I'm Gatan

Setting Up ArgoCD with NGINX Ingress on a Bare-Metal Kubernetes Cluster

Sun, 21 Jun 2026 00:00:00 GMT

This guide walks you through setting up ArgoCD — a declarative, GitOps-based continuous delivery tool — on a bare-metal Kubernetes cluster. By the end, you'll have ArgoCD fully accessible through a web browser via an NGINX Ingress Controller, and you'll deploy sample applications using both the CLI and the Web UI.

Note: This guide assumes you already have a running Kubernetes cluster (e.g., set up with kubeadm). If you don't have one yet, check out my previous post on Kubernetes Single-Node Setup.

Installing ArgoCD
Setting Up NGINX Ingress Controller
Creating an Ingress for ArgoCD
Installing the ArgoCD CLI
Initial Login and Password Setup
Accessing the ArgoCD Web UI
Tuning the Refresh Interval
Deploying an Application via CLI
Deploying an Application via Web UI
ArgoCD CLI Tips

1. Installing ArgoCD

1.1 Download the Installation Manifest

First, download the official ArgoCD installation manifest:

wget https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml

1.2 Configure a Custom Root Path (Optional)

If you want to access ArgoCD through a sub-path (e.g., http://<your-ip>/argocd-lab) instead of using a dedicated domain, you'll need to modify the argocd-server Deployment in the downloaded install.yaml.

Find the Deployment resource named argocd-server and add the --rootpath, --basehref, and --insecure arguments:

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: server
    app.kubernetes.io/name: argocd-server
    app.kubernetes.io/part-of: argocd
  name: argocd-server
...
# Add these under spec.template.spec.containers[0].args
spec:
     containers:
     - args:
       - /usr/local/bin/argocd-server
       - --staticassets
       - /shared/app
       - --insecure
       - --rootpath
       - /argocd-lab
       - --basehref
       - /argocd-lab

Note: The path /argocd-lab is used in this guide as an example to avoid conflicts with ArgoCD's default /argocd path. Feel free to change it to whatever path suits your needs — just make sure it stays consistent across your Ingress configuration and CLI login commands. If you're using a dedicated domain or want ArgoCD on the root URL, you can skip the --rootpath and --basehref flags entirely.

1.3 Create the Namespace and Deploy

Create the argocd namespace and apply the manifest:

kubectl create namespace argocd

kubectl apply -f install.yaml -n argocd

2. Setting Up NGINX Ingress Controller

A Note on NGINX Ingress: We are using NGINX Ingress Controller here because it is very easy to set up for demonstration purposes. However, if you are planning to deploy this in a production environment, you should consider alternatives that provide better long-term security support and active maintenance (such as Traefik, HAProxy, Contour, etc.).

Important for bare-metal/on-prem clusters: Clusters bootstrapped with kubeadm don't come with a built-in Ingress Controller. Without one, any Ingress resource you create won't work — kubectl get ingress will show no ADDRESS, and you'll get connection refused errors when trying to access services.

2.1 Check If an Ingress Controller Exists

kubectl get ingressclass

If the output is No resources found, you need to install one.

2.2 Install NGINX Ingress Controller

Since we're on bare-metal (no cloud LoadBalancer), install the NGINX Ingress Controller using the bare-metal manifest:

kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.11.3/deploy/static/provider/baremetal/deploy.yaml

2.3 Enable Host Networking

Edit the ingress-nginx-controller Deployment to enable hostNetwork, which allows the controller to bind directly to port 80/443 on the node — no external LoadBalancer or MetalLB required:

kubectl edit deployment ingress-nginx-controller -n ingress-nginx

Add hostNetwork: true under spec.template.spec, at the same level as containers:

spec:
  template:
    spec:
      hostNetwork: true
      containers:
      - name: controller
        ...

2.4 Verify the Installation

Wait a moment, then confirm the controller pod is running and the IngressClass is registered:

kubectl get pods -n ingress-nginx

kubectl get ingressclass

Expected output:

NAME    CONTROLLER             PARAMETERS   AGE
nginx   k8s.io/ingress-nginx   <none>       30s

3. Creating an Ingress for ArgoCD

Create an ingress.yaml file to expose ArgoCD through the /argocd-lab path:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: argocd-server-ingress
  namespace: argocd
  annotations:
    ingress.kubernetes.io/ssl-redirect: "false"
spec:
  rules:
  - http:
      paths:
      - path: /argocd-lab
        pathType: Prefix
        backend:
          service:
            name: argocd-server
            port:
              number: 80

Apply it:

kubectl apply -f ingress.yaml

4. Installing the ArgoCD CLI

Download and install the ArgoCD CLI binary:

curl -SL -o argocd-linux-amd64 https://github.com/argoproj/argo-cd/releases/latest/download/argocd-linux-amd64

sudo install -m 555 argocd-linux-amd64 /usr/local/bin/argocd

Clean up the downloaded file:

rm argocd-linux-amd64

Verify the installation:

argocd version

Expected output:

argocd: v3.4.4+443415b
  BuildDate: 2026-06-18T09:15:00Z
  GitCommit: 443415b5527ac55366e0760c93ef0e1abd0cf273
  GitTreeState: clean
  GoVersion: go1.26.0
  Compiler: gc
  Platform: linux/amd64

Note: You may see a fatal message about the server address being unspecified — this is normal before logging in.

5. Initial Login and Password Setup

5.1 Retrieve the Default Admin Password

ArgoCD generates a random initial password for the admin account during installation:

argocd admin initial-password -n argocd

Example output:

[PASSWORD]

This password must be only used for first time login. We strongly recommend
you update the password using `argocd account update-password`.

5.2 Log In via CLI

argocd login <your-ip>:80 --grpc-web-root-path=/argocd-lab --plaintext --insecure

When prompted, enter admin as the username and the password from the previous step.

5.3 Change the Admin Password

For security, update the default password immediately:

argocd account update-password

*** Enter password of currently logged in user (admin):
*** Enter new password for user admin:
*** Confirm new password for user admin:
Password updated
Context '<your-ip>:80/argocd-lab' updated

6. Accessing the ArgoCD Web UI

Open your browser and navigate to:

http://<your-ip>/argocd-lab

7. Tuning the Refresh Interval

By default, ArgoCD polls your Git repositories every 3 minutes to check for changes. If you want faster feedback (e.g., during development), you can lower this interval.

Create a config.yaml file:

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
data:
  timeout.reconciliation: 20s

Apply the configuration:

kubectl apply -f config.yaml

Verify the change:

kubectl describe configmap -n argocd argocd-cm

Restart the repo server to pick up the new setting:

kubectl -n argocd rollout restart deploy argocd-repo-server

Tip: A 20-second interval is great for development and testing, but for production environments you may want to keep it at the default 3 minutes (or higher) to reduce load on both ArgoCD and your Git server.

8. Deploying an Application via CLI

8.1 Create the Application

Create a sample application called simple-deploy pointing to a Git repository:

argocd app create simple-deploy \
  --repo https://github.com/maliqpotter/argo-simple-project.git \
  --path simple-demo \
  --dest-server https://kubernetes.default.svc \
  --dest-namespace default

application 'simple-deploy' created

8.2 Check the Application Status

argocd app get simple-deploy

The initial status will be OutOfSync because no Kubernetes resources have been created yet:

Name:               argocd/simple-deploy
Project:            default
Server:             https://kubernetes.default.svc
Namespace:          default
Source:
- Repo:             https://github.com/maliqpotter/argo-simple-project.git
  Path:             simple-demo
Sync Status:        OutOfSync from  (1873ef1)
Health Status:      Missing

GROUP  KIND        NAMESPACE  NAME          STATUS     HEALTH   HOOK  MESSAGE
apps   Deployment  default    simple-nginx  OutOfSync  Missing

8.3 Sync (Deploy) the Application

Trigger a sync to deploy the application:

argocd app sync simple-deploy

Once the sync completes, verify the status:

argocd app get simple-deploy

Name:               argocd/simple-deploy
Project:            default
Server:             https://kubernetes.default.svc
Namespace:          default
Source:
- Repo:             https://github.com/maliqpotter/argo-simple-project.git
  Path:             simple-demo
Sync Policy:        Manual
Sync Status:        Synced to  (1873ef1)
Health Status:      Healthy

GROUP  KIND        NAMESPACE  NAME          STATUS  HEALTH   HOOK  MESSAGE
apps   Deployment  default    simple-nginx  Synced  Healthy        deployment.apps/simple-nginx created

8.4 Verify the Resources

Check that the pods and deployment were created:

kubectl get pod -n default

NAME                             READY   STATUS    RESTARTS   AGE
simple-deploy-5d7468b6f8-75w68   1/1     Running   0          2m11s
simple-deploy-5d7468b6f8-mkkph   1/1     Running   0          2m11s
simple-deploy-5d7468b6f8-mkgdz   1/1     Running   0          2m11s

kubectl get deployment -n default

NAME            READY   UP-TO-DATE   AVAILABLE   AGE
simple-deploy   3/3     3            3           2m38s

9. Deploying an Application via Web UI

In addition to the CLI, you can create and deploy applications directly from the ArgoCD dashboard.

9.1 Open the Dashboard

After logging in, you'll see the ArgoCD dashboard showing your existing applications (like the simple-deploy app we just created via CLI).

Click the + NEW APP button to create a new application.

9.2 Fill in the General Settings

Under the GENERAL section, configure:

Application Name: nginx-with-ingress
Project Name: default
Sync Policy: Manual (or Automatic if you want auto-sync)

9.3 Configure the Source and Destination

Under the SOURCE section:

Repository URL: https://github.com/maliqpotter/argo-simple-project.git
Revision: HEAD (or the specific branch you want, e.g., main)
Path: nginx-with-ingress

Under the DESTINATION section:

Cluster URL: https://kubernetes.default.svc
Namespace: default

Then click the CREATE button at the top of the form.

9.4 Sync the Application

Once the nginx-with-ingress application appears on the dashboard with an OutOfSync status, click the SYNC button on the application card, then click SYNCHRONIZE to confirm.

After the sync completes, the application status will change to Synced and Healthy. You can click into the application to see a visual map of all the Kubernetes resources that were created (Deployments, ReplicaSets, Pods, etc.).

10. ArgoCD CLI Tips

10.1 Set Default Namespace

Since ArgoCD is installed in the argocd namespace, you can set it as your default to avoid typing -n argocd on every command:

Option A — Set the kubectl context:

kubectl config set-context --current --namespace=argocd

Option B — Use an environment variable:

export ARGOCD_OPTS='--port-forward-namespace argocd'

10.2 Enable Bash Completion

Speed up your CLI workflow with tab completion:

argocd completion bash | sudo tee /etc/bash_completion.d/argocd

source ~/.bashrc

References

This guide is based on a real-world deployment. Adjust IPs, paths, and version numbers to match your own environment.

Kubernetes Single-Node Setup on AlmaLinux 9.8 with Kubeadm, Containerd & Calico

Fri, 19 Jun 2026 00:00:00 GMT

This guide walks you through setting up a fully functional single-node Kubernetes cluster using Kubeadm, with containerd as the container runtime and Tigera Calico as the CNI plugin — all running on AlmaLinux 9.8 (Olive Jaguar).

By the end, you'll have a working Kubernetes node capable of scheduling and running pods, complete with networking provided by Calico.

Server Specifications

Component	Details
OS	AlmaLinux 9.8 (Olive Jaguar)
CPU	4 vCPU
RAM	10 GB
Container Runtime	containerd
CNI Plugin	Tigera Calico
Installer	kubeadm

System Preparation
Installing containerd
Configuring containerd for Kubernetes
Installing kubeadm, kubelet, kubectl
Initializing the Cluster with kubeadm
Configuring kubectl
Installing Tigera Calico
Verifying the Cluster

1. System Preparation

1.1 Set Hostname

hostnamectl set-hostname <your-hostname>

1.2 Disable Swap

Kubernetes requires swap to be disabled.

# Disable swap immediately
swapoff -a

# Disable swap permanently
sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab

1.3 Disable SELinux

# Disable temporarily
setenforce 0

# Disable permanently
sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config

1.4 Disable Firewall (or Configure Required Ports)

systemctl disable --now firewalld

Tip: If you prefer to keep the firewall active, open the following ports instead:

6443/tcp — Kubernetes API Server

2379-2380/tcp — etcd server client API

10250/tcp — kubelet API

10251/tcp — kube-scheduler

10252/tcp — kube-controller-manager

179/tcp — Calico BGP

4789/udp — Calico VXLAN (optional)

1.5 Load Required Kernel Modules

# Create module configuration
cat <<EOF | tee /etc/modules-load.d/k8s.conf
overlay
br_netfilter
EOF

# Load modules immediately
modprobe overlay
modprobe br_netfilter

1.6 Configure Sysctl Parameters

cat <<EOF | tee /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-iptables  = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.ipv4.ip_forward                 = 1
EOF

# Apply the configuration
sysctl --system

1.7 Verify Kernel Modules Are Loaded

lsmod | grep br_netfilter
lsmod | grep overlay

Expected output (values may vary):

br_netfilter           36864  0
bridge                421888  1 br_netfilter
overlay               237568  0

2. Installing containerd

Reference: Docker Engine on RHEL — docs.docker.com

Since we only need containerd (not the full Docker Engine), we'll use the Docker repository to install just the containerd.io package.

2.1 Remove Potentially Conflicting Packages

dnf remove -y docker \
    docker-client \
    docker-client-latest \
    docker-common \
    docker-latest \
    docker-latest-logrotate \
    docker-logrotate \
    docker-engine \
    podman \
    runc

2.2 Install DNF Plugin and Add Docker Repository

dnf -y install dnf-plugins-core
dnf config-manager --add-repo https://download.docker.com/linux/rhel/docker-ce.repo

2.3 Install containerd.io

Only install the containerd.io package — no need for docker-ce or other Docker components.

dnf install -y containerd.io

2.4 Enable and Start containerd

systemctl enable --now containerd

2.5 Verify containerd

systemctl status containerd
containerd --version

3. Configuring containerd for Kubernetes

3.1 Generate Default Configuration

mkdir -p /etc/containerd
containerd config default | tee /etc/containerd/config.toml

3.2 Enable SystemdCgroup

Kubernetes requires containerd to use systemd as the cgroup driver.

sed -i 's/SystemdCgroup = false/SystemdCgroup = true/' /etc/containerd/config.toml

Verify the change:

grep 'SystemdCgroup' /etc/containerd/config.toml
# Expected output: SystemdCgroup = true

3.3 Restart containerd

systemctl restart containerd
systemctl status containerd

4. Installing kubeadm, kubelet, kubectl

Reference: Installing kubeadm — kubernetes.io

4.1 Add the Kubernetes Repository

cat <<EOF | sudo tee /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://pkgs.k8s.io/core:/stable:/v1.36/rpm/
enabled=1
gpgcheck=1
gpgkey=https://pkgs.k8s.io/core:/stable:/v1.36/rpm/repodata/repomd.xml.key
exclude=kubelet kubeadm kubectl cri-tools kubernetes-cni
EOF

Note: Replace v1.36 with your desired Kubernetes version. Check the latest releases at kubernetes.io/releases.

4.2 Install kubelet, kubeadm, kubectl

dnf install -y kubelet kubeadm kubectl --disableexcludes=kubernetes

4.3 Enable kubelet

systemctl enable --now kubelet

Note: kubelet will enter a restart loop until kubeadm init completes — this is expected behavior.

4.4 Verify Versions

kubeadm version
kubectl version --client
kubelet --version

5. Initializing the Cluster with kubeadm

5.1 Initialize the Control Plane

kubeadm init \
  --pod-network-cidr=10.244.0.0/16 \
  --cri-socket unix:///run/containerd/containerd.sock

Important:

The --pod-network-cidr=10.244.0.0/16 flag is used here because some server networks (e.g., 192.168.x.x/24) may overlap with Calico's default CIDR (192.168.0.0/16). Using 10.244.0.0/16 avoids routing conflicts.

If your server has multiple network interfaces, add --apiserver-advertise-address=<your-server-ip> to specify which IP the API server should bind to.

Make sure to save the kubeadm join command from the output — you'll need it if you ever want to add worker nodes.

6. Configuring kubectl

6.1 Set Up kubeconfig for Root User

mkdir -p $HOME/.kube
cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
chown $(id -u):$(id -g) $HOME/.kube/config

6.2 Verify the Node (NotReady Is Expected)

kubectl get nodes

Expected output:

NAME              STATUS     ROLES           AGE   VERSION
<your-hostname>   NotReady   control-plane   Xs    v1.36.x

The NotReady status is expected because the CNI plugin (Calico) hasn't been installed yet.

7. Installing Tigera Calico

Reference: Calico on single-host Kubernetes — docs.tigera.io

7.1 Install the Tigera Operator

kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.32.0/manifests/tigera-operator.yaml

7.2 Create the Custom Resource for Calico

Since we're using CIDR 10.244.0.0/16 (instead of the default 192.168.0.0/16), download the manifest first, update the CIDR, then apply:

curl -O https://raw.githubusercontent.com/projectcalico/calico/v3.32.0/manifests/custom-resources.yaml

# Replace Calico's default CIDR with ours
sed -i 's|192.168.0.0/16|10.244.0.0/16|g' custom-resources.yaml

# Verify the change
grep 'cidr' custom-resources.yaml

# Apply the configuration
kubectl create -f custom-resources.yaml

7.3 Wait for Calico to Deploy

watch kubectl get pods -n calico-system

Wait until all pods show Running status:

NAME                                       READY   STATUS    RESTARTS   AGE
calico-kube-controllers-xxx                1/1     Running   0          Xm
calico-node-xxx                            1/1     Running   0          Xm
calico-typha-xxx                           1/1     Running   0          Xm
csi-node-driver-xxx                        2/2     Running   0          Xm

Press Ctrl+C to exit watch.

7.4 Untaint the Control Plane Node

By default, Kubernetes prevents workloads from being scheduled on control plane nodes. For a single-node setup, we need to remove this taint:

kubectl taint nodes --all node-role.kubernetes.io/control-plane-

8. Verifying the Cluster

8.1 Check Node Status

kubectl get nodes -o wide

The node status should now show Ready:

NAME              STATUS   ROLES           AGE   VERSION   INTERNAL-IP     OS-IMAGE                      CONTAINER-RUNTIME
<your-hostname>   Ready    control-plane   Xm    v1.36.x   <your-ip>      AlmaLinux 9.8 (Olive Jaguar)  containerd://2.x.x

8.2 Check All System Pods

kubectl get pods -A

All pods across kube-system, calico-system, and tigera-operator namespaces should show Running status.

8.3 Test with a Simple Deployment

kubectl run nginx --image=nginx --port=80
kubectl get pods

Expected output:

NAME    READY   STATUS    RESTARTS   AGE
nginx   1/1     Running   0          15s

Verify the pod details:

kubectl describe pod nginx

The pod should be scheduled on your node with a Calico-assigned IP from the 10.244.x.x range.

8.4 Check Cluster Information

kubectl cluster-info
kubectl version

Troubleshooting

Node remains NotReady after installing Calico

Inspect the node events and Calico logs:

kubectl describe node <your-hostname>
kubectl logs -n calico-system -l k8s-app=calico-node

Pod stuck in ContainerCreating

Check the pod events and kubelet logs:

kubectl describe pod <pod-name>
journalctl -u kubelet -f

Reset the cluster (start over)

If you need to completely reset and start fresh:

kubeadm reset -f
rm -rf /etc/cni/net.d
rm -rf $HOME/.kube
iptables -F && iptables -t nat -F && iptables -t mangle -F && iptables -X
ipvsadm --clear 2>/dev/null || true

References

This guide is based on a real-world deployment. Adjust hostnames, IPs, and version numbers to match your own environment.

Deploying OpenStack with Ceph Tentacle: A 3-Node Converged Setup Guide

Thu, 18 Jun 2026 00:00:00 GMT

In this guide, I'll walk you through deploying a fully functional OpenStack cloud platform integrated with Ceph Tentacle as the distributed storage backend — all on a 3-node converged cluster running Ubuntu Noble 24.04.

This setup uses Kolla-Ansible for deploying OpenStack services as Docker containers, and cephadm for bootstrapping the Ceph cluster. By the end of this guide, you'll have a working private cloud with:

☁️ OpenStack — Keystone, Glance, Nova, Neutron, Cinder, Horizon
💾 Ceph — Distributed storage for images, volumes, VMs, and backups
🌐 Networking — Provider + tenant networks with floating IPs
🖥️ VM Instances — Running CirrOS test instances with SSH access

Topology & Specifications
Node Preparation
Deploy Ceph Tentacle with cephadm
Ceph Pool & Keyring Setup for OpenStack
Install Kolla-Ansible
Kolla-Ansible Configuration
External Ceph Integration with Kolla-Ansible
Deploy OpenStack
OpenStack Network Setup
Create VM Instance
Verify VM Connectivity

1. Topology & Specifications

Network Topology

                    ┌──────────────────┐
                    │   Proxmox Host   │
                    │  vmbr0 (eno1)    │
                    │ 192.168.205.253  │
                    └────────┬─────────┘
           ┌─────────────────┼─────────────────┐
           │                 │                 │
    ens18 (Mgmt)       ens18 (Mgmt)       ens18 (Mgmt)
  192.168.205.101    192.168.205.102    192.168.205.103
    ens19 (Provider)   ens19 (Provider)   ens19 (Provider)
    (no IP)            (no IP)            (no IP)
           │                 │                 │
  ┌─────────────────┐ ┌──────────────┐ ┌──────────────┐
  │  ops-ceph-ctrl  │ │ops-ceph-comp1│ │ops-ceph-comp2│
  │  (controller)   │ │  (compute)   │ │  (compute)   │
  │                 │ │              │ │              │
  │ /dev/sda (OS)   │ │ /dev/sda(OS) │ │ /dev/sda(OS) │
  │ /dev/sdb OSD.0  │ │ /dev/sdb OSD │ │ /dev/sdb OSD │
  │ /dev/sdc OSD.1  │ │ /dev/sdc OSD │ │ /dev/sdc OSD │
  │ /dev/sdd OSD.2  │ │ /dev/sdd OSD │ │ /dev/sdd OSD │
  └─────────────────┘ └──────────────┘ └──────────────┘

Node Specifications

Parameter	ops-ceph-ctrl	ops-ceph-comp1	ops-ceph-comp2
CPU	8 vCPU	6 vCPU	6 vCPU
RAM	16 GB	12 GB	12 GB
Disk OS	50 GB `/dev/sda`	50 GB `/dev/sda`	50 GB `/dev/sda`
Disk OSD	3x 25 GB (`/dev/sdb`,`sdc`,`sdd`)	3x 25 GB	3x 25 GB
NIC 1	`ens18` → 192.168.205.101/24	`ens18` → 192.168.205.102/24	`ens18` → 192.168.205.103/24
NIC 2	`ens19` → no IP	`ens19` → no IP	`ens19` → no IP
OS	Ubuntu Noble 24.04	Ubuntu Noble 24.04	Ubuntu Noble 24.04
Ceph Role	MON, MGR, OSD	OSD	OSD
OpenStack Role	Controller, Network	Compute	Compute

2. Node Preparation

Run the following steps on all nodes unless stated otherwise.

2.1 Set Hostname

# On ops-ceph-ctrl
hostnamectl set-hostname ops-ceph-ctrl

# On ops-ceph-comp1
hostnamectl set-hostname ops-ceph-comp1

# On ops-ceph-comp2
hostnamectl set-hostname ops-ceph-comp2

2.2 Configure /etc/hosts

sudo nano /etc/hosts

Add on all nodes:

192.168.205.101  ops-ceph-ctrl
192.168.205.102  ops-ceph-comp1
192.168.205.103  ops-ceph-comp2

2.3 Configure Netplan

sudo nano /etc/netplan/50-cloud-init.yaml

Example for ops-ceph-ctrl:

network:
  version: 2
  renderer: networkd
  ethernets:
    ens18:
      addresses:
        - 192.168.205.101/24
      routes:
        - to: default
          via: 192.168.205.1
      nameservers:
        addresses: [8.8.8.8, 1.1.1.1]
    ens19:
      dhcp4: false

Adjust IP for comp1 (192.168.205.102) and comp2 (192.168.205.103). ens19 only needs dhcp4: false without an IP — Neutron will use it as the provider interface.

sudo netplan apply

2.4 Install Dependencies

sudo apt update
sudo apt install -y git curl wget python3-dev python3-venv \
  libffi-dev gcc libssl-dev libdbus-glib-1-dev chrony sshpass nano

2.5 Configure Passwordless SSH (from ops-ceph-ctrl)

# Generate SSH key (ed25519)
ssh-keygen -t ed25519 -C "ops-ceph-ctrl"

# Distribute public key to all nodes including self
ssh-copy-id opsce@ops-ceph-ctrl
ssh-copy-id opsce@ops-ceph-comp1
ssh-copy-id opsce@ops-ceph-comp2

2.6 Set NOPASSWD sudo (all nodes)

echo "opsce ALL=(ALL) NOPASSWD: ALL" | sudo tee /etc/sudoers.d/opsce

2.7 Disable Swap & Time Sync

sudo swapoff -a
sudo sed -i '/swap/d' /etc/fstab

sudo timedatectl set-timezone Asia/Jakarta
sudo systemctl enable --now chrony
chronyc tracking

2.8 Sysctl Configuration

sudo nano /etc/sysctl.conf

Add:

net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1

sudo sysctl -p

2.9 Install Docker

curl -sL https://get.docker.com | bash
sudo systemctl enable --now docker

3. Deploy Ceph Tentacle with cephadm

All steps are executed from ops-ceph-ctrl unless stated otherwise.

3.1 Install cephadm

curl --silent --remote-name --location \
  https://download.ceph.com/rpm-tentacle/el9/noarch/cephadm

chmod +x cephadm
sudo install -m 0755 cephadm /usr/local/sbin/cephadm

sudo cephadm add-repo --release tentacle
sudo apt update
sudo apt install -y cephadm

3.2 Bootstrap Ceph Cluster

sudo cephadm bootstrap \
  --mon-ip <your-controller-ip> \
  --cluster-network <your-subnet>/24 \
  --initial-dashboard-user <dashboard-user> \
  --initial-dashboard-password <dashboard-password> \
  --allow-overwrite

Verify:

sudo cephadm shell -- ceph -s

3.3 Install ceph-common

# On ctrl
sudo cephadm install ceph-common

# On comp1 and comp2
ssh -t ops-ceph-comp1 "sudo cephadm add-repo --release tentacle && sudo apt update && sudo apt install -y ceph-common"
ssh -t ops-ceph-comp2 "sudo cephadm add-repo --release tentacle && sudo apt update && sudo apt install -y ceph-common"

3.4 Copy cephadm SSH Key to All Nodes

sudo cephadm shell -- ceph cephadm get-pub-key | \
  sudo tee /etc/ceph/ceph.pub

# Must run as root
sudo su
ssh-copy-id -f -i /etc/ceph/ceph.pub root@ops-ceph-comp1
ssh-copy-id -f -i /etc/ceph/ceph.pub root@ops-ceph-comp2
exit

3.5 Add Nodes to Cluster

sudo cephadm shell -- ceph orch host add ops-ceph-comp1 192.168.205.102
sudo cephadm shell -- ceph orch host add ops-ceph-comp2 192.168.205.103

# Verify
sudo cephadm shell -- ceph orch host ls

3.6 Deploy OSD

# ops-ceph-ctrl
sudo cephadm shell -- ceph orch daemon add osd ops-ceph-ctrl:/dev/sdb
sudo cephadm shell -- ceph orch daemon add osd ops-ceph-ctrl:/dev/sdc
sudo cephadm shell -- ceph orch daemon add osd ops-ceph-ctrl:/dev/sdd

# ops-ceph-comp1
sudo cephadm shell -- ceph orch daemon add osd ops-ceph-comp1:/dev/sdb
sudo cephadm shell -- ceph orch daemon add osd ops-ceph-comp1:/dev/sdc
sudo cephadm shell -- ceph orch daemon add osd ops-ceph-comp1:/dev/sdd

# ops-ceph-comp2
sudo cephadm shell -- ceph orch daemon add osd ops-ceph-comp2:/dev/sdb
sudo cephadm shell -- ceph orch daemon add osd ops-ceph-comp2:/dev/sdc
sudo cephadm shell -- ceph orch daemon add osd ops-ceph-comp2:/dev/sdd

Tip: Use hostname:/dev/sdX format — not user@hostname:/dev/sdX. The latter causes a "host not found" error. Also, warnings like Not using image... not in the list of non-dangling images are cosmetic and safe to ignore.

3.7 Verify Cluster

sudo cephadm shell -- ceph -s
sudo cephadm shell -- ceph osd tree
sudo cephadm shell -- ceph df

Make sure all 9 OSDs (3 nodes × 3 disks) are up and in.

Here's what the Ceph Block Images dashboard looks like after a successful deployment:

And the Grafana monitoring dashboard showing cluster health, OSD performance, and resource utilization:

4. Ceph Pool & Keyring Setup for OpenStack

4.1 Create Pools

sudo cephadm shell -- bash -c "
  ceph osd pool create volumes
  ceph osd pool create images
  ceph osd pool create backups
  ceph osd pool create vms

  rbd pool init volumes
  rbd pool init images
  rbd pool init backups
  rbd pool init vms
"

4.2 Create Keyrings

sudo cephadm shell -- bash -c "
  ceph auth get-or-create client.glance \
    mon 'allow r' \
    osd 'allow class-read object_prefix rbd_children, allow rwx pool=images' \
    -o /etc/ceph/ceph.client.glance.keyring

  ceph auth get-or-create client.cinder \
    mon 'allow r' \
    osd 'allow class-read object_prefix rbd_children, allow rwx pool=volumes, allow rwx pool=images' \
    -o /etc/ceph/ceph.client.cinder.keyring

  ceph auth get-or-create client.nova \
    mon 'allow r' \
    osd 'allow class-read object_prefix rbd_children, allow rwx pool=vms, allow rx pool=images' \
    -o /etc/ceph/ceph.client.nova.keyring

  ceph auth get-or-create client.cinder-backup \
    mon 'allow r' \
    osd 'allow class-read object_prefix rbd_children, allow rwx pool=backups' \
    -o /etc/ceph/ceph.client.cinder-backup.keyring
"

4.3 Export Keyrings to Host

sudo cephadm shell -- ceph auth get client.glance | sudo tee /etc/ceph/ceph.client.glance.keyring
sudo cephadm shell -- ceph auth get client.cinder | sudo tee /etc/ceph/ceph.client.cinder.keyring
sudo cephadm shell -- ceph auth get client.nova | sudo tee /etc/ceph/ceph.client.nova.keyring
sudo cephadm shell -- ceph auth get client.cinder-backup | sudo tee /etc/ceph/ceph.client.cinder-backup.keyring

sudo chmod 640 /etc/ceph/ceph.client.*.keyring

4.4 Generate ceph.conf

sudo cephadm shell -- ceph config generate-minimal-conf | sudo tee /etc/ceph/ceph.conf

# Remove leading tabs to prevent kolla-ansible issues
sudo sed -i 's/^\t//' /etc/ceph/ceph.conf

cat /etc/ceph/ceph.conf

5. Install Kolla-Ansible

Run from ops-ceph-ctrl as user opsce.

5.1 Create Virtual Environment

python3 -m venv ~/kolla-venv
source ~/kolla-venv/bin/activate

# Auto-activate on login
echo 'source ~/kolla-venv/bin/activate' >> ~/.bashrc

5.2 Install Kolla-Ansible

pip install -U pip
pip install 'ansible-core>=2.16,<2.17'
pip install docker dbus-python

# Install kolla-ansible from master
pip install git+https://opendev.org/openstack/kolla-ansible@master

5.3 Setup Kolla Directories

sudo mkdir -p /etc/kolla
sudo chown $USER:$USER /etc/kolla

cp -r ~/kolla-venv/share/kolla-ansible/etc_examples/kolla/* /etc/kolla/
cp ~/kolla-venv/share/kolla-ansible/ansible/inventory/multinode ~/multinode

5.4 Install Ansible Galaxy Dependencies

kolla-ansible install-deps

6. Kolla-Ansible Configuration

6.1 Ansible Config

sudo mkdir -p /etc/ansible
sudo tee /etc/ansible/ansible.cfg <<EOF
[defaults]
host_key_checking = False
pipelining = True
forks = 100
interpreter_python = /usr/bin/python3
EOF

6.2 Multinode Inventory

nano ~/multinode

Update the top section:

[control]
ops-ceph-ctrl

[network]
ops-ceph-ctrl

[compute]
ops-ceph-comp1
ops-ceph-comp2

[monitoring]
ops-ceph-ctrl

[storage]
ops-ceph-ctrl
ops-ceph-comp1
ops-ceph-comp2

[deployment]
localhost       ansible_connection=local

Leave all [xxx:children] groups as default from the template.

Verify:

ansible -i ~/multinode all -m ping

6.3 Generate Passwords

kolla-genpwd

# Set admin password (replace with your own secure password)
sed -i 's/^keystone_admin_password:.*/keystone_admin_password: <your-password>/' /etc/kolla/passwords.yml

6.4 Configure globals.yml

nano /etc/kolla/globals.yml

# =====================
# BASE IMAGE
# =====================
kolla_base_distro: "ubuntu"

# =====================
# NETWORKING
# =====================
network_interface: "ens18"
neutron_external_interface: "ens19"
kolla_internal_vip_address: "192.168.205.100"

# =====================
# ENABLE SERVICES
# =====================
enable_openstack_core: "yes"
enable_cinder: "yes"
enable_cinder_backup: "yes"

# =====================
# CEPH INTEGRATION
# =====================
glance_backend_ceph: "yes"
cinder_backend_ceph: "yes"
nova_backend_ceph: "yes"

ceph_glance_user: "glance"
ceph_glance_pool_name: "images"
ceph_cinder_user: "cinder"
ceph_cinder_pool_name: "volumes"
ceph_cinder_backup_user: "cinder-backup"
ceph_cinder_backup_pool_name: "backups"
ceph_nova_user: "nova"
ceph_nova_pool_name: "vms"

kolla_internal_vip_address must be an unused IP in the ens18 subnet. This IP will automatically appear on the ens18 interface of ops-ceph-ctrl after deployment as the HAProxy VIP.

7. External Ceph Integration with Kolla-Ansible

7.1 Create Directories

mkdir -p /etc/kolla/config/glance
mkdir -p /etc/kolla/config/nova
mkdir -p /etc/kolla/config/cinder/cinder-volume
mkdir -p /etc/kolla/config/cinder/cinder-backup

7.2 Copy ceph.conf

cp /etc/ceph/ceph.conf /etc/kolla/config/glance/ceph.conf
cp /etc/ceph/ceph.conf /etc/kolla/config/nova/ceph.conf
cp /etc/ceph/ceph.conf /etc/kolla/config/cinder/ceph.conf

7.3 Copy Keyrings

# Glance
cp /etc/ceph/ceph.client.glance.keyring \
   /etc/kolla/config/glance/ceph.client.glance.keyring

# Nova (needs both nova AND cinder keyrings)
sudo cp /etc/ceph/ceph.client.nova.keyring \
   /etc/kolla/config/nova/ceph.client.nova.keyring
sudo cp /etc/ceph/ceph.client.cinder.keyring \
   /etc/kolla/config/nova/ceph.client.cinder.keyring

# Cinder Volume
sudo cp /etc/ceph/ceph.client.cinder.keyring \
   /etc/kolla/config/cinder/cinder-volume/ceph.client.cinder.keyring

# Cinder Backup
sudo cp /etc/ceph/ceph.client.cinder.keyring \
   /etc/kolla/config/cinder/cinder-backup/ceph.client.cinder.keyring
sudo cp /etc/ceph/ceph.client.cinder-backup.keyring \
   /etc/kolla/config/cinder/cinder-backup/ceph.client.cinder-backup.keyring

7.4 Fix Ownership & Permissions

sudo chown -R opsce:opsce /etc/kolla/config
sudo chmod 640 /etc/kolla/config/cinder/cinder-backup/*.keyring
sudo chmod 640 /etc/kolla/config/cinder/cinder-volume/*.keyring
sudo chmod 640 /etc/kolla/config/nova/*.keyring
sudo chmod 640 /etc/kolla/config/glance/*.keyring

7.5 Verify File Structure

find /etc/kolla/config -type f -printf "%u %p\n" | sort

Expected output (all owned by opsce):

opsce /etc/kolla/config/cinder/ceph.conf
opsce /etc/kolla/config/cinder/cinder-backup/ceph.client.cinder-backup.keyring
opsce /etc/kolla/config/cinder/cinder-backup/ceph.client.cinder.keyring
opsce /etc/kolla/config/cinder/cinder-volume/ceph.client.cinder.keyring
opsce /etc/kolla/config/glance/ceph.conf
opsce /etc/kolla/config/glance/ceph.client.glance.keyring
opsce /etc/kolla/config/nova/ceph.conf
opsce /etc/kolla/config/nova/ceph.client.cinder.keyring
opsce /etc/kolla/config/nova/ceph.client.nova.keyring

8. Deploy OpenStack

8.1 Bootstrap Servers

kolla-ansible bootstrap-servers -i ~/multinode

Heads up: It's common for Ceph MON/MGR services to go inactive dead after this step, since kolla-ansible reconfigures Docker daemon settings. If this happens, a simple sudo reboot on affected nodes is the cleanest fix. After reboot, verify Ceph health with sudo ceph -s before proceeding.

8.2 Pre-checks

kolla-ansible prechecks -i ~/multinode

8.3 Deploy

kolla-ansible deploy -i ~/multinode

Expect this to take 20-60 minutes depending on your hardware and network speed. Occasional single-task failures on compute nodes are typically timing-related and generally resolve themselves — verify with openstack compute service list after deployment.

8.4 Post-Deploy

kolla-ansible post-deploy -i ~/multinode

8.5 Install OpenStack Client & Load Credentials

pip install python-openstackclient \
  -c https://releases.openstack.org/constraints/upper/2025.2

source /etc/kolla/admin-openrc.sh

8.6 Verify Services

openstack service list
openstack compute service list
openstack network agent list
openstack volume service list

All services should be up. Note that cinder-volume backend shows rbd-1, confirming successful Ceph integration.

Here's the actual output from a working deployment — all services, network agents, compute services, and volume services are confirmed up:

9. OpenStack Network Setup

9.1 Create Provider Network (External)

openstack network create \
  --share \
  --external \
  --provider-physical-network physnet1 \
  --provider-network-type flat \
  public-net

openstack subnet create \
  --network public-net \
  --subnet-range 17.19.21.0/24 \
  --gateway 17.19.21.254 \
  --allocation-pool start=17.19.21.100,end=17.19.21.200 \
  --dns-nameserver 8.8.8.8 \
  public-subnet

9.2 Create Private/Tenant Network

openstack network create private-net

openstack subnet create \
  --network private-net \
  --subnet-range 10.0.0.0/24 \
  --gateway 10.0.0.1 \
  --dns-nameserver 8.8.8.8 \
  private-subnet

9.3 Create Router

openstack router create main-router
openstack router set main-router --external-gateway public-net
openstack router add subnet main-router private-subnet

# Verify
openstack router show main-router
openstack port list --router main-router

Once the router is created, you can visualize the network topology in Horizon:

9.4 Create Security Group

openstack security group create security-group-net \
  --description 'Allow SSH and ICMP'

openstack security group rule create \
  --protocol icmp security-group-net

openstack security group rule create \
  --protocol tcp --ingress --dst-port 22 security-group-net

openstack security group rule list security-group-net

9.5 Create Floating IP

openstack floating ip create public-net
openstack floating ip list

Note: Floating IPs are only externally reachable if the provider network interface is bridged to your physical network. In isolated lab environments, you can still access VMs via their private IPs using the Neutron router namespace (see Section 11).

10. Create VM Instance

10.1 Upload Image

wget http://download.cirros-cloud.net/0.6.2/cirros-0.6.2-x86_64-disk.img

openstack image create \
  --disk-format qcow2 \
  --container-format bare \
  --public \
  --file ./cirros-0.6.2-x86_64-disk.img \
  cirros-0.6.2

openstack image list

10.2 Create Keypair

openstack keypair create \
  --public-key ~/.ssh/id_ed25519.pub \
  controller-key

openstack keypair list

10.3 Create Flavor

openstack flavor create \
  --ram 512 \
  --disk 8 \
  --vcpus 1 \
  --public \
  c1-small

openstack flavor list

10.4 Create Instance

# First instance
openstack server create \
  --flavor c1-small \
  --image cirros-0.6.2 \
  --key-name controller-key \
  --security-group security-group-net \
  --network private-net \
  cirros-instance-test

# Second instance (for inter-VM connectivity test)
openstack server create \
  --flavor c1-small \
  --image cirros-0.6.2 \
  --key-name controller-key \
  --security-group security-group-net \
  --network private-net \
  cirros-instance-test-2

# Check status
openstack server list

Wait until status is ACTIVE.

10.5 Assign Floating IP

# List available floating IPs
openstack floating ip list

# Assign to each instance
openstack server add floating ip cirros-instance-test <floating-ip-1>
openstack server add floating ip cirros-instance-test-2 <floating-ip-2>

# Verify — instances should have 2 IPs (private + floating)
openstack server list

Here's what it looks like in Horizon — both instances are Active and Running with their private and floating IPs assigned:

And the detailed server list from the CLI, confirming Ceph-backed storage and network connectivity:

11. Verify VM Connectivity

11.1 Check Router Namespace

# List all namespaces
sudo ip netns list
# Output: qrouter-xxx (id: N), qdhcp-xxx (id: N)

11.2 Ping VM from Namespace

# Replace <router-id> with the ID from ip netns list output
sudo ip netns exec qrouter-<router-id> ping -c 4 10.0.0.71
sudo ip netns exec qrouter-<router-id> ping -c 4 10.0.0.104

11.3 SSH to VM from Namespace

# SSH using key (recommended)
sudo ip netns exec qrouter-<router-id> ssh -i ~/.ssh/id_ed25519 cirros@10.0.0.71

# Or SSH with password (cirros password: gocubsgo)
sudo ip netns exec qrouter-<router-id> ssh cirros@10.0.0.71

11.4 Test Inter-VM Connectivity

From inside cirros-instance-test, ping the other VM:

# Enter the first VM
sudo ip netns exec qrouter-<router-id> ssh cirros@10.0.0.71

# From inside the VM, ping the second VM
ping 10.0.0.104

Note: You cannot ping VMs directly from the controller host — there's no route to the tenant or provider networks from the host's default namespace. Always use sudo ip netns exec qrouter-<id> to access VM networks from the controller.

11.5 Verify OVS Bridge

sudo docker exec openvswitch_vswitchd ovs-vsctl show

Verify:

br-ex has port ens19
br-int has qr-xxx (router port) and tap-xxx (VM port)
All bridge controllers show is_connected: true

Troubleshooting

MON/MGR dies after bootstrap-servers

kolla-ansible reconfigures Docker settings which can prevent Ceph containers from restarting. A sudo reboot is the cleanest fix. Alternatively, manually start the services:

sudo systemctl start ceph-<fsid>@mon.<hostname>.service
sudo systemctl start ceph-<fsid>@mgr.<hostname>.<id>.service

Error "host not found" when adding OSD

Use hostname:/dev/sdX format — not user@hostname:/dev/sdX:

# CORRECT
sudo cephadm shell -- ceph orch daemon add osd <hostname>:/dev/sdb
# WRONG
sudo cephadm shell -- ceph orch daemon add osd user@<hostname>:/dev/sdb

Warning "Not using image... non-dangling images"

Cosmetic warning, not an error. Safe to ignore.

kolla-ansible: command not found

Ensure the Python virtual environment is activated:

source ~/kolla-venv/bin/activate
which kolla-ansible

Missing sudo password during bootstrap-servers

Ensure passwordless sudo is configured for your deploy user:

echo "<user> ALL=(ALL) NOPASSWD: ALL" | sudo tee /etc/sudoers.d/<user>

ceph.conf with leading tabs

Kolla-ansible may fail to parse ceph.conf if it contains tabs. Strip them:

sudo sed -i 's/^\t//' /etc/kolla/config/*/ceph.conf

Cannot ping VM directly from controller

This is expected — the host has no route to tenant/provider networks. Use the Neutron router namespace:

sudo ip netns list
sudo ip netns exec qrouter-<id> ping -c 4 <vm-ip>

References

This guide is based on a real-world deployment. Adjust IPs, hostnames, credentials, and disk paths to match your own environment.

I'm Gatan

Setting Up ArgoCD with NGINX Ingress on a Bare-Metal Kubernetes Cluster

Table of Contents

1. Installing ArgoCD

1.1 Download the Installation Manifest

1.2 Configure a Custom Root Path (Optional)

1.3 Create the Namespace and Deploy

2. Setting Up NGINX Ingress Controller

2.1 Check If an Ingress Controller Exists

2.2 Install NGINX Ingress Controller

2.3 Enable Host Networking

2.4 Verify the Installation

3. Creating an Ingress for ArgoCD

4. Installing the ArgoCD CLI

5. Initial Login and Password Setup

5.1 Retrieve the Default Admin Password

5.2 Log In via CLI

5.3 Change the Admin Password

6. Accessing the ArgoCD Web UI

7. Tuning the Refresh Interval

8. Deploying an Application via CLI

8.1 Create the Application

8.2 Check the Application Status

8.3 Sync (Deploy) the Application

8.4 Verify the Resources

9. Deploying an Application via Web UI

9.1 Open the Dashboard

9.2 Fill in the General Settings

9.3 Configure the Source and Destination

9.4 Sync the Application

10. ArgoCD CLI Tips

10.1 Set Default Namespace

10.2 Enable Bash Completion

References

Kubernetes Single-Node Setup on AlmaLinux 9.8 with Kubeadm, Containerd & Calico

Server Specifications

Table of Contents

1. System Preparation

1.1 Set Hostname

1.2 Disable Swap

1.3 Disable SELinux

1.4 Disable Firewall (or Configure Required Ports)

1.5 Load Required Kernel Modules

1.6 Configure Sysctl Parameters

1.7 Verify Kernel Modules Are Loaded

2. Installing containerd

2.1 Remove Potentially Conflicting Packages

2.2 Install DNF Plugin and Add Docker Repository

2.3 Install containerd.io

2.4 Enable and Start containerd

2.5 Verify containerd

3. Configuring containerd for Kubernetes

3.1 Generate Default Configuration

3.2 Enable SystemdCgroup

3.3 Restart containerd

4. Installing kubeadm, kubelet, kubectl

4.1 Add the Kubernetes Repository

4.2 Install kubelet, kubeadm, kubectl

4.3 Enable kubelet

4.4 Verify Versions

5. Initializing the Cluster with kubeadm

5.1 Initialize the Control Plane

6. Configuring kubectl

6.1 Set Up kubeconfig for Root User

6.2 Verify the Node (NotReady Is Expected)

7. Installing Tigera Calico

7.1 Install the Tigera Operator

7.2 Create the Custom Resource for Calico

7.3 Wait for Calico to Deploy

7.4 Untaint the Control Plane Node

8. Verifying the Cluster

8.1 Check Node Status

8.2 Check All System Pods

8.3 Test with a Simple Deployment

8.4 Check Cluster Information

Troubleshooting

Node remains NotReady after installing Calico

Pod stuck in ContainerCreating

Reset the cluster (start over)

References