gitops | Managing Fleets of Kubernetes Clusters

There is a very good plugin that does what you're looking for: https://github.com/helm/helm-2to3

There is also information on migrating a GitOps setup on the Flux CD page (assuming you're using Flux and Helm Operator for your GitOps) https://docs.fluxcd.io/projects/helm-operator/en/stable/helmrelease-guide/release-configuration/#migrating-from-helm-v2-to-v3

Even more information here: https://helm.sh/docs/topics/v2_v3_migration/

You are right about Argo CD project. The project CRD supports allowing/denying K8S resources using clusterResourceWhitelist, clusterResourceBlacklist etc fields. The sample project definition is also available in Argo CD documentation.

In order to restrict the list of managed resources globally, you can specify the resource.exclusions/resource.inclusions field in the argocd-cm ConfigMap. The example is available here.

I think I found the issue. You use the project name and not the project ID. Try this

Your question is mainly about security management. You have several possibilities and several point of views/level of security.

1. Project segregation

The most simple and secure way is to have Argo running in each project without relation/bridge between each environment. No risk in security or to deploy on the wrong project. Default project segregation (VPC and IAM role) are sufficient.

But it implies to deploy and maintain the same app on several clusters, and to pay several clusters (Dev, Staging and prod CD aren't used at the same frequency)

In term of security, you can use the Compute Engine default service account for the authorization, or you can rely on Workload identity (preferred way)

2. Namespace segregation

The other way is to have only one project with a cluster deployed on it and a kubernetes namespace per delivery project. By the way, you can reuse the same cluster for all the projects in your company.

You still have to update and maintain Argo in each namespace, but the cluster administration is easier because the node are the same.

In term of security, you can use the Workload identity per namespace (and thus to have 1 service account per namespace authorized in the delivery project) and to keep the permission segregated

Here, the trade off is the private IP access. If your deployment need to access to private IP inside the delivery project (for testing purpose or to access to private K8S master), you have to set up a VPC peering (and you are limited to 25 peering per project) or set up a shared VPC.

3. Service account segregation

The latest solution isn't recommended, but it's the easiest to maintain. You have only one GKE cluster for all the environment, and only 1 namespace with Argo deployed on it. By configuration, you can say to Argo to use a specific service account to access to the delivery project (with service account key files (not recommended solution) stored in GKE secrets or in secret manager, or (better) by using service account impersonation).

Here also, you have 1 service account authorized per delivery project. And the peering issue is the same in case of private IP access required in the delivery project.

When you use $(...) a new sub-shell will be created, but the parent shell will wait for the sub-shell to complete. Effectively making the code execute sequentially.

Side note: there is no need to use process substitution here. Consider the alternative:

There's no real hard rule other than everything about your environment should be represented in a git repo (e.g. stop storing config in Jenkins env variables Steve!). Where the config lives is more of an implementation detail.

If your app is managed as a mono repo then why not use the same setup for the deployment? It's usually best to fit in with your existing release processes rather than creating something new.

One catch is that a single version of the app will normally need to support multiple deployments and the deployment config can often change after an app release. So there needs to be a 1 app to many config relationship, whether that is files, directories, branches, or repos. They all work as long as it's versioned/released.

Another release consideration is application builds. For small deployment updates you don't want to build and release a complete new application image. It's preferable to just apply the config and reuse the existing artefacts. This is often a driver for the separate deploy/config repo, so concerns are completely separated.

Security can play a part. You may have system information in the deployment config that all developers don't need access to or you don't want to even have the chance of it making it into a container image. This also drives the use of separate repos.

Size of infrastructure is another. If I am managing multiple apps, the generic system config will not be stored in an apps repo.

From the docs of FluxCD here

Note: that Flux only works with immutable image tags (:latest is not supported). Every image tag must be unique, for this you can use the Git commit SHA or semver when tagging images.

Turn on automation based on timestamp:

The problem was with the version of kubectl used in the 1.19 flux release, so I fixed it by using a prerelease: https://hub.docker.com/r/fluxcd/flux-prerelease/tags

PATH is overridden in your Drone environment variables

It doesn't look like your PATH variable is intended to hold executable paths (PATH: keycloak-svc). I'd recommend using a different name.

If, after changing that environment variable name, you find that /usr/local/bin/ isn't on Drone's PATH, you can add it in the commands section, as described in the Drone docs.

Note:

I thought to look at PATH after finding logs of someone else's failed build and then taking a peek at a change they committed around the same time.