A production-ready Kubernetes cluster setup for greenfield projects and startups with comprehensive infrastructure, observability, and security features.
This repository contains DEFAULT PASSWORDS for demonstration purposes only.
DO NOT use these passwords in production! All default passwords must be changed before deploying to any non-development environment.
See Security Configuration Guide for instructions on properly configuring secrets.
Comprehensive documentation with:
- Getting started guides
- Deployment tutorials
- Architecture diagrams
- Component details
- Security best practices
Create your own project from this template:

```bash
gh repo create my-project --template ianlintner/green_field_cluster --private --clone
cd my-project
```

```bash
# Clone the repository
git clone https://github.com/ianlintner/green_field_cluster.git
cd green_field_cluster

# Deploy using Kustomize
kubectl apply -k kustomize/base/

# Or deploy using Helm
helm install greenfield helm/greenfield-cluster --namespace greenfield --create-namespace
```

- ✅ Redis - Master-replica setup with persistence
- ✅ PostgreSQL - Multi-instance cluster for HA
- ✅ MySQL - Multi-instance cluster with replication
- ✅ MongoDB - Replica set configuration
- ✅ Kafka - Distributed messaging with Zookeeper
- ✅ Istio - Service mesh with SSL/TLS ingress (internal & external gateways)
- ✅ OpenTelemetry Collector - Centralized telemetry
- ✅ Jaeger - Distributed tracing
- ✅ Prometheus - Metrics collection with SLO recording rules
- ✅ Grafana - Dashboards and visualization with SLO dashboards
- ✅ Kiali - Service mesh observability for Istio
- ✅ SLO Framework - Cluster and application SLO metrics
- ✅ Alerting - Environment-aware alerts based on SLO violations
- ✅ AlertManager - Optional intelligent alert routing
- ✅ cert-manager - Automated SSL/TLS certificate management
- ✅ Let's Encrypt Integration - Staging and production issuers
- ✅ SSL Ingress - External gateway with TLS termination
- ✅ Sealed Secrets - Encrypted Kubernetes secrets
- ✅ Modular Authentication - Drop-in SAML, OAuth2, OIDC support
  - Azure AD, Google, GitHub, Okta integration
  - oauth2-proxy with Istio ext_authz
  - Optional Keycloak IdP broker
  - Group-based authorization policies
- ✅ GitHub Actions CI - Automated manifest validation
- ✅ Quality Gates - Kustomize, Helm, YAML linting
- ✅ Kind Cluster Testing - Real K8s cluster testing in CI
- ✅ Security Scanning - Trivy vulnerability checks
- ✅ Auto-deployed Docs - MkDocs on GitHub Pages
- ✅ Copilot Integration - AI-assisted customization
- ✅ FastAPI App - Fully instrumented with OTel and Prometheus metrics
For detailed documentation, see docs/README.md
```
.
├── kustomize/
│   ├── base/                       # Base Kubernetes manifests
│   │   ├── namespace/
│   │   ├── redis/
│   │   ├── postgres/
│   │   ├── mysql/
│   │   ├── mongodb/
│   │   ├── kafka/
│   │   ├── istio/                  # Istio service mesh with SSL/TLS
│   │   ├── cert-manager/           # Certificate management
│   │   ├── otel-collector/
│   │   ├── jaeger/
│   │   ├── prometheus/
│   │   ├── grafana/
│   │   ├── sealed-secrets/
│   │   └── fastapi-app/
│   └── overlays/                   # Environment-specific configs
│       ├── dev/
│       ├── staging/
│       └── prod/
├── platform/
│   └── auth/                       # Modular authentication
│       ├── base/                   # oauth2-proxy, Keycloak, policies
│       └── overlays/               # Provider configs (Azure AD, Google, etc.)
├── helm/
│   └── greenfield-cluster/         # Helm chart
├── apps/
│   ├── fastapi-example/            # Example FastAPI application
│   └── templates/                  # App protection templates
├── scripts/                        # Automation scripts
│   ├── auth-install.sh
│   ├── auth-protect.sh
│   └── auth-doctor.sh
└── docs/                           # Documentation
```
- Kubernetes cluster (v1.24+)
- kubectl configured
- Helm 3.0+ (for Helm deployment)
- Kustomize v4.5.7+ (for Kustomize deployment)
```bash
# Deploy to development
kubectl apply -k kustomize/overlays/dev/

# Deploy to production
kubectl apply -k kustomize/overlays/prod/
```

```bash
helm install greenfield helm/greenfield-cluster \
  --namespace greenfield \
  --create-namespace \
  --values custom-values.yaml
```

This project includes comprehensive security features:
- Sealed Secrets for encrypting Kubernetes secrets before storing them in Git. Only the sealed-secrets controller in the target cluster holds the private key that decrypts them, so back up that key and re-seal secrets when targeting a different cluster.
  - See kustomize/base/sealed-secrets/README.md for setup
- Modular Auth System - Drop-in authentication for any HTTP application
- Multiple Providers - Azure AD, Google, GitHub, Okta SAML, Keycloak
- Zero App Changes - Authentication enforced at Istio ingress gateway
- Fine-Grained Access - Group-based and domain-based authorization policies
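The warning at the top of this page (default passwords, never commit real ones) and the Sealed Secrets bullet above translate into one concrete repo-hygiene rule: a plain `kind: Secret` carrying `data` or `stringData` must never be committed; only `SealedSecret` resources belong in Git. The guard below is an added example and not part of the green_field_cluster repository or its Makefile; it scans a manifest directory for plain Secrets with a payload, and the sample manifests it writes into a temp dir (names such as `postgres-credentials` and the placeholder ciphertext) are constructed for illustration only.

```shell
#!/bin/sh
# Added example, not project code: refuse plain `kind: Secret` manifests that
# carry data/stringData, so that only SealedSecret resources reach Git.
# Fixture contents below are constructed for illustration.

# find_plain_secrets DIR
# Returns 0 if DIR holds no plain Secret with a payload, 1 otherwise.
# The regex matches "kind: Secret" alone on a line, so SealedSecret and
# ExternalSecret documents are not flagged; an empty Secret (no data)
# is also ignored since it leaks nothing.
find_plain_secrets() {
  find "$1" -type f \( -name '*.yaml' -o -name '*.yml' \) -print | {
    status=0
    while IFS= read -r f; do
      if grep -qE '^kind:[[:space:]]*Secret[[:space:]]*$' "$f" \
         && grep -qE '^(data|stringData):' "$f"; then
        printf 'REJECT: plain Secret with payload in %s (seal it with kubeseal)\n' "$f" >&2
        status=1
      fi
    done
    exit "$status"   # runs in the pipeline subshell; becomes the function's status
  }
}

# make_fixtures: writes constructed sample manifests into a temp dir and prints
# its path. ok/ holds what should be committed, bad/ the mistake to catch.
make_fixtures() {
  d=$(mktemp -d)
  mkdir -p "$d/ok" "$d/bad"
  cat >"$d/ok/postgres-sealed.yaml" <<'EOF'
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: postgres-credentials
  namespace: greenfield
spec:
  encryptedData:
    password: AgBy3i4OJSWK-CONSTRUCTED-CIPHERTEXT-PLACEHOLDER==
EOF
  cat >"$d/ok/deployment.yaml" <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: fastapi-app
spec:
  template:
    spec:
      containers:
        - name: app
          env:
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: postgres-credentials
                  key: password
EOF
  cat >"$d/bad/postgres-secret.yaml" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: postgres-credentials
  namespace: greenfield
type: Opaque
stringData:
  password: changeme-demo-default
EOF
  printf '%s\n' "$d"
}

# Usage: sh secret-guard.sh kustomize/   (non-zero exit blocks the commit)
if [ "$#" -gt 0 ]; then
  find_plain_secrets "$1"
fi
```

Wire it into a pre-commit hook or the CI quality gates with the manifest root as the argument. When it rejects a file, seal it against the target cluster's controller (`kubeseal --format yaml < postgres-secret.yaml > postgres-sealed.yaml`), commit the SealedSecret, and delete the plain manifest from the working tree.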
```bash
# Install authentication with Azure AD
make auth.install PROVIDER=azuread DOMAIN=example.com

# Protect an application
make auth.protect APP=myapp HOST=myapp.example.com POLICY=group:developers

# Verify setup
make auth.doctor
```

See kustomize/base/auth/README.md for detailed authentication documentation.
Test manifests on a local Kubernetes cluster:

```bash
# Run automated test on Kind cluster
./scripts/test-kind-cluster.sh

# Or use Make
make test-kind-cluster

# Create/delete Kind cluster manually
make kind-create
make kind-delete
```

See docs/development/testing.md for detailed testing documentation.
```bash
# Port forward to FastAPI app
kubectl port-forward -n greenfield svc/fastapi-app 8000:8000

# Test endpoints
curl http://localhost:8000/health
curl http://localhost:8000/redis
curl http://localhost:8000/postgres
```

Works with all major cloud providers. Ready-to-use infrastructure examples are available in the infrastructure/ directory:
- Amazon EKS - Terraform with ARM Graviton support (guide)
- Google GKE - Terraform with ARM Tau T2A support (guide)
- Azure AKS - Terraform with ARM Ampere Altra support (guide)
- DigitalOcean Kubernetes - Terraform configuration (guide)
- On-premises clusters - kubeadm, k3s, RKE2, OpenStack Magnum (guide)
See the Infrastructure README for quick cluster setup instructions.
- Grafana: `kubectl port-forward -n greenfield svc/grafana 3000:3000`
- Prometheus: `kubectl port-forward -n greenfield svc/prometheus 9090:9090`
- Jaeger: `kubectl port-forward -n greenfield svc/jaeger-query 16686:16686`
- Kiali: `kubectl port-forward -n greenfield svc/kiali 20001:20001` (access at http://localhost:20001/kiali)
The cluster includes a comprehensive SLO (Service Level Objective) framework with environment-aware alerting:
- Cluster SLOs: API server availability (99.9%), node health (99%), resource utilization
- Application SLOs: Request success rate (99.9%), latency (P95/P99), error budgets
- Environment-Aware Alerts: Strict thresholds for production, relaxed for dev/staging
- Low-Traffic Handling: Automatic suppression in low-traffic environments
- Grafana Dashboards: Pre-built SLO visualization dashboards
- Optional AlertManager: Intelligent alert routing to Slack, PagerDuty, email, etc.
- View SLO Dashboards in Grafana (port-forward and visit http://localhost:3000):
  - Cluster Health SLOs
  - Application SLOs
- Enable AlertManager (optional):

  ```bash
  # Edit kustomize/base/observability/kustomization.yaml
  # Uncomment the alertmanager resource
  # Configure notification channels in alertmanager/configmap.yaml
  # Then apply
  kubectl apply -k kustomize/base/
  ```

- Customize Thresholds: edit the files in kustomize/base/observability/
  - slos/ - Recording rules for SLO metrics
  - alerts/ - Alert rules and thresholds

For detailed documentation, see SLOs Guide and Alerting Guide.
Contributions are welcome! Please feel free to submit a Pull Request.
MIT License - see LICENSE file for details