infrastructure/kustomization.yaml

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
# Core infrastructure
- providers.yaml
- provider-configs.yaml
- namespaces.yaml
- external-dns.yaml
- ambassador-listeners.yaml

# Certificate management
- cert-manager/

# Authentication system
- auth/
- keycloak-config.yaml

# Secret management
- sealed-secrets.yaml

# Applications
- forgejo-k8s.yaml
- pomerium-allinone.yaml
- pomerium-dns.yaml
- vaultwarden.yaml
- keycloak-nge6-dns.yaml

# Argo Workflows
- argo-workflows/

# Exclude problematic directories:
# - flux/ (managed by Flux itself)
# - pomerium/ (Helm chart)
# - gitea/ (legacy, replaced by forgejo)
# - bin/ (binaries)
# - cookies.txt, DEPLOYMENT.md (not Kubernetes manifests)
Add Kustomization config to exclude problematic directories from GitOps 2025-09-26 00:51:52 +00:00			`apiVersion: kustomize.config.k8s.io/v1beta1`
			`kind: Kustomization`

			`resources:`
Add core infrastructure to GitOps: providers, external-dns - providers.yaml: Crossplane provider installations - provider-configs.yaml: Provider authentication configs - external-dns.yaml: Automatic DNS record management Testing batch deployment before adding more components. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-09-27 17:00:23 +00:00			`# Core infrastructure`
			`- providers.yaml`
			`- provider-configs.yaml`
Complete GitOps infrastructure setup Added to kustomization.yaml: - namespaces.yaml: Centralized namespace management - auth/: Keycloak authentication system - keycloak-config.yaml: Identity provider configuration - sealed-secrets.yaml: Secret encryption system Fixed namespace conflicts: - Removed duplicate pomerium-namespace from pomerium.yaml - Removed duplicate external-dns-namespace from external-dns.yaml - All namespaces now managed centrally via namespaces.yaml Now managing 72 Kubernetes resources via GitOps: ✅ Infrastructure: Crossplane providers, external-dns ✅ Certificates: cert-manager, Let's Encrypt, Gandi webhook ✅ Authentication: Keycloak, RBAC configs ✅ Applications: Forgejo, Pomerium, Vaultwarden ✅ Security: Sealed secrets, proper RBAC 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-09-28 06:43:00 +00:00			`- namespaces.yaml`
Add core infrastructure to GitOps: providers, external-dns - providers.yaml: Crossplane provider installations - provider-configs.yaml: Provider authentication configs - external-dns.yaml: Automatic DNS record management Testing batch deployment before adding more components. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-09-27 17:00:23 +00:00			`- external-dns.yaml`
Add Argo Workflows, mTLS container registry, and fix infrastructure - Move Keycloak off Helm to plain Crossplane Object manifests (PostgreSQL + Keycloak deployment) - Add Vaultwarden SSO/OIDC config with Keycloak, fix Recreate deployment strategy for RWO volumes - Switch routing from Helm-based Pomerium to pomerium-allinone with all service routes - Deploy Argo Workflows (controller, server, CRDs, RBAC) with KEDA queue-depth autoscaling - Add Civo cluster autoscaler with pool-scaler for zero-to-one scale-up via Civo API - Add node-labeler to auto-tag nodes by pool membership for nodeSelector scheduling - Set up mTLS container registry at registry.nge6.com (Forgejo built-in, client cert required) - Add internal registry route (registry-internal.nge6.com) for in-cluster image pulls - Fix DNS records for new Emissary LB IP (212.2.241.28) - Fix CoreDNS crash from invalid custom config - Fix Emissary apiext expired webhook CA certificate Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-08 01:23:12 +00:00			`- ambassador-listeners.yaml`
Add core infrastructure to GitOps: providers, external-dns - providers.yaml: Crossplane provider installations - provider-configs.yaml: Provider authentication configs - external-dns.yaml: Automatic DNS record management Testing batch deployment before adding more components. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-09-27 17:00:23 +00:00
Add cert-manager to GitOps infrastructure - Includes Gandi webhook for DNS-01 challenges - ClusterIssuers for Let's Encrypt certificates - RBAC configurations for cert-manager components Second batch deployment - cert infrastructure now managed via GitOps. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-09-28 06:37:45 +00:00			`# Certificate management`
			`- cert-manager/`

Complete GitOps infrastructure setup Added to kustomization.yaml: - namespaces.yaml: Centralized namespace management - auth/: Keycloak authentication system - keycloak-config.yaml: Identity provider configuration - sealed-secrets.yaml: Secret encryption system Fixed namespace conflicts: - Removed duplicate pomerium-namespace from pomerium.yaml - Removed duplicate external-dns-namespace from external-dns.yaml - All namespaces now managed centrally via namespaces.yaml Now managing 72 Kubernetes resources via GitOps: ✅ Infrastructure: Crossplane providers, external-dns ✅ Certificates: cert-manager, Let's Encrypt, Gandi webhook ✅ Authentication: Keycloak, RBAC configs ✅ Applications: Forgejo, Pomerium, Vaultwarden ✅ Security: Sealed secrets, proper RBAC 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-09-28 06:43:00 +00:00			`# Authentication system`
			`- auth/`
			`- keycloak-config.yaml`

			`# Secret management`
			`- sealed-secrets.yaml`

Add core infrastructure to GitOps: providers, external-dns - providers.yaml: Crossplane provider installations - provider-configs.yaml: Provider authentication configs - external-dns.yaml: Automatic DNS record management Testing batch deployment before adding more components. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-09-27 17:00:23 +00:00			`# Applications`
Add Kustomization config to exclude problematic directories from GitOps 2025-09-26 00:51:52 +00:00			`- forgejo-k8s.yaml`
Add Argo Workflows, mTLS container registry, and fix infrastructure - Move Keycloak off Helm to plain Crossplane Object manifests (PostgreSQL + Keycloak deployment) - Add Vaultwarden SSO/OIDC config with Keycloak, fix Recreate deployment strategy for RWO volumes - Switch routing from Helm-based Pomerium to pomerium-allinone with all service routes - Deploy Argo Workflows (controller, server, CRDs, RBAC) with KEDA queue-depth autoscaling - Add Civo cluster autoscaler with pool-scaler for zero-to-one scale-up via Civo API - Add node-labeler to auto-tag nodes by pool membership for nodeSelector scheduling - Set up mTLS container registry at registry.nge6.com (Forgejo built-in, client cert required) - Add internal registry route (registry-internal.nge6.com) for in-cluster image pulls - Fix DNS records for new Emissary LB IP (212.2.241.28) - Fix CoreDNS crash from invalid custom config - Fix Emissary apiext expired webhook CA certificate Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-08 01:23:12 +00:00			`- pomerium-allinone.yaml`
			`- pomerium-dns.yaml`
Add Vaultwarden to GitOps infrastructure 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-09-27 04:05:25 +00:00			`- vaultwarden.yaml`
Add Argo Workflows, mTLS container registry, and fix infrastructure - Move Keycloak off Helm to plain Crossplane Object manifests (PostgreSQL + Keycloak deployment) - Add Vaultwarden SSO/OIDC config with Keycloak, fix Recreate deployment strategy for RWO volumes - Switch routing from Helm-based Pomerium to pomerium-allinone with all service routes - Deploy Argo Workflows (controller, server, CRDs, RBAC) with KEDA queue-depth autoscaling - Add Civo cluster autoscaler with pool-scaler for zero-to-one scale-up via Civo API - Add node-labeler to auto-tag nodes by pool membership for nodeSelector scheduling - Set up mTLS container registry at registry.nge6.com (Forgejo built-in, client cert required) - Add internal registry route (registry-internal.nge6.com) for in-cluster image pulls - Fix DNS records for new Emissary LB IP (212.2.241.28) - Fix CoreDNS crash from invalid custom config - Fix Emissary apiext expired webhook CA certificate Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-08 01:23:12 +00:00			`- keycloak-nge6-dns.yaml`

			`# Argo Workflows`
			`- argo-workflows/`
Add Kustomization config to exclude problematic directories from GitOps 2025-09-26 00:51:52 +00:00
			`# Exclude problematic directories:`
			`# - flux/ (managed by Flux itself)`
			`# - pomerium/ (Helm chart)`
			`# - gitea/ (legacy, replaced by forgejo)`
			`# - bin/ (binaries)`
			`# - cookies.txt, DEPLOYMENT.md (not Kubernetes manifests)`