k8s-gitops
My Kubernetes cluster built with K3s and managed by Flux v2
:loudspeaker: About
This repository contains my entire Kubernetes cluster setup built on K3s and managed by Flux v2.
Secrets are encrypted and managed with SOPS.
For the initial deployment, see these manuals:
- Install pre-commit Hooks
- Setting up GnuPG keys
- Initial flux deployment
GitOps
Flux watches my cluster folder (see Repository Structure below) and makes the changes to my cluster based on the YAML manifests.
Renovate is a very useful tool that, once configured, creates PRs in your GitHub repository whenever Docker images, Helm charts or anything else it can track have a newer version. The configuration for Renovate is located here.
There are also a couple of GitHub workflows included in this repository that help automate some processes. See here for more information.
:open_file_folder: Repository Structure
This Git repository contains the following directories, ordered below by how Flux applies them:
- core directory is where Flux deployments are located
- crds directory (depends on core) contains CustomResourceDefinitions that need to exist before anything else
- infra directory (depends on crds) contains infrastructure applications such as ingress-nginx, MetalLB and so on
- base directory (depends on infra) contains applications that are useful for cluster operations such as kube-prometheus-stack, K8up and so on
- apps directory (depends on base) is where common applications are located
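The ordering above is what Flux's `dependsOn` field expresses: a Kustomization is not reconciled until the ones it depends on have reconciled. The manifests below are an added example, not this repository's own Flux configuration; they assume a GitRepository named flux-system, a cluster folder layout of ./cluster/<layer>, and a Secret named sops-gpg holding the GnuPG key that Flux uses for SOPS decryption (the SOPS setup is mentioned above, the names are assumptions).

```yaml
# Added example (not the repository's own manifests).
# Assumed: GitRepository "flux-system", paths ./cluster/<layer>, Secret "sops-gpg".
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: crds
  namespace: flux-system
spec:
  interval: 10m
  path: ./cluster/crds          # assumed path
  prune: true
  wait: true                    # only report Ready once the CRDs are established
  sourceRef:
    kind: GitRepository
    name: flux-system
  dependsOn:
    - name: core                # crds waits for the Flux deployments in core
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: infra
  namespace: flux-system
spec:
  interval: 10m
  path: ./cluster/infra         # assumed path
  prune: true
  wait: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  dependsOn:
    - name: crds                # infra waits for crds, which waits for core
  decryption:
    provider: sops              # SOPS-encrypted Secrets in this path are decrypted
    secretRef:
      name: sops-gpg            # assumed Secret name holding the GnuPG private key
```

With `wait: true` on each layer, a dependant is held back until every resource of the layer it depends on is healthy, so a CRD that fails to install blocks infra instead of letting a CustomResource in infra fail with an unknown-kind error. The decryption block is per-Kustomization, so only paths that actually contain SOPS-encrypted Secrets need it.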
These directories are not tracked by Flux but are useful nonetheless:
- .github directory contains GitHub related files
- .taskfiles directory contains go-task related files
- hack directory contains useful scripts
🌐 DNS
Ingress Controller
Over WAN, I have port forwarded ports 80 and 443 to the load balancer IP of my ingress controller that's running in my Kubernetes cluster.
Cloudflare works as a proxy to hide my home's WAN IP and also as a firewall. Cilium blocks all IPs not originating from Cloudflare's list of IP ranges, except the local network range ${LAN_NETWORK_RANGE}.
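The Cilium rule described above can be expressed as a CiliumNetworkPolicy that selects only the ingress controller pods and allows ingress from the Cloudflare ranges and the LAN. The policy below is an added example, not the repository's own; it assumes ingress-nginx runs in the ingress-nginx namespace with the label app.kubernetes.io/name=ingress-nginx, and that ${LAN_NETWORK_RANGE} is substituted by Flux as on this page. The two Cloudflare CIDRs are shown only as examples of the format; the full, current list has to be taken from https://www.cloudflare.com/ips-v4 (and ips-v6 if IPv6 is forwarded).

```yaml
# Added example (not the repository's own policy).
# Assumed: namespace "ingress-nginx", pod label app.kubernetes.io/name=ingress-nginx.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: ingress-nginx-allow-cloudflare-and-lan
  namespace: ingress-nginx
spec:
  endpointSelector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
  ingress:
    # Proxied traffic from Cloudflare's edge. Two ranges shown as placeholders;
    # replace with the complete list from https://www.cloudflare.com/ips-v4.
    - fromCIDRSet:
        - cidr: 173.245.48.0/20
        - cidr: 103.21.244.0/22
      toPorts:
        - ports:
            - port: "80"
              protocol: TCP
            - port: "443"
              protocol: TCP
    # The local network may reach the controller directly, bypassing Cloudflare.
    - fromCIDR:
        - ${LAN_NETWORK_RANGE}
    # Keep in-cluster traffic (health probes, metrics scrapes) working.
    - fromEntities:
        - cluster
```

Once any policy selects the ingress pods, Cilium denies every ingress source that is not listed, so the LAN and in-cluster rules are what keep local access and monitoring working. The filter only has something to match on if the client IP survives to the pod: the ingress controller's LoadBalancer Service needs `externalTrafficPolicy: Local`, otherwise forwarded traffic arrives source-NATed to a node address and the Cloudflare allow-list sees the node instead of the real origin.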
Internal DNS
For internal DNS I use the built-in dnsmasq of pihole deployed on a raspberry pi.
For adblocking, I have pihole deployed on a raspberry pi.
External DNS
cloudflare-operator is deployed in my cluster and ingresses with the annotation cloudflare-operator.io/type=CNAME and cloudflare-operator.io/content=${BASE_DOMAIN} will be synced with Cloudflare.
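An Ingress carrying those two annotations looks like the manifest below, which is an added example and not a manifest from this repository. It assumes an ingress class named nginx, a Grafana Service from kube-prometheus-stack in the monitoring namespace, and a TLS Secret named grafana-tls; ${BASE_DOMAIN} is substituted by Flux as elsewhere on this page.

```yaml
# Added example (not the repository's own manifest).
# Assumed: ingress class "nginx", namespace "monitoring", Service
# "kube-prometheus-stack-grafana", TLS Secret "grafana-tls".
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: grafana
  namespace: monitoring
  annotations:
    # cloudflare-operator creates grafana.${BASE_DOMAIN} as a CNAME
    # pointing at ${BASE_DOMAIN}, whose A record is the dynamic WAN IP.
    cloudflare-operator.io/type: CNAME
    cloudflare-operator.io/content: ${BASE_DOMAIN}
spec:
  ingressClassName: nginx
  rules:
    - host: grafana.${BASE_DOMAIN}
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: kube-prometheus-stack-grafana
                port:
                  number: 80
  tls:
    - hosts:
        - grafana.${BASE_DOMAIN}
      secretName: grafana-tls
```

The operator reads the host from the Ingress rules and the record type and target from the annotations, so every host that should be reachable from the internet gets one CNAME to the apex, and only the apex record has to follow the changing WAN address.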
Dynamic DNS
cloudflare-operator also syncs my external IPv4 address with Cloudflare.
:hugs: Thanks
Huge thanks to the community at k8s@home for the awesome templates and the Kubernetes at home logo!