# Bootstrap

Bootstrap chart for cluster initialization. Deploys all required infrastructure components in a single Helm release.

## Requirements

- 1-3 nodes
- External DNS for ingress access
- Internet access

## Components

The bootstrap umbrella chart (`charts/bootstrap/`) includes:

| Component | Description |
|-----------|-------------|
| Cilium | CNI for networking |
| ingress-nginx | Ingress controller |
| cert-manager | TLS certificate management |
| sealed-secrets | Encrypted secrets for GitOps |
| ArgoCD | GitOps continuous delivery |
| OpenEBS | Container storage (hostpath) |

Additional resources created:

- ClusterIssuer (Let's Encrypt)
- StorageClass (local-storage)

## Kubernetes

Install [k0s](https://k0sproject.io/) as the Kubernetes distribution:

```sh
curl -sSf https://get.k0s.sh | sudo sh
sudo k0s install controller --enable-worker --no-taints --config ./k0s.yaml
sudo k0s start
```

Verify and get kubeconfig:

```sh
sudo k0s status
k0s kubeconfig admin create > ~/.kube/config
```

## Bootstrap Installation

```sh
cd charts/bootstrap

# Download dependencies
helm dependency update

# Review what will be installed
helm template bootstrap . --namespace bootstrap | less

# Install
helm upgrade -i bootstrap . --namespace bootstrap --create-namespace
```

## Sealed Secrets

[Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets) enables GitOps management of secrets using asymmetric encryption.

### Usage

```sh
# Create a secret (do not commit)
kubectl create secret generic my-secret \
  --from-literal=password=supersecret \
  --dry-run=client -o yaml > plaintext.yaml

# Seal it
kubeseal < plaintext.yaml > sealed-secret.yaml

# Delete plaintext
rm plaintext.yaml

# Apply sealed secret
kubectl apply -f sealed-secret.yaml
```

## ArgoCD

Available at https://argo.turbo.weystrom.dev

Get initial admin password:

```sh
kubectl -n bootstrap get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d
```

## Configuration

Edit `charts/bootstrap/values.yaml` to customize components. Each subchart is configured under its own key:

```yaml
cilium:
  enabled: true

ingress-nginx:
  enabled: true
  controller:
    service:
      externalIPs:
        - 1.2.3.4

cert-manager:
  enabled: true

# ... etc
```

To disable a component, set `enabled: false`.
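
The Sealed Secrets usage steps above depend on the plaintext manifest never reaching Git. As an added example (not part of this repository), the shell function below flags any manifest that still contains a `kind: Secret`, including one nested in a `kind: List`; the function names, file names and sample manifests are constructed for illustration.

```sh
#!/bin/sh
# find_plaintext_secrets FILE...
# Prints "file:line" for every "kind: Secret" entry, top-level or nested in a
# "kind: List". "kind: SealedSecret" never matches. Returns 1 on any hit, else 0.
find_plaintext_secrets() {
    [ "$#" -gt 0 ] || return 0            # no files: nothing to check
    awk '{
        i = ($1 == "-") ? 2 : 1           # allow the "- kind: Secret" list form
        v = $(i + 1)
        gsub(/["\047]/, "", v)            # strip optional YAML quotes
        if ($i == "kind:" && v == "Secret") { printf "%s:%d\n", FILENAME, FNR; found = 1 }
    }
    END { exit found + 0 }' "$@"
}

# make_samples DIR: write constructed manifests for the demo (sample data only).
make_samples() {
    cat > "$1/plaintext.yaml" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
data:
  password: c3VwZXJzZWNyZXQ=
EOF
    cat > "$1/sealed-secret.yaml" <<'EOF'
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: my-secret
spec:
  encryptedData:
    password: PLACEHOLDER_CIPHERTEXT
EOF
    cat > "$1/bundle.yaml" <<'EOF'
apiVersion: v1
kind: List
items:
  - apiVersion: v1
    kind: Secret
    metadata:
      name: leaked
EOF
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
find_plaintext_secrets "$demo_dir"/*.yaml || echo "plaintext Secret present: do not commit"
rm -rf "$demo_dir"
```

To use it as a pre-commit check, pass it the staged YAML files (for example the output of `git diff --cached --name-only`) and abort the commit when it returns non-zero.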