Secure CI/CD with WireGuard and Kubernetes — the kreativarc.com Flow

Arnold Lovas

Modern CI/CD pipelines often sacrifice security for convenience — public runners, open ports, shared secrets everywhere. At kreativarc.com, I took the opposite route: a zero-trust, VPN-gated CI/CD flow that uses GitHub Actions, GHCR, and a locked-down k3s cluster. The goal isn’t to impress auditors — it’s to build something that can scale without turning into a security liability later.

The cluster runs on a minimal Hetzner VPS setup, provisioned via Pulumi, costing less than €10/month. Every namespace gets its own WireGuard tunnel and kubeconfig, so access is scoped per deployment, not per developer. CI/CD runs through GitHub Actions, using a simple but effective flow:

  1. Git push triggers the workflow.

  2. The pipeline checks out the code and builds a Docker image.

  3. It logs in to GHCR, pushes the image, and restores WireGuard config + kubeconfig.

  4. A kubectl apply updates the deployment after injecting an imagePullSecret for GHCR.

  5. The pipeline then verifies the rollout to ensure the new pod is running.

  6. If rollout fails, the last events and pod logs are dumped for debugging.

  7. Finally, the WireGuard VPN is shut down — leaving no open ingress, no dangling access.

No CI runners inside the cluster, no open Kubernetes API, no SSH. Just a clean separation of concerns and a reusable pattern across projects.
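The seven steps above, written out as a GitHub Actions workflow. This is an added example, not the kreativarc.com pipeline itself; the secret names (`WG_CONF`, `KUBECONFIG_B64`, `GHCR_PULL_TOKEN`), the namespace and deployment names, the `k8s/` manifest directory and the assumption that the container is named after the deployment are all placeholders. The two details worth copying are the `if: always()` teardown step, which brings the tunnel down and scrubs the credentials even when the rollout or the log dump fails, and passing secrets into scripts through `env:` rather than interpolating `${{ }}` expressions directly into `run:` text.

```yaml
name: deploy

on:
  push:
    branches: [main]

# One deploy at a time: the tunnel and the rollout are not safely re-entrant.
concurrency:
  group: deploy-${{ github.ref }}
  cancel-in-progress: false

permissions:
  contents: read
  packages: write

env:
  IMAGE: ghcr.io/${{ github.repository }}
  NAMESPACE: app-prod        # assumed namespace name
  DEPLOYMENT: web            # assumed deployment (and container) name

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - uses: docker/build-push-action@v6
        with:
          context: .
          push: true
          tags: ${{ env.IMAGE }}:${{ github.sha }}

      # Restore the per-namespace WireGuard config and kubeconfig from secrets.
      # Secrets reach the shell via env, never via ${{ }} inside the script body.
      - name: Bring up WireGuard tunnel
        env:
          WG_CONF: ${{ secrets.WG_CONF }}               # assumed: full wg0.conf
          KUBECONFIG_B64: ${{ secrets.KUBECONFIG_B64 }} # assumed: base64 kubeconfig
        run: |
          sudo apt-get update -qq && sudo apt-get install -y -qq wireguard
          sudo mkdir -p /etc/wireguard
          printf '%s\n' "$WG_CONF" | sudo tee /etc/wireguard/wg0.conf >/dev/null
          sudo chmod 600 /etc/wireguard/wg0.conf
          sudo wg-quick up wg0
          mkdir -p "$HOME/.kube"
          printf '%s' "$KUBECONFIG_B64" | base64 -d > "$HOME/.kube/config"
          chmod 600 "$HOME/.kube/config"

      - name: Inject GHCR pull secret and apply manifests
        env:
          GH_ACTOR: ${{ github.actor }}
          GHCR_PULL_TOKEN: ${{ secrets.GHCR_PULL_TOKEN }}  # assumed: read:packages token
          TAG: ${{ github.sha }}
        run: |
          # --dry-run + apply makes the secret idempotent across runs.
          kubectl -n "$NAMESPACE" create secret docker-registry ghcr-pull \
            --docker-server=ghcr.io \
            --docker-username="$GH_ACTOR" \
            --docker-password="$GHCR_PULL_TOKEN" \
            --dry-run=client -o yaml | kubectl -n "$NAMESPACE" apply -f -
          kubectl -n "$NAMESPACE" apply -f k8s/
          kubectl -n "$NAMESPACE" set image "deployment/$DEPLOYMENT" \
            "$DEPLOYMENT=$IMAGE:$TAG"

      - name: Verify rollout
        run: kubectl -n "$NAMESPACE" rollout status "deployment/$DEPLOYMENT" --timeout=180s

      - name: Dump events and pod logs on failure
        if: failure()
        run: |
          kubectl -n "$NAMESPACE" get events --sort-by=.lastTimestamp | tail -n 40
          kubectl -n "$NAMESPACE" logs "deployment/$DEPLOYMENT" --all-containers --tail=200 || true

      # Runs whether the job passed or failed: no tunnel or credential outlives the job.
      - name: Tear down WireGuard tunnel
        if: always()
        run: |
          sudo wg-quick down wg0 || true
          sudo shred -u /etc/wireguard/wg0.conf "$HOME/.kube/config" || true
```

The pull secret uses a separate token rather than `GITHUB_TOKEN` on purpose: `GITHUB_TOKEN` is invalidated when the job ends, so a pod that is rescheduled or scaled up hours later would fail to pull the image with it. A long-lived token scoped to `read:packages` only, stored as a repository secret, avoids that without widening the cluster's access.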

You can follow this architecture’s evolution on the new landing page at kreativarc.com — built with a nod to the 90s demoscene, because creative code deserves a bit of nostalgia too.


Next Project: Neuroids

A neuroid is an artificial entity with a personality and long lifespan, capable of learning, making decisions, and developing autonomous behavior through neural systems. Neuroids can collaborate with each other and with humans, forming dynamic, goal-driven teams. This isn’t just another tool — it’s a new kind of digital lifeform.

The Neuroid Engine is the system responsible for their creation, coordination, and continuous evolution. These entities operate within a Neuroid Farm — a distributed environment where diverse neuroids live, learn, and evolve in parallel, continuously interacting with each other and their surroundings.

Stay tuned. The infrastructure is ready — now it’s time to give it life.


Written by

Arnold Lovas

Senior full-stack dev with an AI twist. I build weirdly useful things on my own infrastructure — often before coffee.