Shivering-Isles GitOps Infrastructure
This repository has become the center of Shivering-Isles Infrastructure. It homes basically all deployments of software, various custom container images, various self-maintained helm charts and more.
Usage
For SI-GitLab this would look like this:
export GITLAB_TOKEN=<project access token able to write the API and repository>
flux bootstrap gitlab \
--hostname=git.shivering-isles.com \
--ssh-hostname=git.shivering-isles.com:2222 \
--ssh-key-algorithm ed25519 \
--owner=<your user / team> \
--repository=<your repository name> \
--path=clusters/<your cluster name>Ideas & ToDo's
This toolchain is still under development. Before it will be used in production there are still some things left to do:
- Buy hardware for the project.
- Provide CLI container that contains all tools.
- Automate overlay network deployment (calico)
- Use encrypted overlay network (calico+wireguard)
- Automate cluster monitoring deployment (kube-prometheus)
- Automate ingress-controller deployment (ingress-nginx)
- Automate policy enforcement (kyverno) deployment
- Encrypt root filesystems for all nodes (LUKS + clevis)
- Enforce SELinux on the deployed machines
- Automate system upgrades using Kubernetes (system-upgrade-controller)
- Automate system configuration using Kubernetes (system-upgrade-controller)
- Provide an fully encrypted (handled on host level) storage class (longhorn)
- Deploy cert-manager
- Deploy credentials for cert-manager
- Automate ingress-controller default certificate deployment
- Add encrypted deployment instructions (SOPS + fluxcd)
- Integrate Renovatebot with this repository to manage updates.
- Automate Kubernetes upgrades
- Automate ingress-controller configuration for proxy-protocol
- Migrate apps to gitops and Kubernetes
- Deploy kubelet with proper certificates
- Move to immutable base-system