feat: Move cluster services to wild-directory as unified packages

Convert all 15 cluster services from embedded API format to
wild-directory packages using the unified manifest format:
- metallb, traefik, cert-manager, longhorn, snapshot-controller
- nfs, smtp, coredns, node-feature-discovery, nvidia-device-plugin
- externaldns, docker-registry, headlamp, crowdsec, utils

Changes:
- wild-manifest.yaml → manifest.yaml with is, defaultConfig, requires
- Eliminated configReferences and serviceConfig fields
- Flattened kustomize.template/ to package root
- Template vars use flat defaultConfig keys
- install.sh paths updated for apps/ layout
- Updated 9 app manifests: cloud.smtp.* → apps.smtp.* with requires
- Removed dead install: true field from 6 app manifests

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

externaldns/README.md

@@ -0,0 +1,14 @@
+# External DNS
+
+See: https://github.com/kubernetes-sigs/external-dns
+
+ExternalDNS allows you to keep selected zones (via --domain-filter) synchronized with Ingresses and Services of type=LoadBalancer and nodes in various DNS providers.
+
+Currently, we are only configured to use CloudFlare.
+
+Docs: https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/cloudflare.md
+
+Any Ingress that has metatdata.annotions with
+external-dns.alpha.kubernetes.io/hostname: `<something>.${DOMAIN}`
+
+will have Cloudflare records created by External DNS.

externaldns/externaldns-cloudflare.yaml

@@ -0,0 +1,38 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: external-dns
+  namespace: externaldns
+spec:
+  selector:
+    matchLabels:
+      app: external-dns
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app: external-dns
+    spec:
+      serviceAccountName: external-dns
+      containers:
+        - name: external-dns
+          image: registry.k8s.io/external-dns/external-dns:v0.13.4
+          args:
+            - --source=service
+            - --source=ingress
+            - --txt-owner-id={{ .ownerId }}
+            - --provider=cloudflare
+            - --domain-filter=payne.io
+            #- --exclude-domains=internal.${DOMAIN}
+            - --cloudflare-dns-records-per-page=5000
+            - --publish-internal-services
+            - --no-cloudflare-proxied
+            - --log-level=debug
+          env:
+            - name: CF_API_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: cloudflare-api-token
+                  key: api-token

externaldns/externaldns-rbac.yaml

@@ -0,0 +1,34 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: external-dns
+  namespace: externaldns
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: external-dns
+rules:
+  - apiGroups: [""]
+    resources: ["services", "endpoints", "pods"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups: ["extensions", "networking.k8s.io"]
+    resources: ["ingresses"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: external-dns-viewer
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: external-dns
+subjects:
+  - kind: ServiceAccount
+    name: external-dns
+    namespace: externaldns

externaldns/install.sh

@@ -0,0 +1,66 @@
+#!/bin/bash
+set -e
+set -o pipefail
+
+if [ -z "${WILD_INSTANCE}" ]; then
+    echo "ERROR: WILD_INSTANCE is not set"
+    exit 1
+fi
+
+if [ -z "${WILD_API_DATA_DIR}" ]; then
+    echo "ERROR: WILD_API_DATA_DIR is not set"
+    exit 1
+fi
+
+if [ -z "${KUBECONFIG}" ]; then
+    echo "ERROR: KUBECONFIG is not set"
+    exit 1
+fi
+
+INSTANCE_DIR="${WILD_API_DATA_DIR}/instances/${WILD_INSTANCE}"
+EXTERNALDNS_DIR="${INSTANCE_DIR}/apps/externaldns"
+
+echo "=== Setting up ExternalDNS ==="
+echo ""
+
+echo "Verifying cert-manager is ready (required for ExternalDNS)..."
+kubectl wait --for=condition=Available deployment/cert-manager -n cert-manager --timeout=60s 2>/dev/null && \
+kubectl wait --for=condition=Available deployment/cert-manager-webhook -n cert-manager --timeout=60s 2>/dev/null || {
+    echo "cert-manager not ready, but continuing with ExternalDNS installation"
+    echo "Note: ExternalDNS may not work properly without cert-manager"
+}
+
+echo "Using pre-compiled ExternalDNS templates..."
+if [ ! -f "${EXTERNALDNS_DIR}/kustomization.yaml" ]; then
+    echo "ERROR: Compiled templates not found at ${EXTERNALDNS_DIR}"
+    echo "Templates should be compiled before deployment."
+    exit 1
+fi
+
+echo "Deploying ExternalDNS..."
+kubectl apply -k ${EXTERNALDNS_DIR}/
+
+echo "Creating Cloudflare API token secret..."
+SECRETS_FILE="${WILD_API_DATA_DIR}/instances/${WILD_INSTANCE}/secrets.yaml"
+CLOUDFLARE_API_TOKEN=$(yq '.apps.externaldns.cert-manager\.cloudflareToken' "$SECRETS_FILE" 2>/dev/null | tr -d '"')
+
+if [ -z "$CLOUDFLARE_API_TOKEN" ] || [ "$CLOUDFLARE_API_TOKEN" = "null" ]; then
+    echo "ERROR: Cloudflare API token not found."
+    echo "Please ensure cert-manager has been added with a cloudflareToken secret."
+    exit 1
+fi
+kubectl create secret generic cloudflare-api-token \
+  --namespace externaldns \
+  --from-literal=api-token="${CLOUDFLARE_API_TOKEN}" \
+  --dry-run=client -o yaml | kubectl apply -f -
+
+echo "Waiting for Cloudflare ExternalDNS to be ready..."
+kubectl rollout status deployment/external-dns -n externaldns --timeout=60s
+
+echo ""
+echo "ExternalDNS installed successfully"
+echo ""
+echo "To verify the installation:"
+echo "  kubectl get pods -n externaldns"
+echo "  kubectl logs -n externaldns -l app=external-dns -f"
+echo ""

externaldns/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- namespace.yaml
+- externaldns-rbac.yaml
+- externaldns-cloudflare.yaml

externaldns/manifest.yaml

@@ -0,0 +1,15 @@
+name: externaldns
+is: externaldns
+description: Automatically configures DNS records for services
+version: v0.13.4
+namespace: externaldns
+deploymentName: external-dns
+category: infrastructure
+requires:
+  - name: cert-manager
+defaultConfig:
+  ownerId: "wild-cloud-{{ .cluster.name }}"
+defaultSecrets:
+  - key: cloudflareToken
+requiredSecrets:
+  - cert-manager.cloudflareToken

externaldns/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: externaldns