Public GitOps repository for showing how I run my services on k3s
https://tobru.ch/
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Renovate Bot
76f7c8565b
|
11 hours ago | |
|---|---|---|
| _apps | 2 months ago | |
| _test | 3 years ago | |
| acmedns | 1 year ago | |
| argocd | 3 months ago | |
| cert-manager | 4 months ago | |
| docspell | 4 months ago | |
| drone | 6 months ago | |
| familydb | 2 years ago | |
| graphs | 3 months ago | |
| headscale | 2 months ago | |
| healthcheck | 1 year ago | |
| influxdb | 3 months ago | |
| ioteer | 1 year ago | |
| ipapi | 12 months ago | |
| k8up | 12 months ago | |
| kube-cleanup-operator | 1 year ago | |
| kube-system | 5 months ago | |
| linkding | 3 months ago | |
| mealie | 10 months ago | |
| miniflux | 4 months ago | |
| mosquitto | 4 months ago | |
| mqttwarn | 3 months ago | |
| odoo | 4 months ago | |
| owntracks | 3 months ago | |
| pylokid | 3 years ago | |
| renovate | 11 hours ago | |
| sealed-secrets | 10 months ago | |
| stakater-reloader | 3 days ago | |
| system-upgrade-controller | 9 months ago | |
| tobru-ch | 1 day ago | |
| traccar | 3 months ago | |
| .drone.yml | 1 year ago | |
| README.md | 1 year ago | |
| renovate.json | 1 year ago | |
README.md
GitOps for tbrnt k3s hosting
Repo structure
- Each subdirectory is a namespace
_appsis the meta directory for Argo CD apps- Another private repo contains stuff in a more
approachable format, f.e. for dealing with
updating sealed-secrets:
gitops-tbrnt-private _testscontains some Open Policy Agent rego files which are used in the Drone CI pipeline to validate configuration.
Usage
Argo CD
Access
Either
sudo -E kubefwd svc -n argocd and then https://argocd-server/
or
kubectl port-forward svc/argocd-server -n argocd 8080:443 and
then https://localhost:8080/
CLI
argocd login argocd-serverargocd app listargocd app sync <name>
Kubeseal (Sealed Secrets)
See README of apps. Basically:
kubeseal --controller-namespace sealed-secrets -o yaml -n MYNS < ../../gitops-tbrnt-private/MYNS/MYSECRET.yaml > MYSECRET-secret.yaml
Bootstrap GitOps
After installing k3s, do:
# install Argo CD
kubectl create ns argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
kubectl get pods -n argocd -l app.kubernetes.io/name=argocd-server -o name | cut -d'/' -f 2
argocd login argocd-server
# Restore Sealed Secrets secret key
kubectl create ns sealed-secrets
kubectl apply -f ../gitops-tbrnt-private/sealed-secrets/master-key.yaml
# Instantiate Argo Root App
kubectl apply -f _apps/apps.yaml
# Let Argo CD do it's job
argocd app sync apps
argocd app sync sealed-secrets
argocd app sync -l app.kubernetes.io/instance=apps
TODO:
- Restore PVCs via K8up
k3s on Alpine
Installing: Alpine
Basically follow the Alpine wiki.
Then install prerequisites and some essential packages:
apk add \
vim \
iptables \
wireguard-virt \
bash \
curl
Needs community repo enabled in /etc/apk/repositories.
Tweak Sysctl in /etc/sysctl.conf:
fs.inotify.max_user_instances = 8192
fs.inotify.max_user_watches = 524288
Add rshared mount option to root filesystem for node-exporter to work correctly.
Installing: k3s
Via k3sup:
k3sup install \
--ip=185.95.218.11 \
--user=root \
--local-path=~/.kube/config_knurrli2 \
--sudo=false \
--k3s-extra-args='--tls-san knurrli.tobrunet.ch --cluster-cidr 10.44.0.0/16 --flannel-backend wireguard'
Helpful infos
Paths
- Volumes:
/var/lib/rancher/k3s/storage/ - Config:
/etc/rancher/k3s/ - Manifests:
/var/lib/rancher/k3s/server/manifests/
Links
- https://rancher.com/docs/k3s/latest/en/advanced/#additional-preparation-for-alpine-linux-setup
- https://github.com/rancher/k3s/issues/660
Configure Wireguard
/etc/network/interfaces
auto wg0
iface wg0 inet static
address 10.42.42.16
netmask 255.255.255.0
pre-up ip link add dev wg0 type wireguard
pre-up wg setconf wg0 /etc/wireguard/wg0.conf
post-up ip route add 10.42.42.0/24 dev wg0
post-down ip link delete dev wg0