Initial test

app-root/application.yaml

@@ -0,0 +1,25 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: root
+  namespace: argocd
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: https://git.mvzijl.nl/marco/veda.git
+    targetRevision: main
+    path: appset
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: argocd
+  syncPolicy:
+    automated:
+      prune: false
+      selfHeal: false
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+      - PruneLast=true
+      - PrunePropagationPolicy=foreground

app-test-1/app-test-1.yaml

@@ -1,63 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: app-test-1
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: app-test-1-deploy
-  namespace: app-test-1
-spec:
-  replicas: 1
-  selector:
-    matchLabels: 
-      app: app-test-1
-  template:
-    metadata:
-      labels:
-        app: app-test-1
-    spec:
-      containers:
-      - name: app-test-1
-        image: nginx
-        ports:
-        - name: web
-          containerPort: 80
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: app-test-1-svc
-  namespace: app-test-1
-  labels:
-    app: app-test-1
-spec:
-  type: LoadBalancer
-  ports:
-  - name:  http
-    port:  80
-    targetPort: 80
-    protocol: TCP
-  selector:
-    app: app-test-1
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: app-test-1-ingress
-  namespace: app-test-1
-  annotations:
-    traefik.ingress.kubernetes.io/router.entrypoints: web
-spec:
-  rules:
-    - host: test.noxxos.nl
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: app-test-1-svc
-                port:
-                  name: http

apps/authentik/Chart.yaml

@@ -0,0 +1,7 @@
+apiVersion: v2
+name: authentik
+version: 0.0.0
+dependencies:
+  - name: authentik
+    version: 2025.10.0
+    repository: https://charts.goauthentik.io

apps/authentik/values.yaml

@@ -0,0 +1,53 @@
+authentik:
+  global:
+    priorityClassName: homelab-critical
+  authentik:
+    secret_key: bGd7nChCpPQmypR64rgF
+    postgresql:
+      host: file:///postgres-creds/host
+      name: file:///postgres-creds/dbname
+      user: file:///postgres-creds/username
+      password: file:///postgres-creds/password
+  server:
+    metrics:
+      enabled: true
+      serviceMonitor:
+        enabled: true
+    ingress:
+      enabled: true
+      hosts:
+        - authentik.noxxos.nl
+        - auth.noxxos.nl
+        - sso.noxxos.nl
+      annotations:
+        traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    volumes:
+      - name: postgres-creds
+        secret:
+          secretName: pg-authentik-cluster-app
+    volumeMounts:
+      - name: postgres-creds
+        mountPath: /postgres-creds
+        readOnly: true
+  worker:
+    volumes:
+      - name: postgres-creds
+        secret:
+          secretName: pg-authentik-cluster-app
+    volumeMounts:
+      - name: postgres-creds
+        mountPath: /postgres-creds
+        readOnly: true
+  postgresql:
+    enabled: false
+  redis:
+    enabled: true
+    image:
+      repository: redis
+      tag: 8.2
+    master:
+      persistence:
+        enabled: false
+  prometheus:
+    rules:
+      enabled: true

appset/applicationset.yaml

@@ -0,0 +1,108 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: apps
+  namespace: argocd
+spec:
+  goTemplate: true
+  goTemplateOptions: ["missingkey=error"]
+  generators:
+  - merge:
+      # Join base (directories) with overrides (files) by folder name:
+      mergeKeys:
+        - '{{ .path.basename }}'         # requires recent Argo CD (see note)
+      generators:
+        # Base: every folder under apps/*
+        - git:
+            repoURL: https://git.mvzijl.nl/marco/veda.git
+            revision: HEAD
+            branch: applicationset-rewrite
+            directories:
+            - path: apps/*
+        # Overrides: optional appset.(yaml|yml|json) in each app
+        - git:
+            repoURL: https://git.mvzijl.nl/marco/veda.git
+            revision: HEAD
+            branch: applicationset-rewrite
+            files:
+              - path: apps/*/appset.yaml
+              - path: apps/*/appset.yml
+              - path: apps/*/appset.json
+  # ---- Application template ----
+  template:
+    metadata:
+      name: '{{ default .path.basename .name }}'
+      labels:
+        app.kubernetes.io/part-of: root
+        # allow grouping for RollingSync (see section B)
+        tier: '{{ default "apps" (index .labels "tier") }}'
+      finalizers:
+        - resources-finalizer.argocd.argoproj.io
+    spec:
+      project: '{{ default "default" .project }}'
+      source:
+        repoURL: https://git.mvzijl.nl/marco/veda.git
+        branch: applicationset-rewrite
+        targetRevision: '{{ default "main" .targetRevision }}'
+        path: '{{ .path.path }}'
+        # Tool-specific overrides (only render when present)
+        {{- if .helm }}
+        helm:
+          {{- if .helm.releaseName }}releaseName: {{ .helm.releaseName }}{{- end }}
+          {{- if .helm.valueFiles }}
+          valueFiles:
+          {{- range .helm.valueFiles }}
+            - {{ . }}
+          {{- end }}
+          {{- end }}
+          {{- if hasKey .helm "ignoreMissingValueFiles" }}
+          ignoreMissingValueFiles: {{ .helm.ignoreMissingValueFiles }}
+          {{- end }}
+        {{- end }}
+        {{- if .kustomize }}
+        kustomize:
+          {{- if .kustomize.namePrefix }}namePrefix: {{ .kustomize.namePrefix }}{{- end }}
+          {{- if .kustomize.commonLabels }}
+          commonLabels:
+          {{- range $k,$v := .kustomize.commonLabels }}
+            {{ $k }}: {{ $v }}
+          {{- end }}
+          {{- end }}
+        {{- end }}
+        {{- if .directory }}
+        directory:
+          {{- if hasKey .directory "recurse" }}recurse: {{ .directory.recurse }}{{- end }}
+        {{- end }}
+      destination:
+        server: '{{ default "https://kubernetes.default.svc" .server }}'
+        namespace: '{{ default .path.basename .namespace }}'
+      syncPolicy:
+        automated:
+          prune: false
+          selfHeal: false
+        syncOptions:
+          - CreateNamespace=true
+          - ServerSideApply=true
+          {{- range .syncOptions }}
+          - {{ . }}
+          {{- end }}
+  # ---- Progressive / RollingSync (section B) ----
+  strategy:
+    type: RollingSync
+    rollingSync:
+      steps:
+        - matchExpressions:
+            - key: tier
+              operator: In
+              values: ["system"]     # e.g. CRDs/operators first
+        - matchExpressions:
+            - key: tier
+              operator: In
+              values: ["platform"]   # infra (DBs, ingress, etc.)
+          maxUpdate: 50%
+        - matchExpressions:
+            - key: tier
+              operator: In
+              values: ["apps"]       # leaf apps
+          maxUpdate: 25%
+    deletionOrder: Reverse

argocd-ingress.yaml

@@ -4,7 +4,7 @@ metadata:
   name: argocd-ingress
   namespace: argocd
   annotations:
-    traefik.ingress.kubernetes.io/router.entrypoints: web
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
 spec:
   rules:
     - host: argocd.noxxos.nl
@@ -16,4 +16,4 @@ spec:
               service:
                 name: argocd-server
                 port:
-                  name: http
+                  name: http

harbor/values.yaml

@@ -0,0 +1,8 @@
+registry:
+  enabled: true
+  # put Harbor values under this alias, e.g.:
+  expose:
+    type: ingress
+    ingress:
+      hosts:
+        core: harbor.noxxos.nl