GitOps |https://example.com/tags/gitops/GitOpsHugoBlox Kit (https://hugoblox.com)en-usSat, 16 May 2026 00:00:00 +0000https://example.com/media/icon_hu_da05098ef60dc2e7.pngGitOpshttps://example.com/tags/gitops/Stage II: CI/CD Pipeline, GitOps & Ephemeral Secretshttps://example.com/blog/stage-2-automation-zero-trust/Sat, 16 May 2026 00:00:00 +0000https://example.com/blog/stage-2-automation-zero-trust/<p>With a highly available K3s foundation established on my KVM environment in Stage I, the cluster was functional but not yet &ldquo;enterprise-grade.&rdquo; Manually applying manifests leads to configuration drift, and standard Kubernetes Secrets violate zero-trust security principles.</p> <p>This post covers <strong>Stage II</strong> of the roadmap: establishing a strict CI/CD GitOps pipeline and securing the cluster&rsquo;s sensitive credentials for my stateful workloads (specifically my n8n workflow engine and PostgreSQL database).</p> <h2 id="table-of-contents">Table of Contents</h2> <ol> <li> </li> <li> </li> <li> </li> <li> </li> <li> </li> <li> </li> </ol> <h2 id="github-actions">1. Continuous Integration with GitHub Actions</h2> <p>Before deployment can happen, the code must be built into an immutable artifact. I utilized <strong>GitHub Actions</strong> to automatically build my application code into Docker images and push them to the container registry on every main branch commit. This ensures that if a deployment breaks, I can instantly roll back to a previously tagged, working image.</p> <p>Here is a view of the automated pipeline successfully building and pushing the containerized application upon a new commit:</p> <p> <figure > <div class="flex justify-center "> <div class="w-full" > <img alt="GitHub Actions CI Pipeline Success" srcset="https://example.com/blog/stage-2-automation-zero-trust/github-action_hu_6946e54d37ded239.webp 320w, https://example.com/blog/stage-2-automation-zero-trust/github-action_hu_aaa7ff0cdc704c77.webp 480w, https://example.com/blog/stage-2-automation-zero-trust/github-action_hu_258ec8fe3ef742a2.webp 760w" sizes="(max-width: 480px) 100vw, (max-width: 768px) 90vw, (max-width: 1024px) 80vw, 760px" src="https://example.com/blog/stage-2-automation-zero-trust/github-action_hu_6946e54d37ded239.webp" width="760" height="453" loading="lazy" data-zoomable /></div> </div></figure> </p> <h2 id="argocd">2. The GitOps Philosophy: ArgoCD &amp; Helm</h2> <p>The core rule of GitOps is simple: <strong>The Git repository is the single source of truth.</strong> I deployed <strong>ArgoCD</strong> to operate as a continuous reconciliation loop, tracking my GitHub repository. Rather than syncing raw YAML, ArgoCD dynamically renders my deployments using <strong>Helm</strong> and <strong>Kustomize</strong> before applying them to the K3s cluster.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">argoproj.io/v1alpha1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Application</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">whatsapp-bot-sync</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">argocd</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">project</span><span class="p">:</span><span class="w"> </span><span class="l">default</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">source</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">repoURL</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;https://github.com/danack10/k3s-whatsapp-chatbot.git&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">targetRevision</span><span class="p">:</span><span class="w"> </span><span class="l">HEAD</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="l">apps/whatsapp-bot/base</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">destination</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">server</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;https://kubernetes.default.svc&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">whatsapp-bot</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">syncPolicy</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">automated</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">prune</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">selfHeal</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">syncOptions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">CreateNamespace=True</span><span class="w"> </span></span></span></code></pre></div><p>Once applied, the GitOps synchronization kicks in. The following dashboard view shows ArgoCD mapping and deploying the entire application stack:</p> <p> <figure > <div class="flex justify-center "> <div class="w-full" > <img alt="ArgoCD Application Sync Spiderweb" srcset="https://example.com/blog/stage-2-automation-zero-trust/argocd-tree_hu_6caeb52c84f0dc87.webp 320w, https://example.com/blog/stage-2-automation-zero-trust/argocd-tree_hu_4678e766810a09bc.webp 480w, https://example.com/blog/stage-2-automation-zero-trust/argocd-tree_hu_e9fa480fd7716cc8.webp 760w" sizes="(max-width: 480px) 100vw, (max-width: 768px) 90vw, (max-width: 1024px) 80vw, 760px" src="https://example.com/blog/stage-2-automation-zero-trust/argocd-tree_hu_6caeb52c84f0dc87.webp" width="760" height="492" loading="lazy" data-zoomable /></div> </div></figure> </p> <p><strong>The Challenge:</strong> Setting up secure authentication for ArgoCD to pull from my private repository was tricky. I wanted to use a dynamic GitHub App rather than a static Personal Access Token (PAT). Ensuring the GitHub App had the correct permissions scoped strictly to the <code>k3s-whatsapp-chatbot</code> repo took some trial and error. Additionally, before my edge ingress was fully established, I had to utilize <code>kubectl port-forward</code> routed entirely through my Tailscale mesh to access the ArgoCD UI, keeping the interface completely hidden from the public internet.</p> <h2 id="secrets-problem">3. The Problem with K8s Secrets</h2> <p>Deploying standard applications via GitOps is straightforward, but deploying secrets presents a major security flaw. You cannot push raw or base64-encoded secrets into a Git repository.</p> <p>To solve this, I deployed <strong>HashiCorp Vault</strong> as the centralized, encrypted credential store inside the cluster.</p> <h2 id="vault">4. Declarative Security with Vault &amp; OpenTofu</h2> <p>Many engineers deploy Vault and then manually configure it using CLI commands (<code>vault write auth/kubernetes...</code>). To maintain my declarative infrastructure standards, I bypassed the CLI entirely and used the <strong>OpenTofu Vault Provider</strong> to configure Vault&rsquo;s state as code. This allowed me to declaratively define my Kubernetes authentication roles, policies, and secret engines.</p> <p><strong>The Challenge:</strong> Learning to manage persistent state in Kubernetes was a huge learning curve. Stateful workloads like Vault, n8n, and PostgreSQL require robust Persistent Volume Claims (PVCs). At one point, my <code>vault-0</code> pod entered a failure state. The &ldquo;junior developer&rdquo; instinct is to simply delete the PVC, tear the Vault down, and rebuild it from scratch. However, in an enterprise environment with thousands of production secrets, deleting the database is catastrophic! Instead of wiping it, I architected a proper recovery process: safely restarting the pod, maintaining the PVC integrity, and gracefully unsealing the vault using my Shamir key shares.</p> <h2 id="eso">5. Bridging the Gap: External Secrets Operator (ESO)</h2> <p>While Vault securely stores the credentials, my stateful workloads (n8n and Postgres) still need a way to read them without hardcoding Vault API logic into the application containers.</p> <p>I implemented the <strong>External Secrets Operator (ESO)</strong> to act as an automated courier. It authenticates with Vault, reads the secure payload, and dynamically injects it into a standard native Kubernetes Secret.</p> <p>Here we define two distinct <code>ExternalSecret</code> manifests in a single multi-document YAML file. The first manifest pulls static database credentials, while the second pulls an ephemeral GitHub token:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nn">---</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># 1. Manifest for static n8n database credentials</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">external-secrets.io/v1beta1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ExternalSecret</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">n8n-creds-sync</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">whatsapp-bot</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">refreshInterval</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1h&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">secretStoreRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">vault-backend-global</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterSecretStore</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">target</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">bot-secrets</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">data</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l">DB_POSTGRESDB_USER</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">n8n/config</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">property</span><span class="p">:</span><span class="w"> </span><span class="l">POSTGRES_USER</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l">DB_POSTGRESDB_PASSWORD</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">n8n/config</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">property</span><span class="p">:</span><span class="w"> </span><span class="l">POSTGRES_PASSWORD</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l">N8N_ENCRYPTION_KEY</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">n8n/config</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">property</span><span class="p">:</span><span class="w"> </span><span class="l">ENCRYPTION_KEY</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nn">---</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># 2. Manifest for dynamic GitHub Token</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">external-secrets.io/v1beta1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ExternalSecret</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">github-token-sync</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">whatsapp-bot</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">refreshInterval</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;45m&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">secretStoreRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">vault-github-backend</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">SecretStore</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">target</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">github-auth-secret</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">data</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l">GITHUB_TOKEN</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">github-app/token/whatsapp-bot</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">property</span><span class="p">:</span><span class="w"> </span><span class="l">token</span><span class="w"> </span></span></span></code></pre></div><p>Because this <code>ExternalSecret</code> manifest contains no actual passwords (only reference pointers to Vault), it is perfectly safe to commit to GitHub and deploy via ArgoCD. The n8n and Postgres pods then consume <code>pg-secret-live</code> natively.</p> <p>Here is the verification from the cluster showing the ExternalSecret successfully synchronized with Vault, proving the ephemeral credential pipeline is fully functional:</p> <p> <figure > <div class="flex justify-center "> <div class="w-full" > <img alt="ESO SecretSynced Status" srcset="https://example.com/blog/stage-2-automation-zero-trust/eso-proof_hu_547b9c035fee72b5.webp 320w, https://example.com/blog/stage-2-automation-zero-trust/eso-proof_hu_5571c2a63559a7fd.webp 480w, https://example.com/blog/stage-2-automation-zero-trust/eso-proof_hu_d0498f824edfd9cf.webp 760w" sizes="(max-width: 480px) 100vw, (max-width: 768px) 90vw, (max-width: 1024px) 80vw, 760px" src="https://example.com/blog/stage-2-automation-zero-trust/eso-proof_hu_547b9c035fee72b5.webp" width="760" height="235" loading="lazy" data-zoomable /></div> </div></figure> </p> <h2 id="outcomes">6. Stage II Outcomes</h2> <p>By the end of Phase 6, the cluster achieved a true DevSecOps deployment pipeline:</p> <ul> <li><strong>Zero Manual Intervention:</strong> Code pushed to Git is built by Actions, and automatically synchronized by ArgoCD.</li> <li><strong>Persistent &amp; Stateful:</strong> n8n, PostgreSQL, and Vault are securely backed by PVCs.</li> <li><strong>Zero-Trust Credentials:</strong> No sensitive data exists in the repository. Configuration is handled declaratively via OpenTofu, and credentials are injected ephemerally by Vault and ESO.</li> </ul> <p>With the deployment engine automated and secured, the cluster is ready to be exposed to the internet.</p> <p><strong>Next up:</strong> In , I cover how I secured the edge perimeter using <strong>Cloudflare Tunnels</strong> and established full-stack observability with <strong>Prometheus and Grafana</strong>.</p>Cloud Native Architecture: Zero-Trust Bare Metal Kuberneteshttps://example.com/projects/whatsapp-chatbot/Wed, 28 Jan 2026 00:00:00 +0000https://example.com/projects/whatsapp-chatbot/<p>An ongoing, 10-phase infrastructure build demonstrating modern DevSecOps principles. This active laboratory project is transforming bare-metal hardware into a highly available, self-healing, and secure Kubernetes environment using GitOps methodologies.</p> <h2 id="overview">Overview</h2> <p>I wanted to move beyond simple cloud provider tutorials and understand how the underlying compute layers actually work. I engineered this cluster to enforce zero-trust security and eliminate manual configuration drift, proving that enterprise-grade automation can be built from bare metal using virtualization, secure tunneling, and GitOps.</p> <h2 id="infrastructure-capabilities">Infrastructure Capabilities</h2> <h3 id="1-virtualized-compute--zero-trust-access">1. Virtualized Compute &amp; Zero-Trust Access</h3> <ul> <li><strong>KVM Hypervisor</strong> - Ubuntu guest virtual machine running efficiently on a bare-metal Kali Linux host.</li> <li><strong>Tailscale Mesh VPN</strong> - Hardened, zero-trust SSH access tunnel completely isolating the host from the public internet.</li> <li><strong>Declarative Provisioning</strong> - Utilizing OpenTofu to dynamically provision and manage the infrastructure state.</li> </ul> <h3 id="2-container-orchestration--networking">2. Container Orchestration &amp; Networking</h3> <ul> <li><strong>K3s Orchestration</strong> - Lightweight, highly available Kubernetes deployment.</li> <li><strong>Dynamic Ingress</strong> - Traefik configured as the primary ingress controller to manage robust routing and load balancing.</li> </ul> <h3 id="3-cicd--gitops">3. CI/CD &amp; GitOps</h3> <ul> <li><strong>Continuous Integration</strong> - GitHub Actions automates the building and pushing of Docker images for immutable rollbacks.</li> <li><strong>ArgoCD Synchronization</strong> - Cluster state is bound directly to the Git repository using Helm and Kustomize.</li> <li><strong>Zero Manual Drift</strong> - ArgoCD automatically detects and overwrites any manual changes, enforcing strict GitOps compliance.</li> </ul> <h3 id="4-secret-management">4. Secret Management</h3> <ul> <li><strong>HashiCorp Vault</strong> - Centralized, encrypted storage for all sensitive credentials and API keys.</li> <li><strong>External Secrets Operator (ESO)</strong> - Dynamically injects Vault secrets directly into Kubernetes pods.</li> </ul> <h2 id="system-architecture">System Architecture</h2> <pre><code>┌─────────────────┐ (Builds Docker Image) ┌───────────────────────┐ │ GitHub Actions │────────────────────────────▶│ Container Registry │ │ (CI Pipeline) │ │ (GHCR / Hub) │ └─────────────────┘ └───────────────────────┘ │ │ │ (Updates Manifests) │ (Pulls Image) ▼ ▼ ┌──────────────┐ ┌───────────────┐ ┌───────────────────────┐ │ │ │ │ │ Kubernetes (K3s) │ │ Git Repo │────▶│ ArgoCD │────▶│ ┌───────────────────┐ │ │ (Manifests) │ │ (Controller) │ │ │ Traefik Ingress │ │ │ │ │ │ │ └───────────────────┘ │ └──────────────┘ └───────────────┘ │ ┌───────────────────┐ │ │ │ k3s-whatsapp-bot │ │ ┌──────────────┐ ┌───────────────┐ │ │ (n8n + Postgres) │ │ │ │ │ External │ │ └───────────────────┘ │ │ HashiCorp │◀────│ Secrets │◀────│ ┌───────────────────┐ │ │ Vault │ │ Operator │ │ │ ESO Injector │ │ │ │ │ │ │ └───────────────────┘ │ └──────────────┘ └───────────────┘ └───────────────────────┘ [ Infrastructure: KVM Ubuntu Guest on Kali Metal | Secured via Tailscale ] </code></pre> <h2 id="engineering-outcomes">Engineering Outcomes</h2> <ul> <li>🚀 <strong>Full CI/CD</strong>: 100% automated pipeline from code push (GitHub Actions) to cluster synchronization (ArgoCD).</li> <li>🔒 <strong>Security</strong>: Host isolated via Tailscale; zero hardcoded secrets via Vault and ESO.</li> <li>📉 <strong>Configuration Drift</strong>: Reduced to 0% through strict ArgoCD reconciliation loops.</li> </ul> <h2 id="technical-deep-dives-architecture-series">Technical Deep Dives (Architecture Series)</h2> <p>To explore the raw code, YAML manifests, and how I solved specific architectural challenges across the lifecycle, read my detailed engineering write-ups:</p> <ul> <li>📝 <strong> </strong> - <em>Deep dive into Phases 1-4: Virtualizing Ubuntu on Kali via KVM, Tailscale SSH tunnels, and OpenTofu provisioning.</em></li> <li>📝 <strong> </strong> - <em>Deep dive into Phases 5-6: Docker builds via GitHub Actions, Helm/ArgoCD drift elimination, and Vault/ESO injection.</em></li> <li>📝 <strong> </strong> (Coming Soon) - <em>Deep dive into Phases 7-8: Cloudflare Tunnels and Prometheus/Grafana telemetry.</em></li> <li>📝 <strong> </strong> (Coming Soon) - <em>Deep dive into Phases 9-10: Executing automated attack paths against the cluster and Building a SIEM alerting pipeline.</em></li> </ul> <h2 id="the-10-phase-engineering-roadmap">The 10-Phase Engineering Roadmap</h2> <p>This cluster is designed as a living DevSecOps laboratory. I am currently executing Phase 7 of a comprehensive, capability-driven lifecycle.</p> <p><strong>Stage I: The Compute Foundation (✅ Completed)</strong></p> <ul> <li>✅ <strong>Phase 1: Base Hypervisor</strong> - Bare-metal Kali Linux hosting KVM.</li> <li>✅ <strong>Phase 2: Virtualization &amp; Access</strong> - OpenTofu provisioning of the Ubuntu guest and zero-trust Tailscale SSH tunneling.</li> <li>✅ <strong>Phase 3: Container Orchestration</strong> - High-availability K3s cluster bootstrapping.</li> <li>✅ <strong>Phase 4: Edge Routing</strong> - Dynamic ingress and load balancing via Traefik.</li> </ul> <p><strong>Stage II: Automation &amp; Zero-Trust (✅ Completed)</strong></p> <ul> <li>✅ <strong>Phase 5: CI/CD Pipeline</strong> - GitHub Actions building Docker images and ArgoCD/Helm synchronizing the GitOps state.</li> <li>✅ <strong>Phase 6: Ephemeral Secrets</strong> - Zero-trust credential injection via HashiCorp Vault and ESO.</li> </ul> <p><strong>Stage III: Perimeter Defense &amp; Observability (⏳ In Progress)</strong></p> <ul> <li>⏳ <strong>Phase 7: Zero-Trust Perimeter</strong> - Integrating Cloudflare Tunnels for unexposed, secure ingress.</li> <li>⏳ <strong>Phase 8: Full-Stack Telemetry</strong> - Deploying Prometheus &amp; Grafana for cluster observability.</li> </ul> <p><strong>Stage IV: Purple Teaming Laboratory (📅 Planned)</strong></p> <ul> <li>📅 <strong>Phase 9: Offensive Simulation (Red)</strong> - Executing automated attack paths against the cluster to validate resilience.</li> <li>📅 <strong>Phase 10: Threat Detection (Blue)</strong> - Building a SIEM alerting pipeline to capture the offensive testing telemetry.</li> </ul>