feat: move to flux

Author: muhlba91

.github/workflows/pipeline.yml

@@ -7,56 +7,15 @@ on:
       - main
   workflow_dispatch:
 
-env:
-  HELM_EXPERIMENTAL_OCI: true
-
 jobs:
-  conform:
-    runs-on: ubuntu-latest
-    name: Conform
-
-    steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
-        with:
-          fetch-depth: 0
-
-      - uses: siderolabs/[email protected]
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-
   lint:
     runs-on: ubuntu-latest
-    name: Lint Charts
-    strategy:
-      max-parallel: 12
-      matrix:
-        python-version: ["3.11"]
-        helm-version: ["3.13.0"]
-        yamale-version: ["4.0.4"]
-        directory:
-          - applications
-          - core
-          - home-assistant
-          - infrastructure
-          - library
+    name: Lint
 
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
         with:
           fetch-depth: 0
 
-      - uses: yokawasa/[email protected]
-        with:
-          setup-tools: helm
-          helm: ${{ matrix.helm-version }}
-
-      - uses: actions/setup-python@v4
-        with:
-          python-version: ${{ matrix.python-version }}
-
-      - uses: helm/[email protected]
-        with:
-          yamale_version: ${{ matrix.yamale-version }}
-
-      - name: Lint all charts
-        run: ct lint --all --chart-dirs ${{ matrix.directory }}/charts --config ${{ github.workspace }}/ct.yml
+      - run: |
+          yamllint .

.github/workflows/pr.yml

@@ -4,9 +4,6 @@ name: Pull Request
 on:
   pull_request:
 
-env:
-  HELM_EXPERIMENTAL_OCI: true
-
 jobs:
   conform:
     runs-on: ubuntu-latest
@@ -23,46 +20,12 @@ jobs:
 
   lint:
     runs-on: ubuntu-latest
-    name: Lint Charts
-    strategy:
-      max-parallel: 12
-      matrix:
-        python-version: ["3.11"]
-        helm-version: ["3.13.0"]
-        yamale-version: ["4.0.4"]
-        directory:
-          - applications
-          - core
-          - home-assistant
-          - infrastructure
-          - library
+    name: Lint
 
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
         with:
           fetch-depth: 0
 
-      - uses: yokawasa/[email protected]
-        with:
-          setup-tools: helm
-          helm: ${{ matrix.helm-version }}
-
-      - uses: actions/setup-python@v4
-        with:
-          python-version: ${{ matrix.python-version }}
-
-      - uses: helm/[email protected]
-        with:
-          yamale_version: ${{ matrix.yamale-version }}
-
-      - name: List changed charts
-        id: list-changed
-        run: |
-          changed=$(ct list-changed --chart-dirs ${{ matrix.directory }}/charts --config ${{ github.workspace }}/ct.yml)
-          if [[ -n "$changed" ]]; then
-            echo "changed=true" >> ${GITHUB_OUTPUT}
-          fi
-
-      - name: Lint changed charts
-        if: steps.list-changed.outputs.changed == 'true'
-        run: ct lint --chart-dirs ${{ matrix.directory }}/charts --config ${{ github.workspace }}/ct.yml
+      - run: |
+          yamllint .

.gitignore

@@ -33,3 +33,4 @@ TODO.md
 !**/secret-*.enc.yml
 !**/secret-generator.yaml
 !**/secret-generator.yml
+local.env

.pre-commit-config.yaml

@@ -7,7 +7,7 @@ repos:
         stages:
           - commit-msg
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.4.0
+    rev: v4.5.0
     hooks:
       - id: check-json
       - id: check-merge-conflict
@@ -17,12 +17,12 @@ repos:
       - id: destroyed-symlinks
       - id: detect-aws-credentials
         args: [
-            "--allow-missing-credentials"
+          "--allow-missing-credentials"
         ]
       - id: detect-private-key
       - id: trailing-whitespace
         args: [
-            "--markdown-linebreak-ext=md"
+          "--markdown-linebreak-ext=md"
         ]
 #      - id: no-commit-to-branch
 #        args: [

.sops.yaml

@@ -1,3 +1,4 @@
+---
 creation_rules:
-  - unencrypted_regex: "^(apiVersion|metadata|kind|type)$"
+  - encrypted_regex: ^(data|stringData)$
     gcp_kms: projects/tuxnet-385112/locations/europe/keyRings/infrastructure-encryption/cryptoKeys/infrastructure-encryption

.versionrc.json

@@ -0,0 +1,14 @@
+---
+extends: default
+
+ignore:
+  - secret-*.enc.yml
+
+rules:
+  line-length:
+    max: 300
+  comments:
+    min-spaces-from-content: 1
+  truthy:
+    ignore:
+      - .github/

.yamllint

@@ -1,92 +1,75 @@
 # Homelab: Kubernetes Home Cluster - Applications
 
-[![Build status](https://img.shields.io/github/actions/workflow/status/muhlba91/homelab-kubernetes-home-applications/pipeline.yml?style=for-the-badge)](https://github.com/muhlba91/homelab-kubernetes-home-applications/actions/workflows/pipeline.yml)
-[![License](https://img.shields.io/github/license/muhlba91/homelab-kubernetes-home-applications?style=for-the-badge)](LICENSE.md)
+[![Build status](https://img.shields.io/github/actions/workflow/status/muhlba91/homelab-home-cluster-applications/pipeline.yml?style=for-the-badge)](https://github.com/muhlba91/homelab-home-cluster-applications/actions/workflows/pipeline.yml)
+[![License](https://img.shields.io/github/license/muhlba91/homelab-home-cluster-applications?style=for-the-badge)](LICENSE.md)
 
-This repository contains applications deployed on the `home-cluster` via [ArgoCD](https://argo-cd.readthedocs.io/en/stable/) using [GitOps](https://opengitops.dev).
+This repository contains applications deployed on the `home-cluster` via [Flux](https://fluxcd.io) using [GitOps](https://opengitops.dev).
 
 ---
 
 ## Bootstrapping
 
-A Kubernetes cluster needs to be bootstrapped with the [Cilium CNI](https://cilium.io) and ArgoCD with an `Application` pointing to this repository.
+A Kubernetes cluster needs to be bootstrapped with the [Cilium CNI](https://cilium.io) and Flux pointing to this repository.
 
-For [ksops](https://github.com/viaduct-ai/kustomize-sops) and ArgoCD to decrypt the initial secrets for configuring the [External Secrets Operator](http://external-secrets.io) using [Doppler](http://doppler.com), a [Google Cloud Service Account](https://cloud.google.com/docs/authentication#service-accounts) with access to the correct KMS key needs to be set in the `argocd` namespace. You can check out [`infrastructure/charts/argocd/values.yaml`](infrastructure/charts/argocd/values.yaml) on how this secret is passed to ArgoCD.
+For [ksops](https://github.com/viaduct-ai/kustomize-sops) and ArgoCD to decrypt the initial secrets for configuring the [External Secrets Operator](http://external-secrets.io) using [Doppler](http://doppler.com), a [Google Cloud Service Account](https://cloud.google.com/docs/authentication#service-accounts) with access to the correct KMS key needs to be set in the `flux` namespace.
 
-ArgoCD will then manage Cilium, itself, and all applications as defined in this repository.
+***Attention:*** some applications will be automatically deployed, others not (yet).
 
 ---
 
-## ArgoCD App-of-Apps
+## App-of-Apps
 
-The repository layout follows ArgoCD's [app-of-apps pattern](https://argo-cd.readthedocs.io/en/stable/operator-manual/cluster-bootstrapping/).
+The repository follows the app-of-apps pattern.
 
-The first ArgoCD `Application` being defined needs to reference [`app-of-apps/values.yaml`](app-of-apps/values.yaml) and the environment specific `values-<ENVIRONMENT>.yaml` files.
+The first Flux `Kustomization` being defined needs to reference [`app-of-apps/`](app-of-apps/).
 
-These are bootstrapping the main ArgoCD projects and applications, referring to the respective `<PROJECT>/applications/values[-<ENVIRONMENT>].yaml` files:
+These are bootstrapping the main Flux applications, referring to the respective `<PROJECT>/applications/` kosutomizations:
 
-- [`infrastructure`](#infrastructure): core cluster infrastructure, like Cilium and ArgoCD
-- [`core`](#core-applications): core applications, like [cert-manager](http://cert-manager.io) and [traefik](https://traefik.io)
+- [`infrastructure`](#infrastructure): core cluster infrastructure
+- [`core`](#core-applications): core applications
 - [`applications`](#user-applications): (user) applications running on the cluster/network
 - [`home-assistant`](#home-assistant): [Home Assistant](http://home-assistant.io) related applications
 
-Each of these applications follows the app-of-apps pattern again using subcharts defined in the respective `charts` directory.
-
-### Additional Helm Value Files
-
-In addition to the included `values[-<ENVIRONMENT].yaml` files, ArgoCD `Application`s load additonal Helm value files from an external repository defined with `global.spec.values.repoURL`.
-
-For example, values only defined in the external repository are ingress domains.
-
-## Library Charts
-
-### Applications
-
-To support bootstrapping these app-of-apps `Application`s, the library chart [applications](library/charts/applications) creates the ArgoCD `Project` and `Application` definitions based on the provided values.
+Each of these applications follows the app-of-apps pattern again using sub-kustomizations defined in the respective application directories.
 
 ---
 
 ## Hosted Services
 
 ### Infrastructure
 
-The following applications are defined in [`infrastructure/charts`](infrastructure/charts).
+The following applications are defined in [`infrastructure/`](infrastructure/).
 
-- [x] [ArgoCD](https://argo-cd.readthedocs.io/en/stable/) - Manages the applications deployed on the cluster using GitOps.
 - [x] [Cilium](https://cilium.io) - Provides the cluster CNI.
-- [x] [CSI NFS Driver](https://github.com/kubernetes-csi/csi-driver-nfs/tree/master) - Exposes the NAS' NFS storage as a Kubernetes `StorageClass`.
-- [x] [Descheduler](https://github.com/kubernetes-sigs/descheduler) - Finds pods to be evicted for optimizing node usage.
-- [x] [External Secrets Operator](http://external-secrets.io) - Synchronizes secrets from external stores to Kubernetes `Secret` objects.
+- [ ] [CSI NFS Driver](https://github.com/kubernetes-csi/csi-driver-nfs/tree/master) - Exposes the NAS' NFS storage as a Kubernetes `StorageClass`.
 - [x] [MetalLB](https://metallb.universe.tf) - Provides a Kubernetes network load balancer to expose Kubernetes `Service`s.
 - [x] [Longhorn](https://longhorn.io) - Exposes local storage to Kubernetes `StorageClass`es.
-
-#### Kustomizations
-
-- [x] [External Secrets Stores](infrastructure/kustomizations/external-secrets-stores) - Deploys the required `ClusterSecretStore`s and Doppler [Service Tokens](https://docs.doppler.com/docs/service-tokens) as Kubernetes `Secret`s.
+- [x] [External Secrets Operator](http://external-secrets.io) - Synchronizes secrets from external stores to Kubernetes `Secret` objects.
+  - [x] [External Secrets Stores](infrastructure/external-secrets/) - Deploys the required `ClusterSecretStore`s and Doppler [Service Tokens](https://docs.doppler.com/docs/service-tokens) as Kubernetes `Secret`s.
+- [x] [Traefik](https://traefik.io) - Exposes Kubernetes `Ingress` resources to the "outside world".
 
 ### Core Applications
 
-The following applications are defined in [`core/charts`](core/charts).
+The following applications are defined in [`core/`](core/).
 
 - [x] [cert-manager](https://cert-manager.io) - Certificate management using ACME Let's Encrypt.
 - [x] [External DNS with Google Cloud DNS integration](https://github.com/kubernetes-sigs/external-dns) - Creates DNS records in Google Cloud DNS domains for publicly reachable services.
-- [x] [Traefik](https://traefik.io) - Exposes Kubernetes `Ingress` resources to the "outside world".
 
 ### (User) Applications
 
-The following applications are defined in [`applications/charts`](applications/charts).
+The following applications are defined in [`applications/`](applications/).
 
 - [x] [AdGuard](https://adguard.com/en/adguard-home/overview.html) - DNS server with ad filtering/blocking capabilities.
 - [x] [CoreDNS](https://coredns.io) - DNS resolver for internal, local only, domains.
 - [x] [dnsmasq](https://thekelleys.org.uk/dnsmasq/doc.html) - IPv4 and IPv6 DHCP server.
 - [x] [External DNS with CoreDNS/etcd integration](https://github.com/kubernetes-sigs/external-dns) - Creates DNS records in CoreDNS/etcs for internal, local only, reachable services.
 - [x] External Services - Deploys Kubernetes `Service`s and `Ingress`es to local endpoints, and existing services outside of the cluster.
 - [x] [Grafana](http://grafana.com) - Visualization of metrics, and other data.
-- [x] [MinIO](https://min.io) - Local object storage.
+- [ ] [MinIO](https://min.io) - Local object storage.
 
 ### Home Assistant
 
-The following applications are defined in [`home-assistant/charts`](home-assistant/charts).
+The following applications are defined in [`home-assistant/`](home-assistant/).
 
 - [x] [ecowitt2mqtt](https://github.com/bachya/ecowitt2mqtt) - Forwards data received from ecowitt devices to the MQTT broker.
 - [x] [EMQX](https://www.emqx.io) - A MQTT broker.
@@ -128,5 +111,5 @@ No (cluster-wide) backup and restore has been implemented as of yet.
 
 ## Continuous Integration and Automations
 
-- [GitHub Actions](https://docs.github.com/en/actions) are linting and templating all Helm charts.
-- [Renovate Bot](https://github.com/renovatebot/renovate) is updating Helm (sub)charts and used container images in the `values.yaml` files, and GitHub Actions.
+- [GitHub Actions](https://docs.github.com/en/actions) are linting all YAML files.
+- [Renovate Bot](https://github.com/renovatebot/renovate) is updating Helm releases and used container images in the `values.yaml` files, and GitHub Actions.

README.md

@@ -0,0 +1,64 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: applications
+spec:
+  targetNamespace: flux-system
+  sourceRef:
+    kind: GitRepository
+    name: cluster-applications
+  path: ./applications/
+  dependsOn:
+    - name: infrastructure
+    - name: core
+  interval: 5m
+  retryInterval: 2m
+  timeout: 3m
+  wait: true
+  prune: true
+  force: false
+  patches:
+    - patch: |-
+        apiVersion: source.toolkit.fluxcd.io/v1beta2
+        kind: HelmRepository
+        metadata:
+          name: not-used
+        spec:
+          interval: 10m
+      target:
+        kind: HelmRepository
+    - patch: |-
+        apiVersion: kustomize.toolkit.fluxcd.io/v1
+        kind: Kustomization
+        metadata:
+          name: not-used
+        spec:
+          interval: 10m
+          retryInterval: 2m
+          timeout: 3m
+          prune: true
+          force: false
+      target:
+        kind: Kustomization
+    - patch: |-
+        apiVersion: helm.toolkit.fluxcd.io/v2beta1
+        kind: HelmRelease
+        metadata:
+          name: not-used
+        spec:
+          interval: 10m
+          maxHistory: 3
+          install:
+            createNamespace: true
+            crds: Create
+            remediation:
+              retries: -1
+          upgrade:
+            crds: CreateReplace
+            remediation:
+              retries: -1
+          rollback:
+            recreate: true
+      target:
+        kind: HelmRelease