Added loki as grafana datasource

.kcignore

@@ -0,0 +1 @@
+.sops.yaml

.pre-commit-config.yaml

@@ -0,0 +1,29 @@
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v5.0.0
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: check-yaml
+        args:
+          - --allow-multiple-documents
+      - id: check-added-large-files
+      - id: check-merge-conflict
+
+  - repo: https://github.com/crate-ci/typos
+    rev: v1.30.2
+    hooks:
+      - id: typos
+        args: ["--force-exclude"]
+
+  - repo: git@huizinga.dev:Dreaded_X/cluster-crds.git
+    rev: 951a61836937c443aa9a8d49d973cfc23dd6d219
+    hooks:
+      - id: kubeconform
+
+  # Linting does not work with external values.yaml
+  # TODO: Include url to schema in values.yaml and validate based on that?
+  # - repo: https://github.com/tarioch/flux-check-hook
+  #   rev: v0.8.0
+  #   hooks:
+  #     - id: check-flux-helm-values

.typos.toml

@@ -0,0 +1,10 @@
+[default]
+# Ignore
+extend-ignore-re = [
+  "-{5}BEGIN PGP MESSAGE-{5}(?:$|[^-]{63,}-{5}END PGP MESSAGE-{5})",
+  "-{5}BEGIN PGP PUBLIC KEY BLOCK-{5}(?:$|[^-]{63,}-{5}END PGP PUBLIC KEY BLOCK-{5})",
+]
+
+[files]
+# Ignore generated files
+extend-exclude = ["gotk-components.yaml", "gotk-sync.yaml"]

apps/akri-demo.yaml

@@ -16,3 +16,6 @@ spec:
       containers:
         - name: akri-demo
           image: traefik/whoami
+          resources:
+            limits:
+              "{{PLACEHOLDER}}": "1"

apps/authelia/kustomization.yaml

@@ -1,12 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: authelia
-resources:
-  - ./namespace.yaml
-  - ./repository.yaml
-  - ./release.yaml
-  - ./lldap.yaml
-
-components:
-  - ../../common/postgres
-  - ../../common/dragonflydb

apps/authelia/lldap.yaml

@@ -1,60 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-    name: authelia-lldap
-type: Opaque
-stringData:
-    password: ENC[AES256_GCM,data:t9dCqqJrS0mhJMBXLKTKUgbOpwI3LGN134OlGmIaOsZg1bzWSV4sU0YAQMU=,iv:Bp2hO34VNtqy+7ZnWtqvmUNe2GKUh7KPZmRgXzyFqqA=,tag:qJ8iV6OyuNlVmnrPs13LNg==,type:str]
-    user-configs.json: ENC[AES256_GCM,data:7bhp9uWOM1NcfJ8DnnUdYCIFMZeCvmGr8S5gJPzw0kzXfXQfRbI2xfq4X5GdAbOCn9HHM1F+xJLaF6tno1ZmH26NN7FkXUZQCtqK9+yZgjHY8MZYsUZHdZlV40BcaYSCk7qtefGsCrITN2X/DAjrmedNeh0CF9rdov3ZKsi8nSGWGUeLpKcouhOpvbfLRSoEEfYUyUF1r5GscTuunh9uZ8DtoCJvBf8iyQ==,iv:3YuaXKKIHUgzWL07yItqR6rgI+YXbaoTVc4xdiZ/hWU=,tag:hyObOlrQVXgRHgDxcV/R0g==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age: []
-    lastmodified: "2024-11-22T04:09:11Z"
-    mac: ENC[AES256_GCM,data:3o1AYP26QEIMjCUZ4y6AH+CXevoJoJ+rX3ioMLRf8KAGy0mSOtacaSY9xRdDIjATu9aJgHmFbSw9CHTBpXxmaISZxQdMPMHQAmRxHnSuQiofPRkVtD1TlvCFcDTSgITWbvG3dpUoLdM57Mgd3z7KpI/+gEoDebYfryDaYXCoH3c=,iv:1C8QMJCJtvnGVPpLJE+l0U3hOknEC3XiWTQrPAQsHKc=,tag:fn+cMj1NImJSvNiuyzX5pQ==,type:str]
-    pgp:
-        - created_at: "2024-11-22T04:09:11Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMA7pKPTYH5bqOAQ/+MgqnLWwHCWPxacANbHEEYsPENOyIywmYJnSnRqRLWhAn
-            9K0/udCxwO30rnvo+p6/YLF2VSqFfz7pUm/z+MH6ypyY1B83HjCkjsaTQhPR5Q0K
-            CmhTR7TrQBNfa/flawhebWOjvmUJ9lJ9uqCnAB16S03Sn+PqDYlGTE6CMJ0oJuSr
-            VpxdvdvFZ1gfR7hlVrsKqvn47T3XIYDJohp9l819nQ1O2adTPfevZEN/JLwaWSLT
-            YtwJyg+6ogKD3q6UBv7hyyXH9ZlMHFxGWxmo1OXAA3E/vMvOacgmFW6pqoGMqwGU
-            D9Ch2x1MBobD342ZPPmsQNiI+34Q5cl+hVJJgL5jWk2kML67itM8pMUTyn+5NtWO
-            wWo6zu5q5IfqREwuerZtisocctrLB9QKPVGcjVihWfoenvlkf4yfCRDFzOPSAb0o
-            e2K+3fZknZlnb3Qb/rgD7XRiBhcif1zIHZxUQDv/Lq9GyuCM7dk8YKUVCtyeixQ4
-            C+WFmp9ED8xzv1jR9lPcQhD+I2Cb7/9jlTXEetFHSzl4riYpKPjhKQedUWZ0YY1A
-            u0ORTBaLzcmrXTjGz24PxmWZDBjhV4Kgvn76rchqLrS8lvi1EbXoZB6ERhuhlz5Y
-            bm1FwUBxDRG04gFCPwWKV0AvMmhd+hOdyo4KeQbZCO+w3QqXnp/y6b3TtpEeQnPU
-            aAEJAhCMqxSAESN99AcEtW56mJsZmRCCi3NsRLwllDczeDfUznF2CSTCnJRDmjsU
-            bLf8jVjawLxfRnKmRyKX/cCYbuz9OmIFkOAWoSNVb/teiMrYYFq96kRDLHR1Llxr
-            EuX0poghRPqU
-            =tI6a
-            -----END PGP MESSAGE-----
-          fp: 1E0CF38FF7C9ADAED58B436ABA4A3D3607E5BA8E
-        - created_at: "2024-11-22T04:09:11Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMA51kG++kLewoARAA15aOcSEfAIpEXXhmF4YToynn1NM9OsANHc3PR2uVzAPv
-            C4Wi8R1PNhGdV3aTuRN5WpSjkJEE3GNR0kA0Etao7Ip0d1UgXzg1wtwEd1Yyvtdh
-            ccK2/z0a4UJu8SMczChT1P18IASNksaxSAm+TOLFGcZeJFwQepsBaQIEfXYO3+hR
-            Jw+zcPmFaOzKoqdbAAWzvYhLxD2ocjZl7iiIOhz8fBSqWLO2oeJRp5Lk8Q14olTZ
-            708BQ+aLlsVJyLkiV7SzlKfEDIymMDZSe7Q3i4JqOFOyHRIkIM5ZPOLoelqRNcY2
-            zQphsk1U/MFp7LsR/d+5IKWBkqV5DYJWFunw+NRFHLg1/6+zmGnGbZ2gZfohvnKV
-            5GUrYfWCBACIclpxY7PlVQ7d/aTDf3jdR0iVV3Jh+8Lvze1msPvI+BF67oDNMsTu
-            EIbRa6eHzxgSqrq3Za5eeUXd9Gxfg2g4KdkbG+FA9qQI6f5Y1q0tE9cFfOElTiBk
-            xTAckrBMHOMGozvx4/6xXHMmAxd80tX0ZjVyBsPBeb64oZGlsGuRngWT1Ob9gF4Q
-            sDfyd74kpQ9fHhIYs9XSLrPbH6yzVIFF/sHpMGgri43PCMW6vvnfP4JQgdMNdXRw
-            U+RWDxA6BOkP7XvNfGADiumeSGQ+PE/KP0TuUqMD7gr9X/VGH+/1e6zbI1iruhPS
-            XgFoSamAXKfYrYz94J9u0vA8D8ne9EKa8Ls6ybicyyZlGLri/qnoHNJAVhLWKdId
-            h68ksrI5l25Z1MkAcKVR1xlHUnRCwb2Xdbag0vV07So00wxAl1XNhtPeuQrykk0=
-            =V4Gd
-            -----END PGP MESSAGE-----
-          fp: 49F10679C425233EFB4B1B6F9D641BEFA42DEC28
-    encrypted_regex: ^(data|stringData)$
-    version: 3.9.0

apps/authelia/release.yaml

@@ -1,87 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: authelia
-spec:
-  chart:
-    spec:
-      chart: authelia
-      reconcileStrategy: ChartVersion
-      sourceRef:
-        kind: HelmRepository
-        name: authelia
-      version: 0.9.9
-  interval: 15m
-  values:
-    pod:
-      replicas: 2
-    ingress:
-      enabled: true
-      tls:
-        enabled: true
-        secret: ${domain//./-}-tls
-      traefikCRD:
-        enabled: true
-        entryPoints:
-          - websecure
-
-    secret:
-      additionalSecrets:
-        authelia-db-cluster-app:
-          key: authelia-db-cluster-app
-        authelia-lldap:
-          key: authelia-lldap
-
-    configMap:
-      authentication_backend:
-        ldap:
-          enabled: true
-          implementation: custom
-          address: ldap://lldap.lldap.svc.cluster.local:3890
-          base_dn: dc=huizinga,dc=dev
-          additional_users_dn: ou=people
-          users_filter: "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))"
-          additional_groups_dn: ou=groups
-          groups_filter: "(member={dn})"
-          attributes:
-            display_name: displayName
-            username: uid
-            group_name: cn
-            mail: mail
-          user: uid=authelia,ou=people,dc=huizinga,dc=dev
-          password:
-            secret_name: authelia-lldap
-            path: password
-
-      session:
-        cookies:
-          - subdomain: login${subdomain}
-            domain: ${topdomain}
-        redis:
-          enabled: true
-          host: dragonflydb.authelia
-
-      storage:
-        postgres:
-          enabled: true
-          address: tcp://authelia-db-cluster-rw.authelia:5432
-          database: app
-          username: app
-          password:
-            secret_name: authelia-db-cluster-app
-            path: password
-
-      notifier:
-        filesystem:
-          enabled: true
-
-      access_control:
-        rules:
-          - domain: traefik.${domain}
-            policy: one_factor
-            subject: "group:lldap_admin"
-          - domain: grafana.${domain}
-            policy: one_factor
-          # Deny by default, mainly a placeholder to allow patching in other rules
-          - domain: "*"
-            policy: deny

apps/grafana/access-control-rule.yaml

@@ -0,0 +1,7 @@
+apiVersion: authelia.huizinga.dev/v1
+kind: AccessControlRule
+metadata:
+  name: grafana
+spec:
+  domain: grafana.${domain}
+  policy: one_factor

apps/grafana/kustomization.yaml

@@ -5,9 +5,8 @@ resources:
   - ./namespace.yaml
   - ./repository.yaml
   - ./release.yaml
-  - ./lldap.yaml
-
-components:
+  - ./service-user.yaml
+  - ./access-control-rule.yaml
   - ../../common/postgres
   - ../../common/dragonflydb
 
@@ -17,4 +16,4 @@ configurations:
 secretGenerator:
   - name: grafana-ldap-toml
     files:
-      - ldap-toml
+      - ldap-toml=ldap.toml

apps/grafana/ldap.toml

@@ -20,10 +20,10 @@ ssl_skip_verify = false
 # client_key = "/path/to/client.key"
 
 # Search user bind dn
-bind_dn = "uid=grafana,ou=people,dc=huizinga,dc=dev"
+bind_dn = "${BIND_DN}"
 # Search user bind password
 # If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
-bind_password = """${LDAP_ADMIN_PASSWORD}"""
+bind_password = "${LDAP_PASSWORD}"
 
 # User search filter
 search_filter = "(&(|(uid=%s)(mail=%s))(objectClass=person))"

apps/grafana/lldap.yaml

@@ -1,60 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-    name: grafana-lldap
-type: Opaque
-stringData:
-    password: ENC[AES256_GCM,data:0QolUQJaul0Hao4qJF/wxmV1APnwuJPMm/JgjdrPSr6edFTjED5jSt9lyio=,iv:faITYBBHrnHEnPn9zAK+y24AfXi9rZDZzu7RO9EBpX0=,tag:SI7sf2ORGYrbU1v3PdRYmw==,type:str]
-    user-configs.json: ENC[AES256_GCM,data:oshuHNNLYtNXbtkWw4oSpsxGRLNnOfCOJ9jFhKaPtgwYqCLEiOvw2AoWC7SBBv+gScBHDAbghwWJHP0ff2RSCNT6zGaAOinTOezErwmdpwA8A6JZY+EGh2+qnSkO6Eosy+tbWATUqAfZGmzqLzKlhF1Bleg2pc3pb3q9lzv4RWaizg0sFVKxfxaKJ98BRmq7blH7F47c+ybmkheZL10dBr9JLtfTsQ==,iv:KvJVCDyseQ82CQn2gUB3BM1MFVAMoZGWGqzrt8Tjmcs=,tag:FvyL72NYx4VRXdrzW4abdg==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age: []
-    lastmodified: "2024-12-30T03:11:38Z"
-    mac: ENC[AES256_GCM,data:XIV9UXqKcSkWRyPUBasswbfUFy7PKCjz3xqghmvk0Nin0l2GzrPfXvmiFb9Ytt8HduR7s+a4c609ZXlnXLQPHoM0w7I/4ELYTPzez4jgWPRSB3f4Oz5GDz0zKOzHqXJQec92YULhbUKeuQdBnTlMl+JMLuMX2C7t16HlI+WgWvA=,iv:5yfI/pBYYNNE5B5JICGUnk1t045abQaQYDJObZbXflc=,tag:LdU1tMHmelPGTG4bESxPPg==,type:str]
-    pgp:
-        - created_at: "2024-12-30T03:06:07Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMA7pKPTYH5bqOARAAqYYnP/oUVePG0EMSXrEY/IadyZoi49oMzMKVKATJoRti
-            CMoDSc9URIe9hW9aVzTj925qfh/e1bU3gYS1ghCxRXINHkVpgFZ7o/iVGL4bdeuU
-            QrGYxrm7/IZQUSNy5d4r1vO/n5lEdrcmX57N4LKYDUnF2+Vf/j3DILGzDFBTh3U2
-            GnlaFMPtabMzZpDz5U9hfGeLmz+63DKMQeExq4egKoeKf1RIVG3x1S9XpvpwAvvG
-            omZSvDaT44winp2T6HF70oqF5nF0ex3mBTrhsEdff+5o/cinT40WfOID239MUmzq
-            U7Rafx/tHM9CI4u646C0CIAAY7tS0jB+eud8btA+X1KyfSUegFwAm1FzL5w3ZI3/
-            kcGXgV0AbrjprqWCqBbWF8ZWoHN3RgEr7naYuo8Z0wMWLdW6IvW9CBvh+I1K1hDW
-            mFZ8fA4cW4kowzSr79wYd32w1lnfjuA8itr/paSzCKpF44GfpkZ470h55KiEwCij
-            92ChS+RshTjLGebIzE/5LOmJYGauU1jcJ9HtRvWIajprQ6Y8oJh1fCvendTkVK58
-            psGNoVsguj3Jf4OZ7PK8KMvxxG/dceYHDRKlQe78x3VhlwUC3N0jrPqmqzuo1SFT
-            07L0tRepxa1MokZzC4Vs+yEFoy7lF1VjMSmXQWkavqzuEkffU9y/3gABnR7UEvrU
-            aAEJAhA5mxWyM1zu7f0ppbyTaYd7wqpq7DO6uoCziYza7xE3hZ+fNLMssi/gctd5
-            E9O1e7yRtxQui1L4uVtrpW3o7RfE+UqtE2peUFcdW7Uja+URM4/G7kzadgDAQ1fj
-            8PqQ49TpHxYC
-            =eBq+
-            -----END PGP MESSAGE-----
-          fp: 1E0CF38FF7C9ADAED58B436ABA4A3D3607E5BA8E
-        - created_at: "2024-12-30T03:06:07Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMA51kG++kLewoARAApjAXIvzIxzFJgKTynZSQz36hBdz1silLW6iJF2I8rlll
-            tdw6Sez7m3ynta3dMU9m2rtA4yVNiDIOyW6HaKtNEAOSkaIfKDVTLt77a3ypZzVi
-            /mcJ94DmRqax/a8OInYIFKzKnH07ZF8uZ5NogRRCEd66AuUrymi0okNpKXYa/hw9
-            gJXmxzk5tzDqyoaDm4GraUQelE2CAFnML36nguc4HEwJsHvgnD+gEuAagDiLrdIU
-            LFNw39s+1wpstSjiWaOwZbl3XG9t+wBnUHpoN830cQE0hjib/XMtiH4D1EnHjxTr
-            wSRPEczLbe2Z1kpTHd2Zt/nFNsudtqViy2LgQDAkrlJL2YNbvWqfssMmPkVjDLeH
-            qh0cGKWJ3we+ad/pR60DBm2Q8RVzylqojn6o5sdOPlCh+cwI9Tiac6b3cdVYDAop
-            el4hbxGPojRw+BWGbrpTvu3H3zaTNA8Xwds1FIoisyTRIEISq9HGkbwFmtCXQGwN
-            R4qi151dUiuGDwkJlaVspbAu8uikV0ucZ7xR6+D6f3NUhyCeGiBz6gb48SZDJ0u8
-            IfcYu0HOzgeQzMn4X0vluxbFbIA4CxZlyy1I60YwHUSUvDGYFiJ7fDBSOnQeHUT9
-            2BSYlMsw0r5o8KZDPQ0vRVOCN7FC0lVZ+O4hSAfYJq7KdzD55HGFNZ1SgncUI3/S
-            XgGe/0g5rvyHi2Mc67Sl/6ooLL3AeelzTgOD1deMKO7inzfFfolETn42O09H3RL4
-            FVDaqZTgxRTo5vI0xy7tt8WzC2RnnKO04eCU2Fpzz/jORMD1YCOoAGuf5ZDsJbM=
-            =9p2Q
-            -----END PGP MESSAGE-----
-          fp: 49F10679C425233EFB4B1B6F9D641BEFA42DEC28
-    encrypted_regex: ^(data|stringData)$
-    version: 3.9.1

apps/grafana/release.yaml

@@ -23,13 +23,17 @@ spec:
         - secretName: ${domain//./-}-tls
       annotations:
         traefik.ingress.kubernetes.io/router.entryPoints: "websecure"
-        traefik.ingress.kubernetes.io/router.middlewares: "authelia-forwardauth-authelia@kubernetescrd" # name of your middleware, as defined in your middleware.yml
+        traefik.ingress.kubernetes.io/router.middlewares: "authelia-forwardauth-authelia@kubernetescrd"
         traefik.ingress.kubernetes.io/router.tls: "true"
 
     envValueFrom:
-      LDAP_ADMIN_PASSWORD:
+      BIND_DN:
         secretKeyRef:
-          name: grafana-lldap
+          name: grafana-lldap-credentials
+          key: bind_dn
+      LDAP_PASSWORD:
+        secretKeyRef:
+          name: grafana-lldap-credentials
           key: password
 
     grafana.ini:
@@ -61,9 +65,15 @@ spec:
       enabled: true
       existingSecret: grafana-ldap-toml
 
+    sidecar:
+      datasources:
+        enabled: true
+        searchNamespace: ALL
+        labelValue: "1"
+
     extraSecretMounts:
-      - name: grafana-db-cluster-app-mount
-        secretName: grafana-db-cluster-app
+      - name: postgres-app-mount
+        secretName: postgres-app
         defaultMode: 0440
         mountPath: /etc/secrets/db
         readOnly: true

apps/grafana/service-user.yaml

@@ -0,0 +1,5 @@
+apiVersion: lldap.huizinga.dev/v1
+kind: ServiceUser
+metadata:
+  name: grafana
+spec: {}

apps/kustomization.yaml

@@ -1,10 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ./lldap
-  - ./authelia
   - ./grafana
-  - ./traefik-dashboard
 
   - ./whoami.yaml
   - ./akri-demo.yaml

apps/lldap/bootstrap/bootstrap-job.yaml

@@ -1,83 +0,0 @@
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: lldap-bootstrap
-  annotations:
-    kustomize.toolkit.fluxcd.io/force: enabled
-spec:
-  template:
-    spec:
-      restartPolicy: OnFailure
-      containers:
-        - name: lldap-bootstrap
-          image: lldap/lldap:v0.5.0
-
-          command:
-            - /bootstrap/bootstrap.sh
-
-          env:
-            - name: LLDAP_URL
-              value: "http://lldap:17170"
-
-            - name: LLDAP_ADMIN_USERNAME
-              value: admin
-
-            - name: LLDAP_ADMIN_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: lldap-credentials
-                  key: lldap-ldap-user-pass
-
-            - name: DO_CLEANUP
-              value: "true"
-
-          volumeMounts:
-            - name: bootstrap
-              mountPath: /bootstrap/bootstrap.sh
-              readOnly: true
-              subPath: bootstrap.sh
-
-            - name: user-configs
-              mountPath: /bootstrap/user-configs
-              readOnly: true
-
-            - name: group-configs
-              mountPath: /bootstrap/group-configs
-              readOnly: true
-
-      volumes:
-        - name: bootstrap
-          configMap:
-            name: bootstrap
-            defaultMode: 0555
-            items:
-              - key: bootstrap.sh
-                path: bootstrap.sh
-
-        - name: user-configs
-          projected:
-            sources:
-              - secret:
-                  name: lldap-bootstrap-configs
-                  items:
-                    - key: user-configs.json
-                      path: user-configs.json
-              - secret:
-                  name: authelia-lldap
-                  items:
-                    - key: user-configs.json
-                      path: authelia-configs.json
-              - secret:
-                  name: grafana-lldap
-                  items:
-                    - key: user-configs.json
-                      path: grafana-configs.json
-
-        - name: group-configs
-          projected:
-            sources:
-              - secret:
-                  name: lldap-bootstrap-configs
-                  items:
-                    - key: group-configs.json
-                      path: group-configs.json

apps/lldap/bootstrap/bootstrap.sh

@@ -1,606 +0,0 @@
-#!/usr/bin/env bash
-
-set -e
-set -o pipefail
-
-LLDAP_URL="${LLDAP_URL:-http://localhost:17170}"
-LLDAP_ADMIN_USERNAME="${LLDAP_ADMIN_USERNAME:-admin}"
-LLDAP_ADMIN_PASSWORD="${LLDAP_ADMIN_PASSWORD:-password}"
-USER_SCHEMAS_DIR="${USER_SCHEMAS_DIR:-/bootstrap/user-schemas}"
-GROUP_SCHEMAS_DIR="${GROUP_SCHEMAS_DIR:-/bootstrap/group-schemas}"
-USER_CONFIGS_DIR="${USER_CONFIGS_DIR:-/bootstrap/user-configs}"
-GROUP_CONFIGS_DIR="${GROUP_CONFIGS_DIR:-/bootstrap/group-configs}"
-LLDAP_SET_PASSWORD_PATH="${LLDAP_SET_PASSWORD_PATH:-/app/lldap_set_password}"
-DO_CLEANUP="${DO_CLEANUP:-false}"
-
-# Fallback to support legacy defaults
-if [[ ! -d $USER_CONFIGS_DIR ]] && [[ -d "/user-configs" ]]; then
-  USER_CONFIGS_DIR="/user-configs"
-fi
-if [[ ! -d $GROUP_CONFIGS_DIR ]] && [[ -d "/group-configs" ]]; then
-  GROUP_CONFIGS_DIR="/group-configs"
-fi
-
-check_install_dependencies() {
-  local commands=('curl' 'jq' 'jo')
-  local commands_not_found='false'
-
-  if ! hash "${commands[@]}" 2>/dev/null; then
-    if hash 'apk' 2>/dev/null && [[ $EUID -eq 0 ]]; then
-      apk add "${commands[@]}"
-    elif hash 'apt' 2>/dev/null && [[ $EUID -eq 0 ]]; then
-      apt update -yqq
-      apt install -yqq "${commands[@]}"
-    else
-      local command=''
-      for command in "${commands[@]}"; do
-        if ! hash "$command" 2>/dev/null; then
-          printf 'Command not found "%s"\n' "$command"
-        fi
-      done
-      commands_not_found='true'
-    fi
-  fi
-
-  if [[ "$commands_not_found" == 'true' ]]; then
-    return 1
-  fi
-}
-
-check_required_env_vars() {
-  local env_var_not_specified='false'
-  local dual_env_vars_list=(
-    'LLDAP_URL'
-    'LLDAP_ADMIN_USERNAME'
-    'LLDAP_ADMIN_PASSWORD'
-  )
-
-  local dual_env_var_name=''
-  for dual_env_var_name in "${dual_env_vars_list[@]}"; do
-    local dual_env_var_file_name="${dual_env_var_name}_FILE"
-
-    if [[ -z "${!dual_env_var_name}" ]] && [[ -z "${!dual_env_var_file_name}" ]]; then
-      printf 'Please specify "%s" or "%s" variable!\n' "$dual_env_var_name" "$dual_env_var_file_name" >&2
-      env_var_not_specified='true'
-    else
-      if [[ -n "${!dual_env_var_file_name}" ]]; then
-        declare -g "$dual_env_var_name"="$(cat "${!dual_env_var_file_name}")"
-      fi
-    fi
-  done
-
-  if [[ "$env_var_not_specified" == 'true' ]]; then
-    return 1
-  fi
-}
-
-check_configs_validity() {
-  local config_file='' config_invalid='false'
-  for config_file in "$@"; do
-    local error=''
-    if ! error="$(jq '.' -- "$config_file" 2>&1 >/dev/null)"; then
-      printf '%s: %s\n' "$config_file" "$error"
-      config_invalid='true'
-    fi
-  done
-
-  if [[ "$config_invalid" == 'true' ]]; then
-    return 1
-  fi
-}
-
-auth() {
-  local url="$1" admin_username="$2" admin_password="$3"
-
-  local response
-  response="$(curl --silent --request POST \
-    --url "$url/auth/simple/login" \
-    --header 'Content-Type: application/json' \
-    --data "$(jo -- username="$admin_username" password="$admin_password")")"
-
-  TOKEN="$(printf '%s' "$response" | jq --raw-output .token)"
-}
-
-make_query() {
-  local query_file="$1" variables_file="$2"
-
-  curl --silent --request POST \
-    --url "$LLDAP_URL/api/graphql" \
-    --header "Authorization: Bearer $TOKEN" \
-    --header 'Content-Type: application/json' \
-    --data @<(jq --slurpfile variables "$variables_file" '. + {"variables": $variables[0]}' "$query_file")
-}
-
-get_group_list() {
-  local query='{"query":"query GetGroupList {groups {id displayName}}","operationName":"GetGroupList"}'
-  make_query <(printf '%s' "$query") <(printf '{}')
-}
-
-get_group_array() {
-  get_group_list | jq --raw-output '.data.groups[].displayName'
-}
-
-group_exists() {
-  if [[ "$(get_group_list | jq --raw-output --arg displayName "$1" '.data.groups | any(.[]; select(.displayName == $displayName))')" == 'true' ]]; then
-    return 0
-  else
-    return 1
-  fi
-}
-
-get_group_id() {
-  get_group_list | jq --raw-output --arg displayName "$1" '.data.groups[] | if .displayName == $displayName then .id else empty end'
-}
-
-create_group() {
-  local group_name="$1"
-
-  if group_exists "$group_name"; then
-    printf 'Group "%s" (%s) already exists\n' "$group_name" "$(get_group_id "$group_name")"
-    return
-  fi
-
-  # shellcheck disable=SC2016
-  local query='{"query":"mutation CreateGroup($name: String!) {createGroup(name: $name) {id displayName}}","operationName":"CreateGroup"}'
-
-  local response='' error=''
-  response="$(make_query <(printf '%s' "$query") <(jo -- name="$group_name"))"
-  error="$(printf '%s' "$response" | jq --raw-output '.errors | if . != null then .[].message else empty end')"
-  if [[ -n "$error" ]]; then
-    printf '%s\n' "$error"
-  else
-    printf 'Group "%s" (%s) successfully created\n' "$group_name" "$(printf '%s' "$response" | jq --raw-output '.data.createGroup.id')"
-  fi
-}
-
-delete_group() {
-  local group_name="$1" id=''
-
-  if ! group_exists "$group_name"; then
-    printf '[WARNING] Group "%s" does not exist\n' "$group_name"
-    return
-  fi
-
-  id="$(get_group_id "$group_name")"
-
-  # shellcheck disable=SC2016
-  local query='{"query":"mutation DeleteGroupQuery($groupId: Int!) {deleteGroup(groupId: $groupId) {ok}}","operationName":"DeleteGroupQuery"}'
-
-  local response='' error=''
-  response="$(make_query <(printf '%s' "$query") <(jo -- groupId="$id"))"
-  error="$(printf '%s' "$response" | jq --raw-output '.errors | if . != null then .[].message else empty end')"
-  if [[ -n "$error" ]]; then
-    printf '%s\n' "$error"
-  else
-    printf 'Group "%s" (%s) successfully deleted\n' "$group_name" "$id"
-  fi
-}
-
-get_user_details() {
-  local id="$1"
-
-  # shellcheck disable=SC2016
-  local query='{"query":"query GetUserDetails($id: String!) {user(userId: $id) {id email displayName firstName lastName creationDate uuid groups {id displayName}}}","operationName":"GetUserDetails"}'
-  make_query <(printf '%s' "$query") <(jo -- id="$id")
-}
-
-user_in_group() {
-  local user_id="$1" group_name="$2"
-
-  if ! group_exists "$group_name"; then
-    printf '[WARNING] Group "%s" does not exist\n' "$group_name"
-    return
-  fi
-
-  if ! user_exists "$user_id"; then
-    printf 'User "%s" is not exists\n' "$user_id"
-    return
-  fi
-
-  if [[ "$(get_user_details "$user_id" | jq --raw-output --arg displayName "$group_name" '.data.user.groups | any(.[]; select(.displayName == $displayName))')" == 'true' ]]; then
-    return 0
-  else
-    return 1
-  fi
-}
-
-add_user_to_group() {
-  local user_id="$1" group_name="$2" group_id=''
-
-  if ! group_exists "$group_name"; then
-    printf '[WARNING] Group "%s" does not exist\n' "$group_name"
-    return
-  fi
-
-  group_id="$(get_group_id "$group_name")"
-
-  if user_in_group "$user_id" "$group_name"; then
-    printf 'User "%s" already in group "%s" (%s)\n' "$user_id" "$group_name" "$group_id"
-    return
-  fi
-
-  # shellcheck disable=SC2016
-  local query='{"query":"mutation AddUserToGroup($user: String!, $group: Int!) {addUserToGroup(userId: $user, groupId: $group) {ok}}","operationName":"AddUserToGroup"}'
-
-  local response='' error=''
-  response="$(make_query <(printf '%s' "$query") <(jo -- user="$user_id" group="$group_id"))"
-  error="$(printf '%s' "$response" | jq '.errors | if . != null then .[].message else empty end')"
-  if [[ -n "$error" ]]; then
-    printf '%s\n' "$error"
-  else
-    printf 'User "%s" successfully added to the group "%s" (%s)\n' "$user_id" "$group_name" "$group_id"
-  fi
-}
-
-remove_user_from_group() {
-  local user_id="$1" group_name="$2" group_id=''
-
-  if ! group_exists "$group_name"; then
-    printf '[WARNING] Group "%s" does not exist\n' "$group_name"
-    return
-  fi
-
-  group_id="$(get_group_id "$group_name")"
-
-  # shellcheck disable=SC2016
-  local query='{"operationName":"RemoveUserFromGroup","query":"mutation RemoveUserFromGroup($user: String!, $group: Int!) {removeUserFromGroup(userId: $user, groupId: $group) {ok}}"}'
-
-  local response='' error=''
-  response="$(make_query <(printf '%s' "$query") <(jo -- user="$user_id" group="$group_id"))"
-  error="$(printf '%s' "$response" | jq '.errors | if . != null then .[].message else empty end')"
-  if [[ -n "$error" ]]; then
-    printf '%s\n' "$error"
-  else
-    printf 'User "%s" successfully removed from the group "%s" (%s)\n' "$user_id" "$group_name" "$group_id"
-  fi
-}
-
-get_users_list() {
-  # shellcheck disable=SC2016
-  local query='{"query": "query ListUsersQuery($filters: RequestFilter) {users(filters: $filters) {id email displayName firstName lastName creationDate}}","operationName": "ListUsersQuery"}'
-  make_query <(printf '%s' "$query") <(jo -- filters=null)
-}
-
-user_exists() {
-  if [[ "$(get_users_list | jq --raw-output --arg id "$1" '.data.users | any(.[]; .id == $id)')" == 'true' ]]; then
-    return 0
-  else
-    return 1
-  fi
-}
-
-delete_user() {
-  local id="$1"
-
-  if ! user_exists "$id"; then
-    printf 'User "%s" is not exists\n' "$id"
-    return
-  fi
-
-  # shellcheck disable=SC2016
-  local query='{"query": "mutation DeleteUserQuery($user: String!) {deleteUser(userId: $user) {ok}}","operationName": "DeleteUserQuery"}'
-
-  local response='' error=''
-  response="$(make_query <(printf '%s' "$query") <(jo -- user="$id"))"
-  error="$(printf '%s' "$response" | jq --raw-output '.errors | if . != null then .[].message else empty end')"
-  if [[ -n "$error" ]]; then
-    printf '%s\n' "$error"
-  else
-    printf 'User "%s" successfully deleted\n' "$id"
-  fi
-}
-
-get_group_property_list() {
-  local query='{"query":"query GetGroupAttributesSchema { schema { groupSchema { attributes { name }}}}","operationName":"GetGroupAttributesSchema"}'
-  make_query <(printf '%s' "$query") <(printf '{}')
-}
-group_property_exists() {
-  if [[ "$(get_group_property_list | jq --raw-output --arg name "$1" '.data.schema.groupSchema.attributes | any(.[]; select(.name == $name))')" == 'true' ]]; then
-    return 0
-  else
-    return 1
-  fi
-}
-
-create_group_schema_property() {
-  local name="$1"
-  local attributeType="$2"
-  local isEditable="$3"
-  local isList="$4"
-  local isVisible="$5"
-
-  if group_property_exists "$name"; then
-    printf 'Group property "%s" already exists\n' "$name"
-    return
-  fi
-
-  # shellcheck disable=SC2016
-  local query='{"query":"mutation CreateGroupAttribute($name: String!, $attributeType: AttributeType!, $isList: Boolean!, $isVisible: Boolean!, $isEditable: Boolean!) {addGroupAttribute(name: $name, attributeType: $attributeType, isList: $isList, isVisible: $isVisible, isEditable: $isEditable) {ok}}","operationName":"CreateGroupAttribute"}'
-
-  local response='' error=''
-  response="$(make_query <(printf '%s' "$query") <(jo -- name="$name" attributeType="$attributeType" isEditable="$isEditable" isList="$isList" isVisible="$isVisible"))"
-  error="$(printf '%s' "$response" | jq --raw-output '.errors | if . != null then .[].message else empty end')"
-  if [[ -n "$error" ]]; then
-    printf '%s\n' "$error"
-  else
-    printf 'Group attribute "%s" successfully created\n' "$name"
-  fi
-}
-
-get_user_property_list() {
-  local query='{"query":"query GetUserAttributesSchema { schema { userSchema { attributes { name }}}}","operationName":"GetUserAttributesSchema"}'
-  make_query <(printf '%s' "$query") <(printf '{}')
-}
-user_property_exists() {
-  if [[ "$(get_user_property_list | jq --raw-output --arg name "$1" '.data.schema.userSchema.attributes | any(.[]; select(.name == $name))')" == 'true' ]]; then
-    return 0
-  else
-    return 1
-  fi
-}
-
-create_user_schema_property() {
-  local name="$1"
-  local attributeType="$2"
-  local isEditable="$3"
-  local isList="$4"
-  local isVisible="$5"
-
-  if user_property_exists "$name"; then
-    printf 'User property "%s" already exists\n' "$name"
-    return
-  fi
-
-  # shellcheck disable=SC2016
-  local query='{"query":"mutation CreateUserAttribute($name: String!, $attributeType: AttributeType!, $isList: Boolean!, $isVisible: Boolean!, $isEditable: Boolean!) {addUserAttribute(name: $name, attributeType: $attributeType, isList: $isList, isVisible: $isVisible, isEditable: $isEditable) {ok}}","operationName":"CreateUserAttribute"}'
-
-  local response='' error=''
-  response="$(make_query <(printf '%s' "$query") <(jo -- name="$name" attributeType="$attributeType" isEditable="$isEditable" isList="$isList" isVisible="$isVisible"))"
-  error="$(printf '%s' "$response" | jq --raw-output '.errors | if . != null then .[].message else empty end')"
-  if [[ -n "$error" ]]; then
-    printf '%s\n' "$error"
-  else
-    printf 'User attribute "%s" successfully created\n' "$name"
-  fi
-}
-
-__common_user_mutation_query() {
-  local \
-    query="$1" \
-    id="${2:-null}" \
-    email="${3:-null}" \
-    displayName="${4:-null}" \
-    firstName="${5:-null}" \
-    lastName="${6:-null}" \
-    avatar_file="${7:-null}" \
-    avatar_url="${8:-null}" \
-    gravatar_avatar="${9:-false}" \
-    weserv_avatar="${10:-false}"
-
-  local variables_arr=(
-    '-s' "id=$id"
-    '-s' "email=$email"
-    '-s' "displayName=$displayName"
-    '-s' "firstName=$firstName"
-    '-s' "lastName=$lastName"
-  )
-
-  local temp_avatar_file=''
-
-  if [[ "$gravatar_avatar" == 'true' ]]; then
-    avatar_url="https://gravatar.com/avatar/$(printf '%s' "$email" | sha256sum | cut -d ' ' -f 1)?size=512"
-  fi
-
-  if [[ "$avatar_url" != 'null' ]]; then
-    temp_avatar_file="${TMP_AVATAR_DIR}/$(printf '%s' "$avatar_url" | md5sum | cut -d ' ' -f 1)"
-
-    if ! [[ -f "$temp_avatar_file" ]]; then
-      if [[ "$weserv_avatar" == 'true' ]]; then
-        avatar_url="https://wsrv.nl/?url=$avatar_url&output=jpg"
-      fi
-      curl --silent --location --output "$temp_avatar_file" "$avatar_url"
-    fi
-
-    avatar_file="$temp_avatar_file"
-  fi
-
-  if [[ "$avatar_file" == 'null' ]]; then
-    variables_arr+=('-s' 'avatar=null')
-  else
-    variables_arr+=("avatar=%$avatar_file")
-  fi
-
-  make_query <(printf '%s' "$query") <(jo -- user=:<(jo -- "${variables_arr[@]}"))
-}
-
-create_user() {
-  local id="$1"
-
-  if user_exists "$id"; then
-    printf 'User "%s" already exists\n' "$id"
-    return
-  fi
-
-  # shellcheck disable=SC2016
-  local query='{"query":"mutation CreateUser($user: CreateUserInput!) {createUser(user: $user) {id creationDate}}","operationName":"CreateUser"}'
-
-  local response='' error=''
-  response="$(__common_user_mutation_query "$query" "$@")"
-  error="$(printf '%s' "$response" | jq --raw-output '.errors | if . != null then .[].message else empty end')"
-  if [[ -n "$error" ]]; then
-    printf '%s\n' "$error"
-  else
-    printf 'User "%s" successfully created\n' "$id"
-  fi
-}
-
-update_user() {
-  local id="$1"
-
-  if ! user_exists "$id"; then
-    printf 'User "%s" is not exists\n' "$id"
-    return
-  fi
-
-  # shellcheck disable=SC2016
-  local query='{"query":"mutation UpdateUser($user: UpdateUserInput!) {updateUser(user: $user) {ok}}","operationName":"UpdateUser"}'
-
-  local response='' error=''
-  response="$(__common_user_mutation_query "$query" "$@")"
-  error="$(printf '%s' "$response" | jq --raw-output '.errors | if . != null then .[].message else empty end')"
-  if [[ -n "$error" ]]; then
-    printf '%s\n' "$error"
-  else
-    printf 'User "%s" successfully updated\n' "$id"
-  fi
-}
-
-create_update_user() {
-  local id="$1"
-
-  if user_exists "$id"; then
-    update_user "$@"
-  else
-    create_user "$@"
-  fi
-}
-
-main() {
-  check_install_dependencies
-  check_required_env_vars
-
-  local user_config_files=("${USER_CONFIGS_DIR}"/*.json)
-  local group_config_files=("${GROUP_CONFIGS_DIR}"/*.json)
-  local user_schema_files=()
-  local group_schema_files=()
-
-  local file=''
-  [[ -d "$USER_SCHEMAS_DIR" ]] && for file in "${USER_SCHEMAS_DIR}"/*.json; do
-    user_schema_files+=("$file")
-  done
-  [[ -d "$GROUP_SCHEMAS_DIR" ]] && for file in "${GROUP_SCHEMAS_DIR}"/*.json; do
-    group_schema_files+=("$file")
-  done
-
-  if ! check_configs_validity "${group_config_files[@]}" "${user_config_files[@]}" "${group_schema_files[@]}" "${user_schema_files[@]}"; then
-    exit 1
-  fi
-
-  until curl --silent -o /dev/null "$LLDAP_URL"; do
-    printf 'Waiting lldap to start...\n'
-    sleep 10
-  done
-
-  auth "$LLDAP_URL" "$LLDAP_ADMIN_USERNAME" "$LLDAP_ADMIN_PASSWORD"
-
-  printf -- '\n--- group schemas ---\n'
-  local group_schema_config_row=''
-  [[ ${#group_schema_files[@]} -gt 0 ]] && while read -r group_schema_config_row; do
-    local field='' name='' attributeType='' isEditable='' isList='' isVisible=''
-    for field in 'name' 'attributeType' 'isEditable' 'isList' 'isVisible'; do
-      declare "$field"="$(printf '%s' "$group_schema_config_row" | jq --raw-output --arg field "$field" '.[$field]')"
-    done
-    create_group_schema_property "$name" "$attributeType" "$isEditable" "$isList" "$isVisible"
-  done < <(jq --compact-output '.[]' -- "${group_schema_files[@]}")
-  printf -- '--- group schemas ---\n'
-
-  printf -- '\n--- user schemas ---\n'
-  local user_schema_config_row=''
-  [[ ${#user_schema_files[@]} -gt 0 ]] && while read -r user_schema_config_row; do
-    local field='' name='' attributeType='' isEditable='' isList='' isVisible=''
-    for field in 'name' 'attributeType' 'isEditable' 'isList' 'isVisible'; do
-      declare "$field"="$(printf '%s' "$user_schema_config_row" | jq --raw-output --arg field "$field" '.[$field]')"
-    done
-    create_user_schema_property "$name" "$attributeType" "$isEditable" "$isList" "$isVisible"
-  done < <(jq --compact-output '.[]' -- "${user_schema_files[@]}")
-  printf -- '--- user schemas ---\n'
-
-  local redundant_groups=''
-  redundant_groups="$(get_group_list | jq '[ .data.groups[].displayName ]' | jq --compact-output '. - ["lldap_admin","lldap_password_manager","lldap_strict_readonly"]')"
-
-  printf -- '\n--- groups ---\n'
-  local group_config=''
-  while read -r group_config; do
-    local group_name=''
-    group_name="$(printf '%s' "$group_config" | jq --raw-output '.name')"
-    create_group "$group_name"
-    redundant_groups="$(printf '%s' "$redundant_groups" | jq --compact-output --arg name "$group_name" '. - [$name]')"
-  done < <(jq --compact-output '.' -- "${group_config_files[@]}")
-  printf -- '--- groups ---\n'
-
-  printf -- '\n--- redundant groups ---\n'
-  if [[ "$redundant_groups" == '[]' ]]; then
-    printf 'There are no redundant groups\n'
-  else
-    local group_name=''
-    while read -r group_name; do
-      if [[ "$DO_CLEANUP" == 'true' ]]; then
-        delete_group "$group_name"
-      else
-        printf '[WARNING] Group "%s" is not declared in config files\n' "$group_name"
-      fi
-    done < <(printf '%s' "$redundant_groups" | jq --raw-output '.[]')
-  fi
-  printf -- '--- redundant groups ---\n'
-
-  local redundant_users=''
-  redundant_users="$(get_users_list | jq '[ .data.users[].id ]' | jq --compact-output --arg admin_id "$LLDAP_ADMIN_USERNAME" '. - [$admin_id]')"
-
-  TMP_AVATAR_DIR="$(mktemp -d)"
-
-  local user_config=''
-  while read -r user_config; do
-    local field='' id='' email='' displayName='' firstName='' lastName='' avatar_file='' avatar_url='' gravatar_avatar='' weserv_avatar='' password=''
-    for field in 'id' 'email' 'displayName' 'firstName' 'lastName' 'avatar_file' 'avatar_url' 'gravatar_avatar' 'weserv_avatar' 'password'; do
-      declare "$field"="$(printf '%s' "$user_config" | jq --raw-output --arg field "$field" '.[$field]')"
-    done
-    printf -- '\n--- %s ---\n' "$id"
-
-    create_update_user "$id" "$email" "$displayName" "$firstName" "$lastName" "$avatar_file" "$avatar_url" "$gravatar_avatar" "$weserv_avatar"
-    redundant_users="$(printf '%s' "$redundant_users" | jq --compact-output --arg id "$id" '. - [$id]')"
-
-    if [[ "$password" != 'null' ]] && [[ "$password" != '""' ]]; then
-      "$LLDAP_SET_PASSWORD_PATH" --base-url "$LLDAP_URL" --token "$TOKEN" --username "$id" --password "$password"
-    fi
-
-    local redundant_user_groups=''
-    redundant_user_groups="$(get_user_details "$id" | jq '[ .data.user.groups[].displayName ]')"
-
-    local group=''
-    while read -r group; do
-      if [[ -n "$group" ]]; then
-        add_user_to_group "$id" "$group"
-        redundant_user_groups="$(printf '%s' "$redundant_user_groups" | jq --compact-output --arg group "$group" '. - [$group]')"
-      fi
-    done < <(printf '%s' "$user_config" | jq --raw-output '.groups | if . == null then "" else .[] end')
-
-    local user_group_name=''
-    while read -r user_group_name; do
-      if [[ "$DO_CLEANUP" == 'true' ]]; then
-        remove_user_from_group "$id" "$user_group_name"
-      else
-        printf '[WARNING] User "%s" is not declared as member of the "%s" group in the config files\n' "$id" "$user_group_name"
-      fi
-    done < <(printf '%s' "$redundant_user_groups" | jq --raw-output '.[]')
-    printf -- '--- %s ---\n' "$id"
-  done < <(jq --compact-output '.' -- "${user_config_files[@]}")
-
-  rm -r "$TMP_AVATAR_DIR"
-
-  printf -- '\n--- redundant users ---\n'
-  if [[ "$redundant_users" == '[]' ]]; then
-    printf 'There are no redundant users\n'
-  else
-    local id=''
-    while read -r id; do
-      if [[ "$DO_CLEANUP" == 'true' ]]; then
-        delete_user "$id"
-      else
-        printf '[WARNING] User "%s" is not declared in config files\n' "$id"
-      fi
-    done < <(printf '%s' "$redundant_users" | jq --raw-output '.[]')
-  fi
-  printf -- '--- redundant users ---\n'
-}
-
-main "$@"

apps/lldap/bootstrap/kustomization.yaml

@@ -1,20 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - ./bootstrap-job.yaml
-  - ../../authelia/lldap.yaml
-  - ../../grafana/lldap.yaml
-
-configMapGenerator:
-  - name: bootstrap
-    options:
-      annotations:
-        kustomize.toolkit.fluxcd.io/substitute: disabled
-    files:
-      - bootstrap.sh
-
-secretGenerator:
-  - name: lldap-bootstrap-configs
-    files:
-      - user-configs.json
-      - group-configs.json

apps/lldap/bootstrap/user-configs.json

@@ -1,8 +0,0 @@
-{
-  "id": "dreaded_x",
-  "email": "tim@huizinga.dev",
-  "password": "JustATest",
-  "displayName": "Tim Huizinga",
-  "firstName": "Tim",
-  "lastName": "Huizinga"
-}

apps/traefik-dashboard/ingress.yaml

@@ -1,19 +0,0 @@
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: traefik-dashboard
-  namespace: traefik
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    - match: Host(`traefik.${domain}`)
-      kind: Rule
-      middlewares:
-        - name: forwardauth-authelia
-          namespace: authelia
-      services:
-        - name: api@internal
-          kind: TraefikService
-  tls:
-    secretName: ${domain//./-}-tls

apps/whoami.yaml

@@ -8,13 +8,6 @@ metadata:
 
 spec:
   replicas: 2
-  topologySpreadConstraints:
-    - maxSkew: 1
-      topologyKey: kubernetes.io/hostname
-      whenUnsatisfiable: DoNotSchedule
-      labelSelector:
-        matchLabels:
-          type: dummy
   selector:
     matchLabels:
       app: whoami
@@ -23,6 +16,13 @@ spec:
       labels:
         app: whoami
     spec:
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: kubernetes.io/hostname
+          whenUnsatisfiable: DoNotSchedule
+          labelSelector:
+            matchLabels:
+              app: whoami
       containers:
         - name: whoami
           image: traefik/whoami

clusters/titan.lan.huizinga.dev/alerts/alert-flux-infra.yaml

@@ -0,0 +1,14 @@
+apiVersion: notification.toolkit.fluxcd.io/v1beta3
+kind: Alert
+metadata:
+  name: flux-infra
+  namespace: flux-system
+spec:
+  providerRef:
+    name: flux-infra
+  eventSeverity: info
+  eventSources:
+    - kind: Kustomization
+      name: "*"
+      matchLabels:
+        alert: flux-infra

clusters/titan.lan.huizinga.dev/alerts/alert-telegram.yaml

@@ -0,0 +1,12 @@
+apiVersion: notification.toolkit.fluxcd.io/v1beta3
+kind: Alert
+metadata:
+  name: telegram
+  namespace: flux-system
+spec:
+  providerRef:
+    name: telegram
+  eventSeverity: error
+  eventSources:
+    - kind: Kustomization
+      name: "*"

clusters/titan.lan.huizinga.dev/alerts/provider-flux-infra.yaml

@@ -0,0 +1,10 @@
+apiVersion: notification.toolkit.fluxcd.io/v1beta3
+kind: Provider
+metadata:
+  name: flux-infra
+  namespace: flux-system
+spec:
+  type: gitea
+  address: https://git.huizinga.dev/dreaded_x/flux-infra
+  secretRef:
+    name: gitea

clusters/titan.lan.huizinga.dev/alerts/provider-telegram.yaml

@@ -0,0 +1,11 @@
+apiVersion: notification.toolkit.fluxcd.io/v1beta3
+kind: Provider
+metadata:
+  name: telegram
+  namespace: flux-system
+spec:
+  type: telegram
+  address: https://api.telegram.org
+  channel: "-4748034121"
+  secretRef:
+    name: telegram

clusters/titan.lan.huizinga.dev/alerts/secret-gitea.yaml

@@ -0,0 +1,54 @@
+apiVersion: v1
+stringData:
+    token: ENC[AES256_GCM,data:jn3t5g5fkCmqXf7JEfn7HBigY60nPh3AqYzZ9fkEuj2RjN6ieAfiOg==,iv:b28wHrtETq+p/jH52c3RKYzthh7+IQmvRhVzY/TlnfI=,tag:kr+vdWBGihYN6AklQLYeTw==,type:str]
+kind: Secret
+metadata:
+    name: gitea
+    namespace: flux-system
+sops:
+    lastmodified: "2025-04-22T12:14:43Z"
+    mac: ENC[AES256_GCM,data:fb5EyaUv2slDoSNLNJZZPg2ZXwUC5tbdG2vDZEle3PfCDAWxQmEJ36hMQ9RcE8Ec5jfj/Ia6VOP+VOpLSIlQHzGeG3raEW+I/NBTN04KazsDhgzOfAlhTi8COkmu0D5hv3TfFPkWVV/Uw2zIpOsqTv56IoIKyPun+ndt470TgGE=,iv:k754Ju4XGpUCCsdkgQxaE2LEJNEBkQ4lcDIRIqZJnbY=,tag:1t3X7id14qhOvAA9pRw+wQ==,type:str]
+    pgp:
+        - created_at: "2025-04-22T11:56:49Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA7pKPTYH5bqOARAAioWyCnKFGD/5XeH++ulmfannJcwuFbiJ+jyoYxbmbxZK
+            egOXaOg9jkw+FuKy+u/5QNFZAgL4Ju3dMOyeBuZXGAgchVoDuqFANj7sXMhUnBkc
+            BuKLs/ob5U2KUD2YU+fFQd4XZfOepPGZF9qNwl4wttUxhawzQ66G49j23B8bxe1E
+            0Isddm7SCzF0OJOogaJ1rh9ylfzwlBW0PaBhBaIlNs+PIUJW7URWouDJnWh+jBvE
+            qT8brYP7gb+Tl9lNihJdPLG32jiYhQxueIkm6BqSUQlU+yW/q8RUhp4+hLAaSOvC
+            vTx1qqhn9ipZWG+EgPatUtV2gW0U9jOPRAstC1/zUe6UljIuQAEDx844j1sfmKxl
+            1bPdl1790V2bDDvDX4zeRAR6N6lzNkfYd02ZvWVKkUr3dTCfn/dJ6LM39tfZNeh2
+            WKnIN/PoxPL2srD9QRQmVPBqoLJrBKs1v1jWBEfMdT75H8e4CHu69o0FCzxLi/Ty
+            /2Hz9zIyBlPsyUA6EHjmccnjE2dVkmgRcaQbhEaYMtM7pyECoCfixGdpgV+7iM6L
+            PnYVusFueMVX80HYoNl4/ZXf+1U5/aW3mnSgK8+4uX8m4/MqGi4tvYT/QdOUkEvS
+            kXSsfok5yBcYdoqUJl6N/gfP9Z9R6WqrCL4p98t2BiLpcu6TZnsP0ruJlRlzTjLU
+            ZgEJAhATXTi3So37vsc8TqTDXqkJjrwxk9k4cGfwd8PWFvuS+xzdKGA/vcU6jXCD
+            CQrTnQ2i6jZBi0L5FLunhG86BOSLs5GEhuO6PPjkyyJNbcX/Uh6hjzgwdElr14Qo
+            P7QnueJTiw==
+            =AMPG
+            -----END PGP MESSAGE-----
+          fp: 1E0CF38FF7C9ADAED58B436ABA4A3D3607E5BA8E
+        - created_at: "2025-04-22T11:56:49Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA51kG++kLewoAQ//b3JTskIOENHA1W8uE5jqsyxPDVMJuXQNoHe2u0264kS8
+            i2sC7SZa/Le98J9Gsl97CpA7xXVIcOWhma+6PTzrsaonn//nJyuh8YOfWAb/ZF4o
+            ijtd7etTLcA9Hb1iRUek5oD7tXWiGhl+ROR3xd7Al+nzQmTpvHju+HFWJboWA7RC
+            6PkusF1UAe39ZhZwxX2Hh8XdFfQdcrtFNIp7+TjMCO2Im54aBTRKLrz7aHlrjrgN
+            tie1RAdDwEqZ0Zoh3jezpkQW+9aKtkTtiG5BLmQYhVPUN5GTKMMwKoiYNMEdNUWx
+            s9SXiepDc9ZbdjiwGUig9pmuaKrPTSRh6kbmAWHyMKfwG4WZSgbh9gW0sU69rLdQ
+            onaGRkIS87If6AgE0dCxOgcNZEiUQE1Rj8Ie/XtR6ufKNUdSAsbJSoKIja4MQdKl
+            1BM2YJ5eD52e2J0XJJgLchW0nf7C+3Sil/wIRvU0k/lMniMHvXjWGfY5/v2TUF3Y
+            R3Ng6KsaaIRGW5pWzAA5vBDjOlDaPdWYvWd+ZZ96cd0ToxgMpEDLGOBAOhBZGP95
+            knqqsVTKswD3vy5h5bwevTxRdrPsmD+g26SbLZDYllRklNasGgfcf0CBydcftUHo
+            ePHC1ThKpC0Eb80fxLvAyyW+O8LjqjGWK+q7pVGE8eZ7B5XGQRSfzQRuNmc1aIjS
+            XAGtAlz0mJffgqHnOW++8CZjiUKWb5iSJuMqBcGPMuqz9nLBAP/n4/vw6nH4irAF
+            qL1fkj4yurE7yMmBjYEWi+I+D66g6xpKvEWTyDGeiiqUD8nZXGojT7bWz072
+            =zIA5
+            -----END PGP MESSAGE-----
+          fp: 49F10679C425233EFB4B1B6F9D641BEFA42DEC28
+    encrypted_regex: ^(data|stringData)$
+    version: 3.10.1

clusters/titan.lan.huizinga.dev/alerts/secret-telegram.yaml

@@ -0,0 +1,54 @@
+apiVersion: v1
+stringData:
+    token: ENC[AES256_GCM,data:GgQ/uMKwKKxkEaqVlqH6RlhNTXE+9iM9C5seH0Vjsv/Rwb4aonM6Fy9lQUtiwg==,iv:xKKiRxMu0myMmT73XvUy69qt216TNbeJ4Y/0oUAK87s=,tag:ib0nLm2HkaB91vSllRPSWg==,type:str]
+kind: Secret
+metadata:
+    name: telegram
+    namespace: flux-system
+sops:
+    lastmodified: "2025-04-22T14:43:42Z"
+    mac: ENC[AES256_GCM,data:wiq7VPKe+PBXLbiL9VVJ0gjtAb0g0f5qJgZaDkFaeIn5KfXYauzX1MyoXxy0qSi5rBesKCmhhDhLHRW/SA7KJyaWO1GIdP9Obppm+l83zJ6FVn2XvDZQkP+IoEBCPUgooT4RBvvJUJJeA9BDuPV3ig43sYZM+47Vc/WFZrx1238=,iv:KqDkIbKqrv1087PQC10jNUfkeGvzaC9ZvwYwhLd3CcA=,tag:Tb6mKFaK3+3BmiuFfEXgQw==,type:str]
+    pgp:
+        - created_at: "2025-04-22T11:56:49Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA7pKPTYH5bqOARAAioWyCnKFGD/5XeH++ulmfannJcwuFbiJ+jyoYxbmbxZK
+            egOXaOg9jkw+FuKy+u/5QNFZAgL4Ju3dMOyeBuZXGAgchVoDuqFANj7sXMhUnBkc
+            BuKLs/ob5U2KUD2YU+fFQd4XZfOepPGZF9qNwl4wttUxhawzQ66G49j23B8bxe1E
+            0Isddm7SCzF0OJOogaJ1rh9ylfzwlBW0PaBhBaIlNs+PIUJW7URWouDJnWh+jBvE
+            qT8brYP7gb+Tl9lNihJdPLG32jiYhQxueIkm6BqSUQlU+yW/q8RUhp4+hLAaSOvC
+            vTx1qqhn9ipZWG+EgPatUtV2gW0U9jOPRAstC1/zUe6UljIuQAEDx844j1sfmKxl
+            1bPdl1790V2bDDvDX4zeRAR6N6lzNkfYd02ZvWVKkUr3dTCfn/dJ6LM39tfZNeh2
+            WKnIN/PoxPL2srD9QRQmVPBqoLJrBKs1v1jWBEfMdT75H8e4CHu69o0FCzxLi/Ty
+            /2Hz9zIyBlPsyUA6EHjmccnjE2dVkmgRcaQbhEaYMtM7pyECoCfixGdpgV+7iM6L
+            PnYVusFueMVX80HYoNl4/ZXf+1U5/aW3mnSgK8+4uX8m4/MqGi4tvYT/QdOUkEvS
+            kXSsfok5yBcYdoqUJl6N/gfP9Z9R6WqrCL4p98t2BiLpcu6TZnsP0ruJlRlzTjLU
+            ZgEJAhATXTi3So37vsc8TqTDXqkJjrwxk9k4cGfwd8PWFvuS+xzdKGA/vcU6jXCD
+            CQrTnQ2i6jZBi0L5FLunhG86BOSLs5GEhuO6PPjkyyJNbcX/Uh6hjzgwdElr14Qo
+            P7QnueJTiw==
+            =AMPG
+            -----END PGP MESSAGE-----
+          fp: 1E0CF38FF7C9ADAED58B436ABA4A3D3607E5BA8E
+        - created_at: "2025-04-22T11:56:49Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA51kG++kLewoAQ//b3JTskIOENHA1W8uE5jqsyxPDVMJuXQNoHe2u0264kS8
+            i2sC7SZa/Le98J9Gsl97CpA7xXVIcOWhma+6PTzrsaonn//nJyuh8YOfWAb/ZF4o
+            ijtd7etTLcA9Hb1iRUek5oD7tXWiGhl+ROR3xd7Al+nzQmTpvHju+HFWJboWA7RC
+            6PkusF1UAe39ZhZwxX2Hh8XdFfQdcrtFNIp7+TjMCO2Im54aBTRKLrz7aHlrjrgN
+            tie1RAdDwEqZ0Zoh3jezpkQW+9aKtkTtiG5BLmQYhVPUN5GTKMMwKoiYNMEdNUWx
+            s9SXiepDc9ZbdjiwGUig9pmuaKrPTSRh6kbmAWHyMKfwG4WZSgbh9gW0sU69rLdQ
+            onaGRkIS87If6AgE0dCxOgcNZEiUQE1Rj8Ie/XtR6ufKNUdSAsbJSoKIja4MQdKl
+            1BM2YJ5eD52e2J0XJJgLchW0nf7C+3Sil/wIRvU0k/lMniMHvXjWGfY5/v2TUF3Y
+            R3Ng6KsaaIRGW5pWzAA5vBDjOlDaPdWYvWd+ZZ96cd0ToxgMpEDLGOBAOhBZGP95
+            knqqsVTKswD3vy5h5bwevTxRdrPsmD+g26SbLZDYllRklNasGgfcf0CBydcftUHo
+            ePHC1ThKpC0Eb80fxLvAyyW+O8LjqjGWK+q7pVGE8eZ7B5XGQRSfzQRuNmc1aIjS
+            XAGtAlz0mJffgqHnOW++8CZjiUKWb5iSJuMqBcGPMuqz9nLBAP/n4/vw6nH4irAF
+            qL1fkj4yurE7yMmBjYEWi+I+D66g6xpKvEWTyDGeiiqUD8nZXGojT7bWz072
+            =zIA5
+            -----END PGP MESSAGE-----
+          fp: 49F10679C425233EFB4B1B6F9D641BEFA42DEC28
+    encrypted_regex: ^(data|stringData)$
+    version: 3.10.1

clusters/titan.lan.huizinga.dev/apps.yaml

@@ -3,9 +3,18 @@ kind: Kustomization
 metadata:
   name: apps
   namespace: flux-system
+  labels:
+    alert: flux-infra
 spec:
   dependsOn:
-    - name: infra-configs
+    - name: traefik
+    - name: authelia-controller
+    - name: lldap-controller
+    - name: cnpg
+    - name: dragonflydb
+    - name: rook-ceph-cluster
+    - name: akri
+    - name: lldap
   decryption:
     provider: sops
     secretRef:
@@ -16,11 +25,11 @@ spec:
     kind: GitRepository
     name: flux-system
   postBuild:
-    substitute:
-      domain: staging.huizinga.dev
-      # Specifically for authelia
-      subdomain: .staging
-      topdomain: huizinga.dev
+    substituteFrom:
+      - kind: ConfigMap
+        name: domain-vars
   path: ./apps
   prune: true
   wait: true
+  # Uncomment this in case of disaster recovery
+  # suspend: true

clusters/titan.lan.huizinga.dev/apps/siranga.yaml

@@ -0,0 +1,75 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: OCIRepository
+metadata:
+  name: siranga
+  namespace: flux-system
+spec:
+  interval: 15m0s
+  url: oci://git.huizinga.dev/dreaded_x/siranga/manifests
+  ref:
+    tag: latest
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: siranga
+  namespace: flux-system
+spec:
+  interval: 15m
+  dependsOn:
+    - name: traefik
+    - name: letsencrypt
+    - name: lldap-controller
+    - name: authelia-controller
+  prune: true
+  timeout: 2m
+  sourceRef:
+    kind: OCIRepository
+    name: siranga
+  wait: true
+  postBuild:
+    substituteFrom:
+      - kind: ConfigMap
+        name: domain-vars
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg
+---
+apiVersion: notification.toolkit.fluxcd.io/v1
+kind: Receiver
+metadata:
+  name: siranga
+  namespace: flux-system
+spec:
+  type: generic
+  secretRef:
+    name: receiver
+  resources:
+    - apiVersion: source.toolkit.fluxcd.io/v1beta2
+      kind: OCIRepository
+      name: siranga
+---
+apiVersion: notification.toolkit.fluxcd.io/v1beta3
+kind: Provider
+metadata:
+  name: siranga
+  namespace: flux-system
+spec:
+  type: gitea
+  address: https://git.huizinga.dev/dreaded_x/siranga
+  secretRef:
+    name: gitea
+---
+apiVersion: notification.toolkit.fluxcd.io/v1beta3
+kind: Alert
+metadata:
+  name: siranga
+  namespace: flux-system
+spec:
+  providerRef:
+    name: siranga
+  eventSeverity: info
+  eventSources:
+    - kind: Kustomization
+      name: siranga

clusters/titan.lan.huizinga.dev/apps/test-app.yaml

@@ -0,0 +1,30 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: OCIRepository
+metadata:
+  name: test-app
+  namespace: flux-system
+spec:
+  interval: 1m0s
+  url: oci://git.huizinga.dev/dreaded_x/test-app/manifests
+  ref:
+    tag: latest
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: test-app
+  namespace: flux-system
+spec:
+  interval: 15m
+  dependsOn:
+    - name: traefik
+  prune: true
+  timeout: 2m
+  sourceRef:
+    kind: OCIRepository
+    name: test-app
+  wait: true
+  postBuild:
+    substituteFrom:
+      - kind: ConfigMap
+        name: domain-vars

clusters/titan.lan.huizinga.dev/flux-system/config-map-domain-vars.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: domain-vars
+  namespace: flux-system
+data:
+  domain: staging.huizinga.dev
+  # Specifically for authelia
+  subdomain: .staging
+  topdomain: huizinga.dev

clusters/titan.lan.huizinga.dev/flux-system/ingress.yaml

@@ -0,0 +1,23 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: flux-webhook
+  namespace: flux-system
+  annotations:
+    traefik.ingress.kubernetes.io/router.entryPoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: "true"
+spec:
+  ingressClassName: traefik
+  rules:
+    - host: flux.${domain}
+      http:
+        paths:
+          - backend:
+              service:
+                name: webhook-receiver
+                port:
+                  number: 80
+            path: /
+            pathType: Prefix
+  tls:
+    - secretName: ${domain//./-}-tls

clusters/titan.lan.huizinga.dev/flux-system/kustomization.yaml

@@ -1,7 +1,11 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - gotk-components.yaml
-  - gotk-sync.yaml
+  - ./gotk-components.yaml
+  - ./gotk-sync.yaml
+  - ./config-map-domain-vars.yaml
+  - ./ingress.yaml
+  - ./secret-receiver.yaml
+  - ./receiver.yaml
 patches:
-  - path: sops-overlay.yaml
+  - path: patches.yaml

clusters/titan.lan.huizinga.dev/flux-system/patches.yaml

@@ -3,8 +3,14 @@ kind: Kustomization
 metadata:
   name: flux-system
   namespace: flux-system
+  labels:
+    alert: flux-infra
 spec:
   decryption:
     provider: sops
     secretRef:
       name: sops-gpg
+  postBuild:
+    substituteFrom:
+      - kind: ConfigMap
+        name: domain-vars

clusters/titan.lan.huizinga.dev/flux-system/receiver.yaml

@@ -0,0 +1,16 @@
+apiVersion: notification.toolkit.fluxcd.io/v1
+kind: Receiver
+metadata:
+  name: flux-infra
+  namespace: flux-system
+spec:
+  type: github
+  events:
+    - "ping"
+    - "push"
+  secretRef:
+    name: receiver
+  resources:
+    - apiVersion: source.toolkit.fluxcd.io/v1
+      kind: GitRepository
+      name: flux-system

clusters/titan.lan.huizinga.dev/flux-system/secret-receiver.yaml

@@ -0,0 +1,54 @@
+apiVersion: v1
+data:
+    token: ENC[AES256_GCM,data:Nd4t7LkkCe9pd/ilITlwZpmpF+oRmMfIbgbEiAzTK+OWUb4q37bBzGvhc3V70soS7XmpU13lJwo=,iv:qMoW9dsDauSEsw7GjuCSmsCy3k54jt5x/nngSdGiErg=,tag:ZTkP8IGT+DOJLfO+gIX2xg==,type:str]
+kind: Secret
+metadata:
+    name: receiver
+    namespace: flux-system
+sops:
+    lastmodified: "2025-04-23T17:01:23Z"
+    mac: ENC[AES256_GCM,data:blRYui9FBvet9nuOUEPaMLLzD6CvX7pDZQEtQV5jLfKqLWEBFXUA13zqTrxtH1slGOzif1xshGqjOgsxREvEdb4Y8uSfoWSPuhkPI4WuRESjyYsVHUlP0fOIdE/CNc/xT4wTxxsvZ46ShGCMZ/QN29XsQ04nwHaEsTmYMqtgsBM=,iv:Km0FIruKN+N0Hsat4QaTBCCAHMQz5IiYkTKG2IGILUI=,tag:A1v4kEs46vz2Cm9ZN5Qw1g==,type:str]
+    pgp:
+        - created_at: "2025-04-23T17:01:23Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA7pKPTYH5bqOARAAwZ69AwI2iTOboLpzZmW41EngGkhPKGghGFssiyfWbXqR
+            dtNG+wG371TF9nUMoLagJEqTUGRVX8xznG7R68QhVd85C1iswrNJjZ55nnJKf0IN
+            aRcLp3xsZuWPefOFadaJglRtgLnmCtPNur1TmPXR4V94ycOe1wBTSbvheTs73h6M
+            LBfRBruv2ttJsrcmI2az57KgOrIQnPu/z/NSEbc2GM3CU7/Z9ChWt+b5WEyv/7Sp
+            Sp0ohmC9HputBFGueC6Hw08+152C8yn3BpJhMhiWcCEryNiwKawf/n2UFJ8gk86/
+            5CkRX1CWRtz8nRIfmiwU5IBd5aMXhK684/1lTtdshHGEhSbaGA9N6lK70vdrfVl+
+            euaQkqyCy2sFkhz0EvcK+PTGxnueQ4UuO01l5yRG/ZUdjzYVh9fpx3RoMnJaBctx
+            l63LUG+xXSwR0xy4JIkrWyFDwIyGAebxbtQ8QUeLkmMzHyUx8tOL0qfKd8qkEFwg
+            eJWh0guYllSldgP5h7bJXOTej3ZrP9yC1WY3z2wHu+415/eCpwucFCu/A5QnJXnA
+            YLTE2CIwdDpj5XjjwQwmTNpBgfQ/csHJua40CURJbsYhk4HfqbHNdjEc5kkem/3L
+            PrtA/d59iwy3Vjkn1xmrcX+od3qXRFVDwMjaCleAXi3dnsfN619j8PrZh2bkUyHU
+            aAEJAhD1hSP/yZbfctLVNBCXT3HE8bLlAp82zYsqwx7UJWOhv4saodU1Zm13CWdk
+            nlbN8v3w5o19Xo85rt4YB091dGliTAAQ2CfvsCLRO4ZjO6N2F4KSCSTO0jLSJkce
+            hly9/ZsJAtXB
+            =GCZA
+            -----END PGP MESSAGE-----
+          fp: 1E0CF38FF7C9ADAED58B436ABA4A3D3607E5BA8E
+        - created_at: "2025-04-23T17:01:23Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA51kG++kLewoARAA5IO7TXG5xkv+mlSwFBDbldn5jPy9E1+HbZHp+4CmRquI
+            ONPEeDZgh3n+Fr87OMUKMKfgdEpjdE+l80rCmF7zgaVNqLscRcLJ17k14XfbpsrG
+            wsp5gsvymGh6sllUopetugvzd6gdxEianuhKU6DYJMM+X/nPTDsa5wHazRzPQxS/
+            8zp9tlPWt0HkZelBKXmLoYofZBakZOqZstQvhB0SSjC0BVpQN5WIfh1ES6uoBxhY
+            ddA0R34r1jwXWDE2UqD1Rx12H3TzUxdPGGw5rQKsEZSuEwxfxqjUAsn29ARR88qU
+            FlvSsy+FW7/6HeTcxwS1IMyZfNwRKQYLkzcwqf+OsrrjqTSBPCt8rcMoDVH3vxdf
+            wazu/vqoM1mwkUlogEF/M/SITEO9nJzrkAihAr6OJgfTJqi8RJffxoXQ8gAfan2J
+            wYMkcTxPNnskyZMUr2onotdnqdVSMgR2vwnsvIfSWUSx4eMpK8wO2xQm60hAXNHx
+            QCVcTz7sMDu6nD3xsvJs5D67YnkrLuqnuNeHQqSsREPv132kKIpEhAZop0MYk8ld
+            798jafK8xCzasbIZqDRzSqUUK/Z/J4EN8A4zRY5EtcbXdKHpKkUYuX/Sb7y2FAQR
+            JMV3uqLxJoz4mqUM0VJBt77Del5YQ5LeqE8aHMBDNtfjAdmK/2xg7BuGuromZYzS
+            XgFxwGfX791vSkUJ/z+7Nf3QmAKBXOuEYaYJbcZ5pFbKKdcfI8iEfL7utVQ59U2k
+            4BLB7aChrp8J795YQna+YgPybK5NR00FX6qLJiZAp56MdcvncJ8s42/epRWRusk=
+            =8ak0
+            -----END PGP MESSAGE-----
+          fp: 49F10679C425233EFB4B1B6F9D641BEFA42DEC28
+    encrypted_regex: ^(data|stringData)$
+    version: 3.10.1

clusters/titan.lan.huizinga.dev/infra/kustomization.yaml

@@ -0,0 +1,21 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ./../../../infra/akri
+  - ./../../../infra/authelia
+  - ./../../../infra/cert-manager
+  - ./../../../infra/cnpg
+  - ./../../../infra/descheduler.yaml
+  - ./../../../infra/dragonflydb.yaml
+  - ./../../../infra/external-snapshotter.yaml
+  - ./../../../infra/intel-device-plugins.yaml
+  - ./../../../infra/kube-vip
+  - ./../../../infra/kyverno
+  - ./../../../infra/lldap
+  - ./../../../infra/loki
+  - ./../../../infra/node-feature-discovery
+  - ./../../../infra/rook-ceph
+  - ./../../../infra/topolvm
+  - ./../../../infra/traefik
+  - ./../../../infra/velero

clusters/titan.lan.huizinga.dev/infrastructure.yaml

@@ -1,50 +0,0 @@
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: infra-controllers
-  namespace: flux-system
-spec:
-  decryption:
-    provider: sops
-    secretRef:
-      name: sops-gpg
-  interval: 1h
-  retryInterval: 1m
-  timeout: 5m
-  sourceRef:
-    kind: GitRepository
-    name: flux-system
-  path: ./infrastructure/controllers
-  prune: true
-  wait: true
-  patches:
-    - patch: |
-        - op: add
-          path: /spec/values/service/spec/loadBalancerIP
-          value: 10.0.2.2
-      target:
-        kind: HelmRelease
-        name: traefik
-        namespace: traefik
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: infra-configs
-  namespace: flux-system
-spec:
-  dependsOn:
-    - name: infra-controllers
-  decryption:
-    provider: sops
-    secretRef:
-      name: sops-gpg
-  interval: 1h
-  retryInterval: 1m
-  timeout: 5m
-  sourceRef:
-    kind: GitRepository
-    name: flux-system
-  path: ./infrastructure/configs
-  prune: true
-  wait: true

clusters/titan.lan.huizinga.dev/kube-vip/kube-vip.app.enp3s0.yaml

@@ -1,91 +0,0 @@
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
-  creationTimestamp: null
-  labels:
-    app.kubernetes.io/name: kube-vip-ds
-    app.kubernetes.io/version: v0.8.3
-  name: kube-vip-ds-enp3s0
-  namespace: kube-system
-spec:
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: kube-vip-ds
-  template:
-    metadata:
-      creationTimestamp: null
-      labels:
-        app.kubernetes.io/name: kube-vip-ds
-        app.kubernetes.io/version: v0.8.3
-    spec:
-      affinity:
-        nodeAffinity:
-          requiredDuringSchedulingIgnoredDuringExecution:
-            nodeSelectorTerms:
-              - matchExpressions:
-                  - key: node-role.kubernetes.io/master
-                    operator: Exists
-              - matchExpressions:
-                  - key: node-role.kubernetes.io/control-plane
-                    operator: Exists
-      nodeSelector:
-        vip_interface: enp3s0
-      containers:
-        - args:
-            - manager
-          env:
-            - name: vip_arp
-              value: "true"
-            - name: port
-              value: "6443"
-            - name: vip_nodename
-              valueFrom:
-                fieldRef:
-                  fieldPath: spec.nodeName
-            - name: vip_interface
-              value: enp3s0
-            - name: vip_cidr
-              value: "32"
-            - name: dns_mode
-              value: first
-            - name: cp_enable
-              value: "true"
-            - name: cp_namespace
-              value: kube-system
-            - name: svc_enable
-              value: "true"
-            - name: svc_election
-              value: "true"
-            - name: svc_leasename
-              value: plndr-svcs-lock
-            - name: vip_leaderelection
-              value: "true"
-            - name: vip_leasename
-              value: plndr-cp-lock
-            - name: vip_leaseduration
-              value: "5"
-            - name: vip_renewdeadline
-              value: "3"
-            - name: vip_retryperiod
-              value: "1"
-            - name: address
-              value: 10.0.2.1
-            - name: prometheus_server
-              value: :2112
-          image: ghcr.io/kube-vip/kube-vip:v0.8.3
-          imagePullPolicy: IfNotPresent
-          name: kube-vip
-          resources: {}
-          securityContext:
-            capabilities:
-              add:
-                - NET_ADMIN
-                - NET_RAW
-      hostNetwork: true
-      serviceAccountName: kube-vip
-      tolerations:
-        - effect: NoSchedule
-          operator: Exists
-        - effect: NoExecute
-          operator: Exists
-  updateStrategy: {}

clusters/titan.lan.huizinga.dev/kube-vip/kube-vip.config.yaml

@@ -1,9 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: kubevip
-  namespace: kube-system
-data:
-  # 10.0.2.1 is reserved for control plane
-  # 10.0.2.2 is reserved for traefik
-  range-global: 10.0.2.3-10.0.2.254

clusters/titan.lan.huizinga.dev/kube-vip/kustomization.yaml

@@ -1,8 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - kube-vip.rbac.yaml
-  - kube-vip.app.enp3s0.yaml
-  - kube-vip.app.enp2s0.yaml
-  - https://raw.githubusercontent.com/kube-vip/kube-vip-cloud-provider/refs/tags/v0.0.10/manifest/kube-vip-cloud-controller.yaml
-  - kube-vip.config.yaml

common/dragonflydb/kustomization.yaml

@@ -1,4 +1,4 @@
-apiVersion: kustomize.config.k8s.io/v1alpha1
-kind: Component
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
 resources:
   - ./database.yaml

common/name-reference/helm-release.yaml

@@ -0,0 +1,7 @@
+# This makes sure the field in the HelmRelease is recognized as a ConfigMap
+nameReference:
+  - kind: ConfigMap
+    version: v1
+    fieldSpecs:
+      - path: spec/valuesFrom/name
+        kind: HelmRelease

common/postgres/b2-access-key.yaml

@@ -1,60 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-    name: b2-access-key
-type: Opaque
-data:
-    ACCESS_KEY_ID: ENC[AES256_GCM,data:YpYkexRxH4mVyufrS/Blw3PSrU9H1eO3O6urN9tCZvYBenp7,iv:1ka5Otp0u4HJ5WC3yj+YJLAQC0Cy8Y2vWGqxLSaAGfM=,tag:8SKOcUoUuOWLm0Na2r7Hfw==,type:str]
-    ACCESS_SECRET_KEY: ENC[AES256_GCM,data:8Q2QsCpe/yiWmETVnIROJe0uiY7gMzQF4e8PiaF2vAgqkNq/oT8ku21bWCQ=,iv:635wzxp/XJ0zoxw9n63km38LdqDcebfU/ltLzN/bHPc=,tag:nGfKtpf8qzNyO3bDbbtn/A==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age: []
-    lastmodified: "2024-11-15T01:21:23Z"
-    mac: ENC[AES256_GCM,data:K8ATLj5nZfibvMPXR3ls7zXav0IVxSajyeFb/Qs/P3pPfHQ1p5ZRWaWTuNAFST04ynZ5BOcZyZCi9niMSZOGYBnDtOiJQAT1t3RxYS6j2X2HDX+nFTW6e4uDSOZMWk1poLP5lgBRvYxjsaco6X9F0hdvF7T7xvm7IHbHY7HAckg=,iv:C/bCoZKYy8gudmH8D/5R/MWlkC1ORlWZIvntjqt2dRk=,tag:yJsg7jj6p066CDzPXntOzA==,type:str]
-    pgp:
-        - created_at: "2024-10-10T22:08:04Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMA7pKPTYH5bqOAQ/+MJi/46q5TyjE0mqUfgmx90mYGchNQCvOHOdZJT2E2s2Z
-            DbqyrI5Bx+EauTl4eYhlMS9Xza/mL5I99GX/49FRpgvfmCwbM/aeOdq/CPWE771n
-            iylxE6uj0VVQGCazcO84Gg8CUxW3+dtNBbIUQYRxmQST6Pbg/lrmlXF5wDUfEueT
-            5FkfOZA7py3TyxUB4tcFA13e10CRFC1a7KHvfZm4ISs/1L97tsr0aZNgwCmHZodO
-            5fcm6poWtXEo16N/4XC8CI0z7unqNVRSgvpvVBHCvULkq4abznho2abkForNNkvv
-            GaN1Zcq8GIclVexMxaSC0M7BFfOdhmCDXuOdkKP/K1etL9UGGBdo7g5WJ7eqAiKN
-            Xs43VRijJsltIrTui/0s8zVIRzLfxTYGR2JtSnLuFaMGkKAijR34RsC9hXol+OB1
-            OAxGVzGfAR8wdgmShV9SPSOl3CtT6317YGuzjzkSbryJ2oYqR4zjV9jXgIEtuDZF
-            r6RITshhvata0w+e6tHSMYmnsF9YD4LbpGQmLm7r/A5ibBsE/2ZoUGBxNrb68YW1
-            vQmD2Ywv/Soe4f2Vj7vXJewrrJ1F0NPV/43sxl9lZB9JVMC6c8pMv7hndVq7dofn
-            dbqVXXeGd+Os/5X0P2yjlJYBjrMpFsg2tNi5dA5gUJ9uXqzNtSFx7ma9uJ4sX3zU
-            ZgEJAhDRzwccDHXa3D3+FBVJFbwN80G30Z6hS225mpIrBXqkElDH8hGs7KGkdIP5
-            O6CcZKt+j2R+40J0iJIcy1s211qgkzzDgtUaM1yAlVM8t3JpnykjhLp8mMzytOC1
-            rag4GdeG4Q==
-            =9TAG
-            -----END PGP MESSAGE-----
-          fp: 1E0CF38FF7C9ADAED58B436ABA4A3D3607E5BA8E
-        - created_at: "2024-10-10T22:08:04Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMA51kG++kLewoAQ//fPw1ZgguXCZSLBnl4J/d4IZok6l4TdnbySDOKTOnZUi0
-            xyDusr9kdrEdDb4nYUT3PBrxEC2DsKDIJJSwUgLTZB6moIJgHPa51qermyGgqhKU
-            c4vyYCMKAJyS6rOoU5fsPb+kJS52ltBLEmyO7JndM32CFmfyq4iwphNcheJE7qFW
-            xBmEtsJBPh4P1ysFQtG0DH8iroAYvsI4HLJw6+pdy/rI3zu3LDmiOnEidGz685BB
-            gbYj+bJV2gIBGdSWqsjuAJh37dfP9143Hwvz57raA+uqVPtaTaywGuEyDE7E8B7U
-            LdxATRKDdRp9+ytdn+UBeZQPYolKhv2bOgm4tzBq/VGmm/11nZbXyv69vgooOqnf
-            YYPg3VGnqpaGmxy94EFuLCWvD0ZO7rMQMOoz0vZRHGNYsye2tUOF/F6eIzhehh3+
-            AhGSrGDZa5HM41dLsTrNnb8YbzGKqljVJyWvORfIniW6RONIuFrz3/Pe4jjnM+Dm
-            Y8z033SmAm5JT2Jhc/tb9LvYbVQzfrUWImh9qcVGOU5RqvB13VOCaNHmt33crMjg
-            KFMhBJ5F3ftqe3JiK+6KOuS9g2wd3M5VM5qLHBLr7qTDb5q/JKsBIY7AcLsVyYNx
-            T3OynFuAkiYVTe4CuXCSrbVPXd9XkV/dDdQh+5ZR8nxo0/TkpnAwwGdh9hFsOtLS
-            XAEXagTFsM3Cl3T45ehYSPt6oyfx5dwKkQ8wxaqSWIkrvTla/ofOD9xemsBfYNku
-            b9vLFfbry8J+p5H9fEtS9/co4xYmajP/Mzq54JflEHqt/ej0MTxnNB5m+a45
-            =CFmy
-            -----END PGP MESSAGE-----
-          fp: 49F10679C425233EFB4B1B6F9D641BEFA42DEC28
-    encrypted_regex: ^(data|stringData)$
-    version: 3.9.0

common/postgres/cluster.yaml

@@ -0,0 +1,14 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: postgres
+spec:
+  instances: 2
+
+  storage:
+    size: 8Gi
+    storageClass: topolvm-provisioner
+
+  affinity:
+    topologyKey: kubernetes.io/hostname
+    podAntiAffinityType: required

common/postgres/database.yaml

@@ -1,35 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: -db
-spec:
-  chart:
-    spec:
-      chart: cluster
-      reconcileStrategy: ChartVersion
-      sourceRef:
-        kind: HelmRepository
-        name: cnpg
-        namespace: cnpg-system
-      version: 0.0.11
-  interval: 1m0s
-  values:
-    type: postgresql
-    mode: standalone
-    cluster:
-      instances: 2
-      affinity:
-        topologyKey: kubernetes.io/hostname
-        podAntiAffinityType: required
-      storage:
-        storageClass: piraeus-storage
-    backups:
-      enabled: true
-      provider: s3
-      endpointURL: https://s3.us-west-002.backblazeb2.com
-      s3:
-        bucket: titan-k3s-backup
-        path: /postgres
-      secret:
-        create: false
-        name: b2-access-key

common/postgres/kustomization.yaml

@@ -1,7 +1,4 @@
-apiVersion: kustomize.config.k8s.io/v1alpha1
-kind: Component
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
 resources:
-  - ./database.yaml
-  - ./b2-access-key.yaml
-replacements:
-  - path: replacement.yaml
+  - ./cluster.yaml

common/postgres/replacement.yaml

@@ -1,12 +0,0 @@
-source:
-  kind: Namespace
-  fieldPath: metadata.name
-targets:
-  - select:
-      kind: HelmRelease
-      name: -db
-    fieldPaths:
-      - metadata.name
-    options:
-      delimiter: "-"
-      index: 0

infra/akri/akri.yaml

@@ -0,0 +1,16 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: akri
+  namespace: flux-system
+  labels:
+    alert: flux-infra
+spec:
+  interval: 15m
+  path: ./infra/akri/akri
+  prune: true
+  timeout: 2m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  wait: true

infra/akri/akri/helm-release.yaml

@@ -0,0 +1,18 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: akri
+spec:
+  chart:
+    spec:
+      chart: akri
+      reconcileStrategy: ChartVersion
+      sourceRef:
+        kind: HelmRepository
+        name: akri
+      version: 0.13.8
+  interval: 15m
+  timeout: 5m
+  valuesFrom:
+    - kind: ConfigMap
+      name: akri-values

infra/akri/akri/helm-repository.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: akri
+spec:
+  interval: 15m
+  timeout: 2m
+  url: https://project-akri.github.io/akri/

infra/akri/akri/kustomization.yaml

@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: akri
+resources:
+  - ./namespace.yaml
+  - ./helm-repository.yaml
+  - ./helm-release.yaml
+
+configurations:
+  - ../../../common/name-reference/helm-release.yaml
+
+configMapGenerator:
+  - name: akri-values
+    files:
+      - ./values.yaml

infra/akri/akri/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: akri

infra/akri/akri/values.yaml

@@ -0,0 +1,3 @@
+udev:
+  discovery:
+    enabled: true

infra/akri/kustomization.yaml

@@ -1,4 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - cloudflare-token.yaml
+  - ./akri.yaml

infra/authelia/authelia-controller.yaml

@@ -0,0 +1,62 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: OCIRepository
+metadata:
+  name: authelia-controller
+  namespace: flux-system
+spec:
+  interval: 15m0s
+  url: oci://git.huizinga.dev/dreaded_x/authelia-controller/manifests
+  ref:
+    tag: edge
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: authelia-controller
+  namespace: flux-system
+spec:
+  interval: 15m
+  prune: true
+  timeout: 2m
+  sourceRef:
+    kind: OCIRepository
+    name: authelia-controller
+  wait: true
+---
+apiVersion: notification.toolkit.fluxcd.io/v1
+kind: Receiver
+metadata:
+  name: authelia-controller
+  namespace: flux-system
+spec:
+  type: generic
+  secretRef:
+    name: receiver
+  resources:
+    - apiVersion: source.toolkit.fluxcd.io/v1beta2
+      kind: OCIRepository
+      name: authelia-controller
+---
+apiVersion: notification.toolkit.fluxcd.io/v1beta3
+kind: Provider
+metadata:
+  name: authelia-controller
+  namespace: flux-system
+spec:
+  type: gitea
+  address: https://git.huizinga.dev/dreaded_x/authelia-controller
+  secretRef:
+    name: gitea
+---
+apiVersion: notification.toolkit.fluxcd.io/v1beta3
+kind: Alert
+metadata:
+  name: authelia-controller
+  namespace: flux-system
+spec:
+  providerRef:
+    name: authelia-controller
+  eventSeverity: info
+  eventSources:
+    - kind: Kustomization
+      name: authelia-controller

infra/authelia/authelia.yaml

@@ -0,0 +1,30 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: authelia
+  namespace: flux-system
+  labels:
+    alert: flux-infra
+spec:
+  interval: 15m
+  path: ./infra/authelia/authelia
+  dependsOn:
+    - name: traefik
+    - name: cnpg
+    - name: dragonflydb
+    - name: kyverno-policies
+    - name: lldap-controller
+  prune: true
+  timeout: 2m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  wait: true
+  postBuild:
+    substituteFrom:
+      - kind: ConfigMap
+        name: domain-vars
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg

infra/authelia/authelia/helm-release.yaml

@@ -0,0 +1,17 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: authelia
+spec:
+  chart:
+    spec:
+      chart: authelia
+      reconcileStrategy: ChartVersion
+      sourceRef:
+        kind: HelmRepository
+        name: authelia
+      version: 0.9.16
+  interval: 15m
+  valuesFrom:
+    - kind: ConfigMap
+      name: authelia-values

infra/authelia/authelia/kustomization.yaml

@@ -0,0 +1,18 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: authelia
+resources:
+  - ./namespace.yaml
+  - ./helm-repository.yaml
+  - ./helm-release.yaml
+  - ./service-user.yaml
+  - ../../../common/postgres
+  - ../../../common/dragonflydb
+
+configurations:
+  - ../../../common/name-reference/helm-release.yaml
+
+configMapGenerator:
+  - name: authelia-values
+    files:
+      - ./values.yaml

infra/authelia/authelia/service-user.yaml

@@ -0,0 +1,5 @@
+apiVersion: lldap.huizinga.dev/v1
+kind: ServiceUser
+metadata:
+  name: authelia
+spec: {}

infra/authelia/authelia/values.yaml

@@ -0,0 +1,69 @@
+pod:
+  kind: Deployment
+  replicas: 2
+ingress:
+  enabled: true
+  tls:
+    enabled: true
+    secret: ${domain//./-}-tls
+  traefikCRD:
+    enabled: true
+    entryPoints:
+      - websecure
+
+secret:
+  additionalSecrets:
+    postgres-app:
+      key: postgres-app
+    authelia-lldap-credentials:
+      key: authelia-lldap-credentials
+
+configMap:
+  log:
+    level: debug
+
+  authentication_backend:
+    ldap:
+      enabled: true
+      implementation: lldap
+      address: ldap://lldap.lldap.svc.cluster.local:3890
+      base_dn: dc=huizinga,dc=dev
+      additional_users_dn: ou=people
+      users_filter: "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))"
+      additional_groups_dn: ou=groups
+      groups_filter: "(member={dn})"
+      attributes:
+        display_name: displayName
+        username: uid
+        group_name: cn
+        mail: mail
+      user: uid=authelia.authelia,ou=people,dc=huizinga,dc=dev
+      password:
+        secret_name: authelia-lldap-credentials
+        path: password
+
+  session:
+    cookies:
+      - subdomain: login${subdomain}
+        domain: ${topdomain}
+    redis:
+      enabled: true
+      host: dragonflydb.authelia
+
+  storage:
+    postgres:
+      enabled: true
+      address: tcp://postgres-rw.authelia:5432
+      database: app
+      username: app
+      password:
+        secret_name: postgres-app
+        path: password
+
+  notifier:
+    filesystem:
+      enabled: true
+
+  access_control:
+    secret:
+      existingSecret: authelia-acl

infra/authelia/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./authelia-controller.yaml
+  - ./authelia.yaml

infra/cert-manager/cert-manager.yaml

@@ -0,0 +1,16 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: cert-manager
+  namespace: flux-system
+  labels:
+    alert: flux-infra
+spec:
+  interval: 15m
+  path: ./infra/cert-manager/cert-manager
+  prune: true
+  timeout: 2m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  wait: true

infra/cert-manager/cert-manager/helm-release.yaml

@@ -0,0 +1,18 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: cert-manager
+spec:
+  chart:
+    spec:
+      chart: cert-manager
+      reconcileStrategy: ChartVersion
+      sourceRef:
+        kind: HelmRepository
+        name: jetstack
+      version: v1.16.4
+  interval: 15m
+  timeout: 5m
+  valuesFrom:
+    - kind: ConfigMap
+      name: cert-manager-values

infra/cert-manager/cert-manager/helm-repository.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: jetstack
+spec:
+  interval: 15m
+  timeout: 2m
+  url: https://charts.jetstack.io

infra/cert-manager/cert-manager/kustomization.yaml

@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: cert-manager
+resources:
+  - ./namespace.yaml
+  - ./helm-repository.yaml
+  - ./helm-release.yaml
+
+configurations:
+  - ../../../common/name-reference/helm-release.yaml
+
+configMapGenerator:
+  - name: cert-manager-values
+    files:
+      - ./values.yaml

infra/cert-manager/cert-manager/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cert-manager

infra/cert-manager/cert-manager/values.yaml

@@ -0,0 +1,14 @@
+installCRDs: true
+replicaCount: 2
+webhook:
+  replicaCount: 2
+cainjector:
+  replicaCount: 2
+extraArgs:
+  - --dns01-recursive-nameservers=1.1.1.1:53,9.9.9.9:53
+  - --dns01-recursive-nameservers-only
+podDnsPolicy: None
+podDnsConfig:
+  nameservers:
+    - "1.1.1.1"
+    - "9.9.9.9"

infra/cert-manager/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./cert-manager.yaml
+  - ./letsencrypt.yaml

infra/cert-manager/letsencrypt.yaml

@@ -0,0 +1,22 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: letsencrypt
+  namespace: flux-system
+  labels:
+    alert: flux-infra
+spec:
+  interval: 15m
+  path: ./infra/cert-manager/letsencrypt
+  dependsOn:
+    - name: cert-manager
+  prune: true
+  timeout: 10m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  wait: true
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg

infra/cert-manager/letsencrypt/certificate-huizinga-dev.yaml

@@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: huizinga-dev
+  namespace: letsencrypt
+spec:
+  secretName: huizinga-dev-tls
+  issuerRef:
+    name: letsencrypt
+    kind: ClusterIssuer
+  commonName: "huizinga.dev"
+  dnsNames:
+    - "huizinga.dev"
+    - "*.huizinga.dev"

infra/cert-manager/letsencrypt/certificate-staging-huizinga-dev.yaml

@@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: staging-huizinga-dev
+  namespace: letsencrypt
+spec:
+  secretName: staging-huizinga-dev-tls
+  issuerRef:
+    name: letsencrypt
+    kind: ClusterIssuer
+  commonName: "staging.huizinga.dev"
+  dnsNames:
+    - "staging.huizinga.dev"
+    - "*.staging.huizinga.dev"

infra/cert-manager/letsencrypt/cluster-issuer.yaml

@@ -13,5 +13,5 @@ spec:
           cloudflare:
             email: tim.huizinga@gmail.com
             apiTokenSecretRef:
-              name: cloudflare-token-secret
-              key: cloudflare-token
+              name: cloudflare-token
+              key: token

infra/cert-manager/letsencrypt/kustomization.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./namespace.yaml
+  - ./secret-cloudflare-token.yaml
+  - ./cluster-issuer.yaml
+  - ./certificate-staging-huizinga-dev.yaml
+  - ./certificate-huizinga-dev.yaml

infra/cert-manager/letsencrypt/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: letsencrypt

infra/cert-manager/letsencrypt/secret-cloudflare-token.yaml

@@ -0,0 +1,60 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cloudflare-token
+  namespace: cert-manager
+type: Opaque
+stringData:
+  token: ENC[AES256_GCM,data:1QSjQJrky3AOQv9Bf8ifvfgeYCh3DvPtCWNLKEY/eEpzPsJKD7MYwQ==,iv:MbWKNj13K25TiP1MPfJMaM1P3Qpy3TE+dWnbF5Gpr3Y=,tag:IMRRhh2nwT40rjVDAgBhrw==,type:str]
+sops:
+  kms: []
+  gcp_kms: []
+  azure_kv: []
+  hc_vault: []
+  age: []
+  lastmodified: "2025-02-15T21:32:18Z"
+  mac: ENC[AES256_GCM,data:hYqyrhnrwpvEcJGMIfjSpbIvQ3NHukCDhRB2Zf7vifKYqQyd0hSmh6aeDPdARwdoiybQIuW6pa3SXOY4V1LgOYx6U36HOsDBe5ENQyXV0z5RID+H/nfZmcqj2pfRE8zpfAUhpcilCT8TMJpJSlaAh5kFl/6Z1feekVJLkxPYg30=,iv:FpZ8rDrvNACc+mgR6JNXmTNFXJt6es896n4xkLKzN/s=,tag:JW/OZHNBD+MEiRnhih1/fg==,type:str]
+  pgp:
+    - created_at: "2024-09-26T22:20:01Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMA7pKPTYH5bqOARAAl2y4yZJGsWORJ5jd2CopSW6yx8IsHqLKq3khYxHkPamu
+        gjItOM/Gqep1QCJr4kxTkO7P0MaYi7ZGinuhishYu4xy1mom8WzJs/rA2cjW1UbF
+        m8GoUGypaPtSsR1nQufgrO6JbIch3Tr498wBD7SvXIWTFpooalcERvVB3F4T4CeT
+        gXIk+vSjvXkCmx4jgAVhpj249HQOk9nyX35UzcjaSOzYm9/vfs3vFRq8FXNRkGff
+        +Ui/os4xTB4GiLgnvQ7t8FYTqvDfMVwgKI6VkOplpnP50mmTdKYRVe79Awvq1+/V
+        UkkSHxmw5Zqj7nv8MoKIlYk2g+14NLz57i4zs2vK3cNqDAqezub7r/LRDcm5Haqp
+        ZmI8B6VUNhveI7hKjm8ssMlOz6x3s7hvex6e+AWRqvbknusXXCiI9dhL73TXXmeZ
+        yceIlg5T67PY2ysbpfuToyg6ihbkMo0bM1m/lQpA94yRx6EKO75AHvBaGxgDggSr
+        Q8/DM3J729yqjHvXLL+2YGXVlRSpMlWb+AYi4YLmB/rsT2wBlPWE7m0c3/xQA3ld
+        5b/CW/2JOfXlwnooXEMFICr9ExFeiOv4RTnNahOTVscnIsi5jSlYPkhWwKm6ughy
+        oahJRi6wb6sJrleoPKRea+Pwh2qdEaQE/nFeBZeMMZxyLySQmkWoXJET7HQR3szU
+        aAEJAhBFZF84NkBuqmo+A7z055hz1tEJSnjO6eZ/+jvX9pPkrAv/CqW9C8UeG3vt
+        a6/XjnRVr38ZKAtNt3ebFwjzKZDLVyrANycnEp1PV7Pc8QvltJ88VS/wmWSP9Hj0
+        BA11vpb7XvkU
+        =XmSy
+        -----END PGP MESSAGE-----
+      fp: 1E0CF38FF7C9ADAED58B436ABA4A3D3607E5BA8E
+    - created_at: "2024-09-26T22:20:01Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMA51kG++kLewoAQ/+M1BLbAVU8kVgx/atZnWwjZtjukEc8vOFw4n9tscq0Dm3
+        UzoOpbM1kaq5Hq8+e1mVFXMWLYgHnKjeSwBSiRCmZgFfvzPK63E5c6ZorKniTneZ
+        T7BJwxmtEF8JG+N9O2SHmto4cWZcrHvmWS5jJ5ybUFlMiFp6z7fPBuOzhKvTMBsc
+        IFHBBF0eMANUGwlpXuYJMTUECnFjvIxu/UXPMVBZ1HWHbIewYTRWXPQXeDxlJyk6
+        YgtGChBZ8KRYNqX1kBi5AyIdjWA9+wrMtTVTghC+1eBTOm8TsmN280KBmB512li1
+        HgexbmQkgItlJwyOV/7MTo19yzve72yYlqoIv3BSrwYfr0NDaQM0mhLAwcHC2R1R
+        IAOzajlHtgbr3XBW0BxWMC4Ch23CatZE4WJlu/CJ07+aMCsSV4L+da7wopt0A9dx
+        og0aPjUGq3MFmSet0kJKLJHS1JBSjf0LVnQjB5A451Wmndpoc2gZSpNtM4I2e2+7
+        xe6RUB6oYjRyB0t771UMQ3sQrSN3cn2c8yuijLep837yvNqpRBR4bbc2XJdZIOMw
+        sKEGIAMyJjCagQJa4c2YY0fksVSnhnYzjklfsx+PAvsW9EiWo26Vldp4zHYsVALD
+        7yKAWGupRTTB2mTXg9wvoKRkOY8A3Lb9aG+xnrf967nJt9nCV9hPXs959dVw9+jS
+        XgFCzdWtznuFA5wPJA3ko6lqLnE1HCIdgAo5ovQ4y3K9jkoVJsS2ADAnEy9Ac2uk
+        uds32S29PQ9o+ReAIQKvTzFNmKSLbcsK/z6rGLh0WdqmqWg6kVidWvktDQHY86E=
+        =cW8j
+        -----END PGP MESSAGE-----
+      fp: 49F10679C425233EFB4B1B6F9D641BEFA42DEC28
+  encrypted_regex: ^(data|stringData)$
+  version: 3.9.1

infra/cnpg/cnpg.yaml

@@ -0,0 +1,18 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: cnpg
+  namespace: flux-system
+  labels:
+    alert: flux-infra
+spec:
+  interval: 15m
+  path: ./infra/cnpg/cnpg
+  dependsOn:
+    - name: topolvm
+  prune: true
+  timeout: 2m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  wait: true

infra/cnpg/cnpg/helm-release.yaml

@@ -0,0 +1,18 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: cnpg
+spec:
+  chart:
+    spec:
+      chart: cloudnative-pg
+      reconcileStrategy: ChartVersion
+      sourceRef:
+        kind: HelmRepository
+        name: cnpg
+      version: 0.22.0
+  interval: 15m
+  timeout: 5m
+  valuesFrom:
+    - kind: ConfigMap
+      name: cnpg-values

infra/cnpg/cnpg/helm-repository.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: cnpg
+spec:
+  interval: 15m
+  timeout: 2m
+  url: https://cloudnative-pg.github.io/charts

infra/cnpg/cnpg/kustomization.yaml

@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: cnpg-system
+resources:
+  - ./namespace.yaml
+  - ./helm-repository.yaml
+  - ./helm-release.yaml
+configurations:
+  - ../../../common/name-reference/helm-release.yaml
+
+configMapGenerator:
+  - name: cnpg-values
+    files:
+      - ./values.yaml

infra/cnpg/cnpg/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cnpg-system

infra/cnpg/cnpg/values.yaml

@@ -0,0 +1 @@
+replicaCount: 2

infra/cnpg/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./cnpg.yaml

infra/descheduler.yaml

@@ -0,0 +1,25 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: GitRepository
+metadata:
+  name: descheduler
+  namespace: flux-system
+spec:
+  interval: 15m0s
+  ref:
+    tag: v0.32.2
+  url: https://github.com/kubernetes-sigs/descheduler
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: descheduler
+  namespace: flux-system
+spec:
+  interval: 15m
+  path: ./kubernetes/cronjob
+  prune: true
+  timeout: 2m
+  sourceRef:
+    kind: GitRepository
+    name: descheduler
+  wait: true

infra/dragonflydb.yaml

@@ -0,0 +1,28 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: GitRepository
+metadata:
+  name: dragonflydb
+  namespace: flux-system
+spec:
+  interval: 15m0s
+  ref:
+    tag: v1.1.8
+  url: https://github.com/dragonflydb/dragonfly-operator
+  ignore: |
+    /*
+    !/manifests/dragonfly-operator.yaml
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: dragonflydb
+  namespace: flux-system
+spec:
+  interval: 15m
+  path: ./manifests
+  prune: true
+  timeout: 2m
+  sourceRef:
+    kind: GitRepository
+    name: dragonflydb
+  wait: true

infra/external-snapshotter.yaml

@@ -0,0 +1,28 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: GitRepository
+metadata:
+  name: external-snapshotter
+  namespace: flux-system
+spec:
+  interval: 15m0s
+  ref:
+    tag: v8.2.0
+  url: https://github.com/kubernetes-csi/external-snapshotter
+  ignore: |
+    /*
+    !/client/config/crd/*
+    !/deploy/kubernetes/snapshot-controller/*
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: external-snapshotter
+  namespace: flux-system
+spec:
+  interval: 15m
+  prune: true
+  timeout: 2m
+  sourceRef:
+    kind: GitRepository
+    name: external-snapshotter
+  wait: true

infra/intel-device-plugins.yaml

@@ -0,0 +1,48 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: GitRepository
+metadata:
+  name: intel-device-plugins
+  namespace: flux-system
+spec:
+  interval: 15m0s
+  ref:
+    tag: v0.32.0
+  url: https://github.com/intel/intel-device-plugins-for-kubernetes
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: intel-node-feature-rules
+  namespace: flux-system
+spec:
+  interval: 15m
+  path: ./deployments/nfd/overlays/node-feature-rules
+  dependsOn:
+    - name: node-feature-discovery
+  prune: true
+  timeout: 2m
+  sourceRef:
+    kind: GitRepository
+    name: intel-device-plugins
+  wait: true
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: intel-device-plugins
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: intel-gpu-plugin
+  namespace: flux-system
+spec:
+  interval: 15m
+  path: ./deployments/gpu_plugin/overlays/nfd_labeled_nodes
+  targetNamespace: intel-device-plugins
+  prune: true
+  timeout: 2m
+  sourceRef:
+    kind: GitRepository
+    name: intel-device-plugins
+  wait: true

infra/kube-vip/kube-vip.yaml

@@ -0,0 +1,18 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: kube-vip
+  namespace: flux-system
+  labels:
+    alert: flux-infra
+spec:
+  interval: 15m
+  path: ./infra/kube-vip/kube-vip
+  dependsOn:
+    - name: kyverno-policies
+  prune: true
+  timeout: 2m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  wait: true

infra/kube-vip/kube-vip/cluster-role-binding.yaml

@@ -0,0 +1,12 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: system:kube-vip-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:kube-vip-role
+subjects:
+  - kind: ServiceAccount
+    name: kube-vip
+    namespace: kube-system

infra/kube-vip/kube-vip/cluster-role.yaml

@@ -1,9 +1,3 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: kube-vip
-  namespace: kube-system
----
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -26,16 +20,3 @@ rules:
   - apiGroups: ["discovery.k8s.io"]
     resources: ["endpointslices"]
     verbs: ["list", "get", "watch", "update"]
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: system:kube-vip-binding
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: system:kube-vip-role
-subjects:
-- kind: ServiceAccount
-  name: kube-vip
-  namespace: kube-system

infra/kube-vip/kube-vip/config-map-kubevip.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: kubevip
+data:
+  # Can't use cidr-range as 10.0.2.1 is reserved for the control plane
+  range-global: 10.0.2.2-10.0.2.254

infra/kube-vip/kube-vip/daemon-set.yaml

@@ -1,22 +1,19 @@
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
-  creationTimestamp: null
   labels:
-    app.kubernetes.io/name: kube-vip-ds
-    app.kubernetes.io/version: v0.8.3
-  name: kube-vip-ds-enp2s0
-  namespace: kube-system
+    app.kubernetes.io/name: kube-vip
+    app.kubernetes.io/version: v0.9.0
+  name: kube-vip
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: kube-vip-ds
+      app.kubernetes.io/name: kube-vip
   template:
     metadata:
-      creationTimestamp: null
       labels:
-        app.kubernetes.io/name: kube-vip-ds
-        app.kubernetes.io/version: v0.8.3
+        app.kubernetes.io/name: kube-vip
+        app.kubernetes.io/version: v0.9.0
     spec:
       affinity:
         nodeAffinity:
@@ -28,8 +25,9 @@ spec:
               - matchExpressions:
                   - key: node-role.kubernetes.io/control-plane
                     operator: Exists
-      nodeSelector:
-        vip_interface: enp2s0
+              - matchExpressions:
+                  - key: feature.node.kubernetes.io/network-adapter
+                    operator: Exists
       containers:
         - args:
             - manager
@@ -43,8 +41,10 @@ spec:
                 fieldRef:
                   fieldPath: spec.nodeName
             - name: vip_interface
-              value: enp2s0
-            - name: vip_cidr
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.annotations['feature.node.kubernetes.io/network-adapter']
+            - name: vip_subnet
               value: "32"
             - name: dns_mode
               value: first
@@ -72,7 +72,9 @@ spec:
               value: 10.0.2.1
             - name: prometheus_server
               value: :2112
-          image: ghcr.io/kube-vip/kube-vip:v0.8.3
+            - name: enableUPNP
+              value: "true"
+          image: ghcr.io/kube-vip/kube-vip:v0.9.0
           imagePullPolicy: IfNotPresent
           name: kube-vip
           resources: {}
@@ -81,6 +83,8 @@ spec:
               add:
                 - NET_ADMIN
                 - NET_RAW
+              drop:
+                - ALL
       hostNetwork: true
       serviceAccountName: kube-vip
       tolerations:

infra/kube-vip/kube-vip/kustomization.yaml

@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kube-system
+resources:
+  - ./service-account.yaml
+  - ./cluster-role.yaml
+  - ./cluster-role-binding.yaml
+  - ./daemon-set.yaml
+
+  - https://raw.githubusercontent.com/kube-vip/kube-vip-cloud-provider/refs/tags/v0.0.11/manifest/kube-vip-cloud-controller.yaml
+  - ./config-map-kubevip.yaml

infra/kube-vip/kube-vip/service-account.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kube-vip

infra/kube-vip/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./kube-vip.yaml

infra/kyverno/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./kyverno-policies.yaml
+  - ./kyverno.yaml

infra/kyverno/kyverno-policies.yaml

@@ -0,0 +1,18 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: kyverno-policies
+  namespace: flux-system
+  labels:
+    alert: flux-infra
+spec:
+  interval: 15m
+  path: ./infra/kyverno/kyverno-policies
+  dependsOn:
+    - name: kyverno
+  prune: true
+  timeout: 2m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  wait: true