enable cstor in openebs

sync is not possible with pgo without SSA because CRD is too large

.gitignore

@@ -1,3 +1,5 @@
 \#*#
 *~
 charts/
+.*
+!.gitignore

README.md

@@ -68,5 +68,18 @@ pre-bootstrap files:
  - `install.sh`
  - `uninstall.sh`
 
+## Adopting a helm chart
+
+To adopt an existing helm chart, there is an adopt-helm.sh script.  It is not perfectly
+reliable, however, so ensure the output makes sense.
+
+1. Setup your helm release how you need it to work
+2. `cd argo1`
+2. `bash adopt-helm.sh release-name`
+3. Follow configuration instructions
+4. Validate templates/release-name.yaml
+ - Especially, check that the repoURL is correct.
+5. Commit templates/release-name.yaml and values.yaml
+
 
 [argo-crds]: https://argo-cd.readthedocs.io/en/stable/operator-manual/installation/

argo1/adopt-helm.sh

@@ -0,0 +1,121 @@
+#!/bin/bash
+
+cd "$(dirname "$0")"
+
+SOURCE_RELEASE="$1"
+
+eval "$(
+  helm list -A -o json | jq -r --arg release $SOURCE_RELEASE '
+      .[]
+    | select(.name == $release)
+    | (
+        @sh "CHART=\(     .chart | split("-") | .[0:-1] | join("-") )",
+        @sh "VERSION=\(   .chart | split("-") | .[-1] )",
+        @sh "RELEASE=\(   .name )",
+        @sh "NAMESPACE=\( .namespace )"
+      )
+  '
+)"
+
+TEMPLATE="${PWD}/templates/${RELEASE}.yaml"
+if [ -e "$TEMPLATE" ];then
+  1>&2 echo "$TEMPLATE: already exists.  aborting."
+  exit 1
+fi
+
+REPO="$(
+    helm repo list -o json \
+  | jq -r '.[].url' \
+  | xargs -P 8 -L 1 bash -c '
+      if helm show readme --repo "$1" $0 > /dev/null 2>&1;then
+        echo $1
+      fi
+    ' "$CHART" \
+  | sort | uniq
+)"
+
+REPOS_MATCHING="$(echo "$REPO" | grep . | wc -l | tr -d ' \t\n\r\v')"
+
+if [ x"$REPOS_MATCHING" != x"1" ];then
+  1>&2 echo "found $REPOS_MATCHING repos with $CHART. aborting."
+  1>&2 echo "$REPO"
+  exit 1
+fi
+
+if [ x"$CHART" = x"$VERSION" ];then 1>&2 echo "could not parse chart version from name"; exit 1; fi
+
+VALUES="$(helm get values -n "$NAMESPACE" "$RELEASE" -o yaml)"
+
+echo -n '# {{ if (index .Values "'"$RELEASE"'").enabled }}
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: "{{ .Release.Name }}-'"$RELEASE"'"
+  namespace: argocd
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    chart: "'"$CHART"'"
+    repoURL: "'"$REPO"'"
+    targetRevision: "'"$VERSION"'"
+    helm:
+      values: |-
+        {{ (index .Values "'"$RELEASE"'").values | nindent 8 }}
+      # the next line preserves the release name.
+      # this is optional but recommended for singleton services.
+      releaseName: "'"$RELEASE"'"
+  destination:
+    server: "https://kubernetes.default.svc"
+    namespace: "'"$NAMESPACE"'"
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+    retry:
+      limit: 10
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m0s
+# {{- end }}
+' > "$TEMPLATE"
+
+if [ x"$VALUES" = x"null" ];then
+  SAMPLE_VALUES="## (sample configs from $CHART -- choose one) ## 
+
+### (minimal config) ###
+$CHART: {enabled: true}
+
+### (skeleton config) ###
+$CHART:
+  enabled: true
+  values: |
+    # values.yaml contents here
+"
+else
+  SAMPLE_VALUES="
+## (sample config from $CHART) ##
+
+$RELEASE:
+  enabled: true
+  values: |
+$(echo "$VALUES" | sed -e 's/^/    /')
+"
+fi
+
+which pbcopy > /dev/null 2>&1 && (echo "$SAMPLE_VALUES" | pbcopy)
+
+printf '#####
+A new template has been added at %s.
+
+Please finish configuring this template by adding the following to values.yaml and customizing:
+
+%s
+
+(this has also been copied to your clipboard on macos
+' "$TEMPLATE" "$SAMPLE_VALUES"

argo1/templates/cert-manager.yaml

@@ -0,0 +1,37 @@
+# {{ if (index .Values "cert-manager").enabled }}
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: "{{ .Release.Name }}-cert-manager"
+  namespace: argocd
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    chart: "cert-manager"
+    repoURL: "https://charts.jetstack.io"
+    targetRevision: "v1.11.0"
+    helm:
+      values: |-
+        {{ (index .Values "cert-manager").values | nindent 8 }}
+      # the next line preserves the release name.
+      # this is optional but recommended for singleton services.
+      releaseName: "cert-manager"
+  destination:
+    server: "https://kubernetes.default.svc"
+    namespace: "cert-manager"
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+    retry:
+      limit: 10
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m0s
+# {{- end }}

argo1/templates/cluster-resources.yaml

@@ -0,0 +1,33 @@
+# {{ if (index .Values "cluster-resources").enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: {{ .Release.Name }}-cluster-resources
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    path: {{ (index .Values "cluster-resources").path | default "." | quote }}
+    repoURL: {{ (index .Values "cluster-resources").repoURL | quote }}
+    targetRevision: {{ (index .Values "cluster-resources").targetRevision | default "main" | quote}}
+    directory:
+      recurse: {{ (index .Values "cluster-resources").directoryRecurse | default "true" }}
+      include: {{ (index .Values "cluster-resources").directoryInclude | default "*.yaml" | quote }}
+  destination:
+    server: "https://kubernetes.default.svc"
+    namespace: argocd
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+    retry:
+      limit: 10
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m0s
+# {{- end }}

argo1/templates/external-secrets.yaml

@@ -0,0 +1,35 @@
+# {{ if (index .Values "external-secrets").enabled }}
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: "{{ .Release.Name }}-external-secrets"
+  namespace: argocd
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    chart: external-secrets
+    repoURL: https://charts.external-secrets.io
+    targetRevision: v0.8.1
+    helm:
+      values: |-
+        {{ (index .Values "external-secrets").values | default "{}" | nindent 8 }}
+      releaseName: external-secrets
+  destination:
+    server: "https://kubernetes.default.svc"
+    namespace: external-secrets
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+    retry:
+      limit: 10
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m0s
+# {{- end }}

argo1/templates/istio-base.yaml

@@ -0,0 +1,41 @@
+# {{ if (index .Values "istio-base").enabled }}
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: "{{ .Release.Name }}-istio-base"
+  namespace: argocd
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    chart: base
+    repoURL: https://istio-release.storage.googleapis.com/charts
+    targetRevision: 1.18.1
+    helm:
+      values: |-
+        {{ (index .Values "istio-base").values | default "{}" | nindent 8 }}
+      releaseName: istio-base
+  destination:
+    server: "https://kubernetes.default.svc"
+    namespace: istio-system
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+    retry:
+      limit: 10
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m0s
+  ignoreDifferences:
+  - group: admissionregistration.k8s.io
+    kind: ValidatingWebhookConfiguration
+    jqPathExpressions:
+    - .webhooks[].failurePolicy
+
+# {{- end }}

argo1/templates/istio-ingress.yaml

@@ -0,0 +1,35 @@
+# {{ if (index .Values "istio-ingress").enabled }}
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: "{{ .Release.Name }}-istio-ingress"
+  namespace: argocd
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    chart: gateway
+    repoURL: https://istio-release.storage.googleapis.com/charts
+    targetRevision: 1.18.1
+    helm:
+      values: |-
+        {{ (index .Values "istio-ingress").values | default "{}" | nindent 8 }}
+      releaseName: istio-ingressgateway
+  destination:
+    server: "https://kubernetes.default.svc"
+    namespace: istio-system
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+    retry:
+      limit: 10
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m0s
+# {{- end }}

argo1/templates/istiod.yaml

@@ -1,25 +1,25 @@
-# {{ if (index .Values "haproxy-ingress").enabled }}
+# {{ if (index .Values "istiod").enabled }}
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: "{{ .Release.Name }}-haproxy-ingress"
+  name: "{{ .Release.Name }}-istiod"
   namespace: argocd
   finalizers:
     - resources-finalizer.argocd.argoproj.io
 spec:
   project: default
   source:
-    chart: haproxy-ingress
-    repoURL: https://haproxy-ingress.github.io/charts
-    targetRevision: 0.14.2
+    chart: istiod
+    repoURL: https://istio-release.storage.googleapis.com/charts
+    targetRevision: 1.18.1
     helm:
       values: |-
-        {{ (index .Values "haproxy-ingress").values | nindent 8 }}
-      releaseName: haproxy-ingress
+        {{ (index .Values "istiod").values | default "{}" | nindent 8 }}
+      releaseName: istiod
   destination:
     server: "https://kubernetes.default.svc"
-    namespace: haproxy-ingress
+    namespace: istio-system
   syncPolicy:
     automated:
       prune: true

argo1/templates/metallb.yaml

@@ -0,0 +1,31 @@
+# {{ if (index .Values "metallb").enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: {{ .Release.Name }}-metallb
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: "{{ .Values.bootstrap.source.repoURL }}"
+    targetRevision: "{{ .Values.bootstrap.source.targetRevision }}"
+    path: {{ (index .Values "metallb").path | default "metallb" | quote }}
+  destination:
+    server: "https://kubernetes.default.svc"
+    namespace: {{ (index .Values "metallb").namespace | default "metallb-system" | quote }}
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+      - ServerSideApply=true
+    retry:
+      limit: 10
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m0s
+# {{- end }}

argo1/templates/nfs.yaml

@@ -0,0 +1,37 @@
+# {{ if (index .Values "nfs").enabled }}
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: "{{ .Release.Name }}-nfs"
+  namespace: argocd
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    chart: "nfs-subdir-external-provisioner"
+    repoURL: "https://kubernetes-sigs.github.io/nfs-subdir-external-provisioner"
+    targetRevision: "4.0.18"
+    helm:
+      values: |-
+        {{ (index .Values "nfs").values | nindent 8 }}
+      # the next line preserves the release name.
+      # this is optional but recommended for singleton services.
+      releaseName: "nfs"
+  destination:
+    server: "https://kubernetes.default.svc"
+    namespace: "kube-system"
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+    retry:
+      limit: 10
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m0s
+# {{- end }}

argo1/templates/openebs.yaml

@@ -0,0 +1,37 @@
+# {{ if (index .Values "openebs").enabled }}
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: "{{ .Release.Name }}-openebs"
+  namespace: argocd
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    chart: "openebs"
+    repoURL: "https://openebs.github.io/charts"
+    targetRevision: "3.5.0"
+    helm:
+      values: |-
+        {{ (index .Values "openebs").values | nindent 8 }}
+      # the next line preserves the release name.
+      # this is optional but recommended for singleton services.
+      releaseName: "openebs"
+  destination:
+    server: "https://kubernetes.default.svc"
+    namespace: "openebs"
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+    retry:
+      limit: 10
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m0s
+# {{- end }}

argo1/templates/pgo.yaml

@@ -0,0 +1,31 @@
+# {{ if (index .Values "pgo").enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: {{ .Release.Name }}-pgo
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: "{{ .Values.bootstrap.source.repoURL }}"
+    targetRevision: "{{ .Values.bootstrap.source.targetRevision }}"
+    path: {{ (index .Values "pgo").path | default "pgo" | quote }}
+  destination:
+    server: "https://kubernetes.default.svc"
+    namespace: {{ (index .Values "pgo").namespace | default "postgres-operator" | quote }}
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+      - ServerSideApply=true
+    retry:
+      limit: 10
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m0s
+# {{- end }}

argo1/templates/stakater-reloader.yaml

@@ -0,0 +1,31 @@
+# {{ if (index .Values "stakater-reloader").enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: {{ .Release.Name }}-stakater-reloader
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: https://github.com/stakater/Reloader.git
+    targetRevision: v1.0.32
+    path: deployments/kubernetes
+  destination:
+    server: "https://kubernetes.default.svc"
+    namespace: {{ (index .Values "stakater-reloader").namespace | default "stakater-reloader" | quote }}
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+      - ServerSideApply=true
+    retry:
+      limit: 10
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m0s
+# {{- end }}

argo1/templates/template-operator.yaml

@@ -0,0 +1,31 @@
+# {{ if (index .Values "template-operator").enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: {{ .Release.Name }}-template-operator
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: "{{ .Values.bootstrap.source.repoURL }}"
+    targetRevision: "{{ .Values.bootstrap.source.targetRevision }}"
+    path: {{ (index .Values "template-operator").path | default "template-operator" | quote }}
+  destination:
+    server: "https://kubernetes.default.svc"
+    namespace: {{ (index .Values "template-operator").namespace | default "template-operator" | quote }}
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+      - ServerSideApply=true
+    retry:
+      limit: 10
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m0s
+# {{- end }}

argo1/templates/trust-manager.yaml

@@ -0,0 +1,33 @@
+# {{ if (index .Values "trust-manager").enabled }}
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: "{{ .Release.Name }}-trust-manager"
+  namespace: argocd
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    chart: "trust-manager"
+    repoURL: "https://charts.jetstack.io"
+    targetRevision: "v0.4.0"
+    helm:
+      releaseName: "trust-manager"
+  destination:
+    server: "https://kubernetes.default.svc"
+    namespace: "cert-manager"
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+    retry:
+      limit: 10
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m0s
+# {{- end }}

argo1/values.yaml

@@ -1,14 +1,17 @@
 bootstrap:
   source:
-    repoURL: "https://set.to.your.fork/of/this"
-    targetRevision: "main"
+    repoURL: "http://gitea.gitea.svc.cluster.local:3000/infra/argo1"
+    targetRevision: "prod"
 
-secrets: {enabled: true}
-sealed-secrets: {enabled: true}
-haproxy-ingress:
-  enabled: false
+cert-manager:
+  enabled: true
   values: |
-    # values.yaml contents here
+    extraArgs:
+    - --dns01-recursive-nameservers-only
+    - --dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53
+    ingressShim.defaultIssuerKind: ClusterIssuer
+    ingressShim.defaultIssuerName: zerossl
+    installCRDs: "true"
 
 argo-cd:
   crds:
@@ -17,10 +20,139 @@ argo-cd:
   configs:
     params:
       "server.insecure": "true"
+      "reposerver.enable.git.submodule": "false"
+
+  controller:
+    replicas: 1
+
+  server:
+    ingress:
+      enabled: true
+      hosts: &hhosts
+      - argocd.strudelline.net
+      tls:
+      - hosts: *hhosts
+        secretName: wildcard-tls
+    ingressGrpc:
+      enabled: true
+      hosts: &ghosts
+      - grpc-argocd.strudelline.net
+      tls:
+      - hosts: *ghosts
+        secretName: wildcard-tls
+
+cluster-resources:
+  enabled: true
+  repoURL: 'http://gitea.gitea.svc.cluster.local:3000/infra/kube-cascade'
 
 vault-agent-injector:
   enabled: true
   values: |
     global:
-      # disable global vault because we're only using this as an agent injector
       enabled: false
+      externalVaultAddr: https://vault.strudelline.net
+    injector:
+      affinity: ""
+      agentImage:
+        repository: jamesandariese/vault-with-ca
+      enabled: true
+      failurePolicy: Fail
+
+nfs:
+  enabled: true
+  values: |
+    nfs:
+      path: /volume1/k8s-volumes
+      server: 172.16.18.1
+    storageClass:
+      name: nfs
+
+openebs:
+  enabled: true
+  values: |
+    jiva:
+      enabled: false
+    legacy:
+      enabled: false
+    localprovisioner:
+      enabled: false
+    localpv-provisioner:
+      enabled: true
+    lvm-localpv:
+      enabled: true
+    cstore:
+      enabled: true
+    ndm:
+      enabled: false
+
+external-secrets:
+  enabled: true
+  values: |
+    extraContainers:
+      - name: bitwarden-external-secrets-adapter
+        image: jamesandariese/bitwarden-external-secrets-adapter:latest
+        imagePullPolicy: IfNotPresent
+      - name: bitwarden-cli
+        image: jamesandariese/bitwarden-docker:latest
+        imagePullPolicy: IfNotPresent
+        env:
+          - name: BW_HOST
+            valueFrom:
+              secretKeyRef:
+                name: bitwarden-user
+                key: BW_HOST
+          - name: BW_USERNAME
+            valueFrom:
+              secretKeyRef:
+                name: bitwarden-user
+                key: BW_USERNAME
+          - name: BW_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: bitwarden-user
+                key: BW_PASSWORD
+        ports:
+          - name: http
+            containerPort: 8087
+            protocol: TCP
+        livenessProbe:
+          exec:
+            command: ["wget", "-q", "-O", "-", "http://127.0.0.1:8087/sync", "--post-data=''"]
+          initialDelaySeconds: 20
+          failureThreshold: 3
+          timeoutSeconds: 1
+          periodSeconds: 120
+        readinessProbe:
+          exec:
+            command: ["wget", "-q", "-O", "-", "http://127.0.0.1:8087/status"]
+          initialDelaySeconds: 20
+          failureThreshold: 3
+          timeoutSeconds: 1
+          periodSeconds: 10
+        startupProbe:
+          exec:
+            command: ["wget", "-q", "-O", "-", "http://127.0.0.1:8087/status"]
+          initialDelaySeconds: 10
+          failureThreshold: 30
+          timeoutSeconds: 1
+          periodSeconds: 5
+
+istio-base:
+  enabled: true
+#  values:
+#    defaultRevision: default
+
+istio-ingress:
+  enabled: true
+  values: |
+    meshConfig:
+      gatewayTopology:
+        numTrustedProxies: 2
+istiod: {enabled: true}
+metallb: {enabled: true}
+pgo: {enabled: true}
+secrets: {enabled: true}
+sealed-secrets: {enabled: true}
+stakater-reloader: {enabled: true}
+template-operator: {enabled: true}
+trust-manager: {enabled: true}

copy-admin-password.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+kubectl get secret -n argocd argocd-initial-admin-secret -o json | jq -r '.data.password | @base64d' | pbcopy

pgo/install/crd/kustomization.yaml

@@ -0,0 +1,3 @@
+resources:
+- bases/postgres-operator.crunchydata.com_postgresclusters.yaml
+- bases/postgres-operator.crunchydata.com_pgupgrades.yaml

pgo/install/default/kustomization.yaml

@@ -0,0 +1,25 @@
+namespace: postgres-operator
+
+commonLabels:
+  app.kubernetes.io/name: pgo
+  # The version below should match the version on the PostgresCluster CRD
+  app.kubernetes.io/version: 5.3.0
+
+bases:
+- ../crd
+- ../rbac/cluster
+- ../manager
+
+images:
+- name: postgres-operator
+  newName: registry.developers.crunchydata.com/crunchydata/postgres-operator
+  newTag: ubi8-5.3.0-0
+- name: postgres-operator-upgrade
+  newName: registry.developers.crunchydata.com/crunchydata/postgres-operator-upgrade
+  newTag: ubi8-5.3.0-0
+
+patchesJson6902:
+- target: { group: apps, version: v1, kind: Deployment, name: pgo }
+  path: selectors.yaml
+- target: { group: apps, version: v1, kind: Deployment, name: pgo-upgrade }
+  path: selectors.yaml

pgo/install/default/selectors.yaml

@@ -0,0 +1,8 @@
+# We add the app version as a "commonLabel" and change it with each release.
+# Remove it from selectors until we use "labels" of Kustomize v4.1.
+# See: https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/commonlabels/
+# See: https://github.com/kubernetes-sigs/kustomize/releases/tag/kustomize%2Fv4.1.0
+- op: remove
+  path: /spec/selector/matchLabels/app.kubernetes.io~1name
+- op: remove
+  path: /spec/selector/matchLabels/app.kubernetes.io~1version

pgo/install/manager/kustomization.yaml

@@ -0,0 +1,3 @@
+resources:
+- manager.yaml
+- manager-upgrade.yaml

pgo/install/manager/manager-upgrade.yaml

@@ -0,0 +1,36 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: pgo-upgrade
+  labels:
+    postgres-operator.crunchydata.com/control-plane: postgres-operator-upgrade
+spec:
+  replicas: 1
+  strategy: { type: Recreate }
+  selector:
+    matchLabels:
+      postgres-operator.crunchydata.com/control-plane: postgres-operator-upgrade
+  template:
+    metadata:
+      labels:
+        postgres-operator.crunchydata.com/control-plane: postgres-operator-upgrade
+    spec:
+      containers:
+      - name: operator
+        image: postgres-operator-upgrade
+        env:
+        - name: PGO_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: CRUNCHY_DEBUG
+          value: "true"
+        - name: RELATED_IMAGE_PGUPGRADE
+          value: "registry.developers.crunchydata.com/crunchydata/crunchy-upgrade:ubi8-5.3.0-0"
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities: { drop: [ALL] }
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+      serviceAccountName: postgres-operator-upgrade

pgo/install/manager/manager.yaml

@@ -0,0 +1,60 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: pgo
+  labels:
+    postgres-operator.crunchydata.com/control-plane: postgres-operator
+spec:
+  replicas: 1
+  strategy: { type: Recreate }
+  selector:
+    matchLabels:
+      postgres-operator.crunchydata.com/control-plane: postgres-operator
+  template:
+    metadata:
+      labels:
+        postgres-operator.crunchydata.com/control-plane: postgres-operator
+    spec:
+      containers:
+      - name: operator
+        image: postgres-operator
+        env:
+        - name: PGO_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: CRUNCHY_DEBUG
+          value: "true"
+        - name: RELATED_IMAGE_POSTGRES_13
+          value: "registry.developers.crunchydata.com/crunchydata/crunchy-postgres:ubi8-13.9-2"
+        - name: RELATED_IMAGE_POSTGRES_13_GIS_3.0
+          value: "registry.developers.crunchydata.com/crunchydata/crunchy-postgres-gis:ubi8-13.9-3.0-2"
+        - name: RELATED_IMAGE_POSTGRES_13_GIS_3.1
+          value: "registry.developers.crunchydata.com/crunchydata/crunchy-postgres-gis:ubi8-13.9-3.1-2"
+        - name: RELATED_IMAGE_POSTGRES_14
+          value: "registry.developers.crunchydata.com/crunchydata/crunchy-postgres:ubi8-14.6-2"
+        - name: RELATED_IMAGE_POSTGRES_14_GIS_3.1
+          value: "registry.developers.crunchydata.com/crunchydata/crunchy-postgres-gis:ubi8-14.6-3.1-2"
+        - name: RELATED_IMAGE_POSTGRES_14_GIS_3.2
+          value: "registry.developers.crunchydata.com/crunchydata/crunchy-postgres-gis:ubi8-14.6-3.2-2"
+        - name: RELATED_IMAGE_POSTGRES_14_GIS_3.3
+          value: "registry.developers.crunchydata.com/crunchydata/crunchy-postgres-gis:ubi8-14.6-3.3-2"
+        - name: RELATED_IMAGE_POSTGRES_15
+          value: "registry.developers.crunchydata.com/crunchydata/crunchy-postgres:ubi8-15.1-0"
+        - name: RELATED_IMAGE_POSTGRES_15_GIS_3.3
+          value: "registry.developers.crunchydata.com/crunchydata/crunchy-postgres-gis:ubi8-15.1-3.3-0"
+        - name: RELATED_IMAGE_PGADMIN
+          value: "registry.developers.crunchydata.com/crunchydata/crunchy-pgadmin4:ubi8-4.30-8"
+        - name: RELATED_IMAGE_PGBACKREST
+          value: "registry.developers.crunchydata.com/crunchydata/crunchy-pgbackrest:ubi8-2.41-2"
+        - name: RELATED_IMAGE_PGBOUNCER
+          value: "registry.developers.crunchydata.com/crunchydata/crunchy-pgbouncer:ubi8-1.17-5"
+        - name: RELATED_IMAGE_PGEXPORTER
+          value: "registry.developers.crunchydata.com/crunchydata/crunchy-postgres-exporter:ubi8-5.3.0-0"
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities: { drop: [ALL] }
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+      serviceAccountName: pgo

pgo/install/namespace/kustomization.yaml

@@ -0,0 +1,2 @@
+resources:
+- namespace.yaml

pgo/install/namespace/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: postgres-operator

pgo/install/rbac/cluster/kustomization.yaml

@@ -0,0 +1,7 @@
+resources:
+- service_account.yaml
+- role.yaml
+- role_binding.yaml
+- service_account-upgrade.yaml
+- role-upgrade.yaml
+- role_binding-upgrade.yaml

pgo/install/rbac/cluster/role-upgrade.yaml

@@ -0,0 +1,71 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  name: postgres-operator-upgrade
+  labels:
+    postgres-operator.crunchydata.com/control-plane: postgres-operator-upgrade
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - endpoints
+  verbs:
+  - delete
+  - get
+  - list
+  - watch
+- apiGroups:
+  - apps
+  resources:
+  - statefulsets
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - batch
+  resources:
+  - jobs
+  verbs:
+  - create
+  - delete
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - postgres-operator.crunchydata.com
+  resources:
+  - pgupgrades
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - postgres-operator.crunchydata.com
+  resources:
+  - pgupgrades/finalizers
+  verbs:
+  - patch
+  - update
+- apiGroups:
+  - postgres-operator.crunchydata.com
+  resources:
+  - pgupgrades/status
+  verbs:
+  - get
+  - patch
+- apiGroups:
+  - postgres-operator.crunchydata.com
+  resources:
+  - postgresclusters
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - postgres-operator.crunchydata.com
+  resources:
+  - postgresclusters/status
+  verbs:
+  - patch

pgo/install/rbac/cluster/role.yaml

@@ -0,0 +1,135 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: postgres-operator
+  labels:
+    postgres-operator.crunchydata.com/control-plane: postgres-operator
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - configmaps
+  - persistentvolumeclaims
+  - secrets
+  - services
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - ''
+  resources:
+  - endpoints
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - ''
+  resources:
+  - endpoints/restricted
+  - pods/exec
+  verbs:
+  - create
+- apiGroups:
+  - ''
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - ''
+  resources:
+  - pods
+  verbs:
+  - delete
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - ''
+  resources:
+  - serviceaccounts
+  verbs:
+  - create
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  - statefulsets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - batch
+  resources:
+  - cronjobs
+  - jobs
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - policy
+  resources:
+  - poddisruptionbudgets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - postgres-operator.crunchydata.com
+  resources:
+  - postgresclusters
+  verbs:
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - postgres-operator.crunchydata.com
+  resources:
+  - postgresclusters/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - postgres-operator.crunchydata.com
+  resources:
+  - postgresclusters/status
+  verbs:
+  - patch
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - rolebindings
+  - roles
+  verbs:
+  - create
+  - get
+  - list
+  - patch
+  - watch

pgo/install/rbac/cluster/role_binding-upgrade.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: postgres-operator-upgrade
+  labels:
+    postgres-operator.crunchydata.com/control-plane: postgres-operator-upgrade
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: postgres-operator-upgrade
+subjects:
+- kind: ServiceAccount
+  name: postgres-operator-upgrade

pgo/install/rbac/cluster/role_binding.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: postgres-operator
+  labels:
+    postgres-operator.crunchydata.com/control-plane: postgres-operator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: postgres-operator
+subjects:
+- kind: ServiceAccount
+  name: pgo

pgo/install/rbac/cluster/service_account-upgrade.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgres-operator-upgrade
+  labels:
+    postgres-operator.crunchydata.com/control-plane: postgres-operator-upgrade

pgo/install/rbac/cluster/service_account.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: pgo
+  labels:
+    postgres-operator.crunchydata.com/control-plane: postgres-operator

pgo/install/rbac/namespace/kustomization.yaml

@@ -0,0 +1,7 @@
+resources:
+- service_account.yaml
+- role.yaml
+- role_binding.yaml
+- service_account-upgrade.yaml
+- role-upgrade.yaml
+- role_binding-upgrade.yaml

pgo/install/rbac/namespace/role-upgrade.yaml

@@ -0,0 +1,71 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  creationTimestamp: null
+  name: postgres-operator-upgrade
+  labels:
+    postgres-operator.crunchydata.com/control-plane: postgres-operator-upgrade
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - endpoints
+  verbs:
+  - delete
+  - get
+  - list
+  - watch
+- apiGroups:
+  - apps
+  resources:
+  - statefulsets
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - batch
+  resources:
+  - jobs
+  verbs:
+  - create
+  - delete
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - postgres-operator.crunchydata.com
+  resources:
+  - pgupgrades
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - postgres-operator.crunchydata.com
+  resources:
+  - pgupgrades/finalizers
+  verbs:
+  - patch
+  - update
+- apiGroups:
+  - postgres-operator.crunchydata.com
+  resources:
+  - pgupgrades/status
+  verbs:
+  - get
+  - patch
+- apiGroups:
+  - postgres-operator.crunchydata.com
+  resources:
+  - postgresclusters
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - postgres-operator.crunchydata.com
+  resources:
+  - postgresclusters/status
+  verbs:
+  - patch

pgo/install/rbac/namespace/role.yaml

@@ -0,0 +1,135 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: postgres-operator
+  labels:
+    postgres-operator.crunchydata.com/control-plane: postgres-operator
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - configmaps
+  - persistentvolumeclaims
+  - secrets
+  - services
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - ''
+  resources:
+  - endpoints
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - ''
+  resources:
+  - endpoints/restricted
+  - pods/exec
+  verbs:
+  - create
+- apiGroups:
+  - ''
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - ''
+  resources:
+  - pods
+  verbs:
+  - delete
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - ''
+  resources:
+  - serviceaccounts
+  verbs:
+  - create
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  - statefulsets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - batch
+  resources:
+  - cronjobs
+  - jobs
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - policy
+  resources:
+  - poddisruptionbudgets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - postgres-operator.crunchydata.com
+  resources:
+  - postgresclusters
+  verbs:
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - postgres-operator.crunchydata.com
+  resources:
+  - postgresclusters/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - postgres-operator.crunchydata.com
+  resources:
+  - postgresclusters/status
+  verbs:
+  - patch
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - rolebindings
+  - roles
+  verbs:
+  - create
+  - get
+  - list
+  - patch
+  - watch

pgo/install/rbac/namespace/role_binding-upgrade.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: postgres-operator-upgrade
+  labels:
+    postgres-operator.crunchydata.com/control-plane: postgres-operator-upgrade
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: postgres-operator-upgrade
+subjects:
+- kind: ServiceAccount
+  name: postgres-operator-upgrade

pgo/install/rbac/namespace/role_binding.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: postgres-operator
+  labels:
+    postgres-operator.crunchydata.com/control-plane: postgres-operator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: postgres-operator
+subjects:
+- kind: ServiceAccount
+  name: pgo

pgo/install/rbac/namespace/service_account-upgrade.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: postgres-operator-upgrade
+  labels:
+    postgres-operator.crunchydata.com/control-plane: postgres-operator-upgrade

pgo/install/rbac/namespace/service_account.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: pgo
+  labels:
+    postgres-operator.crunchydata.com/control-plane: postgres-operator

pgo/install/singlenamespace/kustomization.yaml

@@ -0,0 +1,29 @@
+namespace: postgres-operator
+
+commonLabels:
+  app.kubernetes.io/name: pgo
+  # The version below should match the version on the PostgresCluster CRD
+  app.kubernetes.io/version: 5.3.0
+
+bases:
+- ../crd
+- ../rbac/namespace
+- ../manager
+
+images:
+- name: postgres-operator
+  newName: registry.developers.crunchydata.com/crunchydata/postgres-operator
+  newTag: ubi8-5.3.0-0
+- name: postgres-operator-upgrade
+  newName: registry.developers.crunchydata.com/crunchydata/postgres-operator-upgrade
+  newTag: ubi8-5.3.0-0
+
+patchesJson6902:
+- target: { group: apps, version: v1, kind: Deployment, name: pgo }
+  path: selectors.yaml
+- target: { group: apps, version: v1, kind: Deployment, name: pgo-upgrade }
+  path: selectors.yaml
+
+patchesStrategicMerge:
+- manager-target.yaml
+- manager-target-upgrade.yaml

pgo/install/singlenamespace/manager-target-upgrade.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: pgo-upgrade
+spec:
+  template:
+    spec:
+      containers:
+      - name: operator
+        env:
+        - name: PGO_TARGET_NAMESPACE
+          valueFrom: { fieldRef: { apiVersion: v1, fieldPath: metadata.namespace } }

pgo/install/singlenamespace/manager-target.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: pgo
+spec:
+  template:
+    spec:
+      containers:
+      - name: operator
+        env:
+        - name: PGO_TARGET_NAMESPACE
+          valueFrom: { fieldRef: { apiVersion: v1, fieldPath: metadata.namespace } }

pgo/install/singlenamespace/selectors.yaml

@@ -0,0 +1,8 @@
+# We add the app version as a "commonLabel" and change it with each release.
+# Remove it from selectors until we use "labels" of Kustomize v4.1.
+# See: https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/commonlabels/
+# See: https://github.com/kubernetes-sigs/kustomize/releases/tag/kustomize%2Fv4.1.0
+- op: remove
+  path: /spec/selector/matchLabels/app.kubernetes.io~1name
+- op: remove
+  path: /spec/selector/matchLabels/app.kubernetes.io~1version

pgo/kustomization.yaml

@@ -0,0 +1,4 @@
+namespace: postgres-operator
+
+bases:
+- install/default

secrets/bitwarden-user-sealed.yaml

@@ -0,0 +1,43 @@
+---
+kind: SealedSecret
+apiVersion: bitnami.com/v1alpha1
+metadata:
+  name: bitwarden-user
+  namespace: external-secrets
+  creationTimestamp: null
+spec:
+  template:
+    metadata:
+      name: bitwarden-user
+      namespace: external-secrets
+      creationTimestamp: null
+    type: Opaque
+  encryptedData:
+    BW_HOST: AgA5YbPiLEiJL44P5Dcjph4h/QbOQog1xb5TuJ9YDl1k8WY5GhX8uR4lB6ceyg3nl49S5KF88JAMUl1x3uXFSMhAZ+mdc1HJr6Czvr/A0KLeeX82jh1S2j0sGIjleXQxtJfUjQs4nWOXmjKWbju0aMzgJy3iLBcutFPEKKaPcmjm9SsC6ruz0KsEMa0CfH+lbGX6YmZQeDn+EdVt3dw+/vugFILsdOauVrvwJ862xnB7zNgpSCa4VWYO1xl4UsElAlRcTA9TowVfQcPyjwjzp+tBzHjBQFXfzhkfO1bJGjPrVVZydzVbMfBXrILP1BpHdlrxqEgfsJLV464lJix/4C17rA1Z4X4tBa5+ZT4aWPKX8OXhi/bXW7sA7yzyIZEFAEmfvaDbe8/2MfK9T4FbaEJ7rMCGz35CHsuX12PJdwHX2q8lGM5IdQsITvQoKD/mWGCK4iG6oWZ8q4zUU+wdZLqoWexyfKNMPncS7+5xnEsDB94B97j+VZtaS7M+Rxv8xYlFsguQzDUfYuFLo3imCgaNIZ2Ci24u775V9kKQmCVdMpCf5LtXwp1u56LSYy93lEGFanDe8dZ7iMZScwnQypW/Ytl9g3jVE5BGhlyFPscdv+5LzhVIhpbjT7jWg7lrJowDX39Y0OQpyaqrfRnYHqCg+WM2vVE0AVYzL3erpuKgAiofiQRMBLNal1CDiR+aF9bHrZTnbzklB12h3Ee/mm9aSjSbvdeuxsK/NFFFlUE=
+    BW_PASSWORD: AgCldsd1izPvL+5+hnlm4j7cnX571s13BoN2OePyt0yubk9IkjaoqRDlcMMISWkcEMjqztgZwm2Yez5KdZ6I2uJcew7fREy4D3RcwhCWZT9sgsSXZQTZ5Nu+mmQePHoZFgXnmNL8JDNi/lSCxLXUgm/sa+6AEB/Wwy5vG6gi3X8ZsmbmNe2hDIYrq+oGgU3cmUqhPv3UJTsHgKEYUgfByXAj39rjocRCpF9Sk7R9WciUmMHPcfX7hnX9cHp1DaYDhCJY8N5/MfvV+PocoOJpIDpyA+HJqnvxspBkxWFHlkk4HdtydW6iEUiGlI/KxT6wTHZE9baWOJC+n0SpkPqiNebie62+Vq+0t4VflhWrqQQT7GHL1QLmC3EZn6eiaaz4Y+KBuDHy8pu8nEUwBX2P4jpAOB9NNIgZ3HKBz0xmTSZ6n9kUn0rYPBrFDEZWdhYngW/aVxDA5dI66MDVBcIajTErUBf966QUbizyBTGstzchdsEnJaxJFICjrq5Xj9psFZIztwz0ejCQnk5d48U6SY5bGUgxs4mcJXerLETvUqdtBVd7iJ2oCsUc2FiLJQk2FFn1rpspt0joMVpLZ1QlsFVagnPPpTljyseOJgQEE+4Qfok5e0s/JoTjaDmzmLg+di8plubMUODwnV2xgfjlvVBN9EsDOC+QR6vl2VLL3GZ6/bU3XbsJ66A6sN7WddOtzMpbQ4L5lP7sfvmANtZcdUNRPy3keNFI4qE2qVzi3fs=
+    BW_USERNAME: AgAp39BMRsv9KFmeZDvMugQpkK3Jla3p6rGC2oYRC/BK4ROnXaRviQ3++6RsXjsatMHhBT3ZvUSSe/VzwjVmlFar05Rz3/Y0SZ5c0CVD28/R++xDKxNlp3RmB2RlCwvfl89aJ3UfTd3uJYmOoOh8OfgXnF6n9ObBvY98ZWvZiTcK6fcmoyyjoTttP6rMTQjN3be+Aq5OwenwkfpuWYGELW5tPBOKqM31b7unX8ZdJFyjCfhWSvnRSujaSM6J9yKJDJy5wNA1twmaSpnmUlG0zznGS3X4m2pf0frAybqPF5zZSIuGwQZKKiSpWpTM36i78xzczP4w9HR+znoLuSIr1QLltkpdU9CiP+4G8iLNv8AfQ9kk4M1FfwZV4EVXP78UZ1GHPJijAvN+mUuTkIiRAxcATagUPahfpRunNNjerwiectf8Mnub4IKKpRawP+F2w3A0dmNwBMTY+POPCpRZfT3Cx4gIlsHUhwAFy5pmtPlm4xYAF9dzWBvrgOALuhFdRvLfLBgVDx0dMHT7wXCBqXZqK3/vFkWGdZ90aI9sBXfLlL1ed4GDYNzUVa4QjnjWAZlxVvcbvT6bXrN9DtRzUZY15RdNH5LLIWpm0xUKhUrbCh7fefzJ66zSVRPJDNcmXTb1h9Ex4J11qlPwjonex1w4EZIf6eOdA6qVhwb8WG9nRTPwJgq3dl+0FLubFwPUbnmzJwicUfRGDEQKqORayrI//dwun2A=
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+  name: bitwarden-login
+spec:
+  provider:
+    webhook:
+      url: "http://127.0.0.1:8087/object/item/{{ .remoteRef.key }}"
+      headers:
+        Content-Type: application/json
+      result:
+        jsonPath: "$.data.login.{{ .remoteRef.property }}"
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+  name: bitwarden-fields
+spec:
+  provider:
+    webhook:
+      url: "http://127.0.0.1:8087/object/item/{{ .remoteRef.key }}"
+      result:
+        jsonPath: "$.data.fields[?@.name==\"{{ .remoteRef.property }}\"].value"
+

secrets/git-creds.yaml

@@ -0,0 +1,29 @@
+{
+  "kind": "SealedSecret",
+  "apiVersion": "bitnami.com/v1alpha1",
+  "metadata": {
+    "name": "local-git-token",
+    "namespace": "argocd",
+    "creationTimestamp": null
+  },
+  "spec": {
+    "template": {
+      "metadata": {
+        "name": "local-git-token",
+        "namespace": "argocd",
+        "creationTimestamp": null,
+        "labels": {
+          "argocd.argoproj.io/secret-type": "repo-creds"
+        }
+      },
+      "type": "Opaque"
+    },
+    "encryptedData": {
+      "password": "AgAZClR6k01hwzedgGaf3qfKKIjFMqYoUVU4NfB7/xzXmyIjLcYoN89kMedYxTP2ESS3vHopkkP/XbRYBudyzgX5mU4T1Mke3LhO2b2/1pMBhSFKfJ76BWpiTcVwq9z3fxKFdptBw4DoqxwzFurMla2rw+Qbx6Unk+Oj6ob+JXu3u7Ym19D3jK79LO6jN7RDs8thJ0Z1sZpMxdwYM+SYR89tfkqIJmhX0nXQVcjB/FWAp3hKf4seIU/dfq/pqg3bnvalkp8JV7UeMqXwlGAJkTJh9ebJuaaI5ekaqJF2vZqTsqQ91RH7ByebDpVy/085uo+OJ9ltjHivBWPn+cqqvOnh8QAkENpyc89tHolqJVSPrCUfaOFBoNAEiMvuXV7govkbIDr9lFbGSweue+oYh2GjtDRJnJuUFtAVxadxuu1VBmiUYR0mnkDaOSEEw3fA0ErSrkCrSZxikk88TdcUzoicn7GXJugew8pBneX1OQgLVTsZq5Pwvx0LA69VF1y9zsHzqUEKUrtrCIyJBCEvsPtgKgGne+vRrWXJVAFMarZRIobgpeNlPGUQRuOf0CVsxDAA2pa+z1gKEQC040eIuZBJw6T/JkEqoFOP+/Y2/7E6LzcS5UseSI4h+dDH6X1ydKnnRA4VuUw23fPe+Ypw9NDYmWk+Vjpcra3PdgTZ2NU9bMzGNm2d6HMQ7zDbC6DN7DUUbQmtYvbSCj/o9kHbeNTvrC78RatR6G/DFhP4UKCGObuP5/V+pH53",
+      "project": "AgCIjPYmZ3V2JeeA2Yalhxmkp6bPhs1ruvJHuNmMYROTdajDSxM8hk/HH/ue+C6GZvVnBMAbcxB4Hs5w2L4+bsR5evrKnpt0wPjo6wT5rpijltyhiZ/uPlnMHytDKfTTHPSTbIyFaaqHPAVWo9FEiqfPNFB1u0w5eT5Wpr3ZesCV6Ijikm1H8PAHz98J0Ujnbxco3WTKIDb/Ab3wYBWocpAU50bXrej2lqVItgtN/tr85Xol7GMdwm2knAy4ajxR0ule0llo2LO7CcEeU2pb5kXwvltQajPP52jG5DGk6Mtd+LT8OvEPM/2KNToQ/YO1x6qCz8hPPjl5vU0cigHMKoK6DHaG3ea2H8lC3oOacDKyJkmsjVhUgiu4DPGDLpLEq92qCFwnAZ5XVJ+g6LW5D2J0zdETNwcoGiYL0jHBlqIwLOX7E5SkS0/gTVltsBtWoNy9wrrC9SXs9GoqvlFMsZh3/tiEuHTa0nzWKCf8ANuDPO/q2QzT2N5yGx5EqWeS9G0etwFlsomcA1GojVvtlAvCnnHcca69jfaaCU5VVC2AlRWYxwXynTmutgOiZ578Ml9DErHpg9QO4ULOUojdBcbyuMZK0ie45nHBgS5jzE3yE82ZKbyrZmu9Ah6NA1I82kAfuG+SHgylrI6YaSwWK3pk+QCMK7wU5vwmu5ttveU9OStB5thrZQpuWPlPtWyW2ed9Ou0yOuxT",
+      "type": "AgBmsYlD5sj9g/elOiV6lyjtcECgB1Bp7Ls7JWIp7tXKo3cOuoubLRGwaHp7dic5d4sig6q0JiooCGL5WP1TALp1Th401yiQN3i4KJLoRD4HlwvrIx+fH/daK4Rzu2HlFNdBTg15SPczqAxZxwgwaUpfYvQOAysClRRI5dLs2aGSpxvE88qh/BIRuZ6aBOzvF4lxjRtCj1iUijscPTYJiLz/zQsojvnCBkXPctpe7C39rddYtkcWFCSoOpMx9KsHqKzQXDJiUMx/8mYFfIXA4WTCa+wnJCD4bOTOJQu2mwxFQH5xf9cTAN0WOOSdundd2zr0qLrOpN2niIxM2wfofCDzRBB9+0Jr/VqH+9CsklqzqIV21QjSyXe6X2oVjq9UIoILfB6hb6VE01R31YXiy+Qwh/icC014K7G3UpOz1rnBCmKbHC+bm3PCXttTSeV7J27qpAJDwAibtuCmccLUrZZeLsk54n64LTTHESV6k8vBWaoyeKNG9AwSMculTdfo3F5NT5lWtdaQWLzIeUM33n9LVtYX7MiAZJnitxv29uwMb4wz8EjLp5aesLKCm04/682MPLGDDo/kL/7D5mwGJP6cz1uqWWfLkqodZ/HcKPEdn1NkU8CE/xqbbrGU8Cs9wFah4RVQ7D+wUbpeOmI+N1rBQ6XWh1u5piyYxW6s52FDVlaVmpRuRW+XXm6YwV9DXj9PUDo=",
+      "url": "AgDg2TfHr2da7XELt6EAqeA9z9Q58wIohGDdIWJbk+RPBHALQ+AGvMvlSb0LgIA1HHDOL4uj7KC6bSS4bZs3UaT+914MZrnNGfpmh9zV1m5ZjAhvQuYkI417jlKt/zXEBGo+OIV/sVjr+yK0yDHtlFj82/EXlALJ0d4a74fMi6P0fOvoC4oYCW82UpUH87d568/RmwwPtHynGXxHA3LW9M05eFiej6vYbY1HWJDODr9crHMj35LSwqLvzYxxzoNQZEVqapTAe6L22wDOMLYCabctvu5hOE5/pJvPYZj7t/LSdK7HNN678SK9ukbI52QDyz0AyZM7OlEprYVG9CGo1rLDWrofYEgXi86nC2mK8sRJES1Cb5iY2l933UwZ2y59+TQEWgioy4cKPhKv+DkNWOo95eXvdUvbojPMGY+7FsC+NbGIsVR+RpAB88ePMxaBl2YPzGp9BU7/MxNdITDIuFtEOczQR09VNAH6hI4hdmTSfyHb5dJRkSnnJYjK+J+lmMpDtlETUeQv78wMH37UEbu/9cesJRoWbunA7i1ySO/OrdVnCCnW6x+pm780Kt+woKuYx09G35xBMH1OYbhieE4ltoj9rLEWDbo5LnI3qlhFje9jPRwP9IS/HvoyjzGuUNLRVonx5W9z0/SL2NJEeYS1GYk/ttyyeB1gdUDNtAG5LFwrRkyMi3cfJ7KfsYfGs3WtzizBMN/6/iwRG/CVolFr9zn4wKVBqV1KKLoP",
+      "username": "AgBTUXyEIPPPMOKu/6dbFKMmiQzKs8afxYm//3aIgUGpVX6PAFYYNtydra2JvVmsH5ZctMn+IYVLgeMp/2Q6HMF34/7+O95mTjeLYjx3qsG7GOUVBCgAFeJ/5g6bEaX/wW30afIXhsOM/L1OXjU+82KhgjCODxBBQP7jRKvppVEp+m7q68FjnKf4GSYDyKxf7aIb2m3ox/kFa9oR9cDeJ8/vll7iTRqo4uOOXEgFXw+IZG2v1A7iRkqiLgf4jWVdVvOQ/AgbHeQ9OL3SU4UukhDJcXo9nnp+UVwy9mdY6QNTZ+pr7mEGh8agfsMSthSq/4miLKkHlm5wPJaZTi+hpKdfxrE2jNeZ/ALQD2qPv9tRPE+WfK1sO26QWsLlF4AdJaWFLuZPDb1XNKPnfSbMMegidO58mkHuWM77IIjkC5n6R42xE2LoqgTS0EGmMIZ81vhfxmcGAYNCZa+2R+ErrG5yxX+XnLRbrmcBQOKHQNiC9pfYa7jjNjlBp7grph2yVJcSOOvHq3Kxktjxz8u988R8q/iA9PVXjFVQhS7zglzvplus+vyyO34X2iCcexVDdu0R6cR1WSI7zk2rR9/P+T1M+t2hNBE7rGe9hZBJIiPx5gO/7bxjvCREINKdIX6kW0nh4NSfdX46iC5TTFEArFaL2g5qkQmWLjl9QLk71KQkVRPUFwkPlw0sq5Pt3vbTZO28nx9iWQ=="
+    }
+  }
+}

secrets/sealed-secret.yaml

@@ -1,22 +0,0 @@
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  creationTimestamp: null
-  name: local-git-token
-  namespace: argocd
-spec:
-  encryptedData:
-    password: AgAlNckjIJjOhBKYA54pngBa50DagQ6BtT0I9vvjyhbwBV62efdfnIrRcPSUzrXzSnCMrJPFCYyGZQwHCe7+MurVLPX+i94bBDFjZlGwP7kokaMQjTi4122nWbM0y9AGrYQUtDV3KodRdUkhRP8aAuhqtbzOjqSKB96xHc9EzUKupwrhs7iymbY50d5b7FVxvCBWL0ZzctIwlZU7o2OQ46ImmrAo/0Hn1ueI2wsuhSjg4a4xsh1GipVsRWTCuLO5Ot0eDOgEqQEhTQji5+uwOy4iCuYnj+UHlNodClGsn9MsRv4dIZhCt8kapKKTv4PdQNKSq9JjefgPjyXJs7Za5xTOj07KSsOHdrOQOBNzbf2piaKiGt3p1e8/NhdhB4ODpxbW973y/2ErR4xcf+hpCKQ8CqffNIYEvcRs+NcZAq0afaHQymWTjzqRgYjtceDp8gNIUbQxD5WRlbvaxRwgDWfe4aSrp/cRw7JbwkcOEQGfjGNJr15PmYO7jT8yb8ZJNavUG9KK4tCio8j2nCC7OZECewWr1vj/FLquYvD6AYeKMHKgfL2eRdxcqTwbXIoWXAP6JeWF1oN97xN0TANPljf+Pyt89D73BHMDVuQ1Ei2528y7JZy6xir7C3PoDRBBbSX0imMmHFCngSwtbGYMKdRfbxJ7rG+aamYGo6LUfqArrpnXDGPe4ti/FIp/fUKjYs7azT1f+Ntwfg==
-    project: AgCaMGRFcW9LaVW8M5dLLwpEGEAnbwXgHZzBWkgkc804rL9lKNuu6L40l0QmZizziEf14u3MdVh5VecHo9julJgMQNaArWIwOLRGR3vcETcYdYHjMmQwUT+TO7GwY7xJZCAxEKMoQrM74ha+wgT2uWMn0uEOFTkobTQfnWLoTlXZcspIWFcTNhdgZeJKAqZMKIt7yE1CF0AjMy+7XWDAGHOByyWllpZSHp2wh78fuaK0tLGzY50+NmwE44cft6lATSh5a/Ko1UL+1uCDeMRvrs2cR5+1Zh9MNWbXHKCggyM81vojf831p58dfJ3yPzXJTWLADZ/k2o3liWvY43W5mp/C4my9wUYR9JRXFsByvbvtu+7vvdhFV2YLEPErKvJAVv66R/r+6u3YQTAAtz8iAHaxLtEn9Tj91b+iBeCqZnnChqfRF4Ts2XZvSmwH6O1V8k6Lv1s9ULYN7lDesvO0W4vbkO01P72vaPgjWYgDLkxeWrnEx5jQM9jPs29U9NaCiiWxnHxReGN87WklCA0Gsb5eyXmbXoh50qICx26Cf2TUqbrVGyMPT0pEJdavXpX7mgQDohP9iAy9ALGFicUmZ8gDH9DeadtqkHT8UgGWWoAGroTMulRCWK1v+plVfRJkfrtw3AXmWTegkNFYX8lYjyAHJokMOEpF4OjL1By2XngfwAnd2eAiSWtU1cPL1Jjv2NCYDR5ZlHXu
-    type: AgBWOyU8137TFCt3kJC2WJV3gXlBQEirknbHVmS3IDcxwmyhuIxZh5NeLbDfc7Ip9OEtGQFViBD523gUzr3qJRZBE0IAWplF98+NwRopT3jVjxRCt8H6yF8+/3EiagUBe/9WM/eb5+S428KMDT7eDn9PiB6pEjoduxD5w/l+QDBUQQOoejc98bzxjC8ml8EpkaMS4H4yiO7JAlW2QYFRyF1fFaopoEdwyIEkPJ5Br/TXDOtdJeCEIhUhNKE+wQmNZc7MBJKWiqGyb54HzdsAndmF2PQs1FZ+sUCn0xJtu1pP8WTpcKGm4VpHPASlDNQgpuNFBvkYRGe+MErAmqyrAs0E5VU3R0qoIkmbhuvXY+gOploJ2YljG5gqLUx8DtECoSmkrF92oQZx61Yf4duvE/mEciWcDRThzUXwrG8A+qj8B/JxomoEQB4xu/l3WgNBOPMonF77b2dpTckBfH9VH70QKygbMTGAj7zl/sZDavPMZq37SCqNTmRhcDBs1qt3wtv8sUy6F4RUmr6XZsOtePxGg+WYijeHpXXeQSu7oASiZgUcNnjIPFPLc64IXoUv3s4a/QiSGRCgz8uUqws6QSu+TggY4P7f8VBOrJATv4jbOc++XGgWe0o/+b9oQACn5qPrdCkR4hiGd5wZ1BQXVINK5FMXCJq3l4kIjxDdKC6TjfG4vhi2VLld5eAz6f9cNphrocM=
-    url: AgAk92yrw8BJX0rVsCkZOEz3PhkLMoNhKBOXEAGqlcH+AESKIKUH152fMcfFKNj3DBrOEaNGXM+HiM1DLCd+e4A46ytx/aqSF4uEno2853wLlHjlLQlqfSWdkMYwosSV11Y9MuMGhGTMyCB/u10QUIycUjBs/gZEHDrJV/ObJYtw1pIlMadeKG5nomYYoOiMArdKZ1EXqv010imTItAhrW+Xn4h7/GftCEm2vWPbCdTbFBNIirif2DIAge7kTM3NeLzeLdAqf+tM7+A2Ekw7lU6+bnuVGGNWzEbQI/e4soSGYATQqVdhRPD/UFRJJrmp6IFZ2ymgqKr7t7EbTJ8UKr+GiMP2Gy/9ihBe3cDiQuVEfj791yHMSfChkIQ4vDYzJjMueYJE5pAz04y6QMbqgDxfVaQlx1B2XTP2ma3W+9bMB8vrDCuqK5iWtfM1jSmLVnM10KCsxcQAraE6C8jOArpkUqMPzsCmIfAudEe8FUxv56EeOP0MVT7sHLDKjklxqfgFCzzeqpGAZOP+k8zLT89vXlqbgeUWl3VmXMRqheDmhS6v8YiwJhkusvEdMeC8GOukvXM5limKC/+SZDIUNLlf0wct8/ymi0nkkmcGsfI2Jl7M5ZyOrjjXfvMLeNhc/vE+atXeKIXy8NLoDM0UwjyvMiO2mOpx3ZUwu2M5ff2i9n3rpxevYTh+fpOLWz2CXpLkMzvIm8wIgOow/4mWWYuY1Oqg
-    username: AgCIo+y2uwCJVEfnLl8wwTKLyw10rMfpJExCHcXq7dBlYWit2tG/uBQr6SM0jqlRINoe0jSNcaVUuzdRZWjvRwW7fwRonz2rjFih9wdmCXYhSc5K4qF5FeB8mO7tmOW+CzILUviZfqnqTyYLzd66BV2etCusuGHPBGomOYsaELYLMzQmpKPLt7an4PP8dUAM09aCeKe0KkTwQcgCkNRKBPRysg1mXnulCpGgWdUDGsj5QCM3byp2+l45g+/RDvELZgnkRjzVNNnXK9AI4Xy3vekDMoNEuFX3A+YWoBwI6LRSRWFOy5hi6w596PrvCq/O4FEomIsFqk9jkBY7dEVXsUX6JKVpIxkwtlKSChO3rt558YGipamt1csNKstM7frgtkzfXoNB7jQiKzHULeimtZnUOSjI8TaboeBKKKLHfrlbIWrJBHD1xJ3kuYCM/O7dpHM5aGBOwPSbjc72ur9Lso/uDs/ZvibsYkuaIBnP+Y8rj+t2d6cFe8//W4zcC90L+0Gnxn1/rLyuAp+B92bb13yq7sY50la2zu7zmvsL41/V4NYErgAUMciT2bSZMvSNh6wtx2IhCyJJSByDbsUMth7ixzfbuK8bgIeoyS3L3V17pB90YI9ttGNLmZ5zJLXzIhejD817EpnrIXHBQqjl0fNpxRgwJw2rmAH8fkKxSbsdT+hX3BORI/LUmFMuXuWhsarwbjTXmVHUV5qvbX0=
-  template:
-    metadata:
-      creationTimestamp: null
-      labels:
-        argocd.argoproj.io/secret-type: repo-creds
-      name: local-git-token
-      namespace: argocd
-    type: Opaque
-

secrets/secret.yaml

@@ -1,14 +0,0 @@
-apiVersion: v1
-stringData:
-  password: password
-  project: default
-  type: git
-  url: https://github.com/
-  username: bobtedsmithy
-kind: Secret
-metadata:
-  labels:
-    argocd.argoproj.io/secret-type: repo-creds
-  name: local-git-token
-  namespace: argocd
-type: Opaque

template-operator/kustomization.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+bases:
+- "https://github.com/flanksource/template-operator/releases/download/v0.7.1/operator.yml"
+- proxy-protocol-shim.yaml
+
+patchesStrategicMerge:
+- template-operator-memory.yaml

template-operator/proxy-protocol-shim.yaml

@@ -0,0 +1,26 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: proxy-protocol-shim
+  namespace: argocd
+spec:
+  destination:
+    name: in-cluster
+    namespace: default
+  project: default
+  source:
+    path: .
+    repoURL: https://github.com/strudelline-net/k8s-proxy-protocol-shim
+    targetRevision: main
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    retry:
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m0s
+      limit: 10
+    syncOptions:
+    - CreateNamespace=true

template-operator/template-operator-memory.yaml

@@ -0,0 +1,17 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: template-operator-controller-manager
+  namespace: template-operator
+spec:
+  template:
+    spec:
+      containers:
+      - name: manager
+        resources:
+          limits:
+            cpu: 500m
+            memory: 500Mi
+          requests:
+            cpu: 100m
+            memory: 120Mi

template-operator/vnc-mqtt-bridge.yaml

@@ -0,0 +1,26 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: proxy-protocol-shim
+  namespace: argocd
+spec:
+  destination:
+    name: in-cluster
+    namespace: default
+  project: default
+  source:
+    path: .
+    repoURL: https://github.com/jamesandariese/k8s-vnc-mqtt-bridge-operator
+    targetRevision: main
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    retry:
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m0s
+      limit: 10
+    syncOptions:
+    - CreateNamespace=true