Lab it, learn it

Learn more

Big tech, small lab.

Homelab builds, DevOps deep dives, and automation playbooks.
All open source.

Subscribe to newsletter GitHub → Instagram →
What has been built

6 repos. 3 tools. 2 complexity levels.

The same Kubernetes cluster, built differently every time.

UTMVAGRANTORBSTACK
SIMPLE

1 master · 1 etcd · 2 workers

Vault PKI · utmctl + cloud-init

→ GitHub repo

1 master · 1 etcd · 2 workers

Vault PKI · QEMU + socket_vmnet

→ GitHub repo

1 master · 1 etcd · 2 workers

Vault PKI · OrbStack Linux machines

→ GitHub repo
HA

11 VMs · The Hard Way

Vault PKI · etcd · HAProxy

→ GitHub repo

11 VMs · The Hard Way

Vault PKI · etcd · HAProxy

→ GitHub repo

11 VMs · The Hard Way

Vault PKI · etcd · HAProxy

→ GitHub repo
Pillar guides

Start with the big picture.

Three pillar posts that map the entire project — from choosing a tool, to the learning path, to the security architecture.

Kubernetes on Apple Silicon: UTM vs Vagrant vs OrbStack

Side-by-side benchmarks, gotchas, and the verdict on which tool fits which use case.

14 min read

From Simple to HA: A Learning Path for Kubernetes on Apple Silicon

Start with 6 VMs, graduate to 11. The structured progression with working code at every level.

16 min read

Production-Grade Kubernetes Security on a Homelab Budget

Vault PKI, mTLS everywhere, CA separation, bastion access — the full security architecture across all 6 repos.

Read now →
Deep dives

Go deep on the internals.

Technical deep dives into the components that make production Kubernetes work.

Vault PKI for Kubernetes: 3-Tier CA the Right Way

Separate CAs for K8s, etcd, and front-proxy. 5 Vault engines, 3 Ansible roles, automated end to end.

Read now →

Why Kubernetes Needs Three Separate CAs

What each CA signs, what breaks if they’re combined, and how Vault enforces the boundaries.

Read now →

mTLS Between etcd Nodes Explained

Peer certificates, systemd flags, the handshake step by step, and what breaks when you get it wrong.

Read now →

Understanding etcd Quorum — Why 3 Nodes, Never 2 or 4

Raft consensus, quorum math, and 6 hands-on experiments to run on your homelab cluster.

Read now →

The Bastion Server Pattern — Why You Shouldn’t SSH Directly to Cluster Nodes

SSH flow, defense in depth, and how this maps to AWS, GCP, and Azure in production.

Read now →

Why Your Homelab K8s Cluster Isn’t Production-Ready

Single master, self-signed certs, no bastion. Let’s fix all of it.

Read now →
Step-by-step builds

The full deployment walkthroughs.

Every step of building the clusters — from VM creation to kubectl get nodes.

Gotchas

What broke (so you don’t have to find out yourself).

Tool-specific and cross-tool lessons learned the hard way.

UTM Gotchas

What breaks when building K8s clusters on Apple Silicon.

Read now →

Vagrant Gotchas

QEMU, socket_vmnet, and dual-NIC surprises.

Read now →

OrbStack Gotchas

Shared-kernel surprises when running K8s.

Read now →

HA-Specific Gotchas

Cross-tool problems that hit every HA deployment.

Read now →
Start here

New to the lab?

Start with a simple cluster to learn the fundamentals, then graduate to HA with Vault PKI, etcd clustering, HAProxy load balancing, and bastion architecture. All free, all on your Mac.

→ UTM vs Vagrant vs OrbStack → The Simple to HA learning path → Security architecture overview → About labitlearnit
© 2026 labitlearnit
GitHub Instagram About Blog Link in bio