Merge pull request #1015 from 3dwardch3ng/misc

update number of replicas
2024-09-26 19:53:59 +10:00 · 2024-09-26 19:44:22 +10:00 · 2024-09-25 23:26:38 +10:00 · 2024-09-25 23:25:25 +10:00 · 2024-09-25 23:24:04 +10:00 · 2024-09-25 23:19:36 +10:00
164 changed files with 3626 additions and 4061 deletions
--- a/apps/adguard-home/base/deployment.yaml
+++ b/apps/adguard-home/base/deployment.yaml
@@ -16,7 +16,7 @@ spec:
    spec:
      containers:
        - name: adguard-home
-          image: adguard/adguardhome:v0.107.51
+          image: adguard/adguardhome:v0.107.52
          ports:
            - protocol: TCP
              containerPort: 53
--- a/apps/adguard-home/base/service.yaml
+++ b/apps/adguard-home/base/service.yaml
@@ -3,12 +3,15 @@ kind: Service
 metadata:
  name: adguard-home
  namespace: adguard-home
+  annotations:
+    metallb.universe.tf/address-pool: k3s-cluster-ip-pool
+    metallb.universe.tf/allow-shared-ip: k3s-cluster
  labels:
    app.kubernetes.io/name: adguard-home
 spec:
  selector:
    app.kubernetes.io/name: adguard-home
-  type: ClusterIP
+  type: LoadBalancer
  internalTrafficPolicy: Cluster
  ports:
    - protocol: TCP
@@ -32,11 +35,11 @@ spec:
      targetPort: 80
      name: http-tcp
    - protocol: TCP
-      port: 443
+      port: 10443
      targetPort: 443
      name: https-tcp
    - protocol: UDP
-      port: 443
+      port: 10443
      targetPort: 443
      name: https-udp
    - protocol: TCP
--- a/apps/adguard-home/env/k3s-cluster/config.json.bak
+++ b/apps/adguard-home/env/k3s-cluster/config.json.bak
--- a/apps/adguard-home/env/k3s-cluster/ingress.yaml
+++ b/apps/adguard-home/env/k3s-cluster/ingress.yaml
@@ -1,61 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: adguard-home-ingress
-  namespace: adguard-home
-  annotations:
-    nginx.ingress.kubernetes.io/ssl-redirect: "false"
-    nginx.ingress.kubernetes.io/use-regex: "true"
-spec:
-  ingressClassName: nginx
-  rules:
-    - host: "adguard-home.cluster.edward.sydney"
-      http:
-        paths:
-          - pathType: Prefix
-            path: "/"
-            backend:
-              service:
-                name: adguard-home
-                port:
-                  number: 10080
-    - host: "adguard-home.cluster.local"
-      http:
-        paths:
-          - pathType: Prefix
-            path: "/"
-            backend:
-              service:
-                name: adguard-home
-                port:
-                  number: 10080
-    - host: "setup.adguard-home.cluster.edward.sydney"
-      http:
-        paths:
-          - pathType: Prefix
-            path: "/"
-            backend:
-              service:
-                name: adguard-home
-                port:
-                  number: 13000
-    - host: "setup.adguard-home.cluster.local"
-      http:
-        paths:
-          - pathType: Prefix
-            path: "/"
-            backend:
-              service:
-                name: adguard-home
-                port:
-                  number: 13000
-    - host: "doh.adguard-home.cluster.edward.sydney"
-      http:
-        paths:
-          - pathType: Prefix
-            path: "/"
-            backend:
-              service:
-                name: adguard-home
-                port:
-                  number: 443
--- a/apps/adguard-home/env/k3s-cluster/kustomization.yaml
+++ b/apps/adguard-home/env/k3s-cluster/kustomization.yaml
@@ -2,4 +2,3 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - ../../base
-  - ./ingress.yaml
--- a/apps/chartmuseum/env/k3s-cluster/config.json
+++ b/apps/chartmuseum/env/k3s-cluster/config.json
@@ -0,0 +1,12 @@
+{
+  "appName": "chartmuseum",
+  "userGivenName": "chartmuseum",
+  "namespace": "chartmuseum",
+  "destNamespace": "chartmuseum",
+  "destServer": "https://kubernetes.default.svc",
+  "srcPath": "apps/chartmuseum/env/k3s-cluster",
+  "srcRepoURL": "https://github.com/3dwardch3ng/home-cluster-ops.git",
+  "srcTargetRevision": "",
+  "labels": null,
+  "annotations": null
+}
--- a/apps/chartmuseum/env/k3s-cluster/kustomization.yaml
+++ b/apps/chartmuseum/env/k3s-cluster/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+helmCharts:
+  - name: chartmuseum
+    repo: https://chartmuseum.github.io/charts
+    version: 3.10.3
+    releaseName: chartmuseum
+    valuesFile: values.yaml
--- a/apps/chartmuseum/env/k3s-cluster/values.yaml
+++ b/apps/chartmuseum/env/k3s-cluster/values.yaml
@@ -0,0 +1,24 @@
+env:
+  open:
+    AUTH_ANONYMOUS_GET: true
+    DISABLE_API: false
+    CACHE: redis
+    CACHE_REDIS_ADDR: redis-master.redis.svc.cluster.local:6379
+  existingSecret: chartmuseum-secrets
+  existingSecretMappings:
+    BASIC_AUTH_USER: auth-user
+    BASIC_AUTH_PASS: auth-password
+    CACHE_REDIS_PASSWORD: redis-password
+service:
+  type: LoadBalancer
+  externalPort: 8899
+persistence:
+  enabled: true
+  existingClaim: chartmuseum-pvc
+ingress:
+  enabled: true
+  hosts:
+    - name: chartmuseum.cluster.edward.sydney
+      tls: true
+      tlsSecret: chartmuseum-tls
+  ingressClassName: nginx
--- a/apps/coder/env/k3s-cluster/kustomization.yaml
+++ b/apps/coder/env/k3s-cluster/kustomization.yaml
@@ -3,6 +3,6 @@ kind: Kustomization
 helmCharts:
  - name: coder
    repo: https://helm.coder.com/v2
-    version: 2.13.1
+    version: 2.15.0
    releaseName: coder
    valuesFile: values.yaml
--- a/apps/coder/env/k3s-cluster/values.yaml
+++ b/apps/coder/env/k3s-cluster/values.yaml
@@ -18,5 +18,11 @@ coder:
    - name: coder-data
      mountPath: /config
  service:
-    type: NodePort
-    httpNodePort: 31180
+    type: ClusterIP
+    annotations:
+      metallb.universe.tf/address-pool: k3s-cluster-ip-pool
+      metallb.universe.tf/allow-shared-ip: k3s-cluster
+  ingress:
+    enable: true
+    className: nginx
+    host: "coder.cluster.edward.sydney"
--- a/apps/ec-config-server/env/k3s-cluster/config.json
+++ b/apps/ec-config-server/env/k3s-cluster/config.json
@@ -0,0 +1,12 @@
+{
+  "appName": "ec-config-server",
+  "userGivenName": "ec-config-server",
+  "namespace": "ec-proj",
+  "destNamespace": "ec-proj",
+  "destServer": "https://kubernetes.default.svc",
+  "srcPath": "apps/ec-config-server/env/k3s-cluster",
+  "srcRepoURL": "https://github.com/3dwardch3ng/home-cluster-ops.git",
+  "srcTargetRevision": "",
+  "labels": null,
+  "annotations": null
+}
--- a/apps/ec-config-server/env/k3s-cluster/kustomization.yaml
+++ b/apps/ec-config-server/env/k3s-cluster/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+helmCharts:
+  - name: ec-config-server
+    repo: https://chartmuseum.cluster.edward.sydney:8899/
+    version: 1.0.12
+    releaseName: ec-config-server
+    valuesFile: values.yaml
--- a/apps/ec-config-server/env/k3s-cluster/values.yaml
+++ b/apps/ec-config-server/env/k3s-cluster/values.yaml
@@ -0,0 +1,9 @@
+environment:
+  configServerAuth:
+    existingSecret: ec-config-server-auth-secrets
+service:
+  type: LoadBalancer
+spring:
+  activeprofile: native,k3s
+persistence:
+  hostPath: /mnt/nfs/AppData/ec-config-server/config
--- a/apps/gitea/env/k3s-cluster/kustomization.yaml
+++ b/apps/gitea/env/k3s-cluster/kustomization.yaml
@@ -3,6 +3,6 @@ kind: Kustomization
 helmCharts:
  - name: gitea
    repo: oci://registry-1.docker.io/bitnamicharts
-    version: 2.3.14
+    version: 2.3.22
    releaseName: gitea
    valuesFile: values.yaml
--- a/apps/gitea/env/k3s-cluster/values.yaml
+++ b/apps/gitea/env/k3s-cluster/values.yaml
@@ -1,4 +1,7 @@
 namespaceOverride: "gitea"
+rootURL: "https://gitea.cluster.edward.sydney"
+updateStrategy:
+  type: Recreate
 podAntiAffinityPreset: ""
 adminUsername: "gitea_admin"
 adminEmail: "edward@cheng.sydney"
@@ -11,12 +14,21 @@ smtpUser: "me@edward.sydney"
 smtpExistingSecret: "gitea-secrets"
 persistence:
  existingClaim: "gitea-pvc"
+resourcesPreset: "xlarge"
+podSecurityContext:
+  fsGroup: 1000
+containerSecurityContext:
+  runAsUser: 1000
+  runAsGroup: 1000
 service:
  ports:
-    http: 10080
-    ssh: 10022
+    http: 10880
+    ssh: 10222
+  annotations:
+    metallb.universe.tf/address-pool: k3s-cluster-ip-pool
+    metallb.universe.tf/allow-shared-ip: k3s-cluster
 ingress:
-  enabled: true
+  enabled: false
  ingressClassName: "nginx"
  hostname: "gitea.cluster.edward.sydney"
 serviceAccount:
@@ -28,3 +40,7 @@ externalDatabase:
  user: "gitea_user"
  existingSecret: "gitea-secrets"
  existingSecretPasswordKey: "db-password"
+nodeSelector:
+  kubernetes.io/os: linux
+  kubernetes.io/arch: amd64
+  kubernetes.io/hostname: k3s-cluster-node-y
--- a/apps/homer/base/deployment.yaml
+++ b/apps/homer/base/deployment.yaml
@@ -39,3 +39,5 @@ spec:
          hostPath:
            path: /mnt/nfs/AppData/homer/www
            type: Directory
+      nodeSelector:
+        kubernetes.io/os: linux
--- a/apps/homer/base/service.yaml
+++ b/apps/homer/base/service.yaml
@@ -3,12 +3,15 @@ kind: Service
 metadata:
  name: homer
  namespace: homer
+  annotations:
+    metallb.universe.tf/address-pool: k3s-cluster-ip-pool
+    metallb.universe.tf/allow-shared-ip: k3s-cluster
  labels:
    app.kubernetes.io/name: homer
 spec:
  selector:
    app.kubernetes.io/name: homer
-  type: ClusterIP
+  type: LoadBalancer
  internalTrafficPolicy: Cluster
  ports:
    - protocol: TCP
--- a/apps/homer/env/k3s-cluster/kustomization.yaml
+++ b/apps/homer/env/k3s-cluster/kustomization.yaml
@@ -2,4 +2,3 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - ../../base
-  - ./ingress.yaml
--- a/apps/jellyfin/env/k3s-cluster/ingress.yaml
+++ b/apps/jellyfin/env/k3s-cluster/ingress.yaml
@@ -9,16 +9,6 @@ metadata:
 spec:
  ingressClassName: nginx
  rules:
-    - host: "jellyfin.cluster.local"
-      http:
-        paths:
-          - pathType: Prefix
-            path: "/"
-            backend:
-              service:
-                name: jellyfin
-                port:
-                  number: 8096
    - host: "jellyfin.cluster.edward.sydney"
      http:
        paths:
--- a/apps/jellyfin/env/k3s-cluster/kustomization.yaml
+++ b/apps/jellyfin/env/k3s-cluster/kustomization.yaml
@@ -2,4 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - ../../base
-  - ./ingress.yaml
+#  - ./ingress.yaml
--- a/apps/kavita/base/deployment.yaml
+++ b/apps/kavita/base/deployment.yaml
@@ -20,7 +20,7 @@ spec:
        app.kubernetes.io/instance: kavita
    spec:
      containers:
-        - image: jvmilazz0/kavita:0.8.1
+        - image: jvmilazz0/kavita:0.8.3
          imagePullPolicy: IfNotPresent
          name: kavita
          ports:
--- a/apps/kubernetes-dashboard/base/kustomization.yaml
+++ b/apps/kubernetes-dashboard/base/kustomization.yaml
@@ -3,6 +3,6 @@ kind: Kustomization
 helmCharts:
  - name: kubernetes-dashboard
    repo: https://kubernetes.github.io/dashboard/
-    version: 7.5.0
+    version: 7.6.1
    releaseName: kubernetes-dashboard
    valuesFile: values.yaml
--- a/apps/nexus/base/deployment.yaml
+++ b/apps/nexus/base/deployment.yaml
@@ -22,10 +22,10 @@ spec:
          resources:
            limits:
              memory: "3Gi"
-              cpu: "1"
+              cpu: "2"
            requests:
              memory: "2Gi"
-              cpu: "500m"
+              cpu: "2"
          ports:
            - containerPort: 8081
          volumeMounts:
@@ -36,3 +36,6 @@ spec:
          hostPath:
            path: /mnt/nfs/AppData/nexus
            type: Directory
+      nodeSelector:
+        kubernetes.io/os: linux
+        kubernetes.io/arch: arm64
--- a/apps/nexus/base/service.yaml
+++ b/apps/nexus/base/service.yaml
@@ -10,8 +10,7 @@ metadata:
 spec:
  selector:
    app: nexus
-  type: NodePort
+  type: LoadBalancer
  ports:
    - port: 8081
      targetPort: 8081
-      nodePort: 32000
--- a/apps/nexus/env/k3s-cluster/ingress.yaml
+++ b/apps/nexus/env/k3s-cluster/ingress.yaml
@@ -1,21 +1,21 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  name: homer-ingress
-  namespace: homer
+  name: nexus-ingress
+  namespace: nexus
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.ingress.kubernetes.io/use-regex: "true"
 spec:
  ingressClassName: nginx
  rules:
-    - host: "home.edward.sydney"
+    - host: "nexus.cluster.edward.sydney"
      http:
        paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
-                name: homer
+                name: nexus
                port:
-                  number: 8088
+                  number: 8081
--- a/apps/plane/base/deployment.yaml
+++ b/apps/plane/base/deployment.yaml
@@ -36,7 +36,7 @@ spec:
      serviceAccount: plane-srv-account
      serviceAccountName: plane-srv-account
      nodeSelector:
-        kubernetes.io/arch: arm64
+        kubernetes.io/os: linux
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -94,7 +94,7 @@ spec:
      serviceAccount: plane-srv-account
      serviceAccountName: plane-srv-account
      nodeSelector:
-        kubernetes.io/arch: arm64
+        kubernetes.io/os: linux
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -143,7 +143,7 @@ spec:
      serviceAccount: plane-srv-account
      serviceAccountName: plane-srv-account
      nodeSelector:
-        kubernetes.io/arch: arm64
+        kubernetes.io/os: linux
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -182,7 +182,7 @@ spec:
      serviceAccount: plane-srv-account
      serviceAccountName: plane-srv-account
      nodeSelector:
-        kubernetes.io/arch: arm64
+        kubernetes.io/os: linux
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -221,7 +221,7 @@ spec:
      serviceAccount: plane-srv-account
      serviceAccountName: plane-srv-account
      nodeSelector:
-        kubernetes.io/arch: arm64
+        kubernetes.io/os: linux
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -270,5 +270,5 @@ spec:
      serviceAccount: plane-srv-account
      serviceAccountName: plane-srv-account
      nodeSelector:
-        kubernetes.io/arch: arm64
+        kubernetes.io/os: linux
 ---
--- a/apps/plane/base/ingress.yaml
+++ b/apps/plane/base/ingress.yaml
@@ -1,46 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  namespace: plane
-  name: plane-ingress
-spec:
-  ingressClassName: nginx
-  rules:
-    - host: plane.cluster.edward.sydney
-      http:
-        paths:
-          - backend:
-              service:
-                port:
-                  number: 3000
-                name: plane-web
-            path: /
-            pathType: Prefix
-          - backend:
-              service:
-                port:
-                  number: 8000
-                name: plane-api
-            path: /api
-            pathType: Prefix
-          - backend:
-              service:
-                port:
-                  number: 8000
-                name: plane-api
-            path: /auth
-            pathType: Prefix
-          - backend:
-              service:
-                port:
-                  number: 3000
-                name: plane-space
-            path: /spaces
-            pathType: Prefix
-          - backend:
-              service:
-                port:
-                  number: 3000
-                name: plane-admin
-            path: /god-mode
-            pathType: Prefix
--- a/apps/plane/base/kustomization.yaml
+++ b/apps/plane/base/kustomization.yaml
@@ -7,4 +7,3 @@ resources:
  - ./deployment.yaml
  - ./stateful-set.yaml
  - ./service.yaml
-  - ./ingress.yaml
--- a/apps/plane/base/service.yaml
+++ b/apps/plane/base/service.yaml
@@ -7,9 +7,10 @@ metadata:
  labels:
    app.name: plane-admin
 spec:
+  type: LoadBalancer
  ports:
    - name: admin-3000
-      port: 3000
+      port: 3333
      protocol: TCP
      targetPort: 3000
  selector:
@@ -23,9 +24,10 @@ metadata:
  labels:
    app.name: plane-api
 spec:
+  type: LoadBalancer
  ports:
    - name: api-8000
-      port: 8000
+      port: 8808
      protocol: TCP
      targetPort: 8000
  selector:
@@ -39,9 +41,10 @@ metadata:
  labels:
    app.name: plane-space
 spec:
+  type: LoadBalancer
  ports:
    - name: space-3000
-      port: 3000
+      port: 3330
      protocol: TCP
      targetPort: 3000
  selector:
@@ -55,9 +58,10 @@ metadata:
  labels:
    app.name: plane-web
 spec:
+  type: LoadBalancer
  ports:
    - name: web-3000
-      port: 3000
+      port: 3033
      protocol: TCP
      targetPort: 3000
  selector:
@@ -71,6 +75,7 @@ metadata:
  labels:
    app.name: plane-redis
 spec:
+  type: LoadBalancer
  ports:
    - name: redis-6379
      port: 6379
--- a/apps/plane/base/stateful-set.yaml
+++ b/apps/plane/base/stateful-set.yaml
@@ -15,7 +15,7 @@ spec:
        app.name: plane-redis
    spec:
      containers:
-        - image: valkey/valkey:7.2.5-alpine
+        - image: valkey/valkey:8.0.0-alpine
          imagePullPolicy: Always
          name: plane-redis
          stdin: true
--- a/apps/plex/base/values.yaml
+++ b/apps/plex/base/values.yaml
@@ -8,6 +8,12 @@ extraEnv:
  PLEX_UID: 1000
  PLEX_GID: 1000
  ALLOWED_NETWORKS: "0.0.0.0/0"
+service:
+  type: LoadBalancer
+  port: 32400
+  annotations:
+    metallb.universe.tf/address-pool: k3s-cluster-ip-pool
+    metallb.universe.tf/allow-shared-ip: k3s-cluster
 extraVolumeMounts:
  - name: plex-tv
    mountPath: /tv
--- a/apps/plex/env/k3s-cluster/config.json.bak
+++ b/apps/plex/env/k3s-cluster/config.json.bak
--- a/apps/qbittorrent/base/service.yaml
+++ b/apps/qbittorrent/base/service.yaml
@@ -3,6 +3,9 @@ kind: Service
 metadata:
  name: qbittorrent
  namespace: qbittorrent
+  annotations:
+    metallb.universe.tf/address-pool: k3s-cluster-ip-pool
+    metallb.universe.tf/allow-shared-ip: k3s-cluster
  labels:
    app.kubernetes.io/name: qbittorrent
 spec:
--- a/apps/rlpa-server/base/deployment.yaml
+++ b/apps/rlpa-server/base/deployment.yaml
@@ -19,7 +19,7 @@ spec:
        runAsGroup: 1000
      containers:
        - name: rlpa-server
-          image: damonto/estkme-cloud:1.0.11
+          image: damonto/estkme-cloud:1.1.0
          securityContext:
            allowPrivilegeEscalation: false
          ports:
--- a/apps/rlpa-server/base/service.yaml
+++ b/apps/rlpa-server/base/service.yaml
@@ -3,12 +3,15 @@ kind: Service
 metadata:
  name: rlpa-server
  namespace: rlpa
+  annotations:
+    metallb.universe.tf/address-pool: k3s-cluster-ip-pool
+    metallb.universe.tf/allow-shared-ip: k3s-cluster
  labels:
    app.kubernetes.io/name: rlpa
 spec:
  selector:
    app.kubernetes.io/name: rlpa
-  type: ClusterIP
+  type: LoadBalancer
  internalTrafficPolicy: Cluster
  ports:
    - protocol: TCP
--- a/apps/snippet-box/base/deployment.yaml
+++ b/apps/snippet-box/base/deployment.yaml
@@ -32,3 +32,6 @@ spec:
          hostPath:
            path: /mnt/nfs/AppData/snippet-box
            type: Directory
+      nodeSelector:
+        kubernetes.io/os: linux
+        kubernetes.io/arch: arm64
--- a/apps/snippet-box/base/ingress.yaml
+++ b/apps/snippet-box/base/ingress.yaml
@@ -1,21 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: snippet-box-ingress
-  namespace: snippet-box
-  annotations:
-    nginx.ingress.kubernetes.io/ssl-redirect: "false"
-    nginx.ingress.kubernetes.io/use-regex: "true"
-spec:
-  ingressClassName: nginx
-  rules:
-    - host: "snippet-box.cluster.edward.sydney"
-      http:
-        paths:
-          - pathType: Prefix
-            path: "/"
-            backend:
-              service:
-                name: snippet-box
-                port:
-                  number: 5000
--- a/apps/snippet-box/base/kustomization.yaml
+++ b/apps/snippet-box/base/kustomization.yaml
@@ -3,4 +3,3 @@ kind: Kustomization
 resources:
  - ./deployment.yaml
  - ./service.yaml
-  - ./ingress.yaml
--- a/apps/snippet-box/base/service.yaml
+++ b/apps/snippet-box/base/service.yaml
@@ -8,10 +8,10 @@ metadata:
 spec:
  selector:
    app.kubernetes.io/name: snippet-box
-  type: ClusterIP
+  type: LoadBalancer
  internalTrafficPolicy: Cluster
  ports:
    - protocol: TCP
-      port: 5000
+      port: 5055
      targetPort: 5000
      name: snippet-box
--- a/apps/sonarqube/env/k3s-cluster/kustomization.yaml
+++ b/apps/sonarqube/env/k3s-cluster/kustomization.yaml
@@ -3,6 +3,6 @@ kind: Kustomization
 helmCharts:
  - name: sonarqube
    repo: oci://registry-1.docker.io/bitnamicharts
-    version: 5.2.10
+    version: 5.2.13
    releaseName: sonarqube
    valuesFile: values.yaml
--- a/apps/sonarqube/env/k3s-cluster/values.yaml
+++ b/apps/sonarqube/env/k3s-cluster/values.yaml
@@ -1,7 +1,9 @@
 priorityClassName: system-cluster-critical
+image:
+  debug: true
 podAntiAffinityPreset: ""
 namespaceOverride: "sonarqube"
-clusterDomain: sonarqube.cluster.edward.sydney
+clusterDomain: cluster.edward.sydney
 sonarqubeUsername: sonarqube
 existingSecret: "sonarqube-secrets"
 sonarqubeEmail: "me@edward.sydney"
@@ -10,22 +12,21 @@ smtpPort: "587"
 smtpUser: "me@edward.sydney"
 smtpProtocol: "TLS"
 smtpExistingSecret: "sonarqube-secrets"
+resourcesPreset: "2xlarge"
 podSecurityContext:
  fsGroup: 1000
 containerSecurityContext:
  runAsUser: 1000
  runAsGroup: 1000
+updateStrategy:
+  type: Recreate
 service:
  ports:
    http: 8090
    elastic: 9091
-  nodePorts:
-    http: 30089
-    elastic: 30091
-ingress:
-  enabled: true
-  ingressClassName: "nginx"
-  hostname: "sonarqube.cluster.edward.sydney"
+  annotations:
+    metallb.universe.tf/address-pool: k3s-cluster-ip-pool
+    metallb.universe.tf/allow-shared-ip: k3s-cluster
 persistence:
  enabled: true
  storageClass: local-path
@@ -40,4 +41,4 @@ externalDatabase:
  user: "sonarqube_user"
  existingSecret: "sonarqube-secrets"
 nodeSelector:
-  kubernetes.io/hostname: k3s-cluster-node-3
+  kubernetes.io/hostname: k3s-cluster-node-y
--- a/apps/stirling-pdf/base/deployment.yaml
+++ b/apps/stirling-pdf/base/deployment.yaml
@@ -16,7 +16,7 @@ spec:
    spec:
      containers:
        - name: stirling-pdf
-          image: frooodle/s-pdf:0.26.1
+          image: frooodle/s-pdf:0.29.0
          securityContext:
            allowPrivilegeEscalation: false
          env:
--- a/apps/stirling-pdf/base/service.yaml
+++ b/apps/stirling-pdf/base/service.yaml
@@ -3,15 +3,18 @@ kind: Service
 metadata:
  name: stirling-pdf
  namespace: stirling-pdf
+  annotations:
+    metallb.universe.tf/address-pool: k3s-cluster-ip-pool
+    metallb.universe.tf/allow-shared-ip: k3s-cluster
  labels:
    app.kubernetes.io/name: stirling-pdf
 spec:
  selector:
    app.kubernetes.io/name: stirling-pdf
-  type: ClusterIP
+  type: LoadBalancer
  internalTrafficPolicy: Cluster
  ports:
    - protocol: TCP
-      port: 8080
+      port: 8880
      targetPort: 8080
      name: http
--- a/apps/stirling-pdf/env/k3s-cluster/kustomization.yaml
+++ b/apps/stirling-pdf/env/k3s-cluster/kustomization.yaml
@@ -2,4 +2,3 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - ../../base
-  - ./ingress.yaml
--- a/apps/trillium/base/service.yaml
+++ b/apps/trillium/base/service.yaml
@@ -3,12 +3,15 @@ kind: Service
 metadata:
  name: trillium
  namespace: trillium
+  annotations:
+    metallb.universe.tf/address-pool: k3s-cluster-ip-pool
+    metallb.universe.tf/allow-shared-ip: k3s-cluster
  labels:
    app.kubernetes.io/name: trillium
 spec:
  selector:
    app.kubernetes.io/name: trillium
-  type: ClusterIP
+  type: LoadBalancer
  internalTrafficPolicy: Cluster
  ports:
    - protocol: TCP
--- a/apps/trillium/env/k3s-cluster/ingress.yaml
+++ b/apps/trillium/env/k3s-cluster/ingress.yaml
@@ -1,21 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: trillium-ingress
-  namespace: trillium
-  annotations:
-    nginx.ingress.kubernetes.io/ssl-redirect: "false"
-    nginx.ingress.kubernetes.io/use-regex: "true"
-spec:
-  ingressClassName: nginx
-  rules:
-    - host: "trillium.cluster.edward.sydney"
-      http:
-        paths:
-          - pathType: Prefix
-            path: "/"
-            backend:
-              service:
-                name: trillium
-                port:
-                  number: 8080
--- a/apps/trillium/env/k3s-cluster/kustomization.yaml
+++ b/apps/trillium/env/k3s-cluster/kustomization.yaml
@@ -2,4 +2,3 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - ../../base
-  - ./ingress.yaml
--- a/apps/vaultwarden/base/deployment.yaml
+++ b/apps/vaultwarden/base/deployment.yaml
@@ -23,7 +23,7 @@ spec:
            runAsNonRoot: true
            runAsGroup: 1000
          name: vaultwarden
-          image: vaultwarden/server:1.31.0
+          image: vaultwarden/server:1.32.0
          env:
            - name: DOMAIN
              value: https://vaultwarden.cluster.edward.sydney
--- a/apps/vaultwarden/base/service.yaml
+++ b/apps/vaultwarden/base/service.yaml
@@ -3,12 +3,15 @@ kind: Service
 metadata:
  name: vaultwarden
  namespace: vaultwarden
+  annotations:
+    metallb.universe.tf/address-pool: k3s-cluster-ip-pool
+    metallb.universe.tf/allow-shared-ip: k3s-cluster
  labels:
    app.kubernetes.io/name: vaultwarden
 spec:
  selector:
    app.kubernetes.io/name: vaultwarden
-  type: ClusterIP
+  type: LoadBalancer
  internalTrafficPolicy: Cluster
  ports:
    - protocol: TCP
--- a/apps/vaultwarden/env/k3s-cluster/ingress.yaml
+++ b/apps/vaultwarden/env/k3s-cluster/ingress.yaml
@@ -1,21 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: vaultwarden-ingress
-  namespace: vaultwarden
-  annotations:
-    nginx.ingress.kubernetes.io/ssl-redirect: "false"
-    nginx.ingress.kubernetes.io/use-regex: "true"
-spec:
-  ingressClassName: nginx
-  rules:
-    - host: "vaultwarden.cluster.edward.sydney"
-      http:
-        paths:
-          - pathType: Prefix
-            path: "/"
-            backend:
-              service:
-                name: vaultwarden
-                port:
-                  number: 11080
--- a/apps/vaultwarden/env/k3s-cluster/kustomization.yaml
+++ b/apps/vaultwarden/env/k3s-cluster/kustomization.yaml
@@ -2,4 +2,3 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - ../../base
-  - ./ingress.yaml
--- a/infrastructures/argo-events/base/cluster-role-binding.yaml
+++ b/infrastructures/argo-events/base/cluster-role-binding.yaml
@@ -0,0 +1,26 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: argo-events-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: argo-events-role
+subjects:
+  - kind: ServiceAccount
+    name: argo-events-sa
+    namespace: argo-events
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: argo-events-webhook-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: argo-events-webhook
+subjects:
+  - kind: ServiceAccount
+    name: argo-events-webhook-sa
+    namespace: argo-events
--- a/infrastructures/argo-events/base/cluster-role.yaml
+++ b/infrastructures/argo-events/base/cluster-role.yaml
@@ -0,0 +1,230 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+  name: argo-events-aggregate-to-admin
+rules:
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - sensors
+      - sensors/finalizers
+      - sensors/status
+      - eventsources
+      - eventsources/finalizers
+      - eventsources/status
+      - eventbus
+      - eventbus/finalizers
+      - eventbus/status
+    verbs:
+      - create
+      - delete
+      - deletecollection
+      - get
+      - list
+      - patch
+      - update
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+  name: argo-events-aggregate-to-edit
+rules:
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - sensors
+      - sensors/finalizers
+      - sensors/status
+      - eventsources
+      - eventsources/finalizers
+      - eventsources/status
+      - eventbus
+      - eventbus/finalizers
+      - eventbus/status
+    verbs:
+      - create
+      - delete
+      - deletecollection
+      - get
+      - list
+      - patch
+      - update
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+  name: argo-events-aggregate-to-view
+rules:
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - sensors
+      - sensors/finalizers
+      - sensors/status
+      - eventsources
+      - eventsources/finalizers
+      - eventsources/status
+      - eventbus
+      - eventbus/finalizers
+      - eventbus/status
+    verbs:
+      - get
+      - list
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: argo-events-role
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - events
+    verbs:
+      - create
+      - patch
+  - apiGroups:
+      - coordination.k8s.io
+    resources:
+      - leases
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - sensors
+      - sensors/finalizers
+      - sensors/status
+      - eventsources
+      - eventsources/finalizers
+      - eventsources/status
+      - eventbus
+      - eventbus/finalizers
+      - eventbus/status
+    verbs:
+      - create
+      - delete
+      - deletecollection
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+      - pods/exec
+      - configmaps
+      - services
+      - persistentvolumeclaims
+    verbs:
+      - create
+      - get
+      - list
+      - watch
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - create
+      - get
+      - list
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - apps
+    resources:
+      - deployments
+      - statefulsets
+    verbs:
+      - create
+      - get
+      - list
+      - watch
+      - update
+      - patch
+      - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: argo-events-webhook
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - list
+      - create
+      - update
+      - delete
+      - patch
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - apps
+    resources:
+      - deployments
+    verbs:
+      - get
+      - list
+  - apiGroups:
+      - admissionregistration.k8s.io
+    resources:
+      - validatingwebhookconfigurations
+    verbs:
+      - get
+      - list
+      - create
+      - update
+      - delete
+      - patch
+      - watch
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - eventbus
+      - eventsources
+      - sensors
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - rbac.authorization.k8s.io
+    resources:
+      - clusterroles
+    verbs:
+      - get
+      - list
--- a/infrastructures/argo-events/base/configmap.yaml
+++ b/infrastructures/argo-events/base/configmap.yaml
@@ -0,0 +1,76 @@
+---
+apiVersion: v1
+data:
+  controller-config.yaml: |
+    eventBus:
+      nats:
+        versions:
+          - version: 0.22.1
+            natsStreamingImage: nats-streaming:0.22.1
+            metricsExporterImage: natsio/prometheus-nats-exporter:0.8.0
+      jetstream:
+        # Default JetStream settings, could be overridden by EventBus JetStream specs
+        settings: |
+          # https://docs.nats.io/running-a-nats-service/configuration#jetstream
+          # Only configure "max_memory_store" or "max_file_store", do not set "store_dir" as it has been hardcoded.
+          # e.g. 1G. -1 means no limit, up to 75% of available memory
+          max_memory_store: -1
+          # e.g. 20G. -1 means no limit, Up to 1TB if available
+          max_file_store: 1TB
+        streamConfig: |
+          # The default properties of the streams to be created in this JetStream service
+          maxMsgs: 50000
+          maxAge: 168h
+          maxBytes: -1
+          replicas: 3
+          duplicates: 300s
+        versions:
+          - version: latest
+            natsImage: nats:2.10.10
+            metricsExporterImage: natsio/prometheus-nats-exporter:0.14.0
+            configReloaderImage: natsio/nats-server-config-reloader:0.14.0
+            startCommand: /nats-server
+          - version: 2.8.1
+            natsImage: nats:2.8.1
+            metricsExporterImage: natsio/prometheus-nats-exporter:0.9.1
+            configReloaderImage: natsio/nats-server-config-reloader:0.7.0
+            startCommand: /nats-server
+          - version: 2.8.1-alpine
+            natsImage: nats:2.8.1-alpine
+            metricsExporterImage: natsio/prometheus-nats-exporter:0.9.1
+            configReloaderImage: natsio/nats-server-config-reloader:0.7.0
+            startCommand: nats-server
+          - version: 2.8.2
+            natsImage: nats:2.8.2
+            metricsExporterImage: natsio/prometheus-nats-exporter:0.9.1
+            configReloaderImage: natsio/nats-server-config-reloader:0.7.0
+            startCommand: /nats-server
+          - version: 2.8.2-alpine
+            natsImage: nats:2.8.2-alpine
+            metricsExporterImage: natsio/prometheus-nats-exporter:0.9.1
+            configReloaderImage: natsio/nats-server-config-reloader:0.7.0
+            startCommand: nats-server
+          - version: 2.9.1
+            natsImage: nats:2.9.1
+            metricsExporterImage: natsio/prometheus-nats-exporter:0.9.1
+            configReloaderImage: natsio/nats-server-config-reloader:0.7.0
+            startCommand: /nats-server
+          - version: 2.9.12
+            natsImage: nats:2.9.12
+            metricsExporterImage: natsio/prometheus-nats-exporter:0.9.1
+            configReloaderImage: natsio/nats-server-config-reloader:0.7.0
+            startCommand: /nats-server
+          - version: 2.9.16
+            natsImage: nats:2.9.16
+            metricsExporterImage: natsio/prometheus-nats-exporter:0.9.1
+            configReloaderImage: natsio/nats-server-config-reloader:0.7.0
+            startCommand: /nats-server
+          - version: 2.10.10
+            natsImage: nats:2.10.10
+            metricsExporterImage: natsio/prometheus-nats-exporter:0.14.0
+            configReloaderImage: natsio/nats-server-config-reloader:0.14.0
+            startCommand: /nats-server
+kind: ConfigMap
+metadata:
+  name: argo-events-controller-config
+  namespace: argo-events
--- a/infrastructures/argo-events/base/custom-resource-definition.yaml
+++ b/infrastructures/argo-events/base/custom-resource-definition.yaml
@@ -0,0 +1,120 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: eventbus.argoproj.io
+spec:
+  group: argoproj.io
+  names:
+    kind: EventBus
+    listKind: EventBusList
+    plural: eventbus
+    shortNames:
+      - eb
+    singular: eventbus
+  scope: Namespaced
+  versions:
+    - name: v1alpha1
+      schema:
+        openAPIV3Schema:
+          properties:
+            apiVersion:
+              type: string
+            kind:
+              type: string
+            metadata:
+              type: object
+            spec:
+              type: object
+              x-kubernetes-preserve-unknown-fields: true
+            status:
+              type: object
+              x-kubernetes-preserve-unknown-fields: true
+          required:
+            - metadata
+            - spec
+          type: object
+      served: true
+      storage: true
+      subresources:
+        status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: eventsources.argoproj.io
+spec:
+  group: argoproj.io
+  names:
+    kind: EventSource
+    listKind: EventSourceList
+    plural: eventsources
+    shortNames:
+      - es
+    singular: eventsource
+  scope: Namespaced
+  versions:
+    - name: v1alpha1
+      schema:
+        openAPIV3Schema:
+          properties:
+            apiVersion:
+              type: string
+            kind:
+              type: string
+            metadata:
+              type: object
+            spec:
+              type: object
+              x-kubernetes-preserve-unknown-fields: true
+            status:
+              type: object
+              x-kubernetes-preserve-unknown-fields: true
+          required:
+            - metadata
+            - spec
+          type: object
+      served: true
+      storage: true
+      subresources:
+        status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: sensors.argoproj.io
+spec:
+  group: argoproj.io
+  names:
+    kind: Sensor
+    listKind: SensorList
+    plural: sensors
+    shortNames:
+      - sn
+    singular: sensor
+  scope: Namespaced
+  versions:
+    - name: v1alpha1
+      schema:
+        openAPIV3Schema:
+          properties:
+            apiVersion:
+              type: string
+            kind:
+              type: string
+            metadata:
+              type: object
+            spec:
+              type: object
+              x-kubernetes-preserve-unknown-fields: true
+            status:
+              type: object
+              x-kubernetes-preserve-unknown-fields: true
+          required:
+            - metadata
+            - spec
+          type: object
+      served: true
+      storage: true
+      subresources:
+        status: {}
--- a/infrastructures/argo-events/base/deployment.yaml
+++ b/infrastructures/argo-events/base/deployment.yaml
@@ -0,0 +1,82 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: argo-events
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: controller-manager
+  template:
+    metadata:
+      labels:
+        app: controller-manager
+    spec:
+      containers:
+        - args:
+            - controller
+          env:
+            - name: ARGO_EVENTS_IMAGE
+              value: quay.io/argoproj/argo-events:v1.9.2
+            - name: NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+          image: quay.io/argoproj/argo-events:v1.9.2
+          imagePullPolicy: Always
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: 8081
+            initialDelaySeconds: 3
+            periodSeconds: 3
+          name: controller-manager
+          readinessProbe:
+            httpGet:
+              path: /readyz
+              port: 8081
+            initialDelaySeconds: 3
+            periodSeconds: 3
+          volumeMounts:
+            - mountPath: /etc/argo-events
+              name: controller-config-volume
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 9731
+      serviceAccountName: argo-events-sa
+      volumes:
+        - configMap:
+            name: argo-events-controller-config
+          name: controller-config-volume
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: events-webhook
+  namespace: argo-events
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: events-webhook
+  template:
+    metadata:
+      labels:
+        app: events-webhook
+    spec:
+      containers:
+        - args:
+            - webhook-service
+          env:
+            - name: NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: PORT
+              value: "443"
+          image: quay.io/argoproj/argo-events:v1.9.2
+          imagePullPolicy: Always
+          name: webhook
+      serviceAccountName: argo-events-webhook-sa
--- a/infrastructures/argo-events/base/kustomization.yaml
+++ b/infrastructures/argo-events/base/kustomization.yaml
@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./custom-resource-definition.yaml
+  - ./service-account.yaml
+  - ./cluster-role.yaml
+  - ./cluster-role-binding.yaml
+  - ./configmap.yaml
+  - ./deployment.yaml
+  - ./service.yaml
--- a/infrastructures/argo-events/base/service-account.yaml
+++ b/infrastructures/argo-events/base/service-account.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: argo-events-sa
+  namespace: argo-events
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: argo-events-webhook-sa
+  namespace: argo-events
--- a/infrastructures/argo-events/base/service.yaml
+++ b/infrastructures/argo-events/base/service.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: events-webhook
+  namespace: argo-events
+spec:
+  ports:
+    - port: 443
+      targetPort: 443
+  selector:
+    app: events-webhook
--- a/infrastructures/argo-events/env/k3s-cluster/config.json
+++ b/infrastructures/argo-events/env/k3s-cluster/config.json
@@ -0,0 +1,14 @@
+{
+  "appName": "argo-events",
+  "userGivenName": "argo-events",
+  "namespace": "argo-events",
+  "destNamespace": "argo-events",
+  "destServer": "https://kubernetes.default.svc",
+  "srcPath": "infrastructures/argo-events/env/k3s-cluster",
+  "srcRepoURL": "https://github.com/3dwardch3ng/home-cluster-ops.git",
+  "srcTargetRevision": "",
+  "labels": null,
+  "annotations": {
+    "argo-events.argoproj.io/release-version": "v1.9.2"
+  }
+}
--- a/infrastructures/argo-events/env/k3s-cluster/examples/event-source.yaml
+++ b/infrastructures/argo-events/env/k3s-cluster/examples/event-source.yaml
@@ -0,0 +1,37 @@
+apiVersion: argoproj.io/v1alpha1
+kind: EventSource
+metadata:
+  name: webhook
+spec:
+  service:
+    ports:
+      - port: 12000
+        targetPort: 12000
+  webhook:
+    # event-source can run multiple HTTP servers. Simply define a unique port to start a new HTTP server
+    example:
+      # port to run HTTP server on
+      port: "12000"
+      # endpoint to listen to
+      endpoint: /example
+      # HTTP request method to allow. In this case, only POST requests are accepted
+      method: POST
+
+#    example-foo:
+#      port: "12000"
+#      endpoint: /example2
+#      method: POST
+
+# Uncomment to use secure webhook
+#    example-secure:
+#      port: "13000"
+#      endpoint: "/secure"
+#      method: "POST"
+#      # k8s secret that contains the cert
+#      serverCertSecret:
+#        name: my-secret
+#        key: cert-key
+#      # k8s secret that contains the private key
+#      serverKeySecret:
+#        name: my-secret
+#        key: pk-key
--- a/infrastructures/argo-events/env/k3s-cluster/examples/eventbus.yaml
+++ b/infrastructures/argo-events/env/k3s-cluster/examples/eventbus.yaml
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: EventBus
+metadata:
+  name: default
+spec:
+  nats:
+    native:
+      # Optional, defaults to 3. If it is < 3, set it to 3, that is the minimal requirement.
+      replicas: 3
+      # Optional, authen strategy, "none" or "token", defaults to "none"
+      auth: token
+#      containerTemplate:
+#        resources:
+#          requests:
+#            cpu: "10m"
+#      metricsContainerTemplate:
+#        resources:
+#          requests:
+#            cpu: "10m"
+#      antiAffinity: false
+#      persistence:
+#        storageClassName: standard
+#        accessMode: ReadWriteOnce
+#        volumeSize: 10Gi
--- a/infrastructures/argo-events/env/k3s-cluster/examples/ingress.yaml
+++ b/infrastructures/argo-events/env/k3s-cluster/examples/ingress.yaml
@@ -1,21 +1,21 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  name: stirling-pdf-ingress
-  namespace: stirling-pdf
+  name: event-example-ingress
+  namespace: argo-events
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.ingress.kubernetes.io/use-regex: "true"
 spec:
  ingressClassName: nginx
  rules:
-    - host: "s-pdf.cluster.edward.sydney"
+    - host: "event-example.cluster.edward.sydney"
      http:
        paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
-                name: stirling-pdf
+                name: webhook-eventsource-svc
                port:
-                  number: 8080
+                  number: 12000
--- a/infrastructures/argo-events/env/k3s-cluster/examples/sensor.yaml
+++ b/infrastructures/argo-events/env/k3s-cluster/examples/sensor.yaml
@@ -0,0 +1,33 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: operate-workflow-sa
+---
+# Similarly you can use a ClusterRole and ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: operate-workflow-role
+rules:
+  - apiGroups:
+      - argoproj.io
+    verbs:
+      - "*"
+    resources:
+      - workflows
+      - workflowtemplates
+      - cronworkflows
+      - clusterworkflowtemplates
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: operate-workflow-role-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: operate-workflow-role
+subjects:
+  - kind: ServiceAccount
+    name: operate-workflow-sa
--- a/infrastructures/argo-events/env/k3s-cluster/examples/webhook.yaml
+++ b/infrastructures/argo-events/env/k3s-cluster/examples/webhook.yaml
@@ -0,0 +1,47 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Sensor
+metadata:
+  name: webhook
+spec:
+  template:
+    serviceAccountName: operate-workflow-sa
+  dependencies:
+    - name: test-dep
+      eventSourceName: webhook
+      eventName: example
+  triggers:
+    - template:
+        name: webhook-workflow-trigger
+        k8s:
+          operation: create
+          source:
+            resource:
+              apiVersion: argoproj.io/v1alpha1
+              kind: Workflow
+              metadata:
+                generateName: webhook-
+              spec:
+                entrypoint: whalesay
+                arguments:
+                  parameters:
+                    - name: message
+                      # the value will get overridden by event payload from test-dep
+                      value: "hello world!"
+                templates:
+                  - name: whalesay
+                    inputs:
+                      parameters:
+                        - name: message
+                    container:
+                      image: docker/whalesay:latest
+                      command: [cowsay]
+                      args: ["{{inputs.parameters.message}}"]
+                nodeSelector:
+                  kubernetes.io/os: linux
+                  kubernetes.io/arch: amd64
+          parameters:
+            - src:
+                dependencyName: test-dep
+                dataKey: body
+              dest: spec.arguments.parameters.0.value
--- a/infrastructures/argo-events/env/k3s-cluster/examples/workflow.yaml
+++ b/infrastructures/argo-events/env/k3s-cluster/examples/workflow.yaml
@@ -0,0 +1,29 @@
+# This file enables a Workflow Pod (running Emissary executor) to be able to read and patch WorkflowTaskResults,
+# which get shared with the Workflow Controller. The Controller uses the results to update Workflow status.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    workflows.argoproj.io/description: |
+      Recomended minimum permissions for the `emissary` executor.
+  name: executor
+rules:
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - workflowtaskresults
+    verbs:
+      - create
+      - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: executor-default
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: executor
+subjects:
+  - kind: ServiceAccount
+    name: default
--- a/infrastructures/argo-events/env/k3s-cluster/kustomization.yaml
+++ b/infrastructures/argo-events/env/k3s-cluster/kustomization.yaml
@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../../base
+#  - ./examples/eventbus.yaml
+#  - ./examples/event-source.yaml
+#  - ./examples/ingress.yaml
+#  - ./examples/sensor.yaml
+#  - ./examples/workflow.yaml
+#  - ./examples/webhook.yaml
--- a/infrastructures/argo-workflows/base/cluster-role-binding.yaml
+++ b/infrastructures/argo-workflows/base/cluster-role-binding.yaml
@@ -0,0 +1,52 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: argo-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: argo-cluster-role
+subjects:
+  - kind: ServiceAccount
+    name: argo
+    namespace: argo
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: argo-clusterworkflowtemplate-role-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: argo-clusterworkflowtemplate-role
+subjects:
+  - kind: ServiceAccount
+    name: argo
+    namespace: argo
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: argo-server-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: argo-server-cluster-role
+subjects:
+  - kind: ServiceAccount
+    name: argo-server
+    namespace: argo
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: argo-server-clusterworkflowtemplate-role-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: argo-server-clusterworkflowtemplate-role
+subjects:
+  - kind: ServiceAccount
+    name: argo-server
+    namespace: argo
--- a/infrastructures/argo-workflows/base/cluster-role.yaml
+++ b/infrastructures/argo-workflows/base/cluster-role.yaml
@@ -0,0 +1,298 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+  name: argo-aggregate-to-admin
+rules:
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - workflows
+      - workflows/finalizers
+      - workfloweventbindings
+      - workfloweventbindings/finalizers
+      - workflowtemplates
+      - workflowtemplates/finalizers
+      - cronworkflows
+      - cronworkflows/finalizers
+      - clusterworkflowtemplates
+      - clusterworkflowtemplates/finalizers
+      - workflowtasksets
+      - workflowtasksets/finalizers
+      - workflowtaskresults
+      - workflowtaskresults/finalizers
+    verbs:
+      - create
+      - delete
+      - deletecollection
+      - get
+      - list
+      - patch
+      - update
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+  name: argo-aggregate-to-edit
+rules:
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - workflows
+      - workflows/finalizers
+      - workfloweventbindings
+      - workfloweventbindings/finalizers
+      - workflowtemplates
+      - workflowtemplates/finalizers
+      - cronworkflows
+      - cronworkflows/finalizers
+      - clusterworkflowtemplates
+      - clusterworkflowtemplates/finalizers
+      - workflowtaskresults
+      - workflowtaskresults/finalizers
+    verbs:
+      - create
+      - delete
+      - deletecollection
+      - get
+      - list
+      - patch
+      - update
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+  name: argo-aggregate-to-view
+rules:
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - workflows
+      - workflows/finalizers
+      - workfloweventbindings
+      - workfloweventbindings/finalizers
+      - workflowtemplates
+      - workflowtemplates/finalizers
+      - cronworkflows
+      - cronworkflows/finalizers
+      - clusterworkflowtemplates
+      - clusterworkflowtemplates/finalizers
+      - workflowtaskresults
+      - workflowtaskresults/finalizers
+    verbs:
+      - get
+      - list
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: argo-cluster-role
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+      - pods/exec
+    verbs:
+      - create
+      - get
+      - list
+      - watch
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - get
+      - watch
+      - list
+  - apiGroups:
+      - ""
+    resources:
+      - persistentvolumeclaims
+      - persistentvolumeclaims/finalizers
+    verbs:
+      - create
+      - update
+      - delete
+      - get
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - workflows
+      - workflows/finalizers
+      - workflowtasksets
+      - workflowtasksets/finalizers
+      - workflowartifactgctasks
+    verbs:
+      - get
+      - list
+      - watch
+      - update
+      - patch
+      - delete
+      - create
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - workflowtemplates
+      - workflowtemplates/finalizers
+      - clusterworkflowtemplates
+      - clusterworkflowtemplates/finalizers
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - workflowtaskresults
+    verbs:
+      - list
+      - watch
+      - deletecollection
+  - apiGroups:
+      - ""
+    resources:
+      - serviceaccounts
+    verbs:
+      - get
+      - list
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - cronworkflows
+      - cronworkflows/finalizers
+    verbs:
+      - get
+      - list
+      - watch
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - ""
+    resources:
+      - events
+    verbs:
+      - create
+      - patch
+  - apiGroups:
+      - policy
+    resources:
+      - poddisruptionbudgets
+    verbs:
+      - create
+      - get
+      - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: argo-clusterworkflowtemplate-role
+rules:
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - clusterworkflowtemplates
+      - clusterworkflowtemplates/finalizers
+    verbs:
+      - get
+      - list
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: argo-server-cluster-role
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - get
+      - watch
+      - list
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - create
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+      - pods/exec
+      - pods/log
+    verbs:
+      - get
+      - list
+      - watch
+      - delete
+  - apiGroups:
+      - ""
+    resources:
+      - events
+    verbs:
+      - watch
+      - create
+      - patch
+  - apiGroups:
+      - ""
+    resources:
+      - serviceaccounts
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - eventsources
+      - sensors
+      - workflows
+      - workfloweventbindings
+      - workflowtemplates
+      - cronworkflows
+      - clusterworkflowtemplates
+    verbs:
+      - create
+      - get
+      - list
+      - watch
+      - update
+      - patch
+      - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: argo-server-clusterworkflowtemplate-role
+rules:
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - clusterworkflowtemplates
+      - clusterworkflowtemplates/finalizers
+    verbs:
+      - create
+      - delete
+      - watch
+      - get
+      - list
+      - watch
--- a/infrastructures/argo-workflows/base/configmap.yaml
+++ b/infrastructures/argo-workflows/base/configmap.yaml
@@ -0,0 +1,110 @@
+---
+apiVersion: v1
+data:
+  artifactRepository: |
+    s3:
+      bucket: argo-workflows
+      endpoint: minio.minio.svc.cluster.local:19000
+      insecure: true
+      accessKeySecret:
+        name: argo-workflows-minio-cred
+        key: accesskey
+      secretKeySecret:
+        name: argo-workflows-minio-cred
+        key: secretkey
+  columns: |
+    - name: Workflow Completed
+      type: label
+      key: workflows.argoproj.io/completed
+  executor: |
+    resources:
+      requests:
+        cpu: 10m
+        memory: 64Mi
+  images: |
+    docker/whalesay:v3.5.10:
+       cmd: [cowsay]
+  links: |
+    - name: Workflow Link
+      scope: workflow
+      url: http://logging-facility?namespace=${metadata.namespace}&workflowName=${metadata.name}&startedAt=${status.startedAt}&finishedAt=${status.finishedAt}
+    - name: Pod Link
+      scope: pod
+      url: http://logging-facility?namespace=${metadata.namespace}&podName=${metadata.name}&startedAt=${status.startedAt}&finishedAt=${status.finishedAt}
+    - name: Pod Logs Link
+      scope: pod-logs
+      url: http://logging-facility?namespace=${metadata.namespace}&podName=${metadata.name}&startedAt=${status.startedAt}&finishedAt=${status.finishedAt}
+    - name: Event Source Logs Link
+      scope: event-source-logs
+      url: http://logging-facility?namespace=${metadata.namespace}&podName=${metadata.name}&startedAt=${status.startedAt}&finishedAt=${status.finishedAt}
+    - name: Sensor Logs Link
+      scope: sensor-logs
+      url: http://logging-facility?namespace=${metadata.namespace}&podName=${metadata.name}&startedAt=${status.startedAt}&finishedAt=${status.finishedAt}
+    - name: Completed Workflows
+      scope: workflow-list
+      url: http://workflows?label=workflows.argoproj.io/completed=true
+  metricsConfig: |
+    enabled: true
+    path: /metrics
+    port: 9090
+  namespaceParallelism: "10"
+  persistence: |
+    connectionPool:
+      maxIdleConns: 100
+      maxOpenConns: 0
+      connMaxLifetime: 0s
+    nodeStatusOffLoad: true
+    archive: true
+    archiveTTL: 7d
+    postgresql:
+      host: postgresql-primary.argocd.svc.cluster.local
+      port: 5432
+      database: argo_workflows
+      tableName: argo_workflows
+      userNameSecret:
+        name: argo-workflows-postgres-config
+        key: username
+      passwordSecret:
+        name: argo-workflows-postgres-config
+        key: password
+  retentionPolicy: |
+    completed: 10
+    failed: 3
+    errored: 3
+kind: ConfigMap
+metadata:
+  name: workflow-controller-configmap
+  namespace: argo
+---
+apiVersion: v1
+data:
+  default-v1: |
+    archiveLogs: true
+    s3:
+      bucket: argo-workflows
+      endpoint: minio.minio.svc.cluster.local:19000
+      insecure: true
+      accessKeySecret:
+        name: argo-workflows-minio-cred
+        key: accesskey
+      secretKeySecret:
+        name: argo-workflows-minio-cred
+        key: secretkey
+  empty: ""
+  my-key: |
+    archiveLogs: true
+    s3:
+      bucket: argo-workflows
+      endpoint: minio.minio.svc.cluster.local:19000
+      insecure: true
+      accessKeySecret:
+        name: argo-workflows-minio-cred
+        key: accesskey
+      secretKeySecret:
+        name: argo-workflows-minio-cred
+        key: secretkey
+kind: ConfigMap
+metadata:
+  annotations:
+    workflows.argoproj.io/default-artifact-repository: default-v1
+  name: artifact-repositories
--- a/infrastructures/argo-workflows/base/custom-resource-definition.yaml
+++ b/infrastructures/argo-workflows/base/custom-resource-definition.yaml
@@ -0,0 +1,888 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: clusterworkflowtemplates.argoproj.io
+spec:
+  group: argoproj.io
+  names:
+    kind: ClusterWorkflowTemplate
+    listKind: ClusterWorkflowTemplateList
+    plural: clusterworkflowtemplates
+    shortNames:
+      - clusterwftmpl
+      - cwft
+    singular: clusterworkflowtemplate
+  scope: Cluster
+  versions:
+    - name: v1alpha1
+      schema:
+        openAPIV3Schema:
+          properties:
+            apiVersion:
+              type: string
+            kind:
+              type: string
+            metadata:
+              type: object
+            spec:
+              type: object
+              x-kubernetes-map-type: atomic
+              x-kubernetes-preserve-unknown-fields: true
+          required:
+            - metadata
+            - spec
+          type: object
+      served: true
+      storage: true
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: cronworkflows.argoproj.io
+spec:
+  group: argoproj.io
+  names:
+    kind: CronWorkflow
+    listKind: CronWorkflowList
+    plural: cronworkflows
+    shortNames:
+      - cwf
+      - cronwf
+    singular: cronworkflow
+  scope: Namespaced
+  versions:
+    - name: v1alpha1
+      schema:
+        openAPIV3Schema:
+          properties:
+            apiVersion:
+              type: string
+            kind:
+              type: string
+            metadata:
+              type: object
+            spec:
+              type: object
+              x-kubernetes-map-type: atomic
+              x-kubernetes-preserve-unknown-fields: true
+            status:
+              type: object
+              x-kubernetes-map-type: atomic
+              x-kubernetes-preserve-unknown-fields: true
+          required:
+            - metadata
+            - spec
+          type: object
+      served: true
+      storage: true
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: workflowartifactgctasks.argoproj.io
+spec:
+  group: argoproj.io
+  names:
+    kind: WorkflowArtifactGCTask
+    listKind: WorkflowArtifactGCTaskList
+    plural: workflowartifactgctasks
+    shortNames:
+      - wfat
+    singular: workflowartifactgctask
+  scope: Namespaced
+  versions:
+    - name: v1alpha1
+      schema:
+        openAPIV3Schema:
+          properties:
+            apiVersion:
+              type: string
+            kind:
+              type: string
+            metadata:
+              type: object
+            spec:
+              type: object
+              x-kubernetes-map-type: atomic
+              x-kubernetes-preserve-unknown-fields: true
+            status:
+              type: object
+              x-kubernetes-map-type: atomic
+              x-kubernetes-preserve-unknown-fields: true
+          required:
+            - metadata
+            - spec
+          type: object
+      served: true
+      storage: true
+      subresources:
+        status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: workfloweventbindings.argoproj.io
+spec:
+  group: argoproj.io
+  names:
+    kind: WorkflowEventBinding
+    listKind: WorkflowEventBindingList
+    plural: workfloweventbindings
+    shortNames:
+      - wfeb
+    singular: workfloweventbinding
+  scope: Namespaced
+  versions:
+    - name: v1alpha1
+      schema:
+        openAPIV3Schema:
+          properties:
+            apiVersion:
+              type: string
+            kind:
+              type: string
+            metadata:
+              type: object
+            spec:
+              type: object
+              x-kubernetes-map-type: atomic
+              x-kubernetes-preserve-unknown-fields: true
+          required:
+            - metadata
+            - spec
+          type: object
+      served: true
+      storage: true
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: workflows.argoproj.io
+spec:
+  group: argoproj.io
+  names:
+    kind: Workflow
+    listKind: WorkflowList
+    plural: workflows
+    shortNames:
+      - wf
+    singular: workflow
+  scope: Namespaced
+  versions:
+    - additionalPrinterColumns:
+        - description: Status of the workflow
+          jsonPath: .status.phase
+          name: Status
+          type: string
+        - description: When the workflow was started
+          format: date-time
+          jsonPath: .status.startedAt
+          name: Age
+          type: date
+        - description: Human readable message indicating details about why the workflow
+            is in this condition.
+          jsonPath: .status.message
+          name: Message
+          type: string
+      name: v1alpha1
+      schema:
+        openAPIV3Schema:
+          properties:
+            apiVersion:
+              type: string
+            kind:
+              type: string
+            metadata:
+              type: object
+            spec:
+              type: object
+              x-kubernetes-map-type: atomic
+              x-kubernetes-preserve-unknown-fields: true
+            status:
+              type: object
+              x-kubernetes-map-type: atomic
+              x-kubernetes-preserve-unknown-fields: true
+          required:
+            - metadata
+            - spec
+          type: object
+      served: true
+      storage: true
+      subresources: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: workflowtaskresults.argoproj.io
+spec:
+  group: argoproj.io
+  names:
+    kind: WorkflowTaskResult
+    listKind: WorkflowTaskResultList
+    plural: workflowtaskresults
+    singular: workflowtaskresult
+  scope: Namespaced
+  versions:
+    - name: v1alpha1
+      schema:
+        openAPIV3Schema:
+          properties:
+            apiVersion:
+              type: string
+            kind:
+              type: string
+            message:
+              type: string
+            metadata:
+              type: object
+            outputs:
+              properties:
+                artifacts:
+                  items:
+                    properties:
+                      archive:
+                        properties:
+                          none:
+                            type: object
+                          tar:
+                            properties:
+                              compressionLevel:
+                                format: int32
+                                type: integer
+                            type: object
+                          zip:
+                            type: object
+                        type: object
+                      archiveLogs:
+                        type: boolean
+                      artifactGC:
+                        properties:
+                          podMetadata:
+                            properties:
+                              annotations:
+                                additionalProperties:
+                                  type: string
+                                type: object
+                              labels:
+                                additionalProperties:
+                                  type: string
+                                type: object
+                            type: object
+                          serviceAccountName:
+                            type: string
+                          strategy:
+                            enum:
+                              - ""
+                              - OnWorkflowCompletion
+                              - OnWorkflowDeletion
+                              - Never
+                            type: string
+                        type: object
+                      artifactory:
+                        properties:
+                          passwordSecret:
+                            properties:
+                              key:
+                                type: string
+                              name:
+                                type: string
+                              optional:
+                                type: boolean
+                            required:
+                              - key
+                            type: object
+                          url:
+                            type: string
+                          usernameSecret:
+                            properties:
+                              key:
+                                type: string
+                              name:
+                                type: string
+                              optional:
+                                type: boolean
+                            required:
+                              - key
+                            type: object
+                        required:
+                          - url
+                        type: object
+                      azure:
+                        properties:
+                          accountKeySecret:
+                            properties:
+                              key:
+                                type: string
+                              name:
+                                type: string
+                              optional:
+                                type: boolean
+                            required:
+                              - key
+                            type: object
+                          blob:
+                            type: string
+                          container:
+                            type: string
+                          endpoint:
+                            type: string
+                          useSDKCreds:
+                            type: boolean
+                        required:
+                          - blob
+                          - container
+                          - endpoint
+                        type: object
+                      deleted:
+                        type: boolean
+                      from:
+                        type: string
+                      fromExpression:
+                        type: string
+                      gcs:
+                        properties:
+                          bucket:
+                            type: string
+                          key:
+                            type: string
+                          serviceAccountKeySecret:
+                            properties:
+                              key:
+                                type: string
+                              name:
+                                type: string
+                              optional:
+                                type: boolean
+                            required:
+                              - key
+                            type: object
+                        required:
+                          - key
+                        type: object
+                      git:
+                        properties:
+                          branch:
+                            type: string
+                          depth:
+                            format: int64
+                            type: integer
+                          disableSubmodules:
+                            type: boolean
+                          fetch:
+                            items:
+                              type: string
+                            type: array
+                          insecureIgnoreHostKey:
+                            type: boolean
+                          passwordSecret:
+                            properties:
+                              key:
+                                type: string
+                              name:
+                                type: string
+                              optional:
+                                type: boolean
+                            required:
+                              - key
+                            type: object
+                          repo:
+                            type: string
+                          revision:
+                            type: string
+                          singleBranch:
+                            type: boolean
+                          sshPrivateKeySecret:
+                            properties:
+                              key:
+                                type: string
+                              name:
+                                type: string
+                              optional:
+                                type: boolean
+                            required:
+                              - key
+                            type: object
+                          usernameSecret:
+                            properties:
+                              key:
+                                type: string
+                              name:
+                                type: string
+                              optional:
+                                type: boolean
+                            required:
+                              - key
+                            type: object
+                        required:
+                          - repo
+                        type: object
+                      globalName:
+                        type: string
+                      hdfs:
+                        properties:
+                          addresses:
+                            items:
+                              type: string
+                            type: array
+                          force:
+                            type: boolean
+                          hdfsUser:
+                            type: string
+                          krbCCacheSecret:
+                            properties:
+                              key:
+                                type: string
+                              name:
+                                type: string
+                              optional:
+                                type: boolean
+                            required:
+                              - key
+                            type: object
+                          krbConfigConfigMap:
+                            properties:
+                              key:
+                                type: string
+                              name:
+                                type: string
+                              optional:
+                                type: boolean
+                            required:
+                              - key
+                            type: object
+                          krbKeytabSecret:
+                            properties:
+                              key:
+                                type: string
+                              name:
+                                type: string
+                              optional:
+                                type: boolean
+                            required:
+                              - key
+                            type: object
+                          krbRealm:
+                            type: string
+                          krbServicePrincipalName:
+                            type: string
+                          krbUsername:
+                            type: string
+                          path:
+                            type: string
+                        required:
+                          - path
+                        type: object
+                      http:
+                        properties:
+                          auth:
+                            properties:
+                              basicAuth:
+                                properties:
+                                  passwordSecret:
+                                    properties:
+                                      key:
+                                        type: string
+                                      name:
+                                        type: string
+                                      optional:
+                                        type: boolean
+                                    required:
+                                      - key
+                                    type: object
+                                  usernameSecret:
+                                    properties:
+                                      key:
+                                        type: string
+                                      name:
+                                        type: string
+                                      optional:
+                                        type: boolean
+                                    required:
+                                      - key
+                                    type: object
+                                type: object
+                              clientCert:
+                                properties:
+                                  clientCertSecret:
+                                    properties:
+                                      key:
+                                        type: string
+                                      name:
+                                        type: string
+                                      optional:
+                                        type: boolean
+                                    required:
+                                      - key
+                                    type: object
+                                  clientKeySecret:
+                                    properties:
+                                      key:
+                                        type: string
+                                      name:
+                                        type: string
+                                      optional:
+                                        type: boolean
+                                    required:
+                                      - key
+                                    type: object
+                                type: object
+                              oauth2:
+                                properties:
+                                  clientIDSecret:
+                                    properties:
+                                      key:
+                                        type: string
+                                      name:
+                                        type: string
+                                      optional:
+                                        type: boolean
+                                    required:
+                                      - key
+                                    type: object
+                                  clientSecretSecret:
+                                    properties:
+                                      key:
+                                        type: string
+                                      name:
+                                        type: string
+                                      optional:
+                                        type: boolean
+                                    required:
+                                      - key
+                                    type: object
+                                  endpointParams:
+                                    items:
+                                      properties:
+                                        key:
+                                          type: string
+                                        value:
+                                          type: string
+                                      required:
+                                        - key
+                                      type: object
+                                    type: array
+                                  scopes:
+                                    items:
+                                      type: string
+                                    type: array
+                                  tokenURLSecret:
+                                    properties:
+                                      key:
+                                        type: string
+                                      name:
+                                        type: string
+                                      optional:
+                                        type: boolean
+                                    required:
+                                      - key
+                                    type: object
+                                type: object
+                            type: object
+                          headers:
+                            items:
+                              properties:
+                                name:
+                                  type: string
+                                value:
+                                  type: string
+                              required:
+                                - name
+                                - value
+                              type: object
+                            type: array
+                          url:
+                            type: string
+                        required:
+                          - url
+                        type: object
+                      mode:
+                        format: int32
+                        type: integer
+                      name:
+                        type: string
+                      optional:
+                        type: boolean
+                      oss:
+                        properties:
+                          accessKeySecret:
+                            properties:
+                              key:
+                                type: string
+                              name:
+                                type: string
+                              optional:
+                                type: boolean
+                            required:
+                              - key
+                            type: object
+                          bucket:
+                            type: string
+                          createBucketIfNotPresent:
+                            type: boolean
+                          endpoint:
+                            type: string
+                          key:
+                            type: string
+                          lifecycleRule:
+                            properties:
+                              markDeletionAfterDays:
+                                format: int32
+                                type: integer
+                              markInfrequentAccessAfterDays:
+                                format: int32
+                                type: integer
+                            type: object
+                          secretKeySecret:
+                            properties:
+                              key:
+                                type: string
+                              name:
+                                type: string
+                              optional:
+                                type: boolean
+                            required:
+                              - key
+                            type: object
+                          securityToken:
+                            type: string
+                          useSDKCreds:
+                            type: boolean
+                        required:
+                          - key
+                        type: object
+                      path:
+                        type: string
+                      raw:
+                        properties:
+                          data:
+                            type: string
+                        required:
+                          - data
+                        type: object
+                      recurseMode:
+                        type: boolean
+                      s3:
+                        properties:
+                          accessKeySecret:
+                            properties:
+                              key:
+                                type: string
+                              name:
+                                type: string
+                              optional:
+                                type: boolean
+                            required:
+                              - key
+                            type: object
+                          bucket:
+                            type: string
+                          caSecret:
+                            properties:
+                              key:
+                                type: string
+                              name:
+                                type: string
+                              optional:
+                                type: boolean
+                            required:
+                              - key
+                            type: object
+                          createBucketIfNotPresent:
+                            properties:
+                              objectLocking:
+                                type: boolean
+                            type: object
+                          encryptionOptions:
+                            properties:
+                              enableEncryption:
+                                type: boolean
+                              kmsEncryptionContext:
+                                type: string
+                              kmsKeyId:
+                                type: string
+                              serverSideCustomerKeySecret:
+                                properties:
+                                  key:
+                                    type: string
+                                  name:
+                                    type: string
+                                  optional:
+                                    type: boolean
+                                required:
+                                  - key
+                                type: object
+                            type: object
+                          endpoint:
+                            type: string
+                          insecure:
+                            type: boolean
+                          key:
+                            type: string
+                          region:
+                            type: string
+                          roleARN:
+                            type: string
+                          secretKeySecret:
+                            properties:
+                              key:
+                                type: string
+                              name:
+                                type: string
+                              optional:
+                                type: boolean
+                            required:
+                              - key
+                            type: object
+                          useSDKCreds:
+                            type: boolean
+                        type: object
+                      subPath:
+                        type: string
+                    required:
+                      - name
+                    type: object
+                  type: array
+                exitCode:
+                  type: string
+                parameters:
+                  items:
+                    properties:
+                      default:
+                        type: string
+                      description:
+                        type: string
+                      enum:
+                        items:
+                          type: string
+                        type: array
+                      globalName:
+                        type: string
+                      name:
+                        type: string
+                      value:
+                        type: string
+                      valueFrom:
+                        properties:
+                          configMapKeyRef:
+                            properties:
+                              key:
+                                type: string
+                              name:
+                                type: string
+                              optional:
+                                type: boolean
+                            required:
+                              - key
+                            type: object
+                          default:
+                            type: string
+                          event:
+                            type: string
+                          expression:
+                            type: string
+                          jqFilter:
+                            type: string
+                          jsonPath:
+                            type: string
+                          parameter:
+                            type: string
+                          path:
+                            type: string
+                          supplied:
+                            type: object
+                        type: object
+                    required:
+                      - name
+                    type: object
+                  type: array
+                result:
+                  type: string
+              type: object
+            phase:
+              type: string
+            progress:
+              type: string
+          required:
+            - metadata
+          type: object
+      served: true
+      storage: true
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: workflowtasksets.argoproj.io
+spec:
+  group: argoproj.io
+  names:
+    kind: WorkflowTaskSet
+    listKind: WorkflowTaskSetList
+    plural: workflowtasksets
+    shortNames:
+      - wfts
+    singular: workflowtaskset
+  scope: Namespaced
+  versions:
+    - name: v1alpha1
+      schema:
+        openAPIV3Schema:
+          properties:
+            apiVersion:
+              type: string
+            kind:
+              type: string
+            metadata:
+              type: object
+            spec:
+              type: object
+              x-kubernetes-map-type: atomic
+              x-kubernetes-preserve-unknown-fields: true
+            status:
+              type: object
+              x-kubernetes-map-type: atomic
+              x-kubernetes-preserve-unknown-fields: true
+          required:
+            - metadata
+            - spec
+          type: object
+      served: true
+      storage: true
+      subresources:
+        status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: workflowtemplates.argoproj.io
+spec:
+  group: argoproj.io
+  names:
+    kind: WorkflowTemplate
+    listKind: WorkflowTemplateList
+    plural: workflowtemplates
+    shortNames:
+      - wftmpl
+    singular: workflowtemplate
+  scope: Namespaced
+  versions:
+    - name: v1alpha1
+      schema:
+        openAPIV3Schema:
+          properties:
+            apiVersion:
+              type: string
+            kind:
+              type: string
+            metadata:
+              type: object
+            spec:
+              type: object
+              x-kubernetes-map-type: atomic
+              x-kubernetes-preserve-unknown-fields: true
+          required:
+            - metadata
+            - spec
+          type: object
+      served: true
+      storage: true
--- a/infrastructures/argo-workflows/base/deployment.yaml
+++ b/infrastructures/argo-workflows/base/deployment.yaml
@@ -0,0 +1,142 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: argo-server
+  namespace: argo
+spec:
+  selector:
+    matchLabels:
+      app: argo-server
+  template:
+    metadata:
+      labels:
+        app: argo-server
+    spec:
+      containers:
+        - args:
+            - server
+            - --auth-mode
+            - server
+            - --auth-mode
+            - client
+          env: []
+          image: quay.io/argoproj/argocli:v3.5.11
+          name: argo-server
+          ports:
+            - containerPort: 2746
+              name: web
+          readinessProbe:
+            httpGet:
+              path: /
+              port: 2746
+              scheme: HTTPS
+            initialDelaySeconds: 10
+            periodSeconds: 20
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+          volumeMounts:
+            - mountPath: /tmp
+              name: tmp
+      nodeSelector:
+        kubernetes.io/os: linux
+        kubernetes.io/arch: amd64
+      securityContext:
+        runAsNonRoot: true
+      serviceAccountName: argo-server
+      volumes:
+        - emptyDir: {}
+          name: tmp
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: workflow-controller
+  namespace: argo
+spec:
+  selector:
+    matchLabels:
+      app: workflow-controller
+  template:
+    metadata:
+      labels:
+        app: workflow-controller
+    spec:
+      containers:
+        - args: []
+          command:
+            - workflow-controller
+          env:
+            - name: LEADER_ELECTION_IDENTITY
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: metadata.name
+          image: quay.io/argoproj/workflow-controller:v3.5.11
+          livenessProbe:
+            failureThreshold: 3
+            httpGet:
+              path: /healthz
+              port: 6060
+            initialDelaySeconds: 90
+            periodSeconds: 60
+            timeoutSeconds: 30
+          name: workflow-controller
+          ports:
+            - containerPort: 9090
+              name: metrics
+            - containerPort: 6060
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+      nodeSelector:
+        kubernetes.io/os: linux
+        kubernetes.io/arch: amd64
+      priorityClassName: workflow-controller
+      securityContext:
+        runAsNonRoot: true
+      serviceAccountName: argo
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: httpbin
+  name: httpbin
+spec:
+  selector:
+    matchLabels:
+      app: httpbin
+  template:
+    metadata:
+      labels:
+        app: httpbin
+    spec:
+      automountServiceAccountToken: false
+      containers:
+        - image: kong/httpbin
+          livenessProbe:
+            httpGet:
+              path: /get
+              port: 80
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          name: main
+          ports:
+            - containerPort: 80
+              name: api
+          readinessProbe:
+            httpGet:
+              path: /get
+              port: 80
+            initialDelaySeconds: 5
+            periodSeconds: 10
--- a/infrastructures/argo-workflows/base/kustomization.yaml
+++ b/infrastructures/argo-workflows/base/kustomization.yaml
@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./custom-resource-definition.yaml
+  - ./service-account.yaml
+  - ./role.yaml
+  - ./cluster-role.yaml
+  - ./role-binding.yaml
+  - ./cluster-role-binding.yaml
+  - ./configmap.yaml
+  - ./secret.yaml
+  - ./service.yaml
+  - ./priority-class.yaml
+  - ./deployment.yaml
--- a/infrastructures/argo-workflows/base/priority-class.yaml
+++ b/infrastructures/argo-workflows/base/priority-class.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: scheduling.k8s.io/v1
+kind: PriorityClass
+metadata:
+  name: workflow-controller
+value: 1000000
--- a/infrastructures/argo-workflows/base/role-binding.yaml
+++ b/infrastructures/argo-workflows/base/role-binding.yaml
@@ -0,0 +1,87 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: argo-binding
+  namespace: argo
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: argo-role
+subjects:
+  - kind: ServiceAccount
+    name: argo
+    namespace: argo
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: agent-default
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: agent
+subjects:
+  - kind: ServiceAccount
+    name: default
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: artifactgc-default
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: artifactgc
+subjects:
+  - kind: ServiceAccount
+    name: default
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: executor-default
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: executor
+subjects:
+  - kind: ServiceAccount
+    name: default
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: github.com
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: submit-workflow-template
+subjects:
+  - kind: ServiceAccount
+    name: github.com
+    namespace: argo
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: pod-manager-default
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: pod-manager
+subjects:
+  - kind: ServiceAccount
+    name: default
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: workflow-manager-default
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: workflow-manager
+subjects:
+  - kind: ServiceAccount
+    name: default
--- a/infrastructures/argo-workflows/base/role.yaml
+++ b/infrastructures/argo-workflows/base/role.yaml
@@ -0,0 +1,142 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: argo-role
+  namespace: argo
+rules:
+  - apiGroups:
+      - coordination.k8s.io
+    resources:
+      - leases
+    verbs:
+      - create
+      - get
+      - update
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    workflows.argoproj.io/description: |
+      This is the minimum recommended permissions needed if you want to use the agent, e.g. for HTTP or plugin templates.
+
+      If <= v3.2 you must replace `workflowtasksets/status` with `patch workflowtasksets`.
+  name: agent
+rules:
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - workflowtasksets
+    verbs:
+      - list
+      - watch
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - workflowtasksets/status
+    verbs:
+      - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    workflows.argoproj.io/description: |
+      This is the minimum recommended permissions needed if you want to use artifact GC.
+  name: artifactgc
+rules:
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - workflowartifactgctasks
+    verbs:
+      - list
+      - watch
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - workflowartifactgctasks/status
+    verbs:
+      - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    workflows.argoproj.io/description: |
+      Recomended minimum permissions for the `emissary` executor.
+  name: executor
+rules:
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - workflowtaskresults
+    verbs:
+      - create
+      - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    workflows.argoproj.io/description: |
+      This is an example of the permissions you would need if you wanted to use a resource template to create and manage
+      other pods. The same pattern would be suitable for other resurces, e.g. a service
+  name: pod-manager
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+    verbs:
+      - create
+      - get
+      - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: submit-workflow-template
+rules:
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - workfloweventbindings
+    verbs:
+      - list
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - workflowtemplates
+    verbs:
+      - get
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - workflows
+    verbs:
+      - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    workflows.argoproj.io/description: |
+      This is an example of the permissions you would need if you wanted to use a resource template to create and manage
+      other workflows. The same pattern would be suitable for other resurces, e.g. a service
+  name: workflow-manager
+rules:
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - workflows
+    verbs:
+      - create
+      - get
--- a/infrastructures/argo-workflows/base/secret.yaml
+++ b/infrastructures/argo-workflows/base/secret.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    kubernetes.io/service-account.name: default
+  name: default.service-account-token
+type: kubernetes.io/service-account-token
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    kubernetes.io/service-account.name: github.com
+  name: github.com.service-account-token
+type: kubernetes.io/service-account-token
--- a/infrastructures/argo-workflows/base/service-account.yaml
+++ b/infrastructures/argo-workflows/base/service-account.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: argo
+  namespace: argo
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: argo-server
+  namespace: argo
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: github.com
--- a/infrastructures/argo-workflows/base/service.yaml
+++ b/infrastructures/argo-workflows/base/service.yaml
@@ -0,0 +1,32 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    metallb.universe.tf/address-pool: k3s-cluster-ip-pool
+    metallb.universe.tf/allow-shared-ip: k3s-cluster
+  name: argo-server
+  namespace: argo
+spec:
+  type: LoadBalancer
+  ports:
+    - name: web
+      port: 2746
+      targetPort: 2746
+  selector:
+    app: argo-server
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: httpbin
+  name: httpbin
+spec:
+  ports:
+    - name: api
+      port: 9100
+      protocol: TCP
+      targetPort: 80
+  selector:
+    app: httpbin
--- a/infrastructures/argo-workflows/env/k3s-cluster/config.json
+++ b/infrastructures/argo-workflows/env/k3s-cluster/config.json
@@ -0,0 +1,14 @@
+{
+  "appName": "argo-workflows",
+  "userGivenName": "argo-workflows",
+  "namespace": "argo",
+  "destNamespace": "argo",
+  "destServer": "https://kubernetes.default.svc",
+  "srcPath": "infrastructures/argo-workflows/env/k3s-cluster",
+  "srcRepoURL": "https://github.com/3dwardch3ng/home-cluster-ops.git",
+  "srcTargetRevision": "",
+  "labels": null,
+  "annotations": {
+    "argo-workflows.argoproj.io/release-version": "v3.5.10"
+  }
+}
--- a/infrastructures/argo-workflows/env/k3s-cluster/kustomization.yaml
+++ b/infrastructures/argo-workflows/env/k3s-cluster/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../../base
--- a/infrastructures/cert-manager/base/kustomization.yaml
+++ b/infrastructures/cert-manager/base/kustomization.yaml
@@ -3,6 +3,6 @@ kind: Kustomization
 helmCharts:
  - name: cert-manager
    repo: https://charts.jetstack.io
-    version: v1.15.1
+    version: v1.15.3
    releaseName: cert-manager
    valuesFile: values.yaml
--- a/infrastructures/ingress-nginx/base/kustomization.yaml
+++ b/infrastructures/ingress-nginx/base/kustomization.yaml
@@ -3,6 +3,6 @@ kind: Kustomization
 helmCharts:
  - name: ingress-nginx
    repo: https://kubernetes.github.io/ingress-nginx
-    version: 4.10.1
+    version: 4.11.2
    releaseName: ingress-nginx
    valuesFile: values.yaml
--- a/infrastructures/ingress-nginx/base/values.yaml
+++ b/infrastructures/ingress-nginx/base/values.yaml
@@ -3,3 +3,71 @@ rbac:

 controller:
  priorityClassName: system-cluster-critical
+
+  extraArgs:
+    update-status-on-shutdown: "false"
+
+  allowSnippetAnnotations: true
+
+  config:
+    proxy-buffer-size: 16k
+    use-gzip: true
+    enable-brotli: true
+    hsts-max-age: 31536000
+    hsts-preload: true
+    disable-ipv6: true
+    disable-ipv6-dns: true
+    keep-alive-requests: 1000
+    use-geoip2: false
+    custom-http-errors: 401,403,404,500,501,502,503,504
+
+  extraEnvs:
+    - name: TZ
+      value: Australia/Sydney
+
+  addHeaders:
+    Referrer-Policy: same-origin, strict-origin-when-cross-origin
+    X-Content-Type-Options: nosniff
+    X-Frame-Options: SAMEORIGIN
+    X-XSS-Protection: 1; mode=block
+
+  ingressClassResource:
+    default: true
+
+  service:
+    externalTrafficPolicy: Cluster
+    ipFamilyPolicy: SingleStack
+
+  metrics:
+    enabled: ${metrics_enabled:=false}
+  #        serviceMonitor:
+  #          enabled: ${metrics_enabled:=false}
+  #          scrapeInterval: 1m
+
+  spec:
+    template:
+      spec:
+        containers:
+          volumeMounts:
+            - mountPath: /etc/nginx/template
+              name: nginx-template-volume
+              readOnly: true
+        volumes:
+          - name: nginx-template-volume
+            hostPath:
+              path: /mnt/nfs/AppData/ingress-nginx/etc/nginx/template
+              type: Directory
+
+defaultBackend:
+  enabled: true
+  image:
+    repository: ghcr.io/tarampampam/error-pages
+    tag: 3.3.0@sha256:43c9917e99ac1bb4df3c4e037327637e502e2ab4c3d84803b223d5b7db6d4cd7
+    pullPolicy: IfNotPresent
+  extraEnvs:
+    - name: TEMPLATE_NAME
+      value: connection
+    - name: SHOW_DETAILS
+      value: "true"
+    - name: READ_BUFFER_SIZE
+      value: "8192"
--- a/infrastructures/ingress-nginx/env/k3s-cluster/kustomization.yaml
+++ b/infrastructures/ingress-nginx/env/k3s-cluster/kustomization.yaml
@@ -1,8 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-helmCharts:
-  - name: ingress-nginx
-    repo: https://kubernetes.github.io/ingress-nginx
-    version: 4.10.1
-    releaseName: ingress-nginx
-    valuesFile: values.yaml
+resources:
+  - ../../base
--- a/infrastructures/logstash/base/kustomization.yaml
+++ b/infrastructures/logstash/base/kustomization.yaml
@@ -3,6 +3,6 @@ kind: Kustomization
 helmCharts:
  - name: logstash
    repo: oci://registry-1.docker.io/bitnamicharts
-    version: 6.2.14
+    version: 6.3.4
    releaseName: logstash
    valuesFile: values.yaml
--- a/infrastructures/minio/env/k3s-cluster/kustomization.yaml
+++ b/infrastructures/minio/env/k3s-cluster/kustomization.yaml
@@ -3,6 +3,6 @@ kind: Kustomization
 helmCharts:
  - name: minio
    repo: oci://registry-1.docker.io/bitnamicharts
-    version: 14.6.24
+    version: 14.7.10
    releaseName: minio
    valuesFile: values.yaml
--- a/infrastructures/minio/env/k3s-cluster/values.yaml
+++ b/infrastructures/minio/env/k3s-cluster/values.yaml
@@ -1,23 +1,21 @@
 namespaceOverride: "minio"
-clusterDomain: minio.cluster.edward.sydney
+image:
+  debug: true
+clusterDomain: cluster.edward.sydney
 auth:
  existingSecret: "minio-secrets"
  rootUserSecretKey: "root_user"
  rootPasswordSecretKey: "root_password"
 nodeSelector:
-  kubernetes.io/hostname: k3s-cluster-node-2
+  kubernetes.io/hostname: k3s-cluster-node-y
 service:
+  type: LoadBalancer
  ports:
    api: 19000
    console: 19001
-ingress:
-  enabled: true
-  ingressClassName: "nginx"
-  hostname: "minio.cluster.edward.sydney"
-apiIngress:
-  enabled: true
-  ingressClassName: "nginx"
-  hostname: "api.minio.cluster.edward.sydney"
+  annotations:
+    metallb.universe.tf/address-pool: k3s-cluster-ip-pool
+    metallb.universe.tf/allow-shared-ip: k3s-cluster
 persistence:
  existingClaim: "minio-pvc"
 containerSecurityContext:
--- a/infrastructures/mongodb/env/k3s-cluster/kustomization.yaml
+++ b/infrastructures/mongodb/env/k3s-cluster/kustomization.yaml
@@ -3,6 +3,6 @@ kind: Kustomization
 helmCharts:
  - name: mongodb
    repo: oci://registry-1.docker.io/bitnamicharts
-    version: 15.6.14
+    version: 15.6.26
    releaseName: mongodb
    valuesFile: values.yaml
--- a/infrastructures/mongodb/env/k3s-cluster/values.yaml
+++ b/infrastructures/mongodb/env/k3s-cluster/values.yaml
@@ -8,6 +8,8 @@ auth:
    - edward
    - anysync
  existingSecret: "mongodb-secrets"
+updateStrategy:
+  type: Recreate
 automountServiceAccountToken: true
 nodeSelector:
  kubernetes.io/arch: amd64
@@ -20,6 +22,9 @@ startupProbe:
  enabled: true
 service:
  type: LoadBalancer
+  annotations:
+    metallb.universe.tf/address-pool: k3s-cluster-ip-pool
+    metallb.universe.tf/allow-shared-ip: k3s-cluster
 persistence:
  existingClaim: "mongodb-pvc"
 persistentVolumeClaimRetentionPolicy:
--- a/infrastructures/netdata/base/kustomization.yaml
+++ b/infrastructures/netdata/base/kustomization.yaml
@@ -3,6 +3,6 @@ kind: Kustomization
 helmCharts:
  - name: netdata
    repo: https://netdata.github.io/helmchart/
-    version: 3.7.96
+    version: 3.7.102
    releaseName: netdata
    valuesFile: values.yaml
--- a/infrastructures/netdata/base/values.yaml
+++ b/infrastructures/netdata/base/values.yaml
@@ -1,15 +1,15 @@
 image:
  tag: stable
-
+ingress:
+  hosts:
+    - netdata.cluster.edward.sydney
 restarter:
  enabled: true
-
 parent:
  claiming:
    enabled: true
    token: HOJS7JMbEzKuDjbkJJv_Qp5369dyBGc0-qQ2DpKfWT22tiNWRZVH63bALjOv6A4bevsAJixzY1rIKO-1RvIr-NKGiYGpgfrMt1I5loXpU4CY7BgJp22jpK72kvRLwdM2rhNLcSQ
    rooms: 20334923-196a-477e-9a12-cfd5d02b24ec
-
 child:
  claiming:
    enabled: true
--- a/infrastructures/newrelic/env/k3s-cluster/config.json
+++ b/infrastructures/newrelic/env/k3s-cluster/config.json
@@ -0,0 +1,12 @@
+{
+  "appName": "newrelic",
+  "userGivenName": "newrelic",
+  "namespace": "newrelic",
+  "destNamespace": "newrelic",
+  "destServer": "https://kubernetes.default.svc",
+  "srcPath": "infrastructures/newrelic/env/k3s-cluster",
+  "srcRepoURL": "https://github.com/3dwardch3ng/home-cluster-ops.git",
+  "srcTargetRevision": "",
+  "labels": null,
+  "annotations": null
+}
--- a/infrastructures/newrelic/env/k3s-cluster/kustomization.yaml
+++ b/infrastructures/newrelic/env/k3s-cluster/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+helmCharts:
+  - name: nri-bundle
+    repo: https://helm-charts.newrelic.com
+    version: 5.0.92
+    releaseName: nri-bundle
+    valuesFile: values.yaml
--- a/infrastructures/newrelic/env/k3s-cluster/values.yaml
+++ b/infrastructures/newrelic/env/k3s-cluster/values.yaml
@@ -0,0 +1,192 @@
+kubeEvents:
+  enabled: true
+logging:
+  enabled: false
+
+newrelic-infrastructure:
+  # newrelic-infrastructure.enabled -- Install the [`newrelic-infrastructure` chart](https://github.com/newrelic/nri-kubernetes/tree/main/charts/newrelic-infrastructure)
+  enabled: true
+  privileged: true
+
+nri-prometheus:
+  # nri-prometheus.enabled -- Install the [`nri-prometheus` chart](https://github.com/newrelic/nri-prometheus/tree/main/charts/nri-prometheus)
+  enabled: false
+
+nri-metadata-injection:
+  # nri-metadata-injection.enabled -- Install the [`nri-metadata-injection` chart](https://github.com/newrelic/k8s-metadata-injection/tree/main/charts/nri-metadata-injection)
+  enabled: true
+
+kube-state-metrics:
+  prometheusScrape: false
+  image:
+    tag: v2.10.0
+  revisionHistoryLimit: 5
+  releaseLabel: true
+  # kube-state-metrics.enabled -- Install the [`kube-state-metrics` chart](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-state-metrics) from the stable helm charts repository.
+  # This is mandatory if `infrastructure.enabled` is set to `true` and the user does not provide its own instance of KSM version >=1.8 and <=2.0. Note, kube-state-metrics v2+ disables labels/annotations
+  # metrics by default. You can enable the target labels/annotations metrics to be monitored by using the metricLabelsAllowlist/metricAnnotationsAllowList options described [here](https://github.com/prometheus-community/helm-charts/blob/159cd8e4fb89b8b107dcc100287504bb91bf30e0/charts/kube-state-metrics/values.yaml#L274) in
+  # your Kubernetes clusters.
+  enabled: true
+
+nri-kube-events:
+  # nri-kube-events.enabled -- Install the [`nri-kube-events` chart](https://github.com/newrelic/nri-kube-events/tree/main/charts/nri-kube-events)
+  enabled: true
+
+newrelic-logging:
+  # newrelic-logging.enabled -- Install the [`newrelic-logging` chart](https://github.com/newrelic/helm-charts/tree/master/charts/newrelic-logging)
+  enabled: true
+    # fluentBit:
+    # -- What path will be mounted to read logs from the node
+    # linuxMountPath: /var
+    # persistence:
+    # -- Fluent Bit persistence is needed to keep track of tailed logs, if set to none data loss or logs duplications could happen. Options are "hostPath", "none", "persistentVolume"
+    # mode: hostPath
+    # persistentVolume:
+    # -- When using persistent volume a storage class could be needed depending on the cluster. It should be a storage class that allows ReadWriteMany
+  # storageClass:
+
+
+newrelic-pixie:
+  # newrelic-pixie.enabled -- Install the [`newrelic-pixie`](https://github.com/newrelic/helm-charts/tree/master/charts/newrelic-pixie)
+  enabled: false
+
+pixie-chart:
+  # pixie-chart.enabled -- Install the [`pixie-chart` chart](https://docs.pixielabs.ai/installing-pixie/install-schemes/helm/#3.-deploy)
+  enabled: false
+
+newrelic-infra-operator:
+  # newrelic-infra-operator.enabled -- Install the [`newrelic-infra-operator` chart](https://github.com/newrelic/newrelic-infra-operator/tree/main/charts/newrelic-infra-operator) (Beta)
+  enabled: false
+
+newrelic-prometheus-agent:
+  # newrelic-prometheus-agent.enabled -- Install the [`newrelic-prometheus-agent` chart](https://github.com/newrelic/newrelic-prometheus-configurator/tree/main/charts/newrelic-prometheus-agent)
+  enabled: false
+  lowDataMode: true
+  config:
+    kubernetes:
+      integrations_filter:
+        enabled: false
+
+newrelic-k8s-metrics-adapter:
+  # newrelic-k8s-metrics-adapter.enabled -- Install the [`newrelic-k8s-metrics-adapter.` chart](https://github.com/newrelic/newrelic-k8s-metrics-adapter/tree/main/charts/newrelic-k8s-metrics-adapter) (Beta)
+  enabled: false
+
+
+# -- change the behaviour globally to all the supported helm charts.
+# See [user's guide of the common library](https://github.com/newrelic/helm-charts/blob/master/library/common-library/README.md) for further information.
+# @default -- See [`values.yaml`](values.yaml)
+global:
+  # -- The cluster name for the Kubernetes cluster.
+  cluster: Home Lab K3S Cluster
+
+  # -- The license key for your New Relic Account. This will be preferred configuration option if both `licenseKey` and `customSecret` are specified.
+  licenseKey: ""
+  # -- The license key for your New Relic Account. This will be preferred configuration option if both `insightsKey` and `customSecret` are specified.
+  insightsKey: ""
+  # -- Name of the Secret object where the license key is stored
+  customSecretName: newrelic-secrets
+
+  # -- Key in the Secret object where the license key is stored
+  customSecretLicenseKey: licence-key
+
+  # -- Additional labels for chart objects
+  labels: {}
+  # -- Additional labels for chart pods
+  podLabels: {}
+
+  images:
+    # -- Changes the registry where to get the images. Useful when there is an internal image cache/proxy
+    registry: ""
+    # -- Set secrets to be able to fetch images
+    pullSecrets: []
+
+  serviceAccount:
+    # -- Add these annotations to the service account we create
+    annotations: {}
+    # -- Configures if the service account should be created or not
+    create:
+    # -- Change the name of the service account. This is honored if you disable on this chart the creation of the service account so you can use your own
+    name:
+
+  # -- (bool) Sets pod's hostNetwork
+  # @default -- false
+  hostNetwork:
+  # -- Sets pod's dnsConfig
+  dnsConfig: {}
+
+  # -- Sets pod's priorityClassName
+  priorityClassName: ""
+  # -- Sets security context (at pod level)
+  podSecurityContext: {}
+  # -- Sets security context (at container level)
+  containerSecurityContext: {}
+
+  # -- Sets pod/node affinities
+  affinity: {}
+  # -- Sets pod's node selector
+  nodeSelector: {}
+  # -- Sets pod's tolerations to node taints
+  tolerations: []
+
+  # -- Adds extra attributes to the cluster and all the metrics emitted to the backend
+  customAttributes: {}
+
+  # -- (bool) Reduces number of metrics sent in order to reduce costs
+  # @default -- false
+  lowDataMode: true
+
+  # -- (bool) In each integration it has different behavior. See [Further information](#values-managed-globally-3) but all aims to send less metrics to the backend to try to save costs |
+  # @default -- false
+  privileged: true
+
+  # -- (bool) Must be set to `true` when deploying in an EKS Fargate environment
+  # @default -- false
+  fargate:
+
+  # -- Configures the integration to send all HTTP/HTTPS request through the proxy in that URL. The URL should have a standard format like `https://user:password@hostname:port`
+  proxy:
+
+  # -- (bool) Send the metrics to the staging backend. Requires a valid staging license key
+  # @default -- false
+  nrStaging:
+  fedramp:
+    # fedramp.enabled -- (bool) Enables FedRAMP
+    # @default -- false
+    enabled:
+
+  # -- (bool) Sets the debug logs to this integration or all integrations if it is set globally
+  # @default -- false
+  verboseLog:
+
+
+  # To add values to the subcharts. Follow Helm's guide: https://helm.sh/docs/chart_template_guide/subcharts_and_globals
+
+  # If you wish to monitor services running on Kubernetes you can provide integrations
+  # configuration under `integrations_config` that it will passed down to the `newrelic-infrastructure` chart.
+  #
+  # You just need to create a new entry where the "name" is the filename of the configuration file and the data is the content of
+  # the integration configuration. The name must end in ".yaml" as this will be the
+  # filename generated and the Infrastructure agent only looks for YAML files.
+  #
+  # The data part is the actual integration configuration as described in the spec here:
+  # https://docs.newrelic.com/docs/integrations/integrations-sdk/file-specifications/integration-configuration-file-specifications-agent-v180
+  #
+  # In the following example you can see how to monitor a Redis integration with autodiscovery
+  #
+  #
+  # newrelic-infrastructure:
+  #   integrations:
+  #     nri-redis-sampleapp:
+  #       discovery:
+  #         command:
+  #           exec: /var/db/newrelic-infra/nri-discovery-kubernetes --tls --port 10250
+  #           match:
+  #             label.app: sampleapp
+  #       integrations:
+  #         - name: nri-redis
+  #           env:
+  #             # using the discovered IP as the hostname address
+  #             HOSTNAME: ${discovery.ip}
+  #             PORT: 6379
+  #           labels:
+  #             env: test
--- a/infrastructures/postgresql/env/k3s-cluster/kustomization.yaml
+++ b/infrastructures/postgresql/env/k3s-cluster/kustomization.yaml
@@ -3,6 +3,6 @@ kind: Kustomization
 helmCharts:
  - name: postgresql
    repo: oci://registry-1.docker.io/bitnamicharts
-    version: 15.5.17
+    version: 15.5.32
    releaseName: postgresql
    valuesFile: values.yaml
--- a/infrastructures/postgresql/env/k3s-cluster/values.yaml
+++ b/infrastructures/postgresql/env/k3s-cluster/values.yaml
@@ -21,6 +21,9 @@ primary:
    name: "postgresql-primary"
  service:
    type: "LoadBalancer"
+    annotations:
+      metallb.universe.tf/address-pool: k3s-cluster-ip-pool
+      metallb.universe.tf/allow-shared-ip: k3s-cluster
  persistence:
    existingClaim: postgresql-primary-pvc
    selector:
@@ -41,6 +44,9 @@ readReplicas:
    type: "LoadBalancer"
    ports:
      postgresql: 5433
+    annotations:
+      metallb.universe.tf/address-pool: k3s-cluster-ip-pool
+      metallb.universe.tf/allow-shared-ip: k3s-cluster
  persistence:
    existingClaim: postgresql-replica-pvc
    selector:
--- a/infrastructures/prometheus-exporters/env/k3s-cluster/node-exporter.yaml
+++ b/infrastructures/prometheus-exporters/env/k3s-cluster/node-exporter.yaml
@@ -6,7 +6,7 @@ metadata:
  labels:
    app: prometheus-node-exporter
 spec:
-  replicas: 5
+  replicas: 6
  selector:
    matchLabels:
      app: prometheus-node-exporter
--- a/infrastructures/prometheus/env/k3s-cluster/deployment.yaml
+++ b/infrastructures/prometheus/env/k3s-cluster/deployment.yaml
@@ -22,7 +22,7 @@ spec:
        runAsGroup: 0
      containers:
        - name: prometheus
-          image: prom/prometheus:v2.53.0
+          image: prom/prometheus:v2.54.1
          args:
            - "--storage.tsdb.retention.time=14d"
            - "--config.file=/etc/prometheus/prometheus.yaml"
@@ -42,7 +42,7 @@ spec:
            - name: prometheus-storage-volume
              mountPath: /prometheus/
        - name: grafana
-          image: grafana/grafana:11.0.1
+          image: grafana/grafana:11.2.0
          ports:
            - containerPort: 3000
          volumeMounts:
--- a/infrastructures/prometheus/env/k3s-cluster/service.yaml
+++ b/infrastructures/prometheus/env/k3s-cluster/service.yaml
@@ -9,14 +9,12 @@ metadata:
 spec:
  selector:
    app: prometheus
-  type: NodePort
+  type: LoadBalancer
  ports:
    - port: 9999
      targetPort: 9090
-      nodePort: 30999
      protocol: TCP
      name: http
    - name: grafana-port
      port: 3030
-      nodePort: 30303
      targetPort: 3000
--- a/Show More
+++ b/Show More