Homelab with Kubernetes using Raspberry Pi 5s
- 3 Raspberry Pi 5s
- Debian Bookworm
- Ansible
- containerd
- Kubernetes
openssl genrsa -out username.key 2048
openssl req -new -key username.key -out username.csr -subj "/CN=username"
Base64-encode the username CSR
export csr=$(cat username.csr | base64 | tr -d '\n')
Create a new file with the following YAML and save it as username-csr.yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: username
spec:
  request: <base64-csr-here>
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - digital signature
  - key encipherment
  - client auth
Place the encoded CSR in the request field of the manifest
sed -i "s|\(request: \).*|\1$csr|" username-csr.yaml
kubectl certificate approve username
kubectl get csr cflor -ojsonpath='{.status.certificate}'
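Before the approve step above, it helps to check which identity the request asks for, because the issued client certificate carries whatever subject the CSR contains. The script below is an added example, not part of the original page: it rebuilds the manifest with the same openssl steps, decodes the request field and confirms the subject is exactly the expected CN. The function names and the cluster-ops group are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original page). Function names, the demo
# subjects and the "cluster-ops" group are constructed for illustration.

# Repeat the page's steps: key, CSR, base64, manifest. Args: dir, name, subject.
write_csr_manifest() {
  openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
  openssl req -new -key "$1/$2.key" -out "$1/$2.csr" -subj "$3"
  cat > "$1/$2-csr.yaml" <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: $2
spec:
  request: $(base64 < "$1/$2.csr" | tr -d '\n')
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - digital signature
  - key encipherment
  - client auth
EOF
}

# Decode spec.request and print its subject in RFC 2253 form, e.g. "CN=username".
# Prints nothing if the field does not decode to a parseable CSR.
csr_subject() {
  sed -n 's/^[[:space:]]*request:[[:space:]]*//p' "$1" | base64 -d 2>/dev/null |
    openssl req -noout -subject -nameopt RFC2253 2>/dev/null |
    sed 's/^subject= *//'
}

# Succeed only when the CSR names exactly the expected user and no groups:
# the API server takes the user name from CN and group names from O.
csr_matches_user() {
  [ "$(csr_subject "$1")" = "CN=$2" ]
}

demo() {
  d=$(mktemp -d)
  write_csr_manifest "$d" username "/CN=username"
  write_csr_manifest "$d" grouped "/CN=username/O=cluster-ops"
  for m in username grouped; do
    if csr_matches_user "$d/$m-csr.yaml" username; then verdict="matches"
    else verdict="review before approving"; fi
    echo "$m: $(csr_subject "$d/$m-csr.yaml") -> $verdict"
  done
  rm -rf "$d"
}
demo
```

The check fails closed: a request field that does not decode to a CSR yields an empty subject and does not match.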
Example kubeconfig
apiVersion: v1
clusters:
- cluster:
    certificate-authority: /home/cflor/.homelab/ca.crt
  name: home
contexts:
- context:
    cluster: home
    namespace: default
    user: cflor
  name: home
current-context: home
kind: Config
preferences: {}
users:
- name: cflor
  user:
    client-certificate: /home/cflor/.homelab/cflor.crt
    client-key: /home/cflor/.homelab/cflor.key
Example of a cluster role binding with cluster-admin permission
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cflor
  resourceVersion: "3944821"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: cflor
In this case the user is cflor.
By default the kubelet uses self-signed certificates generated by kubeadm, which means an external service like metrics-server can't be secured with the kubelet through TLS. We can configure the kubelet to use certificates issued through certificates.k8s.io instead.
Edit the kubelet-config ConfigMap and add serverTLSBootstrap: true
Edit the kubelet config on each node and restart the kubelet service
ansible all -b -i inventory.yaml -a "echo 'serverTLSBootstrap: true' >> /var/lib/kubelet/config.yaml" -m shell
ansible all -b -i inventory.yaml -a "sudo systemctl restart kubelet" -m shell
- Verify the admin.conf kubeconfig to understand - DONE
- Sign a certificate to use from the personal laptop - DONE
- Configure the other instances to join the cluster - DONE
- Deploy ArgoCD on it - DONE
- Deploy jackett
- Start working on the personal blog
- Configure Samba in k8s with PV/PVC
- Refactor the changed_when to when and use changed_when whenever necessary
- Test how to ensure a pod will restart when a node gets an unexpected shutdown
- Jackett
- Personal blog
- Plex server / DLNA
- Crypto Miner