feat: refactor apps

clusters/cl01tl/helm/harbor/Chart.yaml

@@ -4,15 +4,14 @@ version: 1.0.0
 description: Harbor
 keywords:
   - harbor
-  - images
+  - image-registry
-  - cache
+home: https://docs.alexlebens.dev/applications/harbor/
-  - kubernetes
-home: https://wiki.alexlebens.dev/s/7e132c13-afee-48ec-b3dd-efd656d240c9
 sources:
   - https://github.com/goharbor
-  - https://github.com/cloudnative-pg/cloudnative-pg
+  - https://github.com/orgs/goharbor/packages
   - https://github.com/goharbor/harbor-helm
   - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster
+  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/valkey
 maintainers:
   - name: alexlebens
 dependencies:

clusters/cl01tl/helm/harbor/templates/external-secret.yaml

@@ -14,85 +14,49 @@ spec:
   data:
     - secretKey: HARBOR_ADMIN_PASSWORD
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/harbor/config
-        metadataPolicy: None
         property: admin-password
     - secretKey: secretKey
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/harbor/config
-        metadataPolicy: None
         property: secretKey
     - secretKey: CSRF_KEY
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/harbor/core
-        metadataPolicy: None
         property: CSRF_KEY
     - secretKey: secret
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/harbor/core
-        metadataPolicy: None
         property: secret
     - secretKey: tls.crt
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/harbor/core
-        metadataPolicy: None
         property: tls.crt
     - secretKey: tls.key
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/harbor/core
-        metadataPolicy: None
         property: tls.key
     - secretKey: JOBSERVICE_SECRET
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/harbor/jobservice
-        metadataPolicy: None
         property: JOBSERVICE_SECRET
     - secretKey: REGISTRY_HTTP_SECRET
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/harbor/registry
-        metadataPolicy: None
         property: REGISTRY_HTTP_SECRET
     - secretKey: REGISTRY_REDIS_PASSWORD
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/harbor/registry
-        metadataPolicy: None
         property: REGISTRY_REDIS_PASSWORD
     - secretKey: REGISTRY_HTPASSWD
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/harbor/registry
-        metadataPolicy: None
         property: REGISTRY_HTPASSWD
     - secretKey: REGISTRY_CREDENTIAL_PASSWORD
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/harbor/registry
-        metadataPolicy: None
         property: REGISTRY_CREDENTIAL_PASSWORD
     - secretKey: REGISTRY_PASSWD
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/harbor/registry
-        metadataPolicy: None
         property: REGISTRY_CREDENTIAL_PASSWORD

clusters/cl01tl/helm/harbor/values.yaml

@@ -21,13 +21,9 @@ harbor:
         size: 100Gi
   existingSecretAdminPassword: harbor-secret
   existingSecretAdminPasswordKey: HARBOR_ADMIN_PASSWORD
-  internalTLS:
-    enabled: false
   ipFamily:
     ipv6:
       enabled: false
-    ipv4:
-      enabled: true
   updateStrategy:
     type: Recreate
   existingSecretSecretKey: harbor-secret
@@ -73,12 +69,12 @@ harbor:
     credentials:
       existingSecret: harbor-secret
     upload_purging:
-      enabled: true
       age: 72h
-      interval: 24h
-      dryrun: false
   trivy:
     enabled: true
+    image:
+      repository: ghcr.io/goharbor/trivy-adapter-photon
+      tag: v2.15.0@sha256:6fd6de9cfbbb04cb1d94722cfa01cf71b8994d3f9e7891d3b03a89a7536480ba
   database:
     type: external
     external:
@@ -109,32 +105,9 @@ postgres-18-cluster:
         destinationBucket: postgres-backups
         externalSecretCredentialPath: /garage/home-infra/postgres-backups
         isWALArchiver: true
-      # - name: garage-remote
-      #   index: 1
-      #   destinationBucket: postgres-backups
-      #   externalSecretCredentialPath: /garage/home-infra/postgres-backups
-      #   retentionPolicy: "90d"
-      #   data:
-      #     compression: bzip2
-      # - name: external
-      #   index: 1
-      #   endpointURL: https://nyc3.digitaloceanspaces.com
-      #   destinationBucket: postgres-backups-ce540ddf106d186bbddca68a
-      #   externalSecretCredentialPath: /garage/home-infra/postgres-backups
-      #   isWALArchiver: false
     scheduledBackups:
       - name: live-backup
         suspend: false
         immediate: true
         schedule: "0 35 14 * * *"
         backupName: garage-local
-      # - name: weekly-backup
-      #   suspend: true
-      #   immediate: true
-      #   schedule: "0 0 4 * * SAT"
-      #   backupName: garage-remote
-      # - name: daily-backup
-      #   suspend: true
-      #   immediate: true
-      #   schedule: "0 0 0 * * *"
-      #   backupName: external

clusters/cl01tl/helm/headlamp/Chart.yaml

@@ -5,8 +5,7 @@ description: Headlamp
 keywords:
   - headlamp
   - dashboard
-  - kubernetes
+home: https://docs.alexlebens.dev/applications/headlamp/
-home: https://wiki.alexlebens.dev/s/6cc43960-78df-459d-aab6-433844249243
 sources:
   - https://github.com/headlamp-k8s/headlamp
   - https://github.com/headlamp-k8s/headlamp/tree/main/charts/headlamp

clusters/cl01tl/helm/headlamp/templates/external-secret.yaml

@@ -14,43 +14,25 @@ spec:
   data:
     - secretKey: OIDC_CLIENT_ID
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /authentik/oidc/headlamp
-        metadataPolicy: None
         property: client
     - secretKey: OIDC_CLIENT_SECRET
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /authentik/oidc/headlamp
-        metadataPolicy: None
         property: secret
     - secretKey: OIDC_ISSUER_URL
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /authentik/oidc/headlamp
-        metadataPolicy: None
         property: issuer
     - secretKey: OIDC_SCOPES
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /authentik/oidc/headlamp
-        metadataPolicy: None
         property: scopes
     - secretKey: HEADLAMP_CONFIG_OIDC_VALIDATOR_IDP_ISSUER_URL
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /authentik/oidc/headlamp
-        metadataPolicy: None
         property: validator-issuer-url
     - secretKey: HEADLAMP_CONFIG_OIDC_VALIDATOR_CLIENT_ID
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /authentik/oidc/headlamp
-        metadataPolicy: None
         property: validator-client-id

clusters/cl01tl/helm/headlamp/templates/http-route.yaml

@@ -1,28 +0,0 @@
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
-  name: headlamp
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: headlamp
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  parentRefs:
-    - group: gateway.networking.k8s.io
-      kind: Gateway
-      name: traefik-gateway
-      namespace: traefik
-  hostnames:
-    - headlamp.alexlebens.net
-  rules:
-    - matches:
-      - path:
-          type: PathPrefix
-          value: /
-      backendRefs:
-        - group: ''
-          kind: Service
-          name: headlamp
-          port: 80
-          weight: 100

clusters/cl01tl/helm/headlamp/values.yaml

@@ -1,5 +1,9 @@
 headlamp:
   replicaCount: 2
+  image:
+    registry: ghcr.io
+    repository: headlamp-k8s/headlamp
+    tag: v0.41.0@sha256:89c6c65810bfde61796483c93c70d659104355593792bf55cab680d685da8eeb
   config:
     oidc:
       secret:
@@ -10,10 +14,30 @@ headlamp:
     watchPlugins: true
     # Bypasses: https://github.com/kubernetes-sigs/headlamp/issues/4883
     sessionTTL: null
+  httpRoute:
+    enabled: true
+    parentRefs:
+      - group: gateway.networking.k8s.io
+        kind: Gateway
+        name: traefik-gateway
+        namespace: traefik
+    hostnames:
+      - headlamp.alexlebens.net
+    rules:
+      - matches:
+        - path:
+            type: PathPrefix
+            value: /
+        backendRefs:
+          - group: ''
+            kind: Service
+            name: headlamp
+            port: 80
+            weight: 100
   resources:
     requests:
-      cpu: 10m
+      cpu: 1m
-      memory: 128Mi
+      memory: 80Mi
   pluginsManager:
     enabled: true
     securityContext:

clusters/cl01tl/helm/home-assistant/Chart.yaml

@@ -4,14 +4,13 @@ version: 1.0.0
 description: Home Assistant
 keywords:
   - home-assistant
-  - home
+  - home-automation
-  - automation
+home: https://docs.alexlebens.dev/applications/home-assistant/
-home: https://wiki.alexlebens.dev/s/5462c17e-cd39-4082-ad01-94545a2fa3ca
 sources:
-  - https://www.home-assistant.io/
   - https://github.com/home-assistant/core
   - https://github.com/home-assistant/core/pkgs/container/home-assistant
   - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
+  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/volsync-target
 maintainers:
   - name: alexlebens
 dependencies:

clusters/cl01tl/helm/home-assistant/templates/external-secret.yaml

@@ -14,17 +14,11 @@ spec:
   data:
     - secretKey: PASSWORD
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/home-assistant/code-server/auth
-        metadataPolicy: None
         property: PASSWORD
     - secretKey: SUDO_PASSWORD
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/home-assistant/code-server/auth
-        metadataPolicy: None
         property: SUDO_PASSWORD
 
 ---
@@ -44,8 +38,5 @@ spec:
   data:
     - secretKey: bearer-token
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/home-assistant/auth
-        metadataPolicy: None
         property: bearer-token

clusters/cl01tl/helm/home-assistant/values.yaml

@@ -4,28 +4,29 @@ home-assistant:
       type: deployment
       replicas: 1
       strategy: Recreate
-      revisionHistoryLimit: 3
+      pod:
+        securityContext:
+          fsGroup: 1000
+          fsGroupChangePolicy: OnRootMismatch
       containers:
         main:
           image:
             repository: ghcr.io/home-assistant/home-assistant
-            tag: 2026.3.4
+            tag: 2026.3.4@sha256:916682086154a7390114a9788782b8efb199852d4f7d47066722c2bc5d1829e6
-            pullPolicy: IfNotPresent
           env:
             - name: TZ
-              value: US/Central
+              value: America/Chicago
           resources:
             requests:
-              cpu: 50m
+              cpu: 1m
-              memory: 512Mi
+              memory: 400Mi
         code-server:
           image:
             repository: ghcr.io/linuxserver/code-server
             tag: 4.112.0@sha256:4bb5b8ad22268001687c047f0f04933799fb03df1eb0e1e266ba15ed2d9f4e8b
-            pullPolicy: IfNotPresent
           env:
             - name: TZ
-              value: US/Central
+              value: America/Chicago
             - name: PUID
               value: 1000
             - name: PGID
@@ -35,10 +36,6 @@ home-assistant:
           envFrom:
             - secretRef:
                 name: home-assistant-code-server-password-secret
-          resources:
-            requests:
-              cpu: 10m
-              memory: 128Mi
   service:
     main:
       controller: main
@@ -82,11 +79,8 @@ home-assistant:
         - home-assistant.alexlebens.net
       rules:
         - backendRefs:
-            - group: ''
+            - name: home-assistant-main
-              kind: Service
-              name: home-assistant-main
               port: 80
-              weight: 100
           matches:
             - path:
                 type: PathPrefix
@@ -102,11 +96,8 @@ home-assistant:
         - home-assistant-code-server.alexlebens.net
       rules:
         - backendRefs:
-            - group: ''
+            - name: home-assistant-code-server
-              kind: Service
-              name: home-assistant-code-server
               port: 8443
-              weight: 100
           matches:
             - path:
                 type: PathPrefix