This is a repository for my home infrastructure and Kubernetes cluster. I try to adhere to Infrastructure as Code (IaC) and GitOps practices using tools like Terraform, Kubernetes, Flux, Renovate and GitHub Actions.
There is a template over at onedr0p/flux-cluster-template if you wanted to try and follow along with some of the practices I use here.
This semi hyper-converged cluster runs Talos Linux, an immutable and ephemeral Linux distribution built for Kubernetes, deployed on bare-metal Apple Mac Mini's. Rook then provides my workloads with persistent block, object, and file storage; while a seperate server provides file storage for my media.
🔸 Click here to see my Talos configuration.
- actions-runner-controller: Self-hosted Github runners.
- cilium: Internal Kubernetes networking plugin.
- cert-manager: Creates SSL certificates for services in my Kubernetes cluster.
- external-dns: Automatically manages DNS records from my cluster in a cloud DNS provider.
- external-secrets: Managed Kubernetes secrets using 1Password Connect.
- ingress-nginx: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer.
- rook: Distributed block storage for peristent storage.
- sops: Managed secrets for Kubernetes and Terraform which are commited to Git.
- tf-controller: additional Flux component used to run Terraform from within a Kubernetes cluster.
- volsync and snapscheduler: Backup and recovery of persistent volume claims.
Flux watches my kubernetes folder (see Directories below) and makes the changes to my cluster based on the YAML manifests.
The way Flux works for me here is it will recursively search the kubernetes/apps folder until it finds the most top level kustomization.yaml per directory and then apply all the resources listed in it. That aforementioned kustomization.yaml will generally only have a namespace resource and one or many Flux kustomizations. Those Flux kustomizations will generally have a HelmRelease or other resources related to the application underneath it which will be applied.
Renovate watches my entire repository looking for dependency updates, when they are found a PR is automatically created. When some PRs are merged Flux applies the changes to my cluster.
This Git repository contains the following directories under kubernetes.
📁 kubernetes # Kubernetes cluster defined as code
├─📁 bootstrap # Flux installation
├─📁 flux # Main Flux configuration of repository
└─📁 apps # Apps deployed into my cluster grouped by namespace (see below)Below is a a high level look at the layout of how my directory structure with Flux works. In this brief example you are able to see that authelia will not be able to run until lldap and cloudnative-pg are running. It also shows that the Cluster custom resource depends on the cloudnative-pg Helm chart. This is needed because cloudnative-pg installs the Cluster custom resource definition in the Helm chart.
# Key: <kind> :: <metadata.name>
GitRepository :: k8s-gitops
Kustomization :: cluster
Kustomization :: cluster-apps
Kustomization :: cluster-apps-cloudnative-pg
HelmRelease :: cloudnative-pg
Kustomization :: cluster-apps-cloudnative-pg-cluster
DependsOn:
Kustomization :: cluster-apps-cloudnative-pg
Cluster :: postgres
Kustomization :: cluster-apps-lldap
HelmRelease :: lldap
DependsOn:
Kustomization :: cluster-apps-cloudnative-pg-cluster
Kustomization :: cluster-apps-authelia
DependsOn:
Kustomization :: cluster-apps-lldap
Kustomization :: cluster-apps-cloudnative-pg-cluster
HelmRelease :: authelia| Name | CIDR |
|---|---|
| Kubernetes nodes | 10.0.0.0/24 |
| Kubernetes pods | 10.244.0.0/16 |
| Kubernetes services | 10.245.0.0/16 |
| Kubernetes external services | 10.0.3.0/24 |
- cilium is configured with the
io.cilium/lb-ipam-ipsannotation to expose Kubernetes services with their own IP over L3 (BGP), which is configured on my router. L2 (ARP) can also be announced in addition to L3 via theio.cilium/lb-ipam-layer2label. - cloudflared provides a secure tunnel for Cloudflare to ingress into ingress-nginx, my ingress controller.
🔸 Click here to see my cloudflared configuration.
Click to see my high level network diagram
The UDM Pro resolves DNS queries via blocky, which provides first-hop DNS resolution for my network. Blocky forwards requests targeted towards my public domain via k8s-gateway. Last-hop DNS resolution resolves via 1.1.1.1, which is configured as my primary DNS upstream provider. If for any reason blocky becomes unavailable, the UDM Pro is configured to fallback to 1.1.1.1 until blocky becomes available again.
🔸 Click here to see my blocky configuration or here to see my k8s-gateway configuration.
external-dns is deployed in my cluster and configured to sync DNS records to Cloudflare using ingresses external-dns.alpha.kubernetes.io/target annotation.
Click to see my rack
| Device | Count | OS Disk Size | Data Disk Size | Ram | Operating System | Purpose |
|---|---|---|---|---|---|---|
| Ubiquiti UDM Pro | 1 | - | - | - | - | Router |
| Ubiquiti USW Enterprise XG 24 | 1 | - | - | - | - | 10GbE Switch |
| Apple Mac Mini (3.2GHz Intel i7) | 3 | 512GB NVMe | - | 32GB | Talos | Kubernetes Masters |
| Sonnet 10GbE Thunderbolt 3 Adapter | 3 | - | - | - | - | 10GbE / Masters |
| Apple Mac Mini (3.2GHz Intel i7 + 10GbE) | 3 | 1TB NVMe | - | 64GB | Talos | Kubernetes Workers |
| Sabrent NVMe M.2 Thunderbolt 3 Enclosure | 6 | - | 2TB NVMe ea. | - | - | Rook Ceph / Workers |
| Synology NAS RS1221+ | 1 | - | 8x22TB + 2x2TB NVMe | 32GB | - | NFS |
| CyberPower ATS PDU | 1 | - | - | - | - | PDU |
| CyberPower UPS | 1 | - | - | - | - | PSU |
Thanks to all the people who donate their time to the Kubernetes @Home Discord community. A lot of inspiration for my cluster comes from the people that have shared their clusters using the k8s-at-home GitHub topic. Be sure to check out the Kubernetes @Home search for ideas on how to deploy applications or get ideas on what you can deploy.
See my shitty commit history
See LICENSE