Highly opinionated template for deploying a single k3s cluster with Ansible and Terraform backed by Flux and SOPS.
The purpose here is to showcase how you can deploy an entire Kubernetes cluster and show it off to the world using the GitOps tool Flux. When completed, your Git repository will be driving the state of your Kubernetes cluster. In addition with the help of the Ansible, Terraform and Flux SOPS integrations you'll be able to commit Age encrypted secrets to your public repo.
- Introduction
- Prerequisites
- Repository structure
- Lets go!
- Post installation
- Troubleshooting
- What's next
- Thanks
The following components will be installed in your k3s cluster by default. Most are only included to get a minimum viable cluster up and running.
- flux - GitOps operator for managing Kubernetes clusters from a Git repository
- kube-vip - Load balancer for the Kubernetes control plane nodes
- metallb - Load balancer for Kubernetes services
- cert-manager - Operator to request SSL certificates and store them as Kubernetes resources
- calico - Container networking interface for inter pod and service networking
- external-dns - Operator to publish DNS records to Cloudflare (and other providers) based on Kubernetes ingresses
- k8s_gateway - DNS resolver that provides local DNS to your Kubernetes ingresses
- ingress-nginx - Kubernetes ingress controller used for a HTTP reverse proxy of Kubernetes ingresses
- local-path-provisioner - provision persistent local storage with Kubernetes
Additional applications include hajimari, error-pages, echo-server, system-upgrade-controller, reloader, and kured
For provisioning the following tools will be used:
- Fedora 36 Server - Universal operating system that supports running all kinds of home related workloads in Kubernetes and has a faster release cycle
- Ansible - Provision Fedora Server and install k3s
- Terraform - Provision an already existing Cloudflare domain and certain DNS records to be used with your k3s cluster
Note: This template has not been tested on cloud providers like AWS EC2, Hetzner, Scaleway etc... Those cloud offerings probably have a better way of provsioning a Kubernetes cluster and it's advisable to use those instead of the Ansible playbooks included here. This repository can still be tweaked for the GitOps/Flux portion if there's a cluster working in one those environments.
- One or more nodes with a fresh install of Fedora Server 36.
- These nodes can be ARM64/AMD64 bare metal or VMs.
- An odd number of control plane nodes, greater than or equal to 3 is required if deploying more than one control plane node.
- A Cloudflare account with a domain, this will be managed by Terraform and external-dns. You can register new domains directly thru Cloudflare.
- Some experience in debugging problems and a positive attitude ;)
π It is recommended to have 3 master nodes for a highly available control plane.
-
Install the most recent versions of the following CLI tools on your workstation, if you are using Homebrew on MacOS or Linux skip to steps 3 and 4.
-
This guide heavily relies on go-task as a framework for setting things up. It is advised to learn and understand the commands it is running under the hood.
-
Install go-task via Brew
brew install go-task/tap/go-task
-
Install workstation dependencies via Brew
task init
It is advisable to install pre-commit and the pre-commit hooks that come with this repository. sops-pre-commit will check to make sure you are not committing non-encrypted Kubernetes secrets to your repository.
-
Enable Pre-Commit
task precommit:init
-
Update Pre-Commit, though it will occasionally make mistakes, so verify its results.
task precommit:update
The Git repository contains the following directories under cluster
and are ordered below by how Flux will apply them.
π cluster # k8s cluster defined as code
ββπ flux # flux, gitops operator, loaded before everything
ββπ crds # custom resources, loaded before π core and π apps
ββπ charts # helm repos, loaded before π core and π apps
ββπ config # cluster config, loaded before π core and π apps
ββπ core # crucial apps, namespaced dir tree, loaded before π apps
ββπ apps # regular apps, namespaced dir tree, loaded last
Very first step will be to create a new repository by clicking the Use this template button on this page.
Clone the repo to you local workstation and cd
into it.
π All of the below commands are run on your local workstation, not on any of your cluster nodes.
π Here we will create a Age Private and Public key. Using SOPS with Age allows us to encrypt secrets and use them in Ansible, Terraform and Flux.
-
Create a Age Private / Public Key
age-keygen -o age.agekey
-
Set up the directory for the Age key and move the Age file to it
mkdir -p ~/.config/sops/age mv age.agekey ~/.config/sops/age/keys.txt
-
Export the
SOPS_AGE_KEY_FILE
variable in yourbashrc
,zshrc
orconfig.fish
and source it, e.g.export SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt source ~/.bashrc
-
Fill out the Age public key in the
.config.env
underBOOTSTRAP_AGE_PUBLIC_KEY
, note the public key should start withage
...
In order to use Terraform and cert-manager
with the Cloudflare DNS challenge you will need to create a API key.
-
Head over to Cloudflare and create a API key by going here.
-
Under the
API Keys
section, create a global API Key. -
Use the API Key in the configuration section below.
π You may wish to update this later on to a Cloudflare API Token which can be scoped to certain resources. I do not recommend using a Cloudflare API Key, however for the purposes of this template it is easier getting started without having to define which scopes and resources are needed. For more information see the Cloudflare docs on API Keys and Tokens.
π The .config.env
file contains necessary configuration that is needed by Ansible, Terraform and Flux.
-
Copy the
.config.sample.env
to.config.env
and start filling out all the environment variables.All are required unless otherwise noted in the comments.
cp .config.sample.env .config.env
-
Once that is done, verify the configuration is correct by running:
task verify
-
If you do not encounter any errors run start having the script wire up the templated files and place them where they need to be.
task configure
π Here we will be running a Ansible Playbook to prepare Fedora Server for running a Kubernetes cluster.
π Nodes are not security hardened by default, you can do this with dev-sec/ansible-collection-hardening or similar if it supports Fedora Server.
-
Ensure you are able to SSH into your nodes from your workstation using a private SSH key without a passphrase. This is how Ansible is able to connect to your remote nodes.
-
Install the Ansible deps
task ansible:init
-
Verify Ansible can view your config
task ansible:list
-
Verify Ansible can ping your nodes
task ansible:ping
-
Run the Fedora Server Ansible prepare playbook
task ansible:prepare
-
Reboot the nodes
task ansible:reboot
π Here we will be running a Ansible Playbook to install k3s with this wonderful k3s Ansible galaxy role. After completion, Ansible will drop a kubeconfig
in ./provision/kubeconfig
for use with interacting with your cluster with kubectl
.
β’οΈ If you run into problems, you can run task ansible:nuke
to destroy the k3s cluster and start over.
-
Verify Ansible can view your config
task ansible:list
-
Verify Ansible can ping your nodes
task ansible:ping
-
Install k3s with Ansible
task ansible:install
-
Verify the nodes are online
task cluster:nodes # NAME STATUS ROLES AGE VERSION # k8s-0 Ready control-plane,master 4d20h v1.21.5+k3s1 # k8s-1 Ready worker 4d20h v1.21.5+k3s1
π Review the Terraform scripts under ./provision/terraform/cloudflare/
and make sure you understand what it's doing (no really review it).
If your domain already has existing DNS records be sure to export those DNS settings before you continue.
-
Pull in the Terraform deps
task terraform:init
-
Review the changes Terraform will make to your Cloudflare domain
task terraform:plan
-
Have Terraform apply your Cloudflare settings
task terraform:apply
If Terraform was ran successfully you can log into Cloudflare and validate the DNS records are present.
The cluster application external-dns will be managing the rest of the DNS records you will need.
π Here we will be installing flux after some quick bootstrap steps.
-
Verify Flux can be installed
task cluster:verify # βΊ checking prerequisites # β kubectl 1.21.5 >=1.18.0-0 # β Kubernetes 1.21.5+k3s1 >=1.16.0-0 # β prerequisites checks passed
-
Push you changes to git
π Verify all the
*.sops.yaml
and*.sops.yml
files under the./cluster
and./provision
folders are encrypted with SOPSgit add -A git commit -m "Initial commit :rocket:" git push
-
Install Flux and sync the cluster to the Git repository
task cluster:install # namespace/flux-system configured # customresourcedefinition.apiextensions.k8s.io/alerts.notification.toolkit.fluxcd.io created
-
Verify Flux components are running in the cluster
task cluster:pods -- -n flux-system # NAME READY STATUS RESTARTS AGE # helm-controller-5bbd94c75-89sb4 1/1 Running 0 1h # kustomize-controller-7b67b6b77d-nqc67 1/1 Running 0 1h # notification-controller-7c46575844-k4bvr 1/1 Running 0 1h # source-controller-7d6875bcb4-zqw9f 1/1 Running 0 1h
Mic check, 1, 2 - In a few moments applications should be lighting up like a Christmas tree π
You are able to run all the commands below with one task
task cluster:resources
-
View the Flux Git Repositories
task cluster:gitrepositories
-
View the Flux kustomizations
task cluster:kustomizations
-
View all the Flux Helm Releases
task cluster:helmreleases
-
View all the Flux Helm Repositories
task cluster:helmrepositories
-
View all the Pods
task cluster:pods
-
View all the certificates and certificate requests
task cluster:certificates
-
View all the ingresses
task cluster:ingresses
π Congratulations if all goes smooth you'll have a Kubernetes cluster managed by Flux, your Git repository is driving the state of your cluster.
β’οΈ If you run into problems, you can run task ansible:nuke
to destroy the k3s cluster and start over.
π§ Now it's time to pause and go get some coffee β because next is describing how DNS is handled.
π The external-dns application created in the networking
namespace will handle creating public DNS records. By default, echo-server
is the only public domain exposed on your Cloudflare domain. In order to make additional applications public you must set an ingress annotation like in the HelmRelease
for echo-server
. You do not need to use Terraform to create additional DNS records unless you need a record outside the purposes of your Kubernetes cluster (e.g. setting up MX records).
k8s_gateway is deployed on the IP choosen for ${BOOTSTRAP_METALLB_K8S_GATEWAY_ADDR}
. Inorder to test DNS you can point your clients DNS to the ${BOOTSTRAP_METALLB_K8S_GATEWAY_ADDR}
IP address and load https://hajimari.${BOOTSTRAP_CLOUDFLARE_DOMAIN}
in your browser.
You can also try debugging with the command dig
, e.g. dig @${BOOTSTRAP_METALLB_K8S_GATEWAY_ADDR} hajimari.${BOOTSTRAP_CLOUDFLARE_DOMAIN}
and you should get a valid answer containing your ${BOOTSTRAP_METALLB_INGRESS_ADDR}
IP address.
If your router (or Pi-Hole, Adguard Home or whatever) supports conditional DNS forwarding (also know as split-horizon DNS) you may have DNS requests for ${SECRET_DOMAIN}
only point to the ${BOOTSTRAP_METALLB_K8S_GATEWAY_ADDR}
IP address. This will ensure only DNS requests for ${SECRET_DOMAIN}
will only get routed to your k8s_gateway service thus providing DNS resolution to your cluster applications/ingresses.
To access services from the outside world port forwarded 80
and 443
in your router to the ${BOOTSTRAP_METALLB_INGRESS_ADDR}
IP, in a few moments head over to your browser and you should be able to access https://echo-server.${BOOTSTRAP_CLOUDFLARE_DOMAIN}
from a device outside your LAN.
Now if nothing is working, that is expected. This is DNS after all!
By default in this template Kubernetes ingresses are set to use the Let's Encrypt Staging Environment. This will hopefully reduce issues from ACME on requesting certificates until you are ready to use this in "Production".
Once you have confirmed there are no issues requesting your certificates replace letsencrypt-staging
with letsencrypt-production
in your ingress annotations for cert-manager.io/cluster-issuer
Renovatebot will scan your repository and offer PRs when it finds dependencies out of date. Common dependencies it will discover and update are Flux, Ansible Galaxy Roles, Terraform Providers, Kubernetes Helm Charts, Kubernetes Container Images, Pre-commit hooks updates, and more!
The base Renovate configuration provided in your repository can be view at .github/renovate.json5. If you notice this only runs on weekends and you can change the schedule to anything you want or simply remove it.
To enable Renovate on your repository, click the 'Configure' button over at their Github app page and choose your repository. Over time Renovate will create PRs for out-of-date dependencies it finds. Any merged PRs that are in the cluster directory Flux will deploy.
Flux is pull-based by design meaning it will periodically check your git repository for changes, using a webhook you can enable Flux to update your cluster on git push
. In order to configure Github to send push
events from your repository to the Flux webhook receiver you will need two things:
-
Webhook URL - Your webhook receiver will be deployed on
https://flux-receiver.${BOOTSTRAP_CLOUDFLARE_DOMAIN}/hook/:hookId
. In order to find out your hook id you can run the following command:kubectl -n flux-system get receiver/github-receiver --kubeconfig=./provision/kubeconfig # NAME AGE READY STATUS # github-receiver 6h8m True Receiver initialized with URL: /hook/12ebd1e363c641dc3c2e430ecf3cee2b3c7a5ac9e1234506f6f5f3ce1230e123
So if my domain was
onedr0p.com
the full url would look like this:https://flux-receiver.onedr0p.com/hook/12ebd1e363c641dc3c2e430ecf3cee2b3c7a5ac9e1234506f6f5f3ce1230e123
-
Webhook secret - Your webhook secret can be found by decrypting the
secret.sops.yaml
using the following command:sops -d ./cluster/apps/flux-system/webhooks/github/secret.sops.yaml | yq .stringData.token
Note: Don't forget to update the
BOOTSTRAP_FLUX_GITHUB_WEBHOOK_SECRET
variable in your.config.env
file so it matches the generated secret if applicable
Now that you have the webhook url and secret, it's time to set everything up on the Github repository side. Navigate to the settings of your repository on Github, under "Settings/Webhooks" press the "Add webhook" button. Fill in the webhook url and your secret.
Rancher's local-path-provisioner
is a great start for storage but soon you might find you need more features like replicated block storage, or to connect to a NFS/SMB/iSCSI server. Check out the projects below to read up more on some storage solutions that might work for you.
- rook-ceph
- longhorn
- openebs
- nfs-subdir-external-provisioner
- democratic-csi
- csi-driver-nfs
- synology-csi
Authenticating Flux to your git repository has a couple benefits like using a private git repository and/or using the Flux Image Automation Controllers.
By default this template only works on a public GitHub repository, it is advised to keep your repository public.
The benefits of a public repository include:
- Debugging or asking for help, you can provide a link to a resource you are having issues with.
- Adding a topic to your repository of
k8s-at-home
to be included in the k8s-at-home-search. This search helps people discover different configurations of Helm charts across others Flux based repositories.
Expand to read guide on adding Flux SSH authentication
- Generate new SSH key:
ssh-keygen -t ecdsa -b 521 -C "github-deploy-key" -f ./cluster/github-deploy-key -q -P ""
- Paste public key in the deploy keys section of your repository settings
- Create sops secret in
cluster/flux/flux-system/github-deploy-key.sops.yaml
with the contents of:# yamllint disable apiVersion: v1 kind: Secret metadata: name: github-deploy-key namespace: flux-system stringData: # 3a. Contents of github-deploy-key identity: | -----BEGIN OPENSSH PRIVATE KEY----- ... -----END OPENSSH PRIVATE KEY----- # 3b. Output of curl --silent https://api.github.com/meta | jq --raw-output '"github.com "+.ssh_keys[]' known_hosts: | github.com ssh-ed25519 ... github.com ecdsa-sha2-nistp256 ... github.com ssh-rsa ...
- Encrypt secret:
sops --encrypt --in-place ./cluster/flux/flux-system/github-deploy-key.sops.yaml
- Apply secret to cluster:
sops --decrypt cluster/flux/flux-system/github-deploy-key.sops.yaml | kubectl apply -f -
- Update
cluster/flux/flux-system/flux-cluster.yaml
:--- apiVersion: source.toolkit.fluxcd.io/v1beta2 kind: GitRepository metadata: name: flux-cluster namespace: flux-system spec: interval: 10m # 6a: Change this to your user and repo names url: ssh://git@github.com/$user/$repo ref: branch: main secretRef: name: github-deploy-key
- Commit and push changes
- Force flux to reconcile your changes
task cluster:reconcile
- Verify git repository is now using SSH:
task cluster:gitrepositories
- Optionally set your repository to Private in your repository settings.
Our wiki (WIP, contributions welcome) is a good place to start troubleshooting issues. If that doesn't cover your issue, come join and say Hi in our community Discord.
The world is your cluster, have at it!
Big shout out to all the authors and contributors to the projects that we are using in this repository.
Community member @Whazor created this website as a creative way to search Helm Releases across GitHub. You may use it as a means to get ideas on how to configure an applications' Helm values.