After bootstrapping Flux, configure essential cluster components including Gateway API, MetalLB, cert-manager, sealed-secrets, and observability tools.

Install Gateway API

The Gateway API provides advanced ingress capabilities for Kubernetes.
1. Install Gateway API CRDs

Apply the standard Gateway API installation:
kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.0/standard-install.yaml
2. Verify installation

kubectl get crd | grep gateway
You should see Gateway API custom resources like gateways.gateway.networking.k8s.io and httproutes.gateway.networking.k8s.io.
The initial Cilium installation already has Gateway API support enabled. This step installs the Gateway API CRDs that Cilium will use.

Configure Cilium for Gateway API

Update Cilium to ensure Gateway API and NodePort support are properly configured.
1. Upgrade Cilium configuration

cilium upgrade \
  --set nodePort.enabled=true \
  --set gatewayAPI.enabled=true
2. Verify Cilium configuration

cilium status
cilium config view | grep -E '(nodePort|gatewayAPI)'

Add Core Components via Flux

The following components are typically managed through Flux HelmRelease resources. Ensure your repository contains the appropriate manifests.

Sealed Secrets

Sealed Secrets allows you to encrypt Kubernetes secrets and store them safely in Git.
Add a HelmRelease for sealed-secrets-controller to your Flux repository:
apiVersion: helm.toolkit.fluxcd.io/v2   # GA HelmRelease API; v2beta1 is deprecated
kind: HelmRelease
metadata:
  name: sealed-secrets
  namespace: kube-system
spec:
  interval: 1h
  chart:
    spec:
      chart: sealed-secrets
      version: 2.x.x   # any 2.x release of the chart
      sourceRef:
        kind: HelmRepository
        name: sealed-secrets   # a HelmRepository of that name in kube-system
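The HelmRelease above points at a HelmRepository called sealed-secrets that the page does not show. The following is an added example (not from the page or the sealed-secrets project) of that source plus the shape of a SealedSecret as it would be committed to Git; the secret name and the encrypted value are placeholders, and the kubeseal command in the comment assumes the controller was released under the name sealed-secrets in kube-system:

```yaml
# Added example: HelmRepository referenced by the page's HelmRelease, and a
# SealedSecret as stored in Git. Names and the ciphertext are placeholders.
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: sealed-secrets
  namespace: kube-system   # must match the HelmRelease namespace (sourceRef has no namespace)
spec:
  interval: 1h
  url: https://bitnami-labs.github.io/sealed-secrets
---
# Only ciphertext reaches Git. Produce it on a workstation with:
#   kubectl create secret generic db-credentials \
#     --from-literal=password='<value>' --dry-run=client -o yaml \
#   | kubeseal --format yaml \
#       --controller-name sealed-secrets --controller-namespace kube-system \
#   > db-credentials-sealed.yaml
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: db-credentials
  namespace: default
spec:
  encryptedData:
    password: <kubeseal output, placeholder>
  template:
    metadata:
      name: db-credentials
      namespace: default
    type: Opaque
```

With the default strict scope the ciphertext is bound to the secret's name and namespace, so a sealed secret that is renamed or moved to another namespace will not decrypt; the private key never leaves the controller, and the plain Secret only exists inside the cluster after the controller unseals it.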

cert-manager

cert-manager automates certificate management and renewal.
1. Add cert-manager HelmRelease

Create a HelmRelease manifest in your Flux repository for cert-manager.
2. Configure ClusterIssuers

After cert-manager is installed, configure ClusterIssuers for Let’s Encrypt:
  • HTTP01 Challenge: For standard domains
  • DNS01 Challenge: For wildcard certificates (requires DNS provider integration like Cloudflare)
To issue wildcard certificates (e.g., *.kim.tec.br), you must use DNS01 challenge with a supported DNS provider like Cloudflare.
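Steps 1 and 2 together, as an added example that is not the page's own manifest: a Flux source and HelmRelease for cert-manager, and a single ClusterIssuer named letsencrypt-prod (the name the Certificate later on this page refers to) carrying both solver types. It assumes cert-manager chart 1.15 or newer (for the crds.* and config.enableGatewayAPI values), a Gateway named main-gateway in the default namespace with an HTTP listener on port 80, a Cloudflare API token stored in a Secret called cloudflare-api-token in the cert-manager namespace, and a placeholder e-mail address:

```yaml
# Added example, not from the page. Namespace, chart, issuer and solvers for
# cert-manager; values marked placeholder must be replaced.
apiVersion: v1
kind: Namespace
metadata:
  name: cert-manager
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: jetstack
  namespace: cert-manager
spec:
  interval: 1h
  url: https://charts.jetstack.io
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: cert-manager
  namespace: cert-manager
spec:
  interval: 1h
  chart:
    spec:
      chart: cert-manager
      version: 1.x.x
      sourceRef:
        kind: HelmRepository
        name: jetstack
  values:
    crds:
      enabled: true          # install the CRDs together with the release
      keep: true             # keep Certificate objects if the release is removed
    config:
      enableGatewayAPI: true # required for the gatewayHTTPRoute HTTP01 solver
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com          # placeholder
    privateKeySecretRef:
      name: letsencrypt-prod-account-key
    solvers:
      # DNS01 for the wildcard: cert-manager picks the most specific matching
      # solver, so "*.kim.tec.br" lands here and other names fall through.
      - selector:
          dnsNames:
            - "*.kim.tec.br"
        dns01:
          cloudflare:
            apiTokenSecretRef:
              name: cloudflare-api-token   # Secret in the cert-manager namespace
              key: api-token
      # HTTP01 for ordinary names, answered through the Gateway API listener.
      - http01:
          gatewayHTTPRoute:
            parentRefs:
              - name: main-gateway
                namespace: default
                kind: Gateway
```

The Cloudflare token only needs Zone:DNS:Edit on the zone in question; scoping it that narrowly limits what an attacker can do if the Secret is ever exposed. Because a ClusterIssuer is cluster-scoped, cert-manager looks for the referenced Secret in its own namespace, not in the namespace of the Certificate.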

metrics-server

metrics-server provides resource metrics for kubectl top and HPA.
1. Add metrics-server HelmRelease

Include the following configuration for bare-metal clusters:
apiVersion: helm.toolkit.fluxcd.io/v2   # GA HelmRelease API; v2beta1 is deprecated
kind: HelmRelease
metadata:
  name: metrics-server
  namespace: kube-system
spec:
  interval: 1h
  chart:
    spec:
      chart: metrics-server
      sourceRef:
        kind: HelmRepository
        name: metrics-server   # a HelmRepository of that name in kube-system
  values:
    args:
      - --kubelet-insecure-tls   # skip verification of kubelet serving certificates
The --kubelet-insecure-tls flag makes metrics-server skip verification of the kubelet serving certificate; it is required on bare-metal clusters whose kubelets do not present certificates signed by the cluster CA.
2. Verify metrics-server

kubectl top nodes
kubectl top pods -A

MetalLB (Load Balancer)

MetalLB provides load balancer services for bare-metal clusters.
Add MetalLB HelmRelease and configure IP address pools for your network. For more information, see the MetalLB Configuration documentation.
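An added example of the IP pool configuration the paragraph refers to (not taken from the page or the MetalLB documentation). It assumes MetalLB was released into the metallb-system namespace by a Flux Kustomization named metallb, a GitRepository source named flux-system, a repository path ./infrastructure/metallb/config, and the placeholder range 192.168.1.240-192.168.1.250:

```yaml
# Added example, not from the page. The pool objects are applied by a second
# Kustomization that waits for the MetalLB release, so the CRDs exist first.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: metallb-config
  namespace: flux-system
spec:
  interval: 10m
  path: ./infrastructure/metallb/config   # assumed repository layout
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  dependsOn:
    - name: metallb   # Kustomization that installs the MetalLB HelmRelease
---
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
  name: default-pool
  namespace: metallb-system
spec:
  addresses:
    - 192.168.1.240-192.168.1.250   # placeholder range, outside DHCP scope
  autoAssign: true
---
apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
  name: default-l2
  namespace: metallb-system
spec:
  ipAddressPools:
    - default-pool
```

Keep the pool to addresses that nothing else on the LAN hands out; in Layer 2 mode MetalLB answers ARP for these addresses from one node at a time, and an overlap with the DHCP range produces intermittent address conflicts that are hard to trace back to the cluster.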

Configure Observability (Alloy)

Grafana Alloy provides unified observability for logs and metrics.
1. Add Alloy HelmRelease

Configure Alloy to send telemetry to Grafana Cloud or your observability backend.
2. Configure log collection

Set up log collection from cluster workloads.
3. Configure metrics collection

Enable metrics collection for cluster and application monitoring.
For now, the cluster is configured to use Grafana Cloud for centralized observability.
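Steps 1 to 3 as one added example, not the cluster's own Alloy release: a HelmRelease for the grafana/alloy chart whose embedded Alloy configuration ships every pod's logs to Loki and scrapes pods annotated prometheus.io/scrape=true for remote write. It assumes a monitoring namespace, Alloy 1.5 or newer (for sys.env), and a Secret named grafana-cloud-credentials holding the placeholder keys LOKI_URL, LOKI_USER, LOKI_PASSWORD, PROM_URL, PROM_USER and PROM_PASSWORD for your Grafana Cloud stack:

```yaml
# Added example, not from the page. Credentials come from a Secret mounted as
# environment variables so that no endpoint token is committed to Git.
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: grafana
  namespace: monitoring
spec:
  interval: 1h
  url: https://grafana.github.io/helm-charts
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: alloy
  namespace: monitoring
spec:
  interval: 1h
  chart:
    spec:
      chart: alloy
      sourceRef:
        kind: HelmRepository
        name: grafana
  values:
    controller:
      type: daemonset            # one collector per node
    alloy:
      clustering:
        enabled: true            # members share targets instead of duplicating them
      envFrom:
        - secretRef:
            name: grafana-cloud-credentials   # assumed Secret, see lead-in
      configMap:
        content: |
          // ---- logs: all pod logs -> Loki ----
          discovery.kubernetes "pods" {
            role = "pod"
          }

          loki.source.kubernetes "pods" {
            targets    = discovery.kubernetes.pods.targets
            forward_to = [loki.write.grafana_cloud.receiver]
            clustering {
              enabled = true
            }
          }

          loki.write "grafana_cloud" {
            endpoint {
              url = sys.env("LOKI_URL")
              basic_auth {
                username = sys.env("LOKI_USER")
                password = sys.env("LOKI_PASSWORD")
              }
            }
          }

          // ---- metrics: pods annotated prometheus.io/scrape=true -> remote write ----
          discovery.relabel "scrape_pods" {
            targets = discovery.kubernetes.pods.targets
            rule {
              source_labels = ["__meta_kubernetes_pod_annotation_prometheus_io_scrape"]
              regex         = "true"
              action        = "keep"
            }
            rule {
              source_labels = ["__meta_kubernetes_namespace"]
              target_label  = "namespace"
            }
            rule {
              source_labels = ["__meta_kubernetes_pod_name"]
              target_label  = "pod"
            }
          }

          prometheus.scrape "pods" {
            targets    = discovery.relabel.scrape_pods.output
            forward_to = [prometheus.remote_write.grafana_cloud.receiver]
            clustering {
              enabled = true
            }
          }

          prometheus.remote_write "grafana_cloud" {
            endpoint {
              url = sys.env("PROM_URL")
              basic_auth {
                username = sys.env("PROM_USER")
                password = sys.env("PROM_PASSWORD")
              }
            }
          }
```

Without clustering, every DaemonSet member would tail every pod and scrape every target, so each log line and sample would arrive once per node; the clustering blocks hand each target to exactly one member. The Secret itself is a good candidate for the sealed-secrets workflow above.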

DNS Configuration

Configure DNS for accessing cluster services.

Configure Domain

1. Set up DNS records

Configure DNS records for your domain (e.g., kim.tec.br):
  • A records: Point to your load balancer or node IPs
  • CNAME records: For subdomains
2. Create certificates

Use cert-manager to create certificates for your domains:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: version-management-cert
  namespace: default
spec:
  secretName: version-management-tls
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames:
    - version-management.kim.tec.br
For wildcard certificates (*.kim.tec.br), you need a DNS provider that supports DNS01 challenge. Consider using Cloudflare’s free tier for DNS management.

Verify Core Components

1. Check all Flux kustomizations

flux get kustomizations
All kustomizations should show “Applied revision” status.
2. Verify HelmReleases

flux get helmreleases -A
All Helm releases should be in “Release reconciliation succeeded” status.
3. Check pod health

kubectl get pods -A
Verify all pods are running successfully.
4. Test Gateway API

kubectl get gateways -A
kubectl get httproutes -A
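For the two commands above to return something, a Gateway and an HTTPRoute have to exist. The following is an added example, not a manifest from the page or the cluster repository, that terminates TLS with the version-management-tls Secret created by the Certificate earlier on this page and redirects plain HTTP to HTTPS. It assumes the GatewayClass is called cilium (use the class your controller registers, for instance kgateway after the migration described under Architecture Notes), and a Service named version-management listening on port 80 in the default namespace:

```yaml
# Added example, not from the page. Gateway with HTTP and HTTPS listeners, a
# route to the application, and a redirect route for plain HTTP.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: main-gateway
  namespace: default
spec:
  gatewayClassName: cilium        # assumed GatewayClass name
  listeners:
    - name: http                  # port 80: redirects and ACME HTTP01 challenges
      protocol: HTTP
      port: 80
      allowedRoutes:
        namespaces:
          from: Same
    - name: https
      protocol: HTTPS
      port: 443
      hostname: "version-management.kim.tec.br"
      tls:
        mode: Terminate
        certificateRefs:
          - kind: Secret
            name: version-management-tls   # issued by the page's Certificate
      allowedRoutes:
        namespaces:
          from: Same
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: version-management
  namespace: default
spec:
  parentRefs:
    - name: main-gateway
      sectionName: https          # attach only to the TLS listener
  hostnames:
    - "version-management.kim.tec.br"
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: version-management   # assumed Service
          port: 80
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: version-management-redirect
  namespace: default
spec:
  parentRefs:
    - name: main-gateway
      sectionName: http
  hostnames:
    - "version-management.kim.tec.br"
  rules:
    - filters:
        - type: RequestRedirect
          requestRedirect:
            scheme: https
            statusCode: 301
```

The Gateway's external address is a LoadBalancer IP handed out by MetalLB, which is the address the A record should point to. The catch-all redirect does not break ACME HTTP01 validation: cert-manager's solver creates its own HTTPRoute with an exact path match under /.well-known/acme-challenge/, and Gateway API routing gives an exact match precedence over a prefix match.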

Architecture Notes

Gateway API vs Cilium Gateway

The cluster initially used Cilium’s built-in Gateway API implementation but has since migrated to using Kubernetes Gateway (kgateway) with Cilium providing the networking layer.

CNI Configuration

The cluster uses Cilium with the following networking configuration:
cilium-values.yaml
cluster:
  name: kubernetes
operator:
  replicas: 1
routingMode: tunnel
tunnelProtocol: vxlan
gatewayAPI:
  enabled: true
  • Routing Mode: Tunnel (VXLAN) for overlay networking
  • Gateway API: Enabled for advanced ingress capabilities
  • Operator: Single replica (suitable for small clusters)

Next Steps

Your cluster is now fully configured with:
  • GitOps continuous deployment via Flux
  • Networking and security via Cilium
  • Certificate management via cert-manager
  • Secret management via sealed-secrets
  • Observability via Alloy
  • Gateway API for ingress
You can now start deploying applications using Flux by committing manifests to your Git repository.
