K3s on Oracle Always Free

A real Kubernetes cluster on $0/month

Year: 2026
Language: HCL
Stars: 8
Topics: kubernetes, k3s, oracle-cloud, terraform, gitops, argocd

Overview

Provisions a 3-node K3s cluster on OCI Always Free Ampere A1 compute via Terraform, bootstraps Argo CD for GitOps continuous delivery, and exposes apps through the Kubernetes Gateway API with Envoy Gateway. Cloudflare-managed DNS via ExternalDNS, automatic TLS via cert-manager + Let’s Encrypt, secrets stored in OCI Vault and synced via External Secrets. The k3s.sudhanva.me docs site runs on this cluster.

Features

  • Three-node K3s cluster on OCI Always Free Ampere A1 ARM64 (4 OCPUs, 24 GB RAM)
  • Argo CD bootstrapped for full GitOps continuous delivery
  • Kubernetes Gateway API ingress via Envoy Gateway
  • Automatic DNS records in Cloudflare via ExternalDNS
  • Automatic TLS certificates from Let’s Encrypt via cert-manager
  • Secrets stored in OCI Vault, synced into the cluster by External Secrets
  • Infrastructure end-to-end managed with Terraform

Why it exists

A real cluster on $0/month

OCI Always Free includes 4 OCPUs / 24 GB of Ampere A1 compute, an NLB, Vault, and Object Storage indefinitely. This project squeezes a production-shaped 3-node Kubernetes cluster out of that envelope: one public ingress node, one private control plane, one private worker.

Why Gateway API over Ingress

Gateway API is the successor to the old Ingress resource — it has a cleaner separation between cluster-operator concerns (the Gateway) and app-developer concerns (the HTTPRoute), and it’s the direction every major implementation is moving. Envoy Gateway gives you a CNCF-graduated Envoy data plane with Gateway API as its native API.
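
An illustration of that split, added here and not taken from the project's repository: the operator's Gateway decides which namespaces may attach routes, and the app team's HTTPRoute binds to it. All names, namespaces, hostnames, the GatewayClass and the ClusterIssuer are assumptions.

```yaml
# Operator-owned: one shared Gateway in a platform namespace.
# Every name, namespace and hostname in this file is hypothetical.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: public-gateway
  namespace: gateway-system
  annotations:
    # Requires cert-manager's Gateway API support to be enabled.
    cert-manager.io/cluster-issuer: letsencrypt-prod  # assumed ClusterIssuer
spec:
  gatewayClassName: envoy          # assumed GatewayClass served by Envoy Gateway
  listeners:
    - name: https
      protocol: HTTPS
      port: 443
      hostname: docs.example.com
      tls:
        mode: Terminate
        certificateRefs:
          - name: docs-example-com-tls   # Secret that cert-manager creates and renews
      allowedRoutes:
        namespaces:
          from: Selector           # default is Same; All lets any namespace attach
          selector:
            matchLabels:
              gateway-access: "true"
---
# Developer-owned: a route that lives in the app's own namespace.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: docs
  namespace: docs                  # namespace must carry gateway-access=true
spec:
  parentRefs:
    - name: public-gateway
      namespace: gateway-system
      sectionName: https
  hostnames:
    - docs.example.com             # ExternalDNS publishes this if its gateway-httproute source is on
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: docs               # Service in the same namespace as the route
          port: 80
```

The `allowedRoutes` selector is the control that keeps an arbitrary namespace from claiming a hostname on the public listener; only namespaces the operator has labelled can bind routes to it.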

Terraform owns the whole graph

No click-ops anywhere. The Terraform plan provisions OCI compute, networking, Vault, NLB, Cloudflare DNS, K3s install via remote-exec, the Argo CD bootstrap, and the initial GitHub PAT secret. `terraform destroy` returns the entire footprint to zero with one command.

Tech stack

Cloud: Oracle Cloud (OCI), Cloudflare DNS
Provisioning: Terraform, cloud-init
Kubernetes: K3s, Argo CD, Gateway API, Envoy Gateway
Platform: cert-manager, ExternalDNS, External Secrets, OCI Vault

Architecture

```mermaid
graph TD
  TF["Terraform"] -->|Provisions| OCI["OCI Always Free<br/>3× Ampere A1 ARM64"]
  OCI --> K["K3s Cluster"]
  K --> AC["Argo CD<br/>GitOps"]
  K --> EG["Envoy Gateway<br/>(Gateway API)"]
  K --> ES["External Secrets"]
  K --> ED["ExternalDNS"]
  K --> CM["cert-manager"]
  AC -.->|Syncs from| GH["GitHub Repo"]
  CM -->|ACME| LE["Let's Encrypt"]
  ED -->|Records| CF["Cloudflare DNS"]
  ES -->|Pulls secrets| VAULT["OCI Vault"]
  EG -->|Routes traffic| APP["Workloads"]
  classDef infra fill:#0a0a0a,stroke:#666,color:#fff
  classDef ext fill:#1e1e1e,stroke:#444,color:#ddd
  class TF,OCI,K infra
  class GH,LE,CF,VAULT ext
```
Architecture: K3s on Oracle Always Free

Quick start

```bash
git clone https://github.com/nsudhanva/k3s-oracle
cd k3s-oracle/tf-k3s
cp terraform.tfvars.example terraform.tfvars   # edit OCI + Cloudflare creds
terraform init
terraform apply
# After ~5 min, push the generated argocd/ manifests to your GitOps repo
```