Add clusterissuer to flux

infra/controllers/cert-manager.yaml

@@ -0,0 +1,34 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cert-manager
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: cert-manager
+  namespace: cert-manager
+spec:
+  interval: 24h
+  url: https://charts.jetstack.io
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: cert-manager
+  namespace: cert-manager
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: cert-manager
+      version: 1.17.0
+      sourceRef:
+        kind: HelmRepository
+        name: cert-manager
+        namespace: cert-manager
+      interval: 12h
+  values:
+    crds:
+      enabled: true

infra/controllers/dns-public.yaml

@@ -0,0 +1,192 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: coredns-external
+  namespace: kube-system
+data:
+  Corefile: |-
+    lb.homelab.lumpiasty.xyz.:53 {
+        view externalv4 {
+            expr type() in ['A'] 
+            expr not hasSuffix(name(), '.in-addr.arpa.')
+        }
+        log . {
+            class all
+        }
+        template IN A {
+          answer "{{ .Name }} 60 IN A 139.28.40.212"
+        }
+    }
+    .:53 {
+        # Filter out anything IPv4 related
+        view external {
+            expr type() in ['AAAA', 'SRV', 'PTR'] 
+            expr not hasSuffix(name(), '.in-addr.arpa.')
+        }
+        errors
+        health {
+            lameduck 5s
+        }
+        ready
+        log . {
+            class error
+        }
+        # Exposes kubernetes domain names under homelab.lumpiasty.xyz
+        # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/
+        kubernetes homelab.lumpiasty.xyz ip6.arpa {
+            pods insecure
+            endpoint_pod_names
+            ttl 30
+        }
+        # Exposes loadbalancer domain names under lb.homelab.lumpiasty.xyz
+        k8s_external lb.homelab.lumpiasty.xyz {
+            ttl 30
+        }
+        # Cache results to reduce stress on apiserver
+        cache 30 {
+            disable success homelab.lumpiasty.xyz
+            disable denial homelab.lumpiasty.xyz
+        }
+        reload
+        loadbalance
+    }
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    k8s-app: kube-dns-external
+    kubernetes.io/name: CoreDNS
+  name: coredns-external
+  namespace: kube-system
+spec:
+  progressDeadlineSeconds: 600
+  replicas: 1
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      k8s-app: kube-dns-external
+  strategy:
+    rollingUpdate:
+      maxSurge: 25%
+      maxUnavailable: 1
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        k8s-app: kube-dns-external
+    spec:
+      subdomain: kube-dns-external
+      affinity:
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+            - podAffinityTerm:
+                labelSelector:
+                  matchExpressions:
+                    - key: k8s-app
+                      operator: In
+                      values:
+                        - kube-dns
+                topologyKey: kubernetes.io/hostname
+              weight: 100
+      containers:
+        - args:
+            - -conf
+            - /etc/coredns/Corefile
+          env:
+            - name: GOMEMLIMIT
+              value: 161MiB
+          image: registry.k8s.io/coredns/coredns:v1.12.0
+          imagePullPolicy: IfNotPresent
+          livenessProbe:
+            failureThreshold: 5
+            httpGet:
+              path: /health
+              port: 8080
+              scheme: HTTP
+            initialDelaySeconds: 60
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 5
+          name: coredns
+          ports:
+            - containerPort: 53
+              name: dns
+              protocol: UDP
+            - containerPort: 53
+              name: dns-tcp
+              protocol: TCP
+            - containerPort: 9153
+              name: metrics
+              protocol: TCP
+          readinessProbe:
+            failureThreshold: 3
+            httpGet:
+              path: /ready
+              port: 8181
+              scheme: HTTP
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 1
+          resources:
+            limits:
+              memory: 170Mi
+            requests:
+              cpu: 0
+              memory: 70Mi
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              add:
+                - NET_BIND_SERVICE
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+          volumeMounts:
+            - mountPath: /etc/coredns
+              name: config-volume
+              readOnly: true
+      dnsPolicy: Default
+      nodeSelector:
+        kubernetes.io/os: linux
+      priorityClassName: system-cluster-critical
+      restartPolicy: Always
+      schedulerName: default-scheduler
+      serviceAccount: coredns
+      tolerations:
+        - effect: NoSchedule
+          key: node-role.kubernetes.io/control-plane
+          operator: Exists
+        - effect: NoSchedule
+          key: node.cloudprovider.kubernetes.io/uninitialized
+          operator: Exists
+      volumes:
+        - configMap:
+            defaultMode: 420
+            items:
+              - key: Corefile
+                path: Corefile
+            name: coredns-external
+          name: config-volume
+---
+apiVersion: v1
+kind: Service
+metadata:
+  namespace: kube-system
+  name: kube-dns-external
+spec:
+  type: LoadBalancer
+  externalTrafficPolicy: Local
+  ipFamilyPolicy: RequireDualStack
+  selector:
+    k8s-app: kube-dns-external
+  ports:
+    - name: dns
+      port: 53
+      targetPort: 53
+      protocol: UDP
+    - name: dns-tcp
+      port: 53
+      targetPort: 53
+      protocol: TCP

infra/controllers/nginx.yaml

@@ -0,0 +1,56 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: nginx-ingress-controller
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: nginx
+  namespace: nginx-ingress-controller
+spec:
+  interval: 24h
+  url: https://helm.nginx.com/stable
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: nginx-ingress
+  namespace: nginx-ingress-controller
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: nginx-ingress
+      version: 2.0.1
+      sourceRef:
+        kind: HelmRepository
+        name: nginx
+        namespace: nginx-ingress-controller
+      interval: 12h
+  values:
+    controller:
+      resources:
+        requests:
+          cpu: 0
+          memory: 128Mi
+        limits:
+          cpu: 100m
+          memory: 128Mi
+
+      ingressClass:
+        create: true
+        setAsDefaultIngress: true
+
+      service:
+        create: true
+        type: LoadBalancer
+        # Requirement for sharing ip with other service
+        externalTrafficPolicy: Cluster
+        ipFamilyPolicy: RequireDualStack
+        annotations:
+          # Share IP with gitea ssh so we can have the same domain for both port
+          lbipam.cilium.io/sharing-key: gitea
+          lbipam.cilium.io/sharing-cross-namespace: gitea
+          lbipam.cilium.io/ips: 10.44.0.0,2001:470:61a3:400::1