2.2 KiB
Homelab Kubernetes – GitOps Repository
Currently in process of major overhaul, so things may be a bit messy for a few days This repository contains the Kubernetes manifests and Helm configurations used to operate my self-hosted infrastructure.
The cluster runs on Talos OS and is fully managed using ArgoCD with the App-of-Apps pattern.
Overview
All infrastructure and applications are declaratively defined in this repository.
Core components:
- Talos OS (Kubernetes distribution)
- ArgoCD (GitOps controller)
- Sealed Secrets (encrypted secret management)
- cert-manager (certificate automation)
- Istio (Gateways for ingress and reverse proxy)
- MetalLB (bare-metal load balancing)
Repository Structure
├── apps/
├── audiobookshelf/
├── bytestash/
├── cert-manager/
├── cluster-issuer/
├── focalboard/
├── forgejo/
├── harbor-config/
├── hedgedoc/
├── karakeep/
├── linkwarden/
├── metallb/
├── minio/
├── navidrome/
├── sealed-secrets/
├── security/
├── stirling-pdf/
├── woodpecker/
├── yopass/
└── root-app.yaml
Each application directory contains the manifests or Helm values required to deploy the service.
root-app.yaml bootstraps all applications via ArgoCD.
GitOps Structure
root-app.yamldefines the parent ArgoCD application.- Child applications are defined under
apps/. - Infrastructure components and services are separated by directory.
- The repository represents the desired state of the cluster.
Secrets Management
Secrets are managed using Bitnami Sealed Secrets.
- Plain Kubernetes Secrets are sealed using
kubeseal. - Only encrypted SealedSecret resources are committed to Git.
- The Sealed Secrets controller decrypts them inside the cluster.
No unencrypted secrets are stored in this repository.
Networking
Load Balancing
MetalLB provides external IP addresses for services in the bare-metal cluster.
Ingress & Reverse Proxy
Istio Gateways are used to expose services externally and handle reverse proxy functionality.
TLS
cert-manager manages certificate issuance and renewal using configured ClusterIssuers.