fix(k8s/infra): split infrastructure into controllers and configs stages

ClusterIssuer dry-run fails because cert-manager CRDs are not yet installed when the single infrastructure Kustomization is applied. Split into infrastructure-controllers (Helm charts that install CRDs) and infrastructure-configs (CRD-dependent resources like ClusterIssuer) with a dependency between them.
2026-02-21 23:45:15 +02:00
parent a36a925451
commit db16af0d27
18 changed files with 26 additions and 3 deletions
--- a/kubernetes/app/ks.yaml
+++ b/kubernetes/app/ks.yaml
@@ -12,7 +12,7 @@ spec:
    kind: GitRepository
    name: flux-system
  dependsOn:
-    - name: infrastructure
+    - name: infrastructure-configs
    - name: config
  decryption:
    provider: sops
--- a/kubernetes/infrastructure/cert-manager/clusterissuer.sops.yaml
+++ b/kubernetes/infrastructure/cert-manager/clusterissuer.sops.yaml
--- a/kubernetes/infrastructure/controllers/authelia/configmap.sops.yaml
+++ b/kubernetes/infrastructure/controllers/authelia/configmap.sops.yaml
--- a/kubernetes/infrastructure/controllers/authelia/namespace.yaml
+++ b/kubernetes/infrastructure/controllers/authelia/namespace.yaml
--- a/kubernetes/infrastructure/controllers/authelia/pvc.yaml
+++ b/kubernetes/infrastructure/controllers/authelia/pvc.yaml
--- a/kubernetes/infrastructure/controllers/authelia/release.yaml
+++ b/kubernetes/infrastructure/controllers/authelia/release.yaml
--- a/kubernetes/infrastructure/controllers/authelia/repository.yaml
+++ b/kubernetes/infrastructure/controllers/authelia/repository.yaml
--- a/kubernetes/infrastructure/controllers/authelia/secret.sops.yaml
+++ b/kubernetes/infrastructure/controllers/authelia/secret.sops.yaml
--- a/kubernetes/infrastructure/controllers/cert-manager/namespace.yaml
+++ b/kubernetes/infrastructure/controllers/cert-manager/namespace.yaml
--- a/kubernetes/infrastructure/controllers/cert-manager/release.yaml
+++ b/kubernetes/infrastructure/controllers/cert-manager/release.yaml
--- a/kubernetes/infrastructure/controllers/cert-manager/repository.yaml
+++ b/kubernetes/infrastructure/controllers/cert-manager/repository.yaml
--- a/kubernetes/infrastructure/controllers/nfs-provisioner/release.yaml
+++ b/kubernetes/infrastructure/controllers/nfs-provisioner/release.yaml
--- a/kubernetes/infrastructure/controllers/nfs-provisioner/repository.yaml
+++ b/kubernetes/infrastructure/controllers/nfs-provisioner/repository.yaml
--- a/kubernetes/infrastructure/controllers/secret-cloudflare.sops.yaml
+++ b/kubernetes/infrastructure/controllers/secret-cloudflare.sops.yaml
--- a/kubernetes/infrastructure/controllers/traefik/namespace.yaml
+++ b/kubernetes/infrastructure/controllers/traefik/namespace.yaml
--- a/kubernetes/infrastructure/controllers/traefik/release.yaml
+++ b/kubernetes/infrastructure/controllers/traefik/release.yaml
--- a/kubernetes/infrastructure/controllers/traefik/repository.yaml
+++ b/kubernetes/infrastructure/controllers/traefik/repository.yaml
--- a/kubernetes/infrastructure/ks.yaml
+++ b/kubernetes/infrastructure/ks.yaml
@@ -2,11 +2,11 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
-  name: infrastructure
+  name: infrastructure-controllers
  namespace: flux-system
 spec:
  interval: 10m
-  path: ./kubernetes/infrastructure
+  path: ./kubernetes/infrastructure/controllers
  prune: true
  sourceRef:
    kind: GitRepository
@@ -21,3 +21,26 @@ spec:
    substituteFrom:
    - kind: Secret
      name: cluster-vars
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: infrastructure-configs
+  namespace: flux-system
+spec:
+  interval: 10m
+  path: ./kubernetes/infrastructure/configs
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  dependsOn:
+    - name: infrastructure-controllers
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
+  postBuild:
+    substituteFrom:
+    - kind: Secret
+      name: cluster-vars