🚢 K3s GitOps Infrastructure Demo

Secret Management

System: Centralized Secret Generation ✅
Source: scripts/generate-secrets.sh
Storage: Kubernetes Secrets, encrypted at rest in the cluster datastore (K3s only does this when the server is started with --secrets-encryption)
Access: RBAC + Namespace isolation
Mount: /etc/secrets (volume mount)
Examples: Registry auth, TLS certs, DB passwords
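
The Storage, Access and Mount lines above correspond to three ordinary Kubernetes objects. The manifest below is an added example, not the project's own `scripts/generate-secrets.sh` output or its repository manifests: a namespaced Secret, a Role that grants read access to that one secret only, and a Deployment that mounts it read-only at /etc/secrets. The secret name `tech-summary-db`, the group `tech-summary-operators`, the image reference and the placeholder value are assumptions.

```yaml
# Added example (not the project's manifests). Names, group and image are assumed.
apiVersion: v1
kind: Secret
metadata:
  name: tech-summary-db
  namespace: tech-summary
type: Opaque
stringData:                         # plain text here; the API server stores it base64-encoded
  DB_PASSWORD: "<value produced by scripts/generate-secrets.sh>"   # placeholder, never commit real values
---
# Read access to this one secret only, for the operators who rotate it.
# A pod that mounts the secret needs no API permission: the kubelet fetches it.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tech-summary-db-reader
  namespace: tech-summary
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["tech-summary-db"]   # not every secret in the namespace
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tech-summary-db-reader
  namespace: tech-summary
subjects:
  - kind: Group
    name: tech-summary-operators          # assumed group name
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: tech-summary-db-reader
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tech-summary
  namespace: tech-summary
spec:
  replicas: 2
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 0                   # one replica keeps serving during a rollout
      maxSurge: 1
  selector:
    matchLabels:
      app: tech-summary
  template:
    metadata:
      labels:
        app: tech-summary
    spec:
      automountServiceAccountToken: false # the app never calls the API server (assumed)
      securityContext:
        runAsNonRoot: true
        runAsUser: 10001
        fsGroup: 10001                    # secret files are group-owned by this gid
      containers:
        - name: app
          image: ghcr.io/rhodium289/tech-summary:sha-0123456   # assumed image reference
          volumeMounts:
            - name: secrets
              mountPath: /etc/secrets     # file appears as /etc/secrets/DB_PASSWORD
              readOnly: true
      volumes:
        - name: secrets
          secret:
            secretName: tech-summary-db
            defaultMode: 0440             # owner/group read only, no world bits
```

A quick check that the Role is as narrow as intended: `kubectl auth can-i get secrets/tech-summary-db -n tech-summary --as=alice --as-group=tech-summary-operators` should answer yes, while the same query for `secrets --subresource` or any other secret name in the namespace should answer no.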

GitOps Deployment

Platform: K3s Kubernetes Cluster
Controller: FluxCD v2 GitOps ✅
Repository: rhodium289/cluster
Reconciliation: 5-minute automatic sync
Namespace: tech-summary (isolated)
Deployment: 2 replicas with rolling updates
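
What the "5-minute automatic sync" looks like in Flux terms, as an added example rather than the actual contents of rhodium289/cluster: a GitRepository source polled every five minutes and a Kustomization that applies one path from it into the tech-summary namespace. The branch, the path inside the repository, the credentials secret name and the Deployment used for the health check are assumptions.

```yaml
# Added example, not the repository's real Flux manifests. Branch, path, secret and Deployment name are assumed.
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
  name: cluster
  namespace: flux-system
spec:
  interval: 5m                            # "5-minute automatic sync"
  url: https://github.com/rhodium289/cluster
  ref:
    branch: main                          # assumed
  secretRef:
    name: cluster-git-auth                # assumed; read-only deploy credentials
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: tech-summary
  namespace: flux-system
spec:
  interval: 5m
  sourceRef:
    kind: GitRepository
    name: cluster
  path: ./apps/tech-summary               # assumed path inside the repo
  prune: true                             # objects deleted from Git are deleted from the cluster
  targetNamespace: tech-summary
  timeout: 3m
  healthChecks:                           # the reconcile is Ready only when the rollout is
    - apiVersion: apps/v1
      kind: Deployment
      name: tech-summary
      namespace: tech-summary
```

With `prune: true`, a deletion in Git is also a deletion in the cluster, which is what makes the repository the single source of truth; the price is that a bad commit can remove a resource, so branch protection on the Git side is part of the security boundary.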

Network & SSL

Domain: tech-summary.poc.downloadserver.co.uk
Load Balancer: MetalLB (bare metal)
Ingress: Traefik v3 + automatic SSL
Certificate: Let's Encrypt (cert-manager)
Protocol: HTTPS/TLS 1.3 ✅
DNS: Public record for the domain points at the MetalLB address; ACME challenge automated by cert-manager
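
The four objects that back this section, as an added example and not the project's own manifests: a MetalLB address pool with L2 advertisement, a Let's Encrypt ClusterIssuer, the Certificate for the demo host, and a Traefik TLSOption that enforces the TLS 1.3 minimum. The page only says the challenge is automated; this example uses the HTTP-01 solver through Traefik (a DNS-01 setup would replace the `solvers` entry with the DNS provider's credentials). The IP range, contact e-mail and object names are assumptions.

```yaml
# Added example (not the project's manifests). IP range, e-mail and names are assumed.
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
  name: lan-pool
  namespace: metallb-system
spec:
  addresses:
    - 192.168.1.240-192.168.1.250        # assumed LAN range reserved for LoadBalancer IPs
---
apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
  name: lan-l2
  namespace: metallb-system
spec:
  ipAddressPools:
    - lan-pool
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ops@example.com                # assumed contact address
    privateKeySecretRef:
      name: letsencrypt-prod-account-key  # the ACME account key, not the site key
    solvers:
      - http01:
          ingress:
            ingressClassName: traefik     # cert-manager answers the challenge through Traefik
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: tech-summary-tls
  namespace: tech-summary
spec:
  secretName: tech-summary-tls            # Traefik serves this; cert-manager renews it
  dnsNames:
    - tech-summary.poc.downloadserver.co.uk
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt-prod
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always                # fresh private key on every renewal
---
apiVersion: traefik.io/v1alpha1
kind: TLSOption
metadata:
  name: tls13-only
  namespace: tech-summary
spec:
  minVersion: VersionTLS13                # handshakes below TLS 1.3 are refused
```

The TLSOption only takes effect on routes that reference it by name in their `tls.options`; a route without that reference falls back to Traefik's default options, so check with `openssl s_client -tls1_2 -connect tech-summary.poc.downloadserver.co.uk:443` that the handshake is rejected.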

CI/CD Pipeline

Runners: Self-hosted in K3s cluster
Architecture: Docker-in-Docker (DinD)
Caveat: DinD needs a privileged container, so the runners belong in their own namespace with their own RBAC
Registry: GitHub Container Registry
Performance: ~5x faster than hosted
Features: Private registry + cluster access
Status: Active and processing builds ✅
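
A workflow for these runners, as an added example and not the repository's actual pipeline: the job runs on the in-cluster self-hosted runners, logs in to GHCR with its own short-lived GITHUB_TOKEN (no long-lived PAT stored on the runner), and pushes an image tagged with the commit SHA so that what FluxCD deploys is immutable. The runner label `k3s` and the image name are assumptions.

```yaml
# Added example (not the repository's real workflow). Runner label and image name are assumed.
name: build-and-push
on:
  push:
    branches: [main]
permissions:                              # least privilege for the job token
  contents: read
  packages: write                         # the only write a GHCR push needs
jobs:
  build:
    runs-on: [self-hosted, linux, k3s]    # "k3s" is an assumed runner label
    steps:
      - uses: actions/checkout@v4
      - name: Log in to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}   # expires with the job
      - uses: docker/setup-buildx-action@v3       # builds against the DinD daemon beside the runner
      - name: Build and push
        uses: docker/build-push-action@v6
        with:
          context: .
          push: true
          tags: |
            ghcr.io/rhodium289/tech-summary:sha-${{ github.sha }}
            ghcr.io/rhodium289/tech-summary:latest
```

The SHA tag is what should end up in the Deployment manifest in Git; `latest` is kept only for humans. Because the DinD daemon the runner builds against needs `privileged: true`, anything that can run a workflow on these runners can escape to the node, which is why the runner namespace should carry no RBAC beyond what the pipeline needs.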

🏗️ Complete Infrastructure Stack

This demonstration showcases a production-ready K3s cluster with modern GitOps practices and advanced CI/CD capabilities:

🚢 K3s Kubernetes
Lightweight container orchestration
🔄 FluxCD v2
GitOps continuous deployment
🌐 Traefik v3
Ingress controller with SSL/TLS
🔒 cert-manager
Let's Encrypt automation
⚖️ MetalLB
Bare-metal load balancer
🔑 OAuth2-Proxy
Google OIDC authentication
🛡️ Access Manager
Per-app authorization
🏗️ GitHub Actions
Self-hosted CI/CD runners

🔄 GitOps Workflow:

Git Push → GitHub Actions (Self-hosted) → Container Build → GHCR Push → FluxCD Sync → Kubernetes Deploy

🌐 Network Flow:

Internet → External DNS → MetalLB LoadBalancer → Traefik Ingress → Kubernetes Service → Pod

🔑 Authentication Flow:

Request → Traefik → OAuth2-Proxy (Google OIDC) → Access Manager (Per-App Authorization) → Application
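
The chain above expressed as Traefik v3 objects, as an added example and not the project's own manifests. oauth2-proxy is assumed to run with `--reverse-proxy=true --set-xauthrequest --upstream=static://202`, so it answers 202 with `X-Auth-Request-Email` for a valid session and redirects to Google otherwise; Traefik's forwardAuth passes any non-2xx reply straight back to the client, which is what produces the login redirect. The Access Manager service address and its `/authorize` path, the TLS secret name and the `tls13-only` TLSOption are assumptions.

```yaml
# Added example (not the project's manifests). oauth2-proxy flags, Access Manager address, TLS names are assumed.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: google-oidc
  namespace: tech-summary
spec:
  forwardAuth:
    address: http://oauth2-proxy.oauth2-proxy.svc.cluster.local:4180/
    trustForwardHeader: true              # oauth2-proxy needs X-Forwarded-* to build the return URL
    authResponseHeaders:                  # copied from oauth2-proxy's 202 onto the request
      - X-Auth-Request-Email
      - X-Auth-Request-User
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: access-manager
  namespace: tech-summary
spec:
  forwardAuth:
    address: http://access-manager.access-manager.svc.cluster.local:8080/authorize   # assumed
    authRequestHeaders:                   # only the identity is sent to the authorizer;
      - X-Auth-Request-Email              # Traefik adds X-Forwarded-Host/Uri itself, naming the app
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: authn-authz
  namespace: tech-summary
spec:
  chain:
    middlewares:                          # order matters: identity first, per-app decision second
      - name: google-oidc
      - name: access-manager
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: tech-summary
  namespace: tech-summary
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`tech-summary.poc.downloadserver.co.uk`)
      kind: Rule
      middlewares:
        - name: authn-authz
      services:
        - name: tech-summary
          port: 80
  tls:
    secretName: tech-summary-tls          # issued and renewed by cert-manager
    options:
      name: tls13-only                    # assumed TLSOption with minVersion VersionTLS13
```

The app must trust `X-Auth-Request-Email` only because every path to it goes through this chain; a second IngressRoute or Service exposure that skips the middleware would let a client set that header itself, so the check to add is that no other route in the namespace fronts the same Service without `authn-authz`.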

🔐 Security Features:

• Google OAuth2 authentication via oauth2-proxy
• Per-application authorization via Access Manager
• Automated SSL/TLS certificates with Let's Encrypt
• Private container registry (GHCR) with authentication
• Namespace isolation and RBAC policies
• Centralized secret management with auto-generation