Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/k-foss/core-backplane
My personal infrastructure deployed by ArgoCD running entirely in Kubernetes
kubernetes kubernetes-cluster self-hosted
Last synced: 1 day ago
- Host: GitHub
- URL: https://github.com/k-foss/core-backplane
- Owner: K-FOSS
- Created: 2022-06-20T05:01:50.000Z (over 2 years ago)
- Default Branch: main
- Last Pushed: 2025-02-07T19:43:20.000Z (4 days ago)
- Last Synced: 2025-02-07T20:26:42.096Z (4 days ago)
- Topics: kubernetes, kubernetes-cluster, self-hosted
- Language: Mustache
- Homepage:
- Size: 4.88 MB
- Stars: 2
- Watchers: 1
- Forks: 0
- Open Issues: 1
Metadata Files:
- Readme: README.md
- Security: Security/Authorino/Chart.yaml
README
# CORE-Backplane
This serves as the base definition for everything CoRE runs. This single repo allows for the fully autonomous bootstrap of EVERYTHING.
## Initial Bootstrap
# UPDATE 2025
As of January 23, 2025 I've started to rebuild my infra using my Dell R620 located within dc1.resolvemy.host. See [node1-k3s.dc1.resolvemy.host](https://github.com/K-FOSS/node1-k3s.dc1.resolvemy.host) for more details about the bootstrapping of that system.
# Introduction
CoRE is the name that I have assigned to my infrastructure and business. This repo serves as the repository where I do most of the work on the base systems that power my operation and business.
This is deployed by [ArgoCD](./ArgoCD/), which handles GitOps and gives me a simple web interface to control and roll out new services and applications. Currently I do not have auto-sync set up while I slowly get my services back online; however, this will change.
# Authentication
For AAA I have Authentik serving as the root source of truth for user accounts, service accounts, groups and permissions. The goal of my infrastructure is to allow users/staff/friends/services to need only a single set of credentials to access **EVERYTHING**. This is built up using LDAP, RADIUS, and lots and lots of OAuth2/OIDC (OpenID Connect), plus some header auth where [Envoy Gateway](https://github.com/envoyproxy/gateway) automatically redirects the user to log in and then uses the details obtained from Authentik to allow or deny users/service accounts.
I say "service account" a lot because even the end applications (GitLab, OpenProject, NextCloud, Grafana, Authentik) use credentials generated by [Crossplane](./Operations/Crossplane/) during the deployment by ArgoCD, and these are what the applications/serviceAccounts use to access their databases and S3 buckets as well. Even the API credentials to access Netbox are generated automatically by Crossplane and stored in Kubernetes secrets, which are then automatically picked up at runtime by the applications.
See [SSO Users Crossplane Configuration](./Operations/SSO/User/)
# Databases
## PostgreSQL
I run a 3-node cluster of [Patroni](https://github.com/patroni/patroni) handled entirely automatically by the [Postgres Operator](https://github.com/zalando/postgres-operator).
[PSQL & Related Services Deployment](./Databases/PSQL/)
[Database Operators](./Databases/Operator/)
# Observability
For observability I use the Grafana [LGTM Stack](https://grafana.com/go/webinar/getting-started-with-grafana-lgtm-stack/).
See [Observability Stack](./Observability/)
# Development
I have an [Eclipse Che](https://eclipse.dev/che/) cluster deployed via the [Che Operator](./IDE/Che/), which is itself deployed by the [Development Stack](./Development/).
The [.devfile.yaml](./.devfile.yaml) ensures everyone gets the same extensions and configuration when working on this repository.
# Secrets
For my credential vault for machine and service credentials I use [HashiCorp Vault](https://www.hashicorp.com/products/vault). I have two instances running: one called [CoreVault](./Hashicorp/CoreVault/) and then [Vault](./Hashicorp/Vault/). CoreVault has to be manually unsealed, or at least it used to; I eventually got around to setting up a workflow using External Secrets and Crossplane to automatically unseal CoreVault, and Vault then uses the CoreVault Transit seal to unseal. The keys to unlock CoreVault are also stored in the organization's 1Password.
Both CoreVault and Vault use [Consul](./Mesh/Service/Consul/) as their storage to allow for scalability and multi-node high availability. This is also done to ensure there is no chicken-and-egg situation: CoreVault holds some secrets that are synced down by [External-Secrets](https://external-secrets.io/latest/) deployed at [Operations/Secrets/](./Operations/Secrets/).
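The two-tier unseal described above, as an added example and not a file from this repo: a server config for the second Vault that stores in Consul and uses a Transit key on CoreVault as its auto-unseal seal. Hostnames, the key name, the mount path and the token source are assumptions (placeholders).

```hcl
# Added example: config for the downstream "Vault" instance.
# Assumes CoreVault (already unsealed) has the transit engine mounted at
# "transit/" with a key named "vault-autounseal", and that the token below
# carries only transit encrypt/decrypt rights on that key (least privilege).

ui = true

# Consul backend, as both instances use it for HA storage.
storage "consul" {
  address = "consul.example.internal:8500"   # placeholder
  path    = "vault/"
}

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/vault/tls/tls.crt"       # placeholder paths
  tls_key_file  = "/vault/tls/tls.key"
}

# Transit auto-unseal: the master key is wrapped by CoreVault's transit key,
# so this instance unseals itself as long as CoreVault is reachable and unsealed.
seal "transit" {
  address    = "https://corevault.example.internal:8200"  # placeholder
  # token is read from the VAULT_TOKEN env var of the seal client if omitted;
  # inject it from a Kubernetes Secret rather than writing it here.
  key_name   = "vault-autounseal"
  mount_path = "transit/"
  tls_ca_cert = "/vault/tls/corevault-ca.crt"             # placeholder
  disable_renewal = "false"
}

api_addr     = "https://vault.example.internal:8200"      # placeholder
cluster_addr = "https://vault.example.internal:8201"
```

If CoreVault is sealed or unreachable, this instance cannot unseal, which is exactly why CoreVault's own unseal keys live outside the cluster in 1Password.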