Welcome to my opinionated and extensible template for deploying a single Kubernetes cluster. The goal of this project is to make it easier for people interested in using Kubernetes to deploy a cluster at home on bare-metal or VMs.
At a high level this project makes use of makejinja to read in a configuration file which renders out templates that will allow you to install and manage your Kubernetes cluster with.
The features included will depend on the type of configuration you want to use. There are currently 2 different types of configurations available with this template.
-
"Flux cluster" - a Kubernetes distribution of your choosing: k3s or Talos. Deploys an opinionated implementation of Flux using GitHub as the Git provider and sops to manage secrets.
- Required: Debian 12 or Talos Linux installed on bare metal (or VMs) and some knowledge of Containers and YAML. Some knowledge of Git practices & terminology is also required.
- Components: Cilium and kube-vip (k3s). flux, cert-manager, spegel, reloader, system-upgrade-controller (k3s), and openebs.
-
"Flux cluster with Cloudflare" - An addition to "Flux cluster" that provides DNS and SSL with Cloudflare. Cloudflare Tunnel is also included to provide external access to certain applications deployed in your cluster.
- Required: A Cloudflare account with a domain managed in your Cloudflare account.
- Components: ingress-nginx, external-dns and cloudflared.
Other features include:
- A Renovate-ready repository with pull request diffs provided by flux-local
- Integrated GitHub Actions with helpful workflows.
Hopefully some of this peeked your interests! If you are marching forward, now is a good time to choose whether you will deploy a Kubernetes cluster with k3s or Talos.
Note
- The included behaviour of Talos or k3s is that all nodes are able to run workloads, including the controller nodes. Worker nodes are therefore optional.
- Do you have 3 or more nodes? It is highly recommended to make 3 of them controller nodes for a highly available control plane.
- Running the cluster on Proxmox VE? My thoughts and recommendations about that are documented here.
| Role | Cores | Memory | System Disk |
|---|---|---|---|
| Control | 4 (6*) | 8GB (24GB*) | 100GB (500GB*) SSD/NVMe |
| Worker | 4 (6*) | 8GB (24GB*) | 100GB (500GB*) SSD/NVMe |
| * recommended |
-
Download the latest stable release of Talos from their GitHub releases. You will want to grab either
metal-amd64.isoormetal-rpi_generic-arm64.raw.xzdepending on your system. -
Take note of the OS drive serial numbers you will need them later on.
-
Flash the iso or raw file to a USB drive and boot to Talos on your nodes with it.
-
Continue on to 🚀 Getting Started
-
Download the latest stable release of Debian from here, then follow this guide to get it installed. Deviations from the guide:
Choose "Guided - use entire disk" Choose "All files in one partition" Delete Swap partition Uncheck all Debian desktop environment options
-
[Post install] Remove CD/DVD as apt source
su - sed -i '/deb cdrom/d' /etc/apt/sources.list apt update exit
-
[Post install] Enable sudo for your non-root user
su - apt update apt install -y sudo usermod -aG sudo ${username} echo "${username} ALL=(ALL) NOPASSWD:ALL" | tee /etc/sudoers.d/${username} exit newgrp sudo sudo apt update
-
[Post install] Add SSH keys (or use
ssh-copy-idon the client that is connecting)📍 First make sure your ssh keys are up-to-date and added to your github account as instructed.
mkdir -m 700 ~/.ssh sudo apt install -y curl curl https://github.com/${github_username}.keys > ~/.ssh/authorized_keys chmod 600 ~/.ssh/authorized_keys
Click here to read about using a RasPi4
[!NOTE]
- It is recommended to have an 8GB RasPi model. Most important is to boot from an external SSD/NVMe rather than an SD card. This is supported natively, however if you have an early model you may need to update the bootloader first.
- Check the power requirements if using a PoE Hat and a SSD/NVMe dongle.
-
Download the latest stable release of Debian from here. Do not use Raspbian or DietPi or any other flavor Linux OS.
-
Flash the image onto an SSD/NVMe drive.
-
Re-mount the drive to your workstation and then do the following (per the official documentation):
Open 'sysconf.txt' in a text editor and save it upon updating the information below - Change 'root_authorized_key' to your desired public SSH key - Change 'root_pw' to your desired root password - Change 'hostname' to your desired hostname
-
Connect SSD/NVMe drive to the Raspberry Pi 4 and power it on.
-
[Post install] SSH into the device with the
rootuser and then create a normal user account withadduser ${username} -
[Post install] Follow steps 3 and 4 from k3s (AMD64).
-
[Post install] Install
python3which is needed by Ansible.sudo apt install -y python3
-
Continue on to 🚀 Getting Started
Once you have installed Talos or Debian on your nodes, there are six stages to getting a Flux-managed cluster up and runnning.
Note
For all stages below the commands MUST be ran on your personal workstation within your repository directory
-
Create a new public repository by clicking the big green "Use this template" button at the top of this page.
-
Clone your new repo to you local workstation and
cdinto it. -
Continue on to 🌱 Stage 2
You have two different options for setting up your local workstation.
- First option is using a
devcontainerwhich requires you to have Docker and VSCode installed. This method is the fastest to get going because all the required CLI tools are provided for you in my devcontainer image. - The second option is setting up the CLI tools directly on your workstation.
-
Start Docker and open your repository in VSCode. There will be a pop-up asking you to use the
devcontainer, click the button to start using it. -
Continue on to 🔧 Stage 3
-
Install the most recent version of task, see the installation docs for other supported platforms.
# Homebrew brew install go-task # or, Arch pacman -S --noconfirm go-task && ln -sf /usr/bin/go-task /usr/local/bin/task
-
Install the most recent version of direnv, see the installation docs for other supported platforms.
# Homebrew brew install direnv # or, Arch pacman -S --noconfirm direnv
-
Hook
direnvinto your preferred shell, then run:task workstation:direnv
📍 Verify that
direnvis setup properly by opening a new terminal andcding into your repository. You should see something like:cd /path/to/repo direnv: loading /path/to/repo/.envrc direnv: export +ANSIBLE_COLLECTIONS_PATH ... +VIRTUAL_ENV ~PATH
-
Install the additional required CLI tools
📍 Not using Homebrew or ArchLinux? Try using the generic Linux task below, if that fails check out the Brewfile/Archfile for what CLI tools needed and install them.
# Homebrew task workstation:brew # or, Arch with yay/paru task workstation:arch # or, Generic Linux (YMMV, this pulls binaires in to ./bin) task workstation:generic-linux
-
Setup a Python virual environment by running the following task command.
📍 This commands requires Python 3.11+ to be installed.
task workstation:venv
-
Continue on to 🔧 Stage 3
Note
The config.sample.yaml file contains config that is vital to the bootstrap process.
-
Generate the
config.yamlfrom the config.sample.yaml configuration file.task init
-
Fill out the
config.yamlconfiguration file using the comments in that file as a guide. -
Run the following command which will generate all the files needed to continue.
task configure
-
Push you changes to git
📍 Verify all the
./kubernetes/**/*.sops.*files are encrypted with SOPSgit add -A git commit -m "Initial commit :rocket:" git push -
Continue on to ⚡ Stage 4
Note
For Talos skip ahead to ⛵ Stage 5
📍 Here we will be running an Ansible playbook to prepare your nodes for running a Kubernetes cluster.
-
Ensure you are able to SSH into your nodes from your workstation using a private SSH key without a passphrase (for example using a SSH agent). This lets Ansible interact with your nodes.
-
Install the Ansible dependencies
task ansible:deps
-
Verify Ansible can view your config and ping your nodes
task ansible:list task ansible:ping
-
Run the Ansible prepare playbook (nodes wil reboot when done)
task ansible:run playbook=cluster-prepare
-
Continue on to ⛵ Stage 5
-
Deploy your cluster and bootstrap it. This generates secrets, generates the config files for your nodes and applies them. It bootstraps the cluster afterwards, fetches the kubeconfig file and installs Cilium and kubelet-csr-approver. It finishes with some health checks.
task talos:bootstrap
-
⚠️ It might take a while for the cluster to be setup (10+ minutes is normal), during which time you will see a variety of error messages like: "couldn't get current server API group list," "error: no matching resources found", etc. This is a normal. If this step gets interrupted, e.g. by pressing Ctrl + C, you likely will need to nuke the cluster before trying again.
-
Install Kubernetes depending on the distribution you chose
task ansible:run playbook=cluster-installation
-
The
kubeconfigfor interacting with your cluster should have been created in the root of your repository. -
Verify the nodes are online
📍 If this command fails you likely haven't configured
direnvas mentioned previously in the guide.kubectl get nodes -o wide # NAME STATUS ROLES AGE VERSION # k8s-0 Ready control-plane,etcd,master 1h v1.29.1 # k8s-1 Ready worker 1h v1.29.1
-
Continue on to 🔹 Stage 6
-
Verify Flux can be installed
flux check --pre # ► checking prerequisites # ✔ kubectl 1.27.3 >=1.18.0-0 # ✔ Kubernetes 1.27.3+k3s1 >=1.16.0-0 # ✔ prerequisites checks passed
-
Install Flux and sync the cluster to the Git repository
📍 Run
task flux:github-deploy-keyfirst if using a private repository.task flux:bootstrap # namespace/flux-system configured # customresourcedefinition.apiextensions.k8s.io/alerts.notification.toolkit.fluxcd.io created # ...
-
Verify Flux components are running in the cluster
kubectl -n flux-system get pods -o wide # NAME READY STATUS RESTARTS AGE # helm-controller-5bbd94c75-89sb4 1/1 Running 0 1h # kustomize-controller-7b67b6b77d-nqc67 1/1 Running 0 1h # notification-controller-7c46575844-k4bvr 1/1 Running 0 1h # source-controller-7d6875bcb4-zqw9f 1/1 Running 0 1h
Mic check, 1, 2 - In a few moments applications should be lighting up like Christmas in July 🎄
-
Output all the common resources in your cluster.
📍 Feel free to use the provided kubernetes tasks for validation of cluster resources or continue to get familiar with the
kubectlandfluxCLI tools.task kubernetes:resources
-
⚠️ It might takecert-managerawhile to generate certificates, this is normal so be patient. -
🏆 Congratulations if all goes smooth you will have a Kubernetes cluster managed by Flux and your Git repository is driving the state of your cluster.
-
🧠 Now it's time to pause and go get some motel motor oil ☕ and admire you made it this far!
The external-dns application created in the networking namespace will handle creating public DNS records. By default, echo-server and the flux-webhook are the only subdomains reachable from the public internet. In order to make additional applications public you must set set the correct ingress class name and ingress annotations like in the HelmRelease for echo-server.
k8s_gateway will provide DNS resolution to external Kubernetes resources (i.e. points of entry to the cluster) from any device that uses your home DNS server. For this to work, your home DNS server must be configured to forward DNS queries for ${bootstrap_cloudflare.domain} to ${bootstrap_cloudflare.gateway_vip} instead of the upstream DNS server(s) it normally uses. This is a form of split DNS (aka split-horizon DNS / conditional forwarding).
Tip
Below is how to configure a Pi-hole for split DNS. Other platforms should be similar.
- Apply this file on the Pihole server while substituting the variables
# /etc/dnsmasq.d/99-k8s-gateway-forward.conf
server=/${bootstrap_cloudflare.domain}/${bootstrap_cloudflare.gateway_vip}
- Restart dnsmasq on the server.
- Query an internal-only subdomain from your workstation (any
internalclass ingresses):dig @${home-dns-server-ip} echo-server-internal.${bootstrap_cloudflare.domain}. It should resolve to${bootstrap_cloudflare.ingress_vip}.
If you're having trouble with DNS be sure to check out these two GitHub discussions: Internal DNS and Pod DNS resolution broken.
... Nothing working? That is expected, this is DNS after all!
By default this template will deploy a wildcard certificate using the Let's Encrypt staging environment, which prevents you from getting rate-limited by the Let's Encrypt production servers if your cluster doesn't deploy properly (for example due to a misconfiguration). Once you are sure you will keep the cluster up for more than a few hours be sure to switch to the production servers as outlined in config.yaml.
📍 You will need a production certificate to reach internet-exposed applications through cloudflared.
By default Flux will periodically check your git repository for changes. In order to have Flux reconcile on git push you must configure Github to send push events to Flux.
Note
This will only work after you have switched over certificates to the Let's Encrypt Production servers.
-
Obtain the webhook path
📍 Hook id and path should look like
/hook/12ebd1e363c641dc3c2e430ecf3cee2b3c7a5ac9e1234506f6f5f3ce1230e123kubectl -n flux-system get receiver github-receiver -o jsonpath='{.status.webhookPath}' -
Piece together the full URL with the webhook path appended
https://flux-webhook.${bootstrap_cloudflare.domain}/hook/12ebd1e363c641dc3c2e430ecf3cee2b3c7a5ac9e1234506f6f5f3ce1230e123 -
Navigate to the settings of your repository on Github, under "Settings/Webhooks" press the "Add webhook" button. Fill in the webhook url and your
bootstrap_github_webhook_tokensecret and save.
There might be a situation where you want to destroy your Kubernetes cluster. This will completely clean the OS of all traces of the Kubernetes distribution you chose and then reboot the nodes.
# k3s: Remove all traces of k3s from the nodes
task ansible:run playbook=cluster-nuke
# Talos: Reset your nodes back to maintenance mode and reboot
task talos:soft-nuke
# Talos: Comletely format your the Talos installation and reboot
task talos:hard-nukeRenovate is a tool that automates dependency management. It is designed to scan your repository around the clock and open PRs for out-of-date dependencies it finds. Common dependencies it can discover are Helm charts, container images, GitHub Actions, Ansible roles... even Flux itself! Merging a PR will cause Flux to apply the update to your cluster.
To enable Renovate, click the 'Configure' button over at their Github app page and select your repository. Renovate creates a "Dependency Dashboard" as an issue in your repository, giving an overview of the status of all updates. The dashboard has interactive checkboxes that let you do things like advance scheduling or reattempt update PRs you closed without merging.
The base Renovate configuration in your repository can be viewed at .github/renovate.json5. By default it is scheduled to be active with PRs every weekend, but you can change the schedule to anything you want, or remove it if you want Renovate to open PRs right away.
Below is a general guide on trying to debug an issue with an resource or application. For example, if a workload/resource is not showing up or a pod has started but in a CrashLoopBackOff or Pending state.
-
Start by checking all Flux Kustomizations & Git Repository & OCI Repository and verify they are healthy.
flux get sources oci -A flux get sources git -A flux get ks -A
-
Then check all the Flux Helm Releases and verify they are healthy.
flux get hr -A
-
Then check the if the pod is present.
kubectl -n <namespace> get pods -o wide
-
Then check the logs of the pod if its there.
kubectl -n <namespace> logs <pod-name> -f # or stern -n <namespace> <fuzzy-name>
-
If a resource exists try to describe it to see what problems it might have.
kubectl -n <namespace> describe <resource> <name>
-
Check the namespace events
kubectl -n <namespace> get events --sort-by='.metadata.creationTimestamp'
Resolving problems that you have could take some tweaking of your YAML manifests in order to get things working, other times it could be a external factor like permissions on NFS. If you are unable to figure out your problem see the help section below.
- Make a post in this repository's Github Discussions.
- Start a thread in the
#supportor#cluster-templatechannels in the Home Operations Discord server.
The cluster is your oyster (or something like that). Below are some optional considerations you might want to review.
To browse or get ideas on applications people are running, community member @whazor created Kubesearch as a creative way to search Flux HelmReleases across Github and Gitlab.
The included CSI (openebs in local-hostpath mode) is a great start for storage but soon you might find you need more features like replicated block storage, or to connect to a NFS/SMB/iSCSI server. If you need any of those features be sure to check out the projects like rook-ceph, longhorn, openebs, democratic-csi, csi-driver-nfs, and synology-csi.
If this repo is too hot to handle or too cold to hold check out these following projects.
- khuedoan/homelab - Modern self-hosting framework, fully automated from empty disk to operating services with a single command.
- danmanners/aws-argo-cluster-template - A community opinionated template for deploying Kubernetes clusters on-prem and in AWS using Pulumi, SOPS, Sealed Secrets, GitHub Actions, Renovate, Cilium and more!
- ricsanfre/pi-cluster - Pi Kubernetes Cluster. Homelab kubernetes cluster automated with Ansible and ArgoCD
- techno-tim/k3s-ansible - The easiest way to bootstrap a self-hosted High Availability Kubernetes cluster. A fully automated HA k3s etcd install with kube-vip, MetalLB, and more
Big shout out to all the contributors, sponsors and everyone else who has helped on this project.
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "github-actions[bot]")
![renovate[bot] avatar](https://avatars.githubusercontent.com/in/2740?v=4 "renovate[bot]")
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent