feat: add Cilium to Talos environments (#912)

devantler · web-flow · commit 1eb53fa1b1d5 · 2025-05-10T20:12:42.000Z
* feat: add cilium to dev

Signed-off-by: Nikolai Emil Damm &lt;nikolaiemildamm@icloud.com&gt;

* fix: update SOPS configuration for dev and prod clusters

Signed-off-by: Nikolai Emil Damm &lt;nikolaiemildamm@icloud.com&gt;

* fix: add security context capabilities for Cilium

Signed-off-by: Nikolai Emil Damm &lt;nikolaiemildamm@icloud.com&gt;

* fix: reorder cgroup and service configuration in HelmRelease patch

Signed-off-by: Nikolai Emil Damm &lt;nikolaiemildamm@icloud.com&gt;

* fix: comment out security context capabilities in HelmRelease patch

Signed-off-by: Nikolai Emil Damm &lt;nikolaiemildamm@icloud.com&gt;

* fix: update kustomization files for cilium and correct resource paths

Signed-off-by: Nikolai Emil Damm &lt;nikolaiemildamm@icloud.com&gt;

* fix: restore security context capabilities in HelmRelease patch

Signed-off-by: Nikolai Emil Damm &lt;nikolaiemildamm@icloud.com&gt;

* feat: add kustomization and flux configurations for production environment

Signed-off-by: Nikolai Emil Damm &lt;nikolaiemildamm@icloud.com&gt;

* fix: change concurrency cancel-in-progress setting to false in deploy workflow

Signed-off-by: Nikolai Emil Damm &lt;nikolaiemildamm@icloud.com&gt;

---------

Signed-off-by: Nikolai Emil Damm &lt;nikolaiemildamm@icloud.com&gt;
diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
@@ -11,7 +11,7 @@ on:
 
 concurrency:
   group: ${{ github.workflow }}
-  cancel-in-progress: true
+  cancel-in-progress: false
 
 permissions:
   contents: read
diff --git a/.sops.yaml b/.sops.yaml
@@ -3,7 +3,17 @@ creation_rules:
     encrypted_regex: ^(data|stringData)$
     age: |-
       age1fqcl89lrl8daucdkn7xstjhv9mcxk39m59a9mhvw0g3j24kjmu6qcaxpp7
+  - path_regex: ^k8s\/clusters\/dev\/.+\.enc\.ya?ml$
+    encrypted_regex: ^(data|stringData)$
+    age: |-
+      age1q2vtjmghm5yv3sm426325u0tsgvru758lum8kefhp62fhmhf3afqhrnm3x
+  - path_regex: ^k8s\/clusters\/prod\/.+\.enc\.ya?ml$
+    encrypted_regex: ^(data|stringData)$
+    age: |-
+      age18huaqzzrln439z9nj56kmqnkcu5zrj44y57ml8tlauhh5vj3yqgsa0l9dw
   - path_regex: ^.+\.enc\.ya?ml$
     encrypted_regex: ^(data|stringData)$
     age: |-
-      age1fqcl89lrl8daucdkn7xstjhv9mcxk39m59a9mhvw0g3j24kjmu6qcaxpp7
+      age1fqcl89lrl8daucdkn7xstjhv9mcxk39m59a9mhvw0g3j24kjmu6qcaxpp7,
+      age1q2vtjmghm5yv3sm426325u0tsgvru758lum8kefhp62fhmhf3afqhrnm3x,
+      age18huaqzzrln439z9nj56kmqnkcu5zrj44y57ml8tlauhh5vj3yqgsa0l9dw
diff --git a/k8s/clusters/dev/apps/flux-kustomization.yaml b/k8s/clusters/dev/apps/flux-kustomization.yaml
@@ -11,6 +11,18 @@ spec:
   sourceRef:
     kind: OCIRepository
     name: flux-system
+  dependsOn:
+    - name: infrastructure
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
+  postBuild:
+    substituteFrom:
+      - kind: ConfigMap
+        name: variables-dev
+      - kind: Secret
+        name: variables-dev-sensitive
   path: clusters/dev/apps/
   prune: true
   wait: true
diff --git a/k8s/clusters/dev/infrastructure/controllers/kustomization.yaml b/k8s/clusters/dev/infrastructure/controllers/kustomization.yaml
@@ -2,4 +2,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ../../../../distributions/talos/infrastructure/controllers
+  - ../../../../distributions/talos/infrastructure/controllers/
diff --git a/k8s/clusters/dev/infrastructure/flux-kustomization.yaml b/k8s/clusters/dev/infrastructure/flux-kustomization.yaml
@@ -13,7 +13,6 @@ spec:
     kind: OCIRepository
     name: flux-system
   dependsOn:
-    - name: variables
     - name: infrastructure-controllers
   decryption:
     provider: sops
diff --git a/k8s/clusters/dev/kustomization.yaml b/k8s/clusters/dev/kustomization.yaml
@@ -2,6 +2,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+  - apps/flux-kustomization.yaml
   - infrastructure/controllers/flux-kustomization.yaml
   - infrastructure/flux-kustomization.yaml
   - variables/flux-kustomization.yaml
diff --git a/k8s/clusters/dev/variables/secret.enc.yaml b/k8s/clusters/dev/variables/secret.enc.yaml
@@ -4,21 +4,21 @@ metadata:
     name: variables-dev-sensitive
     namespace: flux-system
 stringData:
-    dex_client_secret: ENC[AES256_GCM,data:+e5Ci4m7nMWUpkDT42brDaehqE0=,iv:vt18z7crgtdhsa2L371GLCv/acPnD3hNS5ZA2ZktAgw=,tag:nPQRcUHivbfwg98P0hP+6Q==,type:str]
-    github_app_client_secret: ENC[AES256_GCM,data:ElSZ3N+pvXNWarUiBazdBYme7LGCbbSOCGXpgutMJ8Agt+SHBaCaIw==,iv:TQVSBXGdRdyMGUXUP3YMZjpw4GF/jvA+9Bro2al0sNs=,tag:99sUHhgeVxgvmpXIuRfZ/A==,type:str]
-    github_app_private_key: ENC[AES256_GCM,data:+uRkDbVKduvgExe15gaue3/Mr5MGLIyiJJsjbhQBbfeRPU0wsGc0Vrcyj+4eFUjloTBB0R29I/rsZrhDE0B9L+tF59YYK1uFn5Uc+MsNkxdwxpJ4XXZPBlMsfwclLZxtncm9BhP950PQnY/5VN2Fb53BGp+xDBv42ARkT2T2qjrYzogO3uOefMv5GqL4UX2Qxj+pRjw6VelUMUNSHFKCFBQ7DDl3eI2dhIfqT0ZwxxVBxvIgNdBnEKgzQgblWz8xpyNIeFHFscTWnpoY4xgMwJJOzdCwq7IV4zhmmzxAv339VmUi2jUE055ZvyX1D7mxGontQbjuJn7uFW8Z5b0ov8A3PMa6CuEycEKvymYhKG07s3KsUZvegtKheV4L33l/3LPUPHV9T8uIYfyImcJ8fJj5C/indawdxQDMpyDN5+KuSkc/AP4Xtte4YWdNXUxmo0SxsR0HOR0VsBCIOetVnkB5WBtDXI9hTCMGDS3QZ5PoHTjQtyvZdFBrS4sv8g3tsvNmuHCcfZ6s6qo6FQ65/ZJmzSWJ6BM8H/iIJWiLDFiDIAG1XiZNqr8GRSP/jzYcTTma6sh9ST7DmdAlAeSigV/Shn8IFLKmfXxlMUMEBnPoHbOeqIpLPxDZPOlr7CiYHPE7y6gjswVNfAb1KyU7HiLzDQdtwR7VMjghJ5bAJu+erBhSb3oMU/yecBCOnTCgZStV7Qn86DWflaWa/rdn7hC4elsMYGrfbocERef2AWRFQS3ZdmjczlLc2nEspiRPEdrw3SqPEr7MduHA0nHg/OPe7+OTbXevBp0/hNXLh8Jdbk63B3RqE2+aSvSal49n8bdLlK+S8F4UKTecxtIuhMGcmU7FLcgAjuFBda0FQqC8yMEaWSzmAfLybXQuEZxlHIMKc44ODpqVdT4y9mqQuS30tz0+UnXGYOzkPqmq75p46yltIj29ZoZ1mvQjBQ2ZU8dOLOIX1ouGu417cvpMq8qG4iFL9cfW6xzrwbMC8tlLh7tC2fYgtbqf1/JPRmraJCCqiWCwZaaihTcoEy/1yWmmreGjfNMbpyaauyzJ+8OnUq5bk91nP57PHaLPsHFrphNrjyGIhFh73+3rCZrwkfyf9BOpxNyXtNXFPlLTw6r22u1tr/qSPdvElcIWlxOrSX54b9lettgFB0SSPe6hJxr5afmaErAVG6uwxcrTaGhFuVDJ4FZTCV1ws8i9Q8txM7prvV8xmwf0zuG2eUjWcZfUEiZlZ9GVCSsPVqnHXuoSXEPiGGAKY3t3d+oVuVsenfk4LK/srJGBYUrahdG7TGEhMHgMyhd++/y02S+93oxJdGIwYwpZbHca/n0asEs8m8mwirs2+Fj+zAC9JOjo3F7ew4Plh63hkJC3j2bOXY4yD0gwNjrr9TyEkLlj06354TGVzlnmpkIRl2r8PwZdOtDrHWh1zMutMKYv2D+ws9nOqKjzE0Zf6hVI1XIbn471gVvMkVvxeMq8A//txNF5g0eYDBlY8iBZ3//dbhCWiY4MFPAkCC4+6QEkbSsGNqbnDZPwPMQm1zXrrF6hJpC4Oc6elo0wPk85hzdoyqTBE0XFEpgsvDFAeyEowNYFGaBMC6vM7snxfJvH4f3X8Kro74i9ImAO+DpviiMhT5NoYCstLkyYklzn/XEsN+EOMNq6p9CvDI3X3IYucI6julbAH6XgCYcetPPN0UdXtGn4eh7X1Y9ZG1xfI1xP7122y/OClx+LjhxRw/Tuw3uVgzo6pSC10TCXqEhmpO3kKlGKd09z3vTBpFueG2rCTpZ4MmrrLXdFCu2o7Z2jbzM0iD8MYl6LQ5FmWGyUWMSfkY8FQLOqRUklP/Uh9ZHQEf1yxR1JNcTSrzyqrP4l66js4q8hVxw/T9DJnOtDIF6dOk81K4GDRF8J/0j2ikMgeunESyblXsVomSjZkchSbjgfKpAagLqS1koBbflkU0NrVsqHCF0ZjiGFlkAGtfbTrUPLTMAR17r4QbJ5zqq3/ROjhS476GS8xiqZm4UnfX4LXezVEKMF4Y++IvbLkZ5SsV3a6+aL9yF+v0eQcA56Bb8MYag9KB7kkvWIfKbJcS+hINAChRABjzSSY0RHlPjeN4+6fyEbvAlllaRIO45s4vdIJOjvdTgtCJ4CMcWW5XGMRYshrypKi5sA/Na6SCKS6G8yvBmg+QuTJpaYm0XfFBYIsVikBknWNxHuTlzMbcbznlj6fX2WDIG/zPTBp5Jlpw==,iv:/tby64GY0Q5UPkbg0w81YT6aOBiTNyDBKFFgLB0T1WA=,tag:HZ8/bnRqeO0cFfSPffzhaw==,type:str]
+    dex_client_secret: ENC[AES256_GCM,data:tOdVZhFh2GCtciIQNBOlc6IqXTg=,iv:pPb8Qm4Yxxm7SzdMXN4sIcXWNdSTdY40LAXIgIangYU=,tag:BjKwaaxFqvdTPBOlJnUejg==,type:str]
+    github_app_client_secret: ENC[AES256_GCM,data:GfDCRM515Z7u/bcSTfEdMTYicv7CcDHNEen4cuu7Qk9gGMDVSzTZiQ==,iv:05NU5gqRQTsI06HDXdeAzKsrlgcG01XL1UD7RwUIqww=,tag:vKOs1MJHbdDxiuPem9pvFA==,type:str]
+    github_app_private_key: ENC[AES256_GCM,data:GQGbcemwC6QhUCkEQAafsZLqe7v8E3BEtiTu44kpQBiFC9coig+/4+YsRhEcLJnIFHl9G7bNhbZej5kKPQ+MdgU47Z9iS/sJDQLIsOI5WOf2aEB1i21bxBgDLobdArSbYO+oDy9HotvvAZ6crjILaWUjfGpjk6J20b8b+HYBBfplLKkQTg3ZeCFn/OAsWG4B+mgNAcHN1rSw617YnoZRej9N2JYMSY3CgOBQ/qTEO9/jvqGICvf1jouAk0oHb+4LgihXAsizo2BmdXf5tYZI1bJ7QbqFZYbSEL4cvy445FXhDpbpn7nKrq3p94ic/B3Mw0JS81uUj/rpFH7jD87IzHImrqm6Vt2US3Hn+xUc/xv8jVjOa+WxvZsFuT4/uR/k1l4tev3PfHxaztOmSXd1B4Tz2ec85qEYZDMvNYR+D/O6ext2P7P39RV21JD8e2M/yX+mjOEIX5uO7kJMe4UTsJrkK/K3XtkfqDoCFzQufkNrL9vBLzVI18VJU67ErDp4zH9THK8EqDvfq3JDu/F31tCDhsA3W2FSQ6zisW+QPRyqCHIaIvKw6dWjfr6zgbGUdPrhkowf2wY0nQIG4207QGHHYATv1f83nx2mZHMrxsFnYVLzNHFbJ2IjEj/D9MqkhLkY9v/Qw9rm+RWbymESEWZsBA3NbJWznsFgfhdKwsTjAe+HUDAs8gmJKd1h4AQTZq0VYCgaj0gzNwIICC7ZQqOIbA0g57xCJWM8XJBfoMds16fMv4dBJomQIGI1xw9oI9IGzYy/ahOwgZ9qZTWQ2n7fC/Hw1m8XvqOe8qHUTheo8OV3HReYpBybyCGpDVUvWeqY0Oo3uwewW0r/r0OuonUTZIqlUS98Rxnqbwz+M9rPbNJWPyfG095l0etjdimb9FgqmneS6jPXV5z2h4isPqibY1HjfxtMiVecyO1xHJZTAjxg3Jh+EOGPsclcoD3NC894atRMVP8KDoyZCIgYNmOUli2iKflIan3bG3s6zdTJxCPWMfTaXIJuorRmUsuCcBs+7PHhAb2BofWzT5vzrh4uLDq407b+ipx0hn6s8kOx9OvugsbsbzJHBP2fMXw/uFGt4EUGq8Yt0X85aN6CRpvcUjIcuj2Xff5bkWgK5MXn7JBgVe6Db+d37mWsj77TnKush+C4ZXNtrWGCtJdrYOCUSYhIOFUiSEGbrz5vdIqXjdrNTG+8nDTf5VZlI8wV22sBJOGiPlWLv5OMaZSnTxRCLfmlpr0lNOE4kC3smQvYA49dpSDKLLWOAoVbdoxZz3znRV9zK1/eEy+cPhIuwwRokcrCvTp5LwppLeLv60hdh+z0LhvrP7QrelRfHUrD+rYaQHd71a1ImYzJAJy+4TmBPDWKx+RotvLZk+SyKuTGrwjbx09SmLCvp1o8oiICVsYYf7DJeGT1aoPrqwd2VSs6lv156pv2c4hIFBvQzFxDyb5LJzmkxZorfyx8n8otj0wb2Gy4BcD9hC7RXFIbNPdzGi7Wjvj0/LhrIagwa2tzUMpIyOQkSIw0NWV3wjbSys3fBDTQ0mvk61QDDOrCiBjbU4bqM+JfFHCBlF+VwKy5AXAj50m2jl6eU1OkRbLa8nnfP6kb6yV6bYuyc13YNe/FQfyM5nHfJWJDd7it0DQjo6yYGirPrbPE9+Cn3hTeCO+LRcVvTMaa3+YN/MkjyuzFU8TSMBUuPOividdoNBGlrveJq8EkS0P9oUWRHUDP+Y+iGgQe6ChgZe13Vwn3M8nY/+tsbi7u2sG3v2jDFGA5puWcbfLcC3kBlF77d2XGm3Hok2+MHHRo1uwkiObKUONGAnQAUrfZElFrfTMupJTPBXSEcQgosaQb6qq2eo6B/rBNWQes43Ftkjpwo2H7gCNtkVcjrINt5aiDKMkcjN2O5CiaW/FdY2Oy/8fZ4pQpTyFeGnCY+0rHXbLT45GRV+ILUleKdC9offsa8Vf/EswKLYJ8E9tu/5YNCTqGPT79M1/jZf53G0B0aFXouUsmlDF0HPvoWyECG3v6Qyjs+S06Ht+1gnzmVNOZtQiyMNH59W87NDEIFf/nmnhGSYxpOis5gP+QMFSflRgncOxZgNUL3MzA93W155UysbaeCItiY3RS8aFKsyVyFUSQ7xxNDF66JU3iDc+bS2YdFeAKl7e+VoX4YM7YV8WNla7sniw+Q6IBTiosG/EpR9ELU3DuEbNgUWdG/XX30jTuXTrSeSHrhjTThMNfHdtVwQ==,iv:iaQu/4tWhLkNevePvoNF4KIxqQr/Zx+mqfvGqLlYYjc=,tag:F4w8EKfr+4zrZ1P2fz7PxA==,type:str]
 sops:
     age:
-        - recipient: age1fqcl89lrl8daucdkn7xstjhv9mcxk39m59a9mhvw0g3j24kjmu6qcaxpp7
+        - recipient: age1q2vtjmghm5yv3sm426325u0tsgvru758lum8kefhp62fhmhf3afqhrnm3x
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5b20wRER4SWdWdVgwTXpF
-            ZWxqTExtOFpFc2dpQ2l4bkNPRVZ4R3MyUVVnCnhUYkgxL1UxWGV6ZXBDb2xyQjZq
-            akJyVzdneUlPaXltNjhpYy9QbWtLVVkKLS0tIDFJUW54QUoxbXh5ZUNRcXBWRWI1
-            OE1CVEVqRVBjT3Jqckc1L0gwZ1JTdk0KGKF8qlUINhdrzW3JuplBqQ52s4PfbSo9
-            8HBAS+DlVet6PrlaolKlNjI5qL0u4FZfPwub6AXrI0jIq8XwEGzj/g==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNcGN3MG9COGxGOGhtTmN6
+            SFJsWkVxWjhLOEZpT0Y4WmFkOGxIQy80ZmpjCnAvWGVXOE5INUZ3Wkh1OGxJbjdo
+            UVo3S1o0UU9tUDV6aGJzK2FzeS9kNzQKLS0tIFpoNVpsQ0dKUUpKU1E3SlppbzQ0
+            WHEzdjBFQ1dlcURQMEVQL2lxQXFrM2cKeQMGiRZQjdWI0/faqJDsFSN9eggyr73d
+            q8S5XiZDB+wAFTMaMebscfhSWo/3N8G3EpFdh1GMiVNyLMskzkbARw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-05-09T15:47:43Z"
-    mac: ENC[AES256_GCM,data:Zw3zc3sQ6jLMAfj3rkMFbXh86F94JeOmP3caFW+cpqaziPyydXahQ+296Q10n3ydivNbEq2EMEkgjut3fArpN6KTxxTQ3vagpeReq3kOlDqOwdKTAwZ+Xd1IkCvljdUigbpsUWn6pPKvzfrxQ5UiOsA3J4re3ngndrKUqypW98s=,iv:qblri7AXEtDDKAIGJCCRZwrFR8b7Syk3uQphPqQNtNA=,tag:OSYICwjt0IC1IChS+shezQ==,type:str]
+    lastmodified: "2025-05-10T12:05:56Z"
+    mac: ENC[AES256_GCM,data:HuaKpCFAsbs/EnLsrWt0AMBlYzVNNEIFN/v7YW43D3PgVyq+Rh7rdJbkC3am9qlmXEbSbMGE0muMcudH+ApPYxRsFwmLvOskvAaEsnd41xiBwA+AIHkODcYcL7h18mSJ8JLXxI/I9+WKfYMf/hPIOds+SaAEI7l5t3PXHS8yJF8=,iv:VekpOes4+E6yO7tPfOILk8IV6n6eE+rdz6wqIAwjffo=,tag:7sLeFJgeN6SZ1mNd1oxO+w==,type:str]
     encrypted_regex: ^(data|stringData)$
     version: 3.10.2
diff --git a/k8s/clusters/local/apps/flux-kustomization.yaml b/k8s/clusters/local/apps/flux-kustomization.yaml
@@ -11,6 +11,18 @@ spec:
   sourceRef:
     kind: OCIRepository
     name: flux-system
+  dependsOn:
+    - name: infrastructure
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
+  postBuild:
+    substituteFrom:
+      - kind: ConfigMap
+        name: variables-local
+      - kind: Secret
+        name: variables-local-sensitive
   path: clusters/local/apps/
   prune: true
   wait: true
diff --git a/k8s/clusters/local/infrastructure/flux-kustomization.yaml b/k8s/clusters/local/infrastructure/flux-kustomization.yaml
@@ -13,7 +13,6 @@ spec:
     kind: OCIRepository
     name: flux-system
   dependsOn:
-    - name: variables
     - name: infrastructure-controllers
   decryption:
     provider: sops
diff --git a/k8s/clusters/local/kustomization.yaml b/k8s/clusters/local/kustomization.yaml
@@ -2,6 +2,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+  - apps/flux-kustomization.yaml
   - infrastructure/controllers/flux-kustomization.yaml
   - infrastructure/flux-kustomization.yaml
   - variables/flux-kustomization.yaml
diff --git a/k8s/clusters/prod/apps/flux-kustomization.yaml b/k8s/clusters/prod/apps/flux-kustomization.yaml
@@ -0,0 +1,29 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: apps
+  namespace: flux-system
+spec:
+  interval: 60m
+  timeout: 3m
+  retryInterval: 2m
+  sourceRef:
+    kind: OCIRepository
+    name: flux-system
+  dependsOn:
+    - name: infrastructure
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
+  postBuild:
+    substituteFrom:
+      - kind: ConfigMap
+        name: variables-prod
+      - kind: Secret
+        name: variables-prod-sensitive
+  path: clusters/prod/apps/
+  prune: true
+  wait: true
+  force: true
diff --git a/k8s/clusters/prod/apps/kustomization.yaml b/k8s/clusters/prod/apps/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../../../distributions/talos/infrastructure
diff --git a/k8s/clusters/prod/infrastructure/controllers/flux-kustomization.yaml b/k8s/clusters/prod/infrastructure/controllers/flux-kustomization.yaml
@@ -0,0 +1,29 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: infrastructure-controllers
+  namespace: flux-system
+spec:
+  interval: 5m
+  timeout: 2m
+  retryInterval: 1m
+  path: clusters/prod/infrastructure/controllers/
+  sourceRef:
+    kind: OCIRepository
+    name: flux-system
+  dependsOn:
+    - name: variables
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
+  postBuild:
+    substituteFrom:
+      - kind: ConfigMap
+        name: variables-prod
+      - kind: Secret
+        name: variables-prod-sensitive
+  wait: true
+  prune: true
+  force: true
diff --git a/k8s/clusters/prod/infrastructure/controllers/kustomization.yaml b/k8s/clusters/prod/infrastructure/controllers/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../../../../distributions/talos/infrastructure/controllers/
diff --git a/k8s/clusters/prod/infrastructure/flux-kustomization.yaml b/k8s/clusters/prod/infrastructure/flux-kustomization.yaml
@@ -0,0 +1,29 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: infrastructure
+  namespace: flux-system
+spec:
+  interval: 5m
+  timeout: 2m
+  retryInterval: 1m
+  path: clusters/prod/infrastructure/
+  sourceRef:
+    kind: OCIRepository
+    name: flux-system
+  dependsOn:
+    - name: infrastructure-controllers
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
+  postBuild:
+    substituteFrom:
+      - kind: ConfigMap
+        name: variables-prod
+      - kind: Secret
+        name: variables-prod-sensitive
+  wait: true
+  prune: true
+  force: true
diff --git a/k8s/clusters/prod/infrastructure/kustomization.yaml b/k8s/clusters/prod/infrastructure/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../../../distributions/talos/infrastructure
diff --git a/k8s/clusters/prod/kustomization.yaml b/k8s/clusters/prod/kustomization.yaml
@@ -1,4 +1,8 @@
 ---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-resources: []
+resources:
+  - apps/flux-kustomization.yaml
+  - infrastructure/controllers/flux-kustomization.yaml
+  - infrastructure/flux-kustomization.yaml
+  - variables/flux-kustomization.yaml
diff --git a/k8s/clusters/prod/variables/config-map.yaml b/k8s/clusters/prod/variables/config-map.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: variables-prod
+  namespace: flux-system
+data:
+  domain: prod.devantler.tech
+  github_app_client_id: Iv23liZ8GHRgpx32Em2y
diff --git a/k8s/clusters/prod/variables/flux-kustomization.yaml b/k8s/clusters/prod/variables/flux-kustomization.yaml
@@ -0,0 +1,20 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: variables
+  namespace: flux-system
+spec:
+  interval: 5m
+  timeout: 2m
+  retryInterval: 1m
+  path: clusters/prod/variables/
+  sourceRef:
+    kind: OCIRepository
+    name: flux-system
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
+  wait: true
+  prune: true
+  force: true
diff --git a/k8s/clusters/prod/variables/kustomization.yaml b/k8s/clusters/prod/variables/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../../../distributions/talos/variables
+  - config-map.yaml
+  - secret.enc.yaml
diff --git a/k8s/clusters/prod/variables/secret.enc.yaml b/k8s/clusters/prod/variables/secret.enc.yaml
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: variables-dev-sensitive
+    namespace: flux-system
+stringData:
+    dex_client_secret: ENC[AES256_GCM,data:N2lx0i3cU5/tvNOD8VGXD0Deui0=,iv:wd7GKLALtuptqKgcTW+PLQGcMJbce02dOd0m+y6ipZM=,tag:YG0w3pS7DkG+DWdg5K+Idg==,type:str]
+    github_app_client_secret: ENC[AES256_GCM,data:MqpUJOm7rBTBnh/dMjmu8JZGxpuEIwBxclc7+4yuzJsn8Q4P0a6Jhw==,iv:sOBoblUdfzbl+IX2wu5gwGUmr5vOBgTMF1wD1WOxqpQ=,tag:0P62JkP4hk3z/iTpWkoHNw==,type:str]
+    github_app_private_key: ENC[AES256_GCM,data:cSeSQfnoqNnmU9D6lqUpIZb75v1b/C4xvGHkI3XrTo0IoJoehqWIBt+CJnhm//lzClrFOBPoYUJGmZoAC56bdPwlOQ8owYhLiEdnZ1MQvwWsq1l/dVNCt6kZzzCCX5YsonT3UbHJ64XMHE5c7VJGhKpm3avU9RtbGy6wDoVyIkRG0XIqxcVS+549QFVvfEDBgObt38+ranVKJG+zqlQ4slc+ZxcV171oTDxTbdMNu8Jh8/JZqzmEwa5DO5hS3rPPR7JqOdSkvXnHbaGLuofxwFogSgyKIMSbNGTQBM7s8E4mQnW9+jaxJeOgXwVzf3VZfDeWoCPddzmgHVCLr4bvx0e1iwin0FigAbhJji0CJ/OfS9cptRusNYzlcEBrwcpteoZCAa/ni245m1J8WyL8hm5imfsTUhwD6uZIEgMvqAfWi7FwpQkP5Y1LOQdqMQ0yqNIbYim94PaMh2v/AC3cYitfpp12yJD6xKyY+R29WzJ2TCjaMOQKgbmncAMRuTWNC3Qyvd5Xt90KY/Di1xFNQ1AnbAk8IzYrTanHcJ8w1lA0OTxnRJZx4d19aE06H622cl/W6y0dJJaCuKwL0RJzklJOU0ZitQq5ZnWdHUvSx1IZbkHBdvCuOO71LGMSRn78+AGii8O417mFGxDASuMdEfMdNmMeX92LwLxuNBaYjncK+hMaTBr856Asct9mT+f/RzVVyHbti0yj5QBObKxifs17DUB5YwmeybF7O9mWmcuVayIEdJL9r/m6K5Tcu8GtcqunJ2cAXA65DcEni2iHB9bKu8r7raL+T0A38W4LvpDiecua6eVmFJTU8E5fxrf19mDTYsdGULq/BgkcWWRfziG/cDo5y2LMA7Idb9ddT90d4dvBNd5B7okUVOeXFOi/bO2C9/VhB/V6i4R8pBqYSw9lH9HDaX9/CNgCCYylS5fS0giGmjRXMdHUMjvJaSu7MChZcF7RZs260zY99gV+DI7UhG0BR2UXDHHpmfYZvqYas05UkLpLTvbTkHyj1AoCTZmnG8cn6uF11wjQJPEINakSC7vL6zZQzgGO6jTLAb4oqiZXvt1EIX0u1J/Mm/FfPo5yrP1VelmlUw2rwZ8jQWFJRhaBoGiu5ZT0wu0FLBs9iFEytbn4VN9d3KEAPgAD3wjb3Cys1YyNnfzfnDgFgseWkOAPZdPDSGhWeHnzbkVHsdhVRIQqpDcRJSxWT4v2sHeFH2xuLBYs/RezYUp+hisVBKUsfyj7yNJPnm88U2oVsTX0WiNczeXnJW+tjkK7H1uwk7n6uOfipqjLnfwvexTdfCmLr7aIYlw4CA56nD1rD6cwlw7tCd19he17Z92myKaI9XuxoO5aFGScT367GosriyYMon9Q7uqFU6hi5nQ9dnObpfCb9Omyv+9zWfcEBCFXptQ8NTFqGN4UImoswaRf4d15i6ltD9YtXqscnJ/VEBCnyOZYx/fi4LlfhLttnKjzX4fIykVc79p9gzdci2OJFEG57+zv9S/GSiCkYVS5euG8kjY6xaGV22wD5+Xaz+XHQFm4wJ/ogR5j4YQ3S3C7TKj56U2wo5sgIx7nEkqfqTwvUQK1ndyQwG4AOaHZAtcA/sGZiF/iIOmrGTx6eU9jb7KKy066cD8RpIK9hRTBF6hfYhSfrwRwIz6c0Xea3HkD+3Xu1ULCA330nFvbL0bYb5cEVG3Lr0qE7rCU34Y39sqqgQSyGr883qgW75ZnRpwZER34Cgtl9Fp04tYd3d0PU62G99/tL3V0U74durnfjCLP0VTppJg+MqRh6VQVizZwvJwUUXfqLCjEQ5EJUF/7yjr4XXmdGz7yv/qQETWX+aKtrFpH0AmPkfgiCbJGz+I6VrfNt8Nz+jB9beI2Ubqd7lmHTIv++OoM1KzhbsLSo8KCmJTjEvzXd5cZkdhYzSNp2qM3dWJ+IHxfzgBiLJzDCTOOTX2lWo+ltHa1BdR9QnY/r7J0JvUdWXQyPFwWMQh9qOf2r07PKjFwE6QKm+YnYnIV4ERukMFeESmuqbPqGHz6OkYG/AFhz/94tvqa/VZYFkQPVUIZz4XbsIE8cDDENFWbxrAnTmzHZxbf617UiiDrEmgeOuni7lJnnu4DfPzyAFQHlUaCoxyT/5Y/i0+h+XYmkHFqxA6I3WM4AOaDSNzhK4TTW3ssRTK13GQ+ixwyD/s7sr/aPriKea6Otf4HooFc9wCjBHinGmRl6zLlvtmrhZ3drJv0LA==,iv:o4Q7KwCOhekFO44TxRM0V9uDgIMnZVtNyhg8JZOA5Ts=,tag:XINc2NtdirAjEZHTYOq1Sw==,type:str]
+sops:
+    age:
+        - recipient: age18huaqzzrln439z9nj56kmqnkcu5zrj44y57ml8tlauhh5vj3yqgsa0l9dw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoRTRBWmpXMEtIeWVLNWZp
+            QlpXV0VuRWxoSkZkdmtoZzViUCs4MWJsYlhrCnhHSUZwS0lXb2s5VXlPK0lvVjlF
+            bTBIY1NQZEoxMWQrdmx5WThvNlNlWlUKLS0tIFl1MituUnp6WThOd29zYkdhSkpt
+            UU5CNmM0eHVwMURtSWJzRkRCdEk2c3MKKiisA8AGWwUEvDsgJ+oqwSlmscNR2+5z
+            DCudOY0vl+rqhsHMGdkjRkK29LYuWBI125U2VZqMlPdMlhmRYcQAjA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-05-10T12:30:09Z"
+    mac: ENC[AES256_GCM,data:VDkP3um1ch27aPpesAtwLZjJcAB7MeRlFu61wG18HD+O9WQbEPc12NGHsX8JLPC51FGAB6N3opZ38paX1JkKpctuYC7gwl87i3yBITAhaOtFcgT8rWzpzCt29YzhJNZ7aflLpb4S7Bsf6X0PE89EJxJqwGnbt/Rgaz/FEXFxJLU=,iv:jTlj7IJsmwaqzy5DFxnZNUQUiEXO56tOp1CzkuqCFhU=,tag:NbrepcnCVp6GrnRbc4d7zQ==,type:str]
+    encrypted_regex: ^(data|stringData)$
+    version: 3.10.2
diff --git a/k8s/distributions/talos/infrastructure/controllers/cilium/patches/helm-release-patch.yaml b/k8s/distributions/talos/infrastructure/controllers/cilium/patches/helm-release-patch.yaml
@@ -0,0 +1,33 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: cilium
+  namespace: kube-system
+spec:
+  # https://github.com/cilium/cilium/blob/main/install/kubernetes/cilium/values.yaml
+  values:
+    securityContext:
+      capabilities:
+        ciliumAgent:
+          - CHOWN
+          - KILL
+          - NET_ADMIN
+          - NET_RAW
+          - IPC_LOCK
+          - SYS_ADMIN
+          - SYS_RESOURCE
+          - DAC_OVERRIDE
+          - FOWNER
+          - SETGID
+          - SETUID
+        cleanCiliumState:
+          - NET_ADMIN
+          - SYS_ADMIN
+          - SYS_RESOURCE
+    cgroup:
+      autoMount:
+        enabled: false
+      hostRoot: /sys/fs/cgroup
+    k8sServiceHost: localhost
+    k8sServicePort: 7445
diff --git a/k8s/distributions/talos/infrastructure/controllers/kustomization.yaml b/k8s/distributions/talos/infrastructure/controllers/kustomization.yaml
@@ -1,5 +1,11 @@
 ---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-resources: []
-  #- ../../../../bases/infrastructure/controllers/
+resources:
+  - ../../../../bases/infrastructure/controllers/
+patches:
+  - target:
+      kind: HelmRelease
+      name: cilium
+      namespace: kube-system
+    path: cilium/patches/helm-release-patch.yaml
diff --git a/k8s/distributions/talos/infrastructure/kustomization.yaml b/k8s/distributions/talos/infrastructure/kustomization.yaml
@@ -1,5 +1,5 @@
 ---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-resources: []
-  #- ../../../bases/infrastructure/
+resources:
+  - ../../../bases/infrastructure/
