Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/timtorChen/homelab
🏡 My homelab uwu
home-operations homelab k8s-at-home kubesearch
- Host: GitHub
- URL: https://github.com/timtorChen/homelab
- Owner: timtorChen
- License: mit
- Created: 2020-08-19T09:57:15.000Z (about 4 years ago)
- Default Branch: main
- Last Pushed: 2024-05-25T00:12:04.000Z (6 months ago)
- Last Synced: 2024-05-27T20:53:42.909Z (6 months ago)
- Topics: home-operations, homelab, k8s-at-home, kubesearch
- Language: HCL
- Homepage:
- Size: 3.5 MB
- Stars: 14
- Watchers: 3
- Forks: 0
- Open Issues: 36
Metadata Files:
- Readme: README.md
- License: LICENSE
README
### My Homelab Repository :octocat:
... _progressed with the song [未来のミュージアム](https://www.youtube.com/watch?v=s8_vqfjYpBg)_ 🎧
[![Discord](https://img.shields.io/discord/673534664354430999?style=for-the-badge&label&logo=discord&logoColor=white&color=blue)](https://discord.gg/home-operations)
[![Talos](https://img.shields.io/endpoint?url=https%3A%2F%2Fkromgo.timtor.dev%2Fquery%3Fformat%3Dendpoint%26metric%3Dtalos_version&style=for-the-badge&logo=talos&logoColor=white&color=blue&label=%20)](https://www.talos.dev/)
[![Kubernetes](https://img.shields.io/endpoint?url=https%3A%2F%2Fkromgo.timtor.dev%2Fquery%3Fformat%3Dendpoint%26metric%3Dkubernetes_version&style=for-the-badge&logo=kubernetes&logoColor=white&color=blue&label=%20)](https://www.talos.dev/)
[![Renovate](https://img.shields.io/github/actions/workflow/status/timtorChen/homelab/renovate.yaml?branch=main&label=&logo=renovatebot&style=for-the-badge&color=blue)](https://github.com/onedr0p/home-ops/actions/workflows/renovate.yaml)
[![Age](https://img.shields.io/endpoint?url=https%3A%2F%2Fkromgo.timtor.dev%2Fquery%3Fformat%3Dendpoint%26metric%3Dnode_age%26label%3D&style=flat-square&color=green&label=Age)](https://github.com/kashalls/kromgo/)
[![Node-Count](https://img.shields.io/endpoint?url=https%3A%2F%2Fkromgo.timtor.dev%2Fquery%3Fformat%3Dendpoint%26metric%3Dnode_count%26label%3D&style=flat-square&color=green&label=Node)](https://github.com/kashalls/kromgo/)
[![Pod-Count](https://img.shields.io/endpoint?url=https%3A%2F%2Fkromgo.timtor.dev%2Fquery%3Fformat%3Dendpoint%26metric%3Dpod_count%26label%3D&style=flat-square&color=green&label=Pod)](https://github.com/kashalls/kromgo/)
[![CPU-Usage](https://img.shields.io/endpoint?url=https%3A%2F%2Fkromgo.timtor.dev%2Fquery%3Fformat%3Dendpoint%26metric%3Dcpu_usage%26label%3D&style=flat-square&label=CPU)](https://github.com/kashalls/kromgo/)
[![Memory-Usage](https://img.shields.io/endpoint?url=https%3A%2F%2Fkromgo.timtor.dev%2Fquery%3Fformat%3Dendpoint%26metric%3Dmemory_usage%26label%3D&style=flat-square&label=Memory)](https://github.com/kashalls/kromgo/)

---
## 📖 Overview
This is a mono repository for my home infrastructure and Kubernetes cluster. I use the [Talos](https://github.com/siderolabs/talos) Kubernetes distribution and follow the Infrastructure as Code (IaC) approach, using tools such as [Flux](https://github.com/fluxcd/flux2), [Terraform](https://github.com/hashicorp/terraform), [Renovate](https://github.com/renovatebot/renovate) and [GitHub Actions](https://github.com/features/actions).
## ⛵ Kubernetes
### Core Components
- [Flux](https://github.com/fluxcd/flux2): GitOps tool that reconciles manifests from a Git repository into Kubernetes.
- [Cilium](https://github.com/cilium/cilium): advanced networking.
- [Metallb](https://github.com/metallb/metallb): IP address announcement and allocation for Kubernetes LoadBalancer Service.
- [Cloudflared](https://github.com/cloudflare/cloudflared): encrypted tunnel between server and Cloudflare.
- [Cert-manager](https://github.com/cert-manager/cert-manager): public and private certificate controller.
- [Ingress-nginx](https://github.com/Kubernetes/ingress-nginx): simple ingress controller.
- [Rook-ceph](https://github.com/rook/rook): Ceph operator. I use NVMe and HDD to provide block, object and file storage at different performance levels.
- [Volsync](https://github.com/backube/volsync): Persistent Volume snapshot and backup. I use Restic-based backup to Backblaze S3 bucket.
- [CNPG](https://github.com/cloudnative-pg/cloudnative-pg): postgres operator.
- [Grafana LG~~T~~M](https://github.com/grafana): system monitoring stack.
- [Kyverno](https://github.com/kyverno/kyverno): Kubernetes policy manager.
- [Secrets-store-csi-driver](https://github.com/Kubernetes-sigs/secrets-store-csi-driver): mounts secret volumes from external providers into a Pod, providing an alternative to Kubernetes Secrets.
- [Amazon-eks-pod-identity-webhook](https://github.com/aws/amazon-eks-pod-identity-webhook): ServiceAccount token injection so Pods can access AWS.

### Flux Reconcile Flow
...
### Networking
...
### Storage
...
### Secrets
Kubernetes Secrets are sourced externally from AWS Parameter Store. To get namespace separation and keep as little secret material in etcd as possible, I put more effort into secret management using secrets-store-csi-driver and AWS IRSA. The namespace separation itself comes from the IAM role trust policy, which pins the token's `sub` (`system:serviceaccount:<namespace>:<name>`) and `aud` claims:
```
                                           OIDC discovery documents
                                                      ↑
                                                      | reference
                                                      |
                                  2. exchange the token for an AWS credential ---> AWS STS
secrets-store-csi-driver ---> secrets-store-csi-driver-provider-aws
                                               |   3. get secrets ---> AWS Parameter Store
                                               |
                                               | 1. create a ServiceAccount token by impersonating the workload
                                               ↓
                                            kube-api
```
The secrets-store-csi-driver-provider-aws DaemonSet acts as the central manager of the secret-fetching flow. Starting from a volume mount request, secrets-store-csi-driver-provider-aws creates a ServiceAccount token by impersonating the workload and tries to exchange it for an AWS credential. AWS STS validates the ServiceAccount token against the OIDC discovery documents at [s3://amethyst-kubernetes-oidc/.well-known/openid-configuration](https://amethyst-kubernetes-oidc.s3.us-west-2.amazonaws.com/.well-known/openid-configuration) and returns a temporary AWS credential. Finally, secrets-store-csi-driver-provider-aws fetches the secrets from AWS Parameter Store and writes them to the target hostPath.
Notice that Talos Linux signs Kubernetes ServiceAccount tokens with ES256 by default, whereas [AWS STS only accepts tokens signed with RS256](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html). You need to generate an RSA key, base64-encode it and patch `cluster.serviceAccount.key` in the Talos machine configuration of the control plane nodes. Sidero's [blog post](https://www.siderolabs.com/blog/workload-identity-for-Kubernetes-on-gcp) on workload identity for Kubernetes on GCP walks through the same procedure.
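Step 2 of the flow above, as an added example that is not code from this repository: a stand-alone Go program that mints a projected ServiceAccount token and runs it through the checks STS performs in AssumeRoleWithWebIdentity (alg, kid lookup in the issuer's JWKS, signature, then iss and aud), plus the trust policy's `sub` condition. It uses only the standard library; the issuer URL, audience, kid, namespace and ServiceAccount name are constructed for the demo. It shows why a default Talos ES256 token is refused before the signature is even looked at, and why a token carrying the in-cluster audience must not be accepted even when its signature is valid.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Constructed values, not taken from the repository: the issuer the cluster's OIDC
// discovery document would publish, and the audience the IAM role trust policy expects.
const (
	Issuer   = "https://example-kubernetes-oidc.s3.example.amazonaws.com"
	Audience = "sts.amazonaws.com"
)

// Claims are the projected ServiceAccount token fields checked here (exp/iat omitted for brevity).
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
}
var ErrUnsupportedAlg = errors.New("unsupported alg: AssumeRoleWithWebIdentity accepts RS256 only")
func encodePart(v interface{}) string {
	b, _ := json.Marshal(v)
	return base64.RawURLEncoding.EncodeToString(b)
}
func decodePart(s string, v interface{}) error {
	b, err := base64.RawURLEncoding.DecodeString(s)
	if err == nil {
		err = json.Unmarshal(b, v)
	}
	return err
}
// Mint signs header.payload with key: an *rsa.PrivateKey yields RS256 (PKCS#1 v1.5 over SHA-256), as
// kube-apiserver does once cluster.serviceAccount.key holds an RSA key; an *ecdsa.PrivateKey yields the
// ES256 header a default Talos cluster sends (ASN.1 rather than JOSE r||s, irrelevant since alg is rejected first).
func Mint(key crypto.Signer, alg, kid string, c Claims) string {
	signing := encodePart(map[string]string{"alg": alg, "kid": kid}) + "." + encodePart(c)
	d := sha256.Sum256([]byte(signing))
	sig, err := key.Sign(rand.Reader, d[:], crypto.SHA256)
	if err != nil {
		panic(err)
	}
	return signing + "." + base64.RawURLEncoding.EncodeToString(sig)
}
// Verify mirrors the STS side of the flow: alg, kid lookup, signature, then iss and aud.
// keys stands in for the JWKS that STS fetches via the discovery document's jwks_uri.
func Verify(token string, keys map[string]*rsa.PublicKey) (Claims, error) {
	parts := strings.Split(token, ".")
	var h map[string]string
	if len(parts) != 3 || decodePart(parts[0], &h) != nil {
		return Claims{}, errors.New("malformed token")
	}
	if h["alg"] != "RS256" { // a default Talos ES256 token stops here, before any key lookup
		return Claims{}, ErrUnsupportedAlg
	}
	pub := keys[h["kid"]]
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	d := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if pub == nil || err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) != nil {
		return Claims{}, errors.New("unknown kid or bad signature")
	}
	var c Claims
	if err := decodePart(parts[1], &c); err != nil {
		return Claims{}, err
	}
	if c.Iss != Issuer || c.Aud != Audience {
		return Claims{}, fmt.Errorf("iss/aud rejected: iss=%q aud=%q", c.Iss, c.Aud)
	}
	return c, nil
}
// AllowedSubject is the trust policy's "<provider>:sub" condition: one ServiceAccount in one namespace.
func AllowedSubject(sub, namespace, name string) bool {
	return sub == "system:serviceaccount:"+namespace+":"+name
}
// RunScenarios mints tokens under freshly generated keys and returns each verification outcome.
func RunScenarios() (rs256Err, es256Err, wrongAudErr error) {
	rsaKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	ecKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	keys := map[string]*rsa.PublicKey{"sa-1": &rsaKey.PublicKey}
	c := Claims{Iss: Issuer, Sub: "system:serviceaccount:media:app", Aud: Audience}
	_, rs256Err = Verify(Mint(rsaKey, "RS256", "sa-1", c), keys)
	_, es256Err = Verify(Mint(ecKey, "ES256", "sa-1", c), keys)
	c.Aud = "kubernetes.default.svc" // the in-cluster audience; STS must not accept it
	_, wrongAudErr = Verify(Mint(rsaKey, "RS256", "sa-1", c), keys)
	return
}
func main() {
	fmt.Println(RunScenarios())
}
```

`go run` prints `<nil>` for the RS256 token and errors for the other two. The `sub` check is deliberately separate from `Verify`: STS validates the token, but it is the role's trust policy condition on `sub` and `aud` that stops a ServiceAccount in another namespace from assuming the same role, which is the namespace separation the section relies on.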
## ☁️ Cloud Services
| Service | Usage | Cost |
| :------------ | :----------------------------------------- | :-------------- |
| Github | Code repository and automation chores/jobs | Free |
| JumpCloud | SSO identity provider | Free |
| Cloudflare | Domain registrar and tunnel | $10/year |
| Backblaze     | S3 bucket for backup                       | ~$1/month       |
| AWS           | Parameter storage and Terraform backend    | Free            |
| Grafana Cloud | External monitoring                        | Free            |
| Let's Encrypt | Public certificate authority               | Free            |
|               |                                            | Total ~$22/year |

## 🔧 Hardware
| Device                       | Description               | Count | RAM                          | Disk                                                                                    |
| ---------------------------- | ------------------------- | ----- | ---------------------------- | --------------------------------------------------------------------------------------- |
| Askey RTF8207W               | Chunghwa Telecom modem    | 1     |                              |                                                                                         |
| Mikrotik RB4011iGS+RM        | Router                    | 1     |                              |                                                                                         |
| Mikrotik CRS328-24P-4S+RM    | PoE switch                | 1     |                              |                                                                                         |
| Raspberry Pi 4B with PoE HAT | Kubernetes worker nodes   | 3     | 8GB                          | 960GB SSD Micron 5200                                                                   |
| Intel NUC11TNHi50L           | Kubernetes control planes | 3     | 16-32GB Micron CT16G4SFRA32A | OS: 960GB SSD Micron 5300; Data: 960GB NVMe Micron 7450 and 4TB HDD Seagate ST4000VN008 |
| APC AP7902                   | 16-port switched PDU      | 1     |                              |                                                                                         |

## 🤝 Acknowledgments
Thanks to the [Home Operations](https://discord.com/invite/home-operations) Discord community. I always find lots of cool ideas in the chats. Also a special thanks to the great [series](https://greg.jeanmart.me/2020/04/13/build-your-very-own-self-hosting-platform-wi/) by Grégoire Jeanmart, which motivated me to start this project.
## 📄 License
See [License](./LICENSE).