Public GitOps repository for showing how I run my services on k3s
https://tobru.ch/
| Path | Last change |
|---|---|
| _apps | 23 hours ago |
| _test | 3 years ago |
| acmedns | 1 year ago |
| argocd | 6 months ago |
| cert-manager | 8 months ago |
| docspell | 2 months ago |
| drone | 10 months ago |
| familydb | 2 years ago |
| graphs | 6 months ago |
| headscale | 2 weeks ago |
| healthcheck | 2 years ago |
| influxdb | 6 months ago |
| ioteer | 1 year ago |
| ipapi | 1 year ago |
| k8up | 1 year ago |
| kube-cleanup-operator | 2 years ago |
| kube-system | 9 months ago |
| linkding | 7 months ago |
| mealie | 1 year ago |
| miniflux | 8 months ago |
| mosquitto | 2 months ago |
| mqttwarn | 2 months ago |
| odoo | 8 months ago |
| owntracks | 6 months ago |
| pylokid | 4 months ago |
| renovate | 3 weeks ago |
| sealed-secrets | 2 months ago |
| stakater-reloader | 3 weeks ago |
| system-upgrade-controller | 1 year ago |
| tobru-ch | 3 weeks ago |
| traccar | 7 months ago |
| .drone.yml | 2 years ago |
| .envrc | 3 weeks ago |
| .gitignore | 3 weeks ago |
| README.md | 2 years ago |
| renovate.json | 2 years ago |
GitOps for tbrnt k3s hosting
Repo structure
- Each subdirectory is a namespace.
- _apps is the meta directory for the Argo CD apps.
- Another, private repo (gitops-tbrnt-private) contains the same things in a more approachable format, e.g. the plaintext inputs used when updating sealed-secrets.
- _test contains some Open Policy Agent rego files which are used in the Drone CI pipeline to validate the configuration.
Usage
Argo CD
Access
Either forward the service name with kubefwd:
sudo -E kubefwd svc -n argocd
and open https://argocd-server/, or port-forward the server:
kubectl port-forward svc/argocd-server -n argocd 8080:443
and open https://localhost:8080/.
CLI
argocd login argocd-server
argocd app list
argocd app sync <name>
Kubeseal (Sealed Secrets)
See README of apps. Basically:
kubeseal --controller-namespace sealed-secrets -o yaml -n MYNS < ../../gitops-tbrnt-private/MYNS/MYSECRET.yaml > MYSECRET-secret.yaml
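Because this repo is public, the only thing that may ever be committed here is the kubeseal output, and because kubeseal -n MYNS binds the ciphertext to that namespace (strict scope), a SealedSecret committed under the wrong namespace directory will never decrypt. The following is an added example, not tooling from this repo or from the private repo, of a small check that a pre-commit hook or the Drone pipeline could run over the tree: it flags any plaintext Secret carrying data/stringData (which is also what a stray copy of master-key.yaml looks like) and any SealedSecret whose metadata.namespace does not match the directory it lives in. The fixture tree, file names and ciphertext strings are constructed for the example; the parser reads only top-level keys, which is enough for the flat manifests kubeseal -o yaml writes.

```shell
#!/usr/bin/env bash
# Added example (not this repo's own tooling): a pre-commit / CI check for a
# public GitOps tree where every subdirectory is a namespace and credentials
# may only be committed as SealedSecret resources.
#
# Per YAML document (documents split on "---"; only top-level keys are read):
#   1. a plaintext "kind: Secret" carrying data/stringData is a finding, so a
#      copy of a private-repo input file, or of master-key.yaml, cannot slip
#      into the public repo unnoticed;
#   2. a SealedSecret whose metadata.namespace differs from the directory it
#      sits in is a finding: kubeseal -n MYNS binds the ciphertext to MYNS
#      (strict scope), so it will not decrypt where the layout deploys it.
set -u

# check_manifest_file FILE: prints one line per finding; always exits 0 so it
# is safe inside a pipeline under set -e.
check_manifest_file() {
  local f="$1" dir
  dir=$(basename "$(dirname "$f")")
  awk -v file="$f" -v dir="$dir" '
    function flush() {
      if (kind == "Secret" && datakey != "")
        print file ": plaintext Secret carries " datakey " (commit a SealedSecret instead)"
      if (kind == "SealedSecret" && ns != "" && ns != dir)
        print file ": SealedSecret is sealed for namespace " ns " but lives under " dir "/"
      kind = ""; ns = ""; datakey = ""; inmeta = 0
    }
    /^---/                        { flush(); next }
    /^kind:/                      { kind = $2 }
    /^metadata:/                  { inmeta = 1; next }
    /^[^ \t#]/                    { inmeta = 0 }   # another top-level key ends metadata
    inmeta && /^[ \t]+namespace:/ { ns = $2 }
    /^(data|stringData):/         { datakey = $1; sub(/:$/, "", datakey) }
    END                           { flush() }
  ' "$f"
}

# check_manifest_tree DIR: runs the file check over every *.yaml/*.yml below
# DIR. Returns 0 when clean, 1 with the findings on stdout otherwise.
check_manifest_tree() {
  local root="$1" findings
  findings=$(find "$root" -type f \( -name '*.yaml' -o -name '*.yml' \) | sort |
             while IFS= read -r f; do check_manifest_file "$f"; done)
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}

# make_fixture DIR: constructed sample tree (not manifests from this repo):
# one correctly sealed file, one plaintext Secret, one SealedSecret that was
# sealed for another namespace than the directory it sits in.
make_fixture() {
  local root="$1"
  mkdir -p "$root/linkding" "$root/miniflux"
  cat > "$root/linkding/linkding-secret.yaml" <<'EOF'
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: linkding
  namespace: linkding
spec:
  encryptedData:
    SECRET_KEY: AgBconstructedCiphertextNotReal==
EOF
  cat > "$root/miniflux/db-secret.yaml" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: db
  namespace: miniflux
stringData:
  DATABASE_URL: postgres://miniflux:constructed-password@db/miniflux
EOF
  cat > "$root/miniflux/api-secret.yaml" <<'EOF'
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: api
  namespace: linkding
spec:
  encryptedData:
    token: AgBconstructedCiphertextNotReal==
EOF
}

# Usage: check_manifest_tree .   (run this file with "demo" to see the fixture)
if [ "${1:-}" = demo ]; then
  d=$(mktemp -d); make_fixture "$d"; check_manifest_tree "$d"; rm -rf "$d"
fi
```

Wired into the Drone pipeline next to the rego checks, a non-zero exit from check_manifest_tree fails the build before Argo CD ever sees the commit; the namespace check is the one that catches the easy mistake of running the kubeseal command above with -n of the previous app and saving the output into the next app's directory.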
Bootstrap GitOps
After installing k3s, do:
# install Argo CD
kubectl create ns argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
# initial admin password: older Argo CD releases use the argocd-server pod name;
# current releases store it in the argocd-initial-admin-secret Secret instead
kubectl get pods -n argocd -l app.kubernetes.io/name=argocd-server -o name | cut -d'/' -f 2
argocd login argocd-server
# Restore Sealed Secrets secret key
kubectl create ns sealed-secrets
kubectl apply -f ../gitops-tbrnt-private/sealed-secrets/master-key.yaml
# Instantiate Argo Root App
kubectl apply -f _apps/apps.yaml
# Let Argo CD do its job
argocd app sync apps
argocd app sync sealed-secrets
argocd app sync -l app.kubernetes.io/instance=apps
TODO:
- Restore PVCs via K8up
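The order of the bootstrap steps matters: the backed-up key in master-key.yaml has to be in the cluster before the sealed-secrets app is synced, because a controller that starts without an existing key mints a fresh key pair and none of the SealedSecrets committed in this repo decrypt under it. The following is an added example, not a script from this repo, that wraps the steps above in that order and refuses to create the root app until a key secret is visible in the sealed-secrets namespace. It assumes kubectl and argocd on PATH and pointed at the fresh cluster (argocd reachable via kubefwd as in the Access section), the private repo checked out next to this one (PRIVATE, overridable), and it relies on the controller's own label sealedsecrets.bitnami.com/sealed-secrets-key=active, which a backup taken with kubectl get secret -o yaml keeps.

```shell
#!/usr/bin/env bash
# Added example, not a script from this repo: the bootstrap steps from the
# README in the order they have to run, with a gate in front of the root app.
# If the sealed-secrets controller comes up before master-key.yaml has been
# restored it mints a fresh key pair and every SealedSecret in this repo stops
# decrypting, so the script checks for the restored key before Argo CD gets
# hold of the cluster.
# Assumed: kubectl and argocd on PATH and pointed at the fresh cluster, and the
# private repo checked out next to this one. PRIVATE and ARGOCD_MANIFEST can
# be overridden from the environment.
set -u
PRIVATE=${PRIVATE:-../gitops-tbrnt-private}
ARGOCD_MANIFEST=${ARGOCD_MANIFEST:-https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml}

# master_key_present: 0 when a secret labelled as a sealed-secrets signing key
# exists in the sealed-secrets namespace, 1 otherwise. The controller labels
# its keys sealedsecrets.bitnami.com/sealed-secrets-key=active; a backup made
# with "kubectl get secret -l ... -o yaml" keeps that label, so the restored
# master-key.yaml is found by the same selector.
master_key_present() {
  local names
  names=$(kubectl -n sealed-secrets get secret \
            -l sealedsecrets.bitnami.com/sealed-secrets-key=active -o name 2>/dev/null) || return 1
  [ -n "$names" ]
}

# bootstrap: the README's steps; returns non-zero on the first failing step
# and aborts before the root app exists when the key is missing.
bootstrap() {
  # install Argo CD and wait until its API server is up before logging in
  kubectl create ns argocd || return 1
  kubectl apply -n argocd -f "$ARGOCD_MANIFEST" || return 1
  kubectl -n argocd rollout status deploy/argocd-server --timeout=300s || return 1
  argocd login argocd-server || return 1

  # restore the Sealed Secrets key before anything can start the controller
  kubectl create ns sealed-secrets || return 1
  kubectl apply -f "$PRIVATE/sealed-secrets/master-key.yaml" || return 1
  if ! master_key_present; then
    echo "refusing to continue: no sealed-secrets key in namespace sealed-secrets" >&2
    return 1
  fi

  # only now hand the cluster to Argo CD
  kubectl apply -f _apps/apps.yaml || return 1
  argocd app sync apps || return 1
  argocd app sync sealed-secrets || return 1
  argocd app sync -l app.kubernetes.io/instance=apps
}

# Usage: bash bootstrap.sh run   (sourcing the file only defines the functions)
if [ "${1:-}" = run ]; then bootstrap; fi
```

The gate is cheap insurance: a failed apply of master-key.yaml (wrong path, wrong checkout of the private repo) otherwise surfaces only later as every sealed-secrets unseal error in the controller log, by which point the controller has already written its own key into the namespace.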
k3s on Alpine
Installing: Alpine
Basically follow the Alpine wiki.
Then install prerequisites and some essential packages:
apk add \
vim \
iptables \
wireguard-virt \
bash \
curl
This needs the community repo enabled in /etc/apk/repositories.
Tweak sysctl in /etc/sysctl.conf:
fs.inotify.max_user_instances = 8192
fs.inotify.max_user_watches = 524288
Add the rshared mount option to the root filesystem for node-exporter to work correctly.
Installing: k3s
Via k3sup:
k3sup install \
--ip=185.95.218.11 \
--user=root \
--local-path=~/.kube/config_knurrli2 \
--sudo=false \
--k3s-extra-args='--tls-san knurrli.tobrunet.ch --cluster-cidr 10.44.0.0/16 --flannel-backend wireguard'
Helpful info
Paths
- Volumes:
/var/lib/rancher/k3s/storage/
- Config:
/etc/rancher/k3s/
- Manifests:
/var/lib/rancher/k3s/server/manifests/
Links
- https://rancher.com/docs/k3s/latest/en/advanced/#additional-preparation-for-alpine-linux-setup
- https://github.com/rancher/k3s/issues/660
Configure Wireguard
/etc/network/interfaces:
auto wg0
iface wg0 inet static
address 10.42.42.16
netmask 255.255.255.0
pre-up ip link add dev wg0 type wireguard
pre-up wg setconf wg0 /etc/wireguard/wg0.conf
post-up ip route add 10.42.42.0/24 dev wg0
post-down ip link delete dev wg0