Skip to content

Latest commit

 

History

History
81 lines (62 loc) · 2.49 KB

README.md

File metadata and controls

81 lines (62 loc) · 2.49 KB

My Homelab

... Powered by 📦

k8s k3s argo logos ... managed with ArgoCD, Ansible, Renovate, and GitHub Actions 🤖

Status

MegaLinter GitHub Release

Uptime Robot ratio (30 days) Uptime Robot status Uptime Robot status

Setup

Today is automated via Ansible. Make sure to:

  • Set node IP in inventory.
  • Enable ssh key auth using ssh-copy-id root@<ip>

To kick of the configuration:

ansible-playbook play.yml

Bootstrap "External Secrets" secret

Create an IAM user with the following policy attached:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Get",
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "arn:aws:secretsmanager:*:012345678912:secret:k8s*"
    },
    {
      "Sid": "List",
      "Effect": "Allow",
      "Action": "secretsmanager:ListSecrets",
      "Resource": "*"
    }
  ]
}

This gives access to secrets prefixed with k8s. Your secrets can now be stored in AWS Secrets Manager.

# To bootstrap, we add AWS credentials via one secret:
kubectl create secret generic awssm-secret -n external-secrets \
  --from-literal=access-key=$ACCESS_KEY --from-literal=secret-access-key=$SECRET_KEY

Today, cert-manager and ddns-route53 rely on a secret in AWS Secrets Manager in the following format:

{
  "HOSTED_ZONE_ID": "<>",
  "RECORD_NAME": "<>",
  "AWS_ACCESS_KEY_ID": "<>",
  "AWS_SECRET_ACCESS_KEY": "<>",
  "AWS_DEFAULT_REGION": "eu-west-1"
}