Home Media Server - Kubernetes Infrastructure

A production-grade Kubernetes cluster running on bare metal, hosting a complete media server infrastructure with 22 stateful applications. This project demonstrates advanced Kubernetes concepts including GitOps deployment, zero-trust networking, centralized authentication, and distributed storage management.

Key Features

  • GitOps deployment model using ArgoCD for continuous delivery
  • Centralized authentication with LLDAP and Authelia SSO
  • Zero-trust network architecture with Cilium CNI and NetworkPolicies
  • Distributed storage with Longhorn for persistent volumes
  • Load balancing with MetalLB in Layer 2 mode
  • Ingress management with Traefik and automatic SSL certificates
  • Comprehensive monitoring with Prometheus and Grafana
  • Automated backups and disaster recovery procedures

Achievements

  • Orchestrated 22 stateful applications on K3s with LLDAP/Authelia authentication and ArgoCD GitOps
  • Implemented zero-trust security with 52 network policies controlling ingress/egress traffic flows
  • Configured component-based RBAC with 6 service accounts following least-privilege principles
  • Deployed hybrid storage architecture using Longhorn for configs and local-path for 1.4TB media

Technical Challenges

  • Implementing stateful applications in Kubernetes with data persistence
  • Designing network policies for zero-trust security without breaking functionality
  • Managing 1.4TB of media data with appropriate storage solutions
  • Setting up SSO authentication for all applications
  • Optimizing resource allocation for 22 applications on limited hardware
  • Creating automated backup strategies for stateful workloads

System Architecture

The cluster runs K3s on bare metal with a single master node and two worker nodes. ArgoCD manages deployments from Git repositories, Longhorn provides distributed block storage, and Traefik handles ingress routing. All applications authenticate through Authelia with LLDAP as the identity provider. Network segmentation is enforced through Cilium CNI with strict NetworkPolicies.