feat: Move spegel to apps

apps/artifacts.yaml

@@ -0,0 +1,16 @@
+apiVersion: source.extensions.fluxcd.io/v1beta1
+kind: ArtifactGenerator
+metadata:
+  name: apps
+  namespace: flux-system
+spec:
+  sources:
+    - alias: foundation
+      kind: GitRepository
+      name: flux-system
+  artifacts:
+    - name: spegel
+      originRevision: "@foundation"
+      copy:
+        - from: "@foundation/apps/spegel/**"
+          to: "@artifact/"

clusters/testing/kustomization.yaml

@@ -6,13 +6,14 @@ resources:
   - ../../controllers/artifacts.yaml
   - ../../controllers/cilium/cilium.yaml
   - ../../controllers/cert-manager/cert-manager.yaml
-  - ../../controllers/spegel/spegel.yaml
   - ../../controllers/longhorn/longhorn.yaml
   - ../../controllers/local-path-provisioner/local-path-provisioner.yaml
   - ../../controllers/cnpg/cnpg.yaml
 
   - ../../configs/artifacts.yaml
-  - ../../configs/letsencrypt/letsencrypt.yaml
   - ../../configs/certificates/certificates.yaml
   - ../../configs/alerts/alerts.yaml
   - ../../configs/longhorn-jobs/longhorn-jobs.yaml
+
+  - ../../apps/artifacts.yaml
+  - ../../apps/spegel/spegel.yaml

configs/artifacts.yaml

@@ -9,11 +9,6 @@ spec:
       kind: GitRepository
       name: flux-system
   artifacts:
-    - name: letsencrypt
-      originRevision: "@foundation"
-      copy:
-        - from: "@foundation/configs/letsencrypt/**"
-          to: "@artifact/"
     - name: certificates
       originRevision: "@foundation"
       copy:

configs/certificates/base/kustomization.yaml

@@ -3,3 +3,5 @@ kind: Kustomization
 resources:
   - namespace.yaml
   - certificate-huizinga-dev.yaml
+  - secret-cloudflare-token.enc.yaml
+  - cluster-issuer.yaml

configs/certificates/certificates.yaml

@@ -8,10 +8,14 @@ spec:
   retryInterval: 2m
   timeout: 15m
   dependsOn:
-    - name: letsencrypt
+    - name: cert-manager
   sourceRef:
     kind: ExternalArtifact
     name: certificates
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg
   path: ./${cluster_env}
   prune: true
   wait: true

configs/letsencrypt/kustomization.yaml

@@ -1,5 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - secret-cloudflare-token.enc.yaml
-  - cluster-issuer.yaml

configs/letsencrypt/letsencrypt.yaml

@@ -1,21 +0,0 @@
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: letsencrypt
-  namespace: flux-system
-spec:
-  interval: 1h
-  retryInterval: 2m
-  timeout: 5m
-  dependsOn:
-    - name: cert-manager
-  sourceRef:
-    kind: ExternalArtifact
-    name: letsencrypt
-  decryption:
-    provider: sops
-    secretRef:
-      name: sops-gpg
-  path: ./
-  prune: true
-  wait: true

controllers/artifacts.yaml

@@ -19,11 +19,6 @@ spec:
       copy:
         - from: "@foundation/controllers/cert-manager/**"
           to: "@artifact/"
-    - name: spegel
-      originRevision: "@foundation"
-      copy:
-        - from: "@foundation/controllers/spegel/**"
-          to: "@artifact/"
     - name: openebs
       originRevision: "@foundation"
       copy:

controllers/cnpg/base/kustomization.yaml

@@ -4,6 +4,7 @@ resources:
   - namespace.yaml
   - helm-repository.yaml
   - helm-release.yaml
+  - https://github.com/cloudnative-pg/plugin-barman-cloud/releases/download/v0.9.0/manifest.yaml
 
 configurations:
   - name-reference.yaml

controllers/cnpg/cnpg.yaml

@@ -7,6 +7,12 @@ spec:
   interval: 1h
   retryInterval: 2m
   timeout: 5m
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg
+  dependsOn:
+    - name: cert-manager
   sourceRef:
     kind: ExternalArtifact
     name: cnpg

controllers/cnpg/staging/kustomization.yaml

@@ -2,6 +2,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - ../base
+  - secret-s3-garage.enc.yaml
+  - object-store.yaml
 
 configMapGenerator:
   - name: values-overlay

controllers/cnpg/staging/object-store.yaml

@@ -0,0 +1,18 @@
+apiVersion: barmancloud.cnpg.io/v1
+kind: ObjectStore
+metadata:
+  name: garage-store
+  namespace: cnpg-system
+spec:
+  configuration:
+    destinationPath: s3://cnpg-backup/
+    endpointURL: http://192.178.1.1:3900
+    s3Credentials:
+      accessKeyId:
+        name: s3-garage
+        key: ACCESS_KEY_ID
+      secretAccessKey:
+        name: s3-garage
+        key: ACCESS_SECRET_KEY
+    wal:
+      compression: gzip

controllers/cnpg/staging/secret-s3-garage.enc.yaml

@@ -0,0 +1,54 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: s3-garage
+    namespace: cnpg-system
+type: Opaque
+stringData:
+    ACCESS_KEY_ID: ENC[AES256_GCM,data:TOEQMG/kHs5XUk77ijyV089ZTq1dKsoZUas=,iv:mVDOkl5qOxGdvCvdcXUuUjX85oKqbd+n5maHsKwCiFg=,tag:pho0oWPTwtM6lGQ2vA1d5A==,type:str]
+    SECRET_ACCESS_KEY: ENC[AES256_GCM,data:mc42T/AQ8NRi32SzvwGJA6LEq1x0Yz3Tu+CPDYPf+E2+C00zQcGRk6tACPvRoMxRzU4ZZpK346e2K/8ajU77hg==,iv:Isxe81aQEbI5xd1dRjXDKj/2Jp9eTHdv0/XVBBHoRyE=,tag:gtcmKmfUIfIy977Df11P4g==,type:str]
+sops:
+    age:
+        - recipient: age1860txadrlqrjwnqh0g466re2nt8jk7xhj640pq9gpsddpg23uynqsp2hul
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3cmd2NkxFOVB0a1R3MHVN
+            RWRwbFVVaHF6Mlo4UElIZ1ROd1pyV1czSEYwCmFQMGM3Nkw0U0hzcWdyQVpnZTZL
+            eFNLWW5iNWpZVU9BQm9KakV4dEJzaGsKLS0tIGZ0ajdRZjZIUnNRSElzeENYRG4r
+            eUJHQVAzeWJSUDZTYy8zbTJIQ3pscjAKERe7k/VVNqMhqe2rLLRA9dO71bjieffX
+            YMIzJ0/UNMo2el4bcefwRnqwl0oyPG+pMXZ3F6UXyEoZw3ZIc4Nzvg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1hktythzvsnth6u5en2lvag0tftnj9r03w7rpnzfgzgf5w95qxycq2azufj
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhakxrQ1Zrd3FRekZwZkU4
+            MVBpdloxeTJWQm1GZjA4M2NFVk1IYWtrTG1RCnpaRGh1WDZ4dCtzeFhkK1YzczYz
+            dmFNSWQ1bXgwQjJ1VlkrQnFhMXJ3bGcKLS0tIDhpcWx0MklNazJ0SjUzRmlyV0Er
+            K09tZGI0Z2w0eXh5eHcvcEttMy82aU0K2fnCDfYIShzw2Zipof+C8zf9pcOmiDg9
+            2SCiIfAJs9MB3n078P068z77KpvdlJYOi9pUTKSBhNw+mBI24y6X6A==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-12-15T03:46:42Z"
+    mac: ENC[AES256_GCM,data:UG9rSQ4ep7Ln4g5QCtvD6U90Oc8iWpni+kypMpJ+AQM8LC0TTs9zFQgcxmo2wjZn38Fp+br/5KC172SqBNG4Q1yXhlRiqiIeyx9ynrZeceRSqHaaruB1hj83/0FwahqjB/t6yutWIfnp00UC92mMKGlef48UNZ8IW17e5uHE0m4=,iv:LvR4BEkgAr6PJ8fYATFois4j8/rgztn/Jggj/mFgCIk=,tag:W38qDd1RkCdK3bVMqOVnjA==,type:str]
+    pgp:
+        - created_at: "2025-12-11T23:56:15Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA51kG++kLewoARAA2+TLPMKYQFUjyuER+HZgY5Zl4qcF94sYcZuTdcvl/Pam
+            l//PcgU80DLb/3IZ1K12EYyuZ+QVdJxmUQt1OvBUWv2p0/5mU7zbkxc8YJ/vc46b
+            yMX7mmDnzuyU2Lss0hUl5dDDk3pdC4SgjrBz15g9TvS2jOWDTOwKCb1DEghfzB07
+            /9Yfj6Rfds2gqsUgfyxVCzHXzC0SNpuqqPLmnzNmjYiQGNFOCOdyxP6c2ehCI6Bq
+            Lu38n6rjTj2QWJZvtr57a2IVqmFVcD9wcy7ITUk8u9+ncYemLmx1LTQKD6n0WDHm
+            DwjRjziqdJRpHo70Q6TUanFppqTB2q1CReS4yk9sc3CINq9fRJrKtOeJxW8x81yZ
+            o3X++3gYbsRIrApVAFECJyKA4H6eK1gp4djNV7K0MmbQcR/7wSqaYrE6vTPml7jG
+            Ribd7eGvF2FnH5P/z3ckh6HH2Ln+i+iVy+ZeY+lgWuIrVNDWwR8mDH8AkjXuGTu4
+            K6ra+kCna6v7CAKwlGd31rk9i0CTNTqyHEQeqYuto/HTEC0Jj/lRyFPq+KuuvoAq
+            vxQlmP6VnYR0gTfkneBAny4neu3zrbYMuIMWoA9pAhZBNOLPuPXZtUwhAStHBS1V
+            Sdc6AI9CXSPFIP2WDn6iwjwXElkG5+iYyngf3tXrJUVXs0SQeFH05j3r5zVNT0zS
+            XgFAiWuLAOyWWvP+Jlre5dgKnbiaSs3wIVL9Qw9MuHIWdlXmTyuQ5SQKErQLSQ2j
+            b5ogtCcgcbVd+OsZCHWQbPtLI2yk/n0afA9D6cRvLHbNZGrWRZjdTYUHU2Drp0w=
+            =/yAN
+            -----END PGP MESSAGE-----
+          fp: CD17A34CBFB21DE9A73D47EB76BDEC4E165D8AD9
+    encrypted_regex: ^(data|stringData)$
+    version: 3.11.0