fluxcd : adding repo example with some apps

fluxcd/repo/apps/base/http-broadcaster/app/hr-http-broadcaster.yaml

@@ -0,0 +1,122 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: http-broadcaster
+spec:
+  chart:
+    spec:
+      chart: myChart
+      reconcileStrategy: ChartVersion
+      version: "2.x.x"
+      sourceRef:
+        kind: HelmRepository
+        name: myChart
+        namespace: infrastructure
+  interval: 10m0s
+  values:
+    environment:
+    fullnameOverride: "http-broadcaster"
+
+    app:
+      name: "app"
+
+      image:
+        repository: gitlabregistry.example.com/infrastructure/http-broadcaster
+        pullPolicy: IfNotPresent
+        tag:
+
+      labels:
+        technology: "go"
+        role: "api"
+
+      resources:
+        requests:
+          memory: 64Mi
+          cpu: 200m
+        limits:
+          memory: 64Mi
+          cpu: 400m
+
+      containerPort:
+        broadcaster: 6081
+
+      readinessProbe:
+        exec:
+          command:
+            - curl
+            - -f
+            - -L
+            - -m
+            - "5"
+            - "127.0.0.1:6081/healthcheck"
+
+      livenessProbe:
+        exec:
+          command:
+            - curl
+            - -f
+            - -L
+            - -m
+            - "5"
+            - "127.0.0.1:6081/healthcheck"
+
+      command:
+        - "/bin/sh"
+        - "-c"
+        - "[ -f /vault/secrets/.env ] && http-broadcaster --metrics"
+
+      lifecycle: {}
+
+      securityContext:
+        capabilities:
+          drop:
+            - ALL
+        allowPrivilegeEscalation: false
+        runAsNonRoot: true
+        runAsUser: 1000
+        seccompProfile:
+          type: RuntimeDefault
+
+    # Generic sidecars
+    nginx:
+      enabled: false
+
+    fpmExporter:
+      enabled: false
+
+    elasticAgent:
+      enabled: false
+
+    logrotate:
+      enabled: false
+
+    imagePullSecrets:
+      - name: registry-credentials
+
+    vault:
+      enabled: true
+
+    serviceAccount:
+      create: true
+
+    service:
+      extraPorts:
+        - name: web
+          port: 6081
+          targetPort: 6081
+
+    ingress:
+      enabled: true
+      autoIngress:
+        enabled: true
+        path: "/"
+        port: 6081
+
+    replicaCount: 2
+
+    autoscaling:
+      enabled: false
+      minReplicas: 1
+      maxReplicas: 1
+      targetCPUUtilizationPercentage: 40

fluxcd/repo/apps/base/http-broadcaster/app/kustomization.yaml

@@ -0,0 +1,6 @@
+---
+
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - hr-http-broadcaster.yaml

fluxcd/repo/apps/base/k6-operator/hr-k6-operator.yaml

@@ -0,0 +1,59 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: k6-operator
+spec:
+  chart:
+    spec:
+      # https://github.com/grafana/k6-operator/blob/main/charts/k6-operator/values.yaml
+      chart: k6-operator
+      reconcileStrategy: ChartVersion
+      version: "3.x.x"
+      sourceRef:
+        kind: HelmRepository
+        name: grafana
+        namespace: infrastructure
+  interval: 10m0s
+
+  values:
+    fullnameOverride: "k6-operator"
+    customLabels:
+      team: "infrastructure"
+
+    manager:
+      replicas: 1
+      serviceAccount:
+        name: "k6-operator-controller"
+        create: true
+      image:
+        registry: ghcr.io
+        repository: grafana/k6-operator
+        tag: controller-v0.0.19
+        pullPolicy: IfNotPresent
+
+      livenessProbe: {}
+      readinessProbe: {}
+
+      resources:
+        limits:
+          cpu: 100m
+          memory: 100Mi
+        requests:
+          cpu: 100m
+          memory: 100Mi
+      env:
+        # Indique que seul le namespace infrastructure est surveille.
+        - name: WATCH_NAMESPACE
+          value: 'infrastructure'
+
+    authProxy:
+      # Disable/Enable authentication on metric endpoint
+      enabled: false
+
+    installCRDs: true
+    namespace:
+      create: false
+
+    prometheus:
+      enabled: false

fluxcd/repo/apps/base/k6-operator/kustomization.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - hr-k6-operator.yaml

fluxcd/repo/apps/production/kustomization.yaml

@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - remote
+  - system

fluxcd/repo/apps/production/system/http-broadcaster/app/hr-http-broadcaster.yaml

@@ -0,0 +1,31 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: http-broadcaster
+spec:
+  chart:
+    spec:
+      chart: myChart
+      reconcileStrategy: ChartVersion
+      version: "2.x.x"
+      sourceRef:
+        kind: HelmRepository
+        name: myChart
+        namespace: infrastructure
+  interval: 10m0s
+  values:
+    environment: "prd"
+    app:
+      image:
+        tag: 2.1.5 # {"$imagepolicy": "system:http-broadcaster:tag"}
+    autoscaling:
+      enabled: false
+    vault:
+      path: "app/data/http-broadcaster/prd/envVars"
+    ingress:
+      autoIngress:
+        host: "purgatory.example.com"
+    metrics:
+      enabled: true
+      serviceMonitor:
+        enabled: true

fluxcd/repo/apps/production/system/http-broadcaster/app/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../../../../base/http-broadcaster/app
+patches:
+  - path: hr-http-broadcaster.yaml

fluxcd/repo/apps/production/system/http-broadcaster/automations/iua-http-broadcaster.yaml

@@ -0,0 +1,28 @@
+---
+
+apiVersion: image.toolkit.fluxcd.io/v1beta2
+kind: ImageUpdateAutomation
+metadata:
+  name: http-broadcaster
+  labels:
+    team: system
+spec:
+  git:
+    checkout:
+      ref:
+        branch: main
+    commit:
+      author:
+        email: fluxcdbot@example.com
+        name: fluxcdbot
+      messageTemplate: 'deps(apps/production): {{ .AutomationObject }} ImageUpdateAutomation'
+    push:
+      branch: main
+  interval: 3m0s
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+    namespace: flux-system
+  update:
+    path: ./apps/production/system/http-broadcaster
+    strategy: Setters

fluxcd/repo/apps/production/system/http-broadcaster/automations/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - iua-http-broadcaster.yaml
+  - policy-http-broadcaster.yaml
+  - registry-http-broadcaster.yaml

fluxcd/repo/apps/production/system/http-broadcaster/automations/policy-http-broadcaster.yaml

@@ -0,0 +1,15 @@
+apiVersion: image.toolkit.fluxcd.io/v1beta1
+kind: ImagePolicy
+metadata:
+  name: http-broadcaster
+  labels:
+    team: system
+spec:
+  imageRepositoryRef:
+    name: http-broadcaster
+  filterTags:
+    pattern: '^v?(?P<rv>[0-9]+\.[0-9]+\.[0-9]+)$'
+    extract: '$rv'
+  policy:
+    semver:
+      range: '^2.x.x-0'

fluxcd/repo/apps/production/system/http-broadcaster/automations/registry-http-broadcaster.yaml

@@ -0,0 +1,13 @@
+apiVersion: image.toolkit.fluxcd.io/v1beta1
+kind: ImageRepository
+metadata:
+  name: http-broadcaster
+  labels:
+    team: system
+spec:
+  secretRef:
+    name: registry-credentials
+  image: gitlabregistry.example.com/infrastructure/http-broadcaster
+  interval: 5m0s
+  exclusionList:
+    - "_dev$"

fluxcd/repo/apps/production/system/http-broadcaster/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: system
+resources:
+  - app
+  - automations

fluxcd/repo/apps/production/system/kustomization.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - http-broadcaster

fluxcd/repo/apps/staging/infrastructure/kustomization.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../../k6-operator

fluxcd/repo/apps/staging/kustomization.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - remote
+  - system
+  - infrastructure

fluxcd/repo/apps/staging/system/http-broadcaster/app/hr-http-broadcaster.yaml

@@ -0,0 +1,37 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: http-broadcaster
+spec:
+  chart:
+    spec:
+      chart: myChart
+      reconcileStrategy: ChartVersion
+      version: "2.x.x"
+      sourceRef:
+        kind: HelmRepository
+        name: myChart
+        namespace: infrastructure
+  interval: 10m0s
+  values:
+    environment: "stg"
+    app:
+      image:
+        tag: 2.2.0-rc.1 # {"$imagepolicy": "system:http-broadcaster:tag"}
+    autoscaling:
+      enabled: false
+    vault:
+      path: "app/data/http-broadcaster/stg/envVars"
+    # Test to verify that Traefik is not rejecting requests for being
+    # outside limit size.
+    ingress:
+      middlewares:
+        buffering:
+          enabled: false
+      autoIngress:
+        host: "purgatory.stg.example.com"
+    # Telling the chart that we want the service to be scrape.
+    metrics:
+      enabled: true
+      serviceMonitor:
+        enabled: true

fluxcd/repo/apps/staging/system/http-broadcaster/app/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../../../../base/http-broadcaster/app
+patches:
+  - path: hr-http-broadcaster.yaml

fluxcd/repo/apps/staging/system/http-broadcaster/automations/iua-http-broadcaster.yaml

@@ -0,0 +1,28 @@
+---
+
+apiVersion: image.toolkit.fluxcd.io/v1beta2
+kind: ImageUpdateAutomation
+metadata:
+  name: http-broadcaster
+  labels:
+    team: system
+spec:
+  git:
+    checkout:
+      ref:
+        branch: main
+    commit:
+      author:
+        email: fluxcdbot@example.com
+        name: fluxcdbot
+      messageTemplate: 'deps(apps/staging): {{ .AutomationObject }} ImageUpdateAutomation'
+    push:
+      branch: main
+  interval: 3m0s
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+    namespace: flux-system
+  update:
+    path: ./apps/staging/system/http-broadcaster
+    strategy: Setters

fluxcd/repo/apps/staging/system/http-broadcaster/automations/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - iua-http-broadcaster.yaml
+  - policy-http-broadcaster.yaml
+  - registry-http-broadcaster.yaml
+  - receiver-http-broadcaster.yaml

fluxcd/repo/apps/staging/system/http-broadcaster/automations/policy-http-broadcaster.yaml

@@ -0,0 +1,15 @@
+apiVersion: image.toolkit.fluxcd.io/v1beta1
+kind: ImagePolicy
+metadata:
+  name: http-broadcaster
+  labels:
+    team: system
+spec:
+  imageRepositoryRef:
+    name: http-broadcaster
+  filterTags:
+    pattern: '^v?(?P<rv>[0-9]+\.[0-9]+\.[0-9]+-(?:alpha|beta|rc)\.[0-9]+)$'
+    extract: '$rv'
+  policy:
+    semver:
+      range: '^2.x.x-0'

fluxcd/repo/apps/staging/system/http-broadcaster/automations/receiver-http-broadcaster.yaml

@@ -0,0 +1,15 @@
+apiVersion: notification.toolkit.fluxcd.io/v1
+kind: Receiver
+metadata:
+  name: http-broadcaster-app
+spec:
+  type: generic
+  secretRef:
+    name: webhook-receiver-token
+  resources:
+    - apiVersion: image.toolkit.fluxcd.io/v1beta1
+      kind: ImageRepository
+      name: http-broadcaster-app
+    - apiVersion: image.toolkit.fluxcd.io/v1beta2
+      kind: ImageUpdateAutomation
+      name: http-broadcaster

fluxcd/repo/apps/staging/system/http-broadcaster/automations/registry-http-broadcaster.yaml

@@ -0,0 +1,13 @@
+apiVersion: image.toolkit.fluxcd.io/v1beta1
+kind: ImageRepository
+metadata:
+  name: http-broadcaster
+  labels:
+    team: system
+spec:
+  secretRef:
+    name: registry-credentials
+  image: gitlabregistry.example.com/infrastructure/http-broadcaster
+  interval: 5m0s
+  exclusionList:
+    - "_dev$"

fluxcd/repo/apps/staging/system/http-broadcaster/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: system
+resources:
+  - app
+  - automations

fluxcd/repo/apps/staging/system/kustomization.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - http-broadcaster

fluxcd/repo/clusters/cluster1-prd/dependencies.yaml

@@ -0,0 +1,44 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: namespaces
+  namespace: flux-system
+spec:
+  interval: 1m0s
+  path: ./infrastructure/base/namespaces
+  prune: false # Prevent resources from being deleted when it is removed from the yaml file
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: infrastructure
+  namespace: flux-system
+spec:
+  interval: 1m0s
+  path: ./infrastructure/production
+  prune: true
+  wait: true
+  timeout: 3m0s
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: apps
+  namespace: flux-system
+spec:
+  interval: 5m0s
+  dependsOn:
+    - name: infrastructure
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  path: ./apps/production
+  prune: true
+  wait: true

fluxcd/repo/clusters/cluster1-prd/flux-system/gotk-sync.yaml

@@ -0,0 +1,27 @@
+# This manifest was generated by flux. DO NOT EDIT.
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: GitRepository
+metadata:
+  name: flux-system
+  namespace: flux-system
+spec:
+  interval: 1m0s
+  ref:
+    branch: main
+  secretRef:
+    name: flux-system
+  url:
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: flux-system
+  namespace: flux-system
+spec:
+  interval: 10m0s
+  path: ./clusters/cluster1-prd
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system

fluxcd/repo/clusters/cluster1-prd/flux-system/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- gotk-components.yaml
+- gotk-sync.yaml

fluxcd/repo/infrastructure/base/external-secrets/core/hr-external-secrets.yaml

@@ -0,0 +1,117 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: external-secrets
+spec:
+  chart:
+    spec:
+      chart: external-secrets
+      reconcileStrategy: ChartVersion
+      version: "0.14.x"
+      sourceRef:
+        kind: HelmRepository
+        name: external-secrets-operator
+        namespace: infrastructure
+  interval: 10m0s
+  values:
+    replicaCount: 3
+    affinity: {}
+
+    installCRDs: true
+
+    crds:
+      createClusterExternalSecret: true
+      createClusterSecretStore: true
+      createPushSecret: true
+
+    leaderElect: true
+    concurrent: 3
+
+    serviceAccount:
+      create: true
+      automount: true
+
+    rbac:
+      create: true
+
+    resources:
+      requests:
+        cpu: 10m
+        memory: 32Mi
+
+    serviceMonitor:
+      enabled: false
+      interval: 30s
+      scrapeTimeout: 25s
+
+    metrics:
+      service:
+        enabled: false
+
+    podDisruptionBudget:
+      enabled: true
+      minAvailable: 1
+      # maxUnavailable: 1
+
+    webhook:
+      create: true
+      replicaCount: 1
+      rbac:
+        create: true
+      serviceAccount:
+        create: true
+        automount: true
+
+      podDisruptionBudget:
+        enabled: true
+        minAvailable: 1
+        # maxUnavailable: 1
+
+      serviceMonitor:
+        enabled: false
+        interval: 30s
+        scrapeTimeout: 25s
+
+      metrics:
+        service:
+          enabled: false
+
+      resources:
+        requests:
+          cpu: 10m
+          memory: 32Mi
+
+      affinity: {}
+
+    certController:
+      create: true
+      requeueInterval: "5m"
+      replicaCount: 1
+
+      rbac:
+        create: true
+      serviceAccount:
+        create: true
+        automount: true
+
+      podDisruptionBudget:
+        enabled: true
+        minAvailable: 1
+        # maxUnavailable: 1
+
+      serviceMonitor:
+        enabled: false
+        interval: 30s
+        scrapeTimeout: 25s
+
+      metrics:
+        service:
+          enabled: false
+
+      resources:
+        requests:
+          cpu: 10m
+          memory: 32Mi
+
+      affinity: {}

fluxcd/repo/infrastructure/base/external-secrets/core/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: infrastructure
+resources:
+- hr-external-secrets.yaml

fluxcd/repo/infrastructure/base/external-secrets/dependencies.yaml

@@ -0,0 +1,29 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: inf-external-secrets-core
+  namespace: flux-system
+spec:
+  interval: 5m
+  path: ./infrastructure/base/external-secrets/core
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+    namespace: flux-system
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: inf-external-secrets-resources
+  namespace: flux-system
+spec:
+  dependsOn:
+    - name: inf-external-secrets-core
+  interval: 5m
+  path: ./infrastructure/base/external-secrets/resources
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+    namespace: flux-system

fluxcd/repo/infrastructure/base/external-secrets/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- dependencies.yaml

fluxcd/repo/infrastructure/base/external-secrets/resources/kustomization.yaml

@@ -0,0 +1,9 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: infrastructure
+resources:
+    - vault-secret-store.yaml
+    - vault-secret-store-app.yaml
+    - registry-credentials.yaml
+    - longhorn-s3-backup-secret.yaml

fluxcd/repo/infrastructure/base/external-secrets/resources/longhorn-s3-backup-secret.yaml

@@ -0,0 +1,24 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterExternalSecret
+metadata:
+  name: longhorn-s3-backup-secret
+spec:
+  externalSecretName: "longhorn-s3-backup-secret"
+  refreshTime: "1h"
+  namespaceSelector:
+    matchExpressions:
+      - key: kubernetes.io/metadata.name
+        operator: In
+        values:
+          - infrastructure
+  externalSecretSpec:
+    secretStoreRef:
+      name: vault-secret-store
+      kind: ClusterSecretStore
+    refreshInterval: "72h"
+    target:
+      name: longhorn-s3-backup-secret
+      deletionPolicy: Retain
+    dataFrom:
+      - extract:
+          key: kubernetes-secrets/longhorn/s3-backup-secret

fluxcd/repo/infrastructure/base/external-secrets/resources/registry-credentials.yaml

@@ -0,0 +1,31 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterExternalSecret
+metadata:
+  name: registry-credentials
+spec:
+  externalSecretName: "registry-credentials"
+  refreshTime: "1h"
+  namespaceSelector:
+    matchExpressions:
+      - key: kubernetes.io/metadata.name
+        operator: In
+        values:
+          - system
+          - flux-system
+          - namespace1
+  externalSecretSpec:
+    secretStoreRef:
+      name: vault-secret-store
+      kind: ClusterSecretStore
+    refreshInterval: "1h"
+    target:
+      name: registry-credentials
+      deletionPolicy: Retain
+      template:
+        type: kubernetes.io/dockerconfigjson
+        data:
+          .dockerconfigjson: "{{ .auths }}"
+    data:
+      - secretKey: auths
+        remoteRef:
+          key: kubernetes-secrets/registry-credentials

fluxcd/repo/infrastructure/base/external-secrets/resources/vault-secret-store-app.yaml

@@ -0,0 +1,18 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+  name: vault-secret-store-app
+spec:
+  provider:
+    vault:
+      server: "https://vault.example.com"
+      path: "app"
+      version: "v2"
+      auth:
+        appRole:
+          path: "approle"
+          roleId: "" # k8s-external-secrets
+          secretRef:
+            name: "vault-k8s-external-secrets"
+            namespace: infrastructure
+            key: "secret-id"

fluxcd/repo/infrastructure/base/external-secrets/resources/vault-secret-store.yaml

@@ -0,0 +1,18 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+  name: vault-secret-store
+spec:
+  provider:
+    vault:
+      server: "https://vault.example.com"
+      path: "kubernetes-secrets"
+      version: "v2"
+      auth:
+        appRole:
+          path: "approle"
+          roleId: ""
+          secretRef:
+            name: "vault-k8s-external-secrets"
+            namespace: infrastructure
+            key: "secret-id"

fluxcd/repo/infrastructure/base/gatekeeper/core/hr-gatekeeper.yaml

@@ -0,0 +1,27 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: gatekeeper
+  namespace: gatekeeper
+spec:
+  chart:
+    spec:
+      chart: gatekeeper
+      reconcileStrategy: ChartVersion
+      version: "3.13.x"
+      sourceRef:
+        kind: HelmRepository
+        name: gatekeeper
+        namespace: infrastructure
+  interval: 10m0s
+  values:
+    replicas: 1
+    enableTLSHealthcheck: true
+    logDenies: true
+    logMutations: true
+    controllerManager:
+      exemptNamespaces: ["infrastructure"]
+    postInstall:
+      labelNamespace:
+        enabled: false

fluxcd/repo/infrastructure/base/gatekeeper/core/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - hr-gatekeeper.yaml

fluxcd/repo/infrastructure/base/gatekeeper/dependencies.yaml

@@ -0,0 +1,29 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: inf-gatekeeper-core
+  namespace: gatekeeper
+spec:
+  interval: 5m
+  path: ./infrastructure/base/gatekeeper/core
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+    namespace: flux-system
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: inf-gatekeeper-resources
+  namespace: gatekeeper
+spec:
+  dependsOn:
+    - name: inf-gatekeeper-core
+  interval: 5m
+  path: ./infrastructure/base/gatekeeper/resources
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+    namespace: flux-system

fluxcd/repo/infrastructure/base/gatekeeper/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: gatekeeper
+resources:
+  - dependencies.yaml

fluxcd/repo/infrastructure/base/gatekeeper/resources/affinity-datascience.yaml

@@ -0,0 +1,47 @@
+apiVersion: mutations.gatekeeper.sh/v1
+kind: Assign
+metadata:
+  name: affinity-datascience
+spec:
+  applyTo:
+  - groups:
+    - ""
+    kinds:
+    - Pod
+    versions:
+    - v1
+  location: spec.affinity
+  match:
+    kinds:
+    - apiGroups:
+      - '*'
+      kinds:
+      - Pod
+    labelSelector:
+      matchExpressions:
+      - key: app.kubernetes.io/name
+        operator: In
+        values:
+        - disigas
+        - dilre
+        - difunds
+        - dicaplink
+        - dimatchdom
+        - dimatchname
+        - discoring
+        - dijal
+        - procol
+    namespaces:
+    - privateapi
+    scope: Namespaced
+  parameters:
+    assign:
+      value:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+              - key: InstanceUsage
+                operator: In
+                values:
+                - datascience

fluxcd/repo/infrastructure/base/gatekeeper/resources/block-latest-tags.yaml

@@ -0,0 +1,23 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: DisallowedTags
+metadata:
+  name: block-latest-tags
+spec:
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Pod"]
+    namespaces:
+    - data-entry-management
+    - diffusion
+    - digital-marketing
+    - privateapi
+    - produits
+    - smartexchange
+    - vidocq
+    - flux-system
+    - infrastructure
+    scope: Namespaced
+  parameters:
+    tags: ["latest"]
+    exemptImages: []

fluxcd/repo/infrastructure/base/gatekeeper/resources/disallowed-tags.yaml

@@ -0,0 +1,80 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+  name: disallowedtags
+spec:
+  crd:
+    spec:
+      names:
+        kind: DisallowedTags
+      validation:
+        openAPIV3Schema:
+          type: object
+          properties:
+            exemptImages:
+              description: >-
+                Any container that uses an image that matches an entry in this list will be excluded
+                from enforcement. Prefix-matching can be signified with `*`. For example: `my-image-*`.
+                It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name)
+                in order to avoid unexpectedly exempting images from an untrusted repository.
+              type: array
+              items:
+                type: string
+            tags:
+              type: array
+              description: Disallowed container image tags.
+              items:
+                type: string
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      rego: |
+        package k8sdisallowedtags
+
+        import data.lib.exempt_container.is_exempt
+
+        violation[{"msg": msg}] {
+            container := input_containers[_]
+            not is_exempt(container)
+            tags := [forbid | tag = input.parameters.tags[_] ; forbid = endswith(container.image, concat(":", ["", tag]))]
+            any(tags)
+            msg := sprintf("container <%v> uses a disallowed tag <%v>; disallowed tags are %v", [container.name, container.image, input.parameters.tags])
+        }
+
+        violation[{"msg": msg}] {
+            container := input_containers[_]
+            not is_exempt(container)
+            tag := [contains(container.image, ":")]
+            not all(tag)
+            msg := sprintf("container <%v> didn't specify an image tag <%v>", [container.name, container.image])
+        }
+
+        input_containers[c] {
+            c := input.review.object.spec.containers[_]
+        }
+        input_containers[c] {
+            c := input.review.object.spec.initContainers[_]
+        }
+        input_containers[c] {
+            c := input.review.object.spec.ephemeralContainers[_]
+        }
+      libs:
+        - |
+          package lib.exempt_container
+
+          is_exempt(container) {
+              exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", [])
+              img := container.image
+              exemption := exempt_images[_]
+              _matches_exemption(img, exemption)
+          }
+
+          _matches_exemption(img, exemption) {
+              not endswith(exemption, "*")
+              exemption == img
+          }
+
+          _matches_exemption(img, exemption) {
+              endswith(exemption, "*")
+              prefix := trim_suffix(exemption, "*")
+              startswith(img, prefix)
+          }

fluxcd/repo/infrastructure/base/gatekeeper/resources/gatekeeper-podmonitor.yaml

@@ -0,0 +1,16 @@
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  name: gatekeeper
+spec:
+  namespaceSelector:
+    matchNames:
+      - gatekeeper
+  selector:
+    matchExpressions:
+      - key: app
+        operator: In
+        values:
+          - gatekeeper
+  podMetricsEndpoints:
+    - port: metrics

fluxcd/repo/infrastructure/base/gatekeeper/resources/kustomization.yaml

@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: infrastructure
+resources:
+  - affinity-datascience.yaml
+  - block-latest-tags.yaml
+  - disallowed-tags.yaml
+  - ndots-dns.yaml
+  - toleration-datasience.yaml
+  - gatekeeper-podmonitor.yaml

fluxcd/repo/infrastructure/base/gatekeeper/resources/ndots-dns.yaml

@@ -0,0 +1,38 @@
+apiVersion: mutations.gatekeeper.sh/v1
+kind: Assign
+metadata:
+  name: ndots-dns
+spec:
+  applyTo:
+    - groups:
+        - ""
+      kinds:
+        - Pod
+      versions:
+        - v1
+  location: spec.dnsConfig
+  match:
+    kinds:
+      - apiGroups:
+          - '*'
+        kinds:
+          - Pod
+    namespaces:
+      - data-entry-management
+      - diffusion
+      - digital-marketing
+      - privateapi
+      - produits
+      - vidocq
+      - smartexchange
+      - identite-solvabilite
+      - alertes
+      - flux-system
+    scope: Namespaced
+  parameters:
+    assign:
+      value:
+        options:
+          - name: ndots
+            value: "1"
+          - name: no-aaaa

fluxcd/repo/infrastructure/base/gatekeeper/resources/toleration-datasience.yaml

@@ -0,0 +1,44 @@
+apiVersion: mutations.gatekeeper.sh/v1
+kind: Assign
+metadata:
+  name: toleration-datascience
+spec:
+  applyTo:
+  - groups:
+    - ""
+    kinds:
+    - Pod
+    versions:
+    - v1
+  location: spec.tolerations
+  match:
+    kinds:
+    - apiGroups:
+      - '*'
+      kinds:
+      - Pod
+    labelSelector:
+      matchExpressions:
+      - key: app.kubernetes.io/name
+        operator: In
+        values:
+        - disigas
+        - dilre
+        - difunds
+        - dicaplink
+        - dimatchdom
+        - dimatchname
+        - discoring
+        - dijal
+        - procol
+    namespaces:
+    - privateapi
+    scope: Namespaced
+  parameters:
+    assign:
+      value:
+      - effect: NoSchedule
+        key: InstanceUsage
+        operator: Equal
+        value: datascience
+

fluxcd/repo/infrastructure/base/helm-private-repositories/helm-private-repositories.yaml

@@ -0,0 +1,10 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: myOrg
+spec:
+  secretRef:
+    name: helm-registry-gitlab
+  interval: 10m0s
+  url: https://gitlab.example.com/api/v4/projects/<projectID>/packages/helm/stable

fluxcd/repo/infrastructure/base/helm-private-repositories/helm-registry-gitlab.yaml

@@ -0,0 +1,15 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: helm-registry-gitlab
+spec:
+  secretStoreRef:
+    name: vault-secret-store
+    kind: ClusterSecretStore
+  refreshInterval: "1h"
+  target:
+    name: helm-registry-gitlab
+    deletionPolicy: Retain
+  dataFrom:
+  - extract:
+      key: kubernetes-secrets/helm-registry-gitlab

fluxcd/repo/infrastructure/base/helm-private-repositories/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - helm-private-repositories.yaml
+  - helm-registry-gitlab.yaml

fluxcd/repo/infrastructure/base/helm-public-repositories/helm-repository-public.yaml

@@ -0,0 +1,147 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: bitnami
+spec:
+  interval: 360m0s
+  url: https://charts.bitnami.com/bitnami
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: bitnami-oci
+spec:
+  type: "oci"
+  interval: 360m0s
+  url: oci://registry-1.docker.io/bitnamicharts
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: bitnami-labs
+spec:
+  interval: 360m0s
+  url: https://bitnami-labs.github.io/sealed-secrets
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: elastic
+spec:
+  interval: 360m0s
+  url: https://helm.elastic.co
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: external-secrets-operator
+spec:
+  interval: 360m0s
+  url: https://charts.external-secrets.io
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: fairwinds-stable
+spec:
+  interval: 360m0s
+  url: https://charts.fairwinds.com/stable
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: gatekeeper
+spec:
+  interval: 360m0s
+  url: https://open-policy-agent.github.io/gatekeeper/charts
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: gitlab
+spec:
+  interval: 360m0s
+  url: https://charts.gitlab.io
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: grafana
+spec:
+  interval: 360m0s
+  url: https://grafana.github.io/helm-charts
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: kedacore
+spec:
+  interval: 360m0s
+  url: https://kedacore.github.io/charts
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: ingress-nginx
+spec:
+  interval: 360m0s
+  url: https://kubernetes.github.io/ingress-nginx
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: prometheus-community
+spec:
+  interval: 360m0s
+  url: https://prometheus-community.github.io/helm-charts
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: prometheus-msteams
+spec:
+  interval: 360m0s
+  url: https://prometheus-msteams.github.io/prometheus-msteams/
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: traefik
+spec:
+  interval: 360m0s
+  url: https://traefik.github.io/charts
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: HelmRepository
+metadata:
+  name: velero-repo
+  namespace: flux-system
+spec:
+  interval: 1h
+  url: https://vmware-tanzu.github.io/helm-charts
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: HelmRepository
+metadata:
+  name: mercure
+  namespace: flux-system
+spec:
+  interval: 1h
+  url: https://charts.mercure.rocks
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: HelmRepository
+metadata:
+  name: longhorn-repo
+  namespace: flux-system
+spec:
+  interval: 1h
+  url: https://charts.longhorn.io
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: aqua
+spec:
+  interval: 360m0s
+  url: https://aquasecurity.github.io/helm-charts/

fluxcd/repo/infrastructure/base/helm-public-repositories/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - helm-repository-public.yaml

fluxcd/repo/infrastructure/base/keda/hr-keda.yaml

@@ -0,0 +1,130 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: keda
+spec:
+  chart:
+    spec:
+      chart: keda
+      sourceRef:
+        kind: HelmRepository
+        name: kedacore
+        namespace: infrastructure
+      version: "2.16.x"
+  install:
+    crds: Create
+  upgrade:
+    crds: CreateReplace
+  interval: 30m
+  values:
+    image:
+      keda:
+        repository: ghcr.io/kedacore/keda
+      metricsApiServer:
+        repository: ghcr.io/kedacore/keda-metrics-apiserver
+      webhooks:
+        repository: ghcr.io/kedacore/keda-admission-webhooks
+      pullPolicy: IfNotPresent
+
+    # -- Defines Kubernetes namespaces to watch to scale their workloads. Default watches all namespaces
+    watchNamespace: ""
+
+    operator:
+      # -- Capability to configure the number of replicas for KEDA operator.
+      # While you can run more replicas of our operator, only one operator instance will be the leader and serving traffic.
+      # You can run multiple replicas, but they will not improve the performance of KEDA, it could only reduce downtime during a failover.
+      # Learn more in [our documentation](https://keda.sh/docs/latest/operate/cluster/#high-availability).
+      replicaCount: 2
+      affinity:
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+          - labelSelector:
+              matchExpressions:
+              - key: app
+                operator: In
+                values:
+                - keda-operator
+            topologyKey: "kubernetes.io/hostname"
+
+    metricsServer:
+      replicaCount: 2
+      affinity:
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+          - labelSelector:
+              matchExpressions:
+              - key: app
+                operator: In
+                values:
+                - keda-operator-metrics-apiserver
+            topologyKey: "kubernetes.io/hostname"
+
+    webhooks:
+      enabled: true
+      replicaCount: 2
+      affinity:
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+          - labelSelector:
+              matchExpressions:
+              - key: app
+                operator: In
+                values:
+                - keda-operator
+            topologyKey: "kubernetes.io/hostname"
+
+      # -- [Failure policy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy) to use with KEDA admission webhooks
+      failurePolicy: Ignore
+
+    # We provides the default values that we describe in our docs:
+    # https://keda.sh/docs/latest/operate/cluster/
+    # If you want to specify the resources (or totally remove the defaults), change or comment the following
+    # lines, adjust them as necessary, or simply add the curly braces after 'operator' and/or 'metricServer'
+    # and remove/comment the default values
+    resources:
+      # -- Manage [resource request & limits] of KEDA operator pod
+      operator:
+        limits:
+          cpu: 1
+          memory: 1000Mi
+        requests:
+          cpu: 100m
+          memory: 1000Mi
+      # -- Manage [resource request & limits] of KEDA metrics apiserver pod
+      metricServer:
+        limits:
+          cpu: 1
+          memory: 1000Mi
+        requests:
+          cpu: 100m
+          memory: 1000Mi
+      # -- Manage [resource request & limits] of KEDA admission webhooks pod
+      webhooks:
+        limits:
+          cpu: 50m
+          memory: 1000Mi
+        requests:
+          cpu: 10m
+          memory: 1000Mi
+
+    tolerations: []
+    priorityClassName: ""
+
+    prometheus:
+      metricServer:
+        enabled: true
+        port: 8080
+        portName: metrics
+        serviceMonitor:
+          enabled: true
+      operator:
+        enabled: true
+        port: 8080
+        serviceMonitor:
+          enabled: true
+      webhooks:
+        enabled: true
+        port: 8080
+        serviceMonitor:
+          enabled: true

fluxcd/repo/infrastructure/base/keda/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- hr-keda.yaml

fluxcd/repo/infrastructure/base/longhorn/hr-longhorn.yaml

@@ -0,0 +1,32 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: longhorn
+spec:
+  chart:
+    spec:
+      chart: longhorn
+      reconcileStrategy: ChartVersion
+      version: "1.8.x"
+      sourceRef:
+        kind: HelmRepository
+        name: longhorn-repo
+        namespace: infrastructure
+  interval: 10m0s
+  # https://github.com/longhorn/charts/blob/v1.8.x/charts/longhorn/values.yaml
+  values:
+
+    defaultBackupStore:
+      backupTarget: "s3://ilg-longhorn-backup-inf@fr-par/"
+      backupTargetCredentialSecret: "longhorn-s3-backup-secret"
+
+    ingress:
+      enabled: true
+      ingressClassName: "traefik"
+      annotations:
+        "traefik.ingress.kubernetes.io/router.middlewares": infrastructure-longhorn-dashboard-basic-auth@kubernetescrd
+
+    metrics:
+      serviceMonitor:
+        enabled: true

fluxcd/repo/infrastructure/base/longhorn/kustomization.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - hr-longhorn.yaml

fluxcd/repo/infrastructure/base/namespaces/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespaces.yaml

fluxcd/repo/infrastructure/base/namespaces/namespaces.yaml

@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: namespace1
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: system

fluxcd/repo/infrastructure/base/prometheus/alerts/alerts-flux.yaml

@@ -0,0 +1,18 @@
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  labels:
+    release: prometheus
+  name: alerts-flux.rules
+  namespace: monitoring
+spec:
+  groups:
+    - name: Flux
+      rules:
+        - alert: ReconciliationFailure
+          expr: max(gotk_reconcile_condition{status="False",type="Ready"}) by (exported_namespace, name, kind) + on(exported_namespace, name, kind) (max(gotk_reconcile_condition{status="Deleted"}) by (exported_namespace, name, kind)) * 2 == 1
+          for: 10m
+          labels:
+            severity: warning
+          annotations:
+            summary: '{{ $labels.kind }} {{ $labels.exported_namespace }}/{{ $labels.name }} reconciliation has been failing for more than ten minutes.'

fluxcd/repo/infrastructure/base/prometheus/core/hr-kube-prometheus-stack.yaml

@@ -0,0 +1,397 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: prometheus
+spec:
+  upgrade:
+    remediation:
+      retries: -1
+  chart:
+    spec:
+      chart: kube-prometheus-stack
+      version: "54.x.x"
+      sourceRef:
+        kind: HelmRepository
+        name: prometheus-community
+        namespace: infrastructure
+  interval: 30m0s
+  values:
+    fullnameOverride: "prometheus"
+
+    ## Create default rules for monitoring the cluster
+    ##
+    defaultRules:
+      create: true
+      rules:
+        etcd: false
+        kubernetesSystem: false
+        kubeScheduler: false
+        kubeProxy: false
+        configReloaders: true
+        general: true
+        k8s: true
+        kubeApiserverAvailability: true
+        kubeApiserverBurnrate: true
+        kubeApiserverHistogram: true
+        kubeApiserverSlos: true
+        kubeControllerManager: true
+        kubelet: true
+        kubePrometheusGeneral: true
+        kubePrometheusNodeRecording: true
+        kubernetesApps: true
+        kubernetesResources: true
+        kubernetesStorage: true
+        kubeSchedulerAlerting: true
+        kubeSchedulerRecording: true
+        kubeStateMetrics: true
+        network: true
+        node: true
+        nodeExporterAlerting: true
+        nodeExporterRecording: true
+        prometheus: true
+        prometheusOperator: true
+
+    global:
+      rbac:
+        create: true
+
+    alertmanager:
+      enabled: true
+
+      config:
+        global:
+          resolve_timeout: 5m
+        route:
+          group_by:
+            - job
+            - alertname
+          receiver: 'null'
+          routes:
+          - receiver: 'null'
+            matchers:
+              - alertname =~ "InfoInhibitor|Watchdog"
+        receivers:
+        - name: 'null'
+        templates:
+        - '/etc/alertmanager/config/*.tmpl'
+
+      serviceMonitor:
+        interval: ""
+        selfMonitor: true
+
+
+      alertmanagerSpec:
+        replicas: 1
+        retention: 120h
+
+        storage: {}
+        # volumeClaimTemplate:
+        #   spec:
+        #     storageClassName: gluster
+        #     accessModes: ["ReadWriteOnce"]
+        #     resources:
+        #       requests:
+        #         storage: 50Gi
+        #     selector: {}
+
+        resources:
+          requests:
+            cpu: 10m
+            memory: 64Mi
+          limits:
+            cpu: 501m
+            memory: 64Mi
+
+        podAntiAffinity: "soft"
+        podAntiAffinityTopologyKey: kubernetes.io/hostname
+
+
+    grafana:
+      enabled: false
+
+    kubeApiServer:
+      enabled: true
+      tlsConfig:
+        # serverName: kubernetes
+        insecureSkipVerify: true
+      serviceMonitor:
+        interval: ""
+        proxyUrl: ""
+
+    kubelet:
+      enabled: true
+      namespace: kube-system
+
+      serviceMonitor:
+        additionalLabels: {}
+        cAdvisor: true
+        cAdvisorMetricRelabelings:
+          - action: drop
+            regex: >-
+              container_cpu_(load_average_10s|system_seconds_total|user_seconds_total)
+            sourceLabels:
+              - __name__
+          - action: drop
+            regex: >-
+              container_fs_(io_current|io_time_seconds_total|io_time_weighted_seconds_total|reads_merged_total|sector_reads_total|sector_writes_total|writes_merged_total)
+            sourceLabels:
+              - __name__
+          - action: drop
+            regex: container_memory_(mapped_file|swap)
+            sourceLabels:
+              - __name__
+          - action: drop
+            regex: container_(file_descriptors|tasks_state|threads_max)
+            sourceLabels:
+              - __name__
+          - action: drop
+            regex: container_spec.*
+            sourceLabels:
+              - __name__
+          - action: drop
+            regex: .+;
+            sourceLabels:
+              - id
+              - pod
+        cAdvisorRelabelings:
+          - sourceLabels:
+              - __metrics_path__
+            targetLabel: metrics_path
+        https: true
+        interval: ''
+        metricRelabelings: []
+        probes: true
+        probesMetricRelabelings: []
+        probesRelabelings:
+          - sourceLabels:
+              - __metrics_path__
+            targetLabel: metrics_path
+        proxyUrl: ''
+        relabelings:
+          - sourceLabels:
+              - __metrics_path__
+            targetLabel: metrics_path
+        resource: false
+
+    kubeControllerManager:
+      enabled: false
+
+      serviceMonitor:
+        enabled: false
+        interval: ""
+        proxyUrl: ""
+        https: null
+        insecureSkipVerify: null
+        serverName: null
+
+    coreDns:
+      enabled: true
+      service:
+        port: 9153
+        targetPort: 9153
+        # selector:
+        #   k8s-app: kube-dns
+      serviceMonitor:
+        interval: ""
+
+    kubeDns:
+      enabled: false
+
+    kubeEtcd:
+      enabled: false
+
+      serviceMonitor:
+        enabled: false
+        interval: ""
+        proxyUrl: ""
+        scheme: http
+        insecureSkipVerify: false
+
+    kubeScheduler:
+      enabled: false
+
+      serviceMonitor:
+        enabled: false
+        interval: ""
+        https: null
+        insecureSkipVerify: null
+
+    kubeProxy:
+      enabled: false
+
+      serviceMonitor:
+        enabled: false
+        interval: ""
+        https: false
+
+    kubeStateMetrics:
+      enabled: true
+
+    kube-state-metrics:
+      prometheus:
+        monitor:
+          enabled: true
+          interval: ""
+
+      selfMonitor:
+        enabled: true
+
+    nodeExporter:
+      enabled: true
+
+    prometheus-node-exporter:
+      extraArgs:
+        - --collector.filesystem.mount-points-exclude=^/(dev|proc|sys|var/lib/docker/.+|var/lib/kubelet/.+)($|/)
+        - --collector.filesystem.fs-types-exclude=^(autofs|binfmt_misc|bpf|cgroup2?|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|iso9660|mqueue|nsfs|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|selinuxfs|squashfs|sysfs|tracefs)$
+      prometheus:
+        monitor:
+          enabled: true
+          interval: ""
+
+    prometheusOperator:
+      enabled: true
+
+      serviceMonitor:
+        interval: ""
+        scrapeTimeout: ""
+        selfMonitor: true
+
+      resources:
+        requests:
+          cpu: 125m
+          memory: 128Mi
+        limits:
+          cpu: 500m
+          memory: 128Mi
+
+      # Required for use in managed kubernetes clusters (such as AWS EKS) with custom CNI (such as calico),
+      # because control-plane managed by AWS cannot communicate with pods' IP CIDR and admission webhooks are not working
+      ##
+      hostNetwork: false
+
+      dnsConfig: {}
+        # nameservers:
+        #   - 1.2.3.4
+        # searches:
+        #   - ns1.svc.cluster-domain.example
+        #   - my.dns.search.suffix
+        # options:
+        #   - name: ndots
+        #     value: "2"
+      #   - name: edns0
+      
+      # Enable vertical pod autoscaler support for prometheus-operator
+      verticalPodAutoscaler:
+        enabled: false
+        # List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory
+        controlledResources: []
+
+        # Define the max allowed resources for the pod
+        maxAllowed: {}
+        # cpu: 200m
+        # memory: 100Mi
+        # Define the min allowed resources for the pod
+        minAllowed: {}
+        # cpu: 200m
+        # memory: 100Mi
+
+        updatePolicy:
+          # Specifies whether recommended updates are applied when a Pod is started and whether recommended updates
+          # are applied during the life of a Pod. Possible values are "Off", "Initial", "Recreate", and "Auto".
+          updateMode: Auto
+
+      prometheusConfigReloader:
+        resources:
+          requests:
+            cpu: 10m
+            memory: 35Mi
+          limits:
+            cpu: 500m
+            memory: 1024Mi
+
+    prometheus:
+      enabled: true
+
+      thanosService:
+        enabled: false
+
+      thanosServiceMonitor:
+        enabled: false
+        interval: ""
+
+      thanosServiceExternal:
+        enabled: false
+
+      podDisruptionBudget:
+        enabled: true
+        minAvailable: 1
+        maxUnavailable: ""
+
+      ingress:
+        enabled: false
+        ingressClassName: nginx
+        # hosts:
+        #   - prometheus.domain.com
+        hosts: []
+
+        ## Paths to use for ingress rules - one path should match the prometheusSpec.routePrefix
+        ##
+        paths: []
+        # - /
+        
+        pathType: Prefix
+
+      serviceMonitor:
+        interval: ""
+        selfMonitor: true
+
+      prometheusSpec:
+        ## If true, pass --storage.tsdb.max-block-duration=2h to prometheus. This is already done if using Thanos
+        ##
+        disableCompaction: false
+        scrapeInterval: "15s"
+        scrapeTimeout: "10s"
+        evaluationInterval: "1m"
+        enableAdminAPI: false
+        priorityClassName: "system-cluster-critical"
+
+        remoteWrite:
+          - url: https://mimir.example.com/api/v1/push
+        ruleNamespaceSelector: {}
+        ruleSelectorNilUsesHelmValues: false
+        ruleSelector: {}
+        serviceMonitorSelectorNilUsesHelmValues: false
+        serviceMonitorSelector: {}
+        serviceMonitorNamespaceSelector: {}
+        podMonitorSelectorNilUsesHelmValues: false
+        podMonitorSelector: {}
+        podMonitorNamespaceSelector: {}
+        probeSelectorNilUsesHelmValues: true
+        probeSelector: {}
+        probeNamespaceSelector: {}
+
+        retention: 1d
+        retentionSize: "25GiB"
+
+        ## Enable compression of the write-ahead log using Snappy.
+        ##
+        walCompression: false
+
+        replicas: 1
+
+        podAntiAffinity: "soft"
+        podAntiAffinityTopologyKey: kubernetes.io/hostname
+
+        resources:
+          limits:
+            cpu: 2000m
+            memory: 6000Mi
+          requests:
+            cpu: 900m
+            memory: 6000Mi
+
+        thanos: {}
+          #   objectStorageConfig:
+          #     key: objstore.yml
+          #     name: thanos-objstore-config

fluxcd/repo/infrastructure/base/prometheus/core/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: infrastructure
+resources:
+  - hr-kube-prometheus-stack.yaml

fluxcd/repo/infrastructure/base/prometheus/dependencies.yaml

@@ -0,0 +1,34 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: inf-prometheus-core
+  namespace: infrastructure
+spec:
+  interval: 5m
+  path: ./infrastructure/base/prometheus/core
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+    namespace: flux-system
+  healthChecks:
+    - apiVersion: apps/v1
+      kind: Deployment
+      name: prometheus-operator
+      namespace: infrastructure
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: inf-prometheus-resources
+  namespace: infrastructure
+spec:
+  dependsOn:
+    - name: inf-prometheus-core
+  interval: 5m
+  path: ./infrastructure/base/prometheus/resources
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+    namespace: flux-system

fluxcd/repo/infrastructure/base/prometheus/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: infrastructure
+resources:
+  - dependencies.yaml

fluxcd/repo/infrastructure/base/prometheus/resources/flux-podmonitor.yaml

@@ -0,0 +1,24 @@
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  name: flux-system
+  labels:
+    app.kubernetes.io/part-of: flux
+    release: prometheus
+spec:
+  namespaceSelector:
+    matchNames:
+      - flux-system
+  selector:
+    matchExpressions:
+      - key: app
+        operator: In
+        values:
+          - helm-controller
+          - source-controller
+          - kustomize-controller
+          - notification-controller
+          - image-automation-controller
+          - image-reflector-controller
+  podMetricsEndpoints:
+    - port: http-prom

fluxcd/repo/infrastructure/base/prometheus/resources/http-broadcaster-servicemonitor.yaml

@@ -0,0 +1,15 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: http-broadcaster
+spec:
+  endpoints:
+  - interval: 30s
+    port: web
+    scheme: http
+    scrapeTimeout: 29s
+  namespaceSelector:
+    any: true
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: "http-broadcaster"

fluxcd/repo/infrastructure/base/prometheus/resources/kustomization.yaml

@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: infrastructure
+resources:
+  - flux-podmonitor.yaml
+  - php-fpm-exporters-servicemonitor.yaml
+  - rabbitmq-servicemonitor.yaml
+  - python-metrics-servicemonitor.yaml
+  - php-metrics-servicemonitor.yaml
+  - http-broadcaster-servicemonitor.yaml

fluxcd/repo/infrastructure/base/prometheus/resources/php-fpm-exporters-servicemonitor.yaml

@@ -0,0 +1,15 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: php-fpm-exporters
+spec:
+  endpoints:
+    - interval: 15s
+      port: php-fpm-exporter
+      scheme: http
+      scrapeTimeout: 14s
+  namespaceSelector:
+    any: true
+  selector:
+    matchLabels:
+      k8s.example.com/php-fpm-exporter-scrape: 'true'

fluxcd/repo/infrastructure/base/prometheus/resources/php-metrics-servicemonitor.yaml

@@ -0,0 +1,16 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: php-metrics
+spec:
+  endpoints:
+    - interval: 15s
+      port: php-metrics
+      path: /metrics
+      scheme: http
+      scrapeTimeout: 14s
+  namespaceSelector:
+    any: true
+  selector:
+    matchLabels:
+      k8s.example.com/php-metrics-scrape: 'true'

fluxcd/repo/infrastructure/base/prometheus/resources/python-metrics-servicemonitor.yaml

@@ -0,0 +1,16 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: python-metrics
+spec:
+  endpoints:
+    - interval: 15s
+      port: metrics
+      path: /metrics
+      scheme: http
+      scrapeTimeout: 14s
+  namespaceSelector:
+    any: true
+  selector:
+    matchLabels:
+      k8s.example.com/python-metrics-scrape: 'true'

fluxcd/repo/infrastructure/base/prometheus/resources/rabbitmq-servicemonitor.yaml

@@ -0,0 +1,42 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: rabbitmq
+  namespace: rabbitmq-operator
+spec:
+  endpoints:
+  - port: prometheus
+    scheme: http
+    interval: 15s
+    scrapeTimeout: 14s
+  - port: prometheus-tls
+    scheme: https
+    interval: 15s
+    scrapeTimeout: 14s
+    tlsConfig:
+      insecureSkipVerify: true
+  - port: prometheus
+    scheme: http
+    path: /metrics/detailed
+    params:
+      family:
+      - queue_coarse_metrics
+      - queue_metrics
+    interval: 15s
+    scrapeTimeout: 14s
+  - port: prometheus-tls
+    scheme: https
+    path: /metrics/detailed
+    params:
+      family:
+      - queue_coarse_metrics
+      - queue_metrics
+    interval: 15s
+    scrapeTimeout: 14s
+    tlsConfig:
+      insecureSkipVerify: true
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: rabbitmq
+  namespaceSelector:
+    any: true

fluxcd/repo/infrastructure/base/traefik/core/hr-traefik.yaml

@@ -0,0 +1,250 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: traefik
+spec:
+  chart:
+    spec:
+      chart: traefik
+      reconcileStrategy: ChartVersion
+      version: "35.x.x"
+      sourceRef:
+        kind: HelmRepository
+        name: traefik
+        namespace: infrastructure
+  interval: 10m0s
+  values:
+    image:
+      registry: docker.io
+      repository: traefik
+      tag: ""
+      pullPolicy: IfNotPresent
+
+    commonLabels: {}
+
+    deployment:
+      enabled: true
+      # -- Deployment or DaemonSet
+      kind: DaemonSet
+      # -- Number of pods of the deployment (only applies when kind == Deployment)
+      replicas: 1
+      terminationGracePeriodSeconds: 60
+      minReadySeconds: 0
+
+      dnsConfig:
+        options:
+          - name: ndots
+            value: '1'
+
+    ingressClass:
+      enabled: true
+      isDefaultClass: true
+      name: "traefik"
+
+    ingressRoute:
+      dashboard:
+        enabled: true
+        annotations: {}
+        labels: {}
+        matchRule: PathPrefix(`/dashboard`) || PathPrefix(`/api`)
+        # By default, it's using traefik entrypoint, which is not exposed.
+        # /!\ Do not expose your dashboard without any protection over the internet /!\
+        entryPoints: ["traefik"]
+        middlewares: []
+      healthcheck:
+        enabled: true
+        annotations: {}
+        labels: {}
+        matchRule: PathPrefix(`/ping`)
+        entryPoints: ["traefik", "web", "websecure"]
+        middlewares: []
+
+    updateStrategy:
+      type: RollingUpdate
+      rollingUpdate:
+        maxUnavailable: 1
+        maxSurge: null
+
+    providers:
+      kubernetesCRD:
+        enabled: true
+        # -- Allows IngressRoute to reference resources in namespace other than theirs
+        allowCrossNamespace: false
+        # -- Allows to reference ExternalName services in IngressRoute
+        allowExternalNameServices: false
+        # -- Allows to return 503 when there is no endpoints available
+        allowEmptyServices: false
+        # -- Array of namespaces to watch. If left empty, Traefik watches all namespaces.
+        namespaces: []
+        # - "default"
+
+      kubernetesIngress:
+        enabled: true
+        # -- Allows to reference ExternalName services in Ingress
+        allowExternalNameServices: false
+        # -- Allows to return 503 when there is no endpoints available
+        allowEmptyServices: false
+        # -- Array of namespaces to watch. If left empty, Traefik watches all namespaces.
+        namespaces: []
+        # - "default"
+        # IP used for Kubernetes Ingress endpoints
+        publishedService:
+          enabled: false
+          # Published Kubernetes Service to copy status from. Format: namespace/servicename
+          # By default this Traefik service
+          # pathOverride: ""
+
+    logs:
+      general:
+        # -- Alternative logging levels are DEBUG, PANIC, FATAL, ERROR, WARN, and INFO.
+        level: ERROR
+      access:
+        enabled: true
+        # format: json
+        # bufferingSize: 100
+        ## Filtering
+        # -- https://docs.traefik.io/observability/access-logs/#filtering
+        filters: {}
+        # statuscodes: "200,300-302"
+        # retryattempts: true
+        # minduration: 10ms
+        fields:
+          general:
+            # -- Available modes: keep, drop, redact.
+            defaultmode: keep
+            # -- Names of the fields to limit.
+            names: {}
+            ## Examples:
+            # ClientUsername: drop
+          headers:
+            # -- Available modes: keep, drop, redact.
+            defaultmode: drop
+            # -- Names of the headers to limit.
+            names: {}
+            ## Examples:
+            # User-Agent: redact
+            # Authorization: drop
+            # Content-Type: keep
+
+    metrics:
+      prometheus:
+        entryPoint: metrics
+        service:
+          enabled: true
+        serviceMonitor:
+          metricRelabelings: []
+          relabelings: []
+          jobLabel: traefik
+          interval: 30s
+          honorLabels: true
+
+    globalArguments:
+    - "--global.checknewversion"
+
+    additionalArguments:
+      - "--entryPoints.web.forwardedHeaders.trustedIPs=10.0.0.0/8"
+      - "--entryPoints.websecure.forwardedHeaders.trustedIPs=10.0.0.0/8"
+
+    ports:
+      traefik:
+        port: 9000
+        # -- You SHOULD NOT expose the traefik port on production deployments.
+        # If you want to access it from outside your cluster,
+        # use `kubectl port-forward` or create a secure ingress
+        expose: false
+        exposedPort: 9000
+        protocol: TCP
+        exposeInternal: false
+      web:
+        port: 8000
+        hostPort: 80
+        # containerPort: 8000
+        expose: true
+        exposedPort: 80
+        protocol: TCP
+        exposeInternal: false
+      websecure:
+        port: 8443
+        hostPort: 443
+        expose: true
+        exposedPort: 443
+        protocol: TCP
+        exposeInternal: false
+        http3:
+          enabled: false
+        middlewares: []
+      metrics:
+        port: 9100
+        expose: false
+        exposedPort: 9100
+        protocol: TCP
+        exposeInternal: false
+
+    service:
+      enabled: true
+      single: true
+      type: ClusterIP
+      annotations: {}
+      annotationsTCP: {}
+      annotationsUDP: {}
+      labels: {}
+  
+    autoscaling:
+      enabled: false
+
+    # -- If hostNetwork is true, runs traefik in the host network namespace
+    # To prevent unschedulabel pods due to port collisions, if hostNetwork=true
+    # and replicas>1, a pod anti-affinity is recommended and will be set if the
+    # affinity is left as default.
+    hostNetwork: false
+
+    # -- Whether Role Based Access Control objects like roles and rolebindings should be created
+    rbac:
+      enabled: true
+      # If set to false, installs ClusterRole and ClusterRoleBinding so Traefik can be used across namespaces.
+      # If set to true, installs Role and RoleBinding. Providers will only watch target namespace.
+      namespaced: false
+      # Enable user-facing roles
+      # https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
+      # aggregateTo: [ "admin" ]
+
+    # -- Enable to create a PodSecurityPolicy and assign it to the Service Account via RoleBinding or ClusterRoleBinding
+    podSecurityPolicy:
+      enabled: false
+
+    resources:
+      requests:
+        cpu: "100m"
+        memory: "150Mi"
+      limits:
+        memory: "150Mi"
+
+    affinity:
+      podAntiAffinity:
+        requiredDuringSchedulingIgnoredDuringExecution:
+          - labelSelector:
+              matchLabels:
+                app.kubernetes.io/name: '{{ template "traefik.name" . }}'
+                app.kubernetes.io/instance: '{{ .Release.Name }}-{{ .Release.Namespace }}'
+            topologyKey: kubernetes.io/hostname
+
+    priorityClassName: "system-cluster-critical"
+
+    securityContext:
+      capabilities:
+        drop: [ALL]
+      readOnlyRootFilesystem: true
+      allowPrivilegeEscalation: false
+
+    podSecurityContext:
+      fsGroupChangePolicy: "OnRootMismatch"
+      runAsGroup: 65532
+      runAsNonRoot: true
+      runAsUser: 65532
+
+    tolerations:
+      - effect: NoSchedule
+        key: InstanceUsage
+        operator: Equal
+        value: datascience

fluxcd/repo/infrastructure/base/traefik/core/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: infrastructure
+resources:
+- hr-traefik.yaml

fluxcd/repo/infrastructure/base/traefik/dependencies.yaml

@@ -0,0 +1,29 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: inf-traefik-core
+  namespace: flux-system
+spec:
+  interval: 5m
+  path: ./infrastructure/base/traefik/core
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+    namespace: flux-system
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: inf-traefik-resources
+  namespace: flux-system
+spec:
+  dependsOn:
+    - name: inf-traefik-core
+  interval: 5m
+  path: ./infrastructure/base/traefik/resources
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+    namespace: flux-system

fluxcd/repo/infrastructure/base/traefik/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - dependencies.yaml

fluxcd/repo/infrastructure/base/traefik/resources/ingress-route-public-dashboard-prd.yaml

@@ -0,0 +1,18 @@
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: traefik-public-dashboard-prd
+spec:
+  entryPoints:
+    - websecure
+    - web
+  routes:
+    - match: (Host(`traefik-dashboard.example.com`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`)))
+      kind: Rule
+      middlewares:
+        - name: traefik-dashboard-basic-auth
+          namespace: infrastructure
+      services:
+        - name: api@internal
+          kind: TraefikService

fluxcd/repo/infrastructure/base/traefik/resources/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: infrastructure
+resources:
+  - middleware-traefik-dashboard-basic-auth.yaml
+  - secret-traefik-dashboard-basic-auth.yaml
+  - ingress-route-public-dashboard-prd.yaml

fluxcd/repo/infrastructure/base/traefik/resources/middleware-traefik-dashboard-basic-auth.yaml

@@ -0,0 +1,7 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: traefik-dashboard-basic-auth
+spec:
+  basicAuth:
+    secret: traefik-dashboard-basic-auth

fluxcd/repo/infrastructure/base/traefik/resources/secret-traefik-dashboard-basic-auth.yaml

@@ -0,0 +1,15 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: traefik-dashboard-basic-auth
+spec:
+  secretStoreRef:
+    name: vault-secret-store
+    kind: ClusterSecretStore
+  refreshInterval: "6h"
+  target:
+    name: traefik-dashboard-basic-auth
+    deletionPolicy: Retain
+  dataFrom:
+  - extract:
+      key: kubernetes-secrets/traefik/traefik-dashboard-basic-auth

fluxcd/repo/infrastructure/staging/apps/kustomization.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - longhorn

fluxcd/repo/infrastructure/staging/apps/longhorn/hr-longhorn.yaml

@@ -0,0 +1,19 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: longhorn
+spec:
+  chart:
+    spec:
+      chart: longhorn
+      reconcileStrategy: ChartVersion
+      version: "1.8.x"
+      sourceRef:
+        kind: HelmRepository
+        name: longhorn-repo
+        namespace: infrastructure
+  interval: 10m0s
+  values:
+    ingress:
+      host: "longhorn.stg.example.com"

fluxcd/repo/infrastructure/staging/apps/longhorn/kustomization.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../../../base/longhorn/
+  - recurringjob-backup-longhorn.yaml
+  - recurringjob-snapshot-longhorn.yaml
+patches:
+  - path: hr-longhorn.yaml

fluxcd/repo/infrastructure/staging/apps/longhorn/recurringjob-backup-longhorn.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: longhorn.io/v1beta1
+kind: RecurringJob
+metadata:
+  name: backup-daily
+  namespace: infrastructure
+spec:
+  cron: "0 19 * * *"
+  task: "backup"
+  groups:
+  - default
+  retain: 7
+  concurrency: 3

fluxcd/repo/infrastructure/staging/apps/longhorn/recurringjob-snapshot-longhorn.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: longhorn.io/v1beta1
+kind: RecurringJob
+metadata:
+  name: snapshot-hourly
+  namespace: infrastructure
+spec:
+  cron: "0 * * * *"
+  task: "snapshot"
+  groups:
+  - default
+  retain: 3
+  concurrency: 3

fluxcd/repo/infrastructure/staging/fundamental-apps/kustomization.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - traefik
+  - ../../base/prometheus/resources
+  - prometheus

fluxcd/repo/infrastructure/staging/fundamental-apps/prometheus/core/hr-kube-prometheus-stack.yaml

@@ -0,0 +1,35 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: prometheus
+spec:
+  install:
+    crds: CreateReplace
+  upgrade:
+    crds: CreateReplace
+    remediation:
+      retries: -1
+  chart:
+    spec:
+      chart: kube-prometheus-stack
+      version: "70.x.x"
+      sourceRef:
+        kind: HelmRepository
+        name: prometheus-community
+        namespace: infrastructure
+  interval: 30m0s
+  values:
+    prometheus:
+      prometheusSpec:
+        externalLabels:
+          source: prometheus-k8s-stg
+
+      ingress:
+        enabled: true
+        ingressClassName: traefik
+        hosts:
+          - kube-prometheus.stg.example.com
+        paths:
+          - /
+        pathType: Prefix

fluxcd/repo/infrastructure/staging/fundamental-apps/prometheus/core/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: infrastructure
+resources:
+  - ../../../../base/prometheus/core
+patches:
+  - path: hr-kube-prometheus-stack.yaml

fluxcd/repo/infrastructure/staging/fundamental-apps/prometheus/dependencies.yaml

@@ -0,0 +1,34 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: inf-prometheus-core
+  namespace: infrastructure
+spec:
+  interval: 5m
+  path: ./infrastructure/staging/fundamental-apps/prometheus/core
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+    namespace: flux-system
+  healthChecks:
+    - apiVersion: apps/v1
+      kind: Deployment
+      name: prometheus-operator
+      namespace: infrastructure
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: inf-prometheus-resources
+  namespace: infrastructure
+spec:
+  dependsOn:
+    - name: inf-prometheus-core
+  interval: 5m
+  path: ./infrastructure/base/prometheus/resources
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+    namespace: flux-system

fluxcd/repo/infrastructure/staging/fundamental-apps/prometheus/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: infrastructure
+resources:
+  - dependencies.yaml

fluxcd/repo/infrastructure/staging/fundamental-apps/traefik/core/hr-traefik.yaml

@@ -0,0 +1,255 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: traefik
+spec:
+  chart:
+    spec:
+      chart: traefik
+      reconcileStrategy: ChartVersion
+      version: "35.x.x"
+      sourceRef:
+        kind: HelmRepository
+        name: traefik
+        namespace: infrastructure
+  interval: 10m0s
+  values:
+    image:
+      registry: docker.io
+      repository: traefik
+      tag: ""
+      pullPolicy: IfNotPresent
+
+    commonLabels: {}
+
+    deployment:
+      enabled: true
+      # -- Deployment or DaemonSet
+      kind: DaemonSet
+      # -- Number of pods of the deployment (only applies when kind == Deployment)
+      replicas: 1
+      terminationGracePeriodSeconds: 60
+      minReadySeconds: 0
+
+      dnsConfig:
+        options:
+          - name: ndots
+            value: '1'
+
+    ingressClass:
+      enabled: true
+      isDefaultClass: true
+      name: "traefik"
+
+    ingressRoute:
+      dashboard:
+        enabled: true
+        annotations: {}
+        labels: {}
+        matchRule: PathPrefix(`/dashboard`) || PathPrefix(`/api`)
+        # By default, it's using traefik entrypoint, which is not exposed.
+        # /!\ Do not expose your dashboard without any protection over the internet /!\
+        entryPoints: ["traefik"]
+        middlewares: []
+      healthcheck:
+        enabled: true
+        annotations: {}
+        labels: {}
+        matchRule: PathPrefix(`/ping`)
+        entryPoints: ["traefik", "web", "websecure"]
+        middlewares: []
+
+    updateStrategy:
+      type: RollingUpdate
+      rollingUpdate:
+        maxUnavailable: 1
+        maxSurge: null
+
+    providers:
+      kubernetesCRD:
+        enabled: true
+        # -- Allows IngressRoute to reference resources in namespace other than theirs
+        allowCrossNamespace: false
+        # -- Allows to reference ExternalName services in IngressRoute
+        allowExternalNameServices: false
+        # -- Allows to return 503 when there is no endpoints available
+        allowEmptyServices: false
+        # -- Array of namespaces to watch. If left empty, Traefik watches all namespaces.
+        namespaces: []
+        # - "default"
+
+      kubernetesIngress:
+        enabled: true
+        # -- Allows to reference ExternalName services in Ingress
+        allowExternalNameServices: false
+        # -- Allows to return 503 when there is no endpoints available
+        allowEmptyServices: false
+        # -- Array of namespaces to watch. If left empty, Traefik watches all namespaces.
+        namespaces: []
+        # - "default"
+        # IP used for Kubernetes Ingress endpoints
+        publishedService:
+          enabled: false
+          # Published Kubernetes Service to copy status from. Format: namespace/servicename
+          # By default this Traefik service
+          # pathOverride: ""
+
+    logs:
+      general:
+        # -- Alternative logging levels are DEBUG, PANIC, FATAL, ERROR, WARN, and INFO.
+        level: ERROR
+      access:
+        enabled: true
+        # format: json
+        # bufferingSize: 100
+        ## Filtering
+        # -- https://docs.traefik.io/observability/access-logs/#filtering
+        filters: {}
+        # statuscodes: "200,300-302"
+        # retryattempts: true
+        # minduration: 10ms
+        fields:
+          general:
+            # -- Available modes: keep, drop, redact.
+            defaultmode: keep
+            # -- Names of the fields to limit.
+            names: {}
+            ## Examples:
+            # ClientUsername: drop
+          headers:
+            # -- Available modes: keep, drop, redact.
+            defaultmode: drop
+            # -- Names of the headers to limit.
+            names: {}
+            ## Examples:
+            # User-Agent: redact
+            # Authorization: drop
+            # Content-Type: keep
+
+    metrics:
+      prometheus:
+        entryPoint: metrics
+        service:
+          enabled: true
+        serviceMonitor:
+          enabled: true
+          metricRelabelings: []
+          relabelings: []
+          jobLabel: traefik
+          interval: 30s
+          honorLabels: true
+
+    globalArguments:
+    - "--global.checknewversion"
+
+    additionalArguments:
+      - "--entryPoints.web.forwardedHeaders.trustedIPs=10.0.0.0/8"
+      - "--entryPoints.websecure.forwardedHeaders.trustedIPs=10.0.0.0/8"
+
+    ports:
+      traefik:
+        port: 9000
+        # -- You SHOULD NOT expose the traefik port on production deployments.
+        # If you want to access it from outside your cluster,
+        # use `kubectl port-forward` or create a secure ingress
+        expose:
+          default: false
+          internal: false
+        exposedPort: 9000
+        protocol: TCP
+      web:
+        port: 8000
+        hostPort: 80
+        # containerPort: 8000
+        expose:
+          default: true
+          internal: false
+        exposedPort: 80
+        protocol: TCP
+      websecure:
+        port: 8443
+        hostPort: 443
+        expose:
+          default: true
+          internal: false
+        exposedPort: 443
+        protocol: TCP
+        http3:
+          enabled: false
+        middlewares: []
+      metrics:
+        port: 9100
+        expose:
+          default: false
+          internal: false
+        exposedPort: 9100
+        protocol: TCP
+
+    service:
+      enabled: true
+      single: true
+      type: ClusterIP
+      annotations: {}
+      annotationsTCP: {}
+      annotationsUDP: {}
+      labels: {}
+
+    autoscaling:
+      enabled: false
+
+    # -- If hostNetwork is true, runs traefik in the host network namespace
+    # To prevent unschedulabel pods due to port collisions, if hostNetwork=true
+    # and replicas>1, a pod anti-affinity is recommended and will be set if the
+    # affinity is left as default.
+    hostNetwork: false
+
+    # -- Whether Role Based Access Control objects like roles and rolebindings should be created
+    rbac:
+      enabled: true
+      # If set to false, installs ClusterRole and ClusterRoleBinding so Traefik can be used across namespaces.
+      # If set to true, installs Role and RoleBinding. Providers will only watch target namespace.
+      namespaced: false
+      # Enable user-facing roles
+      # https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
+      # aggregateTo: [ "admin" ]
+
+    # -- Enable to create a PodSecurityPolicy and assign it to the Service Account via RoleBinding or ClusterRoleBinding
+    podSecurityPolicy:
+      enabled: false
+
+    resources:
+      requests:
+        cpu: "100m"
+        memory: "150Mi"
+      limits:
+        memory: "150Mi"
+
+    affinity:
+      podAntiAffinity:
+        requiredDuringSchedulingIgnoredDuringExecution:
+          - labelSelector:
+              matchLabels:
+                app.kubernetes.io/name: '{{ template "traefik.name" . }}'
+                app.kubernetes.io/instance: '{{ .Release.Name }}-{{ .Release.Namespace }}'
+            topologyKey: kubernetes.io/hostname
+
+    priorityClassName: "system-cluster-critical"
+
+    securityContext:
+      capabilities:
+        drop: [ALL]
+      readOnlyRootFilesystem: true
+      allowPrivilegeEscalation: false
+
+    podSecurityContext:
+      fsGroupChangePolicy: "OnRootMismatch"
+      runAsGroup: 65532
+      runAsNonRoot: true
+      runAsUser: 65532
+
+    tolerations:
+      - effect: NoSchedule
+        key: InstanceUsage
+        operator: Equal
+        value: datascience

fluxcd/repo/infrastructure/staging/fundamental-apps/traefik/core/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: infrastructure
+resources:
+- hr-traefik.yaml

fluxcd/repo/infrastructure/staging/fundamental-apps/traefik/dependencies.yaml

@@ -0,0 +1,29 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: inf-traefik-core
+  namespace: infrastructure
+spec:
+  interval: 5m
+  path: ./infrastructure/staging/fundamental-apps/traefik/core
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+    namespace: flux-system
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: inf-traefik-resources
+  namespace: infrastructure
+spec:
+  dependsOn:
+    - name: inf-traefik-core
+  interval: 5m
+  path: ./infrastructure/staging/fundamental-apps/traefik/resources
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+    namespace: flux-system

fluxcd/repo/infrastructure/staging/fundamental-apps/traefik/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - dependencies.yaml

fluxcd/repo/infrastructure/staging/fundamental-apps/traefik/resources/ingress-route-prometheus-pushgateway.yaml

@@ -0,0 +1,15 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: prometheus-pushgateway
+  namespace: infrastructure
+spec:
+  entryPoints:
+    - websecure
+    - web
+  routes:
+    - match: Host(`promgw.stg.example.com`)
+      kind: Rule
+      services:
+        - name: prometheus-pushgateway
+          port: 9091

fluxcd/repo/infrastructure/staging/fundamental-apps/traefik/resources/ingress-route-public-dashboard-stg.yaml

@@ -0,0 +1,18 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: traefik-public-dashboard-stg
+spec:
+  entryPoints:
+    - websecure
+    - web
+  routes:
+    - match: (Host(`traefik-dashboard.stg.example.com`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`)))
+      kind: Rule
+      middlewares:
+        - name: traefik-dashboard-basic-auth
+          namespace: infrastructure
+      services:
+        - name: api@internal
+          kind: TraefikService

fluxcd/repo/infrastructure/staging/fundamental-apps/traefik/resources/ingress-route-public-longhorn-stg.yaml

@@ -0,0 +1,18 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: longhorn-public-dashboard-stg
+spec:
+  entryPoints:
+    - websecure
+    - web
+  routes:
+    - match: Host(`longhorn.stg.example.com`)
+      kind: Rule
+      middlewares:
+        - name: longhorn-dashboard-basic-auth
+          namespace: infrastructure
+      services:
+        - name: infrastructure-longhorn-frontend-80@kubernetes
+          kind: TraefikService

fluxcd/repo/infrastructure/staging/fundamental-apps/traefik/resources/kustomization.yaml

@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: infrastructure
+resources:
+  - middleware-traefik-dashboard-basic-auth.yaml
+  - middleware-longhorn-dashboard-basic-auth.yaml
+  - secret-traefik-dashboard-basic-auth.yaml
+  - secret-longhorn-dashboard-basic-auth.yaml
+  - ingress-route-public-dashboard-stg.yaml
+  - ingress-route-public-webservice.yaml
+  - ingress-route-prometheus-pushgateway.yaml

fluxcd/repo/infrastructure/staging/fundamental-apps/traefik/resources/middleware-longhorn-dashboard-basic-auth.yaml

@@ -0,0 +1,7 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: longhorn-dashboard-basic-auth
+spec:
+  basicAuth:
+    secret: longhorn-dashboard-basic-auth

fluxcd/repo/infrastructure/staging/fundamental-apps/traefik/resources/middleware-traefik-dashboard-basic-auth.yaml

@@ -0,0 +1,7 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: traefik-dashboard-basic-auth
+spec:
+  basicAuth:
+    secret: traefik-dashboard-basic-auth

fluxcd/repo/infrastructure/staging/fundamental-apps/traefik/resources/secret-longhorn-dashboard-basic-auth.yaml

@@ -0,0 +1,15 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: longhorn-dashboard-basic-auth
+spec:
+  secretStoreRef:
+    name: vault-secret-store
+    kind: ClusterSecretStore
+  refreshInterval: "6h"
+  target:
+    name: longhorn-dashboard-basic-auth
+    deletionPolicy: Retain
+  dataFrom:
+  - extract:
+      key: kubernetes-secrets/longhorn/stg/dashboard-secret