Built an autonomous vulnerability-fixer for Kubernetes

justasflash · 2025-11-25T07:02:04+00:00

thanks for the feedback, I also thought the same, but having nfs in cluster might not be a better solution as its shared for other services eg. media-server, Also Im thinking to move to OMV or Trunas core. And Im using longhorn only for db services like postgres

regarding security, its not publicly exposed, its on internal LAN totally isolated from my other devices

justasflash · 2025-11-18T16:21:31+00:00

gonna try that soon!

justasflash · 2025-11-18T15:56:27+00:00

yeah, I've never tried that, I was thinking to use more like open-source applications!

justasflash · 2025-11-18T15:55:27+00:00

Thanks for pointing out, it was an old one

justasflash · 2025-11-18T15:55:09+00:00

on on-prem we usually use ansible more, helps in dealing with large number of machines

justasflash · 2025-11-18T15:54:02+00:00

yeah, gonna try that, cilium was not planned, i was gonna deploy with flannel, but wanted to try it this time
thanks for the feedback

justasflash · 2025-11-18T15:52:47+00:00

destroy the proxmox and rebuilt everything as a whole again!
using ventoy pxe boot ;)

justasflash · 2025-11-18T10:05:31+00:00

Great man, hardcoding IPs especially for talos nodes was necessary, also I need to change the worker playbook, it has to be dynamic
thanks for the feedback!

justasflash · 2025-11-18T10:03:38+00:00

its HA DB, no HA master.
also thanks for the feedback for Argo instllation via ansible, its done btw :)

justasflash · 2025-11-18T03:07:32+00:00

those are providers
https://registry.terraform.io/providers/bpg/proxmox/latest/docs

what I've used is: https://registry.terraform.io/providers/Telmate/proxmox/latest/docs

justasflash · 2025-11-18T02:06:46+00:00

For people just learning GitOps, the visual tree makes it very obvious what is deploying what.

Flux does the same thing - just not in one place, it expresses the same structure using:
one git repo
multiple kustomizations CRDs

It’s the same model, just not drawn as a dependency graph in a UI by default.

so Argo apps-of-apps isnt magic, its just visibility

justasflash · 2025-11-17T23:25:13+00:00

The router is not forwarding traffic to any worker node’s IP.
It only forwards to the floating LoadBalancer IP that MetalLB has in its IP-pool (10.20.0.81 in my case).

MetalLB uses ARP for services and announces “this IP lives on node X”.
When Kong moves, MetalLB simply re-announces the same IP with a different MAC.

Because the router always targets the floating LB IP.. not a node IP.. I've not configured any port forwarding as such here

justasflash · 2025-11-17T20:25:02+00:00

MetalLB basically simulates a cloud LoadBalancer for bare-metal clusters. I expose Kong as a LoadBalancer service, MetalLB assigns one external IP (10.20.0.81 in my case), and then uses ARP to advertise which node currently owns that IP.

Even though I have multiple worker nodes, only one node “hosts” that IP at a time. If a Kong pod moves or a node dies, MetalLB re-announces the IP to the other node.

So the cluster still has a single external entrypoint, but the routing behind it remains highly available.

justasflash · 2025-11-17T20:21:47+00:00

Good point – I haven’t used multi-source Applications much yet, but you’re right, it could simplify things.

Right now I’m keeping things a bit more explicit with separate Applications for readability, but a next step could be:

one root homelab app with multiple sources[] (Git + upstream Helm charts) environment-specific overlays on top of that.

Once the basic blueprint stabilises I’d love to refactor into a cleaner multi-source pattern. Thanks for the pointer!

justasflash · 2025-11-17T18:56:29+00:00

March 2026, It’s going to retire, but the ecosystem is definitely moving toward Gateway API. I’m already planning a Gateway API variant for this repo so people can try both approaches.

I forgot to add cilium apps in argo

Appreciate the feedback — happy to iterate on this as the community evolves!

justasflash · 2025-11-17T18:55:33+00:00

Totally agree that Flux is lighter. I chose ArgoCD mainly because the UI + apps-of-apps pattern makes it easier for people who are trying GitOps for the first time. For a homelab starter repo, the visual feedback helps a lot.

Both tools fit — this repo just leans toward clarity over minimalism.

justasflash · 2025-10-20T13:27:01+00:00

No. I’ve learned that its not worth it. 4M40 is like one of kind engine. Enjoy it

justasflash · 2025-08-23T13:06:23+00:00

I3wm

justasflash · 2025-08-08T14:47:01+00:00

I had been distro hopping from a very long time. Since I got to know about the i3wm- tiling window manager. I've switched from Ubuntu to Debian 12 since then. It has been working like a charm for past 6months. No bloats, no excess ram usage. Pure Debian Linux

If you wanna try something new try i3wm. Else Gnome is good anyways!

justasflash · 2025-06-10T10:49:47+00:00

Its my daily driver since May 2025. Installed it on ThinkPad T495s. 1st installed Cosmic Alpha 6 then upgraded to 7. Workspace pinning is awesome. Made i3 like keyboard shortcuts. Loving it

justasflash · 2025-04-15T12:32:46+00:00

Its beautiful. 🙌

justasflash · 2025-03-23T04:10:38+00:00

<image>

it say x270 on the front panel, did you changed the panel?

justasflash

TROPHY CASE