change cluster role names

Update linuxserver/code-server Docker tag to v4.22.0

.github/renovate-update-notification/Dockerfile

@@ -0,0 +1,2 @@
+# This file is processed by Renovate bot so that it creates a PR on new major Renovate versions
+FROM renovate/renovate:37

.github/renovate.json

@@ -0,0 +1,93 @@
+{
+    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+    "extends": [
+        "config:recommended",
+        "mergeConfidence:all-badges",
+        ":rebaseStalePrs"
+    ],
+    "timezone": "US/Mountain",
+    "schedule": [
+        "after 10am every weekday",
+        "before 5pm every weekday"
+    ],
+    "labels": [
+    ],
+    "packageRules": [
+        {
+            "description": "Disables for non major Renovate version",
+            "matchPaths": [
+                ".github/renovate-update-notification/Dockerfile"
+            ],
+            "matchUpdateTypes": [
+                "minor",
+                "patch",
+                "pin",
+                "digest",
+                "rollback"
+            ],
+            "enabled": false
+        },
+        {
+            "description": "Generate for major Renovate version",
+            "matchPaths": [
+                ".github/renovate-update-notification/Dockerfile"
+            ],
+            "matchUpdateTypes": [
+                "major"
+            ],
+            "addLabels": [
+                "upgrade"
+            ],
+            "automerge": false
+        },
+        {
+            "description": "Generate image updates on Tuesdays",
+            "matchPackageNames": [
+                "linuxserver/calibre",
+                "homeassistant/home-assistant",
+                "linuxserver/code-server",
+                "ghcr.io/gethomepage/homepage",
+                "ghcr.io/alex1989hu/kubelet-serving-cert-approver",
+                "rmcrackan/libation",
+                "outlinewiki/outline",
+                "ghcr.io/cloudnative-pg/postgresql"
+            ],
+            "matchDatasources": [
+                "docker"
+            ],
+            "schedule": [
+                "after 10am on tuesday",
+                "before 5pm on tuesday"
+            ],
+            "addLabels": [
+                "upgrade",
+                "weekly",
+                "image"
+            ],
+            "bumpVersion": "minor",
+            "automerge": false,
+            "minimumReleaseAge": "3 days"
+        },
+        {
+            "description": "Generate application charts on Tuesdays",
+            "matchPackageNames": [
+                "redis"
+            ],
+            "matchDatasources": [
+                "helm"
+            ],
+            "schedule": [
+                "after 10am on tuesday",
+                "before 5pm on tuesday"
+            ],
+            "addLabels": [
+                "upgrade",
+                "weekly",
+                "chart"
+            ],
+            "bumpVersion": "minor",
+            "automerge": false,
+            "minimumReleaseAge": "3 days"
+        }
+    ]
+}

.github/workflows/lint-test.yaml

@@ -7,22 +7,22 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
       - name: Set up Helm
-        uses: azure/setup-helm@v3
+        uses: azure/setup-helm@v4
         with:
           version: v3.13.3
 
-      - uses: actions/setup-python@v4
+      - uses: actions/setup-python@v5
         with:
           python-version: "3.10"
           check-latest: true
 
       - name: Set up chart-testing
-        uses: helm/chart-testing-action@v2.6.0
+        uses: helm/chart-testing-action@v2.6.1
 
       - name: Run chart-testing (list-changed)
         id: list-changed
@@ -35,11 +35,3 @@ jobs:
       - name: Run chart-testing (lint)
         if: steps.list-changed.outputs.changed == 'true'
         run: ct lint --target-branch ${{ github.event.repository.default_branch }}
-
-      - name: Create kind cluster
-        if: steps.list-changed.outputs.changed == 'true'
-        uses: helm/kind-action@v1.8.0
-
-      - name: Run chart-testing (install)
-        if: steps.list-changed.outputs.changed == 'true'
-        run: ct install --target-branch ${{ github.event.repository.default_branch }}

.github/workflows/release.yml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
 

charts/calibre-server/Chart.yaml

@@ -0,0 +1,13 @@
+apiVersion: v2
+name: calibre-server
+version: 0.0.5
+description: Chart for Calibre content database
+keywords:
+  - media
+  - books
+sources:
+  - https://github.com/kovidgoyal/calibre
+maintainers:
+  - name: alexlebens
+icon: https://raw.githubusercontent.com/kovidgoyal/calibre/master/resources/images/lt.png
+appVersion: 7.5.1

charts/calibre-server/README.md

@@ -0,0 +1,18 @@
+## Introduction
+
+[Calibre](https://calibre-ebook.com/)
+
+calibre is an e-book manager. It can view, convert, edit and catalog e-books in all of the major e-book formats. It can also talk to e-book reader devices. It can go out to the internet and fetch metadata for your books. It can download newspapers and convert them into e-books for convenient reading.
+
+This chart bootstraps a [Calibre](https://github.com/home-assistant) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
+
+## Prerequisites
+
+- Kubernetes
+- Helm
+- Traefik v2 / IngressRoute
+- Authentik / Auth
+
+## Parameters
+
+See the [values files](values.yaml).

charts/calibre-server/templates/deployment.yaml

@@ -0,0 +1,83 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: calibre-server
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: calibre-server
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  revisionHistoryLimit: 3
+  replicas: {{ .Values.deployment.replicas }}
+  strategy:
+    type: {{ .Values.deployment.strategy }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: calibre-server
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: calibre-server
+        app.kubernetes.io/instance: {{ .Release.Name }}
+    spec:
+      serviceAccountName: calibre-server
+      automountServiceAccountToken: true
+      containers:
+        - name: calibre-server
+          image: "{{ .Values.deployment.image.repository }}:{{ .Values.deployment.image.tag }}"
+          imagePullPolicy: {{ .Values.deployment.image.imagePullPolicy }}
+          ports:
+            - name: http
+              containerPort: {{ .Values.service.http.port }}
+              protocol: TCP
+            - name: content
+              containerPort: {{ .Values.service.content.port }}
+              protocol: TCP
+          env:
+          {{- range $k,$v := .Values.deployment.env }}
+            - name: {{ $k }}
+              value: {{ $v | quote }}
+          {{- end }}
+          {{- with .Values.deployment.envFrom }}
+          envFrom:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          volumeMounts:
+            - mountPath: /config
+              name: calibre-server-config
+            - mountPath: /books
+              name: calibre-server-books
+          resources:
+            {{- toYaml .Values.deployment.resources | nindent 12 }}
+          livenessProbe:
+            tcpSocket:
+              port: {{ .Values.service.http.port }}
+            initialDelaySeconds: 0
+            failureThreshold: 3
+            timeoutSeconds: 1
+            periodSeconds: 10
+          readinessProbe:
+            tcpSocket:
+              port: {{ .Values.service.http.port }}
+            initialDelaySeconds: 0
+            failureThreshold: 3
+            timeoutSeconds: 1
+            periodSeconds: 10
+          startupProbe:
+            tcpSocket:
+              port: {{ .Values.service.http.port }}
+            initialDelaySeconds: 0
+            failureThreshold: 30
+            timeoutSeconds: 1
+            periodSeconds: 5
+      volumes:
+        - name: calibre-server-config
+          persistentVolumeClaim:
+            claimName: calibre-server-config
+        - name: calibre-server-books
+          persistentVolumeClaim:
+            claimName: {{ .Values.persistence.books.claimName }}

charts/calibre-server/templates/ingress-route.yaml

@@ -0,0 +1,34 @@
+{{- if .Values.ingressRoute.enabled }}
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: calibre-server
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: calibre-server
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: calibre-server
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - kind: Rule
+      match: "Host(`{{ .Values.ingressRoute.http.host }}`)"
+      middlewares:
+        - name: "authentik-{{ .Release.Name }}"
+          namespace: {{ .Release.Namespace }}
+      priority: 10
+      services:
+        - kind: Service
+          name: calibre-server
+          port: {{ .Values.service.http.port }}
+    - kind: Rule
+      match: "Host(`{{ .Values.ingressRoute.http.host }}`) && PathPrefix(`/outpost.goauthentik.io/`)"
+      priority: 15
+      services:
+        - kind: Service
+          name: {{ .Values.ingressRoute.authentik.outpost }}
+          port: {{ .Values.ingressRoute.authentik.port }}
+{{- end }}

charts/calibre-server/templates/middleware.yaml

@@ -0,0 +1,29 @@
+{{- if .Values.ingressRoute.enabled }}
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: "authentik-{{ .Release.Name }}"
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ .Release.Name }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: auth
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  forwardAuth:
+    address: "http://{{ .Values.ingressRoute.authentik.outpost }}.authentik:{{ .Values.ingressRoute.authentik.port }}/outpost.goauthentik.io/auth/traefik"
+    trustForwardHeader: true
+    authResponseHeaders:
+      - X-authentik-username
+      - X-authentik-groups
+      - X-authentik-email
+      - X-authentik-name
+      - X-authentik-uid
+      - X-authentik-jwt
+      - X-authentik-meta-jwks
+      - X-authentik-meta-outpost
+      - X-authentik-meta-provider
+      - X-authentik-meta-app
+      - X-authentik-meta-version
+{{- end }}

charts/calibre-server/templates/persistant-volume-claim.yaml

@@ -0,0 +1,19 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: calibre-server-config
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: calibre-server
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: {{ .Values.persistence.config.storageSize }}
+  storageClassName: {{ .Values.persistence.config.storageClassName }}
+  volumeMode: {{ .Values.persistence.config.volumeMode }}

charts/calibre-server/templates/service-account.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: calibre-server
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: calibre-server
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: calibre-server

charts/calibre-server/templates/service.yaml

@@ -0,0 +1,44 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: calibre-server
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: calibre-server
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  type: ClusterIP
+  ports:
+    - port: {{ .Values.service.http.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    app.kubernetes.io/name: calibre-server
+    app.kubernetes.io/instance: {{ .Release.Name }}
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: calibre-server-content
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: calibre-server
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  type: ClusterIP
+  ports:
+    - port: {{ .Values.service.content.port }}
+      targetPort: content
+      protocol: TCP
+      name: content
+  selector:
+    app.kubernetes.io/name: calibre-server
+    app.kubernetes.io/instance: {{ .Release.Name }}

charts/calibre-server/values.yaml

@@ -0,0 +1,42 @@
+deployment:
+  replicas: 1
+  strategy: Recreate
+  image:
+    repository: linuxserver/calibre
+    tag: v7.5.1-ls269
+    imagePullPolicy: IfNotPresent
+  env:
+    PGID: "1001"
+    PUID: "1001"
+    TZ: UTC
+    UMASK_SET: "022"
+    CUSTOM_USER: calibre
+    TITLE: Calibre Server
+    NO_DECOR: true
+  envFrom:
+  resources:
+    requests:
+      memory: 256Mi
+      cpu: 50m
+    limits:
+      memory: 1Gi
+      cpu: 500m
+service:
+  http:
+    port: 8080
+  content:
+    port: 8081
+ingressRoute:
+  enabled: true
+  http:
+    host:
+  authentik:
+    outpost: authentik-proxy-outpost
+    port: 9000
+persistence:
+  config:
+    storageClassName: default
+    storageSize: 5Gi
+    volumeMode: Filesystem
+  books:
+    claimName:

charts/home-assistant/Chart.yaml

@@ -0,0 +1,12 @@
+apiVersion: v2
+name: home-assistant
+version: 0.0.15
+description: Chart for Home Assistant
+keywords:
+  - home-automation
+sources:
+  - https://github.com/home-assistant
+maintainers:
+  - name: alexlebens
+icon: https://avatars.githubusercontent.com/u/13844975?s=200&v=4
+appVersion: v2024.2.5

charts/home-assistant/README.md

@@ -0,0 +1,18 @@
+## Introduction
+
+[Home Assistant](https://www.home-assistant.io/)
+
+Open source home automation that puts local control and privacy first. Powered by a worldwide community of tinkerers and DIY enthusiasts. Perfect to run on a Raspberry Pi or a local server. 
+
+This chart bootstraps a [Home-Assistant](https://github.com/home-assistant) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
+
+## Prerequisites
+
+- Kubernetes
+- Helm
+- Traefik v2 / IngressRoute
+- Authentik / Auth
+
+## Parameters
+
+See the [values files](values.yaml).

charts/home-assistant/templates/deployment.yaml

@@ -0,0 +1,98 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: home-assistant
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: home-assistant
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  revisionHistoryLimit: 3
+  replicas: {{ .Values.deployment.replicas }}
+  strategy:
+    type: {{ .Values.deployment.strategy }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: home-assistant
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: home-assistant
+        app.kubernetes.io/instance: {{ .Release.Name }}
+    spec:
+      serviceAccountName: home-assistant
+      automountServiceAccountToken: true
+      containers:
+        - name: {{ .Release.Name }}
+          image: "{{ .Values.deployment.image.repository }}:{{ .Values.deployment.image.tag }}"
+          imagePullPolicy: {{ .Values.deployment.image.imagePullPolicy }}
+          ports:
+            - name: http
+              containerPort: {{ .Values.service.http.port }}
+              protocol: TCP
+          env:
+          {{- range $k,$v := .Values.deployment.env }}
+            - name: {{ $k }}
+              value: {{ $v | quote }}
+          {{- end }}
+          {{- with .Values.deployment.envFrom }}
+          envFrom:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          volumeMounts:
+            - mountPath: /config
+              name: home-assistant-config
+          resources:
+            {{- toYaml .Values.deployment.resources | nindent 12 }}
+          livenessProbe:
+            tcpSocket:
+              port: {{ .Values.service.http.port }}
+            initialDelaySeconds: 0
+            failureThreshold: 3
+            timeoutSeconds: 1
+            periodSeconds: 10
+          readinessProbe:
+            tcpSocket:
+              port: {{ .Values.service.http.port }}
+            initialDelaySeconds: 0
+            failureThreshold: 3
+            timeoutSeconds: 1
+            periodSeconds: 10
+          startupProbe:
+            tcpSocket:
+              port: {{ .Values.service.http.port }}
+            initialDelaySeconds: 0
+            failureThreshold: 30
+            timeoutSeconds: 1
+            periodSeconds: 5
+        {{- if .Values.codeserver.enabled }}
+        - name: codeserver
+          image: "{{ .Values.codeserver.image.repository }}:{{ .Values.codeserver.image.tag }}"
+          imagePullPolicy: {{ .Values.codeserver.image.imagePullPolicy }}
+          ports:
+            - containerPort: {{ .Values.codeserver.service.http.port }}
+              name: codeserver-http
+              protocol: TCP
+          env:
+          {{- range $k,$v := .Values.codeserver.env }}
+            - name: {{ $k }}
+              value: {{ $v | quote }}
+          {{- end }}
+          {{- with .Values.codeserver.envFrom }}
+          envFrom:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          securityContext:
+            {{- toYaml .Values.codeserver.securityContext | nindent 12 }}
+          volumeMounts:
+            - mountPath: /config/home-assistant
+              name: home-assistant-config
+        {{- end }}
+      volumes:
+        - name: home-assistant-config
+          persistentVolumeClaim:
+            claimName: home-assistant-config

charts/home-assistant/templates/ingress-route.yaml

@@ -0,0 +1,60 @@
+{{- if .Values.ingressRoute.enabled }}
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: home-assistant
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: home-assistant
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: home-assistant
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - kind: Rule
+      match: "Host(`{{ .Values.ingressRoute.host }}`)"
+      middlewares:
+        - name: "authentik-{{ .Release.Name }}"
+          namespace: {{ .Release.Namespace }}
+      priority: 10
+      services:
+        - kind: Service
+          name: home-assistant
+          port: {{ .Values.service.http.port }}
+    - kind: Rule
+      match: "Host(`{{ .Values.ingressRoute.host }}`) && PathPrefix(`/outpost.goauthentik.io/`)"
+      priority: 15
+      services:
+        - kind: Service
+          name: {{ .Values.ingressRoute.authentik.outpost }}
+          port: {{ .Values.ingressRoute.authentik.port }}
+{{- end }}
+
+---
+{{- if and .Values.codeserver.ingressRoute.enabled .Values.codeserver.enabled }}
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: home-assistant-codeserver
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: home-assistant
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: home-assistant
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - kind: Rule
+      match: "Host(`{{ .Values.codeserver.ingressRoute.host }}`)"
+      priority: 10
+      services:
+        - kind: Service
+          name: home-assistant-codeserver
+          port: {{ .Values.codeserver.service.http.port }}
+{{- end }}

charts/home-assistant/templates/middleware.yaml

@@ -0,0 +1,29 @@
+{{- if .Values.ingressRoute.enabled }}
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: "authentik-{{ .Release.Name }}"
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ .Release.Name }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: auth
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  forwardAuth:
+    address: "http://{{ .Values.ingressRoute.authentik.outpost }}.authentik:{{ .Values.ingressRoute.authentik.port }}/outpost.goauthentik.io/auth/traefik"
+    trustForwardHeader: true
+    authResponseHeaders:
+      - X-authentik-username
+      - X-authentik-groups
+      - X-authentik-email
+      - X-authentik-name
+      - X-authentik-uid
+      - X-authentik-jwt
+      - X-authentik-meta-jwks
+      - X-authentik-meta-outpost
+      - X-authentik-meta-provider
+      - X-authentik-meta-app
+      - X-authentik-meta-version
+{{- end }}

charts/home-assistant/templates/persistant-volume-claim.yaml

@@ -0,0 +1,19 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: home-assistant-config
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: home-assistant
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: {{ .Values.persistence.config.storageSize }}
+  storageClassName: {{ .Values.persistence.config.storageClassName }}
+  volumeMode: {{ .Values.persistence.config.volumeMode }}

charts/home-assistant/templates/prometheus-rule.yaml

@@ -0,0 +1,18 @@
+{{- if and .Values.metrics.enabled .Values.metrics.prometheusRule.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: home-assistant
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: home-assistant
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: home-assistant
+spec:
+  groups:
+    - name: {{ .Release.Name }}
+      rules:
+        {{- toYaml .Values.metrics.prometheusRule.rules | nindent 8 }}
+{{- end }}

charts/home-assistant/templates/service-account.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: home-assistant
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: home-assistant
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: home-assistant

charts/home-assistant/templates/service-monitor.yaml

@@ -0,0 +1,26 @@
+{{- if .Values.metrics.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: home-assistant
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: home-assistant
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: home-assistant
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: home-assistant
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  endpoints:
+    - port: http
+      interval: {{ .Values.metrics.serviceMonitor.interval }}
+      scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }}
+      path: /api/prometheus
+      bearerTokenSecret:
+        name: {{ .Values.metrics.serviceMonitor.bearerTokenSecret.name }}
+        key: {{ .Values.metrics.serviceMonitor.bearerTokenSecret.key }}
+{{- end }}

charts/home-assistant/templates/service.yaml

@@ -0,0 +1,46 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: home-assistant
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: home-assistant
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  type: ClusterIP
+  ports:
+    - port: {{ .Values.service.http.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    app.kubernetes.io/name: home-assistant
+    app.kubernetes.io/instance: {{ .Release.Name }}
+
+---
+{{- if .Values.codeserver.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: home-assistant-codeserver
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: home-assistant
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  type: ClusterIP
+  ports:
+    - port: {{ .Values.codeserver.service.http.port }}
+      targetPort: codeserver-http
+      protocol: TCP
+      name: codeserver-http
+  selector:
+    app.kubernetes.io/name: home-assistant
+    app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}

charts/home-assistant/values.yaml

@@ -0,0 +1,74 @@
+deployment:
+  replicas: 1
+  strategy: Recreate
+  image:
+    repository: homeassistant/home-assistant
+    tag: 2024.3.0
+    imagePullPolicy: IfNotPresent
+  env:
+    TZ: UTC
+  envFrom:
+  resources:
+    requests:
+      memory: 512Mi
+      cpu: 50m
+    limits:
+      memory: 1Gi
+      cpu: 500m
+service:
+  http:
+    port: 8123
+ingressRoute:
+  enabled: true
+  host:
+  authentik:
+    outpost: authentik-proxy-outpost
+    port: 9000
+metrics:
+  enabled: false
+  serviceMonitor:
+    interval: 1m
+    scrapeTimeout: 30s
+    ## See https://www.home-assistant.io/docs/authentication/ for where to find
+    ## long lived access token creation under your account profile, which is
+    ## needed to monitor Home Assistant
+    bearerTokenSecret:
+      name: ""
+      key: ""
+  prometheusRule:
+    enabled: false
+    rules:
+      - alert: HomeAssistantAbsent
+        annotations:
+          description: Home Assistant has disappeared from Prometheus service discovery.
+          summary: Home Assistant is down.
+        expr: |
+          absent(up{job=~".*home-assistant.*"} == 1)
+        for: 5m
+        labels:
+          severity: critical
+persistence:
+  config:
+    storageClassName: default
+    storageSize: 1Gi
+    volumeMode: Filesystem
+codeserver:
+  enabled: false
+  image:
+    repository: linuxserver/code-server
+    tag: 4.22.0
+    imagePullPolicy: IfNotPresent
+  env:
+    TZ: UTC
+    PUID: 1000
+    PGID: 1000
+    DEFAULT_WORKSPACE: /config
+  envFrom:
+  securityContext:
+    runAsUser: 0
+  service:
+    http:
+      port: 8443
+  ingressRoute:
+    enabled: false
+    host:

charts/homepage/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: homepage
-version: 0.0.2
+version: 0.0.7
 description: Chart for benphelps homepage
 keywords:
   - dashboard
@@ -9,4 +9,4 @@ sources:
 maintainers:
   - name: alexlebens
 icon: https://github.com/benphelps/homepage/blob/de584eae8f12a0d257e554e9511ef19bd2a1232c/public/mstile-150x150.png
-appVersion: 0.8.7
+appVersion: v0.8.9

charts/homepage/templates/cluster-role-binding.yaml

@@ -1,19 +1,18 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: homepage
+  name: {{ .Release.Name }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: homepage
+    app.kubernetes.io/name: {{ .Release.Name }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/version: {{ .Chart.AppVersion }}
     app.kubernetes.io/component: web
-    app.kubernetes.io/part-of: homepage
+    app.kubernetes.io/part-of: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: helm
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: homepage
+  name: {{ .Release.Name }}
 subjects:
   - kind: ServiceAccount
     name: homepage

charts/homepage/templates/cluster-role.yaml

@@ -1,15 +1,14 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: homepage
+  name: {{ .Release.Name }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: homepage
+    app.kubernetes.io/name: {{ .Release.Name }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/version: {{ .Chart.AppVersion }}
     app.kubernetes.io/component: web
-    app.kubernetes.io/part-of: homepage
+    app.kubernetes.io/part-of: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: helm
 rules:
   - apiGroups:
       - ""

charts/homepage/templates/config-map.yaml

@@ -9,7 +9,6 @@ metadata:
     app.kubernetes.io/version: {{ .Chart.AppVersion }}
     app.kubernetes.io/component: web
     app.kubernetes.io/part-of: homepage
-    app.kubernetes.io/managed-by: helm
 data:
   bookmarks.yaml: {{- if .Values.config.bookmarks }} |
 {{- .Values.config.bookmarks | toYaml | nindent 4}}

charts/homepage/templates/deployment.yaml

@@ -9,7 +9,6 @@ metadata:
     app.kubernetes.io/version: {{ .Chart.AppVersion }}
     app.kubernetes.io/component: web
     app.kubernetes.io/part-of: homepage
-    app.kubernetes.io/managed-by: helm
 spec:
   revisionHistoryLimit: 3
   replicas: {{ .Values.deployment.replicas }}

charts/homepage/templates/ingress-route.yaml

@@ -9,7 +9,6 @@ metadata:
     app.kubernetes.io/version: {{ .Chart.AppVersion }}
     app.kubernetes.io/component: web
     app.kubernetes.io/part-of: homepage
-    app.kubernetes.io/managed-by: helm
 spec:
   entryPoints:
     - websecure
@@ -17,7 +16,7 @@ spec:
     - kind: Rule
       match: "Host(`{{ .Values.ingressRoute.host }}`)"
       middlewares:
-        - name: authentik
+        - name: "authentik-{{ .Release.Name }}"
           namespace: {{ .Release.Namespace }}
       priority: 10
       services:

charts/homepage/templates/middleware.yaml

@@ -1,15 +1,14 @@
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
-  name: authentik
+  name: "authentik-{{ .Release.Name }}"
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: homepage
+    app.kubernetes.io/name: {{ .Release.Name }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/version: {{ .Chart.AppVersion }}
     app.kubernetes.io/component: auth
-    app.kubernetes.io/part-of: homepage
+    app.kubernetes.io/part-of: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: helm
 spec:
   forwardAuth:
     address: "http://{{ .Values.ingressRoute.authentik.outpost }}.authentik:{{ .Values.ingressRoute.authentik.port }}/outpost.goauthentik.io/auth/traefik"

charts/homepage/templates/secret.yaml

@@ -10,6 +10,5 @@ metadata:
     app.kubernetes.io/version: {{ .Chart.AppVersion }}
     app.kubernetes.io/component: web
     app.kubernetes.io/part-of: homepage
-    app.kubernetes.io/managed-by: helm
   annotations:
     kubernetes.io/service-account.name: homepage

charts/homepage/templates/service-account.yaml

@@ -9,6 +9,5 @@ metadata:
     app.kubernetes.io/version: {{ .Chart.AppVersion }}
     app.kubernetes.io/component: web
     app.kubernetes.io/part-of: homepage
-    app.kubernetes.io/managed-by: helm
 secrets:
   - name: "{{ .Release.Name }}-sa-token"

charts/homepage/templates/service.yaml

@@ -9,7 +9,6 @@ metadata:
     app.kubernetes.io/version: {{ .Chart.AppVersion }}
     app.kubernetes.io/component: web
     app.kubernetes.io/part-of: homepage
-    app.kubernetes.io/managed-by: helm
 spec:
   type: ClusterIP
   ports:

charts/homepage/values.yaml

@@ -2,23 +2,23 @@ deployment:
   replicas: 1
   strategy: Recreate
   image:
-    repository: ghcr.io/benphelps/homepage
+    repository: ghcr.io/gethomepage/homepage
-    tag: v0.8.7
+    tag: v0.8.9
     imagePullPolicy: IfNotPresent
   env:
   envFrom:
   resources:
     requests:
-      memory: 50Mi
+      memory: 256Mi
-      cpu: 10m
+      cpu: 50m
     limits:
-      memory: 200Mi
+      memory: 512Mi
       cpu: 500m 
 service:
   http:
     port: 3000
 ingressRoute:
-  host: homepage.alexlebens.net
+  host:
   authentik:
     outpost: authentik-proxy-outpost
     port: 9000

charts/kubelet-serving-cert-approver/Chart.yaml

@@ -0,0 +1,13 @@
+apiVersion: v2
+name: kubelet-serving-cert-approver
+version: 0.0.4
+description: Kubelet Serving TLS Certificate Signing Request Approver
+keywords:
+  - kubernetes
+  - certificate
+sources:
+  - https://github.com/alex1989hu/kubelet-serving-cert-approver
+  - https://github.com/alexlebens/helm-charts/charts/homepage
+maintainers:
+  - name: alexlebens
+appVersion: 0.8.1

charts/kubelet-serving-cert-approver/README.md

@@ -0,0 +1,16 @@
+## Introduction
+
+[Kubelet Serving Certificate Approver](https://github.com/alex1989hu/kubelet-serving-cert-approver)
+
+Kubelet Serving Certificate Approver is a custom approving controller which approves kubernetes.io/kubelet-serving Certificate Signing Request that kubelet use to serve TLS endpoints.
+
+This chart bootstraps a [Kubelet Serving Certificate Approver](https://github.com/alex1989hu/kubelet-serving-cert-approver) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
+
+## Prerequisites
+
+- Kubernetes
+- Helm
+
+## Parameters
+
+See the [values files](values.yaml).

charts/kubelet-serving-cert-approver/templates/cluster-role-binding.yaml

@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kubelet-serving-cert-approver
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: kubelet-serving-cert-approver
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: server
+    app.kubernetes.io/part-of: kubelet-serving-cert-approver
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: "certificates:{{ .Release.Name }}"
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Release.Name }}
+    namespace: {{ .Release.Namespace }}

charts/kubelet-serving-cert-approver/templates/cluster-role.yaml

@@ -0,0 +1,61 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: "certificates:{{ .Release.Name }}"
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: kubelet-serving-cert-approver
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: server
+    app.kubernetes.io/part-of: kubelet-serving-cert-approver
+rules:
+  - apiGroups:
+      - certificates.k8s.io
+    resources:
+      - certificatesigningrequests
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - certificates.k8s.io
+    resources:
+      - certificatesigningrequests/approval
+    verbs:
+      - update
+  - apiGroups:
+      - authorization.k8s.io
+    resources:
+      - subjectaccessreviews
+    verbs:
+      - create
+  - apiGroups:
+      - certificates.k8s.io
+    resourceNames:
+      - kubernetes.io/kubelet-serving
+    resources:
+      - signers
+    verbs:
+      - approve
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: "events:{{ .Release.Name }}"
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: kubelet-serving-cert-approver
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: server
+    app.kubernetes.io/part-of: kubelet-serving-cert-approverv
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - events
+    verbs:
+      - create
+      - patch

charts/kubelet-serving-cert-approver/templates/deployment.yaml

@@ -0,0 +1,88 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: kubelet-serving-cert-approver
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: kubelet-serving-cert-approver
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: server
+    app.kubernetes.io/part-of: kubelet-serving-cert-approver
+spec:
+  revisionHistoryLimit: 3
+  replicas: {{ .Values.deployment.replicas }}
+  strategy:
+    type: {{ .Values.deployment.strategy }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: kubelet-serving-cert-approver
+      app.kubernetes.io/instance: {{ .Release.Name }}
+
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: kubelet-serving-cert-approver
+        app.kubernetes.io/instance: {{ .Release.Name }}
+    spec:
+      affinity:
+        nodeAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+            - preference:
+                matchExpressions:
+                  - key: node-role.kubernetes.io/master
+                    operator: DoesNotExist
+                  - key: node-role.kubernetes.io/control-plane
+                    operator: DoesNotExist
+              weight: 100
+      containers:
+        - name: {{ .Release.Name }}
+          image: "{{ .Values.deployment.image.repository }}:{{ .Values.deployment.image.tag }}"
+          imagePullPolicy: {{ .Values.deployment.image.imagePullPolicy }}
+          ports:
+            - containerPort: 8080
+              name: health
+            - containerPort: 9090
+              name: metrics
+          args:
+            - serve
+          env:
+            - name: NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+          resources:
+            {{- toYaml .Values.deployment.resources | nindent 12 }}
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: health
+            initialDelaySeconds: 6
+          readinessProbe:
+            httpGet:
+              path: /readyz
+              port: health
+            initialDelaySeconds: 3
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+      priorityClassName: {{ .Values.deployment.priorityClassName }}
+      securityContext:
+        fsGroup: 65534
+        runAsGroup: 65534
+        runAsUser: 65534
+        seccompProfile:
+          type: RuntimeDefault
+      serviceAccountName: kubelet-serving-cert-approver
+      tolerations:
+        - effect: NoSchedule
+          key: node-role.kubernetes.io/master
+          operator: Exists
+        - effect: NoSchedule
+          key: node-role.kubernetes.io/control-plane
+          operator: Exists

charts/kubelet-serving-cert-approver/templates/namespace.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: kubelet-serving-cert-approver
+  labels:
+    app.kubernetes.io/name: kubelet-serving-cert-approver
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    pod-security.kubernetes.io/audit: restricted
+    pod-security.kubernetes.io/enforce: restricted
+    pod-security.kubernetes.io/warn: restricted

charts/kubelet-serving-cert-approver/templates/role-binding.yaml

@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: "events:{{ .Release.Name }}"
+  namespace: default
+  labels:
+    app.kubernetes.io/name: kubelet-serving-cert-approver
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: server
+    app.kubernetes.io/part-of: kubelet-serving-cert-approver
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: "events:{{ .Release.Name }}"
+subjects:
+  - kind: ServiceAccount
+    name: kubelet-serving-cert-approver
+    namespace: {{ .Release.Name }}

charts/kubelet-serving-cert-approver/templates/service-account.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kubelet-serving-cert-approver
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: kubelet-serving-cert-approver
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: server
+    app.kubernetes.io/part-of: kubelet-serving-cert-approver

charts/kubelet-serving-cert-approver/templates/service.yaml

@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: kubelet-serving-cert-approver
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: kubelet-serving-cert-approver
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: server
+    app.kubernetes.io/part-of: kubelet-serving-cert-approver
+spec:
+  ports:
+    - name: metrics
+      port: 9090
+      protocol: TCP
+      targetPort: metrics
+  selector:
+    app.kubernetes.io/name: kubelet-serving-cert-approver
+    app.kubernetes.io/instance: {{ .Release.Name }}

charts/kubelet-serving-cert-approver/values.yaml

@@ -0,0 +1,15 @@
+deployment:
+  replicas: 1
+  strategy: Recreate
+  priorityClassName: system-cluster-critical
+  image:
+    repository: ghcr.io/alex1989hu/kubelet-serving-cert-approver
+    tag: main
+    imagePullPolicy: Always
+  resources:
+    limits:
+      cpu: 250m
+      memory: 32Mi
+    requests:
+      cpu: 10m
+      memory: 16Mi

charts/libation/Chart.yaml

@@ -0,0 +1,13 @@
+apiVersion: v2
+name: libation
+version: 0.0.4
+description: Import library from audible
+keywords:
+  - audiobooks
+  - job
+sources:
+  - https://github.com/rmcrackan/Libation
+maintainers:
+  - name: alexlebens
+icon: https://getlibation.com/images/libation-logo.png
+appVersion: "11.1.0"

charts/libation/README.md

@@ -0,0 +1,18 @@
+## Introduction
+
+[Libation](https://github.com/rmcrackan/Libation)
+
+Libation: Liberate your Library. Import library from audible, including cover art
+
+
+This chart bootstraps a [Libation](https://github.com/benphelps/homepage) CronJob on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
+
+## Prerequisites
+
+- Kubernetes
+- Helm
+- CronJob
+
+## Parameters
+
+See the [values files](values.yaml).

charts/libation/templates/job.yaml

@@ -0,0 +1,39 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: libation
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: libation
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: job
+    app.kubernetes.io/part-of: libation
+spec:
+  schedule: {{ .Values.libation.job.schedule }}
+  successfulJobsHistoryLimit: 3
+  failedJobsHistoryLimit: 3
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          restartPolicy: Never
+          containers:
+            - name: libation
+              image: "{{ .Values.libation.image.repository }}:{{ .Values.libation.image.tag }}"
+              imagePullPolicy: {{ .Values.libation.image.pullPolicy }}
+              env:
+                - name: SLEEP_TIME
+                  value: "-1"
+              volumeMounts:
+                - name: libation-config
+                  mountPath: /config
+                - name: libation-books
+                  mountPath: /data
+          volumes:
+            - name: libation-config
+              persistentVolumeClaim:
+                claimName: libation-config
+            - name: libation-books
+              persistentVolumeClaim:
+                claimName: {{ .Values.persistence.books.claimName }}

charts/libation/templates/persistent-volume-claim.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: libation-config
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: libation
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: storage
+    app.kubernetes.io/part-of: libation
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: {{ .Values.persistence.config.storageSize }}
+  storageClassName: {{ .Values.persistence.config.storageClassName }}
+  volumeMode: {{ .Values.persistence.config.volumeMode }}

charts/libation/values.yaml

@@ -0,0 +1,13 @@
+job:
+  schedule: "0 * * * *"
+image:
+  repository: rmcrackan/libation
+  tag: "11.1.0"
+  pullPolicy: IfNotPresent
+persistence:
+  config:
+    storageClassName: nfs-client
+    storageSize: 1Gi
+    volumeMode: Filesystem
+  books:
+    claimName: libation-nfs-storage

charts/outline/Chart.yaml

@@ -0,0 +1,18 @@
+apiVersion: v2
+name: outline
+version: 0.0.2
+description: Chart for Outline wiki
+keywords:
+  - wiki
+  - documentation
+sources:
+  - https://github.com/outline/outline
+  - https://github.com/bitnami/charts/tree/main/bitnami/redis
+maintainers:
+  - name: alexlebens
+icon: https://avatars.githubusercontent.com/u/1765001?s=48&v=4
+dependencies:
+  - name: redis
+    repository: https://charts.bitnami.com/bitnami
+    version: 18.x.x
+appVersion: v0.75.2

charts/outline/README.md

@@ -0,0 +1,17 @@
+## Introduction
+
+[Outline](https://github.com/outline/outline)
+
+The fastest knowledge base for growing teams. Beautiful, realtime collaborative, feature packed, and markdown compatible.
+
+This chart bootstraps an [Outline](https://github.com/outline/outline) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
+
+## Prerequisites
+
+- Kubernetes
+- Helm
+- Bitnami Redis Chart
+
+## Parameters
+
+See the [values files](values.yaml).

charts/outline/templates/deployment.yaml

@@ -0,0 +1,170 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: outline
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: outline
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: outline
+spec:
+  revisionHistoryLimit: 3
+  replicas: {{ .Values.deployment.replicas }}
+  strategy:
+    type: {{ .Values.deployment.strategy }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: outline
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: outline
+        app.kubernetes.io/instance: {{ .Release.Name }}
+    spec:
+      serviceAccountName: outline
+      automountServiceAccountToken: true
+      containers:
+        - name: {{ .Release.Name }}
+          image: "{{ .Values.deployment.image.repository }}:{{ .Values.deployment.image.tag }}"
+          imagePullPolicy: {{ .Values.deployment.image.imagePullPolicy }}
+          ports:
+            - name: web
+              containerPort: {{ .Values.service.web.port }}
+              protocol: TCP
+          env:
+            - name: NODE_ENV
+              value: "{{ .Values.outline.nodeEnv }}"
+            - name: URL
+              value: "{{ .Values.outline.url }}"
+            - name: PORT
+              value: "{{ .Values.service.web.port }}"
+            - name: SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.outline.secretKey.existingSecretName }}"
+                  key: "{{ .Values.outline.secretKey.existingSecretKey }}"
+            - name: UTILS_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.outline.utilsSecret.existingSecretName }}"
+                  key: "{{ .Values.outline.secretKey.existingSecretKey }}"
+            - name: POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.outline.database.passwordSecret.existingSecretName }}"
+                  key: "{{ .Values.outline.database.passwordSecret.existingSecretKey }}"
+            - name: POSTGRES_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.outline.database.usernameSecret.existingSecretName }}"
+                  key: "{{ .Values.outline.database.usernameSecret.existingSecretKey }}"
+            - name: POSTGRES_DATABASE_NAME
+              value: {{ .Values.outline.database.databaseName }}
+            - name: POSTGRES_DATABASE_HOST
+              value: {{ .Values.outline.database.databaseHost }}
+            - name: DATABASE_URL
+              value: "postgres://$(POSTGRES_USERNAME):$(POSTGRES_PASSWORD)@postgresql-{{ .Release.Name }}-cluster-rw:5432/$(POSTGRES_DATABASE_NAME)"
+            - name: DATABASE_URL_TEST
+              value: "postgres://$(POSTGRES_USERNAME):$(POSTGRES_PASSWORD)@postgresql-{{ .Release.Name }}-cluster-rw:5432/$(POSTGRES_DATABASE_NAME)-test"
+            - name: DATABASE_CONNECTION_POOL_MIN
+              value: "{{ .Values.outline.database.connectionPoolMin }}"
+            - name: DATABASE_CONNECTION_POOL_MAX
+              value: "{{ .Values.outline.database.connectionPoolMax }}"
+            - name: PGSSLMODE
+              value: "{{ .Values.outline.database.sslMode }}"
+            - name: REDIS_URL
+              value: "redis://{{ .Release.Name }}-redis-master:6379"
+            - name: FILE_STORAGE
+              value: "{{ .Values.persistence.type }}"
+
+          {{- if eq .Values.persistence.type "s3" }}
+            - name: AWS_ACCESS_KEY_ID
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.persistence.s3.credentialsSecret }}"
+                  key: AWS_ACCESS_KEY_ID
+            - name: AWS_SECRET_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.persistence.s3.credentialsSecret }}"
+                  key: AWS_SECRET_ACCESS_KEY
+            - name: AWS_REGION
+              value: "{{ .Values.persistence.s3.region }}"
+            - name: AWS_S3_UPLOAD_BUCKET_NAME
+              value: "{{ .Values.persistence.s3.bucketName }}"
+            - name: AWS_S3_UPLOAD_BUCKET_URL
+              value: "{{ .Values.persistence.s3.endpoint }}"
+            - name: AWS_S3_FORCE_PATH_STYLE
+              value: "{{ .Values.persistence.s3.forcePathStyle }}"
+            - name: AWS_S3_ACL
+              value: "{{ .Values.persistence.s3.acl }}"
+            - name: FILE_STORAGE_UPLOAD_MAX_SIZE
+              value: "{{ .Values.persistence.s3.uploadMaxSize }}"
+          {{- else if eq .Values.persistence.type "local" }}
+            - name: FILE_STORAGE_LOCAL_ROOT_DIR
+              value: "{{ .Values.persistence.local.localRootDir }}"
+            - name: FILE_STORAGE_UPLOAD_MAX_SIZE
+              value: "{{ .Values.persistence.local.uploadMaxSize }}"
+          {{- end }}
+
+            - name: FORCE_HTTPS
+              value: "{{ .Values.outline.optional.forceHttps }}"
+            - name: ENABLE_UPDATES
+              value: "{{ .Values.outline.optional.enableUpdates }}"
+            - name: WEB_CONCURRENCY
+              value: "{{ .Values.outline.optional.webConcurrency }}"
+            - name: MAXIMUM_IMPORT_SIZE
+              value: "{{ .Values.outline.optional.maximumImportSize }}"
+            - name: LOG_LEVEL
+              value: "{{ .Values.outline.optional.logLevel }}"
+            - name: DEFAULT_LANGUAGE
+              value: "{{ .Values.outline.optional.defaultLanguage }}"
+            - name: RATE_LIMITER_ENABLED
+              value: "{{ .Values.outline.optional.rateLimiter.enabled }}"
+            - name: RATE_LIMITER_REQUESTS
+              value: "{{ .Values.outline.optional.rateLimiter.requests }}"
+            - name: RATE_LIMITER_DURATION_WINDOW
+              value: "{{ .Values.outline.optional.rateLimiter.durationWindow }}"
+            - name: DEVELOPMENT_UNSAFE_INLINE_CSP
+              value: "{{ .Values.outline.optional.developmentUnsafeInlineCsp }}"
+
+          {{- if .Values.outline.auth.oidc.enabled }}
+            - name: OIDC_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.outline.auth.oidc.clientId.existingSecretName }}"
+                  key: "{{ .Values.outline.auth.oidc.clientId.existingSecretKey }}"
+            - name: OIDC_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.outline.auth.oidc.clientSecret.existingSecretName }}"
+                  key: "{{ .Values.outline.auth.oidc.clientSecret.existingSecretKey }}"
+            - name: OIDC_AUTH_URI
+              value: "{{ .Values.outline.auth.oidc.authUri }}"
+            - name: OIDC_TOKEN_URI
+              value: "{{ .Values.outline.auth.oidc.tokenUri }}"
+            - name: OIDC_USERINFO_URI
+              value: "{{ .Values.outline.auth.oidc.userinfoUri }}"
+            - name: OIDC_USERNAME_CLAIM
+              value: "{{ .Values.outline.auth.oidc.usernameClaim }}"
+            - name: OIDC_DISPLAY_NAME
+              value: "{{ .Values.outline.auth.oidc.displayName }}"
+            - name: OIDC_SCOPES
+              value: "{{ .Values.outline.auth.oidc.scopes }}"
+          {{- end }}
+
+          resources:
+            {{- toYaml .Values.deployment.resources | nindent 12 }}
+
+      {{- if eq .Values.persistence.type "local" }}
+          volumeMounts:
+          - name: "{{ .Release.Name }}-volume-claim"
+            mountPath: {{ .Values.persistence.local.localRootDir }}
+      volumes:
+      - name: "{{ .Release.Name }}-volume-claim"
+        persistentVolumeClaim:
+          claimName: "{{ .Release.Name }}-volume-claim"
+      {{- end }}

charts/outline/templates/ingress.yaml

@@ -0,0 +1,32 @@
+{{- if .Values.ingress.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: outline-web
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: outline-web
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: outline
+  annotations:
+    {{- toYaml .Values.ingress.annotations | nindent 4 }}
+spec:
+  ingressClassName: {{ .Values.ingress.className }}
+  tls:
+    - hosts:
+      - {{ .Values.ingress.host }}
+      secretName: {{ .Release.Name }}-tls-secret
+  rules:
+    - host: {{ .Values.ingress.host }}
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: outline-web
+                port:
+                  name: web
+{{- end }}

charts/outline/templates/persistent-volume-claim.yaml

@@ -0,0 +1,20 @@
+{{- if eq .Values.persistence.type "local" }}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: {{ .Release.Name }}-volume-claim
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: outline
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: storage
+    app.kubernetes.io/part-of: outline
+spec:
+  storageClassName: {{ .Values.persistence.local.storageClassName }}
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: {{ .Values.persistence.local.storageSize }}
+{{- end }}

charts/outline/templates/service-account.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: outline
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: outline
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: outline

charts/outline/templates/service.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: outline-web
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: outline-web
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: outline
+spec:
+  type: ClusterIP
+  ports:
+    - port: {{ .Values.service.web.port }}
+      targetPort: web
+      protocol: TCP
+      name: web
+  selector:
+    app.kubernetes.io/name: outline-web
+    app.kubernetes.io/instance: {{ .Release.Name }}

charts/outline/values.yaml

@@ -0,0 +1,89 @@
+deployment:
+  replicas: 1
+  strategy: Recreate
+  image:
+    repository: outlinewiki/outline
+    tag: "0.75.2"
+    imagePullPolicy: IfNotPresent
+  resources:
+    requests:
+      memory: 256Mi
+      cpu: 50m
+    limits:
+      memory: 1Gi
+      cpu: 500m
+service:
+  web:
+    port: 3000
+ingress:
+  enabled: true
+  className: traefik
+  annotations:
+  host:
+persistence:
+  type: s3
+  s3:
+    credentialsSecret: outline-s3-secret
+    region: us-east-1
+    bucketName: outline
+    endpoint:
+    uploadMaxSize: "26214400"
+    forcePathStyle: false
+    acl: private
+  local:
+    storageClassName: default
+    storageSize: 50Gi
+    localRootDir: /var/lib/outline/data
+    uploadMaxSize: 26214400
+redis:
+  architecture: standalone
+  auth:
+    enabled: false
+outline:
+  nodeEnv: production
+  url:
+  secretKey:
+    existingSecretName: outline-key-secret
+    existingSecretKey: secret-key
+  utilsSecret:
+    existingSecretName: outline-key-secret
+    existingSecretKey: utils-key
+  database:
+    passwordSecret:
+      existingSecretName: postgresql-outline-cluster-app
+      existingSecretKey: password
+    usernameSecret:
+      existingSecretName: postgresql-outline-cluster-app
+      existingSecretKey: username
+    databaseName: app
+    databaseHost: postgresql-outline-cluster-rw
+    connectionPoolMin: ""
+    connectionPoolMax: "20"
+    sslMode: disable
+  optional:
+    forceHttps: false
+    enableUpdates: false
+    webConcurrency: 1
+    maximumImportSize: 5120000
+    logLevel: info
+    defaultLanguage: en_US
+    rateLimiter:
+      enabled: false
+      requests: 1000
+      durationWindow: 60
+    developmentUnsafeInlineCsp: false
+  auth:
+    oidc:
+      enabled: true
+      clientId:
+        existingSecretName: outline-auth-secret
+        existingSecretKey: oidc-client-id
+      clientSecret:
+        existingSecretName: outline-auth-secret
+        existingSecretKey: oidc-client-secret
+      authUri:
+      tokenUri:
+      userinfoUri:
+      usernameClaim:
+      displayName:
+      scopes: openid profile email

charts/postgres-cluster/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: postgres-cluster
-version: 0.0.3
+version: 0.2.2
 description: Chart for cloudnative-pg cluster
 keywords:
   - database

charts/postgres-cluster/templates/postgresql-cluster.yaml

@@ -9,8 +9,8 @@ metadata:
     app.kubernetes.io/version: {{ .Chart.AppVersion }}
     app.kubernetes.io/component: database
     app.kubernetes.io/part-of: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: helm
 spec:
+  imageName: "{{ .Values.cluster.image.repository }}:{{ .Values.cluster.image.tag }}"
   instances: {{ .Values.cluster.instances }}
   replicationSlots:
     highAvailability:
@@ -41,12 +41,12 @@ spec:
   {{- if .Values.backup.recoveryEnabled }}
   bootstrap:
     recovery:
-      source: "postgresql-{{ .Release.Name }}-cluster-recovery-index-{{ .Values.backup.recoveryIndex }}"
+      source: "postgresql-{{ .Release.Name }}-cluster-backup-index-{{ .Values.bootstrap.recoveryIndex }}"
   externalClusters:
-    - name: "postgresql-{{ .Release.Name }}-cluster-recovery-index-{{ .Values.backup.recoveryIndex }}"
+    - name: "postgresql-{{ .Release.Name }}-cluster-backup-index-{{ .Values.bootstrap.recoveryIndex }}"
       barmanObjectStore:
-        endpointURL: {{ .Values.backup.endpointURL }}
+        endpointURL: {{ .Values.bootstrap.endpointURL }}
-        destinationPath: "s3://{{ .Values.backup.bucket }}/{{ .Values.cluster.name }}/postgresql/{{ .Release.Name }}-cluster"
+        destinationPath: "s3://{{ .Values.bootstrap.bucket }}/{{ .Values.cluster.name }}/postgresql/{{ .Release.Name }}-cluster"
         s3Credentials:
           accessKeyId:
             name: "postgresql-{{ .Release.Name }}-cluster-backup-secret"
@@ -55,9 +55,9 @@ spec:
             name: "postgresql-{{ .Release.Name }}-cluster-backup-secret"
             key: ACCESS_SECRET_KEY
         data:
-          compression: {{ .Values.backup.compression }}
+          compression: {{ .Values.cluster.compression }}
         wal:
-          compression: {{ .Values.backup.compression }}
+          compression: {{ .Values.cluster.compression }}
   {{- end }}
 
   {{- if .Values.backup.backupEnabled }}
@@ -75,7 +75,7 @@ spec:
           name: "postgresql-{{ .Release.Name }}-cluster-backup-secret"
           key: ACCESS_SECRET_KEY
       data:
-        compression: {{ .Values.backup.compression }}
+        compression: {{ .Values.cluster.compression }}
       wal:
-        compression: {{ .Values.backup.compression }}
+        compression: {{ .Values.cluster.compression }}
   {{- end }}

charts/postgres-cluster/templates/scheduled-backup.yaml

@@ -9,7 +9,6 @@ metadata:
     app.kubernetes.io/version: {{ .Chart.AppVersion }}
     app.kubernetes.io/component: database
     app.kubernetes.io/part-of: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: helm
 spec:
   schedule: {{ .Values.backup.schedule }}
   backupOwnerReference: self

charts/postgres-cluster/values.yaml

@@ -1,10 +1,14 @@
 cluster:
   name: cl01tl
+  image:
+    repository: ghcr.io/cloudnative-pg/postgresql
+    tag: 16.0
   instances: 2
   parameters:
     shared_buffers: 128MB
     max_slot_wal_keep_size: 2000MB
     hot_standby_feedback: "on"
+  compression: snappy
   resources:
     requests:
       memory: 512Mi
@@ -15,23 +19,24 @@ cluster:
       hugepages-2Mi: 512Mi
   storage:
     data:
-      storageClass: ceph-block
+      storageClass: default
       size: 10Gi
     wal:
-      storageClass: ceph-block
+      storageClass: default
       size: 2Gi
 bootstrap:
+  recoveryEnabled: false
+  recoveryIndex: 1
+  endpointURL:
+  bucket:
   initdbEnabled: false
   initdb:
     database: app
     owner: app
 backup:
   backupEnabled: true
-  recoveryEnabled: false  
   schedule: "0 0 0 * * *"
   retentionPolicy: 14d
   backupIndex: 1
-  recoveryIndex: 1
+  endpointURL:
-  endpointURL: https://nyc3.digitaloceanspaces.com
+  bucket:
-  bucket: net-infra
-  compression: snappy

renovate.json

@@ -1,14 +0,0 @@
-{
-    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-    "extends": [
-        "config:base",
-        "mergeConfidence:all-badges"
-    ],
-    "timezone": "MST7MDT",
-    "schedule": "before 8am every weekday",
-    "ignoreTests": true,
-    "lockFileMaintenance": {
-        "enabled": true,
-        "automerge": true
-    }
-}