Welcome to my highly opinionated template for deploying a single Kubernetes (k3s) cluster with Ansible and managing applications with Flux. Upon completion you will be able to expose web applications you choose to the internet with Cloudflare Tunnel.
- Introduction
- Prerequisites
- Repository structure
- Lets go!
- Post installation
- Troubleshooting
- What's next
- Thanks
The following components will be installed in your k3s cluster by default. Most are only included to get a minimum viable cluster up and running.
- flux - GitOps operator for managing Kubernetes clusters from a Git repository
- kube-vip - Load balancer for the Kubernetes control plane nodes
- cert-manager - Operator to request SSL certificates and store them as Kubernetes resources
- cilium - Container networking interface for inter pod and service networking
- external-dns - Operator to publish DNS records to Cloudflare (and other providers) based on Kubernetes ingresses
- k8s_gateway - DNS resolver that provides local DNS to your Kubernetes ingresses
- ingress-nginx - Kubernetes ingress controller used for a HTTP reverse proxy of Kubernetes ingresses
- local-path-provisioner - provision persistent local storage with Kubernetes
Additional applications can be enabled in the addons configuration file
- Please bring a positive attitude and be ready to learn and fail a lot. The more you fail, the more you can learn from.
- This was designed to run in your home network on bare metal machines or VMs NOT in the cloud.
- You MUST have a domain you can manage on Cloudflare.
- Secrets will be commited to your Git repository AND they will be encrypted by SOPS.
- By default your domain name will NOT be visible to the public.
- To reach internal-only apps you MUST have a DNS server that supports split DNS (Pi-Hole, Blocky, Dnsmasq, Unbound, etc...) deployed somewhere outside your cluster ON your home network.
- In order for this all to work you have to use nodes that have access to the internet. This is not going to work in air-gapped environments.
- Only amd64 and/or arm64 nodes are supported.
With that out of the way please continue on if you are still interested...
Download Debian 12 (for raspi/arm64 use the tested images)
There is a decent guide here on how to get Debian installed.
-
Deviations from that guide
- Choose "Guided - use entire disk" - Choose "All files in one partition" - Delete Swap partition - Uncheck all Debian desktop environment options - Keep ssh server checked
-
[Post install] Remove CD/DVD as apt source
su - sed -i '/deb cdrom/d' /etc/apt/sources.list apt update exit
-
[Post install] Enable sudo for your non-root user
su - apt install sudo usermod -aG sudo ${username} echo "${username} ALL=(ALL) NOPASSWD:ALL" | tee /etc/sudoers.d/${username} exit newgrp sudo sudo apt update
-
[Post install] Add SSH keys (or use
ssh-copy-id
on the client that is connecting)mkdir -m 700 ~/.ssh sudo apt install curl curl https://github.com/${github_username}.keys > ~/.ssh/authorized_keys chmod 600 ~/.ssh/authorized_keys
If you choose to use a Raspberry Pi for the cluster, it is recommended to have at minimum a Raspberry Pi4 (4GB) and preferably an 8GB model. Additionally, it is also recommended to boot from an external SSD, rather than the SD card. This is supported natively, however if you have an early Raspberry Pi4, you may need to update the bootloader.
According to the documentation here, after you have flashed the image onto a SSD/NVMe you must mount the drive and do the following.
- Edit the
sysconf.txt
- Add/change
root_authorized_key
to your desired public SSH key - Add/change
root_pw
to your desired root password - Add/change
hostname
to your desired hostname
Very first step will be to create a new public repository by clicking the big green Use this template button on this page.
Clone your new repo to you local workstation and cd
into it.
π All of the below commands are run on your local workstation, not on any of your cluster nodes.
π Install the most recent version of the CLI tools below. If you are having trouble with future steps, it is very likely you don't have the most recent version of these CLI tools. The most troublesome are ansible
, go-task
, and sops
.
-
Install the following CLI tools on your workstation, if you are using Homebrew skip this step and move onto 2 & 3.
-
[Homebrew] Install go-task
brew install go-task/tap/go-task
-
[Homebrew] Install the other workstation dependencies
task brew:deps
π Here we will create a Age Private and Public key. Using SOPS with Age allows us to encrypt secrets and use them in Ansible and Flux.
-
Create a Age Private / Public Key
age-keygen -o age.agekey
-
Set up the directory for the Age key and move the Age file to it
mkdir -p ~/.config/sops/age mv age.agekey ~/.config/sops/age/keys.txt
-
Export the
SOPS_AGE_KEY_FILE
variable in yourbashrc
,zshrc
orconfig.fish
and source it, e.g.export SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt source ~/.bashrc
-
Fill out the Age public key in the appropriate variable in configuration section below, note the public key should start with
age
...
In order to use cert-manager
with the Cloudflare DNS challenge you will need to create a API Token.
-
Head over to Cloudflare and create a API Token by going here.
-
Under the
API Tokens
section, click the blue "Create Token" button. -
Click the "Use template" blue button for the
Edit zone DNS
template. -
Give your token a name like
home-k8s-cluster
-
Under
Permissions
, click+ Add More
and add each permission below:
Zone - DNS - Edit # should be there already if using the template from the previous step
Account - Cloudflare Tunnel - Read
π Feel free to limit the permissions to a specific account and zone resources.
- Use the API Token in the appropriate variable in configuration section below.
In order to expose services to the internet you will need to create a Cloudflare Tunnel.
-
Authenticate cloudflared to your domain
cloudflared tunnel login
-
Create the tunnel
cloudflared tunnel create k8s
-
In the
~/.cloudflared
directory there will be a json file with details you need to populate in configuration section below. You can ignore thecert.pem
file.
π The bootstrap/vars/config.yaml
file contains necessary configuration that is needed by Ansible and Flux. The bootstrap/vars/addons.yaml
file allows you to customize which additional apps you want deployed in your cluster. These files are added to the .gitignore
file and will not be tracked by Git.
-
Copy the configuration and addons files and start filling out all the variables.
task init
-
Once done run the following command which will verify and generate all the files needed to continue.
task configure
The configure script will have created a ./ansible
directory and the following directories under ./kubernetes
.
π kubernetes # Kubernetes cluster defined as code
ββπ bootstrap # Flux installation (not tracked by Flux)
ββπ flux # Main Flux configuration of repository
ββπ apps # Apps deployed into the cluster grouped by namespace
π Here we will be running an Ansible Playbook to prepare Debian server for running a Kubernetes cluster.
π Nodes are not security hardened by default, you can do this with dev-sec/ansible-collection-hardening or similar if supported. This is an advanced configuration and generally not recommended unless you want to DevSecOps your cluster and nodes.
-
Ensure you are able to SSH into your nodes from your workstation using a private SSH key without a passphrase. This is how Ansible is able to connect to your remote nodes.
-
Install the Ansible deps
task ansible:deps
-
Verify Ansible can view your config
task ansible:list
-
Verify Ansible can ping your nodes
task ansible:ping
-
Run the Ansible prepare playbook
task ansible:prepare
-
Reboot the nodes (if not done in step 5)
task ansible:force-reboot
π Here we will be running a Ansible Playbook to install k3s with this wonderful k3s Ansible galaxy role. After completion, Ansible will drop a kubeconfig
in ./kubeconfig
for use with interacting with your cluster with kubectl
.
β’οΈ If you run into problems, you can run task ansible:nuke
to destroy the k3s cluster and start over.
-
Verify Ansible can view your config
task ansible:list
-
Verify Ansible can ping your nodes
task ansible:ping
-
Install k3s with Ansible
task ansible:install
-
Verify the nodes are online
task cluster:nodes # NAME STATUS ROLES AGE VERSION # k8s-0 Ready control-plane,etcd,master 1h v1.27.3+k3s1 # k8s-1 Ready control-plane,etcd,master 1h v1.27.3+k3s1 # k8s-2 Ready control-plane,etcd,master 1h v1.27.3+k3s1 # k8s-3 Ready worker 1h v1.27.3+k3s1
π Here we will be installing flux after some quick bootstrap steps.
-
Verify Flux can be installed
task cluster:verify # βΊ checking prerequisites # β kubectl 1.27.3 >=1.18.0-0 # β Kubernetes 1.27.3+k3s1 >=1.16.0-0 # β prerequisites checks passed
-
Push you changes to git
π Verify all the
*.sops.yaml
and*.sops.yaml
files under the./ansible
, and./kubernetes
directories are encrypted with SOPSgit add -A git commit -m "Initial commit :rocket:" git push
-
Install Flux and sync the cluster to the Git repository
task cluster:install # namespace/flux-system configured # customresourcedefinition.apiextensions.k8s.io/alerts.notification.toolkit.fluxcd.io created
-
Verify Flux components are running in the cluster
task cluster:pods -- -n flux-system # NAME READY STATUS RESTARTS AGE # helm-controller-5bbd94c75-89sb4 1/1 Running 0 1h # kustomize-controller-7b67b6b77d-nqc67 1/1 Running 0 1h # notification-controller-7c46575844-k4bvr 1/1 Running 0 1h # source-controller-7d6875bcb4-zqw9f 1/1 Running 0 1h
Mic check, 1, 2 - In a few moments applications should be lighting up like a Christmas tree π
You are able to run all the commands below with one task
task cluster:resources
-
View the Flux Git Repositories
task cluster:gitrepositories
-
View the Flux kustomizations
task cluster:kustomizations
-
View all the Flux Helm Releases
task cluster:helmreleases
-
View all the Flux Helm Repositories
task cluster:helmrepositories
-
View all the Pods
task cluster:pods
-
View all the certificates and certificate requests
task cluster:certificates
-
View all the ingresses
task cluster:ingresses
π Congratulations if all goes smooth you'll have a Kubernetes cluster managed by Flux, your Git repository is driving the state of your cluster.
β’οΈ If you run into problems, you can run task ansible:nuke
to destroy the k3s cluster and start over.
π§ Now it's time to pause and go get some coffee β because next is describing additional things like how DNS is handled.
direnv will make it so anytime you cd
to your repo's directory it export the required environment variables (e.g. KUBECONFIG
). To set this up make sure you hook it into your shell and after that is done, run direnv allow
while in your repos directory.
The external-dns
application created in the networking
namespace will handle creating public DNS records. By default, echo-server
and the flux-webhook
are the only public sub-domains exposed. In order to make additional applications public you must set an ingress annotation (external-dns.alpha.kubernetes.io/target
) like done in the HelmRelease
for echo-server
.
For split DNS to work it is required to have ${SECRET_DOMAIN}
point to the ${K8S_GATEWAY_ADDR}
load balancer IP address on your home DNS server. This will ensure DNS requests for ${SECRET_DOMAIN}
will only get routed to your k8s_gateway
service thus providing internal DNS resolution to your cluster applications/ingresses from any device that uses your home DNS server.
For and example with Pi-Hole apply the following file and restart dnsmasq:
# /etc/dnsmasq.d/99-k8s-gateway-forward.conf
server=/${SECRET_DOMAIN}/${K8S_GATEWAY_ADDR}
Now try to resolve an internal-only domain with dig @${pi-hole-ip} hajimari.${SECRET_DOMAIN}
it should resolve to your ${INGRESS_NGINX_ADDR}
IP.
If having trouble you can ask for help in this Github discussion.
If nothing is working, that is expected. This is DNS after all!
By default this template will deploy a wildcard certificate with the Let's Encrypt staging servers. This is to prevent you from getting rate-limited on configuration that might not be valid on bootstrap using the production server. Once you have confirmed the certificate is created and valid, make sure to switch to the Let's Encrypt production servers as outlined below. Do not enable the production certificate until you are sure you will keep the cluster up for more than a few hours.
-
Update the resources to use the production Let's Encrypt server:
diff --git a/kubernetes/apps/networking/ingress-nginx/app/helmrelease.yaml b/kubernetes/apps/networking/ingress-nginx/app/helmrelease.yaml index e582d4a..0f80700 100644 --- a/kubernetes/apps/networking/ingress-nginx/app/helmrelease.yaml +++ b/kubernetes/apps/networking/ingress-nginx/app/helmrelease.yaml @@ -60,7 +60,7 @@ spec: namespaceSelector: any: true extraArgs: - default-ssl-certificate: "networking/${SECRET_DOMAIN/./-}-staging-tls" + default-ssl-certificate: "networking/${SECRET_DOMAIN/./-}-production-tls" resources: requests: cpu: 10m diff --git a/kubernetes/apps/networking/ingress-nginx/certificates/kustomization.yaml b/kubernetes/apps/networking/ingress-nginx/certificates/kustomization.yaml index d57147d..f58e4a7 100644 --- a/kubernetes/apps/networking/ingress-nginx/certificates/kustomization.yaml +++ b/kubernetes/apps/networking/ingress-nginx/certificates/kustomization.yaml @@ -3,4 +3,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ./staging.yaml - # - ./production.yaml + - ./production.yaml
-
Commit and push your changes:
git add -A git commit -m "fix: use production LE certificates" git push
-
Force Flux to pick up the changes:
task cluster:reconcile
- To view the certificate request run
kubectl -n networking get certificaterequests
- To verify the certificate is created run
kubectl -n networking get certificates
You should start to see your applications using the new certificate.
Renovatebot will scan your repository and offer PRs when it finds dependencies out of date. Common dependencies it will discover and update are Flux, Ansible Galaxy Roles, Terraform Providers, Kubernetes Helm Charts, Kubernetes Container Images, and more!
The base Renovate configuration provided in your repository can be view at .github/renovate.json5. If you notice this only runs on weekends and you can change the schedule to anything you want or simply remove it.
To enable Renovate on your repository, click the 'Configure' button over at their Github app page and choose your repository. Over time Renovate will create PRs for out-of-date dependencies it finds. Any merged PRs that are in the kubernetes directory Flux will deploy.
Flux is pull-based by design meaning it will periodically check your git repository for changes, using a webhook you can enable Flux to update your cluster on git push
. In order to configure Github to send push
events from your repository to the Flux webhook receiver you will need two things:
-
Webhook URL - Your webhook receiver will be deployed on
https://flux-webhook.${bootstrap_cloudflare_domain}/hook/:hookId
. In order to find out your hook id you can run the following command:kubectl -n flux-system get receiver/github-receiver # NAME AGE READY STATUS # github-receiver 6h8m True Receiver initialized with URL: /hook/12ebd1e363c641dc3c2e430ecf3cee2b3c7a5ac9e1234506f6f5f3ce1230e123
So if my domain was
onedr0p.com
the full url would look like this:https://flux-webhook.onedr0p.com/hook/12ebd1e363c641dc3c2e430ecf3cee2b3c7a5ac9e1234506f6f5f3ce1230e123
-
Webhook secret - Your webhook secret can be found by decrypting the
secret.sops.yaml
using the following command:sops -d ./kubernetes/apps/flux-system/addons/webhooks/github/secret.sops.yaml | yq .stringData.token
Note: Don't forget to update the
bootstrap_flux_github_webhook_token
variable in theconfig.yaml
file so it matches the generated secret if applicable
Now that you have the webhook url and secret, it's time to set everything up on the Github repository side. Navigate to the settings of your repository on Github, under "Settings/Webhooks" press the "Add webhook" button. Fill in the webhook url and your secret.
Rancher's local-path-provisioner
is a great start for storage but soon you might find you need more features like replicated block storage, or to connect to a NFS/SMB/iSCSI server. Check out the projects below to read up more on some storage solutions that might work for you.
- rook-ceph
- longhorn
- openebs
- nfs-subdir-external-provisioner
- democratic-csi
- csi-driver-nfs
- synology-csi
Authenticating Flux to your git repository has a couple benefits like using a private git repository and/or using the Flux Image Automation Controllers.
By default this template only works on a public GitHub repository, it is advised to keep your repository public.
The benefits of a public repository include:
- Debugging or asking for help, you can provide a link to a resource you are having issues with.
- Adding a topic to your repository of
k8s-at-home
to be included in the k8s-at-home-search. This search helps people discover different configurations of Helm charts across others Flux based repositories.
Expand to read guide on adding Flux SSH authentication
-
Generate new SSH key:
ssh-keygen -t ecdsa -b 521 -C "github-deploy-key" -f ./kubernetes/bootstrap/github-deploy.key -q -P ""
-
Paste public key in the deploy keys section of your repository settings
-
Create sops secret in
./kubernetes/bootstrap/github-deploy-key.sops.yaml
with the contents of:apiVersion: v1 kind: Secret metadata: name: github-deploy-key namespace: flux-system stringData: # 3a. Contents of github-deploy-key identity: | -----BEGIN OPENSSH PRIVATE KEY----- ... -----END OPENSSH PRIVATE KEY----- # 3b. Output of curl --silent https://api.github.com/meta | jq --raw-output '"github.com "+.ssh_keys[]' known_hosts: | github.com ssh-ed25519 ... github.com ecdsa-sha2-nistp256 ... github.com ssh-rsa ...
-
Encrypt secret:
sops --encrypt --in-place ./kubernetes/bootstrap/github-deploy-key.sops.yaml
-
Apply secret to cluster:
sops --decrypt ./kubernetes/bootstrap/github-deploy-key.sops.yaml | kubectl apply -f -
-
Update
./kubernetes/flux/config/cluster.yaml
:apiVersion: source.toolkit.fluxcd.io/v1beta2 kind: GitRepository metadata: name: home-kubernetes namespace: flux-system spec: interval: 10m # 6a: Change this to your user and repo names url: ssh://[email protected]/$user/$repo ref: branch: main secretRef: name: github-deploy-key
-
Commit and push changes
-
Force flux to reconcile your changes
task cluster:reconcile
-
Verify git repository is now using SSH:
task cluster:gitrepositories
-
Optionally set your repository to Private in your repository settings.
Included in your cluster is the Kubernetes Dashboard. Inorder to log into this you will have to get the secret token from the cluster using the command below.
kubectl -n monitoring get secret kubernetes-dashboard -o jsonpath='{.data.token}' | base64 -d
You should be able to access the dashboard at https://kubernetes.${SECRET_DOMAIN}
Below is a general guide on trying to debug an issue with an resource or application. For example, if a workload/resource is not showing up or a pod has started but in a CrashLoopBackOff
or Pending
state.
- Start by checking all Flux Kustomizations & Git Repository & OCI Repository and verify they are healthy.
flux get sources oci -A
flux get sources git -A
flux get ks -A
- Then check all the Flux Helm Releases and verify they are healthy.
flux get hr -A
- Then check the if the pod is present.
kubectl -n <namespace> get pods
- Then check the logs of the pod if its there.
kubectl -n <namespace> logs <pod-name> -f
Note: If a resource exists, running kubectl -n <namespace> describe <resource> <name>
might give you insight into what the problem(s) could be.
Resolving problems that you have could take some tweaking of your YAML manifests in order to get things working, other times it could be a external factor like permissions on NFS. If you are unable to figure out your problem see the help section below.
- Make a post in this repository's GitHub Discussions.
- Start a thread in the
support
orflux-cluster-template
channel in the k8s@home Discord server.
The world is your cluster, have at it!
Big shout out to all the authors and contributors to the projects that we are using in this repository.
@whazor created this website as a creative way to search Helm Releases across GitHub. You may use it as a means to get ideas on how to configure an applications' Helm values.