REV 9df64d6 // BUILT 13 JUN 17:54 47.79°N 122.49°W //
builds station
Builds · 02 Jun 2026

Wiring the front door

Everything this site is, the blog and every project, runs as its own workload on one small cluster, behind one front door. Each piece deploys independently and stays isolated. Adding a new subdomain should be cheap and ceremony-free.

The shape

A single ingress controller does host-based routing: one subdomain is one ingress rule, nothing more. DNS is a wildcard pointed at the cluster; TLS is a wildcard cert from Let’s Encrypt over DNS-01. A new subdomain needs zero DNS work and zero cert work. That is the whole reason adding apps stays cheap.

The loop

push code → Actions builds + pushes image → bumps tag in git → Argo reconciles → live

Actions only builds. Argo only deploys, by reconciling a config repo. Git is the single source of truth for what is running, and nothing holds cluster credentials but the cluster. A blog post rides the same loop: commit a text file, the image rebuilds, the tag bumps, Argo rolls it out.

You never touch kubectl.

Read
8min
Stack
k3s · Traefik · Argo CD · cert-manager
Filed under
infra