fix: use correct kustomize file paths

Reviewed-on: #385

.taskfiles/Flux/Taskfile.yaml

@@ -3,20 +3,20 @@
 version: "3"
 
 vars:
-  CLUSTER_SECRET_SOPS_FILE: "{{.CLUSTER_DIR}}/bootstrap/flux/sops-key.sops.yaml"
+  CLUSTER_SECRET_SOPS_FILE: "{{.CLUSTERS_DIR}}/common/bootstrap/flux/sops-key.sops.yaml"
-  GITHUB_DEPLOY_KEY_FILE: "{{.CLUSTER_DIR}}/bootstrap/flux/forgejo-deploy-key.sops.yaml"
+  GITHUB_DEPLOY_KEY_FILE: "{{.CLUSTERS_DIR}}/common/bootstrap/flux/forgejo-deploy-key.sops.yaml"
 
 tasks:
   bootstrap:
     desc: Bootstrap Flux into a Kubernetes cluster
     cmds:
-      - kubectl apply --server-side --kustomize {{.CLUSTER_DIR}}/bootstrap/flux
+      - kubectl apply --server-side --kustomize {{.CLUSTERS_DIR}}/common/bootstrap/flux
       - sops --decrypt {{.CLUSTER_SECRET_SOPS_FILE}} | kubectl apply --server-side --filename -
       - sops --decrypt {{.GITHUB_DEPLOY_KEY_FILE}} | kubectl apply --server-side --filename -
-      - kubectl apply --server-side --kustomize {{.CLUSTER_DIR}}/flux/config
+      - kubectl apply --server-side --kustomize {{.CLUSTERS_DIR}}/{{.CLUSTER}}/flux/config
     preconditions:
       - { msg: "Missing cluster sops key", sh: "gpg -K 687802D4DFD8AA82EA55666CF7DADAC782D7663D" }
 
   reconcile:
-    desc: Force update Flux to pull in changes from your Git repository
+    desc: Force update Flux to pull in changes from the Git repository
     cmd: flux reconcile --namespace flux-system kustomization cluster --with-source

Taskfile.yaml

@@ -3,7 +3,7 @@
 version: "3"
 
 vars:
-  CLUSTER_DIR: "{{.ROOT_DIR}}/cluster"
+  CLUSTERS_DIR: "{{.ROOT_DIR}}/kubernetes"
 
 includes:
   flux: .taskfiles/Flux/Taskfile.yaml

kubernetes/common/apps/cert-manager/app/files/helm-release.yaml

@@ -14,7 +14,7 @@ spec:
         name: jetstack-charts
         namespace: flux-system
   values:
-    installCRDs: false
+    installCRDs: true
     webhook:
       enabled: true
     extraArgs:
@@ -26,8 +26,8 @@ spec:
       nameservers:
         - "1.1.1.1"
         - "9.9.9.9"
-    prometheus:
+#    prometheus:
-      servicemonitor:
+#      servicemonitor:
-        enabled: true
+#        enabled: false
-        labels:
+#        labels:
-          release: kube-prometheus-stack
+#          release: kube-prometheus-stack

kubernetes/common/apps/cert-manager/app/files/kustomization.yaml

@@ -1,6 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- ./longhorn
+- ./helm-repository.yaml
-- ./openebs
+- ./helm-release.yaml
-#- ./local-path-provisioner

kubernetes/common/apps/cert-manager/app/ks.yaml

@@ -0,0 +1,25 @@
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: cert-manager
+  namespace: flux-system
+spec:
+  timeout: 5m
+  interval: 10m
+  path: ./kubernetes/common/apps/cert-manager/app/files
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-cluster
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg
+  postBuild:
+    substitute: {}
+    substituteFrom:
+      - kind: ConfigMap
+        name: cluster-settings
+      - kind: Secret
+        name: cluster-secrets

kubernetes/common/apps/cert-manager/certs/files/kustomization.yaml

@@ -1,10 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- ./namespace.yaml
 - ./cloudflare-cred.sops.yaml
-- ./helm-repository.yaml
-- ./helm-release.yaml
 - ./letsencrypt-prod.yaml
 - ./letsencrypt-stage.yaml
 - ./wildcard-cert.yaml

kubernetes/common/apps/cert-manager/certs/files/letsencrypt-prod.yaml

@@ -10,9 +10,6 @@ spec:
     privateKeySecretRef:
       name: letsencrypt-production
     solvers:
-#      - http01:
-#          ingress:
-#            class: traefik
       - dns01:
           cloudflare:
             email: "${SECRET_MY_EMAIL}"
@@ -21,4 +18,6 @@ spec:
               key: api-token
         selector:
           dnsZones:
-            - "${SECRET_NEW_DOMAIN}"
+            - "${SECRET_NEW_DOMAIN}"
+            - "internal.${SECRET_NEW_DOMAIN}"
+            - "*.internal.${SECRET_NEW_DOMAIN}"

kubernetes/common/apps/cert-manager/certs/files/letsencrypt-stage.yaml

@@ -10,9 +10,6 @@ spec:
     privateKeySecretRef:
       name: letsencrypt-staging
     solvers:
-#      - http01:
-#          ingress:
-#            class: traefik
       - dns01:
           cloudflare:
             email: "${SECRET_MY_EMAIL}"

kubernetes/common/apps/cert-manager/certs/files/wildcard-cert.yaml

@@ -2,14 +2,10 @@ apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
   name: wildcard-main-cert
-  namespace: traefik #cert-manager
+  namespace: nginx
 spec:
   secretName: wildcard-main-tls
 
-#  secretTemplate:
-#    annotations:
-#      replicator.v1.mittwald.de/replicate-to: "traefik"
-
   duration: 2160h # 90d
   renewBefore: 360h # 15d
 
@@ -20,6 +16,4 @@ spec:
   dnsNames:
     - "${SECRET_NEW_DOMAIN}"
     - "*.${SECRET_NEW_DOMAIN}"
-#    - "*.k3s.${SECRET_NEW_DOMAIN}"
+    - "*.internal.${SECRET_NEW_DOMAIN}"
-#    - "*.database.${SECRET_NEW_DOMAIN}"
-#    - "*.s3.${SECRET_NEW_DOMAIN}"

kubernetes/common/apps/cert-manager/certs/ks.yaml

@@ -0,0 +1,28 @@
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: cert-manager-certificates
+  namespace: flux-system
+spec:
+  timeout: 5m
+  interval: 10m
+  path: ./kubernetes/common/apps/cert-manager/certs/files
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-cluster
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg
+  dependsOn:
+    - name: cert-manager
+      namespace: flux-system
+  postBuild:
+    substitute: {}
+    substituteFrom:
+      - kind: ConfigMap
+        name: cluster-settings
+      - kind: Secret
+        name: cluster-secrets

kubernetes/common/apps/cert-manager/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./namespace.yaml
+- ./app/ks.yaml
+- ./certs/ks.yaml

kubernetes/common/apps/database/dbs/ks.yaml

@@ -0,0 +1,28 @@
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: postgresql
+  namespace: flux-system
+spec:
+  timeout: 5m
+  interval: 10m
+  path: ./kubernetes/common/apps/database/dbs/postgresql
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-cluster
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg
+  dependsOn:
+    - name: openebs-sc
+      namespace: flux-system
+  postBuild:
+    substitute: {}
+    substituteFrom:
+      - kind: ConfigMap
+        name: cluster-settings
+      - kind: Secret
+        name: cluster-secrets

kubernetes/common/apps/database/dbs/postgresql/helm-release.yaml

@@ -0,0 +1,42 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: postgresql
+  namespace: database
+spec:
+  interval: 5m
+  chart:
+    spec:
+      chart: postgresql
+      version: 14.3.x
+      sourceRef:
+        kind: HelmRepository
+        name: bitnami-charts
+        namespace: flux-system
+  values:
+    auth:
+      existingSecret: "pgsql-secrets"
+      secretKeys:
+        adminPasswordKey: "adminPassword"
+        replicationPasswordKey: "replicationPassword"
+
+    serviceMonitor:
+      enabled: true
+      labels:
+        release: kube-prometheus-stack
+
+    volumePermissions:
+      enabled: true
+
+    primary:
+      persistence:
+        existingClaim: "postgresql-pvc"
+
+      containerSecurityContext:
+        enabled: true
+        runAsUser: 655
+
+    readReplicas:
+      containerSecurityContext:
+        enabled: true
+        runAsUser: 655

kubernetes/common/apps/database/dbs/postgresql/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./pgsql-pv.yaml
+- ./pgsql.sops.yaml
+- ./helm-release.yaml
+#- ./pgadmin4

kubernetes/common/apps/database/dbs/postgresql/pgadmin4/helm-release.yaml

@@ -0,0 +1,47 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: pgadmin4
+  namespace: database
+spec:
+  interval: 5m
+  chart:
+    spec:
+      chart: pgadmin4
+      version: "1.28.0"
+      sourceRef:
+        kind: HelmRepository
+        name: runix-charts
+        namespace: flux-system
+  values:
+    ingress:
+      enabled: true
+      annotations:
+        cert-manager.io/cluster-issuer: letsencrypt-production
+        traefik.ingress.kubernetes.io/router.entrypoints: websecure
+      hosts:
+        - host: &host pgadm.${SECRET_NEW_DOMAIN}
+          paths:
+            - path: "/"
+              pathType: Prefix
+      tls:
+        - hosts:
+            - *host
+
+#    securityContext:
+#      runAsUser: 10000
+#      runAsGroup: 10000
+#      fsGroup: 10000
+#
+#    containerSecurityContext:
+#      enabled: true
+#      allowPrivilegeEscalation: false
+
+#    envVarsFromConfigMaps:
+#    - pgadmin4-secret
+
+    persistentVolume:
+      enabled: false
+
+    volumePermissions:
+      enabled: true

kubernetes/common/apps/database/dbs/postgresql/pgadmin4/helm-repository.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: runix-charts
+  namespace: flux-system
+spec:
+  interval: 1m
+  url: https://helm.runix.net

kubernetes/common/apps/database/dbs/postgresql/pgadmin4/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./pgadmin4.sops.yaml
+- ./helm-repository.yaml
+- ./helm-release.yaml

kubernetes/common/apps/database/dbs/postgresql/pgsql-pv.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: postgresql-pvc
+  namespace: database
+spec:
+  storageClassName: openebs-dual
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 10Gi

kubernetes/common/apps/database/dbs/postgresql/pgsql.sops.yaml

@@ -0,0 +1,62 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: pgsql-secrets
+    namespace: database
+stringData:
+    adminPassword: ENC[AES256_GCM,data:gJ7rl2V/VlbIIRvRHcwMaZKN87t5n8bVWZCj/tRv8Uw=,iv:b/5eEnOrHzJrtnO+E2IGwJLHy2AdJQwv9WfUR5fUHY4=,tag:nTtaDNHVfYpChQX9UWwdKA==,type:str]
+    userPassword: ENC[AES256_GCM,data:gR7q508lUaRDRJ/z5lH99JLJSS9zWfg0O+TAm2B9uvo=,iv:9DDQxwd/BGtLQDacAH/crfT+qU4Pn5sGkWuEtmMprUI=,tag:tK3WoUd7729LQDVqU7pckQ==,type:str]
+    replicationPassword: ENC[AES256_GCM,data:BSA5IfYhhvN445yp2i3BI5zlIXgdj+LejCPzvlTMnVo=,iv:Qku2NAQPLxt+NUnk2dSx1+WAoyx3aEuA3+piU2mubYk=,tag:MnI+atK6VLZUc3eGS1OE1w==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2023-10-22T16:25:15Z"
+    mac: ENC[AES256_GCM,data:uWVPfKwPpR212js7f2RnCzEsMnxk2JpGPcf2L5i4gJCddJCrRJkdhjWGyVVpp/ociP3JLRTI95+WSEUH0KkPZpY1ptQevCVsUemRytOCtBlR0yR4qsBwEisSu8m4B5dbAYsqlXAndrBNL2WGB7uBv+ILgNxkhlN58unseSWJBDM=,iv:e7QyZSlhpyQ+A8OmV4p1848itIUxyam6CJOI9/N7DDY=,tag:N28mfrAjUTTYkly1hu0OhA==,type:str]
+    pgp:
+        - created_at: "2023-06-19T18:35:15Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAzKleRwoSoixAQ//aQdUERyq3G7V29F5rpY6LdDgo8+hqrrZvdI3JnON0VUM
+            Tj3AAYg+xvYh8aPQywF9fJvn6qNw8fqrb2GiuuNTa9ZPCFsD+WXbuYHmQ9z6tAtV
+            opXe3QLNBuo9zEtUfGPbaCp8EH7f1TxQsTJoe9iE/1B2S69cHNUdgXZtfQyhpmlG
+            iyAk/G04kPazweIuFNjOYaN/12J/s2Cf5AZUeROkMxg8/GTPO68LeEBz9v4vl/1z
+            JlxmZyXR/9IeoBlO63asDrR85fcvSDb31K4qE3WVkag20bXClv1lehLVKO4bxA/F
+            lW1tXDR3odC9Ozme884Znd05L0NWkzYKYRta198IV6JuSCeMdjTscGGlMM9wqqKz
+            SZgs81FHXT16YCVupfI22CqMiD0EzQXrGEtJ4NqaBvhZu+MDxszNRzIl73b0HANc
+            8JQqQqOJh7ltrWnf39Xlv73yVC/pYbaV1LWGnMfqWvOcksa9QjOH9Ysfj/RxdaMw
+            VQhydU+21+xeuEQBL7OsiJQUzgJjFREnTRPXcorCtWxocCn5zwdct1SFchFzCOTp
+            H0ubpD+MP4RTWxuYbZRhE5ty6GJU9liRH7dUJtVaQiv8V+G1DungTqq36AbbnHzd
+            9cy+4cM3wZx2VYElL7DBom8nqqm7Xhffr0UaaY8VFuV5bBry3BmM5rOr8vDYqf7U
+            aAEJAhC/4yiBMuhEB+fwXIq/dBjMzW+p8SotK2QK03yaTFQchnBDknwVdqcKQxIZ
+            di3kupnjB+KllWOZhl121tT9L35ymL53BUu1FKCTFdIS2wXxy6UlIS98n0bvWJYN
+            c5WTfk81xmbT
+            =UE14
+            -----END PGP MESSAGE-----
+          fp: 2CC2B3631D5C3393901335DB68F95C5D753EE1E5
+        - created_at: "2023-06-19T18:35:15Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAy5t8IMoPu4VAQ/9G2JDsJw6YJMjstWPrv07tnU0ErWZx5WGcNUGhw6T5tOJ
+            kXCAuaZax8NxoTtZnQ9Cd+WgJr7R0FuVPEPTc4G2RsfntSZq5rBgCpT0fgwyASFX
+            64b6YTbLcCL+G6sg/FwIi9SRqqCsaljATjoU685vrjaxYYfAdhyUoM3qSNjMMaMl
+            zVjn0kbWrQn4GqfuRMqcr+zCIQdHNTTJ12+c6UUo/zJp4zzjA68Yur9aiw1iHtR1
+            rYCPHX2/ZmQjADTHXqwpuMdb5j0VDcd5JcZabdcJkhn/6MRJiN+XryZN/Neq9UbF
+            5WrMaZz5v0iRnMUCr8HMw29P0ttu5Sma+RyCOZuWlpsXj+C84pJ8CjBbFhzSJzGP
+            cKI8Syn0CPLN3X6vKs+LJXEHg1jxJ9kuN+RgW+SQRctUX3A0JtFg2tWplkptNtLl
+            hN5rW+fWxk7BV9dP7wouwVJiKcW3Y/OMCF5H8YHwL/KVHvANBwNM+nmFPrHaqN2s
+            0RghznmZMVG+9IYedSM6d8ZJLnO/QsNTE0QTGM/3dmBAn9jcndCLTgcgThAtvcmw
+            lFJYaMN3W455Cccaif93xnb44yn47actgEuM6GOuP15GGJaHD2iBQ2atHcaQhNQR
+            mxhIIouu+Kaa6g34MA/VGDNoN0eNYI5RZIUSSBl7bgaOXs9/3j1Uvap9yesCaOTU
+            aAEJAhDDqjX7RUazeEByAiKjv5TxpQzsi8gR4zyrhf6tTx34jHzQNoVjYEtLMEVl
+            ZlAJ06RoxOj8O6+8RGYd/ZUE+TQPQ4jx+PgWrZPUQx8TSxevuduw5XZ1lKytUSCZ
+            GFDjOxp0lMGV
+            =LHSB
+            -----END PGP MESSAGE-----
+          fp: 687802D4DFD8AA82EA55666CF7DADAC782D7663D
+    encrypted_regex: ^(data|stringData)$
+    version: 3.8.0

kubernetes/common/apps/database/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./namespace.yaml
+- ./dbs/ks.yaml

kubernetes/common/apps/database/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: database

kubernetes/common/apps/intel-gpu/ks.yaml

@@ -0,0 +1,24 @@
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: intel-gpu
+  namespace: flux-system
+spec:
+  timeout: 5m
+  interval: 10m
+  path: ./kubernetes/common/apps/intel-gpu/files
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-cluster
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg
+  dependsOn:
+  - name: nfd
+    namespace: flux-system
+  # requires certificates for communications between plugins
+  - name: cert-manager
+    namespace: flux-system

kubernetes/common/apps/metallb/app/files/helm-release.yaml

@@ -24,4 +24,4 @@ spec:
         namespace: flux-system
   values:
     crds:
-      enabled: false
+      enabled: true

kubernetes/common/apps/metallb/app/files/kustomization.yaml

@@ -1,5 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- ./traefik
+- ./helm-release.yaml
-- ./metallb

kubernetes/common/apps/metallb/app/ks.yaml

@@ -0,0 +1,25 @@
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: metallb
+  namespace: flux-system
+spec:
+  timeout: 5m
+  interval: 10m
+  path: ./kubernetes/common/apps/metallb/app/files
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-cluster
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg
+  postBuild:
+    substitute: {}
+    substituteFrom:
+      - kind: ConfigMap
+        name: cluster-settings
+      - kind: Secret
+        name: cluster-secrets

kubernetes/common/apps/metallb/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./namespace.yaml
+- ./app/ks.yaml
+- ./pool/ks.yaml

kubernetes/common/apps/metallb/pool/files/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./metallb-static-ips.yaml

kubernetes/common/apps/metallb/pool/ks.yaml

@@ -0,0 +1,28 @@
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: metallb-pool
+  namespace: flux-system
+spec:
+  timeout: 5m
+  interval: 10m
+  path: ./kubernetes/common/apps/metallb/pool/files
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-cluster
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg
+  dependsOn:
+    - name: metallb
+      namespace: flux-system
+  postBuild:
+    substitute: {}
+    substituteFrom:
+      - kind: ConfigMap
+        name: cluster-settings
+      - kind: Secret
+        name: cluster-secrets

kubernetes/common/apps/nfd/ks.yaml

@@ -7,7 +7,7 @@ metadata:
 spec:
   timeout: 5m
   interval: 10m
-  path: ./kubernetes/main/core/nfd/files
+  path: ./kubernetes/common/apps/nfd/files
   prune: true
   sourceRef:
     kind: GitRepository

kubernetes/common/apps/openebs/kustomization.yaml

@@ -4,5 +4,4 @@ resources:
 - ./namespace.yaml
 - ./helm-repository.yaml
 - ./helm-release.yaml
-- ./mainpool-sc.yaml
 - ./monitoring-helm-release.yaml

kubernetes/common/apps/traefik/app/files/helm-release.yaml

@@ -8,7 +8,7 @@ spec:
   chart:
     spec:
       chart: traefik
-      version: '30.1.0'
+      version: '31.1.0'
       sourceRef:
         kind: HelmRepository
         name: traefik-charts
@@ -17,7 +17,6 @@ spec:
   values:
     additionalArguments:
     - --api.insecure
-    - --entryPoints.factorio.address=:34197/udp
 
     logs:
       general:

kubernetes/common/apps/traefik/app/files/kustomization.yaml

@@ -4,5 +4,4 @@ resources:
 - ./namespace.yaml
 - ./helm-repository.yaml
 - ./helm-release.yaml
-- ./default-tls-store.yaml
 - ./dashboard-ingress.yaml

kubernetes/common/apps/traefik/app/ks.yaml

@@ -0,0 +1,25 @@
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: traefik
+  namespace: flux-system
+spec:
+  timeout: 5m
+  interval: 10m
+  path: ./kubernetes/common/apps/traefik/app/files
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-cluster
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg
+  postBuild:
+    substitute: {}
+    substituteFrom:
+      - kind: ConfigMap
+        name: cluster-settings
+      - kind: Secret
+        name: cluster-secrets

kubernetes/common/apps/traefik/extra/files/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./default-tls-store.yaml

kubernetes/common/apps/traefik/extra/ks.yaml

@@ -0,0 +1,30 @@
+
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: traefik-default-tls
+  namespace: flux-system
+spec:
+  timeout: 5m
+  interval: 10m
+  path: ./kubernetes/common/apps/traefik/extra/files
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-cluster
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg
+  dependsOn:
+  - name: traefik
+    namespace: flux-system
+  postBuild:
+    substitute: {}
+    substituteFrom:
+      - kind: ConfigMap
+        name: cluster-settings
+      - kind: Secret
+        name: cluster-secrets

kubernetes/common/apps/traefik/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./app/ks.yaml
+- ./extra/ks.yaml

kubernetes/main/apps/authentik/helm-release.yaml

@@ -10,7 +10,7 @@ spec:
   chart:
     spec:
       chart: authentik
-      version: 2024.6.4
+      version: 2024.8.2
       sourceRef:
         kind: HelmRepository
         name: authentik-charts

kubernetes/main/apps/database/mysql/helm-release.yaml

@@ -8,7 +8,7 @@ spec:
   chart:
     spec:
       chart: mysql
-      version: 11.1.15
+      version: 11.1.17
       sourceRef:
         kind: HelmRepository
         name: bitnami-charts

kubernetes/main/apps/database/postgresql/pgadmin4/helm-release.yaml

@@ -8,7 +8,7 @@ spec:
   chart:
     spec:
       chart: pgadmin4
-      version: "1.28.0"
+      version: "1.29.0"
       sourceRef:
         kind: HelmRepository
         name: runix-charts

kubernetes/main/apps/database/redis/helm-release.yaml

@@ -8,7 +8,7 @@ spec:
   chart:
     spec:
       chart: redis
-      version: 20.0.x
+      version: 20.1.x
       sourceRef:
         kind: HelmRepository
         name: bitnami-charts

kubernetes/main/apps/default/cdn/helm-release.yaml

@@ -1,3 +1,4 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
@@ -8,58 +9,68 @@ spec:
   chart:
     spec:
       chart: app-template
-      version: 1.3.x
+      version: 3.4.0
       sourceRef:
         kind: HelmRepository
         name: bjws-charts
         namespace: flux-system
 
   values:
-    image:
+    controllers:
-      repository: oci.seedno.de/seednode/nginx
+      main:
-      tag: latest
+        pod:
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 65534
+            runAsGroup: 65533
+            fsGroup: 10000
+            fsGroupChangePolicy: OnRootMismatch
 
-    args:
+        containers:
-    - -c
+          main:
-    - /config/nginx.conf
+            image:
+              repository: git.${SECRET_NEW_DOMAIN}/seanomik/nginx
+              tag: 1.27.1
+              pullPolicy: Always
+
+            resources:
+              requests:
+                memory: 500Mi
+
+            securityContext:
+              allowPrivilegeEscalation: false
+              capabilities: { drop: ["ALL"] }
 
     service:
-      main:
+      app:
+        controller: main
         ports:
           http:
             port: 6544
 
-    probes:
-      liveness:
-        enabled: false
-
     ingress:
       main:
-        enabled: true
         annotations:
           cert-manager.io/cluster-issuer: letsencrypt-production
           traefik.ingress.kubernetes.io/router.entrypoints: websecure
         hosts:
-          - host: &host "cdn.${SECRET_NEW_DOMAIN}"
+        - host: "cdn.${SECRET_NEW_DOMAIN}"
-            paths:
+          paths:
-              - path: /
+          - path: /
-                pathType: Prefix
+            service:
-        tls:
+              identifier: app
-          - hosts:
+              port: http
-              - *host
+
-            
     persistence:
-      data:
-        enabled: true
-        type: hostPath
-        hostPath: /mnt/MainPool/Kubernetes/cdn/data
-        readOnly: true
-        mountPath: /data
       config:
-        enabled: true
         type: configMap
         name: nginx-cdn-configmap
+        globalMounts:
+        - path: /etc/nginx/nginx.conf
+          subPath: nginx.conf
 
-    resources:
+      storage:
-      requests:
+        type: hostPath
-        cpu: 1m
+        hostPath: /mnt/MainPool/Kubernetes/cdn/data
+        globalMounts:
+        - path: /data

kubernetes/main/apps/default/dendrite/helm-release.yaml

@@ -30,7 +30,7 @@ spec:
           main:
             image:
               repository: matrixdotorg/dendrite-monolith
-              tag: v0.13.7
+              tag: v0.13.8
 
     service:
       app:

kubernetes/main/apps/default/ganymede/helm-release.yaml

@@ -26,21 +26,21 @@ spec:
 #            fsGroup: 10000
 #            fsGroupChangePolicy: OnRootMismatch
 
-        initContainers:
-          copy-config:
-            image:
-              repository: alpine
-              tag: 3.20
-
-            command: [ "sh", "-c", "cat /ganymede-config.json && cp -v /ganymede-config.json /data/config.json" ]
-
         containers:
           api:
             image:
               repository: ghcr.io/zibbp/ganymede
               tag: 3.0.1
 
+            securityContext:
+              #allowPrivilegeEscalation: false
+              #capabilities: { drop: ["ALL"] }
+
             env:
+            - name: PUID
+              value: 555
+            - name: PGID
+              value: 555
             - name: TZ
               value: "America/New_York" # Set to your timezone
             - name: DB_HOST
@@ -103,7 +103,7 @@ spec:
           frontend:
             image:
               repository: ghcr.io/zibbp/ganymede-frontend
-              tag: 3.0.0
+              tag: 3.0.1
 
             env:
             - name: API_URL
@@ -124,6 +124,10 @@ spec:
               repository: nginxinc/nginx-unprivileged
               tag: 1.27.1-alpine
 
+            securityContext:
+              allowPrivilegeEscalation: false
+              capabilities: { drop: ["ALL"] }
+
     service:
       app:
         controller: main
@@ -155,7 +159,7 @@ spec:
             service:
               identifier: app
               port: api
-          - path: /vods
+          - path: /data/videos
             service:
               identifier: app
               port: nginx
@@ -168,18 +172,18 @@ spec:
         storageClass: mainpool-hostpath
         accessMode: ReadWriteOnce
         globalMounts:
-        - path: /vods
+        - path: /data/videos
 
       ganymede-data:
         type: persistentVolumeClaim
-        size: 5Gi
+        size: 15Gi
         retain: true
         storageClass: mainpool-hostpath
         accessMode: ReadWriteOnce
         advancedMounts:
           main: # controller name
             api: # container name
-            - path: /data
+            - path: /data/temp
 
       ganymede-logs:
         type: persistentVolumeClaim
@@ -190,7 +194,7 @@ spec:
         advancedMounts:
           main: # controller name
             api: # container name
-            - path: /logs
+            - path: /data/logs
 
       nginx-conf:
         name: ganymede-nginx-conf
@@ -199,17 +203,8 @@ spec:
         advancedMounts:
           main: # controller name
             nginx: # container name
-            - subPath: nginx.conf
+            - path: /etc/nginx/nginx.conf
-              path: /etc/nginx/nginx.conf
+              subPath: nginx.conf
-
-      ganymede-temp-conf:
-        type: emptyDir
-        advancedMounts:
-          main: # controller name
-            api: # container name
-            - path: /data
-            copy-config: # container name
-            - path: /data
 
       ganymede-conf:
         name: ganymede-conf
@@ -217,6 +212,7 @@ spec:
         defaultMode: 0777
         advancedMounts:
           main: # controller name
-            copy-config: # container name
+            api: # container name
-            - subPath: config.json
+            - path: /data/config/config.json
-              path: /ganymede-config.json
+              subPath: config.json
+              

kubernetes/main/apps/default/ganymede/nginx-conf.yaml

@@ -26,16 +26,16 @@ data:
 
       server {
         listen 8080;
-        root /vods;
+        root /data/videos;
 
         add_header 'Access-Control-Allow-Origin' '*' always;
         add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
         add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range' always;
         add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range' always;
 
-        location ^~ /vods {
+        location ^~ /data/videos {
           autoindex on;
-          alias /vods;
+          alias /data/videos;
 
           location ~* \.(ico|css|js|gif|jpeg|jpg|png|svg|webp)$ {
               expires 30d;

kubernetes/main/apps/default/ganymede/temporal-helm-release.yaml

@@ -22,7 +22,7 @@ spec:
           main:
             image:
               repository: temporalio/auto-setup
-              tag: 1.24
+              tag: 1.25
 
             env:
             - name: DB

kubernetes/main/apps/dev/woodpecker/helm-release.yaml

@@ -8,7 +8,7 @@ spec:
   chart:
     spec:
       chart: woodpecker
-      version: "1.5.1"
+      version: "1.6.0"
       sourceRef:
         kind: HelmRepository
         name: woodpecker-charts

kubernetes/main/apps/download/bazarr/helm-release.yaml

@@ -17,7 +17,7 @@ spec:
   values:
     image:
       repository: ghcr.io/onedr0p/bazarr
-      tag: "1.4.3"
+      tag: "1.4.4"
 
     env:
       TZ: America/New_York

kubernetes/main/apps/download/prowlarr/helm-release.yaml

@@ -17,7 +17,7 @@ spec:
   values:
     image:
       repository: ghcr.io/onedr0p/prowlarr-develop
-      tag: "1.21.2.4649"
+      tag: "1.24.0.4721"
 
     # Metrics sidecar
     sidecars:

kubernetes/main/apps/download/qbit-manage/helm-release.yaml

@@ -35,7 +35,7 @@ spec:
 
     image:
       repository: bobokun/qbit_manage
-      tag: "v4.1.7"
+      tag: "v4.1.9"
 
     env:
       QBT_STARTUP_DELAY: 45 # seconds

kubernetes/main/apps/download/qbittorrent/helm-release.yaml

@@ -28,7 +28,7 @@ spec:
           app:
             image:
               repository: ghcr.io/onedr0p/qbittorrent
-              tag: 4.6.5
+              tag: 4.6.7
 
             env:
               QBITTORRENT__PORT: 8080

kubernetes/main/apps/download/radarr/helm-release.yaml

@@ -17,7 +17,7 @@ spec:
   values:
     image:
       repository: ghcr.io/onedr0p/radarr-develop
-      tag: "5.10.0.9090"
+      tag: "5.10.3.9178"
 
     # Metrics sidecar
     sidecars:

kubernetes/main/apps/download/sonarr/helm-release.yaml

@@ -17,7 +17,7 @@ spec:
   values:
     image:
       repository: ghcr.io/onedr0p/sonarr-develop
-      tag: "4.0.9.2300"
+      tag: "4.0.9.2386"
 
     # Metrics sidecar
     sidecars:

kubernetes/main/apps/game-servers/factorio/helm-release.yaml

@@ -17,7 +17,7 @@ spec:
   values:
     image:
       repository: goofball222/factorio
-      tag: "1.1.109"
+      tag: "1.1.110"
 
     service:
       main:

kubernetes/main/apps/irc/znc/helm-release.yaml

@@ -21,7 +21,7 @@ spec:
     # Add init container for pulling znc modules and putting them into the modules directory
     initContainers:
       pull-module-source:
-        image: alpine:3.20.2
+        image: alpine:3.20.3
         command:
           - "sh"
           - "-c"

kubernetes/main/apps/media/audiobookshelf/helm-release.yaml

@@ -23,7 +23,7 @@ spec:
           main:
             image:
               repository: ghcr.io/advplyr/audiobookshelf
-              tag: 2.13.2
+              tag: 2.13.4
 
     service:
       app:

kubernetes/main/apps/media/freshrss/helm-release.yaml

@@ -17,7 +17,7 @@ spec:
   values:
     image:
       repository: linuxserver/freshrss
-      tag: "1.24.2"
+      tag: "1.24.3"
 
     env:
       PUID: 10000

kubernetes/main/apps/media/jellyfin/helm-release.yaml

@@ -22,7 +22,7 @@ spec:
           app:
             image:
               repository: linuxserver/jellyfin
-              tag: 10.9.10
+              tag: 10.9.11
             
             env:
               PUID: 10000

kubernetes/main/apps/media/komga/helm-release.yaml

@@ -17,7 +17,7 @@ spec:
   values:
     image:
       repository: gotson/komga
-      tag: "1.12.0"
+      tag: "1.13.0"
 
     env:
       TZ: America/New_York

kubernetes/main/apps/monitoring/grafana/helm-release.yaml

@@ -8,7 +8,7 @@ spec:
   chart:
     spec:
       chart: grafana
-      version: "8.5.0"
+      version: "8.5.1"
       sourceRef:
         kind: HelmRepository
         name: grafana-charts

kubernetes/main/apps/monitoring/kube-prometheus-stack/helm-release.yaml

@@ -8,7 +8,7 @@ spec:
   chart:
     spec:
       chart: kube-prometheus-stack
-      version: "62.3.1"
+      version: "62.7.0"
       sourceRef:
         kind: HelmRepository
         name: prometheus-community-charts

kubernetes/main/apps/monitoring/proxmoxve-exporter/helm-release.yaml

@@ -17,7 +17,7 @@ spec:
   values:
     image:
       repository: prompve/prometheus-pve-exporter
-      tag: "3.4.4"
+      tag: "3.4.5"
 
     args:
     - --config.file

kubernetes/main/apps/monitoring/victoria-metrics/helm-release.yaml

@@ -8,7 +8,7 @@ spec:
   chart:
     spec:
       chart: victoria-metrics-single
-      version: 0.11.0
+      version: 0.11.2
       sourceRef:
         kind: HelmRepository
         name: victoria-metrics-charts

kubernetes/main/core/kustomization.yaml

@@ -3,9 +3,14 @@ kind: Kustomization
 resources:
 - ./kube-system
 - ./helm-repositories.yaml
-- ./cert-manager
+- ../../common/apps/cert-manager
-- ./networking
+- ../../common/apps/metallb
-- ./storage
+- ../../common/apps/traefik
+# storage
+- ./longhorn
+- ./openebs
+
 - ./kube-replicator
-- ./nfd/ks.yaml
+
-- ./intel-gpu/ks.yaml
+- ../../common/apps/nfd/ks.yaml
+- ../../common/apps/intel-gpu/ks.yaml

kubernetes/main/core/longhorn/helm-release.yaml

@@ -8,7 +8,7 @@ spec:
   chart:
     spec:
       chart: longhorn
-      version: "1.7.0"
+      version: "1.7.1"
       sourceRef:
         kind: HelmRepository
         name: longhorn-charts

kubernetes/main/core/openebs/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../../common/apps/openebs
+- ./mainpool-sc.yaml

kubernetes/main/core/storage/local-path-provisioner/helm.yaml

@@ -1,82 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: GitRepository
-metadata:
-  name: local-path-provisioner
-  namespace: flux-system
-spec:
-  interval: 1m
-  url: https://github.com/rancher/local-path-provisioner.git
-  ref:
-    tag: v0.0.28
----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: local-path-provisioner
-  namespace: kube-system
-spec:
-  interval: 15m
-  chart:
-    spec:
-      chart: ./deploy/chart/local-path-provisioner
-      sourceRef:
-        kind: GitRepository
-        name: local-path-provisioner
-        namespace: flux-system
-  maxHistory: 3
-  install:
-    createNamespace: true
-    remediation:
-      retries: 3
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
-  uninstall:
-    keepHistory: false
-  values:
-    helperImage:
-      repository: public.ecr.aws/docker/library/busybox
-      tag: latest
-    storageClass:
-      defaultClass: false
-    nodePathMap:
-      - node: DEFAULT_PATH_FOR_NON_LISTED_NODES
-        paths: ["/var/lib/rancher/k3s/storage"]
-    # Note: Do not enable Flux variable substitution on this HelmRelease
-    configmap:
-      setup: |-
-        #!/bin/sh
-        while getopts "m:s:p:" opt
-        do
-            case $opt in
-                p)
-                absolutePath=$OPTARG
-                ;;
-                s)
-                sizeInBytes=$OPTARG
-                ;;
-                m)
-                volMode=$OPTARG
-                ;;
-            esac
-        done
-        mkdir -m 0777 -p ${absolutePath}
-        chmod 701 ${absolutePath}/..
-      teardown: |-
-        #!/bin/sh
-        while getopts "m:s:p:" opt
-        do
-            case $opt in
-                p)
-                absolutePath=$OPTARG
-                ;;
-                s)
-                sizeInBytes=$OPTARG
-                ;;
-                m)
-                volMode=$OPTARG
-                ;;
-            esac
-        done
-        rm -rf ${absolutePath}

kubernetes/main/crds/traefik/crds.yaml

@@ -9,7 +9,7 @@ spec:
   url: https://github.com/traefik/traefik-helm-chart.git
   ref:
     # renovate: registryUrl=https://helm.traefik.io/traefik chart=traefik
-    tag: v30.1.0
+    tag: v31.1.0
   ignore: |
     # exclude all
     /*

kubernetes/main/secrets/kustomization.yaml

@@ -2,5 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ./cluster-secrets.sops.yaml
-- ./orca-registry-puller.sops.yaml
 - ./cluster-settings.yaml

kubernetes/main/secrets/orca-registry-puller.sops.yaml

@@ -1,62 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-    name: orca-puller
-    namespace: default
-    annotations:
-        replicator.v1.mittwald.de/replication-allowed: "true"
-        replicator.v1.mittwald.de/replication-allowed-namespaces: '*'
-data:
-    .dockerconfigjson: ENC[AES256_GCM,data:g58h5rYAEZu2W3CYnYHgajsp7wvnFdhyRCt1qWPHbVDC+nwD1TVqTGDga1b2/RTR5tdobqZ9FdP41/1dzZeNBe2lfXOsWhQYd87EhpchFYRgsb9u7ZL32sxERhAxSg+0/AaoIYSHbuBLgRwxqnHOojS7Hcg956L+6Kgh/uiaOGsUrKRjlMAI0aN4agx+n/nU,iv:ichMs+o/3ld90VVq/UatXpAtpD6qjrEIdt0ZRwyh0Gg=,tag:lxvZy9U6sGsndz3sAy3DTQ==,type:str]
-type: kubernetes.io/dockerconfigjson
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age: []
-    lastmodified: "2023-07-22T02:12:00Z"
-    mac: ENC[AES256_GCM,data:yFHVGwFdi2n4Ju6SqqxXDxqxZaHKROIsQZtF+AtJY52f0XJif9jP2fi05dnxULnQ+wWOq4FPwVXc/9GiCiYMItecEApS0+6C7sWxKCWzYYAiFyxSajECzNtr4/XN5yoZBJCgsgFAf42jy9Nr5xLHOAVomnNfmDheS/Pe+Uq9v9E=,iv:oFKca0hHR7ERNgJqDp3pOxzQDBlTCF9Fx1yIl3HCj2o=,tag:107vU6pOFE6Na4BO5C5tiA==,type:str]
-    pgp:
-        - created_at: "2023-07-22T02:12:00Z"
-          enc: |
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMAzKleRwoSoixAQ//QEVgmHtcIVC1afYtQMgD3Kwb+n0nZid3d/enKN64D+fJ
-            bw0xXX9tjO4sy3To49k0EDETLW5paxcNApFYL+zajxNfa+EAZfdYxQqKWraQcxvL
-            /p8bNDyzYDrecWcIdcq4RqrVEA4Ga0K6MmPM0t5l+J/PgguDJWmAxEzlmTb/CdqI
-            MpUmO0RoLHb6m0vfAkEI0LT5E/37pTdqjAq4eMT9n7zxeHr3NmJBIetahENxTKDk
-            Ymw7DhBCLZBPvHyxw/kU7hS/yhJMxmLw9mjHuzWkYVYmZQDB/TwqWsL4cVLFNAVu
-            LqZBHtl2HmaeGefhDij4SfxCj3qTi1e3z1T5wch97XmFanabNizb2oezHYou4h5k
-            AVqWuxUd13am9YhmRMQ32TPPxyAWpV4W87C/XnIrMrfePH2xy54S2ISyL5lQ1I3K
-            5/a4ZMU8hBdCw7FxX6OSAXUd5cCfelJEaRopvwgXF5ZfQjARjQ7iGCedqBQbOsZM
-            vsf5WQvYxp8uivj7gKxhn+KkqJoM225OQKlSwCQ2bj20WsZ3SrjBuK41iO88urej
-            SJLAqG42e+nUjHXn/ql794kCHHG59uRES1wWLvgQ6Siu8TxJK6B+fjOrHBMOeSiD
-            oMKyqWIvziXN5KczkIpOWFCJzHb+AGTUn/a/jCLAqAxAqkWHwwbLdMiUv1053vHS
-            XgHkdbFnWqSekHCdLXu6q1lJhY+VAyzI55Ex2HvdxzBxWQKZAD4c1fFN/88j/Fb4
-            6/IVZvSU45coCyUR3O+py0s6XvBjrJL6W4haNXMl6nVcTxHgby1JTX5vickv400=
-            =cqEc
-            -----END PGP MESSAGE-----
-          fp: 2CC2B3631D5C3393901335DB68F95C5D753EE1E5
-        - created_at: "2023-07-22T02:12:00Z"
-          enc: |
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMAy5t8IMoPu4VAQ//RAyoi7oTNza3klhojjvUXum9iH3pOl1eqNu3qdJc9L4A
-            rGeo7Q9NTgywAaHQA4N0WPjJfFNkKSFLBxbtRpzlVCNrfontoGoFr5fGFWDh2Kfe
-            LydY3Zz9yUfcQYuGm8onVM6B6ImYUtM9ZPix808jxfiuz7rvqNmxqTdCa9o5oMHK
-            TqQ5u26MBR9cFf+W7bxKdDsqm4vEhxxWpEf5wgX+iZboA4O/J8LCVwrp6pb2pJ1q
-            nMA5ElKk/WZbsB6C20DYNXJRsdHjC1Huye6NDt1Em2XY9qcfWkQskVtohlYCdDCp
-            TciHgOF32rmN7h1i4j5Ae58AaSQmNRpKZFc192z8+dHdiSlzQEno6XXV11pezz/i
-            0ALvy2Q+r7xFA8xXyrOf7xOU/j9T8XCEAeidtQoZzEcINtg93tKItakzqacxRa2C
-            4Yj3Wic3LGSX13dZ5cpQNT6P3F6UMVAlVEEu1lHdsAjShbmuFWSFNXVo473O3Nwu
-            1imHmfb1xnqbiWS0tKdUX9jMQg+xYPrsAXQESq/9PmPJxl4tsGPzzCu+rMKf9pmF
-            XqGBASdcf9WaB4Hojm6+4UKb7pPDKAC2vLnOV9ilGv/0z+DwxU0x9swPkAYBm9M9
-            KkcaEh8petqyU2J8f91ESU3OafMo2h5OsJvzB2Zte2XIZIZV0h0y8mo6LKOJ1hzS
-            XgFiMVicO02DFcMkSJXA7ZVnV+1qfJl5vPW6Sa0vDikz/k8jYoRSv2skwZcpFIYf
-            Kr6LbZskq2QVBDS50HdpbOfyF+N8/mYuSfjKkuVH8oOq0KrZ38eJROiygPgpUYk=
-            =i9P2
-            -----END PGP MESSAGE-----
-          fp: 687802D4DFD8AA82EA55666CF7DADAC782D7663D
-    encrypted_regex: ^(data|stringData)$
-    version: 3.7.3

kubernetes/thin/apps/cilium/bgp.yaml

@@ -0,0 +1,54 @@
+apiVersion: cilium.io/v2alpha1
+kind: CiliumBGPClusterConfig
+metadata:
+  name: cilium-bgp
+spec:
+  nodeSelector:
+    matchExpressions:
+    - key: node-role.kubernetes.io/control-plane
+      operator: DoesNotExist
+  bgpInstances:
+  - name: "bgp-public"
+    localASN: 65552
+    peers:
+    - name: "router"
+      peerASN: 65551
+      peerAddress: 192.168.1.1
+      peerConfigRef:
+        name: "cilium-peer-router"
+---
+apiVersion: cilium.io/v2alpha1
+kind: CiliumBGPPeerConfig
+metadata:
+  name: cilium-peer-router
+spec:
+  timers:
+    holdTimeSeconds: 9
+    keepAliveTimeSeconds: 3
+  gracefulRestart:
+    enabled: true
+    restartTimeSeconds: 15
+  families:
+    - afi: ipv4
+      safi: unicast
+      advertisements:
+        matchLabels:
+          advertise: "bgp-public"
+---
+apiVersion: cilium.io/v2alpha1
+kind: CiliumBGPAdvertisement
+metadata:
+  name: bgp-public-ad
+  labels:
+    advertise: "bgp-public"
+spec:
+  advertisements:
+  - advertisementType: "Service"
+    service:
+      addresses:
+      #- ClusterIP
+      - ExternalIP
+      - LoadBalancerIP
+    selector:
+      matchLabels:
+        bgp/service-type: public