K3s on Docker Quickstart


  • Access to a functional Docker Engine,

  • CGroupv2 disabled (K3s does not support it for now)

  • Knowledge of Terraform basics

  • Minimal Terraform version: 0.14

  • jq binary

  • argocd CLI

Create your Terraform root module

Camptocamp’s DevOps Stack is instantiated using a Terraform composition module.

Here is a minimal working example:

# terraform/main.tf

module "cluster" {
  source = "git::https://github.com/camptocamp/devops-stack.git//modules/k3s/docker?ref=master"

  cluster_name = "my-cluster"

If your docker setup doesn’t support the bridge0 like on MacOSX, you cannot access to the container IP so the computed base domain isn’t reachable. You can specify the published ports of the K3S master and the base domain to use your computer’s IP.

# terraform/main.tf

module "cluster" {
  source = "git::https://github.com/camptocamp/devops-stack.git//modules/k3s/docker?ref=master"

  cluster_name = "my-cluster"
  cluster_endpoint = "192-168-1-118.nip.io"
  base_domain      = "192-168-1-118.nip.io"
  server_ports = [
      internal = 6443
      external = 6443
      internal = 80
      external = 80
      internal = 443
      external = 443

Terraform Outputs

Define outputs:

# terraform/outputs.tf

output "argocd_auth_token" {
  sensitive = true
  value     = module.cluster.argocd_auth_token

output "kubeconfig" {
  sensitive = true
  value     = module.cluster.kubeconfig

output "argocd_server" {
  value = module.cluster.argocd_server

output "grafana_admin_password" {
  sensitive = true
  value     = module.cluster.grafana_admin_password

Deploy the cluster

$ terraform init
$ terraform apply

You should see the services URL as Terraform outputs.

Get kubeconfig and admin password

Retrieve the Kubeconfig file:

$ terraform output -json kubeconfig | jq -r .

Retrieve the Keycloak password for the admin user of the kubernetes realm:

$ terraform output admin_password

You will use this user and password to log in to applications.

Wait for Keycloak to be ready

$ kubectl -n keycloak get sts
keycloak   1/1     8m58s

Wait until the READY column says 1/1.

Inspect the DevOps Stack Applications

You can view the ingress routes for the various DevOps Stack Applications with:

$ kubectl get ingress --all-namespaces

Access the URLs in https, and use the OIDC/OAuth2 to log in, using the admin account with the password previously retrieved.

Access the Keycloak dashboard

The keycloak dashboard uses the kubernetes realm. You can log in to it using the /auth/realms/kubernetes/account/ path with the Keycloak ingress.

Destroy the cluster

$ terraform destroy