feat: flux instance

kubernetes/apps/cert-manager/cert-manager/app/helm/kustomizeconfig.yaml

@@ -0,0 +1,7 @@
+---
+nameReference:
+  - kind: ConfigMap
+    version: v1
+    fieldSpecs:
+      - path: spec/valuesFrom/name
+        kind: HelmRelease

kubernetes/apps/cert-manager/cert-manager/app/helm/values.yaml

@@ -0,0 +1,11 @@
+---
+crds:
+  enabled: true
+enableCertificateOwnerRef: true
+dns01RecursiveNameservers: https://1.1.1.1:443/dns-query,https://1.0.0.1:443/dns-query
+dns01RecursiveNameserversOnly: true
+prometheus:
+  enabled: true
+  servicemonitor:
+    enabled: true
+    prometheusInstance: observability

kubernetes/apps/cert-manager/cert-manager/app/helmrelease.yaml

@@ -1,41 +1,40 @@
 ---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/ocirepository_v1beta2.json
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: OCIRepository
+metadata:
+  name: cert-manager
+spec:
+  interval: 5m
+  layerSelector:
+    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
+    operation: copy
+  ref:
+    tag: v1.17.1
+  url: oci://ghcr.io/home-operations/charts-mirror/cert-manager
+  verify:
+    provider: cosign
+    matchOIDCIdentity:
+      - issuer: "^https://token.actions.githubusercontent.com$"
+        subject: "^https://github.com/home-operations/charts-mirror.*$"
+---
 # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
   name: cert-manager
-  namespace: cert-manager
 spec:
-  interval: 30m
-  chart:
-    spec:
-      chart: cert-manager
-      version: v1.17.1
-      sourceRef:
-        kind: HelmRepository
-        name: jetstack
-        namespace: flux-system
-  maxHistory: 2
+  interval: 1h
+  chartRef:
+    kind: OCIRepository
+    name: cert-manager
   install:
-    createNamespace: true
-    crds: CreateReplace
     remediation:
-      retries: 3
+      retries: -1
   upgrade:
     cleanupOnFail: true
-    crds: CreateReplace
     remediation:
       retries: 3
-  uninstall:
-    keepHistory: false
-  values:
-    crds:
-      enabled: true
-    enableCertificateOwnerRef: true
-    dns01RecursiveNameservers: https://1.1.1.1:443/dns-query,https://1.0.0.1:443/dns-query
-    dns01RecursiveNameserversOnly: true
-    prometheus:
-      enabled: true
-      servicemonitor:
-        enabled: true
-        prometheusInstance: observability
+  valuesFrom:
+    - kind: ConfigMap
+      name: cert-manager-values

kubernetes/apps/cert-manager/cert-manager/app/kustomization.yaml

@@ -4,14 +4,13 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: cert-manager
 resources:
+  - ./externalsecret.yaml
+  - ./clusterissuer.yaml
   - ./helmrelease.yaml
   - ./prometheusrule.yaml
-# configMapGenerator:
-#   - name: cert-manager-dashboard
-#     files:
-#       - cert-manager-dashboard.json=https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/cert-manager/dashboards/cert-manager.json
-# generatorOptions:
-#   disableNameSufs
-#     kustomize.toolkit.fluxcd.io/substitute: disabled
-#   labels:
-#     grafana_dashboard: "true"
+configMapGenerator:
+  - name: cert-manager-values
+    files:
+      - values.yaml=./helm/values.yaml
+configurations:
+  - ./helm/kustomizeconfig.yaml

kubernetes/apps/cert-manager/cert-manager/issuers/kustomization.yaml

@@ -1,7 +0,0 @@
----
-# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - ./externalsecret.yaml
-  - ./helmrelease.yaml

kubernetes/apps/cert-manager/cert-manager/ks.yaml

@@ -10,42 +10,22 @@ spec:
   commonMetadata:
     labels:
       app.kubernetes.io/name: *app
+  healthChecks:
+    - apiVersion: helm.toolkit.fluxcd.io/v2
+      kind: HelmRelease
+      name: *app
+      namespace: cert-manager
+  healthCheckExprs:
+    - apiVersion: cert-manager.io/v1
+      kind: ClusterIssuer
+      failed: status.conditions.filter(e, e.type == 'Ready').all(e, e.status == 'False')
+      current: status.conditions.filter(e, e.type == 'Ready').all(e, e.status == 'True')
+  interval: 1h
   path: ./kubernetes/apps/cert-manager/cert-manager/app
   prune: true
+  retryInterval: 2m
   sourceRef:
     kind: GitRepository
     name: home-ops-kubernetes
-  wait: false
-  interval: 30m
-  retryInterval: 1m
+    namespace: flux-system
   timeout: 5m
-  postBuild:
-    substitute:
-      APP: *app
----
-# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: &app cert-manager-issuers
-  namespace: flux-system
-spec:
-  targetNamespace: cert-manager
-  commonMetadata:
-    labels:
-      app.kubernetes.io/name: *app
-  dependsOn:
-    - name: cert-manager
-    - name: external-secrets-stores
-  path: ./kubernetes/apps/cert-manager/cert-manager/issuers
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: home-ops-kubernetes
-  wait: false
-  interval: 30m
-  retryInterval: 1m
-  timeout: 5m
-  postBuild:
-    substitute:
-      APP: *app