feat: Migrate sys applications to helmfile

Move most of helmfiles into temp to test only velero.

File structure:

```bash
/
├── helmfile.d/                                                 # Helmfiles, *.yaml.gotmpl
├── charts/                                                     # Our own charts, e.g `Atlantis`
├── values                                                      # Values for helmfiles
│   ├── <chart>
│   │   ├── values.yaml.gotmpl                                  # Values to be templated in `values/`
│   │   ├── kustomize                                           # Kustomizations per environment
│   │   ├── manifests                                           # Raw manifests
│   │   │   ├── <chart>.yaml                                    # Argo App for bootstrap
│   │   │   ├── dashboards                                      # Grafana dashboards
│   │   │   │   └── <chart>-metrics.yaml
│   │   │   └── policies                                        # Cilium and Kyverno policies
│   │   │       ├── CiliumNetworkPolicy-allow-api-server.yaml
│   │   │       └── KyvernoPolicy-regred-secret.yaml
│   │   └── values                                              # Values for each environment
│   │       ├── <chart>-staging.yaml.gotmpl                     # Values for staging environment
│   │       ├── <chart>-prod.yaml.gotmpl                        # Values for prod environment
│   │       └── <chart>.yaml.gotmpl                             # Standard values for all environments
│   │
│   ├── values.yaml                                             # Standard values for all cluster
│   ├── values-oceanbox.yaml                                    # Values overrides for oceanbox
│   ├── values-ekman.yaml                                       # Values overrides for ekman
```

values/x509-exporter/kustomize/base/kustomization.yaml

@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - _manifest.yaml

values/x509-exporter/kustomize/default/kustomization.yaml

@@ -1,4 +0,0 @@
-generatorOptions:
-  disableNameSuffixHash: true
-resources:
-  - ../base

values/x509-exporter/manifests/x509-certificates.yaml

@@ -0,0 +1,48 @@
+{{- if .Values.x509_exporter.alerts }}
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  labels:
+    # Some labels for various prometheus matching
+    k8s-app: x509-exporter
+    prometheus: k8s
+    role: alert-rules
+  name: x509-exporter-x509-certificate-exporter
+  namespace: x509-exporter
+spec:
+  groups:
+  - name: x509-certificate-exporter.rules
+    rules:
+      - alert: X509ExporterReadErrors
+        annotations:
+          description: Over the last 15 minutes, this x509-certificate-exporter instance has experienced errors reading certificate files or querying the Kubernetes API. This could be caused by a misconfiguration if triggered when the exporter starts.
+          summary: Increasing read errors for x509-certificate-exporter
+        expr: delta(x509_read_errors[15m]) > 0
+        for: 5m
+        labels:
+          severity: warning
+      - alert: CertificateError
+        annotations:
+          description: Certificate could not be decoded {{`{{`}}if $labels.secret_name {{`}}`}} in Kubernetes secret "{{`{{`}} $labels.secret_namespace {{`}}`}}/{{`{{`}} $labels.secret_name {{`}}`}}"{{`{{`}}else{{`}}`}}at location "{{`{{`}} $labels.filepath {{`}}`}}"{{`{{`}}end{{`}}`}}
+          summary: Certificate cannot be decoded
+        expr: x509_cert_error > 0
+        for: 15m
+        labels:
+          severity: warning
+      - alert: CertificateRenewal
+        annotations:
+          description: Certificate for "{{`{{`}} $labels.subject_CN {{`}}`}}" should be renewed {{`{{`}}if $labels.secret_name {{`}}`}}in Kubernetes secret "{{`{{`}} $labels.secret_namespace {{`}}`}}/{{`{{`}} $labels.secret_name {{`}}`}}"{{`{{`}}else{{`}}`}}at location "{{`{{`}} $labels.filepath {{`}}`}}"{{`{{`}}end{{`}}`}}
+          summary: Certificate should be renewed
+        expr: ((x509_cert_not_after{secret_name!="linkerd-identity-issuer", issuer_O="", issuer_CN!="webhook.linkerd.cluster.local"} - time()) / 86400) < 28
+        for: 15m
+        labels:
+          severity: warning
+      - alert: CertificateExpiration
+        annotations:
+          description: Certificate for "{{`{{`}} $labels.subject_CN {{`}}`}}" is about to expire {{`{{`}}if $labels.secret_name {{`}}`}}in Kubernetes secret "{{`{{`}} $labels.secret_namespace {{`}}`}}/{{`{{`}} $labels.secret_name {{`}}`}}"{{`{{`}}else{{`}}`}}at location "{{`{{`}} $labels.filepath {{`}}`}}"{{`{{`}}end{{`}}`}}
+          summary: Certificate is about to expire
+        expr: ((x509_cert_not_after{secret_name!="linkerd-identity-issuer", issuer_O="", issuer_CN!="webhook.linkerd.cluster.local"} - time()) / 86400) < 14
+        for: 15m
+        labels:
+          severity: critical
+{{- end }}