Kubernetes Deployment Configuration
This directory contains documentation for Blueberry IDP's Kubernetes deployment configuration and integration patterns.
Overview
The Kubernetes deployment configuration system integrates Helm charts, ConfigMaps, Secrets, and External Secrets Operator to provide secure, automated configuration management for containerized applications.
Architecture Components
Helm Chart Integration
- Chart Templates: Kubernetes resource definitions with templating
- Values Files: Configuration data and overrides
- Dependencies: Sub-charts for Redis, MySQL, and other services
- Hooks: Pre/post deployment automation
Configuration Resources
- ConfigMaps: Non-sensitive configuration data
- Secrets: Sensitive configuration and credentials
- External Secrets: Synchronized secrets from Google Secret Manager
- Service Accounts: Pod identity and permissions
Deployment Pipeline
- ArgoCD: GitOps-based deployment automation
- Workload Identity: GCP service account integration
- External Secrets Operator: Secret synchronization
- Ingress Controllers: Traffic routing and TLS termination
Configuration Flow
1. Helm Chart Processing
```yaml
# charts/blueberry/templates/configmap.yml
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "blueberry.fullname" . }}-config
  labels:
    {{- include "blueberry.labels" . | nindent 4 }}
data:
  # API Configuration
  API_TITLE: {{ .Values.config.apiTitle | quote }}
  API_VERSION: {{ .Values.config.apiVersion | quote }}
  DEBUG: {{ .Values.config.debug | quote }}
  # GCP Configuration
  GCP_PROJECT_ID: {{ .Values.config.gcpProjectId | quote }}
  REGION: {{ .Values.config.region | quote }}
```
2. Secret Management
```yaml
# External Secret for Google Secret Manager integration
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: blueberry-secrets
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: gcpsm-secret-store
    kind: SecretStore
  target:
    name: blueberry-secrets
    creationPolicy: Owner
  data:
    - secretKey: gitlab-token
      remoteRef:
        key: gitlab-token
    - secretKey: redis-password
      remoteRef:
        key: redis-password
```
3. Pod Configuration
```yaml
# Deployment with configuration injection
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      serviceAccountName: blueberry
      containers:
        - name: blueberry
          image: us-docker.pkg.dev/development-454916/blueberry/blueberry:latest
          envFrom:
            - configMapRef:
                name: blueberry-config
            - secretRef:
                name: blueberry-secrets
          env:
            - name: CONTAINER_IMAGE_ID
              value: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
            - name: GIT_COMMIT_SHA
              value: "{{ .Values.gitCommitSha }}"
```
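The three steps above only work if every reference in the chain resolves: the Deployment's `configMapRef` must name the rendered ConfigMap, its `secretRef` must name a Secret that either exists or is the `target.name` of an ExternalSecret, and that ExternalSecret must point at an existing SecretStore. The following checker is an added example, not code from the Blueberry chart; it takes manifests as Python dicts (the shape a YAML loader or `kubectl get ... -o json` produces) and the sample manifests are constructed to mirror the ones shown in this section.

```python
"""Static check of the configuration-injection chain (added example)."""
import copy
from typing import Dict, List, Tuple


def _index(manifests: List[dict]) -> Dict[Tuple[str, str], dict]:
    """Index manifests by (kind, name) for O(1) lookups."""
    return {(m["kind"], m["metadata"]["name"]): m for m in manifests}


def check_config_wiring(manifests: List[dict]) -> List[str]:
    """Return findings for references that do not resolve; [] means all resolve.

    A Secret counts as present if it exists as a Secret manifest or is the
    target of an ExternalSecret (the operator creates it on first sync).
    """
    idx = _index(manifests)
    synced = {
        m["spec"].get("target", {}).get("name", m["metadata"]["name"])
        for m in manifests if m["kind"] == "ExternalSecret"
    }
    findings: List[str] = []
    for m in manifests:
        kind, name = m["kind"], m["metadata"]["name"]
        if kind == "ExternalSecret":
            ref = m["spec"]["secretStoreRef"]
            store = (ref.get("kind", "SecretStore"), ref["name"])
            if store not in idx:
                findings.append(f"ExternalSecret {name}: {store[0]} {store[1]} not found")
        if kind != "Deployment":
            continue
        pod = m["spec"]["template"]["spec"]
        sa = pod.get("serviceAccountName", "default")
        if sa != "default" and ("ServiceAccount", sa) not in idx:
            findings.append(f"Deployment {name}: ServiceAccount {sa} not found")
        for c in pod.get("containers", []):
            for src in c.get("envFrom", []):
                cm = src.get("configMapRef")
                if cm and ("ConfigMap", cm["name"]) not in idx and not cm.get("optional"):
                    findings.append(f"Deployment {name}/{c['name']}: ConfigMap {cm['name']} not found")
                sr = src.get("secretRef")
                if (sr and ("Secret", sr["name"]) not in idx
                        and sr["name"] not in synced and not sr.get("optional")):
                    findings.append(f"Deployment {name}/{c['name']}: Secret {sr['name']} "
                                    "not found (no Secret and no ExternalSecret target)")
    return findings


# Constructed sample: the rendered chart as this section shows it.
SAMPLE = [
    {"kind": "ConfigMap", "metadata": {"name": "blueberry-config"},
     "data": {"API_TITLE": "Blueberry IDP", "DEBUG": "false"}},
    {"kind": "SecretStore", "metadata": {"name": "gcpsm-secret-store"}},
    {"kind": "ServiceAccount", "metadata": {"name": "blueberry"}},
    {"kind": "ExternalSecret", "metadata": {"name": "blueberry-secrets"},
     "spec": {"secretStoreRef": {"name": "gcpsm-secret-store", "kind": "SecretStore"},
              "target": {"name": "blueberry-secrets"}}},
    {"kind": "Deployment", "metadata": {"name": "blueberry"},
     "spec": {"template": {"spec": {
         "serviceAccountName": "blueberry",
         "containers": [{"name": "blueberry",
                         "envFrom": [{"configMapRef": {"name": "blueberry-config"}},
                                     {"secretRef": {"name": "blueberry-secrets"}}]}]}}}},
]


def broken_sample() -> List[dict]:
    """Constructed failure case: the ConfigMap is rendered with a release-prefixed
    name (as a fullname-based template would do), so a hard-coded configMapRef
    no longer matches and the pod would start with CreateContainerConfigError."""
    ms = copy.deepcopy(SAMPLE)
    ms[0]["metadata"]["name"] = "dev-blueberry-config"
    return ms


if __name__ == "__main__":
    print("rendered chart:", check_config_wiring(SAMPLE) or "all references resolve")
    for finding in check_config_wiring(broken_sample()):
        print("finding:", finding)
```

Run it against the output of `helm template` (converted to JSON) before a sync, or against `kubectl get cm,secret,externalsecret,secretstore,sa,deploy -o json` after one; a non-empty result explains most "configuration not loading" symptoms without reading pod events.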
Configuration Categories
Application Configuration
Environment variables for application behavior:
```yaml
# ConfigMap data
API_TITLE: "Blueberry IDP"
API_VERSION: "0.1.0"
DEBUG: "false"
HOST: "0.0.0.0"
PORT: "8000"
RELOAD: "false"
```
GCP Integration
Google Cloud Platform service configuration:
```yaml
# ConfigMap data
GCP_PROJECT_ID: "development-454916"
REGION: "us-east1"
GCS_BUCKET: "blueberry-artifacts"
FIREBASE_PROJECT: "blueberry-e6167"
ARTIFACT_REGISTRY_URL: "us-docker.pkg.dev/development-454916/blueberry"
```
Service Integration
External service connection settings:
```yaml
# ConfigMap data
GITLAB_URL: "https://gitlab.com"
REDIS_HOST: "blueberry-redis-master"
REDIS_PORT: "6379"
REDIS_DB: "0"
ARGOCD_URL: "https://argocd.florenciacomuzzi.com"
```
Secret References
Secret Manager secret identifiers:
```yaml
# ConfigMap data (non-sensitive references)
GITLAB_TOKEN_SECRET_ID: "gitlab-token"
REDIS_PASSWORD_SECRET_ID: "redis-password"
FIREBASE_API_KEY_SECRET_ID: "firebase-api-key"
GITLAB_WEBHOOK_TOKEN_SECRET_ID: "gitlab-webhook-token"
SLACK_WEBHOOK_URL_SECRET_ID: "slack-webhook-url"
```
Security Integration
Workload Identity
GKE Workload Identity eliminates the need for service account keys:
```yaml
# Service Account with Workload Identity annotation
apiVersion: v1
kind: ServiceAccount
metadata:
  name: blueberry
  annotations:
    iam.gke.io/gcp-service-account: blueberry@development-454916.iam.gserviceaccount.com
```
External Secrets Operator
Automatic secret synchronization from Google Secret Manager:
```yaml
# Secret Store configuration
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: gcpsm-secret-store
spec:
  provider:
    gcpsm:
      projectId: "development-454916"
      auth:
        workloadIdentity:
          clusterLocation: us-east1
          clusterName: blueberry-dev-cluster
          serviceAccountRef:
            name: external-secrets-sa
```
RBAC Configuration
Role-Based Access Control for pod permissions:
```yaml
# ServiceAccount, ClusterRole, and ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: blueberry-role
rules:
  - apiGroups: ["argoproj.io"]
    resources: ["applications"]
    verbs: ["get", "list", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get", "list", "create", "delete"]
```
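Two things in this section are worth checking mechanically on every render: that each pod ServiceAccount actually carries a well-formed `iam.gke.io/gcp-service-account` binding into the expected project (a missing or misspelled annotation silently leaves the pod without the intended GCP identity), and that ClusterRole rules stay narrow (no wildcards, and a conscious decision behind destructive verbs on cluster-scoped resources such as `namespaces`). The audit below is an added example, not part of the Blueberry chart; manifests are dicts in YAML-loader or `kubectl -o json` shape, and the samples are constructed from the ServiceAccount and ClusterRole shown above.

```python
"""Audit Workload Identity annotations and ClusterRole scope (added example)."""
import re
from typing import List

WI_ANNOTATION = "iam.gke.io/gcp-service-account"
# <gsa-id>@<project-id>.iam.gserviceaccount.com; ids are lowercase letters, digits, hyphens.
GSA_RE = re.compile(r"^[a-z][a-z0-9-]{5,29}@([a-z][a-z0-9-]{4,29})\.iam\.gserviceaccount\.com$")

# Resources that are not namespaced: write verbs on them affect the whole cluster.
CLUSTER_SCOPED = {"namespaces", "nodes", "persistentvolumes", "clusterroles",
                  "clusterrolebindings", "customresourcedefinitions"}
DESTRUCTIVE = {"delete", "deletecollection"}


def audit_service_account(sa: dict, expected_project: str) -> List[str]:
    """Check that the SA is bound to a GSA in the expected GCP project."""
    name = sa["metadata"]["name"]
    ann = sa["metadata"].get("annotations", {}).get(WI_ANNOTATION)
    if ann is None:
        return [f"ServiceAccount {name}: no {WI_ANNOTATION} annotation; "
                "pods get no Workload Identity binding"]
    m = GSA_RE.match(ann)
    if not m:
        return [f"ServiceAccount {name}: {ann!r} is not a GCP service account email"]
    if m.group(1) != expected_project:
        return [f"ServiceAccount {name}: bound to GSA in project {m.group(1)}, "
                f"expected {expected_project}"]
    return []


def audit_cluster_role(role: dict) -> List[str]:
    """Flag wildcard grants and destructive verbs on cluster-scoped resources."""
    findings: List[str] = []
    name = role["metadata"]["name"]
    for i, rule in enumerate(role.get("rules", [])):
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        verbs = rule.get("verbs", [])
        if "*" in groups or "*" in resources or "*" in verbs:
            findings.append(f"ClusterRole {name} rule {i}: wildcard grant "
                            f"(apiGroups={groups}, resources={resources}, verbs={verbs})")
            continue
        for res in resources:
            if res in CLUSTER_SCOPED and set(verbs) & DESTRUCTIVE:
                findings.append(f"ClusterRole {name} rule {i}: destructive verb on "
                                f"cluster-scoped resource {res!r}; confirm the workload "
                                "needs it and that its binding is no wider than required")
    return findings


# Constructed samples mirroring the manifests in this section.
SAMPLE_SA = {"kind": "ServiceAccount", "metadata": {
    "name": "blueberry",
    "annotations": {WI_ANNOTATION: "blueberry@development-454916.iam.gserviceaccount.com"}}}
SAMPLE_ROLE = {"kind": "ClusterRole", "metadata": {"name": "blueberry-role"}, "rules": [
    {"apiGroups": ["argoproj.io"], "resources": ["applications"],
     "verbs": ["get", "list", "create", "update", "patch", "delete"]},
    {"apiGroups": [""], "resources": ["namespaces"],
     "verbs": ["get", "list", "create", "delete"]}]}
WILDCARD_ROLE = {"kind": "ClusterRole", "metadata": {"name": "too-broad"}, "rules": [
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}

if __name__ == "__main__":
    for f in audit_service_account(SAMPLE_SA, "development-454916") + \
             audit_cluster_role(SAMPLE_ROLE) + audit_cluster_role(WILDCARD_ROLE):
        print("finding:", f)
```

The `namespaces` rule in the chart's own role trips the second check by design: the ephemeral-environment feature legitimately creates and deletes namespaces, so the finding is a prompt to keep that binding on the one ServiceAccount that needs it rather than a defect.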
Environment-Specific Configuration
Development Environment
```yaml
# charts/blueberry/values.yaml
config:
  debug: true
  corsOrigins:
    - "http://localhost:3000"
    - "http://localhost:8080"
  gcpProjectId: "development-454916"
  ephemeralDomain: "ephemeral.blueberry.florenciacomuzzi.com"
```
Production Environment
```yaml
# Production values override
config:
  debug: false
  corsOrigins:
    - "https://blueberry.florenciacomuzzi.com"
  gcpProjectId: "production-project-id"
  ephemeralDomain: "ephemeral.blueberry.production.com"
```
Deployment Patterns
GitOps with ArgoCD
```yaml
# ArgoCD Application
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: blueberry
  namespace: argocd
spec:
  project: blueberry-project
  source:
    repoURL: https://gitlab.com/florenciacomuzzi/blueberry
    path: charts/blueberry
    targetRevision: HEAD
    helm:
      valueFiles:
        - values.yaml
  destination:
    server: https://kubernetes.default.svc
    namespace: blueberry
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
```
Multi-Environment Support
```yaml
# Environment-specific ArgoCD Application
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: env-pr-123
  namespace: argocd
spec:
  source:
    repoURL: https://gitlab.com/florenciacomuzzi/blueberry
    path: charts/environment
    helm:
      values: |
        environment:
          name: pr-123
          namespace: ephemeral-pr-123
          ttl: 72h
        backend:
          image:
            tag: sha-abc123
          gitCommitSha: abc123def456
```
Configuration Management Best Practices
Helm Chart Design
- Use consistent naming conventions
- Implement proper resource labeling
- Support multiple environments
- Include resource constraints
Secret Management
- Never store secrets in charts or values files
- Use External Secrets Operator for synchronization
- Implement proper secret rotation
- Monitor secret access patterns
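"Never store secrets in charts or values files" is easy to state and easy to violate by accident, because the ConfigMap in this chart legitimately carries Secret Manager identifiers (`GITLAB_TOKEN_SECRET_ID: "gitlab-token"`) that look like secret material to a naive grep. The scanner below is an added example, not part of the Blueberry project: it treats `*_SECRET_ID` style keys as references, flags sensitive-looking keys that hold a literal, recognises a few public credential formats (GitLab `glpat-` tokens, Google `AIza` API keys, Slack tokens and webhook URLs, PEM private keys), and falls back to an entropy check for long opaque values. All sample values are constructed.

```python
"""Flag credential-looking literals in values files or ConfigMap data (added example)."""
import math
import re
from typing import Dict, List, Tuple

SENSITIVE_KEY = re.compile(
    r"(TOKEN|PASSWORD|PASSWD|SECRET|API_KEY|PRIVATE_KEY|CREDENTIAL|WEBHOOK_URL)", re.I)
# Keys that hold a reference (a Secret Manager id/name), which is the pattern this chart uses.
REFERENCE_KEY = re.compile(r"_SECRET_(ID|NAME|REF)$", re.I)
# Public credential formats; matching one of these is a finding regardless of the key name.
CREDENTIAL_SHAPES = [
    ("GitLab token", re.compile(r"^glpat-")),
    ("Google API key", re.compile(r"^AIza[0-9A-Za-z_-]{35}$")),
    ("Slack token", re.compile(r"^xox[abp]-")),
    ("Slack webhook URL", re.compile(r"hooks\.slack\.com/services/")),
    ("PEM private key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
]
# A single opaque token of 32+ base64/url-safe characters (no dots, so URLs and hostnames are excluded).
OPAQUE_TOKEN = re.compile(r"^[A-Za-z0-9+/=_-]{32,}$")
ENTROPY_THRESHOLD = 4.0  # bits per character; random tokens sit well above this


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, estimated from the value's own symbol frequencies."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def find_secret_literals(data: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (key, reason) pairs for entries that should live in Secret Manager instead."""
    findings: List[Tuple[str, str]] = []
    for key, raw in data.items():
        value = str(raw)
        for label, pattern in CREDENTIAL_SHAPES:
            if pattern.search(value):
                findings.append((key, f"value has the shape of a {label}"))
                break
        else:
            if REFERENCE_KEY.search(key):
                continue  # a Secret Manager id such as "gitlab-token" is not sensitive
            if SENSITIVE_KEY.search(key) and value:
                findings.append((key, "sensitive key holds a literal value"))
            elif OPAQUE_TOKEN.match(value) and shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append((key, f"high-entropy opaque value ({shannon_entropy(value):.2f} bits/char)"))
    return findings


# The ConfigMap data documented on this page: references only, so it must produce no findings.
PAGE_CONFIGMAP_DATA = {
    "API_TITLE": "Blueberry IDP", "DEBUG": "false", "PORT": "8000",
    "GCP_PROJECT_ID": "development-454916",
    "ARTIFACT_REGISTRY_URL": "us-docker.pkg.dev/development-454916/blueberry",
    "GITLAB_URL": "https://gitlab.com", "REDIS_HOST": "blueberry-redis-master",
    "GITLAB_TOKEN_SECRET_ID": "gitlab-token",
    "REDIS_PASSWORD_SECRET_ID": "redis-password",
    "SLACK_WEBHOOK_URL_SECRET_ID": "slack-webhook-url",
}

# Constructed counter-example: the same chart with three values that do not belong in a ConfigMap.
BAD_CONFIGMAP_DATA = dict(PAGE_CONFIGMAP_DATA, **{
    "GITLAB_TOKEN": "glpat-CONSTRUCTEDxxxxxxxxxxxx",           # credential shape
    "REDIS_PASSWORD": "hunter2",                               # sensitive key, literal value
    "CACHE_SIGNING_SEED": "A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8S9t0",  # neutral key, high entropy
})

if __name__ == "__main__":
    print("page data:", find_secret_literals(PAGE_CONFIGMAP_DATA) or "clean")
    for key, reason in find_secret_literals(BAD_CONFIGMAP_DATA):
        print(f"finding: {key}: {reason}")
```

Wire it into the chart's CI (run it over `helm template` output and over `values*.yaml`) so a literal credential fails the pipeline before ArgoCD ever syncs it; the reference-key allow-list keeps the documented `*_SECRET_ID` pattern from producing noise.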
Resource Organization
- Group related configurations in ConfigMaps
- Use meaningful resource names
- Implement proper labeling and annotations
- Support namespace isolation
Deployment Automation
- Use GitOps for all deployments
- Implement proper sync policies
- Use ArgoCD sync waves for ordering
- Include health checks and readiness probes
Troubleshooting
Configuration Not Loading
- Check ConfigMap and Secret existence
- Verify pod environment variables
- Review External Secrets synchronization
- Check Workload Identity binding
Secret Access Issues
- Verify External Secrets Operator status
- Check Google Secret Manager permissions
- Review service account annotations
- Test secret synchronization manually
Deployment Failures
- Check ArgoCD application status
- Review pod logs for configuration errors
- Verify Helm chart templating
- Check resource quotas and limits
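The three checklists above map onto fields that `kubectl get ... -o json` already exposes: a container stuck in `CreateContainerConfigError` names the missing ConfigMap or Secret in its waiting message, and an ExternalSecret whose `Ready` condition is not `True` carries the operator's reason and message. The triage helper below is an added example, not part of the Blueberry tooling; it turns those status objects into the checklist item to start from. The Pod and ExternalSecret objects are constructed; their field names follow the Kubernetes Pod status schema and the ExternalSecret `Ready` condition.

```python
"""Map kubectl status output onto the troubleshooting checklist (added example)."""
import re
from typing import List

MISSING_RE = re.compile(r'(configmap|secret) "([^"]+)" not found', re.I)


def triage_pod(pod: dict) -> List[str]:
    """Derive checklist hints from a Pod's containerStatuses."""
    hints: List[str] = []
    ns = pod.get("metadata", {}).get("namespace", "default")
    for cs in pod.get("status", {}).get("containerStatuses", []):
        waiting = cs.get("state", {}).get("waiting")
        if not waiting:
            continue
        reason, msg = waiting.get("reason", ""), waiting.get("message", "")
        if reason == "CreateContainerConfigError":
            m = MISSING_RE.search(msg)
            what = f"{m.group(1).lower()} {m.group(2)}" if m else "a referenced ConfigMap/Secret"
            hints.append(f"Configuration Not Loading: container {cs['name']} waits on {what}; "
                         f"check it exists in namespace {ns} and, for secrets, that the "
                         "ExternalSecret has synced")
        elif reason == "CrashLoopBackOff":
            hints.append(f"Deployment Failures: container {cs['name']} is crash-looping; "
                         "review pod logs for configuration errors")
        elif reason in ("ImagePullBackOff", "ErrImagePull"):
            hints.append(f"Deployment Failures: image pull failing for {cs['name']} "
                         f"({cs.get('image', '?')}); verify the tag exists and the node/Workload "
                         "Identity can read Artifact Registry")
    return hints


def triage_external_secret(es: dict) -> List[str]:
    """Derive checklist hints from an ExternalSecret's Ready condition."""
    hints: List[str] = []
    for cond in es.get("status", {}).get("conditions", []):
        if cond.get("type") == "Ready" and cond.get("status") != "True":
            hints.append(f"Secret Access Issues: ExternalSecret {es['metadata']['name']} is not Ready "
                         f"({cond.get('reason', 'unknown')}: {cond.get('message', '')}); check the "
                         "SecretStore's Workload Identity binding and the GSA's Secret Manager IAM")
    return hints


# Constructed sample objects (trimmed to the fields the triage uses).
SAMPLE_POD = {"metadata": {"name": "blueberry-7c9d", "namespace": "blueberry"}, "status": {
    "containerStatuses": [{"name": "blueberry", "state": {"waiting": {
        "reason": "CreateContainerConfigError",
        "message": 'configmap "blueberry-config" not found'}}}]}}
SAMPLE_ES_FAILED = {"metadata": {"name": "blueberry-secrets"}, "status": {"conditions": [
    {"type": "Ready", "status": "False", "reason": "SecretSyncedError",
     "message": "could not get secret data from provider"}]}}
SAMPLE_ES_OK = {"metadata": {"name": "blueberry-secrets"}, "status": {"conditions": [
    {"type": "Ready", "status": "True", "reason": "SecretSynced", "message": "Secret was synced"}]}}

if __name__ == "__main__":
    for hint in triage_pod(SAMPLE_POD) + triage_external_secret(SAMPLE_ES_FAILED):
        print(hint)
    print("healthy ExternalSecret:", triage_external_secret(SAMPLE_ES_OK) or "no hints")
```

In practice, feed it `kubectl get pod -n blueberry -o json` and `kubectl get externalsecret -n blueberry -o json` (the `.items` list of each) and read the first hint; it names the checklist to work through rather than the fix, which still has to come from the ConfigMap, ExternalSecret or IAM side.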
Related Files
- charts/blueberry/templates/configmap.yml: Main ConfigMap template
- charts/blueberry/templates/deployment.yml: Pod deployment configuration
- charts/blueberry/templates/rbac.yml: RBAC configuration
- charts/blueberry/values.yaml: Default configuration values
- argocd-apps/base/external-secrets/: External Secrets configuration
Document ID: reference/configuration/kubernetes/README