Initial commit: Turbo Mothership bare metal management cluster

- k0s bootstrap with Cilium and OpenEBS - ArgoCD apps for infra, CAPI, Tinkerbell, and Netris - Ansible playbooks for virtual baremetal lab and Netris switches - CAPI provider manifests for k0smotron and Tinkerbell
2025-12-15 19:59:58 +01:00
commit df9937f0c3
39 changed files with 1961 additions and 0 deletions
--- a/bootstrap/README.md
+++ b/bootstrap/README.md
@@ -0,0 +1,113 @@
+# Bootstrap
+
+Bootstrap chart for cluster initialization. Deploys all required infrastructure components in a single Helm release.
+
+## Requirements
+
+- 1-3 nodes
+- External DNS for ingress access
+- Internet access
+
+## Components
+
+The bootstrap umbrella chart (`charts/bootstrap/`) includes:
+
+| Component | Description |
+|-----------|-------------|
+| Cilium | CNI for networking |
+| ingress-nginx | Ingress controller |
+| cert-manager | TLS certificate management |
+| sealed-secrets | Encrypted secrets for GitOps |
+| ArgoCD | GitOps continuous delivery |
+| OpenEBS | Container storage (hostpath) |
+
+Additional resources created:
+- ClusterIssuer (Let's Encrypt)
+- StorageClass (local-storage)
+
+## Kubernetes
+
+Install [k0s](https://k0sproject.io/) as the Kubernetes distribution:
+
+```sh
+curl -sSf https://get.k0s.sh | sudo sh
+sudo k0s install controller --enable-worker --no-taints --config ./k0s.yaml
+sudo k0s start
+```
+
+Verify and get kubeconfig:
+
+```sh
+sudo k0s status
+k0s kubeconfig admin create > ~/.kube/config
+```
+
+## Bootstrap Installation
+
+```sh
+cd charts/bootstrap
+
+# Download dependencies
+helm dependency update
+
+# Review what will be installed
+helm template bootstrap . --namespace bootstrap | less
+
+# Install
+helm upgrade -i bootstrap . --namespace bootstrap --create-namespace
+```
+
+## Sealed Secrets
+
+[Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets) enables GitOps management of secrets using asymmetric encryption.
+
+### Usage
+
+```sh
+# Create a secret (do not commit)
+kubectl create secret generic my-secret \
+  --from-literal=password=supersecret \
+  --dry-run=client -o yaml > plaintext.yaml
+
+# Seal it
+kubeseal < plaintext.yaml > sealed-secret.yaml
+
+# Delete plaintext
+rm plaintext.yaml
+
+# Apply sealed secret
+kubectl apply -f sealed-secret.yaml
+```
+
+## ArgoCD
+
+Available at https://argo.turbo.weystrom.dev
+
+Get initial admin password:
+
+```sh
+kubectl -n bootstrap get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d
+```
+
+## Configuration
+
+Edit `charts/bootstrap/values.yaml` to customize components. Each subchart is configured under its own key:
+
+```yaml
+cilium:
+  enabled: true
+
+ingress-nginx:
+  enabled: true
+  controller:
+    service:
+      externalIPs:
+        - 1.2.3.4
+
+cert-manager:
+  enabled: true
+
+# ... etc
+```
+
+To disable a component, set `enabled: false`.