resources (causes crashes) +- Use HTTP for production services

Secret Management¶

✅ DO: +- Use kubeseal for all secrets +- Store plain secrets in password manager +- Rotate secrets regularly +- Use different secrets per environment +- Document what each secret contains

❌ DON'T: +- Commit plain secrets +- Share secrets in Slack/email +- Reuse secrets across apps +- Log secrets in application code

Git Workflow¶

✅ DO: +- Use feature branches for changes +- Write clear commit messages +- Use pull requests for review +- Keep commits atomic and focused +- Tag releases in application repos

❌ DON'T: +- Push directly to main without review (for config repos) +- Make multiple unrelated changes in one commit +- Use vague commit messages ("fix", "update") +- Force-push to main branches

Quick Reference¶

Common Commands¶

# Check application status
+kubectl get application myapp -n argocd
+
+# View application details
+kubectl describe application myapp -n argocd
+
+# Check pods
+kubectl get pods -n myapp
+
+# View pod logs
+kubectl logs -n myapp <pod-name>
+
+# Restart deployment
+kubectl rollout restart deployment myapp -n myapp
+
+# Port-forward to service
+kubectl port-forward -n myapp service/myapp 8080:3000
+
+# Create secret
+kubectl create secret generic myapp-credentials \
+  --from-literal=KEY=value \
+  --dry-run=client -o yaml > private/myapp-credentials.yaml
+
+# Seal secret
+kubeseal --format=yaml \
+  --cert=pub-cert.pem \
+  < private/myapp-credentials.yaml \
+  > secrets/myapp-credentials-sealed.yaml
+

Repository Locations¶

# Config repository
+cd ~/dev/k8s/launchpad
+
+# Helm values repository
+cd ~/dev/k8s/helm-prod-values
+
+# Helm charts repository
+cd ~/dev/k8s/forte-helm
+

File Paths¶

# New application manifest
+~/dev/k8s/launchpad/apps/myapp.yaml
+
+# Application values
+~/dev/k8s/helm-prod-values/myapp/values.yaml
+
+# Sealed secrets
+~/dev/k8s/launchpad/secrets/myapp-credentials-sealed.yaml
+
+# Plain secrets (local only)
+~/dev/k8s/launchpad/private/myapp-credentials.yaml
+

Next Steps¶

Now that you understand the basics:

✅ Deploy your first application (follow steps above)
📖 Read the Operations Runbook for common tasks
📖 Review Technical Reference for detailed component docs
📖 Understand GitOps Architecture for the big picture
🚀 Start contributing!

Questions? +- Slack: #platform-support +- Docs: Full documentation index +- Help: Contact platform team

Last Updated: 2026-04-16

+ + + + + + + + + + + + + +

+ + + +

+ + + + + + + + + + + + + \ No newline at end of file diff --git a/GITOPS-ARCHITECTURE/index.html b/GITOPS-ARCHITECTURE/index.html new file mode 100644 index 0000000..496f881 --- /dev/null +++ b/GITOPS-ARCHITECTURE/index.html @@ -0,0 +1,1969 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + GitOps Architecture - K8s Launchpad + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

+ + + + Skip to content + + +

+ +

+ + + + + + +

+ + + + + + + + + + +

+ + K8s Launchpad + +

+ + + GitOps Architecture + + +

+ + + + + + + + + + + + + + + + + + + + +

+ +

+ + +

+ Forte/launchpad +

+ +

+ + + + + + +

+ + + + + + + + + + + +

+ +

+ + + + + +

GitOps Architecture & Repository Guide¶

Table of Contents¶

Overview
Architecture Diagram
Repository Structure
GitOps Workflow
CI/CD Pipeline
Security Model

Overview¶

This Kubernetes cluster uses a GitOps approach powered by ArgoCD, where Git repositories serve as the single source of truth for both infrastructure and application deployments. The cluster is running on UpCloud Managed Kubernetes but is designed to be cloud-agnostic.

Key Characteristics¶

Environment: Production (internal use only)
Cluster Type: Multi-cluster (upc-dev, upc-prod) via Kustomize overlays
GitOps Tool: ArgoCD
Deployment Pattern: App-of-Apps
Secret Management: Sealed Secrets (kubeseal)
Ingress: Traefik with Let's Encrypt TLS
Monitoring: Prometheus + Grafana + Loki + Tempo + Fluent-Bit
Policy Engine: Kyverno
Notifications: Slack integration for sync status

Architecture Diagram¶

┌─────────────────────────────────────────────────────────────────────────┐
+│                          Developer Workflow                              │
+└─────────────────────────────────────────────────────────────────────────┘
+                                    │
+                                    ▼
+┌─────────────────────┐      ┌──────────────────┐      ┌─────────────────┐
+│  Application Code   │      │   Helm Charts    │      │   Helm Values   │
+│  Repositories       │──────│   Repository     │──────│   Repository    │
+│  (Source Code)      │      │   (Templates)    │      │  (Config/Env)   │
+└─────────────────────┘      └──────────────────┘      └─────────────────┘
+         │                            │                          │
+         │                            │                          │
+    GitHub Actions                    │                          │
+    Build & Push Image                │                          │
+         │                            │                          │
+         │                            │                          │
+         └────────► Update image tag ─┴──────────────────────────┘
+                    in helm-values                               │
+                                                                 │
+                                                                 ▼
+                                           ┌────────────────────────────────┐
+                                           │   Config Repository            │
+                                           │   (ArgoCD Applications)        │
+                                           │   git.forteapps.net/Forte/     │
+                                           │   launchpad                    │
+                                           └────────────────────────────────┘
+                                                        │
+                                                        │
+                                         ArgoCD monitors & syncs
+                                                        │
+                                                        ▼
+                                           ┌────────────────────────────────┐
+                                           │   Kubernetes Clusters          │
+                                           │   (UpCloud: upc-dev, upc-prod) │
+                                           │                                │
+                                           │  ┌──────────────────────────┐  │
+                                           │  │    ArgoCD                │  │
+                                           │  │    (GitOps Controller)   │  │
+                                           │  └──────────────────────────┘  │
+                                           │                                │
+                                           │  ┌──────────────────────────┐  │
+                                           │  │  Infrastructure Layer    │  │
+                                           │  │  - Traefik (Ingress)     │  │
+                                           │  │  - Cert-Manager (TLS)    │  │
+                                           │  │  - Kyverno (Policies)    │  │
+                                           │  │  - Sealed Secrets        │  │
+                                           │  └──────────────────────────┘  │
+                                           │                                │
+                                           │  ┌──────────────────────────┐  │
+                                           │  │  Monitoring Stack        │  │
+                                           │  │  - Prometheus            │  │
+                                           │  │  - Grafana               │  │
+                                           │  │  - Loki                  │  │
+                                           │  │  - Tempo                 │  │
+                                           │  │  - Fluent-Bit            │  │
+                                           │  └──────────────────────────┘  │
+                                           │                                │
+                                           │  ┌──────────────────────────┐  │
+                                           │  │  Application Layer       │  │
+                                           │  │  - mcp10x                │  │
+                                           │  │  - musicman              │  │
+                                           │  │  - dot-ai-stack          │  │
+                                           │  │  - argo-mcp              │  │
+                                           │  └──────────────────────────┘  │
+                                           └────────────────────────────────┘
+                                                        │
+                                                        │
+                                                        ▼
+                                              ┌──────────────────┐
+                                              │  Slack Channel   │
+                                              │  (Notifications) │
+                                              └──────────────────┘
+

Repository Structure¶

1. Config Repository (Current Repo)¶

Repository: https://git.forteapps.net/Forte/launchpad +Purpose: GitOps configuration - ArgoCD Applications and cluster resources +Location: C:\dev\k8s\launchpad

launchpad/
+├── bootstrap.sh                      # Cluster initialization script
+├── _app-of-apps-upc-dev.yaml        # Root ArgoCD Application (upc-dev cluster)
+├── _app-of-apps-upc-prod.yaml       # Root ArgoCD Application (upc-prod cluster)
+│
+├── infra/                            # Infrastructure ArgoCD Applications (Kustomize)
+│   ├── base/                         # Base Application manifests (upc-dev defaults)
+│   │   ├── kustomization.yaml
+│   │   ├── traefik-application.yaml
+│   │   ├── keycloak.yaml
+│   │   ├── grafana.yaml
+│   │   ├── gitea.yaml
+│   │   ├── gitea-actions.yaml
+│   │   ├── tempo.yaml
+│   │   ├── renovate.yaml
+│   │   ├── ...                       # All other Application manifests
+│   │   └── secrets.yaml
+│   ├── overlays/                     # Per-cluster overrides
+│   │   ├── upc-dev/                  # UpCloud Dev (uses base as-is)
+│   │   └── upc-prod/                # UpCloud Prod (patches value paths)
+│   ├── dashboards/                   # Grafana dashboard ConfigMaps
+│   └── values/                       # Helm value overrides for infra
+│       ├── base/                     # Shared values (all clusters)
+│       │   ├── traefik-values.yaml
+│       │   ├── keycloak-values.yaml
+│       │   ├── grafana-values.yaml
+│       │   ├── prometheus-values.yaml
+│       │   ├── gitea-values.yaml
+│       │   └── ...
+│       ├── upc-dev/                  # upc-dev cluster-specific values
+│       │   ├── traefik-values.yaml
+│       │   ├── keycloak-values.yaml
+│       │   └── grafana-values.yaml
+│       └── upc-prod/                # upc-prod cluster-specific values
+│           ├── traefik-values.yaml
+│           ├── keycloak-values.yaml
+│           └── grafana-values.yaml
+│
+├── apps/                             # Business Application ArgoCD manifests (Kustomize)
+│   ├── base/                         # Base app manifests
+│   │   ├── kustomization.yaml
+│   │   ├── dot-ai-stack.yaml
+│   │   └── ...
+│   └── overlays/
+│       ├── upc-dev/                  # Uses base as-is
+│       └── upc-prod/                # Patches value paths
+│
+├── cluster-resources/                # Cluster-wide Kubernetes resources
+│   ├── ...
+│   └── policies/                     # Kyverno policies
+│
+├── secrets/                          # Application secrets (sealed, per-cluster)
+│   └── upc-dev/                      # Secrets for upc-dev cluster
+│
+├── private/                          # Local-only files (NOT in Git)
+│
+└── docs/                             # Documentation
+

Key Points: +- _app-of-apps-upc-dev.yaml and _app-of-apps-upc-prod.yaml are the per-cluster root Applications +- Kustomize overlays in infra/overlays/ render base Applications with per-cluster patches +- Helm values are split: values/base/ (shared) + values/upc-dev/ or values/upc-prod/ (cluster-specific) +- apps/ follows the same base/overlays pattern for business applications +- Changes pushed to this repo trigger automatic syncs in ArgoCD +- private/ folder contains local-only files (Git-ignored)

2. Helm Charts Repository¶

Repository: https://github.com/fortedigital/forte-helm +Purpose: Reusable Helm chart templates for Forte applications +Location: C:\dev\k8s\forte-helm

forte-helm/
+└── forteapp/                         # Generic Forte application chart
+    ├── Chart.yaml                    # Chart metadata (v0.1.0)
+    ├── values.yaml                   # Default values (base template)
+    ├── templates/
+    │   ├── _helpers.tpl              # Template helpers
+    │   ├── namespace.yaml
+    │   ├── deployment.yaml           # Main app deployment
+    │   ├── service.yaml
+    │   ├── ingressroute.yaml         # Traefik IngressRoute
+    │   ├── certificate.yaml          # Cert-Manager Certificate
+    │   ├── configmap.yaml
+    │   ├── secret-auth-tokens.yaml
+    │   ├── hpa.yaml                  # Horizontal Pod Autoscaler
+    │   ├── database-statefulset.yaml # Optional PostgreSQL DB
+    │   └── database-service.yaml
+    └── README.md
+

Key Points: +- Single generic chart (forteapp) used by all Forte applications +- Supports optional PostgreSQL database (StatefulSet) +- Configurable authentication (token-based or OIDC) +- Traefik IngressRoute with automatic TLS via Cert-Manager +- Designed for microservices with similar patterns

3. Helm Values Repository¶

Repository: git@github.com:fortedigital/helm-values.git +Purpose: Environment-specific configuration for each application +Location: C:\dev\k8s\helm-prod-values

helm-prod-values/
+├── mcp10x/
+│   └── values.yaml                   # MCP 10X configuration
+├── musicman/
+│   └── values.yaml                   # Music Man configuration
+├── mcpcoder/
+│   └── values.yaml                   # MCP Coder configuration
+└── argocd-mcp/
+    └── values.yaml                   # ArgoCD MCP configuration
+

Key Points: +- Each app has its own folder with values.yaml +- Contains environment-specific settings (image tags, env vars, resources, etc.) +- Referenced by ArgoCD Applications using multi-source pattern +- Image tags are updated here by CI/CD pipelines +- Secrets are referenced by name (actual secrets stored as SealedSecrets)

Example (mcp10x/values.yaml): +

app:
+  image:
+    repository: ghcr.io/fortedigital/10x
+    tag: 2.0.4                         # Updated by CI/CD
+  extraEnv:
+    - name: PORT
+      value: "3000"
+  envSecretName: "app-credentials"     # References SealedSecret
+
+ingress:
+  enabled: true
+  host: mcp10x.forteapps.net           # Public domain
+

4. Application Source Code Repositories¶

Purpose: Application source code with CI/CD pipelines +Examples: Various private repositories

Typical Structure: +

app-repository/
+├── src/                              # Application source code
+├── Dockerfile                        # Container build definition
+├── .github/
+│   └── workflows/
+│       └── build-and-deploy.yml      # GitHub Actions workflow
+└── package.json / requirements.txt   # Dependencies
+

CI/CD Workflow (GitHub Actions): +1. Trigger on push to main branch +2. Build Docker image +3. Tag with version (e.g., v2.0.4) +4. Push to container registry (GHCR, Docker Hub, etc.) +5. Update image tag in helm-values repository +6. ArgoCD detects change and syncs automatically

GitOps Workflow¶

The App-of-Apps Pattern¶

_app-of-apps-{upc-dev,upc-prod}.yaml (Root, per cluster)
+    │
+    ├── infrastructure-apps (manages infra/)
+    │   ├── cluster-resources-application
+    │   ├── traefik-application
+    │   ├── cert-manager-application
+    │   ├── kyverno
+    │   ├── prometheus
+    │   ├── grafana
+    │   ├── tempo
+    │   └── ... (other infra apps)
+    │
+    └── enterprise-apps (manages apps/)
+        ├── mcp10x
+        ├── musicman
+        ├── dot-ai-stack
+        └── argo-mcp
+

How It Works: +1. Bootstrap script installs ArgoCD and applies _app-of-apps-upc-dev.yaml (or upc-prod) +2. ArgoCD creates the root Application which monitors the appropriate infra/overlays/ folder +3. Kustomize renders base Applications with cluster-specific patches +4. enterprise-apps Application monitors the cluster's apps/overlays/ folder +5. ArgoCD continuously syncs (every 60s) and auto-heals drift

Sync Waves & Ordering¶

Applications deploy in order using argocd.argoproj.io/sync-wave annotations:

Wave -1: Namespaces (created first)
+Wave  0: Kyverno (policies ready before resources)
+Wave  1: Cluster resources, infrastructure apps
+Wave  2+: Business applications
+

Example: +

metadata:
+  annotations:
+    argocd.argoproj.io/sync-wave: "1"
+

Multi-Source Pattern¶

Applications like mcp10x and musicman use multiple sources:

spec:
+  sources:
+  - repoURL: https://github.com/fortedigital/forte-helm
+    path: forteapp                     # Helm chart templates
+    helm:
+      valueFiles:
+      - $values/mcp10x/values.yaml     # Reference to second source
+
+  - repoURL: git@github.com:fortedigital/helm-values.git
+    targetRevision: HEAD
+    ref: values                        # Named reference
+

Benefits: +- Chart templates separated from configuration +- Single chart reused across all apps +- Easy to update all apps by changing the chart +- Environment-specific values isolated in separate repo

Multi-Cluster Pattern¶

Kustomize overlays enable deploying the same Applications across clusters with different configurations:

# infra/base/ contains default (upc-dev) Applications
+# Helm values are layered: base + cluster-specific
+valueFiles:
+- $values/infra/values/base/traefik-values.yaml    # Shared config
+- $values/infra/values/upc-dev/traefik-values.yaml  # Cluster-specific
+
+# infra/overlays/upc-prod/kustomization.yaml patches the second valueFile
+patches:
+- target:
+    kind: Application
+    name: traefik
+  patch: |
+    - op: replace
+      path: /spec/sources/0/helm/valueFiles/1
+      value: $values/infra/values/upc-prod/traefik-values.yaml
+

Benefits: +- Single source of truth for Application definitions +- Cluster-specific values isolated per overlay +- Easy to add new clusters by creating a new overlay +- Base values shared across all clusters reduce duplication

CI/CD Pipeline¶

Continuous Integration¶

Application Repositories contain GitHub Actions workflows:

name: Build and Deploy
+
+on:
+  push:
+    branches: [ main ]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Build Docker image
+        run: docker build -t ghcr.io/fortedigital/app:$VERSION .
+
+      - name: Push to registry
+        run: docker push ghcr.io/fortedigital/app:$VERSION
+
+      - name: Update Helm values
+        run: |
+          git clone git@github.com:fortedigital/helm-values.git
+          cd helm-values/app
+          sed -i "s/tag: .*/tag: $VERSION/" values.yaml
+          git commit -am "Update app to $VERSION"
+          git push
+

Continuous Deployment¶

ArgoCD automatically syncs when changes are detected:

Config Repo Change:
Developer updates apps/myapp.yaml
Pushes to launchpad repo
ArgoCD detects change (60s reconciliation)
+
Syncs application to cluster
+
+
Helm Values Change:
+
CI/CD updates helm-values/myapp/values.yaml
ArgoCD detects change
Pulls new Helm chart with updated values
+
Applies to cluster
+

Sync Policy: +

syncPolicy:
+  automated:
+    prune: true        # Remove deleted resources
+    selfHeal: true     # Revert manual changes
+  retry:
+    limit: 5           # Retry up to 5 times
+    backoff:
+      duration: 5s
+      maxDuration: 3m
+

Deployment Validation¶

Before applying, ArgoCD: +- ✅ Validates YAML syntax +- ✅ Checks Kubernetes schema +- ✅ Runs server-side dry-run +- ✅ Verifies resource quotas +- ✅ Applies Kyverno policies

After applying: +- ✅ Waits for resources to become healthy +- ✅ Sends Slack notification (success/failure) +- ✅ Tracks sync status in UI

Security Model¶

Secret Management¶

Sealed Secrets encrypt secrets for safe Git storage:

# Developer creates plain secret locally
+kubectl create secret generic app-creds \
+  --from-literal=API_KEY=secret123 \
+  --dry-run=client -o yaml > private/app-creds.yaml
+
+# Seal the secret using kubeseal
+kubeseal --format=yaml \
+  --cert=pub-cert.pem \
+  < private/app-creds.yaml \
+  > secrets/app-creds-sealed.yaml
+
+# Commit sealed secret to Git
+git add secrets/app-creds-sealed.yaml
+git commit -m "Add app credentials"
+

Storage: +- ✅ Sealed secrets committed to Git +- ❌ Plain secrets kept in private/ (Git-ignored) or discarded +- ⚠️ Secret rotation process not yet established

Kyverno Policies¶

Policy Engine enforces security rules:

Secret Cloning: Automatically clones secrets to new namespaces +

# cluster-resources/policies/secret-cloner.yaml
+# Secrets labeled "allowedToBeCloned: true" are synced
+

+
Default Namespace Blocker: Prevents use of default namespace
+
Bare Pod Cleaner: Removes pods without controllers (Deployments/StatefulSets)
Deployment Verifier: Ensures pods have proper controllers
Auth Sidecar Injector: Injects authentication proxy based on annotations

Repository Access¶

Private Repository Credentials stored as SealedSecrets:

# cluster-resources/forte10x-repo-credentials-sealed.yaml
+

ArgoCD uses these to access private Helm values repositories.

Network Security¶

Traefik Ingress with TLS: +- All HTTP traffic redirects to HTTPS +- Let's Encrypt automatic certificate renewal +- Cert-Manager manages certificate lifecycle +- Per-application IngressRoutes with dedicated certificates

Authentication¶

Application-Level Auth (optional): +- Token-based authentication (static tokens) +- OIDC integration (Keycloak, Okta, etc.) +- Auth sidecar injected via Kyverno policy +- Tokens stored in SealedSecrets

Example: +

# In deployment.yaml template
+annotations:
+  policies.forteapps.io/auth: "true"
+  policies.forteapps.io/auth-token-secret-name: "app-tokens"
+

Monitoring & Observability¶

Stack Components¶

Prometheus: Metrics collection and storage
Grafana: Metrics visualization and dashboards
Loki: Log aggregation
Tempo: Distributed tracing (OTLP)
Fluent-Bit: Log shipping from pods to Loki
Trivy: Container vulnerability scanning

Slack Notifications¶

All ArgoCD applications send notifications to shared Slack channel:

metadata:
+  annotations:
+    notifications.argoproj.io/subscribe.on-sync-succeeded.slack: ""
+    notifications.argoproj.io/subscribe.on-sync-failed.slack: ""
+    notifications.argoproj.io/subscribe.on-degraded.slack: ""
+

Notifications include: +- ✅ Sync succeeded +- ❌ Sync failed +- ⚠️ Application degraded

Disaster Recovery¶

Cluster Rebuild¶

Current State: No backup routines exist yet. Cluster can be rebuilt from Git.

Rebuild Process: +1. Provision new Kubernetes cluster +2. Clone launchpad repository +3. Run ./bootstrap.sh +4. ArgoCD installs and syncs all applications +5. Manually recreate unsealed secrets and seal them

Data Loss: +- Currently: Data loss is acceptable (internal use) +- Future: One stateful application may require backup strategy

GitOps Advantages for DR¶

✅ Infrastructure as Code: Entire cluster defined in Git +✅ Reproducible: Cluster can be rebuilt identically +✅ Auditable: All changes tracked in Git history +✅ Rollback: Easy to revert to previous Git commit +✅ Multi-Cluster: Same config can deploy to multiple clusters

Best Practices¶

Repository Organization¶

✅ DO: +- Separate infrastructure (infra/) from applications (apps/) +- Use sync waves to control deployment order +- Keep secrets in private/ folder (Git-ignored) +- Commit only sealed secrets to Git +- Use multi-source pattern for chart/values separation

❌ DON'T: +- Commit plain secrets to Git +- Mix infrastructure and application configs +- Hard-code environment-specific values in charts +- Manually modify resources in cluster (use Git)

GitOps Workflow¶

✅ DO: +- All changes through Git (single source of truth) +- Use PR reviews for production changes +- Test changes in isolated namespaces first +- Monitor ArgoCD sync status +- Respond to Slack notifications

❌ DON'T: +- Use kubectl apply directly (breaks GitOps) +- Ignore sync failures +- Bypass ArgoCD for "quick fixes" +- Edit resources in place (kubectl edit)

Application Development¶

✅ DO: +- Follow the forteapp chart pattern +- Use semantic versioning for image tags +- Update helm-values via CI/CD +- Test locally with Docker Compose +- Document environment variables

❌ DON'T: +- Use latest image tag +- Hard-code configuration in code +- Skip local testing +- Deploy untested images to production

Next Steps¶

📖 Continue to: +- Developer Guide - Learn how to deploy and manage applications +- Operations Runbook - Common operational tasks +- Technical Reference - Detailed component documentation

Last Updated: 2026-03-16 +Maintained By: Platform Team +Questions?: Contact #platform-support on Slack

+ + + + + + + + + + + + + +

+ + + +

+ + + + + + + + + + + + + \ No newline at end of file diff --git a/OPERATIONS-RUNBOOK/index.html b/OPERATIONS-RUNBOOK/index.html new file mode 100644 index 0000000..e5491fa --- /dev/null +++ b/OPERATIONS-RUNBOOK/index.html @@ -0,0 +1,4649 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + Operations Runbook - K8s Launchpad + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

+ + + + Skip to content + + +

+ +

+ + + + + + +

+ + + + + + + + + + +

+ + K8s Launchpad + +

+ + + Operations Runbook + + +

+ + + + + + + + + + + + + + + + + + + + +

+ +

+ + +

+ Forte/launchpad +

+ +

+ + + + + + +

+ + + + + + + + + + + +

+ +

+ + + + + +

Operations Runbook¶

Table of Contents¶

Overview
Cluster Bootstrap
Initial Cluster Setup
ArgoCD Repository Access Setup
Day-to-Day Operations
Application Management
Secret Management
Monitoring & Alerting
Troubleshooting
Disaster Recovery
Maintenance Procedures

Overview¶

This runbook provides operational procedures for maintaining the Kubernetes cluster and managing applications. It's intended for platform engineers and operators with full cluster access.

Operator Prerequisites¶

✅ Full kubectl access to cluster
✅ Write access to all Git repositories
✅ ArgoCD UI access
✅ Slack notifications configured
✅ Understanding of Kubernetes concepts

Cluster Bootstrap¶

Initial Cluster Setup¶

Bootstrap a new cluster from scratch:

Prerequisites¶

Kubernetes cluster running (UpCloud or any K8s cluster)
kubectl configured with admin access
Repositories cloned locally

# Verify cluster access
+kubectl cluster-info
+kubectl get nodes
+

Bootstrap Procedure¶

# 1. Clone config repository
+git clone https://git.forteapps.net/Forte/launchpad
+cd launchpad
+
+# 2. Set cluster name (optional)
+export CLUSTER_NAME="prod-cluster-01"
+
+# 3. Run bootstrap script
+./bootstrap.sh
+

What Happens: +1. ✅ Installs ArgoCD via Helm +2. ✅ Configures ArgoCD with custom values +3. ✅ Applies root App-of-Apps manifest +4. ✅ ArgoCD automatically syncs all applications +5. ✅ Infrastructure and apps deploy in waves

Verify Bootstrap¶

# Wait for ArgoCD to be ready
+kubectl wait --for=condition=available --timeout=300s \
+  deployment/argocd-server -n argocd
+
+# Check ArgoCD applications
+kubectl get applications -n argocd
+
+# Expected output: infrastructure-apps, enterprise-apps, and all child apps
+

Post-Bootstrap Steps¶

Configure DNS for ingress domains:
argocd.127.0.0.1.nip.io (local dev)
+
*.forteapps.net (production)
+

Verify Let's Encrypt certificates: +

kubectl get certificate --all-namespaces
+kubectl get clusterissuer
+

+
Check Kyverno policies: +
```
kubectl get clusterpolicy
+
```
+
+
Verify monitoring stack: +
```
kubectl get pods -n monitoring
+
```
+
+
Test Slack notifications by triggering a sync
+

ArgoCD Repository Access Setup¶

ArgoCD needs SSH access to private Git repositories to pull manifests and Helm values. This section covers setting up deploy keys for GitHub repositories.

Why Deploy Keys?¶

Read-only access: Deploy keys provide secure, read-only access to repositories
No user credentials: No need to share personal SSH keys or tokens
Repository-specific: Each repository gets its own key for better security
Revocable: Easy to revoke access without affecting other repositories

Prerequisites¶

kubectl access to the cluster
Write access to the GitHub repository
ArgoCD installed and running

Setup Procedure¶

Step 1: Generate SSH Key Pair

Generate a dedicated SSH key for ArgoCD without a passphrase (required for automated access):

# Generate ED25519 key (recommended - smaller and more secure)
+ssh-keygen -t ed25519 -C "argocd-deploy-key-launchpad" -f argocd-deploy-key -N ""
+
+# Or RSA key if ED25519 is not supported
+ssh-keygen -t rsa -b 4096 -C "argocd-deploy-key-launchpad" -f argocd-deploy-key -N ""
+

This creates two files: +- argocd-deploy-key - Private key (keep secret) +- argocd-deploy-key.pub - Public key (add to GitHub)

Step 2: Add Public Key to GitHub

+
Copy the public key: +
```
cat argocd-deploy-key.pub
+
```
+
+
Go to GitHub repository settings:
+
Navigate to: https://git.forteapps.net/Forte/launchpad/settings/keys
+
Or: Repository → Settings → Deploy keys
+
+
Click "Add deploy key"
+
Title: ArgoCD Production Cluster
Key: Paste the public key content
☐ Allow write access (leave unchecked - read-only is sufficient)
+
Click "Add key"
+

Repeat for the helm-values repository if it's private: +

# Generate separate key for helm-values repo
+ssh-keygen -t ed25519 -C "argocd-deploy-key-helm-values" -f argocd-helm-values-key -N ""
+
+# Add to: https://github.com/fortedigital/helm-values/settings/keys
+

Step 3: Create Kubernetes Secret

Add the private key to ArgoCD as a repository secret:

Save the following file in private/ (gitignored) folder as secret.yaml +

  apiVersion: v1
+  kind: Secret
+  metadata:
+    name: forte-helm-repo
+    namespace: argocd
+    labels:
+      argocd.argoproj.io/secret-type: repository
+  stringData:
+    type: git
+    url: ssh://git@git.forteapps.net:2222/Forte/forte-helm.git
+    sshPrivateKey: |
+      <paste your private key here>
+    project: default
+

+Seal the secret using kubeseal command +

kubeseal --format=yaml \
+  --namespace=argocd \
+  < private/secret.yaml \
+  > secrets/forte-helm-repo-secret-sealed.yaml
+

Step 4: Register Repository in ArgoCD

Check in secrets/forte-helm-repo-secret-sealed.yaml and let Argo sync and create the secret.

Step 5: Verify Repository Access

# Check if repository is connected
+kubectl get secrets -n argocd -l argocd.argoproj.io/secret-type=repository
+
+# Verify connection in ArgoCD UI
+# Settings → Repositories → Should show "Successful" status
+
+# Test by creating an application
+kubectl apply -f _app-of-apps-upc-dev.yaml   # or _app-of-apps-upc-prod.yaml
+
+# Check application sync status
+kubectl get applications -n argocd
+

Testing Repository Access¶

Create a test application to verify SSH access:

cat > /tmp/test-repo-access.yaml <<EOF
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: test-repo-access
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: main
+    path: cluster-resources
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: default
+  syncPolicy:
+    automated: null  # Manual sync for testing
+EOF
+
+kubectl apply -f /tmp/test-repo-access.yaml
+
+# Check if ArgoCD can access the repository
+kubectl describe application test-repo-access -n argocd
+
+# Look for sync status - should show repository contents
+kubectl get application test-repo-access -n argocd -o jsonpath='{.status.sync.status}'
+
+# Clean up test application
+kubectl delete application test-repo-access -n argocd
+rm /tmp/test-repo-access.yaml
+

Security Best Practices¶

Secure Private Keys +

# Store private key securely and delete local copy
+# Option 1: Store in password manager (recommended)
+# Option 2: Backup to encrypted storage
+
+# Delete local private key after adding to Kubernetes
+shred -u argocd-deploy-key
+
+# Or on Windows
+# Remove-Item -Path argocd-deploy-key -Force
+

Rotate Keys Regularly +

# Generate new key
+ssh-keygen -t ed25519 -C "argocd-deploy-key-$(date +%Y%m)" -f argocd-new-key -N ""
+
+# Add new public key to GitHub (keep old key for now)
+
+# Update Kubernetes secret
+kubectl create secret generic repo-launchpad \
+  --from-file=sshPrivateKey=argocd-new-key \
+  --namespace=argocd \
+  --dry-run=client -o yaml | kubectl apply -f -
+
+# Test access, then remove old deploy key from GitHub
+
+# Clean up
+shred -u argocd-new-key
+

Audit Repository Access +

# List all repository secrets
+kubectl get secrets -n argocd -l argocd.argoproj.io/secret-type=repository
+
+# Review deploy keys in GitHub
+# Visit: https://git.forteapps.net/Forte/launchpad/settings/keys
+

+
Use Different Keys per Repository
+
Don't reuse the same deploy key across repositories
If one key is compromised, only one repository is affected
Easier to track and audit access

Troubleshooting Repository Access¶

Issue: "permission denied (publickey)"

# Check if secret exists
+kubectl get secret repo-launchpad -n argocd
+
+# Verify secret has correct label
+kubectl get secret repo-launchpad -n argocd -o yaml | grep argocd.argoproj.io/secret-type
+
+# Check ArgoCD application controller logs
+kubectl logs -n argocd deployment/argocd-application-controller | grep -i "permission denied"
+
+# Verify deploy key is added to GitHub
+# Visit: https://git.forteapps.net/Forte/launchpad/settings/keys
+

Issue: "Host key verification failed"

# Add GitHub to known_hosts
+kubectl exec -n argocd deployment/argocd-repo-server -- \
+  ssh-keyscan github.com >> ~/.ssh/known_hosts
+
+# Or disable strict host key checking (less secure)
+kubectl patch secret repo-launchpad -n argocd \
+  --type merge \
+  -p '{"stringData":{"insecure":"true"}}'
+

Issue: Repository shows as "Unknown" status

# Check repository server logs
+kubectl logs -n argocd deployment/argocd-repo-server
+
+# Refresh repository connection
+kubectl delete secret repo-launchpad -n argocd
+# Recreate secret (see Step 3 above)
+
+# Restart ArgoCD components
+kubectl rollout restart deployment argocd-repo-server -n argocd
+kubectl rollout restart deployment argocd-application-controller -n argocd
+

Multiple Repository Setup¶

For the three-repository pattern (launchpad, forte-helm, helm-values):

# 1. launchpad (main config repo)
+ssh-keygen -t ed25519 -C "argocd-launchpad" -f key-sturdy -N ""
+# Add key-sturdy.pub to: https://git.forteapps.net/Forte/launchpad/settings/keys
+
+# 2. helm-values (private values repo)
+ssh-keygen -t ed25519 -C "argocd-helm-values" -f key-helm-values -N ""
+# Add key-helm-values.pub to: https://github.com/fortedigital/helm-values/settings/keys
+
+# 3. forte-helm (private helm charts repo)
+
+# Create secrets
+kubectl create secret generic repo-launchpad \
+  --from-file=sshPrivateKey=key-sturdy \
+  --namespace=argocd --dry-run=client -o yaml | \
+  kubectl label --local -f - argocd.argoproj.io/secret-type=repository --dry-run=client -o yaml | \
+  kubectl apply -f -
+
+kubectl create secret generic repo-helm-values \
+  --from-file=sshPrivateKey=key-helm-values \
+  --namespace=argocd --dry-run=client -o yaml | \
+  kubectl label --local -f - argocd.argoproj.io/secret-type=repository --dry-run=client -o yaml | \
+  kubectl apply -f -
+
+# Clean up keys
+shred -u key-sturdy key-helm-values
+

Converting HTTPS to SSH¶

If you're currently using HTTPS and want to switch to SSH:

# 1. Generate and add deploy key (see steps above)
+
+# 2. Update all Application manifests
+# Change from:
+#   repoURL: https://git.forteapps.net/Forte/launchpad
+# To:
+#   repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+
+# 3. Update and commit
+find . -name "*.yaml" -type f -exec sed -i 's|https://github.com/fortedigital/|git@github.com:fortedigital/|g' {} +
+
+git add .
+git commit -m "Switch from HTTPS to SSH for repository access"
+git push
+
+# 4. ArgoCD will automatically re-sync with new SSH URLs
+

Day-to-Day Operations¶

Monitoring ArgoCD Sync Status¶

Via Slack¶

All applications send notifications to shared Slack channel: +- ✅ on-sync-succeeded - Deployment succeeded +- ❌ on-sync-failed - Deployment failed +- ⚠️ on-degraded - Application unhealthy

Via CLI¶

# List all applications
+kubectl get applications -n argocd
+
+# Watch application status
+kubectl get applications -n argocd -w
+
+# Get detailed status
+kubectl describe application myapp -n argocd
+

Via ArgoCD UI¶

# Port forward to UI
+kubectl port-forward svc/argocd-server -n argocd 8080:443
+
+# Access: https://localhost:8080
+# No login required (insecure mode for internal use)
+

Checking Application Health¶

# Quick health check for all apps
+kubectl get applications -n argocd \
+  -o custom-columns=NAME:.metadata.name,SYNC:.status.sync.status,HEALTH:.status.health.status
+
+# Expected output:
+# NAME                  SYNC        HEALTH
+# infrastructure-apps   Synced      Healthy
+# enterprise-apps       Synced      Healthy
+# mcp10x                Synced      Healthy
+# musicman              Synced      Healthy
+

Manual Sync¶

Force sync an application:

# Trigger sync
+kubectl patch application myapp -n argocd \
+  --type merge \
+  -p '{"metadata":{"annotations":{"argocd.argoproj.io/refresh":"hard"}}}'
+
+# Or via ArgoCD CLI (if installed)
+argocd app sync myapp
+

Pausing Auto-Sync¶

Temporarily disable automatic syncing:

# Edit application
+kubectl edit application myapp -n argocd
+
+# Set automated to null
+spec:
+  syncPolicy:
+    automated: null  # Disable auto-sync
+
+# Re-enable later
+spec:
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+

Application Management¶

Deploying a New Application¶

See Developer Guide for detailed steps.

Quick checklist: +- [ ] Create helm-values/myapp/values.yaml +- [ ] Create apps/myapp.yaml in config repo +- [ ] Create SealedSecret if needed +- [ ] Commit and push changes +- [ ] Verify sync in Slack/ArgoCD +- [ ] Configure DNS for domain +- [ ] Test application accessibility

Removing an Application¶

Safe Removal Procedure¶

# 1. Delete ArgoCD Application (with cascade)
+kubectl delete application myapp -n argocd
+
+# This will:
+# - Remove application from ArgoCD
+# - Delete all Kubernetes resources (cascade)
+# - Remove namespace
+
+# 2. Clean up Git repositories
+cd ~/dev/k8s/launchpad
+git rm apps/myapp.yaml
+git commit -m "Remove myapp application"
+git push
+
+cd ~/dev/k8s/helm-prod-values
+git rm -r myapp/
+git commit -m "Remove myapp values"
+git push
+
+# 3. Remove sealed secrets (if any)
+cd ~/dev/k8s/launchpad
+git rm secrets/myapp-credentials-sealed.yaml
+git commit -m "Remove myapp secrets"
+git push
+

Removal Without Cascade¶

To remove from ArgoCD but keep resources running:

# Delete application with no cascade
+kubectl patch application myapp -n argocd \
+  -p '{"metadata":{"finalizers":[]}}' --type merge
+kubectl delete application myapp -n argocd
+
+# Resources remain in cluster but are no longer managed
+

Scaling Applications¶

Manual Scaling¶

# Scale deployment directly
+kubectl scale deployment myapp -n myapp --replicas=3
+
+# Note: If selfHeal is enabled, this will be reverted
+

GitOps Scaling¶

Update helm-values/myapp/values.yaml:

app:
+  replicaCount: 3  # Change from 1 to 3
+

Commit and push - ArgoCD will sync.

Auto-Scaling (HPA)¶

Enable Horizontal Pod Autoscaler:

# In helm-values/myapp/values.yaml
+app:
+  hpa:
+    enabled: true
+    minReplicas: 2
+    maxReplicas: 10
+    targetCPUUtilizationPercentage: 70
+

Note: Remove replicaCount from ArgoCD ignore list if using HPA:

# In apps/myapp.yaml
+ignoreDifferences:
+- group: apps
+  kind: Deployment
+  jsonPointers:
+  - /spec/replicas  # Remove this line
+

Rolling Back Deployments¶

Option 1: Git Revert¶

# Find the commit before the bad change
+cd ~/dev/k8s/helm-prod-values
+git log --oneline myapp/values.yaml
+
+# Revert to previous version
+git revert <commit-hash>
+git push
+
+# ArgoCD will sync the rollback
+

Option 2: Manual Rollback¶

# Rollback to previous revision
+kubectl rollout undo deployment myapp -n myapp
+
+# Note: This will be reverted by ArgoCD selfHeal
+# Make permanent by updating Git
+

Option 3: Change Image Tag¶

# Edit helm-values
+cd ~/dev/k8s/helm-prod-values
+vim myapp/values.yaml
+
+# Change image tag to previous version
+app:
+  image:
+    tag: v1.0.0  # Roll back from v1.0.1
+
+# Commit and push
+git add myapp/values.yaml
+git commit -m "Rollback myapp to v1.0.0"
+git push
+

Resource Updates¶

Update Resource Limits¶

# In helm-values/myapp/values.yaml
+app:
+  resources:
+    requests:
+      cpu: 200m      # Increased from 100m
+      memory: 512Mi  # Increased from 256Mi
+    limits:
+      cpu: 1000m
+      memory: 2Gi
+

Enable Database¶

# In helm-values/myapp/values.yaml
+db:
+  enabled: true
+  persistence:
+    size: 10Gi  # Increase storage
+

Secret Management¶

Creating Secrets¶

Step 1: Get Public Certificate¶

# Fetch sealed-secrets public cert (one-time)
+kubeseal --fetch-cert \
+  --controller-name=sealed-secrets-controller \
+  --controller-namespace=kube-system \
+  > pub-cert.pem
+
+# Save this certificate for future use
+

Step 2: Create Plain Secret¶

# Method 1: From literal values
+kubectl create secret generic myapp-credentials \
+  --from-literal=API_KEY=secret123 \
+  --from-literal=DB_PASSWORD=pass456 \
+  --namespace=myapp \
+  --dry-run=client -o yaml > private/myapp-credentials.yaml
+
+# Method 2: From file
+kubectl create secret generic myapp-credentials \
+  --from-file=.env \
+  --namespace=myapp \
+  --dry-run=client -o yaml > private/myapp-credentials.yaml
+
+# Method 3: From multiple files
+kubectl create secret generic myapp-credentials \
+  --from-file=api-key.txt \
+  --from-file=db-password.txt \
+  --namespace=myapp \
+  --dry-run=client -o yaml > private/myapp-credentials.yaml
+

Step 3: Seal Secret¶

kubeseal --format=yaml \
+  --cert=pub-cert.pem \
+  --namespace=myapp \
+  < private/myapp-credentials.yaml \
+  > secrets/myapp-credentials-sealed.yaml
+

Step 4: Commit Sealed Secret¶

git add secrets/myapp-credentials-sealed.yaml
+git commit -m "Add myapp credentials"
+git push
+
+# Delete plain secret
+rm private/myapp-credentials.yaml
+

Updating Secrets¶

# 1. Create new version
+kubectl create secret generic myapp-credentials \
+  --from-literal=API_KEY=new-secret-key \
+  --from-literal=DB_PASSWORD=new-password \
+  --namespace=myapp \
+  --dry-run=client -o yaml > private/myapp-credentials.yaml
+
+# 2. Seal it
+kubeseal --format=yaml \
+  --cert=pub-cert.pem \
+  --namespace=myapp \
+  < private/myapp-credentials.yaml \
+  > secrets/myapp-credentials-sealed.yaml
+
+# 3. Commit
+git add secrets/myapp-credentials-sealed.yaml
+git commit -m "Update myapp credentials"
+git push
+
+# 4. Restart pods to pick up new secret
+kubectl rollout restart deployment myapp -n myapp
+
+# 5. Delete plain secret
+rm private/myapp-credentials.yaml
+

Viewing Secrets (Unsealed)¶

# List secrets in namespace
+kubectl get secrets -n myapp
+
+# Describe secret (doesn't show values)
+kubectl describe secret myapp-credentials -n myapp
+
+# View secret values (base64 encoded)
+kubectl get secret myapp-credentials -n myapp -o yaml
+
+# Decode secret value
+kubectl get secret myapp-credentials -n myapp \
+  -o jsonpath='{.data.API_KEY}' | base64 -d
+

Secret Cloning (Kyverno)¶

Secrets labeled allowedToBeCloned: "true" in the secrets namespace are automatically cloned to new namespaces.

# Example: secrets-namespace.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: shared-credentials
+  namespace: secrets
+  labels:
+    allowedToBeCloned: "true"
+type: Opaque
+data:
+  API_KEY: <base64-encoded-value>
+

When a new namespace is created, Kyverno automatically copies this secret.

Authentication Secrets¶

Applications using the authentication sidecar require specific secrets depending on the auth mode.

Token Mode Secrets¶

Token-based auth uses an auth-tokens Secret:

# Method 1: From Helm values (automatic)
+# Tokens specified in values.yaml are automatically created
+
+# Method 2: Manual creation
+kubectl create secret generic auth-tokens \
+  --from-literal=tokens="token1
+token2
+token3" \
+  --namespace=myapp
+
+# Method 3: From file
+echo "d4f88f6d9292c10cc3e21c4aad56d2be485db532b54fe961d738e1137d247823" > tokens.txt
+echo "8803f621acc3898df1d7a8f514bc3602551a0681a8f747bd4e43c3c5849d57a7" >> tokens.txt
+kubectl create secret generic auth-tokens \
+  --from-file=tokens=tokens.txt \
+  --namespace=myapp
+rm tokens.txt
+

OIDC Mode Secrets¶

OIDC auth requires an auth-oidc Secret with two keys:

# Generate secrets
+CLIENT_SECRET="your-oidc-client-secret-from-provider"
+COOKIE_SECRET=$(openssl rand -hex 32)
+
+# Create plain secret
+kubectl create secret generic auth-oidc \
+  --from-literal=client-secret=$CLIENT_SECRET \
+  --from-literal=cookie-secret=$COOKIE_SECRET \
+  --namespace=myapp \
+  --dry-run=client -o yaml > private/myapp-auth-oidc.yaml
+
+# Seal it
+kubeseal --format=yaml \
+  --cert=pub-cert.pem \
+  --namespace=myapp \
+  < private/myapp-auth-oidc.yaml \
+  > secrets/myapp-auth-oidc-sealed.yaml
+
+# Apply sealed secret
+kubectl apply -f secrets/myapp-auth-oidc-sealed.yaml
+
+# Commit to Git
+git add secrets/myapp-auth-oidc-sealed.yaml
+git commit -m "Add OIDC secrets for myapp"
+git push
+
+# Clean up
+rm private/myapp-auth-oidc.yaml
+

Rotating Authentication Secrets¶

Token Rotation:

# Generate new token
+NEW_TOKEN=$(openssl rand -hex 32)
+
+# Get current tokens
+kubectl get secret auth-tokens -n myapp -o yaml > /tmp/tokens.yaml
+
+# Edit tokens (add new, optionally remove old)
+# Then re-seal and apply
+
+# Restart pods to use new tokens
+kubectl rollout restart deployment myapp -n myapp
+

OIDC Secret Rotation:

# Rotate cookie secret (safe - invalidates existing sessions)
+NEW_COOKIE_SECRET=$(openssl rand -hex 32)
+
+# Recreate secret
+kubectl create secret generic auth-oidc \
+  --from-literal=client-secret=$CLIENT_SECRET \
+  --from-literal=cookie-secret=$NEW_COOKIE_SECRET \
+  --namespace=myapp \
+  --dry-run=client -o yaml | \
+  kubeseal --format=yaml --cert=pub-cert.pem --namespace=myapp | \
+  kubectl apply -f -
+
+# Restart to pick up new secret
+kubectl rollout restart deployment myapp -n myapp
+

Viewing Authentication Secrets¶

# List auth-related secrets
+kubectl get secrets -n myapp | grep auth
+
+# View token secret (tokens are in plain text in the Secret)
+kubectl get secret auth-tokens -n myapp -o jsonpath='{.data.tokens}' | base64 -d
+
+# View OIDC secret keys (values are base64 encoded)
+kubectl get secret auth-oidc -n myapp -o jsonpath='{.data.client-secret}' | base64 -d
+kubectl get secret auth-oidc -n myapp -o jsonpath='{.data.cookie-secret}' | base64 -d
+

See: Developer Guide - Enabling Authentication for complete authentication setup guide.

Monitoring & Alerting¶

Prometheus Metrics¶

# Port forward to Prometheus
+kubectl port-forward -n monitoring svc/prometheus-server 9090:80
+
+# Access: http://localhost:9090
+

Common Queries: +

# CPU usage per pod
+sum(rate(container_cpu_usage_seconds_total[5m])) by (pod)
+
+# Memory usage per pod
+sum(container_memory_usage_bytes) by (pod)
+
+# Request rate per service
+rate(http_requests_total[5m])
+

Grafana Dashboards¶

# Port forward to Grafana
+kubectl port-forward -n monitoring svc/grafana 3000:80
+
+# Access: http://localhost:3000
+

Loki Logs¶

# Port forward to Loki
+kubectl port-forward -n monitoring svc/loki 3100:3100
+
+# Query logs
+curl -G -s 'http://localhost:3100/loki/api/v1/query_range' \
+  --data-urlencode 'query={namespace="myapp"}' \
+  --data-urlencode 'start=1h' | jq
+

Tempo Traces¶

# Port forward to Tempo query API
+kubectl port-forward -n monitoring svc/tempo 3200:3200
+
+# Access: http://localhost:3200
+

Query traces via Grafana: +1. Open Grafana → Explore +2. Select Tempo datasource +3. Use TraceQL or search by service name

Verify Traefik is sending traces: +

# Check Traefik logs for OTLP export errors
+kubectl logs -n traefik-system -l app.kubernetes.io/name=traefik | grep -i "traces export"
+
+# Check Tempo is receiving data
+kubectl logs -n monitoring -l app.kubernetes.io/name=tempo | grep "receiver"
+

Trace-to-log correlation: +- Click a trace span in Grafana → linked Loki logs appear (by namespace, pod, container) +- Trace-to-metrics links to Prometheus by service name

Fluent-Bit Log Shipping¶

Verify Fluent-Bit is shipping logs:

# Check Fluent-Bit pods
+kubectl get pods -n monitoring | grep fluent-bit
+
+# Check logs
+kubectl logs -n monitoring daemonset/fluent-bit
+
+# Verify Loki is receiving logs
+kubectl logs -n monitoring deployment/loki | grep "POST /loki/api/v1/push"
+

Trivy Vulnerability Scanning¶

# Check Trivy scan results
+kubectl get vulnerabilityreports --all-namespaces
+
+# View report for specific pod
+kubectl describe vulnerabilityreport -n myapp <report-name>
+

Slack Notifications¶

All applications have Slack notifications enabled:

metadata:
+  annotations:
+    notifications.argoproj.io/subscribe.on-sync-succeeded.slack: ""
+    notifications.argoproj.io/subscribe.on-sync-failed.slack: ""
+    notifications.argoproj.io/subscribe.on-degraded.slack: ""
+

Test Notification: +

# Trigger a sync to test
+kubectl patch application myapp -n argocd \
+  --type merge \
+  -p '{"metadata":{"annotations":{"argocd.argoproj.io/refresh":"hard"}}}'
+

Troubleshooting¶

Application Won't Sync¶

Check Application Status¶

kubectl describe application myapp -n argocd
+

Look for errors in: +- Status.Conditions +- Status.OperationState

Common Issues¶

Issue 1: Image Pull Error +

# Error: ErrImagePull, ImagePullBackOff
+
+# Check if image exists
+docker pull ghcr.io/fortedigital/myapp:v1.0.0
+
+# Check image pull secrets
+kubectl get secrets -n myapp | grep regcred
+
+# Check pod events
+kubectl describe pod -n myapp <pod-name>
+

Issue 2: Invalid YAML +

# Error: unable to decode manifest
+
+# Validate YAML locally
+kubectl apply --dry-run=client -f apps/myapp.yaml
+
+# Check ArgoCD application controller logs
+kubectl logs -n argocd deployment/argocd-application-controller | grep myapp
+

Issue 3: Resource Quota Exceeded +

# Error: exceeded quota
+
+# Check namespace quotas
+kubectl get resourcequota -n myapp
+kubectl describe resourcequota -n myapp
+
+# Increase quota or reduce resource requests
+

Pod Crashes¶

CrashLoopBackOff¶

# Check pod status
+kubectl get pods -n myapp
+
+# View logs
+kubectl logs -n myapp <pod-name>
+kubectl logs -n myapp <pod-name> --previous  # Previous container
+
+# Check events
+kubectl describe pod -n myapp <pod-name>
+

Common Causes: +- Application error (check logs) +- Missing environment variables +- Wrong port configuration +- Missing secrets +- Insufficient memory/CPU

ImagePullBackOff¶

# Check image name
+kubectl get deployment myapp -n myapp -o yaml | grep image
+
+# Verify credentials
+kubectl get secret -n myapp
+

Pending¶

# Check why pod is pending
+kubectl describe pod -n myapp <pod-name>
+
+# Common reasons:
+# - Insufficient resources on nodes
+# - PVC not bound
+# - Node selector doesn't match
+

Ingress / TLS Issues¶

Application Not Accessible¶

# Check IngressRoute
+kubectl get ingressroute -n myapp
+kubectl describe ingressroute myapp -n myapp
+
+# Check Traefik
+kubectl get pods -n traefik
+kubectl logs -n traefik deployment/traefik
+
+# Test with port-forward
+kubectl port-forward -n myapp service/myapp 8080:3000
+curl http://localhost:8080
+

Certificate Issues¶

# Check certificates
+kubectl get certificate -n myapp
+kubectl describe certificate myapp-tls -n myapp
+
+# Check cert-manager
+kubectl get clusterissuer
+kubectl logs -n cert-manager deployment/cert-manager
+
+# Check Let's Encrypt challenges
+kubectl get challenges --all-namespaces
+

Manual Certificate Renewal: +

# Delete and recreate certificate
+kubectl delete certificate myapp-tls -n myapp
+
+# Certificate will be automatically recreated
+

Database Issues¶

PostgreSQL Won't Start¶

# Check StatefulSet
+kubectl get statefulset -n myapp
+kubectl describe statefulset postgres -n myapp
+
+# Check PVC
+kubectl get pvc -n myapp
+kubectl describe pvc -n myapp
+
+# Check logs
+kubectl logs -n myapp postgres-0
+

Data Persistence¶

# Verify PVC is bound
+kubectl get pvc -n myapp
+
+# Check storage class
+kubectl get storageclass
+
+# Resize PVC (if supported)
+kubectl edit pvc postgres-data-postgres-0 -n myapp
+# Change: storage: 10Gi (from 5Gi)
+

Kyverno Policy Issues¶

Policy Violations¶

# List policies
+kubectl get clusterpolicy
+
+# Check policy reports
+kubectl get policyreport --all-namespaces
+
+# View specific policy
+kubectl describe clusterpolicy secret-cloner
+

Secret Not Cloned¶

# Check if secret has label
+kubectl get secret -n secrets --show-labels
+
+# Check Kyverno logs
+kubectl logs -n kyverno deployment/kyverno
+
+# Manually trigger by recreating namespace
+kubectl delete ns test-ns
+kubectl create ns test-ns
+

ArgoCD Issues¶

ArgoCD UI Not Accessible¶

# Check ArgoCD pods
+kubectl get pods -n argocd
+
+# Restart ArgoCD server
+kubectl rollout restart deployment argocd-server -n argocd
+
+# Port forward
+kubectl port-forward svc/argocd-server -n argocd 8080:443
+

Sync Takes Too Long¶

# Check application controller logs
+kubectl logs -n argocd deployment/argocd-application-controller
+
+# Increase timeout (in apps/myapp.yaml)
+spec:
+  syncPolicy:
+    retry:
+      backoff:
+        maxDuration: 5m  # Increase from 3m
+

Disaster Recovery¶

Backup Strategy¶

Current State: No automated backups

What Needs Backup: +- ❌ Cluster state (not backed up - recreate via GitOps) +- ❌ Persistent volumes (currently not critical) +- ✅ Git repositories (GitHub provides backup) +- ⚠️ Secrets (sealed secrets in Git, unseal keys need safekeeping)

Cluster Rebuild¶

Scenario: Complete cluster failure

# 1. Provision new Kubernetes cluster
+
+# 2. Configure kubectl
+kubectl config use-context new-cluster
+kubectl cluster-info
+
+# 3. Bootstrap cluster
+cd ~/dev/k8s/launchpad
+./bootstrap.sh
+
+# 4. Wait for ArgoCD to sync all applications
+kubectl get applications -n argocd -w
+
+# 5. Recreate any unsealed secrets (from password manager)
+# 6. Configure DNS for new cluster IPs
+# 7. Verify all applications are healthy
+

Time Estimate: 30-60 minutes

Data Loss: +- Ephemeral data: Lost +- Database data: Lost (no backups currently) +- Configuration: No loss (in Git)

Future Backup Plan¶

Recommended:

Velero for cluster backups +

helm install velero vmware-tanzu/velero \
+  --namespace velero \
+  --create-namespace \
+  --set configuration.provider=aws \
+  --set configuration.backupStorageLocation[0].bucket=cluster-backups
+

PostgreSQL backups via CronJob +

# pg-backup-cronjob.yaml
+kind: CronJob
+spec:
+  schedule: "0 2 * * *"  # Daily at 2am
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+          - name: pg-dump
+            image: postgres:16-alpine
+            command:
+            - /bin/sh
+            - -c
+            - pg_dump -U $DB_USER -d $DB_NAME > /backup/dump-$(date +%Y%m%d).sql
+

Sealed Secrets private key backup +

# Backup sealed-secrets controller private key
+kubectl get secret -n kube-system sealed-secrets-key \
+  -o yaml > sealed-secrets-key-backup.yaml
+
+# Store in secure location (password manager, vault)
+

Maintenance Procedures¶

Upgrading ArgoCD¶

# Check current version
+kubectl get deployment argocd-server -n argocd \
+  -o jsonpath='{.spec.template.spec.containers[0].image}'
+
+# Update version in values
+vim infra/values/base/argocd-values.yaml
+
+# Or upgrade via Helm directly
+helm upgrade argocd argo-cd \
+  --repo https://argoproj.github.io/argo-helm \
+  --namespace argocd \
+  --values infra/values/base/argocd-values.yaml \
+  --version 6.0.0  # New version
+
+# Verify
+kubectl get pods -n argocd
+

Upgrading Kubernetes Version¶

# UpCloud: Upgrade via control panel or CLI
+
+# After upgrade, verify cluster
+kubectl version
+kubectl get nodes
+
+# Check for deprecated APIs
+kubectl api-resources
+
+# Update any deprecated resources in Git
+

Rotating TLS Certificates¶

Let's Encrypt certificates auto-renew, but if manual rotation is needed:

# Delete certificate to force renewal
+kubectl delete certificate myapp-tls -n myapp
+
+# Cert-manager will automatically recreate
+kubectl get certificate -n myapp -w
+

Cleaning Up Old Resources¶

# List all namespaces
+kubectl get namespaces
+
+# Remove unused namespaces
+kubectl delete namespace old-app
+
+# Clean up ArgoCD applications
+kubectl get applications -n argocd
+kubectl delete application old-app -n argocd
+
+# Clean up old Docker images (on nodes)
+# SSH to nodes and run:
+docker image prune -a --filter "until=720h"  # 30 days
+

DNS Management¶

Adding New Subdomain:

Add DNS A record pointing to Traefik LoadBalancer IP +

# Get LoadBalancer IP
+kubectl get svc -n traefik traefik -o jsonpath='{.status.loadBalancer.ingress[0].ip}'
+

Add to DNS provider: +

myapp.forteapps.net  A  <LoadBalancer-IP>
+

Verify DNS propagation: +

nslookup myapp.forteapps.net
+dig myapp.forteapps.net
+

Monitoring Resource Usage¶

# Node resource usage
+kubectl top nodes
+
+# Pod resource usage
+kubectl top pods --all-namespaces
+
+# Identify resource hogs
+kubectl top pods --all-namespaces --sort-by=memory
+kubectl top pods --all-namespaces --sort-by=cpu
+

Advanced Operations¶

Adding a New Infrastructure Component¶

Example: Adding Redis

# 1. Create application manifest in base/
+cat > infra/base/redis-application.yaml <<EOF
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: redis
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "1"
+spec:
+  project: default
+  sources:
+  - repoURL: https://charts.bitnami.com/bitnami
+    chart: redis
+    targetRevision: 18.0.0
+    helm:
+      releaseName: redis
+      valueFiles:
+      - \$values/infra/values/base/redis-values.yaml
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    targetRevision: HEAD
+    ref: values
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: redis
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+    - CreateNamespace=true
+EOF
+
+# 2. Add to base kustomization
+# Edit infra/base/kustomization.yaml and add: - redis-application.yaml
+
+# 3. Create base values file
+cat > infra/values/base/redis-values.yaml <<EOF
+auth:
+  enabled: true
+EOF
+
+# 4. Commit and push
+git add infra/base/redis-application.yaml infra/values/base/redis-values.yaml infra/base/kustomization.yaml
+git commit -m "Add Redis infrastructure component"
+git push
+
+# 5. ArgoCD will auto-sync within 60 seconds
+

Multi-Cluster Setup¶

The repository supports multiple clusters via Kustomize overlays:

upc-dev (default): infra/overlays/upc-dev/ — uses base Applications as-is
upc-prod: infra/overlays/upc-prod/ — patches value file paths from upc-dev to upc-prod

Each cluster has its own: +- Root app-of-apps file: _app-of-apps-upc-dev.yaml / _app-of-apps-upc-prod.yaml +- Cluster-specific Helm values: infra/values/upc-dev/ / infra/values/upc-prod/ +- Sealed secrets: secrets/upc-dev/ (others as needed) +- Apps overlay: apps/overlays/upc-dev/ / apps/overlays/upc-prod/

To add a new cluster, create a new overlay directory (e.g., infra/overlays/upc-staging/) with patches that swap the value file paths.

Blue-Green Deployments¶

# Deploy blue version
+helm install myapp-blue forteapp \
+  --set app.image.tag=v1.0.0
+
+# Deploy green version
+helm install myapp-green forteapp \
+  --set app.image.tag=v2.0.0
+
+# Switch traffic via IngressRoute
+kubectl patch ingressroute myapp -n myapp --type merge \
+  -p '{"spec":{"routes":[{"services":[{"name":"myapp-green"}]}]}}'
+
+# Remove blue deployment after validation
+helm uninstall myapp-blue
+

Emergency Procedures¶

Emergency Rollback¶

# Immediate rollback
+kubectl rollout undo deployment myapp -n myapp
+
+# Update Git to make permanent
+cd ~/dev/k8s/helm-prod-values
+git revert HEAD
+git push
+

Emergency Scale Down¶

# Scale to zero (maintenance mode)
+kubectl scale deployment myapp -n myapp --replicas=0
+
+# Update Git
+vim helm-values/myapp/values.yaml
+# Set replicaCount: 0
+git commit -am "Scale down myapp for maintenance"
+git push
+

Emergency Application Removal¶

# Remove application but keep data
+kubectl patch application myapp -n argocd \
+  -p '{"metadata":{"finalizers":[]}}' --type merge
+kubectl delete application myapp -n argocd
+
+# Resources remain in cluster
+

Useful Scripts¶

Sync All Applications¶

#!/bin/bash
+# sync-all.sh
+for app in $(kubectl get applications -n argocd -o name); do
+  kubectl patch $app -n argocd \
+    --type merge \
+    -p '{"metadata":{"annotations":{"argocd.argoproj.io/refresh":"hard"}}}'
+done
+

Check All Applications Health¶

#!/bin/bash
+# health-check.sh
+kubectl get applications -n argocd \
+  -o custom-columns=\
+NAME:.metadata.name,\
+SYNC:.status.sync.status,\
+HEALTH:.status.health.status,\
+MESSAGE:.status.health.message
+

Seal Secret Helper¶

#!/bin/bash
+# seal-secret.sh
+NAMESPACE=${1:-default}
+SECRET_FILE=${2:-private/secret.yaml}
+OUTPUT_FILE=${3:-secrets/secret-sealed.yaml}
+
+kubeseal --format=yaml \
+  --cert=pub-cert.pem \
+  --namespace=$NAMESPACE \
+  < $SECRET_FILE \
+  > $OUTPUT_FILE
+
+echo "Sealed secret created: $OUTPUT_FILE"
+echo "Remember to delete: $SECRET_FILE"
+

Checklist Templates¶

New Application Deployment Checklist¶

[ ] Application code repository created
[ ] Dockerfile created and tested
[ ] GitHub Actions workflow configured
[ ] Helm values created in helm-prod-values/
[ ] ArgoCD application manifest created in apps/
[ ] Secrets created and sealed
[ ] DNS record added for domain
[ ] Application synced successfully
[ ] Health check passed
[ ] Slack notification received
[ ] Application accessible via domain
[ ] Monitoring configured
[ ] Documentation updated

Incident Response Checklist¶

[ ] Incident identified (Slack alert, monitoring)
[ ] Severity assessed
[ ] Incident channel created
[ ] Initial investigation (logs, metrics, events)
[ ] Root cause identified
[ ] Mitigation applied
[ ] Verification of fix
[ ] Post-mortem scheduled
[ ] Documentation updated

Last Updated: 2026-03-16 +Maintained By: Platform Team +Emergency Contact: #platform-support on Slack

+ + + + + + + + + + + + + +

+ + + +

+ + + + + + + + + + + + + \ No newline at end of file diff --git a/REFERENCE/index.html b/REFERENCE/index.html new file mode 100644 index 0000000..9930d82 --- /dev/null +++ b/REFERENCE/index.html @@ -0,0 +1,4220 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + Technical Reference - K8s Launchpad + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

+ + + + Skip to content + + +

+ +

+ + + + + + +

+ + + + + + + + + + +

+ + K8s Launchpad + +

+ + + Technical Reference + + +

+ + + + + + + + + + + + + + + + + + + + +

+ +

+ + +

+ Forte/launchpad +

+ +

+ + + + + + +

+ + + + + + + + + + + +

+ +

+ + + + + +

Technical Reference¶

Table of Contents¶

Architecture Components
Repository Reference
Helm Chart Reference
ArgoCD Configuration
Infrastructure Components
Kyverno Policies
Configuration Reference
API Endpoints
Glossary

Architecture Components¶

Cluster Specifications¶

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Component	Value
Provider	UpCloud Managed Kubernetes
Environment	Production (internal use)
Cluster Count	Multi-cluster (upc-dev, upc-prod)
GitOps Tool	ArgoCD
Ingress Controller	Traefik v2
Certificate Management	Cert-Manager + Let's Encrypt
Policy Engine	Kyverno
Secret Management	Sealed Secrets (Bitnami)
Monitoring	Prometheus + Grafana
Logging	Loki + Fluent-Bit
Tracing	Tempo (OTLP)
Container Scanning	Trivy
Version Control	Gitea

Network Architecture¶

Internet
+   │
+   ▼
+[DNS: *.forteapps.net]
+   │
+   ▼
+[UpCloud LoadBalancer]
+   │
+   ▼
+[Traefik Ingress Controller]
+   │
+   ├──► IngressRoute (TLS termination via Cert-Manager)
+   │
+   ├──► Service (ClusterIP)
+   │    │
+   │    └──► Pod (Application Container)
+   │
+   └──► Service (Database - ClusterIP)
+        │
+        └──► StatefulSet (PostgreSQL)
+

Repository Reference¶

Config Repository: `launchpad`¶

URL: https://git.forteapps.net/Forte/launchpad

Directory Structure¶

launchpad/
+├── bootstrap.sh                   # Cluster initialization script
+├── _app-of-apps-upc-dev.yaml     # Root ArgoCD Application (upc-dev)
+├── _app-of-apps-upc-prod.yaml    # Root ArgoCD Application (upc-prod)
+│
+├── infra/                         # Infrastructure applications
+│   ├── cluster-resources-application.yaml
+│   ├── enterprise-apps.yaml
+│   ├── traefik-application.yaml
+│   ├── cert-manager-application.yaml
+│   ├── kyverno.yaml
+│   ├── kyverno-policies.yaml
+│   ├── prometheus.yaml
+│   ├── grafana.yaml
+│   ├── loki.yaml
+│   ├── tempo.yaml
+│   ├── fluent-bit.yaml
+│   ├── trivy.yaml
+│   ├── gitea.yaml
+│   ├── gitea-actions.yaml
+│   ├── sealedsecrets.yaml
+│   ├── secrets.yaml
+│   ├── renovate.yaml
+│   └── values/
+│       ├── argocd-values.yaml
+│       ├── prometheus-values.yaml
+│       ├── grafana-values.yaml
+│       ├── loki-values.yaml
+│       ├── tempo-values.yaml
+│       ├── gitea-values.yaml
+│       ├── gitea-actions-values.yaml
+│       ├── fluent-bit-values.yaml
+│       └── renovate-values.yaml
+│
+├── apps/                          # Business applications
+│   ├── mcp10x.yaml
+│   ├── musicman.yaml
+│   ├── dot-ai-stack.yaml
+│   └── argo-mcp.yaml
+│
+├── cluster-resources/             # Cluster-level resources
+│   ├── cert-manager-namespace.yaml
+│   ├── secrets-namespace.yaml
+│   ├── letsencrypt-issuer.yaml
+│   ├── kyverno-config.yaml
+│   ├── argocd-notifications-secret-sealed.yaml
+│   ├── forte10x-repo-credentials-sealed.yaml
+│   ├── mcp10x-repo-credentials-sealed.yaml
+│   └── policies/
+│       ├── deployment-verifier.yaml
+│       ├── label-checker.yaml
+│       ├── bare-pod-cleaner.yaml
+│       ├── replicaset-cleaner.yaml
+│       ├── default-ns-blocker.yaml
+│       ├── secret-cloner.yaml
+│       ├── keycloak-client-cloner.yaml
+│       └── auth-sidecar-injector.yaml
+│
+├── secrets/                       # Application secrets (sealed)
+│   ├── argocd-mcp-credentials.yaml
+│   ├── dot-ai-secrets.yaml
+│   ├── gitea-credentials-sealed.yaml
+│   ├── gitea-runner-token-sealed.yaml
+│   ├── mcp10x-credentials-sealed.yaml
+│   └── musicman-credentials.yaml
+│
+├── private/                       # Local-only (Git-ignored)
+│   ├── *.yaml
+│   └── *.sh
+│
+└── docs/                          # Documentation
+    ├── GITOPS-ARCHITECTURE.md
+    ├── DEVELOPER-GUIDE.md
+    ├── OPERATIONS-RUNBOOK.md
+    └── REFERENCE.md
+

Key Files¶

bootstrap.sh +

#!/bin/zsh
+# Initializes cluster with ArgoCD
+
+ArgoCd() {
+  helm upgrade --install argocd argo-cd \
+    --repo https://argoproj.github.io/argo-helm \
+    --namespace argocd --create-namespace \
+    --values infra/values/base/argocd-values.yaml \
+    --set notifications.context.clusterName="$CLUSTER_NAME" \
+    --timeout 60s --atomic
+
+  kubectl apply -f _app-of-apps-upc-dev.yaml -n argocd   # or _app-of-apps-upc-prod.yaml
+}
+

_app-of-apps-upc-dev.yaml / _app-of-apps-upc-prod.yaml +

apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: infrastructure-apps
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+    path: infra
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: default
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+

Helm Charts Repository: `forte-helm`¶

URL: https://github.com/fortedigital/forte-helm

Chart: `forteapp`¶

Version: 0.1.0 +App Version: 1.0.0 +Type: application

Templates¶

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Template	Purpose
`_helpers.tpl`	Template helper functions
`namespace.yaml`	Namespace resource
`deployment.yaml`	Main application Deployment
`service.yaml`	ClusterIP Service
`ingressroute.yaml`	Traefik IngressRoute
`certificate.yaml`	Cert-Manager Certificate
`configmap.yaml`	Application ConfigMap
`secret-auth-tokens.yaml`	Authentication tokens
`hpa.yaml`	Horizontal Pod Autoscaler
`database-statefulset.yaml`	Optional PostgreSQL StatefulSet
`database-service.yaml`	PostgreSQL Service

Default Values Schema¶

app:
+  image:
+    repository: ""              # Required
+    tag: ""                     # Required
+    pullPolicy: IfNotPresent
+    containerPort: 3000
+
+  replicaCount: 1
+
+  resources:
+    requests:
+      cpu: 100m
+      memory: 128Mi
+    limits:
+      cpu: 500m
+      memory: 512Mi
+
+  hpa:
+    enabled: false
+    minReplicas: 2
+    maxReplicas: 10
+    targetCPUUtilizationPercentage: 70
+
+  extraEnv: []
+  # - name: KEY
+  #   value: "value"
+
+  envSecretName: ""             # Reference to Secret
+  nodeEnv: production
+
+db:
+  enabled: false
+  name: postgres
+  image:
+    repository: postgres
+    tag: "16-alpine"
+
+  service:
+    type: ClusterIP
+    port: 5432
+    targetPort: 5432
+
+  persistence:
+    enabled: true
+    storageClass: ""
+    accessMode: ReadWriteOnce
+    size: 5Gi
+
+  resources:
+    requests:
+      memory: "256Mi"
+      cpu: "250m"
+    limits:
+      memory: "1Gi"
+      cpu: "1000m"
+
+  extraEnv: []
+  envSecretName: ""
+
+  livenessProbe:
+    exec:
+      command:
+      - pg_isready
+      - -U
+      - db_user
+      - -d
+      - db_name
+    initialDelaySeconds: 30
+    periodSeconds: 10
+
+  readinessProbe:
+    exec:
+      command:
+      - pg_isready
+      - -U
+      - db_user
+      - -d
+      - db_name
+    initialDelaySeconds: 5
+    periodSeconds: 5
+
+service:
+  type: ClusterIP
+  port: 3000
+
+ingress:
+  enabled: false
+  host: ""
+  entrypoint: websecure
+  tls:
+    enabled: true
+    secretName: ""
+    clusterIssuer: letsencrypt-prod
+
+auth:
+  enabled: false                 # Enable authentication sidecar injection
+  type: token                    # Authentication mode: "token" or "oidc"
+
+  # Token-based authentication configuration
+  tokens: []                     # List of valid bearer tokens (hex strings, 32+ bytes recommended)
+  # - d4f88f6d9292c10cc3e21c4aad56d2be485db532b54fe961d738e1137d247823
+  # - 8803f621acc3898df1d7a8f514bc3602551a0681a8f747bd4e43c3c5849d57a7
+
+  # OIDC authentication configuration
+  oidc:
+    authority: ""                # OIDC provider URL (e.g., https://auth.example.com/realms/master)
+    clientId: ""                 # OIDC client ID registered with provider
+    scopes: "openid,profile,email"  # OAuth scopes (comma-separated)
+    callbackPath: /auth/callback    # OAuth callback path (default: /auth/callback)
+    # Note: Client secret must be in 'auth-oidc' Secret (client-secret key)
+    #       Cookie secret must be in 'auth-oidc' Secret (cookie-secret key)
+
+configmap: []                    # Application ConfigMap key-value pairs
+# KEY: value
+# DB_HOST: postgres
+# DB_PORT: "5432"
+

Helm Values Repository: `helm-values`¶

URL: https://github.com/fortedigital/helm-values.git

Structure¶

helm-values/
+├── mcp10x/
+│   └── values.yaml
+├── musicman/
+│   └── values.yaml
+├── mcpcoder/
+│   └── values.yaml
+└── argocd-mcp/
+    └── values.yaml
+

Example: `mcp10x/values.yaml`¶

app:
+  image:
+    repository: ghcr.io/fortedigital/10x
+    tag: 2.0.4                  # Updated by CI/CD
+
+  extraEnv:
+  - name: PORT
+    value: "3000"
+  - name: SKILLS_DIR
+    value: "/app/skills"
+  - name: FLOWCASE_ENDPOINT
+    value: "https://forte.cvpartner.com/api/"
+
+  envSecretName: "app-credentials"
+
+auth:
+  enabled: false
+  tokens:
+  - d4f88f6d9292c10cc3e21c4aad56d2be485db532b54fe961d738e1137d247823
+
+ingress:
+  enabled: true
+  host: mcp10x.forteapps.net
+

Helm Chart Reference¶

Template Functions¶

`forteapp.fullname`¶

{{ include "forteapp.fullname" . }}
+# Output: <release-name>
+

`forteapp.labels`¶

{{ include "forteapp.labels" . }}
+# Output:
+# app.kubernetes.io/name: forteapp
+# app.kubernetes.io/instance: <release-name>
+# app.kubernetes.io/version: <chart-version>
+# app.kubernetes.io/managed-by: Helm
+

`forteapp.selectorLabels`¶

{{ include "forteapp.selectorLabels" . }}
+# Output:
+# app.kubernetes.io/name: forteapp
+# app.kubernetes.io/instance: <release-name>
+

Deployment Specification¶

apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "forteapp.fullname" . }}
+  labels:
+    {{- include "forteapp.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.app.replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "forteapp.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      annotations:
+        policies.forteapps.io/auth: {{ .Values.auth.enabled | quote }}
+      labels:
+        {{- include "forteapp.selectorLabels" . | nindent 8 }}
+    spec:
+      containers:
+      - name: app
+        image: "{{ .Values.app.image.repository }}:{{ .Values.app.image.tag }}"
+        imagePullPolicy: {{ .Values.app.image.pullPolicy }}
+        ports:
+        - name: http
+          containerPort: {{ .Values.app.image.containerPort }}
+        env:
+        - name: NODE_ENV
+          value: {{ .Values.app.nodeEnv | quote }}
+        {{- with .Values.app.extraEnv }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+        {{- if .Values.app.envSecretName }}
+        envFrom:
+        - secretRef:
+            name: {{ .Values.app.envSecretName }}
+        {{- end }}
+        resources:
+          {{- toYaml .Values.app.resources | nindent 10 }}
+        securityContext:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+

IngressRoute Specification¶

apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: {{ include "forteapp.fullname" . }}
+spec:
+  entryPoints:
+  - {{ .Values.ingress.entrypoint }}
+  routes:
+  - match: Host(`{{ .Values.ingress.host }}`)
+    kind: Rule
+    services:
+    - name: {{ include "forteapp.fullname" . }}
+      port: {{ .Values.service.port }}
+  {{- if .Values.ingress.tls.enabled }}
+  tls:
+    secretName: {{ default .Release.Name .Values.ingress.tls.secretName }}-tls
+  {{- end }}
+

Certificate Specification¶

apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ include "forteapp.fullname" . }}-tls
+spec:
+  secretName: {{ default .Release.Name .Values.ingress.tls.secretName }}-tls
+  issuerRef:
+    name: {{ .Values.ingress.tls.clusterIssuer }}
+    kind: ClusterIssuer
+  dnsNames:
+  - {{ .Values.ingress.host }}
+

ArgoCD Configuration¶

Application Manifest Schema¶

apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: <app-name>
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "1"
+    notifications.argoproj.io/subscribe.on-sync-succeeded.slack: ""
+    notifications.argoproj.io/subscribe.on-sync-failed.slack: ""
+    notifications.argoproj.io/subscribe.on-degraded.slack: ""
+  labels:
+    app.kubernetes.io/name: <app-name>
+    app.kubernetes.io/part-of: apps
+    app.kubernetes.io/managed-by: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+
+spec:
+  project: default
+
+  # Multi-source configuration
+  sources:
+  - repoURL: https://github.com/fortedigital/forte-helm
+    path: forteapp
+    targetRevision: HEAD
+    helm:
+      valueFiles:
+      - $values/<app-name>/values.yaml
+
+  - repoURL: git@github.com:fortedigital/helm-values.git
+    targetRevision: HEAD
+    ref: values
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: <app-name>
+
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+      allowEmpty: false
+
+    syncOptions:
+    - CreateNamespace=true
+    - Validate=true
+    - ServerSideApply=true
+    - Replace=false
+
+    retry:
+      limit: 5
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m
+
+  ignoreDifferences:
+  - group: apps
+    kind: Deployment
+    jsonPointers:
+    - /spec/replicas
+

Sync Waves¶

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Wave	Components	Purpose
`-1`	Namespaces	Create namespaces first
`0`	Kyverno	Install policy engine
`1`	Cluster resources, infrastructure	Base infrastructure
`2+`	Applications	Business applications

Sync Options¶

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Option	Description
`CreateNamespace=true`	Automatically create target namespace
`Validate=true`	Validate resources before applying
`ServerSideApply=true`	Use server-side apply (safer)
`Replace=false`	Don't use kubectl replace
`Prune=true`	Delete resources not in Git

Retry Policy¶

retry:
+  limit: 5                 # Max retry attempts
+  backoff:
+    duration: 5s           # Initial backoff
+    factor: 2              # Exponential factor
+    maxDuration: 3m        # Max backoff time
+

Retry Schedule: +1. 5 seconds +2. 10 seconds +3. 20 seconds +4. 40 seconds +5. 80 seconds (capped at 3 minutes)

Infrastructure Components¶

Traefik¶

Chart: traefik/traefik +Version: Latest +Namespace: traefik

Configuration: +

# infra/base/traefik-application.yaml
+replicas: 2
+
+service:
+  type: LoadBalancer
+
+ingressRoute:
+  dashboard:
+    enabled: false
+
+ports:
+  web:
+    redirectTo: websecure  # HTTP → HTTPS redirect
+  websecure:
+    tls:
+      enabled: true
+

Endpoints: +- HTTP: :80 → Redirects to HTTPS +- HTTPS: :443

Cert-Manager¶

Chart: jetstack/cert-manager +Namespace: cert-manager

ClusterIssuer: +

apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-prod
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: admin@forteapps.net
+    privateKeySecretRef:
+      name: letsencrypt-prod-key
+    solvers:
+    - http01:
+        ingress:
+          class: traefik
+

Kyverno¶

Chart: kyverno/kyverno +Namespace: kyverno

Policies: +- Secret cloner +- Default namespace blocker +- Bare pod cleaner +- ReplicaSet cleaner +- Deployment verifier +- Auth sidecar injector

Sealed Secrets¶

Chart: sealed-secrets/sealed-secrets-controller +Namespace: kube-system

Public Certificate: +

kubeseal --fetch-cert \
+  --controller-name=sealed-secrets-controller \
+  --controller-namespace=kube-system \
+  > pub-cert.pem
+

Prometheus¶

Chart: prometheus-community/prometheus +Namespace: monitoring

Configuration: +

server:
+  persistentVolume:
+    enabled: true
+    size: 10Gi
+
+alertmanager:
+  enabled: false
+
+nodeExporter:
+  enabled: true
+
+kubeStateMetrics:
+  enabled: true
+

Grafana¶

Chart: grafana/grafana +Namespace: monitoring

Datasources: +- Prometheus +- Loki +- Tempo

Loki¶

Chart: grafana/loki-stack +Namespace: monitoring

Configuration: +

loki:
+  persistence:
+    enabled: true
+    size: 10Gi
+
+promtail:
+  enabled: false  # Using Fluent-Bit instead
+

Tempo¶

Chart: grafana/tempo +Version: 1.24.4 +Namespace: monitoring

Purpose: Distributed tracing backend receiving OTLP traces from Traefik and other instrumented services.

Configuration: +

tempo:
+  storage:
+    trace:
+      backend: local
+      local:
+        path: /var/tempo/traces
+  receivers:
+    otlp:
+      protocols:
+        grpc:
+          endpoint: "0.0.0.0:4317"
+        http:
+          endpoint: "0.0.0.0:4318"
+
+persistence:
+  enabled: true
+  size: 10Gi
+

Endpoints: +- gRPC OTLP receiver: :4317 +- HTTP OTLP receiver: :4318 +- Query API: :3200

Grafana Integration: +- Trace-to-logs correlation with Loki (by namespace, pod, container) +- Trace-to-metrics correlation with Prometheus (by service name) +- Service graph and node graph visualization

Fluent-Bit¶

Chart: fluent/fluent-bit +Namespace: monitoring

Output: Loki

Gitea¶

Chart: gitea/gitea +Version: 12.5.0 (app v1.25.4) +Namespace: gitea

Purpose: Self-hosted Git repository hosting with pull requests, issues, CI/CD (Gitea Actions), container registry, and package registry.

Configuration: +

# infra/base/gitea.yaml + infra/values/base/gitea-values.yaml
+ingress:
+  host: git.forteapps.net
+  tls: cert-manager (letsencrypt-prod)
+
+gitea:
+  admin:
+    existingSecret: gitea-credentials
+  config:
+    service:
+      DISABLE_REGISTRATION: true
+      ALLOW_ONLY_EXTERNAL_REGISTRATION: true
+    actions:
+      ENABLED: true
+    packages:
+      ENABLED: true
+    metrics:
+      ENABLED: true
+
+postgresql:
+  enabled: true
+  persistence: 8Gi (upcloud-block-storage-maxiops)
+

Authentication: Keycloak OIDC via forte realm (client ID: gitea). Protocol mapper: email_verified hardcoded claim (true, boolean) on ID token, Access token, and Userinfo.

Endpoints: +- Web UI: https://git.forteapps.net +- SSH: port 22 (ClusterIP) +- Metrics: /metrics (Prometheus scrape)

Secrets: gitea-credentials (SealedSecret) containing admin-password, postgres-password, secret (OIDC client secret)

Gitea Actions Runners¶

Chart: actions (from https://dl.gitea.com/charts) +Namespace: gitea +Sync Wave: 2 (deploys after Gitea)

Purpose: Act runners execute Gitea Actions CI/CD workflows. Deployed as a StatefulSet with a Docker-in-Docker sidecar for container-based job execution.

Configuration: +

# infra/base/gitea-actions.yaml + infra/values/base/gitea-actions-values.yaml
+replicaCount: 3
+
+runner:
+  labels:
+    - "ubuntu-latest:docker://node:20-bookworm"
+    - "ubuntu-22.04:docker://node:20-bookworm"
+  existingSecret: gitea-runner-token
+
+gitea:
+  instance:
+    url: http://gitea-http.gitea.svc.cluster.local:3000
+
+dind:
+  enabled: true  # Docker-in-Docker sidecar (privileged)
+

Resources:

+ + + + + + + + + + + + + + + + + + + + + + + + + + +

Container	CPU Request	Memory Request	CPU Limit	Memory Limit
Runner	250m	256Mi	1	1Gi
DinD sidecar	250m	256Mi	1	1Gi

Secrets: gitea-runner-token (SealedSecret) containing token (instance-level runner registration token from /admin/runners)

Setup Steps: +1. Get runner registration token from Gitea admin panel (/admin/runners) +2. Fill in private/gitea-runner-token.yaml with the token +3. Seal: kubeseal --format yaml < private/gitea-runner-token.yaml > secrets/gitea-runner-token-sealed.yaml +4. Commit and push — ArgoCD deploys runners automatically

Verification: +- kubectl get statefulset -n gitea — 3/3 runners ready +- Gitea admin panel (/admin/runners) — runners show as Online +- Create test workflow in .gitea/workflows/test.yml — job executes

Keycloak Client Registrar¶

Type: CronJob (deployed via Keycloak Helm chart extraDeploy) +Namespace: keycloak +Schedule: */2 * * * * (every 2 minutes)

Purpose: Handles two responsibilities: +1. Legacy sync — extracts secrets from Keycloak clients with k8s.secret.sync: "true" attribute (same as former PostSync syncer) +2. Self-service registration — processes config Secrets (cloned by Kyverno) to register new OIDC clients and sync their credentials

How It Works:

Legacy path (existing clients like Gitea): +1. Authenticates to Keycloak Admin API using admin credentials from keycloak-credentials secret +2. Queries all clients in the forte realm +3. Filters clients with k8s.secret.sync: "true" attribute +4. For each matching client, retrieves the auto-generated secret via Keycloak Admin API +5. Creates/updates a K8s Secret in the target namespace (from k8s.secret.namespace attribute) +6. Always writes a central copy to the secrets namespace

Self-service path (new clients): +1. Lists Secrets in keycloak namespace with label keycloak.forteapps.net/client-config=true +2. For each config Secret, parses client.json and computes a config hash +3. Skips if hash matches annotation and credential Secret already exists +4. Creates or updates the Keycloak client via Admin API +5. Fetches the generated client secret +6. Upserts credential Secret in target namespace + central secrets namespace +7. Annotates config Secret with sync status, config hash, and timestamp

Resources: +- ServiceAccount: keycloak-client-registrar (namespace: keycloak) +- ClusterRole: keycloak-client-registrar (secrets: get/list/create/update/patch; namespaces: get/list) +- ClusterRoleBinding: keycloak-client-registrar +- CronJob: keycloak-client-registrar

Kyverno Policy: keycloak-client-config-cloner — clones labeled Secrets from app namespaces to keycloak namespace (see Kyverno Policies)

Legacy Client Attributes (set in forte-realm.json):

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Attribute	Required	Default	Description
`k8s.secret.sync`	Yes	—	Set to `"true"` to enable syncing
`k8s.secret.namespace`	Yes	—	Target K8s namespace
`k8s.secret.name`	Yes	—	Name of the K8s Secret
`k8s.secret.client-id-key`	No	`client-id`	Field name for client ID in the Secret
`k8s.secret.client-secret-key`	No	`client-secret`	Field name for client secret in the Secret

Self-Service Config Secret Schema: +

apiVersion: v1
+kind: Secret
+metadata:
+  name: keycloak-client-<app>
+  namespace: <app-namespace>
+  labels:
+    keycloak.forteapps.net/client-config: "true"
+stringData:
+  client.json: |
+    {
+      "clientId": "<app>",
+      "name": "<App Name>",
+      "redirectUris": ["https://<app>.forteapps.net/*"],
+      "webOrigins": ["https://<app>.forteapps.net"],
+      "defaultClientScopes": ["openid", "email", "profile"],
+      "protocolMappers": [],
+      "secret": {
+        "namespace": "<app-namespace>",
+        "name": "<app>-oidc-credentials",
+        "keys": { "clientId": "client-id", "clientSecret": "client-secret" }
+      }
+    }
+

Created Credential Secret Format: +

apiVersion: v1
+kind: Secret
+metadata:
+  name: <target-name>
+  namespace: <target-namespace>
+  labels:
+    app.kubernetes.io/managed-by: keycloak-client-registrar
+type: Opaque
+data:
+  <client-id-key>: <base64-encoded client ID>
+  <client-secret-key>: <base64-encoded client secret>
+

Config Secret Annotations (set by registrar):

+ + + + + + + + + + + + + + + + + + + + + +

Annotation	Description
`keycloak.forteapps.net/config-hash`	SHA-256 hash of client.json for change detection
`keycloak.forteapps.net/sync-status`	`synced` or `error`
`keycloak.forteapps.net/last-sync`	ISO 8601 timestamp of last successful sync

Verification: +

# Check CronJob status
+kubectl get cronjobs -n keycloak
+
+# View latest registrar logs
+kubectl logs -n keycloak job/$(kubectl get jobs -n keycloak --sort-by=.metadata.creationTimestamp -o jsonpath='{.items[-1].metadata.name}')
+
+# Verify created secret
+kubectl get secret <name> -n <namespace> -o yaml
+
+# Check config Secret annotations (self-service)
+kubectl get secret keycloak-client-<app> -n keycloak -o jsonpath='{.metadata.annotations}'
+

See: Developer Guide - Adding a New Keycloak Client

Renovate¶

Chart: renovate (OCI: ghcr.io/renovatebot/charts) +Version: 46.109.0 (app v43.113.0) +Namespace: renovate +Sync Wave: 2

Purpose: Automated dependency update bot. Runs as a CronJob that scans Gitea repositories for outdated dependencies and creates pull requests with updates.

Configuration: +

# infra/base/renovate.yaml + infra/values/base/renovate-values.yaml
+cronjob:
+  schedule: "@daily"
+  concurrencyPolicy: Forbid
+
+renovate:
+  config:
+    platform: gitea
+    endpoint: https://git.forteapps.net
+    autodiscover: true
+    gitAuthor: "Renovate Bot <renovate@forteapps.net>"
+    packageRules:
+      - matchRepositories: ["**/10x"]
+        assignees: ["edvard.unsvag"]
+        reviewers: ["edvard.unsvag"]
+      - matchRepositories: ["**/auth-sidecar"]
+        assignees: ["danijel.simeunovic"]
+        reviewers: ["danijel.simeunovic"]
+      - matchRepositories: ["**/forte-helm"]
+        assignees: ["danijel.simeunovic"]
+        reviewers: ["danijel.simeunovic"]
+
+resources:
+  requests: { cpu: 500m, memory: 1Gi }
+  limits: { cpu: "2", memory: 4Gi }
+

Note: Assignees and reviewers are only applied at PR creation time. Existing PRs must be closed and recreated for new assignment rules to take effect.

Secrets: renovate-env (SealedSecret in secrets namespace, cloned by Kyverno) containing: +- RENOVATE_TOKEN — Gitea PAT with repo write + issue write permissions +- RENOVATE_GITHUB_COM_TOKEN — GitHub PAT (public_repo read-only) for changelog fetching

Setup Steps: +1. Fill in private/renovate-env.yaml with tokens +2. Seal: kubeseal --format yaml < private/renovate-env.yaml > secrets/renovate-env-sealed.yaml +3. Commit and push — ArgoCD deploys the CronJob, Kyverno clones the secret

Verification: +- kubectl get cronjob -n renovate — CronJob exists +- kubectl create job --from=cronjob/renovate renovate-test -n renovate — manual trigger +- kubectl logs -n renovate job/renovate-test — check logs

Gitea Pages¶

Purpose: Hosts the MkDocs documentation site for this repository.

How It Works: +- A Gitea Actions workflow (.gitea/workflows/docs.yaml) builds MkDocs on push to main +- The built site is force-pushed to the gitea-pages branch +- Gitea serves the static site from that branch

URL: https://git.forteapps.net/Forte/launchpad/pages/

Configuration: +- Gitea server config: ENABLE_GITEA_PAGES: true (in gitea-values.yaml) +- MkDocs config: mkdocs.yml (repo root) +- Source files: docs/ directory +- Theme: Material for MkDocs

Trigger Paths: +- docs/** +- mkdocs.yml +- Dockerfile.docs +- nginx.conf

Kyverno Policies¶

Secret Cloner¶

File: cluster-resources/policies/secret-cloner.yaml

Purpose: Automatically clone secrets from secrets namespace to new namespaces

apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: sync-secret-with-multi-clone
+spec:
+  rules:
+  - name: clone-secret
+    match:
+      any:
+      - resources:
+          kinds:
+          - Namespace
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: "{{ request.object.metadata.name }}"
+      namespace: "{{ request.object.metadata.name }}"
+      synchronize: true
+      clone:
+        namespace: secrets
+        name: shared-credentials
+

Label Requirement: Secrets must have allowedToBeCloned: "true"

Keycloak Client Config Cloner¶

File: cluster-resources/policies/keycloak-client-cloner.yaml

Purpose: Clones Secrets labeled keycloak.forteapps.net/client-config: "true" from app namespaces to the keycloak namespace. This allows apps to declare their OIDC client configuration in their own namespace, which the Keycloak Client Registrar then processes.

Trigger: Any Secret with label keycloak.forteapps.net/client-config: "true" created outside the keycloak namespace.

Behavior: +- Generates a copy of the Secret in the keycloak namespace with the same name +- Adds source tracking annotations (keycloak.forteapps.net/source-namespace, keycloak.forteapps.net/source-name) +- synchronize: true — changes to the source Secret are reflected in the clone

Default Namespace Blocker¶

File: cluster-resources/policies/default-ns-blocker.yaml

Purpose: Prevent resources from being created in default namespace

apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: disallow-default-namespace
+spec:
+  validationFailureAction: enforce
+  rules:
+  - name: validate-namespace
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+          - Deployment
+          - Service
+    validate:
+      message: "Using 'default' namespace is not allowed"
+      pattern:
+        metadata:
+          namespace: "!default"
+

Bare Pod Cleaner¶

File: cluster-resources/policies/bare-pod-cleaner.yaml

Purpose: Delete pods without ownerReferences (not managed by Deployment/StatefulSet)

apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: cleanup-bare-pods
+spec:
+  rules:
+  - name: delete-bare-pod
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+    preconditions:
+      all:
+      - key: "{{ request.object.metadata.ownerReferences[] || '' }}"
+        operator: Equals
+        value: ""
+    validate:
+      message: "Bare pods (without controllers) are not allowed"
+      deny: {}
+

Auth Sidecar Injector¶

File: cluster-resources/policies/auth-sidecar-injector.yaml

Purpose: Automatically inject authentication sidecar into pods with authentication enabled

Rules: 6 rules in the policy +1. generate-auth-tokens-secret - Creates Secret for token mode +2. generate-auth-oidc-secret - Creates Secret for OIDC mode +3. inject-sidecar-token - Injects auth sidecar for token mode +4. inject-sidecar-oidc - Injects auth sidecar for OIDC mode +5. inject-sidecar-mcp - Injects auth sidecar for MCP OAuth mode (RFC 9728 / RFC 7591) +6. generate-auth-network-policy - Creates NetworkPolicy to restrict ingress

Trigger Annotation¶

policies.forteapps.io/auth: "true"
+

Authentication Modes¶

Token Mode (default): +

# Annotations
+policies.forteapps.io/auth: "true"
+policies.forteapps.io/auth-type: "token"
+policies.forteapps.io/auth-token-secret-name: "auth-tokens"
+policies.forteapps.io/auth-upstream-url: "http://localhost:3000"
+
+# Optional customization
+policies.forteapps.io/auth-image: "ghcr.io/fortedigital/auth-sidecar"
+policies.forteapps.io/auth-image-version: "latest"
+

OIDC Mode: +

# Annotations (required)
+policies.forteapps.io/auth: "true"
+policies.forteapps.io/auth-type: "oidc"
+policies.forteapps.io/auth-oidc-authority: "https://auth.example.com/realms/master"
+policies.forteapps.io/auth-oidc-client-id: "myapp"
+
+# Optional annotations
+policies.forteapps.io/auth-oidc-callback-path: "/auth/callback"
+policies.forteapps.io/auth-oidc-scopes: "openid,profile,email"
+policies.forteapps.io/auth-upstream-url: "http://localhost:3000"
+policies.forteapps.io/auth-image: "ghcr.io/fortedigital/auth-sidecar"
+policies.forteapps.io/auth-image-version: "latest"
+

MCP Mode (OAuth 2.0 for MCP servers, implements RFC 9728 / RFC 7591): +

# Annotations (required)
+policies.forteapps.io/auth: "true"
+policies.forteapps.io/auth-type: "mcp"
+policies.forteapps.io/auth-mcp-resource: "https://mcp.example.com"
+policies.forteapps.io/auth-mcp-authority: "https://auth.example.com"
+
+# Optional annotations
+policies.forteapps.io/auth-mcp-scopes: "read,write"
+policies.forteapps.io/auth-upstream-url: "http://localhost:3000"
+policies.forteapps.io/auth-log-level: "info"
+policies.forteapps.io/auth-image: "ghcr.io/fortedigital/auth-sidecar"
+policies.forteapps.io/auth-image-version: "latest"
+

Sidecar Container Specification¶

Token Mode: +

name: authn
+image: ghcr.io/fortedigital/auth-sidecar:latest
+ports:
+- containerPort: 8080
+  name: auth
+  protocol: TCP
+env:
+- name: AUTH_MODE
+  value: "token"
+- name: AUTH_LISTEN_ADDR
+  value: ":8080"
+- name: AUTH_UPSTREAM_URL
+  value: "http://localhost:3000"
+- name: AUTH_TOKEN_FILE
+  value: "/etc/auth/tokens"
+volumeMounts:
+- name: auth-tokens
+  mountPath: /etc/auth
+  readOnly: true
+resources:
+  requests:
+    cpu: 10m
+    memory: 32Mi
+  limits:
+    cpu: 50m
+    memory: 64Mi
+securityContext:
+  allowPrivilegeEscalation: false
+  readOnlyRootFilesystem: true
+  capabilities:
+    drop: [ALL]
+

OIDC Mode: +

name: authn
+image: ghcr.io/fortedigital/auth-sidecar:latest
+ports:
+- containerPort: 8080
+  name: auth
+  protocol: TCP
+env:
+- name: AUTH_MODE
+  value: "oidc"
+- name: AUTH_LISTEN_ADDR
+  value: ":8080"
+- name: AUTH_UPSTREAM_URL
+  value: "http://localhost:3000"
+- name: AUTH_OIDC_AUTHORITY
+  value: "https://auth.example.com/realms/master"
+- name: AUTH_OIDC_CLIENT_ID
+  value: "myapp"
+- name: AUTH_OIDC_CALLBACK_PATH
+  value: "/auth/callback"
+- name: AUTH_OIDC_SCOPES
+  value: "openid,profile,email"
+- name: AUTH_OIDC_COOKIE_SECRET
+  valueFrom:
+    secretKeyRef:
+      name: auth-oidc
+      key: cookie-secret
+- name: AUTH_OIDC_CLIENT_SECRET
+  valueFrom:
+    secretKeyRef:
+      name: auth-oidc
+      key: client-secret
+resources:
+  requests:
+    cpu: 10m
+    memory: 32Mi
+  limits:
+    cpu: 50m
+    memory: 64Mi
+securityContext:
+  allowPrivilegeEscalation: false
+  readOnlyRootFilesystem: true
+  capabilities:
+    drop: [ALL]
+

MCP Mode: +

name: authn
+image: ghcr.io/fortedigital/auth-sidecar:latest
+ports:
+- containerPort: 8080
+  name: auth
+  protocol: TCP
+env:
+- name: AUTH_MODE
+  value: "mcp"
+- name: AUTH_LISTEN_ADDR
+  value: ":8080"
+- name: AUTH_LOG_LEVEL
+  value: "info"
+- name: AUTH_UPSTREAM_URL
+  value: "http://localhost:3000"
+- name: AUTH_MCP_RESOURCE
+  value: "https://mcp.example.com"
+- name: AUTH_MCP_AUTHORIZATION_SERVERS
+  value: "https://auth.example.com"
+- name: AUTH_MCP_SCOPES_SUPPORTED
+  value: "read,write"
+resources:
+  requests:
+    cpu: 10m
+    memory: 32Mi
+  limits:
+    cpu: 50m
+    memory: 64Mi
+securityContext:
+  allowPrivilegeEscalation: false
+  readOnlyRootFilesystem: true
+  capabilities:
+    drop: [ALL]
+

Generated Resources¶

Secret (Token Mode): +

apiVersion: v1
+kind: Secret
+metadata:
+  name: auth-tokens
+  namespace: <app-namespace>
+  labels:
+    app.kubernetes.io/managed-by: kyverno
+    app.kubernetes.io/created-by: inject-auth-sidecar
+type: Opaque
+data: {}  # Populated by Helm chart
+

Secret (OIDC Mode): +

apiVersion: v1
+kind: Secret
+metadata:
+  name: auth-oidc
+  namespace: <app-namespace>
+  labels:
+    app.kubernetes.io/managed-by: kyverno
+    app.kubernetes.io/created-by: inject-auth-sidecar
+type: Opaque
+data:
+  client-secret: <base64>
+  cookie-secret: <base64>
+

NetworkPolicy: +

apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: <pod-name>-auth-ingress
+  namespace: <app-namespace>
+  labels:
+    app.kubernetes.io/managed-by: kyverno
+    app.kubernetes.io/created-by: inject-auth-sidecar
+spec:
+  podSelector:
+    matchLabels: <pod-labels>
+  policyTypes:
+  - Ingress
+  ingress:
+  - ports:
+    - port: 8080
+      protocol: TCP
+

Excluded Namespaces¶

The policy does NOT apply to: +- kube-system +- kyverno +- argocd +- cert-manager +- monitoring

Health Checks¶

readinessProbe:
+  httpGet:
+    path: /healthz
+    port: 8080
+  initialDelaySeconds: 2
+  periodSeconds: 5
+
+livenessProbe:
+  httpGet:
+    path: /healthz
+    port: 8080
+  initialDelaySeconds: 5
+  periodSeconds: 10
+

Request Flow¶

External Request → Traefik
+    ↓
+Service (port 8080)
+    ↓
+Pod: Auth Sidecar (port 8080)
+    ├─ Validate credentials
+    │  • Token mode: Check Bearer token
+    │  • OIDC mode: Validate session or redirect to IdP
+    │  • MCP mode: OAuth 2.0 via RFC 9728 discovery / RFC 7591 dynamic registration
+    ↓
+Forward to Application (localhost:3000)
+    ↓
+Application processes request
+

See: Developer Guide - Enabling Authentication for usage examples.

Configuration Reference¶

Environment Variables¶

Common environment variables used across applications:

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Variable	Purpose	Example
`NODE_ENV`	Node.js environment	`production`
`PORT`	Application port	`3000`
`DB_HOST`	Database host	`postgres`
`DB_PORT`	Database port	`5432`
`DB_USER`	Database user	`app_user`
`DB_NAME`	Database name	`app_db`
`DB_PASSWORD`	Database password	From secret
`API_KEY`	External API key	From secret

Resource Limits¶

Recommended resource allocation:

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Application Type	CPU Request	Memory Request	CPU Limit	Memory Limit
Lightweight API	100m	128Mi	500m	512Mi
Standard Web App	200m	256Mi	1000m	1Gi
Heavy Processing	500m	512Mi	2000m	2Gi
Database	250m	256Mi	1000m	1Gi

Storage Classes¶

Default storage class used: UpCloud default (varies by provider)

persistence:
+  enabled: true
+  storageClass: ""     # Uses default
+  accessMode: ReadWriteOnce
+  size: 5Gi
+

API Endpoints¶

ArgoCD API¶

# Server
+https://argocd.127.0.0.1.nip.io
+
+# Applications endpoint
+GET /api/v1/applications
+
+# Application details
+GET /api/v1/applications/{name}
+
+# Sync application
+POST /api/v1/applications/{name}/sync
+

Prometheus API¶

# Query endpoint
+GET /api/v1/query?query={promql}
+
+# Query range
+GET /api/v1/query_range?query={promql}&start={time}&end={time}&step={duration}
+
+# Metrics
+GET /api/v1/label/__name__/values
+

Tempo API¶

# Search traces
+GET /api/search?q={traceql}
+
+# Get trace by ID
+GET /api/traces/{traceID}
+
+# Service tag values
+GET /api/v2/search/tag/resource.service.name/values
+

Loki API¶

# Query logs
+GET /loki/api/v1/query?query={logql}
+
+# Query range
+GET /loki/api/v1/query_range?query={logql}&start={time}&end={time}
+
+# Push logs
+POST /loki/api/v1/push
+

Glossary¶

Terms¶

App-of-Apps: ArgoCD pattern where a parent Application manages child Applications

GitOps: Operations approach where Git is the single source of truth

IngressRoute: Traefik CRD for routing external traffic to services

Multi-Source: ArgoCD feature allowing multiple Git sources per Application

SealedSecret: Encrypted secret that can be safely stored in Git

Sync Wave: Ordered deployment using annotations

Self-Heal: ArgoCD automatically reverts manual cluster changes

Prune: Automatically delete resources removed from Git

Annotations Reference¶

ArgoCD Annotations¶

# Sync wave (deployment order)
+argocd.argoproj.io/sync-wave: "1"
+
+# Refresh application
+argocd.argoproj.io/refresh: "hard"
+
+# Compare options
+argocd.argoproj.io/compare-options: IgnoreExtraneous
+
+# Sync options per resource
+argocd.argoproj.io/sync-options: Prune=false
+

Kyverno Annotations¶

# Exclude from policy
+policies.kyverno.io/exclude: "true"
+
+# Severity
+policies.kyverno.io/severity: high
+

Custom Annotations¶

# Authentication enabled
+policies.forteapps.io/auth: "true"
+
+# OIDC configuration
+policies.forteapps.io/auth-oidc-authority: "https://..."
+policies.forteapps.io/auth-oidc-client-id: "client-id"
+

Labels Reference¶

Standard Labels¶

# Application name
+app.kubernetes.io/name: myapp
+
+# Application instance
+app.kubernetes.io/instance: myapp
+
+# Application version
+app.kubernetes.io/version: "1.0.0"
+
+# Component type
+app.kubernetes.io/component: frontend
+
+# Part of larger application
+app.kubernetes.io/part-of: ecommerce
+
+# Managed by
+app.kubernetes.io/managed-by: argocd
+

Custom Labels¶

# Allow secret cloning
+allowedToBeCloned: "true"
+
+# Environment
+environment: production
+
+# Team ownership
+team: platform
+

Version Matrix¶

Component Versions¶

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Component	Version	Chart Version
ArgoCD	2.9.0+	Latest
Traefik	2.10.0+	Latest
Cert-Manager	1.13.0+	Latest
Kyverno	1.10.0+	Latest
Sealed Secrets	0.24.0+	Latest
Prometheus	2.47.0+	Latest
Grafana	10.0.0+	Latest
Loki	2.9.0+	Latest
Tempo	2.6.0+	1.24.4
Fluent-Bit	2.1.0+	Latest
Gitea	1.25.4	12.5.0
Gitea Act Runner	Latest	Latest
Renovate	v43.113.0	46.109.0
PostgreSQL	16-alpine	N/A
Trivy	Latest	Latest

Kubernetes Compatibility¶

Minimum: 1.24+
Tested: 1.28+
Recommended: Latest stable

Last Updated: 2026-04-16 +Maintained By: Platform Team +Version: 1.0.0

+ + + + + + + + + + + + + +

+ + + +

404 - Not found

Developer Onboarding Guide¶

Table of Contents¶

Getting Started¶

What You'll Learn¶

Who This Guide Is For¶

Prerequisites¶

Required Knowledge¶

Required Tools¶

Repository Access¶

Cluster Access (If Needed)¶

Local Development Setup¶

1. Clone the Repositories¶

2. Local Development Environment¶

3. Understanding the Deployment Flow¶

Understanding the Workflow¶

Three-Repository Pattern¶

Example: Deploying "myapp"¶

Repository: forte-helm (Chart Templates)¶

Repository: helm-values (Your App Config)¶

Repository: launchpad (ArgoCD Application)¶

Deploying Your First Application¶

Scenario: You've Built a New Application¶

Step 1: Prepare Your Application Repository¶

Step 2: Create Helm Values¶

Step 3: Create ArgoCD Application Manifest¶

Step 4: Verify Deployment¶

Step 5: Access Your Application¶

Updating an Existing Application¶

Scenario: Deploying a Code Change¶

Method 1: Automatic (Recommended)¶

Method 2: Manual Image Tag Update¶

Method 3: Configuration Changes¶

Method 4: Application Manifest Changes¶

Working with Secrets¶

Understanding Secret Management¶

Creating a New Secret¶

Step 1: Create Plain Secret Locally¶

Step 2: Seal the Secret¶

Step 3: Commit Sealed Secret¶

Step 4: Reference Secret in Application¶

Updating a Secret¶

Secret Best Practices¶

Where Secrets Are Stored¶

Enabling Authentication for Applications¶

How It Works¶

Authentication Modes¶

Token-Based Authentication¶

Step 1: Configure Helm Values¶

Step 2: Generate Token (if needed)¶

Step 3: Deploy Application¶

Step 4: Access Application¶

Advanced: Custom Secret Name¶

OIDC Authentication¶

Step 1: Configure Identity Provider¶

Step 2: Create OIDC Secret¶

Step 3: Configure Helm Values¶

Step 4: Deploy Application¶

Step 5: Access Application¶

Authentication Configuration Reference¶

Helm Values Schema¶

Annotations Set by Helm Chart¶

Sidecar Configuration¶

Advanced: Custom Sidecar Image¶

Authentication Examples¶

Example 1: Internal API with Token Auth¶

Example 2: User-Facing App with OIDC¶

Example 3: MCP Server with OAuth 2.0¶

Example 4: Disabling Authentication¶

Troubleshooting Authentication¶

Issue: 401 Unauthorized (Token Mode)¶

Issue: OIDC Login Loop¶

Issue: Auth Sidecar Not Injected¶

Issue: Auth Sidecar Crashes¶

Authentication Best Practices¶

Adding a New Keycloak Client¶

Self-Service OIDC Client Registration¶

How It Works¶

Step 1: Create the Config Secret¶

Step 2: Reference the Credential Secret¶

Repository: `forte-helm` (Chart Templates)¶

Repository: `helm-values` (Your App Config)¶

Repository: `launchpad` (ArgoCD Application)¶