larivierec / home-cluster
Talos cluster using gitops and renovate automation
Repository Overview (README excerpt)
Home Kubernetes cluster

---

Overview

A monorepo that collects the pieces needed to run my homelab Kubernetes cluster and services. It contains infrastructure, cluster manifests, helper scripts and small service projects (for example the Bitwarden SDK server and a Rust connector). The repo is organized to keep infra, apps and bootstrap tooling together so a single place holds the canonical manifests and generation scripts.

High level

• Monorepo: infra, Kubernetes manifests, bootstrap helpers and service code live together.
• Goal: reproducible, git-driven cluster configuration (Flux + sops) with a small Bootstrap helper to generate local TLS material and secrets.
• Primary features used: Cilium for networking, Gateway API driven by Envoy (envoy-gateway) for ingress & edge, and the Bitwarden SDK as an out-of-cluster secrets provider.

Kubernetes Core components

• Kubernetes manifests
  • Path: — apps and components are organized per-namespace and per-app.
  • Flux and GitOps friendly YAML layout (Flux will pick manifests from the cluster repo).
• Networking: Cilium
  • Cluster CNI: Cilium handles L3/L4 networking, policy and load-balancing.
• Ingress / edge: Gateway API + Envoy (envoy-gateway)
  • Gateway resources live under .
  • Uses Gateway API (Gateway, HTTPRoute, Backend, BackendTLSPolicy, BackendTrafficPolicy, ClientTrafficPolicy) to explicitly configure client TLS and upstream TLS.
• Secrets & Secrets provider
  • ExternalSecrets configuration lives under .
  • A ClusterSecretStore is configured to use the Bitwarden SDK provider; the provider typically talks to (or an in-cluster service).

Bitwarden SDK / secrets flow (out-of-cluster mode)

• The external-secrets provider can be run outside the cluster (e.g., on your NAS) or inside.
• The ClusterSecretStore config points at the SDK server URL and a secret used to validate the server certificate:
  • File:
• Common gotcha: When the provider runs outside the cluster, it must trust the CA that issued the server cert (or you must use an in-cluster service URL instead).

TLS, certificates and common pitfalls

• Two separate TLS problems commonly show up:
  • Client TLS (client → Gateway): configure the Gateway listener with pointing at a TLS secret in the Gateway's namespace (e.g., ).
  • Upstream TLS (Gateway/Envoy → backend): configure and to instruct Envoy how to speak TLS to upstream services: trust/CA, SNI/hostname, min/max TLS versions. Secrets referenced for upstream trust must be accessible to the Gateway/controller namespace.

Where to look (quick map)

• Bootstrap / cert generation
  • - (creates secret and optionally annotates it)
• Gateway (Envoy)
  • -
• ExternalSecrets store
• Quick commands
  • Regenerate certs and update secret:

Nodes/Hardware

| Device                   | Count | OS Disk Size        | Data Disk Size | RAM  | Operating System | Purpose          |
| ------------------------ | ----- | ------------------- | -------------- | ---- | ---------------- | ---------------- |
| MS-01                    | 3     | 250Gi NVMe          | 1Ti U.2 NVMe   | 64Gi | Talos            | Kubernetes       |
| Synology RS1221+         | 1     | 36Ti HDD / 2Ti NVMe | -              | 4Gi  | DSM 7            | NAS              |
| UDM Pro Max              | 1     | -                   | -              | -    | -                | Router / Gateway |
| Unifi Core Switch XG-16  | 1     | -                   | -              | -    | -                | Switch           |
| Unifi Enterprise 24 PoE  | 1     | -                   | -              | -    | -                | Switch           |
| Unifi Flex 2.5G PoE      | 1     | -                   | -              | -    | -                | Switch           |
| Unifi Flex 2.5G Mini     | 1     | -                   | -              | -    | -                | Switch           |
| Unifi PDU Pro            | 1     | -                   | -              | -    | -                | Power Delivery   |

---

Extra Documentation

• frigate
• scrypted

🤝 Gratitude and Thanks

Thanks to all the people who donate their time to the Home Operations Discord community. Be sure to check out kubesearch.dev for ideas on how to deploy applications or get ideas on what you may deploy.

• onedr0p
• bernd-schorgers / bjw-s
• buroa
• joryirving
• home-operations

For all their hard work and dedication
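The two TLS legs described under "TLS, certificates and common pitfalls" above, written out as an added example that is not the repository's own manifests: a Gateway listener terminating client TLS from a Secret in its own namespace, an Envoy Gateway ClientTrafficPolicy pinning the minimum client TLS version, and a BackendTLSPolicy giving Envoy the CA and hostname to validate when it re-encrypts to the upstream. All names, namespaces and hostnames (network, secrets, envoy-external, bitwarden-sdk-server, internal-ca, *.example.internal) are assumed placeholders.

```yaml
# Leg 1: client -> Gateway; the TLS Secret must live in the Gateway's namespace.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: envoy-external
  namespace: network
spec:
  gatewayClassName: envoy
  listeners:
    - name: https
      protocol: HTTPS
      port: 443
      hostname: "*.example.internal"
      tls:
        mode: Terminate
        certificateRefs:
          - kind: Secret
            name: wildcard-tls   # kubernetes.io/tls Secret in namespace "network"
---
# Envoy Gateway extension: refuse legacy TLS versions from clients.
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: ClientTrafficPolicy
metadata:
  name: envoy-external-tls
  namespace: network
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: envoy-external
  tls:
    minVersion: "1.2"
---
# Leg 2: Gateway -> backend; Envoy validates the upstream cert against CA + hostname.
apiVersion: gateway.networking.k8s.io/v1alpha3
kind: BackendTLSPolicy
metadata:
  name: bitwarden-sdk-tls
  namespace: secrets
spec:
  targetRefs:
    - group: ""
      kind: Service
      name: bitwarden-sdk-server
  validation:
    caCertificateRefs:
      - group: ""
        kind: ConfigMap
        name: internal-ca        # key ca.crt; must be readable from this namespace
    hostname: bitwarden-sdk-server.secrets.svc   # SNI and the name checked in the cert
```

Without the BackendTLSPolicy, Envoy forwards to the Service in plaintext; with it but a wrong `hostname` or a CA bundle it cannot read, the upstream handshake fails rather than silently downgrading.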