init

2024-05-22 12:49:28 -05:00
commit 35b77bb0df
219 changed files with 9997 additions and 0 deletions
--- a/clusters/cl01tl/deployment/argo-rollouts/Chart.yaml
+++ b/clusters/cl01tl/deployment/argo-rollouts/Chart.yaml
@@ -0,0 +1,11 @@
+apiVersion: v2
+name: argo-rollouts
+version: 1.0.0
+sources:
+  - https://github.com/argoproj/argo-rollouts
+  - https://github.com/argoproj/argo-helm/tree/main/charts
+dependencies:
+  - name: argo-rollouts
+    version: 2.35.2
+    repository: https://argoproj.github.io/argo-helm
+appVersion: v1.6.6
--- a/clusters/cl01tl/deployment/argo-rollouts/values.yaml
+++ b/clusters/cl01tl/deployment/argo-rollouts/values.yaml
@@ -0,0 +1,45 @@
+argo-rollouts:
+  controller:
+    metrics:
+      enabled: true
+      serviceMonitor:
+        enabled: true
+        namespace: argocd
+  dashboard:
+    enabled: true
+    ingress:
+      enabled: true
+      annotations:
+        traefik.ingress.kubernetes.io/router.entrypoints: websecure
+        traefik.ingress.kubernetes.io/router.tls: "true"
+        cert-manager.io/cluster-issuer: letsencrypt-issuer
+      ingressClassName: traefik
+      hosts:
+        - argo-rollouts.alexlebens.net
+      tls:
+        - secretName: argo-rollouts-secret-tls
+          hosts:
+            - argo-rollouts.alexlebens.net
+
+  notifications:
+    notifiers: {}
+      # service.slack: |
+      #   token: $slack-token
+
+    # -- Notification templates
+    templates: {}
+      # template.my-purple-template: |
+      #   message: |
+      #     Rollout {{.rollout.metadata.name}} has purple image
+      #   slack:
+      #       attachments: |
+      #           [{
+      #             "title": "{{ .rollout.metadata.name}}",
+      #             "color": "#800080"
+      #           }]
+
+    # -- The trigger defines the condition when the notification should be sent
+    triggers: {}
+      # trigger.on-purple: |
+      #   - send: [my-purple-template]
+      #     when: rollout.spec.template.spec.containers[0].image == 'argoproj/rollouts-demo:purple'
--- a/clusters/cl01tl/deployment/argo-workflows/Chart.yaml
+++ b/clusters/cl01tl/deployment/argo-workflows/Chart.yaml
@@ -0,0 +1,20 @@
+apiVersion: v2
+name: argo-workflows
+version: 1.0.0
+sources:
+  - https://github.com/argoproj/argo-workflows
+  - https://github.com/argoproj/argo-events
+  - https://github.com/argoproj/argo-helm/tree/main/charts
+  - https://github.com/alexlebens/helm-charts/charts/postgres-cluster
+dependencies:
+  - name: argo-workflows
+    version: 0.41.4
+    repository: https://argoproj.github.io/argo-helm
+  - name: argo-events
+    version: 2.4.4
+    repository: https://argoproj.github.io/argo-helm
+  - name: postgres-cluster
+    alias: postgres-16-cluster
+    version: 3.0.0
+    repository: http://alexlebens.github.io/helm-charts
+appVersion: v3.5.6
--- a/clusters/cl01tl/deployment/argo-workflows/templates/external-secret.yaml
+++ b/clusters/cl01tl/deployment/argo-workflows/templates/external-secret.yaml
@@ -0,0 +1,62 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: argo-workflows-oidc-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: argo-workflows-oidc-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: secret
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /authentik/oidc/argo-workflows
+        metadataPolicy: None
+        property: secret
+    - secretKey: client
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /authentik/oidc/argo-workflows
+        metadataPolicy: None
+        property: client
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: argo-workflows-postgresql-16-cluster-backup-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: argo-workflows-postgresql-16-cluster-backup-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: database
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /aws/keys/cl01tl-argo-workflows-postgresql
+        metadataPolicy: None
+        property: access_key
+    - secretKey: ACCESS_SECRET_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /aws/keys/cl01tl-argo-workflows-postgresql
+        metadataPolicy: None
+        property: secret_key
--- a/clusters/cl01tl/deployment/argo-workflows/values.yaml
+++ b/clusters/cl01tl/deployment/argo-workflows/values.yaml
@@ -0,0 +1,121 @@
+argo-workflows:
+  controller:
+    metricsConfig:
+      enabled: true
+    persistence:
+      connectionPool:
+        maxIdleConns: 100
+        maxOpenConns: 0
+      nodeStatusOffLoad: true
+      archive: true
+      postgresql:
+        host: argo-workflows-postgresql-16-cluster-rw
+        port: 5432
+        database: app
+        tableName: app
+        userNameSecret:
+          name: argo-workflows-postgresql-16-cluster-app
+          key: username
+        passwordSecret:
+          name: argo-workflows-postgresql-16-cluster-app
+          key: password
+        ssl: false
+        sslMode: disable
+    workflowWorkers: 2
+    workflowTTLWorkers: 1
+    podCleanupWorkers: 1
+    cronWorkflowWorkers: 1
+    telemetryConfig:
+      enabled: true
+    serviceMonitor:
+      enabled: true
+    name: workflow-controller
+    workflowNamespaces:
+      - argocd
+  server:
+    authModes:
+      - sso
+    ingress:
+      enabled: true
+      annotations:
+        traefik.ingress.kubernetes.io/router.entrypoints: websecure
+        traefik.ingress.kubernetes.io/router.tls: "true"
+        cert-manager.io/cluster-issuer: letsencrypt-issuer
+      ingressClassName: traefik
+      hosts:
+        - argo-workflows.alexlebens.net
+      tls:
+        - secretName: argoworkflows-example-tls
+          hosts:
+            - argo-workflows.alexlebens.net
+    sso:
+      enabled: true
+      issuer: https://authentik.alexlebens.net/application/o/argo-workflows/
+      clientId:
+        name: argo-workflows-oidc-secret
+        key: client
+      clientSecret:
+        name: argo-workflows-oidc-secret
+        key: secret
+      redirectUrl: https://argo-workflows.alexlebens.net/oauth2/callback
+      rbac:
+        enabled: false
+      scopes:
+        - openid
+        - email
+        - profile
+  useStaticCredentials: true
+  artifactRepository:
+    archiveLogs: false
+    s3: {}
+      # accessKeySecret:
+      #   name: "{{ .Release.Name }}-minio"
+      #   key: accesskey
+      # secretKeySecret:
+      #   name: "{{ .Release.Name }}-minio"
+      #   key: secretkey
+      # insecure: true
+      # bucket:
+      # endpoint:
+      # region:
+      # encryptionOptions:
+      #   enableEncryption: true
+
+argo-events:
+  global:
+    image:
+      repository: quay.io/argoproj/argo-events
+      tag: v1.9.1
+  controller:
+    resources:
+      limits:
+        cpu: 500m
+        memory: 512Mi
+      requests:
+        cpu: 250m
+        memory: 256Mi
+    metrics:
+      enabled: true
+      serviceMonitor:
+        enabled: true
+        namespace: argocd
+  webhook:
+    enabled: true
+postgres-16-cluster:
+  mode: standalone
+  cluster:
+    walStorage:
+      storageClass: local-path
+    storage:
+      storageClass: local-path
+    monitoring:
+      enabled: true
+      prometheusRule:
+        enabled: true
+  backup:
+    enabled: true
+    endpointURL: https://s3.us-east-2.amazonaws.com
+    destinationPath: s3://cl01tl-postgresql-backups/argo-workflows
+    endpointCredentials: argo-workflows-postgresql-16-cluster-backup-secret
+    backupIndex: 1
+    retentionPolicy: 14d
--- a/clusters/cl01tl/deployment/argocd/Chart.yaml
+++ b/clusters/cl01tl/deployment/argocd/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v2
+name: argocd
+version: 0.1.0
+home: https://outline.alexlebens.net/doc/argo-cd-qLEdrgdwOD
+sources:
+  - https://github.com/argoproj/argo-cd
+  - https://github.com/argoproj/argo-helm/tree/main/charts/argo-cd
+dependencies:
+  - name: argo-cd
+    version: 6.9.3
+    repository: https://argoproj.github.io/argo-helm
+appVersion: v2.10.8
--- a/clusters/cl01tl/deployment/argocd/templates/external-secret.yaml
+++ b/clusters/cl01tl/deployment/argocd/templates/external-secret.yaml
@@ -0,0 +1,110 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: argocd-oidc-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: "{{ .Release.Name }}-server"
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: server
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: secret
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /authentik/oidc/argocd
+        metadataPolicy: None
+        property: secret
+    - secretKey: client
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /authentik/oidc/argocd
+        metadataPolicy: None
+        property: client
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: argocd-cluster-cl02do-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: "{{ .Release.Name }}-server"
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: server
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+    argocd.argoproj.io/secret-type: cluster
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: name
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /argocd/credentials/cluster/cl02do
+        metadataPolicy: None
+        property: name
+    - secretKey: server
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /argocd/credentials/cluster/cl02do
+        metadataPolicy: None
+        property: server
+    - secretKey: config
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /argocd/credentials/cluster/cl02do
+        metadataPolicy: None
+        property: config
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: argocd-repo-alexlebens-dev-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: "{{ .Release.Name }}-server"
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: server
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+    argocd.argoproj.io/secret-type: repository
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: type
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /argocd/credentials/repo/alexlebens-dev
+        metadataPolicy: None
+        property: type
+    - secretKey: url
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /argocd/credentials/repo/alexlebens-dev
+        metadataPolicy: None
+        property: url
+    - secretKey: sshPrivateKey
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /argocd/credentials/repo/alexlebens-dev
+        metadataPolicy: None
+        property: sshPrivateKey
--- a/clusters/cl01tl/deployment/argocd/values.yaml
+++ b/clusters/cl01tl/deployment/argocd/values.yaml
@@ -0,0 +1,66 @@
+argo-cd:
+  crds:
+    install: true
+  configs:
+    cm:
+      admin.enabled: true
+      url: https://argocd.alexlebens.net
+      statusbadge.enabled: true
+      dex.config: |
+        connectors:
+        - config:
+            issuer: https://authentik.alexlebens.net/application/o/argocd/
+            clientID: $argocd-oidc-secret:client
+            clientSecret: $argocd-oidc-secret:secret
+            insecureEnableGroups: true
+            scopes:
+              - openid
+              - profile
+              - email
+              - groups
+          name: authentik
+          type: oidc
+          id: authentik
+    rbac:
+      policy.csv: |
+        g, ArgoCD Admins, role:admin
+    params:
+      server.insecure: true
+  server:
+    replicas: 2
+    ingress:
+      enabled: true
+      controller: generic
+      ingressClassName: traefik
+      annotations:
+        traefik.ingress.kubernetes.io/router.entrypoints: websecure
+        traefik.ingress.kubernetes.io/router.tls: "true"
+        cert-manager.io/cluster-issuer: letsencrypt-issuer
+      hostname: argocd.alexlebens.net
+      tls: true
+    metrics:
+      enabled: true
+      serviceMonitor:
+        enabled: true
+  dex:
+    enabled: true
+  redis-ha:
+    enabled: true
+  controller:
+    replicas: 1
+    metrics:
+      enabled: true
+      serviceMonitor:
+        enabled: true
+  repoServer:
+    replicas: 2
+    metrics:
+      enabled: true
+      serviceMonitor:
+        enabled: true
+  applicationSet:
+    replicas: 2
+    metrics:
+      enabled: true
+      serviceMonitor:
+        enabled: true
--- a/clusters/cl01tl/deployment/kargo/Chart.yaml
+++ b/clusters/cl01tl/deployment/kargo/Chart.yaml
@@ -0,0 +1,11 @@
+apiVersion: v2
+name: kargo
+version: 1.0.0
+sources:
+  - https://github.com/akuity/kargo
+  - https://github.com/akuity/kargo/blob/main/charts/kargo/Chart.yaml
+dependencies:
+  - name: kargo
+    version: 0.6.0
+    repository: oci://ghcr.io/akuity/kargo-charts
+appVersion: v0.5.1
--- a/clusters/cl01tl/deployment/kargo/templates/external-secret.yaml
+++ b/clusters/cl01tl/deployment/kargo/templates/external-secret.yaml
@@ -0,0 +1,56 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: kargo-oidc-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: kargo-oidc-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: CLIENT_SECRET
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /authentik/oidc/kargo
+        metadataPolicy: None
+        property: secret
+    - secretKey: CLIENT_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /authentik/oidc/kargo
+        metadataPolicy: None
+        property: client
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: kargo-cluster-cl02do-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: kargo-cluster-cl02do-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+    argocd.argoproj.io/secret-type: cluster
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: kubeconfig
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /argocd/credentials/cluster/cl02do
+        metadataPolicy: None
+        property: kubeconfig
--- a/clusters/cl01tl/deployment/kargo/values.yaml
+++ b/clusters/cl01tl/deployment/kargo/values.yaml
@@ -0,0 +1,120 @@
+kargo:
+  api:
+    host: kargo.alexlebens.net
+    resources:
+      limits:
+        cpu: 100m
+        memory: 128Mi
+      requests:
+        cpu: 100m
+        memory: 128Mi
+    tls:
+      enabled: false
+    ingress:
+      enabled: true
+      annotations:
+        traefik.ingress.kubernetes.io/router.entrypoints: websecure
+        traefik.ingress.kubernetes.io/router.tls: "true"
+        cert-manager.io/cluster-issuer: letsencrypt-issuer
+      ingressClassName: traefik
+      tls:
+        enabled: true
+        selfSignedCert: false
+    adminAccount:
+      enabled: false
+    oidc:
+      enabled: true
+      admins:
+        groups: ["ArgoCD Admins"]
+      dex:
+        enabled: true
+        image:
+          repository: ghcr.io/dexidp/dex
+          tag: v2.39.1
+        env:
+          - name: CLIENT_ID
+            valueFrom:
+              secretKeyRef:
+                name: kargo-oidc-secret
+                key: CLIENT_ID
+          - name: CLIENT_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: kargo-oidc-secret
+                key: CLIENT_SECRET            
+        tls:
+          selfSignedCert: false
+        skipApprovalScreen: true
+        connectors:
+          - type: oidc
+            id: authentik
+            name: Authentik
+            config:
+              issuer: https://authentik.alexlebens.net/application/o/kargo/
+              clientID: "$CLIENT_ID"
+              clientSecret: "$CLIENT_SECRET"
+              redirectURI: https://kargo.alexlebens.net/dex/callback
+              insecureEnableGroups: true
+              scopes:
+                - openid
+                - profile
+                - email
+                - groups
+        resources:
+          limits:
+            cpu: 100m
+            memory: 128Mi
+          requests:
+            cpu: 100m
+            memory: 128Mi
+    argocd:
+      urls:
+        "": https://argocd.alexlebens.net
+    rollouts:
+      integrationEnabled: true
+  controller:
+    enabled: true
+    gitClient:
+      name: "Kargo cl01tl"
+      email: "alexanderlebens@gmail.com"
+    argocd:
+      integrationEnabled: true
+    rollouts:
+      integrationEnabled: true
+    resources:
+      limits:
+        cpu: 100m
+        memory: 128Mi
+      requests:
+        cpu: 100m
+        memory: 128Mi
+  managementController:
+    enabled: true
+    resources:
+      limits:
+        cpu: 100m
+        memory: 128Mi
+      requests:
+        cpu: 100m
+        memory: 128Mi
+  webhooks:
+    register: true
+  webhooksServer:
+    tls:
+      selfSignedCert: true
+    resources:
+      limits:
+        cpu: 100m
+        memory: 128Mi
+      requests:
+        cpu: 100m
+        memory: 128Mi
+  garbageCollector:
+    schedule: "0 * * * *"
+    resources:
+      limits:
+        cpu: 100m
+        memory: 128Mi
+      requests:
+        cpu: 100m
+        memory: 128Mi
--- a/clusters/cl01tl/deployment/stack/Chart.yaml
+++ b/clusters/cl01tl/deployment/stack/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+name: stack
+version: 1.0.0
+sources:
+  - https://github.com/alexlebens/alexlebens-net.git  
+appVersion: 1.0.0
--- a/clusters/cl01tl/deployment/stack/templates/application-set.yaml
+++ b/clusters/cl01tl/deployment/stack/templates/application-set.yaml
@@ -0,0 +1,55 @@
+{{- range $index, $stack := .Values.applicationSet }}
+---
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: {{ $stack.name }}
+  namespace: {{ $.Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ $stack.name }}
+    app.kubernetes.io/instance: {{ $stack.name }}
+    app.kubernetes.io/version: {{ $.Chart.AppVersion }}
+    app.kubernetes.io/component: {{ $stack.name }}
+    app.kubernetes.io/part-of: {{ $.Release.Name }}
+spec:
+  syncPolicy:
+    applicationsSync: create-only
+    preserveResourcesOnDeletion: true
+  generators:
+    - git:
+        repoURL: {{ $.Values.git.repo }}
+        revision: {{ $.Values.git.revision }}
+        directories:
+          - path: "{{ $.Values.git.path }}/{{ $stack.name }}/*"
+  template:
+    metadata:
+      name: '{{ `{{path.basename}}` }}'
+      finalizers:
+        - resources-finalizer.argocd.argoproj.io
+    spec:
+      destination:
+        name: in-cluster
+        namespace: '{{ $stack.namespace | default `{{path.basename}}` }}'
+      project: default
+      revisionHistoryLimit: 3
+      source:
+        repoURL: {{ $.Values.git.repo }}
+        targetRevision: {{ $.Values.git.revision }}
+        path: '{{ `{{path}}` }}'
+      ignoreDifferences:
+        {{- toYaml $stack.ignoreDifferences | nindent 8 }}          
+      syncPolicy:
+        {{- if $stack.syncPolicy.automated.enabled }}
+        automated:
+          prune: {{ $stack.syncPolicy.automated.prune | default false }}
+          selfHeal: {{ $stack.syncPolicy.automated.selfHeal | default false }}
+        {{- end }}
+        retry:
+          limit: 3
+          backoff:
+            duration: 1m
+            factor: 2
+            maxDuration: 15m
+        syncOptions:
+          {{- toYaml $stack.syncPolicy.syncOptions | nindent 10 }}
+{{- end }}
--- a/clusters/cl01tl/deployment/stack/templates/application.yaml
+++ b/clusters/cl01tl/deployment/stack/templates/application.yaml
@@ -0,0 +1,82 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: cilium
+  namespace: {{ .Release.Namespace }}
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: {{ .Values.application.cilium.source.repo }}
+    targetRevision: {{ .Values.application.cilium.source.revision }}
+    path: "{{ .Values.git.path }}/{{ .Values.application.cilium.source.path }}"
+  destination:
+    name: in-cluster
+    namespace: {{ .Values.application.cilium.namespace }}
+  revisionHistoryLimit: 3
+  syncPolicy:
+    {{- toYaml .Values.application.cilium.syncPolicy | nindent 4 }}
+
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: metrics-server
+  namespace: {{ .Release.Namespace }}
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: {{ .Values.application.metricsServer.source.repo }}
+    targetRevision: {{ .Values.application.metricsServer.source.revision }}
+    path: "{{ .Values.git.path }}/{{ .Values.application.metricsServer.source.path }}"
+  destination:
+    name: in-cluster
+    namespace: {{ .Values.application.metricsServer.namespace }}
+  revisionHistoryLimit: 3
+  syncPolicy:
+    {{- toYaml .Values.application.metricsServer.syncPolicy | nindent 4 }}
+
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: kubelet-serving-cert-approver
+  namespace: {{ .Release.Namespace }}
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: {{ .Values.application.kubeletServingCertApprover.source.repo }}
+    targetRevision: {{ .Values.application.kubeletServingCertApprover.source.revision }}
+    path: "{{ .Values.git.path }}/{{ .Values.application.kubeletServingCertApprover.source.path }}"
+  destination:
+    name: in-cluster
+    namespace: {{ .Values.application.kubeletServingCertApprover.namespace }}
+  revisionHistoryLimit: 3
+  syncPolicy:
+    {{- toYaml .Values.application.kubeletServingCertApprover.syncPolicy | nindent 4 }}
+
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: prometheus-operator-crds
+  namespace: {{ .Release.Namespace }}
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: {{ .Values.application.prometheusOperatorCrds.source.repo }}
+    targetRevision: {{ .Values.application.prometheusOperatorCrds.source.revision }}
+    path: "{{ .Values.git.path }}/{{ .Values.application.prometheusOperatorCrds.source.path }}"
+  destination:
+    name: in-cluster
+    namespace: {{ .Values.application.prometheusOperatorCrds.namespace }}
+  revisionHistoryLimit: 3
+  syncPolicy:
+    {{- toYaml .Values.application.prometheusOperatorCrds.syncPolicy | nindent 4 }}
--- a/clusters/cl01tl/deployment/stack/values.yaml
+++ b/clusters/cl01tl/deployment/stack/values.yaml
@@ -0,0 +1,148 @@
+git:
+  repo: git@github.com:alexlebens/alexlebens-net.git
+  revision: HEAD
+  path: clusters/cl01tl
+applicationSet:
+  - name: applications
+    syncPolicy:
+      automated:
+        enabled: true
+        prune: true
+        selfheal: false
+      syncOptions:
+        - CreateNamespace=true
+        - ApplyOutOfSyncOnly=true
+        - ServerSideApply=false
+        - PruneLast=true
+  - name: deployment
+    namespace: argocd
+    syncPolicy:
+      automated:
+        enabled: true
+        prune: true
+        selfheal: false
+      syncOptions:
+        - CreateNamespace=true
+        - ApplyOutOfSyncOnly=true
+        - ServerSideApply=false
+        - PruneLast=true
+  - name: platform
+    syncPolicy:
+      automated:
+        enabled: true
+        prune: true
+        selfheal: false
+      syncOptions:
+        - CreateNamespace=true
+        - ApplyOutOfSyncOnly=true
+        - ServerSideApply=true
+        - PruneLast=true
+  - name: services
+    ignoreDifferences:
+      - group: ""
+        kind: Service
+        jqPathExpressions:
+          - .status.loadBalancer.ingress[].ipMode      
+    syncPolicy:
+      automated:
+        enabled: true
+        prune: true
+        selfheal: false
+      syncOptions:
+        - CreateNamespace=true
+        - ApplyOutOfSyncOnly=true
+        - ServerSideApply=true
+        - PruneLast=true
+  - name: storage
+    syncPolicy:
+      automated:
+        enabled: true
+        prune: true
+        selfheal: false
+      syncOptions:
+        - CreateNamespace=true
+        - ApplyOutOfSyncOnly=true
+        - ServerSideApply=false
+        - PruneLast=true
+application:
+  cilium:
+    namespace: kube-system
+    source:
+      repo: git@github.com:alexlebens/alexlebens-net.git
+      revision: HEAD
+      path: standalone/cilium
+    syncPolicy:
+      retry:
+        limit: 10
+        backoff:
+          duration: 1m
+          factor: 2
+          maxDuration: 16m
+      syncOptions:
+        - CreateNamespace=false
+        - ApplyOutOfSyncOnly=true
+        - ServerSideApply=true
+        - PruneLast=true
+  metricsServer:
+    namespace: kube-system
+    source:
+      repo: git@github.com:alexlebens/alexlebens-net.git
+      revision: HEAD
+      path: standalone/metrics-server
+    syncPolicy:
+      automated:
+        prune: true
+        selfHeal: true
+      retry:
+        limit: 10
+        backoff:
+          duration: 1m
+          factor: 2
+          maxDuration: 16m
+      syncOptions:
+        - CreateNamespace=false
+        - ApplyOutOfSyncOnly=false
+        - ServerSideApply=true
+        - PruneLast=true
+  kubeletServingCertApprover:
+    namespace: kubelet-serving-cert-approver
+    source:
+      repo: git@github.com:alexlebens/alexlebens-net.git
+      revision: HEAD
+      path: standalone/kubelet-serving-cert-approver
+    syncPolicy:
+      automated:
+        prune: true
+        selfHeal: true
+      retry:
+        limit: 10
+        backoff:
+          duration: 1m
+          factor: 2
+          maxDuration: 16m
+      syncOptions:
+        - CreateNamespace=true
+        - ApplyOutOfSyncOnly=false
+        - ServerSideApply=true
+        - PruneLast=true
+  prometheusOperatorCrds:
+    namespace: kube-system
+    source:
+      repo: git@github.com:alexlebens/alexlebens-net.git
+      revision: HEAD
+      path: standalone/prometheus-operator-crds
+    syncPolicy:
+      automated:
+        prune: true
+        selfHeal: true
+      retry:
+        limit: 10
+        backoff:
+          duration: 1m
+          factor: 2
+          maxDuration: 16m
+      syncOptions:
+        - CreateNamespace=false
+        - ApplyOutOfSyncOnly=false
+        - ServerSideApply=true
+        - PruneLast=true