Per-Namespace Control: kreativarc-infra v2

Version 2 of kreativarc-infra is live, and it's built with the same principles: low overhead, strong boundaries, and developer sanity. The major upgrade this time? Fully automated, per-namespace kubeconfig and Wireguard config generation.
This isn’t a toy. It’s a real Kubernetes infrastructure with real separation, built from scratch — by one person, on a single Hetzner VPS setup — for less than €10/month.
Yes, this is solo DevOps on a budget.
The Current Architecture
The stack runs on a single Kubernetes cluster with two modest Hetzner VPS nodes. That’s enough for PoC development today, and easy to scale both vertically (larger instances) and horizontally (more nodes) tomorrow. The focus is deliberate: secure isolation, not premature complexity.
Here’s the updated flow diagram:
Every part of the system is built from the ground up using Pulumi in TypeScript, including:
Hetzner networking (private network & subnet)
SSH key management
VPS provisioning
K3s install
Namespace-level VPN and config generation
One Namespace = One VPN = One Kubeconfig
This is the core of v2:
1 namespace
1 Wireguard config
1 kubeconfig file
That’s it. Each namespace can be configured for admin or restricted access. Need an isolated CI/CD pipeline for an app? Just add the namespace to inputConfig.ts, set the access level, and pulumi up. The system takes care of the rest — including generating VPN credentials and placing the config files in the correct directories.
Your secrets stay scoped. If something leaks, it affects exactly one namespace, not your entire cluster.
This was a non-negotiable design choice: repo-level and namespace-level isolation of secrets. It’s easy to sleep at night when your infrastructure doesn’t need to trust every container and pipeline globally.
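To make the "one namespace = one Wireguard config = one kubeconfig" idea concrete, here is an added example in plain TypeScript. It is not code from kreativarc-infra or its Pulumi program; it only models the shape of the generation step: a small config object (standing in for inputConfig.ts) drives a namespaced RBAC bundle, a kubeconfig pinned to that namespace, and a WireGuard client config with its own VPN address. The cluster endpoint, CA bundle, keys and tokens are constructed placeholders, as are the namespace names and the hypothetical function names; in the real setup Pulumi would supply the secrets.

```typescript
// Added example, not kreativarc-infra's own code. Models per-namespace artifact
// generation driven by a single config object. All secrets below are placeholders.

type AccessLevel = "admin" | "restricted";

interface NamespaceInput { name: string; access: AccessLevel }

interface ClusterInput {
  name: string;
  server: string;            // API server URL, reachable only over the VPN
  caDataB64: string;         // base64-encoded cluster CA bundle
  wgServerPublicKey: string; // WireGuard server public key
  wgEndpoint: string;        // public host:port of the WireGuard server
  wgSubnet: string;          // VPN subnet, e.g. "10.99.0.0/24"; .1 is the server
}

// Per-namespace secrets the generator consumes (placeholder values here).
interface NamespaceSecrets { saToken: string; wgPrivateKey: string }

// Namespaced RBAC: even the "admin" level is a Role, never a ClusterRole, so a
// leaked kubeconfig cannot reach beyond its own namespace.
function buildRbac(ns: NamespaceInput) {
  const sa = `${ns.name}-deployer`;
  const rules = ns.access === "admin"
    ? [{ apiGroups: ["*"], resources: ["*"], verbs: ["*"] }]
    : [{ apiGroups: ["", "apps"],
         resources: ["pods", "pods/log", "services", "configmaps", "deployments"],
         verbs: ["get", "list", "watch", "create", "update", "patch"] }];
  return [
    { apiVersion: "v1", kind: "ServiceAccount",
      metadata: { name: sa, namespace: ns.name } },
    { apiVersion: "rbac.authorization.k8s.io/v1", kind: "Role",
      metadata: { name: `${sa}-role`, namespace: ns.name }, rules },
    { apiVersion: "rbac.authorization.k8s.io/v1", kind: "RoleBinding",
      metadata: { name: `${sa}-binding`, namespace: ns.name },
      subjects: [{ kind: "ServiceAccount", name: sa, namespace: ns.name }],
      roleRef: { apiGroup: "rbac.authorization.k8s.io", kind: "Role", name: `${sa}-role` } },
  ];
}

// Kubeconfig whose only context is pinned to the namespace and authenticates as its SA.
// JSON is valid YAML, so JSON.stringify(...) of this object is a usable kubeconfig file.
function buildKubeconfig(cluster: ClusterInput, ns: NamespaceInput, saToken: string) {
  const user = `${ns.name}-deployer`;
  const ctx = `${ns.name}@${cluster.name}`;
  return {
    apiVersion: "v1", kind: "Config",
    clusters: [{ name: cluster.name,
      cluster: { server: cluster.server, "certificate-authority-data": cluster.caDataB64 } }],
    users: [{ name: user, user: { token: saToken } }],
    contexts: [{ name: ctx, context: { cluster: cluster.name, user, namespace: ns.name } }],
    "current-context": ctx,
  };
}

// Hand out one /32 per namespace from the VPN subnet (.1 is reserved for the server).
function vpnAddress(subnet: string, index: number): string {
  const [base, prefix] = subnet.split("/");
  if (prefix !== "24") throw new Error("example supports /24 subnets only");
  const o = base.split(".").map(Number);
  const host = 2 + index;
  if (host > 254) throw new Error("VPN subnet exhausted");
  return `${o[0]}.${o[1]}.${o[2]}.${host}/32`;
}

// Client-side WireGuard config. AllowedIPs is only the VPN subnet (split tunnel), so
// the peer can reach the API server but no other traffic is routed through the tunnel.
function buildWireguardConfig(cluster: ClusterInput, index: number, wgPrivateKey: string): string {
  return [
    "[Interface]",
    `PrivateKey = ${wgPrivateKey}`,
    `Address = ${vpnAddress(cluster.wgSubnet, index)}`,
    "",
    "[Peer]",
    `PublicKey = ${cluster.wgServerPublicKey}`,
    `Endpoint = ${cluster.wgEndpoint}`,
    `AllowedIPs = ${cluster.wgSubnet}`,
    "PersistentKeepalive = 25",
  ].join("\n");
}

interface NamespaceArtifacts {
  rbac: ReturnType<typeof buildRbac>;
  kubeconfig: ReturnType<typeof buildKubeconfig>;
  wgConfig: string;
}

// Everything a namespace needs, keyed by namespace name. Fails loudly if a namespace
// was added to the config without its secrets being provisioned.
function generateArtifacts(cluster: ClusterInput, namespaces: NamespaceInput[],
                           secrets: Record<string, NamespaceSecrets>): Record<string, NamespaceArtifacts> {
  const out: Record<string, NamespaceArtifacts> = {};
  namespaces.forEach((ns, i) => {
    const s = secrets[ns.name];
    if (!s) throw new Error(`missing secrets for namespace ${ns.name}`);
    out[ns.name] = {
      rbac: buildRbac(ns),
      kubeconfig: buildKubeconfig(cluster, ns, s.saToken),
      wgConfig: buildWireguardConfig(cluster, i, s.wgPrivateKey),
    };
  });
  return out;
}

// Constructed sample input standing in for inputConfig.ts and Pulumi outputs.
const sampleCluster: ClusterInput = {
  name: "kreativarc", server: "https://10.99.0.1:6443", caDataB64: "PLACEHOLDER_CA_B64",
  wgServerPublicKey: "PLACEHOLDER_SERVER_PUBKEY", wgEndpoint: "vpn.example.invalid:51820",
  wgSubnet: "10.99.0.0/24",
};
const sampleNamespaces: NamespaceInput[] = [
  { name: "shared-services", access: "admin" },
  { name: "app-ci", access: "restricted" },
];
const sampleSecrets: Record<string, NamespaceSecrets> = {
  "shared-services": { saToken: "PLACEHOLDER_TOKEN_1", wgPrivateKey: "PLACEHOLDER_WG_KEY_1" },
  "app-ci": { saToken: "PLACEHOLDER_TOKEN_2", wgPrivateKey: "PLACEHOLDER_WG_KEY_2" },
};
const artifacts = generateArtifacts(sampleCluster, sampleNamespaces, sampleSecrets);
```

The point worth checking in such a generator is the blast radius: the Role is namespaced regardless of access level, the kubeconfig carries exactly one context with `namespace` set, and each peer gets a distinct /32 with a split-tunnel AllowedIPs, so a leaked bundle grants access to one namespace over one VPN address and nothing else.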
User Access: Clear, Scoped, Predictable
Here’s what the user access model looks like in practice:
Whether you’re:
an infra admin managing the whole thing with SSH and Pulumi,
a core maintainer deploying shared services,
or a PoC/app developer shipping code through CI/CD,
you get exactly the access you need — nothing more.
CI jobs connect through Wireguard, use their dedicated kubeconfig, and deploy into their namespace without ever seeing the rest of the cluster.
Test Automation: Namespaces as First-Class Citizens
New namespaces don’t just get configs — they’re automatically included in the infrastructure test suite. Just modify the config file and run npm test. The same goes for server definitions. No manual test wiring, no brittle test code. Everything is dynamic and config-driven.
Summary
One VPS cluster (2 nodes) under €10/month
Pulumi-managed K3s infra with secure VPN + kubeconfig per namespace
Namespace-level secret separation and access control
All configs auto-generated and ready for CI/CD integration
Scalable, testable, and ready for future multi-app deployment
This isn’t a full-blown multi-tenant production setup (yet), but it’s the next best thing — and it doesn’t require a platform team to maintain.
Written by

Arnold Lovas
Senior full-stack dev with an AI twist. I build weirdly useful things on my own infrastructure — often before coffee.