This repository contains applications deployed on the public-services-cluster via Flux using GitOps.

The Kubernetes cluster needs to be bootstrapped with Flux pointing to this repository. For sops and Flux to decrypt the initial secrets for configuring the External Secrets Operator using Doppler, a Google Cloud Service Account with access to the correct KMS key needs to be set in the flux namespace.
Attention: some applications will be automatically deployed, others not (yet).
The repository follows the app-of-apps pattern. The first Flux Kustomization being defined needs to reference `app-of-apps/`. This bootstraps the main Flux applications, which refer to the respective `<PROJECT>/applications/` kustomizations:

- `infrastructure`: core cluster infrastructure
- `core`: core applications
- `applications`: (user) applications running on the cluster/network
Each of these applications follows the app-of-apps pattern again using sub-kustomizations defined in the respective application directories.
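As an added example (not a manifest from this repository), this is the shape of such a bootstrap Kustomization: it points Flux at `app-of-apps/` and tells the kustomize-controller to decrypt sops-encrypted manifests with the KMS service-account secret. The `flux-system` namespace, the `flux-system` GitRepository, and the `sops-gcp-kms` secret name are assumptions; only the `app-of-apps/` path and the KMS requirement come from the text above.

```yaml
# Assumed names: the flux-system namespace, the GitRepository "flux-system"
# created by "flux bootstrap", and a secret "sops-gcp-kms" holding the
# Google Cloud service-account key under the "sops.gcp-kms" data key.
#
# Create the secret once, out of band, before applying this manifest:
#   kubectl -n flux-system create secret generic sops-gcp-kms \
#     --from-file=sops.gcp-kms=/path/to/service-account.json
#
# Least privilege: the service account only needs
# roles/cloudkms.cryptoKeyDecrypter on the single key used to encrypt
# the repository's secrets, not project-wide KMS access.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: app-of-apps
  namespace: flux-system
spec:
  interval: 10m
  path: ./app-of-apps
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  # Decrypt sops-encrypted Secrets (e.g. the Doppler service tokens the
  # External Secrets stores need) with the KMS credentials above.
  decryption:
    provider: sops
    secretRef:
      name: sops-gcp-kms
```

If decryption fails, the Kustomization's `Ready` condition reports the sops error; a missing or mis-keyed secret shows up there before any downstream application is reconciled.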
The following applications are defined in `infrastructure/`.

- Cilium - Provides the cluster CNI.
- External Secrets Operator - Synchronizes secrets from external stores to Kubernetes `Secret` objects.
- External Secrets Stores - Deploys the required `ClusterSecretStore`s and Doppler Service Tokens as Kubernetes `Secret`s.
- MetalLB - Provides a Kubernetes network load balancer to expose Kubernetes `Service`s.
- Traefik - Exposes Kubernetes `Ingress` resources to the "outside world".
The following applications are defined in `core/`.

- cert-manager - Certificate management using ACME Let's Encrypt.
- External DNS with Google Cloud DNS integration - Creates DNS records in Google Cloud DNS domains for publicly reachable services.
- Velero - Performs cluster backups.
  - Includes deployment of backup schedules.
The following applications are defined in `applications/`.

- SimpleLogin - Open Source e-mail relay.
The current backup and restore strategy consists of:

- Velero as a second-layer disaster recovery for critical workloads

Timewise, the layers of backups follow this schedule:

- 12:00am: in-application backups
- 02:00am: Velero backups
- GitHub Actions lint all YAML files.
- Renovate Bot updates Helm releases, the container images used in the `values.yaml` files, and GitHub Actions.