redaction (#1)

Add the redacted source file for demo purposes

Reviewed-on: https://source.michaeldileo.org/michael_dileo/Keybard-Vagabond-Demo/pulls/1
Co-authored-by: Michael DiLeo <michael_dileo@proton.me>
Co-committed-by: Michael DiLeo <michael_dileo@proton.me>

manifests/cluster/flux-system/applications.yaml

@@ -0,0 +1,28 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: applications
+  namespace: flux-system
+spec:
+  interval: 10m0s
+  path: ./manifests/applications
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  # SOPS decryption configuration
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg
+  # Applications will start after flux-system is ready (implicit dependency)
+  # Health checks for application readiness
+  # healthChecks:
+  #   - apiVersion: apps/v1
+  #     kind: Deployment
+  #     name: wireguard
+  #     namespace: wireguard
+  # Timeout for application deployments
+  timeout: 15m0s 
+  

manifests/cluster/flux-system/authentik.yaml

@@ -0,0 +1,22 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: authentik
+  namespace: flux-system
+spec:
+  dependsOn:
+  - name: infrastructure-postgresql
+  - name: infrastructure-redis
+  interval: 5m
+  path: ./manifests/infrastructure/authentik
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  timeout: 10m
+  wait: true 
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg 

manifests/cluster/flux-system/celery-monitoring.yaml

@@ -0,0 +1,23 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: infrastructure-celery-monitoring
+  namespace: flux-system
+spec:
+  interval: 10m
+  timeout: 5m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  path: ./manifests/infrastructure/celery-monitoring
+  prune: true
+  wait: true
+  dependsOn:
+  - name: infrastructure-redis
+  - name: cert-manager
+  - name: ingress-nginx
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg

manifests/cluster/flux-system/ceph-cluster.yaml

@@ -0,0 +1,12 @@
+# apiVersion: kustomize.toolkit.fluxcd.io/v1
+# kind: Kustomization
+# metadata:
+#   name: ceph-cluster
+#   namespace: flux-system
+# spec:
+#   interval: 10m0s
+#   path: ./manifests/infrastructure/ceph-cluster
+#   prune: true
+#   sourceRef:
+#     kind: GitRepository
+#     name: flux-system

manifests/cluster/flux-system/cert-manager.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: cert-manager
+  namespace: flux-system
+spec:
+  interval: 10m0s
+  path: ./manifests/infrastructure/cert-manager
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system 

manifests/cluster/flux-system/cilium.yaml

@@ -0,0 +1,12 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: cilium
+  namespace: flux-system
+spec:
+  interval: 10m0s
+  path: ./manifests/infrastructure/cilium
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system

manifests/cluster/flux-system/cloudflared.yaml

@@ -0,0 +1,19 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: cloudflared
+  namespace: flux-system
+spec:
+  interval: 10m0s
+  path: ./manifests/infrastructure/cloudflared
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  wait: true
+  timeout: 5m
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg

manifests/cluster/flux-system/cluster-issuers.yaml

@@ -0,0 +1,18 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: cluster-issuers
+  namespace: flux-system
+spec:
+  interval: 10m0s
+  path: ./manifests/infrastructure/cluster-issuers
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  healthChecks:
+    - apiVersion: helm.toolkit.fluxcd.io/v2beta1
+      kind: HelmRelease
+      name: cert-manager
+      namespace: cert-manager

manifests/cluster/flux-system/elasticsearch.yaml

@@ -0,0 +1,32 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: elasticsearch
+  namespace: flux-system
+spec:
+  interval: 5m
+  timeout: 15m
+  retryInterval: 1m
+  path: "./manifests/infrastructure/elasticsearch"
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  # Wait for these before deploying Elasticsearch
+  dependsOn:
+  - name: longhorn
+    namespace: flux-system
+  # Force apply to handle CRDs that may not be registered yet during validation
+  # The operator HelmRelease will install CRDs, but validation happens before apply
+  force: true
+  wait: true
+  healthChecks:
+  - apiVersion: apps/v1
+    kind: Deployment
+    name: elastic-operator
+    namespace: elasticsearch-system
+  - apiVersion: elasticsearch.k8s.elastic.co/v1
+    kind: Elasticsearch
+    name: elasticsearch
+    namespace: elasticsearch-system 

manifests/cluster/flux-system/gotk-sync.yaml

@@ -0,0 +1,27 @@
+# This manifest was generated by flux. DO NOT EDIT.
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: GitRepository
+metadata:
+  name: flux-system
+  namespace: flux-system
+spec:
+  interval: 1m0s
+  ref:
+    branch: k8s-fleet
+  secretRef:
+    name: flux-system
+  url: https://<GITEA_INSTANCE>/<USERNAME>/keyboard-vagabond.git
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: flux-system
+  namespace: flux-system
+spec:
+  interval: 10m0s
+  path: ./manifests/cluster
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system

manifests/cluster/flux-system/harbor-registry.yaml

@@ -0,0 +1,17 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: harbor-registry
+  namespace: flux-system
+spec:
+  interval: 10m0s
+  path: ./manifests/infrastructure/harbor-registry
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg

manifests/cluster/flux-system/ingress-nginx.yaml

@@ -0,0 +1,13 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: ingress-nginx
+  namespace: flux-system
+spec:
+  interval: 10m0s
+  path: ./manifests/infrastructure/ingress-nginx
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  targetNamespace: ingress-nginx

manifests/cluster/flux-system/kustomization.yaml

@@ -0,0 +1,33 @@
+---
+# Infrastructure Components Kustomization
+# This handles core cluster infrastructure like networking, storage, etc.
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- gotk-components.yaml
+- gotk-sync.yaml
+- cilium.yaml
+# - ceph-cluster.yaml
+# - rook-ceph.yaml
+- longhorn.yaml
+- pull-secrets.yaml
+- ingress-nginx.yaml
+- metrics-server.yaml
+
+- cert-manager.yaml
+- cluster-issuers.yaml
+- harbor-registry.yaml
+- renovate.yaml
+- opentelemetry-operator.yaml
+- openobserve-collector.yaml
+- openobserve.yaml
+- postgresql.yaml
+- redis.yaml
+- elasticsearch.yaml
+- authentik.yaml
+- cloudflared.yaml
+- tailscale.yaml
+- celery-monitoring.yaml
+
+# Applications are managed by separate Flux Kustomization
+- applications.yaml

manifests/cluster/flux-system/longhorn.yaml

@@ -0,0 +1,17 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: longhorn
+  namespace: flux-system
+spec:
+  interval: 10m0s
+  path: ./manifests/infrastructure/longhorn
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg 

manifests/cluster/flux-system/metrics-server.yaml

@@ -0,0 +1,23 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: metrics-server
+  namespace: flux-system
+spec:
+  interval: 30m
+  retryInterval: 2m
+  timeout: 5m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  path: ./manifests/infrastructure/metrics-server
+  prune: true
+  wait: true
+  dependsOn:
+    - name: cert-manager  # For the production TLS version (when ready)
+  healthChecks:
+    - apiVersion: apps/v1
+      kind: Deployment
+      name: metrics-server
+      namespace: metrics-server-system

manifests/cluster/flux-system/openobserve-collector.yaml

@@ -0,0 +1,19 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: openobserve-collector
+  namespace: flux-system
+spec:
+  interval: 10m
+  path: ./manifests/infrastructure/openobserve-collector
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  dependsOn:
+    - name: opentelemetry-operator
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg 

manifests/cluster/flux-system/openobserve.yaml

@@ -0,0 +1,19 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: openobserve
+  namespace: flux-system
+spec:
+  interval: 10m
+  path: ./manifests/infrastructure/openobserve
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  dependsOn:
+    - name: cert-manager
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg 

manifests/cluster/flux-system/opentelemetry-operator.yaml

@@ -0,0 +1,19 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: opentelemetry-operator
+  namespace: flux-system
+spec:
+  interval: 10m
+  path: ./manifests/infrastructure/opentelemetry-operator
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  dependsOn:
+    - name: cert-manager
+  # Handle large CRDs that exceed annotation limits
+  force: true
+  wait: true
+  timeout: 10m

manifests/cluster/flux-system/postgresql.yaml

@@ -0,0 +1,29 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: infrastructure-postgresql
+  namespace: flux-system
+spec:
+  interval: 10m
+  timeout: 15m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  path: ./manifests/infrastructure/postgresql
+  prune: true
+  wait: true
+  dependsOn:
+  - name: longhorn
+  - name: cilium
+  # Wait for operator to be ready before applying Cluster resources
+  # This ensures CRDs are registered before validation
+  healthChecks:
+  - apiVersion: apps/v1
+    kind: Deployment
+    name: cloudnative-pg
+    namespace: postgresql-system
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg 

manifests/cluster/flux-system/pull-secrets.yaml

@@ -0,0 +1,17 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: pull-secrets
+  namespace: flux-system
+spec:
+  interval: 10m0s
+  path: ./manifests/infrastructure/pull-secrets
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg

manifests/cluster/flux-system/redis.yaml

@@ -0,0 +1,23 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: infrastructure-redis
+  namespace: flux-system
+spec:
+  interval: 10m
+  timeout: 5m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  path: ./manifests/infrastructure/redis
+  prune: true
+  wait: true
+  dependsOn:
+  - name: longhorn
+  - name: cilium
+  - name: cert-manager  # For potential TLS in the future
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg 

manifests/cluster/flux-system/renovate.yaml

@@ -0,0 +1,18 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: renovate
+  namespace: flux-system
+spec:
+  interval: 10m0s
+  path: ./manifests/infrastructure/renovate
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  targetNamespace: renovate
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg

manifests/cluster/flux-system/rook-ceph.yaml

@@ -0,0 +1,12 @@
+# apiVersion: kustomize.toolkit.fluxcd.io/v1
+# kind: Kustomization
+# metadata:
+#   name: rook-ceph
+#   namespace: flux-system
+# spec:
+#   interval: 10m0s
+#   path: ./manifests/infrastructure/rook-ceph
+#   prune: true
+#   sourceRef:
+#     kind: GitRepository
+#     name: flux-system

manifests/cluster/flux-system/tailscale.yaml

@@ -0,0 +1,19 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: tailscale
+  namespace: flux-system
+spec:
+  interval: 10m0s
+  path: ./manifests/infrastructure/tailscale
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  wait: true
+  timeout: 5m
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg