Empower your Kubernetes deployment with kubelogic - a comprehensive repository of modules and playbooks for managing and provisioning highly available Kubernetes clusters, services, and resources on the edge.
Whether you're a developer, IT administrator, or DevOps engineer, kubelogic offers a powerful and intuitive logic that simplifies the complexities of Kubernetes deployment. With tools like Ansible, Terraform, Metallb, KubeVIP, and more, kubelogic provides a complete solution for deploying and managing containerized workloads in modern computing environments. Take control of your Kubernetes deployment on the edge with kubelogic and unlock its full potential.
This repository contains a collection of scripts, modules, and playbooks for provisioning kubernetes clusters, and managing operators, monitoring and logging, security, backup and and recovey across multiple providers.
Our repositories for our Kubernetes standard tools like Ansible, Terraform, Kubernetes, Flux, Renovate and GitHub Actions.
There is a template over at imaginestudio-io/flux-cluster-template if you wanted to try and follow along with some of the best practices utilized right here.
Our k3s clusters are provisioned using the Ansible galaxy role ansible-role-k3s. They are simultaneously provisioned with kube-vip to create a load balancer for control plane, and metal-lb for its service LoadBalancer
overlayed on Ubuntu VM Server's. There are hyper-converged as well as semi-hyper converged clusters, workloads and block storage that sharing the differing resources on our internally and externally exposed nodes,backed with HA (NFS) file storage servers.
๐ธ Click here to see my Ansible playbooks and roles.
- actions-runner-controller: Self-hosted Github runners.
- calico: Internal Kubernetes networking plugin.
- traefik-proxy: Open-Source Edge Router that optimizes publishing your services.
- metalLB: Load Balancer implementation for Bare-Metal kubernetes services.
- kube-vip: Virtual IP and Load Balancer for HA control plane.
- cert-manager: Creates SSL certificates for services in my Kubernetes cluster.
- external-dns: Automatically manages DNS records from my cluster in a cloud DNS provider.
- [external-secrets](
- twingate: Zero-Trust Infrastructure access gateway.
- ingress-nginx: Ingress controller to expose HTTP traffic to pods over DNS.
- rook: Distributed block storage for peristent storage.
- sops: Managed secrets for Kubernetes, Ansible and Terraform which are commited to Git.
- tf-controller: Additional Flux component used to run Terraform from within a Kubernetes cluster.
- volsync and snapscheduler: Backup and recovery of persistent volume claims.
Flux watches my kubernetes folder (see Directories below) and makes the changes to my cluster based on the YAML manifests.
The way Flux works for me here is it will recursively search the kubernetes/apps folder until it finds the most top level kustomization.yaml
per directory and then apply all the resources listed in it. That aforementioned kustomization.yaml
will generally only have a namespace resource and one or many Flux kustomizations. Those Flux kustomizations will generally have a HelmRelease
or other resources related to the application underneath it which will be applied.
Renovate watches my entire repository looking for dependency updates, when they are found a PR is automatically created. When some PRs are merged Flux applies the changes to my cluster.
This Git repository contains the following directories under kubernetes.
๐ kubernetes # Kubernetes cluster defined as code
โโ๐ bootstrap # Flux installation
โโ๐ flux # Main Flux configuration of repository
โโ๐ apps # Apps deployed into my cluster grouped by namespace (see below)
Below is a a high level look at the layout of how my directory structure with Flux works. In this brief example you are able to see that authelia
will not be able to run until glauth
and cloudnative-pg
are running. It also shows that the Cluster
custom resource depends on the cloudnative-pg
Helm chart. This is needed because cloudnative-pg
installs the Cluster
custom resource definition in the Helm chart.
# Key: <kind> :: <metadata.name>
GitRepository :: home-ops-kubernetes
Kustomization :: cluster
Kustomization :: cluster-apps
Kustomization :: cluster-apps-authelia
DependsOn:
Kustomization :: cluster-apps-glauth
Kustomization :: cluster-apps-cloudnative-pg-cluster
HelmRelease :: authelia
Kustomization :: cluster-apps-glauth
HelmRelease :: glauth
Kustomization :: cluster-apps-cloudnative-pg
HelmRelease :: cloudnative-pg
Kustomization :: cluster-apps-cloudnative-pg-cluster
DependsOn:
Kustomization :: cluster-apps-cloudnative-pg
Cluster :: postgres
Name | CIDR |
---|---|
Management VLAN | 192.168.1.0/24 |
Kubernetes Nodes VLAN | 192.168.42.0/24 |
Kubernetes external services (Calico w/ BGP) | 192.168.69.0/24 |
Kubernetes pods (Calico w/ BGP) | 10.42.0.0/16 |
Kubernetes services (Calico w/ BGP) | 10.43.0.0/16 |
- HAProxy is configured on my
VyOS
router for the Kubernetes Control Plane Load Balancer. - Calico is configured with
externalIPs
to expose Kubernetes services with their own IP over BGP which is configured on my router.
While most of my infrastructure and workloads are selfhosted I do rely upon the cloud for certain key parts of my setup. This saves me from having to worry about two things. (1) Dealing with chicken/egg scenarios and (2) services I critically need whether my cluster is online or not.
The alternative solution to these two problems would be to host a Kubernetes cluster in the cloud and deploy applications like HCVault, Vaultwarden, ntfy, and Gatus. However, maintaining another cluster and monitoring another group of workloads is a lot more time and effort than I am willing to put in.
Service | Use | |
---|---|---|
1Password | Secrets with External Secrets | |
B2 Storage | Offsite application backups | |
Cloudflare | Domain, DNS and proxy management | |
Fastmail | Email hosting | |
GCP | Voice interactions with Home Assistant over Google Assistant | Free |
GitHub | Hosting this repository and continuous integration/deployments | Free |
Newsgroup Ninja | Usenet access | |
NextDNS | My routers DNS server which includes AdBlocking | ~20/yr |
Pushover | Kubernetes Alerts and application notifications | Free |
Terraform Cloud | Storing Terraform state | Free |
Over WAN, I have port forwarded ports 80
and 443
to the load balancer IP of my ingress controller that's running in my Kubernetes cluster.
Cloudflare works as a proxy to hide my homes WAN IP and also as a firewall. When not on my home network, all the traffic coming into my ingress controller on port 80
and 443
comes from Cloudflare. In VyOS
I block all IPs not originating from the Cloudflares list of IP ranges.
CoreDNS is deployed on my VyOS
router and listening on :53
. All DNS queries for my domains are forwarded to k8s_gateway that is running in my cluster. With this setup k8s_gateway
has direct access to my clusters ingresses and services and serves DNS for them in my internal network.
The upstream server in CoreDNS is set to NextDNS which provides me with AdBlocking for all devices on my network.
external-dns is deployed in my cluster and configure to sync DNS records to Cloudflare. The only ingresses external-dns
looks at to gather DNS records to put in Cloudflare
are ones that have an annotation of external-dns.alpha.kubernetes.io/target
๐ธ Click here to see how else I manage Cloudflare with Terraform.
Thanks to all the people who donate their time to the Kubernetes @Home Discord community. A lot of inspiration for my cluster comes from the people that have shared their clusters using the k8s-at-home GitHub topic. Be sure to check out the Kubernetes @Home search for ideas on how to deploy applications or get ideas on what you can deploy.
See my awful commit history
See LICENSE
GitOps is a set of best practices where the entire code delivery process is controlled via Git, including infrastructure and application definition as code and automation to complete updates and rollbacks.
The core idea of GitOps is to have a git repository that contains declarative descriptions of the desired infrastructure in the production environment and has an automated process to make the production environment match the state described in that repository.
Now that we know the central idea, let's go back a little bit to the acronym GitOps and let's understand the role of git, the role of ops and how they meet.
The Key GitOps Principles:
- The entire system (infrastructure and applications) is described declaratively.
- The canonical desired system state is versioned in Git.
- Changes approved are automated and applied to the system.
- Software agents ensure correctness and alert on divergence.
New users to GitOps and Argo CD are not often sure how they should structure their repos, add applications, promote apps across environments, and manage the Argo CD installation itself using GitOps.
argocd-autopilot app create argo-events --app github.com/argoproj/argo-events/blob/master/manifests/namespace-install.yaml -p ops --wait-timeout 2m
Argo CD automates the deployment of the desired application states in the specified target environments. Application deployments can track updates to branches, tags, or pinned to a specific version of manifests at a Git commit. See tracking strategies for additional details about the different tracking strategies available.
Argo Events is an event-driven workflow automation framework for Kubernetes which helps you trigger K8s objects, Argo Workflows, Serverless workloads, etc. on events from a variety of sources like webhooks, S3, schedules, messaging queues, gcp pubsub, sns, sqs, etc.
Argo Rollouts is a Kubernetes controller and set of CRDs which provide advanced deployment capabilities such as blue-green, canary, canary analysis, experimentation, and progressive delivery features to Kubernetes.
Argo Rollouts (optionally) integrates with ingress controllers and service meshes, leveraging their traffic shaping abilities to gradually shift traffic to the new version during an update. Additionally, Rollouts can query and interpret metrics from various providers to verify key KPIs and drive automated promotion or rollback during an update.
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Argo Workflows is implemented as a Kubernetes CRD (Custom Resource Definition).
Tools | Version | Deployed |
---|---|---|
argocd-autopilot | v0.3.0 | โ |
argocd | 2.3.0 | โ |
argo-events | 1.5.5 | โ |
argo-workflows | 3.2.8 | โ |
argo-rollouts | 1.1.1 | โ |
kustomize | โ | |
sealed-secrets | 0.17.3 | โ |
istio | 1.11.4 | โ |
wordpress | 5.9 | โ |
cert-manager | 1.6.1 | โ |
prometheus | x | โ |
grafana | x | โ |
metrics-server | 0.5.1 | โ |
Issue | Description | Status |
---|---|---|
wordpress | Fix kustomize | โ |
argo-worflows | Fix Build | โ |
yaml-validate | Fix CI Workflow | โ |
Tools | Version |
---|---|
kubectl | v1.22.3 |
argocd-autopilot | v0.2.28 |
.
โโโ apps
โ โโโ argo-rollouts
โ โโโ backstage
โ โโโ cert-manager
โ โโโ crossplane
โ โโโ grafana
โ โโโ istio-base
โ โโโ istio-ingress
โ โโโ istiod
โ โโโ jaeger
โ โโโ kiali-operator
โ โโโ kubernetes-dashboard
โ โโโ loki
โ โโโ metrics-server
โ โโโ prometheus
โ โโโ promtail
โ โโโ rollout-demo
โ โโโ sealed-secrets
โ โโโ sonarqube
โ โโโ wordpress
โโโ bootstrap
โ โโโ argo-cd
โ โโโ cluster-resources
โโโ infra
โ โโโ networking
โโโ projects
โโโ secrets
See CODE-OF-CONDUCT.md.
See SECURITY.md.
We โค๏ธ contributions big or small. See our guide on how to get started.
A curated list for awesome GitOps resources inspired by @sindresorhus' awesome
We follow this code of conduct.
GitOps is a way to do Kubernetes cluster management and application delivery. It works by using Git as a single source of truth for declarative infrastructure and applications, together with tools ensuring the actual state of infrastructure and applications converges towards the desired state declared in Git. With Git at the center of your delivery pipelines, developers can make pull requests to accelerate and simplify application deployments and operations tasks to your infrastructure or container-orchestration system (e.g. Kubernetes).
It increases developer productivity, enhances developer experience, improves stability, all while having higher reliability, higher consistency and stronger security guarantees.
Modern software development practices assume support for reviewing changes, tracking history, comparing versions, and rolling back bad updates; GitOps applies the same tooling and engineering perspective to managing the systems that deliver direct business value to users and customers.
- Operations by pull request - a blog entry about how GitOps came about at Weaveworks
- GitOps.tech - a summary of how GitOps works
- GitOps Conversation Kit - How to showcase GitOps awesomeness and convince all stakeholders to implement it
- GitOps Working Group - GitHub repo of GitOps working group under the CNCF App Delivery SIG.
- ArgoCD - Declarative continuous deployment for Kubernetes
- Atlantis - Terraform pull request automation
- Autoapply - Automatically apply changes from a Git repository to a Kubernetes cluster
- Carvel โ Tool suite for building, packaging, and managing software on Kubernetes in a GitOps way
- CloudBees Rollout - Feature Flag as-a-Service that leverages GitOps & Config-as-Code (commercial product from CloudBees)
- Flux - Open and extensible continuous delivery solution for Kubernetes. Powered by GitOps Toolkit
- Helm Operator - Automates Helm Chart releases in a GitOps manner
- Flagger - Progressive delivery Kubernetes operator (Canary, A/B testing and Blue/Green deployments automation)
- Ignite - A Virtual Machine manager with a container UX and built-in GitOps
- Faros - CRD based GitOps controller
- Jenkins X - a CI/CD platform for Kubernetes that provides pipeline automation, built-in GitOps and preview environments
- KubeStack - GitOps framework using Terraform for Cloud Kubernetes distros (AKS, GKE, and EKS) with CI/CD examples for common tools
- Sceptre - Sceptre is a tool to drive AWS CloudFormation as part of a CI/CD pipeline by using Hooks
- Weave GitOps OSS - Weave GitOps is a simple open source developer platform for people who want cloud native applications, without needing Kubernetes expertise.
- Weave GitOps Enterprise - Weave GitOps Enterprise is a continuous operations product that makes it easy to deploy and manage Kubernetes clusters and applications at scale in any environment. (commercial product from Weaveworks)
- Werf - GitOps tool with advanced features to build images and deploy them to Kubernetes (integrates with any existing CI system)
- PipeCD - Continuous Delivery for Declarative Kubernetes, Serverless and Infrastructure Applications
- Grant.rs - Manage Redshift/Postgres privileges in GitOps style
- Fluxcloud - Slack notifications for Flux without Weave Cloud
- argocd-vault-plugin - An ArgoCD plugin to retrieve secrets from Vault and inject them into Kubernetes resources
- git-secret - A bash-tool to store your private data inside a git repository
- Kamus - Zero-trust secret encryption/decryption solution for Kubernetes applications
- Sealed Secrets - One-way encrypted Secrets
- SOPS - Secrets OPerationS
- Vault Secrets Operator - Sync secrets from Vault with Kubernetes
- Managing Helm releases the GitOps way - Flux and Helm Operator tutorial
- Automating Istio canary deployments with GitOps - Progressive Delivery tutorial with Flagger, Flux, Helm Operator and Istio
- Managing a multi-tenant cluster with GitOps - Flux and Kustomize tutorial
- GitOps-style continuous delivery with Cloud Build - Google Cloud Build tutorial
- Kubernetes slack - #gitops channel for discussion of GitOps patterns and tooling
- CNCF slack - #flux channel for discussion of GitOps patterns and tooling
- Weaveworks slack - multiple channels (including #flagger, #wksctl and others) to discuss Weaveworks GitOps products, give feedback, and talk about general approaches