Provisioning, configuration and manifests for my Kubernetes dev cluster on Hetzner Cloud, set up for GitOps with Flux CD.
- OpenTofu
- SOPS
- Age
- A Hetzner Cloud account and API token
- Cloudflare DNS API token
- A GitHub account and personal access token (for Flux)
- S3 compatible storage credentials
- Generate an Age key:
  ```sh
  age-keygen -o key.txt
  ```
- Edit the `.sops.yaml` file in the project root:
  ```yaml
  creation_rules:
    - unencrypted_regex: "^(apiVersion|metadata|kind|type)$"
      age: <your-age-public-key>
  ```
  Replace `<your-age-public-key>` with the public key from your `key.txt` file.
Create a
secrets.yaml
file with your sensitive data:cd provisioning
username: <your-username> user_hashed_password: <your-hashed-password> user_ssh_public_keys: | <your-ssh-public-key> domain_name: <your-domain-name>
- Encrypt the secrets file:
  ```sh
  sops -e secrets.yaml > secrets.enc.yaml
  ```
- Create a `terraform.tfvars` file for your Hetzner Cloud token and Cloudflare token:
  ```hcl
  hcloud_token         = "your-hetzner-cloud-token"
  cloudflare_api_token = "your-cloudflare-token"
  ```
- Create an `s3_env.yaml` file with your S3-compatible storage credentials:
  - `AWS_ENDPOINT_URL_S3`
  - `AWS_ACCESS_KEY_ID`
  - `AWS_REGION`
  - `AWS_SECRET_ACCESS_KEY`
- Encrypt the `s3_env.yaml` file:
  ```sh
  sops -e s3_env.yaml > s3_env.enc.yaml
  ```
- Run OpenTofu:
  ```sh
  sops exec-env s3_env.enc.yaml 'tofu init'
  sops exec-env s3_env.enc.yaml 'tofu apply'
  ```
- Connect to the server. Replace `username` with your username and `public_ip` with the output value of `tofu apply`:
  ```sh
  ssh ${username}@${public_ip}
  ```
- Create the SOPS secret. Use the key generated in step 1 of the deployment:
  ```sh
  kubectl create ns flux-system
  echo 'AGE-SECRET-KEY-...' | kubectl create secret generic sops-age \
    --namespace=flux-system \
    --from-file=age.agekey=/dev/stdin
  ```
- Create a GitHub access token
- Bootstrap Flux:
  ```sh
  export GITHUB_TOKEN=your_github_token
  export GITHUB_USERNAME=your_github_username
  export GITHUB_REPO=your_github_repo
  flux bootstrap github \
    --owner=$GITHUB_USERNAME \
    --repository=$GITHUB_REPO \
    --components-extra=image-reflector-controller,image-automation-controller \
    --path=clusters/prod \
    --personal
  ```
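
A check to run before pushing the repository, added here as an example and not part of the original README or repository: it flags the plaintext inputs from the steps above (`key.txt`, `secrets.yaml`, `s3_env.yaml`, `terraform.tfvars`), any `*.enc.yaml` that does not look like SOPS output, and Age private keys pasted into any file. The function names `check_secrets` and `demo` and all sample values are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the repository: reads file paths (relative to DIR)
# on stdin and reports plaintext secret material from the workflow above.
# Typical use before pushing:  git ls-files | check_secrets .
check_secrets() {
    dir=$1
    findings=0
    while IFS= read -r f; do
        [ -f "$dir/$f" ] || continue
        case ${f##*/} in
            key.txt|secrets.yaml|s3_env.yaml|terraform.tfvars)
                # Plaintext inputs named in the README; they hold unencrypted secrets.
                echo "PLAINTEXT FILE: $f"; findings=$((findings + 1)) ;;
            *.enc.yaml)
                # SOPS output carries a top-level "sops:" block and ENC[...] values.
                if ! grep -q '^sops:' "$dir/$f" || ! grep -q 'ENC\[AES256_GCM' "$dir/$f"; then
                    echo "NOT ENCRYPTED: $f"; findings=$((findings + 1))
                fi ;;
        esac
        # Age private keys start with this prefix wherever they were pasted.
        if grep -q 'AGE-SECRET-KEY-1' "$dir/$f"; then
            echo "AGE PRIVATE KEY: $f"; findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample tree (all values are fake) to exercise the check offline.
demo() {
    t=$(mktemp -d) && mkdir -p "$t/provisioning"
    printf 'username: ENC[AES256_GCM,data:ZmFrZQ==,iv:AA==,tag:BB==,type:str]\nsops:\n    age: []\n' \
        > "$t/provisioning/secrets.enc.yaml"
    printf 'AWS_REGION: constructed-region\n' > "$t/provisioning/s3_env.enc.yaml"
    printf '# constructed key\nAGE-SECRET-KEY-1FAKEFAKEFAKE\n' > "$t/key.txt"
    printf "echo 'AGE-SECRET-KEY-...' | kubectl create secret ...\n" > "$t/README.md"
    rc=0
    (cd "$t" && find . -type f | sed 's|^\./||' | sort) | check_secrets "$t" || rc=$?
    rm -rf "$t"
    return "$rc"
}
```

The function returns non-zero when it finds anything, so `git ls-files | check_secrets .` can gate a pre-push hook or CI job.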