# Flux Kustomization "infra-net". Only spec.patches is visible here: three
# patches, each overriding spec.values of one HelmRelease (ingress-nginx,
# crowdsec, tailscale-derp-hk).
# NOTE(review): no sourceRef/path/interval is shown, so this is presumably
# merged into a fuller Kustomization elsewhere - confirm.
# NOTE(review): the nesting below was restored from a flattened copy of the
# file; check it against the original and the charts' values schemas.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: infra-net
spec:
  patches:
    # ingress-nginx: the controller is pinned to nodes labelled
    # svccontroller.k3s.cattle.io/enablelb="true" and tolerates the
    # control-plane NoSchedule taint, so it may be scheduled on control-plane
    # nodes that carry that label.
    # NOTE(review): if this ingress is reachable from untrusted networks,
    # confirm that co-locating it with control-plane components is intended.
    # dnsPolicy "None" makes the pod use only the two listed nameservers;
    # dnsConfig sets no searches/options, so cluster search domains are
    # presumably absent from the pod's resolv.conf - verify that name
    # resolution still works as expected.
    # defaultBackend is required to run in region cn-sh or cn-hk.
    - target:
        kind: HelmRelease
        name: ingress-nginx
      patch: |
        apiVersion: helm.toolkit.fluxcd.io/v2
        kind: HelmRelease
        metadata:
          name: ingress-nginx
        spec:
          values:
            controller:
              nodeSelector:
                svccontroller.k3s.cattle.io/enablelb: "true"
              tolerations:
                - key: "node-role.kubernetes.io/control-plane"
                  operator: "Exists"
                  effect: "NoSchedule"
              dnsPolicy: "None"
              dnsConfig:
                nameservers:
                  - "169.254.20.10"
                  - "10.43.0.10"
            defaultBackend:
              affinity:
                nodeAffinity:
                  requiredDuringSchedulingIgnoredDuringExecution:
                    nodeSelectorTerms:
                      - matchExpressions:
                          - key: topology.kubernetes.io/region
                            operator: In
                            values:
                              - "cn-sh"
                              - "cn-hk"
    # crowdsec: LAPI reads DB_PASSWORD from Secret cnpg17-cluster-hk-app (key
    # "password") and stores its data in PostgreSQL at
    # cnpg17-cluster-hk-rw.infra-data:5432; no credential is written inline.
    # NOTE(review): lists in values are presumably replaced, not merged, by
    # this patch, so lapi.env entries defined in the base HelmRelease would be
    # dropped - verify. REGISTRATION_TOKEN is referenced in the config but not
    # defined in this patch; it must be supplied elsewhere - confirm.
    # NOTE(review): ${DB_PASSWORD} and ${REGISTRATION_TOKEN} are meant for
    # CrowdSec to expand at runtime. If Flux postBuild substitution is enabled
    # for these manifests, Flux would expand them first - confirm they are
    # escaped or that substitution is off.
    # NOTE(review): sslmode "require" encrypts the connection but, in
    # PostgreSQL client semantics, does not verify the server certificate;
    # "verify-full" with the cluster CA would also authenticate the database.
    # NOTE(review): auto_registration is enabled for loopback plus all three
    # RFC 1918 ranges, so any host in those ranges that holds the token can
    # register with LAPI. Narrow allowed_ranges to the cluster's pod CIDR(s)
    # if they are known.
    # Scheduling: lapi and appsec prefer region cn-hk (weight 1); the agent
    # prefers nodes already running pods labelled app.kubernetes.io/name=loki,
    # with namespaceSelector {} matching pods in every namespace.
    - target:
        kind: HelmRelease
        name: crowdsec
      patch: |
        apiVersion: helm.toolkit.fluxcd.io/v2
        kind: HelmRelease
        metadata:
          name: crowdsec
        spec:
          values:
            lapi:
              env:
                - name: DB_PASSWORD
                  valueFrom:
                    secretKeyRef:
                      name: cnpg17-cluster-hk-app
                      key: password
              affinity:
                nodeAffinity:
                  preferredDuringSchedulingIgnoredDuringExecution:
                    - weight: 1
                      preference:
                        matchExpressions:
                          - key: topology.kubernetes.io/region
                            operator: In
                            values:
                              - cn-hk
            config:
              config.yaml.local: |
                db_config:
                  type: postgresql
                  host: cnpg17-cluster-hk-rw.infra-data
                  port: 5432
                  db_name: crowdsec
                  user: app
                  password: ${DB_PASSWORD}
                  sslmode: require
                api:
                  server:
                    auto_registration:
                      enabled: true
                      token: "${REGISTRATION_TOKEN}"
                      allowed_ranges:
                        - "127.0.0.1/32"
                        - "192.168.0.0/16"
                        - "172.16.0.0/12"
                        - "10.0.0.0/8"
            agent:
              affinity:
                podAffinity:
                  preferredDuringSchedulingIgnoredDuringExecution:
                    - weight: 100
                      podAffinityTerm:
                        labelSelector:
                          matchLabels:
                            app.kubernetes.io/name: loki
                        topologyKey: kubernetes.io/hostname
                        namespaceSelector: {}
            appsec:
              affinity:
                nodeAffinity:
                  preferredDuringSchedulingIgnoredDuringExecution:
                    - weight: 1
                      preference:
                        matchExpressions:
                          - key: topology.kubernetes.io/region
                            operator: In
                            values:
                              - cn-hk
    # tailscale-derp-hk: pinned to the single node whose hostname label is
    # "tchk"; the release cannot be scheduled anywhere else.
    - target:
        kind: HelmRelease
        name: tailscale-derp-hk
      patch: |
        apiVersion: helm.toolkit.fluxcd.io/v2
        kind: HelmRelease
        metadata:
          name: tailscale-derp-hk
        spec:
          values:
            nodeSelector:
              kubernetes.io/hostname: tchk