joryirving · joryirving · Jan 16, 2025 · Jan 16, 2025 · Jan 16, 2025
@@ -22,9 +22,6 @@ spec:
     remediation:
       strategy: rollback
       retries: 3
-  dependsOn:
-    - name: nginx-external
-      namespace: network
   values:
     controllers:
       cloudflared:
@@ -99,16 +96,16 @@ spec:
             interval: 1m
             scrapeTimeout: 10s
     persistence:
-      config:
+      config-file:
         type: configMap
         name: cloudflared-configmap
         globalMounts:
           - path: /etc/cloudflared/config/config.yaml
             subPath: config.yaml
             readOnly: true
-      creds:
+      secret-file:
         type: secret
-        name: cloudflared-secret
+        name: cloudflared-tunnel-secret
         globalMounts:
           - path: /etc/cloudflared/creds/credentials.json
             subPath: credentials.json

@@ -9,6 +9,6 @@ resources:
 configMapGenerator:
   - name: cloudflared-configmap
     files:
-      - ./configs/config.yaml
+      - config.yaml=./resources/config.yaml
 generatorOptions:
   disableNameSuffixHash: true
@@ -3,7 +3,7 @@
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
-  name: &name external-dns-secret
+  name: &name external-dns-cloudflare
 spec:
   secretStoreRef:
     kind: ClusterSecretStore

@@ -32,7 +32,7 @@ spec:
       - name: CF_API_TOKEN
         valueFrom:
           secretKeyRef:
-            name: &secret external-dns-secret
+            name: *app
             key: api-token
     extraArgs:
       - --cloudflare-dns-records-per-page=1000
@@ -44,10 +44,10 @@ spec:
     triggerLoopOnEvent: true
     policy: sync
     sources: ["crd", "ingress"]
-    txtOwnerId: main
-    txtPrefix: k8s.main.
+    txtOwnerId: ${CLUSTER}
+    txtPrefix: k8s.${CLUSTER}.
     domainFilters: ["${SECRET_DOMAIN}"]
     serviceMonitor:
       enabled: true
     podAnnotations:
-      secret.reloader.stakater.com/reload: *secret
+      secret.reloader.stakater.com/reload: *app
@@ -3,8 +3,7 @@
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
-  name: nginx-external
-  namespace: &namespace network
+  name: &app external-ingress-nginx
 spec:
   interval: 30m
   chart:
@@ -24,7 +23,7 @@ spec:
       strategy: rollback
       retries: 3
   values:
-    fullnameOverride: nginx-external
+    fullnameOverride: *app
     controller:
       replicaCount: 2
       service:
@@ -44,7 +43,7 @@ spec:
       config:
         allow-snippet-annotations: true
         annotations-risk-level: Critical
-        block-user-agents: "GPTBot,~*GPTBot*,ChatGPT-User,~*ChatGPT-User*,Google-Extended,~*Google-Extended*,CCBot,~*CCBot*,Omgilibot,~*Omgilibot*,FacebookBot,~*FacebookBot*" # taken from https://github.com/superseriousbusiness/gotosocial/blob/main/internal/web/robots.go
+        block-user-agents: "AdsBot-Google,Amazonbot,anthropic-ai,Applebot-Extended,Bytespider,CCBot,ChatGPT-User,ClaudeBot,Claude-Web,cohere-ai,Diffbot,FacebookBot,FriendlyCrawler,Google-Extended,GoogleOther,GPTBot,img2dataset,omgili,omgilibot,peer39_crawler,peer39_crawler/1.0,PerplexityBot,YouBot," # taken from https://github.com/ai-robots-txt/ai.robots.txt
         client-body-buffer-size: 100M
         client-body-timeout: 120
         client-header-timeout: 120
@@ -86,7 +85,7 @@ spec:
           labelSelector:
             matchLabels:
               app.kubernetes.io/name: ingress-nginx
-              app.kubernetes.io/instance: nginx-external
+              app.kubernetes.io/instance: *app
               app.kubernetes.io/component: controller
       resources:
         requests:

@@ -0,0 +1,88 @@
+---
+# yaml-language-server: $schema=https://kube-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app external-cloudflared
+  namespace: flux-system
+spec:
+  targetNamespace: network
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  dependsOn:
+    - name: external-external-dns
+    - name: external-secrets-stores
+  path: ./kubernetes/main/apps/network/external/cloudflared
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  wait: false # no flux ks dependents
+  interval: 30m
+  timeout: 5m
+---
+# yaml-language-server: $schema=https://kube-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app external-echo-server
+  namespace: flux-system
+spec:
+  targetNamespace: network
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  path: ./kubernetes/main/apps/network/external/echo-server
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  wait: false # no flux ks dependents
+  interval: 30m
+  timeout: 5m
+
+---
+# yaml-language-server: $schema=https://kube-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app external-dns-cloudflare
+  namespace: flux-system
+spec:
+  targetNamespace: network
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  dependsOn:
+    - name: external-secrets-stores
+  path: ./kubernetes/main/apps/network/external/external-dns
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  wait: true
+  interval: 30m
+  timeout: 5m
+---
+# yaml-language-server: $schema=https://kube-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app external-ingress-nginx
+  namespace: flux-system
+spec:
+  targetNamespace: network
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  dependsOn:
+    - name: cert-manager-tls
+  path: ./kubernetes/main/apps/network/external/ingress-nginx
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  wait: false # no flux ks dependents
+  interval: 30m
+  timeout: 5m
@@ -37,7 +37,7 @@ spec:
           - name: UNIFI_API_KEY
             valueFrom:
               secretKeyRef:
-                name: &secret external-dns-unifi
+                name: *app
                 key: EXTERNAL_DNS_UNIFI_API_KEY
           # - name: LOG_LEVEL
           #   value: "debug"
@@ -64,4 +64,4 @@ spec:
     serviceMonitor:
       enabled: true
     podAnnotations:
-      secret.reloader.stakater.com/reload: *secret
+      secret.reloader.stakater.com/reload: *app
@@ -3,8 +3,7 @@
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
-  name: nginx-internal
-  namespace: &namespace network
+  name: &app internal-ingress-nginx
 spec:
   interval: 30m
   chart:
@@ -24,7 +23,7 @@ spec:
       strategy: rollback
       retries: 3
   values:
-    fullnameOverride: nginx-internal
+    fullnameOverride: *app
     controller:
       replicaCount: 2
       service:
@@ -45,7 +44,7 @@ spec:
       config:
         allow-snippet-annotations: true
         annotations-risk-level: Critical
-        block-user-agents: "GPTBot,~*GPTBot*,ChatGPT-User,~*ChatGPT-User*,Google-Extended,~*Google-Extended*,CCBot,~*CCBot*,Omgilibot,~*Omgilibot*,FacebookBot,~*FacebookBot*" # taken from https://github.com/superseriousbusiness/gotosocial/blob/main/internal/web/robots.go
+        block-user-agents: "AdsBot-Google,Amazonbot,anthropic-ai,Applebot-Extended,Bytespider,CCBot,ChatGPT-User,ClaudeBot,Claude-Web,cohere-ai,Diffbot,FacebookBot,FriendlyCrawler,Google-Extended,GoogleOther,GPTBot,img2dataset,omgili,omgilibot,peer39_crawler,peer39_crawler/1.0,PerplexityBot,YouBot," # taken from https://github.com/ai-robots-txt/ai.robots.txt
         client-body-buffer-size: 100M
         client-body-timeout: 120
         client-header-timeout: 120
@@ -87,7 +86,7 @@ spec:
           labelSelector:
             matchLabels:
               app.kubernetes.io/name: ingress-nginx
-              app.kubernetes.io/instance: nginx-internal
+              app.kubernetes.io/instance: *app
               app.kubernetes.io/component: controller
       resources:
         requests:

@@ -1,9 +1,10 @@
+
 ---
 # yaml-language-server: $schema=https://kube-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
-  name: &app external-dns-cloudflare
+  name: &app external-dns-unifi
   namespace: flux-system
 spec:
   targetNamespace: network
@@ -12,7 +13,7 @@ spec:
       app.kubernetes.io/name: *app
   dependsOn:
     - name: external-secrets-stores
-  path: ./kubernetes/main/apps/network/external-dns/cloudflare
+  path: ./kubernetes/main/apps/network/internal/external-dns
   prune: true
   sourceRef:
     kind: GitRepository
@@ -25,20 +26,20 @@ spec:
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
-  name: &app external-dns-unifi
+  name: &app internal-ingress-nginx
   namespace: flux-system
 spec:
   targetNamespace: network
   commonMetadata:
     labels:
       app.kubernetes.io/name: *app
   dependsOn:
-    - name: external-secrets-stores
-  path: ./kubernetes/main/apps/network/external-dns/unifi
+    - name: cert-manager-tls
+  path: ./kubernetes/main/apps/network/internal/ingress-nginx
   prune: true
   sourceRef:
     kind: GitRepository
     name: flux-system
-  wait: true
+  wait: false # no flux ks dependents
   interval: 30m
   timeout: 5m
@@ -7,10 +7,8 @@ resources:
   - ./namespace.yaml
   - ../../../shared/templates/alerts
   # Flux-Kustomizations
-  - ./cloudflared/ks.yaml
-  - ./echo-server/ks.yaml
-  - ./external-dns/ks.yaml
-  - ./nginx/ks.yaml
+  - ./external/ks.yaml
+  - ./internal/ks.yaml
 transformers:
   - |-
     apiVersion: builtin