Public GitOps repository for showing how I run my services on k3s https://tobru.ch/

README.md

GitOps for tbrnt k3s hosting

Repo structure

  • Each subdirectory is a namespace
  • _apps is the meta directory for Argo CD apps
  • A separate private repo, gitops-tbrnt-private, holds the plain (unsealed) secret manifests and similar material in a more approachable format, e.g. for updating sealed-secrets.
  • _tests contains some Open Policy Agent rego files, used in the Drone CI pipeline to validate the configuration.

Usage

Argo CD

Access

Either

sudo -E kubefwd svc -n argocd and then https://argocd-server/

or

kubectl port-forward svc/argocd-server -n argocd 8080:443 and then https://localhost:8080/

CLI

  • argocd login argocd-server
  • argocd app list
  • argocd app sync <name>

Kubeseal (Sealed Secrets)

See the README of the respective apps. Basically:

kubeseal --controller-namespace sealed-secrets -o yaml -n MYNS < ../../gitops-tbrnt-private/MYNS/MYSECRET.yaml > MYSECRET-secret.yaml

Bootstrap GitOps

After installing k3s, do:

# install Argo CD
kubectl create ns argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
# print the argocd-server pod name: older Argo CD releases use it as the initial admin password
kubectl get pods -n argocd -l app.kubernetes.io/name=argocd-server -o name | cut -d'/' -f 2
# hostname as exposed by kubefwd (see Access above)
argocd login argocd-server

# Restore the Sealed Secrets master key from the private repo (before any SealedSecret is synced)
kubectl create ns sealed-secrets
kubectl apply -f ../gitops-tbrnt-private/sealed-secrets/master-key.yaml

# Instantiate the Argo CD root app
kubectl apply -f _apps/apps.yaml

# Let Argo CD do its job
argocd app sync apps
argocd app sync sealed-secrets
argocd app sync -l app.kubernetes.io/instance=apps

TODO:

  • Restore PVCs via K8up
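The rego files in _tests validate the configuration in Drone CI, and the master key restored in the bootstrap above is kept out of the public tree on purpose. As an added example that is not code from the gitops-tbrnt repo, here is a portable shell guard a CI step could run on a checkout of a public GitOps repository: it denies any plain Secret (with a dedicated message when the sealed-secrets master key itself shows up) and warns on unpinned images. The rule set, the messages and the master-key label check are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the gitops-tbrnt repo: a guard a Drone CI step can run
# on a checkout of a public GitOps repository before Argo CD syncs the commit.
# For every YAML document below the given directory it
#   - DENIES a plain `kind: Secret` (only `kind: SealedSecret` belongs in a public tree;
#     a Secret carrying the sealed-secrets master-key label gets its own message)
#   - WARNS on container images that are untagged or tagged `:latest`
# Exit status 0 = no DENY, 1 = at least one DENY; WARN lines never fail the build.
# Rule set, messages and the master-key label check are assumptions made for this example.

check_manifests() {
  report=$(find "$1" -type f \( -name '*.yaml' -o -name '*.yml' \) | sort |
    while read -r f; do
      awk -v file="$f" '
        # called at every document boundary and at end of file
        function flush() {
          if (kind == "Secret" && masterkey)
            printf "DENY %s: sealed-secrets master key must stay in the private repo\n", file
          else if (kind == "Secret")
            printf "DENY %s: plain Secret %s, seal it with kubeseal first\n", file, name
          for (i in latest)
            printf "WARN %s: image %s is not pinned to a tag or digest\n", file, latest[i]
          kind = ""; name = ""; masterkey = 0; split("", latest)
        }
        /^---/                                  { flush(); next }
        /^kind:[[:space:]]*Secret[[:space:]]*$/ { kind = "Secret" }
        /^  name:/                              { if (name == "") name = $2 }
        /sealedsecrets\.bitnami\.com\/sealed-secrets-key/ { masterkey = 1 }
        /^[[:space:]]*-?[[:space:]]*image:/ {
          img = $NF                       # value after "image:"
          if (img !~ /:/ || img ~ /:latest$/) latest[img] = img
        }
        END { flush() }
      ' "$f"
    done)
  [ -n "$report" ] && printf '%s\n' "$report"
  # fail only on DENY lines
  ! printf '%s\n' "$report" | grep -q '^DENY '
}
```

Run it as `check_manifests .` from the repo root in the Drone pipeline; a non-zero exit fails the step before the commit is ever synced.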

k3s on Alpine

Installing: Alpine

Basically follow the Alpine wiki.

Then install prerequisites and some essential packages:

apk add \
  vim \
  iptables \
  wireguard-virt \
  bash \
  curl

This needs the community repository enabled in /etc/apk/repositories.

Tweak sysctl in /etc/sysctl.conf:

fs.inotify.max_user_instances = 8192
fs.inotify.max_user_watches = 524288

Installing: k3s

Via k3sup:

k3sup install \
  --ip=185.95.218.11 \
  --user=root \
  --local-path=~/.kube/config_knurrli2 \
  --sudo=false \
  --k3s-extra-args='--tls-san knurrli.tobrunet.ch --cluster-cidr 10.44.0.0/16 --flannel-backend wireguard'

Helpful information

Paths

  • Volumes: /var/lib/rancher/k3s/storage/
  • Config: /etc/rancher/k3s/
  • Manifests: /var/lib/rancher/k3s/server/manifests/

Links

Configure Wireguard

/etc/network/interfaces

auto wg0
iface wg0 inet static
    address 10.42.42.16
    netmask 255.255.255.0
    pre-up ip link add dev wg0 type wireguard
    pre-up wg setconf wg0 /etc/wireguard/wg0.conf
    post-up ip route add 10.42.42.0/24 dev wg0
    post-down ip link delete dev wg0