Added loki as grafana datasource

.pre-commit-config.yaml

@@ -21,7 +21,9 @@ repos:
     hooks:
       - id: kubeconform
 
-  - repo: https://github.com/tarioch/flux-check-hook
-    rev: v0.8.0
-    hooks:
-      - id: check-flux-helm-values
+  # Linting does not work with external values.yaml
+  # TODO: Include url to schema in values.yaml and validate based on that?
+  # - repo: https://github.com/tarioch/flux-check-hook
+  #   rev: v0.8.0
+  #   hooks:
+  #     - id: check-flux-helm-values

apps/grafana/release.yaml

@@ -65,6 +65,12 @@ spec:
       enabled: true
       existingSecret: grafana-ldap-toml
 
+    sidecar:
+      datasources:
+        enabled: true
+        searchNamespace: ALL
+        labelValue: "1"
+
     extraSecretMounts:
       - name: postgres-app-mount
         secretName: postgres-app

clusters/titan.lan.huizinga.dev/alerts/alert-flux-infra.yaml

@@ -0,0 +1,14 @@
+apiVersion: notification.toolkit.fluxcd.io/v1beta3
+kind: Alert
+metadata:
+  name: flux-infra
+  namespace: flux-system
+spec:
+  providerRef:
+    name: flux-infra
+  eventSeverity: info
+  eventSources:
+    - kind: Kustomization
+      name: "*"
+      matchLabels:
+        alert: flux-infra

clusters/titan.lan.huizinga.dev/alerts/alert-telegram.yaml

@@ -0,0 +1,12 @@
+apiVersion: notification.toolkit.fluxcd.io/v1beta3
+kind: Alert
+metadata:
+  name: telegram
+  namespace: flux-system
+spec:
+  providerRef:
+    name: telegram
+  eventSeverity: error
+  eventSources:
+    - kind: Kustomization
+      name: "*"

clusters/titan.lan.huizinga.dev/alerts/provider-flux-infra.yaml

@@ -0,0 +1,10 @@
+apiVersion: notification.toolkit.fluxcd.io/v1beta3
+kind: Provider
+metadata:
+  name: flux-infra
+  namespace: flux-system
+spec:
+  type: gitea
+  address: https://git.huizinga.dev/dreaded_x/flux-infra
+  secretRef:
+    name: gitea

clusters/titan.lan.huizinga.dev/alerts/provider-telegram.yaml

@@ -0,0 +1,11 @@
+apiVersion: notification.toolkit.fluxcd.io/v1beta3
+kind: Provider
+metadata:
+  name: telegram
+  namespace: flux-system
+spec:
+  type: telegram
+  address: https://api.telegram.org
+  channel: "-4748034121"
+  secretRef:
+    name: telegram

clusters/titan.lan.huizinga.dev/alerts/secret-gitea.yaml

@@ -1,13 +1,13 @@
 apiVersion: v1
-data:
-    token: ENC[AES256_GCM,data:Rk5TRkrzTZPQSJ+rpW+VElb2DsEwWeeJ1vY3EI/62dmzZ3lbH9KYOQ==,iv:ZJ9HMSwIuc1nBvTBbWmz1Vw5mqbxAJJhkNXdmpTGGqs=,tag:fGgH+rRlRZ/N8Ch8WVJOVQ==,type:str]
+stringData:
+    token: ENC[AES256_GCM,data:jn3t5g5fkCmqXf7JEfn7HBigY60nPh3AqYzZ9fkEuj2RjN6ieAfiOg==,iv:b28wHrtETq+p/jH52c3RKYzthh7+IQmvRhVzY/TlnfI=,tag:kr+vdWBGihYN6AklQLYeTw==,type:str]
 kind: Secret
 metadata:
     name: gitea
     namespace: flux-system
 sops:
-    lastmodified: "2025-04-22T11:56:49Z"
-    mac: ENC[AES256_GCM,data:rH0bntYg5eZYiDzw3su6Bsv+MwO+fxRVuc45hORJK1WrqxnzRXhCN0I7f7LXZdMRVhcDTa+mCUY1nOM4Ay4Knt+QwBhKyeLXb6EyBokSYiTpjmtg3Lz/A98S10J64VgP7GMqE/zhlyxdCqnEDoYfTfWSEF4olSZaALMyuzLddxg=,iv:dR6TCn9ErLdu/hDNXKp5vPVolOtob7gedpeGAl7+O5c=,tag:s3b4XG+xKc6BpwPQXxBfJA==,type:str]
+    lastmodified: "2025-04-22T12:14:43Z"
+    mac: ENC[AES256_GCM,data:fb5EyaUv2slDoSNLNJZZPg2ZXwUC5tbdG2vDZEle3PfCDAWxQmEJ36hMQ9RcE8Ec5jfj/Ia6VOP+VOpLSIlQHzGeG3raEW+I/NBTN04KazsDhgzOfAlhTi8COkmu0D5hv3TfFPkWVV/Uw2zIpOsqTv56IoIKyPun+ndt470TgGE=,iv:k754Ju4XGpUCCsdkgQxaE2LEJNEBkQ4lcDIRIqZJnbY=,tag:1t3X7id14qhOvAA9pRw+wQ==,type:str]
     pgp:
         - created_at: "2025-04-22T11:56:49Z"
           enc: |-

clusters/titan.lan.huizinga.dev/alerts/secret-telegram.yaml

@@ -0,0 +1,54 @@
+apiVersion: v1
+stringData:
+    token: ENC[AES256_GCM,data:GgQ/uMKwKKxkEaqVlqH6RlhNTXE+9iM9C5seH0Vjsv/Rwb4aonM6Fy9lQUtiwg==,iv:xKKiRxMu0myMmT73XvUy69qt216TNbeJ4Y/0oUAK87s=,tag:ib0nLm2HkaB91vSllRPSWg==,type:str]
+kind: Secret
+metadata:
+    name: telegram
+    namespace: flux-system
+sops:
+    lastmodified: "2025-04-22T14:43:42Z"
+    mac: ENC[AES256_GCM,data:wiq7VPKe+PBXLbiL9VVJ0gjtAb0g0f5qJgZaDkFaeIn5KfXYauzX1MyoXxy0qSi5rBesKCmhhDhLHRW/SA7KJyaWO1GIdP9Obppm+l83zJ6FVn2XvDZQkP+IoEBCPUgooT4RBvvJUJJeA9BDuPV3ig43sYZM+47Vc/WFZrx1238=,iv:KqDkIbKqrv1087PQC10jNUfkeGvzaC9ZvwYwhLd3CcA=,tag:Tb6mKFaK3+3BmiuFfEXgQw==,type:str]
+    pgp:
+        - created_at: "2025-04-22T11:56:49Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA7pKPTYH5bqOARAAioWyCnKFGD/5XeH++ulmfannJcwuFbiJ+jyoYxbmbxZK
+            egOXaOg9jkw+FuKy+u/5QNFZAgL4Ju3dMOyeBuZXGAgchVoDuqFANj7sXMhUnBkc
+            BuKLs/ob5U2KUD2YU+fFQd4XZfOepPGZF9qNwl4wttUxhawzQ66G49j23B8bxe1E
+            0Isddm7SCzF0OJOogaJ1rh9ylfzwlBW0PaBhBaIlNs+PIUJW7URWouDJnWh+jBvE
+            qT8brYP7gb+Tl9lNihJdPLG32jiYhQxueIkm6BqSUQlU+yW/q8RUhp4+hLAaSOvC
+            vTx1qqhn9ipZWG+EgPatUtV2gW0U9jOPRAstC1/zUe6UljIuQAEDx844j1sfmKxl
+            1bPdl1790V2bDDvDX4zeRAR6N6lzNkfYd02ZvWVKkUr3dTCfn/dJ6LM39tfZNeh2
+            WKnIN/PoxPL2srD9QRQmVPBqoLJrBKs1v1jWBEfMdT75H8e4CHu69o0FCzxLi/Ty
+            /2Hz9zIyBlPsyUA6EHjmccnjE2dVkmgRcaQbhEaYMtM7pyECoCfixGdpgV+7iM6L
+            PnYVusFueMVX80HYoNl4/ZXf+1U5/aW3mnSgK8+4uX8m4/MqGi4tvYT/QdOUkEvS
+            kXSsfok5yBcYdoqUJl6N/gfP9Z9R6WqrCL4p98t2BiLpcu6TZnsP0ruJlRlzTjLU
+            ZgEJAhATXTi3So37vsc8TqTDXqkJjrwxk9k4cGfwd8PWFvuS+xzdKGA/vcU6jXCD
+            CQrTnQ2i6jZBi0L5FLunhG86BOSLs5GEhuO6PPjkyyJNbcX/Uh6hjzgwdElr14Qo
+            P7QnueJTiw==
+            =AMPG
+            -----END PGP MESSAGE-----
+          fp: 1E0CF38FF7C9ADAED58B436ABA4A3D3607E5BA8E
+        - created_at: "2025-04-22T11:56:49Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA51kG++kLewoAQ//b3JTskIOENHA1W8uE5jqsyxPDVMJuXQNoHe2u0264kS8
+            i2sC7SZa/Le98J9Gsl97CpA7xXVIcOWhma+6PTzrsaonn//nJyuh8YOfWAb/ZF4o
+            ijtd7etTLcA9Hb1iRUek5oD7tXWiGhl+ROR3xd7Al+nzQmTpvHju+HFWJboWA7RC
+            6PkusF1UAe39ZhZwxX2Hh8XdFfQdcrtFNIp7+TjMCO2Im54aBTRKLrz7aHlrjrgN
+            tie1RAdDwEqZ0Zoh3jezpkQW+9aKtkTtiG5BLmQYhVPUN5GTKMMwKoiYNMEdNUWx
+            s9SXiepDc9ZbdjiwGUig9pmuaKrPTSRh6kbmAWHyMKfwG4WZSgbh9gW0sU69rLdQ
+            onaGRkIS87If6AgE0dCxOgcNZEiUQE1Rj8Ie/XtR6ufKNUdSAsbJSoKIja4MQdKl
+            1BM2YJ5eD52e2J0XJJgLchW0nf7C+3Sil/wIRvU0k/lMniMHvXjWGfY5/v2TUF3Y
+            R3Ng6KsaaIRGW5pWzAA5vBDjOlDaPdWYvWd+ZZ96cd0ToxgMpEDLGOBAOhBZGP95
+            knqqsVTKswD3vy5h5bwevTxRdrPsmD+g26SbLZDYllRklNasGgfcf0CBydcftUHo
+            ePHC1ThKpC0Eb80fxLvAyyW+O8LjqjGWK+q7pVGE8eZ7B5XGQRSfzQRuNmc1aIjS
+            XAGtAlz0mJffgqHnOW++8CZjiUKWb5iSJuMqBcGPMuqz9nLBAP/n4/vw6nH4irAF
+            qL1fkj4yurE7yMmBjYEWi+I+D66g6xpKvEWTyDGeiiqUD8nZXGojT7bWz072
+            =zIA5
+            -----END PGP MESSAGE-----
+          fp: 49F10679C425233EFB4B1B6F9D641BEFA42DEC28
+    encrypted_regex: ^(data|stringData)$
+    version: 3.10.1

clusters/titan.lan.huizinga.dev/apps.yaml

@@ -3,6 +3,8 @@ kind: Kustomization
 metadata:
   name: apps
   namespace: flux-system
+  labels:
+    alert: flux-infra
 spec:
   dependsOn:
     - name: traefik

clusters/titan.lan.huizinga.dev/apps/siranga.yaml

@@ -4,10 +4,10 @@ metadata:
   name: siranga
   namespace: flux-system
 spec:
-  interval: 1m0s
+  interval: 15m0s
   url: oci://git.huizinga.dev/dreaded_x/siranga/manifests
   ref:
-    tag: edge
+    tag: latest
 ---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
@@ -36,13 +36,27 @@ spec:
     secretRef:
       name: sops-gpg
 ---
+apiVersion: notification.toolkit.fluxcd.io/v1
+kind: Receiver
+metadata:
+  name: siranga
+  namespace: flux-system
+spec:
+  type: generic
+  secretRef:
+    name: receiver
+  resources:
+    - apiVersion: source.toolkit.fluxcd.io/v1beta2
+      kind: OCIRepository
+      name: siranga
+---
 apiVersion: notification.toolkit.fluxcd.io/v1beta3
 kind: Provider
 metadata:
   name: siranga
   namespace: flux-system
 spec:
-  type: github
+  type: gitea
   address: https://git.huizinga.dev/dreaded_x/siranga
   secretRef:
     name: gitea
@@ -59,4 +73,3 @@ spec:
   eventSources:
     - kind: Kustomization
       name: siranga
-      namespace: flux-system

clusters/titan.lan.huizinga.dev/flux-system/ingress.yaml

@@ -0,0 +1,23 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: flux-webhook
+  namespace: flux-system
+  annotations:
+    traefik.ingress.kubernetes.io/router.entryPoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: "true"
+spec:
+  ingressClassName: traefik
+  rules:
+    - host: flux.${domain}
+      http:
+        paths:
+          - backend:
+              service:
+                name: webhook-receiver
+                port:
+                  number: 80
+            path: /
+            pathType: Prefix
+  tls:
+    - secretName: ${domain//./-}-tls

clusters/titan.lan.huizinga.dev/flux-system/kustomization.yaml

@@ -1,7 +1,11 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - gotk-components.yaml
-  - gotk-sync.yaml
+  - ./gotk-components.yaml
+  - ./gotk-sync.yaml
+  - ./config-map-domain-vars.yaml
+  - ./ingress.yaml
+  - ./secret-receiver.yaml
+  - ./receiver.yaml
 patches:
-  - path: sops-overlay.yaml
+  - path: patches.yaml

clusters/titan.lan.huizinga.dev/flux-system/patches.yaml

@@ -3,8 +3,14 @@ kind: Kustomization
 metadata:
   name: flux-system
   namespace: flux-system
+  labels:
+    alert: flux-infra
 spec:
   decryption:
     provider: sops
     secretRef:
       name: sops-gpg
+  postBuild:
+    substituteFrom:
+      - kind: ConfigMap
+        name: domain-vars

clusters/titan.lan.huizinga.dev/flux-system/receiver.yaml

@@ -0,0 +1,16 @@
+apiVersion: notification.toolkit.fluxcd.io/v1
+kind: Receiver
+metadata:
+  name: flux-infra
+  namespace: flux-system
+spec:
+  type: github
+  events:
+    - "ping"
+    - "push"
+  secretRef:
+    name: receiver
+  resources:
+    - apiVersion: source.toolkit.fluxcd.io/v1
+      kind: GitRepository
+      name: flux-system

clusters/titan.lan.huizinga.dev/flux-system/secret-receiver.yaml

@@ -0,0 +1,54 @@
+apiVersion: v1
+data:
+    token: ENC[AES256_GCM,data:Nd4t7LkkCe9pd/ilITlwZpmpF+oRmMfIbgbEiAzTK+OWUb4q37bBzGvhc3V70soS7XmpU13lJwo=,iv:qMoW9dsDauSEsw7GjuCSmsCy3k54jt5x/nngSdGiErg=,tag:ZTkP8IGT+DOJLfO+gIX2xg==,type:str]
+kind: Secret
+metadata:
+    name: receiver
+    namespace: flux-system
+sops:
+    lastmodified: "2025-04-23T17:01:23Z"
+    mac: ENC[AES256_GCM,data:blRYui9FBvet9nuOUEPaMLLzD6CvX7pDZQEtQV5jLfKqLWEBFXUA13zqTrxtH1slGOzif1xshGqjOgsxREvEdb4Y8uSfoWSPuhkPI4WuRESjyYsVHUlP0fOIdE/CNc/xT4wTxxsvZ46ShGCMZ/QN29XsQ04nwHaEsTmYMqtgsBM=,iv:Km0FIruKN+N0Hsat4QaTBCCAHMQz5IiYkTKG2IGILUI=,tag:A1v4kEs46vz2Cm9ZN5Qw1g==,type:str]
+    pgp:
+        - created_at: "2025-04-23T17:01:23Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA7pKPTYH5bqOARAAwZ69AwI2iTOboLpzZmW41EngGkhPKGghGFssiyfWbXqR
+            dtNG+wG371TF9nUMoLagJEqTUGRVX8xznG7R68QhVd85C1iswrNJjZ55nnJKf0IN
+            aRcLp3xsZuWPefOFadaJglRtgLnmCtPNur1TmPXR4V94ycOe1wBTSbvheTs73h6M
+            LBfRBruv2ttJsrcmI2az57KgOrIQnPu/z/NSEbc2GM3CU7/Z9ChWt+b5WEyv/7Sp
+            Sp0ohmC9HputBFGueC6Hw08+152C8yn3BpJhMhiWcCEryNiwKawf/n2UFJ8gk86/
+            5CkRX1CWRtz8nRIfmiwU5IBd5aMXhK684/1lTtdshHGEhSbaGA9N6lK70vdrfVl+
+            euaQkqyCy2sFkhz0EvcK+PTGxnueQ4UuO01l5yRG/ZUdjzYVh9fpx3RoMnJaBctx
+            l63LUG+xXSwR0xy4JIkrWyFDwIyGAebxbtQ8QUeLkmMzHyUx8tOL0qfKd8qkEFwg
+            eJWh0guYllSldgP5h7bJXOTej3ZrP9yC1WY3z2wHu+415/eCpwucFCu/A5QnJXnA
+            YLTE2CIwdDpj5XjjwQwmTNpBgfQ/csHJua40CURJbsYhk4HfqbHNdjEc5kkem/3L
+            PrtA/d59iwy3Vjkn1xmrcX+od3qXRFVDwMjaCleAXi3dnsfN619j8PrZh2bkUyHU
+            aAEJAhD1hSP/yZbfctLVNBCXT3HE8bLlAp82zYsqwx7UJWOhv4saodU1Zm13CWdk
+            nlbN8v3w5o19Xo85rt4YB091dGliTAAQ2CfvsCLRO4ZjO6N2F4KSCSTO0jLSJkce
+            hly9/ZsJAtXB
+            =GCZA
+            -----END PGP MESSAGE-----
+          fp: 1E0CF38FF7C9ADAED58B436ABA4A3D3607E5BA8E
+        - created_at: "2025-04-23T17:01:23Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA51kG++kLewoARAA5IO7TXG5xkv+mlSwFBDbldn5jPy9E1+HbZHp+4CmRquI
+            ONPEeDZgh3n+Fr87OMUKMKfgdEpjdE+l80rCmF7zgaVNqLscRcLJ17k14XfbpsrG
+            wsp5gsvymGh6sllUopetugvzd6gdxEianuhKU6DYJMM+X/nPTDsa5wHazRzPQxS/
+            8zp9tlPWt0HkZelBKXmLoYofZBakZOqZstQvhB0SSjC0BVpQN5WIfh1ES6uoBxhY
+            ddA0R34r1jwXWDE2UqD1Rx12H3TzUxdPGGw5rQKsEZSuEwxfxqjUAsn29ARR88qU
+            FlvSsy+FW7/6HeTcxwS1IMyZfNwRKQYLkzcwqf+OsrrjqTSBPCt8rcMoDVH3vxdf
+            wazu/vqoM1mwkUlogEF/M/SITEO9nJzrkAihAr6OJgfTJqi8RJffxoXQ8gAfan2J
+            wYMkcTxPNnskyZMUr2onotdnqdVSMgR2vwnsvIfSWUSx4eMpK8wO2xQm60hAXNHx
+            QCVcTz7sMDu6nD3xsvJs5D67YnkrLuqnuNeHQqSsREPv132kKIpEhAZop0MYk8ld
+            798jafK8xCzasbIZqDRzSqUUK/Z/J4EN8A4zRY5EtcbXdKHpKkUYuX/Sb7y2FAQR
+            JMV3uqLxJoz4mqUM0VJBt77Del5YQ5LeqE8aHMBDNtfjAdmK/2xg7BuGuromZYzS
+            XgFxwGfX791vSkUJ/z+7Nf3QmAKBXOuEYaYJbcZ5pFbKKdcfI8iEfL7utVQ59U2k
+            4BLB7aChrp8J795YQna+YgPybK5NR00FX6qLJiZAp56MdcvncJ8s42/epRWRusk=
+            =8ak0
+            -----END PGP MESSAGE-----
+          fp: 49F10679C425233EFB4B1B6F9D641BEFA42DEC28
+    encrypted_regex: ^(data|stringData)$
+    version: 3.10.1

clusters/titan.lan.huizinga.dev/infra/authelia-controller.yaml

@@ -1,24 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1beta2
-kind: OCIRepository
-metadata:
-  name: authelia-controller
-  namespace: flux-system
-spec:
-  interval: 1m0s
-  url: oci://git.huizinga.dev/dreaded_x/authelia-controller/manifests
-  ref:
-    tag: edge
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: authelia-controller
-  namespace: flux-system
-spec:
-  interval: 15m
-  prune: true
-  timeout: 2m
-  sourceRef:
-    kind: OCIRepository
-    name: authelia-controller
-  wait: true

clusters/titan.lan.huizinga.dev/infra/kustomization.yaml

@@ -0,0 +1,21 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ./../../../infra/akri
+  - ./../../../infra/authelia
+  - ./../../../infra/cert-manager
+  - ./../../../infra/cnpg
+  - ./../../../infra/descheduler.yaml
+  - ./../../../infra/dragonflydb.yaml
+  - ./../../../infra/external-snapshotter.yaml
+  - ./../../../infra/intel-device-plugins.yaml
+  - ./../../../infra/kube-vip
+  - ./../../../infra/kyverno
+  - ./../../../infra/lldap
+  - ./../../../infra/loki
+  - ./../../../infra/node-feature-discovery
+  - ./../../../infra/rook-ceph
+  - ./../../../infra/topolvm
+  - ./../../../infra/traefik
+  - ./../../../infra/velero

clusters/titan.lan.huizinga.dev/infra/lldap-controller.yaml

@@ -1,24 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1beta2
-kind: OCIRepository
-metadata:
-  name: lldap-controller
-  namespace: flux-system
-spec:
-  interval: 1m0s
-  url: oci://git.huizinga.dev/dreaded_x/lldap-controller/manifests
-  ref:
-    tag: edge
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: lldap-controller
-  namespace: flux-system
-spec:
-  interval: 15m
-  prune: true
-  timeout: 2m
-  sourceRef:
-    kind: OCIRepository
-    name: lldap-controller
-  wait: true

infra/akri/akri.yaml

@@ -3,9 +3,11 @@ kind: Kustomization
 metadata:
   name: akri
   namespace: flux-system
+  labels:
+    alert: flux-infra
 spec:
   interval: 15m
-  path: ./infra/akri
+  path: ./infra/akri/akri
   prune: true
   timeout: 2m
   sourceRef:

infra/akri/akri/kustomization.yaml

@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: akri
+resources:
+  - ./namespace.yaml
+  - ./helm-repository.yaml
+  - ./helm-release.yaml
+
+configurations:
+  - ../../../common/name-reference/helm-release.yaml
+
+configMapGenerator:
+  - name: akri-values
+    files:
+      - ./values.yaml

infra/akri/kustomization.yaml

@@ -1,15 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: akri
 resources:
-  - ./namespace.yaml
-  - ./helm-repository.yaml
-  - ./helm-release.yaml
-
-configurations:
-  - ../../common/name-reference/helm-release.yaml
-
-configMapGenerator:
-  - name: akri-values
-    files:
-      - ./values.yaml
+  - ./akri.yaml

infra/authelia/authelia-controller.yaml

@@ -0,0 +1,62 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: OCIRepository
+metadata:
+  name: authelia-controller
+  namespace: flux-system
+spec:
+  interval: 15m0s
+  url: oci://git.huizinga.dev/dreaded_x/authelia-controller/manifests
+  ref:
+    tag: edge
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: authelia-controller
+  namespace: flux-system
+spec:
+  interval: 15m
+  prune: true
+  timeout: 2m
+  sourceRef:
+    kind: OCIRepository
+    name: authelia-controller
+  wait: true
+---
+apiVersion: notification.toolkit.fluxcd.io/v1
+kind: Receiver
+metadata:
+  name: authelia-controller
+  namespace: flux-system
+spec:
+  type: generic
+  secretRef:
+    name: receiver
+  resources:
+    - apiVersion: source.toolkit.fluxcd.io/v1beta2
+      kind: OCIRepository
+      name: authelia-controller
+---
+apiVersion: notification.toolkit.fluxcd.io/v1beta3
+kind: Provider
+metadata:
+  name: authelia-controller
+  namespace: flux-system
+spec:
+  type: gitea
+  address: https://git.huizinga.dev/dreaded_x/authelia-controller
+  secretRef:
+    name: gitea
+---
+apiVersion: notification.toolkit.fluxcd.io/v1beta3
+kind: Alert
+metadata:
+  name: authelia-controller
+  namespace: flux-system
+spec:
+  providerRef:
+    name: authelia-controller
+  eventSeverity: info
+  eventSources:
+    - kind: Kustomization
+      name: authelia-controller

infra/authelia/authelia.yaml

@@ -3,9 +3,11 @@ kind: Kustomization
 metadata:
   name: authelia
   namespace: flux-system
+  labels:
+    alert: flux-infra
 spec:
   interval: 15m
-  path: ./infra/authelia
+  path: ./infra/authelia/authelia
   dependsOn:
     - name: traefik
     - name: cnpg

infra/authelia/authelia/kustomization.yaml

@@ -0,0 +1,18 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: authelia
+resources:
+  - ./namespace.yaml
+  - ./helm-repository.yaml
+  - ./helm-release.yaml
+  - ./service-user.yaml
+  - ../../../common/postgres
+  - ../../../common/dragonflydb
+
+configurations:
+  - ../../../common/name-reference/helm-release.yaml
+
+configMapGenerator:
+  - name: authelia-values
+    files:
+      - ./values.yaml

infra/authelia/kustomization.yaml

@@ -1,18 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: authelia
 resources:
-  - ./namespace.yaml
-  - ./helm-repository.yaml
-  - ./helm-release.yaml
-  - ./service-user.yaml
-  - ../../common/postgres
-  - ../../common/dragonflydb
-
-configurations:
-  - ../../common/name-reference/helm-release.yaml
-
-configMapGenerator:
-  - name: authelia-values
-    files:
-      - ./values.yaml
+  - ./authelia-controller.yaml
+  - ./authelia.yaml

infra/cert-manager/cert-manager.yaml

@@ -3,9 +3,11 @@ kind: Kustomization
 metadata:
   name: cert-manager
   namespace: flux-system
+  labels:
+    alert: flux-infra
 spec:
   interval: 15m
-  path: ./infra/cert-manager
+  path: ./infra/cert-manager/cert-manager
   prune: true
   timeout: 2m
   sourceRef:

infra/cert-manager/cert-manager/kustomization.yaml

@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: cert-manager
+resources:
+  - ./namespace.yaml
+  - ./helm-repository.yaml
+  - ./helm-release.yaml
+
+configurations:
+  - ../../../common/name-reference/helm-release.yaml
+
+configMapGenerator:
+  - name: cert-manager-values
+    files:
+      - ./values.yaml

infra/cert-manager/kustomization.yaml

@@ -1,15 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: cert-manager
 resources:
-  - ./namespace.yaml
-  - ./helm-repository.yaml
-  - ./helm-release.yaml
-
-configurations:
-  - ../../common/name-reference/helm-release.yaml
-
-configMapGenerator:
-  - name: cert-manager-values
-    files:
-      - ./values.yaml
+  - ./cert-manager.yaml
+  - ./letsencrypt.yaml

infra/cert-manager/letsencrypt.yaml

@@ -3,9 +3,11 @@ kind: Kustomization
 metadata:
   name: letsencrypt
   namespace: flux-system
+  labels:
+    alert: flux-infra
 spec:
   interval: 15m
-  path: ./infra/letsencrypt
+  path: ./infra/cert-manager/letsencrypt
   dependsOn:
     - name: cert-manager
   prune: true

infra/cnpg/cnpg.yaml

@@ -3,9 +3,11 @@ kind: Kustomization
 metadata:
   name: cnpg
   namespace: flux-system
+  labels:
+    alert: flux-infra
 spec:
   interval: 15m
-  path: ./infra/cnpg
+  path: ./infra/cnpg/cnpg
   dependsOn:
     - name: topolvm
   prune: true

infra/cnpg/cnpg/kustomization.yaml

@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: cnpg-system
+resources:
+  - ./namespace.yaml
+  - ./helm-repository.yaml
+  - ./helm-release.yaml
+configurations:
+  - ../../../common/name-reference/helm-release.yaml
+
+configMapGenerator:
+  - name: cnpg-values
+    files:
+      - ./values.yaml

infra/cnpg/kustomization.yaml

@@ -1,14 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: cnpg-system
 resources:
-  - ./namespace.yaml
-  - ./helm-repository.yaml
-  - ./helm-release.yaml
-configurations:
-  - ../../common/name-reference/helm-release.yaml
-
-configMapGenerator:
-  - name: cnpg-values
-    files:
-      - ./values.yaml
+  - ./cnpg.yaml

infra/kube-vip/kube-vip.yaml

@@ -3,9 +3,11 @@ kind: Kustomization
 metadata:
   name: kube-vip
   namespace: flux-system
+  labels:
+    alert: flux-infra
 spec:
   interval: 15m
-  path: ./infra/kube-vip
+  path: ./infra/kube-vip/kube-vip
   dependsOn:
     - name: kyverno-policies
   prune: true

infra/kube-vip/kube-vip/kustomization.yaml

@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kube-system
+resources:
+  - ./service-account.yaml
+  - ./cluster-role.yaml
+  - ./cluster-role-binding.yaml
+  - ./daemon-set.yaml
+
+  - https://raw.githubusercontent.com/kube-vip/kube-vip-cloud-provider/refs/tags/v0.0.11/manifest/kube-vip-cloud-controller.yaml
+  - ./config-map-kubevip.yaml

infra/kube-vip/kustomization.yaml

@@ -1,11 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: kube-system
 resources:
-  - ./service-account.yaml
-  - ./cluster-role.yaml
-  - ./cluster-role-binding.yaml
-  - ./daemon-set.yaml
-
-  - https://raw.githubusercontent.com/kube-vip/kube-vip-cloud-provider/refs/tags/v0.0.11/manifest/kube-vip-cloud-controller.yaml
-  - ./config-map-kubevip.yaml
+  - ./kube-vip.yaml

infra/kyverno/kustomization.yaml

@@ -1,15 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: kyverno
 resources:
-  - ./namespace.yaml
-  - ./helm-repository.yaml
-  - ./helm-release.yaml
-
-configurations:
-  - ../../common/name-reference/helm-release.yaml
-
-configMapGenerator:
-  - name: kyverno-values
-    files:
-      - ./values.yaml
+  - ./kyverno-policies.yaml
+  - ./kyverno.yaml

infra/kyverno/kyverno-policies.yaml

@@ -3,9 +3,11 @@ kind: Kustomization
 metadata:
   name: kyverno-policies
   namespace: flux-system
+  labels:
+    alert: flux-infra
 spec:
   interval: 15m
-  path: ./infra/kyverno-policies
+  path: ./infra/kyverno/kyverno-policies
   dependsOn:
     - name: kyverno
   prune: true

infra/kyverno/kyverno.yaml

@@ -3,9 +3,11 @@ kind: Kustomization
 metadata:
   name: kyverno
   namespace: flux-system
+  labels:
+    alert: flux-infra
 spec:
   interval: 15m
-  path: ./infra/kyverno
+  path: ./infra/kyverno/kyverno
   prune: true
   timeout: 2m
   sourceRef:

infra/kyverno/kyverno/kustomization.yaml

@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kyverno
+resources:
+  - ./namespace.yaml
+  - ./helm-repository.yaml
+  - ./helm-release.yaml
+
+configurations:
+  - ../../../common/name-reference/helm-release.yaml
+
+configMapGenerator:
+  - name: kyverno-values
+    files:
+      - ./values.yaml

infra/lldap/kustomization.yaml

@@ -1,10 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: lldap
 resources:
-  - ./namespace.yaml
-  - ./secret-lldap-credentials.yaml
-  - ./deployment.yaml
-  - ./service.yaml
-  - ./ingress-route.yaml
-  - ../../common/postgres
+  - ./lldap-controller.yaml
+  - ./lldap.yaml

infra/lldap/lldap-controller.yaml

@@ -0,0 +1,62 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: OCIRepository
+metadata:
+  name: lldap-controller
+  namespace: flux-system
+spec:
+  interval: 15m0s
+  url: oci://git.huizinga.dev/dreaded_x/lldap-controller/manifests
+  ref:
+    tag: edge
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: lldap-controller
+  namespace: flux-system
+spec:
+  interval: 15m
+  prune: true
+  timeout: 2m
+  sourceRef:
+    kind: OCIRepository
+    name: lldap-controller
+  wait: true
+---
+apiVersion: notification.toolkit.fluxcd.io/v1
+kind: Receiver
+metadata:
+  name: lldap-controller
+  namespace: flux-system
+spec:
+  type: generic
+  secretRef:
+    name: receiver
+  resources:
+    - apiVersion: source.toolkit.fluxcd.io/v1beta2
+      kind: OCIRepository
+      name: lldap-controller
+---
+apiVersion: notification.toolkit.fluxcd.io/v1beta3
+kind: Provider
+metadata:
+  name: lldap-controller
+  namespace: flux-system
+spec:
+  type: gitea
+  address: https://git.huizinga.dev/dreaded_x/lldap-controller
+  secretRef:
+    name: gitea
+---
+apiVersion: notification.toolkit.fluxcd.io/v1beta3
+kind: Alert
+metadata:
+  name: lldap-controller
+  namespace: flux-system
+spec:
+  providerRef:
+    name: lldap-controller
+  eventSeverity: info
+  eventSources:
+    - kind: Kustomization
+      name: lldap-controller

infra/lldap/lldap.yaml

@@ -3,9 +3,11 @@ kind: Kustomization
 metadata:
   name: lldap
   namespace: flux-system
+  labels:
+    alert: flux-infra
 spec:
   interval: 15m
-  path: ./infra/lldap
+  path: ./infra/lldap/lldap
   dependsOn:
     - name: traefik
     - name: cnpg

infra/lldap/lldap/kustomization.yaml

@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: lldap
+resources:
+  - ./namespace.yaml
+  - ./secret-lldap-credentials.yaml
+  - ./deployment.yaml
+  - ./service.yaml
+  - ./ingress-route.yaml
+  - ../../../common/postgres

infra/loki/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./loki.yaml
+  - ./promtail.yaml

infra/loki/loki.yaml

@@ -0,0 +1,18 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: loki
+  namespace: flux-system
+  labels:
+    alert: flux-infra
+spec:
+  interval: 15m
+  path: ./infra/loki/loki
+  dependsOn:
+    - name: rook-ceph
+  prune: true
+  timeout: 2m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  wait: true

infra/loki/loki/helm-release.yaml

@@ -0,0 +1,18 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: loki
+spec:
+  chart:
+    spec:
+      chart: loki
+      reconcileStrategy: ChartVersion
+      sourceRef:
+        kind: HelmRepository
+        name: grafana
+      version: 6.29.0
+  interval: 15m
+  timeout: 5m
+  valuesFrom:
+    - kind: ConfigMap
+      name: loki-values

infra/loki/loki/helm-repository.yaml

@@ -0,0 +1,7 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: grafana
+spec:
+  interval: 15m
+  url: https://grafana.github.io/helm-charts

infra/loki/loki/kustomization.yaml

@@ -0,0 +1,22 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: loki
+resources:
+  - ./namespace.yaml
+  - ./object-bucket-claim.yaml
+  - ./helm-repository.yaml
+  - ./helm-release.yaml
+
+configurations:
+  - ../../../common/name-reference/helm-release.yaml
+
+configMapGenerator:
+  - name: loki-values
+    files:
+      - ./values.yaml
+  - name: grafana-datasource
+    options:
+      labels:
+        grafana_datasource: "1"
+    files:
+      - ./loki-datasource.yaml

infra/loki/loki/loki-datasource.yaml

@@ -0,0 +1,8 @@
+apiVersion: 1
+datasources:
+  - name: Loki
+    type: loki
+    access: proxy
+    url: http://loki-gateway.loki.svc.cluster.local
+    uid: "loki"
+    jsonData: {}

infra/loki/loki/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: loki

infra/loki/loki/object-bucket-claim.yaml

@@ -0,0 +1,7 @@
+apiVersion: objectbucket.io/v1alpha1
+kind: ObjectBucketClaim
+metadata:
+  name: loki-bucket
+spec:
+  generateBucketName: loki
+  storageClassName: ceph-bucket

infra/loki/loki/values.yaml

@@ -0,0 +1,75 @@
+loki:
+  auth_enabled: false
+
+  schemaConfig:
+    configs:
+      - from: "2024-04-01"
+        store: tsdb
+        object_store: s3
+        schema: v13
+        index:
+          prefix: index_
+          period: 24h
+
+  limits_config:
+    split_queries_by_interval: "1h"
+    retention_period: 672h # 28 days retention
+  query_scheduler:
+    max_outstanding_requests_per_tenant: 2048
+
+  storage:
+    type: s3
+    bucketNames:
+      chunks: "${BUCKET_NAME}"
+      ruler: "${BUCKET_NAME}"
+      admin: "${BUCKET_NAME}"
+    s3:
+      # s3 URL can be used to specify the endpoint, access key, secret key, and bucket name this works well for S3 compatible storages or if you are hosting Loki on-premises and want to use S3 as the storage backend. Either use the s3 URL or the individual fields below (AWS endpoint, region, secret).
+      # s3: s3://access_key:secret_access_key@custom_endpoint/bucket_name
+      # AWS endpoint URL
+      endpoint: "${BUCKET_HOST}"
+      # AWS region where the S3 bucket is located
+      region: "${BUCKET_REGION}"
+      # AWS secret access key
+      secretAccessKey: "${AWS_SECRET_ACCESS_KEY}"
+      # AWS access key ID
+      accessKeyId: "${AWS_ACCESS_KEY_ID}"
+      # AWS signature version (e.g., v2 or v4)
+      # signatureVersion: <your-signature-version>
+      # Forces the path style for S3 (true/false)
+      s3ForcePathStyle: true
+      # Allows insecure (HTTP) connections (true/false)
+      insecure: true
+      # HTTP configuration settings
+      # http_config: {}
+
+backend:
+  replicas: 2
+
+  extraArgs:
+    - -config.expand-env=true
+  extraEnvFrom:
+    - secretRef:
+        name: loki-bucket
+    - configMapRef:
+        name: loki-bucket
+read:
+  replicas: 2
+
+  extraArgs:
+    - -config.expand-env=true
+  extraEnvFrom:
+    - secretRef:
+        name: loki-bucket
+    - configMapRef:
+        name: loki-bucket
+write:
+  replicas: 2
+
+  extraArgs:
+    - -config.expand-env=true
+  extraEnvFrom:
+    - secretRef:
+        name: loki-bucket
+    - configMapRef:
+        name: loki-bucket

infra/loki/promtail.yaml

@@ -0,0 +1,18 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: promtail
+  namespace: flux-system
+  labels:
+    alert: flux-infra
+spec:
+  interval: 15m
+  path: ./infra/loki/promtail
+  dependsOn:
+    - name: loki
+  prune: true
+  timeout: 2m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  wait: true

infra/loki/promtail/helm-release.yaml

@@ -0,0 +1,18 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: promtail
+spec:
+  chart:
+    spec:
+      chart: promtail
+      reconcileStrategy: ChartVersion
+      sourceRef:
+        kind: HelmRepository
+        name: grafana
+      version: 6.16.6
+  interval: 15m
+  timeout: 5m
+  valuesFrom:
+    - kind: ConfigMap
+      name: promtail-values

infra/loki/promtail/kustomization.yaml

@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: loki
+resources:
+  - ./helm-release.yaml
+
+configurations:
+  - ../../../common/name-reference/helm-release.yaml
+
+configMapGenerator:
+  - name: promtail-values
+    files:
+      - ./values.yaml

infra/loki/promtail/values.yaml

@@ -0,0 +1,14 @@
+initContainer:
+  # -- Specifies whether the init container for setting inotify max user instances is to be enabled
+  - name: init
+    # -- Docker registry, image and tag for the init container image
+    image: docker.io/busybox:1.33
+    # -- Docker image pull policy for the init container image
+    imagePullPolicy: IfNotPresent
+    # -- The inotify max user instances to configure
+    command:
+      - sh
+      - -c
+      - sysctl -w fs.inotify.max_user_instances=512
+    securityContext:
+      privileged: true