fix: move cluster path

kubernetes/hegira/apps/cert-manager/cert-manager/app/helmrelease.yaml

@@ -0,0 +1,50 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+  name: cert-manager
+  namespace: cert-manager
+spec:
+  interval: 15m
+  chart:
+    spec:
+      chart: cert-manager
+      version: v1.14.3
+      sourceRef:
+        kind: HelmRepository
+        name: jetstack-charts
+        namespace: flux-system
+      interval: 15m
+  maxHistory: 3
+  install:
+    crds: CreateReplace
+    createNamespace: true
+    remediation: # perform remediation when helm install fails
+      retries: 5
+  upgrade:
+    crds: CreateReplace
+    remediation: # perform remediation when helm upgrade fails
+      retries: 5
+      remediateLastFailure: true # remediate the last failure, when no retries remain
+    cleanupOnFail: true
+  uninstall:
+    keepHistory: false
+
+  values:
+    installCRDs: true
+
+    webhook:
+      enabled: true
+
+    extraArgs:
+      - --dns01-recursive-nameservers=1.1.1.1:53,9.9.9.9:53
+      - --dns01-recursive-nameservers-only
+      - --enable-certificate-owner-ref
+
+    replicaCount: 1
+
+    podDnsPolicy: "None"
+    podDnsConfig:
+      nameservers:
+        - "1.1.1.1"
+        - "9.9.9.9"

kubernetes/hegira/apps/cert-manager/cert-manager/app/kustomization.yaml

@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./helmrelease.yaml
+  - ./prometheusrule.yaml

kubernetes/hegira/apps/cert-manager/cert-manager/app/prometheusrule.yaml

@@ -0,0 +1,59 @@
+
+
+
+
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: cert-manager.rules
+  namespace: cert-manager
+spec:
+  groups:
+    - name: cert-manager
+      rules:
+        - alert: CertManagerAbsent
+          expr: |
+            absent(up{job="cert-manager"})
+          for: 15m
+          labels:
+            severity: critical
+          annotations:
+            description: "New certificates will not be able to be minted, and existing ones can't be renewed until cert-manager is back."
+            runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagerabsent
+            summary: 'Cert Manager has dissapeared from Prometheus service discovery.'
+    - name: certificates
+      rules:
+        - alert: CertManagerCertExpirySoon
+          expr: |
+            avg by (exported_namespace, namespace, name) (
+            certmanager_certificate_expiration_timestamp_seconds - time())
+              < (21 * 24 * 3600)
+          for: 15m
+          labels:
+            severity: warning
+          annotations:
+            description: 'The domain that this cert covers will be unavailable after {{ $value | humanizeDuration }}. Clients using endpoints that this cert protects will start to fail in {{ $value | humanizeDuration }}.'
+            runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagercertexpirysoon
+            summary: 'The cert {{ $labels.name }} is {{ $value | humanizeDuration }} from expiry, it should have renewed over a week ago.'
+        - alert: CertManagerCertNotReady
+          expr: |
+            max by (name, exported_namespace, namespace, condition) (
+            certmanager_certificate_ready_status{condition!="True"} == 1)
+          for: 15m
+          labels:
+            severity: critical
+          annotations:
+            description: 'This certificate has not been ready to serve traffic for at least 10m. If the cert is being renewed or there is another valid cert, the ingress controller _may_ be able to serve that instead.'
+            runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagercertnotready
+            summary: 'The cert {{ $labels.name }} is not ready to serve traffic.'
+        - alert: CertManagerHittingRateLimits
+          expr: |
+            sum by (host) (rate(certmanager_http_acme_client_request_count{status="429"}[5m]))
+              > 0
+          for: 15m
+          labels:
+            severity: critical
+          annotations:
+            description: 'Depending on the rate limit, cert-manager may be unable to generate certificates for up to a week.'
+            runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagerhittingratelimits
+            summary: 'Cert manager hitting LetsEncrypt rate limits.'

kubernetes/hegira/apps/cert-manager/cert-manager/issuers/clusterissuer.yaml

@@ -0,0 +1,48 @@
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-staging
+  namespace: cert-manager
+spec:
+  acme:
+    email: acme@${EXTERNAL_DOMAIN}
+    preferredChain: ""
+    privateKeySecretRef:
+      name: letsencrypt-staging
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    solvers:
+      - selector:
+          dnsZones:
+            - ${EXTERNAL_DOMAIN}
+            - voltaicforge.com
+        dns01:
+          cloudflare:
+            apiTokenSecretRef:
+              key: API_TOKEN
+              name: cloudflare-api-token-secret
+            email: acme@${EXTERNAL_DOMAIN}
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-production
+  namespace: cert-manager
+spec:
+  acme:
+    email: acme@${EXTERNAL_DOMAIN}
+    preferredChain: ""
+    privateKeySecretRef:
+      name: letsencrypt-production
+    server: https://acme-v02.api.letsencrypt.org/directory
+    solvers:
+      - selector:
+          dnsZones:
+            - ${EXTERNAL_DOMAIN}
+            - voltaicforge.com
+        dns01:
+          cloudflare:
+            apiTokenSecretRef:
+              key: API_TOKEN
+              name: cloudflare-api-token-secret
+            email: acme@${EXTERNAL_DOMAIN}

kubernetes/hegira/apps/cert-manager/cert-manager/issuers/deps

@@ -0,0 +1 @@
+cluster-apps-cert-manager

kubernetes/hegira/apps/cert-manager/cert-manager/issuers/externalsecret.yaml

@@ -0,0 +1,33 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+  name: &name cert-manager
+  namespace: cert-manager
+spec:
+  provider:
+    doppler:
+      project: *name
+      config: prd
+      auth:
+        secretRef:
+          dopplerToken:
+            name: doppler-token-auth-api
+            key: dopplerToken
+            namespace: flux-system
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: cloudflare-api-token-secret
+  namespace: cert-manager
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: &name cert-manager
+  target:
+    name: cloudflare-api-token-secret
+  dataFrom:
+    - find:
+        name:
+          regexp: .*

kubernetes/hegira/apps/cert-manager/cert-manager/issuers/kustomization.yaml

@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./clusterissuer.yaml
+  - ./externalsecret.yaml

kubernetes/hegira/apps/cert-manager/cert-manager/ks.yaml

@@ -0,0 +1,36 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: cluster-apps-cert-manager
+  namespace: flux-system
+  labels:
+    substitution.flux.home.arpa/enabled: "true"
+spec:
+  path: "./kubernetes/hegira/apps/cert-manager/cert-manager/app/"
+  prune: true
+  wait: true
+  sourceRef:
+    kind: GitRepository
+    name: home-cluster-kubernetes
+  interval: 30m
+  retryInterval: 1m
+  timeout: 3m
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: cluster-apps-cert-manager-issuers
+  namespace: flux-system
+  labels:
+    substitution.flux.home.arpa/enabled: "true"
+spec:
+  path: "./kubernetes/hegira/apps/cert-manager/cert-manager/issuers/"
+  prune: true
+  wait: true
+  sourceRef:
+    kind: GitRepository
+    name: home-cluster-kubernetes
+  interval: 30m
+  retryInterval: 1m
+  timeout: 3m

kubernetes/hegira/apps/cert-manager/kustomization.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  # Pre Flux-Kustomizations
+  - ./namespace.yaml
+  # Flux-Kustomizations
+  - ./cert-manager/ks.yaml

kubernetes/hegira/apps/cert-manager/namespace.yaml

@@ -0,0 +1,9 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cert-manager
+  labels:
+    kustomize.toolkit.fluxcd.io/prune: disabled
+  annotations:
+    volsync.backube/privileged-movers: "true"

kubernetes/hegira/apps/databases/crunchy-postgres-operator/database/externalsecret.yaml

@@ -0,0 +1,40 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+  name: &name crunchy-postgres
+spec:
+  provider:
+    doppler:
+      project: *name
+      config: prd
+      auth:
+        secretRef:
+          dopplerToken:
+            name: doppler-token-auth-api
+            key: dopplerToken
+            namespace: flux-system
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: &name crunchy-postgres
+  namespace: databases
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: *name
+  target:
+    name: *name
+    creationPolicy: Owner
+    template:
+      engineVersion: v2
+      data:
+        s3.conf: |
+          [global]
+          repo1-s3-key={{ .S3_KEY }}
+          repo1-s3-key-secret={{ .S3_KEY_SECRET }}
+  dataFrom:
+    - find:
+        name:
+          regexp: .*

kubernetes/hegira/apps/databases/crunchy-postgres-operator/database/kustomization.yaml

@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./postgrescluster.yaml
+  - ./externalsecret.yaml