From 94e6c4a9bee4850ec033015a7be259fb5b0be2ca Mon Sep 17 00:00:00 2001
From: gitea-bot
Date: Wed, 8 Apr 2026 00:59:02 +0000
Subject: [PATCH] chore: Update manifests after change
---
 .../tdarr/Deployment-tdarr-server.yaml | 12 ++++++----
 .../Deployment-tdarr-tdarr-exporter.yaml | 6 ++---
 .../manifests/tdarr/HTTPRoute-tdarr.yaml | 2 +-
 .../PersistentVolumeClaim-tdarr-config.yaml | 2 --
 .../PersistentVolumeClaim-tdarr-server.yaml | 2 --
 .../tdarr/StatefulSet-tdarr-node.yaml | 7 +++---
 .../manifests/traefik/DaemonSet-traefik.yaml | 10 +++++---
 .../traefik/PodDisruptionBudget-traefik.yaml | 16 +++++++++++++
 .../traefik/PrometheusRule-traefik.yaml | 23 +++++++++++++++++++
 .../Deployment-tubearchivist.yaml | 12 ++++------
 ...nalSecret-tubearchivist-config-secret.yaml | 6 -----
 ...et-tubearchivist-elasticsearch-secret.yaml | 9 --------
 ...alSecret-tubearchivist-wireguard-conf.yaml | 12 ----------
 .../HTTPRoute-tubearchivist.yaml | 2 +-
 .../PersistentVolumeClaim-tubearchivist.yaml | 2 --
 .../StatefulSet-tubearchivist-valkey.yaml | 8 +++----
 16 files changed, 70 insertions(+), 61 deletions(-)
 create mode 100644 clusters/cl01tl/manifests/traefik/PodDisruptionBudget-traefik.yaml
 create mode 100644 clusters/cl01tl/manifests/traefik/PrometheusRule-traefik.yaml
diff --git a/clusters/cl01tl/manifests/tdarr/Deployment-tdarr-server.yaml b/clusters/cl01tl/manifests/tdarr/Deployment-tdarr-server.yaml
index ac975da08..123cb9fdf 100644
--- a/clusters/cl01tl/manifests/tdarr/Deployment-tdarr-server.yaml
+++ b/clusters/cl01tl/manifests/tdarr/Deployment-tdarr-server.yaml
@@ -29,6 +29,9 @@ spec:
 enableServiceLinks: false
 serviceAccountName: default
 automountServiceAccountToken: true
+ securityContext:
+ fsGroup: 1000
+ fsGroupChangePolicy: OnRootMismatch
 hostIPC: false
 hostNetwork: false
 hostPID: false
@@ -36,7 +39,7 @@ spec:
 containers:
 - env:
 - name: TZ
- value: US/Central
+ value: America/Chicago
 - name: PUID
 value: "1001"
 - name: PGID
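Review bot: In Deployment-tdarr-server.yaml (hunk at -29,6) the new pod-level `securityContext` sets `fsGroup: 1000`, while the container env in the next hunk shows `PUID` as "1001" and the `PGID` value lies outside the hunk. If the process does not run with GID 1000, the volumes are re-grouped to an ID the application does not use, so it is worth confirming the rendered `PGID` and aligning the two (for example `fsGroup: 1001` if that is the group in use). The block also leaves `runAsNonRoot` and `seccompProfile` unset, which may be deliberate if the image has to start as root to apply PUID/PGID. The same `fsGroup: 1000` block is added in Deployment-tubearchivist.yaml (hunk at -29,13); other manifests in this patch carry `app.kubernetes.io/managed-by: Helm`, so the change presumably belongs in the chart values rather than in the rendered file.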
@@ -57,13 +60,12 @@ spec:
 value: "8266"
 - name: webUIPort
 value: "8265"
- image: ghcr.io/haveagitgat/tdarr:2.67.01
- imagePullPolicy: IfNotPresent
+ image: ghcr.io/haveagitgat/tdarr:2.67.01@sha256:dc23becc667f77d2489b1042bd3af87fdd2fd85c2802e126928ef2ced9a8f560
 name: main
 resources:
 requests:
- cpu: 200m
- memory: 1Gi
+ cpu: 500m
+ memory: 2Gi
 volumeMounts:
 - mountPath: /app/configs
 name: config
diff --git a/clusters/cl01tl/manifests/tdarr/Deployment-tdarr-tdarr-exporter.yaml b/clusters/cl01tl/manifests/tdarr/Deployment-tdarr-tdarr-exporter.yaml
index e4d0a6cdf..1b630f00e 100644
--- a/clusters/cl01tl/manifests/tdarr/Deployment-tdarr-tdarr-exporter.yaml
+++ b/clusters/cl01tl/manifests/tdarr/Deployment-tdarr-tdarr-exporter.yaml
@@ -31,7 +31,7 @@ spec:
 containers:
 - name: tdarr-exporter
 securityContext: {}
- image: "docker.io/homeylab/tdarr-exporter:1.4.3"
+ image: "docker.io/homeylab/tdarr-exporter:1.4.3@sha256:88254cb505bfff20e86e04fa23a71789a411e7939e3bcbccbd5ef397ff91d052"
 imagePullPolicy: IfNotPresent
 ports:
 - name: metrics
@@ -77,5 +77,5 @@ spec:
 timeoutSeconds: 2
 resources:
 requests:
- cpu: 10m
- memory: 256Mi
+ cpu: 1m
+ memory: 10Mi
diff --git a/clusters/cl01tl/manifests/tdarr/HTTPRoute-tdarr.yaml b/clusters/cl01tl/manifests/tdarr/HTTPRoute-tdarr.yaml
index 4462ccbf0..f360c3189 100644
--- a/clusters/cl01tl/manifests/tdarr/HTTPRoute-tdarr.yaml
+++ b/clusters/cl01tl/manifests/tdarr/HTTPRoute-tdarr.yaml
@@ -23,7 +23,7 @@ spec:
 name: tdarr-web
 namespace: tdarr
 port: 8265
- weight: 100
+ weight: 1
 matches:
 - path:
 type: PathPrefix
diff --git a/clusters/cl01tl/manifests/tdarr/PersistentVolumeClaim-tdarr-config.yaml b/clusters/cl01tl/manifests/tdarr/PersistentVolumeClaim-tdarr-config.yaml
index f237560e4..fb5e7ecea 100644
--- a/clusters/cl01tl/manifests/tdarr/PersistentVolumeClaim-tdarr-config.yaml
+++ b/clusters/cl01tl/manifests/tdarr/PersistentVolumeClaim-tdarr-config.yaml
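Review bot: The `main` image in Deployment-tdarr-server.yaml (hunk at -57,13) is now written as tag plus digest, `tdarr:2.67.01@sha256:…`; only the digest decides what is pulled and the tag is not checked against it, so a later edit to one without the other would go unnoticed. A pipeline step that resolves the tag in the registry and compares it with the pinned digest, or signature verification at admission, would keep the pin trustworthy, and a short comment such as `# digest is authoritative; tag is informational` would document the intent. Dropping `imagePullPolicy` is harmless here because a digest-pinned reference defaults to `IfNotPresent`. The same tag-plus-digest form is used in the exporter, tdarr_node, traefik and tubearchivist image hunks.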
@@ -7,8 +7,6 @@ metadata:
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: tdarr
 helm.sh/chart: tdarr-4.6.2
- annotations:
- helm.sh/resource-policy: keep
 namespace: tdarr
 spec:
 accessModes:
diff --git a/clusters/cl01tl/manifests/tdarr/PersistentVolumeClaim-tdarr-server.yaml b/clusters/cl01tl/manifests/tdarr/PersistentVolumeClaim-tdarr-server.yaml
index b75e40eba..29da032ee 100644
--- a/clusters/cl01tl/manifests/tdarr/PersistentVolumeClaim-tdarr-server.yaml
+++ b/clusters/cl01tl/manifests/tdarr/PersistentVolumeClaim-tdarr-server.yaml
@@ -7,8 +7,6 @@ metadata:
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: tdarr
 helm.sh/chart: tdarr-4.6.2
- annotations:
- helm.sh/resource-policy: keep
 namespace: tdarr
 spec:
 accessModes:
diff --git a/clusters/cl01tl/manifests/tdarr/StatefulSet-tdarr-node.yaml b/clusters/cl01tl/manifests/tdarr/StatefulSet-tdarr-node.yaml
index 16655627c..53053d224 100644
--- a/clusters/cl01tl/manifests/tdarr/StatefulSet-tdarr-node.yaml
+++ b/clusters/cl01tl/manifests/tdarr/StatefulSet-tdarr-node.yaml
@@ -50,7 +50,7 @@ spec:
 containers:
 - env:
 - name: TZ
- value: US/Central
+ value: America/Chicago
 - name: PUID
 value: "1001"
 - name: PGID
@@ -69,8 +69,7 @@ spec:
 value: tdarr-api
 - name: serverPort
 value: "8266"
- image: ghcr.io/haveagitgat/tdarr_node:2.67.01
- imagePullPolicy: IfNotPresent
+ image: ghcr.io/haveagitgat/tdarr_node:2.67.01@sha256:048ae8ed4de8e9f0de51ad739b2105bee3e4d1a8575120df468cec5f6ef2b1da
 name: main
 resources:
 limits:
@@ -78,7 +77,7 @@ spec:
 requests:
 cpu: 10m
 gpu.intel.com/i915: 1
- memory: 512Mi
+ memory: 100Mi
 volumeMounts:
 - mountPath: /mnt/store
 name: media
diff --git a/clusters/cl01tl/manifests/traefik/DaemonSet-traefik.yaml b/clusters/cl01tl/manifests/traefik/DaemonSet-traefik.yaml
index b466f42ca..9fdf78f3c 100644
--- a/clusters/cl01tl/manifests/traefik/DaemonSet-traefik.yaml
+++ b/clusters/cl01tl/manifests/traefik/DaemonSet-traefik.yaml
@@ -17,7 +17,7 @@ spec:
 updateStrategy:
 type: RollingUpdate
 rollingUpdate:
- maxUnavailable: 0
+ maxUnavailable: 1
 maxSurge: 1
 minReadySeconds: 0
 template:
@@ -32,6 +32,7 @@ spec:
 automountServiceAccountToken: true
 containers:
 - args:
+ - --global.checkNewVersion=false
 - --entryPoints.metrics.address=:9100/tcp
 - --entryPoints.ssh.address=:22/tcp
 - --entryPoints.traefik.address=:8080/tcp
@@ -78,7 +79,7 @@ spec:
 fieldPath: metadata.namespace
 - name: USER
 value: traefik
- image: docker.io/traefik:v3.6.12
+ image: docker.io/traefik:v3.6.12@sha256:171c9c3565b29f6c133f1c1b43c5d4e5853415198e9e1078c001f8702ff66aec
 imagePullPolicy: IfNotPresent
 lifecycle: null
 livenessProbe:
@@ -118,7 +119,10 @@ spec:
 periodSeconds: 10
 successThreshold: 1
 timeoutSeconds: 2
- resources: null
+ resources:
+ requests:
+ cpu: 10m
+ memory: 100Mi
 securityContext:
 allowPrivilegeEscalation: false
 capabilities:
diff --git a/clusters/cl01tl/manifests/traefik/PodDisruptionBudget-traefik.yaml b/clusters/cl01tl/manifests/traefik/PodDisruptionBudget-traefik.yaml
new file mode 100644
index 000000000..3017bcc20
--- /dev/null
+++ b/clusters/cl01tl/manifests/traefik/PodDisruptionBudget-traefik.yaml
@@ -0,0 +1,16 @@
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ name: traefik
+ namespace: traefik
+ labels:
+ app.kubernetes.io/name: traefik
+ app.kubernetes.io/instance: traefik-traefik
+ helm.sh/chart: traefik-39.0.7
+ app.kubernetes.io/managed-by: Helm
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: traefik
+ app.kubernetes.io/instance: traefik-traefik
+ minAvailable: 1
diff --git a/clusters/cl01tl/manifests/traefik/PrometheusRule-traefik.yaml b/clusters/cl01tl/manifests/traefik/PrometheusRule-traefik.yaml
new file mode 100644
index 000000000..04539b736
--- /dev/null
+++ b/clusters/cl01tl/manifests/traefik/PrometheusRule-traefik.yaml
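Review bot: In DaemonSet-traefik.yaml (hunk at -17,7) the update strategy now combines `maxUnavailable: 1` with the existing `maxSurge: 1`; for a DaemonSet the API server accepts only one of the two as non-zero, so this `rollingUpdate` block is expected to fail validation on apply. Pick one behaviour: `maxUnavailable: 0` with `maxSurge: 1` (new pod first, no gap in ingress on the node) or `maxUnavailable: 1` with `maxSurge: 0`. The spec continues outside the hunk, and since the manifest appears to be rendered from the traefik chart (`helm.sh/chart: traefik-39.0.7` in the sibling files), the correction likely belongs in the chart values.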
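Review bot: PodDisruptionBudget-traefik.yaml is created with `apiVersion: policy/v1beta1`, which was removed in Kubernetes 1.25; on a cluster at or past that version the object will not apply and the budget will simply not exist. Use `apiVersion: policy/v1`, whose schema accepts the same `selector` and `minAvailable` fields shown here. The cluster version is not visible in this patch, so confirm it before relying on the budget. It is also worth checking that `minAvailable: 1` gives the intended protection for pods owned by a DaemonSet, since node drains commonly skip DaemonSet-managed pods.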
@@ -0,0 +1,23 @@
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+ name: traefik
+ namespace: traefik
+ labels:
+ app.kubernetes.io/name: traefik
+ app.kubernetes.io/instance: traefik-traefik
+ helm.sh/chart: traefik-39.0.7
+ app.kubernetes.io/managed-by: Helm
+spec:
+ groups:
+ - name: traefik
+ rules:
+ - alert: TraefikDown
+ annotations:
+ description: '{{ $labels.pod }} on {{ $labels.nodename }} is down'
+ summary: Traefik Down
+ expr: up{job="traefik"} == 0
+ for: 5m
+ labels:
+ context: traefik
+ severity: warning
diff --git a/clusters/cl01tl/manifests/tubearchivist/Deployment-tubearchivist.yaml b/clusters/cl01tl/manifests/tubearchivist/Deployment-tubearchivist.yaml
index 83abc3e05..977b22823 100644
--- a/clusters/cl01tl/manifests/tubearchivist/Deployment-tubearchivist.yaml
+++ b/clusters/cl01tl/manifests/tubearchivist/Deployment-tubearchivist.yaml
@@ -29,13 +29,15 @@ spec:
 enableServiceLinks: false
 serviceAccountName: default
 automountServiceAccountToken: true
+ securityContext:
+ fsGroup: 1000
+ fsGroupChangePolicy: OnRootMismatch
 hostIPC: false
 hostNetwork: false
 hostPID: false
 dnsPolicy: ClusterFirst
 containers:
- - image: brainicism/bgutil-ytdlp-pot-provider:1.3.1
- imagePullPolicy: IfNotPresent
+ - image: brainicism/bgutil-ytdlp-pot-provider:1.3.1@sha256:1aaa43a0ca72dfca6a6d2129a0fb4a23465c25adb1b043f8aff829a20825646b
 name: bgutil
 - env:
 - name: VPN_SERVICE_PROVIDER
@@ -68,7 +70,6 @@ spec:
 - name: SHADOWSOCKS
 value: "off"
 image: ghcr.io/qdm12/gluetun:v3.41.1@sha256:1a5bf4b4820a879cdf8d93d7ef0d2d963af56670c9ebff8981860b6804ebc8ab
- imagePullPolicy: IfNotPresent
 lifecycle:
 postStart:
 exec:
@@ -91,9 +92,7 @@ spec:
 limits:
 devic.es/tun: "1"
 requests:
- cpu: 10m
 devic.es/tun: "1"
- memory: 128Mi
 securityContext:
 capabilities:
 add:
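Review bot: In PrometheusRule-traefik.yaml the `TraefikDown` expression `up{job="traefik"} == 0` only fires while the target is still discovered; if every traefik pod is gone or the scrape job is dropped, the series disappears and the alert stays silent. An additional rule with `expr: absent(up{job="traefik"})` would cover that case. The description interpolates `{{ $labels.nodename }}`, and whether `up` carries a `nodename` label depends on relabeling that is not visible here; if it does not, the message renders with an empty node name. `severity: warning` may also be lower than intended for loss of the ingress proxy.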
@@ -122,8 +121,7 @@ spec:
 envFrom:
 - secretRef:
 name: tubearchivist-config-secret
- image: bbilly1/tubearchivist:v0.5.10
- imagePullPolicy: IfNotPresent
+ image: bbilly1/tubearchivist:v0.5.10@sha256:dfe723cf008520e1758ecc3e59e6ea8761dd10d5bb099cd87289e80f5bd66567
 name: main
 resources:
 requests:
diff --git a/clusters/cl01tl/manifests/tubearchivist/ExternalSecret-tubearchivist-config-secret.yaml b/clusters/cl01tl/manifests/tubearchivist/ExternalSecret-tubearchivist-config-secret.yaml
index 2be36b0b8..071cdf40b 100644
--- a/clusters/cl01tl/manifests/tubearchivist/ExternalSecret-tubearchivist-config-secret.yaml
+++ b/clusters/cl01tl/manifests/tubearchivist/ExternalSecret-tubearchivist-config-secret.yaml
@@ -14,15 +14,9 @@ spec:
 data:
 - secretKey: ELASTIC_PASSWORD
 remoteRef:
- conversionStrategy: Default
- decodingStrategy: None
 key: /cl01tl/tubearchivist/env
- metadataPolicy: None
 property: ELASTIC_PASSWORD
 - secretKey: TA_PASSWORD
 remoteRef:
- conversionStrategy: Default
- decodingStrategy: None
 key: /cl01tl/tubearchivist/env
- metadataPolicy: None
 property: TA_PASSWORD
diff --git a/clusters/cl01tl/manifests/tubearchivist/ExternalSecret-tubearchivist-elasticsearch-secret.yaml b/clusters/cl01tl/manifests/tubearchivist/ExternalSecret-tubearchivist-elasticsearch-secret.yaml
index b09934ee2..36c820917 100644
--- a/clusters/cl01tl/manifests/tubearchivist/ExternalSecret-tubearchivist-elasticsearch-secret.yaml
+++ b/clusters/cl01tl/manifests/tubearchivist/ExternalSecret-tubearchivist-elasticsearch-secret.yaml
@@ -14,22 +14,13 @@ spec:
 data:
 - secretKey: username
 remoteRef:
- conversionStrategy: Default
- decodingStrategy: None
 key: /cl01tl/tubearchivist/elasticsearch
- metadataPolicy: None
 property: username
 - secretKey: password
 remoteRef:
- conversionStrategy: Default
- decodingStrategy: None
 key: /cl01tl/tubearchivist/elasticsearch
- metadataPolicy: None
 property: password
 - secretKey: roles
 remoteRef:
- conversionStrategy: Default
- decodingStrategy: None
 key: /cl01tl/tubearchivist/elasticsearch
- metadataPolicy: None
 property: roles
diff --git a/clusters/cl01tl/manifests/tubearchivist/ExternalSecret-tubearchivist-wireguard-conf.yaml b/clusters/cl01tl/manifests/tubearchivist/ExternalSecret-tubearchivist-wireguard-conf.yaml
index 25a39e5fb..466aacf25 100644
--- a/clusters/cl01tl/manifests/tubearchivist/ExternalSecret-tubearchivist-wireguard-conf.yaml
+++ b/clusters/cl01tl/manifests/tubearchivist/ExternalSecret-tubearchivist-wireguard-conf.yaml
@@ -14,29 +14,17 @@ spec:
 data:
 - secretKey: private-key
 remoteRef:
- conversionStrategy: Default
- decodingStrategy: None
 key: /airvpn/conf/cl01tl
- metadataPolicy: None
 property: private-key
 - secretKey: preshared-key
 remoteRef:
- conversionStrategy: Default
- decodingStrategy: None
 key: /airvpn/conf/cl01tl
- metadataPolicy: None
 property: preshared-key
 - secretKey: addresses
 remoteRef:
- conversionStrategy: Default
- decodingStrategy: None
 key: /airvpn/conf/cl01tl
- metadataPolicy: None
 property: addresses
 - secretKey: input-ports
 remoteRef:
- conversionStrategy: Default
- decodingStrategy: None
 key: /airvpn/conf/cl01tl
- metadataPolicy: None
 property: input-ports
diff --git a/clusters/cl01tl/manifests/tubearchivist/HTTPRoute-tubearchivist.yaml b/clusters/cl01tl/manifests/tubearchivist/HTTPRoute-tubearchivist.yaml
index 708026a4b..2dae0be37 100644
--- a/clusters/cl01tl/manifests/tubearchivist/HTTPRoute-tubearchivist.yaml
+++ b/clusters/cl01tl/manifests/tubearchivist/HTTPRoute-tubearchivist.yaml
@@ -23,7 +23,7 @@ spec:
 name: tubearchivist
 namespace: tubearchivist
 port: 80
- weight: 100
+ weight: 1
 matches:
 - path:
 type: PathPrefix
diff --git a/clusters/cl01tl/manifests/tubearchivist/PersistentVolumeClaim-tubearchivist.yaml b/clusters/cl01tl/manifests/tubearchivist/PersistentVolumeClaim-tubearchivist.yaml
index 406ac114d..e2b91230b 100644
--- a/clusters/cl01tl/manifests/tubearchivist/PersistentVolumeClaim-tubearchivist.yaml
+++ b/clusters/cl01tl/manifests/tubearchivist/PersistentVolumeClaim-tubearchivist.yaml
@@ -7,8 +7,6 @@ metadata:
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: tubearchivist
 helm.sh/chart: tubearchivist-4.6.2
- annotations:
- helm.sh/resource-policy: keep
 namespace: tubearchivist
 spec:
 accessModes:
diff --git a/clusters/cl01tl/manifests/tubearchivist/StatefulSet-tubearchivist-valkey.yaml b/clusters/cl01tl/manifests/tubearchivist/StatefulSet-tubearchivist-valkey.yaml
index 0357c427c..c9e535459 100644
--- a/clusters/cl01tl/manifests/tubearchivist/StatefulSet-tubearchivist-valkey.yaml
+++ b/clusters/cl01tl/manifests/tubearchivist/StatefulSet-tubearchivist-valkey.yaml
@@ -94,8 +94,8 @@ spec:
 command: ["sh", "-c", "valkey-cli ping"]
 resources:
 requests:
- cpu: 100m
- memory: 1Gi
+ cpu: 10m
+ memory: 20Mi
 volumeMounts:
 - name: valkey-data
 mountPath: /data
@@ -117,8 +117,8 @@ spec:
 port: metrics
 resources:
 requests:
- cpu: 10m
- memory: 64M
+ cpu: 1m
+ memory: 10M
 env:
 - name: REDIS_ALIAS
 value: tubearchivist-valkey