From 852ff844c4a241e835183323e80f8e7be7d96de4 Mon Sep 17 00:00:00 2001
From: Valentin Haudiquet
Date: Tue, 16 Jun 2026 11:06:05 +0200
Subject: [PATCH] fix: resolve cert-manager CRD dependency for cluster redeployability
- Add root kustomization.yaml to explicitly list included paths
- Exclude cert-manager and cert-manager-issuer from root kustomization
- Add Flux Kustomizations in system/flux/ to manage deployment order
- cert-manager Flux Kustomization includes health checks for CRDs
- cert-manager-issuer depends on cert-manager being ready
---
kubernetes/kustomization.yaml | 34 +++++++++++++++++++
.../clusterissuer.yaml | 0
.../cert-manager-issuer/kustomization.yaml | 5 +++
.../system/cert-manager/kustomization.yaml | 1 -
.../system/flux/cert-manager-issuer.yaml | 19 +++++++++++
kubernetes/system/flux/cert-manager.yaml | 31 +++++++++++++++++
kubernetes/system/flux/kustomization.yaml | 8 +++++
7 files changed, 97 insertions(+), 1 deletion(-)
create mode 100644 kubernetes/kustomization.yaml
rename kubernetes/system/{cert-manager => cert-manager-issuer}/clusterissuer.yaml (100%)
create mode 100644 kubernetes/system/cert-manager-issuer/kustomization.yaml
create mode 100644 kubernetes/system/flux/cert-manager-issuer.yaml
create mode 100644 kubernetes/system/flux/cert-manager.yaml
create mode 100644 kubernetes/system/flux/kustomization.yaml
diff --git a/kubernetes/kustomization.yaml b/kubernetes/kustomization.yaml
new file mode 100644
index 0000000..838d727
--- /dev/null
+++ b/kubernetes/kustomization.yaml
@@ -0,0 +1,34 @@
+# Root Kustomization for Flux
+# Explicitly lists all components to exclude:
+# - cert-manager: managed by separate Flux Kustomization (CRD dependency)
+# - cert-manager-issuer: managed by separate Flux Kustomization (depends on cert-manager)
+# - cilium: managed by Terraform (not Flux)
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ # System components
+ - system/blocky
+ - system/caddy
+ - system/coredns
+ - system/csi-driver-nfs
+ - system/external-dns
+ - system/flux
+ - system/traefik
+ # Code
+ - code/gitea
+ - code/harbor
+ # Home
+ - home/home-assisant
+ - home/zigbee2mqtt
+ # Infrastructure
+ - infrastructure/authentik
+ # Personal
+ - personal/linkwarden
+ - personal/notesnook
+ - personal/photoprism
+ # Production
+ - production/umami
+ - production/vhaudiquet-fr
+ # Tools
+ - tools/dashy
+ - tools/glance
diff --git a/kubernetes/system/cert-manager/clusterissuer.yaml b/kubernetes/system/cert-manager-issuer/clusterissuer.yaml
similarity index 100%
rename from kubernetes/system/cert-manager/clusterissuer.yaml
rename to kubernetes/system/cert-manager-issuer/clusterissuer.yaml
diff --git a/kubernetes/system/cert-manager-issuer/kustomization.yaml b/kubernetes/system/cert-manager-issuer/kustomization.yaml
new file mode 100644
index 0000000..9a27bac
--- /dev/null
+++ b/kubernetes/system/cert-manager-issuer/kustomization.yaml
@@ -0,0 +1,5 @@
+# ClusterIssuer resources for cert-manager
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - clusterissuer.yaml
diff --git a/kubernetes/system/cert-manager/kustomization.yaml b/kubernetes/system/cert-manager/kustomization.yaml
index b654257..d2d7287 100644
--- a/kubernetes/system/cert-manager/kustomization.yaml
+++ b/kubernetes/system/cert-manager/kustomization.yaml
@@ -6,7 +6,6 @@ resources:
 - repository.yaml
 - release.yaml
 - cloudflare-api-token-secret.yaml
- - clusterissuer.yaml
 secretGenerator:
 - name: cert-manager-values
 files:
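Review bot: The explicit `resources:` list now defines the inventory of the homeprod Kustomization, so if that Kustomization reconciles with `prune` enabled (it is not part of this diff) every object it previously applied from a path that is no longer listed — the contents of `system/cert-manager` (its repository, release and Cloudflare token Secret, per the kustomization further down) and anything under `system/cilium` — is garbage-collected on its next reconcile. For cert-manager that deletion can land before the new `cert-manager` Flux Kustomization, which homeprod itself creates through `system/flux`, has re-applied and re-labelled those objects, so on a live cluster the release is presumably torn down and re-installed rather than adopted. Consider annotating the cert-manager resources with `kustomize.toolkit.fluxcd.io/prune: disabled` for the transition, or landing the new Flux Kustomizations one commit before removing the path here, and confirm `system/cilium` holds no manifests Flux ever applied. The header comment also reads as if the listed entries are the excluded ones; `# Explicitly lists every included path; the following are intentionally left out:` says what is meant.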
diff --git a/kubernetes/system/flux/cert-manager-issuer.yaml b/kubernetes/system/flux/cert-manager-issuer.yaml
new file mode 100644
index 0000000..272f9b8
--- /dev/null
+++ b/kubernetes/system/flux/cert-manager-issuer.yaml
@@ -0,0 +1,19 @@
+# Flux Kustomization for cert-manager ClusterIssuer
+# Depends on cert-manager being fully operational (CRDs installed)
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: cert-manager-issuer
+ namespace: flux-system
+spec:
+ interval: 10m
+ sourceRef:
+ kind: GitRepository
+ name: homeprod
+ path: ./kubernetes/system/cert-manager-issuer
+ dependsOn:
+ - name: cert-manager
+ decryption:
+ provider: sops
+ secretRef:
+ name: flux-sops
diff --git a/kubernetes/system/flux/cert-manager.yaml b/kubernetes/system/flux/cert-manager.yaml
new file mode 100644
index 0000000..3d7cdc6
--- /dev/null
+++ b/kubernetes/system/flux/cert-manager.yaml
@@ -0,0 +1,31 @@
+# Flux Kustomization for cert-manager
+# Separate from main homeprod because cert-manager CRDs must be installed
+# before ClusterIssuer resources can be applied
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: cert-manager
+ namespace: flux-system
+spec:
+ interval: 10m
+ sourceRef:
+ kind: GitRepository
+ name: homeprod
+ path: ./kubernetes/system/cert-manager
+ decryption:
+ provider: sops
+ secretRef:
+ name: flux-sops
+ healthChecks:
+ - apiVersion: apps/v1
+ kind: Deployment
+ name: cert-manager
+ namespace: cert-manager
+ - apiVersion: apps/v1
+ kind: Deployment
+ name: cert-manager-webhook
+ namespace: cert-manager
+ - apiVersion: apps/v1
+ kind: Deployment
+ name: cert-manager-cainjector
+ namespace: cert-manager
diff --git a/kubernetes/system/flux/kustomization.yaml b/kubernetes/system/flux/kustomization.yaml
new file mode 100644
index 0000000..8e4d0a7
--- /dev/null
+++ b/kubernetes/system/flux/kustomization.yaml
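Review bot: The `decryption:` stanza wires the `flux-sops` key into this Kustomization although the path it reconciles contains only `clusterissuer.yaml` (the Cloudflare token Secret stays in `system/cert-manager`); unless that file is itself sops-encrypted, drop the `decryption`/`secretRef` block so only Kustomizations that actually decrypt Secrets can use the key. `dependsOn` waits for the `cert-manager` Kustomization to report Ready, which is only as strong as that object's `healthChecks`, so keep the webhook Deployment among them — creating the ClusterIssuer goes through cert-manager's validating webhook. Also consider `prune: true` here: the ClusterIssuer used to be part of the main inventory, and without prune a renamed or removed issuer in git stays in the cluster indefinitely.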
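Review bot: The `healthChecks` gate on three Deployments, not on the CRDs the commit message mentions, and the Deployment names assume the release is named `cert-manager` with the chart's default naming (`release.yaml` is not in this diff) — if the HelmRelease sets a different `releaseName` or `fullnameOverride`, the wait never succeeds, each reconcile fails after the default timeout (equal to `interval`, 10m) and `cert-manager-issuer` stays blocked. Adding the HelmRelease itself as a health check (`apiVersion: helm.toolkit.fluxcd.io/v2`, `kind: HelmRelease`, with the name and namespace used in `release.yaml`) ties readiness to the actual install, CRDs included, while the `cert-manager-webhook` Deployment check is still worth keeping because ClusterIssuer admission goes through it. An explicit `timeout:` shorter than the interval would surface a broken install sooner than ten minutes per attempt. The header comment could also state what the checks establish, e.g. `# healthChecks: Ready only once all three cert-manager Deployments are available; cert-manager-issuer waits on this via dependsOn`.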
@@ -0,0 +1,8 @@
+# Flux system resources
+# Contains Flux Kustomization resources for additional dependencies
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - webhook.yaml
+ - cert-manager.yaml
+ - cert-manager-issuer.yaml