GitOps - single cluster

This guide details how to set up a GitOps environment for Service Mesh Manager using Argo CD. The same principles can be used for other tools as well.

Architecture

The high level architecture for Argo CD with a single-cluster Service Mesh Manager consists of the following components:

  • A git repository that stores the various charts and manifests,
  • a management cluster that runs the Argo CD server, and
  • the Service Mesh Manager cluster managed by Argo CD.

Figure: Service Mesh Manager GitOps architecture

Prerequisites

To complete this procedure, you need:

  • A free registration for the Service Mesh Manager download page
  • A Kubernetes cluster to deploy Argo CD on (called mgmt in the examples).
  • A Kubernetes cluster to deploy Service Mesh Manager on (called cluster-1 in the examples).

CAUTION:

Supported providers and Kubernetes versions

The cluster must run a Kubernetes version that Istio supports. For Istio 1.13.x, these are Kubernetes 1.19, 1.20, 1.21 and 1.22.

Service Mesh Manager is tested and known to work on the following Kubernetes providers:

  • Cisco Intersight Kubernetes Service (IKS)
  • Amazon Elastic Kubernetes Service (Amazon EKS)
  • Google Kubernetes Engine (GKE)
  • Azure Kubernetes Service (AKS)
  • On-premises installation of stock Kubernetes with load balancer support (and optionally PVCs for persistence)

Resource requirements:

Make sure that your Kubernetes cluster has sufficient resources. The default installation (with Service Mesh Manager and demo application) requires the following amount of resources on the cluster:

  • CPU:
    • 12 vCPU in total
    • 4 vCPU available for allocation per worker node
  • Memory:
    • 16 GB in total
    • 2 GB available for allocation per worker node
  • 12 GB of ephemeral storage on the Kubernetes worker nodes (for Traces and Metrics)

Note: These minimum requirements need to be available for allocation within your cluster, in addition to the requirements of any other loads running in your cluster (for example, DaemonSets and Kubernetes node-agents). If Kubernetes cannot allocate sufficient resources to Service Mesh Manager, some pods will remain in Pending state, and Service Mesh Manager will not function properly.

Enabling additional features, such as High Availability, increases these requirements.

The default installation, when enough headroom is available in the cluster, should be able to support at least 150 running Pods with the same number of Services. For setting up Service Mesh Manager for bigger workloads, see scaling Service Mesh Manager.

Procedure overview

The high-level steps of the procedure are:

  1. Install Argo CD and register the clusters
  2. Prepare the Git repository
  3. Deploy Service Mesh Manager

Install Argo CD

Complete the following steps to install Argo CD on the management cluster.

  1. Make sure that your Kubernetes context is set to the mgmt cluster.

    kubectl config get-contexts
    

    Expected output:

    CURRENT   NAME                 CLUSTER              AUTHINFO
            cluster-1            cluster-1            cluster-1
    *         mgmt                 mgmt                 mgmt
    
  2. Install the Argo CD Server. Run the following commands.

    kubectl create namespace argocd
    kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
    
  3. Wait until the installation is complete, then check that the Argo CD pods are up and running.

    kubectl get pods -n argocd
    

    The output should be similar to:

    NAME                                                    READY   STATUS    RESTARTS   AGE
    pod/argocd-application-controller-0                     1/1     Running   0          7h59m
    pod/argocd-applicationset-controller-78b8b554f9-pgwbl   1/1     Running   0          7h59m
    pod/argocd-dex-server-6bbc85c688-8p7zf                  1/1     Running   0          16h
    pod/argocd-notifications-controller-75847756c5-dbbm5    1/1     Running   0          16h
    pod/argocd-redis-f4cdbff57-wcpxh                        1/1     Running   0          7h59m
    pod/argocd-repo-server-d5c7f7ffb-c8962                  1/1     Running   0          7h59m
    pod/argocd-server-76497676b-pnvf4                       1/1     Running   0          7h59m
    
  4. For the Argo CD UI, set the argocd-server service type to LoadBalancer.

    kubectl patch svc argocd-server -n argocd -p '{"spec": {"type": "LoadBalancer"}}'
    
  5. Check the EXTERNAL-IP address of the argocd-server service by running:

    kubectl get svc -n argocd
    

    The output should be similar to:

    NAME                                      TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)                      AGE
    argocd-applicationset-controller          ClusterIP      10.108.6.106    <none>        7000/TCP,8080/TCP            7d13h
    argocd-dex-server                         ClusterIP      10.108.1.67     <none>        5556/TCP,5557/TCP,5558/TCP   7d13h
    argocd-metrics                            ClusterIP      10.108.7.191    <none>        8082/TCP                     7d13h
    argocd-notifications-controller-metrics   ClusterIP      10.108.4.120    <none>        9001/TCP                     7d13h
    argocd-redis                              ClusterIP      10.108.3.81     <none>        6379/TCP                     7d13h
    argocd-repo-server                        ClusterIP      10.108.2.194    <none>        8081/TCP,8084/TCP            7d13h
    argocd-server                             LoadBalancer   10.108.14.130   EXTERNAL-IP   80:31306/TCP,443:30063/TCP   7d13h
    argocd-server-metrics                     ClusterIP      10.108.11.82    <none>        8083/TCP                     7d13h
    
  6. Get the initial password for the admin user.

    kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d; echo
    
  7. Open the https://EXTERNAL-IP URL and log in to the Argo CD server using the password obtained in the previous step.

  8. Install Argo CD CLI on your computer. For details, see the Argo CD documentation.

  9. Log in with the CLI:

    argocd login <EXTERNAL-IP>
    

For more details about Argo CD installation, see the Argo CD getting started guide.

Register clusters

  1. Register the clusters that will run Service Mesh Manager in Argo CD. In this example, register cluster-1 using one of the following methods.

    • Register the cluster from the command line by running:

      argocd cluster add cluster-1
      
    • Alternatively, you can register clusters declaratively as Kubernetes secrets. Modify the following YAML file for your environment and apply it. For details, see the Argo CD documentation.

      apiVersion: v1
      kind: Secret
      metadata:
        name: cluster-1-secret
        labels:
          argocd.argoproj.io/secret-type: cluster
      type: Opaque
      stringData:
        name: cluster-1
        server: https://CLUSTER-1-IP
        config: |
          {
            "bearerToken": "<authentication token>",
            "tlsClientConfig": {
              "insecure": false,
              "caData": "<base64 encoded certificate>"
            }
          }
      
  2. Make sure that the cluster is registered in Argo CD by running the following command:

    argocd cluster list
    

    The output should be similar to:

    SERVER                          NAME           VERSION  STATUS   MESSAGE                                                  PROJECT
    https://CLUSTER-1-IP            cluster-1               Unknown  Cluster has no applications and is not being monitored.
    https://kubernetes.default.svc  mgmt                    Unknown  Cluster has no applications and is not being monitored.
    

Prepare Git repository

  1. Create an empty repository called smm-gitops on GitHub (or another provider that Argo CD supports) and initialize it with a README.md file so that you can clone the repository. Because Service Mesh Manager credentials will be stored in this repository, make it a private repository.

  2. Obtain a personal access token for the repository (on GitHub, see Creating a personal access token) that has the following permissions:

    • admin:org_hook
    • admin:repo_hook
    • read:org
    • read:public_key
    • repo

  3. Log in to git with your personal access token.

  4. Clone the repository into your local workspace, for example:

    git clone https://github.com/<your-github-username>/smm-gitops.git
    
  5. Add the repository to Argo CD by running the following command. Alternatively, you can add it on the Argo CD Web UI.

    argocd repo add https://github.com/<your-github-username>/smm-gitops.git --name smm-gitops-repo --username <your-github-username> --password <github-personal-access-token>
    
  6. Verify that the repository is connected by running:

    argocd repo list
    

    In the output, Status should be Successful:

    TYPE  NAME             REPO                                                      INSECURE  OCI    LFS    CREDS  STATUS      MESSAGE  PROJECT
    git   smm-gitops-repo  https://github.com/<your-github-username>/smm-gitops.git  false     false  false  true   Successful
    
  7. Change into the directory of the cloned repository (for example, smm-gitops) and create the following directories.

    mkdir -p charts apps manifests apps/smm-controlplane apps/smm-operator
    

    The final structure of the repository will look like this:

    .
    ├── README.md
    ├── apps
    │   ├── smm-controlplane
    │   │   └── app-controlplane-1.yaml
    │   └── smm-operator
    │       └── app-cluster-1.yaml
    ├── charts
    │   └── smm-operator
    │       ├── Chart.yaml
    │       ├── README.md
    │       ├── crds
    │       │   └── ...
    │       ├── templates
    │       │   └── ...
    │       └── values.yaml
    └── manifests
        └── smm-controlplane-1.yaml
    

Prepare the helm charts

  1. You need an active Service Mesh Manager registration to download the Service Mesh Manager charts and images. You can sign up for free, or obtain Enterprise credentials on the official Cisco Service Mesh Manager page. After registration, you can obtain your username and password on the download page.

  2. Activate your credentials by running the following command:

    SMM_REGISTRY_PASSWORD=<your-calisti-password> ./smm activate \
    --host=registry.eticloud.io \
    --prefix=smm \
    --user=<your-calisti-username>
    
  3. Download the smm-operator chart from registry.eticloud.io into the charts directory of your Service Mesh Manager GitOps repository and unpack it. Run the following commands:

    cd charts 
    
    export HELM_EXPERIMENTAL_OCI=1
    
    echo <calisti-password> | helm registry login registry.eticloud.io -u '<calisti-username>' --password-stdin
    
    helm pull oci://registry.eticloud.io/smm-charts/smm-operator --version 1.10.0 --untar
    

Deploy Service Mesh Manager

Deploy the smm-operator application

Complete the following steps to deploy the smm-operator chart using Argo CD.

  1. Navigate to the apps/smm-operator directory of your Service Mesh Manager GitOps repository.

    cd ../apps/smm-operator
    
  2. Create an Argo CD Application CR for smm-operator.

    1. Save the following YAML file as app-cluster-1.yaml in the <your-smm-gitops-repository>/apps/smm-operator directory.

      apiVersion: argoproj.io/v1alpha1
      kind: Application
      metadata:
        name: smm-operator
        namespace: argocd
        finalizers:
          - resources-finalizer.argocd.argoproj.io
      spec:
        project: default
        source:
          repoURL: https://github.com/<github-user>/smm-gitops.git
          targetRevision: HEAD
          path: charts/smm-operator
          helm:
            values: |
              global:
                ecr:
                  enabled: false
                basicAuth:
                  username: "<calisti-username>"
                  password: "<calisti-password>"
        destination:
          name: cluster-1
          namespace: smm-registry-access
        syncPolicy:
          automated:
            prune: true
            selfHeal: true
          syncOptions:
          - Validate=false
          - PruneLast=true
          - CreateNamespace=true
      
    2. Edit the file. In the basicAuth section, use your Service Mesh Manager username and password. These credentials are committed to the repository, which is why the repository must be private.

    3. Commit and push the repository.

      git add .
      git commit -m "add smm-operator app"
      git push origin
      
  3. Apply the Application manifest from the root of the repository.

    kubectl apply -f apps/smm-operator/app-cluster-1.yaml
    
  4. Verify that the application has been added to Argo CD and is healthy.

    argocd app list
    

    Expected output:

    NAME            CLUSTER    NAMESPACE            PROJECT  STATUS  HEALTH   SYNCPOLICY  CONDITIONS  REPO                                          PATH                 TARGET
    smm-operator    cluster-1  smm-registry-access  default  Synced  Healthy  Auto-Prune  <none>      https://github.com/<github-user>/smm-gitops.git  charts/smm-operator  HEAD
    

    You can check the smm-operator application on the Argo CD Web UI as well.

    Figure: SMM Operator application in the Argo CD Web UI
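Both the declarative cluster Secret from the Register clusters section and the smm-operator Application CR above are hand-edited and then committed to the smm-gitops repository, so two things are worth checking before every push: that TLS verification for the registered cluster is still on (`"insecure": false` plus a CA bundle), and that no `<placeholder>` survived the edit. The following pre-commit lint is an added example, not part of Service Mesh Manager or Argo CD. It uses only the Python standard library, scans the fixed-shape YAML line by line instead of parsing it, and the sample inputs (`make_cluster_secret`, `SMM_OPERATOR_APP`) are constructed here to mirror the guide's manifests.

```python
"""Pre-commit lint for the hand-edited manifests in the smm-gitops repository.

Added example, not part of Service Mesh Manager or Argo CD. It checks the two
files this guide has you edit by hand: the declarative Argo CD cluster Secret
(the embedded JSON config must keep TLS verification on and carry a CA bundle)
and the smm-operator Application CR (every <placeholder> replaced; an inline
Helm credential is reported so reviewers know the repository must stay private).
Standard library only: the fixed-shape YAML is scanned, not fully parsed.
"""
import base64
import binascii
import json
import re

PLACEHOLDER = re.compile(r"<[A-Za-z0-9 _-]+>")


def find_placeholders(text):
    """Unreplaced <...> placeholders, sorted and de-duplicated."""
    return sorted(set(PLACEHOLDER.findall(text)))


def block_scalar(text, key):
    """Body of the first `key: |` block scalar (lines indented deeper than the key), or None."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^(\s*)" + re.escape(key) + r":\s*\|\s*$", line)
        if m is None:
            continue
        indent = len(m.group(1))
        body = []
        for nxt in lines[i + 1:]:
            if nxt.strip() and len(nxt) - len(nxt.lstrip(" ")) <= indent:
                break  # first non-blank line back at the key's indent ends the block
            body.append(nxt)
        return "\n".join(body)
    return None


def check_cluster_secret(text):
    """Findings for a declarative Argo CD cluster Secret; an empty list means clean."""
    cfg_text = block_scalar(text, "config")
    if cfg_text is None:
        return ["cluster secret: no 'config: |' block"]
    try:
        cfg = json.loads(cfg_text)
    except json.JSONDecodeError as exc:
        return [f"cluster secret: config is not valid JSON ({exc.msg})"]
    findings = []
    tls = cfg.get("tlsClientConfig", {})
    if tls.get("insecure") is not False:  # missing or true: API server cert would not be verified
        findings.append("cluster secret: tlsClientConfig.insecure must be false")
    try:
        ca = base64.b64decode(tls.get("caData", ""), validate=True)
    except binascii.Error:
        ca = b""
    if not ca:
        findings.append("cluster secret: tlsClientConfig.caData missing or not base64")
    if not cfg.get("bearerToken"):
        findings.append("cluster secret: bearerToken is empty")
    findings += [f"cluster secret: unreplaced placeholder {p}" for p in find_placeholders(text)]
    return findings


def check_application(text):
    """Findings for an Argo CD Application CR that carries inline Helm values."""
    findings = [f"application: unreplaced placeholder {p}" for p in find_placeholders(text)]
    values = block_scalar(text, "values") or ""
    if re.search(r"^\s*password:\s*\S", values, re.M):
        findings.append("application: inline Helm credential in helm.values; repository must stay private")
    return findings


def make_cluster_secret(name, server, token, ca_pem, insecure=False):
    """Render a cluster Secret in the shape the guide shows (constructed helper, not Argo CD code)."""
    cfg = {"bearerToken": token,
           "tlsClientConfig": {"insecure": insecure, "caData": base64.b64encode(ca_pem).decode()}}
    cfg_block = "\n".join("    " + l for l in json.dumps(cfg, indent=2).splitlines())
    return (f"apiVersion: v1\nkind: Secret\nmetadata:\n  name: {name}-secret\n  labels:\n"
            f"    argocd.argoproj.io/secret-type: cluster\ntype: Opaque\nstringData:\n"
            f"  name: {name}\n  server: {server}\n  config: |\n{cfg_block}\n")


# Constructed sample: the guide's smm-operator Application trimmed to the fields the lint
# reads, still carrying its <placeholders>.
SMM_OPERATOR_APP = """apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: smm-operator
  namespace: argocd
spec:
  project: default
  source:
    repoURL: https://github.com/<github-user>/smm-gitops.git
    targetRevision: HEAD
    path: charts/smm-operator
    helm:
      values: |
        global:
          ecr:
            enabled: false
          basicAuth:
            username: "<calisti-username>"
            password: "<calisti-password>"
  destination:
    name: cluster-1
    namespace: smm-registry-access
"""

if __name__ == "__main__":
    good = make_cluster_secret("cluster-1", "https://CLUSTER-1-IP", "constructed-token",
                               b"-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n")
    for finding in check_cluster_secret(good) + check_application(SMM_OPERATOR_APP):
        print(finding)
```

Run it over the real files with `check_cluster_secret(open(path).read())` and `check_application(open(path).read())` from a git pre-commit hook; treat placeholder and TLS findings as blocking, and keep the inline-credential finding as a reminder rather than a failure, since this guide's Application CR deliberately carries the registry credentials and relies on the repository being private.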

Deploy the smm-controlplane application

  1. Navigate to the manifests directory of your Service Mesh Manager GitOps repository.

  2. Save the following YAML file as smm-controlplane-1.yaml in the manifests directory.

    apiVersion: smm.cisco.com/v1alpha1
    kind: ControlPlane
    metadata:
      name: smm
    spec:
      certManager:
        enabled: true
        namespace: cert-manager
      clusterName: cluster-1
      clusterRegistry:
        enabled: true
        namespace: cluster-registry
      log: {}
      meshManager:
        enabled: true
        istio:
          enabled: true
          istioCRRef:
            name: cp-v113x
            namespace: istio-system
          operators:
            namespace: smm-system
        namespace: smm-system
      nodeExporter:
        enabled: true
        namespace: smm-system
        psp:
          enabled: false
        rbac:
          enabled: true
      oneEye: {}
      registryAccess:
        enabled: true
        imagePullSecretsController: {}
        namespace: smm-registry-access
        pullSecrets:
        - name: smm-registry.eticloud.io-pull-secret
          namespace: smm-registry-access
      repositoryOverride:
        host: registry.eticloud.io
        prefix: smm
      role: active
      smm:
        exposeDashboard:
          meshGateway:
            enabled: true
        als:
          enabled: true
          log: {}
        application:
          enabled: true
          log: {}
        auth:
          forceUnsecureCookies: true
          mode: anonymous
        certManager:
          enabled: true
        enabled: true
        federationGateway:
          enabled: true
          name: smm
          service:
            enabled: true
            name: smm-federation-gateway
            port: 80
        federationGatewayOperator:
          enabled: true
        impersonation:
          enabled: true
        istio:
          revision: cp-v113x.istio-system
        leo:
          enabled: true
          log: {}
        log: {}
        namespace: smm-system
        prometheus:
          enabled: true
          replicas: 1
        prometheusOperator: {}
        releaseName: smm
        role: active
        sre:
          enabled: true
        useIstioResources: true
    
  3. Navigate to the apps/smm-controlplane directory and save the following smm-controlplane Application CR as app-controlplane-1.yaml in this directory.

    apiVersion: argoproj.io/v1alpha1
    kind: Application
    metadata:
      name: smm
      namespace: argocd
      finalizers:
        - resources-finalizer.argocd.argoproj.io
    spec:
      project: default
      source:
        repoURL: https://github.com/<github-username>/smm-gitops.git
        targetRevision: HEAD
        path: manifests
      destination:
        name: cluster-1
      syncPolicy:
        automated: 
          prune: true
          selfHeal: true
        syncOptions:
        - Validate=false
        - CreateNamespace=true
        - PrunePropagationPolicy=foreground
        - PruneLast=true
    
  4. Commit the changes and push the smm-gitops repository.

    git add .
    git commit -m "add smm-controlplane application"
    git push origin
    
  5. Apply the Application manifest from the root of the repository.

    kubectl apply -f apps/smm-controlplane/app-controlplane-1.yaml
    
  6. Verify that the application has been added to Argo CD and is healthy.

    argocd app list
    

    Expected output:

    NAME            CLUSTER    NAMESPACE            PROJECT  STATUS     HEALTH   SYNCPOLICY  CONDITIONS  REPO                                             PATH                 TARGET
    smm             cluster-1                       default  Synced     Healthy  Auto-Prune  <none>      https://github.com/<github-user>/smm-gitops.git  manifests            HEAD
    smm-operator    cluster-1  smm-registry-access  default  Synced     Healthy  Auto-Prune  <none>      https://github.com/<github-user>/smm-gitops.git  charts/smm-operator  HEAD
    
  7. Check that all the pods are healthy and running in the smm-system namespace of cluster-1.

    kubectl --context cluster-1 get pods -n smm-system
    

    The output should be similar to:

    NAME                                               READY   STATUS    RESTARTS        AGE
    istio-operator-v113x-85495cd76f-q7n22              2/2     Running   4 (7m36s ago)   17m
    mesh-manager-0                                     2/2     Running   4 (7m35s ago)   18m
    prometheus-smm-prometheus-0                        4/4     Running   0               15m
    smm-7f95479ff7-rzh2g                               2/2     Running   0               16m
    smm-7f95479ff7-v52vp                               2/2     Running   0               16m
    smm-als-8487fdf4f7-ddklg                           2/2     Running   0               16m
    smm-authentication-7888dfc6d7-w7tdq                2/2     Running   0               16m
    smm-federation-gateway-84f9fbf54d-7glvp            2/2     Running   0               16m
    smm-federation-gateway-operator-6cb99c5798-9fj25   2/2     Running   4 (7m36s ago)   16m
    smm-grafana-95ff96dd9-m6rx6                        3/3     Running   0               16m
    smm-health-86dc8c98d6-pv7bk                        2/2     Running   3 (7m35s ago)   16m
    smm-health-api-5df5b76bf5-lvbsp                    2/2     Running   0               16m
    smm-ingressgateway-7d59684cf7-jsj7f                1/1     Running   0               16m
    smm-ingressgateway-external-59f9874787-p55wr       1/1     Running   0               16m
    smm-kubestatemetrics-f4766d7b8-9mc9f               2/2     Running   0               16m
    smm-leo-9fc8db6db-vlzpw                            2/2     Running   0               16m
    smm-prometheus-operator-6558dbddc8-bgdh9           3/3     Running   1 (16m ago)     16m
    smm-sre-alert-exporter-6656f98dd8-8wvdx            2/2     Running   0               16m
    smm-sre-api-77b65ff6bd-spzk2                       2/2     Running   0               16m
    smm-sre-controller-59d6cdd588-7cvbk                2/2     Running   3 (7m35s ago)   16m
    smm-tracing-6c85986bfd-xjjqw                       2/2     Running   0               16m
    smm-vm-integration-cdd8d8688-sk79s                 2/2     Running   3 (7m35s ago)   16m
    smm-web-84d697fdb4-2fbkm                           3/3     Running   0               16m
    
  8. At this point, you have successfully installed smm-operator and smm-controlplane on cluster-1. You can check the application on the Argo CD Web UI as well.

    Figure: smm and smm-operator applications in the Argo CD Web UI
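Step 4 of the smm-operator deployment and step 6 above both gate on `argocd app list` reporting every application as Synced and Healthy, which is the kind of check you want automated when the `kubectl apply` runs from a pipeline rather than a terminal. The following readiness gate is an added example, not part of Argo CD or Service Mesh Manager. It assumes that `argocd app list -o json` returns a list of Application objects carrying `status.sync.status`, `status.health.status` and `spec.destination.name`; the `make_app` samples are constructed to mirror the expected output shown above, and the poll loop takes injectable clock and sleep functions so it can be exercised without a cluster.

```python
"""Readiness gate for the Argo CD Applications this guide creates.

Added example, not part of Argo CD or Service Mesh Manager. It reads the JSON
form of `argocd app list -o json` (a list of Application objects) and reports
any expected application that is missing, not Synced, not Healthy, or not
targeting the expected cluster. wait_until_healthy polls a fetch callable so
the same logic can gate a pipeline step after `kubectl apply`.
"""
import json
import subprocess
import time

# The Applications this guide creates and the cluster each must be deployed to.
EXPECTED = {"smm-operator": "cluster-1", "smm": "cluster-1"}


def app_problems(apps, expected=EXPECTED):
    """Sorted 'name: problem' strings for the given app list; empty means the gate passes."""
    by_name = {a.get("metadata", {}).get("name"): a for a in apps}
    problems = []
    for name, cluster in expected.items():
        app = by_name.get(name)
        if app is None:
            problems.append(f"{name}: not found in Argo CD")
            continue
        status = app.get("status", {})
        sync = status.get("sync", {}).get("status", "Unknown")
        health = status.get("health", {}).get("status", "Unknown")
        dest = app.get("spec", {}).get("destination", {}).get("name")
        if sync != "Synced":
            problems.append(f"{name}: sync status is {sync}")
        if health != "Healthy":
            problems.append(f"{name}: health is {health}")
        if dest != cluster:
            problems.append(f"{name}: destination is {dest!r}, expected {cluster!r}")
    return sorted(problems)


def wait_until_healthy(fetch, expected=EXPECTED, timeout=600, interval=10,
                       clock=time.monotonic, sleep=time.sleep):
    """Poll fetch() (which returns the parsed app list) until no problems remain or the
    timeout elapses. Returns the last problem list, so an empty result means success."""
    deadline = clock() + timeout
    while True:
        problems = app_problems(fetch(), expected)
        if not problems or clock() >= deadline:
            return problems
        sleep(interval)


def fetch_from_cli():
    """Run the real CLI; needs a context that has already done `argocd login`."""
    out = subprocess.run(["argocd", "app", "list", "-o", "json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def make_app(name, cluster, sync, health):
    """Constructed minimal Application object with only the fields the gate reads."""
    return {"metadata": {"name": name},
            "spec": {"destination": {"name": cluster}},
            "status": {"sync": {"status": sync}, "health": {"status": health}}}


if __name__ == "__main__":
    import sys
    remaining = wait_until_healthy(fetch_from_cli)
    print("\n".join(remaining) or "all applications Synced and Healthy")
    sys.exit(1 if remaining else 0)
```

Running the module exits non-zero after the timeout if either application never reaches Synced/Healthy on cluster-1, which is what a pipeline stage after the `kubectl apply` steps should key on; the destination check also catches an Application CR whose `destination.name` was left pointing at the wrong registered cluster.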

Access the Service Mesh Manager Web UI

  1. You can access the Service Mesh Manager Web UI via the smm-ingressgateway-external LoadBalancer EXTERNAL-IP address. Run the following command to retrieve the IP address:

    kubectl get services -n smm-system smm-ingressgateway-external --context cluster-1
    

    Expected output:

    NAME                          TYPE           CLUSTER-IP   EXTERNAL-IP      PORT(S)        AGE
    smm-ingressgateway-external   LoadBalancer   10.0.0.199   <smm-external-ip>    80:32505/TCP   2m28s
    
  2. Open the http://<smm-external-ip> URL in your browser, or if you have installed the Service Mesh Manager CLI on your machine, run the following command to open the Service Mesh Manager Dashboard in the default browser.

    smm dashboard --context cluster-1
    

    Figure: Service Mesh Manager Overview