chore: update README

Signed-off-by: Michael Fornaro <20387402+xUnholy@users.noreply.github.com>

Author: xunholy

CLAUDE.md

@@ -12,29 +12,45 @@ This is a Kubernetes GitOps repository for a personal homelab cluster managed wi
 - **GitOps**: FluxCD with Flux Operator for declarative cluster management
 - **Container Runtime**: containerd
 - **Networking**: Cilium CNI with Istio service mesh
-- **Storage**: OpenEBS for container-attached storage
-- **Monitoring**: Prometheus, Grafana, Loki, Jaeger for observability
-- **Security**: Kyverno for policy management, Falco for runtime security
+- **Storage**: Rook-Ceph, OpenEBS, democratic-csi for container-attached storage
+- **Monitoring**: Prometheus, Grafana, Loki, Jaeger, Thanos for observability
+- **Security**: Kyverno, OPA Gatekeeper for policy management, Falco & Tetragon for runtime security
 - **Load Balancing**: MetalLB for bare metal load balancing
+- **Chaos Engineering**: Litmus for chaos testing
 
 ## Directory Structure
 
 ```
-├── kubernetes/              # Kubernetes manifests and configurations
-│   ├── apps/                # Application deployments (base + overlays)
-│   ├── bootstrap/           # Initial cluster bootstrap configuration
-│   ├── clusters/            # Per-cluster configurations
-│   ├── components/          # Shared components and alerts
-│   └── tenants/             # Multi-tenant configurations
-├── talos/                   # Talos Linux configuration files
-│   ├── generated/           # Generated Talos configs (encrypted)
-│   ├── integrations/        # Integration configurations
-│   └── patches/             # Talos configuration patches
-├── terraform/               # Infrastructure as Code
-│   ├── cloudflare/          # Cloudflare DNS/CDN configuration
-│   └── gcp/                 # Google Cloud Platform resources
-├── .taskfiles/              # Task automation definitions
-└── docs/                    # Documentation
+├── kubernetes/                       # Kubernetes manifests and configurations
+│   ├── apps/
+│   │   ├── base/                     # Base application configurations (DRY principle)
+│   │   │   └── [system-name]/        # e.g., observability, kube-system, home-system
+│   │   │       ├── [app-name]/
+│   │   │       │   ├── app/          # HelmRelease, OCIRepository, secrets, values
+│   │   │       │   └── ks.yaml       # Flux Kustomization with dependencies
+│   │   │       ├── namespace.yaml
+│   │   │       └── kustomization.yaml
+│   │   └── overlays/
+│   │       └── cluster-00/           # Cluster-specific overrides
+│   ├── bootstrap/
+│   │   └── helmfile.yaml             # Bootstrap Flux Operator and dependencies
+│   ├── clusters/
+│   │   └── cluster-00/
+│   │       ├── flux-system/          # Flux Operator and FluxInstance configs
+│   │       ├── secrets/              # Cluster secrets (SOPS encrypted)
+│   │       └── ks.yaml               # Root Kustomization
+│   ├── components/
+│   │   └── common/alerts/            # Shared monitoring alerts
+│   └── tenants/                      # Multi-tenant configurations
+├── talos/                            # Talos Linux configuration files
+│   ├── generated/                    # Generated Talos configs (encrypted)
+│   ├── integrations/                 # Cilium, cert-approver integrations
+│   └── patches/                      # iSCSI, metrics patches
+├── terraform/                        # Infrastructure as Code
+│   ├── cloudflare/                   # Cloudflare DNS/CDN configuration
+│   └── gcp/                          # GCP KMS, Thanos storage, Velero backups
+├── .taskfiles/                       # Task automation definitions
+└── docs/                             # Documentation
 ```
 
 ## Common Commands
@@ -43,17 +59,29 @@ This is a Kubernetes GitOps repository for a personal homelab cluster managed wi
 The repository uses [Task](https://taskfile.dev) for automation. All commands should be run via `task`:
 
 ```bash
-# Core FluxCD operations
-task flux:bootstrap          # Bootstrap FluxCD in the cluster
-task flux:secrets           # Install cluster secrets and configs
+# FluxCD Operations
+task flux:bootstrap          # Bootstrap Flux Operator via Helmfile
+task flux:secrets           # Install cluster secrets (SOPS decrypt + apply)
+task fluxcd:bootstrap       # Alternative bootstrap path
+task fluxcd:diff            # Preview FluxCD operator changes
 
-# Talos operations
-task talos:config           # Decrypt and load Talos config
+# Talos Operations
+task talos:config           # Decrypt and load talosconfig to ~/.talos/config
+
+# Core Operations
+task core:gpg               # Import SOPS PGP keys
+task core:lint              # Run yamllint
 
 # View available tasks
 task --list
 ```
 
+**Important Variables:**
+- `CLUSTER`: cluster-00 (default cluster ID)
+- `GITHUB_USER`: xunholy
+- `GITHUB_REPO`: k8s-gitops
+- `GITHUB_BRANCH`: main
+
 ### Pre-commit Hooks
 The repository uses pre-commit for code quality:
 ```bash
@@ -67,72 +95,200 @@ Active hooks include:
 - Trailing whitespace and EOF fixes
 
 ### Secret Management
-Secrets are encrypted using [SOPS](https://github.com/mozilla/sops):
+Secrets are encrypted using [SOPS](https://github.com/mozilla/sops) with dual encryption (PGP + GCP KMS):
 ```bash
-# Decrypt secrets (requires proper age key setup)
-sops -d path/to/encrypted.yaml
+# Edit encrypted files (automatically decrypts/encrypts)
+sops path/to/file.enc.yaml
 
-# Edit encrypted files
-sops path/to/encrypted.yaml
+# Decrypt for viewing only
+sops -d path/to/file.enc.yaml
 ```
 
+**SOPS Configuration:**
+- **PGP Key**: `0635B8D34037A9453003FB7B93CAA682FF4C9014`
+- **Age Key**: `age19gj66fq5v2veu940ftyj4pkw0w5tgxgddlyqnd00pnjzyndevurqx70g4t`
+- **GCP KMS**: Used for stored PGP keys
+- Encrypted files use `.enc.yaml` or `.enc.age.yaml` suffix
+
 ## Key Technologies & Patterns
 
 ### GitOps with FluxCD
-- **Flux Operator**: Manages FluxCD installation via FluxInstance CRDs
-- **Kustomizations**: Define how to apply Kubernetes manifests
-- **HelmReleases**: Manage Helm chart deployments
-- **GitRepository/OCIRepository**: Source definitions for manifests
+This repository uses **Flux Operator** instead of traditional `flux bootstrap`:
+- **FluxInstance CRDs**: Declaratively manage FluxCD components
+- **OCIRepository**: Used for Helm charts instead of HelmRepository (e.g., `oci://ghcr.io/prometheus-community/charts`)
+- **Kustomizations**: Define manifest application with SOPS decryption, post-build substitution, and dependency chains
+- **HelmReleases**: Reference charts via `chartRef` pointing to OCIRepository
+- **Root Kustomization**: Located at `kubernetes/clusters/cluster-00/ks.yaml`
+
+### Application Deployment Pattern
+Each application follows this structure:
+1. **Base configuration** in `kubernetes/apps/base/[system-name]/[app-name]/`:
+   - `app/helmrelease.yaml`: Helm release definition
+   - `app/ocirepository.yaml`: Chart source
+   - `app/secret.enc.yaml`: Encrypted secrets
+   - `app/values.yaml`: Helm values
+   - `ks.yaml`: Flux Kustomization with `dependsOn`, SOPS settings, substitutions
+
+2. **Cluster overlays** in `kubernetes/apps/overlays/cluster-00/`: Cluster-specific customizations using Kustomize patches
 
-### Cluster Configuration
-- **Bootstrap**: Initial cluster setup in `kubernetes/bootstrap/`
-- **Apps**: Application deployments with base configurations and cluster-specific overlays
-- **Components**: Shared components like monitoring alerts
-- **Tenants**: Multi-tenant namespace configurations
+3. **System categories**: Apps organized into logical systems:
+   - `kube-system`: Core Kubernetes (Cilium, metrics-server, reflector)
+   - `network-system`: Networking (cert-manager, external-dns, oauth2-proxy, dex)
+   - `observability`: Monitoring (Prometheus, Grafana, Loki, Jaeger, Thanos)
+   - `security-system`: Security (Kyverno, Falco, Gatekeeper, Crowdsec)
+   - `istio-system` & `istio-ingress`: Service mesh
+   - `home-system`: Home automation & media
+   - `rook-ceph`: Storage
+
+### HelmRelease Global Defaults
+All HelmReleases are patched with these defaults via Kustomization:
+```yaml
+install:
+  crds: CreateReplace
+  createNamespace: true
+  replace: true
+  strategy: RetryOnFailure
+  timeout: 10m
+rollback:
+  recreate: true
+  force: true
+  cleanupOnFail: true
+upgrade:
+  cleanupOnFail: true
+  crds: CreateReplace
+  remediation:
+    remediateLastFailure: true
+    retries: 3
+    strategy: rollback
+```
 
 ### Security Practices
-- All secrets encrypted with SOPS using age encryption
-- Kyverno policies enforce security standards
-- Falco provides runtime security monitoring
-- Talos Linux provides immutable, minimal attack surface
+- **Dual encryption**: SOPS with PGP (primary) + GCP KMS backup
+- **Never commit unencrypted secrets**: All secrets use `.enc.yaml` suffix
+- **Policy enforcement**: Kyverno & OPA Gatekeeper
+- **Runtime security**: Falco & Tetragon
+- **Pod security labels**: Applied to all namespaces
+- **Immutable OS**: Talos Linux minimal attack surface
 
 ## Development Workflow
 
-1. **Making Changes**:
-   - Edit YAML manifests in appropriate directories
-   - Ensure proper directory structure (base + overlays pattern)
-   - Follow existing naming conventions
+### Bootstrap New Cluster
+```bash
+# 1. Set environment variables (CLUSTER_ID defaults to cluster-00)
+# 2. Bootstrap Flux Operator
+task fluxcd:bootstrap  # Installs flux-operator, flux-instance, cert-manager, kustomize-mutating-webhook
+
+# 3. Install cluster secrets
+task flux:secrets      # Decrypts and applies sops-gpg, sops-age, cluster-secrets, github-auth, cluster-config
+
+# 4. Configure Talos
+task talos:config      # Decrypts talosconfig to ~/.talos/config
+```
+
+### Making Changes to Applications
+1. **Edit base configuration** in `kubernetes/apps/base/[system-name]/[app-name]/`
+2. **Use overlays** for cluster-specific customization in `kubernetes/apps/overlays/cluster-00/`
+3. **Follow naming conventions**:
+   - `ks.yaml`: Flux Kustomization resources
+   - `kustomization.yaml`: Kustomize configuration
+   - `*.enc.yaml`: SOPS encrypted files
+   - `helmrelease.yaml`: Helm release definitions
+   - `ocirepository.yaml`: OCI repository sources
+4. **Ensure secrets are encrypted** before committing (use `sops` command)
+5. **Run pre-commit hooks**: `pre-commit run --all-files`
+6. **FluxCD auto-reconciles** from main branch after push
+
+### Adding New Applications
+1. Create directory structure: `kubernetes/apps/base/[system-name]/[app-name]/`
+2. Add `app/` directory with:
+   - `helmrelease.yaml` (with `chartRef` to OCIRepository)
+   - `ocirepository.yaml` (chart source)
+   - `values.yaml` (Helm values)
+   - `secret.enc.yaml` (if needed, encrypted with SOPS)
+   - `kustomization.yaml`
+3. Create `ks.yaml` with:
+   - `dependsOn` for dependency chain
+   - `decryption` for SOPS secrets
+   - `postBuild.substituteFrom` for ConfigMap/Secret references
+4. Add to parent `kustomization.yaml`
+5. Create overlay if cluster-specific customization needed
 
-2. **Testing**:
-   - Use `task` commands to validate configurations
-   - Run pre-commit hooks before committing
-   - FluxCD will automatically reconcile changes after push
+## Important Patterns & Conventions
 
-3. **Secrets Management**:
-   - Never commit unencrypted secrets
-   - Use SOPS for any sensitive data
-   - Reference encrypted secrets in `.sops.yaml`
+### File Naming
+- `ks.yaml`: Flux Kustomization resources (defines how to apply manifests)
+- `kustomization.yaml`: Kustomize configuration (defines what resources to include)
+- `*.enc.yaml`: SOPS-encrypted with PGP
+- `*.enc.age.yaml`: SOPS-encrypted with Age
+- `helmfile.yaml`: Helmfile configurations (used in bootstrap)
+- `helmrelease.yaml`: Helm release definitions
+- `ocirepository.yaml`: OCI repository sources for Helm charts
+- `namespace.yaml`: Namespace definitions with pod security labels
 
-## File Patterns to Understand
+### Kustomization Labels
+- `substitution.flux/enabled=true`: Enables SOPS decryption and variable substitution
+- Patches applied globally to all Kustomizations for HelmRelease defaults
 
-- `kustomization.yaml`: Kustomize configuration files
-- `*.enc.yaml`: SOPS-encrypted files
-- `helmfile.yaml`: Helmfile configurations for chart management
-- `app/`: Directory containing application-specific configurations
-- `resources/`: Directory for Kubernetes resource definitions
+### Namespace Conventions
+Labels applied to namespaces:
+- `pod-security.kubernetes.io/enforce: privileged` (or `restricted`/`baseline`)
+- `goldilocks.fairwinds.com/enabled: "true"` (monitoring)
+- `kustomize.toolkit.fluxcd.io/prune: disabled` (on flux-system)
+
+### Dependency Management
+Flux Kustomizations use `dependsOn` to establish deployment order:
+```yaml
+dependsOn:
+  - name: cert-manager
+    namespace: flux-system
+```
 
 ## Important Notes
 
-- The cluster uses cluster ID "cluster-00" as the default
-- Talos config is stored encrypted in `talos/generated/`
-- FluxCD manages all application deployments automatically
-- Changes to `main` branch trigger automatic reconciliation
-- The repository follows enterprise GitOps patterns suitable for production use
+- **Cluster ID**: "cluster-00" is the default cluster identifier
+- **Branch**: `main` is the primary branch (auto-reconciled by FluxCD)
+- **Talos configs**: Stored encrypted in `talos/generated/`
+- **Bootstrap method**: Uses Flux Operator (not traditional `flux bootstrap`)
+- **Chart sources**: Uses OCIRepository instead of HelmRepository
+- **Yamllint config**: Line length warning at 240 characters, 2-space indentation
+- **Renovate automation**: Auto-merge enabled for digests, ignores encrypted files
+- **Multi-cluster ready**: Designed with overlay pattern for multiple clusters
+- **Enterprise patterns**: Production-grade GitOps implementation showcasing CNCF ecosystem
 
 ## External Dependencies
 
-- **Cloudflare**: DNS and CDN services
-- **Google Cloud Platform**: OAuth, backup storage
-- **GitHub**: Source control and authentication
-- **SOPS/age**: Secret encryption (requires age key setup)
+- **Cloudflare**: DNS management and CDN services
+- **Google Cloud Platform**:
+  - GCP KMS for SOPS encryption
+  - Google Cloud Storage for Thanos long-term metrics storage
+  - Google Cloud Storage for Velero backups
+  - OAuth for authentication
+- **GitHub**: Source control, authentication, and OCI registry for Helm charts
+- **SOPS/age**: Secret encryption (requires PGP and/or age key setup)
 - **Task**: Task runner (must be installed locally)
+- **Helmfile**: Used for bootstrap process
+- **Let's Encrypt**: Certificate generation for secure communication
+- **NextDNS**: Malware protection and ad-blocking
+- **UptimeRobot**: Service monitoring
+
+## Troubleshooting with Flux MCP
+
+This repository includes Cursor rules for troubleshooting Flux resources using the `flux-operator-mcp` tools. Key troubleshooting workflows:
+
+### Analyzing HelmReleases
+1. Check helm-controller status with `get_flux_instance`
+2. Get HelmRelease resource and analyze spec, status, inventory, events
+3. Check `valuesFrom` ConfigMaps and Secrets
+4. Verify source (OCIRepository) status
+5. Analyze managed resources from inventory
+6. Check logs if resources are failing
+
+### Analyzing Kustomizations
+1. Check kustomize-controller status with `get_flux_instance`
+2. Get Kustomization resource and analyze spec, status, inventory, events
+3. Check `substituteFrom` ConfigMaps and Secrets
+4. Verify source (GitRepository/OCIRepository) status
+5. Analyze managed resources from inventory
+
+### Comparing Resources Across Clusters
+Use `get_kubernetes_contexts` and `set_kubernetes_context` to switch between clusters, then compare resource specs and status.

README.md

@@ -52,13 +52,16 @@ This repository leverages a range of cutting-edge open-source tools and platform
 
 ## 🔧 Hardware
 
-| Device                                                                                 | Description              | Quantity | CPU     | RAM      | Architecture | Operating System                      | Notes |
-| -------------------------------------------------------------------------------------- | ------------------------ | -------- | ------- | -------- | ------------ | ------------------------------------- | ----- |
-| [Protectli FW6E](https://protectli.com/product/fw6e/)                                  | Router                   | 1        | 4 Cores | 16GB RAM | AMD64        | [VyOs](https://vyos.io/)              |       |
-| [Protectli VP2410](https://protectli.com/product/vp2410/)                             | Kubernetes Control Plane | 3        | 4 Cores | 8GB RAM  | AMD64        | [Talos Linux](https://www.talos.dev/) |       |
-| [Protectli FW2B](https://protectli.com/product/fw2b/)                                  | Kubernetes Node(s)       | 3        | 2 Cores | 8GB RAM  | AMD64        | [Talos Linux](https://www.talos.dev/) |       |
-| [Raspberry Pi 4 Model B](https://www.raspberrypi.org/products/raspberry-pi-4-model-b/) | Kubernetes Node(s)       | 4        | 4 Cores | 8GB RAM  | ARM64        | [Talos Linux](https://www.talos.dev/) | Decommisioned      |
-| [Rock Pi 4 Model C](https://rockpi.org/rockpi4#)                                       | Kubernetes Node(s)       | 6        | 4 Cores | 4GB RAM  | ARM64        | [Talos Linux](https://www.talos.dev/) |  Decommisioned   |
+| Device                                                                                 | Description        | Quantity | CPU      | RAM   | Storage                     | Architecture | Operating System                      | Notes          |
+| -------------------------------------------------------------------------------------- | ------------------ | -------- | -------- | ----- | --------------------------- | ------------ | ------------------------------------- | -------------- |
+| [Ubiquiti UDM-Pro-Max](https://ui.com/us/en/cloud-gateways/dream-machine-pro-max)     | Router/Gateway     | 1        | -  | -   | 8TB                           | -        | UniFi OS                              |                |
+| [Ubiquiti USW-Pro-Max-48-PoE](https://ui.com/switching/pro-max-48-poe)                | Network Switch     | 1        | -        | -     | -                           | -            | UniFi OS                              | 48-port PoE    |
+| [Asus NUC 14 Pro](https://www.asus.com/displays-desktops/nucs/nuc-mini-pcs/asus-nuc-14-pro/) | Kubernetes Cluster | 3        | 14 Cores | 48GN   | 1TB NVMe + 1TB SSD          | AMD64        | [Talos Linux](https://www.talos.dev/) | Ultra 5-125H   |
+| [Protectli FW6E](https://protectli.com/product/fw6e/)                                  | Router             | 1        | 4 Cores  | 16GB  | -                           | AMD64        | [VyOs](https://vyos.io/)              | Decommissioned |
+| [Protectli VP2410](https://protectli.com/product/vp2410/)                             | Kubernetes Node(s) | 3        | 4 Cores  | 8GB   | -                           | AMD64        | [Talos Linux](https://www.talos.dev/) | Decommissioned |
+| [Protectli FW2B](https://protectli.com/product/fw2b/)                                  | Kubernetes Node(s) | 3        | 2 Cores  | 8GB   | -                           | AMD64        | [Talos Linux](https://www.talos.dev/) | Decommissioned |
+| [Raspberry Pi 4 Model B](https://www.raspberrypi.org/products/raspberry-pi-4-model-b/) | Kubernetes Node(s) | 4        | 4 Cores  | 8GB   | -                           | ARM64        | [Talos Linux](https://www.talos.dev/) | Decommissioned |
+| [Rock Pi 4 Model C](https://rockpi.org/rockpi4#)                                       | Kubernetes Node(s) | 6        | 4 Cores  | 4GB   | -                           | ARM64        | [Talos Linux](https://www.talos.dev/) | Decommissioned |
 
 ## ☁️ Cloud Services