11# 🚀 Talos ArgoCD Proxmox Cluster
2- =========================
32
43> Modern GitOps deployment structure using Talos OS, ArgoCD, and Cilium, with Proxmox virtualization
54
6- A GitOps-driven Kubernetes cluster using ** Talos OS** (secure, immutable Linux for K8s), ArgoCD, and Cilium, with integrated Cloudflare Tunnel for secure external access. Built for both home lab and small production environments.
5+ A GitOps-driven Kubernetes cluster using ** Talos OS** (secure, immutable Linux for K8s), ArgoCD, and Cilium, with integrated Cloudflare Tunnel for secure external access. Built for both home lab and production environments using ** enterprise-grade GitOps patterns ** .
76
87## 📋 Table of Contents
98
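Review bot: The rewritten intro promotes the project from "home lab and small production environments" to "production environments using enterprise-grade GitOps patterns", but a later context line in this same diff still says "While this setup uses a single node". A single control-plane node with no etcd quorum is not a production claim the README can back; keep the old "small production" qualifier or state the assumptions (node count, backup, HA) under which the production wording holds.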
@@ -15,9 +14,8 @@ A GitOps-driven Kubernetes cluster using **Talos OS** (secure, immutable Linux f
1514 - [ 3. Boot & Bootstrap Talos Nodes] ( #3-boot--bootstrap-talos-nodes )
1615 - [ 4. Apply Machine Configs] ( #4-apply-machine-configs )
1716 - [ 5. Install Gateway API CRDs] ( #5-install-gateway-api-crds )
18- - [ 6. Install ArgoCD & All Apps ] ( #6-install -argocd--all-apps )
17+ - [ 6. Bootstrap ArgoCD (One Command) ] ( #6-bootstrap -argocd-one-command )
1918 - [ 7. Configure Secret Management] ( #7-configure-secret-management )
20- - [ 8. Final Deployment] ( #8-final-deployment )
2119- [ Verification] ( #-verification )
2220- [ Documentation] ( #-documentation )
2321- [ Hardware Stack] ( #-hardware-stack )
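Review bot: The TOC entry for "8. Final Deployment" is removed here, but no hunk in this diff removes a matching "### 8. Final Deployment" section body; if that section still exists in the file the TOC is now out of sync, and if it was folded into step 6 the TOC should say so. The renamed anchor `#6-bootstrap-argocd-one-command` does match GitHub's slug for "6. Bootstrap ArgoCD (One Command)", so that part is fine.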
@@ -40,54 +38,64 @@ A GitOps-driven Kubernetes cluster using **Talos OS** (secure, immutable Linux f
4038``` mermaid
4139graph TD;
4240 subgraph "Git Repository"
43- Root["root-appset .yaml<br/>(path: infrastructure/root-appset.yaml )"]
41+ Bootstrap["argocd-app .yaml<br/>(Bootstrap Application )"]
4442
45- DirInfra["infrastructure/*/*<br/>(e.g., controllers/argocd)"]
46- DirMon["monitoring/*<br/>(e.g., loki-stack)"]
47- DirApps["my-apps/*/*<br/>(e.g., media/plex)"]
43+ InfraAppSet["infrastructure/root-appset.yaml<br/>(Infrastructure ApplicationSet)"]
44+ MonAppSet["monitoring/monitoring-components-appset.yaml<br/>(Monitoring ApplicationSet)"]
45+ AppsAppSet["my-apps/myapplications-appset.yaml<br/>(Applications ApplicationSet)"]
46+
47+ InfraDirs["infrastructure/*/*<br/>(e.g., controllers/argocd)"]
48+ MonDirs["monitoring/*/*<br/>(e.g., prometheus-stack)"]
49+ AppDirs["my-apps/*/*<br/>(e.g., media/plex)"]
4850
49- Root -- "scans path " --> DirInfra
50- Root -- "scans path " --> DirMon
51- Root -- "scans path " --> DirApps
51+ InfraAppSet -- "scans" --> InfraDirs
52+ MonAppSet -- "scans" --> MonDirs
53+ AppsAppSet -- "scans" --> AppDirs
5254 end
5355
54- subgraph "Argo CD"
55- Argo["Argo CD Controller"] -- "Syncs" --> Root;
56+ subgraph "ArgoCD Self-Management"
57+ ArgoCD["ArgoCD Controller"] -- "Deploys itself via" --> Bootstrap
58+
59+ subgraph "Self-Managed ApplicationSets"
60+ InfraAS["Infrastructure ApplicationSet"]
61+ MonAS["Monitoring ApplicationSet"]
62+ AppsAS["Applications ApplicationSet"]
63+ end
64+
65+ Bootstrap -- "Creates & Manages" --> InfraAS
66+ Bootstrap -- "Creates & Manages" --> MonAS
67+ Bootstrap -- "Creates & Manages" --> AppsAS
5668
5769 subgraph "Generated Applications"
58- App1["App: controllers-argocd"]
59- App2["App: database-redis"]
60- App3["App: monitoring-loki-stack"]
61- App4["App: media-plex"]
62- AppEtc["... and so on"]
70+ InfraApps["infra-argocd<br/>infra-cilium<br/>infra-longhorn<br/>..."]
71+ MonApps["monitoring-prometheus-stack<br/>monitoring-loki-stack<br/>..."]
72+ UserApps["media-plex<br/>ai-ollama<br/>home-frigate<br/>..."]
6373 end
6474
65- Argo -- "Generates from Template" --> App1
66- Argo -- "Generates from Template" --> App2
67- Argo -- "Generates from Template" --> App3
68- Argo -- "Generates from Template" --> App4
75+ InfraAS -- "Generates" --> InfraApps
76+ MonAS -- "Generates" --> MonApps
77+ AppsAS -- "Generates" --> UserApps
6978 end
7079
7180 subgraph "Kubernetes Cluster"
72- Res1["Argo CD Pods & CRDs"]
73- Res2["Redis Pods & Services"]
74- Res3["Loki Pods & Services"]
75- Res4["Plex Pod & Ingress"]
81+ InfraRes["Infrastructure Resources<br/>(ArgoCD, Cilium, Storage)"]
82+ MonRes["Monitoring Resources<br/>(Prometheus, Grafana, Loki)"]
83+ AppRes["Application Resources<br/>(Plex, Ollama, Frigate)"]
7684 end
7785
78- App1 -- "syncs infrastructure/controllers/argocd" --> Res1;
79- App2 -- "syncs infrastructure/database/redis" --> Res2;
80- App3 -- "syncs monitoring/loki-stack" --> Res3;
81- App4 -- "syncs my-apps/media/plex" --> Res4;
86+ InfraApps -- "deploys" --> InfraRes
87+ MonApps -- "deploys" --> MonRes
88+ UserApps -- "deploys" --> AppRes
8289
83- style Root fill:#f9f,stroke:#333,stroke-width:2px;
84- style Argo fill:#9cf,stroke:#333,stroke-width:2px
90+ style Bootstrap fill:#f9f,stroke:#333,stroke-width:2px
91+ style ArgoCD fill:#9cf,stroke:#333,stroke-width:2px
8592```
8693
8794### Key Features
88- - ** Three-Tier Architecture** : Separate infrastructure, monitoring, and applications
89- - ** Sync Waves** : Controlled deployment order via ArgoCD
90- - ** Declarative GitOps** : All cluster state managed in Git
95+ - ** Enterprise GitOps Pattern** : Three separate ApplicationSets for clear separation of concerns
96+ - ** Self-Managing ArgoCD** : ArgoCD manages its own installation, upgrades, and ApplicationSets
97+ - ** Simple Directory Discovery** : No complex patterns - easy to understand and maintain
98+ - ** Production Ready** : Proper error handling, retries, and monitoring integration
9199- ** GPU Integration** : Full NVIDIA GPU support via Talos system extensions and GPU Operator
92100- ** Zero SSH** : All node management via Talosctl API
93101
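Review bot: The self-management loop the new diagram draws (ArgoCD "Deploys itself via" Bootstrap, Bootstrap "Creates & Manages" the three ApplicationSets) has no documented failure mode or recovery path: a bad commit under `infrastructure/controllers/argocd` can leave the controller unable to sync itself, and the reader only discovers in the migration section that re-applying `infrastructure/argocd-app.yaml` is the way back. Add one sentence after the diagram saying that, and state whether automated prune is enabled on the ArgoCD Application, since pruning its own CRDs or controller cannot be undone from inside the cluster. Separately, the new bullet "Production Ready: Proper error handling, retries, and monitoring integration" names nothing a reader can check; point to the `syncPolicy` retry settings in the ApplicationSet templates or drop the bullet.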
@@ -136,17 +144,22 @@ kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/downloa
136144kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.2.0/experimental-install.yaml
137145```
138146
139- ### 6. Install ArgoCD & All Apps
140- With the CRDs in place, we can bootstrap Argo CD and deploy the entire cluster with a single command.
141-
142- This ` Application ` manifest tells Argo CD how to manage its own installation. Once running, Argo CD will automatically sync the ` root-appset.yaml ` located in the ` infrastructure ` directory. This ` ApplicationSet ` will then discover and deploy every other component and application in the repository.
147+ ### 6. Bootstrap ArgoCD (One Command)
148+ Deploy the self-managing ArgoCD bootstrap application. This will:
149+ 1 . ** Install ArgoCD itself** using Helm
150+ 2 . ** Create all three ApplicationSets** (infrastructure, monitoring, applications)
151+ 3 . ** Automatically discover and deploy** all components and applications
143152
144153``` bash
145- # Apply the Argo CD application. It will self- manage and deploy everything else.
154+ # Single command to deploy everything - ArgoCD will manage itself from here
146155kubectl apply -f infrastructure/argocd-app.yaml
147156```
148157
149- From this point on, every component of your cluster is managed via Git. Any changes pushed to the ` main ` branch will be automatically synced by Argo CD.
158+ ** That's it!** ArgoCD will now:
159+ - Manage its own installation and upgrades
160+ - Deploy all infrastructure components (Cilium, storage, etc.)
161+ - Deploy monitoring stack (Prometheus, Grafana, Loki)
162+ - Deploy all applications (media, AI, home automation, etc.)
150163
151164### 7. Configure Secret Management
152165``` bash
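Review bot: `kubectl apply -f infrastructure/argocd-app.yaml` cannot be the literal first and only command if that file is an ArgoCD `Application` resource: the `applications.argoproj.io` CRD must exist before the API server will accept it. Either the manifest bundles the CRDs and controller install, in which case say so, or step 1 "Install ArgoCD itself using Helm" needs the actual install command shown before the apply. Also, the removed sentence "Any changes pushed to the `main` branch will be automatically synced" was the only place that told readers a merge to `main` is a live deployment; the new "That's it!" list makes everything auto-deploy, so keep that sentence (and ideally name branch protection as the control on that path).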
@@ -173,12 +186,6 @@ kubectl create secret generic 1passwordconnect \
173186 --namespace external-secrets
174187```
175188
176- ### Key Deployment Features
177- - Three-tier architecture separating infrastructure, monitoring, and applications
178- - Sync waves ensure proper deployment order
179- - Simple directory patterns without complex include/exclude logic
180- - All components managed through just three top-level ApplicationSets
181-
182189## 🛡️ Talos-Specific Notes
183190- ** No SSH** : All management via ` talosctl ` API
184191- ** Immutable OS** : No package manager, no shell
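Review bot: Deleting this list, together with the Key Features rewrite above, removes the last mention of sync waves from the README. If ordering is still enforced (Cilium and storage before monitoring and user apps), document where it lives, for example the `argocd.argoproj.io/sync-wave` annotation on each component, because applications syncing before the CNI is the most common bootstrap failure in this layout; if waves were dropped, state how ordering is handled now. The duplication with "Key Features" is a fair reason to remove the list, but the ordering information should move, not disappear.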
@@ -196,9 +203,14 @@ talosctl health --nodes <node-ip>
196203kubectl get pods -A
197204cilium status
198205
199- # Check ArgoCD
200- kubectl get application -A
201- kubectl get pods -n argocd
206+ # Check ArgoCD self-management
207+ kubectl get applications -n argocd
208+ kubectl get applicationsets -n argocd
209+
210+ # Check generated applications
211+ kubectl get applications -n argocd -l type=infrastructure
212+ kubectl get applications -n argocd -l type=monitoring
213+ kubectl get applications -n argocd -l type=application
202214
203215# Check secrets
204216kubectl get pods -n 1passwordconnect
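Review bot: The new selectors `-l type=infrastructure`, `-l type=monitoring` and `-l type=application` only return anything if each ApplicationSet template sets that `type` label on the generated Applications, and nothing else in this diff shows those labels. Either reference where they are defined (the `template.metadata.labels` of each ApplicationSet) or use a selector the reader can confirm, otherwise the verification step silently prints an empty list and looks like a failure. Switching from `kubectl get application -A` to `-n argocd` is fine since all Applications live in that namespace.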
@@ -208,7 +220,7 @@ kubectl get externalsecret -A
208220## 📋 Documentation
209221- ** [ View Documentation Online] ( https://mitchross.github.io/k3s-argocd-proxmox ) ** - Full documentation website
210222- ** [ Local Documentation] ( docs/ ) ** - Browse documentation in the repository:
211- - [ ArgoCD Setup] ( docs/argocd.md )
223+ - [ ArgoCD Setup] ( docs/argocd.md ) - ** Enterprise GitOps patterns and self-management **
212224 - [ Network Configuration] ( docs/network.md )
213225 - [ Storage Configuration] ( docs/storage.md )
214226 - [ Security Setup] ( docs/security.md )
@@ -249,37 +261,53 @@ While this setup uses a single node, you can add worker nodes for additional com
249261
250262```
251263.
252- ├── infrastructure/ # Infrastructure components
253- │ ├── controllers/ # Kubernetes controllers
254- │ │ └── argocd/ # ArgoCD configuration and projects
255- │ ├── networking/ # Network configurations
256- │ ├── storage/ # Storage configurations
257- │ └── root-appset.yaml # Main infrastructure ApplicationSet
258- ├── monitoring/ # Monitoring components
259- │ ├── loki-stack/ # Loki logging stack
260- │ └── prometheus-stack/ # Prometheus monitoring stack
261- ├── my-apps/ # User applications
262- │ ├── ai/ # AI-related applications
263- │ ├── media/ # Media applications
264- │ ├── development/ # Development tools
265- │ ├── home/ # Home automation apps
266- │ └── privacy/ # Privacy-focused applications
267- ├── docs/ # Documentation
268- │ ├── argocd.md # ArgoCD setup and workflow
269- │ ├── network.md # Network configuration
270- │ ├── security.md # Security setup
271- │ ├── storage.md # Storage configuration
272- │ └── external-services.md # External services setup
264+ ├── infrastructure/ # Infrastructure ApplicationSet
265+ │ ├── controllers/ # ArgoCD, External Secrets, etc.
266+ │ │ └── argocd/ # ArgoCD self-management configuration
267+ │ ├── networking/ # Cilium, Gateway API, etc.
268+ │ ├── storage/ # Longhorn, CSI drivers, etc.
269+ │ ├── database/ # PostgreSQL, Redis operators
270+ │ ├── projects.yaml # ArgoCD projects
271+ │ └── root-appset.yaml # Infrastructure ApplicationSet
272+ ├── monitoring/ # Monitoring ApplicationSet
273+ │ ├── prometheus-stack/ # Prometheus, Grafana, AlertManager
274+ │ ├── loki-stack/ # Loki, Promtail
275+ │ └── monitoring-components-appset.yaml
276+ ├── my-apps/ # Applications ApplicationSet
277+ │ ├── ai/ # AI tools (Ollama, ComfyUI, etc.)
278+ │ ├── media/ # Media servers (Plex, Jellyfin, etc.)
279+ │ ├── home/ # Home automation (Frigate, HA, etc.)
280+ │ ├── development/ # Dev tools (Headlamp, IT-Tools, etc.)
281+ │ ├── privacy/ # Privacy tools (SearXNG, ProxiTok, etc.)
282+ │ └── myapplications-appset.yaml
283+ └── docs/ # Documentation
284+ ├── argocd.md # Enterprise GitOps setup
285+ ├── network.md # Network configuration
286+ ├── security.md # Security setup
287+ ├── storage.md # Storage configuration
288+ └── external-services.md # External services setup
273289```
274290
291+ ## ✅ Enterprise GitOps Features
292+
293+ This setup implements ** production-grade patterns** used in enterprise environments:
294+
295+ 1 . ** Self-Managing Infrastructure** : ArgoCD manages its own lifecycle
296+ 2 . ** Clear Separation of Concerns** : Three distinct ApplicationSets
297+ 3 . ** Simple Directory Discovery** : Easy for developers to add applications
298+ 4 . ** Automated Operations** : Zero-touch deployments after bootstrap
299+ 5 . ** Production Monitoring** : Full observability stack
300+ 6 . ** Proper RBAC** : Project-based access controls
301+
275302## 🔍 Troubleshooting
276303
277304| Issue Type | Troubleshooting Steps |
278305| ------------| ----------------------|
279306| ** Talos Node Issues** | • ` talosctl health ` <br >• Check Talos logs: ` talosctl logs -n <node-ip> -k ` |
307+ | ** ArgoCD Self-Management** | • ` kubectl get application argocd -n argocd ` <br >• Check ApplicationSet status<br >• Review ArgoCD logs |
308+ | ** ApplicationSet Issues** | • ` kubectl get applicationsets -n argocd ` <br >• Check directory patterns<br >• Verify Git connectivity |
280309| ** Network Issues** | • Check Cilium status<br >• Verify Gateway API<br >• Test DNS resolution |
281310| ** Storage Issues** | • Verify PV binding<br >• Check Longhorn/Local PV logs<br >• Validate node affinity |
282- | ** ArgoCD Issues** | • Check application sync status<br >• Review application logs |
283311| ** Secrets Issues** | • Check External Secrets Operator logs<br >• Verify 1Password Connect status |
284312| ** GPU Issues** | • Check GPU node labels<br >• Verify NVIDIA Operator pods<br >• Check ` nvidia-smi ` on GPU nodes |
285313
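Review bot: The added `projects.yaml` entry and the new bullet "Proper RBAC: Project-based access controls" should say what the AppProjects actually restrict. An `AppProject` with `sourceRepos: ['*']` and unrestricted `destinations` gives no least-privilege benefit, and since each ApplicationSet generates an Application from every directory under its tree, anyone who can merge to the repo can deploy anything the project permits; state the `sourceRepos`, `destinations` and namespace limits per tier (infrastructure, monitoring, my-apps) so the RBAC claim is checkable. The "Enterprise GitOps Features" list also restates the Key Features section almost item for item; keep one of them. The two new troubleshooting rows are good additions.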
@@ -297,11 +325,23 @@ kubectl delete applications --all -n argocd
297325kubectl get applicationsets -n argocd -o name | xargs -I{} kubectl patch {} -n argocd --type json -p ' [{"op": "remove","path": "/metadata/finalizers"}]'
298326kubectl delete applicationsets --all -n argocd
299327
300- # Only then apply the new structure in order
328+ # Bootstrap with the new enterprise pattern
301329kubectl apply -f infrastructure/argocd-app.yaml
302- kubectl apply -f infrastructure/root-appset.yaml
303330```
304331
332+ ## 🚀 Taking to Production
333+
334+ This homelab setup translates directly to enterprise environments:
335+
336+ 1 . ** Replace Git repo** with your organization's repository
337+ 2 . ** Add proper RBAC** for team-based access
338+ 3 . ** Configure notifications** for Slack/Teams integration
339+ 4 . ** Add policy enforcement** with tools like OPA Gatekeeper
340+ 5 . ** Implement proper secrets management** with External Secrets or Vault
341+ 6 . ** Add multi-cluster support** with ArgoCD ApplicationSets
342+
343+ The patterns and structure remain the same - this is ** production-grade GitOps** .
344+
305345## 🤝 Contributing
306346
3073471 . Fork the repository
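Review bot: "Taking to Production" step 5, "Implement proper secrets management with External Secrets or Vault", contradicts section 7 of this same README, which already configures External Secrets Operator with 1Password Connect; reword it to "extend the existing External Secrets setup" or remove it. On the migration block, removing `kubectl apply -f infrastructure/root-appset.yaml` is correct now that the bootstrap Application creates the ApplicationSets, but say so explicitly for readers who applied it by hand before. Since the preceding context lines strip finalizers before `kubectl delete applications --all`, workloads survive the migration and are adopted by the new Applications; note that anything present in the cluster but no longer in Git will be removed on the first sync if prune is enabled.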