
Kubernetes Homelab

A production-grade Kubernetes homelab running on bare metal — GitOps, canary deployments, observability, and cloud-native security patterns.

Hi, I’m Igor Furlan, a System Reliability Engineer passionate about platform engineering and cloud-native infrastructure.

This site documents a production-grade Kubernetes homelab running on a single bare-metal node — musashi, an AMD Ryzen 7 machine running Fedora 43 with 16 GB DDR5 RAM and a 1 TB SSD. The entire stack is built around real-world DevOps patterns: GitOps with ArgoCD, progressive delivery with Argo Rollouts, full-stack observability with Prometheus/Grafana/Loki, and encrypted secret management with Sealed Secrets.

Everything here is the result of hands-on, iterative work. The goal: build infrastructure that teaches production patterns, not shortcuts.


🖥️ Cluster Architecture

Single-node kubeadm cluster (Kubernetes v1.34.3) on Fedora 43. Cilium CNI with eBPF dataplane, Traefik with Gateway API, cert-manager with Let’s Encrypt DNS-01, and local-path storage.

Read the Architecture →

🔄 GitOps Pipeline

Two-repository GitOps pattern: GitHub Actions CI builds and pushes to GHCR, then ArgoCD syncs Kustomize overlays to the cluster. Argo Rollouts implements Prometheus-gated canary deployments with automatic rollback.

Read the GitOps Overview →

📊 Observability Stack

kube-prometheus-stack v81.6.4 (Prometheus + Grafana + AlertManager), Loki for log aggregation, Grafana Alloy as a DaemonSet log collector, Pushgateway for batch job metrics, and Blackbox Exporter for synthetic HTTP probes. Alerts route to Telegram and Gmail.

Read the Observability Stack →

🔒 Cluster Security

Sealed Secrets for GitOps-compatible encrypted secrets, Harbor with Trivy for private image registry and vulnerability scanning, cert-manager for automated TLS, and Cilium eBPF for network policy enforcement.

Read the Security Overview →

💾 Backup & Recovery

Four-layer backup strategy: Velero + Kopia for Kubernetes resources and PV data, restic for raw PVC data and host configuration, pg_dumpall for PostgreSQL logical backups — all stored in OCI Object Storage. A custom Grafana dashboard monitors every backup run in real time.

Read the Backup Strategy →



Kubernetes & Runtime

Kubernetes v1.34.3, Kubeadm, Containerd v2.1.6, Fedora Linux 43

Networking & Ingress

Cilium (eBPF), Traefik, Gateway API, Cloudflare Tunnel

GitOps & CI/CD

ArgoCD, Argo Rollouts, GitHub Actions, Kustomize, GHCR

Observability

Prometheus, Grafana, Loki, Grafana Alloy, AlertManager

Security & Secrets

Sealed Secrets, Harbor, Trivy, Cert-manager, Let’s Encrypt

Data & Backup

CloudNativePG, PostgreSQL, Velero, Kopia, Restic, OCI Object Storage

Applications

Backstage, N8N, Miniflux, Harbor Registry