Thinking about redeploying my homelab from scratch, perhaps switching from XenServer back to VMware. I'd like to start out with external-secrets and have all secrets in a vault right from the beginning, and I'm also curious what a 100% open source, 100% Kubernetes environment would look like. Maybe two networks, one 100% Kubernetes, and a 2nd for Windows client systems. Here's the k8s plan so far:
k-seed:
- manual setup of the seed cluster
- helm install Argo CD
- seed Argo CD installs Cluster API / Crossplane / etc.
- seed Argo CD deploys the non-production cluster using vcluster or Cluster API / Crossplane / etc.
  - deploy MetalLB & configure the LoadBalancer IP range (can we automate this with the cluster deploy?)
  - add the cluster to the seed Argo CD instance
- seed Argo CD deploys the production cluster using vcluster or Cluster API / Crossplane / etc.
  - deploy MetalLB & configure the LoadBalancer IP range (can we automate this with the cluster deploy?)
  - add the cluster to the seed Argo CD instance
- seed Argo CD deploys Argo CD to the production cluster (k-prod)
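On the "can we automate this" question for MetalLB: yes, once the new cluster is registered with the seed Argo CD, the MetalLB chart and its address pool can be two Application objects targeting that cluster, with the pool CRs living in a per-cluster directory in git. The manifests below are an added example, not part of the plan above or of any project's own repo; the cluster name k-prod, the chart version, the git repo URL and the 192.168.10.x range are placeholders.

```yaml
# Added example: MetalLB install plus its address pool for one cluster, driven
# from the seed Argo CD. Cluster name, chart version, repo URL and IP range are
# placeholders; substitute your own.
---
# Installs the upstream MetalLB chart (controller, speakers, CRDs, webhook).
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: metallb-k-prod
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "0"   # ordered before the pool when both sit under an app-of-apps
spec:
  project: default
  source:
    repoURL: https://metallb.github.io/metallb
    chart: metallb
    targetRevision: 0.14.9              # placeholder; pin the version you tested
  destination:
    name: k-prod                        # name given to `argocd cluster add`
    namespace: metallb-system
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
    - CreateNamespace=true
---
# The per-cluster pool definition, versioned in git next to the cluster itself.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: metallb-config-k-prod
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "1"
spec:
  project: default
  source:
    repoURL: https://git.home.example/homelab/clusters.git   # placeholder repo
    targetRevision: main
    path: k-prod/metallb
  destination:
    name: k-prod
    namespace: metallb-system
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    retry:
      limit: 5                          # MetalLB's validating webhook may not be serving yet
      backoff:
        duration: 10s
        factor: 2
        maxDuration: 2m
---
# Contents of k-prod/metallb/pool.yaml in that repo.
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
  name: k-prod-pool
  namespace: metallb-system
spec:
  addresses:
  - 192.168.10.200-192.168.10.219       # placeholder; keep it outside any DHCP scope
  autoAssign: true
---
apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
  name: k-prod-l2
  namespace: metallb-system
spec:
  ipAddressPools:
  - k-prod-pool
```

The pool is a separate Application because the IPAddressPool CR is validated by MetalLB's webhook, which only answers once the chart's pods are running; the retry policy covers the window where the first sync would otherwise fail. If every cluster gets the same layout, an ApplicationSet with the cluster generator can stamp both Applications per registered cluster and take the range from a cluster label instead of a hand-written file.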
k-prod:
- Argo CD: configure a StorageClass (backed by k-ceph)
- Argo CD deploys HashiCorp Vault
  - configure the PKI secrets engine (Vault as the internal certificate authority)
  - configure the KV secrets engine (Vault as the key/secret store)
- Argo CD deploys external-secrets
  - configure a (Cluster)SecretStore backed by the Vault KV engine
  - add secret 'ca-bundle.crt': the CA's public certificate(s) in PEM format (a bundle of several certs can't be DER, and clients expect PEM for a bundle); this one is created by hand, since external-secrets needs it to trust Vault before it can fetch anything
  - *from now on all secrets get their values via external-secrets
- Argo CD deploys cert-manager
  - configure a ClusterIssuer that uses the Vault PKI engine as the certificate authority
- Argo CD deploys Pi-hole
  - configure the upstream resolvers (dns1 & dns2)
- Argo CD deploys external-dns
  - configure the Pi-hole provider so records land in Pi-hole
- update with annotations to use external-dns & cert-manager:
  - Argo CD
  - Vault
  - Pi-hole
  - *from now on all Ingress YAML includes the external-dns & cert-manager annotations
  - recommended: have the annotations from the beginning; at this point they will start working
- Argo CD deploys Keycloak
  - configure the realm: create it or import from backup
  - add secret 'default_oidc_client_secret': the client-secret half of the OIDC client ID/secret pair
  - configure a user account (or configure federation via AD, OpenLDAP, etc.)
- deploy all other apps
  - the OIDC client_secret should come from external-secrets in every app configured with OIDC
    - this might require an init container for some apps
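The k-prod wiring above, written out as the manifests Argo CD would apply: a ClusterSecretStore on Vault's KV v2 engine, an ExternalSecret that feeds Argo CD's own OIDC client secret (the Argo CD case of "client_secret comes from external-secrets"), a cert-manager ClusterIssuer on Vault's PKI engine, and an Ingress carrying both annotations. This is an added example, not part of the plan or any project's reference config; the Vault address, mount paths (kv, pki/sign/homelab), auth roles, namespaces, the Secret name ca-bundle and the hostname sso.home.example are placeholders.

```yaml
# Added example: placeholder Vault address, mounts, roles, hostnames and Secret names.
---
# external-secrets: cluster-wide store on Vault KV v2. TLS trust for Vault comes
# from the hand-made bootstrap Secret 'ca-bundle' (key ca-bundle.crt, PEM), the one
# Secret that cannot itself come from external-secrets.
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: vault-kv
spec:
  provider:
    vault:
      server: https://vault.vault.svc:8200
      path: kv                          # KV v2 mount path
      version: v2
      caProvider:
        type: Secret
        namespace: external-secrets
        name: ca-bundle
        key: ca-bundle.crt
      auth:
        kubernetes:
          mountPath: kubernetes         # Vault Kubernetes auth mount
          role: external-secrets        # Vault role bound to this ServiceAccount
          serviceAccountRef:
            name: external-secrets
            namespace: external-secrets
---
# Keycloak client secret for Argo CD, materialised as a Secret that argocd-cm
# can reference as $argocd-oidc:oidc.keycloak.clientSecret (the part-of label
# is what lets Argo CD read it).
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: argocd-oidc
  namespace: argocd
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault-kv
  target:
    name: argocd-oidc
    template:
      metadata:
        labels:
          app.kubernetes.io/part-of: argocd
  data:
  - secretKey: oidc.keycloak.clientSecret
    remoteRef:
      key: apps/argocd                  # kv/data/apps/argocd in Vault
      property: default_oidc_client_secret
---
# cert-manager: sign through a Vault PKI role.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: vault-pki
spec:
  vault:
    server: https://vault.vault.svc:8200
    path: pki/sign/homelab              # <pki mount>/sign/<role>
    caBundleSecretRef:
      name: ca-bundle                   # same bootstrap Secret, in cert-manager's namespace
      key: ca-bundle.crt
    auth:
      kubernetes:
        role: cert-manager
        mountPath: /v1/auth/kubernetes
        serviceAccountRef:
          name: cert-manager
---
# Ingress with the two annotations every service gets from here on: external-dns
# creates the Pi-hole record, cert-manager requests the certificate from vault-pki.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: keycloak
  namespace: keycloak
  annotations:
    external-dns.alpha.kubernetes.io/hostname: sso.home.example
    cert-manager.io/cluster-issuer: vault-pki
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - sso.home.example
    secretName: keycloak-tls
  rules:
  - host: sso.home.example
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: keycloak
            port:
              number: 8080
```

Two things to check when applying this: the bootstrap ca-bundle Secret has to exist in both the external-secrets namespace and cert-manager's cluster-resource namespace before either controller can reach Vault, and because it is created by hand it should not sit in a path Argo CD prunes. On the Vault side, each Kubernetes auth role (external-secrets, cert-manager, and one per app that reads its OIDC secret) should be bound to exactly one ServiceAccount and namespace and carry a policy scoped to its own KV path or PKI role, so a compromised workload cannot read another app's client secret or mint certificates for arbitrary names.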
k-ceph:
- PVC storage for all clusters
- block storage can also be used for VM disks (making for easy hot-swap)
- upgrade to two 10GbE ports on each host system
wdc: (KubeVirt in theory, but I think I'll stick with a VM)
- domain controller
- user management
- DHCP
- WDS
- WSUS using a dev SQL Server instance, with data stored on the E: drive