https://mi-homes.org/docs/platform/Recent content in Platform on mi-homes.orgHugo -- gohugo.ioen-us© 2026 Minh Phuong Nguyenhttps://mi-homes.org/docs/k3s/Mon, 01 Jan 0001 00:00:00 +0000https://mi-homes.org/docs/k3s/<p>This guide documents how to create Proxmox VMs using Terraform for use as Kubernetes nodes in a k3s cluster. The Terraform configuration clones a cloud-init template, assigns fixed IPs and SSH keys, and tags VMs for k3s roles so they can be targeted by <code>k3s-ansible</code> or similar automation.</p> <h2 class="relative group">Overview <div id="overview" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#overview" aria-label="Anchor">#</a> </span> </h2> <p>The setup provisions two groups of VMs:</p> <ul> <li><strong>k3s masters</strong> (3 VMs): control-plane nodes for the Kubernetes cluster</li> <li><strong>k3s workers</strong> (2 VMs): worker nodes for running workloads</li> </ul> <p>All VMs are created by <strong>full clone</strong> from a cloud-init template (VM ID <code>9999</code> in the examples). They receive static IPs, a common SSH user and public key, and Proxmox tags (<code>k3s</code>, <code>master</code> or <code>worker</code>) for identification. After Terraform applies, you deploy k3s onto these VMs using Ansible or another method. This guide uses placeholders like <code>&lt;subnet&gt;</code> and <code>&lt;first-master-ip&gt;</code>; replace them with values that match your network.</p>https://mi-homes.org/docs/rancher/Mon, 01 Jan 0001 00:00:00 +0000https://mi-homes.org/docs/rancher/<p>This guide installs and operates <a href="https://ranchermanager.docs.rancher.com/" target="_blank" rel="noreferrer">Rancher</a> on an existing Kubernetes cluster using Helm and cert-manager.</p> <p><strong>Official docs:</strong> <a href="https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster" target="_blank" rel="noreferrer">Install/Upgrade Rancher on a Kubernetes Cluster</a></p> <h2 class="relative group">Prerequisites <div id="prerequisites" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#prerequisites" aria-label="Anchor">#</a> </span> </h2> <ul> <li>Kubernetes cluster (K3s, RKE2, EKS, or any supported distribution)</li> <li><code>kubectl</code> and <code>Helm</code> installed</li> </ul> <h2 class="relative group">Installation <div id="installation" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#installation" aria-label="Anchor">#</a> </span> </h2> <h3 class="relative group">1. Add Helm repos <div id="1-add-helm-repos" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#1-add-helm-repos" aria-label="Anchor">#</a> </span> </h3> <div class="highlight-wrapper"><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>helm repo add rancher-stable https://releases.rancher.com/server-charts/stable </span></span><span style="display:flex;"><span>helm repo update</span></span></code></pre></div></div> <h3 class="relative group">2. Create namespace <div id="2-create-namespace" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#2-create-namespace" aria-label="Anchor">#</a> </span> </h3> <div class="highlight-wrapper"><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>kubectl create namespace cattle-system</span></span></code></pre></div></div> <h3 class="relative group">3. Install cert-manager <div id="3-install-cert-manager" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#3-install-cert-manager" aria-label="Anchor">#</a> </span> </h3> <p>Required for Rancher-generated TLS certificates (default). Skip if you use your own certificates (<code>ingress.tls.source=secret</code>) or TLS termination on an external load balancer.</p>https://mi-homes.org/docs/helm/Mon, 01 Jan 0001 00:00:00 +0000https://mi-homes.org/docs/helm/<p>Use commands below to install <a href="https://helm.sh/" target="_blank" rel="noreferrer">Helm</a>, the package manager for Kubernetes.</p> <div class="highlight-wrapper"><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 </span></span><span style="display:flex;"><span>chmod <span style="color:#ae81ff">700</span> get_helm.sh </span></span><span style="display:flex;"><span>./get_helm.sh </span></span><span style="display:flex;"><span>helm version</span></span></code></pre></div></div>https://mi-homes.org/docs/hashicorp-vault/Mon, 01 Jan 0001 00:00:00 +0000https://mi-homes.org/docs/hashicorp-vault/<p><strong>HashiCorp Vault</strong> can hold API keys, database passwords, tokens, and other sensitive values so they never appear in Git or Helm values. A typical Kubernetes pattern is: <strong>Vault (KV v2)</strong> → <strong><a href="https://mi-homes.org/docs/external-secrets-operator/" >External Secrets Operator</a></strong> → <strong>Kubernetes <code>Secret</code></strong> → <strong>Pods</strong> (env or volumes). Any workload that reads from a <code>Secret</code> can use this flow; you only align Vault paths and <code>ExternalSecret</code> fields with your app’s expectations.</p> <h2 class="relative group">Role in the stack <div id="role-in-the-stack" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#role-in-the-stack" aria-label="Anchor">#</a> </span> </h2> <pre class="not-prose mermaid"> flowchart LR subgraph git["Git"] VY[Helm values / manifests] NS[Namespace and wiring] end subgraph cluster["Cluster"] V[Vault KV v2] ESO[External Secrets Operator] KS[Kubernetes Secret] end VY --> V NS --> V ESO -->|Vault API + token| V ESO --> KS </pre> <p>Vault must be <strong>running and unsealed</strong> before <code>ClusterSecretStore</code> and <code>ExternalSecret</code> resources can sync. In GitOps setups, install <strong>Vault first</strong>, then <strong>External Secrets Operator</strong>, then applications that declare <code>ExternalSecret</code> objects (or use equivalent sync waves / dependencies).</p>https://mi-homes.org/docs/external-secrets-operator/Mon, 01 Jan 0001 00:00:00 +0000https://mi-homes.org/docs/external-secrets-operator/<p><strong>External Secrets Operator (ESO)</strong> watches <strong><code>ExternalSecret</code></strong> resources and materializes ordinary Kubernetes <strong><code>Secret</code></strong> objects from an upstream backend. With <a href="https://mi-homes.org/docs/hashicorp-vault/" >HashiCorp Vault</a> as the backend, the same pattern works for <strong>any application</strong>: you store values in Vault, declare mappings in Git, and mount or env-inject the resulting <code>Secret</code> as usual.</p> <h2 class="relative group">Role in the stack <div id="role-in-the-stack" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#role-in-the-stack" aria-label="Anchor">#</a> </span> </h2> <pre class="not-prose mermaid"> flowchart LR subgraph git["Git"] CSS[ClusterSecretStore] X[ExternalSecret per app] end subgraph cluster["Cluster"] ESO[External Secrets Operator] V[Vault KV v2] KS[Kubernetes Secret] P[Pods] end CSS --> ESO X --> ESO ESO -->|token auth| V ESO -->|reconcile| KS KS --> P </pre> <ol> <li><strong>ClusterSecretStore</strong> (cluster-scoped): one connection from the cluster to Vault (URL, mount, auth). Every namespace can reference it.</li> <li><strong>ExternalSecret</strong> (namespace-scoped): one per app (or per secret bundle), mapping Vault paths and properties to keys on a target <code>Secret</code>.</li> <li>ESO <strong>reconciles</strong> on an interval and when specs change.</li> </ol> <p>Install ESO <strong>after</strong> Vault is available and unsealable; install <strong>before</strong> workloads that depend on synced secrets, or ensure those workloads tolerate a short delay until the <code>Secret</code> exists.</p>