Update on Home IAC
A quick update
I haven’t had much time to progress much further with this setup yet, as since my original post I had started Couch to 5K, which was taking up a good amount of my evenings. How did Couch to 5K go, you ask? It went pretty well. I was finishing my last couple of weeks with around 6 km tracked per run.
Anyway, back to the IAC stuff. I have expanded on my current CentOS 7-based solution, partly because I have got back into Home Automation a bit more, and partly because I discovered that Home Assistant has an official Android application. This lets me get rid of some of my third-party device trackers.
The work I had to do
Having the home and away states set via the Home Assistant application required me to do a bit more work to make Home Assistant available publicly on the internet.
To do this I needed to do the following pieces of work.
- Set up a new traefik ingress controller with LetsEncrypt support
- Create a new Load Balancer on my firewall
- Troubleshoot to work out why certificates weren’t generating
- Learn more about the IngressRoute resources for Traefik
- Troubleshoot why IngressRoutes were not working
- Learn a bit more about Custom Resources Definitions
- Do a bit of Terraform to handle creating CloudFlare DNS resources for public facing services.
Why did I choose to set up a second ingress controller?
I did this so that I can control which resources are actually reachable from the internet. Sure, not publishing DNS records for certain services does ‘resolve’ this in a sense, but it really is just security by obscurity: an ingress routes on the Host header it receives, not on how the client resolved the name.
For instance, I could create a record in my hosts file that resolves a non-public DNS entry to the external IP address of my current ingress, and the ingress would happily route the request to the internal service. By having a second ingress controller that only serves the routes I deliberately give it, I have complete control over what is exposed to the internet.
The challenging part
Getting the second ingress controller to work with the Custom Resource Definitions took me a little while to get my head around. I finally realised that I needed to configure the address of the Kubernetes API within my deployment, because I was not using the endpoint Traefik expects by default, and I was also using SSL.
After a little while of reading docs, I discovered that I was missing the following configuration, as well as a ConfigMap to mount my cluster’s CA certificate into the container.
- --providers.kubernetescrd.endpoint=https://kubernetes:6443
- --providers.kubernetescrd.certauthfilepath=/etc/config/kubernetes.crt
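To show how those two flags fit into a whole deployment, and how the second controller can be made to serve only routes that are explicitly opted in (the point of the ‘why a second ingress controller’ section above), here is an added example of a public-only Traefik v2 deployment. This is not the author’s own manifest; the namespace, image tag, service account, PVC, hostname, e-mail address and the `exposure=public` label are all assumptions, and the CA certificate body is a placeholder.

```yaml
# Added example (not the author's manifests): a second, public-only Traefik v2
# controller that reaches a non-default Kubernetes API endpoint over TLS and
# only picks up IngressRoutes explicitly labelled for public exposure.
# Namespace, image tag, service account, PVC, hostname and e-mail are assumed.
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: kube-ca
  namespace: traefik-public          # assumed namespace
data:
  # Cluster CA so Traefik can verify the API server's certificate.
  kubernetes.crt: |
    -----BEGIN CERTIFICATE-----
    ...placeholder: paste the cluster CA certificate here...
    -----END CERTIFICATE-----
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: traefik-public
  namespace: traefik-public
spec:
  replicas: 1
  selector:
    matchLabels: {app: traefik-public}
  template:
    metadata:
      labels: {app: traefik-public}
    spec:
      serviceAccountName: traefik-public   # assumed; needs RBAC for the traefik.containo.us CRDs
      containers:
        - name: traefik
          image: traefik:v2.4               # assumed version
          args:
            - --entrypoints.websecure.address=:443
            # CRD provider pointed at the non-default API endpoint, verified with the mounted CA.
            - --providers.kubernetescrd=true
            - --providers.kubernetescrd.endpoint=https://kubernetes:6443
            - --providers.kubernetescrd.certauthfilepath=/etc/config/kubernetes.crt
            # Only IngressRoutes carrying this label are served by the public controller;
            # everything else stays invisible to it regardless of what DNS says.
            - --providers.kubernetescrd.labelselector=exposure=public
            # Let's Encrypt resolver; acme.json must live on persistent storage.
            - --certificatesresolvers.le.acme.email=admin@example.com
            - --certificatesresolvers.le.acme.storage=/data/acme.json
            - --certificatesresolvers.le.acme.tlschallenge=true
          ports:
            - containerPort: 443
          volumeMounts:
            - name: kube-ca
              mountPath: /etc/config
              readOnly: true
            - name: acme
              mountPath: /data
      volumes:
        - name: kube-ca
          configMap: {name: kube-ca}
        - name: acme
          persistentVolumeClaim: {claimName: traefik-public-acme}   # assumed PVC
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: home-assistant-public
  namespace: home-assistant          # assumed namespace
  labels:
    exposure: public    # opt-in: without this label the public Traefik never sees the route
spec:
  entryPoints: [websecure]
  routes:
    - match: Host(`ha.example.com`)   # assumed public hostname
      kind: Rule
      services:
        - name: home-assistant
          port: 8123
  tls:
    certResolver: le
```

The label selector is what turns the second controller into an allow-list: an internal IngressRoute without `exposure: public` is simply never loaded by this Traefik, so pointing a hosts-file entry at its external address gets nothing back. The TLS challenge needs port 443 on the firewall load balancer to reach this deployment, which is why certificates will not issue until that forwarding is in place.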
Once I’d fixed that issue I let out a loud ‘Fuck yeah’, which led to a strange look from my girlfriend. I tried to explain my little victory; she acted like she understood (even though she didn’t completely), but she was proud of my achievement nonetheless!