
My Kubernetes cluster built with K3s and managed by Flux v2

k8s-gitops


:loudspeaker:  About

This repository contains my entire Kubernetes cluster setup built on K3s and managed by Flux v2.
Secrets are encrypted and managed with SOPS.

For the initial deployment, see these manuals:

  • Install pre-commit Hooks
  • Setting up GnuPG keys
  • Initial flux deployment

GitOps

Flux watches my cluster folder (see Repository Structure below) and applies any change to the YAML manifests to the cluster; the Git repository, not the cluster, is the source of truth.

Renovate is a very useful tool that, once configured, creates PRs in your GitHub repository whenever a Docker image, Helm chart or anything else it can track has a newer version, so that every upgrade is reviewed and merged rather than pulled in silently. The configuration for Renovate is located here.

There are also a couple of GitHub workflows included in this repository that help automate some processes. See here for more information.

:open_file_folder:  Repository Structure

This Git repository contains the following directories, listed in the order in which Flux applies them:

  • core directory is where Flux deployments are located
  • crds directory (depends on core) contains CustomResourceDefinitions that need to exist before anything else
  • infra directory (depends on crds) contains infrastructure applications such as ingress-nginx, MetalLB and so on
  • base directory (depends on infra) contains applications that are useful for cluster operations such as kube-prometheus-stack, K8up and so on
  • apps directory (depends on base) is where common applications are located
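The ordering above is enforced with Flux `Kustomization` resources that declare `dependsOn` on the stage before them, so `crds` is never reconciled before `core` is ready, and so on down to `apps`. The following is an added example of what two links of that chain can look like; it is not copied from this repository. The `GitRepository` name `flux-system`, the paths under `cluster/`, the SOPS key secret `sops-gpg` and the `cluster-settings` ConfigMap are assumed names chosen for illustration. The `decryption` stanza is what lets Flux apply SOPS-encrypted secrets, and `postBuild.substituteFrom` is what turns placeholders such as `${LAN_NETWORK_RANGE}` and `${BASE_DOMAIN}` into real values at apply time.

```yaml
# Added example: Flux v2 Kustomization chain (not this repository's own manifests).
# Names, paths and secret/configmap references are assumptions for illustration.
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: crds
  namespace: flux-system
spec:
  interval: 10m
  path: ./cluster/crds          # assumed path
  prune: false                  # never garbage-collect CRDs: deleting one deletes all its objects
  sourceRef:
    kind: GitRepository
    name: flux-system           # assumed GitRepository name
  dependsOn:
    - name: core                # "crds depends on core"
  wait: true                    # only mark Ready once the CRDs are established
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: infra
  namespace: flux-system
spec:
  interval: 10m
  path: ./cluster/infra         # assumed path
  prune: true                   # objects removed from Git are removed from the cluster
  sourceRef:
    kind: GitRepository
    name: flux-system
  dependsOn:
    - name: crds                # "infra depends on crds"
  # SOPS-encrypted Secrets in this path are decrypted with the GnuPG private key
  # stored in the sops-gpg Secret (assumed name; created during initial deployment).
  decryption:
    provider: sops
    secretRef:
      name: sops-gpg
  # ${LAN_NETWORK_RANGE}, ${BASE_DOMAIN} etc. are replaced from this ConfigMap
  # (assumed name) so that environment-specific values stay out of the manifests.
  postBuild:
    substituteFrom:
      - kind: ConfigMap
        name: cluster-settings
```

Two points worth checking in a setup like this: `prune` must stay `false` on the CRD stage, because pruning a CRD cascades to every custom resource of that kind; and the GnuPG private key referenced by `decryption.secretRef` is the one thing in the cluster that is not itself in Git, so it has to be created out of band (the "Setting up GnuPG keys" and "Initial flux deployment" manuals) and backed up separately.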

These directories are not tracked by Flux but are useful nonetheless:

  • .github directory contains GitHub related files
  • .taskfiles directory contains go-task related files
  • hack directory contains useful scripts

🌐 DNS

Ingress Controller

Over WAN, I have port-forwarded ports 80 and 443 to the load balancer IP of the ingress controller running in my Kubernetes cluster.

Cloudflare works as a reverse proxy that hides my home's WAN IP and also acts as a firewall. To stop clients from bypassing Cloudflare by connecting to the WAN IP directly, Cilium blocks all source IPs that are not in Cloudflare's published list of IP ranges, except for the local network range ${LAN_NETWORK_RANGE}.
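The allow-list described above can be expressed as a `CiliumNetworkPolicy` on the ingress controller pods. The following is an added example, not a policy taken from this repository: the pod label `app.kubernetes.io/name: ingress-nginx`, the namespace `networking` and the LAN CIDR `192.168.1.0/24` are assumptions, and the two Cloudflare ranges shown are only the first entries of the list published at https://www.cloudflare.com/ips-v4, which changes over time and must be refreshed (in a GitOps setup, ideally by a scheduled job or Renovate-style PR rather than by hand).

```yaml
# Added example: CiliumNetworkPolicy restricting the ingress controller to
# Cloudflare and the LAN. Not this repository's own manifest; labels, namespace
# and CIDRs are assumptions for illustration.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: ingress-nginx-cloudflare-only
  namespace: networking              # assumed namespace of the ingress controller
spec:
  endpointSelector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx   # assumed pod label
  ingress:
    # 1. Traffic arriving through Cloudflare's edge.
    - fromCIDRSet:
        - cidr: 173.245.48.0/20      # first entries of cloudflare.com/ips-v4 (refresh regularly)
        - cidr: 103.21.244.0/22
        # ... remaining Cloudflare IPv4 (and, if used, IPv6) ranges go here
      toPorts:
        - ports:
            - port: "80"
              protocol: TCP
            - port: "443"
              protocol: TCP
    # 2. Clients on the home LAN, which reach the LB IP via internal DNS.
    - fromCIDR:
        - 192.168.1.0/24             # ${LAN_NETWORK_RANGE}; assumed value
      toPorts:
        - ports:
            - port: "80"
              protocol: TCP
            - port: "443"
              protocol: TCP
    # 3. In-cluster callers (e.g. metrics scrapers, other pods using the ingress).
    #    Once any ingress rule selects a pod, everything not listed is denied,
    #    so this must be explicit.
    - fromEntities:
        - cluster
```

A caveat that decides whether this policy is worth anything: Cilium can only match on the client's source IP if that IP survives the path from the router through the LoadBalancer service to the pod. If the service SNATs incoming traffic (for example `externalTrafficPolicy: Cluster` without DSR), the policy sees a node address rather than the Cloudflare edge address and will either block everything or allow everything. Verify with `cilium monitor` or `hubble observe` on the ingress pods that the observed source IPs are Cloudflare ranges before relying on the rule, and keep the port forward limited to 80 and 443 so that nothing else is reachable from the WAN at all.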

Internal DNS

For internal DNS I use the built-in dnsmasq of Pi-hole, deployed on a Raspberry Pi, so that LAN clients resolve my services to the ingress controller's local load balancer IP instead of going out through Cloudflare.

For ad blocking, I use the same Pi-hole instance on the Raspberry Pi.

External DNS

cloudflare-operator is deployed in my cluster; ingresses annotated with cloudflare-operator.io/type=CNAME and cloudflare-operator.io/content=${BASE_DOMAIN} get a matching CNAME record created and kept in sync in Cloudflare.

Dynamic DNS

cloudflare-operator also keeps the A record for ${BASE_DOMAIN} in sync with my current external IPv4 address, so the CNAMEs above keep working when my ISP changes it.


:hugs:  Thanks

Huge thanks to the community at k8s@home for the awesome templates and the Kubernetes at home logo!