Highly opinionated template for deploying a single k3s cluster with Ansible and Terraform backed by Flux and SOPS.
The purpose here is to showcase how you can deploy an entire Kubernetes cluster and show it off to the world using the GitOps tool Flux. When completed, your Git repository will be driving the state of your Kubernetes cluster. In addition with the help of the Ansible, Terraform and Flux SOPS integrations you'll be able to commit Age encrypted secrets to your public repo.
The following components will be installed in your k3s cluster by default. Most are only included to get a minimum viable cluster up and running.
Additional applications include hajimari, error-pages, echo-server, system-upgrade-controller, reloader, and kured
For provisioning the following tools will be used:
Note: This template has not been tested on cloud providers like AWS EC2, Hetzner, Scaleway etc... Those cloud offerings probably have a better way of provsioning a Kubernetes cluster and it's advisable to use those instead of the Ansible playbooks included here. This repository can still be tweaked for the GitOps/Flux portion if there's a cluster working in one those environments.
π It is recommended to have 3 master nodes for a highly available control plane.
Install the most recent versions of the following CLI tools on your workstation, if you are using Homebrew on MacOS or Linux skip to steps 3 and 4.
This guide heavily relies on go-task as a framework for setting things up. It is advised to learn and understand the commands it is running under the hood.
Install go-task via Brew
brew install go-task/tap/go-task
Install workstation dependencies via Brew
task init
It is advisable to install pre-commit and the pre-commit hooks that come with this repository.
Install Pre-Commit
brew install pre-commit
brew install gcc@5
sops-pre-commit will check to make sure you are not committing non-encrypted Kubernetes secrets to your repository.
Enable Pre-Commit
task precommit:init
Update Pre-Commit, though it will occasionally make mistakes, so verify its results.
task precommit:update
The Git repository contains the following directories under cluster
and are ordered below by how Flux will apply them.
π cluster # k8s cluster defined as code
ββπ flux # flux, gitops operator, loaded before everything
ββπ crds # custom resources, loaded before π core and π apps
ββπ charts # helm repos, loaded before π core and π apps
ββπ config # cluster config, loaded before π core and π apps
ββπ core # crucial apps, namespaced dir tree, loaded before π apps
ββπ apps # regular apps, namespaced dir tree, loaded last
Very first step will be to create a new repository by clicking the Use this template button on this page.
Clone the repo to you local workstation and cd
into it.
π All of the below commands are run on your local workstation, not on any of your cluster nodes.
π Here we will create a Age Private and Public key. Using SOPS with Age allows us to encrypt secrets and use them in Ansible, Terraform and Flux.
Create a Age Private / Public Key
age-keygen -o age.agekey
Set up the directory for the Age key and move the Age file to it
mkdir -p ~/.config/sops/age
mv age.agekey ~/.config/sops/age/keys.txt
Export the SOPS_AGE_KEY_FILE
variable in your bashrc
, zshrc
or config.fish
and source it, e.g.
export SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt
source ~/.bashrc
Fill out the Age public key in the .config.env
under BOOTSTRAP_AGE_PUBLIC_KEY
, note the public key should start with age
...
In order to use Terraform and cert-manager
with the Cloudflare DNS challenge you will need to create a API key.
Head over to Cloudflare and create a API key by going here.
Under the API Keys
section, create a global API Key.
Use the API Key in the configuration section below.
π You may wish to update this later on to a Cloudflare API Token which can be scoped to certain resources. I do not recommend using a Cloudflare API Key, however for the purposes of this template it is easier getting started without having to define which scopes and resources are needed. For more information see the Cloudflare docs on API Keys and Tokens.
π The .config.env
file contains necessary configuration that is needed by Ansible, Terraform and Flux.
Copy the .config.sample.env
to .config.env
and start filling out all the environment variables.
All are required unless otherwise noted in the comments.
cp .config.sample.env .config.env
Once that is done, verify the configuration is correct by running:
task verify
If you do not encounter any errors run start having the script wire up the templated files and place them where they need to be.
task configure
π Here we will be running a Ansible Playbook to prepare Fedora Server for running a Kubernetes cluster.
π Nodes are not security hardened by default, you can do this with dev-sec/ansible-collection-hardening or similar if it supports Fedora Server.
Ensure you are able to SSH into your nodes from your workstation using a private SSH key without a passphrase. This is how Ansible is able to connect to your remote nodes.
Install the Ansible deps
task ansible:init
Verify Ansible can view your config
task ansible:list
Verify Ansible can ping your nodes
task ansible:ping
Run the Fedora Server Ansible prepare playbook
task ansible:prepare
Run the Ansible disk playbook to
task ansible:prepare
Reboot the nodes
task ansible:reboot
π Here we will be running a Ansible Playbook to install k3s with this wonderful k3s Ansible galaxy role. After completion, Ansible will drop a kubeconfig
in ./provision/kubeconfig
for use with interacting with your cluster with kubectl
.
β’οΈ If you run into problems, you can run task ansible:nuke
to destroy the k3s cluster and start over.
Verify Ansible can view your config
task ansible:list
Verify Ansible can ping your nodes
task ansible:ping
Install k3s with Ansible
sudo chown -R rick:rick /tmp/.ansible
task ansible:install
Verify the nodes are online
task cluster:nodes
# NAME STATUS ROLES AGE VERSION
# k8s-0 Ready control-plane,master 4d20h v1.21.5+k3s1
# k8s-1 Ready worker 4d20h v1.21.5+k3s1
π Review the Terraform scripts under ./provision/terraform/cloudflare/
and make sure you understand what it's doing (no really review it).
If your domain already has existing DNS records be sure to export those DNS settings before you continue.
Pull in the Terraform deps
task terraform:init
Review the changes Terraform will make to your Cloudflare domain
task terraform:plan
Have Terraform apply your Cloudflare settings
task terraform:apply
If Terraform was ran successfully you can log into Cloudflare and validate the DNS records are present.
The cluster application external-dns will be managing the rest of the DNS records you will need.
π Here we will be installing flux after some quick bootstrap steps.
Verify Flux can be installed
task cluster:verify
# βΊ checking prerequisites
# β kubectl 1.21.5 >=1.18.0-0
# β Kubernetes 1.21.5+k3s1 >=1.16.0-0
# β prerequisites checks passed
Push you changes to git
π Verify all the *.sops.yaml
and *.sops.yml
files under the ./cluster
and ./provision
folders are encrypted with SOPS
git add -A
git commit -m "Initial commit :rocket:"
git push
Install Flux and sync the cluster to the Git repository
task cluster:install
# namespace/flux-system configured
# customresourcedefinition.apiextensions.k8s.io/alerts.notification.toolkit.fluxcd.io created
Verify Flux components are running in the cluster
task cluster:pods -- -n flux-system
# NAME READY STATUS RESTARTS AGE
# helm-controller-5bbd94c75-89sb4 1/1 Running 0 1h
# kustomize-controller-7b67b6b77d-nqc67 1/1 Running 0 1h
# notification-controller-7c46575844-k4bvr 1/1 Running 0 1h
# source-controller-7d6875bcb4-zqw9f 1/1 Running 0 1h
Mic check, 1, 2 - In a few moments applications should be lighting up like a Christmas tree π
You are able to run all the commands below with one task
task cluster:resources
View the Flux Git Repositories
task cluster:gitrepositories
View the Flux kustomizations
task cluster:kustomizations
View all the Flux Helm Releases
task cluster:helmreleases
View all the Flux Helm Repositories
task cluster:helmrepositories
View all the Pods
task cluster:pods
View all the certificates and certificate requests
task cluster:certificates
View all the ingresses
task cluster:ingresses
π Congratulations if all goes smooth you'll have a Kubernetes cluster managed by Flux, your Git repository is driving the state of your cluster.
β’οΈ If you run into problems, you can run task ansible:nuke
to destroy the k3s cluster and start over.
π§ Now it's time to pause and go get some coffee β because next is describing how DNS is handled.
π The external-dns application created in the networking
namespace will handle creating public DNS records. By default, echo-server
is the only public domain exposed on your Cloudflare domain. In order to make additional applications public you must set an ingress annotation like in the HelmRelease
for echo-server
. You do not need to use Terraform to create additional DNS records unless you need a record outside the purposes of your Kubernetes cluster (e.g. setting up MX records).
k8s_gateway is deployed on the IP choosen for ${BOOTSTRAP_METALLB_K8S_GATEWAY_ADDR}
. Inorder to test DNS you can point your clients DNS to the ${BOOTSTRAP_METALLB_K8S_GATEWAY_ADDR}
IP address and load https://hajimari.${BOOTSTRAP_CLOUDFLARE_DOMAIN}
in your browser.
You can also try debugging with the command dig
, e.g. dig @${BOOTSTRAP_METALLB_K8S_GATEWAY_ADDR} hajimari.${BOOTSTRAP_CLOUDFLARE_DOMAIN}
and you should get a valid answer containing your ${BOOTSTRAP_METALLB_INGRESS_ADDR}
IP address.
If your router (or Pi-Hole, Adguard Home or whatever) supports conditional DNS forwarding (also know as split-horizon DNS) you may have DNS requests for ${SECRET_DOMAIN}
only point to the ${BOOTSTRAP_METALLB_K8S_GATEWAY_ADDR}
IP address. This will ensure only DNS requests for ${SECRET_DOMAIN}
will only get routed to your k8s_gateway service thus providing DNS resolution to your cluster applications/ingresses.
To access services from the outside world port forwarded 80
and 443
in your router to the ${BOOTSTRAP_METALLB_INGRESS_ADDR}
IP, in a few moments head over to your browser and you should be able to access https://echo-server.${BOOTSTRAP_CLOUDFLARE_DOMAIN}
from a device outside your LAN.
Now if nothing is working, that is expected. This is DNS after all!
By default in this template Kubernetes ingresses are set to use the Let's Encrypt Staging Environment. This will hopefully reduce issues from ACME on requesting certificates until you are ready to use this in "Production".
Once you have confirmed there are no issues requesting your certificates replace letsencrypt-staging
with letsencrypt-production
in your ingress annotations for cert-manager.io/cluster-issuer
Renovatebot will scan your repository and offer PRs when it finds dependencies out of date. Common dependencies it will discover and update are Flux, Ansible Galaxy Roles, Terraform Providers, Kubernetes Helm Charts, Kubernetes Container Images, Pre-commit hooks updates, and more!
The base Renovate configuration provided in your repository can be view at .github/renovate.json5. If you notice this only runs on weekends and you can change the schedule to anything you want or simply remove it.
To enable Renovate on your repository, click the 'Configure' button over at their Github app page and choose your repository. Over time Renovate will create PRs for out-of-date dependencies it finds. Any merged PRs that are in the cluster directory Flux will deploy.
Flux is pull-based by design meaning it will periodically check your git repository for changes, using a webhook you can enable Flux to update your cluster on git push
. In order to configure Github to send push
events from your repository to the Flux webhook receiver you will need two things:
Webhook URL - Your webhook receiver will be deployed on https://flux-receiver.${BOOTSTRAP_CLOUDFLARE_DOMAIN}/hook/:hookId
. In order to find out your hook id you can run the following command:
kubectl -n flux-system get receiver/github-receiver --kubeconfig=./provision/kubeconfig
# NAME AGE READY STATUS
# github-receiver 6h8m True Receiver initialized with URL: /hook/12ebd1e363c641dc3c2e430ecf3cee2b3c7a5ac9e1234506f6f5f3ce1230e123
So if my domain was onedr0p.com
the full url would look like this:
https://flux-receiver.onedr0p.com/hook/12ebd1e363c641dc3c2e430ecf3cee2b3c7a5ac9e1234506f6f5f3ce1230e123
Webhook secret - Your webhook secret can be found by decrypting the secret.sops.yaml
using the following command:
sops -d ./cluster/apps/flux-system/webhooks/github/secret.sops.yaml | yq .stringData.token
Note: Don't forget to update the BOOTSTRAP_FLUX_GITHUB_WEBHOOK_SECRET
variable in your .config.env
file so it matches the generated secret if applicable
Now that you have the webhook url and secret, it's time to set everything up on the Github repository side. Navigate to the settings of your repository on Github, under "Settings/Webhooks" press the "Add webhook" button. Fill in the webhook url and your secret.
Rancher's local-path-provisioner
is a great start for storage but soon you might find you need more features like replicated block storage, or to connect to a NFS/SMB/iSCSI server. Check out the projects below to read up more on some storage solutions that might work for you.
Authenticating Flux to your git repository has a couple benefits like using a private git repository and/or using the Flux Image Automation Controllers.
By default this template only works on a public GitHub repository, it is advised to keep your repository public.
The benefits of a public repository include:
k8s-at-home
to be included in the k8s-at-home-search. This search helps people discover different configurations of Helm charts across others Flux based repositories.Our wiki (WIP, contributions welcome) is a good place to start troubleshooting issues. If that doesn't cover your issue, come join and say Hi in our community Discord.
The world is your cluster, have at it!
Big shout out to all the authors and contributors to the projects that we are using in this repository.
Community member @Whazor created this website as a creative way to search Helm Releases across GitHub. You may use it as a means to get ideas on how to configure an applications' Helm values.