This directory contains infrastructure modules that provide foundational capabilities for the Kubernetes platform. These modules establish the core services, security, networking, and operational features that both the cluster itself and applications require.
| Category | Functional Areas | Module Capabilities |
|---|---|---|
| Security | Certificates<br>Secrets<br>SSO & Auth | security-core:<br>• Provides the cert-manager operator, which automatically obtains and renews TLS certificates from configured issuers (e.g., Let's Encrypt)<br>• Lets applications fetch secrets from Bitwarden Secrets Manager through the external-secrets operator, with automated synchronization<br>• Uses trust-manager to copy certificates between namespaces based on Bundle definitions, eliminating manual certificate distribution<br>security-extra:<br>• Deploys the Authentik identity provider for SSO across all cluster services with policy-based access control<br>• Implements forward authentication to secure service ingress endpoints, passing rich identity headers to the backend |
| Storage | Block Storage<br>Object Storage<br>Network Storage | storage-core:<br>• Deploys Longhorn to provide distributed block storage across cluster nodes with built-in replication and backup<br>• Runs the MinIO operator to provide S3-compatible object storage with bucket lifecycle management<br>• Installs a CSI driver for dynamic provisioning of volumes from existing NFS shares with custom mount options |
| Networking | Load Balancing<br>DNS Management<br>Ingress Control<br>VPN & Network Management | networking-core:<br>• Deploys MetalLB to provide Layer 2 load balancing for Kubernetes services with automatic IP allocation<br>• Runs external-dns to automatically manage DNS records in the configured providers (Pi-hole/UniFi)<br>• Configures Traefik for ingress control with automatic TLS and custom middleware chains<br>networking-extra:<br>• Installs Pi-hole for DNS filtering and ad blocking with custom blocklists<br>• Deploys the Tailscale operator for secure VPN access with MagicDNS support<br>• Runs the UniFi controller for comprehensive network device management |
| Observability | Metrics Collection<br>Log Aggregation<br>Visualization<br>Event Management | observability-core:<br>• Deploys the Prometheus stack for metrics collection with ServiceMonitor/PodMonitor support<br>• Runs Loki for log aggregation with automated retention and S3 storage<br>• Provides Grafana for unified visualization with auto-discovered dashboards<br>observability-extra:<br>• Exports Kubernetes events to Loki with custom stream labels<br>• Collects SNMP metrics from network devices with custom MIBs<br>• Detects node problems with custom problem definitions |
| Database | PostgreSQL Operations<br>HA Management<br>Backup & Recovery | database-core:<br>• Installs the CloudNativePG operator for automated PostgreSQL cluster management<br>• Enables other modules to create HA PostgreSQL clusters with automated failover<br>• Configures S3 backup storage with customizable retention policies<br>• Provides monitoring integration with pre-configured Grafana dashboards |
| Kubernetes | DNS Resolution<br>API Access<br>Hardware Management<br>Resource Optimization | kubernetes-core:<br>• Configures CoreDNS for cluster-wide service discovery with custom zone support<br>• Provides secure external access to the Kubernetes API with load balancing<br>kubernetes-extra:<br>• Discovers and labels node hardware capabilities through node-feature-discovery<br>• Runs the Vertical Pod Autoscaler in recommendation mode for resource optimization<br>• Manages device plugins for hardware access with shared device support<br>• Rebalances workloads through the descheduler with configurable policies |
| ClusterOps | GitOps Deployment<br>System Upgrades<br>Configuration Management<br>Resource Tuning | clusterops-core:<br>• Manages Flux CD for GitOps-based deployment with OOM protection<br>• Runs system-upgrade-controller for automated component upgrades<br>clusterops-extra:<br>• Provides Goldilocks for resource optimization visualization<br>• Deploys Reloader for automatic pod restarts on config changes<br>• Runs the Terraform controller for infrastructure management with Flux integration |
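The forward-authentication pattern from the Security row, as an added example that is not part of this repository's manifests: a Traefik `Middleware` that sends every request to the Authentik outpost before it reaches the backend, and an `IngressRoute` that applies it to one service. The namespace `security`, the outpost Service name, the hostname and the Grafana Service are assumptions for illustration; the outpost path `/outpost.goauthentik.io/auth/traefik` and the `X-authentik-*` headers are the ones Authentik documents for Traefik.

```yaml
# Added example, not the project's own manifests.
# Assumptions: Authentik's embedded outpost runs in namespace "security" as
# Service ak-outpost-authentik-embedded-outpost:9000; Grafana is Service
# "grafana" on port 80 in namespace "observability".
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: authentik-forward-auth
  namespace: security
spec:
  forwardAuth:
    # Traefik forwards each request here first; 2xx = allowed, anything else
    # is returned to the client (typically a redirect to the Authentik login).
    address: http://ak-outpost-authentik-embedded-outpost.security.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik
    trustForwardHeader: true
    # Only these headers are copied from the outpost's response onto the
    # request that reaches the backend; Traefik overwrites any client-supplied
    # value, so the backend can treat them as authenticated identity.
    authResponseHeaders:
      - X-authentik-username
      - X-authentik-groups
      - X-authentik-email
      - X-authentik-name
      - X-authentik-uid
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: grafana
  namespace: observability
spec:
  entryPoints:
    - websecure
  routes:
    # Protected application route.
    - match: Host(`grafana.example.internal`)
      kind: Rule
      middlewares:
        - name: authentik-forward-auth
          namespace: security
      services:
        - name: grafana
          port: 80
    # The outpost's own endpoints must stay reachable without the middleware,
    # otherwise the browser can never finish the login flow. Higher priority
    # so this rule wins over the Host-only match above.
    - match: Host(`grafana.example.internal`) && PathPrefix(`/outpost.goauthentik.io/`)
      kind: Rule
      priority: 15
      services:
        - name: ak-outpost-authentik-embedded-outpost
          namespace: security
          port: 9000
  tls:
    secretName: grafana-tls   # issued by cert-manager from security-core
```

Two checks before relying on this: the cross-namespace `middlewares` and `services` references only resolve when Traefik's Kubernetes CRD provider runs with `allowCrossNamespace` enabled, and the identity headers are only trustworthy for traffic that actually passed through Traefik. A backend that logs users in from `X-authentik-username` (Grafana's auth-proxy mode, for instance) must be unreachable except via the ingress, typically enforced with a NetworkPolicy, or any in-cluster client can set that header itself.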
The following diagram shows the dependencies between infrastructure modules, illustrating how core services provide foundations for extended capabilities:
```mermaid
flowchart BT
    %% Color scheme for better contrast in light/dark themes
    classDef core fill:#86efac,stroke:#059669,color:#064e3b
    classDef extra fill:#fca5a5,stroke:#dc2626,color:#7f1d1d

    %% Layer 1 - Root
    security-core[security-core]:::core

    %% Layer 2 - Direct Dependencies
    storage-core[storage-core]:::core
    networking-core[networking-core]:::core
    observability-core[observability-core]:::core
    database-core[database-core]:::core

    %% Layer 3 - Extended Components
    kubernetes-core[kubernetes-core]:::core
    clusterops-core[clusterops-core]:::core
    security-extra[security-extra]:::extra
    networking-extra[networking-extra]:::extra
    kubernetes-extra[kubernetes-extra]:::extra
    clusterops-extra[clusterops-extra]:::extra
    observability-extra[observability-extra]:::extra

    %% Dependencies - Organized by layers (arrow points at the module depended on)
    storage-core & networking-core & observability-core --> security-core
    observability-core --> storage-core

    %% Extra module dependencies - Minimizing crossings
    security-extra --> security-core
    security-extra --> storage-core
    security-extra --> database-core
    networking-extra --> security-core
    networking-extra --> storage-core
    networking-extra --> networking-core
    observability-extra --> observability-core
    kubernetes-extra --> kubernetes-core
    clusterops-extra --> clusterops-core
```
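How the diagram's edges are enforced at deploy time, as an added example rather than this repository's own Flux manifests: each module is a Flux `Kustomization`, and every arrow becomes a `dependsOn` entry, so Flux will not apply a module until the modules it points at report `Ready`. The `flux-system` namespace, the `GitRepository` named `flux-system`, and the `./infrastructure/<module>` paths are assumptions; `database-core`, which the diagram draws with no outgoing arrow, would be a `Kustomization` without `dependsOn` and is omitted here.

```yaml
# Added example, not the project's own manifests.
# Assumptions: Flux Kustomizations live in flux-system, the source is the
# GitRepository "flux-system", module manifests sit under ./infrastructure/.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: security-core          # root of the diagram: no dependsOn
  namespace: flux-system
spec:
  interval: 10m
  path: ./infrastructure/security-core
  prune: true
  # wait: true makes Ready mean "cert-manager, external-secrets and
  # trust-manager are actually up", not merely "manifests were applied".
  wait: true
  sourceRef:
    kind: GitRepository
    name: flux-system
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: storage-core
  namespace: flux-system
spec:
  interval: 10m
  path: ./infrastructure/storage-core
  prune: true
  wait: true
  dependsOn:
    - name: security-core      # storage-core --> security-core
  sourceRef:
    kind: GitRepository
    name: flux-system
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: observability-core
  namespace: flux-system
spec:
  interval: 10m
  path: ./infrastructure/observability-core
  prune: true
  wait: true
  dependsOn:
    - name: security-core      # observability-core --> security-core
    - name: storage-core       # observability-core --> storage-core
  sourceRef:
    kind: GitRepository
    name: flux-system
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: security-extra
  namespace: flux-system
spec:
  interval: 10m
  path: ./infrastructure/security-extra
  prune: true
  wait: true
  dependsOn:
    - name: security-core      # security-extra --> security-core
    - name: storage-core       # security-extra --> storage-core
    - name: database-core      # security-extra --> database-core (Kustomization defined elsewhere)
  sourceRef:
    kind: GitRepository
    name: flux-system
```

The ordering matters for more than tidiness: manifests in dependent modules reference `Certificate`, `ExternalSecret` and `Bundle` resources whose CRDs and controllers come from security-core, so applying them earlier fails on unknown kinds or leaves pods stuck waiting for Secrets that nothing is populating yet. Without `wait: true` (or explicit `healthChecks`), a dependency counts as `Ready` as soon as its objects are applied, which is too early for operator-backed CRDs.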
For detailed information about configuration methods used across all modules, including Kustomize patches, FluxCD post-build variables, and component overlays, refer to the Configuration Methods section in the project brief.