# gitops/ — Flux source of truth (dev)
This tree is the GitOps source Flux reconciles into the local `atreonova-dev` k3s cluster (GOAL Stage 3). It is published, not consumed in place: the authoritative copy lives here in `atreonova-infra` (reviewable, in PRs), and `make flux-seed` mirrors it into the public test repo `git.thenets.org/luiz/flux-example`, which Flux pulls over anonymous HTTPS.
```text
clusters/dev/
  infrastructure/        # platform layer — reconciled FIRST
    istio/               # ambient: base -> cni -> istiod -> ztunnel -> gateway
    spire/               # standalone SPIRE identity provider: spire-crds -> spire
  apps/                  # workloads — reconciled AFTER infrastructure is Ready
    hello-world/         # stock nginx, in the ambient mesh, exposed via an istio Gateway
    spiffe-demo/         # stock spire-agent, pulls an X.509-SVID from the SPIFFE Workload API
    atreonova-postgres/  # shared postgres:16-alpine (NOT meshed); per-instance role+DB isolation
    atreonova-a/         # atreonova instance A (meshed), DB instance_a, host atreonova-a.local
    atreonova-b/         # atreonova instance B (meshed), DB instance_b, host atreonova-b.local
```
The atreonova app's Secrets (the `regcred` pull secret + `atreonova-db-creds`) are created out-of-git by `make atreonova-secrets` and referenced by name only — this tree is public, so no secret values are committed. Run that target before reconciling `apps`.
The in-cluster Flux objects live in `../k8s/flux/`:

- `GitRepository` — the source above.
- `Kustomization/infrastructure` (wait) and `Kustomization/apps` (dependsOn: infrastructure) — this is the Stage 3b/3c ordering: istio (ambient) and SPIRE come up fully before any app deploys, so the istio CRDs exist and ztunnel is ready to capture the app's pods, and the `ClusterSPIFFEID` CRD + SPIRE controller-manager exist before `spiffe-demo` reconciles.
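As an added illustration (not the repo's own `../k8s/flux/` manifests), this is what the three Flux objects described above look like when written out, showing how `wait: true` on `infrastructure` plus `dependsOn` on `apps` enforces the ordering. The `flux-system` namespace, the `main` branch, the `flux-example` object name, the intervals and the `path` values are assumptions.

```yaml
# Added example, not the project's own files. Assumed: namespace flux-system,
# branch main, 10m interval, paths matching the clusters/dev/ tree above.
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
  name: flux-example
  namespace: flux-system
spec:
  interval: 10m
  url: https://git.thenets.org/luiz/flux-example  # public mirror, anonymous HTTPS: no secretRef
  ref:
    branch: main  # assumed
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: infrastructure
  namespace: flux-system
spec:
  interval: 10m
  sourceRef:
    kind: GitRepository
    name: flux-example
  path: ./clusters/dev/infrastructure  # assumed path in the mirror
  prune: true
  wait: true    # Kustomization stays NotReady until istio and SPIRE workloads report Ready
  timeout: 5m
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: apps
  namespace: flux-system
spec:
  interval: 10m
  sourceRef:
    kind: GitRepository
    name: flux-example
  path: ./clusters/dev/apps  # assumed path in the mirror
  prune: true
  dependsOn:
    - name: infrastructure  # nothing under apps/ is applied until infrastructure is Ready
```

Without `wait: true` on `infrastructure`, `dependsOn` would only guarantee that the istio and SPIRE manifests were applied, not that ztunnel and the SPIRE controller-manager were actually running when the app pods and `ClusterSPIFFEID` objects arrived.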
Loop: edit here → `make flux-seed` → `flux reconcile kustomization apps --with-source` (or wait for the interval) → change is live. No `kubectl apply`.