feat: Commit initial

kubernetes/flux-system/README.md

@@ -0,0 +1,43 @@
+# FluxCD System Configuration
+
+This directory contains FluxCD configuration for GitOps.
+
+## Setup
+
+1. **Install FluxCD** (done automatically by Ansible):
+   ```bash
+   flux install --namespace=flux-system
+   ```
+
+2. **Create Forgejo credentials secret**:
+   ```bash
+   kubectl create secret generic forgejo-credentials \
+     --namespace=flux-system \
+     --from-literal=username=git \
+     --from-literal=password=YOUR_FORGEJO_TOKEN
+   ```
+
+3. **Update GitRepository URL** in `gotk-sync.yaml`:
+   ```yaml
+   url: https://forgejo.your-domain.com/your-org/infra.git
+   ```
+
+4. **Apply FluxCD configuration**:
+   ```bash
+   kubectl apply -k kubernetes/flux-system/
+   ```
+
+## Monitoring
+
+Check FluxCD status:
+```bash
+flux get sources git
+flux get kustomizations
+flux logs
+```
+
+Force reconciliation:
+```bash
+flux reconcile source git infra-repo
+flux reconcile kustomization apps --with-source
+```

kubernetes/flux-system/gotk-sync.yaml

@@ -0,0 +1,59 @@
+---
+# GitRepository resource - tells FluxCD where to find the Git repo
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: GitRepository
+metadata:
+  name: infra-repo
+  namespace: flux-system
+spec:
+  interval: 1m  # Poll Git every 1 minute
+  url: ssh://git@forgejo.tellserv.fr:222/Tellsanguis/infra.git
+  ref:
+    branch: main
+  secretRef:
+    name: forgejo-credentials
+  ignore: |
+    # Ignore files that don't need to trigger reconciliation
+    /*.md
+    /terraform/
+    /ansible/
+    /.forgejo/
+
+---
+# Kustomization resource - tells FluxCD what to deploy
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: apps
+  namespace: flux-system
+spec:
+  interval: 5m  # Reconcile every 5 minutes
+  path: ./kubernetes/apps
+  prune: true  # Remove resources deleted from Git
+  sourceRef:
+    kind: GitRepository
+    name: infra-repo
+  timeout: 3m
+  wait: true
+  healthChecks:
+    - apiVersion: apps/v1
+      kind: Deployment
+      namespace: default
+      name: '*'
+
+---
+# Kustomization for infrastructure components
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: infrastructure
+  namespace: flux-system
+spec:
+  interval: 10m
+  path: ./kubernetes/infrastructure
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: infra-repo
+  timeout: 5m
+  wait: true

kubernetes/flux-system/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - gotk-sync.yaml
+  - secret-forgejo.yaml

kubernetes/flux-system/secret-forgejo.yaml

@@ -0,0 +1,22 @@
+---
+# Secret for Forgejo authentication
+# IMPORTANT: This file should contain a sealed secret or be created manually
+# Never commit actual credentials to Git!
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: forgejo-credentials
+  namespace: flux-system
+type: Opaque
+stringData:
+  # Create this secret manually with:
+  # kubectl create secret generic forgejo-credentials \
+  #   --namespace=flux-system \
+  #   --from-literal=username=git \
+  #   --from-literal=password=YOUR_FORGEJO_TOKEN
+
+  # For this example, we use a placeholder
+  # REPLACE THIS IN PRODUCTION with sealed-secrets or external-secrets
+  username: git
+  password: REPLACE_WITH_FORGEJO_TOKEN