https://blog.nerdz.cloud/ Recent content on Nerdz Hugo -- gohugo.io en Gavin McFall Tue, 05 May 2026 00:00:00 +1200 https://blog.nerdz.cloud/2026/three-990-pros-all-dying-part-1/ Tue, 05 May 2026 00:00:00 +1200 https://blog.nerdz.cloud/2026/three-990-pros-all-dying-part-1/ <blockquote> <p>&ldquo;PASSED&rdquo; doesn&rsquo;t mean what you think it means.</p> </blockquote> <h2 id="the-2am-alert-storm">The 2am alert storm </h2><p>My phone exploded with critical alerts overnight. ntfy was angry. Alertmanager was angry. Ceph was angry. Sonarr was rolling back to a state that didn&rsquo;t exist. Prometheus had even disconnected itself from Alertmanager — the canary alert that fires when alerting itself is broken.</p> <p>The root cause was buried under several cascading consequences, but the actual finding was simple: the NVMe holding <code>/var</code> on stanton-02 had stopped responding to interrupts. The kernel logged <code>Disabling IRQ #173</code> and gave up. Ceph&rsquo;s <code>osd.1</code> went <code>down</code>, <code>mon.b</code> lost its RocksDB, and the whole cluster started swimming.</p> <p>Over the next several hours of recovery, I confirmed that this wasn&rsquo;t a one-off. It was the latest event in a documented escalation that had been building for weeks. The Samsung 990 PRO 1TB on stanton-02 had been throwing controller-fatal-status events since mid-April — six events over 19 days, each interval shorter than the last, until the kernel finally gave up on the IRQ and walked away.</p> <p>But that&rsquo;s not the interesting bit. The interesting bit is that the drive&rsquo;s two siblings — same batch, same firmware, same workload, in the same cluster — are also dying. Just at different rates.</p> <p>This is part 1 of 2. Part 1 is the autopsy. Part 2 will come when the new drives arrive.</p> <h2 id="the-cluster">The cluster </h2><p>Three <a class="link" href="https://store.minisforum.com/products/minisforum-ms-01" target="_blank" rel="noopener" >Minisforum MS-01</a> mini-PCs, each running Talos Linux as a Kubernetes control-plane node. Cluster name: stanton <em>(cf. <a class="link" href="https://robertsspaceindustries.com/" target="_blank" rel="noopener" >Star Citizen</a>)</em>. Each box has two NVMe drives:</p> <ul> <li><strong>nvme0</strong> — Samsung PM9A3 1.92TB. Enterprise-class with PLP. Rook-Ceph OSD storage. Rock solid.</li> <li><strong>nvme1</strong> — Samsung 990 PRO 1TB. <strong>Consumer</strong>. Holds <code>/var</code>: etcd WAL, Ceph mon RocksDB, container logs, kubelet state.</li> </ul> <p>You can probably already see where this is going.</p> <p>I bought the three 990 PROs as a matched batch from Amazon AU&rsquo;s Global Store on 2024-06-18. Same firmware revision (<code>4B2QJXD7</code> — the one Samsung released after the <a class="link" href="https://www.tomshardware.com/news/samsung-issues-firmware-update-for-990-pro-ssds" target="_blank" rel="noopener" >990 PRO firmware-killing-itself bug</a>, so we&rsquo;re not even talking about THAT problem). They went into production almost immediately and have been running 24/7 for ~22 months.</p> <p>The workload on <code>/var</code>:</p> <ul> <li><strong>etcd WAL</strong> — Every Kubernetes API write. Pod scheduling, controller reconciliation, kubelet leases. Constant fsync.</li> <li><strong>Ceph mon RocksDB</strong> — Cluster state churn. Constant tiny writes.</li> <li><strong>Container runtime overlay</strong> — Image extraction, log writes, layer state.</li> </ul> <p>Fsync-heavy. Small-block-write heavy. The exact opposite of what consumer SSDs are tuned for.</p> <h2 id="the-autopsy">The autopsy </h2><p>After getting the cluster back to HEALTH_OK, I pulled SMART data off all three nvme1 drives. Same command on each:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl debug node/stanton-XX --image<span class="o">=</span>alpine --profile<span class="o">=</span>sysadmin -- <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> sh -c <span class="s2">&#34;apk add -q smartmontools &amp;&amp; smartctl -a /dev/nvme1&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><p>Here&rsquo;s the comparison:</p> <table> <thead> <tr> <th>Metric</th> <th>stanton-01</th> <th>stanton-02 (failed)</th> <th>stanton-03</th> </tr> </thead> <tbody> <tr> <td>Serial</td> <td>S73VNU0X303066H</td> <td>S73VNU0X303413H</td> <td>S73VNU0X303400H</td> </tr> <tr> <td>Firmware</td> <td><code>4B2QJXD7</code></td> <td><code>4B2QJXD7</code></td> <td><code>4B2QJXD7</code></td> </tr> <tr> <td>Power-On Hours</td> <td>15,856</td> <td>15,864</td> <td>15,867</td> </tr> <tr> <td><strong>Percentage Used</strong></td> <td><strong>42%</strong></td> <td><strong>47%</strong></td> <td><strong>50%</strong></td> </tr> <tr> <td><strong>Data Units Written</strong></td> <td><strong>96.3 TB</strong></td> <td><strong>112 TB</strong></td> <td><strong>133 TB</strong></td> </tr> <tr> <td>Power Cycles</td> <td>83</td> <td>35</td> <td>38</td> </tr> <tr> <td><strong>Unsafe Shutdowns</strong></td> <td><strong>37 (45% of cycles)</strong></td> <td><strong>15 (43% of cycles)</strong></td> <td><strong>13 (34% of cycles)</strong></td> </tr> <tr> <td>Critical Warning</td> <td><code>0x00</code></td> <td><code>0x00</code></td> <td><code>0x00</code></td> </tr> <tr> <td>Media &amp; Data Integrity Errors</td> <td>0</td> <td>0</td> <td>0</td> </tr> <tr> <td>Available Spare</td> <td>100%</td> <td>100%</td> <td>100%</td> </tr> <tr> <td><strong>SMART Self-Test</strong></td> <td><strong>PASSED</strong></td> <td><strong>PASSED</strong></td> <td><strong>PASSED</strong></td> </tr> <tr> <td>Temperature</td> <td>54°C</td> <td>53°C</td> <td>53°C</td> </tr> </tbody> </table> <p>Three things should jump out.</p> <p><strong>First</strong>, all three drives &ldquo;PASSED&rdquo; the self-test. The drive that just died with a kernel-level IRQ-disable failure says it&rsquo;s healthy. So does the one with 50% wear. So does the one I haven&rsquo;t even seen flap yet.</p> <p><strong>Second</strong>, stanton-03 has more wear (50%) than the drive that just died (47%). It&rsquo;s next in line.</p> <p><strong>Third</strong>, the wear math doesn&rsquo;t add up. The 990 PRO 1TB has a 600 TBW endurance rating. stanton-03 has written 133 TB — 22% of its rated endurance — but reports 50% used. The drives are wearing <strong>roughly twice as fast as host writes alone would suggest.</strong></p> <p>That last one is the actually interesting story.</p> <h2 id="why-is-the-wear-accelerating">Why is the wear accelerating? </h2><p><code>Percentage Used</code> in NVMe SMART data isn&rsquo;t a measurement of how many host writes you&rsquo;ve done. It&rsquo;s the drive&rsquo;s own estimate of how much of its <strong>internal NAND endurance reserve</strong> has been consumed.</p> <p>For consumer drives, the gap between &ldquo;host writes&rdquo; and &ldquo;NAND wear&rdquo; gets large when you have:</p> <ol> <li><strong>Small random writes</strong> — etcd does fsync after every write. The drive can&rsquo;t batch these, so it ends up writing-in then re-writing pages constantly to maintain durability semantics.</li> <li><strong>No power-loss protection</strong> — every unclean shutdown forces the drive to discard in-flight write buffers and rebuild from journal, which means re-writing pages the drive thought it could batch. Wear amplification.</li> <li><strong>Mixed read/write pages</strong> — when read traffic and write traffic share NAND blocks, the drive shuffles data around to keep cells in spec. All extra writes the host never asked for.</li> </ol> <p>Each of those happens constantly under an etcd + mon workload.</p> <p>The unsafe-shutdown counter is the nail in the coffin. Across the three drives:</p> <ul> <li>stanton-01: <strong>37 unsafe shutdowns out of 83 cycles</strong> (45%)</li> <li>stanton-02: <strong>15 unsafe shutdowns out of 35 cycles</strong> (43%)</li> <li>stanton-03: <strong>13 unsafe shutdowns out of 38 cycles</strong> (34%)</li> </ul> <p>I don&rsquo;t have a UPS. The cluster has weathered multiple powercuts since I built it, plus the occasional kernel-level reboot under stress. Every one of those is a little bit of write-amp punishment to a drive that has no capacitors to flush its DRAM cache to NAND.</p> <h2 id="power-loss-protection--what-consumer-nvme-doesnt-have">Power Loss Protection — what consumer NVMe doesn&rsquo;t have </h2><p>Enterprise NVMe drives have a row of tantalum capacitors on the PCB. When the host yanks power, those caps hold the drive alive just long enough to flush its DRAM write buffer to flash. Result: no data loss, no in-flight pages stuck in limbo, no journal-replay amp on the next boot.</p> <p>Consumer NVMe drives do not have those capacitors. Cost-cut. The 990 PRO is a consumer drive. So is the SN850X. So is anything you&rsquo;d buy at a big-box store with &ldquo;Pro&rdquo; in the name.</p> <p>When a consumer drive loses power mid-write:</p> <ul> <li>In-flight writes that were in DRAM are gone. The host&rsquo;s write-cache thinks they hit NAND, but they didn&rsquo;t.</li> <li>On next boot, the drive replays its journal to figure out which pages are valid and which are torn.</li> <li>That replay re-writes a lot of pages &ldquo;to be safe.&rdquo;</li> <li>All of which counts against your NAND endurance reserve.</li> </ul> <p>This is why enterprise SSD specs say things like &ldquo;0.4 DWPD&rdquo; or &ldquo;1 DWPD&rdquo; or &ldquo;3 DWPD&rdquo; — Drive Writes Per Day, sustained for the warranty period (usually 5 years). The 990 PRO&rsquo;s spec is <code>600 TBW over 5 years</code>, which works out to about 0.33 DWPD if you do the math. <strong>That assumes a clean workload with no powercut amplification.</strong></p> <p>What I have is consumer drives, with no PLP, doing fsync-heavy etcd workloads, on hosts with no UPS, in a region that has the occasional powercut. Of course the wear is accelerating.</p> <h2 id="what-smart-didnt-tell-me">What SMART didn&rsquo;t tell me </h2><p>The most maddening thing about this whole episode is that the drive&rsquo;s &ldquo;PASSED&rdquo; self-test was technically correct, right up until it wasn&rsquo;t.</p> <p>NVMe SMART tracks things like media errors, temperature exceedences, and the available-spare counter. None of those tripped. The drive on stanton-02 is still reporting 100% Available Spare and 0 Media Errors as of writing. It also happens to be unable to respond to interrupts anymore.</p> <p>The actual signal of impending failure was buried in the kernel log — six controller-fatal-status events over 19 days, with the gap between events shrinking each time:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">nvme nvme1: controller is down; will reset: CSTS=0x3, PCI_STATUS=0x11 </span></span></code></pre></td></tr></table> </div> </div><p><code>CSTS=0x3</code> means the drive&rsquo;s own controller is asserting <strong>fatal status</strong> on itself. That&rsquo;s the drive saying &ldquo;something is wrong with me, please reset me.&rdquo; The kernel resets it, the drive comes back up, and SMART still says PASSED because by the spec, none of the threshold-based metrics have been crossed.</p> <p>The escalation timeline:</p> <table> <thead> <tr> <th>#</th> <th>Date (UTC)</th> <th>Failure mode</th> </tr> </thead> <tbody> <tr> <td>1</td> <td>2026-04-15</td> <td>Soft CFS reset, auto-recovered</td> </tr> <tr> <td>2</td> <td>2026-04-20</td> <td>Soft CFS reset, auto-recovered</td> </tr> <tr> <td>3</td> <td>2026-04-21</td> <td>Soft CFS reset, auto-recovered</td> </tr> <tr> <td>4</td> <td>2026-04-25</td> <td>Soft CFS reset, auto-recovered</td> </tr> <tr> <td>5</td> <td>2026-04-30</td> <td>Soft CFS reset, auto-recovered</td> </tr> <tr> <td>6</td> <td>2026-05-04</td> <td><strong>IRQ disabled, no auto-recovery</strong></td> </tr> </tbody> </table> <p>The pattern is &ldquo;drive needs increasingly frequent kicks until eventually the kernel gives up on it.&rdquo; None of which shows up in <code>smartctl --health</code>.</p> <h2 id="side-effects-when-the-cluster_network-is-on-the-same-node">Side effects when the cluster_network is on the same node </h2><p>Here&rsquo;s the bit that turned an annoying-but-recoverable single-drive failure into a 4-hour cluster-wide incident: stanton-02 also runs one of three Ceph monitors AND one of three OSDs. The 990 PRO holds <code>/var</code> (mon RocksDB), and the PM9A3 in nvme0 holds the OSD bluestore data. When the 990 PRO died, mon.b went silent, but the OSD itself was still up.</p> <p>Then I rebooted the node to get the drive back. The reboot killed the Thunderbolt ring that Ceph uses for <code>cluster_network</code> traffic — a documented MS-01 quirk where the second TB port doesn&rsquo;t always re-enumerate after a warm boot. So when the node came back, OSDs were <code>up,in</code> per Ceph, but <code>osd.1</code> and <code>osd.2</code> couldn&rsquo;t actually talk to each other over the cluster network. PGs got stuck <code>peering</code> for an hour while traffic spilled to <code>public_network</code> and the slow-heartbeat alarms climbed past 500 seconds.</p> <p>I wrote up the Thunderbolt fix separately — kernel arg <code>thunderbolt.host_reset=0</code> baked into a custom factory.talos.dev schematic — but it&rsquo;s worth mentioning here because it&rsquo;s the failure-mode amplifier. <strong>A single dying disk wouldn&rsquo;t have caused a cluster-wide alert storm if my Ceph cluster network wasn&rsquo;t running over Thunderbolt cables that don&rsquo;t always come back up after a reboot.</strong> Two unrelated weaknesses combined into one bad night.</p> <h2 id="what-im-doing-about-it">What I&rsquo;m doing about it </h2><p>After confirming the failure was real and ongoing, I went back to Amazon AU. The drive had 38 months left on a 5-year warranty, the failure mode is documented in dmesg with timestamps and serial numbers, and the SMART screenshots showed the wear/unsafe-shutdown picture clearly. Amazon&rsquo;s Global Store rep was sympathetic.</p> <p>To my surprise, they refunded the <strong>full cost of all three drives</strong> — not just the failing one. Recognition that a same-batch matched set is going to fail in similar ways was a nicer outcome than I expected.</p> <p>Now I&rsquo;m shopping for replacements. The path:</p> <ul> <li><strong>Enterprise NVMe with hardware PLP</strong> — non-negotiable. The whole point is to remove the consumer-NAND-on-server-workload mismatch.</li> <li><strong>M.2 22110 form factor</strong> — fits the MS-01&rsquo;s slot 2 and 3. The PM9A3 already in nvme0 has been rock solid; putting its sibling family in nvme1 keeps the cluster homogeneous.</li> <li><strong>At least 1 DWPD endurance class</strong> — overkill for my measured 180 GB/day write rate (~0.18 DWPD on a 1TB drive), but every doubling of headroom is insurance against future workload growth.</li> </ul> <p>The shortlist I&rsquo;ve narrowed it to is <strong>Samsung PM9A3 M.2 22110 960GB</strong> (NEW from a Chinese eBay seller at ~AU$554 each) or <strong>Micron 7450 PRO 480GB</strong> (new retail, but the NZ pricing is eye-watering). The math + budget pushed me toward the PM9A3 — it matches the drive that&rsquo;s been working flawlessly on the same cluster for 22 months.</p> <p>That&rsquo;s where Part 2 comes in. New drives, installation, performance comparison, the burn-in protocol, and the real test: whether enterprise PLP actually fixes the failure mode I&rsquo;ve documented here, or whether the MS-01&rsquo;s chassis is going to throw new and unexpected thermal headaches at me with 8.2W enterprise drives in slots designed for 5W consumer parts.</p> <h2 id="lessons-so-far">Lessons so far </h2><ul> <li><strong>&ldquo;PASSED&rdquo; SMART status is necessary but not sufficient.</strong> Watch the kernel log for <code>CSTS=0x3</code> and similar; SMART&rsquo;s threshold-based metrics will lag behind the actual drive health by months.</li> <li><strong>Consumer NVMe under etcd workload is a category error.</strong> Even on a homelab, if the drive holds <code>/var</code> for a Kubernetes control-plane, it&rsquo;s doing enterprise work. Buy enterprise.</li> <li><strong>The <code>Percentage Used</code> metric tells you the truth.</strong> When it&rsquo;s growing roughly 2× faster than <code>Data Units Written ÷ TBW</code> would predict, your drive is wearing out faster than spec, and you need to plan for replacement before the controller events start.</li> <li><strong>PLP is the structural fix.</strong> A UPS helps with powercuts but doesn&rsquo;t fix the fsync-amp problem on consumer NAND.</li> <li><strong>Same-batch drives die together.</strong> If one drive in a matched set fails, pull SMART on all of them. They&rsquo;ll be on the same trajectory. In my case, the most-worn drive isn&rsquo;t the one that failed first — it&rsquo;s the one I haven&rsquo;t seen flap yet.</li> <li><strong>Architectural single-points-of-pain compound.</strong> A drive failure on its own is recoverable. A drive failure plus a fragile cluster_network on the same node is a bad night. Audit your dependencies before you have to.</li> </ul> <p>Part 2 incoming when the new drives arrive. Until then I&rsquo;m running on borrowed time on stanton-03 (the 50%-wear sibling). Coffee in hand, alert thresholds tightened, Renovate auto-merge disabled on Ceph until the swap is done.</p> https://blog.nerdz.cloud/2026/deploying-open-llms-04/ Thu, 12 Mar 2026 00:00:00 +1300 https://blog.nerdz.cloud/2026/deploying-open-llms-04/ <blockquote> <p>&ldquo;The best AI assistant isn&rsquo;t the smartest one. It&rsquo;s the one that remembers you told it not to do that thing last Tuesday.&rdquo;</p> </blockquote> <h2 id="intro">Intro </h2><p>It&rsquo;s been a while since <a class="link" href="https://gavinmcfall.github.io/nerdzblog/2025/deploying-open-llms-03/" target="_blank" rel="noopener" >Part 3</a> where I got Ollama running as a DaemonSet with shared storage across my three MS-01 nodes. That setup worked, but it had some fundamental limitations that started bugging me:</p> <ol> <li><strong>No GPU heterogeneity</strong> — All three MS-01 nodes have Intel UHD 770 iGPUs. When I added pyro-01 (with a GTX 1080 Ti) to the cluster, Ollama had no way to federate inference across different GPU types.</li> <li><strong>No load balancing</strong> — Requests hit whichever pod the service routed to. No awareness of which node was busy or idle.</li> <li><strong>No memory</strong> — Every conversation started from zero. The AI had no idea who I was, what we&rsquo;d talked about, or what I&rsquo;d asked it to remember.</li> </ol> <p>That last one is the big one. I don&rsquo;t just want a chatbot — I want an AI stack that builds context over time, across every interface I use.</p> <p>So I ripped it all out and started over.</p> <h2 id="why-localai">Why LocalAI? </h2><p><a class="link" href="https://github.com/mudler/LocalAI" target="_blank" rel="noopener" >LocalAI</a> is an OpenAI-compatible API server that runs locally, similar to Ollama. But it has some features that make it significantly more interesting for a multi-node homelab:</p> <h3 id="heterogeneous-gpu-support">Heterogeneous GPU Support </h3><p>My cluster has two types of GPU hardware:</p> <table> <thead> <tr> <th>Node</th> <th>GPU</th> <th>VRAM</th> <th>LocalAI Image</th> </tr> </thead> <tbody> <tr> <td>ms-01 (x3)</td> <td>Intel UHD 770 (iGPU)</td> <td>Shared 16GB RAM</td> <td><code>gpu-intel</code> (SYCL/oneAPI)</td> </tr> <tr> <td>pyro-01</td> <td>NVIDIA GTX 1080 Ti</td> <td>11GB GDDR5X</td> <td><code>gpu-nvidia-cuda-12</code></td> </tr> </tbody> </table> <p>LocalAI has dedicated container images for each GPU vendor. Different images, same API. Each worker loads models suited to its hardware.</p> <h3 id="openai-compatible-api">OpenAI-Compatible API </h3><p>Just like Ollama, LocalAI exposes <code>/v1/chat/completions</code>, <code>/v1/embeddings</code>, and all the standard OpenAI endpoints. Any tool that speaks OpenAI can talk to LocalAI without modification.</p> <h3 id="memory-reclaimer">Memory Reclaimer </h3><p>LocalAI can automatically evict idle models from memory when resources get tight. On constrained hardware (Intel iGPUs sharing system RAM), this is essential. Ollama would just OOM-kill.</p> <h3 id="p2p-federation-the-feature-i-wanted-but-couldnt-use">P2P Federation (The Feature I Wanted But Couldn&rsquo;t Use) </h3><p>LocalAI advertises P2P federation using <a class="link" href="https://github.com/mudler/edgevpn" target="_blank" rel="noopener" >edgevpn</a> and <a class="link" href="https://github.com/libp2p/go-libp2p" target="_blank" rel="noopener" >libp2p</a> — a CPU-only load balancer that discovers GPU workers via a DHT mesh. Workers join the network with a shared token, and the LB routes requests automatically.</p> <p>This was the killer feature that sold me on LocalAI. It didn&rsquo;t work. More on that below.</p> <h2 id="the-p2p-federation-trap">The P2P Federation Trap </h2><p>I spent significant time building out a P2P federated setup:</p> <ul> <li>A CPU-only load balancer running <code>local-ai federated</code></li> <li>Intel workers running <code>local-ai run --p2p --federated</code></li> <li>An NVIDIA worker running the same</li> <li>A shared edgevpn token (base64-encoded YAML with room, rendezvous, mDNS, and OTP keys) via ExternalSecret</li> </ul> <p>The LB started fine. EdgeVPN initialized, DHT bootstrapped, and it listened on port 8080. Then it spammed <code>No available nodes yet</code> for 20+ minutes and never found a single worker.</p> <h3 id="why-p2p-fails-in-kubernetes">Why P2P Fails in Kubernetes </h3><p>The edgevpn DHT bootstrap mechanism relies on two discovery methods:</p> <ol> <li> <p><strong>mDNS</strong> — Uses UDP multicast to <code>224.0.0.251:5353</code>. Works on a LAN. <strong>Does not work across Kubernetes nodes.</strong> Each pod has its own network namespace; multicast doesn&rsquo;t cross node boundaries in Cilium (or most CNIs).</p> </li> <li> <p><strong>DHT via public IPFS bootstrap nodes</strong> — Falls back to <code>bootstrap.libp2p.io:4001</code> when no custom bootstrap peers are set. In my cluster, this DNS name <strong>doesn&rsquo;t resolve from inside pods</strong>. Even if it did, the DHT would need to successfully NAT-traverse between pods, which Cilium&rsquo;s eBPF datapath doesn&rsquo;t support for libp2p&rsquo;s hole-punching.</p> </li> </ol> <p>There is a <code>LOCALAI_P2P_BOOTSTRAP_PEERS_MADDRS</code> env var (added in <a class="link" href="https://github.com/mudler/LocalAI/pull/4200" target="_blank" rel="noopener" >PR #4200</a>) that lets you specify custom bootstrap peers. But the LB&rsquo;s peer ID and port are randomly generated on each startup, so you&rsquo;d need a stable identity (persisted key file) and a fixed listen port (<code>LOCALAI_P2P_LISTEN_MADDRS</code>), plus a headless service for stable DNS. At that point you&rsquo;re fighting the architecture harder than using it.</p> <h3 id="the-simpler-solution">The Simpler Solution </h3><p>I dropped P2P entirely and used <strong>direct Kubernetes services</strong> instead:</p> <ul> <li>Each worker group (Intel, NVIDIA) gets its own <code>ClusterIP</code> Service</li> <li>Kubernetes handles load balancing between the two Intel replicas naturally</li> <li>Consumers point at the right service directly</li> </ul> <p>No DHT, no mDNS, no edgevpn, no P2P token. Just k8s doing what k8s does.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># Intel workers — 2 replicas, k8s load-balances</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">service</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">app</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">controller</span><span class="p">:</span><span class="w"> </span><span class="l">local-ai-intel</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ports</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">http</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">port</span><span class="p">:</span><span class="w"> </span><span class="m">8080</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># NVIDIA worker — single replica</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">service</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">app</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">controller</span><span class="p">:</span><span class="w"> </span><span class="l">local-ai-nvidia</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ports</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">http</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">port</span><span class="p">:</span><span class="w"> </span><span class="m">8080</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>Open WebUI gets both via <code>OPENAI_API_BASE_URLS</code> (semicolons):</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">OPENAI_API_BASE_URLS</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;http://local-ai-intel:8080/v1;http://local-ai-nvidia:8080/v1&#34;</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>Other consumers point at whichever backend has their models — mem0 talks to Intel (embeddings), OpenClaw talks to NVIDIA (coder models).</p> <h2 id="other-gotchas">Other Gotchas </h2><p>P2P wasn&rsquo;t the only thing that fought me. Here are the other issues I hit, because if you&rsquo;re deploying LocalAI in Kubernetes, you&rsquo;ll probably hit them too.</p> <h3 id="backend-alias-resolution-is-broken-at-model-load-time">Backend Alias Resolution is Broken at Model-Load Time </h3><p>When you set <code>LOCALAI_EXTERNAL_BACKENDS: &quot;llama-cpp&quot;</code>, LocalAI downloads a meta-backend from the gallery. On an Intel system, <code>llama-cpp</code> resolves to <code>intel-sycl-f16-llama-cpp</code>. On NVIDIA, it resolves to <code>cuda12-llama-cpp</code>.</p> <p>The downloaded <code>llama-cpp</code> directory contains only a <code>metadata.json</code> with <code>&quot;meta_backend_for&quot;: &quot;intel-sycl-f16-llama-cpp&quot;</code> — no <code>run.sh</code>, no binaries. The actual backend is in the <code>intel-sycl-f16-llama-cpp</code> directory.</p> <p>If your model config says <code>backend: llama-cpp</code>, LocalAI can&rsquo;t follow the metadata alias at model-load time. It tries to use the <code>llama-cpp</code> directory directly, finds no <code>run.sh</code>, and fails with &ldquo;all backends returned error.&rdquo;</p> <p><strong>Fix</strong>: Always use platform-specific backend names in model configs:</p> <table> <thead> <tr> <th>Platform</th> <th>Use This</th> <th>Not This</th> </tr> </thead> <tbody> <tr> <td>Intel iGPU</td> <td><code>intel-sycl-f16-llama-cpp</code></td> <td><code>llama-cpp</code></td> </tr> <tr> <td>Intel whisper</td> <td><code>intel-sycl-f16-whisper</code></td> <td><code>whisper</code></td> </tr> <tr> <td>NVIDIA CUDA</td> <td><code>cuda12-llama-cpp</code></td> <td><code>llama-cpp</code></td> </tr> </tbody> </table> <h3 id="localai_config_dir-is-not-for-model-configs">LOCALAI_CONFIG_DIR Is Not for Model Configs </h3><p>This one cost me hours. The <code>LOCALAI_CONFIG_DIR</code> flag (<code>--localai-config-dir</code>) sounds like where you put model YAML files. <strong>It is not.</strong> It&rsquo;s only for <code>api_keys.json</code> and <code>external_backends.json</code>.</p> <p>Model YAML config files <strong>must</strong> live in the models directory (<code>LOCALAI_MODELS_PATH</code>, which defaults to <code>/models/</code>). If you mount them to a separate <code>/configuration/</code> directory, LocalAI will never see them.</p> <p>I use ConfigMap <code>subPath</code> mounts to inject model configs alongside the GGUF files on the PVC:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">persistence</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">models</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">existingClaim</span><span class="p">:</span><span class="w"> </span><span class="l">local-ai-models-intel</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">globalMounts</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="l">/models</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">config</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l">configMap</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">local-ai-config-intel</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">globalMounts</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="l">/models/mistral-7b-instruct.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">subPath</span><span class="p">:</span><span class="w"> </span><span class="l">mistral-7b-instruct.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="l">/models/nomic-embed-text.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">subPath</span><span class="p">:</span><span class="w"> </span><span class="l">nomic-embed-text.yaml</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h3 id="the-download_files-directive-is-unreliable-for-large-models">The download_files Directive Is Unreliable for Large Models </h3><p>LocalAI model configs support a <code>download_files</code> directive that downloads models from HuggingFace on startup:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">download_files</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">filename</span><span class="p">:</span><span class="w"> </span><span class="l">mistral-7b-instruct-v0.3.Q4_K_M.gguf</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">uri</span><span class="p">:</span><span class="w"> </span><span class="l">huggingface://MaziyarPanahi/Mistral-7B-Instruct-v0.3-GGUF/...</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>For small files (whisper at 142MB, piper TTS at 61MB, nomic embeddings at 81MB), this works fine. For large files (Mistral 7B at 4.1GB, Qwen 14B at 8.7GB), it consistently stalls mid-transfer with &ldquo;Connection reset by peer&rdquo; and leaves <code>.partial</code> files or corrupt incomplete files without the <code>.partial</code> extension.</p> <p>I ended up <code>kubectl exec</code>-ing into the pods and using <code>wget</code> with retry:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl <span class="nb">exec</span> -n cortex deploy/local-ai-intel -- <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> wget -c -t <span class="m">0</span> -O /models/mistral-7b-instruct-v0.3.Q4_K_M.gguf <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> <span class="s2">&#34;https://huggingface.co/MaziyarPanahi/Mistral-7B-Instruct-v0.3-GGUF/resolve/main/Mistral-7B-Instruct-v0.3.Q4_K_M.gguf&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><p>Once the files are on the PVC, they persist across pod restarts. You only need to do this once.</p> <h3 id="non-aio-images-ship-without-backends">Non-AIO Images Ship Without Backends </h3><p>The standard container images (like <code>v3.12.1-gpu-nvidia-cuda-12</code>) do <strong>not</strong> include pre-compiled backends. The <code>/backends/</code> directory ships empty. Backends are downloaded from the OCI backend gallery at startup via <code>LOCALAI_EXTERNAL_BACKENDS</code>.</p> <p>This means:</p> <ul> <li>First startup is slow (backends download from <code>docker.io/localai/localai-backends</code>)</li> <li>If the download fails (network, permissions, rate limiting), the backend directory is left empty and models fail to load with &ldquo;backend not found&rdquo;</li> <li>The <code>backends: type: emptyDir</code> mount in Kubernetes is correct — you need a writable directory since the image&rsquo;s own <code>/backends/</code> is empty</li> </ul> <p>If you want pre-baked backends, use the AIO (all-in-one) images. But those come with pre-configured models too, which may not be what you want.</p> <h2 id="the-architecture-what-actually-works">The Architecture (What Actually Works) </h2><p>Here&rsquo;s the final architecture, after all the P2P was stripped out:</p> <p><img src="https://blog.nerdz.cloud/2026/deploying-open-llms-04/cortex-architecture.png" width="5969" height="2231" srcset="https://blog.nerdz.cloud/2026/deploying-open-llms-04/cortex-architecture_hu7057622867439076354.png 480w, https://blog.nerdz.cloud/2026/deploying-open-llms-04/cortex-architecture_hu16412193002194825415.png 1024w" loading="lazy" alt="Cortex Stack Architecture" class="gallery-image" data-flex-grow="267" data-flex-basis="642px" ></p> <p>Key differences from the original plan:</p> <ul> <li><strong>No P2P load balancer</strong> — consumers talk directly to worker services</li> <li><strong>Intel workers (x2)</strong>: General-purpose models — Mistral 7B (chat), nomic-embed-text (embeddings), whisper (STT), piper (TTS)</li> <li><strong>NVIDIA worker (x1)</strong>: Coder models — Qwen 2.5 Coder 7B and 14B</li> </ul> <table> <thead> <tr> <th>Component</th> <th>What It Does</th> <th>Why It&rsquo;s Here</th> </tr> </thead> <tbody> <tr> <td><strong>LocalAI (Intel)</strong></td> <td>Chat, embeddings, whisper, TTS</td> <td>General-purpose inference on 2x MS-01 iGPUs</td> </tr> <tr> <td><strong>LocalAI (NVIDIA)</strong></td> <td>Code generation</td> <td>Runs larger coder models on the 1080 Ti</td> </tr> <tr> <td><strong>Qdrant</strong></td> <td>Vector database</td> <td>Stores mem0 memories and Open WebUI&rsquo;s document RAG</td> </tr> <tr> <td><strong>PostgreSQL</strong></td> <td>Relational database</td> <td>mem0 access controls + history, Open WebUI user data</td> </tr> <tr> <td><strong>mem0</strong></td> <td>Memory extraction and retrieval</td> <td>The connective tissue — shared memory across all interfaces</td> </tr> <tr> <td><strong>OpenClaw</strong></td> <td>Discord agent</td> <td>Chat via Discord with persistent memory</td> </tr> <tr> <td><strong>Open WebUI</strong></td> <td>Browser chat UI</td> <td>Web-based chat with RAG and shared memory</td> </tr> <tr> <td><strong>SearXNG</strong></td> <td>Privacy-respecting search</td> <td>Web search for agent queries</td> </tr> <tr> <td><strong>Claude Code</strong></td> <td>CLI agent (local)</td> <td>Terminal-based AI with the same shared memory via MCP</td> </tr> </tbody> </table> <h3 id="how-memory-flows-across-interfaces">How Memory Flows Across Interfaces </h3><p>This is the part that excites me most. Say I&rsquo;m chatting with my AI agent on Discord and I mention that I&rsquo;m working on a Cilium BGP issue. mem0 extracts that fact, embeds it, and stores it in Qdrant — scoped to my <code>user_id</code>.</p> <p>Later, I open Claude Code in my terminal to work on the same problem. The mem0 MCP server searches for relevant memories, finds the Discord context, and injects it. Claude Code already knows what I&rsquo;ve been working on without me repeating myself.</p> <p>My wife opens Open WebUI to ask a cooking question? Her <code>user_id</code> is different — she gets her own memory space. No cross-contamination.</p> <p>One Qdrant instance, multiple collections, all user-scoped. The same memory layer serves every interface.</p> <h2 id="what-about-the-existing-stack">What About the Existing Stack? </h2><p>If you&rsquo;ve been following the series, you&rsquo;ll notice some things changed:</p> <table> <thead> <tr> <th>Before</th> <th>After</th> <th>Why</th> </tr> </thead> <tbody> <tr> <td>Ollama (DaemonSet)</td> <td>LocalAI (k8s services)</td> <td>GPU heterogeneity, memory reclaimer, better model configs</td> </tr> <tr> <td>Open WebUI built-in memory</td> <td>mem0 (universal)</td> <td>Cross-interface memory sharing</td> </tr> <tr> <td>No vector DB</td> <td>Qdrant</td> <td>Required by both mem0 and Open WebUI RAG</td> </tr> <tr> <td>No agent</td> <td>OpenClaw (Discord)</td> <td>I wanted to interact via Discord</td> </tr> </tbody> </table> <p>Open WebUI and SearXNG stay — they were already deployed and working. They just get rewired to talk to LocalAI instead of Ollama, and Open WebUI gets the mem0 pipeline filter bolted on.</p> <p>PostgreSQL was already running via CloudNative-PG (it backs about 20 other apps in my cluster), so mem0 and Open WebUI just get new databases on the existing cluster.</p> <h2 id="current-status">Current Status </h2><p>As of writing, here&rsquo;s what&rsquo;s deployed and working:</p> <table> <thead> <tr> <th>Component</th> <th>Status</th> <th>Models/Notes</th> </tr> </thead> <tbody> <tr> <td>LocalAI Intel (x2)</td> <td>Running</td> <td>mistral-7b-instruct, nomic-embed-text, whisper-1, tts-1</td> </tr> <tr> <td>LocalAI NVIDIA (x1)</td> <td>Running</td> <td>qwen2.5-coder:7b, qwen2.5-coder:14b</td> </tr> <tr> <td>Qdrant</td> <td>Running</td> <td>Vector storage ready</td> </tr> <tr> <td>mem0</td> <td>Running</td> <td>API on port 8765, using openmemory-mcp image</td> </tr> <tr> <td>Open WebUI</td> <td>Running</td> <td>Connected to both LocalAI backends</td> </tr> <tr> <td>OpenClaw</td> <td>Running</td> <td>Discord bot with coder model access</td> </tr> <tr> <td>SearXNG</td> <td>Running</td> <td>Web search available</td> </tr> </tbody> </table> <h2 id="whats-coming-in-part-5">What&rsquo;s Coming in Part 5 </h2><p>Next post will cover the mem0 integration — wiring up the pipeline filters in Open WebUI, the OpenClaw mem0 plugin for Discord, and the self-hosted mem0 MCP server for Claude Code. That&rsquo;s where the &ldquo;AI that remembers you&rdquo; promise actually comes together.</p> <hr> <p><em>The full architecture document is in my <a class="link" href="https://github.com/gavinmcfall/home-ops/blob/main/docs/ai-context/cortex-stack-architecture.md" target="_blank" rel="noopener" >home-ops repo</a>. The manifests are under <a class="link" href="https://github.com/gavinmcfall/home-ops/tree/main/kubernetes/apps/cortex" target="_blank" rel="noopener" >kubernetes/apps/cortex/</a>.</em></p> https://blog.nerdz.cloud/2026/cloud-provider-roulette-redroid/ Sun, 11 Jan 2026 00:00:00 +1300 https://blog.nerdz.cloud/2026/cloud-provider-roulette-redroid/ <blockquote> <p>&ldquo;The definition of insanity is doing the same thing over and over and expecting different results. The definition of homelabbing is trying every cloud provider until one doesn&rsquo;t hate you.&rdquo;</p> </blockquote> <h2 id="the-goal">The Goal </h2><p>I needed an Android device for testing <a class="link" href="https://github.com/bootible/bootible" target="_blank" rel="noopener" >Bootible</a> — a one-liner provisioning tool for gaming handhelds. The problem: I don&rsquo;t have a spare Android device lying around, and buying one just for development felt wasteful.</p> <p>Enter Redroid — Android containers that run natively on ARM hardware. No emulation overhead, just containerised Android with ADB access. Connect via scrcpy and you&rsquo;ve got a proper Android environment for testing.</p> <p>Simple enough, right?</p> <h2 id="attempt-1-truenas-scale">Attempt 1: TrueNAS SCALE </h2><p>My TrueNAS box has plenty of horsepower — 56 threads, 128GB RAM. Running Redroid there would keep everything local with zero latency. Perfect.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ssh truenas </span></span><span class="line"><span class="cl">sudo apt install linux-modules-extra-<span class="k">$(</span>uname -r<span class="k">)</span> </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-go" data-lang="go"><span class="line"><span class="cl"><span class="nx">Reading</span> <span class="kn">package</span> <span class="nx">lists</span><span class="o">...</span> <span class="nx">Done</span> </span></span><span class="line"><span class="cl"><span class="nx">E</span><span class="p">:</span> <span class="nx">dpkg</span> <span class="nx">was</span> <span class="nx">interrupted</span><span class="p">,</span> <span class="nx">you</span> <span class="nx">must</span> <span class="nx">manually</span> <span class="nx">run</span> <span class="err">&#39;</span><span class="nx">sudo</span> <span class="nx">dpkg</span> <span class="o">--</span><span class="nx">configure</span> <span class="o">-</span><span class="nx">a</span><span class="err">&#39;</span> </span></span></code></pre></td></tr></table> </div> </div><p>Okay, let&rsquo;s try that:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo dpkg --configure -a </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">dpkg: error: unable to access dpkg status area: Read-only file system </span></span></code></pre></td></tr></table> </div> </div><p>TrueNAS SCALE is not your typical Linux box. It&rsquo;s an appliance with a read-only root filesystem. No installing packages, no loading kernel modules, no Redroid.</p> <p><strong>Result</strong>: Dead on arrival.</p> <h2 id="attempt-2-oracle-cloud-a1-free-tier">Attempt 2: Oracle Cloud A1 (Free Tier) </h2><p>Oracle Cloud&rsquo;s Always Free tier includes up to 4 ARM OCPUs and 24GB RAM on their Ampere A1 instances. Free ARM compute in Sydney? Sign me up.</p> <ol> <li>Created Oracle Cloud account</li> <li>Navigated to Compute → Create Instance</li> <li>Selected VM.Standard.A1.Flex</li> <li>Clicked Create</li> </ol> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">Out of capacity for shape VM.Standard.A1.Flex in availability domain AD-1. </span></span></code></pre></td></tr></table> </div> </div><p>Tried AD-2. Same error. AD-3. Same.</p> <p>This is Oracle Cloud&rsquo;s dirty secret — the free tier instances are perpetually &ldquo;out of capacity&rdquo; in popular regions. Sydney? Forget it. You might get lucky at 3am on a Tuesday, but I wasn&rsquo;t willing to write a script to spam the API.</p> <p><strong>Result</strong>: Phantom free tier.</p> <h2 id="attempt-3-oracle-cloud-a2-paid">Attempt 3: Oracle Cloud A2 (Paid) </h2><p>Fine. I&rsquo;ll pay. Oracle A2 instances are the newer Ampere Altra processors. Still ARM, but with actual availability.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># SSH into new A2 instance</span> </span></span><span class="line"><span class="cl">ssh ubuntu@&lt;oracle-a2-ip&gt; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Install Docker</span> </span></span><span class="line"><span class="cl">sudo apt install -y docker.io </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Load binder module</span> </span></span><span class="line"><span class="cl">sudo modprobe binder_linux <span class="nv">devices</span><span class="o">=</span>binder,hwbinder,vndbinder </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Run Redroid</span> </span></span><span class="line"><span class="cl">docker run -d --name redroid-11 --privileged <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -p 5555:5555 <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> redroid/redroid:11.0.0-latest </span></span></code></pre></td></tr></table> </div> </div><p>The container started. Docker logs showed Android booting. Then:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">init: cannot execv(&#39;/system/bin/boringssl_self_test32&#39;): Exec format error </span></span></code></pre></td></tr></table> </div> </div><p>And the entire VM froze. SSH session dead. Console showed kernel panic.</p> <p>After some research: <strong>Oracle A2 instances don&rsquo;t support 32-bit ARM binaries</strong>. The Ampere Altra processors are 64-bit only. Standard Redroid images include 32-bit compatibility libraries that cause immediate kernel panics.</p> <p>The fix? Use Redroid&rsquo;s <code>_64only</code> images:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">docker run -d --name redroid-13 --privileged <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -p 5555:5555 <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> redroid/redroid:13.0.0_64only-latest </span></span></code></pre></td></tr></table> </div> </div><p>But wait — there&rsquo;s no Android 11 <code>_64only</code> image. The oldest is Android 12. And after the kernel panic, I was done fighting with Oracle.</p> <p><strong>Result</strong>: Works in theory, terrifying in practice.</p> <h2 id="attempt-4-hetzner-arm-cax11">Attempt 4: Hetzner ARM (CAX11) </h2><p>Hetzner&rsquo;s ARM servers are cheap (~€4/month), available in multiple regions, and most importantly: they support 32-bit ARM binaries.</p> <p>Created a CAX11 in Helsinki:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># SSH in</span> </span></span><span class="line"><span class="cl">ssh root@&lt;hetzner-ip&gt; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Install Docker</span> </span></span><span class="line"><span class="cl">apt update <span class="o">&amp;&amp;</span> apt install -y docker.io </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Load binder module</span> </span></span><span class="line"><span class="cl">modprobe binder_linux <span class="nv">devices</span><span class="o">=</span>binder,hwbinder,vndbinder </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Run Redroid</span> </span></span><span class="line"><span class="cl">docker run -d --name redroid-11 --privileged <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -p 5555:5555 <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> redroid/redroid:11.0.0-latest </span></span></code></pre></td></tr></table> </div> </div><p>It worked. Android 11 booted, ADB connected, scrcpy displayed the Android home screen.</p> <p>Then I tried to actually use it:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">tailscale ping &lt;hetzner-tailscale-ip&gt; </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">pong from hetzner-android (100.x.x.x) via DERP(fra) in 280ms </span></span></code></pre></td></tr></table> </div> </div><p>280 milliseconds. From New Zealand to Helsinki. Every tap, every swipe, every interaction — a quarter-second delay. For development testing, it was borderline unusable.</p> <p><strong>Result</strong>: Works, but feels like using Android through molasses.</p> <h2 id="attempt-5-aws-graviton-sydney">Attempt 5: AWS Graviton (Sydney) </h2><p>At this point I was ready to throw money at the problem. AWS has Graviton instances in Sydney. Their t4g.small is free tier eligible (750 hours/month until December 2026). Let&rsquo;s try it.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Create t4g.small in ap-southeast-2</span> </span></span><span class="line"><span class="cl"><span class="c1"># SSH in</span> </span></span><span class="line"><span class="cl">ssh -i ~/.ssh/android.pem ubuntu@&lt;aws-ip&gt; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Install Docker and kernel modules</span> </span></span><span class="line"><span class="cl">sudo apt install -y docker.io linux-modules-extra-<span class="k">$(</span>uname -r<span class="k">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Load binder</span> </span></span><span class="line"><span class="cl">sudo modprobe binder_linux <span class="nv">devices</span><span class="o">=</span>binder,hwbinder,vndbinder </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Mount binderfs</span> </span></span><span class="line"><span class="cl">sudo mkdir -p /dev/binderfs </span></span><span class="line"><span class="cl">sudo mount -t binder binder /dev/binderfs </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Run Redroid (64-bit only for Graviton)</span> </span></span><span class="line"><span class="cl">docker run -d --name redroid-13 --privileged <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -p 5555:5555 <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> redroid/redroid:13.0.0_64only-latest </span></span></code></pre></td></tr></table> </div> </div><p>Checked boot status:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">docker <span class="nb">exec</span> redroid-13 getprop sys.boot_completed </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">1 </span></span></code></pre></td></tr></table> </div> </div><p>Connected from my PC:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">tailscale ping 100.66.154.79 </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">pong from aws-android (100.66.154.79) via DERP(syd) in 28ms </span></span><span class="line"><span class="cl">pong from aws-android (100.66.154.79) via DERP(syd) in 29ms </span></span><span class="line"><span class="cl">pong from aws-android (100.66.154.79) via DERP(syd) in 28ms </span></span></code></pre></td></tr></table> </div> </div><p>28 milliseconds. Ten times faster than Hetzner. scrcpy was responsive, taps registered instantly, the whole experience felt local.</p> <p><strong>Result</strong>: Finally.</p> <h2 id="the-scorecard">The Scorecard </h2><table> <thead> <tr> <th>Provider</th> <th>Region</th> <th>Cost</th> <th>Latency (NZ)</th> <th>Result</th> </tr> </thead> <tbody> <tr> <td>TrueNAS</td> <td>Local</td> <td>Free</td> <td>0ms</td> <td>Read-only filesystem</td> </tr> <tr> <td>Oracle A1</td> <td>Sydney</td> <td>Free</td> <td>N/A</td> <td>&ldquo;Out of capacity&rdquo; forever</td> </tr> <tr> <td>Oracle A2</td> <td>Sydney</td> <td>~$15/mo</td> <td>N/A</td> <td>Kernel panics (no 32-bit)</td> </tr> <tr> <td>Hetzner CAX11</td> <td>Helsinki</td> <td>~€4/mo</td> <td>280ms</td> <td>Works but unusable</td> </tr> <tr> <td>AWS t4g.small</td> <td>Sydney</td> <td>Free tier</td> <td>28ms</td> <td>Works perfectly</td> </tr> </tbody> </table> <h2 id="lessons-learned">Lessons Learned </h2><h3 id="1-truenas-is-an-appliance">1. TrueNAS is an Appliance </h3><p>Don&rsquo;t try to use TrueNAS SCALE as a general-purpose Linux box. It&rsquo;s designed to run apps through their official app system, not arbitrary Docker containers with kernel module requirements.</p> <h3 id="2-oracle-cloud-free-tier-is-a-lie">2. Oracle Cloud Free Tier is a Lie </h3><p>The A1 instances are theoretically free. In practice, they&rsquo;re never available in useful regions. The paid A2 tier works but has its own problems (see below).</p> <h3 id="3-not-all-arm-is-equal">3. Not All ARM is Equal </h3><p>Oracle A2 (Ampere Altra) and AWS Graviton processors are 64-bit only. Standard Redroid images include 32-bit ARM libraries that cause kernel panics. Always use <code>_64only</code> variants:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">redroid/redroid:12.0.0_64only-latest </span></span><span class="line"><span class="cl">redroid/redroid:13.0.0_64only-latest </span></span><span class="line"><span class="cl">redroid/redroid:14.0.0_64only-latest </span></span></code></pre></td></tr></table> </div> </div><p>Hetzner CAX (Ampere eMAG) supports both 32-bit and 64-bit, so standard images work there.</p> <h3 id="4-geography-matters">4. Geography Matters </h3><p>For interactive applications like scrcpy, latency is everything. 280ms makes an Android device feel broken. 28ms feels native. Pick a region close to you.</p> <h3 id="5-free-tier-math">5. Free Tier Math </h3><p>AWS t4g.small gives you 750 hours/month free — that&rsquo;s 24/7 operation with room to spare. The free tier runs until December 2026. After that, it&rsquo;s about $12/month in Sydney. Still cheaper than a dedicated Android device.</p> <h3 id="6-tailscale-is-the-answer">6. Tailscale is the Answer </h3><p>Every provider in this journey used Tailscale for access. No public ports exposed, no firewall rules to manage, no VPN certificates to rotate. Just <code>tailscale up</code> and you&rsquo;re connected.</p> <h2 id="the-final-setup">The Final Setup </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl"> Tailscale Mesh </span></span><span class="line"><span class="cl"> │ </span></span><span class="line"><span class="cl"> ┌─────────────────┼─────────────────┐ </span></span><span class="line"><span class="cl"> │ │ │ </span></span><span class="line"><span class="cl"> ▼ ▼ ▼ </span></span><span class="line"><span class="cl"> ┌───────────┐ ┌───────────┐ ┌───────────┐ </span></span><span class="line"><span class="cl"> │ Desktop │ │ Phone │ │ Laptop │ </span></span><span class="line"><span class="cl"> │ (WSL2) │ │ │ │ │ </span></span><span class="line"><span class="cl"> └─────┬─────┘ └───────────┘ └───────────┘ </span></span><span class="line"><span class="cl"> │ </span></span><span class="line"><span class="cl"> │ ADB + scrcpy </span></span><span class="line"><span class="cl"> │ 28ms RTT </span></span><span class="line"><span class="cl"> ▼ </span></span><span class="line"><span class="cl"> ┌───────────────────────────────────────────┐ </span></span><span class="line"><span class="cl"> │ AWS ap-southeast-2 │ </span></span><span class="line"><span class="cl"> │ ┌─────────────────────────────────────┐ │ </span></span><span class="line"><span class="cl"> │ │ t4g.small │ │ </span></span><span class="line"><span class="cl"> │ │ ┌──────────────────────────────┐ │ │ </span></span><span class="line"><span class="cl"> │ │ │ Redroid Container │ │ │ </span></span><span class="line"><span class="cl"> │ │ │ Android 13 (64-bit) │ │ │ </span></span><span class="line"><span class="cl"> │ │ │ Port 5555 │ │ │ </span></span><span class="line"><span class="cl"> │ │ └──────────────────────────────┘ │ │ </span></span><span class="line"><span class="cl"> │ └─────────────────────────────────────┘ │ </span></span><span class="line"><span class="cl"> └───────────────────────────────────────────┘ </span></span></code></pre></td></tr></table> </div> </div><h2 id="quick-reference">Quick Reference </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Check latency</span> </span></span><span class="line"><span class="cl">tailscale ping &lt;aws-tailscale-ip&gt; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Connect ADB</span> </span></span><span class="line"><span class="cl">adb connect &lt;aws-tailscale-ip&gt;:5555 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Display with scrcpy (optimised for remote)</span> </span></span><span class="line"><span class="cl">scrcpy -s &lt;aws-tailscale-ip&gt;:5555 <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> --max-size <span class="m">1024</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> --video-bit-rate 4M <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> --stay-awake </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Check Android boot status</span> </span></span><span class="line"><span class="cl">docker <span class="nb">exec</span> redroid-13 getprop sys.boot_completed </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Shell into Android</span> </span></span><span class="line"><span class="cl">adb -s &lt;aws-tailscale-ip&gt;:5555 shell </span></span></code></pre></td></tr></table> </div> </div><hr> <p><em>The full setup guide is in my <a class="link" href="https://github.com/gavinmcfall/home-ops/blob/main/docs/Guides/Cloud%20Compute/Android%20Emulation/aws-redroid-setup.md" target="_blank" rel="noopener" >home-ops repo</a>.</em></p> https://blog.nerdz.cloud/2026/pterodactyl-truenas-setup/ Sat, 10 Jan 2026 00:00:00 +1300 https://blog.nerdz.cloud/2026/pterodactyl-truenas-setup/ <blockquote> <p>&ldquo;Why pay for game server hosting when you have a 56-thread NAS sitting idle?&rdquo; — <em>Me, justifying another homelab project</em></p> </blockquote> <h2 id="the-problem-game-server-sprawl">The Problem: Game Server Sprawl </h2><p>I&rsquo;ve been running various game servers over the years — Minecraft for the kids, Valheim with friends, the occasional ARK survival session. Each one was its own snowflake: different install methods, different backup strategies, different ways of breaking at 2am when someone actually wanted to play.</p> <p>What I wanted was something like Proxmox for VMs, but for game servers: a web UI where I could spin up a Minecraft server in 30 seconds, manage backups, and not have to SSH into anything unless something was on fire.</p> <p>Enter <a class="link" href="https://pterodactyl.io/" target="_blank" rel="noopener" >Pterodactyl</a>.</p> <h2 id="what-is-pterodactyl">What is Pterodactyl? </h2><p>Pterodactyl is an open-source game server management panel. It&rsquo;s what companies like Apex Hosting and Nodecraft use under the hood (or something similar). The architecture is split into two components:</p> <table> <thead> <tr> <th>Component</th> <th>Purpose</th> </tr> </thead> <tbody> <tr> <td><strong>Panel</strong></td> <td>Web UI for managing servers, users, allocations</td> </tr> <tr> <td><strong>Wings</strong></td> <td>Daemon that actually runs the game server containers</td> </tr> </tbody> </table> <p>The Panel is a Laravel app — database, Redis, the usual web stack. Wings is a Go binary that talks to Docker and manages the actual game server containers.</p> <p>In my setup:</p> <ul> <li><strong>Panel</strong> runs on Kubernetes (GitOps, because everything in my homelab is GitOps)</li> <li><strong>Wings</strong> runs on TrueNAS (where I have the storage and spare compute for game servers)</li> </ul> <h2 id="why-truenas-for-wings">Why TrueNAS for Wings? </h2><p>My Kubernetes cluster is three nodes with NVMe storage, optimised for services that need to be highly available. Game servers&hellip; don&rsquo;t really fit that mould. They&rsquo;re stateful, they want lots of RAM and CPU, and if a Minecraft server goes down for 30 seconds during a node reboot, the kids will survive.</p> <p>TrueNAS, on the other hand, has:</p> <ul> <li>56 CPU threads (Xeon goodness)</li> <li>128GB RAM</li> <li>Plenty of spinning rust for world saves</li> <li>Docker support via the app system</li> </ul> <p>Running Wings on TrueNAS means game servers get dedicated resources without competing with Grafana and Home Assistant for pod scheduling.</p> <h2 id="the-journey">The Journey </h2><h3 id="part-1-panel-deployment">Part 1: Panel Deployment </h3><p>The Panel deployment was straightforward thanks to the <code>bjw-s/app-template</code> chart. The config lives in an ExternalSecret with all the Laravel bits:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># The important environment variables</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">APP_KEY</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ .PTERODACTYL_APP_KEY }}&#34;</span><span class="w"> </span><span class="c"># Laravel encryption key</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">APP_URL</span><span class="p">:</span><span class="w"> </span><span class="l">https://pterodactyl.nerdz.cloud</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">DB_HOST</span><span class="p">:</span><span class="w"> </span><span class="l">mariadb.database.svc.cluster.local</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">REDIS_HOST</span><span class="p">:</span><span class="w"> </span><span class="l">dragonfly.database.svc.cluster.local</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># S3 backups to MinIO</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">APP_BACKUP_DRIVER</span><span class="p">:</span><span class="w"> </span><span class="l">s3</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">AWS_ENDPOINT</span><span class="p">:</span><span class="w"> </span><span class="l">http://citadel.internal:9000</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">AWS_BACKUPS_BUCKET</span><span class="p">:</span><span class="w"> </span><span class="l">gameserver-backups</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>The gotchas I hit:</p> <ol> <li><strong><code>CADDY_APP_URL: &quot;:80&quot;</code></strong> — The container uses Caddy internally, and it needs this set</li> <li><strong><code>TRUSTED_PROXIES</code></strong> — Must be CIDR notation (<code>10.0.0.0/8,172.16.0.0/12,192.168.0.0/16</code>), not <code>*</code></li> <li><strong>Database init scripts</strong> — Only run on first MariaDB deployment, so I had to manually create the database</li> </ol> <h3 id="part-2-dns-and-networking">Part 2: DNS and Networking </h3><p>This is where it got interesting. Game servers need to be reachable from the internet, which means:</p> <ul> <li>A DNS record pointing to my external IP</li> <li>Port forwards through the UniFi gateway</li> <li>SSL certificates for the Wings API</li> </ul> <p>I created <code>play.nerdz.cloud</code> pointing to my external IP (not proxied through Cloudflare — game traffic needs direct access).</p> <p>Port forwards:</p> <table> <thead> <tr> <th>Port</th> <th>Purpose</th> </tr> </thead> <tbody> <tr> <td>8443</td> <td>Wings API (Panel ↔ Wings communication)</td> </tr> <tr> <td>2022</td> <td>SFTP (file uploads)</td> </tr> <tr> <td>25565-25600</td> <td>Game servers (36 allocations)</td> </tr> </tbody> </table> <h3 id="part-3-wings-wont-start--ssl-certificates">Part 3: Wings Won&rsquo;t Start — SSL Certificates </h3><p>First attempt at starting Wings:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">FATAL: failed to configure HTTPS server error=open /etc/letsencrypt/live/play.nerdz.cloud/fullchain.pem: no such file or directory </span></span></code></pre></td></tr></table> </div> </div><p>Wings expects SSL certificates at a specific path. My options were:</p> <ol> <li>Let Wings auto-generate certs via Let&rsquo;s Encrypt (requires port 80 forwarded)</li> <li>Provide my existing wildcard certificate</li> </ol> <p>I went with option 2 — my Kubernetes cluster already has a wildcard cert for <code>*.nerdz.cloud</code> via cert-manager. A quick export and copy later:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Export from Kubernetes</span> </span></span><span class="line"><span class="cl">kubectl get secret envoy-gateway-nerdz-cloud-tls -n network <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -o <span class="nv">jsonpath</span><span class="o">=</span><span class="s1">&#39;{.data.tls\.crt}&#39;</span> <span class="p">|</span> base64 -d &gt; fullchain.pem </span></span><span class="line"><span class="cl">kubectl get secret envoy-gateway-nerdz-cloud-tls -n network <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -o <span class="nv">jsonpath</span><span class="o">=</span><span class="s1">&#39;{.data.tls\.key}&#39;</span> <span class="p">|</span> base64 -d &gt; privkey.pem </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Copy to TrueNAS</span> </span></span><span class="line"><span class="cl">scp fullchain.pem privkey.pem truenas:/mnt/storage0/game-servers/wings/certs/ </span></span></code></pre></td></tr></table> </div> </div><p>Then mount them in docker-compose:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">volumes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;./certs:/etc/letsencrypt/live/play.nerdz.cloud&#34;</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h3 id="part-4-dns-resolution-from-kubernetes">Part 4: DNS Resolution from Kubernetes </h3><p>The Panel needs to talk to Wings at <code>play.nerdz.cloud:8443</code>. When I tried to create a node, the Panel couldn&rsquo;t resolve the hostname. After much head-scratching, I traced it to CoreDNS → node&rsquo;s resolv.conf → systemd-resolved with stale cache.</p> <p>The fix was adding public DNS servers to my Talos nodes:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># kubernetes/bootstrap/talos/patches/global/local-dns.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">machine</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">network</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">nameservers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="m">10.90.254.1</span><span class="w"> </span><span class="c"># UDM Pro</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="m">1.1.1.1</span><span class="w"> </span><span class="c"># Cloudflare</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="m">8.8.8.8</span><span class="w"> </span><span class="c"># Google</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>Applied via <code>talosctl patch mc</code> to each node — no reboot required since it&rsquo;s a network config change.</p> <h3 id="part-5-the-tmp-mount-gotcha">Part 5: The /tmp Mount Gotcha </h3><p>With Wings running and the node connected, I created my first Minecraft server. The Panel showed &ldquo;Installing&rdquo;&hellip; and then nothing. Checking the Wings logs:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">ERROR: failed to run install process for server error=Error response from daemon: </span></span><span class="line"><span class="cl">invalid mount config for type &#34;bind&#34;: bind source path does not exist: </span></span><span class="line"><span class="cl">/tmp/pterodactyl/407c6b7d-cc34-4d31-a4e3-fa0e51265aa7 </span></span></code></pre></td></tr></table> </div> </div><p>This one took a while to figure out. Wings creates install scripts in <code>/tmp/pterodactyl/</code>, then spawns a container to run them. The problem? My docker-compose had:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">volumes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;./tmp:/tmp/pterodactyl/&#34;</span><span class="w"> </span><span class="c"># WRONG</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>This creates the path <em>inside</em> the Wings container, but when Wings spawns the install container, Docker looks for <code>/tmp/pterodactyl</code> on the <strong>host</strong> filesystem. The paths need to match:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">volumes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;/tmp/pterodactyl:/tmp/pterodactyl&#34;</span><span class="w"> </span><span class="c"># RIGHT - same path on host and container</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>Create the directory and restart Wings:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo mkdir -p /tmp/pterodactyl </span></span><span class="line"><span class="cl">sudo docker compose down <span class="o">&amp;&amp;</span> sudo docker compose up -d </span></span></code></pre></td></tr></table> </div> </div><h3 id="part-6-eula-and-first-boot">Part 6: EULA and First Boot </h3><p>With the mount fixed, the Minecraft Forge server installed successfully. Started it up and&hellip; immediately exited with code 0. The logs showed:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">You need to agree to the EULA in order to run the server. Go to eula.txt for more info. </span></span></code></pre></td></tr></table> </div> </div><p>Classic Minecraft. In Pterodactyl&rsquo;s client view (not admin), go to <strong>Files</strong>, open <code>eula.txt</code>, change <code>eula=false</code> to <code>eula=true</code>, save, and start again.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">[Server thread/INFO] [minecraft/DedicatedServer]: Done (8.248s)! For help, type &#34;help&#34; </span></span><span class="line"><span class="cl">Server marked as running... </span></span></code></pre></td></tr></table> </div> </div><h3 id="part-7-testing-external-access">Part 7: Testing External Access </h3><p>The moment of truth. Connected from within my LAN first — worked. But that could just be hairpin NAT through the UDM.</p> <p>Switched my phone to mobile data, opened Minecraft, added server <code>play.nerdz.cloud:25565</code>&hellip; and I was in. External access confirmed.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">[User Authenticator #1/INFO]: UUID of player NZVengeance is 525f1ee0-b0cc-4e07-88d8-4d77ffe25e85 </span></span><span class="line"><span class="cl">[Server thread/INFO]: NZVengeance joined the game </span></span></code></pre></td></tr></table> </div> </div><h2 id="importing-more-game-eggs">Importing More Game Eggs </h2><p>With the infrastructure working, I wanted more than just Minecraft. Pterodactyl uses &ldquo;eggs&rdquo; — JSON templates that define how to install and run different game servers.</p> <p>The community maintains hundreds of eggs at <a class="link" href="https://github.com/pelican-eggs" target="_blank" rel="noopener" >pelican-eggs</a>:</p> <table> <thead> <tr> <th>Repository</th> <th>Contents</th> </tr> </thead> <tbody> <tr> <td><a class="link" href="https://github.com/pelican-eggs/games-steamcmd" target="_blank" rel="noopener" >games-steamcmd</a></td> <td>150+ Steam games</td> </tr> <tr> <td><a class="link" href="https://github.com/pelican-eggs/minecraft" target="_blank" rel="noopener" >minecraft</a></td> <td>All Minecraft variants</td> </tr> <tr> <td><a class="link" href="https://github.com/pelican-eggs/games-standalone" target="_blank" rel="noopener" >games-standalone</a></td> <td>Non-Steam games</td> </tr> </tbody> </table> <p>Importing is straightforward: download the JSON, go to Admin → Nests → Import Egg. I added:</p> <ul> <li>Satisfactory</li> <li>Valheim</li> <li>Palworld</li> <li>ARK Survival Ascended</li> <li>Core Keeper</li> <li>Enshrouded</li> <li>Conan Exiles</li> <li>Icarus</li> <li>CurseForge (for modpack servers)</li> <li>Factorio</li> </ul> <p>Each game has different port requirements, so I&rsquo;ll need to add more allocations and port forwards as I spin up servers.</p> <h2 id="the-final-architecture">The Final Architecture </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl"> Internet </span></span><span class="line"><span class="cl"> │ </span></span><span class="line"><span class="cl"> ▼ </span></span><span class="line"><span class="cl"> ┌─────────────────┐ </span></span><span class="line"><span class="cl"> │ UniFi Gateway │ </span></span><span class="line"><span class="cl"> │ Port Forward │ </span></span><span class="line"><span class="cl"> └────────┬────────┘ </span></span><span class="line"><span class="cl"> │ </span></span><span class="line"><span class="cl"> ┌──────────────────────────┼──────────────────────────┐ </span></span><span class="line"><span class="cl"> │ │ │ </span></span><span class="line"><span class="cl"> ▼ ▼ ▼ </span></span><span class="line"><span class="cl"> ┌───────────────┐ ┌───────────────┐ ┌───────────────┐ </span></span><span class="line"><span class="cl"> │ Pterodactyl │ │ Wings │ │ Game Servers │ </span></span><span class="line"><span class="cl"> │ Panel │◄───────►│ (TrueNAS) │◄───────►│ (Docker) │ </span></span><span class="line"><span class="cl"> │ (Kubernetes) │ │ Port 8443 │ │ Ports 25565+ │ </span></span><span class="line"><span class="cl"> └───────┬───────┘ └───────────────┘ └───────────────┘ </span></span><span class="line"><span class="cl"> │ </span></span><span class="line"><span class="cl"> ┌───────┴───────┐ </span></span><span class="line"><span class="cl"> │ │ </span></span><span class="line"><span class="cl"> ▼ ▼ </span></span><span class="line"><span class="cl">┌────────┐ ┌──────────┐ </span></span><span class="line"><span class="cl">│MariaDB │ │Dragonfly │ </span></span><span class="line"><span class="cl">│ (DB) │ │ (Cache) │ </span></span><span class="line"><span class="cl">└────────┘ └──────────┘ </span></span></code></pre></td></tr></table> </div> </div><h2 id="lessons-learned">Lessons Learned </h2><ol> <li> <p><strong>Wings needs SSL</strong> — Even for internal communication, Wings expects HTTPS. Either provide certs or disable SSL (not recommended).</p> </li> <li> <p><strong>Volume mounts must match</strong> — When Wings spawns containers, bind mounts use host paths. If your docker-compose uses relative paths inside the container, the spawned containers won&rsquo;t find them.</p> </li> <li> <p><strong>Docker on TrueNAS works well</strong> — The <code>network_mode: host</code> requirement for Wings is handled fine, and having the volumes on ZFS gives me snapshot capabilities for free.</p> </li> <li> <p><strong>DNS is always the problem</strong> — When in doubt, add more upstream DNS servers. Kubernetes pods relying on node DNS resolution is a foot-gun.</p> </li> <li> <p><strong>Wildcard certs are worth it</strong> — Having <code>*.nerdz.cloud</code> available meant I could just export and use it rather than setting up another Let&rsquo;s Encrypt flow.</p> </li> <li> <p><strong>Split the control plane from the data plane</strong> — Panel in Kubernetes (HA, GitOps), Wings on TrueNAS (storage, compute). Best of both worlds.</p> </li> <li> <p><strong>Read the logs</strong> — Both Pterodactyl and Wings have excellent logging. Every problem I hit was clearly explained in the logs once I actually looked.</p> </li> </ol> <h2 id="whats-next">What&rsquo;s Next </h2><ul> <li><strong>Backup schedules</strong> — Configure automatic backups to the MinIO bucket</li> <li><strong>User management</strong> — Create accounts so the kids can manage their own servers</li> <li><strong>More port forwards</strong> — Different games need different ports (Valheim wants 2456-2457, Satisfactory wants 7777, etc.)</li> <li><strong>Monitoring</strong> — Add Prometheus metrics for game server health</li> </ul> <hr> <h2 id="resources">Resources </h2><ul> <li><a class="link" href="https://pterodactyl.io/project/introduction.html" target="_blank" rel="noopener" >Pterodactyl Documentation</a></li> <li><a class="link" href="https://pterodactyl.io/wings/1.0/installing.html#docker" target="_blank" rel="noopener" >Wings Docker Setup</a></li> <li><a class="link" href="https://github.com/pelican-eggs" target="_blank" rel="noopener" >Pelican Eggs Repository</a></li> <li><a class="link" href="https://github.com/gavinmcfall/home-ops" target="_blank" rel="noopener" >My home-ops repo</a> — Full GitOps setup including Pterodactyl manifests</li> </ul> https://blog.nerdz.cloud/2025/cephfs-sparse-file-corruption/ Mon, 22 Dec 2025 00:00:00 +1300 https://blog.nerdz.cloud/2025/cephfs-sparse-file-corruption/ <blockquote> <p>&ldquo;Your backups are only as good as your last successful restore.&rdquo;</p> </blockquote> <h2 id="the-discovery">The Discovery </h2><p>It started with qbittorrent refusing to authenticate. After the Ceph Reef to Tentacle upgrade, several apps needed restoring from backups. Routine stuff—trigger the VolSync ReplicationDestination, wait for completion, scale up the app.</p> <p>Except the restored data was garbage.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ kubectl <span class="nb">exec</span> -n downloads deploy/qbittorrent -c app -- cat /config/qBittorrent/qBittorrent.conf </span></span><span class="line"><span class="cl"><span class="o">[</span>Preferences<span class="o">]</span> </span></span><span class="line"><span class="cl">WebUI<span class="se">\U</span>sername<span class="o">=</span>^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@... </span></span></code></pre></td></tr></table> </div> </div><p>That&rsquo;s not a username. That&rsquo;s null bytes. The entire config file was zeroed out—the file existed, had the right size, but contained nothing but <code>0x00</code> characters.</p> <h2 id="the-pattern-emerges">The Pattern Emerges </h2><p>Checking other apps revealed the same problem:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Sabnzbd - entire config gone</span> </span></span><span class="line"><span class="cl">$ kubectl <span class="nb">exec</span> -n downloads deploy/sabnzbd -- ls -la /config/ </span></span><span class="line"><span class="cl">total <span class="m">4</span> </span></span><span class="line"><span class="cl">drwxr-xr-x <span class="m">3</span> apps apps <span class="m">22</span> Dec <span class="m">22</span> 10:15 . </span></span><span class="line"><span class="cl">drwxr-xr-x <span class="m">1</span> root root <span class="m">4096</span> Dec <span class="m">22</span> 10:15 .. </span></span><span class="line"><span class="cl">drwx------ <span class="m">2</span> apps apps <span class="m">6</span> Dec <span class="m">22</span> 10:15 lost+found </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Radarr - config.xml zeroed</span> </span></span><span class="line"><span class="cl">$ kubectl <span class="nb">exec</span> -n downloads deploy/radarr -- head -c <span class="m">50</span> /config/config.xml <span class="p">|</span> xxd </span></span><span class="line"><span class="cl">00000000: <span class="m">0000</span> <span class="m">0000</span> <span class="m">0000</span> <span class="m">0000</span> <span class="m">0000</span> <span class="m">0000</span> <span class="m">0000</span> <span class="m">0000</span> ................ </span></span><span class="line"><span class="cl">00000010: <span class="m">0000</span> <span class="m">0000</span> <span class="m">0000</span> <span class="m">0000</span> <span class="m">0000</span> <span class="m">0000</span> <span class="m">0000</span> <span class="m">0000</span> ................ </span></span></code></pre></td></tr></table> </div> </div><p>The common factor: all these PVCs were on <code>ceph-filesystem</code> storage class and had been restored via VolSync.</p> <h2 id="understanding-the-bug">Understanding the Bug </h2><p>CephFS handles sparse files differently than traditional filesystems. A sparse file is one where regions of null bytes aren&rsquo;t actually stored on disk—they&rsquo;re just metadata saying &ldquo;this region is empty.&rdquo;</p> <p>The problem: when VolSync&rsquo;s Kopia mover restores files to CephFS, something in the sparse file handling chain goes wrong. Files that should contain data get their content replaced with null bytes, while maintaining their original size and metadata.</p> <p>This isn&rsquo;t a VolSync bug or a Kopia bug. It&rsquo;s a quirk of how CephFS handles certain write patterns during restore operations. The same restore to <code>ceph-block</code> storage works perfectly.</p> <h2 id="the-damage-assessment">The Damage Assessment </h2><p>After checking all apps that used <code>ceph-filesystem</code> with VolSync backups:</p> <table> <thead> <tr> <th>App</th> <th>Status</th> <th>Impact</th> </tr> </thead> <tbody> <tr> <td>qbittorrent</td> <td>Config zeroed</td> <td>Lost WebUI credentials, port settings</td> </tr> <tr> <td>sabnzbd</td> <td>Empty directory</td> <td>Lost entire config, server settings</td> </tr> <tr> <td>sonarr</td> <td>Config zeroed</td> <td>Minimal (uses PostgreSQL for data)</td> </tr> <tr> <td>sonarr-uhd</td> <td>Config zeroed</td> <td>Minimal (uses PostgreSQL for data)</td> </tr> <tr> <td>sonarr-foreign</td> <td>Config zeroed</td> <td>Minimal (uses PostgreSQL for data)</td> </tr> <tr> <td>radarr</td> <td>Config zeroed</td> <td>Minimal (uses PostgreSQL for data)</td> </tr> <tr> <td>radarr-uhd</td> <td>Config zeroed</td> <td>Minimal (uses PostgreSQL for data)</td> </tr> <tr> <td>filebrowser</td> <td>Config zeroed</td> <td>Lost user settings</td> </tr> </tbody> </table> <p>The sonarr and radarr instances were lucky—they store actual data in PostgreSQL, so the zeroed <code>config.xml</code> only meant losing some network settings. But qbittorrent and sabnzbd were serious losses.</p> <h2 id="recovery-strategy">Recovery Strategy </h2><p>The immediate fix was obvious: stop using <code>ceph-filesystem</code> for VolSync-backed PVCs. But first, I needed to recover the data.</p> <h3 id="attempt-1-kopia-snapshots-with-previous-n">Attempt 1: Kopia Snapshots with <code>previous: N</code> </h3><p>Kopia stores multiple snapshots. The <code>previous</code> parameter tells the ReplicationDestination to restore an older snapshot:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">volsync.backube/v1alpha1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ReplicationDestination</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">sabnzbd-test-restore</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">downloads</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">trigger</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">manual</span><span class="p">:</span><span class="w"> </span><span class="l">test-restore-1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kopia</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">repository</span><span class="p">:</span><span class="w"> </span><span class="l">sabnzbd-volsync-secret</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">destinationPVC</span><span class="p">:</span><span class="w"> </span><span class="l">sabnzbd-test</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">copyMethod</span><span class="p">:</span><span class="w"> </span><span class="l">Snapshot</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">snapshotClassName</span><span class="p">:</span><span class="w"> </span><span class="l">csi-ceph-block</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">storageClassName</span><span class="p">:</span><span class="w"> </span><span class="l">ceph-block </span><span class="w"> </span><span class="c"># Not ceph-filesystem!</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">previous</span><span class="p">:</span><span class="w"> </span><span class="m">3</span><span class="w"> </span><span class="c"># Go back 3 snapshots</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>I tried <code>previous: 3</code>, <code>previous: 7</code>, <code>previous: 10</code>, even <code>previous: 13</code>. Every single snapshot was empty.</p> <p>The CephFS corruption happened <em>before</em> the Kopia migration. All Kopia snapshots were backing up already-corrupted data.</p> <h3 id="attempt-2-kopia-with-restoreasof">Attempt 2: Kopia with <code>restoreAsOf</code> </h3><p>Maybe the corruption was more recent? Kopia&rsquo;s <code>restoreAsOf</code> parameter restores from the most recent snapshot before a given timestamp:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kopia</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">restoreAsOf</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;2025-12-10T23:59:59Z&#34;</span><span class="w"> </span><span class="c"># Day before Kopia migration</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>Same result. Empty. The corruption predated any Kopia backup.</p> <h3 id="attempt-3-old-restic-backups">Attempt 3: Old Restic Backups </h3><p>Before migrating to Kopia on December 11th, I had Restic backups going to Backblaze B2. Those old backups might still have good data.</p> <p>The Restic backup bucket (<code>nerdz-volsync</code>) was separate from the Kopia bucket (<code>nerdz-volsync-kopia</code>). I still had the credentials in 1Password.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">volsync.backube/v1alpha1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ReplicationDestination</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">sabnzbd-restic-restore</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">downloads</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">trigger</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">manual</span><span class="p">:</span><span class="w"> </span><span class="l">restic-restore</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">restic</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">repository</span><span class="p">:</span><span class="w"> </span><span class="l">sabnzbd-volsync-restic-secret</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">destinationPVC</span><span class="p">:</span><span class="w"> </span><span class="l">sabnzbd-test</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">copyMethod</span><span class="p">:</span><span class="w"> </span><span class="l">Direct</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">storageClassName</span><span class="p">:</span><span class="w"> </span><span class="l">ceph-block</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">restoreAsOf</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;2025-12-10T23:59:59Z&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">moverSecurityContext</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">runAsUser</span><span class="p">:</span><span class="w"> </span><span class="m">568</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">runAsGroup</span><span class="p">:</span><span class="w"> </span><span class="m">568</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">fsGroup</span><span class="p">:</span><span class="w"> </span><span class="m">568</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ kubectl <span class="nb">exec</span> debug-pod -- ls -la /mnt/sabnzbd-test/ </span></span><span class="line"><span class="cl">drwxr-xr-x <span class="m">5</span> apps apps <span class="m">101</span> Dec <span class="m">10</span> 03:15 . </span></span><span class="line"><span class="cl">-rw-r--r-- <span class="m">1</span> apps apps <span class="m">8234</span> Dec <span class="m">10</span> 03:15 sabnzbd.ini </span></span><span class="line"><span class="cl">drwxr-xr-x <span class="m">2</span> apps apps <span class="m">45</span> Dec <span class="m">9</span> 12:30 admin </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ kubectl <span class="nb">exec</span> debug-pod -- grep -A2 <span class="s2">&#34;\[servers\]&#34;</span> /mnt/sabnzbd-test/sabnzbd.ini </span></span><span class="line"><span class="cl"><span class="o">[</span>servers<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="o">[[</span>Frugal EU<span class="o">]]</span> </span></span><span class="line"><span class="cl"><span class="nv">host</span> <span class="o">=</span> reader.frugalusenet.com </span></span></code></pre></td></tr></table> </div> </div><p>Success! The December 10th Restic backup had the full config with all my Usenet server settings.</p> <h2 id="the-recovery-process">The Recovery Process </h2><h3 id="step-1-create-the-restic-restore-component">Step 1: Create the Restic Restore Component </h3><p>I created a one-time-use component specifically for Restic restores:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># kubernetes/components/volsync-restic-restore/replicationdestination.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">volsync.backube/v1alpha1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ReplicationDestination</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;${APP}-restic-dst&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">trigger</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">manual</span><span class="p">:</span><span class="w"> </span><span class="l">restore-once</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">restic</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">repository</span><span class="p">:</span><span class="w"> </span><span class="l">${APP}-volsync-restic-secret</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">destinationPVC</span><span class="p">:</span><span class="w"> </span><span class="l">${APP}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">copyMethod</span><span class="p">:</span><span class="w"> </span><span class="l">Direct</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">storageClassName</span><span class="p">:</span><span class="w"> </span><span class="l">${VOLSYNC_STORAGECLASS:=ceph-block}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">restoreAsOf</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;${RESTIC_RESTORE_AS_OF:=2025-12-10T23:59:59Z}&#34;</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h3 id="step-2-migrate-each-app-to-ceph-block">Step 2: Migrate Each App to ceph-block </h3><p>For each affected app:</p> <ol> <li>Scale down the deployment</li> <li>Delete the corrupted PVC</li> <li>Create new PVC on <code>ceph-block</code></li> <li>Restore from Restic backup</li> <li>Update ks.yaml to use <code>ceph-block</code> going forward</li> <li>Scale up and verify</li> </ol> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Example for sabnzbd</span> </span></span><span class="line"><span class="cl">flux <span class="nb">suspend</span> kustomization sabnzbd -n downloads </span></span><span class="line"><span class="cl">kubectl scale deploy sabnzbd -n downloads --replicas<span class="o">=</span><span class="m">0</span> </span></span><span class="line"><span class="cl">kubectl delete pvc sabnzbd -n downloads </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Apply the restic restore component</span> </span></span><span class="line"><span class="cl"><span class="c1"># Wait for ReplicationDestination to complete</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">flux resume kustomization sabnzbd -n downloads </span></span></code></pre></td></tr></table> </div> </div><h3 id="step-3-verify-and-create-fresh-backups">Step 3: Verify and Create Fresh Backups </h3><p>After confirming each app had valid data, I triggered fresh backups to all three destinations:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># NFS backup</span> </span></span><span class="line"><span class="cl">kubectl patch replicationsource sabnzbd -n downloads --type<span class="o">=</span>merge <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -p <span class="s1">&#39;{&#34;spec&#34;:{&#34;trigger&#34;:{&#34;manual&#34;:&#34;fresh-backup-nfs&#34;}}}&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Backblaze B2 backup</span> </span></span><span class="line"><span class="cl">kubectl patch replicationsource sabnzbd-b2 -n downloads --type<span class="o">=</span>merge <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -p <span class="s1">&#39;{&#34;spec&#34;:{&#34;trigger&#34;:{&#34;manual&#34;:&#34;fresh-backup-b2&#34;}}}&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Cloudflare R2 backup</span> </span></span><span class="line"><span class="cl">kubectl patch replicationsource sabnzbd-r2 -n downloads --type<span class="o">=</span>merge <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -p <span class="s1">&#39;{&#34;spec&#34;:{&#34;trigger&#34;:{&#34;manual&#34;:&#34;fresh-backup-r2&#34;}}}&#39;</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="the-flux-alert-spam">The Flux Alert Spam </h2><p>After fixing all the apps, I got bombarded with Flux alerts:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-gdscript3" data-lang="gdscript3"><span class="line"><span class="cl"><span class="n">PersistentVolumeClaim</span><span class="o">/</span><span class="n">downloads</span><span class="o">/</span><span class="n">sonarr</span><span class="o">-</span><span class="n">foreign</span> <span class="n">dry</span><span class="o">-</span><span class="n">run</span> <span class="n">failed</span> <span class="p">(</span><span class="n">Invalid</span><span class="p">):</span> </span></span><span class="line"><span class="cl"><span class="n">PersistentVolumeClaim</span> <span class="s1">&#39;sonarr-foreign&#39;</span> <span class="n">is</span> <span class="n">invalid</span><span class="p">:</span> <span class="n">spec</span><span class="p">:</span> <span class="n">Forbidden</span><span class="p">:</span> <span class="n">spec</span> <span class="n">is</span> <span class="n">immutable</span> </span></span></code></pre></td></tr></table> </div> </div><p>The volsync component&rsquo;s PVC template includes a <code>dataSourceRef</code> pointing to the ReplicationDestination. For existing PVCs, this causes a conflict—you can&rsquo;t add a dataSourceRef after creation.</p> <p>The fix was adding the <code>IfNotPresent</code> SSA label to the PVC template:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># kubernetes/components/volsync/nfs-truenas/pvc.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">PersistentVolumeClaim</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">${APP}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">labels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kustomize.toolkit.fluxcd.io/ssa</span><span class="p">:</span><span class="w"> </span><span class="l">IfNotPresent </span><span class="w"> </span><span class="c"># Don&#39;t update if exists</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">dataSourceRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ReplicationDestination</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">apiGroup</span><span class="p">:</span><span class="w"> </span><span class="l">volsync.backube</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">${APP}-dst</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>This tells Flux: &ldquo;Create this PVC if it doesn&rsquo;t exist, but don&rsquo;t try to update existing ones.&rdquo;</p> <h2 id="lessons-learned">Lessons Learned </h2><table> <thead> <tr> <th>Assumption</th> <th>Reality</th> </tr> </thead> <tbody> <tr> <td>CephFS works fine for all workloads</td> <td>Sparse file handling during restores can corrupt data</td> </tr> <tr> <td>Kopia backups are good if they complete</td> <td>They can back up already-corrupted data perfectly</td> </tr> <tr> <td><code>previous: N</code> is a time machine</td> <td>Only if the data was good when backed up</td> </tr> <tr> <td>Old backup systems can be deleted after migration</td> <td>Keep them until you&rsquo;ve verified restores work</td> </tr> <tr> <td>All my apps use PostgreSQL for data</td> <td>qbittorrent and sabnzbd use local config files</td> </tr> </tbody> </table> <h3 id="the-3-2-1-1-backup-strategy">The 3-2-1-1 Backup Strategy </h3><p>After this incident, I&rsquo;ve upgraded from 3-2-1 to 3-2-1-1:</p> <ul> <li><strong>3</strong> copies of data</li> <li><strong>2</strong> different storage types</li> <li><strong>1</strong> offsite copy</li> <li><strong>1</strong> air-gapped or delayed-deletion copy</li> </ul> <p>The old Restic backups in B2 were essentially an air-gapped backup—I hadn&rsquo;t deleted them after the Kopia migration. That laziness saved my data.</p> <h3 id="storage-class-selection">Storage Class Selection </h3><p>Going forward, all VolSync-backed PVCs use <code>ceph-block</code>:</p> <table> <thead> <tr> <th>Use Case</th> <th>Storage Class</th> </tr> </thead> <tbody> <tr> <td>App config/data backed by VolSync</td> <td><code>ceph-block</code></td> </tr> <tr> <td>Shared working storage (media processing)</td> <td><code>ceph-filesystem</code></td> </tr> <tr> <td>Databases (backed by pgBackRest)</td> <td><code>ceph-block</code></td> </tr> <tr> <td>Temporary/cache data</td> <td><code>openebs-hostpath</code></td> </tr> </tbody> </table> <p>CephFS is still useful for ReadWriteMany workloads where multiple pods need access to the same files. Just don&rsquo;t use it for data that needs to survive restore operations.</p> <h3 id="update-2025-12-23-csi-read-affinity">Update 2025-12-23: CSI Read Affinity </h3><p>After discussing this issue with the <a class="link" href="https://github.com/home-operations" target="_blank" rel="noopener" >home-operations</a> community, I discovered another contributing factor: <strong>CSI Read Affinity</strong>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># kubernetes/apps/rook-ceph/rook-ceph/cluster/helmrelease.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">cephClusterSpec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">csi</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">readAffinity</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="c"># THIS CAUSES PROBLEMS</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>This setting makes the Ceph CSI driver prefer reading from OSDs on the same node as the pod. While this sounds like a performance optimization, it can cause data consistency issues with CephFS—particularly with sparse file handling during restore operations.</p> <p><strong>The fix</strong>: Disable it.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">csi</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">readAffinity</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>If you&rsquo;re experiencing CephFS data corruption, check this setting first.</p> <h2 id="quick-reference">Quick Reference </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Check for sparse file corruption</span> </span></span><span class="line"><span class="cl">kubectl <span class="nb">exec</span> -n &lt;namespace&gt; deploy/&lt;app&gt; -- od -c /config/config.xml <span class="p">|</span> head -5 </span></span><span class="line"><span class="cl"><span class="c1"># If you see &#34;0000000 \0 \0 \0 \0...&#34; - it&#39;s zeroed</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Restore from old Restic backup</span> </span></span><span class="line"><span class="cl"><span class="c1"># 1. Create secret with old Restic credentials</span> </span></span><span class="line"><span class="cl">kubectl create secret generic <span class="si">${</span><span class="nv">APP</span><span class="si">}</span>-volsync-restic-secret <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> --from-literal<span class="o">=</span><span class="nv">RESTIC_REPOSITORY</span><span class="o">=</span>s3:s3.us-east-005.backblazeb2.com/nerdz-volsync/<span class="si">${</span><span class="nv">APP</span><span class="si">}</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> --from-literal<span class="o">=</span><span class="nv">RESTIC_PASSWORD</span><span class="o">=</span>&lt;password&gt; <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> --from-literal<span class="o">=</span><span class="nv">AWS_ACCESS_KEY_ID</span><span class="o">=</span>&lt;key&gt; <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> --from-literal<span class="o">=</span><span class="nv">AWS_SECRET_ACCESS_KEY</span><span class="o">=</span>&lt;secret&gt; <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -n &lt;namespace&gt; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 2. Create ReplicationDestination with restoreAsOf</span> </span></span><span class="line"><span class="cl"><span class="c1"># 3. Trigger restore with: kubectl patch ... manual: restore-now</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Force fresh backup to all destinations</span> </span></span><span class="line"><span class="cl"><span class="k">for</span> suffix in <span class="s2">&#34;&#34;</span> <span class="s2">&#34;-b2&#34;</span> <span class="s2">&#34;-r2&#34;</span><span class="p">;</span> <span class="k">do</span> </span></span><span class="line"><span class="cl"> kubectl patch replicationsource <span class="si">${</span><span class="nv">APP</span><span class="si">}${</span><span class="nv">suffix</span><span class="si">}</span> -n &lt;namespace&gt; --type<span class="o">=</span>merge <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -p <span class="s1">&#39;{&#34;spec&#34;:{&#34;trigger&#34;:{&#34;manual&#34;:&#34;fresh-&#39;</span><span class="k">$(</span>date +%s<span class="k">)</span><span class="s1">&#39;&#34;}}}&#39;</span> </span></span><span class="line"><span class="cl"><span class="k">done</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Check backup status</span> </span></span><span class="line"><span class="cl">kubectl get replicationsource -n &lt;namespace&gt; </span></span></code></pre></td></tr></table> </div> </div><h2 id="final-thoughts">Final Thoughts </h2><p>Data corruption is insidious. The files looked normal—right names, right sizes, right permissions. Only the content was wrong. Without actually reading the files, there was no indication anything was broken.</p> <p>This is why backup verification matters. Not &ldquo;did the backup job complete successfully,&rdquo; but &ldquo;can I actually restore and use the data.&rdquo; I&rsquo;ve added a monthly calendar reminder to do test restores.</p> <p>The silver lining: this forced me to audit all my apps and migrate everything to consistent storage classes. The cluster is more robust now than before the incident.</p> <hr> <p><em>This post documents the recovery from my <a class="link" href="https://github.com/gavinmcfall/home-ops" target="_blank" rel="noopener" >home-ops</a> cluster. The original VolSync Kopia migration is documented in my <a class="link" href="https://blog.nerdz.cloud/2025/volsync-kopia-migration/" >previous post</a>.</em></p> https://blog.nerdz.cloud/2025/ceph-reef-to-tentacle-upgrade/ Sat, 20 Dec 2025 00:00:00 +1300 https://blog.nerdz.cloud/2025/ceph-reef-to-tentacle-upgrade/ <blockquote> <p>&ldquo;You can&rsquo;t skip Ceph versions. But you can be wrong about Rook constraints.&rdquo;</p> </blockquote> <h2 id="the-situation">The Situation </h2><p>Reef (v18) end-of-life is August 2025. Tentacle (v20) shipped in November 2025. Time to upgrade.</p> <p>I initially wrote a combined &ldquo;Reef to Tentacle&rdquo; upgrade guide, planning to do both hops in sequence. Then I read the Rook compatibility matrix and concluded I needed to wait for Rook v1.19 to get Tentacle support.</p> <p><strong>I was wrong.</strong></p> <h2 id="the-rook-constraint-corrected">The Rook Constraint (Corrected) </h2><p>Here&rsquo;s what I originally thought:</p> <table> <thead> <tr> <th>Rook Version</th> <th>Supported Ceph Versions</th> </tr> </thead> <tbody> <tr> <td>v1.17.x</td> <td>Reef only</td> </tr> <tr> <td>v1.18.x</td> <td>Reef + Squid</td> </tr> <tr> <td>v1.19+</td> <td>Squid + Tentacle (drops Reef)</td> </tr> </tbody> </table> <p><strong>The reality:</strong> Rook v1.18.8 added Tentacle support. You don&rsquo;t need to wait for v1.19.</p> <p>From <a class="link" href="https://blog.nuvotex.de/ceph-20-2-0-tentacle-released/" target="_blank" rel="noopener" >this blog post</a>:</p> <blockquote> <p>&ldquo;If you&rsquo;re running Ceph within Kubernetes using Rook Ceph, and you want to use Tentacle without the unsupported flag, you need to update at least to version v1.18.8.&rdquo;</p> </blockquote> <p>So the actual support matrix is:</p> <table> <thead> <tr> <th>Rook Version</th> <th>Supported Ceph Versions</th> </tr> </thead> <tbody> <tr> <td>v1.18.0 - v1.18.7</td> <td>Reef + Squid</td> </tr> <tr> <td>v1.18.8+</td> <td>Reef + Squid + Tentacle</td> </tr> </tbody> </table> <p>The upgrade path still requires going through Squid—you can&rsquo;t skip versions—but you can do both hops on Rook v1.18.8.</p> <h2 id="my-starting-point">My Starting Point </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ kubectl -n rook-ceph <span class="nb">exec</span> deploy/rook-ceph-tools -- ceph version </span></span><span class="line"><span class="cl">ceph version 18.2.7 <span class="o">(</span>2cf3b0098dc3cbb1b6f2e8d8ed9df8c65b6aee53<span class="o">)</span> reef <span class="o">(</span>stable<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ kubectl -n rook-ceph get deploy rook-ceph-operator -o <span class="nv">jsonpath</span><span class="o">=</span><span class="s1">&#39;{.spec.template.spec.containers[0].image}&#39;</span> </span></span><span class="line"><span class="cl">ghcr.io/rook/ceph:v1.18.8 </span></span></code></pre></td></tr></table> </div> </div><p>Reef v18.2.7 on Rook v1.18.8. Good to go for the full journey.</p> <hr> <h2 id="phase-1-reef-to-squid">Phase 1: Reef to Squid </h2><h3 id="step-1-backup-everything">Step 1: Backup Everything </h3><p>Ceph upgrades are one-way. Once you run <code>require-osd-release squid</code>, there&rsquo;s no going back to Reef.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="nv">BACKUP_DIR</span><span class="o">=</span>~/backups/ceph/migration-<span class="k">$(</span>date +%Y%m%d<span class="k">)</span> </span></span><span class="line"><span class="cl">mkdir -p <span class="nv">$BACKUP_DIR</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Cluster state</span> </span></span><span class="line"><span class="cl">kubectl -n rook-ceph <span class="nb">exec</span> deploy/rook-ceph-tools -- ceph status &gt; <span class="nv">$BACKUP_DIR</span>/ceph-status.txt </span></span><span class="line"><span class="cl">kubectl -n rook-ceph <span class="nb">exec</span> deploy/rook-ceph-tools -- ceph osd tree &gt; <span class="nv">$BACKUP_DIR</span>/osd-tree.txt </span></span><span class="line"><span class="cl">kubectl -n rook-ceph <span class="nb">exec</span> deploy/rook-ceph-tools -- ceph osd crush dump &gt; <span class="nv">$BACKUP_DIR</span>/crush-map.json </span></span><span class="line"><span class="cl">kubectl -n rook-ceph <span class="nb">exec</span> deploy/rook-ceph-tools -- ceph config dump &gt; <span class="nv">$BACKUP_DIR</span>/config-dump.txt </span></span><span class="line"><span class="cl">kubectl -n rook-ceph <span class="nb">exec</span> deploy/rook-ceph-tools -- ceph versions &gt; <span class="nv">$BACKUP_DIR</span>/versions.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Kubernetes resources</span> </span></span><span class="line"><span class="cl">kubectl -n rook-ceph get cephcluster -o yaml &gt; <span class="nv">$BACKUP_DIR</span>/cephcluster.yaml </span></span><span class="line"><span class="cl">kubectl get pods -n rook-ceph -o wide &gt; <span class="nv">$BACKUP_DIR</span>/pods.txt </span></span><span class="line"><span class="cl">kubectl get pvc -A <span class="p">|</span> grep -E <span class="s2">&#34;ceph-block|ceph-filesystem&#34;</span> &gt; <span class="nv">$BACKUP_DIR</span>/pvcs.txt </span></span></code></pre></td></tr></table> </div> </div><h3 id="step-2-set-safety-flags">Step 2: Set Safety Flags </h3><p>These prevent Ceph from marking OSDs as &ldquo;out&rdquo; and rebalancing data during the rolling restart:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl -n rook-ceph <span class="nb">exec</span> deploy/rook-ceph-tools -- ceph osd <span class="nb">set</span> noout </span></span><span class="line"><span class="cl">kubectl -n rook-ceph <span class="nb">exec</span> deploy/rook-ceph-tools -- ceph osd <span class="nb">set</span> norebalance </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Verify</span> </span></span><span class="line"><span class="cl">kubectl -n rook-ceph <span class="nb">exec</span> deploy/rook-ceph-tools -- ceph osd dump <span class="p">|</span> grep flags </span></span><span class="line"><span class="cl"><span class="c1"># flags noout,norebalance</span> </span></span></code></pre></td></tr></table> </div> </div><p>Without these flags, Ceph gets nervous when daemons restart and starts shuffling data around. That slows down the upgrade and adds risk.</p> <h3 id="step-3-update-the-helmrelease">Step 3: Update the HelmRelease </h3><p>The actual change is one line:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># kubernetes/apps/rook-ceph/rook-ceph/cluster/helmrelease.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">cephClusterSpec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">cephVersion</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">quay.io/ceph/ceph:v19.2.3-20250717 </span><span class="w"> </span><span class="c"># Was v18.2.7</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">allowUnsupported</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>Note the build-specific tag (<code>v19.2.3-20250717</code>). Don&rsquo;t use just <code>v19.2.3</code>—the build suffix ensures you get a specific, tested image rather than whatever &ldquo;latest v19.2.3&rdquo; happens to be.</p> <h3 id="step-4-deploy-via-gitops">Step 4: Deploy via GitOps </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">git add kubernetes/apps/rook-ceph/rook-ceph/cluster/helmrelease.yaml </span></span><span class="line"><span class="cl">git commit -m <span class="s2">&#34;feat(rook-ceph): upgrade Ceph from Reef v18.2.7 to Squid v19.2.3&#34;</span> </span></span><span class="line"><span class="cl">git push </span></span></code></pre></td></tr></table> </div> </div><p>Flux picks up the change and triggers Rook to start the rolling upgrade.</p> <h3 id="step-5-watch-the-rolling-upgrade">Step 5: Watch the Rolling Upgrade </h3><p>Rook upgrades daemons in a specific order: MON → MGR → MDS → OSD → RGW.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Terminal 1: Watch pods</span> </span></span><span class="line"><span class="cl">kubectl -n rook-ceph get pods -w </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Terminal 2: Watch Ceph status</span> </span></span><span class="line"><span class="cl">watch -n <span class="m">10</span> <span class="s1">&#39;kubectl -n rook-ceph exec deploy/rook-ceph-tools -- ceph -s&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Periodically check versions</span> </span></span><span class="line"><span class="cl">kubectl -n rook-ceph <span class="nb">exec</span> deploy/rook-ceph-tools -- ceph versions </span></span></code></pre></td></tr></table> </div> </div><p>During the upgrade, you&rsquo;ll see brief <code>HEALTH_WARN</code> states as daemons restart. This is normal. Only worry if you see <code>HEALTH_ERR</code> persisting for more than 10 minutes.</p> <p>My 3-node cluster upgraded in about 3 minutes:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-json" data-lang="json"><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;mon&#34;</span><span class="p">:</span> <span class="p">{</span> <span class="nt">&#34;ceph version 19.2.3 (...) squid (stable)&#34;</span><span class="p">:</span> <span class="mi">3</span> <span class="p">},</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;mgr&#34;</span><span class="p">:</span> <span class="p">{</span> <span class="nt">&#34;ceph version 19.2.3 (...) squid (stable)&#34;</span><span class="p">:</span> <span class="mi">2</span> <span class="p">},</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;osd&#34;</span><span class="p">:</span> <span class="p">{</span> <span class="nt">&#34;ceph version 19.2.3 (...) squid (stable)&#34;</span><span class="p">:</span> <span class="mi">3</span> <span class="p">},</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;mds&#34;</span><span class="p">:</span> <span class="p">{</span> <span class="nt">&#34;ceph version 19.2.3 (...) squid (stable)&#34;</span><span class="p">:</span> <span class="mi">2</span> <span class="p">},</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;rgw&#34;</span><span class="p">:</span> <span class="p">{</span> <span class="nt">&#34;ceph version 19.2.3 (...) squid (stable)&#34;</span><span class="p">:</span> <span class="mi">2</span> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="step-6-finalize-the-squid-upgrade">Step 6: Finalize the Squid Upgrade </h3><p>This step is critical. It tells Ceph that all OSDs are now Squid-capable, enabling Squid-specific features:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Check current state</span> </span></span><span class="line"><span class="cl">kubectl -n rook-ceph <span class="nb">exec</span> deploy/rook-ceph-tools -- ceph osd dump <span class="p">|</span> grep require_osd_release </span></span><span class="line"><span class="cl"><span class="c1"># require_osd_release reef</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Set Squid requirement (NO GOING BACK AFTER THIS)</span> </span></span><span class="line"><span class="cl">kubectl -n rook-ceph <span class="nb">exec</span> deploy/rook-ceph-tools -- ceph osd require-osd-release squid </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Verify</span> </span></span><span class="line"><span class="cl">kubectl -n rook-ceph <span class="nb">exec</span> deploy/rook-ceph-tools -- ceph osd dump <span class="p">|</span> grep require_osd_release </span></span><span class="line"><span class="cl"><span class="c1"># require_osd_release squid</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="step-7-unset-safety-flags">Step 7: Unset Safety Flags </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl -n rook-ceph <span class="nb">exec</span> deploy/rook-ceph-tools -- ceph osd <span class="nb">unset</span> noout </span></span><span class="line"><span class="cl">kubectl -n rook-ceph <span class="nb">exec</span> deploy/rook-ceph-tools -- ceph osd <span class="nb">unset</span> norebalance </span></span></code></pre></td></tr></table> </div> </div><h3 id="step-8-verify-health">Step 8: Verify Health </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ kubectl -n rook-ceph <span class="nb">exec</span> deploy/rook-ceph-tools -- ceph health detail </span></span><span class="line"><span class="cl">HEALTH_OK </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ kubectl -n rook-ceph <span class="nb">exec</span> deploy/rook-ceph-tools -- ceph pg stat </span></span><span class="line"><span class="cl"><span class="m">169</span> pgs: <span class="m">169</span> active+clean </span></span></code></pre></td></tr></table> </div> </div><p>Phase 1 complete. Cluster is on Squid and healthy.</p> <hr> <h2 id="phase-2-squid-to-tentacle">Phase 2: Squid to Tentacle </h2><p>After running Squid stably for a while (in my case, a few hours—I was impatient), I proceeded with the Tentacle upgrade.</p> <h3 id="tentacle-breaking-changes">Tentacle Breaking Changes </h3><p>Before upgrading, I checked the <a class="link" href="https://docs.ceph.com/en/latest/releases/tentacle/" target="_blank" rel="noopener" >Tentacle release notes</a> for breaking changes:</p> <table> <thead> <tr> <th>Change</th> <th>Impact on My Cluster</th> </tr> </thead> <tbody> <tr> <td>RGW tenant-level IAM deprecated</td> <td>Not using tenant IAM. No impact.</td> </tr> <tr> <td><code>restful</code> mgr module removed</td> <td>Not using REST API module. No impact.</td> </tr> <tr> <td><code>zabbix</code> mgr module removed</td> <td>Not using Zabbix. No impact.</td> </tr> <tr> <td>Erasure coding default changed to ISA-L</td> <td>Only affects new pools. Existing pools unchanged.</td> </tr> <tr> <td><code>osd_repair_during_recovery</code> option removed</td> <td>Not in my config. No impact.</td> </tr> </tbody> </table> <h3 id="step-1-backup-again">Step 1: Backup Again </h3><p>Same process, new directory:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="nv">BACKUP_DIR</span><span class="o">=</span>~/backups/ceph/squid-to-tentacle-<span class="k">$(</span>date +%Y%m%d<span class="k">)</span> </span></span><span class="line"><span class="cl">mkdir -p <span class="nv">$BACKUP_DIR</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">kubectl -n rook-ceph <span class="nb">exec</span> deploy/rook-ceph-tools -- ceph status &gt; <span class="nv">$BACKUP_DIR</span>/ceph-status.txt </span></span><span class="line"><span class="cl">kubectl -n rook-ceph <span class="nb">exec</span> deploy/rook-ceph-tools -- ceph osd tree &gt; <span class="nv">$BACKUP_DIR</span>/osd-tree.txt </span></span><span class="line"><span class="cl">kubectl -n rook-ceph <span class="nb">exec</span> deploy/rook-ceph-tools -- ceph osd crush dump &gt; <span class="nv">$BACKUP_DIR</span>/crush-map.json </span></span><span class="line"><span class="cl">kubectl -n rook-ceph <span class="nb">exec</span> deploy/rook-ceph-tools -- ceph config dump &gt; <span class="nv">$BACKUP_DIR</span>/config-dump.txt </span></span><span class="line"><span class="cl">kubectl -n rook-ceph <span class="nb">exec</span> deploy/rook-ceph-tools -- ceph versions &gt; <span class="nv">$BACKUP_DIR</span>/versions.txt </span></span><span class="line"><span class="cl">kubectl -n rook-ceph get cephcluster -o yaml &gt; <span class="nv">$BACKUP_DIR</span>/cephcluster.yaml </span></span><span class="line"><span class="cl">kubectl get pods -n rook-ceph -o wide &gt; <span class="nv">$BACKUP_DIR</span>/pods.txt </span></span></code></pre></td></tr></table> </div> </div><h3 id="step-2-set-safety-flags-1">Step 2: Set Safety Flags </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl -n rook-ceph <span class="nb">exec</span> deploy/rook-ceph-tools -- ceph osd <span class="nb">set</span> noout </span></span><span class="line"><span class="cl">kubectl -n rook-ceph <span class="nb">exec</span> deploy/rook-ceph-tools -- ceph osd <span class="nb">set</span> norebalance </span></span></code></pre></td></tr></table> </div> </div><h3 id="step-3-update-helmrelease-to-tentacle">Step 3: Update HelmRelease to Tentacle </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># kubernetes/apps/rook-ceph/rook-ceph/cluster/helmrelease.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">cephClusterSpec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">cephVersion</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">quay.io/ceph/ceph:v20.2.0-20251104 </span><span class="w"> </span><span class="c"># Was v19.2.3-20250717</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">allowUnsupported</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h3 id="step-4-deploy-via-gitops-1">Step 4: Deploy via GitOps </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">git add kubernetes/apps/rook-ceph/rook-ceph/cluster/helmrelease.yaml </span></span><span class="line"><span class="cl">git commit -m <span class="s2">&#34;feat(rook-ceph): upgrade Ceph from Squid v19.2.3 to Tentacle v20.2.0&#34;</span> </span></span><span class="line"><span class="cl">git push </span></span></code></pre></td></tr></table> </div> </div><h3 id="step-5-watch-the-rolling-upgrade-1">Step 5: Watch the Rolling Upgrade </h3><p>Same monitoring as before:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl -n rook-ceph get pods -w </span></span><span class="line"><span class="cl">watch -n <span class="m">10</span> <span class="s1">&#39;kubectl -n rook-ceph exec deploy/rook-ceph-tools -- ceph -s&#39;</span> </span></span><span class="line"><span class="cl">kubectl -n rook-ceph <span class="nb">exec</span> deploy/rook-ceph-tools -- ceph versions </span></span></code></pre></td></tr></table> </div> </div><p>The upgrade took about 3-4 minutes. I watched the versions transition:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">MONs: 2/3 Tentacle... 3/3 Tentacle ✓ </span></span><span class="line"><span class="cl">MGRs: 0/2 Tentacle... 2/2 Tentacle ✓ </span></span><span class="line"><span class="cl">MDS: 0/2 Tentacle... 2/2 Tentacle ✓ </span></span><span class="line"><span class="cl">OSDs: 0/3 Tentacle... 1/3... 2/3... 3/3 Tentacle ✓ </span></span><span class="line"><span class="cl">RGWs: 0/2 Tentacle... 1/2... 2/2 Tentacle ✓ </span></span></code></pre></td></tr></table> </div> </div><p>Final state:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-json" data-lang="json"><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;mon&#34;</span><span class="p">:</span> <span class="p">{</span> <span class="nt">&#34;ceph version 20.2.0 (...) tentacle (stable)&#34;</span><span class="p">:</span> <span class="mi">3</span> <span class="p">},</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;mgr&#34;</span><span class="p">:</span> <span class="p">{</span> <span class="nt">&#34;ceph version 20.2.0 (...) tentacle (stable)&#34;</span><span class="p">:</span> <span class="mi">2</span> <span class="p">},</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;osd&#34;</span><span class="p">:</span> <span class="p">{</span> <span class="nt">&#34;ceph version 20.2.0 (...) tentacle (stable)&#34;</span><span class="p">:</span> <span class="mi">3</span> <span class="p">},</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;mds&#34;</span><span class="p">:</span> <span class="p">{</span> <span class="nt">&#34;ceph version 20.2.0 (...) tentacle (stable)&#34;</span><span class="p">:</span> <span class="mi">2</span> <span class="p">},</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;rgw&#34;</span><span class="p">:</span> <span class="p">{</span> <span class="nt">&#34;ceph version 20.2.0 (...) tentacle (stable)&#34;</span><span class="p">:</span> <span class="mi">2</span> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="step-6-finalize-the-tentacle-upgrade">Step 6: Finalize the Tentacle Upgrade </h3><p>Interestingly, this was already set automatically:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ kubectl -n rook-ceph <span class="nb">exec</span> deploy/rook-ceph-tools -- ceph osd dump <span class="p">|</span> grep require_osd_release </span></span><span class="line"><span class="cl">require_osd_release tentacle </span></span></code></pre></td></tr></table> </div> </div><p>Rook must have set it after detecting all OSDs were on Tentacle. If yours isn&rsquo;t set:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl -n rook-ceph <span class="nb">exec</span> deploy/rook-ceph-tools -- ceph osd require-osd-release tentacle </span></span></code></pre></td></tr></table> </div> </div><h3 id="step-7-unset-safety-flags-1">Step 7: Unset Safety Flags </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl -n rook-ceph <span class="nb">exec</span> deploy/rook-ceph-tools -- ceph osd <span class="nb">unset</span> noout </span></span><span class="line"><span class="cl">kubectl -n rook-ceph <span class="nb">exec</span> deploy/rook-ceph-tools -- ceph osd <span class="nb">unset</span> norebalance </span></span></code></pre></td></tr></table> </div> </div><h3 id="step-8-final-health-check">Step 8: Final Health Check </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ kubectl -n rook-ceph <span class="nb">exec</span> deploy/rook-ceph-tools -- ceph health detail </span></span><span class="line"><span class="cl">HEALTH_OK </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ kubectl -n rook-ceph <span class="nb">exec</span> deploy/rook-ceph-tools -- ceph -s </span></span><span class="line"><span class="cl"> cluster: </span></span><span class="line"><span class="cl"> id: 3b3d504b-96b4-4102-9ce3-c91b6bc2948d </span></span><span class="line"><span class="cl"> health: HEALTH_OK </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> services: </span></span><span class="line"><span class="cl"> mon: <span class="m">3</span> daemons, quorum a,b,c <span class="o">(</span>age 6m<span class="o">)</span> </span></span><span class="line"><span class="cl"> mgr: b<span class="o">(</span>active, since 5m<span class="o">)</span>, standbys: a </span></span><span class="line"><span class="cl"> mds: 1/1 daemons up, <span class="m">1</span> hot standby </span></span><span class="line"><span class="cl"> osd: <span class="m">3</span> osds: <span class="m">3</span> up <span class="o">(</span>since 2m<span class="o">)</span>, <span class="m">3</span> in <span class="o">(</span>since 4w<span class="o">)</span> </span></span><span class="line"><span class="cl"> rgw: <span class="m">2</span> daemons active <span class="o">(</span><span class="m">2</span> hosts, <span class="m">1</span> zones<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> data: </span></span><span class="line"><span class="cl"> volumes: 1/1 healthy </span></span><span class="line"><span class="cl"> pools: <span class="m">12</span> pools, <span class="m">169</span> pgs </span></span><span class="line"><span class="cl"> objects: 55.48k objects, <span class="m">104</span> GiB </span></span><span class="line"><span class="cl"> usage: <span class="m">305</span> GiB used, 4.9 TiB / 5.2 TiB avail </span></span><span class="line"><span class="cl"> pgs: <span class="m">169</span> active+clean </span></span></code></pre></td></tr></table> </div> </div><p>Done. Reef → Squid → Tentacle complete.</p> <hr> <h2 id="what-about-the-toolbox">What About the Toolbox? </h2><p>One thing that caught me off guard during Reef → Squid: the Ceph toolbox doesn&rsquo;t auto-upgrade with the cluster. It&rsquo;s a separate deployment.</p> <p>Turns out Rook does update it automatically now (at least in v1.18.8). But if yours is still on an old version:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl -n rook-ceph <span class="nb">set</span> image deploy/rook-ceph-tools rook-ceph-tools<span class="o">=</span>quay.io/ceph/ceph:v20.2.0-20251104 </span></span></code></pre></td></tr></table> </div> </div><p>Using mismatched toolbox and cluster versions can cause confusing behavior—the CLI tools might not understand newer cluster features.</p> <h2 id="lessons-learned">Lessons Learned </h2><table> <thead> <tr> <th>Assumption</th> <th>Reality</th> </tr> </thead> <tbody> <tr> <td>Can upgrade Reef → Tentacle directly</td> <td>Must go Reef → Squid → Tentacle, one version at a time</td> </tr> <tr> <td>Need Rook v1.19 for Tentacle</td> <td>Rook v1.18.8 already supports Tentacle</td> </tr> <tr> <td>Toolbox auto-upgrades with cluster</td> <td>It does now, but verify anyway</td> </tr> <tr> <td>Generic version tags are fine</td> <td>Use build-specific tags (e.g., <code>v20.2.0-20251104</code>) for reproducibility</td> </tr> <tr> <td><code>require_osd_release</code> needs manual setting</td> <td>Rook set it automatically for Tentacle (but verify)</td> </tr> </tbody> </table> <h2 id="quick-reference">Quick Reference </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Check current versions</span> </span></span><span class="line"><span class="cl">kubectl -n rook-ceph <span class="nb">exec</span> deploy/rook-ceph-tools -- ceph version </span></span><span class="line"><span class="cl">kubectl -n rook-ceph get deploy rook-ceph-operator -o <span class="nv">jsonpath</span><span class="o">=</span><span class="s1">&#39;{.spec.template.spec.containers[0].image}&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Set/unset safety flags</span> </span></span><span class="line"><span class="cl">kubectl -n rook-ceph <span class="nb">exec</span> deploy/rook-ceph-tools -- ceph osd <span class="nb">set</span> noout </span></span><span class="line"><span class="cl">kubectl -n rook-ceph <span class="nb">exec</span> deploy/rook-ceph-tools -- ceph osd <span class="nb">set</span> norebalance </span></span><span class="line"><span class="cl">kubectl -n rook-ceph <span class="nb">exec</span> deploy/rook-ceph-tools -- ceph osd <span class="nb">unset</span> noout </span></span><span class="line"><span class="cl">kubectl -n rook-ceph <span class="nb">exec</span> deploy/rook-ceph-tools -- ceph osd <span class="nb">unset</span> norebalance </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Finalize upgrade (NO UNDO)</span> </span></span><span class="line"><span class="cl">kubectl -n rook-ceph <span class="nb">exec</span> deploy/rook-ceph-tools -- ceph osd require-osd-release tentacle </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Check health</span> </span></span><span class="line"><span class="cl">kubectl -n rook-ceph <span class="nb">exec</span> deploy/rook-ceph-tools -- ceph health detail </span></span><span class="line"><span class="cl">kubectl -n rook-ceph <span class="nb">exec</span> deploy/rook-ceph-tools -- ceph pg stat </span></span></code></pre></td></tr></table> </div> </div><h2 id="references">References </h2><ul> <li><a class="link" href="https://rook.io/docs/rook/latest-release/Upgrade/ceph-upgrade/" target="_blank" rel="noopener" >Rook Ceph Upgrade Guide</a></li> <li><a class="link" href="https://docs.ceph.com/en/latest/releases/squid/" target="_blank" rel="noopener" >Ceph Squid Release Notes</a></li> <li><a class="link" href="https://docs.ceph.com/en/latest/releases/tentacle/" target="_blank" rel="noopener" >Ceph Tentacle Release Notes</a></li> <li><a class="link" href="https://quay.io/repository/ceph/ceph?tab=tags" target="_blank" rel="noopener" >Quay.io Ceph Tags</a></li> <li><a class="link" href="https://blog.nuvotex.de/ceph-20-2-0-tentacle-released/" target="_blank" rel="noopener" >Tentacle + Rook v1.18.8 Blog Post</a></li> </ul> <hr> <p><em>The upgrade guides are in my <a class="link" href="https://github.com/gavinmcfall/home-ops" target="_blank" rel="noopener" >home-ops</a> repository under <code>docs/Guides/Storage/</code>.</em></p> https://blog.nerdz.cloud/2025/cilium-dsr-hairpin-workaround/ Sat, 20 Dec 2025 00:00:00 +1300 https://blog.nerdz.cloud/2025/cilium-dsr-hairpin-workaround/ <blockquote> <p>&ldquo;I thought BGP was supposed to solve this hairpin nonsense I had with L2?&rdquo; — <em>Me, staring at timeout errors</em></p> </blockquote> <h2 id="the-setup">The Setup </h2><p>Last week I <a class="link" href="https://blog.nerdz.cloud/2025/cilium-bgp-migration/" >migrated from Cilium L2 announcements to BGP</a> for LoadBalancer IP advertisement. The migration went smoothly — BGP sessions established, routes advertised, services reachable. I patted myself on the back for solving the hairpin routing issues that plagued L2 announcements.</p> <p>Then <code>qui</code> stopped working.</p> <h2 id="the-symptom">The Symptom </h2><p>The <code>qui</code> pod (a qBittorrent web UI) was failing its startup probe:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">Warning Unhealthy 4s (x14 over 70s) kubelet Startup probe failed: </span></span><span class="line"><span class="cl"> Get &#34;http://10.69.0.144:7476/health&#34;: context deadline exceeded </span></span><span class="line"><span class="cl"> (Client.Timeout exceeded while awaiting headers) </span></span></code></pre></td></tr></table> </div> </div><p>Looking at the pod logs told the real story:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-json" data-lang="json"><span class="line"><span class="cl"><span class="p">{</span><span class="nt">&#34;level&#34;</span><span class="p">:</span><span class="s2">&#34;warn&#34;</span><span class="p">,</span><span class="nt">&#34;error&#34;</span><span class="p">:</span><span class="s2">&#34;Get \&#34;https://id.nerdz.cloud/.well-known/openid-configuration\&#34;: </span></span></span><span class="line"><span class="cl"><span class="s2"> dial tcp 10.99.8.202:443: i/o timeout&#34;</span><span class="p">,</span><span class="nt">&#34;attempt&#34;</span><span class="p">:</span><span class="mi">1</span><span class="p">,</span><span class="nt">&#34;issuer&#34;</span><span class="p">:</span><span class="s2">&#34;https://id.nerdz.cloud&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;message&#34;</span><span class="p">:</span><span class="s2">&#34;failed to initialize OIDC provider candidate&#34;</span><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>The app was timing out trying to reach my OIDC provider at <code>id.nerdz.cloud</code>. The health endpoint wasn&rsquo;t responding because the app was stuck waiting for OIDC initialization.</p> <h2 id="the-investigation">The Investigation </h2><p>My first instinct: test connectivity from the pod.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl <span class="nb">exec</span> -n downloads qui-79cf57dcb-5qss8 -- wget -qO- --timeout<span class="o">=</span><span class="m">5</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> https://id.nerdz.cloud/.well-known/openid-configuration </span></span></code></pre></td></tr></table> </div> </div><p>Timeout.</p> <p>But wait — from a debug pod on a different node:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl run debug --image<span class="o">=</span>busybox --restart<span class="o">=</span>Never -- sleep <span class="m">300</span> </span></span><span class="line"><span class="cl">kubectl <span class="nb">exec</span> debug -- wget -qO- --timeout<span class="o">=</span><span class="m">5</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> https://id.nerdz.cloud/.well-known/openid-configuration </span></span></code></pre></td></tr></table> </div> </div><p>Success. Full JSON response.</p> <p>The pattern emerged: pods on <code>stanton-01</code> couldn&rsquo;t reach <code>10.99.8.202</code> (the LoadBalancer VIP for my internal gateway), but pods on <code>stanton-02</code> and <code>stanton-03</code> could.</p> <p>What was special about <code>stanton-01</code>? Let&rsquo;s check:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl get pods -n network -l gateway.envoyproxy.io/owning-gateway-name<span class="o">=</span>internal -o wide </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">NAME NODE </span></span><span class="line"><span class="cl">envoy-network-internal-f0b82637-c98c4cbd8-c8mjh stanton-01 </span></span></code></pre></td></tr></table> </div> </div><p>The envoy-internal pod — the backend for <code>10.99.8.202</code> — was running on <code>stanton-01</code>. Same node as the failing <code>qui</code> pod.</p> <h2 id="the-root-cause-dsr-and-same-node-hairpin">The Root Cause: DSR and Same-Node Hairpin </h2><p>Cilium&rsquo;s DSR (Direct Server Return) mode is great for external traffic:</p> <ol> <li>Client sends packet to LoadBalancer VIP</li> <li>Router (UDM Pro) forwards to a cluster node via BGP</li> <li>Cilium DNATs to the backend pod</li> <li>Backend sends response <strong>directly</strong> back to client (skipping the load balancer)</li> </ol> <p>This preserves client IPs and reduces latency. But it breaks when the source and destination are on the same node.</p> <p>Here&rsquo;s what happens when a pod on <code>stanton-01</code> tries to reach <code>10.99.8.202</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">qui pod (stanton-01) </span></span><span class="line"><span class="cl"> │ </span></span><span class="line"><span class="cl"> │ 1. Send packet to 10.99.8.202 </span></span><span class="line"><span class="cl"> ▼ </span></span><span class="line"><span class="cl">Cilium BPF (stanton-01) </span></span><span class="line"><span class="cl"> │ </span></span><span class="line"><span class="cl"> │ 2. &#34;10.99.8.202 is an ExternalIP, not in my routing table&#34; </span></span><span class="line"><span class="cl"> │ Route to default gateway (UDM Pro) </span></span><span class="line"><span class="cl"> ▼ </span></span><span class="line"><span class="cl">UDM Pro </span></span><span class="line"><span class="cl"> │ </span></span><span class="line"><span class="cl"> │ 3. BGP route says 10.99.8.202 → stanton-01 </span></span><span class="line"><span class="cl"> │ Send back to stanton-01 </span></span><span class="line"><span class="cl"> ▼ </span></span><span class="line"><span class="cl">??? </span></span><span class="line"><span class="cl"> │ </span></span><span class="line"><span class="cl"> │ 4. Packet bounces or gets dropped </span></span><span class="line"><span class="cl"> ▼ </span></span><span class="line"><span class="cl">Timeout </span></span></code></pre></td></tr></table> </div> </div><p>The problem is that Cilium&rsquo;s DSR mode doesn&rsquo;t intercept traffic to LoadBalancer VIPs from pods — it&rsquo;s designed for external traffic entering the cluster. The packet goes out to the router, the router sends it back, and something breaks in the return path.</p> <p>This is <a class="link" href="https://github.com/cilium/cilium/issues/39198" target="_blank" rel="noopener" >a known Cilium limitation</a>. The GitHub issue title says it all: &ldquo;Pods are not able to reach Cilium-managed LoadBalancer IP.&rdquo;</p> <h2 id="what-i-tried-and-what-didnt-work">What I Tried (And What Didn&rsquo;t Work) </h2><h3 id="attempt-1-socket-lb">Attempt 1: Socket LB </h3><p>The first suggestion in the docs: enable socket-level load balancing.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># helm-values.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">socketLB</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>Socket LB intercepts connections at the <code>connect()</code> syscall, before packets hit the network. In theory, it should handle hairpin traffic. In practice:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl <span class="nb">exec</span> debug-fresh -- curl --connect-timeout <span class="m">5</span> http://10.99.8.202:80 </span></span><span class="line"><span class="cl"><span class="c1"># Connection timed out after 5002 milliseconds</span> </span></span></code></pre></td></tr></table> </div> </div><p>Socket LB helps with ClusterIP services, but it doesn&rsquo;t intercept ExternalIP/LoadBalancer traffic.</p> <h3 id="attempt-2-hybrid-mode">Attempt 2: Hybrid Mode </h3><p>Maybe the problem is pure DSR. What about hybrid mode?</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">loadBalancer</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">mode</span><span class="p">:</span><span class="w"> </span><span class="l">hybrid </span><span class="w"> </span><span class="c"># DSR for external, SNAT for internal</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>Nope. Still timing out.</p> <h3 id="attempt-3-lbexternalclusterip">Attempt 3: lbExternalClusterIP </h3><p>There&rsquo;s an option to allow cluster-internal access to external LB IPs:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">loadBalancer</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">lbExternalClusterIP</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>Also didn&rsquo;t work.</p> <p>At this point I&rsquo;d tried everything in the Cilium docs. The problem is fundamental to how BGP + native routing + DSR interact. Pods simply can&rsquo;t reach LoadBalancer VIPs via the normal packet path when the backend is on the same node.</p> <h2 id="the-solution-coredns-rewriting">The Solution: CoreDNS Rewriting </h2><p>If I can&rsquo;t fix the network path, I can fix the DNS. The key insight: pods don&rsquo;t <em>need</em> to hit the LoadBalancer VIP — they can use the ClusterIP instead.</p> <table> <thead> <tr> <th>Client</th> <th>Should resolve to</th> </tr> </thead> <tbody> <tr> <td>External (internet)</td> <td>LoadBalancer VIP <code>10.99.8.202</code></td> </tr> <tr> <td>Pod (internal)</td> <td>ClusterIP <code>10.96.9.253</code></td> </tr> </tbody> </table> <p>CoreDNS can make this happen with the <code>template</code> plugin:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># kubernetes/apps/kube-system/coredns/app/helm-values.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">servers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Internal gateway rewrite - resolves internal services to ClusterIP</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># This works around Cilium DSR hairpin limitation</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">zones</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">zone</span><span class="p">:</span><span class="w"> </span><span class="l">${SECRET_DOMAIN}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">scheme</span><span class="p">:</span><span class="w"> </span><span class="l">dns://</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">port</span><span class="p">:</span><span class="w"> </span><span class="m">53</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">plugins</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">errors</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">log</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">configBlock</span><span class="p">:</span><span class="w"> </span><span class="p">|-</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> class error</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">template</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">parameters</span><span class="p">:</span><span class="w"> </span><span class="l">IN A</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">configBlock</span><span class="p">:</span><span class="w"> </span><span class="p">|-</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> match (^internal\.|^id\.)nerdz\.cloud\.$ </span></span></span><span class="line"><span class="cl"><span class="sd"> answer &#34;{{ .Name }} 60 IN A ${ENVOY_INTERNAL_CLUSTERIP}&#34; </span></span></span><span class="line"><span class="cl"><span class="sd"> fallthrough</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">template</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">parameters</span><span class="p">:</span><span class="w"> </span><span class="l">IN AAAA</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">configBlock</span><span class="p">:</span><span class="w"> </span><span class="p">|-</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> match (^internal\.|^id\.)nerdz\.cloud\.$ </span></span></span><span class="line"><span class="cl"><span class="sd"> rcode NOERROR </span></span></span><span class="line"><span class="cl"><span class="sd"> fallthrough</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">forward</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">parameters</span><span class="p">:</span><span class="w"> </span><span class="l">. /etc/resolv.conf</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">cache</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">parameters</span><span class="p">:</span><span class="w"> </span><span class="m">30</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>The <code>ENVOY_INTERNAL_CLUSTERIP</code> variable is defined in <code>cluster-settings.yaml</code> and substituted by Flux. This way if the ClusterIP ever changes (e.g., if the service is recreated), you only need to update one place.</p> <p>The template matches queries for <code>internal.nerdz.cloud</code> and <code>id.nerdz.cloud</code> and returns the ClusterIP instead of forwarding to external DNS (which would return the LoadBalancer VIP).</p> <h3 id="why-both-domains">Why Both Domains? </h3><p>My DNS is set up with a CNAME:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">id.nerdz.cloud → internal.nerdz.cloud → 10.99.8.202 (LB VIP) </span></span></code></pre></td></tr></table> </div> </div><p>If I only intercept <code>internal.nerdz.cloud</code>, the CNAME lookup for <code>id.nerdz.cloud</code> goes to external DNS, which returns the CNAME, and then the A record lookup for <code>internal.nerdz.cloud</code> also goes to external DNS. The whole chain bypasses my template.</p> <p>By intercepting both domains, I catch the query before it ever leaves the cluster.</p> <h2 id="verification">Verification </h2><p>After deploying the CoreDNS change:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># From a pod on stanton-01</span> </span></span><span class="line"><span class="cl">kubectl <span class="nb">exec</span> debug-dns -- nslookup id.nerdz.cloud </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">Server: 10.96.0.10 </span></span><span class="line"><span class="cl">Address: 10.96.0.10#53 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Name: id.nerdz.cloud </span></span><span class="line"><span class="cl">Address: 10.96.9.253 # ClusterIP, not LB VIP! </span></span></code></pre></td></tr></table> </div> </div><p>And the OIDC endpoint:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl <span class="nb">exec</span> debug-dns -- curl -s https://id.nerdz.cloud/.well-known/openid-configuration <span class="p">|</span> head -c <span class="m">100</span> </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-json" data-lang="json"><span class="line"><span class="cl"><span class="p">{</span><span class="nt">&#34;authorization_endpoint&#34;</span><span class="p">:</span><span class="s2">&#34;https://id.nerdz.cloud/authorize&#34;</span><span class="p">,</span><span class="nt">&#34;authorization_response_iss_parameter_supported&#34;</span><span class="p">:</span><span class="kc">true</span><span class="err">...</span> </span></span></code></pre></td></tr></table> </div> </div><p>The <code>qui</code> pod now starts without timing out:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl get pods -n downloads -l app.kubernetes.io/name<span class="o">=</span>qui </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">NAME READY STATUS RESTARTS AGE </span></span><span class="line"><span class="cl">qui-79cf57dcb-hn6dj 1/1 Running 0 2m </span></span></code></pre></td></tr></table> </div> </div><h2 id="the-trade-off">The Trade-off </h2><p>This solution has a subtle implication: internal pod traffic to <code>id.nerdz.cloud</code> won&rsquo;t hit the LoadBalancer layer. It goes directly to the envoy-internal ClusterIP.</p> <p>In practice, this doesn&rsquo;t matter — ClusterIP load balancing is still handled by Cilium, and there&rsquo;s only one replica of envoy-internal anyway. But if you&rsquo;re doing something fancy with LoadBalancer-level policies or metrics, be aware that pod traffic bypasses that layer.</p> <h2 id="lessons-learned">Lessons Learned </h2><ol> <li> <p><strong>BGP fixes L2 hairpin, not DSR hairpin</strong> — L2 announcements had hairpin issues because one node &ldquo;owned&rdquo; the IP via ARP. BGP fixed that by routing through the router. But DSR mode has its own hairpin problem when source and backend share a node.</p> </li> <li> <p><strong>ClusterIP always works</strong> — When in doubt, use ClusterIP for pod-to-service traffic. It&rsquo;s what Kubernetes expects.</p> </li> <li> <p><strong>DNS is a powerful escape hatch</strong> — When the network layer is fighting you, sometimes the answer is above the network layer. CoreDNS templates let you intercept and rewrite queries before they ever become packets.</p> </li> <li> <p><strong>Test from the same node</strong> — My initial testing from different nodes missed the issue entirely. When debugging network problems, always test from the specific node(s) having issues.</p> </li> <li> <p><strong>Read the GitHub issues</strong> — The Cilium issue tracker is full of people hitting this exact problem. I could have saved hours by searching for &ldquo;pods cannot reach LoadBalancer IP&rdquo; earlier.</p> </li> </ol> <h2 id="the-fix-in-context">The Fix in Context </h2><table> <thead> <tr> <th>Problem</th> <th>Solution</th> </tr> </thead> <tbody> <tr> <td>L2 hairpin (ARP ownership)</td> <td>Migrate to BGP</td> </tr> <tr> <td>DSR same-node hairpin</td> <td>CoreDNS rewrite to ClusterIP</td> </tr> <tr> <td>General pod-to-LB access</td> <td>Use ClusterIP or service DNS</td> </tr> </tbody> </table> <p>BGP was the right call for L2 hairpin. But DSR mode introduced a new hairpin scenario that BGP doesn&rsquo;t solve. CoreDNS rewriting is the cleanest workaround I&rsquo;ve found — it&rsquo;s targeted, doesn&rsquo;t require Cilium changes, and works regardless of pod scheduling.</p> <hr> <h2 id="references">References </h2><ul> <li><a class="link" href="https://github.com/cilium/cilium/issues/39198" target="_blank" rel="noopener" >Cilium Issue #39198</a> — Pods are not able to reach Cilium-managed LoadBalancer IP</li> <li><a class="link" href="https://docs.cilium.io/en/stable/network/kubernetes/kubeproxy-free/#direct-server-return-dsr" target="_blank" rel="noopener" >Cilium DSR Documentation</a> — How DSR mode works</li> <li><a class="link" href="https://coredns.io/plugins/template/" target="_blank" rel="noopener" >CoreDNS Template Plugin</a> — Synthesizing DNS responses</li> <li><a class="link" href="https://blog.nerdz.cloud/2025/cilium-bgp-migration/" >From L2 to BGP</a> — The migration that started this journey</li> </ul> <hr> <p><em>This post documents a debugging session with help from Claude Code. The CoreDNS workaround is now part of my <a class="link" href="https://github.com/gavinmcfall/home-ops" target="_blank" rel="noopener" >home-ops</a> repository.</em></p> https://blog.nerdz.cloud/2025/pgbackrest-multi-destination-backups/ Fri, 19 Dec 2025 00:00:00 +1300 https://blog.nerdz.cloud/2025/pgbackrest-multi-destination-backups/ <blockquote> <p>&ldquo;The backup that only exists in one place doesn&rsquo;t exist at all.&rdquo;</p> </blockquote> <h2 id="the-problem-barmans-dirty-secret">The Problem: Barman&rsquo;s Dirty Secret </h2><p>I had what I thought was a solid PostgreSQL backup strategy for my Immich database. CloudNativePG with Barman Cloud Plugin, two ObjectStores configured—one for Backblaze B2, one for Cloudflare R2. Daily ScheduledBackups for each destination. Belt and suspenders.</p> <p>Then I checked the actual buckets.</p> <p><strong>B2</strong>: Full backups, WAL files, everything present. <strong>R2</strong>: Empty. Nothing. Not a single file.</p> <p>Both ScheduledBackups were writing to B2. The R2 ObjectStore was configured, referenced in the ScheduledBackup—and completely ignored.</p> <p>Turns out, Barman Cloud Plugin has a limitation I hadn&rsquo;t spotted. The <code>barmanObjectName</code> parameter in ScheduledBackup? <a class="link" href="https://github.com/cloudnative-pg/plugin-barman-cloud/issues/611" target="_blank" rel="noopener" >It&rsquo;s ignored</a>. The plugin only uses whatever&rsquo;s configured in the cluster&rsquo;s plugin configuration. Both my scheduled backups were hitting the same destination.</p> <p>This isn&rsquo;t theoretical concern. If Backblaze goes down, I can&rsquo;t copy backups to R2 because they&rsquo;re only in B2. My 3-2-1 backup strategy was actually a 2-1-1.</p> <h2 id="the-alternative-pgbackrest">The Alternative: pgBackRest </h2><p>After researching alternatives, I found three options for PostgreSQL backups with CloudNativePG plugins:</p> <ol> <li><strong>Barman</strong> (what I was using) - Single destination limitation</li> <li><strong>WAL-G</strong> - Similar architecture, no multi-repo support</li> <li><strong>pgBackRest</strong> - Native multi-repository support</li> </ol> <p>pgBackRest from <a class="link" href="https://github.com/dalibo/cnpg-plugin-pgbackrest" target="_blank" rel="noopener" >Dalibo</a> looked promising. It&rsquo;s designed from the ground up for multi-repository backups—WAL archiving goes to ALL configured repositories simultaneously. The catch: it&rsquo;s experimental, has 16 GitHub stars, and the documentation is thin.</p> <p>I gave it a shot anyway.</p> <h2 id="deploying-the-pgbackrest-plugin">Deploying the pgBackRest Plugin </h2><p>Unlike Barman which has a Helm chart, the Dalibo pgBackRest plugin requires manual deployment. I created a new directory structure:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">kubernetes/apps/database/cloudnative-pg/pgbackrest/ </span></span><span class="line"><span class="cl">├── kustomization.yaml </span></span><span class="line"><span class="cl">├── crd.yaml # Repository CRD </span></span><span class="line"><span class="cl">├── rbac.yaml # ServiceAccount, ClusterRole, RoleBinding </span></span><span class="line"><span class="cl">├── certificate.yaml # Self-signed TLS for plugin communication </span></span><span class="line"><span class="cl">├── deployment.yaml # The controller </span></span><span class="line"><span class="cl">└── service.yaml # Exposes the controller to CNPG </span></span></code></pre></td></tr></table> </div> </div><p>The controller deployment is straightforward:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">apps/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Deployment</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">pgbackrest-controller</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">database</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">replicas</span><span class="p">:</span><span class="w"> </span><span class="m">1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">selector</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">matchLabels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">app</span><span class="p">:</span><span class="w"> </span><span class="l">pgbackrest-controller</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">template</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">pgbackrest-controller</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">registry.hub.docker.com/dalibo/cnpg-pgbackrest-controller:latest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">args</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">operator</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- --<span class="l">server-cert=/server/tls.crt</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- --<span class="l">server-key=/server/tls.key</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- --<span class="l">client-cert=/client/tls.crt</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- --<span class="l">server-address=:9090</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- --<span class="l">log-level=debug</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">env</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">SIDECAR_IMAGE</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">registry.hub.docker.com/dalibo/cnpg-pgbackrest-sidecar:latest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">volumeMounts</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">mountPath</span><span class="p">:</span><span class="w"> </span><span class="l">/server</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">server</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">mountPath</span><span class="p">:</span><span class="w"> </span><span class="l">/client</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">client</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">volumes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">server</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">secret</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">secretName</span><span class="p">:</span><span class="w"> </span><span class="l">pgbackrest-controller-server-tls</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">client</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">secret</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">secretName</span><span class="p">:</span><span class="w"> </span><span class="l">pgbackrest-controller-client-tls</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h3 id="the-service-name-gotcha">The Service Name Gotcha </h3><p>My first deployment crashed with a cryptic error:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">stanza creation failed: can&#39;t parse pgbackrest JSON: invalid character &#39;P&#39; </span></span></code></pre></td></tr></table> </div> </div><p>After way too much debugging, I found the issue. I&rsquo;d named the service <code>pgbackrest</code>. Kubernetes automatically creates environment variables for services: <code>PGBACKREST_SERVICE_HOST</code>, <code>PGBACKREST_PORT</code>, etc.</p> <p>pgBackRest interprets <strong>any</strong> <code>PGBACKREST_*</code> environment variable as configuration. The sidecar was trying to parse <code>PGBACKREST_PORT_9090_TCP_ADDR</code> as a pgBackRest option and choking on the JSON output.</p> <p>The fix: rename the service to <code>cnpg-pgbackrest</code>. No more environment variable conflicts.</p> <h3 id="leader-lease-conflict">Leader Lease Conflict </h3><p>After fixing the service name, the controller was stuck:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">attempting to acquire leader lease database/822e3f5c.cnpg.io... </span></span></code></pre></td></tr></table> </div> </div><p>Both Barman and pgBackRest plugins use the same leader election lease name. I had to disable Barman first:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">flux <span class="nb">suspend</span> helmrelease barman-cloud -n database </span></span><span class="line"><span class="cl">kubectl scale deployment barman-cloud-plugin-barman-cloud -n database --replicas<span class="o">=</span><span class="m">0</span> </span></span></code></pre></td></tr></table> </div> </div><p>Once Barman released the lease, pgBackRest acquired it and started working.</p> <h2 id="configuring-multi-repository-backups">Configuring Multi-Repository Backups </h2><p>The Repository CR is where the magic happens. You can define multiple S3 repositories and pgBackRest will archive WAL to all of them:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">pgbackrest.dalibo.com/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Repository</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">immich18-repository</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">database</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">repoConfiguration</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">stanza</span><span class="p">:</span><span class="w"> </span><span class="l">immich18</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">archive</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">async</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">pushQueueMax</span><span class="p">:</span><span class="w"> </span><span class="l">1GiB</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">s3Repositories</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Primary: Backblaze B2</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">bucket</span><span class="p">:</span><span class="w"> </span><span class="l">${IMMICH_PG_BACKUP_B2_BUCKET}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">endpoint</span><span class="p">:</span><span class="w"> </span><span class="l">s3.us-east-005.backblazeb2.com</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">region</span><span class="p">:</span><span class="w"> </span><span class="l">us-east-005</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">repoPath</span><span class="p">:</span><span class="w"> </span><span class="l">/immich18</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">retentionPolicy</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">full</span><span class="p">:</span><span class="w"> </span><span class="m">14</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">fullType</span><span class="p">:</span><span class="w"> </span><span class="l">count</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">secretRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">accessKeyId</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">immich-cnpg-secret</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">b2-access-key-id</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">secretAccessKey</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">immich-cnpg-secret</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">b2-secret-access-key</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Secondary: Cloudflare R2 (use Flux variable substitution)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">bucket</span><span class="p">:</span><span class="w"> </span><span class="l">${IMMICH_PG_BACKUP_R2_BUCKET}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">endpoint</span><span class="p">:</span><span class="w"> </span><span class="l">${CLOUDFLARE_ACCOUNT_ID}.r2.cloudflarestorage.com</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">region</span><span class="p">:</span><span class="w"> </span><span class="l">auto</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">repoPath</span><span class="p">:</span><span class="w"> </span><span class="l">/immich18</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">retentionPolicy</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">full</span><span class="p">:</span><span class="w"> </span><span class="m">14</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">fullType</span><span class="p">:</span><span class="w"> </span><span class="l">count</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">secretRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">accessKeyId</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">immich-cnpg-secret</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">r2-access-key-id</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">secretAccessKey</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">immich-cnpg-secret</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">r2-secret-access-key</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>Note the R2 bucket and endpoint use Flux variable substitution (<code>${VARIABLE_NAME}</code>) instead of hardcoded values. These get populated from an ExternalSecret that pulls from 1Password, with the Flux Kustomization configured to substitute variables from that secret. This keeps sensitive values like Cloudflare account IDs out of git history.</p> <p>The cluster just needs to reference the plugin:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">plugins</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">pgbackrest.dalibo.com</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">parameters</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">repositoryRef</span><span class="p">:</span><span class="w"> </span><span class="l">immich18-repository</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h2 id="the-backup-target-problem">The Backup Target Problem </h2><p>First backup attempt failed:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">ERROR: [056]: unable to find primary cluster - cannot proceed </span></span><span class="line"><span class="cl">HINT: are all available clusters in recovery? </span></span></code></pre></td></tr></table> </div> </div><p>CNPG defaults to running backups on replicas to reduce load on the primary. But pgBackRest can&rsquo;t run backups from replicas without SSH access to the primary—which doesn&rsquo;t exist in Kubernetes.</p> <p>The fix is simple: tell CNPG to run backups on the primary:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">postgresql.cnpg.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ScheduledBackup</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">immich18-daily-b2</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">schedule</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;0 3 * * *&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">target</span><span class="p">:</span><span class="w"> </span><span class="l">primary </span><span class="w"> </span><span class="c"># This is the key</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">method</span><span class="p">:</span><span class="w"> </span><span class="l">plugin</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">cluster</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">immich18</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">pluginConfiguration</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">pgbackrest.dalibo.com</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h2 id="the-multi-repo-full-backup-discovery">The Multi-Repo Full Backup Discovery </h2><p>With the target fixed, backups started working. WAL archiving was going to both repositories—I could see files appearing in both B2 and R2. But when I checked the full backups:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># B2</span> </span></span><span class="line"><span class="cl">aws s3 ls s3://&lt;your-bucket&gt;/immich18/ --profile backblaze-b2 --recursive <span class="p">|</span> wc -l </span></span><span class="line"><span class="cl"><span class="m">1285</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># R2</span> </span></span><span class="line"><span class="cl">aws s3 ls s3://&lt;your-bucket&gt;/immich18/ --profile cloudflare-r2 --region auto --recursive <span class="p">|</span> wc -l </span></span><span class="line"><span class="cl"><span class="m">11</span> </span></span></code></pre></td></tr></table> </div> </div><p>WAL archives were in both. Full backup was only in B2.</p> <p>This is actually intentional behavior in pgBackRest. From the <a class="link" href="https://pgbackrest.org/command.html" target="_blank" rel="noopener" >documentation</a>:</p> <ul> <li><strong>WAL archiving</strong>: Pushes to ALL configured repositories simultaneously</li> <li><strong>Full backups</strong>: Only runs against ONE repository (defaults to repo1)</li> </ul> <p>The reasoning makes sense—full backups are large and expensive. Doing them twice doubles storage costs. WAL goes everywhere for redundancy.</p> <p>But for disaster recovery, I needed full backups in both locations.</p> <h3 id="the-selectedrepository-parameter">The selectedRepository Parameter </h3><p>After digging through the <a class="link" href="https://github.com/dalibo/cnpg-plugin-pgbackrest/blob/main/internal/instance/backup.go" target="_blank" rel="noopener" >plugin source code</a>, I found the solution. The plugin accepts a <code>selectedRepository</code> parameter:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-go" data-lang="go"><span class="line"><span class="cl"><span class="nx">selectedRepo</span><span class="p">,</span> <span class="nx">ok</span> <span class="o">:=</span> <span class="nx">request</span><span class="p">.</span><span class="nx">Parameters</span><span class="p">[</span><span class="s">&#34;selectedRepository&#34;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="p">!</span><span class="nx">ok</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nx">selectedRepo</span> <span class="p">=</span> <span class="s">&#34;1&#34;</span> <span class="c1">// use first repo by default </span></span></span><span class="line"><span class="cl"><span class="c1"></span><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>Note: the parameter is <code>selectedRepository</code>, not <code>repo</code>. The code defaults to repository 1 if not specified.</p> <p>Testing it:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">postgresql.cnpg.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Backup</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">pgbackrest-r2-test</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">cluster</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">immich18</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">method</span><span class="p">:</span><span class="w"> </span><span class="l">plugin</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">target</span><span class="p">:</span><span class="w"> </span><span class="l">primary</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">pluginConfiguration</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">pgbackrest.dalibo.com</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">parameters</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">selectedRepository</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;2&#34;</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>The logs confirmed it:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-json" data-lang="json"><span class="line"><span class="cl"><span class="p">{</span><span class="nt">&#34;msg&#34;</span><span class="p">:</span><span class="s2">&#34;using repo&#34;</span><span class="p">,</span><span class="nt">&#34;repo&#34;</span><span class="p">:</span><span class="s2">&#34;PGBACKREST_REPO=2&#34;</span><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>After waiting for the backup to complete:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">aws s3 ls s3://&lt;your-bucket&gt;/immich18/ --profile cloudflare-r2 --region auto --recursive <span class="p">|</span> wc -l </span></span><span class="line"><span class="cl"><span class="m">1232</span> </span></span></code></pre></td></tr></table> </div> </div><p>Full backup in R2.</p> <h2 id="the-final-configuration-two-scheduledbackups">The Final Configuration: Two ScheduledBackups </h2><p>To get true dual-destination full backups, I created two ScheduledBackups—one for each repository:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nn">---</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">postgresql.cnpg.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ScheduledBackup</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">immich18-daily-b2</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">database</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">schedule</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;0 3 * * *&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">immediate</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">backupOwnerReference</span><span class="p">:</span><span class="w"> </span><span class="l">self</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">method</span><span class="p">:</span><span class="w"> </span><span class="l">plugin</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">target</span><span class="p">:</span><span class="w"> </span><span class="l">primary</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">cluster</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">immich18</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">pluginConfiguration</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">pgbackrest.dalibo.com</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">parameters</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">selectedRepository</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nn">---</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">postgresql.cnpg.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ScheduledBackup</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">immich18-daily-r2</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">database</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Offset by 1 hour to avoid concurrent runs</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">schedule</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;0 4 * * *&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">immediate</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">backupOwnerReference</span><span class="p">:</span><span class="w"> </span><span class="l">self</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">method</span><span class="p">:</span><span class="w"> </span><span class="l">plugin</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">target</span><span class="p">:</span><span class="w"> </span><span class="l">primary</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">cluster</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">immich18</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">pluginConfiguration</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">pgbackrest.dalibo.com</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">parameters</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">selectedRepository</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;2&#34;</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>Key details:</p> <ul> <li>Schedules are offset by 1 hour to avoid concurrent backup operations</li> <li><code>immediate: true</code> only on the first one (don&rsquo;t need two immediate backups)</li> <li>Both target the primary explicitly</li> </ul> <h2 id="verifying-the-setup">Verifying the Setup </h2><p>After deployment, both buckets showed full backups:</p> <table> <thead> <tr> <th>Bucket</th> <th>Files</th> <th>Full Backup</th> </tr> </thead> <tbody> <tr> <td>B2</td> <td>1285+</td> <td><code>20251217-034103F</code></td> </tr> <tr> <td>R2</td> <td>1232+</td> <td><code>20251217-035928F</code></td> </tr> </tbody> </table> <p>WAL archiving continues to push to both repositories automatically. The Repository CR status shows the recovery window:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">status</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">recoveryWindow</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">firstBackup</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">label</span><span class="p">:</span><span class="w"> </span><span class="m">20251217</span>-<span class="l">034103F</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l">full</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">lastBackup</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">label</span><span class="p">:</span><span class="w"> </span><span class="m">20251217</span>-<span class="l">035928F</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l">full</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h2 id="lessons-learned">Lessons Learned </h2><table> <thead> <tr> <th>Assumption</th> <th>Reality</th> <th>Fix</th> </tr> </thead> <tbody> <tr> <td>Barman supports multiple ObjectStores per ScheduledBackup</td> <td><code>barmanObjectName</code> is ignored</td> <td>Switch to pgBackRest</td> </tr> <tr> <td>Service name <code>pgbackrest</code> is fine</td> <td>Creates conflicting <code>PGBACKREST_*</code> env vars</td> <td>Use <code>cnpg-pgbackrest</code></td> </tr> <tr> <td>Plugins can share leader leases</td> <td>They use the same lease name</td> <td>Disable Barman first</td> </tr> <tr> <td>Backups run on any cluster member</td> <td>pgBackRest needs the primary</td> <td>Add <code>target: primary</code></td> </tr> <tr> <td>Parameter name is <code>repo</code></td> <td>It&rsquo;s <code>selectedRepository</code></td> <td>Read the source code</td> </tr> <tr> <td>pgBackRest multi-repo means full backups everywhere</td> <td>WAL yes, full backups no</td> <td>Create two ScheduledBackups</td> </tr> </tbody> </table> <h2 id="is-pgbackrest-worth-it">Is pgBackRest Worth It? </h2><p>For the specific use case of multi-destination full backups, yes. The Dalibo plugin is experimental but functional. The key advantages over Barman:</p> <ol> <li><strong>True WAL replication</strong>: WAL files go to all repositories simultaneously</li> <li><strong>Explicit repository selection</strong>: You can target specific repos for full backups</li> <li><strong>Better retention policies</strong>: Per-repository retention configuration</li> </ol> <p>The downsides:</p> <ul> <li>No Helm chart (manual deployment required)</li> <li>Experimental status (16 stars on GitHub)</li> <li>Documentation is sparse (I had to read source code)</li> </ul> <p>For a homelab where I&rsquo;m willing to debug issues, it&rsquo;s the right choice. For production, I&rsquo;d wait for the plugin to mature or implement external replication (rclone sync between buckets).</p> <h2 id="part-2-the-full-migration">Part 2: The Full Migration </h2><p>With pgBackRest working for Immich, I decided to go all-in and migrate my entire PostgreSQL infrastructure:</p> <ol> <li><strong>Rename immich18 to postgres18-immich</strong> - Clearer naming convention</li> <li><strong>Create postgres18-cluster</strong> - New cluster to replace postgres17 (which used Barman)</li> <li><strong>Migrate all 46 databases</strong> from postgres17 to postgres18-cluster</li> </ol> <h3 id="shared-credentials">Shared Credentials </h3><p>Rather than managing separate S3 credentials for each cluster, I consolidated to shared pgBackRest credentials:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">external-secrets.io/v1beta1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ExternalSecret</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">cnpg-secret</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">database</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">secretStoreRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterSecretStore</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">onepassword-connect</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">target</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">cnpg-secret</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">data</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># pgBackRest B2 - shared across all clusters</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l">b2-access-key-id</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">backblaze</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">property</span><span class="p">:</span><span class="w"> </span><span class="l">BACKBLAZE_PGBACKREST_ACCESS_KEY</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l">b2-secret-access-key</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">backblaze</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">property</span><span class="p">:</span><span class="w"> </span><span class="l">BACKBLAZE_PGBACKREST_SECRET_ACCESS_KEY</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># pgBackRest R2 - shared across all clusters</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l">r2-access-key-id</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">cloudflare</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">property</span><span class="p">:</span><span class="w"> </span><span class="l">CLOUDFLARE_PGBACKREST_ACCESS_KEY</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l">r2-secret-access-key</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">cloudflare</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">property</span><span class="p">:</span><span class="w"> </span><span class="l">CLOUDFLARE_PGBACKREST_SECRET_ACCESS_KEY</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>Each cluster gets its own S3 bucket but shares the same credentials, simplifying secret management.</p> <h3 id="creating-postgres18-cluster">Creating postgres18-cluster </h3><p>The new cluster uses standard CloudNativePG PostgreSQL 18 (no VectorChord needed - that&rsquo;s only for Immich):</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">postgresql.cnpg.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Cluster</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">postgres18-cluster</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">database</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">instances</span><span class="p">:</span><span class="w"> </span><span class="m">3</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">imageName</span><span class="p">:</span><span class="w"> </span><span class="l">ghcr.io/cloudnative-pg/postgresql:18@sha256:7f374e054e46fdefd64b52904e32362949703a75c05302dca8ffa1eb78d41891</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">storage</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">size</span><span class="p">:</span><span class="w"> </span><span class="l">20Gi</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">storageClass</span><span class="p">:</span><span class="w"> </span><span class="l">openebs-hostpath</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">postgresql</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">parameters</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">max_connections</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;200&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">shared_buffers</span><span class="p">:</span><span class="w"> </span><span class="l">256MB</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">wal_keep_size</span><span class="p">:</span><span class="w"> </span><span class="l">2GB</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">plugins</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">pgbackrest.dalibo.com</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">parameters</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">repositoryRef</span><span class="p">:</span><span class="w"> </span><span class="l">postgres18-cluster-repository</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">bootstrap</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">initdb</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">database</span><span class="p">:</span><span class="w"> </span><span class="l">postgres</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">owner</span><span class="p">:</span><span class="w"> </span><span class="l">postgres</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>With its own Repository CR pointing to <code>nerdz-postgres-cluster</code> bucket:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">pgbackrest.dalibo.com/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Repository</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">postgres18-cluster-repository</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">database</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">repoConfiguration</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">stanza</span><span class="p">:</span><span class="w"> </span><span class="l">postgres18-cluster</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">archive</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">async</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">pushQueueMax</span><span class="p">:</span><span class="w"> </span><span class="l">1GiB</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">s3Repositories</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">bucket</span><span class="p">:</span><span class="w"> </span><span class="l">nerdz-postgres-cluster</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">endpoint</span><span class="p">:</span><span class="w"> </span><span class="l">s3.us-east-005.backblazeb2.com</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">region</span><span class="p">:</span><span class="w"> </span><span class="l">us-east-005</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">repoPath</span><span class="p">:</span><span class="w"> </span><span class="l">/postgres18-cluster</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">retentionPolicy</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">full</span><span class="p">:</span><span class="w"> </span><span class="m">14</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">fullType</span><span class="p">:</span><span class="w"> </span><span class="l">count</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">secretRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">accessKeyId</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">cnpg-secret</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">b2-access-key-id</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">secretAccessKey</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">cnpg-secret</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">b2-secret-access-key</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">bucket</span><span class="p">:</span><span class="w"> </span><span class="l">nerdz-postgres-cluster</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">endpoint</span><span class="p">:</span><span class="w"> </span><span class="l">${CLOUDFLARE_ACCOUNT_ID}.r2.cloudflarestorage.com</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">region</span><span class="p">:</span><span class="w"> </span><span class="l">auto</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">repoPath</span><span class="p">:</span><span class="w"> </span><span class="l">/postgres18-cluster</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">retentionPolicy</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">full</span><span class="p">:</span><span class="w"> </span><span class="m">14</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">fullType</span><span class="p">:</span><span class="w"> </span><span class="l">count</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">secretRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">accessKeyId</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">cnpg-secret</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">r2-access-key-id</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">secretAccessKey</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">cnpg-secret</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">r2-secret-access-key</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h3 id="the-migration-pg_dump-direct-pipe">The Migration: pg_dump Direct Pipe </h3><p>With postgres18-cluster running and healthy, it was time to migrate 46 databases (~1.8GB total) from postgres17.</p> <p><strong>Step 1: Scale down all apps</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Downloads namespace (14 apps)</span> </span></span><span class="line"><span class="cl">kubectl scale deploy -n downloads autobrr bazarr bazarr-foreign bazarr-uhd <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> dashbrr prowlarr radarr radarr-uhd readarr sabnzbd sonarr sonarr-foreign <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> sonarr-uhd whisparr --replicas<span class="o">=</span><span class="m">0</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Home namespace</span> </span></span><span class="line"><span class="cl">kubectl scale deploy -n home atuin linkwarden manyfold paperless --replicas<span class="o">=</span><span class="m">0</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Home-automation namespace</span> </span></span><span class="line"><span class="cl">kubectl scale deploy -n home-automation n8n teslamate --replicas<span class="o">=</span><span class="m">0</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Other namespaces</span> </span></span><span class="line"><span class="cl">kubectl scale deploy -n games romm --replicas<span class="o">=</span><span class="m">0</span> </span></span><span class="line"><span class="cl">kubectl scale deploy -n observability gatus --replicas<span class="o">=</span><span class="m">0</span> </span></span><span class="line"><span class="cl">kubectl scale deploy -n plane plane-admin-wl plane-api-wl plane-beat-worker-wl <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> plane-live-wl plane-space-wl plane-worker-wl --replicas<span class="o">=</span><span class="m">0</span> </span></span><span class="line"><span class="cl">kubectl scale deploy -n security pocket-id --replicas<span class="o">=</span><span class="m">0</span> </span></span></code></pre></td></tr></table> </div> </div><p><strong>Step 2: Verify no connections</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl <span class="nb">exec</span> -n database postgres17-1 -c postgres -- psql -U postgres -c <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> <span class="s2">&#34;SELECT datname, usename, client_addr, state FROM pg_stat_activity \ </span></span></span><span class="line"><span class="cl"><span class="s2"> WHERE datname IS NOT NULL ORDER BY datname;&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><p>Only the query connection itself should appear.</p> <p><strong>Step 3: Direct pipe migration</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl <span class="nb">exec</span> -n database postgres17-1 -c postgres -- pg_dumpall -U postgres <span class="p">|</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> kubectl <span class="nb">exec</span> -i -n database postgres18-cluster-1 -c postgres -- psql -U postgres </span></span></code></pre></td></tr></table> </div> </div><p>This pipes the dump directly between clusters - no intermediate file needed. The only &ldquo;errors&rdquo; are expected:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">ERROR: role &#34;postgres&#34; already exists </span></span><span class="line"><span class="cl">ERROR: role &#34;streaming_replica&#34; already exists </span></span></code></pre></td></tr></table> </div> </div><p>These roles already exist in the target cluster.</p> <p><strong>Step 4: Verify the migration</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Check database counts match</span> </span></span><span class="line"><span class="cl">kubectl <span class="nb">exec</span> -n database postgres17-1 -c postgres -- psql -U postgres -c <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> <span class="s2">&#34;SELECT COUNT(*) FROM pg_database WHERE datname NOT IN (&#39;template0&#39;, &#39;template1&#39;);&#34;</span> </span></span><span class="line"><span class="cl"><span class="c1"># Result: 46</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">kubectl <span class="nb">exec</span> -n database postgres18-cluster-1 -c postgres -- psql -U postgres -c <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> <span class="s2">&#34;SELECT COUNT(*) FROM pg_database WHERE datname NOT IN (&#39;template0&#39;, &#39;template1&#39;);&#34;</span> </span></span><span class="line"><span class="cl"><span class="c1"># Result: 46</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Spot check critical data</span> </span></span><span class="line"><span class="cl">kubectl <span class="nb">exec</span> -n database postgres18-cluster-1 -c postgres -- psql -U postgres -d teslamate -c <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> <span class="s2">&#34;SELECT COUNT(*) FROM positions;&#34;</span> </span></span><span class="line"><span class="cl"><span class="c1"># Result: 3,140,499 (matches source)</span> </span></span></code></pre></td></tr></table> </div> </div><p><strong>Step 5: Update ExternalSecrets</strong></p> <p>All apps needed their database hostname updated from <code>postgres17-rw.database.svc.cluster.local</code> to <code>postgres18-cluster-rw.database.svc.cluster.local</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">find kubernetes/apps -name <span class="s2">&#34;*.yaml&#34;</span> -exec grep -l <span class="s2">&#34;postgres17-rw&#34;</span> <span class="o">{}</span> <span class="se">\;</span> <span class="p">|</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> xargs sed -i <span class="s1">&#39;s/postgres17-rw\.database\.svc\.cluster\.local/postgres18-cluster-rw.database.svc.cluster.local/g&#39;</span> </span></span></code></pre></td></tr></table> </div> </div><p><strong>Step 6: Scale apps back up</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl scale deploy -n downloads autobrr bazarr bazarr-foreign bazarr-uhd <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> dashbrr prowlarr radarr radarr-uhd readarr sabnzbd sonarr sonarr-foreign <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> sonarr-uhd whisparr --replicas<span class="o">=</span><span class="m">1</span> </span></span><span class="line"><span class="cl"><span class="c1"># ... repeat for other namespaces</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="adding-pgbouncer-connection-pooling">Adding PgBouncer Connection Pooling </h3><p>For better connection management, I added PgBouncer poolers to both clusters:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">postgresql.cnpg.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Pooler</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">postgres18-cluster-pooler</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">database</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">cluster</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">postgres18-cluster</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">instances</span><span class="p">:</span><span class="w"> </span><span class="m">2</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l">rw</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">pgbouncer</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">poolMode</span><span class="p">:</span><span class="w"> </span><span class="l">session</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">parameters</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">max_client_conn</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;500&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">default_pool_size</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;100&#34;</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h3 id="cleanup">Cleanup </h3><p>With everything migrated and verified:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Suspend the old Kustomization</span> </span></span><span class="line"><span class="cl">flux <span class="nb">suspend</span> kustomization cloudnative-pg-cluster17 -n database </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Delete the cluster</span> </span></span><span class="line"><span class="cl">kubectl delete cluster postgres17 -n database </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Remove from git</span> </span></span><span class="line"><span class="cl">rm -rf kubernetes/apps/database/cloudnative-pg/cluster17/ </span></span><span class="line"><span class="cl"><span class="c1"># Edit ks.yaml to remove the cluster17 Kustomization</span> </span></span><span class="line"><span class="cl">git add -A <span class="o">&amp;&amp;</span> git commit -m <span class="s2">&#34;chore(database): remove postgres17 cluster&#34;</span> </span></span><span class="line"><span class="cl">git push </span></span></code></pre></td></tr></table> </div> </div><h2 id="final-architecture">Final Architecture </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">kubernetes/apps/database/cloudnative-pg/ </span></span><span class="line"><span class="cl">├── app/ # CNPG operator + shared secrets </span></span><span class="line"><span class="cl">├── pgbackrest/ # pgBackRest controller </span></span><span class="line"><span class="cl">├── postgres18-immich/ # Immich cluster (VectorChord) </span></span><span class="line"><span class="cl">│ ├── postgres18-immich.yaml </span></span><span class="line"><span class="cl">│ ├── repository.yaml # B2: nerdz-postgres-immich </span></span><span class="line"><span class="cl">│ ├── scheduledbackup.yaml # B2 @ 03:00, R2 @ 04:00 </span></span><span class="line"><span class="cl">│ ├── pooler.yaml </span></span><span class="line"><span class="cl">│ └── service.yaml </span></span><span class="line"><span class="cl">└── postgres18-cluster/ # Main cluster (all other apps) </span></span><span class="line"><span class="cl"> ├── postgres18-cluster.yaml </span></span><span class="line"><span class="cl"> ├── repository.yaml # B2: nerdz-postgres-cluster </span></span><span class="line"><span class="cl"> ├── scheduledbackup.yaml # B2 @ 03:00, R2 @ 04:00 </span></span><span class="line"><span class="cl"> ├── pooler.yaml </span></span><span class="line"><span class="cl"> └── service.yaml </span></span></code></pre></td></tr></table> </div> </div><table> <thead> <tr> <th>Cluster</th> <th>Purpose</th> <th>Image</th> <th>Backups</th> </tr> </thead> <tbody> <tr> <td>postgres18-immich</td> <td>Immich only</td> <td>VectorChord PG18</td> <td>B2 + R2 via pgBackRest</td> </tr> <tr> <td>postgres18-cluster</td> <td>All other apps (46 DBs)</td> <td>Standard PG18</td> <td>B2 + R2 via pgBackRest</td> </tr> </tbody> </table> <h2 id="the-complete-lessons-learned">The Complete Lessons Learned </h2><table> <thead> <tr> <th>Assumption</th> <th>Reality</th> <th>Fix</th> </tr> </thead> <tbody> <tr> <td>Barman supports multiple ObjectStores per ScheduledBackup</td> <td><code>barmanObjectName</code> is ignored</td> <td>Switch to pgBackRest</td> </tr> <tr> <td>Service name <code>pgbackrest</code> is fine</td> <td>Creates conflicting <code>PGBACKREST_*</code> env vars</td> <td>Use <code>cnpg-pgbackrest</code></td> </tr> <tr> <td>Plugins can share leader leases</td> <td>They use the same lease name</td> <td>Disable Barman first</td> </tr> <tr> <td>Backups run on any cluster member</td> <td>pgBackRest needs the primary</td> <td>Add <code>target: primary</code></td> </tr> <tr> <td>Parameter name is <code>repo</code></td> <td>It&rsquo;s <code>selectedRepository</code></td> <td>Read the source code</td> </tr> <tr> <td>pgBackRest multi-repo means full backups everywhere</td> <td>WAL yes, full backups no</td> <td>Create two ScheduledBackups</td> </tr> <tr> <td>pg_dumpall needs intermediate storage</td> <td>Direct pipe works fine</td> <td><code>pg_dumpall | psql</code> between pods</td> </tr> <tr> <td>CNPG clusters can scale to 0</td> <td>Minimum is 1 instance</td> <td>Suspend Kustomization + delete cluster</td> </tr> </tbody> </table> <h2 id="is-it-worth-it">Is It Worth It? </h2><p>Absolutely. The migration took about 2 hours total:</p> <ul> <li><strong>Zero data loss</strong>: All 46 databases migrated with verified row counts</li> <li><strong>Zero downtime</strong> (for the migration itself - apps were briefly stopped)</li> <li><strong>True dual-destination backups</strong>: Both B2 and R2 now have full backups</li> <li><strong>Cleaner architecture</strong>: Shared credentials, consistent naming, PgBouncer pooling</li> <li><strong>PostgreSQL 18</strong>: Latest version with performance improvements</li> </ul> <p>The pgBackRest plugin is experimental, but it works. For a homelab, it&rsquo;s the right choice.</p> <hr> <p><em>This post documents part of the ongoing work on my <a class="link" href="https://github.com/gavinmcfall/home-ops" target="_blank" rel="noopener" >home-ops</a> repository. The pgBackRest plugin is from <a class="link" href="https://github.com/dalibo/cnpg-plugin-pgbackrest" target="_blank" rel="noopener" >Dalibo</a>.</em></p> https://blog.nerdz.cloud/2025/cilium-bgp-migration/ Sat, 13 Dec 2025 00:00:00 +1300 https://blog.nerdz.cloud/2025/cilium-bgp-migration/ <blockquote> <p>&ldquo;L2 is fine until it isn&rsquo;t. BGP is harder until it isn&rsquo;t.&rdquo; — <em>Every network engineer eventually</em></p> </blockquote> <h2 id="the-problem-l2-announcements-on-a-crowded-subnet">The Problem: L2 Announcements on a Crowded Subnet </h2><p>My homelab has been running Cilium with L2 announcements for LoadBalancer IPs. It works — Cilium responds to ARP requests on behalf of the service IPs, and traffic flows. Simple.</p> <p>The problem? All my LoadBalancer IPs lived on the same <code>/24</code> as my nodes (<code>10.90.3.0/24</code>). With nodes, pods, services, and management devices all sharing airspace, I was running out of room. And L2 announcements have limitations:</p> <ol> <li><strong>Subnet constraint</strong>: IPs must be on the same L2 segment as the announcing nodes</li> <li><strong>ARP storms</strong>: High-traffic services can generate noisy ARP traffic</li> <li><strong>No route aggregation</strong>: Each IP is independently announced via ARP</li> <li><strong>Single point of failure</strong>: Only one node responds to ARP for a given IP</li> </ol> <p>I wanted a cleaner architecture: a dedicated Services VLAN for LoadBalancer IPs, advertised via BGP to my UDM Pro.</p> <h2 id="the-goal-bgp-advertised-loadbalancer-ips-on-a-dedicated-vlan">The Goal: BGP-Advertised LoadBalancer IPs on a Dedicated VLAN </h2><p>The target architecture:</p> <table> <thead> <tr> <th>Component</th> <th>Before</th> <th>After</th> </tr> </thead> <tbody> <tr> <td>LoadBalancer IP range</td> <td><code>10.90.3.200-210</code> (node subnet)</td> <td><code>10.99.8.0/24</code> (Services VLAN)</td> </tr> <tr> <td>Advertisement method</td> <td>L2 (ARP)</td> <td>BGP</td> </tr> <tr> <td>Cluster ASN</td> <td>N/A</td> <td>65010</td> </tr> <tr> <td>Router ASN</td> <td>N/A</td> <td>65001 (UDM Pro)</td> </tr> </tbody> </table> <p>With BGP, the cluster announces routes to my UDM Pro, which installs them in its routing table. Traffic to <code>10.99.8.x</code> gets routed to whichever node is advertising that IP — no ARP required.</p> <h2 id="how-bgp-loadbalancer-advertisement-works">How BGP LoadBalancer Advertisement Works </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl"> ┌─────────────────────────────┐ </span></span><span class="line"><span class="cl"> │ UDM Pro │ </span></span><span class="line"><span class="cl"> │ ASN 65001 │ </span></span><span class="line"><span class="cl"> │ 10.90.254.1 │ </span></span><span class="line"><span class="cl"> └──────────┬──────────────────┘ </span></span><span class="line"><span class="cl"> │ </span></span><span class="line"><span class="cl"> BGP Sessions (eBGP) │ </span></span><span class="line"><span class="cl"> ┌─────────────────────────┬──────────────────┼────────────────────┐ </span></span><span class="line"><span class="cl"> │ │ │ │ </span></span><span class="line"><span class="cl"> ▼ ▼ ▼ │ </span></span><span class="line"><span class="cl">┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │ </span></span><span class="line"><span class="cl">│ Node 1 │ │ Node 2 │ │ Node 3 │ │ </span></span><span class="line"><span class="cl">│ ASN 65010 │ │ ASN 65010 │ │ ASN 65010 │ │ </span></span><span class="line"><span class="cl">│ 10.90.3.101 │ │ 10.90.3.102 │ │ 10.90.3.103 │ │ </span></span><span class="line"><span class="cl">└──────┬──────┘ └──────┬──────┘ └──────┬──────┘ │ </span></span><span class="line"><span class="cl"> │ │ │ │ </span></span><span class="line"><span class="cl"> │ Announces: │ Announces: │ Announces: │ </span></span><span class="line"><span class="cl"> │ 10.99.8.201 (envoy) │ 10.99.8.203 │ 10.99.8.205 │ </span></span><span class="line"><span class="cl"> │ 10.99.8.207 (dragonfly)│ (mosquitto) │ (qbittorrent) │ </span></span><span class="line"><span class="cl"> └────────────────────────┴──────────────────┴────────────────────┘ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">When client requests 10.99.8.201: </span></span><span class="line"><span class="cl">1. UDM Pro looks up route → next-hop is Node 1 </span></span><span class="line"><span class="cl">2. Traffic routed directly to Node 1 </span></span><span class="line"><span class="cl">3. Cilium delivers to envoy-gateway pod </span></span></code></pre></td></tr></table> </div> </div><p>The key advantage: BGP routes are L3, so my LoadBalancer IPs can live on any subnet — they don&rsquo;t need to be on the same broadcast domain as the nodes.</p> <h2 id="the-migration">The Migration </h2><h3 id="step-1-enable-bgp-control-plane-in-cilium">Step 1: Enable BGP Control Plane in Cilium </h3><p>First, enable the BGP control plane in Cilium&rsquo;s Helm values:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># kubernetes/apps/kube-system/cilium/app/helm-values.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">bgpControlPlane</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>This unlocks the new BGP CRDs but doesn&rsquo;t configure any peering yet.</p> <h3 id="step-2-create-the-bgp-crds">Step 2: Create the BGP CRDs </h3><p>Cilium&rsquo;s BGP implementation uses four CRDs:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># kubernetes/apps/kube-system/cilium/app/networking.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nn">---</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># What to advertise</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">cilium.io/v2</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">CiliumBGPAdvertisement</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">lb-services</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">labels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">advertise</span><span class="p">:</span><span class="w"> </span><span class="l">bgp</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">advertisements</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">advertisementType</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Service&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">service</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">addresses</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">LoadBalancerIP</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Advertise all LoadBalancer services unless explicitly excluded</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">selector</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">matchExpressions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">io.cilium/bgp-announce</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">NotIn</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">values</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;false&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nn">---</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># How to peer (timers, graceful restart)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">cilium.io/v2</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">CiliumBGPPeerConfig</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">udm-peer</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">timers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">holdTimeSeconds</span><span class="p">:</span><span class="w"> </span><span class="m">90</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">keepAliveTimeSeconds</span><span class="p">:</span><span class="w"> </span><span class="m">30</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">gracefulRestart</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">restartTimeSeconds</span><span class="p">:</span><span class="w"> </span><span class="m">120</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">families</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">afi</span><span class="p">:</span><span class="w"> </span><span class="l">ipv4</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">safi</span><span class="p">:</span><span class="w"> </span><span class="l">unicast</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">advertisements</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">matchLabels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">advertise</span><span class="p">:</span><span class="w"> </span><span class="l">bgp</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nn">---</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># Cluster-wide BGP configuration</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">cilium.io/v2</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">CiliumBGPClusterConfig</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">bgp-cluster</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">nodeSelector</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">matchLabels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kubernetes.io/os</span><span class="p">:</span><span class="w"> </span><span class="l">linux</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">bgpInstances</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;home-cluster&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">localASN</span><span class="p">:</span><span class="w"> </span><span class="m">65010</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">peers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;udm-pro&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">peerAddress</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;10.90.254.1&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">peerASN</span><span class="p">:</span><span class="w"> </span><span class="m">65001</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">peerConfigRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">udm-peer</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nn">---</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># IP pool for LoadBalancer services</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">cilium.io/v2</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">CiliumLoadBalancerIPPool</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">lb-pool</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">allowFirstLastIPs</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;No&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">blocks</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">cidr</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;10.99.8.0/24&#34;</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h3 id="step-3-configure-bgp-on-the-udm-pro">Step 3: Configure BGP on the UDM Pro </h3><p>On the UniFi side, I configured BGP in the Network settings:</p> <ol> <li><strong>Enable BGP</strong>: Settings → Routing → BGP</li> <li><strong>Local ASN</strong>: 65001</li> <li><strong>Add neighbor</strong>: 10.90.3.101-103 (each node), ASN 65010</li> <li><strong>Accept routes</strong>: Enable route acceptance from neighbors</li> </ol> <p>The UDM Pro now accepts route announcements from the cluster and installs them in its routing table.</p> <h3 id="step-4-centralize-loadbalancer-ip-variables">Step 4: Centralize LoadBalancer IP Variables </h3><p>Rather than scattering hardcoded IPs across HelmReleases, I centralized them in <code>cluster-settings.yaml</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># kubernetes/components/common/cluster-vars/cluster-settings.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ConfigMap</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">cluster-settings</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">data</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># LoadBalancer IPs (Services VLAN - 10.99.8.0/24)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ENVOY_EXTERNAL_LBIP</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;10.99.8.201&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ENVOY_INTERNAL_LBIP</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;10.99.8.202&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">MOSQUITTO_LBIP</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;10.99.8.203&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">SMTP_RELAY_LBIP</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;10.99.8.204&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">QBITTORRENT_LBIP</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;10.99.8.205&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">PLEX_LBIP</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;10.99.8.206&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">DRAGONFLY_LBIP</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;10.99.8.207&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">JELLYFIN_LBIP</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;10.99.8.208&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">NETWORK_UPS_TOOLS_LBIP</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;10.99.8.209&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">GRAPHITE_EXPORTER_LBIP</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;10.99.8.210&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">POSTGRES17_LBIP</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;10.99.8.211&#34;</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>Services reference these via Flux variable substitution:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># Example: dragonfly service</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Service</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">dragonfly-lb</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">io.cilium/lb-ipam-ips</span><span class="p">:</span><span class="w"> </span><span class="l">${DRAGONFLY_LBIP}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l">LoadBalancer</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ports</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">dragonfly</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">port</span><span class="p">:</span><span class="w"> </span><span class="m">6379</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><style type="text/css"> .notice { --title-color: #fff; --title-background-color: #6be; --content-color: #444; --content-background-color: #e7f2fa; } .notice.info { --title-background-color: #fb7; --content-background-color: #fec; } .notice.tip { --title-background-color: #5a5; --content-background-color: #efe; } .notice.warning { --title-background-color: #c33; --content-background-color: #fee; } @media (prefers-color-scheme:dark) { .notice { --title-color: #fff; --title-background-color: #069; --content-color: #ddd; --content-background-color: #023; } .notice.info { --title-background-color: #a50; --content-background-color: #420; } .notice.tip { --title-background-color: #363; --content-background-color: #121; } .notice.warning { --title-background-color: #800; --content-background-color: #400; } } body.dark .notice { --title-color: #fff; --title-background-color: #069; --content-color: #ddd; --content-background-color: #023; } body.dark .notice.info { --title-background-color: #a50; --content-background-color: #420; } body.dark .notice.tip { --title-background-color: #363; --content-background-color: #121; } body.dark .notice.warning { --title-background-color: #800; --content-background-color: #400; } .notice { padding: 18px; line-height: 24px; margin-bottom: 24px; border-radius: 4px; color: var(--content-color); background: var(--content-background-color); } .notice p:last-child { margin-bottom: 0 } .notice-title { margin: -18px -18px 12px; padding: 4px 18px; border-radius: 4px 4px 0 0; font-weight: 700; color: var(--title-color); background: var(--title-background-color); } .icon-notice { display: inline-flex; align-self: center; margin-right: 8px; } .icon-notice img, .icon-notice svg { height: 1em; width: 1em; fill: currentColor; } .icon-notice img, .icon-notice.baseline svg { top: .125em; position: relative; } </style><div class="notice info" > <p class="notice-title"> <span class="icon-notice baseline"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="92 59.5 300 300"> <path d="M292 303.25V272c0-3.516-2.734-6.25-6.25-6.25H267v-100c0-3.516-2.734-6.25-6.25-6.25h-62.5c-3.516 0-6.25 2.734-6.25 6.25V197c0 3.516 2.734 6.25 6.25 6.25H217v62.5h-18.75c-3.516 0-6.25 2.734-6.25 6.25v31.25c0 3.516 2.734 6.25 6.25 6.25h87.5c3.516 0 6.25-2.734 6.25-6.25Zm-25-175V97c0-3.516-2.734-6.25-6.25-6.25h-37.5c-3.516 0-6.25 2.734-6.25 6.25v31.25c0 3.516 2.734 6.25 6.25 6.25h37.5c3.516 0 6.25-2.734 6.25-6.25Zm125 81.25c0 82.813-67.188 150-150 150-82.813 0-150-67.188-150-150 0-82.813 67.188-150 150-150 82.813 0 150 67.188 150 150Z"/> </svg> </span> Info </p><p><strong>Variable naming</strong>: Flux&rsquo;s envsubst doesn&rsquo;t allow hyphens in variable names. Use underscores: <code>DRAGONFLY_LBIP</code> not <code>DRAGONFLY-LBIP</code>.</p></div> <h3 id="step-5-remove-l2-announcement-configuration">Step 5: Remove L2 Announcement Configuration </h3><p>With BGP working, I removed the old L2 configs:</p> <ul> <li><code>CiliumL2AnnouncementPolicy</code> — deleted</li> <li><code>CiliumLoadBalancerIPPool</code> for old subnet — replaced with new <code>10.99.8.0/24</code> pool</li> </ul> <h3 id="step-6-update-dns">Step 6: Update DNS </h3><p>The internal gateway moved from <code>10.90.3.202</code> to <code>10.99.8.202</code>. I updated the DNS A record for <code>internal.nerdz.cloud</code> in my UDM Pro&rsquo;s local DNS settings (managed via external-dns-unifi, but this specific record needed a manual kick).</p> <h2 id="post-migration-cleanup">Post-Migration Cleanup </h2><p>After the BGP migration, some pods had stale network state — they&rsquo;d cached the old gateway IP or had connection pools pointing to old addresses. The fix was simple: restart everything.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Restart all deployments in affected namespaces</span> </span></span><span class="line"><span class="cl"><span class="k">for</span> ns in downloads entertainment home home-automation games observability<span class="p">;</span> <span class="k">do</span> </span></span><span class="line"><span class="cl"> kubectl rollout restart deployment -n <span class="nv">$ns</span> </span></span><span class="line"><span class="cl"><span class="k">done</span> </span></span></code></pre></td></tr></table> </div> </div><p>I also discovered an interesting side effect: Cilium performs TCP health checks on LoadBalancer services. My mosquitto logs filled with:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">Client &lt;unknown&gt; closed its connection. </span></span></code></pre></td></tr></table> </div> </div><p>These are Cilium&rsquo;s BGP control plane verifying the service is reachable — completely normal, not an error.</p> <h2 id="verifying-bgp-sessions">Verifying BGP Sessions </h2><p>To confirm BGP is working, exec into a Cilium pod and check peer status:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Check BGP peering status from each node</span> </span></span><span class="line"><span class="cl">kubectl <span class="nb">exec</span> -n kube-system ds/cilium -- cilium-dbg bgp peers </span></span></code></pre></td></tr></table> </div> </div><p>Output shows all three nodes with established sessions:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">=== stanton-01 === </span></span><span class="line"><span class="cl">Local AS Peer AS Peer Address Session Uptime Family Received Advertised </span></span><span class="line"><span class="cl">65010 65001 10.90.254.1:179 established 47m11s ipv4/unicast 11 12 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">=== stanton-02 === </span></span><span class="line"><span class="cl">Local AS Peer AS Peer Address Session Uptime Family Received Advertised </span></span><span class="line"><span class="cl">65010 65001 10.90.254.1:179 established 47m55s ipv4/unicast 11 12 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">=== stanton-03 === </span></span><span class="line"><span class="cl">Local AS Peer AS Peer Address Session Uptime Family Received Advertised </span></span><span class="line"><span class="cl">65010 65001 10.90.254.1:179 established 48m11s ipv4/unicast 11 12 </span></span></code></pre></td></tr></table> </div> </div><p>To see what routes the cluster is advertising:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl <span class="nb">exec</span> -n kube-system ds/cilium -- cilium-dbg bgp routes advertised ipv4 unicast peer 10.90.254.1 </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">VRouter Prefix NextHop Age Attrs </span></span><span class="line"><span class="cl">65010 10.99.8.201/32 10.90.3.101 51m26s [{Origin: i} {AsPath: 65010} {Nexthop: 10.90.3.101}] </span></span><span class="line"><span class="cl">65010 10.99.8.202/32 10.90.3.101 51m25s [{Origin: i} {AsPath: 65010} {Nexthop: 10.90.3.101}] </span></span><span class="line"><span class="cl">65010 10.99.8.203/32 10.90.3.101 51m31s [{Origin: i} {AsPath: 65010} {Nexthop: 10.90.3.101}] </span></span><span class="line"><span class="cl">65010 10.99.8.204/32 10.90.3.101 51m30s [{Origin: i} {AsPath: 65010} {Nexthop: 10.90.3.101}] </span></span><span class="line"><span class="cl">65010 10.99.8.205/32 10.90.3.101 51m11s [{Origin: i} {AsPath: 65010} {Nexthop: 10.90.3.101}] </span></span><span class="line"><span class="cl">65010 10.99.8.206/32 10.90.3.101 51m11s [{Origin: i} {AsPath: 65010} {Nexthop: 10.90.3.101}] </span></span><span class="line"><span class="cl">65010 10.99.8.207/32 10.90.3.101 51m32s [{Origin: i} {AsPath: 65010} {Nexthop: 10.90.3.101}] </span></span><span class="line"><span class="cl">65010 10.99.8.208/32 10.90.3.101 51m10s [{Origin: i} {AsPath: 65010} {Nexthop: 10.90.3.101}] </span></span><span class="line"><span class="cl">65010 10.99.8.209/32 10.90.3.101 51m26s [{Origin: i} {AsPath: 65010} {Nexthop: 10.90.3.101}] </span></span><span class="line"><span class="cl">65010 10.99.8.210/32 10.90.3.101 51m24s [{Origin: i} {AsPath: 65010} {Nexthop: 10.90.3.101}] </span></span><span class="line"><span class="cl">65010 10.99.8.211/32 10.90.3.101 51m32s [{Origin: i} {AsPath: 65010} {Nexthop: 10.90.3.101}] </span></span></code></pre></td></tr></table> </div> </div><h3 id="verifying-routes-on-the-udm-pro">Verifying Routes on the UDM Pro </h3><p>The real proof is checking that the UDM Pro has actually installed these BGP routes. SSH into the UDM and check:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ssh unifi <span class="s2">&#34;ip route show proto bgp&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">10.99.8.201 metric 20 </span></span><span class="line"><span class="cl"> nexthop via 10.90.3.101 dev br0 weight 1 </span></span><span class="line"><span class="cl"> nexthop via 10.90.3.102 dev br0 weight 1 </span></span><span class="line"><span class="cl"> nexthop via 10.90.3.103 dev br0 weight 1 </span></span><span class="line"><span class="cl">10.99.8.202 metric 20 </span></span><span class="line"><span class="cl"> nexthop via 10.90.3.101 dev br0 weight 1 </span></span><span class="line"><span class="cl"> nexthop via 10.90.3.102 dev br0 weight 1 </span></span><span class="line"><span class="cl"> nexthop via 10.90.3.103 dev br0 weight 1 </span></span><span class="line"><span class="cl">10.99.8.203 metric 20 </span></span><span class="line"><span class="cl"> nexthop via 10.90.3.101 dev br0 weight 1 </span></span><span class="line"><span class="cl"> nexthop via 10.90.3.102 dev br0 weight 1 </span></span><span class="line"><span class="cl"> nexthop via 10.90.3.103 dev br0 weight 1 </span></span><span class="line"><span class="cl">... </span></span></code></pre></td></tr></table> </div> </div><p>This output is the smoking gun:</p> <ol> <li><strong><code>proto bgp</code></strong> — Routes were learned via BGP, not statically configured</li> <li><strong>Multiple nexthops</strong> — ECMP (Equal-Cost Multi-Path) is active; each LoadBalancer IP has three paths (one per node)</li> <li><strong>Equal weight</strong> — Traffic is load-balanced across all nodes</li> </ol> <p>The UDM Pro will distribute incoming traffic for any <code>10.99.8.x</code> IP across all three cluster nodes. Cilium on each node then delivers the traffic to the correct pod.</p> <h3 id="end-to-end-connectivity-test">End-to-End Connectivity Test </h3><p>Finally, verify that services are actually reachable via their BGP-advertised IPs:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Test from inside the cluster</span> </span></span><span class="line"><span class="cl">kubectl run bgp-test --rm -it --restart<span class="o">=</span>Never --image<span class="o">=</span>busybox:1.36 -- <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> sh -c <span class="s2">&#34;nc -zv 10.99.8.207 6379 &amp;&amp; echo &#39;Dragonfly reachable&#39;&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Output:</span> </span></span><span class="line"><span class="cl"><span class="c1"># 10.99.8.207 (10.99.8.207:6379) open</span> </span></span><span class="line"><span class="cl"><span class="c1"># Dragonfly reachable</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">kubectl run bgp-test --rm -it --restart<span class="o">=</span>Never --image<span class="o">=</span>busybox:1.36 -- <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> sh -c <span class="s2">&#34;nc -zv 10.99.8.211 5432 &amp;&amp; echo &#39;Postgres reachable&#39;&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Output:</span> </span></span><span class="line"><span class="cl"><span class="c1"># 10.99.8.211 (10.99.8.211:5432) open</span> </span></span><span class="line"><span class="cl"><span class="c1"># Postgres reachable</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="verification-summary">Verification Summary </h3><table> <thead> <tr> <th>Check</th> <th>Status</th> <th>Details</th> </tr> </thead> <tbody> <tr> <td>BGP CRDs deployed</td> <td>✅</td> <td>All 4 CRDs present</td> </tr> <tr> <td>IP Pool</td> <td>✅</td> <td><code>10.99.8.0/24</code> with 243 IPs available</td> </tr> <tr> <td>BGP session (stanton-01)</td> <td>✅</td> <td>Established, 12 routes advertised</td> </tr> <tr> <td>BGP session (stanton-02)</td> <td>✅</td> <td>Established, 12 routes advertised</td> </tr> <tr> <td>BGP session (stanton-03)</td> <td>✅</td> <td>Established, 12 routes advertised</td> </tr> <tr> <td>Routes in UDM</td> <td>✅</td> <td>11 <code>/32</code> routes with <code>proto bgp</code></td> </tr> <tr> <td>ECMP enabled</td> <td>✅</td> <td>3 nexthops per route</td> </tr> <tr> <td>L2 policies removed</td> <td>✅</td> <td>No <code>CiliumL2AnnouncementPolicy</code> found</td> </tr> <tr> <td>Service connectivity</td> <td>✅</td> <td>All LoadBalancer IPs reachable</td> </tr> </tbody> </table> <h2 id="the-numbers">The Numbers </h2><table> <thead> <tr> <th>Metric</th> <th>Before (L2)</th> <th>After (BGP)</th> </tr> </thead> <tbody> <tr> <td>IP range</td> <td><code>10.90.3.200-210</code> (shared subnet)</td> <td><code>10.99.8.0/24</code> (dedicated VLAN)</td> </tr> <tr> <td>Advertisement method</td> <td>ARP</td> <td>BGP route announcements</td> </tr> <tr> <td>Routing resilience</td> <td>Single ARP responder</td> <td>Multiple BGP paths possible</td> </tr> <tr> <td>Configuration files</td> <td>Scattered hardcoded IPs</td> <td>Centralized in cluster-settings</td> </tr> <tr> <td>Subnet flexibility</td> <td>Must be on node L2 segment</td> <td>Any routable subnet</td> </tr> </tbody> </table> <h2 id="lessons-learned">Lessons Learned </h2><ol> <li> <p><strong>BGP is simpler than it looks</strong> — The four Cilium CRDs are straightforward once you understand the model: pool defines IPs, advertisement defines what to announce, peer config defines how, cluster config ties it together.</p> </li> <li> <p><strong>Centralize your IPs</strong> — Having all LoadBalancer IPs in one ConfigMap makes changes easy and prevents the drift that comes from editing 15 different HelmReleases.</p> </li> <li> <p><strong>Restart pods after network changes</strong> — Pods cache DNS and connection state. After changing IPs or network paths, restart affected workloads to pick up fresh state.</p> </li> <li> <p><strong>Dedicated subnets are worth it</strong> — Moving LoadBalancer IPs to their own VLAN provides clean separation and makes firewall rules simpler.</p> </li> <li> <p><strong>BGP health checks are noisy</strong> — If you see mysterious connection attempts to your LoadBalancer services, it&rsquo;s probably Cilium verifying reachability. Check your BGP config before debugging application issues.</p> </li> </ol> <h2 id="the-gotcha-flux-substitutefrom">The Gotcha: Flux substituteFrom </h2><p>One issue that bit me: the envoy-gateway Gateways showed <code>null</code> for their addresses. The problem was that the <code>envoy-gateway-config</code> Kustomization was missing <code>postBuild.substituteFrom</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># kubernetes/apps/network/envoy-gateway/ks.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kustomize.toolkit.fluxcd.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Kustomization</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">envoy-gateway-config</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">network</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># ... other config ...</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">postBuild</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">substituteFrom</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ConfigMap</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">cluster-settings</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Secret</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">cluster-secrets</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>Without this, Flux doesn&rsquo;t substitute variables like <code>${ENVOY_INTERNAL_LBIP}</code>, and they render as literal <code>null</code> in the output. The parent Kustomization patches handle this for most resources, but <code>envoy-gateway-config</code> needed it explicitly because it&rsquo;s a separate Kustomization with its own path.</p> <hr> <h2 id="references">References </h2><ul> <li><a class="link" href="https://docs.cilium.io/en/stable/network/bgp-control-plane/" target="_blank" rel="noopener" >Cilium BGP Control Plane</a> — Official documentation</li> <li><a class="link" href="https://docs.cilium.io/en/stable/network/bgp-control-plane/bgp-control-plane-v2/" target="_blank" rel="noopener" >CiliumBGPClusterConfig CRD</a> — New v2 BGP API</li> <li><a class="link" href="https://help.ui.com/hc/en-us/articles/360050737353-UniFi-Network-BGP" target="_blank" rel="noopener" >UniFi BGP Configuration</a> — Setting up BGP on UDM Pro</li> </ul> <hr> <h2 id="update-dsr-hairpin-limitation">Update: DSR Hairpin Limitation </h2><p>After this migration, I discovered that while BGP fixes L2-level hairpin routing (where traffic couldn&rsquo;t reach an IP &ldquo;owned&rdquo; by a different node via ARP), it doesn&rsquo;t solve all hairpin scenarios.</p> <p>Cilium&rsquo;s DSR (Direct Server Return) mode has a <strong>same-node hairpin limitation</strong>: when a pod tries to reach a LoadBalancer VIP and the backend for that VIP is on the <em>same node</em>, traffic fails. The packet goes out to the router, comes back, and gets dropped.</p> <p><strong>The symptom</strong>: Pods intermittently timing out when reaching internal services — but only when the pod and the service backend happen to be scheduled on the same node.</p> <p><strong>The solution</strong>: CoreDNS rewriting to return ClusterIP instead of LoadBalancer VIP for pod-to-service traffic.</p> <p>Read the full story: <a class="link" href="https://blog.nerdz.cloud/2025/cilium-dsr-hairpin-workaround/" >When BGP Doesn&rsquo;t Fix Hairpin: Cilium DSR and the Same-Node Problem</a></p> <hr> <p><em>This post documents the BGP migration I performed on my <a class="link" href="https://github.com/gavinmcfall/home-ops" target="_blank" rel="noopener" >home-ops</a> repository. The centralized LBIP pattern and BGP configuration were refined through several iterations with help from Claude Code.</em></p> https://blog.nerdz.cloud/2025/self-hosted-kubernetes-schemas/ Sat, 13 Dec 2025 00:00:00 +1300 https://blog.nerdz.cloud/2025/self-hosted-kubernetes-schemas/ <blockquote> <p>&ldquo;Your IDE&rsquo;s schema validation is only as reliable as the endpoint serving it.&rdquo;</p> </blockquote> <h2 id="the-problem-schema-sprawl">The Problem: Schema Sprawl </h2><p>When I audited the <code>yaml-language-server</code> schema references across my home-ops repository, I found chaos:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ grep -rh <span class="s2">&#34;yaml-language-server.*\$schema=&#34;</span> --include<span class="o">=</span><span class="s2">&#34;*.yaml&#34;</span> <span class="p">|</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> sed <span class="s1">&#39;s/.*\$schema=//&#39;</span> <span class="p">|</span> sort <span class="p">|</span> uniq -c <span class="p">|</span> sort -rn <span class="p">|</span> head -10 </span></span><span class="line"><span class="cl"> <span class="m">148</span> https://json.schemastore.org/kustomization </span></span><span class="line"><span class="cl"> <span class="m">79</span> https://kubernetes-schemas.pages.dev/... </span></span><span class="line"><span class="cl"> <span class="m">49</span> https://kubernetes-schemas.pages.dev/... </span></span><span class="line"><span class="cl"> <span class="m">21</span> https://lds-schemas.pages.dev/... </span></span><span class="line"><span class="cl"> <span class="m">7</span> https://kubernetes-schemas.ok8.sh/... </span></span><span class="line"><span class="cl"> <span class="m">5</span> https://kube-schemas.pages.dev/... </span></span><span class="line"><span class="cl"> <span class="m">2</span> https://cluster-schemas.pages.dev/... </span></span></code></pre></td></tr></table> </div> </div><p>678 YAML files with schemas, pulling from <strong>six different sources</strong>. All external. All outside my control.</p> <p>The problems:</p> <ol> <li><strong>Reliability</strong>: If any of these pages.dev sites go down, my IDE validation breaks</li> <li><strong>Consistency</strong>: Different sources have slightly different schema versions</li> <li><strong>Staleness</strong>: External schemas might not match my actual cluster CRDs</li> <li><strong>Version drift</strong>: After upgrading a CRD, schemas lag until someone updates them</li> </ol> <p>The solution: extract schemas directly from my cluster and host them myself.</p> <h2 id="the-architecture">The Architecture </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐ </span></span><span class="line"><span class="cl">│ Talos Cluster │────▶│ GitHub Actions │────▶│ Cloudflare │ </span></span><span class="line"><span class="cl">│ CRDs │ │ Runner (self- │ │ Pages │ </span></span><span class="line"><span class="cl">│ │ │ hosted) │ │ │ </span></span><span class="line"><span class="cl">└─────────────────┘ └─────────────────┘ └─────────────────┘ </span></span><span class="line"><span class="cl"> │ │ │ </span></span><span class="line"><span class="cl"> ▼ ▼ ▼ </span></span><span class="line"><span class="cl"> kubectl get crds crd-extractor.sh kubernetes-schemas </span></span><span class="line"><span class="cl"> (from cluster) (JSON conversion) .nerdz.cloud </span></span></code></pre></td></tr></table> </div> </div><p>The workflow:</p> <ol> <li>Self-hosted runner has <code>kubectl</code> access to the cluster</li> <li>Daily cron job extracts all CRDs and converts to JSON Schema</li> <li>Schemas deploy to Cloudflare Pages at <code>kubernetes-schemas.nerdz.cloud</code></li> <li>All YAML files reference the self-hosted endpoint</li> </ol> <h2 id="step-1-github-app-for-actions-runner-controller">Step 1: GitHub App for Actions Runner Controller </h2><p>The self-hosted runner needs to authenticate to GitHub. Following the <a class="link" href="https://github.com/onedr0p/home-ops" target="_blank" rel="noopener" >onedr0p pattern</a>, I created a GitHub App rather than using a PAT.</p> <h3 id="creating-the-app">Creating the App </h3><ol> <li> <p>Go to <strong>GitHub Settings</strong> → <strong>Developer settings</strong> → <strong>GitHub Apps</strong> → <strong>New GitHub App</strong></p> </li> <li> <p>Configure:</p> <ul> <li><strong>Name</strong>: <code>Nerdz-Action Runner</code></li> <li><strong>Homepage URL</strong>: Your repo URL</li> <li><strong>Webhook</strong>: Disable (unchecked)</li> <li><strong>Permissions</strong>: <ul> <li>Repository: Administration (Read and write), Metadata (Read-only)</li> </ul> </li> <li><strong>Where can this app be installed?</strong>: Only on this account</li> </ul> </li> <li> <p>After creation, note the <strong>App ID</strong></p> </li> <li> <p>Generate a <strong>Private Key</strong> (downloads a .pem file)</p> </li> <li> <p>Install the app on your repository and note the <strong>Installation ID</strong> (from the URL)</p> </li> </ol> <h3 id="storing-credentials-in-1password">Storing Credentials in 1Password </h3><p>The private key is multi-line PEM, which 1Password doesn&rsquo;t handle well in text fields. The workaround: base64 encode it.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-powershell" data-lang="powershell"><span class="line"><span class="cl"><span class="c"># Windows PowerShell</span> </span></span><span class="line"><span class="cl"><span class="p">[</span><span class="no">Convert</span><span class="p">]::</span><span class="n">ToBase64String</span><span class="p">([</span><span class="no">IO.File</span><span class="p">]::</span><span class="n">ReadAllBytes</span><span class="p">(</span><span class="s2">&#34;path\to\private-key.pem&#34;</span><span class="p">))</span> </span></span></code></pre></td></tr></table> </div> </div><p>Store in 1Password under a <code>github-bots</code> item:</p> <ul> <li><code>ACTIONS_RUNNER_APP_ID</code>: The App ID</li> <li><code>ACTIONS_RUNNER_INSTALLATION_ID</code>: The Installation ID</li> <li><code>ACTIONS_RUNNER_PRIVATE_KEY</code>: Base64-encoded private key</li> </ul> <h2 id="step-2-deploy-actions-runner-controller">Step 2: Deploy Actions Runner Controller </h2><p>The controller manages ephemeral runner pods that scale based on workflow demand.</p> <h3 id="the-controller-helmrelease">The Controller HelmRelease </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># kubernetes/apps/actions-runner-system/actions-runner-controller/app/helmrelease.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nn">---</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">helm.toolkit.fluxcd.io/v2</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">HelmRelease</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">actions-runner-controller</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">chartRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">OCIRepository</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">gha-runner-scale-set-controller</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">interval</span><span class="p">:</span><span class="w"> </span><span class="l">1h</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">values</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">replicaCount</span><span class="p">:</span><span class="w"> </span><span class="m">1</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h3 id="the-runner-scale-set">The Runner Scale Set </h3><p>Each repository gets its own runner scale set. The key insight: the runner needs <code>kubectl</code> access to extract CRDs, so it gets a ServiceAccount with <code>cluster-admin</code>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># kubernetes/apps/actions-runner-system/actions-runner-controller/runners/home-ops/helmrelease.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nn">---</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">helm.toolkit.fluxcd.io/v2</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">HelmRelease</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="cp">&amp;name</span><span class="w"> </span><span class="l">home-ops-runner</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">chartRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">OCIRepository</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">gha-runner-scale-set</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">values</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">githubConfigUrl</span><span class="p">:</span><span class="w"> </span><span class="l">https://github.com/gavinmcfall/home-ops</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">githubConfigSecret</span><span class="p">:</span><span class="w"> </span><span class="l">home-ops-runner-secret</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">minRunners</span><span class="p">:</span><span class="w"> </span><span class="m">1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">maxRunners</span><span class="p">:</span><span class="w"> </span><span class="m">3</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">containerMode</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l">kubernetes</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kubernetesModeWorkVolumeClaim</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">accessModes</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="l">ReadWriteOnce]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">storageClassName</span><span class="p">:</span><span class="w"> </span><span class="l">openebs-hostpath</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">requests</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">storage</span><span class="p">:</span><span class="w"> </span><span class="l">25Gi</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">controllerServiceAccount</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">actions-runner-controller</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">actions-runner-system</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">template</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">runner</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">ghcr.io/home-operations/actions-runner:2.330.0</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">command</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="l">/home/runner/run.sh]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">env</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">ACTIONS_RUNNER_REQUIRE_JOB_CONTAINER</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;false&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">serviceAccountName</span><span class="p">:</span><span class="w"> </span><span class="cp">*name</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h3 id="externalsecret-with-base64-decode">ExternalSecret with Base64 Decode </h3><p>The private key needs decoding from base64:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># kubernetes/apps/actions-runner-system/actions-runner-controller/runners/home-ops/externalsecret.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nn">---</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">external-secrets.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ExternalSecret</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">home-ops-runner</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">secretStoreRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterSecretStore</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">onepassword-connect</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">target</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">home-ops-runner-secret</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">template</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">data</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">github_app_id</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ .ACTIONS_RUNNER_APP_ID }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">github_app_installation_id</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ .ACTIONS_RUNNER_INSTALLATION_ID }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">github_app_private_key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ .ACTIONS_RUNNER_PRIVATE_KEY | b64dec }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">dataFrom</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">extract</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">github-bots</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>The <code>| b64dec</code> template function handles the base64 decoding.</p> <h3 id="rbac-for-kubectl-access">RBAC for kubectl Access </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># kubernetes/apps/actions-runner-system/actions-runner-controller/runners/home-ops/rbac.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nn">---</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ServiceAccount</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">home-ops-runner</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nn">---</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">rbac.authorization.k8s.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterRoleBinding</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">home-ops-runner</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">roleRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">apiGroup</span><span class="p">:</span><span class="w"> </span><span class="l">rbac.authorization.k8s.io</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterRole</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">cluster-admin</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">subjects</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ServiceAccount</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">home-ops-runner</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">actions-runner-system</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h2 id="step-3-the-schemas-workflow">Step 3: The Schemas Workflow </h2><p>The workflow runs daily, extracts CRDs, and deploys to Cloudflare Pages.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># .github/workflows/schemas.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nn">---</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Schemas</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">on</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">workflow_dispatch</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">schedule</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">cron</span><span class="p">:</span><span class="w"> </span><span class="m">0</span><span class="w"> </span><span class="m">0</span><span class="w"> </span>*<span class="w"> </span>*<span class="w"> </span>*<span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">push</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">branches</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="l">main]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">paths</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">.github/workflows/schemas.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">.github/schemas-index.html</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">jobs</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">main</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Schemas</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">runs-on</span><span class="p">:</span><span class="w"> </span><span class="l">home-ops-runner</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">steps</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Checkout</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">actions/checkout@v6</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Install kubectl</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">azure/setup-kubectl@v4</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Setup Python</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">actions/setup-python@v6</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">with</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">python-version</span><span class="p">:</span><span class="w"> </span><span class="m">3.14</span><span class="l">.x</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Install Python Dependencies</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">run</span><span class="p">:</span><span class="w"> </span><span class="l">pip install pyyaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Run crd-extractor</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">run</span><span class="p">:</span><span class="w"> </span><span class="p">|</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> curl -fsSL https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/Utilities/crd-extractor.sh | bash</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Generate index.html</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">run</span><span class="p">:</span><span class="w"> </span><span class="p">|</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> cd /home/runner/.datree/crdSchemas </span></span></span><span class="line"><span class="cl"><span class="sd"> # ... generate browsable index ...</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Publish Schemas</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">cloudflare/wrangler-action@v3</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">with</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">apiToken</span><span class="p">:</span><span class="w"> </span><span class="l">${{ secrets.CLOUDFLARE_API_TOKEN }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">accountId</span><span class="p">:</span><span class="w"> </span><span class="l">${{ secrets.CLOUDFLARE_ACCOUNT_ID }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">workingDirectory</span><span class="p">:</span><span class="w"> </span><span class="l">/home/runner/.datree/crdSchemas</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">command</span><span class="p">:</span><span class="w"> </span><span class="l">pages deploy --project-name=kubernetes-schemas --branch main .</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>The <a class="link" href="https://github.com/datreeio/CRDs-catalog" target="_blank" rel="noopener" >datreeio/CRDs-catalog</a> crd-extractor script handles the heavy lifting:</p> <ol> <li>Runs <code>kubectl get crds -o yaml</code></li> <li>Converts OpenAPI v3 schemas to JSON Schema format</li> <li>Organizes by API group (<code>helm.toolkit.fluxcd.io/</code>, <code>external-secrets.io/</code>, etc.)</li> </ol> <h2 id="step-4-cloudflare-pages-setup">Step 4: Cloudflare Pages Setup </h2><p>Cloudflare Pages is deprecated in favor of Workers, but still works for static hosting.</p> <ol> <li>Create a Pages project named <code>kubernetes-schemas</code></li> <li>Add custom domain <code>kubernetes-schemas.nerdz.cloud</code></li> <li>Add GitHub secrets: <ul> <li><code>CLOUDFLARE_API_TOKEN</code> (with Pages:Edit permission)</li> <li><code>CLOUDFLARE_ACCOUNT_ID</code></li> </ul> </li> </ol> <p>The first workflow run populates the site. After that, it updates daily.</p> <h3 id="the-index-page">The Index Page </h3><p>I added a styled index.html that makes the schemas browsable:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-gdscript3" data-lang="gdscript3"><span class="line"><span class="cl"><span class="n">kubernetes</span><span class="o">-</span><span class="n">schemas</span><span class="o">.</span><span class="n">nerdz</span><span class="o">.</span><span class="n">cloud</span><span class="o">/</span> </span></span><span class="line"><span class="cl"><span class="err">├──</span> <span class="n">index</span><span class="o">.</span><span class="n">html</span> <span class="c1"># Searchable UI</span> </span></span><span class="line"><span class="cl"><span class="err">├──</span> <span class="n">helm</span><span class="o">.</span><span class="n">toolkit</span><span class="o">.</span><span class="n">fluxcd</span><span class="o">.</span><span class="n">io</span><span class="o">/</span> </span></span><span class="line"><span class="cl"><span class="err">│</span> <span class="err">├──</span> <span class="n">helmrelease_v2</span><span class="o">.</span><span class="n">json</span> </span></span><span class="line"><span class="cl"><span class="err">│</span> <span class="err">└──</span> <span class="n">helmrelease_v2beta2</span><span class="o">.</span><span class="n">json</span> </span></span><span class="line"><span class="cl"><span class="err">├──</span> <span class="n">external</span><span class="o">-</span><span class="n">secrets</span><span class="o">.</span><span class="n">io</span><span class="o">/</span> </span></span><span class="line"><span class="cl"><span class="err">│</span> <span class="err">├──</span> <span class="n">externalsecret_v1</span><span class="o">.</span><span class="n">json</span> </span></span><span class="line"><span class="cl"><span class="err">│</span> <span class="err">└──</span> <span class="n">clustersecretstore_v1</span><span class="o">.</span><span class="n">json</span> </span></span><span class="line"><span class="cl"><span class="err">└──</span> <span class="o">...</span> <span class="mi">34</span> <span class="n">API</span> <span class="n">groups</span> <span class="n">total</span> </span></span></code></pre></td></tr></table> </div> </div><p>The UI shows stats (API groups, schema count, last update) and lets you search/filter.</p> <h2 id="step-5-migrate-all-yaml-files">Step 5: Migrate All YAML Files </h2><p>With schemas hosted, I migrated 357 files:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Replace all external schema sources</span> </span></span><span class="line"><span class="cl">find kubernetes/ -name <span class="s2">&#34;*.yaml&#34;</span> -exec sed -i <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> <span class="s1">&#39;s|https://kubernetes-schemas.pages.dev/|https://kubernetes-schemas.nerdz.cloud/|g&#39;</span> <span class="o">{}</span> + </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">find kubernetes/ -name <span class="s2">&#34;*.yaml&#34;</span> -exec sed -i <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> <span class="s1">&#39;s|https://lds-schemas.pages.dev/|https://kubernetes-schemas.nerdz.cloud/|g&#39;</span> <span class="o">{}</span> + </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># ... repeat for ok8.sh, kube-schemas.pages.dev, cluster-schemas.pages.dev</span> </span></span></code></pre></td></tr></table> </div> </div><p>I also added schemas to ~75 files that were missing them entirely.</p> <h3 id="schema-version-mismatches">Schema Version Mismatches </h3><p>After migration, my IDE showed warnings on many files. The cause: schema URLs didn&rsquo;t match apiVersions.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># Wrong - schema says v1beta1 but apiVersion is v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># yaml-language-server: $schema=https://kubernetes-schemas.nerdz.cloud/external-secrets.io/externalsecret_v1beta1.json</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">external-secrets.io/v1</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>Fixed 60 files with version mismatches:</p> <ul> <li><code>externalsecret_v1beta1</code> → <code>externalsecret_v1</code> (51 files)</li> <li><code>clustersecretstore_v1beta1</code> → <code>clustersecretstore_v1</code> (1 file)</li> <li><code>helmrepository_v1beta2</code> → <code>helmrepository_v1</code> (8 files)</li> </ul> <h2 id="what-didnt-work-flux-variable-patterns">What Didn&rsquo;t Work: Flux Variable Patterns </h2><p>One schema validation error I couldn&rsquo;t fix cleanly:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">HTTPRoute unifi is invalid: at &#39;/spec/hostnames/0&#39;: </span></span><span class="line"><span class="cl">&#39;unifi.${SECRET_DOMAIN}&#39; does not match pattern &#39;^(\*\.)?[a-z0-9]...&#39; </span></span></code></pre></td></tr></table> </div> </div><p>The Flux variable <code>${SECRET_DOMAIN}</code> gets substituted at reconciliation time, but the schema validator sees the literal string and fails the hostname pattern.</p> <p>Options considered:</p> <ol> <li><strong>Patch schemas to allow Flux patterns</strong> - Over-permissive, masks real errors</li> <li><strong>Accept the warnings</strong> - Harmless, Flux still works</li> <li><strong>Remove schemas from files with variables</strong> - Loses validation</li> </ol> <p>I went with option 2. The warnings are cosmetic—kubeconform passes, Flux reconciles correctly, and the IDE just shows a squiggle on variable-heavy files.</p> <h2 id="the-end-result">The End Result </h2><p>Before:</p> <ul> <li>6 different external schema sources</li> <li>No control over availability or freshness</li> <li>Schema versions lagging behind CRD upgrades</li> </ul> <p>After:</p> <ul> <li>Single self-hosted endpoint: <code>kubernetes-schemas.nerdz.cloud</code></li> <li>Schemas extracted daily from actual cluster CRDs</li> <li>Browsable index with search</li> <li>Full control over the infrastructure</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ curl -sI https://kubernetes-schemas.nerdz.cloud/helm.toolkit.fluxcd.io/helmrelease_v2.json </span></span><span class="line"><span class="cl">HTTP/2 <span class="m">200</span> </span></span><span class="line"><span class="cl">content-type: application/json </span></span></code></pre></td></tr></table> </div> </div><p>The schemas update automatically when I upgrade CRDs. No more waiting for upstream schema repos to catch up.</p> <h2 id="costs">Costs </h2><ul> <li><strong>Cloudflare Pages</strong>: Free tier</li> <li><strong>GitHub Actions</strong>: Free for public repos (self-hosted runner avoids minute limits anyway)</li> <li><strong>Complexity</strong>: One more thing to maintain, but it&rsquo;s fully GitOps-managed</li> </ul> <h2 id="summary">Summary </h2><table> <thead> <tr> <th>Component</th> <th>Purpose</th> </tr> </thead> <tbody> <tr> <td>GitHub App</td> <td>Authentication for self-hosted runner</td> </tr> <tr> <td>Actions Runner Controller</td> <td>Manages ephemeral runner pods</td> </tr> <tr> <td>home-ops-runner</td> <td>Runner scale set with kubectl access</td> </tr> <tr> <td>crd-extractor.sh</td> <td>Converts CRDs to JSON Schema</td> </tr> <tr> <td>Cloudflare Pages</td> <td>Hosts schemas at custom domain</td> </tr> <tr> <td>schemas-index.html</td> <td>Browsable UI for schema discovery</td> </tr> </tbody> </table> <p>The self-hosted runner pattern enables more than just schemas—any workflow that needs cluster access (integration tests, deployments, monitoring) can now run on infrastructure I control.</p> <hr> <p><em>This post documents work on my <a class="link" href="https://github.com/gavinmcfall/home-ops" target="_blank" rel="noopener" >home-ops</a> repository. The runner pattern is adapted from <a class="link" href="https://github.com/onedr0p/home-ops" target="_blank" rel="noopener" >onedr0p&rsquo;s home-ops</a> and the broader Kubernetes@Home community.</em></p> https://blog.nerdz.cloud/2025/etcd-defragmentation/ Thu, 11 Dec 2025 00:00:00 +1300 https://blog.nerdz.cloud/2025/etcd-defragmentation/ <blockquote> <p>&ldquo;Your 100MB of data living in a 250MB file is not a feature.&rdquo;</p> </blockquote> <h2 id="the-alert">The Alert </h2><p>Got this from AlertManager:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">etcd cluster &#34;kube-etcd&#34;: database size in use on instance 10.90.3.101:2381 is 46.35% of the actual allocated disk space, please run defragmentation (e.g. etcdctl defrag) to retrieve the unused fragmented disk space. </span></span></code></pre></td></tr></table> </div> </div><p>Time to learn what etcd fragmentation actually means.</p> <h2 id="why-does-etcd-fragment">Why Does etcd Fragment? </h2><p>etcd stores all Kubernetes state—every pod, deployment, secret, and configmap lives here. Under the hood, it uses a B+ tree data structure backed by an <strong>append-only write-ahead log</strong> (WAL).</p> <p>Here&rsquo;s the key insight: when you delete or update a key in etcd, the old data isn&rsquo;t removed from disk. It&rsquo;s just marked as free space. The database file grows but never shrinks on its own.</p> <p>Three things constantly churn etcd in a Kubernetes cluster:</p> <ol> <li><strong>Pod scheduling</strong>: Every pod creation, update, and deletion writes to etcd</li> <li><strong>Controller loops</strong>: Controllers constantly reconciling state means constant writes</li> <li><strong>Lease renewals</strong>: Kubelet heartbeats, leader elections, and endpoint updates</li> </ol> <p>The Kubernetes API server runs automatic <strong>compaction</strong>, which removes old revisions of keys (you don&rsquo;t need 1000 historical versions of a ConfigMap). But compaction just marks space as reusable—it doesn&rsquo;t actually free it.</p> <p>Over time, your database file becomes Swiss cheese: actual data scattered among holes of freed space. This is fragmentation.</p> <h2 id="checking-the-damage">Checking the Damage </h2><p>In Talos, checking etcd status is straightforward:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ talosctl -n 10.90.3.101,10.90.3.102,10.90.3.103 etcd status </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">NODE MEMBER DB SIZE IN USE LEADER </span></span><span class="line"><span class="cl">10.90.3.101 4b0c33136dd72672 <span class="m">259</span> MB <span class="m">119</span> MB <span class="o">(</span>45.93%<span class="o">)</span> f0f9525a77920d83 </span></span><span class="line"><span class="cl">10.90.3.102 f0f9525a77920d83 <span class="m">262</span> MB <span class="m">119</span> MB <span class="o">(</span>45.28%<span class="o">)</span> f0f9525a77920d83 </span></span><span class="line"><span class="cl">10.90.3.103 cd15b67489885c40 <span class="m">267</span> MB <span class="m">119</span> MB <span class="o">(</span>44.49%<span class="o">)</span> f0f9525a77920d83 </span></span></code></pre></td></tr></table> </div> </div><p>All three control plane nodes were using less than 50% of their allocated space. The rest? Fragmented free space doing nothing but wasting disk I/O.</p> <h2 id="the-fix">The Fix </h2><p>Defragmentation rewrites the database file compactly, eliminating the holes. In Talos, it&rsquo;s a single command.</p> <h3 id="step-1-snapshot-first">Step 1: Snapshot First </h3><p>Paranoia is healthy when touching cluster state:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">talosctl -n 10.90.3.101 etcd snapshot /tmp/etcd-backup-<span class="k">$(</span>date +%Y%m%d<span class="k">)</span>.snapshot </span></span></code></pre></td></tr></table> </div> </div><p>This creates a consistent backup you can restore from if something goes wrong.</p> <h3 id="step-2-defrag-each-node-sequentially">Step 2: Defrag Each Node Sequentially </h3><p>Defrag briefly blocks reads and writes on that node, so you want to do one at a time. Best practice: <strong>non-leader nodes first, leader last</strong>.</p> <p>To find the leader, look at the <code>LEADER</code> column in the status output. It shows the member ID of the current leader (<code>f0f9525a77920d83</code>). Then match that to the <code>MEMBER</code> column to find which node it is:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ talosctl -n 10.90.3.101,10.90.3.102,10.90.3.103 etcd status </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">NODE MEMBER DB SIZE IN USE LEADER </span></span><span class="line"><span class="cl">10.90.3.101 4b0c33136dd72672 <span class="m">259</span> MB <span class="m">119</span> MB <span class="o">(</span>45.93%<span class="o">)</span> f0f9525a77920d83 </span></span><span class="line"><span class="cl">10.90.3.102 f0f9525a77920d83 <span class="m">262</span> MB <span class="m">119</span> MB <span class="o">(</span>45.28%<span class="o">)</span> f0f9525a77920d83 &lt;-- MEMBER matches LEADER </span></span><span class="line"><span class="cl">10.90.3.103 cd15b67489885c40 <span class="m">267</span> MB <span class="m">119</span> MB <span class="o">(</span>44.49%<span class="o">)</span> f0f9525a77920d83 </span></span></code></pre></td></tr></table> </div> </div><p>Node <code>10.90.3.102</code> has member ID <code>f0f9525a77920d83</code>, which matches the leader ID. So that&rsquo;s our leader.</p> <p>Now defrag:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Non-leaders first</span> </span></span><span class="line"><span class="cl">talosctl -n 10.90.3.101 etcd defrag </span></span><span class="line"><span class="cl">talosctl -n 10.90.3.103 etcd defrag </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Leader last</span> </span></span><span class="line"><span class="cl">talosctl -n 10.90.3.102 etcd defrag </span></span></code></pre></td></tr></table> </div> </div><p>Each defrag takes just a few seconds for a database this size.</p> <h3 id="step-3-verify">Step 3: Verify </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ talosctl -n 10.90.3.101,10.90.3.102,10.90.3.103 etcd status </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">NODE DB SIZE IN USE LEADER </span></span><span class="line"><span class="cl">10.90.3.101 <span class="m">104</span> MB <span class="m">104</span> MB <span class="o">(</span>100.00%<span class="o">)</span> f0f9525a77920d83 </span></span><span class="line"><span class="cl">10.90.3.102 <span class="m">104</span> MB <span class="m">104</span> MB <span class="o">(</span>100.00%<span class="o">)</span> f0f9525a77920d83 </span></span><span class="line"><span class="cl">10.90.3.103 <span class="m">104</span> MB <span class="m">104</span> MB <span class="o">(</span>100.00%<span class="o">)</span> f0f9525a77920d83 </span></span></code></pre></td></tr></table> </div> </div><p>~160MB reclaimed per node. 100% utilization means zero fragmentation.</p> <h2 id="when-to-defrag">When to Defrag </h2><p>The general guidance:</p> <ul> <li><strong>Below 50% utilization</strong>: Defrag recommended</li> <li><strong>NOSPACE errors</strong>: Defrag required (etcd will refuse writes when it hits its quota)</li> </ul> <p>For homelabs, waiting for the Prometheus alert is fine. Production clusters might schedule it monthly or watch the metric more closely.</p> <h2 id="what-if-you-hit-nospace">What If You Hit NOSPACE? </h2><p>If etcd hits its space quota before you defrag, it enters a read-only mode to protect data integrity. You&rsquo;ll need to:</p> <ol> <li>Defrag to free space</li> <li>Clear the alarm: <code>talosctl etcd alarm disarm</code></li> </ol> <p>If you&rsquo;re consistently hitting the quota, you can increase it in your Talos machine config:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">cluster</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">etcd</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">extraArgs</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">quota-backend-bytes</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;4294967296&#34;</span><span class="w"> </span><span class="c"># 4 GiB</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h2 id="references">References </h2><ul> <li><a class="link" href="https://www.talos.dev/v1.11/advanced/etcd-maintenance/" target="_blank" rel="noopener" >Talos etcd Maintenance</a></li> <li><a class="link" href="https://etcd.io/docs/v3.5/op-guide/maintenance/" target="_blank" rel="noopener" >etcd Maintenance Documentation</a></li> </ul> https://blog.nerdz.cloud/2025/volsync-kopia-migration/ Sat, 06 Dec 2025 00:00:00 +1300 https://blog.nerdz.cloud/2025/volsync-kopia-migration/ <blockquote> <p>&ldquo;The best backup strategy is the one you can actually verify and restore from.&rdquo;</p> </blockquote> <h2 id="why-move-from-restic-to-kopia">Why Move from Restic to Kopia? </h2><p>My original Volsync setup used Restic to back up PVCs directly to Backblaze B2. It worked, but had some pain points:</p> <ol> <li><strong>No visibility</strong>: Restic repositories are opaque. You can&rsquo;t browse them without CLI tools.</li> <li><strong>Slow restores</strong>: Every restore required downloading from S3, which is slow and costs egress fees.</li> <li><strong>No deduplication across apps</strong>: Each app had its own Restic repository with no shared deduplication.</li> </ol> <p>Kopia solves all of these:</p> <ul> <li><strong>Web UI</strong>: Kopia has a built-in web interface to browse snapshots, verify integrity, and trigger restores.</li> <li><strong>Local NFS repository</strong>: Backups go to NFS first (fast restores), then sync to cloud storage.</li> <li><strong>Global deduplication</strong>: A single Kopia repository deduplicates across all PVCs.</li> </ul> <p>The pattern I&rsquo;m following comes from the <a class="link" href="https://github.com/home-operations" target="_blank" rel="noopener" >home-operations</a> community—specifically Devin (onedr0p), Jory (joryirving), and Kashall&rsquo;s homelab repos.</p> <h2 id="architecture-overview">Architecture Overview </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐ </span></span><span class="line"><span class="cl">│ App PVC │────▶│ Volsync │────▶│ Kopia Server │ </span></span><span class="line"><span class="cl">│ (source) │ │ ReplicationSrc │ │ (NFS backend) │ </span></span><span class="line"><span class="cl">└─────────────────┘ └─────────────────┘ └─────────────────┘ </span></span><span class="line"><span class="cl"> │ </span></span><span class="line"><span class="cl"> ▼ </span></span><span class="line"><span class="cl"> ┌─────────────────┐ </span></span><span class="line"><span class="cl"> │ NFS Share │ </span></span><span class="line"><span class="cl"> │ citadel:/mnt/ │ </span></span><span class="line"><span class="cl"> │ VolsyncKopia │ </span></span><span class="line"><span class="cl"> └─────────────────┘ </span></span></code></pre></td></tr></table> </div> </div><p>The key insight: Volsync mover pods need access to the NFS share where Kopia stores its repository. Instead of configuring NFS mounts in every ReplicationSource, we use <strong>MutatingAdmissionPolicy</strong> to automatically inject the NFS volume into any pod with specific labels.</p> <h2 id="prerequisites">Prerequisites </h2><p>Before starting, I needed:</p> <ol> <li><strong>NFS share</strong> on my NAS (citadel.internal) at <code>/mnt/storage0/backups/VolsyncKopia</code></li> <li><strong>1Password item</strong> named <code>kopia</code> with a <code>KOPIA_PASSWORD</code> field</li> <li><strong>Kubernetes 1.33+</strong> for MutatingAdmissionPolicy support</li> </ol> <h2 id="step-1-enable-mutatingadmissionpolicy-feature-gate">Step 1: Enable MutatingAdmissionPolicy Feature Gate </h2><p>MutatingAdmissionPolicy is an alpha feature in Kubernetes 1.33. To enable it on Talos, I added a controller patch:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># kubernetes/bootstrap/talos/patches/controller/feature-gates.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">cluster</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">apiServer</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">extraArgs</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">feature-gates</span><span class="p">:</span><span class="w"> </span><span class="l">ImageVolume=true,MutatingAdmissionPolicy=true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">runtime-config</span><span class="p">:</span><span class="w"> </span><span class="l">admissionregistration.k8s.io/v1alpha1=true</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h3 id="the-v1beta1-vs-v1alpha1-gotcha">The v1beta1 vs v1alpha1 Gotcha </h3><p>My first attempt used <code>v1beta1</code> because that&rsquo;s what the documentation suggested. Wrong. Kubernetes 1.33 only supports <strong>v1alpha1</strong>—v1beta1 arrives in Kubernetes 1.34.</p> <p>After applying the feature gate and seeing the API still wasn&rsquo;t available, I had to:</p> <ol> <li>Change <code>runtime-config</code> from <code>v1beta1</code> to <code>v1alpha1</code></li> <li>Update all MutatingAdmissionPolicy manifests from <code>v1beta1</code> to <code>v1alpha1</code></li> <li>Reapply the Talos config to all three nodes</li> </ol> <p><strong>Lesson learned</strong>: Always verify API versions before implementing:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl api-resources --api-group<span class="o">=</span>admissionregistration.k8s.io </span></span><span class="line"><span class="cl">kubectl api-versions <span class="p">|</span> grep admission </span></span></code></pre></td></tr></table> </div> </div><h3 id="rolling-out-talos-changes-safely">Rolling Out Talos Changes Safely </h3><p>I applied the changes one node at a time to minimize risk:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Dry-run first</span> </span></span><span class="line"><span class="cl">talosctl apply-config -n 10.90.3.101 <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -f clusterconfig/home-kubernetes-stanton-01.yaml --dry-run </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Apply to first node, wait for Ready</span> </span></span><span class="line"><span class="cl">talosctl apply-config -n 10.90.3.101 <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -f clusterconfig/home-kubernetes-stanton-01.yaml </span></span><span class="line"><span class="cl">kubectl get nodes -w </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Repeat for remaining nodes</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="step-2-create-the-mutatingadmissionpolicy">Step 2: Create the MutatingAdmissionPolicy </h2><p>The policy automatically injects an NFS volume into Volsync mover pods:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># kubernetes/apps/storage/volsync/app/mutatingadmissionpolicy.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nn">---</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">admissionregistration.k8s.io/v1alpha1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">MutatingAdmissionPolicy</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">volsync-mover-nfs</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">failurePolicy</span><span class="p">:</span><span class="w"> </span><span class="l">Fail</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">matchConstraints</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">resourceRules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">apiGroups</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">apiVersions</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;v1&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;pods&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">operations</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;CREATE&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">matchConditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">is-volsync-mover</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;has(object.metadata.labels) &amp;&amp; &#39;volsync.backube/mover&#39; in object.metadata.labels&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">mutations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">patchType</span><span class="p">:</span><span class="w"> </span><span class="l">ApplyConfiguration</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">applyConfiguration</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">expression</span><span class="p">:</span><span class="w"> </span><span class="p">|</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> Object{ </span></span></span><span class="line"><span class="cl"><span class="sd"> spec: Object.spec{ </span></span></span><span class="line"><span class="cl"><span class="sd"> volumes: [ </span></span></span><span class="line"><span class="cl"><span class="sd"> Object{ </span></span></span><span class="line"><span class="cl"><span class="sd"> name: &#34;kopia-repository&#34;, </span></span></span><span class="line"><span class="cl"><span class="sd"> nfs: Object{ </span></span></span><span class="line"><span class="cl"><span class="sd"> server: &#34;citadel.internal&#34;, </span></span></span><span class="line"><span class="cl"><span class="sd"> path: &#34;/mnt/storage0/backups/VolsyncKopia&#34; </span></span></span><span class="line"><span class="cl"><span class="sd"> } </span></span></span><span class="line"><span class="cl"><span class="sd"> } </span></span></span><span class="line"><span class="cl"><span class="sd"> ], </span></span></span><span class="line"><span class="cl"><span class="sd"> containers: object.spec.containers.map(c, </span></span></span><span class="line"><span class="cl"><span class="sd"> Object{ </span></span></span><span class="line"><span class="cl"><span class="sd"> name: c.name, </span></span></span><span class="line"><span class="cl"><span class="sd"> volumeMounts: [ </span></span></span><span class="line"><span class="cl"><span class="sd"> Object{ </span></span></span><span class="line"><span class="cl"><span class="sd"> name: &#34;kopia-repository&#34;, </span></span></span><span class="line"><span class="cl"><span class="sd"> mountPath: &#34;/repository&#34; </span></span></span><span class="line"><span class="cl"><span class="sd"> } </span></span></span><span class="line"><span class="cl"><span class="sd"> ] </span></span></span><span class="line"><span class="cl"><span class="sd"> } </span></span></span><span class="line"><span class="cl"><span class="sd"> ) </span></span></span><span class="line"><span class="cl"><span class="sd"> } </span></span></span><span class="line"><span class="cl"><span class="sd"> }</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>This policy:</p> <ol> <li>Matches any pod with the label <code>volsync.backube/mover</code></li> <li>Injects an NFS volume pointing to the Kopia repository</li> <li>Mounts it at <code>/repository</code> in all containers</li> </ol> <p>I also added a jitter policy to prevent all backup jobs from running simultaneously.</p> <h2 id="step-3-deploy-the-kopia-server">Step 3: Deploy the Kopia Server </h2><p>The Kopia server provides a Web UI for browsing and managing backups:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># kubernetes/apps/storage/kopia/app/helmrelease.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nn">---</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">helm.toolkit.fluxcd.io/v2</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">HelmRelease</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">kopia</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">chartRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">OCIRepository</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">kopia</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">values</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">controllers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kopia</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">app</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">repository</span><span class="p">:</span><span class="w"> </span><span class="l">ghcr.io/home-operations/kopia</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">tag</span><span class="p">:</span><span class="w"> </span><span class="m">0.22.3</span>@<span class="l">sha256:eeebd12fd4b3a9c25b9f711fff32454f62e2d5e2d431ab6806ad21c52f414807</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">env</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">KOPIA_WEB_ENABLED</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">KOPIA_WEB_PORT</span><span class="p">:</span><span class="w"> </span><span class="cp">&amp;port</span><span class="w"> </span><span class="m">80</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">TZ</span><span class="p">:</span><span class="w"> </span><span class="l">${TIMEZONE}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">envFrom</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">secretRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">kopia-secret</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">command</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">/bin/sh</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- -<span class="l">c</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="p">|</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> export HOME=/tmp </span></span></span><span class="line"><span class="cl"><span class="sd"> export USER=kopia </span></span></span><span class="line"><span class="cl"><span class="sd"> # Initialize repository if it doesn&#39;t exist </span></span></span><span class="line"><span class="cl"><span class="sd"> if ! kopia repository connect filesystem --path=/repository 2&gt;/dev/null; then </span></span></span><span class="line"><span class="cl"><span class="sd"> echo &#34;Initializing new Kopia repository...&#34; </span></span></span><span class="line"><span class="cl"><span class="sd"> kopia repository create filesystem --path=/repository </span></span></span><span class="line"><span class="cl"><span class="sd"> fi </span></span></span><span class="line"><span class="cl"><span class="sd"> # Start the server (disable CSRF for reverse proxy compatibility) </span></span></span><span class="line"><span class="cl"><span class="sd"> exec kopia server start --address=0.0.0.0:80 --without-password --insecure --disable-csrf-token-checks</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">defaultPodOptions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">securityContext</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">runAsNonRoot</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">runAsUser</span><span class="p">:</span><span class="w"> </span><span class="m">568</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">runAsGroup</span><span class="p">:</span><span class="w"> </span><span class="m">568</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">fsGroup</span><span class="p">:</span><span class="w"> </span><span class="m">568</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">fsGroupChangePolicy</span><span class="p">:</span><span class="w"> </span><span class="l">OnRootMismatch</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">route</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">app</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">internal-dns.alpha.kubernetes.io/target</span><span class="p">:</span><span class="w"> </span><span class="l">internal.${SECRET_DOMAIN}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">hostnames</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;{{ .Release.Name }}.${SECRET_DOMAIN}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">parentRefs</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">internal</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">network</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">sectionName</span><span class="p">:</span><span class="w"> </span><span class="l">https</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">persistence</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">config-file</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l">configMap</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">identifier</span><span class="p">:</span><span class="w"> </span><span class="l">config</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">globalMounts</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="l">/config/repository.config</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">subPath</span><span class="p">:</span><span class="w"> </span><span class="l">repository.config</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">repository</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l">nfs</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">server</span><span class="p">:</span><span class="w"> </span><span class="l">citadel.internal</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="l">/mnt/storage0/backups/VolsyncKopia</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">globalMounts</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="l">/repository</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h3 id="mistakes-i-made">Mistakes I Made </h3><p><strong>1. Repository initialization</strong>: My first deployment crashed because the NFS path was empty—no Kopia repository existed. The startup script now auto-initializes if needed.</p> <p><strong>2. KOPIA_PASSWORD handling</strong>: I initially tried passing <code>--password</code> as a flag, which expects interactive input. The fix: rely on the <code>KOPIA_PASSWORD</code> environment variable being read automatically.</p> <p><strong>3. HOME and USER environment variables</strong>: The non-root container couldn&rsquo;t determine the current user. Adding <code>export HOME=/tmp</code> and <code>export USER=kopia</code> fixed the permission errors.</p> <p><strong>4. ConfigMap naming</strong>: app-template creates ConfigMaps using the release name (<code>kopia</code>), not a custom suffix. I had to change from <code>name: kopia-config</code> to <code>identifier: config</code> to reference the chart-defined ConfigMap correctly.</p> <p><strong>5. CSRF token errors behind reverse proxy</strong>: When accessing the Kopia Web UI through Gateway API, I got &ldquo;invalid CSRF token&rdquo; errors flooding the logs. The fix: add <code>--disable-csrf-token-checks</code> to the server start command. This is safe for internal services behind a reverse proxy.</p> <p><strong>6. Gateway naming conventions</strong>: My first attempt used <code>envoy-internal</code> as the gateway name. Wrong—the gateways are just named <code>internal</code> and <code>external</code> in the <code>network</code> namespace. Also forgot the <code>sectionName: https</code>.</p> <p><strong>7. Missing DNS annotation</strong>: Routes need <code>internal-dns.alpha.kubernetes.io/target: internal.${SECRET_DOMAIN}</code> for internal DNS to create records. Without this, the hostname doesn&rsquo;t resolve.</p> <p><strong>8. Hardcoded values</strong>: Used <code>Pacific/Auckland</code> instead of <code>${TIMEZONE}</code> and <code>kopia.${SECRET_DOMAIN}</code> instead of <code>&quot;{{ .Release.Name }}.${SECRET_DOMAIN}}&quot;</code>. These should use variables for consistency.</p> <p><strong>9. Wrong UID/GID</strong>: Initially used <code>1000</code> for the security context. The standard in my cluster is <code>568</code> for the <code>apps</code> user/group. This matters for NFS share permissions.</p> <h2 id="step-4-create-the-volsync-components">Step 4: Create the Volsync Components </h2><p>To avoid repeating the same configuration across every app, I created reusable Kustomize components. But I went further than just local NFS—I wanted a proper <strong>3-2-1 backup strategy</strong>:</p> <ul> <li><strong>3</strong> copies of data (local PVC + NFS + cloud)</li> <li><strong>2</strong> different storage types (Ceph block + NFS + S3)</li> <li><strong>1</strong> offsite copy (cloud)</li> </ul> <h3 id="the-multi-destination-architecture">The Multi-Destination Architecture </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">kubernetes/components/volsync/ </span></span><span class="line"><span class="cl">├── kustomization.yaml # Includes all 3 (most common) </span></span><span class="line"><span class="cl">├── nfs-truenas/ # Local NFS - hourly, with restore </span></span><span class="line"><span class="cl">│ ├── externalsecret.yaml </span></span><span class="line"><span class="cl">│ ├── kustomization.yaml </span></span><span class="line"><span class="cl">│ ├── pvc.yaml </span></span><span class="line"><span class="cl">│ ├── replicationdestination.yaml </span></span><span class="line"><span class="cl">│ └── replicationsource.yaml </span></span><span class="line"><span class="cl">├── s3-backblaze/ # Backblaze B2 - daily DR </span></span><span class="line"><span class="cl">│ ├── externalsecret.yaml </span></span><span class="line"><span class="cl">│ ├── kustomization.yaml </span></span><span class="line"><span class="cl">│ └── replicationsource.yaml </span></span><span class="line"><span class="cl">└── s3-cloudflare/ # Cloudflare R2 - daily DR </span></span><span class="line"><span class="cl"> ├── externalsecret.yaml </span></span><span class="line"><span class="cl"> ├── kustomization.yaml </span></span><span class="line"><span class="cl"> └── replicationsource.yaml </span></span></code></pre></td></tr></table> </div> </div><p><strong>Key insight</strong>: The cloud components (B2/R2) don&rsquo;t need PVC or ReplicationDestination. Restores happen from local NFS first (faster). Cloud backups are for disaster recovery only.</p> <h3 id="the-root-component">The Root Component </h3><p>The root <code>kustomization.yaml</code> includes all three destinations:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># kubernetes/components/volsync/kustomization.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nn">---</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kustomize.config.k8s.io/v1alpha1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Component</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">components</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./nfs-truenas</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./s3-backblaze</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./s3-cloudflare</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>This means most apps just need:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">components</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">../../../../components/volsync </span><span class="w"> </span><span class="c"># Gets all 3 destinations</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>If you only want specific destinations, reference them directly:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">components</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">../../../../components/volsync/nfs-truenas </span><span class="w"> </span><span class="c"># Just local NFS</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h3 id="the-nfs-component-primary">The NFS Component (Primary) </h3><p>The NFS component has the PVC and ReplicationDestination for restores:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># kubernetes/components/volsync/nfs-truenas/externalsecret.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nn">---</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">external-secrets.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ExternalSecret</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;${APP}-volsync&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">secretStoreRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterSecretStore</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">onepassword-connect</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">target</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;${APP}-volsync-secret&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">template</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">data</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">KOPIA_FS_PATH</span><span class="p">:</span><span class="w"> </span><span class="l">/repository</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">KOPIA_PASSWORD</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ .KOPIA_PASSWORD }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">KOPIA_REPOSITORY</span><span class="p">:</span><span class="w"> </span><span class="l">filesystem:///repository</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">dataFrom</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">extract</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">kopia</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>The ReplicationSource backs up hourly:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># kubernetes/components/volsync/nfs-truenas/replicationsource.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nn">---</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">volsync.backube/v1alpha1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ReplicationSource</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">${APP}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">sourcePVC</span><span class="p">:</span><span class="w"> </span><span class="l">${VOLSYNC_CLAIM:=${APP}}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">trigger</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">schedule</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;0 * * * *&#34;</span><span class="w"> </span><span class="c"># Hourly</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kopia</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">compression</span><span class="p">:</span><span class="w"> </span><span class="l">zstd-fastest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">copyMethod</span><span class="p">:</span><span class="w"> </span><span class="l">Snapshot</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">moverSecurityContext</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">runAsUser</span><span class="p">:</span><span class="w"> </span><span class="l">${VOLSYNC_UID:=568}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">runAsGroup</span><span class="p">:</span><span class="w"> </span><span class="l">${VOLSYNC_GID:=568}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">fsGroup</span><span class="p">:</span><span class="w"> </span><span class="l">${VOLSYNC_GID:=568}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">repository</span><span class="p">:</span><span class="w"> </span><span class="l">${APP}-volsync-secret</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">retain</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">hourly</span><span class="p">:</span><span class="w"> </span><span class="m">24</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">daily</span><span class="p">:</span><span class="w"> </span><span class="m">7</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h3 id="the-cloud-components-disaster-recovery">The Cloud Components (Disaster Recovery) </h3><p>The Backblaze B2 component uses Kopia&rsquo;s S3-compatible backend:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># kubernetes/components/volsync/s3-backblaze/externalsecret.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nn">---</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">external-secrets.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ExternalSecret</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;${APP}-volsync-b2&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">secretStoreRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterSecretStore</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">onepassword-connect</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">target</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;${APP}-volsync-b2-secret&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">template</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">data</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">KOPIA_PASSWORD</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ .KOPIA_PASSWORD }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">KOPIA_S3_BUCKET</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ .VOLSYNC_KOPIA_B2_BUCKET }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">KOPIA_S3_ENDPOINT</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;s3.us-east-005.backblazeb2.com&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">AWS_ACCESS_KEY_ID</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ .VOLSYNC_KOPIA_B2_ACCESS_KEY }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">AWS_SECRET_ACCESS_KEY</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ .VOLSYNC_KOPIA_B2_SECRET_ACCESS_KEY }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">KOPIA_REPOSITORY</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;s3://{{ .VOLSYNC_KOPIA_B2_BUCKET }}/${APP}/&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">dataFrom</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">extract</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">kopia</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">extract</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">backblaze</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>The ReplicationSource backs up daily and keeps 14 days:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># kubernetes/components/volsync/s3-backblaze/replicationsource.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nn">---</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">volsync.backube/v1alpha1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ReplicationSource</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">${APP}-b2</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">sourcePVC</span><span class="p">:</span><span class="w"> </span><span class="l">${VOLSYNC_CLAIM:=${APP}}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">trigger</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">schedule</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;0 0 * * *&#34;</span><span class="w"> </span><span class="c"># Daily at midnight</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kopia</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">compression</span><span class="p">:</span><span class="w"> </span><span class="l">zstd-fastest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">copyMethod</span><span class="p">:</span><span class="w"> </span><span class="l">Snapshot</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">moverSecurityContext</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">runAsUser</span><span class="p">:</span><span class="w"> </span><span class="l">${VOLSYNC_UID:=568}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">runAsGroup</span><span class="p">:</span><span class="w"> </span><span class="l">${VOLSYNC_GID:=568}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">fsGroup</span><span class="p">:</span><span class="w"> </span><span class="l">${VOLSYNC_GID:=568}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">repository</span><span class="p">:</span><span class="w"> </span><span class="l">${APP}-volsync-b2-secret</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">retain</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">daily</span><span class="p">:</span><span class="w"> </span><span class="m">14</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>Cloudflare R2 follows the same pattern, with the endpoint constructed from the account ID:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">KOPIA_S3_ENDPOINT</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ .CLOUDFLARE_ACCOUNT_ID }}.r2.cloudflarestorage.com&#34;</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h3 id="why-kopia-for-cloud-too">Why Kopia for Cloud Too? </h3><p>You might wonder why I didn&rsquo;t stick with Restic for cloud backups. The answer: <strong>Restic lock issues</strong>. Restic repositories can get stuck with stale locks, requiring manual intervention with <code>restic unlock</code>. Kopia handles concurrent access better and doesn&rsquo;t have this problem.</p> <p>The perfectra1n fork of Volsync (<code>ghcr.io/perfectra1n/volsync</code>) supports Kopia&rsquo;s S3 backend via environment variables:</p> <ul> <li><code>KOPIA_S3_BUCKET</code> - bucket name</li> <li><code>KOPIA_S3_ENDPOINT</code> - S3-compatible endpoint</li> <li><code>AWS_ACCESS_KEY_ID</code> / <code>AWS_SECRET_ACCESS_KEY</code> - credentials</li> <li><code>KOPIA_REPOSITORY</code> - full repository URL (<code>s3://bucket/path/</code>)</li> </ul> <h3 id="another-gotcha-clustersecretstore-name">Another Gotcha: ClusterSecretStore Name </h3><p>I assumed the ClusterSecretStore was named <code>onepassword</code>. It&rsquo;s actually <code>onepassword-connect</code>. Always verify existing resource names:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl get clustersecretstore </span></span></code></pre></td></tr></table> </div> </div><h2 id="step-5-migrate-an-app-the-hard-way">Step 5: Migrate an App (The Hard Way) </h2><p>Migrating an existing app with data turned out to be more complex than expected. The Kopia volsync component expects PVCs named <code>${APP}</code> (e.g., <code>romm</code>), but my existing app used <code>romm-data</code>. Here&rsquo;s the approach that worked:</p> <h3 id="the-problem-pvc-name-mismatch">The Problem: PVC Name Mismatch </h3><p>My romm app used a PVC named <code>romm-data</code>, but the volsync component creates resources expecting PVC name <code>${APP}</code> (romm). I tried several approaches that failed:</p> <ol> <li><strong>Using VOLSYNC_CLAIM variable</strong> - The component&rsquo;s PVC template still created a conflicting <code>romm</code> PVC</li> <li><strong>Patching the dataSourceRef</strong> - PVC specs are immutable after creation</li> <li><strong>Snapshotting a terminating PVC</strong> - Can&rsquo;t add finalizers to a PVC marked for deletion</li> </ol> <h3 id="the-approach-that-worked">The Approach That Worked </h3><p><strong>Step 1: Keep existing backups running</strong></p> <p>Don&rsquo;t switch to Kopia immediately. Keep the old Restic-based volsync template running so you have cloud backups.</p> <p><strong>Step 2: Rename the PVC via snapshot</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Scale down the app</span> </span></span><span class="line"><span class="cl">flux <span class="nb">suspend</span> kustomization romm -n games </span></span><span class="line"><span class="cl">kubectl scale deploy romm -n games --replicas<span class="o">=</span><span class="m">0</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Create a snapshot of the existing PVC</span> </span></span><span class="line"><span class="cl">kubectl apply -f - <span class="s">&lt;&lt;EOF </span></span></span><span class="line"><span class="cl"><span class="s">apiVersion: snapshot.storage.k8s.io/v1 </span></span></span><span class="line"><span class="cl"><span class="s">kind: VolumeSnapshot </span></span></span><span class="line"><span class="cl"><span class="s">metadata: </span></span></span><span class="line"><span class="cl"><span class="s"> name: romm-data-migration </span></span></span><span class="line"><span class="cl"><span class="s"> namespace: games </span></span></span><span class="line"><span class="cl"><span class="s">spec: </span></span></span><span class="line"><span class="cl"><span class="s"> volumeSnapshotClassName: csi-ceph-block </span></span></span><span class="line"><span class="cl"><span class="s"> source: </span></span></span><span class="line"><span class="cl"><span class="s"> persistentVolumeClaimName: romm-data </span></span></span><span class="line"><span class="cl"><span class="s">EOF</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Wait for snapshot to be ready</span> </span></span><span class="line"><span class="cl">kubectl get volumesnapshot romm-data-migration -n games </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Create new PVC with correct name from snapshot</span> </span></span><span class="line"><span class="cl">kubectl apply -f - <span class="s">&lt;&lt;EOF </span></span></span><span class="line"><span class="cl"><span class="s">apiVersion: v1 </span></span></span><span class="line"><span class="cl"><span class="s">kind: PersistentVolumeClaim </span></span></span><span class="line"><span class="cl"><span class="s">metadata: </span></span></span><span class="line"><span class="cl"><span class="s"> name: romm </span></span></span><span class="line"><span class="cl"><span class="s"> namespace: games </span></span></span><span class="line"><span class="cl"><span class="s">spec: </span></span></span><span class="line"><span class="cl"><span class="s"> accessModes: [ReadWriteOnce] </span></span></span><span class="line"><span class="cl"><span class="s"> storageClassName: ceph-block </span></span></span><span class="line"><span class="cl"><span class="s"> dataSource: </span></span></span><span class="line"><span class="cl"><span class="s"> name: romm-data-migration </span></span></span><span class="line"><span class="cl"><span class="s"> kind: VolumeSnapshot </span></span></span><span class="line"><span class="cl"><span class="s"> apiGroup: snapshot.storage.k8s.io </span></span></span><span class="line"><span class="cl"><span class="s"> resources: </span></span></span><span class="line"><span class="cl"><span class="s"> requests: </span></span></span><span class="line"><span class="cl"><span class="s"> storage: 5Gi </span></span></span><span class="line"><span class="cl"><span class="s">EOF</span> </span></span></code></pre></td></tr></table> </div> </div><p><strong>Step 3: Update HelmRelease to use new PVC name</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># kubernetes/apps/games/romm/app/helmrelease.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">persistence</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">data</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">existingClaim</span><span class="p">:</span><span class="w"> </span><span class="l">romm </span><span class="w"> </span><span class="c"># Changed from romm-data</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p><strong>Step 4: Delete old PVC and resume</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl delete pvc romm-data -n games </span></span><span class="line"><span class="cl">kubectl delete volumesnapshot romm-data-migration -n games </span></span><span class="line"><span class="cl">flux resume kustomization romm -n games </span></span></code></pre></td></tr></table> </div> </div><h3 id="the-gotcha-conflicting-datasourceref">The Gotcha: Conflicting dataSourceRef </h3><p>After the PVC migration, Flux complained about a dry-run failure. The manually-created PVC had <code>dataSource: VolumeSnapshot</code>, but the volsync template wanted <code>dataSourceRef: ReplicationDestination</code>. These are immutable.</p> <p>The fix: delete the PVC and let the volsync template recreate it from a cloud restore:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">flux <span class="nb">suspend</span> kustomization romm -n games </span></span><span class="line"><span class="cl">kubectl scale deploy romm -n games --replicas<span class="o">=</span><span class="m">0</span> </span></span><span class="line"><span class="cl">kubectl delete pvc romm -n games </span></span><span class="line"><span class="cl">flux resume kustomization romm -n games </span></span><span class="line"><span class="cl"><span class="c1"># The ReplicationDestination triggers a restore from R2</span> </span></span></code></pre></td></tr></table> </div> </div><p>This works because we kept the Restic backups running throughout the migration.</p> <h2 id="lessons-learned">Lessons Learned </h2><p>This migration surfaced several bad assumptions:</p> <table> <thead> <tr> <th>Assumption</th> <th>Reality</th> <th>Impact</th> </tr> </thead> <tbody> <tr> <td>MutatingAdmissionPolicy feature gate &ldquo;just works&rdquo;</td> <td>Requires Talos patch for apiServer extraArgs + runtime-config</td> <td>Had to create patch, regenerate configs, roll out to all nodes</td> </tr> <tr> <td>K8s 1.33 uses MutatingAdmissionPolicy v1beta1</td> <td>Uses <strong>v1alpha1</strong> (v1beta1 is K8s 1.34+)</td> <td>API server crash, had to fix and reapply</td> </tr> <tr> <td>ClusterSecretStore named <code>onepassword</code></td> <td>Named <code>onepassword-connect</code></td> <td>ExternalSecrets failed to sync</td> </tr> <tr> <td>app-template creates ConfigMap as <code>kopia-config</code></td> <td>Creates as <code>kopia</code></td> <td>Pod stuck in ContainerCreating</td> </tr> <tr> <td>Kopia repository pre-exists</td> <td>NFS path was empty</td> <td>Kopia server crashed on startup</td> </tr> <tr> <td>Reference patterns from docs were tested</td> <td>They were aspirational</td> <td>Multiple fixes needed</td> </tr> <tr> <td>Can rename PVC by creating new one from snapshot</td> <td>Works, but dataSource is immutable</td> <td>Had to delete and restore from cloud</td> </tr> <tr> <td>PVC dataSourceRef can be patched</td> <td>PVC spec is immutable after creation</td> <td>Kustomization dry-run failures</td> </tr> <tr> <td>VolumeSnapshotClass named <code>csi-ceph-blockpool</code></td> <td>Named <code>csi-ceph-block</code></td> <td>Snapshots failed to create</td> </tr> <tr> <td>Gateway named <code>envoy-internal</code></td> <td>Named <code>internal</code> (in <code>network</code> namespace)</td> <td>HTTPRoute not attached to gateway</td> </tr> <tr> <td>Routes auto-create DNS records</td> <td>Need <code>internal-dns.alpha.kubernetes.io/target</code> annotation</td> <td>Hostname didn&rsquo;t resolve</td> </tr> <tr> <td>Kopia Web UI works behind reverse proxy</td> <td>CSRF token validation fails</td> <td>Had to add <code>--disable-csrf-token-checks</code></td> </tr> <tr> <td>Default UID 1000 is fine</td> <td>Should use 568 to match NFS share permissions</td> <td>Permission issues on NFS</td> </tr> <tr> <td>Can use hardcoded timezone</td> <td>Should use <code>${TIMEZONE}</code> variable</td> <td>Inconsistent with cluster conventions</td> </tr> </tbody> </table> <h3 id="verification-commands">Verification Commands </h3><p>Before implementing, always check:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># API version support</span> </span></span><span class="line"><span class="cl">kubectl api-resources <span class="p">|</span> grep -i mutating </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Existing resource names</span> </span></span><span class="line"><span class="cl">kubectl get clustersecretstore </span></span><span class="line"><span class="cl">kubectl get volumesnapshotclass </span></span><span class="line"><span class="cl">kubectl get storageclass </span></span><span class="line"><span class="cl">kubectl get gateway -n network </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Chart-generated resources</span> </span></span><span class="line"><span class="cl">helm template &lt;release&gt; <span class="p">|</span> grep -i configmap </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># After migration, verify backup works</span> </span></span><span class="line"><span class="cl">kubectl get replicationsource &lt;app&gt; -n &lt;namespace&gt; </span></span><span class="line"><span class="cl">kubectl <span class="nb">exec</span> -n storage deployment/kopia -- kopia snapshot list --all </span></span></code></pre></td></tr></table> </div> </div><h2 id="step-6-the-successful-migration">Step 6: The Successful Migration </h2><p>After fixing all the issues, migrating romm to Kopia was straightforward:</p> <p><strong>1. Update the Kustomization to use the component:</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># kubernetes/apps/games/romm/app/kustomization.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kustomize.config.k8s.io/v1beta1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Kustomization</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./externalsecret.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./helmrelease.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">../../../../templates/gatus/external</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">components</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">../../../../components/volsync # All 3 destinations</span><span class="p">:</span><span class="w"> </span><span class="l">NFS + B2 + R2</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p><strong>2. Set the required variables in ks.yaml:</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># kubernetes/apps/games/romm/ks.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">postBuild</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">substitute</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">APP</span><span class="p">:</span><span class="w"> </span><span class="l">romm</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">VOLSYNC_CAPACITY</span><span class="p">:</span><span class="w"> </span><span class="l">5Gi</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>That&rsquo;s it! The <code>VOLSYNC_UID</code> and <code>VOLSYNC_GID</code> default to <code>568</code>, which matches most apps. You only need to specify them if your app uses a different UID/GID:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># Only if your app uses a non-standard UID/GID</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">postBuild</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">substitute</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">APP</span><span class="p">:</span><span class="w"> </span><span class="l">myapp</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">VOLSYNC_CAPACITY</span><span class="p">:</span><span class="w"> </span><span class="l">10Gi</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">VOLSYNC_UID</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1000&#34;</span><span class="w"> </span><span class="c"># Override the default 568</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">VOLSYNC_GID</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1000&#34;</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p><strong>3. Commit, push, and reconcile:</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">git add . <span class="o">&amp;&amp;</span> git commit -m <span class="s2">&#34;feat(romm): switch volsync from Restic to Kopia&#34;</span> </span></span><span class="line"><span class="cl">git push </span></span><span class="line"><span class="cl">flux reconcile kustomization romm -n games </span></span></code></pre></td></tr></table> </div> </div><p><strong>4. Verify the backups:</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Check all three ReplicationSources were created</span> </span></span><span class="line"><span class="cl">kubectl get replicationsource -n games </span></span><span class="line"><span class="cl"><span class="c1"># NAME SOURCE LAST SYNC DURATION NEXT SYNC</span> </span></span><span class="line"><span class="cl"><span class="c1"># romm romm 2025-12-06T00:39:46Z 3s 2025-12-06T01:00:00Z</span> </span></span><span class="line"><span class="cl"><span class="c1"># romm-b2 romm 2025-12-06T00:00:00Z 45s 2025-12-07T00:00:00Z</span> </span></span><span class="line"><span class="cl"><span class="c1"># romm-r2 romm 2025-12-06T00:00:00Z 48s 2025-12-07T00:00:00Z</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Check snapshots in Kopia Web UI or via CLI</span> </span></span><span class="line"><span class="cl">kubectl <span class="nb">exec</span> -n storage deployment/kopia -- kopia snapshot list --all </span></span><span class="line"><span class="cl"><span class="c1"># romm@games:/data</span> </span></span><span class="line"><span class="cl"><span class="c1"># 2025-12-06 13:39:46 NZDT k... 156.3 MB files:5582 dirs:285</span> </span></span></code></pre></td></tr></table> </div> </div><p>The local NFS backup completed in 3 seconds because Kopia&rsquo;s deduplication recognized the existing data. Cloud backups take longer but run daily for disaster recovery.</p> <h2 id="understanding-kopias-storage">Understanding Kopia&rsquo;s Storage </h2><p>When I first looked at the NFS share after the migration, I was confused:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">VolsyncKopia ls -la </span></span><span class="line"><span class="cl">drwxrwx--- 28 apps apps 32 Dec 6 13:35 . </span></span><span class="line"><span class="cl">-rwxrwx--- 1 apps apps 43 Dec 6 08:07 .shards </span></span><span class="line"><span class="cl">drwxrwx--- 3 apps apps 3 Dec 6 08:30 _lo </span></span><span class="line"><span class="cl">-rwxrwx--- 1 apps apps 30 Dec 6 08:17 kopia.blobcfg.f </span></span><span class="line"><span class="cl">-rwxrwx--- 1 apps apps 1117 Dec 6 12:31 kopia.maintenance.f </span></span><span class="line"><span class="cl">-rwxrwx--- 1 apps apps 1101 Dec 6 08:17 kopia.repository.f </span></span><span class="line"><span class="cl">drwxrwx--- 3 apps apps 3 Dec 6 12:31 p03 </span></span><span class="line"><span class="cl">drwxrwx--- 3 apps apps 3 Dec 6 12:31 p1e </span></span><span class="line"><span class="cl">drwxrwx--- 3 apps apps 3 Dec 6 12:31 q10 </span></span><span class="line"><span class="cl">... </span></span></code></pre></td></tr></table> </div> </div><p>Where&rsquo;s the <code>romm</code> folder? This is <strong>content-addressable storage</strong> - Kopia doesn&rsquo;t store data by source name. Instead:</p> <ul> <li>Data is deduplicated and compressed into <strong>pack blobs</strong> (the <code>p*</code>, <code>q*</code>, <code>s*</code> folders)</li> <li>Blob names are based on content hashes, not source names</li> <li>All apps share the same deduplication pool</li> <li>To see the logical structure, use <code>kopia snapshot list --all</code> or the Web UI</li> </ul> <p>This means if romm and another app have identical files, they&rsquo;re only stored once. The tradeoff is you can&rsquo;t browse the repository directly on the NAS - you need Kopia tools.</p> <p><strong>Important</strong>: Never manually delete files from the repository. Kopia uses garbage collection during maintenance to clean up unreferenced blobs safely.</p> <h2 id="whats-next">What&rsquo;s Next </h2><p>The Kopia infrastructure is deployed and working. Romm is now successfully backing up to all three destinations:</p> <ul> <li><strong>NFS (hourly)</strong> - Fast local restores</li> <li><strong>Backblaze B2 (daily)</strong> - Off-site disaster recovery</li> <li><strong>Cloudflare R2 (daily)</strong> - Additional cloud redundancy</li> </ul> <p>The next steps:</p> <ol> <li><del><strong>romm</strong> (games) - Migrated to Kopia</del> Done!</li> <li><strong>Downloads namespace</strong> - qbittorrent, radarr, sonarr, etc.</li> <li><strong>Entertainment namespace</strong> - plex, jellyfin, tautulli</li> <li><strong>Home automation</strong> - home-assistant, zigbee2mqtt</li> </ol> <p>The key lesson: <strong>keep existing backups running</strong> during migration. Don&rsquo;t switch to the new backup system until you&rsquo;ve verified the PVC naming is correct and the app is stable. Having cloud backups as a safety net saved me from data loss multiple times during this migration.</p> <h2 id="summary">Summary </h2><table> <thead> <tr> <th>Component</th> <th>Purpose</th> </tr> </thead> <tbody> <tr> <td>MutatingAdmissionPolicy</td> <td>Auto-inject NFS volume into Volsync mover pods</td> </tr> <tr> <td>Kopia server</td> <td>Web UI for browsing/managing NFS backups</td> </tr> <tr> <td><code>components/volsync</code></td> <td>Root component that includes all 3 destinations</td> </tr> <tr> <td><code>components/volsync/nfs-truenas</code></td> <td>Primary backup (hourly) with restore capability</td> </tr> <tr> <td><code>components/volsync/s3-backblaze</code></td> <td>Disaster recovery to B2 (daily)</td> </tr> <tr> <td><code>components/volsync/s3-cloudflare</code></td> <td>Disaster recovery to R2 (daily)</td> </tr> </tbody> </table> <p>The migration from Restic to Kopia took longer than expected due to API version mismatches and incorrect assumptions about resource names. But the end result—a 3-2-1 backup strategy with local NFS for fast restores and dual cloud destinations for disaster recovery—is worth the effort. No more Restic lock issues!</p> <hr> <p><em>This post documents part of the ongoing work on my <a class="link" href="https://github.com/gavinmcfall/home-ops" target="_blank" rel="noopener" >home-ops</a> repository. The patterns here are adapted from the excellent <a class="link" href="https://github.com/home-operations" target="_blank" rel="noopener" >home-operations</a> community repos.</em></p> https://blog.nerdz.cloud/2025/flux-namespace-migration/ Fri, 05 Dec 2025 00:00:00 +1300 https://blog.nerdz.cloud/2025/flux-namespace-migration/ <blockquote> <p>&ldquo;When your Kustomizations all live in flux-system, cross-namespace dependencies become a tangled mess of implicit assumptions.&rdquo;</p> </blockquote> <h2 id="the-problem-with-everything-in-flux-system">The Problem with Everything in flux-system </h2><p>If you&rsquo;ve run a Flux-managed Kubernetes cluster for any length of time, you&rsquo;ve probably inherited (or created) the pattern where every Flux <code>Kustomization</code> CR lives in the <code>flux-system</code> namespace. It looks something like this:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># kubernetes/apps/database/mosquitto/ks.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kustomize.toolkit.fluxcd.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Kustomization</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">mosquitto</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">flux-system </span><span class="w"> </span><span class="c"># Everything lives here</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">targetNamespace</span><span class="p">:</span><span class="w"> </span><span class="l">database </span><span class="w"> </span><span class="c"># But deploys resources here</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">dependsOn</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">external-secrets-stores </span><span class="w"> </span><span class="c"># No namespace needed - it&#39;s also in flux-system</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="l">./kubernetes/apps/database/mosquitto/app</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># ...</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>This works, but it has problems:</p> <ol> <li> <p><strong>Hidden coupling</strong>: Every <code>dependsOn</code> implicitly assumes the dependency is in <code>flux-system</code>. When you read the manifest, you can&rsquo;t tell where resources actually live.</p> </li> <li> <p><strong>Crowded namespace</strong>: Running <code>flux get kustomizations</code> dumps 80+ resources into one list. Finding the one that&rsquo;s failing means scrolling through walls of text.</p> </li> <li> <p><strong>Namespace isolation is fake</strong>: Your workloads deploy to separate namespaces, but their reconciliation state all lives in one place. RBAC, network policies, and observability tools can&rsquo;t easily scope to &ldquo;just the database apps.&rdquo;</p> </li> <li> <p><strong>The <code>substituteFrom</code> trap</strong>: Flux&rsquo;s variable substitution pulls ConfigMaps and Secrets from the Kustomization&rsquo;s namespace. If your Kustomization is in <code>flux-system</code> but your app namespace has its own secrets, you need explicit cross-namespace references everywhere.</p> </li> </ol> <h2 id="the-goal-kustomizations-in-their-target-namespaces">The Goal: Kustomizations in Their Target Namespaces </h2><p>The fix is straightforward in principle: move each Flux <code>Kustomization</code> into the namespace it actually manages. The result:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># kubernetes/apps/database/mosquitto/ks.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kustomize.toolkit.fluxcd.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Kustomization</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="cp">&amp;app</span><span class="w"> </span><span class="l">mosquitto</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="cp">&amp;namespace</span><span class="w"> </span><span class="l">database </span><span class="w"> </span><span class="c"># Lives where it deploys</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">targetNamespace</span><span class="p">:</span><span class="w"> </span><span class="cp">*namespace</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">dependsOn</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">external-secrets-stores</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">external-secrets </span><span class="w"> </span><span class="c"># Explicit cross-namespace reference</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">sourceRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">GitRepository</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">flux-system</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">flux-system </span><span class="w"> </span><span class="c"># Git source is still in flux-system</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># ...</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>Now <code>kubectl get kustomizations -n database</code> shows only database-related reconcilers. Dependencies are explicit. The mental model matches the deployment model.</p> <h2 id="the-challenge-substitutefrom-and-sops-decryption">The Challenge: substituteFrom and SOPS Decryption </h2><p>Here&rsquo;s where it gets interesting. Flux Kustomizations support <code>postBuild.substituteFrom</code> to inject variables from ConfigMaps and Secrets:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">postBuild</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">substituteFrom</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ConfigMap</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">cluster-settings</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Secret</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">cluster-secrets</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>The catch? From the Flux CRD documentation:</p> <blockquote> <p><strong>Name of the values referent. Should reside in the same namespace as the referring resource.</strong></p> </blockquote> <p>When your Kustomization is in <code>flux-system</code>, it can reference <code>cluster-settings</code> and <code>cluster-secrets</code> which also live in <code>flux-system</code>. Move the Kustomization to <code>database</code>, and suddenly it can&rsquo;t find those ConfigMaps anymore.</p> <p>The same problem applies to SOPS decryption:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">decryption</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">provider</span><span class="p">:</span><span class="w"> </span><span class="l">sops</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">secretRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">sops-age </span><span class="w"> </span><span class="c"># Also needs to be in the same namespace</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>You could solve this by copying <code>cluster-settings</code>, <code>cluster-secrets</code>, and <code>sops-age</code> into every namespace. But that defeats the purpose of having cluster-wide settings, and it&rsquo;s a maintenance nightmare.</p> <h2 id="the-solution-strategic-patching-from-cluster-apps">The Solution: Strategic Patching from cluster-apps </h2><p>The elegant solution is to use Flux&rsquo;s patch capability at the parent Kustomization level. In my setup, <code>cluster-apps</code> is the top-level Kustomization that reconciles everything under <code>kubernetes/apps/</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># kubernetes/flux/cluster/ks.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kustomize.toolkit.fluxcd.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Kustomization</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">cluster-apps</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">flux-system</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="l">./kubernetes/apps</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">prune</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">sourceRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">GitRepository</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">flux-system</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">postBuild</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">substituteFrom</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ConfigMap</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">cluster-settings</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Secret</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">cluster-secrets</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">patches</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">patch</span><span class="p">:</span><span class="w"> </span><span class="p">|-</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> apiVersion: kustomize.toolkit.fluxcd.io/v1 </span></span></span><span class="line"><span class="cl"><span class="sd"> kind: Kustomization </span></span></span><span class="line"><span class="cl"><span class="sd"> metadata: </span></span></span><span class="line"><span class="cl"><span class="sd"> name: _ </span></span></span><span class="line"><span class="cl"><span class="sd"> spec: </span></span></span><span class="line"><span class="cl"><span class="sd"> decryption: </span></span></span><span class="line"><span class="cl"><span class="sd"> provider: sops </span></span></span><span class="line"><span class="cl"><span class="sd"> secretRef: </span></span></span><span class="line"><span class="cl"><span class="sd"> name: sops-age </span></span></span><span class="line"><span class="cl"><span class="sd"> sourceRef: </span></span></span><span class="line"><span class="cl"><span class="sd"> kind: GitRepository </span></span></span><span class="line"><span class="cl"><span class="sd"> name: flux-system </span></span></span><span class="line"><span class="cl"><span class="sd"> namespace: flux-system </span></span></span><span class="line"><span class="cl"><span class="sd"> postBuild: </span></span></span><span class="line"><span class="cl"><span class="sd"> substituteFrom: </span></span></span><span class="line"><span class="cl"><span class="sd"> - kind: ConfigMap </span></span></span><span class="line"><span class="cl"><span class="sd"> name: cluster-settings </span></span></span><span class="line"><span class="cl"><span class="sd"> optional: true </span></span></span><span class="line"><span class="cl"><span class="sd"> - kind: Secret </span></span></span><span class="line"><span class="cl"><span class="sd"> name: cluster-secrets </span></span></span><span class="line"><span class="cl"><span class="sd"> optional: true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">target</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">group</span><span class="p">:</span><span class="w"> </span><span class="l">kustomize.toolkit.fluxcd.io</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Kustomization</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>This patch is applied to every child Kustomization that <code>cluster-apps</code> creates. The key insight: <strong>the patch adds <code>namespace: flux-system</code> to the sourceRef and substituteFrom references</strong>, so child Kustomizations can live anywhere while still pulling variables from <code>flux-system</code>.</p> <h3 id="breaking-down-the-patch">Breaking Down the Patch </h3><p>Let&rsquo;s look at what this accomplishes:</p> <ol> <li> <p><strong><code>sourceRef.namespace: flux-system</code></strong>: Child Kustomizations reference the GitRepository in <code>flux-system</code>, regardless of where they live.</p> </li> <li> <p><strong><code>substituteFrom</code> with <code>optional: true</code></strong>: Variables are pulled from <code>flux-system</code>, but if they don&rsquo;t exist, reconciliation continues (useful for namespace-specific overrides).</p> </li> <li> <p><strong>SOPS decryption</strong>: The <code>sops-age</code> secret reference is injected, so encrypted secrets work everywhere.</p> </li> <li> <p><strong><code>name: _</code></strong>: This is a patch placeholder - Flux will apply this to all matching resources.</p> </li> </ol> <h2 id="the-migration-pattern">The Migration Pattern </h2><p>With the patching in place, migrating each Kustomization follows a consistent pattern:</p> <h3 id="before-in-flux-system">Before (in flux-system) </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kustomize.toolkit.fluxcd.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Kustomization</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">mosquitto</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">flux-system</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">targetNamespace</span><span class="p">:</span><span class="w"> </span><span class="l">database</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">dependsOn</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">dragonfly</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="l">./kubernetes/apps/database/mosquitto/app</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">sourceRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">GitRepository</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">flux-system</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h3 id="after-in-target-namespace">After (in target namespace) </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kustomize.toolkit.fluxcd.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Kustomization</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="cp">&amp;app</span><span class="w"> </span><span class="l">mosquitto</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="cp">&amp;namespace</span><span class="w"> </span><span class="l">database</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">targetNamespace</span><span class="p">:</span><span class="w"> </span><span class="cp">*namespace</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">dependsOn</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">dragonfly</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">database </span><span class="w"> </span><span class="c"># Explicit namespace required</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="l">./kubernetes/apps/database/mosquitto/app</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">sourceRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">GitRepository</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">flux-system</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">flux-system </span><span class="w"> </span><span class="c"># Cross-namespace reference</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h3 id="key-changes">Key Changes </h3><ol> <li> <p><strong>Add <code>metadata.namespace</code></strong>: Point to the target namespace using a YAML anchor for DRY.</p> </li> <li> <p><strong>Add <code>namespace</code> to <code>dependsOn</code></strong>: Every cross-namespace dependency needs an explicit namespace. Same-namespace dependencies can omit it, but I recommend always including it for clarity.</p> </li> <li> <p><strong>Add <code>sourceRef.namespace: flux-system</code></strong>: The GitRepository stays in flux-system, so child Kustomizations need to reach across.</p> </li> </ol> <h2 id="reusable-components-the-common-pattern">Reusable Components: The Common Pattern </h2><p>To reduce boilerplate, I created a shared component that every namespace includes:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># kubernetes/components/common/kustomization.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kustomize.config.k8s.io/v1alpha1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Component</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./namespace.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./cluster-vars</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./alerts</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./sops</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>Each namespace&rsquo;s <code>kustomization.yaml</code> pulls this in:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># kubernetes/apps/database/kustomization.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kustomize.config.k8s.io/v1beta1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Kustomization</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">database</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">components</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">../../components/common</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./cloudnative-pg/ks.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./dragonfly/ks.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./mosquitto/ks.yaml</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>This ensures every namespace gets:</p> <ul> <li>A properly-labeled Namespace resource</li> <li>Cluster-wide variables (ConfigMaps/Secrets)</li> <li>Flux alerts and providers</li> <li>SOPS external secrets</li> </ul> <h2 id="real-world-gotchas">Real-World Gotchas </h2><h3 id="1-dns-resolution-during-migration">1. DNS Resolution During Migration </h3><p>During my migration, I hit a chicken-and-egg problem. CoreDNS was configured to forward internal DNS to a cluster-internal DNS service, but when that service drifted or wasn&rsquo;t ready, Flux couldn&rsquo;t fetch from Git because DNS was broken.</p> <p>The fix: simplify DNS architecture. I later removed k8s-gateway entirely and configured CoreDNS to forward to my UDM Pro (<code>10.90.254.1</code>), which has DNS records created by external-dns-unifi. This eliminates cluster-internal DNS dependencies during bootstrap.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># kubernetes/apps/kube-system/coredns/app/helm-values.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">servers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">zones</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">zone</span><span class="p">:</span><span class="w"> </span><span class="l">.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">plugins</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">forward</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">parameters</span><span class="p">:</span><span class="w"> </span><span class="l">. /etc/resolv.conf </span><span class="w"> </span><span class="c"># Forwards to UDM (10.90.254.1)</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h3 id="2-rook-ceph-and-storage-dependencies">2. Rook-Ceph and Storage Dependencies </h3><p>Storage operators like Rook-Ceph are sensitive to manifest changes. Moving Kustomizations around can trigger reconciliation loops that confuse the operator about existing OSDs.</p> <p>My approach: migrate storage-adjacent namespaces last, and be prepared to wipe and rebuild if Ceph gets confused (see my <a class="link" href="https://blog.nerdz.cloud/2025/talos-dr-reset" >Talos DR Reset</a> post for that adventure).</p> <h3 id="3-the-cluster-apps--naming-convention">3. The <code>cluster-apps-*</code> Naming Convention </h3><p>Some apps had legacy names like <code>cluster-apps-rook-ceph-cluster</code>. When migrating, I renamed them to just <code>rook-ceph-cluster</code>. This meant updating every <code>dependsOn</code> that referenced the old name.</p> <p>A grep through the codebase found all the references:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">grep -r <span class="s2">&#34;cluster-apps-&#34;</span> kubernetes/apps/ --include<span class="o">=</span><span class="s2">&#34;*.yaml&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="validation">Validation </h2><p>After migrating each namespace, I validated with:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Check all Kustomizations in the namespace are Ready</span> </span></span><span class="line"><span class="cl">flux get kustomizations -n database </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Force reconcile to ensure no cached state</span> </span></span><span class="line"><span class="cl">flux reconcile kustomization mosquitto -n database --force </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Verify HelmReleases deployed correctly</span> </span></span><span class="line"><span class="cl">flux get helmreleases -n database </span></span></code></pre></td></tr></table> </div> </div><p>For apps that weren&rsquo;t deployed yet (commented out in kustomization.yaml), I verified the YAML was syntactically correct:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kustomize build kubernetes/apps/cortex --load-restrictor<span class="o">=</span>LoadRestrictionsNone </span></span></code></pre></td></tr></table> </div> </div><h2 id="the-end-result">The End Result </h2><p>After migrating all namespaces, my cluster has:</p> <ul> <li><strong>Clear namespace boundaries</strong>: <code>kubectl get kustomizations -n downloads</code> shows only download-related apps</li> <li><strong>Explicit dependencies</strong>: No more guessing where a dependency lives</li> <li><strong>Scoped observability</strong>: Prometheus can scrape per-namespace, dashboards can filter by namespace</li> <li><strong>Simpler RBAC</strong>: Namespace-scoped roles can manage their own Flux resources</li> </ul> <p>The <code>cluster-apps</code> parent Kustomization still lives in <code>flux-system</code> (it has to - it&rsquo;s the entry point), but everything it spawns now lives where it belongs.</p> <h2 id="summary">Summary </h2><table> <thead> <tr> <th>Aspect</th> <th>Before</th> <th>After</th> </tr> </thead> <tbody> <tr> <td>Kustomization location</td> <td>All in <code>flux-system</code></td> <td>Each in target namespace</td> </tr> <tr> <td>dependsOn references</td> <td>Implicit (same namespace)</td> <td>Explicit with namespace</td> </tr> <tr> <td>sourceRef</td> <td>Implicit (same namespace)</td> <td>Explicit <code>namespace: flux-system</code></td> </tr> <tr> <td>substituteFrom</td> <td>Direct reference</td> <td>Patched from parent with <code>namespace: flux-system</code></td> </tr> <tr> <td>Observability</td> <td>One giant list</td> <td>Namespaced views</td> </tr> </tbody> </table> <p>The migration took several sessions and touched 200+ files, but the result is a cleaner, more maintainable GitOps structure. If you&rsquo;re running a homelab with Flux, I highly recommend making this change before your cluster grows any larger.</p> <hr> <p><em>This post documents the migration I performed on my <a class="link" href="https://github.com/gavinmcfall/home-ops" target="_blank" rel="noopener" >home-ops</a> repository. The patterns here are heavily inspired by <a class="link" href="https://github.com/kashalls/home-ops" target="_blank" rel="noopener" >Kashalls&rsquo; homelab repo</a> and the broader Kubernetes@Home community.</em></p> https://blog.nerdz.cloud/2025/tailscale-split-dns/ Tue, 02 Dec 2025 00:00:00 +1300 https://blog.nerdz.cloud/2025/tailscale-split-dns/ <blockquote> <p>&ldquo;The best infrastructure is the infrastructure you delete.&rdquo; — <em>Me, staring at 23 proxy pods</em></p> </blockquote> <h2 id="the-problem-proxy-sprawl">The Problem: Proxy Sprawl </h2><p>I&rsquo;ve been running Tailscale in my homelab for remote access, using the Tailscale Operator&rsquo;s Ingress feature. It works great — you add a <code>tailscale</code> ingress class to your app, and the operator spins up a proxy pod that appears in your Tailnet. Access it via MagicDNS (<code>paperless.${TAILNET_DNS_NAME}</code>) and you&rsquo;re in.</p> <p>The problem? I had <strong>23 of these proxy pods</strong>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl get pods -n network <span class="p">|</span> grep ts- </span></span><span class="line"><span class="cl">ts-filebrowser-l4k64-0 1/1 Running </span></span><span class="line"><span class="cl">ts-homepage-w2j25-0 1/1 Running </span></span><span class="line"><span class="cl">ts-paperless-r892j-0 1/1 Running </span></span><span class="line"><span class="cl">ts-teslamate-wthbr-0 1/1 Running </span></span><span class="line"><span class="cl"><span class="c1"># ... many more</span> </span></span></code></pre></td></tr></table> </div> </div><p>Each app gets its own Tailscale device, its own WireGuard tunnel, its own memory footprint. And the URLs are ugly — <code>paperless.${TAILNET_DNS_NAME}</code> instead of just <code>paperless.${SECRET_DOMAIN}</code>.</p> <p>What I really wanted: type <code>paperless.${SECRET_DOMAIN}</code> from anywhere and have it Just Work. On the LAN, on Tailscale, wherever.</p> <h2 id="the-goal-same-url-everywhere">The Goal: Same URL Everywhere </h2><p>The dream:</p> <table> <thead> <tr> <th>Location</th> <th>URL</th> <th>Result</th> </tr> </thead> <tbody> <tr> <td>LAN</td> <td><code>paperless.${SECRET_DOMAIN}</code></td> <td>Resolves to internal gateway, works</td> </tr> <tr> <td>Tailscale (remote)</td> <td><code>paperless.${SECRET_DOMAIN}</code></td> <td>Resolves to internal gateway via WireGuard, works</td> </tr> <tr> <td>Public internet</td> <td><code>paperless.${SECRET_DOMAIN}</code></td> <td>No access (internal-only app)</td> </tr> </tbody> </table> <p>One URL. Zero extra infrastructure. No per-app proxy pods.</p> <h2 id="the-solution-split-dns--connector">The Solution: Split DNS + Connector </h2><p>The key insight: my internal gateway (<code>10.90.3.202</code>) is already reachable via Tailscale — I just need DNS queries to return that IP when I&rsquo;m connected to the Tailnet.</p> <p>This requires two pieces:</p> <ol> <li><strong>Tailscale Connector</strong> — A pod that advertises my cluster subnet (<code>10.90.0.0/16</code>) to the Tailnet</li> <li><strong>Split DNS</strong> — Configure Tailscale to forward <code>*.${SECRET_DOMAIN}</code> queries to my UDM Pro (which has DNS records created by external-dns-unifi)</li> </ol> <h3 id="how-it-works">How It Works </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">Remote Device (Tailscale connected) </span></span><span class="line"><span class="cl"> │ </span></span><span class="line"><span class="cl"> │ 1. Browser: paperless.${SECRET_DOMAIN} </span></span><span class="line"><span class="cl"> │ 2. OS DNS query </span></span><span class="line"><span class="cl"> ▼ </span></span><span class="line"><span class="cl">┌─────────────────┐ </span></span><span class="line"><span class="cl">│ Tailscale Client│ 3. Intercepts DNS (Split DNS configured) </span></span><span class="line"><span class="cl">│ │ for *.${SECRET_DOMAIN} </span></span><span class="line"><span class="cl">└────────┬────────┘ </span></span><span class="line"><span class="cl"> │ </span></span><span class="line"><span class="cl"> │ 4. Forward DNS query via WireGuard tunnel </span></span><span class="line"><span class="cl"> ▼ </span></span><span class="line"><span class="cl">┌─────────────────┐ </span></span><span class="line"><span class="cl">│ UDM Pro │ 5. Resolves paperless.${SECRET_DOMAIN} </span></span><span class="line"><span class="cl">│ 10.90.254.1 │ Returns: 10.90.3.202 (internal gateway) </span></span><span class="line"><span class="cl">└────────┬────────┘ (record created by external-dns-unifi) </span></span><span class="line"><span class="cl"> │ </span></span><span class="line"><span class="cl"> │ 6. Response travels back via WireGuard </span></span><span class="line"><span class="cl"> ▼ </span></span><span class="line"><span class="cl">┌─────────────────┐ </span></span><span class="line"><span class="cl">│ Tailscale Client│ 7. Browser now knows IP: 10.90.3.202 </span></span><span class="line"><span class="cl">└────────┬────────┘ </span></span><span class="line"><span class="cl"> │ </span></span><span class="line"><span class="cl"> │ 8. HTTPS request to 10.90.3.202 via WireGuard </span></span><span class="line"><span class="cl"> ▼ </span></span><span class="line"><span class="cl">┌─────────────────┐ </span></span><span class="line"><span class="cl">│ Internal Gateway│ 9. Matches HTTPRoute, serves request </span></span><span class="line"><span class="cl">│ 10.90.3.202 │ </span></span><span class="line"><span class="cl">└─────────────────┘ </span></span></code></pre></td></tr></table> </div> </div><p>The beauty: my internal gateway doesn&rsquo;t know or care whether the request came from the LAN or through Tailscale. It&rsquo;s just another client hitting <code>10.90.3.202</code>.</p> <h2 id="setting-up-the-connector">Setting Up the Connector </h2><p>First, I needed a subnet router so Tailscale clients can reach my cluster IPs. The Tailscale Operator makes this easy with the <code>Connector</code> CRD:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># kubernetes/apps/network/tailscale/operator/app/connector.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nn">---</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">tailscale.com/v1alpha1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Connector</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">home-subnet</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">hostname</span><span class="p">:</span><span class="w"> </span><span class="l">home-subnet-router</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">subnetRouter</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">advertiseRoutes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="m">10.90.0.0</span><span class="l">/16</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>Add it to your kustomization and push:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># kubernetes/apps/network/tailscale/operator/app/kustomization.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nn">---</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kustomize.config.k8s.io/v1beta1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Kustomization</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./externalsecret.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./helmrelease.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./connector.yaml</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>After Flux reconciles, you&rsquo;ll see a new pod and Tailscale device:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl get connector -n network </span></span><span class="line"><span class="cl">NAME SUBNETROUTES STATUS AGE </span></span><span class="line"><span class="cl">home-subnet 10.90.0.0/16 ConnectorCreated 5m </span></span></code></pre></td></tr></table> </div> </div><style type="text/css"> .notice { --title-color: #fff; --title-background-color: #6be; --content-color: #444; --content-background-color: #e7f2fa; } .notice.info { --title-background-color: #fb7; --content-background-color: #fec; } .notice.tip { --title-background-color: #5a5; --content-background-color: #efe; } .notice.warning { --title-background-color: #c33; --content-background-color: #fee; } @media (prefers-color-scheme:dark) { .notice { --title-color: #fff; --title-background-color: #069; --content-color: #ddd; --content-background-color: #023; } .notice.info { --title-background-color: #a50; --content-background-color: #420; } .notice.tip { --title-background-color: #363; --content-background-color: #121; } .notice.warning { --title-background-color: #800; --content-background-color: #400; } } body.dark .notice { --title-color: #fff; --title-background-color: #069; --content-color: #ddd; --content-background-color: #023; } body.dark .notice.info { --title-background-color: #a50; --content-background-color: #420; } body.dark .notice.tip { --title-background-color: #363; --content-background-color: #121; } body.dark .notice.warning { --title-background-color: #800; --content-background-color: #400; } .notice { padding: 18px; line-height: 24px; margin-bottom: 24px; border-radius: 4px; color: var(--content-color); background: var(--content-background-color); } .notice p:last-child { margin-bottom: 0 } .notice-title { margin: -18px -18px 12px; padding: 4px 18px; border-radius: 4px 4px 0 0; font-weight: 700; color: var(--title-color); background: var(--title-background-color); } .icon-notice { display: inline-flex; align-self: center; margin-right: 8px; } .icon-notice img, .icon-notice svg { height: 1em; width: 1em; fill: currentColor; } .icon-notice img, .icon-notice.baseline svg { top: .125em; position: relative; } </style><div class="notice warning" > <p class="notice-title"> <span class="icon-notice baseline"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="126 76.5 300 300"> <path d="M297.431 324.397v-34.255c0-3.245-2.344-5.95-5.358-5.95h-32.146c-3.014 0-5.358 2.705-5.358 5.95v34.255c0 3.245 2.344 5.95 5.358 5.95h32.146c3.014 0 5.358-2.705 5.358-5.95Zm-.335-67.428 3.014-82.753c0-1.081-.502-2.524-1.674-3.425-1.005-.902-2.512-1.983-4.019-1.983h-36.834c-1.507 0-3.014 1.081-4.019 1.983-1.172.901-1.674 2.704-1.674 3.786l2.846 82.392c0 2.344 2.512 4.146 5.693 4.146h30.975c3.013 0 5.525-1.803 5.692-4.146Zm-2.344-168.39L423.34 342.425c3.683 7.032 3.516 15.686-.335 22.717-3.85 7.031-10.883 11.358-18.417 11.358H147.413c-7.534 0-14.566-4.327-18.417-11.358-3.85-7.031-4.018-15.685-.335-22.716L257.248 88.578C260.93 81.188 268.13 76.5 276 76.5c7.87 0 15.069 4.688 18.752 12.08Z"/> </svg> </span> Warning </p><p>You need to approve the subnet routes in Tailscale Admin. Go to <a class="link" href="https://login.tailscale.com/admin/machines" target="_blank" rel="noopener" >Machines</a>, find <code>home-subnet-router</code>, and approve the <code>10.90.0.0/16</code> route.</p></div> <h2 id="configuring-tailscale-split-dns">Configuring Tailscale Split DNS </h2><p>Now the fun part. In the <a class="link" href="https://login.tailscale.com/admin/dns" target="_blank" rel="noopener" >Tailscale Admin Console</a>:</p> <ol> <li>Navigate to the <strong>DNS</strong> tab</li> <li>Under <strong>Nameservers</strong>, click <strong>Add nameserver</strong> → <strong>Custom&hellip;</strong></li> <li>Configure: <ul> <li><strong>Nameserver</strong>: <code>10.90.254.1</code> (your UDM Pro)</li> <li>Check <strong>Restrict to domain</strong></li> <li><strong>Domain</strong>: <code>${SECRET_DOMAIN}</code></li> </ul> </li> </ol> <p>The dialog looks like this:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">┌─────────────────────────────────────────────────────────────────┐ </span></span><span class="line"><span class="cl">│ Add nameserver [x] │ </span></span><span class="line"><span class="cl">├─────────────────────────────────────────────────────────────────┤ </span></span><span class="line"><span class="cl">│ │ </span></span><span class="line"><span class="cl">│ Nameserver │ </span></span><span class="line"><span class="cl">│ ┌─────────────────────────────────────────────────────────┐ │ </span></span><span class="line"><span class="cl">│ │ 10.90.254.1 │ │ </span></span><span class="line"><span class="cl">│ └─────────────────────────────────────────────────────────┘ │ </span></span><span class="line"><span class="cl">│ │ </span></span><span class="line"><span class="cl">│ ☑ Restrict to domain │ </span></span><span class="line"><span class="cl">│ ┌─────────────────────────────────────────────────────────┐ │ </span></span><span class="line"><span class="cl">│ │ ${SECRET_DOMAIN} │ │ </span></span><span class="line"><span class="cl">│ └─────────────────────────────────────────────────────────┘ │ </span></span><span class="line"><span class="cl">│ │ </span></span><span class="line"><span class="cl">│ This nameserver will only be used for DNS queries matching │ </span></span><span class="line"><span class="cl">│ *.${SECRET_DOMAIN} │ </span></span><span class="line"><span class="cl">│ │ </span></span><span class="line"><span class="cl">│ [Cancel] [Save] │ </span></span><span class="line"><span class="cl">└─────────────────────────────────────────────────────────────────┘ </span></span></code></pre></td></tr></table> </div> </div><p>I also enabled <strong>Override local DNS</strong> to ensure Tailscale&rsquo;s DNS config takes precedence when connected.</p> <div class="notice info" > <p class="notice-title"> <span class="icon-notice baseline"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="92 59.5 300 300"> <path d="M292 303.25V272c0-3.516-2.734-6.25-6.25-6.25H267v-100c0-3.516-2.734-6.25-6.25-6.25h-62.5c-3.516 0-6.25 2.734-6.25 6.25V197c0 3.516 2.734 6.25 6.25 6.25H217v62.5h-18.75c-3.516 0-6.25 2.734-6.25 6.25v31.25c0 3.516 2.734 6.25 6.25 6.25h87.5c3.516 0 6.25-2.734 6.25-6.25Zm-25-175V97c0-3.516-2.734-6.25-6.25-6.25h-37.5c-3.516 0-6.25 2.734-6.25 6.25v31.25c0 3.516 2.734 6.25 6.25 6.25h37.5c3.516 0 6.25-2.734 6.25-6.25Zm125 81.25c0 82.813-67.188 150-150 150-82.813 0-150-67.188-150-150 0-82.813 67.188-150 150-150 82.813 0 150 67.188 150 150Z"/> </svg> </span> Info </p><p><strong>Why UDM Pro instead of k8s-gateway?</strong> I previously used k8s-gateway for internal DNS, but later migrated to using external-dns-unifi which pushes DNS records directly to my UDM Pro. This simplifies the architecture — UDM serves the same DNS records to LAN clients, pods (via CoreDNS forwarding), and Tailscale clients. One source of truth for internal DNS.</p></div> <h2 id="testing-it-works">Testing It Works </h2><p>From a Tailscale-connected device (away from home):</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Check DNS resolution</span> </span></span><span class="line"><span class="cl">dig paperless.<span class="si">${</span><span class="nv">SECRET_DOMAIN</span><span class="si">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Expected:</span> </span></span><span class="line"><span class="cl"><span class="c1"># paperless.${SECRET_DOMAIN}. 0 IN A 10.90.3.202</span> </span></span></code></pre></td></tr></table> </div> </div><p>From LAN (without Tailscale):</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">dig paperless.<span class="si">${</span><span class="nv">SECRET_DOMAIN</span><span class="si">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Expected (via UDM internal DNS):</span> </span></span><span class="line"><span class="cl"><span class="c1"># paperless.${SECRET_DOMAIN}. 0 IN A 10.90.3.202</span> </span></span></code></pre></td></tr></table> </div> </div><p>Both return the same IP — my internal gateway. Same URL, same destination, regardless of where I am.</p> <h2 id="the-migration-removing-tailscale-ingresses">The Migration: Removing Tailscale Ingresses </h2><p>With Split DNS working, those 23 proxy pods became redundant. Time to delete them.</p> <p><strong>Before</strong> (per-app Tailscale proxy):</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># Each app had this</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">ingress</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">tailscale</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">className</span><span class="p">:</span><span class="w"> </span><span class="l">tailscale</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">hosts</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">host</span><span class="p">:</span><span class="w"> </span><span class="l">paperless </span><span class="w"> </span><span class="c"># MagicDNS name only</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p><strong>After</strong> (just the internal route):</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># Same internal route serves both LAN and Tailscale</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">route</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">app</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">internal-dns.alpha.kubernetes.io/target</span><span class="p">:</span><span class="w"> </span><span class="l">internal.${SECRET_DOMAIN}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">hostnames</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">paperless.${SECRET_DOMAIN}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">parentRefs</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">internal</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">network</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># No ingress.tailscale block!</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>The migration is straightforward:</p> <ol> <li>Configure Split DNS in Tailscale admin (done above)</li> <li>Verify access works via <code>paperless.${SECRET_DOMAIN}</code> on Tailscale</li> <li>Remove the <code>ingress.tailscale</code> blocks from HelmReleases</li> <li>Clean up orphaned Tailscale devices in admin console</li> </ol> <h2 id="the-numbers">The Numbers </h2><table> <thead> <tr> <th>Metric</th> <th>Before (Ingress)</th> <th>After (Split DNS)</th> </tr> </thead> <tbody> <tr> <td>Tailscale proxy pods</td> <td>23</td> <td>0</td> </tr> <tr> <td>Tailscale devices</td> <td>24 (proxies + connector)</td> <td>1 (connector)</td> </tr> <tr> <td>New infrastructure</td> <td>-</td> <td>1 Connector pod</td> </tr> <tr> <td>URLs to remember</td> <td>23 MagicDNS names</td> <td>0 (same as LAN)</td> </tr> </tbody> </table> <h2 id="why-this-works">Why This Works </h2><p>Tailscale&rsquo;s Split DNS feature intercepts DNS queries at the OS level. When I look up <code>paperless.${SECRET_DOMAIN}</code>:</p> <ol> <li><strong>On LAN</strong>: Query goes to my UDM Pro, which has internal DNS records (created by external-dns-unifi) pointing to <code>10.90.3.202</code></li> <li><strong>On Tailscale</strong>: Query is intercepted and forwarded through the WireGuard tunnel to <code>10.90.254.1</code> (UDM Pro), which returns <code>10.90.3.202</code></li> </ol> <p>In both cases, the browser gets <code>10.90.3.202</code>. The subsequent HTTPS request goes directly to the internal gateway — on LAN via the local network, on Tailscale via the WireGuard mesh.</p> <p>The Connector&rsquo;s subnet advertisement is what makes <code>10.90.3.202</code> reachable from Tailscale. Without it, DNS would resolve correctly but the connection would timeout.</p> <h2 id="lessons-learned">Lessons Learned </h2><ol> <li> <p><strong>Split DNS is the right pattern</strong> — Per-app proxies were solving the wrong problem. I didn&rsquo;t need 23 WireGuard tunnels; I needed one subnet route and proper DNS.</p> </li> <li> <p><strong>Connectors are underrated</strong> — The Tailscale Operator&rsquo;s Connector CRD is incredibly simple. One YAML file, and suddenly your entire cluster subnet is on your Tailnet.</p> </li> <li> <p><strong>Same URL everywhere matters</strong> — Having to remember <code>paperless.${TAILNET_DNS_NAME}</code> vs <code>paperless.${SECRET_DOMAIN}</code> was annoying. Now I just use the real URL regardless of where I am.</p> </li> <li> <p><strong>Delete infrastructure when you can</strong> — Those 23 proxy pods weren&rsquo;t free. They consumed memory, created noise in <code>kubectl get pods</code>, and cluttered my Tailscale device list. Sometimes the best optimization is removal.</p> </li> </ol> <hr> <h2 id="references">References </h2><ul> <li><a class="link" href="https://tailscale.com/kb/1054/dns" target="_blank" rel="noopener" >Tailscale DNS Documentation</a> — Official Split DNS guide</li> <li><a class="link" href="https://tailscale.com/learn/why-split-dns" target="_blank" rel="noopener" >What is Split DNS?</a> — Conceptual overview</li> <li><a class="link" href="https://tailscale.com/kb/1019/subnets" target="_blank" rel="noopener" >Tailscale Subnet Routers</a> — Making internal networks reachable</li> <li><a class="link" href="https://tailscale.com/kb/1236/kubernetes-operator" target="_blank" rel="noopener" >Tailscale Kubernetes Operator</a> — Connector CRD docs</li> </ul> https://blog.nerdz.cloud/2025/mcp-servers-vscode/ Wed, 26 Nov 2025 00:00:00 +1300 https://blog.nerdz.cloud/2025/mcp-servers-vscode/ <blockquote> <p>&ldquo;Give a man a fish and he eats for a day. Give an AI access to your cluster via MCP and watch it debug your HelmReleases at 2am.&rdquo; — <em>Me, probably sleep-deprived</em></p> </blockquote> <h2 id="what-is-mcp">What is MCP? </h2><p>Model Context Protocol (MCP) is Anthropic&rsquo;s open standard for connecting AI assistants to external tools and data sources. Think of it as giving your AI a set of hands — instead of just chatting, it can actually <em>do</em> things: query your Prometheus metrics, check Flux reconciliation status, browse GitHub PRs, or even execute kubectl commands.</p> <p>If you&rsquo;re running Claude Code in VS Code (or the CLI), MCP servers let you extend what Claude can access. Instead of copy-pasting error logs into the chat, Claude can pull them directly. Instead of describing your cluster state, Claude can just&hellip; look.</p> <h2 id="the-setup">The Setup </h2><p>I run a Kubernetes homelab managed via GitOps (Flux + Talos), and I wanted Claude to have full visibility into everything without me having to be the middleman. After a few evenings of tinkering, I landed on 14 MCP servers that cover infrastructure, observability, databases, code, and more.</p> <p>Here&rsquo;s what&rsquo;s running:</p> <table> <thead> <tr> <th>Server</th> <th>Purpose</th> </tr> </thead> <tbody> <tr> <td><code>kubernetes</code></td> <td>Native k8s resource access</td> </tr> <tr> <td><code>flux</code></td> <td>GitOps status, reconciliation</td> </tr> <tr> <td><code>talos</code></td> <td>Talos Linux node management</td> </tr> <tr> <td><code>helm</code></td> <td>Chart inspection and values</td> </tr> <tr> <td><code>grafana</code></td> <td>Dashboards, datasources, alerts</td> </tr> <tr> <td><code>prometheus</code></td> <td>PromQL queries, metric discovery</td> </tr> <tr> <td><code>databases</code></td> <td>PostgreSQL + MariaDB queries</td> </tr> <tr> <td><code>github</code></td> <td>PRs, issues, code search</td> </tr> <tr> <td><code>shell</code></td> <td>Controlled command execution</td> </tr> <tr> <td><code>mermaid</code></td> <td>Diagram validation</td> </tr> <tr> <td><code>eraser</code></td> <td>Diagram creation (Eraser.io)</td> </tr> <tr> <td><code>firecrawl</code></td> <td>Web scraping and search</td> </tr> <tr> <td><code>cloudflare-docs</code></td> <td>CF documentation search</td> </tr> <tr> <td><code>repoql</code></td> <td>Semantic codebase queries</td> </tr> </tbody> </table> <h2 id="the-configuration">The Configuration </h2><p>MCP servers are configured in a <code>.mcp.json</code> file. I keep mine in the root of my home-ops repo so it&rsquo;s shared between VS Code and Claude Code CLI.</p> <style type="text/css"> .notice { --title-color: #fff; --title-background-color: #6be; --content-color: #444; --content-background-color: #e7f2fa; } .notice.info { --title-background-color: #fb7; --content-background-color: #fec; } .notice.tip { --title-background-color: #5a5; --content-background-color: #efe; } .notice.warning { --title-background-color: #c33; --content-background-color: #fee; } @media (prefers-color-scheme:dark) { .notice { --title-color: #fff; --title-background-color: #069; --content-color: #ddd; --content-background-color: #023; } .notice.info { --title-background-color: #a50; --content-background-color: #420; } .notice.tip { --title-background-color: #363; --content-background-color: #121; } .notice.warning { --title-background-color: #800; --content-background-color: #400; } } body.dark .notice { --title-color: #fff; --title-background-color: #069; --content-color: #ddd; --content-background-color: #023; } body.dark .notice.info { --title-background-color: #a50; --content-background-color: #420; } body.dark .notice.tip { --title-background-color: #363; --content-background-color: #121; } body.dark .notice.warning { --title-background-color: #800; --content-background-color: #400; } .notice { padding: 18px; line-height: 24px; margin-bottom: 24px; border-radius: 4px; color: var(--content-color); background: var(--content-background-color); } .notice p:last-child { margin-bottom: 0 } .notice-title { margin: -18px -18px 12px; padding: 4px 18px; border-radius: 4px 4px 0 0; font-weight: 700; color: var(--title-color); background: var(--title-background-color); } .icon-notice { display: inline-flex; align-self: center; margin-right: 8px; } .icon-notice img, .icon-notice svg { height: 1em; width: 1em; fill: currentColor; } .icon-notice img, .icon-notice.baseline svg { top: .125em; position: relative; } </style><div class="notice info" > <p class="notice-title"> <span class="icon-notice baseline"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="92 59.5 300 300"> <path d="M292 303.25V272c0-3.516-2.734-6.25-6.25-6.25H267v-100c0-3.516-2.734-6.25-6.25-6.25h-62.5c-3.516 0-6.25 2.734-6.25 6.25V197c0 3.516 2.734 6.25 6.25 6.25H217v62.5h-18.75c-3.516 0-6.25 2.734-6.25 6.25v31.25c0 3.516 2.734 6.25 6.25 6.25h87.5c3.516 0 6.25-2.734 6.25-6.25Zm-25-175V97c0-3.516-2.734-6.25-6.25-6.25h-37.5c-3.516 0-6.25 2.734-6.25 6.25v31.25c0 3.516 2.734 6.25 6.25 6.25h37.5c3.516 0 6.25-2.734 6.25-6.25Zm125 81.25c0 82.813-67.188 150-150 150-82.813 0-150-67.188-150-150 0-82.813 67.188-150 150-150 82.813 0 150 67.188 150 150Z"/> </svg> </span> Info </p><p>MCP does not expand <code>~/</code> in paths. Always use full absolute paths like <code>/home/username/...</code> instead of <code>~/...</code> in your <code>.mcp.json</code> configuration.</p></div> <p>Here&rsquo;s the full config:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span><span class="lnt">70 </span><span class="lnt">71 </span><span class="lnt">72 </span><span class="lnt">73 </span><span class="lnt">74 </span><span class="lnt">75 </span><span class="lnt">76 </span><span class="lnt">77 </span><span class="lnt">78 </span><span class="lnt">79 </span><span class="lnt">80 </span><span class="lnt">81 </span><span class="lnt">82 </span><span class="lnt">83 </span><span class="lnt">84 </span><span class="lnt">85 </span><span class="lnt">86 </span><span class="lnt">87 </span><span class="lnt">88 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-json" data-lang="json"><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;mcpServers&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;kubernetes&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;command&#34;</span><span class="p">:</span> <span class="s2">&#34;npx&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;args&#34;</span><span class="p">:</span> <span class="p">[</span><span class="s2">&#34;-y&#34;</span><span class="p">,</span> <span class="s2">&#34;kubernetes-mcp-server@latest&#34;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="p">},</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;flux&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;command&#34;</span><span class="p">:</span> <span class="s2">&#34;flux-operator-mcp&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;args&#34;</span><span class="p">:</span> <span class="p">[</span><span class="s2">&#34;serve&#34;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="p">},</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;talos&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;command&#34;</span><span class="p">:</span> <span class="s2">&#34;/home/&lt;user&gt;/mcp/talos/.venv/bin/python&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;args&#34;</span><span class="p">:</span> <span class="p">[</span><span class="s2">&#34;/home/&lt;user&gt;/mcp/talos/src/talos_mcp/server.py&#34;</span><span class="p">],</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;env&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;TALOSCONFIG&#34;</span><span class="p">:</span> <span class="s2">&#34;/home/&lt;user&gt;/home-ops/talosconfig&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">},</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;helm&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;command&#34;</span><span class="p">:</span> <span class="s2">&#34;/home/&lt;user&gt;/mcp/mcp-helm&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;args&#34;</span><span class="p">:</span> <span class="p">[</span><span class="s2">&#34;-mode=stdio&#34;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="p">},</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;grafana&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;command&#34;</span><span class="p">:</span> <span class="s2">&#34;/home/&lt;user&gt;/go/bin/mcp-grafana&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;env&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;GRAFANA_URL&#34;</span><span class="p">:</span> <span class="s2">&#34;${GRAFANA_URL}&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;GRAFANA_SERVICE_ACCOUNT_TOKEN&#34;</span><span class="p">:</span> <span class="s2">&#34;${GRAFANA_SERVICE_ACCOUNT_TOKEN}&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">},</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;shell&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;command&#34;</span><span class="p">:</span> <span class="s2">&#34;uvx&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;args&#34;</span><span class="p">:</span> <span class="p">[</span><span class="s2">&#34;mcp-shell-server&#34;</span><span class="p">],</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;env&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;ALLOW_COMMANDS&#34;</span><span class="p">:</span> <span class="s2">&#34;ls,cat,pwd,grep,wc,find,head,tail,sort,uniq,cut,tr,sed,awk,jq,yq,kubectl,flux,talosctl,task,git,docker,helm&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">},</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;mermaid&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;command&#34;</span><span class="p">:</span> <span class="s2">&#34;npx&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;args&#34;</span><span class="p">:</span> <span class="p">[</span><span class="s2">&#34;-y&#34;</span><span class="p">,</span> <span class="s2">&#34;@probelabs/maid-mcp&#34;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="p">},</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;eraser&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;command&#34;</span><span class="p">:</span> <span class="s2">&#34;docker&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;args&#34;</span><span class="p">:</span> <span class="p">[</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;run&#34;</span><span class="p">,</span> <span class="s2">&#34;-i&#34;</span><span class="p">,</span> <span class="s2">&#34;--rm&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;-e&#34;</span><span class="p">,</span> <span class="s2">&#34;ERASER_API_KEY=${ERASER_API_KEY}&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;eraser-mcp:claude&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="p">},</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;github&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;command&#34;</span><span class="p">:</span> <span class="s2">&#34;/home/&lt;user&gt;/mcp/github-mcp-server&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;args&#34;</span><span class="p">:</span> <span class="p">[</span><span class="s2">&#34;stdio&#34;</span><span class="p">],</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;env&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;GITHUB_PERSONAL_ACCESS_TOKEN&#34;</span><span class="p">:</span> <span class="s2">&#34;${GITHUB_PERSONAL_ACCESS_TOKEN}&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">},</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;prometheus&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;command&#34;</span><span class="p">:</span> <span class="s2">&#34;npx&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;args&#34;</span><span class="p">:</span> <span class="p">[</span><span class="s2">&#34;-y&#34;</span><span class="p">,</span> <span class="s2">&#34;prometheus-mcp@latest&#34;</span><span class="p">,</span> <span class="s2">&#34;stdio&#34;</span><span class="p">],</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;env&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;PROMETHEUS_URL&#34;</span><span class="p">:</span> <span class="s2">&#34;${PROMETHEUS_URL}&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">},</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;databases&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;command&#34;</span><span class="p">:</span> <span class="s2">&#34;uvx&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;args&#34;</span><span class="p">:</span> <span class="p">[</span><span class="s2">&#34;database-mcp&#34;</span><span class="p">],</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;env&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;DB_CONFIGS&#34;</span><span class="p">:</span> <span class="s2">&#34;${DB_CONFIGS}&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">},</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;firecrawl&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;command&#34;</span><span class="p">:</span> <span class="s2">&#34;npx&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;args&#34;</span><span class="p">:</span> <span class="p">[</span><span class="s2">&#34;-y&#34;</span><span class="p">,</span> <span class="s2">&#34;firecrawl-mcp&#34;</span><span class="p">],</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;env&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;FIRECRAWL_API_KEY&#34;</span><span class="p">:</span> <span class="s2">&#34;${FIRECRAWL_API_KEY}&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">},</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;cloudflare-docs&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;command&#34;</span><span class="p">:</span> <span class="s2">&#34;npx&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;args&#34;</span><span class="p">:</span> <span class="p">[</span><span class="s2">&#34;-y&#34;</span><span class="p">,</span> <span class="s2">&#34;mcp-remote&#34;</span><span class="p">,</span> <span class="s2">&#34;https://docs.mcp.cloudflare.com/mcp&#34;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">},</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;servers&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;repoql&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;type&#34;</span><span class="p">:</span> <span class="s2">&#34;stdio&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;command&#34;</span><span class="p">:</span> <span class="s2">&#34;/home/&lt;user&gt;/mcp/repoql&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;args&#34;</span><span class="p">:</span> <span class="p">[</span><span class="s2">&#34;mcp&#34;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="environment-variables">Environment Variables </h2><p>Sensitive values like API keys and tokens live in a <code>~/.secrets</code> file that gets sourced by my shell:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># ~/.secrets</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># API Keys</span> </span></span><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">ERASER_API_KEY</span><span class="o">=</span>your-eraser-api-key </span></span><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">FIRECRAWL_API_KEY</span><span class="o">=</span>your-firecrawl-key </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># GitHub</span> </span></span><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">GITHUB_PERSONAL_ACCESS_TOKEN</span><span class="o">=</span>ghp_xxxxx </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Grafana</span> </span></span><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">GRAFANA_URL</span><span class="o">=</span>https://grafana.yourdomain.com </span></span><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">GRAFANA_SERVICE_ACCOUNT_TOKEN</span><span class="o">=</span>glsa_xxxxx </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Prometheus</span> </span></span><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">PROMETHEUS_URL</span><span class="o">=</span>https://prometheus.yourdomain.com </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Database MCP Config</span> </span></span><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">DB_CONFIGS</span><span class="o">=</span><span class="s1">&#39;[{&#34;id&#34;:&#34;postgres&#34;,&#34;db_type&#34;:&#34;pg&#34;,&#34;configuration&#34;:{&#34;host&#34;:&#34;10.x.x.x&#34;,&#34;port&#34;:5432,&#34;user&#34;:&#34;postgres&#34;,&#34;password&#34;:&#34;yourpassword&#34;,&#34;dbname&#34;:&#34;postgres&#34;},&#34;description&#34;:&#34;CloudNative-PG&#34;},{&#34;id&#34;:&#34;mariadb&#34;,&#34;db_type&#34;:&#34;mysql&#34;,&#34;configuration&#34;:{&#34;host&#34;:&#34;10.x.x.x&#34;,&#34;port&#34;:3306,&#34;user&#34;:&#34;root&#34;,&#34;password&#34;:&#34;yourpassword&#34;,&#34;database&#34;:&#34;mysql&#34;},&#34;description&#34;:&#34;MariaDB&#34;}]&#39;</span> </span></span></code></pre></td></tr></table> </div> </div><p>Source this in your <code>.zshrc</code> or <code>.bashrc</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="o">[</span> -f ~/.secrets <span class="o">]</span> <span class="o">&amp;&amp;</span> <span class="nb">source</span> ~/.secrets </span></span></code></pre></td></tr></table> </div> </div><h2 id="server-specific-setup">Server-Specific Setup </h2><h3 id="grafana-service-account">Grafana Service Account </h3><p>Grafana MCP needs a service account token. Here&rsquo;s how to create one programmatically:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Port-forward to Grafana</span> </span></span><span class="line"><span class="cl">kubectl port-forward -n observability svc/grafana 3000:80 <span class="p">&amp;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Get admin credentials</span> </span></span><span class="line"><span class="cl">kubectl get secret -n observability grafana-admin-secret -o <span class="nv">jsonpath</span><span class="o">=</span><span class="s1">&#39;{.data.GF_SECURITY_ADMIN_USER}&#39;</span> <span class="p">|</span> base64 -d </span></span><span class="line"><span class="cl">kubectl get secret -n observability grafana-admin-secret -o <span class="nv">jsonpath</span><span class="o">=</span><span class="s1">&#39;{.data.GF_SECURITY_ADMIN_PASSWORD}&#39;</span> <span class="p">|</span> base64 -d </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Create service account with Viewer role</span> </span></span><span class="line"><span class="cl">curl -X POST http://localhost:3000/api/serviceaccounts <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -H <span class="s2">&#34;Content-Type: application/json&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -u <span class="s2">&#34;admin:yourpassword&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -d <span class="s1">&#39;{&#34;name&#34;: &#34;mcp-grafana-reader&#34;, &#34;role&#34;: &#34;Viewer&#34;}&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Generate token (replace SERVICE_ACCOUNT_ID with the ID from above)</span> </span></span><span class="line"><span class="cl">curl -X POST http://localhost:3000/api/serviceaccounts/SERVICE_ACCOUNT_ID/tokens <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -H <span class="s2">&#34;Content-Type: application/json&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -u <span class="s2">&#34;admin:yourpassword&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -d <span class="s1">&#39;{&#34;name&#34;: &#34;mcp-token&#34;}&#39;</span> </span></span></code></pre></td></tr></table> </div> </div><p>Save the token to your <code>~/.secrets</code> file.</p> <h3 id="eraser-docker">Eraser (Docker) </h3><p>The Eraser MCP server isn&rsquo;t on npm, so I built it locally as a Docker container:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="nb">cd</span> /home/&lt;user&gt;/mcp/eraser </span></span><span class="line"><span class="cl">docker build -t eraser-mcp:claude . </span></span></code></pre></td></tr></table> </div> </div><p>The config references this local image and passes the API key via environment variable.</p> <h3 id="databases">Databases </h3><p>The <code>database-mcp</code> package expects a <code>DB_CONFIGS</code> environment variable containing JSON configuration. Important: it only supports <code>pg</code> (PostgreSQL), <code>mysql</code> (MariaDB/MySQL), <code>mssql</code>, <code>bigquery</code>, <code>oracle</code>, and <code>sqlite</code>. Redis/DragonflyDB are <strong>not supported</strong>.</p> <h2 id="testing-your-setup">Testing Your Setup </h2><p>After configuring everything, restart VS Code and check the MCP servers are loading. You can test individual servers:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># In Claude Code or VS Code with Claude extension</span> </span></span><span class="line"><span class="cl"><span class="c1"># Just ask Claude to use the tools:</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="s2">&#34;List all Flux Kustomizations&#34;</span> </span></span><span class="line"><span class="cl"><span class="s2">&#34;Query Prometheus for node memory usage&#34;</span> </span></span><span class="line"><span class="cl"><span class="s2">&#34;Show me the Grafana datasources&#34;</span> </span></span><span class="line"><span class="cl"><span class="s2">&#34;List tables in the postgres database&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><p>If a server fails to load, check the VS Code Output panel (View → Output → select &ldquo;Claude&rdquo; from dropdown) for error messages.</p> <hr> <h2 id="the-journey-challenges-and-fixes">The Journey: Challenges and Fixes </h2><p>What follows is the debugging saga. If you just wanted the guide, you&rsquo;re done — go forth and MCP. But if you&rsquo;re troubleshooting issues or just enjoy watching someone else suffer through config errors, read on.</p> <h3 id="grafana-401-unauthorized">Grafana: 401 Unauthorized </h3><p><strong>Symptom:</strong> Grafana MCP failed with <code>401 Unauthorized</code></p> <p><strong>Cause:</strong> No authentication configured. The MCP server needs either basic auth or a service account token.</p> <p><strong>Fix:</strong> Created a service account with Viewer role (see setup above). The token goes in <code>GRAFANA_SERVICE_ACCOUNT_TOKEN</code>.</p> <h3 id="talos-no-talos-configuration-loaded">Talos: &ldquo;No Talos configuration loaded&rdquo; </h3><p><strong>Symptom:</strong> All Talos MCP tools returned &ldquo;No Talos configuration loaded&rdquo;</p> <p><strong>Cause:</strong> Bug in the Talos MCP server — it wasn&rsquo;t reading the <code>TALOSCONFIG</code> environment variable. The code instantiated <code>TalosClient()</code> without passing the config path.</p> <p><strong>Fix:</strong> Modified <code>/home/&lt;user&gt;/mcp/talos/src/talos_mcp/server.py</code> line 115:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="c1"># Before</span> </span></span><span class="line"><span class="cl"><span class="n">talos_client</span> <span class="o">=</span> <span class="n">TalosClient</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># After</span> </span></span><span class="line"><span class="cl"><span class="n">talos_client</span> <span class="o">=</span> <span class="n">TalosClient</span><span class="p">(</span><span class="n">config_path</span><span class="o">=</span><span class="n">os</span><span class="o">.</span><span class="n">environ</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="s2">&#34;TALOSCONFIG&#34;</span><span class="p">))</span> </span></span></code></pre></td></tr></table> </div> </div><p>I submitted a PR for this fix: <a class="link" href="https://github.com/ry-ops/talos-mcp-server/pull/1" target="_blank" rel="noopener" >https://github.com/ry-ops/talos-mcp-server/pull/1</a></p> <h3 id="databases-unsupported-database-type-redis">Databases: &ldquo;Unsupported database type: redis&rdquo; </h3><p><strong>Symptom:</strong> Database MCP failed to start entirely</p> <p><strong>Cause:</strong> I had DragonflyDB (Redis-compatible) in my <code>DB_CONFIGS</code> with <code>&quot;db_type&quot;:&quot;redis&quot;</code>. The <code>database-mcp</code> package doesn&rsquo;t support Redis.</p> <p><strong>Fix:</strong> Removed the DragonflyDB entry from <code>DB_CONFIGS</code>. Only PostgreSQL and MariaDB remain.</p> <h3 id="databases-environment-variable-expansion">Databases: Environment Variable Expansion </h3><p><strong>Symptom:</strong> Database passwords weren&rsquo;t being used — connection failures</p> <p><strong>Cause:</strong> I had nested environment variables in <code>.mcp.json</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-json" data-lang="json"><span class="line"><span class="cl"><span class="s2">&#34;DB_CONFIGS&#34;</span><span class="err">:</span> <span class="s2">&#34;[{...\&#34;password\&#34;:\&#34;${CNPG_PASSWORD}\&#34;...}]&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><p>The shell doesn&rsquo;t expand <code>${CNPG_PASSWORD}</code> inside a JSON string inside an env var.</p> <p><strong>Fix:</strong> Moved the entire <code>DB_CONFIGS</code> JSON (with passwords pre-embedded) to <code>~/.secrets</code>. The <code>.mcp.json</code> just references <code>${DB_CONFIGS}</code> which expands to the full JSON.</p> <h3 id="mermaid-package-name-change">Mermaid: Package Name Change </h3><p><strong>Symptom:</strong> Mermaid MCP failed with &ldquo;Connection closed&rdquo;</p> <p><strong>Cause:</strong> Package moved from <code>@probelabs/maid mcp</code> to <code>@probelabs/maid-mcp</code></p> <p><strong>Fix:</strong> Updated the args in <code>.mcp.json</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-json" data-lang="json"><span class="line"><span class="cl"><span class="s2">&#34;args&#34;</span><span class="err">:</span> <span class="p">[</span><span class="s2">&#34;-y&#34;</span><span class="p">,</span> <span class="s2">&#34;@probelabs/maid-mcp&#34;</span><span class="p">]</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="eraser-npm-404">Eraser: npm 404 </h3><p><strong>Symptom:</strong> <code>npm error 404 Not Found - eraser-io-mcp-server</code></p> <p><strong>Cause:</strong> The package <code>eraser-io-mcp-server</code> doesn&rsquo;t exist on npm. The only Eraser MCP is a GitHub repo that needs to be built locally.</p> <p><strong>Fix:</strong> Cloned the repo, built a Docker image, and configured MCP to run it via Docker:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-json" data-lang="json"><span class="line"><span class="cl"><span class="s2">&#34;eraser&#34;</span><span class="err">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;command&#34;</span><span class="p">:</span> <span class="s2">&#34;docker&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;args&#34;</span><span class="p">:</span> <span class="p">[</span><span class="s2">&#34;run&#34;</span><span class="p">,</span> <span class="s2">&#34;-i&#34;</span><span class="p">,</span> <span class="s2">&#34;--rm&#34;</span><span class="p">,</span> <span class="s2">&#34;-e&#34;</span><span class="p">,</span> <span class="s2">&#34;ERASER_API_KEY=${ERASER_API_KEY}&#34;</span><span class="p">,</span> <span class="s2">&#34;eraser-mcp:claude&#34;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="filesystem-redundant">Filesystem: Redundant </h3><p><strong>Symptom:</strong> Filesystem MCP showed &ldquo;Failed to fetch tools&rdquo;</p> <p><strong>Cause:</strong> The filesystem MCP requires allowed directories to be specified in args. Without them, it has no permissions and exposes no tools.</p> <p><strong>Resolution:</strong> Removed it entirely. The shell MCP already handles file operations via <code>cat</code>, <code>ls</code>, etc., plus gives access to kubectl/flux/talosctl. Filesystem MCP was redundant.</p> <h2 id="context-usage-the-cost-of-power">Context Usage: The Cost of Power </h2><p>One thing worth knowing: MCP tools consume tokens. Each tool definition takes up space in Claude&rsquo;s context window, and with 14 servers loaded, it adds up fast.</p> <p>You can check your context usage anytime by running <code>/context</code> in Claude Code:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-gdscript3" data-lang="gdscript3"><span class="line"><span class="cl"><span class="n">Context</span> <span class="n">Usage</span> </span></span><span class="line"><span class="cl"><span class="n">Model</span><span class="p">:</span> <span class="n">claude</span><span class="o">-</span><span class="n">opus</span><span class="o">-</span><span class="mi">4</span><span class="o">-</span><span class="mi">5</span><span class="o">-</span><span class="mi">20251101</span> </span></span><span class="line"><span class="cl"><span class="n">Tokens</span><span class="p">:</span> <span class="mf">199.6</span><span class="n">k</span> <span class="o">/</span> <span class="mf">200.0</span><span class="n">k</span> <span class="p">(</span><span class="mi">100</span><span class="o">%</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">Categories</span> </span></span><span class="line"><span class="cl"><span class="n">Category</span> <span class="n">Tokens</span> <span class="n">Percentage</span> </span></span><span class="line"><span class="cl"><span class="n">System</span> <span class="n">prompt</span> <span class="mf">3.0</span><span class="n">k</span> <span class="mf">1.5</span><span class="o">%</span> </span></span><span class="line"><span class="cl"><span class="n">System</span> <span class="n">tools</span> <span class="mf">13.9</span><span class="n">k</span> <span class="mf">6.9</span><span class="o">%</span> </span></span><span class="line"><span class="cl"><span class="n">MCP</span> <span class="n">tools</span> <span class="mf">137.3</span><span class="n">k</span> <span class="mf">68.7</span><span class="o">%</span> </span></span><span class="line"><span class="cl"><span class="n">Memory</span> <span class="n">files</span> <span class="mi">460</span> <span class="mf">0.2</span><span class="o">%</span> </span></span><span class="line"><span class="cl"><span class="n">Messages</span> <span class="mi">8</span> <span class="mf">0.0</span><span class="o">%</span> </span></span><span class="line"><span class="cl"><span class="n">Free</span> <span class="n">space</span> <span class="mi">375</span> <span class="mf">0.2</span><span class="o">%</span> </span></span><span class="line"><span class="cl"><span class="n">Autocompact</span> <span class="n">buffer</span> <span class="mf">45.0</span><span class="n">k</span> <span class="mf">22.5</span><span class="o">%</span> </span></span></code></pre></td></tr></table> </div> </div><p>Yeah, <strong>137k tokens just for MCP tool definitions</strong>. That&rsquo;s 68% of the context window before Claude even reads a single file or responds to a message.</p> <p>Some of the heavier servers by token count:</p> <table> <thead> <tr> <th>Server</th> <th>Tools</th> <th>~Tokens</th> </tr> </thead> <tbody> <tr> <td>grafana</td> <td>55 tools</td> <td>~42k</td> </tr> <tr> <td>github</td> <td>42 tools</td> <td>~30k</td> </tr> <tr> <td>flux</td> <td>17 tools</td> <td>~11k</td> </tr> <tr> <td>kubernetes</td> <td>21 tools</td> <td>~14k</td> </tr> <tr> <td>repoql</td> <td>3 tools</td> <td>~4.5k</td> </tr> <tr> <td>firecrawl</td> <td>6 tools</td> <td>~8.5k</td> </tr> </tbody> </table> <p>If you&rsquo;re hitting context limits, consider disabling servers you don&rsquo;t actively need. The shell MCP alone (716 tokens) gives you kubectl/flux/talosctl access — you might not need the dedicated kubernetes MCP (14k tokens) for basic queries.</p> <h2 id="wrapping-up">Wrapping Up </h2><p>14 MCP servers later, Claude can now:</p> <ul> <li>Check my Flux reconciliation status</li> <li>Query Prometheus metrics</li> <li>List Grafana dashboards and datasources</li> <li>Run SQL queries against my databases</li> <li>Create diagrams on Eraser.io</li> <li>Execute controlled shell commands</li> <li>Search and read GitHub repos</li> </ul> <p>Is it overkill? Probably. Is it fun watching an AI debug my cluster at 2am while I drink coffee? Absolutely.</p> <p>The config is in my <a class="link" href="https://github.com/gavinmcfall/home-ops" target="_blank" rel="noopener" >home-ops repo</a> if you want to steal it.</p> https://blog.nerdz.cloud/2025/talos-dr-reset/ Fri, 21 Nov 2025 00:00:00 +1300 https://blog.nerdz.cloud/2025/talos-dr-reset/ <blockquote> <p>&ldquo;When in doubt: <code>blkdiscard</code>, <code>talhelper</code>, a good <code>taskfile</code>, and a mug of coffee&hellip;or in my case Musashi Energy - lemonade&rdquo;</p> </blockquote> <h2 id="why-i-nuked-the-cluster">Why I nuked the cluster </h2><p>I wanted to simplify how Flux applies applications. Historically the top-level Kustomize for every workload lived inside <code>flux-system</code>, which meant lots of cross-namespace references and annoyingly long paths. The plan was to move each app&rsquo;s Flux <code>Kustomization</code> into the namespace it actually manages so that <code>kubernetes/apps/&lt;namespace&gt;/&lt;app&gt;/ks.yaml</code> is the single source of truth.</p> <p>That migration touched everything that rolls pods, including storage. Rook-Ceph saw the new manifests, decided that it needed to reconcile, and immediately tripped over the existing OSD data on disk. The net result: the operator kept trying to reformat disks that still held live block devices, the rollout failed in a messy state, and the cluster stopped scheduling anything critical. At that point it was faster (and safer) to pave the nodes and start clean than it was to try to coax Rook back to health while half the controllers were stuck.</p> <style type="text/css"> .notice { --title-color: #fff; --title-background-color: #6be; --content-color: #444; --content-background-color: #e7f2fa; } .notice.info { --title-background-color: #fb7; --content-background-color: #fec; } .notice.tip { --title-background-color: #5a5; --content-background-color: #efe; } .notice.warning { --title-background-color: #c33; --content-background-color: #fee; } @media (prefers-color-scheme:dark) { .notice { --title-color: #fff; --title-background-color: #069; --content-color: #ddd; --content-background-color: #023; } .notice.info { --title-background-color: #a50; --content-background-color: #420; } .notice.tip { --title-background-color: #363; --content-background-color: #121; } .notice.warning { --title-background-color: #800; --content-background-color: #400; } } body.dark .notice { --title-color: #fff; --title-background-color: #069; --content-color: #ddd; --content-background-color: #023; } body.dark .notice.info { --title-background-color: #a50; --content-background-color: #420; } body.dark .notice.tip { --title-background-color: #363; --content-background-color: #121; } body.dark .notice.warning { --title-background-color: #800; --content-background-color: #400; } .notice { padding: 18px; line-height: 24px; margin-bottom: 24px; border-radius: 4px; color: var(--content-color); background: var(--content-background-color); } .notice p:last-child { margin-bottom: 0 } .notice-title { margin: -18px -18px 12px; padding: 4px 18px; border-radius: 4px 4px 0 0; font-weight: 700; color: var(--title-color); background: var(--title-background-color); } .icon-notice { display: inline-flex; align-self: center; margin-right: 8px; } .icon-notice img, .icon-notice svg { height: 1em; width: 1em; fill: currentColor; } .icon-notice img, .icon-notice.baseline svg { top: .125em; position: relative; } </style><div class="notice info" > <p class="notice-title"> <span class="icon-notice baseline"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="92 59.5 300 300"> <path d="M292 303.25V272c0-3.516-2.734-6.25-6.25-6.25H267v-100c0-3.516-2.734-6.25-6.25-6.25h-62.5c-3.516 0-6.25 2.734-6.25 6.25V197c0 3.516 2.734 6.25 6.25 6.25H217v62.5h-18.75c-3.516 0-6.25 2.734-6.25 6.25v31.25c0 3.516 2.734 6.25 6.25 6.25h87.5c3.516 0 6.25-2.734 6.25-6.25Zm-25-175V97c0-3.516-2.734-6.25-6.25-6.25h-37.5c-3.516 0-6.25 2.734-6.25 6.25v31.25c0 3.516 2.734 6.25 6.25 6.25h37.5c3.516 0 6.25-2.734 6.25-6.25Zm125 81.25c0 82.813-67.188 150-150 150-82.813 0-150-67.188-150-150 0-82.813 67.188-150 150-150 82.813 0 150 67.188 150 150Z"/> </svg> </span> Info </p><p>I&rsquo;m assuming you are also doing DR, so you will have the existing CLI tools installed</p></div> <h2 id="wiping-the-nodes">Wiping the nodes </h2><p>I keep a USB stick with <code>ubuntu-24.04.3-desktop-amd64.iso</code> around for this exact situation. Live-booting into &ldquo;Try Ubuntu&rdquo; gives me a predictable environment, modern nvme-cli, and a desktop for sanity checks. On each node (Stanton-01/02/03) I confirmed the disks with <code>lsblk</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">lsblk </span></span></code></pre></td></tr></table> </div> </div><p>My Talos install lives on two NVMe devices:</p> <p><code>nvme1n1</code> (990 GB)</p> <ul> <li>The TalosOS Disk</li> <li>Where Open EBS hostpath PVCs live</li> </ul> <p><code>nvme0n1</code> (1.75 TB)</p> <ul> <li>Dedicated RookCeph Disk</li> <li>Runs on a <a class="link" href="https://gist.github.com/gavinmcfall/ea6cb1233d3a300e9f44caf65a32d519" target="_blank" rel="noopener" >Thunderbolt ring network</a></li> </ul> <p>Once confirmed, I zeroed the flash translation layer and wiped the labels:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo blkdiscard -f /dev/nvme0n1 </span></span><span class="line"><span class="cl">sudo blkdiscard -f /dev/nvme1n1 </span></span><span class="line"><span class="cl">sudo wipefs -a /dev/nvme0n1 </span></span><span class="line"><span class="cl">sudo wipefs -a /dev/nvme1n1 </span></span></code></pre></td></tr></table> </div> </div><h3 id="wiping-disks">Wiping Disks </h3><p><img src="https://blog.nerdz.cloud/2025/talos-dr-reset/wiping-disks.png" width="747" height="525" srcset="https://blog.nerdz.cloud/2025/talos-dr-reset/wiping-disks_hu10337863216965195117.png 480w, https://blog.nerdz.cloud/2025/talos-dr-reset/wiping-disks_hu14291481262216667360.png 1024w" loading="lazy" alt="Wiping Disks" class="gallery-image" data-flex-grow="142" data-flex-basis="341px" ></p> <p>Then I ran fdisk to take a look at the NVMEs</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo fdisk -l </span></span></code></pre></td></tr></table> </div> </div><h3 id="running-fdisk-l">Running fdisk-l </h3><p><img src="https://blog.nerdz.cloud/fdisk-output.png" loading="lazy" alt="fdisk -l" ></p> <p><code>blkdiscard</code> is the important bit for Rook. It makes sure the SSD firmware really forgets the previous partitions, which prevents Ceph from thinking an OSD is already provisioned the next time it boots. A final <code>lsblk</code>/<code>fdisk -l</code> confirmed that both drives were back to &ldquo;disk only&rdquo; with no partitions or filesystems.</p> <p>What we are looking to see here is that neither disk has any partitions on it (which we do see). After all the machines are wiped, we are ready to move on.</p> <p>Power down the machines, remove the Ubuntu media and prep the Talos media.</p> <p>I should note. I have a dedicated <a class="link" href="https://jetkvm.com/products/jetkvm" target="_blank" rel="noopener" >JetKVM</a> per Talos Node so I can easily view what the machine is doing, from the browser of my desktop computer. No need for KB/Mouse/Monitor on the actual machines. In addition, I run the JetKVM <a class="link" href="https://jetkvm.com/products/dc-power-control" target="_blank" rel="noopener" >DC Power Control Extension</a> so I can remotely power on and off the machines.</p> <h2 id="refreshing-the-talos-media">Refreshing the Talos media </h2><p>All three nodes share the same Talos schematic (<code>d009fe7b4f1bcd11a45d6ffd17e59921b0a33bc437eebb53cffb9a5b3b9e2992</code>) which is baked into my existing <code>talosconfig</code>. That meant I could download the matching ISO straight from the factory and know it would have the right kernel modules, Thunderbolt NIC support, and SecureBoot bits:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">wget https://factory.talos.dev/image/d009fe7b4f1bcd11a45d6ffd17e59921b0a33bc437eebb53cffb9a5b3b9e2992/v1.11.5/metal-amd64.iso </span></span></code></pre></td></tr></table> </div> </div><p>I still write it out with Rufus on a Windows machine because it&rsquo;s the quickest way to prepare three bootable USB sticks. Live-boot Talos, point it at the controller VIP, and wait for maintenance mode.</p> <p>For this I have 3 Identical Tesla 128GB USB Sticks (Two of which came out of our cars, the 3rd I grabbed from FB Marketplace)</p> <p><img src="https://blog.nerdz.cloud/2025/talos-dr-reset/tesla-usb-small.png" width="1024" height="1024" srcset="https://blog.nerdz.cloud/2025/talos-dr-reset/tesla-usb-small_hu8718640251784866520.png 480w, https://blog.nerdz.cloud/2025/talos-dr-reset/tesla-usb-small_hu11021477003139833112.png 1024w" loading="lazy" alt="USB Sticks" class="gallery-image" data-flex-grow="100" data-flex-basis="240px" ></p> <h2 id="talhelper-task-and-my-bootstrap-workflow">talhelper, Task, and my bootstrap workflow </h2><p>Everything from this point lives in <a class="link" href="https://github.com/gavinmcfall/home-ops" target="_blank" rel="noopener" ><code>gavinmcfall/home-ops</code></a>, which keeps Talos, Flux, and the apps in Git. Two files matter for bootstrap:</p> <ul> <li><code>kubernetes/bootstrap/talos/talconfig.yaml</code> – the talhelper definition of the cluster (VIP <code>10.90.3.100</code>, Thunderbolt cross-connects, bonded Intel NICs, etc.).</li> <li><code>.taskfiles/Talos/Taskfile.yaml</code> – wraps the talhelper commands so I don&rsquo;t fat-finger args.</li> </ul> <p>The <code>talos:bootstrap</code> task is essentially:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">task talos:bootstrap </span></span><span class="line"><span class="cl"><span class="c1"># expands to:</span> </span></span><span class="line"><span class="cl">talhelper gensecret &gt; kubernetes/bootstrap/talos/talsecret.sops.yaml </span></span><span class="line"><span class="cl">talhelper genconfig --config-file .../talconfig.yaml --secret-file .../talsecret.sops.yaml --out-dir .../clusterconfig </span></span><span class="line"><span class="cl">talhelper gencommand apply --insecure <span class="p">|</span> bash </span></span><span class="line"><span class="cl">talhelper gencommand bootstrap <span class="p">|</span> bash </span></span><span class="line"><span class="cl">task talos:fetch-kubeconfig </span></span><span class="line"><span class="cl">task talos:install-helm-apps </span></span><span class="line"><span class="cl">talosctl health --server<span class="o">=</span><span class="nb">false</span> </span></span></code></pre></td></tr></table> </div> </div><p>That installs Talos to all three NVMe devices, boots them into the control plane, then waits for etcd to converge. The follow-up <code>install-helm-apps</code> task runs <code>kubernetes/bootstrap/helmfile.yaml</code>, which deploys the CRDs Cilium needs, Cilium itself, CoreDNS, and Spegel so talosctl can start reporting node health correctly.</p> <p>Because the Talos VIP and Thunderbolt-only links are described directly inside <code>talconfig.yaml</code>, there is nothing manual to do after the ISO is written. The KubePrism SAN, bonded NIC configuration, and node-specific Thunderbolt routes are reapplied automatically. That&rsquo;s the magic of keeping talconfig and the cluster secrets in Git.</p> <h3 id="doing-a-dry-run">Doing a dry run </h3><p>Before I actually pipe <code>talhelper gencommand apply</code> into <code>bash</code>, I like to rehearse the entire sequence so I know Talos will accept the configs:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="nb">cd</span> /home/gavin/home-ops/kubernetes/bootstrap/talos </span></span></code></pre></td></tr></table> </div> </div><h4 id="1-generate-configs-safe-local-files-only">1. Generate configs (safe, local files only) </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">talhelper genconfig --config-file talconfig.yaml --secret-file talsecret.sops.yaml --out-dir clusterconfig </span></span></code></pre></td></tr></table> </div> </div><p>Output:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">generated config <span class="k">for</span> stanton-01 in clusterconfig/home-kubernetes-stanton-01.yaml </span></span><span class="line"><span class="cl">generated config <span class="k">for</span> stanton-02 in clusterconfig/home-kubernetes-stanton-02.yaml </span></span><span class="line"><span class="cl">generated config <span class="k">for</span> stanton-03 in clusterconfig/home-kubernetes-stanton-03.yaml </span></span><span class="line"><span class="cl">generated client config in clusterconfig/talosconfig </span></span><span class="line"><span class="cl">generated .gitignore file in clusterconfig/.gitignore </span></span></code></pre></td></tr></table> </div> </div><h4 id="2-preview-the-applybootstrap-commands">2. Preview the apply/bootstrap commands </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">talhelper gencommand apply --extra-flags<span class="o">=</span><span class="s2">&#34;--insecure&#34;</span> --config-file talconfig.yaml --out-dir clusterconfig </span></span></code></pre></td></tr></table> </div> </div><p>Output:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">talosctl apply-config --talosconfig<span class="o">=</span>clusterconfig/talosconfig --nodes<span class="o">=</span>10.90.3.101 --file<span class="o">=</span>clusterconfig/home-kubernetes-stanton-01.yaml --insecure<span class="p">;</span> </span></span><span class="line"><span class="cl">talosctl apply-config --talosconfig<span class="o">=</span>clusterconfig/talosconfig --nodes<span class="o">=</span>10.90.3.102 --file<span class="o">=</span>clusterconfig/home-kubernetes-stanton-02.yaml --insecure<span class="p">;</span> </span></span><span class="line"><span class="cl">talosctl apply-config --talosconfig<span class="o">=</span>clusterconfig/talosconfig --nodes<span class="o">=</span>10.90.3.103 --file<span class="o">=</span>clusterconfig/home-kubernetes-stanton-03.yaml --insecure<span class="p">;</span> </span></span></code></pre></td></tr></table> </div> </div><h4 id="3-preview-bootstrap-command">3. Preview bootstrap command </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">talhelper gencommand bootstrap --config-file talconfig.yaml --out-dir clusterconfig </span></span></code></pre></td></tr></table> </div> </div><p>Output:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">talosctl bootstrap --talosconfig<span class="o">=</span>clusterconfig/talosconfig --nodes<span class="o">=</span>10.90.3.101<span class="p">;</span> </span></span></code></pre></td></tr></table> </div> </div><p>This is expected to only show one node, as Bootstrap initializes the cluster on a single node (stanton-01 in this case) and then the other nodes join it</p> <h4 id="4-dry-run-each-node">4. Dry-run each node </h4><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">talosctl apply-config --insecure --nodes 10.90.3.101 --file clusterconfig/home-kubernetes-stanton-01.yaml --dry-run </span></span><span class="line"><span class="cl">talosctl apply-config --insecure --nodes 10.90.3.102 --file clusterconfig/home-kubernetes-stanton-02.yaml --dry-run </span></span><span class="line"><span class="cl">talosctl apply-config --insecure --nodes 10.90.3.103 --file clusterconfig/home-kubernetes-stanton-03.yaml --dry-run </span></span></code></pre></td></tr></table> </div> </div><p>Output:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">Dry run summary: </span></span><span class="line"><span class="cl">Node is running in maintenance mode and does not have a config yet. </span></span></code></pre></td></tr></table> </div> </div><p>If like me you just swap the IP address when typing the command again and forget to swap the file name&hellip; e.g. <code>talosctl apply-config --insecure --nodes 10.90.3.102 --file clusterconfig/home-kubernetes-stanton-01.yaml --dry-run</code></p> <p>You will get an error:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">talosctl apply-config --insecure --nodes 10.90.3.102 --file clusterconfig/home-kubernetes-stanton-01.yaml --dry-run </span></span><span class="line"><span class="cl">error applying new configuration: rpc error: <span class="nv">code</span> <span class="o">=</span> InvalidArgument <span class="nv">desc</span> <span class="o">=</span> runtime configuration validation failed: <span class="m">1</span> error occurred: </span></span><span class="line"><span class="cl"> * no disks matched the expression: glob<span class="o">(</span><span class="s2">&#34;S73VNU0X303066H&#34;</span>, disk.serial<span class="o">)</span> <span class="o">&amp;&amp;</span> disk.transport !<span class="o">=</span> <span class="s2">&#34;&#34;</span> <span class="o">&amp;&amp;</span> !disk.readonly <span class="o">&amp;&amp;</span> </span></span><span class="line"><span class="cl">!disk.cdrom </span></span></code></pre></td></tr></table> </div> </div><p>Make sure if you are going to be lazy, you are also accurate — the dry run is there to catch mistakes before Talos ever touches a disk.</p> <p><code>talhelper genconfig</code> prints which files were created, while the <code>gencommand</code> invocations show the exact <code>talosctl</code> commands that <code>task talos:bootstrap</code> is about to execute. The last step validates that each node is sitting in maintenance mode and that Talos can match the disk selector defined for that specific host. Once everything looks good it’s time to let the task rip.</p> <h2 id="install-time">Install Time </h2><p><img src="https://blog.nerdz.cloud/2025/talos-dr-reset/dont-panic.webp" width="1080" height="1440" srcset="https://blog.nerdz.cloud/2025/talos-dr-reset/dont-panic_hu18150505468570920477.webp 480w, https://blog.nerdz.cloud/2025/talos-dr-reset/dont-panic_hu6779540369425736441.webp 1024w" loading="lazy" alt="Dont Panic" class="gallery-image" data-flex-grow="75" data-flex-basis="180px" ></p> <p>#ifYouKnowYouKnow</p> <p>The entire process took 6 minutes from the time I typed <code>task talos:bootstrap</code> to the time it was done. You will see connection errors and lots of other &ldquo;scary&rdquo; looking things, this is just because this process polls for things that are not &ldquo;up&rdquo; yet. Just wait, go make a drink, have a cookie.</p> <h3 id="running-task-talosbootstrap">Running <code>task talos:bootstrap</code> </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="nb">cd</span> /home/gavin/home-ops </span></span><span class="line"><span class="cl">task talos:bootstrap </span></span></code></pre></td></tr></table> </div> </div><p><code>task</code> runs every command defined in <code>.taskfiles/Talos/Taskfile.yaml</code>: it (re)generates Talos secrets if they’re missing, renders configs, applies them to each node, performs the one-time bootstrap on <code>stanton-01</code>, downloads the kubeconfig, and applies the bootstrap Helm apps (Cilium/CoreDNS/Spegel). If something fails midway I can rerun the task and it will pick up where it left off.</p> <p>Output:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt"> 10 </span><span class="lnt"> 11 </span><span class="lnt"> 12 </span><span class="lnt"> 13 </span><span class="lnt"> 14 </span><span class="lnt"> 15 </span><span class="lnt"> 16 </span><span class="lnt"> 17 </span><span class="lnt"> 18 </span><span class="lnt"> 19 </span><span class="lnt"> 20 </span><span class="lnt"> 21 </span><span class="lnt"> 22 </span><span class="lnt"> 23 </span><span class="lnt"> 24 </span><span class="lnt"> 25 </span><span class="lnt"> 26 </span><span class="lnt"> 27 </span><span class="lnt"> 28 </span><span class="lnt"> 29 </span><span class="lnt"> 30 </span><span class="lnt"> 31 </span><span class="lnt"> 32 </span><span class="lnt"> 33 </span><span class="lnt"> 34 </span><span class="lnt"> 35 </span><span class="lnt"> 36 </span><span class="lnt"> 37 </span><span class="lnt"> 38 </span><span class="lnt"> 39 </span><span class="lnt"> 40 </span><span class="lnt"> 41 </span><span class="lnt"> 42 </span><span class="lnt"> 43 </span><span class="lnt"> 44 </span><span class="lnt"> 45 </span><span class="lnt"> 46 </span><span class="lnt"> 47 </span><span class="lnt"> 48 </span><span class="lnt"> 49 </span><span class="lnt"> 50 </span><span class="lnt"> 51 </span><span class="lnt"> 52 </span><span class="lnt"> 53 </span><span class="lnt"> 54 </span><span class="lnt"> 55 </span><span class="lnt"> 56 </span><span class="lnt"> 57 </span><span class="lnt"> 58 </span><span class="lnt"> 59 </span><span class="lnt"> 60 </span><span class="lnt"> 61 </span><span class="lnt"> 62 </span><span class="lnt"> 63 </span><span class="lnt"> 64 </span><span class="lnt"> 65 </span><span class="lnt"> 66 </span><span class="lnt"> 67 </span><span class="lnt"> 68 </span><span class="lnt"> 69 </span><span class="lnt"> 70 </span><span class="lnt"> 71 </span><span class="lnt"> 72 </span><span class="lnt"> 73 </span><span class="lnt"> 74 </span><span class="lnt"> 75 </span><span class="lnt"> 76 </span><span class="lnt"> 77 </span><span class="lnt"> 78 </span><span class="lnt"> 79 </span><span class="lnt"> 80 </span><span class="lnt"> 81 </span><span class="lnt"> 82 </span><span class="lnt"> 83 </span><span class="lnt"> 84 </span><span class="lnt"> 85 </span><span class="lnt"> 86 </span><span class="lnt"> 87 </span><span class="lnt"> 88 </span><span class="lnt"> 89 </span><span class="lnt"> 90 </span><span class="lnt"> 91 </span><span class="lnt"> 92 </span><span class="lnt"> 93 </span><span class="lnt"> 94 </span><span class="lnt"> 95 </span><span class="lnt"> 96 </span><span class="lnt"> 97 </span><span class="lnt"> 98 </span><span class="lnt"> 99 </span><span class="lnt">100 </span><span class="lnt">101 </span><span class="lnt">102 </span><span class="lnt">103 </span><span class="lnt">104 </span><span class="lnt">105 </span><span class="lnt">106 </span><span class="lnt">107 </span><span class="lnt">108 </span><span class="lnt">109 </span><span class="lnt">110 </span><span class="lnt">111 </span><span class="lnt">112 </span><span class="lnt">113 </span><span class="lnt">114 </span><span class="lnt">115 </span><span class="lnt">116 </span><span class="lnt">117 </span><span class="lnt">118 </span><span class="lnt">119 </span><span class="lnt">120 </span><span class="lnt">121 </span><span class="lnt">122 </span><span class="lnt">123 </span><span class="lnt">124 </span><span class="lnt">125 </span><span class="lnt">126 </span><span class="lnt">127 </span><span class="lnt">128 </span><span class="lnt">129 </span><span class="lnt">130 </span><span class="lnt">131 </span><span class="lnt">132 </span><span class="lnt">133 </span><span class="lnt">134 </span><span class="lnt">135 </span><span class="lnt">136 </span><span class="lnt">137 </span><span class="lnt">138 </span><span class="lnt">139 </span><span class="lnt">140 </span><span class="lnt">141 </span><span class="lnt">142 </span><span class="lnt">143 </span><span class="lnt">144 </span><span class="lnt">145 </span><span class="lnt">146 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">task talos:bootstrap </span></span><span class="line"><span class="cl">task: <span class="o">[</span>talos:bootstrap<span class="o">]</span> <span class="k">if</span> <span class="o">[</span> ! -f <span class="s2">&#34;/home/gavin/home-ops/kubernetes/bootstrap/talos/talsecret.sops.yaml&#34;</span> <span class="o">]</span><span class="p">;</span> <span class="k">then</span> </span></span><span class="line"><span class="cl"> talhelper gensecret &gt; /home/gavin/home-ops/kubernetes/bootstrap/talos/talsecret.sops.yaml </span></span><span class="line"><span class="cl"> sops --encrypt --in-place /home/gavin/home-ops/kubernetes/bootstrap/talos/talsecret.sops.yaml </span></span><span class="line"><span class="cl"><span class="k">fi</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">task: <span class="o">[</span>talos:bootstrap<span class="o">]</span> talhelper genconfig --config-file /home/gavin/home-ops/kubernetes/bootstrap/talos/talconfig.yaml --secret-file /home/gavin/home-ops/kubernetes/bootstrap/talos/talsecret.sops.yaml --out-dir /home/gavin/home-ops/kubernetes/bootstrap/talos/clusterconfig </span></span><span class="line"><span class="cl">generated config <span class="k">for</span> stanton-01 in /home/gavin/home-ops/kubernetes/bootstrap/talos/clusterconfig/home-kubernetes-stanton-01.yaml </span></span><span class="line"><span class="cl">generated config <span class="k">for</span> stanton-02 in /home/gavin/home-ops/kubernetes/bootstrap/talos/clusterconfig/home-kubernetes-stanton-02.yaml </span></span><span class="line"><span class="cl">generated config <span class="k">for</span> stanton-03 in /home/gavin/home-ops/kubernetes/bootstrap/talos/clusterconfig/home-kubernetes-stanton-03.yaml </span></span><span class="line"><span class="cl">generated client config in /home/gavin/home-ops/kubernetes/bootstrap/talos/clusterconfig/talosconfig </span></span><span class="line"><span class="cl">generated .gitignore file in /home/gavin/home-ops/kubernetes/bootstrap/talos/clusterconfig/.gitignore </span></span><span class="line"><span class="cl">task: <span class="o">[</span>talos:bootstrap<span class="o">]</span> talhelper gencommand apply --extra-flags<span class="o">=</span><span class="s2">&#34;--insecure&#34;</span> --config-file /home/gavin/home-ops/kubernetes/bootstrap/talos/talconfig.yaml --out-dir /home/gavin/home-ops/kubernetes/bootstrap/talos/clusterconfig <span class="p">|</span> bash </span></span><span class="line"><span class="cl">task: <span class="o">[</span>talos:bootstrap<span class="o">]</span> <span class="k">until</span> talhelper gencommand bootstrap --config-file /home/gavin/home-ops/kubernetes/bootstrap/talos/talconfig.yaml --out-dir /home/gavin/home-ops/kubernetes/bootstrap/talos/clusterconfig <span class="p">|</span> bash<span class="p">;</span> <span class="k">do</span> sleep 10<span class="p">;</span> <span class="k">done</span> </span></span><span class="line"><span class="cl">error executing bootstrap: rpc error: <span class="nv">code</span> <span class="o">=</span> Unavailable <span class="nv">desc</span> <span class="o">=</span> last connection error: connection error: <span class="nv">desc</span> <span class="o">=</span> <span class="s2">&#34;transport: Error while dialing: dial tcp 10.90.3.102:50000: connect: connection refused&#34;</span> </span></span><span class="line"><span class="cl">error executing bootstrap: rpc error: <span class="nv">code</span> <span class="o">=</span> Unavailable <span class="nv">desc</span> <span class="o">=</span> last connection error: connection error: <span class="nv">desc</span> <span class="o">=</span> <span class="s2">&#34;transport: Error while dialing: dial tcp 10.90.3.102:50000: connect: connection refused&#34;</span> </span></span><span class="line"><span class="cl">error executing bootstrap: rpc error: <span class="nv">code</span> <span class="o">=</span> Unavailable <span class="nv">desc</span> <span class="o">=</span> last connection error: connection error: <span class="nv">desc</span> <span class="o">=</span> <span class="s2">&#34;transport: Error while dialing: dial tcp 10.90.3.103:50000: connect: connection refused&#34;</span> </span></span><span class="line"><span class="cl">error executing bootstrap: rpc error: <span class="nv">code</span> <span class="o">=</span> Unavailable <span class="nv">desc</span> <span class="o">=</span> last connection error: connection error: <span class="nv">desc</span> <span class="o">=</span> <span class="s2">&#34;transport: Error while dialing: dial tcp 10.90.3.101:50000: connect: connection refused&#34;</span> </span></span><span class="line"><span class="cl">error executing bootstrap: rpc error: <span class="nv">code</span> <span class="o">=</span> Unavailable <span class="nv">desc</span> <span class="o">=</span> last connection error: connection error: <span class="nv">desc</span> <span class="o">=</span> <span class="s2">&#34;transport: Error while dialing: dial tcp 10.90.3.102:50000: connect: connection refused&#34;</span> </span></span><span class="line"><span class="cl">error executing bootstrap: rpc error: <span class="nv">code</span> <span class="o">=</span> Unavailable <span class="nv">desc</span> <span class="o">=</span> last connection error: connection error: <span class="nv">desc</span> <span class="o">=</span> <span class="s2">&#34;transport: Error while dialing: dial tcp 10.90.3.102:50000: connect: connection refused&#34;</span> </span></span><span class="line"><span class="cl">error executing bootstrap: rpc error: <span class="nv">code</span> <span class="o">=</span> Unavailable <span class="nv">desc</span> <span class="o">=</span> last connection error: connection error: <span class="nv">desc</span> <span class="o">=</span> <span class="s2">&#34;transport: Error while dialing: dial tcp 10.90.3.101:50000: connect: connection refused&#34;</span> </span></span><span class="line"><span class="cl">error executing bootstrap: rpc error: <span class="nv">code</span> <span class="o">=</span> Unavailable <span class="nv">desc</span> <span class="o">=</span> last connection error: connection error: <span class="nv">desc</span> <span class="o">=</span> <span class="s2">&#34;transport: Error while dialing: dial tcp 10.90.3.103:50000: connect: connection refused&#34;</span> </span></span><span class="line"><span class="cl">error executing bootstrap: rpc error: <span class="nv">code</span> <span class="o">=</span> Unavailable <span class="nv">desc</span> <span class="o">=</span> last connection error: connection error: <span class="nv">desc</span> <span class="o">=</span> <span class="s2">&#34;transport: Error while dialing: dial tcp 10.90.3.102:50000: connect: connection refused&#34;</span> </span></span><span class="line"><span class="cl">error executing bootstrap: rpc error: <span class="nv">code</span> <span class="o">=</span> Unavailable <span class="nv">desc</span> <span class="o">=</span> last connection error: connection error: <span class="nv">desc</span> <span class="o">=</span> <span class="s2">&#34;transport: Error while dialing: dial tcp 10.90.3.101:50000: connect: connection refused&#34;</span> </span></span><span class="line"><span class="cl">error executing bootstrap: rpc error: <span class="nv">code</span> <span class="o">=</span> Unavailable <span class="nv">desc</span> <span class="o">=</span> last connection error: connection error: <span class="nv">desc</span> <span class="o">=</span> <span class="s2">&#34;transport: Error while dialing: dial tcp 10.90.3.101:50000: connect: connection refused&#34;</span> </span></span><span class="line"><span class="cl">error executing bootstrap: rpc error: <span class="nv">code</span> <span class="o">=</span> Unavailable <span class="nv">desc</span> <span class="o">=</span> last connection error: connection error: <span class="nv">desc</span> <span class="o">=</span> <span class="s2">&#34;transport: Error while dialing: dial tcp 10.90.3.102:50000: connect: no route to host&#34;</span> </span></span><span class="line"><span class="cl">task: <span class="o">[</span>talos:fetch-kubeconfig<span class="o">]</span> <span class="k">until</span> talhelper gencommand kubeconfig --config-file /home/gavin/home-ops/kubernetes/bootstrap/talos/talconfig.yaml --out-dir /home/gavin/home-ops/kubernetes/bootstrap/talos/clusterconfig --extra-flags<span class="o">=</span><span class="s2">&#34;/home/gavin/home-ops --force&#34;</span> <span class="p">|</span> bash<span class="p">;</span> <span class="k">do</span> sleep 10<span class="p">;</span> <span class="k">done</span> </span></span><span class="line"><span class="cl">task: <span class="o">[</span>talos:install-helm-apps<span class="o">]</span> <span class="k">until</span> kubectl --kubeconfig /home/gavin/home-ops/kubeconfig <span class="nb">wait</span> --for<span class="o">=</span><span class="nv">condition</span><span class="o">=</span><span class="nv">Ready</span><span class="o">=</span>False nodes --all --timeout<span class="o">=</span>600s<span class="p">;</span> <span class="k">do</span> sleep 10<span class="p">;</span> <span class="k">done</span> </span></span><span class="line"><span class="cl">Unable to connect to the server: dial tcp 10.90.3.100:6443: connect: no route to host </span></span><span class="line"><span class="cl">The connection to the server 10.90.3.100:6443 was refused - did you specify the right host or port? </span></span><span class="line"><span class="cl">The connection to the server 10.90.3.100:6443 was refused - did you specify the right host or port? </span></span><span class="line"><span class="cl">The connection to the server 10.90.3.100:6443 was refused - did you specify the right host or port? </span></span><span class="line"><span class="cl">error: no matching resources found </span></span><span class="line"><span class="cl">error: no matching resources found </span></span><span class="line"><span class="cl">error: no matching resources found </span></span><span class="line"><span class="cl">error: no matching resources found </span></span><span class="line"><span class="cl">error: no matching resources found </span></span><span class="line"><span class="cl">error: no matching resources found </span></span><span class="line"><span class="cl">node/stanton-01 condition met </span></span><span class="line"><span class="cl">task: <span class="o">[</span>talos:install-helm-apps<span class="o">]</span> helmfile --kubeconfig /home/gavin/home-ops/kubeconfig --file /home/gavin/home-ops/kubernetes/bootstrap/helmfile.yaml apply --skip-diff-on-install --suppress-diff </span></span><span class="line"><span class="cl">Adding repo cilium https://helm.cilium.io </span></span><span class="line"><span class="cl"><span class="s2">&#34;cilium&#34;</span> has been added to your repositories </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Adding repo coredns https://coredns.github.io/helm </span></span><span class="line"><span class="cl"><span class="s2">&#34;coredns&#34;</span> has been added to your repositories </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Pulling ghcr.io/prometheus-community/charts/prometheus-operator-crds:24.0.2 </span></span><span class="line"><span class="cl">Pulling ghcr.io/spegel-org/helm-charts/spegel:0.5.1 </span></span><span class="line"><span class="cl">Listing releases matching ^prometheus-operator-crds$ </span></span><span class="line"><span class="cl">Listing releases matching ^coredns$ </span></span><span class="line"><span class="cl">Listing releases matching ^spegel$ </span></span><span class="line"><span class="cl">Listing releases matching ^cilium$ </span></span><span class="line"><span class="cl">Upgrading <span class="nv">release</span><span class="o">=</span>prometheus-operator-crds, <span class="nv">chart</span><span class="o">=</span>/tmp/helmfile4191493076/observability/prometheus-operator-crds/prometheus-operator-crds/24.0.2/prometheus-operator-crds </span></span><span class="line"><span class="cl">Release <span class="s2">&#34;prometheus-operator-crds&#34;</span> does not exist. Installing it now. </span></span><span class="line"><span class="cl">NAME: prometheus-operator-crds </span></span><span class="line"><span class="cl">LAST DEPLOYED: Wed Nov <span class="m">19</span> 10:22:06 <span class="m">2025</span> </span></span><span class="line"><span class="cl">NAMESPACE: observability </span></span><span class="line"><span class="cl">STATUS: deployed </span></span><span class="line"><span class="cl">REVISION: <span class="m">1</span> </span></span><span class="line"><span class="cl">TEST SUITE: None </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Listing releases matching ^prometheus-operator-crds$ </span></span><span class="line"><span class="cl">prometheus-operator-crds observability <span class="m">1</span> 2025-11-19 10:22:06.42745174 +1300 NZDT deployed prometheus-operator-crds-24.0.2 v0.86.2 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Upgrading <span class="nv">release</span><span class="o">=</span>cilium, <span class="nv">chart</span><span class="o">=</span>cilium/cilium </span></span><span class="line"><span class="cl">Release <span class="s2">&#34;cilium&#34;</span> does not exist. Installing it now. </span></span><span class="line"><span class="cl">NAME: cilium </span></span><span class="line"><span class="cl">LAST DEPLOYED: Wed Nov <span class="m">19</span> 10:22:10 <span class="m">2025</span> </span></span><span class="line"><span class="cl">NAMESPACE: kube-system </span></span><span class="line"><span class="cl">STATUS: deployed </span></span><span class="line"><span class="cl">REVISION: <span class="m">1</span> </span></span><span class="line"><span class="cl">TEST SUITE: None </span></span><span class="line"><span class="cl">NOTES: </span></span><span class="line"><span class="cl">You have successfully installed Cilium. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Your release version is 1.18.3. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">For any further help, visit https://docs.cilium.io/en/v1.18/gettinghelp </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Listing releases matching ^cilium$ </span></span><span class="line"><span class="cl">cilium kube-system <span class="m">1</span> 2025-11-19 10:22:10.403756432 +1300 NZDT deployed cilium-1.18.3 1.18.3 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Upgrading <span class="nv">release</span><span class="o">=</span>coredns, <span class="nv">chart</span><span class="o">=</span>coredns/coredns </span></span><span class="line"><span class="cl">Release <span class="s2">&#34;coredns&#34;</span> does not exist. Installing it now. </span></span><span class="line"><span class="cl">NAME: coredns </span></span><span class="line"><span class="cl">LAST DEPLOYED: Wed Nov <span class="m">19</span> 10:23:23 <span class="m">2025</span> </span></span><span class="line"><span class="cl">NAMESPACE: kube-system </span></span><span class="line"><span class="cl">STATUS: deployed </span></span><span class="line"><span class="cl">REVISION: <span class="m">1</span> </span></span><span class="line"><span class="cl">TEST SUITE: None </span></span><span class="line"><span class="cl">NOTES: </span></span><span class="line"><span class="cl">CoreDNS is now running in the cluster as a cluster-service. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">It can be tested with the following: </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">1. Launch a Pod with DNS tools: </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">kubectl run -it --rm --restart<span class="o">=</span>Never --image<span class="o">=</span>infoblox/dnstools:latest dnstools </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">2. Query the DNS server: </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">/ <span class="c1"># host kubernetes</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Listing releases matching ^coredns$ </span></span><span class="line"><span class="cl">coredns kube-system <span class="m">1</span> 2025-11-19 10:23:23.797590616 +1300 NZDT deployed coredns-1.45.0 1.13.1 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Upgrading <span class="nv">release</span><span class="o">=</span>spegel, <span class="nv">chart</span><span class="o">=</span>/tmp/helmfile4191493076/kube-system/spegel/spegel/0.5.1/spegel </span></span><span class="line"><span class="cl">Release <span class="s2">&#34;spegel&#34;</span> does not exist. Installing it now. </span></span><span class="line"><span class="cl">NAME: spegel </span></span><span class="line"><span class="cl">LAST DEPLOYED: Wed Nov <span class="m">19</span> 10:23:26 <span class="m">2025</span> </span></span><span class="line"><span class="cl">NAMESPACE: kube-system </span></span><span class="line"><span class="cl">STATUS: deployed </span></span><span class="line"><span class="cl">REVISION: <span class="m">1</span> </span></span><span class="line"><span class="cl">TEST SUITE: None </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Listing releases matching ^spegel$ </span></span><span class="line"><span class="cl">spegel kube-system <span class="m">1</span> 2025-11-19 10:23:26.188082749 +1300 NZDT deployed spegel-0.5.1 v0.5.1 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">UPDATED RELEASES: </span></span><span class="line"><span class="cl">NAME NAMESPACE CHART VERSION DURATION </span></span><span class="line"><span class="cl">prometheus-operator-crds observability oci://ghcr.io/prometheus-community/charts/prometheus-operator-crds 24.0.2 4s </span></span><span class="line"><span class="cl">cilium kube-system cilium/cilium 1.18.3 1m13s </span></span><span class="line"><span class="cl">coredns kube-system coredns/coredns 1.45.0 3s </span></span><span class="line"><span class="cl">spegel kube-system oci://ghcr.io/spegel-org/helm-charts/spegel 0.5.1 46s </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">task: <span class="o">[</span>talos:install-helm-apps<span class="o">]</span> <span class="k">until</span> kubectl --kubeconfig /home/gavin/home-ops/kubeconfig <span class="nb">wait</span> --for<span class="o">=</span><span class="nv">condition</span><span class="o">=</span>Ready nodes --all --timeout<span class="o">=</span>600s<span class="p">;</span> <span class="k">do</span> sleep 10<span class="p">;</span> <span class="k">done</span> </span></span><span class="line"><span class="cl">node/stanton-01 condition met </span></span><span class="line"><span class="cl">node/stanton-02 condition met </span></span><span class="line"><span class="cl">node/stanton-03 condition met </span></span><span class="line"><span class="cl">task: <span class="o">[</span>talos:bootstrap<span class="o">]</span> talosctl health --server<span class="o">=</span><span class="nb">false</span> </span></span><span class="line"><span class="cl">waiting <span class="k">for</span> etcd to be healthy: OK </span></span><span class="line"><span class="cl">waiting <span class="k">for</span> etcd members to be consistent across nodes: OK </span></span><span class="line"><span class="cl">waiting <span class="k">for</span> etcd members to be control plane nodes: OK </span></span><span class="line"><span class="cl">waiting <span class="k">for</span> apid to be ready: OK </span></span><span class="line"><span class="cl">waiting <span class="k">for</span> all nodes memory sizes: OK </span></span><span class="line"><span class="cl">waiting <span class="k">for</span> all nodes disk sizes: OK </span></span><span class="line"><span class="cl">waiting <span class="k">for</span> kubelet to be healthy: OK </span></span><span class="line"><span class="cl">waiting <span class="k">for</span> all nodes to finish boot sequence: OK </span></span><span class="line"><span class="cl">waiting <span class="k">for</span> all k8s nodes to report: OK </span></span><span class="line"><span class="cl">waiting <span class="k">for</span> all k8s nodes to report ready: OK </span></span><span class="line"><span class="cl">waiting <span class="k">for</span> all control plane static pods to be running: OK </span></span><span class="line"><span class="cl">waiting <span class="k">for</span> all control plane components to be ready: OK </span></span><span class="line"><span class="cl">waiting <span class="k">for</span> kube-proxy to report ready: SKIP </span></span><span class="line"><span class="cl">waiting <span class="k">for</span> coredns to report ready: OK </span></span><span class="line"><span class="cl">waiting <span class="k">for</span> all k8s nodes to report schedulable: OK </span></span></code></pre></td></tr></table> </div> </div><h3 id="can-i-see-and-talk-to-the-cluster">Can I see and talk to the cluster? </h3><p>In your terminal, run:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">talosctl dashboard </span></span></code></pre></td></tr></table> </div> </div><p><img src="https://blog.nerdz.cloud/2025/talos-dr-reset/talosctl-dashboard.png" width="1720" height="1360" srcset="https://blog.nerdz.cloud/2025/talos-dr-reset/talosctl-dashboard_hu797103163415619291.png 480w, https://blog.nerdz.cloud/2025/talos-dr-reset/talosctl-dashboard_hu5801518542597615030.png 1024w" loading="lazy" alt="talosctl dashboard" class="gallery-image" data-flex-grow="126" data-flex-basis="303px" ></p> <p>You can use your keyboard&rsquo;s left and right arrows to cycle through the nodes. In addition I run k9s and can run this to see my cluster</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">k9s </span></span></code></pre></td></tr></table> </div> </div><p><img src="https://blog.nerdz.cloud/2025/talos-dr-reset/k9s-all-pods.png" width="1679" height="1328" srcset="https://blog.nerdz.cloud/2025/talos-dr-reset/k9s-all-pods_hu11552078392111102477.png 480w, https://blog.nerdz.cloud/2025/talos-dr-reset/k9s-all-pods_hu10594534170228560720.png 1024w" loading="lazy" alt="k9s" class="gallery-image" data-flex-grow="126" data-flex-basis="303px" ></p> <p>The default page takes me to a view of all pods across all namespaces</p> <p>Holding Shift and pressing <code>;</code> will type a <code>:</code> which opens the k9s menu. From here you can type <code>nodes</code> and press enter to see the nodes</p> <p><img src="https://blog.nerdz.cloud/2025/talos-dr-reset/k9s-all-nodes.png" width="1679" height="331" srcset="https://blog.nerdz.cloud/2025/talos-dr-reset/k9s-all-nodes_hu14168503436117881720.png 480w, https://blog.nerdz.cloud/2025/talos-dr-reset/k9s-all-nodes_hu11845638840075428891.png 1024w" loading="lazy" alt="k9s" class="gallery-image" data-flex-grow="507" data-flex-basis="1217px" ></p> <h2 id="rehydrating-gitops-state">Rehydrating GitOps state </h2><p>Before I do this next step I want to make sure the majority of my cluster is &ldquo;Off&rdquo; in Git. My repo layout is</p> <p><code>home-ops/kubernetes/apps/&lt;namespace&gt;</code></p> <p>Inside each namespace folder is a top-level <code>kustomization.yaml</code> e.g.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nn">---</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kustomize.config.k8s.io/v1beta1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Kustomization</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Pre Flux-Kustomizations</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./namespace.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Flux-Kustomizations</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># - ./gatus/ks.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># - ./grafana/ks.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># - ./kromgo/ks.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># - ./kube-prometheus-stack/ks.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># - ./loki/ks.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># - ./network-ups-tools/ks.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># - ./prometheus-operator-crds/ks.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># - ./promtail/ks.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># - ./redisinsight/ks.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># - ./unpoller/ks.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Exporters</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># - ./exporters</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>You can see here I have commented out everything except the creation of the namespace. This means it won&rsquo;t initially deploy this when I <code>task flux:bootstrap</code></p> <p>I did this for every namespace except</p> <ul> <li>cert-manager</li> <li>external-secrets</li> <li>flux-system</li> <li>kube-system</li> <li>network</li> <li>openebs-system</li> <li>volsync-system</li> </ul> <p>Once Talos hands back a kubeconfig (stored at <code>kubernetes/bootstrap/talos/clusterconfig/talosconfig</code>), Flux gets bootstrapped with another task:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">task flux:bootstrap </span></span></code></pre></td></tr></table> </div> </div><p>Output:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">task flux:bootstrap </span></span><span class="line"><span class="cl">task: <span class="o">[</span>flux:bootstrap<span class="o">]</span> kubectl apply --kubeconfig /home/gavin/home-ops/kubeconfig --server-side --kustomize /home/gavin/home-ops/kubernetes/bootstrap/flux </span></span><span class="line"><span class="cl">namespace/flux-system serverside-applied </span></span><span class="line"><span class="cl">resourcequota/critical-pods-flux-system serverside-applied </span></span><span class="line"><span class="cl">customresourcedefinition.apiextensions.k8s.io/alerts.notification.toolkit.fluxcd.io serverside-applied </span></span><span class="line"><span class="cl">customresourcedefinition.apiextensions.k8s.io/buckets.source.toolkit.fluxcd.io serverside-applied </span></span><span class="line"><span class="cl">customresourcedefinition.apiextensions.k8s.io/externalartifacts.source.toolkit.fluxcd.io serverside-applied </span></span><span class="line"><span class="cl">customresourcedefinition.apiextensions.k8s.io/gitrepositories.source.toolkit.fluxcd.io serverside-applied </span></span><span class="line"><span class="cl">customresourcedefinition.apiextensions.k8s.io/helmcharts.source.toolkit.fluxcd.io serverside-applied </span></span><span class="line"><span class="cl">customresourcedefinition.apiextensions.k8s.io/helmreleases.helm.toolkit.fluxcd.io serverside-applied </span></span><span class="line"><span class="cl">customresourcedefinition.apiextensions.k8s.io/helmrepositories.source.toolkit.fluxcd.io serverside-applied </span></span><span class="line"><span class="cl">customresourcedefinition.apiextensions.k8s.io/imagepolicies.image.toolkit.fluxcd.io serverside-applied </span></span><span class="line"><span class="cl">customresourcedefinition.apiextensions.k8s.io/imagerepositories.image.toolkit.fluxcd.io serverside-applied </span></span><span class="line"><span class="cl">customresourcedefinition.apiextensions.k8s.io/imageupdateautomations.image.toolkit.fluxcd.io serverside-applied </span></span><span class="line"><span class="cl">customresourcedefinition.apiextensions.k8s.io/kustomizations.kustomize.toolkit.fluxcd.io serverside-applied </span></span><span class="line"><span class="cl">customresourcedefinition.apiextensions.k8s.io/ocirepositories.source.toolkit.fluxcd.io serverside-applied </span></span><span class="line"><span class="cl">customresourcedefinition.apiextensions.k8s.io/providers.notification.toolkit.fluxcd.io serverside-applied </span></span><span class="line"><span class="cl">customresourcedefinition.apiextensions.k8s.io/receivers.notification.toolkit.fluxcd.io serverside-applied </span></span><span class="line"><span class="cl">serviceaccount/helm-controller serverside-applied </span></span><span class="line"><span class="cl">serviceaccount/image-automation-controller serverside-applied </span></span><span class="line"><span class="cl">serviceaccount/image-reflector-controller serverside-applied </span></span><span class="line"><span class="cl">serviceaccount/kustomize-controller serverside-applied </span></span><span class="line"><span class="cl">serviceaccount/notification-controller serverside-applied </span></span><span class="line"><span class="cl">serviceaccount/source-controller serverside-applied </span></span><span class="line"><span class="cl">clusterrole.rbac.authorization.k8s.io/crd-controller-flux-system serverside-applied </span></span><span class="line"><span class="cl">clusterrole.rbac.authorization.k8s.io/flux-edit-flux-system serverside-applied </span></span><span class="line"><span class="cl">clusterrole.rbac.authorization.k8s.io/flux-view-flux-system serverside-applied </span></span><span class="line"><span class="cl">clusterrolebinding.rbac.authorization.k8s.io/cluster-reconciler-flux-system serverside-applied </span></span><span class="line"><span class="cl">clusterrolebinding.rbac.authorization.k8s.io/crd-controller-flux-system serverside-applied </span></span><span class="line"><span class="cl">service/notification-controller serverside-applied </span></span><span class="line"><span class="cl">service/source-controller serverside-applied </span></span><span class="line"><span class="cl">service/webhook-receiver serverside-applied </span></span><span class="line"><span class="cl">deployment.apps/helm-controller serverside-applied </span></span><span class="line"><span class="cl">deployment.apps/image-automation-controller serverside-applied </span></span><span class="line"><span class="cl">deployment.apps/image-reflector-controller serverside-applied </span></span><span class="line"><span class="cl">deployment.apps/kustomize-controller serverside-applied </span></span><span class="line"><span class="cl">deployment.apps/notification-controller serverside-applied </span></span><span class="line"><span class="cl">deployment.apps/source-controller serverside-applied </span></span><span class="line"><span class="cl">task: <span class="o">[</span>flux:bootstrap<span class="o">]</span> cat /home/gavin/home-ops/age.key <span class="p">|</span> kubectl --kubeconfig /home/gavin/home-ops/kubeconfig -n flux-system create secret generic sops-age --from-file<span class="o">=</span>age.agekey<span class="o">=</span>/dev/stdin </span></span><span class="line"><span class="cl">secret/sops-age created </span></span><span class="line"><span class="cl">task: <span class="o">[</span>flux:bootstrap<span class="o">]</span> sops --decrypt /home/gavin/home-ops/kubernetes/flux/vars/cluster-secrets.sops.yaml <span class="p">|</span> kubectl apply --kubeconfig /home/gavin/home-ops/kubeconfig --server-side --filename - </span></span><span class="line"><span class="cl">secret/cluster-secrets serverside-applied </span></span><span class="line"><span class="cl">task: <span class="o">[</span>flux:bootstrap<span class="o">]</span> kubectl apply --kubeconfig /home/gavin/home-ops/kubeconfig --server-side --filename /home/gavin/home-ops/kubernetes/flux/vars/cluster-settings.yaml </span></span><span class="line"><span class="cl">configmap/cluster-settings serverside-applied </span></span><span class="line"><span class="cl">task: <span class="o">[</span>flux:bootstrap<span class="o">]</span> kubectl apply --kubeconfig /home/gavin/home-ops/kubeconfig --server-side --kustomize /home/gavin/home-ops/kubernetes/flux/config </span></span><span class="line"><span class="cl">kustomization.kustomize.toolkit.fluxcd.io/cluster serverside-applied </span></span><span class="line"><span class="cl">kustomization.kustomize.toolkit.fluxcd.io/flux serverside-applied </span></span><span class="line"><span class="cl">gitrepository.source.toolkit.fluxcd.io/home-kubernetes serverside-applied </span></span><span class="line"><span class="cl">ocirepository.source.toolkit.fluxcd.io/flux-manifests serverside-applied </span></span></code></pre></td></tr></table> </div> </div><p>That command:</p> <ol> <li>Applies the manifests under <code>kubernetes/bootstrap/flux</code>, including the deploy key secret.</li> <li>Decrypts and applies <code>flux/vars/cluster-secrets.sops.yaml</code>.</li> <li>Applies cluster settings and Kustomizations per namespace (<code>kubernetes/apps/&lt;namespace&gt;/&lt;app&gt;</code>).</li> </ol> <h3 id="disasterkinda">Disaster&hellip;Kinda </h3><p>Because I am now cut over to Envoy Gateway and not ingress-nginx I am missing the Gateway CRDs because Cilium does not install them (I&rsquo;m not using Cilium for Gateway API, I&rsquo;m using Envoy)</p> <p>Now I could just <code>kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.2.0/standard-install.yaml</code> and solve the problem&hellip; But that&rsquo;s not IAC</p> <p>So, I created a new folder <code>home-ops/kubernetes/apps/network/gateway-api</code></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">. </span></span><span class="line"><span class="cl">├── app </span></span><span class="line"><span class="cl">│   └── kustomization.yaml </span></span><span class="line"><span class="cl">└── ks.yaml </span></span></code></pre></td></tr></table> </div> </div><p>That <code>kustomization.yaml</code> is fairly simple. Its job is to install the Gateway API CRDs</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nn">---</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kustomize.config.k8s.io/v1beta1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Kustomization</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.2.0/standard-install.yaml</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>owever, I need these installed before Envoy so In<code>kubernetes/apps/network/envoy-gateway/ks.yaml</code> I had to add a <code>dependsOn:</code></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nn">---</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># yaml-language-server: $schema=https://kubernetes-schemas.ok8.sh/kustomize.toolkit.fluxcd.io/kustomization_v1.json</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kustomize.toolkit.fluxcd.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Kustomization</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="cp">&amp;app</span><span class="w"> </span><span class="l">envoy-gateway</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">flux-system</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">targetNamespace</span><span class="p">:</span><span class="w"> </span><span class="cp">&amp;namespace</span><span class="w"> </span><span class="l">network</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">commonMetadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">labels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">app.kubernetes.io/name</span><span class="p">:</span><span class="w"> </span><span class="cp">*app</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">interval</span><span class="p">:</span><span class="w"> </span><span class="l">1h</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="l">./kubernetes/apps/network/envoy-gateway/app</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">prune</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">sourceRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">GitRepository</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">home-kubernetes</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">timeout</span><span class="p">:</span><span class="w"> </span><span class="l">15m</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">dependsOn</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">gateway-api</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>Now this comes up first, then Envoy.</p> <p>Sometimes things come up a little out of order, especially where CRDs are concerned. best bet is to check things and reconcile if needed. Example</p> <p><code>envoy-gateway</code> came up (the main Helm Release and installed the CRDs) but the dry run failed for <code>envoy-gateway-config</code></p> <p>All I had to do is:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">flux reconcile kustomization envoy-gateway-config --with-source </span></span></code></pre></td></tr></table> </div> </div><p>And the Ks <code>Applied Revision</code> and the rest of Envoy rolled out</p> <h2 id="rook-ceph-dr-recovery-why-it-wouldnt-start">Rook-Ceph DR Recovery: Why It Wouldn&rsquo;t Start </h2><h3 id="issue-1-cleanup-policy-blocking-orchestration">Issue 1: Cleanup Policy Blocking Orchestration </h3><p><strong>Symptom:</strong> Operator logs showed:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">skipping orchestration <span class="k">for</span> cluster object <span class="s2">&#34;rook-ceph&#34;</span> because its cleanup policy is <span class="nb">set</span> </span></span></code></pre></td></tr></table> </div> </div><p><strong>Cause:</strong> The CephCluster spec had <code>cleanupPolicy.confirmation: yes-really-destroy-data</code> set. When this field is present, Rook interprets it as &ldquo;this cluster is being deleted&rdquo; and skips all orchestration entirely. Fix: Removed from <code>helmrelease.yaml:</code></p> <ul> <li>confirmation: yes-really-destroy-data</li> <li>wipeDevicesFromOtherClusters: true</li> </ul> <p>Since the HelmRelease was stuck reinstalling, we also patched directly:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl patch cephcluster -n rook-ceph rook-ceph --type<span class="o">=</span>json <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -p<span class="o">=</span><span class="s1">&#39;[{&#34;op&#34;: &#34;remove&#34;, &#34;path&#34;: &#34;/spec/cleanupPolicy/confirmation&#34;}, </span></span></span><span class="line"><span class="cl"><span class="s1"> {&#34;op&#34;: &#34;remove&#34;, &#34;path&#34;: &#34;/spec/cleanupPolicy/wipeDevicesFromOtherClusters&#34;}]&#39;</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="issue-2-osd-network-configuration-failure">Issue 2: OSD Network Configuration Failure </h3><p><strong>Symptom:</strong> OSD pods in CrashLoopBackOff with:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">unable to find any IPv4 address in networks <span class="s1">&#39;169.254.255.0/24&#39;</span> interfaces <span class="s1">&#39;&#39;</span> </span></span><span class="line"><span class="cl">Failed to pick cluster address. </span></span></code></pre></td></tr></table> </div> </div><p><strong>Cause:</strong> The Ceph cluster was configured to use 169.254.255.0/24 (Thunderbolt mesh) for cluster traffic, but the Thunderbolt interfaces weren&rsquo;t up - the kernel showed timeout errors trying to communicate with the Thunderbolt controller. Fix:</p> <ol> <li>Replugged the Thunderbolt cables between nodes</li> <li>Verified interfaces came up with correct IPs (169.254.255.101/32)</li> <li>Temporarily patched cluster network to use main network while Thunderbolt was down:</li> </ol> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl patch cephcluster -n rook-ceph rook-ceph --type<span class="o">=</span>json <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -p<span class="o">=</span><span class="s1">&#39;[{&#34;op&#34;: &#34;replace&#34;, &#34;path&#34;: &#34;/spec/network/addressRanges/cluster&#34;, &#34;value&#34;: [&#34;10.90.0.0/16&#34;]}]&#39;</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="lessons-learned">Lessons Learned </h3><ol> <li><code>cleanupPolicy.confirmation</code> <strong>is a deletion flag</strong> - Only set it when you actually want to destroy the cluster</li> <li><strong>Check physical connectivity</strong> - Thunderbolt timeouts in dmesg indicate cable/connection issues</li> <li><strong>Network config must match available interfaces</strong> - OSDs can&rsquo;t start if they can&rsquo;t find an IP in the configured cluster network range</li> </ol> <p>The layout change that started this mess is still worth doing, so I&rsquo;m re-introducing it carefully:</p> <ul> <li>Each namespace owns its Flux <code>Kustomization</code> (<code>ks.yaml</code> in the namespace folder).</li> <li>Reconciles happen namespace-by-namespace with <code>task flux:apply path=rook-ceph/cluster ns=rook-ceph</code>.</li> <li>Critical infrastructure (Talos bootstrap Helm releases + Flux) never reference manifests outside their namespace so I can fence blast-radius.</li> </ul> <p>Once Flux is healthy I let VolSync and CloudNativePG pull data back from object storage, which rebuilds PVCs long before Rook redeploys fresh OSDs.</p> <h2 id="next-steps">Next Steps </h2><h3 id="roll-out-database-namespace">Roll out Database Namespace </h3><p>My Database Namespace contains</p> <ul> <li>Cloudnative PG (Postgres)</li> <li>Dragonfly DB (Redis) - Currently blocking the rollout of OAuth2Proxy which depends on this</li> <li>Maria DB (My SQL)</li> <li>Mosquitto (MQTT Message Broker)</li> </ul> <p>For this, I will edit the <code>kustomization.yaml</code> in the <code>Database</code> namespace to uncomment the paths</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nn">---</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># yaml-language-server: $schema=https://json.schemastore.org/kustomization</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kustomize.config.k8s.io/v1beta1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Kustomization</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Pre Flux-Kustomizations</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./namespace.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Flux-Kustomizations</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./cloudnative-pg/ks.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./dragonfly/ks.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./mosquitto/ks.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./mariadb/ks.yaml</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h3 id="postgres-restore">Postgres restore </h3><p>In Backblaze I have my Postgres Backups</p> <p><img src="https://blog.nerdz.cloud/2025/talos-dr-reset/backblaze-postgres-backup.png" width="1229" height="631" srcset="https://blog.nerdz.cloud/2025/talos-dr-reset/backblaze-postgres-backup_hu15400012367496775107.png 480w, https://blog.nerdz.cloud/2025/talos-dr-reset/backblaze-postgres-backup_hu6525324498517328733.png 1024w" loading="lazy" alt="Backblaze Postgres" class="gallery-image" data-flex-grow="194" data-flex-basis="467px" ></p> <p>and in my Cloudnative Postgres cluster config I have my restore settings: <code>kubernetes/apps/database/cloudnative-pg/cluster17/cluster17.yaml</code></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="w"> </span><span class="nt">backup</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">retentionPolicy</span><span class="p">:</span><span class="w"> </span><span class="l">60d</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">barmanObjectStore</span><span class="p">:</span><span class="w"> </span><span class="cp">&amp;barmanObjectStore</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">data</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">compression</span><span class="p">:</span><span class="w"> </span><span class="l">bzip2</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">wal</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">compression</span><span class="p">:</span><span class="w"> </span><span class="l">bzip2</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">maxParallel</span><span class="p">:</span><span class="w"> </span><span class="m">8</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">destinationPath</span><span class="p">:</span><span class="w"> </span><span class="l">s3://nerdz-cloudnative-pg/</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">endpointURL</span><span class="p">:</span><span class="w"> </span><span class="l">https://s3.us-east-005.backblazeb2.com</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">serverName</span><span class="p">:</span><span class="w"> </span><span class="cp">&amp;currentCluster</span><span class="w"> </span><span class="l">postgres17-v3</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">s3Credentials</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">accessKeyId</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">cloudnative-pg-secret</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">aws-access-key-id</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">secretAccessKey</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">cloudnative-pg-secret</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">aws-secret-access-key</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Note: externalClusters is needed when recovering from an existing cnpg cluster</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">bootstrap</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">recovery</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">source</span><span class="p">:</span><span class="w"> </span><span class="cp">&amp;previousCluster</span><span class="w"> </span><span class="l">postgres17-v2</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Note: externalClusters is needed when recovering from an existing cnpg cluster</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">externalClusters</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="cp">*previousCluster</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">barmanObjectStore</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">&lt;&lt;</span><span class="p">:</span><span class="w"> </span><span class="cp">*barmanObjectStore</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">serverName</span><span class="p">:</span><span class="w"> </span><span class="cp">*previousCluster</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>This tells Postgres to grab the data from <code>postgres17-v2</code> in backblaze and to build a new cluster called <code>postgres17-v3</code> and sync that to backblaze.</p> <h3 id="mariadb-when-charts-wont-behave">MariaDB: when charts won&rsquo;t behave </h3><p>MariaDB should have been the easy part. The upgrade from Bitnami’s 22.x chart to 23.x surfaced two separate gotchas:</p> <ol> <li>Bitnami yanked the old <code>12.0.2-debian-12-r0</code> image tags, so the kubelet couldn’t pull the default container anymore.</li> <li>The new chart force-enables FIPS templating and renders two <code>env</code> sections in the mysqld-exporter sidecar whenever metrics are on, which makes Flux’s post-render stage blow up before anything gets applied.</li> </ol> <p>How I pulled it back:</p> <ul> <li>Temporarily pinned the MariaDB, volume-permissions, and mysqld-exporter containers to known-good digests so the cluster stayed alive while I figured out 23.x.</li> <li>Added <code>global.defaultFips: &quot;off&quot;</code> plus explicit <code>&quot;off&quot;</code> overrides for <code>primary</code>, <code>volumePermissions</code>, and <code>metrics</code> FIPS blocks so Helm would render the new manifests.</li> <li>Disabled the chart’s built-in metrics and stood up my own exporter Deployment + Service + ServiceMonitor (now in <code>kubernetes/apps/observability/exporters/mariadb-exporter</code>). It still runs in the <code>database</code> namespace, reads <code>mariadb-secret</code>, and Prometheus keeps scraping through the ServiceMonitor.</li> <li>Once everything was committed, I suspended/resumed the HelmRelease to clear Flux’s stuck rollout and let the StatefulSet recreate cleanly.</li> </ul> <p>It’s not glamorous, but it gets MariaDB onto chart 23.2.4 without losing metrics, and every moving piece is now in Git so the next rebuild will just be another <code>task flux:apply</code>.</p> <h3 id="continuation---more-namespaces-coming-online">Continuation - More namespaces coming online </h3><p>Now that MariaDB was sorted I moved on to enabling the next lot of namespaces</p> <ol> <li>Observability (exporters, gatus, grafana, kromgo, kube-prometheus-stack, loki, network-ups-tools, promtail, redis insights and unpoller)</li> <li>Then the security namespace (pocket-id)</li> <li>This allowed me to kick the oauth2proxy pods which were crashlooping and get them running again</li> <li>except&hellip; :sob:</li> </ol> <h3 id="oauth2-proxy-hairpin-nat-and-the-gateway-api-version-maze">oauth2-proxy Hairpin NAT and the Gateway API Version Maze </h3><p>With pocket-id running I expected oauth2-proxy to come up cleanly. Instead all three replicas crashed with OIDC discovery timeouts trying to reach <code>id.${SECRET_DOMAIN}</code>. The culprit: hairpin NAT. Pods on the same node as the external gateway couldn&rsquo;t reach its LoadBalancer IP (<code>10.90.3.201</code>) and curl just hung.</p> <p>The classic fix is split-horizon DNS—have CoreDNS forward queries for your domain to an internal resolver that returns ClusterIPs instead of the external gateway. I already had k8s-gateway deployed at <code>10.96.100.130</code>, so I added a server block to CoreDNS:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">servers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">zones</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">zone</span><span class="p">:</span><span class="w"> </span><span class="l">${SECRET_DOMAIN}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">scheme</span><span class="p">:</span><span class="w"> </span><span class="l">dns://</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">port</span><span class="p">:</span><span class="w"> </span><span class="m">53</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">plugins</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">forward</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">parameters</span><span class="p">:</span><span class="w"> </span><span class="l">. 10.96.100.130</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>That should have been the end of it, but k8s-gateway refused to serve queries:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">plugin/k8s_gateway: Could not sync required resources </span></span><span class="line"><span class="cl">failed to list *v1alpha2.GRPCRoute </span></span></code></pre></td></tr></table> </div> </div><p>k8s-gateway v0.4.0 hardcodes a watch on <code>v1alpha2.GRPCRoute</code>, but I was running Gateway API v1.2.0 which only ships <code>v1.GRPCRoute</code>. The experimental bundle doesn&rsquo;t help—v1alpha2 was removed in v1.1.0+.</p> <p><strong>The fix required threading a needle between multiple version requirements:</strong></p> <ol> <li><strong>Envoy Gateway v1.6.0</strong> needs <code>BackendTLSPolicy</code> at API version <code>v1</code>, which only exists in Gateway API ≥v1.4.0</li> <li><strong>k8s-gateway v0.4.0</strong> needs <code>v1alpha2.GRPCRoute</code>, which was removed in Gateway API v1.1.0+</li> </ol> <p>The solution is to use Gateway API v1.4.0 experimental (for BackendTLSPolicy v1) and patch the GRPCRoute CRD to add v1alpha2 back. See the &ldquo;Permanent Fix: JSON Patch for v1alpha2.GRPCRoute&rdquo; section below for the full solution.</p> <p>But I wasn&rsquo;t done. k8s-gateway was only watching <code>Ingress</code> and <code>Service</code> resources. pocket-id uses Gateway API HTTPRoutes for ingress, so k8s-gateway had no idea <code>id.${SECRET_DOMAIN}</code> existed:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># kubernetes/apps/network/k8s-gateway/app/helmrelease.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">watchedResources</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;Ingress&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;Service&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;HTTPRoute&#34;</span><span class="p">]</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>One more gotcha: deleting and recreating the Gateway API CRDs wiped out all existing HTTPRoute resources, and Helm didn&rsquo;t know to recreate them since the release checksum hadn&rsquo;t changed. I had to manually reapply from the helm manifest:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">helm get manifest -n security pocket-id <span class="p">|</span> kubectl apply -f - </span></span></code></pre></td></tr></table> </div> </div><p>After all that, DNS finally resolved:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">$ nslookup id.${SECRET_DOMAIN} </span></span><span class="line"><span class="cl">Name: id.${SECRET_DOMAIN} </span></span><span class="line"><span class="cl">Address: 10.90.3.201 </span></span></code></pre></td></tr></table> </div> </div><p>And oauth2-proxy came up healthy:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">NAME READY STATUS RESTARTS AGE </span></span><span class="line"><span class="cl">oauth2-proxy-f7f87f84b-lhwx9 1/1 Running 0 28s </span></span><span class="line"><span class="cl">oauth2-proxy-f7f87f84b-q4n7s 1/1 Running 0 28s </span></span><span class="line"><span class="cl">oauth2-proxy-f7f87f84b-t5j6l 1/1 Running 0 28s </span></span></code></pre></td></tr></table> </div> </div><h2 id="gateway-api-version-hell-backendtlspolicy-and-websocket-drama">Gateway API Version Hell: BackendTLSPolicy and WebSocket Drama </h2><p>Just when I thought I was done, external services started failing. TrueNAS and Unifi were returning 400 Bad Request errors on WebSocket connections. The UI would load, but any real-time features (shell, charts, live updates) were dead.</p> <h3 id="the-problem">The Problem </h3><p>Envoy Gateway v1.6.0 expects <code>BackendTLSPolicy</code> at API version <code>gateway.networking.k8s.io/v1</code>, but Gateway API v1.1.0 experimental only ships v1alpha3. Meanwhile, k8s-gateway v0.4.0 hardcodes watching for <code>v1alpha2.GRPCRoute</code> which doesn&rsquo;t exist in newer Gateway API releases.</p> <p>The operator logs were clear:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">BackendTLSPolicy CRD not found, skipping BackendTLSPolicy watch </span></span></code></pre></td></tr></table> </div> </div><p>This meant Envoy wasn&rsquo;t applying TLS settings to the backends at all.</p> <h3 id="the-fix-and-the-trap">The Fix (and the Trap) </h3><p>Upgrading Gateway API to v1.4.0 experimental brought in BackendTLSPolicy v1 (see the full kustomization.yaml with the GRPCRoute JSON patch in the &ldquo;Permanent Fix&rdquo; section below).</p> <p>Updated the BackendTLSPolicy resources from v1alpha3 to v1, removed the <code>namespace</code> field from targetRefs (v1 doesn&rsquo;t have it), and removed <code>sectionName</code> to apply TLS to all service ports.</p> <p>But then WebSockets broke. I spent an hour chasing the wrong fix—removing <code>useClientProtocol: true</code> thinking it was sending HTTP/2 to HTTP/1.1-only backends. Wrong move.</p> <p>The original working config (pre-wipe) had:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">useClientProtocol</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>This setting is essential for WebSocket support. When a client initiates an HTTP/1.1 WebSocket upgrade, Envoy needs to forward that same protocol to the backend. Removing it caused Envoy to use its default protocol (HTTP/2 with ALPN), which the backends rejected.</p> <p>WebSocket support is handled by <code>useClientProtocol: true</code> in the BackendTrafficPolicy—it allows Envoy to forward the client&rsquo;s HTTP/1.1 upgrade request using the same protocol.</p> <h3 id="permanent-fix-json-patch-for-v1alpha2grpcroute">Permanent Fix: JSON Patch for v1alpha2.GRPCRoute </h3><p>After fighting this multiple times (every Flux reconciliation would remove the manually-applied CRD), I finally found a permanent solution. The problem is that k8s-gateway v0.4.0 hardcodes a watch on <code>v1alpha2.GRPCRoute</code>, but Gateway API v1.1.0+ only ships <code>v1.GRPCRoute</code>.</p> <p>You can&rsquo;t just add the old CRD as a separate resource—Kustomize will fail with &ldquo;may not add resource with an already registered id&rdquo; because both define the same CRD name.</p> <p>The fix is to use a <strong>JSON patch</strong> to append v1alpha2 as an additional version to the existing GRPCRoute CRD:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># kubernetes/apps/network/gateway-api/app/kustomization.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nn">---</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kustomize.config.k8s.io/v1beta1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Kustomization</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.0/experimental-install.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">patches</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># k8s-gateway v0.4.0 requires v1alpha2.GRPCRoute which was removed in Gateway API v1.1.0+</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Use JSON patch to ADD v1alpha2 version without replacing existing v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">target</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">CustomResourceDefinition</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">grpcroutes.gateway.networking.k8s.io</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">patch</span><span class="p">:</span><span class="w"> </span><span class="p">|-</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> - op: add </span></span></span><span class="line"><span class="cl"><span class="sd"> path: /spec/versions/- </span></span></span><span class="line"><span class="cl"><span class="sd"> value: </span></span></span><span class="line"><span class="cl"><span class="sd"> name: v1alpha2 </span></span></span><span class="line"><span class="cl"><span class="sd"> served: true </span></span></span><span class="line"><span class="cl"><span class="sd"> storage: false </span></span></span><span class="line"><span class="cl"><span class="sd"> schema: </span></span></span><span class="line"><span class="cl"><span class="sd"> openAPIV3Schema: </span></span></span><span class="line"><span class="cl"><span class="sd"> type: object </span></span></span><span class="line"><span class="cl"><span class="sd"> properties: </span></span></span><span class="line"><span class="cl"><span class="sd"> spec: </span></span></span><span class="line"><span class="cl"><span class="sd"> type: object </span></span></span><span class="line"><span class="cl"><span class="sd"> status: </span></span></span><span class="line"><span class="cl"><span class="sd"> type: object</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>This approach:</p> <ol> <li>Pulls Gateway API v1.4.0 experimental (with v1.GRPCRoute and BackendTLSPolicy v1)</li> <li>Uses <code>op: add</code> with <code>path: /spec/versions/-</code> to append v1alpha2 to the versions array</li> <li>Keeps v1 as the storage version while serving v1alpha2 for k8s-gateway</li> </ol> <p>Now when Flux reconciles, k8s-gateway finds its required <code>v1alpha2.GRPCRoute</code> and stops complaining. No more manual patching after reconciliations.</p> <p><strong>Lessons learned:</strong></p> <ul> <li>Gateway API version compatibility is a minefield. k8s-gateway, Envoy Gateway, and external-dns all have different requirements. Pin to v1.4.0 experimental for BackendTLSPolicy v1 support with Envoy Gateway v1.6.0.</li> <li>Always add HTTPRoute to k8s-gateway&rsquo;s <code>watchedResources</code> if you&rsquo;re using Gateway API for ingress.</li> <li>CRD deletions cascade to all CR instances. After recreating CRDs, you need to force Helm to reapply resources even if the chart version hasn&rsquo;t changed.</li> <li><strong>Don&rsquo;t remove <code>useClientProtocol: true</code> from BackendTrafficPolicy</strong> – it&rsquo;s required for WebSocket connections to work properly. When in doubt, check the original working config before making changes.</li> <li><strong>Use JSON patches to add CRD versions</strong> – when you need to support multiple API versions in a single CRD, use Kustomize JSON patches with <code>op: add</code> to append versions without replacing the original.</li> </ul> <h3 id="hairpin-nat-and-cilium-socketlb">Hairpin NAT and Cilium socketLB </h3><p>After all the Gateway API CRD drama, I hit another wall: pods couldn&rsquo;t reach services on the external gateway. BookStack&rsquo;s OIDC login to PocketID was timing out with <code>cURL error 6: Could not resolve host: id.nerdz.cloud</code>.</p> <p>The symptoms were confusing:</p> <ul> <li>DNS resolved correctly via k8s-gateway (returning the LoadBalancer IP)</li> <li>The pod could reach the service directly via ClusterIP</li> <li>But any attempt to curl the LoadBalancer IP from inside the cluster timed out</li> </ul> <p>This is the classic <strong>hairpin NAT problem</strong>. With ingress-nginx, this worked because it runs with <code>hostNetwork: true</code>, so traffic never goes through the LoadBalancer service from inside the cluster. But Envoy Gateway deploys proxies as regular pods without hostNetwork, so internal traffic trying to reach the LoadBalancer IP gets stuck.</p> <p>The fix? <strong>Enable Cilium&rsquo;s socketLB</strong>. This allows pods to reach LoadBalancer IPs directly by doing socket-level interception:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># kubernetes/apps/kube-system/cilium/app/helm-values.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">socketLB</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>Before this change, <code>bpf-lb-sock</code> was <code>false</code> in the cilium-config ConfigMap. After enabling it, pods can reach any LoadBalancer IP in the cluster, including the external gateway where PocketID lives.</p> <p>I also added an internal HTTPRoute to pocket-id as a belt-and-suspenders approach, so k8s-gateway returns both the internal and external gateway IPs. But the real fix was enabling socketLB.</p> <p><strong>Lesson learned:</strong> If you&rsquo;re using Cilium with Envoy Gateway (or any ingress that doesn&rsquo;t use hostNetwork), you need <code>socketLB.enabled: true</code> for pod-to-LoadBalancer connectivity.</p> <h3 id="rook-ceph-clearing-the-too-many-pgs-per-osd-alert">Rook Ceph: clearing the “too many PGs per OSD” alert </h3><p>Even on the fresh Talos rebuild, Ceph immediately threw <code>HEALTH_WARN too many PGs per OSD (265 &gt; max 250)</code>. With only three NVMe-backed OSDs online, the default PG soft limit is tight, so any extra pools tip it over. The culprit was the <strong>bootstrap RGW realm</strong> (<code>default</code>) that Rook creates every time, even if you never intend to use it.</p> <p>What I did:</p> <ol> <li> <p><strong>Confirmed the warning was PG-related</strong> – <code>kubectl -n rook-ceph exec deploy/rook-ceph-tools -- ceph status</code> showed 265 PGs spread across 15 pools, all OSDs healthy.</p> </li> <li> <p><strong>Inspected pool usage</strong> – <code>ceph df detail</code> revealed <code>default.rgw.(log|control|meta)</code> sucking up 96 PGs despite having zero data.</p> </li> <li> <p><strong>Verified the realm was unused</strong> – <code>radosgw-admin realm/zonegroup/zone list</code> only reported <code>ceph-objectstore</code> as active; the old <code>default</code> entries had no buckets or users (<code>radosgw-admin bucket list --rgw-zone=default</code> returned <code>[]</code>).</p> </li> <li> <p><strong>Deleted the bootstrap realm stack</strong> – removed the <code>default</code> zonegroup + zone, ran <code>radosgw-admin period update --commit</code>, then dropped the three empty pools with:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ceph osd pool rm default.rgw.log default.rgw.log --yes-i-really-really-mean-it </span></span><span class="line"><span class="cl">ceph osd pool rm default.rgw.control default.rgw.control --yes-i-really-really-mean-it </span></span><span class="line"><span class="cl">ceph osd pool rm default.rgw.meta default.rgw.meta --yes-i-really-really-mean-it </span></span></code></pre></td></tr></table> </div> </div></li> <li> <p><strong>Rechecked cluster health</strong> – PG count fell to 169 and <code>ceph status</code> flipped back to <code>HEALTH_OK</code>.</p> </li> </ol> <p>Lesson learned: after every fresh Rook install, delete the unused <code>default</code> RGW realm or scale up OSDs before enabling your workloads. Otherwise Ceph wastes PGs on pools you don’t even mount, and you get an avoidable health warning the moment the cluster comes online.</p> <p>I&rsquo;m still in the middle of rebuilding, but wiping the nodes and re-running the Talos + Flux bootstrap took under an hour once the ISO was ready. The longest part was downloading backups and letting VolSync rehydrate PVCs. If you ever reach the point where Rook is fighting ghost disks, don&rsquo;t be afraid to pave the nodes. Talos makes the clean-room reinstall repeatable, and GitOps brings all of the workloads back on autopilot.</p> <h3 id="discovering-imagevolume-oci-images-as-read-only-config-volumes">Discovering ImageVolume: OCI images as read-only config volumes </h3><p>While getting qbittorrent running, I noticed it was using something I didn&rsquo;t know existed: the <code>type: image</code> persistence option in bjw-s&rsquo;s app-template. It lets you mount an OCI image directly as a read-only volume—perfect for bundling binaries or config without maintaining separate ConfigMaps or init containers.</p> <p>The qbittorrent helmrelease mounts qbrr (a torrent reannounce tool) this way:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">persistence</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">qbrr</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l">image</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">ghcr.io/buroa/qbrr:0.1.2@sha256:f930dbb4de49ffe3348d1d4f8187ce27590842bc4d6a89c3aa84234d7e99f46b</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">globalMounts</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">readOnly</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>This pulls the OCI image and mounts its filesystem as a read-only volume—qbittorrent gets access to the qbrr binary without needing an init container to copy it over. The catch? It requires the Kubernetes <code>ImageVolume</code> feature gate, which is alpha and disabled by default.</p> <h4 id="enabling-imagevolume-on-talos">Enabling ImageVolume on Talos </h4><p>Enabling a Kubernetes feature gate on Talos means patching both the kubelet (on all nodes) and the API server (on control plane nodes). I followed MASTERBLASTER&rsquo;s pattern from their home-ops repo.</p> <p><strong>Step 1: Create the controller patch for the API server</strong></p> <p>File: <code>kubernetes/bootstrap/talos/patches/controller/feature-gates.yaml</code></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">cluster</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">apiServer</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">extraArgs</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">feature-gates</span><span class="p">:</span><span class="w"> </span><span class="l">ImageVolume=true</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p><strong>Step 2: Update the kubelet patch</strong></p> <p>Added to the existing <code>kubernetes/bootstrap/talos/patches/global/kubelet.yaml</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">machine</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kubelet</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">nodeIP</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">validSubnets</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="m">10.90.3.0</span><span class="l">/16</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">extraConfig</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">featureGates</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ImageVolume</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p><strong>Step 3: Reference the new patch in talconfig.yaml</strong></p> <p>Added <code>&quot;@./patches/controller/feature-gates.yaml&quot;</code> to the controlPlane patches list.</p> <h4 id="rolling-out-the-change-safely">Rolling out the change safely </h4><p>Talos machineconfig changes can be risky—a bad config can brick your nodes. I took a cautious approach with full backups and validation at each step.</p> <p><strong>1. Document current state</strong></p> <p>First, verify no feature gates are currently configured:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Check kubelet feature gates on all nodes</span> </span></span><span class="line"><span class="cl"><span class="k">for</span> node in 10.90.3.101 10.90.3.102 10.90.3.103<span class="p">;</span> <span class="k">do</span> </span></span><span class="line"><span class="cl"> <span class="nb">echo</span> <span class="s2">&#34;--- Node </span><span class="nv">$node</span><span class="s2"> ---&#34;</span> </span></span><span class="line"><span class="cl"> talosctl -n <span class="nv">$node</span> get machineconfig -o yaml <span class="p">|</span> grep -A2 featureGates </span></span><span class="line"><span class="cl"><span class="k">done</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Check API server feature gates</span> </span></span><span class="line"><span class="cl">kubectl get pod -n kube-system -l <span class="nv">component</span><span class="o">=</span>kube-apiserver -o yaml <span class="p">|</span> grep feature-gates </span></span></code></pre></td></tr></table> </div> </div><p>All nodes returned empty—no feature gates configured.</p> <p><strong>2. Backup existing configs before changes</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="nb">cd</span> /home/gavin/home-ops/kubernetes/bootstrap/talos </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Copy current machineconfigs</span> </span></span><span class="line"><span class="cl">cp -r clusterconfig clusterconfig-before-imagevolume </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Copy patch files we&#39;re modifying</span> </span></span><span class="line"><span class="cl">cp patches/global/kubelet.yaml kubelet-before-imagevolume.yaml </span></span><span class="line"><span class="cl">cp talconfig.yaml talconfig-before-imagevolume.yaml </span></span></code></pre></td></tr></table> </div> </div><p><strong>3. Generate new configs and compare</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Generate new machineconfigs</span> </span></span><span class="line"><span class="cl">talhelper genconfig </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Compare old vs new (or use VS Code diff)</span> </span></span><span class="line"><span class="cl">diff clusterconfig-before-imagevolume/home-kubernetes-stanton-01.yaml <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> clusterconfig/home-kubernetes-stanton-01.yaml </span></span></code></pre></td></tr></table> </div> </div><p>Here&rsquo;s what the diffs look like in VS Code:</p> <p><strong>Kubelet patch</strong> – adds <code>extraConfig.featureGates.ImageVolume: true</code>:</p> <p><img src="https://blog.nerdz.cloud/2025/talos-dr-reset/talos-patch-kubelet.png" width="1827" height="407" srcset="https://blog.nerdz.cloud/2025/talos-dr-reset/talos-patch-kubelet_hu18083526264447897705.png 480w, https://blog.nerdz.cloud/2025/talos-dr-reset/talos-patch-kubelet_hu7548926015160413048.png 1024w" loading="lazy" alt="Kubelet patch diff showing ImageVolume feature gate addition" class="gallery-image" data-flex-grow="448" data-flex-basis="1077px" ></p> <p><strong>API server patch</strong> – adds <code>extraArgs.feature-gates: ImageVolume=true</code>:</p> <p><img src="https://blog.nerdz.cloud/2025/talos-dr-reset/talos-patch-apiserver.png" width="1819" height="236" srcset="https://blog.nerdz.cloud/2025/talos-dr-reset/talos-patch-apiserver_hu16350342951500093856.png 480w, https://blog.nerdz.cloud/2025/talos-dr-reset/talos-patch-apiserver_hu16854798511663391833.png 1024w" loading="lazy" alt="API server patch diff showing ImageVolume feature gate addition" class="gallery-image" data-flex-grow="770" data-flex-basis="1849px" ></p> <p><strong>4. Dry-run first node</strong></p> <p>Test the config without applying to catch any errors:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">TALOSCONFIG</span><span class="o">=</span>/home/gavin/home-ops/kubernetes/bootstrap/talos/clusterconfig/talosconfig </span></span><span class="line"><span class="cl">talosctl apply-config -n 10.90.3.101 -f clusterconfig/home-kubernetes-stanton-01.yaml --dry-run </span></span></code></pre></td></tr></table> </div> </div><p>The dry-run output showed exactly what would change:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">Dry run summary: </span></span><span class="line"><span class="cl">Applied configuration without a reboot (skipped in dry-run). </span></span><span class="line"><span class="cl">Config diff: </span></span><span class="line"><span class="cl">+ extraConfig: </span></span><span class="line"><span class="cl">+ featureGates: </span></span><span class="line"><span class="cl">+ ImageVolume: true </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">+ extraArgs: </span></span><span class="line"><span class="cl">+ feature-gates: ImageVolume=true </span></span></code></pre></td></tr></table> </div> </div><p><strong>5. Apply one node at a time</strong></p> <p>Start with the first node, wait for it to return to Ready, then proceed:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Apply to first node</span> </span></span><span class="line"><span class="cl">talosctl apply-config -n 10.90.3.101 -f clusterconfig/home-kubernetes-stanton-01.yaml </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Watch for Ready status</span> </span></span><span class="line"><span class="cl">kubectl get nodes -w </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Verify feature gate applied</span> </span></span><span class="line"><span class="cl">talosctl -n 10.90.3.101 get machineconfig -o yaml <span class="p">|</span> grep -A2 featureGates </span></span></code></pre></td></tr></table> </div> </div><p><strong>6. Apply to remaining nodes</strong></p> <p>Only after stanton-01 is confirmed healthy:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Second node</span> </span></span><span class="line"><span class="cl">talosctl apply-config -n 10.90.3.102 -f clusterconfig/home-kubernetes-stanton-02.yaml </span></span><span class="line"><span class="cl">kubectl get nodes -w </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Third node</span> </span></span><span class="line"><span class="cl">talosctl apply-config -n 10.90.3.103 -f clusterconfig/home-kubernetes-stanton-03.yaml </span></span><span class="line"><span class="cl">kubectl get nodes -w </span></span></code></pre></td></tr></table> </div> </div><p>All three nodes applied the config without requiring a reboot—Talos intelligently determines whether kubelet/API server changes need a full reboot or just a service restart.</p> <h4 id="validating-the-feature-works">Validating the feature works </h4><p>With the feature gate enabled, I force-reconciled the qbittorrent helmrelease (the <code>--force</code> flag ensures Helm reapplies the deployment even if the chart version hasn&rsquo;t changed):</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">flux reconcile helmrelease -n downloads qbittorrent --force </span></span><span class="line"><span class="cl">kubectl rollout status deployment/qbittorrent -n downloads --timeout<span class="o">=</span>120s </span></span></code></pre></td></tr></table> </div> </div><p>Once the pod came up, I verified the image volume was mounted and the binary was accessible:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Check the qbrr volume is mounted</span> </span></span><span class="line"><span class="cl">kubectl <span class="nb">exec</span> -n downloads deploy/qbittorrent -c app -- ls -la /qbrr/ </span></span></code></pre></td></tr></table> </div> </div><p>Output shows the entire OCI image filesystem mounted read-only:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">total 2072 </span></span><span class="line"><span class="cl">drwxr-xr-x 1 root root 6 Nov 20 12:03 . </span></span><span class="line"><span class="cl">drwxr-xr-x 1 root root 40 Nov 20 12:03 .. </span></span><span class="line"><span class="cl">drwxr-xr-x 2 root root 6 Aug 25 04:05 bin </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">-rwxr-xr-x 1 root root 2118668 Nov 18 05:15 qbrr </span></span><span class="line"><span class="cl">... </span></span></code></pre></td></tr></table> </div> </div><p>And verify the binary is executable:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl <span class="nb">exec</span> -n downloads deploy/qbittorrent -c app -- /qbrr/qbrr --help </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-gdscript3" data-lang="gdscript3"><span class="line"><span class="cl"><span class="n">Usage</span> <span class="n">of</span> <span class="o">/</span><span class="n">qbrr</span><span class="o">/</span><span class="n">qbrr</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">qBittorrent</span> <span class="n">reannouncement</span> <span class="k">tool</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="o">-</span><span class="nb">hash</span> <span class="n">string</span> </span></span><span class="line"><span class="cl"> <span class="n">Specific</span> <span class="n">torrent</span> <span class="nb">hash</span> <span class="n">to</span> <span class="n">reannounce</span> <span class="p">(</span><span class="n">single</span> <span class="n">run</span> <span class="n">mode</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="o">-</span><span class="n">interval</span> <span class="ne">int</span> </span></span><span class="line"><span class="cl"> <span class="n">Interval</span> <span class="n">between</span> <span class="n">reannounce</span> <span class="n">checks</span> <span class="ow">in</span> <span class="n">seconds</span> <span class="p">(</span><span class="n">default</span> <span class="mi">7</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="o">...</span> </span></span></code></pre></td></tr></table> </div> </div><p>The ImageVolume feature is working—the qbrr binary is available at <code>/qbrr/qbrr</code> without any init containers or volume copying.</p> <p><strong>Lesson learned:</strong> <code>type: image</code> persistence is a cleaner pattern for shipping binaries or config alongside your main container. You avoid init containers that copy files around, and the volume is immutable. The feature gate requirement means it&rsquo;s not for everyone, but on a homelab where you control the cluster config, it&rsquo;s worth enabling.</p> <h2 id="guardrails-im-putting-in-place">Guardrails I&rsquo;m putting in place </h2><ol> <li><strong>Wipe before redeploying storage</strong> – running <code>blkdiscard</code> and <code>wipefs</code> is now part of the Taskfile <code>talos:nuke</code> flow so Ceph never trips on residual GPT headers again.</li> <li><strong>Namespace-scoped Flux Kustomize</strong> – large-scale reorganizations happen behind feature branches and are reconciled one namespace at a time instead of flipping the entire cluster at once.</li> <li><strong>Talos factory IDs in version control</strong> – keeping the Talos schematic IDs and Thunderbolt routes in <code>talconfig.yaml</code> meant the reinstall was deterministic. Future upgrades will keep those comments updated so I always know what ISO to pull.</li> <li><strong>Document the scary steps</strong> – posts like this become my runbook. The next time Talos needs to be rebuilt I can follow the exact steps—Ubuntu live boot, <code>blkdiscard</code>, <code>task talos:bootstrap</code>, <code>task flux:bootstrap</code>—without searching through old Discord threads.</li> </ol> <hr> <h2 id="update-2025-11-24-overseerr-connectivity-issues-after-gateway-api-migration">Update 2025-11-24: Overseerr Connectivity Issues After Gateway API Migration </h2><p>After completing the Envoy Gateway migration, I discovered that Overseerr couldn&rsquo;t communicate with any of the sonarr/radarr/plex instances. The logs showed consistent timeout errors:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-gdscript3" data-lang="gdscript3"><span class="line"><span class="cl"><span class="p">[</span><span class="n">error</span><span class="p">][</span><span class="n">Download</span> <span class="n">Tracker</span><span class="p">]:</span> <span class="n">Unable</span> <span class="n">to</span> <span class="n">get</span> <span class="n">queue</span> <span class="n">from</span> <span class="n">Sonarr</span> <span class="n">server</span><span class="p">:</span> <span class="n">Sonarr</span> <span class="n">UHD</span> </span></span><span class="line"><span class="cl"><span class="n">connect</span> <span class="n">ETIMEDOUT</span> <span class="mf">10.90</span><span class="o">.</span><span class="mf">3.202</span><span class="p">:</span><span class="mi">80</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="the-root-cause">The Root Cause </h3><p>Before the migration to Gateway API routes, Overseerr was configured to use external domain names (e.g., <code>sonarr.${SECRET_DOMAIN}</code>, <code>radarr-uhd.${SECRET_DOMAIN}</code>). These domains were resolving via k8s-gateway DNS to the envoy-internal LoadBalancer IP <code>10.90.3.202</code>.</p> <p>The problem? <strong>Pods cannot reach LoadBalancer IPs directly</strong> when using Cilium&rsquo;s socketLB in certain configurations. While I had enabled socketLB to fix the hairpin NAT issue for external services, it wasn&rsquo;t working for all pod-to-LoadBalancer scenarios.</p> <p>Testing revealed:</p> <ul> <li>✅ Direct cluster DNS (<code>sonarr.downloads.svc.cluster.local:80</code>) - <strong>WORKS</strong></li> <li>✅ ClusterIP access (<code>10.96.251.188:80</code>) - <strong>WORKS</strong></li> <li>❌ LoadBalancer IP (<code>10.90.3.202:80</code>) - <strong>TIMES OUT</strong></li> <li>❌ External domains (resolve to LoadBalancer IP) - <strong>FAILS</strong></li> </ul> <h3 id="the-solution">The Solution </h3><p>The fix is simple: <strong>use internal cluster DNS names instead of external domains</strong>. Since all the *arr services run in the <code>downloads</code> namespace and Overseerr runs in <code>entertainment</code>, I needed to update the Overseerr configuration to use fully-qualified cluster DNS names.</p> <p>Update Overseerr (Settings → Services) with these internal service URLs:</p> <p><strong>Sonarr instances:</strong></p> <ul> <li>Sonarr (Default): <code>http://sonarr.downloads.svc.cluster.local</code> port <code>80</code></li> <li>Sonarr Horror: <code>http://sonarr.downloads.svc.cluster.local</code> port <code>80</code></li> <li>Sonarr UHD (Default 4K): <code>http://sonarr-uhd.downloads.svc.cluster.local</code> port <code>80</code></li> <li>Sonarr Foreign: <code>http://sonarr-foreign.downloads.svc.cluster.local</code> port <code>80</code></li> </ul> <p><strong>Radarr instances:</strong></p> <ul> <li>Radarr (Default): <code>http://radarr.downloads.svc.cluster.local</code> port <code>80</code></li> <li>Radarr UHD (Default 4K): <code>http://radarr-uhd.downloads.svc.cluster.local</code> port <code>80</code></li> </ul> <p>** Plex instances:**</p> <ul> <li>Plex: <code>http://plex.entertainment.svc.cluster.local</code> port <code>80</code></li> <li>Tautulli: <code>http://tautulli.entertainment.svc.cluster.local</code> port <code>80</code></li> </ul> <p>All should have SSL set to <code>false</code> since internal cluster traffic doesn&rsquo;t need TLS termination.</p> <p>I also had to fix the link to Plex inside Tautulli by setting it to</p> <ul> <li>Plex: <code>plex.entertainment.svc.cluster.local</code> port <code>32400</code></li> </ul> <h3 id="why-this-happened">Why This Happened </h3><p>The original configuration worked with ingress-nginx because it ran with <code>hostNetwork: true</code>, meaning pods accessed services through the host&rsquo;s network stack and never hit the LoadBalancer service abstraction. Envoy Gateway deploys as regular pods without hostNetwork, so any attempt to reach a LoadBalancer IP from inside the cluster goes through the LoadBalancer service.</p> <p>While Cilium&rsquo;s socketLB is supposed to handle pod-to-LoadBalancer connectivity, the most reliable pattern is to use cluster DNS for internal service-to-service communication. LoadBalancer IPs should only be used for external ingress traffic.</p> <p><strong>Lesson learned:</strong> After migrating from ingress-nginx to Gateway API, audit all application configurations that reference external domain names for internal services. If both the client and server are in-cluster, use cluster DNS (<code>&lt;service&gt;.&lt;namespace&gt;.svc.cluster.local</code>) instead of external domains that resolve to LoadBalancer IPs.</p> https://blog.nerdz.cloud/2025/tesla-fleet-hass/ Fri, 08 Aug 2025 00:00:00 +1200 https://blog.nerdz.cloud/2025/tesla-fleet-hass/ <blockquote> <p>&ldquo;TL;DR Tesla don&rsquo;t make this simple, Kubernetes with proper security makes it worse&rdquo;</p> </blockquote> <h1 id="tesla-fleet-integration-in-kubernetes-the-real-world-guide">Tesla Fleet Integration in Kubernetes: The Real-World Guide </h1><p>&ldquo;Sometimes the best smart home setup is the one that actually works — even if it means fighting Kubernetes for three hours.&rdquo;</p> <h2 id="intro">Intro </h2><p>I&rsquo;ve been following <a class="link" href="https://thissmart.house/2025/07/03/%F0%9F%9A%97-full-smart-home-control-of-your-tesla-with-home-assistants-tesla-fleet-integration/" target="_blank" rel="noopener" >This Smart House&rsquo;s excellent guide</a> on setting up Tesla Fleet integration with Home Assistant, but let&rsquo;s be honest — it&rsquo;s written for Home Assistant OS with add-ons, not containerized deployments in Kubernetes.</p> <p>After wrestling with file permissions, mount conflicts, and Tesla&rsquo;s overly complex API requirements, I finally got it working. Here&rsquo;s what I learned, including all the gotchas that&rsquo;ll save you hours of frustration.</p> <p><strong>Full credit to <a class="link" href="https://thissmart.house/" target="_blank" rel="noopener" >This Smart House</a> for the original guide</strong> — this is essentially a Kubernetes adaptation of their excellent work.</p> <h2 id="why-this-integration-matters">Why This Integration Matters </h2><p>Tesla&rsquo;s new Fleet API integration lets you:</p> <ul> <li>Lock/unlock your Tesla from Home Assistant</li> <li>Start climate control remotely</li> <li>Monitor charging status and battery levels</li> <li>Control charging rates</li> <li>Create automations (pre-heat before you leave, charge during solar peak, etc.)</li> </ul> <p>All without opening the Tesla app. It&rsquo;s the real deal for smart home automation.</p> <h2 id="prerequisites">Prerequisites </h2><p>Before diving in, make sure you have:</p> <ul> <li>Tesla account with at least one vehicle</li> <li>Home Assistant running in Kubernetes (I&rsquo;m using the <a class="link" href="https://github.com/bjw-s/helm-charts/tree/main/charts/other/app-template" target="_blank" rel="noopener" >bjw-s app-template</a>)</li> <li>External domain with proper SSL (Tesla won&rsquo;t work with self-signed certs)</li> <li>ingress-nginx controller (I have not yet moved to Gateway API)</li> <li>External-secrets-operator with 1Password (optional, but recommended)</li> </ul> <h2 id="the-kubernetes-challenges">The Kubernetes Challenges </h2><p>The original guide assumes you&rsquo;re using Home Assistant OS add-ons for:</p> <ul> <li>NGINX SSL Proxy Add-on (for serving public keys)</li> <li>Advanced SSH &amp; Web Terminal (for generating encryption keys)</li> <li>File system access (for placing keys in specific locations)</li> </ul> <p><strong>In Kubernetes, we need to handle all of this differently.</strong></p> <h2 id="step-1-generate-tesla-fleet-encryption-keys">Step 1: Generate Tesla Fleet Encryption Keys </h2><p>Tesla requires ECDSA P-256 encryption keys for secure communication. Generate these locally:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Generate private key</span> </span></span><span class="line"><span class="cl">openssl ecparam -name prime256v1 -genkey -noout -out tesla_fleet.key </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Generate public key</span> </span></span><span class="line"><span class="cl">openssl ec -in tesla_fleet.key -pubout -out public-key.pem </span></span></code></pre></td></tr></table> </div> </div><p>Store these safely — you&rsquo;ll need both for the setup.</p> <h2 id="step-2-tesla-developer-portal-setup">Step 2: Tesla Developer Portal Setup </h2><ol> <li>Go to <a class="link" href="https://developer.tesla.com" target="_blank" rel="noopener" >developer.tesla.com</a> and create an account</li> <li>Create a new application with these settings: <ul> <li><strong>OAuth Grant Type</strong>: Authorization Code and Machine-to-Machine</li> <li><strong>Allowed Origin URL</strong>: <code>https://subdomain.domain.com</code> e.g. hass.domain.com</li> <li><strong>Redirect URI</strong>: <code>https://my.home-assistant.io/redirect/oauth</code></li> <li><strong>Scopes</strong>: Select ALL available scopes (Vehicle Information, Vehicle Location, Vehicle Commands, Vehicle Charging Management, Energy Product Information, Energy Product Commands)</li> </ul> </li> </ol> <p><strong>Critical gotcha</strong>: Make sure you specifiy the sub domain for home-assistant, if you select the root domain this doesnt work.</p> <h2 id="step-3-serving-the-public-key-the-hard-part">Step 3: Serving the Public Key (The Hard Part) </h2><p>Tesla needs to access your public key at <code>https://your-domain.com/.well-known/appspecific/com.tesla.3p.public-key.pem</code>.</p> <h3 id="the-mount-approach-doesnt-work">The Mount Approach (Doesn&rsquo;t Work) </h3><p>My first instinct was to mount the public key file and serve it:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># DON&#39;T DO THIS - it causes mount conflicts</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">persistence</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">tesla-keys</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l">secret</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">home-assistant-secret</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">globalMounts</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="l">/.well-known/appspecific/com.tesla.3p.public-key.pem</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">subPath</span><span class="p">:</span><span class="w"> </span><span class="l">tesla_public_key</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">readOnly</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p><strong>This fails spectacularly</strong> with &ldquo;not a directory&rdquo; errors because Kubernetes can&rsquo;t create the deep directory structure required.</p> <h3 id="the-working-solution-nginx-ingress">The Working Solution: nginx Ingress </h3><p>Instead, serve the public key content directly via nginx:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">ingress</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">tesla-key</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">external-dns.alpha.kubernetes.io/target</span><span class="p">:</span><span class="w"> </span><span class="l">external.${SECRET_DOMAIN}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">nginx.ingress.kubernetes.io/server-snippet</span><span class="p">:</span><span class="w"> </span><span class="p">|</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> location = /.well-known/appspecific/com.tesla.3p.public-key.pem { </span></span></span><span class="line"><span class="cl"><span class="sd"> return 200 &#34;-----BEGIN PUBLIC KEY----- </span></span></span><span class="line"><span class="cl"><span class="sd"> YOUR_ACTUAL_PUBLIC_KEY_CONTENT_HERE </span></span></span><span class="line"><span class="cl"><span class="sd"> -----END PUBLIC KEY-----&#34;; </span></span></span><span class="line"><span class="cl"><span class="sd"> add_header Content-Type application/x-pem-file; </span></span></span><span class="line"><span class="cl"><span class="sd"> }</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">className</span><span class="p">:</span><span class="w"> </span><span class="l">external</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">hosts</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">host</span><span class="p">:</span><span class="w"> </span><span class="l">hass.${SECRET_DOMAIN}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">paths</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="l">/.well-known/appspecific/com.tesla.3p.public-key.pem</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">pathType</span><span class="p">:</span><span class="w"> </span><span class="l">Exact</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">service</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">identifier</span><span class="p">:</span><span class="w"> </span><span class="l">app</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">port</span><span class="p">:</span><span class="w"> </span><span class="l">http</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>This bypasses all the file mounting complexity and serves the key directly from nginx.</p> <h2 id="step-4-the-private-key-challenge">Step 4: The Private Key Challenge </h2><p>Home Assistant needs the private key at <code>/config/tesla_fleet.key</code>. With <code>readOnlyRootFilesystem: true</code>, you can&rsquo;t just write files to the container.</p> <h3 id="the-permission-dance">The Permission Dance </h3><p>Here&rsquo;s the process that actually works:</p> <p><strong>1. Temporarily disable read-only filesystem:</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">app</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">securityContext</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">allowPrivilegeEscalation</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">readOnlyRootFilesystem</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span><span class="c"># Temporarily disable</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">capabilities</span><span class="p">:</span><span class="w"> </span>{<span class="nt">drop</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;ALL&#34;</span><span class="p">]</span>}<span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p><strong>2. Apply and create the file:</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl <span class="nb">exec</span> -it deployment/home-assistant -c app -- sh -c <span class="s1">&#39;cat &gt; /config/tesla_fleet.key &lt;&lt; &#34;EOF&#34; </span></span></span><span class="line"><span class="cl"><span class="s1">-----BEGIN EC PRIVATE KEY----- </span></span></span><span class="line"><span class="cl"><span class="s1">YOUR_PRIVATE_KEY_CONTENT_HERE </span></span></span><span class="line"><span class="cl"><span class="s1">-----END EC PRIVATE KEY----- </span></span></span><span class="line"><span class="cl"><span class="s1">EOF&#39;</span> </span></span></code></pre></td></tr></table> </div> </div><p><strong>3. Re-enable read-only filesystem:</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">app</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">securityContext</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">allowPrivilegeEscalation</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">readOnlyRootFilesystem</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="c"># Re-enable</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">capabilities</span><span class="p">:</span><span class="w"> </span>{<span class="nt">drop</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;ALL&#34;</span><span class="p">]</span>}<span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>The file persists on the PVC even after re-enabling read-only mode.</p> <h2 id="step-5-domain-registration-with-tesla">Step 5: Domain Registration with Tesla </h2><p>This step is <strong>critical</strong> and often overlooked. You must register your domain with Tesla&rsquo;s Fleet API before they&rsquo;ll accept your public key.</p> <p><strong>Get an access token:</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">curl --request POST <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span>--header <span class="s1">&#39;Content-Type: application/x-www-form-urlencoded&#39;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span>--data-urlencode <span class="s1">&#39;grant_type=client_credentials&#39;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span>--data-urlencode <span class="s1">&#39;client_id=YOUR_CLIENT_ID&#39;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span>--data-urlencode <span class="s1">&#39;client_secret=YOUR_CLIENT_SECRET&#39;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span>--data-urlencode <span class="s1">&#39;scope=openid vehicle_device_data vehicle_cmds vehicle_location vehicle_charging_cmds energy_device_data energy_cmds&#39;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span>--data-urlencode <span class="s1">&#39;audience=https://fleet-api.prd.na.vn.cloud.tesla.com&#39;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span><span class="s1">&#39;https://fleet-auth.prd.vn.cloud.tesla.com/oauth2/v3/token&#39;</span> </span></span></code></pre></td></tr></table> </div> </div><p><strong>Register your domain:</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">curl --location <span class="s1">&#39;https://fleet-api.prd.na.vn.cloud.tesla.com/api/1/partner_accounts&#39;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span>--header <span class="s1">&#39;Content-Type: application/json&#39;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span>--header <span class="s1">&#39;Authorization: Bearer YOUR_ACCESS_TOKEN&#39;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span>--data <span class="s1">&#39;{&#34;domain&#34;: &#34;your-hass-domain.com&#34;}&#39;</span> </span></span></code></pre></td></tr></table> </div> </div><p><strong>Include ALL scopes</strong> in the token request — missing scopes here will limit what the Home Assistant integration can do later.</p> <h2 id="step-6-file-permission-gotchas">Step 6: File Permission Gotchas </h2><p>If you run into permission issues (and you probably will), here&rsquo;s the fix that actually works:</p> <p><strong>Update your pod security context:</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">defaultPodOptions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">securityContext</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">runAsNonRoot</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">runAsUser</span><span class="p">:</span><span class="w"> </span><span class="m">568</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">runAsGroup</span><span class="p">:</span><span class="w"> </span><span class="m">568</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">fsGroup</span><span class="p">:</span><span class="w"> </span><span class="m">568</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">fsGroupChangePolicy</span><span class="p">:</span><span class="w"> </span><span class="l">Always </span><span class="w"> </span><span class="c"># This is critical</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">seccompProfile</span><span class="p">:</span><span class="w"> </span>{<span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l">RuntimeDefault}</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p><strong>The key insight</strong>: <code>fsGroupChangePolicy: Always</code> ensures all files created in mounted volumes get proper ownership, preventing the auth file permission errors that can break Home Assistant startup.</p> <h2 id="step-7-home-assistant-integration">Step 7: Home Assistant Integration </h2><p>Once everything is set up:</p> <ol> <li><strong>Add the Tesla Fleet integration</strong> in Home Assistant</li> <li><strong>Enter your Client ID and Secret</strong></li> <li><strong>Set private key path to</strong>: <code>/config/tesla_fleet.key</code></li> <li><strong>Complete the OAuth flow</strong></li> </ol> <p>If you&rsquo;ve done everything correctly, you&rsquo;ll get all scopes including Vehicle Commands, and you can finally control your Tesla from your smart home.</p> <h2 id="the-complete-working-configuration">The Complete Working Configuration </h2><p>Here&rsquo;s my final working configuration:</p> <p><strong><a class="link" href="https://github.com/gavinmcfall/home-ops/blob/894dce1c6d1f80979db4ad52195db7f04aae9b12/kubernetes/apps/home-automation/home-assistant/app/helmrelease.yaml" target="_blank" rel="noopener" >After (working)</a></strong> — serving public key via nginx, manual private key creation</p> <h2 id="key-lessons-learned">Key Lessons Learned </h2><p><strong>Tesla API Gotchas:</strong></p> <ul> <li>HASS subdomin must be used</li> <li>Domain registration is mandatory before public key acceptance</li> <li>All scopes must be included in the domain registration token</li> <li>Public key format is extremely picky about line breaks</li> </ul> <p><strong>Kubernetes Gotchas:</strong></p> <ul> <li>Can&rsquo;t mount files to deep directory paths (<code>/.well-known/appspecific/...</code>)</li> <li><code>readOnlyRootFilesystem</code> prevents file creation even in mounted volumes</li> <li>File permissions get messy when switching between privileged/unprivileged containers</li> <li><code>fsGroupChangePolicy: Always</code> is essential for proper file ownership</li> </ul> <p><strong>Home Assistant Gotchas:</strong></p> <ul> <li>The integration requires the private key file path, not the content</li> <li>OAuth scopes are determined by your Tesla Developer app, not the HA integration</li> <li>Deleting and re-adding the integration is often necessary for scope updates</li> </ul> <h2 id="the-stupid-simple-alternative">The Stupid Simple Alternative </h2><p>If you&rsquo;re reading this and thinking &ldquo;this is way too complex,&rdquo; you&rsquo;re right. Most people should probably just:</p> <ol> <li>Use Home Assistant OS</li> <li>Install the NGINX add-on</li> <li>Follow the original guide</li> </ol> <p>But if you&rsquo;re committed to running everything in Kubernetes (like I am), this is how you make it work.</p> <h2 id="the-result">The Result </h2><p><img src="https://blog.nerdz.cloud/2025/tesla-fleet-hass/Tesla-home-assistant.png" width="1394" height="1179" srcset="https://blog.nerdz.cloud/2025/tesla-fleet-hass/Tesla-home-assistant_hu15464886432198662188.png 480w, https://blog.nerdz.cloud/2025/tesla-fleet-hass/Tesla-home-assistant_hu10629373126183706249.png 1024w" loading="lazy" alt="Tesla Fleet in HASS" class="gallery-image" data-flex-grow="118" data-flex-basis="283px" ></p> <h2 id="final-thoughts">Final Thoughts </h2><p>Tesla&rsquo;s Fleet API setup is unnecessarily convoluted for what should be a straightforward integration. The combination of encryption keys, domain registration, public key serving, and OAuth flows feels like security theater more than actual security.</p> <p>That said, once it&rsquo;s working, the integration is solid. Being able to pre-condition your Tesla from a Home Assistant automation, or automatically adjust charging rates based on solar production, makes the setup pain worth it.</p> <p><strong>Full credit again to <a class="link" href="https://thissmart.house/2025/07/03/%F0%9F%9A%97-full-smart-home-control-of-your-tesla-with-home-assistants-tesla-fleet-integration/" target="_blank" rel="noopener" >This Smart House</a> for the original comprehensive guide.</strong> Their work made this Kubernetes adaptation possible.</p> <p>Now if you&rsquo;ll excuse me, I&rsquo;m going to go start my car&rsquo;s climate control from my smartwatch like the proper nerd I am.</p> <hr> <p><em>You can find my complete home-ops configuration on <a class="link" href="https://github.com/gavinmcfall/home-ops" target="_blank" rel="noopener" >GitHub</a>. Feel free to steal whatever works for your setup.</em></p> https://blog.nerdz.cloud/2025/deploying-open-llms-03/ Thu, 10 Apr 2025 00:00:00 +1200 https://blog.nerdz.cloud/2025/deploying-open-llms-03/ <blockquote> <p>&ldquo;High availability for LLMs doesn&rsquo;t need to be hard. Just give them a shared brain and a quiet place to think.&rdquo;</p> </blockquote> <h2 id="intro">Intro </h2><p>This is the continuation of my open source LLM deployment journey. In <a class="link" href="https://gavinmcfall.github.io/nerdzblog/2025/deploying-open-llms-02/" target="_blank" rel="noopener" >Part 2</a>, I got Open-WebUI up and running with a connection to OpenAI and some solid OIDC-based auth.</p> <p>Now it&rsquo;s time to actually host my own models — enter <strong>Ollama</strong>.</p> <h2 id="why-ollama">Why Ollama? </h2><p>Ollama is a great backend for running open-source models like Mistral, DeepSeek Coder, TinyLLaMA, and many others. It offers:</p> <ul> <li>A clean CLI and API</li> <li>OpenAI-compatible endpoints</li> <li>Easy Docker-based deployment</li> <li>Excellent model ecosystem</li> </ul> <p>&hellip;but it also comes with a few quirks — especially when trying to run it in Kubernetes. Let’s dive into how I set it up and what I learned.</p> <h2 id="goals">Goals </h2><ul> <li>Deploy Ollama in Kubernetes</li> <li>Support <strong>High Availability</strong> across 3 nodes</li> <li>Share model and config volumes across pods</li> <li>Preload models to avoid UI pulls (at first)</li> <li>Integrate with Open-WebUI</li> </ul> <h2 id="why-i-chose-a-daemonset">Why I chose a DaemonSet </h2><p>Most guides suggest deploying Ollama as a single Deployment, but I had other plans. I wanted Ollama to:</p> <ul> <li>Be available on <strong>each node</strong></li> <li>Share model storage (so models don&rsquo;t redownload per pod)</li> <li>Provide <strong>resilience</strong> — if one node goes down, the others keep serving</li> </ul> <p>For that reason, I rolled it out as a <strong>DaemonSet</strong>, with a shared RWX volume for models and config. That means each node hosts its own Ollama pod, but they all read/write to the same <code>/models</code> and <code>/root/.ollama</code> paths.</p> <p>This was critical because:</p> <ul> <li>Downloads happen once</li> <li>Config/state persists</li> <li>Open-WebUI can talk to any node</li> </ul> <h2 id="storage-setup">Storage Setup </h2><p>I used a CephFS-backed PVC with <code>ReadWriteMany</code> access mode to share data across pods. Here&rsquo;s the relevant snippet:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">persistence</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">models</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">existingClaim</span><span class="p">:</span><span class="w"> </span><span class="l">ollama-models-shared</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">advancedMounts</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ollama</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">app</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="l">/models</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">config</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">existingClaim</span><span class="p">:</span><span class="w"> </span><span class="l">ollama</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">advancedMounts</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ollama</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">app</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="l">/root/.ollama</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>If you&rsquo;re running the <a class="link" href="https://github.com/bjw-s/helm-charts/tree/main/charts/other/app-template" target="_blank" rel="noopener" >bjw-s app-template Helm chart</a>, that’s how you wire volumes into the containers cleanly.</p> <h2 id="what-about-model-preloading">What about model preloading? </h2><p>I <strong>initially</strong> tried to preload models using an <code>initContainer</code>, but Ollama’s CLI expects a running server in the background for <code>ollama pull</code> to work. That meant the init container crashed trying to pull models before the server was up.</p> <p>I then considered a Kubernetes Job that spun up a temporary <code>ollama serve</code>, pulled the models, and exited, but in the end — I decided to keep it simple.</p> <h2 id="pulling-models-via-ui">Pulling Models via UI </h2><p>Instead of declarative model pulls, I now:</p> <ol> <li> <p>Browse to you Open-WebUI URL</p> </li> <li> <p>Log in as admin</p> </li> <li> <p>Select your avatar in the top right and click <strong>Admin Panel</strong></p> </li> <li> <p>In the top left menu click <strong>Settings</strong></p> </li> <li> <p>Then in the left menu click <strong>Models</strong></p> <p><code>Here you will see all your OpenAI/ChatGPT models if you followed that step from my previous post</code></p> </li> <li> <p>Click on the download icon in the top right</p> </li> <li> <p>Next, look at ollamas supported models. found <a class="link" href="https://ollama.com/library?sort=popular" target="_blank" rel="noopener" >here</a>.</p> <ul> <li>Search for each model that you want, click on it, then tags drop down and click <strong>View All</strong></li> <li>make a nodel of the model and tag you want: <ul> <li>tinyllama:1.1b</li> <li>mistral:7b-instruct-q4_0</li> <li>deepseek-coder:6.7b</li> </ul> </li> </ul> </li> <li> <p>Click the download Icon next to where you pasted the model:tag</p> <p><img src="https://blog.nerdz.cloud/2025/deploying-open-llms-03/model-pull.png" width="578" height="668" srcset="https://blog.nerdz.cloud/2025/deploying-open-llms-03/model-pull_hu15031558707542216138.png 480w, https://blog.nerdz.cloud/2025/deploying-open-llms-03/model-pull_hu3293706176916652794.png 1024w" loading="lazy" alt="Model Pull" class="gallery-image" data-flex-grow="86" data-flex-basis="207px" ></p> </li> <li> <p>You will see the model begin to download and will see topups in the top right about it verifying the SHA</p> <p><img src="https://blog.nerdz.cloud/2025/deploying-open-llms-03/model-dowloading.png" width="586" height="340" srcset="https://blog.nerdz.cloud/2025/deploying-open-llms-03/model-dowloading_hu3410150694064225730.png 480w, https://blog.nerdz.cloud/2025/deploying-open-llms-03/model-dowloading_hu9025018584249461412.png 1024w" loading="lazy" alt="Model Downloading" class="gallery-image" data-flex-grow="172" data-flex-basis="413px" ></p> </li> <li> <p>After that is complete, refresh the admin page and click <strong>models</strong> from the left manu again and scroll down through the list to see your new model</p> </li> <li> <p>Repeat this process for your other models</p> </li> <li> <p>Lets verify, from your Terminal run the following command which will grab the first ollama container and report the models:</p> <p><code>kubectl -n cortex exec -it $(kubectl -n cortex get pods -l app.kubernetes.io/name=ollama -o jsonpath='{.items[0].metadata.name}') -- ollama list</code></p> </li> <li> <p>Remember, if you want to change your default model, click the cog next to the download icon you clicked earlier. here you can reorder the model list and choose your default.</p> </li> </ol> <style type="text/css"> .notice { --title-color: #fff; --title-background-color: #6be; --content-color: #444; --content-background-color: #e7f2fa; } .notice.info { --title-background-color: #fb7; --content-background-color: #fec; } .notice.tip { --title-background-color: #5a5; --content-background-color: #efe; } .notice.warning { --title-background-color: #c33; --content-background-color: #fee; } @media (prefers-color-scheme:dark) { .notice { --title-color: #fff; --title-background-color: #069; --content-color: #ddd; --content-background-color: #023; } .notice.info { --title-background-color: #a50; --content-background-color: #420; } .notice.tip { --title-background-color: #363; --content-background-color: #121; } .notice.warning { --title-background-color: #800; --content-background-color: #400; } } body.dark .notice { --title-color: #fff; --title-background-color: #069; --content-color: #ddd; --content-background-color: #023; } body.dark .notice.info { --title-background-color: #a50; --content-background-color: #420; } body.dark .notice.tip { --title-background-color: #363; --content-background-color: #121; } body.dark .notice.warning { --title-background-color: #800; --content-background-color: #400; } .notice { padding: 18px; line-height: 24px; margin-bottom: 24px; border-radius: 4px; color: var(--content-color); background: var(--content-background-color); } .notice p:last-child { margin-bottom: 0 } .notice-title { margin: -18px -18px 12px; padding: 4px 18px; border-radius: 4px 4px 0 0; font-weight: 700; color: var(--title-color); background: var(--title-background-color); } .icon-notice { display: inline-flex; align-self: center; margin-right: 8px; } .icon-notice img, .icon-notice svg { height: 1em; width: 1em; fill: currentColor; } .icon-notice img, .icon-notice.baseline svg { top: .125em; position: relative; } </style><div class="notice note" > <p class="notice-title"> <span class="icon-notice baseline"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 128 300 300"> <path d="M150 128c82.813 0 150 67.188 150 150 0 82.813-67.188 150-150 150C67.187 428 0 360.812 0 278c0-82.813 67.188-150 150-150Zm25 243.555v-37.11c0-3.515-2.734-6.445-6.055-6.445h-37.5c-3.515 0-6.445 2.93-6.445 6.445v37.11c0 3.515 2.93 6.445 6.445 6.445h37.5c3.32 0 6.055-2.93 6.055-6.445Zm-.39-67.188 3.515-121.289c0-1.367-.586-2.734-1.953-3.516-1.172-.976-2.93-1.562-4.688-1.562h-42.968c-1.758 0-3.516.586-4.688 1.563-1.367.78-1.953 2.148-1.953 3.515l3.32 121.29c0 2.734 2.93 4.882 6.64 4.882h36.134c3.515 0 6.445-2.148 6.64-4.883Z"/> </svg> </span> Note </p><p>Because all my Ollama pods share the same <code>/models</code> volume, once a model is downloaded, it becomes instantly available to all nodes.</p></div> <h2 id="gotchas">Gotchas </h2><ul> <li><strong>You can’t use <code>ollama pull</code> unless the server is running.</strong> Init containers don’t work unless you do a background process trick.</li> <li><strong>Use a DaemonSet only if you have shared storage.</strong> Otherwise you’ll redownload the same models three times.</li> <li><strong>Open-WebUI doesn’t preload models declaratively.</strong> Use the admin UI.</li> <li><strong>Text Only</strong> These models are not able to read images an interpert text.</li> </ul> <h2 id="my-current-state">My Current State </h2><p>You can see the full setup in my <code>home-ops</code> repo here:</p> <ul> <li><a class="link" href="https://github.com/gavinmcfall/home-ops/tree/main/kubernetes/apps/cortex/ollama" target="_blank" rel="noopener" >Ollama HelmRelease</a></li> <li><a class="link" href="https://github.com/gavinmcfall/home-ops/tree/main/kubernetes/apps/cortex/open-webui" target="_blank" rel="noopener" >Open-WebUI HelmRelease</a></li> </ul> <p>The result: I now have a high-availability Ollama setup across 3 nodes, talking to a clean OIDC-protected Open-WebUI front-end, and serving both OpenAI models and my own local ones — no cloud dependencies required.</p> <p>Next Steps</p> <p>I&rsquo;m watching <a class="link" href="https://github.com/ollama/ollama/pull/6729" target="_blank" rel="noopener" >PR #6729</a> on the Ollama repo closely. When it lands, I plan to test distributed inference across all nodes — allowing parallel execution and true multi-node load balancing.</p> <p>I&rsquo;m also keeping an eye on vLLM, which is designed for blazing-fast inference and serves models with lower latency, dynamic batching, and high throughput — ideal for production-level performance. It’s more complex to integrate and resource-hungry, but I’m planning to explore it for my homelab in a future post.</p> <p>Stay tuned for Part 4 👀</p> https://blog.nerdz.cloud/2025/deploying-open-llms-02/ Mon, 07 Apr 2025 00:00:00 +1200 https://blog.nerdz.cloud/2025/deploying-open-llms-02/ <blockquote> <p>&ldquo;“Ideas are cheap. The real magic happens when those ideas survive YAML, GitOps, and Grafana dashboards.”&rdquo;</p> </blockquote> <h2 id="intro">Intro </h2><p>In my last post, I talked about my intent. In this post I will document what I am actually doing (and seeing if intent matches reality)</p> <p>First up is understanding Open-WebUI</p> <h2 id="open-web-ui">Open Web UI </h2><p><a class="link" href="https://openwebui.com" target="_blank" rel="noopener" >Website</a> | <a class="link" href="https://github.com/open-webui/open-webui" target="_blank" rel="noopener" >Github</a> | <a class="link" href="https://docs.openwebui.com/" target="_blank" rel="noopener" >Documentation</a></p> <p>Open WebUI lets you run and talk to AI models locally from your browser — no internet or cloud required. It connects to model backends like Ollama or anything OpenAI-compatible, and comes with advanced features like smart document search (RAG) built-in.</p> <p>This will be our front end (website) that lets us interact with both local models (hosted in our k8s cluster) and remote models (like ChatGPT). This is the ideal place to start before rolling our your own models.</p> <h3 id="what-is-rag">What is RAG? </h3><p>Retrieval-Augmented Generation (RAG) is a way of helping AI models give better answers by letting them search through documents or notes you provide — like giving the AI a memory or reference book it can read from before responding.</p> <h2 id="reading-the-documentation-and-looking-for-env-vars">Reading the documentation and looking for ENV Vars </h2><p>One of the first things I want to do is read through the documentation and check that the default values for things are set in the way I would want them to be, and pulling out the ones that are not so I can change them in my deployment.</p> <h3 id="values-i-need-to-set-and-settings-i-need-to-change">Values I need to set and settings I need to change </h3><p>Some of these I will set in the <code>helmrelease.yaml</code> and others in the <code>externalsecrets.yaml</code> conventionally our would just store secrets in the external secret file but you can also store other ENV VARS there too if you dont want to bloat our your helm release too much.</p> <p><code>externalsecrets.yaml</code></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Open-WebUI Config</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">OPENAI_API_KEY</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ .OPENAI_API_KEY }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ADMIN_EMAIL</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ .OPENAI_ADMIN_EMAIL }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ENABLE_ADMIN_CHAT_ACCESS</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;true&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ENABLE_ADMIN_EXPORT</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;true&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">DEFAULT_USER_ROLE</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;user&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">DATABASE_URL</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;postgres://{{ .OPENWEBUI_DB_USER }}:{{ .OPENWEBUI_DB_PASSWORD }}@postgres17-rw.database.svc.cluster.local:5432/openwebui?sslmode=disable&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">WEBUI_SECRET_KEY</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ .WEBUI_SECRET_KEY }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Pocket ID Config</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">OAUTH_PROVIDER_NAME</span><span class="p">:</span><span class="w"> </span><span class="l">pocketid</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">OAUTH_CLIENT_ID</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ .OPENWEBUI_POCKETID_CLIENTID }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">OAUTH_CLIENT_SECRET</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ .OPENWEBUI_POCKETID_SECRET }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">OPENID_PROVIDER_URL</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ .OPENWEBUI_POCKETID_DISCOVERY }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">OPENID_REDIRECT_URI</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ .OPENWEBUI_POCKETID_REDIRECT }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">OAUTHS_SCOPE</span><span class="p">:</span><span class="w"> </span><span class="l">openid profile email</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p><code>helmrelease.yaml</code></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="w"> </span><span class="nt">GLOBAL_LOG_LEVEL</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;DEBUG&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ENABLE_LOGIN_FORM</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;false&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">OAUTH_MERGE_ACCOUNTS_BY_EMAIL</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ENABLE_OPENAI_API</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;true&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ENABLE_OAUTH_SIGNUP</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;true&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ENABLE_WEBSOCKET_SUPPORT</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;true&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">WEBSOCKET_MANAGER</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;redis&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">WEBSOCKET_REDIS_URL</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;redis://dragonfly.database.svc.cluster.local:6379&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ENABLE_RAG_WEB_SEARCH</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">RAG_WEB_SEARCH_ENGINE</span><span class="p">:</span><span class="w"> </span><span class="l">searxng</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">SEARXNG_QUERY_URL</span><span class="p">:</span><span class="w"> </span><span class="l">http://searxng.services.svc.cluster.local:8080/search?q=&lt;query&gt;</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h3 id="open-webui-env-var-notes">Open-WebUI ENV Var Notes </h3><h4 id="enable_login_form"><code>ENABLE_LOGIN_FORM</code> </h4><ul> <li><strong>Type:</strong> <code>bool</code></li> <li><strong>Default:</strong> <code>True</code></li> <li><strong>Description:</strong> Toggles email, password, sign in and &ldquo;or&rdquo; (only when <code>ENABLE_OAUTH_SIGNUP</code> is set to True) elements.</li> <li><strong>Persistence:</strong> This environment variable is a <code>PersistentConfig</code> variable.</li> </ul> <blockquote> <p>⚠️ <strong>DANGER</strong><br> This should <strong>only</strong> ever be set to <code>False</code> when <code>ENABLE_OAUTH_SIGNUP</code> is also being used and set to <code>True</code>.<br> Failure to do so will result in the inability to login.</p> </blockquote> <h4 id="enable_oauth_signup"><code>ENABLE_OAUTH_SIGNUP</code> </h4><ul> <li><strong>Type:</strong> <code>bool</code></li> <li><strong>Default:</strong> <code>False</code></li> <li><strong>Description:</strong> Enables account creation when signing up via OAuth. Distinct from <code>ENABLE_SIGNUP</code>.</li> <li><strong>Persistence:</strong> This environment variable is a <code>PersistentConfig</code> variable.</li> </ul> <blockquote> <p>⚠️ <strong>DANGER</strong><br> <code>ENABLE_LOGIN_FORM</code> must be set to <code>False</code> when <code>ENABLE_OAUTH_SIGNUP</code> is set to <code>True</code>. Failure to do so will result in the inability to login.</p> </blockquote> <h4 id="rag_web_search_engine">RAG_WEB_SEARCH_ENGINE </h4><ul> <li><strong>Type:</strong> <code>str</code> (enum)</li> </ul> <h3 id="-rag_web_search_engine-options-comparison-table">🔍 <code>RAG_WEB_SEARCH_ENGINE</code> Options: Comparison Table </h3><table> <thead> <tr> <th>Engine</th> <th>Description</th> <th>Pros</th> <th>Cons</th> </tr> </thead> <tbody> <tr> <td><code>searxng</code></td> <td>Uses the <a class="link" href="https://searxng.github.io/" target="_blank" rel="noopener" >SearXNG</a> engine</td> <td>✅ Self-hostable, privacy-friendly, highly customizable</td> <td>❌ May require setup and maintenance</td> </tr> <tr> <td><code>google_pse</code></td> <td>Google Programmable Search Engine</td> <td>✅ Accurate, well-indexed, powerful relevance ranking</td> <td>❌ API limits, requires API key</td> </tr> <tr> <td><code>brave</code></td> <td><a class="link" href="https://search.brave.com/" target="_blank" rel="noopener" >Brave Search</a></td> <td>✅ Independent index, private, fast</td> <td>❌ May lack depth compared to Google</td> </tr> <tr> <td><code>kagi</code></td> <td><a class="link" href="https://kagi.com/" target="_blank" rel="noopener" >Kagi Search</a></td> <td>✅ Human-curated results, privacy-respecting</td> <td>❌ Paid subscription required for full access</td> </tr> <tr> <td><code>mojeek</code></td> <td><a class="link" href="https://www.mojeek.com/" target="_blank" rel="noopener" >Mojeek</a></td> <td>✅ Independent crawler, no tracking</td> <td>❌ Results less relevant for niche topics</td> </tr> <tr> <td><code>serpstack</code></td> <td><a class="link" href="https://serpstack.com/" target="_blank" rel="noopener" >Serpstack</a></td> <td>✅ Easy API for Google results</td> <td>❌ Commercial service, requires API key</td> </tr> <tr> <td><code>serper</code></td> <td><a class="link" href="https://serper.dev/" target="_blank" rel="noopener" >Serper</a></td> <td>✅ Google-like output, simple API</td> <td>❌ API limits, free tier capped</td> </tr> <tr> <td><code>serply</code></td> <td><a class="link" href="https://www.serply.io/" target="_blank" rel="noopener" >Serply</a></td> <td>✅ Tailored for AI + LLM use cases</td> <td>❌ Smaller user base, may have reliability issues</td> </tr> <tr> <td><code>SerpApi</code></td> <td><a class="link" href="https://serpapi.com//" target="_blank" rel="noopener" >SerpApi</a></td> <td>✅ search API that supports many engines with quick response times</td> <td>Setup done via ui. <a class="link" href="https://docs.openwebui.com/tutorials/web-search/serpapi" target="_blank" rel="noopener" >See here</a></td> </tr> <tr> <td><code>duckduckgo</code></td> <td><a class="link" href="https://duckduckgo.com/" target="_blank" rel="noopener" >DuckDuckGo</a></td> <td>✅ Privacy-first, no tracking</td> <td>❌ No real API (scraped or proxied, limited metadata)</td> </tr> <tr> <td><code>tavily</code></td> <td><a class="link" href="https://www.tavily.com/" target="_blank" rel="noopener" >Tavily</a></td> <td>✅ AI-tuned search for RAG, fast</td> <td>❌ Still new, smaller index</td> </tr> <tr> <td><code>jina</code></td> <td><a class="link" href="https://jina.ai/" target="_blank" rel="noopener" >Jina AI</a></td> <td>✅ Vector-aware search options</td> <td>❌ Focused more on enterprise &amp; vector DBs</td> </tr> <tr> <td><code>bing</code></td> <td>Microsoft Bing search engine</td> <td>✅ Wide coverage, high-quality results</td> <td>❌ Requires API key, tracking concerns</td> </tr> </tbody> </table> <style type="text/css"> .notice { --title-color: #fff; --title-background-color: #6be; --content-color: #444; --content-background-color: #e7f2fa; } .notice.info { --title-background-color: #fb7; --content-background-color: #fec; } .notice.tip { --title-background-color: #5a5; --content-background-color: #efe; } .notice.warning { --title-background-color: #c33; --content-background-color: #fee; } @media (prefers-color-scheme:dark) { .notice { --title-color: #fff; --title-background-color: #069; --content-color: #ddd; --content-background-color: #023; } .notice.info { --title-background-color: #a50; --content-background-color: #420; } .notice.tip { --title-background-color: #363; --content-background-color: #121; } .notice.warning { --title-background-color: #800; --content-background-color: #400; } } body.dark .notice { --title-color: #fff; --title-background-color: #069; --content-color: #ddd; --content-background-color: #023; } body.dark .notice.info { --title-background-color: #a50; --content-background-color: #420; } body.dark .notice.tip { --title-background-color: #363; --content-background-color: #121; } body.dark .notice.warning { --title-background-color: #800; --content-background-color: #400; } .notice { padding: 18px; line-height: 24px; margin-bottom: 24px; border-radius: 4px; color: var(--content-color); background: var(--content-background-color); } .notice p:last-child { margin-bottom: 0 } .notice-title { margin: -18px -18px 12px; padding: 4px 18px; border-radius: 4px 4px 0 0; font-weight: 700; color: var(--title-color); background: var(--title-background-color); } .icon-notice { display: inline-flex; align-self: center; margin-right: 8px; } .icon-notice img, .icon-notice svg { height: 1em; width: 1em; fill: currentColor; } .icon-notice img, .icon-notice.baseline svg { top: .125em; position: relative; } </style><div class="notice note" > <p class="notice-title"> <span class="icon-notice baseline"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 128 300 300"> <path d="M150 128c82.813 0 150 67.188 150 150 0 82.813-67.188 150-150 150C67.187 428 0 360.812 0 278c0-82.813 67.188-150 150-150Zm25 243.555v-37.11c0-3.515-2.734-6.445-6.055-6.445h-37.5c-3.515 0-6.445 2.93-6.445 6.445v37.11c0 3.515 2.93 6.445 6.445 6.445h37.5c3.32 0 6.055-2.93 6.055-6.445Zm-.39-67.188 3.515-121.289c0-1.367-.586-2.734-1.953-3.516-1.172-.976-2.93-1.562-4.688-1.562h-42.968c-1.758 0-3.516.586-4.688 1.563-1.367.78-1.953 2.148-1.953 3.515l3.32 121.29c0 2.734 2.93 4.882 6.64 4.882h36.134c3.515 0 6.445-2.148 6.64-4.883Z"/> </svg> </span> Note </p><p>I will be using Searxng which will require me to deploy that BEFORE I can proceed.</p></div> <h2 id="deploying-searxng">Deploying SearXNG </h2><p>As is tradition, I will be walking on the shoulders of giants and taking advantage of <a class="link" href="https://kubesearch.dev/hr/ghcr.io-bjw-s-helm-app-template-searxng" target="_blank" rel="noopener" >kubesearch.dev</a>, an amazing website that:</p> <blockquote> <p>Search Flux HelmReleases through awesome k8s-at-home projects, check it out at <a class="link" href="https://kubesearch.dev/" target="_blank" rel="noopener" >https://kubesearch.dev/</a>. We index Flux HelmReleases from Github and Gitlab repositories with the k8s-at-home topic and kubesearch topic. To include your repository in this search it must be public and then add the topic k8s-at-home or kubesearch to your GitHub Repository topics.</p> </blockquote> <p>My Deployment of SearXNG can be found in my <a class="link" href="https://github.com/gavinmcfall/home-ops/tree/main/kubernetes/apps/home/searxng" target="_blank" rel="noopener" >home-ops repo on github</a></p> <p>There were a couple of interesting learnings from this deployment</p> <p>In the <code>settings.yaml</code> file I wanted to set it up so I could do some regionalised searches so that I could get results for different countries but that, by default, I would get NZ results.</p> <p>Here are the things I did:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">search</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">autocomplete</span><span class="p">:</span><span class="w"> </span><span class="l">google</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">favicon_resolver</span><span class="p">:</span><span class="w"> </span><span class="l">duckduckgo</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">default_lang</span><span class="p">:</span><span class="w"> </span><span class="l">en-NZ</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">languages</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">en-AU</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">en-CA</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">en-GB</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">en-NZ</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">en-US</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">ui</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="l">...</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">default_locale</span><span class="p">:</span><span class="w"> </span><span class="l">en</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">engines</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">google</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">engine</span><span class="p">:</span><span class="w"> </span><span class="l">google</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">shortcut</span><span class="p">:</span><span class="w"> </span><span class="l">g</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">parameters</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">hl</span><span class="p">:</span><span class="w"> </span><span class="l">en</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">gl: nz # This tells Google</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;give me NZ-localized results&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">cr</span><span class="p">:</span><span class="w"> </span><span class="l">countryNZ</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">tbs</span><span class="p">:</span><span class="w"> </span><span class="l">ctr:countryNZ</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>This allows me to (by default) get localised NZ searches and then just change the language drop down to switch to Canadian, United Kindom, United States or Australian searches</p> <h2 id="deploying-open-webui">Deploying Open-WebUI </h2><p>This was a wild ride. Here are the things I wanted to achieve intially.</p> <ul> <li>Open-WebUI deployed in a basic fashion</li> <li>Connected to my paid OpenAI ChatGPT account</li> <li>Login handled by PocketID OIDC</li> <li>Sharing of OpenAI Model across users in my instance of Open-WebUI</li> </ul> <p>There was some fenagling and misinterpreting of environment variables (<a class="link" href="https://docs.openwebui.com/getting-started/env-configuration/" target="_blank" rel="noopener" >there are soo many</a>) But, I got there in the end. You can see my initial (working) deployment <a class="link" href="https://github.com/gavinmcfall/home-ops/tree/e68425ebe07150ff2abb763022bbf33714613718/kubernetes/apps/cortex/open-webui" target="_blank" rel="noopener" >here</a> and my current state <a class="link" href="https://github.com/gavinmcfall/home-ops/tree/main/kubernetes/apps/cortex/open-webui" target="_blank" rel="noopener" >here</a></p> <h3 id="gaining-access-to-openai-chatgpt-models-from-a-free-or-paid-account">Gaining access to OpenAI (chatGPT models from a free or paid account) </h3><ol> <li>Browse to <a class="link" href="https://openai.com/" target="_blank" rel="noopener" >https://openai.com/</a> and Click <code>Log In</code> followed by <code>API Platform</code></li> <li>If this is your first time here, you will likely need to set an Organization name. I chose to call mine after my cluster</li> <li>Once logged in, in the left menu, click <code>API keys</code> and in the top right click <code>Create new secret key</code></li> <li>Give the secret a name e.g. <code>Open-WebUI</code> and assign it to a project (if you have not set any up, then default is fine)</li> <li>Click <code>Create Secret key</code> and copy the value that shows up and store it in your secrets manager under the value <code>OPENAI_API_KEY</code> (See my <code>externalsecrets.yaml</code> example below)</li> </ol> <h3 id="deployment-learnings">Deployment Learnings </h3><p><code>helmrelease.yaml</code></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="w"> </span><span class="nt">env</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">GLOBAL_LOG_LEVEL</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;DEBUG&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ENABLE_LOGIN_FORM</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;false&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">OAUTH_MERGE_ACCOUNTS_BY_EMAIL</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ENABLE_OPENAI_API</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;true&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ENABLE_OAUTH_SIGNUP</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;true&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ENABLE_WEBSOCKET_SUPPORT</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;true&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">WEBSOCKET_MANAGER</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;redis&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">WEBSOCKET_REDIS_URL</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;redis://dragonfly.database.svc.cluster.local:6379&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ENABLE_RAG_WEB_SEARCH</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">RAG_WEB_SEARCH_ENGINE</span><span class="p">:</span><span class="w"> </span><span class="l">searxng</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">SEARXNG_QUERY_URL</span><span class="p">:</span><span class="w"> </span><span class="l">http://searxng.services.svc.cluster.local:8080/search?q=&lt;query&gt;</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><ol> <li>Make sure you set the Log Level to Debug, it makes deployment and troubleshooting much easier 🤣</li> <li><code>ENABLE_LOGIN_FORM: &quot;false&quot;</code> This need to be false if you are using OIDC</li> <li><code>ENABLE_OAUTH_SIGNUP: &quot;true&quot;</code> If you don&rsquo;t have this set, then your OIDC provider (PocketID in my case), can&rsquo;t create an account inside Open-WebUI</li> </ol> <p><code>externalsecret.yaml</code></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Open-WebUI Config</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">OPENAI_API_KEY</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ .OPENAI_API_KEY }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ADMIN_EMAIL</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ .OPENAI_ADMIN_EMAIL }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ENABLE_ADMIN_CHAT_ACCESS</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;true&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ENABLE_ADMIN_EXPORT</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;true&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">DEFAULT_USER_ROLE</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;user&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">DATABASE_URL</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;postgres://{{ .OPENWEBUI_DB_USER }}:{{ .OPENWEBUI_DB_PASSWORD }}@postgres17-rw.database.svc.cluster.local:5432/openwebui?sslmode=disable&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">WEBUI_SECRET_KEY</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ .WEBUI_SECRET_KEY }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Pocket ID Config</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">OAUTH_PROVIDER_NAME</span><span class="p">:</span><span class="w"> </span><span class="l">pocketid</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">OAUTH_CLIENT_ID</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ .OPENWEBUI_POCKETID_CLIENTID }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">OAUTH_CLIENT_SECRET</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ .OPENWEBUI_POCKETID_SECRET }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">OPENID_PROVIDER_URL</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ .OPENWEBUI_POCKETID_DISCOVERY }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">OPENID_REDIRECT_URI</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ .OPENWEBUI_POCKETID_REDIRECT }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">OAUTHS_SCOPE</span><span class="p">:</span><span class="w"> </span><span class="l">openid profile email</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><ol> <li><code>PROVIDER_URL</code> and <code>DISCOVERY-URL</code> are the same damn thing, but different tools call them different things. This should be set to: <code>https://{your OIDC url}/.well-known/openid-configuration</code></li> <li><code>OPENID_REDIRECT_URI</code> Make sure that the path for this is: <code>https://{Open-WebUI URL}/oauth/oidc/callback</code>. This needs to be set BOTH in your OIDC config AND your ENV Var in externalsecrets</li> </ol> <h3 id="configuration-learnings">Configuration learnings </h3><h4 id="setting-up-groups">Setting up Groups </h4><p>If you plan to have more than one user then you should probably setup groups.</p> <ol> <li>Ensure the other users have logged in via OIDC at least once to have their accounts created</li> <li>Navigate to <code>https://{Open-WebUI URL}/admin/users</code> and click on Groups.</li> <li>Click the Plus in the top right to create a new group and give it a name (and a description if needed) and click <code>Create</code></li> <li>Viewing your new group Click the ✏️ pencil in the top right to edit it</li> <li>Click Permissions and reivew them, defaults are likely fine but you may want to make some adjustments</li> <li>Click on users and check the box next to each user you want to add to the group</li> </ol> <h4 id="allowing-model-access">Allowing model access </h4><p>If like me, you configured <code>OPENAI_API_KEY</code> in your externalsecret then you will have access to ALL the OpenAI (ChatGPT) models that you plan allows&hellip;There is a lot If you did not (and want to) you will need to go through the process of generating an API Key and adding it to your <code>externalsecret.yaml</code> see <a class="link" href="#gaining-access-to-openai-chatgpt-models-from-a-free-or-paid-account" >above</a></p> <ol> <li>Navigate to your admin settings <code>https://{Open-WebUI URL}/admin/settings</code></li> <li>In the left manu click on <code>models</code></li> <li>Here you will see a massive list, feel free to disable as many of these as you see fit. I only retained the following:</li> </ol> <ul> <li><code>gpt-3.5-turbo</code></li> <li><code>gpt-4</code></li> <li><code>gpt-4-turbo</code></li> <li><code>gpt-4o</code></li> <li><code>gpt-4o-mini</code></li> </ul> <ol> <li>Once you have your list, for each one click on the ✏️ pencil</li> <li>Under <code>Visibility</code> click <code>Select a group</code> and select the group you created earlier.</li> <li>Click <code>Save &amp; Update</code></li> <li>Your other users now have access to use that model</li> <li>Repeat this process for the other models.</li> </ol> <h4 id="chat-history">Chat History </h4><p>If you are wanting your chat history from ChatGPT you will need to find a way import it directly into the Open-WebUI Database, There is no sync function between Open-WebUI and chat.openai.com</p> <h2 id="next-steps">Next Steps </h2><p>Next steps will be looking to deploy my own models locally so that long term I have no reliance on paid external tools like OpenAI&rsquo;s ChatGPT</p> https://blog.nerdz.cloud/2025/understanding-ai/ Sun, 06 Apr 2025 00:00:00 +1300 https://blog.nerdz.cloud/2025/understanding-ai/ <blockquote> <p>&ldquo;The real question is not whether machines think, but whether humans do.&rdquo;<br> — <em>B.F. Skinner</em></p> </blockquote> <h2 id="intro">Intro </h2><p>Unless you’ve been living under a pile of failed <code>kubectl</code> commands, you’ve probably noticed AI is everywhere. From image generators that make photorealistic art in seconds, to chatbots that can walk you through debugging your Docker Compose file, AI is embedded in daily life now.</p> <p>But here’s the thing — not all AI is created equal.</p> <p>There’s a ton of jargon flying around: LLMs, ML, AI, Generative AI, Transformers, Diffusion Models&hellip; and people use them interchangeably (wrongly, I might add). So let’s break this all down, and throw in some opinionated takes on open vs closed source models while we’re at it.</p> <h2 id="the-big-three">The Big Three </h2><p>Here’s a super simplified breakdown:</p> <h3 id="1-artificial-intelligence-ai">1. <strong>Artificial Intelligence (AI)</strong> </h3><p>This is the umbrella term. Anything that simulates human intelligence — planning, reasoning, problem-solving — falls under this.</p> <h3 id="2-machine-learning-ml">2. <strong>Machine Learning (ML)</strong> </h3><p>ML is a <em>subset</em> of AI. It focuses on training algorithms with data so that they can learn and make predictions or decisions without being explicitly programmed to do so.</p> <p>Think:</p> <ul> <li>Sorting your spam emails</li> <li>Recommending you another &ldquo;Linux ISO&rdquo; to download (yeah, sure 😏)</li> </ul> <h3 id="3-generative-ai">3. <strong>Generative AI</strong> </h3><p>This is a <strong>subset of ML</strong>. It’s trained to create new content — text, images, audio, video — based on learned patterns. It’s what powers:</p> <ul> <li>ChatGPT (text)</li> <li>Midjourney, Stable Diffusion (images)</li> <li>Suno, MusicGen (audio)</li> </ul> <p>So where do <strong>LLMs</strong> come into this?</p> <h2 id="llms--large-language-models">LLMs – Large Language Models </h2><p>These are the generative AI brainiacs that focus <em>specifically on text</em>.</p> <p>They&rsquo;re the ones reading docs, summarizing PDFs, hallucinating package install instructions, or writing spicy Kubernetes blogs for you.</p> <p>LLMs are trained on massive amounts of text data and rely heavily on a technique called <strong>Transformers</strong>, which is what revolutionized the AI world circa 2017.</p> <p>Popular LLMs you’ve probably heard of:</p> <ul> <li>GPT-4 (OpenAI, closed source)</li> <li>Claude (Anthropic, closed source)</li> <li>Mistral (Open source, 🔥 fast rising star)</li> <li>LLaMA (Meta, open-ish source — depends who you ask)</li> </ul> <h2 id="closed-source-vs-open-source-models">Closed Source vs Open Source Models </h2><p>This is where things get juicy.</p> <h3 id="-closed-source-ai-gpt-claude-gemini-etc">🧱 Closed Source AI (GPT, Claude, Gemini, etc.) </h3><p>These are typically the domain of Big Tech. They don&rsquo;t share their training data, weights, or inner workings. You’re locked into their ecosystem and pricing models.</p> <p><strong>Pros:</strong></p> <ul> <li>Generally higher accuracy (as of now)</li> <li>Huge funding = more compute = more training</li> <li>Easier to access if you&rsquo;re non-technical (nice UIs, APIs, etc)</li> </ul> <p><strong>Cons:</strong></p> <ul> <li>No insight into what&rsquo;s under the hood</li> <li>Limited customization</li> <li>Expensive at scale</li> <li>Not privacy-friendly</li> </ul> <p>Note: Many of the closed source Generative AI tools do release their models for use on Ollama</p> <h3 id="-open-source-ai-mistral-llama-tinyllama-mixtral-etc">🔓 Open Source AI (Mistral, LLaMA, TinyLLaMA, Mixtral, etc.) </h3><p>These models release their weights, training data (sometimes), and usually run great on your own hardware or cluster.</p> <p><strong>Pros:</strong></p> <ul> <li>Complete control &amp; transparency</li> <li>Host it yourself (goodbye API limits!)</li> <li>Customize it to your needs (e.g., domain-specific fine-tuning)</li> <li>Huge OSS community — collaboration is fast-paced</li> </ul> <p><strong>Cons:</strong></p> <ul> <li>Requires more technical know-how</li> <li>May lag slightly behind in benchmark scores</li> <li>Inference can be slower without proper infra (aka don’t expect 7B models to run well on a Pi)</li> </ul> <h2 id="how-they-interact">How They Interact </h2><p>This is something a lot of folks miss: these aren&rsquo;t siloed systems. Here&rsquo;s how the puzzle fits together:</p> <ul> <li><strong>ML</strong> is the foundation. It&rsquo;s how all these models are <em>trained</em>.</li> <li><strong>LLMs</strong> are a type of ML model, focused on language. They <em>use</em> ML principles.</li> <li><strong>Generative AI</strong> is a purpose: to <em>generate</em> — and LLMs fall under this when they generate text.</li> <li><strong>You</strong> interact with Generative AI (via UI, chat, API) → the underlying LLM runs inference → built on top of ML training → likely trained using massive GPU farms, a few metric tons of Reddit data, and questionable StackOverflow posts.</li> </ul> <h2 id="my-perspective">My Perspective </h2><p>Right now, I’m in the process of prepping my environment to run open source LLMs (think: Mistral, TinyLLaMA, and Code LLaMA) directly on my own infrastructure.</p> <p>The goal?</p> <ul> <li>Local, private, fast models</li> <li>No reliance on cloud APIs</li> <li>Fully integrated with my Kubernetes setup</li> </ul> <p>I’ll be writing about that setup (and the fun/chaos of queue-based autoscaling, Grafana monitoring, and model orchestration) in an upcoming post.</p> <p>For now, just know: open source is not only <em>viable</em> — it&rsquo;s starting to lead the charge.</p> <h2 id="tldr">TL;DR </h2><ul> <li><strong>AI</strong> is the umbrella.</li> <li><strong>ML</strong> teaches AI how to behave (The building blocks of Generative AI).</li> <li><strong>Generative AI</strong> creates content.</li> <li><strong>LLMs</strong> are language specialists in the generative AI world.</li> <li><strong>Open source</strong> is rising fast and worth your attention.</li> <li>My next post will cover how I run LLMs on-demand in a homelab Kubernetes cluster.</li> </ul> <p>Until then, keep your pods healthy, your YAML clean, and your tokens per second high.</p> https://blog.nerdz.cloud/2025/qbitorrent-woes/ Mon, 03 Feb 2025 00:00:00 +1300 https://blog.nerdz.cloud/2025/qbitorrent-woes/ <blockquote> <p>&ldquo;A lesson learned and not remembered is a mistake waiting to happen again.&rdquo;<br> — <em>Unknown</em></p> </blockquote> <h2 id="all-activity-halted">All activity halted </h2><p>I awoke Sunday morning to see that all my Linux ISOs had stopped downloading. All stalled. I kicked my container, but alas, no change</p> <p>Checking my logs I could see that my wg0 (Wireguard) interface was in an <code>Unknown</code> state and that I had no connection to the outside world.</p> <h2 id="my-setup">My Setup </h2><p>I run a pod with 3 containers in it</p> <ul> <li>QBitorrent - <code>cross-platform free and open-source BitTorrent client written in native C++.</code></li> <li>Glueten - <code>VPN client in a thin Docker container for multiple VPN providers, written in Go, and using OpenVPN or Wireguard, DNS over TLS, with a few proxy servers built-in. </code></li> <li>gluetun-qb-port-sync - <code>As its written on the tin, sync the ports between gluten and qbitorrent</code></li> </ul> <p>This is coupled with ProtonVPN (VPN Plus).</p> <h2 id="the-errors">The errors </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">gluetun 2025-02-02T19:28:42Z INFO <span class="o">[</span>wireguard<span class="o">]</span> Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working. </span></span><span class="line"><span class="cl">gluetun 2025-02-02T19:28:55Z INFO <span class="o">[</span>healthcheck<span class="o">]</span> program has been unhealthy <span class="k">for</span> 11s: restarting VPN <span class="o">(</span>healthcheck error: dialing: dial tcp4: lookup cloudflare.com: i/o timeout<span class="o">)</span> </span></span><span class="line"><span class="cl">luetun 2025-02-02T19:28:55Z INFO <span class="o">[</span>healthcheck<span class="o">]</span> ≡ƒæë See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md </span></span><span class="line"><span class="cl">gluetun 2025-02-02T19:28:55Z INFO <span class="o">[</span>healthcheck<span class="o">]</span> DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION </span></span><span class="line"><span class="cl">luetun 2025-02-02T19:28:55Z INFO <span class="o">[</span>vpn<span class="o">]</span> stopping </span></span><span class="line"><span class="cl">gluetun 2025-02-02T19:28:55Z ERROR <span class="o">[</span>vpn<span class="o">]</span> waiting <span class="k">for</span> DNS to be ready: context canceled </span></span><span class="line"><span class="cl">gluetun 2025-02-02T19:28:55Z ERROR <span class="o">[</span>vpn<span class="o">]</span> getting public IP address information: context canceled </span></span><span class="line"><span class="cl">gluetun 2025-02-02T19:28:55Z INFO <span class="o">[</span>port forwarding<span class="o">]</span> starting </span></span><span class="line"><span class="cl">gluetun 2025-02-02T19:28:55Z ERROR <span class="o">[</span>vpn<span class="o">]</span> starting port forwarding service: getting VPN assigned IP address: network interface wg0 not found: route ip+net: no such network interface </span></span><span class="line"><span class="cl">gluetun 2025-02-02T19:28:55Z INFO <span class="o">[</span>vpn<span class="o">]</span> starting </span></span><span class="line"><span class="cl">gluetun 2025-02-02T19:28:55Z INFO <span class="o">[</span>firewall<span class="o">]</span> allowing VPN connection... </span></span><span class="line"><span class="cl">gluetun 2025-02-02T19:28:55Z INFO <span class="o">[</span>wireguard<span class="o">]</span> Using available kernelspace implementation </span></span></code></pre></td></tr></table> </div> </div><p>Being a networking n00b, I could not figure out what the issue was. My Subscription was still valid, nothing else had changed&hellip;</p> <h3 id="culprit-found">Culprit Found </h3><p>After posting a support ticket in the <a class="link" href="https://discord.gg/home-operations" target="_blank" rel="noopener" >Home-Operations</a> Discord, a very helpful community member suggested that I recreate my wireguard config file and apply it.</p> <p>I log into <a class="link" href="https://account.protonvpn.com/downloads" target="_blank" rel="noopener" >ProtonVPN Downloads page</a> to generate the wireguard config (you have to scroll down below OpenVPN) and I see this:</p> <p><img src="https://blog.nerdz.cloud/2025/qbitorrent-woes/proton-expired.png" width="1292" height="216" srcset="https://blog.nerdz.cloud/2025/qbitorrent-woes/proton-expired_hu18387948350225931484.png 480w, https://blog.nerdz.cloud/2025/qbitorrent-woes/proton-expired_hu13281473543540727768.png 1024w" loading="lazy" alt="Proton VPN Credentials expires" class="gallery-image" data-flex-grow="598" data-flex-basis="1435px" ></p> <p>My Credentials had expired&hellip;</p> <h3 id="the-fix">The Fix </h3><p>Generate a new config file using the settings below. It should automatically pickup the best server for you and show it on step4</p> <p><img src="https://blog.nerdz.cloud/2025/qbitorrent-woes/new-wg-config.png" width="1358" height="848" srcset="https://blog.nerdz.cloud/2025/qbitorrent-woes/new-wg-config_hu4582330887475909714.png 480w, https://blog.nerdz.cloud/2025/qbitorrent-woes/new-wg-config_hu2396623933796722340.png 1024w" loading="lazy" alt="Proton VPN Wireguard Config" class="gallery-image" data-flex-grow="160" data-flex-basis="384px" ></p> <p>Download the config file and open it in your favorite text editor</p> <p>Inside you will have four values you will need</p> <ol> <li>Endpoint</li> <li>PublicKey</li> <li>PrivateKey</li> <li>Address</li> </ol> <p>Assuming you are using the <a class="link" href="https://github.com/gavinmcfall/home-ops/tree/main/kubernetes/apps/downloads/qbittorrent" target="_blank" rel="noopener" >same setup as I am</a></p> <p>You will need to update 1Password with the new values</p> <ol> <li>Endpoint = <code>QBITTORRENT_VPN_ENDPOINT_IP</code></li> <li>PublicKey = <code>QBITTORRENT_WIREGUARD_PUBLIC_KEY</code></li> <li>PrivateKey = <code>QBITTORRENT_WIREGUARD_PRIVATE_KEY</code></li> <li>Address = <code>QBITTORRENT_WIREGUARD_ADDRESSES</code></li> </ol> <p>Once this is done, you can run the following command to annotate the secret file so it updates with the changes (change the namespace and secret name accordingly)</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl --namespace downloads annotate externalsecret qbittorrent force-sync<span class="o">=</span><span class="k">$(</span>date +%s<span class="k">)</span> --overwrite </span></span></code></pre></td></tr></table> </div> </div><p>Then you can confirm the secret has changed using</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl get secret -n downloads qbittorrent-secret -o json <span class="p">|</span> jq -r <span class="s1">&#39;.data | to_entries[] | &#34;\(.key): \(.value | @base64d)&#34;&#39;</span> </span></span></code></pre></td></tr></table> </div> </div><p>Once that is done, your Qbittorrent container should terminate and spin up a fresh container. Give it a few minutes and downloading should resume.</p> https://blog.nerdz.cloud/2025/migrating-database-clusters/ Sat, 01 Feb 2025 00:00:00 +1300 https://blog.nerdz.cloud/2025/migrating-database-clusters/ <blockquote> <p>&ldquo;The most powerful database is the one you don’t have to recover.&rdquo;<br> — <em>Unknown</em></p> </blockquote> <h2 id="recovery-gone-bad">Recovery gone bad </h2><p>One of the nice things about how I have my Kubernetes cluster configured is that I use Volsync paired with backblaze B2 and Cloudflare R2 to backup (and recover) all my PVCs for my containers. This means that When I need to totally blow away a container because something has gone wrong, volsync will reach out to my replicationDestination (Backblaze) and pull the latest backup down to build out a new PVC locally.</p> <p>Recently, I had to shutdown my entire cluster due to my local power company needing to install a new &ldquo;Smart Metre&rdquo;. Under normal circumstances, when the cluster stood back up, Volsync would reach out to Backblaze and rebuild all the PVCs. And this worked almost flawlessly.</p> <p>Only one Postgres node was able to recover, the other two got the following error.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">file name too long <span class="k">for</span> tar format </span></span></code></pre></td></tr></table> </div> </div><p>This seems to have been cause by a <a class="link" href="https://github.com/tensorchord/pgvecto.rs/issues/570" target="_blank" rel="noopener" >bug</a>.</p> <p>I was not running standard Cloudnative Postgres. In the past, I had run an application called <a class="link" href="https://immich.app/" target="_blank" rel="noopener" >immich</a> which is both amazing, and aweful at the same time.</p> <p>Amazing because it did everything I wanted a photo application to do, aweful because nearly every update was a breaking change.</p> <p>Eventually I got rid of immich. However, Immich needed an extention called <code>pgvecto.rs</code> in Postgres in order for it work correctly. To make my life easier at the time, I ran a <a class="link" href="ghcr.io/tensorchord/cloudnative-pgvecto.rs" >custom image of Cloudnative Postgres from tensorchord</a> with pgvecto.rs baked in.</p> <p>Due to the aforementioned bug, I was not able to restore because the file names for some of the backed up files were too large and so I was only running on a single node.</p> <h3 id="failed-attempts-to-recover">Failed attempts to recover </h3><p>So what did I try to resolve the issue?</p> <ol> <li>Deleted the Immich DB and confirmed no other databases used the pgvecto.rs extension</li> <li>Forced a new backup to recover from</li> <li>Migrated to vanilla Cloudnative-PG</li> <li>Forced a new backup to recover from</li> </ol> <p>None of these things worked. After talking to the amazing community in the <a class="link" href="https://discord.gg/home-operations" target="_blank" rel="noopener" >Home Operations Discord</a> there was only one path forward</p> <h2 id="database-migration">Database Migration </h2><h3 id="high-level-process">High Level Process </h3><p>I was going to need to run a brand new Cloudnative-PG v17.2 cluster side by side with my existing Cloudnative-PG v16.3-7 cluster and import my existing databases contents to the new database.</p> <p>Thankfully, this is much easier than I first thought.</p> <h3 id="baked-in-support-for-recovery-and-existing-clusters">Baked in support for Recovery and existing clusters </h3><p>I was already using Cloudnative-PGs recovery process as a way to recover when I had DB issues</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="w"> </span><span class="nt">backup</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">retentionPolicy</span><span class="p">:</span><span class="w"> </span><span class="l">30d</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">barmanObjectStore</span><span class="p">:</span><span class="w"> </span><span class="cp">&amp;barmanObjectStore</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">data</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">compression</span><span class="p">:</span><span class="w"> </span><span class="l">bzip2</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">wal</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">compression</span><span class="p">:</span><span class="w"> </span><span class="l">bzip2</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">maxParallel</span><span class="p">:</span><span class="w"> </span><span class="m">8</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">destinationPath</span><span class="p">:</span><span class="w"> </span><span class="l">s3://nerdz-cloudnative-pg/</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">endpointURL</span><span class="p">:</span><span class="w"> </span><span class="l">https://s3.us-east-005.backblazeb2.com</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">serverName</span><span class="p">:</span><span class="w"> </span><span class="cp">&amp;currentCluster</span><span class="w"> </span><span class="l">postgres16-v3</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">s3Credentials</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">accessKeyId</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">cloudnative-pg-secret</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">aws-access-key-id</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">secretAccessKey</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">cloudnative-pg-secret</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">aws-secret-access-key</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Note: externalClusters is needed when recovering from an existing cnpg cluster</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">bootstrap</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">recovery</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">source</span><span class="p">:</span><span class="w"> </span><span class="cp">&amp;previousCluster</span><span class="w"> </span><span class="l">postgres16-v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Note: externalClusters is needed when recovering from an existing cnpg cluster</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">externalClusters</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="cp">*previousCluster</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">barmanObjectStore</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">&lt;&lt;</span><span class="p">:</span><span class="w"> </span><span class="cp">*barmanObjectStore</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">serverName</span><span class="p">:</span><span class="w"> </span><span class="cp">*previousCluster</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>This block of code is what I use to recover my Database under normal circumstances. Just give the currentCluster a new number and specify the number for the old cluster and viola, recovered.</p> <p>But in this case, I was going to have to do something a little different</p> <h3 id="how-to-recover-from-an-existing-external-cluster">How to recover from an existing (external) cluster </h3><p>In the new cluster files change the <code>Bootstrap</code> and <code>externalClusters</code> to look like this</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="w"> </span><span class="nt">bootstrap</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># recovery:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># source: &amp;previousCluster postgres17v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">initdb</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">import</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l">monolith</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">databases</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;*&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">roles</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;*&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">source</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">externalCluster</span><span class="p">:</span><span class="w"> </span><span class="l">cnpg16</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Note: externalClusters is needed when recovering from an existing cnpg cluster</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">externalClusters</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># - name: *previousCluster</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># barmanObjectStore:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># &lt;&lt;: *barmanObjectStore</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># serverName: *previousCluster</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">cnpg16</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">connectionParameters</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">host</span><span class="p">:</span><span class="w"> </span><span class="l">postgres16-rw.database.svc.cluster.local</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">user</span><span class="p">:</span><span class="w"> </span><span class="l">postgres</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">dbname</span><span class="p">:</span><span class="w"> </span><span class="l">postgres</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">password</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">cloudnative-pg-secret</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">password</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>You will see here that the host for the initDb is my existing Cloudnative-PG clusters service</p> <p><code>postgres16-rw.database.svc.cluster.local</code> this translate to <code>serviceName.NameSpace.svc.cluster.local</code></p> <p>You can see my files on <a class="link" href="https://github.com/gavinmcfall/home-ops/tree/main/kubernetes/apps/database/cloudnative-pg/cluster17" target="_blank" rel="noopener" >Github</a></p> <p>After pushing the changes you will see an import pod turn up which will pull all the data over and then the Cloudnative-PG Operator will spin up a pod with Cloudnative-PG v17 running</p> <p>In my case, only a single pod, as I had scaled down Cloudnative-PG v16 to a single pod to remove all the error from the restore, and I was lasy and copy pasted all the old files when creating the new cluster and missed this detail when making my changes.</p> <h3 id="scaling-up-the-deployment-to-3">Scaling up the deployment to 3 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/postgresql.cnpg.io/cluster_v1.json</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">postgresql.cnpg.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Cluster</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">postgres17</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">instances</span><span class="p">:</span><span class="w"> </span><span class="m">3</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>Set the instances to 3 and push the change</p> <p>using k9s I can watch the process unfold. First you will see a post named <code>postgres17-2-join-garbageString</code> as it joins the new pod at which point you will see the <code>postgres17-2-garbageString</code> pod running nicely. Eventually, you will see something like this</p> <p><img src="https://blog.nerdz.cloud/2025/migrating-database-clusters/cnp17-running.png" width="1223" height="487" srcset="https://blog.nerdz.cloud/2025/migrating-database-clusters/cnp17-running_hu15623616290127357289.png 480w, https://blog.nerdz.cloud/2025/migrating-database-clusters/cnp17-running_hu5057181686937731004.png 1024w" loading="lazy" alt="Cloudnative-PG 17 Cluster Running" class="gallery-image" data-flex-grow="251" data-flex-basis="602px" ></p> <h2 id="next-steps">Next Steps </h2><h3 id="migrating-apps-to-using-the-new-cluster">Migrating apps to using the new cluster </h3><p>Take a look at your services in your database namespace.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl get svc -n database <span class="p">|</span> grep postgres </span></span></code></pre></td></tr></table> </div> </div><p>and you will see something like this</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">postgres-lb LoadBalancer 10.96.91.59 10.90.3.203 5432:32588/TCP 11d </span></span><span class="line"><span class="cl">postgres16-r ClusterIP 10.96.150.103 &lt;none&gt; 5432/TCP 11d </span></span><span class="line"><span class="cl">postgres16-ro ClusterIP 10.96.174.223 &lt;none&gt; 5432/TCP 11d </span></span><span class="line"><span class="cl">postgres16-rw ClusterIP 10.96.134.59 &lt;none&gt; 5432/TCP 11d </span></span><span class="line"><span class="cl">postgres17-lb LoadBalancer 10.96.222.51 10.90.3.210 5432:32310/TCP 17m </span></span><span class="line"><span class="cl">postgres17-r ClusterIP 10.96.108.178 &lt;none&gt; 5432/TCP 17m </span></span><span class="line"><span class="cl">postgres17-ro ClusterIP 10.96.6.175 &lt;none&gt; 5432/TCP 17m </span></span><span class="line"><span class="cl">postgres17-rw ClusterIP 10.96.156.130 &lt;none&gt; 5432/TCP 17m </span></span></code></pre></td></tr></table> </div> </div><p>Here you can see that we have matching sets of postgres services with the old one at 10.90.3.203 and the new one at 10.90.3.210 (Your IPs will vary based on your cluster)</p> <h3 id="moving-apps-to-the-new-cluster">Moving apps to the new cluster </h3><p>I use VS Code for interacting with my code for my cluster. all I need to do is a search for uses of <code>postgres16-rw.database.svc.cluster.local</code> to find all the apps using Postgres.</p> <p>From here I will pick an single app and and change it over to <code>postgres17-rw.database.svc.cluster.local</code> Push the change and confirm it worked</p> <p>I will use Sonarr for my test.</p> <p>When I log into Sonarr and go to <code>Status</code> <code>https://yourSonarURL/system/status</code> you will see in the about section that its currently connected to Postgresql 16.3</p> <p><img src="https://blog.nerdz.cloud/2025/migrating-database-clusters/sonarr-01.png" width="451" height="316" srcset="https://blog.nerdz.cloud/2025/migrating-database-clusters/sonarr-01_hu15928089158985083259.png 480w, https://blog.nerdz.cloud/2025/migrating-database-clusters/sonarr-01_hu825387417992131000.png 1024w" loading="lazy" alt="Sonarr - Before" class="gallery-image" data-flex-grow="142" data-flex-basis="342px" ></p> <p>I need to edit my externalSecret to move the host for Postgres to the new cluster. Because I used all the same usernames and passworda as my original cluster, nothing else needs to change</p> <p>In Sonarr&rsquo;s <code>externalsecret.yaml</code> I change the host</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">sonarr</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">secretStoreRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterSecretStore</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">onepassword-connect</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">target</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">sonarr-secret</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">template</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">engineVersion</span><span class="p">:</span><span class="w"> </span><span class="l">v2</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">data</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">SONARR__AUTH__APIKEY</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ .SONARR_API_KEY }}&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">SONARR__POSTGRES__HOST</span><span class="p">:</span><span class="w"> </span><span class="cp">&amp;dbHost</span><span class="w"> </span><span class="l">postgres17-rw.database.svc.cluster.local</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>run the following command to confirm the change to the secret</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl describe externalsecret sonarr -n downloads </span></span></code></pre></td></tr></table> </div> </div><p>Be sure to swap our the name of the secret and the namespace to match your app and namespace.</p> <p>You should see the host has changed</p> <p>Go and refresh your Sonarr URL and you should see it changed there too</p> <p><img src="https://blog.nerdz.cloud/2025/migrating-database-clusters/sonarr-02.png" width="512" height="330" srcset="https://blog.nerdz.cloud/2025/migrating-database-clusters/sonarr-02_hu4294625150453917015.png 480w, https://blog.nerdz.cloud/2025/migrating-database-clusters/sonarr-02_hu14683121602403124743.png 1024w" loading="lazy" alt="Sonarr - After" class="gallery-image" data-flex-grow="155" data-flex-basis="372px" ></p> <p>If you want to be doubly sure, delete your sonarr pod and let k8s recreate it and check again that everything looks good. Once you are happy, migrate your other apps</p> <h3 id="all-apps-migrated">All Apps Migrated </h3><p>Once you have migrated all your apps and you can confirm that they are working, you can update your new Cloudnative-PG cluster to remove the InitDB and externalCluster settings you had that pointed to the old external cluster and go back to just having the standard settings you have for Volsync recovery:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="w"> </span><span class="nt">bootstrap</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">recovery</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">source</span><span class="p">:</span><span class="w"> </span><span class="cp">&amp;previousCluster</span><span class="w"> </span><span class="l">postgres17v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Note: externalClusters is needed when recovering from an existing cnpg cluster</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">externalClusters</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="cp">*previousCluster</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">barmanObjectStore</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">&lt;&lt;</span><span class="p">:</span><span class="w"> </span><span class="cp">*barmanObjectStore</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">serverName</span><span class="p">:</span><span class="w"> </span><span class="cp">*previousCluster</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h3 id="scale-down--removal-of-old-cluster">Scale down / removal of old cluster </h3><p>At this point, I want scale down your old cluster. Leave all the files there and let it sit for a week or two so you can be 100% sure everything is running fine, before you remove it from your Git</p> <h4 id="note">Note </h4><ul> <li>Because we are running two clusters under Cloudnative-PG we cannot simply scale the deployment to 0, as this will scale down both clusters.</li> <li>We also can not set the instances to 0 as that is not valid configuration option for Cloudnative-PG</li> </ul> <p>Instead, we need to comment out the KS that sets up the cluster</p> <p>In your root <code>ks.yaml</code> file kubernetes/apps/database/cloudnative-pg/ks.yaml Comment out the section for the original cluster</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># ---</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># apiVersion: kustomize.toolkit.fluxcd.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># kind: Kustomization</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># metadata:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># name: &amp;app cloudnative-pg-cluster</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># namespace: flux-system</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># spec:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># targetNamespace: database</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># commonMetadata:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># labels:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># app.kubernetes.io/name: *app</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># dependsOn:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># - name: cloudnative-pg</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># - name: external-secrets-stores</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># path: ./kubernetes/apps/database/cloudnative-pg/cluster</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># prune: true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># sourceRef:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># kind: GitRepository</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># name: home-kubernetes</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># wait: true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># interval: 30m</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># retryInterval: 1m</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># timeout: 5m</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># postBuild:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># substitute:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># APP: *app</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># GATUS_SVC_NAME: postgres-lb</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># GATUS_SVC_PORT: &#34;5432&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># GATUS_NAMESPACE: database</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>Note: You may need to remove the finalizers on the PVC which have protection for Cloudnative-PG in order for the cleanup to complete</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl get pvc -n database </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS VOLUMEATTRIBUTESCLASS AGE </span></span><span class="line"><span class="cl">postgres16-1 Terminating pvc-753ef28f-9f40-44aa-bc33-24f3db0abbfb 20Gi RWO openebs-hostpath &lt;unset&gt; 11d </span></span><span class="line"><span class="cl">postgres17-1 Bound pvc-df4cbbb0-a2f2-4eb5-8377-09c68f6f8942 20Gi RWO openebs-hostpath &lt;unset&gt; 62m </span></span><span class="line"><span class="cl">postgres17-2 Bound pvc-696e5ed8-7a0a-4640-8e3f-55d36d69343c 20Gi RWO openebs-hostpath &lt;unset&gt; 56m </span></span><span class="line"><span class="cl">postgres17-3 Bound pvc-fd1344dd-f596-4ed3-a350-718c69c161f3 20Gi RWO openebs-hostpath &lt;unset&gt; 52m </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl edit pvc postgres16-1 -n database </span></span></code></pre></td></tr></table> </div> </div><p>Remove the finalizer lines and save</p> <h3 id="done">Done </h3><p>You have successfully migrated your Database.</p> <h3 id="final-checks">Final Checks </h3><ol> <li>Log into your replicationDestination (Backblaze in my case) and check that the first backup has taken place</li> <li>Check all your pods and make sure none are throwing errors</li> <li>Continue to monitor your cluster over the coming weeks for any DB related errors</li> <li>Once you are totally happy, remove all the old files from Git.</li> </ol> https://blog.nerdz.cloud/2025/car-care/ Tue, 14 Jan 2025 00:00:00 +1300 https://blog.nerdz.cloud/2025/car-care/ <blockquote> <p>&ldquo;The difference between something good and something great is attention to detail.&rdquo;<br> — <em>Charles R. Swindoll</em></p> </blockquote> <h2 id="protecting-your-investment">Protecting Your Investment </h2><h3 id="insurance">Insurance </h3><p>So you just spent all this money are a new car, and if your smart, you will want to protect that investment. There are a few things you can do.</p> <p>First of all, you should have insurance before you even drove the car away. There are many insurance companies out there and dealing with this is a Royal PITA. In my experince, it is much better to deal with a broker, they act on your behalf and communicate with all the different insurance companies to find the best deal that suits your needs. They do no charge you, as the insurance companies pay them to bring in new clients, and the deals they offer you are always better than if you went direct to the Insurance company.</p> <p>We use <a class="link" href="https://hutchisonrodway.co.nz/" target="_blank" rel="noopener" >Hutchison Rodway Insurance</a> They have been awesome and handle our House, Contents and Vehicle Insurance. We always deal with Jo Mitchel, feel free to <a class="link" href="tel:094772835" >call</a> or <a class="link" href="jo@hutchrod.co.nz" >email</a> her</p> <p>⚠️ NOTE: If your vehicle has a glass roof, ENSURE that you Insurance company counts it as a windshield so you get one free replacement per year if it gets cracked/damaged</p> <h3 id="long-term-protection">Long Term Protection </h3><p>Once you have the car, you may choose to protect the paint and body work in a manner designed to keep it looking good for years to come. There are several different things you can take a look at:</p> <h4 id="vehicle-wrap">Vehicle Wrap </h4><ul> <li><strong>Purpose:</strong> Changes the car&rsquo;s appearance (color, patterns, or designs) and offers light protection.</li> <li><strong>Material:</strong> Vinyl film.</li> <li><strong>Protection Level:</strong> Minor protection against scratches, chips, and UV rays.</li> <li><strong>Customization:</strong> High—can include matte, gloss, satin, carbon fiber, or custom designs.</li> <li><strong>Durability:</strong> 3–7 years, depending on quality and care.</li> <li><strong>Cost:</strong> Moderate to high, based on coverage and design complexity.</li> <li><strong>Best For:</strong> People looking to customize their car’s look or advertise a brand while adding light protection.</li> </ul> <h4 id="paint-protection-film-ppf">Paint Protection Film (PPF) </h4><ul> <li><strong>Purpose:</strong> Provides strong protection against scratches, chips, and abrasions.</li> <li><strong>Material:</strong> Transparent polyurethane or polymer film.</li> <li><strong>Protection Level:</strong> High—absorbs impacts and can self-heal minor scratches.</li> <li><strong>Customization:</strong> Clear, but some brands offer matte or colored variants.</li> <li><strong>Durability:</strong> 5–10 years with proper care.</li> <li><strong>Cost:</strong> High—especially for full-body applications.</li> <li><strong>Best For:</strong> People prioritizing protection for high-end, exotic, or new cars to maintain factory paint quality.</li> </ul> <h4 id="ceramic-coating">Ceramic Coating </h4><ul> <li><strong>Purpose:</strong> Provides a long-lasting, hydrophobic (water-repellent) layer for shine and easier cleaning.</li> <li><strong>Material:</strong> Liquid polymer that chemically bonds to the paint.</li> <li><strong>Protection Level:</strong> Protects against UV rays, dirt, and chemical stains, but not scratches or chips.</li> <li><strong>Customization:</strong> None—focuses only on enhancing the car&rsquo;s natural paint and gloss.</li> <li><strong>Durability:</strong> 2–5 years, depending on maintenance.</li> <li><strong>Cost:</strong> Moderate. Higher initial cost but lower maintenance than wax or sealants.</li> <li><strong>Best For:</strong> People who want a glossy finish, easy maintenance, and protection against dirt and weather.</li> </ul> <h4 id="tinted-windows">Tinted Windows </h4><ul> <li>**Purpose: Improves privacy, reduces glare, blocks UV rays, and keeps the car cooler.</li> <li>**Key Features: <ul> <li><strong>Privacy</strong> – Makes it harder for others to see inside the car.</li> <li><strong>UV Protection</strong> – Blocks up to 99% of harmful UV rays, reducing skin damage and fading of interiors.</li> <li><strong>Heat Reduction</strong> – Helps keep the interior cooler by reflecting solar heat.</li> <li><strong>Glare Reduction</strong> – Reduces glare from sunlight and headlights, improving visibility and comfort.</li> <li><strong>Safety</strong> – Helps hold shattered glass together in case of an accident.</li> <li><strong>Style</strong> – Enhances the appearance of the vehicle.</li> </ul> </li> <li><strong>Types:</strong> <ul> <li><strong>Dyed Film</strong> – Budget-friendly, reduces glare, and adds privacy but offers less heat reduction.</li> <li><strong>Metalized Film</strong> – Reflects heat well and strengthens windows but may interfere with GPS and radio signals.</li> <li><strong>Carbon Film</strong> – Provides excellent UV protection and heat rejection without signal interference.</li> <li><strong>Ceramic Film</strong> – Premium option with the best heat reduction, UV protection, and clarity, and no signal interference.</li> </ul> </li> </ul> <h4 id="costs-approx-nzd">Costs (approx NZD) </h4><ul> <li>Full Car Ceramic = $800</li> <li>Full car PPF = $5000 - $10,000 (Soo many variables)</li> <li>Vehicle Wrap = $5000+</li> <li>Tinbts = $400 - $1000</li> </ul> <h4 id="options">Options </h4><p>I decided to go with a mixture of the following</p> <ul> <li>PF M8 Satin/Matte PPF - Full external vehicle</li> <li>HV2 Ceramic Coating - Full external vehicle over PPF</li> <li>PTL50 Ceramic Tints @ 47% (Sides and rear window)</li> <li>Interior fabric hydrophobic treatment <ul> <li>Applied to seats, door cards &amp; dash (all ‘leather’ trims)</li> </ul> </li> <li>Chrome delete front &amp; rear (T ,TESLA &amp; DualMotor)</li> </ul> <h2 id="car-detailing">Car Detailing </h2><p>Keep an eye out for our next post which will cover car cleaning</p> https://blog.nerdz.cloud/2024/new-car-delivered/ Fri, 27 Dec 2024 00:00:00 +1300 https://blog.nerdz.cloud/2024/new-car-delivered/ <h2 id="finance-woes">Finance woes </h2><p>So, it turns out that in order to take advantage of the 2.99% deal that Tesla was doing with UDC Finance, I had to purchase from inventory.</p> <p>That put a bit of a kibosh on my plans. The transaction also had to be completed and I had to have taken delivery of the vehicle by 31st of December 2024.</p> <p>As it happens, no Model 3 Performance in stock, so our choices were limited. Decisions had to be made.</p> <p>My wife and I sat down with the salesmen from Tesla and took a look through all the available inventory.</p> <p>Inventory options (Model 3 Highland):</p> <ul> <li>Standard Range RWD (Rear Wheel Drive) <ul> <li>Pearl White Multi-Coat</li> <li>Solid Black</li> <li>Stealth Grey</li> </ul> </li> <li>Long Range AWD (All Wheel Drive) <ul> <li>Pearl White Multi-Coat</li> <li>Solid Black</li> <li>Stealth Grey</li> <li>Deep Blue Metallic</li> </ul> </li> </ul> <p>I really liked the <strong>Stealth Grey</strong> and my wife did not. We both likes the <strong>Deep Blue Metallic</strong></p> <p>There was one problem though. The interior, was white. I had never owned a white interior and was worried about the cleanliness of it. However, after talking to Hagan at <a class="link" href="https://www.thewrapshop.co.nz/" target="_blank" rel="noopener" >The Wrap Shop</a> and some research online, we were confident that the Ceramic Protection (along with regular cleaning and maintenence) would keep them looking good.</p> <h2 id="finance-woes-2">Finance woes #2 </h2><p>Originally when I spoke to UDC, they said they would be able to add any 3rd party items to the finance deal e.g. PPF (Paint Protection Film), Tints etc.</p> <p>However, as we closed in on completing the deal, they went back on that statement. It turns out that Tesla NZ lost money on all inventory sold when offereing 2.99% and their deal with UDC is such that they will not budge and add anything else to the loan that may cost them more money.</p> <p>Shit&hellip;</p> <p>This has really put a dent in my plans and I was going to have to do some quick juggling of things.</p> <p>We put though the car sale, and traded in the Skoda. Taking collection on Friday 27th December at 3:30pm</p> <p><img src="https://blog.nerdz.cloud/2024/new-car-delivered/tesla_m3lr_blue.jpeg" width="1920" height="1080" srcset="https://blog.nerdz.cloud/2024/new-car-delivered/tesla_m3lr_blue_hu5693404520592940109.jpeg 480w, https://blog.nerdz.cloud/2024/new-car-delivered/tesla_m3lr_blue_hu12127910043709293975.jpeg 1024w" loading="lazy" alt="Tesla Model 3 Highland LR AWD - Blue" class="gallery-image" data-flex-grow="177" data-flex-basis="426px" ></p> <ul> <li>Tesla Model 3 Long Range Dual Motor All-Wheel Drive</li> <li>Deep Blue Metallic Paint</li> <li>18&quot; Photon Wheels</li> <li>White Premium Interior</li> <li>Autopilot</li> <li>Enhanced Auto Pilot</li> <li><del>Full Self-Driving Capability</del></li> </ul> <p>So, what are the real world differenced between the originally ordered M3P and the actually delivered M3LR?</p> <table> <thead> <tr> <th>Feature</th> <th>Model 3 Performance</th> <th>Model 3 Long Range AWD</th> </tr> </thead> <tbody> <tr> <td><strong>Acceleration (0–100 km/h)</strong></td> <td>3.1 seconds</td> <td>4.2 seconds</td> </tr> <tr> <td><strong>Top Speed</strong></td> <td>261 km/h</td> <td>233 km/h</td> </tr> <tr> <td><strong>Range (WLTP)</strong></td> <td>~528 km</td> <td>~629 km</td> </tr> <tr> <td><strong>Power Output</strong></td> <td>~343 kW</td> <td>~366 kW</td> </tr> <tr> <td><strong>Wheels</strong></td> <td>20-inch forged wheels with performance tires</td> <td>18-inch (optional 19-inch) wheels</td> </tr> <tr> <td><strong>Brakes</strong></td> <td>Larger brakes for enhanced stopping power</td> <td>Standard brakes</td> </tr> <tr> <td><strong>Suspension</strong></td> <td>Adaptive suspension with performance tuning</td> <td>Standard suspension</td> </tr> <tr> <td><strong>Seats</strong></td> <td>Ventilated/heated sport seats with enhanced bolstering</td> <td>Ventilated/heated sport seats</td> </tr> <tr> <td><strong>Interior Trim</strong></td> <td>Carbon fiber trim</td> <td>Standard premium interior</td> </tr> <tr> <td><strong>Driving Modes</strong></td> <td>Track Mode for customizable dynamics</td> <td>Standard driving modes</td> </tr> <tr> <td><strong>Audio System</strong></td> <td>Premium 17-speaker system</td> <td>Premium 17-speaker system</td> </tr> <tr> <td><strong>Spoiler</strong></td> <td>Carbon fiber spoiler</td> <td>None</td> </tr> </tbody> </table> <p>So key take-aways are that we gained 101kms of WLTP range and lost a little top speed and acceleration.</p> <p>Additionally, what that table does not show is that the tires are much larger on the M3P and much more expensive (~ NZD$ 700 per tire, vs NZD$ 400 for the M3LR)</p> <h2 id="next-steps">Next steps </h2><p>Next steps are getting some upgrades done on the car.</p> <h3 id="professionally-installed">Professionally Installed </h3><ul> <li>Installing my Genevo Pro II (which was removed from the skoda)</li> <li>Front PPF <ul> <li>Bumper</li> <li>Bonnet</li> <li>Headlights</li> <li>Front Fenders</li> <li>Wing Mirrors</li> </ul> </li> <li>Full Car Exterior Ceramic Coating</li> <li>Tints <ul> <li>Ceramic Tints</li> <li>Blocks 99% of UV</li> <li>2x the heat reduction over normal tints</li> </ul> </li> <li>Interior fabric hydrophobic treatment <ul> <li>Seats</li> <li>Door cards</li> <li>Dash</li> <li>(all ‘leather’ trims)</li> </ul> </li> <li>Badge Blackout <ul> <li>Front Tesla Logo</li> <li>Rear Tesla Letters</li> </ul> </li> </ul> <h3 id="personally-installed">Personally Installed </h3><ul> <li> <p>Tesla</p> <ul> <li><a class="link" href="https://shop.tesla.com/en_nz/product/mobile-connector" target="_blank" rel="noopener" >Mobile Connector</a></li> <li><a class="link" href="https://shop.tesla.com/en_nz/product/tyre-repair-kit" target="_blank" rel="noopener" >Tyre Repair Kit</a></li> <li><a class="link" href="https://www.tesla.com/en_nz/support/connectivity" target="_blank" rel="noopener" >Premium Connectivity</a></li> </ul> </li> <li> <p>Hansshow</p> <ul> <li><a class="link" href="https://www.hautopart.com/products/tesla-model-3-highland-mud-flaps-front-and-rear-splash-guards-mudguard-mudflaps-car-accessoriesupgraded-version-4-pcs-hansshow?variant=45531059618004" target="_blank" rel="noopener" >6 Piece Mudflap Set</a></li> <li><a class="link" href="https://www.hautopart.com/products/tesla-model-3-highland-screen-swivel-mount-center-console-touch-screen-rotating-bracket?variant=45405465968852" target="_blank" rel="noopener" >Swivel Mount for Center Console Touch Screen</a></li> </ul> </li> <li> <p>Enhauto</p> <ul> <li><a class="link" href="https://enhauto.com/product/s3xy-knob" target="_blank" rel="noopener" >S3XY Knob (with Commander)</a></li> <li><a class="link" href="https://enhauto.com/product/2-add-on-s3xy-buttons-gen2" target="_blank" rel="noopener" >2 Add-on S3XY Buttons Gen2</a> <ul> <li>BONUS: At the time of ordering, they were giving away 2 extra buttons so I have 4</li> </ul> </li> <li><a class="link" href="https://enhauto.com/product/icons" target="_blank" rel="noopener" >Stickers With Icons</a></li> </ul> </li> <li> <p>Samsung</p> <ul> <li><a class="link" href="https://www.pbtech.co.nz/product/HDDSSM37102/Samsung-T7-Shield-1TB-Rugged-Portable-External-SSD" target="_blank" rel="noopener" >T7 Shield 1TB Rugged Portable External SSD - Blue</a> <ul> <li>For Sentry Mode, etc</li> </ul> </li> </ul> </li> <li> <p>Aliexpress</p> <ul> <li><a class="link" href="https://www.aliexpress.com/item/1005004921743402.html?spm=a2g0o.order_list.order_list_main.17.50441802c2FxRO" target="_blank" rel="noopener" >Glove Box Flocking USB HUB Adapter</a> <ul> <li>Gives me more USB ports for data and charging</li> </ul> </li> </ul> </li> <li> <p>Temu</p> <ul> <li><a class="link" href="https://www.temu.com/goods.html?goods_id=601099713528312" target="_blank" rel="noopener" >Center Console Organizer for Tesla Model 3 Highland</a> <ul> <li>Sliding style</li> </ul> </li> <li><a class="link" href="https://www.temu.com/goods.html?goods_id=601099523217349" target="_blank" rel="noopener" >128W QC3.0 High Power Fast Charger 3<em>USB 1</em>PD Car Charger Portable 3 Socket</a> <ul> <li>The Enhauto S3XY Commander takes up the only 12v accessory plug so this was needed</li> </ul> </li> <li><a class="link" href="https://www.temu.com/goods.html?goods_id=601099690729679" target="_blank" rel="noopener" >Silicone Center Console Organizer Tray Storage Box</a> <ul> <li>Convenient place to store sunglasses</li> </ul> </li> <li><a class="link" href="https://www.temu.com/goods.html?goods_id=601099577197483" target="_blank" rel="noopener" >2x ar Cup Holder Tablet Phone Mount with Heavy Duty Cupholder Base</a> <ul> <li>For the kids when they want to do things other than what is built into the Tesla&rsquo;s rear screen</li> </ul> </li> </ul> </li> <li> <p>Tessories NZ</p> <ul> <li><a class="link" href="https://tessories.nz/product/bundle-model-3-highland-floor-mats-door-pocket-inserts/" target="_blank" rel="noopener" >Bundle: Model 3 (2024-2025) Floor Mats + Door Pocket Inserts</a></li> <li><a class="link" href="https://tessories.nz/product/bundle-model-3-highland-liner-set/" target="_blank" rel="noopener" >Bundle: Model 3 (2024-2025) Liner Set</a></li> <li><a class="link" href="https://tessories.nz/product/model-3-boot-hook/" target="_blank" rel="noopener" >Boot Grocery Hook</a></li> <li><a class="link" href="https://tessories.nz/product/model-3-highland-cup-holder-liner/" target="_blank" rel="noopener" >Silicone Cup Holder Liner – Model 3 (2024-2025)</a></li> <li><a class="link" href="https://tessories.nz/product/tesla-jack-pads/?attribute_pa_quantity=set-of-4-with-case" target="_blank" rel="noopener" >Tesla Jack Pads</a></li> </ul> <h3 id="apps">Apps </h3><h4 id="vehicle-management--analytics--diagnostics">Vehicle Management / Analytics / Diagnostics </h4><ul> <li><strong>Tesla</strong> - Required to use the car. Acts as your phone key <ul> <li><a class="link" href="https://apps.apple.com/us/app/tesla/id582007913" target="_blank" rel="noopener" >iOS</a> | <a class="link" href="https://play.google.com/store/apps/details?id=com.teslamotors.tesla&amp;hl=en_NZ" target="_blank" rel="noopener" >Android</a></li> </ul> </li> <li><strong>Tessie</strong> - The Tesla management platform. Trusted by over 400,000 Tesla drivers. <ul> <li><a class="link" href="https://tessie.com/" target="_blank" rel="noopener" >Website</a> | <a class="link" href="https://apps.apple.com/us/app/tessie-for-your-tesla/id1496718223" target="_blank" rel="noopener" >iOS</a> | <a class="link" href="https://play.google.com/store/apps/dev?id=6455688736528489709&amp;hl=en_NZ&amp;pli=1" target="_blank" rel="noopener" >Android</a></li> </ul> </li> </ul> <h4 id="navigation">Navigation </h4><ul> <li><strong>A Better Route Planner</strong> - Optimize your EV journey with efficient routes, charging stop management, and live navigation for stress-free electric vehicle travel. <ul> <li><a class="link" href="https://abetterrouteplanner.com/" target="_blank" rel="noopener" >Website</a> | <a class="link" href="https://apps.apple.com/nz/app/a-better-routeplanner-abrp/id1490860521" target="_blank" rel="noopener" >iOS</a> | <a class="link" href="https://play.google.com/store/apps/details?id=com.iternio.abrpapp&amp;hl=en" target="_blank" rel="noopener" >Android</a></li> </ul> </li> </ul> <h4 id="charging">Charging </h4><ul> <li><strong>ChargeNet</strong> - New Zealand&rsquo;s EV fast-charging network <ul> <li><a class="link" href="https://charge.net.nz/" target="_blank" rel="noopener" >Website</a> | <a class="link" href="https://apps.apple.com/nz/app/chargenet/id1243950744" target="_blank" rel="noopener" >iOS</a> | <a class="link" href="https://play.google.com/store/apps/details?id=nz.net.charge.app&amp;hl=en_NZ" target="_blank" rel="noopener" >Android</a></li> </ul> </li> <li><strong>PlugShare</strong> - Find EV charging stations with PlugShare, the most complete map of electric vehicle charging stations in the world! <ul> <li><a class="link" href="https://www.plugshare.com/" target="_blank" rel="noopener" >Website</a> | <a class="link" href="https://apps.apple.com/us/app/plugshare/id421788217" target="_blank" rel="noopener" >iOS</a> | <a class="link" href="https://play.google.com/store/apps/details?id=com.xatori.Plugshare&amp;hl=en_NZ" target="_blank" rel="noopener" >Android</a></li> </ul> </li> <li><strong>Z Energy</strong> - Z Public Charging Stations — At a 180kW Ultra-Fast Charger, You Get Roughly 100km of Range Every 8 Minutes of Charging. <ul> <li><a class="link" href="https://www.z.co.nz/products-and-services/z-app/pay-with-z-app/ev-charging" target="_blank" rel="noopener" >Website</a> | <a class="link" href="https://apps.apple.com/nz/app/z-energy-app/id1641372494" target="_blank" rel="noopener" >iOS</a> | <a class="link" href="https://play.google.com/store/apps/details?id=com.zenergy.zenergyapp.android.prod&amp;hl=en_NZ" target="_blank" rel="noopener" >Android</a></li> </ul> </li> <li><strong>bp charge</strong> - Charging Points Across NZ — Find Your Nearest EV Charger. <ul> <li><a class="link" href="https://www.bp.com/en_nz/new-zealand/home/products-and-services/bpevcharging.html" target="_blank" rel="noopener" >Website</a> | <a class="link" href="https://apps.apple.com/nz/app/bp-charge/id1641193336" target="_blank" rel="noopener" >iOS</a> | <a class="link" href="https://play.google.com/store/apps/details?id=com.bp.mobile.bppulse.nz&amp;hl=en_NZ" target="_blank" rel="noopener" >Android</a></li> </ul> </li> <li><strong>Zero Charging</strong> - Zero is powered by Meridian Energy. A New Zealand power company that generates electricity through 100% renewable sources – wind, water and sun. <ul> <li><a class="link" href="https://zero.meridianenergy.co.nz/" target="_blank" rel="noopener" >Website</a> | <a class="link" href="https://apps.apple.com/nz/app/zero-charging/id1610229406" target="_blank" rel="noopener" >iOS</a> | <a class="link" href="https://play.google.com/store/apps/details?id=nz.co.meridian.android.zerocharging&amp;hl=en_NZ" target="_blank" rel="noopener" >Android</a></li> </ul> </li> <li>If you install your charger outdoors this could earn you a little extra cash <ul> <li><strong>Open Loop</strong> - EV Charge Point Owners can offer their EV charger for general public use through the OpenLoop platform and app <ul> <li><a class="link" href="https://openloop.co.nz/" target="_blank" rel="noopener" >Website</a> | <a class="link" href="https://apps.apple.com/nz/app/openloop/id1503633982" target="_blank" rel="noopener" >iOS</a> | <a class="link" href="https://play.google.com/store/apps/details?id=nz.co.openloop.mobile.production&amp;hl=en" target="_blank" rel="noopener" >Android</a></li> </ul> </li> </ul> </li> </ul> </li> </ul> <h2 id="end-of-month">End of month </h2><p>Come back soon to see updated pictures of the car once all the work is done!</p> https://blog.nerdz.cloud/2024/ordering-a-new-car/ Fri, 13 Dec 2024 00:00:00 +1300 https://blog.nerdz.cloud/2024/ordering-a-new-car/ <h2 id="prequel">Prequel </h2><p>Back in March my friend/colleague Charles and I (<em>and our respective families</em>) went down to <a class="link" href="https://www.warbirdsoverwanaka.com/" target="_blank" rel="noopener" >Warbirds over Wanaka</a> in the beautiful <a class="link" href="https://en.wikipedia.org/wiki/Queenstown-Lakes_District" target="_blank" rel="noopener" >Queenstown-Lakes District</a> to see the Airshow.</p> <p>We both owned cars that we enjoyed driving, but with a tendency towards a lead foot, not cheap to run 😅. Since we each needed to rent a car, we took the opportunity to hire an EV. We&rsquo;d heard so much about them but never actually driven one.</p> <p>We both hired a BYD Atto 3 and were looking forward to the experience.</p> <p>One week out from our holiday we both got an email from the rental company, they would be unable to supply us with our cars as both had been badly damaged in accidents&hellip; However, they offered us both FREE upgrades to a Tesla Model 3! Hell yea!</p> <p>We were in Wanaka for 1 week and spent a significant amount of time driving around in the Model 3, making many trips backwards and forwards across the <a class="link" href="https://en.wikipedia.org/wiki/The_Remarkables" target="_blank" rel="noopener" >Remarkables</a> between Wanaka and Queenstown.</p> <p>Needless to say, we were both very impressed with the Model 3, despite being a rental (<em>rental cars are heavily mistreated and are typically not in great condition</em>)</p> <p>Here are a few of the things that stood out to me:</p> <ul> <li>Low center of gravity - Having the batteries as a long wide block across the center 2/3 of the car keeps the weight very low. This drastically improves handling</li> <li>Balanced distribution of weight - Not having a heavy engine in the front meant that the car was evenly balanced front to back (Front: 856kg Rear: 904kg)</li> <li>Quiet - I noticed little to no road noise when driving (<em>except where the road surface was really bad</em>). This made it easy to have conversations with people in the car without raising our voices</li> <li>Storage - Despite the boot being smaller than the car we currently own (2021 Skoda Superb Sportline Wagon) with the added space in the Frunk (bonnet) for storage, the capacity was similar</li> <li>Infotainment - This was a real pleasure to use, the UX (user experience) is fantastic, well thought out, easy to use, AND regularly updated</li> <li>Performance - Even though we were driving the base model, the instantaneous torque was impressive to say the least, especially when pulling out of corners on the open highway.</li> </ul> <p>For me, this experience flipped a switch in my head, putting me into &ldquo;research&rdquo; mode, Kicking off approximately 9 months of deep research into the Teslas and whether they would be a good fit as a replacement car for my family and I.</p> <h2 id="gripes-with-my-current-car">Gripes with my current car </h2><p><img src="https://blog.nerdz.cloud/2024/ordering-a-new-car/skoda.jpg" width="960" height="720" srcset="https://blog.nerdz.cloud/2024/ordering-a-new-car/skoda_hu15198873789371667123.jpg 480w, https://blog.nerdz.cloud/2024/ordering-a-new-car/skoda_hu7723589734473922735.jpg 1024w" loading="lazy" alt="Skoda Superb Sportline Wagon" class="gallery-image" data-flex-grow="133" data-flex-basis="320px" ></p> <ul> <li>Fuel is getting increasingly expensive with 95 Octane costing $2.75 per L with a 70L tank. I&rsquo;m spending Nearly $200 per fill and filling twice a month</li> <li>The car is huge, and parking it is a pain</li> <li>The Infotainment SUCKS! <ul> <li>It&rsquo;s really slow to start</li> <li>Apple CarPlay lags like crazy</li> <li>The Radio still doesn&rsquo;t show the names of radio stations, because the importer won&rsquo;t allow it for privacy reasons&hellip;</li> <li>It had the steering wheel replaced multiple times because radar-guided cruise control stopped working</li> <li>I was without an engine cover for a year while Skoda redesigned it to prevent fires in the engine bay</li> </ul> </li> </ul> <p>Don&rsquo;t get me wrong, it&rsquo;s a good car. But a lot about it is frustrating. It was time for a change.</p> <h2 id="tesla-concerns">Tesla concerns </h2><p>Everyone watches videos online and hears all the negative things about Tesla. It&rsquo;s easy to have a strong bias against them without actually having had any experience with one. But holding onto that bias is the place of fools. I wanted to find out the real story and I did my research.</p> <p>First, I wanted to make sure that Tesla was the right choice from a pure specifications perspective. I spent a lot of time in Google Sheets, pulling in specification data and comparing all the cars in the market. Looking at weight, length, width, boot space, price, power/torque, warranty, range etc. It was an exhaustive list.</p> <p>This affirmed that Price : Spec, nothing beat out the Tesla.</p> <p>So the next question is build quality. Now I am a Quality Assurance Engineer by trade, having done Software, Hardware, and Firmware testing. I know that nothing is ever perfect. However, I&rsquo;d heard some nasty stories about build quality and I wanted to do some digging.</p> <p>First, I want to cut Tesla some slack, they are a &ldquo;new&rdquo; company in the car manufacturing game, and people are unfairly comparing the build quality with companies that are 100+ years old. Those early 5+ years will be shaky for any brand as they refine their processes. That said, I did hear a lot about panels not lining up and that was my greatest concern (<em>I had not seen anything about saftey being a concern</em>).</p> <p>After a lot of digging, this is what I found out.</p> <ul> <li>The majority of the issues existed only for customers in the US, taking delivery of cars built in the Fremont/California factory.</li> <li>Very few issues with the cars out of Beijing, China (<em>Which is where New Zealand gets its Teslas from</em>)</li> <li>99% of these issues were not present on the 2023+ models and I&rsquo;d heard of no issues on the Hardware 4 &ldquo;Highland&rdquo; Model 3&rsquo;s</li> <li>There are exhaustive <a class="link" href="https://jeremiahjones.gumroad.com/l/M3HChecklist" target="_blank" rel="noopener" >checksheets</a> you can get for delivery day to make sure everything is good and you don&rsquo;t drive away if there are issues</li> <li>You have 72 hours post delivery to bring up any issues that would cause a delivery rejection, beyond that you fall back to issues being resolved under warranty</li> <li>NZ has a STRONG Consumer Guarantees Act that protects the consumer from issues</li> </ul> <h2 id="fast-forward-to-2024-dec-03">Fast forward to 2024-Dec-03 </h2><p>My Wife and I had been away over the weekend for a surprise trip to Waitomo to see the glow worm caves and today we had planned to go into <a class="link" href="https://www.tesla.com/en_ZA/findus/location/service/TeslaCentreAucklandSouth" target="_blank" rel="noopener" >Tesla Auckland South</a> to see the Model 3 Performance (<em>Highland</em>) and take it for a Test drive</p> <p>We wanted to see how it performed, what it looked like in the flesh, and if we liked the changes.</p> <p>Let me tell you, The INSANE acceleration profile lives up to the name. I had never felt my internal organs press against my spine until that moment, it was amazing‼️ 😍</p> <p>Back at the dealership and chatting with the Sales guy I learned some useful information.</p> <ul> <li>Tesla had just increased its referral discount to 1,600 for the purchaser and 800 in Tesla credit for the referrer</li> <li>Tesla also used <a class="link" href="https://www.udc.co.nz/index.html" target="_blank" rel="noopener" >UDC Finance</a></li> <li>Tesla was offering 2.99% while my existing car was at 7.98%</li> </ul> <p>Tesla using UDC made this choice even easier as my Skoda was financed with UDC. Here is how it works</p> <h3 id="ordering-process">Ordering Process </h3><ol> <li>Everything is done inside the Tesla App on your phone</li> <li>You purchase the car through Tesla and pay the (<em>100% refundable if finance or Trade-in fails</em>) deposit of $ 400</li> <li>Choose UDC for the Finance</li> <li>You tell Tesla that you are trading in a car</li> <li>You let them know that money is owed on the car and that it&rsquo;s with UDC</li> <li>Tesla will give you a trade-in valuation on your car</li> <li>If you accept, Tesla will subtract the amount owing on your existing loan, pay it off to UDC on your behalf, and give you the balance of the trade-in as a reduction in the total loan amount.</li> </ol> <p>Example (arbitrary numbers for easy math):</p> <ul> <li>The new car is worth $100,000</li> <li>Your trade-in is valued at $50,000</li> <li>You still owe $25,000 on the trade-in</li> <li>Total new finance = NewCarPrice - (Trade-in value - OldCarBalance)</li> <li>Total new finance = $100,000 - ($50,000 - $25,000) = $75,000</li> </ul> <p>The next day, I contacted a colleague at work and asked for their Referral code to order a new Tesla.</p> <p><img src="https://blog.nerdz.cloud/2024/ordering-a-new-car/tesla-order.jpeg" width="1179" height="2556" srcset="https://blog.nerdz.cloud/2024/ordering-a-new-car/tesla-order_hu3577792883295051626.jpeg 480w, https://blog.nerdz.cloud/2024/ordering-a-new-car/tesla-order_hu17999446371125914218.jpeg 1024w" loading="lazy" alt="Tesla Order" class="gallery-image" data-flex-grow="46" data-flex-basis="110px" ></p> <h3 id="the-car">The Car </h3><ul> <li>Tesla Model 3 Performance Dual Motor All-Wheel Drive</li> <li>Ultra Red Paint</li> <li>20&quot; Warp Wheels</li> <li>Black Premium Interior</li> <li>Autopilot</li> <li>Enhanced Auto Pilot</li> <li><del>Full Self-Driving Capability</del></li> </ul> <p>I decided FSD (Full Self-Driving Capability) was not worth the cost.</p> <p>Delivery should be between Jan-Feb 2025 (March if I am unlucky)</p> <p><img src="https://blog.nerdz.cloud/2024/ordering-a-new-car/M3P-Red.jpeg" width="1920" height="1080" srcset="https://blog.nerdz.cloud/2024/ordering-a-new-car/M3P-Red_hu8922117226662537627.jpeg 480w, https://blog.nerdz.cloud/2024/ordering-a-new-car/M3P-Red_hu18313744224439444276.jpeg 1024w" loading="lazy" alt="Tesla Model 3 Performance" class="gallery-image" data-flex-grow="177" data-flex-basis="426px" ></p> <p>Follow along for more posts as we get closer to the time and I talk more about how I plan to pull data off the car into my Kubernetes cluster for analytics</p> https://blog.nerdz.cloud/2024/starting-a-new-blog/ Fri, 13 Dec 2024 00:00:00 +1300 https://blog.nerdz.cloud/2024/starting-a-new-blog/ <h2 id="starting-a-new-blog">Starting a new blog </h2><p><a class="link" href="https://github.com/kevindurb" target="_blank" rel="noopener" >Kevin Durbin</a> and I have been talking about starting a new blog for a while. This is my attempt to kick things off!</p> <p>A little about me.</p> <p>Hi, I am Gavin :)</p> <p><img src="https://blog.nerdz.cloud/2024/starting-a-new-blog/avatar.jpg" width="1210" height="1210" srcset="https://blog.nerdz.cloud/2024/starting-a-new-blog/avatar_hu17328516416912310373.jpg 480w, https://blog.nerdz.cloud/2024/starting-a-new-blog/avatar_hu5569309026207942336.jpg 1024w" loading="lazy" alt="Gavin McFall" class="gallery-image" data-flex-grow="100" data-flex-basis="240px" ></p> <p>I am a QA (Quality Advocate) I help my team build better quality software. I am a full time Nerd with diverse hobbies from Cars to 3D Printing to Kubernetes. This blog will be a place for me to write things that matter to me, and hopefully, you&hellip;</p> <p>More soon!</p> https://blog.nerdz.cloud/archives/ Tue, 28 May 2019 00:00:00 +1200 https://blog.nerdz.cloud/archives/ https://blog.nerdz.cloud/about/ Mon, 01 Jan 0001 00:00:00 +0000 https://blog.nerdz.cloud/about/ <h2 id="contact">Contact </h2><p>Feel free to contact me via the profile icons on the sidebar/menu, or via the links on the bottom of the page.</p> <h2 id="about-me">About Me </h2><p>Hey, I&rsquo;m Gavin 👋🏻. I have a deep interest in all things <strong>Nerdy!</strong>. In particular, I am passionate about the following domains:</p> <h3 id="kubernetes">Kubernetes </h3><ul> <li>Self Hosting Services</li> <li>Highly Availablity</li> <li>TalosOS as a Kubernetes native operating system</li> </ul> <h3 id="networking">Networking </h3><ul> <li>Ubiquity Networking Hardware</li> <li>VPNs (WireGuard, Tailscale, OpenVPN)</li> <li>Network Hardening (vlans, etc)</li> </ul> <h3 id="home-automation">Home Automation </h3><ul> <li>Apple Homekit</li> <li>Home Assistant</li> <li>IoT Communication Protocols (Matter, Thread, Zigbee, MQTT, Bluetooth/BLE)</li> </ul> <h3 id="operating-systems">Operating Systems </h3><ul> <li>Linux <ul> <li>Ubuntu, Debian, TalosOS, SteamOS</li> </ul> </li> <li>Windows</li> <li>MacOS</li> </ul> <h3 id="other-areas-of-interst">Other areas of interst </h3><ul> <li>Cars (Motorsport, EVs)</li> <li>Neurodiversity</li> <li>Gaming (PC, Steamdeck, TTRPG, TCG)</li> </ul> <p>   </p> <p>I enjoy exploring these domains by getting my hands dirty with these technologies. My constant pursuit is that of leaning.</p> <blockquote> <p>&ldquo;Tell me and I forget, teach me and I may remember, involve me and I learn.&rdquo;</p> <ul> <li><strong>Benjamin Franklin</strong></li> </ul> </blockquote> https://blog.nerdz.cloud/contact/ Mon, 01 Jan 0001 00:00:00 +0000 https://blog.nerdz.cloud/contact/ https://blog.nerdz.cloud/search/ Mon, 01 Jan 0001 00:00:00 +0000 https://blog.nerdz.cloud/search/