Pyrrha/home-cluster, https://github.com/Pyrrha/home-cluster ("My cluster"; topics: helm, iac, infra, kubernetes). README:

# Home Cluster

## Installation

> [!WARNING]
> If running as root, use `su -` instead of `su` so that `/etc/profile` is read.

- Begin by configuring the host (kernel modules and sysctls that containerd and kube-proxy need):
  ```sh
  cat <<EOF | tee /etc/modules-load.d/containerd.conf
  overlay
  br_netfilter
  EOF
  modprobe overlay
  modprobe br_netfilter
  cat <<EOF | tee /etc/sysctl.d/99-kubernetes-k8s.conf
  net.bridge.bridge-nf-call-iptables = 1
  net.ipv4.ip_forward = 1
  net.bridge.bridge-nf-call-ip6tables = 1
  EOF
  sysctl --system
  ```
- Install containerd:
  ```sh
  apt update && apt -y install containerd
  ```
- Generate the default configuration:
  ```sh
  containerd config default | tee /etc/containerd/config.toml
  ```
- Edit the freshly created `/etc/containerd/config.toml`:
  - Under `[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]`, replace `SystemdCgroup = false` with `SystemdCgroup = true` (kubelet and containerd must agree on the systemd cgroup driver)
- Restart and enable containerd:
  ```sh
  systemctl restart containerd
  systemctl enable containerd
  ```

- Follow the Kubernetes documentation for [installing kubeadm](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/install-kubeadm/)
- Set `serverTLSBootstrap: true` in the kubelet config file `/var/lib/kubelet/config.yaml`
- Restart kubelet:
  ```sh
  systemctl restart kubelet
  ```
- Copy the configuration to `kubeadm.yaml`:
  ```yaml
  apiVersion: kubeadm.k8s.io/v1beta3
  kind: InitConfiguration
  ---
  apiVersion: kubeadm.k8s.io/v1beta3
  kind: ClusterConfiguration
  kubernetesVersion: "1.31.1" # replace with the Kubernetes version being installed
  networking:
    podSubnet: 10.96.0.0/12 # must match the Calico IP pool CIDR set below (Calico default: 192.168.0.0/16). Note that 10.96.0.0/12 is also kubeadm's default serviceSubnet; pod and service subnets must not overlap, so set serviceSubnet to a disjoint range if this value is kept
  apiServer:
    certSANs:
    - dietz.dev
    - home.dietz.dev
    - localhost
  ---
  apiVersion: kubelet.config.k8s.io/v1beta1
  kind: KubeletConfiguration
  serverTLSBootstrap: true # request the kubelet serving certificate from the cluster CA through a CSR instead of using a self-signed one
  ```
- Finally create the cluster:
  ```sh
  kubeadm init --config kubeadm.yaml
  ```
- Get the admin kubeconfig from `/etc/kubernetes/admin.conf`
- Ensure `serverTLSBootstrap` is set to `true` in the `kubelet-config` configmap (path: `data.kubelet.serverTLSBootstrap`)
- List the pending certificate signing request of the kubelet: `kubectl get csr`
- Check it before approving (`kubectl get csr <csr-id> -o yaml`): the signer must be `kubernetes.io/kubelet-serving`, the requestor `system:node:<node-name>`, and the requested SANs must be that node's hostname and addresses only. Then approve it: `kubectl certificate approve <csr-id>`
- Untaint the control plane so that workloads can be scheduled on it:
  ```sh
  kubectl taint nodes --all node-role.kubernetes.io/control-plane-
  ```
- Install the [Tigera operator](https://docs.tigera.io/calico/latest/getting-started/kubernetes/quickstart) for Calico
  - Apply CRDs and operator (ensure the latest version is used; `wget` needs `-O` to write to the given path):
    ```sh
    wget -O component-config/tigera-operator/tigera-operator.yaml https://raw.githubusercontent.com/projectcalico/calico/v3.29.3/manifests/tigera-operator.yaml
    kubectl create -f component-config/tigera-operator/tigera-operator.yaml
    ```
  - Retrieve the configuration and adapt the ipPool's CIDR:
    ```sh
    curl https://raw.githubusercontent.com/projectcalico/calico/v3.29.3/manifests/custom-resources.yaml > component-config/calico/custom-resources.yaml
    vim component-config/calico/custom-resources.yaml # set the CIDR to the podSubnet of kubeadm.yaml: 10.96.0.0/12
    kubectl create -f component-config/calico/custom-resources.yaml
    ```
- Deploy `sealed-secrets`:
  ```sh
  helm upgrade -n sealed-secrets --create-namespace --install --dependency-update sealed-secrets component-config/sealed-secrets -f component-config/sealed-secrets/values.yaml
  ```
- Generate the sealed secrets (`kubeseal` encrypts with the controller's public key; the plaintext `my_secret.yaml` inputs must stay out of git, only the sealed output is committed):
  ```sh
  # ArgoCD
  kubeseal --controller-namespace sealed-secrets --controller-name sealed-secrets -o yaml -n argocd < component-config/argocd/my_secret.yaml > component-config/argocd/templates/secrets.yaml

  # IP
  kubeseal --controller-namespace sealed-secrets --controller-name sealed-secrets -o yaml -n kube-system < component-config/ip/my_secret.yaml > component-config/ip/cloudflare-api-key.yaml

  # Database
  kubeseal --controller-namespace sealed-secrets --controller-name sealed-secrets -o yaml -n database < component-config/database/my_secret.yaml > component-config/database/templates/database.yaml

  # Keycloak
  kubeseal --controller-namespace sealed-secrets --controller-name sealed-secrets -o yaml -n keycloak < component-config/keycloak/my_secret.yaml > component-config/keycloak/templates/secrets.yaml
  ```
- Commit the sealed secrets so that ArgoCD deploys them
- Deploy ArgoCD:
  ```sh
  helm upgrade -n argocd --create-namespace --install --dependency-update argocd component-config/argocd -f component-config/argocd/values.yaml
  ```
- Join the other nodes to the cluster
- Apply `app-of-apps.yaml`:
  ```sh
  kubectl apply -f argo-config/applications/app-of-apps.yaml
  ```
- It will automatically create all other applications
- Keycloak should automatically recover from the data present in the database. Otherwise:
  - Connect to the [auth portal](https://auth-admin.dietz.dev) and create a new realm named `dietz`
  - Import the backup realms 😉
- Configure Kubernetes to use the OIDC provider:
  - Open `vim /etc/kubernetes/manifests/kube-apiserver.yaml` (a static pod manifest: kubelet restarts the API server when it changes)
  - Add the following flags to the kube-apiserver command:
    ```yaml
    - --oidc-issuer-url=https://auth.dietz.dev/realms/dietz
    - --oidc-client-id=kubernetes
    - --oidc-groups-claim=groups
    - --oidc-username-claim=email
    ```
    Without `--oidc-username-prefix` and `--oidc-groups-prefix`, claim values are used verbatim, so a `groups` claim of `system:masters` issued by the identity provider would be trusted as that built-in group; set prefixes (for example `oidc:`) and bind RBAC roles to the prefixed names.
- Configure `kubectl` to use the OIDC provider (requires the kubelogin plugin, which provides `kubectl oidc-login`):
  ```sh
  kubectl oidc-login setup \
    --oidc-issuer-url=https://auth.dietz.dev/realms/dietz \
    --oidc-client-id=kubernetes \
    --oidc-client-secret=<client-secret>
  ```
- Follow the printed instructions to configure `kubectl` to use the OIDC provider
- Finally, for convenience: `kubectl config set-context oidc@home --cluster kubernetes --user oidc`
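The CSR approval step in the installation above ("approve the pending one") is where a practitioner wants an explicit check: the kubelet-serving signer does not verify that the node asking for a certificate actually owns the names in the request, so an approver that rubber-stamps every pending CSR lets one node's kubelet obtain a serving certificate for another node's hostname. The Go program below is an added example written for this page, not code from the Pyrrha/home-cluster repository: it applies the approver checks to the fields of a CSR object (signer name, requester identity, subject CN, SANs against the node's known addresses) and, so that it runs offline, builds its own test requests with the Go standard library. The node name `worker1`, the address `10.0.0.11`, the struct `NodeCSR` and the helpers `ShouldApprove` and `MakeCSRPEM` are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"net"
	"strings"
)

// NodeCSR: the CSR fields an approver reads (spec.signerName, spec.username, spec.groups, PEM spec.request).
type NodeCSR struct {
	SignerName string
	Username   string
	Groups     []string
	RequestPEM []byte
}

// ShouldApprove decides whether a pending kubelet-serving CSR may be approved. The signer
// itself enforces O=system:nodes, the CN prefix, SAN types and usages; only the approver can
// check that the requester is the node named in the CSR and that every SAN is one of that
// node's own addresses (nodeAddrs, taken from the Node object's status.addresses).
func ShouldApprove(c NodeCSR, nodeAddrs []string) (bool, string) {
	switch {
	case c.SignerName != "kubernetes.io/kubelet-serving":
		return false, "unexpected signer " + c.SignerName
	case !strings.HasPrefix(c.Username, "system:node:") || !contains(c.Groups, "system:nodes"):
		return false, "requester " + c.Username + " is not a node identity"
	}
	block, _ := pem.Decode(c.RequestPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return false, "spec.request is not a PEM certificate request"
	}
	req, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return false, "cannot parse request: " + err.Error()
	}
	if err := req.CheckSignature(); err != nil {
		return false, "request signature invalid: " + err.Error()
	}
	// Bind the certificate to the authenticated requester, or node A's kubelet could get a cert in node B's name.
	if req.Subject.CommonName != c.Username {
		return false, "subject CN " + req.Subject.CommonName + " does not match requester " + c.Username
	}
	sans := append([]string{}, req.DNSNames...)
	for _, ip := range req.IPAddresses {
		sans = append(sans, ip.String())
	}
	for _, s := range sans {
		if !contains(nodeAddrs, s) {
			return false, "SAN " + s + " is not an address of " + c.Username
		}
	}
	return true, "ok"
}

func contains(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

// MakeCSRPEM builds a request the way a kubelet does (ECDSA P-256 key, CN system:node:<name>,
// O=system:nodes); a SAN that parses as an IP becomes an IP SAN, anything else a DNS SAN. Constructed test input.
func MakeCSRPEM(cn string, sans ...string) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn, Organization: []string{"system:nodes"}}}
	for _, s := range sans {
		if ip := net.ParseIP(s); ip != nil {
			tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
		} else {
			tmpl.DNSNames = append(tmpl.DNSNames, s)
		}
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
}

func main() {
	addrs := []string{"worker1", "10.0.0.11"} // hypothetical Node status.addresses
	good := NodeCSR{"kubernetes.io/kubelet-serving", "system:node:worker1", []string{"system:nodes"}, MakeCSRPEM("system:node:worker1", "worker1", "10.0.0.11")}
	rogue := good // same node identity, but also asks for a name it does not own
	rogue.RequestPEM = MakeCSRPEM("system:node:worker1", "worker1", "kubernetes.default.svc")
	fmt.Println(ShouldApprove(good, addrs))
	fmt.Println(ShouldApprove(rogue, addrs))
}
```

On a live cluster the inputs are `spec.signerName`, `spec.username`, `spec.groups` and the base64-decoded `spec.request` from `kubectl get csr <csr-id> -o json`, and the address list is the node's `status.addresses` from `kubectl get node <node-name> -o json`; run `kubectl certificate approve` only when `ShouldApprove` returns true.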