feat(gitops): migrate platform and infra to OCI charts

StackFlow/svc-plus.yaml

@@ -1,140 +0,0 @@
-apiVersion: gitops.svc.plus/v1alpha1
-kind: StackFlow
-metadata:
-  # Stack identifier (used in plans/artifacts).
-  name: svc-plus
-
-global:
-  # Root domain for this business stack.
-  # Runner enforces: every targets[].domains[] must be under this root.
-  domain: svc.plus
-
-  # Declarative provider selector for future dns-apply (no secrets here).
-  dns_provider: cloudflare
-
-  # Default cloud for this stack (future iac-apply/deploy/observe phases).
-  cloud: gcp
-    project: xzerolab-480008
-
-  # Optional: multi-environment overrides (selected by runner --env).
-  # Today CI only runs plan/validate; env selection is for future expansion.
-  environments:
-    prod:
-      dns_provider: cloudflare
-      cloud: gcp
-      gcp_project: xzerolab-480008
-    dev:
-      dns_provider: cloudflare
-      cloud: gcp
-      gcp_project: xzerolab-480008
-
-  # Source-of-truth repos (informational).
-  gitops: https://github.com/cloud-neutral-toolkit/gitops
-  playbooks: https://github.com/cloud-neutral-toolkit/playbook
-  iac_modules: https://github.com/cloud-neutral-toolkit/iac_modules
-
-targets:
-  # -----------------------------------------
-  # Vercel: www + console
-  # -----------------------------------------
-  - id: vercel-console
-    type: vercel
-    vercel:
-      project_url: https://vercel.com/svc-designs-projects/console-svc-plus
-      team_slug: svc-designs-projects
-      project_slug: console-svc-plus
-    domains:
-      - www.svc.plus
-      - console.svc.plus
-    # Optional env-specific intent (not used by runner yet).
-    environments:
-      dev:
-        domains:
-          - www.dev.svc.plus
-          - console.dev.svc.plus
-    dns:
-      # Default policy: pure DNS. Proxy can be enabled per-record later.
-      records:
-        - name: www
-          type: CNAME
-          value: cname.vercel-dns.com.
-          proxied: false
-        - name: console
-          type: CNAME
-          value: cname.vercel-dns.com.
-          proxied: false
-
-  # -----------------------------------------
-  # GCE vhost: clawdbot
-  # -----------------------------------------
-  - id: clawdbot
-    type: vhost
-    cloud: gcp
-    gcp:
-      project: xzerolab-480008
-      zone: asia-east1-b
-      instance_name: clawdbot-svc-plus
-      console_url: https://console.cloud.google.com/compute/instancesDetail/zones/asia-east1-b/instances/clawdbot-svc-plus?project=xzerolab-480008
-    domains:
-      - clawdbot.svc.plus
-    resources:
-      os: debian-13
-      cpu: 2
-      mem_mib: 4096
-      disk_gb: 50
-    endpoints:
-      # Will be filled by future iac-apply output.
-      public_ipv4: ""
-    dns:
-      records:
-        - name: clawdbot
-          type: A
-          valueFrom: endpoints.public_ipv4
-          proxied: false
-
-  # -----------------------------------------
-  # GCP Cloud Run: accounts
-  # -----------------------------------------
-  - id: accounts
-    type: cloud-run
-    cloud: gcp
-    repo: https://github.com/cloud-neutral-toolkit/accounts.svc.plus
-    gcp:
-      project: xzerolab-480008
-      region: asia-northeast1
-      service: accounts-svc-plus
-      console_url: https://console.cloud.google.com/run/detail/asia-northeast1/accounts-svc-plus/observability/metrics?project=xzerolab-480008
-    domains:
-      - accounts.svc.plus
-    deploy:
-      mode: repo-dispatch
-      repository: cloud-neutral-toolkit/accounts.svc.plus
-      event_type: stackflow.deploy.cloudrun
-    dns:
-      # Cloud Run custom domain mapping needs provider-specific verification records.
-      # Keep explicit records here once known; plan/validate won't apply them.
-      records: []
-
-  # -----------------------------------------
-  # Cloudflare Workers Containers: hk-xhttp
-  # -----------------------------------------
-  - id: hk-xhttp
-    type: cloudflare-workers-containers
-    cloud: cloudflare
-    repo: https://github.com/cloud-neutral-toolkit/iac_modules
-    cloudflare:
-      account_id: e71be5efb76a6c54f78f008da4404f00
-      worker_name: hk-xhttp-svc-plus
-      dashboard_url: https://dash.cloudflare.com/e71be5efb76a6c54f78f008da4404f00/workers-and-pages
-    domains:
-      - xhttp.svc.plus
-    deploy:
-      mode: wrangler
-      working_directory: vpn-overlay/xray/cloudflare-workers-containers
-      command: npx wrangler deploy
-    dns:
-      records:
-        - name: xhttp
-          type: CNAME
-          value: hk-xhttp-svc-plus.workers.dev.
-          proxied: true

helm/app-service/Chart.yaml

@@ -1,7 +0,0 @@
-apiVersion: v2
-name: app-service
-description: Reusable chart for single-node core services
-type: application
-version: 0.1.0
-appVersion: "1.0.0"
-

helm/app-service/templates/_helpers.tpl

@@ -1,15 +0,0 @@
-{{- define "app-service.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{- define "app-service.fullname" -}}
-{{- include "app-service.name" . -}}
-{{- end -}}
-
-{{- define "app-service.labels" -}}
-app.kubernetes.io/name: {{ include "app-service.name" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-{{- end -}}
-

helm/app-service/templates/deployment.yaml

@@ -1,59 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: {{ include "app-service.fullname" . }}
-  labels:
-    {{- include "app-service.labels" . | nindent 4 }}
-spec:
-  replicas: {{ .Values.replicaCount }}
-  revisionHistoryLimit: 3
-  strategy:
-    type: {{ .Values.strategy.type }}
-    rollingUpdate:
-      maxUnavailable: {{ .Values.strategy.rollingUpdate.maxUnavailable }}
-      maxSurge: {{ .Values.strategy.rollingUpdate.maxSurge }}
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: {{ include "app-service.name" . }}
-      app.kubernetes.io/instance: {{ .Release.Name }}
-  template:
-    metadata:
-      labels:
-        {{- include "app-service.labels" . | nindent 8 }}
-        {{- with .Values.podLabels }}
-        {{- toYaml . | nindent 8 }}
-        {{- end }}
-      annotations:
-        {{- if and .Values.reloader.enabled .Values.existingSecretName }}
-        secret.reloader.stakater.com/reload: {{ default .Values.existingSecretName .Values.reloader.secretMatch | quote }}
-        {{- end }}
-        {{- with .Values.podAnnotations }}
-        {{- toYaml . | nindent 8 }}
-        {{- end }}
-    spec:
-      containers:
-        - name: app
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
-          ports:
-            - name: http
-              containerPort: {{ .Values.containerPort }}
-          {{- if .Values.env }}
-          env:
-            {{- range $key, $value := .Values.env }}
-            - name: {{ $key }}
-              value: {{ $value | quote }}
-            {{- end }}
-          {{- end }}
-          {{- if .Values.existingSecretName }}
-          envFrom:
-            - secretRef:
-                name: {{ .Values.existingSecretName }}
-          {{- end }}
-          resources:
-            {{- toYaml .Values.resources | nindent 12 }}
-          readinessProbe:
-            {{- toYaml .Values.readinessProbe | nindent 12 }}
-          livenessProbe:
-            {{- toYaml .Values.livenessProbe | nindent 12 }}
-

helm/app-service/templates/pdb.yaml

@@ -1,15 +0,0 @@
-{{- if .Values.pdb.enabled }}
-apiVersion: policy/v1
-kind: PodDisruptionBudget
-metadata:
-  name: {{ include "app-service.fullname" . }}
-  labels:
-    {{- include "app-service.labels" . | nindent 4 }}
-spec:
-  minAvailable: {{ .Values.pdb.minAvailable }}
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: {{ include "app-service.name" . }}
-      app.kubernetes.io/instance: {{ .Release.Name }}
-{{- end }}
-

helm/app-service/templates/service.yaml

@@ -1,16 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ include "app-service.fullname" . }}
-  labels:
-    {{- include "app-service.labels" . | nindent 4 }}
-spec:
-  type: {{ .Values.service.type }}
-  selector:
-    app.kubernetes.io/name: {{ include "app-service.name" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-  ports:
-    - name: http
-      port: {{ .Values.service.port }}
-      targetPort: http
-

helm/app-service/values.yaml

@@ -1,57 +0,0 @@
-nameOverride: ""
-
-replicaCount: 1
-
-image:
-  repository: ghcr.io/example/app
-  tag: latest
-  pullPolicy: IfNotPresent
-
-containerPort: 8080
-
-service:
-  port: 80
-  type: ClusterIP
-
-strategy:
-  type: RollingUpdate
-  rollingUpdate:
-    maxUnavailable: 0
-    maxSurge: 1
-
-podLabels: {}
-podAnnotations: {}
-
-env: {}
-existingSecretName: ""
-
-resources:
-  requests:
-    cpu: 100m
-    memory: 128Mi
-  limits:
-    cpu: 500m
-    memory: 512Mi
-
-readinessProbe:
-  httpGet:
-    path: /healthz
-    port: http
-  initialDelaySeconds: 10
-  periodSeconds: 10
-
-livenessProbe:
-  httpGet:
-    path: /healthz
-    port: http
-  initialDelaySeconds: 30
-  periodSeconds: 20
-
-pdb:
-  enabled: true
-  minAvailable: 1
-
-reloader:
-  enabled: true
-  secretMatch: ""
-

infra/apps/core/accounts/base/helmrelease.yaml

@@ -1,25 +1,17 @@
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
+apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
   name: accounts
 spec:
   interval: 5m0s
   releaseName: accounts
-  chart:
+  chartRef:
-    spec:
+    kind: OCIRepository
-      chart: ./helm/app-service
+    name: accounts-chart
-      sourceRef:
-        kind: GitRepository
-        name: platform-config
-        namespace: flux-system
-      interval: 1m0s
   valuesFrom:
     - kind: ConfigMap
       name: accounts-base-values
       valuesKey: values.yaml
-    - kind: ConfigMap
-      name: accounts-channel-values
-      valuesKey: values.yaml
     - kind: ConfigMap
       name: accounts-env-values
       valuesKey: values.yaml

infra/apps/core/accounts/base/kustomization.yaml

@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - oci-repository.yaml
+  - helmrelease.yaml
+configMapGenerator:
+  - name: accounts-base-values
+    files:
+      - values.yaml=values.yaml
+generatorOptions:
+  disableNameSuffixHash: true

infra/apps/core/accounts/base/oci-repository.yaml

@@ -0,0 +1,12 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: OCIRepository
+metadata:
+  name: accounts-chart
+spec:
+  interval: 10m0s
+  url: oci://ghcr.io/x-evor/charts/app-service
+  ref:
+    semver: "0.1.0"
+  layerSelector:
+    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
+    operation: copy

infra/apps/core/accounts/channels/latest.yaml

@@ -1,3 +0,0 @@
-image:
-  repository: ghcr.io/x-evor/accounts
-  tag: latest

infra/apps/core/accounts/channels/release.yaml

@@ -1,3 +0,0 @@
-image:
-  repository: ghcr.io/x-evor/accounts
-  tag: release

infra/apps/core/accounts/pre/kustomization.yaml

@@ -2,16 +2,10 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: core-pre
 resources:
-  - ../base/helmrelease.yaml
+  - ../base
   - externalsecret.yaml
   - ingress.yaml
 configMapGenerator:
-  - name: accounts-base-values
-    files:
-      - values.yaml=../base/values.yaml
-  - name: accounts-channel-values
-    files:
-      - values.yaml=../channels/latest.yaml
   - name: accounts-env-values
     files:
       - values.yaml=values.yaml

infra/apps/core/accounts/pre/values.yaml

@@ -1,4 +1,7 @@
 replicaCount: 1
+image:
+  repository: ghcr.io/x-evor/accounts
+  tag: latest
 resources:
   requests:
     cpu: 100m

infra/apps/core/accounts/prod/kustomization.yaml

@@ -2,16 +2,10 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: core-prod
 resources:
-  - ../base/helmrelease.yaml
+  - ../base
   - externalsecret.yaml
   - ingress.yaml
 configMapGenerator:
-  - name: accounts-base-values
-    files:
-      - values.yaml=../base/values.yaml
-  - name: accounts-channel-values
-    files:
-      - values.yaml=../channels/release.yaml
   - name: accounts-env-values
     files:
       - values.yaml=values.yaml

infra/apps/core/accounts/prod/values.yaml

@@ -1,4 +1,7 @@
 replicaCount: 2
+image:
+  repository: ghcr.io/x-evor/accounts
+  tag: release
 resources:
   requests:
     cpu: 250m

infra/apps/core/console/base/helmrelease.yaml

@@ -1,25 +1,17 @@
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
+apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
   name: console
 spec:
   interval: 5m0s
   releaseName: console
-  chart:
+  chartRef:
-    spec:
+    kind: OCIRepository
-      chart: ./helm/app-service
+    name: console-chart
-      sourceRef:
-        kind: GitRepository
-        name: platform-config
-        namespace: flux-system
-      interval: 1m0s
   valuesFrom:
     - kind: ConfigMap
       name: console-base-values
       valuesKey: values.yaml
-    - kind: ConfigMap
-      name: console-channel-values
-      valuesKey: values.yaml
     - kind: ConfigMap
       name: console-env-values
       valuesKey: values.yaml

infra/apps/core/console/base/kustomization.yaml

@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - oci-repository.yaml
+  - helmrelease.yaml
+configMapGenerator:
+  - name: console-base-values
+    files:
+      - values.yaml=values.yaml
+generatorOptions:
+  disableNameSuffixHash: true

infra/apps/core/console/base/oci-repository.yaml

@@ -0,0 +1,12 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: OCIRepository
+metadata:
+  name: console-chart
+spec:
+  interval: 10m0s
+  url: oci://ghcr.io/x-evor/charts/app-service
+  ref:
+    semver: "0.1.0"
+  layerSelector:
+    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
+    operation: copy

infra/apps/core/console/channels/latest.yaml

@@ -1,3 +0,0 @@
-image:
-  repository: ghcr.io/x-evor/console
-  tag: latest

infra/apps/core/console/channels/release.yaml

@@ -1,3 +0,0 @@
-image:
-  repository: ghcr.io/x-evor/console
-  tag: release

infra/apps/core/console/pre/kustomization.yaml

@@ -2,16 +2,10 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: core-pre
 resources:
-  - ../base/helmrelease.yaml
+  - ../base
   - externalsecret.yaml
   - ingress.yaml
 configMapGenerator:
-  - name: console-base-values
-    files:
-      - values.yaml=../base/values.yaml
-  - name: console-channel-values
-    files:
-      - values.yaml=../channels/latest.yaml
   - name: console-env-values
     files:
       - values.yaml=values.yaml

infra/apps/core/console/pre/values.yaml

@@ -1,4 +1,7 @@
 replicaCount: 1
+image:
+  repository: ghcr.io/x-evor/console
+  tag: latest
 resources:
   requests:
     cpu: 100m

infra/apps/core/console/prod/kustomization.yaml

@@ -2,16 +2,10 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: core-prod
 resources:
-  - ../base/helmrelease.yaml
+  - ../base
   - externalsecret.yaml
   - ingress.yaml
 configMapGenerator:
-  - name: console-base-values
-    files:
-      - values.yaml=../base/values.yaml
-  - name: console-channel-values
-    files:
-      - values.yaml=../channels/release.yaml
   - name: console-env-values
     files:
       - values.yaml=values.yaml

infra/apps/core/console/prod/values.yaml

@@ -1,4 +1,7 @@
 replicaCount: 2
+image:
+  repository: ghcr.io/x-evor/console
+  tag: release
 resources:
   requests:
     cpu: 250m

infra/clusters/pre/accounts-pre-kustomization.yaml

@@ -1,4 +1,4 @@
-apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
   name: accounts-pre
@@ -11,4 +11,3 @@ spec:
     kind: GitRepository
     name: platform-config
   path: ./infra/apps/core/accounts/pre
-

infra/clusters/pre/console-pre-kustomization.yaml

@@ -1,4 +1,4 @@
-apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
   name: console-pre
@@ -11,4 +11,3 @@ spec:
     kind: GitRepository
     name: platform-config
   path: ./infra/apps/core/console/pre
-

infra/clusters/prod/accounts-prod-kustomization.yaml

@@ -1,4 +1,4 @@
-apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
   name: accounts-prod
@@ -14,4 +14,3 @@ spec:
   dependsOn:
     - name: platform-stack
     - name: infrastructure-stack
-

infra/clusters/prod/console-prod-kustomization.yaml

@@ -1,4 +1,4 @@
-apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
   name: console-prod
@@ -14,4 +14,3 @@ spec:
   dependsOn:
     - name: platform-stack
     - name: infrastructure-stack
-

infra/clusters/prod/infrastructure-kustomization.yaml

@@ -1,4 +1,4 @@
-apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
   name: infrastructure-stack
@@ -12,4 +12,3 @@ spec:
     kind: GitRepository
     name: platform-config
   path: ./infra/infrastructure
-

infra/clusters/prod/kustomization.yaml

@@ -4,7 +4,7 @@ resources:
   - namespaces.yaml
   - platform-kustomization.yaml
   - infrastructure-kustomization.yaml
+  - observability-kustomization.yaml
   - console-prod-kustomization.yaml
   - accounts-prod-kustomization.yaml
   - pre-kustomization.yaml
-

infra/clusters/prod/observability-kustomization.yaml

@@ -0,0 +1,16 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: observability-stack
+  namespace: flux-system
+spec:
+  interval: 5m0s
+  prune: true
+  wait: true
+  timeout: 10m0s
+  sourceRef:
+    kind: GitRepository
+    name: platform-config
+  path: ./infra/observability
+  dependsOn:
+    - name: platform-stack

infra/clusters/prod/platform-kustomization.yaml

@@ -1,4 +1,4 @@
-apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
   name: platform-stack
@@ -12,4 +12,3 @@ spec:
     kind: GitRepository
     name: platform-config
   path: ./infra/platform
-

infra/clusters/prod/pre-kustomization.yaml

@@ -1,4 +1,4 @@
-apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
   name: pre-stack
@@ -14,4 +14,3 @@ spec:
   dependsOn:
     - name: platform-stack
     - name: infrastructure-stack
-

infra/infrastructure/kustomization.yaml

@@ -2,6 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - repositories.yaml
-  - vault
   - postgresql
-

infra/infrastructure/postgresql/helmrelease.yaml

@@ -1,39 +1,22 @@
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
+apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
   name: postgresql
   namespace: database
 spec:
   interval: 10m0s
-  chart:
+  releaseName: postgresql
-    spec:
+  chartRef:
-      chart: postgresql
+    kind: OCIRepository
-      version: ">=15.0.0 <16.0.0"
+    name: postgresql-chart
-      sourceRef:
+    namespace: database
-        kind: HelmRepository
-        name: bitnami
-        namespace: flux-system
   install:
     remediation:
       retries: 3
   upgrade:
     remediation:
       retries: 3
-  values:
+  valuesFrom:
-    architecture: standalone
+    - kind: ConfigMap
-    auth:
+      name: postgresql-values
-      existingSecret: postgresql-auth
+      valuesKey: values.yaml
-    primary:
-      persistence:
-        enabled: true
-        size: 20Gi
-      extraVolumes:
-        - name: initdb
-          configMap:
-            name: postgresql-initdb
-      extraVolumeMounts:
-        - name: initdb
-          mountPath: /docker-entrypoint-initdb.d
-    metrics:
-      enabled: false
-

infra/infrastructure/postgresql/kustomization.yaml

@@ -2,7 +2,13 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: database
 resources:
-  - initdb-configmap.yaml
+  - oci-repository.yaml
-  - externalsecret.yaml
   - helmrelease.yaml
-
+  - externalsecret.yaml
+  - stunnel-externalsecret.yaml
+configMapGenerator:
+  - name: postgresql-values
+    files:
+      - values.yaml=values.yaml
+generatorOptions:
+  disableNameSuffixHash: true

infra/infrastructure/postgresql/oci-repository.yaml

@@ -0,0 +1,13 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: OCIRepository
+metadata:
+  name: postgresql-chart
+  namespace: database
+spec:
+  interval: 10m0s
+  url: oci://ghcr.io/x-evor/charts/postgresql
+  ref:
+    semver: "1.1.0"
+  layerSelector:
+    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
+    operation: copy

infra/infrastructure/postgresql/stunnel-externalsecret.yaml

@@ -0,0 +1,22 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: postgresql-stunnel-server
+  namespace: database
+spec:
+  refreshInterval: 1m
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault-platform
+  target:
+    name: postgresql-stunnel-server
+    creationPolicy: Owner
+  data:
+    - secretKey: server-cert.pem
+      remoteRef:
+        key: database/postgresql-stunnel
+        property: server-cert.pem
+    - secretKey: server-key.pem
+      remoteRef:
+        key: database/postgresql-stunnel
+        property: server-key.pem

infra/infrastructure/postgresql/values.yaml

@@ -0,0 +1,66 @@
+server:
+  enabled: true
+
+image:
+  repository: ghcr.io/x-evor/postgresql-svc-plus
+  tag: "16"
+  pullPolicy: IfNotPresent
+
+auth:
+  username: postgres
+  database: postgres
+  existingSecret: postgresql-auth
+  secretKey: postgres-password
+
+initScripts:
+  enabled: true
+  scripts:
+    01-core-schemas.sql: |
+      DO $$
+      BEGIN
+        IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'core_prod_user') THEN
+          CREATE ROLE core_prod_user LOGIN;
+        END IF;
+        IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'core_pre_user') THEN
+          CREATE ROLE core_pre_user LOGIN;
+        END IF;
+      END
+      $$;
+
+      CREATE SCHEMA IF NOT EXISTS core_prod AUTHORIZATION postgres;
+      CREATE SCHEMA IF NOT EXISTS core_pre AUTHORIZATION postgres;
+
+      GRANT USAGE ON SCHEMA core_prod TO core_prod_user;
+      GRANT USAGE ON SCHEMA core_pre TO core_pre_user;
+
+      ALTER DEFAULT PRIVILEGES IN SCHEMA core_prod
+        GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO core_prod_user;
+      ALTER DEFAULT PRIVILEGES IN SCHEMA core_pre
+        GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO core_pre_user;
+
+persistence:
+  enabled: true
+  size: 20Gi
+
+metrics:
+  enabled: false
+
+stunnel:
+  enabled: true
+  port: 5433
+  certificatesSecret: postgresql-stunnel-server
+
+stunnelClient:
+  enabled: true
+  service:
+    port: 5432
+  config: |
+    [postgres-client]
+    client = yes
+    accept = 0.0.0.0:5432
+    connect = postgresql.database.svc.cluster.local:5433
+    verifyChain = no
+    sslVersion = TLSv1.2
+    options = NO_SSLv2
+    options = NO_SSLv3
+    ciphers = HIGH:!aNULL:!MD5

infra/infrastructure/repositories.yaml

@@ -1,13 +1,4 @@
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
-kind: HelmRepository
-metadata:
-  name: hashicorp
-  namespace: flux-system
-spec:
-  interval: 10m0s
-  url: https://helm.releases.hashicorp.com
----
-apiVersion: source.toolkit.fluxcd.io/v1beta2
 kind: HelmRepository
 metadata:
   name: bitnami
@@ -15,4 +6,3 @@ metadata:
 spec:
   interval: 10m0s
   url: https://charts.bitnami.com/bitnami
-

infra/infrastructure/vault/bootstrap-job.yaml

@@ -1,73 +0,0 @@
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: vault-bootstrap
-  namespace: extsvc
-spec:
-  template:
-    spec:
-      serviceAccountName: vault-bootstrap
-      restartPolicy: OnFailure
-      containers:
-        - name: bootstrap
-          image: hashicorp/vault:1.16.3
-          env:
-            - name: VAULT_ADDR
-              value: http://vault.extsvc.svc.cluster.local:8200
-            - name: VAULT_TOKEN
-              valueFrom:
-                secretKeyRef:
-                  name: vault-bootstrap
-                  key: rootToken
-            - name: CLOUDFLARE_API_TOKEN
-              valueFrom:
-                secretKeyRef:
-                  name: vault-bootstrap
-                  key: cloudflareApiToken
-          command:
-            - /bin/sh
-            - -ec
-            - |
-              until vault status >/dev/null 2>&1; do
-                sleep 5
-              done
-              vault secrets enable -path=secret kv-v2 || true
-              cat <<'EOF' >/tmp/eso-policy.hcl
-              path "secret/data/*" {
-                capabilities = ["read"]
-              }
-              path "secret/metadata/*" {
-                capabilities = ["read", "list"]
-              }
-              EOF
-              vault policy write eso-read /tmp/eso-policy.hcl
-              vault auth enable kubernetes || true
-              vault write auth/kubernetes/config \
-                kubernetes_host="https://kubernetes.default.svc:443" \
-                kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
-                token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
-              vault write auth/kubernetes/role/external-secrets \
-                bound_service_account_names="external-secrets" \
-                bound_service_account_namespaces="platform" \
-                policies="eso-read" \
-                ttl="1h"
-              vault kv put secret/platform/cloudflare api-token="${CLOUDFLARE_API_TOKEN}"
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: vault-bootstrap
-  namespace: extsvc
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: vault-bootstrap-auth-delegator
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: system:auth-delegator
-subjects:
-  - kind: ServiceAccount
-    name: vault-bootstrap
-    namespace: extsvc

infra/infrastructure/vault/helmrelease.yaml

@@ -1,39 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
-kind: HelmRelease
-metadata:
-  name: vault
-  namespace: extsvc
-spec:
-  interval: 10m0s
-  chart:
-    spec:
-      chart: vault
-      version: ">=0.28.0 <1.0.0"
-      sourceRef:
-        kind: HelmRepository
-        name: hashicorp
-        namespace: flux-system
-  install:
-    remediation:
-      retries: 3
-  upgrade:
-    remediation:
-      retries: 3
-  values:
-    injector:
-      enabled: false
-    server:
-      standalone:
-        enabled: false
-      dataStorage:
-        enabled: true
-        size: 8Gi
-      ha:
-        enabled: true
-        replicas: 1
-        raft:
-          enabled: true
-          setNodeId: true
-      service:
-        enabled: true
-

infra/infrastructure/vault/kustomization.yaml

@@ -1,7 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: extsvc
-resources:
-  - helmrelease.yaml
-  - bootstrap-job.yaml
-

infra/observability/kustomization.yaml

@@ -1,6 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: platform
 resources:
-  - helmrelease.yaml
+  - repositories.yaml
-
+  - observability-stack

infra/observability/observability-stack/helmrelease.yaml

@@ -0,0 +1,16 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: observability-stack
+  namespace: observability
+spec:
+  interval: 10m0s
+  releaseName: observability
+  chartRef:
+    kind: OCIRepository
+    name: observability-chart
+    namespace: observability
+  valuesFrom:
+    - kind: ConfigMap
+      name: observability-values
+      valuesKey: values.yaml

infra/observability/observability-stack/kustomization.yaml

@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: observability
+resources:
+  - oci-repository.yaml
+  - helmrelease.yaml
+configMapGenerator:
+  - name: observability-values
+    files:
+      - values.yaml=values.yaml
+generatorOptions:
+  disableNameSuffixHash: true

infra/observability/observability-stack/oci-repository.yaml

@@ -0,0 +1,13 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: OCIRepository
+metadata:
+  name: observability-chart
+  namespace: observability
+spec:
+  interval: 10m0s
+  url: oci://ghcr.io/x-evor/charts/observability
+  ref:
+    semver: "0.1.0"
+  layerSelector:
+    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
+    operation: copy

infra/observability/observability-stack/values.yaml

@@ -0,0 +1,182 @@
+namespaces:
+  observability: observability
+
+server:
+  prometheus:
+    enabled: true
+    releaseName: prometheus
+    sourceRef:
+      kind: HelmRepository
+      name: prometheus-community
+      namespace: flux-system
+    chart:
+      name: prometheus
+      version: ">=25.0.0 <26.0.0"
+    values:
+      server:
+        persistentVolume:
+          enabled: true
+          size: 20Gi
+  victoriaMetrics:
+    enabled: true
+    releaseName: victoria-metrics
+    sourceRef:
+      kind: HelmRepository
+      name: victoria-metrics
+      namespace: flux-system
+    chart:
+      name: victoria-metrics-single
+      version: ">=0.13.0 <1.0.0"
+    values:
+      server:
+        persistentVolume:
+          enabled: true
+          size: 50Gi
+  victoriaLogs:
+    enabled: true
+    releaseName: victoria-logs
+    sourceRef:
+      kind: HelmRepository
+      name: victoria-metrics
+      namespace: flux-system
+    chart:
+      name: victoria-logs-single
+      version: ">=0.9.0 <1.0.0"
+    values:
+      server:
+        persistentVolume:
+          enabled: true
+          size: 50Gi
+  victoriaTraces:
+    enabled: true
+    releaseName: victoria-traces
+    sourceRef:
+      kind: HelmRepository
+      name: victoria-metrics
+      namespace: flux-system
+    chart:
+      name: victoria-traces-single
+      version: ">=0.0.1 <1.0.0"
+    values: {}
+  grafana:
+    enabled: true
+    releaseName: grafana
+    sourceRef:
+      kind: HelmRepository
+      name: grafana
+      namespace: flux-system
+    chart:
+      name: grafana
+      version: ">=8.0.0 <9.0.0"
+    values:
+      persistence:
+        enabled: true
+        size: 10Gi
+  otelConnector:
+    enabled: true
+    releaseName: otel-connector
+    sourceRef:
+      kind: HelmRepository
+      name: open-telemetry
+      namespace: flux-system
+    chart:
+      name: opentelemetry-collector
+      version: ">=0.104.0 <1.0.0"
+    values:
+      mode: deployment
+      config:
+        receivers:
+          otlp:
+            protocols:
+              grpc: {}
+              http: {}
+        processors:
+          batch: {}
+        exporters:
+          debug: {}
+        service:
+          pipelines:
+            traces:
+              receivers: [otlp]
+              processors: [batch]
+              exporters: [debug]
+            metrics:
+              receivers: [otlp]
+              processors: [batch]
+              exporters: [debug]
+            logs:
+              receivers: [otlp]
+              processors: [batch]
+              exporters: [debug]
+
+agent:
+  nodeExporter:
+    enabled: true
+    releaseName: node-exporter
+    sourceRef:
+      kind: HelmRepository
+      name: prometheus-community
+      namespace: flux-system
+    chart:
+      name: prometheus-node-exporter
+      version: ">=4.30.0 <5.0.0"
+    values: {}
+  vector:
+    enabled: true
+    image:
+      repository: timberio/vector
+      tag: "0.36.0-distroless-libc"
+      pullPolicy: IfNotPresent
+    serviceAccountName: vector-agent
+    config: |
+      data_dir: /vector-data-dir
+
+      sources:
+        journald:
+          type: journald
+
+      transforms:
+        normalize:
+          type: remap
+          inputs: ["journald"]
+          source: |
+            .cluster = "k3s"
+            .origin = "vector-agent"
+
+      sinks:
+        vlogs:
+          type: elasticsearch
+          inputs: ["normalize"]
+          endpoints:
+            - http://victoria-logs-victoria-logs-single-server.observability.svc.cluster.local:9428/insert/elasticsearch/
+          mode: bulk
+          compression: gzip
+    resources:
+      limits:
+        cpu: 300m
+        memory: 512Mi
+      requests:
+        cpu: 100m
+        memory: 128Mi
+  processExporter:
+    enabled: true
+    image:
+      repository: ncabatoff/process-exporter
+      tag: v0.8.3
+      pullPolicy: IfNotPresent
+    serviceAccountName: process-exporter
+    port: 9256
+    config: |
+      process_names:
+        - name: "{{.Comm}}"
+          cmdline:
+            - '.+'
+    resources:
+      limits:
+        cpu: 100m
+        memory: 128Mi
+      requests:
+        cpu: 25m
+        memory: 64Mi
+
+extraObjects: []

infra/observability/repositories.yaml

@@ -0,0 +1,35 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: prometheus-community
+  namespace: flux-system
+spec:
+  interval: 10m0s
+  url: https://prometheus-community.github.io/helm-charts
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: victoria-metrics
+  namespace: flux-system
+spec:
+  interval: 10m0s
+  url: https://victoriametrics.github.io/helm-charts/
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: grafana
+  namespace: flux-system
+spec:
+  interval: 10m0s
+  url: https://grafana.github.io/helm-charts
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: open-telemetry
+  namespace: flux-system
+spec:
+  interval: 10m0s
+  url: https://open-telemetry.github.io/opentelemetry-helm-charts

infra/platform/apisix/helmrelease.yaml

@@ -1,40 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
-kind: HelmRelease
-metadata:
-  name: apisix
-  namespace: platform
-spec:
-  interval: 10m0s
-  chart:
-    spec:
-      chart: apisix
-      version: ">=2.7.0 <3.0.0"
-      sourceRef:
-        kind: HelmRepository
-        name: apisix
-        namespace: flux-system
-  install:
-    remediation:
-      retries: 3
-  upgrade:
-    remediation:
-      retries: 3
-  values:
-    etcd:
-      enabled: false
-    ingress-controller:
-      enabled: false
-    dashboard:
-      enabled: false
-    gateway:
-      type: ClusterIP
-    apisix:
-      deployment:
-        role: traditional
-        roleTraditional:
-          configProvider: yaml
-      standalone:
-        enabled: true
-      admin:
-        enabled: false
-

infra/platform/apisix/ingress.yaml

@@ -1,36 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: apisix-gateway
-  namespace: platform
-  annotations:
-    external-dns.alpha.kubernetes.io/hostname: api.svc.plus,api-pre.svc.plus
-spec:
-  ingressClassName: caddy
-  tls:
-    - hosts:
-        - api.svc.plus
-        - api-pre.svc.plus
-      secretName: apisix-gateway-tls
-  rules:
-    - host: api.svc.plus
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: apisix-gateway
-                port:
-                  number: 80
-    - host: api-pre.svc.plus
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: apisix-gateway
-                port:
-                  number: 80
-

infra/platform/apisix/kustomization.yaml

@@ -1,7 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: platform
-resources:
-  - helmrelease.yaml
-  - ingress.yaml
-

infra/platform/caddy/helmrelease.yaml

@@ -1,32 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
-kind: HelmRelease
-metadata:
-  name: caddy
-  namespace: platform
-spec:
-  interval: 10m0s
-  chart:
-    spec:
-      chart: caddy-ingress-controller
-      version: ">=1.0.0 <2.0.0"
-      sourceRef:
-        kind: HelmRepository
-        name: caddy-ingress
-        namespace: flux-system
-  install:
-    createNamespace: false
-    remediation:
-      retries: 3
-  upgrade:
-    remediation:
-      retries: 3
-  values:
-    ingressController:
-      enabled: true
-    ingressClass:
-      create: true
-      name: caddy
-      default: false
-    service:
-      type: LoadBalancer
-

infra/platform/external-dns/helmrelease.yaml

@@ -1,4 +1,4 @@
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
+apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
   name: external-dns
@@ -34,4 +34,3 @@ spec:
           secretKeyRef:
             name: cloudflare-api-token
             key: api-token
-

infra/platform/external-secrets/helmrelease.yaml

@@ -1,4 +1,4 @@
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
+apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
   name: external-secrets
@@ -21,4 +21,3 @@ spec:
     crds: CreateReplace
     remediation:
       retries: 3
-

infra/platform/k3s-platform/helmrelease.yaml

@@ -0,0 +1,16 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: k3s-platform
+  namespace: platform
+spec:
+  interval: 10m0s
+  releaseName: k3s-platform
+  chartRef:
+    kind: OCIRepository
+    name: k3s-platform-chart
+    namespace: platform
+  valuesFrom:
+    - kind: ConfigMap
+      name: k3s-platform-values
+      valuesKey: values.yaml

infra/platform/k3s-platform/kustomization.yaml

@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: platform
+resources:
+  - oci-repository.yaml
+  - helmrelease.yaml
+configMapGenerator:
+  - name: k3s-platform-values
+    files:
+      - values.yaml=values.yaml
+generatorOptions:
+  disableNameSuffixHash: true

infra/platform/k3s-platform/oci-repository.yaml

@@ -0,0 +1,13 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: OCIRepository
+metadata:
+  name: k3s-platform-chart
+  namespace: platform
+spec:
+  interval: 10m0s
+  url: oci://ghcr.io/x-evor/charts/k3s-platform-chart
+  ref:
+    semver: "0.1.0"
+  layerSelector:
+    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
+    operation: copy

infra/platform/k3s-platform/values.yaml

@@ -0,0 +1,111 @@
+namespaces:
+  platform: platform
+  vault: extsvc
+
+components:
+  caddy:
+    enabled: true
+    releaseName: caddy
+    sourceRef:
+      kind: HelmRepository
+      name: caddy-ingress
+      namespace: flux-system
+    chart:
+      name: caddy-ingress-controller
+      version: ">=1.0.0 <2.0.0"
+    values:
+      ingressController:
+        enabled: true
+      ingressClass:
+        create: true
+        name: caddy
+        default: false
+      service:
+        type: LoadBalancer
+  apisix:
+    enabled: true
+    releaseName: apisix
+    sourceRef:
+      kind: HelmRepository
+      name: apisix
+      namespace: flux-system
+    chart:
+      name: apisix
+      version: ">=2.7.0 <3.0.0"
+    values:
+      etcd:
+        enabled: false
+      ingress-controller:
+        enabled: false
+      dashboard:
+        enabled: false
+      gateway:
+        type: ClusterIP
+      apisix:
+        deployment:
+          role: traditional
+          roleTraditional:
+            configProvider: yaml
+        standalone:
+          enabled: true
+        admin:
+          enabled: false
+  vault:
+    enabled: true
+    releaseName: vault
+    sourceRef:
+      kind: HelmRepository
+      name: hashicorp
+      namespace: flux-system
+    chart:
+      name: vault
+      version: ">=0.28.0 <1.0.0"
+    values:
+      injector:
+        enabled: false
+      server:
+        standalone:
+          enabled: false
+        dataStorage:
+          enabled: true
+          size: 8Gi
+        ha:
+          enabled: true
+          replicas: 1
+          raft:
+            enabled: true
+            setNodeId: true
+        service:
+          enabled: true
+
+apisixIngress:
+  enabled: true
+  name: apisix-gateway
+  namespace: platform
+  className: caddy
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: api.svc.plus,api-pre.svc.plus
+  tls:
+    secretName: apisix-gateway-tls
+    hosts:
+      - api.svc.plus
+      - api-pre.svc.plus
+  hosts:
+    - host: api.svc.plus
+      serviceName: apisix-gateway
+      servicePort: 80
+    - host: api-pre.svc.plus
+      serviceName: apisix-gateway
+      servicePort: 80
+
+vaultBootstrap:
+  enabled: true
+  image: hashicorp/vault:1.16.3
+  serviceAccountName: vault-bootstrap
+  cloudflareSecretName: vault-bootstrap
+  cloudflareSecretKey: cloudflareApiToken
+  rootTokenSecretName: vault-bootstrap
+  rootTokenSecretKey: rootToken
+  externalSecretsRoleNamespace: platform
+
+extraObjects: []

infra/platform/kustomization.yaml

@@ -2,9 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - repositories.yaml
-  - caddy
+  - k3s-platform
-  - apisix
   - external-secrets
   - external-dns
   - reloader
-

infra/platform/reloader/helmrelease.yaml

@@ -1,4 +1,4 @@
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
+apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
   name: reloader
@@ -19,4 +19,3 @@ spec:
   upgrade:
     remediation:
       retries: 3
-

infra/platform/repositories.yaml

@@ -1,4 +1,4 @@
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
   name: caddy-ingress
@@ -7,7 +7,7 @@ spec:
   interval: 10m0s
   url: https://caddyserver.github.io/ingress/
 ---
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
   name: apisix
@@ -16,7 +16,16 @@ spec:
   interval: 10m0s
   url: https://charts.apiseven.com
 ---
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: hashicorp
+  namespace: flux-system
+spec:
+  interval: 10m0s
+  url: https://helm.releases.hashicorp.com
+---
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
   name: external-dns
@@ -25,7 +34,7 @@ spec:
   interval: 10m0s
   url: https://kubernetes-sigs.github.io/external-dns/
 ---
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
   name: external-secrets
@@ -34,7 +43,7 @@ spec:
   interval: 10m0s
   url: https://charts.external-secrets.io
 ---
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
   name: stakater
@@ -42,4 +51,3 @@ metadata:
 spec:
   interval: 10m0s
   url: https://stakater.github.io/stakater-charts
-