Examples & Recipes

Production-ready Kustomize recipes for extending your k3d-local cluster with additional tools and services.

Available Recipes

ArgoCD - GitOps Continuous Delivery

Install ArgoCD with proper TLS support for managing your Kubernetes applications using GitOps principles.

Features:

  • ✅ Works with both self-signed (local) and Let's Encrypt (production) certificates
  • ✅ Traefik ingress integration with HTTP and gRPC support
  • ✅ One-command installation via script or kubectl
  • ✅ Kustomize overlays for easy customization
  • ✅ High availability configuration for production

Quick Start:

# Clone or download the examples
git clone https://github.com/gautampachnanda101/homebrew-tap.git
cd homebrew-tap/examples/argocd

# Install for local development
./install.sh

# Or for production with Let's Encrypt
./install.sh --environment prod --domain yourdomain.com

Access:

  • Local: https://argocd.127.0.0.1.sslip.io
  • Production: https://argocd.yourdomain.com

View ArgoCD Recipe →

HashiCorp Vault - Secrets Management

Install HashiCorp Vault for secure secrets management, encryption, and identity-based access.

Features:

  • ✅ Works with both self-signed (local) and Let's Encrypt (production) certificates
  • ✅ Traefik ingress integration
  • ✅ Dev mode for local development (auto-unsealed with root token)
  • ✅ Production-ready configuration with sealed storage
  • ✅ Kustomize overlays for easy customization

Quick Start:

# Clone or download the examples
git clone https://github.com/gautampachnanda101/homebrew-tap.git
cd homebrew-tap/examples/vault

# Install for local development
./install.sh

# Or for production with Let's Encrypt
./install.sh --environment prod --domain vault.yourdomain.com

Access:

  • Local: https://vault.127.0.0.1.sslip.io
  • Root Token (dev mode): root
  • Production: https://vault.yourdomain.com

View Vault Recipe →

Harbor - Container Registry

Install Harbor as a cloud-native container registry with vulnerability scanning, image signing, and replication.

Features:

  • ✅ Works with both self-signed (local) and Let's Encrypt (production) certificates
  • ✅ Traefik ingress integration
  • ✅ PostgreSQL and Redis backends for scalability
  • ✅ Complete registry stack: portal, core, registry, jobservice
  • ✅ Kustomize overlays for easy customization

Quick Start:

# Clone or download the examples
git clone https://github.com/gautampachnanda101/homebrew-tap.git
cd homebrew-tap/examples/harbor

# Install for local development
./install.sh

# Or for production with Let's Encrypt
./install.sh --environment prod --domain harbor.yourdomain.com

Access:

  • Local: https://harbor.127.0.0.1.sslip.io
  • Default credentials: admin / Harbor12345
  • Production: https://harbor.yourdomain.com

View Harbor Recipe →

GitLab Runner - CI/CD Executor

Install GitLab Runner with Kubernetes executor for running CI/CD pipelines in your cluster.

Features:

  • ✅ Kubernetes executor for native pod-based builds
  • ✅ RBAC configuration included
  • ✅ Works with GitLab.com and self-hosted instances
  • ✅ Configurable runner token and GitLab URL
  • ✅ Kustomize overlays for easy customization

Quick Start:

# Clone or download the examples
git clone https://github.com/gautampachnanda101/homebrew-tap.git
cd homebrew-tap/examples/gitlab-runner

# Set your GitLab Runner token and URL
export GITLAB_RUNNER_TOKEN="your-registration-token"
export GITLAB_URL="https://gitlab.com"

# Install
./install.sh

Configuration:

  • Get runner token from GitLab: Settings → CI/CD → Runners
  • Runner will auto-register with your GitLab instance
  • Default executor: Kubernetes (builds run in pods)

View GitLab Runner Recipe →

Keycloak - Identity and Access Management

Install Keycloak for comprehensive identity and access management (IAM) with OpenID Connect and SAML support.

Features:

  • ✅ Works with both self-signed (local) and Let's Encrypt (production) certificates
  • ✅ Traefik ingress integration
  • ✅ PostgreSQL backend for production
  • ✅ Admin console for managing realms, users, and clients
  • ✅ OpenID Connect and SAML protocols
  • ✅ Kustomize overlays for easy customization

Quick Start:

# Clone or download the examples
git clone https://github.com/gautampachnanda101/homebrew-tap.git
cd homebrew-tap/examples/keycloak

# Install for local development
./install.sh

# Or for production with Let's Encrypt
./install.sh --environment prod --domain keycloak.yourdomain.com

Access:

  • Local: https://keycloak.127.0.0.1.sslip.io
  • Admin credentials: Use get-password.sh script
  • Production: https://keycloak.yourdomain.com

View Keycloak Recipe →

Authentik - Open Source IDP

Install Authentik as a modern, flexible identity provider with flow-based authentication and powerful policy engine.

Features:

  • ✅ Works with both self-signed (local) and Let's Encrypt (production) certificates
  • ✅ Traefik ingress integration
  • ✅ PostgreSQL and Redis backends
  • ✅ Server/worker architecture for scalability
  • ✅ Modern UI with flow-based configuration
  • ✅ OpenID Connect, SAML, LDAP support
  • ✅ Kustomize overlays for easy customization

Quick Start:

# Clone or download the examples
git clone https://github.com/gautampachnanda101/homebrew-tap.git
cd homebrew-tap/examples/authentik

# Install for local development
./install.sh

# Or for production with Let's Encrypt
./install.sh --environment prod --domain auth.yourdomain.com

Access:

  • Local: https://authentik.127.0.0.1.sslip.io/if/flow/initial-setup/
  • First-time: Visit URL above to create admin account
  • Admin interface: https://authentik.127.0.0.1.sslip.io/if/admin/
  • Production: https://auth.yourdomain.com

View Authentik Recipe →

Recipe Structure

Each recipe follows a consistent structure using Kustomize:

recipe-name/
├── base/                       # Base Kubernetes manifests
│   ├── kustomization.yaml     # Base kustomize config
│   └── *.yaml                 # Resource definitions
├── overlays/
│   ├── local/                 # Local development overlay
│   │   └── kustomization.yaml
│   └── prod/                  # Production overlay
│       └── kustomization.yaml
├── install.sh                 # Installation script
├── get-password.sh            # Helper scripts (if needed)
├── uninstall.sh               # Cleanup script
└── README.md                  # Detailed documentation

Using Recipes

Prerequisites

All recipes require:

  1. k3d-local cluster created with Traefik:

    k3d-local create --with-traefik

  2. kubectl configured to access your cluster

  3. Kustomize (optional, kubectl has built-in support)

Installation Methods

Option 1: Using the install script

cd examples/recipe-name
./install.sh

Option 2: Using kubectl with Kustomize

# Local development
kubectl apply -k examples/recipe-name/overlays/local/

# Production
kubectl apply -k examples/recipe-name/overlays/prod/

Option 3: Using Kustomize CLI

kustomize build examples/recipe-name/overlays/local/ | kubectl apply -f -

Customizing Recipes

Using Kustomize Overlays

Create your own overlay to customize any recipe:

# Create custom overlay
mkdir -p examples/recipe-name/overlays/custom
cd examples/recipe-name/overlays/custom

# Create kustomization.yaml
cat <<EOF > kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
  - ../../base

# Add your customizations
patches:
  - target:
      kind: Deployment
      name: my-app
    patch: |-
      - op: replace
        path: /spec/replicas
        value: 3
EOF

# Apply your custom overlay
kubectl apply -k .

Common Customizations

Change domain:

patches:
  - target:
      kind: Certificate
    patch: |-
      - op: replace
        path: /spec/dnsNames/0
        value: app.mydomain.com

Adjust resources:

patches:
  - target:
      kind: Deployment
    patch: |-
      - op: add
        path: /spec/template/spec/containers/0/resources
        value:
          limits:
            cpu: 1000m
            memory: 1Gi

Change namespace:

namespace: my-custom-namespace

TLS Configuration

Local Development

Recipes use self-signed certificates by default:

  • ClusterIssuer: local-dev-ca-issuer
  • Domain: *.127.0.0.1.sslip.io
  • Automatic certificate issuance via cert-manager

Production

For production with Let's Encrypt:

  1. Create cluster with Let's Encrypt support:

    k3d-local create --with-traefik --use-letsencrypt \
      --domain yourdomain.com \
      --email admin@yourdomain.com
    

  2. Use production overlay:

    ./install.sh --environment prod --domain yourdomain.com
    

Requirements:

  • Domain must resolve to cluster's public IP
  • Port 80 accessible for HTTP-01 challenge
  • Port 443 for HTTPS traffic
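
A pre-apply check for the production path, added here as an example and not part of the recipes: it scans rendered manifests for the local-only values this page names (the local-dev-ca-issuer ClusterIssuer, the 127.0.0.1.sslip.io domain, Harbor's default password) plus Vault's dev-server token variable. The sample manifests and the example-letsencrypt-issuer name are constructed, and how each recipe actually sets these values is an assumption.

```shell
#!/bin/sh
# Added example: flag local-only settings in rendered manifests before a
# production apply. Reads YAML on stdin, prints one line per finding and
# returns non-zero if anything was found.
check_prod_render() (
  rendered=$(cat)
  findings=0
  # pattern|reason. The first three values appear on this page; the last is
  # Vault's dev-server root-token variable (assumed to be how a dev-mode
  # manifest would set the token).
  while IFS='|' read -r pattern reason; do
    if printf '%s\n' "$rendered" | grep -F -- "$pattern" >/dev/null; then
      printf 'FOUND %s (%s)\n' "$pattern" "$reason"
      findings=$((findings + 1))
    fi
  done <<'PATTERNS'
local-dev-ca-issuer|self-signed local ClusterIssuer
127.0.0.1.sslip.io|local-only hostname
Harbor12345|default Harbor admin password
VAULT_DEV_ROOT_TOKEN_ID|Vault dev-mode root token
PATTERNS
  [ "$findings" -eq 0 ]
)

# Constructed sample: trimmed Certificate as a local overlay might render it.
SAMPLE_LOCAL='kind: Certificate
spec:
  dnsNames:
    - app.127.0.0.1.sslip.io
  issuerRef:
    kind: ClusterIssuer
    name: local-dev-ca-issuer'

# Constructed sample: the same fragment with production values
# (example-letsencrypt-issuer is a placeholder name).
SAMPLE_PROD='kind: Certificate
spec:
  dnsNames:
    - app.yourdomain.com
  issuerRef:
    kind: ClusterIssuer
    name: example-letsencrypt-issuer'

printf '%s\n' "$SAMPLE_LOCAL" | check_prod_render || echo "local-only settings present"
printf '%s\n' "$SAMPLE_PROD" | check_prod_render && echo "render is clean"
```

Against a real overlay, pipe the render into the function: kubectl kustomize examples/recipe-name/overlays/prod/ | check_prod_render. A non-zero exit means the output still carries a local-only issuer, hostname or default credential.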

Contributing Recipes

We welcome recipe contributions! If you've created a useful recipe:

  1. Fork the repository
  2. Create your recipe following the structure above
  3. Test with both local and production configurations
  4. Include comprehensive documentation
  5. Submit a pull request

Guidelines:

  • Use Kustomize for all configuration
  • Support both local and production environments
  • Include installation and uninstall scripts
  • Document all prerequisites and requirements
  • Test TLS configuration thoroughly
  • Follow Kubernetes best practices

Support