feat: overhaul

kubernetes/flux/apps.yaml

@@ -1,5 +1,5 @@
 ---
-# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:

kubernetes/flux/config/cluster.yaml

@@ -19,7 +19,7 @@ spec:
     # include kubernetes directory
     !/kubernetes
 ---
-# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:

kubernetes/flux/config/flux.yaml

@@ -11,7 +11,7 @@ spec:
   ref:
     tag: v2.4.0
 ---
-# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
@@ -26,7 +26,7 @@ spec:
     kind: OCIRepository
     name: flux-manifests
   patches:
-    # Remove the network policies that does not work with k3s
+    # Remove the network policies
     - patch: |
         $patch: delete
         apiVersion: networking.k8s.io/v1
@@ -37,11 +37,11 @@ spec:
         group: networking.k8s.io
         kind: NetworkPolicy
     # Increase the number of reconciliations that can be performed in parallel and bump the resources limits
-    # Ref: https://fluxcd.io/flux/cheatsheets/bootstrap/#increase-the-number-of-workers
+    # https://fluxcd.io/flux/cheatsheets/bootstrap/#increase-the-number-of-workers
     - patch: |
         - op: add
           path: /spec/template/spec/containers/0/args/-
-          value: --concurrent=12
+          value: --concurrent=8
         - op: add
           path: /spec/template/spec/containers/0/args/-
           value: --kube-api-qps=500
@@ -66,24 +66,13 @@ spec:
                 - name: manager
                   resources:
                     limits:
+                      cpu: 2000m
                       memory: 2Gi
       target:
         kind: Deployment
         name: (kustomize-controller|helm-controller|source-controller)
-    # Enable in-memory-kustomize builds
-    # Ref: https://fluxcd.io/flux/installation/configuration/vertical-scaling/#enable-in-memory-kustomize-builds
-    - patch: |
-        - op: replace
-          path: /spec/template/spec/volumes/0
-          value:
-            name: temp
-            emptyDir:
-              medium: Memory
-      target:
-        kind: Deployment
-        name: kustomize-controller
     # Enable Helm near OOM detection
-    # Ref: https://fluxcd.io/flux/cheatsheets/bootstrap/#enable-helm-near-oom-detection
+    # https://fluxcd.io/flux/cheatsheets/bootstrap/#enable-helm-near-oom-detection
     - patch: |
         - op: add
           path: /spec/template/spec/containers/0/args/-

kubernetes/flux/repositories/helm/coredns.yaml

@@ -0,0 +1,10 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: coredns
+  namespace: flux-system
+spec:
+  interval: 1h
+  url: https://coredns.github.io/helm

kubernetes/flux/repositories/helm/crunchydata.yaml

@@ -0,0 +1,12 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: crunchydata
+  namespace: flux-system
+spec:
+  type: oci
+  interval: 30m
+  url: oci://registry.developers.crunchydata.com/crunchydata
+  timeout: 3m

kubernetes/flux/repositories/helm/k8s-gateway.yaml

@@ -0,0 +1,10 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: k8s-gateway
+  namespace: flux-system
+spec:
+  interval: 2h
+  url: https://ori-edge.github.io/k8s_gateway

kubernetes/flux/repositories/helm/kustomization.yaml

@@ -10,6 +10,8 @@ resources:
   - ./cert-manager-webhook-ovh.yaml
   - ./cilium.yaml
   - ./cloudnative-pg.yaml
+  - ./coredns.yaml
+  - ./crunchydata.yaml
   - ./crowdsec.yaml
   - ./descheduler.yaml
   - ./dysnix.yaml
@@ -22,6 +24,7 @@ resources:
   - ./ingress-nginx.yaml
   - ./intel.yaml
   - ./jetstack.yaml
+  - ./k8s-gateway.yaml
   - ./kyverno.yaml
   - ./metrics-server.yaml
   - ./node-feature-discovery.yaml

kubernetes/flux/vars/cluster-secrets.sops.yaml

@@ -7,6 +7,7 @@ metadata:
 stringData:
     SECRET_CLUSTER_CERTIFICATE_DEFAULT: ENC[AES256_GCM,data:8HotHVJva77fd9S+j2BB,iv:fqCDD0NuK9ySCsGGT3G4QsfViM2L9oPp9ZLgwXf0tLI=,tag:rX1quD8RTjvzV75fmwmC6w==,type:str]
     SECRET_CLUSTER_DOMAIN_EMAIL: ENC[AES256_GCM,data:j1yBajAlXKQeDuvbV2IyJp8IT3wA,iv:pxPgYZEZ6pvcr6trM1gkL5MZORewARaiVfwRTyWxny0=,tag:y31EGp46NgF/Pf3hQ2Iavw==,type:str]
+    SECRET_CLOUDFLARE_TUNNEL_ID: ENC[AES256_GCM,data:nS0cVHEiuEk1w43AjcWNjGVecEr8RZr4iXsMCO9152bn2wWc,iv:jDz8AP6eCF5+CASt3ogR8vzAO5VkbZQ3pY2+AFmz15U=,tag:DVKZ3xSZLrW9pQIx0HJRCQ==,type:str]
     SECRET_DOMAIN: ENC[AES256_GCM,data:UtdBDs6+azVHO7Y=,iv:ZnWrBW+vW6HiMs1PbgY2LjcwUwuUh1HxYjqvOXvCrDk=,tag:r6uDIJhVoTIcizIfRW+lHw==,type:str]
     SECRET_EXTERNAL_DOMAIN: ENC[AES256_GCM,data:Brd9H7gizPxew+4=,iv:YaIxv9TFF0mAks9gJXwXA1N7b8k5mcSJ6hs9lpaUV/M=,tag:8xdRoWun3IUVywagpsrsBw==,type:str]
     SECRET_INTERNAL_DOMAIN: ENC[AES256_GCM,data:WLuQAi9JsUsD5Q==,iv:Zc+5/rQONxepZFVC/ia01aBdlVyG99thOeIipeAVS3E=,tag:FwwjDKoUMfZ/taFPRRThOQ==,type:str]
@@ -31,8 +32,8 @@ sops:
             WG82VkdBMlNnRzBySFQzMk41cEtXSlEKBqOmq9UpO61C85+pj0ibdT31y4pmFsbm
             pTi4N0vv81kcf4ilqBU5h1gudNCb42Q2iL0eGNR4e3JzH4iaNsvnEg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-08-21T20:32:55Z"
-    mac: ENC[AES256_GCM,data:KEiOqecL9LenpkLZZkgfaSA9tZUklild1QHj00n5IuKu3JZVtSfdqG9lDw6KMb02ZenG5e+NRzLQ/kek+TdekoNRFK65zFcPR2DtmimjapE383eNe+gwqGggCynxjse1o+HhtJq/0zeEukRpBVkl8pWt9d10oaGDTpbLfHwZbWg=,iv:p8TsrgDv4GMEnNGaDlBbCmE5MzueKmKReLmHpYME63s=,tag:o7e4sV+eVmhmqcAHOhFkkg==,type:str]
+    lastmodified: "2025-01-03T20:27:58Z"
+    mac: ENC[AES256_GCM,data:QgFNCP1l74XISc2/6byMOzk4brz0SkbfjLxgoLRaBx08BHULaJRHiNqRRyhaKF5ZjxsOxVYiFpHrWgfu/mi/InwA6nBttwNSM/+bzKabRC6vdgrLIIXxJKGKu7BlmtILF4uZRqKqcOIK+nrZS8YWdlOY0Vyzunh4kMQoyIvugRk=,iv:0HYH18NEag1KqIXwoiMPHkFiW1jaQkK1LJ5XhENPalw=,tag:RO8oMhTRBLOzf31DgV38CQ==,type:str]
     pgp: []
     encrypted_regex: ^(data|stringData)$
-    version: 3.9.0
+    version: 3.9.3

kubernetes/flux/vars/cluster-settings.yaml

@@ -8,7 +8,6 @@ data:
   CILIUM_BGP_SVC_RANGE: 192.168.169.0/24
   CILIUM_POD_CIDR: 10.69.0.0/16
   CLUSTER_LB_K8SGATEWAY: 192.168.169.100
-  CLUSTER_LB_NGINX: 192.168.169.101
   CLUSTER_LB_SMTP_RELAY: 192.168.169.102
   CLUSTER_LB_UNIFI: 192.168.169.103
   CLUSTER_LB_GITEA: 192.168.169.104
@@ -25,8 +24,11 @@ data:
   CLUSTER_LB_CILIUM: 192.168.169.115
   CLUSTER_LB_LMS: 192.168.169.116
   CLUSTER_LB_TDARR: 192.168.169.117
+  CLUSTER_LB_POSTGRES: 192.168.169.118
+  CLUSTER_LB_NGINX_INTERNAL: 192.168.169.119
+  CLUSTER_LB_NGINX_EXTERNAL: 192.168.169.120
   LOCAL_LAN: 192.168.8.0/22
   LOCAL_LAN_OPNSENSE: 192.168.8.1
   LOCAL_LAN_TRUENAS: 192.168.9.10
   LOCAL_LAN_TRUENAS_REMOTE: 10.10.0.2
-  TIMEZONE: "Europe/Paris"
+  TIMEZONE: Europe/Paris