Move a lot of stuff around

cluster/base/cluster-secrets.sops.yaml

@@ -0,0 +1,61 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: cluster-secrets
+    namespace: flux-system
+stringData:
+    SECRET_MY_EMAIL: ENC[AES256_GCM,data:o1mpa9VUFdZOepjGKkD76/Px,iv:u+2VUsHGP0O0Qw5ojE4zuSd80iGTDxB95rXB6JO2CJs=,tag:5xvoFP96iOoYSjbZ9NVX0A==,type:str]
+    SECRET_LETSENCRYPT_EMAIL: ENC[AES256_GCM,data:J3Q3okoZ4APVwMXcl00pCPnO,iv:F0L/cRRy5FWMqCF+lpQbZwytSl2OqVOLmVtS0B4jRvU=,tag:cnxZCYcFLDFjKNlbMz+dsg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2023-04-05T02:32:38Z"
+    mac: ENC[AES256_GCM,data:2O89WN/cDwxmT0bisGGmIDjtuhFF2m7ZIGH33qUH1PdRjGAKGsPgp4NZtkZ6b5G1uvF2bJzzs8BQZty1VFHGm0fbIeoqXDNN1xhQJOOMu9ZhfsKpLSB06Owh+3QTxxRNF3TAIT7wRHr4SDEVwh5vLZhwUHWbJJPaFPX3w+YRqaE=,iv:Co3oTTwuEPdarOsm/NVjhaQmq6ntqVmjyfKpgemVmI8=,tag:jRcGlvu+1mWziskoxV1Zyg==,type:str]
+    pgp:
+        - created_at: "2023-04-05T02:28:36Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAzKleRwoSoixARAAiNv/krMCYHIP95bxfJnuTNYvtBPDBIm6Bn5J6OWlS6Rz
+            DIEo/MUOvI5MjLYYDttHjasFLComWYD3FvzIt4/Tr2cvpe2gbqNZmlQt6GzBPZ7b
+            /BDmkXssAtY9s66ai9Vv/HV/iHedjQowK2JP0SCdeWazMPGuayoLxPc+SbsMYABe
+            IHff98sqF0JMaled3ScGy4b1nUuvt49ZViQ4lgj1Sx6S6AvDW6F3SVIYb7iysQ6E
+            CPBeUq7MTFyUwFzJyNy2imKj+sljghevRClPeJrMh4I+IDt8dS9rZVDIpgZJk8Tc
+            gB5bH8eoGwnsK9+Mr/dXCc3k9kTD/jlOVd6L8oHE8SDX3BiyQCuL8voDW2z/pq2A
+            lc/jsdlXhCuvZSd5+Cm3s9/PppMGqjH7b5o7Yu3d1lK7cuRm/Qvo8aualD10fix0
+            z9y5ZnI71VNjPEOyGV+P5GXCZ8XHH4rpfiO/03SkRNkiNvSrYazNGQqZsDtAEWW2
+            DdLcWQ/C7MtvD5sLC0ljkBBaMJ19OyZO+rG3UtkZGo47LM04089ToFYLU0g6PGB3
+            s3sFDkpZvME5Sl98Dky/ACLhzcEPNwIKejd12+MP0geYB61HJ+WP09EiAio303Xs
+            OPWQ+Zds8qdwukTD6HQsDcF4hz8uLH1nV9jvHRDRvd3prMYhHmOrNPNRxjrHxFjU
+            aAEJAhBNL3DpPI0uMNATER9iXVhTkc3RdXGXSwqWwwI2eXn3VHxX445RregyktbG
+            GQztnqkV7+DYjr0jMn1+saA8wbz6L11/ZmtXr/MVO991ol+FrxbrLYaWEpTK86au
+            NLtrwFimyMiQ
+            =fvF1
+            -----END PGP MESSAGE-----
+          fp: 2CC2B3631D5C3393901335DB68F95C5D753EE1E5
+        - created_at: "2023-04-05T02:28:36Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4WLYkVpP8xtAQ//e7yj0vwd62fut5lLAor1A9hpt2aNG5PCPagECJRowbwl
+            KNH/aEt/kmLSUYPDS8nMGY3OP+y2mBw00yV0IosgkmBIf5rjY4BsaiT1gOZv6LJQ
+            tK/L8PgoIx1DJtTti2C4gOJadyqtNRi2pe8/bM6jBjkkj56ggv/pP/QQHSIWJv4z
+            RMA/7M2DNXbuMHDVbcp1PbnT8xPoxcfNRoFS/JDxqXs41yAUvI6xU9SFwzOLrSlU
+            prj5M/4TGVBqPh9V7vEjl0n2Z/lLHNr4herqM9tQ7MZggVQO0Q9MUGpz0ZpbwO5i
+            kN4rtvL9YPWPYf8YwTUWknQ7Ug70AD7JpGJm73HQ+bJWmvTVWaZN8g7mPKfBe9wU
+            k7p9/GT0gCbJ9CSdBI7XUb4pBIvClmYzcyxlFuC5UmDk31oVRBnHMe9LYwSaX9tQ
+            D1WQzUBAa4bt9C7JfDHBk13QM/8eTElGA4z6sIykj8mJDI2hCDeVoJRJFl3GukUO
+            YAWO05UtMNSaFGY5pAi+uPlGxzyJJGW6566BGstSHZMKQIMw6pyiqO/nTItFsq+d
+            e2OsEFqyTdKLJZVDNAjT2XRVzrTmcszG/SDuJLybnqbzzsI6RYfRz53KALnEhXDx
+            IPUH8U8kErSTHFwgs0q7cwx86IxYaKjKf18Rp5MExiE8FXz30gi5nrGAtBraYfbU
+            aAEJAhCdE5InRdRdqfF+ADxo2lDZL42j4PTK34Co3a4wpbVDJkCVZjK2DGKFm0co
+            kz3XEERvN4/hjs+4/MxNZkDijDpnVlGEfzYNiKDmHqgbjZaEQO90OH1D10OjMsqb
+            aaYyQYYKqtYJ
+            =3VJM
+            -----END PGP MESSAGE-----
+          fp: 8DF31C9F48A24F525FFB1815FC96C52B59328E95
+    encrypted_regex: ^(data|stringData)$
+    version: 3.7.3

cluster/base/cluster-settings.yaml

@@ -0,0 +1,9 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: cluster-settings
+  namespace: flux-system
+data:
+  # MetalLB
+  METALLB_LB_RANGE: 192.168.87.10-192.168.87.29

cluster/base/ks.yaml

@@ -0,0 +1,67 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: crds
+  namespace: flux-system
+spec:
+  timeout: 5m
+  interval: 10m
+  path: ./cluster/crds
+  prune: false
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: core
+  namespace: flux-system
+spec:
+  timeout: 5m
+  interval: 10m
+  dependsOn:
+    - name: crds
+  path: ./cluster/core
+  prune: false
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg
+  postBuild:
+    substitute: {}
+    substituteFrom:
+      - kind: ConfigMap
+        name: cluster-settings
+      - kind: Secret
+        name: cluster-secrets
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: apps
+  namespace: flux-system
+spec:
+  timeout: 5m
+  interval: 10m
+  dependsOn:
+    - name: core
+  path: ./cluster/apps
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg
+  postBuild:
+    substitute: {}
+    substituteFrom:
+      - kind: ConfigMap
+        name: cluster-settings
+      - kind: Secret
+        name: cluster-secrets

cluster/core/cert-manager/cloudflare-cred.sops.yaml

@@ -0,0 +1,62 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: cloudflare-credentials
+    namespace: cert-manager
+type: Opaque
+stringData:
+    api-token: ENC[AES256_GCM,data:qA+gnSJHnGx+4IpoAHVzMx2oDfYl9n4cgK9TTEABynDITUYUSkxgnw==,iv:sumwgvvxupp+aDfbS0QrOgLIV5ncivO8dh9sWzZkROI=,tag:c2nOAIZPD1XMEozPNFoayQ==,type:str]
+    email: ENC[AES256_GCM,data:hd9vZ3ubTLMxJbbR38LjGHQQ,iv:9BvLfefAvzjd1aGLaTe/U3R1NLw/gdeNMF0yu/kDRH8=,tag:V40IrOkyTuUVawrl03p+qw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2023-04-05T02:16:12Z"
+    mac: ENC[AES256_GCM,data:DiCXc5CB3mjhM4EsnOWgPYlCyGOU+J1LNSNZ2dbisOy945G/9usANnljLu30gk0KE9TYyMeVxj2mHvp8Q05TgRJwU8g9sJvD2GEqokWxuVPpaWxK/CG7KEBLRGtdcpt8++vulT3/Npo4EwQsqIFzVreIOJ17kBpBtTTJZ51O+Ms=,iv:B1/NVCvx0SnC6k50TeLlyhi4z6cUHGff0R/+WMdGDEA=,tag:8C68isdbGpXuyGJFsnQkDA==,type:str]
+    pgp:
+        - created_at: "2023-04-05T02:16:11Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAzKleRwoSoixAQ//fZKQ1+IE77dpxFTkwkmFTR3NmsTtgYV3YfQBjzH22Drf
+            3VWC9PFwQa0Ki9e4gtCzDbvfoSrq9DudmR2iUdk6asJO/kJtJbMxaZ1MyOL8Ld20
+            HIBnogTlEsQ3URMVhH6DFWa79bEPMAR38douKudahqg1e/H3D25EAGpE7a79YzIs
+            j8nZWFsO64am7uW+K/r5ziqD8uSgc6AEykARqnzmWgfQJwiSK6tTBp2Fl/P0atn5
+            N3hfvcQ5RX8RkP7QUczEN33Clfhxu/KERwmjG1tqbDUvgL64q7V2u2OG4G0KEnHa
+            iy4nf+I8Ec0z10me7r/uDu25L18KxctT9y+XDyAG8lnsyOUi1Tk1K9WMU6Z5HAeF
+            CG3BuR883DGx/wFocvjLYQ84x/VM8B/TAhVM3pP99fwrxoT4ZlTCZdPZmJvP4AcT
+            CVTHJfxNBZWZoSVfjNgurcRwFRXavxay0msbtIBSueVBYjIohflWNDT7HH1SnRUt
+            fkLRqg66wi/GfpLQF4ZThtK7hrrYAIh18DhAGbT+au6hqaOfTUT2FFA2IYrxJJoa
+            pHHeeGmlPgbNUJ/U7IO2mklP/qSx8ilkZ3gwrMtMOL9gr0C4OJ3Xzr5HKgnOzpIr
+            ZQya7FXZwL+Q8SPKBL47IhnMRwvsE1VTndh7KoCR2H8f609osxHsCQj3i88c+WfU
+            aAEJAhCGHJeg5y+BRa9nS8ivLc72DuThI6XoEaATBlJ+FJpwdS3NUVgNQ5NtJeRN
+            zFHBCTUDWJmEgnGpeRU3YgSCcyrUeNQ9zud5Hy+sE29hBEh+aqeg+2O/IGNAtnj0
+            2RYiogHfihb8
+            =vTlu
+            -----END PGP MESSAGE-----
+          fp: 2CC2B3631D5C3393901335DB68F95C5D753EE1E5
+        - created_at: "2023-04-05T02:16:11Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4WLYkVpP8xtAQ/5Ae2agQj48SprxW7r7boDHRPYhzjI/vCCYnNLFMPLL4zN
+            pXQx0yb4wBWSh3cgXhNoaaAQIS4MWGF2FXL6Jo51iniLju9YxZN7uq0mXza896Ew
+            ldBitVQtPD1+naCdQ60ncmWCyVF8XuORUycJsIkubrPgHAiEQlHUGtx2shzliLCn
+            7bIKEhAm88J/l6Z1r4VETv/DrIblG0cpHCM/zbRckqvDX/g3Nq/KbcIohx+t04h8
+            iyMpugfRzSkC0GaBwphXFAcpTXP+obAbe9Pnsh0etC0280/3hbEgoWPpYQ5J8BWb
+            faIFwUfSVCIDEU0JwefOM40kXJhJq8M3p7+LO7IiT1ye/O8N/T5wjFGX9b9yXPzc
+            ZGaK/0rL9NukOtFj5B3VdggGrEzO7Aquijo8XvKfnnOZro/jo/l7XeXU5fnvpVjT
+            e4e8Caxq75E0/YmHWyq3XdvLWF8UlspCEm6MHh/AL3CibB1ZUwE1IyM3ohD1x0QP
+            tUp+HsyOu96UTnYe6zccQ+GvV5IfZV4sG9mYJe/QIyasw5AiNsTyHuomsG3W0eXP
+            I9tT6bWFQvivNFlGrUEX3hYai3CAXtalx4Vj4dvnQ+pJRFVMC/iS4nfVhakMxZHm
+            A6rKklRw+EEOXkgME/uNND0Y7ZbgpzJP9MW5ql+Qao0vXWCbXLnSya6qA7fU9dfU
+            aAEJAhC687QE1QUv4I2yPJUFCxsY7JGSsIellfE0nDjLJoOn1yWvRGOxHDv99aWP
+            FMMNwW7kpQkxMwqtQOEkCkBxTTrSBmkpxIhmmNbXh42rhd6nLlcbMV3rfyRIeyF8
+            v06tPzAqkfd5
+            =Y4JA
+            -----END PGP MESSAGE-----
+          fp: 8DF31C9F48A24F525FFB1815FC96C52B59328E95
+    encrypted_regex: ^(data|stringData)$
+    version: 3.7.3

cluster/core/cert-manager/helm-release.yaml

@@ -0,0 +1,29 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: cert-manager
+  namespace: cert-manager
+spec:
+  interval: 5m
+  chart:
+    spec:
+      chart: cert-manager
+      version: v1.11.0
+      sourceRef:
+        kind: HelmRepository
+        name: jetstack-charts
+        namespace: flux-system
+  values:
+    installCRDs: true
+    webhook:
+      enabled: true
+    extraArgs:
+      - --dns01-recursive-nameservers=1.1.1.1:53,9.9.9.9:53
+      - --dns01-recursive-nameservers-only
+    replicaCount: 1
+    podDnsPolicy: "None"
+    podDnsConfig:
+      nameservers:
+        - "1.1.1.1"
+        - "9.9.9.9"

cluster/core/cert-manager/helm-repository.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: jetstack-charts
+  namespace: flux-system
+spec:
+  interval: 1m
+  url: https://charts.jetstack.io

cluster/core/cert-manager/kustomization.yaml

@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./namespace.yaml
+- ./cloudflare-cred.sops.yaml
+- ./helm-repository.yaml
+- ./helm-release.yaml
+- ./letsencrypt-prod.yaml
+#- ./dashboard-ingress.yaml

cluster/core/cert-manager/letsencrypt-prod.yaml

@@ -0,0 +1,17 @@
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-production
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: "${SECRET_LETSENCRYPT_EMAIL}"
+    privateKeySecretRef:
+      name: letsencrypt-production
+    solvers:
+      - dns01:
+          cloudflare:
+            apiTokenSecretRef:
+              name: cloudflare-api-token-secret
+              key: api-token

cluster/core/networking/kustomization.yaml

@@ -1,6 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+- ./cert-manager
 - ./traefik
 - ./calico
 - ./metallb

cluster/core/networking/metallb/helm-release.yaml

@@ -17,7 +17,7 @@ spec:
   chart:
     spec:
       chart: metallb
-      version: 0.13.x
+      version: 0.13.9
       sourceRef:
         kind: HelmRepository
         name: metallb-charts

cluster/core/networking/traefik/dashboard-ingress.yaml

@@ -25,6 +25,7 @@ metadata:
   name: traefik-dashboard-ingress
   namespace: traefik
   annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-production"
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
 spec:
   rules:
@@ -35,6 +36,6 @@ spec:
             pathType: Prefix
             backend:
               service:
-                name: traefik-helm
+                name: traefik
                 port:
                   number: 9000

cluster/core/networking/traefik/helm-release.yaml

@@ -8,7 +8,7 @@ spec:
   chart:
     spec:
       chart: traefik
-      version: '22.x.x'
+      version: '22.0.0'
       sourceRef:
         kind: HelmRepository
         name: traefik-charts
@@ -18,13 +18,14 @@ spec:
 #      - ./traefik-values.yaml
   values:
     additionalArguments:
-    - --certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare
+#    - --certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare
-    - --certificatesresolvers.cloudflare.acme.email=seanomik@gmail.com
+#    - --certificatesresolvers.cloudflare.acme.email=seanomik@gmail.com
-    - --certificatesresolvers.cloudflare.acme.dnschallenge.resolvers=1.1.1.1
+#    - --certificatesresolvers.cloudflare.acme.dnschallenge.resolvers=1.1.1.1
-    - --certificatesresolvers.cloudflare.acme.storage=/ssl-certs/acme-cloudflare.json
+#    - --certificatesresolvers.cloudflare.acme.storage=/ssl-certs/acme-cloudflare.json
 
     - --api.insecure
     - --providers.kubernetesingress
+    - --providers.kubernetescrd
 
     logs:
       general:
@@ -65,19 +66,19 @@ spec:
 #      externalIPs:
 #        - 192.168.87.10
 
-    env:
+#    env:
-    - name: CF_DNS_API_TOKEN
+#    - name: CF_DNS_API_TOKEN
-      valueFrom:
+#      valueFrom:
-        secretKeyRef:
+#        secretKeyRef:
-          key: apiToken
+#          key: apiToken
-          name: cloudflare-credentials
+#          name: cloudflare-credentials
 
     # Disable Dashboard
     ingressRoute:
       dashboard:
-        enabled: true
+        enabled: false
-        matchRule: Host(`k3st.***REMOVED***`) && (PathPrefix(`/dashboard/`) || PathPrefix(`/api`))
+#        matchRule: Host(`k3st.***REMOVED***`) && (PathPrefix(`/dashboard/`) || PathPrefix(`/api`))
-        entryPoints: ["websecure"]
+#        entryPoints: ["websecure"]
 
     # Persistent Storage
     persistence:

cluster/core/networking/traefik/kustomization.yaml

@@ -5,4 +5,4 @@ resources:
 - ./traefik-secrets.sops.yaml
 - ./helm-repository.yaml
 - ./helm-release.yaml
-#- ./dashboard-ingress.yaml
+- ./dashboard-ingress.yaml

cluster/core/networking/traefik/traefik-secrets.sops.yaml

@@ -1,62 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-    name: cloudflare-credentials
-    namespace: traefik
-type: Opaque
-stringData:
-    apiToken: ENC[AES256_GCM,data:2ofq1q6ZJ08RfWtb7KAkiLbTGuY0XX+YNOprSLPVf42MmcHk1AwIaw==,iv:TzSqE3UP8KeASgQeJmQJPOo0Gq4Qx5t7oPqXYr451sg=,tag:eumfMTxotVGmVdY5FmUhjQ==,type:str]
-    email: ENC[AES256_GCM,data:3SLMvJWYY/rCESO24AujCtdc,iv:bMvI+p8lL7UrkxdB+qCXhn+I3t99Kxx2uIoKv8WGJOE=,tag:c+3aqPigO1hUNEnTQih+7A==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age: []
-    lastmodified: "2023-04-02T18:05:11Z"
-    mac: ENC[AES256_GCM,data:6e5z7+3l0Sn+Lw9vibQ//SgYMskY+TiRbMYX18JuIT+dCJHN3fz0FZCIUSTJXDIXv0SqHSEAgVpMCvyWwPoSgfeIc/3sKKKZ33yP4tv8rdpYBaDz7zXXY3NYqOk8BFeIdl6mzU6traIyzxAQ27rjO6AI0fEFSu5bY4uP9lFPtdc=,iv:sJ2iTk3P83NM9I3atYZvkYJg42IAIO29L7nMt37Lazk=,tag:1UtotsQ9VqBC66fI6kVr0g==,type:str]
-    pgp:
-        - created_at: "2023-04-02T17:33:57Z"
-          enc: |
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMAzKleRwoSoixAQ//SGQIuAWmFUmI1DR1MpbDwjOg+s+YvbEbIcLv4iMTn6rM
-            vtNIpo5I183JJUxRcCKerpW9fIhMSqov7OlvS2c3cLNp2PapHWKR0av0r3Zk0D95
-            mcMjlpp6j8l9kXFnbGJBX8UkaCJ6jgm79xHhZjODa3A6WB1kQJ3kcXN0sQuZ61qH
-            UD2QKwPUnTR9cWURdBt4L1aX4+abEwKfLE+XygBTq/2sXOchEU6sKZ88ieGAt2te
-            8PQ3zWTTUBC2o+AVMnZ3CNCQrdvKKQ4vSEW6+jFsJLgloMThDcf83owvWNDfZwVS
-            O62k0Wsb9N7ZXScPp8A0VoPa4Qb6WVMJ7BpizUZcSmzC/qNz+CDk7u769xjHyBHC
-            8kS0JpCWDpozeqcXZjhMpC2MsgfU/FjB0dxy9vyhf910ZlM/TkXnrduJu8p20NQe
-            Mf1le0/kNoJiUzk0PZcG3l1osafvEChj7owGi1Tnjs1Z/Tz/7GpyDPUWwuxJi37A
-            ssMKFpuedckQlV6oTTvthX0YGGGF0lCoyLAUBqi81IX7b7GHxn/n8hP30oOGrljL
-            k77vpX/GDrK+3TtZdjAoQz079Go+AqyxKcgOfF0UJ6z88iYdBnPugHxCXXvMNHhF
-            HQxzlpFdqJ7P6XXDIFGm5G1oJCVzQyb5fSlh07NphNC6TTDUahkpYJz7qJoWwqPU
-            aAEJAhCXIy1CD5IdGnE16agicIw1VFhT1F7C4/zH7zBITyYXNTrZ4/5S0SdaT6Fi
-            XDVC7Eza3UTOIV6l4mJq5xOrGkV0mNi6hwPBJt334MDidNH3AaivUQgpCJX0hSTC
-            raho1DevzjCp
-            =vlaG
-            -----END PGP MESSAGE-----
-          fp: 2CC2B3631D5C3393901335DB68F95C5D753EE1E5
-        - created_at: "2023-04-02T17:33:57Z"
-          enc: |
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMA4WLYkVpP8xtAQ/7BW9zYpflHgi9WOyjyWjybWzsWbLDlHOXPSNMqcpKcsz1
-            uCp+ReZdsAbnPHRagpnpg5Wj2J9GfY1t8vgfQB4YwGfd0cfjTjumcCd7Lhd0iJjF
-            oJROOh2CD4B9MPxS0lbjFSUkMnS+8/M4mNdc1TzIRZNYJN0zgcFg51N7hg83d4K7
-            a2Jev4tCiaXkBLCPFUdTJfsL3BbR9sGt3+ip6qPJKf1fMQqQ8i/yHvzqVZWEtsI0
-            aD92ypqI32Jd+BFKKER1bxOA1QbsklkqLRLRIJtX0wA6SSH4Q0fRtUfvem4xSIei
-            m+8iQSSu1TSt65lRVXLmDUseKJcELv+DyKvDPnCZquLW3swYtWSGmv4ULAN8+bB2
-            W4+ZEi9XNouPTvYCG9rnS2PSsUigZ7lSwgL2y/Qe6h4UZgNibQ/nxGaESGik3dt6
-            igj9aJIbgF++QFQfHBfLxe3T+cbFyjw6WitrZPmksK3cKea3gx/33HBWu3VGL51x
-            nMkrjA9K4vu+7jec51HnuevXBhMMvRFrLZowogJy2usOBm2axfAIRJRJA9F/FSnT
-            ZNmq+PR3OuQZ6ytllSHnXDID+uCyAprVtqDKn3Nvw2WDK8Y8z8ssk24Nw1OmLZWo
-            6cCE1SJ1DBzsFOXjIhwkPD00gzYzyKYEbZLWAVF6aWPmvbdKIWorkdqiRcwcT/3U
-            aAEJAhBteUna4cfGfCufYAwi1SsNQ02KUb4kLDIr/OkzVkNUXOHxXJcvz/ACKwDI
-            gzPM91ZC5tslyR7K4171iEy2CbQWwZvoFqnKiCtXn4d0WunpArdc4XyfqWYoMUbA
-            Y58UlX+qac0F
-            =exhB
-            -----END PGP MESSAGE-----
-          fp: 8DF31C9F48A24F525FFB1815FC96C52B59328E95
-    encrypted_regex: ^(data|stringData)$
-    version: 3.7.3

cluster/crds/cert-manager/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - https://github.com/jetstack/cert-manager/releases/download/v1.11.0/cert-manager.crds.yaml

cluster/crds/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - cert-manager
+  - traefik
+  - metallb

cluster/crds/metallb/crds.yaml

@@ -0,0 +1,30 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: GitRepository
+metadata:
+  name: metallb-source
+  namespace: flux-system
+spec:
+  interval: 12h
+  url: https://github.com/metallb/metallb.git
+  ref:
+    # renovate: registryUrl=https://metallb.github.io/metallb chart=metallb
+    tag: v0.13.9
+  ignore: |
+    # exclude all
+    /*
+    # include crd directory
+    !/config/crd
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: crds-metallb
+  namespace: flux-system
+spec:
+  interval: 30m
+  prune: false
+  wait: true
+  sourceRef:
+    kind: GitRepository
+    name: metallb-source

cluster/crds/metallb/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - crds.yaml

cluster/crds/traefik/crds.yaml

@@ -0,0 +1,58 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: GitRepository
+metadata:
+  name: traefik-crd-source
+  namespace: flux-system
+spec:
+  interval: 30m
+  url: https://github.com/traefik/traefik-helm-chart.git
+  ref:
+    # renovate: registryUrl=https://helm.traefik.io/traefik chart=traefik
+    tag: v22.0.0
+  ignore: |
+    # exclude all
+    /*
+    # path to crds
+    !/traefik/crds/
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: traefik-crds
+  namespace: flux-system
+spec:
+  timeout: 5m0s
+  interval: 15m
+  prune: false
+  sourceRef:
+    kind: GitRepository
+    name: traefik-crd-source
+  healthChecks:
+    - apiVersion: apiextensions.k8s.io/v1
+      kind: CustomResourceDefinition
+      name: ingressroutes.traefik.containo.us
+    - apiVersion: apiextensions.k8s.io/v1
+      kind: CustomResourceDefinition
+      name: ingressroutetcps.traefik.containo.us
+    - apiVersion: apiextensions.k8s.io/v1
+      kind: CustomResourceDefinition
+      name: ingressrouteudps.traefik.containo.us
+    - apiVersion: apiextensions.k8s.io/v1
+      kind: CustomResourceDefinition
+      name: middlewares.traefik.containo.us
+    - apiVersion: apiextensions.k8s.io/v1
+      kind: CustomResourceDefinition
+      name: middlewaretcps.traefik.containo.us
+    - apiVersion: apiextensions.k8s.io/v1
+      kind: CustomResourceDefinition
+      name: serverstransports.traefik.containo.us
+    - apiVersion: apiextensions.k8s.io/v1
+      kind: CustomResourceDefinition
+      name: tlsoptions.traefik.containo.us
+    - apiVersion: apiextensions.k8s.io/v1
+      kind: CustomResourceDefinition
+      name: tlsstores.traefik.containo.us
+    - apiVersion: apiextensions.k8s.io/v1
+      kind: CustomResourceDefinition
+      name: traefikservices.traefik.containo.us

cluster/crds/traefik/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - crds.yaml