Shivering-Isles GitOps Infrastructure
===
This repository contains the Kubernetes objects that are synced and managed by [flux](https://fluxcd.io) in order to be deployed.
Usage
---
In order to bootstrap fluxcd in your cluster, run `flux bootstrap` against the Git host that holds this repository. For SI-GitLab this would look like this:
```
# Project access token with API and repository write scope; flux only needs it
# during bootstrap to create the deploy key and push the initial manifests.
export GITLAB_TOKEN=<project access token able to write the API and repository>
flux bootstrap gitlab \
--hostname=git.shivering-isles.com \
--ssh-hostname=git.shivering-isles.com:2222 \
--ssh-key-algorithm ed25519 \
--owner=<your user / team> \
--repository=<your repository name> \
--path=clusters/<your cluster name>
```
Ideas & ToDo's
---
This toolchain is still under development. Before it is used in production, there are still some things left to do:
- [x] Provide CLI container that contains all tools.
- [x] Automate overlay network deployment (calico)
- [x] Use encrypted overlay network (calico+wireguard)
- [x] Automate cluster monitoring deployment (kube-prometheus)
- [x] Automate ingress-controller deployment (ingress-nginx)
- [x] Automate policy enforcement (kyverno) deployment
- [x] Encrypt root filesystems for all nodes (LUKS + clevis)
- [x] Enforce SELinux on the deployed machines
- [x] Automate system upgrades using Kubernetes (system-upgrade-controller)
- [x] Automate system configuration using Kubernetes (system-upgrade-controller)
- [x] Provide a fully encrypted (handled on host level) storage class (longhorn)
- [x] Deploy cert-manager
- [ ] Deploy credentials for cert-manager
- [ ] Automate ingress-controller default certificate deployment
- [ ] Automate ingress-controller configuration for proxy-protocol
- [ ] Add encrypted deployment instructions (SOPS + fluxcd)
- [ ] Automate Kubernetes upgrades
- [ ] Document usage and thoughts in repository and blog posts
- [ ] Automate flux OpenPGP bootstrap
- [ ] Integrate [Renovatebot](https://git.shivering-isles.com/shivering-isles/renovate-bot) with this repository to manage updates.
- [ ] Migrate [apps](https://git.shivering-isles.com/shivering-isles/infrastructure/) to gitops and Kubernetes
- [ ] Move to immutable base-system
Assumption
---
Building smaller, more minimalistic, plain Kubernetes clusters will be cheaper than OpenShift with OKD and more stable, since etcd doesn't have to write a ton of data to disk and there aren't two API servers running that take up to 3GB of RAM per master node.
The goal is still to manage everything GitOps style, but more iterative and slowly grinding the way forward before clusters will become productive.
Original assumptions / Lessons Learned
---
> This repository is focused on a setup based on OpenShift, [OKD](https://okd.io) to be specific. Therefore some installations and settings might be based on the expectation of OKD's default setup instead of going the plain Kubernetes way of inventing everything ourselves.
Sadly this previous assumption didn't hold up. OpenShift on Hetzner Cloud resulted in quite annoying downtimes during upgrades. While the origin of the problem was not fully determined, it was proven that severe spikes in etcd writing fsyncs of up to 600ms did play a major role in it.
To work with this repository, install the following tools (all of them are included in `koolbox`):
- flux
- [sops](https://github.com/mozilla/sops/releases/) (for secret handling)
- [helm](https://helm.sh/) (just for sake of completeness and validation)
- [terraform](https://terraform.io/)
- make