Skip to main content
In this guide, you’ll learn how to:
  1. Clone and migrate a Kubernetes manifest repository.
  2. Create and encrypt MongoDB credentials with Bitnami Sealed Secrets.
  3. Deploy a Solar System application using Argo CD in a secure GitOps workflow.

1. Clone the Manifest Repository

Start by cloning the repository that holds your Kubernetes manifests: 
git clone https://github.com/username/manifest-repo.git
cd manifest-repo
ls kubernetes
# deployment.yaml  service.yaml
Open kubernetes/deployment.yaml to confirm its contents: 
apiVersion: apps/v1
kind: Deployment
metadata:
  name: solar-system
  namespace: solar-system
  labels:
    app: solar-system
spec:
  replicas: 2
  selector:
    matchLabels:
      app: solar-system
  template:
    metadata:
      labels:
        app: solar-system
    spec:
      containers:
        - name: solar-system
          image: siddharth67/solar-system:3e906e3be059342b1916f020c034434fb267dca
          imagePullPolicy: Always
          ports:
            - containerPort: 3000
              name: http
This deployment expects a secret named mongo-db-creds, which you’ll create in the next sections.

2. Migrate to Your Git Host

If you need to host your manifests elsewhere (for example, Gitea or another GitHub organization), use your Git provider’s import or migration tools:
The image shows a web interface for migrating a Git repository, with fields for the repository URL, access token, and options for migration settings.
After migration, ensure that both kubernetes/deployment.yaml and kubernetes/service.yaml are present in your new repository.

3. Create the MongoDB Secret

Verify your Kubernetes cluster context and namespaces: 
kubectl get namespaces
# NAME              STATUS   AGE
# argocd            Active   2d20h
# default           Active   3d1h
# kube-system       Active   3d1h
kubectl get nodes -o wide
# NAME           STATUS   AGE   VERSION
# node-1         Ready    3d1h  v1.29.9
# node-2         Ready    3d1h  v1.29.9
Generate a Kubernetes Secret manifest for your MongoDB credentials without applying it: 
kubectl -n solar-system create secret generic mongo-db-creds \
  --from-literal=MONGO_URI='mongodb+srv://supercluster.d83jji.mongodb.net/superData' \
  --from-literal=MONGO_USERNAME='superuser' \
  --from-literal=MONGO_PASSWORD='SuperPassword' \
  --save-config --dry-run=client -o yaml > mongo-creds_k8s-secret.yaml
Inspect the output: 
apiVersion: v1
kind: Secret
metadata:
  name: mongo-db-creds
  namespace: solar-system
data:
  MONGO_URI: bW9uZ2RiOi8v...
  MONGO_USERNAME: c3VwZXJ1c2Vy
  MONGO_PASSWORD: U3VwZXJQYXdzd29yZA==
Do not commit raw secrets to Git. Use an encryption mechanism like Bitnami Sealed Secrets to secure your credentials.

4. Seal the Secret with Bitnami Sealed Secrets

4.1 Retrieve the Controller’s Public Certificate

Check that the Sealed Secrets controller is running: 
kubectl -n kube-system get pods | grep sealed-secrets
# sealed-secrets-controller-xxxxx   1/1     Running   20h
Find its TLS secret: 
kubectl -n kube-system get secrets | grep sealed
# sealed-secrets-key8dv5k   kubernetes.io/tls   2      20h
Extract the certificate: 
kubectl -n kube-system get secret sealed-secrets-key8dv5k \
  -o jsonpath='{.data.tls\.crt}' | base64 -d > sealed-secret-public-cert.crt

4.2 Install and Verify kubeseal

Ensure you have the kubeseal CLI: 
kubeseal --version
# kubeseal version: v0.27.1

4.3 Create the SealedSecret

Encrypt your Secret manifest: 
kubeseal --cert sealed-secret-public-cert.crt \
  --scope cluster-wide \
  -o yaml < mongo-creds_k8s-secret.yaml > mongo-creds_sealed-secret.yaml
The resulting file looks like this: 
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: mongo-db-creds
  namespace: solar-system
  annotations:
    sealedsecrets.bitnami.com/cluster-wide: "true"
spec:
  encryptedData:
    MONGO_URI: Ag0/...
    MONGO_USERNAME: A1gZx...
    MONGO_PASSWORD: Ag0/wX...
Commit only the sealed secret and other manifest files to Git.

5. Configure Argo CD

Verify Argo CD is running in the argocd namespace: 
kubectl -n argocd get all
# NAME                          TYPE        CLUSTER-IP       PORT(S)
# service/argocd-server         NodePort    10.245.106.185   80:31663/TCP,443:32346/TCP
# deployment.apps/argocd-server 1/1         1                2d20h
# statefulset/apps/argocd-application-controller 1/1   2d20h
The server’s NodePort is 31663, accessible via CLI or browser.
The image shows the Argo CD interface displaying an application named "bitnami-sealed-secrets" with its status as "Healthy" but "OutOfSync." The interface includes options to sync, refresh, or delete the application.

5.1 Create the Solar System Application

  1. In the Argo CD UI, click + New App.
  2. Enter the following:
    • Application Name: solar-system-argo-app
    • Project: default
    • Sync Policy: Manual
    • Destination Namespace: solar-system (enable auto-create)
    • Repository URL: <your-manifest-repo-url>
    • Revision: main
    • Path: kubernetes
  3. Click Create.
The image shows a Gitea repository interface for "solar-system-gitops-argocd," displaying recent commits and a README file outlining its use for Kubernetes manifest files in a project demo via Jenkins.
The image shows a user interface of Argo CD, displaying application settings with options for source repository configuration and sync status.
After creating the app, Argo CD will mark it OutOfSync:
The image shows the Argo CD interface displaying two applications, "bitnami-sealed-secrets" and "solar-system-argo-app," both marked as "OutOfSync" with different health statuses.
Inspect details to troubleshoot missing resources:
The image shows an Argo CD interface displaying the status of an application called "solar-system-argo-app," which is currently "OutOfSync" and "Missing." The interface includes a visual representation of the application's components and their statuses.
Whenever you update deployment.yaml (for example, bumping the Docker image tag) and push your commit, return to Argo CD and click Sync to deploy the changes.
The image shows a Git repository interface with a list of YAML files related to Kubernetes, including "deployment.yml," "secret.yml," and "service.yml." The files have recent commit messages and timestamps.

Conclusion

You’ve now:
  • Cloned and migrated a Kubernetes manifest repository.
  • Created and encrypted a MongoDB Secret using Bitnami Sealed Secrets.
  • Configured an Argo CD application to deploy the Solar System app.
This GitOps approach ensures all manifests and secrets remain in Git as the single source of truth, with strong encryption and declarative deployments.

Watch Video