Skip to content
Snippets Groups Projects
Select Git revision
  • renovate/gitlab-runner-0.x
  • main default protected
  • renovate/external-dns-1.x
  • renovate/crowdsec-0.x
  • renovate/cloudflare-5.x
  • renovate/docker.io-library-nextcloud-31.x
  • renovate/longhorn-1.x
  • renovate/kubernetes-sigs-krew-0.x
  • renovate/kubernetes-sigs-cluster-api-1.x
  • renovate/docker.io-library-debian-12.x
  • renovate/docker.io-bitnami-kubectl-1.x
  • renovate/github.com-prometheus-common-0.x
  • renovate/siderolabs-talos-1.x
  • renovate/siderolabs-kubelet-1.x
  • renovate/kubernetes-go
  • renovate/siderolabs-kubelet-1.30.x
  • renovate/kubernetes-kubernetes-1.x
  • renovate/docker.io-rancher-system-upgrade-controller-0.x
  • renovate/tigera-operator-3.x
  • feat/keycloak-operator
  • v25.03
  • v25.02
  • v25.01
  • v24.12
  • v24.11
  • v24.10
  • v24.09
  • v24.08
  • v24.07
  • v24.06
  • v24.05
  • v24.04
  • v24.03
  • v24.02
  • v24.01
  • v23.12
  • v23.11
  • v23.10
  • v23.09
  • v23.08
40 results
Compare
Sheogorath's avatar
feat(views): Add first collection of kubectl custom-columns
Sheogorath authored 
This patch provides some custom-columns-file collection, that should
help to manage the cluster and workload.
0a682b5a
History
Sheogorath's avatar 0a682b5a
History
Name Last commit Last update
apps
bootstrap
cli
clusters/k8s01
infrastructure
shared/networkpolicies
utils
views
.gitignore
.sops.yaml
Makefile
README.md
renovate.json
README.md

Shivering-Isles GitOps Infrastructure

This repository contains the Kubernetes objects that are synced and managed by flux in order to be deployed.

Usage

Finally in order to boostrap fluxcd in your cluster. For SI-GitLab this would look like this:

export GITLAB_TOKEN=<project access token able to write the API and repository>
flux bootstrap gitlab \
  --hostname=git.shivering-isles.com \
  --ssh-hostname=git.shivering-isles.com:2222 \
  --ssh-key-algorithm ed25519 \
  --owner=<your user / team> \
  --repository=<your repository name> \
  --path=clusters/<your cluster name>

Ideas & ToDo's

This toolchain is still under development. Before it will be used in production there are still some things left to do:

  • Provide CLI container that contains all tools.
  • Automate overlay network deployment (calico)
  • Use encrypted overlay network (calico+wireguard)
  • Automate cluster monitoring deployment (kube-prometheus)
  • Automate ingress-controller deployment (ingress-nginx)
  • Automate policy enforcement (kyverno) deployment
  • Encrypt root filesystems for all nodes (LUKS + clevis)
  • Enforce SELinux on the deployed machines
  • Automate system upgrades using Kubernetes (system-upgrade-controller)
  • Automate system configuration using Kubernetes (system-upgrade-controller)
  • Provide an fully encrypted (handled on host level) storage class (longhorn)
  • Deploy cert-manager
  • Deploy kubelet with proper certificates
  • Deploy credentials for cert-manager
  • Automate ingress-controller default certificate deployment
  • Automate ingress-controller configuration for proxy-protocol
  • Add encrypted deployment instructions (SOPS + fluxcd)
  • Automate Kubernetes upgrades
  • Document usage and thoughts in repository and blog posts
  • Integrate OIDC-based authentication
  • Automate flux OpenPGP bootstrap
  • Integrate Renovatebot with this repository to manage updates.
  • Migrate apps to gitops and Kubernetes
  • Move to immutable base-system

Assumption

Building smaller, more-minimalistic, plain Kubernetes clusters will be cheaper than OpenShift with OKD and more stable since etcd doesn't have to write a ton of data to disk and there aren't two API server running that take up to 3GB of RAM per master node.

The goal is still to manage everything GitOps style, but more iterative and slowly grinding the way forward before clusters will become productive.

Original assumptions / Lessons Learned

This repository is focused on a setup based on OpenShift, OKD to be specific. Therefore some installations and settings might be based on the expectation of OKD's default setup instead of going the plain Kubernetes way of inventing everything ourselves.

Sadly this previous assumption didn't hold up. OpenShift on Hetzner Cloud resulted in quite annoying downtimes during upgrades. While the origin of the problem was not fully determined, it was proven that severe spikes in etcd writing fsyncs of up to 600ms did play a major role in it.

Tools

To handle things properly, try to get the following tools (all included in koolbox):

  • kubectl
  • flux
  • sops (for secret handling)
  • helm (just for sake of completeness and validation)
  • terraform
  • make
  • git