https://github.com/timtorChen/homelab

🏡 My homelab uwu
https://github.com/timtorChen/homelab

home-operations homelab k8s-at-home kubesearch

Last synced: about 2 months ago
JSON representation

🏡 My homelab uwu

• Host: GitHub
• URL: https://github.com/timtorChen/homelab
• Owner: timtorChen
• License: mit
• Created: 2020-08-19T09:57:15.000Z (about 4 years ago)
• Default Branch: main
• Last Pushed: 2024-05-25T00:12:04.000Z (4 months ago)
• Last Synced: 2024-05-27T20:53:42.909Z (4 months ago)
• Topics: home-operations, homelab, k8s-at-home, kubesearch
• Language: HCL
• Homepage:
• Size: 3.5 MB
• Stars: 14
• Watchers: 3
• Forks: 0
• Open Issues: 36
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

        


### My Homelab Repository :octocat:

... _progressed with the song [未来のミュージアム](https://www.youtube.com/watch?v=s8_vqfjYpBg)_ 🎧





[![Discord](https://img.shields.io/discord/673534664354430999?style=for-the-badge&label&logo=discord&logoColor=white&color=blue)](https://discord.gg/home-operations)  

[![Talos](https://img.shields.io/endpoint?url=https%3A%2F%2Fkromgo.timtor.dev%2Fquery%3Fformat%3Dendpoint%26metric%3Dtalos_version&style=for-the-badge&logo=talos&logoColor=white&color=blue&label=%20)](https://www.talos.dev/)  

[![Kubernetes](https://img.shields.io/endpoint?url=https%3A%2F%2Fkromgo.timtor.dev%2Fquery%3Fformat%3Dendpoint%26metric%3Dkubernetes_version&style=for-the-badge&logo=kubernetes&logoColor=white&color=blue&label=%20)](https://www.talos.dev/)  

[![Renovate](https://img.shields.io/github/actions/workflow/status/timtorChen/homelab/renovate.yaml?branch=main&label=&logo=renovatebot&style=for-the-badge&color=blue)](https://github.com/onedr0p/home-ops/actions/workflows/renovate.yaml)





[![Age](https://img.shields.io/endpoint?url=https%3A%2F%2Fkromgo.timtor.dev%2Fquery%3Fformat%3Dendpoint%26metric%3Dnode_age%26label%3D&style=flat-square&color=green&label=Age)](https://github.com/kashalls/kromgo/)  

[![Node-Count](https://img.shields.io/endpoint?url=https%3A%2F%2Fkromgo.timtor.dev%2Fquery%3Fformat%3Dendpoint%26metric%3Dnode_count%26label%3D&style=flat-square&color=green&label=Node)](https://github.com/kashalls/kromgo/)  

[![Pod-Count](https://img.shields.io/endpoint?url=https%3A%2F%2Fkromgo.timtor.dev%2Fquery%3Fformat%3Dendpoint%26metric%3Dpod_count%26label%3D&style=flat-square&color=green&label=Pod)](https://github.com/kashalls/kromgo/)  

[![CPU-Usage](https://img.shields.io/endpoint?url=https%3A%2F%2Fkromgo.timtor.dev%2Fquery%3Fformat%3Dendpoint%26metric%3Dcpu_usage%26label%3D&style=flat-square&label=CPU)](https://github.com/kashalls/kromgo/)  

[![Memory-Usage](https://img.shields.io/endpoint?url=https%3A%2F%2Fkromgo.timtor.dev%2Fquery%3Fformat%3Dendpoint%26metric%3Dmemory_usage%26label%3D&style=flat-square&label=Memory)](https://github.com/kashalls/kromgo/)  



---

## 📖 Overview

This is a mono repository for my home infrastructure and Kubernetes cluster. I use [Talos](https://github.com/siderolabs/talos) Kubernetes distribution, and follows the concept Infrastructure as Code (IaC), using the tools like [Flux](https://github.com/fluxcd/flux2), [Terraform](https://github.com/hashicorp/terraform), [Renovate](https://github.com/renovatebot/renovate) and [Github Actions](https://github.com/features/actions).

## ⛵ Kubernetes

### Core Components

- [Flux](https://github.com/fluxcd/flux2): gitops tool reconcile manifests from Git repository to Kubernetes.

- [Cilium](https://github.com/cilium/cilium): advanced networking.

- [Metallb](https://github.com/metallb/metallb): IP address announcement and allocation for Kubernetes LoadBalancer Service.

- [Cloudflared](https://github.com/cloudflare/cloudflared): encrypted tunnel between server and Cloudflare.

- [Cert-manager](https://github.com/cert-manager/cert-manager): public and private certificate controller.

- [Ingress-nginx](https://github.com/Kubernetes/ingress-nginx): simple ingress controller.

- [Rook-ceph](https://github.com/rook/rook): ceph operator. I use nvme and hdd to provide different performace of block, object and file storage.

- [Volsync](https://github.com/backube/volsync): Persistent Volume snapshot and backup. I use Restic-based backup to Backblaze S3 bucket.

- [CNPG](https://github.com/cloudnative-pg/cloudnative-pg): postgres operator.

- [Grafana LG~~T~~M](https://github.com/grafana): system monitoring stack.

- [Kyverno](https://github.com/kyverno/kyverno): Kubernetes policy manager.

- [Secrets-store-csi-driver](https://github.com/Kubernetes-sigs/secrets-store-csi-driver): mount secret volumes form external providers into a Pod, providing an alternative way to Kubernetes Secret.

- [Amazon-eks-pod-identity-webhook](https://github.com/aws/amazon-eks-pod-identity-webhook): ServiceAccount token injection for Pod to access AWS.

### Flux Reconcile Flow

...

### Networking

...

### Storage

...

### Secrets

Kubernetes secrets are sourced externally from AWS Parameter Store. To provide the namespace separation and reduce etcd secret storage, I put more effort on Kubernetes secret management using secret-store-csi-driver and AWS IRSA:

```

                                                                                                OIDC discovery documents

                                                                                                            ↑

                                                                                                        reference

                                                                                                            |

                                                         ---- 2. exchange the token to AWS credentail ---> AWS STS

secrets-store-csi-driver ---> secrets-store-csi-driver-  ---- 3. get secrets ---> AWS Parameter Store

                                provider-aws

                                    |

                  1. create ServiceAccount token by impersonating workload

                                    ↓

                                 kube-api

```

Secrets-store-csi-driver-provider-aws DaemonSet plays as central manager to the secret fetching flow. Starting from volume mount request, secrets-store-csi-driver-provider-aws will create a ServiceAccount token by impersonating the workload, and try to exchange an AWS credential. AWS STS validate the ServiceAccount token by referencing OIDC discovery documents [s3://amethyst-kubernetes-oidc/.well-known/openid-configuration](https://amethyst-kubernetes-oidc.s3.us-west-2.amazonaws.com/.well-known/openid-configuration), and return a temporary AWS credential. Finally, secrets-store-csi-driver-provider-aws get secrtes from AWS Parameter Store and write secrets to a target hostPath.

Notice that Talos Linux default use ES256 for Kubernetes ServiceAccount token, however [AWS STS only supports token with RS256](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html). We need to generate an RSA key, base64 encode and patch the talos configuration `cluster.serviceAccount.key` on control plane. The [blog](https://www.siderolabs.com/blog/workload-identity-for-Kubernetes-on-gcp) might be helpful.

## ☁️ Cloud Services

| Service       | Usage                                      | Cost            |

| :------------ | :----------------------------------------- | :-------------- |

| Github        | Code repository and automation chores/jobs | Free            |

| JumpCloud     | SSO identity provider                      | Free            |

| Cloudflare    | Domain registrar and tunnel                | $10/year        |

| Backblaze     | S3 bucket for buckup                       | ~$1/month       |

| AWS           | Parameter storage and terraform backend    | Free            |

| Grafana Cloud | External montoring                         | Free            |

| Let's Encrypt | Public certificate authroity               | Free            |

|               |                                            | Total ~$22/year |

## 🔧 Hardware

Click to see the rack



| Device                           | Description               | Count | RAM                          | Disk                                                                                                             |

| -------------------------------- | ------------------------- | ----- | ---------------------------- | ---------------------------------------------------------------------------------------------------------------- |

| Askey RTF8207W                   | Chunghwa Telecom modem    | 1     |                              |                                                                                                                  |

| Mikrotik
RB4011iGS+RM        | Router                    | 1     |                              |                                                                                                                  |

| Mikrotik
CRS328-24P-4S+RM    | PoE Switch                | 1     |                              |                                                                                                                  |

| Raspberry Pi 4Bwith PoE hat | Kubernetes worker nodes   | 3     | 8GB                          | 960GB SSD Micron 5200                                                                                            |

| Intel
NUC11TNHi50L           | Kubernetes control planes | 3     | 16-32GB Mircon CT16G4SFRA32A | 
• OS: 960GB SSD Mircon 5300


• Data: 960GB NVMe Mircon 7450, and 4TB HDD Seagate ST4000VN008
 |

| APC AP7902                       | 16p Switched PDU          | 1     |                              |                                                                                                                  |


## 🤝 Acknowledgments

Thanks to [Home Operations](https://discord.com/invite/home-operations) Discord community. I always find lots of cool ideas from chats. Also a special thanks to the great [series](https://greg.jeanmart.me/2020/04/13/build-your-very-own-self-hosting-platform-wi/), by Grégoire Jeanmart, which motivate me to start this project.

## 📄 License

See [Licesne](./LICENSE).