Services

Below is a catalog of every service deployed to my clusters, categorized roughly by its purpose.

---

Observability

Dashboards

• Grafana is used as the primary interface for visualizing everything observable.
• kube-dashboard is used when Grafana isn't working (rare).
• Oneuptime is used for user-facing status pages.

Logs

• Grafana Alloy is the log collection agent. Previously, I used Promtail. Read about the migration here.
• Grafana Loki is the log ingester for Alloy.

Traces

• Grafana Beyla runs on each node, collecting and exporting trace data and associated metrics.
• Grafana Tempo (managed with the Tempo operator) is the trace storage backend.

Metrics

• OpenTelemetry Collector, deployed as a DaemonSet by the OpenTelemetry Operator, scrapes containerd metrics on each Kubernetes node.
• Mimir, deployed via the mimir-distributed helm chart, is the storage backend for metrics and the query frontend for Grafana.

Profiling

• Parca is used for overall cluster resource profiling.
• Pyroscope is used for ingesting profiles for specific workload applications (e.g. Minecraft).

Alerting

• Alertmanager is used for basic alerting.

Metrics Exporters

• node_exporter exposes node-level metrics
• redis_exporter exposes metrics about ValKey instances
• rabbitmq_exporter exposes metrics about RabbitMQ
• kafka_exporter exposes metrics about Kafka
• transmission_exporter exposes torrent metrics
• mc-monitor exposes world-level metrics about Minecraft servers I run
• minecraft-exporter exposes player-level metrics in minecraft worlds.

---

Cluster Security

Policy Enforcement & Trust

• SPIRE is used primarily to grant access to OpenBao secrets.
• Kyverno is used for policy management. In practice, I'm just using it to mount required root CA certificates or volumes through policies.
• trust-manager creates configmaps out of certificates issued by cert-manager, for consumption by Kyverno.

Secrets Management

• OpenBao provides secrets to Kubernetes pods through the Openbao CSI Provider. Primarily used for supplying credentials to Tekton without exposing them in a secret.
• Secrets Store CSI Driver is required for the Openbao CSI provider.
• External Secrets Operator provides OpenBao secrets to pods in the form of Kubernetes secrets. Previously, I used OpenBao Secrets Operator.
• VaultWarden is used to store secrets for use by humans.

Certificate Management

• cert-manager to provide TLS certs for use with Istio.
• step-ca as the CA for generating HTTPS certificates for my internal domains. Some services don't recognize self-signed certificates as "valid", so adding step-ca as a trusted CA and using its certificates instead is a handy workaround.
• step-issuer to issue certificates for cert-manager.
• istio-csr to integrate Istio and cert-manager.

---

Platform Tooling

CI/CD

• Tekton is my single solution for CI. I run the operator, which manages the pipeline, trigger, and dashboard components.
• ArgoCD manages CD; most Tekton pipelines result in a tag + Docker image push, and ArgoCD handles it from there.

GitOps

• ArgoCD also handles GitOps; all kubernetes resources are committed to a single repository and managed through the app-of-apps pattern.

Git Forge

• Gitea is the main service I use for hosting Git repositories.
• Forgejo is something I've been experimenting with. Currently, it serves as a mirror for public-facing things (e.g. Structurizr diagram fragments).
• GitLab uses too many resources for me to consider it a good candidate for my needs, but I keep it running as a mirror of certain Gitea repos just to say I have experience with GitLab.

---

Application Infrastructure

Databases

• PostgreSQL, managed via CloudNativePG, as a traditional SQL data store. It's rare that I write something that requires SQL, but it's my go-to for any application that requires a SQL data store..
• CouchDB as a general-purpose document store. Whenever I spin up a new project and I need a database, I use this.
• ArangoDB stores social media info that I've scraped; managed with kube-arangodb.
• Clickhouse is used as a backend for OneUptime, managed by the Altinity Clickhouse operator alongside a deployment of Altinity's clickhouse-keeper.

Messaging / Event Streaming

• Kafka as the main pub/sub message queue. Managed by Strimzi, and backed up to MinIO by Kafka Connect. I do lots of web scraping, so most projects I spin up use this for delegation of tasks to scrapers.
• Apicurio Registry as a schema registry for Kafka; managed by the Apicurio Registry Operator.
• RabbitMQ as a simple message queue for various services that require it. I prefer to use Kafka where possible, but not everything supports it.

Data Storage

• SeaweedFS for general in-cluster object storage. Very frequently I'll need to make some file accessible over the internet (ISOs, config files, etc), so I just drop it into a bucket. It also serves as a storage backend for many services, especially the LGTM stack.
• MinIO is also running as a stable, legacy object storage for lower-importance tasks.
• Etcd as a key-value store for data that should be recovered in the case of a disaster. Managed by etcd-druid.
• Memcached as a cache storage backend for Mimir.
• Valkey as a key-value store for non-critical data. It's proven to be most useful for quickly iterating upon object schema, when sharing information between processes. Previously, I used Redis.

Registries

• Harbor for storage of custom images and as a pull-through cache.
• Liget as a low-overhead nuget server.
• Verdaccio as a low-overhead private npm registry.

---

Cluster Management

Scheduling & Coordination

• Talos Discovery Service handles cluster membership for nodes. I choose to host this because I don't think a third-party website should have its hands in my Kubernetes clusters.
• Talos Image Factory provides ISOs installed onto nodes, for the same reason as above.
• Descheduler automatically balances workloads between nodes.
• metrics-server for enabling HPAs.

Networking

• Cilium acts as the CNI in the LOONA cluster as I experiment with eBPF-based networking observability.
• Istio acts as a service mesh and ingress gateway for Kubernetes.
• Aeraki is used a service mesh specifically for Valkey, primarily for automatically handling Valkey Cluster connections.
• MetalLB provisions IP addresses for ingress gateways.
• HAProxy serves as a load balancer for clusters running Talos Linux, forwarding requests to kubernetes API servers in the cluster.
• CoreDNS is configured to answer queries about my internal domains and their subdomains. It forwards all other requests to Technitium.
• Technitium as a general-purpose DNS blackhole for ads and tracking

Storage

• Longhorn is the primary storage method for persistent volumes.
• Local Path Provisioner is used for data that is less critical or backed up elsewhere.

---

Developer Tools

Documentation

• Dendron, a FOSS alternative to Obsidian. All pods are built and served as a static site via httpd. This website is comprised of a subset of these notes.
• Forgejo Pages as a FOSS alternative to Github Pages. Very often I've found it useful to make a repo's readme a discrete website.

Architecture / Diagrams

• Stucturizr OnPrem allows rapid iteration of structurizr diagrams. It hasn't reached feature parity with the cli, so it's rare I do heavy diagramming with it.
• Structurizr Mini serves Structurizr diagrams to users.
• mermaid-live-editor for collaboration when creating MermaidJS diagrams.
• Kroki as the renderer backend for mermaid-live-editor.

Other Utilities

• Swagger UI to turn OpenAPI json into something human-readable. Very often I work with third-party APIs, so this has proved to be useful.
• Pgweb for when I need to manually interface with Postgres. I don't like having tools installed on my workstation, so having something accessible over the web is great.
• RedisInisght is used to quickly view Valkey cluster status.
• Redpanda Console as a single-pane-of-glass view for insight into Kafka operations.
• Kiali for visualizing Istio.
• string-is, for manipulating text without having to send it to some random person's webserver in order to do so.
• go-httpbin for debugging HTTP requests made to the cluster. Making a request to /post is so much simpler than using something like WireShark.

---

Other

Media

• jellyfin is the primary way that I interface with my media collection
• emby is the best option for Samsung smart TVs, so I begrudgingly run it despite it not meeting my use-case or adhering to my philosophy.
• jellyseerr, a UI for managing requests for my media library
• jackett for better querying to trackers
• prowlarr for syncing indexers between radarr and sonarr
• sonarr for organizing tv shows
• radarr for organizing movies
• flaresolverr for bypassing cloudflare rate-limiting
• Airsonic Advanced for streaming my music library to other devices.

Gaming

• infrared as a reverse proxy. I've found it to suit my needs better than mc-router despite not having as much flexibility.
• docker-mc-proxy to facilitate switching between minecraft worlds
• docker-minecraft-server for both Limbo worlds and the actual game worlds
• docker-mc-backup in order to back up my minecraft worlds
• RCON web admin as a container in order to delegate admin access without having to worry about cracked account impersonation.

File Sharing (P2P)

• PicoShare for easy short-term storage and sharing of files
• flood is used as a layer of abstraction for all automated services that need a torrent client, and as a UI when necessary
• transmission is behind flood. I've found it to be the most performant of all clients, when the total torrent volume is in the thousands.
• deluge is used for manually downloading torrents

Other

• taiga for project/task management. It's pretty bad honestly, but I haven't gotten around to replacing it yet.
• telegram bot api because I run a telegram bot, and the additional features granted by running your own instance are useful

---

Backlinks

• Uses
• LOONA Cluster