GitOps repository that contains all the configuration needed to manage the Pilot-HDC Kubernetes clusters.
This repo uses ArgoCD's app-of-apps pattern: a root Application (root-app.yaml) deploys all child Applications, each defined under clusters/dev/apps/<name>/.
| Wave | App | Notes |
|---|---|---|
| 2 | external-secrets | Operator + CRDs |
| 3 | vault | Deploys Vault server |
| 3 | registry-secrets | ExternalSecrets for docker-registry-secret (utility, keycloak, redis) |
| 4 | postgresql | |
| 4 | keycloak-postgresql | |
| 5 | redis | |
| 6 | keycloak | |
| 7 | auth | |
Note: registry-secrets (wave 3) will show SecretSyncError until Vault is unsealed and the ClusterSecretStore can connect to it — expected on first deploy, resolves via selfHeal: true.
- Vault must be unsealed and initialized before apps in wave 3+ can sync
After ArgoCD deploys Vault, these manual steps are required once per cluster.
```bash
# Initialize - outputs 5 unseal keys + root token
kubectl exec -it vault-0 -n vault -- vault operator init
# Store keys securely (dev cluster uses gopass), e.g.:
# gopass ebrains-dev/hdc/ovh/vault-unseal-keys
# Unseal (repeat 3x with different keys)
kubectl exec -it vault-0 -n vault -- vault operator unseal
```

```bash
# Port-forward to Vault
kubectl port-forward -n vault svc/vault 8200:8200 &
export VAULT_ADDR=http://127.0.0.1:8200
vault login # paste root token
# Enable K8s auth
vault auth enable kubernetes
# Configure K8s auth endpoint
vault write auth/kubernetes/config \
  kubernetes_host="https://kubernetes.default.svc"
# Enable KV v2 secrets engine
vault secrets enable -path=secret kv-v2
# Create read-only policy for ESO
vault policy write external-secrets - <<EOF
path "secret/data/*" {
  capabilities = ["read"]
}
path "secret/metadata/*" {
  capabilities = ["read", "list"]
}
EOF
# Create role bound to ESO service account
vault write auth/kubernetes/role/external-secrets \
  bound_service_account_names=external-secrets \
  bound_service_account_namespaces=external-secrets \
  policies=external-secrets \
  ttl=1h
```

```bash
# Create test secret
vault kv put secret/test foo=bar
# Check ESO synced it (ClusterSecretStore "vault" is pre-configured)
kubectl get externalsecret -A
```

The development of the HealthDataCloud open source software was supported by the EBRAINS research infrastructure, funded from the European Union's Horizon 2020 Framework Programme for Research and Innovation under the Specific Grant Agreement No. 945539 (Human Brain Project SGA3) and H2020 Research and Innovation Action Grant Interactive Computing E-Infrastructure for the Human Brain Project ICEI 800858.
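As an added illustration (not a manifest from this repo), the following shows what a ClusterSecretStore matching the Vault auth method, policy and role set up in the manual steps looks like, together with an ExternalSecret that pulls the `secret/test` key created at the end of the procedure. The repo's pre-configured store may differ; the in-cluster Vault service URL and the target namespace are assumptions.

```yaml
# Added example, not the repo's own manifest. Assumed: Vault reachable at
# vault.vault.svc:8200 inside the cluster; ESO runs in namespace external-secrets.
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: vault
spec:
  provider:
    vault:
      server: http://vault.vault.svc:8200   # assumed in-cluster Service address
      path: secret                           # KV v2 mount enabled with `vault secrets enable -path=secret kv-v2`
      version: v2
      auth:
        kubernetes:
          mountPath: kubernetes              # auth method enabled at auth/kubernetes
          role: external-secrets             # role bound to the ESO service account
          serviceAccountRef:
            name: external-secrets
            namespace: external-secrets
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: test
  namespace: default                         # assumed target namespace
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: vault
    kind: ClusterSecretStore
  target:
    name: test                               # Kubernetes Secret ESO creates
    creationPolicy: Owner
  data:
    - secretKey: foo
      remoteRef:
        key: test                            # resolves to secret/data/test on the KV v2 mount
        property: foo
```

While Vault is still sealed, the ExternalSecret reports SecretSyncError, exactly as the note for wave 3 describes; once unsealed, `kubectl get externalsecret -A` shows it as Ready because the read-only policy above grants `secret/data/*` read access.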
This project has received funding from the European Union’s Horizon Europe research and innovation programme under grant agreement No 101058516. Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union or other granting authorities. Neither the European Union nor other granting authorities can be held responsible for them.
