= WrenIX's FluxCD-Repository

== Install FluxCD into a cluster

Here i install it with connection to codeberg:
  - the path is just for the cluster
  - the url a repo where fluxcd (in given path) install itself and monitor
  - i just install my needed components (i skip notification-controller, i prefer prometheus and alerting)

[source,bash]
----
flux bootstrap git --components source-controller,kustomize-controller,helm-controller --path=<path> --url ssh://git@codeberg.org/wrenix/<repo>.git
----

=== Secure with verify

Afterwards we need to setup a verification with GPG, so that nobody else could commit any workload in your cluster.
That is because i select an public git hosting (here codeberg), i trust them but maybe it get compromised one time.

in your repository the flux cli has created an `<path>/flux-system/kustomization.yaml`, we will edit them.

[source,patch]
----
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - gotk-components.yaml
  - gotk-sync.yaml

+patches:
+  - target:
+      kind: GitRepository
+      name: flux-system
+    patch: |-
+      apiVersion: source.toolkit.fluxcd.io/v1
+      kind: GitRepository
+      metadata:
+        name: flux-system
+      spec:
+        verify: <1>
+          mode: HEAD
+          secretRef:
+            name: gpg-publickey
+
+generatorOptions:
+  disableNameSuffixHash: true <2>
+
+secretGenerator:
+  - name: gpg-publickey <3>
+    namespace: flux-system
+    files:
+      - gpg-publickey/wrenix.gpg <4>
----
<1> add verify, that only HEAD git commit with valide gpg signature is used
<2> on the next generate, do not add hash
<3> generate kubernetes Secret with the name `gpg-publickey` which is used in the patched GitRepository, see <1>
<4> Add list of valide gpg key files