The apps layer deploys user-facing services and GitOps tooling. This includes ArgoCD for continuous delivery, Traefik for ingress routing, and application-specific configurations like TLS certificates and Vault policies.

What Gets Deployed

This layer installs:
  • ArgoCD: GitOps continuous delivery platform
  • Traefik: Modern ingress controller and reverse proxy
  • EBS CSI Driver: Amazon EBS storage integration for Kubernetes
  • Application TLS Certificates: Automated certificate provisioning for services
  • Vault Roles & Policies: Application-specific secret access controls
  • External DNS: Automatic DNS record management

Environment Variables

Before deploying, ensure you have configured all required variables:
# Source your main .env file
source .env

# Source Vault credentials from platform layer
source ~/.vault-secrets/vault.env

# Verify all variables are set
echo $TF_VAR_github_owner
echo $TF_VAR_github_app_id
echo $VAULT_TOKEN
echo $VAULT_ADDR

Required Variables

| Variable | Description | Source |
| --- | --- | --- |
| VAULT_TOKEN | Vault root token | Generated by vault-bootstrap.sh |
| VAULT_ADDR | Vault server URL | Set by vault-bootstrap.sh |
| TF_VAR_github_owner | GitHub username or organization | Your .env file |
| TF_VAR_github_helm_charts_repo | Helm charts repository name | Your .env file |
| TF_VAR_github_app_id | GitHub App ID | Your .env file |
| TF_VAR_github_app_installation_id | GitHub App Installation ID | Your .env file |
| TF_VAR_github_app_private_key_file | Path to GitHub App private key | Your .env file |
The Vault token is required for creating policies and roles. Make sure you’ve completed the platform layer initialization before proceeding.
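A preflight script that checks every variable in the table before you run Terraform, added here as an example and not part of the project: it lists unset variables, rejects a non-https Vault address, confirms the GitHub App key file is readable, and prints the token masked rather than echoing the full root token into the terminal and shell history. The variable names are the ones from the table; everything else is constructed.

```shell
#!/bin/sh
# Added preflight check for the apps layer (example, not the project's own script).
# Source .env and ~/.vault-secrets/vault.env first, then run: preflight

REQUIRED_VARS="VAULT_TOKEN VAULT_ADDR TF_VAR_github_owner TF_VAR_github_helm_charts_repo \
TF_VAR_github_app_id TF_VAR_github_app_installation_id TF_VAR_github_app_private_key_file"

# Print the names of unset or empty variables, one per line; prints nothing when all are set.
missing_vars() {
  for name in $REQUIRED_VARS; do
    eval "value=\${$name:-}"
    [ -n "$value" ] || echo "$name"
  done
}

# Show only the first 4 characters of a secret (e.g. "hvs.") so it can be confirmed without leaking it.
mask_secret() {
  prefix=$(printf '%s' "$1" | cut -c1-4)
  printf '%s****\n' "$prefix"
}

# Return 0 when the environment is usable: nothing missing, VAULT_ADDR uses https,
# and the GitHub App private key path points at a readable file.
preflight() {
  missing=$(missing_vars)
  if [ -n "$missing" ]; then
    printf 'unset variables:\n%s\n' "$missing" >&2
    return 1
  fi
  case "$VAULT_ADDR" in
    https://*) ;;
    *) echo "VAULT_ADDR must use https, got: $VAULT_ADDR" >&2; return 1 ;;
  esac
  if [ ! -r "$TF_VAR_github_app_private_key_file" ]; then
    echo "private key file not readable: $TF_VAR_github_app_private_key_file" >&2
    return 1
  fi
  echo "VAULT_ADDR=$VAULT_ADDR VAULT_TOKEN=$(mask_secret "$VAULT_TOKEN")"
  echo "preflight OK; next: cd terraform/dev/3-apps && terraform init"
}
```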

Deployment Steps

1. Navigate to the apps directory:

cd terraform/dev/3-apps

2. Set environment variables:

# Source main environment
source ~/.env

# Source Vault credentials
source ~/.vault-secrets/vault.env

# Or set the Vault credentials directly if you did not source vault.env
export VAULT_TOKEN="hvs.xxxxx"
export VAULT_ADDR="https://vault.yourdomain.com"

3. Initialize Terraform:

terraform init

This initializes the remote backend and downloads provider plugins.

4. Review the plan:

terraform plan

Review the resources that will be created:
  • ArgoCD deployment and configuration
  • Traefik Helm release
  • Application TLS certificates
  • Vault policies for applications
  • External DNS configuration

5. Apply the configuration:

terraform apply

Type yes when prompted. This process takes approximately 5-10 minutes.

Application Components

ArgoCD

ArgoCD provides GitOps continuous delivery for Kubernetes. Features:
  • Declarative GitOps CD
  • Automated application deployment
  • Health status monitoring
  • Rollback capabilities
  • Multi-cluster management
Configuration:
  • Deployed in argocd namespace
  • Web UI accessible via ingress
  • ApplicationSets for dynamic app discovery
  • GitHub integration for Helm chart repositories
Access:
# Get admin password
kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d

# Access UI (via Tailscale)
https://argocd.yourdomain.com

Traefik

Traefik is a modern HTTP reverse proxy and load balancer. Features:
  • Automatic service discovery
  • Let’s Encrypt integration
  • Middleware support (auth, rate limiting, etc.)
  • Metrics and tracing
  • Dynamic configuration
Configuration:
  • Deployed in traefik namespace
  • IngressRoute CRDs for routing
  • Automatic TLS certificate provisioning
  • Integration with cert-manager

EBS CSI Driver

The Amazon EBS CSI driver enables Kubernetes to manage EBS volumes. Features:
  • Dynamic volume provisioning
  • Volume snapshots
  • Volume expansion
  • EBS volume types support (gp3, gp2, io1, etc.)
Configuration:
  • Deployed in kube-system namespace
  • StorageClasses for different EBS volume types
  • IAM Roles for Service Accounts (IRSA)

Application TLS Certificates

Automated TLS certificates for application services. Certificates provisioned:
  • Wildcard certificate for *.yourdomain.com
  • ArgoCD certificate
  • Vault certificate
  • Traefik dashboard certificate
Configuration:
  • Uses cert-manager with Let’s Encrypt
  • DNS-01 challenge via Cloudflare
  • Automatic renewal before expiration

Vault Policies

Application-specific Vault policies for secret access. Policies created:
  • ArgoCD policy for Git credentials
  • Application policy for app secrets
  • External Secrets Operator policy
Example policy:
path "secret/data/argocd/*" {
  capabilities = ["read", "list"]
}

Accessing Services

ArgoCD

1. Get the admin password:

kubectl -n argocd get secret argocd-initial-admin-secret \
  -o jsonpath="{.data.password}" | base64 -d && echo

2. Access the UI. Connect to Tailscale, then navigate to:
https://argocd.yourdomain.com
Login with:
  • Username: admin
  • Password: (from step 1)

3. Change the default password. In the ArgoCD UI:
  1. Click on “User Info” (top right)
  2. Select “Update Password”
  3. Enter current and new password

Traefik Dashboard

Access the Traefik dashboard:
# Port forward to Traefik dashboard
kubectl port-forward -n traefik svc/traefik 9000:9000
Then navigate to http://localhost:9000/dashboard/.

Verification

Check All Pods

# ArgoCD
kubectl get pods -n argocd

# Traefik
kubectl get pods -n traefik

# EBS CSI Driver
kubectl get pods -n kube-system | grep ebs-csi
All pods should be in Running state.

Verify ArgoCD

# Check ArgoCD applications
kubectl get applications -n argocd

# Check ArgoCD ApplicationSets
kubectl get applicationsets -n argocd

Verify Certificates

# List all certificates
kubectl get certificates -A

# Check certificate details
kubectl describe certificate <cert-name> -n <namespace>
Certificates should show Ready status.

Verify Vault Policies

Using the Vault CLI:
# List policies
vault policy list

# Read a policy
vault policy read argocd
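The pod and certificate checks above turned into a script, added as an example that is not part of the project: it parses the default `kubectl get pods` and `kubectl get certificates -A` table output and exits non-zero when a pod is not Running with all containers ready, when no EBS CSI pods exist, or when a certificate is not Ready. The namespaces are the ones used on this page; the sample table lines in the comments are constructed.

```shell
#!/bin/sh
# Added verification helper for the apps layer (example, not the project's own script).
# Usage after deployment: verify_apps_layer && echo "apps layer healthy"

# Read `kubectl get pods` output (NAME READY STATUS RESTARTS AGE) on stdin and print
# pods that are not Running with all containers ready; Completed jobs are ignored.
unhealthy_pods() {
  awk 'NR > 1 {
    if ($3 == "Completed") next
    split($2, r, "/")
    if ($3 != "Running" || r[1] != r[2]) print $1 " " $2 " " $3
  }'
}

# Read `kubectl get certificates -A` output (NAMESPACE NAME READY SECRET AGE) on stdin
# and print certificates whose READY column is not True.
unready_certificates() {
  awk 'NR > 1 && $3 != "True" { print $1 "/" $2 " ready=" $3 }'
}

# Run the live checks; returns 1 if anything is unhealthy or kubectl fails.
verify_apps_layer() {
  failed=0
  for ns in argocd traefik; do
    out=$(kubectl get pods -n "$ns") || return 1
    bad=$(printf '%s\n' "$out" | unhealthy_pods)
    [ -z "$bad" ] || { printf '%s: unhealthy pods\n%s\n' "$ns" "$bad"; failed=1; }
  done
  out=$(kubectl get pods -n kube-system) || return 1
  printf '%s\n' "$out" | grep -q ebs-csi || { echo "kube-system: no ebs-csi pods found"; failed=1; }
  bad=$(printf '%s\n' "$out" | grep -E '^NAME|ebs-csi' | unhealthy_pods)
  [ -z "$bad" ] || { printf 'ebs-csi: unhealthy pods\n%s\n' "$bad"; failed=1; }
  out=$(kubectl get certificates -A) || return 1
  bad=$(printf '%s\n' "$out" | unready_certificates)
  [ -z "$bad" ] || { printf 'certificates not ready:\n%s\n' "$bad"; failed=1; }
  return $failed
}
```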

ArgoCD ApplicationSets

The deployment includes ApplicationSets that automatically discover and deploy Helm charts from your GitHub repository. Configuration:
  • Monitors specified GitHub repository for Helm charts
  • Automatically creates ArgoCD Applications for each chart
  • Syncs applications to the cluster
Example ApplicationSet (git directory generator, which creates one Application per chart directory in the Helm charts repository):
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
  name: helm-charts
  namespace: argocd
spec:
  generators:
  # The git directory generator enumerates chart directories in one repository and
  # exposes {{path}} and {{path.basename}} to the template. The repository is read
  # with the GitHub App repository credentials already registered in ArgoCD.
  - git:
      repoURL: https://github.com/myorg/helm-charts.git   # example values
      revision: main
      directories:
      - path: charts/*   # adjust to the layout of your charts repository
  template:
    metadata:
      name: '{{path.basename}}'
    spec:
      project: default
      source:
        repoURL: https://github.com/myorg/helm-charts.git
        path: '{{path}}'
        targetRevision: main
      destination:
        server: https://kubernetes.default.svc
        namespace: '{{path.basename}}'
      syncPolicy:
        syncOptions:
        - CreateNamespace=true   # each chart gets its own namespace

Troubleshooting

ArgoCD Not Syncing

Check application status:
kubectl get application -n argocd <app-name> -o yaml
Common issues:
  • GitHub credentials incorrect
  • Repository not accessible
  • Invalid Helm chart syntax
  • Resource quotas exceeded

Certificate Not Issuing

Check certificate and challenge status:
kubectl describe certificate <cert-name> -n <namespace>
kubectl get challenges -A
Common issues:
  • Cloudflare API token permissions
  • DNS propagation delays
  • Let’s Encrypt rate limits

Vault Policy Errors

Verify Vault authentication:
echo $VAULT_TOKEN
echo $VAULT_ADDR
vault token lookup
Common issues:
  • Token expired
  • Insufficient permissions
  • Vault address incorrect

Next Steps

With all layers deployed, you can now access and manage your services.

Accessing Services

Learn how to access Vault, ArgoCD, and EKS

Troubleshooting

Common issues and solutions
