Public GitOps repository for showing how I run my services on k3s https://tobru.ch/

gitops kubernetes k3s argo

You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

Go to file

Tobias Brunner 42f0e59a37 continuous-integration/drone/push Build is passing Details traccar is now on zurrli		23 hours ago
_apps	traccar is now on zurrli	23 hours ago
_test	only warn for some policies	3 years ago
acmedns	disable registration	1 year ago
argocd	only cm once	6 months ago
cert-manager	Merge pull request 'Update quay.io/jetstack/cert-manager-cainjector Docker tag to v1.9.1' (#968 ) from renovate/quay.io-jetstack-cert-manager-cainjector-1.x into master	8 months ago
docspell	set weasyprint to convert pdfs	2 months ago
drone	Update dependency docker.io/drone/drone to v2.12.1	10 months ago
familydb	allways pull image	2 years ago
graphs	update grafana chart	6 months ago
headscale	entry for argocd	2 weeks ago
healthcheck	correct ns for hc	2 years ago
influxdb	modernize influx ingress	6 months ago
ioteer	traccar env var	1 year ago
ipapi	fix ingresses	1 year ago
k8up	install k8up crds	1 year ago
kube-cleanup-operator	Update quay.io/lwolf/kube-cleanup-operator Docker tag to v0.8.2	2 years ago
kube-system	add traefik redirect middleware	9 months ago
linkding	Update sissbruecker/linkding Docker tag to v1.15.0	7 months ago
mealie	Update docker.io/hkotel/mealie Docker tag to v0.5.6	1 year ago
miniflux	Merge pull request 'Update docker.io/postgres Docker tag to v13.8' (#1000 ) from renovate/docker.io-postgres-13.x into master	8 months ago
mosquitto	add addnl ttn conn	2 months ago
mqttwarn	add rssi	2 months ago
odoo	pull odoo addons in initcontainer	8 months ago
owntracks	set http prefix for tours	6 months ago
pylokid	update pylokid for mailbox.org migration	4 months ago
renovate	Update renovate/renovate Docker tag to v35	3 weeks ago
sealed-secrets	correct ns	2 months ago
stakater-reloader	Update stakater/reloader Docker tag to v1.0.15	3 weeks ago
system-upgrade-controller	Update dependency rancher/system-upgrade-controller to v0.9.1	1 year ago
tobru-ch	Update ghost Docker tag to v5.38.0	3 weeks ago
traccar	Update docker.io/mariadb Docker tag to v10.9	7 months ago
.drone.yml	use kubernetes for drone build	2 years ago
.envrc	add envrc and gitignore	3 weeks ago
.gitignore	add envrc and gitignore	3 weeks ago
README.md	rshared info	2 years ago
renovate.json	statping is gone	2 years ago

README.md

GitOps for tbrnt k3s hosting

Repo structure

Each subdirectory is a namespace
_apps is the meta directory for Argo CD apps
Another private repo contains stuff in a more approachable format, f.e. for dealing with updating sealed-secrets: gitops-tbrnt-private
_tests contains some Open Policy Agent rego files which are used in the Drone CI pipeline to validate configuration.

Usage

Argo CD

Access

Either

sudo -E kubefwd svc -n argocd and then https://argocd-server/

kubectl port-forward svc/argocd-server -n argocd 8080:443 and then https://localhost:8080/

CLI

argocd login argocd-server
argocd app list
argocd app sync <name>

Kubeseal (Sealed Secrets)

See README of apps. Basically:

kubeseal --controller-namespace sealed-secrets -o yaml -n MYNS < ../../gitops-tbrnt-private/MYNS/MYSECRET.yaml > MYSECRET-secret.yaml

Bootstrap GitOps

After installing k3s, do:

# install Argo CD
kubectl create ns argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
kubectl get pods -n argocd -l app.kubernetes.io/name=argocd-server -o name | cut -d'/' -f 2
argocd login argocd-server

# Restore Sealed Secrets secret key
kubectl create ns sealed-secrets
kubectl apply -f ../gitops-tbrnt-private/sealed-secrets/master-key.yaml

# Instantiate Argo Root App
kubectl apply -f _apps/apps.yaml

# Let Argo CD do it's job
argocd app sync apps
argocd app sync sealed-secrets
argocd app sync -l app.kubernetes.io/instance=apps

TODO:

Restore PVCs via K8up

k3s on Alpine

Installing: Alpine

Basically follow the Alpine wiki.

Then install prerequisites and some essential packages:

apk add \
  vim \
  iptables \
  wireguard-virt \
  bash \
  curl

Needs community repo enabled in /etc/apk/repositories.

Tweak Sysctl in /etc/sysctl.conf:

fs.inotify.max_user_instances = 8192
fs.inotify.max_user_watches = 524288

Add rshared mount option to root filesystem for node-exporter to work correctly.

Installing: k3s

Via k3sup:

k3sup install \
  --ip=185.95.218.11 \
  --user=root \
  --local-path=~/.kube/config_knurrli2 \
  --sudo=false \
  --k3s-extra-args='--tls-san knurrli.tobrunet.ch --cluster-cidr 10.44.0.0/16 --flannel-backend wireguard'

Helpful infos

Paths

Volumes: /var/lib/rancher/k3s/storage/
Config: /etc/rancher/k3s/
Manifests: /var/lib/rancher/k3s/server/manifests/

Links

Configure Wireguard

/etc/network/interfaces

auto wg0
iface wg0 inet static
    address 10.42.42.16
    netmask 255.255.255.0
    pre-up ip link add dev wg0 type wireguard
    pre-up wg setconf wg0 /etc/wireguard/wg0.conf
    post-up ip route add 10.42.42.0/24 dev wg0
    post-down ip link delete dev wg0

https://wiki.alpinelinux.org/wiki/Configure_a_Wireguard_interface_(wg)