Services
Gateway
Haproxy
HAProxy is a free and open source software that provides a high availability load balancer and reverse proxy for TCP and HTTP-based applications that spreads requests across multiple servers.
Haproxy load-balances all incoming http and https traffic from the Internet (ports 80 and 443) via the master nodes, and also load-balances all Kubernetes api server traffic on the local network (port 6443). An ACL rule is defined to accept only local network IP address requests for the api server.
The web interface lets you view the health status of master nodes on both types of endpoints (server api and internet traffic).
Pi-Hole
Pi-hole is a Linux network-level advertisement and Internet tracker blocking application which acts as a DNS sinkhole and optionally a DHCP server, intended for use on a private network. It is designed for low-power embedded devices with network capability, such as the Raspberry Pi, but can be installed on almost any Linux machine.
Pi-hole has the ability to block traditional website advertisements as well as advertisements in unconventional places, such as smart TVs and mobile operating system advertisements.
Using the web interface, you can enable/disable ad and tracker blocking, add a list of domains to be blocked, and configure local network DNS settings (and DHCP if required). It is also possible to view statistics on blocked domains according to the privacy rules set.
Wireguard
WireGuard is a communication protocol and free and open-source software that implements encrypted virtual private networks (VPNs), and was designed with the goals of ease of use, high speed performance, and low attack surface.
Wireguard's web interface lets you create / delete / activate / deactivate VPN users, download their configuration file and display the user's QrCode. With this user configuration file, a user can access the homelab network to perform an ssh connection to the machines and then request the Kubernetes api server.
Access
Gateway web interface services are deployed and accessible for admin purpose, they are available on local network at :
| Name | Url |
|---|---|
| Haproxy dashboard | http://192.168.1.99:8404 |
| Pihole dashboard | http://192.168.1.99:5353 |
| Wireguard dashboard | http://192.168.1.99:51821 |
Notes: Replace
192.168.1.99with the gateway's ip address set in hosts.yml.
Kubernetes
Services
The following services are deployed in the cluster :
| Name | Description | Helm chart |
|---|---|---|
| Actions-runner-controller | Github Actions runners controller | actions-runner-controller/actions-runner-controller |
| ArgoCD | GitOps continuous delivery tool | argo/argo-cd |
| Argo-workflows | Workflow automation engine | argo/argo-workflows |
| Cert-manager | Cloud native certificate management | cert-manager/cert-manager |
| Cloud-native-postgres | Cloud native postgres database management | cnpg/cloudnative-pg |
| Coder | Remote selfhosted development environments | coder-v2/coder |
| Homepage | Home dashboard | unknowniq/homepage |
| Gitea | Private, Fast, Reliable DevOps Platform | gitea/gitea |
| Harbor | Cloud native registry | bitnami/harbor |
| Ingress-nginx | Kubernetes ingress controller | ingress-nginx/ingress-nginx |
| Keycloak | Single Sign On service | bitnami/keycloak |
| Kubernetes-dashboard | Kubernetes dashboard | k8s-dashboard/kubernetes-dashboard |
| Longhorn | Cloud native distributed block storage | longhorn/longhorn |
| Mattermost | Chat service with file sharing and integrations | mattermost/mattermost-team-edition |
| Minio | High Performance Object Storage | bitnami/minio |
| MLflow | ML experiment tracking and model registry | community-charts/mlflow |
| Outline | Share notes and wiki with your team | lrstanley/outline |
| Prometheus-stack | Open-source monitoring solution | prometheus-community/kube-prometheus-stack |
| RustFS | High Performance Object Storage | - |
| Sonarqube | Code quality analysis service | sonarqube/sonarqube |
| Sops | Secret manager that decode on the fly | sops-secrets-operator/sops-secrets-operator |
| System-upgrade-controller | K3S upgrade controller | - |
| Teleport | Secure access and identity for infrastructure | teleport/teleport-cluster |
| Trivy-operator | Kubernetes-native security toolkit | aqua/trivy-operator |
| Vault | Secret management service | hashicorp/vault |
| Vault-operator | Vault Secrets Operator for Kubernetes | hashicorp/vault-secrets-operator |
| Vaultwarden | Password management service | vaultwarden/vaultwarden |
Versions
All services helm charts and versions are managed through ArgoCD ApplicationSets with configuration stored in:
- App charts: ./argo-cd/apps/ - Each app has its own
Chart.yamldefining the version - Core instances: ./argo-cd/core/instances/ - Enable/disable core services
- Platform instances: ./argo-cd/platforms/instances/ - Enable/disable platform services
Management
Services are managed via GitOps using ArgoCD ApplicationSets:
Core services - Managed by core/manager.yaml:
- Enable/disable apps in ./argo-cd/core/instances/<instance>/<env>.json
- Configure values in ./argo-cd/core/values/<instance>/<app>/<env>.yaml
Platform services - Managed by platforms/manager.yaml:
- Enable/disable apps in ./argo-cd/platforms/instances/<instance>/<env>.json
- Configure values in ./argo-cd/platforms/values/<instance>/<app>/<env>.yaml
To enable/disable a service, edit the corresponding JSON instance file and set "enabled": "true" or "enabled": "false".
Access
Kubernetes services that are available through user interfaces are centralized on the Homepage dashboard, the full list is :
Admin
| Name | Url |
|---|---|
| ArgoCD (admin) | https://gitops.admin.domain.com |
| Longhorn (admin) | http://longhorn.admin.domain.com |
| Vault (admin) | https://vault.admin.domain.com |
Standard
| Name | Url |
|---|---|
| ArgoCD | https://gitops.domain.com |
| Coder | https://coder.domain.com |
| Homepage | https://domain.com |
| Gitea | https://git.domain.com |
| Grafana | https://monitoring.domain.com |
| Harbor | https://registry.domain.com |
| Keycloak | https://sso.domain.com |
| Kubernetes-dashboard | https://kube.domain.com |
| Mattermost | https://mattermost.domain.com |
| Minio - api | https://s3.domain.com |
| Minio - web | https://minio.domain.com |
| Outline | https://outline.domain.com |
| SonarQube | http://sonarqube.domain.com |
| Vault | https://vault.domain.com |
| Vaultwarden | https://vaultwarden.domain.com |
Notes: Replace
domain.comby your own domain configured in your values files.
Single sign on
Keycloak is deployed as the cluster single sign on tool, it give access to various services accross the same account (i.e: username / password pair) to improve user experience. On the other hand, keycloak can pass user groups and roles to control access level to theese services.
It is also usefull for admins to have a better control over homelab users and access, users can be manage connecting the keycloak interface (cf: keycloak service url) with admin credentials (keycloak.username and keycloak.password can be found in admin vault under the keycloak secrets).
Don't forget to select 'homelab' realm
By default an admin group is created to give admin access on each service that use keycloak sso registration, keycloak users that are not in the admin group get simple access.
Following services are connected through sso :
- ArgoCD
- Coder
- Harbor
- Gitea
- Grafana
- Minio
- Outline
- Sonarqube
- Vault
Monitoring
The cluster itself and some services are monitored using Prometheus and Grafana, ServiceMonitor are enabled for Vault, Minio, Argocd and Trivy-operator to increase metrics coming from these applications.
Some dashboards are already delivered with the installation but more can be added in argo-cd/apps/prometheus-stack/grafana-dashboards/, they will be automatically loaded on ArgoCD synchronization via the dashboards.yaml template. Already added dashboards are: