Home

A Kubernetes lab for experimenting with multi-cluster management, GitOps, observability, CI/CD, identity, and service mesh — all running locally on Docker using k3d or KinD.

Architecture Overview

flowchart TB
    subgraph Docker["Local Machine (Docker)"]
        subgraph Hub["OCM Hub (k3d/KinD)"]
            OCM["OCM Hub"]
            ArgoCD["ArgoCD Agent<br/>Principal"]
            Monitoring["Prometheus +<br/>Grafana"]
            Ingress["Traefik Ingress<br/>*.nip.io"]
            Dex["Dex OIDC +<br/>OpenLDAP"]
            ArgoCDIngress["argocd.nip.io"]
        end
        subgraph Spoke1["Spoke-1 (k3d)"]
            S1App["Guestbook App<br/>(GitOps)"]
            S1Exp["node-exporter +<br/>kube-state-metrics"]
        end
        subgraph Spoke2["Spoke-2 (k3d)"]
            S2App["Guestbook App<br/>(GitOps)"]
            S2Exp["node-exporter +<br/>kube-state-metrics"]
        end
        Metallb["MetalLB<br/>172.18.0.200-210"]
    end

    OCM -->|register| Spoke1
    OCM -->|register| Spoke2
    ArgoCD -->|GitOps push| S1App
    ArgoCD -->|GitOps push| S2App
    Monitoring -->|scrape| S1Exp
    Monitoring -->|scrape| S2Exp
    Ingress --> Metallb
    Dex -->|LDAP| ArgoCD
    Dex -->|OIDC| Monitoring
    ArgoCDIngress -->|auth callback| Dex

All clusters run as lightweight k3s nodes in Docker. The hub acts as the control plane — OCM manages cluster registration and workload distribution, ArgoCD provides GitOps-driven application delivery to spoke clusters, and Prometheus scrapes metrics from spoke exporters over the shared Docker network. Grafana/Prometheus/Alertmanager are exposed via Traefik ingress on nip.io domains. Dex provides OIDC-based SSO for Grafana and ArgoCD with LDAP-backed user directories.

Labs

| Lab | Description | Quickstart |
|---|---|---|
| Multi-Cluster (OCM) | Open Cluster Manager hub/spoke with up to 3 clusters | make ocm-demo |
| KinD Topology | Containerlab-based KinD topology for OCM | make ocm-create-cluster |

Services

| Service | Description | Quickstart | Docs |
|---|---|---|---|
| Prometheus Stack | Monitoring with Prometheus, Alertmanager, Grafana, BlackBox Exporter | make deploy-promstack | Docs |
| OCM Monitoring | Multi-cluster monitoring — hub Prometheus scrapes spoke node-exporters over Docker network | make ocm-deploy-monitoring | Docs |
| OCM SSO | Dex OIDC + LDAP for Grafana & ArgoCD on OCM hub | make ocm-deploy-dex | Docs |
| Elastic Stack (ECK) | Elasticsearch, Kibana, Heartbeat via ECK operator | make deploy-elastic-stack | Docs |
| Tekton | CI/CD pipelines with Tekton, Triggers, and Dashboard | make tekton-full | Docs |
| Dex | OIDC identity provider for SSO across services | make deploy-dex | Docs |
| Mailhog | Fake SMTP server with web UI for email testing | make deploy-mailhog | Docs |
| Cloudflare | Argo Tunnel and Zero Trust for secure ingress | make deploy-cluster-tunnel | Docs |
| Infrastructure | Service mesh, ingress, reloader, and platform components | make deploy-istio | Docs |

Pre-Requisites

| Tool | Version | Required By |
|---|---|---|
| Docker | 24+ | Cluster creation, containerlab |
| k3d | 5.6+ | Local Kubernetes clusters |
| kubectl | 1.28+ | All deployments |
| Helm | 3.14+ | Charts (promstack, kong, testkube, etc.) |
| kustomize | 5.0+ | Custom resources (dex, ingress, cloudflare) |
| make | 4.0+ | All Makefile targets |
| Python | 3.10+ | MkDocs site |
| Node.js | 20+ | Cloudflare Pages deploy (wrangler) |
| clusteradm | 1.3+ | OCM hub/spoke setup |
| containerlab | 0.50+ | OCM KinD topology |
| istioctl | 1.20+ | Istio service mesh |

Quick install

# MkDocs site
pip install -r requirements.txt

# Cloudflare Pages CLI
npm install -g wrangler

Create a k3d cluster

k3d cluster create

Default Credentials

| Service | URI | Username | Password |
|---|---|---|---|
| Grafana (OCM) | http://grafana.100.106.163.111.nip.io | [email protected] / [email protected] | password / babayaga |
| Grafana (local auth) | http://grafana.100.106.163.111.nip.io | admin | prom-operator |
| ArgoCD (SSO) | https://argocd.100.106.163.111.nip.io | [email protected] (admins) / [email protected] (developers) | babayaga / ironman |
| Dex | http://dex.100.106.163.111.nip.io/dex | [email protected] | password |
| Tekton Dashboard | http://tekton.100.106.163.111.nip.io / http://tekton.172.18.0.200.nip.io | [email protected] / [email protected] | password / babayaga |
| Prometheus | http://prometheus.100.106.163.111.nip.io | — | (no auth) |
| Alertmanager | http://alertmanager.100.106.163.111.nip.io | — | (no auth) |

SSO with Dex

Dex provides OIDC-based SSO across services. Currently integrated with:

| Service | Dex Instance | Provider |
|---|---|---|
| Tekton | OCM Dex (ocm/configs/monitoring/dex-ocm.yaml) | Static + LDAP |
| Grafana (standalone) | Standalone | Static + LDAP |
| Grafana (OCM hub) | OCM Dex (ocm/configs/monitoring/dex-ocm.yaml) | Static + LDAP |
| ArgoCD (OCM hub) | OCM Dex | Static + LDAP, group-based RBAC |

Reloading on Secrets Change

Deploy Reloader to reload pods on secret and configmap changes.

make deploy-reloader

Enable Reloader for a Deployment by adding this annotation to the Deployment's metadata (Reloader then restarts its pods whenever a Secret or ConfigMap it references changes):

  metadata:
    annotations:
      reloader.stakater.com/auto: "true"