♻️ flux kustomizations

kubernetes/apps/networking/external-dns/app/helmrelease.yaml

@@ -0,0 +1,60 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helmrelease_v2beta1.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: external-dns
+  namespace: networking
+spec:
+  interval: 15m
+  chart:
+    spec:
+      chart: external-dns
+      version: 1.12.0
+      sourceRef:
+        kind: HelmRepository
+        name: external-dns
+        namespace: flux-system
+  install:
+    createNamespace: true
+    remediation:
+      retries: 3
+  upgrade:
+    remediation:
+      retries: 3
+  values:
+    interval: 2m
+    logLevel: debug
+    provider: ovh
+    env:
+      - name: OVH_APPLICATION_KEY
+        valueFrom:
+          secretKeyRef:
+            name: ovh-external-dns-creds
+            key: application-key
+      - name: OVH_APPLICATION_SECRET
+        valueFrom:
+          secretKeyRef:
+            name: ovh-external-dns-creds
+            key: application-secret
+      - name: OVH_CONSUMER_KEY
+        valueFrom:
+          secretKeyRef:
+            name: ovh-external-dns-creds
+            key: consummer-key
+    extraArgs:
+      - --annotation-filter=external-dns.home.arpa/enabled in (true)
+    policy: sync
+    sources:
+      - ingress
+    txtOwnerId: "default"
+    domainFilters:
+      - "${SECRET_DOMAIN}"
+    serviceMonitor:
+      enabled: true
+    resources:
+      requests:
+        memory: 100Mi
+        cpu: 25m
+      limits:
+        memory: 250Mi

kubernetes/apps/networking/external-dns/app/kustomization.yaml

@@ -0,0 +1,8 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: networking
+resources:
+  - ./secret.sops.yaml
+  - ./helmrelease.yaml

kubernetes/apps/networking/external-dns/app/secret.sops.yaml

@@ -0,0 +1,31 @@
+# yamllint disable
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+    name: ovh-external-dns-creds
+    namespace: networking
+stringData:
+    application-key: ENC[AES256_GCM,data:eM+c4o7krcCr38iYl+V9aw==,iv:bWvn6Du2AYczidEiYcCiiXiCWQoNTM55+pEqEDT5gVg=,tag:XAtpQsK7J7mQWs47qqAt/Q==,type:str]
+    application-secret: ENC[AES256_GCM,data:dsAI3MXIpqC5FQZojzchOUfJPARBYOOUbnmY042w9DQ=,iv:gLh0ySZfm1akVIcnN/LMuuI7GZrBBq/X6mnQd1j9BeA=,tag:wIKWVoDMRfn68Ot56HFPGA==,type:str]
+    consummer-key: ENC[AES256_GCM,data:5RZrrLBGOhmnPLyRBy83SSAYz67h9zfIwx2cEUSxFAs=,iv:x3rMt3obLjR12PSiuzFb4qPirnMXpxojFZ9sTDp2pis=,tag:2ve3wWb2bHQQUA8m7+gyKQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByazlaTU9oZFR2Y2U1blg0
+            VXdUK3BzL1hsM3RydHQzcE95RklOTUdVWEE4CnNkOGprRVFCNFZjTkpOMnJ0R09T
+            RWhhemdvb243UGlVMHhjWVUzTW03V00KLS0tIDJ3d1NYdkJLaHlvQXBCbFlDZXRp
+            bi8wYjlEM0xGZExSV05HSGlkYjQ2VlUKesUixJpqR2iYx5kNxrbD0kTG1siHVKqq
+            sh8UblAqd1av0/3Qpj9dMF8awR8Q80dElcEwXT90Ks/S7p/uEA358g==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-12-27T00:19:30Z"
+    mac: ENC[AES256_GCM,data:hbC1/+QtH1O0w7cCshPm5b/3pljWMR4Q1bhqoepIJEeLa82N3YqHZ4PcEKPHaJKRpzBN/+OcoMMAC29xBzp+yaS3WZLkh7cz2rYC4+16fjZCjwChZXJOtyE8CrUlsXUj7OvL23RnscCE/0fuIL4uRWqLKokLkbdc6X+sVRlY4l0=,iv:JZZIrTeY0L4jy4cUZfmcm3+ZCjxgn27qIdJf5pVrZkM=,tag:DM+XGSXt/rD/5jTW6LaWTQ==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.7.3

kubernetes/apps/networking/external-dns/ks.yaml

@@ -0,0 +1,23 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/kustomization_v1beta2.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: cluster-apps-external-dns
+  namespace: flux-system
+  labels:
+    substitution.flux.home.arpa/enabled: "true"
+spec:
+  path: ./kubernetes/apps/networking/external-dns/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-ops-kubernetes
+  healthChecks:
+    - apiVersion: helm.toolkit.fluxcd.io/v2beta1
+      kind: HelmRelease
+      name: external-dns
+      namespace: networking
+  interval: 30m
+  retryInterval: 1m
+  timeout: 3m

kubernetes/apps/networking/ingress-nginx/app/clusterpolicy.yaml

@@ -0,0 +1,99 @@
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: ingress-auth-annotations
+  annotations:
+    policies.kyverno.io/title: Ingress Auth Annotations
+    policies.kyverno.io/subject: Ingress
+    policies.kyverno.io/description: >-
+      This policy creates auth annotations on ingresses. When
+      the `auth.home.arpa/enabled` annotation is `true` it
+      applies the nginx auth annotations for use with Authelia.
+spec:
+  mutateExistingOnPolicyUpdate: true
+  generateExistingOnPolicyUpdate: true
+  rules:
+    - name: auth
+      match:
+        any:
+          - resources:
+              kinds: ["Ingress"]
+              annotations:
+                auth.home.arpa/enabled: "true"
+      mutate:
+        patchStrategicMerge:
+          metadata:
+            annotations:
+              +(nginx.ingress.kubernetes.io/auth-method): GET
+              +(nginx.ingress.kubernetes.io/auth-url): |-
+                http://authelia.default.svc.cluster.local.:8888/api/verify
+              +(nginx.ingress.kubernetes.io/auth-signin): |-
+                https://auth.${SECRET_CLUSTER_DOMAIN}?rm=$request_method
+              +(nginx.ingress.kubernetes.io/auth-response-headers): |-
+                Remote-User,Remote-Name,Remote-Groups,Remote-Email
+              +(nginx.ingress.kubernetes.io/auth-snippet): |
+                proxy_set_header X-Forwarded-Method $request_method;
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: ingress-external-dns-annotations
+  annotations:
+    policies.kyverno.io/title: Ingress External-DNS Annotations
+    policies.kyverno.io/subject: Ingress
+    policies.kyverno.io/description: >-
+      This policy creates external-dns annotations on ingresses.
+      When the `external-dns.home.arpa/enabled` annotation is `true`
+      it applies the external-dns annotations for use with external
+      application access.
+spec:
+  mutateExistingOnPolicyUpdate: true
+  generateExistingOnPolicyUpdate: true
+  rules:
+    - name: external-dns
+      match:
+        any:
+          - resources:
+              kinds: ["Ingress"]
+              annotations:
+                external-dns.home.arpa/enabled: "true"
+      mutate:
+        patchStrategicMerge:
+          metadata:
+            annotations:
+              +(external-dns.alpha.kubernetes.io/target): |-
+                services.${SECRET_DOMAIN}.
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: ingress-whitelist-annotations
+  annotations:
+    policies.kyverno.io/title: Ingress Whitelist Annotations
+    policies.kyverno.io/subject: Ingress
+    policies.kyverno.io/description: >-
+      This policy creates annotations on ingresses. When
+      the `external-dns.home.arpa/enabled` annotation is not
+      set it applies the nginx annotations for use with only
+      internal application access.
+spec:
+  mutateExistingOnPolicyUpdate: true
+  generateExistingOnPolicyUpdate: true
+  rules:
+    - name: whitelist
+      match:
+        any:
+          - resources:
+              kinds: ["Ingress"]
+      exclude:
+        any:
+          - resources:
+              annotations:
+                external-dns.home.arpa/enabled: "true"
+      mutate:
+        patchStrategicMerge:
+          metadata:
+            annotations:
+              +(nginx.ingress.kubernetes.io/whitelist-source-range): |-
+                10.0.0.0/8,172.16.0.0/12,192.168.0.0/16

kubernetes/apps/networking/ingress-nginx/app/dashboard/kustomization.yaml

@@ -0,0 +1,18 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: networking
+configMapGenerator:
+  - name: nginx-dashboard
+    files:
+      - nginx-dashboard.json=https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/grafana/dashboards/nginx.json
+  - name: nginx-request-handling-performance-dashboard
+    files:
+      - nginx-request-handling-performance-dashboard.json=https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/grafana/dashboards/request-handling-performance.json
+generatorOptions:
+  disableNameSuffixHash: true
+  annotations:
+    kustomize.toolkit.fluxcd.io/substitute: disabled
+  labels:
+    grafana_dashboard: "true"

kubernetes/apps/networking/ingress-nginx/app/helmrelease.yaml

@@ -0,0 +1,137 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helmrelease_v2beta1.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: ingress-nginx
+  namespace: networking
+spec:
+  interval: 15m
+  chart:
+    spec:
+      chart: ingress-nginx
+      version: 4.4.0
+      sourceRef:
+        kind: HelmRepository
+        name: ingress-nginx
+        namespace: flux-system
+  install:
+    createNamespace: true
+    remediation:
+      retries: 3
+  upgrade:
+    remediation:
+      retries: 3
+  dependsOn:
+    - name: cert-manager
+      namespace: cert-manager
+  values:
+    controller:
+      replicaCount: 2
+      service:
+        type: LoadBalancer
+        loadBalancerIP: "${CLUSTER_LB_NGINX}"
+        externalTrafficPolicy: Local
+      publishService:
+        enabled: true
+      ingressClassResource:
+        default: true
+      config:
+        client-body-buffer-size: "100M"
+        client-body-timeout: 120
+        client-header-timeout: 120
+        custom-http-errors: 400,401,403,404,500,502,503,504
+        enable-brotli: "true"
+        enable-real-ip: "true"
+        hsts-max-age: "31449600"
+        keep-alive-requests: 10000
+        keep-alive: 120
+        proxy-body-size: "0"
+        proxy-buffer-size: "16k"
+        ssl-protocols: "TLSv1.3 TLSv1.2"
+        use-forwarded-headers: "true"
+        # crowdsec bouncer
+        # plugins: "crowdsec"
+        # lua-shared-dicts: "crowdsec_cache: 50m"
+      metrics:
+        enabled: true
+        serviceMonitor:
+          enabled: true
+          namespace: default
+          namespaceSelector:
+            any: true
+      extraArgs:
+        default-ssl-certificate: |-
+          networking/${SECRET_CLUSTER_DOMAIN/./-}-tls
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: kubernetes.io/hostname
+          whenUnsatisfiable: DoNotSchedule
+          labelSelector:
+            matchLabels:
+              app.kubernetes.io/name: ingress-nginx
+              app.kubernetes.io/component: controller
+      # crowdsec bouncer
+      # extraVolumes:
+      # - name: crowdsec-bouncer-plugin
+      #   emptyDir: {}
+      # extraInitContainers:
+      # - name: init-clone-crowdsec-bouncer
+      #   image: crowdsecurity/lua-bouncer-plugin
+      #   tag: v0.1.11
+      #   imagePullPolicy: IfNotPresent
+      #   env:
+      #     - name: API_URL
+      #       value: "http://crowdsec-service.crowdsec.svc.cluster.local:8080"
+      #     - name: API_KEY
+      #       value: "${SECRET_CROWDSEC_NGINX_BOUNCER_API_KEY}"
+      #     - name: DISABLE_RUN
+      #       value: "true"
+      #     - name: BOUNCER_CONFIG
+      #       value: "/crowdsec/crowdsec-bouncer.conf"
+      #   command:
+      #     - "/bin/sh"
+      #     - "-c"
+      #     - |
+      #       #!/bin/sh
+
+      #       sh /docker_start.sh
+      #       mkdir -p /lua_plugins/crowdsec/
+      #       cp -pr /crowdsec/* /lua_plugins/crowdsec/
+      #   volumeMounts:
+      #   - name: crowdsec-bouncer-plugin
+      #     mountPath: /lua_plugins
+      # extraVolumeMounts:
+      # - name: crowdsec-bouncer-plugin
+      #   mountPath: /etc/nginx/lua/plugins/crowdsec
+      #   subPath: crowdsec
+      # resources:
+      #   requests:
+      #     memory: 400Mi
+      #     cpu: 25m
+      #   limits:
+      #     memory: 1Gi
+    defaultBackend:
+      enabled: true
+      image:
+        repository: ghcr.io/tarampampam/error-pages
+        tag: 2.19.0
+      extraEnvs:
+        - name: TEMPLATE_NAME
+          value: l7-light
+        - name: SHOW_DETAILS
+          value: "true"
+      affinity:
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+            - weight: 100
+              podAffinityTerm:
+                labelSelector:
+                  matchExpressions:
+                    - key: app.kubernetes.io/name
+                      operator: In
+                      values: ["ingress-nginx"]
+                    - key: app.kubernetes.io/component
+                      operator: In
+                      values: ["default-backend"]
+                topologyKey: kubernetes.io/hostname

kubernetes/apps/networking/ingress-nginx/app/kustomization.yaml

@@ -0,0 +1,9 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: networking
+resources:
+  - ./dashboard
+  - ./helmrelease.yaml
+  - ./clusterpolicy.yaml

kubernetes/apps/networking/ingress-nginx/certificates/certificates.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: ${SECRET_CLUSTER_DOMAIN/./-}
+  namespace: networking
+spec:
+  secretName: ${SECRET_CLUSTER_DOMAIN/./-}-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "${SECRET_CLUSTER_DOMAIN}"
+  dnsNames:
+    - ${SECRET_CLUSTER_DOMAIN}
+    - "*.${SECRET_CLUSTER_DOMAIN}"

kubernetes/apps/networking/ingress-nginx/certificates/kustomization.yaml

@@ -0,0 +1,6 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./certificates.yaml

kubernetes/apps/networking/ingress-nginx/ks.yaml

@@ -0,0 +1,47 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/kustomization_v1beta2.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: cluster-apps-ingress-nginx-certificates
+  namespace: flux-system
+  labels:
+    substitution.flux.home.arpa/enabled: "true"
+spec:
+  dependsOn:
+    - name: cluster-apps-cert-manager-webhook-ovh
+  path: ./kubernetes/apps/networking/ingress-nginx/certificates
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-ops-kubernetes
+  wait: true
+  interval: 30m
+  retryInterval: 1m
+  timeout: 3m
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/kustomization_v1beta2.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: cluster-apps-ingress-nginx
+  namespace: flux-system
+  labels:
+    substitution.flux.home.arpa/enabled: "true"
+spec:
+  dependsOn:
+    - name: cluster-apps-ingress-nginx-certificates
+    - name: cluster-apps-kyverno
+  path: ./kubernetes/apps/networking/ingress-nginx/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-ops-kubernetes
+  healthChecks:
+    - apiVersion: helm.toolkit.fluxcd.io/v2beta1
+      kind: HelmRelease
+      name: ingress-nginx
+      namespace: networking
+  interval: 30m
+  retryInterval: 1m
+  timeout: 3m

kubernetes/apps/networking/k8s-gateway/app/Corefile

@@ -0,0 +1,17 @@
+.:1053 {
+  errors
+  log
+  health {
+    lameduck 5s
+  }
+  ready
+  k8s_gateway ${SECRET_CLUSTER_DOMAIN} {
+    apex  k8s-gateway.network
+    resources Ingress Service
+    ttl 300
+  }
+  prometheus 0.0.0.0:9153
+  loop
+  reload
+  loadbalance
+}

kubernetes/apps/networking/k8s-gateway/app/helmrelease.yaml

@@ -0,0 +1,92 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helmrelease_v2beta1.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: &app k8s-gateway
+  namespace: networking
+spec:
+  interval: 15m
+  chart:
+    spec:
+      chart: app-template
+      version: 1.2.0
+      sourceRef:
+        kind: HelmRepository
+        name: bjw-s
+        namespace: flux-system
+  install:
+    createNamespace: true
+    remediation:
+      retries: 3
+  upgrade:
+    remediation:
+      retries: 3
+  values:
+    controller:
+      replicas: 2
+      strategy: RollingUpdate
+      annotations:
+        reloader.stakater.com/auto: "true"
+    image:
+      repository: quay.io/oriedge/k8s_gateway
+      tag: v0.3.2
+    args: ["-conf", "/etc/coredns/Corefile"]
+    service:
+      main:
+        type: LoadBalancer
+        loadBalancerIP: "${CLUSTER_LB_K8SGATEWAY}"
+        externalTrafficPolicy: Local
+        ports:
+          http:
+            enabled: false
+          metrics:
+            enabled: true
+            port: 9153
+          dns:
+            enabled: true
+            port: 53
+            targetPort: 1053
+            protocol: UDP
+    serviceMonitor:
+      main:
+        enabled: true
+        endpoints:
+          - port: metrics
+            scheme: http
+            path: /metrics
+            interval: 1m
+            scrapeTimeout: 10s
+    probes:
+      readiness:
+        custom: true
+        spec:
+          httpGet:
+            path: /ready
+            port: 8181
+      liveness:
+        custom: true
+        spec:
+          httpGet:
+            path: /health
+            port: 8080
+      startup:
+        enabled: false
+    serviceAccount:
+      create: true
+      name: *app
+    persistence:
+      config-file:
+        enabled: true
+        type: configMap
+        name: k8s-gateway-configmap
+        subPath: Corefile
+        mountPath: /etc/coredns/Corefile
+        readOnly: true
+    topologySpreadConstraints:
+      - maxSkew: 1
+        topologyKey: kubernetes.io/hostname
+        whenUnsatisfiable: DoNotSchedule
+        labelSelector:
+          matchLabels:
+            app.kubernetes.io/name: *app

kubernetes/apps/networking/k8s-gateway/app/kustomization.yaml

@@ -0,0 +1,14 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: networking
+resources:
+  - ./rbac.yaml
+  - ./helmrelease.yaml
+configMapGenerator:
+  - name: k8s-gateway-configmap
+    files:
+      - ./Corefile
+generatorOptions:
+  disableNameSuffixHash: true

kubernetes/apps/networking/k8s-gateway/app/rbac.yaml

@@ -0,0 +1,48 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: k8s-gateway
+  namespace: networking
+  labels:
+    app.kubernetes.io/instance: k8s-gateway
+    app.kubernetes.io/name: k8s-gateway
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - services
+      - namespaces
+    verbs:
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+      - networking.k8s.io
+    resources:
+      - ingresses
+    verbs:
+      - list
+      - watch
+  - apiGroups: ["gateway.networking.k8s.io"]
+    resources: ["*"]
+    verbs: ["watch", "list"]
+  - apiGroups: ["k8s.nginx.org"]
+    resources: ["*"]
+    verbs: ["watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: k8s-gateway
+  labels:
+    app.kubernetes.io/instance: k8s-gateway
+    app.kubernetes.io/name: k8s-gateway
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: k8s-gateway
+subjects:
+  - kind: ServiceAccount
+    name: k8s-gateway
+    namespace: networking

kubernetes/apps/networking/k8s-gateway/ks.yaml

@@ -0,0 +1,23 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/kustomization_v1beta2.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: cluster-apps-k8s-gateway
+  namespace: flux-system
+  labels:
+    substitution.flux.home.arpa/enabled: "true"
+spec:
+  path: ./kubernetes/apps/networking/k8s-gateway/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-ops-kubernetes
+  healthChecks:
+    - apiVersion: helm.toolkit.fluxcd.io/v2beta1
+      kind: HelmRelease
+      name: k8s-gateway
+      namespace: networking
+  interval: 30m
+  retryInterval: 1m
+  timeout: 3m

kubernetes/apps/networking/kustomization.yaml

@@ -0,0 +1,11 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  # Pre Flux-Kustomizations
+  - ./namespace.yaml
+  # Flux-Kustomizations
+  - ./external-dns/ks.yaml
+  - ./ingress-nginx/ks.yaml
+  - ./k8s-gateway/ks.yaml

kubernetes/apps/networking/namespace.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: networking
+  labels:
+    kustomize.toolkit.fluxcd.io/prune: disabled