Complete step-by-step setup of Kubernetes cluster with ArgoCD, Helm, Traefik Ingress Controller, and Cert-Manager
The first step was creating a Kubernetes cluster. This cluster serves as the foundation for all subsequent deployments.
A Kubernetes cluster is a set of nodes (machines) that run containerized applications. It consists of a control plane (manages the cluster) and worker nodes (run the applications).
- default - Default namespace for resources
- kube-system - System components
- kube-public - Publicly accessible resources
- kube-node-lease - Node heartbeat data
- argocd - ArgoCD installation
- cert-manager - Certificate management
- dev - Development environment
- prod - Production environment

The Kubernetes Metrics Server was deployed to collect resource metrics from kubelets and expose them via the Kubernetes API.
# Installs whatever release is current ('latest' is not a pinned version)
kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml
This enables the kubectl top commands to monitor CPU and memory usage.
# Check metrics server deployment
kubectl get deployment metrics-server -n kube-system
# View node resource usage
kubectl top nodes
# View pod resource usage across all namespaces
kubectl top pods -A
# View pod resource usage in dev namespace
kubectl top pods -n dev
# View container-level metrics in dev namespace
kubectl top pods -n dev --containers
ArgoCD is a declarative, GitOps continuous delivery tool for Kubernetes. It automates the deployment of applications by syncing them with Git repositories.
helm upgrade --install argocd ./argocd -n argocd --create-namespace
This command creates the argocd namespace if it doesn't exist and upgrades the release if it is already installed.
| Component | Ready | Description |
|---|---|---|
| argocd-server | 1/1 | API server and UI |
| argocd-repo-server | 1/1 | Repository server (clones Git repos) |
| argocd-redis | 1/1 | Redis cache |
| argocd-applicationset-controller | 1/1 | Manages ApplicationSets |
| argocd-notifications-controller | 1/1 | Handles notifications |
# Port forward to access ArgoCD UI locally
kubectl port-forward svc/argocd-server -n argocd 8081:80
# Get the initial admin password
kubectl get secret argocd-initial-admin-secret -n argocd -o jsonpath="{.data.password}" | base64 -d && echo
# Login to ArgoCD via CLI
# (--insecure skips TLS certificate verification; used here only for the local port-forward)
argocd login localhost:8081 --insecure --username admin --password "$(kubectl get secret \
argocd-initial-admin-secret -n argocd -o jsonpath="{.data.password}" | base64 -d)"
A project provides logical grouping of applications with access controls.
# Create a project named 'learning-hub'
argocd proj create learning-hub \
--dest https://kubernetes.default.svc,dev \
--dest https://kubernetes.default.svc,prod \
--src '*'
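A declarative equivalent of the project above, as an added example (not the author's manifest): it narrows the `--src '*'` wildcard to the one chart repository this page deploys from and shows a project role as the access-control part. The role name `deployer` and the assumption that the chart creates no cluster-scoped resources are illustrative.

```yaml
# Added example: AppProject for learning-hub with a restricted source list.
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: learning-hub
  namespace: argocd
spec:
  description: Learning Hub dev and prod deployments
  # Only the chart repository used by the applications on this page,
  # instead of the '*' wildcard passed to `argocd proj create --src`.
  sourceRepos:
    - https://github.com/hanov/helm.git
  # The same two destinations as the --dest flags above.
  destinations:
    - server: https://kubernetes.default.svc
      namespace: dev
    - server: https://kubernetes.default.svc
      namespace: prod
  # Assumption: the chart needs no cluster-scoped resources
  # (ClusterRole, CRDs, Namespace). An empty list permits none.
  clusterResourceWhitelist: []
  roles:
    # Hypothetical role: may view and sync the project's applications,
    # but cannot create, update or delete them.
    - name: deployer
      description: Sync-only access to learning-hub applications
      policies:
        - p, proj:learning-hub:deployer, applications, get, learning-hub/*, allow
        - p, proj:learning-hub:deployer, applications, sync, learning-hub/*, allow
```

With this project, an Application that points at any other repository or namespace is rejected by ArgoCD instead of being synced.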
Traefik is a modern HTTP reverse proxy and load balancer. It automatically discovers services and routes traffic to them.
kubectl get svc -n kube-system | grep traefik
kubectl apply -f traefik/https-redirect-middleware.yaml
This middleware automatically redirects HTTP traffic to HTTPS.
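What such a redirect middleware and the routes that use it can look like, as an added example (this is not the content of the author's `traefik/https-redirect-middleware.yaml`). Assumptions: Traefik's default entry point names `web` and `websecure`, a Service named `learning-hub` on port 80, and the placeholder host `dev.learning-hub.example.com`.

```yaml
# Added example. Older Traefik v2 releases use traefik.containo.us/v1alpha1
# instead of traefik.io/v1alpha1.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: https-redirect
  namespace: dev
spec:
  redirectScheme:
    scheme: https
    permanent: true          # permanent rather than temporary redirect
---
# Plain-HTTP route: its only job is to send the client to HTTPS.
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: learning-hub-http
  namespace: dev
spec:
  entryPoints: [web]
  routes:
    - match: Host(`dev.learning-hub.example.com`)   # placeholder host
      kind: Rule
      middlewares:
        - name: https-redirect
      services:
        - name: learning-hub                         # assumed Service name
          port: 80
---
# HTTPS route: terminates TLS with the secret listed in the certificate table.
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: learning-hub-https
  namespace: dev
spec:
  entryPoints: [websecure]
  routes:
    - match: Host(`dev.learning-hub.example.com`)
      kind: Rule
      services:
        - name: learning-hub
          port: 80
  tls:
    secretName: learning-hub-tls-cert
```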
Cert-Manager automates the management and issuance of TLS certificates from Let's Encrypt and other certificate authorities.
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.16.2/cert-manager.yaml
kubectl wait --for=condition=ready pod -l app.kubernetes.io/instance=cert-manager -n cert-manager --timeout=300s
| Component | Status | Purpose |
|---|---|---|
| cert-manager | Running | Main controller |
| cert-manager-webhook | Running | Webhook for validating and mutating requests |
| cert-manager-cainjector | Running | Injects CA bundles into webhooks and APIServices |
kubectl apply -f cert-manager/letsencrypt-issuer.yaml
- letsencrypt-staging - For testing (higher rate limits)
- letsencrypt-prod - For production certificates

| Namespace | Certificate | Status | Secret |
|---|---|---|---|
| dev | learning-hub-tls | Ready | learning-hub-tls-cert |
| prod | learning-hub-tls | Ready | learning-hub-tls-cert |
Cert-Manager automatically renews certificates before they expire. The certificates are stored as Kubernetes secrets and can be referenced in Ingress/IngressRoute resources.
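A sketch of the two issuers and one of the certificates from the table, as an added example (this is not the content of the author's `cert-manager/letsencrypt-issuer.yaml`). Assumptions: HTTP-01 validation through the `traefik` ingress class, the placeholder contact `admin@example.com`, the placeholder host `dev.learning-hub.example.com`, and the account-key secret names.

```yaml
# Added example: staging and production ACME issuers plus the dev certificate.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # Staging endpoint: generous rate limits, certificates not browser-trusted.
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: admin@example.com                     # placeholder contact
    privateKeySecretRef:
      name: letsencrypt-staging-account-key      # ACME account key (assumed name)
    solvers:
      - http01:
          ingress:
            ingressClassName: traefik            # assumed ingress class
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com
    privateKeySecretRef:
      name: letsencrypt-prod-account-key
    solvers:
      - http01:
          ingress:
            ingressClassName: traefik
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: learning-hub-tls
  namespace: dev
spec:
  secretName: learning-hub-tls-cert              # secret consumed by the ingress
  dnsNames:
    - dev.learning-hub.example.com               # placeholder host
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt-staging                    # switch to letsencrypt-prod once issuance works
  privateKey:
    rotationPolicy: Always                       # new private key on every renewal
```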
Amazon Elastic Container Registry (ECR) access was configured to allow pulling private Docker images.
# ECR authorization tokens expire after 12 hours, so this secret must be recreated periodically
kubectl create secret docker-registry ecr-secret \
--docker-server=541770108352.dkr.ecr.us-east-1.amazonaws.com \
--docker-username=AWS \
--docker-password="$(aws ecr get-login-password --region us-east-1)" \
-n dev
The secret is referenced in pod specs via imagePullSecrets.
The Learning Hub application is deployed to both dev and prod environments using ArgoCD with a GitOps workflow.
argocd app create learning-hub-dev \
--repo https://github.com/hanov/helm.git \
--path learning-hub \
--dest-server https://kubernetes.default.svc \
--dest-namespace dev \
--values values-dev.yaml \
--project learning-hub \
--sync-policy automated \
--auto-prune \
--self-heal
argocd app create learning-hub-prod \
--repo https://github.com/hanov/helm.git \
--path learning-hub \
--dest-server https://kubernetes.default.svc \
--dest-namespace prod \
--values values-prod.yaml \
--project learning-hub \
--sync-policy automated \
--auto-prune \
--self-heal
| Parameter | Value | Purpose |
|---|---|---|
| --repo | GitHub URL | Source Git repository |
| --path | learning-hub | Path to Helm chart in repo |
| --values | values-dev.yaml / values-prod.yaml | Environment-specific values |
| --sync-policy | automated | Auto-sync on Git changes |
| --auto-prune | enabled | Delete resources removed from Git |
| --self-heal | enabled | Revert manual cluster changes |
# Delete applications (if needed)
argocd app delete learning-hub-dev
argocd app delete learning-hub-prod
# List all ArgoCD applications
argocd app list
# View application details
argocd app get learning-hub-dev
argocd app get learning-hub-prod
# Sync application manually
argocd app sync learning-hub-dev
- default - Age: ~4 hours
- kube-system - System components (Traefik, Metrics Server)
- argocd - ArgoCD installation (Age: ~2.5 hours)
- cert-manager - Certificate management (Age: ~40 minutes)
- dev - Development environment (Age: ~2 hours)
- prod - Production environment (Age: ~1 hour)
- kube-public - Public resources
- kube-node-lease - Node heartbeats

| Service | Namespace | Type | Status |
|---|---|---|---|
| traefik | kube-system | LoadBalancer | Running with AWS ELB |
| metrics-server | kube-system | ClusterIP | Running |
| argocd-server | argocd | NodePort | Running (ports 30080/30443) |
| cert-manager | cert-manager | Multiple pods | All components running |

| Environment | Deployment | Replicas | Status |
|---|---|---|---|
| dev | learning-hub | 1/1 | Available |
| prod | learning-hub | 3/3 | Available |
┌─────────────────────────────────────────────────────────────┐
│                          Internet                           │
└────────────────────────┬────────────────────────────────────┘
                         │
                         ▼
              ┌──────────────────────┐
              │  AWS Load Balancer   │
              │  (Traefik External)  │
              └──────────┬───────────┘
                         │
          ┌──────────────┴──────────────┐
          │                             │
          ▼                             ▼
     ┌─────────┐                   ┌─────────┐
     │  HTTP   │────[redirect]────▶│  HTTPS  │
     │  :80    │                   │  :443   │
     └─────────┘                   └────┬────┘
                                        │
                             ┌──────────┴──────────┐
                             │   Traefik Ingress   │
                             │    (kube-system)    │
                             └──────────┬──────────┘
                                        │
                   ┌────────────────────┼────────────────────┐
                   │                    │                    │
                   ▼                    ▼                    ▼
            ┌─────────────┐      ┌─────────────┐      ┌─────────────┐
            │   Dev Env   │      │  Prod Env   │      │   ArgoCD    │
            │             │      │             │      │     UI      │
            │ learning-hub│      │ learning-hub│      │             │
            │   (1 pod)   │      │  (3 pods)   │      │ :8081 (fwd) │
            └──────┬──────┘      └──────┬──────┘      └─────────────┘
                   │                    │
                   └──────────┬─────────┘
                              │
                   ┌──────────┴──────────┐
                   │    Cert-Manager     │
                   │ (TLS Certificates)  │
                   │                     │
                   │ • letsencrypt-prod  │
                   │ • letsencrypt-stage │
                   └─────────────────────┘

┌─────────────────────────────────────────────────────────────┐
│                      Support Services                       │
├─────────────────────────────────────────────────────────────┤
│ • Metrics Server (resource monitoring)                      │
│ • ArgoCD (GitOps CD)                                        │
│ • ECR Secret (container registry access)                    │
└─────────────────────────────────────────────────────────────┘
# View all namespaces
kubectl get namespaces
# View all pods across namespaces
kubectl get pods -A
# Check resource usage
kubectl top nodes
kubectl top pods -A
# Port forward to access UI
kubectl port-forward svc/argocd-server -n argocd 8081:80
# Get admin password
kubectl get secret argocd-initial-admin-secret -n argocd -o jsonpath="{.data.password}" | base64 -d && echo
# List applications
argocd app list
# Sync application
argocd app sync learning-hub-dev
# Check certificates
kubectl get certificate -A
# Check certificate issuers
kubectl get clusterissuer
# Describe certificate (for troubleshooting)
kubectl describe certificate learning-hub-tls -n dev
# Watch deployments in dev
kubectl get deployments -n dev -w
# View deployment details
kubectl describe deployment learning-hub -n dev
# Check pod logs
kubectl logs -n dev -l app=learning-hub
# Get pod details
kubectl get pods -n dev -o wide
# Check Traefik service
kubectl get svc traefik -n kube-system
# View Traefik logs
kubectl logs -n kube-system -l app.kubernetes.io/name=traefik
# Check IngressRoutes
kubectl get ingressroute -A
The Kubernetes cluster is fully operational with the following capabilities: