My home infrastructure using IAC and GitOps to manage a Kubernetes cluster.
MIT License
This is the repo for my home infrastructure including a small kubernetes cluster.
"Flux cluster with Cloudflare" - a Kubernetes cluster running on Talos using Cloudflare for DNS and SSL and Cloudflare Tunnel to provide external access to certain applications deployed in the cluster. Deploys an opinionated implementation of Flux using GitHub as the Git provider and sops to manage secrets.
Other features include:
Device | Count | OS Disk | Data Disk | RAM | OS | Purpose |
---|---|---|---|---|---|---|
Protectli VP2410 | 1 | 1TB SSD | - | 16GB | OPNSense | Router |
TP-Link SG2016P | 1 | - | - | - | - | 1Gb PoE Switch |
Intel NUC11PAHi7 | 3 | 500GB SSD | 1TB NVMe | 32GB | Talos | Kubernetes Controllers |
Custom Tower | 1 | - | 4x12TB HDD | 32GB | Debian | NFS |
ADJ PC-100A | - | - | - | - | - | PDU |
CyberPower OR500LCDRM1U | - | - | - | - | - | UPS |
Download the latest stable release of Talos from their GitHub releases. You will want to grab the metal-amd64-secureboot.iso
image linked here.
Take note of the OS drive serial numbers you will need them later on.
Go to your BOIS and enable secure boot setup mode
Flash the iso or raw file to a USB drive and boot to Talos on your nodes with it. Select the option to "Enroll Secure Boot keys".
Boot from your Talos USB once again.
Continue on to π Getting Started
Once you have installed Talos on your nodes, there are a few stages to getting a Flux-managed cluster up and running.
[!NOTE] For all stages below the commands MUST be ran on your personal workstation within your repository directory
First clone the repo to your local workstation and cd
into it.
You have two different options for setting up your local workstation.
devcontainer
which requires you to have Docker and VSCode installed. This method is the fastest to get going because all the required CLI tools are provided for you.Start Docker and open your repository in VSCode. There will be a pop-up asking you to use the devcontainer
, click the button to start using it.
Continue on to π§ Stage 3
Install the most recent version of task, see the installation docs for other supported platforms.
# Homebrew
brew install go-task
# or, Arch
pacman -S --noconfirm go-task && ln -sf /usr/bin/go-task /usr/local/bin/task
Install the most recent version of direnv, see the installation docs for other supported platforms.
# Homebrew
brew install direnv
# or, Arch
pacman -S --noconfirm direnv
π After direnv
is installed be sure to hook it into your preferred shell and then run task workstation:direnv
Install the additional required CLI tools
π Not using Homebrew or ArchLinux? Try using the generic Linux task below, if that fails check out the Brewfile/Archfile for what CLI tools needed and install them.
# Homebrew
task workstation:brew
# or, Arch with yay/paru
task workstation:arch
# or, Generic Linux (YMMV, this pulls binaires in to ./bin)
task workstation:generic-linux
Setup a Python virtual environment by running the following task command.
π This commands requires Python 3.11+ to be installed.
task workstation:venv
Continue on to β΅ Stage 2
Deploy your cluster and bootstrap it. This generates secrets, generates the config files for your nodes and applies them. It bootstraps the cluster afterwards, fetches the kubeconfig file and installs Cilium and kubelet-csr-approver. It finishes with some health checks.
task talos:bootstrap
The kubeconfig
for interacting with your cluster should have been created in the root of your repository.
Verify the nodes are online
π If this command fails you likely haven't configured direnv
as mentioned previously in the guide.
kubectl get nodes -o wide
# NAME STATUS ROLES AGE VERSION
# k8s-0 Ready control-plane,etcd,master 1h v1.29.1
# k8s-1 Ready worker 1h v1.29.1
Prepare the disks for rook
task bootstrap:rook nodes=nuc1,nuc2,nuc3 disk=/dev/nvme0n1
talosctl disks
Continue on to πΉ Stage 3
Verify Flux can be installed
flux check --pre
# βΊ checking prerequisites
# β kubectl 1.27.3 >=1.18.0-0
# β Kubernetes 1.27.3+k3s1 >=1.16.0-0
# β prerequisites checks passed
Install Flux and sync the cluster to the Git repository
task flux:github-deploy-key
task flux:bootstrap
# namespace/flux-system configured
# customresourcedefinition.apiextensions.k8s.io/alerts.notification.toolkit.fluxcd.io created
# ...
Verify Flux components are running in the cluster
kubectl -n flux-system get pods -o wide
# NAME READY STATUS RESTARTS AGE
# helm-controller-5bbd94c75-89sb4 1/1 Running 0 1h
# kustomize-controller-7b67b6b77d-nqc67 1/1 Running 0 1h
# notification-controller-7c46575844-k4bvr 1/1 Running 0 1h
# source-controller-7d6875bcb4-zqw9f 1/1 Running 0 1h
Mic check, 1, 2 - In a few moments applications should be lighting up like Christmas in July π
Output all the common resources in your cluster.
π Feel free to use the provided kubernetes tasks for validation of cluster resources or continue to get familiar with the kubectl
and flux
CLI tools.
task kubernetes:resources
β οΈ It might take cert-manager
awhile to generate certificates, this is normal so be patient.
π Congratulations if all goes smooth you will have a Kubernetes cluster managed by Flux and your Git repository is driving the state of your cluster.
The external-dns
application created in the networking
namespace will handle creating public DNS records. By default, echo-server
and the flux-webhook
are the only subdomains reachable from the public internet. In order to make additional applications public you must set set the correct ingress class name and ingress annotations like in the HelmRelease for echo-server
.
k8s_gateway
will provide DNS resolution to external Kubernetes resources (i.e. points of entry to the cluster) from any device that uses your home DNS server. For this to work, your home DNS server must be configured to forward DNS queries for ${bootstrap_cloudflare.domain}
to ${bootstrap_cloudflare.gateway_vip}
instead of the upstream DNS server(s) it normally uses. This is a form of split DNS (aka split-horizon DNS / conditional forwarding).
[!TIP] Below is how to configure a Pi-hole for split DNS. Other platforms should be similar.
- Apply this file on the Pihole server while substituting the variables
# /etc/dnsmasq.d/99-k8s-gateway-forward.conf server=/${bootstrap_cloudflare.domain}/${bootstrap_cloudflare.gateway_vip}
- Restart dnsmasq on the server.
- Query an internal-only subdomain from your workstation (any
internal
class ingresses):dig @${home-dns-server-ip} echo-server-internal.${bootstrap_cloudflare.domain}
. It should resolve to${bootstrap_cloudflare.ingress_vip}
.
If you're having trouble with DNS be sure to check out these two GitHub discussions: Internal DNS and Pod DNS resolution broken.
... Nothing working? That is expected, this is DNS after all!
There might be a situation where you want to destroy your Kubernetes cluster. This will completely clean the OS of all traces of the Kubernetes distribution you chose and then reboot the nodes.
# Talos: Reset your nodes back to maintenance mode and reboot
task talos:nuke
Below is a general guide on trying to debug an issue with an resource or application. For example, if a workload/resource is not showing up or a pod has started but in a CrashLoopBackOff
or Pending
state.
Start by checking all Flux Kustomizations & Git Repository & OCI Repository and verify they are healthy.
flux get sources oci -A
flux get sources git -A
flux get ks -A
Then check all the Flux Helm Releases and verify they are healthy.
flux get hr -A
Then check the if the pod is present.
kubectl -n <namespace> get pods -o wide
Then check the logs of the pod if its there.
kubectl -n <namespace> logs <pod-name> -f
# or
stern -n <namespace> <fuzzy-name>
If a resource exists try to describe it to see what problems it might have.
kubectl -n <namespace> describe <resource> <name>
Check the namespace events
kubectl -n <namespace> get events --sort-by='.metadata.creationTimestamp'
Resolving problems that you have could take some tweaking of your YAML manifests in order to get things working, other times it could be a external factor like permissions on NFS. If you are unable to figure out your problem see the help section below.
# Upgrade Talos to a newer version
# NOTE: This needs to be run once on every node
task talos:upgrade node=? image=?
# e.g.
# task talos:upgrade node=192.168.42.10 image=factory.talos.dev/installer/${schematic_id}:v1.7.4
# Upgrade Kubernetes to a newer version
# NOTE: This only needs to be run once against a controller node
task talos:upgrade-k8s node=? to=?
# e.g.
# task talos:upgrade-k8s controller=192.168.42.10 to=1.30.1
A huge thank you for all the maintainers of the dependencies used by this project as well as onedr0p for the awesome cluster template which was used to initially create this repo. If you'd like to get started with your own cluster be sure to check it out.