feat: add example to deploy opencenter

examples/README.md

@@ -0,0 +1,70 @@
+# OpenCenter Examples
+
+This directory provides a reference flow to stand up:
+
+1. Cluster infrastructure (`examples/iac/dev-cluster`)
+2. Core service content using Flux (`examples/applications/overlays/dev-cluster`)
+
+It is intended as a **starter template**. Copy and adapt for your own environment.
+
+## Directory Layout
+
+- `iac/dev-cluster/`
+  - Terraform configuration for OpenStack infrastructure and cluster bootstrap modules.
+- `applications/overlays/dev-cluster/`
+  - Example Flux/Kustomize service deployment content (cert-manager, gateway-api, headlamp, metallb, etc.).
+
+## Prerequisites
+
+- OpenStack credentials and project access
+- Terraform
+- `kubectl`
+- Flux CLI (for bootstrap/ops)
+- Access to a Git repo for your cluster config
+
+Note: `examples/iac/dev-cluster/Makefile` contains helper targets to install common tooling versions.
+
+## 1) Deploy Infrastructure
+
+Use the Terraform example in `examples/iac/dev-cluster` as a reference template for cluster infrastructure creation.
+
+Typical flow:
+
+```bash
+terraform init
+terraform plan
+terraform apply
+```
+
+Before applying, replace placeholders in `provider.tf` and `main.tf` for your environment.
+
+## 2) Deploy Service Content (Flux/Kustomize)
+
+Use `examples/applications/overlays/dev-cluster` as a template for your cluster repo.
+
+Recommended flow:
+
+1. Copy `examples/applications/overlays/dev-cluster` into your cluster Git repo.
+2. Bootstrap Flux in your cluster (if not already bootstrapped).
+3. Point Flux `Kustomization` to your copied overlay path.
+
+## Important Before Applying
+
+Validate and adjust these in the example manifests:
+
+1. Source paths currently use `./applications/overlays/dev/...` in some Flux files; if you keep `dev-cluster`, update paths accordingly.
+2. GitRepository URLs/branches under `services/sources/` should match your repo strategy.
+3. Domain names, hostnames, and IP ranges in service overrides must be environment-specific.
+4. Encrypted secrets (if added) require your SOPS/Age setup.
+
+## Suggested Validation
+
+Run local checks before committing:
+
+```bash
+kustomize build examples/applications/overlays/dev-cluster/services/sources
+kustomize build examples/applications/overlays/dev-cluster/services/fluxcd
+kustomize build examples/applications/overlays/dev-cluster
+```
+
+Then let Flux reconcile from your cluster repo path.

examples/applications/overlays/dev-cluster/kustomization.yaml

@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./flux-system
+  - ./services/fluxcd

examples/applications/overlays/dev-cluster/services/calico/helm-values/override_values.yaml

@@ -0,0 +1,19 @@
+---
+installation:
+  enabled: true
+  kubernetesProvider: ""
+  calicoNetwork:
+    windowsDataplane: "Disabled"
+    nodeAddressAutodetectionV4:
+      interface: "enp3s0"
+    ipPools:
+      - cidr: "10.42.0.0/16"
+        encapsulation: "VXLAN"
+        natOutgoing: Enabled
+  serviceCIDRs:
+    - "10.43.0.0/16"
+
+# Optionally configure the host and port used to access the Kubernetes API server.
+kubernetesServiceEndpoint:
+  host: "10.2.188.10"
+  port: "443"

examples/applications/overlays/dev-cluster/services/cert-manager/kustomization.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: cert-manager
+resources:
+  - "./rackspace-selfsigned-issuer.yaml"
+  - "./rackspace-selfsigned-ca.yaml"
+  - "./rackspace-ca-issuer.yaml"

examples/applications/overlays/dev-cluster/services/cert-manager/rackspace-ca-issuer.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: rackspace-ca
+spec:
+  ca:
+    secretName: rackspace-root-secret

examples/applications/overlays/dev-cluster/services/cert-manager/rackspace-selfsigned-ca.yaml

@@ -0,0 +1,18 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: rackspace-selfsigned-ca
+spec:
+  isCA: true
+  commonName: rmpk.dev
+  secretName: rackspace-root-secret
+  duration: 87600h0m0s
+  renewBefore: 360h0m0s
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: rackspace-selfsigned-issuer
+    kind: Issuer
+    group: cert-manager.io

examples/applications/overlays/dev-cluster/services/cert-manager/rackspace-selfsigned-issuer.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: rackspace-selfsigned-issuer
+spec:
+  selfSigned: {}

examples/applications/overlays/dev-cluster/services/fluxcd/cert-manager.yaml

@@ -0,0 +1,31 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: cert-manager-base
+  namespace: flux-system
+spec:
+  dependsOn:
+    - name: sources
+      namespace: flux-system
+  interval: 15m
+  retryInterval: 1m
+  timeout: 10m
+  sourceRef:
+    kind: GitRepository
+    name: opencenter-cert-manager
+    namespace: flux-system
+  path: applications/base/services/cert-manager
+  targetNamespace: cert-manager
+  prune: true
+  wait: true
+  healthChecks:
+    - apiVersion: helm.toolkit.fluxcd.io/v2
+      kind: HelmRelease
+      name: cert-manager
+      namespace: cert-manager
+  commonMetadata:
+    labels:
+      app.kubernetes.io/part-of: cert-manager
+      app.kubernetes.io/managed-by: flux
+      opencenter/managed-by: opencenter

examples/applications/overlays/dev-cluster/services/fluxcd/gateway-api.yaml

@@ -0,0 +1,48 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: envoy-gateway-api-base
+  namespace: flux-system
+spec:
+  dependsOn:
+    - name: sources
+      namespace: flux-system
+  interval: 15m
+  retryInterval: 1m
+  timeout: 10m
+  sourceRef:
+    kind: GitRepository
+    name: opencenter-gateway-api
+    namespace: flux-system
+  path: applications/base/services/gateway-api
+  targetNamespace: envoy-gateway-system
+  prune: true
+  wait: true
+  healthChecks:
+    - apiVersion: helm.toolkit.fluxcd.io/v2
+      kind: HelmRelease
+      name: envoy-gateway-api
+      namespace: envoy-gateway-system
+  commonMetadata:
+    labels:
+      app.kubernetes.io/part-of: envoy-gateway
+      app.kubernetes.io/managed-by: flux
+      opencenter/managed-by: opencenter
+  patches:
+    - target:
+        kind: Namespace
+        name: envoy-gateway-system
+      patch: |
+        apiVersion: v1
+        kind: Namespace
+        metadata:
+          name: envoy-gateway-system
+          labels:
+            istio-injection: enabled
+            pod-security.kubernetes.io/enforce: privileged
+            pod-security.kubernetes.io/enforce-version: latest
+            pod-security.kubernetes.io/warn: baseline
+            pod-security.kubernetes.io/warn-version: latest
+            pod-security.kubernetes.io/audit: baseline
+            pod-security.kubernetes.io/audit-version: latest

examples/applications/overlays/dev-cluster/services/fluxcd/headlamp.yaml

@@ -0,0 +1,30 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: headlamp-base
+  namespace: flux-system
+spec:
+  dependsOn:
+    - name: sources
+      namespace: flux-system
+  interval: 15m
+  retryInterval: 1m
+  timeout: 5m
+  sourceRef:
+    kind: GitRepository
+    name: opencenter-headlamp
+    namespace: flux-system
+  path: applications/base/services/headlamp
+  targetNamespace: headlamp
+  prune: true
+  healthChecks:
+    - apiVersion: helm.toolkit.fluxcd.io/v2
+      kind: HelmRelease
+      name: headlamp
+      namespace: headlamp
+  commonMetadata:
+    labels:
+      app.kubernetes.io/part-of: headlamp
+      app.kubernetes.io/managed-by: flux
+      opencenter/managed-by: opencenter

examples/applications/overlays/dev-cluster/services/fluxcd/kustomization.yaml

@@ -0,0 +1,9 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./sources.yaml
+  - ./gateway-api.yaml
+  - ./headlamp.yaml
+  - ./cert-manager.yaml
+  - ./metallb.yaml

examples/applications/overlays/dev-cluster/services/fluxcd/metallb.yaml

@@ -0,0 +1,57 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: metallb-base
+  namespace: flux-system
+spec:
+  dependsOn:
+    - name: sources
+      namespace: flux-system
+  interval: 15m
+  retryInterval: 1m
+  timeout: 10m
+  sourceRef:
+    kind: GitRepository
+    name: opencenter-metallb
+    namespace: flux-system
+  path: applications/base/services/metallb
+  targetNamespace: metallb-system
+  prune: true
+  wait: true
+  healthChecks:
+    - apiVersion: helm.toolkit.fluxcd.io/v2
+      kind: HelmRelease
+      name: metallb
+      namespace: metallb-system
+  commonMetadata:
+    labels:
+      app.kubernetes.io/part-of: metallb
+      app.kubernetes.io/managed-by: flux
+      opencenter/managed-by: opencenter
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: metallb-override
+  namespace: flux-system
+spec:
+  dependsOn:
+    - name: sources
+      namespace: flux-system
+  interval: 15m
+  retryInterval: 1m
+  timeout: 10m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+    namespace: flux-system
+  path: ./applications/overlays/dev/services/metallb
+  targetNamespace: metallb-system
+  prune: true
+  wait: true
+  commonMetadata:
+    labels:
+      app.kubernetes.io/part-of: metallb
+      app.kubernetes.io/managed-by: flux
+      opencenter/managed-by: opencenter

examples/applications/overlays/dev-cluster/services/fluxcd/sources.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: sources
+  namespace: flux-system
+spec:
+  interval: 15m
+  path: ./applications/overlays/dev/services/sources
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+    namespace: flux-system
+  wait: true

examples/applications/overlays/dev-cluster/services/metallb/helm-values/override-values.yaml

@@ -0,0 +1,2 @@
+---
+...

examples/applications/overlays/dev-cluster/services/metallb/ipaddresspool.yaml

@@ -0,0 +1,9 @@
+---
+apiVersion: metallb.io/v1beta1
+kind: IPAddressPool
+metadata:
+    name: default-pool
+    namespace: metallb-system
+spec:
+    addresses:
+        - <IP_ADDRESS_RANGE>

examples/applications/overlays/dev-cluster/services/metallb/kustomization.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: metallb-system
+resources:
+  - "./ipaddresspool.yaml"
+  - "./l2advertisement.yaml"
+secretGenerator:
+  - name: metallb-values-override
+    type: Opaque
+    files: [override.yaml=helm-values/override-values.yaml]
+    options:
+      disableNameSuffixHash: true

examples/applications/overlays/dev-cluster/services/metallb/l2advertisement.yaml

@@ -0,0 +1,9 @@
+---
+apiVersion: metallb.io/v1beta1
+kind: L2Advertisement
+metadata:
+    name: default
+    namespace: metallb-system
+spec:
+    ipAddressPools:
+        - default-pool

examples/applications/overlays/dev-cluster/services/sources/kustomization.yaml

@@ -0,0 +1,9 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: flux-system
+resources:
+  - ./opencenter-gateway-api.yaml
+  - ./opencenter-cert-manager.yaml
+  - ./opencenter-headlamp.yaml
+  - ./opencenter-metallb.yaml

examples/applications/overlays/dev-cluster/services/sources/opencenter-cert-manager.yaml

@@ -0,0 +1,11 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: GitRepository
+metadata:
+  name: opencenter-cert-manager
+  namespace: flux-system
+spec:
+  interval: 10m
+  url: https://github.com/rackerlabs/openCenter-gitops-base.git
+  ref:
+    branch: main