Reorganize config into base, components, and overlays#84
Merged
Conversation
The install bundle was a flat directory mixing three different kinds of
things: base resources, reusable components, and top-level install
overlays. Group them so it's obvious at a glance what each directory is
for and how they fit together.
- config/base/ - resources that get composed into an install
- config/components/ - reusable components (rbac, leader election,
metrics, network policies, etc.)
- config/overlays/ - top-level install entry points (single-cluster,
default, dev)
- config/samples/ - example custom resources, unchanged
Also converts the network-policy bundle from a Kustomization to a
Component so it can be composed in like the others.
Note for consumers: Flux Kustomizations that referenced
'path: single-cluster' in the OCI bundle now need
'path: overlays/single-cluster'.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
single-cluster/ was a strict subset of default/ and would have left the manager crash-looping on startup (missing webhook serving cert mount and no cert-manager CA injection wiring). default/ is the only overlay that actually deploys end-to-end, so keep it as the canonical entry point and delete single-cluster/. Also adds a comment to base/webhook/kustomization.yaml making it clear that manifests.yaml is generated by controller-gen and shouldn't be edited directly — the patches in the same file rewrite the hardcoded names that controller-gen produces. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
scotwells
force-pushed
the
refactor/config-layout
branch
from
ccfc6f3 to
2c10e3d
Compare
"default" is a kubebuilder convention that doesn't say what it actually deploys. "single-cluster" describes the install topology and pairs naturally with the cross-cluster overlay planned as a follow-up. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
scotwells
force-pushed
the
refactor/config-layout
branch
from
306365f to
f97093b
Compare
Tested end-to-end against a local kind cluster and found several real
issues that this commit cleans up:
- Resources no longer hardcode "namespace: system"; the namespace is set
in one place (the overlay) via kustomize's namespace transform.
Consumers can override via Flux's targetNamespace or by editing the
overlay.
- The webhook serving cert mount moves into base/manager/manager.yaml
with the secret marked optional, so consumers composing base/manager
directly (e.g. a future cross-cluster overlay) get the mount for free
and don't crash if they're running webhook-less.
- A new base/webhook/kustomizeconfig.yaml teaches kustomize about the
webhook clientConfig.service.{name,namespace} field paths, so the
namespace transform handles them automatically rather than needing
per-overlay replacements.
- The Certificate's dnsNames now use SERVICE_NAME / SERVICE_NAMESPACE
placeholders (the kubebuilder pattern) and the overlay substitutes
them via replacements pulling from the webhook Service.
- Drops a stale --metrics-bind-address arg patch that referenced a CLI
flag the binary no longer accepts (metrics config moved into the
WorkloadOperator config struct).
- Drops an orphaned metrics_service.yaml from the overlay that wasn't
referenced from kustomization.yaml.
- The default config.yaml now includes a webhookServer block so the
bundle deploys a working webhook out of the box. Consumers running
hermetic without webhooks can omit it (the binary skips the webhook
server entirely when the field is nil).
Verified end-to-end: manager pod 1/1 Running, Certificate ready,
admission webhook serving and being called by the apiserver.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
kevwilliams
approved these changes
Apr 9, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What this changes
The install bundle used to be a flat
config/directory mixing base resources, reusable components, and top-level overlays. This groups them so anyone landing inconfig/can immediately tell what's what:Also:
network-policyfrom a Kustomization to a Component so it composes the same way the others do.default/overlay tosingle-cluster/so the install topology is obvious from the directory name (and pairs naturally with a futurecross-cluster/overlay).Heads up for consumers
Anything referencing a top-level
config/<dir>path inside the OCI bundle needs to update to its new location underbase/,components/, oroverlays/. In particular, the canonical install path is nowoverlays/single-cluster(previouslydefault). Resource names, namespaces, RBAC, webhook configs, and the leader election lease are all unchanged —kustomize build config/overlays/single-clusterproduces byte-identical output tokustomize build config/defaultonmain.