Public Technical Demo

DataProfusion Kubernetes Platform

This page is a public-facing summary of the homelab Kubernetes platform used for GitOps operations, disaster recovery validation, observability practice, and Linux Foundation certification study. It is intentionally static and safe to expose: operational control planes remain private behind LAN and VPN policy.

Stack: k3s core cluster, Flux GitOps, Traefik + MetalLB, cert-manager, SOPS + age; admin UIs stay private.

  • 2 nodes: single control-plane plus worker, with a DR-ready recovery target on Chevelle.
  • GitOps-driven: cluster state is reconciled from Gitea through Flux and reviewed through version control.
  • Recovery tested: etcd restore, SOPS age recovery, and workload-level backup and restore drills completed.

Architecture

  • Firefox is the public TLS edge and WAN-facing reverse proxy.
  • Rocinante hosts the current always-on Kubernetes VM footprint and split-DNS helper.
  • Chevelle is the next DR and failover target and can host non-critical worker capacity when powered on.
  • Traefik serves in-cluster ingress on the MetalLB service IP and stays behind the Firefox edge.

Security and Operations

  • Public certificates terminate at the Firefox edge instead of inside the cluster.
  • Secrets are moving through a GitOps-safe path with SOPS and age.
  • Alerting fans out to Discord and ntfy while observability stays private.
  • Internal admin surfaces such as Grafana, Headlamp, and Rancher are not exposed on this public page.

What Is Running

  • Platform controllers: Traefik, MetalLB, cert-manager, kube-prometheus-stack, Flux.
  • Operational tools: Goldilocks, Headlamp, Rancher, Homepage, Uptime Kuma.
  • Validation apps: whoami, podinfo, changedetection.io.
  • Stateful trial workloads: Miniflux, Actual Budget, Linkwarden.

Certification Alignment

  • KCSA: platform security posture, secrets handling, ingress controls, DR, and monitoring.
  • CKA: cluster lifecycle, scheduling behavior, restore drills, ingress, and troubleshooting.
  • CKS: later focus on hardening, policy, supply chain, and runtime security.

GitOps and Delivery Flow

Changes are authored in Git, reconciled through Flux, validated in-cluster, and then selectively promoted to public hostnames through the Firefox edge. This keeps operational control explicit and makes rollback a Git operation instead of an ad hoc runtime fix.

1. Author: documentation, manifests, and recovery notes are version controlled in Git.
2. Reconcile: Flux pulls desired state into the cluster and applies one reviewed change at a time.
3. Validate: rollouts, ingress, alerts, and restore behavior are checked before broader use.
4. Promote: only safe surfaces get public DNS and TLS through the Firefox edge pattern.
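As an added example (not the platform's own manifests; the Gitea URL, repository layout, and object names are assumptions made here), the Flux objects that implement the Author and Reconcile steps above together with the SOPS + age secrets path mentioned under Security and Operations. Two files are shown: the Flux source and Kustomization that live in the cluster, and the `.sops.yaml` creation rule that lives at the repository root.

```yaml
# File 1: clusters/rocinante/apps.yaml (assumed path). Flux watches the Gitea
# repository and reconciles one path from it; secrets in that path are decrypted
# in-cluster with an age identity that is never committed to Git.
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
  name: cluster-config
  namespace: flux-system
spec:
  interval: 1m
  url: ssh://git@gitea.example.internal/homelab/k8s-cluster.git   # assumed Gitea URL
  ref:
    branch: main
  secretRef:
    name: gitea-deploy-key   # read-only deploy key, created out of band, not in Git
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: apps
  namespace: flux-system
spec:
  interval: 10m
  sourceRef:
    kind: GitRepository
    name: cluster-config
  path: ./clusters/rocinante   # assumed repository layout
  prune: true                  # objects removed from Git are removed from the cluster (rollback is a revert)
  wait: true                   # reconciliation reports failure if the rollout does not become ready
  decryption:
    provider: sops
    secretRef:
      name: sops-age           # Secret holding the age identity under the key age.agekey
---
# File 2: .sops.yaml at the repository root. Only the data/stringData fields of
# a Secret are encrypted, so the rest of the manifest stays readable in a diff
# and a reviewer can see which keys changed without seeing their values.
creation_rules:
  - path_regex: .*\.ya?ml$
    encrypted_regex: ^(data|stringData)$
    age: age1PLACEHOLDERPUBLICKEY   # placeholder; the real recipient is the cluster's age public key
```

The `sops-age` Secret is created once, outside Git, with `kubectl create secret generic sops-age --namespace=flux-system --from-file=age.agekey=/path/to/age.agekey`; Flux requires the file key to end in `.agekey`. With the creation rule in place, `sops --encrypt --in-place secret.yaml` encrypts a Secret manifest before it is committed, and a later edit shows up in review as a change to an `ENC[...]` value rather than to plaintext.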

Disaster Recovery Model

The cluster is treated as recoverable infrastructure, not an unmanaged pet environment. Current DR work includes etcd snapshot export, SOPS/age recovery, application backup and restore runbooks, and a staged Chevelle recovery packet.
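The staged recovery packet is only useful if it is complete and the age identity in it is intact, so a drill should start with a preflight check. The script below is an added example, not one of the platform's own runbooks; the packet layout it expects (an `etcd/` directory with one k3s snapshot, `age/age.agekey`, and `RESTORE.md`) is an assumption made for this example.

```shell
#!/bin/sh
# Added example, not part of the DataProfusion runbooks. Preflight check for a
# staged recovery packet before a Chevelle restore drill. The packet layout is
# an assumption made for this example:
#   <packet>/etcd/<snapshot>     one k3s etcd snapshot (written by `k3s etcd-snapshot save`)
#   <packet>/age/age.agekey      age identity that decrypts the SOPS-managed secrets
#   <packet>/RESTORE.md          the human-readable runbook
# check_dr_packet prints one line per finding and returns 0 only when the
# packet is complete and the key file is safe to carry to the DR host.

check_dr_packet() {
  packet="$1"
  max_age_days="${2:-7}"   # a snapshot older than this is stale for a drill
  rc=0

  # 1. Exactly one non-empty etcd snapshot; two snapshots invite restoring the wrong one.
  count=$(find "$packet/etcd" -type f -size +0c 2>/dev/null | wc -l | tr -d ' ')
  if [ "$count" -ne 1 ]; then
    echo "FAIL etcd: expected one non-empty snapshot in $packet/etcd, found $count"; rc=1
  elif [ -n "$(find "$packet/etcd" -type f -mtime +"$max_age_days")" ]; then
    echo "FAIL etcd: snapshot is older than $max_age_days days"; rc=1
  else
    echo "ok   etcd: $(find "$packet/etcd" -type f)"
  fi

  # 2. The age identity must exist, be owner-only, and contain an age secret key line.
  #    Without it, every SOPS-encrypted Secret in Git is unrecoverable after the restore.
  key="$packet/age/age.agekey"
  if [ ! -s "$key" ]; then
    echo "FAIL age: $key missing or empty; SOPS secrets could not be decrypted after restore"; rc=1
  else
    age_ok=1
    if [ -n "$(find "$key" \( -perm -g+r -o -perm -o+r \) 2>/dev/null)" ]; then
      echo "FAIL age: $key is readable by group or others; expected mode 600"; rc=1; age_ok=0
    fi
    if ! grep -q '^AGE-SECRET-KEY-1' "$key"; then
      echo "FAIL age: $key holds no AGE-SECRET-KEY-1 identity line"; rc=1; age_ok=0
    fi
    if [ "$age_ok" -eq 1 ]; then
      echo "ok   age: identity present with owner-only permissions"
    fi
  fi

  # 3. The runbook travels with the packet so the drill does not depend on a live wiki.
  if [ -s "$packet/RESTORE.md" ]; then
    echo "ok   runbook: $packet/RESTORE.md"
  else
    echo "FAIL runbook: $packet/RESTORE.md missing"; rc=1
  fi

  return "$rc"
}

# After a passing check, the restore on the recovery host uses k3s's own
# cluster-reset flow and then re-creates the Flux decryption Secret from the packet:
#   k3s server --cluster-reset --cluster-reset-restore-path="<packet>/etcd/<snapshot>"
#   kubectl create secret generic sops-age -n flux-system --from-file=age.agekey="<packet>/age/age.agekey"
# Once Flux reconciles, the SOPS-encrypted Secrets in Git decrypt again and workloads return.

# Usage: ./check_dr_packet.sh /path/to/recovery-packet [max_age_days]
if [ "$#" -gt 0 ]; then
  check_dr_packet "$1" "${2:-7}"
fi
```

The permission check is deliberate: a packet copied onto removable media or a shared path often loses its mode bits, and an age identity readable by other users on the recovery host is the same exposure as a plaintext secret in Git.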

Public note: this page is intentionally descriptive rather than operational. It demonstrates architecture and practice without exposing sensitive endpoints, dashboards, credentials, or live control-plane actions.