Merge pull request #1015 from 3dwardch3ng/misc

update number of replicas

apps/adguard-home/base/deployment.yaml

@@ -16,7 +16,7 @@ spec:
     spec:
       containers:
         - name: adguard-home
-          image: adguard/adguardhome:v0.107.51
+          image: adguard/adguardhome:v0.107.52
           ports:
             - protocol: TCP
               containerPort: 53

apps/adguard-home/base/service.yaml

@@ -3,12 +3,15 @@ kind: Service
 metadata:
   name: adguard-home
   namespace: adguard-home
+  annotations:
+    metallb.universe.tf/address-pool: k3s-cluster-ip-pool
+    metallb.universe.tf/allow-shared-ip: k3s-cluster
   labels:
     app.kubernetes.io/name: adguard-home
 spec:
   selector:
     app.kubernetes.io/name: adguard-home
-  type: ClusterIP
+  type: LoadBalancer
   internalTrafficPolicy: Cluster
   ports:
     - protocol: TCP
@@ -32,11 +35,11 @@ spec:
       targetPort: 80
       name: http-tcp
     - protocol: TCP
-      port: 443
+      port: 10443
       targetPort: 443
       name: https-tcp
     - protocol: UDP
-      port: 443
+      port: 10443
       targetPort: 443
       name: https-udp
     - protocol: TCP

apps/adguard-home/env/k3s-cluster/ingress.yaml

@@ -1,61 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: adguard-home-ingress
-  namespace: adguard-home
-  annotations:
-    nginx.ingress.kubernetes.io/ssl-redirect: "false"
-    nginx.ingress.kubernetes.io/use-regex: "true"
-spec:
-  ingressClassName: nginx
-  rules:
-    - host: "adguard-home.cluster.edward.sydney"
-      http:
-        paths:
-          - pathType: Prefix
-            path: "/"
-            backend:
-              service:
-                name: adguard-home
-                port:
-                  number: 10080
-    - host: "adguard-home.cluster.local"
-      http:
-        paths:
-          - pathType: Prefix
-            path: "/"
-            backend:
-              service:
-                name: adguard-home
-                port:
-                  number: 10080
-    - host: "setup.adguard-home.cluster.edward.sydney"
-      http:
-        paths:
-          - pathType: Prefix
-            path: "/"
-            backend:
-              service:
-                name: adguard-home
-                port:
-                  number: 13000
-    - host: "setup.adguard-home.cluster.local"
-      http:
-        paths:
-          - pathType: Prefix
-            path: "/"
-            backend:
-              service:
-                name: adguard-home
-                port:
-                  number: 13000
-    - host: "doh.adguard-home.cluster.edward.sydney"
-      http:
-        paths:
-          - pathType: Prefix
-            path: "/"
-            backend:
-              service:
-                name: adguard-home
-                port:
-                  number: 443

apps/adguard-home/env/k3s-cluster/kustomization.yaml

@@ -1,5 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ../../base
-  - ./ingress.yaml
+  - ../../base

apps/chartmuseum/env/k3s-cluster/config.json

@@ -0,0 +1,12 @@
+{
+  "appName": "chartmuseum",
+  "userGivenName": "chartmuseum",
+  "namespace": "chartmuseum",
+  "destNamespace": "chartmuseum",
+  "destServer": "https://kubernetes.default.svc",
+  "srcPath": "apps/chartmuseum/env/k3s-cluster",
+  "srcRepoURL": "https://github.com/3dwardch3ng/home-cluster-ops.git",
+  "srcTargetRevision": "",
+  "labels": null,
+  "annotations": null
+}

apps/chartmuseum/env/k3s-cluster/kustomization.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+helmCharts:
+  - name: chartmuseum
+    repo: https://chartmuseum.github.io/charts
+    version: 3.10.3
+    releaseName: chartmuseum
+    valuesFile: values.yaml

apps/chartmuseum/env/k3s-cluster/values.yaml

@@ -0,0 +1,24 @@
+env:
+  open:
+    AUTH_ANONYMOUS_GET: true
+    DISABLE_API: false
+    CACHE: redis
+    CACHE_REDIS_ADDR: redis-master.redis.svc.cluster.local:6379
+  existingSecret: chartmuseum-secrets
+  existingSecretMappings:
+    BASIC_AUTH_USER: auth-user
+    BASIC_AUTH_PASS: auth-password
+    CACHE_REDIS_PASSWORD: redis-password
+service:
+  type: LoadBalancer
+  externalPort: 8899
+persistence:
+  enabled: true
+  existingClaim: chartmuseum-pvc
+ingress:
+  enabled: true
+  hosts:
+    - name: chartmuseum.cluster.edward.sydney
+      tls: true
+      tlsSecret: chartmuseum-tls
+  ingressClassName: nginx

apps/coder/env/k3s-cluster/kustomization.yaml

@@ -3,6 +3,6 @@ kind: Kustomization
 helmCharts:
   - name: coder
     repo: https://helm.coder.com/v2
-    version: 2.13.1
+    version: 2.15.0
     releaseName: coder
     valuesFile: values.yaml

apps/coder/env/k3s-cluster/values.yaml

@@ -18,5 +18,11 @@ coder:
     - name: coder-data
       mountPath: /config
   service:
-    type: NodePort
-    httpNodePort: 31180
+    type: ClusterIP
+    annotations:
+      metallb.universe.tf/address-pool: k3s-cluster-ip-pool
+      metallb.universe.tf/allow-shared-ip: k3s-cluster
+  ingress:
+    enable: true
+    className: nginx
+    host: "coder.cluster.edward.sydney"

apps/ec-config-server/env/k3s-cluster/config.json

@@ -0,0 +1,12 @@
+{
+  "appName": "ec-config-server",
+  "userGivenName": "ec-config-server",
+  "namespace": "ec-proj",
+  "destNamespace": "ec-proj",
+  "destServer": "https://kubernetes.default.svc",
+  "srcPath": "apps/ec-config-server/env/k3s-cluster",
+  "srcRepoURL": "https://github.com/3dwardch3ng/home-cluster-ops.git",
+  "srcTargetRevision": "",
+  "labels": null,
+  "annotations": null
+}

apps/ec-config-server/env/k3s-cluster/kustomization.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+helmCharts:
+  - name: ec-config-server
+    repo: https://chartmuseum.cluster.edward.sydney:8899/
+    version: 1.0.12
+    releaseName: ec-config-server
+    valuesFile: values.yaml

apps/ec-config-server/env/k3s-cluster/values.yaml

@@ -0,0 +1,9 @@
+environment:
+  configServerAuth:
+    existingSecret: ec-config-server-auth-secrets
+service:
+  type: LoadBalancer
+spring:
+  activeprofile: native,k3s
+persistence:
+  hostPath: /mnt/nfs/AppData/ec-config-server/config

apps/gitea/env/k3s-cluster/kustomization.yaml

@@ -3,6 +3,6 @@ kind: Kustomization
 helmCharts:
   - name: gitea
     repo: oci://registry-1.docker.io/bitnamicharts
-    version: 2.3.14
+    version: 2.3.22
     releaseName: gitea
     valuesFile: values.yaml

apps/gitea/env/k3s-cluster/values.yaml

@@ -1,4 +1,7 @@
 namespaceOverride: "gitea"
+rootURL: "https://gitea.cluster.edward.sydney"
+updateStrategy:
+  type: Recreate
 podAntiAffinityPreset: ""
 adminUsername: "gitea_admin"
 adminEmail: "edward@cheng.sydney"
@@ -11,12 +14,21 @@ smtpUser: "me@edward.sydney"
 smtpExistingSecret: "gitea-secrets"
 persistence:
   existingClaim: "gitea-pvc"
+resourcesPreset: "xlarge"
+podSecurityContext:
+  fsGroup: 1000
+containerSecurityContext:
+  runAsUser: 1000
+  runAsGroup: 1000
 service:
   ports:
-    http: 10080
-    ssh: 10022
+    http: 10880
+    ssh: 10222
+  annotations:
+    metallb.universe.tf/address-pool: k3s-cluster-ip-pool
+    metallb.universe.tf/allow-shared-ip: k3s-cluster
 ingress:
-  enabled: true
+  enabled: false
   ingressClassName: "nginx"
   hostname: "gitea.cluster.edward.sydney"
 serviceAccount:
@@ -27,4 +39,8 @@ externalDatabase:
   host: "postgresql-primary.argocd.svc.cluster.local"
   user: "gitea_user"
   existingSecret: "gitea-secrets"
-  existingSecretPasswordKey: "db-password"
+  existingSecretPasswordKey: "db-password"
+nodeSelector:
+  kubernetes.io/os: linux
+  kubernetes.io/arch: amd64
+  kubernetes.io/hostname: k3s-cluster-node-y

apps/homer/base/deployment.yaml

@@ -32,10 +32,12 @@ spec:
               containerPort: 8088
               name: http
           volumeMounts:
-            - name: assets
-              mountPath: /www/assets
+            - name: www
+              mountPath: /www
       volumes:
-        - name: assets
+        - name: www
           hostPath:
-            path: /mnt/nfs/AppData/homer/www/assets
+            path: /mnt/nfs/AppData/homer/www
             type: Directory
+      nodeSelector:
+        kubernetes.io/os: linux

apps/homer/base/service.yaml

@@ -3,12 +3,15 @@ kind: Service
 metadata:
   name: homer
   namespace: homer
+  annotations:
+    metallb.universe.tf/address-pool: k3s-cluster-ip-pool
+    metallb.universe.tf/allow-shared-ip: k3s-cluster
   labels:
     app.kubernetes.io/name: homer
 spec:
   selector:
     app.kubernetes.io/name: homer
-  type: ClusterIP
+  type: LoadBalancer
   internalTrafficPolicy: Cluster
   ports:
     - protocol: TCP

apps/homer/env/k3s-cluster/kustomization.yaml

@@ -1,5 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ../../base
-  - ./ingress.yaml
+  - ../../base

apps/jellyfin/base/kustomization.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+helmCharts:
+  - name: jellyfin
+    repo: https://beluga-cloud.github.io/charts
+    version: 2.3.0
+    releaseName: jellyfin
+    valuesFile: values.yaml

apps/jellyfin/base/values.yaml

@@ -0,0 +1,155 @@
+podSecurityContext:
+  runAsGroup: 1000
+  runAsUser: 1000
+  fsGroup: 1000
+containerSecurityContext:
+  runAsGroup: 1000
+  runAsUser: 1000
+persistence:
+  config:
+    enabled: true
+    volumeClaimSpec:
+      accessModes:
+        - ReadWriteOnce
+      volumeName: jellyfin-config
+      storageClassName: local-path
+  data:
+    enabled: true
+    volumeClaimSpec:
+      accessModes:
+        - ReadWriteOnce
+      volumeName: jellyfin-data
+      storageClassName: local-path
+jellyfin:
+  mediaVolumes:
+    - name: movies
+      readOnly: false
+      volumeSpec:
+        storageClassName: local-path
+        volumeMode: Filesystem
+        capacity:
+          storage: 256Gi
+        accessModes:
+          - ReadWriteOnce
+        persistentVolumeReclaimPolicy: Retain
+        nodeAffinity:
+          required:
+            nodeSelectorTerms:
+              - matchExpressions:
+                  - key: kubernetes.io/os
+                    operator: In
+                    values:
+                      - linux
+        claimRef:
+          apiVersion: v1
+          kind: PersistentVolumeClaim
+          name: jellyfin-mediavol-movies
+          namespace: jellyfin
+        hostPath:
+          path: "/mnt/nfs/media/movie"
+          type: "Directory"
+    - name: series
+      readOnly: false
+      volumeSpec:
+        storageClassName: local-path
+        volumeMode: Filesystem
+        capacity:
+          storage: 256Gi
+        accessModes:
+          - ReadWriteOnce
+        persistentVolumeReclaimPolicy: Retain
+        nodeAffinity:
+          required:
+            nodeSelectorTerms:
+              - matchExpressions:
+                  - key: kubernetes.io/os
+                    operator: In
+                    values:
+                      - linux
+        claimRef:
+          apiVersion: v1
+          kind: PersistentVolumeClaim
+          name: jellyfin-mediavol-series
+          namespace: jellyfin
+        hostPath:
+          path: "/mnt/nfs/media/tv"
+          type: "Directory"
+    - name: music-videos
+      readOnly: false
+      volumeSpec:
+        storageClassName: local-path
+        volumeMode: Filesystem
+        capacity:
+          storage: 128Gi
+        accessModes:
+          - ReadWriteOnce
+        persistentVolumeReclaimPolicy: Retain
+        nodeAffinity:
+          required:
+            nodeSelectorTerms:
+              - matchExpressions:
+                  - key: kubernetes.io/os
+                    operator: In
+                    values:
+                      - linux
+        claimRef:
+          apiVersion: v1
+          kind: PersistentVolumeClaim
+          name: jellyfin-mediavol-music-videos
+          namespace: jellyfin
+        hostPath:
+          path: "/mnt/nfs/media/music-video"
+          type: "Directory"
+    - name: short-videos
+      readOnly: false
+      volumeSpec:
+        storageClassName: local-path
+        volumeMode: Filesystem
+        capacity:
+          storage: 32Gi
+        accessModes:
+          - ReadWriteOnce
+        persistentVolumeReclaimPolicy: Retain
+        nodeAffinity:
+          required:
+            nodeSelectorTerms:
+              - matchExpressions:
+                  - key: kubernetes.io/os
+                    operator: In
+                    values:
+                      - linux
+        claimRef:
+          apiVersion: v1
+          kind: PersistentVolumeClaim
+          name: jellyfin-mediavol-short-videos
+          namespace: jellyfin
+        hostPath:
+          path: "/mnt/nfs/media/short-video"
+          type: "Directory"
+    - name: gv
+      readOnly: false
+      volumeSpec:
+        storageClassName: local-path
+        volumeMode: Filesystem
+        capacity:
+          storage: 64Gi
+        accessModes:
+          - ReadWriteOnce
+        persistentVolumeReclaimPolicy: Retain
+        nodeAffinity:
+          required:
+            nodeSelectorTerms:
+              - matchExpressions:
+                  - key: kubernetes.io/os
+                    operator: In
+                    values:
+                      - linux
+        claimRef:
+          apiVersion: v1
+          kind: PersistentVolumeClaim
+          name: jellyfin-mediavol-gv
+          namespace: jellyfin
+        hostPath:
+          path: "/mnt/nfs/media/gv"
+          type: "Directory"
+  persistentTranscodes: true

apps/jellyfin/env/k3s-cluster/config.json

@@ -0,0 +1,12 @@
+{
+  "appName": "jellyfin",
+  "userGivenName": "jellyfin",
+  "namespace": "jellyfin",
+  "destNamespace": "jellyfin",
+  "destServer": "https://kubernetes.default.svc",
+  "srcPath": "apps/jellyfin/env/k3s-cluster",
+  "srcRepoURL": "https://github.com/3dwardch3ng/home-cluster-ops.git",
+  "srcTargetRevision": "",
+  "labels": null,
+  "annotations": null
+}

apps/jellyfin/env/k3s-cluster/ingress.yaml

@@ -1,21 +1,21 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  name: trillium-ingress
-  namespace: trillium
+  name: jellyfin-ingress
+  namespace: jellyfin
   annotations:
     nginx.ingress.kubernetes.io/ssl-redirect: "false"
     nginx.ingress.kubernetes.io/use-regex: "true"
 spec:
   ingressClassName: nginx
   rules:
-    - host: "trillium.cluster.edward.sydney"
+    - host: "jellyfin.cluster.edward.sydney"
       http:
         paths:
           - pathType: Prefix
             path: "/"
             backend:
               service:
-                name: trillium
+                name: jellyfin
                 port:
-                  number: 8080
+                  number: 8096

apps/jellyfin/env/k3s-cluster/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../../base
+#  - ./ingress.yaml

apps/kavita/base/deployment.yaml

@@ -20,7 +20,7 @@ spec:
         app.kubernetes.io/instance: kavita
     spec:
       containers:
-        - image: jvmilazz0/kavita:0.8.1
+        - image: jvmilazz0/kavita:0.8.3
           imagePullPolicy: IfNotPresent
           name: kavita
           ports:

apps/kubernetes-dashboard/base/kustomization.yaml

@@ -3,6 +3,6 @@ kind: Kustomization
 helmCharts:
   - name: kubernetes-dashboard
     repo: https://kubernetes.github.io/dashboard/
-    version: 7.5.0
+    version: 7.6.1
     releaseName: kubernetes-dashboard
     valuesFile: values.yaml

apps/nexus/base/deployment.yaml

@@ -22,10 +22,10 @@ spec:
           resources:
             limits:
               memory: "3Gi"
-              cpu: "1"
+              cpu: "2"
             requests:
               memory: "2Gi"
-              cpu: "500m"
+              cpu: "2"
           ports:
             - containerPort: 8081
           volumeMounts:
@@ -35,4 +35,7 @@ spec:
         - name: nexus-data
           hostPath:
             path: /mnt/nfs/AppData/nexus
-            type: Directory
+            type: Directory
+      nodeSelector:
+        kubernetes.io/os: linux
+        kubernetes.io/arch: arm64

apps/nexus/base/service.yaml

@@ -10,8 +10,7 @@ metadata:
 spec:
   selector:
     app: nexus
-  type: NodePort
+  type: LoadBalancer
   ports:
     - port: 8081
-      targetPort: 8081
-      nodePort: 32000
+      targetPort: 8081

apps/nexus/env/k3s-cluster/ingress.yaml

@@ -1,21 +1,21 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  name: homer-ingress
-  namespace: homer
+  name: nexus-ingress
+  namespace: nexus
   annotations:
     nginx.ingress.kubernetes.io/ssl-redirect: "false"
     nginx.ingress.kubernetes.io/use-regex: "true"
 spec:
   ingressClassName: nginx
   rules:
-    - host: "home.edward.sydney"
+    - host: "nexus.cluster.edward.sydney"
       http:
         paths:
           - pathType: Prefix
             path: "/"
             backend:
               service:
-                name: homer
+                name: nexus
                 port:
-                  number: 8088
+                  number: 8081

apps/plane/base/configmap.yaml

@@ -0,0 +1,28 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  namespace: plane
+  name: plane-app-vars
+data:
+  SENTRY_DSN: ""
+  SENTRY_ENVIRONMENT: ""
+  DEBUG: "0"
+  DOCKERIZED: "1"
+  GUNICORN_WORKERS: "1"
+  WEB_URL: "http://plane.cluster.edward.sydney"
+  CORS_ALLOWED_ORIGINS: "http://plane.cluster.edward.sydney,https://plane.cluster.edward.sydney"
+  REDIS_URL: "redis://plane-redis.plane.svc.cluster.local:6379/"
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  namespace: plane
+  name: plane-doc-store-vars
+data:
+  FILE_SIZE_LIMIT: "5242880"
+  AWS_S3_BUCKET_NAME: "plane"
+  MINIO_ROOT_USER: "admin"
+  AWS_S3_ENDPOINT_URL: "http://minio.minio.svc.cluster.local:19000"
+  USE_MINIO: "1"
+---

apps/plane/base/deployment.yaml

@@ -0,0 +1,274 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  namespace: plane
+  name: plane-admin-wl
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.name: plane-admin
+  template:
+    metadata:
+      namespace: plane
+      labels:
+        app.name: plane-admin
+    spec:
+      containers:
+        - name: plane-admin
+          imagePullPolicy: Always
+          image: makeplane/plane-admin:stable
+          stdin: true
+          tty: true
+          resources:
+            requests:
+              memory: "50Mi"
+              cpu: "50m"
+            limits:
+              memory: "1000Mi"
+              cpu: "500m"
+          command:
+            - node
+          args:
+            - admin/server.js
+            - admin
+      serviceAccount: plane-srv-account
+      serviceAccountName: plane-srv-account
+      nodeSelector:
+        kubernetes.io/os: linux
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  namespace: plane
+  name: plane-api-wl
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.name: plane-api
+  template:
+    metadata:
+      namespace: plane
+      labels:
+        app.name: plane-api
+    spec:
+      containers:
+        - name: plane-api
+          imagePullPolicy: Always
+          image: makeplane/plane-backend:stable
+          stdin: true
+          tty: true
+          resources:
+            requests:
+              memory: "50Mi"
+              cpu: "50m"
+            limits:
+              memory: "1000Mi"
+              cpu: "500m"
+          command:
+            - ./bin/docker-entrypoint-api.sh
+          envFrom:
+            - configMapRef:
+                name: plane-app-vars
+                optional: false
+            - secretRef:
+                name: plane-app-secrets
+                optional: false
+            - configMapRef:
+                name: plane-doc-store-vars
+                optional: false
+            - secretRef:
+                name: plane-doc-store-secrets
+                optional: false
+          readinessProbe:
+            failureThreshold: 30
+            httpGet:
+              path: /
+              port: 8000
+              scheme: HTTP
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 1
+      serviceAccount: plane-srv-account
+      serviceAccountName: plane-srv-account
+      nodeSelector:
+        kubernetes.io/os: linux
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  namespace: plane
+  name: plane-beat-worker-wl
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.name: plane-beat-worker
+  template:
+    metadata:
+      namespace: plane
+      labels:
+        app.name: plane-beat-worker
+    spec:
+      containers:
+        - name: plane-beat-worker
+          imagePullPolicy: Always
+          image: makeplane/plane-backend:stable
+          stdin: true
+          tty: true
+          resources:
+            requests:
+              memory: "50Mi"
+              cpu: "50m"
+            limits:
+              memory: "1000Mi"
+              cpu: "500m"
+          command:
+            - ./bin/docker-entrypoint-beat.sh
+          envFrom:
+            - configMapRef:
+                name: plane-app-vars
+                optional: false
+            - secretRef:
+                name: plane-app-secrets
+                optional: false
+            - configMapRef:
+                name: plane-doc-store-vars
+                optional: false
+            - secretRef:
+                name: plane-doc-store-secrets
+                optional: false
+      serviceAccount: plane-srv-account
+      serviceAccountName: plane-srv-account
+      nodeSelector:
+        kubernetes.io/os: linux
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  namespace: plane
+  name: plane-space-wl
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.name: plane-space
+  template:
+    metadata:
+      namespace: plane
+      labels:
+        app.name: plane-space
+    spec:
+      containers:
+        - name: plane-space
+          imagePullPolicy: Always
+          image: makeplane/plane-space:stable
+          stdin: true
+          tty: true
+          resources:
+            requests:
+              memory: "50Mi"
+              cpu: "50m"
+            limits:
+              memory: "1000Mi"
+              cpu: "500m"
+          command:
+            - node
+          args:
+            - space/server.js
+            - space
+      serviceAccount: plane-srv-account
+      serviceAccountName: plane-srv-account
+      nodeSelector:
+        kubernetes.io/os: linux
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  namespace: plane
+  name: plane-web-wl
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.name: plane-web
+  template:
+    metadata:
+      namespace: plane
+      labels:
+        app.name: plane-web
+    spec:
+      containers:
+        - name: plane-web
+          imagePullPolicy: Always
+          image: makeplane/plane-frontend:stable
+          stdin: true
+          tty: true
+          resources:
+            requests:
+              memory: "50Mi"
+              cpu: "50m"
+            limits:
+              memory: "1000Mi"
+              cpu: "500m"
+          command:
+            - node
+          args:
+            - web/server.js
+            - web
+      serviceAccount: plane-srv-account
+      serviceAccountName: plane-srv-account
+      nodeSelector:
+        kubernetes.io/os: linux
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  namespace: plane
+  name: plane-worker-wl
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.name: plane-worker
+  template:
+    metadata:
+      namespace: plane
+      labels:
+        app.name: plane-worker
+    spec:
+      containers:
+        - name: plane-worker
+          imagePullPolicy: Always
+          image: makeplane/plane-backend:stable
+          stdin: true
+          tty: true
+          resources:
+            requests:
+              memory: "50Mi"
+              cpu: "50m"
+            limits:
+              memory: "1000Mi"
+              cpu: "500m"
+          command:
+            - ./bin/docker-entrypoint-worker.sh
+          envFrom:
+            - configMapRef:
+                name: plane-app-vars
+                optional: false
+            - secretRef:
+                name: plane-app-secrets
+                optional: false
+            - configMapRef:
+                name: plane-doc-store-vars
+                optional: false
+            - secretRef:
+                name: plane-doc-store-secrets
+                optional: false
+      serviceAccount: plane-srv-account
+      serviceAccountName: plane-srv-account
+      nodeSelector:
+        kubernetes.io/os: linux
+---

apps/plane/base/job.yaml

@@ -0,0 +1,35 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  namespace: plane
+  name: plane-api-migrate
+spec:
+  backoffLimit: 3
+  template:
+    metadata:
+      labels:
+        app.name: plane-api-migrate
+    spec:
+      containers:
+        - name: plane-api-migrate
+          image: makeplane/plane-backend:stable
+          command:
+            - ./bin/docker-entrypoint-migrator.sh
+          imagePullPolicy: Always
+          envFrom:
+            - configMapRef:
+                name: plane-app-vars
+                optional: false
+            - secretRef:
+                name: plane-app-secrets
+                optional: false
+            - configMapRef:
+                name: plane-doc-store-vars
+                optional: false
+            - secretRef:
+                name: plane-doc-store-secrets
+                optional: false
+      restartPolicy: OnFailure
+      serviceAccount: plane-srv-account
+      serviceAccountName: plane-srv-account

apps/plane/base/kustomization.yaml

@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./configmap.yaml
+  - ./service-account.yaml
+  - ./job.yaml
+  - ./deployment.yaml
+  - ./stateful-set.yaml
+  - ./service.yaml

apps/plane/base/service-account.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+automountServiceAccountToken: true
+kind: ServiceAccount
+metadata:
+  namespace: plane
+  name: plane-srv-account

apps/plane/base/service.yaml

@@ -0,0 +1,85 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  namespace: plane
+  name: plane-admin
+  labels:
+    app.name: plane-admin
+spec:
+  type: LoadBalancer
+  ports:
+    - name: admin-3000
+      port: 3333
+      protocol: TCP
+      targetPort: 3000
+  selector:
+    app.name: plane-admin
+---
+apiVersion: v1
+kind: Service
+metadata:
+  namespace: plane
+  name: plane-api
+  labels:
+    app.name: plane-api
+spec:
+  type: LoadBalancer
+  ports:
+    - name: api-8000
+      port: 8808
+      protocol: TCP
+      targetPort: 8000
+  selector:
+    app.name: plane-api
+---
+apiVersion: v1
+kind: Service
+metadata:
+  namespace: plane
+  name: plane-space
+  labels:
+    app.name: plane-space
+spec:
+  type: LoadBalancer
+  ports:
+    - name: space-3000
+      port: 3330
+      protocol: TCP
+      targetPort: 3000
+  selector:
+    app.name: plane-space
+---
+apiVersion: v1
+kind: Service
+metadata:
+  namespace: plane
+  name: plane-web
+  labels:
+    app.name: plane-web
+spec:
+  type: LoadBalancer
+  ports:
+    - name: web-3000
+      port: 3033
+      protocol: TCP
+      targetPort: 3000
+  selector:
+    app.name: plane-web
+---
+apiVersion: v1
+kind: Service
+metadata:
+  namespace: plane
+  name: plane-redis
+  labels:
+    app.name: plane-redis
+spec:
+  type: LoadBalancer
+  ports:
+    - name: redis-6379
+      port: 6379
+      protocol: TCP
+      targetPort: 6379
+  selector:
+    app.name: plane-redis

apps/plane/base/stateful-set.yaml

@@ -0,0 +1,32 @@
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  namespace: plane
+  name: plane-redis-wl
+spec:
+  selector:
+    matchLabels:
+      app.name: plane-redis
+  serviceName:  plane-redis
+  template:
+    metadata:
+      labels:
+        app.name: plane-redis
+    spec:
+      containers:
+        - image: valkey/valkey:8.0.0-alpine
+          imagePullPolicy: Always
+          name: plane-redis
+          stdin: true
+          tty: true
+          volumeMounts:
+            - mountPath: /data
+              name: plane-redis-data
+      volumes:
+        - name: plane-redis-data
+          persistentVolumeClaim:
+            claimName: plane-redis-pvc
+      serviceAccount: plane-srv-account
+      serviceAccountName: plane-srv-account
+---

apps/plane/env/k3s-cluster/config.json

@@ -0,0 +1,12 @@
+{
+  "appName": "plane",
+  "userGivenName": "plane",
+  "namespace": "plane",
+  "destNamespace": "plane",
+  "destServer": "https://kubernetes.default.svc",
+  "srcPath": "apps/plane/env/k3s-cluster",
+  "srcRepoURL": "https://github.com/3dwardch3ng/home-cluster-ops.git",
+  "srcTargetRevision": "",
+  "labels": null,
+  "annotations": null
+}

apps/plane/env/k3s-cluster/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../../base

apps/plex/base/values.yaml

@@ -8,29 +8,47 @@ extraEnv:
   PLEX_UID: 1000
   PLEX_GID: 1000
   ALLOWED_NETWORKS: "0.0.0.0/0"
+service:
+  type: LoadBalancer
+  port: 32400
+  annotations:
+    metallb.universe.tf/address-pool: k3s-cluster-ip-pool
+    metallb.universe.tf/allow-shared-ip: k3s-cluster
 extraVolumeMounts:
   - name: plex-tv
     mountPath: /tv
   - name: plex-movie
     mountPath: /movie
+  - name: plex-short-video
+    mountPath: /short-video
   - name: plex-music
     mountPath: /music
+  - name: plex-music-video
+    mountPath: /music-video
   - name: plex-gv
     mountPath: /gv
 extraVolumes:
   - name: plex-tv
     hostPath:
-      path: /mnt/nfs/AppData/plex/tv
+      path: /mnt/nfs/media/tv
       type: Directory
   - name: plex-movie
     hostPath:
-      path: /mnt/nfs/AppData/plex/movie
+      path: /mnt/nfs/media/movie
+      type: Directory
+  - name: plex-short-video
+    hostPath:
+      path: /mnt/nfs/media/short-video
       type: Directory
   - name: plex-music
     hostPath:
-      path: /mnt/nfs/AppData/plex/music
+      path: /mnt/nfs/media/music
+      type: Directory
+  - name: plex-music-video
+    hostPath:
+      path: /mnt/nfs/media/music-video
       type: Directory
   - name: plex-gv
     hostPath:
-      path: /mnt/nfs/AppData/plex/gv
+      path: /mnt/nfs/media/gv
       type: Directory

apps/qbittorrent/base/service.yaml

@@ -3,6 +3,9 @@ kind: Service
 metadata:
   name: qbittorrent
   namespace: qbittorrent
+  annotations:
+    metallb.universe.tf/address-pool: k3s-cluster-ip-pool
+    metallb.universe.tf/allow-shared-ip: k3s-cluster
   labels:
     app.kubernetes.io/name: qbittorrent
 spec:

apps/rlpa-server/base/deployment.yaml

@@ -19,7 +19,7 @@ spec:
         runAsGroup: 1000
       containers:
         - name: rlpa-server
-          image: damonto/estkme-cloud:1.0.11
+          image: damonto/estkme-cloud:1.1.0
           securityContext:
             allowPrivilegeEscalation: false
           ports:

apps/rlpa-server/base/service.yaml

@@ -3,12 +3,15 @@ kind: Service
 metadata:
   name: rlpa-server
   namespace: rlpa
+  annotations:
+    metallb.universe.tf/address-pool: k3s-cluster-ip-pool
+    metallb.universe.tf/allow-shared-ip: k3s-cluster
   labels:
     app.kubernetes.io/name: rlpa
 spec:
   selector:
     app.kubernetes.io/name: rlpa
-  type: ClusterIP
+  type: LoadBalancer
   internalTrafficPolicy: Cluster
   ports:
     - protocol: TCP

apps/snippet-box/base/deployment.yaml

@@ -32,3 +32,6 @@ spec:
           hostPath:
             path: /mnt/nfs/AppData/snippet-box
             type: Directory
+      nodeSelector:
+        kubernetes.io/os: linux
+        kubernetes.io/arch: arm64

apps/snippet-box/base/ingress.yaml

@@ -1,21 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: snippet-box-ingress
-  namespace: snippet-box
-  annotations:
-    nginx.ingress.kubernetes.io/ssl-redirect: "false"
-    nginx.ingress.kubernetes.io/use-regex: "true"
-spec:
-  ingressClassName: nginx
-  rules:
-    - host: "snippet-box.cluster.edward.sydney"
-      http:
-        paths:
-          - pathType: Prefix
-            path: "/"
-            backend:
-              service:
-                name: snippet-box
-                port:
-                  number: 5000

apps/snippet-box/base/kustomization.yaml

@@ -2,5 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - ./deployment.yaml
-  - ./service.yaml
-  - ./ingress.yaml
+  - ./service.yaml

apps/snippet-box/base/service.yaml

@@ -8,10 +8,10 @@ metadata:
 spec:
   selector:
     app.kubernetes.io/name: snippet-box
-  type: ClusterIP
+  type: LoadBalancer
   internalTrafficPolicy: Cluster
   ports:
     - protocol: TCP
-      port: 5000
+      port: 5055
       targetPort: 5000
       name: snippet-box

apps/sonarqube/env/k3s-cluster/kustomization.yaml

@@ -3,6 +3,6 @@ kind: Kustomization
 helmCharts:
   - name: sonarqube
     repo: oci://registry-1.docker.io/bitnamicharts
-    version: 5.2.10
+    version: 5.2.13
     releaseName: sonarqube
     valuesFile: values.yaml

apps/sonarqube/env/k3s-cluster/values.yaml

@@ -1,7 +1,9 @@
 priorityClassName: system-cluster-critical
+image:
+  debug: true
 podAntiAffinityPreset: ""
 namespaceOverride: "sonarqube"
-clusterDomain: sonarqube.cluster.edward.sydney
+clusterDomain: cluster.edward.sydney
 sonarqubeUsername: sonarqube
 existingSecret: "sonarqube-secrets"
 sonarqubeEmail: "me@edward.sydney"
@@ -10,22 +12,21 @@ smtpPort: "587"
 smtpUser: "me@edward.sydney"
 smtpProtocol: "TLS"
 smtpExistingSecret: "sonarqube-secrets"
+resourcesPreset: "2xlarge"
 podSecurityContext:
   fsGroup: 1000
 containerSecurityContext:
   runAsUser: 1000
   runAsGroup: 1000
+updateStrategy:
+  type: Recreate
 service:
   ports:
     http: 8090
     elastic: 9091
-  nodePorts:
-    http: 30089
-    elastic: 30091
-ingress:
-  enabled: true
-  ingressClassName: "nginx"
-  hostname: "sonarqube.cluster.edward.sydney"
+  annotations:
+    metallb.universe.tf/address-pool: k3s-cluster-ip-pool
+    metallb.universe.tf/allow-shared-ip: k3s-cluster
 persistence:
   enabled: true
   storageClass: local-path
@@ -39,3 +40,5 @@ externalDatabase:
   host: "postgresql-primary.argocd.svc.cluster.local"
   user: "sonarqube_user"
   existingSecret: "sonarqube-secrets"
+nodeSelector:
+  kubernetes.io/hostname: k3s-cluster-node-y

apps/stirling-pdf/base/deployment.yaml

@@ -0,0 +1,55 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: stirling-pdf
+  namespace: stirling-pdf
+  labels:
+    app.kubernetes.io/name: stirling-pdf
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: stirling-pdf
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: stirling-pdf
+    spec:
+      containers:
+        - name: stirling-pdf
+          image: frooodle/s-pdf:0.29.0
+          securityContext:
+            allowPrivilegeEscalation: false
+          env:
+            - name: DOCKER_ENABLE_SECURITY
+              value: "true"
+          ports:
+            - protocol: TCP
+              containerPort: 8080
+              name: http
+          volumeMounts:
+            - name: s-pdf-tessdata
+              mountPath: /usr/share/tesseract-ocr/5/tessdata
+            - name: s-pdf-configs
+              mountPath: /configs
+            - name: s-pdf-custom-files
+              mountPath: /customFiles
+            - name: s-pdf-logs
+              mountPath: /logs
+      volumes:
+        - name: s-pdf-tessdata
+          hostPath:
+            path: /mnt/nfs/AppData/stirling-pdf/tessdata
+            type: Directory
+        - name: s-pdf-configs
+          hostPath:
+            path: /mnt/nfs/AppData/stirling-pdf/configs
+            type: Directory
+        - name: s-pdf-custom-files
+          hostPath:
+            path: /mnt/nfs/AppData/stirling-pdf/customFiles
+            type: Directory
+        - name: s-pdf-logs
+          hostPath:
+            path: /mnt/nfs/AppData/stirling-pdf/logs
+            type: Directory
+

apps/stirling-pdf/base/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./deployment.yaml
+  - ./service.yaml

apps/stirling-pdf/base/service.yaml

@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: stirling-pdf
+  namespace: stirling-pdf
+  annotations:
+    metallb.universe.tf/address-pool: k3s-cluster-ip-pool
+    metallb.universe.tf/allow-shared-ip: k3s-cluster
+  labels:
+    app.kubernetes.io/name: stirling-pdf
+spec:
+  selector:
+    app.kubernetes.io/name: stirling-pdf
+  type: LoadBalancer
+  internalTrafficPolicy: Cluster
+  ports:
+    - protocol: TCP
+      port: 8880
+      targetPort: 8080
+      name: http

apps/stirling-pdf/env/k3s-cluster/config.json

@@ -0,0 +1,12 @@
+{
+  "appName": "stirling-pdf",
+  "userGivenName": "stirling-pdf",
+  "namespace": "stirling-pdf",
+  "destNamespace": "stirling-pdf",
+  "destServer": "https://kubernetes.default.svc",
+  "srcPath": "apps/stirling-pdf/env/k3s-cluster",
+  "srcRepoURL": "https://github.com/3dwardch3ng/home-cluster-ops.git",
+  "srcTargetRevision": "",
+  "labels": null,
+  "annotations": null
+}

apps/stirling-pdf/env/k3s-cluster/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../../base

apps/trillium/base/service.yaml

@@ -3,12 +3,15 @@ kind: Service
 metadata:
   name: trillium
   namespace: trillium
+  annotations:
+    metallb.universe.tf/address-pool: k3s-cluster-ip-pool
+    metallb.universe.tf/allow-shared-ip: k3s-cluster
   labels:
     app.kubernetes.io/name: trillium
 spec:
   selector:
     app.kubernetes.io/name: trillium
-  type: ClusterIP
+  type: LoadBalancer
   internalTrafficPolicy: Cluster
   ports:
     - protocol: TCP

apps/trillium/env/k3s-cluster/kustomization.yaml

@@ -1,5 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ../../base
-  - ./ingress.yaml
+  - ../../base

apps/vaultwarden/base/deployment.yaml

@@ -23,7 +23,7 @@ spec:
             runAsNonRoot: true
             runAsGroup: 1000
           name: vaultwarden
-          image: vaultwarden/server:1.31.0
+          image: vaultwarden/server:1.32.0
           env:
             - name: DOMAIN
               value: https://vaultwarden.cluster.edward.sydney

apps/vaultwarden/base/service.yaml

@@ -3,12 +3,15 @@ kind: Service
 metadata:
   name: vaultwarden
   namespace: vaultwarden
+  annotations:
+    metallb.universe.tf/address-pool: k3s-cluster-ip-pool
+    metallb.universe.tf/allow-shared-ip: k3s-cluster
   labels:
     app.kubernetes.io/name: vaultwarden
 spec:
   selector:
     app.kubernetes.io/name: vaultwarden
-  type: ClusterIP
+  type: LoadBalancer
   internalTrafficPolicy: Cluster
   ports:
     - protocol: TCP

apps/vaultwarden/env/k3s-cluster/kustomization.yaml

@@ -1,5 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ../../base
-  - ./ingress.yaml
+  - ../../base

infrastructures/argo-events/base/cluster-role-binding.yaml

@@ -0,0 +1,26 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: argo-events-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: argo-events-role
+subjects:
+  - kind: ServiceAccount
+    name: argo-events-sa
+    namespace: argo-events
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: argo-events-webhook-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: argo-events-webhook
+subjects:
+  - kind: ServiceAccount
+    name: argo-events-webhook-sa
+    namespace: argo-events

infrastructures/argo-events/base/cluster-role.yaml

@@ -0,0 +1,230 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+  name: argo-events-aggregate-to-admin
+rules:
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - sensors
+      - sensors/finalizers
+      - sensors/status
+      - eventsources
+      - eventsources/finalizers
+      - eventsources/status
+      - eventbus
+      - eventbus/finalizers
+      - eventbus/status
+    verbs:
+      - create
+      - delete
+      - deletecollection
+      - get
+      - list
+      - patch
+      - update
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+  name: argo-events-aggregate-to-edit
+rules:
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - sensors
+      - sensors/finalizers
+      - sensors/status
+      - eventsources
+      - eventsources/finalizers
+      - eventsources/status
+      - eventbus
+      - eventbus/finalizers
+      - eventbus/status
+    verbs:
+      - create
+      - delete
+      - deletecollection
+      - get
+      - list
+      - patch
+      - update
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+  name: argo-events-aggregate-to-view
+rules:
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - sensors
+      - sensors/finalizers
+      - sensors/status
+      - eventsources
+      - eventsources/finalizers
+      - eventsources/status
+      - eventbus
+      - eventbus/finalizers
+      - eventbus/status
+    verbs:
+      - get
+      - list
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: argo-events-role
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - events
+    verbs:
+      - create
+      - patch
+  - apiGroups:
+      - coordination.k8s.io
+    resources:
+      - leases
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - sensors
+      - sensors/finalizers
+      - sensors/status
+      - eventsources
+      - eventsources/finalizers
+      - eventsources/status
+      - eventbus
+      - eventbus/finalizers
+      - eventbus/status
+    verbs:
+      - create
+      - delete
+      - deletecollection
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+      - pods/exec
+      - configmaps
+      - services
+      - persistentvolumeclaims
+    verbs:
+      - create
+      - get
+      - list
+      - watch
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - create
+      - get
+      - list
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - apps
+    resources:
+      - deployments
+      - statefulsets
+    verbs:
+      - create
+      - get
+      - list
+      - watch
+      - update
+      - patch
+      - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: argo-events-webhook
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - list
+      - create
+      - update
+      - delete
+      - patch
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - apps
+    resources:
+      - deployments
+    verbs:
+      - get
+      - list
+  - apiGroups:
+      - admissionregistration.k8s.io
+    resources:
+      - validatingwebhookconfigurations
+    verbs:
+      - get
+      - list
+      - create
+      - update
+      - delete
+      - patch
+      - watch
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - eventbus
+      - eventsources
+      - sensors
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - rbac.authorization.k8s.io
+    resources:
+      - clusterroles
+    verbs:
+      - get
+      - list

infrastructures/argo-events/base/configmap.yaml

@@ -0,0 +1,76 @@
+---
+apiVersion: v1
+data:
+  controller-config.yaml: |
+    eventBus:
+      nats:
+        versions:
+          - version: 0.22.1
+            natsStreamingImage: nats-streaming:0.22.1
+            metricsExporterImage: natsio/prometheus-nats-exporter:0.8.0
+      jetstream:
+        # Default JetStream settings, could be overridden by EventBus JetStream specs
+        settings: |
+          # https://docs.nats.io/running-a-nats-service/configuration#jetstream
+          # Only configure "max_memory_store" or "max_file_store", do not set "store_dir" as it has been hardcoded.
+          # e.g. 1G. -1 means no limit, up to 75% of available memory
+          max_memory_store: -1
+          # e.g. 20G. -1 means no limit, Up to 1TB if available
+          max_file_store: 1TB
+        streamConfig: |
+          # The default properties of the streams to be created in this JetStream service
+          maxMsgs: 50000
+          maxAge: 168h
+          maxBytes: -1
+          replicas: 3
+          duplicates: 300s
+        versions:
+          - version: latest
+            natsImage: nats:2.10.10
+            metricsExporterImage: natsio/prometheus-nats-exporter:0.14.0
+            configReloaderImage: natsio/nats-server-config-reloader:0.14.0
+            startCommand: /nats-server
+          - version: 2.8.1
+            natsImage: nats:2.8.1
+            metricsExporterImage: natsio/prometheus-nats-exporter:0.9.1
+            configReloaderImage: natsio/nats-server-config-reloader:0.7.0
+            startCommand: /nats-server
+          - version: 2.8.1-alpine
+            natsImage: nats:2.8.1-alpine
+            metricsExporterImage: natsio/prometheus-nats-exporter:0.9.1
+            configReloaderImage: natsio/nats-server-config-reloader:0.7.0
+            startCommand: nats-server
+          - version: 2.8.2
+            natsImage: nats:2.8.2
+            metricsExporterImage: natsio/prometheus-nats-exporter:0.9.1
+            configReloaderImage: natsio/nats-server-config-reloader:0.7.0
+            startCommand: /nats-server
+          - version: 2.8.2-alpine
+            natsImage: nats:2.8.2-alpine
+            metricsExporterImage: natsio/prometheus-nats-exporter:0.9.1
+            configReloaderImage: natsio/nats-server-config-reloader:0.7.0
+            startCommand: nats-server
+          - version: 2.9.1
+            natsImage: nats:2.9.1
+            metricsExporterImage: natsio/prometheus-nats-exporter:0.9.1
+            configReloaderImage: natsio/nats-server-config-reloader:0.7.0
+            startCommand: /nats-server
+          - version: 2.9.12
+            natsImage: nats:2.9.12
+            metricsExporterImage: natsio/prometheus-nats-exporter:0.9.1
+            configReloaderImage: natsio/nats-server-config-reloader:0.7.0
+            startCommand: /nats-server
+          - version: 2.9.16
+            natsImage: nats:2.9.16
+            metricsExporterImage: natsio/prometheus-nats-exporter:0.9.1
+            configReloaderImage: natsio/nats-server-config-reloader:0.7.0
+            startCommand: /nats-server
+          - version: 2.10.10
+            natsImage: nats:2.10.10
+            metricsExporterImage: natsio/prometheus-nats-exporter:0.14.0
+            configReloaderImage: natsio/nats-server-config-reloader:0.14.0
+            startCommand: /nats-server
+kind: ConfigMap
+metadata:
+  name: argo-events-controller-config
+  namespace: argo-events

infrastructures/argo-events/base/custom-resource-definition.yaml

@@ -0,0 +1,120 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: eventbus.argoproj.io
+spec:
+  group: argoproj.io
+  names:
+    kind: EventBus
+    listKind: EventBusList
+    plural: eventbus
+    shortNames:
+      - eb
+    singular: eventbus
+  scope: Namespaced
+  versions:
+    - name: v1alpha1
+      schema:
+        openAPIV3Schema:
+          properties:
+            apiVersion:
+              type: string
+            kind:
+              type: string
+            metadata:
+              type: object
+            spec:
+              type: object
+              x-kubernetes-preserve-unknown-fields: true
+            status:
+              type: object
+              x-kubernetes-preserve-unknown-fields: true
+          required:
+            - metadata
+            - spec
+          type: object
+      served: true
+      storage: true
+      subresources:
+        status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: eventsources.argoproj.io
+spec:
+  group: argoproj.io
+  names:
+    kind: EventSource
+    listKind: EventSourceList
+    plural: eventsources
+    shortNames:
+      - es
+    singular: eventsource
+  scope: Namespaced
+  versions:
+    - name: v1alpha1
+      schema:
+        openAPIV3Schema:
+          properties:
+            apiVersion:
+              type: string
+            kind:
+              type: string
+            metadata:
+              type: object
+            spec:
+              type: object
+              x-kubernetes-preserve-unknown-fields: true
+            status:
+              type: object
+              x-kubernetes-preserve-unknown-fields: true
+          required:
+            - metadata
+            - spec
+          type: object
+      served: true
+      storage: true
+      subresources:
+        status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: sensors.argoproj.io
+spec:
+  group: argoproj.io
+  names:
+    kind: Sensor
+    listKind: SensorList
+    plural: sensors
+    shortNames:
+      - sn
+    singular: sensor
+  scope: Namespaced
+  versions:
+    - name: v1alpha1
+      schema:
+        openAPIV3Schema:
+          properties:
+            apiVersion:
+              type: string
+            kind:
+              type: string
+            metadata:
+              type: object
+            spec:
+              type: object
+              x-kubernetes-preserve-unknown-fields: true
+            status:
+              type: object
+              x-kubernetes-preserve-unknown-fields: true
+          required:
+            - metadata
+            - spec
+          type: object
+      served: true
+      storage: true
+      subresources:
+        status: {}

infrastructures/argo-events/base/deployment.yaml

@@ -0,0 +1,82 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: argo-events
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: controller-manager
+  template:
+    metadata:
+      labels:
+        app: controller-manager
+    spec:
+      containers:
+        - args:
+            - controller
+          env:
+            - name: ARGO_EVENTS_IMAGE
+              value: quay.io/argoproj/argo-events:v1.9.2
+            - name: NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+          image: quay.io/argoproj/argo-events:v1.9.2
+          imagePullPolicy: Always
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: 8081
+            initialDelaySeconds: 3
+            periodSeconds: 3
+          name: controller-manager
+          readinessProbe:
+            httpGet:
+              path: /readyz
+              port: 8081
+            initialDelaySeconds: 3
+            periodSeconds: 3
+          volumeMounts:
+            - mountPath: /etc/argo-events
+              name: controller-config-volume
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 9731
+      serviceAccountName: argo-events-sa
+      volumes:
+        - configMap:
+            name: argo-events-controller-config
+          name: controller-config-volume
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: events-webhook
+  namespace: argo-events
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: events-webhook
+  template:
+    metadata:
+      labels:
+        app: events-webhook
+    spec:
+      containers:
+        - args:
+            - webhook-service
+          env:
+            - name: NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: PORT
+              value: "443"
+          image: quay.io/argoproj/argo-events:v1.9.2
+          imagePullPolicy: Always
+          name: webhook
+      serviceAccountName: argo-events-webhook-sa

infrastructures/argo-events/base/kustomization.yaml

@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./custom-resource-definition.yaml
+  - ./service-account.yaml
+  - ./cluster-role.yaml
+  - ./cluster-role-binding.yaml
+  - ./configmap.yaml
+  - ./deployment.yaml
+  - ./service.yaml

infrastructures/argo-events/base/service-account.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: argo-events-sa
+  namespace: argo-events
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: argo-events-webhook-sa
+  namespace: argo-events

infrastructures/argo-events/base/service.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: events-webhook
+  namespace: argo-events
+spec:
+  ports:
+    - port: 443
+      targetPort: 443
+  selector:
+    app: events-webhook

infrastructures/argo-events/env/k3s-cluster/config.json

@@ -0,0 +1,14 @@
+{
+  "appName": "argo-events",
+  "userGivenName": "argo-events",
+  "namespace": "argo-events",
+  "destNamespace": "argo-events",
+  "destServer": "https://kubernetes.default.svc",
+  "srcPath": "infrastructures/argo-events/env/k3s-cluster",
+  "srcRepoURL": "https://github.com/3dwardch3ng/home-cluster-ops.git",
+  "srcTargetRevision": "",
+  "labels": null,
+  "annotations": {
+    "argo-events.argoproj.io/release-version": "v1.9.2"
+  }
+}

infrastructures/argo-events/env/k3s-cluster/examples/event-source.yaml

@@ -0,0 +1,37 @@
+apiVersion: argoproj.io/v1alpha1
+kind: EventSource
+metadata:
+  name: webhook
+spec:
+  service:
+    ports:
+      - port: 12000
+        targetPort: 12000
+  webhook:
+    # event-source can run multiple HTTP servers. Simply define a unique port to start a new HTTP server
+    example:
+      # port to run HTTP server on
+      port: "12000"
+      # endpoint to listen to
+      endpoint: /example
+      # HTTP request method to allow. In this case, only POST requests are accepted
+      method: POST
+
+#    example-foo:
+#      port: "12000"
+#      endpoint: /example2
+#      method: POST
+
+# Uncomment to use secure webhook
+#    example-secure:
+#      port: "13000"
+#      endpoint: "/secure"
+#      method: "POST"
+#      # k8s secret that contains the cert
+#      serverCertSecret:
+#        name: my-secret
+#        key: cert-key
+#      # k8s secret that contains the private key
+#      serverKeySecret:
+#        name: my-secret
+#        key: pk-key

infrastructures/argo-events/env/k3s-cluster/examples/eventbus.yaml

@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: EventBus
+metadata:
+  name: default
+spec:
+  nats:
+    native:
+      # Optional, defaults to 3. If it is < 3, set it to 3, that is the minimal requirement.
+      replicas: 3
+      # Optional, authen strategy, "none" or "token", defaults to "none"
+      auth: token
+#      containerTemplate:
+#        resources:
+#          requests:
+#            cpu: "10m"
+#      metricsContainerTemplate:
+#        resources:
+#          requests:
+#            cpu: "10m"
+#      antiAffinity: false
+#      persistence:
+#        storageClassName: standard
+#        accessMode: ReadWriteOnce
+#        volumeSize: 10Gi

infrastructures/argo-events/env/k3s-cluster/examples/ingress.yaml

@@ -1,21 +1,21 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  name: vaultwarden-ingress
-  namespace: vaultwarden
+  name: event-example-ingress
+  namespace: argo-events
   annotations:
     nginx.ingress.kubernetes.io/ssl-redirect: "false"
     nginx.ingress.kubernetes.io/use-regex: "true"
 spec:
   ingressClassName: nginx
   rules:
-    - host: "vaultwarden.cluster.edward.sydney"
+    - host: "event-example.cluster.edward.sydney"
       http:
         paths:
           - pathType: Prefix
             path: "/"
             backend:
               service:
-                name: vaultwarden
+                name: webhook-eventsource-svc
                 port:
-                  number: 11080
+                  number: 12000

infrastructures/argo-events/env/k3s-cluster/examples/sensor.yaml

@@ -0,0 +1,33 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: operate-workflow-sa
+---
+# Similarly you can use a ClusterRole and ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: operate-workflow-role
+rules:
+  - apiGroups:
+      - argoproj.io
+    verbs:
+      - "*"
+    resources:
+      - workflows
+      - workflowtemplates
+      - cronworkflows
+      - clusterworkflowtemplates
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: operate-workflow-role-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: operate-workflow-role
+subjects:
+  - kind: ServiceAccount
+    name: operate-workflow-sa

infrastructures/argo-events/env/k3s-cluster/examples/webhook.yaml

@@ -0,0 +1,47 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Sensor
+metadata:
+  name: webhook
+spec:
+  template:
+    serviceAccountName: operate-workflow-sa
+  dependencies:
+    - name: test-dep
+      eventSourceName: webhook
+      eventName: example
+  triggers:
+    - template:
+        name: webhook-workflow-trigger
+        k8s:
+          operation: create
+          source:
+            resource:
+              apiVersion: argoproj.io/v1alpha1
+              kind: Workflow
+              metadata:
+                generateName: webhook-
+              spec:
+                entrypoint: whalesay
+                arguments:
+                  parameters:
+                    - name: message
+                      # the value will get overridden by event payload from test-dep
+                      value: "hello world!"
+                templates:
+                  - name: whalesay
+                    inputs:
+                      parameters:
+                        - name: message
+                    container:
+                      image: docker/whalesay:latest
+                      command: [cowsay]
+                      args: ["{{inputs.parameters.message}}"]
+                nodeSelector:
+                  kubernetes.io/os: linux
+                  kubernetes.io/arch: amd64
+          parameters:
+            - src:
+                dependencyName: test-dep
+                dataKey: body
+              dest: spec.arguments.parameters.0.value

infrastructures/argo-events/env/k3s-cluster/examples/workflow.yaml

@@ -0,0 +1,29 @@
+# This file enables a Workflow Pod (running Emissary executor) to be able to read and patch WorkflowTaskResults,
+# which get shared with the Workflow Controller. The Controller uses the results to update Workflow status.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    workflows.argoproj.io/description: |
+      Recomended minimum permissions for the `emissary` executor.
+  name: executor
+rules:
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - workflowtaskresults
+    verbs:
+      - create
+      - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: executor-default
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: executor
+subjects:
+  - kind: ServiceAccount
+    name: default

infrastructures/argo-events/env/k3s-cluster/kustomization.yaml

@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../../base
+#  - ./examples/eventbus.yaml
+#  - ./examples/event-source.yaml
+#  - ./examples/ingress.yaml
+#  - ./examples/sensor.yaml
+#  - ./examples/workflow.yaml
+#  - ./examples/webhook.yaml

infrastructures/argo-workflows/base/cluster-role-binding.yaml

@@ -0,0 +1,52 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: argo-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: argo-cluster-role
+subjects:
+  - kind: ServiceAccount
+    name: argo
+    namespace: argo
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: argo-clusterworkflowtemplate-role-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: argo-clusterworkflowtemplate-role
+subjects:
+  - kind: ServiceAccount
+    name: argo
+    namespace: argo
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: argo-server-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: argo-server-cluster-role
+subjects:
+  - kind: ServiceAccount
+    name: argo-server
+    namespace: argo
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: argo-server-clusterworkflowtemplate-role-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: argo-server-clusterworkflowtemplate-role
+subjects:
+  - kind: ServiceAccount
+    name: argo-server
+    namespace: argo

infrastructures/argo-workflows/base/cluster-role.yaml

@@ -0,0 +1,298 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+  name: argo-aggregate-to-admin
+rules:
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - workflows
+      - workflows/finalizers
+      - workfloweventbindings
+      - workfloweventbindings/finalizers
+      - workflowtemplates
+      - workflowtemplates/finalizers
+      - cronworkflows
+      - cronworkflows/finalizers
+      - clusterworkflowtemplates
+      - clusterworkflowtemplates/finalizers
+      - workflowtasksets
+      - workflowtasksets/finalizers
+      - workflowtaskresults
+      - workflowtaskresults/finalizers
+    verbs:
+      - create
+      - delete
+      - deletecollection
+      - get
+      - list
+      - patch
+      - update
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+  name: argo-aggregate-to-edit
+rules:
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - workflows
+      - workflows/finalizers
+      - workfloweventbindings
+      - workfloweventbindings/finalizers
+      - workflowtemplates
+      - workflowtemplates/finalizers
+      - cronworkflows
+      - cronworkflows/finalizers
+      - clusterworkflowtemplates
+      - clusterworkflowtemplates/finalizers
+      - workflowtaskresults
+      - workflowtaskresults/finalizers
+    verbs:
+      - create
+      - delete
+      - deletecollection
+      - get
+      - list
+      - patch
+      - update
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+  name: argo-aggregate-to-view
+rules:
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - workflows
+      - workflows/finalizers
+      - workfloweventbindings
+      - workfloweventbindings/finalizers
+      - workflowtemplates
+      - workflowtemplates/finalizers
+      - cronworkflows
+      - cronworkflows/finalizers
+      - clusterworkflowtemplates
+      - clusterworkflowtemplates/finalizers
+      - workflowtaskresults
+      - workflowtaskresults/finalizers
+    verbs:
+      - get
+      - list
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: argo-cluster-role
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+      - pods/exec
+    verbs:
+      - create
+      - get
+      - list
+      - watch
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - get
+      - watch
+      - list
+  - apiGroups:
+      - ""
+    resources:
+      - persistentvolumeclaims
+      - persistentvolumeclaims/finalizers
+    verbs:
+      - create
+      - update
+      - delete
+      - get
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - workflows
+      - workflows/finalizers
+      - workflowtasksets
+      - workflowtasksets/finalizers
+      - workflowartifactgctasks
+    verbs:
+      - get
+      - list
+      - watch
+      - update
+      - patch
+      - delete
+      - create
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - workflowtemplates
+      - workflowtemplates/finalizers
+      - clusterworkflowtemplates
+      - clusterworkflowtemplates/finalizers
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - workflowtaskresults
+    verbs:
+      - list
+      - watch
+      - deletecollection
+  - apiGroups:
+      - ""
+    resources:
+      - serviceaccounts
+    verbs:
+      - get
+      - list
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - cronworkflows
+      - cronworkflows/finalizers
+    verbs:
+      - get
+      - list
+      - watch
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - ""
+    resources:
+      - events
+    verbs:
+      - create
+      - patch
+  - apiGroups:
+      - policy
+    resources:
+      - poddisruptionbudgets
+    verbs:
+      - create
+      - get
+      - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: argo-clusterworkflowtemplate-role
+rules:
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - clusterworkflowtemplates
+      - clusterworkflowtemplates/finalizers
+    verbs:
+      - get
+      - list
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: argo-server-cluster-role
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - get
+      - watch
+      - list
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - create
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+      - pods/exec
+      - pods/log
+    verbs:
+      - get
+      - list
+      - watch
+      - delete
+  - apiGroups:
+      - ""
+    resources:
+      - events
+    verbs:
+      - watch
+      - create
+      - patch
+  - apiGroups:
+      - ""
+    resources:
+      - serviceaccounts
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - eventsources
+      - sensors
+      - workflows
+      - workfloweventbindings
+      - workflowtemplates
+      - cronworkflows
+      - clusterworkflowtemplates
+    verbs:
+      - create
+      - get
+      - list
+      - watch
+      - update
+      - patch
+      - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: argo-server-clusterworkflowtemplate-role
+rules:
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - clusterworkflowtemplates
+      - clusterworkflowtemplates/finalizers
+    verbs:
+      - create
+      - delete
+      - watch
+      - get
+      - list
+      - watch

infrastructures/argo-workflows/base/configmap.yaml

@@ -0,0 +1,110 @@
+---
+apiVersion: v1
+data:
+  artifactRepository: |
+    s3:
+      bucket: argo-workflows
+      endpoint: minio.minio.svc.cluster.local:19000
+      insecure: true
+      accessKeySecret:
+        name: argo-workflows-minio-cred
+        key: accesskey
+      secretKeySecret:
+        name: argo-workflows-minio-cred
+        key: secretkey
+  columns: |
+    - name: Workflow Completed
+      type: label
+      key: workflows.argoproj.io/completed
+  executor: |
+    resources:
+      requests:
+        cpu: 10m
+        memory: 64Mi
+  images: |
+    docker/whalesay:v3.5.10:
+       cmd: [cowsay]
+  links: |
+    - name: Workflow Link
+      scope: workflow
+      url: http://logging-facility?namespace=${metadata.namespace}&workflowName=${metadata.name}&startedAt=${status.startedAt}&finishedAt=${status.finishedAt}
+    - name: Pod Link
+      scope: pod
+      url: http://logging-facility?namespace=${metadata.namespace}&podName=${metadata.name}&startedAt=${status.startedAt}&finishedAt=${status.finishedAt}
+    - name: Pod Logs Link
+      scope: pod-logs
+      url: http://logging-facility?namespace=${metadata.namespace}&podName=${metadata.name}&startedAt=${status.startedAt}&finishedAt=${status.finishedAt}
+    - name: Event Source Logs Link
+      scope: event-source-logs
+      url: http://logging-facility?namespace=${metadata.namespace}&podName=${metadata.name}&startedAt=${status.startedAt}&finishedAt=${status.finishedAt}
+    - name: Sensor Logs Link
+      scope: sensor-logs
+      url: http://logging-facility?namespace=${metadata.namespace}&podName=${metadata.name}&startedAt=${status.startedAt}&finishedAt=${status.finishedAt}
+    - name: Completed Workflows
+      scope: workflow-list
+      url: http://workflows?label=workflows.argoproj.io/completed=true
+  metricsConfig: |
+    enabled: true
+    path: /metrics
+    port: 9090
+  namespaceParallelism: "10"
+  persistence: |
+    connectionPool:
+      maxIdleConns: 100
+      maxOpenConns: 0
+      connMaxLifetime: 0s
+    nodeStatusOffLoad: true
+    archive: true
+    archiveTTL: 7d
+    postgresql:
+      host: postgresql-primary.argocd.svc.cluster.local
+      port: 5432
+      database: argo_workflows
+      tableName: argo_workflows
+      userNameSecret:
+        name: argo-workflows-postgres-config
+        key: username
+      passwordSecret:
+        name: argo-workflows-postgres-config
+        key: password
+  retentionPolicy: |
+    completed: 10
+    failed: 3
+    errored: 3
+kind: ConfigMap
+metadata:
+  name: workflow-controller-configmap
+  namespace: argo
+---
+apiVersion: v1
+data:
+  default-v1: |
+    archiveLogs: true
+    s3:
+      bucket: argo-workflows
+      endpoint: minio.minio.svc.cluster.local:19000
+      insecure: true
+      accessKeySecret:
+        name: argo-workflows-minio-cred
+        key: accesskey
+      secretKeySecret:
+        name: argo-workflows-minio-cred
+        key: secretkey
+  empty: ""
+  my-key: |
+    archiveLogs: true
+    s3:
+      bucket: argo-workflows
+      endpoint: minio.minio.svc.cluster.local:19000
+      insecure: true
+      accessKeySecret:
+        name: argo-workflows-minio-cred
+        key: accesskey
+      secretKeySecret:
+        name: argo-workflows-minio-cred
+        key: secretkey
+kind: ConfigMap
+metadata:
+  annotations:
+    workflows.argoproj.io/default-artifact-repository: default-v1
+  name: artifact-repositories

infrastructures/argo-workflows/base/custom-resource-definition.yaml

@@ -0,0 +1,888 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: clusterworkflowtemplates.argoproj.io
+spec:
+  group: argoproj.io
+  names:
+    kind: ClusterWorkflowTemplate
+    listKind: ClusterWorkflowTemplateList
+    plural: clusterworkflowtemplates
+    shortNames:
+      - clusterwftmpl
+      - cwft
+    singular: clusterworkflowtemplate
+  scope: Cluster
+  versions:
+    - name: v1alpha1
+      schema:
+        openAPIV3Schema:
+          properties:
+            apiVersion:
+              type: string
+            kind:
+              type: string
+            metadata:
+              type: object
+            spec:
+              type: object
+              x-kubernetes-map-type: atomic
+              x-kubernetes-preserve-unknown-fields: true
+          required:
+            - metadata
+            - spec
+          type: object
+      served: true
+      storage: true
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: cronworkflows.argoproj.io
+spec:
+  group: argoproj.io
+  names:
+    kind: CronWorkflow
+    listKind: CronWorkflowList
+    plural: cronworkflows
+    shortNames:
+      - cwf
+      - cronwf
+    singular: cronworkflow
+  scope: Namespaced
+  versions:
+    - name: v1alpha1
+      schema:
+        openAPIV3Schema:
+          properties:
+            apiVersion:
+              type: string
+            kind:
+              type: string
+            metadata:
+              type: object
+            spec:
+              type: object
+              x-kubernetes-map-type: atomic
+              x-kubernetes-preserve-unknown-fields: true
+            status:
+              type: object
+              x-kubernetes-map-type: atomic
+              x-kubernetes-preserve-unknown-fields: true
+          required:
+            - metadata
+            - spec
+          type: object
+      served: true
+      storage: true
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: workflowartifactgctasks.argoproj.io
+spec:
+  group: argoproj.io
+  names:
+    kind: WorkflowArtifactGCTask
+    listKind: WorkflowArtifactGCTaskList
+    plural: workflowartifactgctasks
+    shortNames:
+      - wfat
+    singular: workflowartifactgctask
+  scope: Namespaced
+  versions:
+    - name: v1alpha1
+      schema:
+        openAPIV3Schema:
+          properties:
+            apiVersion:
+              type: string
+            kind:
+              type: string
+            metadata:
+              type: object
+            spec:
+              type: object
+              x-kubernetes-map-type: atomic
+              x-kubernetes-preserve-unknown-fields: true
+            status:
+              type: object
+              x-kubernetes-map-type: atomic
+              x-kubernetes-preserve-unknown-fields: true
+          required:
+            - metadata
+            - spec
+          type: object
+      served: true
+      storage: true
+      subresources:
+        status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: workfloweventbindings.argoproj.io
+spec:
+  group: argoproj.io
+  names:
+    kind: WorkflowEventBinding
+    listKind: WorkflowEventBindingList
+    plural: workfloweventbindings
+    shortNames:
+      - wfeb
+    singular: workfloweventbinding
+  scope: Namespaced
+  versions:
+    - name: v1alpha1
+      schema:
+        openAPIV3Schema:
+          properties:
+            apiVersion:
+              type: string
+            kind:
+              type: string
+            metadata:
+              type: object
+            spec:
+              type: object
+              x-kubernetes-map-type: atomic
+              x-kubernetes-preserve-unknown-fields: true
+          required:
+            - metadata
+            - spec
+          type: object
+      served: true
+      storage: true
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: workflows.argoproj.io
+spec:
+  group: argoproj.io
+  names:
+    kind: Workflow
+    listKind: WorkflowList
+    plural: workflows
+    shortNames:
+      - wf
+    singular: workflow
+  scope: Namespaced
+  versions:
+    - additionalPrinterColumns:
+        - description: Status of the workflow
+          jsonPath: .status.phase
+          name: Status
+          type: string
+        - description: When the workflow was started
+          format: date-time
+          jsonPath: .status.startedAt
+          name: Age
+          type: date
+        - description: Human readable message indicating details about why the workflow
+            is in this condition.
+          jsonPath: .status.message
+          name: Message
+          type: string
+      name: v1alpha1
+      schema:
+        openAPIV3Schema:
+          properties:
+            apiVersion:
+              type: string
+            kind:
+              type: string
+            metadata:
+              type: object
+            spec:
+              type: object
+              x-kubernetes-map-type: atomic
+              x-kubernetes-preserve-unknown-fields: true
+            status:
+              type: object
+              x-kubernetes-map-type: atomic
+              x-kubernetes-preserve-unknown-fields: true
+          required:
+            - metadata
+            - spec
+          type: object
+      served: true
+      storage: true
+      subresources: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: workflowtaskresults.argoproj.io
+spec:
+  group: argoproj.io
+  names:
+    kind: WorkflowTaskResult
+    listKind: WorkflowTaskResultList
+    plural: workflowtaskresults
+    singular: workflowtaskresult
+  scope: Namespaced
+  versions:
+    - name: v1alpha1
+      schema:
+        openAPIV3Schema:
+          properties:
+            apiVersion:
+              type: string
+            kind:
+              type: string
+            message:
+              type: string
+            metadata:
+              type: object
+            outputs:
+              properties:
+                artifacts:
+                  items:
+                    properties:
+                      archive:
+                        properties:
+                          none:
+                            type: object
+                          tar:
+                            properties:
+                              compressionLevel:
+                                format: int32
+                                type: integer
+                            type: object
+                          zip:
+                            type: object
+                        type: object
+                      archiveLogs:
+                        type: boolean
+                      artifactGC:
+                        properties:
+                          podMetadata:
+                            properties:
+                              annotations:
+                                additionalProperties:
+                                  type: string
+                                type: object
+                              labels:
+                                additionalProperties:
+                                  type: string
+                                type: object
+                            type: object
+                          serviceAccountName:
+                            type: string
+                          strategy:
+                            enum:
+                              - ""
+                              - OnWorkflowCompletion
+                              - OnWorkflowDeletion
+                              - Never
+                            type: string
+                        type: object
+                      artifactory:
+                        properties:
+                          passwordSecret:
+                            properties:
+                              key:
+                                type: string
+                              name:
+                                type: string
+                              optional:
+                                type: boolean
+                            required:
+                              - key
+                            type: object
+                          url:
+                            type: string
+                          usernameSecret:
+                            properties:
+                              key:
+                                type: string
+                              name:
+                                type: string
+                              optional:
+                                type: boolean
+                            required:
+                              - key
+                            type: object
+                        required:
+                          - url
+                        type: object
+                      azure:
+                        properties:
+                          accountKeySecret:
+                            properties:
+                              key:
+                                type: string
+                              name:
+                                type: string
+                              optional:
+                                type: boolean
+                            required:
+                              - key
+                            type: object
+                          blob:
+                            type: string
+                          container:
+                            type: string
+                          endpoint:
+                            type: string
+                          useSDKCreds:
+                            type: boolean
+                        required:
+                          - blob
+                          - container
+                          - endpoint
+                        type: object
+                      deleted:
+                        type: boolean
+                      from:
+                        type: string
+                      fromExpression:
+                        type: string
+                      gcs:
+                        properties:
+                          bucket:
+                            type: string
+                          key:
+                            type: string
+                          serviceAccountKeySecret:
+                            properties:
+                              key:
+                                type: string
+                              name:
+                                type: string
+                              optional:
+                                type: boolean
+                            required:
+                              - key
+                            type: object
+                        required:
+                          - key
+                        type: object
+                      git:
+                        properties:
+                          branch:
+                            type: string
+                          depth:
+                            format: int64
+                            type: integer
+                          disableSubmodules:
+                            type: boolean
+                          fetch:
+                            items:
+                              type: string
+                            type: array
+                          insecureIgnoreHostKey:
+                            type: boolean
+                          passwordSecret:
+                            properties:
+                              key:
+                                type: string
+                              name:
+                                type: string
+                              optional:
+                                type: boolean
+                            required:
+                              - key
+                            type: object
+                          repo:
+                            type: string
+                          revision:
+                            type: string
+                          singleBranch:
+                            type: boolean
+                          sshPrivateKeySecret:
+                            properties:
+                              key:
+                                type: string
+                              name:
+                                type: string
+                              optional:
+                                type: boolean
+                            required:
+                              - key
+                            type: object
+                          usernameSecret:
+                            properties:
+                              key:
+                                type: string
+                              name:
+                                type: string
+                              optional:
+                                type: boolean
+                            required:
+                              - key
+                            type: object
+                        required:
+                          - repo
+                        type: object
+                      globalName:
+                        type: string
+                      hdfs:
+                        properties:
+                          addresses:
+                            items:
+                              type: string
+                            type: array
+                          force:
+                            type: boolean
+                          hdfsUser:
+                            type: string
+                          krbCCacheSecret:
+                            properties:
+                              key:
+                                type: string
+                              name:
+                                type: string
+                              optional:
+                                type: boolean
+                            required:
+                              - key
+                            type: object
+                          krbConfigConfigMap:
+                            properties:
+                              key:
+                                type: string
+                              name:
+                                type: string
+                              optional:
+                                type: boolean
+                            required:
+                              - key
+                            type: object
+                          krbKeytabSecret:
+                            properties:
+                              key:
+                                type: string
+                              name:
+                                type: string
+                              optional:
+                                type: boolean
+                            required:
+                              - key
+                            type: object
+                          krbRealm:
+                            type: string
+                          krbServicePrincipalName:
+                            type: string
+                          krbUsername:
+                            type: string
+                          path:
+                            type: string
+                        required:
+                          - path
+                        type: object
+                      http:
+                        properties:
+                          auth:
+                            properties:
+                              basicAuth:
+                                properties:
+                                  passwordSecret:
+                                    properties:
+                                      key:
+                                        type: string
+                                      name:
+                                        type: string
+                                      optional:
+                                        type: boolean
+                                    required:
+                                      - key
+                                    type: object
+                                  usernameSecret:
+                                    properties:
+                                      key:
+                                        type: string
+                                      name:
+                                        type: string
+                                      optional:
+                                        type: boolean
+                                    required:
+                                      - key
+                                    type: object
+                                type: object
+                              clientCert:
+                                properties:
+                                  clientCertSecret:
+                                    properties:
+                                      key:
+                                        type: string
+                                      name:
+                                        type: string
+                                      optional:
+                                        type: boolean
+                                    required:
+                                      - key
+                                    type: object
+                                  clientKeySecret:
+                                    properties:
+                                      key:
+                                        type: string
+                                      name:
+                                        type: string
+                                      optional:
+                                        type: boolean
+                                    required:
+                                      - key
+                                    type: object
+                                type: object
+                              oauth2:
+                                properties:
+                                  clientIDSecret:
+                                    properties:
+                                      key:
+                                        type: string
+                                      name:
+                                        type: string
+                                      optional:
+                                        type: boolean
+                                    required:
+                                      - key
+                                    type: object
+                                  clientSecretSecret:
+                                    properties:
+                                      key:
+                                        type: string
+                                      name:
+                                        type: string
+                                      optional:
+                                        type: boolean
+                                    required:
+                                      - key
+                                    type: object
+                                  endpointParams:
+                                    items:
+                                      properties:
+                                        key:
+                                          type: string
+                                        value:
+                                          type: string
+                                      required:
+                                        - key
+                                      type: object
+                                    type: array
+                                  scopes:
+                                    items:
+                                      type: string
+                                    type: array
+                                  tokenURLSecret:
+                                    properties:
+                                      key:
+                                        type: string
+                                      name:
+                                        type: string
+                                      optional:
+                                        type: boolean
+                                    required:
+                                      - key
+                                    type: object
+                                type: object
+                            type: object
+                          headers:
+                            items:
+                              properties:
+                                name:
+                                  type: string
+                                value:
+                                  type: string
+                              required:
+                                - name
+                                - value
+                              type: object
+                            type: array
+                          url:
+                            type: string
+                        required:
+                          - url
+                        type: object
+                      mode:
+                        format: int32
+                        type: integer
+                      name:
+                        type: string
+                      optional:
+                        type: boolean
+                      oss:
+                        properties:
+                          accessKeySecret:
+                            properties:
+                              key:
+                                type: string
+                              name:
+                                type: string
+                              optional:
+                                type: boolean
+                            required:
+                              - key
+                            type: object
+                          bucket:
+                            type: string
+                          createBucketIfNotPresent:
+                            type: boolean
+                          endpoint:
+                            type: string
+                          key:
+                            type: string
+                          lifecycleRule:
+                            properties:
+                              markDeletionAfterDays:
+                                format: int32
+                                type: integer
+                              markInfrequentAccessAfterDays:
+                                format: int32
+                                type: integer
+                            type: object
+                          secretKeySecret:
+                            properties:
+                              key:
+                                type: string
+                              name:
+                                type: string
+                              optional:
+                                type: boolean
+                            required:
+                              - key
+                            type: object
+                          securityToken:
+                            type: string
+                          useSDKCreds:
+                            type: boolean
+                        required:
+                          - key
+                        type: object
+                      path:
+                        type: string
+                      raw:
+                        properties:
+                          data:
+                            type: string
+                        required:
+                          - data
+                        type: object
+                      recurseMode:
+                        type: boolean
+                      s3:
+                        properties:
+                          accessKeySecret:
+                            properties:
+                              key:
+                                type: string
+                              name:
+                                type: string
+                              optional:
+                                type: boolean
+                            required:
+                              - key
+                            type: object
+                          bucket:
+                            type: string
+                          caSecret:
+                            properties:
+                              key:
+                                type: string
+                              name:
+                                type: string
+                              optional:
+                                type: boolean
+                            required:
+                              - key
+                            type: object
+                          createBucketIfNotPresent:
+                            properties:
+                              objectLocking:
+                                type: boolean
+                            type: object
+                          encryptionOptions:
+                            properties:
+                              enableEncryption:
+                                type: boolean
+                              kmsEncryptionContext:
+                                type: string
+                              kmsKeyId:
+                                type: string
+                              serverSideCustomerKeySecret:
+                                properties:
+                                  key:
+                                    type: string
+                                  name:
+                                    type: string
+                                  optional:
+                                    type: boolean
+                                required:
+                                  - key
+                                type: object
+                            type: object
+                          endpoint:
+                            type: string
+                          insecure:
+                            type: boolean
+                          key:
+                            type: string
+                          region:
+                            type: string
+                          roleARN:
+                            type: string
+                          secretKeySecret:
+                            properties:
+                              key:
+                                type: string
+                              name:
+                                type: string
+                              optional:
+                                type: boolean
+                            required:
+                              - key
+                            type: object
+                          useSDKCreds:
+                            type: boolean
+                        type: object
+                      subPath:
+                        type: string
+                    required:
+                      - name
+                    type: object
+                  type: array
+                exitCode:
+                  type: string
+                parameters:
+                  items:
+                    properties:
+                      default:
+                        type: string
+                      description:
+                        type: string
+                      enum:
+                        items:
+                          type: string
+                        type: array
+                      globalName:
+                        type: string
+                      name:
+                        type: string
+                      value:
+                        type: string
+                      valueFrom:
+                        properties:
+                          configMapKeyRef:
+                            properties:
+                              key:
+                                type: string
+                              name:
+                                type: string
+                              optional:
+                                type: boolean
+                            required:
+                              - key
+                            type: object
+                          default:
+                            type: string
+                          event:
+                            type: string
+                          expression:
+                            type: string
+                          jqFilter:
+                            type: string
+                          jsonPath:
+                            type: string
+                          parameter:
+                            type: string
+                          path:
+                            type: string
+                          supplied:
+                            type: object
+                        type: object
+                    required:
+                      - name
+                    type: object
+                  type: array
+                result:
+                  type: string
+              type: object
+            phase:
+              type: string
+            progress:
+              type: string
+          required:
+            - metadata
+          type: object
+      served: true
+      storage: true
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: workflowtasksets.argoproj.io
+spec:
+  group: argoproj.io
+  names:
+    kind: WorkflowTaskSet
+    listKind: WorkflowTaskSetList
+    plural: workflowtasksets
+    shortNames:
+      - wfts
+    singular: workflowtaskset
+  scope: Namespaced
+  versions:
+    - name: v1alpha1
+      schema:
+        openAPIV3Schema:
+          properties:
+            apiVersion:
+              type: string
+            kind:
+              type: string
+            metadata:
+              type: object
+            spec:
+              type: object
+              x-kubernetes-map-type: atomic
+              x-kubernetes-preserve-unknown-fields: true
+            status:
+              type: object
+              x-kubernetes-map-type: atomic
+              x-kubernetes-preserve-unknown-fields: true
+          required:
+            - metadata
+            - spec
+          type: object
+      served: true
+      storage: true
+      subresources:
+        status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: workflowtemplates.argoproj.io
+spec:
+  group: argoproj.io
+  names:
+    kind: WorkflowTemplate
+    listKind: WorkflowTemplateList
+    plural: workflowtemplates
+    shortNames:
+      - wftmpl
+    singular: workflowtemplate
+  scope: Namespaced
+  versions:
+    - name: v1alpha1
+      schema:
+        openAPIV3Schema:
+          properties:
+            apiVersion:
+              type: string
+            kind:
+              type: string
+            metadata:
+              type: object
+            spec:
+              type: object
+              x-kubernetes-map-type: atomic
+              x-kubernetes-preserve-unknown-fields: true
+          required:
+            - metadata
+            - spec
+          type: object
+      served: true
+      storage: true

infrastructures/argo-workflows/base/deployment.yaml

@@ -0,0 +1,142 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: argo-server
+  namespace: argo
+spec:
+  selector:
+    matchLabels:
+      app: argo-server
+  template:
+    metadata:
+      labels:
+        app: argo-server
+    spec:
+      containers:
+        - args:
+            - server
+            - --auth-mode
+            - server
+            - --auth-mode
+            - client
+          env: []
+          image: quay.io/argoproj/argocli:v3.5.11
+          name: argo-server
+          ports:
+            - containerPort: 2746
+              name: web
+          readinessProbe:
+            httpGet:
+              path: /
+              port: 2746
+              scheme: HTTPS
+            initialDelaySeconds: 10
+            periodSeconds: 20
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+          volumeMounts:
+            - mountPath: /tmp
+              name: tmp
+      nodeSelector:
+        kubernetes.io/os: linux
+        kubernetes.io/arch: amd64
+      securityContext:
+        runAsNonRoot: true
+      serviceAccountName: argo-server
+      volumes:
+        - emptyDir: {}
+          name: tmp
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: workflow-controller
+  namespace: argo
+spec:
+  selector:
+    matchLabels:
+      app: workflow-controller
+  template:
+    metadata:
+      labels:
+        app: workflow-controller
+    spec:
+      containers:
+        - args: []
+          command:
+            - workflow-controller
+          env:
+            - name: LEADER_ELECTION_IDENTITY
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: metadata.name
+          image: quay.io/argoproj/workflow-controller:v3.5.11
+          livenessProbe:
+            failureThreshold: 3
+            httpGet:
+              path: /healthz
+              port: 6060
+            initialDelaySeconds: 90
+            periodSeconds: 60
+            timeoutSeconds: 30
+          name: workflow-controller
+          ports:
+            - containerPort: 9090
+              name: metrics
+            - containerPort: 6060
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+      nodeSelector:
+        kubernetes.io/os: linux
+        kubernetes.io/arch: amd64
+      priorityClassName: workflow-controller
+      securityContext:
+        runAsNonRoot: true
+      serviceAccountName: argo
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: httpbin
+  name: httpbin
+spec:
+  selector:
+    matchLabels:
+      app: httpbin
+  template:
+    metadata:
+      labels:
+        app: httpbin
+    spec:
+      automountServiceAccountToken: false
+      containers:
+        - image: kong/httpbin
+          livenessProbe:
+            httpGet:
+              path: /get
+              port: 80
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          name: main
+          ports:
+            - containerPort: 80
+              name: api
+          readinessProbe:
+            httpGet:
+              path: /get
+              port: 80
+            initialDelaySeconds: 5
+            periodSeconds: 10

infrastructures/argo-workflows/base/kustomization.yaml

@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./custom-resource-definition.yaml
+  - ./service-account.yaml
+  - ./role.yaml
+  - ./cluster-role.yaml
+  - ./role-binding.yaml
+  - ./cluster-role-binding.yaml
+  - ./configmap.yaml
+  - ./secret.yaml
+  - ./service.yaml
+  - ./priority-class.yaml
+  - ./deployment.yaml

infrastructures/argo-workflows/base/priority-class.yaml

@@ -0,0 +1,6 @@
+---
+apiVersion: scheduling.k8s.io/v1
+kind: PriorityClass
+metadata:
+  name: workflow-controller
+value: 1000000

infrastructures/argo-workflows/base/role-binding.yaml

@@ -0,0 +1,87 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: argo-binding
+  namespace: argo
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: argo-role
+subjects:
+  - kind: ServiceAccount
+    name: argo
+    namespace: argo
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: agent-default
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: agent
+subjects:
+  - kind: ServiceAccount
+    name: default
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: artifactgc-default
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: artifactgc
+subjects:
+  - kind: ServiceAccount
+    name: default
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: executor-default
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: executor
+subjects:
+  - kind: ServiceAccount
+    name: default
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: github.com
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: submit-workflow-template
+subjects:
+  - kind: ServiceAccount
+    name: github.com
+    namespace: argo
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: pod-manager-default
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: pod-manager
+subjects:
+  - kind: ServiceAccount
+    name: default
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: workflow-manager-default
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: workflow-manager
+subjects:
+  - kind: ServiceAccount
+    name: default

infrastructures/argo-workflows/base/role.yaml

@@ -0,0 +1,142 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: argo-role
+  namespace: argo
+rules:
+  - apiGroups:
+      - coordination.k8s.io
+    resources:
+      - leases
+    verbs:
+      - create
+      - get
+      - update
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    workflows.argoproj.io/description: |
+      This is the minimum recommended permissions needed if you want to use the agent, e.g. for HTTP or plugin templates.
+
+      If <= v3.2 you must replace `workflowtasksets/status` with `patch workflowtasksets`.
+  name: agent
+rules:
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - workflowtasksets
+    verbs:
+      - list
+      - watch
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - workflowtasksets/status
+    verbs:
+      - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    workflows.argoproj.io/description: |
+      This is the minimum recommended permissions needed if you want to use artifact GC.
+  name: artifactgc
+rules:
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - workflowartifactgctasks
+    verbs:
+      - list
+      - watch
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - workflowartifactgctasks/status
+    verbs:
+      - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    workflows.argoproj.io/description: |
+      Recomended minimum permissions for the `emissary` executor.
+  name: executor
+rules:
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - workflowtaskresults
+    verbs:
+      - create
+      - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    workflows.argoproj.io/description: |
+      This is an example of the permissions you would need if you wanted to use a resource template to create and manage
+      other pods. The same pattern would be suitable for other resurces, e.g. a service
+  name: pod-manager
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+    verbs:
+      - create
+      - get
+      - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: submit-workflow-template
+rules:
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - workfloweventbindings
+    verbs:
+      - list
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - workflowtemplates
+    verbs:
+      - get
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - workflows
+    verbs:
+      - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    workflows.argoproj.io/description: |
+      This is an example of the permissions you would need if you wanted to use a resource template to create and manage
+      other workflows. The same pattern would be suitable for other resurces, e.g. a service
+  name: workflow-manager
+rules:
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - workflows
+    verbs:
+      - create
+      - get

infrastructures/argo-workflows/base/secret.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    kubernetes.io/service-account.name: default
+  name: default.service-account-token
+type: kubernetes.io/service-account-token
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    kubernetes.io/service-account.name: github.com
+  name: github.com.service-account-token
+type: kubernetes.io/service-account-token

infrastructures/argo-workflows/base/service-account.yaml

@@ -0,0 +1,17 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: argo
+  namespace: argo
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: argo-server
+  namespace: argo
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: github.com

infrastructures/argo-workflows/base/service.yaml

@@ -0,0 +1,32 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    metallb.universe.tf/address-pool: k3s-cluster-ip-pool
+    metallb.universe.tf/allow-shared-ip: k3s-cluster
+  name: argo-server
+  namespace: argo
+spec:
+  type: LoadBalancer
+  ports:
+    - name: web
+      port: 2746
+      targetPort: 2746
+  selector:
+    app: argo-server
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: httpbin
+  name: httpbin
+spec:
+  ports:
+    - name: api
+      port: 9100
+      protocol: TCP
+      targetPort: 80
+  selector:
+    app: httpbin

infrastructures/argo-workflows/env/k3s-cluster/config.json

@@ -0,0 +1,14 @@
+{
+  "appName": "argo-workflows",
+  "userGivenName": "argo-workflows",
+  "namespace": "argo",
+  "destNamespace": "argo",
+  "destServer": "https://kubernetes.default.svc",
+  "srcPath": "infrastructures/argo-workflows/env/k3s-cluster",
+  "srcRepoURL": "https://github.com/3dwardch3ng/home-cluster-ops.git",
+  "srcTargetRevision": "",
+  "labels": null,
+  "annotations": {
+    "argo-workflows.argoproj.io/release-version": "v3.5.10"
+  }
+}

infrastructures/argo-workflows/env/k3s-cluster/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../../base

infrastructures/cert-manager-clusterissuer/base/clusterissuer-cloudflare.yaml

@@ -0,0 +1,23 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: clusterissuer
+  namespace: cert-manager
+spec:
+  acme:
+    email: "edward@cheng.sydney"
+    server: https://acme-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: cluster-issuer-account-key
+    solvers:
+      - dns01:
+          cloudflare:
+            email: "edward@cheng.sydney"
+            apiTokenSecretRef:
+              name: clusterissuer-secrets
+              namespace: cert-manager
+              key: cloudflare_api_token
+        selector:
+          dnsNames:
+            - "cluster.edward.sydney"
+            - "*.cluster.edward.sydney"

infrastructures/cert-manager-clusterissuer/base/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - clusterissuer-cloudflare.yaml

infrastructures/cert-manager-clusterissuer/env/k3s-cluster/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../../base

infrastructures/cert-manager/base/kustomization.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+helmCharts:
+  - name: cert-manager
+    repo: https://charts.jetstack.io
+    version: v1.15.3
+    releaseName: cert-manager
+    valuesFile: values.yaml

infrastructures/cert-manager/base/values.yaml

@@ -0,0 +1,4 @@
+global:
+  priorityClassName: system-cluster-critical
+namespace: cert-manager
+installCRDs: true

infrastructures/cert-manager/env/k3s-cluster/config.json

@@ -0,0 +1,12 @@
+{
+  "appName": "cert-manager",
+  "userGivenName": "cert-manager",
+  "namespace": "cert-manager",
+  "destNamespace": "cert-manager",
+  "destServer": "https://kubernetes.default.svc",
+  "srcPath": "infrastructures/cert-manager/env/k3s-cluster",
+  "srcRepoURL": "https://github.com/3dwardch3ng/home-cluster-ops.git",
+  "srcTargetRevision": "",
+  "labels": null,
+  "annotations": null
+}

infrastructures/cert-manager/env/k3s-cluster/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../../base

infrastructures/gpu-device-plugin/base/kustomization.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+helmCharts:
+  - name: intel-device-plugins-gpu
+    repo: https://intel.github.io/helm-charts/
+    version: 0.30.0
+    releaseName: intel-device-plugins-gpu
+    valuesFile: values.yaml

infrastructures/gpu-device-plugin/base/values.yaml

@@ -0,0 +1,14 @@
+name: gpu-device-plugin
+
+image:
+  hub: intel
+
+sharedDevNum: 10
+logLevel: 2
+resourceManager: true
+enableMonitoring: false
+
+nodeSelector:
+  kubernetes.io/arch: amd64
+
+nodeFeatureRule: true

infrastructures/gpu-device-plugin/env/k3s-cluster/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../../base

infrastructures/ingress-nginx/base/kustomization.yaml

@@ -3,6 +3,6 @@ kind: Kustomization
 helmCharts:
   - name: ingress-nginx
     repo: https://kubernetes.github.io/ingress-nginx
-    version: 4.10.1
+    version: 4.11.2
     releaseName: ingress-nginx
     valuesFile: values.yaml

infrastructures/ingress-nginx/base/values.yaml

@@ -3,3 +3,71 @@ rbac:
 
 controller:
   priorityClassName: system-cluster-critical
+
+  extraArgs:
+    update-status-on-shutdown: "false"
+
+  allowSnippetAnnotations: true
+
+  config:
+    proxy-buffer-size: 16k
+    use-gzip: true
+    enable-brotli: true
+    hsts-max-age: 31536000
+    hsts-preload: true
+    disable-ipv6: true
+    disable-ipv6-dns: true
+    keep-alive-requests: 1000
+    use-geoip2: false
+    custom-http-errors: 401,403,404,500,501,502,503,504
+
+  extraEnvs:
+    - name: TZ
+      value: Australia/Sydney
+
+  addHeaders:
+    Referrer-Policy: same-origin, strict-origin-when-cross-origin
+    X-Content-Type-Options: nosniff
+    X-Frame-Options: SAMEORIGIN
+    X-XSS-Protection: 1; mode=block
+
+  ingressClassResource:
+    default: true
+
+  service:
+    externalTrafficPolicy: Cluster
+    ipFamilyPolicy: SingleStack
+
+  metrics:
+    enabled: ${metrics_enabled:=false}
+  #        serviceMonitor:
+  #          enabled: ${metrics_enabled:=false}
+  #          scrapeInterval: 1m
+
+  spec:
+    template:
+      spec:
+        containers:
+          volumeMounts:
+            - mountPath: /etc/nginx/template
+              name: nginx-template-volume
+              readOnly: true
+        volumes:
+          - name: nginx-template-volume
+            hostPath:
+              path: /mnt/nfs/AppData/ingress-nginx/etc/nginx/template
+              type: Directory
+
+defaultBackend:
+  enabled: true
+  image:
+    repository: ghcr.io/tarampampam/error-pages
+    tag: 3.3.0@sha256:43c9917e99ac1bb4df3c4e037327637e502e2ab4c3d84803b223d5b7db6d4cd7
+    pullPolicy: IfNotPresent
+  extraEnvs:
+    - name: TEMPLATE_NAME
+      value: connection
+    - name: SHOW_DETAILS
+      value: "true"
+    - name: READ_BUFFER_SIZE
+      value: "8192"