From aed01a77f6e646f3830a82133806755235f0471d Mon Sep 17 00:00:00 2001
From: "Audun V. Nes" <aunes@dfds.com>
Date: Fri, 8 Nov 2024 14:50:33 +0100
Subject: [PATCH] Prepare Flux for multi-tenancy support (#1608)

* Add missing dependency between Grafana helm chart and the resources it
uses from the kube-prometheus-stack

* Prepare for multi-tenancy support

* Add support for Flux multi-tenancy

* Remove unused variables. Add support for Trivy in pre-commit.

* Prepare druid-operator for Flux multi-tenancy

* Prepare Trivy Operator for Flux multi-tenancy
---
 .pre-commit-config.yaml                       | 70 ++++++++++---------
 _sub/compute/atlantis/flux.tf                 |  2 +
 _sub/compute/atlantis/values/app-config.yaml  | 15 ++++
 _sub/compute/atlantis/values/patch.yaml       |  1 +
 _sub/compute/druid-operator/main.tf           |  2 +
 .../druid-operator/values/app-config.yaml     | 15 ++++
 _sub/compute/druid-operator/values/patch.yaml |  1 +
 .../github-arc-runners/dependencies.tf        | 17 ++++-
 _sub/compute/github-arc-runners/vars.tf       | 32 ++++-----
 .../github-arc-ss-controller/dependencies.tf  | 19 ++++-
 .../dependencies.tf                           |  3 +-
 _sub/compute/k8s-fluxcd/dependencies.tf       |  4 +-
 _sub/compute/k8s-fluxcd/main.tf               |  7 +-
 .../k8s-fluxcd/values/flux-system-patch.yaml  | 30 ++++++++
 .../values/shared-manifests.yaml              | 15 ++++
 _sub/compute/k8s-traefik-flux/main.tf         |  2 +
 .../k8s-traefik-flux/values/app-config.yaml   |  1 +
 .../k8s-traefik-flux/values/app-helm.yaml     | 36 +++++++---
 .../k8s-traefik-flux/values/helm-patch.yaml   |  5 +-
 _sub/compute/nvidia-device-plugin/main.tf     | 12 ++--
 .../values/app-config.yaml                    | 15 ++++
 .../nvidia-device-plugin/values/patch.yaml    |  1 +
 _sub/compute/trivy-operator/main.tf           |  2 +
 .../trivy-operator/values/app-config.yaml     | 15 ++++
 _sub/compute/trivy-operator/values/patch.yaml |  1 +
 _sub/monitoring/blackbox-exporter/main.tf     |  2 +
 .../blackbox-exporter/values/app-config.yaml  | 15 ++++
 .../blackbox-exporter/values/patch.yaml       |  1 +
 _sub/monitoring/goldpinger/main.tf            |  2 +
 .../goldpinger/values/app-config.yaml         | 15 ++++
 _sub/monitoring/goldpinger/values/patch.yaml  |  1 +
 _sub/monitoring/helm-exporter/main.tf         |  2 +
 .../helm-exporter/values/app-config.yaml      | 15 ++++
 .../helm-exporter/values/patch.yaml           |  1 +
 .../monitoring/kafka-exporter/dependencies.tf | 20 +++++-
 _sub/monitoring/kafka-exporter/main.tf        |  2 +-
 _sub/monitoring/kafka-exporter/vars.tf        | 14 +---
 .../monitoring/metrics-server/dependencies.tf | 46 ++++++++----
 .../security/external-secrets/dependencies.tf | 17 ++++-
 .../external-snapshotter/values/config.yaml   |  1 +
 .../values/controller.yaml                    |  1 +
 .../external-snapshotter/values/crd.yaml      |  1 +
 _sub/storage/velero/main.tf                   |  2 +
 _sub/storage/velero/values/app-config.yaml    | 15 ++++
 _sub/storage/velero/values/patch.yaml         |  1 +
 compute/k8s-services/main.tf                  | 26 +++----
 46 files changed, 402 insertions(+), 121 deletions(-)
 create mode 100644 _sub/compute/k8s-fluxcd/values/flux-system-patch.yaml

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index fa93e9083..e5829858f 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,35 +1,37 @@
 repos:
-- repo: https://github.com/antonbabenko/pre-commit-terraform
-  rev: v1.96.2
-  hooks:
-    - id: terraform_fmt
-      exclude: test/integration/suite/vendor/.*
-    - id: terraform_tfsec
-      exclude: test/integration/suite/vendor/.*
-      files: (\.tf|\.tfvars)$
-- repo: https://github.com/Yelp/detect-secrets
-  rev: v1.5.0
-  hooks:
-    - id: detect-secrets
-      exclude: test/integration/suite/vendor/.*
-- repo: https://github.com/pre-commit/pre-commit-hooks
-  rev: v5.0.0
-  hooks:
-    - id: trailing-whitespace
-      exclude: test/integration/suite/vendor/.*
-    - id: check-added-large-files
-      exclude: test/integration/suite/vendor/.*
-    - id: check-merge-conflict
-    - id: detect-aws-credentials
-      exclude: test/integration/suite/vendor/.*
-      args:
-        - "--allow-missing-credentials"
-    - id: detect-private-key
-- repo: https://github.com/gruntwork-io/pre-commit
-  rev: v0.1.24
-  hooks:
-    - id: tflint
-      exclude: test/integration/suite/vendor/.*
-      args:
-        - "--module"
-        - "--config=.tflint.hcl"
+  - repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.96.2
+    hooks:
+      - id: terraform_fmt
+        exclude: test/integration/suite/vendor/.*
+      - id: terraform_trivy
+        args:
+          - "--args=--skip-dirs=test/integration/suite/vendor/.*"
+          - "--args=--severity HIGH,CRITICAL"
+        files: (\.tf|\.tfvars)$
+  - repo: https://github.com/Yelp/detect-secrets
+    rev: v1.5.0
+    hooks:
+      - id: detect-secrets
+        exclude: test/integration/suite/vendor/.*
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v5.0.0
+    hooks:
+      - id: trailing-whitespace
+        exclude: test/integration/suite/vendor/.*
+      - id: check-added-large-files
+        exclude: test/integration/suite/vendor/.*
+      - id: check-merge-conflict
+      - id: detect-aws-credentials
+        exclude: test/integration/suite/vendor/.*
+        args:
+          - "--allow-missing-credentials"
+      - id: detect-private-key
+  - repo: https://github.com/gruntwork-io/pre-commit
+    rev: v0.1.24
+    hooks:
+      - id: tflint
+        exclude: test/integration/suite/vendor/.*
+        args:
+          - "--call-module-type=all"
+          - "--config=__GIT_ROOT__/.tflint.hcl"
diff --git a/_sub/compute/atlantis/flux.tf b/_sub/compute/atlantis/flux.tf
index cdca50895..5d69c7c09 100644
--- a/_sub/compute/atlantis/flux.tf
+++ b/_sub/compute/atlantis/flux.tf
@@ -7,6 +7,8 @@ resource "github_repository_file" "helm" {
   branch     = local.repo_branch
   file       = "${local.cluster_repo_path}/${local.app_install_name}-helm.yaml"
   content = templatefile("${path.module}/values/app-config.yaml", {
+    deploy_name      = local.deploy_name
+    namespace        = local.namespace
     app_install_name = local.app_install_name
     helm_repo_path   = local.helm_repo_path
     prune            = var.prune
diff --git a/_sub/compute/atlantis/values/app-config.yaml b/_sub/compute/atlantis/values/app-config.yaml
index 5a2031825..773ed999f 100644
--- a/_sub/compute/atlantis/values/app-config.yaml
+++ b/_sub/compute/atlantis/values/app-config.yaml
@@ -1,9 +1,24 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cluster-reconciler-${deploy_name}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+  - kind: ServiceAccount
+    name: helm-controller
+    namespace: ${namespace}
+---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
   name: ${app_install_name}-helm
   namespace: flux-system
 spec:
+  serviceAccountName: kustomize-controller
   interval: 1m0s
   dependsOn:
     - name: platform-apps-sources
diff --git a/_sub/compute/atlantis/values/patch.yaml b/_sub/compute/atlantis/values/patch.yaml
index 1b8715129..ec7dd16b1 100644
--- a/_sub/compute/atlantis/values/patch.yaml
+++ b/_sub/compute/atlantis/values/patch.yaml
@@ -4,6 +4,7 @@ metadata:
   name: ${deploy_name}
   namespace: ${namespace}
 spec:
+  serviceAccountName: helm-controller
   chart:
     spec:
       version: "${chart_version}"
diff --git a/_sub/compute/druid-operator/main.tf b/_sub/compute/druid-operator/main.tf
index d5001ea74..d88b85a5f 100644
--- a/_sub/compute/druid-operator/main.tf
+++ b/_sub/compute/druid-operator/main.tf
@@ -8,6 +8,8 @@ resource "github_repository_file" "helm" {
   content = templatefile("${path.module}/values/app-config.yaml", {
     app_install_name = local.app_install_name
     helm_repo_path   = local.helm_repo_path
+    deploy_name      = var.deploy_name
+    namespace        = var.namespace
     prune            = var.prune
   })
   overwrite_on_create = var.overwrite_on_create
diff --git a/_sub/compute/druid-operator/values/app-config.yaml b/_sub/compute/druid-operator/values/app-config.yaml
index 40600a93b..4c606f5d3 100644
--- a/_sub/compute/druid-operator/values/app-config.yaml
+++ b/_sub/compute/druid-operator/values/app-config.yaml
@@ -1,9 +1,24 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cluster-reconciler-${deploy_name}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+  - kind: ServiceAccount
+    name: helm-controller
+    namespace: ${namespace}
+---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
   name: ${app_install_name}-helm
   namespace: flux-system
 spec:
+  serviceAccountName: kustomize-controller
   interval: 1m0s
   dependsOn:
     - name: platform-apps-sources
diff --git a/_sub/compute/druid-operator/values/patch.yaml b/_sub/compute/druid-operator/values/patch.yaml
index 209fabecb..d2caa32e5 100644
--- a/_sub/compute/druid-operator/values/patch.yaml
+++ b/_sub/compute/druid-operator/values/patch.yaml
@@ -4,6 +4,7 @@ metadata:
   name: ${deploy_name}
   namespace: ${namespace}
 spec:
+  serviceAccountName: helm-controller
   chart:
     spec:
       version: "${chart_version}"
diff --git a/_sub/compute/github-arc-runners/dependencies.tf b/_sub/compute/github-arc-runners/dependencies.tf
index 39c09e941..a728c4f61 100644
--- a/_sub/compute/github-arc-runners/dependencies.tf
+++ b/_sub/compute/github-arc-runners/dependencies.tf
@@ -12,17 +12,31 @@ locals {
 
 locals {
   app_helm_path = <<YAML
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cluster-reconciler-${var.deploy_name}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+  - kind: ServiceAccount
+    name: helm-controller
+    namespace: ${var.namespace}
+---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
   name: "${local.app_install_name}-helm"
   namespace: "flux-system"
 spec:
+  serviceAccountName: kustomize-controller
   interval: 1m0s
   dependsOn:
     - name: "platform-apps-sources"
     - name: ${var.controller_deploy_name}
-
   sourceRef:
     kind: GitRepository
     name: "flux-system"
@@ -49,6 +63,7 @@ metadata:
   name: ${var.deploy_name}
   namespace: ${var.namespace}
 spec:
+  serviceAccountName: helm-controller
   chart:
     spec:
       version: ${var.helm_chart_version}
diff --git a/_sub/compute/github-arc-runners/vars.tf b/_sub/compute/github-arc-runners/vars.tf
index a273ceb45..ef83832d3 100644
--- a/_sub/compute/github-arc-runners/vars.tf
+++ b/_sub/compute/github-arc-runners/vars.tf
@@ -61,30 +61,30 @@ variable "prune" {
 }
 
 variable "github_config_url" {
-  type = string
+  type        = string
   description = "URL of Github organisation or repo for the runners"
 }
 
 variable "github_config_secret" {
-  type = string
+  type        = string
   description = "Secret name containing authorisation information for the runners. This is not deployed by this module, consider using external-secrets to deploy it"
 }
 
 variable "runner_scale_set_name" {
-  type = string
+  type        = string
   description = "Name for the runner scale set"
 }
 
 variable "storage_class_name" {
-  type = string
+  type        = string
   description = "Name of the storage class to use for the runners persistent volume"
-  default = "csi-gp3"
+  default     = "csi-gp3"
 }
 
 variable "storage_request_size" {
-  type = string
+  type        = string
   description = "Size of the persistent volume claim for the runners"
-  default = "1Gi"
+  default     = "1Gi"
 }
 
 variable "controller_deploy_name" {
@@ -94,25 +94,25 @@ variable "controller_deploy_name" {
 }
 
 variable "min_runners" {
-  type = number
+  type        = number
   description = "Minimum number of runners to keep running"
-  default = 0
+  default     = 0
 }
 
 variable "max_runners" {
-  type = number
+  type        = number
   description = "Maximum number of runners to keep running"
-  default = 5
+  default     = 5
 }
-  
+
 variable "runner_memory_request" {
-  type = string
+  type        = string
   description = "Memory request for the runner pods"
-  default = "128Mi"
+  default     = "128Mi"
 }
 
 variable "runner_memory_limit" {
-  type = string
+  type        = string
   description = "Memory request for the runner pods"
-  default = "8Gi"
+  default     = "8Gi"
 }
\ No newline at end of file
diff --git a/_sub/compute/github-arc-ss-controller/dependencies.tf b/_sub/compute/github-arc-ss-controller/dependencies.tf
index 89a59784c..7ea2abcb8 100644
--- a/_sub/compute/github-arc-ss-controller/dependencies.tf
+++ b/_sub/compute/github-arc-ss-controller/dependencies.tf
@@ -12,16 +12,30 @@ locals {
 
 locals {
   app_helm_path = <<YAML
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cluster-reconciler-${var.deploy_name}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+  - kind: ServiceAccount
+    name: helm-controller
+    namespace: ${var.namespace}
+---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
   name: "${local.app_install_name}-helm"
   namespace: "flux-system"
 spec:
+  serviceAccountName: kustomize-controller
   interval: 1m0s
   dependsOn:
     - name: "platform-apps-sources"
-
   sourceRef:
     kind: GitRepository
     name: "flux-system"
@@ -45,9 +59,10 @@ metadata:
   name: ${var.deploy_name}
   namespace: ${var.namespace}
 spec:
+  serviceAccountName: helm-controller
   chart:
     spec:
       version: ${var.helm_chart_version}
 YAML
 
-}
\ No newline at end of file
+}
diff --git a/_sub/compute/helm-kube-prometheus-stack/dependencies.tf b/_sub/compute/helm-kube-prometheus-stack/dependencies.tf
index 774f73957..be5ee45bc 100644
--- a/_sub/compute/helm-kube-prometheus-stack/dependencies.tf
+++ b/_sub/compute/helm-kube-prometheus-stack/dependencies.tf
@@ -21,7 +21,8 @@ locals {
       "namespace" = "flux-system"
     }
     "spec" = {
-      "interval" = "1m0s"
+      "serviceAccountName" = "kustomize-controller"
+      "interval"           = "1m0s"
       "sourceRef" = {
         "kind" = "GitRepository"
         "name" = "flux-system"
diff --git a/_sub/compute/k8s-fluxcd/dependencies.tf b/_sub/compute/k8s-fluxcd/dependencies.tf
index 19d64236b..3ededa0f8 100644
--- a/_sub/compute/k8s-fluxcd/dependencies.tf
+++ b/_sub/compute/k8s-fluxcd/dependencies.tf
@@ -21,6 +21,7 @@ locals {
       "namespace" = "flux-system"
     }
     "spec" = {
+      "serviceAccountName" = "kustomize-controller"
       "dependsOn" = [
         {
           "name" = "platform-apps-sources"
@@ -62,6 +63,7 @@ metadata:
   name: platform-apps-sources
   namespace: flux-system
 spec:
+  serviceAccountName: kustomize-controller
   interval: 1m0s
   dependsOn:
     - name: flux-system
@@ -80,6 +82,7 @@ metadata:
   name: custom
   namespace: flux-system
 spec:
+  serviceAccountName: kustomize-controller
   interval: 1m0s
   path: ./platform-apps/${var.cluster_name}/custom
   prune: ${var.prune}
@@ -93,4 +96,3 @@ Place custom manifests in here. Make sure to place them in a folder named after
   EOT
 }
 
-  
\ No newline at end of file
diff --git a/_sub/compute/k8s-fluxcd/main.tf b/_sub/compute/k8s-fluxcd/main.tf
index dd2e18a42..f9240da01 100644
--- a/_sub/compute/k8s-fluxcd/main.tf
+++ b/_sub/compute/k8s-fluxcd/main.tf
@@ -24,9 +24,10 @@ resource "github_repository_deploy_key" "main" {
 }
 
 resource "flux_bootstrap_git" "this" {
-  depends_on = [github_repository_deploy_key.main]
-  path       = local.cluster_target_path
-  version    = var.release_tag
+  depends_on             = [github_repository_deploy_key.main]
+  path                   = local.cluster_target_path
+  version                = var.release_tag
+  kustomization_override = file("${path.module}/values/flux-system-patch.yaml")
 }
 
 
diff --git a/_sub/compute/k8s-fluxcd/values/flux-system-patch.yaml b/_sub/compute/k8s-fluxcd/values/flux-system-patch.yaml
new file mode 100644
index 000000000..c5cb090c0
--- /dev/null
+++ b/_sub/compute/k8s-fluxcd/values/flux-system-patch.yaml
@@ -0,0 +1,30 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - gotk-components.yaml
+  - gotk-sync.yaml
+patches:
+  - patch: |
+      - op: add
+        path: /spec/template/spec/containers/0/args/-
+        value: --no-cross-namespace-refs=true
+    target:
+      kind: Deployment
+      # trunk-ignore(yamllint/quoted-strings)
+      name: "(kustomize-controller|notification-controller|image-reflector-controller|image-automation-controller)"
+  - patch: |
+      - op: add
+        path: /spec/template/spec/containers/0/args/-
+        value: --default-service-account=default
+    target:
+      kind: Deployment
+      # trunk-ignore(yamllint/quoted-strings)
+      name: "(kustomize-controller|helm-controller)"
+  - patch: |
+      - op: add
+        path: /spec/serviceAccountName
+        value: kustomize-controller
+    target:
+      kind: Kustomization
+      # trunk-ignore(yamllint/quoted-strings)
+      name: "flux-system"
diff --git a/_sub/compute/k8s-shared-manifests/values/shared-manifests.yaml b/_sub/compute/k8s-shared-manifests/values/shared-manifests.yaml
index dca6c8527..b5787c53a 100644
--- a/_sub/compute/k8s-shared-manifests/values/shared-manifests.yaml
+++ b/_sub/compute/k8s-shared-manifests/values/shared-manifests.yaml
@@ -1,4 +1,17 @@
 ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cluster-reconciler-druid-operator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+  - kind: ServiceAccount
+    name: helm-controller
+    namespace: druid-operator-system
+---
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: GitRepository
 metadata:
@@ -18,6 +31,7 @@ metadata:
   name: shared-manifests-druid-operator
   namespace: flux-system
 spec:
+  serviceAccountName: kustomize-controller
   interval: 1m0s
   dependsOn:
     - name: flux-system
@@ -35,6 +49,7 @@ metadata:
   name: shared-manifests-tiny-cluster
   namespace: flux-system
 spec:
+  serviceAccountName: kustomize-controller
   interval: 1m0s
   dependsOn:
     - name: shared-manifests-druid-operator
diff --git a/_sub/compute/k8s-traefik-flux/main.tf b/_sub/compute/k8s-traefik-flux/main.tf
index 59e859388..32050515e 100644
--- a/_sub/compute/k8s-traefik-flux/main.tf
+++ b/_sub/compute/k8s-traefik-flux/main.tf
@@ -7,6 +7,8 @@ resource "github_repository_file" "traefik_helm" {
   file       = "${local.cluster_repo_path}/${local.app_install_name}-helm.yaml"
   content = templatefile("${path.module}/values/app-helm.yaml", {
     app_install_name = local.app_install_name
+    deploy_name      = var.deploy_name
+    namespace        = var.namespace
     helm_repo_path   = local.helm_repo_path
     prune            = var.prune
   })
diff --git a/_sub/compute/k8s-traefik-flux/values/app-config.yaml b/_sub/compute/k8s-traefik-flux/values/app-config.yaml
index 966719a5b..1aa51de60 100644
--- a/_sub/compute/k8s-traefik-flux/values/app-config.yaml
+++ b/_sub/compute/k8s-traefik-flux/values/app-config.yaml
@@ -4,6 +4,7 @@ metadata:
   name: ${app_install_name}-config
   namespace: flux-system
 spec:
+  serviceAccountName: kustomize-controller
   interval: 1m0s
   dependsOn:
     - name: ${app_install_name}-helm
diff --git a/_sub/compute/k8s-traefik-flux/values/app-helm.yaml b/_sub/compute/k8s-traefik-flux/values/app-helm.yaml
index 19f8d96ed..4c606f5d3 100644
--- a/_sub/compute/k8s-traefik-flux/values/app-helm.yaml
+++ b/_sub/compute/k8s-traefik-flux/values/app-helm.yaml
@@ -1,15 +1,29 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cluster-reconciler-${deploy_name}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+  - kind: ServiceAccount
+    name: helm-controller
+    namespace: ${namespace}
+---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
-    name: ${app_install_name}-helm
-    namespace: flux-system
+  name: ${app_install_name}-helm
+  namespace: flux-system
 spec:
-    interval: 1m0s
-    dependsOn:
-       - name: platform-apps-sources
-    sourceRef:
-        kind: GitRepository
-        name: flux-system
-    path: "./${helm_repo_path}"
-    prune: ${prune}
-
+  serviceAccountName: kustomize-controller
+  interval: 1m0s
+  dependsOn:
+    - name: platform-apps-sources
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  path: "./${helm_repo_path}"
+  prune: ${prune}
diff --git a/_sub/compute/k8s-traefik-flux/values/helm-patch.yaml b/_sub/compute/k8s-traefik-flux/values/helm-patch.yaml
index 32bc4dc4d..9d472965d 100644
--- a/_sub/compute/k8s-traefik-flux/values/helm-patch.yaml
+++ b/_sub/compute/k8s-traefik-flux/values/helm-patch.yaml
@@ -4,6 +4,7 @@ metadata:
   name: ${deploy_name}
   namespace: ${namespace}
 spec:
+  serviceAccountName: helm-controller
   chart:
     spec:
       version: ${helm_chart_version}
@@ -14,8 +15,8 @@ spec:
       traefik:
         nodePort: ${admin_nodeport}
     additionalArguments:
-      %{~ for arg in additional_args ~}
+  %{~ for arg in additional_args ~}
       - ${arg}
-      %{~ endfor ~}
+  %{~ endfor ~}
     deployment:
       replicas: ${replicas}
diff --git a/_sub/compute/nvidia-device-plugin/main.tf b/_sub/compute/nvidia-device-plugin/main.tf
index cb1d81075..ac2c10041 100644
--- a/_sub/compute/nvidia-device-plugin/main.tf
+++ b/_sub/compute/nvidia-device-plugin/main.tf
@@ -7,6 +7,8 @@ resource "github_repository_file" "nvidia_device_plugin_helm" {
   file       = "${local.cluster_repo_path}/${local.app_install_name}-helm.yaml"
   content = templatefile("${path.module}/values/app-config.yaml", {
     app_install_name = local.app_install_name
+    deploy_name      = var.deploy_name
+    namespace        = var.namespace
     helm_repo_path   = local.helm_repo_path
     prune            = var.prune
   })
@@ -30,11 +32,11 @@ resource "github_repository_file" "nvidia_device_plugin_helm_patch" {
   branch     = local.repo_branch
   file       = "${local.helm_repo_path}/patch.yaml"
   content = templatefile("${path.module}/values/patch.yaml", {
-    namespace      = var.namespace
-    chart_version  = var.chart_version
-    deploy_name    = var.deploy_name
-    tolerations    = var.tolerations
-    affinity       = var.affinity
+    namespace     = var.namespace
+    chart_version = var.chart_version
+    deploy_name   = var.deploy_name
+    tolerations   = var.tolerations
+    affinity      = var.affinity
   })
   overwrite_on_create = var.overwrite_on_create
 }
diff --git a/_sub/compute/nvidia-device-plugin/values/app-config.yaml b/_sub/compute/nvidia-device-plugin/values/app-config.yaml
index 40600a93b..4c606f5d3 100644
--- a/_sub/compute/nvidia-device-plugin/values/app-config.yaml
+++ b/_sub/compute/nvidia-device-plugin/values/app-config.yaml
@@ -1,9 +1,24 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cluster-reconciler-${deploy_name}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+  - kind: ServiceAccount
+    name: helm-controller
+    namespace: ${namespace}
+---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
   name: ${app_install_name}-helm
   namespace: flux-system
 spec:
+  serviceAccountName: kustomize-controller
   interval: 1m0s
   dependsOn:
     - name: platform-apps-sources
diff --git a/_sub/compute/nvidia-device-plugin/values/patch.yaml b/_sub/compute/nvidia-device-plugin/values/patch.yaml
index a37836329..3e72a6945 100644
--- a/_sub/compute/nvidia-device-plugin/values/patch.yaml
+++ b/_sub/compute/nvidia-device-plugin/values/patch.yaml
@@ -4,6 +4,7 @@ metadata:
   name: ${deploy_name}
   namespace: ${namespace}
 spec:
+  serviceAccountName: helm-controller
   chart:
     spec:
       version: "${chart_version}"
diff --git a/_sub/compute/trivy-operator/main.tf b/_sub/compute/trivy-operator/main.tf
index db6a5d6f5..8547a60a7 100644
--- a/_sub/compute/trivy-operator/main.tf
+++ b/_sub/compute/trivy-operator/main.tf
@@ -8,6 +8,8 @@ resource "github_repository_file" "helm" {
   content = templatefile("${path.module}/values/app-config.yaml", {
     app_install_name = local.app_install_name
     helm_repo_path   = local.helm_repo_path
+    deploy_name      = var.deploy_name
+    namespace        = var.namespace
     prune            = var.prune
   })
   overwrite_on_create = var.overwrite_on_create
diff --git a/_sub/compute/trivy-operator/values/app-config.yaml b/_sub/compute/trivy-operator/values/app-config.yaml
index 40600a93b..4c606f5d3 100644
--- a/_sub/compute/trivy-operator/values/app-config.yaml
+++ b/_sub/compute/trivy-operator/values/app-config.yaml
@@ -1,9 +1,24 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cluster-reconciler-${deploy_name}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+  - kind: ServiceAccount
+    name: helm-controller
+    namespace: ${namespace}
+---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
   name: ${app_install_name}-helm
   namespace: flux-system
 spec:
+  serviceAccountName: kustomize-controller
   interval: 1m0s
   dependsOn:
     - name: platform-apps-sources
diff --git a/_sub/compute/trivy-operator/values/patch.yaml b/_sub/compute/trivy-operator/values/patch.yaml
index 196a5231d..08f86a796 100644
--- a/_sub/compute/trivy-operator/values/patch.yaml
+++ b/_sub/compute/trivy-operator/values/patch.yaml
@@ -4,6 +4,7 @@ metadata:
   name: ${deploy_name}
   namespace: ${namespace}
 spec:
+  serviceAccountName: helm-controller
   chart:
     spec:
       version: "${chart_version}"
diff --git a/_sub/monitoring/blackbox-exporter/main.tf b/_sub/monitoring/blackbox-exporter/main.tf
index d757eebe9..7666c0e07 100644
--- a/_sub/monitoring/blackbox-exporter/main.tf
+++ b/_sub/monitoring/blackbox-exporter/main.tf
@@ -8,6 +8,8 @@ resource "github_repository_file" "blackbox_exporter_helm" {
   content = templatefile("${path.module}/values/app-config.yaml", {
     app_install_name = local.app_install_name
     helm_repo_path   = local.helm_repo_path
+    deploy_name      = var.deploy_name
+    namespace        = var.namespace
     prune            = var.prune
   })
   overwrite_on_create = var.overwrite_on_create
diff --git a/_sub/monitoring/blackbox-exporter/values/app-config.yaml b/_sub/monitoring/blackbox-exporter/values/app-config.yaml
index 40600a93b..4c606f5d3 100644
--- a/_sub/monitoring/blackbox-exporter/values/app-config.yaml
+++ b/_sub/monitoring/blackbox-exporter/values/app-config.yaml
@@ -1,9 +1,24 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cluster-reconciler-${deploy_name}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+  - kind: ServiceAccount
+    name: helm-controller
+    namespace: ${namespace}
+---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
   name: ${app_install_name}-helm
   namespace: flux-system
 spec:
+  serviceAccountName: kustomize-controller
   interval: 1m0s
   dependsOn:
     - name: platform-apps-sources
diff --git a/_sub/monitoring/blackbox-exporter/values/patch.yaml b/_sub/monitoring/blackbox-exporter/values/patch.yaml
index f931234bf..89a6ef39c 100644
--- a/_sub/monitoring/blackbox-exporter/values/patch.yaml
+++ b/_sub/monitoring/blackbox-exporter/values/patch.yaml
@@ -4,6 +4,7 @@ metadata:
   name: prometheus-blackbox-exporter
   namespace: ${namespace}
 spec:
+  serviceAccountName: helm-controller
   chart:
     spec:
       version: "${helm_chart_version}"
diff --git a/_sub/monitoring/goldpinger/main.tf b/_sub/monitoring/goldpinger/main.tf
index c4a78df9c..b4824bfcc 100644
--- a/_sub/monitoring/goldpinger/main.tf
+++ b/_sub/monitoring/goldpinger/main.tf
@@ -8,6 +8,8 @@ resource "github_repository_file" "goldpinger_helm" {
   content = templatefile("${path.module}/values/app-config.yaml", {
     app_install_name = local.app_install_name
     helm_repo_path   = local.helm_repo_path
+    deploy_name      = var.deploy_name
+    namespace        = var.namespace
     prune            = var.prune
   })
   overwrite_on_create = var.overwrite_on_create
diff --git a/_sub/monitoring/goldpinger/values/app-config.yaml b/_sub/monitoring/goldpinger/values/app-config.yaml
index 40600a93b..4c606f5d3 100644
--- a/_sub/monitoring/goldpinger/values/app-config.yaml
+++ b/_sub/monitoring/goldpinger/values/app-config.yaml
@@ -1,9 +1,24 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cluster-reconciler-${deploy_name}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+  - kind: ServiceAccount
+    name: helm-controller
+    namespace: ${namespace}
+---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
   name: ${app_install_name}-helm
   namespace: flux-system
 spec:
+  serviceAccountName: kustomize-controller
   interval: 1m0s
   dependsOn:
     - name: platform-apps-sources
diff --git a/_sub/monitoring/goldpinger/values/patch.yaml b/_sub/monitoring/goldpinger/values/patch.yaml
index 3b99c0944..f92cc2e86 100644
--- a/_sub/monitoring/goldpinger/values/patch.yaml
+++ b/_sub/monitoring/goldpinger/values/patch.yaml
@@ -4,6 +4,7 @@ metadata:
   name: ${deploy_name}
   namespace: ${namespace}
 spec:
+  serviceAccountName: helm-controller
   chart:
     spec:
       version: "${chart_version}"
diff --git a/_sub/monitoring/helm-exporter/main.tf b/_sub/monitoring/helm-exporter/main.tf
index 4a1159340..842686807 100644
--- a/_sub/monitoring/helm-exporter/main.tf
+++ b/_sub/monitoring/helm-exporter/main.tf
@@ -5,6 +5,8 @@ resource "github_repository_file" "helm_exporter_helm" {
   content = templatefile("${path.module}/values/app-config.yaml", {
     app_install_name = local.app_install_name
     helm_repo_path   = local.helm_repo_path
+    deploy_name      = var.deploy_name
+    namespace        = var.namespace
     prune            = var.prune
   })
   overwrite_on_create = var.overwrite_on_create
diff --git a/_sub/monitoring/helm-exporter/values/app-config.yaml b/_sub/monitoring/helm-exporter/values/app-config.yaml
index 40600a93b..4c606f5d3 100644
--- a/_sub/monitoring/helm-exporter/values/app-config.yaml
+++ b/_sub/monitoring/helm-exporter/values/app-config.yaml
@@ -1,9 +1,24 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cluster-reconciler-${deploy_name}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+  - kind: ServiceAccount
+    name: helm-controller
+    namespace: ${namespace}
+---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
   name: ${app_install_name}-helm
   namespace: flux-system
 spec:
+  serviceAccountName: kustomize-controller
   interval: 1m0s
   dependsOn:
     - name: platform-apps-sources
diff --git a/_sub/monitoring/helm-exporter/values/patch.yaml b/_sub/monitoring/helm-exporter/values/patch.yaml
index 366f5b74b..bf01a9491 100644
--- a/_sub/monitoring/helm-exporter/values/patch.yaml
+++ b/_sub/monitoring/helm-exporter/values/patch.yaml
@@ -5,6 +5,7 @@ metadata:
   name: prometheus-helm-exporter
   namespace: ${namespace}
 spec:
+  serviceAccountName: helm-controller
   chart:
     spec:
       version: "${helm_chart_version}"
diff --git a/_sub/monitoring/kafka-exporter/dependencies.tf b/_sub/monitoring/kafka-exporter/dependencies.tf
index 98c83200c..15dc73f07 100644
--- a/_sub/monitoring/kafka-exporter/dependencies.tf
+++ b/_sub/monitoring/kafka-exporter/dependencies.tf
@@ -12,12 +12,27 @@ locals {
 
 locals {
   app_helm_path = <<YAML
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cluster-reconciler-${var.deploy_name}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+  - kind: ServiceAccount
+    name: helm-controller
+    namespace: ${var.namespace}
+---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
   name: "${local.app_install_name}-helm"
   namespace: "flux-system"
 spec:
+  serviceAccountName: kustomize-controller
   interval: 1m0s
   dependsOn:
     - name: "platform-apps-sources"
@@ -39,6 +54,7 @@ metadata:
   namespace: ${var.namespace}
 spec:
   releaseName: ${var.deploy_name}-${item.id}
+  serviceAccountName: helm-controller
   chart:
     spec:
       chart: chart
@@ -59,10 +75,10 @@ spec:
         id: ${item.id}
         environment: ${item.environment}
 YAML
-  }}
+  } }
 
   dyn_clusters_file_list = [for key, value in local.clusters : "\"manifest-${key}.yaml\""]
-  clusters_mapped = join("\n  - ", local.dyn_clusters_file_list)
+  clusters_mapped        = join("\n  - ", local.dyn_clusters_file_list)
 
   helm_install = <<YAML
 apiVersion: kustomize.config.k8s.io/v1beta1
diff --git a/_sub/monitoring/kafka-exporter/main.tf b/_sub/monitoring/kafka-exporter/main.tf
index 5713c1c21..a50b318f9 100644
--- a/_sub/monitoring/kafka-exporter/main.tf
+++ b/_sub/monitoring/kafka-exporter/main.tf
@@ -20,7 +20,7 @@ resource "github_repository_file" "kafka-exporter_helm_install" {
 }
 
 resource "github_repository_file" "kafka-exporter_helm_manifest" {
-  for_each = local.clusters
+  for_each            = local.clusters
   repository          = var.repo_name
   branch              = local.repo_branch
   file                = "${local.helm_repo_path}/manifest-${each.value.original.id}.yaml"
diff --git a/_sub/monitoring/kafka-exporter/vars.tf b/_sub/monitoring/kafka-exporter/vars.tf
index c4f1890d3..33717cbba 100644
--- a/_sub/monitoring/kafka-exporter/vars.tf
+++ b/_sub/monitoring/kafka-exporter/vars.tf
@@ -4,7 +4,7 @@ variable "cluster_name" {
 
 variable "kafka_clusters" {
   type = map(object({
-    id = string
+    id          = string
     environment = string
   }))
   default = {}
@@ -50,18 +50,6 @@ variable "overwrite_on_create" {
   description = "Enable overwriting existing files"
 }
 
-variable "gitops_apps_repo_url" {
-  type        = string
-  default     = ""
-  description = "The https url for your GitOps manifests"
-}
-
-variable "gitops_apps_repo_branch" {
-  type        = string
-  default     = "main"
-  description = "The default branch for your GitOps manifests"
-}
-
 variable "prune" {
   type        = bool
   default     = true
diff --git a/_sub/monitoring/metrics-server/dependencies.tf b/_sub/monitoring/metrics-server/dependencies.tf
index 6119bc6f8..c808543f6 100644
--- a/_sub/monitoring/metrics-server/dependencies.tf
+++ b/_sub/monitoring/metrics-server/dependencies.tf
@@ -10,21 +10,36 @@ locals {
   app_install_name    = "platform-apps-${var.deploy_name}"
 
   app_helm_path = <<YAML
-    apiVersion: kustomize.toolkit.fluxcd.io/v1
-    kind: Kustomization
-    metadata:
-      name: "${local.app_install_name}-helm"
-      namespace: "flux-system"
-    spec:
-      interval: 1m0s
-      dependsOn:
-        - name: "platform-apps-sources"
-      sourceRef:
-        kind: GitRepository
-        name: "flux-system"
-      path: "./${local.helm_repo_path}"
-      prune: ${var.prune}
-    YAML
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cluster-reconciler-${var.deploy_name}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+  - kind: ServiceAccount
+    name: helm-controller
+    namespace: ${var.namespace}
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: "${local.app_install_name}-helm"
+  namespace: "flux-system"
+spec:
+  serviceAccountName: kustomize-controller
+  interval: 1m0s
+  dependsOn:
+    - name: "platform-apps-sources"
+  sourceRef:
+    kind: GitRepository
+    name: "flux-system"
+  path: "./${local.helm_repo_path}"
+  prune: ${var.prune}
+YAML
 
   helm_install = <<YAML
     apiVersion: kustomize.config.k8s.io/v1beta1
@@ -42,6 +57,7 @@ locals {
       name: ${var.deploy_name}
       namespace: ${var.namespace}
     spec:
+      serviceAccountName: helm-controller
       chart:
         spec:
           version: ${var.chart_version}
diff --git a/_sub/security/external-secrets/dependencies.tf b/_sub/security/external-secrets/dependencies.tf
index cc4c80c54..45bb49abf 100644
--- a/_sub/security/external-secrets/dependencies.tf
+++ b/_sub/security/external-secrets/dependencies.tf
@@ -12,16 +12,30 @@ locals {
 
 locals {
   app_helm_path = <<YAML
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cluster-reconciler-${var.deploy_name}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- kind: ServiceAccount
+  name: helm-controller
+  namespace: ${var.namespace}
+---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
   name: "${local.app_install_name}-helm"
   namespace: "flux-system"
 spec:
+  serviceAccountName: kustomize-controller
   interval: 1m0s
   dependsOn:
     - name: "platform-apps-sources"
-
   sourceRef:
     kind: GitRepository
     name: "flux-system"
@@ -45,6 +59,7 @@ metadata:
   name: ${var.deploy_name}
   namespace: ${var.namespace}
 spec:
+  serviceAccountName: helm-controller
   chart:
     spec:
       version: ${var.helm_chart_version}
diff --git a/_sub/storage/external-snapshotter/values/config.yaml b/_sub/storage/external-snapshotter/values/config.yaml
index deb5381f6..60ff2ddef 100644
--- a/_sub/storage/external-snapshotter/values/config.yaml
+++ b/_sub/storage/external-snapshotter/values/config.yaml
@@ -4,6 +4,7 @@ metadata:
   name: ${deploy_name}-config
   namespace: flux-system
 spec:
+  serviceAccountName: kustomize-controller
   interval: 1m0s
   dependsOn:
     - name: ${deploy_name}-controller
diff --git a/_sub/storage/external-snapshotter/values/controller.yaml b/_sub/storage/external-snapshotter/values/controller.yaml
index 422f95b79..89f024194 100644
--- a/_sub/storage/external-snapshotter/values/controller.yaml
+++ b/_sub/storage/external-snapshotter/values/controller.yaml
@@ -4,6 +4,7 @@ metadata:
   name: ${deploy_name}-controller
   namespace: flux-system
 spec:
+  serviceAccountName: kustomize-controller
   interval: 1m0s
   dependsOn:
     - name: ${deploy_name}-crd
diff --git a/_sub/storage/external-snapshotter/values/crd.yaml b/_sub/storage/external-snapshotter/values/crd.yaml
index 2efaebb96..70c27fed0 100644
--- a/_sub/storage/external-snapshotter/values/crd.yaml
+++ b/_sub/storage/external-snapshotter/values/crd.yaml
@@ -4,6 +4,7 @@ metadata:
   name: ${deploy_name}-crd
   namespace: flux-system
 spec:
+  serviceAccountName: kustomize-controller
   interval: 1m0s
   sourceRef:
     kind: GitRepository
diff --git a/_sub/storage/velero/main.tf b/_sub/storage/velero/main.tf
index 5744ea8f0..279b8dad7 100644
--- a/_sub/storage/velero/main.tf
+++ b/_sub/storage/velero/main.tf
@@ -14,6 +14,8 @@ resource "github_repository_file" "velero_flux_helm_path" {
   content = templatefile("${path.module}/values/app-config.yaml", {
     app_install_name = local.app_install_name
     helm_repo_path   = local.helm_repo_path
+    deploy_name      = var.deploy_name
+    namespace        = var.namespace
     prune            = var.prune
   })
   overwrite_on_create = var.overwrite_on_create
diff --git a/_sub/storage/velero/values/app-config.yaml b/_sub/storage/velero/values/app-config.yaml
index 48f77ee8b..f6a22a20d 100644
--- a/_sub/storage/velero/values/app-config.yaml
+++ b/_sub/storage/velero/values/app-config.yaml
@@ -1,9 +1,24 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cluster-reconciler-${deploy_name}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+  - kind: ServiceAccount
+    name: helm-controller
+    namespace: ${namespace}
+---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
   name: ${app_install_name}-helm
   namespace: flux-system
 spec:
+  serviceAccountName: kustomize-controller
   dependsOn:
     - name: external-snapshotter-config
   interval: 1m0s
diff --git a/_sub/storage/velero/values/patch.yaml b/_sub/storage/velero/values/patch.yaml
index 2767d751b..66234fe43 100644
--- a/_sub/storage/velero/values/patch.yaml
+++ b/_sub/storage/velero/values/patch.yaml
@@ -4,6 +4,7 @@ metadata:
   name: velero
   namespace: flux-system
 spec:
+  serviceAccountName: helm-controller
   chart:
     spec:
       chart: velero
diff --git a/compute/k8s-services/main.tf b/compute/k8s-services/main.tf
index 1c86213e2..3ea61cb3e 100644
--- a/compute/k8s-services/main.tf
+++ b/compute/k8s-services/main.tf
@@ -739,6 +739,8 @@ module "grafana_agent_k8s_monitoring" {
   priority_class                = var.monitoring_kube_prometheus_stack_priority_class
   namespace                     = var.grafana_agent_namespace
   timeout                       = var.grafana_agent_helm_install_timeout
+
+  depends_on = [module.monitoring_kube_prometheus_stack]
 }
 
 module "grafana" {
@@ -835,19 +837,17 @@ module "external_secrets_ssm" {
 # --------------------------------------------------
 
 module "kafka_exporter" {
-  source                  = "../../_sub/monitoring/kafka-exporter"
-  count                   = var.kafka_exporter_deploy ? 1 : 0
-  cluster_name            = var.eks_cluster_name
-  deploy_name             = "kafka-exporter"
-  namespace               = "monitoring"
-  github_owner            = var.fluxcd_bootstrap_repo_owner
-  repo_name               = var.fluxcd_bootstrap_repo_name
-  repo_branch             = var.fluxcd_bootstrap_repo_branch
-  overwrite_on_create     = var.fluxcd_bootstrap_overwrite_on_create
-  gitops_apps_repo_url    = local.fluxcd_apps_repo_url
-  gitops_apps_repo_branch = var.fluxcd_apps_repo_branch
-  prune                   = var.fluxcd_prune
-  kafka_clusters          = var.kafka_exporter_clusters
+  source              = "../../_sub/monitoring/kafka-exporter"
+  count               = var.kafka_exporter_deploy ? 1 : 0
+  cluster_name        = var.eks_cluster_name
+  deploy_name         = "kafka-exporter"
+  namespace           = "monitoring"
+  github_owner        = var.fluxcd_bootstrap_repo_owner
+  repo_name           = var.fluxcd_bootstrap_repo_name
+  repo_branch         = var.fluxcd_bootstrap_repo_branch
+  overwrite_on_create = var.fluxcd_bootstrap_overwrite_on_create
+  prune               = var.fluxcd_prune
+  kafka_clusters      = var.kafka_exporter_clusters
 
   providers = {
     github = github.fluxcd