Installing a Phalanx environment¶
Once you have created the configuration for your new environment and set up secrets, you are ready to do the installation. Before starting this process, ensure that you have met the requirements to run Phalanx.
If you are setting up an environment that will be running a 1Password Connect server for itself, you will need to take special bootstrapping steps.
See onepassword-connect
for more information.
Installing Phalanx¶
Follow these steps to install Phalanx. These can be run repeatedly to reinstall Phalanx over an existing deployment.
Create a Vault AppRole that will be used by Vault Secrets Operator. Set the
VAULT_TOKEN
environment variable to a token with the ability to create new AppRoles (for SQuaRE clusters, use the admin token), and then run:phalanx vault create-read-approle <environment>
Unset
VAULT_TOKEN
when this command finishes.Be aware that this will invalidate any existing AppRole for that environment.
Set the environment variables
VAULT_ROLE_ID
andVAULT_SECRET_ID
to the Role ID and Secret ID printed out by that command. Don’t store these anywhere. If you repeat the installation from scratch, just generate new role and secret IDs.Ensure that your default Kubernetes cluster for kubectl and helm is set to point to the Kubernetes cluster into which you want to install the Phalanx environment. You can verify this with kubectl config current-context.
Start the install:
phalanx environment install <environment>
You will be prompted to confirm that you want to proceed.
If the installation is using a dynamically-assigned IP address, you will need to set up the A record (and AAAA record if using IPv6) in DNS once that address has been assigned. Wait until the
ingress-nginx
application has been installed, which happens after Argo CD has been installed but before most applications are synced. Then, wait for it to be assigned an external IP address. Obtain that IP address with kubectl get -n ingress-nginx service (look for the external IP). Then, set the A record in DNS for your environment to that address. For installations that are intended to be long-lived and that can reliably request the same address, add that IP address to thevalues-environment.yaml
file inapplications/ingress-nginx
for your environment. The setting to use isingress-nginx.controller.service.loadBalancerIP
. This ensures that ingress-nginx will always request that address.If you are deploying on Google Cloud Platform, consider converting the dynamically-assigned IP address to a static IP. You can do this in the GCP console under
.If you are doing a complete reinstallation of a Phalanx instance (e.g. Kubernetes has been completely destroyed and the cluster recreated), you may wish to run
phalanx secrets sync --regenerate
in order to recreate any randomly-generated secrets, rather than using the set from the previous installation.Debug any problems during installation. The most common source of problems are errors or missing configuration in the
values-environment.yaml
files you created for each application. You can safely run the installer repeatedly as you debug and fix issues.If you get a message indicating that
argocd
plaintext login has failed, the actual error is that your localargocd
executable is obsolete. Updateargocd
and try again. To see the version of the client that is currently tested, search forargocd-linux
in .github/workflows/ci.yaml.
Using a Vault token rather than AppRole¶
The default and recommended installation approach is to use a Vault AppRole for vault-secrets-operator to authenticate to Vault. However, using a read-only Vault token is still supported.
To use a Vault token instead of an AppRole, create an appropriate read-only token with access to the Vault path configured in enviroments/values-environment.yaml
for your environment.
Skip step 1 in the normal installation process, since you don’t need to create an AppRole.
In step 2, set VAULT_TOKEN
to the read-only token and do not set VAULT_ROLE_ID
or VAULT_SECRET_ID
.
Then continue the regular installation process.
Troubleshooting tools¶
The tools to use for troubleshooting will vary depending on how far the installer has gotten.
If something fails before Argo CD is installed, you will need to use kubectl to look around in Kubernetes, retrieve logs, and look at error messages.
If Argo CD is installed and working, but ingress-nginx fails, you can additionally use the argocd command-line tool. The installer will have created login credentials for Argo CD as the admin user for you, so you shouldn’t need to do that again. Pass the flags
--port-forward --port-forward-namespace argocd
to argocd to proxy to the Argo CD server without needing to have the ingress working.If the ingress was successfully installed and you’ve created the DNS record for your environment, you can use the Argo CD web UI the same as you would with a fully-installed cluster. If your Argo CD authentication configuration is working (see Argo CD authentication), you can log in as you normally would. If it is not, you will need to use the admin password. You can get this from Vault in the
admin.plaintext_password
key of theargocd
secret.