Public GitOps repository for showing how I run my services on k3s https://tobru.ch/
This repository has been archived on 2023-04-02. You can view files and clone it, but cannot push or open issues or pull requests.
_apps add label selector to prometheus 2020-07-02 21:31:54 +02:00
_test only warn for some policies 2020-05-04 21:15:38 +02:00
argocd Update argoproj/argocd Docker tag to v1.6.1 2020-06-19 01:00:33 +00:00
cert-manager Merge pull request 'Update quay.io/jetstack/cert-manager-webhook Docker tag to v0.15.2' (#271) from renovate/docker-quay.io-jetstack-cert-manager-webhook-0.x into master 2020-07-02 19:12:44 +00:00
drone Update docker.io/drone/drone Docker tag to v1.8.1 2020-06-23 19:00:36 +00:00
goldilocks one replica is enough 2020-06-29 20:49:11 +02:00
graphs Merge pull request 'Update busybox Docker tag to v1.32.0' (#265) from renovate/docker-busybox-1.x into master 2020-07-02 19:13:21 +00:00
influxdb Update influxdb Docker tag to v1.8.0 2020-04-14 00:00:32 +00:00
ioteer update credentials for rising sensor 2020-06-11 21:29:19 +02:00
ipapi small improvement 2020-05-27 21:37:04 +02:00
jitsi update jitsi 2020-05-31 21:16:10 +02:00
k8up Update docker.io/vshn/k8up Docker tag to v0.1.10 2020-05-27 15:00:36 +00:00
kube-cleanup-operator install kube-cleanup-operator 2020-06-21 13:11:06 +02:00
kube-system/vertical-pod-autoscaler use v1 crds for vpa 2020-06-29 20:33:59 +02:00
loki stop loki 2020-06-21 12:39:14 +02:00
monitoring add label selector to prometheus 2020-07-02 21:31:54 +02:00
mosquitto change to recreate strategy for mosquitto 2020-05-31 21:32:53 +02:00
owntracks owntracks prom mon 2020-06-29 21:36:27 +02:00
pylokid install pylokid 2020-02-08 15:59:06 +01:00
renovate Update renovate/renovate Docker tag to v19.239 2020-05-14 14:00:28 +00:00
sealed-secrets Update quay.io/bitnami/sealed-secrets-controller Docker tag to v0.12.2 2020-05-06 17:00:41 +00:00
stakater-reloader Update stakater/reloader Docker tag to v0.0.60 2020-06-23 08:00:31 +00:00
statping Update docker.io/statping/statping Docker tag to v0.90.57 2020-07-04 22:00:36 +00:00
system-upgrade-controller Update rancher/system-upgrade-controller Docker tag to v0.6.2 2020-07-10 00:00:37 +00:00
tbrntmon Update quay.io/prometheus/prometheus Docker tag to v2.19.2 2020-06-30 10:00:32 +00:00
tobru-ch Update ghost Docker tag to v3.22.2 2020-07-08 19:00:45 +00:00
.drone.yml colorful output ftw 2020-05-06 20:30:53 +02:00
README.md update README with rego hint 2020-05-04 21:23:44 +02:00
renovate.json auto update statping 2020-04-01 21:15:49 +02:00

README.md

GitOps for tbrnt k3s hosting


Repo structure

  • Each subdirectory is a namespace
  • _apps is the meta directory for Argo CD apps
  • Another private repo contains the same things in a more approachable format, e.g. the plaintext inputs for updating sealed-secrets: gitops-tbrnt-private
  • _test contains some Open Policy Agent rego files which the Drone CI pipeline runs against the manifests to validate the configuration (some policies only warn, others fail the build).

Usage

Argo CD

Access

Either

sudo -E kubefwd svc -n argocd and then https://argocd-server/

or

kubectl port-forward svc/argocd-server -n argocd 8080:443 and then https://localhost:8080/

CLI

  • argocd login argocd-server (with the port-forward variant: argocd login localhost:8080; the server cert is self-signed by default, so add --insecure or accept the prompt)
  • argocd app list
  • argocd app sync <name>

Kubeseal (Sealed Secrets)

See the README of the respective app. Basically (the -n namespace must be the one the SealedSecret is later applied in, because the default strict scope binds the ciphertext to namespace and name):

kubeseal --controller-namespace sealed-secrets -o yaml -n MYNS < ../../gitops-tbrnt-private/MYNS/MYSECRET.yaml > MYSECRET-secret.yaml
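As an added example (not a script from this repo), the same kubeseal invocation wrapped so that nothing but a SealedSecret can land in the public tree: the output is checked for the SealedSecret kind, for an encryptedData block, and for the absence of the plaintext data/stringData fields of a core/v1 Secret before the file is kept. PRIVATE_REPO and the MYNS/MYSECRET.yaml layout are assumptions taken from the command above; the check is a grep heuristic, not a YAML parser.

```bash
#!/usr/bin/env bash
# Added example, not part of the repository: guard kubeseal output so that
# only SealedSecret objects, never plaintext Secrets, end up in the public repo.
set -eu

# Hypothetical paths, matching the layout used in the README command above.
PRIVATE_REPO="${PRIVATE_REPO:-../../gitops-tbrnt-private}"
CONTROLLER_NS="${CONTROLLER_NS:-sealed-secrets}"

# Reads a manifest from stdin. Returns 0 only if it declares kind SealedSecret,
# carries an encryptedData block and has no plaintext data:/stringData: fields.
# Plain grep, so this is a pre-commit guard, not a substitute for reading the diff.
is_sealed_manifest() {
  local m
  m="$(cat)"
  printf '%s\n' "$m" | grep -Eq '^kind:[[:space:]]*SealedSecret[[:space:]]*$' || return 1
  if printf '%s\n' "$m" | grep -Eq '^[[:space:]]*(data|stringData):'; then
    return 1
  fi
  printf '%s\n' "$m" | grep -Eq '^[[:space:]]*encryptedData:' || return 1
  return 0
}

# seal_secret NAMESPACE NAME: seal $PRIVATE_REPO/NAMESPACE/NAME.yaml into
# NAME-secret.yaml in the current directory, or leave nothing behind on failure.
seal_secret() {
  local ns="$1" name="$2"
  local src="$PRIVATE_REPO/$ns/$name.yaml" out="$name-secret.yaml"
  [ -r "$src" ] || { echo "no plaintext source at $src" >&2; return 1; }
  # -n must match the namespace the SealedSecret is applied in (strict scope).
  kubeseal --controller-namespace "$CONTROLLER_NS" -o yaml -n "$ns" < "$src" > "$out"
  if ! is_sealed_manifest < "$out"; then
    rm -f "$out"
    echo "refusing to keep $out: output is not a clean SealedSecret" >&2
    return 1
  fi
  echo "$out"
}

# Usage: ./seal.sh MYNS MYSECRET
if [ "$#" -eq 2 ]; then
  seal_secret "$1" "$2"
fi
```

The same is_sealed_manifest check can run as a pre-commit or Drone step over every *-secret.yaml in the tree, which catches the classic mistake of committing the plaintext input instead of the sealed output.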

Bootstrap GitOps

After installing k3s, do:

# install Argo CD
kubectl create ns argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
# Argo CD 1.x: the initial admin password is the name of the argocd-server pod (change it after first login)
kubectl get pods -n argocd -l app.kubernetes.io/name=argocd-server -o name | cut -d'/' -f 2
argocd login argocd-server

# Restore Sealed Secrets secret key
# This private key decrypts every SealedSecret in this public repo, so it lives only in the private repo.
# It must be in place before the controller starts, because the controller reads its keys on start-up.
kubectl create ns sealed-secrets
kubectl apply -f ../gitops-tbrnt-private/sealed-secrets/master-key.yaml

# Instantiate Argo Root App
kubectl apply -f _apps/apps.yaml

# Let Argo CD do its job
argocd app sync apps
argocd app sync sealed-secrets
argocd app sync -l app.kubernetes.io/instance=apps
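The bootstrap above as one script, added here as an example and not taken from the repository. It keeps the same order of operations but makes the two things that silently break a restore explicit: the sealing key manifest is checked for the shape the controller expects (a kubernetes.io/tls Secret in the sealed-secrets namespace labelled sealedsecrets.bitnami.com/sealed-secrets-key=active) before it is applied, and the cluster's public cert fingerprint is printed after the controller is up so it can be compared with the key that was restored. PRIVATE_REPO and KEY_FILE are assumed paths; the manifest check is a grep heuristic that assumes master-key.yaml holds a single Secret.

```bash
#!/usr/bin/env bash
# Added example, not part of the repository: the README bootstrap with checks.
set -eu

PRIVATE_REPO="${PRIVATE_REPO:-../gitops-tbrnt-private}"              # hypothetical path
KEY_FILE="${KEY_FILE:-$PRIVATE_REPO/sealed-secrets/master-key.yaml}"  # hypothetical path

# A restored sealing key is only picked up if the controller finds it on start-up:
# it must live in the controller's namespace, be a kubernetes.io/tls Secret with a
# tls.key entry and carry the label sealedsecrets.bitnami.com/sealed-secrets-key=active.
# Plain grep over the YAML, so this is a guard, not a parser.
check_sealed_key_manifest() {
  local f="$1"
  [ -r "$f" ] || { echo "key manifest $f not readable" >&2; return 1; }
  grep -Eq '^kind:[[:space:]]*Secret[[:space:]]*$' "$f" || return 1
  grep -Eq '^type:[[:space:]]*kubernetes\.io/tls[[:space:]]*$' "$f" || return 1
  grep -Eq '^[[:space:]]*namespace:[[:space:]]*sealed-secrets[[:space:]]*$' "$f" || return 1
  grep -Eq '^[[:space:]]*sealedsecrets\.bitnami\.com/sealed-secrets-key:[[:space:]]*"?active"?' "$f" || return 1
  grep -Eq '^[[:space:]]*tls\.key:' "$f" || return 1
}

# Argo CD 1.x: the initial admin password is the name of the argocd-server pod.
argocd_initial_password() {
  kubectl get pods -n argocd -l app.kubernetes.io/name=argocd-server -o name | cut -d'/' -f2
}

bootstrap() {
  kubectl create ns argocd
  kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
  kubectl rollout status -n argocd deployment/argocd-server --timeout=300s
  echo "initial admin password: $(argocd_initial_password)  (rotate it: argocd account update-password)"
  argocd login argocd-server

  # Key before controller: the controller reads its keys on start-up.
  check_sealed_key_manifest "$KEY_FILE"
  kubectl create ns sealed-secrets
  kubectl apply -f "$KEY_FILE"

  kubectl apply -f _apps/apps.yaml
  argocd app sync apps
  argocd app sync sealed-secrets
  # The cert the cluster now serves must belong to the restored key; compare
  # this fingerprint with the one kept next to master-key.yaml before sealing anything.
  kubeseal --controller-namespace sealed-secrets --fetch-cert | openssl x509 -noout -fingerprint -sha256
  argocd app sync -l app.kubernetes.io/instance=apps
}

# Usage: ./bootstrap.sh run
if [ "$#" -eq 1 ] && [ "$1" = "run" ]; then
  bootstrap
fi
```

If the key is restored after the controller has already started, it generates a fresh key of its own and every existing SealedSecret fails to decrypt; restart the controller pod so it re-reads the labelled secrets.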

TODO:

  • Restore PVCs via K8up

k3s on Alpine

Installing: Alpine

Basically follow the Alpine wiki.

Then install prerequisites and some essential packages:

apk add \
  vim \
  iptables \
  wireguard-virt \
  bash \
  curl

This needs the community repository enabled in /etc/apk/repositories.

Tweak Sysctl in /etc/sysctl.conf:

fs.inotify.max_user_instances = 8192
fs.inotify.max_user_watches = 524288

Installing: k3s

Via k3sup:

k3sup install \
  --ip=185.95.218.11 \
  --user=root \
  --local-path=~/.kube/config_knurrli2 \
  --sudo=false \
  --k3s-extra-args='--tls-san knurrli.tobrunet.ch --cluster-cidr 10.44.0.0/16 --flannel-backend wireguard'

Helpful info

Paths

  • Volumes: /var/lib/rancher/k3s/storage/
  • Config: /etc/rancher/k3s/
  • Manifests: /var/lib/rancher/k3s/server/manifests/

Links

Configure Wireguard

/etc/network/interfaces (the interface's private key sits in /etc/wireguard/wg0.conf, keep that file root-only, mode 600):

auto wg0
iface wg0 inet static
    address 10.42.42.16
    netmask 255.255.255.0
    pre-up ip link add dev wg0 type wireguard
    pre-up wg setconf wg0 /etc/wireguard/wg0.conf
    post-up ip route add 10.42.42.0/24 dev wg0
    post-down ip link delete dev wg0