A repository to keep resources and configuration files used with my Kubernetes homelab.

1. Content of the Repository
2. Homelab Network Diagram
3. Network Configuration
4. Homelab Infrastructure
   • Hardware
   • Guest Provisioning
   • Shared Storage
   • Other Services
   • Homelab Root CA
   • Average Power Consumption
5. Deployment
   • Ansible-defined Kubernetes Homelab
   • Manage Kubernetes Homelab with Terraform
   • Manage Kubernetes Homelab Manually
   • Install Istio
6. Upgrades
7. Blog Posts
8. Stargazers Over Time

• alertmanager - configuration files to deploy Alertmanager.
• ansible - Ansible playbooks to deploy Kubernetes homelab.
• calico - configuration files to deploy Calico CNI.
• cka - CKA study notes.
• dashboard - configuration files to deploy Kubernetes dashboard.
• docs - images and documentation files.
• grafana - configuration files to deploy Grafana.
• httpd-healthcheck - configuration files deploy a simple httpd healthcheck for Istio ingressgateway.
• istio - configuration files to deploy Istio.
• istio-addons - configuration files to deploy Istio add-ons (e.g. Kiali).
• kube-state-metrics - configuration files to deploy kube-state-metrics.
• kubecost - configuration files to deploy Kubecost.
• logging - configuration files to deploy Elastic Stack (Elasticsearch, Kibana etc).
• metallb - configuration files to deploy MetalLB.
• mikrotik-exporter - configuration files to deploy a Prometheus exporter for Mikrotik devices.
• openvpn - configuration files to deploy OpenVPN server.
• packer - configuration files build Qemu/KVM images with Packer.
• pihole-exporter - configuration files to deploy a Prometheus exporter for Pi-hole Raspberry Pi ad blocker.
• pii-demo - a demo PII application based on Apache, PHP and MySQL to test Istio's mTLS.
• pii-demo-blue-green - a demo PII application based that uses blue/green deployment.
• prometheus - configuration files to deploy Prometheus monitoring.
• pxe - configuration files for PXE boot and Kickstart.
• regcred - docker registry credentials.
• speedtest-influxdb - configuration files to deploy a Speedtest service that stores results in InfluxDB.
• terraform - configuration files to manage Kubernetes with Terraform.
• truenas-nfs - configuration files to deploy democratic-csi with TrueNAS NFS.
• x509-certificate-exporter - configuration files to deploy x509-certificate-exporter.

Network is configured as follows:

• LAN: 10.11.1.0/24.
• Gateway: 10.11.1.1.
• DNS/DHCP/NTP/SMTP servers: 10.11.1.2 and 10.11.1.3.
• Managed switch: 10.11.1.4 currently no special config but a couple of VLANs to separate homelab devices from the rest of the home network.
• PXE boot server: 10.11.1.20.
• DNS private zone: hl.test (a reserved top level DNS name .test, see rfc2606).
• DHCP: range 10.11.1.140-10.11.1.149.

Hostnames and their IP addresses:

Kubernetes environment runs on three KVM hypervisors. The goal is to maintain service in the event of a loss of a (single) host. This blog post explains how to build a multi-master Kubernetes homelab cluster by hand using KVM, PXE boot and kubeadm.

Commodity hardware is used to keep costs to a minimum.

Previously, provisioning of KVM guests was done by using a PXE boot server with Kickstart templates.

I have since migrated to Packer to make the VM deployment process faster. PXE boot is still used to provision physical hosts (hypervisors).

A TrueNAS NFS server is used to create persistent volumes claims using democratic-csi.

Homelab provides other services to Kubernetes that aren't covered here:

• Bind DNS servers with failover and dynamic updates
• DHCP failover with dynamic DNS
• Peered NTP servers
• Redundant SMTP relays

SSL certificates are signed by the homelab CA.

Create your own Certificate Authority (CA) for homelab environment. Run the following a CentOS 7 server:

$ vim /etc/pki/tls/certs/make-dummy-cert
$ openssl req -newkey rsa:2048 -keyout homelab-ca.key -nodes -x509 -days 3650 -out homelab-ca.crt

$ DOMAIN=wildcard.apps.hl.test
$ openssl genrsa -out "${DOMAIN}".key 2048 && chmod 0600 "${DOMAIN}".key
$ openssl req -new -sha256 -key "${DOMAIN}".key -out "${DOMAIN}".csr
$ openssl x509 -req -in "${DOMAIN}".csr -CA homelab-ca.crt -CAkey homelab-ca.key -CAcreateserial -out "${DOMAIN}".crt -days 1825 -sha256

~80W

Monthly, the homelab costs (((80W * 24h) / 1000) * £0.19/kWh * 365days) / 12months = £11.10 (~15$).

The deployment section assumes that the homelab environment has been provisioned.

See ansible/README.md.

Use this to deploy Kubernetes cluster with Ansible.

See terraform/README.md.

Use this to deploy various Kubernetes resources with Terraform.

Create a monitoring namespace:

$ kubectl apply -f ./monitoring-ns-istio-injection-enabled.yml

Deploy kube-state-metrics:

$ kubectl apply -f ./kube-state-metrics

Create a secret called prometheus-cluster-name that contains the cluster name the Prometheus instance is running in:

$ kubectl -n monitoring create secret generic \
  prometheus-cluster-name --from-literal=CLUSTER_NAME=kubernetes-homelab

Deploy prometheus:

$ kubectl apply -f ./prometheus

Deploy grafana:

$ kubectl apply -f ./grafana

Alertmanager uses the Incoming Webhooks feature of Slack, therefore you need to set it up if you want to receive Slack alerts.

Update the config map alertmanager/alertmanager-config-map.yml and specify your incoming webhook URL. Deploy alertmanager:

$ kubectl apply -f ./alertmanager

Update the secret file mikrotik-exporter/mikrotik-exporter-secret.yml and specify your password for the Mikrotik API user. Deploy mikrotik-exporter:

$ kubectl apply -f ./mikrotik-exporter

Deploy the Helm chart:

$ helm install x509-certificate-exporter \
  enix/x509-certificate-exporter \
  --namespace monitoring \
  --values ./x509-certificate-exporter/values.yml

Update the config map metallb/metallb-config-map.yml and specify the IP address range. Deploy MetalLB network load-balancer:

$ kubectl apply -f ./metallb

The Istio namespace must be created manually.

$ kubectl create ns istio-system

The kubectl apply command may show transient errors due to resources not being available in the cluster in the correct order. If that happens, simply run the command again.

kubectl apply -f ./istio/istio-kubernetes.yml

Install httpd-healthcheck:

$ kubectl apply -f ./httpd-healthcheck

$ kubectl apply -f istio-addons/prometheus

$ kubectl apply -f istio-addons/kiali

• Upgrading Kubernetes from 1.19 to 1.20
• Upgrading Kubernetes from 1.20 to 1.21
• Upgrading Kubernetes from 1.21 to 1.22

• Install and Configure a Multi-Master HA Kubernetes Cluster with kubeadm, HAProxy and Keepalived on CentOS 7
• Create Your Own Certificate Authority (CA) for Homelab Environment
• Install Kubernetes Dashboard
• Install Kube State Metrics on Kubernetes
• Install and Configure Prometheus Monitoring on Kubernetes
• Install and Configure Grafana on Kubernetes
• Install and Configure Alertmanager with Slack Integration on Kubernetes
• Monitor Etcd Cluster with Grafana and Prometheus
• Monitor Bind DNS Server with Grafana and Prometheus (bind_exporter)
• Monitor HAProxy with Grafana and Prometheus (haproxy_exporter)
• Monitor Linux Servers with Grafana and Prometheus (node_exporter)
• Monitor Mikrotik Router with Grafana and Prometheus (mikrotik-exporter)
• Install MetalLB and Istio Ingress Gateway with Mutual TLS for Kubernetes
• Moving to TrueNAS and Democratic CSI for Kubernetes Persistent Storage
• Configure PXE Boot Server for Rocky Linux 8 Kickstart Installation
• Migrating HA Kubernetes Cluster from CentOS 7 to Rocky Linux 8
• Blue/Green Deployment with Istio: Match Host Header and sourceLabels for Pod to Pod Communication
• Install Kubecost to Help Optimise Kubernetes Applications
• Speedtest with InfluxDB and Grafana on Kubernetes
• OpenVPN Server on Kubernetes