update

.github/workflows/main.yml

@@ -71,9 +71,23 @@ jobs:
     environment: release
     runs-on: ubuntu-latest
     steps:
-      - uses: release-drafter/release-drafter@v6
+      - id: create-release
+        uses: release-drafter/release-drafter@v6
         with:
           config-name: release-drafter-config.yml
           publish: true
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - uses: actions/checkout@v4
+
+      - name: Upload Release Asset
+        id: upload-release-asset 
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ steps.create-release.outputs.upload_url }}
+          asset_path: ./operator.yaml
+          asset_name: operator.yaml
+          asset_content_type: application/yaml

Makefile

@@ -1,15 +1,14 @@
-.PHONY: setup dev-recreate dev-create dev-destroy
-
-setup:
-	./scripts/setup-server.sh
+.PHONY: dev-recreate dev-destroy server-install
 
 dev-destroy:
 	colima delete -f
 
-dev-create:
-	colima start --network-address --kubernetes -m 8 --mount ${PWD}/data:/data:w --k3s-arg="--disable=helm-controller,local-storage"
+dev-recreate: dev-destroy
+	colima start --network-address --kubernetes -m 8 --k3s-arg="--disable=helm-controller,local-storage,traefik" # --mount ${PWD}/data:/data:w 
+	flux install --components="source-controller,helm-controller"
 
-dev-recreate: dev-destroy dev-create setup
+setup-flux:
+	flux install --components="source-controller,helm-controller"
 
 server-install:
 	curl -sfL https://get.k3s.io | sh -s - --disable traefik,local-storage,helm-controller

README.md

@@ -1,6 +0,0 @@
-## Bootstrap repo
-
-```
-brew install fluxcd/tap/flux
-make setup-server
-```

TODO.md

@@ -1 +0,0 @@
-- Fix issue with incompatible spec breaking the server

chart/templates/clusterrole.yaml

@@ -1,14 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: {{ include "homelab-operator.fullname" . }}
-rules:
-- apiGroups: [""]
-  resources: ["secrets"]
-  verbs: ["create", "get", "watch", "list"]
-- apiGroups: ["*"]
-  resources: ["*"]
-  verbs: ["get", "watch", "list", "patch"]
-- apiGroups: ["apiextensions.k8s.io"]
-  resources: ["customresourcedefinitions"]
-  verbs: ["get", "create", "replace"]

charts/operator/templates/_storageclass.yaml

@@ -0,0 +1,12 @@
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: {{ include "homelab-operator.fullname" . }}-local-path
+  labels:
+    {{- include "homelab-operator.labels" . | nindent 4 }}
+provisioner: reuse-local-path-provisioner
+parameters:
+  # Add any provisioner-specific parameters here
+reclaimPolicy: {{ .Values.storage.reclaimPolicy | default "Retain" }}
+allowVolumeExpansion: {{ .Values.storage.allowVolumeExpansion | default false }}
+volumeBindingMode: {{ .Values.storage.volumeBindingMode | default "WaitForFirstConsumer" }}

charts/operator/templates/clusterrole.yaml

@@ -0,0 +1,32 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "homelab-operator.fullname" . }}
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["create", "get", "watch", "list"]
+- apiGroups: [""]
+  resources: ["namespaces"]
+  verbs: ["get", "list", "watch", "create", "update", "patch"]
+- apiGroups: [""]
+  resources: ["persistentvolumes"]
+  verbs: ["get", "list", "watch", "create", "delete", "patch", "update"]
+- apiGroups: [""]
+  resources: ["persistentvolumeclaims"]
+  verbs: ["get", "list", "watch", "update", "patch"]
+- apiGroups: [""]
+  resources: ["persistentvolumeclaims/status"]
+  verbs: ["update", "patch"]
+- apiGroups: [""]
+  resources: ["events"]
+  verbs: ["create", "patch"]
+- apiGroups: ["storage.k8s.io"]
+  resources: ["storageclasses"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["*"]
+  resources: ["*"]
+  verbs: ["get", "watch", "list", "patch", "create", "update", "replace"]
+- apiGroups: ["apiextensions.k8s.io"]
+  resources: ["customresourcedefinitions"]
+  verbs: ["get", "create", "update", "replace", "patch"]

charts/operator/values.yaml

@@ -14,6 +14,9 @@ fullnameOverride: ''
 
 storage:
   path: /data/volumes
+  reclaimPolicy: Retain
+  allowVolumeExpansion: false
+  volumeBindingMode: WaitForFirstConsumer
 
 serviceAccount:
   # Specifies whether a service account should be created

docker-compose.dev.yaml

@@ -1,12 +0,0 @@
-name: homelab
-services:
-  postgres:
-    image: postgres:17
-    ports:
-      - 5432:5432
-    environment:
-      POSTGRES_USER: $POSTGRES_USER
-      POSTGRES_PASSWORD: $POSTGRES_PASSWORD
-      POSTGRES_DB: ${POSTGRES_DB:-postgres}
-    volumes:
-      - $PWD/.data/local/postgres:/var/lib/postgresql/data

docs/writing-custom-resources.md

@@ -1,901 +0,0 @@
-# Writing Custom Resources
-
-This guide explains how to create and implement custom resources in the
-homelab-operator.
-
-## Overview
-
-Custom resources in this operator follow a structured pattern that includes:
-
-- **Specification schemas** using Zod for runtime validation
-- **Resource implementations** that extend the base `CustomResource` class
-- **Manifest creation** helpers for generating Kubernetes resources
-- **Reconciliation logic** to manage the desired state
-
-## Project Structure
-
-Each custom resource should be organized in its own directory under
-`src/custom-resouces/` with the following structure:
-
-```
-src/custom-resouces/{resource-name}/
-├── {resource-name}.ts              # Main definition file
-├── {resource-name}.schemas.ts      # Zod validation schemas
-├── {resource-name}.resource.ts     # Resource implementation
-└── {resource-name}.create-manifests.ts # Manifest generation helpers
-```
-
-## Quick Start
-
-This section walks through creating a complete custom resource from scratch.
-We'll build a `MyResource` that manages a web application with a deployment and
-service.
-
-### 1. Define Your Resource
-
-The main definition file registers your custom resource with the operator
-framework. This file serves as the entry point that ties together your schemas,
-implementation, and Kubernetes CRD definition.
-
-Create the main definition file (`{resource-name}.ts`):
-
-```typescript
-import { createCustomResourceDefinition } from "../../services/custom-resources/custom-resources.ts";
-import { GROUP } from "../../utils/consts.ts";
-
-import { MyResourceResource } from "./my-resource.resource.ts";
-import { myResourceSpecSchema } from "./my-resource.schemas.ts";
-
-const myResourceDefinition = createCustomResourceDefinition({
-  group: GROUP, // Uses your operator's API group (homelab.mortenolsen.pro)
-  version: "v1", // API version for this resource
-  kind: "MyResource", // The Kubernetes kind name (PascalCase)
-  names: {
-    plural: "myresources", // Plural name for kubectl (lowercase)
-    singular: "myresource", // Singular name for kubectl (lowercase)
-  },
-  spec: myResourceSpecSchema, // Zod schema for validation
-  create: (options) => new MyResourceResource(options), // Factory function
-});
-
-export { myResourceDefinition };
-```
-
-**Key Points:**
-
-- The `group` should always use the `GROUP` constant to maintain consistency
-- `kind` should be descriptive and follow Kubernetes naming conventions
-  (PascalCase)
-- `names.plural` is used in kubectl commands (`kubectl get myresources`)
-- The `create` function instantiates your resource implementation when a CR is
-  detected
-
-### 2. Create Validation Schemas
-
-Schemas define the structure and validation rules for your custom resource's
-specification. Using Zod provides runtime type safety and automatic validation
-of user input.
-
-Define your spec schema (`{resource-name}.schemas.ts`):
-
-```typescript
-import { z } from "zod";
-
-const myResourceSpecSchema = z.object({
-  // Required fields - these must be provided by users
-  hostname: z.string(), // Base hostname for the application
-  port: z.number().min(1).max(65535), // Container port (validated range)
-
-  // Optional fields with defaults - provide sensible fallbacks
-  replicas: z.number().min(1).default(1), // Number of pod replicas
-
-  // Enums - restrict to specific values with defaults
-  protocol: z.enum(["http", "https"]).default("https"),
-
-  // Nested objects - for complex configuration
-  database: z.object({
-    host: z.string(), // Database hostname
-    port: z.number(), // Database port
-    name: z.string(), // Database name
-  }).optional(), // Entire database config is optional
-});
-
-// Additional schemas for secrets, status, etc.
-// Separate schemas help organize different data types
-const myResourceSecretSchema = z.object({
-  apiKey: z.string(), // API key for external services
-  password: z.string(), // Database or service password
-});
-
-export { myResourceSecretSchema, myResourceSpecSchema };
-```
-
-**Schema Design Best Practices:**
-
-- **Required vs Optional**: Make fields required only when absolutely necessary
-- **Defaults**: Provide sensible defaults to reduce user configuration burden
-- **Validation**: Use Zod's built-in validators (`.min()`, `.max()`, `.email()`,
-  etc.)
-- **Enums**: Restrict values to prevent invalid configurations
-- **Nested Objects**: Group related configuration together
-- **Separate Schemas**: Create different schemas for different purposes (spec,
-  secrets, status)
-
-### 3. Implement the Resource
-
-The resource implementation is the core of your custom resource. It contains the
-business logic for managing Kubernetes resources and maintains the desired
-state. This class extends `CustomResource` and implements the reconciliation
-logic.
-
-Create the resource implementation (`{resource-name}.resource.ts`):
-
-```typescript
-import type { KubernetesObject } from "@kubernetes/client-node";
-import deepEqual from "deep-equal";
-
-import {
-  CustomResource,
-  type CustomResourceOptions,
-  type SubresourceResult,
-} from "../../services/custom-resources/custom-resources.custom-resource.ts";
-import {
-  ResourceReference,
-  ResourceService,
-} from "../../services/resources/resources.ts";
-
-import type { myResourceSpecSchema } from "./my-resource.schemas.ts";
-import {
-  createDeploymentManifest,
-  createServiceManifest,
-} from "./my-resource.create-manifests.ts";
-
-class MyResourceResource extends CustomResource<typeof myResourceSpecSchema> {
-  #deploymentResource = new ResourceReference();
-  #serviceResource = new ResourceReference();
-
-  constructor(options: CustomResourceOptions<typeof myResourceSpecSchema>) {
-    super(options);
-    const resourceService = this.services.get(ResourceService);
-
-    // Initialize resource references
-    this.#deploymentResource.current = resourceService.get({
-      apiVersion: "apps/v1",
-      kind: "Deployment",
-      name: this.name,
-      namespace: this.namespace,
-    });
-
-    this.#serviceResource.current = resourceService.get({
-      apiVersion: "v1",
-      kind: "Service",
-      name: this.name,
-      namespace: this.namespace,
-    });
-
-    // Set up event handlers for reconciliation
-    this.#deploymentResource.on("changed", this.queueReconcile);
-    this.#serviceResource.on("changed", this.queueReconcile);
-  }
-
-  #reconcileDeployment = async (): Promise<SubresourceResult> => {
-    const manifest = createDeploymentManifest({
-      name: this.name,
-      namespace: this.namespace,
-      ref: this.ref,
-      spec: this.spec,
-    });
-
-    if (!this.#deploymentResource.current?.exists) {
-      await this.#deploymentResource.current?.patch(manifest);
-      return {
-        ready: false,
-        syncing: true,
-        reason: "Creating",
-        message: "Creating deployment",
-      };
-    }
-
-    if (!deepEqual(this.#deploymentResource.current.spec, manifest.spec)) {
-      await this.#deploymentResource.current.patch(manifest);
-      return {
-        ready: false,
-        syncing: true,
-        reason: "Updating",
-        message: "Deployment needs updates",
-      };
-    }
-
-    // Check if deployment is ready
-    const deployment = this.#deploymentResource.current;
-    const isReady =
-      deployment.status?.readyReplicas === deployment.status?.replicas;
-
-    return {
-      ready: isReady,
-      reason: isReady ? "Ready" : "Pending",
-      message: isReady ? "Deployment is ready" : "Waiting for pods to be ready",
-    };
-  };
-
-  #reconcileService = async (): Promise<SubresourceResult> => {
-    const manifest = createServiceManifest({
-      name: this.name,
-      namespace: this.namespace,
-      ref: this.ref,
-      spec: this.spec,
-    });
-
-    if (!deepEqual(this.#serviceResource.current?.spec, manifest.spec)) {
-      await this.#serviceResource.current?.patch(manifest);
-      return {
-        ready: false,
-        syncing: true,
-        reason: "Updating",
-        message: "Service needs updates",
-      };
-    }
-
-    return { ready: true };
-  };
-
-  public reconcile = async () => {
-    if (!this.exists || this.metadata.deletionTimestamp) {
-      return;
-    }
-
-    // Reconcile subresources
-    await this.reconcileSubresource("Deployment", this.#reconcileDeployment);
-    await this.reconcileSubresource("Service", this.#reconcileService);
-
-    // Update overall ready condition
-    const deploymentReady =
-      this.conditions.get("Deployment")?.status === "True";
-    const serviceReady = this.conditions.get("Service")?.status === "True";
-
-    await this.conditions.set("Ready", {
-      status: deploymentReady && serviceReady ? "True" : "False",
-      reason: deploymentReady && serviceReady ? "Ready" : "Pending",
-      message: deploymentReady && serviceReady
-        ? "All resources are ready"
-        : "Waiting for resources to be ready",
-    });
-  };
-}
-
-export { MyResourceResource };
-```
-
-**Resource Implementation Breakdown:**
-
-**Constructor Setup:**
-
-- **Resource References**: Create `ResourceReference` objects to track managed
-  Kubernetes resources
-- **Service Access**: Use dependency injection to access operator services
-  (`ResourceService`)
-- **Event Handlers**: Listen for changes in managed resources to trigger
-  reconciliation
-- **Resource Registration**: Register references for Deployment and Service that
-  will be managed
-
-**Reconciliation Methods:**
-
-- **`#reconcileDeployment`**: Manages the application's Deployment resource
-  - Creates manifests using helper functions
-  - Checks if resource exists and creates/updates as needed
-  - Uses `deepEqual` to avoid unnecessary updates
-  - Returns status indicating readiness state
-- **`#reconcileService`**: Manages the Service resource for network access
-  - Similar pattern to deployment but typically simpler
-  - Services are usually ready immediately after creation
-
-**Main Reconcile Loop:**
-
-- **Deletion Check**: Early return if resource is being deleted
-- **Subresource Management**: Calls individual reconciliation methods
-- **Condition Updates**: Aggregates status from all subresources
-- **Status Reporting**: Updates the overall "Ready" condition
-
-**Key Design Patterns:**
-
-- **Private Methods**: Use `#` for private reconciliation methods
-- **Async/Await**: All reconciliation is asynchronous
-- **Resource References**: Track external resources with type safety
-- **Condition Management**: Provide clear status through Kubernetes conditions
-- **Event-Driven**: React to changes in managed resources automatically
-
-### 4. Create Manifest Helpers
-
-Manifest helpers are pure functions that generate Kubernetes resource
-definitions. They transform your custom resource's specification into standard
-Kubernetes objects. This separation keeps your reconciliation logic clean and
-makes manifests easy to test and modify.
-
-Define manifest creation functions (`{resource-name}.create-manifests.ts`):
-
-```typescript
-type CreateDeploymentManifestOptions = {
-  name: string;
-  namespace: string;
-  ref: any; // Owner reference
-  spec: {
-    hostname: string;
-    port: number;
-    replicas: number;
-  };
-};
-
-const createDeploymentManifest = (
-  options: CreateDeploymentManifestOptions,
-) => ({
-  apiVersion: "apps/v1",
-  kind: "Deployment",
-  metadata: {
-    name: options.name,
-    namespace: options.namespace,
-    ownerReferences: [options.ref],
-  },
-  spec: {
-    replicas: options.spec.replicas,
-    selector: {
-      matchLabels: {
-        app: options.name,
-      },
-    },
-    template: {
-      metadata: {
-        labels: {
-          app: options.name,
-        },
-      },
-      spec: {
-        containers: [
-          {
-            name: options.name,
-            image: "nginx:latest",
-            ports: [
-              {
-                containerPort: options.spec.port,
-              },
-            ],
-            env: [
-              {
-                name: "HOSTNAME",
-                value: options.spec.hostname,
-              },
-            ],
-          },
-        ],
-      },
-    },
-  },
-});
-
-type CreateServiceManifestOptions = {
-  name: string;
-  namespace: string;
-  ref: any;
-  spec: {
-    port: number;
-  };
-};
-
-const createServiceManifest = (options: CreateServiceManifestOptions) => ({
-  apiVersion: "v1",
-  kind: "Service",
-  metadata: {
-    name: options.name,
-    namespace: options.namespace,
-    ownerReferences: [options.ref],
-  },
-  spec: {
-    selector: {
-      app: options.name,
-    },
-    ports: [
-      {
-        port: 80,
-        targetPort: options.spec.port,
-      },
-    ],
-  },
-});
-
-export { createDeploymentManifest, createServiceManifest };
-```
-
-**Manifest Helper Patterns:**
-
-**Type Definitions:**
-
-- **Options Types**: Define clear interfaces for function parameters
-- **Structured Input**: Group related parameters in nested objects
-- **Type Safety**: Leverage TypeScript to catch configuration errors at compile
-  time
-
-**Deployment Manifest:**
-
-- **Owner References**: Ensures garbage collection when parent resource is
-  deleted
-- **Labels & Selectors**: Consistent labeling for pod selection and organization
-- **Container Configuration**: Maps custom resource spec to container settings
-- **Environment Variables**: Passes configuration from spec to running
-  containers
-- **Port Configuration**: Exposes application ports based on spec
-
-**Service Manifest:**
-
-- **Service Discovery**: Creates stable network endpoint for the deployment
-- **Port Mapping**: Routes external traffic to container ports
-- **Selector Matching**: Uses same labels as deployment for proper routing
-- **Owner References**: Links service lifecycle to custom resource
-
-**Best Practices for Manifest Helpers:**
-
-- **Pure Functions**: No side effects, same input always produces same output
-- **Immutable Objects**: Return new objects rather than modifying inputs
-- **Validation**: Let TypeScript catch type mismatches
-- **Consistent Naming**: Use predictable patterns for resource names
-- **Owner References**: Always set for proper cleanup
-- **Documentation**: Comment non-obvious configuration choices
-
-### 5. Register Your Resource
-
-Add your resource to `src/custom-resouces/custom-resources.ts`:
-
-```typescript
-import { myResourceDefinition } from "./my-resource/my-resource.ts";
-
-const customResources = [
-  // ... existing resources
-  myResourceDefinition,
-];
-```
-
-## Core Concepts
-
-These fundamental patterns are used throughout the operator framework.
-Understanding them is essential for building robust custom resources.
-
-### Resource References
-
-`ResourceReference` objects provide a strongly-typed way to track and manage
-Kubernetes resources that your custom resource creates or depends on. They
-automatically handle resource watching, caching, and change notifications.
-
-Use `ResourceReference` to manage related Kubernetes resources:
-
-```typescript
-import {
-  ResourceReference,
-  ResourceService,
-} from "../../services/resources/resources.ts";
-
-class MyResource extends CustomResource<typeof myResourceSpecSchema> {
-  #deploymentResource = new ResourceReference();
-
-  constructor(options: CustomResourceOptions<typeof myResourceSpecSchema>) {
-    super(options);
-    const resourceService = this.services.get(ResourceService);
-
-    this.#deploymentResource.current = resourceService.get({
-      apiVersion: "apps/v1",
-      kind: "Deployment",
-      name: this.name,
-      namespace: this.namespace,
-    });
-
-    // Listen for changes
-    this.#deploymentResource.on("changed", this.queueReconcile);
-  }
-}
-```
-
-**Why Resource References Matter:**
-
-- **Automatic Watching**: Changes to referenced resources trigger reconciliation
-- **Type Safety**: Get compile-time checking for resource properties
-- **Lifecycle Management**: Easily check if resources exist and their current
-  state
-- **Event Handling**: React to external changes without polling
-- **Caching**: Avoid repeated API calls for the same resource data
-
-### Conditions
-
-Kubernetes conditions provide a standardized way to communicate resource status.
-They follow the Kubernetes convention of expressing current state, reasons for
-that state, and human-readable messages. Conditions are crucial for operators
-and users to understand what's happening with resources.
-
-Use conditions to track the status of your resource:
-
-```typescript
-// Set a condition
-await this.conditions.set("Ready", {
-  status: "True",
-  reason: "AllResourcesReady",
-  message: "All subresources are ready",
-});
-
-// Get a condition
-const isReady = this.conditions.get("Ready")?.status === "True";
-```
-
-**Condition Best Practices:**
-
-- **Standard Names**: Use common condition types like "Ready", "Available",
-  "Progressing"
-- **Clear Status**: Use "True", "False", or "Unknown" following Kubernetes
-  conventions
-- **Descriptive Reasons**: Provide specific reason codes for troubleshooting
-- **Helpful Messages**: Include actionable information for users
-- **Consistent Updates**: Always update conditions during reconciliation
-
-### Subresource Reconciliation
-
-The `reconcileSubresource` method provides a standardized way to manage
-individual components of your custom resource. It automatically handles
-condition updates, error management, and status aggregation. This pattern keeps
-your main reconciliation loop clean and ensures consistent error handling.
-
-Use `reconcileSubresource` to manage individual components:
-
-```typescript
-public reconcile = async () => {
-  // This automatically manages conditions and error handling
-  await this.reconcileSubresource("Deployment", this.#reconcileDeployment);
-  await this.reconcileSubresource("Service", this.#reconcileService);
-};
-```
-
-**Subresource Reconciliation Benefits:**
-
-- **Automatic Condition Management**: Sets conditions based on reconciliation
-  results
-- **Error Isolation**: Failures in one subresource don't stop others
-- **Status Aggregation**: Combines individual component status into overall
-  status
-- **Consistent Patterns**: Same error handling and retry logic across all
-  components
-- **Observability**: Clear visibility into which components are having issues
-
-### Deep Equality Checks
-
-Deep equality checks prevent unnecessary API calls and resource churn.
-Kubernetes resources should only be updated when their desired state actually
-differs from their current state. This improves performance and reduces cluster
-load.
-
-Use `deepEqual` to avoid unnecessary updates:
-
-```typescript
-import deepEqual from "deep-equal";
-
-if (!deepEqual(currentResource.spec, desiredManifest.spec)) {
-  await currentResource.patch(desiredManifest);
-}
-```
-
-**Deep Equality Benefits:**
-
-- **Performance**: Avoids unnecessary API calls to Kubernetes
-- **Reduced Churn**: Prevents resource version conflicts and unnecessary events
-- **Stability**: Reduces reconciliation loops and system noise
-- **Efficiency**: Lets you focus compute on actual changes
-- **Observability**: Cleaner audit logs with only meaningful changes
-
-**When to Use Deep Equality:**
-
-- **Spec Comparisons**: Before updating any Kubernetes resource
-- **Status Updates**: Only update status when values actually change
-- **Metadata Updates**: Check labels and annotations before patching
-- **Complex Objects**: Especially useful for nested configuration objects
-
-## Advanced Patterns
-
-These patterns handle more complex scenarios like secret management, resource
-dependencies, and sophisticated error handling. Use these when building
-production-ready operators that need to handle real-world complexity.
-
-### Working with Secrets
-
-Many resources need to manage secrets. Here's a pattern for secret management:
-
-```typescript
-import { SecretService } from "../../services/secrets/secrets.ts";
-
-class MyResource extends CustomResource<typeof myResourceSpecSchema> {
-  constructor(options: CustomResourceOptions<typeof myResourceSpecSchema>) {
-    super(options);
-    const secretService = this.services.get(SecretService);
-
-    // Get or create a secret
-    this.secretRef = secretService.get({
-      name: `${this.name}-secret`,
-      namespace: this.namespace,
-    });
-  }
-
-  #ensureSecret = async () => {
-    const secretData = {
-      apiKey: generateApiKey(),
-      password: generatePassword(),
-    };
-
-    if (!this.secretRef.current?.exists) {
-      await this.secretRef.current?.patch({
-        apiVersion: "v1",
-        kind: "Secret",
-        metadata: {
-          name: this.secretRef.current.name,
-          namespace: this.secretRef.current.namespace,
-          ownerReferences: [this.ref],
-        },
-        data: secretData,
-      });
-    }
-  };
-}
-```
-
-### Cross-Resource Dependencies
-
-When your resource depends on other custom resources:
-
-```typescript
-class MyResource extends CustomResource<typeof myResourceSpecSchema> {
-  #dependentResource = new ResourceReference();
-
-  constructor(options: CustomResourceOptions<typeof myResourceSpecSchema>) {
-    super(options);
-    const resourceService = this.services.get(ResourceService);
-
-    // Reference another custom resource
-    this.#dependentResource.current = resourceService.get({
-      apiVersion: "homelab.mortenolsen.pro/v1",
-      kind: "PostgresDatabase",
-      name: this.spec.database,
-      namespace: this.namespace,
-    });
-
-    this.#dependentResource.on("changed", this.queueReconcile);
-  }
-
-  #reconcileApp = async (): Promise<SubresourceResult> => {
-    // Check if dependency is ready
-    const dependency = this.#dependentResource.current;
-    if (!dependency?.exists) {
-      return {
-        ready: false,
-        failed: true,
-        reason: "MissingDependency",
-        message: `PostgresDatabase ${this.spec.database} not found`,
-      };
-    }
-
-    const dependencyReady = dependency.status?.conditions?.find(
-      (c) => c.type === "Ready" && c.status === "True",
-    );
-
-    if (!dependencyReady) {
-      return {
-        ready: false,
-        reason: "WaitingForDependency",
-        message:
-          `Waiting for PostgresDatabase ${this.spec.database} to be ready`,
-      };
-    }
-
-    // Continue with reconciliation...
-  };
-}
-```
-
-### Error Handling
-
-Proper error handling in reconciliation:
-
-```typescript
-#reconcileDeployment = async (): Promise<SubresourceResult> => {
-  try {
-    // Reconciliation logic...
-    return { ready: true };
-  } catch (error) {
-    return {
-      ready: false,
-      failed: true,
-      reason: 'ReconciliationError',
-      message: `Failed to reconcile deployment: ${error.message}`,
-    };
-  }
-};
-```
-
-## Example Usage
-
-Once your custom resource is implemented and registered, users can create
-instances using standard Kubernetes manifests. The operator will automatically
-detect new resources and begin reconciliation based on your implementation
-logic.
-
-```yaml
-apiVersion: homelab.mortenolsen.pro/v1
-kind: MyResource
-metadata:
-  name: my-app
-  namespace: default
-spec:
-  hostname: my-app.example.com
-  port: 8080
-  replicas: 3
-  protocol: https
-  database:
-    host: postgres.default.svc.cluster.local
-    port: 5432
-    name: myapp
-```
-
-**What happens when this resource is created:**
-
-1. **Validation**: The operator validates the spec against your Zod schema
-2. **Resource Creation**: Your `MyResourceResource` class is instantiated
-3. **Reconciliation**: The operator creates a Deployment with 3 replicas and a
-   Service
-4. **Status Updates**: Conditions are set to track deployment and service
-   readiness
-5. **Event Handling**: The operator watches for changes and re-reconciles as
-   needed
-
-Users can then monitor the resource status with:
-
-```bash
-kubectl get myresources my-app -o yaml
-kubectl describe myresource my-app
-```
-
-## Real Examples
-
-These examples show how the patterns described above are used in practice within
-the homelab-operator.
-
-### Simple Resource: Domain
-
-The `Domain` resource demonstrates a straightforward custom resource that
-manages external dependencies. It creates and manages TLS certificates through
-cert-manager and configures Istio gateways for HTTPS traffic routing.
-
-**What it does:**
-
-- Creates a cert-manager Certificate for TLS termination
-- Configures an Istio Gateway for traffic routing
-- Manages the lifecycle of both resources through owner references
-- Provides wildcard certificate support for subdomains
-
-```yaml
-apiVersion: homelab.mortenolsen.pro/v1
-kind: Domain
-metadata:
-  name: homelab
-  namespace: homelab
-spec:
-  hostname: local.olsen.cloud # Domain for certificate and gateway
-  issuer: letsencrypt-prod # cert-manager ClusterIssuer to use
-```
-
-**Key Implementation Features:**
-
-- **CRD Dependency Checking**: Validates that cert-manager and Istio CRDs exist
-- **Cross-Namespace Resources**: Certificate is created in the istio-ingress
-  namespace
-- **Status Aggregation**: Combines certificate and gateway readiness into
-  overall status
-- **Wildcard Support**: Automatically configures `*.hostname` for subdomains
-
-### Complex Resource: AuthentikServer
-
-The `AuthentikServer` resource showcases a complex custom resource with multiple
-dependencies and sophisticated reconciliation logic. It deploys a complete
-identity provider solution with database and Redis dependencies.
-
-**What it does:**
-
-- Deploys Authentik identity provider with proper configuration
-- Manages database schema and user creation
-- Configures Redis connection for session storage
-- Sets up domain integration for SSO endpoints
-- Handles secret generation and rotation
-
-```yaml
-apiVersion: homelab.mortenolsen.pro/v1
-kind: AuthentikServer
-metadata:
-  name: homelab
-  namespace: homelab
-spec:
-  domain: homelab # References a Domain resource
-  database: test2 # References a PostgresDatabase resource
-  redis: redis # References a Redis connection
-```
-
-**Key Implementation Features:**
-
-- **Resource Dependencies**: Waits for Domain, PostgresDatabase, and Redis
-  resources
-- **Secret Management**: Generates and manages API keys, passwords, and tokens
-- **Service Configuration**: Creates comprehensive Kubernetes manifests
-  (Deployment, Service, Ingress)
-- **Health Checking**: Monitors application readiness and database connectivity
-- **Cross-Resource Communication**: Uses other custom resources' status and
-  outputs
-
-### Database Resource: PostgresDatabase
-
-The `PostgresDatabase` resource illustrates how to manage stateful resources and
-external system integration. It creates databases within an existing PostgreSQL
-instance and manages user permissions.
-
-**What it does:**
-
-- Creates a new database in an existing PostgreSQL server
-- Generates dedicated database user with appropriate permissions
-- Manages connection secrets for applications
-- Handles database cleanup and user removal
-
-```yaml
-apiVersion: homelab.mortenolsen.pro/v1
-kind: PostgresDatabase
-metadata:
-  name: test2
-  namespace: homelab
-spec:
-  connection: homelab/db # References PostgreSQL connection (namespace/name)
-```
-
-**Key Implementation Features:**
-
-- **External System Integration**: Connects to existing PostgreSQL instances
-- **User Management**: Creates database-specific users with minimal required
-  permissions
-- **Secret Generation**: Provides connection details to consuming applications
-- **Cleanup Handling**: Safely removes databases and users when resource is
-  deleted
-- **Connection Validation**: Verifies connectivity before marking as ready
-
-**Common Patterns Across Examples:**
-
-- **Owner References**: All managed resources have proper ownership for garbage
-  collection
-- **Condition Management**: Consistent status reporting through Kubernetes
-  conditions
-- **Resource Dependencies**: Graceful handling of missing or unready
-  dependencies
-- **Secret Management**: Secure generation and storage of credentials
-- **Cross-Resource Integration**: Resources reference and depend on each other
-  appropriately
-
-## Best Practices
-
-1. **Validation**: Always use Zod schemas for comprehensive spec validation
-2. **Idempotency**: Use `deepEqual` checks to avoid unnecessary updates
-3. **Conditions**: Provide clear status information through conditions
-4. **Owner References**: Always set owner references for created resources
-5. **Error Handling**: Provide meaningful error messages and failure reasons
-6. **Dependencies**: Handle missing dependencies gracefully
-7. **Cleanup**: Leverage Kubernetes garbage collection through owner references
-8. **Testing**: Create test manifests in `test-manifests/` for your resources
-
-## Troubleshooting
-
-- **Resource not reconciling**: Check if the resource is properly registered in
-  `custom-resources.ts`
-- **Validation errors**: Ensure your Zod schema matches the expected spec
-  structure
-- **Missing dependencies**: Verify that referenced resources exist and are ready
-- **Owner reference issues**: Make sure `ownerReferences` are set correctly for
-  garbage collection
-- **Condition not updating**: Ensure you're calling `this.conditions.set()` with
-  proper status values
-
-For more examples, refer to the existing custom resources in
-`src/custom-resouces/`.

manifests/environment.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: dev
+---
+apiVersion: homelab.mortenolsen.pro/v1
+kind: Environment
+metadata:
+  name: dev
+  namespace: dev
+spec:
+  domain: one.dev.olsen.cloud
+  tls:
+    issuer: letsencrypt-prod

manifests/example-pvc.yaml

@@ -0,0 +1,39 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: example-pvc
+  namespace: default
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: homelab-operator-local-path
+
+---
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: example-pod
+  namespace: default
+spec:
+  containers:
+    - name: example-container
+      image: alpine
+      command: ["/bin/sh", "-c", "sleep infinity"]
+      volumeMounts:
+        - name: example-volume
+          mountPath: /data
+      resources:
+        limits:
+          memory: 100Mi
+          cpu: "0.1"
+        requests:
+          memory: 50Mi
+          cpu: "0.05"
+  volumes:
+    - name: example-volume
+      persistentVolumeClaim:
+        claimName: example-pvc

operator.yaml

@@ -0,0 +1,35 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: homelab
+
+---
+
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: GitRepository
+metadata:
+  name: homelab
+  namespace: homelab
+spec:
+  interval: 60m
+  url: https://github.com/morten-olsen/homelab-operator
+  ref:
+    branch: main
+
+---
+
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: operator
+  namespace: homelab
+spec:
+  releaseName: operator
+  interval: 60m
+  chart:
+    spec:
+      chart: charts/operator
+      sourceRef:
+        kind: GitRepository
+        name: homelab
+        namespace: homelab

src/bootstrap/bootstrap.ts

@@ -0,0 +1,38 @@
+import type { Services } from '../utils/service.ts';
+
+import { NamespaceService } from './namespaces/namespaces.ts';
+import { ReleaseService } from './releases/releases.ts';
+import { RepoService } from './repos/repos.ts';
+import { ClusterIssuerService } from './resources/issuer.ts';
+
+class BootstrapService {
+  #services: Services;
+
+  constructor(services: Services) {
+    this.#services = services;
+  }
+  public get namespaces() {
+    return this.#services.get(NamespaceService);
+  }
+
+  public get repos() {
+    return this.#services.get(RepoService);
+  }
+
+  public get releases() {
+    return this.#services.get(ReleaseService);
+  }
+
+  public get clusterIssuer() {
+    return this.#services.get(ClusterIssuerService);
+  }
+
+  public ensure = async () => {
+    await this.namespaces.ensure();
+    await this.repos.ensure();
+    await this.releases.ensure();
+    await this.clusterIssuer.ensure();
+  };
+}
+
+export { BootstrapService };

src/bootstrap/namespaces/namespaces.ts

@@ -0,0 +1,64 @@
+import { NamespaceInstance } from '../../instances/namespace.ts';
+import type { Services } from '../../utils/service.ts';
+import { ResourceService } from '../../services/resources/resources.ts';
+
+class NamespaceService {
+  #homelab: NamespaceInstance;
+  #istioSystem: NamespaceInstance;
+  #certManager: NamespaceInstance;
+
+  constructor(services: Services) {
+    const resourceService = services.get(ResourceService);
+    this.#homelab = resourceService.getInstance(
+      {
+        apiVersion: 'v1',
+        kind: 'Namespace',
+        name: 'homelab',
+      },
+      NamespaceInstance,
+    );
+    this.#istioSystem = resourceService.getInstance(
+      {
+        apiVersion: 'v1',
+        kind: 'Namespace',
+        name: 'istio-system',
+      },
+      NamespaceInstance,
+    );
+    this.#certManager = resourceService.getInstance(
+      {
+        apiVersion: 'v1',
+        kind: 'Namespace',
+        name: 'cert-manager',
+      },
+      NamespaceInstance,
+    );
+    this.#homelab.on('changed', this.ensure);
+    this.#istioSystem.on('changed', this.ensure);
+    this.#certManager.on('changed', this.ensure);
+  }
+
+  public get homelab() {
+    return this.#homelab;
+  }
+  public get istioSystem() {
+    return this.#istioSystem;
+  }
+  public get certManager() {
+    return this.#certManager;
+  }
+
+  public ensure = async () => {
+    await this.#homelab.ensure({
+      metadata: {
+        labels: {
+          'istio-injection': 'enabled',
+        },
+      },
+    });
+    await this.#istioSystem.ensure({});
+    await this.#certManager.ensure({});
+  };
+}
+
+export { NamespaceService };

src/bootstrap/releases/releases.ts

@@ -0,0 +1,171 @@
+import { HelmReleaseInstance } from '../../instances/helm-release.ts';
+import { ResourceService } from '../../services/resources/resources.ts';
+import { NAMESPACE } from '../../utils/consts.ts';
+import { Services } from '../../utils/service.ts';
+import { NamespaceService } from '../namespaces/namespaces.ts';
+import { RepoService } from '../repos/repos.ts';
+
+class ReleaseService {
+  #services: Services;
+  #certManager: HelmReleaseInstance;
+  #istioBase: HelmReleaseInstance;
+  #istiod: HelmReleaseInstance;
+  #istioGateway: HelmReleaseInstance;
+
+  constructor(services: Services) {
+    this.#services = services;
+    const resourceService = services.get(ResourceService);
+    this.#certManager = resourceService.getInstance(
+      {
+        apiVersion: 'helm.toolkit.fluxcd.io/v2',
+        kind: 'HelmRelease',
+        name: 'cert-manager',
+        namespace: NAMESPACE,
+      },
+      HelmReleaseInstance,
+    );
+    this.#istioBase = resourceService.getInstance(
+      {
+        apiVersion: 'helm.toolkit.fluxcd.io/v2',
+        kind: 'HelmRelease',
+        name: 'istio-base',
+        namespace: NAMESPACE,
+      },
+      HelmReleaseInstance,
+    );
+    this.#istiod = resourceService.getInstance(
+      {
+        apiVersion: 'helm.toolkit.fluxcd.io/v2',
+        kind: 'HelmRelease',
+        name: 'istiod',
+        namespace: NAMESPACE,
+      },
+      HelmReleaseInstance,
+    );
+    this.#istioGateway = resourceService.getInstance(
+      {
+        apiVersion: 'helm.toolkit.fluxcd.io/v2',
+        kind: 'HelmRelease',
+        name: 'istio-gateway',
+        namespace: NAMESPACE,
+      },
+      HelmReleaseInstance,
+    );
+    this.#certManager.on('changed', this.ensure);
+    this.#istioBase.on('changed', this.ensure);
+    this.#istiod.on('changed', this.ensure);
+    this.#istioGateway.on('changed', this.ensure);
+  }
+
+  public get certManager() {
+    return this.#certManager;
+  }
+  public get istioBase() {
+    return this.#istioBase;
+  }
+  public get istiod() {
+    return this.#istiod;
+  }
+
+  public ensure = async () => {
+    const namespaceService = this.#services.get(NamespaceService);
+    const repoService = this.#services.get(RepoService);
+    await this.#certManager.ensure({
+      spec: {
+        targetNamespace: namespaceService.certManager.name,
+        interval: '1h',
+        values: {
+          installCRDs: true,
+        },
+        chart: {
+          spec: {
+            chart: 'cert-manager',
+            version: 'v1.18.2',
+            sourceRef: {
+              apiVersion: 'source.toolkit.fluxcd.io/v1',
+              kind: 'HelmRepository',
+              name: repoService.jetstack.name,
+              namespace: repoService.jetstack.namespace,
+            },
+          },
+        },
+      },
+    });
+    await this.#istioBase.ensure({
+      spec: {
+        targetNamespace: namespaceService.istioSystem.name,
+        interval: '1h',
+        values: {
+          defaultRevision: 'default',
+          profile: 'ambient',
+        },
+        chart: {
+          spec: {
+            chart: 'base',
+            version: '1.24.3',
+            sourceRef: {
+              apiVersion: 'source.toolkit.fluxcd.io/v1',
+              kind: 'HelmRepository',
+              name: repoService.istio.name,
+              namespace: repoService.istio.namespace,
+            },
+          },
+        },
+      },
+    });
+    await this.#istiod.ensure({
+      spec: {
+        targetNamespace: namespaceService.istioSystem.name,
+        interval: '1h',
+        dependsOn: [
+          {
+            name: this.#istioBase.name,
+            namespace: this.#istioBase.namespace,
+          },
+        ],
+        chart: {
+          spec: {
+            chart: 'istiod',
+            version: '1.24.3',
+            sourceRef: {
+              apiVersion: 'source.toolkit.fluxcd.io/v1',
+              kind: 'HelmRepository',
+              name: repoService.istio.name,
+              namespace: repoService.istio.namespace,
+            },
+          },
+        },
+      },
+    });
+    await this.#istioGateway.ensure({
+      spec: {
+        targetNamespace: NAMESPACE,
+        interval: '1h',
+        dependsOn: [
+          {
+            name: this.#istioBase.name,
+            namespace: this.#istioBase.namespace,
+          },
+          {
+            name: this.#istiod.name,
+            namespace: this.#istiod.namespace,
+          },
+        ],
+        chart: {
+          spec: {
+            chart: 'gateway',
+            version: '1.24.3',
+            sourceRef: {
+              apiVersion: 'source.toolkit.fluxcd.io/v1',
+              kind: 'HelmRepository',
+              name: repoService.istio.name,
+              namespace: repoService.istio.namespace,
+            },
+          },
+        },
+      },
+    });
+  };
+}
+
+export { ReleaseService };

src/bootstrap/repos/repos.ts

@@ -0,0 +1,112 @@
+import type { Services } from '../../utils/service.ts';
+import { ResourceService } from '../../services/resources/resources.ts';
+import { HelmRepoInstance } from '../../instances/helm-repo.ts';
+import { NAMESPACE } from '../../utils/consts.ts';
+
+class RepoService {
+  #jetstack: HelmRepoInstance;
+  #istio: HelmRepoInstance;
+  #authentik: HelmRepoInstance;
+  #containerro: HelmRepoInstance;
+
+  constructor(services: Services) {
+    const resourceService = services.get(ResourceService);
+    this.#jetstack = resourceService.getInstance(
+      {
+        apiVersion: 'source.toolkit.fluxcd.io/v1',
+        kind: 'HelmRepository',
+        name: 'jetstack',
+        namespace: NAMESPACE,
+      },
+      HelmRepoInstance,
+    );
+    this.#istio = resourceService.getInstance(
+      {
+        apiVersion: 'source.toolkit.fluxcd.io/v1',
+        kind: 'HelmRepository',
+        name: 'istio',
+        namespace: NAMESPACE,
+      },
+      HelmRepoInstance,
+    );
+    this.#authentik = resourceService.getInstance(
+      {
+        apiVersion: 'source.toolkit.fluxcd.io/v1',
+        kind: 'HelmRepository',
+        name: 'authentik',
+        namespace: NAMESPACE,
+      },
+      HelmRepoInstance,
+    );
+    this.#containerro = resourceService.getInstance(
+      {
+        apiVersion: 'source.toolkit.fluxcd.io/v1',
+        kind: 'HelmRepository',
+        name: 'containerro',
+        namespace: NAMESPACE,
+      },
+      HelmRepoInstance,
+    );
+    this.#jetstack.on('changed', this.ensure);
+    this.#istio.on('changed', this.ensure);
+    this.#authentik.on('changed', this.ensure);
+    this.#containerro.on('changed', this.ensure);
+  }
+
+  public get jetstack() {
+    return this.#jetstack;
+  }
+  public get istio() {
+    return this.#istio;
+  }
+  public get authentik() {
+    return this.#authentik;
+  }
+  public get containerro() {
+    return this.#containerro;
+  }
+
+  public ensure = async () => {
+    await this.#jetstack.ensure({
+      metadata: {
+        name: 'jetstack',
+      },
+      spec: {
+        interval: '1h',
+        url: 'https://charts.jetstack.io',
+      },
+    });
+
+    await this.#istio.ensure({
+      metadata: {
+        name: 'istio',
+      },
+      spec: {
+        interval: '1h',
+        url: 'https://istio-release.storage.googleapis.com/charts',
+      },
+    });
+
+    await this.#authentik.ensure({
+      metadata: {
+        name: 'authentik',
+      },
+      spec: {
+        interval: '1h',
+        url: 'https://charts.goauthentik.io',
+      },
+    });
+
+    await this.#containerro.ensure({
+      metadata: {
+        name: 'containerro',
+      },
+      spec: {
+        interval: '1h',
+        url: 'https://charts.containeroo.ch',
+      },
+    });
+  };
+}
+
+export { RepoService };

src/bootstrap/resources/issuer.ts

@@ -0,0 +1,64 @@
+import { ClusterIssuerInstance } from '../../instances/cluster-issuer.ts';
+import { CustomDefinitionInstance } from '../../instances/custom-resource-definition.ts';
+import { ResourceService } from '../../services/resources/resources.ts';
+import type { Services } from '../../utils/service.ts';
+
+class ClusterIssuerService {
+  #clusterIssuerCrd: CustomDefinitionInstance;
+  #clusterIssuer: ClusterIssuerInstance;
+
+  constructor(services: Services) {
+    const resourceService = services.get(ResourceService);
+    this.#clusterIssuerCrd = resourceService.getInstance(
+      {
+        apiVersion: 'v1',
+        kind: 'CustomResourceDefinition',
+        name: 'clusterissuers.cert-manager.io',
+      },
+      CustomDefinitionInstance,
+    );
+    this.#clusterIssuer = resourceService.getInstance(
+      {
+        apiVersion: 'v1',
+        kind: 'ClusterIssuer',
+        name: 'cluster-issuer',
+      },
+      ClusterIssuerInstance,
+    );
+
+    this.#clusterIssuerCrd.on('changed', this.ensure);
+    this.#clusterIssuer.on('changed', this.ensure);
+  }
+
+  public ensure = async () => {
+    if (!this.#clusterIssuerCrd.ready) {
+      return;
+    }
+    await this.#clusterIssuer.ensure({
+      spec: {
+        acme: {
+          server: 'https://acme-v02.api.letsencrypt.org/directory',
+          email: 'admin@example.com',
+          privateKeySecretRef: {
+            name: 'cluster-issuer-key',
+          },
+          solvers: [
+            {
+              dns01: {
+                cloudflare: {
+                  email: 'admin@example.com',
+                  apiKeySecretRef: {
+                    name: 'cloudflare-api-key',
+                    key: 'api-key',
+                  },
+                },
+              },
+            },
+          ],
+        },
+      },
+    });
+  };
+}
+
+export { ClusterIssuerService };

src/custom-resouces/authentik-client/authentik-client.resource.ts

@@ -13,12 +13,9 @@ import { decodeSecret, encodeSecret } from '../../utils/secrets.ts';
 import { CONTROLLED_LABEL } from '../../utils/consts.ts';
 import { isDeepSubset } from '../../utils/objects.ts';
 import { AuthentikService } from '../../services/authentik/authentik.service.ts';
+import { authentikServerSecretSchema } from '../authentik-server/authentik-server.schemas.ts';
 
-import {
-  authentikClientSecretSchema,
-  authentikClientServerSecretSchema,
-  type authentikClientSpecSchema,
-} from './authentik-client.schemas.ts';
+import { authentikClientSecretSchema, type authentikClientSpecSchema } from './authentik-client.schemas.ts';
 
 class AuthentikClientResource extends CustomResource<typeof authentikClientSpecSchema> {
   #serverSecret: ResourceReference<V1Secret>;
@@ -43,7 +40,7 @@ class AuthentikClientResource extends CustomResource<typeof authentikClientSpecS
   }
 
   #updateResouces = () => {
-    const serverSecretNames = getWithNamespace(this.spec.secretRef, this.namespace);
+    const serverSecretNames = getWithNamespace(`${this.spec.server}-server`, this.namespace);
     const resourceService = this.services.get(ResourceService);
     this.#serverSecret.current = resourceService.get({
       apiVersion: 'v1',
@@ -62,7 +59,7 @@ class AuthentikClientResource extends CustomResource<typeof authentikClientSpecS
         message: 'Server or server secret not found',
       };
     }
-    const serverSecretData = authentikClientServerSecretSchema.safeParse(decodeSecret(serverSecret.data));
+    const serverSecretData = authentikServerSecretSchema.safeParse(decodeSecret(serverSecret.data));
     if (!serverSecretData.success || !serverSecretData.data) {
       return {
         ready: false,
@@ -70,7 +67,7 @@ class AuthentikClientResource extends CustomResource<typeof authentikClientSpecS
         message: 'Server secret not found',
       };
     }
-    const url = serverSecretData.data.external_url;
+    const url = serverSecretData.data.url;
     const appName = this.name;
     const clientSecretData = authentikClientSecretSchema.safeParse(decodeSecret(this.#clientSecretResource.data));
 
@@ -118,7 +115,7 @@ class AuthentikClientResource extends CustomResource<typeof authentikClientSpecS
       };
     }
 
-    const serverSecretData = authentikClientServerSecretSchema.safeParse(decodeSecret(serverSecret.data));
+    const serverSecretData = authentikServerSecretSchema.safeParse(decodeSecret(serverSecret.data));
     if (!serverSecretData.success || !serverSecretData.data) {
       return {
         ready: false,
@@ -139,8 +136,8 @@ class AuthentikClientResource extends CustomResource<typeof authentikClientSpecS
     const authentikService = this.services.get(AuthentikService);
     const authentikServer = authentikService.get({
       url: {
-        internal: serverSecretData.data.internal_url,
-        external: serverSecretData.data.external_url,
+        internal: `http://${serverSecretData.data.host}`,
+        external: serverSecretData.data.url,
       },
       token: serverSecretData.data.token,
     });

src/custom-resouces/authentik-client/authentik-client.schemas.ts

@@ -2,7 +2,7 @@ import { ClientTypeEnum, SubModeEnum } from '@goauthentik/api';
 import { z } from 'zod';
 
 const authentikClientSpecSchema = z.object({
-  secretRef: z.string(),
+  server: z.string(),
   subMode: z.enum(SubModeEnum).optional(),
   clientType: z.enum(ClientTypeEnum).optional(),
   redirectUris: z.array(
@@ -13,12 +13,6 @@ const authentikClientSpecSchema = z.object({
   ),
 });
 
-const authentikClientServerSecretSchema = z.object({
-  internal_url: z.string(),
-  external_url: z.string(),
-  token: z.string(),
-});
-
 const authentikClientSecretSchema = z.object({
   clientId: z.string(),
   clientSecret: z.string().optional(),
@@ -31,4 +25,4 @@ const authentikClientSecretSchema = z.object({
   jwks: z.string(),
 });
 
-export { authentikClientSpecSchema, authentikClientSecretSchema, authentikClientServerSecretSchema };
+export { authentikClientSpecSchema, authentikClientSecretSchema };

src/custom-resouces/authentik-server/authentik-server.controller.ts

@@ -0,0 +1,271 @@
+import type { V1Secret } from '@kubernetes/client-node';
+
+import { RepoService } from '../../bootstrap/repos/repos.ts';
+import { HelmReleaseInstance } from '../../instances/helm-release.ts';
+import { SecretInstance } from '../../instances/secret.ts';
+import {
+  CustomResource,
+  type CustomResourceOptions,
+  type CustomResourceObject,
+} from '../../services/custom-resources/custom-resources.custom-resource.ts';
+import { ResourceReference } from '../../services/resources/resources.ref.ts';
+import { ResourceService } from '../../services/resources/resources.ts';
+import type { EnsuredSecret } from '../../services/secrets/secrets.secret.ts';
+import { SecretService } from '../../services/secrets/secrets.ts';
+import { API_VERSION } from '../../utils/consts.ts';
+import { getWithNamespace } from '../../utils/naming.ts';
+import { decodeSecret, encodeSecret } from '../../utils/secrets.ts';
+import type { environmentSpecSchema } from '../environment/environment.schemas.ts';
+import { HttpServiceInstance } from '../../instances/http-service.ts';
+import type { redisServerSpecSchema } from '../redis-server/redis-server.schemas.ts';
+import { PostgresDatabaseInstance } from '../../instances/postgres-database.ts';
+
+import {
+  authentikServerInitSecretSchema,
+  authentikServerSecretSchema,
+  type authentikServerSpecSchema,
+} from './authentik-server.schemas.ts';
+
+class AuthentikServerController extends CustomResource<typeof authentikServerSpecSchema> {
+  #environment: ResourceReference<CustomResourceObject<typeof environmentSpecSchema>>;
+  #authentikInitSecret: EnsuredSecret<typeof authentikServerInitSecretSchema>;
+  #authentikSecret: SecretInstance;
+  #authentikRelease: HelmReleaseInstance;
+  #postgresSecret: ResourceReference<V1Secret>;
+  #httpService: HttpServiceInstance;
+  #redisServer: ResourceReference<CustomResourceObject<typeof redisServerSpecSchema>>;
+  #postgresDatabase: PostgresDatabaseInstance;
+
+  constructor(options: CustomResourceOptions<typeof authentikServerSpecSchema>) {
+    super(options);
+    const secretService = this.services.get(SecretService);
+    const resourceService = this.services.get(ResourceService);
+
+    this.#environment = new ResourceReference();
+    this.#authentikInitSecret = secretService.ensure({
+      owner: [this.ref],
+      name: `${this.name}-init`,
+      namespace: this.namespace,
+      schema: authentikServerInitSecretSchema,
+      generator: () => ({
+        AUTHENTIK_BOOTSTRAP_TOKEN: crypto.randomUUID(),
+        AUTHENTIK_BOOTSTRAP_PASSWORD: crypto.randomUUID(),
+        AUTHENTIK_BOOTSTRAP_EMAIL: 'admin@example.com',
+        AUTHENTIK_SECRET_KEY: crypto.randomUUID(),
+      }),
+    });
+    this.#authentikSecret = resourceService.getInstance(
+      {
+        apiVersion: 'v1',
+        kind: 'Secret',
+        name: `${this.name}-server`,
+        namespace: this.namespace,
+      },
+      SecretInstance<typeof authentikServerSecretSchema>,
+    );
+    this.#authentikRelease = resourceService.getInstance(
+      {
+        apiVersion: 'helm.toolkit.fluxcd.io/v2',
+        kind: 'HelmRelease',
+        name: this.name,
+        namespace: this.namespace,
+      },
+      HelmReleaseInstance,
+    );
+    this.#httpService = resourceService.getInstance(
+      {
+        apiVersion: API_VERSION,
+        kind: 'HttpService',
+        name: this.name,
+        namespace: this.namespace,
+      },
+      HttpServiceInstance,
+    );
+    this.#postgresDatabase = resourceService.getInstance(
+      {
+        apiVersion: API_VERSION,
+        kind: 'PostgresDatabase',
+        name: this.name,
+        namespace: this.namespace,
+      },
+      PostgresDatabaseInstance,
+    );
+    this.#redisServer = new ResourceReference();
+    this.#postgresSecret = new ResourceReference();
+    this.#authentikSecret.on('changed', this.queueReconcile);
+    this.#authentikInitSecret.resource.on('deleted', this.queueReconcile);
+    this.#environment.on('changed', this.queueReconcile);
+    this.#authentikRelease.on('changed', this.queueReconcile);
+    this.#postgresSecret.on('changed', this.queueReconcile);
+    this.#httpService.on('changed', this.queueReconcile);
+    this.#redisServer.on('changed', this.queueReconcile);
+  }
+
+  public reconcile = async () => {
+    if (!this.exists || this.metadata?.deletionTimestamp) {
+      return;
+    }
+
+    if (!this.#authentikInitSecret.isValid) {
+      await this.markNotReady('MissingAuthentikInitSecret', 'The authentik init secret is not found');
+      return;
+    }
+
+    const resourceService = this.services.get(ResourceService);
+    const environmentNames = getWithNamespace(this.spec.environment, this.namespace);
+
+    this.#environment.current = resourceService.get({
+      apiVersion: API_VERSION,
+      kind: 'Environment',
+      name: environmentNames.name,
+      namespace: this.namespace,
+    });
+
+    await this.#postgresDatabase.ensure({
+      metadata: {
+        ownerReferences: [this.ref],
+      },
+      spec: {
+        cluster: this.spec.postgresCluster,
+      },
+    });
+    const postgresSecret = this.#postgresDatabase.secret;
+
+    if (!postgresSecret.exists) {
+      await this.markNotReady('MissingPostgresSecret', 'The postgres secret is not found');
+      return;
+    }
+    const postgresSecretData = decodeSecret(postgresSecret.data) || {};
+
+    if (!this.#environment.current?.exists) {
+      await this.markNotReady(
+        'MissingEnvironment',
+        `Environment ${this.#environment.current?.namespace}/${this.#environment.current?.name} not found`,
+      );
+      return;
+    }
+
+    const domain = this.#environment.current.spec?.domain;
+    if (!domain) {
+      await this.markNotReady('MissingDomain', 'The domain is not set');
+      return;
+    }
+
+    const secretData = {
+      url: `https://${this.spec.subdomain}.${domain}`,
+      host: `${this.name}.${this.namespace}.svc.cluster.local`,
+      token: this.#authentikInitSecret.value?.AUTHENTIK_BOOTSTRAP_TOKEN ?? '',
+    };
+
+    await this.#authentikSecret.ensure({
+      metadata: {
+        ownerReferences: [this.ref],
+      },
+      data: encodeSecret(secretData),
+    });
+
+    const repoService = this.services.get(RepoService);
+
+    const redisNames = getWithNamespace(this.spec.redisServer, this.namespace);
+    const redisHost = `${redisNames.name}.${redisNames.namespace}.svc.cluster.local`;
+
+    await this.#authentikRelease.ensure({
+      metadata: {
+        ownerReferences: [this.ref],
+      },
+      spec: {
+        interval: '60m',
+        chart: {
+          spec: {
+            chart: 'authentik',
+            version: '2025.6.4',
+            sourceRef: {
+              apiVersion: 'source.toolkit.fluxcd.io/v1',
+              kind: 'HelmRepository',
+              name: repoService.authentik.name,
+              namespace: repoService.authentik.namespace,
+            },
+          },
+        },
+        values: {
+          global: {
+            envFrom: [
+              {
+                secretRef: {
+                  name: this.#authentikInitSecret.name,
+                },
+              },
+            ],
+          },
+          authentik: {
+            error_reporting: {
+              enabled: false,
+            },
+            postgresql: {
+              host: postgresSecretData.host,
+              name: postgresSecretData.database,
+              user: postgresSecretData.username,
+              password: 'file:///postgres-creds/password',
+            },
+            redis: {
+              host: redisHost,
+            },
+          },
+          server: {
+            volumes: [
+              {
+                name: 'postgres-creds',
+                secret: {
+                  secretName: postgresSecret.name,
+                },
+              },
+            ],
+            volumeMounts: [
+              {
+                name: 'postgres-creds',
+                mountPath: '/postgres-creds',
+                readOnly: true,
+              },
+            ],
+          },
+          worker: {
+            volumes: [
+              {
+                name: 'postgres-creds',
+                secret: {
+                  secretName: postgresSecret.name,
+                },
+              },
+            ],
+            volumeMounts: [
+              {
+                name: 'postgres-creds',
+                mountPath: '/postgres-creds',
+                readOnly: true,
+              },
+            ],
+          },
+        },
+      },
+    });
+
+    await this.#httpService.ensure({
+      metadata: {
+        ownerReferences: [this.ref],
+      },
+      spec: {
+        environment: this.spec.environment,
+        subdomain: this.spec.subdomain,
+        destination: {
+          host: `${this.name}-server.${this.namespace}.svc.cluster.local`,
+          port: {
+            number: 80,
+          },
+        },
+      },
+    });
+    await this.markReady();
+  };
+}
+
+export { AuthentikServerController };

src/custom-resouces/authentik-server/authentik-server.schemas.ts

@@ -0,0 +1,23 @@
+import { z } from 'zod';
+
+const authentikServerSpecSchema = z.object({
+  redisServer: z.string(),
+  postgresCluster: z.string(),
+  environment: z.string(),
+  subdomain: z.string(),
+});
+
+const authentikServerInitSecretSchema = z.object({
+  AUTHENTIK_BOOTSTRAP_TOKEN: z.string(),
+  AUTHENTIK_BOOTSTRAP_PASSWORD: z.string(),
+  AUTHENTIK_BOOTSTRAP_EMAIL: z.string(),
+  AUTHENTIK_SECRET_KEY: z.string(),
+});
+
+const authentikServerSecretSchema = z.object({
+  url: z.string(),
+  host: z.string(),
+  token: z.string(),
+});
+
+export { authentikServerSpecSchema, authentikServerInitSecretSchema, authentikServerSecretSchema };

src/custom-resouces/authentik-server/authentik-server.ts

@@ -0,0 +1,19 @@
+import { createCustomResourceDefinition } from '../../services/custom-resources/custom-resources.ts';
+import { GROUP } from '../../utils/consts.ts';
+
+import { authentikServerSpecSchema } from './authentik-server.schemas.ts';
+import { AuthentikServerController } from './authentik-server.controller.ts';
+
+const authentikServerDefinition = createCustomResourceDefinition({
+  group: GROUP,
+  version: 'v1',
+  kind: 'AuthentikServer',
+  names: {
+    plural: 'authentikservers',
+    singular: 'authentikserver',
+  },
+  spec: authentikServerSpecSchema,
+  create: (options) => new AuthentikServerController(options),
+});
+
+export { authentikServerDefinition };

src/custom-resouces/custom-resources.ts

@@ -1,7 +1,21 @@
 import { authentikClientDefinition } from './authentik-client/authentik-client.ts';
+import { authentikServerDefinition } from './authentik-server/authentik-server.ts';
+import { environmentDefinition } from './environment/environment.ts';
 import { generateSecretDefinition } from './generate-secret/generate-secret.ts';
+import { httpServiceDefinition } from './http-service/http-service.ts';
+import { postgresClusterDefinition } from './postgres-cluster/postgres-cluster.ts';
 import { postgresDatabaseDefinition } from './postgres-database/postgres-database.ts';
+import { redisServerDefinition } from './redis-server/redis-server.ts';
 
-const customResources = [postgresDatabaseDefinition, authentikClientDefinition, generateSecretDefinition];
+const customResources = [
+  postgresDatabaseDefinition,
+  authentikClientDefinition,
+  generateSecretDefinition,
+  environmentDefinition,
+  postgresClusterDefinition,
+  authentikServerDefinition,
+  httpServiceDefinition,
+  redisServerDefinition,
+];
 
 export { customResources };

src/custom-resouces/environment/environment.controller.ts

@@ -0,0 +1,224 @@
+import { CertificateInstance } from '../../instances/certificate.ts';
+import { CustomDefinitionInstance } from '../../instances/custom-resource-definition.ts';
+import { NamespaceInstance } from '../../instances/namespace.ts';
+import {
+  CustomResource,
+  type CustomResourceOptions,
+} from '../../services/custom-resources/custom-resources.custom-resource.ts';
+import { ResourceService } from '../../services/resources/resources.ts';
+import { GatewayInstance } from '../../instances/gateway.ts';
+import { PostgresClusterInstance } from '../../instances/postgres-cluster.ts';
+import { API_VERSION } from '../../utils/consts.ts';
+import { AuthentikServerInstance } from '../../instances/authentik-server.ts';
+import { StorageClassInstance } from '../../instances/storageclass.ts';
+import { PROVISIONER } from '../../storage-provider/storage-provider.ts';
+import { RedisServerInstance } from '../../instances/redis-server.ts';
+import { NamespaceService } from '../../bootstrap/namespaces/namespaces.ts';
+
+import type { environmentSpecSchema } from './environment.schemas.ts';
+
+class EnvironmentController extends CustomResource<typeof environmentSpecSchema> {
+  #namespace: NamespaceInstance;
+  #certificateCrd: CustomDefinitionInstance;
+  #certificate: CertificateInstance;
+  #gatewayCrd: CustomDefinitionInstance;
+  #gateway: GatewayInstance;
+  #storageClass: StorageClassInstance;
+  #postgresCluster: PostgresClusterInstance;
+  #authentikServer: AuthentikServerInstance;
+  #redisServer: RedisServerInstance;
+
+  constructor(options: CustomResourceOptions<typeof environmentSpecSchema>) {
+    super(options);
+    const resourceService = this.services.get(ResourceService);
+    const namespaceService = this.services.get(NamespaceService);
+    this.#namespace = resourceService.getInstance(
+      {
+        apiVersion: 'v1',
+        kind: 'Namespace',
+        name: this.namespace,
+      },
+      NamespaceInstance,
+    );
+    this.#certificateCrd = resourceService.getInstance(
+      {
+        apiVersion: 'apiextensions.k8s.io/v1',
+        kind: 'CustomResourceDefinition',
+        name: 'certificates.cert-manager.io',
+      },
+      CustomDefinitionInstance,
+    );
+    this.#certificate = resourceService.getInstance(
+      {
+        apiVersion: 'cert-manager.io/v1',
+        kind: 'Certificate',
+        name: `${this.name}-tls`,
+        namespace: namespaceService.homelab.name,
+      },
+      CertificateInstance,
+    );
+    this.#gatewayCrd = resourceService.getInstance(
+      {
+        apiVersion: 'apiextensions.k8s.io/v1',
+        kind: 'CustomResourceDefinition',
+        name: 'gateways.networking.istio.io',
+      },
+      CustomDefinitionInstance,
+    );
+    this.#gateway = resourceService.getInstance(
+      {
+        apiVersion: 'networking.istio.io/v1',
+        kind: 'Gateway',
+        name: this.name,
+        namespace: this.namespace,
+      },
+      GatewayInstance,
+    );
+    this.#storageClass = resourceService.getInstance(
+      {
+        apiVersion: 'storage.k8s.io/v1',
+        kind: 'StorageClass',
+        name: `${this.name}-retain`,
+      },
+      StorageClassInstance,
+    );
+    this.#postgresCluster = resourceService.getInstance(
+      {
+        apiVersion: API_VERSION,
+        kind: 'PostgresCluster',
+        name: `${this.name}-postgres-cluster`,
+        namespace: this.namespace,
+      },
+      PostgresClusterInstance,
+    );
+    this.#authentikServer = resourceService.getInstance(
+      {
+        apiVersion: API_VERSION,
+        kind: 'AuthentikServer',
+        name: `${this.name}-authentik-server`,
+        namespace: this.namespace,
+      },
+      AuthentikServerInstance,
+    );
+    this.#redisServer = resourceService.getInstance(
+      {
+        apiVersion: API_VERSION,
+        kind: 'RedisServer',
+        name: `${this.name}-redis-server`,
+        namespace: this.namespace,
+      },
+      RedisServerInstance,
+    );
+    this.#gatewayCrd.on('changed', this.queueReconcile);
+    this.#gateway.on('changed', this.queueReconcile);
+    this.#certificateCrd.on('changed', this.queueReconcile);
+    this.#namespace.on('changed', this.queueReconcile);
+    this.#certificate.on('changed', this.queueReconcile);
+    this.#postgresCluster.on('changed', this.queueReconcile);
+    this.#authentikServer.on('changed', this.queueReconcile);
+    this.#storageClass.on('changed', this.queueReconcile);
+    this.#redisServer.on('changed', this.queueReconcile);
+  }
+
+  public reconcile = async () => {
+    if (!this.exists || this.metadata?.deletionTimestamp) {
+      return;
+    }
+    await this.#namespace.ensure({
+      metadata: {
+        ownerReferences: [this.ref],
+        labels: {
+          'istio-injection': 'enabled',
+        },
+      },
+    });
+    if (this.#certificateCrd.ready) {
+      await this.#certificate.ensure({
+        spec: {
+          secretName: `${this.name}-tls`,
+          issuerRef: {
+            name: this.spec.tls.issuer,
+            kind: 'ClusterIssuer',
+          },
+          dnsNames: [`*.${this.spec.domain}`],
+          privateKey: {
+            rotationPolicy: 'Always',
+          },
+        },
+      });
+    }
+    if (this.#gatewayCrd.ready) {
+      await this.#gateway.ensure({
+        metadata: {
+          ownerReferences: [this.ref],
+        },
+        spec: {
+          selector: {
+            istio: 'homelab-istio-gateway',
+          },
+          servers: [
+            {
+              hosts: [`*.${this.spec.domain}`],
+              port: {
+                name: 'http',
+                number: 80,
+                protocol: 'HTTP',
+              },
+              tls: {
+                httpsRedirect: true,
+              },
+            },
+            {
+              hosts: [`*.${this.spec.domain}`],
+              port: {
+                name: 'https',
+                number: 443,
+                protocol: 'HTTPS',
+              },
+              tls: {
+                mode: 'SIMPLE',
+                credentialName: `${this.name}-tls`,
+              },
+            },
+          ],
+        },
+      });
+      await this.#storageClass.ensure({
+        provisioner: PROVISIONER,
+        parameters: {
+          storageLocation: this.spec.storage?.location || `/data/volumes/${this.name}`,
+          reclaimPolicy: 'Retain',
+          allowVolumeExpansion: 'true',
+          volumeBindingMode: 'Immediate',
+        },
+      });
+      await this.#postgresCluster.ensure({
+        metadata: {
+          ownerReferences: [this.ref],
+        },
+        spec: {
+          environment: this.name,
+        },
+      });
+      await this.#authentikServer.ensure({
+        metadata: {
+          ownerReferences: [this.ref],
+        },
+        spec: {
+          environment: `${this.namespace}/${this.name}`,
+          subdomain: 'authentik',
+          postgresCluster: `${this.name}-postgres-cluster`,
+          redisServer: `${this.name}-redis-server`,
+        },
+      });
+      await this.#redisServer.ensure({
+        metadata: {
+          ownerReferences: [this.ref],
+        },
+        spec: {},
+      });
+    }
+  };
+}
+
+export { EnvironmentController };

src/custom-resouces/environment/environment.schemas.ts

@@ -0,0 +1,17 @@
+import { z } from 'zod';
+
+const environmentSpecSchema = z.object({
+  domain: z.string(),
+  tls: z.object({
+    issuer: z.string(),
+  }),
+  storage: z
+    .object({
+      location: z.string().optional(),
+    })
+    .optional(),
+});
+
+type EnvironmentSpec = z.infer<typeof environmentSpecSchema>;
+
+export { environmentSpecSchema, type EnvironmentSpec };

src/custom-resouces/environment/environment.ts

@@ -0,0 +1,19 @@
+import { createCustomResourceDefinition } from '../../services/custom-resources/custom-resources.ts';
+import { GROUP } from '../../utils/consts.ts';
+
+import { EnvironmentController } from './environment.controller.ts';
+import { environmentSpecSchema } from './environment.schemas.ts';
+
+const environmentDefinition = createCustomResourceDefinition({
+  group: GROUP,
+  version: 'v1',
+  kind: 'Environment',
+  names: {
+    plural: 'environments',
+    singular: 'environment',
+  },
+  spec: environmentSpecSchema,
+  create: (options) => new EnvironmentController(options),
+});
+
+export { environmentDefinition };

src/custom-resouces/generate-secret/generate-secret.resource.ts

@@ -37,8 +37,8 @@ class GenerateSecretResource extends CustomResource<typeof generateSecretSpecSch
     const current = decodeSecret(this.#secretResource.data) || {};
 
     const expected = {
-      ...current,
       ...secrets,
+      ...current,
     };
 
     if (!isDeepSubset(current, expected)) {

src/custom-resouces/http-service/http-service.controller.ts

@@ -0,0 +1,100 @@
+import { DestinationRuleInstance } from '../../instances/destination-rule.ts';
+import { VirtualServiceInstance } from '../../instances/virtual-service.ts';
+import {
+  CustomResource,
+  type CustomResourceObject,
+  type CustomResourceOptions,
+} from '../../services/custom-resources/custom-resources.custom-resource.ts';
+import { ResourceReference, ResourceService } from '../../services/resources/resources.ts';
+import { API_VERSION } from '../../utils/consts.ts';
+import { getWithNamespace } from '../../utils/naming.ts';
+import { environmentSpecSchema } from '../environment/environment.schemas.ts';
+
+import { httpServiceSpecSchema } from './http-service.schemas.ts';
+
+class HttpServiceController extends CustomResource<typeof httpServiceSpecSchema> {
+  #environment: ResourceReference<CustomResourceObject<typeof environmentSpecSchema>>;
+  #virtualService: VirtualServiceInstance;
+  #destinationRule: DestinationRuleInstance;
+
+  constructor(options: CustomResourceOptions<typeof httpServiceSpecSchema>) {
+    super(options);
+    const resourceService = this.services.get(ResourceService);
+    this.#environment = new ResourceReference();
+    this.#virtualService = resourceService.getInstance(
+      {
+        apiVersion: 'networking.istio.io/v1beta1',
+        kind: 'VirtualService',
+        name: `${this.name}-virtual-service`,
+        namespace: this.namespace,
+      },
+      VirtualServiceInstance,
+    );
+    this.#destinationRule = resourceService.getInstance(
+      {
+        apiVersion: 'networking.istio.io/v1beta1',
+        kind: 'DestinationRule',
+        name: `${this.name}-destination-rule`,
+        namespace: this.namespace,
+      },
+      DestinationRuleInstance,
+    );
+    this.#destinationRule.on('changed', this.queueReconcile);
+    this.#virtualService.on('changed', this.queueReconcile);
+    this.#environment.on('changed', this.queueReconcile);
+  }
+
+  public reconcile = async () => {
+    if (!this.exists || this.metadata?.deletionTimestamp) {
+      return;
+    }
+    const resourceService = this.services.get(ResourceService);
+    const environmentNames = getWithNamespace(this.spec.environment, this.namespace);
+    this.#environment.current = resourceService.get({
+      apiVersion: API_VERSION,
+      kind: 'Environment',
+      name: environmentNames.name,
+      namespace: environmentNames.namespace,
+    });
+    const environment = this.#environment.current;
+    if (!environment?.exists) {
+      return;
+    }
+    await this.#virtualService.ensure({
+      metadata: {
+        ownerReferences: [this.ref],
+      },
+      spec: {
+        hosts: [`${this.spec.subdomain}.${environment.spec?.domain}`],
+        gateways: [`${this.#environment.current.namespace}/${this.#environment.current.name}`],
+        http: [
+          {
+            route: [
+              {
+                destination: {
+                  host: this.spec.destination.host,
+                  port: this.spec.destination.port,
+                },
+              },
+            ],
+          },
+        ],
+      },
+    });
+    await this.#destinationRule.ensure({
+      metadata: {
+        ownerReferences: [this.ref],
+      },
+      spec: {
+        host: this.spec.destination.host,
+        trafficPolicy: {
+          tls: {
+            mode: 'DISABLE',
+          },
+        },
+      },
+    });
+  };
+}
+
+export { HttpServiceController };

src/custom-resouces/http-service/http-service.schemas.ts

@@ -0,0 +1,18 @@
+import { z } from 'zod';
+
+const httpServiceSpecSchema = z.object({
+  environment: z.string(),
+  subdomain: z.string(),
+  destination: z.object({
+    host: z.string(),
+    port: z
+      .object({
+        number: z.number().optional(),
+        protocol: z.enum(['http', 'https']).optional(),
+        name: z.string().optional(),
+      })
+      .optional(),
+  }),
+});
+
+export { httpServiceSpecSchema };

src/custom-resouces/http-service/http-service.ts

@@ -0,0 +1,19 @@
+import { createCustomResourceDefinition } from '../../services/custom-resources/custom-resources.ts';
+import { GROUP } from '../../utils/consts.ts';
+
+import { HttpServiceController } from './http-service.controller.ts';
+import { httpServiceSpecSchema } from './http-service.schemas.ts';
+
+const httpServiceDefinition = createCustomResourceDefinition({
+  group: GROUP,
+  version: 'v1',
+  kind: 'HttpService',
+  names: {
+    plural: 'httpservices',
+    singular: 'httpservice',
+  },
+  spec: httpServiceSpecSchema,
+  create: (options) => new HttpServiceController(options),
+});
+
+export { httpServiceDefinition };

src/custom-resouces/postgres-cluster/postgres-cluster.controller.ts

@@ -0,0 +1,155 @@
+import { ServiceInstance } from '../../instances/service.ts';
+import { StatefulSetInstance } from '../../instances/stateful-set.ts';
+import { ResourceService } from '../../services/resources/resources.ts';
+import {
+  CustomResource,
+  type CustomResourceOptions,
+} from '../../services/custom-resources/custom-resources.custom-resource.ts';
+import type { EnsuredSecret } from '../../services/secrets/secrets.secret.ts';
+import { SecretService } from '../../services/secrets/secrets.ts';
+
+import { postgresClusterSecretSchema, type postgresClusterSpecSchema } from './postgres-cluster.schemas.ts';
+
+class PostgresClusterController extends CustomResource<typeof postgresClusterSpecSchema> {
+  #statefulSet: StatefulSetInstance;
+  #headlessService: ServiceInstance;
+  #service: ServiceInstance;
+  #secret: EnsuredSecret<typeof postgresClusterSecretSchema>;
+
+  constructor(options: CustomResourceOptions<typeof postgresClusterSpecSchema>) {
+    super(options);
+    const resourceService = this.services.get(ResourceService);
+    const secretService = this.services.get(SecretService);
+    this.#statefulSet = resourceService.getInstance(
+      {
+        apiVersion: 'apps/v1',
+        kind: 'StatefulSet',
+        name: this.name,
+        namespace: this.namespace,
+      },
+      StatefulSetInstance,
+    );
+    this.#headlessService = resourceService.getInstance(
+      {
+        apiVersion: 'v1',
+        kind: 'Service',
+        name: `${this.name}-headless`,
+        namespace: this.namespace,
+      },
+      ServiceInstance,
+    );
+    this.#service = resourceService.getInstance(
+      {
+        apiVersion: 'v1',
+        kind: 'Service',
+        name: this.name,
+        namespace: this.namespace,
+      },
+      ServiceInstance,
+    );
+    this.#secret = secretService.ensure({
+      name: this.name,
+      namespace: this.namespace,
+      schema: postgresClusterSecretSchema,
+      generator: () => {
+        return {
+          database: 'postgres',
+          host: `${this.name}.${this.namespace}.svc.cluster.local`,
+          port: '5432',
+          username: 'postgres',
+          password: crypto.randomUUID(),
+        };
+      },
+    });
+    this.#statefulSet.on('changed', this.queueReconcile);
+    this.#service.on('changed', this.queueReconcile);
+    this.#headlessService.on('changed', this.queueReconcile);
+    this.#secret.resource.on('changed', this.queueReconcile);
+  }
+
+  public reconcile = async () => {
+    if (!this.exists || this.metadata?.deletionTimestamp || !this.#secret.isValid) {
+      return;
+    }
+    await this.#headlessService.ensure({
+      metadata: {
+        ownerReferences: [this.ref],
+      },
+      spec: {
+        clusterIP: 'None',
+        selector: {
+          app: this.name,
+        },
+        ports: [{ name: 'postgres', port: 5432, targetPort: 5432 }],
+      },
+    });
+    await this.#statefulSet.ensure({
+      metadata: {
+        ownerReferences: [this.ref],
+      },
+      spec: {
+        replicas: 1,
+        serviceName: this.name,
+        selector: {
+          matchLabels: {
+            app: this.name,
+          },
+        },
+        template: {
+          metadata: {
+            labels: {
+              app: this.name,
+            },
+          },
+          spec: {
+            containers: [
+              {
+                name: this.name,
+                image: 'postgres:17',
+                ports: [{ containerPort: 5432, name: 'postgres' }],
+                env: [
+                  { name: 'POSTGRES_PASSWORD', valueFrom: { secretKeyRef: { name: this.name, key: 'password' } } },
+                  { name: 'POSTGRES_USER', valueFrom: { secretKeyRef: { name: this.name, key: 'username' } } },
+                  { name: 'POSTGRES_DB', value: this.name },
+                  { name: 'PGDATA', value: '/var/lib/postgresql/data/pgdata' },
+                ],
+                volumeMounts: [{ name: this.name, mountPath: '/var/lib/postgresql/data' }],
+              },
+            ],
+          },
+        },
+        volumeClaimTemplates: [
+          {
+            metadata: {
+              name: this.name,
+            },
+            spec: {
+              accessModes: ['ReadWriteOnce'],
+              storageClassName: `${this.spec.environment}-retain`,
+              resources: {
+                requests: {
+                  storage: this.spec.storage?.size || '1Gi',
+                },
+              },
+            },
+          },
+        ],
+      },
+    });
+
+    await this.#service.ensure({
+      metadata: {
+        ownerReferences: [this.ref],
+      },
+      spec: {
+        type: 'ClusterIP',
+        selector: {
+          app: this.name,
+        },
+        ports: [{ name: 'postgres', port: 5432, targetPort: 5432 }],
+      },
+    });
+  };
+}
+
+export { PostgresClusterController };

src/custom-resouces/postgres-cluster/postgres-cluster.schemas.ts

@@ -0,0 +1,20 @@
+import { z } from 'zod';
+
+const postgresClusterSpecSchema = z.object({
+  environment: z.string(),
+  storage: z
+    .object({
+      size: z.string().optional(),
+    })
+    .optional(),
+});
+
+const postgresClusterSecretSchema = z.object({
+  database: z.string(),
+  host: z.string(),
+  port: z.string(),
+  username: z.string(),
+  password: z.string(),
+});
+
+export { postgresClusterSpecSchema, postgresClusterSecretSchema };

src/custom-resouces/postgres-cluster/postgres-cluster.ts

@@ -0,0 +1,19 @@
+import { createCustomResourceDefinition } from '../../services/custom-resources/custom-resources.ts';
+import { GROUP } from '../../utils/consts.ts';
+
+import { PostgresClusterController } from './postgres-cluster.controller.ts';
+import { postgresClusterSpecSchema } from './postgres-cluster.schemas.ts';
+
+const postgresClusterDefinition = createCustomResourceDefinition({
+  group: GROUP,
+  version: 'v1',
+  kind: 'PostgresCluster',
+  names: {
+    plural: 'postgres-clusters',
+    singular: 'postgres-cluster',
+  },
+  spec: postgresClusterSpecSchema,
+  create: (options) => new PostgresClusterController(options),
+});
+
+export { postgresClusterDefinition };

src/custom-resouces/postgres-database/portgres-database.schemas.ts

@@ -1,22 +1,7 @@
 import { z } from 'zod';
 
 const postgresDatabaseSpecSchema = z.object({
-  secretRef: z.string(),
+  cluster: z.string(),
 });
 
-const postgresDatabaseSecretSchema = z.object({
-  host: z.string(),
-  port: z.string(),
-  user: z.string(),
-  password: z.string(),
-});
-
-const postgresDatabaseConnectionSecretSchema = z.object({
-  host: z.string(),
-  port: z.string(),
-  user: z.string(),
-  password: z.string(),
-  database: z.string(),
-});
-
-export { postgresDatabaseSpecSchema, postgresDatabaseSecretSchema, postgresDatabaseConnectionSecretSchema };
+export { postgresDatabaseSpecSchema };

src/custom-resouces/postgres-database/postgres-database.resource.ts

@@ -1,4 +1,3 @@
-import { z } from 'zod';
 import type { V1Secret } from '@kubernetes/client-node';
 
 import {
@@ -8,46 +7,40 @@ import {
 } from '../../services/custom-resources/custom-resources.custom-resource.ts';
 import { PostgresService } from '../../services/postgres/postgres.service.ts';
 import { ResourceReference } from '../../services/resources/resources.ref.ts';
-import { Resource, ResourceService } from '../../services/resources/resources.ts';
+import { ResourceService } from '../../services/resources/resources.ts';
 import { getWithNamespace } from '../../utils/naming.ts';
-import { decodeSecret, encodeSecret } from '../../utils/secrets.ts';
-import { isDeepSubset } from '../../utils/objects.ts';
+import { decodeSecret } from '../../utils/secrets.ts';
+import { postgresClusterSecretSchema } from '../postgres-cluster/postgres-cluster.schemas.ts';
+import { SecretInstance } from '../../instances/secret.ts';
 
-import {
-  postgresDatabaseConnectionSecretSchema,
-  postgresDatabaseSecretSchema,
-  type postgresDatabaseSpecSchema,
-} from './portgres-database.schemas.ts';
+import { type postgresDatabaseSpecSchema } from './portgres-database.schemas.ts';
 
 const SECRET_READY_CONDITION = 'Secret';
 const DATABASE_READY_CONDITION = 'Database';
 
-const secretDataSchema = z.object({
-  host: z.string(),
-  port: z.string().optional(),
-  database: z.string(),
-  user: z.string(),
-  password: z.string(),
-});
-
 class PostgresDatabaseResource extends CustomResource<typeof postgresDatabaseSpecSchema> {
-  #serverSecret: ResourceReference<V1Secret>;
-  #databaseSecret: Resource<V1Secret>;
+  #clusterSecret: ResourceReference<V1Secret>;
+  #databaseSecret: SecretInstance<typeof postgresClusterSecretSchema>;
 
   constructor(options: CustomResourceOptions<typeof postgresDatabaseSpecSchema>) {
     super(options);
-    this.#serverSecret = new ResourceReference();
-
     const resourceService = this.services.get(ResourceService);
-    this.#databaseSecret = resourceService.get({
-      apiVersion: 'v1',
-      kind: 'Secret',
-      name: `${this.name}-connection`,
-      namespace: this.namespace,
-    });
+
+    this.#clusterSecret = new ResourceReference();
+
+    this.#databaseSecret = resourceService.getInstance(
+      {
+        apiVersion: 'v1',
+        kind: 'Secret',
+        name: `${this.name}-postgres-database`,
+        namespace: this.namespace,
+      },
+      SecretInstance<typeof postgresClusterSecretSchema>,
+    );
 
     this.#updateSecret();
-    this.#serverSecret.on('changed', this.queueReconcile);
+    this.#clusterSecret.on('changed', this.queueReconcile);
+    this.#databaseSecret.on('changed', this.queueReconcile);
   }
 
   get #dbName() {
@@ -60,8 +53,8 @@ class PostgresDatabaseResource extends CustomResource<typeof postgresDatabaseSpe
 
   #updateSecret = () => {
     const resourceService = this.services.get(ResourceService);
-    const secretNames = getWithNamespace(this.spec.secretRef, this.namespace);
-    this.#serverSecret.current = resourceService.get({
+    const secretNames = getWithNamespace(this.spec.cluster, this.namespace);
+    this.#clusterSecret.current = resourceService.get({
       apiVersion: 'v1',
       kind: 'Secret',
       name: secretNames.name,
@@ -70,7 +63,7 @@ class PostgresDatabaseResource extends CustomResource<typeof postgresDatabaseSpe
   };
 
   #reconcileSecret = async (): Promise<SubresourceResult> => {
-    const serverSecret = this.#serverSecret.current;
+    const serverSecret = this.#clusterSecret.current;
     const databaseSecret = this.#databaseSecret;
 
     if (!serverSecret?.exists || !serverSecret.data) {
@@ -80,7 +73,7 @@ class PostgresDatabaseResource extends CustomResource<typeof postgresDatabaseSpe
         reason: 'MissingConnectionSecret',
       };
     }
-    const serverSecretData = postgresDatabaseSecretSchema.safeParse(decodeSecret(serverSecret.data));
+    const serverSecretData = postgresClusterSecretSchema.safeParse(decodeSecret(serverSecret.data));
     if (!serverSecretData.success || !serverSecretData.data) {
       return {
         ready: false,
@@ -88,25 +81,17 @@ class PostgresDatabaseResource extends CustomResource<typeof postgresDatabaseSpe
         reason: 'SecretMissing',
       };
     }
-    const databaseSecretData = postgresDatabaseConnectionSecretSchema.safeParse(decodeSecret(databaseSecret.data));
+    const databaseSecretData = postgresClusterSecretSchema.safeParse(decodeSecret(databaseSecret.data));
     const expectedSecret = {
       password: crypto.randomUUID(),
       host: serverSecretData.data.host,
       port: serverSecretData.data.port,
-      user: this.#userName,
+      username: this.#userName,
       database: this.#dbName,
+      ...databaseSecretData.data,
     };
 
-    if (!isDeepSubset(databaseSecretData.data, expectedSecret)) {
-      databaseSecret.patch({
-        data: encodeSecret(expectedSecret),
-      });
-      return {
-        ready: false,
-        syncing: true,
-        reason: 'SecretNotReady',
-      };
-    }
+    await databaseSecret.ensureData(expectedSecret);
 
     return {
       ready: true,
@@ -114,8 +99,8 @@ class PostgresDatabaseResource extends CustomResource<typeof postgresDatabaseSpe
   };
 
   #reconcileDatabase = async (): Promise<SubresourceResult> => {
-    const connectionSecret = this.#serverSecret.current;
-    if (!connectionSecret?.exists || !connectionSecret.data) {
+    const clusterSecret = this.#clusterSecret.current;
+    if (!clusterSecret?.exists || !clusterSecret.data) {
       return {
         ready: false,
         failed: true,
@@ -123,7 +108,7 @@ class PostgresDatabaseResource extends CustomResource<typeof postgresDatabaseSpe
       };
     }
 
-    const connectionSecretData = postgresDatabaseSecretSchema.safeParse(decodeSecret(connectionSecret.data));
+    const connectionSecretData = postgresClusterSecretSchema.safeParse(decodeSecret(clusterSecret.data));
     if (!connectionSecretData.success || !connectionSecretData.data) {
       return {
         ready: false,
@@ -132,7 +117,7 @@ class PostgresDatabaseResource extends CustomResource<typeof postgresDatabaseSpe
       };
     }
 
-    const secretData = postgresDatabaseConnectionSecretSchema.safeParse(decodeSecret(this.#serverSecret.current?.data));
+    const secretData = postgresClusterSecretSchema.safeParse(decodeSecret(this.#databaseSecret.data));
     if (!secretData.success || !secretData.data) {
       return {
         ready: false,
@@ -145,14 +130,15 @@ class PostgresDatabaseResource extends CustomResource<typeof postgresDatabaseSpe
     const database = postgresService.get({
       ...connectionSecretData.data,
       port: connectionSecretData.data.port ? Number(connectionSecretData.data.port) : 5432,
+      database: connectionSecretData.data.database,
     });
     await database.upsertRole({
-      name: secretData.data.user,
+      name: secretData.data.username,
       password: secretData.data.password,
     });
     await database.upsertDatabase({
       name: secretData.data.database,
-      owner: secretData.data.user,
+      owner: secretData.data.username,
     });
 
     return {
@@ -166,8 +152,8 @@ class PostgresDatabaseResource extends CustomResource<typeof postgresDatabaseSpe
     }
     this.#updateSecret();
     await Promise.allSettled([
-      await this.reconcileSubresource(DATABASE_READY_CONDITION, this.#reconcileDatabase),
-      await this.reconcileSubresource(SECRET_READY_CONDITION, this.#reconcileSecret),
+      this.reconcileSubresource(DATABASE_READY_CONDITION, this.#reconcileDatabase),
+      this.reconcileSubresource(SECRET_READY_CONDITION, this.#reconcileSecret),
     ]);
 
     const secretReady = this.conditions.get(SECRET_READY_CONDITION)?.status === 'True';
@@ -178,4 +164,4 @@ class PostgresDatabaseResource extends CustomResource<typeof postgresDatabaseSpe
   };
 }
 
-export { PostgresDatabaseResource, secretDataSchema as postgresDatabaseSecretSchema };
+export { PostgresDatabaseResource };

src/custom-resouces/redis-server/redis-server.controller.ts

@@ -0,0 +1,82 @@
+import { DeploymentInstance } from '../../instances/deployment.ts';
+import { ServiceInstance } from '../../instances/service.ts';
+import { CustomResource } from '../../services/custom-resources/custom-resources.custom-resource.ts';
+import type { CustomResourceOptions } from '../../services/custom-resources/custom-resources.custom-resource.ts';
+import { ResourceService } from '../../services/resources/resources.ts';
+
+import type { redisServerSpecSchema } from './redis-server.schemas.ts';
+
+class RedisServerController extends CustomResource<typeof redisServerSpecSchema> {
+  #deployment: DeploymentInstance;
+  #service: ServiceInstance;
+
+  constructor(options: CustomResourceOptions<typeof redisServerSpecSchema>) {
+    super(options);
+    const resourceService = this.services.get(ResourceService);
+    this.#deployment = resourceService.getInstance(
+      {
+        apiVersion: 'apps/v1',
+        kind: 'Deployment',
+        name: this.name,
+        namespace: this.namespace,
+      },
+      DeploymentInstance,
+    );
+    this.#service = resourceService.getInstance(
+      {
+        apiVersion: 'v1',
+        kind: 'Service',
+        name: this.name,
+        namespace: this.namespace,
+      },
+      ServiceInstance,
+    );
+    this.#deployment.on('changed', this.queueReconcile);
+    this.#service.on('changed', this.queueReconcile);
+  }
+
+  public reconcile = async () => {
+    await this.#deployment.ensure({
+      metadata: {
+        ownerReferences: [this.ref],
+      },
+      spec: {
+        replicas: 1,
+        selector: {
+          matchLabels: {
+            app: this.name,
+          },
+        },
+        template: {
+          metadata: {
+            labels: {
+              app: this.name,
+            },
+          },
+          spec: {
+            containers: [
+              {
+                name: this.name,
+                image: 'redis:latest',
+                ports: [{ containerPort: 6379 }],
+              },
+            ],
+          },
+        },
+      },
+    });
+    await this.#service.ensure({
+      metadata: {
+        ownerReferences: [this.ref],
+      },
+      spec: {
+        selector: {
+          app: this.name,
+        },
+        ports: [{ port: 6379, targetPort: 6379 }],
+      },
+    });
+  };
+}
+
+export { RedisServerController };

src/custom-resouces/redis-server/redis-server.schemas.ts

@@ -0,0 +1,5 @@
+import { z } from 'zod';
+
+const redisServerSpecSchema = z.object({});
+
+export { redisServerSpecSchema };

src/custom-resouces/redis-server/redis-server.ts

@@ -0,0 +1,19 @@
+import { createCustomResourceDefinition } from '../../services/custom-resources/custom-resources.ts';
+import { GROUP } from '../../utils/consts.ts';
+
+import { RedisServerController } from './redis-server.controller.ts';
+import { redisServerSpecSchema } from './redis-server.schemas.ts';
+
+const redisServerDefinition = createCustomResourceDefinition({
+  group: GROUP,
+  version: 'v1',
+  kind: 'RedisServer',
+  names: {
+    plural: 'redis-servers',
+    singular: 'redis-server',
+  },
+  spec: redisServerSpecSchema,
+  create: (options) => new RedisServerController(options),
+});
+
+export { redisServerDefinition };

src/index.ts

@@ -1,37 +1,78 @@
-import 'dotenv/config';
-import { ApiException } from '@kubernetes/client-node';
-
-import { Services } from './utils/service.ts';
+import { BootstrapService } from './bootstrap/bootstrap.ts';
+import { customResources } from './custom-resouces/custom-resources.ts';
 import { CustomResourceService } from './services/custom-resources/custom-resources.ts';
 import { WatcherService } from './services/watchers/watchers.ts';
-import { customResources } from './custom-resouces/custom-resources.ts';
 import { StorageProvider } from './storage-provider/storage-provider.ts';
-
-process.on('uncaughtException', (error) => {
-  console.log('UNCAUGHT EXCEPTION');
-  if (error instanceof ApiException) {
-    return console.error(error.body);
-  }
-  console.error(error);
-  process.exit(1);
-});
-
-process.on('unhandledRejection', (error) => {
-  console.log('UNHANDLED REJECTION');
-  if (error instanceof Error) {
-    console.error(error.stack);
-  }
-  if (error instanceof ApiException) {
-    return console.error(error.body);
-  }
-  console.error(error);
-  process.exit(1);
-});
+import { Services } from './utils/service.ts';
 
 const services = new Services();
+
 const watcherService = services.get(WatcherService);
-const storageProvider = services.get(StorageProvider);
-await storageProvider.start();
+await watcherService.watchCustomGroup('source.toolkit.fluxcd.io', 'v1', ['helmrepositories', 'gitrepositories']);
+await watcherService.watchCustomGroup('helm.toolkit.fluxcd.io', 'v2', ['helmreleases']);
+await watcherService.watchCustomGroup('cert-manager.io', 'v1', ['certificates']);
+await watcherService.watchCustomGroup('networking.k8s.io', 'v1', ['gateways', 'virtualservices']);
+
+await watcherService
+  .create({
+    path: '/api/v1/namespaces',
+    list: async (k8s) => {
+      return await k8s.api.listNamespace();
+    },
+    verbs: ['add', 'update', 'delete'],
+    transform: (manifest) => ({
+      apiVersion: 'v1',
+      kind: 'Namespace',
+      ...manifest,
+    }),
+  })
+  .start();
+
+await watcherService
+  .create({
+    path: '/api/v1/secrets',
+    list: async (k8s) => {
+      return await k8s.api.listSecretForAllNamespaces();
+    },
+    verbs: ['add', 'update', 'delete'],
+    transform: (manifest) => ({
+      apiVersion: 'v1',
+      kind: 'Secret',
+      ...manifest,
+    }),
+  })
+  .start();
+
+await watcherService
+  .create({
+    path: '/apis/apps/v1/statefulsets',
+    list: async (k8s) => {
+      return await k8s.apps.listStatefulSetForAllNamespaces({});
+    },
+    verbs: ['add', 'update', 'delete'],
+    transform: (manifest) => ({
+      apiVersion: 'apps/v1',
+      kind: 'StatefulSet',
+      ...manifest,
+    }),
+  })
+  .start();
+
+await watcherService
+  .create({
+    path: '/apis/apps/v1/deployments',
+    list: async (k8s) => {
+      return await k8s.apps.listDeploymentForAllNamespaces({});
+    },
+    verbs: ['add', 'update', 'delete'],
+    transform: (manifest) => ({
+      apiVersion: 'apps/v1',
+      kind: 'Deployment',
+      ...manifest,
+    }),
+  })
+  .start();
+
 await watcherService
   .create({
     path: '/apis/apiextensions.k8s.io/v1/customresourcedefinitions',
@@ -48,35 +89,27 @@ await watcherService
   .start();
 await watcherService
   .create({
-    path: '/api/v1/secrets',
+    path: '/apis/storage.k8s.io/v1/storageclasses',
     list: async (k8s) => {
-      return await k8s.api.listSecretForAllNamespaces();
+      return await k8s.storageApi.listStorageClass();
     },
     verbs: ['add', 'update', 'delete'],
     transform: (manifest) => ({
-      apiVersion: 'v1',
-      kind: 'Secret',
-      ...manifest,
-    }),
-  })
-  .start();
-await watcherService
-  .create({
-    path: '/apis/apps/v1/deployments',
-    list: async (k8s) => {
-      return await k8s.apps.listDeploymentForAllNamespaces({});
-    },
-    verbs: ['add', 'update', 'delete'],
-    transform: (manifest) => ({
-      apiVersion: 'apps/v1',
-      kind: 'Deployment',
+      apiVersion: 'storage.k8s.io/v1',
+      kind: 'StorageClass',
       ...manifest,
     }),
   })
   .start();
 
+const storageProvider = services.get(StorageProvider);
+await storageProvider.start();
+
+const bootstrap = services.get(BootstrapService);
+await bootstrap.ensure();
+
 const customResourceService = services.get(CustomResourceService);
 customResourceService.register(...customResources);
 
 await customResourceService.install(true);
-// await customResourceService.watch();
+await customResourceService.watch();

src/instances/authentik-server.ts

@@ -0,0 +1,7 @@
+import type { authentikServerSpecSchema } from '../custom-resouces/authentik-server/authentik-server.schemas.ts';
+import type { CustomResourceObject } from '../services/custom-resources/custom-resources.custom-resource.ts';
+import { ResourceInstance } from '../services/resources/resources.instance.ts';
+
+class AuthentikServerInstance extends ResourceInstance<CustomResourceObject<typeof authentikServerSpecSchema>> {}
+
+export { AuthentikServerInstance };

src/instances/certificate.ts

@@ -0,0 +1,8 @@
+import type { KubernetesObject } from '@kubernetes/client-node';
+
+import { ResourceInstance } from '../services/resources/resources.instance.ts';
+import type { K8SCertificateV1 } from '../__generated__/resources/K8SCertificateV1.ts';
+
+class CertificateInstance extends ResourceInstance<KubernetesObject & K8SCertificateV1> {}
+
+export { CertificateInstance };

src/instances/cluster-issuer.ts

@@ -0,0 +1,12 @@
+import type { KubernetesObject } from '@kubernetes/client-node';
+
+import type { K8SClusterIssuerV1 } from '../__generated__/resources/K8SClusterIssuerV1.ts';
+import { ResourceInstance } from '../services/resources/resources.instance.ts';
+
+class ClusterIssuerInstance extends ResourceInstance<KubernetesObject & K8SClusterIssuerV1> {
+  public get ready() {
+    return this.exists;
+  }
+}
+
+export { ClusterIssuerInstance };

src/instances/custom-resource-definition.ts

@@ -0,0 +1,7 @@
+import type { V1CustomResourceDefinition } from '@kubernetes/client-node';
+
+import { ResourceInstance } from '../services/resources/resources.instance.ts';
+
+class CustomDefinitionInstance extends ResourceInstance<V1CustomResourceDefinition> {}
+
+export { CustomDefinitionInstance };

src/instances/deployment.ts

@@ -0,0 +1,11 @@
+import type { V1Deployment } from '@kubernetes/client-node';
+
+import { ResourceInstance } from '../services/resources/resources.ts';
+
+class DeploymentInstance extends ResourceInstance<V1Deployment> {
+  public get ready() {
+    return this.exists && this.status?.readyReplicas === this.status?.replicas;
+  }
+}
+
+export { DeploymentInstance };

src/instances/destination-rule.ts

@@ -0,0 +1,12 @@
+import type { KubernetesObject } from '@kubernetes/client-node';
+
+import { ResourceInstance } from '../services/resources/resources.instance.ts';
+import type { K8SDestinationRuleV1 } from '../__generated__/resources/K8SDestinationRuleV1.ts';
+
+class DestinationRuleInstance extends ResourceInstance<KubernetesObject & K8SDestinationRuleV1> {
+  public get ready() {
+    return this.exists;
+  }
+}
+
+export { DestinationRuleInstance };

src/instances/environment.ts

@@ -0,0 +1,7 @@
+import type { environmentSpecSchema } from '../custom-resouces/environment/environment.schemas.ts';
+import type { CustomResourceObject } from '../services/custom-resources/custom-resources.custom-resource.ts';
+import { ResourceInstance } from '../services/resources/resources.instance.ts';
+
+class EnvironmentInstance extends ResourceInstance<CustomResourceObject<typeof environmentSpecSchema>> {}
+
+export { EnvironmentInstance };

src/instances/gateway.ts

@@ -0,0 +1,8 @@
+import type { KubernetesObject } from '@kubernetes/client-node';
+
+import { ResourceInstance } from '../services/resources/resources.instance.ts';
+import type { K8SGatewayV1 } from '../__generated__/resources/K8SGatewayV1.ts';
+
+class GatewayInstance extends ResourceInstance<KubernetesObject & K8SGatewayV1> {}
+
+export { GatewayInstance };

src/instances/git-repo.ts

@@ -0,0 +1,12 @@
+import type { KubernetesObject } from '@kubernetes/client-node';
+
+import { ResourceInstance } from '../services/resources/resources.ts';
+import type { K8SGitRepositoryV1 } from '../__generated__/resources/K8SGitRepositoryV1.ts';
+
+class GitRepoInstance extends ResourceInstance<KubernetesObject & K8SGitRepositoryV1> {
+  public get ready() {
+    return this.exists;
+  }
+}
+
+export { GitRepoInstance };

src/instances/helm-release.ts

@@ -0,0 +1,12 @@
+import type { KubernetesObject } from '@kubernetes/client-node';
+
+import { ResourceInstance } from '../services/resources/resources.ts';
+import type { K8SHelmReleaseV2 } from '../__generated__/resources/K8SHelmReleaseV2.ts';
+
+class HelmReleaseInstance extends ResourceInstance<KubernetesObject & K8SHelmReleaseV2> {
+  public get ready() {
+    return this.exists;
+  }
+}
+
+export { HelmReleaseInstance };

src/instances/helm-repo.ts

@@ -0,0 +1,16 @@
+import type { KubernetesObject } from '@kubernetes/client-node';
+
+import { ResourceInstance } from '../services/resources/resources.ts';
+import type { K8SHelmRepositoryV1 } from '../__generated__/resources/K8SHelmRepositoryV1.ts';
+
+class HelmRepoInstance extends ResourceInstance<KubernetesObject & K8SHelmRepositoryV1> {
+  public get ready() {
+    if (!this.exists) {
+      return false;
+    }
+    const condition = this.getCondition('Ready');
+    return condition?.status === 'True';
+  }
+}
+
+export { HelmRepoInstance };

src/instances/http-service.ts

@@ -0,0 +1,7 @@
+import type { httpServiceSpecSchema } from '../custom-resouces/http-service/http-service.schemas.ts';
+import type { CustomResourceObject } from '../services/custom-resources/custom-resources.custom-resource.ts';
+import { ResourceInstance } from '../services/resources/resources.instance.ts';
+
+class HttpServiceInstance extends ResourceInstance<CustomResourceObject<typeof httpServiceSpecSchema>> {}
+
+export { HttpServiceInstance };

src/instances/namespace.ts

@@ -0,0 +1,11 @@
+import type { V1Namespace } from '@kubernetes/client-node';
+
+import { ResourceInstance } from '../services/resources/resources.ts';
+
+class NamespaceInstance extends ResourceInstance<V1Namespace> {
+  public get ready() {
+    return this.exists;
+  }
+}
+
+export { NamespaceInstance };

src/instances/postgres-cluster.ts

@@ -0,0 +1,7 @@
+import type { postgresClusterSpecSchema } from '../custom-resouces/postgres-cluster/postgres-cluster.schemas.ts';
+import type { CustomResourceObject } from '../services/custom-resources/custom-resources.custom-resource.ts';
+import { ResourceInstance } from '../services/resources/resources.instance.ts';
+
+class PostgresClusterInstance extends ResourceInstance<CustomResourceObject<typeof postgresClusterSpecSchema>> {}
+
+export { PostgresClusterInstance };

src/instances/postgres-database.ts

@@ -0,0 +1,23 @@
+import type { postgresDatabaseSpecSchema } from '../custom-resouces/postgres-database/portgres-database.schemas.ts';
+import type { CustomResourceObject } from '../services/custom-resources/custom-resources.custom-resource.ts';
+import { ResourceInstance } from '../services/resources/resources.instance.ts';
+import { ResourceService } from '../services/resources/resources.ts';
+
+import { SecretInstance } from './secret.ts';
+
+class PostgresDatabaseInstance extends ResourceInstance<CustomResourceObject<typeof postgresDatabaseSpecSchema>> {
+  public get secret() {
+    const resourceService = this.services.get(ResourceService);
+    return resourceService.getInstance(
+      {
+        apiVersion: 'v1',
+        kind: 'Secret',
+        name: `${this.name}-postgres-database`,
+        namespace: this.namespace,
+      },
+      SecretInstance,
+    );
+  }
+}
+
+export { PostgresDatabaseInstance };

src/instances/redis-server.ts

@@ -0,0 +1,7 @@
+import type { CustomResourceObject } from '../services/custom-resources/custom-resources.custom-resource.ts';
+import { ResourceInstance } from '../services/resources/resources.instance.ts';
+import type { redisServerSpecSchema } from '../custom-resouces/redis-server/redis-server.schemas.ts';
+
+class RedisServerInstance extends ResourceInstance<CustomResourceObject<typeof redisServerSpecSchema>> {}
+
+export { RedisServerInstance };

src/instances/secret.ts

@@ -0,0 +1,23 @@
+import type { V1Secret } from '@kubernetes/client-node';
+import type { z, ZodObject } from 'zod';
+
+import { ResourceInstance } from '../services/resources/resources.instance.ts';
+import { decodeSecret, encodeSecret } from '../utils/secrets.ts';
+
+class SecretInstance<T extends ZodObject = ExpectedAny> extends ResourceInstance<V1Secret> {
+  public get values() {
+    return decodeSecret(this.data) as z.infer<T>;
+  }
+
+  public ensureData = async (values: z.infer<T>) => {
+    await this.ensure({
+      data: encodeSecret(values as Record<string, string>),
+    });
+  };
+
+  public get ready() {
+    return this.exists;
+  }
+}
+
+export { SecretInstance };

src/instances/service.ts

@@ -0,0 +1,11 @@
+import type { V1Service } from '@kubernetes/client-node';
+
+import { ResourceInstance } from '../services/resources/resources.ts';
+
+class ServiceInstance extends ResourceInstance<V1Service> {
+  public get ready() {
+    return this.exists;
+  }
+}
+
+export { ServiceInstance };

src/instances/stateful-set.ts

@@ -0,0 +1,11 @@
+import type { V1StatefulSet } from '@kubernetes/client-node';
+
+import { ResourceInstance } from '../services/resources/resources.instance.ts';
+
+class StatefulSetInstance extends ResourceInstance<V1StatefulSet> {
+  public get ready() {
+    return this.exists && this.manifest?.status?.readyReplicas === this.manifest?.status?.replicas;
+  }
+}
+
+export { StatefulSetInstance };

src/instances/storageclass.ts

@@ -0,0 +1,7 @@
+import type { V1StorageClass } from '@kubernetes/client-node';
+
+import { ResourceInstance } from '../services/resources/resources.instance.ts';
+
+class StorageClassInstance extends ResourceInstance<V1StorageClass> {}
+
+export { StorageClassInstance };

src/instances/virtual-service.ts

@@ -0,0 +1,12 @@
+import type { KubernetesObject } from '@kubernetes/client-node';
+
+import { ResourceInstance } from '../services/resources/resources.instance.ts';
+import type { K8SVirtualServiceV1 } from '../__generated__/resources/K8SVirtualServiceV1.ts';
+
+class VirtualServiceInstance extends ResourceInstance<KubernetesObject & K8SVirtualServiceV1> {
+  public get ready() {
+    return this.exists;
+  }
+}
+
+export { VirtualServiceInstance };

src/services/custom-resources/custom-resources.custom-resource.ts

@@ -179,6 +179,20 @@ abstract class CustomResource<TSpec extends ZodObject> extends EventEmitter<Cust
     }
   };
 
+  public markNotReady = async (reason?: string, message?: string) => {
+    await this.conditions.set('Ready', {
+      status: 'False',
+      reason,
+      message,
+    });
+  };
+
+  public markReady = async () => {
+    await this.conditions.set('Ready', {
+      status: 'True',
+    });
+  };
+
   public patchStatus = async (status: Partial<CustomResourceStatus>) => {
     const k8s = this.services.get(K8sService);
     const [group, version] = this.apiVersion?.split('/') || [];

src/services/k8s/k8s.ts

@@ -5,8 +5,8 @@ import {
   CustomObjectsApi,
   EventsV1Api,
   KubernetesObjectApi,
-  ApiException,
   AppsV1Api,
+  StorageV1Api,
 } from '@kubernetes/client-node';
 
 class K8sService {
@@ -17,6 +17,7 @@ class K8sService {
   #k8sEventsApi: EventsV1Api;
   #k8sObjectsApi: KubernetesObjectApi;
   #k8sAppsApi: AppsV1Api;
+  #k8sStorageApi: StorageV1Api;
 
   constructor() {
     this.#kc = new KubeConfig();
@@ -27,6 +28,7 @@ class K8sService {
     this.#k8sEventsApi = this.#kc.makeApiClient(EventsV1Api);
     this.#k8sObjectsApi = this.#kc.makeApiClient(KubernetesObjectApi);
     this.#k8sAppsApi = this.#kc.makeApiClient(AppsV1Api);
+    this.#k8sStorageApi = this.#kc.makeApiClient(StorageV1Api);
   }
 
   public get config() {
@@ -56,6 +58,10 @@ class K8sService {
   public get apps() {
     return this.#k8sAppsApi;
   }
+
+  public get storageApi() {
+    return this.#k8sStorageApi;
+  }
 }
 
 export { K8sService };

src/services/postgres/postgres.instance.ts

@@ -8,8 +8,9 @@ type PostgresInstanceOptions = {
   services: Services;
   host: string;
   port?: number;
-  user: string;
+  username: string;
   password: string;
+  database?: string;
 };
 
 class PostgresInstance {
@@ -20,9 +21,10 @@ class PostgresInstance {
       client: 'pg',
       connection: {
         host: process.env.FORCE_PG_HOST ?? options.host,
-        user: process.env.FORCE_PG_USER ?? options.user,
+        user: process.env.FORCE_PG_USER ?? options.username,
         password: process.env.FORCE_PG_PASSWORD ?? options.password,
         port: process.env.FORCE_PG_PORT ? parseInt(process.env.FORCE_PG_PORT) : options.port,
+        database: options.database,
       },
     });
   }

src/services/resources/resources.instance.ts

@@ -0,0 +1,83 @@
+import type { KubernetesObject } from '@kubernetes/client-node';
+
+import { isDeepSubset } from '../../utils/objects.ts';
+
+import { ResourceReference } from './resources.ref.ts';
+
+abstract class ResourceInstance<T extends KubernetesObject> extends ResourceReference<T> {
+  public get resource() {
+    if (!this.current) {
+      throw new Error('Instance needs a resource');
+    }
+    return this.current;
+  }
+
+  public get services() {
+    return this.resource.services;
+  }
+
+  public get exists() {
+    return this.resource.exists;
+  }
+
+  public get manifest() {
+    return this.resource.manifest;
+  }
+
+  public get apiVersion() {
+    return this.resource.apiVersion;
+  }
+
+  public get kind() {
+    return this.resource.kind;
+  }
+
+  public get name() {
+    return this.resource.name;
+  }
+
+  public get namespace() {
+    return this.resource.namespace;
+  }
+
+  public get metadata() {
+    return this.resource.metadata;
+  }
+
+  public get spec() {
+    return this.resource.spec;
+  }
+
+  public get data() {
+    return this.resource.data;
+  }
+
+  public get status() {
+    return this.resource.status;
+  }
+
+  public patch = this.resource.patch;
+  public reload = this.resource.load;
+  public delete = this.resource.delete;
+
+  public ensure = async (manifest: T) => {
+    if (isDeepSubset(this.manifest, manifest)) {
+      return false;
+    }
+    await this.patch(manifest);
+    return true;
+  };
+
+  public get ready() {
+    return this.exists;
+  }
+
+  public getCondition = (
+    condition: string,
+  ): T extends { status?: { conditions?: (infer U)[] } } ? U | undefined : undefined => {
+    const status = this.status as ExpectedAny;
+    return status?.conditions?.find((c: ExpectedAny) => c?.type === condition);
+  };
+}
+
+export { ResourceInstance };

src/services/resources/resources.ref.ts

@@ -30,6 +30,10 @@ class ResourceReference<T extends KubernetesObject = KubernetesObject> extends E
     this.current = current;
   }
 
+  public get services() {
+    return this.#current?.services;
+  }
+
   public get current() {
     return this.#current;
   }

src/services/resources/resources.resource.ts

@@ -57,6 +57,10 @@ class Resource<T extends KubernetesObject = UnknownResource> extends EventEmitte
     this.#queue = new Queue({ concurrency: 1 });
   }
 
+  public get services() {
+    return this.#options.services;
+  }
+
   public get specifier() {
     return this.#options.data;
   }
@@ -163,6 +167,13 @@ class Resource<T extends KubernetesObject = UnknownResource> extends EventEmitte
     return undefined as ExpectedAny;
   }
 
+  public get status(): T extends { status?: infer K } ? K | undefined : never {
+    if (this.manifest && 'status' in this.manifest) {
+      return this.manifest.status as ExpectedAny;
+    }
+    return undefined as ExpectedAny;
+  }
+
   public get owners() {
     const { services } = this.#options;
     const references = this.metadata?.ownerReferences || [];

src/services/resources/resources.ts

@@ -3,6 +3,7 @@ import type { KubernetesObject } from '@kubernetes/client-node';
 import type { Services } from '../../utils/service.ts';
 
 import { Resource } from './resources.resource.ts';
+import type { ResourceInstance } from './resources.instance.ts';
 
 type ResourceGetOptions = {
   apiVersion: string;
@@ -19,6 +20,14 @@ class ResourceService {
     this.#services = services;
   }
 
+  public getInstance = <T extends KubernetesObject, I extends ResourceInstance<T>>(
+    options: ResourceGetOptions,
+    instance: new (resource: Resource<T>) => I,
+  ) => {
+    const resource = this.get<T>(options);
+    return new instance(resource);
+  };
+
   public get = <T extends KubernetesObject>(options: ResourceGetOptions) => {
     const { apiVersion, kind, name, namespace } = options;
     let resource = this.#cache.find(
@@ -40,5 +49,6 @@ class ResourceService {
   };
 }
 
+export { ResourceInstance } from './resources.instance.ts';
 export { ResourceReference } from './resources.ref.ts';
 export { ResourceService, Resource };

src/services/secrets/secrets.secret.ts

@@ -41,7 +41,7 @@ class EnsuredSecret<T extends ZodObject> {
     return this.#options.namespace;
   }
 
-  public get resouce() {
+  public get resource() {
     return this.#resource;
   }
 
@@ -62,7 +62,7 @@ class EnsuredSecret<T extends ZodObject> {
     if (deepEqual(patched, this.value)) {
       return;
     }
-    await this.resouce.patch({
+    await this.resource.patch({
       data: patched,
     });
   };

src/services/value-reference/value-reference.instance.ts

@@ -0,0 +1,83 @@
+import { z } from 'zod';
+import { V1Secret } from '@kubernetes/client-node';
+import { EventEmitter } from 'eventemitter3';
+import deepEqual from 'deep-equal';
+
+import { ResourceReference, ResourceService } from '../resources/resources.ts';
+import type { Services } from '../../utils/service.ts';
+import { getWithNamespace } from '../../utils/naming.ts';
+import { decodeSecret } from '../../utils/secrets.ts';
+
+const valueReferenceInfoSchema = z.object({
+  value: z.string().optional(),
+  secretRef: z.string().optional(),
+  key: z.string().optional(),
+});
+
+type ValueReferenceInfo = z.infer<typeof valueReferenceInfoSchema>;
+
+type ValueRefOptions = {
+  services: Services;
+  namespace: string;
+};
+
+type ValueReferenceEvents = {
+  changed: () => void;
+};
+class ValueReference extends EventEmitter<ValueReferenceEvents> {
+  #options: ValueRefOptions;
+  #ref?: ValueReferenceInfo;
+  #resource: ResourceReference;
+
+  constructor(options: ValueRefOptions) {
+    super();
+    this.#options = options;
+    this.#resource = new ResourceReference<V1Secret>();
+    this.#resource.on('changed', this.#handleChange);
+  }
+
+  public get ref() {
+    return this.#ref;
+  }
+
+  public set ref(ref: ValueReferenceInfo | undefined) {
+    if (deepEqual(this.#ref, ref)) {
+      return;
+    }
+    if (ref?.secretRef && ref.key) {
+      const { services, namespace } = this.#options;
+      const resourceService = services.get(ResourceService);
+      const refNames = getWithNamespace(ref.secretRef, namespace);
+      this.#resource.current = resourceService.get({
+        apiVersion: 'v1',
+        kind: 'Secret',
+        name: refNames.name,
+        namespace: refNames.namespace,
+      });
+    } else {
+      this.#resource.current = undefined;
+    }
+    this.#ref = ref;
+  }
+
+  public get value() {
+    console.log('get', this.#ref);
+    if (!this.#ref) {
+      return undefined;
+    }
+    if (this.#ref.value) {
+      return this.#ref.value;
+    }
+    if (this.#resource.current && this.#ref.key) {
+      const decoded = decodeSecret(this.#resource.current.data);
+      return decoded?.[this.#ref.key];
+    }
+    return undefined;
+  }
+
+  #handleChange = () => {
+    this.emit('changed');
+  };
+}
+
+export { ValueReference, valueReferenceInfoSchema, type ValueReferenceInfo };

src/services/value-reference/value-reference.ts

@@ -0,0 +1,21 @@
+import type { Services } from '../../utils/service.ts';
+
+import { ValueReference } from './value-reference.instance.ts';
+
+class ValueReferenceService {
+  #services: Services;
+
+  constructor(services: Services) {
+    this.#services = services;
+  }
+
+  public get = (namespace: string) => {
+    return new ValueReference({
+      namespace,
+      services: this.#services,
+    });
+  };
+}
+
+export * from './value-reference.instance.ts';
+export { ValueReferenceService };

src/storage-provider/storage-provider.ts

@@ -1,12 +1,10 @@
-import { mkdir } from 'fs/promises';
-
-import { V1PersistentVolume, type V1PersistentVolumeClaim } from '@kubernetes/client-node';
+import { V1PersistentVolume, type V1PersistentVolumeClaim, CoreV1Event, V1StorageClass } from '@kubernetes/client-node';
 
 import { Watcher, WatcherService } from '../services/watchers/watchers.ts';
 import type { Services } from '../utils/service.ts';
 import { ResourceService, type Resource } from '../services/resources/resources.ts';
 
-const PROVISIONER = 'reuse-local-path-provisioner';
+const PROVISIONER = 'homelab-operator-local-path';
 
 class StorageProvider {
   #watcher: Watcher<V1PersistentVolumeClaim>;
@@ -32,46 +30,128 @@ class StorageProvider {
   }
 
   #handleChange = async (pvc: Resource<V1PersistentVolumeClaim>) => {
-    if (pvc.metadata?.annotations?.['volume.kubernetes.io/storage-provisioner'] !== PROVISIONER) {
-      return;
-    }
-    const target = `/data/volumes/${pvc.namespace}/${pvc.name}`;
     try {
-      await mkdir(target, { recursive: true });
-    } catch (err) {
-      console.error(err);
+      if (!pvc.exists || pvc.metadata?.deletionTimestamp) {
+        return;
+      }
+
+      const storageClassName = pvc.spec?.storageClassName;
+      if (!storageClassName) {
+        return;
+      }
+      const resourceService = this.#services.get(ResourceService);
+      const storageClass = resourceService.get<V1StorageClass>({
+        apiVersion: 'storage.k8s.io/v1',
+        kind: 'StorageClass',
+        name: storageClassName,
+      });
+
+      if (!storageClass.exists || storageClass.manifest?.provisioner !== PROVISIONER) {
+        return;
+      }
+
+      if (pvc.status?.phase === 'Pending' && !pvc.spec?.volumeName) {
+        await this.#provisionVolume(pvc, storageClass);
+      }
+    } catch (error) {
+      console.error(`Error handling PVC ${pvc.namespace}/${pvc.name}:`, error);
+      await this.#createEvent(pvc, 'Warning', 'ProvisioningFailed', `Failed to provision volume: ${error}`);
     }
-    const resourceService = this.#services.get(ResourceService);
-    const pv = resourceService.get<V1PersistentVolume>({
-      apiVersion: 'v1',
-      kind: 'PersistentVolume',
-      name: `${pvc.namespace}-${pvc.name}`,
-    });
-    await pv.load();
-    await pv.patch({
-      metadata: {
-        labels: {
-          provisioner: PROVISIONER,
+  };
+
+  #provisionVolume = async (pvc: Resource<V1PersistentVolumeClaim>, storageClass: Resource<V1StorageClass>) => {
+    const pvName = `pv-${pvc.namespace}-${pvc.name}`;
+    const storageLocation = storageClass.manifest?.parameters?.storageLocation || '/data/volumes';
+    const target = `${storageLocation}/${pvc.namespace}/${pvc.name}`;
+
+    try {
+      const resourceService = this.#services.get(ResourceService);
+      const pv = resourceService.get<V1PersistentVolume>({
+        apiVersion: 'v1',
+        kind: 'PersistentVolume',
+        name: pvName,
+      });
+
+      await pv.patch({
+        metadata: {
+          name: pvName,
+          labels: {
+            provisioner: PROVISIONER,
+            'pvc-namespace': pvc.namespace || 'default',
+            'pvc-name': pvc.name || 'unknown',
+          },
+          annotations: {
+            'pv.kubernetes.io/provisioned-by': PROVISIONER,
+          },
         },
-      },
-      spec: {
-        hostPath: {
-          path: target,
+        spec: {
+          hostPath: {
+            path: target,
+            type: 'DirectoryOrCreate',
+          },
+          capacity: {
+            storage: pvc.spec?.resources?.requests?.storage ?? '1Gi',
+          },
+          persistentVolumeReclaimPolicy: 'Retain',
+          accessModes: pvc.spec?.accessModes ?? ['ReadWriteOnce'],
+          storageClassName: pvc.spec?.storageClassName,
+          claimRef: {
+            uid: pvc.metadata?.uid,
+            resourceVersion: pvc.metadata?.resourceVersion,
+            apiVersion: pvc.apiVersion,
+            kind: 'PersistentVolumeClaim',
+            name: pvc.name,
+            namespace: pvc.namespace,
+          },
         },
-        capacity: {
-          storage: pvc.spec?.resources?.requests?.storage ?? '1Gi',
-        },
-        persistentVolumeReclaimPolicy: 'Retain',
-        accessModes: pvc.spec?.accessModes,
-        claimRef: {
-          uid: pvc.metadata?.uid,
-          resourceVersion: pvc.metadata?.resourceVersion,
-          apiVersion: pvc.apiVersion,
-          name: pvc.name,
+      });
+
+      await this.#createEvent(pvc, 'Normal', 'Provisioning', `Successfully provisioned volume ${pvName}`);
+    } catch (error) {
+      console.error(`Failed to provision volume for PVC ${pvc.namespace}/${pvc.name}:`, error);
+      throw error;
+    }
+  };
+
+  #createEvent = async (pvc: Resource<V1PersistentVolumeClaim>, type: string, reason: string, message: string) => {
+    try {
+      const resourceService = this.#services.get(ResourceService);
+      const event = resourceService.get<CoreV1Event>({
+        apiVersion: 'v1',
+        kind: 'Event',
+        name: `${pvc.name}-${Date.now()}`,
+        namespace: pvc.namespace,
+      });
+
+      if (!pvc.name || !pvc.namespace || !pvc.metadata?.uid) {
+        console.error('Missing required PVC metadata for event creation');
+        return;
+      }
+
+      await event.patch({
+        metadata: {
           namespace: pvc.namespace,
         },
-      },
-    });
+        involvedObject: {
+          apiVersion: pvc.apiVersion,
+          kind: 'PersistentVolumeClaim',
+          name: pvc.name,
+          namespace: pvc.namespace,
+          uid: pvc.metadata.uid,
+        },
+        type,
+        reason,
+        message,
+        source: {
+          component: PROVISIONER,
+        },
+        firstTimestamp: new Date(),
+        lastTimestamp: new Date(),
+        count: 1,
+      });
+    } catch (error) {
+      console.error(`Failed to create event for PVC ${pvc.namespace}/${pvc.name}:`, error);
+    }
   };
 
   public start = async () => {
@@ -79,4 +159,4 @@ class StorageProvider {
   };
 }
 
-export { StorageProvider };
+export { StorageProvider, PROVISIONER };

src/utils/consts.ts

@@ -7,10 +7,12 @@ const FIELDS = {
   },
 };
 
+const NAMESPACE = 'homelab';
+
 const CONTROLLED_LABEL = {
   [`${GROUP}/controlled`]: 'true',
 };
 
 const CONTROLLED_LABEL_SELECTOR = `${GROUP}/controlled=true`;
 
-export { GROUP, FIELDS, CONTROLLED_LABEL, CONTROLLED_LABEL_SELECTOR, API_VERSION };
+export { GROUP, FIELDS, CONTROLLED_LABEL, CONTROLLED_LABEL_SELECTOR, API_VERSION, NAMESPACE };