use example

apps/base/podinfo/kustomization.yaml

@@ -4,4 +4,4 @@ namespace: podinfo
 resources:
   - namespace.yaml
   - repository.yaml
-  - release.yaml
+  - release.yaml

apps/base/podinfo/namespace.yaml

@@ -1,4 +1,6 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: podinfo
+  name: podinfo
+  labels:
+    toolkit.fluxcd.io/tenant: dev-team

apps/base/podinfo/release.yaml

@@ -24,4 +24,4 @@ spec:
       tag: 7.0.6
     ingress:
       enabled: true
-      className: nginx
+      className: nginx

apps/base/podinfo/repository.yaml

@@ -1,6 +1,8 @@
-apiVersion: v1
-kind: Namespace
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
 metadata:
   name: podinfo
-  labels:
-    toolkit.fluxcd.io/tenant: dev-team
+  namespace: podinfo
+spec:
+  interval: 5m
+  url: https://stefanprodan.github.io/podinfo

apps/base/windmill/kustomization.yaml

@@ -1,5 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: windmill
-resources:
-  - windmill.yaml

apps/base/windmill/windmill.yaml

@@ -1,95 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1beta2
-kind: HelmRepository
-metadata:
-  name: windmill
-  namespace: default
-spec:
-  interval: 10m
-  url: https://windmill-labs.github.io/windmill-helm-charts
----
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
-kind: HelmRelease
-metadata:
-  name: windmill
-  namespace: default
-spec:
-  interval: 60m
-  chart:
-    spec:
-      chart: windmill
-      version: "2.0.170"
-      sourceRef:
-        kind: HelmRepository
-        name: windmill
-  values:
-    windmill:
-      # domain as shown in browser, this is used together with `baseProtocol` as part of the BASE_URL environment variable in app and worker container and in the ingress resource, if enabled
-      baseDomain: windmill2.sbtp.xyz
-      baseProtocol: https
-      # postgres URI, pods will crashloop if database is unreachable, sets DATABASE_URL environment variable in app and worker container
-      databaseUrl: postgres://postgres:windmill@windmill-postgresql/windmill?sslmode=disable
-      # replica for the application app
-      appReplicas: 2
-      # replicas for the workers, jobs are executed on the workers
-      lspReplicas: 2
-      workerGroups:
-        # The default worker group is the one that will execute jobs with any taggs  except the native ones. Windmill has a default worker group configuration for it
-        - name: "default"
-          replicas: 3
-          # -- Annotations to apply to the pods
-          annotations: {}
-          # -- Labels to apply to the pods
-          labels: {}
-          # -- Node selector to use for scheduling the pods
-          nodeSelector: {}
-          # -- Tolerations to apply to the pods
-          tolerations: []
-          # -- Affinity rules to apply to the pods
-          affinity: {}
-          # -- Resource limits and requests for the pods
-          resources:
-            requests:
-              memory: "1028Mi"
-              cpu: "500m"
-            limits:
-              memory: "2048Mi"
-              cpu: "1000m"
-          # -- Extra environment variables to apply to the pods
-          extraEnv: []
-          # -- Extra sidecar containers
-          extraContainers: []
-          # -- Mode for workers, defaults to "worker" - alternative "agent" requires Enterprise license
-          mode: "worker"
-        # Thenative worker group will only execute native jobs. Windmill has a default worker group configuration for it
-        - name: "native"
-          replicas: 4
-          # -- Resource limits and requests for the pods
-          resources:
-            requests:
-              memory: "128Mi"
-              cpu: "100m"
-            limits:
-              memory: "256Mi"
-              cpu: "200m"
-          # -- Extra environment variables to apply to the pods
-          extraEnv: []
-          # -- Extra sidecar containers
-          extraContainers: []
-          # -- Mode for workers, defaults to "worker" - alternative "agent" requires Enterprise license
-          mode: "worker"
-        - name: "gpu"
-          replicas: 0
-      # Use those to override the tag or image used for the app and worker containers. Windmill uses the same image for both.
-      # By default, if enterprise is enable, the image is set to ghcr.io/windmill-labs/windmill-ee, otherwise the image is set to ghcr.io/windmill-labs/windmill
-      #tag: "mytag"
-      #image: "ghcr.io/windmill-labs/windmill"
-      # enable postgres (bitnami) on kubernetes
-      postgresql:
-        enabled: true
-      # enable minio (bitnami) on kubernetes
-      minio:
-        enabled: false
-      ingress:
-        enabled: false
-      enterprise:
-        enable: false

apps/production/futureporn-values.yaml

@@ -1,24 +0,0 @@
-
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
-kind: HelmRelease
-metadata:
-  name: futureporn
-  namespace: futureporn
-spec:
-  chart:
-    spec:
-      version: ">=1.0.0"
-  values:
-    storageClassName: vultr-block-storage-hdd
-    link2cid:
-      containerName: gitea.futureporn.net/futureporn/link2cid:latest
-    next:
-      containerName: sjc.vultrcr.com/fpcontainers/next
-    strapi:
-      containerName: sjc.vultrcr.com/fpcontainers/strapi
-      port: 1337
-      url: https://portal.futureporn.net
-    managedBy: Helm
-    extraArgs: 
-      - --dns01-recursive-nameservers-only
-      - --dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53

apps/production/kustomization.yaml

@@ -1,8 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ../base/futureporn
+  - ../base/podinfo
 patches:
-  - path: futureporn-values.yaml
+  - path: podinfo-values.yaml
     target:
-      kind: HelmRelease
+      kind: HelmRelease

apps/production/podinfo-values.yaml

@@ -0,0 +1,16 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+  name: podinfo
+  namespace: podinfo
+spec:
+  chart:
+    spec:
+      version: ">=1.0.0"
+  values:
+    ingress:
+      hosts:
+        - host: podinfo.production
+          paths:
+            - path: /
+              pathType: ImplementationSpecific

apps/staging/kustomization.yaml

@@ -1,4 +1,9 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
+namespace: podinfo
 resources:
-  - ../base/futureporn
+  - ../base/podinfo
+patches:
+  - path: podinfo-values.yaml
+    target:
+      kind: HelmRelease

apps/staging/podinfo-values.yaml

@@ -0,0 +1,18 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+  name: podinfo
+  namespace: podinfo
+spec:
+  chart:
+    spec:
+      version: ">=1.0.0-alpha"
+  test:
+    enable: false
+  values:
+    ingress:
+      hosts:
+        - host: podinfo.staging
+          paths:
+            - path: /
+              pathType: ImplementationSpecific

clusters/production/apps.yaml

@@ -14,4 +14,4 @@ spec:
   path: ./apps/production
   prune: true
   wait: true
-  timeout: 5m0s
+  timeout: 5m0s

clusters/production/flux-system/gotk-sync.yaml

@@ -1,27 +1 @@
-# This manifest was generated by flux. DO NOT EDIT.
----
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: GitRepository
-metadata:
-  name: flux-system
-  namespace: flux-system
-spec:
-  interval: 1m0s
-  ref:
-    branch: main
-  secretRef:
-    name: flux-system
-  url: ssh://git@gitea.futureporn.net:2222/futureporn/fp
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: flux-system
-  namespace: flux-system
-spec:
-  interval: 10m0s
-  path: ./clusters/production
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: flux-system
+# This file will be generated automatically by flux boostrap.

clusters/production/flux-system/kustomization.yaml

@@ -1,5 +1,19 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- gotk-components.yaml
-- gotk-sync.yaml
+  - gotk-components.yaml
+  - gotk-sync.yaml
+labels:
+  - pairs:
+      toolkit.fluxcd.io/tenant: sre-team
+patches:
+  - patch: |
+      - op: add
+        path: /spec/template/spec/containers/0/args/-
+        value: --concurrent=20
+      - op: add
+        path: /spec/template/spec/containers/0/args/-
+        value: --requeue-dependency=5s
+    target:
+      kind: Deployment
+      name: "(kustomize-controller|helm-controller|source-controller)"

clusters/production/infrastructure.yaml

@@ -31,3 +31,11 @@ spec:
     name: flux-system
   path: ./infrastructure/configs
   prune: true
+  patches:
+    - patch: |
+        - op: replace
+          path: /spec/acme/server
+          value: https://acme-v02.api.letsencrypt.org/directory
+      target:
+        kind: ClusterIssuer
+        name: letsencrypt

clusters/staging/apps.yaml

@@ -0,0 +1,16 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: apps
+  namespace: flux-system
+spec:
+  interval: 10m0s
+  dependsOn:
+    - name: infra-configs
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  path: ./apps/staging
+  prune: true
+  wait: true
+  timeout: 5m0s

clusters/staging/flux-system/gotk-components.yaml

@@ -0,0 +1 @@
+# This file will be generated automatically by flux boostrap.

clusters/staging/flux-system/gotk-sync.yaml

@@ -0,0 +1 @@
+# This file will be generated automatically by flux boostrap.

clusters/staging/flux-system/kustomization.yaml

@@ -0,0 +1,19 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - gotk-components.yaml
+  - gotk-sync.yaml
+labels:
+  - pairs:
+      toolkit.fluxcd.io/tenant: sre-team
+patches:
+  - patch: |
+      - op: add
+        path: /spec/template/spec/containers/0/args/-
+        value: --concurrent=20
+      - op: add
+        path: /spec/template/spec/containers/0/args/-
+        value: --requeue-dependency=5s
+    target:
+      kind: Deployment
+      name: "(kustomize-controller|helm-controller|source-controller)"

clusters/staging/infrastructure.yaml

@@ -0,0 +1,41 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: infra-controllers
+  namespace: flux-system
+spec:
+  interval: 1h
+  retryInterval: 1m
+  timeout: 5m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  path: ./infrastructure/controllers
+  prune: true
+  wait: true
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: infra-configs
+  namespace: flux-system
+spec:
+  dependsOn:
+    - name: infra-controllers
+  interval: 1h
+  retryInterval: 1m
+  timeout: 5m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  path: ./infrastructure/configs
+  prune: true
+  patches:
+    - patch: |
+        - op: replace
+          path: /spec/acme/server
+          value: https://acme-staging-v02.api.letsencrypt.org/directory
+      target:
+        kind: ClusterIssuer
+        name: letsencrypt

infrastructure/configs/cluster-issuers.yaml

@@ -2,44 +2,16 @@
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
-  name: letsencrypt-prod
+  name: letsencrypt
 spec:
   acme:
-    # server: https://acme-staging-v02.api.letsencrypt.org/directory
-    server: https://acme-v02.api.letsencrypt.org/directory
-    email: cj@futureporn.net
-    privateKeySecretRef:
-      name: letsencrypt-prod
-    solvers:
-    - dns01:
-        webhook:
-          groupName: acme.vultr.com
-          solverName: vultr
-          config:
-            apiKeySecretRef:
-              key: apiKey
-              name: vultr
----
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
-  name: letsencrypt-staging
-spec:
-  acme:
-    # You must replace this email address with your own.
-    # Let's Encrypt will use this to contact you about expiring
-    # certificates, and issues related to your account.
-    email: cj@futureporn.net
+    # Replace the email address with your own contact email
+    email: fluxcdbot@users.noreply.github.com
+    # The server is replaced in /clusters/production/infrastructure.yaml
     server: https://acme-staging-v02.api.letsencrypt.org/directory
     privateKeySecretRef:
-      # Secret resource that will be used to store the account's private key.
-      name: letsencrypt-staging
+      name: letsencrypt-nginx
     solvers:
-    - dns01:
-        webhook:
-          groupName: acme.vultr.com
-          solverName: vultr
-          config:
-            apiKeySecretRef:
-              key: apiKey
-              name: vultr-credentials
+      - http01:
+          ingress:
+            class: nginx

infrastructure/configs/kustomization.yaml

@@ -1,4 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - cluster-issuers.yaml
+  - cluster-issuers.yaml

infrastructure/controllers/cert-manager-webhook-vultr.yaml

@@ -1,25 +0,0 @@
----
-apiVersion: source.toolkit.fluxcd.io/v1beta2
-kind: HelmRepository
-metadata:
-  name: vultr
-  namespace: cert-manager
-spec:
-  interval: 1m
-  url: https://vultr.github.io/helm-charts
-
----
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
-kind: HelmRelease
-metadata:
-  name: cert-manager-webhook-vultr
-  namespace: cert-manager
-spec:
-  interval: 60m
-  chart:
-    spec:
-      chart: cert-manager-webhook-vultr
-      version: "1.0.0"
-      sourceRef:
-        kind: HelmRepository
-        name: vultr

infrastructure/controllers/cert-manager.yaml

@@ -32,4 +32,4 @@ spec:
         namespace: cert-manager
       interval: 12h
   values:
-    installCRDs: true
+    installCRDs: true

infrastructure/controllers/external-dns.yaml

@@ -1,69 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: external-dns
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: external-dns
-rules:
-- apiGroups: [""]
-  resources: ["services","endpoints","pods"]
-  verbs: ["get","watch","list"]
-- apiGroups: ["extensions","networking.k8s.io"]
-  resources: ["ingresses"]
-  verbs: ["get","watch","list"]
-- apiGroups: [""]
-  resources: ["nodes"]
-  verbs: ["list"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: external-dns-viewer
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: external-dns
-subjects:
-- kind: ServiceAccount
-  name: external-dns
-  namespace: default
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: external-dns
-spec:
-  strategy:
-    type: Recreate
-  selector:
-    matchLabels:
-      app: external-dns
-  template:
-    metadata:
-      labels:
-        app: external-dns
-    spec:
-      serviceAccountName: external-dns
-      containers:
-      - name: external-dns
-        resources:
-          requests:
-            memory: "64Mi"
-            cpu: "250m"
-          limits:
-            memory: "128Mi"
-            cpu: "500m"
-        image: registry.k8s.io/external-dns/external-dns:v0.14.1
-        args:
-        - --source=ingress
-        - --domain-filter=sbtp.xyz
-        - --provider=vultr
-        env:
-        - name: VULTR_API_KEY
-          valueFrom:
-            secretKeyRef:
-              name: vultr
-              key: apiKey

infrastructure/controllers/ingress-nginx.yaml

@@ -36,4 +36,4 @@ spec:
       service:
         type: "NodePort"
     admissionWebhooks:
-      enabled: false
+      enabled: false

infrastructure/controllers/kustomization.yaml

@@ -2,4 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - cert-manager.yaml
-  - ingress-nginx.yaml
+  - ingress-nginx.yaml

infrastructure/controllers/roles.yaml

@@ -1,25 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: cert-manager-webhook-vultr-secret-reader
-  namespace: cert-manager
-rules:
-- apiGroups: [""]
-  resources: ["secrets"]
-  verbs: ["get", "watch", "list"]
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: cert-manager-webhook-vultr-secret-reader-binding
-  namespace: cert-manager
-subjects:
-- kind: ServiceAccount
-  name: cert-manager-webhook-vultr
-  namespace: cert-manager
-roleRef:
-  kind: Role
-  name: cert-manager-webhook-vultr-secret-reader
-  apiGroup: rbac.authorization.k8s.io
-