Jenkins X 3.x GitOps repository for a Kubernetes cluster with all the things you'll need preconfigured.
This is a work in progress... There are still some pending features:
- SQL backups for Keycloak DB
- Keycloak Backup CRD
- Velero chart and Velero Backups
- Strimzi Kafka Operator
- Strimzi Kafka cluster to back knative-eventing
After forking, do a global search for "example.com" - making these variables is another todo :)
Keycloak operator for creating and configuring Keycloak instances, and a Keycloak instance configured with a postgres-operator backed DB. Exposed via Istio.
Automatically provision TLS certificates from LetsEncrypt.
The Istio operator chart installs the Istio operator, which allows you to configure Istio declaratively.
Istio configuration and Certificates that will be used by Istio (most likely all of them, except those managed by Knative Serving)
JX3 with custom values for istio integration
Configure Knative Eventing via the Knative operator
Install and configure the Knative operator
Configure Knative Serving via the Knative operator
Install and configure Prometheus Stack for monitoring/alerting, Loki for centralized logging, and Grafana as a dashboard.
Install OLM which is used to install the Keycloak Operator. If there were a good chart for Keycloak operator I probably wouldn't use this, but it's the recommended way.
Installs the Postgres Operator which allows you to declaratively create Postgres instances.
CRDs for declaratively controlling RBAC for your cluster.
Vault to store secrets, Kubernetes External Secrets to use them, and Pusher Wave for secret rotation.
Tekton, which JX uses to run pipelines.
make decrypt-secrets
To decrypt only a subset of secrets, use SECRET_DIR:
SECRET_DIR=secret-encrypted/monitor make decrypt-secrets
make encrypt-secrets
To encrypt only a subset of secrets, use SECRET_DIR:
SECRET_DIR=secret/monitor make encrypt-secrets
make sync-secrets
To sync only a subset of secrets, use SECRET_DIR:
SECRET_DIR=secret/monitor make sync-secrets
TODO: In a future version syncing will be done in the pipeline automatically
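A pre-commit guard for this layout, added here as an example and not part of this repository's own tooling. It assumes that `secret/` holds the decrypted files, that only `secret-encrypted/` belongs in git, and that the script is installed as `.git/hooks/pre-commit`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: block commits that include decrypted secrets.
# Assumption: secret/ is the plaintext tree produced by "make decrypt-secrets";
# secret-encrypted/ is the only secrets tree that should ever be committed.

PLAINTEXT_DIR="${PLAINTEXT_DIR:-secret}"   # assumed plaintext tree

# Read one repo-relative path per line on stdin and print those inside the
# plaintext tree. "secret-encrypted/..." does not match "secret/...".
plaintext_paths() {
    while IFS= read -r path; do
        case "$path" in
            "$PLAINTEXT_DIR"/*) printf '%s\n' "$path" ;;
        esac
    done
}

# Return 0 if the path list on stdin is clean, 1 if it contains plaintext secrets.
check_staged() {
    offenders=$(plaintext_paths)
    if [ -n "$offenders" ]; then
        echo "refusing to commit decrypted secrets:" >&2
        printf '%s\n' "$offenders" | sed 's/^/  /' >&2
        echo "run 'make encrypt-secrets' and commit secret-encrypted/ instead" >&2
        return 1
    fi
    return 0
}

# Feed the staged file list (added, copied, modified, renamed) to the check.
run_hook() {
    git diff --cached --name-only --diff-filter=ACMR | check_staged
}

# Only act when invoked under the hook's name, so the file can also be sourced.
case "$0" in
    *pre-commit) run_hook || exit 1 ;;
esac
```

Files written during local work, such as `secret/vault/vault-ca.crt` from the Vault steps, fall under the same check.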
From https://jenkins-x.io/v3/admin/guides/secrets/vault/
In a terminal, run:
jx secret vault portforward
Then, in a second terminal:
export VAULT_TOKEN=$(kubectl get secrets vault-unseal-keys -n secret-infra -o jsonpath='{.data.vault-root}' | base64 --decode)
# Tell the CLI that the Vault Cert is signed by a custom CA
kubectl get secret vault-tls -n secret-infra -o jsonpath="{.data.ca\.crt}" | base64 --decode > "$PWD/secret/vault/vault-ca.crt"
export VAULT_CACERT="$PWD/secret/vault/vault-ca.crt"
# Tell the CLI where Vault is listening (the certificate has 127.0.0.1 as well as alternate names)
export VAULT_ADDR=https://127.0.0.1:8200
You can now use the Vault CLI or Safe:
Vault CLI:
# Now we can use the vault CLI to list/read/write secrets...
# List all the current secrets
vault kv list secret
# Let's store a secret
vault kv put secret/mything foo=bar whatnot=cheese
Safe:
safe ls
safe ls secret
safe get secret/jx/adminUser:password