You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Go to file
Skyler 5b5d04e128
Update things
5 months ago
.github Initial commit 6 months ago
.taskfiles Initial commit 6 months ago
.vscode Initial commit 6 months ago
cluster Update things 5 months ago
provision Ansible: Add hosts 5 months ago
tmpl Initial commit 6 months ago
.config.sample.env Initial commit 6 months ago
.envrc Initial commit 6 months ago
.gitattributes Initial commit 6 months ago
.gitignore Initial commit 6 months ago
.pre-commit-config.yaml Initial commit 6 months ago
.secretlintignore Initial commit 6 months ago
.sourceignore Initial commit 6 months ago
LICENSE Update things 5 months ago
README.md Update things 5 months ago
Taskfile.yml Initial commit 6 months ago
ansible.cfg Initial commit 6 months ago
configure Initial commit 6 months ago

README.md

k3s cluster backed by Flux

Highly opinionated template for deploying a single k3s cluster with Ansible and Terraform backed by Flux and SOPS.

The purpose here is to showcase how you can deploy an entire Kubernetes cluster and show it off to the world using the GitOps tool Flux. When completed, your Git repository will be driving the state of your Kubernetes cluster. In addition with the help of the Ansible, Terraform and Flux SOPS integrations you'll be able to commit Age encrypted secrets to your public repo.

Overview

👋 Introduction

The following components will be installed in your k3s cluster by default. Most are only included to get a minimum viable cluster up and running.

  • flux - GitOps operator for managing Kubernetes clusters from a Git repository
  • kube-vip - Load balancer for the Kubernetes control plane nodes
  • metallb - Load balancer for Kubernetes services
  • cert-manager - Operator to request SSL certificates and store them as Kubernetes resources
  • calico - Container networking interface for inter pod and service networking
  • external-dns - Operator to publish DNS records to Cloudflare (and other providers) based on Kubernetes ingresses
  • k8s_gateway - DNS resolver that provides local DNS to your Kubernetes ingresses
  • ingress-nginx - Kubernetes ingress controller used for a HTTP reverse proxy of Kubernetes ingresses
  • local-path-provisioner - provision persistent local storage with Kubernetes

Additional applications include hajimari, error-pages, echo-server, system-upgrade-controller, reloader, and kured

For provisioning the following tools will be used:

  • Fedora 36 Server - Universal operating system that supports running all kinds of home related workloads in Kubernetes and has a faster release cycle
  • Ansible - Provision Fedora Server and install k3s
  • Terraform - Provision an already existing Cloudflare domain and certain DNS records to be used with your k3s cluster

📝 Prerequisites

Note: This template has not been tested on cloud providers like AWS EC2, Hetzner, Scaleway etc... Those cloud offerings probably have a better way of provsioning a Kubernetes cluster and it's advisable to use those instead of the Ansible playbooks included here. This repository can still be tweaked for the GitOps/Flux portion if there's a cluster working in one those environments.

📚 Reading material

💻 Systems

  • One or more nodes with a fresh install of Fedora Server 36.
    • These nodes can be ARM64/AMD64 bare metal or VMs.
    • An odd number of control plane nodes, greater than or equal to 3 is required if deploying more than one control plane node.
  • A Cloudflare account with a domain, this will be managed by Terraform and external-dns. You can register new domains directly thru Cloudflare.
  • Some experience in debugging problems and a positive attitude ;)

📍 It is recommended to have 3 master nodes for a highly available control plane.

🔧 Workstation Tools

  1. Install the most recent versions of the following CLI tools on your workstation, if you are using Homebrew on MacOS or Linux skip to steps 3 and 4.

  2. This guide heavily relies on go-task as a framework for setting things up. It is advised to learn and understand the commands it is running under the hood.

  3. Install go-task via Brew

    brew install go-task/tap/go-task
    
  4. Install workstation dependencies via Brew

    task init
    

⚠️ pre-commit

It is advisable to install pre-commit and the pre-commit hooks that come with this repository. sops-pre-commit will check to make sure you are not committing non-encrypted Kubernetes secrets to your repository.

  1. Enable Pre-Commit

    task precommit:init
    
  2. Update Pre-Commit, though it will occasionally make mistakes, so verify its results.

    task precommit:update
    

📂 Repository structure

The Git repository contains the following directories under cluster and are ordered below by how Flux will apply them.

📁 cluster      # k8s cluster defined as code
├─📁 flux       # flux, gitops operator, loaded before everything
├─📁 crds       # custom resources, loaded before 📁 core and 📁 apps
├─📁 charts     # helm repos, loaded before 📁 core and 📁 apps
├─📁 config     # cluster config, loaded before 📁 core and 📁 apps
├─📁 core       # crucial apps, namespaced dir tree, loaded before 📁 apps
└─📁 apps       # regular apps, namespaced dir tree, loaded last

🚀 Lets go

Very first step will be to create a new repository by clicking the Use this template button on this page.

Clone the repo to you local workstation and cd into it.

📍 All of the below commands are run on your local workstation, not on any of your cluster nodes.

🔐 Setting up Age

📍 Here we will create a Age Private and Public key. Using SOPS with Age allows us to encrypt secrets and use them in Ansible, Terraform and Flux.

  1. Create a Age Private / Public Key

    age-keygen -o age.agekey
    
  2. Set up the directory for the Age key and move the Age file to it

    mkdir -p ~/.config/sops/age
    mv age.agekey ~/.config/sops/age/keys.txt
    
  3. Export the SOPS_AGE_KEY_FILE variable in your bashrc, zshrc or config.fish and source it, e.g.

    export SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt
    source ~/.bashrc
    
  4. Fill out the Age public key in the .config.env under BOOTSTRAP_AGE_PUBLIC_KEY, note the public key should start with age...

☁️ Global Cloudflare API Key

In order to use Terraform and cert-manager with the Cloudflare DNS challenge you will need to create a API key.

  1. Head over to Cloudflare and create a API key by going here.

  2. Under the API Keys section, create a global API Key.

  3. Use the API Key in the configuration section below.

📍 You may wish to update this later on to a Cloudflare API Token which can be scoped to certain resources. I do not recommend using a Cloudflare API Key, however for the purposes of this template it is easier getting started without having to define which scopes and resources are needed. For more information see the Cloudflare docs on API Keys and Tokens.

📄 Configuration

📍 The .config.env file contains necessary configuration that is needed by Ansible, Terraform and Flux.

  1. Copy the .config.sample.env to .config.env and start filling out all the environment variables.

    All are required unless otherwise noted in the comments.

    cp .config.sample.env .config.env
    
  2. Once that is done, verify the configuration is correct by running:

    task verify
    
  3. If you do not encounter any errors run start having the script wire up the templated files and place them where they need to be.

    task configure
    

⚡ Preparing Fedora Server with Ansible

📍 Here we will be running a Ansible Playbook to prepare Fedora Server for running a Kubernetes cluster.

📍 Nodes are not security hardened by default, you can do this with dev-sec/ansible-collection-hardening or similar if it supports Fedora Server.

  1. Ensure you are able to SSH into your nodes from your workstation using a private SSH key without a passphrase. This is how Ansible is able to connect to your remote nodes.

    How to configure SSH key-based authentication

  2. Install the Ansible deps

    task ansible:init
    
  3. Verify Ansible can view your config

    task ansible:list
    
  4. Verify Ansible can ping your nodes

    task ansible:ping
    
  5. Run the Fedora Server Ansible prepare playbook

    task ansible:prepare
    
  6. Reboot the nodes

    task ansible:reboot
    

⛵ Installing k3s with Ansible

📍 Here we will be running a Ansible Playbook to install k3s with this wonderful k3s Ansible galaxy role. After completion, Ansible will drop a kubeconfig in ./provision/kubeconfig for use with interacting with your cluster with kubectl.

☢️ If you run into problems, you can run task ansible:nuke to destroy the k3s cluster and start over.

  1. Verify Ansible can view your config

    task ansible:list
    
  2. Verify Ansible can ping your nodes

    task ansible:ping
    
  3. Install k3s with Ansible

    task ansible:install
    
  4. Verify the nodes are online

    task cluster:nodes
    # NAME           STATUS   ROLES                       AGE     VERSION
    # k8s-0          Ready    control-plane,master      4d20h   v1.21.5+k3s1
    # k8s-1          Ready    worker                    4d20h   v1.21.5+k3s1
    

☁️ Configuring Cloudflare DNS with Terraform

📍 Review the Terraform scripts under ./provision/terraform/cloudflare/ and make sure you understand what it's doing (no really review it).

If your domain already has existing DNS records be sure to export those DNS settings before you continue.

  1. Pull in the Terraform deps

    task terraform:init
    
  2. Review the changes Terraform will make to your Cloudflare domain

    task terraform:plan
    
  3. Have Terraform apply your Cloudflare settings

    task terraform:apply
    

If Terraform was ran successfully you can log into Cloudflare and validate the DNS records are present.

The cluster application external-dns will be managing the rest of the DNS records you will need.

🔹 GitOps with Flux

📍 Here we will be installing flux after some quick bootstrap steps.

  1. Verify Flux can be installed

    task cluster:verify
    # ► checking prerequisites
    # ✔ kubectl 1.21.5 >=1.18.0-0
    # ✔ Kubernetes 1.21.5+k3s1 >=1.16.0-0
    # ✔ prerequisites checks passed
    
  2. Push you changes to git

    📍 Verify all the *.sops.yaml and *.sops.yml files under the ./cluster and ./provision folders are encrypted with SOPS

    git add -A
    git commit -m "Initial commit :rocket:"
    git push
    
  3. Install Flux and sync the cluster to the Git repository

    task cluster:install
    # namespace/flux-system configured
    # customresourcedefinition.apiextensions.k8s.io/alerts.notification.toolkit.fluxcd.io created
    
  4. Verify Flux components are running in the cluster

    task cluster:pods -- -n flux-system
    # NAME                                       READY   STATUS    RESTARTS   AGE
    # helm-controller-5bbd94c75-89sb4            1/1     Running   0          1h
    # kustomize-controller-7b67b6b77d-nqc67      1/1     Running   0          1h
    # notification-controller-7c46575844-k4bvr   1/1     Running   0          1h
    # source-controller-7d6875bcb4-zqw9f         1/1     Running   0          1h
    

🎤 Verification Steps

Mic check, 1, 2 - In a few moments applications should be lighting up like a Christmas tree 🎄

You are able to run all the commands below with one task

task cluster:resources
  1. View the Flux Git Repositories

    task cluster:gitrepositories
    
  2. View the Flux kustomizations

    task cluster:kustomizations
    
  3. View all the Flux Helm Releases

    task cluster:helmreleases
    
  4. View all the Flux Helm Repositories

    task cluster:helmrepositories
    
  5. View all the Pods

    task cluster:pods
    
  6. View all the certificates and certificate requests

    task cluster:certificates
    
  7. View all the ingresses

    task cluster:ingresses
    

🏆 Congratulations if all goes smooth you'll have a Kubernetes cluster managed by Flux, your Git repository is driving the state of your cluster.

☢️ If you run into problems, you can run task ansible:nuke to destroy the k3s cluster and start over.

🧠 Now it's time to pause and go get some coffee ☕ because next is describing how DNS is handled.

📣 Post installation

🌐 DNS

📍 The external-dns application created in the networking namespace will handle creating public DNS records. By default, echo-server is the only public domain exposed on your Cloudflare domain. In order to make additional applications public you must set an ingress annotation like in the HelmRelease for echo-server. You do not need to use Terraform to create additional DNS records unless you need a record outside the purposes of your Kubernetes cluster (e.g. setting up MX records).

k8s_gateway is deployed on the IP choosen for ${BOOTSTRAP_METALLB_K8S_GATEWAY_ADDR}. Inorder to test DNS you can point your clients DNS to the ${BOOTSTRAP_METALLB_K8S_GATEWAY_ADDR} IP address and load https://hajimari.${BOOTSTRAP_CLOUDFLARE_DOMAIN} in your browser.

You can also try debugging with the command dig, e.g. dig @${BOOTSTRAP_METALLB_K8S_GATEWAY_ADDR} hajimari.${BOOTSTRAP_CLOUDFLARE_DOMAIN} and you should get a valid answer containing your ${BOOTSTRAP_METALLB_INGRESS_ADDR} IP address.

If your router (or Pi-Hole, Adguard Home or whatever) supports conditional DNS forwarding (also know as split-horizon DNS) you may have DNS requests for ${SECRET_DOMAIN} only point to the ${BOOTSTRAP_METALLB_K8S_GATEWAY_ADDR} IP address. This will ensure only DNS requests for ${SECRET_DOMAIN} will only get routed to your k8s_gateway service thus providing DNS resolution to your cluster applications/ingresses.

To access services from the outside world port forwarded 80 and 443 in your router to the ${BOOTSTRAP_METALLB_INGRESS_ADDR} IP, in a few moments head over to your browser and you should be able to access https://echo-server.${BOOTSTRAP_CLOUDFLARE_DOMAIN} from a device outside your LAN.

Now if nothing is working, that is expected. This is DNS after all!

🔐 SSL

By default in this template Kubernetes ingresses are set to use the Let's Encrypt Staging Environment. This will hopefully reduce issues from ACME on requesting certificates until you are ready to use this in "Production".

Once you have confirmed there are no issues requesting your certificates replace letsencrypt-staging with letsencrypt-production in your ingress annotations for cert-manager.io/cluster-issuer

🤖 Renovatebot

Renovatebot will scan your repository and offer PRs when it finds dependencies out of date. Common dependencies it will discover and update are Flux, Ansible Galaxy Roles, Terraform Providers, Kubernetes Helm Charts, Kubernetes Container Images, Pre-commit hooks updates, and more!

The base Renovate configuration provided in your repository can be view at .github/renovate.json5. If you notice this only runs on weekends and you can change the schedule to anything you want or simply remove it.

To enable Renovate on your repository, click the 'Configure' button over at their Github app page and choose your repository. Over time Renovate will create PRs for out-of-date dependencies it finds. Any merged PRs that are in the cluster directory Flux will deploy.

🪝 Github Webhook

Flux is pull-based by design meaning it will periodically check your git repository for changes, using a webhook you can enable Flux to update your cluster on git push. In order to configure Github to send push events from your repository to the Flux webhook receiver you will need two things:

  1. Webhook URL - Your webhook receiver will be deployed on https://flux-receiver.${BOOTSTRAP_CLOUDFLARE_DOMAIN}/hook/:hookId. In order to find out your hook id you can run the following command:

    kubectl -n flux-system get receiver/github-receiver --kubeconfig=./provision/kubeconfig
    # NAME              AGE    READY   STATUS
    # github-receiver   6h8m   True    Receiver initialized with URL: /hook/12ebd1e363c641dc3c2e430ecf3cee2b3c7a5ac9e1234506f6f5f3ce1230e123
    

    So if my domain was onedr0p.com the full url would look like this:

    https://flux-receiver.onedr0p.com/hook/12ebd1e363c641dc3c2e430ecf3cee2b3c7a5ac9e1234506f6f5f3ce1230e123
    
  2. Webhook secret - Your webhook secret can be found by decrypting the secret.sops.yaml using the following command:

    sops -d ./cluster/apps/flux-system/webhooks/github/secret.sops.yaml | yq .stringData.token
    

    Note: Don't forget to update the BOOTSTRAP_FLUX_GITHUB_WEBHOOK_SECRET variable in your .config.env file so it matches the generated secret if applicable

Now that you have the webhook url and secret, it's time to set everything up on the Github repository side. Navigate to the settings of your repository on Github, under "Settings/Webhooks" press the "Add webhook" button. Fill in the webhook url and your secret.

💾 Storage

Rancher's local-path-provisioner is a great start for storage but soon you might find you need more features like replicated block storage, or to connect to a NFS/SMB/iSCSI server. Check out the projects below to read up more on some storage solutions that might work for you.

🔏 Authenticate Flux over SSH

Authenticating Flux to your git repository has a couple benefits like using a private git repository and/or using the Flux Image Automation Controllers.

By default this template only works on a public GitHub repository, it is advised to keep your repository public.

The benefits of a public repository include:

  • Debugging or asking for help, you can provide a link to a resource you are having issues with.
  • Adding a topic to your repository of k8s-at-home to be included in the k8s-at-home-search. This search helps people discover different configurations of Helm charts across others Flux based repositories.
Expand to read guide on adding Flux SSH authentication
  1. Generate new SSH key:
    ssh-keygen -t ecdsa -b 521 -C "github-deploy-key" -f ./cluster/github-deploy-key -q -P ""
    
  2. Paste public key in the deploy keys section of your repository settings
  3. Create sops secret in cluster/flux/flux-system/github-deploy-key.sops.yaml with the contents of:
    # yamllint disable
    apiVersion: v1
    kind: Secret
    metadata:
        name: github-deploy-key
        namespace: flux-system
    stringData:
        # 3a. Contents of github-deploy-key
        identity: |
            -----BEGIN OPENSSH PRIVATE KEY-----
                ...
            -----END OPENSSH PRIVATE KEY-----        
        # 3b. Output of curl --silent https://api.github.com/meta | jq --raw-output '"github.com "+.ssh_keys[]'
        known_hosts: |
            github.com ssh-ed25519 ...
            github.com ecdsa-sha2-nistp256 ...
            github.com ssh-rsa ...        
    
  4. Encrypt secret:
    sops --encrypt --in-place ./cluster/flux/flux-system/github-deploy-key.sops.yaml
    
  5. Apply secret to cluster:
    sops --decrypt cluster/flux/flux-system/github-deploy-key.sops.yaml | kubectl apply -f -
    
  6. Update cluster/flux/flux-system/flux-cluster.yaml:
    ---
    apiVersion: source.toolkit.fluxcd.io/v1beta2
    kind: GitRepository
    metadata:
      name: flux-cluster
      namespace: flux-system
    spec:
      interval: 10m
      # 6a: Change this to your user and repo names
      url: ssh://git@github.com/$user/$repo
      ref:
        branch: main
      secretRef:
        name: github-deploy-key
    
  7. Commit and push changes
  8. Force flux to reconcile your changes
    task cluster:reconcile
    
  9. Verify git repository is now using SSH:
    task cluster:gitrepositories
    
  10. Optionally set your repository to Private in your repository settings.

👉 Troubleshooting

Our wiki (WIP, contributions welcome) is a good place to start troubleshooting issues. If that doesn't cover your issue, come join and say Hi in our community Discord.

❔ What's next

The world is your cluster, have at it!

🤝 Thanks

Big shout out to all the authors and contributors to the projects that we are using in this repository.

Community member @Whazor created this website as a creative way to search Helm Releases across GitHub. You may use it as a means to get ideas on how to configure an applications' Helm values.