.github/branch-protection-rules.json

@@ -0,0 +1,21 @@
+{
+  "required_status_checks": {
+    "strict": true,
+    "checks": [
+      { "context": "Lint / go-vet" },
+      { "context": "Lint / actionlint" }
+    ]
+  },
+  "enforce_admins": true,
+  "required_pull_request_reviews": {
+    "dismiss_stale_reviews": true,
+    "require_code_owner_reviews": false,
+    "required_approving_review_count": 1
+  },
+  "restrictions": null,
+  "required_linear_history": false,
+  "allow_force_pushes": false,
+  "allow_deletions": false,
+  "block_creations": false,
+  "required_conversation_resolution": true
+}

.gitignore

@@ -5,3 +5,9 @@
 playbooks/deepflow/*.zip
 playbooks/deepflow/*.tar.gz
 playbooks/deepflow/deepflow-agent-playbook/*.zip
+
+remotes.before.txt
+
+# Python
+__pycache__/
+*.pyc

LICENSE

@@ -1,674 +1,202 @@
-                    GNU GENERAL PUBLIC LICENSE
-                       Version 3, 29 June 2007
-
- Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
- Everyone is permitted to copy and distribute verbatim copies
- of this license document, but changing it is not allowed.
-
-                            Preamble
-
-  The GNU General Public License is a free, copyleft license for
-software and other kinds of works.
-
-  The licenses for most software and other practical works are designed
-to take away your freedom to share and change the works.  By contrast,
-the GNU General Public License is intended to guarantee your freedom to
-share and change all versions of a program--to make sure it remains free
-software for all its users.  We, the Free Software Foundation, use the
-GNU General Public License for most of our software; it applies also to
-any other work released this way by its authors.  You can apply it to
-your programs, too.
-
-  When we speak of free software, we are referring to freedom, not
-price.  Our General Public Licenses are designed to make sure that you
-have the freedom to distribute copies of free software (and charge for
-them if you wish), that you receive source code or can get it if you
-want it, that you can change the software or use pieces of it in new
-free programs, and that you know you can do these things.
-
-  To protect your rights, we need to prevent others from denying you
-these rights or asking you to surrender the rights.  Therefore, you have
-certain responsibilities if you distribute copies of the software, or if
-you modify it: responsibilities to respect the freedom of others.
-
-  For example, if you distribute copies of such a program, whether
-gratis or for a fee, you must pass on to the recipients the same
-freedoms that you received.  You must make sure that they, too, receive
-or can get the source code.  And you must show them these terms so they
-know their rights.
-
-  Developers that use the GNU GPL protect your rights with two steps:
-(1) assert copyright on the software, and (2) offer you this License
-giving you legal permission to copy, distribute and/or modify it.
-
-  For the developers' and authors' protection, the GPL clearly explains
-that there is no warranty for this free software.  For both users' and
-authors' sake, the GPL requires that modified versions be marked as
-changed, so that their problems will not be attributed erroneously to
-authors of previous versions.
-
-  Some devices are designed to deny users access to install or run
-modified versions of the software inside them, although the manufacturer
-can do so.  This is fundamentally incompatible with the aim of
-protecting users' freedom to change the software.  The systematic
-pattern of such abuse occurs in the area of products for individuals to
-use, which is precisely where it is most unacceptable.  Therefore, we
-have designed this version of the GPL to prohibit the practice for those
-products.  If such problems arise substantially in other domains, we
-stand ready to extend this provision to those domains in future versions
-of the GPL, as needed to protect the freedom of users.
-
-  Finally, every program is threatened constantly by software patents.
-States should not allow patents to restrict development and use of
-software on general-purpose computers, but in those that do, we wish to
-avoid the special danger that patents applied to a free program could
-make it effectively proprietary.  To prevent this, the GPL assures that
-patents cannot be used to render the program non-free.
-
-  The precise terms and conditions for copying, distribution and
-modification follow.
-
-                       TERMS AND CONDITIONS
-
-  0. Definitions.
-
-  "This License" refers to version 3 of the GNU General Public License.
-
-  "Copyright" also means copyright-like laws that apply to other kinds of
-works, such as semiconductor masks.
-
-  "The Program" refers to any copyrightable work licensed under this
-License.  Each licensee is addressed as "you".  "Licensees" and
-"recipients" may be individuals or organizations.
-
-  To "modify" a work means to copy from or adapt all or part of the work
-in a fashion requiring copyright permission, other than the making of an
-exact copy.  The resulting work is called a "modified version" of the
-earlier work or a work "based on" the earlier work.
-
-  A "covered work" means either the unmodified Program or a work based
-on the Program.
-
-  To "propagate" a work means to do anything with it that, without
-permission, would make you directly or secondarily liable for
-infringement under applicable copyright law, except executing it on a
-computer or modifying a private copy.  Propagation includes copying,
-distribution (with or without modification), making available to the
-public, and in some countries other activities as well.
-
-  To "convey" a work means any kind of propagation that enables other
-parties to make or receive copies.  Mere interaction with a user through
-a computer network, with no transfer of a copy, is not conveying.
-
-  An interactive user interface displays "Appropriate Legal Notices"
-to the extent that it includes a convenient and prominently visible
-feature that (1) displays an appropriate copyright notice, and (2)
-tells the user that there is no warranty for the work (except to the
-extent that warranties are provided), that licensees may convey the
-work under this License, and how to view a copy of this License.  If
-the interface presents a list of user commands or options, such as a
-menu, a prominent item in the list meets this criterion.
-
-  1. Source Code.
-
-  The "source code" for a work means the preferred form of the work
-for making modifications to it.  "Object code" means any non-source
-form of a work.
-
-  A "Standard Interface" means an interface that either is an official
-standard defined by a recognized standards body, or, in the case of
-interfaces specified for a particular programming language, one that
-is widely used among developers working in that language.
-
-  The "System Libraries" of an executable work include anything, other
-than the work as a whole, that (a) is included in the normal form of
-packaging a Major Component, but which is not part of that Major
-Component, and (b) serves only to enable use of the work with that
-Major Component, or to implement a Standard Interface for which an
-implementation is available to the public in source code form.  A
-"Major Component", in this context, means a major essential component
-(kernel, window system, and so on) of the specific operating system
-(if any) on which the executable work runs, or a compiler used to
-produce the work, or an object code interpreter used to run it.
-
-  The "Corresponding Source" for a work in object code form means all
-the source code needed to generate, install, and (for an executable
-work) run the object code and to modify the work, including scripts to
-control those activities.  However, it does not include the work's
-System Libraries, or general-purpose tools or generally available free
-programs which are used unmodified in performing those activities but
-which are not part of the work.  For example, Corresponding Source
-includes interface definition files associated with source files for
-the work, and the source code for shared libraries and dynamically
-linked subprograms that the work is specifically designed to require,
-such as by intimate data communication or control flow between those
-subprograms and other parts of the work.
-
-  The Corresponding Source need not include anything that users
-can regenerate automatically from other parts of the Corresponding
-Source.
-
-  The Corresponding Source for a work in source code form is that
-same work.
-
-  2. Basic Permissions.
-
-  All rights granted under this License are granted for the term of
-copyright on the Program, and are irrevocable provided the stated
-conditions are met.  This License explicitly affirms your unlimited
-permission to run the unmodified Program.  The output from running a
-covered work is covered by this License only if the output, given its
-content, constitutes a covered work.  This License acknowledges your
-rights of fair use or other equivalent, as provided by copyright law.
-
-  You may make, run and propagate covered works that you do not
-convey, without conditions so long as your license otherwise remains
-in force.  You may convey covered works to others for the sole purpose
-of having them make modifications exclusively for you, or provide you
-with facilities for running those works, provided that you comply with
-the terms of this License in conveying all material for which you do
-not control copyright.  Those thus making or running the covered works
-for you must do so exclusively on your behalf, under your direction
-and control, on terms that prohibit them from making any copies of
-your copyrighted material outside their relationship with you.
-
-  Conveying under any other circumstances is permitted solely under
-the conditions stated below.  Sublicensing is not allowed; section 10
-makes it unnecessary.
-
-  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
-
-  No covered work shall be deemed part of an effective technological
-measure under any applicable law fulfilling obligations under article
-11 of the WIPO copyright treaty adopted on 20 December 1996, or
-similar laws prohibiting or restricting circumvention of such
-measures.
-
-  When you convey a covered work, you waive any legal power to forbid
-circumvention of technological measures to the extent such circumvention
-is effected by exercising rights under this License with respect to
-the covered work, and you disclaim any intention to limit operation or
-modification of the work as a means of enforcing, against the work's
-users, your or third parties' legal rights to forbid circumvention of
-technological measures.
-
-  4. Conveying Verbatim Copies.
-
-  You may convey verbatim copies of the Program's source code as you
-receive it, in any medium, provided that you conspicuously and
-appropriately publish on each copy an appropriate copyright notice;
-keep intact all notices stating that this License and any
-non-permissive terms added in accord with section 7 apply to the code;
-keep intact all notices of the absence of any warranty; and give all
-recipients a copy of this License along with the Program.
-
-  You may charge any price or no price for each copy that you convey,
-and you may offer support or warranty protection for a fee.
-
-  5. Conveying Modified Source Versions.
-
-  You may convey a work based on the Program, or the modifications to
-produce it from the Program, in the form of source code under the
-terms of section 4, provided that you also meet all of these conditions:
-
-    a) The work must carry prominent notices stating that you modified
-    it, and giving a relevant date.
-
-    b) The work must carry prominent notices stating that it is
-    released under this License and any conditions added under section
-    7.  This requirement modifies the requirement in section 4 to
-    "keep intact all notices".
-
-    c) You must license the entire work, as a whole, under this
-    License to anyone who comes into possession of a copy.  This
-    License will therefore apply, along with any applicable section 7
-    additional terms, to the whole of the work, and all its parts,
-    regardless of how they are packaged.  This License gives no
-    permission to license the work in any other way, but it does not
-    invalidate such permission if you have separately received it.
-
-    d) If the work has interactive user interfaces, each must display
-    Appropriate Legal Notices; however, if the Program has interactive
-    interfaces that do not display Appropriate Legal Notices, your
-    work need not make them do so.
-
-  A compilation of a covered work with other separate and independent
-works, which are not by their nature extensions of the covered work,
-and which are not combined with it such as to form a larger program,
-in or on a volume of a storage or distribution medium, is called an
-"aggregate" if the compilation and its resulting copyright are not
-used to limit the access or legal rights of the compilation's users
-beyond what the individual works permit.  Inclusion of a covered work
-in an aggregate does not cause this License to apply to the other
-parts of the aggregate.
-
-  6. Conveying Non-Source Forms.
-
-  You may convey a covered work in object code form under the terms
-of sections 4 and 5, provided that you also convey the
-machine-readable Corresponding Source under the terms of this License,
-in one of these ways:
-
-    a) Convey the object code in, or embodied in, a physical product
-    (including a physical distribution medium), accompanied by the
-    Corresponding Source fixed on a durable physical medium
-    customarily used for software interchange.
-
-    b) Convey the object code in, or embodied in, a physical product
-    (including a physical distribution medium), accompanied by a
-    written offer, valid for at least three years and valid for as
-    long as you offer spare parts or customer support for that product
-    model, to give anyone who possesses the object code either (1) a
-    copy of the Corresponding Source for all the software in the
-    product that is covered by this License, on a durable physical
-    medium customarily used for software interchange, for a price no
-    more than your reasonable cost of physically performing this
-    conveying of source, or (2) access to copy the
-    Corresponding Source from a network server at no charge.
-
-    c) Convey individual copies of the object code with a copy of the
-    written offer to provide the Corresponding Source.  This
-    alternative is allowed only occasionally and noncommercially, and
-    only if you received the object code with such an offer, in accord
-    with subsection 6b.
-
-    d) Convey the object code by offering access from a designated
-    place (gratis or for a charge), and offer equivalent access to the
-    Corresponding Source in the same way through the same place at no
-    further charge.  You need not require recipients to copy the
-    Corresponding Source along with the object code.  If the place to
-    copy the object code is a network server, the Corresponding Source
-    may be on a different server (operated by you or a third party)
-    that supports equivalent copying facilities, provided you maintain
-    clear directions next to the object code saying where to find the
-    Corresponding Source.  Regardless of what server hosts the
-    Corresponding Source, you remain obligated to ensure that it is
-    available for as long as needed to satisfy these requirements.
-
-    e) Convey the object code using peer-to-peer transmission, provided
-    you inform other peers where the object code and Corresponding
-    Source of the work are being offered to the general public at no
-    charge under subsection 6d.
-
-  A separable portion of the object code, whose source code is excluded
-from the Corresponding Source as a System Library, need not be
-included in conveying the object code work.
-
-  A "User Product" is either (1) a "consumer product", which means any
-tangible personal property which is normally used for personal, family,
-or household purposes, or (2) anything designed or sold for incorporation
-into a dwelling.  In determining whether a product is a consumer product,
-doubtful cases shall be resolved in favor of coverage.  For a particular
-product received by a particular user, "normally used" refers to a
-typical or common use of that class of product, regardless of the status
-of the particular user or of the way in which the particular user
-actually uses, or expects or is expected to use, the product.  A product
-is a consumer product regardless of whether the product has substantial
-commercial, industrial or non-consumer uses, unless such uses represent
-the only significant mode of use of the product.
-
-  "Installation Information" for a User Product means any methods,
-procedures, authorization keys, or other information required to install
-and execute modified versions of a covered work in that User Product from
-a modified version of its Corresponding Source.  The information must
-suffice to ensure that the continued functioning of the modified object
-code is in no case prevented or interfered with solely because
-modification has been made.
-
-  If you convey an object code work under this section in, or with, or
-specifically for use in, a User Product, and the conveying occurs as
-part of a transaction in which the right of possession and use of the
-User Product is transferred to the recipient in perpetuity or for a
-fixed term (regardless of how the transaction is characterized), the
-Corresponding Source conveyed under this section must be accompanied
-by the Installation Information.  But this requirement does not apply
-if neither you nor any third party retains the ability to install
-modified object code on the User Product (for example, the work has
-been installed in ROM).
-
-  The requirement to provide Installation Information does not include a
-requirement to continue to provide support service, warranty, or updates
-for a work that has been modified or installed by the recipient, or for
-the User Product in which it has been modified or installed.  Access to a
-network may be denied when the modification itself materially and
-adversely affects the operation of the network or violates the rules and
-protocols for communication across the network.
-
-  Corresponding Source conveyed, and Installation Information provided,
-in accord with this section must be in a format that is publicly
-documented (and with an implementation available to the public in
-source code form), and must require no special password or key for
-unpacking, reading or copying.
-
-  7. Additional Terms.
-
-  "Additional permissions" are terms that supplement the terms of this
-License by making exceptions from one or more of its conditions.
-Additional permissions that are applicable to the entire Program shall
-be treated as though they were included in this License, to the extent
-that they are valid under applicable law.  If additional permissions
-apply only to part of the Program, that part may be used separately
-under those permissions, but the entire Program remains governed by
-this License without regard to the additional permissions.
-
-  When you convey a copy of a covered work, you may at your option
-remove any additional permissions from that copy, or from any part of
-it.  (Additional permissions may be written to require their own
-removal in certain cases when you modify the work.)  You may place
-additional permissions on material, added by you to a covered work,
-for which you have or can give appropriate copyright permission.
-
-  Notwithstanding any other provision of this License, for material you
-add to a covered work, you may (if authorized by the copyright holders of
-that material) supplement the terms of this License with terms:
-
-    a) Disclaiming warranty or limiting liability differently from the
-    terms of sections 15 and 16 of this License; or
-
-    b) Requiring preservation of specified reasonable legal notices or
-    author attributions in that material or in the Appropriate Legal
-    Notices displayed by works containing it; or
-
-    c) Prohibiting misrepresentation of the origin of that material, or
-    requiring that modified versions of such material be marked in
-    reasonable ways as different from the original version; or
-
-    d) Limiting the use for publicity purposes of names of licensors or
-    authors of the material; or
-
-    e) Declining to grant rights under trademark law for use of some
-    trade names, trademarks, or service marks; or
-
-    f) Requiring indemnification of licensors and authors of that
-    material by anyone who conveys the material (or modified versions of
-    it) with contractual assumptions of liability to the recipient, for
-    any liability that these contractual assumptions directly impose on
-    those licensors and authors.
-
-  All other non-permissive additional terms are considered "further
-restrictions" within the meaning of section 10.  If the Program as you
-received it, or any part of it, contains a notice stating that it is
-governed by this License along with a term that is a further
-restriction, you may remove that term.  If a license document contains
-a further restriction but permits relicensing or conveying under this
-License, you may add to a covered work material governed by the terms
-of that license document, provided that the further restriction does
-not survive such relicensing or conveying.
-
-  If you add terms to a covered work in accord with this section, you
-must place, in the relevant source files, a statement of the
-additional terms that apply to those files, or a notice indicating
-where to find the applicable terms.
-
-  Additional terms, permissive or non-permissive, may be stated in the
-form of a separately written license, or stated as exceptions;
-the above requirements apply either way.
-
-  8. Termination.
-
-  You may not propagate or modify a covered work except as expressly
-provided under this License.  Any attempt otherwise to propagate or
-modify it is void, and will automatically terminate your rights under
-this License (including any patent licenses granted under the third
-paragraph of section 11).
-
-  However, if you cease all violation of this License, then your
-license from a particular copyright holder is reinstated (a)
-provisionally, unless and until the copyright holder explicitly and
-finally terminates your license, and (b) permanently, if the copyright
-holder fails to notify you of the violation by some reasonable means
-prior to 60 days after the cessation.
-
-  Moreover, your license from a particular copyright holder is
-reinstated permanently if the copyright holder notifies you of the
-violation by some reasonable means, this is the first time you have
-received notice of violation of this License (for any work) from that
-copyright holder, and you cure the violation prior to 30 days after
-your receipt of the notice.
-
-  Termination of your rights under this section does not terminate the
-licenses of parties who have received copies or rights from you under
-this License.  If your rights have been terminated and not permanently
-reinstated, you do not qualify to receive new licenses for the same
-material under section 10.
-
-  9. Acceptance Not Required for Having Copies.
-
-  You are not required to accept this License in order to receive or
-run a copy of the Program.  Ancillary propagation of a covered work
-occurring solely as a consequence of using peer-to-peer transmission
-to receive a copy likewise does not require acceptance.  However,
-nothing other than this License grants you permission to propagate or
-modify any covered work.  These actions infringe copyright if you do
-not accept this License.  Therefore, by modifying or propagating a
-covered work, you indicate your acceptance of this License to do so.
-
-  10. Automatic Licensing of Downstream Recipients.
-
-  Each time you convey a covered work, the recipient automatically
-receives a license from the original licensors, to run, modify and
-propagate that work, subject to this License.  You are not responsible
-for enforcing compliance by third parties with this License.
-
-  An "entity transaction" is a transaction transferring control of an
-organization, or substantially all assets of one, or subdividing an
-organization, or merging organizations.  If propagation of a covered
-work results from an entity transaction, each party to that
-transaction who receives a copy of the work also receives whatever
-licenses to the work the party's predecessor in interest had or could
-give under the previous paragraph, plus a right to possession of the
-Corresponding Source of the work from the predecessor in interest, if
-the predecessor has it or can get it with reasonable efforts.
-
-  You may not impose any further restrictions on the exercise of the
-rights granted or affirmed under this License.  For example, you may
-not impose a license fee, royalty, or other charge for exercise of
-rights granted under this License, and you may not initiate litigation
-(including a cross-claim or counterclaim in a lawsuit) alleging that
-any patent claim is infringed by making, using, selling, offering for
-sale, or importing the Program or any portion of it.
-
-  11. Patents.
-
-  A "contributor" is a copyright holder who authorizes use under this
-License of the Program or a work on which the Program is based.  The
-work thus licensed is called the contributor's "contributor version".
-
-  A contributor's "essential patent claims" are all patent claims
-owned or controlled by the contributor, whether already acquired or
-hereafter acquired, that would be infringed by some manner, permitted
-by this License, of making, using, or selling its contributor version,
-but do not include claims that would be infringed only as a
-consequence of further modification of the contributor version.  For
-purposes of this definition, "control" includes the right to grant
-patent sublicenses in a manner consistent with the requirements of
-this License.
-
-  Each contributor grants you a non-exclusive, worldwide, royalty-free
-patent license under the contributor's essential patent claims, to
-make, use, sell, offer for sale, import and otherwise run, modify and
-propagate the contents of its contributor version.
-
-  In the following three paragraphs, a "patent license" is any express
-agreement or commitment, however denominated, not to enforce a patent
-(such as an express permission to practice a patent or covenant not to
-sue for patent infringement).  To "grant" such a patent license to a
-party means to make such an agreement or commitment not to enforce a
-patent against the party.
-
-  If you convey a covered work, knowingly relying on a patent license,
-and the Corresponding Source of the work is not available for anyone
-to copy, free of charge and under the terms of this License, through a
-publicly available network server or other readily accessible means,
-then you must either (1) cause the Corresponding Source to be so
-available, or (2) arrange to deprive yourself of the benefit of the
-patent license for this particular work, or (3) arrange, in a manner
-consistent with the requirements of this License, to extend the patent
-license to downstream recipients.  "Knowingly relying" means you have
-actual knowledge that, but for the patent license, your conveying the
-covered work in a country, or your recipient's use of the covered work
-in a country, would infringe one or more identifiable patents in that
-country that you have reason to believe are valid.
-
-  If, pursuant to or in connection with a single transaction or
-arrangement, you convey, or propagate by procuring conveyance of, a
-covered work, and grant a patent license to some of the parties
-receiving the covered work authorizing them to use, propagate, modify
-or convey a specific copy of the covered work, then the patent license
-you grant is automatically extended to all recipients of the covered
-work and works based on it.
-
-  A patent license is "discriminatory" if it does not include within
-the scope of its coverage, prohibits the exercise of, or is
-conditioned on the non-exercise of one or more of the rights that are
-specifically granted under this License.  You may not convey a covered
-work if you are a party to an arrangement with a third party that is
-in the business of distributing software, under which you make payment
-to the third party based on the extent of your activity of conveying
-the work, and under which the third party grants, to any of the
-parties who would receive the covered work from you, a discriminatory
-patent license (a) in connection with copies of the covered work
-conveyed by you (or copies made from those copies), or (b) primarily
-for and in connection with specific products or compilations that
-contain the covered work, unless you entered into that arrangement,
-or that patent license was granted, prior to 28 March 2007.
-
-  Nothing in this License shall be construed as excluding or limiting
-any implied license or other defenses to infringement that may
-otherwise be available to you under applicable patent law.
-
-  12. No Surrender of Others' Freedom.
-
-  If conditions are imposed on you (whether by court order, agreement or
-otherwise) that contradict the conditions of this License, they do not
-excuse you from the conditions of this License.  If you cannot convey a
-covered work so as to satisfy simultaneously your obligations under this
-License and any other pertinent obligations, then as a consequence you may
-not convey it at all.  For example, if you agree to terms that obligate you
-to collect a royalty for further conveying from those to whom you convey
-the Program, the only way you could satisfy both those terms and this
-License would be to refrain entirely from conveying the Program.
-
-  13. Use with the GNU Affero General Public License.
-
-  Notwithstanding any other provision of this License, you have
-permission to link or combine any covered work with a work licensed
-under version 3 of the GNU Affero General Public License into a single
-combined work, and to convey the resulting work.  The terms of this
-License will continue to apply to the part which is the covered work,
-but the special requirements of the GNU Affero General Public License,
-section 13, concerning interaction through a network will apply to the
-combination as such.
-
-  14. Revised Versions of this License.
-
-  The Free Software Foundation may publish revised and/or new versions of
-the GNU General Public License from time to time.  Such new versions will
-be similar in spirit to the present version, but may differ in detail to
-address new problems or concerns.
-
-  Each version is given a distinguishing version number.  If the
-Program specifies that a certain numbered version of the GNU General
-Public License "or any later version" applies to it, you have the
-option of following the terms and conditions either of that numbered
-version or of any later version published by the Free Software
-Foundation.  If the Program does not specify a version number of the
-GNU General Public License, you may choose any version ever published
-by the Free Software Foundation.
-
-  If the Program specifies that a proxy can decide which future
-versions of the GNU General Public License can be used, that proxy's
-public statement of acceptance of a version permanently authorizes you
-to choose that version for the Program.
-
-  Later license versions may give you additional or different
-permissions.  However, no additional obligations are imposed on any
-author or copyright holder as a result of your choosing to follow a
-later version.
-
-  15. Disclaimer of Warranty.
-
-  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
-APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
-HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
-OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
-THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
-IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
-ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
-
-  16. Limitation of Liability.
-
-  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
-WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
-THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
-GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
-USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
-DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
-PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
-EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
-SUCH DAMAGES.
-
-  17. Interpretation of Sections 15 and 16.
-
-  If the disclaimer of warranty and limitation of liability provided
-above cannot be given local legal effect according to their terms,
-reviewing courts shall apply local law that most closely approximates
-an absolute waiver of all civil liability in connection with the
-Program, unless a warranty or assumption of liability accompanies a
-copy of the Program in return for a fee.
-
-                     END OF TERMS AND CONDITIONS
-
-            How to Apply These Terms to Your New Programs
-
-  If you develop a new program, and you want it to be of the greatest
-possible use to the public, the best way to achieve this is to make it
-free software which everyone can redistribute and change under these terms.
-
-  To do so, attach the following notices to the program.  It is safest
-to attach them to the start of each source file to most effectively
-state the exclusion of warranty; and each file should have at least
-the "copyright" line and a pointer to where the full notice is found.
-
-    <one line to give the program's name and a brief idea of what it does.>
-    Copyright (C) <year>  <name of author>
-
-    This program is free software: you can redistribute it and/or modify
-    it under the terms of the GNU General Public License as published by
-    the Free Software Foundation, either version 3 of the License, or
-    (at your option) any later version.
-
-    This program is distributed in the hope that it will be useful,
-    but WITHOUT ANY WARRANTY; without even the implied warranty of
-    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-    GNU General Public License for more details.
-
-    You should have received a copy of the GNU General Public License
-    along with this program.  If not, see <https://www.gnu.org/licenses/>.
-
-Also add information on how to contact you by electronic and paper mail.
-
-  If the program does terminal interaction, make it output a short
-notice like this when it starts in an interactive mode:
-
-    <program>  Copyright (C) <year>  <name of author>
-    This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
-    This is free software, and you are welcome to redistribute it
-    under certain conditions; type `show c' for details.
-
-The hypothetical commands `show w' and `show c' should show the appropriate
-parts of the General Public License.  Of course, your program's commands
-might be different; for a GUI interface, you would use an "about box".
-
-  You should also get your employer (if you work as a programmer) or school,
-if any, to sign a "copyright disclaimer" for the program, if necessary.
-For more information on this, and how to apply and follow the GNU GPL, see
-<https://www.gnu.org/licenses/>.
-
-  The GNU General Public License does not permit incorporating your program
-into proprietary programs.  If your program is a subroutine library, you
-may consider it more useful to permit linking proprietary applications with
-the library.  If this is what you want to do, use the GNU Lesser General
-Public License instead of this License.  But first, please read
-<https://www.gnu.org/licenses/why-not-lgpl.html>.
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright (C) 2018-2026  Ruohang Feng, @Vonng (rh@vonng.com)
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

README.md

@@ -1,100 +1,18 @@
-# ansible-playbook
+# Cloud-Neutral Toolkit GitOps
 
-This repository contains a collection of Ansible playbooks and roles for various infrastructure setups and service management tasks.
+This repository is the GitOps declaration layer for the Cloud-Neutral Toolkit.
 
-For a quick overview of the directory layout see [docs/repo-structure.md](docs/repo-structure.md).
-Additional documentation is stored under the `docs/` folder.
+## Scope
 
-## Playbook 角色说明
+- Store declarative Kubernetes resources, Flux Kustomizations, and non-sensitive multi-environment values.
+- Keep application charts and Helm templates in the dedicated chart repository.
+- Keep imperative automation such as Ansible playbooks and inventories out of this repository.
 
-1. playbooks/roles/docker：适用于简单的、单机环境的部署，主要使用 Docker 和 Docker Compose 进行容器化管理。
-2. playbooks/roles/charts：面向大规模的 Kubernetes 集群，使用 Helm 和标准化 Chart 部署模式进行高可用和可扩展的管理。
-3. playbooks/roles/vhosts：传统的非容器化部署方式，通常涉及手动配置服务器和虚拟主机，适用于不使用容器的应用场景。
+## Layout
 
+- `infra/`: platform, infrastructure, and shared service declarations
+- `apps/`: application release declarations
+- `clusters/`: cluster-level overlays and entrypoints
+- `docs/`: repository conventions and operational documentation
 
-## Role Summary
-
-| Role Name               | Description                                           | Docker | Charts | VHosts | CICD    | Validate | Last Update  |
-|-------------------------|-------------------------------------------------------|--------|--------|--------|---------|----------|--------------|
-| `common`                | 通用角色，包含一些常用的功能，如日志记录、监控等。      |        |        |   ✔    |         |   yes    | 2025-02-14   |
-| `keycloak`              | 用于管理身份认证和授权服务。                            |   ✔    |        |        | github  |   yes    | 2024-11-10   |
-| `harbor`                | 容器镜像仓库角色，用于存储和管理容器镜像。              |   ✔    |        |        | github  |   yes    | 2024-11-14   |
-| `app`                   | 参考模板。                                              |        |        |        |         |          |              |
-| `nginx`                 | 用于设置 Nginx                                          |        |   ✔    |   ✔    |         |          |              |
-| `grafana`               | 用于设置 Grafana                                        |        |   ✔    |   ✔    |         |          |              |
-| `grafana-loki`          | 用于设置 Grafana-loki                                   |        |   ✔    |   ✔    |         |          |              |
-| `Grafana-tempo`         | 用于设置 Grafana-tempo                                  |        |   ✔    |   ✔    |         |          |              |
-| `prometheus`            | 用于设置 Prometheus                                     |        |   ✔    |   ✔    |         |          |              |
-| `prometheus-transfer`   | 用于 Prometheus 数据传输设置。                          |        |        |   ✔    |         |          |              |
-| `vector`                | 用于配置日志收集代理。                                  |        |        |   ✔    |         |          |              |
-| `node-exporter`         | 用于导出系统和硬件的监控数据。                          |        |   ✔    |        |         |          |              |
-| `observability-agent`   | 用于管理 Observability 代理。                           |        |   ✔    |   ✔    |         |          |              |
-| `observability-server`  | 用于设置 Observability 服务端。                         |        |   ✔    |   ✔    |         |          |              |
-| `wireguard-client`      | 用于设置 WireGuard 客户端。                             |        |        |   ✔    |         |          |              |
-| `wireguard-gateway`     | 用于设置 WireGuard 网关。                               |        |        |   ✔    |         |          |              |
-| `vault`                 | 用于管理敏感数据和密钥。                                |        |        |   ✔    |         |          |              |
-| `postgresql`            | PostgreSQL 数据库角色，用于提供 PostgreSQL 数据库服务。 |        |   ✔    |        |         |          |              |
-| `redis`                 | Redis 数据库角色，用于提供 Redis 数据库服务。           |        |   ✔    |        |         |          |              |
-| `chartmuseum`           | 图表仓库角色，用于存储和管理 Kubernetes 图表。          |        |   ✔    |        |         |          |              |
-| `gitlab`                | 代码仓库角色，用于存储和管理代码。                      |        |   ✔    |        |         |          |              |
-| `mysql`                 | MySQL 数据库角色，用于提供 MySQL 数据库服务。           |        |   ✔    |        |         |          |              |
-| `argo-server`           | 用于设置和管理 Argo Server。                            |        |   ✔    |        |         |          |              |
-| `deepflow`              | 用于流量监控与网络性能分析的 DeepFlow 服务。            |        |   ✔    |        |         |          |              |
-| `jenkins`               | Jenkins 自动化构建工具角色，用于 CI/CD 管道。           |        |   ✔    |        |         |          |              |
-| `chaos-mesh`            | 用于 Chaos Engineering 测试的 Chaos Mesh 角色。         |        |   ✔    |        |         |          |              |
-| `flagger-loadtester`    | 用于负载测试的 Flagger Loadtester 角色。                |        |   ✔    |        |         |          |              |
-| `splunk-otel-collector` | 用于配置 Splunk OpenTelemetry Collector。               |        |   ✔    |        |         |          |              |
-| `openldap`              | 用于设置和管理 OpenLDAP 身份认证服务。                  |        |   ✔    |        |         |          |              |
-| `alerting`              | 用于设置和管理警报系统。                                |        |        |   ✔    |         |          |              |
-| `k3s`                   | 用于创建 Kubernetes 集群。                              |        |        |   ✔    |         |          |              |
-| `k3s-reset`             | 用于重置 Kubernetes 集群。                              |        |        |   ✔    |         |          |              |
-| `k3s-addon`             | 用于安装 Kubernetes 集群插件。                          |        |        |   ✔    |         |          |              |
-| `secret-manger`         | 密钥管理角色，用于管理密钥。                            |        |        |   ✔    |         |          |              |
-| `cert-manager`          | 证书管理角色，用于管理证书。                            |        |        |   ✔    |         |          |              |
-| `ssh-trust`             | 配置 ops 主机与节点的 SSH 互信。    |        |        |   ✔    |         |          |              |
-
-表格说明
-- Docker：是否属于 Docker 角色。
-- Charts：是否属于 Helm Chart 角色。
-- VHosts：是否属于虚拟主机管理相关角色。
-- CICD：是否启用 CICD 管道，标明是否集成了自动化流程。
-- Validate：是否经过验证测试。
-- Last Update：最后更新时间。
-
-##  Usage Examples
-
-- Linux OS Setup
-
-ansible-playbook -i inventory/hosts/all playbooks/common -D -C
-ansible-playbook -i inventory/hosts/all playbooks/common -D
-
-- Gather Network Information
-
-ansible-playbook -i inventory gather_network_info.yml -e target_group=master
-
-- Display network information on all nodes
-
-ansible -i inventory all -m script -a 'roles/network_info/tasks/files/display_network_info.sh'
-
-- Deploy Keycloak Server
-
-ansible-playbook -i inventory/hosts/core playbooks/keycloak_server -D
-
-- Set up WireGuard Gateway
-
-ansible-playbook -i inventory/hosts/vpn playbooks/wireguard_gateway.yaml -D
-
-- Set up Grafana Alloy
-
-ansible-playbook -i inventory/k3s-cluster playbooks/init_grafana_alloy -D -C -l cn-k3s-server.svc.plus -e @playbooks/roles/alloy/files/loki_journal_sources_k3s_server.yml -e "ansible_become_pass='xxxx'"
-
-
-- Setup VPN gateway
-
-ansible-playbook -i inventory/hosts/all playbooks/common -l gateway -D
-
-## Documentation
-
-- [docs/gpu-k8s-role.md](docs/gpu-k8s-role.md) - How to run the GPU-enabled Kubernetes role.
-- [docs/repo-structure.md](docs/repo-structure.md) - Overview of repository layout.
-
+For a quick structure overview, see [docs/repo-structure.md](docs/repo-structure.md).

alerts/gitops/dashboards/logs.json

@@ -1,332 +0,0 @@
-{
-  "__inputs": [
-    {
-      "name": "DS_LOKI",
-      "label": "Loki",
-      "description": "",
-      "type": "datasource",
-      "pluginId": "loki",
-      "pluginName": "Loki"
-    }
-  ],
-  "annotations": {
-    "list": [
-      {
-        "builtIn": 1,
-        "datasource": "-- Grafana --",
-        "enable": true,
-        "hide": true,
-        "iconColor": "rgba(0, 211, 255, 1)",
-        "name": "Annotations & Alerts",
-        "target": {
-          "limit": 100,
-          "matchAny": false,
-          "tags": [],
-          "type": "dashboard"
-        },
-        "type": "dashboard"
-      },
-      {
-        "datasource": {
-          "type": "datasource",
-          "uid": "grafana"
-        },
-        "enable": true,
-        "iconColor": "red",
-        "name": "flux events",
-        "target": {
-          "limit": 100,
-          "matchAny": false,
-          "tags": [
-            "flux"
-          ],
-          "type": "tags"
-        }
-      }
-    ]
-  },
-  "description": "Flux logs collected from Kubernetes, stored in Loki",
-  "editable": true,
-  "gnetId": null,
-  "graphTooltip": 0,
-  "id": 29,
-  "iteration": 1653748775696,
-  "links": [],
-  "liveNow": false,
-  "panels": [
-    {
-      "datasource": "${DS_LOKI}",
-      "description": "",
-      "fieldConfig": {
-        "defaults": {
-          "color": {
-            "mode": "palette-classic"
-          },
-          "custom": {
-            "axisLabel": "",
-            "axisPlacement": "auto",
-            "barAlignment": 0,
-            "drawStyle": "bars",
-            "fillOpacity": 0,
-            "gradientMode": "none",
-            "hideFrom": {
-              "legend": false,
-              "tooltip": false,
-              "viz": false
-            },
-            "lineInterpolation": "linear",
-            "lineWidth": 1,
-            "pointSize": 5,
-            "scaleDistribution": {
-              "type": "linear"
-            },
-            "showPoints": "auto",
-            "spanNulls": false,
-            "stacking": {
-              "group": "A",
-              "mode": "none"
-            },
-            "thresholdsStyle": {
-              "mode": "off"
-            }
-          },
-          "mappings": [],
-          "thresholds": {
-            "mode": "absolute",
-            "steps": [
-              {
-                "color": "green",
-                "value": null
-              },
-              {
-                "color": "red",
-                "value": 80
-              }
-            ]
-          }
-        },
-        "overrides": []
-      },
-      "gridPos": {
-        "h": 4,
-        "w": 24,
-        "x": 0,
-        "y": 0
-      },
-      "id": 4,
-      "options": {
-        "legend": {
-          "calcs": [],
-          "displayMode": "hidden",
-          "placement": "bottom"
-        },
-        "tooltip": {
-          "mode": "single",
-          "sort": "none"
-        }
-      },
-      "targets": [
-        {
-          "datasource": "${DS_LOKI}",
-          "expr": "sum(count_over_time({namespace=~\"$namespace\", stream=~\"$stream\", app =~\"$controller\"} | json | __error__!=\"JSONParserErr\" | level=~\"$level\" |= \"$query\" [$__interval]))",
-          "instant": false,
-          "legendFormat": "Log count",
-          "range": true,
-          "refId": "A"
-        }
-      ],
-      "type": "timeseries"
-    },
-    {
-      "datasource": "${DS_LOKI}",
-      "description": "Logs from services running in Kubernetes",
-      "gridPos": {
-        "h": 25,
-        "w": 24,
-        "x": 0,
-        "y": 4
-      },
-      "id": 2,
-      "options": {
-        "dedupStrategy": "numbers",
-        "enableLogDetails": false,
-        "prettifyLogMessage": true,
-        "showCommonLabels": false,
-        "showLabels": false,
-        "showTime": false,
-        "sortOrder": "Descending",
-        "wrapLogMessage": false
-      },
-      "targets": [
-        {
-          "datasource": "${DS_LOKI}",
-          "expr": "{namespace=~\"$namespace\", stream=~\"$stream\", app =~\"$controller\"} | json | __error__!=\"JSONParserErr\" | level=~\"$level\" |= \"$query\"",
-          "refId": "A"
-        }
-      ],
-      "type": "logs"
-    }
-  ],
-  "refresh": "10s",
-  "schemaVersion": 36,
-  "style": "light",
-  "tags": [
-    "flux"
-  ],
-  "templating": {
-    "list": [
-      {
-        "current": {
-          "selected": false,
-          "text": "",
-          "value": ""
-        },
-        "description": "String to search for",
-        "hide": 0,
-        "label": "Search Query",
-        "name": "query",
-        "options": [
-          {
-            "selected": true,
-            "text": "",
-            "value": ""
-          }
-        ],
-        "query": "",
-        "skipUrlSync": false,
-        "type": "textbox"
-      },
-      {
-        "allValue": "info|error",
-        "current": {
-          "selected": false,
-          "text": "All",
-          "value": "$__all"
-        },
-        "hide": 0,
-        "includeAll": true,
-        "multi": false,
-        "name": "level",
-        "options": [
-          {
-            "selected": true,
-            "text": "All",
-            "value": "$__all"
-          },
-          {
-            "selected": false,
-            "text": "info",
-            "value": "info"
-          },
-          {
-            "selected": false,
-            "text": "error",
-            "value": "error"
-          }
-        ],
-        "query": "info,error",
-        "queryValue": "",
-        "skipUrlSync": false,
-        "type": "custom"
-      },
-      {
-        "allValue": ".+",
-        "current": {
-          "selected": true,
-          "text": [
-            "All"
-          ],
-          "value": [
-            "$__all"
-          ]
-        },
-        "datasource": "${DS_LOKI}",
-        "definition": "label_values(app)",
-        "hide": 0,
-        "includeAll": true,
-        "multi": true,
-        "name": "controller",
-        "options": [],
-        "query": "label_values(app)",
-        "refresh": 1,
-        "regex": "",
-        "skipUrlSync": false,
-        "sort": 0,
-        "type": "query"
-      },
-      {
-        "allValue": ".+",
-        "current": {
-          "selected": true,
-          "text": [
-            "flux-system"
-          ],
-          "value": [
-            "flux-system"
-          ]
-        },
-        "datasource": "${DS_LOKI}",
-        "definition": "label_values(namespace)",
-        "hide": 0,
-        "includeAll": true,
-        "multi": true,
-        "name": "namespace",
-        "options": [],
-        "query": "label_values(namespace)",
-        "refresh": 1,
-        "regex": "",
-        "skipUrlSync": false,
-        "sort": 0,
-        "type": "query"
-      },
-      {
-        "allValue": ".+",
-        "current": {
-          "selected": false,
-          "text": "All",
-          "value": "$__all"
-        },
-        "datasource": "${DS_LOKI}",
-        "definition": "label_values(stream)",
-        "hide": 0,
-        "includeAll": true,
-        "multi": true,
-        "name": "stream",
-        "options": [],
-        "query": "label_values(stream)",
-        "refresh": 1,
-        "regex": "",
-        "skipUrlSync": false,
-        "sort": 0,
-        "type": "query"
-      },
-      {
-        "current": {
-          "selected": false,
-          "text": "Loki",
-          "value": "Loki"
-        },
-        "hide": 0,
-        "includeAll": false,
-        "label": "Datasource",
-        "multi": false,
-        "name": "DS_LOKI",
-        "options": [],
-        "query": "loki",
-        "refresh": 1,
-        "regex": "",
-        "skipUrlSync": false,
-        "type": "datasource"
-      }
-    ]
-  },
-  "time": {
-    "from": "now-6h",
-    "to": "now"
-  },
-  "timepicker": {},
-  "timezone": "",
-  "title": "Flux Logs",
-  "uid": "flux-logs",
-  "version": 2
-}

alerts/gitops/kustomization.yaml

@@ -1,16 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: monitoring
-resources:
-  - podmonitor.yaml
-configMapGenerator:
-  - name: flux-grafana-dashboards
-    files:
-      - dashboards/control-plane.json
-      - dashboards/cluster.json
-      - dashboards/logs.json
-    options:
-      labels:
-        grafana_dashboard: "1"
-        app.kubernetes.io/part-of: flux
-        app.kubernetes.io/component: monitoring

ansible.cfg

@@ -1,15 +0,0 @@
-[inventory]
-cache: yes
-cache_plugin: ansible.builtin.jsonfile
-
-[defaults]
-vault_password_file = ~/.vault_password
-timeout        = 10
-forks          = 10
-poll_interval  = 10
-transport      = smart
-gathering      = smart
-stdout_callback = skippy
-host_key_checking = False
-deprecation_warnings = False
-ansible_python_interpreter=/usr/bin/python3

apps/demo/c-app/namespace.yaml

@@ -1,6 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: demo-c
-  labels:
-    app.kubernetes.io/component: demo-c

apps/demo/c-app/release.yaml

@@ -1,30 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1beta2
-kind: HelmRepository
-metadata:
-  name: stable
-  namespace: demo-c
-spec:
-  interval: 1m
-  url: https://charts.onwalk.net/
----
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
-kind: HelmRelease
-metadata:
-  name: cp-app
-  namespace: demo-c
-spec:
-  chart:
-    spec:
-      chart: app
-      version: "0.1.1"
-      sourceRef:
-        kind: HelmRepository
-        name: stable
-        namespace: demo-c
-  interval: 1m
-  values:
-    image:
-      repository: artifact.onwalk.net/base/scaffolding-design/c
-      tag: "dee1c17b11822997e16e71244b1a1e98fe919688"
-    ingress:
-      className: "nginx"

apps/demo/go-app/namespace.yaml

@@ -1,6 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: demo-go
-  labels:
-    app.kubernetes.io/component: demo-go

apps/demo/go-app/release.yaml

@@ -1,30 +0,0 @@
-apps/go-demo/release.yaml apiVersion: source.toolkit.fluxcd.io/v1beta2
-kind: HelmRepository
-metadata:
-  name: stable
-  namespace: demo-go
-spec:
-  interval: 1m
-  url: https://charts.onwalk.net/
----
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
-kind: HelmRelease
-metadata:
-  name: stable
-  namespace: demo-go
-spec:
-  chart:
-    spec:
-      chart: app
-      version: "0.1.1"
-      sourceRef:
-        kind: HelmRepository
-        name: stable
-        namespace: demo-go
-  interval: 1m
-  values:
-    image:
-      repository: artifact.onwalk.net/base/scaffolding-design/go
-      tag: "fe2a0fba3014709b26d8acd75bacb661bf2522a4"
-    ingress:
-      className: "nginx"

apps/demo/js-app/namespace.yaml

@@ -1,6 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: demo-js
-  labels:
-    app.kubernetes.io/component: demo

apps/demo/js-app/release.yaml

@@ -1,30 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1beta2
-kind: HelmRepository
-metadata:
-  name: stable
-  namespace: demo-js
-spec:
-  interval: 1m
-  url: https://charts.onwalk.net/
----
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
-kind: HelmRelease
-metadata:
-  name: stable
-  namespace: demo-js
-spec:
-  chart:
-    spec:
-      chart: app
-      version: "0.1.1"
-      sourceRef:
-        kind: HelmRepository
-        name: stable
-        namespace: demo-python
-  interval: 1m
-  values:
-    image:
-      repository: artifact.onwalk.net/base/scaffolding-design/javascript-frontend
-      tag: "fc998a6d433c45986dc7d51ab62bf7aa48613d62"
-    ingress:
-      className: "nginx"

apps/demo/python-app/kustomization.yaml

@@ -1,5 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - namespace.yaml
-  - release.yaml 

apps/demo/python-app/namespace.yaml

@@ -1,6 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: demo-python
-  labels:
-    app.kubernetes.io/component: demo-python

apps/demo/python-app/release.yaml

@@ -1,30 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1beta2
-kind: HelmRepository
-metadata:
-  name: stable
-  namespace: demo-python
-spec:
-  interval: 1m
-  url: https://charts.onwalk.net/
----
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
-kind: HelmRelease
-metadata:
-  name: stable
-  namespace: demo-python
-spec:
-  chart:
-    spec:
-      chart: app
-      version: "0.1.1"
-      sourceRef:
-        kind: HelmRepository
-        name: stable
-        namespace: demo-python
-  interval: 1m
-  values:
-    image:
-      repository: artifact.onwalk.net/base/scaffolding-design/python
-      tag: "d72ba38f7a3a76b71eb50f00fe46a94497e6ecaa"
-    ingress:
-      className: "nginx"

apps/demo/rust-app/kustomization.yaml

@@ -1,5 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - namespace.yaml
-  - release.yaml 

apps/demo/rust-app/namespace.yaml

@@ -1,6 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: demo-rust
-  labels:
-    app.kubernetes.io/component: demo-rust

apps/demo/rust-app/release.yaml

@@ -1,30 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1beta2
-kind: HelmRepository
-metadata:
-  name: stable
-  namespace: demo-rust
-spec:
-  interval: 1m
-  url: https://charts.onwalk.net/
----
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
-kind: HelmRelease
-metadata:
-  name: stable
-  namespace: demo-rust
-spec:
-  chart:
-    spec:
-      chart: app
-      version: "0.1.1"
-      sourceRef:
-        kind: HelmRepository
-        name: stable
-        namespace: demo-rust
-  interval: 1m
-  values:
-    image:
-      repository: artifact.onwalk.net/base/scaffolding-design/rust
-      tag: "84a66d19f29c20c57127f5c896d00b0b84dcd986"
-    ingress:
-      className: "nginx"

apps/itsm-dev/release.yaml

@@ -1,40 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
-kind: HelmRelease
-metadata:
-  name: itsm-dev
-  namespace: itsm-dev
-spec:
-  interval: 1m
-  chart:
-    spec:
-      version: "0.1.16"
-      chart: itsm
-      sourceRef:
-        kind: HelmRepository
-        name: stable
-        namespace: itsm-dev
-      interval: 1m
-  values:
-    novu:
-      web:
-        ingress:
-          enabled: true
-          hostname: novu-web.onwalk.net
-          ingressClassName: 'nginx'
-    apisix:
-      dashboard:
-        ingress:
-          enabled: true
-          className: "nginx"
-          hosts:
-            - host: apisix-dashboard.onwalk.net
-              paths:
-                - /*
-    etcd-adapter:
-      enabled: true
-      mysql:
-        host: mysql
-        port: 3306
-        username: apisix
-        password: apisix
-        database: apisix

apps/minio/kustomization.yaml

@@ -1,5 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: itsm-dev
-resources:
-  - release.yaml

apps/minio/release.yaml

@@ -1,37 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
-kind: HelmRelease
-metadata:
-  name: minio
-  namespace: itsm-dev
-spec:
-  interval: 1m
-  chart:
-    spec:
-      version: "5.0.15"
-      chart: minio
-      sourceRef:
-        kind: HelmRepository
-        name: stable
-        namespace: itsm-dev
-      interval: 1m
-  values:
-    enabled: true
-    nameOverride: minio
-    mode: standalone
-    replicas: 2
-    ingress:
-      enabled: true
-      ingressClassName: "nginx"
-      hosts:
-        - minio.local
-    persistence:
-      enabled: true
-      size: 10Gi
-    existingSecret: minio-secret
-    resources:
-      requests:
-        memory: 50Mi
-        cpu: 50m
-      limits:
-        cpu: "100m"
-        memory: "100Mi"

apps/mongodb/kustomization.yaml

@@ -1,5 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: itsm-dev
-resources:
-  - release.yaml

apps/mongodb/release.yaml

@@ -1,42 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
-kind: HelmRelease
-metadata:
-  name: mongodb
-  namespace: itsm-dev
-spec:
-  interval: 1m
-  chart:
-    spec:
-      version: "14.8.3"
-      chart: mongodb
-      sourceRef:
-        kind: HelmRepository
-        name: stable
-        namespace: itsm-dev
-      interval: 1m
-  values:
-    enabled: true
-    nameOverride: "mongodb"
-    architecture: standalone
-    useStatefulSet: true
-    global:
-      imageRegistry: ""
-    persistence:
-      enabled: true
-    auth:
-      enabled: true
-      rootUser: root
-      rootPassword: "mongodb"
-      usernames:
-      - novu
-      passwords:
-      - novu
-      databases:
-      - novu-db
-    resources:
-      requests:
-        memory: 100Mi
-        cpu: 100m
-      limits:
-        cpu: "500m"
-        memory: "500Mi"

apps/monitor/flagger-loadtester/kustomization.yaml

@@ -1,6 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: monitoring
-resources:
-  - repository.yaml
-  - release.yaml

apps/monitor/flagger-loadtester/release.yaml

@@ -1,16 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
-kind: HelmRelease
-metadata:
-  name: flaggerloadtester
-  namespace: monitoring
-spec:
-  interval: 1m
-  chart:
-    spec:
-      version: "0.30.0"
-      chart: flagger-loadtester
-      sourceRef:
-        kind: HelmRepository
-        name: flaggerload
-        namespace: monitoring
-      interval: 1m

apps/monitor/flagger-loadtester/repository.yaml

@@ -1,8 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1beta2
-kind: HelmRepository
-metadata:
-  name: flaggerload
-  namespace: monitoring
-spec:
-  interval: 1m0s
-  url: https://flagger.app 

apps/monitor/flagger/kustomization.yaml

@@ -1,6 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: ingress
-resources:
-  - repository.yaml
-  - release.yaml

apps/monitor/flagger/release.yaml

@@ -1,24 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
-kind: HelmRelease
-metadata:
-  name: flagger
-  namespace: ingress
-spec:
-  interval: 1m
-  chart:
-    spec:
-      version: "1.35.0"
-      chart: flagger
-      sourceRef:
-        kind: HelmRepository
-        name: flagger
-        namespace: ingress
-      interval: 1m
-  values:
-    prometheus:
-      install: false
-    meshProvider: nginx
-    metricsServer: "https://prometheus.svc-dev.ink"
-    serviceMonitor:
-      enabled: true
-      namespace: monitoring

apps/monitor/flagger/repository.yaml

@@ -1,8 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1beta2
-kind: HelmRepository
-metadata:
-  name: flagger
-  namespace: ingress
-spec:
-  interval: 1m0s
-  url: https://flagger.app 

apps/monitor/kube-prometheus-stack/kube-state-metrics-config.yaml

@@ -1,275 +0,0 @@
-kube-state-metrics:
-  # For kube-prometheus-stacks that are already installed and configured with
-  # custom collectors, commenting out the collectors and extraArgs below will
-  # retain any existing kube-state-metrics configuration.
-  collectors: [ ]
-  extraArgs:
-    - --custom-resource-state-only=true
-  rbac:
-    extraRules:
-      - apiGroups:
-          - source.toolkit.fluxcd.io
-          - kustomize.toolkit.fluxcd.io
-          - helm.toolkit.fluxcd.io
-          - notification.toolkit.fluxcd.io
-          - image.toolkit.fluxcd.io
-        resources:
-          - gitrepositories
-          - buckets
-          - helmrepositories
-          - helmcharts
-          - ocirepositories
-          - kustomizations
-          - helmreleases
-          - alerts
-          - providers
-          - receivers
-          - imagerepositories
-          - imagepolicies
-          - imageupdateautomations
-        verbs: [ "list", "watch" ]
-  customResourceState:
-    enabled: true
-    config:
-      spec:
-        resources:
-          - groupVersionKind:
-              group: kustomize.toolkit.fluxcd.io
-              version: v1
-              kind: Kustomization
-            metricNamePrefix: gotk
-            metrics:
-              - name: "resource_info"
-                help: "The current state of a GitOps Toolkit resource."
-                each:
-                  type: Info
-                  info:
-                    labelsFromPath:
-                      name: [ metadata, name ]
-                labelsFromPath:
-                  exported_namespace: [ metadata, namespace ]
-                  ready: [ status, conditions, "[type=Ready]", status ]
-                  suspended: [ spec, suspend ]
-                  revision: [ status, lastAppliedRevision ]
-                  source_name: [ spec, sourceRef, name ]
-          - groupVersionKind:
-              group: helm.toolkit.fluxcd.io
-              version: v2beta2
-              kind: HelmRelease
-            metricNamePrefix: gotk
-            metrics:
-              - name: "resource_info"
-                help: "The current state of a GitOps Toolkit resource."
-                each:
-                  type: Info
-                  info:
-                    labelsFromPath:
-                      name: [ metadata, name ]
-                labelsFromPath:
-                  exported_namespace: [ metadata, namespace ]
-                  ready: [ status, conditions, "[type=Ready]", status ]
-                  suspended: [ spec, suspend ]
-                  revision: [ status, lastAppliedRevision ]
-                  chart_name: [ spec, chart, spec, chart ]
-                  chart_source_name: [ spec, chart, spec, sourceRef, name ]
-          - groupVersionKind:
-              group: source.toolkit.fluxcd.io
-              version: v1
-              kind: GitRepository
-            metricNamePrefix: gotk
-            metrics:
-              - name: "resource_info"
-                help: "The current state of a GitOps Toolkit resource."
-                each:
-                  type: Info
-                  info:
-                    labelsFromPath:
-                      name: [ metadata, name ]
-                labelsFromPath:
-                  exported_namespace: [ metadata, namespace ]
-                  ready: [ status, conditions, "[type=Ready]", status ]
-                  suspended: [ spec, suspend ]
-                  revision: [ status, artifact, revision ]
-                  url: [ spec, url ]
-          - groupVersionKind:
-              group: source.toolkit.fluxcd.io
-              version: v1beta2
-              kind: Bucket
-            metricNamePrefix: gotk
-            metrics:
-              - name: "resource_info"
-                help: "The current state of a GitOps Toolkit resource."
-                each:
-                  type: Info
-                  info:
-                    labelsFromPath:
-                      name: [ metadata, name ]
-                labelsFromPath:
-                  exported_namespace: [ metadata, namespace ]
-                  ready: [ status, conditions, "[type=Ready]", status ]
-                  suspended: [ spec, suspend ]
-                  revision: [ status, artifact, revision ]
-                  endpoint: [ spec, endpoint ]
-                  bucket_name: [ spec, bucketName ]
-          - groupVersionKind:
-              group: source.toolkit.fluxcd.io
-              version: v1beta2
-              kind: HelmRepository
-            metricNamePrefix: gotk
-            metrics:
-              - name: "resource_info"
-                help: "The current state of a GitOps Toolkit resource."
-                each:
-                  type: Info
-                  info:
-                    labelsFromPath:
-                      name: [ metadata, name ]
-                labelsFromPath:
-                  exported_namespace: [ metadata, namespace ]
-                  ready: [ status, conditions, "[type=Ready]", status ]
-                  suspended: [ spec, suspend ]
-                  revision: [ status, artifact, revision ]
-                  url: [ spec, url ]
-          - groupVersionKind:
-              group: source.toolkit.fluxcd.io
-              version: v1beta2
-              kind: HelmChart
-            metricNamePrefix: gotk
-            metrics:
-              - name: "resource_info"
-                help: "The current state of a GitOps Toolkit resource."
-                each:
-                  type: Info
-                  info:
-                    labelsFromPath:
-                      name: [ metadata, name ]
-                labelsFromPath:
-                  exported_namespace: [ metadata, namespace ]
-                  ready: [ status, conditions, "[type=Ready]", status ]
-                  suspended: [ spec, suspend ]
-                  revision: [ status, artifact, revision ]
-                  chart_name: [ spec, chart ]
-                  chart_version: [ spec, version ]
-          - groupVersionKind:
-              group: source.toolkit.fluxcd.io
-              version: v1beta2
-              kind: OCIRepository
-            metricNamePrefix: gotk
-            metrics:
-              - name: "resource_info"
-                help: "The current state of a GitOps Toolkit resource."
-                each:
-                  type: Info
-                  info:
-                    labelsFromPath:
-                      name: [ metadata, name ]
-                labelsFromPath:
-                  exported_namespace: [ metadata, namespace ]
-                  ready: [ status, conditions, "[type=Ready]", status ]
-                  suspended: [ spec, suspend ]
-                  revision: [ status, artifact, revision ]
-                  url: [ spec, url ]
-          - groupVersionKind:
-              group: notification.toolkit.fluxcd.io
-              version: v1beta3
-              kind: Alert
-            metricNamePrefix: gotk
-            metrics:
-              - name: "resource_info"
-                help: "The current state of a GitOps Toolkit resource."
-                each:
-                  type: Info
-                  info:
-                    labelsFromPath:
-                      name: [ metadata, name ]
-                labelsFromPath:
-                  exported_namespace: [ metadata, namespace ]
-                  suspended: [ spec, suspend ]
-          - groupVersionKind:
-              group: notification.toolkit.fluxcd.io
-              version: v1beta3
-              kind: Provider
-            metricNamePrefix: gotk
-            metrics:
-              - name: "resource_info"
-                help: "The current state of a GitOps Toolkit resource."
-                each:
-                  type: Info
-                  info:
-                    labelsFromPath:
-                      name: [ metadata, name ]
-                labelsFromPath:
-                  exported_namespace: [ metadata, namespace ]
-                  suspended: [ spec, suspend ]
-          - groupVersionKind:
-              group: notification.toolkit.fluxcd.io
-              version: v1
-              kind: Receiver
-            metricNamePrefix: gotk
-            metrics:
-              - name: "resource_info"
-                help: "The current state of a GitOps Toolkit resource."
-                each:
-                  type: Info
-                  info:
-                    labelsFromPath:
-                      name: [ metadata, name ]
-                labelsFromPath:
-                  exported_namespace: [ metadata, namespace ]
-                  ready: [ status, conditions, "[type=Ready]", status ]
-                  suspended: [ spec, suspend ]
-                  webhook_path: [ status, webhookPath ]
-          - groupVersionKind:
-              group: image.toolkit.fluxcd.io
-              version: v1beta2
-              kind: ImageRepository
-            metricNamePrefix: gotk
-            metrics:
-              - name: "resource_info"
-                help: "The current state of a GitOps Toolkit resource."
-                each:
-                  type: Info
-                  info:
-                    labelsFromPath:
-                      name: [ metadata, name ]
-                labelsFromPath:
-                  exported_namespace: [ metadata, namespace ]
-                  ready: [ status, conditions, "[type=Ready]", status ]
-                  suspended: [ spec, suspend ]
-                  image: [ spec, image ]
-          - groupVersionKind:
-              group: image.toolkit.fluxcd.io
-              version: v1beta2
-              kind: ImagePolicy
-            metricNamePrefix: gotk
-            metrics:
-              - name: "resource_info"
-                help: "The current state of a GitOps Toolkit resource."
-                each:
-                  type: Info
-                  info:
-                    labelsFromPath:
-                      name: [ metadata, name ]
-                labelsFromPath:
-                  exported_namespace: [ metadata, namespace ]
-                  ready: [ status, conditions, "[type=Ready]", status ]
-                  suspended: [ spec, suspend ]
-                  source_name: [ spec, imageRepositoryRef, name ]
-          - groupVersionKind:
-              group: image.toolkit.fluxcd.io
-              version: v1beta1
-              kind: ImageUpdateAutomation
-            metricNamePrefix: gotk
-            metrics:
-              - name: "resource_info"
-                help: "The current state of a GitOps Toolkit resource."
-                each:
-                  type: Info
-                  info:
-                    labelsFromPath:
-                      name: [ metadata, name ]
-                labelsFromPath:
-                  exported_namespace: [ metadata, namespace ]
-                  ready: [ status, conditions, "[type=Ready]", status ]
-                  suspended: [ spec, suspend ]
-                  source_name: [ spec, sourceRef, name ]

apps/monitor/kube-prometheus-stack/kustomization.yaml

@@ -1,18 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: monitoring
-resources:
-  - repository.yaml
-  - release.yaml
-  - podmonitor-gitops-system.yaml
-  - podmonitor-ingress.yaml
-configMapGenerator:
-  - name: flux-kube-state-metrics-config
-    files:
-      - kube-state-metrics-config.yaml
-    options:
-      labels:
-        app.kubernetes.io/part-of: flux
-        app.kubernetes.io/component: monitoring
-configurations:
-  - kustomizeconfig.yaml

apps/monitor/kube-prometheus-stack/kustomizeconfig.yaml

@@ -1,6 +0,0 @@
-nameReference:
-- kind: ConfigMap
-  version: v1
-  fieldSpecs:
-  - path: spec/valuesFrom/name
-    kind: HelmRelease

apps/monitor/kube-prometheus-stack/podmonitor-gitops-system.yaml

@@ -1,30 +0,0 @@
-apiVersion: monitoring.coreos.com/v1
-kind: PodMonitor
-metadata:
-  name: gitops-system
-  namespace: monitoring
-  labels:
-    app.kubernetes.io/part-of: flux
-    app.kubernetes.io/component: monitoring
-spec:
-  namespaceSelector:
-    matchNames:
-      - gitops-system
-  selector:
-    matchExpressions:
-      - key: app
-        operator: In
-        values:
-          - helm-controller
-          - source-controller
-          - kustomize-controller
-          - notification-controller
-          - image-automation-controller
-          - image-reflector-controller
-  podMetricsEndpoints:
-    - port: "8080"
-      relabelings:
-        # https://github.com/prometheus-operator/prometheus-operator/issues/4816
-        - sourceLabels: [__meta_kubernetes_pod_phase]
-          action: keep
-          regex: Running

apps/monitor/kube-prometheus-stack/podmonitor-ingress.yaml

@@ -1,18 +0,0 @@
-apiVersion: monitoring.coreos.com/v1
-kind: PodMonitor
-metadata:
-  name: nginx-ingress-podmonitor
-  labels:
-    app.kubernetes.io/part-of: nginx
-    app.kubernetes.io/component: monitoring
-spec:
-  selector:
-    matchLabels:
-      app.kubernetes.io/instance: nginx
-  namespaceSelector:
-    matchNames:
-      - ingress
-  podMetricsEndpoints:
-    - port: "9113"
-      interval: 30s
-      path: /metrics

apps/monitor/kube-prometheus-stack/release.yaml

@@ -1,60 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
-kind: HelmRelease
-metadata:
-  name: prometheus-agent 
-spec:
-  interval: 1m
-  chart:
-    spec:
-      version: "55.x"
-      chart: kube-prometheus-stack
-      sourceRef:
-        kind: HelmRepository
-        name: prometheus-community
-      interval: 10m
-  install:
-    crds: Create
-  upgrade:
-    crds: CreateReplace
-  driftDetection:
-    mode: enabled
-    ignore:
-      # Ignore "validated" annotation which is not inserted during install
-      - paths: [ "/metadata/annotations/prometheus-operator-validated" ]
-        target:
-          kind: PrometheusRule
-  valuesFrom:
-  - kind: ConfigMap
-    name: flux-kube-state-metrics-config
-    valuesKey: kube-state-metrics-config.yaml
-  # https://github.com/prometheus-community/helm-charts/blob/main/charts/kube-prometheus-stack/values.yaml
-  values:
-    global:
-      imageRegistry: "artifact.onwalk.net/base"
-    prometheus:
-      agentMode: true
-      prometheusSpec:
-        remoteWrite:
-        - name: remote_prometheus
-          url: 'https://prometheus.svc-dev.ink/api/v1/write'
-        retention: 24h
-        resources:
-          requests:
-            cpu: 200m
-            memory: 200Mi
-        podMonitorNamespaceSelector: { }
-        podMonitorSelector:
-          matchLabels:
-            app.kubernetes.io/component: monitoring
-    defaultRules:
-      create: false
-    grafana:
-      enabled: false
-    prometheus-windows-exporter:
-      enabled: false
-    alertmanager:
-      enabled: false
-    nodeExporter:
-      enabled: true
-    kubeStateMetrics:
-      enabled: true

apps/monitor/kube-prometheus-stack/repository.yaml

@@ -1,8 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1beta2
-kind: HelmRepository
-metadata:
-  name: prometheus-community
-spec:
-  interval: 12h
-  type: oci
-  url: oci://ghcr.io/prometheus-community/charts

apps/monitor/loki-stack/kustomization.yaml

@@ -1,6 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: monitoring
-resources:
-  - repository.yaml
-  - release.yaml

apps/monitor/loki-stack/release.yaml

@@ -1,60 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
-kind: HelmRelease
-metadata:
-  name: loki-stack
-spec:
-  interval: 1m
-#  dependsOn:
-#    - name: kube-prometheus-stack
-  chart:
-    spec:
-      version: "2.x"
-      chart: loki-stack
-      sourceRef:
-        kind: HelmRepository
-        name: grafana-charts
-      interval: 60m
-  # https://github.com/grafana/helm-charts/blob/main/charts/loki-stack/values.yaml
-  # https://github.com/grafana/loki/blob/main/production/helm/loki/values.yaml
-  values:
-    promtail:
-      enabled: true
-    loki:
-      enabled: true
-      isDefault: false
-      ingress:
-        enabled: true
-        ingressClassName: nginx
-        hosts:
-          - host: loki.svc-dev.ink
-            paths:
-              - "/"
-        tls:
-          - secretName: obs-tls
-            hosts:
-              - loki.svc-dev.ink
-      ruler:
-        storage:
-          type: local
-          local:
-            directory: /rules
-        rule_path: /tmp/scratch
-        alertmanager_url: https://alertmanager.svc-dev.ink
-        ring:
-          kvstore:
-            store: inmemory
-        enable_api: true
-        remote_write:
-          enabled: true
-          client:
-            url: http://prometheus.svc-dev.ink/api/v1/write
-      serviceMonitor:
-        enabled: true
-        additionalLabels:
-          app.kubernetes.io/part-of: kube-prometheus-stack
-      config:
-        chunk_store_config:
-          max_look_back_period: 0s
-        table_manager:
-          retention_deletes_enabled: true
-          retention_period: 12h

apps/monitor/loki-stack/repository.yaml

@@ -1,7 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1beta2
-kind: HelmRepository
-metadata:
-  name: grafana-charts
-spec:
-  interval: 120m0s
-  url: https://grafana.github.io/helm-charts

apps/monitor/observability-agent/release.yaml

@@ -1,101 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1beta2
-kind: HelmRepository
-metadata:
-  name: stable
-  namespace: monitoring
-spec:
-  interval: 10m
-  url: https://charts.onwalk.net/
----
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
-kind: HelmRelease
-metadata:
-  name: observabilityagent
-  namespace: monitoring
-spec:
-  chart:
-    spec:
-      chart: observabilityagent
-      version: "0.1.7"
-      sourceRef:
-        kind: HelmRepository
-        name: stable
-        namespace: monitoring
-  interval: 1m
-  values:
-    fluent-bit:
-      enabled: false
-    telegraf:
-      enabled: true
-      config:
-        agent:
-          interval: "10s"
-          round_interval: true
-          metric_batch_size: 1000
-          metric_buffer_limit: 10000
-          collection_jitter: "0s"
-          flush_interval: "10s"
-          flush_jitter: "0s"
-          precision: ""
-          debug: false
-          quiet: false
-          logfile: ""
-          hostname: "$HOSTNAME"
-          omit_hostname: true
-        processors:
-          - enum:
-              mapping:
-                field: "status"
-                dest: "status_code"
-                value_mappings:
-                  healthy: 1
-                  problem: 2
-                  critical: 3
-        outputs:
-          - influxdb:
-              urls:
-                - "https://influxdb.svc-dev.ink"
-              database: "telegraf"
-        inputs:
-          - net:
-              interfaces: *
-          - statsd:
-              service_address: ":8125"
-              percentiles:
-                - 50
-                - 95
-                - 99
-              metric_separator: "_"
-              allowed_pending_messages: 10000
-              percentile_limit: 1000
-    deepflow-agent:
-      enabled: true
-      deepflowServerNodeIPS:
-        - 10.0.1.3
-      deepflowK8sClusterID: d-rUJ4CUKMUt
-    prometheus:
-      enabled: true
-      server:
-        name: agent
-        retention: "30m"
-        extraFlags:
-        - web.enable-lifecycle
-        - enable-feature=expand-external-labels
-        remoteWrite:
-        - name: remote_prometheus
-          url: 'https://prometheus.svc-dev.ink/api/v1/write'
-        persistentVolume:
-          enabled: false
-      alertmanager:
-        enabled: false
-      prometheus-pushgateway:
-        enabled: false
-      kube-state-metrics:
-        enabled: false
-      prometheus-node-exporter:
-        enabled: false
-    promtail:
-      enabled: true
-      config:
-        clients:
-          - url: https://loki.svc-dev.ink/loki/api/v1/push

apps/monitor/prometheus-agent.yaml

@@ -1,94 +0,0 @@
-apiVersion: monitoring.coreos.com/v1alpha1
-kind: PrometheusAgent
-metadata:
-  annotations:
-    meta.helm.sh/release-name: prometheus-agent
-    meta.helm.sh/release-namespace: monitoring
-  creationTimestamp: "2023-12-27T12:13:56Z"
-  generation: 2
-  labels:
-    app: kube-prometheus-stack-prometheus
-    app.kubernetes.io/instance: prometheus-agent
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/part-of: kube-prometheus-stack
-    app.kubernetes.io/version: 55.5.0
-    chart: kube-prometheus-stack-55.5.0
-    helm.toolkit.fluxcd.io/name: prometheus-agent
-    helm.toolkit.fluxcd.io/namespace: monitoring
-    heritage: Helm
-    release: prometheus-agent
-  name: prometheus-agent-kube-prom-prometheus
-  namespace: monitoring
-  resourceVersion: "14691"
-  uid: 9bf6429e-2ae1-4568-95ee-0e2dc1a4071f
-spec:
-  externalUrl: http://prometheus-agent-kube-prom-prometheus.monitoring:9090
-  hostNetwork: false
-  image: artifact.onwalk.net/base/prometheus/prometheus:v2.48.1
-  listenLocal: false
-  logFormat: logfmt
-  logLevel: info
-  paused: false
-  podMonitorNamespaceSelector: {}
-  podMonitorSelector:
-    matchLabels:
-      app.kubernetes.io/component: monitoring
-  portName: http-web
-  probeNamespaceSelector: {}
-  probeSelector:
-    matchLabels:
-      release: prometheus-agent
-  remoteWrite:
-  - name: remote_prometheus
-    url: https://prometheus.svc-dev.ink/api/v1/write
-  replicas: 1
-  resources:
-    requests:
-      cpu: 200m
-      memory: 200Mi
-  routePrefix: /
-  scrapeConfigNamespaceSelector: {}
-  scrapeConfigSelector:
-    matchLabels:
-      release: prometheus-agent
-  scrapeInterval: 30s
-  securityContext:
-    fsGroup: 2000
-    runAsGroup: 2000
-    runAsNonRoot: true
-    runAsUser: 1000
-    seccompProfile:
-      type: RuntimeDefault
-  serviceAccountName: prometheus-agent-kube-prom-prometheus
-  serviceMonitorNamespaceSelector: {}
-  serviceMonitorSelector:
-    matchLabels:
-      release: prometheus-agent
-  shards: 1
-  version: v2.48.1
-  walCompression: true
-status:
-  availableReplicas: 1
-  conditions:
-  - lastTransitionTime: "2023-12-27T13:20:17Z"
-    message: ""
-    observedGeneration: 2
-    reason: ""
-    status: "True"
-    type: Available
-  - lastTransitionTime: "2023-12-27T13:20:17Z"
-    message: ""
-    observedGeneration: 2
-    reason: ""
-    status: "True"
-    type: Reconciled
-  paused: false
-  replicas: 1
-  shardStatuses:
-  - availableReplicas: 1
-    replicas: 1
-    shardID: "0"
-    unavailableReplicas: 0
-    updatedReplicas: 1
-  unavailableReplicas: 0
-  updatedReplicas: 1

apps/mysql/kustomization.yaml

@@ -1,5 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: itsm-dev
-resources:
-  - release.yaml

apps/mysql/release.yaml

@@ -1,37 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
-kind: HelmRelease
-metadata:
-  name: mysql
-  namespace: itsm-dev
-spec:
-  interval: 1m
-  chart:
-    spec:
-      version: "9.21.2"
-      chart: mysql
-      sourceRef:
-        kind: HelmRepository
-        name: stable
-        namespace: itsm-dev
-      interval: 1m
-  values:
-    global:
-      imageRegistry: "artifact.onwalk.net/public"
-    architecture: standalone
-    auth:
-      createDatabase: true
-      database: "apisix"
-      username: "apisix"
-      password: "apisix"
-      existingSecret: ""
-    primary:
-      persistence:
-        enabled: true
-        size: 8Gi
-      resources:
-        requests:
-          cpu: 250m
-          memory: 400Mi
-        limits:
-          cpu: 500m
-          memory: 800Mi

apps/postgresql/kustomization.yaml

@@ -1,5 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: itsm-dev
-resources:
-  - release.yaml

apps/postgresql/release.yaml

@@ -1,37 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
-kind: HelmRelease
-metadata:
-  name: postgresql
-  namespace: itsm-dev
-spec:
-  interval: 1m
-  chart:
-    spec:
-      version: "12.3.1"
-      chart: postgresql
-      sourceRef:
-        kind: HelmRepository
-        name: stable
-        namespace: itsm-dev
-      interval: 1m
-  values:
-    enabled: true
-    fullnameOverride: windmill-postgresql
-    global:
-      imageRegistry: ""
-      postgresql:
-        auth:
-          postgresPassword: "windmill"
-          username: "postgres"
-          password: "windmill"
-          database: "windmill"
-    primary:
-      persistence:
-        enabled: true
-      resources:
-        requests:
-          memory: 100Mi
-          cpu: 100m
-        limits:
-          cpu: "200m"
-          memory: "300Mi"

apps/redis/kustomization.yaml

@@ -1,5 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: itsm-dev
-resources:
-  - release.yaml

apps/redis/release.yaml

@@ -1,38 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
-kind: HelmRelease
-metadata:
-  name: redis
-  namespace: itsm-dev
-spec:
-  interval: 1m
-  chart:
-    spec:
-      version: "18.12.1"
-      chart: redis
-      sourceRef:
-        kind: HelmRepository
-        name: stable
-        namespace: itsm-dev
-      interval: 1m
-  values:
-    enabled: true
-    nameOverride: "redis"
-    architecture: standalone
-    global:
-      imageRegistry: ""
-      redis:
-        password: "redis"
-    auth:
-      enabled: true
-      sentinel: false
-      password: ""
-    master:
-      persistence:
-        enabled: false
-      resources:
-        requests:
-          memory: 100Mi
-          cpu: 100m
-        limits:
-          cpu: "200m"
-          memory: "300Mi"

clusters/app/helmrepo.yaml

@@ -1,8 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1beta2
-kind: HelmRepository
-metadata:
-  name: stable
-  namespace: monitoring
-spec:
-  interval: 1m
-  url: https://charts.onwalk.net/

clusters/app/kustomization.yaml

@@ -1,7 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: monitoring
-resources:
-  - namespace.yaml
-  - helmrepo.yaml
-  - observability-agent.yaml

clusters/app/namespace.yaml

@@ -1,4 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: monitoring

clusters/devops/kustomization.yaml

@@ -1,12 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - namespace.yaml
-  - ../../apps/monitor/observability-agent/
-  - ../../apps/monitor/kube-prometheus-stack/
-  - ../../apps/monitor/flagger/
-  - ../../apps/demo/c-app
-  - ../../apps/demo/js-app
-  - ../../apps/demo/python-app
-  - ../../apps/demo/go-app
-  - ../../apps/demo/rust-app

clusters/devops/namespace.yaml

@@ -1,6 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: monitoring
-  labels:
-    app.kubernetes.io/component: monitoring

clusters/k3s-local/kustomization.yaml

@@ -1,11 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - namespace.yaml
-  - repository.yaml
-  - ../../apps/itsm-dev/
-  - ../../apps/redis/
-  - ../../apps/mysql/
-  - ../../apps/postgresql/
-  - ../../apps/mongodb/
-  - ../../apps/minio/

clusters/k3s-local/namespace.yaml

@@ -1,4 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: itsm-dev

clusters/k3s-local/repository.yaml

@@ -1,8 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1beta2
-kind: HelmRepository
-metadata:
-  name: stable
-  namespace: itsm-dev
-spec:
-  interval: 1m0s
-  url: https://charts.onwalk.net

clusters/monitor/alert-rules-patch.yaml

@@ -1,53 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  annotations:
-    meta.helm.sh/release-name: observability-server
-    meta.helm.sh/release-namespace: monitoring
-  labels:
-    app.kubernetes.io/component: server
-    app.kubernetes.io/instance: observability-server
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/name: prometheus
-    app.kubernetes.io/part-of: prometheus
-    app.kubernetes.io/version: v2.48.1
-    helm.sh/chart: prometheus-25.8.2
-  name: observability-server-prometheus-server
-  namespace: monitoring
-data:
-  alerting_rules.yml: |
-    groups:
-      - name: host-monitoring
-        rules:
-          - alert: HighLoad
-            expr: node_load1 > 2.0
-            for: 5m
-            labels:
-              severity: warning
-            annotations:
-              summary: High load on {{ $labels.instance }}
-              description: "Load is High (threshold: 2.0)"
-          - alert: HighCpuUsage
-            expr: 100 - (avg by (instance) (irate(node_cpu_seconds_total{mode="idle"}[5m])) * 100) > 90
-            for: 5m
-            labels:
-              severity: critical
-            annotations:
-              summary: High CPU usage on {{ $labels.instance }}
-              description: "CPU usage is > 80%"
-          - alert: HighMemoryUsage
-            expr: (node_memory_MemTotal_bytes - node_memory_MemFree_bytes - node_memory_Buffers_bytes - node_memory_Cached_bytes) / node_memory_MemTotal_bytes * 100 > 90
-            for: 5m
-            labels:
-              severity: warning
-            annotations:
-              summary: High memory usage on {{ $labels.instance }}
-              description: "Memory usage is High"
-          - alert: HighDiskUsage
-            expr: node_filesystem_avail_bytes{fstype="ext4"} / node_filesystem_size_bytes{fstype="ext4"} * 100 < 10
-            for: 5m
-            labels:
-              severity: critical
-            annotations:
-              summary: High disk usage on {{ $labels.instance }}
-              description: "Disk usage is High"

clusters/monitor/helmrepo.yaml

@@ -1,8 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1beta2
-kind: HelmRepository
-metadata:
-  name: stable
-  namespace: monitoring
-spec:
-  interval: 1m
-  url: https://charts.onwalk.net/

clusters/monitor/ingress-flagger.yaml

@@ -1,24 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  annotations:
-    nginx.ingress.kubernetes.io/ssl-redirect: "true"
-  name: flagger
-  namespace: monitoring
-spec:
-  ingressClassName: nginx
-  rules:
-  - host: flaggerloadtester.svc-dev.ink
-    http:
-      paths:
-      - backend:
-          service:
-            name: flagger-loadtester
-            port:
-              number: 80
-        path: /
-        pathType: Prefix
-  tls:
-  - hosts:
-    - flaggerloadtester.svc-dev.ink
-    secretName: obs-tls

clusters/monitor/kustomization.yaml

@@ -1,14 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: monitoring
-resources:
-  - ../../apps/monitor/flagger/
-  - ../../apps/monitor/flagger-loadtester/
-  - ../../apps/monitor/loki-stack
-  - namespace.yaml
-  - helmrepo.yaml
-  - observability-agent.yaml
-  - ingress-flagger.yaml
-#  - prometheus-server-configmap.yaml
-#  - alert-rules-patch.yaml
-#  - recording-rules-patch.yaml

clusters/monitor/namespace.yaml

@@ -1,4 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: monitoring

clusters/monitor/observability-agent.yaml

@@ -1,27 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
-kind: HelmRelease
-metadata:
-  name: observabilityagent
-  namespace: monitoring
-spec:
-  chart:
-    spec:
-      chart: observabilityagent
-      version: "0.1.7"
-      sourceRef:
-        kind: HelmRepository
-        name: stable
-        namespace: monitoring
-  interval: 1m
-  values:
-    fluent-bit:
-      enabled: false
-    deepflow-agent:
-      enabled: false
-    prometheus:
-      enabled: false
-    promtail:
-      enabled: true
-      config:
-        clients:
-          - url: https://loki.svc-dev.ink/loki/api/v1/push

clusters/monitor/prometheus-server-configmap.yaml

@@ -1,339 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  annotations:
-    meta.helm.sh/release-name: observability-server
-    meta.helm.sh/release-namespace: monitoring
-  labels:
-    app.kubernetes.io/component: server
-    app.kubernetes.io/instance: observability-server
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/name: prometheus
-    app.kubernetes.io/part-of: prometheus
-    app.kubernetes.io/version: v2.48.1
-    helm.sh/chart: prometheus-25.8.2
-  name: observability-server-prometheus-server
-  namespace: monitoring
-data:
-  alerting_rules.yml: |
-    {}
-  alerts: |
-    {}
-  allow-snippet-annotations: "false"
-  prometheus.yml: |
-    global:
-      evaluation_interval: 1m
-      scrape_interval: 1m
-      scrape_timeout: 10s
-    rule_files:
-    - /etc/config/recording_rules.yml
-    - /etc/config/alerting_rules.yml
-    scrape_configs:
-    - job_name: prometheus
-      static_configs:
-      - targets:
-        - localhost:9090
-    - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
-      job_name: kubernetes-apiservers
-      kubernetes_sd_configs:
-      - role: endpoints
-      relabel_configs:
-      - action: keep
-        regex: default;kubernetes;https
-        source_labels:
-        - __meta_kubernetes_namespace
-        - __meta_kubernetes_service_name
-        - __meta_kubernetes_endpoint_port_name
-      scheme: https
-      tls_config:
-        ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
-        insecure_skip_verify: true
-    - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
-      job_name: kubernetes-nodes
-      kubernetes_sd_configs:
-      - role: node
-      relabel_configs:
-      - action: labelmap
-        regex: __meta_kubernetes_node_label_(.+)
-      - replacement: kubernetes.default.svc:443
-        target_label: __address__
-      - regex: (.+)
-        replacement: /api/v1/nodes/$1/proxy/metrics
-        source_labels:
-        - __meta_kubernetes_node_name
-        target_label: __metrics_path__
-      scheme: https
-      tls_config:
-        ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
-        insecure_skip_verify: true
-    - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
-      job_name: kubernetes-nodes-cadvisor
-      kubernetes_sd_configs:
-      - role: node
-      relabel_configs:
-      - action: labelmap
-        regex: __meta_kubernetes_node_label_(.+)
-      - replacement: kubernetes.default.svc:443
-        target_label: __address__
-      - regex: (.+)
-        replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor
-        source_labels:
-        - __meta_kubernetes_node_name
-        target_label: __metrics_path__
-      scheme: https
-      tls_config:
-        ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
-        insecure_skip_verify: true
-    - honor_labels: true
-      job_name: kubernetes-service-endpoints
-      kubernetes_sd_configs:
-      - role: endpoints
-      relabel_configs:
-      - action: keep
-        regex: true
-        source_labels:
-        - __meta_kubernetes_service_annotation_prometheus_io_scrape
-      - action: drop
-        regex: true
-        source_labels:
-        - __meta_kubernetes_service_annotation_prometheus_io_scrape_slow
-      - action: replace
-        regex: (https?)
-        source_labels:
-        - __meta_kubernetes_service_annotation_prometheus_io_scheme
-        target_label: __scheme__
-      - action: replace
-        regex: (.+)
-        source_labels:
-        - __meta_kubernetes_service_annotation_prometheus_io_path
-        target_label: __metrics_path__
-      - action: replace
-        regex: (.+?)(?::\d+)?;(\d+)
-        replacement: $1:$2
-        source_labels:
-        - __address__
-        - __meta_kubernetes_service_annotation_prometheus_io_port
-        target_label: __address__
-      - action: labelmap
-        regex: __meta_kubernetes_service_annotation_prometheus_io_param_(.+)
-        replacement: __param_$1
-      - action: labelmap
-        regex: __meta_kubernetes_service_label_(.+)
-      - action: replace
-        source_labels:
-        - __meta_kubernetes_namespace
-        target_label: namespace
-      - action: replace
-        source_labels:
-        - __meta_kubernetes_service_name
-        target_label: service
-      - action: replace
-        source_labels:
-        - __meta_kubernetes_pod_node_name
-        target_label: node
-    - honor_labels: true
-      job_name: kubernetes-service-endpoints-slow
-      kubernetes_sd_configs:
-      - role: endpoints
-      relabel_configs:
-      - action: keep
-        regex: true
-        source_labels:
-        - __meta_kubernetes_service_annotation_prometheus_io_scrape_slow
-      - action: replace
-        regex: (https?)
-        source_labels:
-        - __meta_kubernetes_service_annotation_prometheus_io_scheme
-        target_label: __scheme__
-      - action: replace
-        regex: (.+)
-        source_labels:
-        - __meta_kubernetes_service_annotation_prometheus_io_path
-        target_label: __metrics_path__
-      - action: replace
-        regex: (.+?)(?::\d+)?;(\d+)
-        replacement: $1:$2
-        source_labels:
-        - __address__
-        - __meta_kubernetes_service_annotation_prometheus_io_port
-        target_label: __address__
-      - action: labelmap
-        regex: __meta_kubernetes_service_annotation_prometheus_io_param_(.+)
-        replacement: __param_$1
-      - action: labelmap
-        regex: __meta_kubernetes_service_label_(.+)
-      - action: replace
-        source_labels:
-        - __meta_kubernetes_namespace
-        target_label: namespace
-      - action: replace
-        source_labels:
-        - __meta_kubernetes_service_name
-        target_label: service
-      - action: replace
-        source_labels:
-        - __meta_kubernetes_pod_node_name
-        target_label: node
-      scrape_interval: 5m
-      scrape_timeout: 30s
-    - honor_labels: true
-      job_name: prometheus-pushgateway
-      kubernetes_sd_configs:
-      - role: service
-      relabel_configs:
-      - action: keep
-        regex: pushgateway
-        source_labels:
-        - __meta_kubernetes_service_annotation_prometheus_io_probe
-    - honor_labels: true
-      job_name: kubernetes-services
-      kubernetes_sd_configs:
-      - role: service
-      metrics_path: /probe
-      params:
-        module:
-        - http_2xx
-      relabel_configs:
-      - action: keep
-        regex: true
-        source_labels:
-        - __meta_kubernetes_service_annotation_prometheus_io_probe
-      - source_labels:
-        - __address__
-        target_label: __param_target
-      - replacement: blackbox
-        target_label: __address__
-      - source_labels:
-        - __param_target
-        target_label: instance
-      - action: labelmap
-        regex: __meta_kubernetes_service_label_(.+)
-      - source_labels:
-        - __meta_kubernetes_namespace
-        target_label: namespace
-      - source_labels:
-        - __meta_kubernetes_service_name
-        target_label: service
-    - honor_labels: true
-      job_name: kubernetes-pods
-      kubernetes_sd_configs:
-      - role: pod
-      relabel_configs:
-      - action: keep
-        regex: true
-        source_labels:
-        - __meta_kubernetes_pod_annotation_prometheus_io_scrape
-      - action: drop
-        regex: true
-        source_labels:
-        - __meta_kubernetes_pod_annotation_prometheus_io_scrape_slow
-      - action: replace
-        regex: (https?)
-        source_labels:
-        - __meta_kubernetes_pod_annotation_prometheus_io_scheme
-        target_label: __scheme__
-      - action: replace
-        regex: (.+)
-        source_labels:
-        - __meta_kubernetes_pod_annotation_prometheus_io_path
-        target_label: __metrics_path__
-      - action: replace
-        regex: (\d+);(([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4})
-        replacement: '[$2]:$1'
-        source_labels:
-        - __meta_kubernetes_pod_annotation_prometheus_io_port
-        - __meta_kubernetes_pod_ip
-        target_label: __address__
-      - action: replace
-        regex: (\d+);((([0-9]+?)(\.|$)){4})
-        replacement: $2:$1
-        source_labels:
-        - __meta_kubernetes_pod_annotation_prometheus_io_port
-        - __meta_kubernetes_pod_ip
-        target_label: __address__
-      - action: labelmap
-        regex: __meta_kubernetes_pod_annotation_prometheus_io_param_(.+)
-        replacement: __param_$1
-      - action: labelmap
-        regex: __meta_kubernetes_pod_label_(.+)
-      - action: replace
-        source_labels:
-        - __meta_kubernetes_namespace
-        target_label: namespace
-      - action: replace
-        source_labels:
-        - __meta_kubernetes_pod_name
-        target_label: pod
-      - action: drop
-        regex: Pending|Succeeded|Failed|Completed
-        source_labels:
-        - __meta_kubernetes_pod_phase
-      - action: replace
-        source_labels:
-        - __meta_kubernetes_pod_node_name
-        target_label: node
-    - honor_labels: true
-      job_name: kubernetes-pods-slow
-      kubernetes_sd_configs:
-      - role: pod
-      relabel_configs:
-      - action: keep
-        regex: true
-        source_labels:
-        - __meta_kubernetes_pod_annotation_prometheus_io_scrape_slow
-      - action: replace
-        regex: (https?)
-        source_labels:
-        - __meta_kubernetes_pod_annotation_prometheus_io_scheme
-        target_label: __scheme__
-      - action: replace
-        regex: (.+)
-        source_labels:
-        - __meta_kubernetes_pod_annotation_prometheus_io_path
-        target_label: __metrics_path__
-      - action: replace
-        regex: (\d+);(([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4})
-        replacement: '[$2]:$1'
-        source_labels:
-        - __meta_kubernetes_pod_annotation_prometheus_io_port
-        - __meta_kubernetes_pod_ip
-        target_label: __address__
-      - action: replace
-        regex: (\d+);((([0-9]+?)(\.|$)){4})
-        replacement: $2:$1
-        source_labels:
-        - __meta_kubernetes_pod_annotation_prometheus_io_port
-        - __meta_kubernetes_pod_ip
-        target_label: __address__
-      - action: labelmap
-        regex: __meta_kubernetes_pod_annotation_prometheus_io_param_(.+)
-        replacement: __param_$1
-      - action: labelmap
-        regex: __meta_kubernetes_pod_label_(.+)
-      - action: replace
-        source_labels:
-        - __meta_kubernetes_namespace
-        target_label: namespace
-      - action: replace
-        source_labels:
-        - __meta_kubernetes_pod_name
-        target_label: pod
-      - action: drop
-        regex: Pending|Succeeded|Failed|Completed
-        source_labels:
-        - __meta_kubernetes_pod_phase
-      - action: replace
-        source_labels:
-        - __meta_kubernetes_pod_node_name
-        target_label: node
-      scrape_interval: 5m
-      scrape_timeout: 30s
-    alerting:
-      alertmanagers:
-        - static_configs:
-          - targets:
-            - alertmanager.svc-dev.ink
-  recording_rules.yml: |
-    {}
-  rules: |
-    {}

clusters/monitor/recording-rules-patch.yaml

@@ -1,29 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  annotations:
-    meta.helm.sh/release-name: observability-server
-    meta.helm.sh/release-namespace: monitoring
-  labels:
-    app.kubernetes.io/component: server
-    app.kubernetes.io/instance: observability-server
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/name: prometheus
-    app.kubernetes.io/part-of: prometheus
-    app.kubernetes.io/version: v2.48.1
-    helm.sh/chart: prometheus-25.8.2
-  name: observability-server-prometheus-server
-  namespace: monitoring
-data:
-  recording_rules.yml: |
-    groups:
-      - name: host-monitoring
-        rules:
-        - record: node_load1
-          expr: node_load1
-        - record: node_cpu_usage
-          expr: 100 - (avg by (instance) (irate(node_cpu_seconds_total{mode="idle"}[5m])) * 100)
-        - record: node_memory_usage
-          expr: (node_memory_MemTotal_bytes - node_memory_MemFree_bytes - node_memory_Buffers_bytes - node_memory_Cached_bytes) / node_memory_MemTotal_bytes * 100
-        - record: node_disk_usage
-          expr: 100 - (avg by (instance) (node_filesystem_avail_bytes{fstype="ext4"} / node_filesystem_size_bytes{fstype="ext4"}) * 100)

clusters/prod/kustomization.yaml

@@ -1,12 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - namespace.yaml
-  - ../../apps/monitor/observability-agent/
-  - ../../apps/monitor/kube-prometheus-stack/
-  - ../../apps/monitor/flagger/
-  - ../../apps/demo/c-app
-  - ../../apps/demo/js-app
-  - ../../apps/demo/python-app
-  - ../../apps/demo/go-app
-  - ../../apps/demo/rust-app

clusters/prod/namespace.yaml

@@ -1,6 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: monitoring
-  labels:
-    app.kubernetes.io/component: monitoring

clusters/sit/kustomization.yaml

@@ -1,12 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - namespace.yaml
-  - ../../apps/monitor/observability-agent/
-  - ../../apps/monitor/kube-prometheus-stack/
-  - ../../apps/monitor/flagger/
-  - ../../apps/demo/c-app
-  - ../../apps/demo/js-app
-  - ../../apps/demo/python-app
-  - ../../apps/demo/go-app
-  - ../../apps/demo/rust-app

clusters/sit/namespace.yaml

@@ -1,6 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: monitoring
-  labels:
-    app.kubernetes.io/component: monitoring

clusters/uat/kustomization.yaml

@@ -1,12 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - namespace.yaml
-  - ../../apps/monitor/observability-agent/
-  - ../../apps/monitor/kube-prometheus-stack/
-  - ../../apps/monitor/flagger/
-  - ../../apps/demo/c-app
-  - ../../apps/demo/js-app
-  - ../../apps/demo/python-app
-  - ../../apps/demo/go-app
-  - ../../apps/demo/rust-app

clusters/uat/namespace.yaml

@@ -1,6 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: monitoring
-  labels:
-    app.kubernetes.io/component: monitoring

docs/DOC_COVERAGE.md

@@ -0,0 +1,14 @@
+# Documentation Coverage Matrix
+
+This matrix tracks the bilingual canonical documentation set for `gitops` and maps it back to the current codebase and older docs.
+
+该矩阵用于跟踪 `gitops` 的双语规范文档，并将其与当前代码状态和历史文档对应起来。
+
+| Category | EN | ZH | Current status | Existing references | Next check |
+| --- | --- | --- | --- | --- | --- |
+| Architecture | Yes | Yes | Seeded from current codebase and existing docs. | `repo-structure.md` | Keep diagrams and ownership notes synchronized with actual directories, services, and integration dependencies. |
+| Design | Yes | Yes | Seeded from current codebase and existing docs. | `stackflow/README.md` | Promote one-off implementation notes into reusable design records when behavior, APIs, or deployment contracts change. |
+| Deployment | Yes | Yes | Seeded from current codebase; deeper legacy consolidation is still needed. | None yet; use the new canonical page as the starting point. | Verify deployment steps against current scripts, manifests, CI/CD flow, and environment contracts before each release. |
+| User Guide | Yes | Yes | Seeded from current codebase; deeper legacy consolidation is still needed. | None yet; use the new canonical page as the starting point. | Prefer workflow-oriented examples and keep screenshots or terminal snippets aligned with the latest UI or CLI behavior. |
+| Developer Guide | Yes | Yes | Seeded from current codebase; deeper legacy consolidation is still needed. | None yet; use the new canonical page as the starting point. | Keep setup and test commands tied to actual package scripts, Make targets, or language toolchains in this repository. |
+| Vibe Coding Reference | Yes | Yes | Seeded from current codebase; deeper legacy consolidation is still needed. | None yet; use the new canonical page as the starting point. | Review prompt templates and repo rules whenever the project adds new subsystems, protected areas, or mandatory verification steps. |

docs/README.md

@@ -0,0 +1,32 @@
+# GitOps Repository / GitOps 运维仓库
+
+This `docs/` directory now has a bilingual canonical layer for the current repository state.
+
+本 `docs/` 目录现已补齐双语规范层，用于承接当前仓库状态下的核心文档。
+
+## Quick Entry / 快速入口
+
+- Coverage checklist / 覆盖检查矩阵: `docs/DOC_COVERAGE.md`
+- English index / 英文入口: `docs/en/README.md`
+- 中文入口 / Chinese index: `docs/zh/README.md`
+
+## Canonical Bilingual Pages / 双语规范页
+
+- `docs/en/architecture.md` / `docs/zh/architecture.md`
+- `docs/en/design.md` / `docs/zh/design.md`
+- `docs/en/deployment.md` / `docs/zh/deployment.md`
+- `docs/en/user-guide.md` / `docs/zh/user-guide.md`
+- `docs/en/developer-guide.md` / `docs/zh/developer-guide.md`
+- `docs/en/vibe-coding-reference.md` / `docs/zh/vibe-coding-reference.md`
+
+## Current Repo Context / 当前仓库背景
+
+- Root README: `Cloud-Neutral Toolkit GitOps`
+- Previous docs index: `Documentation`
+- Manifest evidence / 构建清单: repository structure and scripts only
+- Active code and ops directories / 当前主要目录: `infra/`, `apps/`, `clusters/`, `config/`, `scripts/`
+
+## Existing Docs To Reconcile / 需要继续归并的现有文档
+
+- `repo-structure.md`
+- `stackflow/README.md`

docs/en/README.md

@@ -0,0 +1,24 @@
+# GitOps Repository Documentation
+
+This repository organizes declarative GitOps assets for infrastructure delivery.
+
+## Current state snapshot
+
+- Root README title: `Cloud-Neutral Toolkit GitOps`
+- Build/runtime evidence: repository structure and scripts only
+- Primary directories detected: `infra/`, `apps/`, `clusters/`, `config/`, `scripts/`
+- Existing docs count: 3
+
+## Canonical pages
+
+- [Architecture](architecture.md)
+- [Design](design.md)
+- [Deployment](deployment.md)
+- [User Guide](user-guide.md)
+- [Developer Guide](developer-guide.md)
+- [Vibe Coding Reference](vibe-coding-reference.md)
+
+## Legacy docs to fold in
+
+- `repo-structure.md`
+- `stackflow/README.md`

docs/en/architecture.md

@@ -0,0 +1,24 @@
+# Architecture
+
+This repository organizes declarative GitOps assets for infrastructure delivery.
+
+Use this page as the canonical bilingual overview of system boundaries, major components, and repo ownership.
+
+## Current code-aligned notes
+
+- Documentation target: `gitops`
+- Repo kind: `infra-repo`
+- Manifest and build evidence: repository structure and scripts only
+- Primary implementation and ops directories: `scripts/`, `StackFlow/`, `config/`
+- Package scripts snapshot: No package.json scripts were detected.
+
+## Existing docs to reconcile
+
+- `repo-structure.md`
+
+## What this page should cover next
+
+- Describe the current implementation rather than an aspirational future-only design.
+- Keep terminology aligned with the repository root README, manifests, and actual directories.
+- Link deeper runbooks, specs, or subsystem notes from the legacy docs listed above.
+- Keep diagrams and ownership notes synchronized with actual directories, services, and integration dependencies.

docs/en/deployment.md

@@ -0,0 +1,24 @@
+# Deployment
+
+This repository organizes declarative GitOps assets for infrastructure delivery.
+
+Use this page to standardize deployment prerequisites, supported topologies, operational checks, and rollback notes.
+
+## Current code-aligned notes
+
+- Documentation target: `gitops`
+- Repo kind: `infra-repo`
+- Manifest and build evidence: repository structure and scripts only
+- Primary implementation and ops directories: `scripts/`, `StackFlow/`, `config/`
+- Package scripts snapshot: No package.json scripts were detected.
+
+## Existing docs to reconcile
+
+- No directly matching legacy docs were detected; this page is currently the canonical seed.
+
+## What this page should cover next
+
+- Describe the current implementation rather than an aspirational future-only design.
+- Keep terminology aligned with the repository root README, manifests, and actual directories.
+- Link deeper runbooks, specs, or subsystem notes from the legacy docs listed above.
+- Verify deployment steps against current scripts, manifests, CI/CD flow, and environment contracts before each release.

docs/en/design.md

@@ -0,0 +1,24 @@
+# Design
+
+This repository organizes declarative GitOps assets for infrastructure delivery.
+
+Use this page to consolidate design decisions, ADR-style tradeoffs, and roadmap-sensitive implementation notes.
+
+## Current code-aligned notes
+
+- Documentation target: `gitops`
+- Repo kind: `infra-repo`
+- Manifest and build evidence: repository structure and scripts only
+- Primary implementation and ops directories: `scripts/`, `StackFlow/`, `config/`
+- Package scripts snapshot: No package.json scripts were detected.
+
+## Existing docs to reconcile
+
+- `stackflow/README.md`
+
+## What this page should cover next
+
+- Describe the current implementation rather than an aspirational future-only design.
+- Keep terminology aligned with the repository root README, manifests, and actual directories.
+- Link deeper runbooks, specs, or subsystem notes from the legacy docs listed above.
+- Promote one-off implementation notes into reusable design records when behavior, APIs, or deployment contracts change.

docs/en/developer-guide.md

@@ -0,0 +1,24 @@
+# Developer Guide
+
+This repository organizes declarative GitOps assets for infrastructure delivery.
+
+Use this page to document local setup, project structure, test surfaces, and contribution conventions tied to the current codebase.
+
+## Current code-aligned notes
+
+- Documentation target: `gitops`
+- Repo kind: `infra-repo`
+- Manifest and build evidence: repository structure and scripts only
+- Primary implementation and ops directories: `scripts/`, `StackFlow/`, `config/`
+- Package scripts snapshot: No package.json scripts were detected.
+
+## Existing docs to reconcile
+
+- No directly matching legacy docs were detected; this page is currently the canonical seed.
+
+## What this page should cover next
+
+- Describe the current implementation rather than an aspirational future-only design.
+- Keep terminology aligned with the repository root README, manifests, and actual directories.
+- Link deeper runbooks, specs, or subsystem notes from the legacy docs listed above.
+- Keep setup and test commands tied to actual package scripts, Make targets, or language toolchains in this repository.

docs/en/user-guide.md

@@ -0,0 +1,24 @@
+# User Guide
+
+This repository organizes declarative GitOps assets for infrastructure delivery.
+
+Use this page to document primary user/operator tasks, everyday workflows, and navigation to existing how-to material.
+
+## Current code-aligned notes
+
+- Documentation target: `gitops`
+- Repo kind: `infra-repo`
+- Manifest and build evidence: repository structure and scripts only
+- Primary implementation and ops directories: `scripts/`, `StackFlow/`, `config/`
+- Package scripts snapshot: No package.json scripts were detected.
+
+## Existing docs to reconcile
+
+- No directly matching legacy docs were detected; this page is currently the canonical seed.
+
+## What this page should cover next
+
+- Describe the current implementation rather than an aspirational future-only design.
+- Keep terminology aligned with the repository root README, manifests, and actual directories.
+- Link deeper runbooks, specs, or subsystem notes from the legacy docs listed above.
+- Prefer workflow-oriented examples and keep screenshots or terminal snippets aligned with the latest UI or CLI behavior.

docs/en/vibe-coding-reference.md

@@ -0,0 +1,24 @@
+# Vibe Coding Reference
+
+This repository organizes declarative GitOps assets for infrastructure delivery.
+
+Use this page to align AI-assisted coding prompts, repo boundaries, safe edit rules, and documentation update expectations.
+
+## Current code-aligned notes
+
+- Documentation target: `gitops`
+- Repo kind: `infra-repo`
+- Manifest and build evidence: repository structure and scripts only
+- Primary implementation and ops directories: `scripts/`, `StackFlow/`, `config/`
+- Package scripts snapshot: No package.json scripts were detected.
+
+## Existing docs to reconcile
+
+- No directly matching legacy docs were detected; this page is currently the canonical seed.
+
+## What this page should cover next
+
+- Describe the current implementation rather than an aspirational future-only design.
+- Keep terminology aligned with the repository root README, manifests, and actual directories.
+- Link deeper runbooks, specs, or subsystem notes from the legacy docs listed above.
+- Review prompt templates and repo rules whenever the project adds new subsystems, protected areas, or mandatory verification steps.

docs/gpu-k8s-role.md

@@ -1,113 +0,0 @@
-# GPU Kubernetes Role
-
-This document describes how to use the `gpu-k8s` role to deploy a simple Kubernetes cluster with NVIDIA GPU support.
-
-## Overview
-
-The role performs four main tasks:
-
-1. **Create the Kubernetes cluster** using [sealos](https://github.com/labring/sealos). It runs the provided `sealos run` command to bootstrap the master and worker nodes.
-2. **Install NVIDIA drivers and the NVIDIA container toolkit** on the target hosts so that Kubernetes can access GPU resources.
-3. **Verify the cluster state** after initialization, displaying the `sealos` version and the current Kubernetes nodes.
-4. **Verify GPU access** by deploying the official NVIDIA device plugin and running a small CUDA workload.
-
-When `sealos_version` is set to `latest` (the default), the role automatically
-fetches the most recent stable release from GitHub. The Kubernetes image tag is
-controlled separately via `kubernetes_version`, which defaults to `v1.25.16` but
-can be overridden to any compatible release.
-
-
-The following command is used to create the cluster (example with one master and one worker):
-
-```bash
-REGISTRY=$(playbooks/roles/vhosts/gpu-k8s/files/get_labring_registry.sh)
-sealos run \
-  ${REGISTRY}/kubernetes:<kubernetes_version> \
-  ${REGISTRY}/cilium:<cilium_version> \
-  ${REGISTRY}/helm:<helm_version> \
-  --masters 172.16.11.120 \
-  --nodes 172.16.11.152 \
-  --env '{}' \
-  --cmd "kubeadm init --skip-phases=addon/kube-proxy"
-```
-If deploying with a non-root user the command also requires `--user` and
-`--pk` options pointing to the user's SSH key. The host running Sealos must have
-`newuidmap` and `newgidmap` installed (typically provided by the `uidmap`
-package) along with the `fuse-overlayfs` binary to enable user namespaces.
-
-After the cluster is running the role installs the NVIDIA device plugin and runs a test pod to ensure `nvidia-smi` works inside the cluster.
-
-## Usage
-
-Add the role to your playbook along with the `ssh-trust` role which configures passwordless access from the ops host to the cluster nodes:
-
-```yaml
-- hosts: all
-  roles:
-    - ssh-trust
-    - gpu-k8s
-```
-
-By default the SSH key is created for the same user Ansible connects with. You
-can override this by setting `ssh_user`. When `ansible_user` is defined it will
-be used automatically, otherwise `root` is assumed. The role also allows you to
-specify the private key path via `ssh_private_key`:
-
-```yaml
-- hosts: all
-  vars:
-    ssh_user: ubuntu
-    ssh_private_key: /home/ubuntu/.ssh/myuser_id_rsa
-  roles:
-    - ssh-trust
-    - gpu-k8s
-```
-
-The specified user must be able to log in without a password and have sudo
-access on the target hosts.
-
-
-Example playbook snippet defining the IP lists:
-
-```yaml
-- hosts: all
-  vars:
-    master_ips:
-      - "172.16.11.120"
-    node_ips:
-      - "172.16.11.152"
-  roles:
-    - ssh-trust
-    - gpu-k8s
-```
-
-You can also specify hostnames and let the role look up the IPs:
-
-```yaml
-- hosts: all
-  vars:
-    masters:
-      - "k8s-1"
-    nodes:
-      - "k8s-2"
-      - "k8s-3"
-  roles:
-    - ssh-trust
-    - gpu-k8s
-```
-
-The playbook expects at least one master and one node. You can provide the
-addresses directly via `master_ips` and `node_ips`, or give hostnames in the
-`masters` and `nodes` variables. When hostnames are used, the role will look up
-their `ansible_host` values from the inventory to obtain the IPs. Up to three
-masters can be specified.
-
-
-Run the playbook with your inventory that contains the master and node IP addresses.
-
-
-```bash
-ansible-playbook -i inventory/hosts/all playbooks/demo_gpu_k8s.yml
-```
-
-The final step prints the output of `nvidia-smi` from inside a Kubernetes pod, confirming that the GPU is available.

docs/repo-structure.md

@@ -1,19 +1,12 @@
 # Repository Structure
 
-This repository combines Ansible playbooks with Kubernetes manifests and
-automation scripts. Below is a short overview of the key directories.
+This repository contains declarative GitOps assets only. Below is a short overview of the key directories.
 
 | Directory | Purpose |
 |-----------|---------|
-| `playbooks` | Ansible playbooks and role definitions. |
 | `apps` | Flux HelmRelease and Kustomize files for applications. |
 | `clusters` | Kustomize overlays for different clusters referencing the `apps` definitions. |
-| `helmfiles` | Sample [helmfile](https://github.com/helmfile/helmfile) declarations. |
-| `helm` | Local Helm charts used in some playbooks. |
-| `inventory` | Example inventories and group variables for Ansible. |
-| `scripts` | Utility scripts such as cluster setup or secret management. |
-| `sync` | Tasks for local host setup and testing. |
+| `infra` | Platform and infrastructure declarations managed by Flux. |
+| `scripts` | Utility scripts that support validation or operational workflows. |
+| `config` | Non-sensitive configuration references and examples. |
 | `docs` | Additional documentation. |
-
-See `docs/gpu-k8s-role.md` for an example walkthrough deploying a GPU-enabled
-Kubernetes cluster.

docs/stackflow/README.md

@@ -0,0 +1,57 @@
+# StackFlow (GitOps YAML Flow)
+
+StackFlow is a declarative YAML describing a full business stack deployment
+across DNS, cloud resources (IAC), and GitOps-driven delivery.
+
+This repository already contains:
+- `iac-template/` (Terraform reference templates)
+- `.github/workflows/` (bootstrap workflows)
+
+StackFlow adds a top-level config file that can drive those pieces in one place.
+
+## Goals
+
+- One YAML describes root domain + targets (Vercel, Cloud Run, vhosts, etc.)
+- CI can validate config, produce a DNS plan, then apply phases later
+- Never commit real secrets (tokens/keys); use GitHub Secrets / Secret Manager
+
+## Config Example
+
+See: `StackFlow/svc-plus.yaml`
+
+## Schema (v1alpha1)
+
+Top-level:
+- `apiVersion`: `gitops.svc.plus/v1alpha1`
+- `kind`: `StackFlow`
+- `metadata.name`: stack id
+- `global.domain`: root domain, e.g. `svc.plus`
+- `global.dns_provider`: `cloudflare` (planned), `alicloud` (legacy)
+- `global.cloud`: `gcp`
+- `targets[]`: list of deployable targets
+
+Target fields (common):
+- `id`: unique id
+- `type`: `vercel` | `cloud-run` | `vhost` | `kubernetes` (planned)
+- `domains[]`: FQDNs owned by this target
+- `dns.records[]`: explicit DNS record intents
+
+DNS record intent:
+- `name`: record name relative to `global.domain` (e.g. `www`)
+- `type`: `A` | `AAAA` | `CNAME` | `TXT` | `MX`
+- `value`: literal value (string)
+- `valueFrom`: dotted path reference inside the target (e.g. `endpoints.public_ipv4`)
+- `ttl`: optional int seconds
+- `proxied`: optional bool (Cloudflare-specific)
+
+## Workflows
+
+Planned phases:
+- `validate`: validate YAML structure
+- `dns-plan`: output required DNS records (no apply)
+- `dns-apply`: apply DNS changes (provider-specific)
+- `iac-apply`: provision resources via Terraform
+- `deploy`: deploy apps via GitOps or repo-dispatch
+- `observe`: connect monitoring / alerts
+
+Today we only ship `validate` + `dns-plan` as the first step.

docs/zh/README.md

@@ -0,0 +1,24 @@
+# GitOps 运维仓库 文档
+
+该仓库仅组织声明式 GitOps 资产，用于基础设施与应用交付。
+
+## 当前状态快照
+
+- 根 README 标题: `Cloud-Neutral Toolkit GitOps`
+- 构建与运行时证据: repository structure and scripts only
+- 自动识别的主要目录: `infra/`, `apps/`, `clusters/`, `config/`, `scripts/`
+- 现有文档数量: 3
+
+## 核心双语文档
+
+- [架构](architecture.md)
+- [设计](design.md)
+- [部署](deployment.md)
+- [使用手册](user-guide.md)
+- [开发手册](developer-guide.md)
+- [Vibe Coding 参考](vibe-coding-reference.md)
+
+## 待归并的历史文档
+
+- `repo-structure.md`
+- `stackflow/README.md`

docs/zh/architecture.md

@@ -0,0 +1,24 @@
+# 架构
+
+该仓库仅组织声明式 GitOps 资产，用于基础设施与应用交付。
+
+本页作为系统边界、核心组件与仓库职责的双语总览入口。
+
+## 与当前代码对齐的说明
+
+- 文档目标仓库: `gitops`
+- 仓库类型: `infra-repo`
+- 构建与运行依据: repository structure and scripts only
+- 主要实现与运维目录: `scripts/`, `StackFlow/`, `config/`
+- `package.json` 脚本快照: No package.json scripts were detected.
+
+## 需要继续归并的现有文档
+
+- `repo-structure.md`
+
+## 本页下一步应补充的内容
+
+- 先描述当前已落地实现，再补充未来规划，避免只写愿景不写现状。
+- 术语需要与仓库根 README、构建清单和实际目录保持一致。
+- 将上方列出的历史 runbook、spec、子系统说明逐步链接并归并到本页。
+- 随着目录结构、服务关系和集成依赖变化，持续同步图示与职责说明。

docs/zh/deployment.md

@@ -0,0 +1,24 @@
+# 部署
+
+该仓库仅组织声明式 GitOps 资产，用于基础设施与应用交付。
+
+本页用于统一部署前提、支持的拓扑、运维检查项与回滚注意事项。
+
+## 与当前代码对齐的说明
+
+- 文档目标仓库: `gitops`
+- 仓库类型: `infra-repo`
+- 构建与运行依据: repository structure and scripts only
+- 主要实现与运维目录: `scripts/`, `StackFlow/`, `config/`
+- `package.json` 脚本快照: No package.json scripts were detected.
+
+## 需要继续归并的现有文档
+
+- 尚未发现直接对应的历史文档，本页目前就是该类别的规范起点。
+
+## 本页下一步应补充的内容
+
+- 先描述当前已落地实现，再补充未来规划，避免只写愿景不写现状。
+- 术语需要与仓库根 README、构建清单和实际目录保持一致。
+- 将上方列出的历史 runbook、spec、子系统说明逐步链接并归并到本页。
+- 每次发布前，依据当前脚本、清单、CI/CD 流程和环境契约重新核对部署步骤。

docs/zh/design.md

@@ -0,0 +1,24 @@
+# 设计
+
+该仓库仅组织声明式 GitOps 资产，用于基础设施与应用交付。
+
+本页用于汇总设计决策、类似 ADR 的权衡记录，以及与路线图相关的实现说明。
+
+## 与当前代码对齐的说明
+
+- 文档目标仓库: `gitops`
+- 仓库类型: `infra-repo`
+- 构建与运行依据: repository structure and scripts only
+- 主要实现与运维目录: `scripts/`, `StackFlow/`, `config/`
+- `package.json` 脚本快照: No package.json scripts were detected.
+
+## 需要继续归并的现有文档
+
+- `stackflow/README.md`
+
+## 本页下一步应补充的内容
+
+- 先描述当前已落地实现，再补充未来规划，避免只写愿景不写现状。
+- 术语需要与仓库根 README、构建清单和实际目录保持一致。
+- 将上方列出的历史 runbook、spec、子系统说明逐步链接并归并到本页。
+- 当行为、API 或部署契约发生变化时，把一次性实现笔记提升为可复用设计记录。

docs/zh/developer-guide.md

@@ -0,0 +1,24 @@
+# 开发手册
+
+该仓库仅组织声明式 GitOps 资产，用于基础设施与应用交付。
+
+本页用于记录本地开发环境、项目结构、测试面与贴合当前代码库的贡献约定。
+
+## 与当前代码对齐的说明
+
+- 文档目标仓库: `gitops`
+- 仓库类型: `infra-repo`
+- 构建与运行依据: repository structure and scripts only
+- 主要实现与运维目录: `scripts/`, `StackFlow/`, `config/`
+- `package.json` 脚本快照: No package.json scripts were detected.
+
+## 需要继续归并的现有文档
+
+- 尚未发现直接对应的历史文档，本页目前就是该类别的规范起点。
+
+## 本页下一步应补充的内容
+
+- 先描述当前已落地实现，再补充未来规划，避免只写愿景不写现状。
+- 术语需要与仓库根 README、构建清单和实际目录保持一致。
+- 将上方列出的历史 runbook、spec、子系统说明逐步链接并归并到本页。
+- 持续让环境搭建与测试命令对应真实存在的脚本、Make 目标或语言工具链。

docs/zh/user-guide.md

@@ -0,0 +1,24 @@
+# 使用手册
+
+该仓库仅组织声明式 GitOps 资产，用于基础设施与应用交付。
+
+本页用于记录主要用户或运维角色的日常任务、常见流程，以及现有操作文档入口。
+
+## 与当前代码对齐的说明
+
+- 文档目标仓库: `gitops`
+- 仓库类型: `infra-repo`
+- 构建与运行依据: repository structure and scripts only
+- 主要实现与运维目录: `scripts/`, `StackFlow/`, `config/`
+- `package.json` 脚本快照: No package.json scripts were detected.
+
+## 需要继续归并的现有文档
+
+- 尚未发现直接对应的历史文档，本页目前就是该类别的规范起点。
+
+## 本页下一步应补充的内容
+
+- 先描述当前已落地实现，再补充未来规划，避免只写愿景不写现状。
+- 术语需要与仓库根 README、构建清单和实际目录保持一致。
+- 将上方列出的历史 runbook、spec、子系统说明逐步链接并归并到本页。
+- 优先提供面向流程的示例，并确保截图或终端片段与最新 UI/CLI 行为一致。

docs/zh/vibe-coding-reference.md

@@ -0,0 +1,24 @@
+# Vibe Coding 参考
+
+该仓库仅组织声明式 GitOps 资产，用于基础设施与应用交付。
+
+本页用于统一 AI 辅助开发提示词、仓库边界、安全编辑规则与文档同步要求。
+
+## 与当前代码对齐的说明
+
+- 文档目标仓库: `gitops`
+- 仓库类型: `infra-repo`
+- 构建与运行依据: repository structure and scripts only
+- 主要实现与运维目录: `scripts/`, `StackFlow/`, `config/`
+- `package.json` 脚本快照: No package.json scripts were detected.
+
+## 需要继续归并的现有文档
+
+- 尚未发现直接对应的历史文档，本页目前就是该类别的规范起点。
+
+## 本页下一步应补充的内容
+
+- 先描述当前已落地实现，再补充未来规划，避免只写愿景不写现状。
+- 术语需要与仓库根 README、构建清单和实际目录保持一致。
+- 将上方列出的历史 runbook、spec、子系统说明逐步链接并归并到本页。
+- 当项目新增子系统、受保护目录或强制验证步骤时，同步更新提示模板与仓库规则。

environments/clusters/pre/accounts-pre-kustomization.yaml

@@ -0,0 +1,15 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: accounts-pre
+  namespace: flux-system
+spec:
+  interval: 5m0s
+  prune: true
+  wait: true
+  sourceRef:
+    kind: GitRepository
+    name: platform-config
+  path: ./services/accounts/pre
+  dependsOn:
+    - name: stunnel-client-pre

environments/clusters/pre/console-pre-kustomization.yaml

@@ -0,0 +1,15 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: console-pre
+  namespace: flux-system
+spec:
+  interval: 5m0s
+  prune: true
+  wait: true
+  sourceRef:
+    kind: GitRepository
+    name: platform-config
+  path: ./services/console/pre
+  dependsOn:
+    - name: accounts-pre

environments/clusters/pre/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - stunnel-client-pre-kustomization.yaml
+  - console-pre-kustomization.yaml
+  - accounts-pre-kustomization.yaml

environments/clusters/pre/stunnel-client-pre-kustomization.yaml

@@ -0,0 +1,16 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: stunnel-client-pre
+  namespace: flux-system
+spec:
+  interval: 5m0s
+  prune: true
+  wait: true
+  timeout: 10m0s
+  sourceRef:
+    kind: GitRepository
+    name: platform-config
+  path: ./services/stunnel-client/pre
+  dependsOn:
+    - name: stunnel-server

environments/clusters/prod/accounts-prod-kustomization.yaml

@@ -0,0 +1,15 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: accounts-prod
+  namespace: flux-system
+spec:
+  interval: 5m0s
+  prune: true
+  wait: true
+  sourceRef:
+    kind: GitRepository
+    name: platform-config
+  path: ./services/accounts/prod
+  dependsOn:
+    - name: stunnel-client-prod

environments/clusters/prod/cert-manager-kustomization.yaml

@@ -0,0 +1,14 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: cert-manager-issuer
+  namespace: flux-system
+spec:
+  interval: 5m0s
+  prune: true
+  wait: true
+  timeout: 10m0s
+  sourceRef:
+    kind: GitRepository
+    name: platform-config
+  path: ./services/platform/cert-manager

environments/clusters/prod/console-prod-kustomization.yaml

@@ -0,0 +1,15 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: console-prod
+  namespace: flux-system
+spec:
+  interval: 5m0s
+  prune: true
+  wait: true
+  sourceRef:
+    kind: GitRepository
+    name: platform-config
+  path: ./services/console/prod
+  dependsOn:
+    - name: accounts-prod

environments/clusters/prod/kustomization.yaml

@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespaces.yaml
+  - cert-manager-kustomization.yaml
+  - postgresql-tls-platform-kustomization.yaml
+  - postgresql-tls-database-kustomization.yaml
+  - postgresql-prod-kustomization.yaml
+  - stunnel-server-kustomization.yaml
+  - stunnel-client-prod-kustomization.yaml
+  - console-prod-kustomization.yaml
+  - accounts-prod-kustomization.yaml
+  - observability-kustomization.yaml
+
+# cert-manager owns postgresql-tls in each namespace; no cross-namespace sync job.