My Kubernetes setup
In this post, I’ll show you which services I currently run on my Kubernetes cluster. (This list might not be complete, as I sometimes deploy new tools without updating the post.) But here’s the current setup.
Services
InvoicePlane
Sometimes I need to create invoices for services I’ve provided. For this, I use InvoicePlane, which lets me generate invoices for specific customers. For better security, I’ve added OAuth2-Proxy in front of the UI—with one exception: the guest path can be accessed without logging in.
Shlink
I use Shlink as a URL shortener. Occasionally, I need to share long links, and shortening them makes things easier. The Web UI is also protected by OAuth2-Proxy.
Zitadel
This is my preferred identity provider. I use it both for SaaS solutions and to secure my own services. It’s also the provider used for OAuth2-Proxy authentication.
My Website
Just a simple Nuxt-based website. You can visit it at mattiamueggler.ch.
My Blog
A small blog where I occasionally write posts about development, DevOps, or other tech topics.
My SaaS Solutions
Some applications I’ve built are also deployed on my Kubernetes cluster. These were actually the main reason I started setting up the cluster in the first place.
Paperless
This is the document management system I use to organize and manage all my documents. The documents are also synced to my cloud provider. Like many of my tools, it’s protected by OAuth2-Proxy.
Homer Dashboards
Homer provides a dashboard that’s configured via YAML. I use it to list all my services with quick links. I’ve also built a custom image so I can include my own SVG icons.
WordPress Site
A small WordPress website I host for my sister.
Uptime-Kuma
Uptime-Kuma helps me monitor the availability of my services. I’ve added all my services to it and created dashboards to quickly check their status.
Fluent Bit
After one of my nodes crashed due to disk pressure, I looked for a better logging solution. I decided to use Fluent Bit to send logs to an S3 bucket and clean them up from the nodes to save space. I also added two new nodes with more disk capacity.
Kube-Prometheus Stack
To monitor not just the services, but also the nodes and the cluster itself, I set up the kube-prometheus-stack and added some dashboards. All services are only available internally within the cluster, and the Grafana dashboard is protected by OAuth2-Proxy.
Databases
Since many services require a database, I’ve deployed several kinds—MongoDB, PostgreSQL, and MariaDB. To save resources, I run one shared cluster per database engine, rather than setting up a separate instance for each service. I isolate access by creating an individual user for each database, so a service can only reach its own data.
The only exception is MariaDB: since I can’t easily add more databases via the operator’s CRs, I created my own Helm chart on top of the operator. This allows me to manage everything as chart dependencies, with the correct configuration out of the box.
Additional Infrastructure
Kubernetes Dashboard
To interact with my cluster, I’ve installed the Kubernetes Dashboard and exposed it behind OAuth2-Proxy.
OAuth2-Proxy
This is a key part of my security setup. Any service that doesn’t need to be publicly accessible is protected with OAuth2-Proxy. This gives me secure access to internal tools. I might replace it with Tailscale at some point, since that would be even more secure.
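As an added example (not from the original post), this is one way to get the pattern described above and under InvoicePlane with the NGINX Ingress Controller: the whole UI is gated by OAuth2-Proxy through auth_request annotations, while a second Ingress on the same host exposes only the guest path without them. The host, namespace, service names, ports and the `/guest` prefix are assumptions, not values from the post.

```yaml
# Added example, not from the original post: InvoicePlane behind
# OAuth2-Proxy via NGINX Ingress annotations, guest path left open.
# Host, namespace, service names, ports and /guest are assumed.
---
# 1) Everything under / goes through auth_request to oauth2-proxy.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: invoiceplane
  namespace: invoiceplane
  annotations:
    nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
spec:
  ingressClassName: nginx
  rules:
    - host: invoices.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service: { name: invoiceplane, port: { number: 80 } }
---
# 2) Same host, /guest only, no auth annotations. NGINX picks the most
#    specific location, so only /guest/... bypasses the login; keep
#    this prefix as narrow as the application allows.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: invoiceplane-guest
  namespace: invoiceplane
spec:
  ingressClassName: nginx
  rules:
    - host: invoices.example.com
      http:
        paths:
          - path: /guest
            pathType: Prefix
            backend:
              service: { name: invoiceplane, port: { number: 80 } }
```

The `/oauth2` prefix on the same host must additionally be routed to the oauth2-proxy Service itself (a third Ingress without auth annotations), otherwise the sign-in redirect has nowhere to go.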
NGINX Ingress Controller
This is the ingress controller I use to expose my services.
Cert Manager
I use Cert Manager so I don’t have to manually manage TLS certificates. I’ve set up two cluster issuers with Let’s Encrypt—one for staging and one for production—because Let’s Encrypt rate-limits requests to its production API, so I test new ingresses against staging first.
1Password Operator
This operator is great for syncing secrets, credentials, and passwords directly to my cluster. That way, I don’t have to encrypt them (e.g., with Sealed Secrets) to store them in GitHub—they’re never stored there at all.
CNPG Operator
I use this operator to manage PostgreSQL instances, including user and database provisioning.
MariaDB Operator
This one handles my MariaDB setup, including backups.
MongoDB Operator
Used to deploy and manage MongoDB.