Skip to content

Commit 619e8b9

Browse files
committed
cleanup
1 parent a1224a4 commit 619e8b9

6 files changed

Lines changed: 124 additions & 89 deletions

File tree

.gitignore

Lines changed: 13 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -89,4 +89,16 @@ config.xml
8989
/infrastructure/networking/cilium/charts
9090
*.log
9191
credentials.base64
92-
credentials.base64
92+
93+
# Credentials
94+
*.json
95+
*.base64
96+
*.auto.tfvars
97+
98+
# Terraform state
99+
.terraform/
100+
*.tfstate
101+
*.tfstate.*
102+
103+
# Mac OS
104+
.DS_Store

README.md

Lines changed: 82 additions & 77 deletions
Original file line numberDiff line numberDiff line change
@@ -8,14 +8,8 @@ A GitOps-driven Kubernetes cluster using **Talos OS** (secure, immutable Linux f
88

99
- [Prerequisites](#-prerequisites)
1010
- [Architecture](#-architecture)
11+
- [GitOps Architecture](#️-gitops-architecture)
1112
- [Quick Start](#-quick-start)
12-
- [1. System Dependencies](#1-system-dependencies)
13-
- [2. Generate Talos Configs](#2-generate-talos-configs-with-talhelper)
14-
- [3. Boot & Bootstrap Talos Nodes](#3-boot--bootstrap-talos-nodes)
15-
- [4. Apply Machine Configs](#4-apply-machine-configs)
16-
- [5. Install Gateway API CRDs](#5-install-gateway-api-crds)
17-
- [6. Bootstrap ArgoCD (One Command)](#6-bootstrap-argocd-one-command)
18-
- [7. Configure Secret Management](#7-configure-secret-management)
1913
- [Verification](#-verification)
2014
- [Documentation](#-documentation)
2115
- [Hardware Stack](#-hardware-stack)
@@ -99,6 +93,48 @@ graph TD;
9993
- **GPU Integration**: Full NVIDIA GPU support via Talos system extensions and GPU Operator
10094
- **Zero SSH**: All node management via Talosctl API
10195

96+
## 🏗️ GitOps Architecture
97+
98+
This repository implements a **production-grade GitOps workflow** using a multi-tiered ApplicationSet pattern. This separates concerns, simplifies management, and provides a clear, scalable structure.
99+
100+
### Self-Managing ArgoCD
101+
102+
The process starts with a single command to install ArgoCD's components and CRDs. Then, a single `Application` resource (`infrastructure/argocd-app.yaml`) is applied, which configures ArgoCD to manage its own installation and upgrades directly from this Git repository. This is the core of the **self-healing infrastructure** pattern.
103+
104+
### Three-Tier ApplicationSets
105+
106+
The cluster is organized into three distinct `ApplicationSet` resources, each responsible for a different layer of the stack. This provides clear separation of concerns and access control.
107+
108+
| ApplicationSet | Directory | Deploys | Description |
109+
| :--- | :--- | :--- | :--- |
110+
| **Infrastructure** | `infrastructure/` | Core Services | Manages essential components like ArgoCD, Cilium, storage, and other operators. |
111+
| **Monitoring** | `monitoring/` | Observability | Deploys the full monitoring stack, including Prometheus, Grafana, and Loki. |
112+
| **Applications** | `my-apps/` | User Workloads | Manages all end-user applications, such as Plex, Ollama, and Home Assistant. |
113+
114+
Each `ApplicationSet` automatically discovers new applications when a new directory is added to its designated path (e.g., adding `my-apps/new-app/` will automatically create a new ArgoCD application).
115+
116+
### Directory Structure
117+
118+
The repository's structure directly maps to the ApplicationSet strategy, making it intuitive to manage.
119+
120+
```
121+
.
122+
├── infrastructure/ # Infrastucture ApplicationSet
123+
│ ├── controllers/
124+
│ │ └── argocd/ # ArgoCD self-management config
125+
│ ├── networking/ # Cilium, Gateway API, etc.
126+
│ ├── storage/ # Longhorn, CSI drivers, etc.
127+
│ └── infrastructure-components-appset.yaml
128+
├── monitoring/ # Monitoring ApplicationSet
129+
│ ├── prometheus-stack/ # Prometheus, Grafana, etc.
130+
│ └── monitoring-components-appset.yaml
131+
├── my-apps/ # Applications ApplicationSet
132+
│ ├── ai/ # AI tools
133+
│ ├── media/ # Media servers
134+
│ └── myapplications-appset.yaml
135+
└── docs/ # Documentation
136+
```
137+
102138
## 🚀 Quick Start
103139

104140
### 1. System Dependencies
@@ -146,23 +182,34 @@ kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/downloa
146182

147183
### 6. Bootstrap ArgoCD (Following k3s-argocd-starter Pattern)
148184

185+
This cluster uses a **proven GitOps bootstrap pattern** that ensures stability and avoids common race conditions. The process is carefully ordered:
186+
187+
1. **Install CRDs First**: We use `kustomize` to apply the base ArgoCD Helm chart, which safely installs the necessary Custom Resource Definitions (CRDs) into the cluster.
188+
2. **Bootstrap Self-Management**: With the CRDs in place, we apply the `projects.yaml` and the root `argocd-app.yaml`. This tells the running ArgoCD instance to take over its own management from Git.
189+
3. **Deploy ApplicationSets**: Once ArgoCD is self-managing, we deploy the three ApplicationSets, which then automatically discover and deploy all other applications and components.
190+
191+
This method prevents errors by ensuring resources are created only after their definitions are available in the cluster.
192+
149193
Deploy ArgoCD and ApplicationSets in the correct order:
150194

151195
```bash
152-
# Step 1: Deploy ArgoCD itself
153-
kubectl apply -f infrastructure/argocd-app.yaml
154-
kubectl apply -f infrastructure/projects.yaml
196+
# Step 1: Install ArgoCD Components & CRDs
197+
# This uses kustomize to install the ArgoCD helm chart, which includes the CRDs.
198+
kubectl apply -k infrastructure/controllers/argocd
155199

156200
# Wait for ArgoCD to be ready (2-5 minutes)
157201
kubectl wait --for=condition=Available deployment/argocd-server -n argocd --timeout=300s
158202

159-
# Step 2: Deploy Infrastructure ApplicationSet
160-
kubectl apply -f infrastructure/infrastructure-components-appset.yaml
203+
# Step 2: Bootstrap ArgoCD to Manage Itself and Create Projects
204+
# Now that ArgoCD is running, we apply the Application resource that tells
205+
# ArgoCD to manage its own installation from Git. We also apply the projects.
206+
kubectl apply -f infrastructure/controllers/argocd/projects.yaml
207+
kubectl apply -f infrastructure/argocd-app.yaml
161208

162-
# Step 3: Deploy Monitoring ApplicationSet
209+
# Step 3: Deploy ApplicationSets
210+
# With ArgoCD managing itself, we can deploy the ApplicationSets.
211+
kubectl apply -f infrastructure/infrastructure-components-appset.yaml
163212
kubectl apply -f monitoring/monitoring-components-appset.yaml
164-
165-
# Step 4: Deploy Applications ApplicationSet
166213
kubectl apply -f my-apps/myapplications-appset.yaml
167214
```
168215

@@ -211,9 +258,9 @@ This cluster uses **TrueNAS Scale MinIO** for S3-compatible storage backups, par
211258

212259
### MinIO Setup on TrueNAS Scale
213260

214-
1. **Install MinIO App** in TrueNAS Scale Apps
215-
2. **Access MinIO Console** at `http://192.168.10.133:9002`
216-
3. **Configure via MinIO Client (mc)**:
261+
1. **Install MinIO App** in TrueNAS Scale Apps
262+
2. **Access MinIO Console** at `http://192.168.10.133:9002`
263+
3. **Configure via MinIO Client (mc)**:
217264

218265
```bash
219266
# Access MinIO container shell in TrueNAS
@@ -277,19 +324,19 @@ mc ls local/longhorn-backups
277324

278325
Store MinIO credentials securely in 1Password:
279326

280-
1. **Create 1Password item** named `minio`
281-
2. **Add fields**:
282-
- `minio_access_key`: `ABC123XYZ789EXAMPLE0`
283-
- `minio_secret_key`: `ExampleSecretKey123+RandomChars/ForDocumentation`
284-
- `minio_endpoint`: `http://192.168.10.133:9000`
327+
1. **Create 1Password item** named `minio`
328+
2. **Add fields**:
329+
- `minio_access_key`: `ABC123XYZ789EXAMPLE0`
330+
- `minio_secret_key`: `ExampleSecretKey123+RandomChars/ForDocumentation`
331+
- `minio_endpoint`: `http://192.168.10.133:9000`
285332

286333
### Longhorn S3 Backup Configuration
287334

288335
The cluster automatically configures Longhorn to use MinIO via:
289336

290-
- **External Secret**: `infrastructure/storage/longhorn/externalsecret.yaml`
291-
- **Backup Settings**: `infrastructure/storage/longhorn/backup-settings.yaml`
292-
- **Backup Target**: `s3://longhorn-backups@us-east-1/`
337+
- **External Secret**: `infrastructure/storage/longhorn/externalsecret.yaml`
338+
- **Backup Settings**: `infrastructure/storage/longhorn/backup-settings.yaml`
339+
- **Backup Target**: `s3://longhorn-backups@us-east-1/`
293340

294341
### Backup Schedule
295342

@@ -377,48 +424,6 @@ While this setup uses a single node, you can add worker nodes for additional com
377424
| **Worker Nodes** | Add compute-only nodes | Increased capacity without storage complexity |
378425
| **Multi-Master** | High availability control plane | Production-grade resilience |
379426

380-
## 📁 Directory Structure
381-
382-
```
383-
.
384-
├── infrastructure/ # Infrastructure ApplicationSet
385-
│ ├── controllers/ # ArgoCD, External Secrets, etc.
386-
│ │ └── argocd/ # ArgoCD self-management configuration
387-
│ ├── networking/ # Cilium, Gateway API, etc.
388-
│ ├── storage/ # Longhorn, CSI drivers, etc.
389-
│ ├── database/ # PostgreSQL, Redis operators
390-
│ ├── projects.yaml # ArgoCD projects
391-
│ └── root-appset.yaml # Infrastructure ApplicationSet
392-
├── monitoring/ # Monitoring ApplicationSet
393-
│ ├── prometheus-stack/ # Prometheus, Grafana, AlertManager
394-
│ ├── loki-stack/ # Loki, Promtail
395-
│ └── monitoring-components-appset.yaml
396-
├── my-apps/ # Applications ApplicationSet
397-
│ ├── ai/ # AI tools (Ollama, ComfyUI, etc.)
398-
│ ├── media/ # Media servers (Plex, Jellyfin, etc.)
399-
│ ├── home/ # Home automation (Frigate, HA, etc.)
400-
│ ├── development/ # Dev tools (Headlamp, IT-Tools, etc.)
401-
│ ├── privacy/ # Privacy tools (SearXNG, ProxiTok, etc.)
402-
│ └── myapplications-appset.yaml
403-
└── docs/ # Documentation
404-
├── argocd.md # Enterprise GitOps setup
405-
├── network.md # Network configuration
406-
├── security.md # Security setup
407-
├── storage.md # Storage configuration
408-
└── external-services.md # External services setup
409-
```
410-
411-
## ✅ Enterprise GitOps Features
412-
413-
This setup implements **production-grade patterns** used in enterprise environments:
414-
415-
1. **Self-Managing Infrastructure**: ArgoCD manages its own lifecycle
416-
2. **Clear Separation of Concerns**: Three distinct ApplicationSets
417-
3. **Simple Directory Discovery**: Easy for developers to add applications
418-
4. **Automated Operations**: Zero-touch deployments after bootstrap
419-
5. **Production Monitoring**: Full observability stack
420-
6. **Proper RBAC**: Project-based access controls
421-
422427
## 🔍 Troubleshooting
423428

424429
| Issue Type | Troubleshooting Steps |
@@ -453,20 +458,20 @@ kubectl apply -f infrastructure/argocd-app.yaml
453458

454459
This homelab setup translates directly to enterprise environments:
455460

456-
1. **Replace Git repo** with your organization's repository
457-
2. **Add proper RBAC** for team-based access
458-
3. **Configure notifications** for Slack/Teams integration
459-
4. **Add policy enforcement** with tools like OPA Gatekeeper
460-
5. **Implement proper secrets management** with External Secrets or Vault
461-
6. **Add multi-cluster support** with ArgoCD ApplicationSets
461+
1. **Replace Git repo** with your organization's repository
462+
2. **Add proper RBAC** for team-based access
463+
3. **Configure notifications** for Slack/Teams integration
464+
4. **Add policy enforcement** with tools like OPA Gatekeeper
465+
5. **Implement proper secrets management** with External Secrets or Vault
466+
6. **Add multi-cluster support** with ArgoCD ApplicationSets
462467

463468
The patterns and structure remain the same - this is **production-grade GitOps**.
464469

465470
## 🤝 Contributing
466471

467-
1. Fork the repository
468-
2. Create a feature branch
469-
3. Submit a pull request
472+
1. Fork the repository
473+
2. Create a feature branch
474+
3. Submit a pull request
470475

471476
## 📜 License
472477

docs/argocd.md

Lines changed: 20 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -79,19 +79,23 @@ kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/downloa
7979
Deploy ArgoCD and ApplicationSets in the correct order to avoid circular dependencies:
8080

8181
```bash
82-
# Step 1: Deploy ArgoCD itself
83-
kubectl apply -f infrastructure/argocd-app.yaml
82+
# Step 1: Install ArgoCD Components & CRDs
83+
# This command uses kustomize to install the ArgoCD helm chart, which includes the CRDs.
84+
kubectl apply -k infrastructure/controllers/argocd
8485

8586
# Wait for ArgoCD to be ready (2-5 minutes)
8687
kubectl wait --for=condition=Available deployment/argocd-server -n argocd --timeout=300s
8788

88-
# Step 2: Deploy Infrastructure ApplicationSet
89-
kubectl apply -f infrastructure/infrastructure-components-appset.yaml
89+
# Step 2: Bootstrap ArgoCD to Manage Itself and Create Projects
90+
# Now that ArgoCD is running, we apply the Application resource that tells
91+
# ArgoCD to manage its own installation from Git. We also apply the projects.
92+
kubectl apply -f infrastructure/controllers/argocd/projects.yaml
93+
kubectl apply -f infrastructure/argocd-app.yaml
9094

91-
# Step 3: Deploy Monitoring ApplicationSet
95+
# Step 3: Deploy ApplicationSets
96+
# With ArgoCD managing itself and projects created, we can deploy the ApplicationSets.
97+
kubectl apply -f infrastructure/infrastructure-components-appset.yaml
9298
kubectl apply -f monitoring/monitoring-components-appset.yaml
93-
94-
# Step 4: Deploy Applications ApplicationSet
9599
kubectl apply -f my-apps/myapplications-appset.yaml
96100
```
97101

@@ -294,10 +298,17 @@ kubectl apply -k infrastructure/
294298

295299
### Production Deployment
296300
```bash
297-
# Step-by-step deployment following k3s-argocd-starter pattern
298-
kubectl apply -f infrastructure/argocd-app.yaml
301+
# Step 1: Install ArgoCD Components & CRDs
302+
kubectl apply -k infrastructure/controllers/argocd
303+
304+
# Wait for ArgoCD to be ready
299305
kubectl wait --for=condition=Available deployment/argocd-server -n argocd --timeout=300s
300306
307+
# Step 2: Bootstrap ArgoCD to Manage Itself and Create Projects
308+
kubectl apply -f infrastructure/controllers/argocd/projects.yaml
309+
kubectl apply -f infrastructure/argocd-app.yaml
310+
311+
# Step 3: Deploy ApplicationSets
301312
kubectl apply -f infrastructure/infrastructure-components-appset.yaml
302313
kubectl apply -f monitoring/monitoring-components-appset.yaml
303314
kubectl apply -f my-apps/myapplications-appset.yaml

infrastructure/argocd-app.yaml

Lines changed: 9 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -23,5 +23,13 @@ spec:
2323
automated:
2424
prune: true # Delete resources that are no longer defined in Git
2525
selfHeal: true # Automatically sync when the live state drifts from Git
26+
retry:
27+
limit: 5
28+
backoff:
29+
duration: 10s
30+
factor: 2
31+
maxDuration: 3m
2632
syncOptions:
27-
- CreateNamespace=true # Create the 'argocd' namespace if it doesn't exist
33+
- CreateNamespace=true # Create the 'argocd' namespace if it doesn't exist
34+
- ServerSideApply=true # Use server-side apply for fewer conflicts
35+
- PrunePropagationPolicy=foreground # Ensures resources are deleted before the owner

infrastructure/controllers/argocd/kustomization.yaml

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
22
kind: Kustomization
33
resources:
44
- ns.yaml
5-
- ../../projects.yaml
65
- http-route.yaml
76
helmCharts:
87
- name: argo-cd
File renamed without changes.

0 commit comments

Comments
 (0)